package io.confluent.kafka.server.plugins.auth.oauth;

import io.confluent.security.util.SecurityContext;
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.kafka.test.TestUtils;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;

/* loaded from: input_file:io/confluent/kafka/server/plugins/auth/oauth/JwtAuthenticatorConfigTest.class */
public class JwtAuthenticatorConfigTest {
    private static final String SPIRE_WITH_DEFAULT_ISSUER_SUFFIX = "SpireWithDefaultIssuerSuffix";
    private static final String SPIRE_WITH_CUSTOM_ISSUER_SUFFIX = "SpireWithCustomIssuerSuffix";
    private static final String SPIRE_CUSTOM_SUFFIX = "spire.custom.suffix";

    @Test
    public void testSpireIssuerSuffixFromProperties() {
        HashMap hashMap = new HashMap();
        addToMapWithPrefix(hashMap, "kind", "jwt");
        addToMapWithPrefix(hashMap, "algorithmWhitelist.1", "RS256");
        addToMapWithPrefix(hashMap, "spireAgentSocketEndpoint", "localhost:8080");
        addToMapWithPrefix(hashMap, "issuers.1.name", SPIRE_WITH_CUSTOM_ISSUER_SUFFIX);
        addToMapWithPrefix(hashMap, "issuers.1.verifier", "io.confluent.security.authentication.oauthbearer.JwtIssuerSpire");
        addToMapWithPrefix(hashMap, "issuers.1.audience.1", "rapt");
        addToMapWithPrefix(hashMap, "issuers.1.spireIssuerSuffix", SPIRE_CUSTOM_SUFFIX);
        addToMapWithPrefix(hashMap, "issuers.2.name", SPIRE_WITH_DEFAULT_ISSUER_SUFFIX);
        addToMapWithPrefix(hashMap, "issuers.2.verifier", "io.confluent.security.authentication.oauthbearer.JwtIssuerSpire");
        addToMapWithPrefix(hashMap, "issuers.2.audience.1", "inattentive");
        validateSpireIssuerSuffix(JwtAuthenticatorConfig.newInstance(hashMap), hashMap);
    }

    @Test
    public void testCreationFromYamlConfigFile() throws IOException {
        File tempFile = TestUtils.tempFile();
        try {
            Files.write(tempFile.toPath(), getYamlConfig().getBytes(), new OpenOption[0]);
            Map singletonMap = Collections.singletonMap(JwtAuthenticatorConfig.JWT_AUTHENTICATOR_CONFIG_URL, tempFile.getPath());
            validateSpireIssuerSuffix(JwtAuthenticatorConfig.newInstance(singletonMap), singletonMap);
            Files.deleteIfExists(tempFile.toPath());
        } catch (Throwable th) {
            Files.deleteIfExists(tempFile.toPath());
            throw th;
        }
    }

    private String getYamlConfig() {
        return "kind: jwt\nalgorithmWhitelist:\n  - RS256\nspireAgentSocketEndpoint: localhost:8080\nissuers:\n  - name: SpireWithCustomIssuerSuffix\n    verifier: io.confluent.security.authentication.oauthbearer.JwtIssuerSpire\n    audience:\n      - rapt\n    spireIssuerSuffix: spire.custom.suffix\n  - name: SpireWithDefaultIssuerSuffix\n    verifier: io.confluent.security.authentication.oauthbearer.JwtIssuerSpire\n    audience:\n      - inattentive\n";
    }

    private static void validateSpireIssuerSuffix(JwtAuthenticatorConfig jwtAuthenticatorConfig, Map<String, Object> map) {
        List issuers = jwtAuthenticatorConfig.createAuthenticationConfig(map).issuers();
        Assertions.assertEquals(2, issuers.size());
        issuers.forEach(jwtIssuer -> {
            Assertions.assertEquals(jwtIssuer.name().equals(SPIRE_WITH_CUSTOM_ISSUER_SUFFIX) ? SPIRE_CUSTOM_SUFFIX : "spire.internal.confluent.cloud", jwtIssuer.keyResolver(Collections.emptyList(), new SecurityContext()).getDelegate().getSpireIssuerSuffix());
        });
    }

    private void addToMapWithPrefix(Map<String, Object> map, String str, Object obj) {
        map.put("authenticator.jwt." + str, obj);
    }
}
