package io.confluent.kafka.security.authenticator;

import io.confluent.kafka.multitenant.MultiTenantRequestContextTest;
import io.confluent.security.auth.oauth.mockserver.common.TokenInfo;
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.net.ssl.SSLSession;
import javax.security.auth.x500.X500Principal;
import javax.security.sasl.SaslServer;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.security.auth.ConfluentPrincipal;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.security.auth.SaslAuthenticationContext;
import org.apache.kafka.common.security.auth.SecurityProtocol;
import org.apache.kafka.common.security.auth.SslAuthenticationContext;
import org.apache.kafka.common.security.authenticator.DefaultKafkaPrincipalBuilder;
import org.apache.kafka.common.security.kerberos.KerberosShortNamer;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
import org.apache.kafka.common.security.oauthbearer.internals.OAuthBearerSaslServer;
import org.apache.kafka.common.security.oauthbearer.internals.unsecured.OAuthBearerUnsecuredJws;
import org.apache.kafka.common.security.ssl.SslPrincipalMapper;
import org.apache.kafka.server.immutable.ImmutableMap;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.Arguments;
import org.junit.jupiter.params.provider.MethodSource;
import org.mockito.Mockito;

/* loaded from: input_file:io/confluent/kafka/security/authenticator/OAuthKafkaPrincipalBuilderTest.class */
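/**
 * Unit tests for {@link OAuthKafkaPrincipalBuilder}.
 *
 * <p>Three areas are covered:
 * <ul>
 *   <li>principal construction from an OAUTHBEARER SASL token (subject and groups claims,
 *       including a configurable groups claim name);</li>
 *   <li>serialization round-trips and wire compatibility with
 *       {@link DefaultKafkaPrincipalBuilder};</li>
 *   <li>the impersonation check that binds a token's {@code cp_proxy} claim to the mTLS peer
 *       certificate when {@code ssl.client.auth=required}, and the configurations under which
 *       that check is not applied.</li>
 * </ul>
 *
 * <p>Every token is an unsecured compact JWS ({@code alg=none}) built by the helpers at the
 * bottom of the class. The builder under test reads the already-validated token from the
 * negotiated SASL property {@code OAUTHBEARER.token}, so no signature is required for these
 * fixtures; the {@code never()} verifications on {@code getAuthorizationID()} pin that the
 * identity comes from the token, not from the SASL authorization id.
 */
public class OAuthKafkaPrincipalBuilderTest {

    /** Negotiated SASL property through which the server exposes the validated bearer token. */
    private static final String TOKEN_PROPERTY = "OAUTHBEARER.token";
    /** SASL mechanism name reported by the mocked OAUTHBEARER server. */
    private static final String OAUTHBEARER_MECHANISM = "OAUTHBEARER";
    /** Claim carrying the identity of the proxy that obtained an impersonated token. */
    private static final String PROXY_CLAIM = "cp_proxy";
    /** Expiry offset (seconds from now) applied to every fixture token so it is valid during the test. */
    private static final long EXPIRY_OFFSET_SECONDS = 50000L;

    /**
     * Parameters for {@link #testPrincipalBuilderOAuthBearerClientCredentials}: the expected
     * principal name and the claim the token fixture treats as its principal claim.
     */
    private static Stream<Arguments> principalClaimNameAndValue() {
        return Stream.of(
            Arguments.of("alice", "sub"),
            Arguments.of("bob", "customSubClaim"));
    }

    /** A {@code User:alice} principal with groups {@code g1,g2} is built from a plain OAUTHBEARER token. */
    @Test
    public void testPrincipalBuilderOAuthBearer() throws Exception {
        OAuthBearerToken token = mockToken("alice",
            createUnsecuredJws("Confluent", "alice", "sub", "groups", "abcde", "g1", "g2"));
        OAuthBearerSaslServer server = mockOAuthServer(token);

        ConfluentPrincipal principal = new OAuthKafkaPrincipalBuilder().build(plaintextSaslContext(server));

        assertUserWithGroups(principal, "alice");
        verifyIdentityTakenFromToken(server, token);
    }

    /**
     * The principal name follows the token's reported principal and the groups are read from the
     * claim named by {@code confluent.oauth.groups.claim.name}.
     *
     * @param principalName      name the mocked token reports and the builder is expected to use
     * @param principalClaimName claim the token fixture declares as its principal claim
     */
    @MethodSource("principalClaimNameAndValue")
    @ParameterizedTest
    public void testPrincipalBuilderOAuthBearerClientCredentials(String principalName, String principalClaimName)
            throws Exception {
        OAuthBearerToken token = mockToken(principalName,
            createUnsecuredJws("issuer", "alice", principalClaimName, "roles", "bob", "g1", "g2"));
        OAuthBearerSaslServer server = mockOAuthServer(token);

        OAuthKafkaPrincipalBuilder builder = new OAuthKafkaPrincipalBuilder();
        builder.configure(ImmutableMap.singleton("confluent.oauth.groups.claim.name", "roles"));
        ConfluentPrincipal principal = builder.build(plaintextSaslContext(server));

        assertUserWithGroups(principal, principalName);
        verifyIdentityTakenFromToken(server, token);
    }

    /** A {@link ConfluentPrincipal} survives a serialize/deserialize round-trip with its groups intact. */
    @Test
    public void testOAuthKafkaPrincipalBuilderSerde_ConfluentPrincipal() {
        ConfluentPrincipal original = aliceWithGroups();
        OAuthKafkaPrincipalBuilder builder = new OAuthKafkaPrincipalBuilder();

        ConfluentPrincipal restored = builder.deserialize(builder.serialize(original));

        Assertions.assertEquals(original, restored);
        Assertions.assertTrue(restored instanceof ConfluentPrincipal);
        Assertions.assertEquals(2, restored.getGroups().size());
        Assertions.assertTrue(restored.getGroups().containsAll(new HashSet<>(Arrays.asList("g1", "g2"))));
    }

    /** A plain {@link KafkaPrincipal} also round-trips through the OAuth builder. */
    @Test
    public void testOAuthKafkaPrincipalBuilderSerde_KafkaPrincipal() {
        KafkaPrincipal original = new KafkaPrincipal("User", MultiTenantRequestContextTest.USERNAME);
        OAuthKafkaPrincipalBuilder builder = new OAuthKafkaPrincipalBuilder();
        builder.configure(Collections.emptyMap());

        Assertions.assertEquals(original, builder.deserialize(builder.serialize(original)));
    }

    /**
     * The stock {@link DefaultKafkaPrincipalBuilder} round-trips a {@link ConfluentPrincipal} as a
     * plain {@link KafkaPrincipal}: type, name and token-authenticated flag are kept, groups are not.
     */
    @Test
    public void testDefaultKafkaPrincipalBuilderSerde_ConfluentPrincipal() {
        ConfluentPrincipal original = aliceWithGroups();
        DefaultKafkaPrincipalBuilder builder = defaultBuilder();

        KafkaPrincipal restored = builder.deserialize(builder.serialize(original));

        assertSameBasePrincipal(original, restored);
    }

    /** Bytes produced by the default builder are readable by the OAuth builder. */
    @Test
    public void testOAuthKafkaPrincipalBuilderSerde_KafkaPrincipalCompatibility() {
        KafkaPrincipal original = new KafkaPrincipal("User", MultiTenantRequestContextTest.USERNAME);
        OAuthKafkaPrincipalBuilder oauthBuilder = new OAuthKafkaPrincipalBuilder();
        oauthBuilder.configure(Collections.emptyMap());

        KafkaPrincipal restored = oauthBuilder.deserialize(defaultBuilder().serialize(original));

        Assertions.assertEquals(original, restored);
        Assertions.assertEquals(KafkaPrincipal.class, restored.getClass());
    }

    /** Bytes produced by the OAuth builder are readable by the default builder (as a base principal). */
    @Test
    public void testOAuthKafkaPrincipalBuilderSerde_KafkaPrincipalBuilderCompatibility() {
        ConfluentPrincipal original = aliceWithGroups();

        KafkaPrincipal restored = defaultBuilder().deserialize(new OAuthKafkaPrincipalBuilder().serialize(original));

        assertSameBasePrincipal(original, restored);
    }

    /**
     * {@code ssl.principal.mapping.rules} are honoured for TLS client certificates; the four
     * stubbed peer principals exercise each rule in turn, the last one falling through to DEFAULT.
     */
    @Test
    public void testConfluentPrincipalBuilderWithSslPrincipalMapper() throws Exception {
        SSLSession session = Mockito.mock(SSLSession.class);
        Mockito.when(session.getPeerPrincipal())
            .thenReturn(new X500Principal("CN=Duke, OU=ServiceUsers, O=Org, C=US"))
            .thenReturn(new X500Principal("CN=Duke, OU=SME, O=mycp, L=Fulton, ST=MD, C=US"))
            .thenReturn(new X500Principal("CN=duke, OU=JavaSoft, O=Sun Microsystems"))
            .thenReturn(new X500Principal("OU=JavaSoft, O=Sun Microsystems, C=US"));
        String rules = String.join(", ",
            "RULE:^CN=(.*),OU=ServiceUsers.*$/$1/L",
            "RULE:^CN=(.*),OU=(.*),O=(.*),L=(.*),ST=(.*),C=(.*)$/$1@$2/L",
            "RULE:^.*[Cc][Nn]=([a-zA-Z0-9.]*).*$/$1/U",
            "DEFAULT");

        OAuthKafkaPrincipalBuilder builder = new OAuthKafkaPrincipalBuilder();
        builder.configure(Collections.singletonMap("ssl.principal.mapping.rules", rules));
        SslAuthenticationContext context =
            new SslAuthenticationContext(session, InetAddress.getLocalHost(), SecurityProtocol.PLAINTEXT.name());

        Assertions.assertEquals("duke", builder.build(context).getName());
        Assertions.assertEquals("duke@sme", builder.build(context).getName());
        Assertions.assertEquals("DUKE", builder.build(context).getName());
        Assertions.assertEquals("OU=JavaSoft,O=Sun Microsystems,C=US", builder.build(context).getName());
        Mockito.verify(session, Mockito.times(4)).getPeerPrincipal();
    }

    /** For GSSAPI the Kerberos principal-to-local rules apply and the SASL authorization id is used. */
    @Test
    public void testConfluentPrincipalBuilderGssapi() throws Exception {
        SaslServer server = Mockito.mock(SaslServer.class);
        Mockito.when(server.getMechanismName()).thenReturn("GSSAPI");
        Mockito.when(server.getAuthorizationID()).thenReturn("foo/host@REALM.COM");

        OAuthKafkaPrincipalBuilder builder = new OAuthKafkaPrincipalBuilder();
        builder.configure(Collections.singletonMap(
            "sasl.kerberos.principal.to.local.rules", Collections.singletonList("RULE:[2:$1]")));
        KafkaPrincipal principal = builder.build(plaintextSaslContext(server));

        Assertions.assertEquals("User", principal.getPrincipalType());
        Assertions.assertEquals("foo", principal.getName());
        Mockito.verify(server, Mockito.atLeastOnce()).getMechanismName();
        Mockito.verify(server, Mockito.atLeastOnce()).getAuthorizationID();
    }

    /**
     * With {@code ssl.client.auth=required} an impersonated token is accepted when its
     * {@code cp_proxy} claim matches the TLS peer principal. The claim is written in the
     * space-free form of the DN, presumably the canonical string the builder compares against;
     * the peer principal is verified to have been consulted.
     */
    @Test
    public void testImpersonatedTokenWithRequiredSSLSuccess() throws Exception {
        SSLSession session = peerSession("CN=Rp, OU=ServiceUsers, O=Org, C=US");
        OAuthBearerToken token = mockToken("alice", createImpersonatedUnsecuredJws(
            "Confluent", "alice", "CN=Rp,OU=ServiceUsers,O=Org,C=US", "sub", "groups", "abcde", "g1", "g2"));
        OAuthBearerSaslServer server = mockOAuthServer(token);

        OAuthKafkaPrincipalBuilder builder = new OAuthKafkaPrincipalBuilder();
        builder.configure(Map.of("ssl.client.auth", "required"));
        ConfluentPrincipal principal = builder.build(saslSslContext(server, session));

        assertUserWithGroups(principal, "alice");
        Mockito.verify(session, Mockito.atLeastOnce()).getPeerPrincipal();
        verifyIdentityTakenFromToken(server, token);
    }

    /**
     * With {@code ssl.client.auth=required} a {@code cp_proxy} claim that does not match the TLS
     * peer principal is rejected with a {@link KafkaException}; the message names the token
     * subject, not the mismatching proxy identity.
     */
    @Test
    public void testImpersonatedTokenWithRequiredSSLPrincipalMismatch() throws Exception {
        SSLSession session = peerSession("CN=Rp, OU=ServiceUsers, O=Org, C=US");
        OAuthBearerToken token = mockToken("alice", createImpersonatedUnsecuredJws(
            "Confluent", "alice", "someOtherUser", "sub", "groups", "abcde", "g1", "g2"));
        OAuthBearerSaslServer server = mockOAuthServer(token);
        SaslAuthenticationContext context = saslSslContext(server, session);

        OAuthKafkaPrincipalBuilder builder = new OAuthKafkaPrincipalBuilder();
        builder.configure(Map.of("ssl.client.auth", "required"));

        KafkaException failure = Assertions.assertThrows(KafkaException.class, () -> builder.build(context));
        Assertions.assertEquals("Impersonation identity mismatch for 'alice'", failure.getMessage());
        Mockito.verify(session, Mockito.atLeastOnce()).getPeerPrincipal();
        verifyIdentityTakenFromToken(server, token);
    }

    /**
     * Over SASL_PLAINTEXT there is no TLS session to bind to, so an impersonated token is accepted
     * on the strength of the token alone (default, unconfigured builder).
     */
    @Test
    public void testImpersonatedTokenWithoutSSL() throws Exception {
        OAuthBearerToken token = mockToken("alice", createImpersonatedUnsecuredJws(
            "Confluent", "alice", "rp", "sub", "groups", "abcde", "g1", "g2"));
        OAuthBearerSaslServer server = mockOAuthServer(token);

        ConfluentPrincipal principal = new OAuthKafkaPrincipalBuilder().build(plaintextSaslContext(server));

        assertUserWithGroups(principal, "alice");
        verifyIdentityTakenFromToken(server, token);
    }

    /**
     * With {@code ssl.client.auth=requested} the impersonation check is not applied: the peer
     * principal is never read and a {@code cp_proxy} claim that does not match the certificate is
     * accepted. This pins current behaviour — the binding is only enforced at {@code required}.
     */
    @Test
    public void testImpersonatedTokenWithRequestedSSL() throws Exception {
        SSLSession session = peerSession("CN=NOMATCH, OU=ServiceUsers, O=Org, C=US");
        OAuthBearerToken token = mockToken("alice", createImpersonatedUnsecuredJws(
            "Confluent", "alice", "rp", "sub", "groups", "abcde", "g1", "g2"));
        OAuthBearerSaslServer server = mockOAuthServerWithoutAuthorizationId(token);

        OAuthKafkaPrincipalBuilder builder = new OAuthKafkaPrincipalBuilder();
        builder.configure(Map.of("ssl.client.auth", "requested"));
        ConfluentPrincipal principal = builder.build(saslSslContext(server, session));

        assertUserWithGroups(principal, "alice");
        Mockito.verify(session, Mockito.never()).getPeerPrincipal();
        verifyTokenRead(server, token);
    }

    /**
     * With {@code ssl.client.auth=none} the impersonation check is likewise skipped even though a
     * TLS session with a non-matching peer is present.
     */
    @Test
    public void testImpersonatedTokenWithNoneSSL() throws Exception {
        SSLSession session = peerSession("CN=NOMATCH, OU=ServiceUsers, O=Org, C=US");
        OAuthBearerToken token = mockToken("alice", createImpersonatedUnsecuredJws(
            "Confluent", "alice", "rp", "sub", "groups", "abcde", "g1", "g2"));
        OAuthBearerSaslServer server = mockOAuthServerWithoutAuthorizationId(token);

        OAuthKafkaPrincipalBuilder builder = new OAuthKafkaPrincipalBuilder();
        builder.configure(Map.of("ssl.client.auth", "none"));
        ConfluentPrincipal principal = builder.build(saslSslContext(server, session));

        assertUserWithGroups(principal, "alice");
        Mockito.verify(session, Mockito.never()).getPeerPrincipal();
        verifyTokenRead(server, token);
    }

    /**
     * {@code token.impersonation.validation=false} disables the binding of {@code cp_proxy} to the
     * TLS peer even at {@code ssl.client.auth=required}: a mismatching claim is accepted. The test
     * only pins that the opt-out works; operators relying on the check must leave it at its default.
     */
    @Test
    public void testImpersonatedTokenWithRequiredSSLButValidationSkip() throws Exception {
        SSLSession session = peerSession("CN=Rp, OU=ServiceUsers, O=Org, C=US");
        OAuthBearerToken token = mockToken("alice", createImpersonatedUnsecuredJws(
            "Confluent", "alice", "something-wrong", "sub", "groups", "abcde", "g1", "g2"));
        OAuthBearerSaslServer server = mockOAuthServer(token);

        OAuthKafkaPrincipalBuilder builder = new OAuthKafkaPrincipalBuilder();
        builder.configure(Map.of("ssl.client.auth", "required", "token.impersonation.validation", "false"));
        ConfluentPrincipal principal = builder.build(saslSslContext(server, session));

        assertUserWithGroups(principal, "alice");
        verifyIdentityTakenFromToken(server, token);
    }

    // ---- fixtures -------------------------------------------------------------------------

    /** The {@code User:Alice} principal with groups {@code g1,g2} used by the serde tests. */
    private static ConfluentPrincipal aliceWithGroups() {
        return new ConfluentPrincipal("User", "Alice", "Alice", Optional.empty(), false,
            new HashSet<>(Arrays.asList("g1", "g2")));
    }

    /** A stock principal builder with neither Kerberos nor SSL name mapping configured. */
    private static DefaultKafkaPrincipalBuilder defaultBuilder() {
        return new DefaultKafkaPrincipalBuilder((KerberosShortNamer) null, (SslPrincipalMapper) null);
    }

    /** Mocks a TLS session whose peer presents the given distinguished name. */
    private static SSLSession peerSession(String peerDn) throws Exception {
        SSLSession session = Mockito.mock(SSLSession.class);
        Mockito.when(session.getPeerPrincipal()).thenReturn(new X500Principal(peerDn));
        return session;
    }

    /** Mocks a bearer token reporting {@code principalName} and carrying the compact form of {@code jws}. */
    private static OAuthBearerToken mockToken(String principalName, OAuthBearerUnsecuredJws jws) {
        OAuthBearerToken token = Mockito.mock(OAuthBearerToken.class);
        Mockito.when(token.principalName()).thenReturn(principalName);
        Mockito.when(token.value()).thenReturn(jws.value());
        return token;
    }

    /** Mocks an OAUTHBEARER SASL server exposing {@code token}; the authorization id is stubbed so a stray read is detectable. */
    private static OAuthBearerSaslServer mockOAuthServer(OAuthBearerToken token) {
        OAuthBearerSaslServer server = mockOAuthServerWithoutAuthorizationId(token);
        Mockito.when(server.getAuthorizationID()).thenReturn("alice");
        return server;
    }

    /** Mocks an OAUTHBEARER SASL server exposing {@code token} with no authorization id stubbed. */
    private static OAuthBearerSaslServer mockOAuthServerWithoutAuthorizationId(OAuthBearerToken token) {
        OAuthBearerSaslServer server = Mockito.mock(OAuthBearerSaslServer.class);
        Mockito.when(server.getMechanismName()).thenReturn(OAUTHBEARER_MECHANISM);
        Mockito.when(server.getNegotiatedProperty(TOKEN_PROPERTY)).thenReturn(token);
        return server;
    }

    /** SASL_PLAINTEXT authentication context for {@code server} on the local host. */
    private static SaslAuthenticationContext plaintextSaslContext(SaslServer server) throws Exception {
        return new SaslAuthenticationContext(server, SecurityProtocol.SASL_PLAINTEXT,
            InetAddress.getLocalHost(), SecurityProtocol.SASL_PLAINTEXT.name());
    }

    /**
     * SASL_SSL authentication context carrying {@code session} as the TLS session. The leading
     * {@code -1L} and trailing {@code false, false} are passed through unchanged from the original
     * test; their meaning is defined by the {@link SaslAuthenticationContext} constructor.
     */
    private static SaslAuthenticationContext saslSslContext(OAuthBearerSaslServer server, SSLSession session)
            throws Exception {
        return new SaslAuthenticationContext(-1L, server, SecurityProtocol.SASL_SSL,
            InetAddress.getLocalHost(), SecurityProtocol.SASL_SSL.name(), Optional.of(session), false, false);
    }

    // ---- assertions -----------------------------------------------------------------------

    /** Asserts a {@code User:<expectedName>} Confluent principal carrying exactly groups {@code g1,g2}. */
    private static void assertUserWithGroups(KafkaPrincipal principal, String expectedName) {
        Assertions.assertTrue(principal instanceof ConfluentPrincipal);
        ConfluentPrincipal confluent = (ConfluentPrincipal) principal;
        Assertions.assertEquals("User", confluent.getPrincipalType());
        Assertions.assertEquals(expectedName, confluent.getName());
        Assertions.assertEquals(2, confluent.getGroups().size());
        Assertions.assertTrue(confluent.getGroups().containsAll(Arrays.asList("g1", "g2")));
    }

    /** Asserts {@code restored} is a plain {@link KafkaPrincipal} with the same type, name and token flag as {@code original}. */
    private static void assertSameBasePrincipal(ConfluentPrincipal original, KafkaPrincipal restored) {
        Assertions.assertEquals(KafkaPrincipal.class, restored.getClass());
        Assertions.assertEquals(original.getPrincipalType(), restored.getPrincipalType());
        Assertions.assertEquals(original.getName(), restored.getName());
        Assertions.assertEquals(original.tokenAuthenticated(), restored.tokenAuthenticated());
    }

    /** Verifies the builder located the token through the mechanism name and negotiated property and read it. */
    private static void verifyTokenRead(OAuthBearerSaslServer server, OAuthBearerToken token) {
        Mockito.verify(server, Mockito.atLeastOnce()).getMechanismName();
        Mockito.verify(server, Mockito.atLeastOnce()).getNegotiatedProperty(TOKEN_PROPERTY);
        Mockito.verify(token, Mockito.atLeastOnce()).principalName();
        Mockito.verify(token, Mockito.atLeastOnce()).value();
    }

    /** As {@link #verifyTokenRead} and additionally that the SASL authorization id was never consulted. */
    private static void verifyIdentityTakenFromToken(OAuthBearerSaslServer server, OAuthBearerToken token) {
        verifyTokenRead(server, token);
        Mockito.verify(server, Mockito.never()).getAuthorizationID();
    }

    // ---- token fixtures -------------------------------------------------------------------

    /**
     * Builds an unsecured JWS carrying a {@code cp_proxy} claim, i.e. a token obtained by a proxy
     * on behalf of {@code subject}.
     *
     * @param issuer             {@code iss} claim
     * @param subject            {@code sub} claim
     * @param proxyPrincipal     value of the {@code cp_proxy} claim
     * @param principalClaimName claim the resulting JWS treats as its principal claim
     * @param groupsClaimName    name of the JSON array claim holding {@code groups}
     * @param customSubClaim     value of the {@code customSubClaim} claim
     * @param groups             group names written into {@code groupsClaimName}
     */
    private OAuthBearerUnsecuredJws createImpersonatedUnsecuredJws(String issuer, String subject, String proxyPrincipal,
            String principalClaimName, String groupsClaimName, String customSubClaim, String... groups) {
        String payload = String.format(
            "{\"iss\":\"%s\",\"sub\":\"%s\",\"customSubClaim\":\"%s\",\"%s\":[%s],\"%s\":\"%s\",\"exp\":%d}",
            issuer, subject, customSubClaim, groupsClaimName, jsonStringList(groups),
            PROXY_CLAIM, proxyPrincipal, futureExpiry());
        // principalClaimName was previously ignored in favour of a hard-coded "sub"; every caller
        // passes "sub", so honouring it changes nothing today but keeps the helper truthful.
        return unsecuredJws(payload, principalClaimName);
    }

    /**
     * Builds a plain unsecured JWS without a proxy claim.
     *
     * @param issuer             {@code iss} claim
     * @param subject            {@code sub} claim
     * @param principalClaimName claim the resulting JWS treats as its principal claim
     * @param groupsClaimName    name of the JSON array claim holding {@code groups}
     * @param customSubClaim     value of the {@code customSubClaim} claim
     * @param groups             group names written into {@code groupsClaimName}
     */
    private OAuthBearerUnsecuredJws createUnsecuredJws(String issuer, String subject, String principalClaimName,
            String groupsClaimName, String customSubClaim, String... groups) {
        String payload = String.format(
            "{\"iss\":\"%s\",\"sub\":\"%s\",\"customSubClaim\":\"%s\",\"%s\":[%s],\"exp\":%d}",
            issuer, subject, customSubClaim, groupsClaimName, jsonStringList(groups), futureExpiry());
        return unsecuredJws(payload, principalClaimName);
    }

    /** Renders {@code values} as the body of a JSON string array, e.g. {@code "g1","g2"} (no escaping; test data only). */
    private static String jsonStringList(String... values) {
        return Arrays.stream(values).map(v -> "\"" + v + "\"").collect(Collectors.joining(","));
    }

    /** Epoch-seconds expiry far enough in the future that the fixture token is valid for the whole test. */
    private static long futureExpiry() {
        return (System.currentTimeMillis() / 1000) + EXPIRY_OFFSET_SECONDS;
    }

    /**
     * Encodes {@code payloadJson} as a compact JWS with an {@code alg=none} header and an empty
     * signature part, using unpadded base64url as the JWS spec requires.
     */
    private static OAuthBearerUnsecuredJws unsecuredJws(String payloadJson, String principalClaimName) {
        Base64.Encoder encoder = Base64.getUrlEncoder().withoutPadding();
        String header = encoder.encodeToString("{\"alg\":\"none\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = encoder.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        String signature = encoder.encodeToString("".getBytes(StandardCharsets.UTF_8));
        String compact = String.format("%s.%s.%s", header, payload, signature);
        return new OAuthBearerUnsecuredJws(compact, principalClaimName, TokenInfo.SCOPE);
    }
}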
