package io.confluent.kafka.test.utils;

import com.yammer.metrics.core.Gauge;
import com.yammer.metrics.core.MetricName;
import io.confluent.kafka.clients.plugins.auth.oauth.OAuthBearerLoginCallbackHandler;
import io.confluent.kafka.server.plugins.auth.oauth.OAuthBearerServerLoginCallbackHandler;
import io.confluent.kafka.server.plugins.auth.oauth.OAuthBearerValidatorCallbackHandler;
import io.confluent.kafka.server.plugins.auth.oauth.OAuthUtils;
import io.confluent.kafka.test.cluster.EmbeddedKafkaCluster;
import io.confluent.license.validator.ConfluentLicenseValidator;
import java.io.File;
import java.security.Security;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.stream.Collectors;
import javax.security.auth.login.Configuration;
import kafka.admin.ConfigCommand;
import kafka.server.KafkaBroker;
import org.apache.kafka.common.acl.AccessControlEntry;
import org.apache.kafka.common.acl.AccessControlEntryFilter;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.acl.AclBindingFilter;
import org.apache.kafka.common.acl.AclOperation;
import org.apache.kafka.common.resource.ResourcePattern;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.security.authenticator.CredentialCache;
import org.apache.kafka.common.security.authenticator.LoginManager;
import org.apache.kafka.common.security.scram.ScramCredential;
import org.apache.kafka.common.security.scram.internals.ScramMechanism;
import org.apache.kafka.server.authorizer.Authorizer;
import org.apache.kafka.server.metrics.KafkaYammerMetrics;
import org.apache.kafka.test.TestUtils;
import org.junit.jupiter.api.Assertions;

/* loaded from: input_file:io/confluent/kafka/test/utils/SecurityTestUtils.class */
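/**
 * Static helpers for security-related tests against an {@link EmbeddedKafkaCluster}: SCRAM user
 * management, JAAS configuration strings, ACL propagation waits, license metric checks and OAuth
 * bearer client/server settings.
 *
 * <p>Several helpers return or store strings that contain plaintext passwords, client secrets or
 * bearer tokens. Keep those values out of log output and assertion messages.
 */
public class SecurityTestUtils {
    /**
     * Adds SCRAM-SHA-256 credentials for a user through {@link ConfigCommand} and blocks until every
     * broker's credential cache contains an entry for that user.
     *
     * @param embeddedKafkaCluster cluster whose brokers are polled for the new credential
     * @param str user name (passed as {@code --entity-name})
     * @param str2 password to register
     * @return the password that was passed in, unchanged
     * @throws RuntimeException if the wait is interrupted; the thread's interrupt flag is restored
     */
    public static String createScramUser(EmbeddedKafkaCluster embeddedKafkaCluster, String str, String str2) {
        String mechanismName = ScramMechanism.SCRAM_SHA_256.mechanismName();
        // NOTE(review): the password is spliced unescaped into the bracketed --add-config value, so a
        // password containing ',' or ']' presumably changes how the option is parsed -- confirm
        // against ConfigCommand before using such passwords in tests.
        String credentialConfig = String.format("%s=[iterations=4096,password=%s]", mechanismName, str2);
        ConfigCommand.main(new String[]{"--alter", "--add-config", credentialConfig, "--entity-type", "users", "--entity-name", str});
        awaitScramCredential(embeddedKafkaCluster, mechanismName, str, true, "SCRAM credentials not created for user " + str);
        return str2;
    }

    /**
     * Removes the SCRAM-SHA-256 credentials of a user through {@link ConfigCommand} and blocks until
     * no broker's credential cache holds an entry for that user any more.
     *
     * @param embeddedKafkaCluster cluster whose brokers are polled for the removal
     * @param str user name (passed as {@code --entity-name})
     * @throws RuntimeException if the wait is interrupted; the thread's interrupt flag is restored
     */
    public static void deleteScramUser(EmbeddedKafkaCluster embeddedKafkaCluster, String str) {
        String mechanismName = ScramMechanism.SCRAM_SHA_256.mechanismName();
        ConfigCommand.main(new String[]{"--alter", "--delete-config", mechanismName, "--entity-type", "users", "--entity-name", str});
        awaitScramCredential(embeddedKafkaCluster, mechanismName, str, false, "SCRAM credentials not deleted for user " + str);
    }

    /**
     * Polls each broker's SCRAM credential cache until the user's entry is present or absent as
     * requested.
     */
    private static void awaitScramCredential(EmbeddedKafkaCluster cluster, String mechanismName, String user, boolean expectPresent, String failureMessage) {
        Iterator<KafkaBroker> brokers = cluster.kafkaBrokers().iterator();
        while (brokers.hasNext()) {
            CredentialCache.Cache<ScramCredential> cache = brokers.next().credentialProvider().credentialCache().cache(mechanismName, ScramCredential.class);
            try {
                TestUtils.waitForCondition(() -> (cache.get(user) != null) == expectPresent, failureMessage);
            } catch (InterruptedException e) {
                // Restore the flag so callers further up the stack can still observe the interruption.
                Thread.currentThread().interrupt();
                throw new RuntimeException(e);
            }
        }
    }

    /**
     * Renders a value as a double-quoted JAAS option value, escaping backslashes and double quotes
     * so the value cannot end the quoted string early and introduce further options. A
     * {@code null} value is rendered as the text {@code null}, matching plain string concatenation.
     */
    private static String jaasQuoted(Object value) {
        String text = String.valueOf(value);
        // Backslashes first, otherwise the escapes added for quotes would be escaped again.
        return "\"" + text.replace("\\", "\\\\").replace("\"", "\\\"") + "\"";
    }

    /**
     * Builds a {@code ScramLoginModule} JAAS configuration entry.
     *
     * @param str user name
     * @param str2 password; it appears in plaintext in the returned string
     * @return the JAAS configuration text, terminated by {@code ;} and a newline
     */
    public static String scramSaslJaasConfig(String str, String str2) {
        return "org.apache.kafka.common.security.scram.ScramLoginModule required\nusername=" + jaasQuoted(str) + "\npassword=" + jaasQuoted(str2) + ";\n";
    }

    /**
     * Builds a {@code Krb5LoginModule} JAAS configuration entry that logs in from a keytab.
     *
     * @param file keytab file; its absolute path is written into the entry
     * @param str Kerberos principal
     * @param str2 service name, or {@code null} to omit the {@code serviceName} option
     * @return the JAAS configuration text
     */
    public static String gssapiSaslJaasConfig(File file, String str, String str2) {
        StringBuilder sb = new StringBuilder();
        sb.append("com.sun.security.auth.module.Krb5LoginModule required\n");
        // The login module's debug option is always switched on by this helper.
        sb.append("debug=true\n");
        if (str2 != null) {
            sb.append("serviceName=").append(jaasQuoted(str2)).append("\n");
        }
        // Escaping keeps backslash-separated paths intact inside the quoted value.
        sb.append("keyTab=").append(jaasQuoted(file.getAbsolutePath())).append("\n");
        sb.append("principal=").append(jaasQuoted(str)).append("\n");
        sb.append("storeKey=\"true\"\n");
        sb.append("useKeyTab=\"true\";\n");
        return sb.toString();
    }

    /**
     * Builds an {@code OAuthBearerLoginModule} JAAS configuration entry for a client.
     *
     * @param str client id
     * @param str2 client secret; it appears in plaintext in the returned string
     * @return the JAAS configuration text, terminated by {@code ;}
     */
    public static String oauthBearerSaslJaasConfig(String str, String str2) {
        return "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required\nclientId=" + jaasQuoted(str) + "\nclientSecret=" + jaasQuoted(str2) + ";";
    }

    /**
     * Resets JVM-wide security state that one test could otherwise leak into the next: clears every
     * system property whose name starts with {@code java.security.krb5}, clears the OAuth bearer
     * allowed-URLs property, closes all cached logins, unsets the JAAS {@link Configuration} and
     * removes the {@code ConfluentTrustProvider} security provider.
     */
    public static void clearSecurityConfigs() {
        System.getProperties().stringPropertyNames().stream()
                .filter(name -> name.startsWith("java.security.krb5"))
                .forEach(System::clearProperty);
        System.clearProperty("org.apache.kafka.sasl.oauthbearer.allowed.urls");
        LoginManager.closeAll();
        Configuration.setConfiguration((Configuration) null);
        Security.removeProvider("ConfluentTrustProvider");
    }

    /**
     * Blocks until the authorizer's view of an ACL reaches the requested state.
     *
     * <p>An entry counts as matching when it is bound to {@code resourcePattern}, has the given
     * operation and its principal string equals {@code kafkaPrincipal.toString()}. Permission type
     * and host are not compared.
     *
     * @param authorizer authorizer to query
     * @param kafkaPrincipal principal the entry must name
     * @param resourcePattern resource whose bindings are listed
     * @param aclOperation operation the entry must carry
     * @param z the wait ends once "a matching entry exists" differs from this value, so pass
     *     {@code false} to wait for the entry to appear and {@code true} to wait for it to go away
     * @throws RuntimeException if the wait is interrupted; the thread's interrupt flag is restored
     */
    public static void waitForAclUpdate(Authorizer authorizer, KafkaPrincipal kafkaPrincipal, ResourcePattern resourcePattern, AclOperation aclOperation, boolean z) {
        try {
            TestUtils.waitForCondition(() -> {
                boolean found = false;
                for (AclBinding binding : authorizer.acls(new AclBindingFilter(resourcePattern.toFilter(), AccessControlEntryFilter.ANY))) {
                    AccessControlEntry entry = binding.entry();
                    if (entry.operation().equals(aclOperation) && entry.principal().equals(kafkaPrincipal.toString())) {
                        found = true;
                        break;
                    }
                }
                return z != found;
            }, "ACLs not updated");
        } catch (InterruptedException e) {
            // Restore the flag so callers further up the stack can still observe the interruption.
            Thread.currentThread().interrupt();
            throw new RuntimeException("Wait was interrupted", e);
        }
    }

    /**
     * Asserts that every {@code licenseStatus} gauge in the default Yammer registry reports the
     * expected status, compared as the lower-cased enum name.
     *
     * @param embeddedKafkaCluster not used by this method
     * @param licenseStatus expected status, or {@code null} to skip the assertion
     */
    public static void verifyConfluentLicense(EmbeddedKafkaCluster embeddedKafkaCluster, ConfluentLicenseValidator.LicenseStatus licenseStatus) {
        // Keyed by metric group; Collectors.toMap rejects two licenseStatus metrics in the same group.
        Map map = (Map) KafkaYammerMetrics.defaultRegistry().allMetrics().entrySet().stream().filter(entry -> {
            return ((MetricName) entry.getKey()).getName().equals("licenseStatus");
        }).collect(Collectors.toMap(entry2 -> {
            return ((MetricName) entry2.getKey()).getGroup();
        }, (v0) -> {
            return v0.getValue();
        }));
        // NOTE(review): when no licenseStatus gauge is registered the map is empty and the check
        // passes without asserting anything -- confirm callers do not rely on it to prove the metric exists.
        if (licenseStatus != null) {
            map.forEach((str, metric) -> {
                Assertions.assertEquals(licenseStatus.name().toLowerCase(Locale.ROOT), ((Gauge) metric).value(), "Unexpected license metric for " + str);
            });
        }
    }

    /**
     * Adds broker-side OAuth bearer settings to a configuration map: the enabled SASL mechanisms and,
     * under the given listener prefix, the login and validator callback handlers plus a JAAS entry
     * pointing at the container's public key file.
     *
     * @param map broker configuration to modify in place
     * @param list value stored under {@code sasl.enabled.mechanisms}
     * @param str key prefix placed before {@code .oauthbearer.sasl.*}
     * @param jwsContainer source of the public key file path
     */
    public static void attachServerOAuthConfigs(Map<String, Object> map, List<String> list, String str, OAuthUtils.JwsContainer jwsContainer) {
        map.put("sasl.enabled.mechanisms", list);
        map.put(str + ".oauthbearer.sasl.login.callback.handler.class", OAuthBearerServerLoginCallbackHandler.class.getName());
        map.put(str + ".oauthbearer.sasl.server.callback.handler.class", OAuthBearerValidatorCallbackHandler.class.getName());
        map.put(str + ".oauthbearer.sasl.jaas.config", "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required publicKeyPath=" + jaasQuoted(jwsContainer.getPublicKeyFile().toPath()) + ";");
    }

    /**
     * Adds client-side OAuth bearer settings to a configuration map: the SASL mechanism, the login
     * callback handler and a JAAS entry carrying the container's token and the cluster value.
     *
     * <p>The token is stored in plaintext under {@code sasl.jaas.config}; avoid printing the map.
     *
     * @param map client configuration to modify in place
     * @param str value stored under {@code sasl.mechanism}
     * @param jwsContainer source of the JWS token
     * @param str2 value of the {@code cluster} JAAS option
     */
    public static void attachMechanisms(Map<String, Object> map, String str, OAuthUtils.JwsContainer jwsContainer, String str2) {
        map.put("sasl.mechanism", str);
        map.put("sasl.login.callback.handler.class", OAuthBearerLoginCallbackHandler.class.getName());
        map.put("sasl.jaas.config", "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule Required token=" + jaasQuoted(jwsContainer.getJwsToken()) + " cluster=" + jaasQuoted(str2) + ";");
    }
}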
