package io.confluent.kafka.server.plugins.auth;

import java.util.Optional;
import org.apache.kafka.common.security.authenticator.PathAwareSniHostName;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;

/* loaded from: input_file:io/confluent/kafka/server/plugins/auth/SniValidationModeTest.class */
public class SniValidationModeTest {
    private static final String UNRECOGNIZED_MODE = "unrecognized_mode";
    private static final String EXPECTED_LKC = "lkc-123";
    private static final String WRONG_LKC = "lkc-wrong";
    private static final String WRONG_PKC = "pkc-wrong";
    private static final String HOST_NAME_SUFFIX = "-00aa.confluent.io";

    @Test
    public void fromStringTest() {
        Assertions.assertEquals(SniValidationMode.OPTIONAL_VALIDATION, SniValidationMode.fromString((String) null), "Should return optional_validation if input is null");
        Assertions.assertEquals(SniValidationMode.OPTIONAL_VALIDATION, SniValidationMode.fromString(UNRECOGNIZED_MODE), "Should return optional_validation if input is not recognized");
        Assertions.assertEquals(SniValidationMode.OPTIONAL_VALIDATION, SniValidationMode.fromString(SniValidationMode.OPTIONAL_VALIDATION.getText()), "Should parse optional_validation successfully");
        Assertions.assertEquals(SniValidationMode.ALLOW_LEGACY_BOOTSTRAP, SniValidationMode.fromString(SniValidationMode.ALLOW_LEGACY_BOOTSTRAP.getText()), "Should parse allow_legacy_bootstrap successfully");
        Assertions.assertEquals(SniValidationMode.STRICT, SniValidationMode.fromString(SniValidationMode.STRICT.getText()), "Should parse strict successfully");
    }

    @Test
    public void isSniHostNameMatchedOptionalTest() {
        Assertions.assertTrue(SniValidationMode.OPTIONAL_VALIDATION.sniHostNameMatches(EXPECTED_LKC, Optional.of(EXPECTED_LKC), constructSNIHostNameFor(EXPECTED_LKC)), "SNI hostname should match if the supplied cluster name is the same as expected in optional mode");
        Assertions.assertTrue(SniValidationMode.OPTIONAL_VALIDATION.sniHostNameMatches(EXPECTED_LKC, Optional.empty(), constructSNIHostNameFor(WRONG_PKC)), "SNI hostname should match regardless in optional mode");
        Assertions.assertTrue(SniValidationMode.OPTIONAL_VALIDATION.sniHostNameMatches(EXPECTED_LKC, Optional.empty(), Optional.empty()), "SNI hostname should match if hostname is empty in optional mode");
        Assertions.assertFalse(SniValidationMode.OPTIONAL_VALIDATION.sniHostNameMatches(EXPECTED_LKC, Optional.of(WRONG_LKC), constructSNIHostNameFor(WRONG_LKC)), "SNI hostname shouldn't match in optional mode if supplied cluster name is different from expected");
    }

    @Test
    public void isSniHostNameMatchedLegacyTest() {
        Assertions.assertTrue(SniValidationMode.ALLOW_LEGACY_BOOTSTRAP.sniHostNameMatches(EXPECTED_LKC, Optional.of(EXPECTED_LKC), constructSNIHostNameFor(EXPECTED_LKC)), "SNI hostname should match if supplied cluster name is the same as expected in legacy mode");
        Assertions.assertTrue(SniValidationMode.ALLOW_LEGACY_BOOTSTRAP.sniHostNameMatches(EXPECTED_LKC, Optional.empty(), constructSNIHostNameFor(WRONG_PKC)), "SNI hostname should match in legacy mode if supplied cluster name starts with `pkc-`. We accept any SNI hostname that starts with `pkc-` since it is the bootstrap path and we don't have a mapping for the correct PKC.");
        Assertions.assertFalse(SniValidationMode.ALLOW_LEGACY_BOOTSTRAP.sniHostNameMatches(EXPECTED_LKC, Optional.of(WRONG_LKC), constructSNIHostNameFor(WRONG_LKC)), "SNI hostname shouldn't match in legacy mode if supplied cluster name is different from expected");
        Assertions.assertFalse(SniValidationMode.ALLOW_LEGACY_BOOTSTRAP.sniHostNameMatches(EXPECTED_LKC, Optional.empty(), Optional.empty()), "SNI hostname shouldn't match in legacy mode if cluster name is not supplied");
    }

    @Test
    public void isSniHostNameMatchedStrictTest() {
        Assertions.assertTrue(SniValidationMode.STRICT.sniHostNameMatches(EXPECTED_LKC, Optional.of(EXPECTED_LKC), constructSNIHostNameFor(EXPECTED_LKC)), "SNI hostname should match if the supplied cluster name is the same as expected in strict mode");
        Assertions.assertFalse(SniValidationMode.STRICT.sniHostNameMatches(EXPECTED_LKC, Optional.of(WRONG_LKC), constructSNIHostNameFor(WRONG_LKC)), "SNI hostname shouldn't match if the supplied cluster name is not the same as expected in strict mode");
        Assertions.assertFalse(SniValidationMode.STRICT.sniHostNameMatches(EXPECTED_LKC, Optional.empty(), constructSNIHostNameFor(WRONG_PKC)), "SNI hostname shouldn't match if supplied cluster name is not the same as expected even if it starts with `pkc-` in strict mode");
        Assertions.assertFalse(SniValidationMode.STRICT.sniHostNameMatches(EXPECTED_LKC, Optional.empty(), Optional.empty()), "SNI hostname shouldn't match if supplied cluster name is not supplied in strict mode");
    }

    private Optional<PathAwareSniHostName> constructSNIHostNameFor(String str) {
        return Optional.of(new PathAwareSniHostName(str + "-00aa.confluent.io"));
    }
}
