package io.confluent.rest;

import java.util.Properties;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.Invocation;
import javax.ws.rs.core.Configurable;
import javax.ws.rs.core.Response;
import org.eclipse.jetty.server.Server;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;

/* loaded from: input_file:io/confluent/rest/CsrfHandlingTest.class */
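/**
 * End-to-end tests for the CSRF protection that is switched on by the
 * {@code csrf.prevention.enable} property.
 *
 * <p>Each test starts a real Jetty server hosting {@link TestResource} and talks to it over HTTP.
 * As exercised here, the protocol is:
 * <ul>
 *   <li>{@code GET /csrf} with a session identifier in {@code X-Requested-By} returns a token in
 *       the {@code X-CONFLUENT-CSRF-TOKEN} response header;</li>
 *   <li>a {@code POST} must carry the same session identifier in {@code X-Requested-By} and the
 *       token in {@code X-Requested-With};</li>
 *   <li>a {@code GET} to an ordinary resource is served without either header.</li>
 * </ul>
 *
 * <p>NOTE(review): every rejection is pinned to HTTP 500 because that is what the server returns
 * in these tests. A refused client request is conventionally a 4xx (403); with 500, CSRF
 * rejections are hard to tell apart from genuine server faults in logs and alerting. Worth
 * raising against the handler rather than changing the assertions here.
 *
 * <p>NOTE(review): coverage gaps a security reviewer would want closed - none of the tests below
 * presents a token issued for one session identifier together with a different identifier, and
 * none covers token expiry or state-changing methods other than POST. Whether the handler
 * rejects those cases cannot be told from this file.
 */
public class CsrfHandlingTest {
    /** Request header carrying the caller's session identifier. */
    private static final String REQUESTER_HEADER = "X-Requested-By";
    /** Request header carrying the CSRF token on state-changing requests. */
    private static final String TOKEN_REQUEST_HEADER = "X-Requested-With";
    /** Response header in which the token endpoint hands out a token. */
    private static final String TOKEN_RESPONSE_HEADER = "X-CONFLUENT-CSRF-TOKEN";
    /** Session identifier used by the POST tests. */
    private static final String SESSION_ID = "user-session-1";

    TestRestConfig config;
    CsrfApplication app;
    private Server server;
    // One client per test, closed in tearDown(). Previously every request built its own client
    // and none of them was ever closed.
    private Client client;

    /** Minimal application that registers {@link TestResource} and remembers its resource config. */
    public static class CsrfApplication extends Application<TestRestConfig> {
        // Kept so the test client can be built from the same JAX-RS configuration as the server.
        Configurable<?> resourceConfig;

        CsrfApplication(TestRestConfig testRestConfig) {
            super(testRestConfig);
        }

        // The decompiler-emitted synthetic bridge overload was dropped: the compiler generates it
        // again, and spelling it out in source clashes with this method's erasure.
        @Override
        public void setupResources(Configurable<?> configurable, TestRestConfig testRestConfig) {
            this.resourceConfig = configurable;
            configurable.register(TestResource.class);
        }
    }

    /** Resource with one safe (GET) and one state-changing (POST) endpoint on the same path. */
    @Path("/")
    public static class TestResource {
        @GET
        @Path("/ping")
        public String getPing() {
            return "pong";
        }

        @POST
        @Path("/ping")
        public String postPing() {
            return "pong";
        }
    }

    /**
     * Starts the server with CSRF prevention enabled and creates the shared test client.
     *
     * @throws Exception if the server cannot be created or started
     */
    @BeforeEach
    public void setUp() throws Exception {
        Properties properties = new Properties();
        properties.setProperty("csrf.prevention.enable", "true");
        // The rejection tests match on the exception text in the response body, so error detail
        // must not be suppressed here. Test-only setting: exposing exception detail to clients is
        // an information leak in a real deployment.
        properties.setProperty("suppress.stack.trace.response", "false");
        this.config = TestRestConfig.maprCompatible(properties);
        this.app = new CsrfApplication(this.config);
        this.server = this.app.createServer();
        this.server.start();
        this.client = ClientBuilder.newClient(this.app.resourceConfig.getConfiguration());
    }

    /**
     * Releases the client and stops the server. Null checks keep a failed {@link #setUp()} from
     * being masked by a {@link NullPointerException} raised here.
     *
     * @throws Exception if the server fails to stop
     */
    @AfterEach
    public void tearDown() throws Exception {
        try {
            if (this.client != null) {
                this.client.close();
            }
        } finally {
            if (this.server != null) {
                this.server.stop();
                this.server.join();
            }
        }
    }

    /** A POST carrying the session identifier and a token fetched for it is served. */
    @Test
    public void testRequestWithValidToken() {
        Response response = request("ping")
                .header(REQUESTER_HEADER, SESSION_ID)
                .header(TOKEN_REQUEST_HEADER, getToken(SESSION_ID))
                .method("POST");
        String body = response.readEntity(String.class);
        Assertions.assertEquals(200, response.getStatus(), body);
        Assertions.assertEquals("pong", body);
    }

    /** A POST without the token header is rejected. */
    @Test
    public void testRequestMissingCsrfTokenException() {
        Response response = request("ping")
                .header(REQUESTER_HEADER, SESSION_ID)
                .method("POST");
        assertRejected(response, "Missing CSRF token in request header X-Requested-With");
    }

    /** A POST with a token but no session identifier is rejected. */
    @Test
    public void testRequestMissingRequesterException() {
        Response response = request("ping")
                .header(TOKEN_REQUEST_HEADER, getToken(SESSION_ID))
                .method("POST");
        assertRejected(response, "Missing user session identifier in request header X-Requested-By");
    }

    /** A POST whose token was never issued by the server is rejected. */
    @Test
    public void testRequestInvalidCsrfTokenException() {
        Response response = request("ping")
                .header(REQUESTER_HEADER, SESSION_ID)
                .header(TOKEN_REQUEST_HEADER, "invalid token")
                .method("POST");
        assertRejected(response, "Invalid CSRF token in request header X-Requested-With");
    }

    /**
     * A GET is served without any CSRF header.
     *
     * <p>This exemption is only sound while GET handlers have no side effects; a GET endpoint that
     * changes state would sit outside the protection tested in this class.
     */
    @Test
    public void testGetByPassesCheck() {
        Response response = request("ping").get();
        String body = response.readEntity(String.class);
        Assertions.assertEquals(200, response.getStatus(), body);
        Assertions.assertEquals("pong", body);
    }

    /** The token endpoint answers 200 and sets the token header when a session identifier is sent. */
    @Test
    public void testCsrfTokenFetchRequest() {
        Response response = request("/csrf").header(REQUESTER_HEADER, "test-session").get();
        try {
            String headerString = response.getHeaderString(TOKEN_RESPONSE_HEADER);
            Assertions.assertEquals(200, response.getStatus());
            Assertions.assertNotNull(headerString);
        } finally {
            // The entity is never read in this test, so release the connection explicitly.
            response.close();
        }
    }

    /** The token endpoint issues no token when the session identifier header is absent. */
    @Test
    public void testCsrfTokenFetchMissingRequester() {
        Response response = request("/csrf").get();
        Assertions.assertNull(response.getHeaderString(TOKEN_RESPONSE_HEADER));
        assertRejected(response, "Missing user session identifier in request header X-Requested-By");
    }

    /**
     * Fetches a CSRF token for the given session identifier from the token endpoint.
     *
     * @param str session identifier sent in {@code X-Requested-By}
     * @return the token from the {@code X-CONFLUENT-CSRF-TOKEN} response header, never {@code null}
     */
    private String getToken(String str) {
        Response response = request("/csrf").header(REQUESTER_HEADER, str).get();
        try {
            String token = response.getHeaderString(TOKEN_RESPONSE_HEADER);
            // Fail here rather than let a null token silently drop the header from the caller's
            // request, which would turn the caller into a different test than the one intended.
            Assertions.assertNotNull(
                    token, "token endpoint returned no " + TOKEN_RESPONSE_HEADER + " header");
            return token;
        } finally {
            response.close();
        }
    }

    /** Builds a request against {@code path} on the server started for the current test. */
    private Invocation.Builder request(String path) {
        return this.client.target(this.server.getURI()).path(path).request();
    }

    /**
     * Asserts that the server refused the request with the status and message these tests expect.
     * The response body is attached to any failure so the actual server error is visible.
     */
    private static void assertRejected(Response response, String expectedMessage) {
        String body = response.readEntity(String.class);
        Assertions.assertEquals(500, response.getStatus(), body);
        Assertions.assertTrue(body.contains(expectedMessage), body);
    }
}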
