package org.apache.kafka.common.security.oauthbearer.internals.unsecured;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.kafka.common.security.authenticator.TestJaasConfig;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback;
import org.apache.kafka.common.utils.MockTime;
import org.apache.kafka.common.utils.Time;
import org.junit.Assert;
import org.junit.Test;

/* loaded from: input_file:org/apache/kafka/common/security/oauthbearer/internals/unsecured/OAuthBearerUnsecuredValidatorCallbackHandlerTest.class */
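/**
 * Unit tests for {@link OAuthBearerUnsecuredValidatorCallbackHandler}.
 *
 * <p>Every token built in this class is an unsecured JWS: the header is {@code {"alg":"none"}} and
 * the compact serialization ends with an empty signature segment (see {@code validationResult}).
 * The tests therefore cover claim validation only (principal claim, expiration time and required
 * scope). Nothing here exercises signature verification, so a passing run says nothing about
 * resistance to forged tokens; the unsecured handler is meant for development and test setups.
 */
public class OAuthBearerUnsecuredValidatorCallbackHandlerTest {
    private static final String QUOTE = "\"";
    private static final Map<String, String> MODULE_OPTIONS_MAP_NO_SCOPE_REQUIRED;
    private static final Map<String, String> MODULE_OPTIONS_MAP_REQUIRE_EXISTING_SCOPE;
    private static final Map<String, String> MODULE_OPTIONS_MAP_REQUIRE_ADDITIONAL_SCOPE;
    // JOSE header declaring that the token carries no signature at all.
    private static final String UNSECURED_JWT_HEADER_JSON = "{" + claimOrHeaderText("alg", "none") + "}";
    private static final Time MOCK_TIME = new MockTime();
    private static final String PRINCIPAL_CLAIM_VALUE = "username";
    private static final String PRINCIPAL_CLAIM_TEXT = claimOrHeaderText("principal", PRINCIPAL_CLAIM_VALUE);
    private static final String SUB_CLAIM_TEXT = claimOrHeaderText("sub", PRINCIPAL_CLAIM_VALUE);
    // A numeric principal claim: present, but not a string.
    private static final String BAD_PRINCIPAL_CLAIM_TEXT = claimOrHeaderText("principal", (Number) 1);
    // Added as-is to a time expressed in seconds (see expClaimText), so the resulting "exp" lies
    // 3,600,000 seconds after MOCK_TIME's current time.
    private static final long LIFETIME_SECONDS_TO_USE = 3600000;
    private static final String EXPIRATION_TIME_CLAIM_TEXT = expClaimText(LIFETIME_SECONDS_TO_USE);
    // "exp" equal to the mock clock's current time.
    private static final String TOO_EARLY_EXPIRATION_TIME_CLAIM_TEXT = expClaimText(0);
    private static final String ISSUED_AT_CLAIM_TEXT = claimOrHeaderText("iat", Double.valueOf(MOCK_TIME.milliseconds() / 1000.0d));
    private static final String SCOPE_CLAIM_TEXT = claimOrHeaderText("scope", "scope1");

    /** A token with a string principal and a future "exp" is accepted, with or without "iat". */
    @Test
    public void validToken() {
        for (boolean includeIssuedAt : new boolean[] {true, false}) {
            String claimsJson = "{" + PRINCIPAL_CLAIM_TEXT + comma(EXPIRATION_TIME_CLAIM_TEXT)
                    + (includeIssuedAt ? comma(ISSUED_AT_CLAIM_TEXT) : "") + "}";
            assertAcceptedForExpectedPrincipal(
                    validationResult(UNSECURED_JWT_HEADER_JSON, claimsJson, MODULE_OPTIONS_MAP_NO_SCOPE_REQUIRED));
        }
    }

    /** A token whose principal claim is numeric, or absent altogether, is rejected. */
    @Test
    public void badOrMissingPrincipal() throws IOException, UnsupportedCallbackException {
        for (boolean includeBadPrincipal : new boolean[] {true, false}) {
            String claimsJson = "{" + EXPIRATION_TIME_CLAIM_TEXT
                    + (includeBadPrincipal ? comma(BAD_PRINCIPAL_CLAIM_TEXT) : "") + "}";
            confirmFailsValidation(UNSECURED_JWT_HEADER_JSON, claimsJson, MODULE_OPTIONS_MAP_NO_SCOPE_REQUIRED);
        }
    }

    /** A token whose "exp" equals the mock clock's current time is rejected. */
    @Test
    public void tooEarlyExpirationTime() throws IOException, UnsupportedCallbackException {
        String claimsJson = "{" + PRINCIPAL_CLAIM_TEXT + comma(ISSUED_AT_CLAIM_TEXT)
                + comma(TOO_EARLY_EXPIRATION_TIME_CLAIM_TEXT) + "}";
        confirmFailsValidation(UNSECURED_JWT_HEADER_JSON, claimsJson, MODULE_OPTIONS_MAP_NO_SCOPE_REQUIRED);
    }

    /** A token carrying the single required scope is accepted. */
    @Test
    public void includesRequiredScope() {
        String claimsJson = "{" + SUB_CLAIM_TEXT + comma(EXPIRATION_TIME_CLAIM_TEXT) + comma(SCOPE_CLAIM_TEXT) + "}";
        assertAcceptedForExpectedPrincipal(
                validationResult(UNSECURED_JWT_HEADER_JSON, claimsJson, MODULE_OPTIONS_MAP_REQUIRE_EXISTING_SCOPE));
    }

    /** A token holding only "scope1" is rejected when both "scope1" and "scope2" are required. */
    @Test
    public void missingRequiredScope() throws IOException, UnsupportedCallbackException {
        String claimsJson = "{" + SUB_CLAIM_TEXT + comma(EXPIRATION_TIME_CLAIM_TEXT) + comma(SCOPE_CLAIM_TEXT) + "}";
        confirmFailsValidation(UNSECURED_JWT_HEADER_JSON, claimsJson, MODULE_OPTIONS_MAP_REQUIRE_ADDITIONAL_SCOPE,
                "[scope1, scope2]");
    }

    /**
     * Asserts that validation succeeded and that the accepted token names the expected principal.
     *
     * <p>Checking the principal, not just the token type, matters for an authentication component:
     * it ties the identity the handler reports to the claim the token actually carried.
     *
     * @param result the value returned by {@code validationResult}: a callback, or the exception
     *     that the handler threw
     */
    private static void assertAcceptedForExpectedPrincipal(Object result) {
        Assert.assertTrue(notACallbackMessage(result), result instanceof OAuthBearerValidatorCallback);
        OAuthBearerValidatorCallback callback = (OAuthBearerValidatorCallback) result;
        Assert.assertTrue("expected the accepted token to be an OAuthBearerUnsecuredJws",
                callback.token() instanceof OAuthBearerUnsecuredJws);
        Assert.assertEquals(PRINCIPAL_CLAIM_VALUE, callback.token().principalName());
    }

    /** Builds the failure message used when the handler threw instead of completing the callback. */
    private static String notACallbackMessage(Object result) {
        return "expected an OAuthBearerValidatorCallback but validation produced: " + result;
    }

    /** Confirms rejection with the "invalid_token" status and no error scope. */
    private static void confirmFailsValidation(String headerJson, String claimsJson, Map<String, String> moduleOptionsMap) throws OAuthBearerConfigException, OAuthBearerIllegalTokenException, IOException, UnsupportedCallbackException {
        confirmFailsValidation(headerJson, claimsJson, moduleOptionsMap, null);
    }

    /**
     * Confirms that the token is rejected and that the callback reports the expected error.
     *
     * @param headerJson JOSE header JSON
     * @param claimsJson claims JSON
     * @param moduleOptionsMap JAAS login module options used to configure the handler
     * @param optionalFailureScope {@code null} to expect "invalid_token" with no error scope;
     *     otherwise the error scope expected alongside "insufficient_scope"
     */
    private static void confirmFailsValidation(String headerJson, String claimsJson, Map<String, String> moduleOptionsMap, String optionalFailureScope) throws OAuthBearerConfigException, OAuthBearerIllegalTokenException {
        Object result = validationResult(headerJson, claimsJson, moduleOptionsMap);
        Assert.assertTrue(notACallbackMessage(result), result instanceof OAuthBearerValidatorCallback);
        OAuthBearerValidatorCallback callback = (OAuthBearerValidatorCallback) result;
        // A rejected token must never be exposed through the callback.
        Assert.assertNull(callback.token());
        Assert.assertNull(callback.errorOpenIDConfiguration());
        if (optionalFailureScope == null) {
            Assert.assertEquals("invalid_token", callback.errorStatus());
            Assert.assertNull(callback.errorScope());
        } else {
            Assert.assertEquals("insufficient_scope", callback.errorStatus());
            Assert.assertEquals(optionalFailureScope, callback.errorScope());
        }
    }

    /**
     * Serializes the header and claims as an unsecured JWS and runs it through a freshly configured
     * handler.
     *
     * @return the completed callback, or the exception thrown while building or handling it;
     *     callers assert on the returned type instead of catching
     */
    private static Object validationResult(String headerJson, String claimsJson, Map<String, String> moduleOptionsMap) {
        Base64.Encoder urlEncoderNoPadding = Base64.getUrlEncoder().withoutPadding();
        try {
            // "header.claims." : the trailing dot leaves the signature segment empty.
            String tokenValue = String.format("%s.%s.",
                    urlEncoderNoPadding.encodeToString(headerJson.getBytes(StandardCharsets.UTF_8)),
                    urlEncoderNoPadding.encodeToString(claimsJson.getBytes(StandardCharsets.UTF_8)));
            OAuthBearerValidatorCallback callback = new OAuthBearerValidatorCallback(tokenValue);
            createCallbackHandler(moduleOptionsMap).handle(new Callback[] {callback});
            return callback;
        } catch (Exception e) {
            return e;
        }
    }

    /** Creates a validator handler configured from a "KafkaClient" JAAS entry with the given options. */
    private static OAuthBearerUnsecuredValidatorCallbackHandler createCallbackHandler(Map<String, String> moduleOptionsMap) {
        TestJaasConfig jaasConfig = new TestJaasConfig();
        // NOTE(review): TestJaasConfig is not visible here; if createOrUpdateEntry declares a
        // differently parameterized Map, this argument needs an explicit conversion. Confirm.
        jaasConfig.createOrUpdateEntry("KafkaClient", "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule", moduleOptionsMap);
        OAuthBearerUnsecuredValidatorCallbackHandler handler = new OAuthBearerUnsecuredValidatorCallbackHandler();
        handler.configure(Collections.emptyMap(), "OAUTHBEARER", Arrays.asList(jaasConfig.getAppConfigurationEntry("KafkaClient")[0]));
        return handler;
    }

    /** Prefixes a claim with the comma that separates it from the preceding one. */
    private static String comma(String claimText) {
        return "," + claimText;
    }

    /** Renders {@code "name":value} with an unquoted numeric value. */
    private static String claimOrHeaderText(String name, Number value) {
        return QUOTE + name + QUOTE + ":" + value;
    }

    /** Renders {@code "name":"value"}; the value is inserted verbatim, without JSON escaping. */
    private static String claimOrHeaderText(String name, String value) {
        return QUOTE + name + QUOTE + ":" + QUOTE + value + QUOTE;
    }

    /** Renders an "exp" claim set to the mock clock's current time in seconds plus the offset. */
    private static String expClaimText(long lifetimeSeconds) {
        return claimOrHeaderText("exp", Double.valueOf((MOCK_TIME.milliseconds() / 1000.0d) + lifetimeSeconds));
    }

    static {
        // Typed maps replace the raw HashMap instances, removing the unchecked conversions.
        Map<String, String> noScopeRequired = new HashMap<>();
        noScopeRequired.put("unsecuredValidatorPrincipalClaimName", "principal");
        noScopeRequired.put("unsecuredValidatorAllowableClockSkewMs", "1");
        MODULE_OPTIONS_MAP_NO_SCOPE_REQUIRED = Collections.unmodifiableMap(noScopeRequired);

        Map<String, String> requireExistingScope = new HashMap<>();
        requireExistingScope.put("unsecuredValidatorRequiredScope", "scope1");
        MODULE_OPTIONS_MAP_REQUIRE_EXISTING_SCOPE = Collections.unmodifiableMap(requireExistingScope);

        Map<String, String> requireAdditionalScope = new HashMap<>();
        requireAdditionalScope.put("unsecuredValidatorRequiredScope", "scope1 scope2");
        MODULE_OPTIONS_MAP_REQUIRE_ADDITIONAL_SCOPE = Collections.unmodifiableMap(requireAdditionalScope);
    }
}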
