package org.apache.kafka.common.security.oauthbearer.internals.secured;

import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
import org.jose4j.jwk.PublicJsonWebKey;
import org.jose4j.lang.InvalidAlgorithmException;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;

/* loaded from: input_file:org/apache/kafka/common/security/oauthbearer/internals/secured/ValidatorAccessTokenValidatorTest.class */
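/**
 * Tests {@link ValidatorAccessTokenValidator} against tokens produced by {@link AccessTokenBuilder}.
 *
 * <p>The cases cover two areas: which JWS {@code alg} values are accepted, and how the validator
 * treats the {@code iat}, {@code jti} and {@code aud} claims when they are, or are not, required.
 *
 * <p>Every validator built here is wired for testing only:
 * <ul>
 *   <li>the key resolver ignores the JWS header and always returns the builder's own key, so key
 *       selection (for example by {@code kid}) is not exercised by this class;</li>
 *   <li>the third constructor argument is {@code null}; NOTE(review): presumably the expected
 *       issuer, in which case issuer checking is not exercised here either. Confirm against the
 *       constructor;</li>
 *   <li>the first constructor argument is {@code 30}; NOTE(review): presumably the permitted clock
 *       skew in seconds. Confirm against the constructor.</li>
 * </ul>
 */
public class ValidatorAccessTokenValidatorTest extends AccessTokenValidatorTest {

    /**
     * Builds a validator with no expected audience and a caller-supplied map of boolean options.
     *
     * @param accessTokenBuilder source of the verification key and of the scope/subject claim names
     * @param map option flags handed to the validator unchanged; the tests in this class pass
     *     {@code "iatRequired"} or {@code "jtiRequired"}
     * @return the configured validator
     */
    protected AccessTokenValidator createAccessTokenValidator(AccessTokenBuilder accessTokenBuilder, Map<String, Boolean> map) {
        return new ValidatorAccessTokenValidator(
            30,
            Collections.emptySet(),
            (String) null,
            // Test-only resolver: always hands back the key the token was signed with.
            (jws, nestingContext) -> accessTokenBuilder.jwk().getKey(),
            accessTokenBuilder.scopeClaimName(),
            accessTokenBuilder.subjectClaimName(),
            map);
    }

    /**
     * Builds a validator whose expected-audience set holds the builder's audience, or is empty
     * when the builder has none.
     *
     * @param accessTokenBuilder source of the audience, the verification key and the claim names
     * @return the configured validator
     */
    protected AccessTokenValidator createAccessTokenValidatorWithAud(AccessTokenBuilder accessTokenBuilder) {
        // Typed set instead of a raw HashSet so the compiler checks what is placed in it.
        Set<String> expectedAudiences = new HashSet<>();
        if (accessTokenBuilder.audience() != null) {
            expectedAudiences.add(accessTokenBuilder.audience());
        }
        return new ValidatorAccessTokenValidator(
            30,
            expectedAudiences,
            (String) null,
            (jws, nestingContext) -> accessTokenBuilder.jwk().getKey(),
            accessTokenBuilder.scopeClaimName(),
            accessTokenBuilder.subjectClaimName());
    }

    /**
     * Builds the default validator used by the inherited tests: no expected audience and no
     * option map.
     *
     * @param accessTokenBuilder source of the verification key and of the scope/subject claim names
     * @return the configured validator
     */
    @Override
    protected AccessTokenValidator createAccessTokenValidator(AccessTokenBuilder accessTokenBuilder) {
        return new ValidatorAccessTokenValidator(
            30,
            Collections.emptySet(),
            (String) null,
            (jws, nestingContext) -> accessTokenBuilder.jwk().getKey(),
            accessTokenBuilder.scopeClaimName(),
            accessTokenBuilder.subjectClaimName());
    }

    // The three tests below say "Encryption" in their names, but RS256 and ES256 are JWS
    // signature algorithms: what is exercised is signature verification, not token encryption.

    /** An RSA-signed (RS256) token validates and its claims are carried through. */
    @Test
    public void testRsaEncryptionAlgorithm() throws Exception {
        testEncryptionAlgorithm(createRsaJwk(), "RS256");
    }

    /** An ECDSA-signed (ES256) token validates and its claims are carried through. */
    @Test
    public void testEcdsaEncryptionAlgorithm() throws Exception {
        testEncryptionAlgorithm(createEcJwk(), "ES256");
    }

    /**
     * An unrecognised {@code alg} value is rejected with {@link InvalidAlgorithmException}.
     * The test does not distinguish whether the failure comes from building the token or from
     * validating it.
     */
    @Test
    public void testInvalidEncryptionAlgorithm() throws Exception {
        PublicJsonWebKey jwk = createRsaJwk();
        assertThrowsWithMessage(
            InvalidAlgorithmException.class,
            () -> testEncryptionAlgorithm(jwk, "fake"),
            "fake is an unknown, unsupported or unavailable alg algorithm");
    }

    /**
     * With the subject claim name set to {@code client_id}, the principal is read from that
     * claim and a null subject on the builder does not fail validation.
     */
    @Test
    public void testMissingSubShouldBeValid() throws Exception {
        AccessTokenBuilder builder = new AccessTokenBuilder()
            .jwk(createRsaJwk())
            .alg("RS256")
            .addCustomClaim("client_id", "otherSub")
            .subjectClaimName("client_id")
            .subject(null);
        OAuthBearerToken token = createAccessTokenValidator(builder).validate(builder.build());
        Assertions.assertEquals("otherSub", token.principalName());
    }

    /** A token built with the builder's defaults validates when no {@code iatRequired} option is set. */
    @Test
    public void testIatNotRequiredButPresentInToken() throws Exception {
        AccessTokenBuilder builder = new AccessTokenBuilder().jwk(createRsaJwk()).alg("RS256").subject("sub");
        OAuthBearerToken token = createAccessTokenValidator(builder).validate(builder.build());
        Assertions.assertEquals("sub", token.principalName());
    }

    /** With {@code iatRequired} set, a token lacking {@code iat} is rejected. */
    @Test
    public void testIatRequiredButNotPresentInToken() throws Exception {
        PublicJsonWebKey jwk = createRsaJwk();
        // NOTE(review): the set given to the AccessTokenBuilder constructor appears to name the
        // claims to leave out of the built token; confirm against AccessTokenBuilder.
        Set<String> omittedClaims = new HashSet<>();
        omittedClaims.add("iat");
        AccessTokenBuilder builder = new AccessTokenBuilder(Collections.unmodifiableSet(omittedClaims))
            .jwk(jwk)
            .alg("RS256")
            .subject("sub");
        AccessTokenValidator validator = createAccessTokenValidator(builder, Collections.singletonMap("iatRequired", true));
        ValidateException thrown = Assertions.assertThrows(ValidateException.class, () -> validator.validate(builder.build()));
        Assertions.assertTrue(thrown.getMessage().contains("No Issued At (iat) claim present."));
    }

    /** A token carrying {@code jti} is accepted when {@code jti} is not required. */
    @Test
    public void testJtiNotRequiredButPresentInToken() throws Exception {
        AccessTokenBuilder builder = new AccessTokenBuilder()
            .jwtId("jti-uuid")
            .jwk(createRsaJwk())
            .alg("RS256")
            .subject("sub");
        OAuthBearerToken token = createAccessTokenValidator(builder).validate(builder.build());
        Assertions.assertEquals("sub", token.principalName());
    }

    /** With {@code jtiRequired} set, a token lacking {@code jti} is rejected. */
    @Test
    public void testJtiRequiredButNotPresentInToken() throws Exception {
        AccessTokenBuilder builder = new AccessTokenBuilder().jwk(createRsaJwk()).alg("RS256").subject("sub");
        AccessTokenValidator validator = createAccessTokenValidator(builder, Collections.singletonMap("jtiRequired", true));
        ValidateException thrown = Assertions.assertThrows(ValidateException.class, () -> validator.validate(builder.build()));
        Assertions.assertTrue(thrown.getMessage().contains("The JWT ID (jti) claim is not present."));
    }

    /**
     * A validator with an empty expected-audience set accepts a token that carries an
     * {@code aud} claim.
     *
     * <p>This pins the permissive behaviour: when no expected audience is configured, the
     * {@code aud} value in the token is not restricted. A deployment that must reject tokens
     * issued for a different service has to configure the expected audience.
     */
    @Test
    public void testAudNotRequiredButPresentInToken() throws Exception {
        PublicJsonWebKey jwk = createRsaJwk();
        // The validator is built from a builder with no audience, so its expected set is empty.
        AccessTokenBuilder validatorConfig = new AccessTokenBuilder().jwk(jwk).alg("RS256").subject("sub");
        AccessTokenValidator validator = createAccessTokenValidatorWithAud(validatorConfig);
        String serialized = new AccessTokenBuilder().jwk(jwk).audience("aud").alg("RS256").subject("sub").build();
        Assertions.assertEquals("sub", validator.validate(serialized).principalName());
    }

    /** A validator that expects audience {@code aud} rejects a token with no {@code aud} claim. */
    @Test
    public void testAudRequiredButNotPresentInToken() throws Exception {
        PublicJsonWebKey jwk = createRsaJwk();
        AccessTokenBuilder validatorConfig = new AccessTokenBuilder().jwk(jwk).audience("aud").alg("RS256").subject("sub");
        AccessTokenValidator validator = createAccessTokenValidatorWithAud(validatorConfig);
        // NOTE(review): as above, the constructor set appears to list claims omitted from the token.
        Set<String> omittedClaims = new HashSet<>();
        omittedClaims.add("aud");
        AccessTokenBuilder builder = new AccessTokenBuilder(omittedClaims).jwk(jwk).alg("RS256").subject("sub");
        ValidateException thrown = Assertions.assertThrows(ValidateException.class, () -> validator.validate(builder.build()));
        Assertions.assertTrue(thrown.getMessage().contains("No Audience (aud) claim present."));
    }

    /**
     * Builds a token signed with the given key and {@code alg}, validates it with the default
     * validator, and checks that subject, start time, lifetime and scope survive validation.
     *
     * @param publicJsonWebKey key used both to sign the token and, through the test resolver, to verify it
     * @param str JWS {@code alg} header value, for example {@code RS256}
     * @throws Exception if building or validating the token fails
     */
    private void testEncryptionAlgorithm(PublicJsonWebKey publicJsonWebKey, String str) throws Exception {
        AccessTokenBuilder builder = new AccessTokenBuilder().jwk(publicJsonWebKey).alg(str);
        OAuthBearerToken token = createAccessTokenValidator(builder).validate(builder.build());
        Assertions.assertEquals(builder.subject(), token.principalName());
        // The builder reports seconds while the token reports milliseconds.
        Assertions.assertEquals(builder.issuedAtSeconds().longValue() * 1000, token.startTimeMs());
        Assertions.assertEquals(builder.expirationSeconds().longValue() * 1000, token.lifetimeMs());
        Assertions.assertEquals(1, token.scope().size());
    }
}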
