package org.apache.hadoop.security.authentication.server;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.io.File;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Date;
import java.util.Properties;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.hadoop.minikdc.KerberosSecurityTestcase;
import org.apache.hadoop.security.authentication.KerberosTestUtils;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.mockito.Mockito;

/* JADX WARN: Classes with same name are omitted:
  input_file:test-classes/org/apache/hadoop/security/authentication/server/TestJWTRedirectAuthenticationHandler.class
 */
/* loaded from: input_file:hadoop-auth-2.10.0-tests.jar:org/apache/hadoop/security/authentication/server/TestJWTRedirectAuthenticationHandler.class */
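/**
 * Unit tests for {@link JWTRedirectAuthenticationHandler}.
 *
 * <p>Each test hands the handler a mocked servlet request carrying a JWT cookie and checks one of
 * three outcomes: an {@link AuthenticationToken} for the expected user, a redirect to the
 * configured authentication provider, or a {@link ServletException} caused by misconfiguration.
 * A fresh 2048-bit RSA key pair is generated before every test; tokens are signed with its
 * private half.
 */
public class TestJWTRedirectAuthenticationHandler extends KerberosSecurityTestcase {
    private static final String SERVICE_URL = "https://localhost:8888/resource";
    private static final String REDIRECT_LOCATION = "https://localhost:8443/authserver?originalUrl=https://localhost:8888/resource";
    /** Cookie name the tests use whenever JWT_COOKIE_NAME is not overridden. */
    private static final String DEFAULT_COOKIE_NAME = "hadoop-jwt";
    /** Offset from "now", in milliseconds, used for tokens that must still be unexpired. */
    private static final long VALID_FOR_MILLIS = 5000L;

    RSAPublicKey publicKey = null;
    RSAPrivateKey privateKey = null;
    JWTRedirectAuthenticationHandler handler = null;

    /** Without a provisioned verification key the handler must fail with a ServletException. */
    @Test
    public void testNoPublicKeyJWT() throws Exception {
        try {
            // init() stays inside the try: the expected ServletException may come from either call.
            this.handler.init(getProperties());
            HttpServletRequest request = requestWithCookie(DEFAULT_COOKIE_NAME, signedToken("bob", VALID_FOR_MILLIS));
            this.handler.alternateAuthenticate(request, mockResponse());
            Assert.fail("alternateAuthentication should have thrown a ServletException");
        } catch (ServletException e) {
            Assert.assertTrue(e.getMessage().contains("Public key for signature validation must be provisioned"));
        } catch (AuthenticationException e2) {
            Assert.fail("alternateAuthentication should NOT have thrown a AuthenticationException");
        }
    }

    /** A token delivered in a cookie whose name was set through JWT_COOKIE_NAME is accepted. */
    @Test
    public void testCustomCookieNameJWT() throws Exception {
        try {
            this.handler.setPublicKey(this.publicKey);
            Properties properties = getProperties();
            properties.put(JWTRedirectAuthenticationHandler.JWT_COOKIE_NAME, "jowt");
            this.handler.init(properties);
            HttpServletRequest request = requestWithCookie("jowt", signedToken("bob", VALID_FOR_MILLIS));
            Assert.assertEquals("bob", this.handler.alternateAuthenticate(request, mockResponse()).getUserName());
        } catch (AuthenticationException e) {
            Assert.fail("alternateAuthentication should NOT have thrown a AuthenticationException");
        } catch (ServletException e2) {
            Assert.fail("alternateAuthentication should NOT have thrown a ServletException: " + e2.getMessage());
        }
    }

    /** A configuration without the authentication provider URL must fail with a ServletException. */
    @Test
    public void testNoProviderURLJWT() throws Exception {
        try {
            this.handler.setPublicKey(this.publicKey);
            Properties properties = getProperties();
            properties.remove(JWTRedirectAuthenticationHandler.AUTHENTICATION_PROVIDER_URL);
            this.handler.init(properties);
            HttpServletRequest request = requestWithCookie(DEFAULT_COOKIE_NAME, signedToken("bob", VALID_FOR_MILLIS));
            this.handler.alternateAuthenticate(request, mockResponse());
            // The expected outcome is the ServletException asserted below, so the message names it.
            Assert.fail("alternateAuthentication should have thrown a ServletException");
        } catch (ServletException e) {
            Assert.assertTrue(e.getMessage().contains("Authentication provider URL must not be null"));
        } catch (AuthenticationException e2) {
            Assert.fail("alternateAuthentication should NOT have thrown a AuthenticationException");
        }
    }

    /** A cookie value that is not a well-formed JWT yields a redirect to the provider, not a token. */
    @Test
    public void testUnableToParseJWT() throws Exception {
        // NOTE(review): the handler is also given an unrelated verification key here, so the
        // redirect alone cannot tell a parse failure from a signature failure. Configuring
        // this.publicKey instead would isolate the parse path -- confirm before changing.
        this.handler.setPublicKey(unrelatedPublicKey());
        this.handler.init(getProperties());
        String corrupted = "ljm" + signedToken("bob", VALID_FOR_MILLIS);
        assertRedirectedToLogin(requestWithCookie(DEFAULT_COOKIE_NAME, corrupted));
    }

    /** A token signed by a key other than the configured one yields a redirect, not a token. */
    @Test
    public void testFailedSignatureValidationJWT() throws Exception {
        this.handler.setPublicKey(unrelatedPublicKey());
        this.handler.init(getProperties());
        assertRedirectedToLogin(requestWithCookie(DEFAULT_COOKIE_NAME, signedToken("bob", VALID_FOR_MILLIS)));
    }

    /** A correctly signed token whose expiration lies one second in the past yields a redirect. */
    @Test
    public void testExpiredJWT() throws Exception {
        this.handler.setPublicKey(this.publicKey);
        this.handler.init(getProperties());
        assertRedirectedToLogin(requestWithCookie(DEFAULT_COOKIE_NAME, signedToken("bob", -1000L)));
    }

    /**
     * A correctly signed token that carries no expiration is accepted.
     *
     * <p>NOTE(review): this pins the handler's acceptance of tokens that never expire. With that
     * behaviour, bounding a token's lifetime is entirely up to the issuer; deployments that need
     * a hard limit have to enforce it at the provider.
     */
    @Test
    public void testNoExpirationJWT() throws Exception {
        try {
            this.handler.setPublicKey(this.publicKey);
            this.handler.init(getProperties());
            String serialized = getJWT("bob", null, this.privateKey).serialize();
            HttpServletRequest request = requestWithCookie(DEFAULT_COOKIE_NAME, serialized);
            AuthenticationToken token = this.handler.alternateAuthenticate(request, mockResponse());
            Assert.assertNotNull("Token should not be null.", token);
            Assert.assertEquals("bob", token.getUserName());
        } catch (ServletException e) {
            Assert.fail("alternateAuthentication should NOT have thrown a ServletException");
        } catch (AuthenticationException e2) {
            Assert.fail("alternateAuthentication should NOT have thrown a AuthenticationException");
        }
    }

    /** A token whose audience ("bar") is not among the expected audiences ("foo") yields a redirect. */
    @Test
    public void testInvalidAudienceJWT() throws Exception {
        this.handler.setPublicKey(this.publicKey);
        Properties properties = getProperties();
        properties.put(JWTRedirectAuthenticationHandler.EXPECTED_JWT_AUDIENCES, "foo");
        this.handler.init(properties);
        assertRedirectedToLogin(requestWithCookie(DEFAULT_COOKIE_NAME, signedToken("bob", VALID_FOR_MILLIS)));
    }

    /** A token whose audience ("bar") matches the expected audience is accepted. */
    @Test
    public void testValidAudienceJWT() throws Exception {
        try {
            this.handler.setPublicKey(this.publicKey);
            Properties properties = getProperties();
            properties.put(JWTRedirectAuthenticationHandler.EXPECTED_JWT_AUDIENCES, "bar");
            this.handler.init(properties);
            HttpServletRequest request = requestWithCookie(DEFAULT_COOKIE_NAME, signedToken("bob", VALID_FOR_MILLIS));
            Assert.assertEquals("bob", this.handler.alternateAuthenticate(request, mockResponse()).getUserName());
        } catch (AuthenticationException e) {
            Assert.fail("alternateAuthentication should NOT have thrown an AuthenticationException");
        } catch (ServletException e2) {
            Assert.fail("alternateAuthentication should NOT have thrown a ServletException");
        }
    }

    /** A correctly signed, unexpired token authenticates as the token's subject. */
    @Test
    public void testValidJWT() throws Exception {
        try {
            this.handler.setPublicKey(this.publicKey);
            this.handler.init(getProperties());
            HttpServletRequest request = requestWithCookie(DEFAULT_COOKIE_NAME, signedToken("alice", VALID_FOR_MILLIS));
            AuthenticationToken token = this.handler.alternateAuthenticate(request, mockResponse());
            Assert.assertNotNull("Token should not be null.", token);
            Assert.assertEquals("alice", token.getUserName());
        } catch (AuthenticationException e) {
            Assert.fail("alternateAuthentication should NOT have thrown an AuthenticationException");
        } catch (ServletException e2) {
            Assert.fail("alternateAuthentication should NOT have thrown a ServletException.");
        }
    }

    /**
     * The login URL carries the original request URL including its query string.
     *
     * <p>NOTE(review): the expected value shows the original URL appended as-is (the second
     * {@code ?} is not percent-encoded), so the provider receives it exactly as the request
     * supplied it and should validate {@code originalUrl} before redirecting back to it.
     */
    @Test
    public void testOrigURLWithQueryString() throws Exception {
        this.handler.setPublicKey(this.publicKey);
        this.handler.init(getProperties());
        HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
        Mockito.when(request.getRequestURL()).thenReturn(new StringBuffer(SERVICE_URL));
        Mockito.when(request.getQueryString()).thenReturn("name=value");
        String loginUrl = this.handler.constructLoginURL(request);
        Assert.assertNotNull("loginURL should not be null.", loginUrl);
        Assert.assertEquals("https://localhost:8443/authserver?originalUrl=https://localhost:8888/resource?name=value", loginUrl);
    }

    /** With no query string the login URL carries just the original request URL. */
    @Test
    public void testOrigURLNoQueryString() throws Exception {
        this.handler.setPublicKey(this.publicKey);
        this.handler.init(getProperties());
        HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
        Mockito.when(request.getRequestURL()).thenReturn(new StringBuffer(SERVICE_URL));
        // Plain null: the decompiler's (Object) cast does not type-check against a String stub.
        Mockito.when(request.getQueryString()).thenReturn(null);
        String loginUrl = this.handler.constructLoginURL(request);
        Assert.assertNotNull("LoginURL should not be null.", loginUrl);
        Assert.assertEquals(REDIRECT_LOCATION, loginUrl);
    }

    /** Creates the Kerberos principals, a fresh RSA key pair and a new handler before each test. */
    @Before
    public void setup() throws Exception {
        setupKerberosRequirements();
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
        keyPairGenerator.initialize(2048);
        KeyPair keyPair = keyPairGenerator.genKeyPair();
        this.publicKey = (RSAPublicKey) keyPair.getPublic();
        this.privateKey = (RSAPrivateKey) keyPair.getPrivate();
        this.handler = new JWTRedirectAuthenticationHandler();
    }

    /** Registers the HTTP service principals in the test KDC, writing them to the test keytab file. */
    protected void setupKerberosRequirements() throws Exception {
        getKdc().createPrincipal(new File(KerberosTestUtils.getKeytabFile()), new String[]{"HTTP/host1", "HTTP/host2", "HTTP2/host1", "XHTTP/host"});
    }

    /** Destroys the handler created in {@link #setup()}. */
    @After
    public void teardown() throws Exception {
        this.handler.destroy();
    }

    /**
     * Builds the baseline handler configuration: provider URL, Kerberos principal and keytab.
     *
     * @return a new, mutable {@link Properties} instance that tests may adjust before init
     */
    protected Properties getProperties() {
        Properties properties = new Properties();
        properties.setProperty(JWTRedirectAuthenticationHandler.AUTHENTICATION_PROVIDER_URL, "https://localhost:8443/authserver");
        properties.setProperty(KerberosAuthenticationHandler.PRINCIPAL, KerberosTestUtils.getServerPrincipal());
        properties.setProperty(KerberosAuthenticationHandler.KEYTAB, KerberosTestUtils.getKeytabFile());
        return properties;
    }

    /**
     * Builds and signs an RS256 JWT with issuer {@code https://c2id.com}, scope {@code openid}
     * and audience {@code bar}.
     *
     * @param str the subject claim
     * @param date the expiration time; testNoExpirationJWT passes {@code null} to get a token
     *     without an expiration
     * @param rSAPrivateKey the key the token is signed with
     * @return the signed token
     * @throws Exception if signing fails
     */
    protected SignedJWT getJWT(String str, Date date, RSAPrivateKey rSAPrivateKey) throws Exception {
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .subject(str)
                .issueTime(new Date())
                .issuer("https://c2id.com")
                .claim("scope", "openid")
                .audience("bar")
                .expirationTime(date)
                .build();
        SignedJWT signedJWT = new SignedJWT(new JWSHeader.Builder(JWSAlgorithm.RS256).build(), claims);
        signedJWT.sign(new RSASSASigner(rSAPrivateKey));
        return signedJWT;
    }

    /** Serializes a token for {@code subject}, signed with the per-test key, expiring at now + offset. */
    private String signedToken(String subject, long expiryOffsetMillis) throws Exception {
        Date expiry = new Date(System.currentTimeMillis() + expiryOffsetMillis);
        return getJWT(subject, expiry, this.privateKey).serialize();
    }

    /** Generates the public half of a new key pair that did not sign any test token. */
    private static RSAPublicKey unrelatedPublicKey() throws NoSuchAlgorithmException {
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
        keyPairGenerator.initialize(2048);
        return (RSAPublicKey) keyPairGenerator.genKeyPair().getPublic();
    }

    /** Mocks a request for SERVICE_URL that carries a single cookie with the given name and value. */
    private static HttpServletRequest requestWithCookie(String cookieName, String cookieValue) {
        HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
        Mockito.when(request.getCookies()).thenReturn(new Cookie[]{new Cookie(cookieName, cookieValue)});
        Mockito.when(request.getRequestURL()).thenReturn(new StringBuffer(SERVICE_URL));
        return request;
    }

    /** Mocks a response whose encodeRedirectURL returns SERVICE_URL unchanged. */
    private static HttpServletResponse mockResponse() {
        HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
        Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn(SERVICE_URL);
        return response;
    }

    /**
     * Runs the request through the (already initialised) handler and verifies that the response
     * was redirected to REDIRECT_LOCATION without the handler throwing.
     *
     * <p>NOTE(review): the returned token is not inspected; asserting that it is {@code null}
     * would also pin that a rejected JWT never produces a token -- confirm against the handler.
     */
    private void assertRedirectedToLogin(HttpServletRequest request) throws Exception {
        HttpServletResponse response = mockResponse();
        try {
            this.handler.alternateAuthenticate(request, response);
            Mockito.verify(response).sendRedirect(REDIRECT_LOCATION);
        } catch (ServletException e) {
            Assert.fail("alternateAuthentication should NOT have thrown a ServletException");
        } catch (AuthenticationException e2) {
            Assert.fail("alternateAuthentication should NOT have thrown a AuthenticationException");
        }
    }
}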
