package org.apache.kafka.common.security.oauthbearer.internals;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import org.apache.kafka.common.config.types.Password;
import org.apache.kafka.common.errors.SaslAuthenticationException;
import org.apache.kafka.common.security.JaasContext;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.auth.SaslExtensions;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerExtensionsValidatorCallback;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenMock;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback;
import org.apache.kafka.common.security.oauthbearer.internals.unsecured.OAuthBearerConfigException;
import org.apache.kafka.common.security.oauthbearer.internals.unsecured.OAuthBearerUnsecuredLoginCallbackHandler;
import org.apache.kafka.common.security.oauthbearer.internals.unsecured.OAuthBearerUnsecuredValidatorCallbackHandler;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerSaslServerTest.class */
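/**
 * Unit tests for {@link OAuthBearerSaslServer}, the server side of the SASL/OAUTHBEARER exchange.
 *
 * <p>The tests cover the checks the server applies to a client's initial response:
 * <ul>
 *   <li>a missing authorization id, or one equal to {@link #USER}, is accepted;</li>
 *   <li>a different authorization id ({@code "userx"}) is rejected with
 *       {@link SaslAuthenticationException};</li>
 *   <li>a malformed token yields an {@code invalid_token} error challenge;</li>
 *   <li>SASL extensions are exposed as negotiated properties only when the validator callback
 *       handler has marked them valid, and an extension flagged as an error fails the
 *       authentication.</li>
 * </ul>
 *
 * <p>The {@code OAuthBearerUnsecured*} callback handlers serve purely as fixtures here. As their
 * names say, the tokens they produce and accept are unsecured, so nothing in this class
 * exercises signature verification.
 */
public class OAuthBearerSaslServerTest {
    /** Principal configured as the token's {@code sub} claim in {@link #CONFIGS}. */
    private static final String USER = "user";
    private static final Map<String, ?> CONFIGS;
    /** Creates the client-side token used to build initial responses. */
    private static final AuthenticateCallbackHandler LOGIN_CALLBACK_HANDLER;
    /** Default server-side validator; used by {@link #setUp()}. */
    private static final AuthenticateCallbackHandler VALIDATOR_CALLBACK_HANDLER;
    /** Validator that marks only {@code firstKey} and {@code secondKey} as valid extensions. */
    private static final AuthenticateCallbackHandler EXTENSIONS_VALIDATOR_CALLBACK_HANDLER;
    private OAuthBearerSaslServer saslServer;

    /** Gives every test a fresh server backed by the default validator callback handler. */
    @Before
    public void setUp() {
        this.saslServer = new OAuthBearerSaslServer(VALIDATOR_CALLBACK_HANDLER);
    }

    /** With no authorization id, a valid token is accepted and the next challenge is empty. */
    @Test
    public void noAuthorizationIdSpecified() throws Exception {
        byte[] nextChallenge = this.saslServer.evaluateResponse(clientInitialResponse(null));
        Assert.assertTrue("Next challenge is not empty", nextChallenge.length == 0);
    }

    /** After a successful exchange the validated token and its lifetime are negotiated properties. */
    @Test
    public void negotiatedProperty() throws Exception {
        this.saslServer.evaluateResponse(clientInitialResponse(USER));
        OAuthBearerToken token = (OAuthBearerToken) this.saslServer.getNegotiatedProperty("OAUTHBEARER.token");
        Assert.assertNotNull(token);
        Assert.assertEquals(Long.valueOf(token.lifetimeMs()), this.saslServer.getNegotiatedProperty("CREDENTIAL.LIFETIME.MS"));
    }

    /** Extensions sent by the client are retrievable as negotiated properties under their own keys. */
    @Test
    public void savesCustomExtensionAsNegotiatedProperty() throws Exception {
        Map<String, String> customExtensions = new HashMap<>();
        customExtensions.put("firstKey", "value1");
        customExtensions.put("secondKey", "value2");
        byte[] nextChallenge = this.saslServer.evaluateResponse(clientInitialResponse(null, false, customExtensions));
        Assert.assertTrue("Next challenge is not empty", nextChallenge.length == 0);
        Assert.assertEquals("value1", this.saslServer.getNegotiatedProperty("firstKey"));
        Assert.assertEquals("value2", this.saslServer.getNegotiatedProperty("secondKey"));
    }

    /**
     * An extension the validator never marks valid ({@code thirdKey}) must not surface as a
     * negotiated property, so client-supplied values the server did not vet cannot reach code
     * that reads negotiated properties.
     */
    @Test
    public void unrecognizedExtensionsAreNotSaved() throws Exception {
        this.saslServer = new OAuthBearerSaslServer(EXTENSIONS_VALIDATOR_CALLBACK_HANDLER);
        Map<String, String> customExtensions = new HashMap<>();
        customExtensions.put("firstKey", "value1");
        customExtensions.put("secondKey", "value1");
        customExtensions.put("thirdKey", "value1");
        byte[] nextChallenge = this.saslServer.evaluateResponse(clientInitialResponse(null, false, customExtensions));
        Assert.assertTrue("Next challenge is not empty", nextChallenge.length == 0);
        Assert.assertNull("Extensions not recognized by the server must be ignored", this.saslServer.getNegotiatedProperty("thirdKey"));
    }

    /** Extensions the validator flags as errors fail the whole authentication, even with a valid token. */
    @Test(expected = SaslAuthenticationException.class)
    public void throwsAuthenticationExceptionOnInvalidExtensions() throws Exception {
        // Validator that accepts the token but reports both extensions as invalid.
        this.saslServer = new OAuthBearerSaslServer(new OAuthBearerUnsecuredValidatorCallbackHandler() {
            public void handle(Callback[] callbackArr) throws UnsupportedCallbackException {
                for (Callback callback : callbackArr) {
                    if (callback instanceof OAuthBearerValidatorCallback) {
                        ((OAuthBearerValidatorCallback) callback).token(new OAuthBearerTokenMock());
                    } else if (callback instanceof OAuthBearerExtensionsValidatorCallback) {
                        OAuthBearerExtensionsValidatorCallback extensionsCallback = (OAuthBearerExtensionsValidatorCallback) callback;
                        extensionsCallback.error("firstKey", "is not valid");
                        extensionsCallback.error("secondKey", "is not valid either");
                    } else {
                        throw new UnsupportedCallbackException(callback);
                    }
                }
            }
        });
        Map<String, String> customExtensions = new HashMap<>();
        customExtensions.put("firstKey", "value");
        customExtensions.put("secondKey", "value");
        this.saslServer.evaluateResponse(clientInitialResponse(null, false, customExtensions));
    }

    /** An authorization id equal to the configured user is accepted. */
    @Test
    public void authorizatonIdEqualsAuthenticationId() throws Exception {
        byte[] nextChallenge = this.saslServer.evaluateResponse(clientInitialResponse(USER));
        Assert.assertTrue("Next challenge is not empty", nextChallenge.length == 0);
    }

    /**
     * A client may not act under an authorization id other than the configured user:
     * requesting {@code "userx"} must fail authentication.
     */
    @Test(expected = SaslAuthenticationException.class)
    public void authorizatonIdNotEqualsAuthenticationId() throws Exception {
        this.saslServer.evaluateResponse(clientInitialResponse("userx"));
    }

    /** A corrupted token is answered with the {@code invalid_token} error status as the next challenge. */
    @Test
    public void illegalToken() throws Exception {
        byte[] errorChallenge = this.saslServer.evaluateResponse(clientInitialResponse(null, true, Collections.emptyMap()));
        Assert.assertEquals("{\"status\":\"invalid_token\"}", new String(errorChallenge, StandardCharsets.UTF_8));
        // NOTE(review): only the error challenge is checked; consider also asserting that the
        // exchange is not reported as complete at this point (confirm against the server class).
    }

    /** Builds an initial response carrying a well-formed token and no extensions. */
    private byte[] clientInitialResponse(String authorizationId) throws OAuthBearerConfigException, IOException, UnsupportedCallbackException, LoginException {
        return clientInitialResponse(authorizationId, false);
    }

    /** Builds an initial response with no extensions, optionally corrupting the token. */
    private byte[] clientInitialResponse(String authorizationId, boolean illegalToken) throws OAuthBearerConfigException, IOException, UnsupportedCallbackException {
        // Forward the flag; it was previously dropped and replaced by a hard-coded false, so a
        // caller asking for a corrupted token through this overload would silently get a valid one.
        return clientInitialResponse(authorizationId, illegalToken, Collections.emptyMap());
    }

    /**
     * Builds the bytes of a client initial response.
     *
     * @param authorizationId authorization id to request, or {@code null} for none
     * @param illegalToken    when {@code true}, {@code "AB"} is appended to the token value so it
     *                        no longer matches what the login handler issued
     * @param customExtensions SASL extensions to attach
     */
    private byte[] clientInitialResponse(String authorizationId, boolean illegalToken, Map<String, String> customExtensions) throws OAuthBearerConfigException, IOException, UnsupportedCallbackException {
        // Declared with the concrete callback type: token() is not part of the Callback interface.
        OAuthBearerTokenCallback tokenCallback = new OAuthBearerTokenCallback();
        LOGIN_CALLBACK_HANDLER.handle(new Callback[]{tokenCallback});
        String tokenValue = tokenCallback.token().value() + (illegalToken ? "AB" : "");
        return new OAuthBearerClientInitialResponse(tokenValue, authorizationId, new SaslExtensions(customExtensions)).toBytes();
    }

    static {
        // JAAS configuration for the unsecured login module; the subject claim is set to "user".
        Map<String, Object> jaasConfig = new HashMap<>();
        jaasConfig.put("sasl.jaas.config", new Password("org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule Required unsecuredLoginStringClaim_sub=\"user\";"));
        CONFIGS = Collections.unmodifiableMap(jaasConfig);
        LOGIN_CALLBACK_HANDLER = new OAuthBearerUnsecuredLoginCallbackHandler();
        LOGIN_CALLBACK_HANDLER.configure(CONFIGS, "OAUTHBEARER", JaasContext.loadClientContext(CONFIGS).configurationEntries());
        VALIDATOR_CALLBACK_HANDLER = new OAuthBearerUnsecuredValidatorCallbackHandler();
        VALIDATOR_CALLBACK_HANDLER.configure(CONFIGS, "OAUTHBEARER", JaasContext.loadClientContext(CONFIGS).configurationEntries());
        // Accepts any token (substituting a mock) and whitelists exactly two extension keys;
        // every other extension is left unvalidated.
        EXTENSIONS_VALIDATOR_CALLBACK_HANDLER = new OAuthBearerUnsecuredValidatorCallbackHandler() {
            public void handle(Callback[] callbackArr) throws UnsupportedCallbackException {
                for (Callback callback : callbackArr) {
                    if (callback instanceof OAuthBearerValidatorCallback) {
                        ((OAuthBearerValidatorCallback) callback).token(new OAuthBearerTokenMock());
                    } else if (callback instanceof OAuthBearerExtensionsValidatorCallback) {
                        OAuthBearerExtensionsValidatorCallback extensionsCallback = (OAuthBearerExtensionsValidatorCallback) callback;
                        extensionsCallback.valid("firstKey");
                        extensionsCallback.valid("secondKey");
                    } else {
                        throw new UnsupportedCallbackException(callback);
                    }
                }
            }
        };
    }
}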
