package io.confluent.kafkarest.security;

import io.confluent.common.security.auth.AuthenticationFilter;
import io.confluent.common.security.auth.RestSecurityContext;
import io.confluent.common.security.auth.RestUserPrincipal;
import io.confluent.common.security.license.LicenseValidatorFilter;
import io.confluent.kafka.test.cluster.EmbeddedKafkaCluster;
import io.confluent.kafkarest.KafkaRestConfig;
import io.confluent.license.LicenseManager;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Properties;
import java.util.concurrent.TimeoutException;
import java.util.concurrent.atomic.AtomicReference;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.core.Configurable;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import kafka.utils.TestUtils;
import org.apache.kafka.test.TestSslUtils;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.mockito.ArgumentCaptor;
import org.mockito.Mockito;

/* loaded from: input_file:io/confluent/kafkarest/security/KafkaRestSecurityResourceExtensionTest.class */
public class KafkaRestSecurityResourceExtensionTest {
    private static final int LICENSE_FETCHER_INIT_TIMEOUT_MS = 5000;
    private static final int LICENSE_FETCHER_DELAY_MS = 50;
    private EmbeddedKafkaCluster kafkaCluster;
    private String bootstrapServers;

    @Before
    public void setupKafkaCluster() throws Exception {
        this.kafkaCluster = new EmbeddedKafkaCluster();
        this.kafkaCluster.startZooKeeper();
        this.kafkaCluster.startBrokers(1, new Properties());
        this.bootstrapServers = this.kafkaCluster.bootstrapServers();
    }

    @After
    public void shutdownKafkaCluster() {
        this.kafkaCluster.shutdown();
    }

    @After
    public void teardown() {
        RestSecurityContext.clear();
    }

    @Test
    public void testRegisteredSslPrincipalMapper() throws Exception {
        Properties properties = new Properties();
        properties.put("bootstrap.servers", this.bootstrapServers);
        properties.put("confluent.rest.auth.ssl.principal.mapping.rules", "RULE:^CN=(.*?)$/$1/");
        KafkaRestConfig kafkaRestConfig = new KafkaRestConfig(properties);
        Configurable configurable = (Configurable) Mockito.mock(Configurable.class);
        AtomicReference atomicReference = new AtomicReference();
        Mockito.when(configurable.register(Mockito.any(Object.class))).then(invocationOnMock -> {
            if (invocationOnMock.getArguments()[0] instanceof AuthenticationFilter) {
                atomicReference.set((AuthenticationFilter) invocationOnMock.getArguments()[0]);
            }
            return configurable;
        });
        new KafkaRestSecurityResourceExtension().register(configurable, kafkaRestConfig);
        Assert.assertNotNull(atomicReference.get());
        X509Certificate generateCertificate = TestSslUtils.generateCertificate("CN=restproxy/localhost@EXAMPLE.COM", TestSslUtils.generateKeyPair("RSA"), 30, "SHA1withRSA");
        ContainerRequestContext containerRequestContext = (ContainerRequestContext) Mockito.mock(ContainerRequestContext.class);
        Mockito.when(containerRequestContext.getProperty("javax.servlet.request.X509Certificate")).thenReturn(new X509Certificate[]{generateCertificate});
        Mockito.when(containerRequestContext.getSecurityContext()).thenReturn(new SecurityContext() { // from class: io.confluent.kafkarest.security.KafkaRestSecurityResourceExtensionTest.1
            public Principal getUserPrincipal() {
                return new RestUserPrincipal("test");
            }

            public boolean isUserInRole(String str) {
                return false;
            }

            public boolean isSecure() {
                return false;
            }

            public String getAuthenticationScheme() {
                return null;
            }
        });
        ArgumentCaptor forClass = ArgumentCaptor.forClass(SecurityContext.class);
        ((ContainerRequestContext) Mockito.doNothing().when(containerRequestContext)).setSecurityContext((SecurityContext) forClass.capture());
        ((AuthenticationFilter) atomicReference.get()).filter(containerRequestContext);
        SecurityContext securityContext = (SecurityContext) forClass.getValue();
        Assert.assertNotNull(securityContext);
        Assert.assertEquals("restproxy/localhost@EXAMPLE.COM", securityContext.getUserPrincipal().getName());
        Assert.assertEquals("SSL", securityContext.getAuthenticationScheme());
    }

    @Test
    public void testInvalidLicense() throws Exception {
        Properties properties = new Properties();
        properties.put("bootstrap.servers", this.bootstrapServers);
        properties.put("confluent.license", "invalid-license");
        KafkaRestConfig kafkaRestConfig = new KafkaRestConfig(properties);
        Configurable configurable = (Configurable) Mockito.mock(Configurable.class);
        AtomicReference atomicReference = new AtomicReference();
        Mockito.when(configurable.register(Mockito.any(Object.class))).then(invocationOnMock -> {
            if (invocationOnMock.getArguments()[0] instanceof LicenseValidatorFilter) {
                atomicReference.set((LicenseValidatorFilter) invocationOnMock.getArguments()[0]);
            }
            return configurable;
        });
        new KafkaRestSecurityResourceExtension().register(configurable, kafkaRestConfig);
        Assert.assertNotNull(atomicReference.get());
        TestUtils.waitUntilTrue(() -> {
            return Boolean.valueOf(!((LicenseValidatorFilter) atomicReference.get()).getLicenseBackgroundFetcher().hasValidLicense());
        }, () -> {
            return "License expected to be invalid";
        }, 5000L, 50L);
        ContainerRequestContext containerRequestContext = (ContainerRequestContext) Mockito.mock(ContainerRequestContext.class);
        ((LicenseValidatorFilter) atomicReference.get()).filter(containerRequestContext);
        ((ContainerRequestContext) Mockito.verify(containerRequestContext, Mockito.times(1))).abortWith((Response) Mockito.anyObject());
    }

    @Test
    public void testFailOpen() {
        Properties properties = new Properties();
        properties.put("bootstrap.servers", this.bootstrapServers);
        KafkaRestConfig kafkaRestConfig = new KafkaRestConfig(properties);
        Configurable configurable = (Configurable) Mockito.mock(Configurable.class);
        AtomicReference atomicReference = new AtomicReference();
        Mockito.when(configurable.register(Mockito.any(Object.class))).then(invocationOnMock -> {
            if (invocationOnMock.getArguments()[0] instanceof LicenseValidatorFilter) {
                atomicReference.set((LicenseValidatorFilter) invocationOnMock.getArguments()[0]);
            }
            return configurable;
        });
        new KafkaRestSecurityResourceExtension().register(configurable, kafkaRestConfig);
        Assert.assertNotNull(atomicReference.get());
        TestUtils.waitUntilTrue(() -> {
            return Boolean.valueOf(((LicenseValidatorFilter) atomicReference.get()).getLicenseBackgroundFetcher().hasValidLicense());
        }, () -> {
            return "Should get a valid license at lease once";
        }, 5000L, 50L);
        LicenseManager licenseManager = (LicenseManager) Mockito.mock(LicenseManager.class);
        Mockito.when(licenseManager.registerOrValidateLicense(Mockito.anyString())).thenThrow(new Class[]{TimeoutException.class});
        ((LicenseValidatorFilter) atomicReference.get()).getLicenseBackgroundFetcher().setLicenseManager(licenseManager);
        ContainerRequestContext containerRequestContext = (ContainerRequestContext) Mockito.mock(ContainerRequestContext.class);
        ((LicenseValidatorFilter) atomicReference.get()).filter(containerRequestContext);
        ((ContainerRequestContext) Mockito.verify(containerRequestContext, Mockito.never())).abortWith((Response) Mockito.any(Response.class));
    }
}
