package io.confluent.common.security.jetty.initializer;

import com.google.common.collect.ImmutableSet;
import io.confluent.common.security.jetty.CompositeAuthenticator;
import io.confluent.common.security.jetty.CompositeLoginService;
import io.confluent.common.security.jetty.jwt.JwtBuilder;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.DefaultIdentityService;
import org.eclipse.jetty.security.SecurityHandler;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.util.security.Constraint;
import org.hamcrest.CoreMatchers;
import org.hamcrest.Description;
import org.hamcrest.Matcher;
import org.hamcrest.MatcherAssert;
import org.hamcrest.TypeSafeDiagnosingMatcher;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.junit.rules.TemporaryFolder;
import org.junit.runner.RunWith;
import org.mockito.ArgumentCaptor;
import org.mockito.Captor;
import org.mockito.Mock;
import org.mockito.Mockito;
import org.mockito.runners.MockitoJUnitRunner;

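/**
 * Unit tests for {@link InstallCompositeSecurityHandler}.
 *
 * <p>Each test configures the installer from a property map, applies it to a mocked
 * {@link ServletContextHandler}, captures the {@link SecurityHandler} passed to
 * {@code setSecurityHandler} and asserts on its realm, roles, constraint mappings,
 * authenticator, identity service or login service.
 *
 * <p>Security-relevant behaviour pinned here: the catch-all {@code /*} mapping requires
 * authentication, skip paths are installed as mappings that do not require authentication,
 * and anonymous access is off unless {@code auth.allow.anonymous.user} is set.
 */
@RunWith(MockitoJUnitRunner.class)
public class InstallCompositeSecurityHandlerTest {
    private static final JwtBuilder JWT_BUILDER = new JwtBuilder();
    private static final String JWT = JWT_BUILDER.buildJwt("lkc-1234");
    private static final Constraint NO_AUTH = new Constraint();

    static {
        // The constraint expected on every skip path: authentication not required.
        NO_AUTH.setAuthenticate(false);
    }

    // Not referenced by any test in this class.
    @Rule
    public final ExpectedException expectedException = ExpectedException.none();

    @Rule
    public TemporaryFolder tempFolder = new TemporaryFolder();

    // Static because the static validProps() reads it; reassigned by setUp() before each test.
    static Path pemPath;

    @Mock
    private ServletContextHandler context;

    @Captor
    private ArgumentCaptor<SecurityHandler> securityHandlerArg;
    private InstallCompositeSecurityHandler installer;

    /**
     * Small fluent helper for deriving a property map from a base map.
     *
     * @param <K> key type
     * @param <V> value type
     */
    public static class MapBuilder<K, V> {
        private final Map<K, V> map = new HashMap<>();

        /** Starts from a copy of {@code map}; the argument itself is not modified. */
        public MapBuilder(Map<K, V> map) {
            this.map.putAll(map);
        }

        /**
         * Creates an empty builder. The class arguments are not read; they only let the
         * caller fix {@code K} and {@code V} at the call site.
         */
        public static <K, V> MapBuilder<K, V> of(Class<K> cls, Class<V> cls2) {
            return new MapBuilder<>(Collections.emptyMap());
        }

        /** Creates a builder pre-populated with the entries of {@code map}. */
        public static <K, V> MapBuilder<K, V> of(Map<K, V> map) {
            return new MapBuilder<>(map);
        }

        /** Adds or overwrites the entry for {@code k}. */
        public MapBuilder<K, V> with(K k, V v) {
            this.map.put(k, v);
            return this;
        }

        /** Removes the entry for {@code k}, if present. */
        public MapBuilder<K, V> without(K k) {
            this.map.remove(k);
            return this;
        }

        /** Returns the builder's live backing map (not a copy). */
        public Map<K, V> build() {
            return this.map;
        }
    }

    /** Writes a JWT public key into the per-test temp folder and creates a fresh installer. */
    @Before
    public void setUp() {
        pemPath = JWT_BUILDER.createJwtPublicKey(this.tempFolder.getRoot().toPath().resolve("public.key"));
        this.installer = new InstallCompositeSecurityHandler();
    }

    @Test
    public void shouldSetRealm() {
        this.installer.configure(MapBuilder.of(validProps()).with("authentication.realm", "Hell").build());
        this.installer.accept(this.context);
        MatcherAssert.assertThat(assertSecurityHandlerInstalled().getRealmName(), CoreMatchers.is("Hell"));
    }

    @Test
    public void shouldNotSetRolesOnConstraintIfNotProvided() {
        this.installer.configure(MapBuilder.of(validProps()).with("authentication.roles", "").build());
        this.installer.accept(this.context);
        // NOTE(review): this checks the handler's role set only; what the catch-all constraint
        // enforces when no roles are configured is not asserted anywhere in this class.
        MatcherAssert.assertThat(assertSecurityHandlerInstalled().getRoles(), CoreMatchers.is(Collections.emptySet()));
    }

    @Test
    public void shouldSetRolesOnConstraintIfProvided() {
        this.installer.configure(MapBuilder.of(validProps()).with("authentication.roles", "team1,team2").build());
        this.installer.accept(this.context);
        MatcherAssert.assertThat(assertSecurityHandlerInstalled().getRoles(), CoreMatchers.is(ImmutableSet.of("team1", "team2")));
    }

    @Test
    public void shouldNotRequireSkipPaths() {
        // Passes as long as configure() does not throw when the key is absent.
        // NOTE(review): the resulting mappings are not inspected; asserting that no
        // authentication-exempt mapping is installed in this case would tighten the test.
        this.installer.configure(MapBuilder.of(validProps()).without("authentication.skip.paths").build());
    }

    @Test
    public void shouldAddSkipPaths() {
        this.installer.configure(MapBuilder.of(validProps()).with("authentication.skip.paths", "/path/1,/path/2").build());
        this.installer.accept(this.context);
        ConstraintSecurityHandler handler = assertSecurityHandlerInstalled();

        // Every configured skip path is expected as an all-methods mapping that does not
        // require authentication, so each entry in this setting is an unauthenticated route.
        // NOTE(review): hasItems only proves these mappings are present; it does not prove
        // that no other authentication-exempt mapping was installed.
        MatcherAssert.assertThat(
                handler.getConstraintMappings(),
                CoreMatchers.hasItems(
                        constraintMapping(mappingFor(NO_AUTH, "/path/1")),
                        constraintMapping(mappingFor(NO_AUTH, "/path/2"))));
    }

    @Test
    public void shouldInstallRequiredConstraintCoveringAll() {
        this.installer.configure(MapBuilder.of(validProps()).with("authentication.roles", "team1,team2").build());
        this.installer.accept(this.context);
        ConstraintSecurityHandler handler = assertSecurityHandlerInstalled();

        // The catch-all mapping must require authentication and carry the configured roles.
        Constraint authRequired = new Constraint();
        authRequired.setAuthenticate(true);
        authRequired.setRoles(new String[] {"team1", "team2"});

        MatcherAssert.assertThat(
                handler.getConstraintMappings(),
                CoreMatchers.hasItem(constraintMapping(mappingFor(authRequired, "/*"))));
    }

    @Test
    public void shouldInstallCompositeAuthenticator() {
        this.installer.configure(validProps());
        this.installer.accept(this.context);
        ConstraintSecurityHandler handler = assertSecurityHandlerInstalled();
        MatcherAssert.assertThat(handler.getAuthenticator(), CoreMatchers.is(CoreMatchers.instanceOf(CompositeAuthenticator.class)));
        // The flag is read through CompositeAuthenticator because Jetty's Authenticator
        // interface has no such accessor. Anonymous access must be off by default.
        CompositeAuthenticator authenticator = (CompositeAuthenticator) handler.getAuthenticator();
        MatcherAssert.assertThat(authenticator.isAllowAnonymousUser(), CoreMatchers.is(false));
    }

    @Test
    public void shouldAllowAnonymousAuthenticator() {
        this.installer.configure(MapBuilder.of(validProps()).with("auth.allow.anonymous.user", "true").build());
        this.installer.accept(this.context);
        ConstraintSecurityHandler handler = assertSecurityHandlerInstalled();
        MatcherAssert.assertThat(handler.getAuthenticator(), CoreMatchers.is(CoreMatchers.instanceOf(CompositeAuthenticator.class)));
        // Anonymous access is enabled only by the explicit opt-in set above.
        CompositeAuthenticator authenticator = (CompositeAuthenticator) handler.getAuthenticator();
        MatcherAssert.assertThat(authenticator.isAllowAnonymousUser(), CoreMatchers.is(true));
    }

    @Test
    public void shouldInstallDefaultIdentifyService() {
        this.installer.configure(validProps());
        this.installer.accept(this.context);
        MatcherAssert.assertThat(assertSecurityHandlerInstalled().getIdentityService(), CoreMatchers.is(CoreMatchers.instanceOf(DefaultIdentityService.class)));
    }

    @Test
    public void shouldInstallCompositeLoginService() {
        this.installer.configure(validProps());
        this.installer.accept(this.context);
        MatcherAssert.assertThat(assertSecurityHandlerInstalled().getLoginService(), CoreMatchers.is(CoreMatchers.instanceOf(CompositeLoginService.class)));
    }

    /**
     * Verifies that the installer called {@code setSecurityHandler} on the mocked context
     * and returns the captured handler.
     *
     * @return the installed handler, cast to {@link ConstraintSecurityHandler}
     */
    private ConstraintSecurityHandler assertSecurityHandlerInstalled() {
        Mockito.verify(this.context).setSecurityHandler(this.securityHandlerArg.capture());
        return (ConstraintSecurityHandler) this.securityHandlerArg.getValue();
    }

    /** Builds an expected mapping that applies {@code constraint} to every method on {@code pathSpec}. */
    private static ConstraintMapping mappingFor(Constraint constraint, String pathSpec) {
        ConstraintMapping mapping = new ConstraintMapping();
        mapping.setConstraint(constraint);
        mapping.setMethod("*");
        mapping.setPathSpec(pathSpec);
        return mapping;
    }

    /**
     * Matcher comparing a {@link ConstraintMapping} field by field (method, path spec, then
     * constraint), so the tests do not depend on how {@code ConstraintMapping} implements
     * {@code equals}.
     *
     * @param constraintMapping the expected mapping
     * @return a matcher that reports the first differing field on mismatch
     */
    private static Matcher<ConstraintMapping> constraintMapping(final ConstraintMapping constraintMapping) {
        return new TypeSafeDiagnosingMatcher<ConstraintMapping>() {
            final Matcher<Constraint> constraintMatcher = constraint(constraintMapping.getConstraint());

            @Override
            public boolean matchesSafely(ConstraintMapping actual, Description description) {
                if (!Objects.equals(constraintMapping.getMethod(), actual.getMethod())) {
                    description.appendText("expected method=").appendValue(constraintMapping.getMethod())
                            .appendText(" but was ").appendValue(actual.getMethod());
                    return false;
                }
                if (!Objects.equals(constraintMapping.getPathSpec(), actual.getPathSpec())) {
                    description.appendText("expected pathSpec=").appendValue(constraintMapping.getPathSpec())
                            .appendText(" but was ").appendValue(actual.getPathSpec());
                    return false;
                }
                if (!this.constraintMatcher.matches(actual.getConstraint())) {
                    this.constraintMatcher.describeMismatch(actual.getConstraint(), description);
                    return false;
                }
                return true;
            }

            @Override
            public void describeTo(Description description) {
                description.appendText("Mapping{method=").appendValue(constraintMapping.getMethod())
                        .appendText(", pathSpec=").appendValue(constraintMapping.getPathSpec())
                        .appendText(", constraint=").appendDescriptionOf(this.constraintMatcher)
                        .appendText("}");
            }
        };
    }

    /**
     * Matcher comparing two {@link Constraint}s on the authenticate flag and the role array
     * only; no other constraint property is compared.
     *
     * @param constraint the expected constraint
     * @return a matcher that reports the first differing field on mismatch
     */
    public static Matcher<Constraint> constraint(final Constraint constraint) {
        return new TypeSafeDiagnosingMatcher<Constraint>() {
            @Override
            public boolean matchesSafely(Constraint actual, Description description) {
                if (constraint.getAuthenticate() != actual.getAuthenticate()) {
                    description.appendText("expected authenticate=").appendValue(authText(constraint))
                            .appendText(" but was ").appendValue(authText(actual));
                    return false;
                }
                // Role order matters: Arrays.equals compares element by element.
                if (!Arrays.equals(constraint.getRoles(), actual.getRoles())) {
                    description.appendText("expected roles=").appendValue(constraint.getRoles())
                            .appendText(" but was ").appendValue(actual.getRoles());
                    return false;
                }
                return true;
            }

            @Override
            public void describeTo(Description description) {
                description.appendText("Constraint{authentication=").appendValue(authText(constraint))
                        .appendText(", roles=").appendValue(constraint.getRoles())
                        .appendText("}");
            }

            private String authText(Constraint c) {
                return c.getAuthenticate() ? "required" : "not required";
            }
        };
    }

    /**
     * Baseline configuration shared by the tests: metadata server URL, the public key path
     * written by {@link #setUp()}, the default SSL principal mapping rule and one skip path.
     */
    private static Map<String, Object> validProps() {
        return MapBuilder.of(String.class, Object.class)
                .with("confluent.metadata.bootstrap.server.urls", "http://localhost:8090")
                .with("public.key.path", pemPath.toString())
                .with("auth.ssl.principal.mapping.rules", "DEFAULT")
                .with("authentication.skip.paths", "/path/1")
                .build();
    }
}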
