package org.apache.pulsar.broker.authentication;

import com.google.common.collect.Lists;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwt;
import io.jsonwebtoken.JwtBuilder;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.io.Decoders;
import io.jsonwebtoken.security.Keys;
import java.io.File;
import java.io.IOException;
import java.net.SocketAddress;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Paths;
import java.security.Key;
import java.security.KeyPair;
import java.sql.Date;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Properties;
import java.util.concurrent.TimeUnit;
import javax.crypto.SecretKey;
import javax.naming.AuthenticationException;
import javax.net.ssl.SSLSession;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.pulsar.broker.ServiceConfiguration;
import org.apache.pulsar.broker.authentication.utils.AuthTokenUtils;
import org.apache.pulsar.common.api.AuthData;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;
import org.testng.Assert;
import org.testng.annotations.Test;

/* loaded from: input_file:org/apache/pulsar/broker/authentication/AuthenticationProviderTokenTest.class */
public class AuthenticationProviderTokenTest {
    // Subject written into the test tokens and expected back from authenticate() as the principal.
    private static final String SUBJECT = "my-test-subject";

    /**
     * Initializing the provider from a default {@link ServiceConfiguration} (no token key
     * properties set) must fail with an {@link IOException}. The provider is closed whatever
     * the outcome.
     */
    @Test
    public void testInvalidInitialize() throws Exception {
        AuthenticationProviderToken provider = new AuthenticationProviderToken();
        try {
            provider.initialize(new ServiceConfiguration());
            Assert.fail("should have failed");
        } catch (IOException expected) {
            // Expected: a provider without any validation key must refuse to start.
        } finally {
            provider.close();
        }
    }

    /**
     * Round-trips an HS256 secret key through its encoded bytes and checks that a token signed
     * with the original key verifies against the decoded copy.
     */
    @Test
    public void testSerializeSecretKey() {
        SecretKey signingKey = AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256);
        String token = Jwts.builder().setSubject(SUBJECT).signWith(signingKey).compact();

        // Verify with the key rebuilt from raw bytes rather than with the original instance.
        Key decodedKey = AuthTokenUtils.decodeSecretKey(signingKey.getEncoded());
        Jwt<?, ?> parsed = Jwts.parserBuilder().setSigningKey(decodedKey).build().parse(token);

        Assert.assertNotNull(parsed);
        Assert.assertNotNull(parsed.getBody());
        Claims claims = (Claims) parsed.getBody();
        Assert.assertEquals(claims.getSubject(), SUBJECT);
    }

    /**
     * Round-trips an RS256 key pair through Base64: a token created with the decoded private
     * key must verify against the decoded public key and carry the expected subject.
     */
    @Test
    public void testSerializeKeyPair() throws Exception {
        KeyPair keyPair = Keys.keyPairFor(SignatureAlgorithm.RS256);
        String privateKeyBase64 = AuthTokenUtils.encodeKeyBase64(keyPair.getPrivate());
        String publicKeyBase64 = AuthTokenUtils.encodeKeyBase64(keyPair.getPublic());

        byte[] publicKeyBytes = Decoders.BASE64.decode(publicKeyBase64);
        Key verificationKey = AuthTokenUtils.decodePublicKey(publicKeyBytes, SignatureAlgorithm.RS256);

        byte[] privateKeyBytes = Decoders.BASE64.decode(privateKeyBase64);
        Key signingKey = AuthTokenUtils.decodePrivateKey(privateKeyBytes, SignatureAlgorithm.RS256);
        String token = AuthTokenUtils.createToken(signingKey, SUBJECT, Optional.empty());

        Jwt<?, ?> parsed = Jwts.parserBuilder().setSigningKey(verificationKey).build().parse(token);
        Assert.assertNotNull(parsed);
        Assert.assertNotNull(parsed.getBody());
        Claims claims = (Claims) parsed.getBody();
        Assert.assertEquals(claims.getSubject(), SUBJECT);
    }

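    /**
     * Exercises HS256 secret-key authentication end to end.
     *
     * <p>Accepted: a valid token supplied as command data and as an HTTP
     * {@code Authorization: Bearer} header. Rejected with {@link AuthenticationException}:
     * a data source with no credentials, an unsigned ({@code alg: none}) token, and a token
     * whose expiry lies one hour in the past.
     *
     * <p>The provider is closed in a {@code finally} block so a failing assertion does not
     * leak it, and the HTTP path asserts its own returned subject.
     */
    @Test
    public void testAuthSecretKey() throws Exception {
        SecretKey secretKey = AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256);
        AuthenticationProviderToken provider = new AuthenticationProviderToken();
        try {
            Assert.assertEquals(provider.getAuthMethodName(), "token");

            Properties properties = new Properties();
            properties.setProperty("tokenSecretKey", AuthTokenUtils.encodeKeyBase64(secretKey));
            ServiceConfiguration conf = new ServiceConfiguration();
            conf.setProperties(properties);
            provider.initialize(conf);

            // A data source that offers no credentials at all must be rejected.
            try {
                provider.authenticate(new AuthenticationDataSource() {
                });
                Assert.fail("Should have failed");
            } catch (AuthenticationException expected) {
                // Expected: nothing to authenticate.
            }

            final String token = AuthTokenUtils.createToken(secretKey, SUBJECT, Optional.empty());

            // Token delivered as command data.
            String commandSubject = provider.authenticate(new AuthenticationDataSource() {
                @Override
                public boolean hasDataFromCommand() {
                    return true;
                }

                @Override
                public String getCommandData() {
                    return token;
                }
            });
            Assert.assertEquals(commandSubject, SUBJECT);

            // Token delivered in the HTTP Authorization header. The subject returned by this
            // call is asserted on its own, so a regression in the HTTP path cannot hide behind
            // the command-data result.
            String httpSubject = provider.authenticate(new AuthenticationDataSource() {
                @Override
                public boolean hasDataFromHttp() {
                    return true;
                }

                @Override
                public String getHttpHeader(String name) {
                    if (name.equals("Authorization")) {
                        return "Bearer " + token;
                    }
                    throw new IllegalArgumentException("Wrong HTTP header");
                }
            });
            Assert.assertEquals(httpSubject, SUBJECT);

            // Header {"alg":"none"}, payload {"sub":"test-user"}, empty signature segment.
            // An unsigned token must never authenticate, even though it is well-formed.
            final String unsignedToken = "eyJhbGciOiJub25lIn0.eyJzdWIiOiJ0ZXN0LXVzZXIifQ.";
            try {
                provider.authenticate(new AuthenticationDataSource() {
                    @Override
                    public boolean hasDataFromCommand() {
                        return true;
                    }

                    @Override
                    public String getCommandData() {
                        return unsignedToken;
                    }
                });
                Assert.fail("Should have failed");
            } catch (AuthenticationException expected) {
                // Expected: token without a signature.
            }

            // Correctly signed, but the expiry is already one hour in the past.
            final String expiredToken = AuthTokenUtils.createToken(secretKey, SUBJECT,
                    Optional.of(new Date(System.currentTimeMillis() - TimeUnit.HOURS.toMillis(1L))));
            try {
                provider.authenticate(new AuthenticationDataSource() {
                    @Override
                    public boolean hasDataFromCommand() {
                        return true;
                    }

                    @Override
                    public String getCommandData() {
                        return expiredToken;
                    }
                });
                Assert.fail("Should have failed");
            } catch (AuthenticationException expected) {
                // Expected: expired token.
            }
        } finally {
            provider.close();
        }
    }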

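    /**
     * A {@code tokenSecretKey} file URI followed by a trailing space must still initialize the
     * provider, i.e. the configured value is expected to be trimmed before it is resolved.
     *
     * <p>The provider is closed in a {@code finally} block; the original never closed it.
     */
    @Test
    public void testTrimAuthSecretKeyFilePath() throws Exception {
        SecretKey secretKey = AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256);

        // Throwaway key written to a temp file; removed when the JVM exits.
        File keyFile = File.createTempFile("pulsar-test-secret-key-", ".key");
        keyFile.deleteOnExit();
        Files.write(keyFile.toPath(), secretKey.getEncoded());

        Properties properties = new Properties();
        // The trailing space is the point of the test.
        properties.setProperty("tokenSecretKey", keyFile.toURI().toString() + " ");
        ServiceConfiguration conf = new ServiceConfiguration();
        conf.setProperties(properties);

        AuthenticationProviderToken provider = new AuthenticationProviderToken();
        try {
            provider.initialize(conf);
        } finally {
            provider.close();
        }
    }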

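    /**
     * The secret key is loaded from a {@code file:} URI; a token signed with the same key must
     * authenticate as {@link #SUBJECT}.
     *
     * <p>The provider is closed in a {@code finally} block so a failed assertion does not leak it.
     */
    @Test
    public void testAuthSecretKeyFromFile() throws Exception {
        SecretKey secretKey = AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256);

        // Throwaway key written to a temp file; removed when the JVM exits.
        File keyFile = File.createTempFile("pulsar-test-secret-key-", ".key");
        keyFile.deleteOnExit();
        Files.write(keyFile.toPath(), secretKey.getEncoded());

        Properties properties = new Properties();
        properties.setProperty("tokenSecretKey", keyFile.toURI().toString());
        ServiceConfiguration conf = new ServiceConfiguration();
        conf.setProperties(properties);

        AuthenticationProviderToken provider = new AuthenticationProviderToken();
        try {
            provider.initialize(conf);
            final String token = AuthTokenUtils.createToken(secretKey, SUBJECT, Optional.empty());
            String subject = provider.authenticate(new AuthenticationDataSource() {
                @Override
                public boolean hasDataFromCommand() {
                    return true;
                }

                @Override
                public String getCommandData() {
                    return token;
                }
            });
            Assert.assertEquals(subject, SUBJECT);
        } finally {
            provider.close();
        }
    }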

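    /**
     * The secret key is loaded from a plain filesystem path (no {@code file:} scheme); a token
     * signed with the same key must authenticate as {@link #SUBJECT}.
     *
     * <p>The provider is closed in a {@code finally} block so a failed assertion does not leak it.
     */
    @Test
    public void testAuthSecretKeyFromValidFile() throws Exception {
        SecretKey secretKey = AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256);

        // Throwaway key written to a temp file; removed when the JVM exits.
        File keyFile = File.createTempFile("pulsar-test-secret-key-valid", ".key");
        keyFile.deleteOnExit();
        Files.write(keyFile.toPath(), secretKey.getEncoded());

        Properties properties = new Properties();
        properties.setProperty("tokenSecretKey", keyFile.toString());
        ServiceConfiguration conf = new ServiceConfiguration();
        conf.setProperties(properties);

        AuthenticationProviderToken provider = new AuthenticationProviderToken();
        try {
            provider.initialize(conf);
            final String token = AuthTokenUtils.createToken(secretKey, SUBJECT, Optional.empty());
            String subject = provider.authenticate(new AuthenticationDataSource() {
                @Override
                public boolean hasDataFromCommand() {
                    return true;
                }

                @Override
                public String getCommandData() {
                    return token;
                }
            });
            Assert.assertEquals(subject, SUBJECT);
        } finally {
            provider.close();
        }
    }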

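    /**
     * The secret key is supplied inline as a {@code data:;base64,} URI; a token signed with the
     * same key must authenticate as {@link #SUBJECT}.
     *
     * <p>The provider is closed in a {@code finally} block so a failed assertion does not leak it.
     */
    @Test
    public void testAuthSecretKeyFromDataBase64() throws Exception {
        SecretKey secretKey = AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256);

        Properties properties = new Properties();
        properties.setProperty("tokenSecretKey", "data:;base64," + AuthTokenUtils.encodeKeyBase64(secretKey));
        ServiceConfiguration conf = new ServiceConfiguration();
        conf.setProperties(properties);

        AuthenticationProviderToken provider = new AuthenticationProviderToken();
        try {
            provider.initialize(conf);
            final String token = AuthTokenUtils.createToken(secretKey, SUBJECT, Optional.empty());
            String subject = provider.authenticate(new AuthenticationDataSource() {
                @Override
                public boolean hasDataFromCommand() {
                    return true;
                }

                @Override
                public String getCommandData() {
                    return token;
                }
            });
            Assert.assertEquals(subject, SUBJECT);
        } finally {
            provider.close();
        }
    }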

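    /**
     * Asymmetric (RS256) setup: the provider is configured with the public key only, and a token
     * signed with the matching private key must authenticate as {@link #SUBJECT}.
     *
     * <p>The provider is closed in a {@code finally} block so a failed assertion does not leak it.
     */
    @Test
    public void testAuthSecretKeyPair() throws Exception {
        KeyPair keyPair = Keys.keyPairFor(SignatureAlgorithm.RS256);
        String privateKeyBase64 = AuthTokenUtils.encodeKeyBase64(keyPair.getPrivate());
        String publicKeyBase64 = AuthTokenUtils.encodeKeyBase64(keyPair.getPublic());

        Properties properties = new Properties();
        // Only the public half is handed to the provider; the private key stays with the issuer.
        properties.setProperty("tokenPublicKey", publicKeyBase64);
        ServiceConfiguration conf = new ServiceConfiguration();
        conf.setProperties(properties);

        AuthenticationProviderToken provider = new AuthenticationProviderToken();
        try {
            provider.initialize(conf);
            byte[] privateKeyBytes = Decoders.BASE64.decode(privateKeyBase64);
            final String token = AuthTokenUtils.createToken(
                    AuthTokenUtils.decodePrivateKey(privateKeyBytes, SignatureAlgorithm.RS256),
                    SUBJECT, Optional.empty());
            String subject = provider.authenticate(new AuthenticationDataSource() {
                @Override
                public boolean hasDataFromCommand() {
                    return true;
                }

                @Override
                public String getCommandData() {
                    return token;
                }
            });
            Assert.assertEquals(subject, SUBJECT);
        } finally {
            provider.close();
        }
    }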

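    /**
     * With {@code tokenAuthClaim} set to a custom claim name, the authenticated role must be
     * taken from that claim of an RS256-signed token.
     *
     * <p>The provider is closed in a {@code finally} block so a failed assertion does not leak
     * it, and the claims map is a plain {@link HashMap} rather than an anonymous subclass.
     */
    @Test
    public void testAuthSecretKeyPairWithCustomClaim() throws Exception {
        String authClaim = "customClaim";
        String authRole = "my-test-role";

        KeyPair keyPair = Keys.keyPairFor(SignatureAlgorithm.RS256);
        String privateKeyBase64 = AuthTokenUtils.encodeKeyBase64(keyPair.getPrivate());
        String publicKeyBase64 = AuthTokenUtils.encodeKeyBase64(keyPair.getPublic());

        Properties properties = new Properties();
        properties.setProperty("tokenPublicKey", publicKeyBase64);
        properties.setProperty("tokenAuthClaim", authClaim);
        ServiceConfiguration conf = new ServiceConfiguration();
        conf.setProperties(properties);

        AuthenticationProviderToken provider = new AuthenticationProviderToken();
        try {
            provider.initialize(conf);

            HashMap<String, Object> claims = new HashMap<>();
            claims.put(authClaim, authRole);
            byte[] privateKeyBytes = Decoders.BASE64.decode(privateKeyBase64);
            final String token = Jwts.builder()
                    .setClaims(claims)
                    .signWith(AuthTokenUtils.decodePrivateKey(privateKeyBytes, SignatureAlgorithm.RS256))
                    .compact();

            String role = provider.authenticate(new AuthenticationDataSource() {
                @Override
                public boolean hasDataFromCommand() {
                    return true;
                }

                @Override
                public String getCommandData() {
                    return token;
                }
            });
            Assert.assertEquals(role, authRole);
        } finally {
            provider.close();
        }
    }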

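    /**
     * ECDSA (ES256) setup: the provider is given the public key plus {@code tokenPublicAlg},
     * and a token signed with the matching private key must authenticate as {@link #SUBJECT}.
     *
     * <p>The provider is closed in a {@code finally} block so a failed assertion does not leak it.
     */
    @Test
    public void testAuthSecretKeyPairWithECDSA() throws Exception {
        KeyPair keyPair = Keys.keyPairFor(SignatureAlgorithm.ES256);
        String privateKeyBase64 = AuthTokenUtils.encodeKeyBase64(keyPair.getPrivate());
        String publicKeyBase64 = AuthTokenUtils.encodeKeyBase64(keyPair.getPublic());

        Properties properties = new Properties();
        properties.setProperty("tokenPublicKey", publicKeyBase64);
        // The algorithm is configured explicitly alongside the ES256 public key.
        properties.setProperty("tokenPublicAlg", SignatureAlgorithm.ES256.getValue());
        ServiceConfiguration conf = new ServiceConfiguration();
        conf.setProperties(properties);

        AuthenticationProviderToken provider = new AuthenticationProviderToken();
        try {
            provider.initialize(conf);
            byte[] privateKeyBytes = Decoders.BASE64.decode(privateKeyBase64);
            final String token = AuthTokenUtils.createToken(
                    AuthTokenUtils.decodePrivateKey(privateKeyBytes, SignatureAlgorithm.ES256),
                    SUBJECT, Optional.empty());
            String subject = provider.authenticate(new AuthenticationDataSource() {
                @Override
                public boolean hasDataFromCommand() {
                    return true;
                }

                @Override
                public String getCommandData() {
                    return token;
                }
            });
            Assert.assertEquals(subject, SUBJECT);
        } finally {
            provider.close();
        }
    }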

    /**
     * A data source that reports neither command data nor HTTP data carries no token, so
     * authentication must fail with {@link AuthenticationException}.
     */
    @Test(expectedExceptions = AuthenticationException.class)
    public void testAuthenticateWhenNoJwtPassed() throws AuthenticationException {
        AuthenticationDataSource noCredentials = new AuthenticationDataSource() {
            @Override
            public boolean hasDataFromHttp() {
                return false;
            }

            @Override
            public boolean hasDataFromCommand() {
                return false;
            }
        };
        AuthenticationProviderToken provider = new AuthenticationProviderToken();
        provider.authenticate(noCredentials);
    }

    /**
     * The data source claims to have HTTP data but returns {@code null} for every header;
     * a missing header must be rejected with {@link AuthenticationException}.
     */
    @Test(expectedExceptions = AuthenticationException.class)
    public void testAuthenticateWhenAuthorizationHeaderNotExist() throws AuthenticationException {
        AuthenticationDataSource missingHeader = new AuthenticationDataSource() {
            @Override
            public boolean hasDataFromHttp() {
                return true;
            }

            @Override
            public String getHttpHeader(String name) {
                return null;
            }
        };
        AuthenticationProviderToken provider = new AuthenticationProviderToken();
        provider.authenticate(missingHeader);
    }

    /**
     * A header value that starts with {@code "MyBearer "} does not use the expected scheme
     * prefix and must be rejected with {@link AuthenticationException}.
     */
    @Test(expectedExceptions = AuthenticationException.class)
    public void testAuthenticateWhenAuthHeaderValuePrefixIsInvalid() throws AuthenticationException {
        AuthenticationDataSource wrongScheme = new AuthenticationDataSource() {
            @Override
            public boolean hasDataFromHttp() {
                return true;
            }

            @Override
            public String getHttpHeader(String name) {
                return "MyBearer ";
            }
        };
        AuthenticationProviderToken provider = new AuthenticationProviderToken();
        provider.authenticate(wrongScheme);
    }

    /**
     * A {@code Bearer} header whose token part is only whitespace must be rejected with
     * {@link AuthenticationException}.
     */
    @Test(expectedExceptions = AuthenticationException.class)
    public void testAuthenticateWhenJwtIsBlank() throws AuthenticationException {
        AuthenticationDataSource blankToken = new AuthenticationDataSource() {
            @Override
            public boolean hasDataFromHttp() {
                return true;
            }

            @Override
            public String getHttpHeader(String name) {
                return "Bearer       ";
            }
        };
        AuthenticationProviderToken provider = new AuthenticationProviderToken();
        provider.authenticate(blankToken);
    }

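    /**
     * With a valid HS256 key configured, a {@code Bearer} value that is not a JWT at all must be
     * rejected with {@link AuthenticationException}.
     *
     * <p>The provider is closed in a {@code finally} block; the original initialized it and
     * never closed it.
     */
    @Test(expectedExceptions = {AuthenticationException.class})
    public void testAuthenticateWhenInvalidTokenIsPassed() throws AuthenticationException, IOException {
        SecretKey secretKey = AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256);
        Properties properties = new Properties();
        properties.setProperty("tokenSecretKey", AuthTokenUtils.encodeKeyBase64(secretKey));
        ServiceConfiguration conf = new ServiceConfiguration();
        conf.setProperties(properties);

        AuthenticationProviderToken provider = new AuthenticationProviderToken();
        try {
            provider.initialize(conf);
            provider.authenticate(new AuthenticationDataSource() {
                @Override
                public String getHttpHeader(String name) {
                    return "Bearer invalid_token";
                }

                @Override
                public boolean hasDataFromHttp() {
                    return true;
                }
            });
        } finally {
            provider.close();
        }
    }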

    /** A whitespace-only {@code tokenSecretKey} must make initialization fail with {@link IOException}. */
    @Test(expectedExceptions = IOException.class)
    public void testValidationKeyWhenBlankSecretKeyIsPassed() throws IOException {
        ServiceConfiguration conf = new ServiceConfiguration();
        Properties blankKey = new Properties();
        blankKey.setProperty("tokenSecretKey", "   ");
        conf.setProperties(blankKey);

        AuthenticationProviderToken provider = new AuthenticationProviderToken();
        provider.initialize(conf);
    }

    /** A whitespace-only {@code tokenPublicKey} must make initialization fail with {@link IOException}. */
    @Test(expectedExceptions = IOException.class)
    public void testValidationKeyWhenBlankPublicKeyIsPassed() throws IOException {
        ServiceConfiguration conf = new ServiceConfiguration();
        Properties blankKey = new Properties();
        blankKey.setProperty("tokenPublicKey", "   ");
        conf.setProperties(blankKey);

        AuthenticationProviderToken provider = new AuthenticationProviderToken();
        provider.initialize(conf);
    }

    /**
     * A {@code file://} secret-key URI that does not resolve to a readable key file must make
     * initialization fail with {@link IOException}.
     */
    @Test(expectedExceptions = IOException.class)
    public void testInitializeWhenSecretKeyFilePathIsInvalid() throws IOException {
        ServiceConfiguration conf = new ServiceConfiguration();
        Properties badPath = new Properties();
        badPath.setProperty("tokenSecretKey", "file://invalid_secret_key_file");
        conf.setProperties(badPath);

        AuthenticationProviderToken provider = new AuthenticationProviderToken();
        provider.initialize(conf);
    }

    /**
     * A bare {@code tokenSecretKey} value that names no existing file is expected to make
     * initialization fail with {@link IOException}.
     */
    @Test(expectedExceptions = IOException.class)
    public void testInitializeWhenSecretKeyIsValidPathOrBase64() throws IOException {
        ServiceConfiguration conf = new ServiceConfiguration();
        Properties bareValue = new Properties();
        bareValue.setProperty("tokenSecretKey", "secret_key_file_not_exist");
        conf.setProperties(bareValue);

        AuthenticationProviderToken provider = new AuthenticationProviderToken();
        provider.initialize(conf);
    }

    /**
     * Points {@code tokenSecretKey} at an absolute path whose file was just deleted; the test
     * expects initialization to fail with {@link IllegalArgumentException}.
     */
    @Test(expectedExceptions = IllegalArgumentException.class)
    public void testInitializeWhenSecretKeyFilePathIfNotExist() throws IOException {
        // Create then delete a temp file to obtain a path that is guaranteed not to exist.
        File missingKeyFile = File.createTempFile("secret_key_file_not_exist", ".key");
        Assert.assertTrue(missingKeyFile.delete());
        Assert.assertFalse(missingKeyFile.exists());

        ServiceConfiguration conf = new ServiceConfiguration();
        Properties missingPath = new Properties();
        missingPath.setProperty("tokenSecretKey", missingKeyFile.toString());
        conf.setProperties(missingPath);

        AuthenticationProviderToken provider = new AuthenticationProviderToken();
        provider.initialize(conf);
    }

    /**
     * A {@code file://} public-key URI that does not resolve to a readable key file must make
     * initialization fail with {@link IOException}.
     */
    @Test(expectedExceptions = IOException.class)
    public void testInitializeWhenPublicKeyFilePathIsInvalid() throws IOException {
        ServiceConfiguration conf = new ServiceConfiguration();
        Properties badPath = new Properties();
        badPath.setProperty("tokenPublicKey", "file://invalid_public_key_file");
        conf.setProperties(badPath);

        AuthenticationProviderToken provider = new AuthenticationProviderToken();
        provider.initialize(conf);
    }

    /**
     * An unrecognized {@code tokenPublicAlg} value must make initialization fail with
     * {@link IllegalArgumentException} rather than fall back to some other algorithm.
     */
    @Test(expectedExceptions = IllegalArgumentException.class)
    public void testValidationWhenPublicKeyAlgIsInvalid() throws IOException {
        ServiceConfiguration conf = new ServiceConfiguration();
        Properties badAlg = new Properties();
        badAlg.setProperty("tokenPublicAlg", "invalid");
        conf.setProperties(badAlg);

        AuthenticationProviderToken provider = new AuthenticationProviderToken();
        provider.initialize(conf);
    }

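    /**
     * A token that expires three seconds after issue: the authentication state is complete and
     * not expired right after authenticating, reports expired after a six-second wait, and
     * {@code refreshAuthentication()} then returns {@code AuthData.REFRESH_AUTH_DATA}.
     *
     * <p>Cleanup uses a plain {@code try/finally} (the decompiled null-check wrapper could call
     * {@code close()} twice), and the token bytes are encoded with an explicit charset.
     */
    @Test
    public void testExpiringToken() throws Exception {
        SecretKey secretKey = AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256);
        AuthenticationProviderToken provider = new AuthenticationProviderToken();
        try {
            Properties properties = new Properties();
            properties.setProperty("tokenSecretKey", AuthTokenUtils.encodeKeyBase64(secretKey));
            ServiceConfiguration conf = new ServiceConfiguration();
            conf.setProperties(properties);
            provider.initialize(conf);

            String token = AuthTokenUtils.createToken(secretKey, SUBJECT,
                    Optional.of(new Date(System.currentTimeMillis() + TimeUnit.SECONDS.toMillis(3L))));
            byte[] tokenBytes = token.getBytes(java.nio.charset.StandardCharsets.UTF_8);

            AuthenticationState authState =
                    provider.newAuthState(AuthData.of(tokenBytes), (SocketAddress) null, (SSLSession) null);
            authState.authenticate(AuthData.of(tokenBytes));
            Assert.assertTrue(authState.isComplete());
            Assert.assertFalse(authState.isExpired());

            // Wait past the three-second lifetime so the session must now report expiry.
            Thread.sleep(TimeUnit.SECONDS.toMillis(6L));
            Assert.assertTrue(authState.isExpired());
            Assert.assertTrue(authState.isComplete());

            // An expired session asks the client for fresh credentials.
            Assert.assertEquals(authState.refreshAuthentication(), AuthData.REFRESH_AUTH_DATA);
        } finally {
            provider.close();
        }
    }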

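    /**
     * A token whose expiry is already three seconds in the past must be rejected by
     * {@code AuthenticationState.authenticate} with {@link AuthenticationException}.
     *
     * <p>Cleanup uses a plain {@code try/finally} (the decompiled null-check wrapper could call
     * {@code close()} twice), and the token bytes are encoded with an explicit charset.
     */
    @Test
    public void testExpiredTokenFailsOnAuthenticate() throws Exception {
        SecretKey secretKey = AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256);
        AuthenticationProviderToken provider = new AuthenticationProviderToken();
        try {
            Properties properties = new Properties();
            properties.setProperty("tokenSecretKey", AuthTokenUtils.encodeKeyBase64(secretKey));
            ServiceConfiguration conf = new ServiceConfiguration();
            conf.setProperties(properties);
            provider.initialize(conf);

            String expiredToken = AuthTokenUtils.createToken(secretKey, SUBJECT,
                    Optional.of(new Date(System.currentTimeMillis() - TimeUnit.SECONDS.toMillis(3L))));
            AuthData expiredAuthData =
                    AuthData.of(expiredToken.getBytes(java.nio.charset.StandardCharsets.UTF_8));

            AuthenticationState authState =
                    provider.newAuthState(expiredAuthData, (SocketAddress) null, (SSLSession) null);
            Assert.assertThrows(AuthenticationException.class, () -> {
                authState.authenticate(expiredAuthData);
            });
        } finally {
            provider.close();
        }
    }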

    /**
     * Broker audience and the audience handed to the helper are the same value under the
     * standard {@code aud} claim; the test expects no exception.
     * NOTE(review): testTokenAudienceWithDifferentConfig is defined outside this excerpt;
     * presumably it issues a token with the given audience and authenticates it. Confirm.
     */
    @Test
    public void testRightTokenAudienceClaim() throws Exception {
        String brokerAudience = "testBroker_" + System.currentTimeMillis();

        Properties audienceConfig = new Properties();
        audienceConfig.setProperty("tokenAudience", brokerAudience);
        audienceConfig.setProperty("tokenAudienceClaim", "aud");

        testTokenAudienceWithDifferentConfig(audienceConfig, brokerAudience);
    }

    /**
     * The broker is configured with an audience that differs from the one handed to the
     * helper; the mismatch must surface as {@link AuthenticationException}.
     * NOTE(review): testTokenAudienceWithDifferentConfig is defined outside this excerpt;
     * presumably it issues a token with the given audience and authenticates it. Confirm.
     */
    @Test(expectedExceptions = AuthenticationException.class)
    public void testWrongTokenAudience() throws Exception {
        String tokenAudience = "testBroker_" + System.currentTimeMillis();

        Properties audienceConfig = new Properties();
        audienceConfig.setProperty("tokenAudience", tokenAudience + "-wrong");
        audienceConfig.setProperty("tokenAudienceClaim", "aud");

        testTokenAudienceWithDifferentConfig(audienceConfig, tokenAudience);
    }

    /**
     * Only {@code tokenAudienceClaim} is configured, with no {@code tokenAudience}; the test
     * expects this incomplete audience setup to be refused with
     * {@link IllegalArgumentException}.
     */
    @Test(expectedExceptions = IllegalArgumentException.class)
    public void testNoBrokerTokenAudience() throws Exception {
        String tokenAudience = "testBroker_" + System.currentTimeMillis();

        Properties claimOnlyConfig = new Properties();
        claimOnlyConfig.setProperty("tokenAudienceClaim", "aud");

        testTokenAudienceWithDifferentConfig(claimOnlyConfig, tokenAudience);
    }

    /**
     * Uses a custom audience-claim name; the configured claim name and broker audience match
     * what is handed to the helper, so no exception is expected.
     * NOTE(review): the three-argument testTokenAudienceWithDifferentConfig is defined outside
     * this excerpt; presumably it puts the audience list under the given claim. Confirm.
     */
    @Test
    public void testSelfDefineTokenAudienceClaim() throws Exception {
        String audienceClaim = "audience_claim_" + System.currentTimeMillis();
        String brokerAudience = "testBroker_" + System.currentTimeMillis();

        Properties audienceConfig = new Properties();
        audienceConfig.setProperty("tokenAudienceClaim", audienceClaim);
        audienceConfig.setProperty("tokenAudience", brokerAudience);

        List<String> tokenAudiences = Lists.newArrayList(brokerAudience);
        testTokenAudienceWithDifferentConfig(audienceConfig, audienceClaim, tokenAudiences);
    }

    /**
     * The helper receives a claim name that differs from the configured
     * {@code tokenAudienceClaim}; the test expects {@link AuthenticationException}.
     * NOTE(review): the three-argument testTokenAudienceWithDifferentConfig is defined outside
     * this excerpt; presumably it puts the audience list under the given claim. Confirm.
     */
    @Test(expectedExceptions = AuthenticationException.class)
    public void testWrongSelfDefineTokenAudienceClaim() throws Exception {
        String audienceClaim = "audience_claim_" + System.currentTimeMillis();
        String brokerAudience = "testBroker_" + System.currentTimeMillis();

        Properties audienceConfig = new Properties();
        audienceConfig.setProperty("tokenAudienceClaim", audienceClaim);
        audienceConfig.setProperty("tokenAudience", brokerAudience);

        List<String> tokenAudiences = Lists.newArrayList(brokerAudience);
        testTokenAudienceWithDifferentConfig(audienceConfig, audienceClaim + "_wrong", tokenAudiences);
    }

    /**
     * The audience list handed to the helper holds two entries, one of which is the broker's
     * configured audience; no exception is expected.
     * NOTE(review): the three-argument testTokenAudienceWithDifferentConfig is defined outside
     * this excerpt; presumably it puts the audience list under the given claim. Confirm.
     */
    @Test
    public void testMultiTokenAudience() throws Exception {
        String audienceClaim = "audience_claim_" + System.currentTimeMillis();
        String brokerAudience = "testBroker_" + System.currentTimeMillis();
        List<String> tokenAudiences = Lists.newArrayList("AnotherBrokerAudience", brokerAudience);

        Properties audienceConfig = new Properties();
        audienceConfig.setProperty("tokenAudienceClaim", audienceClaim);
        audienceConfig.setProperty("tokenAudience", brokerAudience);

        testTokenAudienceWithDifferentConfig(audienceConfig, audienceClaim, tokenAudiences);
    }

    /**
     * Neither entry of the audience list handed to the helper equals the broker's configured
     * audience; the test expects {@link AuthenticationException}.
     * NOTE(review): the three-argument testTokenAudienceWithDifferentConfig is defined outside
     * this excerpt; presumably it puts the audience list under the given claim. Confirm.
     */
    @Test(expectedExceptions = AuthenticationException.class)
    public void testMultiTokenAudienceNotInclude() throws Exception {
        String audienceClaim = "audience_claim_" + System.currentTimeMillis();
        String brokerAudience = "testBroker_" + System.currentTimeMillis();
        List<String> tokenAudiences =
                Lists.newArrayList("AnotherBrokerAudience", brokerAudience + "_wrong");

        Properties audienceConfig = new Properties();
        audienceConfig.setProperty("tokenAudienceClaim", audienceClaim);
        audienceConfig.setProperty("tokenAudience", brokerAudience);

        testTokenAudienceWithDifferentConfig(audienceConfig, audienceClaim, tokenAudiences);
    }

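    /**
     * The custom auth claim holds a list of roles; the test expects the provider to return
     * the first entry ({@code "my-test-role"}) as the authenticated role.
     *
     * <p>The provider is closed in a {@code finally} block so a failed assertion does not leak
     * it, and the claims map is a plain {@link HashMap} rather than an anonymous subclass.
     */
    @Test
    public void testArrayTypeRoleClaim() throws Exception {
        String authClaim = "customClaim";
        String authRole = "my-test-role";

        KeyPair keyPair = Keys.keyPairFor(SignatureAlgorithm.RS256);
        String privateKeyBase64 = AuthTokenUtils.encodeKeyBase64(keyPair.getPrivate());
        String publicKeyBase64 = AuthTokenUtils.encodeKeyBase64(keyPair.getPublic());

        Properties properties = new Properties();
        properties.setProperty("tokenPublicKey", publicKeyBase64);
        properties.setProperty("tokenAuthClaim", authClaim);
        ServiceConfiguration conf = new ServiceConfiguration();
        conf.setProperties(properties);

        AuthenticationProviderToken provider = new AuthenticationProviderToken();
        try {
            provider.initialize(conf);

            HashMap<String, Object> claims = new HashMap<>();
            claims.put(authClaim, Arrays.asList(authRole, "other-role"));
            byte[] privateKeyBytes = Decoders.BASE64.decode(privateKeyBase64);
            final String token = Jwts.builder()
                    .setClaims(claims)
                    .signWith(AuthTokenUtils.decodePrivateKey(privateKeyBytes, SignatureAlgorithm.RS256))
                    .compact();

            String role = provider.authenticate(new AuthenticationDataSource() {
                @Override
                public boolean hasDataFromCommand() {
                    return true;
                }

                @Override
                public String getCommandData() {
                    return token;
                }
            });
            Assert.assertEquals(role, authRole);
        } finally {
            provider.close();
        }
    }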

    /**
     * With {@code tokenSettingPrefix} set to {@code "test"}, the provider must look up every
     * token setting under the prefixed name, exactly once each.
     *
     * <p>A mocked configuration strips the prefix and delegates to a real configuration that
     * holds only an RS256 public key.
     */
    @Test
    public void testTokenSettingPrefix() throws Exception {
        AuthenticationProviderToken provider = new AuthenticationProviderToken();

        KeyPair keyPair = Keys.keyPairFor(SignatureAlgorithm.RS256);
        String publicKeyBase64 = AuthTokenUtils.encodeKeyBase64(keyPair.getPublic());

        Properties properties = new Properties();
        properties.setProperty("tokenPublicKey", publicKeyBase64);
        ServiceConfiguration realConf = new ServiceConfiguration();
        realConf.setProperties(properties);

        ServiceConfiguration mockConf = Mockito.mock(ServiceConfiguration.class);
        String prefix = "test";

        // Generic stub first: drop the prefix and answer from the real configuration.
        Mockito.when(mockConf.getProperty(ArgumentMatchers.anyString())).thenAnswer(invocation -> {
            String requestedKey = (String) invocation.getArgument(0);
            return realConf.getProperty(requestedKey.substring(prefix.length()));
        });
        // Specific stub second, so the prefix lookup itself is answered directly.
        Mockito.when(mockConf.getProperty("tokenSettingPrefix")).thenReturn("test");

        provider.initialize(mockConf);

        Mockito.verify(mockConf, Mockito.times(1)).getProperty("tokenSettingPrefix");
        String[] prefixedSettings = {
            "tokenSecretKey",
            "tokenPublicKey",
            "tokenAuthClaim",
            "tokenPublicAlg",
            "tokenAudienceClaim",
            "tokenAudience",
        };
        for (String setting : prefixedSettings) {
            Mockito.verify(mockConf, Mockito.times(1)).getProperty("test" + setting);
        }
    }

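    /**
     * Verifies that {@code authenticateHttpRequest} accepts a valid HS256 token supplied as the
     * {@code token} request parameter when the {@code Authorization} header is absent.
     *
     * <p>Only the accepting path is covered; nothing here checks that a missing or altered
     * parameter is rejected. Request parameters are commonly recorded in access and proxy logs,
     * so deployments that accept tokens this way should treat those logs as holding credentials;
     * the {@code Authorization} header is the less exposed carrier.
     */
    @Test
    public void testTokenFromHttpParams() throws Exception {
        SecretKey secretKey = AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256);
        AuthenticationProviderToken provider = new AuthenticationProviderToken();
        try {
            Properties properties = new Properties();
            properties.setProperty("tokenSecretKey", AuthTokenUtils.encodeKeyBase64(secretKey));
            ServiceConfiguration serviceConfiguration = new ServiceConfiguration();
            serviceConfiguration.setProperties(properties);
            provider.initialize(serviceConfiguration);

            // Token for SUBJECT with no expiry argument (Optional.empty()).
            String token = AuthTokenUtils.createToken(secretKey, SUBJECT, Optional.empty());

            HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
            Mockito.doReturn(token).when(request).getParameter("token");
            // Explicitly no header, so the parameter is the only place the token can come from.
            Mockito.doReturn((Object) null).when(request).getHeader("Authorization");
            Mockito.doReturn("127.0.0.1").when(request).getRemoteAddr();
            Mockito.doReturn(0).when(request).getRemotePort();

            Assert.assertTrue(
                    provider.authenticateHttpRequest(request, (HttpServletResponse) null),
                    "Authentication should have passed");
        } finally {
            // One cleanup path: close() runs exactly once whether the assertion passes or throws.
            provider.close();
        }
    }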

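    /**
     * Verifies that {@code authenticateHttpRequest} accepts a valid HS256 token carried in the
     * {@code Authorization} header as {@code "Bearer " + token}.
     *
     * <p>No {@code token} request parameter is stubbed, so the mock returns {@code null} for it
     * and the header is the only source of the credential. Only the accepting path is asserted.
     */
    @Test
    public void testTokenFromHttpHeaders() throws Exception {
        SecretKey secretKey = AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256);
        AuthenticationProviderToken provider = new AuthenticationProviderToken();
        try {
            Properties properties = new Properties();
            properties.setProperty("tokenSecretKey", AuthTokenUtils.encodeKeyBase64(secretKey));
            ServiceConfiguration serviceConfiguration = new ServiceConfiguration();
            serviceConfiguration.setProperties(properties);
            provider.initialize(serviceConfiguration);

            String token = AuthTokenUtils.createToken(secretKey, SUBJECT, Optional.empty());

            HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
            Mockito.doReturn("Bearer " + token).when(request).getHeader("Authorization");
            Mockito.doReturn("127.0.0.1").when(request).getRemoteAddr();
            Mockito.doReturn(0).when(request).getRemotePort();

            Assert.assertTrue(
                    provider.authenticateHttpRequest(request, (HttpServletResponse) null),
                    "Authentication should have passed");
        } finally {
            // One cleanup path: close() runs exactly once whether the assertion passes or throws.
            provider.close();
        }
    }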

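    /**
     * Verifies how an {@link AuthenticationState} from the token provider tracks its
     * {@link AuthenticationDataSource} across authentications.
     *
     * <ul>
     *   <li>Before any token is presented, {@code getAuthRole()} throws
     *       {@link AuthenticationException} and {@code getAuthDataSource()} is {@code null}.</li>
     *   <li>Each {@code authenticate} call returns {@code null} (no challenge) and leaves a
     *       non-null data source behind.</li>
     *   <li>The data source after the second call is not equal to the one after the first, so
     *       the state does not keep serving the earlier data source.</li>
     * </ul>
     */
    @Test
    public void testTokenStateUpdatesAuthenticationDataSource() throws Exception {
        SecretKey secretKey = AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256);
        AuthenticationProviderToken provider = new AuthenticationProviderToken();
        try {
            Properties properties = new Properties();
            properties.setProperty("tokenSecretKey", AuthTokenUtils.encodeKeyBase64(secretKey));
            ServiceConfiguration serviceConfiguration = new ServiceConfiguration();
            serviceConfiguration.setProperties(properties);
            provider.initialize(serviceConfiguration);

            AuthenticationState authState =
                    provider.newAuthState((AuthData) null, (SocketAddress) null, (SSLSession) null);

            // Unauthenticated state: no role may be handed out and no data source exists yet.
            Assert.assertThrows(AuthenticationException.class, authState::getAuthRole);
            Assert.assertNull(authState.getAuthDataSource(), "Haven't created a source yet.");

            // Encode the token with an explicit charset instead of the platform default, so the
            // bytes handed to the provider do not depend on the JVM's locale settings.
            String firstToken = AuthTokenUtils.createToken(secretKey, SUBJECT, Optional.empty());
            AuthData firstChallenge = authState.authenticate(
                    AuthData.of(firstToken.getBytes(java.nio.charset.StandardCharsets.UTF_8)));
            AuthenticationDataSource firstSource = authState.getAuthDataSource();
            Assert.assertNull(firstChallenge, "TokenAuth doesn't respond with challenges");
            Assert.assertNotNull(firstSource, "Created authDataSource");

            String secondToken = AuthTokenUtils.createToken(secretKey, SUBJECT, Optional.empty());
            AuthData secondChallenge = authState.authenticate(
                    AuthData.of(secondToken.getBytes(java.nio.charset.StandardCharsets.UTF_8)));
            AuthenticationDataSource secondSource = authState.getAuthDataSource();
            Assert.assertNull(secondChallenge, "TokenAuth doesn't respond with challenges");
            Assert.assertNotNull(secondSource, "Created authDataSource");

            // NOTE(review): this compares with equals(); whether that is identity or value
            // comparison depends on the data source implementation, which is not visible here.
            Assert.assertNotEquals(firstSource, secondSource);
        } finally {
            // One cleanup path: close() runs exactly once whether an assertion passes or throws.
            provider.close();
        }
    }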

    /**
     * Builds a compact signed JWT whose subject is {@code SUBJECT} and which carries one extra
     * claim.
     *
     * @param key  key the token is signed with
     * @param str  name of the extra claim (the audience claim in the callers' terms)
     * @param list value stored under that claim
     * @return the compact serialized token
     */
    private static String createTokenWithAudience(Key key, String str, List<String> list) {
        return Jwts.builder()
                .setSubject(SUBJECT)
                .signWith(key)
                .claim(str, list)
                .compact();
    }

    /**
     * Convenience overload: runs the audience check with the claim name {@code "aud"} and a
     * one-element list holding {@code str}.
     *
     * @param properties provider settings, passed through to the three-argument overload
     * @param str        the single audience value to place in the token
     * @throws Exception whatever the three-argument overload throws
     */
    private static void testTokenAudienceWithDifferentConfig(Properties properties, String str) throws Exception {
        final List<String> audiences = Lists.newArrayList(str);
        testTokenAudienceWithDifferentConfig(properties, "aud", audiences);
    }

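    /**
     * Initializes a token provider from the given settings plus a freshly generated HS256 secret
     * key, then asserts that a token carrying the given claim authenticates as {@code SUBJECT}.
     *
     * <p>The key is written to a temporary file and {@code tokenSecretKey} is set to that file's
     * path. Note that this stores the setting in the caller's {@code properties} object.
     *
     * @param properties provider settings supplied by the caller; {@code tokenSecretKey} is
     *                   added to (or overwritten in) this object
     * @param str        name of the claim to add to the token
     * @param list       value of that claim
     * @throws Exception if key-file handling, initialization or authentication fails; the
     *                   caller decides whether that is the expected outcome
     */
    private static void testTokenAudienceWithDifferentConfig(Properties properties, String str, List<String> list) throws Exception {
        AuthenticationProviderToken provider = new AuthenticationProviderToken();
        try {
            SecretKey secretKey = AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256);

            // The file holds raw key material. Files.createTempFile may create it with more
            // restrictive permissions than File.createTempFile (typically owner-only on POSIX
            // systems), which suits a secret even in a test.
            File keyFile = Files.createTempFile("pulsar-test-secret-key-valid", ".key").toFile();
            keyFile.deleteOnExit();
            Files.write(keyFile.toPath(), secretKey.getEncoded());

            properties.setProperty("tokenSecretKey", keyFile.toString());
            ServiceConfiguration serviceConfiguration = new ServiceConfiguration();
            serviceConfiguration.setProperties(properties);
            provider.initialize(serviceConfiguration);

            final String token = createTokenWithAudience(secretKey, str, list);
            String subject = provider.authenticate(new AuthenticationDataSource() {
                @Override
                public boolean hasDataFromCommand() {
                    return true;
                }

                @Override
                public String getCommandData() {
                    return token;
                }
            });
            Assert.assertEquals(subject, SUBJECT);
        } finally {
            // The original closed the provider twice on the success path; close it once here,
            // on every path.
            provider.close();
        }
    }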
}
