package io.camunda.zeebe.auth;

import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.Claim;
import io.camunda.zeebe.auth.impl.Authorization;
import io.camunda.zeebe.auth.impl.JwtAuthorizationDecoder;
import io.camunda.zeebe.util.exception.UnrecoverableException;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.List;
import java.util.Map;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.Test;

/* loaded from: input_file:io/camunda/zeebe/auth/JwtAuthorizationTest.class */
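/**
 * Round-trip tests for the JWT helpers exposed by {@link Authorization}: encoding through
 * {@code Authorization.jwtEncoder()} and decoding through {@code Authorization.jwtDecoder(String)}.
 *
 * <p>Security note: every token built by hand in this class is signed with
 * {@code Algorithm.none()}, i.e. it carries no signature. The decoder accepting these tokens
 * shows that, as exercised here, the authenticity of the claims is not established by the token
 * itself. NOTE(review): presumably the gateway-to-broker channel is the trust boundary; confirm
 * that this decoder is never fed tokens that arrive from an untrusted party.
 */
public class JwtAuthorizationTest {

    /** The encoder, used without extra claims, must emit the default iss/aud/sub claims. */
    @Test
    public void shouldEncodeJwtTokenWithDefaultClaims() {
        // when
        final String token = Authorization.jwtEncoder().encode();

        // then
        // JWT.decode only parses the token; it performs no signature verification, so this
        // checks claim content and nothing else.
        assertDefaultClaims(JWT.decode(token).getClaims());
    }

    /** A custom {@code authorized_tenants} claim must survive encoding next to the defaults. */
    @Test
    public void shouldEncodeJwtTokenWithAuthorizedTenants() {
        // given
        final List<String> tenants = List.of("tenant-1", "tenant-2", "tenant-3");

        // when
        final String token =
            Authorization.jwtEncoder().withClaim("authorized_tenants", tenants).encode();

        // then
        final Map<String, Claim> claims = JWT.decode(token).getClaims();
        assertDefaultClaims(claims);
        Assertions.assertThat(claims).containsKey("authorized_tenants");
        Assertions.assertThat(claims.get("authorized_tenants").as(List.class))
            .containsExactlyElementsOf(tenants);
    }

    /** The decoder must accept a token that carries exactly the default claims. */
    @Test
    public void shouldValidateAndDecodeJwtTokenWithDefaultClaims() {
        // given - an unsigned token (alg "none") with the expected issuer, audience and subject
        final String token =
            JWT.create()
                .withIssuer("zeebe-gateway")
                .withAudience("zeebe-broker")
                .withSubject("zeebe-client")
                .sign(Algorithm.none());

        // when
        final Map<String, Claim> claims = Authorization.jwtDecoder(token).build().getClaims();

        // then
        assertDefaultClaims(claims);
    }

    /** A required {@code authorized_tenants} claim must be decoded with its original values. */
    @Test
    public void shouldValidateAndDecodeJwtTokenWithAuthorizedTenantsClaim() {
        // given
        final List<String> tenants = List.of("tenant-1", "tenant-2", "tenant-3");
        final String token =
            JWT.create()
                .withIssuer("zeebe-gateway")
                .withAudience("zeebe-broker")
                .withSubject("zeebe-client")
                .withClaim("authorized_tenants", tenants)
                .sign(Algorithm.none());

        // when - the decoder is told that the claim has to be present
        final Map<String, Claim> claims =
            Authorization.jwtDecoder(token).withClaim("authorized_tenants").build().getClaims();

        // then
        assertDefaultClaims(claims);
        Assertions.assertThat(claims.get("authorized_tenants").as(List.class))
            .containsExactlyElementsOf(tenants);
    }

    /** Decoding must fail when a claim registered on the decoder is missing from the token. */
    @Test
    public void shouldFailJwtTokenValidationWithNoAuthorizedTenants() {
        // given - a token without the tenant claim, and a decoder that requires it
        final String token =
            JWT.create()
                .withIssuer("zeebe-gateway")
                .withAudience("zeebe-broker")
                .withSubject("zeebe-client")
                .sign(Algorithm.none());
        final JwtAuthorizationDecoder decoder =
            Authorization.jwtDecoder(token).withClaim("authorized_tenants");

        // when / then
        Assertions.assertThatThrownBy(decoder::decode)
            .isInstanceOf(UnrecoverableException.class)
            .hasMessage(
                "Authorization data unavailable: The Claim 'authorized_tenants' is not present in the JWT.");
    }

    /** A string that is not a well-formed JWT must be rejected rather than partially decoded. */
    @Test
    public void shouldFailJwtTokenDecodingWithInvalidJwtToken() {
        // given
        final JwtAuthorizationDecoder decoder = Authorization.jwtDecoder("invalid.jwt.token");

        // when / then
        Assertions.assertThatThrownBy(decoder::decode)
            .isInstanceOf(UnrecoverableException.class)
            .hasMessageContaining("Authorization data unavailable")
            .hasMessageContaining("doesn't have a valid JSON format");
    }

    /** A {@code null} token must be reported as an explicit error, not as empty authorization. */
    @Test
    public void shouldFailJwtTokenDecodingWithoutJwtToken() {
        // given
        final JwtAuthorizationDecoder decoder =
            Authorization.jwtDecoder((String) null).withClaim("authorized_tenants");

        // when / then
        Assertions.assertThatThrownBy(decoder::decode)
            .isInstanceOf(UnrecoverableException.class)
            .hasMessage("Authorization data unavailable: The token is null.");
    }

    /**
     * A token whose {@code iat} lies ten minutes in the future must still be accepted.
     *
     * <p>NOTE(review): presumably this tolerates clock skew between the issuer and the decoder;
     * confirm the intent. This class has no corresponding test for expiry or not-before claims.
     */
    @Test
    public void shouldNotFailVerificationForFutureIssuedAt() {
        // given
        final String token =
            JWT.create()
                .withIssuer("zeebe-gateway")
                .withAudience("zeebe-broker")
                .withSubject("zeebe-client")
                .withClaim("authorized_tenants", List.of())
                .withIssuedAt(Instant.now().plus(10L, ChronoUnit.MINUTES))
                .sign(Algorithm.none());

        // when / then - state the expectation explicitly instead of relying on "no exception"
        Assertions.assertThatCode(
                () -> Authorization.jwtDecoder(token).withClaim("authorized_tenants").build())
            .doesNotThrowAnyException();
    }

    /**
     * Asserts that the issuer, audience and subject claims are present with the expected values.
     *
     * @param claims the decoded claims to inspect
     */
    private void assertDefaultClaims(final Map<String, Claim> claims) {
        Assertions.assertThat(claims).containsKey("iss");
        Assertions.assertThat(claims.get("iss").as(String.class)).isEqualTo("zeebe-gateway");
        Assertions.assertThat(claims).containsKey("aud");
        Assertions.assertThat(claims.get("aud").as(String.class)).isEqualTo("zeebe-broker");
        Assertions.assertThat(claims).containsKey("sub");
        Assertions.assertThat(claims.get("sub").as(String.class)).isEqualTo("zeebe-client");
    }
}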
