package io.fabric8.kubernetes.client.utils;

import io.fabric8.kubernetes.api.model.AuthProviderConfig;
import io.fabric8.kubernetes.api.model.NamedAuthInfo;
import io.fabric8.kubernetes.api.model.NamedAuthInfoBuilder;
import io.fabric8.kubernetes.api.model.NamedCluster;
import io.fabric8.kubernetes.api.model.NamedClusterBuilder;
import io.fabric8.kubernetes.api.model.NamedContext;
import io.fabric8.kubernetes.api.model.NamedContextBuilder;
import io.fabric8.kubernetes.client.Config;
import io.fabric8.kubernetes.client.ConfigBuilder;
import io.fabric8.kubernetes.client.http.TestStandardHttpClientBuilder;
import io.fabric8.kubernetes.client.http.TestStandardHttpClientFactory;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.PrintStream;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.X509ExtendedTrustManager;
import org.assertj.core.api.Assertions;
import org.assertj.core.api.InstanceOfAssertFactories;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Disabled;
import org.junit.jupiter.api.DisplayName;
import org.junit.jupiter.api.Nested;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.io.TempDir;

/* loaded from: input_file:io/fabric8/kubernetes/client/utils/OpenIDConnectionUtilsBehaviorTest.class */
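/**
 * Behavioural tests for {@link OpenIDConnectionUtils#resolveOIDCTokenFromAuthConfig}.
 *
 * <p>Every test starts from the same fixture (see {@link #setUp()}): a kubeconfig written to a
 * temp dir whose cluster trusts a freshly generated self-signed IdP certificate, an auth-provider
 * map already holding an {@code id-token} of {@code "original-token"}, and a recording HTTP client
 * so nothing touches the network. {@code System.err} is captured because several assertions read
 * the log output back.
 *
 * <p>Security-relevant behaviour this class pins:
 * <ul>
 *   <li>Any failure to refresh (unusable discovery document, 404 or non-JSON token response) is
 *       only logged; the previous {@code id-token} is handed back unchanged. A caller therefore
 *       keeps using a possibly expired credential and relies on the API server to reject it.</li>
 *   <li>A successful refresh mutates the in-memory {@link Config} AND rewrites the kubeconfig file
 *       on disk with the new id/refresh tokens. File permissions are not asserted here.</li>
 *   <li>The IdP CA (from the kubeconfig cluster entry or {@code idp-certificate-authority-data}) is
 *       loaded into the HTTP client's trust manager; undecodable CA material fails fast with a
 *       {@code RuntimeException} wrapping a {@link CertificateException}.</li>
 * </ul>
 *
 * <p>Note: this listing was recovered from compiled classes; the decompiler-specific
 * {@code m6build()/m7newBuilder()} bridge names have been replaced by the interface methods
 * {@code build()} and {@code newBuilder()}.
 */
class OpenIDConnectionUtilsBehaviorTest {

  /**
   * Bytes that are not a valid DER/PEM certificate: a SEQUENCE tag followed by the UTF-8
   * replacement character (EF BF BD) and junk. Used to provoke a {@link CertificateException}.
   */
  private static final byte[] INVALID_CERT_BYTES = {0x30, (byte) 0xEF, (byte) 0xBF, (byte) 0xBD, 0x03, 0x06};

  @TempDir
  Path tempDir;
  private TestStandardHttpClientFactory httpClientFactory;
  private TestStandardHttpClientBuilder httpClientBuilder;
  private PrintStream originalSystemErrStream;
  private ByteArrayOutputStream systemErr;
  private Config originalConfig;
  private Map<String, String> authProviderConfig;

  @DisplayName("With support for token refresh")
  @Nested
  class WithRefreshToken {

    /** Adds a refresh token so the code under test attempts an OIDC refresh instead of returning early. */
    @BeforeEach
    void setUp() {
      authProviderConfig.put("refresh-token", "original-refresh-token");
    }

    @Disabled("This scenario is not implemented")
    @DisplayName("With 404 OpenID Connect Discovery response")
    @Nested
    class WithNotFoundOpenIDConnectDiscovery {

      @BeforeEach
      void setUp() {
        httpClientFactory.expect("/.well-known/openid-configuration", 404, "Not Found /.well-known/openid-configuration");
      }

      @DisplayName("Resolves token from auth provider config (fallback)")
      @Test
      void fallbacksToOriginalToken() throws Exception {
        Assertions.assertThat(resolveToken()).isEqualTo("original-token");
      }
    }

    @DisplayName("With valid OpenID Connect Discovery")
    @Nested
    class WithValidOpenIDConnectDiscovery {

      /**
       * Serves a minimal discovery document. Only {@code token_endpoint} is consumed by the refresh
       * path exercised here; the issuer deliberately differs from {@code idp-issuer-url} and no
       * issuer/endpoint consistency check is asserted by these tests.
       */
      @BeforeEach
      void setUp() {
        httpClientFactory.expect("/.well-known/openid-configuration", 200,
            "{\"issuer\": \"https://auth.example.com\",\"token_endpoint\": \"https://auth.example.com/token\",\"response_types_supported\": [\"code\",\"id_token\"]}");
      }

      @DisplayName("With valid token repsonse and missing kube config, logs warning")
      @Test
      void withValidTokenResponseAndMissingKubeConfig() throws Exception {
        // Persisting the refreshed tokens is best-effort: the new token is still returned
        // when the kubeconfig file has disappeared, and the failure is only logged.
        Files.delete(originalConfig.getFile().toPath());
        httpClientFactory.expect("/token", 200, "{\"id_token\": \"new-token\"}");
        Assertions.assertThat(resolveToken()).isEqualTo("new-token");
        Assertions.assertThat(systemErr.toString())
            .contains("oidc: failure while persisting new tokens into KUBECONFIG");
      }

      @DisplayName("With invalid token response body")
      @Nested
      class WithInvalidTokenResponseBody {
        private String result;

        @BeforeEach
        void setUp() throws Exception {
          httpClientFactory.expect("/token", 200, "Not JSON");
          result = resolveToken();
        }

        @DisplayName("Resolves token from auth provider config (fallback)")
        @Test
        void fallbacksToOriginalToken() {
          Assertions.assertThat(result).isEqualTo("original-token");
        }

        @DisplayName("Logs JSON parsing error")
        @Test
        void logsJsonParsingError() {
          // The Jackson failure is surfaced in the log rather than thrown to the caller.
          Assertions.assertThat(systemErr.toString())
              .contains("Failure in fetching refresh token:")
              .contains("Cannot construct instance of `java.util.LinkedHashMap`");
        }

        @DisplayName("Logs token fallback warning")
        @Test
        void logsTokenFallbackWarning() {
          assertIdTokenFallbackWarningLogged();
        }
      }

      @DisplayName("With 404 token response")
      @Nested
      class WithNotFoundTokenResponse {
        private String result;

        @BeforeEach
        void setUp() throws Exception {
          httpClientFactory.expect("/token", 404, "Not Found /token");
          result = resolveToken();
        }

        @DisplayName("Resolves token from auth provider config (fallback)")
        @Test
        void fallbacksToOriginalToken() {
          Assertions.assertThat(result).isEqualTo("original-token");
        }

        @DisplayName("Logs refresh token response")
        @Test
        void logsRefreshTokenResponse() {
          // The raw error body from the token endpoint is logged verbatim; worth keeping in mind
          // if a real IdP ever echoes request material back in an error response.
          Assertions.assertThat(systemErr.toString()).contains("Response: Not Found /token");
        }

        @DisplayName("Logs token fallback warning")
        @Test
        void logsTokenFallbackWarning() {
          assertIdTokenFallbackWarningLogged();
        }
      }

      @DisplayName("With valid token response")
      @Nested
      class WithValidTokenResponse {
        private String result;

        @BeforeEach
        void setUp() throws Exception {
          httpClientFactory.expect("/token", 200, "{\"id_token\": \"new-token\",\"refresh_token\": \"new-refresh-token\"}");
          result = resolveToken();
        }

        @DisplayName("Resolves token from token endpoint")
        @Test
        void resolvesTokenFromTokenEndpoint() {
          Assertions.assertThat(result).isEqualTo("new-token");
        }

        @DisplayName("Updates current config auth provider config with new token")
        @Test
        void updatesCurrentConfigAuthProviderConfigWithNewToken() {
          // The passed-in Config is mutated in place, not copied.
          Assertions.assertThat(originalConfig)
              .extracting(Config::getAuthProvider)
              .extracting(AuthProviderConfig::getConfig)
              .asInstanceOf(InstanceOfAssertFactories.map(String.class, String.class))
              .containsEntry("id-token", "new-token")
              .containsEntry("refresh-token", "new-refresh-token");
        }

        @DisplayName("Updates current config auth provider config with new token in file")
        @Test
        void updatesCurrentConfigAuthProviderConfigWithNewTokenInFile() throws Exception {
          // Both secrets end up on disk in the kubeconfig; this test checks content only, not
          // the mode of the rewritten file.
          final String kubeConfigYaml = new String(
              Files.readAllBytes(originalConfig.getFile().toPath()), StandardCharsets.UTF_8);
          final io.fabric8.kubernetes.api.model.Config persisted =
              Serialization.unmarshal(kubeConfigYaml, io.fabric8.kubernetes.api.model.Config.class);
          Assertions.assertThat(persisted.getUsers())
              .singleElement()
              .extracting("user.authProvider.config")
              .asInstanceOf(InstanceOfAssertFactories.map(String.class, String.class))
              .containsEntry("id-token", "new-token")
              .containsEntry("refresh-token", "new-refresh-token");
        }

        @DisplayName("Certificate is loaded into HttpClient trust manager")
        @Test
        void certificateIsLoadedIntoHttpClientTrustManager() {
          // Only trust-store population is checked. The fixture cert is valid for ~1 second,
          // so no validity-period check can be happening at load time. Uses the non-deprecated
          // X500Principal accessor (RFC 2253 form yields "CN=...").
          Assertions.assertThat(httpClientBuilder.getTrustManagers())
              .singleElement()
              .asInstanceOf(InstanceOfAssertFactories.type(X509ExtendedTrustManager.class))
              .extracting(X509ExtendedTrustManager::getAcceptedIssuers)
              .asInstanceOf(InstanceOfAssertFactories.array(X509Certificate[].class))
              .extracting(cert -> cert.getSubjectX500Principal().getName())
              .contains("CN=auth.fabric8.example.com");
        }

        @DisplayName("Token refresh request contains valid auth and form data")
        @Test
        void tokenRefreshRequestContainsValidFormData() {
          // NOTE(review): the client credentials are sent twice — as HTTP Basic auth
          // ("id-of-test-client:secret-of-test-client" base64) AND as client_id/client_secret
          // form fields. RFC 6749 §2.3.1 says a client MUST NOT use more than one authentication
          // method per request, and some providers reject such requests. This assertion pins the
          // current behaviour so that any change to it is deliberate.
          Assertions.assertThat(httpClientBuilder.build().getRecordedConsumeBytesDirects())
              .filteredOn(recorded -> recorded.getRequest().uri().getPath().equals("/token"))
              .singleElement()
              .extracting(recorded -> recorded.getRequest())
              .hasFieldOrPropertyWithValue("method", "POST")
              .hasFieldOrPropertyWithValue("contentType", "application/x-www-form-urlencoded")
              .hasFieldOrPropertyWithValue("bodyString", "refresh_token=original-refresh-token&grant_type=refresh_token&client_id=id-of-test-client&client_secret=secret-of-test-client")
              .returns("Basic aWQtb2YtdGVzdC1jbGllbnQ6c2VjcmV0LW9mLXRlc3QtY2xpZW50",
                  request -> request.header("Authorization"));
        }
      }
    }

    @DisplayName("With invalid cert data in original config, throws certificate exception")
    @Test
    void withInvalidCertDataInConfig() {
      // Inline CA data takes precedence over the file, which is cleared here so the bad bytes are what gets parsed.
      originalConfig = new ConfigBuilder(originalConfig)
          .withCaCertData(Base64.getEncoder().encodeToString(INVALID_CERT_BYTES))
          .withCaCertFile((String) null)
          .build();
      Assertions.assertThatThrownBy(this::startTokenResolution)
          .isInstanceOf(RuntimeException.class)
          .hasMessage("Could not import idp certificate")
          .cause()
          .isInstanceOf(CertificateException.class);
    }

    @DisplayName("With invalid cert data in provided auth config, throws certificate exception")
    @Test
    void withInvalidCertDataInAuthProviderConfig() {
      // The auth-provider's own CA entry is parsed with the same strictness as the cluster CA.
      authProviderConfig.put("idp-certificate-authority-data", Base64.getEncoder().encodeToString(INVALID_CERT_BYTES));
      Assertions.assertThatThrownBy(this::startTokenResolution)
          .isInstanceOf(RuntimeException.class)
          .hasMessage("Could not import idp certificate")
          .cause()
          .isInstanceOf(CertificateException.class);
    }

    @DisplayName("With invalid cert file in original config, throws certificate exception")
    @Test
    void withInvalidCertFileInConfig() throws IOException {
      final Path invalidCert = tempDir.resolve("invalid.crt");
      Files.write(invalidCert, INVALID_CERT_BYTES);
      originalConfig = new ConfigBuilder(originalConfig)
          .withCaCertFile(invalidCert.toFile().getAbsolutePath())
          .build();
      Assertions.assertThatThrownBy(this::startTokenResolution)
          .isInstanceOf(RuntimeException.class)
          .hasMessage("Could not import idp certificate")
          .cause()
          .isInstanceOf(CertificateException.class);
    }

    @DisplayName("With missing cert file in original config, throws NPE")
    @Test
    void withMissingCertFileInConfig() {
      // Documents current behaviour only: a CA file path that does not exist surfaces as a bare
      // NullPointerException rather than a descriptive error. A clearer failure would be preferable.
      final Path missingCert = tempDir.resolve("missing.crt");
      originalConfig = new ConfigBuilder(originalConfig)
          .withCaCertFile(missingCert.toFile().getAbsolutePath())
          .build();
      Assertions.assertThatThrownBy(this::startTokenResolution)
          .isInstanceOf(NullPointerException.class);
    }

    /** Invokes the code under test without waiting on the returned future (used where the call itself must throw). */
    private void startTokenResolution() {
      OpenIDConnectionUtils.resolveOIDCTokenFromAuthConfig(originalConfig, authProviderConfig, httpClientBuilder);
    }
  }

  /**
   * Builds the shared fixture: recording HTTP client, captured {@code System.err}, a throwaway
   * self-signed IdP certificate, a kubeconfig on disk pointing at it, and the auth-provider map.
   *
   * @throws Exception from key generation, certificate signing or file I/O
   */
  @BeforeEach
  void setUp() throws Exception {
    // SINGLETON mode: presumably every builder from this factory shares one recording client, so
    // requests made by the code under test can be inspected via httpClientBuilder.build() later.
    httpClientFactory = new TestStandardHttpClientFactory(TestStandardHttpClientFactory.Mode.SINGLETON);
    httpClientBuilder = httpClientFactory.newBuilder();

    originalSystemErrStream = System.err;
    systemErr = new ByteArrayOutputStream();
    System.setErr(new PrintStream(systemErr));

    // Throwaway self-signed certificate for the fake IdP. Its 1-second validity window is
    // irrelevant to these tests, which only check that it lands in the trust store.
    final KeyPair keyPair = KeyPairGenerator.getInstance("RSA").generateKeyPair();
    final Date notBefore = new Date();
    final Date notAfter = new Date(notBefore.getTime() + 1000);
    final X509CertificateHolder idpCert = new JcaX509v3CertificateBuilder(
        new X500Name("o=Fabric8"), BigInteger.ONE, notBefore, notAfter,
        new X500Name("cn=auth.fabric8.example.com"), keyPair.getPublic())
        .build(new JcaContentSignerBuilder("SHA256WithRSA").build(keyPair.getPrivate()));
    // Written as bare base64 DER (no PEM armour); the client's certificate loader evidently accepts this.
    final Path certFile = tempDir.resolve("valid.crt");
    Files.write(certFile, Base64.getEncoder().encode(idpCert.getEncoded()));

    final io.fabric8.kubernetes.api.model.Config kubeConfig = new io.fabric8.kubernetes.api.model.ConfigBuilder()
        .addToClusters(new NamedClusterBuilder()
            .withName("default-cluster")
            .withNewCluster()
            .withServer("https://cluster.example.com")
            .withCertificateAuthority(certFile.toFile().getAbsolutePath())
            .endCluster()
            .build())
        .addToUsers(new NamedAuthInfoBuilder()
            .withName("default-user")
            .withNewUser()
            .withAuthProvider(new AuthProviderConfig())
            .endUser()
            .build())
        .addToContexts(new NamedContextBuilder()
            .withName("default")
            .withNewContext()
            .withCluster("default-cluster")
            .withUser("default-user")
            .endContext()
            .build())
        .withCurrentContext("default")
        .build();
    final Path kubeConfigFile = tempDir.resolve("kube-config");
    Files.write(kubeConfigFile, Serialization.asYaml(kubeConfig).getBytes(StandardCharsets.UTF_8));
    originalConfig = new ConfigBuilder(Config.empty()).withFile(kubeConfigFile.toFile()).build().refresh();

    // Deliberately a mutable map: the code under test writes refreshed tokens back into it.
    authProviderConfig = new HashMap<>();
    authProviderConfig.put("id-token", "original-token");
    authProviderConfig.put("idp-issuer-url", "https://auth.fabric8.example.com");
    authProviderConfig.put("client-id", "id-of-test-client");
    authProviderConfig.put("client-secret", "secret-of-test-client");
  }

  /** Restores {@code System.err} so log capture does not leak into other test classes. */
  @AfterEach
  void tearDown() {
    System.setErr(originalSystemErrStream);
  }

  @DisplayName("Unsupported token refresh, resolves token from auth provider config")
  @Test
  void withUnsupportedTokenRefresh() throws Exception {
    // No refresh-token in the auth-provider map: the existing id-token is returned as-is.
    Assertions.assertThat(resolveToken()).isEqualTo("original-token");
  }

  /**
   * Runs the code under test against the current fixture and waits (bounded) for the result.
   *
   * @return the resolved id-token
   * @throws Exception if the future fails, is interrupted or does not complete within 10 seconds
   */
  private String resolveToken() throws Exception {
    return OpenIDConnectionUtils
        .resolveOIDCTokenFromAuthConfig(originalConfig, authProviderConfig, httpClientBuilder)
        .get(10L, TimeUnit.SECONDS);
  }

  /** Asserts the warning emitted when a token response carries no {@code id_token}. */
  private void assertIdTokenFallbackWarningLogged() {
    Assertions.assertThat(systemErr.toString())
        .contains("token response did not contain an id_token, either the scope \\\"openid\\\" wasn't requested upon login, or the provider doesn't support id_tokens as part of the refresh response.");
  }
}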
