package org.apache.pulsar.broker.auth;

import com.github.tomakehurst.wiremock.WireMockServer;
import com.github.tomakehurst.wiremock.client.WireMock;
import com.github.tomakehurst.wiremock.common.FileSource;
import com.github.tomakehurst.wiremock.core.WireMockConfiguration;
import com.github.tomakehurst.wiremock.extension.Extension;
import com.github.tomakehurst.wiremock.extension.Parameters;
import com.github.tomakehurst.wiremock.extension.ResponseTransformer;
import com.github.tomakehurst.wiremock.http.Request;
import com.github.tomakehurst.wiremock.http.Response;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.impl.DefaultJwtBuilder;
import io.jsonwebtoken.security.Keys;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Base64;
import java.util.Date;
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/* loaded from: input_file:org/apache/pulsar/broker/auth/MockOIDCIdentityProvider.class */
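/**
 * In-process mock of an OIDC identity provider, backed by a WireMock server.
 *
 * <p>It serves two endpoints: the discovery document at
 * {@code /.well-known/openid-configuration} and a client-credentials token endpoint at
 * {@code /oauth/token}. Tokens are JWTs signed with an RSA key pair generated per instance;
 * the matching public key is available through {@link #getBase64EncodedPublicKey()}.
 *
 * <p>The token endpoint checks only a single shared client secret and issues a token for
 * whatever {@code client_id} the caller supplies, so any holder of the secret can obtain a token
 * for any subject. That is acceptable for a mock and must not be mistaken for real IdP behavior.
 */
public class MockOIDCIdentityProvider {
    private final WireMockServer server;
    private final PublicKey publicKey;
    private final String audience;

    /**
     * WireMock response transformer that turns a matched token request into a signed JWT response.
     * It is a non-static inner class because it reads the enclosing provider's server base URL
     * (issuer) and audience when a token is generated.
     */
    class OAuth2Transformer extends ResponseTransformer {
        private final PrivateKey privateKey;
        /** Token lifetime in milliseconds. */
        private final long tokenTTL;
        // The captured client_id becomes the token subject. The character class is restrictive,
        // but '*' also accepts an empty client_id, which yields a token with an empty subject.
        private final Pattern clientIdToRolePattern = Pattern.compile("client_id=([A-Za-z0-9-]*)(&|$)");

        OAuth2Transformer(KeyPair keyPair, long tokenTTL) {
            this.privateKey = keyPair.getPrivate();
            this.tokenTTL = tokenTTL;
        }

        /**
         * Builds the token response for a request that already matched the token stub.
         *
         * @return a 400 "Invalid request" response when no usable {@code client_id} is found in the
         *     body, otherwise a JSON body carrying the signed access token and its lifetime in seconds
         */
        @Override
        public Response transform(Request request, Response response, FileSource fileSource, Parameters parameters) {
            Matcher matcher = this.clientIdToRolePattern.matcher(request.getBodyAsString());
            if (!matcher.find()) {
                return Response.Builder.like(response).but().body("Invalid request").status(400).build();
            }
            String accessToken = generateToken(matcher.group(1));
            long expiresInSeconds = TimeUnit.MILLISECONDS.toSeconds(this.tokenTTL);
            String body = "{\n  \"access_token\": \"%s\",\n  \"expires_in\": %d,\n  \"token_type\":\"Bearer\"\n}\n"
                    .formatted(accessToken, expiresInSeconds);
            return Response.Builder.like(response).but().body(body).build();
        }

        @Override
        public String getName() {
            return "o-auth-token-transformer";
        }

        /** Returns false: the transformer runs only for stubs that name it explicitly. */
        @Override
        public boolean applyGlobally() {
            return false;
        }

        /**
         * Creates a compact JWT for the given subject, signed with this provider's private key.
         * Issuer is the mock server's base URL and audience is the provider's configured audience;
         * {@code iat} and {@code nbf} are the current time and {@code exp} is now plus the TTL.
         */
        private String generateToken(String subject) {
            long now = System.currentTimeMillis();
            DefaultJwtBuilder builder = new DefaultJwtBuilder();
            builder.setHeaderParam("typ", "JWT");
            builder.setHeaderParam("alg", "RS256");
            builder.setIssuer(MockOIDCIdentityProvider.this.server.baseUrl());
            builder.setSubject(subject);
            builder.setAudience(MockOIDCIdentityProvider.this.audience);
            builder.setIssuedAt(new Date(now));
            builder.setNotBefore(new Date(now));
            builder.setExpiration(new Date(now + this.tokenTTL));
            builder.signWith(this.privateKey);
            return builder.compact();
        }
    }

    /**
     * Starts the mock provider on a port chosen at startup and registers its stubs.
     *
     * @param clientSecret the only client secret the token endpoint accepts
     * @param audience the audience the token request must carry; also written into issued tokens
     * @param tokenTTLMillis lifetime of issued tokens, in milliseconds
     * @throws NullPointerException if {@code clientSecret} or {@code audience} is null
     */
    public MockOIDCIdentityProvider(String clientSecret, String audience, long tokenTTLMillis) {
        this.audience = audience;
        KeyPair keyPair = Keys.keyPairFor(SignatureAlgorithm.RS256);
        this.publicKey = keyPair.getPublic();
        this.server = new WireMockServer(WireMockConfiguration.wireMockConfig()
                .port(0)
                .extensions(new OAuth2Transformer(keyPair, tokenTTLMillis)));
        this.server.start();

        String baseUrl = this.server.baseUrl();
        this.server.stubFor(WireMock.get(WireMock.urlEqualTo("/.well-known/openid-configuration"))
                .willReturn(WireMock.aResponse()
                        .withHeader("Content-Type", "application/json")
                        .withBody("{\n  \"issuer\": \"%s\",\n  \"token_endpoint\": \"%s/oauth/token\"\n}\n"
                                .replace("%s", baseUrl))));

        // Both values are spliced into regular expressions, so they are quoted: otherwise a '.',
        // '*' or '+' in the audience or secret is read as a regex operator and the stub either
        // rejects the correct value or accepts values that merely resemble it.
        String audiencePattern = Pattern.quote(URLEncoder.encode(audience, StandardCharsets.UTF_8));
        // NOTE(review): the secret is matched exactly as passed in, not form-encoded; confirm that
        // callers only use secrets that need no URL encoding.
        String secretPattern = Pattern.quote(clientSecret);

        this.server.stubFor(WireMock.post(WireMock.urlEqualTo("/oauth/token"))
                .withRequestBody(WireMock.matching(".*grant_type=client_credentials.*"))
                // Require the value to end at '&' or end of body so "audience=<value>extra" is rejected,
                // the same way the client_secret matcher below already does.
                .withRequestBody(WireMock.matching(".*audience=" + audiencePattern + "(&.*|$)"))
                .withRequestBody(WireMock.matching(".*client_id=.*"))
                .withRequestBody(WireMock.matching(".*client_secret=" + secretPattern + "(&.*|$)"))
                .willReturn(WireMock.aResponse()
                        .withTransformers("o-auth-token-transformer")
                        .withStatus(200)));
    }

    /** Stops the underlying WireMock server. */
    public void stop() {
        this.server.stop();
    }

    /** Returns the Base64 (standard alphabet) encoding of the signing public key's encoded form. */
    public String getBase64EncodedPublicKey() {
        return Base64.getEncoder().encodeToString(this.publicKey.getEncoded());
    }

    /** Returns the issuer placed in tokens and in the discovery document: the server's base URL. */
    public String getIssuer() {
        return this.server.baseUrl();
    }
}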
