package org.openmetadata.service.security;

import com.auth0.jwk.Jwk;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import java.net.URI;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Date;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.core.MultivaluedHashMap;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.core.UriInfo;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;
import org.mockito.ArgumentCaptor;
import org.mockito.Mockito;

/* loaded from: input_file:org/openmetadata/service/security/JwtFilterTest.class */
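/**
 * Unit tests for {@link JwtFilter}: each case builds a mocked JAX-RS request carrying a bearer
 * token and checks either the principal name placed in the {@link SecurityContext} or the
 * {@link AuthenticationException} raised for a rejected token.
 *
 * <p>Tokens are signed with a throw-away RSA key pair generated once per class; the mocked
 * {@link JwkProvider} hands the matching public key back to the filter.
 *
 * <p>NOTE(review): the negative cases cover a missing header, a malformed token, an expired
 * token, a token without a mapped claim, a signature from a foreign key and a principal-domain
 * mismatch. No case covers a token with an unexpected {@code alg} header, a token without
 * {@code exp}, or a key id the provider does not know; consider adding rejection tests for those.
 */
class JwtFilterTest {
    /**
     * RSA modulus size for the test key pair. Deliberately tiny so key generation stays fast;
     * far below any size acceptable for a real signing key, so never copy it outside tests.
     */
    private static final int TEST_RSA_KEY_BITS = 512;

    private static final String PRINCIPAL_DOMAIN = "openmetadata.org";

    /** Shared filter built without principal-domain enforcement; tests must not reassign it. */
    private static JwtFilter jwtFilter;
    private static JwkProvider jwkProvider;
    private static Algorithm algorithm;
    private static UriInfo mockRequestURIInfo;

    /**
     * Generates the signing key pair, wires the mocked JWK provider and request URI, and builds
     * the shared non-enforcing filter.
     *
     * @throws Exception if the RSA generator is unavailable or stubbing the provider fails
     */
    @BeforeAll
    static void before() throws Exception {
        KeyPair keyPair = newTestKeyPair();
        algorithm = Algorithm.RSA256((RSAPublicKey) keyPair.getPublic(), (RSAPrivateKey) keyPair.getPrivate());

        Jwk jwk = Mockito.mock(Jwk.class);
        Mockito.when(jwk.getPublicKey()).thenReturn(keyPair.getPublic());
        jwkProvider = Mockito.mock(JwkProvider.class);
        // NOTE(review): the algorithm is built from raw keys, so getSigningKeyId() is presumably
        // null and this stub answers lookups for tokens that carry no "kid" header; confirm.
        Mockito.when(jwkProvider.get(algorithm.getSigningKeyId())).thenReturn(jwk);

        URI requestUri = URI.create("POST:http://localhost:8080/login");
        mockRequestURIInfo = Mockito.mock(UriInfo.class);
        Mockito.when(mockRequestURIInfo.getPath()).thenReturn("/login");
        Mockito.when(mockRequestURIInfo.getRequestUri()).thenReturn(requestUri);

        jwtFilter = new JwtFilter(jwkProvider, List.of("sub", "email"), PRINCIPAL_DOMAIN, false);
    }

    /**
     * With domain enforcement switched on, an e-mail in the principal domain is accepted and an
     * e-mail from another domain is rejected.
     */
    @Test
    void testPrincipalDomainEnforcement() {
        // A local filter is used on purpose: overwriting the shared static field would leave
        // enforcement switched on for whichever tests run afterwards (testFilterWithEmailClaim
        // relies on it being off), making the suite depend on execution order.
        // The mapping is spelled "EMAIL" while the token claim is "email"; presumably this
        // exercises case-insensitive claim lookup; confirm against JwtFilter.
        JwtFilter enforcingFilter = new JwtFilter(jwkProvider, List.of("EMAIL", "sub"), PRINCIPAL_DOMAIN, true);

        ContainerRequestContext inDomain =
                createRequestContextWithJwt(signedToken("email", "sam@openmetadata.org", 1L, algorithm));
        Assertions.assertEquals("sam", principalNameSetBy(enforcingFilter, inDomain));

        ContainerRequestContext outOfDomain =
                createRequestContextWithJwt(signedToken("email", "sam@gmail.com", 1L, algorithm));
        assertRejected(enforcingFilter, outOfDomain, "email does not match the principal domain");
    }

    /** A valid token with a {@code sub} claim yields that value as the principal name. */
    @Test
    void testSuccessfulFilter() {
        ContainerRequestContext request = createRequestContextWithJwt(signedToken("sub", "sam", 1L, algorithm));
        Assertions.assertEquals("sam", principalNameSetBy(jwtFilter, request));
    }

    /**
     * A valid token with only an {@code email} claim yields the local part as the principal name.
     *
     * <p>Security-relevant: with enforcement off, {@code sam@gmail.com} resolves to the same
     * principal name ("sam") that {@code sam@openmetadata.org} produces in
     * {@link #testPrincipalDomainEnforcement()}, so the domain part plays no role in identity.
     */
    @Test
    void testFilterWithEmailClaim() {
        ContainerRequestContext request =
                createRequestContextWithJwt(signedToken("email", "sam@gmail.com", 1L, algorithm));
        Assertions.assertEquals("sam", principalNameSetBy(jwtFilter, request));
    }

    /** A request without an {@code Authorization} header is rejected. */
    @Test
    void testMissingToken() {
        MultivaluedHashMap<String, String> noHeaders = new MultivaluedHashMap<>();
        ContainerRequestContext request = Mockito.mock(ContainerRequestContext.class);
        Mockito.when(request.getUriInfo()).thenReturn(mockRequestURIInfo);
        Mockito.when(request.getHeaders()).thenReturn(noHeaders);
        assertRejected(jwtFilter, request, "token not present");
    }

    /** A bearer value that is not a JWT at all is rejected. */
    @Test
    void testInvalidToken() {
        assertRejected(jwtFilter, createRequestContextWithJwt("invalid-token"), "invalid token");
    }

    /** A correctly signed token whose expiry lies one day in the past is rejected. */
    @Test
    void testExpiredToken() {
        ContainerRequestContext request = createRequestContextWithJwt(signedToken("sub", "sam", -1L, algorithm));
        assertRejected(jwtFilter, request, "expired");
    }

    /** A token carrying none of the mapped claims ({@code sub}, {@code email}) is rejected. */
    @Test
    void testNoClaimsInToken() {
        ContainerRequestContext request =
                createRequestContextWithJwt(signedToken("emailAddress", "sam@gmail.com", 1L, algorithm));
        assertRejected(jwtFilter, request, "claim");
    }

    /**
     * A token signed with a key pair other than the one the JWK provider serves is rejected.
     *
     * @throws NoSuchAlgorithmException if the RSA generator is unavailable
     */
    @Test
    void testInvalidSignatureJwt() throws NoSuchAlgorithmException {
        KeyPair foreignKeyPair = newTestKeyPair();
        Algorithm foreignSigner =
                Algorithm.RSA256((RSAPublicKey) foreignKeyPair.getPublic(), (RSAPrivateKey) foreignKeyPair.getPrivate());
        ContainerRequestContext request = createRequestContextWithJwt(signedToken("sub", "sam", 1L, foreignSigner));
        assertRejected(jwtFilter, request, "invalid token");
    }

    /** Generates a fresh throw-away RSA key pair of {@link #TEST_RSA_KEY_BITS} bits. */
    private static KeyPair newTestKeyPair() throws NoSuchAlgorithmException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(TEST_RSA_KEY_BITS);
        return generator.generateKeyPair();
    }

    /**
     * Builds a signed JWT with a single string claim.
     *
     * @param claimName name of the claim to set
     * @param claimValue value of the claim
     * @param daysUntilExpiry offset of {@code exp} from now in days; negative for an expired token
     * @param signer algorithm (and key) used to sign the token
     */
    private static String signedToken(String claimName, String claimValue, long daysUntilExpiry, Algorithm signer) {
        Date expiresAt = Date.from(Instant.now().plus(daysUntilExpiry, ChronoUnit.DAYS));
        return JWT.create().withExpiresAt(expiresAt).withClaim(claimName, claimValue).sign(signer);
    }

    /**
     * Runs the filter, checks that it installed exactly one security context on the request, and
     * returns the name of the principal in that context.
     */
    private static String principalNameSetBy(JwtFilter filter, ContainerRequestContext request) {
        filter.filter(request);
        ArgumentCaptor<SecurityContext> installed = ArgumentCaptor.forClass(SecurityContext.class);
        Mockito.verify(request, Mockito.times(1)).setSecurityContext(installed.capture());
        return installed.getValue().getUserPrincipal().getName();
    }

    /**
     * Asserts that the filter rejects the request with an {@link AuthenticationException} whose
     * message contains {@code expectedFragment} (compared in lower case).
     */
    private static void assertRejected(JwtFilter filter, ContainerRequestContext request, String expectedFragment) {
        Exception rejection = Assertions.assertThrows(AuthenticationException.class, () -> filter.filter(request));
        String message = rejection.getMessage().toLowerCase(Locale.ROOT);
        Assertions.assertTrue(message.contains(expectedFragment), "unexpected rejection message: " + message);
    }

    /**
     * Creates a mocked request for the shared login URI whose only header is
     * {@code Authorization: Bearer <jwt>}.
     */
    private static ContainerRequestContext createRequestContextWithJwt(String str) {
        MultivaluedHashMap<String, String> headers =
                new MultivaluedHashMap<>(Map.of("Authorization", String.format("%s %s", "Bearer", str)));
        ContainerRequestContext request = Mockito.mock(ContainerRequestContext.class);
        Mockito.when(request.getUriInfo()).thenReturn(mockRequestURIInfo);
        Mockito.when(request.getHeaders()).thenReturn(headers);
        return request;
    }
}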
