package org.apache.kafka.common.security.scram.internals;

import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import javax.security.sasl.SaslException;
import org.apache.kafka.common.errors.SaslAuthenticationException;
import org.apache.kafka.common.security.authenticator.CredentialCache;
import org.apache.kafka.common.security.scram.ScramCredential;
import org.apache.kafka.common.security.scram.internals.ScramMessages;
import org.apache.kafka.common.security.token.delegation.internals.DelegationTokenCache;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.mockito.Mockito;

/* loaded from: input_file:org/apache/kafka/common/security/scram/internals/ScramSaslServerTest.class */
public class ScramSaslServerTest {
    private static final String USER_A = "userA";
    private static final String USER_B = "userB";
    private ScramFormatter formatter;
    private ScramSaslServer saslServer;

    @BeforeEach
    public void setUp() throws Exception {
        ScramMechanism scramMechanism = ScramMechanism.SCRAM_SHA_256;
        this.formatter = new ScramFormatter(scramMechanism);
        CredentialCache.Cache createCache = new CredentialCache().createCache(scramMechanism.mechanismName(), ScramCredential.class);
        createCache.put(USER_A, this.formatter.generateCredential("passwordA", 4096));
        createCache.put(USER_B, this.formatter.generateCredential("passwordB", 4096));
        this.saslServer = new ScramSaslServer(scramMechanism, new HashMap(), new ScramServerCallbackHandler(createCache, new DelegationTokenCache(ScramMechanism.mechanismNames())));
    }

    @Test
    public void noAuthorizationIdSpecified() throws Exception {
        Assertions.assertTrue(this.saslServer.evaluateResponse(clientFirstMessage(USER_A, null)).length > 0, "Next challenge is empty");
    }

    @Test
    public void authorizationIdEqualsAuthenticationId() throws Exception {
        Assertions.assertTrue(this.saslServer.evaluateResponse(clientFirstMessage(USER_A, USER_A)).length > 0, "Next challenge is empty");
    }

    @Test
    public void authorizationIdNotEqualsAuthenticationId() {
        Assertions.assertThrows(SaslAuthenticationException.class, () -> {
            this.saslServer.evaluateResponse(clientFirstMessage(USER_A, USER_B));
        });
    }

    @Test
    public void validateNonceExchange() throws SaslException {
        ScramSaslServer scramSaslServer = (ScramSaslServer) Mockito.spy(this.saslServer);
        byte[] clientFirstMessage = clientFirstMessage(USER_A, USER_A);
        ScramMessages.ClientFirstMessage clientFirstMessage2 = new ScramMessages.ClientFirstMessage(clientFirstMessage);
        ScramMessages.ServerFirstMessage serverFirstMessage = new ScramMessages.ServerFirstMessage(scramSaslServer.evaluateResponse(clientFirstMessage));
        Assertions.assertTrue(serverFirstMessage.nonce().startsWith(clientFirstMessage2.nonce()), "Nonce in server message should start with client first message's nonce");
        byte[] clientFinalMessage = clientFinalMessage(serverFirstMessage.nonce());
        ((ScramSaslServer) Mockito.doNothing().when(scramSaslServer)).verifyClientProof((ScramMessages.ClientFinalMessage) Mockito.any(ScramMessages.ClientFinalMessage.class));
        Assertions.assertNull(new ScramMessages.ServerFinalMessage(scramSaslServer.evaluateResponse(clientFinalMessage)).error(), "Server final message should not contain error");
    }

    @Test
    public void validateFailedNonceExchange() throws SaslException {
        ScramSaslServer scramSaslServer = (ScramSaslServer) Mockito.spy(this.saslServer);
        byte[] clientFirstMessage = clientFirstMessage(USER_A, USER_A);
        Assertions.assertTrue(new ScramMessages.ServerFirstMessage(scramSaslServer.evaluateResponse(clientFirstMessage)).nonce().startsWith(new ScramMessages.ClientFirstMessage(clientFirstMessage).nonce()), "Nonce in server message should start with client first message's nonce");
        byte[] clientFinalMessage = clientFinalMessage(this.formatter.secureRandomString());
        ((ScramSaslServer) Mockito.doNothing().when(scramSaslServer)).verifyClientProof((ScramMessages.ClientFinalMessage) Mockito.any(ScramMessages.ClientFinalMessage.class));
        SaslException assertThrows = Assertions.assertThrows(SaslException.class, () -> {
            scramSaslServer.evaluateResponse(clientFinalMessage);
        });
        Assertions.assertEquals("Invalid client nonce in the final client message.", assertThrows.getMessage(), "Failure message: " + assertThrows.getMessage());
    }

    private byte[] clientFirstMessage(String str, String str2) {
        return String.format("n,%s,n=%s,r=%s", str2 != null ? "a=" + str2 : "", str, this.formatter.secureRandomString()).getBytes(StandardCharsets.UTF_8);
    }

    private byte[] clientFinalMessage(String str) {
        return String.format("c=%s,r=%s,p=%s", randomBytesAsString(), str, randomBytesAsString()).getBytes(StandardCharsets.UTF_8);
    }

    private String randomBytesAsString() {
        return Base64.getEncoder().encodeToString(this.formatter.secureRandomBytes());
    }
}
