package com.floragunn.dlic.auth.http.jwt;

import com.floragunn.codova.documents.DocWriter;
import com.floragunn.dlic.auth.http.jwt.keybyoidc.TestJwts;
import com.floragunn.searchguard.user.AuthCredentials;
import com.floragunn.searchguard.util.FakeRestRequest;
import com.google.common.collect.ImmutableMap;
import com.google.common.io.BaseEncoding;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.io.SerializationException;
import io.jsonwebtoken.io.Serializer;
import io.jsonwebtoken.security.Keys;
import java.nio.file.Path;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.hamcrest.CoreMatchers;
import org.hamcrest.core.Is;
import org.junit.Assert;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;

/* loaded from: input_file:com/floragunn/dlic/auth/http/jwt/HTTPJwtAuthenticatorTest.class */
public class HTTPJwtAuthenticatorTest {
    // 1024-byte buffer used in two roles by the tests in this class: as the HMAC key that
    // signs test tokens (via Keys.hmacShaKeyFor) and, base64-encoded, as the authenticator's
    // "signing_key" setting.
    // NOTE(review): as declared here the array holds only zero bytes; SecureRandom is imported,
    // so a static initializer outside this excerpt presumably fills it - confirm.
    static final byte[] secretKey = new byte[1024];

    // JUnit rule used by the configuration tests to expect an exception from the constructor.
    @Rule
    public ExpectedException thrown = ExpectedException.none();
    // JSON serializer handed to every Jwts.builder() call. Blank final: it has to be assigned
    // in a static initializer, which is not visible in this excerpt.
    private static final Serializer<Map<String, ?>> jwtSerializer;

    /**
     * With no {@code signing_key} in the settings, a well-formed HS512 bearer token is
     * expected to produce no credentials ({@code extractCredentials} returns null).
     */
    @Test
    public void testNoKey() throws Exception {
        Settings settings = Settings.builder().build();
        String token = Jwts.builder()
                .serializeToJsonWith(jwtSerializer)
                .setSubject(TestJwts.MCCOY_SUBJECT)
                .signWith(Keys.hmacShaKeyFor(secretKey), SignatureAlgorithm.HS512)
                .compact();
        HTTPJwtAuthenticator authenticator = new HTTPJwtAuthenticator(settings, (Path) null);

        HashMap headers = new HashMap();
        headers.put("Authorization", "Bearer " + token);
        AuthCredentials credentials =
                authenticator.extractCredentials(new FakeRestRequest(headers, new HashMap()), (ThreadContext) null);

        // Nothing to verify the signature against: the request has to stay unauthenticated.
        Assert.assertNull(credentials);
    }

    /**
     * An empty {@code signing_key} is expected to behave like a missing one: the signed
     * bearer token yields no credentials.
     */
    @Test
    public void testEmptyKey() throws Exception {
        Settings settings = Settings.builder()
                .put("signing_key", "")
                .build();
        String token = Jwts.builder()
                .serializeToJsonWith(jwtSerializer)
                .setSubject(TestJwts.MCCOY_SUBJECT)
                .signWith(Keys.hmacShaKeyFor(secretKey), SignatureAlgorithm.HS512)
                .compact();
        HTTPJwtAuthenticator authenticator = new HTTPJwtAuthenticator(settings, (Path) null);

        HashMap headers = new HashMap();
        headers.put("Authorization", "Bearer " + token);
        AuthCredentials credentials =
                authenticator.extractCredentials(new FakeRestRequest(headers, new HashMap()), (ThreadContext) null);

        Assert.assertNull(credentials);
    }

    /**
     * The authenticator is configured with a 10-byte key that differs from the key the
     * token was signed with; the token is expected to be rejected (null credentials).
     */
    @Test
    public void testBadKey() throws Exception {
        // Verification key that does not match secretKey, the key used for signing below.
        byte[] mismatchedKey = new byte[]{1, 3, 3, 4, 3, 6, 7, 8, 3, 10};
        Settings settings = Settings.builder()
                .put("signing_key", BaseEncoding.base64().encode(mismatchedKey))
                .build();
        String token = Jwts.builder()
                .serializeToJsonWith(jwtSerializer)
                .setSubject(TestJwts.MCCOY_SUBJECT)
                .signWith(Keys.hmacShaKeyFor(secretKey), SignatureAlgorithm.HS512)
                .compact();
        HTTPJwtAuthenticator authenticator = new HTTPJwtAuthenticator(settings, (Path) null);

        HashMap headers = new HashMap();
        headers.put("Authorization", "Bearer " + token);
        AuthCredentials credentials =
                authenticator.extractCredentials(new FakeRestRequest(headers, new HashMap()), (ThreadContext) null);

        Assert.assertNull(credentials);
    }

    /**
     * A request that carries no headers and no parameters, and therefore no token, is
     * expected to yield no credentials even though a valid signing key is configured.
     */
    @Test
    public void testTokenMissing() throws Exception {
        Settings settings = Settings.builder()
                .put("signing_key", BaseEncoding.base64().encode(secretKey))
                .build();
        HTTPJwtAuthenticator authenticator = new HTTPJwtAuthenticator(settings, (Path) null);

        FakeRestRequest emptyRequest = new FakeRestRequest(new HashMap(), new HashMap());
        AuthCredentials credentials = authenticator.extractCredentials(emptyRequest, (ThreadContext) null);

        Assert.assertNull(credentials);
    }

    /**
     * A bearer value that is not a parseable JWT is expected to yield no credentials
     * rather than an exception.
     */
    @Test
    public void testInvalid() throws Exception {
        Settings settings = Settings.builder()
                .put("signing_key", BaseEncoding.base64().encode(secretKey))
                .build();
        HTTPJwtAuthenticator authenticator = new HTTPJwtAuthenticator(settings, (Path) null);

        String malformedToken = "123invalidtoken..";
        HashMap headers = new HashMap();
        headers.put("Authorization", "Bearer " + malformedToken);
        AuthCredentials credentials =
                authenticator.extractCredentials(new FakeRestRequest(headers, new HashMap()), (ThreadContext) null);

        Assert.assertNull(credentials);
    }

    /**
     * Happy path: an HS512 token sent as {@code Authorization: Bearer <token>} and signed
     * with the configured key yields credentials for the token subject, with no backend
     * roles and two attributes.
     */
    @Test
    public void testBearer() throws Exception {
        Settings settings = Settings.builder()
                .put("signing_key", BaseEncoding.base64().encode(secretKey))
                .build();
        String token = Jwts.builder()
                .serializeToJsonWith(jwtSerializer)
                .setSubject(TestJwts.MCCOY_SUBJECT)
                .setAudience("myaud")
                .signWith(Keys.hmacShaKeyFor(secretKey), SignatureAlgorithm.HS512)
                .compact();
        HTTPJwtAuthenticator authenticator = new HTTPJwtAuthenticator(settings, (Path) null);

        HashMap headers = new HashMap();
        headers.put("Authorization", "Bearer " + token);
        AuthCredentials credentials =
                authenticator.extractCredentials(new FakeRestRequest(headers, new HashMap()), (ThreadContext) null);

        Assert.assertNotNull(credentials);
        Assert.assertEquals(TestJwts.MCCOY_SUBJECT, credentials.getUsername());
        // No roles_key is configured, so no backend roles are expected.
        Assert.assertEquals(0, credentials.getBackendRoles().size());
        // Only the attribute count is pinned here, not the attribute names or values.
        Assert.assertEquals(2, credentials.getAttributes().size());
    }

    /**
     * The header value has the token first and the text {@code "Bearer  123"} appended
     * to it; such a malformed Authorization value is expected to yield no credentials.
     */
    @Test
    public void testBearerWrongPosition() throws Exception {
        Settings settings = Settings.builder()
                .put("signing_key", BaseEncoding.base64().encode(secretKey))
                .build();
        String token = Jwts.builder()
                .serializeToJsonWith(jwtSerializer)
                .setSubject(TestJwts.MCCOY_SUBJECT)
                .signWith(Keys.hmacShaKeyFor(secretKey), SignatureAlgorithm.HS512)
                .compact();
        HTTPJwtAuthenticator authenticator = new HTTPJwtAuthenticator(settings, (Path) null);

        // Scheme keyword placed after the token instead of before it.
        String headerValue = token + "Bearer  123";
        HashMap headers = new HashMap();
        headers.put("Authorization", headerValue);
        AuthCredentials credentials =
                authenticator.extractCredentials(new FakeRestRequest(headers, new HashMap()), (ThreadContext) null);

        Assert.assertNull(credentials);
    }

    /**
     * The Authorization header holds the bare compact token with no {@code Bearer}
     * scheme. The test pins that the authenticator still accepts it and returns the
     * token subject with no backend roles.
     */
    @Test
    public void testNonBearer() throws Exception {
        Settings settings = Settings.builder()
                .put("signing_key", BaseEncoding.base64().encode(secretKey))
                .build();
        String token = Jwts.builder()
                .serializeToJsonWith(jwtSerializer)
                .setSubject(TestJwts.MCCOY_SUBJECT)
                .signWith(Keys.hmacShaKeyFor(secretKey), SignatureAlgorithm.HS512)
                .compact();
        HTTPJwtAuthenticator authenticator = new HTTPJwtAuthenticator(settings, (Path) null);

        HashMap headers = new HashMap();
        headers.put("Authorization", token);
        AuthCredentials credentials =
                authenticator.extractCredentials(new FakeRestRequest(headers, new HashMap()), (ThreadContext) null);

        Assert.assertNotNull(credentials);
        Assert.assertEquals(TestJwts.MCCOY_SUBJECT, credentials.getUsername());
        Assert.assertEquals(0, credentials.getBackendRoles().size());
    }

    /**
     * With {@code roles_key} configured, a comma-separated string claim
     * ({@code "role1,role2"}) is expected to become two backend roles.
     */
    @Test
    public void testRoles() throws Exception {
        Settings settings = Settings.builder()
                .put("signing_key", BaseEncoding.base64().encode(secretKey))
                .put("roles_key", TestJwts.ROLES_CLAIM)
                .build();
        String token = Jwts.builder()
                .serializeToJsonWith(jwtSerializer)
                .setSubject(TestJwts.MCCOY_SUBJECT)
                .claim(TestJwts.ROLES_CLAIM, "role1,role2")
                .signWith(Keys.hmacShaKeyFor(secretKey), SignatureAlgorithm.HS512)
                .compact();
        HTTPJwtAuthenticator authenticator = new HTTPJwtAuthenticator(settings, (Path) null);

        HashMap headers = new HashMap();
        headers.put("Authorization", token);
        AuthCredentials credentials =
                authenticator.extractCredentials(new FakeRestRequest(headers, new HashMap()), (ThreadContext) null);

        Assert.assertNotNull(credentials);
        Assert.assertEquals(TestJwts.MCCOY_SUBJECT, credentials.getUsername());
        Assert.assertEquals(2, credentials.getBackendRoles().size());
    }

    /**
     * Exercises the map-based {@code extractCredentials} overload: the token is passed
     * under the key {@code "jwt"} instead of inside a REST request, and is expected to
     * yield the subject and two backend roles.
     */
    @Test
    public void testApi() throws Exception {
        Settings settings = Settings.builder()
                .put("signing_key", BaseEncoding.base64().encode(secretKey))
                .put("roles_key", TestJwts.ROLES_CLAIM)
                .build();
        HTTPJwtAuthenticator authenticator = new HTTPJwtAuthenticator(settings, (Path) null);
        String token = Jwts.builder()
                .serializeToJsonWith(jwtSerializer)
                .setSubject(TestJwts.MCCOY_SUBJECT)
                .claim(TestJwts.ROLES_CLAIM, "role1,role2")
                .signWith(Keys.hmacShaKeyFor(secretKey), SignatureAlgorithm.HS512)
                .compact();

        AuthCredentials credentials = authenticator.extractCredentials(ImmutableMap.of("jwt", token));

        Assert.assertNotNull(credentials);
        Assert.assertEquals(TestJwts.MCCOY_SUBJECT, credentials.getUsername());
        Assert.assertEquals(2, credentials.getBackendRoles().size());
    }

    /**
     * The roles claim is set to {@code null} when the token is built; authentication is
     * still expected to succeed, with an empty set of backend roles.
     */
    @Test
    public void testNullClaim() throws Exception {
        Settings settings = Settings.builder()
                .put("signing_key", BaseEncoding.base64().encode(secretKey))
                .put("roles_key", TestJwts.ROLES_CLAIM)
                .build();
        String token = Jwts.builder()
                .serializeToJsonWith(jwtSerializer)
                .setSubject(TestJwts.MCCOY_SUBJECT)
                .claim(TestJwts.ROLES_CLAIM, (Object) null)
                .signWith(Keys.hmacShaKeyFor(secretKey), SignatureAlgorithm.HS512)
                .compact();
        HTTPJwtAuthenticator authenticator = new HTTPJwtAuthenticator(settings, (Path) null);

        HashMap headers = new HashMap();
        headers.put("Authorization", token);
        AuthCredentials credentials =
                authenticator.extractCredentials(new FakeRestRequest(headers, new HashMap()), (ThreadContext) null);

        Assert.assertNotNull(credentials);
        Assert.assertEquals(TestJwts.MCCOY_SUBJECT, credentials.getUsername());
        Assert.assertEquals(0, credentials.getBackendRoles().size());
    }

    /**
     * A numeric roles claim ({@code 123L}) is expected to be converted to its string
     * form and surface as the single backend role {@code "123"}.
     */
    @Test
    public void testNonStringClaim() throws Exception {
        Settings settings = Settings.builder()
                .put("signing_key", BaseEncoding.base64().encode(secretKey))
                .put("roles_key", TestJwts.ROLES_CLAIM)
                .build();
        String token = Jwts.builder()
                .serializeToJsonWith(jwtSerializer)
                .setSubject(TestJwts.MCCOY_SUBJECT)
                .claim(TestJwts.ROLES_CLAIM, 123L)
                .signWith(Keys.hmacShaKeyFor(secretKey), SignatureAlgorithm.HS512)
                .compact();
        HTTPJwtAuthenticator authenticator = new HTTPJwtAuthenticator(settings, (Path) null);

        HashMap headers = new HashMap();
        headers.put("Authorization", token);
        AuthCredentials credentials =
                authenticator.extractCredentials(new FakeRestRequest(headers, new HashMap()), (ThreadContext) null);

        Assert.assertNotNull(credentials);
        Assert.assertEquals(TestJwts.MCCOY_SUBJECT, credentials.getUsername());
        Assert.assertEquals(1, credentials.getBackendRoles().size());
        Assert.assertTrue(credentials.getBackendRoles().contains("123"));
    }

    /**
     * {@code roles_key} is configured but the token carries no such claim; the user is
     * still expected to authenticate, with no backend roles.
     */
    @Test
    public void testRolesMissing() throws Exception {
        Settings settings = Settings.builder()
                .put("signing_key", BaseEncoding.base64().encode(secretKey))
                .put("roles_key", TestJwts.ROLES_CLAIM)
                .build();
        String token = Jwts.builder()
                .serializeToJsonWith(jwtSerializer)
                .setSubject(TestJwts.MCCOY_SUBJECT)
                .signWith(Keys.hmacShaKeyFor(secretKey), SignatureAlgorithm.HS512)
                .compact();
        HTTPJwtAuthenticator authenticator = new HTTPJwtAuthenticator(settings, (Path) null);

        HashMap headers = new HashMap();
        headers.put("Authorization", token);
        AuthCredentials credentials =
                authenticator.extractCredentials(new FakeRestRequest(headers, new HashMap()), (ThreadContext) null);

        Assert.assertNotNull(credentials);
        Assert.assertEquals(TestJwts.MCCOY_SUBJECT, credentials.getUsername());
        Assert.assertEquals(0, credentials.getBackendRoles().size());
    }

    /**
     * {@code subject_key} names a claim ({@code "missing"}) that the token does not
     * contain, and the token has no standard subject either. With no user name to
     * derive, no credentials are expected.
     */
    @Test
    public void testWrongSubjectKey() throws Exception {
        Settings settings = Settings.builder()
                .put("signing_key", BaseEncoding.base64().encode(secretKey))
                .put("subject_key", "missing")
                .build();
        String token = Jwts.builder()
                .serializeToJsonWith(jwtSerializer)
                .claim(TestJwts.ROLES_CLAIM, "role1,role2")
                .claim("asub", "Dr. Who")
                .signWith(Keys.hmacShaKeyFor(secretKey), SignatureAlgorithm.HS512)
                .compact();
        HTTPJwtAuthenticator authenticator = new HTTPJwtAuthenticator(settings, (Path) null);

        HashMap headers = new HashMap();
        headers.put("Authorization", token);
        AuthCredentials credentials =
                authenticator.extractCredentials(new FakeRestRequest(headers, new HashMap()), (ThreadContext) null);

        Assert.assertNull(credentials);
    }

    /**
     * With {@code subject_key} set to {@code "asub"}, the user name is expected to come
     * from that claim ({@code "Dr. Who"}) and not from the standard subject that the
     * token also carries.
     */
    @Test
    public void testAlternativeSubject() throws Exception {
        Settings settings = Settings.builder()
                .put("signing_key", BaseEncoding.base64().encode(secretKey))
                .put("subject_key", "asub")
                .build();
        String token = Jwts.builder()
                .serializeToJsonWith(jwtSerializer)
                .setSubject(TestJwts.MCCOY_SUBJECT)
                .claim(TestJwts.ROLES_CLAIM, "role1,role2")
                .claim("asub", "Dr. Who")
                .signWith(Keys.hmacShaKeyFor(secretKey), SignatureAlgorithm.HS512)
                .compact();
        HTTPJwtAuthenticator authenticator = new HTTPJwtAuthenticator(settings, (Path) null);

        HashMap headers = new HashMap();
        headers.put("Authorization", token);
        AuthCredentials credentials =
                authenticator.extractCredentials(new FakeRestRequest(headers, new HashMap()), (ThreadContext) null);

        Assert.assertNotNull(credentials);
        Assert.assertEquals("Dr. Who", credentials.getUsername());
        // The token has a roles claim, but no roles_key is configured, so none are expected.
        Assert.assertEquals(0, credentials.getBackendRoles().size());
    }

    /**
     * The claim named by {@code subject_key} holds a boolean; the user name is expected
     * to be its string form, {@code "false"}.
     */
    @Test
    public void testNonStringAlternativeSubject() throws Exception {
        Settings settings = Settings.builder()
                .put("signing_key", BaseEncoding.base64().encode(secretKey))
                .put("subject_key", "asub")
                .build();
        String token = Jwts.builder()
                .serializeToJsonWith(jwtSerializer)
                .setSubject(TestJwts.MCCOY_SUBJECT)
                .claim(TestJwts.ROLES_CLAIM, "role1,role2")
                .claim("asub", false)
                .signWith(Keys.hmacShaKeyFor(secretKey), SignatureAlgorithm.HS512)
                .compact();
        HTTPJwtAuthenticator authenticator = new HTTPJwtAuthenticator(settings, (Path) null);

        HashMap headers = new HashMap();
        headers.put("Authorization", token);
        AuthCredentials credentials =
                authenticator.extractCredentials(new FakeRestRequest(headers, new HashMap()), (ThreadContext) null);

        Assert.assertNotNull(credentials);
        Assert.assertEquals("false", credentials.getUsername());
        Assert.assertEquals(0, credentials.getBackendRoles().size());
    }

    /**
     * With {@code jwt_url_parameter} set to {@code "abc"}, the token is expected to be
     * read from that request parameter instead of the Authorization header.
     *
     * <p>NOTE(review): a token carried in the query string commonly ends up in access and
     * proxy logs; deployments that enable this option should treat those logs as
     * containing credentials.
     */
    @Test
    public void testUrlParam() throws Exception {
        Settings settings = Settings.builder()
                .put("signing_key", BaseEncoding.base64().encode(secretKey))
                .put("jwt_url_parameter", "abc")
                .build();
        String token = Jwts.builder()
                .serializeToJsonWith(jwtSerializer)
                .setSubject(TestJwts.MCCOY_SUBJECT)
                .signWith(Keys.hmacShaKeyFor(secretKey), SignatureAlgorithm.HS512)
                .compact();
        HTTPJwtAuthenticator authenticator = new HTTPJwtAuthenticator(settings, (Path) null);

        // No headers at all: the parameter is the only place the token can come from.
        FakeRestRequest request = new FakeRestRequest(new HashMap(), new HashMap());
        request.params().put("abc", token);
        AuthCredentials credentials = authenticator.extractCredentials(request, (ThreadContext) null);

        Assert.assertNotNull(credentials);
        Assert.assertEquals(TestJwts.MCCOY_SUBJECT, credentials.getUsername());
        Assert.assertEquals(0, credentials.getBackendRoles().size());
    }

    /**
     * A correctly signed token whose expiration lies far in the past (100 ms after the
     * epoch) is expected to be rejected.
     */
    @Test
    public void testExp() throws Exception {
        Settings settings = Settings.builder()
                .put("signing_key", BaseEncoding.base64().encode(secretKey))
                .build();
        Date longExpired = new Date(100L);
        String token = Jwts.builder()
                .serializeToJsonWith(jwtSerializer)
                .setSubject("Expired")
                .setExpiration(longExpired)
                .signWith(Keys.hmacShaKeyFor(secretKey), SignatureAlgorithm.HS512)
                .compact();
        HTTPJwtAuthenticator authenticator = new HTTPJwtAuthenticator(settings, (Path) null);

        HashMap headers = new HashMap();
        headers.put("Authorization", token);
        AuthCredentials credentials =
                authenticator.extractCredentials(new FakeRestRequest(headers, new HashMap()), (ThreadContext) null);

        // A valid signature alone must not be enough once exp has passed.
        Assert.assertNull(credentials);
    }

    /**
     * A correctly signed token whose not-before time lies 36,000,000 ms (ten hours) in
     * the future is expected to be rejected.
     */
    @Test
    public void testNbf() throws Exception {
        Settings settings = Settings.builder()
                .put("signing_key", BaseEncoding.base64().encode(secretKey))
                .build();
        long notBeforeMillis = System.currentTimeMillis() + 36000000;
        String token = Jwts.builder()
                .serializeToJsonWith(jwtSerializer)
                .setSubject("Expired")
                .setNotBefore(new Date(notBeforeMillis))
                .signWith(Keys.hmacShaKeyFor(secretKey), SignatureAlgorithm.HS512)
                .compact();
        HTTPJwtAuthenticator authenticator = new HTTPJwtAuthenticator(settings, (Path) null);

        HashMap headers = new HashMap();
        headers.put("Authorization", token);
        AuthCredentials credentials =
                authenticator.extractCredentials(new FakeRestRequest(headers, new HashMap()), (ThreadContext) null);

        // The token is not valid yet, so it must not authenticate.
        Assert.assertNull(credentials);
    }

    /**
     * Asymmetric case: the token is signed with a freshly generated 2048-bit RSA private
     * key, while the authenticator is configured only with the matching public key in a
     * PEM-style wrapper. Credentials for the token subject are expected.
     */
    @Test
    public void testRS256() throws Exception {
        KeyPairGenerator rsaGenerator = KeyPairGenerator.getInstance("RSA");
        rsaGenerator.initialize(2048);
        KeyPair rsaKeys = rsaGenerator.generateKeyPair();
        PrivateKey signingKey = rsaKeys.getPrivate();
        PublicKey verificationKey = rsaKeys.getPublic();

        String token = Jwts.builder()
                .serializeToJsonWith(jwtSerializer)
                .setSubject(TestJwts.MCCOY_SUBJECT)
                .signWith(signingKey, SignatureAlgorithm.RS256)
                .compact();

        // The END marker follows the base64 body with no line break in between, so this
        // test also relies on the key parsing tolerating that form.
        String pem = "-----BEGIN PUBLIC KEY-----\n"
                + BaseEncoding.base64().encode(verificationKey.getEncoded())
                + "-----END PUBLIC KEY-----";
        Settings settings = Settings.builder()
                .put("signing_key", pem)
                .build();
        HTTPJwtAuthenticator authenticator = new HTTPJwtAuthenticator(settings, (Path) null);

        HashMap headers = new HashMap();
        headers.put("Authorization", "Bearer " + token);
        AuthCredentials credentials =
                authenticator.extractCredentials(new FakeRestRequest(headers, new HashMap()), (ThreadContext) null);

        Assert.assertNotNull(credentials);
        Assert.assertEquals(TestJwts.MCCOY_SUBJECT, credentials.getUsername());
        Assert.assertEquals(0, credentials.getBackendRoles().size());
    }

    /**
     * Elliptic-curve case: the token is signed with an ES512 private key and the
     * authenticator receives the public key as bare base64, without PEM markers.
     * Credentials for the token subject are expected.
     */
    @Test
    public void testES512() throws Exception {
        KeyPair ecKeys = Keys.keyPairFor(SignatureAlgorithm.ES512);
        PrivateKey signingKey = ecKeys.getPrivate();
        PublicKey verificationKey = ecKeys.getPublic();

        String token = Jwts.builder()
                .serializeToJsonWith(jwtSerializer)
                .setSubject(TestJwts.MCCOY_SUBJECT)
                .signWith(signingKey, SignatureAlgorithm.ES512)
                .compact();

        Settings settings = Settings.builder()
                .put("signing_key", BaseEncoding.base64().encode(verificationKey.getEncoded()))
                .build();
        HTTPJwtAuthenticator authenticator = new HTTPJwtAuthenticator(settings, (Path) null);

        HashMap headers = new HashMap();
        headers.put("Authorization", "Bearer " + token);
        AuthCredentials credentials =
                authenticator.extractCredentials(new FakeRestRequest(headers, new HashMap()), (ThreadContext) null);

        Assert.assertNotNull(credentials);
        Assert.assertEquals(TestJwts.MCCOY_SUBJECT, credentials.getUsername());
        Assert.assertEquals(0, credentials.getBackendRoles().size());
    }

    /**
     * The roles claim is a JSON array in a raw payload; each of its three elements is
     * expected to become a backend role.
     */
    @Test
    public void rolesArray() throws Exception {
        Settings settings = Settings.builder()
                .put("signing_key", BaseEncoding.base64().encode(secretKey))
                .put("roles_key", TestJwts.ROLES_CLAIM)
                .build();
        String token = Jwts.builder()
                .serializeToJsonWith(jwtSerializer)
                .setPayload("{\"sub\": \"John Doe\",\"roles\": [\"a\",\"b\",\"3rd\"]}")
                .signWith(Keys.hmacShaKeyFor(secretKey), SignatureAlgorithm.HS512)
                .compact();
        HTTPJwtAuthenticator authenticator = new HTTPJwtAuthenticator(settings, (Path) null);

        HashMap headers = new HashMap();
        headers.put("Authorization", "Bearer " + token);
        AuthCredentials credentials =
                authenticator.extractCredentials(new FakeRestRequest(headers, new HashMap()), (ThreadContext) null);

        Assert.assertNotNull(credentials);
        Assert.assertEquals("John Doe", credentials.getUsername());
        Assert.assertEquals(3, credentials.getBackendRoles().size());
        Assert.assertTrue(credentials.getBackendRoles().contains("a"));
        Assert.assertTrue(credentials.getBackendRoles().contains("b"));
        Assert.assertTrue(credentials.getBackendRoles().contains("3rd"));
    }

    /**
     * Subject and roles are taken from a nested claim through the JSON path settings
     * {@code subject_path} and {@code roles_path}; the comma-separated roles string is
     * expected to be split into individual backend roles.
     */
    @Test
    public void testJsonPathRolesAndSubjectExpression() {
        Settings settings = Settings.builder()
                .put("signing_key", BaseEncoding.base64().encode(secretKey))
                .put("subject_path", "$['some_claim_name']['user']['id']")
                .put("roles_path", "$['some_claim_name']['user']['roles']")
                .build();

        // Claim layout: some_claim_name -> user -> { id, roles }
        Map<String, Object> user = new HashMap<>();
        user.put("id", "peter mueller");
        user.put(TestJwts.ROLES_CLAIM, "some role a, another role b");
        Map<String, Object> claimValue = new HashMap<>();
        claimValue.put("user", user);

        String token = Jwts.builder()
                .serializeToJsonWith(jwtSerializer)
                .claim("some_claim_name", claimValue)
                .signWith(Keys.hmacShaKeyFor(secretKey), SignatureAlgorithm.HS512)
                .compact();
        HTTPJwtAuthenticator authenticator = new HTTPJwtAuthenticator(settings, (Path) null);

        HashMap headers = new HashMap();
        headers.put("Authorization", token);
        AuthCredentials credentials =
                authenticator.extractCredentials(new FakeRestRequest(headers, new HashMap()), (ThreadContext) null);

        Assert.assertNotNull(credentials);
        Assert.assertEquals("peter mueller", credentials.getUsername());
        Assert.assertThat(credentials.getBackendRoles(), CoreMatchers.hasItems("some role a", "another role b"));
    }

    /**
     * Same nested-claim setup as the multi-role JSON path case, but the roles value is
     * a single string without separators; it is expected to appear as one backend role.
     */
    @Test
    public void testJsonPathRolesAndSubjectExpressionWithSingleRole() {
        Settings settings = Settings.builder()
                .put("signing_key", BaseEncoding.base64().encode(secretKey))
                .put("subject_path", "$['some_claim_name']['user']['id']")
                .put("roles_path", "$['some_claim_name']['user']['roles']")
                .build();

        // Claim layout: some_claim_name -> user -> { id, roles }
        Map<String, Object> user = new HashMap<>();
        user.put("id", "peter mueller");
        user.put(TestJwts.ROLES_CLAIM, "some role a");
        Map<String, Object> claimValue = new HashMap<>();
        claimValue.put("user", user);

        String token = Jwts.builder()
                .serializeToJsonWith(jwtSerializer)
                .claim("some_claim_name", claimValue)
                .signWith(Keys.hmacShaKeyFor(secretKey), SignatureAlgorithm.HS512)
                .compact();
        HTTPJwtAuthenticator authenticator = new HTTPJwtAuthenticator(settings, (Path) null);

        HashMap headers = new HashMap();
        headers.put("Authorization", token);
        AuthCredentials credentials =
                authenticator.extractCredentials(new FakeRestRequest(headers, new HashMap()), (ThreadContext) null);

        Assert.assertNotNull(credentials);
        Assert.assertEquals("peter mueller", credentials.getUsername());
        Assert.assertThat(credentials.getBackendRoles(), CoreMatchers.hasItem("some role a"));
    }

    /**
     * The roles value at {@code roles_path} is a list whose first element itself holds
     * two comma-separated roles; all three role names are expected as backend roles.
     */
    @Test
    public void testJsonPathRolesAndSubjectExpressionWithCollection() {
        Settings settings = Settings.builder()
                .put("signing_key", BaseEncoding.base64().encode(secretKey))
                .put("subject_path", "$['some_claim_name']['user']['id']")
                .put("roles_path", "$['some_claim_name']['user']['roles']")
                .build();

        // Claim layout: some_claim_name -> user -> { id, roles[] }
        Map<String, Object> user = new HashMap<>();
        user.put("id", "peter mueller");
        user.put(TestJwts.ROLES_CLAIM, Arrays.asList("some role a, some role b", "some role c"));
        Map<String, Object> claimValue = new HashMap<>();
        claimValue.put("user", user);

        String token = Jwts.builder()
                .serializeToJsonWith(jwtSerializer)
                .claim("some_claim_name", claimValue)
                .signWith(Keys.hmacShaKeyFor(secretKey), SignatureAlgorithm.HS512)
                .compact();
        HTTPJwtAuthenticator authenticator = new HTTPJwtAuthenticator(settings, (Path) null);

        HashMap headers = new HashMap();
        headers.put("Authorization", token);
        AuthCredentials credentials =
                authenticator.extractCredentials(new FakeRestRequest(headers, new HashMap()), (ThreadContext) null);

        Assert.assertNotNull(credentials);
        Assert.assertEquals("peter mueller", credentials.getUsername());
        Assert.assertThat(
                credentials.getBackendRoles(),
                CoreMatchers.hasItems("some role a", "some role b", "some role c"));
    }

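    /**
     * {@code subject_path} resolves but {@code roles_path} points at a node that the
     * token does not contain. The user is expected to authenticate with an empty set of
     * backend roles, so an unresolved roles path grants no roles.
     */
    @Test
    public void testJsonPathRolesAndSubjectExpressionWithInvalidRolePath() {
        Settings settings = Settings.builder()
                .put("signing_key", BaseEncoding.base64().encode(secretKey))
                .put("subject_path", "$['some_claim_name']['user']['id']")
                .put("roles_path", "$['some_claim_name']['asd']['roles']")
                .build();

        // Claim layout: some_claim_name -> user -> { id, roles }; there is no "asd" node.
        Map<String, Object> user = new HashMap<>();
        user.put("id", "peter mueller");
        user.put(TestJwts.ROLES_CLAIM, "some role a");
        Map<String, Object> claimValue = new HashMap<>();
        claimValue.put("user", user);

        // The serializer is registered once; a second identical registration adds nothing.
        String token = Jwts.builder()
                .serializeToJsonWith(jwtSerializer)
                .claim("some_claim_name", claimValue)
                .signWith(Keys.hmacShaKeyFor(secretKey), SignatureAlgorithm.HS512)
                .compact();
        HTTPJwtAuthenticator authenticator = new HTTPJwtAuthenticator(settings, (Path) null);

        HashMap headers = new HashMap();
        headers.put("Authorization", token);
        AuthCredentials credentials =
                authenticator.extractCredentials(new FakeRestRequest(headers, new HashMap()), (ThreadContext) null);

        Assert.assertNotNull(credentials);
        Assert.assertEquals("peter mueller", credentials.getUsername());
        Assert.assertThat(credentials.getBackendRoles(), Is.is(Collections.emptySet()));
    }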

    /**
     * Neither {@code subject_path} nor {@code roles_path} matches anything in the token.
     * With no subject to resolve, no credentials are expected.
     */
    @Test
    public void testInvalidJsonPathRolesAndSubjectExpression() {
        Settings settings = Settings.builder()
                .put("signing_key", BaseEncoding.base64().encode(secretKey))
                .put("subject_path", "$['123123asd']['asdf']['id']")
                .put("roles_path", "$['xyasd']['foo']['ss']")
                .build();

        // Claim layout: some_claim_name -> user -> { id, roles[] }; the configured paths miss it.
        Map<String, Object> user = new HashMap<>();
        user.put("id", "peter mueller");
        user.put(TestJwts.ROLES_CLAIM, Arrays.asList("some role a", "another role b"));
        Map<String, Object> claimValue = new HashMap<>();
        claimValue.put("user", user);

        String token = Jwts.builder()
                .serializeToJsonWith(jwtSerializer)
                .claim("some_claim_name", claimValue)
                .signWith(Keys.hmacShaKeyFor(secretKey), SignatureAlgorithm.HS512)
                .compact();
        HTTPJwtAuthenticator authenticator = new HTTPJwtAuthenticator(settings, (Path) null);

        HashMap headers = new HashMap();
        headers.put("Authorization", token);
        AuthCredentials credentials =
                authenticator.extractCredentials(new FakeRestRequest(headers, new HashMap()), (ThreadContext) null);

        Assert.assertNull(credentials);
    }

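    /**
     * Configuring both {@code subject_path} and {@code subject_key} is expected to be
     * rejected when the authenticator is constructed, with an
     * {@link IllegalStateException}. No token is involved: only the settings are under
     * test.
     */
    @Test
    public void testIllegalJWTConfigurationDuplicateSubjects() {
        Settings settings = Settings.builder()
                .put("signing_key", BaseEncoding.base64().encode(secretKey))
                .put("subject_path", "$['some_claim_name']['user']['id']")
                .put("subject_key", "foo")
                .build();

        // Armed directly before the constructor so that only this call can satisfy it.
        this.thrown.expect(IllegalStateException.class);
        new HTTPJwtAuthenticator(settings, (Path) null);
    }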

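    /**
     * Configuring both {@code roles_path} and {@code roles_key} is expected to be
     * rejected when the authenticator is constructed, with an
     * {@link IllegalStateException}. No token is involved: only the settings are under
     * test.
     */
    @Test
    public void testIllegalJWTConfigurationDuplicateRoleSpecification() {
        Settings settings = Settings.builder()
                .put("signing_key", BaseEncoding.base64().encode(secretKey))
                .put("subject_path", "$['some_claim_name']['user']['id']")
                .put("roles_path", "$['xyasd']['foo']['ss']")
                .put("roles_key", "a, b, c")
                .build();

        // Armed directly before the constructor so that only this call can satisfy it.
        this.thrown.expect(IllegalStateException.class);
        new HTTPJwtAuthenticator(settings, (Path) null);
    }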

    /**
     * Five claims of different JSON shapes (string array, int array, object, mixed
     * array, empty array) are mapped to user attributes through
     * {@code map_claims_to_user_attrs.*}; each is expected to arrive in the structured
     * attributes with its shape and element types preserved.
     */
    @Test
    public void attributeAsArray() throws Exception {
        Settings settings = Settings.builder()
                .put("signing_key", BaseEncoding.base64().encode(secretKey))
                .put("roles_key", TestJwts.ROLES_CLAIM)
                .put("map_claims_to_user_attrs.attr_1", "claimsarray_string")
                .put("map_claims_to_user_attrs.attr_2", "claimsarray_int")
                .put("map_claims_to_user_attrs.attr_3", "claimsarray_object")
                .put("map_claims_to_user_attrs.attr_4", "claimsarray_mixed")
                .put("map_claims_to_user_attrs.attr_5", "claimsarray_empty")
                .build();
        String token = Jwts.builder()
                .serializeToJsonWith(jwtSerializer)
                .setPayload("{\"sub\": \"John Doe\",\"claimsarray_string\": [\"a\",\"b\",\"c\"],\"claimsarray_int\": [1,2,3],\"claimsarray_object\": { \"objectarray\": []},\"claimsarray_mixed\": [\"a\",\"b\",1],\"claimsarray_empty\": []}")
                .signWith(Keys.hmacShaKeyFor(secretKey), SignatureAlgorithm.HS512)
                .compact();
        HTTPJwtAuthenticator authenticator = new HTTPJwtAuthenticator(settings, (Path) null);

        HashMap headers = new HashMap();
        headers.put("Authorization", "Bearer " + token);
        AuthCredentials credentials =
                authenticator.extractCredentials(new FakeRestRequest(headers, new HashMap()), (ThreadContext) null);

        Assert.assertNotNull(credentials);
        Assert.assertEquals("John Doe", credentials.getUsername());
        Assert.assertEquals(Arrays.asList("a", "b", "c"), credentials.getStructuredAttributes().get("attr_1"));
        Assert.assertEquals(Arrays.asList(1, 2, 3), credentials.getStructuredAttributes().get("attr_2"));
        Assert.assertEquals(
                ImmutableMap.of("objectarray", Collections.emptyList()),
                credentials.getStructuredAttributes().get("attr_3"));
        Assert.assertEquals(Arrays.asList("a", "b", 1), credentials.getStructuredAttributes().get("attr_4"));
        // An empty JSON array is expected to map to an empty list.
        Assert.assertEquals(Collections.emptyList(), credentials.getStructuredAttributes().get("attr_5"));
    }

    /**
     * {@code subject_pattern} is a regular expression whose first capture group becomes
     * the user name: for {@code leonard@mccoy.com} the expected name is {@code leonard}.
     *
     * <p>NOTE(review): with this pattern, subjects that differ only in the part after
     * {@code @} would map to the same user name, which matters when tokens for more than
     * one domain are accepted.
     */
    @Test
    public void testSubjectPattern() throws Exception {
        Settings settings = Settings.builder()
                .put("signing_key", BaseEncoding.base64().encode(secretKey))
                .put("subject_pattern", "^(.+)@(?:.+)$")
                .build();
        String token = Jwts.builder()
                .serializeToJsonWith(jwtSerializer)
                .setSubject("leonard@mccoy.com")
                .setAudience("myaud")
                .signWith(Keys.hmacShaKeyFor(secretKey), SignatureAlgorithm.HS512)
                .compact();
        HTTPJwtAuthenticator authenticator = new HTTPJwtAuthenticator(settings, (Path) null);

        HashMap headers = new HashMap();
        headers.put("Authorization", "Bearer " + token);
        AuthCredentials credentials =
                authenticator.extractCredentials(new FakeRestRequest(headers, new HashMap()), (ThreadContext) null);

        Assert.assertNotNull(credentials);
        Assert.assertEquals("leonard", credentials.getUsername());
    }

    /**
     * The value at {@code subject_path} is a one-element list; its single element is
     * expected to be used as the user name.
     */
    @Test
    public void testSubjectPathWithList() {
        Settings settings = Settings.builder()
                .put("signing_key", BaseEncoding.base64().encode(secretKey))
                .put("subject_path", "$['some_claim_name']['user']['id']")
                .put("roles_path", "$['some_claim_name']['user']['roles']")
                .build();

        // Claim layout: some_claim_name -> user -> { id[], roles }
        Map<String, Object> user = new HashMap<>();
        user.put("id", Arrays.asList("peter mueller"));
        user.put(TestJwts.ROLES_CLAIM, "some role a, another role b");
        Map<String, Object> claimValue = new HashMap<>();
        claimValue.put("user", user);

        String token = Jwts.builder()
                .serializeToJsonWith(jwtSerializer)
                .claim("some_claim_name", claimValue)
                .signWith(Keys.hmacShaKeyFor(secretKey), SignatureAlgorithm.HS512)
                .compact();
        HTTPJwtAuthenticator authenticator = new HTTPJwtAuthenticator(settings, (Path) null);

        HashMap headers = new HashMap();
        headers.put("Authorization", token);
        AuthCredentials credentials =
                authenticator.extractCredentials(new FakeRestRequest(headers, new HashMap()), (ThreadContext) null);

        Assert.assertNotNull(credentials);
        Assert.assertEquals("peter mueller", credentials.getUsername());
    }

    /**
     * Checks that a {@code subject_path} resolving to a list with two elements is rejected:
     * the subject is ambiguous, so no credentials may be returned.
     */
    @Test
    public void testSubjectPathWithListSize2() {
        Settings settings = Settings.builder()
                .put("signing_key", BaseEncoding.base64().encode(secretKey))
                .put("subject_path", "$['some_claim_name']['user']['id']")
                .put("roles_path", "$['some_claim_name']['user']['roles']")
                .build();

        // Same claim layout as the single-element case, but "id" holds two candidate names.
        HashMap userClaim = new HashMap();
        userClaim.put("id", Arrays.asList("peter mueller", "lieschen mueller"));
        userClaim.put(TestJwts.ROLES_CLAIM, "some role a, another role b");
        HashMap outerClaim = new HashMap();
        outerClaim.put("user", userClaim);

        String token = Jwts.builder()
                .serializeToJsonWith(jwtSerializer)
                .claim("some_claim_name", outerClaim)
                .signWith(Keys.hmacShaKeyFor(secretKey), SignatureAlgorithm.HS512)
                .compact();

        HTTPJwtAuthenticator authenticator = new HTTPJwtAuthenticator(settings, (Path) null);

        HashMap headers = new HashMap();
        headers.put("Authorization", token);
        FakeRestRequest request = new FakeRestRequest(headers, new HashMap());

        // A validly signed token must still be refused when the subject cannot be determined.
        Assert.assertNull(authenticator.extractCredentials(request, (ThreadContext) null));
    }

    /**
     * Checks {@code required_audience} enforcement: a token whose audience equals the configured
     * value is accepted, and a token with a different audience yields no credentials.
     */
    @Test
    public void testRequiredAudience() {
        Settings settings = Settings.builder()
                .put("signing_key", BaseEncoding.base64().encode(secretKey))
                .put("required_audience", "test_audience")
                .build();

        String matchingToken = Jwts.builder()
                .serializeToJsonWith(jwtSerializer)
                .setSubject(TestJwts.MCCOY_SUBJECT)
                .setAudience("test_audience")
                .signWith(Keys.hmacShaKeyFor(secretKey), SignatureAlgorithm.HS512)
                .compact();

        HTTPJwtAuthenticator authenticator = new HTTPJwtAuthenticator(settings, (Path) null);

        // Positive case: the audience matches the configured value.
        HashMap headers = new HashMap();
        headers.put("Authorization", matchingToken);
        FakeRestRequest acceptedRequest = new FakeRestRequest(headers, new HashMap());
        AuthCredentials credentials = authenticator.extractCredentials(acceptedRequest, (ThreadContext) null);
        Assert.assertNotNull(credentials);
        Assert.assertEquals(TestJwts.MCCOY_SUBJECT, credentials.getUsername());

        // Negative case: same key and subject, but the audience differs.
        String mismatchedToken = Jwts.builder()
                .serializeToJsonWith(jwtSerializer)
                .setSubject(TestJwts.MCCOY_SUBJECT)
                .setAudience("wrong_audience")
                .signWith(Keys.hmacShaKeyFor(secretKey), SignatureAlgorithm.HS512)
                .compact();
        headers.put("Authorization", mismatchedToken);
        FakeRestRequest rejectedRequest = new FakeRestRequest(headers, new HashMap());
        Assert.assertNull(authenticator.extractCredentials(rejectedRequest, (ThreadContext) null));
    }

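    /**
     * Checks {@code required_issuer} enforcement: a token whose issuer equals the configured
     * value is accepted; a token with a different issuer, and a token with no issuer claim at
     * all, both yield no credentials.
     *
     * <p>The negative case previously called {@code setAudience("wrong_issuer")}, so the token
     * carried no {@code iss} claim and an actual issuer mismatch was never exercised. Both the
     * mismatching and the absent issuer are now covered.
     */
    @Test
    public void testRequiredIssuer() {
        Settings settings = Settings.builder()
                .put("signing_key", BaseEncoding.base64().encode(secretKey))
                .put("required_issuer", "test_issuer")
                .build();

        String matchingToken = Jwts.builder()
                .serializeToJsonWith(jwtSerializer)
                .setSubject(TestJwts.MCCOY_SUBJECT)
                .setIssuer("test_issuer")
                .signWith(Keys.hmacShaKeyFor(secretKey), SignatureAlgorithm.HS512)
                .compact();

        HTTPJwtAuthenticator authenticator = new HTTPJwtAuthenticator(settings, (Path) null);

        // Positive case: the issuer matches the configured value.
        HashMap headers = new HashMap();
        headers.put("Authorization", matchingToken);
        AuthCredentials credentials =
                authenticator.extractCredentials(new FakeRestRequest(headers, new HashMap()), (ThreadContext) null);
        Assert.assertNotNull(credentials);
        Assert.assertEquals(TestJwts.MCCOY_SUBJECT, credentials.getUsername());

        // Negative case 1: validly signed token whose issuer differs from the required one.
        String wrongIssuerToken = Jwts.builder()
                .serializeToJsonWith(jwtSerializer)
                .setSubject(TestJwts.MCCOY_SUBJECT)
                .setIssuer("wrong_issuer")
                .signWith(Keys.hmacShaKeyFor(secretKey), SignatureAlgorithm.HS512)
                .compact();
        headers.put("Authorization", wrongIssuerToken);
        Assert.assertNull(
                authenticator.extractCredentials(new FakeRestRequest(headers, new HashMap()), (ThreadContext) null));

        // Negative case 2: validly signed token with no issuer claim (what the original
        // assertion effectively covered, since it only set an audience).
        String missingIssuerToken = Jwts.builder()
                .serializeToJsonWith(jwtSerializer)
                .setSubject(TestJwts.MCCOY_SUBJECT)
                .setAudience("wrong_issuer")
                .signWith(Keys.hmacShaKeyFor(secretKey), SignatureAlgorithm.HS512)
                .compact();
        headers.put("Authorization", missingIssuerToken);
        Assert.assertNull(
                authenticator.extractCredentials(new FakeRestRequest(headers, new HashMap()), (ThreadContext) null));
    }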

    // One-time fixture setup: a fresh random HMAC key per test run, and a JWT claims serializer
    // that delegates to DocWriter's JSON output.
    static {
        SecureRandom keySource = new SecureRandom();
        keySource.nextBytes(secretKey);

        jwtSerializer = new Serializer<Map<String, ?>>() {
            @Override
            public byte[] serialize(Map<String, ?> claims) throws SerializationException {
                byte[] json = DocWriter.json().writeAsBytes(claims);
                return json;
            }
        };
    }
}
