package org.apache.kafka.common.security.auth;

import java.net.InetAddress;
import java.security.Principal;
import javax.net.ssl.SSLSession;
import javax.security.auth.x500.X500Principal;
import javax.security.sasl.SaslServer;
import org.apache.kafka.common.network.Authenticator;
import org.apache.kafka.common.network.TransportLayer;
import org.apache.kafka.common.security.authenticator.DefaultKafkaPrincipalBuilder;
import org.apache.kafka.common.security.kerberos.KerberosName;
import org.apache.kafka.common.security.kerberos.KerberosShortNamer;
import org.apache.kafka.common.security.scram.internals.ScramMechanism;
import org.apache.kafka.common.security.ssl.SslPrincipalMapper;
import org.junit.Assert;
import org.junit.Test;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;

/* loaded from: input_file:org/apache/kafka/common/security/auth/DefaultKafkaPrincipalBuilderTest.class */
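/**
 * Unit tests for {@link DefaultKafkaPrincipalBuilder}.
 *
 * <p>Each test pins which {@link KafkaPrincipal} is derived for a PLAINTEXT, SSL or SASL
 * authentication context, with and without a legacy {@link PrincipalBuilder}. The principal
 * name is the identity later authorization decisions are keyed on, so these expectations are
 * security-relevant: a change to any expected name changes who a client is treated as.
 *
 * <p>Builders are opened in try-with-resources so they are closed even when an assertion fails.
 */
public class DefaultKafkaPrincipalBuilderTest {

    /** Minimal {@link Principal} that carries only a name, used as a stubbed return value. */
    private static class DummyPrincipal implements Principal {
        private final String name;

        private DummyPrincipal(String name) {
            this.name = name;
        }

        @Override
        public String getName() {
            return this.name;
        }
    }

    /**
     * With a legacy {@link PrincipalBuilder} supplied, a PLAINTEXT context yields the legacy
     * builder's principal name with type "User", and closing the wrapper closes the legacy builder.
     */
    @Test
    public void testUseOldPrincipalBuilderForPlaintextIfProvided() throws Exception {
        TransportLayer transportLayer = Mockito.mock(TransportLayer.class);
        Authenticator authenticator = Mockito.mock(Authenticator.class);
        PrincipalBuilder oldPrincipalBuilder = Mockito.mock(PrincipalBuilder.class);
        Mockito.when(oldPrincipalBuilder.buildPrincipal((TransportLayer) ArgumentMatchers.any(), (Authenticator) ArgumentMatchers.any()))
                .thenReturn(new DummyPrincipal("foo"));

        try (DefaultKafkaPrincipalBuilder builder = DefaultKafkaPrincipalBuilder.fromOldPrincipalBuilder(
                authenticator, transportLayer, oldPrincipalBuilder, (KerberosShortNamer) null)) {
            KafkaPrincipal principal = builder.build(
                    new PlaintextAuthenticationContext(InetAddress.getLocalHost(), SecurityProtocol.PLAINTEXT.name()));
            Assert.assertEquals("User", principal.getPrincipalType());
            Assert.assertEquals("foo", principal.getName());
        }

        // Verified after the resource block: close() on the wrapper must have reached the legacy builder.
        Mockito.verify(oldPrincipalBuilder).buildPrincipal(transportLayer, authenticator);
        Mockito.verify(oldPrincipalBuilder).close();
    }

    /**
     * Without a legacy builder, a PLAINTEXT context (no authentication performed) must map to
     * {@link KafkaPrincipal#ANONYMOUS}.
     */
    @Test
    public void testReturnAnonymousPrincipalForPlaintext() throws Exception {
        // Replaces decompiler-generated close handling whose dead branches dereferenced a null Throwable.
        try (DefaultKafkaPrincipalBuilder builder =
                new DefaultKafkaPrincipalBuilder((KerberosShortNamer) null, (SslPrincipalMapper) null)) {
            Assert.assertEquals(
                    KafkaPrincipal.ANONYMOUS,
                    builder.build(new PlaintextAuthenticationContext(InetAddress.getLocalHost(), SecurityProtocol.PLAINTEXT.name())));
        }
    }

    /**
     * With a legacy {@link PrincipalBuilder} supplied, an SSL context also yields the legacy
     * builder's principal, and closing the wrapper closes the legacy builder.
     */
    @Test
    public void testUseOldPrincipalBuilderForSslIfProvided() throws Exception {
        TransportLayer transportLayer = Mockito.mock(TransportLayer.class);
        Authenticator authenticator = Mockito.mock(Authenticator.class);
        PrincipalBuilder oldPrincipalBuilder = Mockito.mock(PrincipalBuilder.class);
        SSLSession session = Mockito.mock(SSLSession.class);
        Mockito.when(oldPrincipalBuilder.buildPrincipal((TransportLayer) ArgumentMatchers.any(), (Authenticator) ArgumentMatchers.any()))
                .thenReturn(new DummyPrincipal("foo"));

        try (DefaultKafkaPrincipalBuilder builder = DefaultKafkaPrincipalBuilder.fromOldPrincipalBuilder(
                authenticator, transportLayer, oldPrincipalBuilder, (KerberosShortNamer) null)) {
            // NOTE(review): the last argument is PLAINTEXT's name although the context is SSL;
            // presumably it is only a listener label here - confirm against SslAuthenticationContext.
            KafkaPrincipal principal = builder.build(
                    new SslAuthenticationContext(session, InetAddress.getLocalHost(), SecurityProtocol.PLAINTEXT.name()));
            Assert.assertEquals("User", principal.getPrincipalType());
            Assert.assertEquals("foo", principal.getName());
        }

        Mockito.verify(oldPrincipalBuilder).buildPrincipal(transportLayer, authenticator);
        Mockito.verify(oldPrincipalBuilder).close();
    }

    /**
     * Without a mapper, the SSL principal name is taken from the TLS session's peer principal.
     */
    @Test
    public void testUseSessionPeerPrincipalForSsl() throws Exception {
        SSLSession session = Mockito.mock(SSLSession.class);
        Mockito.when(session.getPeerPrincipal()).thenReturn(new DummyPrincipal("foo"));

        try (DefaultKafkaPrincipalBuilder builder =
                new DefaultKafkaPrincipalBuilder((KerberosShortNamer) null, (SslPrincipalMapper) null)) {
            KafkaPrincipal principal = builder.build(
                    new SslAuthenticationContext(session, InetAddress.getLocalHost(), SecurityProtocol.PLAINTEXT.name()));
            Assert.assertEquals("User", principal.getPrincipalType());
            Assert.assertEquals("foo", principal.getName());
        }

        Mockito.verify(session, Mockito.atLeastOnce()).getPeerPrincipal();
    }

    /**
     * A session whose peer principal is {@link KafkaPrincipal#ANONYMOUS} must build to
     * {@link KafkaPrincipal#ANONYMOUS}.
     */
    @Test
    public void testPrincipalIfSSLPeerIsNotAuthenticated() throws Exception {
        SSLSession session = Mockito.mock(SSLSession.class);
        // NOTE(review): a real SSLSession reports an unverified peer by throwing
        // SSLPeerUnverifiedException from getPeerPrincipal(); this stub returns a value instead,
        // so the exception path of the builder is not exercised by this test.
        Mockito.when(session.getPeerPrincipal()).thenReturn(KafkaPrincipal.ANONYMOUS);

        try (DefaultKafkaPrincipalBuilder builder =
                new DefaultKafkaPrincipalBuilder((KerberosShortNamer) null, (SslPrincipalMapper) null)) {
            Assert.assertEquals(
                    KafkaPrincipal.ANONYMOUS,
                    builder.build(new SslAuthenticationContext(session, InetAddress.getLocalHost(), SecurityProtocol.PLAINTEXT.name())));
        }

        Mockito.verify(session, Mockito.atLeastOnce()).getPeerPrincipal();
    }

    /**
     * Applies an {@link SslPrincipalMapper} rule list to four successive peer distinguished names.
     *
     * <p>The expectations pin rule precedence: the first DN would also match the third
     * (catch-all CN) rule, yet the result is the first rule's lower-cased "duke", so an earlier
     * rule wins. The last DN has no CN and falls through to DEFAULT, which keeps the DN as the
     * principal name.
     */
    @Test
    public void testPrincipalWithSslPrincipalMapper() throws Exception {
        SSLSession session = Mockito.mock(SSLSession.class);
        // One DN per build() call, consumed in order.
        Mockito.when(session.getPeerPrincipal())
                .thenReturn(new X500Principal("CN=Duke, OU=ServiceUsers, O=Org, C=US"))
                .thenReturn(new X500Principal("CN=Duke, OU=SME, O=mycp, L=Fulton, ST=MD, C=US"))
                .thenReturn(new X500Principal("CN=duke, OU=JavaSoft, O=Sun Microsystems"))
                .thenReturn(new X500Principal("OU=JavaSoft, O=Sun Microsystems, C=US"));

        // The rules contain no spaces after commas; the DEFAULT expectation below shows the
        // DN reaching the mapper in that space-free form.
        String rules = String.join(", ",
                "RULE:^CN=(.*),OU=ServiceUsers.*$/$1/L",
                "RULE:^CN=(.*),OU=(.*),O=(.*),L=(.*),ST=(.*),C=(.*)$/$1@$2/L",
                "RULE:^.*[Cc][Nn]=([a-zA-Z0-9.]*).*$/$1/U",
                "DEFAULT");

        try (DefaultKafkaPrincipalBuilder builder =
                new DefaultKafkaPrincipalBuilder((KerberosShortNamer) null, SslPrincipalMapper.fromRules(rules))) {
            SslAuthenticationContext context =
                    new SslAuthenticationContext(session, InetAddress.getLocalHost(), SecurityProtocol.PLAINTEXT.name());
            Assert.assertEquals("duke", builder.build(context).getName());
            Assert.assertEquals("duke@sme", builder.build(context).getName());
            Assert.assertEquals("DUKE", builder.build(context).getName());
            Assert.assertEquals("OU=JavaSoft,O=Sun Microsystems,C=US", builder.build(context).getName());
        }

        // Exactly one peer-principal lookup per build() call.
        Mockito.verify(session, Mockito.times(4)).getPeerPrincipal();
    }

    /**
     * For a SCRAM-SHA-256 SASL server, the principal name is the server's authorization ID.
     */
    @Test
    public void testPrincipalBuilderScram() throws Exception {
        SaslServer saslServer = Mockito.mock(SaslServer.class);
        Mockito.when(saslServer.getMechanismName()).thenReturn(ScramMechanism.SCRAM_SHA_256.mechanismName());
        Mockito.when(saslServer.getAuthorizationID()).thenReturn("foo");

        try (DefaultKafkaPrincipalBuilder builder =
                new DefaultKafkaPrincipalBuilder((KerberosShortNamer) null, (SslPrincipalMapper) null)) {
            KafkaPrincipal principal = builder.build(new SaslAuthenticationContext(
                    saslServer, SecurityProtocol.SASL_PLAINTEXT, InetAddress.getLocalHost(), SecurityProtocol.SASL_PLAINTEXT.name()));
            Assert.assertEquals("User", principal.getPrincipalType());
            Assert.assertEquals("foo", principal.getName());
        }

        Mockito.verify(saslServer, Mockito.atLeastOnce()).getMechanismName();
        Mockito.verify(saslServer, Mockito.atLeastOnce()).getAuthorizationID();
    }

    /**
     * For GSSAPI, the authorization ID is passed through the {@link KerberosShortNamer} and the
     * short name becomes the principal name.
     *
     * <p>The short namer is mocked to return "foo" for any input, so this test only shows that the
     * short namer is consulted; it says nothing about how real short-name rules treat the host or
     * realm part of "foo/host@REALM.COM".
     */
    @Test
    public void testPrincipalBuilderGssapi() throws Exception {
        SaslServer saslServer = Mockito.mock(SaslServer.class);
        KerberosShortNamer shortNamer = Mockito.mock(KerberosShortNamer.class);
        Mockito.when(saslServer.getMechanismName()).thenReturn("GSSAPI");
        Mockito.when(saslServer.getAuthorizationID()).thenReturn("foo/host@REALM.COM");
        Mockito.when(shortNamer.shortName((KerberosName) ArgumentMatchers.any())).thenReturn("foo");

        try (DefaultKafkaPrincipalBuilder builder =
                new DefaultKafkaPrincipalBuilder(shortNamer, (SslPrincipalMapper) null)) {
            KafkaPrincipal principal = builder.build(new SaslAuthenticationContext(
                    saslServer, SecurityProtocol.SASL_PLAINTEXT, InetAddress.getLocalHost(), SecurityProtocol.SASL_PLAINTEXT.name()));
            Assert.assertEquals("User", principal.getPrincipalType());
            Assert.assertEquals("foo", principal.getName());
        }

        Mockito.verify(saslServer, Mockito.atLeastOnce()).getMechanismName();
        Mockito.verify(saslServer, Mockito.atLeastOnce()).getAuthorizationID();
        Mockito.verify(shortNamer, Mockito.atLeastOnce()).shortName((KerberosName) ArgumentMatchers.any());
    }
}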
