package io.apicurio.registry.utils.tests;

import com.github.tomakehurst.wiremock.WireMockServer;
import com.github.tomakehurst.wiremock.client.ResponseDefinitionBuilder;
import com.github.tomakehurst.wiremock.client.WireMock;
import com.github.tomakehurst.wiremock.core.WireMockConfiguration;
import io.apicurio.registry.rest.client.impl.ErrorHandler;
import io.quarkus.test.common.QuarkusTestResourceLifecycleManager;
import io.smallrye.jwt.build.Jwt;
import io.smallrye.jwt.build.JwtClaimsBuilder;
import java.util.HashMap;
import java.util.Map;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

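/**
 * Test-only stand-in for a Keycloak realm, backed by WireMock.
 *
 * <p>On {@link #start()} it serves the realm's discovery documents, a JWKS document with one
 * hard-coded RSA public key, and a set of stubbed {@code client_credentials} token responses.
 * It then returns the configuration properties that point the registry at this mock and
 * switch on authentication, role-based and owner-only authorization, admin override and
 * basic-auth client credentials.
 *
 * <p>Security-relevant properties of this fixture, all visible in the stubs below:
 * <ul>
 *   <li>The stubs for the named client ids match on {@code grant_type} and {@code client_id}
 *       only; {@code client_secret} is not inspected, so they cannot be used to test secret
 *       validation.</li>
 *   <li>Only the {@code BASIC_USER*} stubs require {@code client_secret=BASIC_PASSWORD}, and
 *       all three return a token minted for {@link #ADMIN_CLIENT_ID}.</li>
 *   <li>Each token is signed once, while the stub is registered, so every request for a given
 *       client gets the same token for the lifetime of the mock.</li>
 *   <li>Client ids, the password and the refresh token are fixed test values; the client-id
 *       fields are public, static and non-final, so a test can reassign them.</li>
 * </ul>
 */
public class JWKSMockServer implements QuarkusTestResourceLifecycleManager {
    private WireMockServer server;
    // Base URL of the mock plus "/auth"; set by start().
    public String authServerUrl;
    public String realm = "test";
    // Token endpoint URL derived from authServerUrl and realm; set by start().
    public String tokenEndpoint;
    static final Logger LOGGER = LoggerFactory.getLogger(JWKSMockServer.class);
    public static String ADMIN_CLIENT_ID = "admin-client";
    public static String DEVELOPER_CLIENT_ID = "developer-client";
    public static String DEVELOPER_2_CLIENT_ID = "developer-2-client";
    public static String READONLY_CLIENT_ID = "readonly-client";
    public static String NO_ROLE_CLIENT_ID = "no-role-client";
    public static String WRONG_CREDS_CLIENT_ID = "wrong-creds-client";
    public static String BASIC_USER = "sr-test-user";
    public static String BASIC_PASSWORD = "sr-test-password";
    public static String BASIC_USER_A = "sr-test-user-a";
    public static String BASIC_USER_B = "sr-test-user-b";

    private static final String CONTENT_TYPE = "Content-Type";
    private static final String APPLICATION_JSON = "application/json";
    private static final String CLIENT_CREDENTIALS_GRANT = "grant_type=client_credentials";

    // JWKS document served by the certs endpoint: one RSA public key with kid "1",
    // the same kid that generateJwtToken() puts in the token header.
    private static final String JWKS_BODY =
            "{\n"
            + "  \"keys\" : [\n"
            + "    {\n"
            + "      \"kid\": \"1\",\n"
            + "      \"kty\":\"RSA\",\n"
            + "      \"n\":\"iJw33l1eVAsGoRlSyo-FCimeOc-AaZbzQ2iESA3Nkuo3TFb1zIkmt0kzlnWVGt48dkaIl13Vdefh9hqw_r9yNF8xZqX1fp0PnCWc5M_TX_ht5fm9y0TpbiVmsjeRMWZn4jr3DsFouxQ9aBXUJiu26V0vd2vrECeeAreFT4mtoHY13D2WVeJvboc5mEJcp50JNhxRCJ5UkY8jR_wfUk2Tzz4-fAj5xQaBccXnqJMu_1C6MjoCEiB7G1d13bVPReIeAGRKVJIF6ogoCN8JbrOhc_48lT4uyjbgnd24beatuKWodmWYhactFobRGYo5551cgMe8BoxpVQ4to30cGA0qjQ\",\n"
            + "      \"e\":\"AQAB\"\n"
            + "    }\n"
            + "  ]\n"
            + "}";

    /**
     * Starts WireMock on a dynamic port, registers every stub and publishes the resulting URLs.
     *
     * @return the configuration properties that point the registry at this mock and enable
     *         its authentication and authorization features
     */
    public Map<String, String> start() {
        this.server = new WireMockServer(WireMockConfiguration.wireMockConfig().dynamicPort());
        this.server.start();

        // Discovery documents and the signing key set.
        this.server.stubFor(WireMock.get(WireMock.urlMatching(realmPath("/.well-known/uma2-configuration"))).willReturn(wellKnownResponse()));
        this.server.stubFor(WireMock.get(WireMock.urlMatching(realmPath("/.well-known/openid-configuration"))).willReturn(wellKnownResponse()));
        this.server.stubFor(WireMock.get(WireMock.urlEqualTo(realmPath("/protocol/openid-connect/certs"))).willReturn(jsonResponse().withBody(JWKS_BODY)));

        // Role-bearing clients: matched on client_id alone, the secret is never checked.
        stubForClient(ADMIN_CLIENT_ID);
        stubForClient(DEVELOPER_CLIENT_ID);
        stubForClient(DEVELOPER_2_CLIENT_ID);
        stubForClient(READONLY_CLIENT_ID);
        stubForClient(NO_ROLE_CLIENT_ID);

        // Basic-auth users. Registration order matters: "client_id=" + BASIC_USER is a
        // substring of the A and B variants, and body matching uses containing(), so the
        // first stub also matches their requests. WireMock prefers the most recently
        // registered matching stub, which is why A and B are added after it.
        stubForBasicUser(BASIC_USER, null);
        stubForBasicUser(BASIC_USER_A, "aaa");
        stubForBasicUser(BASIC_USER_B, "bbb");

        // Rejected client: answers with the client library's UNAUTHORIZED_CODE status.
        this.server.stubFor(WireMock.post(tokenPath())
                .withRequestBody(WireMock.containing(CLIENT_CREDENTIALS_GRANT))
                .withRequestBody(WireMock.containing("client_id=" + WRONG_CREDS_CLIENT_ID))
                .willReturn(jsonResponse().withStatus(ErrorHandler.UNAUTHORIZED_CODE)));

        this.authServerUrl = this.server.baseUrl() + "/auth";
        LOGGER.info("Keycloak started in mock mode: {}", this.authServerUrl);
        this.tokenEndpoint = this.authServerUrl + "/realms/" + this.realm + "/protocol/openid-connect/token";

        Map<String, String> config = new HashMap<>();
        config.put("registry.keycloak.url", this.authServerUrl);
        config.put("tenant-manager.keycloak.url.configured", this.tokenEndpoint);
        config.put("registry.keycloak.realm", this.realm);
        config.put("registry.auth.enabled", "true");
        config.put("registry.auth.role-based-authorization", "true");
        config.put("registry.auth.owner-only-authorization", "true");
        config.put("registry.auth.admin-override.enabled", "true");
        config.put("registry.auth.basic-auth-client-credentials.enabled", "true");
        return config;
    }

    /** Returns the path below the mocked realm: {@code /auth/realms/<realm>} plus {@code suffix}. */
    private String realmPath(String suffix) {
        return "/auth/realms/" + this.realm + suffix;
    }

    /**
     * Returns the path on which the token stubs are registered.
     *
     * <p>NOTE(review): this path ends in "/", whereas the token_endpoint advertised by
     * wellKnownResponse() and the tokenEndpoint field do not; the stubs match the exact
     * path, so confirm that clients really post to the trailing-slash form.
     */
    private String tokenPath() {
        return realmPath("/protocol/openid-connect/token/");
    }

    /** Starts a response that already carries the JSON content type. */
    private ResponseDefinitionBuilder jsonResponse() {
        return WireMock.aResponse().withHeader(CONTENT_TYPE, APPLICATION_JSON);
    }

    /**
     * Builds the token-endpoint response for {@code clientId}.
     *
     * <p>The access token is generated here, at stub-registration time, not per request.
     * The refresh token is a fixed placeholder value.
     */
    private ResponseDefinitionBuilder tokenResponse(String clientId, String orgId) {
        return jsonResponse().withBody("{\n  \"access_token\": \"" + generateJwtToken(clientId, orgId) + "\",\n  \"refresh_token\": \"07e08903-1263-4dd1-9fd1-4a59b0db5283\",\n  \"token_type\": \"bearer\"\n}");
    }

    /** Builds the discovery document: it advertises the JWKS URI and the token endpoint of this mock. */
    private ResponseDefinitionBuilder wellKnownResponse() {
        String realmBase = this.server.baseUrl() + "/auth/realms/" + this.realm;
        return jsonResponse().withBody("{\n    \"jwks_uri\": \"" + realmBase + "/protocol/openid-connect/certs\",\n \"token_endpoint\": \"" + realmBase + "/protocol/openid-connect/token\" }");
    }

    /**
     * Mints a signed JWT whose preferred user name is {@code clientId}.
     *
     * <p>A "groups" claim is added for the admin, developer and read-only client ids; any other
     * id gets no "groups" claim. {@code orgId}, when non-null, is added as "rh-org-id".
     *
     * <p>The token header carries kid "1", matching the key in the JWKS document. The signing
     * key itself is not chosen here; presumably SmallRye JWT resolves it from configuration,
     * and it has to be the private half of the published key for verification to succeed.
     */
    private String generateJwtToken(String clientId, String orgId) {
        JwtClaimsBuilder claims = Jwt.preferredUserName(clientId);
        if (clientId.equals(ADMIN_CLIENT_ID)) {
            claims.claim("groups", "sr-admin");
        } else if (clientId.equals(DEVELOPER_CLIENT_ID) || clientId.equals(DEVELOPER_2_CLIENT_ID)) {
            claims.claim("groups", "sr-developer");
        } else if (clientId.equals(READONLY_CLIENT_ID)) {
            claims.claim("groups", "sr-readonly");
        }
        if (orgId != null) {
            claims.claim("rh-org-id", orgId);
        }
        return claims.jws().keyId("1").sign();
    }

    /**
     * Registers a token stub for {@code clientId} that matches on grant type and client id.
     * The client secret is not part of the match.
     */
    private void stubForClient(String clientId) {
        this.server.stubFor(WireMock.post(tokenPath())
                .withRequestBody(WireMock.containing(CLIENT_CREDENTIALS_GRANT))
                .withRequestBody(WireMock.containing("client_id=" + clientId))
                .willReturn(tokenResponse(clientId, null)));
    }

    /**
     * Registers a token stub for a basic-auth user. The request must also carry
     * {@code client_secret=BASIC_PASSWORD}. The token returned is an admin token, with
     * {@code orgId} as its "rh-org-id" claim when {@code orgId} is non-null.
     */
    private void stubForBasicUser(String user, String orgId) {
        this.server.stubFor(WireMock.post(tokenPath())
                .withRequestBody(WireMock.containing(CLIENT_CREDENTIALS_GRANT))
                .withRequestBody(WireMock.containing("client_id=" + user))
                .withRequestBody(WireMock.containing("client_secret=" + BASIC_PASSWORD))
                .willReturn(tokenResponse(ADMIN_CLIENT_ID, orgId)));
    }

    /** Stops the mock server if it is running; calling it again afterwards does nothing. */
    public synchronized void stop() {
        if (this.server == null) {
            return;
        }
        this.server.stop();
        LOGGER.info("Keycloak was shut down");
        this.server = null;
    }
}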
