package io.trino.server.security.jwt;

import com.google.common.io.Resources;
import io.airlift.security.pem.PemReader;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.SigningKeyResolver;
import io.trino.server.security.jwt.JwkDecoder;
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.ECParameterSpec;
import java.time.ZonedDateTime;
import java.util.Date;
import java.util.Map;
import java.util.Optional;
import org.junit.jupiter.api.Test;
import org.testng.Assert;

/* loaded from: input_file:io/trino/server/security/jwt/TestJwkDecoder.class */
public class TestJwkDecoder {
    @Test
    public void testReadRsaKeys() {
        Map decodeKeys = JwkDecoder.decodeKeys("{\n  \"keys\": [\n    {\n      \"e\": \"AQAB\",\n      \"n\": \"mvj-0waJ2owQlFWrlC06goLs9PcNehIzCF0QrkdsYZJXOsipcHCFlXBsgQIdTdLvlCzNI07jSYA-zggycYi96lfDX-FYv_CqC8dRLf9TBOPvUgCyFMCFNUTC69hsrEYMR_J79Wj0MIOffiVr6eX-AaCG3KhBMZMh15KCdn3uVrl9coQivy7bk2Uw-aUJ_b26C0gWYj1DnpO4UEEKBk1X-lpeUMh0B_XorqWeq0NYK2pN6CoEIh0UrzYKlGfdnMU1pJJCsNxMiha-Vw3qqxez6oytOV_AswlWvQc7TkSX6cHfqepNskQb7pGxpgQpy9sA34oIxB_S-O7VS7_h0Qh4vQ\",\n      \"alg\": \"RS256\",\n      \"use\": \"sig\",\n      \"kty\": \"RSA\",\n      \"kid\": \"example-rsa\"\n    },\n    {\n      \"kty\": \"EC\",\n      \"use\": \"sig\",\n      \"crv\": \"P-256\",\n      \"kid\": \"example-ec\",\n      \"x\": \"W9pnAHwUz81LldKjL3BzxO1iHe1Pc0fO6rHkrybVy6Y\",\n      \"y\": \"XKSNmn_xajgOvWuAiJnWx5I46IwPVJJYPaEpsX3NPZg\",\n      \"alg\": \"ES256\"\n    }\n  ]\n}");
        Assert.assertEquals(decodeKeys.size(), 2);
        Assert.assertTrue(decodeKeys.get("example-rsa") instanceof JwkDecoder.JwkRsaPublicKey);
        Assert.assertTrue(decodeKeys.get("example-ec") instanceof JwkDecoder.JwkEcPublicKey);
    }

    @Test
    public void testNoKeyId() {
        Assert.assertEquals(JwkDecoder.decodeKeys("{\n  \"keys\": [\n    {\n      \"e\": \"AQAB\",\n      \"n\": \"mvj-0waJ2owQlFWrlC06goLs9PcNehIzCF0QrkdsYZJXOsipcHCFlXBsgQIdTdLvlCzNI07jSYA-zggycYi96lfDX-FYv_CqC8dRLf9TBOPvUgCyFMCFNUTC69hsrEYMR_J79Wj0MIOffiVr6eX-AaCG3KhBMZMh15KCdn3uVrl9coQivy7bk2Uw-aUJ_b26C0gWYj1DnpO4UEEKBk1X-lpeUMh0B_XorqWeq0NYK2pN6CoEIh0UrzYKlGfdnMU1pJJCsNxMiha-Vw3qqxez6oytOV_AswlWvQc7TkSX6cHfqepNskQb7pGxpgQpy9sA34oIxB_S-O7VS7_h0Qh4vQ\",\n      \"alg\": \"RS256\",\n      \"use\": \"sig\",\n      \"kty\": \"RSA\"\n    },\n    {\n      \"kty\": \"EC\",\n      \"use\": \"sig\",\n      \"crv\": \"P-256\",\n      \"x\": \"W9pnAHwUz81LldKjL3BzxO1iHe1Pc0fO6rHkrybVy6Y\",\n      \"y\": \"XKSNmn_xajgOvWuAiJnWx5I46IwPVJJYPaEpsX3NPZg\",\n      \"alg\": \"ES256\"\n    }\n  ]\n}").size(), 0);
    }

    @Test
    public void testRsaNoModulus() {
        Assert.assertEquals(JwkDecoder.decodeKeys("{\n  \"keys\": [\n    {\n      \"e\": \"AQAB\",\n      \"alg\": \"RS256\",\n      \"use\": \"sig\",\n      \"kty\": \"RSA\",\n      \"kid\": \"2c6fa6f5950a7ce465fcf247aa0b094828ac952c\"\n    }\n  ]\n}").size(), 0);
    }

    @Test
    public void testRsaNoExponent() {
        Assert.assertEquals(JwkDecoder.decodeKeys("{\n  \"keys\": [\n    {\n      \"n\": \"mvj-0waJ2owQlFWrlC06goLs9PcNehIzCF0QrkdsYZJXOsipcHCFlXBsgQIdTdLvlCzNI07jSYA-zggycYi96lfDX-FYv_CqC8dRLf9TBOPvUgCyFMCFNUTC69hsrEYMR_J79Wj0MIOffiVr6eX-AaCG3KhBMZMh15KCdn3uVrl9coQivy7bk2Uw-aUJ_b26C0gWYj1DnpO4UEEKBk1X-lpeUMh0B_XorqWeq0NYK2pN6CoEIh0UrzYKlGfdnMU1pJJCsNxMiha-Vw3qqxez6oytOV_AswlWvQc7TkSX6cHfqepNskQb7pGxpgQpy9sA34oIxB_S-O7VS7_h0Qh4vQ\",\n      \"alg\": \"RS256\",\n      \"use\": \"sig\",\n      \"kty\": \"RSA\",\n      \"kid\": \"2c6fa6f5950a7ce465fcf247aa0b094828ac952c\"\n    }\n  ]\n}").size(), 0);
    }

    @Test
    public void testRsaInvalidModulus() {
        Assert.assertEquals(JwkDecoder.decodeKeys("{\n  \"keys\": [\n    {\n      \"e\": \"AQAB\",\n      \"n\": \"!!INVALID!!\",\n      \"alg\": \"RS256\",\n      \"use\": \"sig\",\n      \"kty\": \"RSA\",\n      \"kid\": \"2c6fa6f5950a7ce465fcf247aa0b094828ac952c\"\n    }\n  ]\n}").size(), 0);
    }

    @Test
    public void testRsaInvalidExponent() {
        Assert.assertEquals(JwkDecoder.decodeKeys("{\n  \"keys\": [\n    {\n      \"e\": \"!!INVALID!!\",\n      \"n\": \"mvj-0waJ2owQlFWrlC06goLs9PcNehIzCF0QrkdsYZJXOsipcHCFlXBsgQIdTdLvlCzNI07jSYA-zggycYi96lfDX-FYv_CqC8dRLf9TBOPvUgCyFMCFNUTC69hsrEYMR_J79Wj0MIOffiVr6eX-AaCG3KhBMZMh15KCdn3uVrl9coQivy7bk2Uw-aUJ_b26C0gWYj1DnpO4UEEKBk1X-lpeUMh0B_XorqWeq0NYK2pN6CoEIh0UrzYKlGfdnMU1pJJCsNxMiha-Vw3qqxez6oytOV_AswlWvQc7TkSX6cHfqepNskQb7pGxpgQpy9sA34oIxB_S-O7VS7_h0Qh4vQ\",\n      \"alg\": \"RS256\",\n      \"use\": \"sig\",\n      \"kty\": \"RSA\",\n      \"kid\": \"2c6fa6f5950a7ce465fcf247aa0b094828ac952c\"\n    }\n  ]\n}").size(), 0);
    }

    @Test
    public void testJwtRsa() throws Exception {
        final RSAPublicKey rSAPublicKey = (RSAPublicKey) JwkDecoder.decodeKeys(Resources.toString(Resources.getResource("jwk/jwk-public.json"), StandardCharsets.UTF_8)).get("test-rsa");
        Assert.assertNotNull(rSAPublicKey);
        RSAPublicKey rSAPublicKey2 = (RSAPublicKey) PemReader.loadPublicKey(new File(Resources.getResource("jwk/jwk-rsa-public.pem").toURI()));
        Assert.assertEquals(rSAPublicKey.getPublicExponent(), rSAPublicKey2.getPublicExponent());
        Assert.assertEquals(rSAPublicKey.getModulus(), rSAPublicKey2.getModulus());
        Assert.assertEquals(((Claims) JwtUtil.newJwtParserBuilder().setSigningKeyResolver(new SigningKeyResolver() { // from class: io.trino.server.security.jwt.TestJwkDecoder.1
            public Key resolveSigningKey(JwsHeader jwsHeader, Claims claims) {
                return getKey(jwsHeader);
            }

            public Key resolveSigningKey(JwsHeader jwsHeader, String str) {
                return getKey(jwsHeader);
            }

            private Key getKey(JwsHeader<?> jwsHeader) {
                Assert.assertEquals(jwsHeader.getKeyId(), "test-rsa");
                return rSAPublicKey;
            }
        }).build().parseClaimsJws(JwtUtil.newJwtBuilder().signWith(PemReader.loadPrivateKey(new File(Resources.getResource("jwk/jwk-rsa-private.pem").toURI()), Optional.empty())).setHeaderParam("kid", "test-rsa").setSubject("test-user").setExpiration(Date.from(ZonedDateTime.now().plusMinutes(5L).toInstant())).compact()).getBody()).getSubject(), "test-user");
    }

    @Test
    public void testEcKey() {
        Map decodeKeys = JwkDecoder.decodeKeys("{\n  \"keys\": [\n    {\n      \"kid\": \"test-ec\",\n      \"kty\": \"EC\",\n      \"crv\": \"P-256\",\n      \"x\": \"W9pnAHwUz81LldKjL3BzxO1iHe1Pc0fO6rHkrybVy6Y\",\n      \"y\": \"XKSNmn_xajgOvWuAiJnWx5I46IwPVJJYPaEpsX3NPZg\"\n    }\n  ]\n}");
        Assert.assertEquals(decodeKeys.size(), 1);
        Assert.assertTrue(decodeKeys.get("test-ec") instanceof JwkDecoder.JwkEcPublicKey);
    }

    @Test
    public void testEcInvalidCurve() {
        Assert.assertEquals(JwkDecoder.decodeKeys("{\n  \"keys\": [\n    {\n      \"kid\": \"test-ec\",\n      \"kty\": \"EC\",\n      \"crv\": \"taco\",\n      \"x\": \"W9pnAHwUz81LldKjL3BzxO1iHe1Pc0fO6rHkrybVy6Y\",\n      \"y\": \"XKSNmn_xajgOvWuAiJnWx5I46IwPVJJYPaEpsX3NPZg\"\n    }\n  ]\n}").size(), 0);
    }

    @Test
    public void testEcInvalidX() {
        Assert.assertEquals(JwkDecoder.decodeKeys("{\n  \"keys\": [\n    {\n      \"kid\": \"test-ec\",\n      \"kty\": \"EC\",\n      \"crv\": \"P-256\",\n      \"x\": \"!!INVALID!!\",\n      \"y\": \"XKSNmn_xajgOvWuAiJnWx5I46IwPVJJYPaEpsX3NPZg\"\n    }\n  ]\n}").size(), 0);
    }

    @Test
    public void testEcInvalidY() {
        Assert.assertEquals(JwkDecoder.decodeKeys("{\n  \"keys\": [\n    {\n      \"kid\": \"test-ec\",\n      \"kty\": \"EC\",\n      \"crv\": \"P-256\",\n      \"x\": \"W9pnAHwUz81LldKjL3BzxO1iHe1Pc0fO6rHkrybVy6Y\",\n      \"y\": \"!!INVALID!!\"\n    }\n  ]\n}").size(), 0);
    }

    @Test
    public void testJwtEc() throws Exception {
        assertJwtEc("jwk-ec-p256", EcCurve.P_256);
        assertJwtEc("jwk-ec-p384", EcCurve.P_384);
        assertJwtEc("jwk-ec-p512", EcCurve.P_521);
    }

    private static void assertJwtEc(final String str, ECParameterSpec eCParameterSpec) throws Exception {
        final ECPublicKey eCPublicKey = (ECPublicKey) JwkDecoder.decodeKeys(Resources.toString(Resources.getResource("jwk/jwk-public.json"), StandardCharsets.UTF_8)).get(str);
        Assert.assertNotNull(eCPublicKey);
        Assert.assertSame(eCPublicKey.getParams(), eCParameterSpec);
        ECPublicKey eCPublicKey2 = (ECPublicKey) PemReader.loadPublicKey(new File(Resources.getResource("jwk/" + str + "-public.pem").toURI()));
        Assert.assertEquals(eCPublicKey.getW(), eCPublicKey2.getW());
        Assert.assertEquals(eCPublicKey.getParams().getCurve(), eCPublicKey2.getParams().getCurve());
        Assert.assertEquals(eCPublicKey.getParams().getGenerator(), eCPublicKey2.getParams().getGenerator());
        Assert.assertEquals(eCPublicKey.getParams().getOrder(), eCPublicKey2.getParams().getOrder());
        Assert.assertEquals(eCPublicKey.getParams().getCofactor(), eCPublicKey2.getParams().getCofactor());
        Assert.assertEquals(((Claims) JwtUtil.newJwtParserBuilder().setSigningKeyResolver(new SigningKeyResolver() { // from class: io.trino.server.security.jwt.TestJwkDecoder.2
            public Key resolveSigningKey(JwsHeader jwsHeader, Claims claims) {
                return getKey(jwsHeader);
            }

            public Key resolveSigningKey(JwsHeader jwsHeader, String str2) {
                return getKey(jwsHeader);
            }

            private Key getKey(JwsHeader<?> jwsHeader) {
                Assert.assertEquals(jwsHeader.getKeyId(), str);
                return eCPublicKey;
            }
        }).build().parseClaimsJws(JwtUtil.newJwtBuilder().signWith(PemReader.loadPrivateKey(new File(Resources.getResource("jwk/" + str + "-private.pem").toURI()), Optional.empty())).setHeaderParam("kid", str).setSubject("test-user").setExpiration(Date.from(ZonedDateTime.now().plusMinutes(5L).toInstant())).compact()).getBody()).getSubject(), "test-user");
    }
}
