package io.fabric8.kubernetes.client.utils;

import io.fabric8.kubernetes.api.model.AuthProviderConfig;
import io.fabric8.kubernetes.api.model.AuthProviderConfigBuilder;
import io.fabric8.kubernetes.client.Config;
import io.fabric8.kubernetes.client.ConfigBuilder;
import io.fabric8.kubernetes.client.http.HttpClient;
import io.fabric8.kubernetes.client.http.TestStandardHttpClient;
import io.fabric8.kubernetes.client.http.TestStandardHttpClientBuilder;
import io.fabric8.kubernetes.client.http.TestStandardHttpClientFactory;
import io.fabric8.kubernetes.client.internal.SSLUtils;
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.io.TempDir;
import org.mockito.ArgumentMatchers;
import org.mockito.MockedStatic;
import org.mockito.Mockito;

/* loaded from: input_file:io/fabric8/kubernetes/client/utils/OpenIDConnectionUtilsTest.class */
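/**
 * Unit tests for {@link OpenIDConnectionUtils}: resolving or refreshing an OIDC token from a
 * kubeconfig auth-provider map, and the client-side {@code id-token} expiry check.
 *
 * <p>Every credential-looking value in this class ({@code client-secret}, {@code refresh-token},
 * {@code thisisatesttoken}, the long JWT) is a static fixture. The HTTP traffic is served by the
 * in-memory {@link TestStandardHttpClient}; the issuer host {@code iam.cloud.example.com} is
 * never contacted by these tests.
 */
class OpenIDConnectionUtilsTest {
    private TestStandardHttpClient httpClient;
    private TestStandardHttpClientBuilder singletonHttpClientBuilder;

    /**
     * Creates a fresh test HTTP client and a builder from the same SINGLETON-mode factory.
     */
    @BeforeEach
    void setUp() {
        TestStandardHttpClientFactory factory = new TestStandardHttpClientFactory(TestStandardHttpClientFactory.Mode.SINGLETON);
        // NOTE(review): m9newBuilder()/m8build() look like decompiler-renamed newBuilder()/build();
        // confirm against TestStandardHttpClientFactory before compiling this listing.
        this.httpClient = factory.m9newBuilder().m8build();
        // Presumably SINGLETON mode makes this builder hand back the client prepared above, so the
        // expectations registered on httpClient are the ones the code under test sees (TODO confirm).
        this.singletonHttpClientBuilder = factory.m9newBuilder();
    }

    /**
     * With neither a refresh token nor an issuer URL in the auth-provider map, the existing
     * {@code id-token} is returned unchanged.
     */
    @Test
    void resolveOIDCTokenFromAuthConfigShouldReturnOldTokenWhenRefreshNotSupported() throws Exception {
        HashMap<String, String> authProviderConfig = new HashMap<>();
        authProviderConfig.put("client-id", "client-id");
        authProviderConfig.put("client-secret", "client-secret");
        authProviderConfig.put("id-token", "id-token");
        // A null builder is passed on purpose: this path is expected to finish without building
        // an HTTP client at all.
        Assertions.assertEquals("id-token", OpenIDConnectionUtils.resolveOIDCTokenFromAuthConfig(Config.empty(), authProviderConfig, (HttpClient.Builder) null).get());
    }

    /**
     * When the auth-provider map carries no IdP certificate, the TLS material for the IdP
     * connection is taken from the inline CA data of the cluster {@link Config}.
     */
    @Test
    void resolveOIDCTokenFromAuthConfig_whenIDPCertNotPresentInAuthConfig_thenUseCertFromConfig() throws Exception {
        // try-with-resources restores the real SSLUtils statics even when an assertion fails.
        try (MockedStatic<SSLUtils> sslUtils = Mockito.mockStatic(SSLUtils.class)) {
            HashMap<String, String> authProviderConfig = newRefreshableAuthProviderConfig();
            Config config = new ConfigBuilder(Config.empty()).withCaCertData("cert").withAuthProvider(new AuthProviderConfig()).build();
            expectDiscoveryThenTokenResponse();
            OpenIDConnectionUtils.resolveOIDCTokenFromAuthConfig(config, authProviderConfig, this.singletonHttpClientBuilder).get();
            // "cert" is not a real certificate: as base64 it decodes to bytes outside ASCII, so the
            // resulting String depends on the charset. The platform default is kept here so the
            // expected value is derived the same way as before.
            // NOTE(review): confirm the code under test decodes with the same charset.
            String expectedPem = new String(Base64.getDecoder().decode("cert"));
            // The third argument is matched with anyBoolean(), so this test does not pin its value.
            // NOTE(review): if that parameter is the trust-all-certificates flag (confirm against
            // SSLUtils), asserting false here would guard against verification being switched off.
            sslUtils.verify(() -> SSLUtils.trustManagers((String) ArgumentMatchers.eq(expectedPem), (String) ArgumentMatchers.isNull(), ArgumentMatchers.anyBoolean(), (String) ArgumentMatchers.isNull(), (String) ArgumentMatchers.isNull()));
            // NOTE(review): the same CA value is expected as the first keyManagers argument; confirm
            // that is intended, since CA data is not normally client key material.
            sslUtils.verify(() -> SSLUtils.keyManagers((String) ArgumentMatchers.eq(expectedPem), (String) ArgumentMatchers.isNull(), (String) ArgumentMatchers.isNull(), (String) ArgumentMatchers.isNull(), (String) ArgumentMatchers.isNull(), (String) ArgumentMatchers.isNull(), (String) ArgumentMatchers.isNull(), (String) ArgumentMatchers.isNull()));
        }
    }

    /**
     * Same fallback as above, but the CA comes from a file referenced by the cluster
     * {@link Config}; the file content is expected to reach SSLUtils unchanged.
     *
     * @param file temporary directory supplied by JUnit and removed after the test
     */
    @Test
    void resolveOIDCTokenFromAuthConfig_whenIDPCertNotPresentInAuthConfig_thenUseCertFileFromConfig(@TempDir File file) throws Exception {
        try (MockedStatic<SSLUtils> sslUtils = Mockito.mockStatic(SSLUtils.class)) {
            File caCertFile = new File(file, "ca.crt");
            Files.write(caCertFile.toPath(), "cert".getBytes(StandardCharsets.UTF_8));
            HashMap<String, String> authProviderConfig = newRefreshableAuthProviderConfig();
            Config config = new ConfigBuilder(Config.empty()).withCaCertFile(caCertFile.getAbsolutePath()).withAuthProvider(new AuthProviderConfig()).build();
            expectDiscoveryThenTokenResponse();
            OpenIDConnectionUtils.resolveOIDCTokenFromAuthConfig(config, authProviderConfig, this.singletonHttpClientBuilder).get();
            // As in the inline-data test, the third trustManagers argument is left unconstrained.
            sslUtils.verify(() -> SSLUtils.trustManagers((String) ArgumentMatchers.eq("cert"), (String) ArgumentMatchers.isNull(), ArgumentMatchers.anyBoolean(), (String) ArgumentMatchers.isNull(), (String) ArgumentMatchers.isNull()));
            sslUtils.verify(() -> SSLUtils.keyManagers((String) ArgumentMatchers.eq("cert"), (String) ArgumentMatchers.isNull(), (String) ArgumentMatchers.isNull(), (String) ArgumentMatchers.isNull(), (String) ArgumentMatchers.isNull(), (String) ArgumentMatchers.isNull(), (String) ArgumentMatchers.isNull(), (String) ArgumentMatchers.isNull()));
        }
    }

    /** An empty token is reported as expired. */
    @Test
    void idTokenExpired_whenEmptyFormatProvided_thenReturnTrue() {
        Config config = createNewConfigWithAuthProviderIdToken("");
        org.assertj.core.api.Assertions.assertThat(OpenIDConnectionUtils.idTokenExpired(config)).isTrue();
    }

    /** A value without the three dot-separated JWT segments is reported as expired. */
    @Test
    void idTokenExpired_whenInvalidJwtTokenFormatProvided_thenReturnTrue() {
        Config config = createNewConfigWithAuthProviderIdToken("invalid-jwt-token");
        org.assertj.core.api.Assertions.assertThat(OpenIDConnectionUtils.idTokenExpired(config)).isTrue();
    }

    /** Three segments whose payload is not decodable JSON are reported as expired. */
    @Test
    void idTokenExpired_whenInvalidJwtPayloadProvided_thenReturnTrue() {
        Config config = createNewConfigWithAuthProviderIdToken("header.payload.signature");
        org.assertj.core.api.Assertions.assertThat(OpenIDConnectionUtils.idTokenExpired(config)).isTrue();
    }

    /** A well-formed token whose {@code exp} claim lies in the past is reported as expired. */
    @Test
    void idTokenExpired_whenOldTokenProvided_thenReturnTrue() {
        // Static sample JWT: its payload decodes to iss=https://mlb.tremolo.lan:8043/auth/idp/oidc
        // and exp=1474596669 (2016), so it is long expired and usable only as a fixture.
        String expiredIdToken = "eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL21sYi50cmVtb2xvLmxhbjo4MDQzL2F1dGgvaWRwL29pZGMiLCJhdWQiOiJrdWJlcm5ldGVzIiwiZXhwIjoxNDc0NTk2NjY5LCJqdGkiOiI2RDUzNXoxUEpFNjJOR3QxaWVyYm9RIiwiaWF0IjoxNDc0NTk2MzY5LCJuYmYiOjE0NzQ1OTYyNDksInN1YiI6Im13aW5kdSIsInVzZXJfcm9sZSI6WyJ1c2VycyIsIm5ldy1uYW1lc3BhY2Utdmlld2VyIl0sImVtYWlsIjoibXdpbmR1QG5vbW9yZWplZGkuY29tIn0.f2As579n9VNoaKzoF-dOQGmXkFKf1FMyNV0-va_B63jn-_n9LGSCca_6IVMP8pO-Zb4KvRqGyTP0r3HkHxYy5c81AnIh8ijarruczl-TK_yF5akjSTHFZD-0gRzlevBDiH8Q79NAr-ky0P4iIXS8lY9Vnjch5MF74Zx0c3alKJHJUnnpjIACByfF2SCaYzbWFMUNat-K1PaUk5-ujMBG7yYnr95xD-63n8CO8teGUAAEMx6zRjzfhnhbzX-ajwZLGwGUBT4WqjMs70-6a7_8gZmLZb2az1cZynkFRj2BaCkVT3A2RrjeEwZEtGXlMqKJ1_I2ulrOVsYx01_yD35-rw";
        Config config = createNewConfigWithAuthProviderIdToken(expiredIdToken);
        org.assertj.core.api.Assertions.assertThat(OpenIDConnectionUtils.idTokenExpired(config)).isTrue();
    }

    /**
     * A token whose {@code exp} claim is 30 seconds in the future is reported as not expired.
     *
     * <p>The header and signature segments are the literal words {@code header} and
     * {@code signature}, so a passing result shows that the expiry check reads the payload
     * without verifying the signature. Its answer is therefore only suitable for deciding
     * whether to refresh, not for trusting any claim in the token.
     */
    @Test
    void idTokenExpired_whenTokenStillNotExpired_thenReturnFalse() {
        long expiresAtEpochSecond = Instant.now().plusSeconds(30L).getEpochSecond();
        // Explicit UTF-8 keeps the encoded payload independent of the platform default charset.
        // NOTE(review): real JWT segments are base64url; this fixture uses the standard encoder,
        // which yields the same characters only because the payload contains no '+' or '/'.
        String payload = Base64.getEncoder().encodeToString(("{\"exp\": " + expiresAtEpochSecond + "}").getBytes(StandardCharsets.UTF_8));
        Config config = createNewConfigWithAuthProviderIdToken("header." + payload + ".signature");
        org.assertj.core.api.Assertions.assertThat(OpenIDConnectionUtils.idTokenExpired(config)).isFalse();
    }

    /**
     * Builds an otherwise empty {@link Config} whose auth provider holds the given token.
     *
     * @param str value stored under the {@code id-token} key of the auth-provider config
     * @return the config handed to {@code idTokenExpired}
     */
    private Config createNewConfigWithAuthProviderIdToken(String str) {
        AuthProviderConfig authProvider = new AuthProviderConfigBuilder().addToConfig("id-token", str).build();
        return new ConfigBuilder(Config.empty()).withAuthProvider(authProvider).build();
    }

    /** Auth-provider map with a refresh token and issuer URL; all values are placeholders. */
    private static HashMap<String, String> newRefreshableAuthProviderConfig() {
        HashMap<String, String> authProviderConfig = new HashMap<>();
        authProviderConfig.put("client-id", "client-id");
        authProviderConfig.put("client-secret", "client-secret");
        authProviderConfig.put("id-token", "id-token");
        authProviderConfig.put("refresh-token", "refresh-token");
        authProviderConfig.put("idp-issuer-url", "https://iam.cloud.example.com/identity");
        return authProviderConfig;
    }

    /** Registers the canned OIDC discovery document and token-endpoint reply on the test client. */
    private void expectDiscoveryThenTokenResponse() {
        this.httpClient.expect("/identity/.well-known/openid-configuration", 200, "{\"issuer\":\"https://iam.cloud.example.com/identity\",\"token_endpoint\":\"https://iam.cloud.example.com/identity/token\"}");
        this.httpClient.expect("/identity/token", 200, "{\"id_token\":\"thisisatesttoken\",\"access_token\":\"thisisrefreshtoken\",\"expires_in\":3599,\"scope\":\"openid https://www.exampleapis.com/auth/userinfo.email\",\"token_type\":\"Bearer\"}");
    }
}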
