package io.fabric8.openshift.client.internal;

import io.fabric8.kubernetes.api.model.ConfigBuilder;
import io.fabric8.kubernetes.api.model.ConfigFluent;
import io.fabric8.kubernetes.client.Config;
import io.fabric8.kubernetes.client.http.HttpRequest;
import io.fabric8.kubernetes.client.http.Interceptor;
import io.fabric8.kubernetes.client.http.StandardHttpRequest;
import io.fabric8.kubernetes.client.http.StandardWebSocketBuilder;
import io.fabric8.kubernetes.client.http.TestAsyncBody;
import io.fabric8.kubernetes.client.http.TestHttpResponse;
import io.fabric8.kubernetes.client.http.TestStandardHttpClient;
import io.fabric8.kubernetes.client.http.TestStandardHttpClientFactory;
import io.fabric8.kubernetes.client.http.WebSocket;
import io.fabric8.kubernetes.client.utils.Serialization;
import java.io.IOException;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.util.Map;
import java.util.concurrent.CompletableFuture;
import org.assertj.core.api.Assertions;
import org.assertj.core.api.InstanceOfAssertFactories;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.io.TempDir;

/* loaded from: input_file:io/fabric8/openshift/client/internal/OpenShiftOAuthInterceptorTest.class */
class OpenShiftOAuthInterceptorTest {
    private TestStandardHttpClientFactory clientFactory;
    private TestStandardHttpClient client;

    @TempDir
    private Path tempDir;
    private Path kubeConfigFile;
    private ConfigBuilder kubeConfigOriginal;

    OpenShiftOAuthInterceptorTest() {
    }

    @BeforeEach
    void setUp() {
        this.clientFactory = new TestStandardHttpClientFactory(TestStandardHttpClientFactory.Mode.SINGLETON);
        this.client = this.clientFactory.newBuilder().build();
        this.kubeConfigFile = this.tempDir.resolve("config.yaml");
        this.kubeConfigOriginal = ((ConfigBuilder) ((ConfigFluent.ContextsNested) ((ConfigBuilder) ((ConfigFluent.ClustersNested) ((ConfigBuilder) ((ConfigFluent.UsersNested) new ConfigBuilder().addNewUser().withName("user").withNewUser().endUser()).endUser()).addNewCluster().withName("cluster").withNewCluster().withServer("https://example.com").endCluster()).endCluster()).addNewContext().withName("current-context").withNewContext().withUser("user").withCluster("cluster").endContext()).endContext()).withCurrentContext("current-context");
    }

    @AfterEach
    void tearDown() {
        this.client.close();
    }

    @Test
    void basicAuthNotUsed() {
        OpenShiftOAuthInterceptor openShiftOAuthInterceptor = new OpenShiftOAuthInterceptor(this.client, new io.fabric8.kubernetes.client.ConfigBuilder(Config.empty()).withUsername("user").withPassword("pass").build());
        HttpRequest.Builder uri = this.client.newHttpRequestBuilder().uri("https://localhost");
        openShiftOAuthInterceptor.before(uri, uri.build(), (Interceptor.RequestTags) null);
        Assertions.assertThat(uri.build().headers("Authorization")).containsExactly(new String[]{"Bearer invalid"});
    }

    @Test
    void tokenIsUsed() {
        Config build = new io.fabric8.kubernetes.client.ConfigBuilder(Config.empty()).withUsername("user").withPassword("pass").build();
        build.setAutoOAuthToken("token");
        OpenShiftOAuthInterceptor openShiftOAuthInterceptor = new OpenShiftOAuthInterceptor(this.client, build);
        HttpRequest.Builder uri = this.client.newHttpRequestBuilder().uri("https://localhost");
        openShiftOAuthInterceptor.before(uri, uri.build(), (Interceptor.RequestTags) null);
        Assertions.assertThat(uri.build().headers("Authorization")).containsExactly(new String[]{"Bearer token"});
    }

    @Test
    void tokenIsRefreshedFromConfigFile() throws IOException {
        ((ConfigFluent.UsersNested) this.kubeConfigOriginal.editFirstUser().editUser().withToken("original-token").endUser()).endUser();
        Files.writeString(this.kubeConfigFile, Serialization.asYaml(this.kubeConfigOriginal.build()), new OpenOption[]{StandardOpenOption.CREATE});
        Config fromKubeconfig = Config.fromKubeconfig(this.kubeConfigFile.toFile());
        Files.writeString(this.kubeConfigFile, Serialization.asYaml(((ConfigBuilder) ((ConfigFluent.UsersNested) this.kubeConfigOriginal.editFirstUser().editUser().withToken("refreshed-token-from-config").endUser()).endUser()).build()), new OpenOption[]{StandardOpenOption.CREATE});
        OpenShiftOAuthInterceptor openShiftOAuthInterceptor = new OpenShiftOAuthInterceptor(this.client, fromKubeconfig);
        HttpRequest.Builder uri = this.client.newHttpRequestBuilder().uri("https://localhost");
        openShiftOAuthInterceptor.afterFailure(uri, TestHttpResponse.from(401, "not for you").withRequest(new StandardHttpRequest((Map) null, URI.create("https://localhost"), "GET", (String) null)), (Interceptor.RequestTags) null);
        Assertions.assertThat(uri.build().headers("Authorization")).containsExactly(new String[]{"Bearer refreshed-token-from-config"});
        Assertions.assertThat(fromKubeconfig).returns((Object) null, (v0) -> {
            return v0.getOauthToken();
        }).returns("refreshed-token-from-config", (v0) -> {
            return v0.getAutoOAuthToken();
        });
    }

    @Test
    void tokenIsRefreshedFromConfigFileForWs() throws IOException {
        ((ConfigFluent.UsersNested) this.kubeConfigOriginal.editFirstUser().editUser().withToken("original-token").endUser()).endUser();
        Files.writeString(this.kubeConfigFile, Serialization.asYaml(this.kubeConfigOriginal.build()), new OpenOption[]{StandardOpenOption.CREATE});
        Config fromKubeconfig = Config.fromKubeconfig(this.kubeConfigFile.toFile());
        Files.writeString(this.kubeConfigFile, Serialization.asYaml(((ConfigBuilder) ((ConfigFluent.UsersNested) this.kubeConfigOriginal.editFirstUser().editUser().withToken("refreshed-token-from-config").endUser()).endUser()).build()), new OpenOption[]{StandardOpenOption.CREATE});
        OpenShiftOAuthInterceptor openShiftOAuthInterceptor = new OpenShiftOAuthInterceptor(this.client, fromKubeconfig);
        WebSocket.Builder uri = this.client.newWebSocketBuilder().uri(URI.create("wss://localhost"));
        openShiftOAuthInterceptor.afterFailure(uri, TestHttpResponse.from(401, "not for you").withRequest(new StandardHttpRequest((Map) null, URI.create("wss://localhost"), "GET", (String) null)), (Interceptor.RequestTags) null);
        Assertions.assertThat(uri).asInstanceOf(InstanceOfAssertFactories.type(StandardWebSocketBuilder.class)).extracting((v0) -> {
            return v0.asHttpRequest();
        }).returns("Bearer refreshed-token-from-config", standardHttpRequest -> {
            return standardHttpRequest.header("Authorization");
        });
    }

    @Test
    void afterFailure_whenTokenSetByUser_thenNoRefresh() {
        Config build = new io.fabric8.kubernetes.client.ConfigBuilder(Config.empty()).withOauthToken("manually-set-token").build();
        Assertions.assertThat(new OpenShiftOAuthInterceptor(this.client, build).afterFailure(this.client.newHttpRequestBuilder().uri("https://localhost"), TestHttpResponse.from(401, "not for you").withRequest(new StandardHttpRequest((Map) null, URI.create("https://localhost"), "GET", (String) null)), (Interceptor.RequestTags) null)).isCompletedWithValue(false);
        Assertions.assertThat(build).returns("manually-set-token", (v0) -> {
            return v0.getOauthToken();
        }).returns((Object) null, (v0) -> {
            return v0.getAutoOAuthToken();
        });
    }

    @Test
    void afterFailure_whenOAuthTokenProviderPresent_thenUseTokenFromProvider() {
        Config build = new io.fabric8.kubernetes.client.ConfigBuilder(Config.empty()).withOauthTokenProvider(() -> {
            return "token-from-oauth-token-provider";
        }).build();
        HttpRequest.Builder uri = this.client.newHttpRequestBuilder().uri("https://localhost");
        Assertions.assertThat(new OpenShiftOAuthInterceptor(this.client, build).afterFailure(uri, TestHttpResponse.from(401, "not for you").withRequest(new StandardHttpRequest((Map) null, URI.create("https://localhost"), "GET", (String) null)), (Interceptor.RequestTags) null)).isCompletedWithValue(true);
        Assertions.assertThat(uri.build().headers("Authorization")).containsExactly(new String[]{"Bearer token-from-oauth-token-provider"});
    }

    @Test
    void afterFailure_withUsernamePassword_thenShouldAuthorizeAndPersistNewToken() throws IOException {
        ((ConfigFluent.UsersNested) this.kubeConfigOriginal.editFirstUser().editUser().withUsername("username").withPassword("pa33word").endUser()).endUser();
        Files.writeString(this.kubeConfigFile, Serialization.asYaml(this.kubeConfigOriginal.build()), new OpenOption[]{StandardOpenOption.CREATE});
        Config fromKubeconfig = Config.fromKubeconfig(this.kubeConfigFile.toFile());
        HttpRequest.Builder uri = this.client.newHttpRequestBuilder().uri("https://localhost");
        OpenShiftOAuthInterceptor openShiftOAuthInterceptor = new OpenShiftOAuthInterceptor(this.client, fromKubeconfig);
        this.clientFactory.expect("/.well-known/oauth-authorization-server", 200, "{\"authorization_endpoint\":\"https://oauth-test/oauth/authorize\"}");
        this.clientFactory.expect("/oauth/authorize", CompletableFuture.completedFuture(new TestHttpResponse().withHeader("Location", "https://oauth-test/oauth/token/implicit#access_token=sha256~refreshed&expires_in=86400&scope=user%3Afull&token_type=Bearer").withBody(new TestAsyncBody())));
        Assertions.assertThat(openShiftOAuthInterceptor.afterFailure(uri, TestHttpResponse.from(401, "not for you").withRequest(new StandardHttpRequest((Map) null, URI.create("https://localhost"), "GET", (String) null)), (Interceptor.RequestTags) null)).isCompletedWithValue(true);
        Assertions.assertThat(uri.build().headers("Authorization")).containsExactly(new String[]{"Bearer sha256~refreshed"});
        Assertions.assertThat(Config.fromKubeconfig(this.kubeConfigFile.toFile())).returns((Object) null, (v0) -> {
            return v0.getOauthToken();
        }).returns("sha256~refreshed", (v0) -> {
            return v0.getAutoOAuthToken();
        });
    }

    @Test
    void afterFailure_whenResponseCode403_thenShouldNotRefresh() {
        Config empty = Config.empty();
        Assertions.assertThat(new OpenShiftOAuthInterceptor(this.client, empty).afterFailure(this.client.newHttpRequestBuilder().uri("https://localhost"), TestHttpResponse.from(403, "FORBIDDEN").withRequest(new StandardHttpRequest((Map) null, URI.create("https://localhost"), "GET", (String) null)), (Interceptor.RequestTags) null)).isCompletedWithValue(false);
    }
}
