package it.geosolutions.geostore.rest.security.keycloak;

import com.fasterxml.jackson.databind.ObjectMapper;
import it.geosolutions.geostore.core.model.User;
import it.geosolutions.geostore.services.rest.security.TokenAuthenticationCache;
import it.geosolutions.geostore.services.rest.security.keycloak.GeoStoreKeycloakAuthProvider;
import it.geosolutions.geostore.services.rest.security.keycloak.GeoStoreOAuthAuthenticator;
import it.geosolutions.geostore.services.rest.security.keycloak.KeyCloakConfiguration;
import it.geosolutions.geostore.services.rest.security.keycloak.KeyCloakFilter;
import it.geosolutions.geostore.services.rest.security.keycloak.KeyCloakHelper;
import it.geosolutions.geostore.services.rest.security.keycloak.KeyCloakRequestWrapper;
import it.geosolutions.geostore.services.rest.security.keycloak.KeycloakTokenDetails;
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.keycloak.adapters.AdapterDeploymentContext;
import org.keycloak.adapters.AdapterTokenStore;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.OAuthRequestAuthenticator;
import org.keycloak.adapters.RequestAuthenticator;
import org.keycloak.adapters.rotation.AdapterTokenVerifier;
import org.keycloak.adapters.spi.AdapterSessionStore;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.adapters.springsecurity.authentication.SpringSecurityRequestAuthenticator;
import org.keycloak.adapters.springsecurity.facade.SimpleHttpFacade;
import org.keycloak.common.VerificationException;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.adapters.config.AdapterConfig;
import org.mockito.ArgumentMatchers;
import org.mockito.MockedStatic;
import org.mockito.Mockito;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

/* loaded from: input_file:it/geosolutions/geostore/rest/security/keycloak/KeycloakFilterTest.class */
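/**
 * Tests for {@link KeyCloakFilter} driven with Spring mock request/response objects.
 *
 * <p>Coverage visible in this class: the redirect entry point for a request without credentials,
 * a bearer token accepted through a stubbed {@link AdapterTokenVerifier}, and a malformed bearer
 * token that must leave the security context empty.
 *
 * <p>NOTE(review): the positive test stubs {@code AdapterTokenVerifier.verifyToken}, so signature,
 * issuer and expiry validation are not exercised by it. The only negative case is a malformed
 * token; a well-formed token with a bad signature or an expired one is not covered here.
 */
public class KeycloakFilterTest extends KeycloakTestSupport {
    private MockHttpServletRequest request;
    private MockHttpServletResponse response;
    private FilterChain chain;

    /**
     * Request authenticator that hands out a {@link TestOAuthAuthenticator} instead of the
     * default OAuth authenticator, so the redirect URI is fixed for the test.
     */
    private class TestAuthenticator extends SpringSecurityRequestAuthenticator {
        public TestAuthenticator(HttpFacade httpFacade, HttpServletRequest httpServletRequest, KeycloakDeployment keycloakDeployment, AdapterTokenStore adapterTokenStore, int i) {
            super(httpFacade, httpServletRequest, keycloakDeployment, adapterTokenStore, i);
        }

        protected OAuthRequestAuthenticator createOAuthAuthenticator() {
            return new TestOAuthAuthenticator(this, this.facade, this.deployment, this.sslRedirectPort, this.tokenStore);
        }
    }

    /** OAuth authenticator whose redirect URI is always {@code KeycloakTestSupport.AUTH_URL}. */
    private class TestOAuthAuthenticator extends GeoStoreOAuthAuthenticator {
        public TestOAuthAuthenticator(RequestAuthenticator requestAuthenticator, HttpFacade httpFacade, KeycloakDeployment keycloakDeployment, int i, AdapterSessionStore adapterSessionStore) {
            super(requestAuthenticator, httpFacade, keycloakDeployment, i, adapterSessionStore);
        }

        protected String getRedirectUri(String str) {
            // The state argument is ignored on purpose: the test needs a deterministic URI.
            return KeycloakTestSupport.AUTH_URL;
        }
    }

    /**
     * Builds a fresh mock request for {@code http://localhost:8080} + {@code APP_URL} and binds it
     * to the current thread through {@link RequestContextHolder}.
     */
    @Before
    public void before() {
        setUpAdapter(KeycloakTestSupport.AUTH_URL);
        this.request = new MockHttpServletRequest();
        this.response = new MockHttpServletResponse();
        this.request.setRequestURI(KeycloakTestSupport.APP_URL);
        this.request.setScheme("http");
        this.request.setServerPort(8080);
        this.request.setServerName("localhost");
        this.chain = new MockFilterChain();
        RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(this.request, this.response));
    }

    /**
     * A request with no Authorization header must leave an {@link AuthenticationEntryPoint} in the
     * {@code KEYCLOAK_REDIRECT} request attribute.
     */
    @Test
    public void testKeyCloakFilterRedirect() throws IOException, ServletException {
        createFilter(createConfiguration()).doFilter(this.request, this.response, this.chain);
        Assert.assertTrue(this.request.getAttribute("KEYCLOAK_REDIRECT") instanceof AuthenticationEntryPoint);
    }

    /**
     * A bearer token accepted by the (stubbed) verifier must produce an authentication whose
     * principal is a GeoStore {@link User}, whose details are {@link KeycloakTokenDetails}, and
     * which is stored in the {@link TokenAuthenticationCache} under the access token.
     */
    @Test
    public void testAuthentication() throws IOException, ServletException, VerificationException {
        KeyCloakConfiguration configuration = createConfiguration();
        AdapterConfig adapterConfig = configuration.readAdapterConfig();
        adapterConfig.setRealmKey(KeycloakTestSupport.PUBLIC_KEY);
        configuration.setJsonConfig(new ObjectMapper().writeValueAsString(adapterConfig));

        // The static mock is closed by try-with-resources on every path, so the stub cannot leak
        // into other tests running on the same thread.
        try (MockedStatic<AdapterTokenVerifier> verifier = Mockito.mockStatic(AdapterTokenVerifier.class)) {
            // Only the fixture token is stubbed; verification itself is bypassed for this test.
            verifier.when(() -> AdapterTokenVerifier.verifyToken(
                            ArgumentMatchers.eq(KeycloakTestSupport.JWT_2018_2037),
                            ArgumentMatchers.any(KeycloakDeployment.class)))
                    .thenReturn(verifyToken());

            TokenAuthenticationCache cache = new TokenAuthenticationCache();
            KeyCloakFilter filter = createFilter(configuration, cache);
            // NOTE(review): this literal presumably duplicates KeycloakTestSupport.JWT_2018_2037
            // (the stub above matches only that value) - confirm and prefer the constant.
            this.request.addHeader("AUTHORIZATION", "bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJqS2RPZS0zNmhrLVI2R1puQk5tb2JfTFdtMUZJQUtWVXlKblEzTnNuU21RIn0.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.deouu-Gqb1MNmfMYARKtkIaM4ztP2tDowG_X0yRxPPSefhQd0rUjLgUl_FS9yiMwJoZBCIYBEvgqBlQW1836SfDTiPXSUlhQRQElJwoXWCS1UaO8neVa-vt8uGo2vBBsOv8pGVM1dsunA3-BMF7P-MX9y0ZmMp4T5VOe4iK3K_uP1teTDyGg455WlL18CsVxKKSvOIrd2xF4M2qNny2fgU7Ca1s-7Jo555VB7fsUu4nLYvoELb0f_4U4H3Yui_J4m2FplsGoqY7RgM_yTBZ9ZvS-W7ddEjpjyM_D1aFaSByzMYVA6yvnqWIsAVZe4sZnjoVZM0sMCQtXtNQaUk7Rbg");
            filter.doFilter(this.request, this.response, this.chain);

            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
            // Fail with an assertion, not a NullPointerException, if the filter authenticated nobody.
            Assert.assertNotNull(authentication);
            Assert.assertTrue(authentication.getPrincipal() instanceof User);
            Assert.assertTrue(authentication.getDetails() instanceof KeycloakTokenDetails);
            KeycloakTokenDetails details = (KeycloakTokenDetails) authentication.getDetails();
            Assert.assertNotNull(cache.get(details.getAccessToken()));
        }
    }

    /**
     * A bearer value that is not a valid token must not populate the security context.
     *
     * <p>The verifier is not mocked here, so the filter's real token handling rejects the value.
     */
    @Test
    public void testAuthenticationFailure() throws IOException, ServletException {
        KeyCloakConfiguration configuration = createConfiguration();
        AdapterConfig adapterConfig = configuration.readAdapterConfig();
        adapterConfig.setRealmKey(KeycloakTestSupport.PUBLIC_KEY);
        configuration.setJsonConfig(new ObjectMapper().writeValueAsString(adapterConfig));
        KeyCloakFilter filter = createFilter(configuration, new TokenAuthenticationCache());
        this.request.addHeader("AUTHORIZATION", "bearer wrong_token");
        filter.doFilter(this.request, this.response, this.chain);
        Assert.assertNull(SecurityContextHolder.getContext().getAuthentication());
    }

    /** Creates the filter under test with a throw-away token cache. */
    private KeyCloakFilter createFilter(KeyCloakConfiguration keyCloakConfiguration) {
        return createFilter(keyCloakConfiguration, new TokenAuthenticationCache());
    }

    /**
     * Creates the filter under test around a {@link KeyCloakHelper} whose authenticator is
     * replaced by {@link TestAuthenticator}.
     *
     * @param keyCloakConfiguration configuration the deployment and the auth provider are built from
     * @param tokenAuthenticationCache cache handed to the filter, so tests can inspect it afterwards
     * @return a filter wired with the test authenticator
     */
    private KeyCloakFilter createFilter(KeyCloakConfiguration keyCloakConfiguration, TokenAuthenticationCache tokenAuthenticationCache) {
        KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(keyCloakConfiguration.readAdapterConfig());
        KeyCloakHelper helper = new KeyCloakHelper(new AdapterDeploymentContext(deployment)) {
            public RequestAuthenticator getAuthenticator(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, KeycloakDeployment keycloakDeployment) {
                KeyCloakRequestWrapper wrapped = new KeyCloakRequestWrapper(httpServletRequest);
                AdapterTokenStore tokenStore = this.adapterTokenStoreFactory.createAdapterTokenStore(keycloakDeployment, wrapped, httpServletResponse);
                // -1 is passed as the SSL redirect port argument of TestAuthenticator.
                return new TestAuthenticator(new SimpleHttpFacade(wrapped, httpServletResponse), wrapped, keycloakDeployment, tokenStore, -1);
            }
        };
        return new KeyCloakFilter(helper, tokenAuthenticationCache, keyCloakConfiguration, new GeoStoreKeycloakAuthProvider(keyCloakConfiguration));
    }

    /** Drops the thread-bound request attributes and security context so tests stay isolated. */
    @After
    public void cleanUp() {
        RequestContextHolder.resetRequestAttributes();
        SecurityContextHolder.clearContext();
    }

    /**
     * Decodes the fixture JWT into an {@link AccessToken} for use as the stubbed verifier result.
     *
     * <p>No signature or expiry check is performed in this helper; it is only suitable as test
     * scaffolding.
     *
     * @return the access token read from {@code KeycloakTestSupport.JWT_2018_2037}
     * @throws RuntimeException wrapping any failure while parsing the fixture
     */
    private static AccessToken verifyToken() {
        try {
            return new JWSInput(KeycloakTestSupport.JWT_2018_2037).readJsonContent(AccessToken.class);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }
}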
