package org.geoserver.security.onelogin.test;

import com.github.tomakehurst.wiremock.WireMockServer;
import com.github.tomakehurst.wiremock.client.WireMock;
import com.github.tomakehurst.wiremock.core.WireMockConfiguration;
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.util.Iterator;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.apache.commons.io.IOUtils;
import org.apache.http.NameValuePair;
import org.apache.http.client.utils.URIBuilder;
import org.geoserver.data.test.SystemTestData;
import org.geoserver.security.LogoutFilterChain;
import org.geoserver.security.auth.AbstractAuthenticationProviderTest;
import org.geoserver.security.config.PreAuthenticatedUserNameFilterConfig;
import org.geoserver.security.onelogin.OneloginAuthenticationFilter;
import org.geoserver.security.onelogin.OneloginAuthenticationFilterConfig;
import org.geotools.data.Base64;
import org.hamcrest.CoreMatchers;
import org.joda.time.DateTime;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/* loaded from: input_file:org/geoserver/security/onelogin/test/OneloginAuthenticationTest.class */
public class OneloginAuthenticationTest extends AbstractAuthenticationProviderTest {
    private static final String METADATA_URL = "/saml/metadata";
    private static final String REDIRECT_URL = "/trust/saml2/http-redirect/sso";
    private static final Integer IDP_PORT = 8443;
    private static final String IDP_LOGIN_URL = "http://localhost:" + IDP_PORT + "/login";
    private static OneloginAuthenticationFilterConfig config;
    private static WireMockServer idpSamlService;

    protected void onSetUp(SystemTestData systemTestData) throws Exception {
        super.onSetUp(systemTestData);
        idpSamlService.stubFor(WireMock.get(WireMock.urlEqualTo(METADATA_URL)).willReturn(WireMock.aResponse().withStatus(200).withHeader("Content-Type", "application/xml").withBodyFile("metadata.xml")));
        idpSamlService.stubFor(WireMock.get(WireMock.urlPathEqualTo(REDIRECT_URL)).willReturn(WireMock.aResponse().withStatus(302).withHeader("Location", IDP_LOGIN_URL)));
    }

    @BeforeClass
    public static void beforeClass() throws Exception {
        SSLUtilities.registerKeyStore("keystore");
        idpSamlService = new WireMockServer(WireMockConfiguration.wireMockConfig().httpsPort(IDP_PORT));
        idpSamlService.start();
    }

    @Before
    public void before() throws Exception {
        SecurityContextHolder.getContext().setAuthentication((Authentication) null);
    }

    @AfterClass
    public static void afterClass() throws Exception {
        idpSamlService.shutdown();
    }

    @Test
    public void metadataDiscovery() throws Exception {
        confgiureFilter(PreAuthenticatedUserNameFilterConfig.PreAuthenticatedUserNameRoleSource.UserGroupService);
        WireMock.verify(WireMock.getRequestedFor(WireMock.urlEqualTo(METADATA_URL)).withUrl(METADATA_URL));
    }

    @Test
    public void notAuthenticatedRedirect() throws Exception {
        confgiureFilter(PreAuthenticatedUserNameFilterConfig.PreAuthenticatedUserNameRoleSource.UserGroupService);
        MockHttpServletRequest createRequest = createRequest("/foo/bar");
        MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
        getProxy().doFilter(createRequest, mockHttpServletResponse, new MockFilterChain());
        Assert.assertTrue(mockHttpServletResponse.getStatus() == 302);
        String header = mockHttpServletResponse.getHeader("Location");
        Assert.assertThat(header, CoreMatchers.containsString(REDIRECT_URL));
        String str = null;
        Iterator it = new URIBuilder(header).getQueryParams().iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            NameValuePair nameValuePair = (NameValuePair) it.next();
            if (nameValuePair.getName().equals("SAMLRequest")) {
                str = nameValuePair.getValue();
                break;
            }
        }
        Assert.assertNotNull(str);
        Assert.assertNotNull(new StringSamlDecoder().decode(str));
    }

    @Test
    public void autorizationWithGroup() throws Exception {
        confgiureFilter(PreAuthenticatedUserNameFilterConfig.PreAuthenticatedUserNameRoleSource.UserGroupService);
        getProxy().doFilter(createRequest("/foo/bar"), new MockHttpServletResponse(), new MockFilterChain());
        String buildSAMLRespons = buildSAMLRespons("abc@xyz.com");
        MockHttpServletRequest createRequest = createRequest("/saml/SSO");
        createRequest.setMethod("POST");
        createRequest.addParameter("SAMLResponse", buildSAMLRespons);
        MockFilterChain mockFilterChain = new MockFilterChain();
        getProxy().doFilter(createRequest, new MockHttpServletResponse(), mockFilterChain);
        SecurityContext securityContext = (SecurityContext) createRequest.getSession(false).getAttribute("SPRING_SECURITY_CONTEXT");
        Assert.assertNotNull(securityContext);
        Authentication authentication = securityContext.getAuthentication();
        Assert.assertNotNull(authentication);
        Assert.assertNull(SecurityContextHolder.getContext().getAuthentication());
        checkForAuthenticatedRole(authentication);
        Assert.assertEquals("abc@xyz.com", authentication.getPrincipal());
    }

    @Test
    public void authenticationWithRoles() throws Exception {
        confgiureFilter(PreAuthenticatedUserNameFilterConfig.PreAuthenticatedUserNameRoleSource.RoleService);
        getProxy().doFilter(createRequest("/foo/bar"), new MockHttpServletResponse(), new MockFilterChain());
        String buildSAMLRespons = buildSAMLRespons("user1");
        MockHttpServletRequest createRequest = createRequest("/saml/SSO");
        createRequest.setMethod("POST");
        createRequest.addParameter("SAMLResponse", buildSAMLRespons);
        getProxy().doFilter(createRequest, new MockHttpServletResponse(), new MockFilterChain());
        SecurityContext securityContext = (SecurityContext) createRequest.getSession(false).getAttribute("SPRING_SECURITY_CONTEXT");
        Assert.assertNotNull(securityContext);
        Authentication authentication = securityContext.getAuthentication();
        Assert.assertNotNull(authentication);
        Assert.assertNull(SecurityContextHolder.getContext().getAuthentication());
        checkForAuthenticatedRole(authentication);
        boolean z = false;
        Iterator it = authentication.getAuthorities().iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            } else if (((GrantedAuthority) it.next()).getAuthority().equals("RootRole")) {
                z = true;
                break;
            }
        }
        Assert.assertTrue(z);
        Assert.assertEquals("user1", authentication.getPrincipal());
    }

    @Test
    public void logoutTest() throws Exception {
        LogoutFilterChain requestChainByName = getSecurityManager().getSecurityConfig().getFilterChain().getRequestChainByName("webLogout");
        confgiureFilter(PreAuthenticatedUserNameFilterConfig.PreAuthenticatedUserNameRoleSource.RoleService);
        getProxy().doFilter(createRequest("/foo/bar"), new MockHttpServletResponse(), new MockFilterChain());
        String buildSAMLRespons = buildSAMLRespons("user1");
        MockHttpServletRequest createRequest = createRequest("/saml/SSO");
        createRequest.setMethod("POST");
        createRequest.addParameter("SAMLResponse", buildSAMLRespons);
        getProxy().doFilter(createRequest, new MockHttpServletResponse(), new MockFilterChain());
        SecurityContext securityContext = (SecurityContext) createRequest.getSession(false).getAttribute("SPRING_SECURITY_CONTEXT");
        Assert.assertNotNull(securityContext);
        Assert.assertEquals("user1", securityContext.getAuthentication().getPrincipal());
        SecurityContextHolder.setContext(securityContext);
        MockHttpServletRequest createRequest2 = createRequest((String) requestChainByName.getPatterns().get(0));
        MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
        getSecurityManager().loadFilter("formLogout").doFilter(createRequest2, mockHttpServletResponse, new MockFilterChain());
        Assert.assertTrue(mockHttpServletResponse.getStatus() == 302);
        Assert.assertThat(mockHttpServletResponse.getHeader("Location"), CoreMatchers.containsString("/saml/logout"));
    }

    private String buildSAMLRespons(String str) throws Exception {
        DateTime dateTime = new DateTime();
        Document parse = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(new InputSource(new ByteArrayInputStream(IOUtils.toString(getClass().getResourceAsStream("/__files/response.xml"), "UTF-8").getBytes("utf-8"))));
        XPath newXPath = XPathFactory.newInstance().newXPath();
        NodeList nodeList = (NodeList) newXPath.evaluate("//@IssueInstant", parse, XPathConstants.NODESET);
        for (int i = 0; i < nodeList.getLength(); i++) {
            nodeList.item(i).setNodeValue(dateTime.toString("yyyy-MM-dd'T'HH:mm:ssZ"));
        }
        NodeList nodeList2 = (NodeList) newXPath.evaluate("//@NotOnOrAfter", parse, XPathConstants.NODESET);
        for (int i2 = 0; i2 < nodeList2.getLength(); i2++) {
            nodeList2.item(i2).setNodeValue(dateTime.toString("yyyy-MM-dd'T'HH:mm:ssZ"));
        }
        NodeList nodeList3 = (NodeList) newXPath.evaluate("//@NotBefore", parse, XPathConstants.NODESET);
        for (int i3 = 0; i3 < nodeList3.getLength(); i3++) {
            nodeList3.item(i3).setNodeValue(dateTime.toString("yyyy-MM-dd'T'HH:mm:ssZ"));
        }
        NodeList nodeList4 = (NodeList) newXPath.evaluate("//@AuthnInstant", parse, XPathConstants.NODESET);
        for (int i4 = 0; i4 < nodeList4.getLength(); i4++) {
            nodeList4.item(i4).setNodeValue(dateTime.toString("yyyy-MM-dd'T'HH:mm:ssZ"));
        }
        NodeList nodeList5 = (NodeList) newXPath.evaluate("//@SessionNotOnOrAfter", parse, XPathConstants.NODESET);
        for (int i5 = 0; i5 < nodeList5.getLength(); i5++) {
            nodeList5.item(i5).setNodeValue(dateTime.plusDays(1).toString("yyyy-MM-dd'T'HH:mm:ssZ"));
        }
        ((Node) newXPath.evaluate("//*[local-name() = 'NameID']/text()", parse, XPathConstants.NODE)).setNodeValue(str);
        Transformer newTransformer = TransformerFactory.newInstance().newTransformer();
        StringWriter stringWriter = new StringWriter();
        newTransformer.transform(new DOMSource(parse), new StreamResult(stringWriter));
        return Base64.encodeBytes(stringWriter.getBuffer().toString().getBytes("UTF-8"), 8).trim();
    }

    private void confgiureFilter(PreAuthenticatedUserNameFilterConfig.PreAuthenticatedUserNameRoleSource preAuthenticatedUserNameRoleSource) {
        try {
            if (config == null) {
                config = new OneloginAuthenticationFilterConfig();
                config.setWantAssertionSigned(false);
                config.setClassName(OneloginAuthenticationFilter.class.getName());
                config.setName("testOneloginFilter");
                config.setEntityId("geoserver");
                config.setMetadataURL("https://localhost:" + idpSamlService.httpsPort() + METADATA_URL);
            }
            config.setUserGroupServiceName(preAuthenticatedUserNameRoleSource == PreAuthenticatedUserNameFilterConfig.PreAuthenticatedUserNameRoleSource.RoleService ? "rs1" : "ug1");
            config.setRoleSource(preAuthenticatedUserNameRoleSource);
            getSecurityManager().saveFilter(config);
            prepareFilterChain(this.pattern, new String[]{"testOneloginFilter"});
            modifyChain(this.pattern, false, true, null);
        } catch (Exception e) {
        }
    }
}
