package org.geoserver.security.keycloak;

import java.io.IOException;
import java.util.Collections;
import java.util.Iterator;
import javax.servlet.FilterChain;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.keycloak.representations.adapters.config.AdapterConfig;
import org.mockito.AdditionalMatchers;
import org.mockito.ArgumentCaptor;
import org.mockito.Matchers;
import org.mockito.Mockito;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.AuthenticationEntryPoint;

/* loaded from: input_file:org/geoserver/security/keycloak/GeoServerKeycloakFilterTest.class */
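/**
 * Unit tests for {@link GeoServerKeycloakFilter} driven entirely through mocked servlet objects.
 *
 * <p>Four paths are covered: no credentials with interactive login enabled (redirect to the
 * identity provider), no credentials in bearer-only mode (403), a malformed bearer token (403),
 * and a correctly signed bearer token (authentication placed in the security context).
 *
 * <p>Every negative test asserts that the {@link SecurityContextHolder} stays empty, so a
 * regression that authenticates a request on a failure path is caught here.
 */
public class GeoServerKeycloakFilterTest {
    /** Request attribute under which the filter publishes its {@link AuthenticationEntryPoint}. */
    public static final String AEP_HEADER = "_AUTHENTICATION_ENTRY_POINT_HEADER";

    /** Keycloak realm written into the adapter configuration. */
    public static final String REALM = "master";

    /** Client (resource) id written into the adapter configuration; also the token's audience. */
    public static final String CLIENT_ID = "nginx-authn";

    /** URL the mocked request claims to have been sent to. */
    public static final String APP_URL = "http://localhost:8080/app";

    /** Base URL of the Keycloak server used in the adapter configuration. */
    public static final String AUTH_URL = "https://cas.core.maui.mda.ca:8040/auth";

    /** Expected prefix of the login redirect; equal to the {@code iss} claim of the fixture token. */
    public static final String OPENID_URL = "https://cas.core.maui.mda.ca:8040/auth/realms/master";

    /** Base64 (X.509 SubjectPublicKeyInfo) RSA public key that verifies {@link #JWT_2018_2037}. */
    public static final String PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzkRIC4ow7QqXed+4WICpF5gU2AqXrKT2lPBZOyG6NETv7Xg2FmlGA5KIPxcweexgJCcRY1oFEpulBhVo8zc7WVKX1gc8myXvqvdOMHTUMZ0C4l8Q8ls4fE8B4FiALv/48uT1YWXKKvsaBPSeh3QTINwtYsAxIrqTjW5wJVaH8L+EazeKep+JSKPvworT9Q8K4u0XURI9MZi983LEx4WufciTPqhD8v6h7Yr+Iy6H/vHHBulwIHZ4MnQBod1aiKuOhM8bsD+FPBVcKCanATVhz6pZoaZXv7j2ZnVSvh6iGiqP80DknLOyY3IqVST9w8KP1UG0upQ+Zsk8ohCg4Qlm6QIDAQAB";

    /**
     * RS256-signed fixture token, written as header, payload and signature segments.
     *
     * <p>The payload decodes to {@code iat=1517016996} (2018) and {@code exp=2121816996} (2037),
     * issuer {@link #OPENID_URL}, audience {@link #CLIENT_ID} and {@code preferred_username=admin}
     * with realm roles. It is the token that {@link #testGoodAuth()} presents.
     *
     * <p>NOTE(review): this is a long-lived, admin-scoped token bound to {@link #PUBLIC_KEY}. It is
     * only harmless while the matching private key is a throwaway test key; confirm that key is
     * not used by any deployed realm.
     */
    public static final String JWT_2018_2037 =
            "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJqS2RPZS0zNmhrLVI2R1puQk5tb2JfTFdtMUZJQUtWVXlKblEzTnNuU21RIn0"
                    + "."
                    + "eyJqdGkiOiIzNTc5MDQ5MS0yNzI5LTRiNTAtOGIwOC1kYzNhYTM1NDE0ZjgiLCJleHAiOjIxMjE4MTY5OTYsIm5iZiI6MCwiaWF0IjoxNTE3MDE2OTk2LCJpc3MiOiJodHRwczovL2Nhcy5jb3JlLm1hdWkubWRhLmNhOjgwNDAvYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjoibmdpbngtYXV0aG4iLCJzdWIiOiIxMDM3NzU0OC04OTZhLTQwODUtODY2OC0zNmM4OWQzYzU0OTMiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJuZ2lueC1hdXRobiIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjY5MWQwOTZiLTkzNjctNDdlZi04OGEyLTQ1ZjIwZGI4ZjMxNCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOltdLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsiY3JlYXRlLXJlYWxtIiwiYWRtaW4iLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7Im1hc3Rlci1yZWFsbSI6eyJyb2xlcyI6WyJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsInZpZXctcmVhbG0iLCJtYW5hZ2UtaWRlbnRpdHktcHJvdmlkZXJzIiwiaW1wZXJzb25hdGlvbiIsImNyZWF0ZS1jbGllbnQiLCJtYW5hZ2UtdXNlcnMiLCJxdWVyeS1yZWFsbXMiLCJ2aWV3LWF1dGhvcml6YXRpb24iLCJxdWVyeS1jbGllbnRzIiwicXVlcnktdXNlcnMiLCJtYW5hZ2UtZXZlbnRzIiwibWFuYWdlLXJlYWxtIiwidmlldy1ldmVudHMiLCJ2aWV3LXVzZXJzIiwidmlldy1jbGllbnRzIiwibWFuYWdlLWF1dGhvcml6YXRpb24iLCJtYW5hZ2UtY2xpZW50cyIsInF1ZXJ5LWdyb3VwcyJdfSwiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtaW4ifQ"
                    + "."
                    + "deouu-Gqb1MNmfMYARKtkIaM4ztP2tDowG_X0yRxPPSefhQd0rUjLgUl_FS9yiMwJoZBCIYBEvgqBlQW1836SfDTiPXSUlhQRQElJwoXWCS1UaO8neVa-vt8uGo2vBBsOv8pGVM1dsunA3-BMF7P-MX9y0ZmMp4T5VOe4iK3K_uP1teTDyGg455WlL18CsVxKKSvOIrd2xF4M2qNny2fgU7Ca1s-7Jo555VB7fsUu4nLYvoELb0f_4U4H3Yui_J4m2FplsGoqY7RgM_yTBZ9ZvS-W7ddEjpjyM_D1aFaSByzMYVA6yvnqWIsAVZe4sZnjoVZM0sMCQtXtNQaUk7Rbg";

    private GeoServerKeycloakFilterConfig config;
    private HttpServletRequest request;
    private HttpServletResponse response;
    private FilterChain chain;

    /**
     * Builds a minimal adapter configuration (realm, client id, auth server URL) and fresh mocks.
     *
     * <p>The mocked request answers every {@code getHeaders} call with an empty enumeration, so a
     * test that needs credentials must stub the {@code Authorization} header itself.
     *
     * @throws IOException if the adapter configuration cannot be serialised into the filter config
     */
    @Before
    public void before() throws IOException {
        AdapterConfig adapterConfig = new AdapterConfig();
        adapterConfig.setRealm(REALM);
        adapterConfig.setResource(CLIENT_ID);
        adapterConfig.setAuthServerUrl(AUTH_URL);
        config = new GeoServerKeycloakFilterConfig();
        config.writeAdapterConfig(adapterConfig);

        request = Mockito.mock(HttpServletRequest.class);
        Mockito.when(request.getRequestURL()).thenReturn(new StringBuffer(APP_URL));
        Mockito.when(request.getHeaders(Matchers.anyString()))
                .thenReturn(Collections.<String>emptyEnumeration());
        response = Mockito.mock(HttpServletResponse.class);
        chain = Mockito.mock(FilterChain.class);
    }

    /**
     * Clears the thread-bound security context and drops the fixtures.
     *
     * <p>Resetting the context matters: an authentication left behind by {@link #testGoodAuth()}
     * would otherwise make the {@code assertNull} checks in the negative tests order-dependent.
     */
    @After
    public void after() {
        SecurityContextHolder.getContext().setAuthentication(null);
        config = null;
        request = null;
        response = null;
        chain = null;
    }

    /** Creates a filter initialised from the current {@link #config}. */
    private GeoServerKeycloakFilter newFilter() throws Exception {
        GeoServerKeycloakFilter filter = new GeoServerKeycloakFilter();
        filter.initializeFromConfig(config);
        return filter;
    }

    /**
     * Verifies that the filter stored an entry point under {@link #AEP_HEADER} and returns it.
     *
     * @return the {@link AuthenticationEntryPoint} the filter attached to the mocked request
     */
    private AuthenticationEntryPoint capturedEntryPoint() {
        ArgumentCaptor<AuthenticationEntryPoint> captor =
                ArgumentCaptor.forClass(AuthenticationEntryPoint.class);
        Mockito.verify(request).setAttribute(Matchers.eq(AEP_HEADER), captor.capture());
        return captor.getValue();
    }

    /**
     * No credentials, interactive login allowed: the entry point must answer with a 3xx redirect
     * whose {@code Location} starts with the realm URL and carries the client id.
     */
    @Test
    public void testNoAuth() throws Exception {
        GeoServerKeycloakFilter filter = newFilter();
        Mockito.when(response.getStatus()).thenReturn(HttpStatus.MOVED_PERMANENTLY.value());

        filter.doFilter(request, response, chain);

        capturedEntryPoint().commence(request, response, null);
        Mockito.verify(chain).doFilter(request, response);

        ArgumentCaptor<Integer> status = ArgumentCaptor.forClass(Integer.class);
        Mockito.verify(response).setStatus(status.capture());
        Assert.assertTrue(HttpStatus.valueOf(status.getValue()).is3xxRedirection());
        Mockito.verify(response)
                .setHeader(
                        Matchers.eq("Location"),
                        AdditionalMatchers.and(
                                Matchers.startsWith(OPENID_URL), Matchers.contains(CLIENT_ID)));
        // Same guarantee the other negative tests check: a redirect to the login page must not
        // leave a principal in the context.
        Assert.assertNull(SecurityContextHolder.getContext().getAuthentication());
    }

    /**
     * No credentials in bearer-only mode: no redirect is offered, the entry point sets 403 and the
     * security context stays empty.
     */
    @Test
    public void testNoAuthBearerOnly() throws Exception {
        AdapterConfig adapterConfig = config.readAdapterConfig();
        adapterConfig.setBearerOnly(true);
        config.writeAdapterConfig(adapterConfig);
        GeoServerKeycloakFilter filter = newFilter();
        Mockito.when(response.getStatus()).thenReturn(HttpStatus.FORBIDDEN.value());

        filter.doFilter(request, response, chain);

        capturedEntryPoint().commence(request, response, null);
        Mockito.verify(chain).doFilter(request, response);
        Mockito.verify(response).setStatus(HttpStatus.FORBIDDEN.value());
        Assert.assertNull(SecurityContextHolder.getContext().getAuthentication());
    }

    /**
     * A syntactically invalid bearer token must be rejected: 403 from the entry point and no
     * authentication in the security context.
     *
     * <p>NOTE(review): {@code getStatus()} is stubbed to 401 while the verified {@code setStatus}
     * value is 403; kept as found, confirm that the mismatch is intentional.
     */
    @Test
    public void testBadAuth() throws Exception {
        String authorization = "bearer this.is.not.a.valid.token";
        GeoServerKeycloakFilter filter = newFilter();
        Mockito.when(request.getHeader("Authorization")).thenReturn(authorization);
        Mockito.when(request.getHeaders("Authorization"))
                .thenReturn(Collections.enumeration(Collections.singleton(authorization)));
        Mockito.when(response.getStatus()).thenReturn(HttpStatus.UNAUTHORIZED.value());

        filter.doFilter(request, response, chain);

        capturedEntryPoint().commence(request, response, null);
        Mockito.verify(chain).doFilter(request, response);
        Mockito.verify(response).setStatus(HttpStatus.FORBIDDEN.value());
        Assert.assertNull(SecurityContextHolder.getContext().getAuthentication());
    }

    /**
     * A token signed by the configured realm key is accepted: the chain continues, the response is
     * left untouched (no status, header or cookie), and the context holds a
     * {@link UsernamePasswordAuthenticationToken} whose authorities all carry the {@code ROLE_}
     * prefix.
     */
    @Test
    public void testGoodAuth() throws Exception {
        AdapterConfig adapterConfig = config.readAdapterConfig();
        // Pin the verification key locally so that no key lookup against AUTH_URL is needed.
        adapterConfig.setRealmKey(PUBLIC_KEY);
        config.writeAdapterConfig(adapterConfig);
        GeoServerKeycloakFilter filter = newFilter();

        // Lower-case scheme on purpose, as in the other tests of this class.
        String authorization = "bearer " + JWT_2018_2037;
        Mockito.when(request.getHeader("Authorization")).thenReturn(authorization);
        Mockito.when(request.getHeaders("Authorization"))
                .thenReturn(Collections.enumeration(Collections.singleton(authorization)));
        Mockito.when(response.getStatus()).thenReturn(HttpStatus.OK.value());

        filter.doFilter(request, response, chain);

        Mockito.verify(chain).doFilter(request, response);
        Mockito.verify(response, Mockito.never()).setStatus(Matchers.anyInt());
        Mockito.verify(response, Mockito.never())
                .setHeader(Matchers.anyString(), Matchers.anyString());
        Mockito.verify(response, Mockito.never()).addCookie((Cookie) Matchers.any());

        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        Assert.assertNotNull(authentication);
        Assert.assertTrue(authentication instanceof UsernamePasswordAuthenticationToken);
        Assert.assertFalse(authentication.getAuthorities().isEmpty());
        for (GrantedAuthority authority : authentication.getAuthorities()) {
            Assert.assertTrue(authority.getAuthority().startsWith("ROLE_"));
        }
    }
}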
