package org.geoserver.security.validation;

import org.geoserver.security.config.DigestAuthenticationFilterConfig;
import org.geoserver.security.config.ExceptionTranslationFilterConfig;
import org.geoserver.security.config.J2eeAuthenticationBaseFilterConfig;
import org.geoserver.security.config.J2eeAuthenticationFilterConfig;
import org.geoserver.security.config.PreAuthenticatedUserNameFilterConfig;
import org.geoserver.security.config.RequestHeaderAuthenticationFilterConfig;
import org.geoserver.security.config.RoleFilterConfig;
import org.geoserver.security.config.SecurityInterceptorFilterConfig;
import org.geoserver.security.config.UsernamePasswordAuthenticationFilterConfig;
import org.geoserver.security.config.X509CertificateAuthenticationFilterConfig;
import org.geoserver.security.filter.GeoServerDigestAuthenticationFilter;
import org.geoserver.security.filter.GeoServerExceptionTranslationFilter;
import org.geoserver.security.filter.GeoServerJ2eeAuthenticationFilter;
import org.geoserver.security.filter.GeoServerRequestHeaderAuthenticationFilter;
import org.geoserver.security.filter.GeoServerRoleFilter;
import org.geoserver.security.filter.GeoServerSecurityInterceptorFilter;
import org.geoserver.security.filter.GeoServerUserNamePasswordAuthenticationFilter;
import org.geoserver.security.filter.GeoServerX509CertificateAuthenticationFilter;
import org.geoserver.security.xml.XMLRoleService;
import org.geoserver.security.xml.XMLUserGroupService;
import org.geoserver.test.GeoServerMockTestSupport;
import org.junit.Assert;
import org.junit.Test;

/* loaded from: input_file:org/geoserver/security/validation/FilterConfigValidatorTest.class */
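/**
 * Tests that {@link FilterConfigValidator} rejects incomplete or inconsistent security filter
 * configurations with the expected error id and arguments, and accepts them once completed.
 *
 * <p>Every test builds its validator from the security manager returned by the inherited
 * {@code getSecurityManager()}. The assertions cover configuration validation only: they check
 * that required settings are present and that referenced services can be resolved. They do not
 * exercise the runtime behaviour of the filters themselves.
 */
public class FilterConfigValidatorTest extends GeoServerMockTestSupport {

    /**
     * Asserts that a validation failure carries exactly the expected error id and arguments.
     *
     * @param failure the exception thrown by the validator
     * @param expectedId the error id the validator is expected to report
     * @param expectedArgs the expected error arguments, in order (none when omitted)
     */
    private static void assertFailure(FilterConfigException failure, String expectedId, Object... expectedArgs) {
        Assert.assertEquals(expectedId, failure.getId());
        Assert.assertEquals(expectedArgs.length, failure.getArgs().length);
        for (int i = 0; i < expectedArgs.length; i++) {
            Assert.assertEquals(expectedArgs[i], failure.getArgs()[i]);
        }
    }

    /**
     * Digest authentication needs a resolvable user group service and a non-negative nonce
     * validity before the configuration is accepted.
     */
    @Test
    public void testDigestConfigValidation() throws Exception {
        DigestAuthenticationFilterConfig config = new DigestAuthenticationFilterConfig();
        config.setClassName(GeoServerDigestAuthenticationFilter.class.getName());
        config.setName("testDigest");
        FilterConfigValidator validator = new FilterConfigValidator(getSecurityManager());

        // No user group service configured at all.
        try {
            validator.validateFilterConfig(config);
            Assert.fail("no user group service should fail");
        } catch (FilterConfigException expected) {
            assertFailure(expected, "USER_GROUP_SERVICE_NEEDED");
        }

        // A name that does not resolve to a service is reported back as the error argument.
        config.setUserGroupServiceName("blabla");
        try {
            validator.validateFilterConfig(config);
            Assert.fail("unknown user group service should fail");
        } catch (FilterConfigException expected) {
            assertFailure(expected, "UNKNOWN_USER_GROUP_SERVICE", "blabla");
        }

        // With a resolvable service, a negative nonce validity must still be rejected.
        config.setUserGroupServiceName(XMLUserGroupService.DEFAULT_NAME);
        config.setNonceValiditySeconds(-1);
        try {
            validator.validateFilterConfig(config);
            Assert.fail("invalid nonce should fail");
        } catch (FilterConfigException expected) {
            assertFailure(expected, "INVALID_SECONDS");
        }

        // Complete configuration: must validate without throwing.
        config.setNonceValiditySeconds(100);
        validator.validateFilterConfig(config);
    }

    /**
     * The role filter needs a response header attribute name; a role converter is optional but,
     * when named, must be resolvable.
     */
    @Test
    public void testRoleFilterConfigValidation() throws Exception {
        RoleFilterConfig config = new RoleFilterConfig();
        config.setClassName(GeoServerRoleFilter.class.getName());
        config.setName("testRoleFilter");
        FilterConfigValidator validator = new FilterConfigValidator(getSecurityManager());

        try {
            validator.validateFilterConfig(config);
            Assert.fail("no header attribute should fail");
        } catch (FilterConfigException expected) {
            assertFailure(expected, "HEADER_ATTRIBUTE_NAME_REQUIRED");
        }

        config.setHttpResponseHeaderAttrForIncludedRoles("roles");
        config.setRoleConverterName("unknown");
        try {
            validator.validateFilterConfig(config);
            // Failure message previously misspelled "unknown".
            Assert.fail("unknown role converter should fail");
        } catch (FilterConfigException expected) {
            assertFailure(expected, "UNKNOWN_ROLE_CONVERTER", "unknown");
        }

        // A null converter name is accepted.
        config.setRoleConverterName((String) null);
        validator.validateFilterConfig(config);
    }

    /**
     * The security interceptor filter needs a security metadata source that can be resolved.
     *
     * <p>NOTE(review): only the rejecting paths are asserted here; no accepted configuration is
     * validated for this filter type.
     */
    @Test
    public void testSecurityInterceptorFilterConfigValidation() throws Exception {
        SecurityInterceptorFilterConfig config = new SecurityInterceptorFilterConfig();
        config.setClassName(GeoServerSecurityInterceptorFilter.class.getName());
        config.setName("testInterceptFilter");
        FilterConfigValidator validator = new FilterConfigValidator(getSecurityManager());

        try {
            validator.validateFilterConfig(config);
            Assert.fail("no metadata source should fail");
        } catch (FilterConfigException expected) {
            assertFailure(expected, "SECURITY_METADATA_SOURCE_NEEDED");
        }

        config.setSecurityMetadataSource("unknown");
        try {
            validator.validateFilterConfig(config);
            Assert.fail("unknown metadata source should fail");
        } catch (FilterConfigException expected) {
            assertFailure(expected, "UNKNOWN_SECURITY_METADATA_SOURCE", "unknown");
        }
    }

    /** X.509 certificate authentication shares the J2EE base configuration checks. */
    @Test
    public void testX509FilterConfigValidation() throws Exception {
        X509CertificateAuthenticationFilterConfig config = new X509CertificateAuthenticationFilterConfig();
        config.setClassName(GeoServerX509CertificateAuthenticationFilter.class.getName());
        config.setName("testX509");
        check((J2eeAuthenticationBaseFilterConfig) config);
    }

    /**
     * Form login needs both the username and the password request parameter names; each missing
     * name is reported separately, username first.
     */
    @Test
    public void testUsernamePasswordFilterConfigValidation() throws Exception {
        UsernamePasswordAuthenticationFilterConfig config = new UsernamePasswordAuthenticationFilterConfig();
        config.setClassName(GeoServerUserNamePasswordAuthenticationFilter.class.getName());
        config.setName("testUsernamePassword");
        FilterConfigValidator validator = new FilterConfigValidator(getSecurityManager());

        try {
            validator.validateFilterConfig(config);
            Assert.fail("no user should fail");
        } catch (FilterConfigException expected) {
            assertFailure(expected, "USER_PARAMETER_NAME_NEEDED");
        }

        config.setUsernameParameterName("user");
        try {
            validator.validateFilterConfig(config);
            Assert.fail("no password should fail");
        } catch (FilterConfigException expected) {
            assertFailure(expected, "PASSWORD_PARAMETER_NAME_NEEDED");
        }

        config.setPasswordParameterName("password");
        validator.validateFilterConfig(config);
    }

    /** J2EE container authentication is covered by the shared J2EE base configuration checks. */
    @Test
    public void testJ2eeFilterConfigValidation() throws Exception {
        J2eeAuthenticationFilterConfig config = new J2eeAuthenticationFilterConfig();
        config.setClassName(GeoServerJ2eeAuthenticationFilter.class.getName());
        config.setName("testJ2ee");
        check((J2eeAuthenticationBaseFilterConfig) config);
    }

    /**
     * The exception translation filter may name an authentication filter to use as entry point;
     * the name must resolve, and the named filter must be able to act as an entry point.
     */
    @Test
    public void testExceptionTranslationFilterConfigValidation() throws Exception {
        ExceptionTranslationFilterConfig config = new ExceptionTranslationFilterConfig();
        config.setClassName(GeoServerExceptionTranslationFilter.class.getName());
        config.setName("testEx");
        FilterConfigValidator validator = new FilterConfigValidator(getSecurityManager());

        // A filter name that cannot be resolved.
        config.setAuthenticationFilterName("unknown");
        try {
            validator.validateFilterConfig(config);
            Assert.fail("invalid entry point should fail");
        } catch (FilterConfigException expected) {
            assertFailure(expected, "INVALID_ENTRY_POINT", "unknown");
        }

        // "interceptor" is expected to be rejected as not providing an authentication entry point.
        config.setAuthenticationFilterName("interceptor");
        try {
            validator.validateFilterConfig(config);
            Assert.fail("no auth entry point should fail");
        } catch (FilterConfigException expected) {
            assertFailure(expected, "NO_AUTH_ENTRY_POINT", "interceptor");
        }

        // Leaving the authentication filter name unset is accepted.
        config.setAuthenticationFilterName((String) null);
        validator.validateFilterConfig(config);
    }

    /**
     * Shared checks for pre-authenticated filter configurations: walks the role sources
     * (user group service, role service, header) and asserts the error reported for each
     * missing or unresolvable setting.
     *
     * <p>The passed configuration is mutated along the way and is left with the header role
     * source, a roles header attribute of {@code "roles"} and no role converter.
     *
     * <p>NOTE(review): the role-service source is only asserted with an unresolvable name; the
     * source is switched to the header before the default role service name is validated.
     *
     * @param preAuthenticatedUserNameFilterConfig the configuration under test, without a role
     *     source set
     */
    public void check(PreAuthenticatedUserNameFilterConfig preAuthenticatedUserNameFilterConfig) throws Exception {
        PreAuthenticatedUserNameFilterConfig config = preAuthenticatedUserNameFilterConfig;
        FilterConfigValidator validator = new FilterConfigValidator(getSecurityManager());

        try {
            validator.validateFilterConfig(config);
            Assert.fail("no role source should fail");
        } catch (FilterConfigException expected) {
            assertFailure(expected, "ROLE_SOURCE_NEEDED");
        }

        // Role source: user group service.
        config.setRoleSource(PreAuthenticatedUserNameFilterConfig.PreAuthenticatedUserNameRoleSource.UserGroupService);
        try {
            validator.validateFilterConfig(config);
            Assert.fail("no user group service should fail");
        } catch (FilterConfigException expected) {
            assertFailure(expected, "USER_GROUP_SERVICE_NEEDED");
        }

        config.setUserGroupServiceName("blabla");
        try {
            validator.validateFilterConfig(config);
            Assert.fail("unknown group service should fail");
        } catch (FilterConfigException expected) {
            assertFailure(expected, "UNKNOWN_USER_GROUP_SERVICE", "blabla");
        }

        // Role source: role service.
        config.setUserGroupServiceName(XMLUserGroupService.DEFAULT_NAME);
        config.setRoleSource(PreAuthenticatedUserNameFilterConfig.PreAuthenticatedUserNameRoleSource.RoleService);
        config.setRoleServiceName("blabla");
        try {
            validator.validateFilterConfig(config);
            Assert.fail("unknown role service should fail");
        } catch (FilterConfigException expected) {
            assertFailure(expected, "UNKNOWN_ROLE_SERVICE", "blabla");
        }

        // Role source: request header. Only the presence of the attribute name is validated
        // here; whether the header value can be trusted is a deployment concern outside this test.
        config.setRoleServiceName(XMLRoleService.DEFAULT_NAME);
        config.setRoleSource(PreAuthenticatedUserNameFilterConfig.PreAuthenticatedUserNameRoleSource.Header);
        try {
            validator.validateFilterConfig(config);
            Assert.fail("no roles header attribute should fail");
        } catch (FilterConfigException expected) {
            assertFailure(expected, "ROLES_HEADER_ATTRIBUTE_NEEDED");
        }

        config.setRolesHeaderAttribute("roles");
        config.setRoleConverterName("unknown");
        try {
            validator.validateFilterConfig(config);
            Assert.fail("unknown role converter should fail");
        } catch (FilterConfigException expected) {
            assertFailure(expected, "UNKNOWN_ROLE_CONVERTER", "unknown");
        }

        // Header role source without a converter is accepted.
        config.setRoleConverterName((String) null);
        validator.validateFilterConfig(config);
    }

    /**
     * Shared checks for J2EE-based filter configurations: runs the pre-authenticated checks,
     * then asserts that the J2EE role source rejects an unresolvable role service name.
     *
     * <p>NOTE(review): the role service name is reset to the default at the end without a
     * following validation call, so the accepting path for the J2EE role source is not asserted.
     * Confirm whether a final {@code validateFilterConfig} call was intended.
     *
     * @param j2eeAuthenticationBaseFilterConfig the configuration under test, without a role
     *     source set
     */
    public void check(J2eeAuthenticationBaseFilterConfig j2eeAuthenticationBaseFilterConfig) throws Exception {
        J2eeAuthenticationBaseFilterConfig config = j2eeAuthenticationBaseFilterConfig;
        // The cast selects the pre-authenticated overload instead of recursing into this method.
        check((PreAuthenticatedUserNameFilterConfig) config);

        FilterConfigValidator validator = new FilterConfigValidator(getSecurityManager());
        config.setRoleSource(J2eeAuthenticationBaseFilterConfig.J2EERoleSource.J2EE);
        config.setRoleServiceName("blabla");
        try {
            validator.validateFilterConfig(config);
            Assert.fail("unknown role service should fail");
        } catch (FilterConfigException expected) {
            assertFailure(expected, "UNKNOWN_ROLE_SERVICE", "blabla");
        }
        config.setRoleServiceName(XMLRoleService.DEFAULT_NAME);
    }

    /**
     * Request header authentication needs the name of the header that carries the principal,
     * then goes through the shared pre-authenticated checks.
     *
     * <p>Only the presence of the header attribute name is validated; the test does not cover
     * who is allowed to set that header on incoming requests.
     */
    @Test
    public void testRequestHeaderFilterConfigValidation() throws Exception {
        RequestHeaderAuthenticationFilterConfig config = new RequestHeaderAuthenticationFilterConfig();
        config.setClassName(GeoServerRequestHeaderAuthenticationFilter.class.getName());
        config.setName("testRequestHeader");

        try {
            new FilterConfigValidator(getSecurityManager()).validateFilterConfig(config);
            Assert.fail("no principal header attribute should fail");
        } catch (FilterConfigException expected) {
            assertFailure(expected, "PRINCIPAL_HEADER_ATTRIBUTE_NEEDED");
        }

        config.setPrincipalHeaderAttribute("user");
        check((PreAuthenticatedUserNameFilterConfig) config);
    }
}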
