package org.geoserver.security.cas;

import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import com.sun.net.httpserver.HttpsServer;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URL;
import java.net.URLDecoder;
import javax.servlet.ServletException;
import org.geoserver.data.test.SystemTestData;
import org.geoserver.platform.GeoServerExtensions;
import org.geoserver.security.AbstractSecurityServiceTest;
import org.geoserver.security.LogoutFilterChain;
import org.geoserver.security.ServiceLoginFilterChain;
import org.geoserver.security.auth.AbstractAuthenticationProviderTest;
import org.geoserver.security.config.PreAuthenticatedUserNameFilterConfig;
import org.geoserver.security.impl.GeoServerRole;
import org.jasig.cas.client.proxy.ProxyGrantingTicketStorage;
import org.jasig.cas.client.validation.Assertion;
import org.jasig.cas.client.validation.Cas20ProxyTicketValidator;
import org.junit.Assert;
import org.junit.Assume;
import org.junit.Before;
import org.junit.Test;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/* loaded from: input_file:org/geoserver/security/cas/CasAuthenticationTest.class */
public class CasAuthenticationTest extends AbstractAuthenticationProviderTest {
    static URL casServerURLPrefix;
    static URL serviceUrl;
    static URL loginUrl;
    static URL proxyCallbackUrlPrefix;
    static HttpsServer httpsServer;

    /* loaded from: input_file:org/geoserver/security/cas/CasAuthenticationTest$HttpsProxyCallBackHandler.class */
    public class HttpsProxyCallBackHandler implements HttpHandler {
        public HttpsProxyCallBackHandler() {
        }

        public void handle(HttpExchange httpExchange) throws IOException {
            URI requestURI = httpExchange.getRequestURI();
            httpExchange.getRequestBody().close();
            CasAuthenticationTest.LOGGER.info("Cas proxy callback: " + requestURI.toString());
            String query = requestURI.getQuery();
            MockHttpServletRequest createRequest = CasAuthenticationTest.this.createRequest("/j_spring_cas_security_proxyreceptor");
            MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
            MockFilterChain mockFilterChain = new MockFilterChain();
            if (query != null) {
                createRequest.setQueryString(query);
                for (String str : query.split("&")) {
                    String[] split = str.split("=");
                    createRequest.addParameter(split[0], split[1]);
                }
            }
            try {
                CasAuthenticationTest.this.getProxy().doFilter(createRequest, mockHttpServletResponse, mockFilterChain);
                Assert.assertEquals(200L, mockHttpServletResponse.getStatus());
                httpExchange.sendResponseHeaders(200, 0L);
                httpExchange.getResponseBody().close();
            } catch (ServletException e) {
                throw new RuntimeException((Throwable) e);
            }
        }
    }

    /* loaded from: input_file:org/geoserver/security/cas/CasAuthenticationTest$SingleSignOutHandler.class */
    public class SingleSignOutHandler implements HttpHandler {
        private String service;

        public String getService() {
            return this.service;
        }

        public SingleSignOutHandler(String str) {
            this.service = str;
        }

        public void handle(HttpExchange httpExchange) throws IOException {
            BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(httpExchange.getRequestBody()));
            StringBuffer stringBuffer = new StringBuffer();
            while (true) {
                String readLine = bufferedReader.readLine();
                if (readLine == null) {
                    bufferedReader.close();
                    MockHttpServletRequest createRequest = CasAuthenticationTest.this.createRequest(this.service);
                    createRequest.setMethod("POST");
                    MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
                    MockFilterChain mockFilterChain = new MockFilterChain();
                    String decode = URLDecoder.decode(stringBuffer.toString(), "utf-8");
                    createRequest.addParameter("logoutRequest", decode.substring(decode.indexOf("=") + 1));
                    try {
                        CasAuthenticationTest.this.getProxy().doFilter(createRequest, mockHttpServletResponse, mockFilterChain);
                        Assert.assertEquals(200L, mockHttpServletResponse.getStatus());
                        httpExchange.sendResponseHeaders(200, 0L);
                        httpExchange.getResponseBody().close();
                        return;
                    } catch (ServletException e) {
                        throw new RuntimeException((Throwable) e);
                    }
                }
                stringBuffer.append(readLine);
            }
        }
    }

    @Before
    public void checkOnline() {
        Assume.assumeTrue(getTestData().isTestDataAvailable());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* renamed from: createTestData, reason: merged with bridge method [inline-methods] */
    public SystemTestData m0createTestData() throws Exception {
        return new LiveCasData(AbstractSecurityServiceTest.unpackTestDataDir());
    }

    protected void onSetUp(SystemTestData systemTestData) throws Exception {
        super.onSetUp(systemTestData);
        LiveCasData testData = getTestData();
        casServerURLPrefix = testData.getServerURLPrefix();
        loginUrl = testData.getLoginURL();
        serviceUrl = testData.getServiceURL();
        proxyCallbackUrlPrefix = testData.getProxyCallbackURLPrefix();
        if (httpsServer == null) {
            httpsServer = createAndStartHttpsServer();
            testData.checkSSLServer();
        }
    }

    protected HttpsServer createAndStartHttpsServer() throws Exception {
        HttpsServer createSSLServer = getTestData().createSSLServer();
        createSSLServer.createContext(new URL(GeoServerCasConstants.createProxyCallBackURl(proxyCallbackUrlPrefix.toString())).getPath(), new HttpsProxyCallBackHandler());
        createSSLServer.createContext(createRequest("/j_spring_cas_security_check").getRequestURI(), new SingleSignOutHandler("/j_spring_cas_security_check"));
        createSSLServer.createContext(createRequest("/wms").getRequestURI(), new SingleSignOutHandler("/wms"));
        createSSLServer.start();
        return createSSLServer;
    }

    protected String getResponseHeaderValue(HttpURLConnection httpURLConnection, String str) {
        int i = 0;
        while (true) {
            String headerFieldKey = httpURLConnection.getHeaderFieldKey(i);
            String headerField = httpURLConnection.getHeaderField(i);
            if (headerFieldKey == null && headerField == null) {
                return null;
            }
            if (str.equalsIgnoreCase(headerFieldKey)) {
                return headerField;
            }
            i++;
        }
    }

    @Test
    public void testCASLogin() throws Exception {
        CasAuthenticationFilterConfig casAuthenticationFilterConfig = new CasAuthenticationFilterConfig();
        casAuthenticationFilterConfig.setClassName(GeoServerCasAuthenticationFilter.class.getName());
        casAuthenticationFilterConfig.setCasServerUrlPrefix(casServerURLPrefix.toString());
        casAuthenticationFilterConfig.setName("testCasFilter1");
        casAuthenticationFilterConfig.setRoleSource(PreAuthenticatedUserNameFilterConfig.PreAuthenticatedUserNameRoleSource.UserGroupService);
        casAuthenticationFilterConfig.setUserGroupServiceName("ug1");
        casAuthenticationFilterConfig.setSingleSignOut(true);
        getSecurityManager().saveFilter(casAuthenticationFilterConfig);
        prepareFilterChain(this.pattern, new String[]{"testCasFilter1"});
        modifyChain(this.pattern, false, true, null);
        SecurityContextHolder.getContext().setAuthentication((Authentication) null);
        MockHttpServletRequest createRequest = createRequest("/foo/bar");
        MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
        getProxy().doFilter(createRequest, mockHttpServletResponse, new MockFilterChain());
        Assert.assertTrue(mockHttpServletResponse.getStatus() == 302);
        String header = mockHttpServletResponse.getHeader("Location");
        Assert.assertTrue(header.contains("/login"));
        Assert.assertTrue(header.endsWith("bar"));
        CasFormAuthenticationHelper casFormAuthenticationHelper = new CasFormAuthenticationHelper(casServerURLPrefix, "castest", "castest");
        casFormAuthenticationHelper.ssoLogin();
        MockHttpServletRequest createRequest2 = createRequest("/foo/bar");
        MockHttpServletResponse mockHttpServletResponse2 = new MockHttpServletResponse();
        String loginUsingTicket = loginUsingTicket(casFormAuthenticationHelper, createRequest2, mockHttpServletResponse2, new MockFilterChain());
        Assert.assertFalse(mockHttpServletResponse2.getStatus() == 302);
        SecurityContext securityContext = (SecurityContext) createRequest2.getSession(false).getAttribute("SPRING_SECURITY_CONTEXT");
        Assert.assertNotNull(securityContext);
        Authentication authentication = securityContext.getAuthentication();
        Assert.assertNotNull(authentication);
        Assert.assertNull(SecurityContextHolder.getContext().getAuthentication());
        checkForAuthenticatedRole(authentication);
        Assert.assertEquals("castest", authentication.getPrincipal());
        Assert.assertTrue(authentication.getAuthorities().contains(new GeoServerRole("RootRole")));
        Assert.assertTrue(authentication.getAuthorities().contains(new GeoServerRole("DerivedRole")));
        Assert.assertNotNull(GeoServerCasAuthenticationFilter.getHandler().getSessionMappingStorage().removeSessionByMappingId(loginUsingTicket));
        casFormAuthenticationHelper.ssoLogout();
        CasFormAuthenticationHelper casFormAuthenticationHelper2 = new CasFormAuthenticationHelper(casServerURLPrefix, "unknown", "unknown");
        casFormAuthenticationHelper2.ssoLogin();
        MockHttpServletRequest createRequest3 = createRequest("/foo/bar");
        MockHttpServletResponse mockHttpServletResponse3 = new MockHttpServletResponse();
        String loginUsingTicket2 = loginUsingTicket(casFormAuthenticationHelper2, createRequest3, mockHttpServletResponse3, new MockFilterChain());
        Assert.assertFalse(mockHttpServletResponse3.getStatus() == 302);
        SecurityContext securityContext2 = (SecurityContext) createRequest3.getSession(true).getAttribute("SPRING_SECURITY_CONTEXT");
        Assert.assertNotNull(securityContext2);
        Authentication authentication2 = securityContext2.getAuthentication();
        Assert.assertNotNull(authentication2);
        Assert.assertNull(SecurityContextHolder.getContext().getAuthentication());
        checkForAuthenticatedRole(securityContext2.getAuthentication());
        Assert.assertEquals("unknown", authentication2.getPrincipal());
        Assert.assertEquals(1L, authentication2.getAuthorities().size());
        Assert.assertNotNull(GeoServerCasAuthenticationFilter.getHandler().getSessionMappingStorage().removeSessionByMappingId(loginUsingTicket2));
        casFormAuthenticationHelper2.ssoLogout();
        CasFormAuthenticationHelper casFormAuthenticationHelper3 = new CasFormAuthenticationHelper(casServerURLPrefix, "root", "root");
        casFormAuthenticationHelper3.ssoLogin();
        new MockHttpServletResponse();
        new MockFilterChain();
        MockHttpServletRequest createRequest4 = createRequest("/foo/bar");
        MockHttpServletResponse mockHttpServletResponse4 = new MockHttpServletResponse();
        String loginUsingTicket3 = loginUsingTicket(casFormAuthenticationHelper3, createRequest4, mockHttpServletResponse4, new MockFilterChain());
        SecurityContext securityContext3 = (SecurityContext) createRequest4.getSession(true).getAttribute("SPRING_SECURITY_CONTEXT");
        Assert.assertFalse(mockHttpServletResponse4.getStatus() == 302);
        Authentication authentication3 = securityContext3.getAuthentication();
        Assert.assertNotNull(authentication3);
        Assert.assertNull(SecurityContextHolder.getContext().getAuthentication());
        Assert.assertEquals("root", authentication3.getPrincipal());
        Assert.assertTrue(authentication3.getAuthorities().size() == 1);
        Assert.assertTrue(authentication3.getAuthorities().contains(GeoServerRole.ADMIN_ROLE));
        Assert.assertNotNull(GeoServerCasAuthenticationFilter.getHandler().getSessionMappingStorage().removeSessionByMappingId(loginUsingTicket3));
        casFormAuthenticationHelper3.ssoLogout();
        CasFormAuthenticationHelper casFormAuthenticationHelper4 = new CasFormAuthenticationHelper(casServerURLPrefix, "castest", "castest");
        casFormAuthenticationHelper4.ssoLogin();
        updateUser("ug1", "castest", false);
        MockHttpServletRequest createRequest5 = createRequest("/foo/bar");
        MockHttpServletResponse mockHttpServletResponse5 = new MockHttpServletResponse();
        String loginUsingTicket4 = loginUsingTicket(casFormAuthenticationHelper4, createRequest5, mockHttpServletResponse5, new MockFilterChain());
        Assert.assertTrue(mockHttpServletResponse5.getStatus() == 302);
        Assert.assertTrue(mockHttpServletResponse5.getHeader("Location").contains("login"));
        Assert.assertNull((SecurityContext) createRequest5.getSession(true).getAttribute("SPRING_SECURITY_CONTEXT"));
        Assert.assertNull(SecurityContextHolder.getContext().getAuthentication());
        Assert.assertNull(GeoServerCasAuthenticationFilter.getHandler().getSessionMappingStorage().removeSessionByMappingId(loginUsingTicket4));
        updateUser("ug1", "castest", true);
        casFormAuthenticationHelper4.ssoLogout();
        insertAnonymousFilter();
        getProxy().doFilter(createRequest("foo/bar"), new MockHttpServletResponse(), new MockFilterChain());
        Assert.assertEquals(200L, r0.getStatus());
        removeAnonymousFilter();
        CasFormAuthenticationHelper casFormAuthenticationHelper5 = new CasFormAuthenticationHelper(casServerURLPrefix, "castest", "castest");
        casFormAuthenticationHelper5.ssoLogin();
        MockHttpServletRequest createRequest6 = createRequest("/foo/bar");
        MockHttpServletResponse mockHttpServletResponse6 = new MockHttpServletResponse();
        MockFilterChain mockFilterChain = new MockFilterChain();
        String str = casFormAuthenticationHelper5.getServiceTicket(new URL(createRequest6.getRequestURL().toString())) + "ST-A";
        createRequest6.addParameter("ticket", str);
        createRequest6.setQueryString("ticket=" + str);
        getProxy().doFilter(createRequest6, mockHttpServletResponse6, mockFilterChain);
        Assert.assertTrue(mockHttpServletResponse6.getStatus() == 302);
        Assert.assertTrue(mockHttpServletResponse6.getHeader("Location").contains("/login"));
        Assert.assertNull((SecurityContext) createRequest6.getSession(true).getAttribute("SPRING_SECURITY_CONTEXT"));
        Assert.assertNull(SecurityContextHolder.getContext().getAuthentication());
        Assert.assertNull(GeoServerCasAuthenticationFilter.getHandler().getSessionMappingStorage().removeSessionByMappingId(str));
        casFormAuthenticationHelper5.ssoLogout();
        casAuthenticationFilterConfig.setProxyCallbackUrlPrefix(proxyCallbackUrlPrefix.toString());
        getSecurityManager().saveFilter(casAuthenticationFilterConfig);
        CasFormAuthenticationHelper casFormAuthenticationHelper6 = new CasFormAuthenticationHelper(casServerURLPrefix, "castest", "castest");
        casFormAuthenticationHelper6.ssoLogin();
        MockHttpServletRequest createRequest7 = createRequest("/foo/bar");
        MockHttpServletResponse mockHttpServletResponse7 = new MockHttpServletResponse();
        MockFilterChain mockFilterChain2 = new MockFilterChain();
        String serviceTicket = casFormAuthenticationHelper6.getServiceTicket(new URL(createRequest7.getRequestURL().toString()));
        createRequest7.addParameter("ticket", serviceTicket);
        createRequest7.setQueryString("ticket=" + serviceTicket);
        getProxy().doFilter(createRequest7, mockHttpServletResponse7, mockFilterChain2);
        Assert.assertEquals(200L, mockHttpServletResponse7.getStatus());
        SecurityContext securityContext4 = (SecurityContext) createRequest7.getSession(true).getAttribute("SPRING_SECURITY_CONTEXT");
        Assert.assertNotNull(securityContext4);
        PreAuthenticatedAuthenticationToken authentication4 = securityContext4.getAuthentication();
        Assert.assertNotNull(authentication4);
        Assert.assertNull(SecurityContextHolder.getContext().getAuthentication());
        checkForAuthenticatedRole(authentication4);
        Assert.assertEquals("castest", authentication4.getPrincipal());
        Assert.assertTrue(authentication4.getAuthorities().contains(new GeoServerRole("RootRole")));
        Assert.assertTrue(authentication4.getAuthorities().contains(new GeoServerRole("DerivedRole")));
        Assertion assertion = (Assertion) createRequest7.getSession(true).getAttribute("org.geoserver.security.cas.CasAssertion");
        Assert.assertNotNull(assertion);
        Assert.assertNotNull(assertion.getPrincipal().getProxyTicketFor("http://localhost/blabla"));
        Assert.assertNotNull(GeoServerCasAuthenticationFilter.getHandler().getSessionMappingStorage().removeSessionByMappingId(serviceTicket));
        casFormAuthenticationHelper6.ssoLogout();
    }

    @Test
    public void testLogout() throws Exception {
        LogoutFilterChain requestChainByName = getSecurityManager().getSecurityConfig().getFilterChain().getRequestChainByName("webLogout");
        CasAuthenticationFilterConfig casAuthenticationFilterConfig = new CasAuthenticationFilterConfig();
        casAuthenticationFilterConfig.setClassName(GeoServerCasAuthenticationFilter.class.getName());
        casAuthenticationFilterConfig.setCasServerUrlPrefix(casServerURLPrefix.toString());
        casAuthenticationFilterConfig.setName("testCasFilter2");
        casAuthenticationFilterConfig.setRoleSource(PreAuthenticatedUserNameFilterConfig.PreAuthenticatedUserNameRoleSource.UserGroupService);
        casAuthenticationFilterConfig.setUserGroupServiceName("ug1");
        casAuthenticationFilterConfig.setSingleSignOut(true);
        getSecurityManager().saveFilter(casAuthenticationFilterConfig);
        prepareFilterChain(this.pattern, new String[]{"testCasFilter2"});
        modifyChain(this.pattern, false, true, null);
        SecurityContextHolder.getContext().setAuthentication((Authentication) null);
        getCache().removeAll();
        CasFormAuthenticationHelper casFormAuthenticationHelper = new CasFormAuthenticationHelper(casServerURLPrefix, "castest", "castest");
        casFormAuthenticationHelper.ssoLogin();
        MockHttpServletRequest createRequest = createRequest(this.pattern);
        MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
        loginUsingTicket(casFormAuthenticationHelper, createRequest, mockHttpServletResponse, new MockFilterChain());
        Assert.assertFalse(mockHttpServletResponse.getStatus() == 302);
        SecurityContext securityContext = (SecurityContext) createRequest.getSession(false).getAttribute("SPRING_SECURITY_CONTEXT");
        Assert.assertNotNull(securityContext);
        Assert.assertNotNull(securityContext.getAuthentication());
        Assert.assertNull(SecurityContextHolder.getContext().getAuthentication());
        MockHttpSession session = createRequest.getSession(false);
        Assert.assertNotNull(session);
        Assert.assertFalse(session.isInvalid());
        MockHttpServletRequest createRequest2 = createRequest((String) requestChainByName.getPatterns().get(0));
        SecurityContextHolder.setContext(securityContext);
        MockHttpServletResponse mockHttpServletResponse2 = new MockHttpServletResponse();
        getSecurityManager().loadFilter("formLogout").doFilter(createRequest2, mockHttpServletResponse2, new MockFilterChain());
        Assert.assertTrue(mockHttpServletResponse2.getStatus() == 302);
        String header = mockHttpServletResponse2.getHeader("Location");
        Assert.assertNotNull(header);
        Assert.assertTrue(header.contains("/logout"));
        createRequest2.getSession(false);
        CasFormAuthenticationHelper casFormAuthenticationHelper2 = new CasFormAuthenticationHelper(casServerURLPrefix, "castest", "castest");
        casFormAuthenticationHelper2.ssoLogin();
        MockHttpServletRequest createRequest3 = createRequest(this.pattern);
        MockHttpServletResponse mockHttpServletResponse3 = new MockHttpServletResponse();
        String loginUsingTicket = loginUsingTicket(casFormAuthenticationHelper2, createRequest3, mockHttpServletResponse3, new MockFilterChain());
        Assert.assertFalse(mockHttpServletResponse3.getStatus() == 302);
        SecurityContext securityContext2 = (SecurityContext) createRequest3.getSession(false).getAttribute("SPRING_SECURITY_CONTEXT");
        Assert.assertNotNull(securityContext2);
        Assert.assertNotNull(securityContext2.getAuthentication());
        Assert.assertNull(SecurityContextHolder.getContext().getAuthentication());
        MockHttpSession session2 = createRequest3.getSession(false);
        Assert.assertNotNull(session2);
        Assert.assertFalse(session2.isInvalid());
        MockHttpServletRequest createRequest4 = createRequest(this.pattern);
        SecurityContextHolder.setContext(securityContext2);
        createRequest4.setMethod("POST");
        createRequest4.setSession(session2);
        MockHttpServletResponse mockHttpServletResponse4 = new MockHttpServletResponse();
        MockFilterChain mockFilterChain = new MockFilterChain();
        createRequest4.addParameter("logoutRequest", getBodyForLogoutRequest(loginUsingTicket));
        getSecurityManager().loadFilter("testCasFilter2").doFilter(createRequest4, mockHttpServletResponse4, mockFilterChain);
        Assert.assertTrue(mockHttpServletResponse4.getStatus() == 302);
        String header2 = mockHttpServletResponse4.getHeader("Location");
        Assert.assertNotNull(header2);
        Assert.assertFalse(header2.contains("/logout"));
    }

    protected Assertion authenticateWithPGT(CasFormAuthenticationHelper casFormAuthenticationHelper) throws Exception {
        casFormAuthenticationHelper.ssoLogin();
        String serviceTicket = casFormAuthenticationHelper.getServiceTicket(serviceUrl);
        Cas20ProxyTicketValidator cas20ProxyTicketValidator = new Cas20ProxyTicketValidator(casServerURLPrefix.toString());
        cas20ProxyTicketValidator.setAcceptAnyProxy(true);
        cas20ProxyTicketValidator.setProxyCallbackUrl(GeoServerCasConstants.createProxyCallBackURl(proxyCallbackUrlPrefix.toExternalForm()));
        cas20ProxyTicketValidator.setProxyGrantingTicketStorage((ProxyGrantingTicketStorage) GeoServerExtensions.bean(ProxyGrantingTicketStorage.class));
        Assertion validate = cas20ProxyTicketValidator.validate(serviceTicket, serviceUrl.toExternalForm());
        Assert.assertNotNull(validate);
        return validate;
    }

    @Test
    public void testAuthWithServiceTicket() throws Exception {
        this.pattern = "/wms/**";
        CasAuthenticationFilterConfig casAuthenticationFilterConfig = new CasAuthenticationFilterConfig();
        casAuthenticationFilterConfig.setClassName(GeoServerCasAuthenticationFilter.class.getName());
        casAuthenticationFilterConfig.setName("testCasProxyFilter1");
        casAuthenticationFilterConfig.setCasServerUrlPrefix(casServerURLPrefix.toString());
        casAuthenticationFilterConfig.setRoleSource(PreAuthenticatedUserNameFilterConfig.PreAuthenticatedUserNameRoleSource.UserGroupService);
        casAuthenticationFilterConfig.setUserGroupServiceName("ug1");
        casAuthenticationFilterConfig.setSingleSignOut(true);
        getSecurityManager().saveFilter(casAuthenticationFilterConfig);
        prepareFilterChain(ServiceLoginFilterChain.class, this.pattern, new String[]{"testCasProxyFilter1"});
        SecurityContextHolder.getContext().setAuthentication((Authentication) null);
        MockHttpServletRequest createRequest = createRequest("wms");
        MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
        MockFilterChain mockFilterChain = new MockFilterChain();
        createRequest.addParameter("ticket", "ST-blabla");
        createRequest.setQueryString("ticket=ST-blabla");
        createRequest.addHeader("casredirect", "false");
        getProxy().doFilter(createRequest, mockHttpServletResponse, mockFilterChain);
        Assert.assertEquals(401L, mockHttpServletResponse.getStatus());
        getCache().removeAll();
        CasFormAuthenticationHelper casFormAuthenticationHelper = new CasFormAuthenticationHelper(casServerURLPrefix, "castest", "castest");
        casFormAuthenticationHelper.ssoLogin();
        MockHttpServletRequest createRequest2 = createRequest("wms");
        createRequest2.setQueryString("request=getCapabilities");
        createRequest2.addHeader("casredirect", "false");
        String serviceTicket = casFormAuthenticationHelper.getServiceTicket(new URL(createRequest2.getRequestURL().toString() + "?" + createRequest2.getQueryString()));
        Assert.assertNotNull(serviceTicket);
        MockHttpServletResponse mockHttpServletResponse2 = new MockHttpServletResponse();
        MockFilterChain mockFilterChain2 = new MockFilterChain();
        createRequest2.addParameter("ticket", serviceTicket);
        getProxy().doFilter(createRequest2, mockHttpServletResponse2, mockFilterChain2);
        Assert.assertEquals(200L, mockHttpServletResponse2.getStatus());
        Authentication authentication = getCache().get("testCasProxyFilter1", "castest");
        Assert.assertNotNull(authentication);
        Assert.assertNull(SecurityContextHolder.getContext().getAuthentication());
        checkForAuthenticatedRole(authentication);
        Assert.assertEquals("castest", authentication.getPrincipal());
        Assert.assertTrue(authentication.getAuthorities().contains(new GeoServerRole("RootRole")));
        Assert.assertTrue(authentication.getAuthorities().contains(new GeoServerRole("DerivedRole")));
        Assert.assertNotNull(createRequest2.getAttribute("org.geoserver.security.cas.CasAssertion"));
        Assert.assertNull(GeoServerCasAuthenticationFilter.getHandler().getSessionMappingStorage().removeSessionByMappingId(serviceTicket));
        casFormAuthenticationHelper.ssoLogout();
        CasFormAuthenticationHelper casFormAuthenticationHelper2 = new CasFormAuthenticationHelper(casServerURLPrefix, "unknown", "unknown");
        casFormAuthenticationHelper2.ssoLogin();
        MockHttpServletRequest createRequest3 = createRequest("wms");
        String serviceTicket2 = casFormAuthenticationHelper2.getServiceTicket(new URL(createRequest3.getRequestURL().toString()));
        Assert.assertNotNull(serviceTicket2);
        MockHttpServletResponse mockHttpServletResponse3 = new MockHttpServletResponse();
        MockFilterChain mockFilterChain3 = new MockFilterChain();
        createRequest3.addParameter("ticket", serviceTicket2);
        createRequest3.setQueryString("ticket=" + serviceTicket2);
        createRequest3.addHeader("casredirect", "false");
        getProxy().doFilter(createRequest3, mockHttpServletResponse3, mockFilterChain3);
        Assert.assertEquals(200L, mockHttpServletResponse3.getStatus());
        Authentication authentication2 = getCache().get("testCasProxyFilter1", "unknown");
        Assert.assertNotNull(authentication2);
        Assert.assertNotNull(authentication2);
        Assert.assertNull(SecurityContextHolder.getContext().getAuthentication());
        checkForAuthenticatedRole(authentication2);
        Assert.assertEquals("unknown", authentication2.getPrincipal());
        Assert.assertEquals(1L, authentication2.getAuthorities().size());
        Assert.assertNotNull(createRequest3.getAttribute("org.geoserver.security.cas.CasAssertion"));
        getCache().removeAll();
        updateUser("ug1", "castest", false);
        CasFormAuthenticationHelper casFormAuthenticationHelper3 = new CasFormAuthenticationHelper(casServerURLPrefix, "castest", "castest");
        casFormAuthenticationHelper3.ssoLogin();
        MockHttpServletRequest createRequest4 = createRequest("wms");
        String serviceTicket3 = casFormAuthenticationHelper3.getServiceTicket(new URL(createRequest4.getRequestURL().toString()));
        Assert.assertNotNull(serviceTicket3);
        MockHttpServletResponse mockHttpServletResponse4 = new MockHttpServletResponse();
        MockFilterChain mockFilterChain4 = new MockFilterChain();
        createRequest4.addParameter("ticket", serviceTicket3);
        createRequest4.setQueryString("ticket=" + serviceTicket3);
        createRequest4.addHeader("casredirect", "false");
        getProxy().doFilter(createRequest4, mockHttpServletResponse4, mockFilterChain4);
        Assert.assertEquals(401L, mockHttpServletResponse4.getStatus());
        Assert.assertNull(getCache().get("testCasProxyFilter1", serviceTicket3));
        Assert.assertNull(createRequest4.getAttribute("org.geoserver.security.cas.CasAssertion"));
        Assert.assertNull(createRequest4.getSession(false));
        updateUser("ug1", "castest", true);
        casFormAuthenticationHelper3.ssoLogout();
        insertAnonymousFilter();
        MockHttpServletRequest createRequest5 = createRequest("wms");
        createRequest5.addHeader("casredirect", "false");
        getProxy().doFilter(createRequest5, new MockHttpServletResponse(), new MockFilterChain());
        Assert.assertEquals(200L, r0.getStatus());
        removeAnonymousFilter();
        casAuthenticationFilterConfig.setProxyCallbackUrlPrefix(proxyCallbackUrlPrefix.toString());
        getSecurityManager().saveFilter(casAuthenticationFilterConfig);
        getCache().removeAll();
        CasFormAuthenticationHelper casFormAuthenticationHelper4 = new CasFormAuthenticationHelper(casServerURLPrefix, "castest", "castest");
        authenticateWithPGT(casFormAuthenticationHelper4);
        MockHttpServletRequest createRequest6 = createRequest("wms");
        String serviceTicket4 = casFormAuthenticationHelper4.getServiceTicket(new URL(createRequest6.getRequestURL().toString()));
        createRequest6.addHeader("casredirect", "false");
        Assert.assertNotNull(serviceTicket4);
        MockHttpServletResponse mockHttpServletResponse5 = new MockHttpServletResponse();
        MockFilterChain mockFilterChain5 = new MockFilterChain();
        createRequest6.addParameter("ticket", serviceTicket4);
        getProxy().doFilter(createRequest6, mockHttpServletResponse5, mockFilterChain5);
        Assert.assertEquals(200L, mockHttpServletResponse5.getStatus());
        Authentication authentication3 = getCache().get("testCasProxyFilter1", "castest");
        Assert.assertNotNull(authentication3);
        Assert.assertNotNull(authentication3);
        Assert.assertNull(SecurityContextHolder.getContext().getAuthentication());
        checkForAuthenticatedRole(authentication3);
        Assert.assertEquals("castest", authentication3.getPrincipal());
        Assert.assertTrue(authentication3.getAuthorities().contains(new GeoServerRole("RootRole")));
        Assert.assertTrue(authentication3.getAuthorities().contains(new GeoServerRole("DerivedRole")));
        Assert.assertNotNull(((Assertion) createRequest6.getAttribute("org.geoserver.security.cas.CasAssertion")).getPrincipal().getProxyTicketFor("http://localhost/blabla"));
        casFormAuthenticationHelper4.ssoLogout();
    }

    @Test
    public void testAuthWithProxyTicket() throws Exception {
        this.pattern = "/wms/**";
        CasAuthenticationFilterConfig casAuthenticationFilterConfig = new CasAuthenticationFilterConfig();
        casAuthenticationFilterConfig.setClassName(GeoServerCasAuthenticationFilter.class.getName());
        casAuthenticationFilterConfig.setName("testCasProxyFilter2");
        casAuthenticationFilterConfig.setCasServerUrlPrefix(casServerURLPrefix.toString());
        casAuthenticationFilterConfig.setRoleSource(PreAuthenticatedUserNameFilterConfig.PreAuthenticatedUserNameRoleSource.UserGroupService);
        casAuthenticationFilterConfig.setUserGroupServiceName("ug1");
        getSecurityManager().saveFilter(casAuthenticationFilterConfig);
        prepareFilterChain(ServiceLoginFilterChain.class, this.pattern, new String[]{"testCasProxyFilter2"});
        SecurityContextHolder.getContext().setAuthentication((Authentication) null);
        MockHttpServletRequest createRequest = createRequest("wms");
        MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
        MockFilterChain mockFilterChain = new MockFilterChain();
        createRequest.addParameter("ticket", "ST-blabla");
        createRequest.setQueryString("ticket=ST-blabla");
        createRequest.addHeader("casredirect", "false");
        getProxy().doFilter(createRequest, mockHttpServletResponse, mockFilterChain);
        Assert.assertEquals(401L, mockHttpServletResponse.getStatus());
        MockHttpServletRequest createRequest2 = createRequest("wms");
        MockHttpServletResponse mockHttpServletResponse2 = new MockHttpServletResponse();
        MockFilterChain mockFilterChain2 = new MockFilterChain();
        createRequest2.addParameter("ticket", "ST-blabla");
        createRequest2.addParameter("casredirect", "false");
        createRequest2.setQueryString("ticket=ST-blabla&casredirect=false");
        getProxy().doFilter(createRequest2, mockHttpServletResponse2, mockFilterChain2);
        Assert.assertEquals(401L, mockHttpServletResponse2.getStatus());
        getCache().removeAll();
        CasFormAuthenticationHelper casFormAuthenticationHelper = new CasFormAuthenticationHelper(casServerURLPrefix, "castest", "castest");
        Assertion authenticateWithPGT = authenticateWithPGT(casFormAuthenticationHelper);
        String str = null;
        for (int i = 0; i < 2; i++) {
            MockHttpServletRequest createRequest3 = createRequest("wms");
            createRequest3.setQueryString("request=getCapabilities");
            str = authenticateWithPGT.getPrincipal().getProxyTicketFor(createRequest3.getRequestURL().toString() + "?" + createRequest3.getQueryString());
            Assert.assertNotNull(str);
            MockHttpServletResponse mockHttpServletResponse3 = new MockHttpServletResponse();
            MockFilterChain mockFilterChain3 = new MockFilterChain();
            createRequest3.addParameter("ticket", str);
            if (i == 0) {
                createRequest3.addParameter("casredirect", "false");
                createRequest3.setQueryString(createRequest3.getQueryString() + "&ticket=" + str + "&casredirect=false");
            } else {
                createRequest3.addHeader("casredirect", "false");
                createRequest3.setQueryString(createRequest3.getQueryString() + "&ticket=" + str);
            }
            getProxy().doFilter(createRequest3, mockHttpServletResponse3, mockFilterChain3);
            Assert.assertEquals(200L, mockHttpServletResponse3.getStatus());
            Authentication authentication = getCache().get("testCasProxyFilter2", "castest");
            Assert.assertNotNull(authentication);
            checkForAuthenticatedRole(authentication);
            Assert.assertEquals("castest", authentication.getPrincipal());
            Assert.assertTrue(authentication.getAuthorities().contains(new GeoServerRole("RootRole")));
            Assert.assertTrue(authentication.getAuthorities().contains(new GeoServerRole("DerivedRole")));
            Assert.assertNotNull(createRequest3.getAttribute("org.geoserver.security.cas.CasAssertion"));
            Assert.assertNull(createRequest3.getSession(false));
        }
        Assert.assertNull(GeoServerCasAuthenticationFilter.getHandler().getSessionMappingStorage().removeSessionByMappingId(str));
        casFormAuthenticationHelper.ssoLogout();
        CasFormAuthenticationHelper casFormAuthenticationHelper2 = new CasFormAuthenticationHelper(casServerURLPrefix, "unknown", "unknown");
        Assertion authenticateWithPGT2 = authenticateWithPGT(casFormAuthenticationHelper2);
        for (int i2 = 0; i2 < 2; i2++) {
            MockHttpServletRequest createRequest4 = createRequest("wms");
            createRequest4.setQueryString("request=getCapabilities");
            String proxyTicketFor = authenticateWithPGT2.getPrincipal().getProxyTicketFor(createRequest4.getRequestURL().toString() + "?" + createRequest4.getQueryString());
            Assert.assertNotNull(proxyTicketFor);
            MockHttpServletResponse mockHttpServletResponse4 = new MockHttpServletResponse();
            MockFilterChain mockFilterChain4 = new MockFilterChain();
            createRequest4.addParameter("ticket", proxyTicketFor);
            if (i2 == 0) {
                createRequest4.addParameter("casredirect", "false");
                createRequest4.setQueryString(createRequest4.getQueryString() + "&ticket=" + proxyTicketFor + "&casredirect=false");
            } else {
                createRequest4.addHeader("casredirect", "false");
                createRequest4.setQueryString(createRequest4.getQueryString() + "&ticket=" + proxyTicketFor);
            }
            getProxy().doFilter(createRequest4, mockHttpServletResponse4, mockFilterChain4);
            Assert.assertEquals(200L, mockHttpServletResponse4.getStatus());
            Authentication authentication2 = getCache().get("testCasProxyFilter2", "unknown");
            Assert.assertNotNull(authentication2);
            checkForAuthenticatedRole(authentication2);
            Assert.assertEquals("unknown", authentication2.getPrincipal());
            Assert.assertEquals(1L, authentication2.getAuthorities().size());
            Assert.assertNotNull(createRequest4.getAttribute("org.geoserver.security.cas.CasAssertion"));
            Assert.assertNull(createRequest4.getSession(false));
        }
        casFormAuthenticationHelper2.ssoLogout();
        getCache().removeAll();
        updateUser("ug1", "castest", false);
        CasFormAuthenticationHelper casFormAuthenticationHelper3 = new CasFormAuthenticationHelper(casServerURLPrefix, "castest", "castest");
        Assertion authenticateWithPGT3 = authenticateWithPGT(casFormAuthenticationHelper3);
        MockHttpServletRequest createRequest5 = createRequest("wms");
        String proxyTicketFor2 = authenticateWithPGT3.getPrincipal().getProxyTicketFor(createRequest5.getRequestURL().toString());
        Assert.assertNotNull(proxyTicketFor2);
        MockHttpServletResponse mockHttpServletResponse5 = new MockHttpServletResponse();
        MockFilterChain mockFilterChain5 = new MockFilterChain();
        createRequest5.addParameter("ticket", proxyTicketFor2);
        createRequest5.addParameter("casredirect", "false");
        createRequest5.setQueryString("ticket=" + proxyTicketFor2 + "&casredirect=false");
        getProxy().doFilter(createRequest5, mockHttpServletResponse5, mockFilterChain5);
        Assert.assertEquals(401L, mockHttpServletResponse5.getStatus());
        Assert.assertNull(getCache().get("testCasProxyFilter2", proxyTicketFor2));
        Assert.assertNull(createRequest5.getAttribute("org.geoserver.security.cas.CasAssertion"));
        Assert.assertNull(createRequest5.getSession(false));
        updateUser("ug1", "castest", true);
        casFormAuthenticationHelper3.ssoLogout();
        insertAnonymousFilter();
        getProxy().doFilter(createRequest("wms"), new MockHttpServletResponse(), new MockFilterChain());
        Assert.assertEquals(200L, r0.getStatus());
        removeAnonymousFilter();
        casAuthenticationFilterConfig.setProxyCallbackUrlPrefix(proxyCallbackUrlPrefix.toString());
        getSecurityManager().saveFilter(casAuthenticationFilterConfig);
        getCache().removeAll();
        CasFormAuthenticationHelper casFormAuthenticationHelper4 = new CasFormAuthenticationHelper(casServerURLPrefix, "castest", "castest");
        Assertion authenticateWithPGT4 = authenticateWithPGT(casFormAuthenticationHelper4);
        MockHttpServletRequest createRequest6 = createRequest("wms");
        String proxyTicketFor3 = authenticateWithPGT4.getPrincipal().getProxyTicketFor(createRequest6.getRequestURL().toString());
        Assert.assertNotNull(proxyTicketFor3);
        MockHttpServletResponse mockHttpServletResponse6 = new MockHttpServletResponse();
        MockFilterChain mockFilterChain6 = new MockFilterChain();
        createRequest6.addParameter("ticket", proxyTicketFor3);
        getProxy().doFilter(createRequest6, mockHttpServletResponse6, mockFilterChain6);
        Assert.assertEquals(200L, mockHttpServletResponse6.getStatus());
        Authentication authentication3 = getCache().get("testCasProxyFilter2", "castest");
        Assert.assertNotNull(authentication3);
        checkForAuthenticatedRole(authentication3);
        Assert.assertEquals("castest", authentication3.getPrincipal());
        Assert.assertTrue(authentication3.getAuthorities().contains(new GeoServerRole("RootRole")));
        Assert.assertTrue(authentication3.getAuthorities().contains(new GeoServerRole("DerivedRole")));
        Assert.assertNotNull(((Assertion) createRequest6.getAttribute("org.geoserver.security.cas.CasAssertion")).getPrincipal().getProxyTicketFor("http://localhost/blabla"));
        casFormAuthenticationHelper4.ssoLogout();
    }

    @Test
    public void testCasAuthenticationHelper() throws Exception {
        Assert.assertFalse(new CasFormAuthenticationHelper(casServerURLPrefix, "fail", "abc").ssoLogin());
        CasFormAuthenticationHelper casFormAuthenticationHelper = new CasFormAuthenticationHelper(casServerURLPrefix, "success", "success");
        Assert.assertTrue(casFormAuthenticationHelper.ssoLogin());
        Assert.assertNotNull(casFormAuthenticationHelper.getTicketGrantingCookie());
        LOGGER.info("TGC after login : " + casFormAuthenticationHelper.getTicketGrantingCookie());
        Assert.assertTrue(casFormAuthenticationHelper.ssoLogout());
        Assert.assertNotNull(casFormAuthenticationHelper.getTicketGrantingCookie());
        LOGGER.info("TGC after logout : " + casFormAuthenticationHelper.getTicketGrantingCookie());
        Assert.assertTrue(casFormAuthenticationHelper.ssoLogin());
        Assert.assertNotNull(casFormAuthenticationHelper.getTicketGrantingCookie());
        String serviceTicket = casFormAuthenticationHelper.getServiceTicket(serviceUrl);
        Assert.assertNotNull(serviceTicket);
        Assert.assertTrue(serviceTicket.startsWith("ST-"));
        LOGGER.info("ST : " + serviceTicket);
        casFormAuthenticationHelper.ssoLogout();
    }

    protected String getBodyForLogoutRequest(String str) {
        return "<LogoutRequest ID=\"[RANDOM ID]\" Version=\"2.0\" IssueInstant=\"[CURRENT DATE/TIME]\"><NameID>@NOT_USED@</NameID><SessionIndex>[SESSION IDENTIFIER]</SessionIndex></LogoutRequest>".replace("[SESSION IDENTIFIER]", str);
    }

    protected String loginUsingTicket(CasFormAuthenticationHelper casFormAuthenticationHelper, MockHttpServletRequest mockHttpServletRequest, MockHttpServletResponse mockHttpServletResponse, MockFilterChain mockFilterChain) throws Exception {
        String serviceTicket = casFormAuthenticationHelper.getServiceTicket(new URL(mockHttpServletRequest.getRequestURL().toString()));
        mockHttpServletRequest.setQueryString("ticket=" + serviceTicket);
        mockHttpServletRequest.addParameter("ticket", serviceTicket);
        getProxy().doFilter(mockHttpServletRequest, mockHttpServletResponse, mockFilterChain);
        return serviceTicket;
    }
}
