package org.geoserver.security.validation;

import java.io.IOException;
import org.geoserver.security.GeoServerAuthenticationProvider;
import org.geoserver.security.GeoServerRoleService;
import org.geoserver.security.GeoServerSecurityFilterChain;
import org.geoserver.security.GeoServerUserGroupService;
import org.geoserver.security.ServiceLoginFilterChain;
import org.geoserver.security.auth.UsernamePasswordAuthenticationProvider;
import org.geoserver.security.config.BaseSecurityNamedServiceConfig;
import org.geoserver.security.config.PasswordPolicyConfig;
import org.geoserver.security.config.SecurityAuthProviderConfig;
import org.geoserver.security.config.SecurityManagerConfig;
import org.geoserver.security.config.SecurityNamedServiceConfig;
import org.geoserver.security.config.SecurityRoleServiceConfig;
import org.geoserver.security.config.SecurityUserGroupServiceConfig;
import org.geoserver.security.config.UsernamePasswordAuthenticationProviderConfig;
import org.geoserver.security.config.impl.MemoryRoleServiceConfigImpl;
import org.geoserver.security.config.impl.MemoryUserGroupServiceConfigImpl;
import org.geoserver.security.filter.GeoServerSecurityFilter;
import org.geoserver.security.impl.GeoServerRole;
import org.geoserver.security.impl.MemoryRoleService;
import org.geoserver.security.impl.MemoryUserGroupService;
import org.geoserver.security.password.PasswordValidator;
import org.geoserver.security.xml.XMLRoleService;
import org.geoserver.security.xml.XMLUserGroupService;
import org.geoserver.test.GeoServerSystemTestSupport;
import org.junit.Assert;
import org.junit.Test;

/* loaded from: input_file:org/geoserver/security/validation/SecurityConfigValidatorTest.class */
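/**
 * System tests for the rejection paths of {@link SecurityConfigValidator}.
 *
 * <p>Each negative case has the same shape: change one property of a config object, call the
 * validator, call {@code Assert.fail} if nothing was thrown, and otherwise assert the id (and,
 * where checked, the arguments) of the {@link SecurityConfigException} that was raised. The ids
 * asserted here are the contract the tests pin down, so a validator change that silently stops
 * rejecting one of these configurations shows up as a test failure.
 *
 * <p>Config objects are deliberately reused and mutated between cases, so the order of the
 * statements inside each test method matters.
 */
public class SecurityConfigValidatorTest extends GeoServerSystemTestSupport {

    /**
     * Validates the security manager config: password encrypter, role service, authentication
     * providers and the request filter chain.
     *
     * @throws Exception if a validation expected to succeed fails, or test support code throws
     */
    @Test
    public void testMasterConfigValidation() throws Exception {
        SecurityManagerConfig config = new SecurityManagerConfig();
        config.setRoleServiceName(XMLRoleService.DEFAULT_NAME);
        config.setConfigPasswordEncrypterName(getPBEPasswordEncoder().getName());
        config.getAuthProviderNames().add(GeoServerAuthenticationProvider.DEFAULT_NAME);
        SecurityConfigValidator validator = new SecurityConfigValidator(getSecurityManager());

        // Baseline: the configuration built above must be accepted.
        validator.validateManagerConfig(config, new SecurityManagerConfig());

        // An encrypter name that does not resolve to an encoder is rejected.
        try {
            config.setConfigPasswordEncrypterName("abc");
            validator.validateManagerConfig(config, new SecurityManagerConfig());
            Assert.fail("invalid password encoder should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("INVALID_PASSWORD_ENCODER", e.getId());
        }

        // A missing encrypter name is rejected as well.
        try {
            config.setConfigPasswordEncrypterName((String) null);
            validator.validateManagerConfig(config, new SecurityManagerConfig());
            Assert.fail("no password encoder should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("PASSWORD_ENCODER_REQUIRED", e.getId());
        }

        // NOTE(review): this branch runs only when the security manager reports that strong
        // encryption is NOT available, so on a JVM where it is available the rejection of the
        // strong PBE encoder is not exercised by this test.
        if (!getSecurityManager().isStrongEncryptionAvailable()) {
            config.setConfigPasswordEncrypterName(getStrongPBEPasswordEncoder().getName());
            try {
                validator.validateManagerConfig(config, new SecurityManagerConfig());
                Assert.fail("invalid strong password encoder should fail");
            } catch (SecurityConfigException e) {
                Assert.assertEquals("INVALID_STRONG_CONFIG_PASSWORD_ENCODER", e.getId());
            }
        }

        // Restore a valid encrypter, then break the role service reference.
        config.setConfigPasswordEncrypterName(getPBEPasswordEncoder().getName());
        config.setRoleServiceName("XX");
        try {
            validator.validateManagerConfig(config, new SecurityManagerConfig());
            Assert.fail("unknown role service should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("ROLE_SERVICE_NOT_FOUND", e.getId());
        }

        config.setRoleServiceName((String) null);
        try {
            validator.validateManagerConfig(config, new SecurityManagerConfig());
            Assert.fail("null role service should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("ROLE_SERVICE_NOT_FOUND", e.getId());
        }

        // Restore the role service, then reference an authentication provider that does not exist.
        config.setRoleServiceName(XMLRoleService.DEFAULT_NAME);
        config.getAuthProviderNames().add("XX");
        try {
            validator.validateManagerConfig(config, new SecurityManagerConfig());
            Assert.fail("unknown auth provider should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("AUTH_PROVIDER_NOT_FOUND", e.getId());
        }
        config.getAuthProviderNames().remove("XX");

        // Filter chain checks: start from a service login chain with no name, no patterns and no
        // filters, and repair one property at a time.
        GeoServerSecurityFilterChain filterChain = new GeoServerSecurityFilterChain();
        config.setFilterChain(filterChain);
        ServiceLoginFilterChain chain = new ServiceLoginFilterChain(new String[0]);
        filterChain.getRequestChains().add(chain);
        try {
            validator.validateManagerConfig(config, new SecurityManagerConfig());
            Assert.fail("chain with no name should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("FILTER_CHAIN_NAME_MANDATORY", e.getId());
            Assert.assertEquals(0, e.getArgs().length);
        }

        chain.setName("testChain");
        try {
            validator.validateManagerConfig(config, new SecurityManagerConfig());
            Assert.fail("chain with no patterns should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("PATTERN_LIST_EMPTY", e.getId());
            Assert.assertEquals(1, e.getArgs().length);
            Assert.assertEquals("testChain", e.getArgs()[0]);
        }

        // A disabled chain validates even though it has no filters; once enabled, the same chain
        // must be rejected.
        chain.getPatterns().add("/**");
        chain.setDisabled(true);
        validator.validateManagerConfig(config, new SecurityManagerConfig());
        chain.setDisabled(false);
        try {
            validator.validateManagerConfig(config, new SecurityManagerConfig());
            Assert.fail("enabled authentication chain with no filter should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("FILTER_CHAIN_EMPTY", e.getId());
            Assert.assertEquals(1, e.getArgs().length);
            Assert.assertEquals("testChain", e.getArgs()[0]);
        }

        chain.getFilterNames().add("unknown");
        chain.setRoleFilterName("XX");
        try {
            validator.validateManagerConfig(config, new SecurityManagerConfig());
            Assert.fail("unknown role filter should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("UNKNOWN_ROLE_FILTER", e.getId());
            Assert.assertEquals(2, e.getArgs().length);
            Assert.assertEquals("testChain", e.getArgs()[0]);
            Assert.assertEquals("XX", e.getArgs()[1]);
        }

        // The anonymous filter is only accepted as the last filter of a chain.
        chain.setRoleFilterName("roleFilter");
        chain.getFilterNames().add(0, "anonymous");
        try {
            validator.validateManagerConfig(config, new SecurityManagerConfig());
            Assert.fail("anonymous not last should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("ANONYMOUS_NOT_LAST", e.getId());
            Assert.assertEquals(1, e.getArgs().length);
            Assert.assertEquals("testChain", e.getArgs()[0]);
        }

        // With anonymous moved to the end, the unresolved filter name "unknown" is reported.
        chain.getFilterNames().remove("anonymous");
        chain.getFilterNames().add("anonymous");
        try {
            validator.validateManagerConfig(config, new SecurityManagerConfig());
            Assert.fail("unknown  filter should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("UNKNOWN_FILTER", e.getId());
            Assert.assertEquals(2, e.getArgs().length);
            Assert.assertEquals("testChain", e.getArgs()[0]);
            Assert.assertEquals("unknown", e.getArgs()[1]);
        }

        // A role filter placed in the filter list is not an authentication filter.
        chain.getFilterNames().remove("unknown");
        chain.getFilterNames().add(0, "roleFilter");
        try {
            validator.validateManagerConfig(config, new SecurityManagerConfig());
            Assert.fail("no authentication filter should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("NOT_AN_AUTHENTICATION_FILTER", e.getId());
            Assert.assertEquals(2, e.getArgs().length);
            Assert.assertEquals("testChain", e.getArgs()[0]);
            Assert.assertEquals("roleFilter", e.getArgs()[1]);
        }

        // The form login filter is rejected on a service login chain.
        chain.getFilterNames().remove("roleFilter");
        chain.getFilterNames().add(0, "form");
        try {
            validator.validateManagerConfig(config, new SecurityManagerConfig());
            Assert.fail("form login filter should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("NOT_A_SERVICE_AUTHENTICATION_FILTER", e.getId());
            Assert.assertEquals(2, e.getArgs().length);
            Assert.assertEquals("testChain", e.getArgs()[0]);
            Assert.assertEquals("form", e.getArgs()[1]);
        }

        // Final state (basic + anonymous, role filter set) must be accepted.
        chain.getFilterNames().remove("form");
        chain.getFilterNames().add(0, "basic");
        validator.validateManagerConfig(config, new SecurityManagerConfig());
    }

    /**
     * Checks the class-name and service-name validation shared by all extension points, then the
     * "already exists" / "not found" checks for each kind of named service.
     */
    @Test
    public void testNamedServices() {
        SecurityConfigValidator validator = new SecurityConfigValidator(getSecurityManager());
        Class<?>[] extensionPoints = {
            GeoServerUserGroupService.class,
            GeoServerRoleService.class,
            PasswordValidator.class,
            GeoServerAuthenticationProvider.class,
            GeoServerSecurityFilter.class
        };
        for (Class<?> extensionPoint : extensionPoints) {
            // A class name that cannot be loaded is rejected.
            try {
                validator.checkExtensionPont(extensionPoint, "a.b.c");
                Assert.fail("unknown class should fail");
            } catch (SecurityConfigException e) {
                Assert.assertEquals("CLASS_NOT_FOUND", e.getId());
                Assert.assertEquals("a.b.c", e.getArgs()[0]);
            }
            // A loadable class of the wrong type is rejected, so an arbitrary class name cannot
            // be configured as a security service implementation.
            try {
                validator.checkExtensionPont(extensionPoint, "java.lang.String");
                Assert.fail("wrong class should fail");
            } catch (SecurityConfigException e) {
                Assert.assertEquals("CLASS_WRONG_TYPE", e.getId());
                Assert.assertEquals(extensionPoint, e.getArgs()[0]);
                Assert.assertEquals("java.lang.String", e.getArgs()[1]);
            }
            // The ternary feeds null for one extension point and "" for the others, so both
            // forms of "missing" are covered across the loop.
            try {
                validator.checkExtensionPont(
                        extensionPoint,
                        extensionPoint == GeoServerUserGroupService.class ? null : "");
                Assert.fail("no class should fail");
            } catch (SecurityConfigException e) {
                Assert.assertEquals("CLASSNAME_REQUIRED", e.getId());
                Assert.assertEquals(0, e.getArgs().length);
            }
            try {
                validator.checkServiceName(
                        extensionPoint,
                        extensionPoint == GeoServerUserGroupService.class ? null : "");
                Assert.fail("no name should fail");
            } catch (SecurityConfigException e) {
                Assert.assertEquals("NAME_REQUIRED", e.getId());
                Assert.assertEquals(0, e.getArgs().length);
            }
        }

        // Password policies: adding an existing name and modifying an unknown name both fail.
        try {
            validator.validateAddPasswordPolicy(
                    createPolicyConfig("default", PasswordValidatorImpl.class, 1, 10));
            Assert.fail("passwd policy already exists should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("PASSWD_POLICY_ALREADY_EXISTS", e.getId());
            Assert.assertEquals("default", e.getArgs()[0]);
        }
        PasswordPolicyConfig policy =
                createPolicyConfig("default2", PasswordValidatorImpl.class, 1, 10);
        try {
            validator.validateModifiedPasswordPolicy(policy, policy);
            Assert.fail("unknown passwd policy should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("PASSWD_POLICY_NOT_FOUND", e.getId());
            Assert.assertEquals("default2", e.getArgs()[0]);
        }

        // User/group services. The plain-text encoder name is only a fixture value here.
        try {
            validator.validateAddUserGroupService(
                    createUGConfig(
                            XMLUserGroupService.DEFAULT_NAME,
                            GeoServerUserGroupService.class,
                            getPlainTextPasswordEncoder().getName(),
                            "default"));
            Assert.fail("user group service already exists should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("USERGROUP_SERVICE_ALREADY_EXISTS", e.getId());
            Assert.assertEquals(XMLUserGroupService.DEFAULT_NAME, e.getArgs()[0]);
        }
        SecurityUserGroupServiceConfig ugConfig =
                createUGConfig(
                        "default2",
                        GeoServerUserGroupService.class,
                        getPlainTextPasswordEncoder().getName(),
                        "default");
        try {
            validator.validateModifiedUserGroupService(ugConfig, ugConfig);
            Assert.fail("unknown user group service should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("USERGROUP_SERVICE_NOT_FOUND", e.getId());
            Assert.assertEquals("default2", e.getArgs()[0]);
        }

        // Role services.
        try {
            validator.validateAddRoleService(
                    createRoleConfig(
                            XMLRoleService.DEFAULT_NAME,
                            GeoServerRoleService.class,
                            GeoServerRole.ADMIN_ROLE.getAuthority()));
            Assert.fail("role service already exists should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("ROLE_SERVICE_ALREADY_EXISTS", e.getId());
            Assert.assertEquals(XMLRoleService.DEFAULT_NAME, e.getArgs()[0]);
        }
        SecurityRoleServiceConfig roleConfig =
                createRoleConfig(
                        "default2",
                        GeoServerRoleService.class,
                        GeoServerRole.ADMIN_ROLE.getAuthority());
        try {
            validator.validateModifiedRoleService(roleConfig, roleConfig);
            Assert.fail("unknown role service should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("ROLE_SERVICE_NOT_FOUND", e.getId());
            Assert.assertEquals("default2", e.getArgs()[0]);
        }

        // Authentication providers.
        try {
            validator.validateAddAuthProvider(
                    createAuthConfig(
                            GeoServerAuthenticationProvider.DEFAULT_NAME,
                            UsernamePasswordAuthenticationProvider.class,
                            XMLUserGroupService.DEFAULT_NAME));
            Assert.fail("auth provider already exists should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("AUTH_PROVIDER_ALREADY_EXISTS", e.getId());
            Assert.assertEquals(GeoServerAuthenticationProvider.DEFAULT_NAME, e.getArgs()[0]);
        }
        SecurityAuthProviderConfig authConfig =
                createAuthConfig(
                        "default2",
                        UsernamePasswordAuthenticationProvider.class,
                        XMLUserGroupService.DEFAULT_NAME);
        try {
            validator.validateModifiedAuthProvider(authConfig, authConfig);
            Assert.fail("unknown auth provider should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("AUTH_PROVIDER_NOT_FOUND", e.getId());
            Assert.assertEquals("default2", e.getArgs()[0]);
        }
    }

    /**
     * Builds a username/password authentication provider config.
     *
     * @param str name of the provider
     * @param cls implementation class; its fully qualified name is stored in the config
     * @param str2 name of the user/group service the provider refers to
     * @return the populated config
     */
    public SecurityAuthProviderConfig createAuthConfig(String str, Class<?> cls, String str2) {
        UsernamePasswordAuthenticationProviderConfig authConfig =
                new UsernamePasswordAuthenticationProviderConfig();
        authConfig.setName(str);
        authConfig.setClassName(cls.getName());
        authConfig.setUserGroupServiceName(str2);
        return authConfig;
    }

    /**
     * Builds an in-memory user/group service config.
     *
     * @param str name of the service
     * @param cls implementation class; its fully qualified name is stored in the config
     * @param str2 name of the password encoder
     * @param str3 name of the password policy
     * @return the populated config
     */
    protected SecurityUserGroupServiceConfig createUGConfig(
            String str, Class<?> cls, String str2, String str3) {
        MemoryUserGroupServiceConfigImpl ugConfig = new MemoryUserGroupServiceConfigImpl();
        ugConfig.setName(str);
        ugConfig.setClassName(cls.getName());
        ugConfig.setPasswordEncoderName(str2);
        ugConfig.setPasswordPolicyName(str3);
        return ugConfig;
    }

    /**
     * Builds an in-memory role service config.
     *
     * @param str name of the service
     * @param cls implementation class; its fully qualified name is stored in the config
     * @param str2 name of the administrator role
     * @return the populated config
     */
    protected SecurityRoleServiceConfig createRoleConfig(String str, Class<?> cls, String str2) {
        MemoryRoleServiceConfigImpl roleConfig = new MemoryRoleServiceConfigImpl();
        roleConfig.setName(str);
        roleConfig.setClassName(cls.getName());
        roleConfig.setAdminRoleName(str2);
        return roleConfig;
    }

    /**
     * Builds a password policy config.
     *
     * @param str name of the policy
     * @param cls validator class; its fully qualified name is stored in the config
     * @param i minimum password length
     * @param i2 maximum password length
     * @return the populated config
     */
    protected PasswordPolicyConfig createPolicyConfig(String str, Class<?> cls, int i, int i2) {
        PasswordPolicyConfig policy = new PasswordPolicyConfig();
        policy.setName(str);
        policy.setClassName(cls.getName());
        policy.setMinLength(i);
        policy.setMaxLength(i2);
        return policy;
    }

    /**
     * Builds a generic named service config, usable for filters.
     *
     * @param str name of the service
     * @param cls implementation class; its fully qualified name is stored in the config
     * @return the populated config
     */
    protected SecurityNamedServiceConfig createFilterConfig(String str, Class<?> cls) {
        BaseSecurityNamedServiceConfig filterConfig = new BaseSecurityNamedServiceConfig();
        filterConfig.setName(str);
        filterConfig.setClassName(cls.getName());
        return filterConfig;
    }

    /**
     * Checks length bounds of a password policy and the rules for removing one.
     *
     * @throws IOException declared for the test support calls
     */
    @Test
    public void testPasswordPolicy() throws IOException {
        SecurityConfigValidator validator = new SecurityConfigValidator(getSecurityManager());
        PasswordPolicyConfig policy =
                createPolicyConfig("default", PasswordValidatorImpl.class, -1, 10);

        // A negative minimum length is rejected.
        try {
            policy.setName("default2");
            validator.validateAddPasswordPolicy(policy);
            Assert.fail("invalid min length should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("INVALID_MIN_LENGTH", e.getId());
            Assert.assertEquals(0, e.getArgs().length);
        }
        // NOTE(review): repeats the previous call with unchanged state; kept as found.
        try {
            validator.validateAddPasswordPolicy(policy);
            Assert.fail("invalid min length should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("INVALID_MIN_LENGTH", e.getId());
            Assert.assertEquals(0, e.getArgs().length);
        }

        // A maximum length below the minimum (max 0, min 1) is rejected. Nothing is saved: the
        // test only exercises the validator.
        policy.setMinLength(1);
        policy.setMaxLength(0);
        try {
            validator.validateAddPasswordPolicy(policy);
            Assert.fail("invalid max length should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("INVALID_MAX_LENGTH", e.getId());
            Assert.assertEquals(0, e.getArgs().length);
        }
        // NOTE(review): repeats the previous call with unchanged state; kept as found.
        try {
            validator.validateAddPasswordPolicy(policy);
            Assert.fail("invalid max length should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("INVALID_MAX_LENGTH", e.getId());
            Assert.assertEquals(0, e.getArgs().length);
        }

        // Removal rules. presumably -1 means "no maximum"; verify against PasswordPolicyConfig.
        policy.setMaxLength(-1);
        try {
            policy.setName("");
            validator.validateRemovePasswordPolicy(policy);
            Assert.fail("no name should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("NAME_REQUIRED", e.getId());
            Assert.assertEquals(0, e.getArgs().length);
        }
        // A policy still referenced by a user/group service cannot be removed.
        try {
            policy.setName("default");
            validator.validateRemovePasswordPolicy(policy);
            Assert.fail("remove active should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("PASSWD_POLICY_ACTIVE", e.getId());
            Assert.assertEquals("default", e.getArgs()[0]);
            Assert.assertEquals(XMLUserGroupService.DEFAULT_NAME, e.getArgs()[1]);
        }
        // The policy named "master" cannot be removed at all.
        try {
            policy.setName("master");
            validator.validateRemovePasswordPolicy(policy);
            Assert.fail("remove master should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("PASSWD_POLICY_MASTER_DELETE", e.getId());
            Assert.assertEquals(0, e.getArgs().length);
        }
    }

    /**
     * Checks role service validation: required name, reserved system role names, and removal of
     * the active role service.
     *
     * @throws IOException declared for the test support calls
     */
    @Test
    public void testRoleConfig() throws IOException {
        SecurityRoleServiceConfig roleConfig =
                createRoleConfig(
                        XMLRoleService.DEFAULT_NAME,
                        MemoryRoleService.class,
                        GeoServerRole.ADMIN_ROLE.getAuthority());
        SecurityConfigValidator validator = new SecurityConfigValidator(getSecurityManager());
        try {
            roleConfig.setName((String) null);
            validator.validateRemoveRoleService(roleConfig);
            Assert.fail("no name should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("NAME_REQUIRED", e.getId());
            Assert.assertEquals(0, e.getArgs().length);
        }

        // A system role name must not be usable as the administrator role of a role service.
        roleConfig.setName("abcd");
        for (GeoServerRole systemRole : GeoServerRole.SystemRoles) {
            roleConfig.setAdminRoleName(systemRole.getAuthority());
            try {
                validator.validateAddRoleService(roleConfig);
                Assert.fail("reserved role name should fail");
            } catch (SecurityConfigException e) {
                Assert.assertEquals("RESERVED_ROLE_NAME", e.getId());
                Assert.assertEquals(systemRole.getAuthority(), e.getArgs()[0]);
            }
        }
        // NOTE(review): the admin role name still holds the last system role from the loop
        // above, so this loop does not isolate the group admin role check; a rejection caused
        // by the admin role name alone could also satisfy these assertions. Confirm against the
        // validator before relying on this as coverage for groupAdminRoleName.
        for (GeoServerRole systemRole : GeoServerRole.SystemRoles) {
            roleConfig.setGroupAdminRoleName(systemRole.getAuthority());
            try {
                validator.validateAddRoleService(roleConfig);
                Assert.fail("resoerved role name should fail");
            } catch (SecurityConfigException e) {
                Assert.assertEquals("RESERVED_ROLE_NAME", e.getId());
                Assert.assertEquals(systemRole.getAuthority(), e.getArgs()[0]);
            }
        }

        // The role service currently in use cannot be removed.
        try {
            roleConfig.setName(XMLRoleService.DEFAULT_NAME);
            validator.validateRemoveRoleService(roleConfig);
            Assert.fail("role service active should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("ROLE_SERVICE_ACTIVE", e.getId());
            Assert.assertEquals(XMLRoleService.DEFAULT_NAME, e.getArgs()[0]);
        }
    }

    /**
     * Checks authentication provider validation: dangling user/group service reference, required
     * name, and removal of the active provider.
     *
     * @throws IOException declared for the test support calls
     */
    @Test
    public void testAuthenticationProvider() throws IOException {
        // The provider refers to a user/group service named "default2", which the assertions
        // below expect to be unknown.
        SecurityAuthProviderConfig authConfig =
                createAuthConfig(
                        GeoServerAuthenticationProvider.DEFAULT_NAME,
                        UsernamePasswordAuthenticationProvider.class,
                        "default2");
        SecurityConfigValidator validator = new SecurityConfigValidator(getSecurityManager());
        try {
            authConfig.setName("default2");
            validator.validateAddAuthProvider(authConfig);
            Assert.fail("user group service not found should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("USERGROUP_SERVICE_NOT_FOUND", e.getId());
            Assert.assertEquals("default2", e.getArgs()[0]);
        }
        try {
            authConfig.setName("other");
            validator.validateAddAuthProvider(authConfig);
            Assert.fail("user group service not found should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("USERGROUP_SERVICE_NOT_FOUND", e.getId());
            Assert.assertEquals("default2", e.getArgs()[0]);
        }
        try {
            authConfig.setName("");
            validator.validateRemoveAuthProvider(authConfig);
            Assert.fail("no name should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("NAME_REQUIRED", e.getId());
            Assert.assertEquals(0, e.getArgs().length);
        }
        // The provider referenced by the active configuration cannot be removed.
        try {
            authConfig.setName(GeoServerAuthenticationProvider.DEFAULT_NAME);
            validator.validateRemoveAuthProvider(authConfig);
            Assert.fail("active auth provieder should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("AUTH_PROVIDER_ACTIVE", e.getId());
            Assert.assertEquals(GeoServerAuthenticationProvider.DEFAULT_NAME, e.getArgs()[0]);
        }
    }

    /**
     * Checks user/group service validation: password encoder, password policy, required name,
     * and removal of a service that is still in use.
     *
     * @throws IOException declared for the test support calls
     */
    @Test
    public void testUserGroupConfig() throws IOException {
        // The plain-text encoder name is a fixture that passes the encoder check in the later
        // cases of this test; it is a test convenience, not a recommended setting.
        SecurityUserGroupServiceConfig ugConfig =
                createUGConfig(
                        XMLUserGroupService.DEFAULT_NAME,
                        MemoryUserGroupService.class,
                        getPlainTextPasswordEncoder().getName(),
                        "default");
        SecurityConfigValidator validator = new SecurityConfigValidator(getSecurityManager());

        // An encoder name that does not resolve is rejected and echoed back in the arguments.
        try {
            ugConfig.setName("default2");
            ugConfig.setPasswordEncoderName("xxx");
            validator.validateAddUserGroupService(ugConfig);
            Assert.fail("invalid config password encoder should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("INVALID_CONFIG_PASSWORD_ENCODER", e.getId());
            Assert.assertEquals("xxx", e.getArgs()[0]);
        }

        // NOTE(review): as in testMasterConfigValidation, this runs only when strong encryption
        // is NOT available, so the rejection is untested on JVMs where it is.
        if (!getSecurityManager().isStrongEncryptionAvailable()) {
            ugConfig.setPasswordEncoderName(getStrongPBEPasswordEncoder().getName());
            try {
                validator.validateAddUserGroupService(ugConfig);
                Assert.fail("invalid strong password encoder should fail");
            } catch (SecurityConfigException e) {
                Assert.assertEquals("INVALID_CONFIG_PASSWORD_ENCODER", e.getId());
            }
        }
        try {
            ugConfig.setName("other");
            ugConfig.setPasswordEncoderName("xxx");
            validator.validateAddUserGroupService(ugConfig);
            Assert.fail("invalid config password encoder should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("INVALID_CONFIG_PASSWORD_ENCODER", e.getId());
            Assert.assertEquals("xxx", e.getArgs()[0]);
        }

        // Empty and null encoder names are both treated as missing.
        try {
            ugConfig.setName("default2");
            ugConfig.setPasswordEncoderName("");
            validator.validateAddUserGroupService(ugConfig);
            Assert.fail("no password encoder should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("PASSWD_ENCODER_REQUIRED", e.getId());
            Assert.assertEquals("default2", e.getArgs()[0]);
        }
        try {
            ugConfig.setName("default3");
            ugConfig.setPasswordEncoderName((String) null);
            validator.validateAddUserGroupService(ugConfig);
            Assert.fail("no password encoder should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("PASSWD_ENCODER_REQUIRED", e.getId());
            Assert.assertEquals("default3", e.getArgs()[0]);
        }

        // Restore a resolvable encoder, then break the password policy reference.
        ugConfig.setPasswordEncoderName(getPlainTextPasswordEncoder().getName());
        try {
            ugConfig.setName("default2");
            ugConfig.setPasswordPolicyName("default2");
            validator.validateAddUserGroupService(ugConfig);
            Assert.fail("unknown password policy should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("PASSWD_POLICY_NOT_FOUND", e.getId());
            Assert.assertEquals("default2", e.getArgs()[0]);
        }
        try {
            ugConfig.setName("default3");
            ugConfig.setPasswordPolicyName("default2");
            validator.validateAddUserGroupService(ugConfig);
            Assert.fail("unkonwn password policy encoder should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("PASSWD_POLICY_NOT_FOUND", e.getId());
            Assert.assertEquals("default2", e.getArgs()[0]);
        }

        // Empty and null policy names are both treated as missing.
        try {
            ugConfig.setName("default2");
            ugConfig.setPasswordPolicyName("");
            validator.validateAddUserGroupService(ugConfig);
            Assert.fail("no password policy should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("PASSWD_POLICY_REQUIRED", e.getId());
            Assert.assertEquals("default2", e.getArgs()[0]);
        }
        try {
            ugConfig.setName("default3");
            ugConfig.setPasswordPolicyName((String) null);
            validator.validateAddUserGroupService(ugConfig);
            Assert.fail("invalidate password policy should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("PASSWD_POLICY_REQUIRED", e.getId());
            Assert.assertEquals("default3", e.getArgs()[0]);
        }

        // Removal rules. Nothing is removed: the test only exercises the validator.
        try {
            ugConfig.setName((String) null);
            validator.validateRemoveUserGroupService(ugConfig);
            Assert.fail("no name should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("NAME_REQUIRED", e.getId());
            Assert.assertEquals(0, e.getArgs().length);
        }
        // A user/group service still referenced by an authentication provider cannot be removed.
        try {
            ugConfig.setName(XMLUserGroupService.DEFAULT_NAME);
            validator.validateRemoveUserGroupService(ugConfig);
            Assert.fail("active user group service should fail");
        } catch (SecurityConfigException e) {
            Assert.assertEquals("USERGROUP_SERVICE_ACTIVE", e.getId());
            Assert.assertEquals(XMLUserGroupService.DEFAULT_NAME, e.getArgs()[0]);
            Assert.assertEquals(GeoServerAuthenticationProvider.DEFAULT_NAME, e.getArgs()[1]);
        }
    }
}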
