package org.alfresco.repo.security.authentication.identityservice;

import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import java.util.Map;
import java.util.Vector;
import javax.servlet.http.HttpServletRequest;
import org.alfresco.repo.management.subsystems.AbstractChainedSubsystemTest;
import org.alfresco.repo.management.subsystems.ChildApplicationContextFactory;
import org.alfresco.repo.management.subsystems.DefaultChildApplicationContextManager;
import org.alfresco.repo.security.authentication.external.RemoteUserMapper;
import org.alfresco.util.ApplicationContextHelper;
import org.alfresco.util.test.junitrules.AlfrescoTenant;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.StatusLine;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpUriRequest;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.rotation.HardcodedPublicKeyLocator;
import org.keycloak.common.util.Base64;
import org.keycloak.common.util.Time;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.representations.AccessToken;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;
import org.springframework.context.ApplicationContext;

/* loaded from: input_file:org/alfresco/repo/security/authentication/identityservice/IdentityServiceRemoteUserMapperTest.class */
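/**
 * Exercises the identity-service (Keycloak) {@code RemoteUserMapper} subsystem: the subsystem
 * properties are read back through {@link IdentityServiceConfig}, and bearer tokens that are signed
 * with the trusted key, signed with an unknown key, expired, malformed or absent are pushed through
 * the mapper via a mocked {@link HttpServletRequest}.
 *
 * <p>Every test runs against a freshly generated RSA key pair whose public half is installed on the
 * Keycloak deployment as a {@link HardcodedPublicKeyLocator}, so no JWKS endpoint is contacted and
 * the signature check is fully under the test's control.
 */
public class IdentityServiceRemoteUserMapperTest extends AbstractChainedSubsystemTest {
    private static final String REMOTE_USER_MAPPER_BEAN_NAME = "remoteUserMapper";
    private static final String DEPLOYMENT_BEAN_NAME = "identityServiceDeployment";
    private static final String CONFIG_BEAN_NAME = "identityServiceConfig";
    private static final String TEST_USER_USERNAME = "testuser";
    private static final String TEST_USER_EMAIL = "testuser@mail.com";
    private static final String AUTHORIZATION_HEADER = "Authorization";
    private static final String BEARER_PREFIX = "Bearer ";
    private static final String BASIC_PREFIX = "Basic ";
    /** Subsystem property that controls whether token validation failures are swallowed (true) or reported. */
    private static final String CONFIG_SILENT_ERRORS = "identity-service.authentication.validation.failure.silent";
    /** Shape of a Keycloak password-grant response; both %s are filled with the same test token. */
    private static final String PASSWORD_GRANT_RESPONSE = "{\"access_token\": \"%s\",\"expires_in\": 300,\"refresh_expires_in\": 1800,\"refresh_token\": \"%s\",\"token_type\": \"bearer\",\"not-before-policy\": 0,\"session_state\": \"71c2c5ba-9c98-49fc-882f-dedcf80ee1b5\"}";
    /** Explicit RSA key size so the fixture does not depend on the JDK's default; RFC 7518 requires at least 2048 bits for RS256. */
    private static final int RSA_KEY_SIZE = 2048;
    /** Lifetime, in seconds, given to a token that is meant to be accepted. */
    private static final int VALID_TOKEN_LIFETIME_SECONDS = 300;
    /** How far in the past, in seconds, an expired test token's {@code exp} claim is placed. */
    private static final int EXPIRED_TOKEN_AGE_SECONDS = 60;

    ApplicationContext ctx = ApplicationContextHelper.getApplicationContext();
    DefaultChildApplicationContextManager childApplicationContextManager;
    ChildApplicationContextFactory childApplicationContextFactory;
    // Key pair used to sign test tokens; its public half is the key the deployment trusts after setUp().
    private KeyPair keyPair;
    private IdentityServiceConfig identityServiceConfig;

    /**
     * Switches the authentication chain to a single identity-service instance, installs a freshly
     * generated public key on its Keycloak deployment and looks up the resolved configuration bean.
     *
     * @throws Exception if the subsystem cannot be reconfigured or no RSA key pair generator is available
     */
    @Override
    protected void setUp() throws Exception {
        this.childApplicationContextManager = (DefaultChildApplicationContextManager) this.ctx.getBean("Authentication");
        // The manager is stopped before the chain property is changed so the new chain is picked up on restart.
        this.childApplicationContextManager.stop();
        this.childApplicationContextManager.setProperty("chain", "identity-service1:identity-service");
        this.childApplicationContextFactory = getChildApplicationContextFactory(this.childApplicationContextManager, "identity-service1");
        this.keyPair = newRsaKeyPair();
        applyHardcodedPublicKey(this.keyPair.getPublic());
        this.identityServiceConfig = (IdentityServiceConfig) this.childApplicationContextFactory.getApplicationContext().getBean(CONFIG_BEAN_NAME);
    }

    /**
     * Destroys the reconfigured authentication subsystem so later tests start from a clean chain.
     *
     * @throws Exception if the subsystem fails to shut down
     */
    @Override
    protected void tearDown() throws Exception {
        this.childApplicationContextManager.destroy();
        this.childApplicationContextManager = null;
        this.childApplicationContextFactory = null;
    }

    /**
     * Checks that every {@code identity-service.*} property of the test subsystem is exposed through the
     * matching {@link IdentityServiceConfig} accessor. The expected values are the ones declared in the
     * test subsystem's properties; the assertion messages name the property each value comes from.
     *
     * @throws Exception never in practice; declared for JUnit 3 symmetry with the other tests
     */
    public void testKeycloakConfig() throws Exception {
        assertEquals("identity-service.auth-server-url", "http://localhost:8999/auth", this.identityServiceConfig.getAuthServerUrl());
        assertEquals("identity-service.realm", "alfresco", this.identityServiceConfig.getRealm());
        assertEquals("identity-service.realm-public-key", "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvWLQxipXNe6cLnVPGy7lBgyR51bDiK7Jso8Rmh2TB+bmO4fNaMY1ETsxECSM0f6NTV0QHks9+gBe+pB6JNeMuPmaE/M/MsE9KUif9L2ChFq3zor6s2foFv2DTiTkij+1aQF9fuIjDNH4FC6L252WydZzh+f73Xuy5evdPj+wrPYqWyP7sKd+4Q9EIILWAuTDvKEjwyZmIyfM/nUn6ltDP6W8xMP0PoEJNAAp79anz2jk2HP2PvC2qdjVsphdTk3JG5qQMB0WJUh4Kjgabd4jQJ77U8gTRswKgNHRRPWhruiIcmmkP+zI0ozNW6rxH3PF4L7M9rXmfcmUcBcKf+YxjwIDAQAB", this.identityServiceConfig.getRealmKey());
        assertEquals("identity-service.ssl-required", "external", this.identityServiceConfig.getSslRequired());
        assertEquals("identity-service.resource", "test", this.identityServiceConfig.getResource());
        assertEquals("identity-service.cors-allowed-headers", AUTHORIZATION_HEADER, this.identityServiceConfig.getCorsAllowedHeaders());
        assertEquals("identity-service.cors-allowed-methods", "POST, PUT, DELETE, GET", this.identityServiceConfig.getCorsAllowedMethods());
        assertEquals("identity-service.cors-exposed-headers", "WWW-Authenticate, My-custom-exposed-Header", this.identityServiceConfig.getCorsExposedHeaders());
        assertEquals("identity-service.truststore", "classpath:/alfresco/subsystems/identityServiceAuthentication/keystore.jks", this.identityServiceConfig.getTruststore());
        // The test keystore is protected with the well-known test admin password; this is fixture data, not a deployment value.
        assertEquals("identity-service.truststore-password", AlfrescoTenant.ADMIN_PASSWORD, this.identityServiceConfig.getTruststorePassword());
        assertEquals("identity-service.client-keystore", "classpath:/alfresco/subsystems/identityServiceAuthentication/keystore.jks", this.identityServiceConfig.getClientKeystore());
        assertEquals("identity-service.client-keystore-password", AlfrescoTenant.ADMIN_PASSWORD, this.identityServiceConfig.getClientKeystorePassword());
        assertEquals("identity-service.client-key-password", AlfrescoTenant.ADMIN_PASSWORD, this.identityServiceConfig.getClientKeyPassword());
        assertEquals("identity-service.token-store", "SESSION", this.identityServiceConfig.getTokenStore());
        assertEquals("identity-service.principal-attribute", "preferred_username", this.identityServiceConfig.getPrincipalAttribute());
        assertEquals("identity-service.confidential-port", 100, this.identityServiceConfig.getConfidentialPort());
        assertEquals("identity-service.cors-max-age", 1000, this.identityServiceConfig.getCorsMaxAge());
        assertEquals("identity-service.connection-pool-size", 5, this.identityServiceConfig.getConnectionPoolSize());
        assertEquals("identity-service.register-node-period", 50, this.identityServiceConfig.getRegisterNodePeriod());
        assertEquals("identity-service.token-minimum-time-to-live", 10, this.identityServiceConfig.getTokenMinimumTimeToLive());
        assertEquals("identity-service.min-time-between-jwks-requests", 60, this.identityServiceConfig.getMinTimeBetweenJwksRequests());
        assertEquals("identity-service.public-key-cache-ttl", 3600, this.identityServiceConfig.getPublicKeyCacheTtl());
        assertEquals("identity-service.client-connection-timeout", 3000, this.identityServiceConfig.getClientConnectionTimeout());
        assertEquals("identity-service.client-socket-timeout", 1000, this.identityServiceConfig.getClientSocketTimeout());
        assertFalse("identity-service.public-client", this.identityServiceConfig.isPublicClient());
        assertTrue("identity-service.use-resource-role-mappings", this.identityServiceConfig.isUseResourceRoleMappings());
        assertTrue("identity-service.enable-cors", this.identityServiceConfig.isCors());
        assertTrue("identity-service.expose-token", this.identityServiceConfig.isExposeToken());
        assertTrue("identity-service.bearer-only", this.identityServiceConfig.isBearerOnly());
        assertTrue("identity-service.autodetect-bearer-only", this.identityServiceConfig.isAutodetectBearerOnly());
        assertTrue("identity-service.enable-basic-auth", this.identityServiceConfig.isEnableBasicAuth());
        // allow-any-hostname and disable-trust-manager weaken TLS verification; they are only acceptable because this is test configuration.
        assertTrue("identity-service.allow-any-hostname", this.identityServiceConfig.isAllowAnyHostname());
        assertTrue("identity-service.disable-trust-manager", this.identityServiceConfig.isDisableTrustManager());
        assertTrue("identity-service.always-refresh-token", this.identityServiceConfig.isAlwaysRefreshToken());
        assertTrue("identity-service.register-node-at-startup", this.identityServiceConfig.isRegisterNodeAtStartup());
        assertTrue("identity-service.enable-pkce", this.identityServiceConfig.isPkce());
        assertTrue("identity-service.ignore-oauth-query-parameter", this.identityServiceConfig.isIgnoreOAuthQueryParameter());
        assertTrue("identity-service.turn-off-change-session-id-on-login", this.identityServiceConfig.getTurnOffChangeSessionIdOnLogin().booleanValue());
        Map<?, ?> credentials = this.identityServiceConfig.getCredentials();
        assertNotNull("Expected a credentials map", credentials);
        assertFalse("Expected to retrieve a populated credentials map", credentials.isEmpty());
        assertEquals("identity-service.credentials.secret", "11111", credentials.get("secret"));
        assertEquals("identity-service.credentials.provider", "secret", credentials.get("provider"));
    }

    /**
     * A token signed with the trusted key and still within its lifetime maps to the preferred username.
     *
     * @throws Exception if the token cannot be built
     */
    public void testValidToken() throws Exception {
        assertEquals(TEST_USER_USERNAME, mapRemoteUser(generateToken(false)));
    }

    /**
     * A token signed with a key the deployment does not trust must not yield a user, even though its
     * claims are otherwise valid: the signature check is the only thing that fails here.
     *
     * @throws Exception if the token or the replacement key pair cannot be built
     */
    public void testWrongPublicKey() throws Exception {
        // Restart the child context with a public key that does not match the signing key.
        this.childApplicationContextFactory.stop();
        applyHardcodedPublicKey(newRsaKeyPair().getPublic());
        assertNull(mapRemoteUser(generateToken(false)));
    }

    /**
     * Same as {@link #testWrongPublicKey()} but with silent failure handling switched off.
     *
     * @throws Exception if the token or the replacement key pair cannot be built
     */
    public void testWrongPublicKeyWithError() throws Exception {
        this.childApplicationContextFactory.stop();
        this.childApplicationContextFactory.setProperty(CONFIG_SILENT_ERRORS, "false");
        applyHardcodedPublicKey(newRsaKeyPair().getPublic());
        // NOTE(review): the expected outcome is the same null as in silent mode; if non-silent mode is
        // meant to surface the failure differently (e.g. by throwing), this test does not exercise it.
        assertNull("Returned user should be null when wrong public key is used.", mapRemoteUser(generateToken(false)));
    }

    /**
     * A bearer value that is not a JWT at all is rejected without a user.
     *
     * @throws Exception never in practice; declared for JUnit 3 symmetry with the other tests
     */
    public void testInvalidJwt() throws Exception {
        assertNull(mapRemoteUser("thisisnotaJWT"));
    }

    /**
     * An Authorization header consisting of the bare {@code Bearer } prefix and no token is rejected.
     *
     * @throws Exception never in practice; declared for JUnit 3 symmetry with the other tests
     */
    public void testMissingToken() throws Exception {
        assertNull(mapRemoteUser(""));
    }

    /**
     * A token that is correctly signed but whose {@code exp} claim lies in the past is rejected.
     *
     * @throws Exception if the token cannot be built
     */
    public void testExpiredToken() throws Exception {
        assertNull(mapRemoteUser(generateToken(true)));
    }

    /**
     * Same as {@link #testExpiredToken()} but with silent failure handling switched off.
     *
     * @throws Exception if the token cannot be built
     */
    public void testExpiredTokenWithError() throws Exception {
        this.childApplicationContextFactory.stop();
        this.childApplicationContextFactory.setProperty(CONFIG_SILENT_ERRORS, "false");
        // Stopping the factory discards the deployment that held the key, so the trusted key is installed again.
        applyHardcodedPublicKey(this.keyPair.getPublic());
        // NOTE(review): as in testWrongPublicKeyWithError, only the null result is asserted, not any
        // difference in error reporting between silent and non-silent mode.
        assertNull("Returned user should be null when the token is expired.", mapRemoteUser(generateToken(true)));
    }

    /**
     * A request that carries no Authorization header at all yields no user.
     *
     * @throws Exception never in practice; declared for JUnit 3 symmetry with the other tests
     */
    public void testMissingHeader() throws Exception {
        assertNull(mapRemoteUser(null));
    }

    /**
     * Looks up the mapper under test from the current child application context. The lookup is repeated
     * on every call because several tests stop the factory, after which a new context is created.
     *
     * @return the {@code remoteUserMapper} bean of the identity-service subsystem
     */
    private RemoteUserMapper remoteUserMapper() {
        return (RemoteUserMapper) this.childApplicationContextFactory.getApplicationContext().getBean(REMOTE_USER_MAPPER_BEAN_NAME);
    }

    /**
     * Runs a bearer value through the mapper on a mocked request.
     *
     * @param bearerToken value placed after {@code Bearer } in the Authorization header, or {@code null}
     *                    to send no Authorization header at all
     * @return the user name the mapper resolves, or {@code null} when it rejects the request
     */
    private String mapRemoteUser(String bearerToken) {
        return remoteUserMapper().getRemoteUser(createMockTokenRequest(bearerToken));
    }

    /**
     * Generates the RSA key pair used to sign test tokens (and, for the wrong-key tests, an unrelated pair).
     *
     * @return a new {@value #RSA_KEY_SIZE}-bit RSA key pair
     * @throws NoSuchAlgorithmException if the runtime has no RSA key pair generator
     */
    private static KeyPair newRsaKeyPair() throws NoSuchAlgorithmException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(RSA_KEY_SIZE);
        return generator.generateKeyPair();
    }

    /**
     * Builds a mocked request whose Authorization header carries a bearer value.
     *
     * @param bearerToken value appended to {@code Bearer }; {@code null} means the header is absent, while
     *                    {@code ""} produces a header holding only the prefix
     * @return a mock whose {@code getHeaders("Authorization")} answers with the configured values
     */
    private HttpServletRequest createMockTokenRequest(String bearerToken) {
        HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
        final List<String> headerValues = new ArrayList<>(1);
        if (bearerToken != null) {
            headerValues.add(BEARER_PREFIX + bearerToken);
        }
        // Enumeration is one-shot, so a fresh one is handed out per call instead of one shared instance
        // that would be exhausted by the first consumer.
        Mockito.when(request.getHeaders(AUTHORIZATION_HEADER)).thenAnswer(invocation -> Collections.enumeration(headerValues));
        return request;
    }

    /**
     * Builds a mocked request carrying HTTP Basic credentials for the test user. Currently not referenced
     * by any test in this class; kept for basic-auth scenarios.
     *
     * @return a mock whose {@code getHeaders("Authorization")} answers with a single Basic credential
     */
    private HttpServletRequest createMockBasicRequest() {
        HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
        final List<String> headerValues = new ArrayList<>(1);
        headerValues.add(BASIC_PREFIX + Base64.encodeBytes("testuser:testuser".getBytes(StandardCharsets.UTF_8)));
        // Fresh Enumeration per call, see createMockTokenRequest.
        Mockito.when(request.getHeaders(AUTHORIZATION_HEADER)).thenAnswer(invocation -> Collections.enumeration(headerValues));
        return request;
    }

    /**
     * Builds a mocked HTTP client that answers every request with a 200 password-grant response whose
     * access and refresh tokens are both a freshly generated valid test token. Currently not referenced
     * by any test in this class.
     *
     * @return the mocked client
     * @throws Exception if the embedded token cannot be built
     */
    private HttpClient createMockHttpClient() throws Exception {
        HttpClient httpClient = Mockito.mock(HttpClient.class);
        HttpResponse httpResponse = Mockito.mock(HttpResponse.class);
        StatusLine statusLine = Mockito.mock(StatusLine.class);
        HttpEntity httpEntity = Mockito.mock(HttpEntity.class);
        String token = generateToken(false);
        byte[] body = String.format(PASSWORD_GRANT_RESPONSE, token, token).getBytes(StandardCharsets.UTF_8);
        Mockito.when(httpClient.execute(ArgumentMatchers.any(HttpUriRequest.class))).thenReturn(httpResponse);
        Mockito.when(httpResponse.getStatusLine()).thenReturn(statusLine);
        Mockito.when(httpResponse.getEntity()).thenReturn(httpEntity);
        Mockito.when(statusLine.getStatusCode()).thenReturn(200);
        Mockito.when(httpEntity.getContent()).thenReturn(new ByteArrayInputStream(body));
        return httpClient;
    }

    /**
     * Builds an RS256-signed access token for the test user, issued by the configured realm and signed
     * with the private half of {@link #keyPair}.
     *
     * @param expired {@code true} to place the {@code exp} claim {@value #EXPIRED_TOKEN_AGE_SECONDS} seconds
     *                in the past, {@code false} for a token valid for {@value #VALID_TOKEN_LIFETIME_SECONDS}
     *                seconds from now
     * @return the compact JWS serialization of the token
     * @throws Exception if signing fails
     */
    private String generateToken(boolean expired) throws Exception {
        String issuer = String.valueOf(this.identityServiceConfig.getAuthServerUrl()) + "/realms/" + this.identityServiceConfig.getRealm();
        AccessToken accessToken = new AccessToken();
        accessToken.type("Bearer");
        accessToken.id("1234");
        accessToken.subject("abc123");
        accessToken.issuer(issuer);
        accessToken.setPreferredUsername(TEST_USER_USERNAME);
        accessToken.setEmail(TEST_USER_EMAIL);
        accessToken.setGivenName("Joe");
        accessToken.setFamilyName("Bloggs");
        // Keycloak's exp is whole seconds since the epoch. The valid token gets an explicit lifetime so the
        // test does not rely on the verifier accepting a token that carries no exp claim at all.
        int now = Time.currentTime();
        accessToken.expiration(expired ? now - EXPIRED_TOKEN_AGE_SECONDS : now + VALID_TOKEN_LIFETIME_SECONDS);
        return new JWSBuilder().jsonContent(accessToken).rsa256(this.keyPair.getPrivate());
    }

    /**
     * Replaces the deployment's public-key locator with a fixed key, so signature verification uses
     * exactly this key and never fetches one from the realm. Applies to the current child context only:
     * tests that stop the factory install a key again afterwards.
     *
     * @param publicKey the key the deployment should trust for token signatures
     */
    private void applyHardcodedPublicKey(PublicKey publicKey) {
        KeycloakDeployment deployment = (KeycloakDeployment) this.childApplicationContextFactory.getApplicationContext().getBean(DEPLOYMENT_BEAN_NAME);
        deployment.setPublicKeyLocator(new HardcodedPublicKeyLocator(publicKey));
    }
}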
