package org.alfresco.repo.web.scripts.servlet;

import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.alfresco.model.ContentModel;
import org.alfresco.repo.management.subsystems.ChildApplicationContextFactory;
import org.alfresco.repo.management.subsystems.DefaultChildApplicationContextManager;
import org.alfresco.repo.security.authentication.AuthenticationComponent;
import org.alfresco.repo.security.authentication.external.DefaultRemoteUserMapper;
import org.alfresco.service.cmr.security.AuthorityService;
import org.alfresco.service.cmr.security.MutableAuthenticationService;
import org.alfresco.service.cmr.security.PersonService;
import org.alfresco.util.BaseSpringTest;
import org.alfresco.util.PropertyMap;
import org.alfresco.util.testing.category.IntermittentlyFailingTests;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.junit.Before;
import org.junit.Test;
import org.junit.experimental.categories.Category;
import org.junit.runner.RunWith;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;
import org.mockito.invocation.InvocationOnMock;
import org.mockito.stubbing.Answer;
import org.springframework.extensions.webscripts.Description;
import org.springframework.extensions.webscripts.Match;
import org.springframework.extensions.webscripts.WebScript;
import org.springframework.extensions.webscripts.servlet.WebScriptServletRequest;
import org.springframework.extensions.webscripts.servlet.WebScriptServletResponse;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringRunner;

@ContextConfiguration({"classpath:alfresco/application-context.xml", "classpath:alfresco/web-scripts-application-context.xml", "classpath:alfresco/web-scripts-application-context-test.xml"})
@RunWith(SpringRunner.class)
/* loaded from: input_file:org/alfresco/repo/web/scripts/servlet/RemoteAuthenticatorFactoryAdminConsoleAccessTest.class */
public class RemoteAuthenticatorFactoryAdminConsoleAccessTest extends BaseSpringTest {
    public static int setStatusCode;
    private RemoteUserAuthenticatorFactory remoteUserAuthenticatorFactory;
    private BlockingRemoteUserMapper blockingRemoteUserMapper;
    private PersonService personService;
    private MutableAuthenticationService authenticationService;
    private AuthenticationComponent authenticationComponent;
    private AuthorityService authorityService;
    private String proxyHeader = "X-Alfresco-Remote-User";
    protected final Log logger = LogFactory.getLog(getClass());

    @Before
    public void before() throws Exception {
        this.blockingRemoteUserMapper = new BlockingRemoteUserMapper();
        DefaultChildApplicationContextManager defaultChildApplicationContextManager = (DefaultChildApplicationContextManager) this.applicationContext.getBean("Authentication");
        this.remoteUserAuthenticatorFactory = (RemoteUserAuthenticatorFactory) this.applicationContext.getBean("webscripts.authenticator.remoteuser");
        this.remoteUserAuthenticatorFactory.setRemoteUserMapper(this.blockingRemoteUserMapper);
        this.remoteUserAuthenticatorFactory.setGetRemoteUserTimeoutMilliseconds(500L);
        this.personService = (PersonService) this.applicationContext.getBean("PersonService");
        this.authenticationService = (MutableAuthenticationService) this.applicationContext.getBean("AuthenticationService", MutableAuthenticationService.class);
        this.authenticationComponent = (AuthenticationComponent) this.applicationContext.getBean("AuthenticationComponent", AuthenticationComponent.class);
        this.authorityService = (AuthorityService) this.applicationContext.getBean("AuthorityService", AuthorityService.class);
        defaultChildApplicationContextManager.stop();
        defaultChildApplicationContextManager.setProperty("chain", "external1:external,alfrescoNtlm1:alfrescoNtlm");
        ChildApplicationContextFactory childApplicationContextFactory = defaultChildApplicationContextManager.getChildApplicationContextFactory("external1");
        childApplicationContextFactory.stop();
        childApplicationContextFactory.setProperty("external.authentication.proxyUserName", "");
    }

    @Test
    public void testAdminGuestAccess() {
        assertFalse("This should not authenticate. Admin access and guest is not a valid combination.", authenticateWithGuestParameters(Description.RequiredAuthentication.admin, true));
        checkTimeOutFeaturesWasNotUsed();
    }

    @Test
    public void testUserGuestAccess() {
        assertFalse("This should not authenticate", authenticateWithGuestParameters(Description.RequiredAuthentication.user, true));
        checkTimeOutFeaturesWasNotUsed();
    }

    @Test
    public void testGuestGuestAccess() {
        assertTrue("This should authenticate", authenticateWithGuestParameters(Description.RequiredAuthentication.guest, true));
        checkTimeOutFeaturesWasNotUsed();
    }

    @Test
    public void testNoneGuestAccess() {
        assertFalse("This should not authenticate.", authenticateWithGuestParameters(Description.RequiredAuthentication.none, true));
        checkTimeOutFeaturesWasNotUsed();
    }

    @Test
    public void testNoneNotGuestAccess() {
        Description.RequiredAuthentication requiredAuthentication = Description.RequiredAuthentication.none;
        assertFalse("This should not authenticate.", authenticateWithGuestParameters(Description.RequiredAuthentication.none, false));
        checkTimeOutFeaturesWasNotUsed();
    }

    @Test
    public void testExternalAuthForAdminPage() {
        Description.RequiredAuthentication requiredAuthentication = Description.RequiredAuthentication.admin;
        HashSet hashSet = new HashSet();
        hashSet.add("AdminConsole");
        checkExtAuthStillWorks(requiredAuthentication, hashSet);
    }

    @Test
    public void testExternalAuthForAdminResource() {
        checkExtAuthStillWorks(Description.RequiredAuthentication.admin, Collections.emptySet());
    }

    @Test
    public void testExternalAuthForUserResource() {
        checkExtAuthStillWorks(Description.RequiredAuthentication.user, Collections.emptySet());
    }

    @Test
    public void testAdminCanAccessAdminConsoleScript() {
        HashSet hashSet = new HashSet();
        hashSet.add("AdminConsole");
        complexCheckOfScriptCases(hashSet);
    }

    @Test
    @Category({IntermittentlyFailingTests.class})
    public void testAdminCanAccessAdminConsoleHelperScript() {
        HashSet hashSet = new HashSet();
        hashSet.add("AdminConsoleHelper");
        complexCheckOfScriptCases(hashSet);
    }

    @Test
    public void testUserCanAccessAdminConsoleScript() {
        HashSet hashSet = new HashSet();
        hashSet.add("AdminConsole");
        this.authenticationComponent.setSystemUserAsCurrentUser();
        String randomAlphabetic = RandomStringUtils.randomAlphabetic(10);
        String randomAlphabetic2 = RandomStringUtils.randomAlphabetic(10);
        createUser(randomAlphabetic, randomAlphabetic2);
        this.authorityService.addAuthority("GROUP_ALFRESCO_ADMINISTRATORS", randomAlphabetic);
        this.authenticationComponent.clearCurrentSecurityContext();
        checkAdminConsoleFamilyWithBasicAuthHeaderPresentUser(hashSet, getBasicAuthHeader(randomAlphabetic, randomAlphabetic2));
    }

    private void complexCheckOfScriptCases(Set<String> set) {
        checkGenericResourceAccess();
        checkAdminConsoleFamilyPage(set);
        checkAdminConsoleFamilyPageWithRemoteUserMapperDisabled(set);
        checkAdminConsoleFamilyWithBasicAuthHeaderPresent(set, "Basic YWRtaW46YWRtaW4=");
        checkAdminConsoleFamilyWithBasicAuthHeaderButWrongPassword(set);
    }

    private void checkAdminConsoleFamilyWithBasicAuthHeaderButWrongPassword(Set<String> set) {
        this.blockingRemoteUserMapper.reset();
        assertFalse("It is an AdminConsole webscript now and Admin basic auth header was present BUT with wrong password. Should fail.", authenticate(set, "Basic YWRtaW46YmliaQ=="));
        assertEquals("Status should be 401", 401, setStatusCode);
        assertFalse("The code from blockingRemoteUserMapper shouldn't have been called", this.blockingRemoteUserMapper.isWasInterrupted());
        assertEquals("The code from blockingRemoteUserMapper shouldn't have been called", this.blockingRemoteUserMapper.getTimePassed(), 0);
    }

    private void checkAdminConsoleFamilyPage(Set<String> set) {
        this.blockingRemoteUserMapper.reset();
        assertFalse("It is an AdminConsole webscript now, but Admin basic auth header was not present. It should return 401", authenticate(set, null));
        assertEquals("Status should be 401", 401, setStatusCode);
        assertTrue("Because it is an AdminConsole webscript, the interrupt should have been called.", this.blockingRemoteUserMapper.isWasInterrupted());
        assertTrue("The interrupt should have been called.", this.blockingRemoteUserMapper.getTimePassed() < 1000);
    }

    private void checkAdminConsoleFamilyWithBasicAuthHeaderPresent(Set<String> set, String str) {
        this.blockingRemoteUserMapper.reset();
        assertTrue("It is an AdminConsole webscript now and Admin basic auth header was present. It should succeed.", authenticate(set, str));
        assertFalse("The code from blockingRemoteUserMapper shouldn't have been called", this.blockingRemoteUserMapper.isWasInterrupted());
        assertEquals("The code from blockingRemoteUserMapper shouldn't have been called", this.blockingRemoteUserMapper.getTimePassed(), 0);
    }

    private void checkAdminConsoleFamilyWithBasicAuthHeaderPresentUser(Set<String> set, String str) {
        this.blockingRemoteUserMapper.reset();
        boolean z = false;
        try {
            z = authenticate(set, str);
        } catch (Exception e) {
            this.logger.error(String.format("The authentication should not require secure context to be set. %s", e.getMessage()), e);
        }
        assertTrue("It is an AdminConsole webscript and a User with Admin access and basic auth header was present. It should succeed.", z);
        assertFalse("The code from blockingRemoteUserMapper shouldn't have been called", this.blockingRemoteUserMapper.isWasInterrupted());
        assertEquals("The code from blockingRemoteUserMapper shouldn't have been called", this.blockingRemoteUserMapper.getTimePassed(), 0);
    }

    private void checkAdminConsoleFamilyPageWithRemoteUserMapperDisabled(Set<String> set) {
        this.blockingRemoteUserMapper.reset();
        this.blockingRemoteUserMapper.setEnabled(false);
        assertFalse("It is an AdminConsole webscript now, but Admin basic auth header was not present. It should return 401", authenticate(set, null));
        assertEquals("Status should be 401", 401, setStatusCode);
        assertFalse("The interrupt should have not been called because the RemoteUserMapper is not enabled.", this.blockingRemoteUserMapper.isWasInterrupted());
        assertEquals("RemoteUserMapper not called", this.blockingRemoteUserMapper.getTimePassed(), 0);
    }

    private void checkGenericResourceAccess() {
        this.blockingRemoteUserMapper.reset();
        assertFalse("This should not be authenticated as it is not an Admin Console requested. And no credentials have been provided", authenticate(Collections.emptySet(), null));
        assertFalse("Because it is not an Admin Console, the timeout feature from BasicHttpAuthenticator should not be requested. Therefore the interrupt should not have been called. ", this.blockingRemoteUserMapper.isWasInterrupted());
        assertTrue("No interrupt should have been called.", this.blockingRemoteUserMapper.getTimePassed() > 999);
    }

    private void checkTimeOutFeaturesWasNotUsed() {
        assertFalse("The timeout feature from BasicHttpAuthenticator should not be requested. Therefore the interrupt should not have been called. ", this.blockingRemoteUserMapper.isWasInterrupted());
        assertTrue("No interrupt should have been called.", this.blockingRemoteUserMapper.getTimePassed() > 999);
    }

    private boolean authenticate(Set<String> set, String str) {
        return this.remoteUserAuthenticatorFactory.create(prepareMockRequest(set, str), prepareMockResponse()).authenticate(Description.RequiredAuthentication.admin, false);
    }

    private boolean authenticateWithGuestParameters(Description.RequiredAuthentication requiredAuthentication, boolean z) {
        this.blockingRemoteUserMapper.reset();
        return this.remoteUserAuthenticatorFactory.create(prepareMockRequest(Collections.emptySet(), null), prepareMockResponse()).authenticate(requiredAuthentication, z);
    }

    private WebScriptServletRequest prepareMockRequest(Set<String> set, String str) {
        HttpServletRequest httpServletRequest = (HttpServletRequest) Mockito.mock(HttpServletRequest.class);
        Mockito.when(httpServletRequest.getScheme()).thenReturn("http");
        if (str != null) {
            Mockito.when(httpServletRequest.getHeader("Authorization")).thenReturn(str);
        }
        WebScriptServletRequest webScriptServletRequest = (WebScriptServletRequest) Mockito.mock(WebScriptServletRequest.class);
        Mockito.when(webScriptServletRequest.getHttpServletRequest()).thenReturn(httpServletRequest);
        WebScript webScript = (WebScript) Mockito.mock(WebScript.class);
        Mockito.when(webScriptServletRequest.getServiceMatch()).thenReturn(new Match("fake", Collections.EMPTY_MAP, "whatever", webScript));
        Description description = (Description) Mockito.mock(Description.class);
        Mockito.when(webScript.getDescription()).thenReturn(description);
        Mockito.when(description.getFamilys()).thenReturn(set);
        return webScriptServletRequest;
    }

    private void checkExtAuthStillWorks(Description.RequiredAuthentication requiredAuthentication, Set<String> set) {
        this.blockingRemoteUserMapper.reset();
        DefaultRemoteUserMapper defaultRemoteUserMapper = new DefaultRemoteUserMapper();
        defaultRemoteUserMapper.setActive(true);
        defaultRemoteUserMapper.setProxyUserName((String) null);
        defaultRemoteUserMapper.setPersonService(this.personService);
        this.remoteUserAuthenticatorFactory.setRemoteUserMapper(defaultRemoteUserMapper);
        HttpServletRequest httpServletRequest = (HttpServletRequest) Mockito.mock(HttpServletRequest.class);
        Mockito.when(httpServletRequest.getScheme()).thenReturn("http");
        Mockito.when(httpServletRequest.getHeader(this.proxyHeader)).thenReturn("RAFACAT_usr_" + ((int) (Math.random() * 1000.0d)));
        WebScriptServletRequest webScriptServletRequest = (WebScriptServletRequest) Mockito.mock(WebScriptServletRequest.class);
        Mockito.when(webScriptServletRequest.getHttpServletRequest()).thenReturn(httpServletRequest);
        WebScript webScript = (WebScript) Mockito.mock(WebScript.class);
        Mockito.when(webScriptServletRequest.getServiceMatch()).thenReturn(new Match("fake", Collections.EMPTY_MAP, "whatever", webScript));
        Description description = (Description) Mockito.mock(Description.class);
        Mockito.when(webScript.getDescription()).thenReturn(description);
        Mockito.when(description.getFamilys()).thenReturn(set);
        assertTrue("This should be authenticating with external auth", this.remoteUserAuthenticatorFactory.create(webScriptServletRequest, prepareMockResponse()).authenticate(requiredAuthentication, false));
        assertFalse("We have been using the DefaultRemoteUserMapper, so our BlockingRemoteUserMapper shouldn't have been called", this.blockingRemoteUserMapper.isWasInterrupted());
        assertEquals("BlockingRemoteUserMapper shouldn't have been called", this.blockingRemoteUserMapper.getTimePassed(), 0);
    }

    private WebScriptServletResponse prepareMockResponse() {
        HttpServletResponse httpServletResponse = (HttpServletResponse) Mockito.mock(HttpServletResponse.class);
        WebScriptServletResponse webScriptServletResponse = (WebScriptServletResponse) Mockito.mock(WebScriptServletResponse.class);
        Mockito.when(webScriptServletResponse.getHttpServletResponse()).thenReturn(httpServletResponse);
        ((HttpServletResponse) Mockito.doAnswer(new Answer() { // from class: org.alfresco.repo.web.scripts.servlet.RemoteAuthenticatorFactoryAdminConsoleAccessTest.1
            public Object answer(InvocationOnMock invocationOnMock) {
                Object[] arguments = invocationOnMock.getArguments();
                if (arguments == null || arguments.length != 1) {
                    return null;
                }
                RemoteAuthenticatorFactoryAdminConsoleAccessTest.setStatusCode = -1;
                try {
                    RemoteAuthenticatorFactoryAdminConsoleAccessTest.setStatusCode = ((Integer) arguments[0]).intValue();
                    return null;
                } catch (Exception e) {
                    RemoteAuthenticatorFactoryAdminConsoleAccessTest.this.logger.error("Could not get the status code: " + e.getMessage(), e);
                    return null;
                }
            }
        }).when(httpServletResponse)).setStatus(ArgumentMatchers.anyInt());
        return webScriptServletResponse;
    }

    private void createUser(String str, String str2) {
        if (this.personService.personExists(str)) {
            return;
        }
        this.authenticationService.createAuthentication(str, str2.toCharArray());
        PropertyMap propertyMap = new PropertyMap();
        propertyMap.put(ContentModel.PROP_USERNAME, str);
        propertyMap.put(ContentModel.PROP_FIRSTNAME, "myFirstName");
        propertyMap.put(ContentModel.PROP_LASTNAME, "myLastName");
        propertyMap.put(ContentModel.PROP_EMAIL, "myFirstName.myLastName@email.com");
        propertyMap.put(ContentModel.PROP_JOBTITLE, "myJobTitle");
        propertyMap.put(ContentModel.PROP_JOBTITLE, "myOrganisation");
        this.personService.createPerson(propertyMap);
    }

    private String getBasicAuthHeader(String str, String str2) {
        return String.format("Basic %s", Base64.encodeBase64String(String.format("%s:%s", str, str2).getBytes()));
    }
}
