package org.apache.qpid.server.security;

import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import javax.security.auth.Subject;
import javax.security.sasl.SaslServer;
import org.apache.qpid.server.model.AuthenticationProvider;
import org.apache.qpid.server.model.GroupProvider;
import org.apache.qpid.server.security.auth.AuthenticatedPrincipal;
import org.apache.qpid.server.security.auth.AuthenticationResult;
import org.apache.qpid.server.security.auth.SubjectAuthenticationResult;
import org.apache.qpid.test.utils.QpidTestCase;
import org.mockito.Mockito;

/* loaded from: input_file:org/apache/qpid/server/security/SubjectCreatorTest.class */
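/**
 * Unit tests for {@link SubjectCreator}, driven entirely through Mockito mocks of the
 * authentication provider, the group providers and the SASL server.
 *
 * <p>The properties pinned here are the ones an authorization layer relies on:
 * <ul>
 *   <li>a successful authentication yields a {@link Subject} holding exactly the authenticated
 *       user principal plus the group principals, and that subject is read-only;</li>
 *   <li>a non-successful authentication yields no subject at all;</li>
 *   <li>disabled mechanisms are never advertised, and secure-only mechanisms are advertised
 *       only by a creator constructed for a secure connection.</li>
 * </ul>
 */
public class SubjectCreatorTest extends QpidTestCase {
    private static final String USERNAME = "username";
    private static final String PASSWORD = "password";

    private SubjectCreator _subjectCreator;
    private AuthenticationResult _authenticationResult;

    private final AuthenticationProvider<?> _authenticationProvider = Mockito.mock(AuthenticationProvider.class);
    private final GroupProvider<?> _groupManager1 = Mockito.mock(GroupProvider.class);
    private final GroupProvider<?> _groupManager2 = Mockito.mock(GroupProvider.class);
    private final Principal _userPrincipal = Mockito.mock(Principal.class);
    private final Principal _group1 = Mockito.mock(Principal.class);
    private final Principal _group2 = Mockito.mock(Principal.class);
    private final SaslServer _testSaslServer = Mockito.mock(SaslServer.class);

    // Explicit charset: the no-arg getBytes() uses the platform default, which would make the
    // fixture bytes differ between build hosts.
    private final byte[] _saslResponseBytes = PASSWORD.getBytes(StandardCharsets.UTF_8);

    /**
     * Builds the fixture: two group providers that each contribute one group for
     * {@link #USERNAME}, a creator for an insecure connection, and a provider that accepts
     * {@link #USERNAME}/{@link #PASSWORD}.
     */
    public void setUp() {
        Mockito.when(_groupManager1.getGroupPrincipalsForUser(USERNAME)).thenReturn(Collections.singleton(_group1));
        Mockito.when(_groupManager2.getGroupPrincipalsForUser(USERNAME)).thenReturn(Collections.singleton(_group2));
        _subjectCreator = newSubjectCreator(_authenticationProvider, false);
        _authenticationResult = new AuthenticationResult(_userPrincipal);
        Mockito.when(_authenticationProvider.authenticate(USERNAME, PASSWORD)).thenReturn(_authenticationResult);
    }

    /** Username/password success: status is SUCCESS and the subject carries user plus both groups. */
    public void testAuthenticateUsernameAndPasswordReturnsSubjectWithUserAndGroupPrincipals() {
        SubjectAuthenticationResult result = _subjectCreator.authenticate(USERNAME, PASSWORD);

        assertEquals(AuthenticationResult.AuthenticationStatus.SUCCESS, result.getStatus());
        assertSubjectHasUserAndBothGroups(result.getSubject());
    }

    /** SASL success: same subject contents as the username/password path. */
    public void testSaslAuthenticationSuccessReturnsSubjectWithUserAndGroupPrincipals() throws Exception {
        Mockito.when(_authenticationProvider.authenticate(_testSaslServer, _saslResponseBytes)).thenReturn(_authenticationResult);
        Mockito.when(_testSaslServer.isComplete()).thenReturn(true);
        Mockito.when(_testSaslServer.getAuthorizationID()).thenReturn(USERNAME);

        SubjectAuthenticationResult result = _subjectCreator.authenticate(_testSaslServer, _saslResponseBytes);

        // Checked here as well so the SASL path is held to the same standard as the
        // username/password path: a subject must only ever accompany a SUCCESS status.
        assertEquals(AuthenticationResult.AuthenticationStatus.SUCCESS, result.getStatus());
        assertSubjectHasUserAndBothGroups(result.getSubject());
    }

    /** Username/password failure: every non-SUCCESS status is passed through with a null subject. */
    public void testAuthenticateUnsuccessfulWithUsernameReturnsNullSubjectAndCorrectStatus() {
        testUnsuccessfulAuthentication(AuthenticationResult.AuthenticationStatus.CONTINUE);
        testUnsuccessfulAuthentication(AuthenticationResult.AuthenticationStatus.ERROR);
    }

    /**
     * Stubs the provider to return {@code authenticationStatus} for the fixture credentials and
     * checks that the creator reports that same status and exposes no subject.
     */
    private void testUnsuccessfulAuthentication(AuthenticationResult.AuthenticationStatus authenticationStatus) {
        Mockito.when(_authenticationProvider.authenticate(USERNAME, PASSWORD))
                .thenReturn(new AuthenticationResult(authenticationStatus));

        SubjectAuthenticationResult result = _subjectCreator.authenticate(USERNAME, PASSWORD);

        assertSame(authenticationStatus, result.getStatus());
        assertNull(result.getSubject());
    }

    /** SASL failure: every non-SUCCESS status is passed through with a null subject. */
    public void testAuthenticateUnsuccessfulWithSaslServerReturnsNullSubjectAndCorrectStatus() {
        testUnsuccessfulAuthenticationWithSaslServer(AuthenticationResult.AuthenticationStatus.CONTINUE);
        testUnsuccessfulAuthenticationWithSaslServer(AuthenticationResult.AuthenticationStatus.ERROR);
    }

    /**
     * SASL counterpart of {@link #testUnsuccessfulAuthentication}.
     *
     * <p>NOTE(review): {@code isComplete()} is always stubbed to {@code false} here, so a SASL
     * exchange that reports completion together with a non-SUCCESS result is not exercised by
     * this class.
     */
    private void testUnsuccessfulAuthenticationWithSaslServer(AuthenticationResult.AuthenticationStatus authenticationStatus) {
        Mockito.when(_authenticationProvider.authenticate(_testSaslServer, _saslResponseBytes))
                .thenReturn(new AuthenticationResult(authenticationStatus));
        Mockito.when(_testSaslServer.isComplete()).thenReturn(false);

        SubjectAuthenticationResult result = _subjectCreator.authenticate(_testSaslServer, _saslResponseBytes);

        assertSame(authenticationStatus, result.getStatus());
        assertNull(result.getSubject());
    }

    /** Groups from all providers are merged into one set. */
    public void testGetGroupPrincipals() {
        getAndAssertGroupPrincipals(_group1, _group2);
    }

    /** A provider that returns {@code null} contributes nothing and does not break the merge. */
    public void testGetGroupPrincipalsWhenAGroupManagerReturnsNull() {
        Mockito.when(_groupManager1.getGroupPrincipalsForUser(USERNAME)).thenReturn(null);
        getAndAssertGroupPrincipals(_group2);
    }

    /** A provider that returns an empty set contributes nothing. */
    public void testGetGroupPrincipalsWhenAGroupManagerReturnsEmptySet() {
        Mockito.when(_groupManager2.getGroupPrincipalsForUser(USERNAME)).thenReturn(new HashSet<Principal>());
        getAndAssertGroupPrincipals(_group1);
    }

    /** Asserts that the creator resolves exactly {@code expectedGroups} for {@link #USERNAME}. */
    private void getAndAssertGroupPrincipals(Principal... expectedGroups) {
        assertEquals(new HashSet<>(Arrays.asList(expectedGroups)), _subjectCreator.getGroupPrincipals(USERNAME));
    }

    /** A mechanism listed as disabled on the provider is removed from the advertised list. */
    public void testDisabledMechanisms() {
        AuthenticationProvider<?> provider = Mockito.mock(AuthenticationProvider.class);
        SubjectCreator creator = newSubjectCreator(provider, false);

        Mockito.when(provider.getMechanisms()).thenReturn(Arrays.asList("PLAIN", "SCRAM-SHA-1"));
        assertTrue("Should contain SCRAM-SHA-1 mechanism.", creator.getMechanisms().contains("SCRAM-SHA-1"));
        assertTrue("Should contain PLAIN mechanism.", creator.getMechanisms().contains("PLAIN"));

        Mockito.when(provider.getDisabledMechanisms()).thenReturn(Arrays.asList("SCRAM-SHA-1"));
        assertFalse("SCRAM-SHA-1 should have been filtered out.", creator.getMechanisms().contains("SCRAM-SHA-1"));
        assertTrue("PLAIN should not have been filtered out.", creator.getMechanisms().contains("PLAIN"));
    }

    /**
     * A mechanism listed as secure-only is withheld by a creator built for an insecure
     * connection and offered by one built for a secure connection.
     */
    public void testSecureOnlyMechanisms() {
        AuthenticationProvider<?> provider = Mockito.mock(AuthenticationProvider.class);
        SubjectCreator insecureCreator = newSubjectCreator(provider, false);

        Mockito.when(provider.getMechanisms()).thenReturn(Arrays.asList("PLAIN", "SCRAM-SHA-1"));
        assertTrue("Should contain SCRAM-SHA-1 mechanism", insecureCreator.getMechanisms().contains("SCRAM-SHA-1"));
        assertTrue("Should contain PLAIN mechanism", insecureCreator.getMechanisms().contains("PLAIN"));

        Mockito.when(provider.getSecureOnlyMechanisms()).thenReturn(Arrays.asList("PLAIN"));
        assertTrue("SCRAM-SHA-1 should not have been filtered out.", insecureCreator.getMechanisms().contains("SCRAM-SHA-1"));
        assertFalse("PLAIN should have been filtered out on insecure connection.", insecureCreator.getMechanisms().contains("PLAIN"));

        SubjectCreator secureCreator = newSubjectCreator(provider, true);
        assertTrue("SCRAM-SHA-1 should not have been filtered out.", secureCreator.getMechanisms().contains("SCRAM-SHA-1"));
        assertTrue("PLAIN should not have been filtered out on secure connection.", secureCreator.getMechanisms().contains("PLAIN"));
    }

    /** Creates a {@link SubjectCreator} over {@code provider} and both fixture group providers. */
    private SubjectCreator newSubjectCreator(AuthenticationProvider<?> provider, boolean secure) {
        return new SubjectCreator(provider, new HashSet<>(Arrays.asList(_groupManager1, _groupManager2)), secure);
    }

    /**
     * Asserts the subject holds exactly three principals (the wrapped user and both groups)
     * and has been made read-only, so later code cannot add principals to it.
     */
    private void assertSubjectHasUserAndBothGroups(Subject subject) {
        assertEquals("Should contain one user principal and two groups ", 3, subject.getPrincipals().size());
        assertTrue(subject.getPrincipals().contains(new AuthenticatedPrincipal(_userPrincipal)));
        assertTrue(subject.getPrincipals().contains(_group1));
        assertTrue(subject.getPrincipals().contains(_group2));
        assertTrue(subject.isReadOnly());
    }
}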
