package org.apereo.cas.authentication;

import com.amazonaws.services.cognitoidp.AWSCognitoIdentityProvider;
import com.amazonaws.services.cognitoidp.model.AdminGetUserRequest;
import com.amazonaws.services.cognitoidp.model.AdminGetUserResult;
import com.amazonaws.services.cognitoidp.model.AdminInitiateAuthRequest;
import com.amazonaws.services.cognitoidp.model.AdminInitiateAuthResult;
import com.amazonaws.services.cognitoidp.model.AttributeType;
import com.amazonaws.services.cognitoidp.model.AuthenticationResultType;
import com.amazonaws.services.cognitoidp.model.InvalidPasswordException;
import com.amazonaws.services.cognitoidp.model.NotAuthorizedException;
import com.amazonaws.services.cognitoidp.model.UserNotFoundException;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import java.util.Date;
import java.util.List;
import javax.security.auth.login.AccountExpiredException;
import javax.security.auth.login.AccountNotFoundException;
import javax.security.auth.login.FailedLoginException;
import org.apereo.cas.authentication.credential.UsernamePasswordCredential;
import org.apereo.cas.authentication.exceptions.AccountDisabledException;
import org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException;
import org.apereo.cas.authentication.principal.PrincipalFactoryUtils;
import org.apereo.cas.config.AmazonCognitoAuthenticationConfiguration;
import org.apereo.cas.config.CasCoreServicesConfiguration;
import org.apereo.cas.config.CasCoreUtilConfiguration;
import org.apereo.cas.config.CasRegisteredServicesTestConfiguration;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.services.ServicesManager;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;
import org.mockito.Mockito;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.cloud.autoconfigure.RefreshAutoConfiguration;

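@Tag("AmazonWebServices")
@EnableConfigurationProperties({CasConfigurationProperties.class})
@SpringBootTest(classes = {RefreshAutoConfiguration.class, CasCoreServicesConfiguration.class, CasRegisteredServicesTestConfiguration.class, CasCoreUtilConfiguration.class, AmazonCognitoAuthenticationConfiguration.class}, properties = {"cas.authn.cognito.userPoolId=us-west-2_igeBNHRsb", "cas.authn.cognito.region=us-west-2", "cas.authn.cognito.clientExecutionTimeout=30000", "cas.authn.cognito.credentialAccessKey=test", "cas.authn.cognito.credentialSecretKey=test", "cas.authn.cognito.clientId=4o5qr8egumc72iv6qibm8foeh6"})
/**
 * Tests for {@link AmazonCognitoAuthenticationAuthenticationHandler}.
 *
 * <p>Every test that drives {@code authenticate} builds its own handler with a mocked
 * {@link AWSCognitoIdentityProvider} and a mocked {@link ConfigurableJWTProcessor}, so no
 * call reaches AWS and the Cognito access/secret keys in the properties above are
 * placeholders only. Because the JWT processor mock returns a claim set for any token
 * string, these tests cover the handler's mapping of Cognito responses and exceptions to
 * CAS account exceptions; they do not exercise ID-token signature or expiry validation.
 */
public class AmazonCognitoAuthenticationAuthenticationHandlerTests {

    /** Password used for every test credential; the value is never checked by the mocks. */
    private static final String PASSWORD = "Hell063!!";

    @Autowired
    @Qualifier("amazonCognitoAuthenticationHandler")
    private AuthenticationHandler amazonCognitoAuthenticationHandler;

    @Autowired
    private CasConfigurationProperties casProperties;

    /**
     * Builds a JWT processor mock whose {@code process} call yields a claim set carrying
     * only the given subject, regardless of the token string passed in.
     *
     * @param subject the {@code sub} claim to return; empty string simulates a token with no usable subject
     * @return the mocked processor
     * @throws Exception if the mocked {@code process} signature throws at stubbing time
     */
    private static ConfigurableJWTProcessor getConfigurableJWTProcessor(final String subject) throws Exception {
        final ConfigurableJWTProcessor jwtProcessor = Mockito.mock(ConfigurableJWTProcessor.class);
        Mockito.when(jwtProcessor.process(Mockito.anyString(), Mockito.any(SecurityContext.class)))
            .thenReturn(new JWTClaimsSet.Builder().subject(subject).build());
        return jwtProcessor;
    }

    /**
     * Creates a handler under test wired to the given mocks, using the Cognito settings
     * bound from the test properties.
     *
     * @param identityProvider the mocked Cognito client
     * @param jwtProcessor     the mocked ID-token processor
     * @return a fresh handler instance
     */
    private AmazonCognitoAuthenticationAuthenticationHandler newHandler(final AWSCognitoIdentityProvider identityProvider,
                                                                       final ConfigurableJWTProcessor jwtProcessor) {
        return new AmazonCognitoAuthenticationAuthenticationHandler(getClass().getSimpleName(),
            Mockito.mock(ServicesManager.class),
            PrincipalFactoryUtils.newPrincipalFactory(),
            identityProvider,
            this.casProperties.getAuthn().getCognito(),
            jwtProcessor);
    }

    /**
     * Builds a successful {@code adminInitiateAuth} result that carries an ID token and no challenge.
     *
     * @return the auth result
     */
    private static AdminInitiateAuthResult authResultWithIdToken() {
        final AuthenticationResultType authenticationResult = new AuthenticationResultType();
        authenticationResult.setIdToken("some-id-token");
        final AdminInitiateAuthResult authResult = new AdminInitiateAuthResult();
        authResult.setAuthenticationResult(authenticationResult);
        return authResult;
    }

    @Test
    public void verifyHandler() {
        Assertions.assertNotNull(this.amazonCognitoAuthenticationHandler);
    }

    /** A {@code NEW_PASSWORD_REQUIRED} challenge must surface as a password-change requirement. */
    @Test
    public void verifyExpiredPassword() throws Exception {
        final ConfigurableJWTProcessor jwtProcessor = getConfigurableJWTProcessor("casuser");
        final AWSCognitoIdentityProvider identityProvider = Mockito.mock(AWSCognitoIdentityProvider.class);
        final AdminInitiateAuthResult authResult = new AdminInitiateAuthResult();
        authResult.setChallengeName("NEW_PASSWORD_REQUIRED");
        Mockito.when(identityProvider.adminInitiateAuth(Mockito.any(AdminInitiateAuthRequest.class))).thenReturn(authResult);
        final UsernamePasswordCredential credential =
            CoreAuthenticationTestUtils.getCredentialsWithDifferentUsernameAndPassword("casuser-exp-password", PASSWORD);
        final AmazonCognitoAuthenticationAuthenticationHandler handler = newHandler(identityProvider, jwtProcessor);
        Assertions.assertThrows(AccountPasswordMustChangeException.class, () -> handler.authenticate(credential));
    }

    @Test
    public void verifyAccountDisabled() throws Exception {
        verifyAccountStatusFailure(new NotAuthorizedException("disabled"), AccountDisabledException.class);
    }

    @Test
    public void verifyAccountExpired() throws Exception {
        verifyAccountStatusFailure(new NotAuthorizedException("expired"), AccountExpiredException.class);
    }

    @Test
    public void verifyAccountFail() throws Exception {
        verifyAccountStatusFailure(new UserNotFoundException("not-found"), AccountNotFoundException.class);
        verifyAccountStatusFailure(new AuthenticationException("not-found"), FailedLoginException.class);
    }

    /** A {@code NotAuthorizedException} whose message matches no known status maps to a plain login failure. */
    @Test
    public void verifyAccountNotFound() throws Exception {
        verifyAccountStatusFailure(new NotAuthorizedException("fail"), FailedLoginException.class);
    }

    @Test
    public void verifyAccountPassword() throws Exception {
        verifyAccountStatusFailure(new InvalidPasswordException("fail"), AccountPasswordMustChangeException.class);
    }

    /**
     * Makes {@code adminInitiateAuth} throw {@code exc} and asserts that the handler
     * translates it into {@code expected}.
     *
     * @param exc      the exception the mocked Cognito client throws
     * @param expected the exception type {@code authenticate} is expected to throw
     * @throws Exception on mock setup failure
     */
    private void verifyAccountStatusFailure(final Exception exc, final Class<? extends Throwable> expected) throws Exception {
        final ConfigurableJWTProcessor jwtProcessor = getConfigurableJWTProcessor("casuser");
        final AWSCognitoIdentityProvider identityProvider = Mockito.mock(AWSCognitoIdentityProvider.class);
        Mockito.when(identityProvider.adminInitiateAuth(Mockito.any(AdminInitiateAuthRequest.class))).thenThrow(exc);
        final UsernamePasswordCredential credential =
            CoreAuthenticationTestUtils.getCredentialsWithDifferentUsernameAndPassword("casuser-exp-password", PASSWORD);
        final AmazonCognitoAuthenticationAuthenticationHandler handler = newHandler(identityProvider, jwtProcessor);
        Assertions.assertThrows(expected, () -> handler.authenticate(credential));
    }

    /** An ID token whose claims carry an empty subject must not authenticate. */
    @Test
    public void verifyNoSub() throws Exception {
        final ConfigurableJWTProcessor jwtProcessor = getConfigurableJWTProcessor("");
        final AWSCognitoIdentityProvider identityProvider = Mockito.mock(AWSCognitoIdentityProvider.class);
        Mockito.when(identityProvider.adminInitiateAuth(Mockito.any(AdminInitiateAuthRequest.class))).thenReturn(authResultWithIdToken());
        final UsernamePasswordCredential credential =
            CoreAuthenticationTestUtils.getCredentialsWithDifferentUsernameAndPassword("casuser-ok", PASSWORD);
        final AmazonCognitoAuthenticationAuthenticationHandler handler = newHandler(identityProvider, jwtProcessor);
        Assertions.assertThrows(FailedLoginException.class, () -> handler.authenticate(credential));
    }

    /** Happy path: valid auth result, a subject in the token and a user record found by username. */
    @Test
    public void verifyOK() throws Exception {
        final ConfigurableJWTProcessor jwtProcessor = getConfigurableJWTProcessor("casuser");
        final AWSCognitoIdentityProvider identityProvider = Mockito.mock(AWSCognitoIdentityProvider.class);
        Mockito.when(identityProvider.adminInitiateAuth(Mockito.any(AdminInitiateAuthRequest.class))).thenReturn(authResultWithIdToken());

        final AdminGetUserResult userResult = new AdminGetUserResult();
        userResult.setUserStatus("OK");
        userResult.setUserCreateDate(new Date());
        userResult.setUserLastModifiedDate(new Date());
        // Attribute name and value are distinct fields; the original fixture set the name twice
        // and left the value unset, so the attribute carried no value at all.
        final AttributeType attribute = new AttributeType();
        attribute.setName("cn");
        attribute.setValue("CAS");
        userResult.setUserAttributes(List.of(attribute));
        userResult.setUsername("casuser");
        // Only the username the credential carries is stubbed; any other lookup returns null.
        Mockito.when(identityProvider.adminGetUser(Mockito.argThat((AdminGetUserRequest request) -> "casuser-ok".equals(request.getUsername()))))
            .thenReturn(userResult);

        final AmazonCognitoAuthenticationAuthenticationHandler handler = newHandler(identityProvider, jwtProcessor);
        final UsernamePasswordCredential credential =
            CoreAuthenticationTestUtils.getCredentialsWithDifferentUsernameAndPassword("casuser-ok", PASSWORD);
        Assertions.assertNotNull(handler.authenticate(credential));
    }
}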
