package org.apereo.cas.authentication;

import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import java.time.Clock;
import java.time.Instant;
import java.util.List;
import javax.security.auth.login.AccountExpiredException;
import javax.security.auth.login.AccountNotFoundException;
import javax.security.auth.login.FailedLoginException;
import org.apereo.cas.authentication.credential.UsernamePasswordCredential;
import org.apereo.cas.authentication.exceptions.AccountDisabledException;
import org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException;
import org.apereo.cas.authentication.principal.PrincipalFactoryUtils;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.config.AmazonCognitoAuthenticationConfiguration;
import org.apereo.cas.config.CasCoreAuthenticationPrincipalConfiguration;
import org.apereo.cas.config.CasCoreNotificationsConfiguration;
import org.apereo.cas.config.CasCoreServicesConfiguration;
import org.apereo.cas.config.CasCoreUtilConfiguration;
import org.apereo.cas.config.CasCoreWebConfiguration;
import org.apereo.cas.config.CasPersonDirectoryTestConfiguration;
import org.apereo.cas.config.CasRegisteredServicesTestConfiguration;
import org.apereo.cas.config.support.CasWebApplicationServiceFactoryConfiguration;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.services.ServicesManager;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;
import org.mockito.Mockito;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.cloud.autoconfigure.RefreshAutoConfiguration;
import software.amazon.awssdk.services.cognitoidentityprovider.CognitoIdentityProviderClient;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminGetUserRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminGetUserResponse;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminInitiateAuthRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminInitiateAuthResponse;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AttributeType;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AuthenticationResultType;
import software.amazon.awssdk.services.cognitoidentityprovider.model.InvalidPasswordException;
import software.amazon.awssdk.services.cognitoidentityprovider.model.NotAuthorizedException;
import software.amazon.awssdk.services.cognitoidentityprovider.model.UserNotFoundException;

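/**
 * Tests for {@link AmazonCognitoAuthenticationAuthenticationHandler}.
 *
 * <p>Both collaborators of the handler are Mockito mocks, so no call ever leaves the JVM:
 * the {@link CognitoIdentityProviderClient} is stubbed per test to drive one branch of the
 * handler ({@code adminInitiateAuth}, and {@code adminGetUser} on the success paths), and the
 * {@link ConfigurableJWTProcessor} returns a fixed claims set for any token string. Because of
 * the latter, signature and issuer validation of the Cognito ID token is not exercised here;
 * what is covered is how the handler reacts to the resulting claims and to the client's
 * failures.
 */
@Tag("AmazonWebServices")
@EnableConfigurationProperties({CasConfigurationProperties.class})
@SpringBootTest(classes = {
    RefreshAutoConfiguration.class,
    CasCoreNotificationsConfiguration.class,
    CasCoreServicesConfiguration.class,
    CasCoreWebConfiguration.class,
    CasWebApplicationServiceFactoryConfiguration.class,
    CasRegisteredServicesTestConfiguration.class,
    CasCoreUtilConfiguration.class,
    CasPersonDirectoryTestConfiguration.class,
    CasCoreAuthenticationPrincipalConfiguration.class,
    AmazonCognitoAuthenticationConfiguration.class
}, properties = {
    "cas.authn.cognito.user-pool-id=us-west-2_igeBNHRsb",
    "cas.authn.cognito.region=us-west-2",
    "cas.authn.cognito.client-execution-timeout=30000",
    "cas.authn.cognito.credential-access-key=test",
    "cas.authn.cognito.credential-secret-key=test",
    "cas.authn.cognito.client-id=4o5qr8egumc72iv6qibm8foeh6",
    "cas.authn.cognito.mapped-attributes.[custom\\:netid]=netid"
})
public class AmazonCognitoAuthenticationAuthenticationHandlerTests {

    /** Subject ({@code sub}) claim the mocked JWT processor reports for a valid ID token. */
    private static final String SUBJECT = "casuser";

    /** Opaque ID token string handed back by the mocked AdminInitiateAuth call. */
    private static final String ID_TOKEN = "some-id-token";

    /** Username submitted on the success paths. */
    private static final String OK_USER = "casuser-ok";

    /** Username submitted on the failure paths. */
    private static final String FAILING_USER = "casuser-exp-password";

    /** Test-only password; never sent anywhere because the Cognito client is a mock. */
    private static final String PASSWORD = "Hell063!!";

    @Autowired
    @Qualifier("amazonCognitoAuthenticationHandler")
    private AuthenticationHandler amazonCognitoAuthenticationHandler;

    @Autowired
    private CasConfigurationProperties casProperties;

    /** The configuration must register the handler bean under its qualifier. */
    @Test
    public void verifyHandler() {
        Assertions.assertNotNull(this.amazonCognitoAuthenticationHandler);
    }

    /**
     * A {@code NEW_PASSWORD_REQUIRED} challenge from Cognito must surface as
     * {@link AccountPasswordMustChangeException} rather than as a successful login.
     */
    @Test
    public void verifyExpiredPassword() throws Exception {
        AdminInitiateAuthResponse challenge = AdminInitiateAuthResponse.builder()
            .challengeName("NEW_PASSWORD_REQUIRED")
            .build();
        AmazonCognitoAuthenticationAuthenticationHandler handler =
            newHandler(clientReturning(challenge), getConfigurableJWTProcessor(SUBJECT));
        UsernamePasswordCredential credential =
            CoreAuthenticationTestUtils.getCredentialsWithDifferentUsernameAndPassword(FAILING_USER, PASSWORD);
        Assertions.assertThrows(AccountPasswordMustChangeException.class,
            () -> handler.authenticate(credential, Mockito.mock(Service.class)));
    }

    /** A {@code NotAuthorizedException} mentioning "disabled" maps to {@link AccountDisabledException}. */
    @Test
    public void verifyAccountDisabled() throws Exception {
        verifyAccountStatusFailure(NotAuthorizedException.builder().message("disabled").build(),
            AccountDisabledException.class);
    }

    /** A {@code NotAuthorizedException} mentioning "expired" maps to {@link AccountExpiredException}. */
    @Test
    public void verifyAccountExpired() throws Exception {
        verifyAccountStatusFailure(NotAuthorizedException.builder().message("expired").build(),
            AccountExpiredException.class);
    }

    /**
     * An unknown user maps to {@link AccountNotFoundException}, while a
     * {@code NotAuthorizedException} with an unrecognised message falls back to
     * {@link FailedLoginException}.
     */
    @Test
    public void verifyAccountFail() throws Exception {
        verifyAccountStatusFailure(UserNotFoundException.builder().message("no-found").build(),
            AccountNotFoundException.class);
        verifyAccountStatusFailure(NotAuthorizedException.builder().message("not-found").build(),
            FailedLoginException.class);
    }

    /** A generic {@code NotAuthorizedException} is reported as a plain {@link FailedLoginException}. */
    @Test
    public void verifyAccountNotFound() throws Exception {
        verifyAccountStatusFailure(NotAuthorizedException.builder().message("fail").build(),
            FailedLoginException.class);
    }

    /** An {@code InvalidPasswordException} is reported as {@link AccountPasswordMustChangeException}. */
    @Test
    public void verifyAccountPassword() throws Exception {
        verifyAccountStatusFailure(InvalidPasswordException.builder().message("fail").build(),
            AccountPasswordMustChangeException.class);
    }

    /**
     * Cognito answers successfully, but the ID token carries an empty {@code sub} claim: the
     * handler must refuse to build a principal from it and fail the login instead.
     */
    @Test
    public void verifyNoSub() throws Exception {
        AmazonCognitoAuthenticationAuthenticationHandler handler =
            newHandler(clientReturning(authenticatedResponse()), getConfigurableJWTProcessor(""));
        UsernamePasswordCredential credential =
            CoreAuthenticationTestUtils.getCredentialsWithDifferentUsernameAndPassword(OK_USER, PASSWORD);
        Assertions.assertThrows(FailedLoginException.class,
            () -> handler.authenticate(credential, Mockito.mock(Service.class)));
    }

    /** Happy path: a valid ID token plus a resolvable user yields a non-null result. */
    @Test
    public void verifyOK() throws Exception {
        CognitoIdentityProviderClient client = clientReturning(authenticatedResponse());
        stubUserLookup(client, AttributeType.builder().name("CAS").build());
        AmazonCognitoAuthenticationAuthenticationHandler handler =
            newHandler(client, getConfigurableJWTProcessor(SUBJECT));
        Assertions.assertNotNull(handler.authenticate(
            CoreAuthenticationTestUtils.getCredentialsWithDifferentUsernameAndPassword(OK_USER, PASSWORD),
            Mockito.mock(Service.class)));
    }

    /**
     * The {@code custom:netid} Cognito attribute is renamed to {@code netid} on the principal,
     * as configured by {@code cas.authn.cognito.mapped-attributes} in {@code @SpringBootTest}.
     */
    @Test
    public void verifyOKWithMappedAttributes() throws Exception {
        CognitoIdentityProviderClient client = clientReturning(authenticatedResponse());
        stubUserLookup(client, AttributeType.builder().name("custom:netid").value("cas789").build());
        AmazonCognitoAuthenticationAuthenticationHandler handler =
            newHandler(client, getConfigurableJWTProcessor(SUBJECT));
        AuthenticationHandlerExecutionResult result = handler.authenticate(
            CoreAuthenticationTestUtils.getCredentialsWithDifferentUsernameAndPassword(OK_USER, PASSWORD),
            Mockito.mock(Service.class));
        List<?> netid = (List<?>) result.getPrincipal().getAttributes().get("netid");
        Assertions.assertEquals("cas789", netid.get(0));
    }

    /**
     * Mocks a JWT processor that accepts any token string and reports the given subject.
     * No signature, expiry or issuer check happens here; the mock matches a {@code null}
     * security context as well, which is why {@link Mockito#any()} is used for that argument.
     *
     * @param subject value of the {@code sub} claim to return
     * @return the stubbed processor
     * @throws Exception declared by {@code process} during stubbing
     */
    private static ConfigurableJWTProcessor<SecurityContext> getConfigurableJWTProcessor(final String subject) throws Exception {
        @SuppressWarnings("unchecked")
        ConfigurableJWTProcessor<SecurityContext> processor = Mockito.mock(ConfigurableJWTProcessor.class);
        Mockito.when(processor.process(Mockito.anyString(), Mockito.any()))
            .thenReturn(new JWTClaimsSet.Builder().subject(subject).build());
        return processor;
    }

    /**
     * Builds a handler around the given mocked collaborators, using this context's
     * {@code cas.authn.cognito} properties.
     */
    private AmazonCognitoAuthenticationAuthenticationHandler newHandler(
        final CognitoIdentityProviderClient client,
        final ConfigurableJWTProcessor<SecurityContext> jwtProcessor) {
        return new AmazonCognitoAuthenticationAuthenticationHandler(
            getClass().getSimpleName(),
            Mockito.mock(ServicesManager.class),
            PrincipalFactoryUtils.newPrincipalFactory(),
            client,
            this.casProperties.getAuthn().getCognito(),
            jwtProcessor);
    }

    /** Mocks a Cognito client whose {@code adminInitiateAuth} returns the given response. */
    private static CognitoIdentityProviderClient clientReturning(final AdminInitiateAuthResponse response) {
        CognitoIdentityProviderClient client = Mockito.mock(CognitoIdentityProviderClient.class);
        Mockito.when(client.adminInitiateAuth(Mockito.any(AdminInitiateAuthRequest.class))).thenReturn(response);
        return client;
    }

    /** Mocks a Cognito client whose {@code adminInitiateAuth} throws the given failure. */
    private static CognitoIdentityProviderClient clientThrowing(final Exception failure) {
        CognitoIdentityProviderClient client = Mockito.mock(CognitoIdentityProviderClient.class);
        Mockito.when(client.adminInitiateAuth(Mockito.any(AdminInitiateAuthRequest.class))).thenThrow(failure);
        return client;
    }

    /** Response Cognito returns once the password challenge succeeded: just an ID token. */
    private static AdminInitiateAuthResponse authenticatedResponse() {
        return AdminInitiateAuthResponse.builder()
            .authenticationResult(AuthenticationResultType.builder().idToken(ID_TOKEN).build())
            .build();
    }

    /**
     * Stubs {@code adminGetUser} so the handler can look up the authenticated user and
     * its single attribute.
     */
    private static void stubUserLookup(final CognitoIdentityProviderClient client, final AttributeType attribute) {
        Instant now = Instant.now(Clock.systemUTC());
        AdminGetUserResponse user = AdminGetUserResponse.builder()
            .username(SUBJECT)
            .userStatus("OK")
            .userCreateDate(now)
            .userLastModifiedDate(now)
            .userAttributes(List.of(attribute))
            .build();
        Mockito.when(client.adminGetUser(Mockito.any(AdminGetUserRequest.class))).thenReturn(user);
    }

    /**
     * Asserts that a failure raised by {@code adminInitiateAuth} is translated into the
     * expected CAS exception type.
     *
     * @param failure  exception the mocked Cognito client throws
     * @param expected exception type the handler is expected to raise instead
     */
    private void verifyAccountStatusFailure(final Exception failure,
                                            final Class<? extends Throwable> expected) throws Exception {
        AmazonCognitoAuthenticationAuthenticationHandler handler =
            newHandler(clientThrowing(failure), getConfigurableJWTProcessor(SUBJECT));
        UsernamePasswordCredential credential =
            CoreAuthenticationTestUtils.getCredentialsWithDifferentUsernameAndPassword(FAILING_USER, PASSWORD);
        Assertions.assertThrows(expected,
            () -> handler.authenticate(credential, Mockito.mock(Service.class)));
    }
}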
