package org.apereo.cas.web.flow;

import java.io.File;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.UUID;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.Criterion;
import org.apache.commons.io.FileUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apereo.cas.authentication.principal.AbstractWebApplicationService;
import org.apereo.cas.services.CasRegisteredService;
import org.apereo.cas.services.DefaultRegisteredServiceProperty;
import org.apereo.cas.services.RegisteredServiceProperty;
import org.apereo.cas.services.RegisteredServiceTestUtils;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.apereo.cas.ticket.TransientSessionTicket;
import org.apereo.cas.ticket.registry.TicketRegistry;
import org.apereo.cas.web.BaseDelegatedAuthenticationTests;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.saml.common.messaging.context.SAMLMetadataContext;
import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext;
import org.opensaml.saml.common.messaging.context.SAMLSelfEntityContext;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.pac4j.cas.client.CasClient;
import org.pac4j.cas.config.CasConfiguration;
import org.pac4j.core.client.Client;
import org.pac4j.core.context.session.SessionStore;
import org.pac4j.jee.context.JEEContext;
import org.pac4j.oauth.client.OAuth10Client;
import org.pac4j.oauth.client.OAuth20Client;
import org.pac4j.oauth.config.OAuth10Configuration;
import org.pac4j.oauth.config.OAuth20Configuration;
import org.pac4j.oidc.client.OidcClient;
import org.pac4j.oidc.config.OidcConfiguration;
import org.pac4j.saml.client.SAML2Client;
import org.pac4j.saml.config.SAML2Configuration;
import org.pac4j.saml.context.SAML2MessageContext;
import org.pac4j.saml.sso.impl.SAML2AuthnRequestBuilder;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.mock.web.MockServletContext;
import org.springframework.web.servlet.DispatcherServlet;
import org.springframework.web.servlet.i18n.SessionLocaleResolver;
import org.springframework.webflow.context.ExternalContextHolder;
import org.springframework.webflow.context.servlet.ServletExternalContext;
import org.springframework.webflow.execution.RequestContextHolder;
import org.springframework.webflow.test.MockRequestContext;

@Tag("Webflow")
@SpringBootTest(classes = {BaseDelegatedAuthenticationTests.SharedTestConfiguration.class}, properties = {"cas.authn.pac4j.cookie.enabled=true"})
/* loaded from: input_file:org/apereo/cas/web/flow/DefaultDelegatedClientAuthenticationWebflowManagerTests.class */
public class DefaultDelegatedClientAuthenticationWebflowManagerTests {

    @Autowired
    @Qualifier("ticketRegistry")
    private TicketRegistry ticketRegistry;

    @Autowired
    @Qualifier("delegatedClientWebflowManager")
    private DelegatedClientAuthenticationWebflowManager delegatedClientAuthenticationWebflowManager;

    @Autowired
    @Qualifier("delegatedClientDistributedSessionStore")
    private SessionStore delegatedClientDistributedSessionStore;

    @Autowired
    @Qualifier("servicesManager")
    private ServicesManager servicesManager;
    private JEEContext context;
    private MockRequestContext requestContext;
    private MockHttpServletRequest httpServletRequest;

    @BeforeEach
    public void setup() {
        AbstractWebApplicationService service = RegisteredServiceTestUtils.getService();
        this.httpServletRequest = new MockHttpServletRequest();
        this.httpServletRequest.addParameter("service", service.getId());
        this.context = new JEEContext(this.httpServletRequest, new MockHttpServletResponse());
        this.requestContext = new MockRequestContext();
        this.requestContext.setExternalContext(new ServletExternalContext(new MockServletContext(), this.context.getNativeRequest(), this.context.getNativeResponse()));
        RequestContextHolder.setRequestContext(this.requestContext);
        ExternalContextHolder.setExternalContext(this.requestContext.getExternalContext());
    }

    @Test
    public void verifyOidcStoreOperation() throws Exception {
        OidcConfiguration oidcConfiguration = new OidcConfiguration();
        oidcConfiguration.setClientId(UUID.randomUUID().toString());
        oidcConfiguration.setSecret(UUID.randomUUID().toString());
        OidcClient oidcClient = new OidcClient(oidcConfiguration);
        oidcClient.setConfiguration(oidcConfiguration);
        TransientSessionTicket store = this.delegatedClientAuthenticationWebflowManager.store(this.requestContext, this.context, oidcClient);
        Assertions.assertNotNull(this.ticketRegistry.getTicket(store.getId()));
        Assertions.assertNotNull(this.delegatedClientAuthenticationWebflowManager.retrieve(this.requestContext, this.context, oidcClient));
        Assertions.assertNull(this.ticketRegistry.getTicket(store.getId()));
    }

    @Test
    public void verifyOAuth2StoreOperation() throws Exception {
        OAuth20Configuration oAuth20Configuration = new OAuth20Configuration();
        oAuth20Configuration.setKey(UUID.randomUUID().toString());
        oAuth20Configuration.setSecret(UUID.randomUUID().toString());
        OAuth20Client oAuth20Client = new OAuth20Client();
        oAuth20Client.setConfiguration(oAuth20Configuration);
        TransientSessionTicket store = this.delegatedClientAuthenticationWebflowManager.store(this.requestContext, this.context, oAuth20Client);
        Assertions.assertNotNull(this.ticketRegistry.getTicket(store.getId()));
        Assertions.assertNotNull(this.delegatedClientAuthenticationWebflowManager.retrieve(this.requestContext, this.context, oAuth20Client));
        Assertions.assertNull(this.ticketRegistry.getTicket(store.getId()));
    }

    @Test
    public void verifyOAuth1StoreOperation() throws Exception {
        OAuth10Configuration oAuth10Configuration = new OAuth10Configuration();
        oAuth10Configuration.setKey(UUID.randomUUID().toString());
        oAuth10Configuration.setSecret(UUID.randomUUID().toString());
        OAuth10Client oAuth10Client = new OAuth10Client();
        oAuth10Client.setConfiguration(oAuth10Configuration);
        TransientSessionTicket store = this.delegatedClientAuthenticationWebflowManager.store(this.requestContext, this.context, oAuth10Client);
        Assertions.assertNotNull(this.ticketRegistry.getTicket(store.getId()));
        Assertions.assertNotNull(this.delegatedClientAuthenticationWebflowManager.retrieve(this.requestContext, this.context, oAuth10Client));
        Assertions.assertNull(this.ticketRegistry.getTicket(store.getId()));
    }

    @Test
    public void verifyCasStoreOperation() throws Exception {
        SessionLocaleResolver sessionLocaleResolver = new SessionLocaleResolver();
        this.httpServletRequest.setAttribute(DispatcherServlet.LOCALE_RESOLVER_ATTRIBUTE, sessionLocaleResolver);
        CasConfiguration casConfiguration = new CasConfiguration();
        casConfiguration.setLoginUrl("https://example.org/login");
        CasClient casClient = new CasClient();
        casClient.setConfiguration(casConfiguration);
        this.httpServletRequest.addParameter("locale", "de");
        TransientSessionTicket store = this.delegatedClientAuthenticationWebflowManager.store(this.requestContext, this.context, casClient);
        Assertions.assertNotNull(this.ticketRegistry.getTicket(store.getId()));
        Assertions.assertNotNull(this.delegatedClientAuthenticationWebflowManager.retrieve(this.requestContext, this.context, casClient));
        Assertions.assertNull(this.ticketRegistry.getTicket(store.getId()));
        Assertions.assertEquals(Locale.GERMAN, sessionLocaleResolver.resolveLocale(this.httpServletRequest));
    }

    @Test
    public void verifySamlStoreOperation() throws Exception {
        SAML2Client sAML2Client = new SAML2Client(new SAML2Configuration());
        TransientSessionTicket store = this.delegatedClientAuthenticationWebflowManager.store(this.requestContext, this.context, sAML2Client);
        Assertions.assertNotNull(this.ticketRegistry.getTicket(store.getId()));
        Assertions.assertEquals(store.getId(), this.delegatedClientDistributedSessionStore.get(this.context, "samlRelayState").get());
        this.httpServletRequest.addParameter("RelayState", store.getId());
        Assertions.assertNotNull(this.delegatedClientAuthenticationWebflowManager.retrieve(this.requestContext, this.context, sAML2Client));
        Assertions.assertNull(this.ticketRegistry.getTicket(store.getId()));
    }

    @Test
    public void verifyForceAuthnOperation() throws Exception {
        CasRegisteredService registeredService = RegisteredServiceTestUtils.getRegisteredService(UUID.randomUUID().toString());
        registeredService.setProperties(Map.of(RegisteredServiceProperty.RegisteredServiceProperties.DELEGATED_AUTHN_FORCE_AUTHN.getPropertyName(), new DefaultRegisteredServiceProperty(new String[]{"true"})));
        this.servicesManager.save(registeredService);
        this.httpServletRequest.setParameter("service", registeredService.getServiceId());
        Pair<SAML2Client, SAML2MessageContext> pair = setupTestContextFor(File.createTempFile("sp-metadata", ".xml").getAbsolutePath(), "cas.example.sp");
        TransientSessionTicket store = this.delegatedClientAuthenticationWebflowManager.store(this.requestContext, this.context, (Client) pair.getLeft());
        Assertions.assertNotNull(this.ticketRegistry.getTicket(store.getId()));
        Assertions.assertEquals(store.getId(), this.delegatedClientDistributedSessionStore.get(this.context, "samlRelayState").get());
        Assertions.assertTrue(new SAML2AuthnRequestBuilder().build((SAML2MessageContext) pair.getRight()).isForceAuthn().booleanValue());
        this.httpServletRequest.addParameter("RelayState", store.getId());
        Assertions.assertNotNull(this.delegatedClientAuthenticationWebflowManager.retrieve(this.requestContext, this.context, (Client) pair.getLeft()));
        Assertions.assertNull(this.ticketRegistry.getTicket(store.getId()));
    }

    @Test
    public void verifyPassiveAuthnOperation() throws Exception {
        CasRegisteredService registeredService = RegisteredServiceTestUtils.getRegisteredService(UUID.randomUUID().toString());
        registeredService.setProperties(Map.of(RegisteredServiceProperty.RegisteredServiceProperties.DELEGATED_AUTHN_PASSIVE_AUTHN.getPropertyName(), new DefaultRegisteredServiceProperty(new String[]{"true"})));
        this.servicesManager.save(registeredService);
        this.httpServletRequest.setParameter("service", registeredService.getServiceId());
        Pair<SAML2Client, SAML2MessageContext> pair = setupTestContextFor(File.createTempFile("sp-metadata", ".xml").getAbsolutePath(), "cas.example.sp");
        TransientSessionTicket store = this.delegatedClientAuthenticationWebflowManager.store(this.requestContext, this.context, (Client) pair.getLeft());
        Assertions.assertNotNull(this.ticketRegistry.getTicket(store.getId()));
        Assertions.assertEquals(store.getId(), this.delegatedClientDistributedSessionStore.get(this.context, "samlRelayState").get());
        Assertions.assertTrue(new SAML2AuthnRequestBuilder().build((SAML2MessageContext) pair.getRight()).isPassive().booleanValue());
        this.httpServletRequest.addParameter("RelayState", store.getId());
        Assertions.assertNotNull(this.delegatedClientAuthenticationWebflowManager.retrieve(this.requestContext, this.context, (Client) pair.getLeft()));
        Assertions.assertNull(this.ticketRegistry.getTicket(store.getId()));
    }

    @Test
    public void verifyNoTransientSessionTicketStored() throws Exception {
        SAML2Client sAML2Client = new SAML2Client(new SAML2Configuration());
        this.delegatedClientAuthenticationWebflowManager.store(this.requestContext, this.context, sAML2Client);
        this.httpServletRequest.addParameter("service", "https://google.com");
        Assertions.assertEquals("https://google.com", this.delegatedClientAuthenticationWebflowManager.retrieve(this.requestContext, this.context, sAML2Client).getId());
    }

    @Test
    public void verifyExpiredTicketOperation() throws Exception {
        SAML2Client sAML2Client = new SAML2Client(new SAML2Configuration());
        TransientSessionTicket store = this.delegatedClientAuthenticationWebflowManager.store(this.requestContext, this.context, sAML2Client);
        Assertions.assertNotNull(this.ticketRegistry.getTicket(store.getId()));
        Assertions.assertEquals(store.getId(), this.delegatedClientDistributedSessionStore.get(this.context, "samlRelayState").get());
        this.httpServletRequest.addParameter("RelayState", store.getId());
        store.markTicketExpired();
        Assertions.assertThrows(UnauthorizedServiceException.class, () -> {
            this.delegatedClientAuthenticationWebflowManager.retrieve(this.requestContext, this.context, sAML2Client);
        });
    }

    private Pair<SAML2Client, SAML2MessageContext> setupTestContextFor(String str, String str2) throws Exception {
        SAML2Configuration sAML2Configuration = new SAML2Configuration(new File(FileUtils.getTempDirectory(), "keystore").getCanonicalPath(), "changeit", "changeit", new File("src/test/resources/idp-metadata.xml").getCanonicalPath());
        sAML2Configuration.setServiceProviderEntityId(str2);
        sAML2Configuration.setServiceProviderMetadataPath(str);
        sAML2Configuration.setForceKeystoreGeneration(true);
        sAML2Configuration.setForceServiceProviderMetadataGeneration(true);
        sAML2Configuration.init();
        SAML2Client sAML2Client = new SAML2Client(sAML2Configuration);
        sAML2Client.setCallbackUrl("http://callback.example.org");
        sAML2Client.init();
        SAML2MessageContext sAML2MessageContext = new SAML2MessageContext();
        sAML2MessageContext.setSaml2Configuration(sAML2Configuration);
        sAML2MessageContext.setWebContext(this.context);
        SAMLPeerEntityContext subcontext = sAML2MessageContext.getMessageContext().getSubcontext(SAMLPeerEntityContext.class, true);
        Assertions.assertNotNull(subcontext);
        subcontext.setEntityId("https://cas.example.org/idp");
        SAMLMetadataContext subcontext2 = subcontext.getSubcontext(SAMLMetadataContext.class, true);
        Assertions.assertNotNull(subcontext2);
        PredicateRoleDescriptorResolver predicateRoleDescriptorResolver = new PredicateRoleDescriptorResolver(sAML2Client.getIdpMetadataResolver().resolve());
        predicateRoleDescriptorResolver.initialize();
        subcontext2.setRoleDescriptor(predicateRoleDescriptorResolver.resolveSingle(new CriteriaSet(new Criterion[]{new EntityIdCriterion((String) Objects.requireNonNull(subcontext.getEntityId())), new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME)})));
        SAMLSelfEntityContext subcontext3 = sAML2MessageContext.getMessageContext().getSubcontext(SAMLSelfEntityContext.class, true);
        Assertions.assertNotNull(subcontext3);
        subcontext3.setEntityId(sAML2Configuration.getServiceProviderEntityId());
        SAMLMetadataContext subcontext4 = subcontext3.getSubcontext(SAMLMetadataContext.class, true);
        Assertions.assertNotNull(subcontext4);
        PredicateRoleDescriptorResolver predicateRoleDescriptorResolver2 = new PredicateRoleDescriptorResolver(sAML2Client.getSpMetadataResolver().resolve());
        predicateRoleDescriptorResolver2.initialize();
        subcontext4.setRoleDescriptor(predicateRoleDescriptorResolver2.resolveSingle(new CriteriaSet(new Criterion[]{new EntityIdCriterion((String) Objects.requireNonNull(subcontext3.getEntityId())), new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME)})));
        return Pair.of(sAML2Client, sAML2MessageContext);
    }
}
