package org.apereo.cas.web.flow.authz;

import jakarta.servlet.http.HttpServletRequest;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.principal.AbstractWebApplicationService;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.pac4j.client.DelegatedIdentityProviders;
import org.apereo.cas.services.CasRegisteredService;
import org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy;
import org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy;
import org.apereo.cas.services.RegisteredServiceTestUtils;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.util.MockRequestContext;
import org.apereo.cas.web.BaseDelegatedAuthenticationTests;
import org.apereo.cas.web.flow.DelegatedClientIdentityProviderAuthorizer;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;
import org.pac4j.core.client.Client;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.webflow.execution.RequestContext;

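/**
 * Integration tests for the {@code delegatedClientIdentityProviderAuthorizer} bean.
 *
 * <p>The authorizer decides whether a delegated (external) identity provider may be used for a
 * given service. These tests pin the outcomes asserted below:
 * <ul>
 *   <li>no service in the request: the provider is authorized;</li>
 *   <li>a service with no registered definition: denied;</li>
 *   <li>a registered service whose access strategy is disabled: denied;</li>
 *   <li>a registered service whose allowed-providers list names a different provider: denied;</li>
 *   <li>a registered service whose allowed-providers list names this provider: authorized.</li>
 * </ul>
 *
 * <p>The service registry is emptied before every test so that each case starts from a state
 * in which nothing is registered.
 */
@Tag("Delegation")
@SpringBootTest(classes = {BaseDelegatedAuthenticationTests.SharedTestConfiguration.class})
class DefaultDelegatedClientIdentityProviderAuthorizerTests {

    /** Name of the delegated identity provider exercised by every test in this class. */
    private static final String PROVIDER_NAME = "FacebookClient";

    @Autowired
    @Qualifier("delegatedClientIdentityProviderAuthorizer")
    private DelegatedClientIdentityProviderAuthorizer delegatedClientIdentityProviderAuthorizer;

    @Autowired
    @Qualifier("delegatedIdentityProviders")
    private DelegatedIdentityProviders identityProviders;

    @Autowired
    @Qualifier("servicesManager")
    private ServicesManager servicesManager;

    /** Clears the service registry so that no definition leaks from one test into the next. */
    @BeforeEach
    public void setup() {
        this.servicesManager.deleteAll();
    }

    /**
     * Verifies the authentication-based check: an authentication whose {@code clientName}
     * attribute names the provider is authorized for a service that allows that provider.
     *
     * <p>NOTE(review): only the allow path is covered here. A companion case in which the
     * {@code clientName} attribute names a provider that the service does not allow would pin
     * the deny path of this check as well.
     */
    @Test
    void verifyClientNameFromAuth() throws Throwable {
        Client client = findProvider();
        Authentication authentication = RegisteredServiceTestUtils.getAuthentication(
            "casuser", Map.of("clientName", List.of(client.getName())));
        AbstractWebApplicationService service = RegisteredServiceTestUtils.getService(UUID.randomUUID().toString());

        DefaultRegisteredServiceAccessStrategy accessStrategy = new DefaultRegisteredServiceAccessStrategy();
        accessStrategy.setDelegatedAuthenticationPolicy(
            new DefaultRegisteredServiceDelegatedAuthenticationPolicy().setAllowedProviders(List.of(client.getName())));
        CasRegisteredService registeredService = RegisteredServiceTestUtils.getRegisteredService(service.getId(), Map.of());
        registeredService.setAccessStrategy(accessStrategy);
        this.servicesManager.save(registeredService);

        Assertions.assertTrue(
            this.delegatedClientIdentityProviderAuthorizer.isDelegatedClientAuthorizedForAuthentication(
                authentication, service, new MockRequestContext()),
            "provider named by the authentication and allowed by the service must be authorized");
    }

    /** Runs the service-based checks against both a servlet request and a webflow context. */
    @Test
    void verifyAuthzByService() throws Throwable {
        verifyAuthzForService(new MockHttpServletRequest(), new MockRequestContext());
    }

    /**
     * Walks one service through each policy state and asserts the authorizer's answer for both
     * the {@link HttpServletRequest} and the {@link RequestContext} overloads.
     *
     * @param httpServletRequest request passed to the servlet-request overload
     * @param requestContext     context passed to the webflow overload
     */
    private void verifyAuthzForService(HttpServletRequest httpServletRequest, RequestContext requestContext) throws Throwable {
        Client client = findProvider();
        AbstractWebApplicationService service = RegisteredServiceTestUtils.getService(UUID.randomUUID().toString());

        // No service at all: the authorizer answers "authorized". This is the one case in this
        // test where no per-service policy is involved, so it is asserted separately.
        Assertions.assertTrue(
            this.delegatedClientIdentityProviderAuthorizer.isDelegatedClientAuthorizedForService(
                client, (Service) null, httpServletRequest),
            "a request without a service must be authorized");

        // Nothing has been saved for this service yet (the registry was emptied in setup()).
        assertDenied(client, service, httpServletRequest, requestContext,
            "a service without a registered definition must be denied");

        // Registered, but access is switched off.
        CasRegisteredService registeredService = RegisteredServiceTestUtils.getRegisteredService(service.getId(), Map.of());
        registeredService.setAccessStrategy(new DefaultRegisteredServiceAccessStrategy().setEnabled(false));
        this.servicesManager.save(registeredService);
        assertDenied(client, service, httpServletRequest, requestContext,
            "a service with a disabled access strategy must be denied");

        // Registered with an allow-list that names a different provider. The strategy is
        // installed once; an earlier version of this test first installed a throwaway
        // enabled strategy that was replaced before it was ever saved.
        DefaultRegisteredServiceDelegatedAuthenticationPolicy allowedProviders =
            new DefaultRegisteredServiceDelegatedAuthenticationPolicy().setAllowedProviders(List.of("AnotherClient"));
        DefaultRegisteredServiceAccessStrategy accessStrategy = new DefaultRegisteredServiceAccessStrategy();
        accessStrategy.setDelegatedAuthenticationPolicy(allowedProviders);
        registeredService.setAccessStrategy(accessStrategy);
        this.servicesManager.save(registeredService);
        assertDenied(client, service, httpServletRequest, requestContext,
            "a provider missing from the service's allowed providers must be denied");

        // Same policy object, now naming the provider under test; saved again so the registry
        // holds the updated definition.
        allowedProviders.setAllowedProviders(List.of(client.getName()));
        this.servicesManager.save(registeredService);
        Assertions.assertTrue(
            this.delegatedClientIdentityProviderAuthorizer.isDelegatedClientAuthorizedForService(
                client, service, httpServletRequest),
            "an allowed provider must be authorized (servlet request)");
        Assertions.assertTrue(
            this.delegatedClientIdentityProviderAuthorizer.isDelegatedClientAuthorizedForService(
                client, service, requestContext),
            "an allowed provider must be authorized (webflow context)");
    }

    /** Asserts that both overloads of the service check refuse the provider. */
    private void assertDenied(Client client, AbstractWebApplicationService service,
                              HttpServletRequest httpServletRequest, RequestContext requestContext,
                              String reason) throws Throwable {
        Assertions.assertFalse(
            this.delegatedClientIdentityProviderAuthorizer.isDelegatedClientAuthorizedForService(
                client, service, httpServletRequest),
            reason + " (servlet request)");
        Assertions.assertFalse(
            this.delegatedClientIdentityProviderAuthorizer.isDelegatedClientAuthorizedForService(
                client, service, requestContext),
            reason + " (webflow context)");
    }

    /** Looks up the provider named {@link #PROVIDER_NAME} among the configured identity providers. */
    private Client findProvider() {
        return (Client) this.identityProviders.findClient(PROVIDER_NAME).get();
    }
}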
