package com.floragunn.dlic.auth.http.saml;

import com.fasterxml.jackson.core.type.TypeReference;
import com.floragunn.dlic.auth.http.jwt.keybyoidc.TestJwts;
import com.floragunn.searchguard.DefaultObjectMapper;
import com.floragunn.searchguard.test.helper.cluster.FileHelper;
import com.floragunn.searchguard.user.AuthCredentials;
import com.floragunn.searchguard.util.FakeRestRequest;
import com.google.common.collect.ImmutableMap;
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Security;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.KeyManagerFactory;
import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.elasticsearch.common.bytes.BytesArray;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.io.stream.BytesStreamOutput;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.rest.RestChannel;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestResponse;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.xcontent.XContentBuilder;
import org.elasticsearch.xcontent.XContentType;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;

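@Deprecated
/**
 * Tests for the legacy {@code HTTPSamlAuthenticator} against an in-process {@link MockSamlIdpServer}.
 *
 * <p>Each test configures the mock IdP (signing keys, user, roles, endpoint query string), builds an
 * authenticator pointing at it, drives the SP-initiated or IdP-initiated SAML flow through the REST
 * token-exchange endpoint and inspects the resulting JWT or HTTP status. The logout tests check that the
 * SP can sign a LogoutRequest with a private key supplied inline (plain or password-protected).
 *
 * <p>All key material and passwords in this class are test fixtures only.
 */
public class HTTPSamlAuthenticatorTest {
    /** Mock IdP shared by all tests; started in {@link #setUp()}, closed in {@link #tearDown()}. */
    protected static MockSamlIdpServer mockSamlIdpServer;

    /**
     * Matches a challenge of the form {@code SCHEME k1="v1" k2="v2" k3="v3"}: group 1 is the scheme,
     * groups 2/3, 4/5 and 6/7 are the three key/value pairs.
     */
    private static final Pattern WWW_AUTHENTICATE_PATTERN;

    /** Password-protected PKCS#8 test key (password {@link #KEYSTORE_PASSWORD}) for the encrypted-key logout test. */
    private static final String SPOCK_KEY = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIE6TAbBgkqhkiG9w0BBQMwDgQI0JMa7PyPedwCAggABIIEyLdPL2RXj8jjKqFT\np+7vywwyxyUQOQvvIIU6H+lKZPd/y6pxzYtGd1suT2aermrrlh4b/ZXXfj/EcKcw\nGgcXB60Kr7UHIv7Xr498S4EKa9R7UG0NtWtsA3FVR5ndwXI+CiRSShhkskmpseVH\ndNWAoUsKQFbZRLnoINMKIw1/lpQBUwAUcYVB7LxLeKSTVHn/h9kvq0tad1kbE5OY\nGnOLEVW311++XQ3Ep/13tGEZCrxef+QsnmXuYxXBq4RvbyGZOvyM2FC7va8KzJxl\nP38SPEL1TzqokQB/eLDBMBOCqkhTbP/8lNuoEVm44T6//ijBp6VdBB+YRIFh3NrS\n1fPuDVgHr1jrRGICe8lzWy/bSa+4FlxYjn5qpEzZQtbC6C+iRzlwtlCiDdKl8zJ1\nYF80OW9Gr3Kvph2LJukBiODcyWUAsAf5vJH3vfPV4T9kWTNMu2NCy3Ch8u9d906k\nzojB/tRRdZ/XCftkU05gYU/5ruU1YA49U60s0KWXvSLmecFo2SjkcEoPDI+Y80Uw\nOB/5kdh1M1uu/qjoJTPWBbZ28L6e0fiMsr7eWSG7PQFwnN6VzY6Oesm8AS8LMe3V\nDr4Syec8vVfGg/EDsjNC1yeZTzlO66NQYGkpnHwK1kgX/XXe7fjDfztPyM9crBXj\nYcYpNULAkMj9QUVDQqQ7L8TjoAFQiSdvNa+kkDhaxnAXoxfqeacTtkpKcHADsAQL\nazfoyflnpuZ1dIn0noRFsVuguKDp4k990bhXu9RkQ1H5IzIoYqJwypacVdt3m74o\njpZvBY6z0EtBNkze6WA0Vj0BSWpy/IzndDwroG4Xf+54hn0R/Tp5K5UNttOaJN8c\n9U/NTiGJTJg1O4x6xbPD7C5bBdoJ/MH5yJuk/dUc7pVkisLpuH9sAPETjYCdFIjX\nMSRJCtq2ouT0ZRW1yBIrKIadgHLExhjZjTSQCBXJMbO7r2DjPHMZU23GTiPtC8ua\nL2BmC+AW7RQ2Fyo3hJDT2TM4XlMMlTtGuFxkWwmjV+FiwfjbiR3cp0+99/X6OFu5\nysgZLuTMQsmWNJ8ZARZqBnkGnN92Aw4D5GLCFv3QXO+fqJnOP1PbkPwpjq59Yytf\nU4XqyTwRYSXRzwPFFb7RcgL9HbmjpRBEnvqEjKYeXxkBnhs+WOWN/PuJzGgP5uAk\njAjQbtgLEPd4WpGcwEhkX6S1DBi8NrGapuehCjXsN1axify8Kx4eRuTiPdINlgsq\nd2MsPIuDgU2+0QXrXjRLwABcMGuKcmmfZjC+zZomj+yr4+Togs3vhSj9yGK3HHMh\nNgOlPBTibruXXa4AI07c28j3sEry+CMZrUGyYg6o1HLBpBfOmp7V5HJcvkMFWCVy\nDPFm5LZu0jZMDj9a+oGkv4hfp1xSXSUjhjiGz47xFJb6PH9pOUIkhTEdFCgEXbaR\nfXcR+kakLOotL4X1cT9cpxdimN3CCTBpr03gCv2NCVYMYhHKHK+CQVngJrY+PzMH\nq6fw81bUNcixZyeXFfLFN6GK75k51UV7YS/X2H8YkqGeIVNaFjrcqUoVAN8jQOeb\nXXIa8gT/MdNT0+W3NHKcbE31pDhOI92COZWlhOyp1cLhyo1ytayjxPTl/2RM/Vtj\nT9IKkp7810LOKhrCDQ==\n-----END ENCRYPTED PRIVATE KEY-----";

    /** Password of the test keystores and of {@link #SPOCK_KEY}; fixture only. */
    private static final String KEYSTORE_PASSWORD = "changeit";
    /** Classpath location of the keystore the mock IdP signs with in most tests. */
    private static final String KIRK_KEYSTORE = "saml-legacy/kirk-keystore.jks";
    /** Classpath location of the keystore holding the SP signing key (and the "wrong" IdP key). */
    private static final String SPOCK_KEYSTORE = "saml-legacy/spock-keystore.jks";
    /** Kibana URL the authenticator is configured with; only used to build redirect/ACS URLs. */
    private static final String KIBANA_URL = "http://wherever";
    /** User the mock IdP authenticates in the happy-path tests. */
    private static final String IDP_USER = "horst";

    /** SP signing certificate loaded from {@link #SPOCK_KEYSTORE} by {@link #initSpSigningKeys()}. */
    private static X509Certificate spSigningCertificate;
    /** SP signing private key loaded from {@link #SPOCK_KEYSTORE} by {@link #initSpSigningKeys()}. */
    private static PrivateKey spSigningPrivateKey;

    /** The two values the SP hands out in its WWW-Authenticate challenge: IdP redirect URL and SAML request id. */
    public static class AuthenticateHeaders {
        final String location;
        final String requestId;

        AuthenticateHeaders(String location, String requestId) {
            this.location = location;
            this.requestId = requestId;
        }
    }

    /** Minimal {@link RestChannel} that only records the response sent through it; builders are unsupported (null). */
    public static class TestRestChannel implements RestChannel {
        final RestRequest restRequest;
        /** The last response passed to {@link #sendResponse(RestResponse)}; null if nothing was sent. */
        RestResponse response;

        TestRestChannel(RestRequest restRequest) {
            this.restRequest = restRequest;
        }

        public XContentBuilder newBuilder() throws IOException {
            return null;
        }

        public XContentBuilder newErrorBuilder() throws IOException {
            return null;
        }

        public XContentBuilder newBuilder(XContentType xContentType, boolean useFiltering) throws IOException {
            return null;
        }

        public BytesStreamOutput bytesOutput() {
            return null;
        }

        public RestRequest request() {
            return this.restRequest;
        }

        public boolean detailedErrorsEnabled() {
            return false;
        }

        public void sendResponse(RestResponse restResponse) {
            this.response = restResponse;
        }

        public XContentBuilder newBuilder(XContentType xContentType, XContentType responseContentType, boolean useFiltering) throws IOException {
            return null;
        }
    }

    /** Starts the shared mock IdP and loads the SP signing key pair. */
    @BeforeClass
    public static void setUp() throws Exception {
        mockSamlIdpServer = new MockSamlIdpServer();
        mockSamlIdpServer.start();
        initSpSigningKeys();
    }

    /** Closes the shared mock IdP; a failure to close is surfaced to JUnit instead of being swallowed. */
    @AfterClass
    public static void tearDown() throws Exception {
        if (mockSamlIdpServer != null) {
            try {
                mockSamlIdpServer.close();
            } finally {
                mockSamlIdpServer = null;
            }
        }
    }

    /** SP-initiated login with a correctly signed response yields a bearer JWT whose subject is the IdP user. */
    @Test
    public void basicTest() throws Exception {
        mockSamlIdpServer.setSignResponses(true);
        mockSamlIdpServer.loadSigningKeys(KIRK_KEYSTORE, "kirk");
        mockSamlIdpServer.setAuthenticateUser(IDP_USER);
        mockSamlIdpServer.setEndpointQueryString(null);
        HTTPSamlAuthenticator authenticator = newAuthenticator(baseSettings(mockSamlIdpServer));

        TestRestChannel channel = runSpInitiatedLogin(authenticator, mockSamlIdpServer);

        JwtToken token = parseBearerToken(authorizationFromResponse(channel));
        Assert.assertEquals(IDP_USER, token.getClaim("sub"));
    }

    /** IdP-initiated (unsolicited) login: no RequestId, the ACS endpoint is named in the exchange request instead. */
    @Test
    public void unsolicitedSsoTest() throws Exception {
        mockSamlIdpServer.setSignResponses(true);
        mockSamlIdpServer.loadSigningKeys(KIRK_KEYSTORE, "kirk");
        mockSamlIdpServer.setAuthenticateUser(IDP_USER);
        mockSamlIdpServer.setEndpointQueryString(null);
        mockSamlIdpServer.setDefaultAssertionConsumerService(KIBANA_URL + "/searchguard/saml/acs/idpinitiated");
        HTTPSamlAuthenticator authenticator = newAuthenticator(baseSettings(mockSamlIdpServer));

        String samlResponse = mockSamlIdpServer.createUnsolicitedSamlResponse();
        TestRestChannel channel = new TestRestChannel(
                buildTokenExchangeRestRequest(samlResponse, null, "/searchguard/saml/acs/idpinitiated"));
        authenticator.reRequestAuthentication(channel, (AuthCredentials) null);

        JwtToken token = parseBearerToken(authorizationFromResponse(channel));
        Assert.assertEquals(IDP_USER, token.getClaim("sub"));
    }

    /** An unsolicited response presented with a RequestId it was not issued for must be rejected with 401. */
    @Test
    public void badUnsolicitedSsoTest() throws Exception {
        mockSamlIdpServer.setSignResponses(true);
        mockSamlIdpServer.loadSigningKeys(KIRK_KEYSTORE, "kirk");
        mockSamlIdpServer.setAuthenticateUser(IDP_USER);
        mockSamlIdpServer.setEndpointQueryString(null);
        mockSamlIdpServer.setDefaultAssertionConsumerService(KIBANA_URL + "/searchguard/saml/acs/idpinitiated");
        HTTPSamlAuthenticator authenticator = newAuthenticator(baseSettings(mockSamlIdpServer));

        // The response carries no InResponseTo, so echoing any request id back is inconsistent and must fail.
        AuthenticateHeaders forgedHeaders = new AuthenticateHeaders(KIBANA_URL + "/searchguard/saml/acs/", "wrong_request_id");
        String samlResponse = mockSamlIdpServer.createUnsolicitedSamlResponse();
        TestRestChannel channel = new TestRestChannel(
                buildTokenExchangeRestRequest(samlResponse, forgedHeaders, "/searchguard/saml/acs/idpinitiated"));
        authenticator.reRequestAuthentication(channel, (AuthCredentials) null);

        Assert.assertEquals(RestStatus.UNAUTHORIZED, channel.response.status());
    }

    /** A response signed with a key that is not the IdP's published signing key must be rejected with 401. */
    @Test
    public void wrongCertTest() throws Exception {
        mockSamlIdpServer.setSignResponses(true);
        mockSamlIdpServer.loadSigningKeys(KIRK_KEYSTORE, "kirk");
        mockSamlIdpServer.setAuthenticateUser(IDP_USER);
        mockSamlIdpServer.setEndpointQueryString(null);
        HTTPSamlAuthenticator authenticator = newAuthenticator(baseSettings(mockSamlIdpServer));
        AuthenticateHeaders headers = getAuthenticateHeaders(authenticator);

        // Swap the IdP's signing key only after the challenge was issued, so the response is signed by a key
        // the SP has not seen in the metadata.
        mockSamlIdpServer.loadSigningKeys(SPOCK_KEYSTORE, "spock");
        String samlResponse = mockSamlIdpServer.handleSsoGetRequestURI(headers.location);
        TestRestChannel channel = new TestRestChannel(buildTokenExchangeRestRequest(samlResponse, headers));
        authenticator.reRequestAuthentication(channel, (AuthCredentials) null);

        Assert.assertEquals(RestStatus.UNAUTHORIZED, channel.response.status());
    }

    /** An unsigned response must be rejected with 401 even though its content is otherwise valid. */
    @Test
    public void noSignatureTest() throws Exception {
        mockSamlIdpServer.setSignResponses(false);
        mockSamlIdpServer.setAuthenticateUser(IDP_USER);
        mockSamlIdpServer.setEndpointQueryString(null);
        HTTPSamlAuthenticator authenticator = newAuthenticator(baseSettings(mockSamlIdpServer));

        TestRestChannel channel = runSpInitiatedLogin(authenticator, mockSamlIdpServer);

        Assert.assertEquals(RestStatus.UNAUTHORIZED, channel.response.status());
    }

    /** Multi-valued role attribute from the IdP is carried into the JWT roles claim as a list. */
    @Test
    public void rolesTest() throws Exception {
        mockSamlIdpServer.setSignResponses(true);
        mockSamlIdpServer.loadSigningKeys(KIRK_KEYSTORE, "kirk");
        mockSamlIdpServer.setAuthenticateUser(IDP_USER);
        mockSamlIdpServer.setAuthenticateUserRoles(Arrays.asList("a", "b"));
        mockSamlIdpServer.setEndpointQueryString(null);
        HTTPSamlAuthenticator authenticator = newAuthenticator(baseSettings(mockSamlIdpServer));

        TestRestChannel channel = runSpInitiatedLogin(authenticator, mockSamlIdpServer);

        JwtToken token = parseBearerToken(authorizationFromResponse(channel));
        Assert.assertEquals(IDP_USER, token.getClaim("sub"));
        Assert.assertArrayEquals(new String[] {"a", "b"}, rolesClaim(token));
    }

    /** The SP must preserve an existing query string on the IdP SSO endpoint when redirecting. */
    @Test
    public void idpEndpointWithQueryStringTest() throws Exception {
        mockSamlIdpServer.setSignResponses(true);
        mockSamlIdpServer.loadSigningKeys(KIRK_KEYSTORE, "kirk");
        mockSamlIdpServer.setAuthenticateUser(IDP_USER);
        mockSamlIdpServer.setEndpointQueryString("extra=query");
        HTTPSamlAuthenticator authenticator = newAuthenticator(baseSettings(mockSamlIdpServer));

        TestRestChannel channel = runSpInitiatedLogin(authenticator, mockSamlIdpServer);

        JwtToken token = parseBearerToken(authorizationFromResponse(channel));
        Assert.assertEquals(IDP_USER, token.getClaim("sub"));
    }

    /** A single role attribute value "a,b" is split on the configured separator into two roles. */
    @Test
    public void commaSeparatedRolesTest() throws Exception {
        mockSamlIdpServer.setAuthenticateUser(IDP_USER);
        mockSamlIdpServer.setSignResponses(true);
        mockSamlIdpServer.loadSigningKeys(KIRK_KEYSTORE, "kirk");
        mockSamlIdpServer.setAuthenticateUserRoles(Arrays.asList("a,b"));
        mockSamlIdpServer.setEndpointQueryString(null);
        // "roles_seperator" (sic) is the setting name the authenticator reads; do not correct the spelling here.
        HTTPSamlAuthenticator authenticator = newAuthenticator(baseSettings(mockSamlIdpServer).put("roles_seperator", ","));

        TestRestChannel channel = runSpInitiatedLogin(authenticator, mockSamlIdpServer);

        JwtToken token = parseBearerToken(authorizationFromResponse(channel));
        Assert.assertEquals(IDP_USER, token.getClaim("sub"));
        Assert.assertArrayEquals(new String[] {"a", "b"}, rolesClaim(token));
    }

    /** The SP signs its LogoutRequest with an unencrypted private key supplied inline. */
    @Test
    public void basicLogoutTest() throws Exception {
        mockSamlIdpServer.setSignResponses(true);
        mockSamlIdpServer.loadSigningKeys(KIRK_KEYSTORE, "kirk");
        mockSamlIdpServer.setAuthenticateUser(IDP_USER);
        // Presumably lets the mock IdP check the LogoutRequest signature against the SP certificate.
        mockSamlIdpServer.setSpSignatureCertificate(spSigningCertificate);
        mockSamlIdpServer.setEndpointQueryString(null);

        // Single-dash PEM markers are what the authenticator under test accepts; keep them as-is.
        String inlinePrivateKey = "-BEGIN PRIVATE KEY-\n"
                + Base64.getEncoder().encodeToString(spSigningPrivateKey.getEncoded())
                + "-END PRIVATE KEY-";
        HTTPSamlAuthenticator authenticator = newAuthenticator(
                baseSettings(mockSamlIdpServer).put("sp.signature_private_key", inlinePrivateKey));

        mockSamlIdpServer.handleSloGetRequestURI(authenticator.buildLogoutUrl(logoutCredentials()));
    }

    /** Same as {@link #basicLogoutTest()}, but the inline private key is password-protected. */
    @Test
    public void basicLogoutTestEncryptedKey() throws Exception {
        mockSamlIdpServer.setSignResponses(true);
        mockSamlIdpServer.loadSigningKeys(KIRK_KEYSTORE, "kirk");
        mockSamlIdpServer.setAuthenticateUser(IDP_USER);
        mockSamlIdpServer.setSpSignatureCertificate(spSigningCertificate);
        mockSamlIdpServer.setEndpointQueryString(null);

        HTTPSamlAuthenticator authenticator = newAuthenticator(baseSettings(mockSamlIdpServer)
                .put("sp.signature_private_key", SPOCK_KEY)
                .put("sp.signature_private_key_password", KEYSTORE_PASSWORD));

        mockSamlIdpServer.handleSloGetRequestURI(authenticator.buildLogoutUrl(logoutCredentials()));
    }

    /**
     * The authenticator must survive the IdP being unreachable when it is created: it sends no challenge
     * at all, and recovers once the metadata becomes available and the minimum refresh delay has passed.
     */
    @Test
    public void initialConnectionFailureTest() throws Exception {
        // A dedicated, not-yet-started IdP so that the metadata URL is unreachable at construction time.
        try (MockSamlIdpServer idp = new MockSamlIdpServer()) {
            HTTPSamlAuthenticator authenticator = newAuthenticator(baseSettings(idp).put("idp.min_refresh_delay", 100));

            TestRestChannel failedChannel = new TestRestChannel(new FakeRestRequest(ImmutableMap.of(), new HashMap<>()));
            authenticator.reRequestAuthentication(failedChannel, (AuthCredentials) null);
            // Without metadata no challenge can be built, so nothing must have been sent on the channel.
            Assert.assertNull(failedChannel.response);

            idp.start();
            idp.setSignResponses(true);
            idp.loadSigningKeys(KIRK_KEYSTORE, "kirk");
            idp.setAuthenticateUser(IDP_USER);
            idp.setEndpointQueryString(null);
            // Wait past idp.min_refresh_delay so the next request is allowed to re-fetch the metadata.
            Thread.sleep(500L);

            TestRestChannel channel = runSpInitiatedLogin(authenticator, idp);

            JwtToken token = parseBearerToken(authorizationFromResponse(channel));
            Assert.assertEquals(IDP_USER, token.getClaim("sub"));
        }
    }

    /** "subject_pattern" rewrites the NameID: the first capture group becomes the JWT subject. */
    @Test
    public void subjectPatternTest() throws Exception {
        mockSamlIdpServer.setSignResponses(true);
        mockSamlIdpServer.loadSigningKeys(KIRK_KEYSTORE, "kirk");
        mockSamlIdpServer.setAuthenticateUser("leonard@example.com");
        mockSamlIdpServer.setEndpointQueryString(null);
        HTTPSamlAuthenticator authenticator = newAuthenticator(
                baseSettings(mockSamlIdpServer).put("subject_pattern", "^(.+)@(?:.+)$"));

        TestRestChannel channel = runSpInitiatedLogin(authenticator, mockSamlIdpServer);

        JwtToken token = parseBearerToken(authorizationFromResponse(channel));
        Assert.assertEquals("leonard", token.getClaim("sub"));
    }

    /**
     * Settings shared by every authenticator under test, pointing at the given mock IdP.
     * Callers may add test-specific settings before building.
     */
    private static Settings.Builder baseSettings(MockSamlIdpServer idp) {
        return Settings.builder()
                .put("idp.metadata_url", idp.getMetadataUri())
                .put("kibana_url", KIBANA_URL)
                .put("idp.entity_id", idp.getIdpEntityId())
                .put("exchange_key", "abc")
                .put("roles_key", TestJwts.ROLES_CLAIM)
                .put("path.home", ".");
    }

    /** Builds the authenticator; the explicit {@code Path} cast selects the constructor without a config directory. */
    private static HTTPSamlAuthenticator newAuthenticator(Settings.Builder settings) {
        return new HTTPSamlAuthenticator(settings.build(), (Path) null);
    }

    /**
     * Drives the SP-initiated flow end to end: request the challenge, let the IdP answer it, and post
     * the SAML response plus request id to the token exchange endpoint.
     *
     * @return the channel holding the token-exchange response
     */
    private TestRestChannel runSpInitiatedLogin(HTTPSamlAuthenticator authenticator, MockSamlIdpServer idp) {
        AuthenticateHeaders headers = getAuthenticateHeaders(authenticator);
        String samlResponse = idp.handleSsoGetRequestURI(headers.location);
        TestRestChannel channel = new TestRestChannel(buildTokenExchangeRestRequest(samlResponse, headers));
        authenticator.reRequestAuthentication(channel, (AuthCredentials) null);
        return channel;
    }

    /**
     * Reads the "authorization" attribute of the JSON token-exchange response.
     *
     * @throws IOException if the response body is not valid JSON
     * @throws AssertionError if the attribute is missing
     */
    private static String authorizationFromResponse(TestRestChannel channel) throws IOException {
        String json = new String(BytesReference.toBytes(channel.response.content()), StandardCharsets.UTF_8);
        HashMap<String, Object> body = DefaultObjectMapper.objectMapper.readValue(json, new TypeReference<HashMap<String, Object>>() {});
        String authorization = (String) body.get("authorization");
        Assert.assertNotNull("Expected authorization attribute in JSON: " + json, authorization);
        return authorization;
    }

    /** Strips the "bearer" scheme and parses the remaining JWS compact serialization (signature is not verified here). */
    private static JwtToken parseBearerToken(String authorization) {
        return new JwsJwtCompactConsumer(authorization.replaceAll("\\s*bearer\\s*", "")).getJwtToken();
    }

    /** The roles claim of the JWT as a string array, for {@code assertArrayEquals}. */
    private static String[] rolesClaim(JwtToken token) {
        return ((List<?>) token.getClaim(TestJwts.ROLES_CLAIM)).toArray(new String[0]);
    }

    /** Credentials of a logged-in SAML user carrying the attributes the logout URL builder reads. */
    private static AuthCredentials logoutCredentials() {
        return AuthCredentials.forUser(IDP_USER)
                .oldAttribute("attr.jwt.sub", IDP_USER)
                .oldAttribute("attr.jwt.saml_nif", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
                .oldAttribute("attr.jwt.saml_si", "si123")
                .build();
    }

    /**
     * Requests the SAML challenge from the authenticator and parses its single WWW-Authenticate header,
     * which is expected to look like {@code X-SG-IdP realm="..." location="..." requestId="..."}.
     */
    private AuthenticateHeaders getAuthenticateHeaders(HTTPSamlAuthenticator authenticator) {
        TestRestChannel channel = new TestRestChannel(new FakeRestRequest(ImmutableMap.of(), new HashMap<>()));
        authenticator.reRequestAuthentication(channel, (AuthCredentials) null);

        List<String> challenges = channel.response.getHeaders().get("WWW-Authenticate");
        Assert.assertNotNull(challenges);
        Assert.assertEquals("More than one WWW-Authenticate header: " + challenges, 1L, challenges.size());

        String challenge = challenges.get(0);
        Matcher matcher = WWW_AUTHENTICATE_PATTERN.matcher(challenge);
        Assert.assertTrue("Invalid WWW-Authenticate header: " + challenge, matcher.matches());
        Assert.assertEquals("X-SG-IdP", matcher.group(1));
        Assert.assertEquals("location", matcher.group(4));
        Assert.assertEquals("requestId", matcher.group(6));
        return new AuthenticateHeaders(matcher.group(5), matcher.group(7));
    }

    /** Token-exchange request for the default ACS endpoint. */
    private RestRequest buildTokenExchangeRestRequest(String samlResponse, AuthenticateHeaders headers) {
        return buildTokenExchangeRestRequest(samlResponse, headers, "/searchguard/saml/acs");
    }

    /**
     * Builds the POST to the token-exchange endpoint.
     *
     * @param samlResponse the SAMLResponse value as produced by the mock IdP
     * @param headers      the challenge the response answers; {@code null} models an IdP-initiated login, in which
     *                     case no RequestId is sent and the ACS endpoint is named explicitly
     * @param acsEndpoint  ACS endpoint path, only used when {@code headers} is {@code null}
     */
    private RestRequest buildTokenExchangeRestRequest(String samlResponse, AuthenticateHeaders headers, String acsEndpoint) {
        // The body is assembled by concatenation; the values are assumed to need no JSON escaping (the mock IdP
        // emits an encoded SAMLResponse and the request ids/paths are fixed test values).
        String body = headers != null
                ? "{\"SAMLResponse\": \"" + samlResponse + "\", \"RequestId\": \"" + headers.requestId + "\"}"
                : "{\"SAMLResponse\": \"" + samlResponse + "\", \"RequestId\": null, \"acsEndpoint\": \"" + acsEndpoint + "\" }";
        return new FakeRestRequest.Builder()
                .withPath("/_searchguard/api/authtoken")
                .withMethod(RestRequest.Method.POST)
                .withContent(new BytesArray(body))
                .withHeaders(ImmutableMap.of("Content-Type", "application/json"))
                .build();
    }

    /**
     * Loads the SP signing certificate and private key (alias "spock") from {@link #SPOCK_KEYSTORE}.
     *
     * @throws RuntimeException wrapping any keystore or I/O failure, so that the whole class fails to set up
     */
    private static void initSpSigningKeys() {
        try {
            KeyStore keyStore = KeyStore.getInstance("JKS");
            Path keyStorePath = FileHelper.getAbsoluteFilePathFromClassPath(SPOCK_KEYSTORE);
            try (FileInputStream in = new FileInputStream(keyStorePath.toFile())) {
                keyStore.load(in, KEYSTORE_PASSWORD.toCharArray());
            }
            spSigningCertificate = (X509Certificate) keyStore.getCertificate("spock");
            spSigningPrivateKey = (PrivateKey) keyStore.getKey("spock", KEYSTORE_PASSWORD.toCharArray());
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException e) {
            throw new RuntimeException("Could not load SP signing keys from " + SPOCK_KEYSTORE, e);
        }
    }

    static {
        // The encrypted PKCS#8 fixture needs BouncyCastle's PBE algorithms; register the provider once.
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
        WWW_AUTHENTICATE_PATTERN = Pattern.compile("([^\\s]+)\\s*([^\\s=]+)=\"([^\"]+)\"\\s*([^\\s=]+)=\"([^\"]+)\"\\s*([^\\s=]+)=\"([^\"]+)\"\\s*");
    }
}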
