package com.floragunn.dlic.auth.http.jwt.keybyoidc;

import com.floragunn.codova.documents.DocReader;
import com.floragunn.dlic.auth.http.jwt.keybyoidc.TestJwk;
import com.floragunn.dlic.auth.http.jwt.keybyoidc.TestJwts;
import com.floragunn.searchguard.user.AuthCredentials;
import com.floragunn.searchguard.util.FakeRestRequest;
import com.floragunn.searchsupport.proxy.wiremock.WireMockRequestHeaderAddingFilter;
import com.github.tomakehurst.wiremock.core.WireMockConfiguration;
import com.github.tomakehurst.wiremock.extension.Extension;
import com.github.tomakehurst.wiremock.junit.WireMockRule;
import com.google.common.collect.ImmutableMap;
import java.io.IOException;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import org.elasticsearch.common.bytes.BytesArray;
import org.elasticsearch.common.io.stream.BytesStreamOutput;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.rest.RestChannel;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestResponse;
import org.elasticsearch.xcontent.XContentBuilder;
import org.elasticsearch.xcontent.XContentType;
import org.hamcrest.CoreMatchers;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;

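/**
 * Tests for {@link HTTPJwtKeyByOpenIdConnectAuthenticator}, which validates JWTs against keys
 * published by an OpenID Connect provider.
 *
 * <p>Most tests run against one shared {@link MockIpdServer} started with {@code TestJwk.Jwks.ALL}.
 * Positive cases check the extracted user name, roles and attributes. Negative cases (expired
 * token, bad signature, unresolvable or ambiguous subject) expect {@code extractCredentials} to
 * return {@code null}, i.e. no credentials are produced for a token that must not be trusted.
 *
 * <p>NOTE(review): this class does not exercise unsigned tokens ({@code alg: none}), an
 * algorithm/key-type mismatch, or issuer/audience enforcement. Confirm those rejections are
 * covered elsewhere.
 */
@Deprecated
/* loaded from: input_file:com/floragunn/dlic/auth/http/jwt/keybyoidc/HTTPJwtKeyByOpenIdConnectAuthenticatorTest.class */
public class HTTPJwtKeyByOpenIdConnectAuthenticatorTest {
    /** Shared mock identity provider; started once in {@link #setUp()} and closed in {@link #tearDown()}. */
    protected static MockIpdServer mockIdpServer;

    /** WireMock filter constructed with ("Proxy", "wire-mock"); proxyTest uses it to prove traffic went through the proxy. */
    private static final WireMockRequestHeaderAddingFilter REQUEST_HEADER_ADDING_FILTER = new WireMockRequestHeaderAddingFilter("Proxy", "wire-mock");

    /** Forward proxy bound to the loopback address 127.0.0.8 on a dynamic port. */
    @ClassRule
    public static WireMockRule wireMockProxy = new WireMockRule(WireMockConfiguration.options().bindAddress("127.0.0.8").enableBrowserProxying(true).proxyPassThrough(true).dynamicPort().extensions(new Extension[]{REQUEST_HEADER_ADDING_FILTER}));

    /**
     * Minimal {@link RestChannel} that only records the response passed to
     * {@link #sendResponse(RestResponse)}; all builder and output methods return {@code null}.
     */
    /* loaded from: input_file:com/floragunn/dlic/auth/http/jwt/keybyoidc/HTTPJwtKeyByOpenIdConnectAuthenticatorTest$TestRestChannel.class */
    static class TestRestChannel implements RestChannel {
        final RestRequest restRequest;
        // Last response handed to sendResponse(); stays null until the authenticator replies.
        RestResponse response;

        TestRestChannel(RestRequest restRequest) {
            this.restRequest = restRequest;
        }

        public XContentBuilder newBuilder() throws IOException {
            return null;
        }

        public XContentBuilder newErrorBuilder() throws IOException {
            return null;
        }

        public XContentBuilder newBuilder(XContentType xContentType, boolean z) throws IOException {
            return null;
        }

        public BytesStreamOutput bytesOutput() {
            return null;
        }

        public RestRequest request() {
            return this.restRequest;
        }

        public boolean detailedErrorsEnabled() {
            return false;
        }

        public void sendResponse(RestResponse restResponse) {
            this.response = restResponse;
        }

        public XContentBuilder newBuilder(XContentType xContentType, XContentType xContentType2, boolean z) throws IOException {
            return null;
        }

        public void releaseOutputBuffer() {
        }
    }

    @BeforeClass
    public static void setUp() throws Exception {
        mockIdpServer = MockIpdServer.start(TestJwk.Jwks.ALL);
    }

    @AfterClass
    public static void tearDown() {
        if (mockIdpServer != null) {
            try {
                mockIdpServer.close();
            } catch (Exception e) {
                // Best-effort shutdown: a failure to close the mock must not fail the suite.
                e.printStackTrace();
            }
        }
    }

    /** Returns a settings builder pre-populated with the shared mock IdP's discovery URL. */
    private static Settings.Builder sharedIdpSettings() {
        return Settings.builder().put("openid_connect_url", mockIdpServer.getDiscoverUri().toString());
    }

    /**
     * Builds an authenticator from {@code settings} and runs credential extraction on a request
     * that carries {@code authorizationHeader} as its only header.
     *
     * @return the extracted credentials, or {@code null} when the authenticator rejects the token
     */
    private static AuthCredentials extractCredentials(Settings settings, String authorizationHeader) {
        HTTPJwtKeyByOpenIdConnectAuthenticator authenticator = new HTTPJwtKeyByOpenIdConnectAuthenticator(settings, (Path) null);
        FakeRestRequest request = new FakeRestRequest(ImmutableMap.of("Authorization", authorizationHeader), new HashMap<>());
        return authenticator.extractCredentials(request, (ThreadContext) null);
    }

    /** Asserts the default outcome: expected user name, audience attribute, no roles, three attributes. */
    private static void assertIdentityWithoutRoles(String expectedUsername, AuthCredentials credentials) {
        Assert.assertNotNull(credentials);
        Assert.assertEquals(expectedUsername, credentials.getUsername());
        Assert.assertEquals(TestJwts.TEST_AUDIENCE, credentials.getAttributes().get("attr.jwt.aud"));
        Assert.assertEquals(0L, credentials.getBackendRoles().size());
        Assert.assertEquals(3L, credentials.getAttributes().size());
    }

    /** A raw token in the Authorization header (no "Bearer " prefix) is accepted. */
    @Test
    public void basicTest() {
        AuthCredentials credentials = extractCredentials(sharedIdpSettings().build(), TestJwts.MC_COY_SIGNED_OCT_1);
        assertIdentityWithoutRoles(TestJwts.MCCOY_SUBJECT, credentials);
    }

    /**
     * Key retrieval and the token endpoint work through the configured HTTP proxy. The dedicated
     * IdP only accepts requests carrying the header the proxy filter adds, so a direct connection
     * that bypasses the proxy would make this test fail.
     */
    @Test
    public void proxyTest() throws Exception {
        // try-with-resources closes the dedicated IdP on every path and keeps a close() failure
        // as a suppressed exception rather than masking the original one.
        try (MockIpdServer proxyOnlyIdp = MockIpdServer.start(TestJwk.Jwks.ALL).acceptOnlyRequestsWithHeader(REQUEST_HEADER_ADDING_FILTER.getHeader())) {
            // presumably lets the mock accept the arbitrary authorization code sent below; confirm in MockIpdServer
            proxyOnlyIdp.setRequireValidCodes(false);
            Settings settings = Settings.builder()
                    .put("openid_connect_url", proxyOnlyIdp.getDiscoverUri().toString())
                    .put("proxy.host", "127.0.0.8")
                    .put("proxy.port", wireMockProxy.port())
                    .put("proxy.scheme", "http")
                    .build();
            HTTPJwtKeyByOpenIdConnectAuthenticator authenticator = new HTTPJwtKeyByOpenIdConnectAuthenticator(settings, (Path) null);

            AuthCredentials credentials = authenticator.extractCredentials(new FakeRestRequest(ImmutableMap.of("Authorization", TestJwts.MC_COY_SIGNED_OCT_1), new HashMap<>()), (ThreadContext) null);
            assertIdentityWithoutRoles(TestJwts.MCCOY_SUBJECT, credentials);

            // The "config" meta request must advertise the proxied token endpoint.
            FakeRestRequest configRequest = new FakeRestRequest();
            TestRestChannel configChannel = new TestRestChannel(configRequest);
            authenticator.handleMetaRequest(configRequest, configChannel, "/_searchguard/test/openid", "config", (ThreadContext) null);
            String configBody = configChannel.response.content().utf8ToString();
            Assert.assertTrue(configBody, DocReader.json().readObject(configBody).containsKey("token_endpoint_proxy"));

            // The "token" meta request forwards the code exchange and must return an id_token.
            FakeRestRequest tokenRequest = new FakeRestRequest.Builder()
                    .withMethod(RestRequest.Method.POST)
                    .withContent(new BytesArray("grant_type=authorization_code&code=wusch"))
                    .withHeaders(ImmutableMap.of("Content-Type", "application/x-www-form-urlencoded"))
                    .build();
            TestRestChannel tokenChannel = new TestRestChannel(tokenRequest);
            authenticator.handleMetaRequest(tokenRequest, tokenChannel, "/_searchguard/test/openid", "token", (ThreadContext) null);
            String tokenBody = tokenChannel.response.content().utf8ToString();
            // The token response is not echoed to stdout, which keeps id_tokens out of build logs;
            // the assertion message below still shows the body when the check fails.
            Assert.assertTrue(tokenBody, DocReader.json().readObject(tokenBody).containsKey("id_token"));
        }
    }

    /** A token sent with the "Bearer " prefix is accepted. */
    @Test
    public void bearerTest() {
        AuthCredentials credentials = extractCredentials(sharedIdpSettings().build(), "Bearer " + TestJwts.MC_COY_SIGNED_OCT_1);
        assertIdentityWithoutRoles(TestJwts.MCCOY_SUBJECT, credentials);
    }

    /** Roles are taken from the claim named by {@code roles_key}. */
    @Test
    public void testRoles() throws Exception {
        Settings settings = sharedIdpSettings().put("roles_key", TestJwts.ROLES_CLAIM).build();
        AuthCredentials credentials = extractCredentials(settings, TestJwts.MC_COY_SIGNED_OCT_1);
        Assert.assertNotNull(credentials);
        Assert.assertEquals(TestJwts.MCCOY_SUBJECT, credentials.getUsername());
        Assert.assertEquals(TestJwts.TEST_ROLES, credentials.getBackendRoles());
    }

    /** Subject and roles are resolved through the JSON paths {@code $.sub} and {@code $.roles}. */
    @Test
    public void testRolesJsonPath() throws Exception {
        Settings settings = sharedIdpSettings().put("roles_path", "$.roles").put("subject_path", "$.sub").build();
        AuthCredentials credentials = extractCredentials(settings, TestJwts.MC_COY_SIGNED_OCT_1);
        Assert.assertNotNull(credentials);
        Assert.assertEquals(TestJwts.MCCOY_SUBJECT, credentials.getUsername());
        Assert.assertEquals(TestJwts.TEST_ROLES, credentials.getBackendRoles());
    }

    /**
     * A roles claim given as a list is accepted, and the element {@code "role 3, role 4"} is
     * expected to yield the two separate roles "role 3" and "role 4".
     */
    @Test
    public void testRolesCollectionJsonPath() throws Exception {
        Settings settings = sharedIdpSettings().put("roles_path", "$.roles").put("subject_path", "$.sub").build();
        String signedToken = com.floragunn.searchguard.enterprise.auth.oidc.TestJwts.createSigned(
                com.floragunn.searchguard.enterprise.auth.oidc.TestJwts.create(TestJwts.MCCOY_SUBJECT, TestJwts.TEST_AUDIENCE, new Object[]{TestJwts.ROLES_CLAIM, Arrays.asList("role 1", "role 2", "role 3, role 4")}),
                TestJwk.OCT_1);
        AuthCredentials credentials = extractCredentials(settings, signedToken);
        Assert.assertNotNull(credentials);
        Assert.assertEquals(TestJwts.MCCOY_SUBJECT, credentials.getUsername());
        Assert.assertThat(credentials.getBackendRoles(), CoreMatchers.hasItems("role 1", "role 2", "role 3", "role 4"));
    }

    /** A subject path that matches nothing in the token yields no credentials. */
    @Test
    public void testInvalidSubjectJsonPath() throws Exception {
        Settings settings = sharedIdpSettings().put("roles_path", "$.roles").put("subject_path", "$.subasd").build();
        Assert.assertNull(extractCredentials(settings, TestJwts.MC_COY_SIGNED_OCT_1));
    }

    /** A roles path that matches nothing still authenticates the user, with an empty role set. */
    @Test
    public void testInvalidRolesJsonPath() throws Exception {
        Settings settings = sharedIdpSettings().put("roles_path", "$.asdroles").put("subject_path", "$.sub").build();
        AuthCredentials credentials = extractCredentials(settings, TestJwts.MC_COY_SIGNED_OCT_1);
        Assert.assertNotNull(credentials);
        Assert.assertEquals(TestJwts.MCCOY_SUBJECT, credentials.getUsername());
        Assert.assertEquals(Collections.emptySet(), credentials.getBackendRoles());
    }

    /** An expired token yields no credentials, even though it is signed with a key the IdP publishes. */
    @Test
    public void testExp() throws Exception {
        Assert.assertNull(extractCredentials(sharedIdpSettings().build(), TestJwts.MC_COY_EXPIRED_SIGNED_OCT_1));
    }

    /** A token signed with the RSA test key is accepted. */
    @Test
    public void testRS256() throws Exception {
        AuthCredentials credentials = extractCredentials(sharedIdpSettings().build(), TestJwts.MC_COY_SIGNED_RSA_1);
        assertIdentityWithoutRoles(TestJwts.MCCOY_SUBJECT, credentials);
    }

    /**
     * A token whose signature cannot be verified yields no credentials.
     * NOTE(review): presumably RSA_X is a key the mock IdP does not publish; confirm in TestJwts.
     */
    @Test
    public void testBadSignature() throws Exception {
        Assert.assertNull(extractCredentials(sharedIdpSettings().build(), TestJwts.MC_COY_SIGNED_RSA_X));
    }

    /** A token from the {@code PeculiarEscaping} fixture set is parsed and accepted like a regular one. */
    @Test
    public void testPeculiarJsonEscaping() {
        AuthCredentials credentials = extractCredentials(sharedIdpSettings().build(), TestJwts.PeculiarEscaping.MC_COY_SIGNED_RSA_1);
        assertIdentityWithoutRoles(TestJwts.MCCOY_SUBJECT, credentials);
    }

    /** {@code subject_pattern} rewrites the user name: the pattern's only capturing group is the first character. */
    @Test
    public void testSubjectPattern() {
        Settings settings = sharedIdpSettings().put("subject_pattern", "^(.)(?:.*)$").build();
        AuthCredentials credentials = extractCredentials(settings, TestJwts.MC_COY_SIGNED_OCT_1);
        assertIdentityWithoutRoles(TestJwts.MCCOY_SUBJECT.substring(0, 1), credentials);
    }

    /**
     * A subject path resolving to a list claim is accepted and yields the user name "mcl".
     * NOTE(review): presumably the list holds exactly one element; confirm in TestJwts.
     */
    @Test
    public void testSubjectJsonPathWithList() throws Exception {
        Settings settings = sharedIdpSettings().put("roles_path", "$.roles").put("subject_path", "$.n").build();
        AuthCredentials credentials = extractCredentials(settings, TestJwts.MC_LIST_CLAIM_SIGNED_OCT_1);
        Assert.assertNotNull(credentials);
        Assert.assertEquals("mcl", credentials.getUsername());
        Assert.assertEquals(TestJwts.TEST_ROLES, credentials.getBackendRoles());
    }

    /**
     * An ambiguous subject yields no credentials.
     * NOTE(review): presumably the subject list holds two elements here; confirm in TestJwts.
     */
    @Test
    public void testSubjectJsonPathWithListSize2() throws Exception {
        Settings settings = sharedIdpSettings().put("roles_path", "$.roles").put("subject_path", "$.n").build();
        Assert.assertNull(extractCredentials(settings, TestJwts.MC_LIST_2_CLAIM_SIGNED_OCT_1));
    }
}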
