package com.floragunn.searchguard.enterprise.auth.saml;

import com.floragunn.codova.documents.DocNode;
import com.floragunn.codova.documents.Format;
import com.floragunn.codova.validation.VariableResolvers;
import com.floragunn.fluent.collections.ImmutableList;
import com.floragunn.fluent.collections.ImmutableMap;
import com.floragunn.searchguard.SearchGuardModulesRegistry;
import com.floragunn.searchguard.authc.AuthenticatorUnavailableException;
import com.floragunn.searchguard.authc.CredentialsException;
import com.floragunn.searchguard.authc.session.ActivatedFrontendConfig;
import com.floragunn.searchguard.authc.session.GetActivatedFrontendConfigAction;
import com.floragunn.searchguard.configuration.ConfigurationRepository;
import com.floragunn.searchguard.enterprise.auth.oidc.TestJwts;
import com.floragunn.searchguard.user.AuthCredentials;
import java.nio.file.Path;
import java.security.Security;
import java.util.Arrays;
import java.util.Map;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.elasticsearch.common.settings.Settings;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;
import org.opensaml.core.config.InitializationService;
import org.opensaml.saml.config.impl.SAMLConfigurationInitializer;
import org.opensaml.saml.config.impl.XMLObjectProviderInitializer;

/* loaded from: input_file:com/floragunn/searchguard/enterprise/auth/saml/SamlAuthenticatorTest.class */
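/**
 * Integration tests for {@link SamlAuthenticator} against an in-process {@link MockSamlIdpServer}.
 *
 * <p>One mock IdP is started per class and shared by all tests; every test reconfigures it (signing
 * key, asserted user, endpoint query string) before driving a flow. Besides the happy paths
 * (SP-initiated SSO, IdP-initiated SSO, inline metadata, role attributes, IdP endpoint carrying a
 * query string, metadata that becomes available late) the suite pins the rejections a relying party
 * depends on: a response signed with a key other than the one used when the flow was initiated, an
 * unsigned response, and a response whose InResponseTo does not match the request ID carried in
 * {@code sso_context}.
 */
public class SamlAuthenticatorTest {
    /** Shared mock IdP; started in {@link #setUp()} and closed in {@link #tearDown()}. */
    protected static MockSamlIdpServer mockSamlIdpServer;
    /** Configuration context with all collaborators null; sufficient for the constructor paths exercised here. */
    private static final ConfigurationRepository.Context testContext;
    /** Authenticator settings pointing at the shared mock IdP via its metadata URL. */
    private static Map<String, Object> basicAuthenticatorSettings;
    /** Base URL the SP reports to the IdP; also the origin of the ACS used for IdP-initiated SSO. */
    private static final String FRONTEND_BASE_URL = "http://whereever";

    private static final String TEST_USER = "horst";
    private static final String KIRK_KEYSTORE = "saml/kirk-keystore.jks";
    private static final String KIRK_ALIAS = "kirk";
    private static final String SPOCK_KEYSTORE = "saml/spock-keystore.jks";
    private static final String SPOCK_ALIAS = "spock";
    private static final String IDP_INITIATED_ACS = "http://whereever/searchguard/saml/acs/idpinitiated";

    /** A test step that produces a value and may throw; used to assert that a flow is rejected. */
    @FunctionalInterface
    private interface Flow {
        Object run() throws Exception;
    }

    /** Starts the shared mock IdP and builds the metadata-URL based authenticator settings. */
    @BeforeClass
    public static void setUp() throws Exception {
        mockSamlIdpServer = new MockSamlIdpServer();
        mockSamlIdpServer.start();
        Map<String, Object> idpConfig = ImmutableMap.of("metadata_url", mockSamlIdpServer.getMetadataUri(), "entity_id", mockSamlIdpServer.getIdpEntityId());
        basicAuthenticatorSettings = ImmutableMap.of("idp", idpConfig);
    }

    /** Stops the shared mock IdP. Shutdown problems are reported but never fail the class. */
    @AfterClass
    public static void tearDown() {
        if (mockSamlIdpServer == null) {
            return;
        }
        try {
            mockSamlIdpServer.close();
        } catch (Exception e) {
            // Best effort: a failed shutdown of the mock IdP must not mask the actual test results.
            e.printStackTrace();
        }
    }

    /** SP-initiated SSO with a correctly signed response yields the asserted user. */
    @Test
    public void basicTest() throws Exception {
        prepareIdp(mockSamlIdpServer, true, null);
        SamlAuthenticator samlAuthenticator = new SamlAuthenticator(basicAuthenticatorSettings, testContext);
        ActivatedFrontendConfig.AuthMethod activated = activate(samlAuthenticator);
        Assert.assertEquals(TEST_USER, samlAuthenticator.extractCredentials(spInitiatedResponse(mockSamlIdpServer, activated)).getUsername());
    }

    /** Same flow as {@link #basicTest()}, but the IdP metadata is supplied inline instead of via URL. */
    @Test
    public void inlineXmlTest() throws Exception {
        prepareIdp(mockSamlIdpServer, true, null);
        // The leading blank is deliberate: presumably checks that surrounding whitespace in inline metadata is tolerated.
        Map<String, Object> idpConfig = ImmutableMap.of("metadata_xml", " " + mockSamlIdpServer.createMetadata(), "entity_id", mockSamlIdpServer.getIdpEntityId(), "frontend_base_url", FRONTEND_BASE_URL);
        Map<String, Object> authenticatorSettings = ImmutableMap.of("idp", idpConfig);
        SamlAuthenticator samlAuthenticator = new SamlAuthenticator(authenticatorSettings, testContext);
        ActivatedFrontendConfig.AuthMethod activated = activate(samlAuthenticator);
        Assert.assertEquals(TEST_USER, samlAuthenticator.extractCredentials(spInitiatedResponse(mockSamlIdpServer, activated)).getUsername());
    }

    /**
     * Constructing the authenticator from a YAML document with a multi-line inline metadata block must
     * succeed. This only covers parsing; no assertion is made about how the metadata is used afterwards.
     */
    @Test
    public void inlineXmlParsingTest() throws Exception {
        // Constant concatenation; the resulting string is identical to a single literal.
        String config = "      idp:\n"
                + "        metadata_xml: | \n"
                + "            <EntityDescriptor entityID=\"urn:searchguard.eu.auth0.com\" xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\">\n"
                + "              <IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n"
                + "                <KeyDescriptor use=\"signing\">\n"
                + "                  <KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n"
                + "                    <X509Data>\n"
                + "                      <X509Certificate>MIIDCzCCAfOgAwIBAgIJdqTEVOBFJFb+MA0GCSqGSIb3DQEBCwUAMCMxITAfBgNVBAMTGHNlYXJjaGd1YXJkLmV1LmF1dGgwLmNvbTAeFw0xODA2MDIwOTUyMTZaFw0zMjAyMDkwOTUyMTZaMCMxITAfBgNVBAMTGHNlYXJjaGd1YXJkLmV1LmF1dGgwLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALzQtPED4GXSPca5MuPKf6b9Jza2yLOasMJ9jRIqg7MdKea05yx4jnDn9bXU3NocTisLR8jV2QCijOiUEv+CExBzhZhj8xGcr7IzhPIejpOeDaLTHCCK9VLVjH2RtDHJ6YT+jxlALTqaJnHu2yNwAVs0mlfSGOTi2rcCZTXCk/04FmYyo6RPtGwpuyLlqexwDI6dXO2T+/MJqox/hZ0m5KycKeQpdOcNPb4I3M7suUdFs5W0mYg67Ayp/XbwVjmlD4r+Z/TNknaDlHLEMwdYYTH6PpaUSdls2Gxl2JLu0o8SuHfvI/KyxQGc8EBBIFQRZ/6X/dphpnkpYmq0OD5Xj0sCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU413vkg/THPSv9VulJMJzMa5IOS4wDgYDVR0PAQH/BAQDAgKEMA0GCSqGSIb3DQEBCwUAA4IBAQB9HiG2/Zcm+LhuUvmobPxSLzWbsOQdqAnmV8T1H560cFLtDUh5bcGhcSnZBmxW8Vdy7vNSm+TOhVsmYqqsWBc53yVFSi+1mgh8GlK+V1cN/l3/teZp70sOLncpxGQWMWxpiOkTYkmaaoJbg59oJECSYGvSESuWhugsLd6lBF1Rn9k0tJqYxuy7RJuDpjDLGTP+F9sNcY4Inn+nB5NiaFs1F5HCZgnJGzc706a9FfXKkvVrKd2FuyuXA5m4ScyiO77+Wbx1IcnKGTj9a+ZhNhNkHj84DHYiiKn9ZJgmPHW4J1t+IcbUjPLQD/ro4RabMqx9rkHBAs7EeFL1IRcHdPXV</X509Certificate>\n"
                + "                    </X509Data>\n"
                + "                  </KeyInfo>\n"
                + "                </KeyDescriptor>\n"
                + "                <SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://searchguard.eu.auth0.com/samlp/rDlT7CzxPHjozMsOMXanoHtZwZR7Rih1/logout\"/>\n"
                + "                <SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://searchguard.eu.auth0.com/samlp/rDlT7CzxPHjozMsOMXanoHtZwZR7Rih1/logout\"/>\n"
                + "                <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>\n"
                + "                <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>\n"
                + "                <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>\n"
                + "                <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://searchguard.eu.auth0.com/samlp/rDlT7CzxPHjozMsOMXanoHtZwZR7Rih1\"/>\n"
                + "                <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://searchguard.eu.auth0.com/samlp/rDlT7CzxPHjozMsOMXanoHtZwZR7Rih1\"/>\n"
                + "                <Attribute Name=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"E-Mail Address\" xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\"/>\n"
                + "                <Attribute Name=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"Given Name\" xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\"/>\n"
                + "                <Attribute Name=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"Name\" xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\"/>\n"
                + "                <Attribute Name=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"Surname\" xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\"/>\n"
                + "                <Attribute Name=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"Name ID\" xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\"/>\n"
                + "              </IDPSSODescriptor>\n"
                + "            </EntityDescriptor>\n"
                + "        entity_id: urn:searchguard.eu.auth0.com\n"
                + "      sp:\n"
                + "        entity_id: es-saml\n";
        // A null context is accepted here; presumably nothing in this path needs the repository collaborators.
        new SamlAuthenticator(DocNode.parse(Format.YAML).from(config), (ConfigurationRepository.Context) null);
    }

    /** IdP-initiated (unsolicited) SSO is accepted when the request carries no {@code sso_context}. */
    @Test
    public void unsolicitedSsoTest() throws Exception {
        prepareIdp(mockSamlIdpServer, true, null);
        mockSamlIdpServer.setDefaultAssertionConsumerService(IDP_INITIATED_ACS);
        SamlAuthenticator samlAuthenticator = new SamlAuthenticator(basicAuthenticatorSettings, testContext);
        Map<String, Object> request = ImmutableMap.of("saml_response", mockSamlIdpServer.createUnsolicitedSamlResponse(), "frontend_base_url", FRONTEND_BASE_URL);
        Assert.assertEquals(TEST_USER, samlAuthenticator.extractCredentials(request).getUsername());
    }

    /**
     * An unsolicited response presented together with an {@code sso_context} naming a request ID must be
     * rejected: the response's InResponseTo cannot match a request the SP never sent.
     */
    @Test
    public void badUnsolicitedSsoTest() throws Exception {
        prepareIdp(mockSamlIdpServer, true, null);
        mockSamlIdpServer.setDefaultAssertionConsumerService(IDP_INITIATED_ACS);
        SamlAuthenticator samlAuthenticator = new SamlAuthenticator(basicAuthenticatorSettings, testContext);
        Map<String, Object> request = ImmutableMap.of("saml_response", mockSamlIdpServer.createUnsolicitedSamlResponse(), "sso_context", "saml_request_id:wrong_request_id", "frontend_base_url", FRONTEND_BASE_URL);
        assertRejected("does not match the ID of the AuthNRequest sent by the SP", () -> samlAuthenticator.extractCredentials(request));
    }

    /**
     * After the flow is initiated with the "kirk" key, the IdP switches to the "spock" key; the response
     * signed with the new key must fail signature validation.
     */
    @Test
    public void wrongCertTest() throws Exception {
        prepareIdp(mockSamlIdpServer, true, null);
        SamlAuthenticator samlAuthenticator = new SamlAuthenticator(basicAuthenticatorSettings, testContext);
        ActivatedFrontendConfig.AuthMethod activated = activate(samlAuthenticator);
        mockSamlIdpServer.loadSigningKeys(SPOCK_KEYSTORE, SPOCK_ALIAS);
        assertRejected("Signature validation failed", () -> samlAuthenticator.extractCredentials(spInitiatedResponse(mockSamlIdpServer, activated)));
    }

    /** An unsigned response is rejected even though the asserted user would otherwise be valid. */
    @Test
    public void noSignatureTest() throws Exception {
        prepareIdp(mockSamlIdpServer, false, null);
        SamlAuthenticator samlAuthenticator = new SamlAuthenticator(basicAuthenticatorSettings, testContext);
        ActivatedFrontendConfig.AuthMethod activated = activate(samlAuthenticator);
        assertRejected("No Signature found", () -> samlAuthenticator.extractCredentials(spInitiatedResponse(mockSamlIdpServer, activated)));
    }

    /** Roles asserted by the IdP surface under {@code saml_response} in the attributes used for user mapping. */
    @Test
    public void rolesTest() throws Exception {
        prepareIdp(mockSamlIdpServer, true, null);
        mockSamlIdpServer.setAuthenticateUserRoles(Arrays.asList("a", "b"));
        SamlAuthenticator samlAuthenticator = new SamlAuthenticator(basicAuthenticatorSettings, testContext);
        ActivatedFrontendConfig.AuthMethod activated = activate(samlAuthenticator);
        AuthCredentials credentials = samlAuthenticator.extractCredentials(spInitiatedResponse(mockSamlIdpServer, activated));
        Assert.assertEquals(TEST_USER, credentials.getUsername());
        Assert.assertEquals(ImmutableMap.of(TestJwts.ROLES_CLAIM, ImmutableList.of("a", "b")), credentials.getAttributesForUserMapping().get("saml_response"));
    }

    /** An IdP SSO endpoint that already carries a query string still produces a usable SSO location. */
    @Test
    public void idpEndpointWithQueryStringTest() throws Exception {
        prepareIdp(mockSamlIdpServer, true, "extra=query");
        SamlAuthenticator samlAuthenticator = new SamlAuthenticator(basicAuthenticatorSettings, testContext);
        ActivatedFrontendConfig.AuthMethod activated = activate(samlAuthenticator);
        Assert.assertEquals(TEST_USER, samlAuthenticator.extractCredentials(spInitiatedResponse(mockSamlIdpServer, activated)).getUsername());
    }

    /**
     * While the IdP metadata cannot be fetched, both activation and credential extraction report the
     * metadata as unavailable; once the IdP comes up and the refresh delay has elapsed, the normal flow
     * succeeds. Uses its own IdP instance so the shared one stays running.
     */
    @Test
    public void initialConnectionFailureTest() throws Exception {
        // Constructed but not started: the first metadata fetch has nothing to connect to.
        try (MockSamlIdpServer lateIdp = new MockSamlIdpServer()) {
            Map<String, Object> idpConfig = ImmutableMap.of("metadata_url", lateIdp.getMetadataUri(), "entity_id", lateIdp.getIdpEntityId());
            SamlAuthenticator samlAuthenticator = new SamlAuthenticator(ImmutableMap.of("idp", idpConfig, "idp.min_refresh_delay", 100), testContext);
            try {
                Assert.fail(activate(samlAuthenticator).toString());
            } catch (AuthenticatorUnavailableException e) {
                Assert.assertTrue(e.getMessage(), e.getMessage().contains("SAML metadata is not yet available"));
            }
            try {
                samlAuthenticator.extractCredentials(ImmutableMap.of("saml_response", "whatever", "frontend_base_url", FRONTEND_BASE_URL));
                Assert.fail();
            } catch (Exception e2) {
                // String.valueOf guards against a null message turning a wrong exception into an NPE.
                Assert.assertTrue(e2.toString(), String.valueOf(e2.getMessage()).contains("SAML metadata is not yet available"));
            }
            lateIdp.start();
            prepareIdp(lateIdp, true, null);
            // Longer than idp.min_refresh_delay (100) so the authenticator is allowed to re-fetch the metadata.
            Thread.sleep(500L);
            ActivatedFrontendConfig.AuthMethod activated = activate(samlAuthenticator);
            Assert.assertEquals(TEST_USER, samlAuthenticator.extractCredentials(spInitiatedResponse(lateIdp, activated)).getUsername());
        }
    }

    /**
     * Puts the mock IdP into the state shared by most tests.
     *
     * @param idp                 the mock IdP to configure
     * @param signResponses       whether responses are signed; when true the "kirk" key is loaded first
     * @param endpointQueryString query string to append to the IdP endpoint, or null for none
     */
    private static void prepareIdp(MockSamlIdpServer idp, boolean signResponses, String endpointQueryString) throws Exception {
        idp.setSignResponses(signResponses);
        if (signResponses) {
            idp.loadSigningKeys(KIRK_KEYSTORE, KIRK_ALIAS);
        }
        idp.setAuthenticateUser(TEST_USER);
        idp.setEndpointQueryString(endpointQueryString);
    }

    /** Starts an SP-initiated flow for the "saml" auth method and returns the activated config (SSO location + context). */
    private static ActivatedFrontendConfig.AuthMethod activate(SamlAuthenticator samlAuthenticator) throws Exception {
        return samlAuthenticator.activateFrontendConfig(
                new ActivatedFrontendConfig.AuthMethod("saml", "SAML", (String) null),
                new GetActivatedFrontendConfigAction.Request((String) null, (String) null, FRONTEND_BASE_URL));
    }

    /**
     * Lets the mock IdP answer the SSO request referenced by {@code activated} and packages the response
     * together with the matching {@code sso_context} as the request map the authenticator expects.
     */
    private static ImmutableMap<String, Object> spInitiatedResponse(MockSamlIdpServer idp, ActivatedFrontendConfig.AuthMethod activated) throws Exception {
        return ImmutableMap.of("saml_response", idp.handleSsoGetRequestURI(activated.getSsoLocation()),
                "sso_context", activated.getSsoContext(),
                "frontend_base_url", FRONTEND_BASE_URL);
    }

    /**
     * Runs {@code flow} and requires it to fail with a {@link CredentialsException} whose message contains
     * {@code expectedMessageFragment}; any returned value is reported in the failure message.
     */
    private static void assertRejected(String expectedMessageFragment, Flow flow) throws Exception {
        try {
            Object result = flow.run();
            Assert.fail("Expected exception, got: " + result);
        } catch (CredentialsException e) {
            Assert.assertTrue(e.getMessage(), e.getMessage().contains(expectedMessageFragment));
        }
    }

    /**
     * Runs the OpenSAML initializers with the thread's context class loader temporarily set to the one
     * that loaded OpenSAML (presumably so its service lookups resolve); the previous loader is restored
     * afterwards in every case.
     *
     * @throws IllegalStateException if any initializer fails, so the whole class fails fast instead of
     *                               producing unrelated errors later
     */
    static void ensureOpenSamlInitialization() {
        Thread currentThread = Thread.currentThread();
        ClassLoader previousClassLoader = currentThread.getContextClassLoader();
        try {
            currentThread.setContextClassLoader(InitializationService.class.getClassLoader());
            InitializationService.initialize();
            new XMLObjectProviderInitializer().init();
            new SAMLConfigurationInitializer().init();
            new org.opensaml.xmlsec.config.impl.XMLObjectProviderInitializer().init();
        } catch (Exception e) {
            throw new IllegalStateException("OpenSAML initialization failed", e);
        } finally {
            currentThread.setContextClassLoader(previousClassLoader);
        }
    }

    static {
        // Register BouncyCastle exactly once per JVM; looked up by its provider name "BC".
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
        ensureOpenSamlInitialization();
        testContext = new ConfigurationRepository.Context((VariableResolvers) null, (SearchGuardModulesRegistry) null, (Settings) null, (Path) null);
    }
}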
