package com.floragunn.searchguard.enterprise.auth;

import com.floragunn.codova.documents.DocNode;
import com.floragunn.fluent.collections.ImmutableList;
import com.floragunn.fluent.collections.ImmutableSet;
import com.floragunn.searchguard.enterprise.auth.jwt.Jose;
import com.floragunn.searchguard.enterprise.auth.oidc.TestJwk;
import com.floragunn.searchguard.enterprise.auth.oidc.TestJwts;
import com.floragunn.searchguard.test.GenericRestClient;
import com.floragunn.searchguard.test.TestSgConfig;
import com.floragunn.searchguard.test.helper.cluster.LocalCluster;
import java.net.InetAddress;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.stream.Collectors;
import org.apache.http.Header;
import org.apache.http.message.BasicHeader;
import org.junit.Assert;
import org.junit.ClassRule;
import org.junit.Test;

/* loaded from: input_file:com/floragunn/searchguard/enterprise/auth/RestAuthenticationIntegrationTests.class */
public class RestAuthenticationIntegrationTests {
    static TestSgConfig.Authc AUTHC = new TestSgConfig.Authc(new TestSgConfig.Authc.Domain[]{new TestSgConfig.Authc.Domain("jwt").frontend(DocNode.of("signing.jwks", Jose.toBasicObject(TestJwk.OCT_1_2_3))).skipIps(new String[]{"127.0.0.4"}).userMapping(new TestSgConfig.Authc.Domain.UserMapping().rolesFrom("jwt.n").attrsFrom("a_n", "jwt.n").attrsFrom("a_m", "jwt.m")), new TestSgConfig.Authc.Domain("jwt").frontend(DocNode.of("signing.jwks", Jose.toBasicObject(TestJwk.OCT_1_2_3))).acceptIps(new String[]{"127.0.0.4"}).userMapping(new TestSgConfig.Authc.Domain.UserMapping().rolesFromCommaSeparatedString("jwt.roles")), new TestSgConfig.Authc.Domain("basic/internal_users_db").frontend(DocNode.of("challenge", false)), new TestSgConfig.Authc.Domain("kerberos/internal_users_db")});

    @ClassRule
    public static LocalCluster cluster = new LocalCluster.Builder().singleNode().sslEnabled().authc(AUTHC).enterpriseModulesEnabled().build();

    @Test
    public void jwt() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(new Header[]{new BasicHeader("Authorization", "bearer " + TestJwts.MC_LIST_2_CLAIM_SIGNED_OCT_1)});
        try {
            GenericRestClient.HttpResponse httpResponse = restClient.get("/_searchguard/authinfo", new Header[0]);
            Assert.assertEquals(httpResponse.getBody(), 200L, httpResponse.getStatusCode());
            Assert.assertEquals(httpResponse.getBody(), "McList", httpResponse.getBodyAsDocNode().get("user_name"));
            Assert.assertEquals(httpResponse.getBody(), Arrays.asList("mcl", "mcl2"), httpResponse.getBodyAsDocNode().get("backend_roles"));
            Assert.assertTrue(httpResponse.getBody(), ((Collection) httpResponse.getBodyAsDocNode().get("attribute_names")).contains("a_m"));
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void jwt_commaSeparatedRoles() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(new Header[]{new BasicHeader("Authorization", "bearer " + TestJwts.MC_COY_SIGNED_OCT_1)});
        try {
            restClient.setLocalAddress(InetAddress.getByAddress(new byte[]{Byte.MAX_VALUE, 0, 0, 4}));
            GenericRestClient.HttpResponse httpResponse = restClient.get("/_searchguard/authinfo", new Header[0]);
            Assert.assertEquals(httpResponse.getBody(), 200L, httpResponse.getStatusCode());
            Assert.assertEquals(httpResponse.getBody(), TestJwts.MC_COY.getClaims().getSubject(), httpResponse.getBodyAsDocNode().get("user_name"));
            Assert.assertEquals(httpResponse.getBody(), TestJwts.TEST_ROLES, ImmutableSet.of((Collection) httpResponse.getBodyAsDocNode().get("backend_roles")));
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void challenges() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(new Header[0]);
        try {
            GenericRestClient.HttpResponse httpResponse = restClient.get("/_searchguard/authinfo", new Header[0]);
            List list = (List) httpResponse.getHeaders().stream().filter(header -> {
                return header.getName().equals("WWW-Authenticate");
            }).map(header2 -> {
                return header2.getValue();
            }).collect(Collectors.toList());
            Assert.assertEquals(httpResponse.getBody(), 401L, httpResponse.getStatusCode());
            Assert.assertEquals(httpResponse.getHeaders().toString(), ImmutableList.of("Bearer realm=\"Search Guard\"", "Negotiate"), list);
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }
}
