package com.floragunn.searchguard.enterprise.auth.oidc;

import com.browserup.bup.BrowserUpProxy;
import com.browserup.bup.BrowserUpProxyServer;
import com.floragunn.codova.config.net.TLSConfig;
import com.floragunn.codova.documents.DocNode;
import com.floragunn.codova.validation.ConfigValidationException;
import com.floragunn.codova.validation.VariableResolvers;
import com.floragunn.searchguard.SearchGuardModulesRegistry;
import com.floragunn.searchguard.authc.CredentialsException;
import com.floragunn.searchguard.authc.session.ActivatedFrontendConfig;
import com.floragunn.searchguard.authc.session.GetActivatedFrontendConfigAction;
import com.floragunn.searchguard.configuration.ConfigurationRepository;
import com.floragunn.searchguard.enterprise.auth.oidc.TestJwk;
import com.floragunn.searchguard.enterprise.auth.oidc.TestJwts;
import com.floragunn.searchguard.test.helper.cluster.FileHelper;
import com.floragunn.searchguard.user.AuthCredentials;
import com.floragunn.searchsupport.StaticSettings;
import com.google.common.collect.ImmutableMap;
import java.io.FileNotFoundException;
import java.net.InetAddress;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import org.elasticsearch.common.xcontent.NamedXContentRegistry;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;

/* loaded from: input_file:com/floragunn/searchguard/enterprise/auth/oidc/OidcAuthenticatorTest.class */
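/**
 * Integration-style tests for {@link OidcAuthenticator} against an in-process mock IdP.
 *
 * Each test drives the full browser round-trip: the authenticator is asked for its
 * frontend configuration (which yields the SSO redirect location and an opaque
 * {@code sso_context}), the mock IdP "logs the user in" with a pre-signed test JWT and
 * produces the redirect-back URI, and that URI is handed to
 * {@code extractCredentials} as {@code sso_result}. Negative tests check that expired
 * tokens, tokens with a bad signature and a missing PKCE verifier are rejected rather
 * than yielding credentials.
 */
public class OidcAuthenticatorTest {
    /** Address the test proxy listens on; the authenticator is pointed here via {@code idp.proxy.host}. */
    private static final String PROXY_LISTEN_ADDRESS = "127.0.0.8";
    /**
     * Source address the proxy uses for its outbound connections. The proxy tests start an IdP
     * that accepts connections from this address only, so a successful login proves the
     * authenticator really went through the proxy instead of contacting the IdP directly.
     * (NOTE(review): relies on BrowserUp's start(port, clientBindAddress, serverBindAddress)
     * semantics — confirm against the proxy library version in use.)
     */
    private static final String PROXY_OUTBOUND_ADDRESS = "127.0.0.9";
    /** Frontend URL the IdP is told to redirect back to after login. */
    private static final String FRONTEND_BASE_URL = "http://whereever";
    /** Relative URL the frontend wants to land on after login; expected to round-trip through the OIDC state parameter. */
    private static final String NEXT_URL = "/goto/0f8bc3727ebe162dc2ceeae137e607a1?sg_tenant=management";

    /** Mock IdP without PKCE enforcement, used by most tests. */
    protected static MockIpdServer mockIdpServer;
    /** Mock IdP that refuses token exchange unless the client sent a PKCE challenge/verifier. */
    protected static MockIpdServer pkceMockIdpServer;
    /** Plain forwarding proxy (MITM disabled, so TLS to the IdP is end-to-end) used by the proxy tests. */
    protected static BrowserUpProxy httpProxy;
    /** Settings for a confidential client (id + secret) with PKCE switched off, talking to {@link #mockIdpServer}. */
    private static Map<String, Object> basicAuthenticatorSettings;
    /** TLS material for the IdP in the custom-TLS proxy test; built in the static initializer below. */
    private static final TLSConfig IDP_TLS_CONFIG;
    /** Empty configuration context; the authenticator under test does not need any of the registries here. */
    private static final ConfigurationRepository.Context testContext = new ConfigurationRepository.Context((VariableResolvers) null, (SearchGuardModulesRegistry) null, (StaticSettings) null, (NamedXContentRegistry) null);

    @BeforeClass
    public static void setUp() throws Exception {
        mockIdpServer = MockIpdServer.forKeySet(TestJwk.Jwks.ALL).start();
        httpProxy = new BrowserUpProxyServer();
        // No interception: the proxy only forwards, so the authenticator's own TLS validation of the IdP stays in effect.
        httpProxy.setMitmDisabled(true);
        httpProxy.start(0, InetAddress.getByName(PROXY_LISTEN_ADDRESS), InetAddress.getByName(PROXY_OUTBOUND_ADDRESS));
        basicAuthenticatorSettings = ImmutableMap.of("idp.openid_configuration_url", mockIdpServer.getDiscoverUri().toString(), "client_id", "Der Klient", "client_secret", "Das Geheimnis", "pkce", false);
        pkceMockIdpServer = MockIpdServer.forKeySet(TestJwk.Jwks.ALL).requirePkce(true).start();
    }

    @AfterClass
    public static void tearDown() {
        // Both IdPs are started in setUp; the original teardown leaked the PKCE one.
        closeQuietly(mockIdpServer);
        closeQuietly(pkceMockIdpServer);
        if (httpProxy != null) {
            httpProxy.abort();
        }
    }

    /**
     * Best-effort close of a mock IdP. A failure to close is reported but must not mask the
     * outcome of the tests that already ran.
     *
     * @param server the server to close; {@code null} is ignored
     */
    private static void closeQuietly(MockIpdServer server) {
        if (server == null) {
            return;
        }
        try {
            server.close();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /**
     * Asks the authenticator for its activated frontend configuration, i.e. the SSO redirect
     * location and the {@code sso_context} the frontend has to send back.
     *
     * @param authenticator the authenticator under test
     * @param nextUrl the URL the user should land on after login, or {@code null} for none
     *        (assumed to be the second {@code Request} argument — confirm against the action class)
     * @return the activated auth method; never {@code null} and always carrying an SSO location
     */
    private static ActivatedFrontendConfig.AuthMethod activate(OidcAuthenticator authenticator, String nextUrl) throws Exception {
        ActivatedFrontendConfig.AuthMethod authMethod = authenticator.activateFrontendConfig(
                new ActivatedFrontendConfig.AuthMethod("oidc", "OIDC", (String) null),
                new GetActivatedFrontendConfigAction.Request((String) null, nextUrl, FRONTEND_BASE_URL));
        Assert.assertNotNull(authMethod);
        Assert.assertNotNull(authMethod.toString(), authMethod.getSsoLocation());
        return authMethod;
    }

    /**
     * Builds the request map the frontend sends back after the IdP redirected to it.
     *
     * @param ssoResult the redirect-back URI produced by the mock IdP
     * @param authMethod the auth method obtained from {@link #activate}; supplies the {@code sso_context}
     * @return the request map for {@code extractCredentials}
     */
    private static Map<String, Object> ssoResponse(String ssoResult, ActivatedFrontendConfig.AuthMethod authMethod) {
        return ImmutableMap.of("sso_result", ssoResult, "sso_context", authMethod.getSsoContext(), "frontend_base_url", FRONTEND_BASE_URL);
    }

    /**
     * Runs the complete login round-trip against the given IdP and returns the credentials the
     * authenticator extracted from the result.
     *
     * @param idp the mock IdP to log in at
     * @param authenticator the authenticator under test, configured for {@code idp}
     * @param signedJwt the pre-signed id token the IdP should issue
     * @return the extracted credentials
     * @throws CredentialsException if the authenticator rejects the result
     */
    private static AuthCredentials login(MockIpdServer idp, OidcAuthenticator authenticator, String signedJwt) throws Exception {
        ActivatedFrontendConfig.AuthMethod authMethod = activate(authenticator, null);
        String ssoResult = idp.handleSsoGetRequestURI(authMethod.getSsoLocation(), signedJwt);
        return authenticator.extractCredentials(ssoResponse(ssoResult, authMethod));
    }

    /**
     * Runs a login with {@link #basicAuthenticatorSettings} and asserts that the authenticator
     * rejects the issued token with a {@link CredentialsException} whose message mentions the
     * given reason. Only {@code extractCredentials} is inside the try block, so an exception
     * from any other step fails the test instead of being mistaken for the expected rejection.
     *
     * @param signedJwt the (deliberately invalid) token the IdP should issue
     * @param expectedReason fragment that must appear in the exception message
     */
    private static void assertTokenRejected(String signedJwt, String expectedReason) throws Exception {
        OidcAuthenticator authenticator = new OidcAuthenticator(basicAuthenticatorSettings, testContext);
        ActivatedFrontendConfig.AuthMethod authMethod = activate(authenticator, null);
        String ssoResult = mockIdpServer.handleSsoGetRequestURI(authMethod.getSsoLocation(), signedJwt);
        try {
            AuthCredentials credentials = authenticator.extractCredentials(ssoResponse(ssoResult, authMethod));
            Assert.fail("Expected exception, got: " + credentials);
        } catch (CredentialsException e) {
            Assert.assertTrue(e.getMessage(), e.getMessage().contains(expectedReason));
        }
    }

    @Test
    public void basicTest() throws Exception {
        OidcAuthenticator authenticator = new OidcAuthenticator(basicAuthenticatorSettings, testContext);
        AuthCredentials credentials = login(mockIdpServer, authenticator, TestJwts.MC_COY_SIGNED_OCT_1);
        Assert.assertEquals(TestJwts.MCCOY_SUBJECT, credentials.getUsername());
    }

    @Test
    public void userInfoTest() throws Exception {
        // get_user_info makes the authenticator call the IdP's userinfo endpoint; the mock IdP serves the map given below.
        OidcAuthenticator authenticator = new OidcAuthenticator(ImmutableMap.of("idp.openid_configuration_url", mockIdpServer.getDiscoverUri().toString(), "client_id", "Der Klient", "client_secret", "Das Geheimnis", "pkce", false, "get_user_info", true), testContext);
        ActivatedFrontendConfig.AuthMethod authMethod = activate(authenticator, null);
        String ssoResult = mockIdpServer.handleSsoGetRequestURI(authMethod.getSsoLocation(), TestJwts.MC_COY_SIGNED_OCT_1, ImmutableMap.of("sub", TestJwts.MCCOY_SUBJECT, "user_info_attr", 1234));
        AuthCredentials credentials = authenticator.extractCredentials(ssoResponse(ssoResult, authMethod));
        Assert.assertEquals(TestJwts.MCCOY_SUBJECT, credentials.getUsername());
        // The userinfo response is expected to be exposed for user mapping under the "oidc_user_info" attribute.
        Assert.assertEquals(credentials.getAttributesForUserMapping().toString(), 1234, ((Map) credentials.getAttributesForUserMapping().get("oidc_user_info")).get("user_info_attr"));
    }

    @Test
    public void pkceTest() throws Exception {
        // Public client (no secret, pkce not set) against an IdP that insists on PKCE.
        OidcAuthenticator authenticator = new OidcAuthenticator(ImmutableMap.of("idp.openid_configuration_url", pkceMockIdpServer.getDiscoverUri().toString(), "client_id", "Der Klient"), testContext);
        AuthCredentials credentials = login(pkceMockIdpServer, authenticator, TestJwts.MC_COY_SIGNED_OCT_1);
        Assert.assertEquals(TestJwts.MCCOY_SUBJECT, credentials.getUsername());
    }

    @Test
    public void pkceMissingTest() throws Exception {
        // A client with pkce=false must not get a redirect-back URI (i.e. no code) from a PKCE-requiring IdP.
        OidcAuthenticator authenticator = new OidcAuthenticator(basicAuthenticatorSettings, testContext);
        ActivatedFrontendConfig.AuthMethod authMethod = activate(authenticator, null);
        Assert.assertNull(pkceMockIdpServer.handleSsoGetRequestURI(authMethod.getSsoLocation(), TestJwts.MC_COY_SIGNED_OCT_1));
    }

    @Test
    public void nextUrlTest() throws Exception {
        OidcAuthenticator authenticator = new OidcAuthenticator(basicAuthenticatorSettings, testContext);
        ActivatedFrontendConfig.AuthMethod authMethod = activate(authenticator, NEXT_URL);
        String ssoResult = mockIdpServer.handleSsoGetRequestURI(authMethod.getSsoLocation(), TestJwts.MC_COY_SIGNED_OCT_1);
        // The state parameter is expected to be "<opaque token>|<url-encoded next url>" ("%7C" is the encoded pipe).
        String encodedNextUrl = URLEncoder.encode(NEXT_URL, StandardCharsets.UTF_8.name());
        Assert.assertTrue(ssoResult, ssoResult.matches(".*state=[A-Za-z0-9\\-_]+%7C" + encodedNextUrl));
        AuthCredentials credentials = authenticator.extractCredentials(ssoResponse(ssoResult, authMethod));
        Assert.assertEquals(TestJwts.MCCOY_SUBJECT, credentials.getUsername());
        // The next URL must come back out of the state parameter unchanged.
        Assert.assertEquals(NEXT_URL, credentials.getRedirectUri());
    }

    @Test
    public void proxyTest() throws Exception {
        try (MockIpdServer idp = MockIpdServer.forKeySet(TestJwk.Jwks.ALL).acceptConnectionsOnlyFromInetAddress(InetAddress.getByName(PROXY_OUTBOUND_ADDRESS)).start()) {
            OidcAuthenticator authenticator = new OidcAuthenticator(DocNode.of("idp.openid_configuration_url", idp.getDiscoverUri().toString(), "idp.proxy.host", PROXY_LISTEN_ADDRESS, "idp.proxy.port", httpProxy.getPort(), "idp.proxy.scheme", "http", "client_id", "x", "client_secret", "x"), testContext);
            AuthCredentials credentials = login(idp, authenticator, TestJwts.MC_COY_SIGNED_OCT_1);
            Assert.assertNotNull(credentials);
            Assert.assertEquals(TestJwts.MCCOY_SUBJECT, credentials.getUsername());
        }
    }

    @Test
    public void proxyWithTlsConfigTest() throws Exception {
        try (MockIpdServer idp = MockIpdServer.forKeySet(TestJwk.Jwks.ALL).acceptConnectionsOnlyFromInetAddress(InetAddress.getByName(PROXY_OUTBOUND_ADDRESS)).useCustomTlsConfig(IDP_TLS_CONFIG).start()) {
            // The IdP certificate chains to the test root CA, which is pinned via idp.tls.trusted_cas;
            // hostname verification is switched off because the test IdP serves on a loopback address.
            OidcAuthenticator authenticator = new OidcAuthenticator(DocNode.of("idp.openid_configuration_url", idp.getDiscoverUri().toString(), "idp.proxy.host", PROXY_LISTEN_ADDRESS, "idp.proxy.port", httpProxy.getPort(), "idp.proxy.scheme", "http", "client_id", "x", "client_secret", "x", "idp.tls.trusted_cas", "#{file:" + FileHelper.getAbsoluteFilePathFromClassPath("oidc/idp/root-ca.pem") + "}", "idp.tls.verify_hostnames", false), testContext);
            AuthCredentials credentials = login(idp, authenticator, TestJwts.MC_COY_SIGNED_OCT_1);
            Assert.assertNotNull(credentials);
            Assert.assertEquals(TestJwts.MCCOY_SUBJECT, credentials.getUsername());
        }
    }

    @Test
    public void testExp() throws Exception {
        assertTokenRejected(TestJwts.MC_COY_EXPIRED_SIGNED_OCT_1, "The token has expired");
    }

    @Test
    public void testRS256() throws Exception {
        OidcAuthenticator authenticator = new OidcAuthenticator(basicAuthenticatorSettings, testContext);
        AuthCredentials credentials = login(mockIdpServer, authenticator, TestJwts.MC_COY_SIGNED_RSA_1);
        Assert.assertNotNull(credentials);
        Assert.assertEquals(TestJwts.MCCOY_SUBJECT, credentials.getUsername());
    }

    @Test
    public void testBadSignature() throws Exception {
        // Signed with an RSA key that is not in the IdP's published key set.
        assertTokenRejected(TestJwts.MC_COY_SIGNED_RSA_X, "Invalid JWT signature");
    }

    @Test
    public void testPeculiarJsonEscaping() throws Exception {
        OidcAuthenticator authenticator = new OidcAuthenticator(basicAuthenticatorSettings, testContext);
        AuthCredentials credentials = login(mockIdpServer, authenticator, TestJwts.PeculiarEscaping.MC_COY_SIGNED_RSA_1);
        Assert.assertNotNull(credentials);
        Assert.assertEquals(TestJwts.MCCOY_SUBJECT, credentials.getUsername());
    }

    static {
        // Test-only key material from the classpath; the file and validation failures are fatal for the whole class.
        try {
            IDP_TLS_CONFIG = new TLSConfig.Builder()
                    .trust(FileHelper.getAbsoluteFilePathFromClassPath("oidc/idp/root-ca.pem").toFile())
                    .clientCert(FileHelper.getAbsoluteFilePathFromClassPath("oidc/idp/idp.pem").toFile(), FileHelper.getAbsoluteFilePathFromClassPath("oidc/idp/idp.key").toFile(), "secret")
                    .build();
        } catch (FileNotFoundException | ConfigValidationException e) {
            throw new RuntimeException(e);
        }
    }
}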
