package com.floragunn.searchguard.authtoken;

import com.floragunn.searchguard.SearchGuardModulesRegistry;
import com.floragunn.searchguard.authtoken.api.CreateAuthTokenRequest;
import com.floragunn.searchguard.authtoken.api.CreateAuthTokenResponse;
import com.floragunn.searchguard.authz.AuthorizationService;
import com.floragunn.searchguard.authz.PrivilegesEvaluator;
import com.floragunn.searchguard.authz.actions.Actions;
import com.floragunn.searchguard.configuration.ConfigurationRepository;
import com.floragunn.searchguard.configuration.ProtectedConfigIndexService;
import com.floragunn.searchguard.configuration.StaticSgConfig;
import com.floragunn.searchguard.sgconf.history.ConfigHistoryService;
import com.floragunn.searchguard.support.PrivilegedConfigClient;
import com.floragunn.searchguard.test.GenericRestClient;
import com.floragunn.searchguard.test.helper.cluster.JavaSecurityTestSetup;
import com.floragunn.searchguard.test.helper.cluster.LocalCluster;
import com.floragunn.searchguard.user.User;
import com.floragunn.searchsupport.StaticSettings;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.io.Decoders;
import java.nio.file.Path;
import java.time.Duration;
import java.util.Collections;
import java.util.Map;
import org.apache.http.Header;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.threadpool.ThreadPool;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;

/* loaded from: input_file:com/floragunn/searchguard/authtoken/AuthTokenServiceTest.class */
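/**
 * Integration tests for {@link AuthTokenService}, run against a single-node {@link LocalCluster}.
 *
 * <p>The cluster is started with {@link AuthTokenModule} disabled, so every test wires its own
 * {@code AuthTokenService} instance (see {@link #newAuthTokenService}) on top of the cluster's
 * injected configuration, authorization and index services, and shuts it down again in a
 * {@code finally} block.
 *
 * <p>Every JWT issued by the service is parsed with {@code parseClaimsJws} and the raw HMAC key
 * below; jjwt verifies the signature during that call, so the claim assertions only ever run on a
 * token whose signature checked out against the test key.
 */
public class AuthTokenServiceTest {
    private static ConfigurationRepository configurationRepository;
    private static PrivilegesEvaluator privilegesEvaluator;
    private static AuthorizationService authorizationService;
    private static ProtectedConfigIndexService protectedConfigIndexService;
    private static ThreadPool threadPool;
    private static PrivilegedConfigClient privilegedConfigClient;
    private static StaticSgConfig staticSgConfig;
    private static ClusterService clusterService;

    /**
     * Raw HMAC key used to verify the JWTs the service issues. Presumably the same key material as
     * {@link TestJwk#OCT_1}, which the service is configured to sign with — the tests can only pass
     * if both match. Test-only fixture; it has no meaning outside this test class.
     */
    private static final byte[] JWT_SIGNING_KEY = Decoders.BASE64URL.decode(
            "eTDZjSqRD9Abhod9iqeGX_7o93a-eElTeXWAF6FmzQshmRIrPD-C9ET3pFjJ_IBrzmWIZDk8ig-X_PIyGmKsxNMsrU-0BNWF5gJq5xOp4rYTl8z66Tw9wr8tHLxLxgJqkLSuUCRBZvlZlQ7jNdhBBxgM-hdSSzsN1T33qdIwhrUeJ-KXI5yKUXHjoWFYb9tETbYQ4NvONowkCsXK_flp-E3F_OcKe_z5iVUszAV8QfCod1zhbya540kDejXCL6N_XMmhWJqum7UJ3hgf6DEtroPSnVpHt4iR5w9ArKK-IBgluPght03gNcoNqwz7p77TFbdOmUKF_PWy1bcdbaUoSg");

    /**
     * Privileges requested for most tokens in this class: one cluster permission plus two roles,
     * only one of which ({@code r1}) the test user actually holds as a backend role.
     */
    private static final String REQUESTED_PRIVILEGES_YAML = "cluster_permissions:\n- cluster:test\nroles:\n- r1\n- r0";

    @ClassRule
    public static JavaSecurityTestSetup javaSecurity = new JavaSecurityTestSetup();

    @ClassRule
    public static LocalCluster cluster = new LocalCluster.Builder().resources("authtoken").singleNode().enterpriseModulesEnabled().sslEnabled().disableModule(AuthTokenModule.class).build();

    /** Pulls the service dependencies out of the running cluster's injector. */
    @BeforeClass
    public static void setupDependencies() {
        configurationRepository = cluster.getInjectable(ConfigurationRepository.class);
        authorizationService = cluster.getInjectable(AuthorizationService.class);
        privilegesEvaluator = cluster.getInjectable(PrivilegesEvaluator.class);
        protectedConfigIndexService = cluster.getInjectable(ProtectedConfigIndexService.class);
        clusterService = cluster.getInjectable(ClusterService.class);
        threadPool = cluster.getInjectable(ThreadPool.class);
        staticSgConfig = cluster.getInjectable(StaticSgConfig.class);
        privilegedConfigClient = PrivilegedConfigClient.adapt(cluster.node().client());
    }

    /** The user every test issues tokens for: {@code test_user} with backend roles r1, r2, r3. */
    private static User newTestUser() {
        return User.forUser("test_user").backendRoles(new String[]{"r1", "r2", "r3"}).build();
    }

    /** Service configuration shared by all tests: enabled, signed with {@link TestJwk#OCT_1}, audience {@code _test_aud}. */
    private static AuthTokenServiceConfig newServiceConfig() {
        AuthTokenServiceConfig config = new AuthTokenServiceConfig();
        config.setEnabled(true);
        config.setJwtSigningKey(TestJwk.OCT_1);
        config.setJwtAud("_test_aud");
        config.setMaxTokensPerUser(100);
        return config;
    }

    /**
     * Builds an {@link AuthTokenService} on the cluster's injected dependencies and waits until it
     * has finished initialising.
     *
     * <p>If initialisation fails the service is shut down before the failure propagates, so a
     * half-initialised instance never leaks out of this helper.
     *
     * @param actions           action registry passed to both the service and its {@link ConfigHistoryService}
     * @param settings          static settings for the service (the config-history service always gets {@link StaticSettings#EMPTY})
     * @param config            service configuration, see {@link #newServiceConfig()}
     * @param initTimeoutMillis how long to wait for {@link AuthTokenService#waitForInitComplete(long)}
     * @return an initialised service; the caller owns it and must call {@link AuthTokenService#shutdown()}
     * @throws Exception if construction or initialisation fails
     */
    private static AuthTokenService newAuthTokenService(Actions actions, StaticSettings settings, AuthTokenServiceConfig config, long initTimeoutMillis) throws Exception {
        ConfigHistoryService configHistoryService = new ConfigHistoryService(configurationRepository, staticSgConfig, privilegedConfigClient, protectedConfigIndexService, actions, StaticSettings.EMPTY, privilegesEvaluator);
        AuthTokenService service = new AuthTokenService(privilegedConfigClient, authorizationService, privilegesEvaluator, configHistoryService, settings, threadPool, clusterService, protectedConfigIndexService, actions, config);
        try {
            // presumably suppresses cluster-wide token update broadcasts, which a single-node test does not need — confirm
            service.setSendTokenUpdates(false);
            service.waitForInitComplete(initTimeoutMillis);
        } catch (Throwable t) {
            service.shutdown();
            throw t;
        }
        return service;
    }

    /**
     * Verifies the signature of {@code jwt} with {@link #JWT_SIGNING_KEY} and returns its claims.
     * A token that is unsigned or signed with another key fails here, before any assertion runs.
     */
    private static Claims parseClaims(String jwt) {
        return Jwts.parser().setSigningKey(JWT_SIGNING_KEY).parseClaimsJws(jwt).getBody();
    }

    /**
     * Asserts the standard claims of a token issued for {@code user} with {@code requested}
     * privileges: subject, requested cluster permissions, the backend roles captured in the
     * {@code base} claim (only {@code r1}, the one requested role the user holds), and audience.
     */
    private static void assertClaimsMatch(User user, RequestedPrivileges requested, AuthTokenServiceConfig config, Claims claims) {
        Assert.assertEquals(user.getName(), claims.getSubject());
        Assert.assertEquals(requested.getClusterPermissions(), ((Map<?, ?>) claims.get("requested")).get("cluster_permissions"));
        Assert.assertEquals(Collections.singletonList("r1"), ((Map<?, ?>) claims.get("base")).get("r_be"));
        Assert.assertEquals(config.getJwtAud(), claims.getAudience());
    }

    /** Asserts that the stored {@link AuthToken} carries the same user, cluster permissions and base backend roles as the issued token. */
    private static void assertAuthTokenMatches(User user, RequestedPrivileges requested, AuthToken authToken) {
        Assert.assertEquals(user.getName(), authToken.getUserName());
        Assert.assertEquals(requested.getClusterPermissions(), authToken.getRequestedPrivileges().getClusterPermissions());
        Assert.assertEquals(Collections.singletonList("r1"), authToken.getBase().getBackendRoles());
    }

    /** Asserts that two lookups of the same token agree on user, cluster permissions and base backend roles. */
    private static void assertSameToken(AuthToken expected, AuthToken actual) {
        Assert.assertEquals(expected.getUserName(), actual.getUserName());
        Assert.assertEquals(expected.getRequestedPrivileges().getClusterPermissions(), actual.getRequestedPrivileges().getClusterPermissions());
        Assert.assertEquals(expected.getBase().getBackendRoles(), actual.getBase().getBackendRoles());
    }

    /** Issues a token, verifies its claims and looks it up again through the issuing service. */
    @Test
    public void basicTest() throws Exception {
        User user = newTestUser();
        AuthTokenServiceConfig config = newServiceConfig();
        Actions actions = new Actions((SearchGuardModulesRegistry) null);
        AuthTokenService authTokenService = newAuthTokenService(actions, StaticSettings.EMPTY, config, 10000L);
        try {
            RequestedPrivileges requested = RequestedPrivileges.parseYaml(REQUESTED_PRIVILEGES_YAML);
            Claims claims = parseClaims(authTokenService.createJwt(user, new CreateAuthTokenRequest(requested)).getJwt());
            assertClaimsMatch(user, requested, config, claims);
            assertAuthTokenMatches(user, requested, authTokenService.getByClaims(claims));
        } finally {
            authTokenService.shutdown();
        }
    }

    /**
     * Looks a freshly issued token up twice through the same service instance; the second lookup
     * is presumably served from the service's cache and must agree with the first.
     * (The decompiled original was byte-identical to {@link #basicTest()}; the second lookup is the
     * only addition — TODO(review): confirm this matches the intended cache coverage.)
     */
    @Test
    public void reloadFromCacheTest() throws Exception {
        User user = newTestUser();
        AuthTokenServiceConfig config = newServiceConfig();
        Actions actions = new Actions((SearchGuardModulesRegistry) null);
        AuthTokenService authTokenService = newAuthTokenService(actions, StaticSettings.EMPTY, config, 10000L);
        try {
            RequestedPrivileges requested = RequestedPrivileges.parseYaml(REQUESTED_PRIVILEGES_YAML);
            Claims claims = parseClaims(authTokenService.createJwt(user, new CreateAuthTokenRequest(requested)).getJwt());
            assertClaimsMatch(user, requested, config, claims);
            AuthToken firstLookup = authTokenService.getByClaims(claims);
            assertAuthTokenMatches(user, requested, firstLookup);
            assertSameToken(firstLookup, authTokenService.getByClaims(claims));
        } finally {
            authTokenService.shutdown();
        }
    }

    /**
     * Issues a token through one service instance, shuts that instance down, and looks the token
     * up through a brand-new instance, which can only have obtained it from the index.
     *
     * <p>Both instances are shut down in their own {@code finally}; the decompiled original shut the
     * first instance down twice and never shut down the second.
     */
    @Test
    public void reloadFromIndexTest() throws Exception {
        User user = newTestUser();
        AuthTokenServiceConfig config = newServiceConfig();
        Actions actions = new Actions((SearchGuardModulesRegistry) null);
        RequestedPrivileges requested = RequestedPrivileges.parseYaml(REQUESTED_PRIVILEGES_YAML);

        Claims claims;
        AuthToken fromIssuingService;
        AuthTokenService issuingService = newAuthTokenService(actions, StaticSettings.EMPTY, config, 20000L);
        try {
            claims = parseClaims(issuingService.createJwt(user, new CreateAuthTokenRequest(requested)).getJwt());
            assertClaimsMatch(user, requested, config, claims);
            fromIssuingService = issuingService.getByClaims(claims);
            assertAuthTokenMatches(user, requested, fromIssuingService);
        } finally {
            issuingService.shutdown();
        }

        AuthTokenService reloadingService = newAuthTokenService(actions, StaticSettings.EMPTY, config, 20000L);
        try {
            assertSameToken(fromIssuingService, reloadingService.getByClaims(claims));
        } finally {
            reloadingService.shutdown();
        }
    }

    /**
     * Issues a token that expires after 5 seconds with the cleanup job running every second, and
     * checks that the token is gone from the index once it has expired.
     */
    @Test
    public void expiryTest() throws Exception {
        User user = newTestUser();
        AuthTokenServiceConfig config = newServiceConfig();
        Actions actions = new Actions((SearchGuardModulesRegistry) null);
        // Shorten the cleanup interval so the expired token is removed within the sleep below.
        StaticSettings settings = new StaticSettings(Settings.builder().put(AuthTokenService.CLEANUP_INTERVAL.name(), TimeValue.timeValueSeconds(1L)).build(), (Path) null);
        AuthTokenService authTokenService = newAuthTokenService(actions, settings, config, 10000L);
        try {
            RequestedPrivileges requested = RequestedPrivileges.parseYaml(REQUESTED_PRIVILEGES_YAML);
            CreateAuthTokenRequest request = new CreateAuthTokenRequest(requested);
            request.setExpiresAfter(Duration.ofSeconds(5L));
            CreateAuthTokenResponse response = authTokenService.createJwt(user, request);
            Claims claims = parseClaims(response.getJwt());
            String tokenId = claims.get("jti").toString();
            assertClaimsMatch(user, requested, config, claims);

            // The exp claim must lie within 11 s of the recorded creation time (5 s requested, plus slack).
            long latestAcceptableExpiry = response.getAuthToken().getCreationTime().plusSeconds(11L).toEpochMilli();
            Assert.assertTrue(response.getAuthToken().getCreationTime().plusSeconds(11L) + " <= " + claims.getExpiration().getTime() + "\n" + claims.toString(),
                    latestAcceptableExpiry > claims.getExpiration().getTime());

            assertAuthTokenMatches(user, requested, authTokenService.getByIdFromIndex(tokenId));

            // Outlive the 5 s expiry by a wide margin so at least one cleanup run has happened.
            Thread.sleep(10000L);
            try {
                AuthToken stale = authTokenService.getByIdFromIndex(tokenId);
                Assert.fail(String.valueOf(stale));
            } catch (NoSuchAuthTokenException expected) {
                // expired token has been removed from the index
            }
        } finally {
            authTokenService.shutdown();
        }
    }

    /**
     * Checks how the base privileges are captured when a token is requested by a user that is
     * itself authenticated via an auth token.
     *
     * <p>After the first token is issued, a new role is created via the REST API. A token requested
     * on behalf of the auth-token user must keep the first token's frozen base, whereas a token
     * requested by the plain user gets a fresh base that reflects the changed configuration.
     */
    @Test
    public void authTokenBasedOnAuthTokenTest() throws Exception {
        try (GenericRestClient adminCertRestClient = cluster.getAdminCertRestClient()) {
            User user = newTestUser();
            AuthTokenServiceConfig config = newServiceConfig();
            // presumably keeps the requested cluster permission from being stripped from the token — confirm
            config.setExcludeClusterPermissions(Collections.emptyList());
            Actions actions = new Actions((SearchGuardModulesRegistry) null);
            AuthTokenService authTokenService = newAuthTokenService(actions, StaticSettings.EMPTY, config, 10000L);
            try {
                RequestedPrivileges requested = RequestedPrivileges.parseYaml("cluster_permissions:\n- cluster:test");
                CreateAuthTokenRequest request = new CreateAuthTokenRequest(requested);
                Claims claims = parseClaims(authTokenService.createJwt(user, request).getJwt());
                Assert.assertEquals(user.getName(), claims.getSubject());
                Assert.assertEquals(requested.getClusterPermissions(), ((Map<?, ?>) claims.get("requested")).get("cluster_permissions"));
                AuthToken originalToken = authTokenService.getByClaims(claims);
                Assert.assertEquals(user.getName(), originalToken.getUserName());
                Assert.assertEquals(requested.getClusterPermissions(), originalToken.getRequestedPrivileges().getClusterPermissions());

                // Change the role configuration after the first token captured its base.
                GenericRestClient.HttpResponse roleResponse = adminCertRestClient.putJson("/_searchguard/api/roles/new_test_role", "{\"cluster_permissions\": [\"*\"]}", new Header[0]);
                Assert.assertEquals(roleResponse.getBody(), 201L, roleResponse.getStatusCode());
                // Give the config change a moment to propagate — confirm this is sufficient on slow machines.
                Thread.sleep(500L);

                // Same user name, but authenticated via the first auth token.
                User authTokenUser = User.forUser(user.getName()).backendRoles(new String[]{"r1", "r2", "r3"}).type("sg_auth_token").specialAuthzConfig(originalToken.getId()).build();
                request.setTokenName("auth_token_based_on_auth_token");
                AuthToken derivedToken = authTokenService.getByClaims(parseClaims(authTokenService.createJwt(authTokenUser, request).getJwt()));
                Assert.assertEquals(originalToken.getBase(), derivedToken.getBase());

                request.setTokenName("auth_token_with_fresh_base");
                AuthToken freshBaseToken = authTokenService.getByClaims(parseClaims(authTokenService.createJwt(user, request).getJwt()));
                Assert.assertNotEquals(originalToken.getBase(), freshBaseToken.getBase());
            } finally {
                authTokenService.shutdown();
            }
        }
    }
}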
