package com.floragunn.searchguard.enterprise.auth.saml;

import com.floragunn.codova.documents.DocNode;
import com.floragunn.searchguard.test.GenericRestClient;
import com.floragunn.searchguard.test.TestSgConfig;
import com.floragunn.searchguard.test.helper.cluster.LocalCluster;
import com.google.common.collect.ImmutableMap;
import java.security.Security;
import java.util.Arrays;
import org.apache.http.Header;
import org.apache.http.message.BasicHeader;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;

/* loaded from: input_file:com/floragunn/searchguard/enterprise/auth/saml/SamlAuthenticatorIntegrationTest.class */
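/**
 * Integration tests for the SAML frontend authenticator, run against a single-node
 * {@link LocalCluster} and an in-process {@link MockSamlIdpServer}.
 *
 * <p>Two frontend auth configurations are registered in {@link #setUp()}:
 * <ul>
 *   <li>{@code default} - uses the entity id reported by the mock IdP;</li>
 *   <li>{@code invalid} - uses the entity id {@code "invalid"}, which the IdP metadata does not
 *       describe, and has frontend authc debug enabled.</li>
 * </ul>
 *
 * <p>The mock IdP is told to sign its responses with the test keystore. The keystore path and
 * password, the user name and the base URL below are test fixtures only.
 */
public class SamlAuthenticatorIntegrationTest {
    static {
        // Register BouncyCastle once per JVM; other test classes may already have done so.
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    /** Placeholder base URL passed to the auth endpoints; nothing in this class connects to it. */
    private static final String FRONTEND_BASE_URL = "http://whereever";

    protected static MockSamlIdpServer mockSamlIdpServer;
    public static LocalCluster cluster;

    /**
     * Starts the mock IdP (signed responses, user {@code horst} with role
     * {@code SGS_KIBANA_USER}) and a cluster with the two SAML frontend configurations.
     */
    @BeforeClass
    public static void setUp() throws Exception {
        mockSamlIdpServer = new MockSamlIdpServer();
        mockSamlIdpServer.start();
        mockSamlIdpServer.setSignResponses(true);
        mockSamlIdpServer.loadSigningKeys("saml/kirk-keystore.jks", "kirk");
        mockSamlIdpServer.setAuthenticateUser("horst");
        mockSamlIdpServer.setAuthenticateUserRoles(Arrays.asList("SGS_KIBANA_USER"));
        mockSamlIdpServer.setEndpointQueryString(null);

        TestSgConfig sgConfig = new TestSgConfig()
                .resources("saml")
                .frontendAuthc("default", samlFrontendAuthc(mockSamlIdpServer.getIdpEntityId()))
                .frontendAuthc("invalid", samlFrontendAuthc("invalid"))
                // Debug is enabled only for the deliberately broken config; invalidEntityId()
                // reads the resulting message_body. NOTE(review): presumably this detail is
                // withheld from clients when debug is off - confirm, and keep it off outside tests.
                .frontendAuthcDebug("invalid", true);

        cluster = new LocalCluster.Builder()
                .sslEnabled()
                .singleNode()
                .resources("saml")
                .enterpriseModulesEnabled()
                .sgConfig(sgConfig)
                .start();
    }

    /** Builds a one-element SAML frontend authc list that trusts the mock IdP's metadata URL. */
    private static TestSgConfig.FrontendAuthc[] samlFrontendAuthc(Object idpEntityId) {
        return new TestSgConfig.FrontendAuthc[] {
            new TestSgConfig.FrontendAuthc().authDomain(
                    new TestSgConfig.FrontendAuthDomain("saml")
                            .label("SAML Label")
                            .config("user_mapping.roles.from", "saml_response.roles", new Object[] {
                                "saml.idp.metadata_url", mockSamlIdpServer.getMetadataUri(),
                                "saml.idp.entity_id", idpEntityId
                            }))
        };
    }

    /**
     * Shuts down the mock IdP and the cluster. Each close is best effort so that a failure in
     * one does not prevent the other from being released.
     */
    @AfterClass
    public static void tearDown() {
        if (mockSamlIdpServer != null) {
            try {
                mockSamlIdpServer.close();
            } catch (Exception e) {
                e.printStackTrace();
            }
            mockSamlIdpServer = null;
        }
        if (cluster != null) {
            try {
                cluster.close();
            } catch (Exception e) {
                e.printStackTrace();
            }
            cluster = null;
        }
    }

    /**
     * Happy path: fetches the auth config, lets the mock IdP answer the SSO redirect, exchanges
     * the SAML response for a session (HTTP 201) and checks that the session, queried with the
     * issued bearer token, reports an {@code sso_logout_url}.
     */
    @Test
    public void basic() throws Exception {
        try (GenericRestClient restClient = cluster.getRestClient("kibanaserver", "kibanaserver", new Header[0])) {
            GenericRestClient.HttpResponse configResponse = restClient.get(
                    "/_searchguard/auth/config?next_url=/abc/def&frontend_base_url=" + FRONTEND_BASE_URL, new Header[0]);
            DocNode authMethod = (DocNode) configResponse.getBodyAsDocNode().getAsListOfNodes("auth_methods").get(0);
            String ssoLocation = authMethod.getAsString("sso_location");
            String ssoContext = authMethod.getAsString("sso_context");
            String authMethodId = authMethod.getAsString("id");
            Assert.assertNotNull(configResponse.getBody(), ssoLocation);

            String samlResponse = mockSamlIdpServer.handleSsoGetRequestURI(ssoLocation);
            GenericRestClient.HttpResponse sessionResponse = restClient.postJson(
                    "/_searchguard/auth/session",
                    ImmutableMap.of("method", "saml", "id", authMethodId, "saml_response", samlResponse,
                            "sso_context", ssoContext, "frontend_base_url", FRONTEND_BASE_URL),
                    new Header[0]);
            Assert.assertEquals(sessionResponse.getBody(), 201L, sessionResponse.getStatusCode());

            String token = sessionResponse.getBodyAsDocNode().getAsString("token");
            // try-with-resources closes the token client even when the assertion below fails.
            try (GenericRestClient tokenClient = cluster.getRestClient(
                    new Header[] {new BasicHeader("Authorization", "Bearer " + token)})) {
                Assert.assertNotNull(tokenClient.get("/_searchguard/auth/session", new Header[0])
                        .getBodyAsDocNode().getAsString("sso_logout_url"));
            }
        }
    }

    /**
     * Posts the literal string {@code "invalid"} as {@code saml_response} and expects HTTP 401.
     *
     * <p>This covers only a value that is not a SAML response at all. A well-formed response that
     * is unsigned, or signed with a key other than the IdP's, is not exercised here.
     */
    @Test
    public void loginFailure() throws Exception {
        try (GenericRestClient restClient = cluster.getRestClient("kibanaserver", "kibanaserver", new Header[0])) {
            GenericRestClient.HttpResponse configResponse = restClient.get(
                    "/_searchguard/auth/config?next_url=/abc/def&frontend_base_url=" + FRONTEND_BASE_URL, new Header[0]);
            System.out.println(configResponse.getBody());
            DocNode authMethod = (DocNode) configResponse.getBodyAsDocNode().getAsListOfNodes("auth_methods").get(0);
            String ssoLocation = authMethod.getAsString("sso_location");
            String ssoContext = authMethod.getAsString("sso_context");
            String authMethodId = authMethod.getAsString("id");
            Assert.assertNotNull(configResponse.getBody(), ssoLocation);

            GenericRestClient.HttpResponse sessionResponse = restClient.postJson(
                    "/_searchguard/auth/session",
                    ImmutableMap.of("method", "saml", "id", authMethodId, "saml_response", "invalid",
                            "sso_context", ssoContext, "frontend_base_url", FRONTEND_BASE_URL),
                    new Header[0]);
            System.out.println(sessionResponse.getBody());
            Assert.assertEquals(sessionResponse.getBody(), 401L, sessionResponse.getStatusCode());
        }
    }

    /**
     * Requests the auth config for the {@code invalid} configuration and expects the first auth
     * method to carry the message "Could not find entity descriptor for invalid".
     */
    @Test
    public void invalidEntityId() throws Exception {
        try (GenericRestClient restClient = cluster.getRestClient("kibanaserver", "kibanaserver", new Header[0])) {
            GenericRestClient.HttpResponse configResponse = restClient.get(
                    "/_searchguard/auth/config?config_id=invalid&next_url=/abc/def&frontend_base_url=" + FRONTEND_BASE_URL,
                    new Header[0]);
            DocNode authMethod = (DocNode) configResponse.getBodyAsDocNode().getAsListOfNodes("auth_methods").get(0);
            Assert.assertEquals(configResponse.getBody(), "Could not find entity descriptor for invalid",
                    authMethod.getAsString("message_body"));
        }
    }
}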
