package com.floragunn.searchguard.enterprise.auth.oidc;

import com.floragunn.codova.config.net.TLSConfig;
import com.floragunn.codova.documents.DocNode;
import com.floragunn.codova.validation.ConfigValidationException;
import com.floragunn.fluent.collections.ImmutableMap;
import com.floragunn.searchguard.enterprise.auth.oidc.TestJwk;
import com.floragunn.searchguard.test.GenericRestClient;
import com.floragunn.searchguard.test.TestSgConfig;
import com.floragunn.searchguard.test.helper.certificate.TestCertificates;
import com.floragunn.searchguard.test.helper.cluster.FileHelper;
import com.floragunn.searchguard.test.helper.cluster.LocalCluster;
import com.floragunn.searchsupport.proxy.wiremock.WireMockRequestHeaderAddingFilter;
import com.github.tomakehurst.wiremock.core.WireMockConfiguration;
import com.github.tomakehurst.wiremock.extension.Extension;
import com.github.tomakehurst.wiremock.junit.WireMockClassRule;
import java.io.FileNotFoundException;
import org.apache.http.Header;
import org.apache.http.message.BasicHeader;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;

/* loaded from: input_file:com/floragunn/searchguard/enterprise/auth/oidc/OidcAuthenticatorIntegrationTest.class */
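/**
 * Integration test for the OIDC frontend authenticator when the IdP is only reachable through
 * an HTTP proxy.
 *
 * <p>The fixture consists of a mock IdP, a WireMock instance acting as a forward proxy on a
 * loopback address, and an embedded single-node cluster whose "oidc" frontend auth domain is
 * configured to reach the IdP via that proxy.
 *
 * <p>Several settings below relax TLS validation ({@code trustAllProxyTargets(true)},
 * {@code oidc.idp.tls.verify_hostnames = false}) and all credentials are hard-coded. These are
 * test fixture values only and must not be copied into a real deployment configuration.
 */
public class OidcAuthenticatorIntegrationTest {
    protected static MockIpdServer mockIdpServer;

    // Throw-away CA and client certificate generated for this test run; the key password is a fixture value.
    private static final TestCertificates testCertificates = TestCertificates.builder()
            .ca("CN=root.ca.example.com,OU=SearchGuard,O=SearchGuard", 2, "password")
            .addClients(new String[]{"CN=client.ca.example.com,OU=SearchGuard,O=SearchGuard"})
            .build();

    // The proxy adds this header to every request it forwards. The mock IdP is set up in setUp()
    // to accept only requests carrying it, so (presumably) a request that bypasses the configured
    // proxy is rejected and the test fails instead of passing by accident.
    private static final WireMockRequestHeaderAddingFilter REQUEST_HEADER_ADDING_FILTER =
            new WireMockRequestHeaderAddingFilter("Proxy", "wire-mock");

    // Forward proxy bound to a loopback address on a dynamic port.
    // trustAllProxyTargets(true) switches off upstream certificate validation in the proxy;
    // acceptable only because the sole upstream here is the local mock IdP.
    @ClassRule
    public static WireMockClassRule wireMockProxy = new WireMockClassRule(WireMockConfiguration.options()
            .bindAddress("127.0.0.8")
            .caKeystorePath(testCertificates.getCaCertificate().getJksFile().getAbsolutePath())
            .trustAllProxyTargets(true)
            .enableBrowserProxying(true)
            .dynamicPort()
            .extensions(new Extension[]{REQUEST_HEADER_ADDING_FILTER}));

    private static final String FRONTEND_BASE_URL = "http://whereever";
    private static final TLSConfig IDP_TLS_CONFIG;
    public static LocalCluster.Embedded cluster;

    /**
     * Starts the mock IdP and the embedded cluster.
     *
     * @throws Exception if either component fails to start
     */
    @BeforeClass
    public static void setUp() throws Exception {
        mockIdpServer = MockIpdServer.forKeySet(TestJwk.Jwks.ALL)
                .acceptOnlyRequestsWithHeader(REQUEST_HEADER_ADDING_FILTER.getHeader())
                .useCustomTlsConfig(IDP_TLS_CONFIG)
                .start();

        TestSgConfig.FrontendAuthDomain oidcAuthDomain = new TestSgConfig.FrontendAuthDomain("oidc")
                .label("Label")
                .config("oidc.idp.openid_configuration_url", mockIdpServer.getDiscoverUri().toString(), new Object[]{
                        // Fixture client credentials, not real secrets.
                        "oidc.client_id", "Der Klient",
                        "oidc.client_secret", "Das Geheimnis",
                        "user_mapping.roles.from", ImmutableMap.of("json_path", "jwt.roles", "split", ","),
                        // Route all IdP traffic through the WireMock proxy.
                        "oidc.idp.proxy.host", "127.0.0.8",
                        "oidc.idp.proxy.port", Integer.valueOf(wireMockProxy.port()),
                        "oidc.idp.proxy.scheme", "http",
                        "oidc.idp.tls.trusted_cas", "#{file:" + testCertificates.getCaCertificate().getCertificateFile().getAbsolutePath() + "}",
                        // Test-only: hostname verification is disabled for the IdP connection.
                        // NOTE(review): presumably needed because the certificate presented on this
                        // path does not name the host being contacted - confirm. A production
                        // configuration should leave hostname verification enabled.
                        "oidc.idp.tls.verify_hostnames", false});

        cluster = new LocalCluster.Builder()
                .sslEnabled()
                .enterpriseModulesEnabled()
                .singleNode()
                .resources("oidc")
                .sgConfig(new TestSgConfig()
                        .resources("oidc")
                        .frontendAuthc(new TestSgConfig.FrontendAuthc[]{new TestSgConfig.FrontendAuthc().authDomain(oidcAuthDomain)}))
                .embedded()
                .start();
    }

    /**
     * Shuts down the mock IdP and the cluster. Shutdown is best effort: a failure while closing
     * one component is printed and does not prevent the other from being closed.
     */
    @AfterClass
    public static void tearDown() {
        if (mockIdpServer != null) {
            try {
                mockIdpServer.close();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
        if (cluster != null) {
            try {
                cluster.close();
            } catch (Exception e) {
                e.printStackTrace();
            }
            cluster = null;
        }
    }

    /**
     * Runs one complete SSO round trip: fetches the frontend auth config, lets the mock IdP answer
     * the SSO request with a signed JWT, exchanges the result for a session, and then uses the
     * returned bearer token to read the session back.
     *
     * @throws Exception if a request fails or a response cannot be parsed
     */
    @Test
    public void basicTest() throws Exception {
        String nextUrl = "/abc/def";

        // try-with-resources closes the client on every path, including a failed assertion.
        try (GenericRestClient restClient = cluster.getRestClient("kibanaserver", "kibanaserver", new Header[0])) {
            GenericRestClient.HttpResponse authConfigResponse = restClient.get(
                    "/_searchguard/auth/config?next_url=" + nextUrl + "&frontend_base_url=" + FRONTEND_BASE_URL, new Header[0]);

            DocNode authMethod = (DocNode) authConfigResponse.getBodyAsDocNode().getAsListOfNodes("auth_methods").get(0);
            String ssoLocation = authMethod.getAsString("sso_location");
            String ssoContext = authMethod.getAsString("sso_context");
            String authMethodId = authMethod.getAsString("id");

            // The response body doubles as the failure message.
            Assert.assertNotNull(authConfigResponse.getBody(), ssoLocation);

            String ssoResult = mockIdpServer.handleSsoGetRequestURI(ssoLocation, TestJwts.MC_COY_SIGNED_OCT_1);

            GenericRestClient.HttpResponse sessionResponse = restClient.postJson("/_searchguard/auth/session",
                    DocNode.of("method", "oidc", "id", authMethodId, "sso_result", ssoResult, "sso_context", ssoContext,
                            "frontend_base_url", FRONTEND_BASE_URL, new Object[0]),
                    new Header[0]);

            Assert.assertEquals(sessionResponse.getBody(), 201L, sessionResponse.getStatusCode());
            // The session must redirect to exactly the next_url that was requested at the start of the flow.
            Assert.assertEquals(nextUrl, sessionResponse.getBodyAsDocNode().getAsString("redirect_uri"));

            Header bearerAuth = new BasicHeader("Authorization", "Bearer " + sessionResponse.getBodyAsDocNode().getAsString("token"));

            // Previously this second client was closed only when the assertion passed; an assertion
            // failure left it open. It is now closed on every path.
            try (GenericRestClient tokenClient = cluster.getRestClient(new Header[]{bearerAuth})) {
                Assert.assertNotNull(tokenClient.get("/_searchguard/auth/session", new Header[0]).getBodyAsDocNode().getAsString("sso_logout_url"));
            }
        }
    }

    // TLS material for the mock IdP, loaded from the test classpath. The key password is a fixture value.
    static {
        try {
            IDP_TLS_CONFIG = new TLSConfig.Builder()
                    .trust(FileHelper.getAbsoluteFilePathFromClassPath("oidc/idp/root-ca.pem").toFile())
                    .clientCert(FileHelper.getAbsoluteFilePathFromClassPath("oidc/idp/idp.pem").toFile(),
                            FileHelper.getAbsoluteFilePathFromClassPath("oidc/idp/idp.key").toFile(), "secret")
                    .build();
        } catch (FileNotFoundException | ConfigValidationException e) {
            // Missing or invalid fixtures make the whole class unusable; fail class initialization.
            throw new RuntimeException(e);
        }
    }
}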
