package com.floragunn.searchguard.enterprise.auth.jwt;

import com.floragunn.codova.documents.DocNode;
import com.floragunn.searchguard.enterprise.auth.oidc.TestJwk;
import com.floragunn.searchguard.enterprise.auth.oidc.TestJwts;
import com.floragunn.searchguard.test.GenericRestClient;
import com.floragunn.searchguard.test.RestMatchers;
import com.floragunn.searchguard.test.TestSgConfig;
import com.floragunn.searchguard.test.helper.cluster.BearerAuthorization;
import com.floragunn.searchguard.test.helper.cluster.LocalCluster;
import org.apache.http.Header;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.hamcrest.BaseMatcher;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.junit.ClassRule;
import org.junit.Test;

/* loaded from: input_file:com/floragunn/searchguard/enterprise/auth/jwt/HTTPJwtAuthenticatorIntegrationTest.class */
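/**
 * Integration tests for the JWT authentication domain, run against a local test cluster.
 *
 * <p>The tests cover three ways of presenting a JWT: as a bearer token in the
 * {@code Authorization} header, as the {@code custom_jwt_param} URL parameter, and as the
 * {@code jwt} field of a {@code POST /_searchguard/auth/session} request. They also pin two
 * rejection cases: a token that does not verify against the configured key set, and a session
 * request without a token.
 */
public class HTTPJwtAuthenticatorIntegrationTest {
    private static final Logger log = LogManager.getLogger(HTTPJwtAuthenticatorIntegrationTest.class);

    /**
     * JWT domain under test: a JWKS holding a single symmetric ({@code oct}) signing key with
     * key id {@code kid/a} and algorithm {@code HS256}. Tokens are additionally accepted from
     * the URL parameter {@code custom_jwt_param}.
     */
    public static final TestSgConfig.JwtDomain JWK_DOMAIN = new TestSgConfig.JwtDomain()
            .signing(new TestSgConfig.Signing()
                    .jwks(new TestSgConfig.Jwks()
                            .addKey(new TestSgConfig.JsonWebKey().kty("oct").kid("kid/a").use("sig").alg("HS256").k(TestJwk.OCT_1_K))))
            .urlParameter("custom_jwt_param");

    /**
     * TLS-enabled cluster with enterprise modules. The backend role {@code role1} is mapped to
     * {@code ALL_ACCESS}; backend roles are read from the comma-separated {@code jwt.roles}
     * claim, and the user attribute {@code from_jwt_claim_n} is filled from {@code jwt.m}.
     */
    @ClassRule
    public static LocalCluster cluster = new LocalCluster.Builder()
            .sslEnabled()
            .enterpriseModulesEnabled()
            .roles(new TestSgConfig.Role[]{TestSgConfig.Role.ALL_ACCESS})
            .roleMapping(new TestSgConfig.RoleMapping[]{
                    new TestSgConfig.RoleMapping(TestSgConfig.Role.ALL_ACCESS.getName()).backendRoles(new String[]{"role1"})})
            .authc(new TestSgConfig.Authc(new TestSgConfig.Authc.Domain[]{
                    new TestSgConfig.Authc.Domain("jwt")
                            .jwt(JWK_DOMAIN)
                            .userMapping(new TestSgConfig.Authc.Domain.UserMapping()
                                    .rolesFromCommaSeparatedString("jwt.roles")
                                    .attrsFrom("from_jwt_claim_n", "jwt.m"))}))
            .build();

    /**
     * A valid token in the {@code Authorization} header authenticates the request and the
     * configured user mapping yields the expected user name, backend roles and attribute names.
     */
    @Test
    public void simple() throws Exception {
        try (GenericRestClient restClient = cluster.getRestClient(new Header[]{new BearerAuthorization(TestJwts.MC_LIST_CLAIM_SIGNED_OCT_1)})) {
            GenericRestClient.HttpResponse httpResponse = restClient.get("/_searchguard/authinfo", new Header[0]);
            MatcherAssert.assertThat(httpResponse, RestMatchers.isOk());
            MatcherAssert.assertThat(httpResponse, RestMatchers.json(new BaseMatcher[]{RestMatchers.nodeAt("user_name", Matchers.is("McList"))}));
            MatcherAssert.assertThat(httpResponse, RestMatchers.json(new BaseMatcher[]{RestMatchers.nodeAt("backend_roles", Matchers.containsInAnyOrder(new String[]{"role1", "kibana_user"}))}));
            MatcherAssert.assertThat(httpResponse, RestMatchers.json(new BaseMatcher[]{RestMatchers.nodeAt("attribute_names", Matchers.containsInAnyOrder(new String[]{"from_jwt_claim_n", "__auth_type"}))}));
        }
    }

    /**
     * A valid token passed only as the {@code custom_jwt_param} URL parameter authenticates the
     * request.
     */
    @Test
    public void urlParam() throws Exception {
        // NOTE(review): a token carried in the query string can end up in access logs, proxy logs
        // and browser history; the header is the safer transport where the client allows it.
        try (GenericRestClient restClient = cluster.getRestClient(new Header[0])) {
            GenericRestClient.HttpResponse httpResponse = restClient.get("/_searchguard/authinfo?custom_jwt_param=" + TestJwts.MC_LIST_CLAIM_SIGNED_OCT_1, new Header[0]);
            MatcherAssert.assertThat(httpResponse, RestMatchers.isOk());
            MatcherAssert.assertThat(httpResponse, RestMatchers.json(new BaseMatcher[]{RestMatchers.nodeAt("user_name", Matchers.is("McList"))}));
        }
    }

    /**
     * When two different tokens are sent, one in the header and one in the URL parameter, the
     * authenticated identity is the subject of the header token.
     */
    @Test
    public void headerAndUrlParamMixed() throws Exception {
        // Precedence matters for security: a URL parameter (which a crafted link can supply)
        // must not override the identity presented in the Authorization header.
        try (GenericRestClient restClient = cluster.getRestClient(new Header[]{new BearerAuthorization(TestJwts.MC_COY_SIGNED_OCT_1)})) {
            GenericRestClient.HttpResponse httpResponse = restClient.get("/_searchguard/authinfo?custom_jwt_param=" + TestJwts.MC_LIST_CLAIM_SIGNED_OCT_1, new Header[0]);
            MatcherAssert.assertThat(httpResponse, RestMatchers.isOk());
            MatcherAssert.assertThat(httpResponse, RestMatchers.json(new BaseMatcher[]{RestMatchers.nodeAt("user_name", Matchers.is(TestJwts.MCCOY_SUBJECT))}));
        }
    }

    /**
     * Posting a valid JWT to the session endpoint returns 201 with a session token, and that
     * token then works as a bearer credential on {@code /_searchguard/authinfo}.
     */
    @Test
    public void shouldCreateSessionWithJwtToken() throws Exception {
        String sessionToken;

        // "kibanaserver"/"kibanaserver" are test-fixture credentials for the local cluster.
        try (GenericRestClient restClient = cluster.getRestClient("kibanaserver", "kibanaserver", new Header[0])) {
            log.info("Auth config response: '{}'", restClient.get("/_searchguard/auth/config?next_url=/abc/def", new Header[0]).getBody());
            GenericRestClient.HttpResponse postJson = restClient.postJson("/_searchguard/auth/session", DocNode.of("method", "jwt", "jwt", TestJwts.MC_COY_SIGNED_OCT_1).toJsonString(), new Header[0]);
            // Only the status is logged: a successful response body carries the session token,
            // and bearer credentials should not be written to build or CI logs.
            log.info("POST /_searchguard/auth/session response status '{}'.", postJson.getStatusCode());
            MatcherAssert.assertThat(postJson.getBody(), Integer.valueOf(postJson.getStatusCode()), Matchers.equalTo(201));
            sessionToken = postJson.getBodyAsDocNode().getAsString("token");
            MatcherAssert.assertThat("session response must contain a token", sessionToken, Matchers.notNullValue());
        }

        // The second client is opened in its own try-with-resources so it is closed even when
        // the request or the assertion below fails.
        try (GenericRestClient sessionClient = cluster.getRestClient(new Header[]{new BearerAuthorization(sessionToken)})) {
            GenericRestClient.HttpResponse httpResponse = sessionClient.get("/_searchguard/authinfo", new Header[0]);
            log.info("Session token used to retrieve auth info '{}'.", httpResponse.getBody());
            MatcherAssert.assertThat(Integer.valueOf(httpResponse.getStatusCode()), Matchers.equalTo(200));
        }
    }

    /**
     * A token that does not verify against the configured HS256 key must not create a session;
     * the endpoint answers 401.
     */
    @Test
    public void shouldNotCreateSessionWhenTokenSignatureIsIncorrect() throws Exception {
        // Going by the constant's name, this token is signed with an RSA key, which is not part
        // of the configured JWKS (confirm against TestJwts).
        try (GenericRestClient restClient = cluster.getRestClient("kibanaserver", "kibanaserver", new Header[0])) {
            log.info("Auth config response: '{}'", restClient.get("/_searchguard/auth/config?next_url=/abc/def", new Header[0]).getBody());
            GenericRestClient.HttpResponse postJson = restClient.postJson("/_searchguard/auth/session", DocNode.of("method", "jwt", "jwt", TestJwts.MC_COY_SIGNED_RSA_1).toJsonString(), new Header[0]);
            log.info("POST /_searchguard/auth/session response '{}'.", postJson.getBody());
            MatcherAssert.assertThat(Integer.valueOf(postJson.getStatusCode()), Matchers.equalTo(401));
        }
    }

    /**
     * A session request that names the {@code jwt} method but carries no token is rejected
     * with 401.
     */
    @Test
    public void shouldNotCreateSessionWhenTokenIsMissing() throws Exception {
        try (GenericRestClient restClient = cluster.getRestClient("kibanaserver", "kibanaserver", new Header[0])) {
            log.info("Auth config response: '{}'", restClient.get("/_searchguard/auth/config?next_url=/abc/def", new Header[0]).getBody());
            GenericRestClient.HttpResponse postJson = restClient.postJson("/_searchguard/auth/session", DocNode.of("method", "jwt").toJsonString(), new Header[0]);
            log.info("POST /_searchguard/auth/session response '{}'.", postJson.getBody());
            MatcherAssert.assertThat(Integer.valueOf(postJson.getStatusCode()), Matchers.equalTo(401));
        }
    }
}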
