package com.floragunn.searchguard.legacy;

import com.floragunn.searchguard.action.configupdate.ConfigUpdateAction;
import com.floragunn.searchguard.action.configupdate.ConfigUpdateRequest;
import com.floragunn.searchguard.action.configupdate.ConfigUpdateResponse;
import com.floragunn.searchguard.legacy.test.DynamicSgConfig;
import com.floragunn.searchguard.legacy.test.RestHelper;
import com.floragunn.searchguard.legacy.test.SingleClusterTest;
import com.floragunn.searchguard.test.helper.cluster.FileHelper;
import com.floragunn.searchguard.test.helper.cluster.JavaSecurityTestSetup;
import org.apache.http.Header;
import org.apache.http.message.BasicHeader;
import org.elasticsearch.action.index.IndexRequest;
import org.elasticsearch.action.support.WriteRequest;
import org.elasticsearch.client.Client;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.xcontent.XContentType;
import org.junit.Assert;
import org.junit.ClassRule;
import org.junit.Test;

/* loaded from: input_file:com/floragunn/searchguard/legacy/HTTPProxyAuthenticator2Tests.class */
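/**
 * Integration tests for the "proxy2" HTTP authenticator, exercised through the
 * {@code sg_config_proxy2_*_mode.yml} fixtures (IP, cert, both and either mode).
 *
 * <p>The requests carry identity in client-supplied headers ({@code x-proxy-user},
 * {@code x-proxy-roles}, {@code x-proxy-attribute-*}) together with an
 * {@code x-forwarded-for} chain and/or a TLS client certificate. The assertions pin
 * which combinations are accepted (200/201), rejected as unauthenticated (401),
 * rejected as unauthorized (403) or rejected as malformed (400).
 *
 * <p>NOTE(review): the fixture YAML files are not visible here, so the comments below
 * describe what each assertion expects, not why the server decides that way.
 */
public class HTTPProxyAuthenticator2Tests extends SingleClusterTest {

    @ClassRule
    public static JavaSecurityTestSetup javaSecurity = new JavaSecurityTestSetup();

    /** Endpoint whose response body is inspected for {@code custom_attribute_names}. */
    private static final String AUTHINFO = "_searchguard/authinfo";

    /** Forwarded-for chain starting at the loopback address. */
    private static final String LOCAL_CHAIN = "127.0.0.1,192.168.0.1,10.0.0.2";

    /** Forwarded-for chain starting at a non-local address. */
    private static final String REMOTE_CHAIN = "99.0.0.1,192.168.0.1,10.0.0.2";

    /** Builds the header naming the proxied user used throughout these tests. */
    private static BasicHeader proxyUserHeader() {
        return new BasicHeader("x-proxy-user", "scotty");
    }

    /** Builds the header carrying the proxied user's roles. */
    private static BasicHeader proxyRolesHeader() {
        return new BasicHeader("x-proxy-roles", "starfleet,engineer");
    }

    /** Builds an {@code x-forwarded-for} header with the given address chain. */
    private static BasicHeader forwardedForHeader(String chain) {
        return new BasicHeader("x-forwarded-for", chain);
    }

    /**
     * Creates a REST helper that talks HTTPS, trusts the server certificate and sends a
     * client certificate. The keystore is left at the helper's default; callers set
     * {@code keystore} when a specific client identity is needed.
     */
    private RestHelper newClientCertRestHelper() throws Exception {
        RestHelper helper = restHelper();
        helper.enableHTTPClientSSL = true;
        helper.trustHTTPServerCertificate = true;
        helper.sendHTTPClientCertificate = true;
        return helper;
    }

    /**
     * Switches the helper to {@code kirk-keystore.jks} and checks that a request without any
     * proxy headers may write to the {@code searchguard} index (201) and read authinfo (200).
     */
    private void assertKirkKeystoreAccess(RestHelper helper) throws Exception {
        helper.keystore = "kirk-keystore.jks";
        Assert.assertEquals(201L, helper.executePutRequest("searchguard/_doc/y", "{}", new Header[0]).getStatusCode());
        RestHelper.HttpResponse authInfo = helper.executeGetRequest(AUTHINFO, new Header[0]);
        Assert.assertEquals(200L, authInfo.getStatusCode());
        System.out.println(authInfo.getBody());
    }

    /**
     * Verifies that only the proxy attribute headers actually sent show up as custom
     * attributes of the authenticated user, next to {@code attr.proxy2.username}.
     *
     * @param restHelper  helper used to issue the requests
     * @param basicHeader extra header appended to every request (the forwarded-for chain in
     *                    IP-based modes); callers in cert mode pass {@code null}, which is
     *                    forwarded unchanged to the helper
     * @throws Exception if a request fails
     */
    public void testAdditionalAttributes(RestHelper restHelper, BasicHeader basicHeader) throws Exception {
        // No attribute headers: the name list must be exactly the username attribute.
        RestHelper.HttpResponse noAttributes = restHelper.executeGetRequest(AUTHINFO, proxyUserHeader(), proxyRolesHeader(), basicHeader);
        Assert.assertTrue("Expected no attributes to be set for user: " + noAttributes.getBody(), noAttributes.getBody().contains("\"custom_attribute_names\":[\"attr.proxy2.username\"]"));
        Assert.assertEquals(200L, noAttributes.getStatusCode());

        // Only attribute-2 sent: two names in total, so attribute-1 cannot have been added.
        RestHelper.HttpResponse oneAttribute = restHelper.executeGetRequest(AUTHINFO, proxyUserHeader(), proxyRolesHeader(), basicHeader, new BasicHeader("x-proxy-attribute-2", "attributeValue2"));
        Assert.assertTrue("Expected (only) 'attribute-2' to be set for user'" + oneAttribute.getBody(), oneAttribute.getBody().contains("attr.proxy2.x-proxy-attribute-2"));
        Assert.assertTrue("Expected (only) 'attribute-2' to be set for user'" + oneAttribute.getBody(), oneAttribute.getBody().contains("attr.proxy2.username"));
        Assert.assertEquals("Expected (only) 'attribute-2' to be set for user'" + oneAttribute.getBody(), 2, oneAttribute.toDocNode().getAsListOfNodes("custom_attribute_names").size());
        Assert.assertEquals(200L, oneAttribute.getStatusCode());

        // Both attribute headers sent: three names in total.
        RestHelper.HttpResponse twoAttributes = restHelper.executeGetRequest(AUTHINFO, proxyUserHeader(), proxyRolesHeader(), basicHeader, new BasicHeader("x-proxy-attribute-1", "attributeValue1"), new BasicHeader("x-proxy-attribute-2", "attributeValue2"));
        Assert.assertTrue("Expected 'attribute-1' and 'attribute-2' to be set for user'" + twoAttributes.getBody(), twoAttributes.getBody().contains("attr.proxy2.x-proxy-attribute-1"));
        Assert.assertTrue("Expected 'attribute-1' and 'attribute-2' to be set for user'" + twoAttributes.getBody(), twoAttributes.getBody().contains("attr.proxy2.x-proxy-attribute-2"));
        Assert.assertTrue("Expected 'attribute-1' and 'attribute-2' to be set for user'" + twoAttributes.getBody(), twoAttributes.getBody().contains("attr.proxy2.username"));
        Assert.assertEquals("Expected 'attribute-1' and 'attribute-2' to be set for user'" + twoAttributes.getBody(), 3, twoAttributes.toDocNode().getAsListOfNodes("custom_attribute_names").size());
        Assert.assertEquals(200L, twoAttributes.getStatusCode());
    }

    /**
     * IP mode over plain HTTP: proxy headers are evaluated together with the
     * {@code x-forwarded-for} chain, with HTTP basic credentials as the other way in.
     */
    @Test
    public void testHTTPEnterpriseProxyIpMode() throws Exception {
        setup(Settings.EMPTY, new DynamicSgConfig().setSgConfig("sg_config_proxy2_ip_mode.yml"), Settings.EMPTY, true);
        RestHelper nonSslRestHelper = nonSslRestHelper();

        // No credentials of any kind: unauthenticated.
        Assert.assertEquals(401L, nonSslRestHelper.executeGetRequest("", new Header[0]).getStatusCode());
        // Valid basic credentials alone are accepted.
        Assert.assertEquals(200L, nonSslRestHelper.executeGetRequest("", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
        // Valid proxy headers are accepted even though the basic credentials are wrong.
        Assert.assertEquals(200L, nonSslRestHelper.executeGetRequest("", forwardedForHeader(LOCAL_CHAIN), proxyUserHeader(), encodeBasicHeader("nagilum-wrong", "nagilum-wrong")).getStatusCode());
        // Misnamed proxy user header, but valid basic credentials: still accepted.
        Assert.assertEquals(200L, nonSslRestHelper.executeGetRequest("", forwardedForHeader(LOCAL_CHAIN), new BasicHeader("x-proxy-user-wrong", "scotty"), encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
        // A forwarded-for value that is not an address list is answered with 400, not 401.
        Assert.assertEquals(400L, nonSslRestHelper.executeGetRequest("", forwardedForHeader("a"), proxyUserHeader(), encodeBasicHeader("nagilum-wrong", "nagilum-wrong")).getStatusCode());
        Assert.assertEquals(400L, nonSslRestHelper.executeGetRequest("", forwardedForHeader("a,b,c"), proxyUserHeader()).getStatusCode());
        // Proxy headers alone, including a differently cased header name and optional roles.
        Assert.assertEquals(200L, nonSslRestHelper.executeGetRequest("", forwardedForHeader(LOCAL_CHAIN), proxyUserHeader()).getStatusCode());
        Assert.assertEquals(200L, nonSslRestHelper.executeGetRequest("", forwardedForHeader(LOCAL_CHAIN), new BasicHeader("X-Proxy-User", "scotty")).getStatusCode());
        Assert.assertEquals(200L, nonSslRestHelper.executeGetRequest("", forwardedForHeader(LOCAL_CHAIN), proxyUserHeader(), proxyRolesHeader()).getStatusCode());

        testAdditionalAttributes(nonSslRestHelper(), forwardedForHeader(LOCAL_CHAIN));
    }

    /**
     * Starts the cluster with HTTPS and mandatory client certificates, indexes one document
     * and pushes a configuration update to all nodes.
     *
     * @param str name of the sg_config fixture to load
     * @throws Exception if cluster setup or any request fails
     */
    public void setupClientCertTest(String str) throws Exception {
        // Test-only TLS settings: TLSv1.1 is deprecated (RFC 8996) and a single CBC suite is
        // pinned for the fixture keystores. Do not reuse these values in a deployment config.
        Settings nodeSettings = Settings.builder()
            .put("searchguard.ssl.http.clientauth_mode", "REQUIRE")
            .put("searchguard.ssl.http.enabled", true)
            .put("searchguard.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
            .put("searchguard.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks"))
            .putList("searchguard.ssl.http.enabled_protocols", "TLSv1.1", "TLSv1.2")
            .putList("searchguard.ssl.http.enabled_ciphers", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256")
            .putList("searchguard.ssl.transport.enabled_protocols", "TLSv1.1", "TLSv1.2")
            .putList("searchguard.ssl.transport.enabled_ciphers", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256")
            .build();
        setup(Settings.EMPTY, new DynamicSgConfig().setSgConfig(str), nodeSettings, true);

        // try-with-resources closes the client on both the normal and the failure path and
        // keeps a close() failure as a suppressed exception, as the hand-written form did.
        try (Client client = getPrivilegedInternalNodeClient()) {
            client.index(new IndexRequest("vulcangov").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();

            // The listing compared against an undeclared `r0`; the update response is the
            // value in scope that exposes a node list, so it is captured in a local here.
            ConfigUpdateResponse updateResponse = (ConfigUpdateResponse) client.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(new String[]{"config", "roles", "rolesmapping", "internalusers", "actiongroups"})).actionGet();
            Assert.assertFalse(updateResponse.hasFailures());
            // Every node of the cluster must have acknowledged the configuration update.
            Assert.assertEquals(this.clusterInfo.numNodes, updateResponse.getNodes().size());
        }
    }

    /**
     * Runs the certificate-based scenario against the given fixture: with the
     * {@code spock-keystore.jks} client certificate the proxy headers are accepted, the
     * proxied user may not write to the {@code searchguard} index, and the
     * {@code kirk-keystore.jks} certificate is accepted without proxy headers.
     *
     * @param str name of the sg_config fixture to load
     * @throws Exception if cluster setup or any request fails
     */
    public void testCert(String str) throws Exception {
        setupClientCertTest(str);
        RestHelper restHelper = newClientCertRestHelper();
        restHelper.keystore = "spock-keystore.jks";

        Assert.assertEquals(200L, restHelper.executeGetRequest(AUTHINFO, proxyUserHeader(), proxyRolesHeader()).getStatusCode());
        // Authenticated as the proxied user, but not permitted to write this index.
        Assert.assertEquals(403L, restHelper.executePutRequest("searchguard/_doc/x", "{}", proxyUserHeader(), proxyRolesHeader()).getStatusCode());
        // No forwarded-for header in cert mode; the null entry is passed through as before.
        testAdditionalAttributes(restHelper, null);

        assertKirkKeystoreAccess(restHelper);
    }

    /** Cert mode: proxy headers are evaluated for requests carrying a client certificate. */
    @Test
    public void testHTTPEnterpriseProxyCertMode() throws Exception {
        testCert("sg_config_proxy2_cert_mode.yml");
    }

    /**
     * "Both" fixture: proxy headers plus a forwarded-for chain are accepted only once the
     * {@code spock-keystore.jks} client certificate is presented as well.
     */
    @Test
    public void testHTTPEnterpriseProxyDefaultMode() throws Exception {
        setupClientCertTest("sg_config_proxy2_both_mode.yml");
        RestHelper restHelper = newClientCertRestHelper();

        // Helper's default keystore (not visible here): proxy headers alone yield 401.
        Assert.assertEquals(401L, restHelper.executeGetRequest(AUTHINFO, proxyUserHeader(), proxyRolesHeader(), forwardedForHeader(REMOTE_CHAIN)).getStatusCode());

        restHelper.keystore = "spock-keystore.jks";
        // Certificate and forwarded-for chain without a proxy user header: still 401.
        Assert.assertEquals(401L, restHelper.executeGetRequest(AUTHINFO, forwardedForHeader(REMOTE_CHAIN)).getStatusCode());
        // Certificate, chain and proxy headers together are accepted.
        Assert.assertEquals(200L, restHelper.executeGetRequest(AUTHINFO, proxyUserHeader(), proxyRolesHeader(), forwardedForHeader(REMOTE_CHAIN)).getStatusCode());
        Assert.assertEquals(403L, restHelper.executePutRequest("searchguard/_doc/x", "{}", proxyUserHeader(), proxyRolesHeader(), forwardedForHeader(REMOTE_CHAIN)).getStatusCode());
        testAdditionalAttributes(restHelper, forwardedForHeader(REMOTE_CHAIN));

        assertKirkKeystoreAccess(restHelper);
    }

    /**
     * "Either" fixture: the certificate scenario and the IP scenario must each succeed on
     * their own. The cluster is torn down and restarted between the three phases.
     */
    @Test
    public void testHTTPEnterpriseProxyEitherMode() throws Exception {
        // Phase 1: certificate scenario.
        testCert("sg_config_proxy2_either_mode.yml");
        tearDown();

        // Phase 2: HTTPS with a forwarded-for chain, first with the helper's default
        // keystore and then with the spock certificate.
        setupClientCertTest("sg_config_proxy2_either_mode.yml");
        RestHelper restHelper = newClientCertRestHelper();
        Assert.assertEquals(200L, restHelper.executeGetRequest(AUTHINFO, proxyUserHeader(), proxyRolesHeader(), forwardedForHeader(LOCAL_CHAIN)).getStatusCode());
        restHelper.keystore = "spock-keystore.jks";
        Assert.assertEquals(200L, restHelper.executeGetRequest(AUTHINFO, proxyUserHeader(), proxyRolesHeader(), forwardedForHeader(LOCAL_CHAIN)).getStatusCode());
        Assert.assertEquals(403L, restHelper.executePutRequest("searchguard/_doc/x", "{}", proxyUserHeader(), proxyRolesHeader(), forwardedForHeader(LOCAL_CHAIN)).getStatusCode());
        tearDown();

        // Phase 3: plain HTTP, so only the forwarded-for chain can back the proxy headers.
        setup(Settings.EMPTY, new DynamicSgConfig().setSgConfig("sg_config_proxy2_either_mode.yml"), Settings.EMPTY, true);
        RestHelper nonSslRestHelper = nonSslRestHelper();
        Assert.assertEquals(400L, nonSslRestHelper.executeGetRequest("", forwardedForHeader("a,b,c"), proxyUserHeader()).getStatusCode());
        Assert.assertEquals(200L, nonSslRestHelper.executeGetRequest("", forwardedForHeader(LOCAL_CHAIN), proxyUserHeader()).getStatusCode());
        Assert.assertEquals(200L, nonSslRestHelper.executeGetRequest("", forwardedForHeader(LOCAL_CHAIN), new BasicHeader("X-Proxy-User", "scotty")).getStatusCode());
        Assert.assertEquals(200L, nonSslRestHelper.executeGetRequest("", forwardedForHeader(LOCAL_CHAIN), proxyUserHeader(), proxyRolesHeader()).getStatusCode());
        // Without any header the request stays unauthenticated.
        Assert.assertEquals(401L, nonSslRestHelper.executeGetRequest("", new Header[0]).getStatusCode());
        testAdditionalAttributes(nonSslRestHelper, forwardedForHeader(LOCAL_CHAIN));
    }
}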
