package com.floragunn.searchguard.authc.session;

import com.floragunn.searchguard.test.GenericRestClient;
import com.floragunn.searchguard.test.TestSgConfig;
import com.floragunn.searchguard.test.helper.cluster.BearerAuthorization;
import com.floragunn.searchguard.test.helper.cluster.JavaSecurityTestSetup;
import com.floragunn.searchguard.test.helper.cluster.LocalCluster;
import java.net.InetAddress;
import java.util.HashMap;
import java.util.Map;
import org.apache.http.Header;
import org.apache.http.message.BasicHeader;
import org.junit.Assert;
import org.junit.ClassRule;
import org.junit.Test;

/* loaded from: input_file:com/floragunn/searchguard/authc/session/SessionIntegrationTest.class */
public class SessionIntegrationTest {
    static TestSgConfig.User BASIC_USER = new TestSgConfig.User("basic_user").roles("sg_all_access");
    static TestSgConfig.User NO_ROLES_USER = new TestSgConfig.User("no_roles_user");
    static TestSgConfig.Authc AUTHC = new TestSgConfig.Authc(new TestSgConfig.Authc.Domain("basic/internal_users_db").skipOriginatingIps("127.0.0.22")).trustedProxies("127.0.0.42");
    static TestSgConfig TEST_SG_CONFIG = new TestSgConfig().resources("session").authc(AUTHC).frontendAuthc("default", new TestSgConfig.FrontendAuthc("basic").label("Basic Login")).frontendAuthc("test_fe", new TestSgConfig.FrontendAuthc(TestApiAuthenticationFrontend.class.getName()).label("Test Login")).user(NO_ROLES_USER).user(BASIC_USER);

    @ClassRule
    public static JavaSecurityTestSetup javaSecurity = new JavaSecurityTestSetup();

    @ClassRule
    public static LocalCluster cluster = new LocalCluster.Builder().nodeSettings("searchguard.restapi.roles_enabled.0", "sg_admin").resources("session").sgConfig(TEST_SG_CONFIG).sslEnabled().build();

    @Test
    public void startSession_basic() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(new Header[0]);
        try {
            GenericRestClient.HttpResponse postJson = restClient.postJson("/_searchguard/auth/session", basicAuthRequest(BASIC_USER, new Object[0]), new Header[0]);
            Assert.assertEquals(postJson.getBody(), 201L, postJson.getStatusCode());
            String asText = postJson.toJsonNode().path("token").asText();
            Assert.assertNotNull(postJson.getBody(), asText);
            if (restClient != null) {
                restClient.close();
            }
            restClient = cluster.getRestClient(new BearerAuthorization(asText));
            try {
                GenericRestClient.HttpResponse httpResponse = restClient.get("/_searchguard/authinfo", new Header[0]);
                Assert.assertEquals(httpResponse.getBody(), 200L, httpResponse.getStatusCode());
                Assert.assertEquals(httpResponse.getBody(), BASIC_USER.getName(), httpResponse.toJsonNode().path("user_name").textValue());
                if (restClient != null) {
                    restClient.close();
                }
            } finally {
            }
        } finally {
        }
    }

    @Test
    public void startSession_header() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(BASIC_USER, new Header[0]);
        try {
            GenericRestClient.HttpResponse post = restClient.post("/_searchguard/auth/session/with_header");
            Assert.assertEquals(post.getBody(), 200L, post.getStatusCode());
            String asText = post.toJsonNode().path("token").asText();
            Assert.assertNotNull(post.getBody(), asText);
            if (restClient != null) {
                restClient.close();
            }
            GenericRestClient restClient2 = cluster.getRestClient(new BearerAuthorization(asText));
            try {
                GenericRestClient.HttpResponse httpResponse = restClient2.get("/_searchguard/authinfo", new Header[0]);
                Assert.assertEquals(httpResponse.getBody(), 200L, httpResponse.getStatusCode());
                Assert.assertEquals(httpResponse.getBody(), BASIC_USER.getName(), httpResponse.toJsonNode().path("user_name").textValue());
                if (restClient2 != null) {
                    restClient2.close();
                }
            } catch (Throwable th) {
                if (restClient2 != null) {
                    try {
                        restClient2.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        } catch (Throwable th3) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th4) {
                    th3.addSuppressed(th4);
                }
            }
            throw th3;
        }
    }

    @Test
    public void startSession_trustedProxy() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(new Header[0]);
        try {
            restClient.setLocalAddress(InetAddress.getByAddress(new byte[]{Byte.MAX_VALUE, 0, 0, 42}));
            Assert.assertEquals(restClient.postJson("/_searchguard/auth/session", basicAuthRequest(BASIC_USER, new Object[0]), new BasicHeader("X-Forwarded-For", "127.0.0.21")).getBody(), 201L, r0.getStatusCode());
            if (restClient != null) {
                restClient.close();
            }
            restClient = cluster.getRestClient(new Header[0]);
            try {
                restClient.setLocalAddress(InetAddress.getByAddress(new byte[]{Byte.MAX_VALUE, 0, 0, 42}));
                Assert.assertEquals(restClient.postJson("/_searchguard/auth/session", basicAuthRequest(BASIC_USER, new Object[0]), new BasicHeader("X-Forwarded-For", "127.0.0.22")).getBody(), 401L, r0.getStatusCode());
                if (restClient != null) {
                    restClient.close();
                }
                restClient = cluster.getRestClient(new Header[0]);
                try {
                    Assert.assertEquals(restClient.postJson("/_searchguard/auth/session", basicAuthRequest(BASIC_USER, new Object[0]), new BasicHeader("X-Forwarded-For", "127.0.0.22")).getBody(), 201L, r0.getStatusCode());
                    if (restClient != null) {
                        restClient.close();
                    }
                } finally {
                }
            } finally {
            }
        } finally {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th) {
                    th.addSuppressed(th);
                }
            }
        }
    }

    @Test
    public void nonDefaultConfigTest() throws Exception {
        GenericRestClient restClient = cluster.getRestClient("kibanaserver", "kibanaserver", new Header[0]);
        try {
            GenericRestClient.HttpResponse httpResponse = restClient.get("/_searchguard/auth/config?config_id=test_fe", new Header[0]);
            Assert.assertEquals(httpResponse.getBody(), "test", httpResponse.toJsonNode().path("auth_methods").path(0).path("method").asText());
            Assert.assertEquals(httpResponse.getBody(), 1L, httpResponse.toJsonNode().path("auth_methods").size());
            if (restClient != null) {
                restClient.close();
            }
            GenericRestClient restClient2 = cluster.getRestClient(new Header[0]);
            try {
                GenericRestClient.HttpResponse postJson = restClient2.postJson("/_searchguard/auth/session", testAuthRequest("test_user", "config_id", "test_fe", "roles", "backend_role_all_access"), new Header[0]);
                Assert.assertEquals(postJson.getBody(), 201L, postJson.getStatusCode());
                String asText = postJson.toJsonNode().path("token").asText();
                Assert.assertNotNull(postJson.getBody(), asText);
                if (restClient2 != null) {
                    restClient2.close();
                }
                restClient2 = cluster.getRestClient(new BearerAuthorization(asText));
                try {
                    GenericRestClient.HttpResponse httpResponse2 = restClient2.get("/_searchguard/authinfo", new Header[0]);
                    Assert.assertEquals(httpResponse2.getBody(), 200L, httpResponse2.getStatusCode());
                    Assert.assertEquals(httpResponse2.getBody(), "test_user", httpResponse2.toJsonNode().path("user_name").textValue());
                    Assert.assertEquals(httpResponse2.getBody(), "backend_role_all_access", httpResponse2.toJsonNode().path("backend_roles").path(0).textValue());
                    if (restClient2 != null) {
                        restClient2.close();
                    }
                } finally {
                }
            } finally {
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void configsAreSeparatedTest() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(new Header[0]);
        try {
            Assert.assertEquals(restClient.postJson("/_searchguard/auth/session", testAuthRequest("test_user", "roles", "backend_role_all_access"), new Header[0]).getBody(), 401L, r0.getStatusCode());
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void noRolesTest() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(new Header[0]);
        try {
            GenericRestClient.HttpResponse postJson = restClient.postJson("/_searchguard/auth/session", basicAuthRequest(NO_ROLES_USER, new Object[0]), new Header[0]);
            Assert.assertEquals(postJson.getBody(), 403L, postJson.getStatusCode());
            Assert.assertEquals("The user 'no_roles_user' is not allowed to log in.", postJson.toJsonNode().path("error").textValue());
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void autogeneratedKeysAreEncrypted() throws Exception {
        GenericRestClient adminCertRestClient = cluster.getAdminCertRestClient();
        try {
            GenericRestClient.HttpResponse httpResponse = adminCertRestClient.get("/_searchguard/config/vars/sessions_signing_key", new Header[0]);
            Assert.assertEquals(httpResponse.getBody(), 200L, httpResponse.getStatusCode());
            System.out.println(httpResponse.getBody());
            if (adminCertRestClient != null) {
                adminCertRestClient.close();
            }
        } catch (Throwable th) {
            if (adminCertRestClient != null) {
                try {
                    adminCertRestClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void justBasicAuthWithoutFrontendConfigTest() throws Exception {
        LocalCluster start = new LocalCluster.Builder().resources("session").user(BASIC_USER).authc(AUTHC).sslEnabled().singleNode().start();
        try {
            GenericRestClient restClient = start.getRestClient("kibanaserver", "kibanaserver", new Header[0]);
            try {
                GenericRestClient.HttpResponse httpResponse = restClient.get("/_searchguard/auth/config", new Header[0]);
                Assert.assertEquals(httpResponse.getBody(), "basic", httpResponse.toJsonNode().path("auth_methods").path(0).path("method").asText());
                Assert.assertEquals(httpResponse.getBody(), 1L, httpResponse.toJsonNode().path("auth_methods").size());
                if (restClient != null) {
                    restClient.close();
                }
                GenericRestClient restClient2 = start.getRestClient(new Header[0]);
                try {
                    GenericRestClient.HttpResponse postJson = restClient2.postJson("/_searchguard/auth/session", basicAuthRequest(BASIC_USER, new Object[0]), new Header[0]);
                    Assert.assertEquals(postJson.getBody(), 201L, postJson.getStatusCode());
                    String asText = postJson.toJsonNode().path("token").asText();
                    Assert.assertNotNull(postJson.getBody(), asText);
                    if (restClient2 != null) {
                        restClient2.close();
                    }
                    restClient2 = start.getRestClient(new BearerAuthorization(asText));
                    try {
                        GenericRestClient.HttpResponse httpResponse2 = restClient2.get("/_searchguard/authinfo", new Header[0]);
                        Assert.assertEquals(httpResponse2.getBody(), 200L, httpResponse2.getStatusCode());
                        Assert.assertEquals(httpResponse2.getBody(), BASIC_USER.getName(), httpResponse2.toJsonNode().path("user_name").textValue());
                        if (restClient2 != null) {
                            restClient2.close();
                        }
                        if (start != null) {
                            start.close();
                        }
                    } finally {
                    }
                } finally {
                }
            } finally {
            }
        } catch (Throwable th) {
            if (start != null) {
                try {
                    start.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private static Map<String, Object> basicAuthRequest(TestSgConfig.User user, Object... objArr) {
        HashMap hashMap = new HashMap();
        hashMap.put("mode", "basic");
        hashMap.put("user", user.getName());
        hashMap.put("password", user.getPassword());
        if (objArr != null && objArr.length > 0) {
            for (int i = 0; i < objArr.length; i += 2) {
                hashMap.put(objArr[i].toString(), objArr[i + 1]);
            }
        }
        return hashMap;
    }

    private static Map<String, Object> testAuthRequest(String str, Object... objArr) {
        HashMap hashMap = new HashMap();
        hashMap.put("mode", "test");
        hashMap.put("user", str);
        hashMap.put("secret", "indeed");
        if (objArr != null && objArr.length > 0) {
            for (int i = 0; i < objArr.length; i += 2) {
                hashMap.put(objArr[i].toString(), objArr[i + 1]);
            }
        }
        return hashMap;
    }
}
