package com.atlassian.crowd.acceptance.tests.rest.service;

import com.atlassian.crowd.acceptance.tests.rest.service.util.RestTestFixture;
import com.atlassian.crowd.acceptance.utils.CrowdInstanceState;
import com.atlassian.crowd.acceptance.utils.TestDataState;
import com.atlassian.crowd.manager.sso.InvalidApplicationSamlConfigurationException;
import com.atlassian.crowd.plugin.rest.entity.ApplicationSamlConfigurationRestEntity;
import com.atlassian.crowd.plugin.rest.entity.sso.CertificateFormat;
import com.atlassian.crowd.plugin.rest.entity.sso.IdpSamlConfigurationEntity;
import com.atlassian.crowd.test.util.RestUtils;
import com.google.common.collect.ImmutableMap;
import com.sun.jersey.api.client.ClientResponse;
import io.restassured.http.ContentType;
import io.restassured.mapper.ObjectMapperType;
import io.restassured.response.ValidatableResponse;
import java.io.ByteArrayInputStream;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Collectors;
import javax.ws.rs.core.UriBuilder;
import net.shibboleth.utilities.java.support.xml.XMLParserException;
import org.hamcrest.Description;
import org.hamcrest.Matcher;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.hamcrest.TypeSafeMatcher;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Rule;
import org.junit.Test;
import org.opensaml.core.config.ConfigurationService;
import org.opensaml.core.config.InitializationException;
import org.opensaml.core.config.InitializationService;
import org.opensaml.core.xml.Namespace;
import org.opensaml.core.xml.config.XMLObjectProviderRegistry;
import org.opensaml.core.xml.io.UnmarshallingException;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.saml2.metadata.KeyDescriptor;
import org.opensaml.saml.saml2.metadata.impl.SingleSignOnServiceImpl;
import org.opensaml.security.credential.UsageType;
import org.opensaml.xmlsec.signature.X509Certificate;
import org.opensaml.xmlsec.signature.X509Data;
import org.springframework.web.util.UriComponentsBuilder;

/* loaded from: input_file:com/atlassian/crowd/acceptance/tests/rest/service/SamlConfigurationResourceTest.class */
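/**
 * Acceptance tests for the SAML configuration admin REST resource
 * ({@code /rest/admin/1.0/samlconfig}) of a running Crowd instance.
 *
 * <p>The tests cover four things:
 * <ul>
 *   <li>anonymous callers are rejected with 401 on the configuration, IdP metadata and
 *       certificate-reset endpoints;</li>
 *   <li>the IdP configuration and the published IdP metadata agree on issuer, SSO URL and
 *       signing certificate;</li>
 *   <li>per-application SAML configuration can be parsed from SP metadata and updated, and
 *       invalid updates are reported per field;</li>
 *   <li>resetting the certificates yields a certificate different from the previous one.</li>
 * </ul>
 *
 * <p>Every request goes over HTTP to the instance named by
 * {@link CrowdInstanceState#getHostPath()}; nothing here runs without that instance.
 */
public class SamlConfigurationResourceTest {
    private static final String CERTIFICATE_HEADER = "-----BEGIN CERTIFICATE-----";
    private static final String SAML2_NAMESPACE = "urn:oasis:names:tc:SAML:2.0:metadata";
    private static final String SAML2_PREFIX = "md";
    private static final String SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol";
    private static final String SAML2_POST_BINDING_URI = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";
    private static final String SAML2_REDIRECT_BINDING_URI = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";
    private static final String XML_METADATA = "<md:EntityDescriptor entityID=\"http://jira.com\" xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\">\n<md:SPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n<md:AssertionConsumerService Location=\"http://jira.com/SAML2/SSO/POST\"/>\n</md:SPSSODescriptor></md:EntityDescriptor>";
    protected static final String ISSUER = CrowdInstanceState.getHostPath();
    private static final String SAML_CONFIGURATION_RESOURCE = CrowdInstanceState.getHostPath() + "/rest/admin/1.0/samlconfig";
    private static final String IDP_METADATA_RESOURCE = SAML_CONFIGURATION_RESOURCE + "/idp/metadata";
    private static final String RESET_SAML_CERTIFICATE_RESOURCE = SAML_CONFIGURATION_RESOURCE + "/reset-certificates";
    private static final String SSO_URL_SUFFIX = "/console/secure/saml/sso.action";
    protected static final String SSO_URL = UriComponentsBuilder.fromUriString(CrowdInstanceState.getHostPath() + SSO_URL_SUFFIX).build().toString();

    // Ids of the two applications the tests configure; presumably they exist in the
    // test data set loaded into the instance — confirm against the fixture.
    private static final long APPLICATION_ID = 884737L;
    private static final long OTHER_APPLICATION = 1376257L;

    @Rule
    public RestTestFixture fixture = new RestTestFixture();

    /**
     * Matches an {@link EntityDescriptor} whose SAML 2.0 IdP descriptor has the expected key
     * descriptors and SSO services, and whose entity id satisfies the issuer matcher.
     */
    private static class IdpMetadataMatcher extends TypeSafeMatcher<EntityDescriptor> {
        private final Matcher<Iterable<? extends KeyDescriptor>> keyDescriptorMatcher;
        private final Matcher<Iterable<? extends SingleSignOnServiceImpl>> singleSignOnServiceMatcher;
        private final Matcher<String> issuerMatcher;

        public IdpMetadataMatcher(Matcher<Iterable<? extends KeyDescriptor>> keyDescriptorMatcher, Matcher<Iterable<? extends SingleSignOnServiceImpl>> singleSignOnServiceMatcher, Matcher<String> issuerMatcher) {
            this.keyDescriptorMatcher = keyDescriptorMatcher;
            this.singleSignOnServiceMatcher = singleSignOnServiceMatcher;
            this.issuerMatcher = issuerMatcher;
        }

        @Override
        public boolean matchesSafely(EntityDescriptor entityDescriptor) {
            IDPSSODescriptor idpDescriptor = entityDescriptor.getIDPSSODescriptor(SAML2_PROTOCOL);
            if (idpDescriptor == null) {
                // Metadata without an IdP role is a mismatch, not a NullPointerException:
                // the assertion should fail with the matcher's description.
                return false;
            }
            return this.keyDescriptorMatcher.matches(idpDescriptor.getKeyDescriptors())
                    && this.singleSignOnServiceMatcher.matches(idpDescriptor.getSingleSignOnServices())
                    && this.issuerMatcher.matches(entityDescriptor.getEntityID());
        }

        @Override
        public void describeTo(Description description) {
            description.appendText("IDP Metadata with key descriptor: ").appendDescriptionOf(this.keyDescriptorMatcher).appendText(" and SSO Service: ").appendDescriptionOf(this.singleSignOnServiceMatcher).appendText(" and issuer: ").appendDescriptionOf(this.issuerMatcher);
        }
    }

    /**
     * Matches a {@link KeyDescriptor} by its declared usage and by the X509 data in its key info.
     */
    private static class KeyDescriptorMatcher extends TypeSafeMatcher<KeyDescriptor> {
        private final UsageType usageType;
        private final Matcher<Iterable<? extends X509Data>> x509DataMatcher;

        public KeyDescriptorMatcher(UsageType usageType, Matcher<Iterable<? extends X509Data>> x509DataMatcher) {
            this.usageType = usageType;
            this.x509DataMatcher = x509DataMatcher;
        }

        @Override
        public boolean matchesSafely(KeyDescriptor keyDescriptor) {
            // A key descriptor without key info cannot carry the expected certificate.
            return keyDescriptor.getKeyInfo() != null
                    && this.x509DataMatcher.matches(keyDescriptor.getKeyInfo().getX509Datas())
                    && Objects.equals(keyDescriptor.getUse(), this.usageType);
        }

        @Override
        public void describeTo(Description description) {
            description.appendText("Key descriptor with x509 data matcher: ").appendDescriptionOf(this.x509DataMatcher).appendText(" and usage type: ").appendValue(this.usageType);
        }

        /**
         * Builds a matcher for a key descriptor that holds exactly one X509 data element with
         * exactly one certificate, that certificate being contained in {@code pemCertificate}.
         */
        public static KeyDescriptorMatcher forX509Certificate(UsageType usageType, String pemCertificate) {
            return new KeyDescriptorMatcher(usageType, Matchers.contains(new X509DataMatcher(Matchers.contains(new X509CertificateMatcher(pemCertificate)))));
        }
    }

    /** Matches an SSO service endpoint by exact binding URI and location. */
    private static class SsoServiceMatcher extends TypeSafeMatcher<SingleSignOnServiceImpl> {
        private final String location;
        private final String binding;

        public SsoServiceMatcher(String location, String binding) {
            this.location = location;
            this.binding = binding;
        }

        @Override
        public boolean matchesSafely(SingleSignOnServiceImpl ssoService) {
            return Objects.equals(ssoService.getBinding(), this.binding) && Objects.equals(ssoService.getLocation(), this.location);
        }

        @Override
        public void describeTo(Description description) {
            description.appendText("SSO service with key location: ").appendValue(this.location).appendText(" and binding: ").appendValue(this.binding);
        }
    }

    /**
     * Matches a metadata {@link X509Certificate} element whose value appears inside the given
     * PEM certificate once whitespace is removed from both.
     *
     * <p>An absent or empty element value never matches. Every string contains the empty
     * string, so without that guard metadata publishing an empty certificate element would
     * satisfy the check and the signing-certificate assertion would pass without comparing
     * anything.
     */
    public static class X509CertificateMatcher extends TypeSafeMatcher<X509Certificate> {
        private final String pemCertificate;

        public X509CertificateMatcher(String pemCertificate) {
            this.pemCertificate = pemCertificate;
        }

        @Override
        public boolean matchesSafely(X509Certificate x509Certificate) {
            String published = x509Certificate.getValue();
            if (published == null) {
                return false;
            }
            // Strip all whitespace, not only "\n", so CRLF-wrapped PEM compares equal too.
            String publishedBody = published.replaceAll("\\s", "");
            if (publishedBody.isEmpty()) {
                return false;
            }
            return this.pemCertificate.replaceAll("\\s", "").contains(publishedBody);
        }

        @Override
        public void describeTo(Description description) {
            description.appendText("Certificate with value: ").appendValue(this.pemCertificate);
        }
    }

    /** Matches an {@link X509Data} element by applying a matcher to its certificates. */
    public static class X509DataMatcher extends TypeSafeMatcher<X509Data> {
        private final Matcher<Iterable<? extends X509Certificate>> x509CertificateMatcher;

        public X509DataMatcher(Matcher<Iterable<? extends X509Certificate>> x509CertificateMatcher) {
            this.x509CertificateMatcher = x509CertificateMatcher;
        }

        @Override
        public boolean matchesSafely(X509Data x509Data) {
            return this.x509CertificateMatcher.matches(x509Data.getX509Certificates());
        }

        @Override
        public void describeTo(Description description) {
            description.appendText("X509 Data with certificate: ").appendDescriptionOf(this.x509CertificateMatcher);
        }
    }

    /**
     * Initialises OpenSAML once per class; {@link #unmarshallMetadata(String)} reads its parser
     * pool from the configuration this sets up.
     */
    @BeforeClass
    public static void onStart() throws InitializationException {
        InitializationService.initialize();
    }

    /** Posts to the testkit certificate endpoint as admin before each test and expects 200. */
    @Before
    public void setUp() {
        RestUtils.adminRequest().post(CrowdInstanceState.getHostPath() + "/rest/testkit/1.0/certificate").then().statusCode(ClientResponse.Status.OK.getStatusCode());
    }

    /** Registers with {@link TestDataState} that the calling test modifies instance data. */
    void intendToModifyData() {
        TestDataState.INSTANCE.intendToModify(CrowdInstanceState.getHostPath());
    }

    /** Builds the per-application configuration URI: base path, application id, then suffix. */
    private static URI buildApplicationsConfigUri(long applicationId, String suffix) {
        return baseUriBuilder().path(applicationId + suffix).build();
    }

    private static UriBuilder baseUriBuilder() {
        return UriBuilder.fromUri(CrowdInstanceState.getHostPath()).path("rest/admin/1.0/samlconfig/application");
    }

    /** Fetches an application's SAML configuration as admin, asserting a 200 response. */
    private ApplicationSamlConfigurationRestEntity getConfig(long applicationId) {
        return RestUtils.adminRequest().get(buildApplicationsConfigUri(applicationId, "")).then().statusCode(200).extract().as(ApplicationSamlConfigurationRestEntity.class, ObjectMapperType.JACKSON_1);
    }

    // The three *WhenAnonymousRequest tests pin down that the SAML admin endpoints are not
    // readable or resettable without authentication.

    @Test
    public void shouldNotFetchSamlConfigurationWhenAnonymousRequest() {
        RestUtils.anonymousRequest().get(SAML_CONFIGURATION_RESOURCE).then().statusCode(ClientResponse.Status.UNAUTHORIZED.getStatusCode());
    }

    @Test
    public void shouldNotResetSamlConfigurationWhenAnonymousRequest() {
        RestUtils.anonymousRequest().post(RESET_SAML_CERTIFICATE_RESOURCE).then().assertThat().statusCode(ClientResponse.Status.UNAUTHORIZED.getStatusCode());
    }

    @Test
    public void shouldCorrectlyFetchSamlConfiguration() {
        validateSamlConfiguration();
    }

    @Test
    public void shouldGenerateCertificateAndCorrectlyFetchSamlConfiguration() {
        intendToModifyData();
        // Remove the stored key/certificate pair id first, so the fetch below has to work
        // without it.
        this.fixture.getTestkitClient().deleteProperty("saml.key.certificate.pair.id");
        validateSamlConfiguration();
    }

    /**
     * Asserts that the IdP configuration reports the expected issuer and SSO URL, a PEM
     * certificate carrying the PEM header, and a non-null expiration date.
     */
    public void validateSamlConfiguration() {
        IdpSamlConfigurationEntity idpConfig = getIdpConfig();
        MatcherAssert.assertThat(idpConfig.getIssuer(), Matchers.is(ISSUER));
        MatcherAssert.assertThat(idpConfig.getSsoUrl(), Matchers.is(SSO_URL));
        MatcherAssert.assertThat(idpConfig.getCertificateFormat(), Matchers.is(CertificateFormat.PEM));
        MatcherAssert.assertThat(idpConfig.getCertificate(), Matchers.containsString(CERTIFICATE_HEADER));
        MatcherAssert.assertThat(idpConfig.getExpirationDate(), Matchers.notNullValue());
    }

    /**
     * Checks that the published IdP metadata advertises exactly one signing key, holding the
     * certificate the configuration endpoint reports, plus POST and Redirect SSO endpoints at
     * the expected URL and the expected entity id.
     */
    @Test
    public void shouldCorrectlyFetchIdpMetadata() throws XMLParserException, UnmarshallingException {
        String metadataXml = RestUtils.adminRequest().get(IDP_METADATA_RESOURCE).then().statusCode(ClientResponse.Status.OK.getStatusCode()).contentType(ContentType.XML).extract().asString();
        String certificate = getIdpConfig().getCertificate();
        EntityDescriptor metadata = unmarshallMetadata(metadataXml);
        MatcherAssert.assertThat(metadata, Matchers.is(new IdpMetadataMatcher(
                Matchers.contains(KeyDescriptorMatcher.forX509Certificate(UsageType.SIGNING, certificate)),
                Matchers.contains(new SsoServiceMatcher(SSO_URL, SAML2_POST_BINDING_URI), new SsoServiceMatcher(SSO_URL, SAML2_REDIRECT_BINDING_URI)),
                Matchers.is(ISSUER))));
        MatcherAssert.assertThat(metadata.getNamespaces(), Matchers.contains(new Namespace(SAML2_NAMESPACE, SAML2_PREFIX)));
    }

    /** Fetches the IdP SAML configuration as admin, asserting a 200 response. */
    private IdpSamlConfigurationEntity getIdpConfig() {
        return RestUtils.adminRequest().get(SAML_CONFIGURATION_RESOURCE).then().statusCode(ClientResponse.Status.OK.getStatusCode()).extract().as(IdpSamlConfigurationEntity.class, ObjectMapperType.JACKSON_1);
    }

    @Test
    public void shouldNotReturnIdpsMetadataWhenAnonymousRequest() {
        RestUtils.anonymousRequest().get(IDP_METADATA_RESOURCE).then().statusCode(ClientResponse.Status.UNAUTHORIZED.getStatusCode());
    }

    @Test
    public void testGetApplicationSamlConfig() {
        ApplicationSamlConfigurationRestEntity config = getConfig(APPLICATION_ID);
        MatcherAssert.assertThat(config.getAssertionConsumerUrl(), Matchers.nullValue());
        MatcherAssert.assertThat(config.getEntityId(), Matchers.nullValue());
        MatcherAssert.assertThat(config.getEnabled(), Matchers.equalTo(false));
    }

    /**
     * Parsing SP metadata returns the entity id and assertion consumer URL from the document
     * but must not persist them: the stored application configuration stays empty and disabled.
     */
    @Test
    public void testParseXml() {
        ApplicationSamlConfigurationRestEntity parsed = parseXml(XML_METADATA, 200);
        ApplicationSamlConfigurationRestEntity stored = getConfig(APPLICATION_ID);
        MatcherAssert.assertThat(parsed.getAssertionConsumerUrl(), Matchers.equalTo("http://jira.com/SAML2/SSO/POST"));
        MatcherAssert.assertThat(parsed.getEntityId(), Matchers.equalTo("http://jira.com"));
        MatcherAssert.assertThat(parsed.getEnabled(), Matchers.nullValue());
        MatcherAssert.assertThat(stored.getAssertionConsumerUrl(), Matchers.nullValue());
        MatcherAssert.assertThat(stored.getEntityId(), Matchers.nullValue());
        MatcherAssert.assertThat(stored.getEnabled(), Matchers.equalTo(false));
    }

    @Test
    public void testParseXmlFailure() {
        // NOTE(review): only non-XML input is covered. A case posting well-formed metadata
        // that declares a DOCTYPE would also pin down that the server-side parser rejects DTDs.
        parseXml("fdagoisdjboiwj92b8yviowgoe", 400);
    }

    @Test
    public void testUpdateSamlConfig() {
        intendToModifyData();
        update(APPLICATION_ID, new ApplicationSamlConfigurationRestEntity("eId", "http://url1.com", true), 200);
    }

    /** An entity id / assertion consumer URL already used by one application is rejected for another. */
    @Test
    public void testUpdateNotUnique() {
        intendToModifyData();
        update(APPLICATION_ID, new ApplicationSamlConfigurationRestEntity("eId", "http://url1.com", true), 200);
        MatcherAssert.assertThat(update(OTHER_APPLICATION, new ApplicationSamlConfigurationRestEntity("eId", "http://url1.com", true), 400), Matchers.equalTo(ImmutableMap.of(InvalidApplicationSamlConfigurationException.Field.ENTITY_ID, InvalidApplicationSamlConfigurationException.ErrorCode.NOT_UNIQUE, InvalidApplicationSamlConfigurationException.Field.ASSERTION_CONSUMER_URL, InvalidApplicationSamlConfigurationException.ErrorCode.NOT_UNIQUE)));
    }

    @Test
    public void testUpdateEmptyDisabled() {
        intendToModifyData();
        update(APPLICATION_ID, new ApplicationSamlConfigurationRestEntity("", "", false), 200);
    }

    /** Enabling SAML with an empty entity id and assertion consumer URL is rejected. */
    @Test
    public void testUpdateEmptyEnabled() {
        intendToModifyData();
        MatcherAssert.assertThat(update(OTHER_APPLICATION, new ApplicationSamlConfigurationRestEntity("", "", true), 400), Matchers.equalTo(ImmutableMap.of(InvalidApplicationSamlConfigurationException.Field.ENTITY_ID, InvalidApplicationSamlConfigurationException.ErrorCode.EMPTY, InvalidApplicationSamlConfigurationException.Field.ASSERTION_CONSUMER_URL, InvalidApplicationSamlConfigurationException.ErrorCode.EMPTY)));
    }

    /**
     * Posts a new SAML configuration for an application as admin and asserts the response status.
     *
     * @param applicationId  id of the application to update
     * @param config         configuration to store
     * @param expectedStatus HTTP status the update must return
     * @return for a non-200 status, the per-field error codes decoded from the response body;
     *         {@code null} for 200, after asserting that the stored configuration equals
     *         {@code config}
     */
    private Map<InvalidApplicationSamlConfigurationException.Field, InvalidApplicationSamlConfigurationException.ErrorCode> update(long applicationId, ApplicationSamlConfigurationRestEntity config, int expectedStatus) {
        ValidatableResponse response = RestUtils.adminRequest().body(config).post(buildApplicationsConfigUri(applicationId, "")).then().assertThat().statusCode(expectedStatus);
        if (expectedStatus != 200) {
            // The error body is a JSON object of field name -> error code name.
            @SuppressWarnings("unchecked")
            Map<String, String> errors = response.extract().as(HashMap.class, ObjectMapperType.JACKSON_1);
            return errors.entrySet().stream().collect(Collectors.toMap(
                    entry -> InvalidApplicationSamlConfigurationException.Field.valueOf(entry.getKey()),
                    entry -> InvalidApplicationSamlConfigurationException.ErrorCode.valueOf(entry.getValue())));
        }
        MatcherAssert.assertThat(getConfig(applicationId), Matchers.equalTo(config));
        return null;
    }

    /**
     * Unmarshalls metadata XML with the parser pool from OpenSAML's
     * {@link XMLObjectProviderRegistry}, which {@link #onStart()} initialises.
     */
    private EntityDescriptor unmarshallMetadata(String xml) throws UnmarshallingException, XMLParserException {
        return (EntityDescriptor) XMLObjectSupport.unmarshallFromInputStream(ConfigurationService.get(XMLObjectProviderRegistry.class).getParserPool(), new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /**
     * Sends the same metadata to both parsing endpoints (raw body and multipart upload) and
     * asserts that each returns {@code expectedStatus}.
     *
     * @return the parsed configuration when {@code expectedStatus} is 200, after asserting that
     *         both endpoints returned equal entities; {@code null} otherwise
     */
    private ApplicationSamlConfigurationRestEntity parseXml(String metadata, int expectedStatus) {
        // Encode explicitly: the platform default charset differs between build hosts, and
        // unmarshallMetadata in this class already uses UTF-8.
        byte[] payload = metadata.getBytes(StandardCharsets.UTF_8);
        ValidatableResponse rawResponse = RestUtils.adminRequest(ContentType.BINARY, ContentType.JSON).body(payload).post(baseUriBuilder().path("parse_metadata").build()).then().statusCode(expectedStatus);
        // "X-Atlassian-Token: no-check" is the header Atlassian products accept to skip XSRF
        // token checking, so this request does not exercise XSRF protection on the upload.
        ValidatableResponse multipartResponse = RestUtils.adminRequest((ContentType) null, ContentType.JSON).contentType("multipart/form-data").header("X-Atlassian-Token", "no-check").multiPart("file", "b", payload).post(baseUriBuilder().path("parse_metadata_multipart").build()).then().statusCode(expectedStatus);
        if (expectedStatus != 200) {
            return null;
        }
        ApplicationSamlConfigurationRestEntity parsed = rawResponse.extract().as(ApplicationSamlConfigurationRestEntity.class, ObjectMapperType.JACKSON_1);
        MatcherAssert.assertThat(parsed, Matchers.equalTo(multipartResponse.extract().as(ApplicationSamlConfigurationRestEntity.class, ObjectMapperType.JACKSON_1)));
        return parsed;
    }

    /**
     * Resetting the certificates as admin keeps issuer, SSO URL and certificate format and
     * returns a certificate that differs from the one reported before the reset.
     */
    @Test
    public void shouldCorrectlyResetSamlConfigurationWhenAdminRequest() {
        // NOTE(review): this test rotates the instance's certificate without calling
        // intendToModifyData(); presumably setUp() re-provisions it before each test — confirm.
        IdpSamlConfigurationEntity before = getIdpConfig();
        IdpSamlConfigurationEntity after = RestUtils.adminRequest().post(RESET_SAML_CERTIFICATE_RESOURCE).then().assertThat().statusCode(ClientResponse.Status.OK.getStatusCode()).extract().as(IdpSamlConfigurationEntity.class, ObjectMapperType.JACKSON_1);
        MatcherAssert.assertThat(after.getIssuer(), Matchers.is(ISSUER));
        MatcherAssert.assertThat(after.getSsoUrl(), Matchers.is(SSO_URL));
        MatcherAssert.assertThat(after.getCertificateFormat(), Matchers.is(CertificateFormat.PEM));
        MatcherAssert.assertThat(after.getCertificate(), Matchers.containsString(CERTIFICATE_HEADER));
        MatcherAssert.assertThat(after.getCertificate(), Matchers.not(Matchers.is(before.getCertificate())));
    }
}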
