package it.common.testbase.auth;

import com.atlassian.asap.api.exception.CannotRetrieveKeyException;
import com.atlassian.asap.core.exception.InvalidHeaderException;
import com.atlassian.asap.core.keys.privatekey.PrivateKeyProviderFactory;
import com.atlassian.asap.core.validator.ValidatedKeyId;
import com.atlassian.plugin.connect.modules.beans.nested.ScopeName;
import com.atlassian.plugin.connect.test.common.servlet.ConnectRunner;
import com.atlassian.plugin.connect.test.common.servlet.InstallHandlerServlet;
import com.atlassian.plugin.connect.test.common.util.AddonTestUtils;
import com.atlassian.plugin.connect.test.product.TestedProductAccessor;
import com.google.common.collect.ImmutableSet;
import com.nimbusds.jose.JOSEException;
import io.atlassian.micros.oauth2.accesstoken.ConnectSessionAuthToken;
import io.atlassian.micros.oauth2.accesstoken.SessionClaimSet;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.security.interfaces.RSAPrivateKey;
import java.util.Iterator;
import java.util.Optional;
import java.util.Set;
import java.util.function.Consumer;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.util.EntityUtils;
import org.joda.time.Duration;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Ignore;
import org.junit.Test;

/* loaded from: input_file:it/common/testbase/auth/OAuth2AuthenticationBaseTest.class */
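/**
 * Base class for integration tests that call product REST resources with a bearer token built
 * from a {@link SessionClaimSet}.
 *
 * <p>Each test installs a Connect add-on (by default with the READ scope only), builds a session
 * token for the add-on's OAuth client id, signs it with the RSA key identified by
 * {@link #KEY_ID}, and asserts on the HTTP response. Subclasses supply the product-specific
 * resource paths and the way to read the user key out of the "self" resource response.
 *
 * <p>The signing key is fetched from the URI given in the {@code asap.private.key.server.url}
 * system property; tests that send a token fail if it is not set.
 */
public abstract class OAuth2AuthenticationBaseTest {
    /** Issuer value used in the claim sets of every test except the wrong-issuer one. */
    private static final String AUTHZ_SERVER_ID = "oauth-2-authorization-server";

    /** Key id used both to look up the private key and as the key id of the signed token. */
    private static final String KEY_ID = "oauth-2-authorization-server/testing";

    /** System property holding the URI the private key provider is created from. */
    private static final String KEY_SERVER_URL_PROPERTY = "asap.private.key.server.url";

    private ConnectRunner addon;
    private String clientId;
    private final String baseUrl = TestedProductAccessor.get().getTestedProduct().getProductInstance().getBaseUrl();
    private final Set<String> addonScopes = ImmutableSet.of(ScopeName.READ.toString());
    private final Consumer<HttpResponse> mustBeUnauthorized = responseCodeMustBe(401);
    private final Consumer<HttpResponse> mustBeOk = responseCodeMustBe(200);
    private final Consumer<HttpResponse> mustBeForbidden = responseCodeMustBe(403);

    /**
     * Builds a response check that asserts on the HTTP status code.
     *
     * @param expectedStatus the status code the response must carry
     * @return a check to pass to {@code callWithClaimSet}
     */
    private Consumer<HttpResponse> responseCodeMustBe(int expectedStatus) {
        return response -> Assert.assertEquals(expectedStatus, response.getStatusLine().getStatusCode());
    }

    /**
     * Builds a response check that reads the response body, extracts the user key with
     * {@link #getUserKeyFromSelfResponse(String)} and compares it to the expected one.
     *
     * @param expectedUserKey the user key the self resource must report
     * @return a check to pass to {@code callWithClaimSet}
     */
    protected Consumer<HttpResponse> mustBeUserKey(String expectedUserKey) {
        return response -> {
            try {
                String body = EntityUtils.toString(response.getEntity());
                Assert.assertEquals(
                        "Impersonated call to self resource reported wrong user as authenticated",
                        expectedUserKey,
                        getUserKeyFromSelfResponse(body));
            } catch (IOException e) {
                // Keep the I/O failure as the cause so the report shows why the body was unreadable.
                throw new AssertionError("Could not parse self resource", e);
            }
        };
    }

    /** Installs the add-on with the default scope set (READ only) before each test. */
    @Before
    public void startAddon() throws Exception {
        startAddon(this.addonScopes);
    }

    /**
     * Starts an add-on with a random key and the given scopes, and records the OAuth client id
     * from its install payload.
     *
     * @param scopes names of {@link ScopeName} constants to request for the add-on
     */
    private void startAddon(Set<String> scopes) throws Exception {
        InstallHandlerServlet installHandler = new InstallHandlerServlet();
        this.addon = new ConnectRunner(this.baseUrl, AddonTestUtils.randomAddonKey()).addJWT(installHandler);
        for (String scope : scopes) {
            this.addon.addScope(ScopeName.valueOf(scope));
        }
        this.addon.start();
        this.clientId = installHandler.getInstallPayload().getOauthClientId();
    }

    /** Stops and uninstalls the add-on after each test. */
    @After
    public void stopAddon() {
        ConnectRunner.stopAndUninstallQuietly(this.addon);
    }

    /** @return the user key placed in the token's claim set */
    protected abstract String getAdminUserKey();

    /** @return path (appended to the base URL) of the resource requested when a test names none */
    protected abstract String getReadScopedResourcePath();

    /** @return path of a resource the READ-scoped add-on is expected to be refused (403) */
    protected abstract String getAdminScopedResourcePath();

    /** @return path of the resource whose response identifies the authenticated user */
    protected abstract String getSelfResourcePath();

    /** @return path of a resource expected to be refused (403) even with a valid token */
    protected abstract String getNonWhitelistedResourcePath();

    /**
     * @param responseBody body of the response from {@link #getSelfResourcePath()}
     * @return the user key reported in that body
     */
    protected abstract String getUserKeyFromSelfResponse(String responseBody);

    /**
     * Builds a one-hour claim set for this add-on's client id and the product base URL.
     *
     * @param issuer authorization server id to put in the claim set
     * @param userKey user the token is issued for
     * @param tokenScopes scopes carried by the token
     */
    private SessionClaimSet sessionClaims(String issuer, String userKey, Set<String> tokenScopes) throws Exception {
        return new SessionClaimSet(issuer, userKey, this.clientId, new URL(this.baseUrl), tokenScopes, Duration.standardHours(1L));
    }

    /**
     * Signs the claim set with the key identified by {@link #KEY_ID} and returns the value for
     * the {@code Authorization} header.
     *
     * <p>Any failure is raised as an {@link AssertionError}. Sending the request without the
     * header after a signing failure would turn every token test into a no-token test, and the
     * only trace of the real cause would be a stack trace on stderr.
     */
    private String bearerHeaderFor(SessionClaimSet claims) {
        String keyServerUrl = System.getProperty(KEY_SERVER_URL_PROPERTY);
        if (keyServerUrl == null) {
            throw new IllegalStateException("System property " + KEY_SERVER_URL_PROPERTY + " is not set");
        }
        try {
            RSAPrivateKey signingKey = (RSAPrivateKey) PrivateKeyProviderFactory
                    .createPrivateKeyProvider(new URI(keyServerUrl))
                    .getKey(ValidatedKeyId.validate(KEY_ID));
            return "Bearer " + new ConnectSessionAuthToken(claims, signingKey, KEY_ID).serialize();
        } catch (Exception e) {
            // Broad catch on purpose: whatever goes wrong while building the token is a test failure.
            throw new AssertionError("Could not build a signed session token for the test request", e);
        }
    }

    /**
     * Sends a GET to the product and hands the response to the given check.
     *
     * @param claimSet claims to sign and send as a bearer token; empty sends no Authorization header
     * @param resourcePath path appended to the base URL; empty uses {@link #getReadScopedResourcePath()}
     * @param responseCheck assertion to run against the response
     */
    private void callWithClaimSet(Optional<SessionClaimSet> claimSet, Optional<String> resourcePath, Consumer<HttpResponse> responseCheck) throws InvalidHeaderException, IOException, CannotRetrieveKeyException, JOSEException, URISyntaxException {
        HttpGet request = new HttpGet(this.baseUrl + resourcePath.orElse(getReadScopedResourcePath()));
        if (claimSet.isPresent()) {
            request.setHeader("Authorization", bearerHeaderFor(claimSet.get()));
        }
        // Close the client and the response so connections do not pile up across tests.
        try (CloseableHttpClient client = HttpClientBuilder.create().build();
                CloseableHttpResponse response = client.execute(request)) {
            responseCheck.accept(response);
        }
    }

    /**
     * Add-on holds READ, WRITE and ADMIN, the token only READ and WRITE: the admin-scoped
     * resource must be refused.
     *
     * <p>NOTE(review): disabled without a recorded reason. It is the only case in this class
     * where the token's scopes are narrower than the add-on's, so that check is not exercised
     * while it stays ignored.
     */
    @Test
    @Ignore
    public void restCallOutOfScopeForToken() throws Exception {
        stopAddon();
        startAddon(ImmutableSet.of(ScopeName.READ.toString(), ScopeName.WRITE.toString(), ScopeName.ADMIN.toString()));
        Set<String> tokenScopes = ImmutableSet.of(ScopeName.READ.toString(), ScopeName.WRITE.toString());
        callWithClaimSet(
                Optional.of(sessionClaims(AUTHZ_SERVER_ID, getAdminUserKey(), tokenScopes)),
                Optional.of(getAdminScopedResourcePath()),
                this.mustBeForbidden);
    }

    /** A READ-only add-on with a READ-only token must be refused on the admin-scoped resource. */
    @Test
    public void restCallOutOfScopeForAddon() throws Exception {
        callWithClaimSet(
                Optional.of(sessionClaims(AUTHZ_SERVER_ID, getAdminUserKey(), this.addonScopes)),
                Optional.of(getAdminScopedResourcePath()),
                this.mustBeForbidden);
    }

    /** An otherwise valid token must be refused on the non-whitelisted resource. */
    @Test
    public void restCallNotInConnectWhitelist() throws Exception {
        callWithClaimSet(
                Optional.of(sessionClaims(AUTHZ_SERVER_ID, getAdminUserKey(), this.addonScopes)),
                Optional.of(getNonWhitelistedResourcePath()),
                this.mustBeForbidden);
    }

    /** A request without an Authorization header must get 401. */
    @Test
    public void restCallWithNoToken() throws Exception {
        callWithClaimSet(Optional.empty(), Optional.empty(), this.mustBeUnauthorized);
    }

    /** A token whose claim set names a different authorization server must be refused. */
    @Test
    public void restCallWithInvalidAuthzServer() throws Exception {
        // Only the issuer claim differs; the token is still signed with the KEY_ID key.
        callWithClaimSet(
                Optional.of(sessionClaims("somethingelse", getAdminUserKey(), this.addonScopes)),
                Optional.empty(),
                this.mustBeForbidden);
    }

    /** A valid token within the add-on's scope must be accepted on the default resource. */
    @Test
    public void restCallWithValidToken() throws Exception {
        callWithClaimSet(
                Optional.of(sessionClaims(AUTHZ_SERVER_ID, getAdminUserKey(), this.addonScopes)),
                Optional.empty(),
                this.mustBeOk);
    }

    /** The self resource must report the user named in the token, not some other identity. */
    @Test
    public void restCallWithValidTokenIsAuthenticatedAsImpersonatedUser() throws Exception {
        String adminUserKey = getAdminUserKey();
        callWithClaimSet(
                Optional.of(sessionClaims(AUTHZ_SERVER_ID, adminUserKey, this.addonScopes)),
                Optional.of(getSelfResourcePath()),
                mustBeUserKey(adminUserKey));
    }
}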
