package net.shibboleth.idp.test.flows.cas;

import java.util.Collections;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.annotation.Nonnull;
import javax.servlet.http.Cookie;
import net.shibboleth.idp.attribute.context.AttributeContext;
import net.shibboleth.idp.authn.AuthenticationResult;
import net.shibboleth.idp.authn.context.SubjectContext;
import net.shibboleth.idp.authn.principal.UsernamePrincipal;
import net.shibboleth.idp.cas.config.LoginConfiguration;
import net.shibboleth.idp.cas.ticket.ServiceTicket;
import net.shibboleth.idp.cas.ticket.TicketService;
import net.shibboleth.idp.consent.context.ConsentContext;
import net.shibboleth.idp.profile.context.RelyingPartyContext;
import net.shibboleth.idp.relyingparty.RelyingPartyConfiguration;
import net.shibboleth.idp.relyingparty.RelyingPartyConfigurationResolver;
import net.shibboleth.idp.session.IdPSession;
import net.shibboleth.idp.session.criterion.SessionIdCriterion;
import net.shibboleth.idp.session.impl.StorageBackedSessionManager;
import net.shibboleth.idp.test.flows.AbstractFlowTest;
import net.shibboleth.utilities.java.support.net.URISupport;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.Criterion;
import org.opensaml.profile.context.ProfileRequestContext;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.webflow.core.collection.MutableAttributeMap;
import org.springframework.webflow.execution.FlowExecutionOutcome;
import org.springframework.webflow.executor.FlowExecutionResult;
import org.testng.Assert;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;

@ContextConfiguration(locations = {"/test/test-cas-beans.xml"})
/* loaded from: input_file:net/shibboleth/idp/test/flows/cas/LoginFlowTest.class */
public class LoginFlowTest extends AbstractFlowTest {

    @Nonnull
    private static String FLOW_ID = "cas/login";

    @Autowired
    @Qualifier("shibboleth.CASTicketService")
    private TicketService ticketService;

    @Autowired
    private StorageBackedSessionManager sessionManager;

    @Autowired
    @Qualifier("shibboleth.RelyingPartyConfigurationResolver")
    private RelyingPartyConfigurationResolver relyingPartyConfigurationResolver;

    @BeforeMethod
    public void setUp() throws Exception {
        setPostAuthenticationFlows(Collections.emptyList());
    }

    @Test
    public void testGatewayNoSession() throws Exception {
        this.externalContext.getMockRequestParameterMap().put("service", "https://gateway.example.org/");
        this.externalContext.getMockRequestParameterMap().put("gateway", "true");
        Assert.assertEquals(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext).getOutcome().getId(), "RedirectToService");
        Assert.assertEquals(this.externalContext.getExternalRedirectUrl(), "https://gateway.example.org/");
    }

    @Test
    public void testGatewayWithSession() throws Exception {
        IdPSession createSession = this.sessionManager.createSession("aurora");
        createSession.addAuthenticationResult(new AuthenticationResult("authn/Password", new UsernamePrincipal("aurora")));
        this.externalContext.getMockRequestParameterMap().put("service", "https://gateway.example.org/");
        this.externalContext.getMockRequestParameterMap().put("gateway", "true");
        overrideEndStateOutput(FLOW_ID, "RedirectToService");
        this.request.setCookies(new Cookie[]{new Cookie("shib_idp_session", createSession.getId())});
        initializeThreadLocals();
        Assert.assertEquals(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext).getOutcome().getId(), "RedirectToService");
        Assert.assertTrue(this.externalContext.getExternalRedirectUrl().contains("https://gateway.example.org/?ticket=ST-"));
    }

    @Test
    public void testLoginStartSession() throws Exception {
        this.externalContext.getMockRequestParameterMap().put("service", "https://start.example.org/");
        overrideEndStateOutput(FLOW_ID, "RedirectToService");
        FlowExecutionOutcome outcome = this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext).getOutcome();
        Assert.assertEquals(outcome.getId(), "RedirectToService");
        ServiceTicket removeServiceTicket = this.ticketService.removeServiceTicket(getTicketIdFromUrl(this.externalContext.getExternalRedirectUrl()));
        Assert.assertNotNull(removeServiceTicket);
        Assert.assertNotNull(this.sessionManager.resolveSingle(new CriteriaSet(new Criterion[]{new SessionIdCriterion(removeServiceTicket.getSessionId())})));
        ProfileRequestContext profileRequestContext = (ProfileRequestContext) outcome.getOutput().get(AbstractFlowTest.END_STATE_OUTPUT_ATTR_NAME);
        Assert.assertNotNull(profileRequestContext.getSubcontext(SubjectContext.class));
        assertPopulatedAttributeContext(profileRequestContext);
    }

    @Test
    public void testLoginStartSessionWithPostMethod() throws Exception {
        this.externalContext.getMockRequestParameterMap().put("service", "https://start.example.org/");
        this.externalContext.getMockRequestParameterMap().put("method", "post");
        overrideEndStateOutput(FLOW_ID, "PostBackToService");
        FlowExecutionOutcome outcome = this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext).getOutcome();
        Assert.assertEquals(outcome.getId(), "PostBackToService");
        String contentAsString = ((MockHttpServletResponse) this.externalContext.getNativeResponse()).getContentAsString();
        Assert.assertTrue(contentAsString.contains(String.format("<form action=\"%s\" method=\"post\">", "https://start.example.org/")));
        Assert.assertTrue(contentAsString.contains("<input type=\"hidden\" name=\"ticket\" value=\"ST-"));
        Matcher matcher = Pattern.compile("value=\"([^\"]+)").matcher(contentAsString);
        Assert.assertTrue(matcher.find());
        Assert.assertEquals(1, matcher.groupCount());
        ServiceTicket removeServiceTicket = this.ticketService.removeServiceTicket(matcher.group(1));
        Assert.assertNotNull(removeServiceTicket);
        Assert.assertNotNull(this.sessionManager.resolveSingle(new CriteriaSet(new Criterion[]{new SessionIdCriterion(removeServiceTicket.getSessionId())})));
        ProfileRequestContext profileRequestContext = (ProfileRequestContext) outcome.getOutput().get(AbstractFlowTest.END_STATE_OUTPUT_ATTR_NAME);
        Assert.assertNotNull(profileRequestContext.getSubcontext(SubjectContext.class));
        assertPopulatedAttributeContext(profileRequestContext);
    }

    @Test
    public void testLoginWithConsent() throws Exception {
        this.externalContext.getMockRequestParameterMap().put("service", "https://start.example.org/");
        setPostAuthenticationFlows(Collections.singletonList("attribute-release"));
        overrideEndStateOutput(FLOW_ID, "RedirectToService");
        FlowExecutionResult launchExecution = this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext);
        FlowExecutionOutcome outcome = launchExecution.getOutcome();
        Assert.assertEquals(launchExecution.getOutcome().getId(), "RedirectToService");
        ServiceTicket removeServiceTicket = this.ticketService.removeServiceTicket(getTicketIdFromUrl(this.externalContext.getExternalRedirectUrl()));
        Assert.assertNotNull(removeServiceTicket);
        Assert.assertNotNull(this.sessionManager.resolveSingle(new CriteriaSet(new Criterion[]{new SessionIdCriterion(removeServiceTicket.getSessionId())})));
        ProfileRequestContext profileRequestContext = (ProfileRequestContext) outcome.getOutput().get(AbstractFlowTest.END_STATE_OUTPUT_ATTR_NAME);
        Assert.assertNotNull(profileRequestContext);
        Assert.assertNotNull(profileRequestContext.getSubcontext(SubjectContext.class));
        Assert.assertNotNull(profileRequestContext.getSubcontext(ConsentContext.class, false));
    }

    @Test
    public void testLoginExistingSession() throws Exception {
        IdPSession createSession = this.sessionManager.createSession("aurora");
        createSession.addAuthenticationResult(new AuthenticationResult("authn/Password", new UsernamePrincipal("aurora")));
        this.externalContext.getMockRequestParameterMap().put("service", "https://existing.example.org/");
        overrideEndStateOutput(FLOW_ID, "RedirectToService");
        this.request.setCookies(new Cookie[]{new Cookie("shib_idp_session", createSession.getId())});
        initializeThreadLocals();
        FlowExecutionOutcome outcome = this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext).getOutcome();
        Assert.assertEquals(outcome.getId(), "RedirectToService");
        ServiceTicket removeServiceTicket = this.ticketService.removeServiceTicket(getTicketIdFromUrl(this.externalContext.getExternalRedirectUrl()));
        Assert.assertNotNull(removeServiceTicket);
        IdPSession resolveSingle = this.sessionManager.resolveSingle(new CriteriaSet(new Criterion[]{new SessionIdCriterion(removeServiceTicket.getSessionId())}));
        Assert.assertNotNull(resolveSingle);
        Assert.assertEquals(resolveSingle.getId(), createSession.getId());
        ProfileRequestContext profileRequestContext = (ProfileRequestContext) outcome.getOutput().get(AbstractFlowTest.END_STATE_OUTPUT_ATTR_NAME);
        Assert.assertNotNull(profileRequestContext.getSubcontext(SubjectContext.class));
        assertPopulatedAttributeContext(profileRequestContext);
    }

    @Test
    public void testLoginExistingSessionDoNotCache() throws Exception {
        IdPSession createSession = this.sessionManager.createSession("maleficent");
        this.externalContext.getMockRequestParameterMap().put("service", "https://existing.example.org/");
        overrideEndStateOutput(FLOW_ID, "RedirectToService");
        this.request.setCookies(new Cookie[]{new Cookie("shib_idp_session", createSession.getId())});
        initializeThreadLocals();
        FlowExecutionOutcome outcome = this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext).getOutcome();
        Assert.assertEquals(outcome.getId(), "RedirectToService");
        ServiceTicket removeServiceTicket = this.ticketService.removeServiceTicket(getTicketIdFromUrl(this.externalContext.getExternalRedirectUrl()));
        Assert.assertNotNull(removeServiceTicket);
        IdPSession resolveSingle = this.sessionManager.resolveSingle(new CriteriaSet(new Criterion[]{new SessionIdCriterion(removeServiceTicket.getSessionId())}));
        Assert.assertNotNull(resolveSingle);
        Assert.assertNotEquals(resolveSingle.getId(), createSession.getId());
        ProfileRequestContext profileRequestContext = (ProfileRequestContext) outcome.getOutput().get(AbstractFlowTest.END_STATE_OUTPUT_ATTR_NAME);
        Assert.assertNotNull(profileRequestContext.getSubcontext(SubjectContext.class));
        assertPopulatedAttributeContext(profileRequestContext);
    }

    @Test
    public void testErrorNoService() throws Exception {
        FlowExecutionResult launchExecution = this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext);
        String contentAsString = this.response.getContentAsString();
        Assert.assertEquals(launchExecution.getOutcome().getId(), "AuditedErrorView");
        Assert.assertTrue(contentAsString.contains("ServiceNotSpecified"));
    }

    private void setPostAuthenticationFlows(List<String> list) throws Exception {
        ProfileRequestContext profileRequestContext = new ProfileRequestContext();
        profileRequestContext.setProfileId("https://www.apereo.org/cas/protocol/login");
        RelyingPartyConfiguration relyingPartyConfiguration = (RelyingPartyConfiguration) this.relyingPartyConfigurationResolver.resolveSingle(profileRequestContext);
        if (relyingPartyConfiguration == null) {
            throw new IllegalStateException("Relying party configuration not found");
        }
        LoginConfiguration profileConfiguration = relyingPartyConfiguration.getProfileConfiguration(profileRequestContext, "https://www.apereo.org/cas/protocol/login");
        if (profileConfiguration == null) {
            throw new IllegalStateException("CAS login profile configuration not found");
        }
        profileConfiguration.setPostAuthenticationFlows(list);
    }

    private void assertPopulatedAttributeContext(ProfileRequestContext profileRequestContext) {
        Assert.assertNotNull(profileRequestContext);
        RelyingPartyContext subcontext = profileRequestContext.getSubcontext(RelyingPartyContext.class, false);
        Assert.assertNotNull(subcontext);
        AttributeContext subcontext2 = subcontext.getSubcontext(AttributeContext.class, false);
        Assert.assertNotNull(subcontext2);
        Assert.assertFalse(subcontext2.getUnfilteredIdPAttributes().isEmpty());
    }

    private String getTicketIdFromUrl(String str) {
        Assert.assertTrue(str.contains("ticket=ST-"));
        String substring = str.substring(str.indexOf("ticket=") + 7);
        Assert.assertEquals(substring.indexOf(47), -1);
        Assert.assertEquals(substring.indexOf(43), -1);
        return URISupport.doURLDecode(substring);
    }
}
