package net.shibboleth.idp.plugin.authn.duo.impl;

import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.annotation.Nonnull;
import net.shibboleth.idp.authn.AuthenticationFlowDescriptor;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.ExternalAuthenticationContext;
import net.shibboleth.idp.authn.context.RequestedPrincipalContext;
import net.shibboleth.idp.authn.context.SubjectCanonicalizationContext;
import net.shibboleth.idp.authn.impl.ExternalAuthenticationImpl;
import net.shibboleth.idp.plugin.authn.duo.DefaultDuoOIDCIntegration;
import net.shibboleth.idp.plugin.authn.duo.DuoClientException;
import net.shibboleth.idp.plugin.authn.duo.context.DuoOIDCAuthenticationContext;
import net.shibboleth.idp.plugin.authn.mock.MockDuoOIDCClientFactory_FAIL_Client;
import net.shibboleth.idp.plugin.authn.mock.MockDuoOIDCClientFactory_OK_Client;
import net.shibboleth.idp.plugin.authn.mock.MockDuoOIDCClient_OK;
import net.shibboleth.idp.plugin.authn.mock.MockDuoOIDCClient_OK_OLD_AUTH_TIME;
import net.shibboleth.idp.plugin.authn.mock.MockFlowBuilder;
import net.shibboleth.idp.profile.context.RelyingPartyContext;
import net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.annotation.constraint.Unmodifiable;
import org.junit.Test;
import org.opensaml.profile.context.EventContext;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.io.ClassPathResource;
import org.springframework.webflow.core.collection.LocalAttributeMap;
import org.springframework.webflow.engine.Flow;
import org.springframework.webflow.engine.impl.FlowExecutionImpl;
import org.springframework.webflow.execution.FlowExecution;
import org.springframework.webflow.test.MockFlowBuilderContext;

/* loaded from: input_file:net/shibboleth/idp/plugin/authn/duo/impl/DuoAuthnFlowTest.class */
public class DuoAuthnFlowTest extends AbstractAuthnXmlFlowExecutionTests {

    @Nonnull
    public static final String FIRST_INTEGRATION_SP = "https://sp.example.com/requires-first-integration";

    @Nonnull
    public static final String SECOND_INTEGRATION_SP = "https://sp.example.com/requires-second-integration";

    @Nonnull
    public static final String FIRST_INTEGRATION_CLIENT_ID = "FIRST_INTEGRATION";

    @Nonnull
    public static final String SECOND_INTEGRATION_CLIENT_ID = "SECOND_INTEGRATION";

    @Nonnull
    private static final String USERNAME = "jdoe";

    @Nonnull
    private static final String PASSWORD = "changeit";

    @Nonnull
    private static final String FLOW = "/META-INF/net/shibboleth/idp/flows/authn/DuoOIDC/duo-oidc-authn-flow.xml";

    @Nonnull
    private final Logger log;

    @NonnullElements
    @Nonnull
    @Unmodifiable
    private final List<Flow> subflows;

    @NonnullElements
    @Nonnull
    @Unmodifiable
    private final Map<String, String> flowResources;

    public DuoAuthnFlowTest() {
        super("http://idp.example.org");
        this.log = LoggerFactory.getLogger(DuoAuthnFlowTest.class);
        this.subflows = List.of(MockFlowBuilder.MockNoOpFlow("c14n"));
        this.flowResources = Map.of("classpath:/net/shibboleth/idp/flows/authn/authn-abstract-flow.xml", "authn.abstract", "classpath:/conf/authn/authn-events-flow.xml", "authn.events");
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // net.shibboleth.idp.plugin.authn.duo.impl.AbstractAuthnXmlFlowExecutionTests
    public void registerMockBeanDefinitions(@Nonnull MockFlowBuilderContext mockFlowBuilderContext) {
        super.registerMockBeanDefinitions(mockFlowBuilderContext);
        loadBeanDefinitionsFromXmlFile(mockFlowBuilderContext, new ClassPathResource("META-INF/net.shibboleth.idp/postconfig.xml"), null);
    }

    @Test
    public void testDuoAuthnFlowDuoEndpointUnhealthy() {
        setFlowPath(FLOW);
        setFlowModelResources(this.flowResources);
        setSubflows(this.subflows);
        setClientFactory(new MockDuoOIDCClientFactory_FAIL_Client());
        setMockProperties(Map.of("idp.duo.oidc.redirectURL", "http://localhost/callback", "idp.duo.oidc.apiHost", "api-c9f24c5a.duosecurity.com", "idp.duo.oidc.clientId", "DIU6GEFWG5LIUBVV2M3P", "idp.duo.oidc.secretKey", "rFvDfPul27v3Wew2zb6xRPzAJewJ34MP2w8UitPh", "idp.duo.oidc.user.config", "duo-oidc-authn-config.xml", "idp.duo.oidc.clientFactoryBean", "shibboleth.authn.DuoOIDC.test.clientFactory"));
        LocalAttributeMap localAttributeMap = new LocalAttributeMap();
        localAttributeMap.put("calledAsSubflow", true);
        FlowExecution createFlowExecution = getFlowExecutionFactory().createFlowExecution(getFlowDefinition());
        createFlowExecution.getConversationScope().put("opensamlProfileRequestContext", buildProfileRequestContext(false, true));
        updateFlowExecution(createFlowExecution);
        createFlowExecution.start(localAttributeMap, this.externalContext);
        assertFlowExecutionEnded();
    }

    @Test
    public void testDuoAuthnFlowToAuthorizationRequest() {
        setFlowPath(FLOW);
        setFlowModelResources(this.flowResources);
        setSubflows(this.subflows);
        setClientFactory(new MockDuoOIDCClientFactory_OK_Client());
        setMockProperties(Map.of("idp.duo.oidc.redirectURL", "http://localhost/authorization-callback", "idp.duo.oidc.apiHost", "api-c9f24c5a.duosecurity.com", "idp.duo.oidc.clientId", "DIU6GEFWG5LIUBVV2M3P", "idp.duo.oidc.secretKey", "rFvDfPul27v3Wew2zb6xRPzAJewJ34MP2w8UitPh", "idp.duo.oidc.user.config", "duo-oidc-authn-config.xml", "idp.duo.oidc.clientFactoryBean", "shibboleth.authn.DuoOIDC.test.clientFactory"));
        LocalAttributeMap localAttributeMap = new LocalAttributeMap();
        localAttributeMap.put("calledAsSubflow", true);
        FlowExecution createFlowExecution = getFlowExecutionFactory().createFlowExecution(getFlowDefinition());
        createFlowExecution.getConversationScope().put("opensamlProfileRequestContext", buildProfileRequestContext(false, true));
        updateFlowExecution(createFlowExecution);
        createFlowExecution.start(localAttributeMap, this.externalContext);
        assertFlowExecutionActive();
        assertCurrentStateEquals("Duo2FAAuthorizationRequest");
    }

    @Test
    public void testDuoAuthnFlowToAuthorizationRequestMultipleDuoIntegrationsFirst() {
        setFlowPath(FLOW);
        setFlowModelResources(this.flowResources);
        setSubflows(this.subflows);
        setClientFactory(new MockDuoOIDCClientFactory_OK_Client());
        setMockProperties(Map.of("idp.duo.oidc.redirectURL", "http://localhost/authorization-callback", "idp.duo.oidc.clientFactoryBean", "shibboleth.authn.DuoOIDC.test.clientFactory", "idp.duo.oidc.user.config", "duo-oidc-authn-config-multiple-integrations.xml"));
        LocalAttributeMap localAttributeMap = new LocalAttributeMap();
        localAttributeMap.put("calledAsSubflow", true);
        FlowExecution createFlowExecution = getFlowExecutionFactory().createFlowExecution(getFlowDefinition());
        ProfileRequestContext buildProfileRequestContext = buildProfileRequestContext(false, true);
        RelyingPartyContext relyingPartyContext = new RelyingPartyContext();
        relyingPartyContext.setRelyingPartyId(FIRST_INTEGRATION_SP);
        buildProfileRequestContext.addSubcontext(relyingPartyContext);
        createFlowExecution.getConversationScope().put("opensamlProfileRequestContext", buildProfileRequestContext);
        updateFlowExecution(createFlowExecution);
        createFlowExecution.start(localAttributeMap, this.externalContext);
        assertFlowExecutionActive();
        assertCurrentStateEquals("Duo2FAAuthorizationRequest");
        assertNotNull(buildProfileRequestContext.getSubcontext(AuthenticationContext.class));
        assertNotNull(buildProfileRequestContext.getSubcontext(AuthenticationContext.class).getSubcontext(DuoOIDCAuthenticationContext.class));
        assertNotNull(buildProfileRequestContext.getSubcontext(AuthenticationContext.class).getSubcontext(DuoOIDCAuthenticationContext.class).getIntegration());
        assertEquals(FIRST_INTEGRATION_CLIENT_ID, buildProfileRequestContext.getSubcontext(AuthenticationContext.class).getSubcontext(DuoOIDCAuthenticationContext.class).getIntegration().getClientId());
    }

    @Test
    public void testDuoAuthnFlowToAuthorizationRequestMultipleDuoIntegrationsSecond() {
        setFlowPath(FLOW);
        setFlowModelResources(this.flowResources);
        setSubflows(this.subflows);
        setClientFactory(new MockDuoOIDCClientFactory_OK_Client());
        setMockProperties(Map.of("idp.duo.oidc.clientFactoryBean", "shibboleth.authn.DuoOIDC.test.clientFactory", "idp.duo.oidc.user.config", "duo-oidc-authn-config-multiple-integrations.xml", "idp.duo.oidc.redirectURL", "http://localhost/authorization-callback", "idp.duo.oidc.apiHost", "api-c9f24c5a.duosecurity.com", "idp.duo.oidc.clientId", "DIU6GEFWG5LIUBVV2M3P", "idp.duo.oidc.secretKey", "rFvDfPul27v3Wew2zb6xRPzAJewJ34MP2w8UitPh"));
        LocalAttributeMap localAttributeMap = new LocalAttributeMap();
        localAttributeMap.put("calledAsSubflow", true);
        FlowExecution createFlowExecution = getFlowExecutionFactory().createFlowExecution(getFlowDefinition());
        ProfileRequestContext buildProfileRequestContext = buildProfileRequestContext(false, true);
        RelyingPartyContext relyingPartyContext = new RelyingPartyContext();
        relyingPartyContext.setRelyingPartyId(SECOND_INTEGRATION_SP);
        buildProfileRequestContext.addSubcontext(relyingPartyContext);
        createFlowExecution.getConversationScope().put("opensamlProfileRequestContext", buildProfileRequestContext);
        updateFlowExecution(createFlowExecution);
        createFlowExecution.start(localAttributeMap, this.externalContext);
        assertFlowExecutionActive();
        assertCurrentStateEquals("Duo2FAAuthorizationRequest");
        assertNotNull(buildProfileRequestContext.getSubcontext(AuthenticationContext.class));
        assertNotNull(buildProfileRequestContext.getSubcontext(AuthenticationContext.class).getSubcontext(DuoOIDCAuthenticationContext.class));
        assertNotNull(buildProfileRequestContext.getSubcontext(AuthenticationContext.class).getSubcontext(DuoOIDCAuthenticationContext.class).getIntegration());
        assertEquals(SECOND_INTEGRATION_CLIENT_ID, buildProfileRequestContext.getSubcontext(AuthenticationContext.class).getSubcontext(DuoOIDCAuthenticationContext.class).getIntegration().getClientId());
    }

    @Test
    public void testDuoAuthnFlowToAuthorizationRequestWithUserSpaceFactory() {
        setFlowPath(FLOW);
        setFlowModelResources(this.flowResources);
        setSubflows(this.subflows);
        setMockProperties(Map.of("idp.duo.oidc.redirectURL", "http://localhost/authorization-callback", "idp.duo.oidc.apiHost", "api-c9f24c5a.duosecurity.com", "idp.duo.oidc.clientId", "DIU6GEFWG5LIUBVV2M3P", "idp.duo.oidc.secretKey", "rFvDfPul27v3Wew2zb6xRPzAJewJ34MP2w8UitPh", "idp.duo.oidc.clientFactoryBean", "shibboleth.authn.DuoOIDC.test.clientFactory", "idp.duo.oidc.user.config", "duo-oidc-authn-config-custom-factory.xml"));
        LocalAttributeMap localAttributeMap = new LocalAttributeMap();
        localAttributeMap.put("calledAsSubflow", true);
        FlowExecution createFlowExecution = getFlowExecutionFactory().createFlowExecution(getFlowDefinition());
        createFlowExecution.getConversationScope().put("opensamlProfileRequestContext", buildProfileRequestContext(false, true));
        updateFlowExecution(createFlowExecution);
        createFlowExecution.start(localAttributeMap, this.externalContext);
        assertFlowExecutionActive();
        assertCurrentStateEquals("Duo2FAAuthorizationRequest");
    }

    @Test
    public void testContextToPrincipalMappingStrategy() throws DuoClientException {
        setFlowPath(FLOW);
        setFlowModelResources(this.flowResources);
        setSubflows(this.subflows);
        setClientFactory(new MockDuoOIDCClientFactory_OK_Client());
        setMockProperties(Map.of("idp.duo.oidc.redirectURL", "http://localhost/authorization-callback", "idp.duo.oidc.apiHost", "api-c9f24c5a.duosecurity.com", "idp.duo.oidc.clientId", "DIU6GEFWG5LIUBVV2M3P", "idp.duo.oidc.secretKey", "rFvDfPul27v3Wew2zb6xRPzAJewJ34MP2w8UitPh", "idp.duo.oidc.clientFactoryBean", "shibboleth.authn.DuoOIDC.test.clientFactory", "idp.duo.oidc.user.config", "duo-oidc-authn-config-principal-mapping.xml"));
        new LocalAttributeMap().put("calledAsSubflow", true);
        FlowExecutionImpl createFlowExecution = getFlowExecutionFactory().createFlowExecution(getFlowDefinition());
        ProfileRequestContext buildProfileRequestContext = buildProfileRequestContext(false, false);
        DuoOIDCAuthenticationContext duoOIDCAuthenticationContext = new DuoOIDCAuthenticationContext();
        String generateNonce = DuoSupport.generateNonce(32);
        duoOIDCAuthenticationContext.setAuthorizationCode("adummycode");
        duoOIDCAuthenticationContext.setRequestState(generateNonce);
        duoOIDCAuthenticationContext.setResponseState(generateNonce);
        duoOIDCAuthenticationContext.setUsername(USERNAME);
        DefaultDuoOIDCIntegration defaultDuoOIDCIntegration = new DefaultDuoOIDCIntegration();
        defaultDuoOIDCIntegration.setClientId("DIU6GEFWG5LIUBVV2M3P");
        defaultDuoOIDCIntegration.setAPIHost("api-c9f24c5a.duosecurity.com");
        defaultDuoOIDCIntegration.setSecretKey("rFvDfPul27v3Wew2zb6xRPzAJewJ34MP2w8UitPh");
        defaultDuoOIDCIntegration.setAuthorizeEndpoint("/authorize");
        defaultDuoOIDCIntegration.setHealthCheckEndpoint("/health");
        defaultDuoOIDCIntegration.setTokenEndpoint("/token");
        defaultDuoOIDCIntegration.setRegisteredRedirectURI("http://localhost/authorization-callback");
        duoOIDCAuthenticationContext.setIntegration(defaultDuoOIDCIntegration);
        duoOIDCAuthenticationContext.setClient(new MockDuoOIDCClient_OK(duoOIDCAuthenticationContext.getIntegration()));
        buildProfileRequestContext.getSubcontext(AuthenticationContext.class).addSubcontext(duoOIDCAuthenticationContext);
        buildProfileRequestContext.getSubcontext(AuthenticationContext.class).addSubcontext(new ExternalAuthenticationContext(new ExternalAuthenticationImpl(false)));
        createFlowExecution.getConversationScope().put("opensamlProfileRequestContext", buildProfileRequestContext);
        updateFlowExecution(createFlowExecution);
        this.externalContext.setEventId("proceed");
        setCurrentState("Duo2FAAuthorizationRequest");
        resumeFlow(this.externalContext);
        assertFlowExecutionEnded();
        assertNotNull(buildProfileRequestContext.getSubcontext(AuthenticationContext.class));
        assertNotNull(buildProfileRequestContext.getSubcontext(SubjectCanonicalizationContext.class));
        assertEquals(buildProfileRequestContext.getSubcontext(SubjectCanonicalizationContext.class).getPrincipalName(), USERNAME);
        Set principals = buildProfileRequestContext.getSubcontext(SubjectCanonicalizationContext.class).getSubject().getPrincipals(AuthnContextClassRefPrincipal.class);
        assertEquals(1, principals.size());
        assertEquals("http://example.org/ac/classes/mfa/strong", ((AuthnContextClassRefPrincipal) principals.iterator().next()).getName());
    }

    @Test
    public void testDuoAuthnFlowFromAuthorizationCallback() throws DuoClientException {
        setRemoveDefaultContextCleanupHook(true);
        setFlowPath(FLOW);
        setFlowModelResources(this.flowResources);
        setSubflows(this.subflows);
        setClientFactory(new MockDuoOIDCClientFactory_OK_Client());
        setMockProperties(Map.of("idp.duo.oidc.user.config", "duo-oidc-authn-config.xml", "idp.duo.oidc.clientFactoryBean", "shibboleth.authn.DuoOIDC.test.clientFactory", "idp.duo.oidc.redirectURL", "http://localhost/authorization-callback", "idp.duo.oidc.apiHost", "api-c9f24c5a.duosecurity.com", "idp.duo.oidc.clientId", "DIU6GEFWG5LIUBVV2M3P", "idp.duo.oidc.secretKey", "rFvDfPul27v3Wew2zb6xRPzAJewJ34MP2w8UitPh"));
        FlowExecutionImpl createFlowExecution = getFlowExecutionFactory().createFlowExecution(getFlowDefinition());
        ProfileRequestContext buildProfileRequestContext = buildProfileRequestContext(false, false);
        DuoOIDCAuthenticationContext duoOIDCAuthenticationContext = new DuoOIDCAuthenticationContext();
        String generateNonce = DuoSupport.generateNonce(32);
        duoOIDCAuthenticationContext.setAuthorizationCode("adummycode");
        duoOIDCAuthenticationContext.setRequestState(generateNonce);
        duoOIDCAuthenticationContext.setResponseState(generateNonce);
        duoOIDCAuthenticationContext.setUsername(USERNAME);
        DefaultDuoOIDCIntegration defaultDuoOIDCIntegration = new DefaultDuoOIDCIntegration();
        defaultDuoOIDCIntegration.setClientId("DIU6GEFWG5LIUBVV2M3P");
        defaultDuoOIDCIntegration.setAPIHost("api-c9f24c5a.duosecurity.com");
        defaultDuoOIDCIntegration.setSecretKey("rFvDfPul27v3Wew2zb6xRPzAJewJ34MP2w8UitPh");
        defaultDuoOIDCIntegration.setAuthorizeEndpoint("/authorize");
        defaultDuoOIDCIntegration.setHealthCheckEndpoint("/health");
        defaultDuoOIDCIntegration.setTokenEndpoint("/token");
        defaultDuoOIDCIntegration.setRegisteredRedirectURI("http://localhost/authorization-callback");
        duoOIDCAuthenticationContext.setIntegration(defaultDuoOIDCIntegration);
        duoOIDCAuthenticationContext.setClient(new MockDuoOIDCClient_OK(duoOIDCAuthenticationContext.getIntegration()));
        buildProfileRequestContext.getSubcontext(AuthenticationContext.class).addSubcontext(duoOIDCAuthenticationContext);
        buildProfileRequestContext.getSubcontext(AuthenticationContext.class).addSubcontext(new ExternalAuthenticationContext(new ExternalAuthenticationImpl(false)));
        createFlowExecution.getConversationScope().put("opensamlProfileRequestContext", buildProfileRequestContext);
        updateFlowExecution(createFlowExecution);
        this.externalContext.setEventId("proceed");
        setCurrentState("Duo2FAAuthorizationRequest");
        resumeFlow(this.externalContext);
        assertFlowExecutionEnded();
        assertNotNull(buildProfileRequestContext.getSubcontext(AuthenticationContext.class));
        assertNotNull(buildProfileRequestContext.getSubcontext(AuthenticationContext.class).getSubcontext(DuoOIDCAuthenticationContext.class));
        assertNotNull(buildProfileRequestContext.getSubcontext(AuthenticationContext.class).getSubcontext(DuoOIDCAuthenticationContext.class).getAuthToken());
        assertNotNull(buildProfileRequestContext.getSubcontext(SubjectCanonicalizationContext.class));
        assertEquals(buildProfileRequestContext.getSubcontext(SubjectCanonicalizationContext.class).getPrincipalName(), USERNAME);
    }

    @Test
    public void testDuoAuthnFlowFromAuthorizationCallbackWithRPC() throws DuoClientException {
        setRemoveDefaultContextCleanupHook(true);
        setFlowPath(FLOW);
        setFlowModelResources(this.flowResources);
        setSubflows(this.subflows);
        setClientFactory(new MockDuoOIDCClientFactory_OK_Client());
        setMockProperties(Map.of("idp.duo.oidc.clientFactoryBean", "shibboleth.authn.DuoOIDC.test.clientFactory", "idp.duo.oidc.user.config", "duo-oidc-authn-config.xml", "idp.duo.oidc.redirectURL", "http://localhost/authorization-callback", "idp.duo.oidc.apiHost", "api-c9f24c5a.duosecurity.com", "idp.duo.oidc.clientId", "DIU6GEFWG5LIUBVV2M3P", "idp.duo.oidc.secretKey", "rFvDfPul27v3Wew2zb6xRPzAJewJ34MP2w8UitPh"));
        FlowExecutionImpl createFlowExecution = getFlowExecutionFactory().createFlowExecution(getFlowDefinition());
        ProfileRequestContext buildProfileRequestContext = buildProfileRequestContext(false, false);
        DuoOIDCAuthenticationContext duoOIDCAuthenticationContext = new DuoOIDCAuthenticationContext();
        String generateNonce = DuoSupport.generateNonce(32);
        duoOIDCAuthenticationContext.setAuthorizationCode("adummycode");
        duoOIDCAuthenticationContext.setRequestState(generateNonce);
        duoOIDCAuthenticationContext.setResponseState(generateNonce);
        duoOIDCAuthenticationContext.setUsername(USERNAME);
        DefaultDuoOIDCIntegration defaultDuoOIDCIntegration = new DefaultDuoOIDCIntegration();
        defaultDuoOIDCIntegration.setClientId("DIU6GEFWG5LIUBVV2M3P");
        defaultDuoOIDCIntegration.setAPIHost("api-c9f24c5a.duosecurity.com");
        defaultDuoOIDCIntegration.setSecretKey("rFvDfPul27v3Wew2zb6xRPzAJewJ34MP2w8UitPh");
        defaultDuoOIDCIntegration.setAuthorizeEndpoint("/authorize");
        defaultDuoOIDCIntegration.setHealthCheckEndpoint("/health");
        defaultDuoOIDCIntegration.setTokenEndpoint("/token");
        defaultDuoOIDCIntegration.setRegisteredRedirectURI("http://localhost/authorization-callback");
        duoOIDCAuthenticationContext.setIntegration(defaultDuoOIDCIntegration);
        duoOIDCAuthenticationContext.setClient(new MockDuoOIDCClient_OK(duoOIDCAuthenticationContext.getIntegration()));
        buildProfileRequestContext.getSubcontext(AuthenticationContext.class).addSubcontext(duoOIDCAuthenticationContext);
        buildProfileRequestContext.getSubcontext(AuthenticationContext.class).addSubcontext(new ExternalAuthenticationContext(new ExternalAuthenticationImpl(false)));
        RequestedPrincipalContext requestedPrincipalContext = new RequestedPrincipalContext();
        requestedPrincipalContext.setRequestedPrincipals(List.of(new AuthnContextClassRefPrincipal("http://example.org/ac/classes/mfa")));
        requestedPrincipalContext.setOperator("exact");
        buildProfileRequestContext.getSubcontext(AuthenticationContext.class).addSubcontext(requestedPrincipalContext);
        AuthenticationFlowDescriptor authenticationFlowDescriptor = new AuthenticationFlowDescriptor();
        authenticationFlowDescriptor.setId("authn/DuoOIDC");
        authenticationFlowDescriptor.setSupportedPrincipals(List.of(new AuthnContextClassRefPrincipal("http://example.org/ac/classes/mfa")));
        buildProfileRequestContext.getSubcontext(AuthenticationContext.class).setAttemptedFlow(authenticationFlowDescriptor);
        createFlowExecution.getConversationScope().put("opensamlProfileRequestContext", buildProfileRequestContext);
        updateFlowExecution(createFlowExecution);
        this.externalContext.setEventId("proceed");
        setCurrentState("Duo2FAAuthorizationRequest");
        resumeFlow(this.externalContext);
        assertFlowExecutionEnded();
        assertNotNull(buildProfileRequestContext.getSubcontext(AuthenticationContext.class));
        assertNotNull(buildProfileRequestContext.getSubcontext(AuthenticationContext.class).getSubcontext(DuoOIDCAuthenticationContext.class));
        assertNotNull(buildProfileRequestContext.getSubcontext(AuthenticationContext.class).getSubcontext(DuoOIDCAuthenticationContext.class).getAuthToken());
        assertNotNull(buildProfileRequestContext.getSubcontext(SubjectCanonicalizationContext.class));
        assertEquals(buildProfileRequestContext.getSubcontext(SubjectCanonicalizationContext.class).getPrincipalName(), USERNAME);
    }

    @Test
    public void testDuoAuthnFlowFromAuthorizationCallbackForceAuthnFailure() throws DuoClientException {
        setFlowPath(FLOW);
        setFlowModelResources(this.flowResources);
        setSubflows(this.subflows);
        setClientFactory(new MockDuoOIDCClientFactory_OK_Client());
        setMockProperties(Map.of("idp.duo.oidc.clientFactoryBean", "shibboleth.authn.DuoOIDC.test.clientFactory", "idp.duo.oidc.user.config", "duo-oidc-authn-config.xml", "idp.duo.oidc.redirectURL", "http://localhost/authorization-callback", "idp.duo.oidc.apiHost", "api-c9f24c5a.duosecurity.com", "idp.duo.oidc.clientId", "DIU6GEFWG5LIUBVV2M3P", "idp.duo.oidc.secretKey", "rFvDfPul27v3Wew2zb6xRPzAJewJ34MP2w8UitPh"));
        FlowExecutionImpl createFlowExecution = getFlowExecutionFactory().createFlowExecution(getFlowDefinition());
        ProfileRequestContext buildProfileRequestContext = buildProfileRequestContext(true, false);
        DuoOIDCAuthenticationContext duoOIDCAuthenticationContext = new DuoOIDCAuthenticationContext();
        String generateNonce = DuoSupport.generateNonce(32);
        duoOIDCAuthenticationContext.setAuthorizationCode("adummycode");
        duoOIDCAuthenticationContext.setRequestState(generateNonce);
        duoOIDCAuthenticationContext.setResponseState(generateNonce);
        duoOIDCAuthenticationContext.setUsername(USERNAME);
        DefaultDuoOIDCIntegration defaultDuoOIDCIntegration = new DefaultDuoOIDCIntegration();
        defaultDuoOIDCIntegration.setClientId("DIU6GEFWG5LIUBVV2M3P");
        defaultDuoOIDCIntegration.setAPIHost("api-c9f24c5a.duosecurity.com");
        defaultDuoOIDCIntegration.setSecretKey("rFvDfPul27v3Wew2zb6xRPzAJewJ34MP2w8UitPh");
        defaultDuoOIDCIntegration.setRegisteredRedirectURI("http://localhost/authorization-callback");
        defaultDuoOIDCIntegration.setAuthorizeEndpoint("/authorize");
        defaultDuoOIDCIntegration.setHealthCheckEndpoint("/health");
        defaultDuoOIDCIntegration.setTokenEndpoint("/token");
        duoOIDCAuthenticationContext.setIntegration(defaultDuoOIDCIntegration);
        duoOIDCAuthenticationContext.setClient(new MockDuoOIDCClient_OK_OLD_AUTH_TIME(duoOIDCAuthenticationContext.getIntegration()));
        buildProfileRequestContext.getSubcontext(AuthenticationContext.class).addSubcontext(duoOIDCAuthenticationContext);
        buildProfileRequestContext.getSubcontext(AuthenticationContext.class).addSubcontext(new ExternalAuthenticationContext(new ExternalAuthenticationImpl(false)));
        createFlowExecution.getConversationScope().put("opensamlProfileRequestContext", buildProfileRequestContext);
        updateFlowExecution(createFlowExecution);
        this.externalContext.setEventId("proceed");
        setCurrentState("Duo2FAAuthorizationRequest");
        resumeFlow(this.externalContext);
        assertFlowExecutionEnded();
        assertNotNull(buildProfileRequestContext.getSubcontext(EventContext.class));
        assertNotNull(buildProfileRequestContext.getSubcontext(EventContext.class).getEvent());
        assertTrue(buildProfileRequestContext.getSubcontext(EventContext.class).getEvent() instanceof String);
        assertEquals("NoCredentials", buildProfileRequestContext.getSubcontext(EventContext.class).getEvent());
    }
}
