package net.shibboleth.idp.plugin.authn.duo.impl;

import javax.annotation.Nonnull;
import javax.servlet.ServletContext;
import net.shibboleth.idp.authn.AuthenticationFlowDescriptor;
import net.shibboleth.idp.authn.ExternalAuthenticationException;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.ExternalAuthenticationContext;
import net.shibboleth.idp.authn.context.SubjectCanonicalizationContext;
import net.shibboleth.idp.authn.impl.ExternalAuthenticationImpl;
import net.shibboleth.idp.plugin.authn.duo.DefaultDuoOIDCIntegration;
import net.shibboleth.idp.plugin.authn.duo.DuoClientException;
import net.shibboleth.idp.plugin.authn.duo.context.DuoOIDCAuthenticationContext;
import net.shibboleth.idp.plugin.authn.mock.MockDuoOIDCClient_OK;
import net.shibboleth.idp.plugin.authn.util.mock.IdPPropertyConfigurer;
import net.shibboleth.idp.session.IdPSession;
import net.shibboleth.idp.session.context.SessionContext;
import net.shibboleth.idp.ui.context.RelyingPartyUIContext;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullAfterInit;
import org.apache.commons.codec.binary.Hex;
import org.mockito.Mockito;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.TestPropertySource;
import org.springframework.test.context.testng.AbstractTestNGSpringContextTests;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.MvcResult;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.result.MockMvcResultHandlers;
import org.springframework.test.web.servlet.result.MockMvcResultMatchers;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.util.NestedServletException;
import org.springframework.webflow.core.collection.LocalAttributeMap;
import org.springframework.webflow.execution.FlowExecution;
import org.springframework.webflow.execution.repository.FlowExecutionRepository;
import org.springframework.webflow.execution.repository.support.CompositeFlowExecutionKey;
import org.springframework.webflow.executor.FlowExecutorImpl;
import org.testng.Assert;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;

@WebAppConfiguration
@ContextConfiguration(classes = {DuoOIDCAuthnController.class, IdPPropertyConfigurer.class})
@TestPropertySource(properties = {"idp.authn.duo.OIDC.externalAuthnPath=/Authn/Duo/2FA"})
/* loaded from: input_file:net/shibboleth/idp/plugin/authn/duo/impl/DuoOIDCAuthnControllerTest.class */
public class DuoOIDCAuthnControllerTest extends AbstractTestNGSpringContextTests {

    @NonnullAfterInit
    private String state;

    @Nonnull
    private MockMvc mockMvc;

    @Nonnull
    @Autowired
    private ServletContext servletContext;

    @Nonnull
    @Autowired
    private WebApplicationContext webApplicationContext;

    @Nonnull
    private final String API_HOST = "duo.host.com";

    @Nonnull
    private final String KEY = "e1s1";

    @Nonnull
    private final String NONCE = "8821febf7b3237fc3974f76a75f37e8c";

    @Nonnull
    private final String CODE = "db87f45083db5aea16eb45b7ace685c8";

    @Nonnull
    private final Logger log = LoggerFactory.getLogger(DuoOIDCAuthnControllerTest.class);

    @BeforeMethod
    public void setUp() throws Exception {
        this.state = "8821febf7b3237fc3974f76a75f37e8c." + Hex.encodeHexString("e1s1".getBytes());
        Assert.assertNotNull((DuoOIDCAuthnController) this.webApplicationContext.getBean(DuoOIDCAuthnController.class));
        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.webApplicationContext).build();
        exportServletContextAttributes();
    }

    @Test
    public void testSuccessfulAuthorizeRequest() throws Exception {
        MvcResult andReturn = this.mockMvc.perform(MockMvcRequestBuilders.get("/Authn/Duo/2FA/authorize", new Object[0]).param("conversation", new String[]{"e1s1"})).andDo(MockMvcResultHandlers.print()).andExpect(MockMvcResultMatchers.status().is3xxRedirection()).andReturn();
        Assert.assertNotNull(andReturn.getResponse().getHeader("Location"));
        Assert.assertTrue(andReturn.getResponse().getHeader("Location").contains("duo.host.com"));
    }

    @Test
    public void testIncorrectStateNoExecutionKey() throws Exception {
        try {
            this.mockMvc.perform(MockMvcRequestBuilders.get("/Authn/Duo/2FA/duo-callback", new Object[0]).param("code", new String[]{"db87f45083db5aea16eb45b7ace685c8"}).param("state", new String[]{"8821febf7b3237fc3974f76a75f37e8c."})).andDo(MockMvcResultHandlers.print());
        } catch (NestedServletException e) {
            Assert.assertTrue(e.getCause() instanceof ExternalAuthenticationException);
            this.log.error("{}", e.getRootCause().getMessage());
        }
    }

    @Test
    public void testIncorrectStateNoNonce() throws Exception {
        try {
            this.mockMvc.perform(MockMvcRequestBuilders.get("/Authn/Duo/2FA/duo-callback", new Object[0]).param("code", new String[]{"db87f45083db5aea16eb45b7ace685c8"}).param("state", new String[]{".e1s1"})).andDo(MockMvcResultHandlers.print());
        } catch (NestedServletException e) {
            Assert.assertTrue(e.getCause() instanceof ExternalAuthenticationException);
            this.log.error("{}", e.getRootCause().getMessage());
        }
    }

    @Test
    public void testSuccessfulCallback() throws Exception {
        this.mockMvc.perform(MockMvcRequestBuilders.get("/Authn/Duo/2FA/duo-callback", new Object[0]).param("code", new String[]{"db87f45083db5aea16eb45b7ace685c8"}).param("state", new String[]{this.state})).andDo(MockMvcResultHandlers.print()).andExpect(MockMvcResultMatchers.status().is3xxRedirection());
        DuoOIDCAuthenticationContext extractDuoContext = extractDuoContext();
        Assert.assertEquals("db87f45083db5aea16eb45b7ace685c8", extractDuoContext.getAuthorizationCode());
        Assert.assertEquals("8821febf7b3237fc3974f76a75f37e8c", extractDuoContext.getResponseState());
    }

    @Test
    public void testCallbackNoDuoAuthenticationContext() throws Exception {
        removeDuoContext();
        Object attribute = this.mockMvc.perform(MockMvcRequestBuilders.get("/Authn/Duo/2FA/duo-callback", new Object[0]).param("code", new String[]{"db87f45083db5aea16eb45b7ace685c8"}).param("state", new String[]{this.state})).andDo(MockMvcResultHandlers.print()).andExpect(MockMvcResultMatchers.status().is3xxRedirection()).andReturn().getRequest().getAttribute("authnError");
        Assert.assertNotNull(attribute);
        Assert.assertTrue(attribute instanceof String);
        Assert.assertEquals("InvalidProfileContext", (String) attribute);
    }

    @Test
    public void testCallbackNoCode() throws Exception {
        try {
            this.mockMvc.perform(MockMvcRequestBuilders.get("/Authn/Duo/2FA/duo-callback", new Object[0]).param("state", new String[]{this.state})).andDo(MockMvcResultHandlers.print());
        } catch (NestedServletException e) {
            Assert.assertTrue(e.getCause() instanceof ExternalAuthenticationException);
            this.log.error("{}", e.getMessage());
        }
    }

    @Test
    public void testCallbackNoState() throws Exception {
        try {
            this.mockMvc.perform(MockMvcRequestBuilders.get("/Authn/Duo/2FA/duo-callback", new Object[0]).param("code", new String[]{"db87f45083db5aea16eb45b7ace685c8"})).andDo(MockMvcResultHandlers.print());
        } catch (NestedServletException e) {
            Assert.assertTrue(e.getCause() instanceof ExternalAuthenticationException);
            this.log.error("{}", e.getMessage());
        }
    }

    private void exportServletContextAttributes() throws DuoClientException {
        FlowExecutorImpl flowExecutorImpl = (FlowExecutorImpl) Mockito.mock(FlowExecutorImpl.class);
        FlowExecutionRepository flowExecutionRepository = (FlowExecutionRepository) Mockito.mock(FlowExecutionRepository.class);
        FlowExecution flowExecution = (FlowExecution) Mockito.mock(FlowExecution.class);
        LocalAttributeMap localAttributeMap = new LocalAttributeMap();
        localAttributeMap.put("opensamlProfileRequestContext", buildProfileRequestContext());
        Mockito.when(flowExecutorImpl.getExecutionRepository()).thenReturn(flowExecutionRepository);
        CompositeFlowExecutionKey compositeFlowExecutionKey = new CompositeFlowExecutionKey("1", "1");
        Mockito.when(flowExecutionRepository.parseFlowExecutionKey("e1s1")).thenReturn(compositeFlowExecutionKey);
        Mockito.when(flowExecutionRepository.getFlowExecution(compositeFlowExecutionKey)).thenReturn(flowExecution);
        Mockito.when(flowExecution.getConversationScope()).thenReturn(localAttributeMap);
        this.servletContext.setAttribute("net.shibboleth.idp.flowExecutor", flowExecutorImpl);
    }

    @Nonnull
    private ProfileRequestContext buildProfileRequestContext() throws DuoClientException {
        ProfileRequestContext profileRequestContext = new ProfileRequestContext();
        AuthenticationContext authenticationContext = new AuthenticationContext();
        ExternalAuthenticationContext externalAuthenticationContext = new ExternalAuthenticationContext(new ExternalAuthenticationImpl());
        DuoOIDCAuthenticationContext duoOIDCAuthenticationContext = new DuoOIDCAuthenticationContext();
        externalAuthenticationContext.setFlowExecutionUrl("http://localhost/idp/profile/SSO&_eventId_proceed=1");
        DefaultDuoOIDCIntegration defaultDuoOIDCIntegration = new DefaultDuoOIDCIntegration();
        defaultDuoOIDCIntegration.setAPIHost("duo.host.com");
        defaultDuoOIDCIntegration.setClientId("DIU6GEFWG5LIUBVV2M3P");
        defaultDuoOIDCIntegration.setRegisteredRedirectURI("http://localhost/");
        defaultDuoOIDCIntegration.setSecretKey("rFvDfPul27v3Wew2zb6xRPzAJewJ34MP2w8UitPh");
        duoOIDCAuthenticationContext.setUsername("jdoe");
        duoOIDCAuthenticationContext.setIntegration(defaultDuoOIDCIntegration);
        duoOIDCAuthenticationContext.setClient(new MockDuoOIDCClient_OK(defaultDuoOIDCIntegration));
        duoOIDCAuthenticationContext.setRequestState("8821febf7b3237fc3974f76a75f37e8c");
        AuthenticationFlowDescriptor authenticationFlowDescriptor = new AuthenticationFlowDescriptor();
        authenticationFlowDescriptor.setId("authn/DuoOIDC");
        authenticationContext.setAttemptedFlow(authenticationFlowDescriptor);
        authenticationContext.addSubcontext(new RelyingPartyUIContext());
        authenticationContext.setForceAuthn(false);
        SubjectCanonicalizationContext subjectCanonicalizationContext = new SubjectCanonicalizationContext();
        subjectCanonicalizationContext.setPrincipalName("jdoe");
        SessionContext sessionContext = new SessionContext();
        IdPSession idPSession = (IdPSession) Mockito.mock(IdPSession.class);
        Mockito.when(idPSession.getPrincipalName()).thenReturn("jdoe");
        sessionContext.setIdPSession(idPSession);
        authenticationContext.addSubcontext(duoOIDCAuthenticationContext);
        authenticationContext.addSubcontext(externalAuthenticationContext);
        profileRequestContext.addSubcontext(subjectCanonicalizationContext);
        profileRequestContext.addSubcontext(authenticationContext);
        profileRequestContext.addSubcontext(sessionContext);
        return profileRequestContext;
    }

    private void removeDuoContext() {
        Object attribute = this.servletContext.getAttribute("net.shibboleth.idp.flowExecutor");
        Assert.assertTrue(attribute instanceof FlowExecutorImpl);
        ((ProfileRequestContext) ((FlowExecutorImpl) attribute).getExecutionRepository().getFlowExecution(new CompositeFlowExecutionKey("1", "1")).getConversationScope().get("opensamlProfileRequestContext")).getSubcontext(AuthenticationContext.class).removeSubcontext(DuoOIDCAuthenticationContext.class);
    }

    @Nonnull
    private DuoOIDCAuthenticationContext extractDuoContext() {
        Object attribute = this.servletContext.getAttribute("net.shibboleth.idp.flowExecutor");
        Assert.assertTrue(attribute instanceof FlowExecutorImpl);
        Object obj = ((FlowExecutorImpl) attribute).getExecutionRepository().getFlowExecution(new CompositeFlowExecutionKey("1", "1")).getConversationScope().get("opensamlProfileRequestContext");
        Assert.assertTrue(obj instanceof ProfileRequestContext);
        DuoOIDCAuthenticationContext subcontext = ((ProfileRequestContext) obj).getSubcontext(AuthenticationContext.class).getSubcontext(DuoOIDCAuthenticationContext.class);
        Assert.assertNotNull(subcontext);
        return subcontext;
    }
}
