package net.shibboleth.idp.plugin.authn.duo.impl;

import java.io.IOException;
import java.net.UnknownHostException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.security.auth.Subject;
import net.shibboleth.idp.authn.AuthenticationFlowDescriptor;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.ExternalAuthenticationContext;
import net.shibboleth.idp.authn.context.RequestedPrincipalContext;
import net.shibboleth.idp.authn.context.SubjectCanonicalizationContext;
import net.shibboleth.idp.authn.impl.ExternalAuthenticationImpl;
import net.shibboleth.idp.plugin.authn.duo.DefaultDuoOIDCIntegration;
import net.shibboleth.idp.plugin.authn.duo.DuoClientException;
import net.shibboleth.idp.plugin.authn.duo.DuoOIDCIntegration;
import net.shibboleth.idp.plugin.authn.duo.context.DuoOIDCAuthenticationContext;
import net.shibboleth.idp.plugin.authn.duo.context.DuoPasswordlessContext;
import net.shibboleth.idp.plugin.authn.mock.MockDuoOIDCClientFactory_FAIL_Client;
import net.shibboleth.idp.plugin.authn.mock.MockDuoOIDCClientFactory_OK_Client;
import net.shibboleth.idp.plugin.authn.mock.MockDuoOIDCClient_OK;
import net.shibboleth.idp.plugin.authn.mock.MockDuoOIDCClient_OK_OLD_AUTH_TIME;
import net.shibboleth.idp.plugin.authn.mock.MockFlowBuilder;
import net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal;
import net.shibboleth.profile.context.RelyingPartyContext;
import net.shibboleth.shared.annotation.constraint.NonnullElements;
import net.shibboleth.shared.annotation.constraint.Unmodifiable;
import net.shibboleth.shared.component.ComponentInitializationException;
import okhttp3.mockwebserver.MockResponse;
import okhttp3.mockwebserver.MockWebServer;
import okhttp3.tls.HandshakeCertificates;
import okhttp3.tls.HeldCertificate;
import org.junit.Test;
import org.opensaml.profile.context.EventContext;
import org.opensaml.profile.context.ProfileRequestContext;
import org.springframework.core.io.ClassPathResource;
import org.springframework.webflow.core.collection.LocalAttributeMap;
import org.springframework.webflow.engine.Flow;
import org.springframework.webflow.engine.impl.FlowExecutionImpl;
import org.springframework.webflow.execution.FlowExecution;
import org.springframework.webflow.test.MockFlowBuilderContext;

/* loaded from: input_file:net/shibboleth/idp/plugin/authn/duo/impl/DuoAuthnFlowTest.class */
public class DuoAuthnFlowTest extends AbstractAuthnXmlFlowExecutionTests {

    @Nonnull
    public static final String FIRST_INTEGRATION_SP = "https://sp.example.com/requires-first-integration";

    @Nonnull
    public static final String SECOND_INTEGRATION_SP = "https://sp.example.com/requires-second-integration";

    @Nonnull
    public static final String FIRST_INTEGRATION_CLIENT_ID = "FIRST_INTEGRATION";

    @Nonnull
    public static final String SECOND_INTEGRATION_CLIENT_ID = "SECOND_INTEGRATION";

    @Nonnull
    private static final String FLOW = "/META-INF/net/shibboleth/idp/flows/authn/DuoOIDC/duo-oidc-authn-flow.xml";

    @Unmodifiable
    @Nonnull
    @NonnullElements
    private final List<Flow> subflows;

    @Unmodifiable
    @Nonnull
    @NonnullElements
    private final Map<String, String> flowResources;
    private static final String ADMIN_API_USER_RESPONSE = "{\n\"response\": [\n    {\n    \"created\": 1592986174,\n    \"email\": \"\",\n    \"firstname\": null,\n    \"is_enrolled\": true,\n    \"last_directory_sync\": null,\n    \"last_login\": 1704368292,\n    \"lastname\": null,\n    \"lockout_reason\": null,\n    \"realname\": \"\",\n    \"status\": \"active\",\n    \"tokens\": [],\n    \"user_id\": \"FWREGFEROGJER\",\n    \"username\": \"jdoe\",\n    \"webauthncredentials\": [\n        {\n            \"credential_name\": \"Security Key\",\n            \"date_added\": 1643124774,\n            \"label\": \"Passkey\",\n            \"webauthnkey\": \"DDFKJNBVWFRFFDD\"\n        }\n    ]\n    }\n],\n\"stat\": \"OK\"\n}\n";
    static final /* synthetic */ boolean $assertionsDisabled;

    public DuoAuthnFlowTest() {
        super("http://idp.example.org");
        this.subflows = List.of(MockFlowBuilder.MockNoOpFlow("c14n"));
        this.flowResources = Map.of("classpath:/net/shibboleth/idp/flows/authn/authn-abstract-flow.xml", "authn.abstract", "classpath:/net/shibboleth/idp/module/conf/authn/authn-events-flow.xml", "authn.events");
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // net.shibboleth.idp.plugin.authn.duo.impl.AbstractAuthnXmlFlowExecutionTests
    public void registerMockBeanDefinitions(@Nonnull MockFlowBuilderContext mockFlowBuilderContext) {
        super.registerMockBeanDefinitions(mockFlowBuilderContext);
        loadBeanDefinitionsFromXmlFile(mockFlowBuilderContext, new ClassPathResource("META-INF/net.shibboleth.idp/postconfig.xml"), this.mockProperties);
        loadBeanDefinitionsFromXmlFile(mockFlowBuilderContext, new ClassPathResource("/conf/authn/duo-oidc-authn-test-beans.xml"), this.mockProperties);
    }

    protected MockWebServer createSimpleServer() throws UnknownHostException {
        MockWebServer mockWebServer = new MockWebServer();
        mockWebServer.useHttps(new HandshakeCertificates.Builder().heldCertificate(new HeldCertificate.Builder().addSubjectAlternativeName("localhost").build(), new X509Certificate[0]).build().sslSocketFactory(), false);
        return mockWebServer;
    }

    private void queueMockServerResponse(MockWebServer mockWebServer, int i, String str, String str2) {
        mockWebServer.enqueue(new MockResponse().setResponseCode(i).setHeader("content-type", str2).setBody(str));
    }

    @Test
    public void testDuoAuthnFlowDuoEndpointUnhealthy() {
        setFlowPath(FLOW);
        setFlowModelResources(this.flowResources);
        setSubflows(this.subflows);
        setClientFactory(new MockDuoOIDCClientFactory_FAIL_Client());
        setMockProperties(Map.of("idp.duo.oidc.redirectURL", "http://localhost/callback", "idp.duo.oidc.apiHost", "api-c9f24c5a.duosecurity.com", "idp.duo.oidc.clientId", "DIU6GEFWG5LIUBVV2M3P", "idp.duo.oidc.secretKey", "rFvDfPul27v3Wew2zb6xRPzAJewJ34MP2w8UitPh", "idp.duo.oidc.user.config", "duo-oidc-authn-config.xml", "idp.duo.oidc.clientFactoryBean", "shibboleth.authn.DuoOIDC.test.clientFactory"));
        LocalAttributeMap localAttributeMap = new LocalAttributeMap();
        localAttributeMap.put("calledAsSubflow", true);
        FlowExecution createFlowExecution = getFlowExecutionFactory().createFlowExecution(getFlowDefinition());
        createFlowExecution.getConversationScope().put("opensamlProfileRequestContext", buildProfileRequestContext(false, true));
        updateFlowExecution(createFlowExecution);
        createFlowExecution.start(localAttributeMap, this.externalContext);
        assertFlowExecutionEnded();
    }

    @Test
    public void testDuoAuthnFlowToAuthorizationRequest() {
        setFlowPath(FLOW);
        setFlowModelResources(this.flowResources);
        setSubflows(this.subflows);
        setClientFactory(new MockDuoOIDCClientFactory_OK_Client());
        setMockProperties(Map.of("idp.duo.oidc.redirectURL", "http://localhost/authorization-callback", "idp.duo.oidc.apiHost", "api-c9f24c5a.duosecurity.com", "idp.duo.oidc.clientId", "DIU6GEFWG5LIUBVV2M3P", "idp.duo.oidc.secretKey", "rFvDfPul27v3Wew2zb6xRPzAJewJ34MP2w8UitPh", "idp.duo.oidc.user.config", "duo-oidc-authn-config.xml", "idp.duo.oidc.clientFactoryBean", "shibboleth.authn.DuoOIDC.test.clientFactory"));
        LocalAttributeMap localAttributeMap = new LocalAttributeMap();
        localAttributeMap.put("calledAsSubflow", true);
        FlowExecution createFlowExecution = getFlowExecutionFactory().createFlowExecution(getFlowDefinition());
        createFlowExecution.getConversationScope().put("opensamlProfileRequestContext", buildProfileRequestContext(false, true));
        updateFlowExecution(createFlowExecution);
        createFlowExecution.start(localAttributeMap, this.externalContext);
        assertFlowExecutionActive();
        assertCurrentStateEquals("Duo2FAAuthorizationRequest");
    }

    @Test
    public void testDuoAuthnFlowToPasswordlessViewForPasswordlessIntegration() throws IOException {
        MockWebServer createSimpleServer = createSimpleServer();
        queueMockServerResponse(createSimpleServer, 200, ADMIN_API_USER_RESPONSE, "application/json");
        createSimpleServer.start(9191);
        setFlowPath(FLOW);
        setFlowModelResources(this.flowResources);
        setSubflows(this.subflows);
        setClientFactory(new MockDuoOIDCClientFactory_OK_Client());
        setMockProperties(Map.of("idp.duo.oidc.redirectURL", "http://localhost/authorization-callback", "idp.duo.oidc.apiHost", "api-c9f24c5a.duosecurity.com", "idp.duo.oidc.clientId", "DIU6GEFWG5LIUBVV2M3P", "idp.duo.oidc.secretKey", "rFvDfPul27v3Wew2zb6xRPzAJewJ34MP2w8UitPh", "idp.duo.oidc.user.config", "duo-oidc-authn-config.xml", "idp.duo.oidc.clientFactoryBean", "shibboleth.authn.DuoOIDC.test.clientFactory"));
        LocalAttributeMap localAttributeMap = new LocalAttributeMap();
        localAttributeMap.put("calledAsSubflow", true);
        ProfileRequestContext buildProfileRequestContext = buildProfileRequestContext(false, true);
        buildProfileRequestContext.ensureSubcontext(AuthenticationContext.class).ensureSubcontext(DuoPasswordlessContext.class).setUsername("jdoe");
        FlowExecution createFlowExecution = getFlowExecutionFactory().createFlowExecution(getFlowDefinition());
        createFlowExecution.getConversationScope().put("opensamlProfileRequestContext", buildProfileRequestContext);
        updateFlowExecution(createFlowExecution);
        createFlowExecution.start(localAttributeMap, this.externalContext);
        assertFlowExecutionActive();
        assertCurrentStateEquals("PasswordlessView");
    }

    @Test
    public void testDuoAuthnFlowToAuthorizationRequestMultipleDuoIntegrationsFirst() {
        setFlowPath(FLOW);
        setFlowModelResources(this.flowResources);
        setSubflows(this.subflows);
        setClientFactory(new MockDuoOIDCClientFactory_OK_Client());
        setMockProperties(Map.of("idp.duo.oidc.redirectURL", "http://localhost/authorization-callback", "idp.duo.oidc.clientFactoryBean", "shibboleth.authn.DuoOIDC.test.clientFactory", "idp.duo.oidc.user.config", "duo-oidc-authn-config-multiple-integrations.xml"));
        LocalAttributeMap localAttributeMap = new LocalAttributeMap();
        localAttributeMap.put("calledAsSubflow", true);
        FlowExecution createFlowExecution = getFlowExecutionFactory().createFlowExecution(getFlowDefinition());
        ProfileRequestContext buildProfileRequestContext = buildProfileRequestContext(false, true);
        RelyingPartyContext relyingPartyContext = new RelyingPartyContext();
        relyingPartyContext.setRelyingPartyId(FIRST_INTEGRATION_SP);
        buildProfileRequestContext.addSubcontext(relyingPartyContext);
        createFlowExecution.getConversationScope().put("opensamlProfileRequestContext", buildProfileRequestContext);
        updateFlowExecution(createFlowExecution);
        createFlowExecution.start(localAttributeMap, this.externalContext);
        assertFlowExecutionActive();
        assertCurrentStateEquals("Duo2FAAuthorizationRequest");
        assertNotNull(buildProfileRequestContext.getSubcontext(AuthenticationContext.class));
        assertNotNull(buildProfileRequestContext.ensureSubcontext(AuthenticationContext.class).getSubcontext(DuoOIDCAuthenticationContext.class));
        DuoOIDCIntegration integration = buildProfileRequestContext.ensureSubcontext(AuthenticationContext.class).ensureSubcontext(DuoOIDCAuthenticationContext.class).getIntegration();
        if (!$assertionsDisabled && integration == null) {
            throw new AssertionError();
        }
        assertEquals(FIRST_INTEGRATION_CLIENT_ID, integration.getClientId());
    }

    @Test
    public void testDuoAuthnFlowToAuthorizationRequestMultipleDuoIntegrationsSecond() {
        setFlowPath(FLOW);
        setFlowModelResources(this.flowResources);
        setSubflows(this.subflows);
        setClientFactory(new MockDuoOIDCClientFactory_OK_Client());
        setMockProperties(Map.of("idp.duo.oidc.clientFactoryBean", "shibboleth.authn.DuoOIDC.test.clientFactory", "idp.duo.oidc.user.config", "duo-oidc-authn-config-multiple-integrations.xml", "idp.duo.oidc.redirectURL", "http://localhost/authorization-callback", "idp.duo.oidc.apiHost", "api-c9f24c5a.duosecurity.com", "idp.duo.oidc.clientId", "DIU6GEFWG5LIUBVV2M3P", "idp.duo.oidc.secretKey", "rFvDfPul27v3Wew2zb6xRPzAJewJ34MP2w8UitPh"));
        LocalAttributeMap localAttributeMap = new LocalAttributeMap();
        localAttributeMap.put("calledAsSubflow", true);
        FlowExecution createFlowExecution = getFlowExecutionFactory().createFlowExecution(getFlowDefinition());
        ProfileRequestContext buildProfileRequestContext = buildProfileRequestContext(false, true);
        RelyingPartyContext relyingPartyContext = new RelyingPartyContext();
        relyingPartyContext.setRelyingPartyId(SECOND_INTEGRATION_SP);
        buildProfileRequestContext.addSubcontext(relyingPartyContext);
        createFlowExecution.getConversationScope().put("opensamlProfileRequestContext", buildProfileRequestContext);
        updateFlowExecution(createFlowExecution);
        createFlowExecution.start(localAttributeMap, this.externalContext);
        assertFlowExecutionActive();
        assertCurrentStateEquals("Duo2FAAuthorizationRequest");
        assertNotNull(buildProfileRequestContext.getSubcontext(AuthenticationContext.class));
        assertNotNull(buildProfileRequestContext.ensureSubcontext(AuthenticationContext.class).getSubcontext(DuoOIDCAuthenticationContext.class));
        DuoOIDCIntegration integration = buildProfileRequestContext.ensureSubcontext(AuthenticationContext.class).ensureSubcontext(DuoOIDCAuthenticationContext.class).getIntegration();
        if (!$assertionsDisabled && integration == null) {
            throw new AssertionError();
        }
        assertEquals(SECOND_INTEGRATION_CLIENT_ID, integration.getClientId());
    }

    @Test
    public void testDuoAuthnFlowToAuthorizationRequestWithUserSpaceFactory() {
        setFlowPath(FLOW);
        setFlowModelResources(this.flowResources);
        setSubflows(this.subflows);
        setMockProperties(Map.of("idp.duo.oidc.redirectURL", "http://localhost/authorization-callback", "idp.duo.oidc.apiHost", "api-c9f24c5a.duosecurity.com", "idp.duo.oidc.clientId", "DIU6GEFWG5LIUBVV2M3P", "idp.duo.oidc.secretKey", "rFvDfPul27v3Wew2zb6xRPzAJewJ34MP2w8UitPh", "idp.duo.oidc.clientFactoryBean", "shibboleth.authn.DuoOIDC.test.clientFactory", "idp.duo.oidc.user.config", "duo-oidc-authn-config-custom-factory.xml"));
        LocalAttributeMap localAttributeMap = new LocalAttributeMap();
        localAttributeMap.put("calledAsSubflow", true);
        FlowExecution createFlowExecution = getFlowExecutionFactory().createFlowExecution(getFlowDefinition());
        createFlowExecution.getConversationScope().put("opensamlProfileRequestContext", buildProfileRequestContext(false, true));
        updateFlowExecution(createFlowExecution);
        createFlowExecution.start(localAttributeMap, this.externalContext);
        assertFlowExecutionActive();
        assertCurrentStateEquals("Duo2FAAuthorizationRequest");
    }

    @Test
    public void testContextToPrincipalMappingStrategy() throws DuoClientException, ComponentInitializationException {
        setFlowPath(FLOW);
        setFlowModelResources(this.flowResources);
        setSubflows(this.subflows);
        setClientFactory(new MockDuoOIDCClientFactory_OK_Client());
        setMockProperties(Map.of("idp.duo.oidc.redirectURL", "http://localhost/authorization-callback", "idp.duo.oidc.apiHost", "api-c9f24c5a.duosecurity.com", "idp.duo.oidc.clientId", "DIU6GEFWG5LIUBVV2M3P", "idp.duo.oidc.secretKey", "rFvDfPul27v3Wew2zb6xRPzAJewJ34MP2w8UitPh", "idp.duo.oidc.clientFactoryBean", "shibboleth.authn.DuoOIDC.test.clientFactory", "idp.duo.oidc.user.config", "duo-oidc-authn-config-principal-mapping.xml"));
        new LocalAttributeMap().put("calledAsSubflow", true);
        FlowExecutionImpl createFlowExecution = getFlowExecutionFactory().createFlowExecution(getFlowDefinition());
        ProfileRequestContext buildProfileRequestContext = buildProfileRequestContext(false, false);
        DuoOIDCAuthenticationContext duoOIDCAuthenticationContext = new DuoOIDCAuthenticationContext();
        String generateNonce = DuoSupport.generateNonce(32);
        duoOIDCAuthenticationContext.setAuthorizationCode("adummycode");
        duoOIDCAuthenticationContext.setRequestState(generateNonce);
        duoOIDCAuthenticationContext.setResponseState(generateNonce);
        duoOIDCAuthenticationContext.setUsername("jdoe");
        DefaultDuoOIDCIntegration defaultDuoOIDCIntegration = new DefaultDuoOIDCIntegration();
        defaultDuoOIDCIntegration.setClientId("DIU6GEFWG5LIUBVV2M3P");
        defaultDuoOIDCIntegration.setAPIHost("api-c9f24c5a.duosecurity.com");
        defaultDuoOIDCIntegration.setSecretKey("rFvDfPul27v3Wew2zb6xRPzAJewJ34MP2w8UitPh");
        defaultDuoOIDCIntegration.setAuthorizeEndpoint("/authorize");
        defaultDuoOIDCIntegration.setHealthCheckEndpoint("/health");
        defaultDuoOIDCIntegration.setTokenEndpoint("/token");
        defaultDuoOIDCIntegration.setRegisteredRedirectURI("http://localhost/authorization-callback");
        defaultDuoOIDCIntegration.initialize();
        duoOIDCAuthenticationContext.setIntegration(defaultDuoOIDCIntegration);
        duoOIDCAuthenticationContext.setClient(new MockDuoOIDCClient_OK(defaultDuoOIDCIntegration));
        buildProfileRequestContext.ensureSubcontext(AuthenticationContext.class).addSubcontext(duoOIDCAuthenticationContext);
        buildProfileRequestContext.ensureSubcontext(AuthenticationContext.class).addSubcontext(new ExternalAuthenticationContext(new ExternalAuthenticationImpl(false)));
        createFlowExecution.getConversationScope().put("opensamlProfileRequestContext", buildProfileRequestContext);
        updateFlowExecution(createFlowExecution);
        this.externalContext.setEventId("proceed");
        setCurrentState("Duo2FAAuthorizationRequest");
        resumeFlow(this.externalContext);
        assertFlowExecutionEnded();
        assertNotNull(buildProfileRequestContext.getSubcontext(AuthenticationContext.class));
        assertNotNull(buildProfileRequestContext.getSubcontext(SubjectCanonicalizationContext.class));
        assertEquals(buildProfileRequestContext.ensureSubcontext(SubjectCanonicalizationContext.class).getPrincipalName(), "jdoe");
        Subject subject = buildProfileRequestContext.ensureSubcontext(SubjectCanonicalizationContext.class).getSubject();
        if (!$assertionsDisabled && subject == null) {
            throw new AssertionError();
        }
        Set principals = subject.getPrincipals(AuthnContextClassRefPrincipal.class);
        assertEquals(1, principals.size());
        assertEquals("http://example.org/ac/classes/mfa/strong", ((AuthnContextClassRefPrincipal) principals.iterator().next()).getName());
    }

    @Test
    public void testDuoAuthnFlowFromAuthorizationCallback() throws DuoClientException, ComponentInitializationException {
        setRemoveDefaultContextCleanupHook(true);
        setFlowPath(FLOW);
        setFlowModelResources(this.flowResources);
        setSubflows(this.subflows);
        setClientFactory(new MockDuoOIDCClientFactory_OK_Client());
        setMockProperties(Map.of("idp.duo.oidc.user.config", "duo-oidc-authn-config.xml", "idp.duo.oidc.clientFactoryBean", "shibboleth.authn.DuoOIDC.test.clientFactory", "idp.duo.oidc.redirectURL", "http://localhost/authorization-callback", "idp.duo.oidc.apiHost", "api-c9f24c5a.duosecurity.com", "idp.duo.oidc.clientId", "DIU6GEFWG5LIUBVV2M3P", "idp.duo.oidc.secretKey", "rFvDfPul27v3Wew2zb6xRPzAJewJ34MP2w8UitPh"));
        FlowExecutionImpl createFlowExecution = getFlowExecutionFactory().createFlowExecution(getFlowDefinition());
        ProfileRequestContext buildProfileRequestContext = buildProfileRequestContext(false, false);
        DuoOIDCAuthenticationContext duoOIDCAuthenticationContext = new DuoOIDCAuthenticationContext();
        String generateNonce = DuoSupport.generateNonce(32);
        duoOIDCAuthenticationContext.setAuthorizationCode("adummycode");
        duoOIDCAuthenticationContext.setRequestState(generateNonce);
        duoOIDCAuthenticationContext.setResponseState(generateNonce);
        duoOIDCAuthenticationContext.setUsername("jdoe");
        DefaultDuoOIDCIntegration defaultDuoOIDCIntegration = new DefaultDuoOIDCIntegration();
        defaultDuoOIDCIntegration.setClientId("DIU6GEFWG5LIUBVV2M3P");
        defaultDuoOIDCIntegration.setAPIHost("api-c9f24c5a.duosecurity.com");
        defaultDuoOIDCIntegration.setSecretKey("rFvDfPul27v3Wew2zb6xRPzAJewJ34MP2w8UitPh");
        defaultDuoOIDCIntegration.setAuthorizeEndpoint("/authorize");
        defaultDuoOIDCIntegration.setHealthCheckEndpoint("/health");
        defaultDuoOIDCIntegration.setTokenEndpoint("/token");
        defaultDuoOIDCIntegration.setRegisteredRedirectURI("http://localhost/authorization-callback");
        defaultDuoOIDCIntegration.initialize();
        duoOIDCAuthenticationContext.setIntegration(defaultDuoOIDCIntegration);
        duoOIDCAuthenticationContext.setClient(new MockDuoOIDCClient_OK(defaultDuoOIDCIntegration));
        buildProfileRequestContext.ensureSubcontext(AuthenticationContext.class).addSubcontext(duoOIDCAuthenticationContext);
        buildProfileRequestContext.ensureSubcontext(AuthenticationContext.class).addSubcontext(new ExternalAuthenticationContext(new ExternalAuthenticationImpl(false)));
        createFlowExecution.getConversationScope().put("opensamlProfileRequestContext", buildProfileRequestContext);
        updateFlowExecution(createFlowExecution);
        this.externalContext.setEventId("proceed");
        setCurrentState("Duo2FAAuthorizationRequest");
        resumeFlow(this.externalContext);
        assertFlowExecutionEnded();
        assertNotNull(buildProfileRequestContext.getSubcontext(AuthenticationContext.class));
        assertNotNull(buildProfileRequestContext.ensureSubcontext(AuthenticationContext.class).getSubcontext(DuoOIDCAuthenticationContext.class));
        assertNotNull(buildProfileRequestContext.ensureSubcontext(AuthenticationContext.class).ensureSubcontext(DuoOIDCAuthenticationContext.class).getAuthToken());
        assertNotNull(buildProfileRequestContext.ensureSubcontext(SubjectCanonicalizationContext.class));
        assertEquals(buildProfileRequestContext.ensureSubcontext(SubjectCanonicalizationContext.class).getPrincipalName(), "jdoe");
    }

    @Test
    public void testDuoAuthnFlowFromAuthorizationCallbackWithRPC() throws DuoClientException, ComponentInitializationException {
        setRemoveDefaultContextCleanupHook(true);
        setFlowPath(FLOW);
        setFlowModelResources(this.flowResources);
        setSubflows(this.subflows);
        setClientFactory(new MockDuoOIDCClientFactory_OK_Client());
        setMockProperties(Map.of("idp.duo.oidc.clientFactoryBean", "shibboleth.authn.DuoOIDC.test.clientFactory", "idp.duo.oidc.user.config", "duo-oidc-authn-config.xml", "idp.duo.oidc.redirectURL", "http://localhost/authorization-callback", "idp.duo.oidc.apiHost", "api-c9f24c5a.duosecurity.com", "idp.duo.oidc.clientId", "DIU6GEFWG5LIUBVV2M3P", "idp.duo.oidc.secretKey", "rFvDfPul27v3Wew2zb6xRPzAJewJ34MP2w8UitPh"));
        FlowExecutionImpl createFlowExecution = getFlowExecutionFactory().createFlowExecution(getFlowDefinition());
        ProfileRequestContext buildProfileRequestContext = buildProfileRequestContext(false, false);
        DuoOIDCAuthenticationContext duoOIDCAuthenticationContext = new DuoOIDCAuthenticationContext();
        String generateNonce = DuoSupport.generateNonce(32);
        duoOIDCAuthenticationContext.setAuthorizationCode("adummycode");
        duoOIDCAuthenticationContext.setRequestState(generateNonce);
        duoOIDCAuthenticationContext.setResponseState(generateNonce);
        duoOIDCAuthenticationContext.setUsername("jdoe");
        DefaultDuoOIDCIntegration defaultDuoOIDCIntegration = new DefaultDuoOIDCIntegration();
        defaultDuoOIDCIntegration.setClientId("DIU6GEFWG5LIUBVV2M3P");
        defaultDuoOIDCIntegration.setAPIHost("api-c9f24c5a.duosecurity.com");
        defaultDuoOIDCIntegration.setSecretKey("rFvDfPul27v3Wew2zb6xRPzAJewJ34MP2w8UitPh");
        defaultDuoOIDCIntegration.setAuthorizeEndpoint("/authorize");
        defaultDuoOIDCIntegration.setHealthCheckEndpoint("/health");
        defaultDuoOIDCIntegration.setTokenEndpoint("/token");
        defaultDuoOIDCIntegration.setRegisteredRedirectURI("http://localhost/authorization-callback");
        defaultDuoOIDCIntegration.initialize();
        duoOIDCAuthenticationContext.setIntegration(defaultDuoOIDCIntegration);
        duoOIDCAuthenticationContext.setClient(new MockDuoOIDCClient_OK(defaultDuoOIDCIntegration));
        buildProfileRequestContext.ensureSubcontext(AuthenticationContext.class).addSubcontext(duoOIDCAuthenticationContext);
        buildProfileRequestContext.ensureSubcontext(AuthenticationContext.class).addSubcontext(new ExternalAuthenticationContext(new ExternalAuthenticationImpl(false)));
        RequestedPrincipalContext requestedPrincipalContext = new RequestedPrincipalContext();
        requestedPrincipalContext.setRequestedPrincipals(List.of(new AuthnContextClassRefPrincipal("http://example.org/ac/classes/mfa")));
        requestedPrincipalContext.setOperator("exact");
        buildProfileRequestContext.ensureSubcontext(AuthenticationContext.class).addSubcontext(requestedPrincipalContext);
        AuthenticationFlowDescriptor authenticationFlowDescriptor = new AuthenticationFlowDescriptor();
        authenticationFlowDescriptor.setId("authn/DuoOIDC");
        authenticationFlowDescriptor.setSupportedPrincipals(List.of(new AuthnContextClassRefPrincipal("http://example.org/ac/classes/mfa")));
        buildProfileRequestContext.ensureSubcontext(AuthenticationContext.class).setAttemptedFlow(authenticationFlowDescriptor);
        createFlowExecution.getConversationScope().put("opensamlProfileRequestContext", buildProfileRequestContext);
        updateFlowExecution(createFlowExecution);
        this.externalContext.setEventId("proceed");
        setCurrentState("Duo2FAAuthorizationRequest");
        resumeFlow(this.externalContext);
        assertFlowExecutionEnded();
        assertNotNull(buildProfileRequestContext.getSubcontext(AuthenticationContext.class));
        assertNotNull(buildProfileRequestContext.ensureSubcontext(AuthenticationContext.class).getSubcontext(DuoOIDCAuthenticationContext.class));
        assertNotNull(buildProfileRequestContext.ensureSubcontext(AuthenticationContext.class).ensureSubcontext(DuoOIDCAuthenticationContext.class).getAuthToken());
        assertNotNull(buildProfileRequestContext.getSubcontext(SubjectCanonicalizationContext.class));
        assertEquals(buildProfileRequestContext.ensureSubcontext(SubjectCanonicalizationContext.class).getPrincipalName(), "jdoe");
    }

    @Test
    public void testDuoAuthnFlowFromAuthorizationCallbackForceAuthnFailure() throws DuoClientException, ComponentInitializationException {
        setFlowPath(FLOW);
        setFlowModelResources(this.flowResources);
        setSubflows(this.subflows);
        setClientFactory(new MockDuoOIDCClientFactory_OK_Client());
        setMockProperties(Map.of("idp.duo.oidc.clientFactoryBean", "shibboleth.authn.DuoOIDC.test.clientFactory", "idp.duo.oidc.user.config", "duo-oidc-authn-config.xml", "idp.duo.oidc.redirectURL", "http://localhost/authorization-callback", "idp.duo.oidc.apiHost", "api-c9f24c5a.duosecurity.com", "idp.duo.oidc.clientId", "DIU6GEFWG5LIUBVV2M3P", "idp.duo.oidc.secretKey", "rFvDfPul27v3Wew2zb6xRPzAJewJ34MP2w8UitPh"));
        FlowExecutionImpl createFlowExecution = getFlowExecutionFactory().createFlowExecution(getFlowDefinition());
        ProfileRequestContext buildProfileRequestContext = buildProfileRequestContext(true, false);
        DuoOIDCAuthenticationContext duoOIDCAuthenticationContext = new DuoOIDCAuthenticationContext();
        String generateNonce = DuoSupport.generateNonce(32);
        duoOIDCAuthenticationContext.setAuthorizationCode("adummycode");
        duoOIDCAuthenticationContext.setRequestState(generateNonce);
        duoOIDCAuthenticationContext.setResponseState(generateNonce);
        duoOIDCAuthenticationContext.setUsername("jdoe");
        DefaultDuoOIDCIntegration defaultDuoOIDCIntegration = new DefaultDuoOIDCIntegration();
        defaultDuoOIDCIntegration.setClientId("DIU6GEFWG5LIUBVV2M3P");
        defaultDuoOIDCIntegration.setAPIHost("api-c9f24c5a.duosecurity.com");
        defaultDuoOIDCIntegration.setSecretKey("rFvDfPul27v3Wew2zb6xRPzAJewJ34MP2w8UitPh");
        defaultDuoOIDCIntegration.setRegisteredRedirectURI("http://localhost/authorization-callback");
        defaultDuoOIDCIntegration.setAuthorizeEndpoint("/authorize");
        defaultDuoOIDCIntegration.setHealthCheckEndpoint("/health");
        defaultDuoOIDCIntegration.setTokenEndpoint("/token");
        defaultDuoOIDCIntegration.initialize();
        duoOIDCAuthenticationContext.setIntegration(defaultDuoOIDCIntegration);
        duoOIDCAuthenticationContext.setClient(new MockDuoOIDCClient_OK_OLD_AUTH_TIME(defaultDuoOIDCIntegration));
        buildProfileRequestContext.ensureSubcontext(AuthenticationContext.class).addSubcontext(duoOIDCAuthenticationContext);
        buildProfileRequestContext.ensureSubcontext(AuthenticationContext.class).addSubcontext(new ExternalAuthenticationContext(new ExternalAuthenticationImpl(false)));
        createFlowExecution.getConversationScope().put("opensamlProfileRequestContext", buildProfileRequestContext);
        updateFlowExecution(createFlowExecution);
        this.externalContext.setEventId("proceed");
        setCurrentState("Duo2FAAuthorizationRequest");
        resumeFlow(this.externalContext);
        assertFlowExecutionEnded();
        assertNotNull(buildProfileRequestContext.getSubcontext(EventContext.class));
        assertNotNull(buildProfileRequestContext.ensureSubcontext(EventContext.class).getEvent());
        assertTrue(buildProfileRequestContext.ensureSubcontext(EventContext.class).getEvent() instanceof String);
        assertEquals("NoCredentials", buildProfileRequestContext.ensureSubcontext(EventContext.class).getEvent());
    }

    static {
        $assertionsDisabled = !DuoAuthnFlowTest.class.desiredAssertionStatus();
    }
}
