package net.shibboleth.idp.test.flows.cas;

import jakarta.servlet.http.Cookie;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.annotation.Nonnull;
import net.shibboleth.idp.attribute.context.AttributeContext;
import net.shibboleth.idp.authn.AuthenticationResult;
import net.shibboleth.idp.authn.context.SubjectContext;
import net.shibboleth.idp.authn.principal.UsernamePrincipal;
import net.shibboleth.idp.cas.config.LoginConfiguration;
import net.shibboleth.idp.cas.ticket.ServiceTicket;
import net.shibboleth.idp.cas.ticket.TicketService;
import net.shibboleth.idp.consent.context.ConsentContext;
import net.shibboleth.idp.session.IdPSession;
import net.shibboleth.idp.session.SPSession;
import net.shibboleth.idp.session.criterion.SessionIdCriterion;
import net.shibboleth.idp.session.impl.StorageBackedSessionManager;
import net.shibboleth.idp.test.flows.AbstractFlowTest;
import net.shibboleth.profile.context.RelyingPartyContext;
import net.shibboleth.profile.relyingparty.RelyingPartyConfiguration;
import net.shibboleth.profile.relyingparty.RelyingPartyConfigurationResolver;
import net.shibboleth.profile.relyingparty.VerifiedProfileCriterion;
import net.shibboleth.shared.collection.CollectionSupport;
import net.shibboleth.shared.net.URISupport;
import net.shibboleth.shared.resolver.CriteriaSet;
import net.shibboleth.shared.resolver.Criterion;
import net.shibboleth.shared.service.ReloadableService;
import net.shibboleth.shared.service.ServiceableComponent;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.profile.criterion.ProfileRequestContextCriterion;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.webflow.core.collection.MutableAttributeMap;
import org.springframework.webflow.execution.FlowExecutionOutcome;
import org.springframework.webflow.executor.FlowExecutionResult;
import org.testng.Assert;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;

@ContextConfiguration(locations = {"/test/test-cas-beans.xml"})
/* loaded from: input_file:net/shibboleth/idp/test/flows/cas/LoginFlowTest.class */
public class LoginFlowTest extends AbstractFlowTest {

    @Nonnull
    private static String FLOW_ID;

    @Autowired
    @Qualifier("shibboleth.CASTicketService")
    private TicketService ticketService;

    @Autowired
    private StorageBackedSessionManager sessionManager;

    @Autowired
    @Qualifier("shibboleth.RelyingPartyResolverService")
    private ReloadableService<RelyingPartyConfigurationResolver> relyingPartyConfigurationResolver;
    static final /* synthetic */ boolean $assertionsDisabled;

    @BeforeMethod
    public void setUp() throws Exception {
        setPostAuthenticationFlows(CollectionSupport.emptyList());
    }

    @Test
    public void testGatewayNoSession() throws Exception {
        this.externalContext.getMockRequestParameterMap().put("service", "https://gateway.example.org/");
        this.externalContext.getMockRequestParameterMap().put("gateway", "true");
        Assert.assertEquals(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext).getOutcome().getId(), "RedirectToService");
        Assert.assertTrue(this.externalContext.getExternalRedirectUrl().contains("https://gateway.example.org/?ticket=ST-"));
    }

    @Test
    public void testGatewayNoSessionNoAuth() throws Exception {
        this.externalContext.getMockRequestParameterMap().put("service", "https://gateway.example.org/");
        this.externalContext.getMockRequestParameterMap().put("gateway", "true");
        this.request.removeHeader("Authorization");
        Assert.assertEquals(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext).getOutcome().getId(), "RedirectToService");
        Assert.assertEquals(this.externalContext.getExternalRedirectUrl(), "https://gateway.example.org/");
    }

    @Test
    public void testGatewayWithSession() throws Exception {
        IdPSession createSession = this.sessionManager.createSession("aurora");
        createSession.addAuthenticationResult(new AuthenticationResult("authn/Password", new UsernamePrincipal("aurora")));
        this.externalContext.getMockRequestParameterMap().put("service", "https://gateway.example.org/");
        this.externalContext.getMockRequestParameterMap().put("gateway", "true");
        overrideEndStateOutput(FLOW_ID, "RedirectToService");
        this.request.setCookies(new Cookie[]{new Cookie("shib_idp_session", createSession.getId())});
        initializeThreadLocals();
        Assert.assertEquals(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext).getOutcome().getId(), "RedirectToService");
        Assert.assertTrue(this.externalContext.getExternalRedirectUrl().contains("https://gateway.example.org/?ticket=ST-"));
    }

    @Test
    public void testLoginStartSession() throws Exception {
        this.externalContext.getMockRequestParameterMap().put("service", "https://slo.example.org/");
        overrideEndStateOutput(FLOW_ID, "RedirectToService");
        FlowExecutionOutcome outcome = this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext).getOutcome();
        Assert.assertEquals(outcome.getId(), "RedirectToService");
        String ticketIdFromUrl = getTicketIdFromUrl(this.externalContext.getExternalRedirectUrl());
        if (!$assertionsDisabled && ticketIdFromUrl == null) {
            throw new AssertionError();
        }
        ServiceTicket removeServiceTicket = this.ticketService.removeServiceTicket(ticketIdFromUrl);
        if (!$assertionsDisabled && removeServiceTicket == null) {
            throw new AssertionError();
        }
        String sessionId = removeServiceTicket.getSessionId();
        if (!$assertionsDisabled && sessionId == null) {
            throw new AssertionError();
        }
        IdPSession resolveSingle = this.sessionManager.resolveSingle(new CriteriaSet(new Criterion[]{new SessionIdCriterion(sessionId)}));
        if (!$assertionsDisabled && resolveSingle == null) {
            throw new AssertionError();
        }
        Assert.assertEquals(resolveSingle.getSPSessions().size(), 1);
        Assert.assertEquals(((SPSession) resolveSingle.getSPSessions().iterator().next()).getId(), "https://slo.example.org/");
        ProfileRequestContext profileRequestContext = (ProfileRequestContext) outcome.getOutput().get(AbstractFlowTest.END_STATE_OUTPUT_ATTR_NAME);
        Assert.assertNotNull(profileRequestContext.getSubcontext(SubjectContext.class));
        assertPopulatedAttributeContext(profileRequestContext);
    }

    @Test
    public void testLoginStartSessionWithPostMethod() throws Exception {
        this.externalContext.getMockRequestParameterMap().put("service", "https://start.example.org/");
        this.externalContext.getMockRequestParameterMap().put("method", "post");
        overrideEndStateOutput(FLOW_ID, "PostBackToService");
        FlowExecutionOutcome outcome = this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext).getOutcome();
        Assert.assertEquals(outcome.getId(), "PostBackToService");
        String contentAsString = ((MockHttpServletResponse) this.externalContext.getNativeResponse()).getContentAsString();
        Assert.assertTrue(contentAsString.contains(String.format("<form action=\"%s\" method=\"post\">", "https://start.example.org/")));
        Assert.assertTrue(contentAsString.contains("<input type=\"hidden\" name=\"ticket\" value=\"ST-"));
        Matcher matcher = Pattern.compile("value=\"([^\"]+)").matcher(contentAsString);
        Assert.assertTrue(matcher.find());
        Assert.assertEquals(1, matcher.groupCount());
        String group = matcher.group(1);
        if (!$assertionsDisabled && group == null) {
            throw new AssertionError();
        }
        ServiceTicket removeServiceTicket = this.ticketService.removeServiceTicket(group);
        if (!$assertionsDisabled && removeServiceTicket == null) {
            throw new AssertionError();
        }
        String sessionId = removeServiceTicket.getSessionId();
        if (!$assertionsDisabled && sessionId == null) {
            throw new AssertionError();
        }
        IdPSession resolveSingle = this.sessionManager.resolveSingle(new CriteriaSet(new Criterion[]{new SessionIdCriterion(sessionId)}));
        if (!$assertionsDisabled && resolveSingle == null) {
            throw new AssertionError();
        }
        ProfileRequestContext profileRequestContext = (ProfileRequestContext) outcome.getOutput().get(AbstractFlowTest.END_STATE_OUTPUT_ATTR_NAME);
        Assert.assertNotNull(profileRequestContext.getSubcontext(SubjectContext.class));
        assertPopulatedAttributeContext(profileRequestContext);
    }

    @Test
    public void testLoginWithConsent() throws Exception {
        this.externalContext.getMockRequestParameterMap().put("service", "https://start.example.org/");
        setPostAuthenticationFlows(CollectionSupport.singletonList("attribute-release"));
        overrideEndStateOutput(FLOW_ID, "RedirectToService");
        FlowExecutionResult launchExecution = this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext);
        FlowExecutionOutcome outcome = launchExecution.getOutcome();
        Assert.assertEquals(launchExecution.getOutcome().getId(), "RedirectToService");
        String ticketIdFromUrl = getTicketIdFromUrl(this.externalContext.getExternalRedirectUrl());
        if (!$assertionsDisabled && ticketIdFromUrl == null) {
            throw new AssertionError();
        }
        ServiceTicket removeServiceTicket = this.ticketService.removeServiceTicket(ticketIdFromUrl);
        if (!$assertionsDisabled && removeServiceTicket == null) {
            throw new AssertionError();
        }
        String sessionId = removeServiceTicket.getSessionId();
        if (!$assertionsDisabled && sessionId == null) {
            throw new AssertionError();
        }
        IdPSession resolveSingle = this.sessionManager.resolveSingle(new CriteriaSet(new Criterion[]{new SessionIdCriterion(sessionId)}));
        if (!$assertionsDisabled && resolveSingle == null) {
            throw new AssertionError();
        }
        ProfileRequestContext profileRequestContext = (ProfileRequestContext) outcome.getOutput().get(AbstractFlowTest.END_STATE_OUTPUT_ATTR_NAME);
        Assert.assertNotNull(profileRequestContext);
        Assert.assertNotNull(profileRequestContext.getSubcontext(SubjectContext.class));
        Assert.assertNotNull(profileRequestContext.getSubcontext(ConsentContext.class));
    }

    @Test
    public void testLoginExistingSession() throws Exception {
        IdPSession createSession = this.sessionManager.createSession("aurora");
        createSession.addAuthenticationResult(new AuthenticationResult("authn/Password", new UsernamePrincipal("aurora")));
        this.externalContext.getMockRequestParameterMap().put("service", "https://existing.example.org/");
        overrideEndStateOutput(FLOW_ID, "RedirectToService");
        this.request.setCookies(new Cookie[]{new Cookie("shib_idp_session", createSession.getId())});
        initializeThreadLocals();
        FlowExecutionOutcome outcome = this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext).getOutcome();
        Assert.assertEquals(outcome.getId(), "RedirectToService");
        String ticketIdFromUrl = getTicketIdFromUrl(this.externalContext.getExternalRedirectUrl());
        if (!$assertionsDisabled && ticketIdFromUrl == null) {
            throw new AssertionError();
        }
        ServiceTicket removeServiceTicket = this.ticketService.removeServiceTicket(ticketIdFromUrl);
        if (!$assertionsDisabled && removeServiceTicket == null) {
            throw new AssertionError();
        }
        String sessionId = removeServiceTicket.getSessionId();
        if (!$assertionsDisabled && sessionId == null) {
            throw new AssertionError();
        }
        IdPSession resolveSingle = this.sessionManager.resolveSingle(new CriteriaSet(new Criterion[]{new SessionIdCriterion(sessionId)}));
        if (!$assertionsDisabled && resolveSingle == null) {
            throw new AssertionError();
        }
        Assert.assertEquals(resolveSingle.getId(), createSession.getId());
        ProfileRequestContext profileRequestContext = (ProfileRequestContext) outcome.getOutput().get(AbstractFlowTest.END_STATE_OUTPUT_ATTR_NAME);
        Assert.assertNotNull(profileRequestContext.getSubcontext(SubjectContext.class));
        assertPopulatedAttributeContext(profileRequestContext);
    }

    @Test
    public void testLoginExistingSessionDoNotCache() throws Exception {
        IdPSession createSession = this.sessionManager.createSession("maleficent");
        this.externalContext.getMockRequestParameterMap().put("service", "https://existing.example.org/");
        overrideEndStateOutput(FLOW_ID, "RedirectToService");
        this.request.setCookies(new Cookie[]{new Cookie("shib_idp_session", createSession.getId())});
        initializeThreadLocals();
        FlowExecutionOutcome outcome = this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext).getOutcome();
        Assert.assertEquals(outcome.getId(), "RedirectToService");
        String ticketIdFromUrl = getTicketIdFromUrl(this.externalContext.getExternalRedirectUrl());
        if (!$assertionsDisabled && ticketIdFromUrl == null) {
            throw new AssertionError();
        }
        ServiceTicket removeServiceTicket = this.ticketService.removeServiceTicket(ticketIdFromUrl);
        if (!$assertionsDisabled && removeServiceTicket == null) {
            throw new AssertionError();
        }
        String sessionId = removeServiceTicket.getSessionId();
        if (!$assertionsDisabled && sessionId == null) {
            throw new AssertionError();
        }
        IdPSession resolveSingle = this.sessionManager.resolveSingle(new CriteriaSet(new Criterion[]{new SessionIdCriterion(sessionId)}));
        if (!$assertionsDisabled && resolveSingle == null) {
            throw new AssertionError();
        }
        Assert.assertNotEquals(resolveSingle.getId(), createSession.getId());
        ProfileRequestContext profileRequestContext = (ProfileRequestContext) outcome.getOutput().get(AbstractFlowTest.END_STATE_OUTPUT_ATTR_NAME);
        Assert.assertNotNull(profileRequestContext.getSubcontext(SubjectContext.class));
        assertPopulatedAttributeContext(profileRequestContext);
    }

    @Test
    public void testErrorNoService() throws Exception {
        FlowExecutionResult launchExecution = this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext);
        String contentAsString = this.response.getContentAsString();
        Assert.assertEquals(launchExecution.getOutcome().getId(), "AuditedErrorView");
        Assert.assertTrue(contentAsString.contains("ServiceNotSpecified"));
    }

    private void setPostAuthenticationFlows(List<String> list) throws Exception {
        ProfileRequestContext profileRequestContext = new ProfileRequestContext();
        profileRequestContext.setProfileId("https://www.apereo.org/cas/protocol/login");
        ServiceableComponent serviceableComponent = this.relyingPartyConfigurationResolver.getServiceableComponent();
        try {
            RelyingPartyConfiguration relyingPartyConfiguration = (RelyingPartyConfiguration) ((RelyingPartyConfigurationResolver) serviceableComponent.getComponent()).resolveSingle(new CriteriaSet(new Criterion[]{new ProfileRequestContextCriterion(profileRequestContext), new VerifiedProfileCriterion(true)}));
            if (relyingPartyConfiguration == null) {
                throw new IllegalStateException("Relying party configuration not found");
            }
            LoginConfiguration profileConfiguration = relyingPartyConfiguration.getProfileConfiguration(profileRequestContext, "https://www.apereo.org/cas/protocol/login");
            if (profileConfiguration == null) {
                throw new IllegalStateException("CAS login profile configuration not found");
            }
            profileConfiguration.setPostAuthenticationFlows(list);
            if (serviceableComponent != null) {
                serviceableComponent.close();
            }
        } catch (Throwable th) {
            if (serviceableComponent != null) {
                try {
                    serviceableComponent.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private void assertPopulatedAttributeContext(ProfileRequestContext profileRequestContext) {
        Assert.assertNotNull(profileRequestContext);
        RelyingPartyContext subcontext = profileRequestContext.getSubcontext(RelyingPartyContext.class);
        if (!$assertionsDisabled && subcontext == null) {
            throw new AssertionError();
        }
        AttributeContext subcontext2 = subcontext.getSubcontext(AttributeContext.class);
        if (!$assertionsDisabled && subcontext2 == null) {
            throw new AssertionError();
        }
        Assert.assertFalse(subcontext2.getUnfilteredIdPAttributes().isEmpty());
    }

    private String getTicketIdFromUrl(String str) {
        Assert.assertTrue(str.contains("ticket=ST-"));
        String substring = str.substring(str.indexOf("ticket=") + 7);
        Assert.assertEquals(substring.indexOf(47), -1);
        Assert.assertEquals(substring.indexOf(43), -1);
        return URISupport.doURLDecode(substring);
    }

    static {
        $assertionsDisabled = !LoginFlowTest.class.desiredAssertionStatus();
        FLOW_ID = "cas/login";
    }
}
