package org.wildfly.security.sasl.scram;

import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.security.Permissions;
import java.security.Provider;
import java.security.Security;
import java.security.spec.InvalidKeySpecException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Random;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import mockit.Mock;
import mockit.MockUp;
import mockit.integration.junit4.JMockit;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.wildfly.common.iteration.CodePointIterator;
import org.wildfly.security.auth.permission.RunAsPrincipalPermission;
import org.wildfly.security.mechanism.scram.ScramClient;
import org.wildfly.security.password.Password;
import org.wildfly.security.password.PasswordFactory;
import org.wildfly.security.password.spec.EncryptablePasswordSpec;
import org.wildfly.security.password.spec.IteratedSaltedPasswordAlgorithmSpec;
import org.wildfly.security.sasl.test.SaslServerBuilder;
import org.wildfly.security.sasl.test.SaslTestUtil;

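/**
 * Known-answer tests for the server side of the SCRAM-SHA-1 and SCRAM-SHA-1-PLUS SASL mechanisms.
 *
 * <p>Each test pins the server nonce with {@link #mockNonce(String)} and replays fixed client
 * messages, so server responses can be compared byte-for-byte with expected values (the first
 * test uses the RFC 5802 example exchange). The negative tests cover the checks that matter for
 * authentication security: wrong user or password, nonce mismatch, authorization-id tampering
 * between the first and final client message, and channel-binding downgrade or mismatch.
 *
 * <p>SHA-1, the 4096 iteration count and the fixed nonce are properties of the test vectors only.
 *
 * <p>NOTE(review): the {@code HashMap} locals are raw types (no generic parameters are visible
 * here); parameterize them once the {@code SaslServerBuilder} setter signatures are confirmed.
 */
@RunWith(JMockit.class)
public class ScramServerCompatibilityTest {
    private static final Provider provider = WildFlyElytronSaslScramProvider.getInstance();

    /** Server nonce suffix used by every test except the nonce-mismatch test. */
    private static final String SERVER_NONCE = "3rfcNHYJY1ZVvWVs7j";

    /** Base64 salt that appears as {@code s=} in the server-first message. */
    private static final String SALT_BASE64 = "QSXCR+Q6sek8bf92";

    /** Client-first message: gs2 header {@code n,,} (no channel binding, no authzid), user, client nonce. */
    private static final String CLIENT_FIRST = "n,,n=user,r=fyko+d2lbbFgONRv9qkxdawL";

    /** Server-first message expected when the server nonce is {@link #SERVER_NONCE}. */
    private static final String SERVER_FIRST = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096";

    /** Client-final message for user/pencil; {@code c=biws} is Base64 of the gs2 header {@code n,,}. */
    private static final String CLIENT_FINAL = "c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,p=v0X8v3Bz2T0CJGbJQyF0X+HI4Ts=";

    /** Registers the SCRAM provider at the highest priority for the whole JVM while the class runs. */
    @BeforeClass
    public static void registerPasswordProvider() {
        Security.insertProviderAt(provider, 1);
    }

    /** Removes the provider again so later test classes see the original provider list. */
    @AfterClass
    public static void removePasswordProvider() {
        Security.removeProvider(provider.getName());
    }

    /**
     * Replaces {@code ScramUtil.generateNonce} with a stub that always returns {@code nonce}.
     *
     * <p>A predictable nonce is what makes the known-answer assertions possible; it removes the
     * replay protection the nonce normally provides, so this stub belongs in tests only.
     *
     * @param nonce the server nonce to return, encoded as UTF-8
     */
    private void mockNonce(final String nonce) {
        try {
            new MockUp<Object>(Class.forName("org.wildfly.security.mechanism.scram.ScramUtil", true, ScramClient.class.getClassLoader())) {
                @Mock
                public byte[] generateNonce(int i, Random random) {
                    return nonce.getBytes(StandardCharsets.UTF_8);
                }
            };
        } catch (ClassNotFoundException e) {
            // NoClassDefFoundError has no cause-taking constructor; attach the cause explicitly
            // so the original stack trace is not lost.
            NoClassDefFoundError error = new NoClassDefFoundError(e.getMessage());
            error.initCause(e);
            throw error;
        }
    }

    /**
     * Sends one client message to the server and returns the server's reply as a UTF-8 string.
     *
     * @throws SaslException if the server rejects the message
     */
    private static String respond(SaslServer server, String clientMessage) throws SaslException {
        byte[] reply = server.evaluateResponse(clientMessage.getBytes(StandardCharsets.UTF_8));
        return new String(reply, StandardCharsets.UTF_8);
    }

    /** Asserts that the server rejects {@code clientMessage} by throwing {@link SaslException}. */
    private static void assertRejected(SaslServer server, String clientMessage) {
        try {
            server.evaluateResponse(clientMessage.getBytes(StandardCharsets.UTF_8));
        } catch (SaslException expected) {
            // Rejection is the behaviour under test; callers go on to check isComplete().
            return;
        }
        Assert.fail("SaslException not thrown");
    }

    /** Replays the RFC 5802 example exchange (user {@code user}, password {@code pencil}). */
    @Test
    public void testRfc5802example() throws Exception {
        mockNonce(SERVER_NONCE);
        // Result is unused: the call fails with NoSuchAlgorithmException if the algorithm is missing.
        PasswordFactory.getInstance("scram-sha-1");
        SaslServer server = new SaslServerBuilder(ScramSaslServerFactory.class, "SCRAM-SHA-1")
                .setUserName("user")
                .setPassword(getPassword("pencil", SALT_BASE64))
                .build();
        Assert.assertEquals(SERVER_FIRST, respond(server, CLIENT_FIRST));
        Assert.assertEquals("v=rmF9pqV8S7suAoZWja4dJRkFsKQ=", respond(server, CLIENT_FINAL));
        Assert.assertTrue(server.isComplete());
        Assert.assertEquals("user", server.getAuthorizationID());
    }

    /**
     * Builds a {@code scram-sha-1} password with 4096 iterations.
     *
     * @param clearText  the clear-text password
     * @param saltBase64 the salt, Base64-encoded
     */
    private static Password getPassword(String clearText, String saltBase64) throws InvalidKeySpecException, NoSuchAlgorithmException {
        byte[] salt = CodePointIterator.ofString(saltBase64).base64Decode().drain();
        IteratedSaltedPasswordAlgorithmSpec parameters = new IteratedSaltedPasswordAlgorithmSpec(4096, salt);
        return PasswordFactory.getInstance("scram-sha-1").generatePassword(new EncryptablePasswordSpec(clearText.toCharArray(), parameters));
    }

    /** The server knows only {@code baduser}; a client-first message for {@code user} is rejected. */
    @Test
    public void testBadUsername() throws Exception {
        mockNonce(SERVER_NONCE);
        SaslServer server = new SaslServerBuilder(ScramSaslServerFactory.class, "SCRAM-SHA-1")
                .setUserName("baduser")
                .setPassword(getPassword("pencil", SALT_BASE64))
                .build();
        assertRejected(server, CLIENT_FIRST);
        Assert.assertFalse(server.isComplete());
    }

    /** The stored password is {@code pen}; the client proof computed from {@code pencil} is rejected. */
    @Test
    public void testBadPassword() throws Exception {
        mockNonce(SERVER_NONCE);
        SaslServer server = new SaslServerBuilder(ScramSaslServerFactory.class, "SCRAM-SHA-1")
                .setUserName("user")
                .setPassword(getPassword("pen", SALT_BASE64))
                .build();
        Assert.assertEquals(SERVER_FIRST, respond(server, CLIENT_FIRST));
        assertRejected(server, CLIENT_FINAL);
        Assert.assertFalse(server.isComplete());
    }

    /**
     * {@code admin} authenticates and asks to act as {@code user} ({@code a=user}); the request
     * succeeds because {@code admin} holds {@code RunAsPrincipalPermission("user")}.
     */
    @Test
    public void testAllowedAuthorizationId() throws Exception {
        mockNonce(SERVER_NONCE);
        HashMap passwords = new HashMap();
        passwords.put("admin", getPassword("pencil", SALT_BASE64));
        passwords.put("user", getPassword("pen", SALT_BASE64));
        Permissions adminPermissions = new Permissions();
        adminPermissions.add(new RunAsPrincipalPermission("user"));
        SaslServer server = new SaslServerBuilder(ScramSaslServerFactory.class, "SCRAM-SHA-1")
                .setPasswordInstanceMap(passwords)
                .setProtocol("acap")
                .setServerName("elwood.innosoft.com")
                .setPermissionsMap(Collections.singletonMap("admin", adminPermissions))
                .build();
        Assert.assertEquals(SERVER_FIRST, respond(server, "n,a=user,n=admin,r=fyko+d2lbbFgONRv9qkxdawL"));
        // c=bixhPXVzZXIs is Base64 of the gs2 header "n,a=user,".
        Assert.assertEquals("v=xzTfS758LckdRoQKN/ZFY/Bauxo=", respond(server, "c=bixhPXVzZXIs,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,p=sSem09WkghLJOV/Ma5LjIqUtoo8="));
        Assert.assertTrue(server.isComplete());
        // Expected value first, so a failure message reports the right sides.
        Assert.assertEquals("user", server.getAuthorizationID());
    }

    /**
     * Same exchange as {@link #testAllowedAuthorizationId()}, but no permissions map is configured,
     * so the request to act as {@code user} is rejected at the final message.
     */
    @Test
    public void testUnallowedAuthorizationId() throws Exception {
        mockNonce(SERVER_NONCE);
        SaslServer server = new SaslServerBuilder(ScramSaslServerFactory.class, "SCRAM-SHA-1")
                .setUserName("admin")
                .setPassword(getPassword("pencil", SALT_BASE64))
                .setProtocol("acap")
                .setServerName("elwood.innosoft.com")
                .build();
        Assert.assertEquals(SERVER_FIRST, respond(server, "n,a=user,n=admin,r=fyko+d2lbbFgONRv9qkxdawL"));
        assertRejected(server, "c=bixhPXVzZXIs,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,p=sSem09WkghLJOV/Ma5LjIqUtoo8=");
        Assert.assertFalse(server.isComplete());
    }

    /**
     * The first message carries {@code a=user}, but the final message's {@code c=} value decodes to
     * the gs2 header {@code n,a=admin,}; the changed authorization id is rejected.
     */
    @Test
    public void testMismatchedAuthorizationId() throws Exception {
        mockNonce(SERVER_NONCE);
        SaslServer server = new SaslServerBuilder(ScramSaslServerFactory.class, "SCRAM-SHA-1")
                .setUserName("user")
                .setPassword(getPassword("pencil", SALT_BASE64))
                .build();
        Assert.assertEquals(SERVER_FIRST, respond(server, "n,a=user,n=user,r=fyko+d2lbbFgONRv9qkxdawL"));
        assertRejected(server, "c=bixhPWFkbWluLA==,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,p=NdEpo1qMJaCn9xyrYplfuEKubqQ=");
        Assert.assertFalse(server.isComplete());
    }

    /**
     * The first message carries {@code a=user}, but the final message's {@code c=biws} decodes to
     * {@code n,,} with no authorization id; the dropped authorization id is rejected.
     */
    @Test
    public void testMismatchedAuthorizationIdBlank() throws Exception {
        mockNonce(SERVER_NONCE);
        SaslServer server = new SaslServerBuilder(ScramSaslServerFactory.class, "SCRAM-SHA-1")
                .setUserName("user")
                .setPassword(getPassword("pencil", SALT_BASE64))
                .build();
        Assert.assertEquals(SERVER_FIRST, respond(server, "n,a=user,n=user,r=fyko+d2lbbFgONRv9qkxdawL"));
        assertRejected(server, CLIENT_FINAL);
        Assert.assertFalse(server.isComplete());
    }

    /**
     * The server issues the nonce suffix {@code differentNonceVs7j}, while the client-final message
     * echoes the RFC example nonce; the nonce mismatch is rejected.
     */
    @Test
    public void testDifferentNonceAttack() throws Exception {
        mockNonce("differentNonceVs7j");
        SaslServer server = new SaslServerBuilder(ScramSaslServerFactory.class, "SCRAM-SHA-1")
                .setUserName("user")
                .setPassword(getPassword("pencil", SALT_BASE64))
                .build();
        Assert.assertEquals("r=fyko+d2lbbFgONRv9qkxdawLdifferentNonceVs7j,s=QSXCR+Q6sek8bf92,i=4096", respond(server, CLIENT_FIRST));
        assertRejected(server, CLIENT_FINAL);
        Assert.assertFalse(server.isComplete());
    }

    /**
     * Uses names and passwords containing {@code =}, {@code ,}, a backslash and non-ASCII
     * characters, with {@code =3D}/{@code =2C} escaping on the wire.
     *
     * <p>NOTE(review): the U+FFFD replacement characters in these literals look like extraction
     * damage. The Base64 {@code c=} payload below decodes to the UTF-8 bytes F0 9F 82 A1 (U+1F0A1)
     * at that position, and the admin password literal spells the surrogate pair D83C DCA1.
     * Restore the literals from the original source before relying on this test.
     */
    @Test
    public void testStrangeCredentials() throws Exception {
        mockNonce(SERVER_NONCE);
        Assert.assertNotNull(SaslTestUtil.obtainSaslServerFactory(ScramSaslServerFactory.class));
        HashMap passwords = new HashMap();
        passwords.put("strange=admin, \\и你��1⁄2 ́", getPassword("\"strange=admin=password, \\\\\\u0438\\u4F60\\uD83C\\uDCA1\\u00BD\\u00B4\"", SALT_BASE64));
        passwords.put("strange=user, \\и你��1⁄2 ́", getPassword("strange=password, \\и你��½´", SALT_BASE64));
        Permissions userPermissions = new Permissions();
        userPermissions.add(new RunAsPrincipalPermission("strange=admin, \\и你��1⁄2 ́"));
        SaslServer server = new SaslServerBuilder(ScramSaslServerFactory.class, "SCRAM-SHA-1")
                .setProtocol("protocol")
                .setPasswordInstanceMap(passwords)
                .setPermissionsMap(Collections.singletonMap("strange=user, \\и你��1⁄2 ́", userPermissions))
                .build();
        Assert.assertEquals(SERVER_FIRST, respond(server, "n,a=strange=3Dadmin=2C \\и你��1⁄2 ́,n=strange=3Duser=2C \\и你��½´,r=fyko+d2lbbFgONRv9qkxdawL"));
        Assert.assertEquals("v=k1gWxds6QP4FdDqmsLtaxIl38NM=", respond(server, "c=bixhPXN0cmFuZ2U9M0RhZG1pbj0yQyBc0LjkvaDwn4KhMeKBhDIgzIEs,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,p=ZWpaDThPD7OErOz+6Q+n9msNhMQ="));
        Assert.assertTrue(server.isComplete());
    }

    /**
     * The client sends gs2 flag {@code y} and the server has no channel binding configured; the
     * exchange completes. {@code c=eSws} is Base64 of {@code y,,}.
     */
    @Test
    public void testBindingCorrectY() throws Exception {
        mockNonce(SERVER_NONCE);
        SaslServer server = new SaslServerBuilder(ScramSaslServerFactory.class, "SCRAM-SHA-1")
                .setUserName("user")
                .setPassword(getPassword("pencil", SALT_BASE64))
                .build();
        Assert.assertEquals(SERVER_FIRST, respond(server, "y,,n=user,r=fyko+d2lbbFgONRv9qkxdawL"));
        Assert.assertEquals("v=dsprQ5R2AGYt1kn4bQRwTAE0PTU=", respond(server, "c=eSws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,p=BjZF5dV+EkD3YCb3pH3IP8riMGw="));
        Assert.assertTrue(server.isComplete());
    }

    /**
     * The server has channel-binding data configured and the client sends gs2 flag {@code y}; the
     * server answers {@code e=server-does-support-channel-binding}, which is how a channel-binding
     * downgrade is surfaced, and the exchange stays incomplete.
     */
    @Test
    public void testBindingIncorrectYWithServerChannelBinding() throws Exception {
        mockNonce(SERVER_NONCE);
        SaslServer server = new SaslServerBuilder(ScramSaslServerFactory.class, "SCRAM-SHA-1")
                .setUserName("user")
                .setPassword(getPassword("pencil", SALT_BASE64))
                .setChannelBinding("same-type", new byte[]{0, 44, -1})
                .build();
        Assert.assertEquals("e=server-does-support-channel-binding", respond(server, "y,,n=user,r=fyko+d2lbbFgONRv9qkxdawL"));
        Assert.assertFalse(server.isComplete());
    }

    /**
     * The server has channel-binding data configured and the client sends gs2 flag {@code n}; the
     * test expects the same {@code e=server-does-support-channel-binding} error.
     */
    @Test
    public void testBindingIncorrectNWithChannelBinding() throws Exception {
        mockNonce(SERVER_NONCE);
        SaslServer server = new SaslServerBuilder(ScramSaslServerFactory.class, "SCRAM-SHA-1")
                .setUserName("user")
                .setPassword(getPassword("pencil", SALT_BASE64))
                .setChannelBinding("same-type", new byte[]{0, 44, -1})
                .build();
        Assert.assertEquals("e=server-does-support-channel-binding", respond(server, CLIENT_FIRST));
        Assert.assertFalse(server.isComplete());
    }

    /**
     * SCRAM-SHA-1-PLUS with {@code wildfly.sasl.channel-binding-required=true}: a client that sends
     * gs2 flag {@code y} instead of binding data gets {@code e=server-does-support-channel-binding}.
     */
    @Test
    public void testBindingIncorrectY() throws Exception {
        mockNonce(SERVER_NONCE);
        Password password = getPassword("pencil", SALT_BASE64);
        HashMap properties = new HashMap();
        properties.put("wildfly.sasl.channel-binding-required", "true");
        SaslServer server = new SaslServerBuilder(ScramSaslServerFactory.class, "SCRAM-SHA-1-PLUS")
                .setUserName("user")
                .setPassword(password)
                .setChannelBinding("sameType", new byte[]{18, 44, 0})
                .setProperties(properties)
                .build();
        Assert.assertEquals("e=server-does-support-channel-binding", respond(server, "y,,n=user,r=fyko+d2lbbFgONRv9qkxdawL"));
        Assert.assertFalse(server.isComplete());
    }

    /**
     * SCRAM-SHA-1-PLUS with matching channel binding: the {@code c=} value decodes to
     * {@code p=same-type,,} followed by the bytes 00 2C FF, the same data the server is configured with.
     */
    @Test
    public void testBindingCorrect() throws Exception {
        mockNonce(SERVER_NONCE);
        Password password = getPassword("pencil", SALT_BASE64);
        Assert.assertNotNull(SaslTestUtil.obtainSaslServerFactory(ScramSaslServerFactory.class));
        HashMap properties = new HashMap();
        properties.put("wildfly.sasl.channel-binding-required", "true");
        SaslServer server = new SaslServerBuilder(ScramSaslServerFactory.class, "SCRAM-SHA-1-PLUS")
                .setUserName("user")
                .setPassword(password)
                .setChannelBinding("same-type", new byte[]{0, 44, -1})
                .setProperties(properties)
                .build();
        Assert.assertEquals(SERVER_FIRST, respond(server, "p=same-type,,n=user,r=fyko+d2lbbFgONRv9qkxdawL"));
        Assert.assertEquals("v=/ubKPpiyDhhCsgGfHqY5Xm7msjM=", respond(server, "c=cD1zYW1lLXR5cGUsLAAs/w==,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,p=H8mpU86Osa2lDJvFElvu7qys7LE="));
        Assert.assertTrue(server.isComplete());
    }

    /**
     * Same client messages as {@link #testBindingCorrect()}, but the server's binding data is
     * {@code {-103, -103}}; the server answers {@code e=channel-bindings-dont-match} and the
     * exchange stays incomplete.
     */
    @Test
    public void testBindingBadData() throws Exception {
        mockNonce(SERVER_NONCE);
        Password password = getPassword("pencil", SALT_BASE64);
        Assert.assertNotNull(SaslTestUtil.obtainSaslServerFactory(ScramSaslServerFactory.class));
        HashMap properties = new HashMap();
        properties.put("wildfly.sasl.channel-binding-required", "true");
        SaslServer server = new SaslServerBuilder(ScramSaslServerFactory.class, "SCRAM-SHA-1-PLUS")
                .setUserName("user")
                .setPassword(password)
                .setChannelBinding("same-type", new byte[]{-103, -103})
                .setProperties(properties)
                .build();
        Assert.assertEquals(SERVER_FIRST, respond(server, "p=same-type,,n=user,r=fyko+d2lbbFgONRv9qkxdawL"));
        Assert.assertEquals("e=channel-bindings-dont-match", respond(server, "c=cD1zYW1lLXR5cGUsLAAs/w==,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,p=H8mpU86Osa2lDJvFElvu7qys7LE="));
        Assert.assertFalse(server.isComplete());
    }
}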
