package org.wildfly.security.auth.server;

import java.io.File;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileVisitResult;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.SimpleFileVisitor;
import java.nio.file.attribute.BasicFileAttributes;
import java.nio.file.attribute.FileAttribute;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSessionContext;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.x500.X500Principal;
import javax.security.cert.X509Certificate;
import javax.security.sasl.SaslException;
import mockit.Mock;
import mockit.MockUp;
import org.apache.commons.io.FileUtils;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;
import org.wildfly.security.auth.callback.SSLCallback;
import org.wildfly.security.auth.permission.LoginPermission;
import org.wildfly.security.auth.principal.NamePrincipal;
import org.wildfly.security.auth.realm.FileSystemSecurityRealm;
import org.wildfly.security.auth.server.ServerAuthenticationContext;
import org.wildfly.security.sasl.external.ExternalSaslServerFactory;
import org.wildfly.security.sasl.util.SetMechanismInformationSaslServerFactory;
import org.wildfly.security.ssl.SSLConnection;
import org.wildfly.security.x500.X500;
import org.wildfly.security.x500.cert.BasicConstraintsExtension;
import org.wildfly.security.x500.cert.X509CertificateBuilder;
import org.wildfly.security.x500.principal.X500AttributePrincipalDecoder;

/* loaded from: input_file:org/wildfly/security/auth/server/SaslExternalServerAuthenticationCallbackTest.class */
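/**
 * Exercises the SASL EXTERNAL server mechanism against a {@link SecurityDomain} whose single
 * realm holds only an identity named {@code externalSaslUser} (and no credentials for it).
 *
 * <p>The peer certificate is not produced by a real TLS handshake: {@link #mockClientsCertificateEvidence()}
 * installs a mock of {@link X500#asX509CertificateArray} that always yields a freshly generated
 * certificate with {@code CN=externalSaslUser}, and a mock that reports evidence as verifiable.
 * The {@link SSLSession} handed to the callback handler is an empty stub.
 *
 * <p>The three tests pin down the contract of the
 * {@code org.wildfly.security.sasl.skip-certificate-verification} mechanism property as observed
 * here: only when it is {@code "true"} does {@code evaluateResponse} complete; with {@code "false"}
 * or with no properties at all the mechanism fails with a {@link SaslException}. In other words the
 * property disables the evidence check against the realm entirely, which is why a deployment
 * must only enable it deliberately.
 *
 * <p>Not thread-safe: all state is static and built once in {@link #setup()}.
 */
public class SaslExternalServerAuthenticationCallbackTest {
    /** Root directory of the temporary filesystem realm; created in {@link #getRootPath()}, emptied in {@link #deleteTestFilesystemRealm()}. */
    static Path rootPath;
    /** Domain with one filesystem realm ("default") and a CN-based principal decoder. */
    static SecurityDomain securityDomain;
    /** EXTERNAL mechanism factory wrapped so that mechanism information is set on the callback handler. */
    static SetMechanismInformationSaslServerFactory factory;

    /** Name of the only identity that exists in the realm and the CN placed in the generated certificate. */
    private static final String USER_NAME = "externalSaslUser";
    /** Mechanism property under test; its presence and value decide whether the certificate is verified against the realm. */
    private static final String SKIP_VERIFICATION_PROP = "org.wildfly.security.sasl.skip-certificate-verification";
    /** OID of the X.500 {@code commonName} attribute, used by the principal decoder. */
    private static final String COMMON_NAME_OID = "2.5.4.3";

    /**
     * Minimal {@link SSLSession} stub handed to {@link SSLConnection#forSession}.
     *
     * <p>Despite its name it returns no certificates itself ({@link #getPeerCertificates()} and
     * {@link #getPeerCertificateChain()} are empty); presumably the certificate the mechanism ends up
     * seeing comes from the {@link X500} mock installed by {@link #mockClientsCertificateEvidence()}.
     * Every other accessor returns a neutral default.
     */
    static class DummySessionContainingPeerCertificates implements SSLSession {
        DummySessionContainingPeerCertificates() {
        }

        @Override
        public byte[] getId() {
            return new byte[0];
        }

        @Override
        public SSLSessionContext getSessionContext() {
            return null;
        }

        @Override
        public long getCreationTime() {
            return 0L;
        }

        @Override
        public long getLastAccessedTime() {
            return 0L;
        }

        @Override
        public void invalidate() {
        }

        @Override
        public boolean isValid() {
            return false;
        }

        @Override
        public void putValue(String name, Object value) {
        }

        @Override
        public Object getValue(String name) {
            return null;
        }

        @Override
        public void removeValue(String name) {
        }

        @Override
        public String[] getValueNames() {
            return new String[0];
        }

        /** Returns an empty chain; the peer certificate is injected elsewhere (see class comment). */
        @Override
        public Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException {
            return new Certificate[0];
        }

        @Override
        public Certificate[] getLocalCertificates() {
            return new Certificate[0];
        }

        /** Returns an empty chain (deprecated {@code javax.security.cert} API required by the interface). */
        @Override
        public X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException {
            return new X509Certificate[0];
        }

        @Override
        public Principal getPeerPrincipal() throws SSLPeerUnverifiedException {
            return null;
        }

        @Override
        public Principal getLocalPrincipal() {
            return null;
        }

        @Override
        public String getCipherSuite() {
            return null;
        }

        @Override
        public String getProtocol() {
            return null;
        }

        @Override
        public String getPeerHost() {
            return null;
        }

        @Override
        public int getPeerPort() {
            return 0;
        }

        @Override
        public int getPacketBufferSize() {
            return 0;
        }

        @Override
        public int getApplicationBufferSize() {
            return 0;
        }
    }

    /**
     * Installs the certificate mocks, creates the on-disk realm containing {@code externalSaslUser},
     * builds the security domain around it and instantiates the EXTERNAL mechanism factory.
     *
     * @throws Exception if the realm directory cannot be prepared or the identity cannot be created
     */
    @BeforeClass
    public static void setup() throws Exception {
        mockClientsCertificateEvidence();
        FileSystemSecurityRealm realm = new FileSystemSecurityRealm(getRootPath(), 3);
        ModifiableRealmIdentity identity = realm.getRealmIdentityForUpdate(new NamePrincipal(USER_NAME));
        identity.create();
        identity.dispose();
        Assert.assertTrue(identity.exists());
        securityDomain = SecurityDomain.builder()
                .setDefaultRealmName("default")
                .addRealm("default", realm).build()
                // every authenticated identity may log in; authorization is not what these tests cover
                .setPermissionMapper((permissionMappable, roles) -> LoginPermission.getInstance())
                // map the certificate subject's CN onto the realm identity name
                .setPrincipalDecoder(new X500AttributePrincipalDecoder(COMMON_NAME_OID))
                .build();
        factory = new SetMechanismInformationSaslServerFactory(new ExternalSaslServerFactory());
        Assert.assertNotNull("SaslServerFactory not registered", factory);
    }

    /**
     * With {@code skip-certificate-verification=true} the EXTERNAL exchange completes: the response
     * is accepted and no further challenge is returned.
     *
     * @throws GeneralSecurityException declared for callers; not expected here
     * @throws IOException if the callback handler fails
     * @throws UnsupportedCallbackException if the domain's handler rejects {@link SSLCallback}
     */
    @Test
    public void testWithSkipCertificateVerificationProp() throws GeneralSecurityException, IOException, UnsupportedCallbackException {
        CallbackHandler handler = newCallbackHandlerWithTlsSession();
        try {
            byte[] challenge = factory
                    .createSaslServer("EXTERNAL", "test", "localhost", setProp(SKIP_VERIFICATION_PROP, "true"), handler)
                    .evaluateResponse(USER_NAME.getBytes(StandardCharsets.UTF_8));
            Assert.assertNull(challenge);
        } catch (SaslException e) {
            // keep the cause so a regression shows why the mechanism rejected the response
            throw new AssertionError("SASL EXTERNAL authentication with " + SKIP_VERIFICATION_PROP + " property failed", e);
        }
    }

    /**
     * With {@code skip-certificate-verification=false} the mechanism must verify the certificate
     * against the realm, which holds no credential for the identity, so the exchange fails.
     *
     * @throws GeneralSecurityException declared for callers; not expected here
     * @throws IOException if the callback handler fails
     * @throws UnsupportedCallbackException if the domain's handler rejects {@link SSLCallback}
     */
    @Test
    public void testWithSkipCertificateVerificationPropFalse() throws GeneralSecurityException, IOException, UnsupportedCallbackException {
        CallbackHandler handler = newCallbackHandlerWithTlsSession();
        try {
            factory.createSaslServer("EXTERNAL", "test", "localhost", setProp(SKIP_VERIFICATION_PROP, "false"), handler)
                    .evaluateResponse(USER_NAME.getBytes(StandardCharsets.UTF_8));
            Assert.fail("expected SaslException when certificate verification is not skipped");
        } catch (SaslException expected) {
            // expected: verification against the credential-less realm cannot succeed
        }
    }

    /**
     * With no mechanism properties at all, verification is not skipped and the exchange fails,
     * i.e. the secure behaviour is the default.
     *
     * @throws IOException if the callback handler fails
     * @throws UnsupportedCallbackException if the domain's handler rejects {@link SSLCallback}
     */
    @Test
    public void testWithNullProperties() throws IOException, UnsupportedCallbackException {
        CallbackHandler handler = newCallbackHandlerWithTlsSession();
        try {
            factory.createSaslServer("EXTERNAL", "test", "localhost", null, handler)
                    .evaluateResponse(USER_NAME.getBytes(StandardCharsets.UTF_8));
            Assert.fail("expected SaslException when no mechanism properties are supplied");
        } catch (SaslException expected) {
            // expected: absent property behaves like "false"
        }
    }

    /**
     * Empties the realm directory so the on-disk identity does not leak into other test classes.
     *
     * @throws IOException if the directory cannot be cleaned
     */
    @AfterClass
    public static void deleteTestFilesystemRealm() throws IOException {
        FileUtils.cleanDirectory(rootPath.toFile());
    }

    /**
     * Creates a callback handler for a fresh authentication context of the domain and attaches the
     * stub TLS session to it via {@link SSLCallback}, mirroring what a server would do after the handshake.
     *
     * @return the handler to pass to {@code createSaslServer}
     * @throws IOException if the handler fails
     * @throws UnsupportedCallbackException if the handler rejects {@link SSLCallback}
     */
    private static CallbackHandler newCallbackHandlerWithTlsSession() throws IOException, UnsupportedCallbackException {
        CallbackHandler handler = securityDomain.createNewAuthenticationContext().createCallbackHandler();
        SSLConnection connection = SSLConnection.forSession(new DummySessionContainingPeerCertificates(), true);
        handler.handle(new SSLCallback[] {new SSLCallback(connection)});
        return handler;
    }

    /**
     * Builds a single-entry mechanism property map.
     *
     * @param name property name
     * @param value property value
     * @return a mutable map holding just {@code name -> value}
     */
    private Map<String, ?> setProp(String name, String value) {
        Map<String, String> props = new HashMap<>();
        props.put(name, value);
        return props;
    }

    /**
     * Resolves (and records in {@link #rootPath}) the {@code filesystem-realm} directory under the
     * test-classes root, creating it if needed and deleting any files left by an earlier run.
     * Directories are kept so the realm always starts from an existing, empty tree.
     *
     * @return the realm root directory
     * @throws Exception if the classpath root cannot be resolved or the directory cannot be prepared
     */
    private static Path getRootPath() throws Exception {
        // Class.getResource() uses "/" as its separator on every platform; File.separator would not
        // be treated as the classpath root on Windows.
        rootPath = Paths.get(SaslExternalServerAuthenticationCallbackTest.class.getResource("/").toURI()).resolve("filesystem-realm");
        Files.createDirectories(rootPath);
        return Files.walkFileTree(rootPath, new SimpleFileVisitor<Path>() {
            @Override
            public FileVisitResult visitFile(Path file, BasicFileAttributes attrs) throws IOException {
                Files.delete(file);
                return FileVisitResult.CONTINUE;
            }

            /** Best-effort cleanup: a failed directory visit is ignored rather than aborting setup. */
            @Override
            public FileVisitResult postVisitDirectory(Path dir, IOException ignored) throws IOException {
                return FileVisitResult.CONTINUE;
            }
        });
    }

    /**
     * Installs the JMockit mocks that stand in for a real TLS client certificate:
     * {@code InactiveState.canVerifyEvidence()} always reports {@code true}, and
     * {@link X500#asX509CertificateArray} always returns a one-element chain holding the
     * generated {@code CN=externalSaslUser} certificate regardless of its input.
     */
    protected static void mockClientsCertificateEvidence() {
        new MockUp<ServerAuthenticationContext.InactiveState>() {
            @Mock
            public boolean canVerifyEvidence() {
                return true;
            }
        };
        new MockUp<X500>() {
            @Mock
            public java.security.cert.X509Certificate[] asX509CertificateArray(Object[] certificates) throws ArrayStoreException {
                return new java.security.cert.X509Certificate[] {generateX509CertificateWithExternalSaslUserCN()};
            }
        };
    }

    /**
     * Generates a throw-away certificate whose subject CN matches the realm identity.
     *
     * <p>The fixture is self-contained: issuer and subject are arbitrary, the serial number is
     * fixed, and the signature is made with SHA-1 only because nothing in these tests validates it
     * (anything beyond this fixture should use SHA-256 or stronger).
     *
     * @return a certificate for {@code CN=externalSaslUser}
     * @throws AssertionError if the JCA provider cannot generate an RSA key pair or the certificate cannot be built
     */
    private static java.security.cert.X509Certificate generateX509CertificateWithExternalSaslUserCN() {
        try {
            KeyPair keyPair = KeyPairGenerator.getInstance("RSA").generateKeyPair();
            return new X509CertificateBuilder()
                    .setIssuerDn(new X500Principal("CN=issuer"))
                    .setSubjectDn(new X500Principal("CN=" + USER_NAME))
                    .setSignatureAlgorithmName("SHA1withRSA")
                    .setSigningKey(keyPair.getPrivate())
                    .setPublicKey(keyPair.getPublic())
                    .setSerialNumber(new BigInteger("3"))
                    .addExtension(new BasicConstraintsExtension(false, false, -1))
                    .build();
        } catch (NoSuchAlgorithmException | CertificateException e) {
            // same failure type as Assert.fail(), but the underlying cause is preserved
            throw new AssertionError("could not generate the test certificate", e);
        }
    }
}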
