package org.wildfly.security.sasl.oauth2;

import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.file.FileVisitResult;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.SimpleFileVisitor;
import java.nio.file.attribute.BasicFileAttributes;
import java.nio.file.attribute.FileAttribute;
import java.security.Permissions;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.regex.Pattern;
import javax.json.Json;
import javax.json.JsonObject;
import javax.json.JsonObjectBuilder;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslClientFactory;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import mockit.Mock;
import mockit.MockUp;
import mockit.integration.junit4.JMockit;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.wildfly.common.iteration.CodePointIterator;
import org.wildfly.security.auth.callback.CredentialCallback;
import org.wildfly.security.auth.permission.LoginPermission;
import org.wildfly.security.auth.principal.NamePrincipal;
import org.wildfly.security.auth.realm.AggregateSecurityRealm;
import org.wildfly.security.auth.realm.FileSystemSecurityRealm;
import org.wildfly.security.auth.realm.token.TokenSecurityRealm;
import org.wildfly.security.auth.realm.token.validator.OAuth2IntrospectValidator;
import org.wildfly.security.auth.server.ModifiableRealmIdentity;
import org.wildfly.security.auth.server.SecurityRealm;
import org.wildfly.security.auth.util.RegexNameRewriter;
import org.wildfly.security.authz.MapAttributes;
import org.wildfly.security.credential.BearerTokenCredential;
import org.wildfly.security.sasl.test.SaslServerBuilder;
import org.wildfly.security.sasl.test.SaslTestUtil;
import org.wildfly.security.sasl.util.AbstractSaslParticipant;

@RunWith(JMockit.class)
/* loaded from: input_file:org/wildfly/security/sasl/oauth2/OAuth2SaslTest.class */
public class OAuth2SaslTest {
    private static final Provider provider = WildFlyElytronSaslOAuth2Provider.getInstance();

    @BeforeClass
    public static void registerProvider() {
        Security.insertProviderAt(provider, 1);
    }

    @AfterClass
    public static void removeProvider() {
        Security.removeProvider(provider.getName());
    }

    @Test
    public void testQueryMechanisms() {
        String[] mechanismNames = SaslTestUtil.obtainSaslServerFactory(OAuth2SaslServerFactory.class).getMechanismNames(Collections.emptyMap());
        Assert.assertEquals(1L, mechanismNames.length);
        Assert.assertEquals("OAUTHBEARER", mechanismNames[0]);
    }

    @Test
    public void testAbstractMessageFlow() throws Exception {
        SaslClientFactory obtainSaslClientFactory = SaslTestUtil.obtainSaslClientFactory(OAuth2SaslClientFactory.class);
        Assert.assertNotNull("OAuth2SaslClientFactory not found", obtainSaslClientFactory);
        SaslClient createSaslClient = obtainSaslClientFactory.createSaslClient(new String[]{"OAUTHBEARER"}, "user", "imap", "resourceserver.com", Collections.emptyMap(), new CallbackHandler() { // from class: org.wildfly.security.sasl.oauth2.OAuth2SaslTest.1
            @Override // javax.security.auth.callback.CallbackHandler
            public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
                for (Callback callback : callbackArr) {
                    if (callback instanceof CredentialCallback) {
                        CredentialCallback credentialCallback = (CredentialCallback) callback;
                        JsonObjectBuilder createObjectBuilder = Json.createObjectBuilder();
                        createObjectBuilder.add("active", true);
                        createObjectBuilder.add("username", "elytron@jboss.org");
                        credentialCallback.setCredential(new BearerTokenCredential(createObjectBuilder.build().toString()));
                    }
                }
            }
        });
        Assert.assertNotNull("OAuth2SaslClient is null", createSaslClient);
        SaslServer build = new SaslServerBuilder(OAuth2SaslServerFactory.class, "OAUTHBEARER").setServerName("resourceserver.com").setProtocol("imap").addRealm("oauth-realm", createSecurityRealmMock()).setDefaultRealmName("oauth-realm").build();
        byte[] bArr = AbstractSaslParticipant.NO_BYTES;
        do {
            byte[] evaluateChallenge = createSaslClient.evaluateChallenge(bArr);
            if (evaluateChallenge == null) {
                break;
            } else {
                bArr = build.evaluateResponse(evaluateChallenge);
            }
        } while (bArr != null);
        Assert.assertTrue(build.isComplete());
        Assert.assertTrue(createSaslClient.isComplete());
    }

    @Test
    public void testSuccessfulWithoutAuthorizationId() throws Exception {
        SaslClientFactory obtainSaslClientFactory = SaslTestUtil.obtainSaslClientFactory(OAuth2SaslClientFactory.class);
        Assert.assertNotNull("OAuth2SaslClientFactory not found", obtainSaslClientFactory);
        SaslClient createSaslClient = obtainSaslClientFactory.createSaslClient(new String[]{"OAUTHBEARER"}, (String) null, "imap", "resourceserver.com", Collections.emptyMap(), new CallbackHandler() { // from class: org.wildfly.security.sasl.oauth2.OAuth2SaslTest.2
            @Override // javax.security.auth.callback.CallbackHandler
            public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
                for (Callback callback : callbackArr) {
                    if (callback instanceof CredentialCallback) {
                        CredentialCallback credentialCallback = (CredentialCallback) callback;
                        JsonObjectBuilder createObjectBuilder = Json.createObjectBuilder();
                        createObjectBuilder.add("active", true);
                        createObjectBuilder.add("username", "elytron@jboss.org");
                        credentialCallback.setCredential(new BearerTokenCredential(createObjectBuilder.build().toString()));
                    }
                }
            }
        });
        Assert.assertNotNull("OAuth2SaslClient is null", createSaslClient);
        SaslServer build = new SaslServerBuilder(OAuth2SaslServerFactory.class, "OAUTHBEARER").setServerName("resourceserver.com").setProtocol("imap").addRealm("oauth-realm", createSecurityRealmMock()).setDefaultRealmName("oauth-realm").build();
        byte[] bArr = AbstractSaslParticipant.NO_BYTES;
        do {
            byte[] evaluateChallenge = createSaslClient.evaluateChallenge(bArr);
            if (evaluateChallenge == null) {
                break;
            } else {
                bArr = build.evaluateResponse(evaluateChallenge);
            }
        } while (bArr != null);
        Assert.assertTrue(build.isComplete());
        Assert.assertTrue(createSaslClient.isComplete());
    }

    @Test
    public void testSuccessfulAuthorizationWithAggregateRealmWithoutPrincipalTransformer() throws Exception {
        testSuccessfulAuthorizationWithAggregateRealm(false);
    }

    @Test
    public void testSuccessfulAuthorizationWithAggregateRealmWithPrincipalTransformer() throws Exception {
        testSuccessfulAuthorizationWithAggregateRealm(true);
    }

    private void testSuccessfulAuthorizationWithAggregateRealm(boolean z) throws Exception {
        SaslClientFactory obtainSaslClientFactory = SaslTestUtil.obtainSaslClientFactory(OAuth2SaslClientFactory.class);
        Assert.assertNotNull("OAuth2SaslClientFactory not found", obtainSaslClientFactory);
        SaslClient createSaslClient = obtainSaslClientFactory.createSaslClient(new String[]{"OAUTHBEARER"}, (String) null, "imap", "resourceserver.com", Collections.emptyMap(), new CallbackHandler() { // from class: org.wildfly.security.sasl.oauth2.OAuth2SaslTest.3
            @Override // javax.security.auth.callback.CallbackHandler
            public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
                for (Callback callback : callbackArr) {
                    if (callback instanceof CredentialCallback) {
                        CredentialCallback credentialCallback = (CredentialCallback) callback;
                        JsonObjectBuilder createObjectBuilder = Json.createObjectBuilder();
                        createObjectBuilder.add("active", true);
                        createObjectBuilder.add("username", "elytron@jboss.org");
                        credentialCallback.setCredential(new BearerTokenCredential(createObjectBuilder.build().toString()));
                    }
                }
            }
        });
        Assert.assertNotNull("OAuth2SaslClient is null", createSaslClient);
        Permissions permissions = new Permissions();
        permissions.add(new LoginPermission());
        SaslServer build = new SaslServerBuilder(OAuth2SaslServerFactory.class, "OAUTHBEARER").setServerName("resourceserver.com").setProtocol("imap").addRealm("oauth-realm", createAggregateSecurityRealmMock(z)).setDefaultRealmName("oauth-realm").setPermissionsMap(Collections.singletonMap("admin", permissions)).build();
        byte[] bArr = AbstractSaslParticipant.NO_BYTES;
        do {
            byte[] evaluateChallenge = createSaslClient.evaluateChallenge(bArr);
            if (evaluateChallenge == null) {
                break;
            } else {
                bArr = build.evaluateResponse(evaluateChallenge);
            }
        } while (bArr != null);
        Assert.assertTrue(build.isComplete());
        Assert.assertTrue(createSaslClient.isComplete());
    }

    @Test
    public void testFailedAuthenticationFlow() throws Exception {
        SaslClientFactory obtainSaslClientFactory = SaslTestUtil.obtainSaslClientFactory(OAuth2SaslClientFactory.class);
        Assert.assertNotNull("OAuth2SaslClientFactory not found", obtainSaslClientFactory);
        SaslClient createSaslClient = obtainSaslClientFactory.createSaslClient(new String[]{"OAUTHBEARER"}, "user", "imap", "resourceserver.com", Collections.emptyMap(), new CallbackHandler() { // from class: org.wildfly.security.sasl.oauth2.OAuth2SaslTest.4
            @Override // javax.security.auth.callback.CallbackHandler
            public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
                for (Callback callback : callbackArr) {
                    if (callback instanceof CredentialCallback) {
                        CredentialCallback credentialCallback = (CredentialCallback) callback;
                        JsonObjectBuilder createObjectBuilder = Json.createObjectBuilder();
                        createObjectBuilder.add("active", false);
                        credentialCallback.setCredential(new BearerTokenCredential(createObjectBuilder.build().toString()));
                    }
                }
            }
        });
        Assert.assertNotNull("OAuth2SaslClient is null", createSaslClient);
        HashMap hashMap = new HashMap();
        hashMap.put("openid-configuration", "http://as.test.org/oauth2/.well-known/openid-configuration");
        SaslServer build = new SaslServerBuilder(OAuth2SaslServerFactory.class, "OAUTHBEARER").setServerName("resourceserver.com").setProperties(hashMap).setProtocol("imap").addRealm("oauth-realm", createSecurityRealmMock()).setDefaultRealmName("oauth-realm").build();
        byte[] evaluateChallenge = createSaslClient.evaluateChallenge(AbstractSaslParticipant.NO_BYTES);
        Assert.assertNotNull(evaluateChallenge);
        byte[] evaluateResponse = build.evaluateResponse(evaluateChallenge);
        Assert.assertNotNull(evaluateResponse);
        byte[] evaluateChallenge2 = createSaslClient.evaluateChallenge(evaluateResponse);
        Assert.assertNotNull(evaluateChallenge2);
        try {
            build.evaluateResponse(evaluateChallenge2);
            Assert.fail("Expected SaslException not thrown");
        } catch (SaslException e) {
        }
        Assert.assertFalse(build.isComplete());
        Assert.assertFalse(createSaslClient.isComplete());
        Assert.assertEquals("{\"status\":\"invalid_token\",\"openid-configuration\":\"http://as.test.org/oauth2/.well-known/openid-configuration\"}", new String(CodePointIterator.ofUtf8Bytes(evaluateResponse).base64Decode().drain()));
    }

    private SecurityRealm createSecurityRealmMock() throws MalformedURLException {
        configureReplayTokenIntrospectionEndpoint();
        return TokenSecurityRealm.builder().validator(OAuth2IntrospectValidator.builder().clientId("wildfly-elytron").clientSecret("dont_tell_me").tokenIntrospectionUrl(new URL("http://as.test.org/oauth2/token/introspect")).build()).build();
    }

    private SecurityRealm createAggregateSecurityRealmMock(boolean z) throws Exception {
        configureReplayTokenIntrospectionEndpoint();
        TokenSecurityRealm build = TokenSecurityRealm.builder().validator(OAuth2IntrospectValidator.builder().clientId("wildfly-elytron").clientSecret("dont_tell_me").tokenIntrospectionUrl(new URL("http://as.test.org/oauth2/token/introspect")).build()).build();
        ModifiableRealmIdentity realmIdentityForUpdate = new FileSystemSecurityRealm(getRootPath(), 1).getRealmIdentityForUpdate(new NamePrincipal(z ? "elytron" : "elytron@jboss.org"));
        realmIdentityForUpdate.create();
        MapAttributes mapAttributes = new MapAttributes();
        mapAttributes.addAll("roles", Arrays.asList("admin"));
        realmIdentityForUpdate.setAttributes(mapAttributes);
        realmIdentityForUpdate.dispose();
        SecurityRealm fileSystemSecurityRealm = new FileSystemSecurityRealm(getRootPath(false), 1);
        return z ? new AggregateSecurityRealm(build, new RegexNameRewriter(Pattern.compile("(.*)@jboss\\.org"), "$1", true).asPrincipalRewriter(), new SecurityRealm[]{fileSystemSecurityRealm}) : new AggregateSecurityRealm(build, fileSystemSecurityRealm);
    }

    private Path getRootPath(boolean z) throws Exception {
        Path resolve = Paths.get(getClass().getResource(File.separator).toURI()).resolve("filesystem-realm");
        return (!resolve.toFile().exists() || z) ? Files.walkFileTree(Files.createDirectories(resolve, new FileAttribute[0]), new SimpleFileVisitor<Path>() { // from class: org.wildfly.security.sasl.oauth2.OAuth2SaslTest.5
            @Override // java.nio.file.SimpleFileVisitor, java.nio.file.FileVisitor
            public FileVisitResult visitFile(Path path, BasicFileAttributes basicFileAttributes) throws IOException {
                Files.delete(path);
                return FileVisitResult.CONTINUE;
            }

            @Override // java.nio.file.SimpleFileVisitor, java.nio.file.FileVisitor
            public FileVisitResult postVisitDirectory(Path path, IOException iOException) throws IOException {
                return FileVisitResult.CONTINUE;
            }
        }) : resolve;
    }

    private Path getRootPath() throws Exception {
        return getRootPath(true);
    }

    private void configureReplayTokenIntrospectionEndpoint() {
        try {
            new MockUp<Object>(Class.forName("org.wildfly.security.auth.realm.token.validator.OAuth2IntrospectValidator", true, TokenSecurityRealm.class.getClassLoader())) { // from class: org.wildfly.security.sasl.oauth2.OAuth2SaslTest.6
                @Mock
                public JsonObject introspectAccessToken(URL url, String str, String str2, String str3, SSLContext sSLContext, HostnameVerifier hostnameVerifier) throws IOException {
                    return Json.createReader(new ByteArrayInputStream(str3.getBytes())).readObject();
                }
            };
        } catch (ClassNotFoundException e) {
            throw new NoClassDefFoundError(e.getMessage());
        }
    }
}
