package org.wildfly.security.sasl.oauth2;

import jakarta.json.Json;
import jakarta.json.JsonObjectBuilder;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;
import java.security.AccessController;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import okhttp3.mockwebserver.Dispatcher;
import okhttp3.mockwebserver.MockResponse;
import okhttp3.mockwebserver.MockWebServer;
import okhttp3.mockwebserver.RecordedRequest;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;
import org.wildfly.common.iteration.ByteIterator;
import org.wildfly.security.auth.client.AuthenticationConfiguration;
import org.wildfly.security.auth.client.AuthenticationContext;
import org.wildfly.security.auth.client.AuthenticationContextConfigurationClient;
import org.wildfly.security.auth.client.MatchRule;
import org.wildfly.security.auth.realm.token.TokenSecurityRealm;
import org.wildfly.security.auth.realm.token.validator.JwtValidator;
import org.wildfly.security.auth.server.SecurityRealm;
import org.wildfly.security.credential.source.OAuth2CredentialSource;
import org.wildfly.security.sasl.SaslMechanismSelector;
import org.wildfly.security.sasl.test.SaslServerBuilder;
import org.wildfly.security.sasl.util.AbstractSaslParticipant;

/* loaded from: input_file:org/wildfly/security/sasl/oauth2/OAuth2SaslClientV10Test.class */
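/**
 * Exercises the OAUTHBEARER SASL client end to end: a {@link MockWebServer} plays the OAuth2
 * token endpoint, an in-process OAuth2 SASL server (backed by a {@link TokenSecurityRealm})
 * plays the resource server, and the client side is driven either by the v1.0
 * {@code wildfly-config} XML referenced in {@link #onBefore()} (one rule per
 * {@code protocol://testN.org} URI below) or by an {@link AuthenticationContext} built in code
 * ("UsingAPI" cases).
 *
 * <p>Every successful case runs the same challenge/response loop until both participants report
 * completion ({@link #assertHandshakeCompletes}); every "failed" case expects the loop to abort
 * with a specific Elytron error code somewhere in the exception's cause chain
 * ({@link #assertHandshakeFailsWith}).
 *
 * <p>The class registers the OAuth2 SASL provider at position 1 for the whole JVM while the
 * suite runs and removes it again in {@link #removeProvider()}.
 */
public class OAuth2SaslClientV10Test {

    /** Port of the mock token endpoint. Must match the token URLs in the XML configuration. */
    private static final int TOKEN_ENDPOINT_PORT = 50831;
    private static final String TOKEN_ENDPOINT_URL = "http://localhost:" + TOKEN_ENDPOINT_PORT + "/token";

    private static final String MECHANISM = "OAUTHBEARER";
    private static final String REALM_NAME = "oauth-realm";
    private static final String SASL_SERVER_NAME = "resourceserver.comn";
    private static final String SASL_PROTOCOL = "imap";
    private static final String RESOURCE_SERVER_HOST = "resourceserver.com";

    /** Client credentials the mock endpoint accepts (both grant types). */
    private static final String CLIENT_ID = "elytron-client";
    private static final String CLIENT_SECRET = "dont_tell_me";
    /** Resource-owner password the mock endpoint accepts for users {@code alice} and {@code jdoe}. */
    private static final String OWNER_PASSWORD = "dont_tell_me";

    /**
     * Access token returned by the mock endpoint for every accepted grant. It is a fixed JWT
     * (header {@code alg=HS256}); its payload carries {@code preferred_username=jdoe}, which is
     * the claim the realm maps to the principal, and a fixed {@code exp} claim (an epoch
     * timestamp in 2025).
     *
     * NOTE(review): because {@code exp} is hard-coded, the realm's validator will presumably
     * start rejecting this token as expired once that instant passes, and every "success" test
     * here will fail for a reason unrelated to the client - confirm how JwtValidator handles
     * expiry, or mint the fixture token at test time.
     */
    private static final String ACCESS_TOKEN =
            "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiaXNzIjoiYXV0aC5zZXJ2ZXIiLCJhdWQiOiJmb3JfbWUiLCJleHAiOjE3NjA5OTE2MzUsInByZWZlcnJlZF91c2VybmFtZSI6Impkb2UifQ.SoPW41_mOFnKXdkwVG63agWQ2k09dEnEtTBztnxHN64";

    private static final MockWebServer server = new MockWebServer();
    private static final Provider provider = WildFlyElytronSaslOAuth2Provider.getInstance();

    /**
     * Registers the OAuth2 SASL provider at the highest priority for the duration of the suite.
     * JUnit 4 does not guarantee the relative order of two {@code @BeforeClass} methods in one
     * class; nothing in {@link #onBefore()} depends on the provider being registered first.
     */
    @BeforeClass
    public static void registerProvider() {
        Security.insertProviderAt(provider, 1);
    }

    /** Undoes {@link #registerProvider()} so later suites see the JVM's original provider list. */
    @AfterClass
    public static void removeProvider() {
        Security.removeProvider(provider.getName());
    }

    /**
     * Points the Elytron client at the test configuration and starts the mock token endpoint.
     *
     * @throws Exception if the mock server cannot bind {@link #TOKEN_ENDPOINT_PORT}
     */
    @BeforeClass
    public static void onBefore() throws Exception {
        // Fail with a clear message rather than an NPE from toExternalForm() if the resource is missing.
        URL configuration = OAuth2SaslClientV10Test.class.getResource("wildfly-oauth2-test-config-v1_0.xml");
        Assert.assertNotNull("wildfly-oauth2-test-config-v1_0.xml not found on the class path", configuration);
        System.setProperty("wildfly.config.url", configuration.toExternalForm());
        server.setDispatcher(createTokenEndpoint());
        server.start(TOKEN_ENDPOINT_PORT);
    }

    /** Stops the mock token endpoint. */
    @AfterClass
    public static void onAfter() throws Exception {
        server.shutdown();
    }

    @Test
    public void testWithResourceOwnerCredentialsUsingConfiguration() throws Exception {
        SaslClient client = createSaslClientFromConfiguration(URI.create("protocol://test1.org"));
        assertHandshakeCompletes(client, createSaslServer());
    }

    @Test
    public void testWithClientCredentialsUsingConfiguration() throws Exception {
        SaslClient client = createSaslClientFromConfiguration(URI.create("protocol://test2.org"));
        assertHandshakeCompletes(client, createSaslServer());
    }

    /**
     * A bearer token taken straight from the configuration is rejected by the realm; the server
     * answers the client's initial response with the OAUTHBEARER failure challenge, which per
     * RFC 7628 is base64-encoded JSON.
     */
    @Test
    public void failedWithBearerTokenFromConfiguration() throws Exception {
        SaslClient client = createSaslClientFromConfiguration(URI.create("protocol://test3.org"));
        SaslServer saslServer = createSaslServer();
        byte[] failureChallenge = saslServer.evaluateResponse(client.evaluateChallenge(AbstractSaslParticipant.NO_BYTES));
        Assert.assertFalse("server must not complete with an invalid token", saslServer.isComplete());
        Assert.assertNotNull("server sent no failure challenge", failureChallenge);
        Assert.assertEquals("{\"status\":\"invalid_token\"}", decodeServerChallenge(failureChallenge));
    }

    @Test
    public void failedInvalidClientCredentialsUsingConfiguration() throws Exception {
        SaslClient client = createSaslClientFromConfiguration(URI.create("protocol://test4.org"));
        assertHandshakeFailsWith(client, createSaslServer(), "ELY05125");
    }

    @Test
    public void testWithResourceOwnerCredentials() throws Exception {
        SaslClient client = createSaslClientFromConfiguration(URI.create("protocol://test5.org"));
        assertHandshakeCompletes(client, createSaslServer());
    }

    /**
     * NOTE(review): this resolves the same {@code protocol://test5.org} rule as
     * {@link #testWithResourceOwnerCredentials()}, so it cannot exercise a distinct bearer-token
     * configuration unless that rule carries one - confirm against the XML (the rejected-token
     * case lives under {@code test3.org}).
     */
    @Test
    public void testWithBearerTokenFromConfiguration() throws Exception {
        SaslClient client = createSaslClientFromConfiguration(URI.create("protocol://test5.org"));
        assertHandshakeCompletes(client, createSaslServer());
    }

    @Test
    public void failedResourceOwnerCredentialsUsingConfiguration() throws Exception {
        SaslClient client = createSaslClientFromConfiguration(URI.create("protocol://test6.org"));
        assertHandshakeFailsWith(client, createSaslServer(), "ELY09001");
    }

    /** Same flow as the configuration-based cases, but the context is assembled in code. */
    @Test
    public void testResourceOwnerCredentialsUsingAPI() throws Exception {
        AuthenticationConfiguration configuration = AuthenticationConfiguration.empty()
                .useCredentials(OAuth2CredentialSource.builder(new URL(TOKEN_ENDPOINT_URL))
                        .clientCredentials(CLIENT_ID, CLIENT_SECRET)
                        .useResourceOwnerPassword("alice", OWNER_PASSWORD)
                        .build())
                .setSaslMechanismSelector(SaslMechanismSelector.NONE.addMechanism(MECHANISM));
        AuthenticationContext context = AuthenticationContext.empty()
                .with(MatchRule.ALL.matchHost(RESOURCE_SERVER_HOST), configuration);
        SaslClient client = createSaslClient(URI.create("http://" + RESOURCE_SERVER_HOST), context);
        assertHandshakeCompletes(client, createSaslServer());
    }

    /**
     * The credential source carries an unknown resource owner and bad client credentials, so the
     * mock endpoint answers 400 and the client must surface ELY05125.
     */
    @Test
    public void failedResourceOwnerCredentialsUsingAPI() throws Exception {
        AuthenticationConfiguration resourceServerRule = AuthenticationConfiguration.empty()
                .useCredentials(OAuth2CredentialSource.builder(new URL(TOKEN_ENDPOINT_URL))
                        .useResourceOwnerPassword("unknown", OWNER_PASSWORD)
                        .clientCredentials("bad", "bad")
                        .build())
                .setSaslMechanismSelector(SaslMechanismSelector.NONE.addMechanism(MECHANISM));
        // NOTE(review): "elytron_client" (underscore) is not CLIENT_ID; the mock endpoint only
        // inspects the form body, so this rule cannot rescue the request - presumably it is
        // meant to show that a matching rule for the token URL does not override bad client
        // credentials. Confirm the intent before touching it.
        AuthenticationConfiguration tokenEndpointRule = AuthenticationConfiguration.empty()
                .useName("elytron_client")
                .usePassword("dont_tell_me");
        AuthenticationContext context = AuthenticationContext.empty()
                .with(MatchRule.ALL.matchHost(RESOURCE_SERVER_HOST), resourceServerRule)
                .with(MatchRule.ALL.matchHost("localhost").matchPort(TOKEN_ENDPOINT_PORT).matchPath("/token"), tokenEndpointRule);
        SaslClient client = createSaslClient(URI.create("http://" + RESOURCE_SERVER_HOST), context);
        assertHandshakeFailsWith(client, createSaslServer(), "ELY05125");
    }

    /**
     * The resource-owner name and password come from a {@link CallbackHandler} bound to
     * {@code localhost} in an {@link AuthenticationContext} that is only active while the
     * exchange runs.
     */
    @Test
    public void testResourceOwnerCredentialsFromExternalCallback() throws Exception {
        SaslClient client = createSaslClientFromConfiguration(URI.create("protocol://test7.org"));
        SaslServer saslServer = createSaslServer();
        AuthenticationContext.empty()
                .with(MatchRule.ALL.matchHost("localhost"),
                        AuthenticationConfiguration.empty().useCallbackHandler(resourceOwnerCallbackHandler("alice", OWNER_PASSWORD)))
                .run(() -> {
                    try {
                        assertHandshakeCompletes(client, saslServer);
                    } catch (SaslException e) {
                        // run(Runnable) cannot propagate checked exceptions; keep the cause attached.
                        throw new RuntimeException(e);
                    }
                });
    }

    @Test
    public void failedResourceOwnerCredentialsFromExternalCallback() throws Exception {
        SaslClient client = createSaslClientFromConfiguration(URI.create("protocol://test7.org"));
        SaslServer saslServer = createSaslServer();
        AuthenticationContext.empty()
                .with(MatchRule.ALL.matchHost("localhost"),
                        AuthenticationConfiguration.empty().useCallbackHandler(resourceOwnerCallbackHandler("alice", "bad_password")))
                .run(() -> assertHandshakeFailsWith(client, saslServer, "ELY05125"));
    }

    /**
     * Builds a callback handler that answers {@link NameCallback} with {@code name} and
     * {@link PasswordCallback} with {@code password}; any other callback is reported as
     * unsupported, which is the documented contract of {@link CallbackHandler}.
     */
    private static CallbackHandler resourceOwnerCallbackHandler(String name, String password) {
        return callbacks -> {
            for (Callback callback : callbacks) {
                if (callback instanceof NameCallback) {
                    ((NameCallback) callback).setName(name);
                } else if (callback instanceof PasswordCallback) {
                    ((PasswordCallback) callback).setPassword(password.toCharArray());
                } else {
                    throw new UnsupportedCallbackException(callback, "Unexpected callback");
                }
            }
        };
    }

    /**
     * Runs the challenge/response loop: the client answers each server challenge until the
     * client has no response or the server has no further challenge.
     *
     * @throws SaslException propagated from either participant
     */
    private static void exchange(SaslClient client, SaslServer saslServer) throws SaslException {
        byte[] challenge = AbstractSaslParticipant.NO_BYTES;
        while (challenge != null) {
            byte[] response = client.evaluateChallenge(challenge);
            if (response == null) {
                return;
            }
            challenge = saslServer.evaluateResponse(response);
        }
    }

    /** Runs the exchange and requires both participants to report completion. */
    private static void assertHandshakeCompletes(SaslClient client, SaslServer saslServer) throws SaslException {
        exchange(client, saslServer);
        Assert.assertTrue("server did not complete the exchange", saslServer.isComplete());
        Assert.assertTrue("client did not complete the exchange", client.isComplete());
    }

    /**
     * Runs the exchange and requires it to abort with an exception whose cause chain mentions
     * {@code errorCode}. An exchange that completes, or fails with a different error, fails the
     * test; the original exception is attached to the assertion error instead of being printed.
     */
    private static void assertHandshakeFailsWith(SaslClient client, SaslServer saslServer, String errorCode) {
        try {
            exchange(client, saslServer);
        } catch (Exception e) {
            if (!causeChainMentions(e, errorCode)) {
                throw new AssertionError("Exchange failed, but not with " + errorCode + ": " + describeChain(e), e);
            }
            return;
        }
        Assert.fail("Expected bad response from server");
    }

    /** True if {@code t} or any exception in its cause chain has a message containing {@code errorCode}. */
    private static boolean causeChainMentions(Throwable t, String errorCode) {
        for (Throwable current = t; current != null; current = current.getCause()) {
            String message = current.getMessage();
            if (message != null && message.contains(errorCode)) {
                return true;
            }
        }
        return false;
    }

    /** Renders the cause chain of {@code t} as "Type: message -> Type: message ..." for assertion messages. */
    private static String describeChain(Throwable t) {
        StringBuilder text = new StringBuilder();
        for (Throwable current = t; current != null; current = current.getCause()) {
            if (text.length() > 0) {
                text.append(" -> ");
            }
            text.append(current.getClass().getName()).append(": ").append(current.getMessage());
        }
        return text.toString();
    }

    /** Decodes an OAUTHBEARER failure challenge (base64 of UTF-8 JSON) into its JSON text. */
    private static String decodeServerChallenge(byte[] challenge) {
        return ByteIterator.ofBytes(challenge).asUtf8String().base64Decode().asUtf8String().drainToString();
    }

    /** The OAUTHBEARER server every test authenticates against, backed by the JWT realm. */
    private static SaslServer createSaslServer() throws Exception {
        return new SaslServerBuilder(OAuth2SaslServerFactory.class, MECHANISM)
                .setServerName(SASL_SERVER_NAME)
                .setProtocol(SASL_PROTOCOL)
                .addRealm(REALM_NAME, createSecurityRealmMock())
                .setDefaultRealmName(REALM_NAME)
                .build();
    }

    /**
     * Realm that validates the bearer token as a JWT and takes the principal from its
     * {@code preferred_username} claim. The validator is built with defaults only; what it
     * verifies (signature, expiry) is not visible here.
     */
    private static SecurityRealm createSecurityRealmMock() throws MalformedURLException {
        return TokenSecurityRealm.builder()
                .validator(JwtValidator.builder().build())
                .principalClaimName("preferred_username")
                .build();
    }

    /**
     * Mock token endpoint. It inspects only the URL-encoded form body (never the HTTP headers)
     * and answers {@link #ACCESS_TOKEN} for an accepted password or client-credentials grant,
     * otherwise 400. Matching is deliberately loose substring matching, which is adequate for
     * a fixture but would not be for a real endpoint.
     */
    private static Dispatcher createTokenEndpoint() {
        return new Dispatcher() {
            @Override
            public MockResponse dispatch(RecordedRequest request) throws InterruptedException {
                String form = request.getBody().readUtf8();
                if (isAcceptedPasswordGrant(form) || isAcceptedClientCredentialsGrant(form)) {
                    return tokenResponse();
                }
                return new MockResponse().setResponseCode(400);
            }
        };
    }

    /** Password grant for alice or jdoe with the expected owner password and client credentials. */
    private static boolean isAcceptedPasswordGrant(String form) {
        return form.contains("grant_type=password")
                && hasClientCredentials(form)
                && (form.contains("username=alice") || form.contains("username=jdoe"))
                && form.contains("password=" + OWNER_PASSWORD);
    }

    /** Client-credentials grant with the expected client credentials and no username at all. */
    private static boolean isAcceptedClientCredentialsGrant(String form) {
        return form.contains("grant_type=client_credentials")
                && hasClientCredentials(form)
                && !form.contains("username=");
    }

    private static boolean hasClientCredentials(String form) {
        return form.contains("client_id=" + CLIENT_ID) && form.contains("client_secret=" + CLIENT_SECRET);
    }

    /** {@code {"access_token": ...}} body handed out for every accepted grant. */
    private static MockResponse tokenResponse() {
        JsonObjectBuilder body = Json.createObjectBuilder();
        body.add("access_token", ACCESS_TOKEN);
        return new MockResponse().setBody(body.build().toString());
    }

    /** Creates the client from the rule the XML configuration holds for {@code uri}. */
    private static SaslClient createSaslClientFromConfiguration(URI uri) throws SaslException {
        return createSaslClient(uri, AuthenticationContext.getContextManager().get());
    }

    /**
     * Resolves the configuration for {@code uri} in {@code context} and creates an OAUTHBEARER
     * client from it.
     *
     * @throws SaslException if the client cannot be created
     */
    private static SaslClient createSaslClient(URI uri, AuthenticationContext context) throws SaslException {
        AuthenticationContextConfigurationClient configurationClient =
                (AuthenticationContextConfigurationClient) AccessController.doPrivileged(AuthenticationContextConfigurationClient.ACTION);
        AuthenticationConfiguration configuration = configurationClient.getAuthenticationConfiguration(uri, context);
        SaslClient client = configurationClient.createSaslClient(uri, configuration, Arrays.asList(MECHANISM));
        Assert.assertNotNull("OAuth2SaslClient is null", client);
        return client;
    }
}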
