package org.wildfly.security.auth.client;

import jakarta.json.Json;
import jakarta.json.JsonObjectBuilder;
import java.io.IOException;
import java.net.URI;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.AccessController;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.Objects;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslServer;
import okhttp3.mockwebserver.Dispatcher;
import okhttp3.mockwebserver.MockResponse;
import okhttp3.mockwebserver.MockWebServer;
import okhttp3.mockwebserver.RecordedRequest;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;
import org.wildfly.security.auth.realm.token.TokenSecurityRealm;
import org.wildfly.security.auth.realm.token.validator.JwtValidator;
import org.wildfly.security.auth.server.SecurityRealm;
import org.wildfly.security.credential.source.OAuth2CredentialSource;
import org.wildfly.security.password.WildFlyElytronPasswordProvider;
import org.wildfly.security.sasl.SaslMechanismSelector;
import org.wildfly.security.sasl.oauth2.OAuth2SaslServerFactory;
import org.wildfly.security.sasl.oauth2.WildFlyElytronSaslOAuth2Provider;
import org.wildfly.security.sasl.plain.PlainSaslServerFactory;
import org.wildfly.security.sasl.plain.WildFlyElytronSaslPlainProvider;
import org.wildfly.security.sasl.test.SaslServerBuilder;
import org.wildfly.security.sasl.util.AbstractSaslParticipant;

/* loaded from: input_file:org/wildfly/security/auth/client/MaskedPasswordSaslAuthenticationTest.class */
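/**
 * Verifies that masked passwords, whether supplied through the XML client configuration
 * ({@value #CONFIG_FILE}) or through the programmatic {@link AuthenticationConfiguration} API,
 * are unmasked and used correctly in PLAIN and OAUTHBEARER SASL exchanges.
 *
 * <p>The OAuth2 cases talk to an in-process {@link MockWebServer} token endpoint bound to
 * {@link #TOKEN_ENDPOINT_PORT}. Every credential, secret and token in this class is a test
 * fixture with no value outside these tests.
 */
public class MaskedPasswordSaslAuthenticationTest {
    private static final String PLAIN = "PLAIN";
    private static final String OAUTHBEARER = "OAUTHBEARER";
    private static final String USERNAME = "Guest";
    private static final String PASSWORD = "gpwd";
    private static final String CONFIG_FILE = "wildfly-masked-password-sasl-config-v1_4.xml";

    /**
     * Fixed port for the mock token endpoint. The XML configuration is expected to point at the
     * same port (it is loaded from {@link #CONFIG_FILE}, not visible here), so it cannot simply be
     * made ephemeral; a clash with another listener shows up as a failure in {@link #registerProvider()}.
     */
    private static final int TOKEN_ENDPOINT_PORT = 50831;
    private static final String TOKEN_ENDPOINT_URL = "http://localhost:" + TOKEN_ENDPOINT_PORT + "/token";

    /**
     * Bearer token handed out by the mock endpoint for every successful grant. Its payload is a
     * fixed JWT with a {@code preferred_username} claim (matched by the realm built in
     * {@link #createSecurityRealmMock()}) and a fixed {@code exp} claim; if the realm's validator
     * enforces expiry, the OAuth2 tests become time-dependent (TODO confirm against JwtValidator).
     */
    private static final String ACCESS_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiaXNzIjoiYXV0aC5zZXJ2ZXIiLCJhdWQiOiJmb3JfbWUiLCJleHAiOjE3NjA5OTE2MzUsInByZWZlcnJlZF91c2VybmFtZSI6Impkb2UifQ.SoPW41_mOFnKXdkwVG63agWQ2k09dEnEtTBztnxHN64";

    /**
     * Expected PLAIN initial response: {@code [authzid] NUL authcid NUL passwd} (RFC 4616) with an
     * empty authorization id. Built from the constants so the NUL separators are explicit rather
     * than embedded as raw control characters in a literal.
     */
    private static final String EXPECTED_PLAIN_RESPONSE = "\0" + USERNAME + "\0" + PASSWORD;

    private static final MockWebServer server = new MockWebServer();
    private static final Provider[] providers = {
            WildFlyElytronSaslPlainProvider.getInstance(),
            WildFlyElytronSaslOAuth2Provider.getInstance(),
            WildFlyElytronPasswordProvider.getInstance()
    };

    /**
     * Registers the Elytron providers, starts the mock token endpoint and points the client
     * configuration at {@link #CONFIG_FILE}.
     *
     * @throws IOException if the mock server cannot bind {@link #TOKEN_ENDPOINT_PORT}
     */
    @BeforeClass
    public static void registerProvider() throws IOException {
        // Each insert at position 1 pushes the previous one down, so the last provider listed ends up first.
        for (Provider provider : providers) {
            Security.insertProviderAt(provider, 1);
        }
        server.setDispatcher(createTokenEndpoint());
        server.start(TOKEN_ENDPOINT_PORT);
        URL configUrl = Objects.requireNonNull(
                MaskedPasswordSaslAuthenticationTest.class.getResource(CONFIG_FILE),
                "test resource not found on classpath: " + CONFIG_FILE);
        System.setProperty("wildfly.config.url", configUrl.toExternalForm());
    }

    /**
     * Unregisters the providers added by {@link #registerProvider()} and stops the mock server.
     *
     * @throws IOException if the mock server fails to shut down
     */
    @AfterClass
    public static void removeProvider() throws IOException {
        for (Provider provider : providers) {
            Security.removeProvider(provider.getName());
        }
        server.shutdown();
    }

    /**
     * Builds a mock OAuth2 token endpoint. It issues {@link #ACCESS_TOKEN} for a resource-owner
     * password grant from {@code alice} or {@code jdoe}, or for a client-credentials grant that
     * carries no {@code username=} parameter; both require the {@code elytron-client} id and secret.
     * Anything else gets HTTP 400. Matching is done on substrings of the URL-encoded body, so this
     * is a fixture, not a conformant token server.
     */
    private static Dispatcher createTokenEndpoint() {
        return new Dispatcher() {
            @Override
            public MockResponse dispatch(RecordedRequest request) throws InterruptedException {
                String body = request.getBody().readUtf8();
                boolean clientAuthenticated = body.contains("client_id=elytron-client")
                        && body.contains("client_secret=dont_tell_me");
                boolean ownerAuthenticated = (body.contains("username=alice") || body.contains("username=jdoe"))
                        && body.contains("password=dont_tell_me");

                if (body.contains("grant_type=password") && clientAuthenticated && ownerAuthenticated) {
                    return tokenResponse();
                }
                if (body.contains("grant_type=client_credentials") && clientAuthenticated
                        && !body.contains("username=")) {
                    return tokenResponse();
                }
                return new MockResponse().setResponseCode(400);
            }
        };
    }

    /** Builds the JSON token response {@code {"access_token": ...}} returned for a successful grant. */
    private static MockResponse tokenResponse() {
        JsonObjectBuilder json = Json.createObjectBuilder();
        json.add("access_token", ACCESS_TOKEN);
        return new MockResponse().setBody(json.build().toString());
    }

    /**
     * Masked PLAIN password taken from the XML configuration must be unmasked into
     * {@value #PASSWORD} and accepted by the server.
     */
    @Test
    public void testSuccessfulExchangeWithXmlConfig() throws Exception {
        SaslServer saslServer = createPlainServer();
        // Re-registers the password provider in a privileged block; as far as this file shows it is
        // redundant with registerProvider(), and is kept to preserve the original behaviour.
        AccessController.doPrivileged(() -> {
            return Integer.valueOf(Security.insertProviderAt(WildFlyElytronPasswordProvider.getInstance(), 1));
        });
        AuthenticationContextConfigurationClient client =
                (AuthenticationContextConfigurationClient) AccessController.doPrivileged(AuthenticationContextConfigurationClient.ACTION);
        AuthenticationConfiguration configuration =
                (AuthenticationConfiguration) AuthenticationContext.getContextManager().get().authRules.configuration;
        SaslClient saslClient = client.createSaslClient(new URI(CONFIG_FILE), configuration, Arrays.asList(PLAIN));
        assertPlainExchange(saslClient, saslServer);
    }

    /**
     * Masked PLAIN password supplied through
     * {@link AuthenticationConfiguration#useMaskedPassword} must be unmasked into
     * {@value #PASSWORD} and accepted by the server.
     */
    @Test
    public void testSuccessfulExchangeWithProgrammaticConfig() throws Exception {
        SaslServer saslServer = createPlainServer();
        AuthenticationConfiguration maskedConfiguration = AuthenticationConfiguration.empty()
                .setSaslMechanismSelector(SaslMechanismSelector.NONE.addMechanism(PLAIN))
                .useName(USERNAME)
                // Test fixture: masked form of PASSWORD with the default algorithm, 100 iterations and salt "12345678".
                .useMaskedPassword("YFBlotObdCo=", (String) null, (String) null, 100, "12345678", (String) null);
        AuthenticationContext context = AuthenticationContext.empty()
                .with(MatchRule.ALL.matchHost("masked"), maskedConfiguration);
        AuthenticationContextConfigurationClient client =
                (AuthenticationContextConfigurationClient) AccessController.doPrivileged(AuthenticationContextConfigurationClient.ACTION);
        SaslClient saslClient = client.createSaslClient(
                URI.create("http://masked/"),
                (AuthenticationConfiguration) context.authRules.configuration,
                Arrays.asList(PLAIN));
        assertPlainExchange(saslClient, saslServer);
    }

    /**
     * OAUTHBEARER exchange where the masked OAuth2 client and resource-owner credentials come
     * from the XML configuration; the client must obtain a token from the mock endpoint and the
     * server must accept it.
     */
    @Test
    public void testSuccessfulOAuth2ExchangeWithXmlConfig() throws Exception {
        URI target = URI.create("protocol://oauth2/");
        SaslServer saslServer = createOAuth2Server();
        AuthenticationContext context = AuthenticationContext.getContextManager().get();
        AuthenticationContextConfigurationClient client =
                (AuthenticationContextConfigurationClient) AccessController.doPrivileged(AuthenticationContextConfigurationClient.ACTION);
        SaslClient saslClient = client.createSaslClient(
                target, client.getAuthenticationConfiguration(target, context), Arrays.asList(OAUTHBEARER));
        Assert.assertNotNull("OAuth2SaslClient is null", saslClient);
        completeExchange(saslClient, saslServer);
        Assert.assertTrue(saslServer.isComplete());
        Assert.assertTrue(saslClient.isComplete());
    }

    /**
     * OAUTHBEARER exchange where the masked OAuth2 client secret and resource-owner password are
     * supplied programmatically through {@link OAuth2CredentialSource}.
     */
    @Test
    public void testSuccessfulOAuth2ExchangeWithProgrammaticConfig() throws Exception {
        URI target = URI.create("http://resourceserver.com");
        // Test fixtures: both masked values unmask to "dont_tell_me", which is what the mock endpoint checks for.
        OAuth2CredentialSource credentialSource = OAuth2CredentialSource.builder(new URL(TOKEN_ENDPOINT_URL))
                .maskedClientCredentials("elytron-client", "FMkAWSbPn9SCEejW71SvLA==", "masked-MD5-DES",
                        "somearbitrarycrazystringthatdoesnotmatter", 100, "12345678", (String) null)
                .useResourceOwnerMaskedPassword("alice", "FMkAWSbPn9SCEejW71SvLA==", (String) null, (String) null,
                        100, "12345678", (String) null)
                .build();
        AuthenticationConfiguration oauthConfiguration = AuthenticationConfiguration.empty()
                .useCredentials(credentialSource)
                .setSaslMechanismSelector(SaslMechanismSelector.NONE.addMechanism(OAUTHBEARER));
        AuthenticationContext context = AuthenticationContext.empty()
                .with(MatchRule.ALL.matchHost("resourceserver.com"), oauthConfiguration);
        AuthenticationContextConfigurationClient client =
                (AuthenticationContextConfigurationClient) AccessController.doPrivileged(AuthenticationContextConfigurationClient.ACTION);
        SaslClient saslClient = client.createSaslClient(
                target, client.getAuthenticationConfiguration(target, context), Arrays.asList(OAUTHBEARER));
        SaslServer saslServer = createOAuth2Server();
        completeExchange(saslClient, saslServer);
        Assert.assertTrue(saslServer.isComplete());
        Assert.assertTrue(saslClient.isComplete());
    }

    /** PLAIN server that accepts exactly {@value #USERNAME} / {@value #PASSWORD}. */
    private static SaslServer createPlainServer() throws Exception {
        return new SaslServerBuilder(PlainSaslServerFactory.class, PLAIN)
                .setUserName(USERNAME)
                .setPassword(PASSWORD.toCharArray())
                .build();
    }

    /** OAUTHBEARER server backed by the token realm from {@link #createSecurityRealmMock()}. */
    private static SaslServer createOAuth2Server() throws Exception {
        return new SaslServerBuilder(OAuth2SaslServerFactory.class, OAUTHBEARER)
                // NOTE(review): the server name deliberately kept as in the original ("comn", not "com");
                // the exchange does not appear to depend on it, but confirm before changing.
                .setServerName("resourceserver.comn")
                .setProtocol("imap")
                .addRealm("oauth-realm", createSecurityRealmMock())
                .setDefaultRealmName("oauth-realm")
                .build();
    }

    /**
     * Drives a single-round PLAIN exchange and checks the initial response carries the unmasked
     * password in the RFC 4616 {@code NUL authcid NUL passwd} layout.
     */
    private static void assertPlainExchange(SaslClient saslClient, SaslServer saslServer) throws Exception {
        Assert.assertTrue(saslClient.hasInitialResponse());
        byte[] initialResponse = saslClient.evaluateChallenge(new byte[0]);
        Assert.assertEquals(EXPECTED_PLAIN_RESPONSE, new String(initialResponse, StandardCharsets.UTF_8));
        saslServer.evaluateResponse(initialResponse);
        Assert.assertTrue(saslServer.isComplete());
        Assert.assertTrue(saslClient.isComplete());
        Assert.assertEquals(USERNAME, saslServer.getAuthorizationID());
    }

    /**
     * Runs client and server against each other until either side returns {@code null}, which
     * both SASL participants use to signal that they have nothing more to send.
     */
    private static void completeExchange(SaslClient saslClient, SaslServer saslServer) throws Exception {
        byte[] challenge = AbstractSaslParticipant.NO_BYTES;
        while (true) {
            byte[] response = saslClient.evaluateChallenge(challenge);
            if (response == null) {
                break;
            }
            challenge = saslServer.evaluateResponse(response);
            if (challenge == null) {
                break;
            }
        }
    }

    /**
     * Token realm that maps the JWT's {@code preferred_username} claim to the principal. The
     * validator is built with defaults; what it verifies about the token is not visible here.
     */
    private static SecurityRealm createSecurityRealmMock() {
        return TokenSecurityRealm.builder()
                .validator(JwtValidator.builder().build())
                .principalClaimName("preferred_username")
                .build();
    }
}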
