package au.csiro.pathling.terminology;

import au.csiro.pathling.config.TerminologyAuthConfiguration;
import au.csiro.pathling.fhir.ClientAuthInterceptor;
import au.csiro.pathling.fhir.ClientCredentialsResponse;
import au.csiro.pathling.fhir.TerminologyClient;
import au.csiro.pathling.fhirpath.encoding.SimpleCoding;
import au.csiro.pathling.test.TestResources;
import au.csiro.pathling.test.helpers.TerminologyHelpers;
import ca.uhn.fhir.context.FhirContext;
import ca.uhn.fhir.rest.server.exceptions.InternalErrorException;
import com.github.tomakehurst.wiremock.WireMockServer;
import com.github.tomakehurst.wiremock.client.WireMock;
import com.github.tomakehurst.wiremock.core.WireMockConfiguration;
import com.github.tomakehurst.wiremock.stubbing.StubMapping;
import com.google.gson.FieldNamingPolicy;
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.UUID;
import javax.annotation.Nonnull;
import org.apache.http.client.ClientProtocolException;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:au/csiro/pathling/terminology/TerminologyAuthenticationTest.class */
public class TerminologyAuthenticationTest {
    private static final Logger log = LoggerFactory.getLogger(TerminologyAuthenticationTest.class);
    public static final int WIREMOCK_PORT = 4072;
    WireMockServer wireMockServer;
    TerminologyService terminologyService;
    Gson gson;
    StubMapping codeSystemSearchStub;
    StubMapping expandStub;
    StubMapping clientCredentialsStub;
    String clientCredentialsResponse;
    Set<SimpleCoding> codings;
    FhirContext fhirContext;

    @BeforeEach
    void setUp() {
        this.wireMockServer = new WireMockServer(new WireMockConfiguration().port(WIREMOCK_PORT));
        WireMock.configureFor("localhost", WIREMOCK_PORT);
        log.info("Starting WireMock server");
        this.wireMockServer.start();
        TerminologyAuthConfiguration terminologyAuthConfiguration = new TerminologyAuthConfiguration();
        terminologyAuthConfiguration.setEnabled(true);
        terminologyAuthConfiguration.setTokenEndpoint("http://localhost:4072/auth/realms/aehrc/protocol/openid-connect/token");
        terminologyAuthConfiguration.setClientId("some-client-id");
        terminologyAuthConfiguration.setClientSecret("some-client-secret");
        terminologyAuthConfiguration.setScope("openid");
        terminologyAuthConfiguration.setTokenExpiryTolerance(120L);
        this.fhirContext = FhirContext.forR4();
        this.terminologyService = new DefaultTerminologyService(this.fhirContext, TerminologyClient.build(this.fhirContext, "http://localhost:4072/fhir", 60000, true, terminologyAuthConfiguration, log), UUID::randomUUID);
        this.gson = new GsonBuilder().setFieldNamingPolicy(FieldNamingPolicy.LOWER_CASE_WITH_UNDERSCORES).create();
        this.codeSystemSearchStub = WireMock.stubFor(WireMock.get(WireMock.urlMatching("/fhir/CodeSystem.*")).willReturn(WireMock.aResponse().withHeader("Content-Type", new String[]{"application/fhir+json"}).withBody(TestResources.getResourceAsString("txResponses/TerminologyAuthenticationTest/codeSystemSearch.Bundle.json"))));
        this.expandStub = WireMock.stubFor(WireMock.post(WireMock.urlMatching("/fhir/ValueSet.*")).willReturn(WireMock.aResponse().withHeader("Content-Type", new String[]{"application/fhir+json"}).withBody(TestResources.getResourceAsString("txResponses/TerminologyAuthenticationTest/intersect.ValueSet.json"))));
        this.clientCredentialsResponse = this.gson.toJson(new ClientCredentialsResponse("some-access-token", (String) null, 3600, "some-refresh-token", (String) null));
        this.clientCredentialsStub = WireMock.stubFor(WireMock.post(WireMock.urlMatching("/auth/realms/aehrc/protocol/openid-connect/token.*")).willReturn(WireMock.aResponse().withHeader("Content-Type", new String[]{"application/json"}).withBody(this.clientCredentialsResponse)));
        this.codings = new HashSet(List.of(new SimpleCoding(TerminologyHelpers.SNOMED_URI, "48429009")));
    }

    @AfterEach
    void tearDown() {
        log.info("Stopping WireMock server");
        this.wireMockServer.stop();
        ClientAuthInterceptor.clearAccessContexts();
    }

    @Nonnull
    private Set<SimpleCoding> sendRequest() {
        return this.terminologyService.intersect("http://snomed.info/sct?fhir_vs", this.codings);
    }

    @Test
    void intersect() {
        Assertions.assertEquals(this.codings, sendRequest());
        WireMock.verify(1, WireMock.postRequestedFor(WireMock.urlMatching("/auth/realms/aehrc/protocol/openid-connect/token.*")).withHeader("Content-Type", WireMock.equalTo("application/x-www-form-urlencoded")).withHeader("Accept", WireMock.equalTo("application/json")).withRequestBody(WireMock.equalTo("grant_type=client_credentials&client_id=some-client-id&client_secret=some-client-secret&scope=openid")));
        WireMock.verify(1, WireMock.getRequestedFor(WireMock.urlMatching("/fhir/CodeSystem.*")).withHeader("Authorization", WireMock.equalTo("Bearer some-access-token")));
        WireMock.verify(1, WireMock.postRequestedFor(WireMock.urlMatching("/fhir/ValueSet.*")).withHeader("Authorization", WireMock.equalTo("Bearer some-access-token")));
    }

    @Test
    void withoutScope() {
        TerminologyAuthConfiguration terminologyAuthConfiguration = new TerminologyAuthConfiguration();
        terminologyAuthConfiguration.setEnabled(true);
        terminologyAuthConfiguration.setTokenEndpoint("http://localhost:4072/auth/realms/aehrc/protocol/openid-connect/token");
        terminologyAuthConfiguration.setClientId("some-client-id");
        terminologyAuthConfiguration.setClientSecret("some-client-secret");
        terminologyAuthConfiguration.setTokenExpiryTolerance(120L);
        this.terminologyService = new DefaultTerminologyService(this.fhirContext, TerminologyClient.build(this.fhirContext, "http://localhost:4072/fhir", 60000, false, terminologyAuthConfiguration, log), UUID::randomUUID);
        sendRequest();
        WireMock.verify(1, WireMock.postRequestedFor(WireMock.urlMatching("/auth/realms/aehrc/protocol/openid-connect/token.*")).withHeader("Content-Type", WireMock.equalTo("application/x-www-form-urlencoded")).withHeader("Accept", WireMock.equalTo("application/json")).withRequestBody(WireMock.equalTo("grant_type=client_credentials&client_id=some-client-id&client_secret=some-client-secret")));
    }

    @Test
    void expired() throws InterruptedException {
        TerminologyAuthConfiguration terminologyAuthConfiguration = new TerminologyAuthConfiguration();
        terminologyAuthConfiguration.setEnabled(true);
        terminologyAuthConfiguration.setTokenEndpoint("http://localhost:4072/auth/realms/aehrc/protocol/openid-connect/token");
        terminologyAuthConfiguration.setClientId("some-client-id");
        terminologyAuthConfiguration.setClientSecret("some-client-secret");
        terminologyAuthConfiguration.setScope("openid");
        terminologyAuthConfiguration.setTokenExpiryTolerance(1L);
        this.fhirContext = FhirContext.forR4();
        this.terminologyService = new DefaultTerminologyService(this.fhirContext, TerminologyClient.build(this.fhirContext, "http://localhost:4072/fhir", 60000, false, terminologyAuthConfiguration, log), UUID::randomUUID);
        WireMock.editStub(WireMock.post(WireMock.urlMatching("/auth/realms/aehrc/protocol/openid-connect/token.*")).withId(this.clientCredentialsStub.getId()).willReturn(WireMock.aResponse().withHeader("Content-Type", new String[]{"application/json"}).withBody(this.gson.toJson(new ClientCredentialsResponse("some-access-token", (String) null, 2, "some-refresh-token", (String) null)))));
        sendRequest();
        Thread.sleep(1000L);
        sendRequest();
        WireMock.verify(2, WireMock.postRequestedFor(WireMock.urlMatching("/auth/realms/aehrc/protocol/openid-connect/token.*")).withHeader("Content-Type", WireMock.equalTo("application/x-www-form-urlencoded")).withHeader("Accept", WireMock.equalTo("application/json")).withRequestBody(WireMock.equalTo("grant_type=client_credentials&client_id=some-client-id&client_secret=some-client-secret&scope=openid")));
    }

    @Test
    void noContentTypeHeader() {
        WireMock.editStub(WireMock.post(WireMock.urlMatching("/auth/realms/aehrc/protocol/openid-connect/token.*")).withId(this.clientCredentialsStub.getId()).willReturn(WireMock.aResponse().withBody(this.clientCredentialsResponse)));
        InternalErrorException assertThrows = Assertions.assertThrows(InternalErrorException.class, this::sendRequest);
        Assertions.assertNotNull(assertThrows.getCause());
        Assertions.assertEquals(ClientProtocolException.class, assertThrows.getCause().getClass());
        Assertions.assertEquals("Client credentials response contains no Content-Type header", assertThrows.getCause().getMessage());
    }

    @Test
    void nonJsonContentType() {
        WireMock.editStub(WireMock.post(WireMock.urlMatching("/auth/realms/aehrc/protocol/openid-connect/token.*")).withId(this.clientCredentialsStub.getId()).willReturn(WireMock.aResponse().withHeader("Content-Type", new String[]{"text/plain"}).withBody(this.clientCredentialsResponse)));
        InternalErrorException assertThrows = Assertions.assertThrows(InternalErrorException.class, this::sendRequest);
        Assertions.assertNotNull(assertThrows.getCause());
        Assertions.assertEquals(ClientProtocolException.class, assertThrows.getCause().getClass());
        Assertions.assertEquals("Invalid response from token endpoint: content type is not application/json", assertThrows.getCause().getMessage());
    }

    @Test
    void missingAccessToken() {
        WireMock.editStub(WireMock.post(WireMock.urlMatching("/auth/realms/aehrc/protocol/openid-connect/token.*")).withId(this.clientCredentialsStub.getId()).willReturn(WireMock.aResponse().withHeader("Content-Type", new String[]{"application/json"}).withBody(this.gson.toJson(new ClientCredentialsResponse((String) null, (String) null, 3600, "some-refresh-token", (String) null)))));
        InternalErrorException assertThrows = Assertions.assertThrows(InternalErrorException.class, this::sendRequest);
        Assertions.assertNotNull(assertThrows.getCause());
        Assertions.assertEquals(ClientProtocolException.class, assertThrows.getCause().getClass());
        Assertions.assertEquals("Client credentials grant does not contain access token", assertThrows.getCause().getMessage());
    }

    @Test
    void expiryLessThanTolerance() {
        WireMock.editStub(WireMock.post(WireMock.urlMatching("/auth/realms/aehrc/protocol/openid-connect/token.*")).withId(this.clientCredentialsStub.getId()).willReturn(WireMock.aResponse().withHeader("Content-Type", new String[]{"application/json"}).withBody(this.gson.toJson(new ClientCredentialsResponse("some-access-token", (String) null, 1, "some-refresh-token", (String) null)))));
        InternalErrorException assertThrows = Assertions.assertThrows(InternalErrorException.class, this::sendRequest);
        Assertions.assertNotNull(assertThrows.getCause());
        Assertions.assertEquals(ClientProtocolException.class, assertThrows.getCause().getClass());
        Assertions.assertEquals("Client credentials grant expiry is less than the tolerance: 1", assertThrows.getCause().getMessage());
    }
}
