package org.apache.nifi.web.security.saml2.registration;

import java.net.URL;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Objects;
import java.util.Properties;
import javax.security.auth.x500.X500Principal;
import org.apache.nifi.security.util.TemporaryKeyStoreBuilder;
import org.apache.nifi.security.util.TlsConfiguration;
import org.apache.nifi.util.NiFiProperties;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;

/* loaded from: input_file:org/apache/nifi/web/security/saml2/registration/StandardRelyingPartyRegistrationRepositoryTest.class */
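/**
 * Verifies the SAML 2 relying party registration that
 * {@link StandardRelyingPartyRegistrationRepository} builds from {@link NiFiProperties}.
 *
 * <p>Two configurations are covered: a minimal one (IdP metadata URL and SP entity ID only) and one
 * with Single Logout enabled, an explicit signature algorithm, and key store / trust store settings
 * taken from a temporary {@link TlsConfiguration} generated for the test run.
 */
class StandardRelyingPartyRegistrationRepositoryTest {
    /** Classpath location of the IdP metadata fixture handed to the repository as a URL. */
    private static final String METADATA_PATH = "/saml/sso-circle-meta.xml";

    /** Service provider entity ID configured for every test. */
    private static final String ENTITY_ID = "nifi";

    /** Subject (and issuer) the tests expect on the certificate produced by the temporary key store. */
    private static final X500Principal CERTIFICATE_PRINCIPAL = new X500Principal("CN=localhost");

    /** Signature algorithm asserted when no algorithm property is configured. */
    private static final String RSA_SHA256_ALGORITHM = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    /** Signature algorithm set explicitly in the Single Logout configuration. */
    private static final String RSA_SHA512_ALGORITHM = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512";

    /**
     * With only the metadata URL and entity ID configured, the registration must expose no Single
     * Logout endpoints and no signing credentials.
     */
    @Test
    void testFindByRegistrationId() {
        final StandardRelyingPartyRegistrationRepository repository =
                new StandardRelyingPartyRegistrationRepository(getProperties());
        final RelyingPartyRegistration registration =
                repository.findByRegistrationId(Saml2RegistrationProperty.REGISTRATION_ID.getProperty());

        assertRegistrationPropertiesFound(registration);

        // Single Logout is not enabled in these properties, so neither endpoint may be advertised.
        Assertions.assertNull(registration.getSingleLogoutServiceLocation());
        Assertions.assertNull(registration.getSingleLogoutServiceResponseLocation());

        final RelyingPartyRegistration.AssertingPartyDetails assertingPartyDetails = registration.getAssertingPartyDetails();
        // NOTE(review): presumably this flag comes from the IdP metadata fixture - confirm against the XML.
        Assertions.assertFalse(assertingPartyDetails.getWantAuthnRequestsSigned());
        // No signature algorithm property is set in getStandardProperties(), so this pins the value
        // the repository uses when nothing is configured.
        Assertions.assertTrue(assertingPartyDetails.getSigningAlgorithms().contains(RSA_SHA256_ALGORITHM));

        // No key store is configured here, so the registration must not carry signing credentials.
        Assertions.assertTrue(registration.getSigningX509Credentials().isEmpty());
    }

    /**
     * With Single Logout enabled and key store / trust store properties present, the registration must
     * expose the logout endpoints, the configured signature algorithm, and both signing and
     * encryption credentials.
     */
    @Test
    void testFindByRegistrationIdSingleLogoutEnabled() {
        // Throwaway key material generated for this test; no fixed keys or passwords live in the test.
        final TlsConfiguration tlsConfiguration = new TemporaryKeyStoreBuilder().build();
        final StandardRelyingPartyRegistrationRepository repository =
                new StandardRelyingPartyRegistrationRepository(getSingleLogoutProperties(tlsConfiguration));
        final RelyingPartyRegistration registration =
                repository.findByRegistrationId(Saml2RegistrationProperty.REGISTRATION_ID.getProperty());

        assertRegistrationPropertiesFound(registration);

        // Both the request and the response location are expected to match the same repository constant.
        Assertions.assertEquals(
                StandardRelyingPartyRegistrationRepository.SINGLE_LOGOUT_RESPONSE_SERVICE_LOCATION,
                registration.getSingleLogoutServiceLocation());
        Assertions.assertEquals(
                StandardRelyingPartyRegistrationRepository.SINGLE_LOGOUT_RESPONSE_SERVICE_LOCATION,
                registration.getSingleLogoutServiceResponseLocation());

        final RelyingPartyRegistration.AssertingPartyDetails assertingPartyDetails = registration.getAssertingPartyDetails();
        Assertions.assertFalse(assertingPartyDetails.getWantAuthnRequestsSigned());
        // The explicitly configured algorithm must be reflected in the registration.
        Assertions.assertTrue(assertingPartyDetails.getSigningAlgorithms().contains(RSA_SHA512_ALGORITHM));

        assertSigningCredentialsFound(registration);
        assertEncryptionCredentialsFound(assertingPartyDetails);
    }

    /**
     * Asserts that the registration carries at least one signing credential and that the first one
     * holds a certificate whose subject and issuer are both {@code CN=localhost}.
     *
     * @param relyingPartyRegistration registration under test
     */
    private void assertSigningCredentialsFound(final RelyingPartyRegistration relyingPartyRegistration) {
        // Typed collection instead of a raw Collection: no unchecked cast is needed to reach the credential.
        final Collection<Saml2X509Credential> signingCredentials = relyingPartyRegistration.getSigningX509Credentials();
        Assertions.assertFalse(signingCredentials.isEmpty());

        final X509Certificate certificate = signingCredentials.iterator().next().getCertificate();
        Assertions.assertEquals(CERTIFICATE_PRINCIPAL, certificate.getSubjectX500Principal());
        // Issuer equal to subject: the temporary certificate is expected to be self-issued.
        Assertions.assertEquals(CERTIFICATE_PRINCIPAL, certificate.getIssuerX500Principal());
    }

    /**
     * Asserts that the asserting party details contain an encryption credential whose certificate
     * subject is {@code CN=localhost}.
     *
     * @param assertingPartyDetails asserting party details of the registration under test
     */
    private void assertEncryptionCredentialsFound(final RelyingPartyRegistration.AssertingPartyDetails assertingPartyDetails) {
        // A raw Collection would type the lambda parameter as Object, so getCertificate() would not
        // resolve; the element type is declared explicitly.
        final Collection<Saml2X509Credential> encryptionCredentials = assertingPartyDetails.getEncryptionX509Credentials();
        Assertions.assertFalse(encryptionCredentials.isEmpty());

        final boolean trustStoreCredentialFound = encryptionCredentials.stream()
                .anyMatch(credential -> CERTIFICATE_PRINCIPAL.equals(credential.getCertificate().getSubjectX500Principal()));
        Assertions.assertTrue(trustStoreCredentialFound, "Trust Store certificate credential not found");
    }

    /**
     * Asserts the settings every registration must have regardless of Single Logout: registration ID,
     * entity ID and the assertion consumer service location.
     *
     * @param relyingPartyRegistration registration under test
     */
    private void assertRegistrationPropertiesFound(final RelyingPartyRegistration relyingPartyRegistration) {
        Assertions.assertNotNull(relyingPartyRegistration);
        Assertions.assertEquals(
                Saml2RegistrationProperty.REGISTRATION_ID.getProperty(),
                relyingPartyRegistration.getRegistrationId());
        Assertions.assertEquals(ENTITY_ID, relyingPartyRegistration.getEntityId());
        Assertions.assertEquals(
                StandardRelyingPartyRegistrationRepository.LOGIN_RESPONSE_LOCATION,
                relyingPartyRegistration.getAssertionConsumerServiceLocation());
    }

    /**
     * Builds the minimal configuration: IdP metadata URL and SP entity ID only.
     *
     * @return properties without Single Logout or key store settings
     */
    private NiFiProperties getProperties() {
        return NiFiProperties.createBasicNiFiProperties((String) null, getStandardProperties());
    }

    /**
     * Builds the Single Logout configuration on top of the minimal one.
     *
     * @param tlsConfiguration source of the key store and trust store paths, types and passwords
     * @return properties with Single Logout enabled, RSA-SHA512 signatures and TLS stores configured
     */
    private NiFiProperties getSingleLogoutProperties(final TlsConfiguration tlsConfiguration) {
        final Properties properties = getStandardProperties();
        properties.setProperty("nifi.security.user.saml.single.logout.enabled", Boolean.TRUE.toString());
        properties.setProperty("nifi.security.user.saml.signature.algorithm", RSA_SHA512_ALGORITHM);

        // Key store settings (the signing-credential assertions depend on these being present).
        properties.setProperty("nifi.security.keystore", tlsConfiguration.getKeystorePath());
        properties.setProperty("nifi.security.keystoreType", tlsConfiguration.getKeystoreType().getType());
        properties.setProperty("nifi.security.keystorePasswd", tlsConfiguration.getKeystorePassword());
        properties.setProperty("nifi.security.keyPasswd", tlsConfiguration.getKeyPassword());

        // Trust store settings (the encryption-credential assertion looks for its certificate).
        properties.setProperty("nifi.security.truststore", tlsConfiguration.getTruststorePath());
        properties.setProperty("nifi.security.truststoreType", tlsConfiguration.getTruststoreType().getType());
        properties.setProperty("nifi.security.truststorePasswd", tlsConfiguration.getTruststorePassword());

        return NiFiProperties.createBasicNiFiProperties((String) null, properties);
    }

    /**
     * Creates the properties shared by both configurations.
     *
     * @return mutable properties holding the IdP metadata URL and the SP entity ID
     */
    private Properties getStandardProperties() {
        final Properties properties = new Properties();
        properties.setProperty("nifi.security.user.saml.idp.metadata.url", getFileMetadataUrl());
        properties.setProperty("nifi.security.user.saml.sp.entity.id", ENTITY_ID);
        return properties;
    }

    /**
     * Resolves the metadata fixture on the classpath.
     *
     * @return string form of the fixture URL
     * @throws NullPointerException if the fixture is missing from the test classpath
     */
    private String getFileMetadataUrl() {
        // Fail with a readable message rather than a bare NPE when the fixture is not packaged.
        final URL metadataUrl = Objects.requireNonNull(
                getClass().getResource(METADATA_PATH),
                "SAML metadata resource not found: " + METADATA_PATH);
        return metadataUrl.toString();
    }
}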
