package org.apache.nifi.web.security.oidc.client.web;

import java.io.IOException;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Collections;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.apache.nifi.authorization.user.NiFiUserDetails;
import org.apache.nifi.authorization.user.StandardNiFiUser;
import org.apache.nifi.web.security.cookie.ApplicationCookieName;
import org.apache.nifi.web.security.jwt.provider.BearerTokenProvider;
import org.apache.nifi.web.security.token.LoginAuthenticationToken;
import org.apache.nifi.web.security.token.NiFiAuthenticationToken;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.ArgumentCaptor;
import org.mockito.ArgumentMatchers;
import org.mockito.Captor;
import org.mockito.Mock;
import org.mockito.Mockito;
import org.mockito.junit.jupiter.MockitoExtension;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.oauth2.client.endpoint.AbstractOAuth2AuthorizationGrantRequest;
import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2RefreshTokenGrantRequest;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;

@ExtendWith({MockitoExtension.class})
/* loaded from: input_file:org/apache/nifi/web/security/oidc/client/web/OidcBearerTokenRefreshFilterTest.class */
class OidcBearerTokenRefreshFilterTest {
    private static final String CLIENT_ID = "client-id";
    private static final String REDIRECT_URI = "http://localhost:8080";
    private static final String AUTHORIZATION_URI = "http://localhost/authorize";
    private static final String TOKEN_URI = "http://localhost/token";
    private static final String SUB_CLAIM = "sub";
    private static final String IDENTITY = "user-identity";
    private static final String CURRENT_USER_URI = "/flow/current-user";
    private static final String BEARER_TOKEN = "bearer-token";
    private static final String BEARER_TOKEN_REFRESHED = "bearer-token-refreshed";
    private static final String ACCESS_TOKEN = "access-token";
    private static final String REFRESH_TOKEN = "refresh-token";
    private static final String ID_TOKEN = "id-token";
    private static final String EXP_CLAIM = "exp";
    private static final int INSTANT_OFFSET = 1;

    @Mock
    BearerTokenProvider bearerTokenProvider;

    @Mock
    BearerTokenResolver bearerTokenResolver;

    @Mock
    JwtDecoder jwtDecoder;

    @Mock
    OAuth2AuthorizedClientRepository authorizedClientRepository;

    @Mock
    OAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> refreshTokenResponseClient;

    @Mock
    OidcAuthorizedClient authorizedClient;

    @Captor
    ArgumentCaptor<LoginAuthenticationToken> tokenArgumentCaptor;
    MockHttpServletRequest request;
    MockHttpServletResponse response;
    MockFilterChain filterChain;
    OidcBearerTokenRefreshFilter filter;
    private static final Duration REFRESH_WINDOW = Duration.ZERO;
    private static final String PROVIDER_GROUP = "Authorized";
    private static final Set<String> PROVIDER_GROUPS = Collections.singleton(PROVIDER_GROUP);

    OidcBearerTokenRefreshFilterTest() {
    }

    @BeforeEach
    void setFilter() {
        this.filter = new OidcBearerTokenRefreshFilter(REFRESH_WINDOW, this.bearerTokenProvider, this.bearerTokenResolver, this.jwtDecoder, this.authorizedClientRepository, this.refreshTokenResponseClient);
        this.request = new MockHttpServletRequest();
        this.response = new MockHttpServletResponse();
        this.filterChain = new MockFilterChain();
    }

    @AfterEach
    void clearContext() {
        SecurityContextHolder.clearContext();
    }

    @Test
    void testDoFilterPathNotMatched() throws ServletException, IOException {
        this.filter.doFilter(this.request, this.response, this.filterChain);
        Mockito.verifyNoInteractions(new Object[]{this.bearerTokenResolver});
    }

    @Test
    void testDoFilterBearerTokenNotFound() throws ServletException, IOException {
        this.request.setServletPath(CURRENT_USER_URI);
        this.filter.doFilter(this.request, this.response, this.filterChain);
        ((BearerTokenResolver) Mockito.verify(this.bearerTokenResolver)).resolve((HttpServletRequest) ArgumentMatchers.eq(this.request));
    }

    @Test
    void testDoFilterBearerTokenFoundRefreshNotRequired() throws ServletException, IOException {
        this.request.setServletPath(CURRENT_USER_URI);
        Mockito.when(this.bearerTokenResolver.resolve((HttpServletRequest) ArgumentMatchers.eq(this.request))).thenReturn(BEARER_TOKEN);
        Mockito.when(this.jwtDecoder.decode((String) ArgumentMatchers.eq(BEARER_TOKEN))).thenReturn(getJwt(Instant.MAX));
        this.filter.doFilter(this.request, this.response, this.filterChain);
        Mockito.verifyNoInteractions(new Object[]{this.authorizedClientRepository});
    }

    @Test
    void testDoFilterRefreshRequiredClientNotFound() throws ServletException, IOException {
        this.request.setServletPath(CURRENT_USER_URI);
        Mockito.when(this.bearerTokenResolver.resolve((HttpServletRequest) ArgumentMatchers.eq(this.request))).thenReturn(BEARER_TOKEN);
        Mockito.when(this.jwtDecoder.decode((String) ArgumentMatchers.eq(BEARER_TOKEN))).thenReturn(getJwt(Instant.now().minusSeconds(1L)));
        Mockito.when(this.authorizedClientRepository.loadAuthorizedClient((String) ArgumentMatchers.eq(OidcRegistrationProperty.REGISTRATION_ID.getProperty()), (Authentication) ArgumentMatchers.any(), (HttpServletRequest) ArgumentMatchers.eq(this.request))).thenReturn((Object) null);
        this.filter.doFilter(this.request, this.response, this.filterChain);
        Assertions.assertNull(this.response.getCookie(ApplicationCookieName.AUTHORIZATION_BEARER.getCookieName()));
    }

    @Test
    void testDoFilterRefreshRequiredRefreshTokenNotFound() throws ServletException, IOException {
        this.request.setServletPath(CURRENT_USER_URI);
        Mockito.when(this.bearerTokenResolver.resolve((HttpServletRequest) ArgumentMatchers.eq(this.request))).thenReturn(BEARER_TOKEN);
        Mockito.when(this.jwtDecoder.decode((String) ArgumentMatchers.eq(BEARER_TOKEN))).thenReturn(getJwt(Instant.now().minusSeconds(1L)));
        Mockito.when(this.authorizedClientRepository.loadAuthorizedClient((String) ArgumentMatchers.eq(OidcRegistrationProperty.REGISTRATION_ID.getProperty()), (Authentication) ArgumentMatchers.any(), (HttpServletRequest) ArgumentMatchers.eq(this.request))).thenReturn(this.authorizedClient);
        this.filter.doFilter(this.request, this.response, this.filterChain);
        Assertions.assertNull(this.response.getCookie(ApplicationCookieName.AUTHORIZATION_BEARER.getCookieName()));
    }

    @Test
    void testDoFilterBearerTokenTokenRefreshed() throws ServletException, IOException {
        SecurityContextHolder.setContext(new SecurityContextImpl(new NiFiAuthenticationToken(new NiFiUserDetails(new StandardNiFiUser.Builder().identity(IDENTITY).identityProviderGroups(PROVIDER_GROUPS).build()))));
        this.request.setServletPath(CURRENT_USER_URI);
        Mockito.when(this.bearerTokenResolver.resolve((HttpServletRequest) ArgumentMatchers.eq(this.request))).thenReturn(BEARER_TOKEN);
        Instant minusSeconds = Instant.now().minusSeconds(1L);
        Mockito.when(this.jwtDecoder.decode((String) ArgumentMatchers.eq(BEARER_TOKEN))).thenReturn(getJwt(minusSeconds));
        Instant minus = minusSeconds.minus((TemporalAmount) Duration.ofHours(1L));
        OAuth2AccessToken oAuth2AccessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, ACCESS_TOKEN, minus, minusSeconds);
        OAuth2RefreshToken oAuth2RefreshToken = new OAuth2RefreshToken(REFRESH_TOKEN, minus);
        OidcIdToken oidcIdToken = new OidcIdToken(ID_TOKEN, minus, minusSeconds, Collections.singletonMap(SUB_CLAIM, IDENTITY));
        Mockito.when(this.authorizedClient.getAccessToken()).thenReturn(oAuth2AccessToken);
        Mockito.when(this.authorizedClient.getRefreshToken()).thenReturn(oAuth2RefreshToken);
        Mockito.when(this.authorizedClient.getIdToken()).thenReturn(oidcIdToken);
        Mockito.when(this.authorizedClient.getClientRegistration()).thenReturn(getClientRegistration());
        Mockito.when(this.authorizedClient.getPrincipalName()).thenReturn(IDENTITY);
        Mockito.when(this.authorizedClientRepository.loadAuthorizedClient((String) ArgumentMatchers.eq(OidcRegistrationProperty.REGISTRATION_ID.getProperty()), (Authentication) ArgumentMatchers.any(), (HttpServletRequest) ArgumentMatchers.eq(this.request))).thenReturn(this.authorizedClient);
        Mockito.when(this.refreshTokenResponseClient.getTokenResponse((AbstractOAuth2AuthorizationGrantRequest) ArgumentMatchers.any())).thenReturn(OAuth2AccessTokenResponse.withToken(ACCESS_TOKEN).tokenType(OAuth2AccessToken.TokenType.BEARER).expiresIn(1L).build());
        Mockito.when(this.bearerTokenProvider.getBearerToken((LoginAuthenticationToken) this.tokenArgumentCaptor.capture())).thenReturn(BEARER_TOKEN_REFRESHED);
        this.filter.doFilter(this.request, this.response, this.filterChain);
        Cookie cookie = this.response.getCookie(ApplicationCookieName.AUTHORIZATION_BEARER.getCookieName());
        Assertions.assertNotNull(cookie);
        Assertions.assertEquals(BEARER_TOKEN_REFRESHED, cookie.getValue());
        Iterator it = ((LoginAuthenticationToken) this.tokenArgumentCaptor.getValue()).getAuthorities().iterator();
        Assertions.assertTrue(it.hasNext());
        Assertions.assertEquals(PROVIDER_GROUP, ((GrantedAuthority) it.next()).getAuthority());
    }

    private Jwt getJwt(Instant instant) {
        Map singletonMap = Collections.singletonMap(EXP_CLAIM, instant);
        return new Jwt(BEARER_TOKEN, instant.minus((TemporalAmount) Duration.ofHours(1L)), instant, singletonMap, singletonMap);
    }

    ClientRegistration getClientRegistration() {
        return ClientRegistration.withRegistrationId(OidcRegistrationProperty.REGISTRATION_ID.getProperty()).authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE).clientId(CLIENT_ID).redirectUri(REDIRECT_URI).authorizationUri(AUTHORIZATION_URI).tokenUri(TOKEN_URI).userNameAttributeName(SUB_CLAIM).build();
    }
}
