package org.apache.nifi.web.security.oidc.web.authentication;

import java.time.Duration;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalAmount;
import java.util.Collections;
import java.util.regex.Pattern;
import javax.servlet.http.Cookie;
import org.apache.nifi.authorization.util.IdentityMapping;
import org.apache.nifi.web.security.cookie.ApplicationCookieName;
import org.apache.nifi.web.security.jwt.provider.BearerTokenProvider;
import org.apache.nifi.web.security.oidc.client.web.OidcRegistrationProperty;
import org.apache.nifi.web.security.oidc.client.web.converter.StandardOAuth2AuthenticationToken;
import org.apache.nifi.web.security.token.LoginAuthenticationToken;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.ArgumentCaptor;
import org.mockito.ArgumentMatchers;
import org.mockito.Captor;
import org.mockito.Mock;
import org.mockito.Mockito;
import org.mockito.junit.jupiter.MockitoExtension;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;

/**
 * Tests for {@link OidcAuthenticationSuccessHandler}: checks the redirect URL returned by
 * {@code determineTargetUrl} and the bearer-token cookie written to the response, both for a
 * direct request and for a request carrying an {@code X-Forwarded-Prefix} header.
 */
@ExtendWith(MockitoExtension.class)
class OidcAuthenticationSuccessHandlerTest {

    private static final String REQUEST_URI = "/nifi-api";
    private static final String ROOT_PATH = "/";
    private static final int SERVER_PORT = 8080;
    private static final String USER_NAME_CLAIM = "email";
    private static final String GROUPS_CLAIM = "groups";
    private static final String ACCESS_TOKEN = "access-token";
    private static final String ALLOWED_CONTEXT_PATHS_PARAMETER = "allowedContextPaths";
    private static final String LOCALHOST_URL = "http://localhost:8080";
    private static final String UI_PATH = "/nifi/";
    private static final String TARGET_URL = String.format("%s%s", LOCALHOST_URL, UI_PATH);

    // Simple class names serve as placeholder identity and authority values.
    private static final String IDENTITY = Authentication.class.getSimpleName();
    private static final String AUTHORITY = GrantedAuthority.class.getSimpleName();

    // The access token is issued at the epoch and expires one hour later.
    private static final Duration TOKEN_EXPIRATION = Duration.ofHours(1);
    private static final Instant ACCESS_TOKEN_ISSUED = Instant.ofEpochSecond(0);
    private static final Instant ACCESS_TOKEN_EXPIRES = ACCESS_TOKEN_ISSUED.plus(TOKEN_EXPIRATION);

    private static final Pattern MATCH_PATTERN = Pattern.compile("(.*)");
    static final String FORWARDED_PATH = "/forwarded";
    static final String FORWARDED_COOKIE_PATH = String.format("%s/", FORWARDED_PATH);
    private static final String FORWARDED_TARGET_URL = String.format("%s%s%s", LOCALHOST_URL, FORWARDED_PATH, UI_PATH);
    private static final String FIRST_GROUP = "$1";

    // Each mapping matches the whole value and replaces it with capture group 1.
    private static final IdentityMapping UPPER_IDENTITY_MAPPING = new IdentityMapping(
            IdentityMapping.Transform.UPPER.toString(), MATCH_PATTERN, FIRST_GROUP, IdentityMapping.Transform.UPPER);
    private static final IdentityMapping LOWER_IDENTITY_MAPPING = new IdentityMapping(
            IdentityMapping.Transform.LOWER.toString(), MATCH_PATTERN, FIRST_GROUP, IdentityMapping.Transform.LOWER);

    @Mock
    OidcUser oidcUser;

    @Mock
    BearerTokenProvider bearerTokenProvider;

    @Captor
    ArgumentCaptor<LoginAuthenticationToken> authenticationTokenCaptor;

    MockHttpServletRequest httpServletRequest;
    MockHttpServletResponse httpServletResponse;
    OidcAuthenticationSuccessHandler handler;

    /** Builds a fresh handler and mock request/response pair before each test. */
    @BeforeEach
    void setHandler() {
        // NOTE(review): presumably the first list holds user identity mappings and the second
        // group mappings; confirm against the handler constructor. No test here asserts the
        // mapped identity or group values.
        handler = new OidcAuthenticationSuccessHandler(
                bearerTokenProvider,
                Collections.singletonList(UPPER_IDENTITY_MAPPING),
                Collections.singletonList(LOWER_IDENTITY_MAPPING),
                Collections.singletonList(USER_NAME_CLAIM),
                GROUPS_CLAIM);

        httpServletRequest = new MockHttpServletRequest();
        httpServletRequest.setServerPort(SERVER_PORT);
        httpServletResponse = new MockHttpServletResponse();
    }

    /** A direct request redirects to the UI path and gets a bearer cookie scoped to the root path. */
    @Test
    void testDetermineTargetUrl() {
        httpServletRequest.setRequestURI(REQUEST_URI);

        assertTargetUrlEquals(TARGET_URL);
        assertBearerCookieAdded(ROOT_PATH);
    }

    /**
     * A forwarded prefix that is also listed in the allowed context paths is applied to both
     * the redirect URL and the bearer cookie path.
     */
    @Test
    void testDetermineTargetUrlForwardedPath() {
        // The header value is honored here because the same path is registered as allowed.
        // NOTE(review): no test in this class covers an X-Forwarded-Prefix value that is absent
        // from allowedContextPaths; a negative case would pin that an unlisted prefix cannot
        // influence the redirect target or the cookie path.
        httpServletRequest.getServletContext().setInitParameter(ALLOWED_CONTEXT_PATHS_PARAMETER, FORWARDED_PATH);
        httpServletRequest.addHeader("X-Forwarded-Prefix", FORWARDED_PATH);
        httpServletRequest.setRequestURI(REQUEST_URI);

        assertTargetUrlEquals(FORWARDED_TARGET_URL);
        assertBearerCookieAdded(FORWARDED_COOKIE_PATH);
    }

    /**
     * Stubs the OIDC user claims, runs the handler and compares the resulting target URL.
     *
     * @param expectedTargetUrl redirect URL the handler is expected to return
     */
    void assertTargetUrlEquals(String expectedTargetUrl) {
        setOidcUser();

        StandardOAuth2AuthenticationToken authentication = getAuthenticationToken();
        String targetUrl = handler.determineTargetUrl(httpServletRequest, httpServletResponse, authentication);

        Assertions.assertEquals(expectedTargetUrl, targetUrl);
    }

    /**
     * Verifies the bearer cookie on the response and the expiration of the token that was
     * passed to the bearer token provider.
     *
     * @param expectedCookiePath path attribute the bearer cookie is expected to carry
     */
    void assertBearerCookieAdded(String expectedCookiePath) {
        String cookieName = ApplicationCookieName.AUTHORIZATION_BEARER.getCookieName();
        Cookie bearerCookie = httpServletResponse.getCookie(cookieName);

        // NOTE(review): only presence and path are asserted; the HttpOnly, Secure and SameSite
        // attributes of the bearer cookie are not checked here. Confirm another test covers them.
        Assertions.assertNotNull(bearerCookie);
        Assertions.assertEquals(expectedCookiePath, bearerCookie.getPath());

        Mockito.verify(bearerTokenProvider).getBearerToken(authenticationTokenCaptor.capture());

        // The application token must expire with the access token, compared at minute precision.
        LoginAuthenticationToken loginToken = authenticationTokenCaptor.getValue();
        Instant sessionExpiration = loginToken.getExpiration().truncatedTo(ChronoUnit.MINUTES);
        Assertions.assertEquals(ACCESS_TOKEN_EXPIRES, sessionExpiration);
    }

    /** Stubs the user-name claim and the groups claim on the mocked OIDC user. */
    void setOidcUser() {
        Mockito.when(oidcUser.getClaimAsString(ArgumentMatchers.eq(USER_NAME_CLAIM)))
                .thenReturn(IDENTITY);
        Mockito.when(oidcUser.getClaimAsStringList(ArgumentMatchers.eq(GROUPS_CLAIM)))
                .thenReturn(Collections.singletonList(AUTHORITY));
    }

    /**
     * Creates the authentication passed to the handler: the mocked OIDC user, a single
     * authority and a bearer access token with the fixed issue and expiry instants.
     *
     * @return authentication token wrapping the test access token
     */
    StandardOAuth2AuthenticationToken getAuthenticationToken() {
        OAuth2AccessToken accessToken = new OAuth2AccessToken(
                OAuth2AccessToken.TokenType.BEARER, ACCESS_TOKEN, ACCESS_TOKEN_ISSUED, ACCESS_TOKEN_EXPIRES);
        String registrationId = OidcRegistrationProperty.REGISTRATION_ID.getProperty();

        return new StandardOAuth2AuthenticationToken(
                oidcUser,
                Collections.singletonList(new SimpleGrantedAuthority(AUTHORITY)),
                registrationId,
                accessToken);
    }
}
