package org.apache.qpid.server.security.auth.manager.oauth2;

import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.qpid.server.configuration.updater.CurrentThreadTaskExecutor;
import org.apache.qpid.server.configuration.updater.TaskExecutor;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.BrokerTestHelper;
import org.apache.qpid.server.model.NamedAddressSpace;
import org.apache.qpid.server.model.State;
import org.apache.qpid.server.security.auth.AuthenticationResult;
import org.apache.qpid.server.security.auth.sasl.SaslSettings;
import org.apache.qpid.test.utils.UnitTestBase;
import org.apache.qpid.test.utils.tls.TlsResource;
import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.ClassRule;
import org.junit.Test;
import org.mockito.Mockito;

/* loaded from: input_file:org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImplTest.class */
public class OAuth2AuthenticationProviderImplTest extends UnitTestBase {
    private static final String TEST_ENDPOINT_HOST = "localhost";
    private static final String TEST_AUTHORIZATION_ENDPOINT_PATH = "/testauth";
    private static final String TEST_TOKEN_ENDPOINT_PATH = "/testtoken";
    private static final String TEST_IDENTITY_RESOLVER_ENDPOINT_PATH = "/testidresolver";
    private static final String TEST_POST_LOGOUT_PATH = "/testpostlogout";
    static final String TEST_CLIENT_ID = "testClientId";
    static final String TEST_CLIENT_SECRET = "testClientSecret";
    private static final String TEST_IDENTITY_RESOLVER_TYPE = "CloudFoundryIdentityResolver";
    private static final String TEST_AUTHORIZATION_ENDPOINT_URI_PATTERN = "https://%s:%d%s";
    private static final String TEST_TOKEN_ENDPOINT_URI_PATTERN = "https://%s:%d%s";
    private static final String TEST_AUTHORIZATION_ENDPOINT_NEEDS_AUTH = "true";
    private static final String TEST_IDENTITY_RESOLVER_ENDPOINT_URI_PATTERN = "https://%s:%d%s";
    private static final String TEST_POST_LOGOUT_URI_PATTERN = "https://%s:%d%s";
    private static final String TEST_SCOPE = "testScope";
    private static final String TEST_VALID_AUTHORIZATION_CODE = "validAuthorizationCode";
    private static final String TEST_INVALID_AUTHORIZATION_CODE = "invalidAuthorizationCode";
    private static final String TEST_VALID_ACCESS_TOKEN = "validAccessToken";
    private static final String TEST_INVALID_ACCESS_TOKEN = "invalidAccessToken";
    private static final String TEST_USER_NAME = "testUser";
    private static final String TEST_REDIRECT_URI = "localhost:23523";
    private OAuth2AuthenticationProvider<?> _authProvider;
    private OAuth2MockEndpointHolder _server;

    @ClassRule
    public static final TlsResource TLS_RESOURCE = new TlsResource();
    static final String UTF8 = StandardCharsets.UTF_8.name();
    private static final String TEST_TRUST_STORE_NAME = null;

    /* loaded from: input_file:org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImplTest$BlindHostnameVerifier.class */
    private static final class BlindHostnameVerifier implements HostnameVerifier {
        private BlindHostnameVerifier() {
        }

        @Override // javax.net.ssl.HostnameVerifier
        public boolean verify(String str, SSLSession sSLSession) {
            return true;
        }
    }

    /* loaded from: input_file:org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImplTest$TrustingTrustManager.class */
    private static final class TrustingTrustManager implements X509TrustManager {
        private TrustingTrustManager() {
        }

        @Override // javax.net.ssl.X509TrustManager
        public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) {
        }

        @Override // javax.net.ssl.X509TrustManager
        public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) {
        }

        @Override // javax.net.ssl.X509TrustManager
        public X509Certificate[] getAcceptedIssuers() {
            return null;
        }
    }

    @Before
    public void setUp() throws Exception {
        this._server = new OAuth2MockEndpointHolder(TLS_RESOURCE.createSelfSignedKeyStore("CN=foo").toFile().getAbsolutePath(), TLS_RESOURCE.getSecret(), TLS_RESOURCE.getKeyStoreType());
        this._server.start();
        this._authProvider = createAuthenticationProvider(Collections.emptyMap());
        Assert.assertEquals("Could not successfully open authProvider", State.ACTIVE, this._authProvider.getState());
        TrustManager[] trustManagerArr = {new TrustingTrustManager()};
        SSLContext sSLContext = SSLContext.getInstance("SSL");
        sSLContext.init(null, trustManagerArr, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(sSLContext.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier(new BlindHostnameVerifier());
    }

    private OAuth2AuthenticationProvider<?> createAuthenticationProvider(Map<String, Object> map) {
        Broker<?> createBrokerMock = BrokerTestHelper.createBrokerMock();
        TaskExecutor newStartedInstance = CurrentThreadTaskExecutor.newStartedInstance();
        Mockito.when(createBrokerMock.getTaskExecutor()).thenReturn(newStartedInstance);
        Mockito.when(createBrokerMock.getChildExecutor()).thenReturn(newStartedInstance);
        HashMap hashMap = new HashMap();
        hashMap.put("name", "testOAuthProvider");
        hashMap.put("clientId", TEST_CLIENT_ID);
        hashMap.put("clientSecret", TEST_CLIENT_SECRET);
        hashMap.put("identityResolverType", TEST_IDENTITY_RESOLVER_TYPE);
        hashMap.put("authorizationEndpointURI", String.format("https://%s:%d%s", TEST_ENDPOINT_HOST, Integer.valueOf(this._server.getPort()), TEST_AUTHORIZATION_ENDPOINT_PATH));
        hashMap.put("tokenEndpointURI", String.format("https://%s:%d%s", TEST_ENDPOINT_HOST, Integer.valueOf(this._server.getPort()), TEST_TOKEN_ENDPOINT_PATH));
        hashMap.put("tokenEndpointNeedsAuth", TEST_AUTHORIZATION_ENDPOINT_NEEDS_AUTH);
        hashMap.put("identityResolverEndpointURI", String.format("https://%s:%d%s", TEST_ENDPOINT_HOST, Integer.valueOf(this._server.getPort()), TEST_IDENTITY_RESOLVER_ENDPOINT_PATH));
        hashMap.put("postLogoutURI", String.format("https://%s:%d%s", TEST_ENDPOINT_HOST, Integer.valueOf(this._server.getPort()), TEST_POST_LOGOUT_PATH));
        hashMap.put("scope", TEST_SCOPE);
        hashMap.put("trustStore", TEST_TRUST_STORE_NAME);
        hashMap.putAll(map);
        setTestSystemProperty("qpid.auth.cache.size", "0");
        OAuth2AuthenticationProviderImpl oAuth2AuthenticationProviderImpl = new OAuth2AuthenticationProviderImpl(hashMap, createBrokerMock);
        oAuth2AuthenticationProviderImpl.open();
        return oAuth2AuthenticationProviderImpl;
    }

    @After
    public void tearDown() throws Exception {
        if (this._server != null) {
            this._server.stop();
        }
    }

    @Test
    public void testGetSecureOnlyMechanisms() throws Exception {
        Assert.assertEquals("OAuth2 should be a secure only mechanism", Collections.singletonList("XOAUTH2"), this._authProvider.getSecureOnlyMechanisms());
    }

    @Test
    public void testAuthenticateViaSasl() throws Exception {
        this._server.setEndpoints(Collections.singletonMap(TEST_IDENTITY_RESOLVER_ENDPOINT_PATH, createMockIdentityResolverEndpoint()));
        assertSuccess(this._authProvider.createSaslNegotiator("XOAUTH2", (SaslSettings) null, (NamedAddressSpace) null).handleResponse("auth=Bearer validAccessToken\u0001\u0001".getBytes(UTF8)));
    }

    @Test
    public void testFailAuthenticateViaSasl() throws Exception {
        OAuth2MockEndpoint createMockIdentityResolverEndpoint = createMockIdentityResolverEndpoint();
        createMockIdentityResolverEndpoint.putExpectedParameter("token", TEST_INVALID_ACCESS_TOKEN);
        createMockIdentityResolverEndpoint.setResponse(400, "{\"error\":\"invalid_token\"}");
        this._server.setEndpoints(Collections.singletonMap(TEST_IDENTITY_RESOLVER_ENDPOINT_PATH, createMockIdentityResolverEndpoint));
        assertFailure(this._authProvider.createSaslNegotiator("XOAUTH2", (SaslSettings) null, (NamedAddressSpace) null).handleResponse("auth=Bearer invalidAccessToken\u0001\u0001".getBytes(UTF8)), "invalid_token");
    }

    @Test
    public void testAuthenticateViaAuthorizationCode() throws Exception {
        HashMap hashMap = new HashMap();
        hashMap.put(TEST_TOKEN_ENDPOINT_PATH, createMockTokenEndpoint());
        hashMap.put(TEST_IDENTITY_RESOLVER_ENDPOINT_PATH, createMockIdentityResolverEndpoint());
        this._server.setEndpoints(hashMap);
        NamedAddressSpace namedAddressSpace = (NamedAddressSpace) Mockito.mock(NamedAddressSpace.class);
        Mockito.when(namedAddressSpace.getName()).thenReturn("mock");
        assertSuccess(this._authProvider.authenticateViaAuthorizationCode(TEST_VALID_AUTHORIZATION_CODE, TEST_REDIRECT_URI, namedAddressSpace));
    }

    @Test
    public void testFailAuthenticateViaInvalidAuthorizationCode() throws Exception {
        HashMap hashMap = new HashMap();
        OAuth2MockEndpoint createMockTokenEndpoint = createMockTokenEndpoint();
        createMockTokenEndpoint.putExpectedParameter("code", TEST_INVALID_AUTHORIZATION_CODE);
        createMockTokenEndpoint.setResponse(400, "{\"error\":\"invalid_grant\",\"error_description\":\"authorization grant is not valid\"}");
        hashMap.put(TEST_TOKEN_ENDPOINT_PATH, createMockTokenEndpoint);
        hashMap.put(TEST_IDENTITY_RESOLVER_ENDPOINT_PATH, createMockIdentityResolverEndpoint());
        this._server.setEndpoints(hashMap);
        NamedAddressSpace namedAddressSpace = (NamedAddressSpace) Mockito.mock(NamedAddressSpace.class);
        Mockito.when(namedAddressSpace.getName()).thenReturn("mock");
        assertFailure(this._authProvider.authenticateViaAuthorizationCode(TEST_INVALID_AUTHORIZATION_CODE, TEST_REDIRECT_URI, namedAddressSpace), "invalid_grant");
    }

    @Test
    public void testAuthenticateViaAccessToken() throws Exception {
        this._server.setEndpoints(Collections.singletonMap(TEST_IDENTITY_RESOLVER_ENDPOINT_PATH, createMockIdentityResolverEndpoint()));
        assertSuccess(this._authProvider.authenticateViaAccessToken(TEST_VALID_ACCESS_TOKEN, (NamedAddressSpace) null));
    }

    @Test
    public void testFailAuthenticateViaInvalidAccessToken() throws Exception {
        OAuth2MockEndpoint createMockIdentityResolverEndpoint = createMockIdentityResolverEndpoint();
        createMockIdentityResolverEndpoint.putExpectedParameter("token", TEST_INVALID_ACCESS_TOKEN);
        createMockIdentityResolverEndpoint.setResponse(400, "{\"error\":\"invalid_token\"}");
        this._server.setEndpoints(Collections.singletonMap(TEST_IDENTITY_RESOLVER_ENDPOINT_PATH, createMockIdentityResolverEndpoint));
        assertFailure(this._authProvider.authenticateViaAccessToken(TEST_INVALID_ACCESS_TOKEN, (NamedAddressSpace) null), "invalid_token");
    }

    @Test
    public void testTlProtocolsAndCypherSuitesUsingAllowDenyListContextVariable() {
        HashMap hashMap = new HashMap();
        hashMap.put("qpid.security.tls.protocolAllowList", "[\"TLSv1.3\"]");
        hashMap.put("qpid.security.tls.protocolDenyList", "[\"Ssl.*\",\"TLSv1\",\"TLSv1.1\",\"TLSv1.2\"]");
        hashMap.put("qpid.security.tls.cipherSuiteAllowList", "[\"(TLS|SSL)_AES_128_GCM_SHA256\", \"(TLS|SSL)_AES_256_GCM_SHA384\"]");
        hashMap.put("qpid.security.tls.cipherSuiteDenyList", "[\".*CBC.*\"]");
        OAuth2AuthenticationProvider<?> createAuthenticationProvider = createAuthenticationProvider(Collections.singletonMap("context", hashMap));
        List singletonList = Collections.singletonList("TLSv1.3");
        List asList = Arrays.asList("Ssl.*", "TLSv1", "TLSv1.1", "TLSv1.2");
        List asList2 = Arrays.asList("(TLS|SSL)_AES_128_GCM_SHA256", "(TLS|SSL)_AES_256_GCM_SHA384");
        List singletonList2 = Collections.singletonList(".*CBC.*");
        MatcherAssert.assertThat(createAuthenticationProvider.getTlsProtocolAllowList(), CoreMatchers.is(CoreMatchers.equalTo(singletonList)));
        MatcherAssert.assertThat(createAuthenticationProvider.getTlsProtocolWhiteList(), CoreMatchers.is(CoreMatchers.equalTo(singletonList)));
        MatcherAssert.assertThat(createAuthenticationProvider.getTlsProtocolDenyList(), CoreMatchers.is(CoreMatchers.equalTo(asList)));
        MatcherAssert.assertThat(createAuthenticationProvider.getTlsProtocolBlackList(), CoreMatchers.is(CoreMatchers.equalTo(asList)));
        MatcherAssert.assertThat(createAuthenticationProvider.getTlsCipherSuiteAllowList(), CoreMatchers.is(CoreMatchers.equalTo(asList2)));
        MatcherAssert.assertThat(createAuthenticationProvider.getTlsCipherSuiteWhiteList(), CoreMatchers.is(CoreMatchers.equalTo(asList2)));
        MatcherAssert.assertThat(createAuthenticationProvider.getTlsCipherSuiteDenyList(), CoreMatchers.is(CoreMatchers.equalTo(singletonList2)));
        MatcherAssert.assertThat(createAuthenticationProvider.getTlsCipherSuiteBlackList(), CoreMatchers.is(CoreMatchers.equalTo(singletonList2)));
    }

    @Test
    public void testTlProtocolsAndCypherSuitesUsingBlackWhiteListContextVariable() {
        HashMap hashMap = new HashMap();
        hashMap.put("qpid.security.tls.protocolWhiteList", "[\"TLSv1.3\"]");
        hashMap.put("qpid.security.tls.protocolBlackList", "[\"Ssl.*\",\"TLSv1\",\"TLSv1.1\",\"TLSv1.2\"]");
        hashMap.put("qpid.security.tls.cipherSuiteWhiteList", "[\"(TLS|SSL)_AES_128_GCM_SHA256\", \"(TLS|SSL)_AES_256_GCM_SHA384\"]");
        hashMap.put("qpid.security.tls.cipherSuiteBlackList", "[\".*CBC.*\"]");
        OAuth2AuthenticationProvider<?> createAuthenticationProvider = createAuthenticationProvider(Collections.singletonMap("context", hashMap));
        List singletonList = Collections.singletonList("TLSv1.3");
        List asList = Arrays.asList("Ssl.*", "TLSv1", "TLSv1.1", "TLSv1.2");
        List asList2 = Arrays.asList("(TLS|SSL)_AES_128_GCM_SHA256", "(TLS|SSL)_AES_256_GCM_SHA384");
        List singletonList2 = Collections.singletonList(".*CBC.*");
        MatcherAssert.assertThat(createAuthenticationProvider.getTlsProtocolAllowList(), CoreMatchers.is(CoreMatchers.equalTo(singletonList)));
        MatcherAssert.assertThat(createAuthenticationProvider.getTlsProtocolWhiteList(), CoreMatchers.is(CoreMatchers.equalTo(singletonList)));
        MatcherAssert.assertThat(createAuthenticationProvider.getTlsProtocolDenyList(), CoreMatchers.is(CoreMatchers.equalTo(asList)));
        MatcherAssert.assertThat(createAuthenticationProvider.getTlsProtocolBlackList(), CoreMatchers.is(CoreMatchers.equalTo(asList)));
        MatcherAssert.assertThat(createAuthenticationProvider.getTlsCipherSuiteAllowList(), CoreMatchers.is(CoreMatchers.equalTo(asList2)));
        MatcherAssert.assertThat(createAuthenticationProvider.getTlsCipherSuiteWhiteList(), CoreMatchers.is(CoreMatchers.equalTo(asList2)));
        MatcherAssert.assertThat(createAuthenticationProvider.getTlsCipherSuiteDenyList(), CoreMatchers.is(CoreMatchers.equalTo(singletonList2)));
        MatcherAssert.assertThat(createAuthenticationProvider.getTlsCipherSuiteBlackList(), CoreMatchers.is(CoreMatchers.equalTo(singletonList2)));
    }

    private void assertSuccess(AuthenticationResult authenticationResult) {
        Assert.assertEquals("Authentication was not successful: " + authenticationResult.getCause(), AuthenticationResult.AuthenticationStatus.SUCCESS, authenticationResult.getStatus());
        Assert.assertEquals("AuthenticationResult has the wrong Principal", "testUser", authenticationResult.getMainPrincipal().getName());
    }

    private void assertFailure(AuthenticationResult authenticationResult, String str) {
        Assert.assertEquals("Authentication should not succeed", AuthenticationResult.AuthenticationStatus.ERROR, authenticationResult.getStatus());
        Assert.assertTrue(authenticationResult.getCause().toString(), authenticationResult.getCause().toString().contains(str));
        Assert.assertEquals("AuthenticationResult has the wrong Principal", (Object) null, authenticationResult.getMainPrincipal());
    }

    private OAuth2MockEndpoint createMockTokenEndpoint() {
        OAuth2MockEndpoint oAuth2MockEndpoint = new OAuth2MockEndpoint();
        oAuth2MockEndpoint.putExpectedParameter("grant_type", "authorization_code");
        oAuth2MockEndpoint.putExpectedParameter("response_type", "token");
        oAuth2MockEndpoint.putExpectedParameter("code", TEST_VALID_AUTHORIZATION_CODE);
        oAuth2MockEndpoint.putExpectedParameter("redirect_uri", TEST_REDIRECT_URI);
        oAuth2MockEndpoint.setExpectedMethod("POST");
        oAuth2MockEndpoint.setNeedsAuth(true);
        oAuth2MockEndpoint.setResponse(200, String.format("{\"access_token\":\"%s\",\"token_type\":\"bearer\",\"expires_in\":3600}", TEST_VALID_ACCESS_TOKEN));
        return oAuth2MockEndpoint;
    }

    private OAuth2MockEndpoint createMockIdentityResolverEndpoint() {
        OAuth2MockEndpoint oAuth2MockEndpoint = new OAuth2MockEndpoint();
        oAuth2MockEndpoint.putExpectedParameter("token", TEST_VALID_ACCESS_TOKEN);
        oAuth2MockEndpoint.setExpectedMethod("POST");
        oAuth2MockEndpoint.setNeedsAuth(true);
        oAuth2MockEndpoint.setResponse(200, String.format("{\"user_name\":\"%s\"}", "testUser"));
        return oAuth2MockEndpoint;
    }
}
