package org.apache.shindig.social.core.oauth;

import java.util.Arrays;
import java.util.Date;
import net.oauth.OAuthConsumer;
import net.oauth.OAuthProblemException;
import net.oauth.OAuthServiceProvider;
import net.oauth.OAuthValidator;
import net.oauth.SimpleOAuthValidator;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.shindig.auth.AnonymousSecurityToken;
import org.apache.shindig.auth.AuthenticationHandler;
import org.apache.shindig.auth.SecurityToken;
import org.apache.shindig.common.EasyMockTestCase;
import org.apache.shindig.common.testing.FakeHttpServletRequest;
import org.apache.shindig.common.util.CharsetUtil;
import org.apache.shindig.social.core.oauth.FakeOAuthRequest;
import org.apache.shindig.social.opensocial.oauth.OAuthDataStore;
import org.apache.shindig.social.opensocial.oauth.OAuthEntry;
import org.easymock.EasyMock;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:org/apache/shindig/social/core/oauth/OAuthAuthenticationHanderTest.class */
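/**
 * Unit tests for {@link OAuthAuthenticationHandler}.
 *
 * <p>Covers {@code getSecurityTokenFromRequest} for requests signed with an access token and for
 * consumer-only requests (no {@code oauth_token}), with the OAuth parameters carried in the URI
 * query, the Authorization header or the POST body. Also covers the static helpers
 * {@code readBody} and {@code verifyBodyHash}.
 *
 * <p>The negative tests matter most from a security point of view: each one must fail for exactly
 * the reason its name states, otherwise a regression in that check goes unnoticed.
 */
public class OAuthAuthenticationHanderTest extends EasyMockTestCase {
    OAuthDataStore mockStore = (OAuthDataStore) mock(OAuthDataStore.class);
    OAuthValidator validator = new SimpleOAuthValidator();
    OAuthAuthenticationHandler reqHandler;
    private FakeOAuthRequest formEncodedPost;
    private FakeOAuthRequest nonFormEncodedPost;
    private static final String TEST_URL = "http://www.example.org/a/b?x=y";
    private static final String TOKEN = "atoken";
    private static final String APP_ID = "app:12345";
    private static final String DOMAIN = "example.org";
    private static final String CONTAINER = "sandbox";

    // 31536000000 ms. Presumably the access-token lifetime enforced by OAuthEntry; confirm there.
    private static final long ONE_YEAR_MILLIS = 365L * 24 * 60 * 60 * 1000;

    /** Builds the handler under test and the two POST fixtures (form-encoded and text/plain). */
    @Before
    public void setUp() throws Exception {
        this.reqHandler = new OAuthAuthenticationHandler(this.mockStore, this.validator);
        this.formEncodedPost = new FakeOAuthRequest("POST", TEST_URL, "a=b&c=d", "application/x-www-form-urlencoded");
        this.nonFormEncodedPost = new FakeOAuthRequest("POST", TEST_URL, "BODY", "text/plain");
    }

    /** Records a store lookup for {@link #TOKEN} that yields a valid, authorized access token. */
    private void expectTokenEntry() {
        expectTokenEntry(createOAuthEntry());
    }

    /**
     * Records a store lookup for {@link #TOKEN} that yields the given entry, any number of times.
     *
     * @param oAuthEntry entry the mock store returns; {@code null} models an unknown token
     */
    private void expectTokenEntry(OAuthEntry oAuthEntry) {
        EasyMock.expect(this.mockStore.getEntry((String) EasyMock.eq(TOKEN))).andReturn(oAuthEntry).anyTimes();
    }

    /**
     * Creates an authorized ACCESS entry issued "now" whose token secret matches the secret the
     * fake request signs with. Negative tests mutate a single field of this baseline.
     */
    private OAuthEntry createOAuthEntry() {
        OAuthEntry entry = new OAuthEntry();
        entry.setAppId(APP_ID);
        entry.setAuthorized(true);
        entry.setConsumerKey(FakeOAuthRequest.CONSUMER_KEY);
        entry.setToken(TOKEN);
        entry.setTokenSecret(FakeOAuthRequest.CONSUMER_SECRET);
        entry.setType(OAuthEntry.Type.ACCESS);
        entry.setUserId(FakeOAuthRequest.REQUESTOR);
        entry.setIssueTime(new Date());
        entry.setDomain(DOMAIN);
        entry.setContainer(CONTAINER);
        return entry;
    }

    /** Records a consumer lookup for the fake request's consumer key, any number of times. */
    private void expectConsumer() {
        OAuthServiceProvider provider = new OAuthServiceProvider((String) null, (String) null, (String) null);
        OAuthConsumer consumer = new OAuthConsumer((String) null, FakeOAuthRequest.CONSUMER_KEY, FakeOAuthRequest.CONSUMER_SECRET, provider);
        try {
            EasyMock.expect(this.mockStore.getConsumer((String) EasyMock.eq(FakeOAuthRequest.CONSUMER_KEY))).andReturn(consumer).anyTimes();
        } catch (OAuthProblemException e) {
            // A failure while recording would leave the expectation unset; surface it instead of
            // letting the test continue with a half-configured mock.
            throw new IllegalStateException("could not record getConsumer expectation", e);
        }
    }

    /**
     * Records a single consumer-request token lookup (no {@code anyTimes()}) that returns an
     * {@link AnonymousSecurityToken}.
     */
    private void expectSecurityToken() {
        try {
            EasyMock.expect(this.mockStore.getSecurityTokenForConsumerRequest((String) EasyMock.eq(FakeOAuthRequest.CONSUMER_KEY), (String) EasyMock.eq(FakeOAuthRequest.REQUESTOR))).andReturn(new AnonymousSecurityToken());
        } catch (OAuthProblemException e) {
            // Same reasoning as in expectConsumer: never continue with a missing expectation.
            throw new IllegalStateException("could not record getSecurityTokenForConsumerRequest expectation", e);
        }
    }

    /**
     * Asserts that the handler rejects {@code request} with an InvalidAuthenticationException.
     *
     * @param request already-signed request to authenticate
     * @param failureMessage message reported if the handler accepts the request
     */
    private void assertRejected(FakeHttpServletRequest request, String failureMessage) throws Exception {
        try {
            this.reqHandler.getSecurityTokenFromRequest(request);
        } catch (AuthenticationHandler.InvalidAuthenticationException expected) {
            return;
        }
        fail(failureMessage);
    }

    /**
     * Asserts that {@code verifyBodyHash} rejects the request/hash pair.
     *
     * @param request request carrying the body and content type
     * @param hash value passed as the claimed {@code oauth_body_hash}
     */
    private static void assertBodyHashRejected(FakeHttpServletRequest request, String hash) throws Exception {
        try {
            OAuthAuthenticationHandler.verifyBodyHash(request, hash);
        } catch (AuthenticationHandler.InvalidAuthenticationException expected) {
            return;
        }
        fail("Body verification should fail");
    }

    /** Returns Base64(SHA-1(UTF-8 bytes of {@code body})), the value the tests use as body hash. */
    private static String bodyHash(String body) throws Exception {
        return new String(Base64.encodeBase64(DigestUtils.sha(CharsetUtil.getUtf8Bytes(body))), "UTF-8");
    }

    /** Signs the form-encoded POST fixture with the access token, OAuth params in the query. */
    private FakeHttpServletRequest signedTokenPost() throws Exception {
        return this.formEncodedPost.sign(TOKEN, FakeOAuthRequest.OAuthParamLocation.URI_QUERY, FakeOAuthRequest.BodySigning.NONE);
    }

    /** A valid access-token request yields an OAuthSecurityToken populated from the store entry. */
    @Test
    public void testVerifyOAuthRequest() throws Exception {
        expectTokenEntry();
        expectConsumer();
        replay();
        SecurityToken token = this.reqHandler.getSecurityTokenFromRequest(signedTokenPost());
        // Null check first so a missing token is reported as an assertion failure, not an NPE.
        assertNotNull(token);
        assertTrue(token instanceof OAuthSecurityToken);
        assertEquals(FakeOAuthRequest.REQUESTOR, token.getViewerId());
        assertEquals(APP_ID, token.getAppId());
        assertEquals(DOMAIN, token.getDomain());
        assertEquals(CONTAINER, token.getContainer());
        verify();
    }

    /** Access-token GET with OAuth parameters in the query string is accepted. */
    @Test
    public void testVerifyGet() throws Exception {
        expectTokenEntry();
        expectConsumer();
        replay();
        FakeHttpServletRequest request = new FakeOAuthRequest("GET", TEST_URL, null, null).sign(TOKEN, FakeOAuthRequest.OAuthParamLocation.URI_QUERY, FakeOAuthRequest.BodySigning.NONE);
        assertNotNull(this.reqHandler.getSecurityTokenFromRequest(request));
    }

    /** Access-token GET with OAuth parameters in the Authorization header is accepted. */
    @Test
    public void testVerifyGetSignatureInHeader() throws Exception {
        expectTokenEntry();
        expectConsumer();
        replay();
        FakeHttpServletRequest request = new FakeOAuthRequest("GET", TEST_URL, null, null).sign(TOKEN, FakeOAuthRequest.OAuthParamLocation.AUTH_HEADER, FakeOAuthRequest.BodySigning.NONE);
        assertNotNull(this.reqHandler.getSecurityTokenFromRequest(request));
    }

    /** Access-token POST with OAuth parameters in the form body is accepted. */
    @Test
    public void testVerifyRequestSignatureInBody() throws Exception {
        expectTokenEntry();
        expectConsumer();
        replay();
        FakeHttpServletRequest request = this.formEncodedPost.sign(TOKEN, FakeOAuthRequest.OAuthParamLocation.POST_BODY, FakeOAuthRequest.BodySigning.NONE);
        assertNotNull(this.reqHandler.getSecurityTokenFromRequest(request));
        verify();
    }

    /** A token the store does not know must be rejected. */
    @Test
    public void testVerifyFailNoTokenEntry() throws Exception {
        expectTokenEntry(null);
        expectConsumer();
        replay();
        assertRejected(signedTokenPost(), "Expect failure as no token entry in store");
        verify();
    }

    /** A request signed with a secret other than the stored token secret must be rejected. */
    @Test
    public void testVerifyFailTokenSecretMismatch() throws Exception {
        OAuthEntry mismatchedEntry = createOAuthEntry();
        mismatchedEntry.setTokenSecret("badsecret");
        expectTokenEntry(mismatchedEntry);
        expectConsumer();
        replay();
        assertRejected(signedTokenPost(), "Expect failure as token secrets mismatch");
        verify();
    }

    /** A REQUEST-type token must not be usable where an access token is required. */
    @Test
    public void testVerifyFailTokenIsRequest() throws Exception {
        OAuthEntry requestEntry = createOAuthEntry();
        requestEntry.setType(OAuthEntry.Type.REQUEST);
        expectTokenEntry(requestEntry);
        expectConsumer();
        replay();
        assertRejected(signedTokenPost(), "Expect failure as token is a request token not an access token");
        verify();
    }

    /** An access token issued more than a year ago must be rejected as expired. */
    @Test
    public void testVerifyFailTokenIsExpired() throws Exception {
        OAuthEntry expiredEntry = createOAuthEntry();
        // The type stays ACCESS (as set by createOAuthEntry). Switching it to REQUEST here would
        // make this a duplicate of testVerifyFailTokenIsRequest and let the test pass even if
        // expiry were never checked.
        expiredEntry.setIssueTime(new Date(System.currentTimeMillis() - (ONE_YEAR_MILLIS + 1)));
        expectTokenEntry(expiredEntry);
        expectConsumer();
        replay();
        assertRejected(signedTokenPost(), "Expect failure as token is expired");
        verify();
    }

    /** A consumer-only request (no token) yields the store's token, not an OAuthSecurityToken. */
    @Test
    public void testVerifyConsumerRequest() throws Exception {
        expectConsumer();
        expectSecurityToken();
        replay();
        FakeHttpServletRequest request = this.formEncodedPost.sign(null, FakeOAuthRequest.OAuthParamLocation.URI_QUERY, FakeOAuthRequest.BodySigning.NONE);
        SecurityToken token = this.reqHandler.getSecurityTokenFromRequest(request);
        assertNotNull(token);
        assertFalse(token instanceof OAuthSecurityToken);
        verify();
    }

    /** Consumer-only GET with OAuth parameters in the query string is accepted. */
    @Test
    public void testVerifyConsumerGet() throws Exception {
        expectConsumer();
        expectSecurityToken();
        replay();
        FakeHttpServletRequest request = new FakeOAuthRequest("GET", TEST_URL, null, null).sign(null, FakeOAuthRequest.OAuthParamLocation.URI_QUERY, FakeOAuthRequest.BodySigning.NONE);
        assertNotNull(this.reqHandler.getSecurityTokenFromRequest(request));
    }

    /** Consumer-only GET with OAuth parameters in the Authorization header is accepted. */
    @Test
    public void testVerifyConsumerGetSignatureInHeader() throws Exception {
        expectConsumer();
        expectSecurityToken();
        replay();
        FakeHttpServletRequest request = new FakeOAuthRequest("GET", TEST_URL, null, null).sign(null, FakeOAuthRequest.OAuthParamLocation.AUTH_HEADER, FakeOAuthRequest.BodySigning.NONE);
        assertNotNull(this.reqHandler.getSecurityTokenFromRequest(request));
    }

    /** Consumer-only POST signed in the Authorization header authenticates without throwing. */
    @Test
    public void testVerifyConsumerRequestSignatureInAuthHeader() throws Exception {
        expectConsumer();
        expectSecurityToken();
        replay();
        this.reqHandler.getSecurityTokenFromRequest(this.formEncodedPost.sign(null, FakeOAuthRequest.OAuthParamLocation.AUTH_HEADER, FakeOAuthRequest.BodySigning.NONE));
        verify();
    }

    /** Consumer-only POST signed in the form body authenticates without throwing. */
    @Test
    public void testVerifyConsumerRequestSignatureInBody() throws Exception {
        expectConsumer();
        expectSecurityToken();
        replay();
        this.reqHandler.getSecurityTokenFromRequest(this.formEncodedPost.sign(null, FakeOAuthRequest.OAuthParamLocation.POST_BODY, FakeOAuthRequest.BodySigning.NONE));
        verify();
    }

    /**
     * With an empty {@code oauth_signature} the handler returns {@code null} rather than a token.
     * No store expectations are recorded, so any store access would fail the test.
     */
    @Test
    public void testNoSignature() throws Exception {
        replay();
        FakeHttpServletRequest unsigned = this.formEncodedPost.sign(null, FakeOAuthRequest.OAuthParamLocation.URI_QUERY, FakeOAuthRequest.BodySigning.NONE);
        unsigned.setParameter("oauth_signature", new String[]{""});
        assertNull(this.reqHandler.getSecurityTokenFromRequest(unsigned));
    }

    /** A text/plain POST signed with a body hash is accepted. */
    @Test
    public void testBodyHashSigning() throws Exception {
        expectConsumer();
        expectSecurityToken();
        replay();
        FakeHttpServletRequest request = this.nonFormEncodedPost.sign(null, FakeOAuthRequest.OAuthParamLocation.URI_QUERY, FakeOAuthRequest.BodySigning.HASH);
        assertNotNull(this.reqHandler.getSecurityTokenFromRequest(request));
    }

    /** A form-encoded body that carries {@code oauth_body_hash} must be rejected. */
    @Test
    public void testConsumerFailBodyHashSigningWithFormEncoding() throws Exception {
        replay();
        FakeHttpServletRequest request = new FakeOAuthRequest("POST", TEST_URL, "a=b&c=d&oauth_body_hash=hash", "application/x-www-form-urlencoded").sign(null, FakeOAuthRequest.OAuthParamLocation.URI_QUERY, FakeOAuthRequest.BodySigning.NONE);
        assertRejected(request, "Cant have body signing with form-encoded post bodies");
    }

    /** {@code readBody} returns the posted bytes and stores that array under STASHED_BODY. */
    @Test
    public void testStashBody() throws Exception {
        FakeHttpServletRequest request = new FakeHttpServletRequest();
        request.setPostData(CharsetUtil.getUtf8Bytes("BODY"));
        byte[] readBody = OAuthAuthenticationHandler.readBody(request);
        assertTrue(Arrays.equals(readBody, CharsetUtil.getUtf8Bytes("BODY")));
        // assertEquals on arrays falls back to Object.equals, so this checks that the stashed
        // attribute is the very array readBody returned.
        assertEquals(readBody, request.getAttribute("STASHED_BODY"));
    }

    /** A matching body hash on a text/plain request verifies without throwing. */
    @Test
    public void testBodySigning() throws Exception {
        FakeHttpServletRequest request = new FakeHttpServletRequest();
        request.setContentType("text/plain");
        request.setPostData(CharsetUtil.getUtf8Bytes("BODY"));
        String hash = bodyHash("BODY");
        request.setParameter("oauth_body_hash", new String[]{hash});
        OAuthAuthenticationHandler.verifyBodyHash(request, hash);
    }

    /** A hash computed over different bytes than the posted body must be rejected. */
    @Test
    public void testFailBodySigning() throws Exception {
        FakeHttpServletRequest request = new FakeHttpServletRequest();
        request.setContentType("text/plain");
        request.setPostData(CharsetUtil.getUtf8Bytes("BODY"));
        String hash = bodyHash("NOTBODY");
        request.setParameter("oauth_body_hash", new String[]{hash});
        assertBodyHashRejected(request, hash);
    }

    /** Even a correct hash must be rejected when the content type is form-encoded. */
    @Test
    public void testFailBodySigningWithFormEncoded() throws Exception {
        FakeHttpServletRequest request = new FakeHttpServletRequest();
        request.setContentType("application/x-www-form-urlencoded");
        request.setPostData(CharsetUtil.getUtf8Bytes("BODY"));
        String hash = bodyHash("BODY");
        request.setParameter("oauth_body_hash", new String[]{hash});
        assertBodyHashRejected(request, hash);
    }

    /** An empty body with no content type verifies against the hash of the empty string. */
    @Test
    public void testBodyHashNoContentType() throws Exception {
        FakeHttpServletRequest request = new FakeHttpServletRequest();
        request.setPostData(CharsetUtil.getUtf8Bytes(""));
        OAuthAuthenticationHandler.verifyBodyHash(request, bodyHash(""));
    }
}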
