package org.apache.wss4j.dom.saml;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.security.auth.callback.CallbackHandler;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SAMLCallback;
import org.apache.wss4j.common.saml.SAMLUtil;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.saml.bean.AudienceRestrictionBean;
import org.apache.wss4j.common.saml.bean.ConditionsBean;
import org.apache.wss4j.common.saml.bean.ProxyRestrictionBean;
import org.apache.wss4j.common.util.XMLUtils;
import org.apache.wss4j.dom.WSSConfig;
import org.apache.wss4j.dom.WSSecurityEngine;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.dom.common.AbstractSAMLCallbackHandler;
import org.apache.wss4j.dom.common.CustomSamlAssertionValidator;
import org.apache.wss4j.dom.common.SAML1CallbackHandler;
import org.apache.wss4j.dom.common.SAML2CallbackHandler;
import org.apache.wss4j.dom.common.SOAPUtil;
import org.apache.wss4j.dom.common.SecurityTestUtil;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.message.WSSecHeader;
import org.apache.wss4j.dom.message.WSSecSAMLToken;
import org.joda.time.DateTime;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.Test;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;

/* loaded from: input_file:org/apache/wss4j/dom/saml/SamlConditionsTest.class */
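/**
 * Tests how the {@link WSSecurityEngine} processes the SAML {@code Conditions} element:
 * the NotBefore / NotOnOrAfter validity window, IssueInstant freshness, OneTimeUse,
 * ProxyRestriction and AudienceRestriction.
 *
 * <p>Every assertion is inserted into the security header by {@link WSSecSAMLToken} without
 * a signature ("sender vouches"), and subject confirmation checking is disabled in the engine
 * configuration. These tests therefore cover only the time and audience checks of the
 * validator, not signature verification or proof of possession.
 */
public class SamlConditionsTest extends Assert {
    private static final Logger LOG = LoggerFactory.getLogger(SamlConditionsTest.class);

    private static final String ISSUER = "www.example.com";
    private static final String AUDIENCE_ONE = "http://apache.org/one";
    private static final String AUDIENCE_TWO = "http://apache.org/two";
    /** An audience no assertion in this class carries; used to prove the restriction is enforced. */
    private static final String AUDIENCE_OTHER = "http://apache.org/three";
    /** Fragment of the generic message the engine reports for a rejected SAML token. */
    private static final String SAML_FAILURE_MESSAGE = "SAML token security failure";

    private final WSSecurityEngine secEngine = new WSSecurityEngine();

    @AfterClass
    public static void cleanup() throws Exception {
        SecurityTestUtil.cleanup();
    }

    /**
     * Installs the test validator for both SAML token types and switches off subject
     * confirmation checking, so that the Conditions checks (and not proof of possession)
     * are what the tests below exercise. Do not copy this configuration into production:
     * an engine that does not validate subject confirmation accepts bearer-style assertions
     * from any sender.
     */
    public SamlConditionsTest() {
        WSSConfig config = WSSConfig.getNewInstance();
        config.setValidator(WSSecurityEngine.SAML_TOKEN, new CustomSamlAssertionValidator());
        config.setValidator(WSSecurityEngine.SAML2_TOKEN, new CustomSamlAssertionValidator());
        config.setValidateSamlSubjectConfirmation(false);
        secEngine.setWssConfig(config);
    }

    // ---------------------------------------------------------------------------------------
    // Validity window (NotBefore / NotOnOrAfter)
    // ---------------------------------------------------------------------------------------

    /** A SAML 1.1 assertion valid from now for twenty minutes is accepted. */
    @Test
    public void testSAML1Conditions() throws Exception {
        SAML1CallbackHandler handler = newSaml1Handler();
        DateTime now = new DateTime();
        handler.setConditions(window(now, now.plusMinutes(20)));
        createAndVerifyMessage(handler, true);
    }

    /** A window that closed three minutes ago is rejected. */
    @Test
    public void testSAML2InvalidAfterConditions() throws Exception {
        SAML2CallbackHandler handler = newSaml2Handler();
        DateTime now = new DateTime();
        handler.setConditions(window(now.minusMinutes(5), now.minusMinutes(3)));
        createAndVerifyMessage(handler, false);
    }

    /** A NotOnOrAfter an hour in the past is rejected. */
    @Test
    public void testSAML2StaleNotOnOrAfter() throws Exception {
        SAML2CallbackHandler handler = newSaml2Handler();
        DateTime now = new DateTime();
        handler.setConditions(window(now.minusMinutes(70), now.minusMinutes(60)));
        createAndVerifyMessage(handler, false);
    }

    /** A NotBefore an hour in the future is rejected even though NotOnOrAfter is later still. */
    @Test
    public void testSAML2FutureNotBefore() throws Exception {
        SAML2CallbackHandler handler = newSaml2Handler();
        DateTime now = new DateTime();
        handler.setConditions(window(now.plusMinutes(60), now.plusMinutes(70)));
        createAndVerifyMessage(handler, false);
    }

    /** A NotBefore only two minutes in the future is still rejected. */
    @Test
    public void testSAML2InvalidBeforeConditions() throws Exception {
        SAML2CallbackHandler handler = newSaml2Handler();
        DateTime now = new DateTime();
        handler.setConditions(window(now.plusMinutes(2), now.plusMinutes(5)));
        createAndVerifyMessage(handler, false);
    }

    /**
     * A NotBefore thirty seconds in the future is accepted: the validator tolerates a small
     * amount of clock skew on NotBefore. The size of that tolerance is configured in the
     * engine, not in this test.
     */
    @Test
    public void testSAML2FutureTTLConditions() throws Exception {
        SAML2CallbackHandler handler = newSaml2Handler();
        DateTime now = new DateTime();
        handler.setConditions(window(now.plusSeconds(30), now.plusMinutes(5)));
        createAndVerifyMessage(handler, true);
    }

    // ---------------------------------------------------------------------------------------
    // IssueInstant freshness
    // ---------------------------------------------------------------------------------------

    /** An IssueInstant an hour in the future is rejected. */
    @Test
    public void testSAML2FutureIssueInstant() throws Exception {
        SamlAssertionWrapper assertion = buildAssertion(newSaml2Handler());
        assertion.getSaml2().setIssueInstant(new DateTime().plusMinutes(60));
        Document doc = buildMessage(assertion);
        logMessage("SAML 2 Authn Assertion (sender vouches):", doc);
        expectSamlFailure(doc, "Failure expected in processing the SAML Conditions element");
    }

    /**
     * With no NotOnOrAfter to bound the lifetime, an IssueInstant 31 minutes old is treated
     * as stale and the SAML 2.0 assertion is rejected.
     */
    @Test
    public void testSAML2StaleIssueInstant() throws Exception {
        SamlAssertionWrapper assertion = buildAssertion(newSaml2Handler());
        assertion.getSaml2().setIssueInstant(new DateTime().minusMinutes(31));
        assertion.getSaml2().getConditions().setNotOnOrAfter((DateTime) null);
        Document doc = buildMessage(assertion);
        logMessage("SAML 2 Authn Assertion (sender vouches):", doc);
        expectSamlFailure(doc, "Failure expected in processing a stale SAML Assertion");
    }

    /**
     * An IssueInstant 31 minutes old is fine when the assertion carries an explicit
     * NotOnOrAfter that has not passed: the window, not the issue time, bounds its lifetime.
     */
    @Test
    public void testSAML2StaleIssueInstantButWithNotOnOrAfter() throws Exception {
        SAML2CallbackHandler handler = newSaml2Handler();
        DateTime now = new DateTime();
        // The window must be attached to the handler BEFORE the assertion is built. The
        // earlier version of this test created the bean but never applied it, so the
        // assertion silently carried the handler's default conditions instead.
        handler.setConditions(window(now, now.plusMinutes(35)));
        SamlAssertionWrapper assertion = buildAssertion(handler);
        assertion.getSaml2().setIssueInstant(now.minusMinutes(31));
        Document doc = buildMessage(assertion);
        logMessage("SAML 2 Authn Assertion (sender vouches):", doc);
        verify(doc);
    }

    /** Same stale-IssueInstant check for a SAML 1.1 assertion. */
    @Test
    public void testSAML1StaleIssueInstant() throws Exception {
        SamlAssertionWrapper assertion = buildAssertion(newSaml1Handler());
        assertion.getSaml1().setIssueInstant(new DateTime().minusMinutes(31));
        assertion.getSaml1().getConditions().setNotOnOrAfter((DateTime) null);
        Document doc = buildMessage(assertion);
        logMessage("SAML 1 Authn Assertion (sender vouches):", doc);
        expectSamlFailure(doc, "Failure expected in processing a stale SAML Assertion");
    }

    // ---------------------------------------------------------------------------------------
    // OneTimeUse / ProxyRestriction
    // ---------------------------------------------------------------------------------------

    /**
     * A OneTimeUse condition is serialised and the assertion still verifies. Note that the
     * engine is only shown to accept the token here; replay detection is not exercised.
     */
    @Test
    public void testSAML2OneTimeUse() throws Exception {
        SAML2CallbackHandler handler = newSaml2Handler();
        ConditionsBean conditions = new ConditionsBean();
        conditions.setTokenPeriodMinutes(5);
        conditions.setOneTimeUse(true);
        handler.setConditions(conditions);
        Document doc = buildMessage(buildAssertion(handler));
        assertSerializedContains(doc, "OneTimeUse");
        verify(doc);
    }

    /** A ProxyRestriction with two audiences and a count is serialised and still verifies. */
    @Test
    public void testSAML2ProxyRestriction() throws Exception {
        SAML2CallbackHandler handler = newSaml2Handler();
        ConditionsBean conditions = new ConditionsBean();
        conditions.setTokenPeriodMinutes(5);
        ProxyRestrictionBean proxyRestriction = new ProxyRestrictionBean();
        proxyRestriction.getAudienceURIs().addAll(audiences(AUDIENCE_ONE, AUDIENCE_TWO));
        proxyRestriction.setCount(5);
        conditions.setProxyRestriction(proxyRestriction);
        handler.setConditions(conditions);
        Document doc = buildMessage(buildAssertion(handler));
        assertSerializedContains(doc, "ProxyRestriction");
        verify(doc);
    }

    // ---------------------------------------------------------------------------------------
    // AudienceRestriction
    // ---------------------------------------------------------------------------------------

    /** One AudienceRestriction listing two audiences is serialised and verifies. */
    @Test
    public void testSAML2AudienceRestriction() throws Exception {
        SAML2CallbackHandler handler = newSaml2Handler();
        handler.setConditions(restricted(
            Collections.singletonList(audienceRestriction(AUDIENCE_ONE, AUDIENCE_TWO))));
        Document doc = buildMessage(buildAssertion(handler));
        assertSerializedContains(doc, "AudienceRestriction");
        verify(doc);
    }

    /** The engine rejects a SAML 2.0 token whose audiences do not include one it expects. */
    @Test
    public void testSAML2AudienceRestrictionVerification() throws Exception {
        SAML2CallbackHandler handler = newSaml2Handler();
        handler.setConditions(restricted(
            Collections.singletonList(audienceRestriction(AUDIENCE_ONE, AUDIENCE_TWO))));
        Document doc = buildMessage(buildAssertion(handler));
        assertSerializedContains(doc, "AudienceRestriction");
        assertAudienceEnforced(doc);
    }

    /** The engine rejects a SAML 1.1 token whose audiences do not include one it expects. */
    @Test
    public void testSAML1AudienceRestrictionVerification() throws Exception {
        SAML1CallbackHandler handler = newSaml1Handler();
        handler.setConditions(restricted(
            Collections.singletonList(audienceRestriction(AUDIENCE_ONE, AUDIENCE_TWO))));
        Document doc = buildMessage(buildAssertion(handler));
        assertSerializedContains(doc, "AudienceRestriction");
        assertAudienceEnforced(doc);
    }

    /** Two separate AudienceRestriction elements, one audience each, are serialised and verify. */
    @Test
    public void testSAML2AudienceRestrictionSeparateRestrictions() throws Exception {
        SAML2CallbackHandler handler = newSaml2Handler();
        List<AudienceRestrictionBean> restrictions = new ArrayList<AudienceRestrictionBean>();
        restrictions.add(audienceRestriction(AUDIENCE_ONE));
        restrictions.add(audienceRestriction(AUDIENCE_TWO));
        handler.setConditions(restricted(restrictions));
        Document doc = buildMessage(buildAssertion(handler));
        assertSerializedContains(doc, "AudienceRestriction");
        verify(doc);
    }

    /**
     * With two separate AudienceRestriction elements the engine still rejects an unexpected
     * audience and accepts the token once one of its audiences is configured.
     */
    @Test
    public void testSAML2AudienceRestrictionSeparateRestrictionsValidation() throws Exception {
        SAML2CallbackHandler handler = newSaml2Handler();
        List<AudienceRestrictionBean> restrictions = new ArrayList<AudienceRestrictionBean>();
        restrictions.add(audienceRestriction(AUDIENCE_ONE));
        restrictions.add(audienceRestriction(AUDIENCE_TWO));
        handler.setConditions(restricted(restrictions));
        Document doc = buildMessage(buildAssertion(handler));
        assertSerializedContains(doc, "AudienceRestriction");
        assertAudienceEnforced(doc);
    }

    // ---------------------------------------------------------------------------------------
    // Helpers
    // ---------------------------------------------------------------------------------------

    /** A SAML 2.0 callback handler producing an AuthN statement from the test issuer. */
    private static SAML2CallbackHandler newSaml2Handler() {
        SAML2CallbackHandler handler = new SAML2CallbackHandler();
        handler.setStatement(AbstractSAMLCallbackHandler.Statement.AUTHN);
        handler.setIssuer(ISSUER);
        return handler;
    }

    /** A SAML 1.1 callback handler producing an AuthN statement from the test issuer. */
    private static SAML1CallbackHandler newSaml1Handler() {
        SAML1CallbackHandler handler = new SAML1CallbackHandler();
        handler.setStatement(AbstractSAMLCallbackHandler.Statement.AUTHN);
        handler.setIssuer(ISSUER);
        return handler;
    }

    /** Conditions with an explicit NotBefore / NotOnOrAfter window. */
    private static ConditionsBean window(DateTime notBefore, DateTime notAfter) {
        ConditionsBean conditions = new ConditionsBean();
        conditions.setNotBefore(notBefore);
        conditions.setNotAfter(notAfter);
        return conditions;
    }

    /** Five-minute conditions carrying the given AudienceRestriction elements. */
    private static ConditionsBean restricted(List<AudienceRestrictionBean> restrictions) {
        ConditionsBean conditions = new ConditionsBean();
        conditions.setTokenPeriodMinutes(5);
        conditions.setAudienceRestrictions(restrictions);
        return conditions;
    }

    /** A mutable list of the given audience URIs. */
    private static List<String> audiences(String... audienceUris) {
        List<String> uris = new ArrayList<String>();
        for (String uri : audienceUris) {
            uris.add(uri);
        }
        return uris;
    }

    /** One AudienceRestriction element listing the given audience URIs. */
    private static AudienceRestrictionBean audienceRestriction(String... audienceUris) {
        AudienceRestrictionBean restriction = new AudienceRestrictionBean();
        restriction.setAudienceURIs(audiences(audienceUris));
        return restriction;
    }

    /** Runs the SAML callback on the handler and wraps the resulting assertion. */
    private static SamlAssertionWrapper buildAssertion(CallbackHandler handler) throws Exception {
        SAMLCallback callback = new SAMLCallback();
        SAMLUtil.doSAMLCallback(handler, callback);
        return new SamlAssertionWrapper(callback);
    }

    /**
     * Inserts the assertion, unsigned, into the security header of a fresh copy of the
     * sample SOAP message and returns the resulting document.
     */
    private static Document buildMessage(SamlAssertionWrapper assertion) throws Exception {
        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
        WSSecHeader secHeader = new WSSecHeader();
        secHeader.insertSecurityHeader(doc);
        return new WSSecSAMLToken().build(doc, assertion, secHeader);
    }

    /** Logs the serialised message at debug level, preceded by {@code header} when non-null. */
    private static void logMessage(String header, Document doc) {
        if (LOG.isDebugEnabled()) {
            if (header != null) {
                LOG.debug(header);
            }
            LOG.debug(XMLUtils.PrettyDocumentToString(doc));
        }
    }

    /** Asserts that the serialised message mentions {@code element}, logging it at debug level. */
    private static void assertSerializedContains(Document doc, String element) {
        String xml = XMLUtils.PrettyDocumentToString(doc);
        assertTrue(xml.contains(element));
        if (LOG.isDebugEnabled()) {
            LOG.debug(xml);
        }
    }

    /**
     * Processes the document with the class's engine and expects it to be rejected with the
     * generic SAML failure message; {@code failMessage} is reported if it is accepted.
     */
    private void expectSamlFailure(Document doc, String failMessage) throws Exception {
        try {
            verify(doc);
            fail(failMessage);
        } catch (WSSecurityException ex) {
            assertTrue(ex.getMessage().contains(SAML_FAILURE_MESSAGE));
        }
    }

    /**
     * Processes {@code doc} with a fresh engine (default validators, subject confirmation
     * checking off) and checks that it is rejected when the engine expects only an audience
     * the assertion does not name, then accepted once an audience it does name is added.
     */
    private static void assertAudienceEnforced(Document doc) throws Exception {
        WSSecurityEngine engine = new WSSecurityEngine();
        WSSConfig config = WSSConfig.getNewInstance();
        config.setValidateSamlSubjectConfirmation(false);
        engine.setWssConfig(config);

        List<String> expectedAudiences = audiences(AUDIENCE_OTHER);
        RequestData data = new RequestData();
        data.setAudienceRestrictions(expectedAudiences);
        try {
            engine.processSecurityHeader(doc, "", data);
            fail("Failure expected on a bad audience restriction");
        } catch (WSSecurityException expected) {
            // The assertion's audiences do not include AUDIENCE_OTHER; rejection is the point
            // of this call. Only the exception type is checked here.
        }

        expectedAudiences.add(AUDIENCE_ONE);
        data.setAudienceRestrictions(expectedAudiences);
        engine.processSecurityHeader(doc, "", data);
    }

    /**
     * Builds a message from the handler's assertion and verifies it, asserting that
     * processing succeeds when {@code expectSuccess} is true and fails with the generic SAML
     * failure message otherwise.
     */
    private void createAndVerifyMessage(CallbackHandler callbackHandler, boolean expectSuccess)
        throws Exception {
        Document doc = buildMessage(buildAssertion(callbackHandler));
        logMessage(null, doc);
        try {
            verify(doc);
            if (!expectSuccess) {
                fail("Failure expected in processing the SAML assertion");
            }
        } catch (WSSecurityException ex) {
            assertFalse(expectSuccess);
            assertTrue(ex.getMessage().contains(SAML_FAILURE_MESSAGE));
        }
    }

    /**
     * Processes the security header with the class's engine (no crypto, no callback handler)
     * and asserts that the sample body element survived processing. Returns the engine
     * results for callers that want to inspect them.
     */
    private List<WSSecurityEngineResult> verify(Document doc) throws Exception {
        List<WSSecurityEngineResult> results =
            secEngine.processSecurityHeader(doc, (String) null, (CallbackHandler) null, (Crypto) null);
        assertTrue(XMLUtils.PrettyDocumentToString(doc).indexOf("counter_port_type") > 0);
        return results;
    }
}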
