package org.apereo.cas;

import org.apereo.cas.authentication.AcceptUsersAuthenticationHandler;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.AuthenticationException;
import org.apereo.cas.authentication.AuthenticationResult;
import org.apereo.cas.authentication.AuthenticationSystemSupport;
import org.apereo.cas.authentication.Credential;
import org.apereo.cas.authentication.credential.OneTimePasswordCredential;
import org.apereo.cas.authentication.credential.UsernamePasswordCredential;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.config.CasMultifactorTestAuthenticationEventExecutionPlanConfiguration;
import org.apereo.cas.services.RegisteredServiceTestUtils;
import org.apereo.cas.ticket.ServiceTicket;
import org.apereo.cas.ticket.TicketGrantingTicket;
import org.apereo.cas.ticket.UnsatisfiedAuthenticationPolicyException;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Import;
import org.springframework.test.context.TestPropertySource;

/**
 * Exercises ticket issuance for two services with one or two credentials.
 *
 * <p>Each test authenticates as {@code alice}, creates a ticket-granting ticket (TGT), and then
 * asks for a service ticket (ST). A single credential is enough for the "normal" service. The
 * "high" service only yields an ST when a password credential and a one-time-password credential
 * are both presented.
 *
 * <p>Security-relevant point shown by the denial tests: the TGT is still issued after a
 * single-factor login, and the request is refused only when the ST is granted. The existence of
 * a TGT therefore says nothing about how many factors were satisfied.
 *
 * <p>NOTE(review): the policy that separates the two services is not defined in this file. It
 * presumably comes from the imported test configuration and the test service registry; confirm
 * there before changing either URL.
 */
@Tag("MFA")
@TestPropertySource(properties = {
    "cas.authn.policy.required-handler-authentication-policy-enabled=true",
    "cas.authn.policy.any.try-all=true",
    "cas.ticket.st.time-to-kill-in-seconds=30"
})
@Import({CasMultifactorTestAuthenticationEventExecutionPlanConfiguration.class})
public class MultifactorAuthenticationTests extends BaseCasWebflowMultifactorAuthenticationTests {
    // Service that the tests expect to be reachable with a single credential.
    private static final Service NORMAL_SERVICE = newService("https://example.com/normal/");
    // Service that the tests expect to require both credentials.
    private static final Service HIGH_SERVICE = newService("https://example.com/high/");
    // Fixture user; the password tests reuse this value as the password as well.
    private static final String ALICE = "alice";
    // Fixture one-time password passed to OneTimePasswordCredential.
    private static final String PASSWORD_31415 = "31415";

    @Autowired
    @Qualifier("defaultAuthenticationSystemSupport")
    private AuthenticationSystemSupport authenticationSystemSupport;

    @Autowired
    @Qualifier("centralAuthenticationService")
    private CentralAuthenticationService cas;

    /** A password alone yields both a TGT and an ST for the normal service. */
    @Test
    public void verifyAllowsAccessToNormalSecurityServiceWithPassword() {
        final AuthenticationResult authResult =
            processAuthenticationAttempt(NORMAL_SERVICE, newUserPassCredentials(ALICE, ALICE));
        final TicketGrantingTicket tgt = issueTicketGrantingTicket(authResult);
        grantServiceTicketExpectingSuccess(tgt, NORMAL_SERVICE, authResult);
    }

    /** A one-time password alone yields both a TGT and an ST for the normal service. */
    @Test
    public void verifyAllowsAccessToNormalSecurityServiceWithOTP() {
        final AuthenticationResult authResult =
            processAuthenticationAttempt(NORMAL_SERVICE, new OneTimePasswordCredential(ALICE, PASSWORD_31415));
        final TicketGrantingTicket tgt = issueTicketGrantingTicket(authResult);
        grantServiceTicketExpectingSuccess(tgt, NORMAL_SERVICE, authResult);
    }

    /**
     * A password alone still produces a TGT, but the ST request for the high service must fail
     * with {@link UnsatisfiedAuthenticationPolicyException}.
     */
    @Test
    public void verifyDeniesAccessToHighSecurityServiceWithPassword() {
        final AuthenticationResult authResult =
            processAuthenticationAttempt(HIGH_SERVICE, newUserPassCredentials(ALICE, ALICE));
        final TicketGrantingTicket tgt = issueTicketGrantingTicket(authResult);
        grantServiceTicketExpectingPolicyFailure(tgt, HIGH_SERVICE, authResult);
    }

    /**
     * A one-time password alone still produces a TGT, but the ST request for the high service
     * must fail with {@link UnsatisfiedAuthenticationPolicyException}.
     */
    @Test
    public void verifyDeniesAccessToHighSecurityServiceWithOTP() {
        final AuthenticationResult authResult =
            processAuthenticationAttempt(HIGH_SERVICE, new OneTimePasswordCredential(ALICE, PASSWORD_31415));
        final TicketGrantingTicket tgt = issueTicketGrantingTicket(authResult);
        grantServiceTicketExpectingPolicyFailure(tgt, HIGH_SERVICE, authResult);
    }

    /** Password plus one-time password yields both a TGT and an ST for the high service. */
    @Test
    public void verifyAllowsAccessToHighSecurityServiceWithPasswordAndOTP() {
        final AuthenticationResult authResult = processAuthenticationAttempt(
            HIGH_SERVICE,
            newUserPassCredentials(ALICE, ALICE),
            new OneTimePasswordCredential(ALICE, PASSWORD_31415));
        final TicketGrantingTicket tgt = issueTicketGrantingTicket(authResult);
        grantServiceTicketExpectingSuccess(tgt, HIGH_SERVICE, authResult);
    }

    /**
     * Two-credential login followed by ST validation: the validated assertion must record exactly
     * two successful handlers, keyed by handler simple class name, and must carry the
     * {@code successfulAuthenticationHandlers} attribute.
     *
     * <p>NOTE(review): nothing in this method sets a renew flag on the service or the request;
     * the "ViaRenew" suffix is kept from the original name.
     */
    @Test
    public void verifyAllowsAccessToHighSecurityServiceWithPasswordAndOTPViaRenew() {
        final AuthenticationResult authResult = processAuthenticationAttempt(
            HIGH_SERVICE,
            newUserPassCredentials(ALICE, ALICE),
            new OneTimePasswordCredential(ALICE, PASSWORD_31415));
        final TicketGrantingTicket tgt = issueTicketGrantingTicket(authResult);
        final ServiceTicket serviceTicket = grantServiceTicketExpectingSuccess(tgt, HIGH_SERVICE, authResult);

        final Authentication validated =
            this.cas.validateServiceTicket(serviceTicket.getId(), HIGH_SERVICE).getPrimaryAuthentication();

        // Both factors must be present in the validated result, not merely accepted at login.
        Assertions.assertEquals(2, validated.getSuccesses().size());
        final String passwordHandlerKey = AcceptUsersAuthenticationHandler.class.getSimpleName();
        Assertions.assertTrue(validated.getSuccesses().containsKey(passwordHandlerKey));
        final String otpHandlerKey = TestOneTimePasswordAuthenticationHandler.class.getSimpleName();
        Assertions.assertTrue(validated.getSuccesses().containsKey(otpHandlerKey));
        Assertions.assertTrue(validated.getAttributes().containsKey("successfulAuthenticationHandlers"));
    }

    /**
     * Creates a TGT from the authentication result and asserts that one was returned.
     *
     * @param authResult result of the finalized authentication transaction
     * @return the non-null TGT
     */
    private TicketGrantingTicket issueTicketGrantingTicket(final AuthenticationResult authResult) {
        final TicketGrantingTicket tgt = this.cas.createTicketGrantingTicket(authResult);
        Assertions.assertNotNull(tgt);
        return tgt;
    }

    /**
     * Requests an ST for {@code service} and asserts that one was returned.
     *
     * @param tgt        ticket-granting ticket whose id is used for the request
     * @param service    target service
     * @param authResult authentication result passed along with the request
     * @return the non-null ST
     */
    private ServiceTicket grantServiceTicketExpectingSuccess(final TicketGrantingTicket tgt,
                                                             final Service service,
                                                             final AuthenticationResult authResult) {
        final ServiceTicket serviceTicket = this.cas.grantServiceTicket(tgt.getId(), service, authResult);
        Assertions.assertNotNull(serviceTicket);
        return serviceTicket;
    }

    /**
     * Requests an ST for {@code service} and asserts that the request is rejected with
     * {@link UnsatisfiedAuthenticationPolicyException}.
     *
     * @param tgt        ticket-granting ticket whose id is used for the request
     * @param service    target service
     * @param authResult authentication result passed along with the request
     */
    private void grantServiceTicketExpectingPolicyFailure(final TicketGrantingTicket tgt,
                                                          final Service service,
                                                          final AuthenticationResult authResult) {
        Assertions.assertThrows(
            UnsatisfiedAuthenticationPolicyException.class,
            () -> this.cas.grantServiceTicket(tgt.getId(), service, authResult));
    }

    /**
     * Builds a username/password credential for the given pair.
     *
     * @param username value passed to {@code setUsername}
     * @param password value passed to {@code assignPassword}
     * @return the populated credential
     */
    private static UsernamePasswordCredential newUserPassCredentials(String username, String password) {
        final UsernamePasswordCredential credential = new UsernamePasswordCredential();
        credential.setUsername(username);
        credential.assignPassword(password);
        return credential;
    }

    /**
     * Obtains a {@link Service} for the given identifier from the shared test utilities.
     *
     * @param serviceId identifier handed to {@code RegisteredServiceTestUtils.getService}
     * @return the service object used as the ticket target
     */
    private static Service newService(String serviceId) {
        return RegisteredServiceTestUtils.getService(serviceId);
    }

    /**
     * Runs the credentials through the authentication system and finalizes the transaction.
     *
     * @param service     service the authentication is performed for
     * @param credentials one or more credentials to authenticate
     * @return the finalized authentication result
     * @throws AuthenticationException if the authentication system rejects the attempt
     */
    private AuthenticationResult processAuthenticationAttempt(Service service, Credential... credentials) throws AuthenticationException {
        return this.authenticationSystemSupport.finalizeAuthenticationTransaction(service, credentials);
    }
}
