package org.apereo.cas;

import org.apereo.cas.authentication.AcceptUsersAuthenticationHandler;
import org.apereo.cas.authentication.AuthenticationException;
import org.apereo.cas.authentication.AuthenticationResult;
import org.apereo.cas.authentication.AuthenticationSystemSupport;
import org.apereo.cas.authentication.CoreAuthenticationTestUtils;
import org.apereo.cas.authentication.Credential;
import org.apereo.cas.authentication.OneTimePasswordCredential;
import org.apereo.cas.authentication.UsernamePasswordCredential;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.config.CasCoreAuthenticationConfiguration;
import org.apereo.cas.config.CasCoreAuthenticationHandlersConfiguration;
import org.apereo.cas.config.CasCoreAuthenticationMetadataConfiguration;
import org.apereo.cas.config.CasCoreAuthenticationPolicyConfiguration;
import org.apereo.cas.config.CasCoreAuthenticationPrincipalConfiguration;
import org.apereo.cas.config.CasCoreAuthenticationServiceSelectionStrategyConfiguration;
import org.apereo.cas.config.CasCoreAuthenticationSupportConfiguration;
import org.apereo.cas.config.CasCoreConfiguration;
import org.apereo.cas.config.CasCoreHttpConfiguration;
import org.apereo.cas.config.CasCoreServicesConfiguration;
import org.apereo.cas.config.CasCoreTicketCatalogConfiguration;
import org.apereo.cas.config.CasCoreTicketIdGeneratorsConfiguration;
import org.apereo.cas.config.CasCoreTicketsConfiguration;
import org.apereo.cas.config.CasCoreUtilConfiguration;
import org.apereo.cas.config.CasDefaultServiceTicketIdGeneratorsConfiguration;
import org.apereo.cas.config.CasMultifactorTestAuthenticationEventExecutionPlanConfiguration;
import org.apereo.cas.config.CasPersonDirectoryConfiguration;
import org.apereo.cas.config.support.CasWebApplicationServiceFactoryConfiguration;
import org.apereo.cas.logout.config.CasCoreLogoutConfiguration;
import org.apereo.cas.ticket.ServiceTicket;
import org.apereo.cas.ticket.TicketGrantingTicket;
import org.apereo.cas.ticket.UnsatisfiedAuthenticationPolicyException;
import org.apereo.cas.validation.Assertion;
import org.apereo.cas.validation.config.CasCoreValidationConfiguration;
import org.junit.Assert;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.aop.AopAutoConfiguration;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.cloud.autoconfigure.RefreshAutoConfiguration;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.TestPropertySource;
import org.springframework.test.context.junit4.SpringRunner;

/**
 * Integration tests for authentication-policy enforcement when a service demands more than
 * one successful credential.
 *
 * <p>Two services are exercised: {@code https://example.com/normal/}, which the tests expect
 * to accept either a password or a one-time password on its own, and
 * {@code https://example.com/high/}, which the tests expect to reject any single credential
 * with {@link UnsatisfiedAuthenticationPolicyException} and to accept the two together.
 * The per-service requirements themselves are not visible here; presumably they come from
 * {@code /mfa-test-context.xml} and {@code classpath:/core.properties} (confirm there).
 * The context is started with
 * {@code cas.authn.policy.requiredHandlerAuthenticationPolicyEnabled=true}.
 *
 * <p>NOTE(review): most "allows" cases only assert that the tickets are non-null. Only
 * {@link #verifyAllowsAccessToHighSecurityServiceWithPasswordAndOTPViaRenew()} validates the
 * service ticket and inspects which handlers succeeded.
 */
@SpringBootTest(classes = {
    CasMultifactorTestAuthenticationEventExecutionPlanConfiguration.class,
    CasWebApplicationServiceFactoryConfiguration.class,
    CasDefaultServiceTicketIdGeneratorsConfiguration.class,
    CasCoreAuthenticationConfiguration.class,
    CasCoreServicesConfiguration.class,
    CasCoreTicketCatalogConfiguration.class,
    CasCoreAuthenticationPrincipalConfiguration.class,
    CasCoreAuthenticationPolicyConfiguration.class,
    CasCoreAuthenticationMetadataConfiguration.class,
    CasCoreAuthenticationSupportConfiguration.class,
    CasCoreAuthenticationHandlersConfiguration.class,
    CasCoreHttpConfiguration.class,
    AopAutoConfiguration.class,
    CasCoreUtilConfiguration.class,
    CasPersonDirectoryConfiguration.class,
    CasCoreConfiguration.class,
    CasCoreAuthenticationServiceSelectionStrategyConfiguration.class,
    CasCoreLogoutConfiguration.class,
    RefreshAutoConfiguration.class,
    CasCoreTicketsConfiguration.class,
    CasCoreTicketIdGeneratorsConfiguration.class,
    CasCoreValidationConfiguration.class
})
@TestPropertySource(
    locations = {"classpath:/core.properties"},
    properties = {"cas.authn.policy.requiredHandlerAuthenticationPolicyEnabled=true"})
@ContextConfiguration(locations = {"/mfa-test-context.xml"})
@RunWith(SpringRunner.class)
public class MultifactorAuthenticationTests {
    // Service the tests expect to be reachable with a single credential.
    private static final Service NORMAL_SERVICE = newService("https://example.com/normal/");
    // Service the tests expect to require both the password and the one-time password.
    private static final Service HIGH_SERVICE = newService("https://example.com/high/");
    // Test user id; the password tests also pass it as the password.
    private static final String ALICE = "alice";
    // Fixed one-time password value used as a fixture.
    private static final String PASSWORD_31415 = "31415";

    /** Declares the exception type a "denies" test must end with. */
    @Rule
    public ExpectedException thrown = ExpectedException.none();

    // NOTE(review): injection is optional (required = false), yet processAuthenticationAttempt
    // dereferences this field unconditionally. If the bean is absent, every test fails with a
    // NullPointerException instead of a context-load error. Confirm the optional wiring is
    // intentional.
    @Autowired(required = false)
    @Qualifier("defaultAuthenticationSystemSupport")
    private AuthenticationSystemSupport authenticationSystemSupport;

    @Autowired
    @Qualifier("centralAuthenticationService")
    private CentralAuthenticationService cas;

    /** A password alone yields a ticket-granting ticket and a service ticket for the normal service. */
    @Test
    public void verifyAllowsAccessToNormalSecurityServiceWithPassword() throws Exception {
        final AuthenticationResult authResult =
            processAuthenticationAttempt(NORMAL_SERVICE, newUserPassCredentials(ALICE, ALICE));
        final TicketGrantingTicket tgt = cas.createTicketGrantingTicket(authResult);
        Assert.assertNotNull(tgt);
        Assert.assertNotNull(cas.grantServiceTicket(tgt.getId(), NORMAL_SERVICE, authResult));
    }

    /** A one-time password alone yields a ticket-granting ticket and a service ticket for the normal service. */
    @Test
    public void verifyAllowsAccessToNormalSecurityServiceWithOTP() throws Exception {
        final AuthenticationResult authResult =
            processAuthenticationAttempt(NORMAL_SERVICE, new OneTimePasswordCredential(ALICE, PASSWORD_31415));
        final TicketGrantingTicket tgt = cas.createTicketGrantingTicket(authResult);
        Assert.assertNotNull(tgt);
        Assert.assertNotNull(cas.grantServiceTicket(tgt.getId(), NORMAL_SERVICE, authResult));
    }

    /**
     * A password alone must end in {@link UnsatisfiedAuthenticationPolicyException} for the
     * high-security service.
     */
    @Test
    public void verifyDeniesAccessToHighSecurityServiceWithPassword() throws Exception {
        final AuthenticationResult authResult =
            processAuthenticationAttempt(HIGH_SERVICE, newUserPassCredentials(ALICE, ALICE));
        // NOTE(review): the expectation is armed before the ticket-granting ticket is created,
        // so the test passes whether the policy exception comes from createTicketGrantingTicket
        // or from grantServiceTicket. The OTP variant arms it only right before the grant.
        // If denial is meant to happen at service-ticket grant, arming it after the non-null
        // check would pin that down.
        thrown.expect(UnsatisfiedAuthenticationPolicyException.class);
        final TicketGrantingTicket tgt = cas.createTicketGrantingTicket(authResult);
        Assert.assertNotNull(tgt);
        cas.grantServiceTicket(tgt.getId(), HIGH_SERVICE, authResult);
    }

    /**
     * A one-time password alone still produces a ticket-granting ticket, but the service-ticket
     * grant for the high-security service must throw
     * {@link UnsatisfiedAuthenticationPolicyException}.
     */
    @Test
    public void verifyDeniesAccessToHighSecurityServiceWithOTP() throws Exception {
        final AuthenticationResult authResult =
            processAuthenticationAttempt(HIGH_SERVICE, new OneTimePasswordCredential(ALICE, PASSWORD_31415));
        final TicketGrantingTicket tgt = cas.createTicketGrantingTicket(authResult);
        Assert.assertNotNull(tgt);
        // Armed only after the ticket-granting ticket exists, so the exception must come from the grant below.
        thrown.expect(UnsatisfiedAuthenticationPolicyException.class);
        Assert.assertNotNull(cas.grantServiceTicket(tgt.getId(), HIGH_SERVICE, authResult));
    }

    /** Password and one-time password together yield a service ticket for the high-security service. */
    @Test
    public void verifyAllowsAccessToHighSecurityServiceWithPasswordAndOTP() throws Exception {
        final AuthenticationResult authResult = processAuthenticationAttempt(
            HIGH_SERVICE,
            newUserPassCredentials(ALICE, ALICE),
            new OneTimePasswordCredential(ALICE, PASSWORD_31415));
        final TicketGrantingTicket tgt = cas.createTicketGrantingTicket(authResult);
        Assert.assertNotNull(tgt);
        Assert.assertNotNull(cas.grantServiceTicket(tgt.getId(), HIGH_SERVICE, authResult));
    }

    /**
     * Authenticates with both credentials, validates the resulting service ticket and checks
     * that the assertion's primary authentication records exactly two successful handlers.
     *
     * <p>NOTE(review): nothing in this method sets a renew flag, so "ViaRenew" in the name may
     * be historical. Confirm what the name is meant to cover.
     */
    @Test
    public void verifyAllowsAccessToHighSecurityServiceWithPasswordAndOTPViaRenew() throws Exception {
        final AuthenticationResult authResult = processAuthenticationAttempt(
            HIGH_SERVICE,
            newUserPassCredentials(ALICE, ALICE),
            new OneTimePasswordCredential(ALICE, PASSWORD_31415));
        final TicketGrantingTicket tgt = cas.createTicketGrantingTicket(authResult);
        Assert.assertNotNull(tgt);

        final ServiceTicket serviceTicket = cas.grantServiceTicket(tgt.getId(), HIGH_SERVICE, authResult);
        Assert.assertNotNull(serviceTicket);

        final Assertion assertion = cas.validateServiceTicket(serviceTicket.getId(), HIGH_SERVICE);
        // Both handlers must be recorded as successes, keyed by their simple class names.
        Assert.assertEquals(2L, assertion.getPrimaryAuthentication().getSuccesses().size());
        Assert.assertTrue(assertion.getPrimaryAuthentication().getSuccesses()
            .containsKey(AcceptUsersAuthenticationHandler.class.getSimpleName()));
        Assert.assertTrue(assertion.getPrimaryAuthentication().getSuccesses()
            .containsKey(TestOneTimePasswordAuthenticationHandler.class.getSimpleName()));
        Assert.assertTrue(assertion.getPrimaryAuthentication().getAttributes()
            .containsKey("successfulAuthenticationHandlers"));
    }

    /** Builds a username/password credential from the two given values. */
    private static UsernamePasswordCredential newUserPassCredentials(String username, String password) {
        final UsernamePasswordCredential credential = new UsernamePasswordCredential();
        credential.setUsername(username);
        credential.setPassword(password);
        return credential;
    }

    /** Obtains a test {@link Service} for the given id from {@link CoreAuthenticationTestUtils}. */
    private static Service newService(String id) {
        return CoreAuthenticationTestUtils.getService(id);
    }

    /**
     * Runs all supplied credentials through one authentication transaction for the service and
     * returns the finalized result.
     */
    private AuthenticationResult processAuthenticationAttempt(Service service, Credential... credentials)
        throws AuthenticationException {
        return authenticationSystemSupport.handleAndFinalizeSingleAuthenticationTransaction(service, credentials);
    }
}
