package org.apereo.cas;

import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.time.Clock;
import java.time.ZonedDateTime;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import java.util.stream.IntStream;
import java.util.stream.Stream;
import org.apereo.cas.audit.AuditableContext;
import org.apereo.cas.audit.AuditableExecution;
import org.apereo.cas.audit.AuditableExecutionResult;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.AuthenticationResult;
import org.apereo.cas.authentication.AuthenticationServiceSelectionStrategy;
import org.apereo.cas.authentication.CoreAuthenticationTestUtils;
import org.apereo.cas.authentication.DefaultAuthenticationServiceSelectionPlan;
import org.apereo.cas.authentication.DefaultAuthenticationServiceSelectionStrategy;
import org.apereo.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler;
import org.apereo.cas.authentication.policy.AtLeastOneCredentialValidatedAuthenticationPolicy;
import org.apereo.cas.authentication.principal.AbstractWebApplicationService;
import org.apereo.cas.authentication.principal.DefaultServiceMatchingStrategy;
import org.apereo.cas.authentication.principal.PrincipalFactoryUtils;
import org.apereo.cas.authentication.principal.PrincipalResolver;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.mock.MockServiceTicket;
import org.apereo.cas.mock.MockTicketGrantingTicket;
import org.apereo.cas.services.CasRegisteredService;
import org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy;
import org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy;
import org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceProxyPolicy;
import org.apereo.cas.services.RegisteredServiceTestUtils;
import org.apereo.cas.services.ReturnAllAttributeReleasePolicy;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.services.UnauthorizedProxyingException;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.apereo.cas.ticket.ExpirationPolicy;
import org.apereo.cas.ticket.InvalidTicketException;
import org.apereo.cas.ticket.ServiceTicket;
import org.apereo.cas.ticket.Ticket;
import org.apereo.cas.ticket.TicketFactory;
import org.apereo.cas.ticket.TicketGrantingTicket;
import org.apereo.cas.ticket.TicketGrantingTicketAwareTicket;
import org.apereo.cas.ticket.expiration.AlwaysExpiresExpirationPolicy;
import org.apereo.cas.ticket.expiration.NeverExpiresExpirationPolicy;
import org.apereo.cas.ticket.registry.TicketRegistry;
import org.apereo.cas.ticket.tracking.TicketTrackingPolicy;
import org.apereo.cas.util.RandomUtils;
import org.apereo.cas.util.crypto.CipherExecutor;
import org.apereo.cas.util.lock.LockRepository;
import org.apereo.cas.validation.Assertion;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;
import org.mockito.ArgumentMatcher;
import org.mockito.Mockito;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;

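/**
 * Mockito-backed tests for the ticket-granting, proxying and validation paths of
 * {@link DefaultCentralAuthenticationService}.
 *
 * <p>The fixture built in {@link #prepareNewCAS()} is deliberately permissive and must not be read
 * as a deployment template: services that may proxy use the catch-all pattern {@code ".*"}, the
 * cipher executor comes from {@code CipherExecutor.noOpOfStringToString()}, and the access-strategy
 * enforcer is a mock that answers every context with a fresh {@link AuditableExecutionResult}.
 */
@Tag("CAS")
class DefaultCentralAuthenticationServiceMockitoTests extends BaseCasCoreTests {
    private static final String TGT_ID = "tgt-id";
    private static final String TGT2_ID = "tgt2-id";
    private static final String ST_ID = "st-id";
    private static final String ST2_ID = "st2-id";
    private static final String SVC1_ID = "test1";
    private static final String SVC2_ID = "test2";
    private static final String PRINCIPAL = "principal";

    // Service under test; rebuilt before every test by prepareNewCAS().
    private CentralAuthenticationService cas;

    // Authentication shared by the root ticket, the mocked tickets and the assertions.
    private Authentication authentication;

    @Autowired
    @Qualifier("ticketRegistry")
    private TicketRegistry ticketRegistry;

    @Autowired
    @Qualifier("defaultTicketFactory")
    private TicketFactory ticketFactory;

    @Autowired
    @Qualifier("servicesManager")
    private ServicesManager servicesManager;

    @Autowired
    @Qualifier("defaultPrincipalResolver")
    private PrincipalResolver principalResolver;

    /**
     * Mockito matcher that accepts a non-null {@link Service} whose id equals {@code id}.
     *
     * <p>Declared as a record so that {@code equals}, {@code hashCode}, {@code toString} and the
     * {@code id()} accessor are generated by the compiler. The previous text spelled these out as
     * hand-written {@code ObjectMethods.bootstrap} calls on a class extending {@code Record},
     * which javac does not accept.
     *
     * @param id the service id a stubbed call must carry
     */
    private record VerifyServiceByIdMatcher(String id) implements ArgumentMatcher<Service> {
        @Override
        public boolean matches(final Service service) {
            return service != null && service.getId().equals(id());
        }
    }

    DefaultCentralAuthenticationServiceMockitoTests() {
    }

    /**
     * Registers the three services the tests rely on.
     *
     * <ul>
     *   <li>{@code first}: access flag {@code true}, proxying refused;</li>
     *   <li>{@code "test"}: access flag {@code false}, proxying allowed;</li>
     *   <li>{@code second}: access flag {@code true}, proxying allowed.</li>
     * </ul>
     *
     * @param first  service registered without the right to proxy
     * @param second service registered with the right to proxy
     */
    private void addServices(final Service first, final Service second) {
        final RegisteredService[] definitions = {
            createMockRegisteredService(first.getId(), true, getServiceProxyPolicy(false)),
            createMockRegisteredService("test", false, getServiceProxyPolicy(true)),
            createMockRegisteredService(second.getId(), true, getServiceProxyPolicy(true)),
        };
        this.servicesManager.save(definitions);
    }

    /**
     * Creates a service ticket that is not yet attached to a ticket-granting ticket.
     *
     * @param id      ticket id
     * @param service service the ticket is issued for
     * @return the new mock service ticket
     */
    private static MockServiceTicket createMockServiceTicket(final String id, final Service service) {
        // The typed null is kept as in the original call; it may be what selects the constructor overload.
        return new MockServiceTicket(id, service, (TicketGrantingTicket) null);
    }

    /**
     * Selects the proxy policy for a test service.
     *
     * @param canProxy whether the service may proxy
     * @return a refusing policy when {@code canProxy} is false, otherwise a regex policy
     */
    private static RegisteredServiceProxyPolicy getServiceProxyPolicy(final boolean canProxy) {
        if (!canProxy) {
            return new RefuseRegisteredServiceProxyPolicy();
        }
        // ".*" accepts every value the policy is asked about. Acceptable in a test fixture only;
        // a real registration should pin the expected proxy callback instead.
        return new RegexMatchingRegisteredServiceProxyPolicy().setPattern(".*");
    }

    /**
     * Builds a CAS registered service with a random numeric id and a random name.
     *
     * @param serviceId   service id (pattern) to register
     * @param enabled     first argument of {@link DefaultRegisteredServiceAccessStrategy}
     *                    (presumably the "access enabled" flag; confirm against that class)
     * @param proxyPolicy proxy policy to attach
     * @return the populated registered service
     */
    private static RegisteredService createMockRegisteredService(final String serviceId, final boolean enabled,
                                                                 final RegisteredServiceProxyPolicy proxyPolicy) {
        final CasRegisteredService registered = new CasRegisteredService();
        registered.setId(RandomUtils.nextInt());
        registered.setName(UUID.randomUUID().toString());
        registered.setServiceId(serviceId);
        // The second constructor argument is fixed to true for every test service.
        registered.setAccessStrategy(new DefaultRegisteredServiceAccessStrategy(enabled, true));
        registered.setProxyPolicy(proxyPolicy);
        // Releases every attribute; fine for a fixture, far too broad for a real service definition.
        registered.setAttributeReleasePolicy(new ReturnAllAttributeReleasePolicy());
        return registered;
    }

    /**
     * Rebuilds the ticket registry content, the service registry content and the service under test.
     *
     * @throws Throwable if any collaborator fails while the fixture is assembled
     */
    @BeforeEach
    public void prepareNewCAS() throws Throwable {
        this.authentication = RegisteredServiceTestUtils.getAuthentication(
            PRINCIPAL,
            new SimpleTestUsernamePasswordAuthenticationHandler(),
            RegisteredServiceTestUtils.getCredentialsWithSameUsernameAndPassword(PRINCIPAL),
            Map.of());

        final TicketGrantingTicket rootTicket = createRootTicketGrantingTicket();

        // First pair: TGT_ID reports a non-null getProxiedBy() and belongs to SVC1, which is
        // registered with a refusing proxy policy.
        final AbstractWebApplicationService firstService = RegisteredServiceTestUtils.getService(SVC1_ID);
        final MockServiceTicket firstServiceTicket = createMockServiceTicket(ST_ID, firstService);
        final TicketGrantingTicket firstGrantingTicket =
            createMockTicketGrantingTicket(TGT_ID, firstServiceTicket, false, rootTicket, new ArrayList<>());
        Mockito.when(firstGrantingTicket.getProxiedBy()).thenReturn(RegisteredServiceTestUtils.getService("proxiedBy"));
        firstServiceTicket.setTicketGrantingTicket(firstGrantingTicket);

        // This stubbing replaces the empty chain passed to the factory call above.
        final List<Authentication> chain = List.of(this.authentication, this.authentication);
        Mockito.when(firstGrantingTicket.getChainedAuthentications()).thenReturn(chain);

        // Second pair: TGT2_ID belongs to SVC2, which is allowed to proxy.
        final AbstractWebApplicationService secondService = RegisteredServiceTestUtils.getService(SVC2_ID);
        final MockServiceTicket secondServiceTicket = createMockServiceTicket(ST2_ID, secondService);
        final TicketGrantingTicket secondGrantingTicket =
            createMockTicketGrantingTicket(TGT2_ID, secondServiceTicket, false, rootTicket, chain);
        secondServiceTicket.setTicketGrantingTicket(secondGrantingTicket);

        this.ticketRegistry.addTicket(
            Stream.of(firstServiceTicket, firstGrantingTicket, secondServiceTicket, secondGrantingTicket));
        addServices(firstService, secondService);

        final DefaultAuthenticationServiceSelectionPlan selectionPlan = new DefaultAuthenticationServiceSelectionPlan(
            new AuthenticationServiceSelectionStrategy[]{new DefaultAuthenticationServiceSelectionStrategy()});

        // NOTE(review): the enforcer mock answers every context with a new AuditableExecutionResult,
        // so it presumably never reports a denial. The negative tests below therefore do not
        // exercise the access-strategy enforcer; confirm they fail for the reason each one names.
        final AuditableExecution enforcer = Mockito.mock(AuditableExecution.class);
        Mockito.when(enforcer.execute((AuditableContext) Mockito.any())).thenReturn(new AuditableExecutionResult());

        final CentralAuthenticationServiceContext context = CentralAuthenticationServiceContext.builder()
            .applicationContext(this.applicationContext)
            .ticketRegistry(this.ticketRegistry)
            .servicesManager(this.servicesManager)
            .ticketFactory(this.ticketFactory)
            .lockRepository(LockRepository.asDefault())
            .authenticationServiceSelectionPlan(selectionPlan)
            .authenticationPolicy(new AtLeastOneCredentialValidatedAuthenticationPolicy(false))
            .principalFactory(PrincipalFactoryUtils.newPrincipalFactory())
            // No-op cipher by name: the fixture presumably runs without ticket encryption or signing.
            .cipherExecutor(CipherExecutor.noOpOfStringToString())
            .registeredServiceAccessStrategyEnforcer(enforcer)
            .serviceMatchingStrategy(new DefaultServiceMatchingStrategy(this.servicesManager))
            .principalResolver(this.principalResolver)
            .build();
        this.cas = new DefaultCentralAuthenticationService(context);
    }

    /** A service-ticket id that was never added to the registry must be rejected as invalid. */
    @Test
    void verifyNonExistentServiceWhenDelegatingTicketGrantingTicket() throws Throwable {
        Assertions.assertThrows(InvalidTicketException.class,
            () -> this.cas.createProxyGrantingTicket("bad-st", getAuthenticationContext()));
    }

    /**
     * A proxy-granting ticket must not be created from {@code ST_ID}. That ticket belongs to SVC1,
     * which is registered with a refusing proxy policy; presumably that policy is what triggers
     * the exception (confirm against the service implementation).
     */
    @Test
    void verifyInvalidServiceWhenDelegatingTicketGrantingTicket() throws Throwable {
        Assertions.assertThrows(UnauthorizedServiceException.class,
            () -> this.cas.createProxyGrantingTicket(ST_ID, getAuthenticationContext()));
    }

    /**
     * {@code TGT_ID} reports a proxying service and SVC1 refuses proxying, so granting a service
     * ticket for SVC1 from it must fail with {@link UnauthorizedProxyingException}.
     */
    @Test
    void disallowVendingServiceTicketsWhenServiceIsNotAllowedToProxyCAS1019() {
        Assertions.assertThrows(UnauthorizedProxyingException.class,
            () -> this.cas.grantServiceTicket(TGT_ID, RegisteredServiceTestUtils.getService(SVC1_ID),
                getAuthenticationContext()));
    }

    /**
     * Grants and validates a service ticket for SVC2 and checks that the assertion carries the
     * expected service, principal and both chained authentications.
     */
    @Test
    void verifyChainedAuthenticationsOnValidation() throws Throwable {
        final AbstractWebApplicationService service = RegisteredServiceTestUtils.getService(SVC2_ID);
        final Ticket serviceTicket = this.cas.grantServiceTicket(TGT2_ID, service, getAuthenticationContext());
        Assertions.assertNotNull(serviceTicket);

        final Assertion assertion = this.cas.validateServiceTicket(serviceTicket.getId(), service);
        Assertions.assertNotNull(assertion);
        Assertions.assertEquals(assertion.getService(), service);
        Assertions.assertEquals(PRINCIPAL, assertion.getPrimaryAuthentication().getPrincipal().getId());
        // Value comparison: assertSame on boxed integers only passes by virtue of the Integer cache.
        Assertions.assertEquals(2, assertion.getChainedAuthentications().size());
        for (final Authentication chained : assertion.getChainedAuthentications()) {
            Assertions.assertEquals(chained, this.authentication);
        }
    }

    /** Wraps the shared authentication in the result object expected by the service under test. */
    private AuthenticationResult getAuthenticationContext() {
        return CoreAuthenticationTestUtils.getAuthenticationResult(this.authentication);
    }

    /** Creates the root ticket-granting ticket that both mocked tickets report from getRoot(). */
    private TicketGrantingTicket createRootTicketGrantingTicket() {
        return new MockTicketGrantingTicket(this.authentication);
    }

    /**
     * Creates a Mockito mock of {@link TicketGrantingTicket} with the stubbed behaviour the tests need.
     *
     * @param id            value returned by {@code getId()}
     * @param serviceTicket ticket returned by {@code grantServiceTicket} when the requested service
     *                      has the same id as this ticket's service
     * @param expired       value returned by {@code isExpired()}; also selects the expiration policy
     * @param root          value returned by {@code getRoot()}
     * @param chain         value returned by {@code getChainedAuthentications()}
     * @return the configured mock
     */
    private TicketGrantingTicket createMockTicketGrantingTicket(final String id, final ServiceTicket serviceTicket,
                                                                final boolean expired, final TicketGrantingTicket root,
                                                                final List<Authentication> chain) {
        // Read before stubbing starts so no unrelated call runs while Mockito records matchers.
        final String expectedServiceId = serviceTicket.getService().getId();

        final TicketGrantingTicket ticket = Mockito.mock(TicketGrantingTicket.class);
        Mockito.when(ticket.isExpired()).thenReturn(expired);
        Mockito.when(ticket.getId()).thenReturn(id);

        final ExpirationPolicy policy = expired
            ? AlwaysExpiresExpirationPolicy.INSTANCE
            : NeverExpiresExpirationPolicy.INSTANCE;
        Mockito.when(ticket.getExpirationPolicy()).thenReturn(policy);

        // A request for any other service id falls through to Mockito's default answer
        // instead of returning this service ticket.
        Mockito.when(ticket.grantServiceTicket(
                Mockito.anyString(),
                Mockito.argThat(new VerifyServiceByIdMatcher(expectedServiceId)),
                Mockito.any(ExpirationPolicy.class),
                Mockito.anyBoolean(),
                (TicketTrackingPolicy) Mockito.any()))
            .thenReturn(serviceTicket);
        Mockito.when(ticket.getRoot()).thenReturn(root);
        Mockito.when(ticket.getChainedAuthentications()).thenReturn(chain);
        Mockito.when(ticket.getAuthentication()).thenReturn(this.authentication);
        Mockito.when(ticket.getCreationTime()).thenReturn(ZonedDateTime.now(Clock.systemUTC()));
        return ticket;
    }
}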
