package org.apereo.cas.support.saml.services;

import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.File;
import java.io.IOException;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Objects;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.Criterion;
import org.apache.commons.io.FileUtils;
import org.apereo.cas.authentication.CoreAuthenticationTestUtils;
import org.apereo.cas.services.RegisteredServiceAttributeReleasePolicyContext;
import org.apereo.cas.support.saml.BaseSamlIdPConfigurationTests;
import org.apereo.cas.support.saml.InMemoryResourceMetadataResolver;
import org.apereo.cas.support.saml.SamlIdPTestUtils;
import org.apereo.cas.support.saml.SamlIdPUtils;
import org.apereo.cas.support.saml.SamlUtils;
import org.apereo.cas.support.saml.authentication.SamlIdPAuthenticationContext;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.EncodingUtils;
import org.apereo.cas.util.HttpRequestUtils;
import org.apereo.cas.util.serialization.JacksonObjectMapperFactory;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.common.messaging.context.SAMLMetadataContext;
import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext;
import org.opensaml.saml.common.messaging.context.SAMLSelfEntityContext;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Extensions;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.saml2.metadata.RequestedAttribute;
import org.opensaml.saml.saml2.metadata.RoleDescriptor;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.pac4j.core.context.JEEContext;
import org.pac4j.saml.client.SAML2Client;
import org.pac4j.saml.config.SAML2Configuration;
import org.pac4j.saml.context.SAML2MessageContext;
import org.pac4j.saml.sso.impl.SAML2AuthnRequestBuilder;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.test.context.TestPropertySource;

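/**
 * Tests for {@link AuthnRequestRequestedAttributesAttributeReleasePolicy}.
 *
 * <p>Each scenario builds a real SAML2 {@code AuthnRequest} with pac4j, optionally
 * decorates it with an {@code <Extensions>} block carrying a {@code RequestedAttribute},
 * stores it in the IdP's distributed session store the way the IdP login flow would, and
 * then checks which principal attributes the policy releases. The serialization round trip
 * guards the JSON form that registered-service definitions are persisted in.
 */
@Tag("SAML")
@TestPropertySource(properties = {"cas.session-replication.cookie.auto-configure-cookie-path=true", "cas.authn.saml-idp.core.session-storage-type=TICKET_REGISTRY", "cas.authn.saml-idp.core.entity-id=https://cas.example.org/idp", "cas.authn.saml-idp.metadata.file-system.location=${#systemProperties['java.io.tmpdir']}/idp-metadata4"})
public class AuthnRequestRequestedAttributesAttributeReleasePolicyTests extends BaseSamlIdPConfigurationTests {
    /**
     * Fixture file for the JSON round trip. It lives under the shared temp directory with a
     * fixed name, so it is written and immediately read back by the same test only.
     */
    private static final File JSON_FILE = new File(FileUtils.getTempDirectoryPath(), "AuthnRequestRequestedAttributesAttributeReleasePolicyTests.json");

    /**
     * Mapper with default typing enabled, i.e. the JSON carries type information that is
     * honoured on read. That is what makes the polymorphic policy round trip work here; it
     * also means this mapper is only suitable for input the test itself produced.
     */
    private static final ObjectMapper MAPPER = JacksonObjectMapperFactory.builder().defaultTypingEnabled(true).build().toObjectMapper();

    private SAML2Configuration saml2Configuration;

    private SAML2MessageContext saml2MessageContext;

    /**
     * Wires a pac4j SP ("cas:example:sp") against the test IdP so that
     * {@link SAML2AuthnRequestBuilder} can produce an {@code AuthnRequest} whose peer (IdP)
     * and self (SP) roles both resolve from metadata.
     *
     * @throws Exception if metadata generation or role resolution fails
     */
    @BeforeEach
    public void initialize() throws Exception {
        var idpMetadataPath = new File("src/test/resources/metadata/idp-metadata.xml").getCanonicalPath();
        var keystorePath = new File(FileUtils.getTempDirectory(), "keystore").getCanonicalPath();
        var spMetadataPath = new File(FileUtils.getTempDirectory(), "sp-metadata.xml").getCanonicalPath();

        // Test-only keystore credentials; pac4j generates the keystore and SP metadata on init().
        this.saml2Configuration = new SAML2Configuration(keystorePath, "changeit", "changeit", idpMetadataPath);
        this.saml2Configuration.setServiceProviderEntityId("cas:example:sp");
        this.saml2Configuration.setServiceProviderMetadataPath(spMetadataPath);
        this.saml2Configuration.init();

        var client = new SAML2Client(this.saml2Configuration);
        client.setCallbackUrl("http://callback.example.org");
        client.init();

        this.saml2MessageContext = new SAML2MessageContext();
        this.saml2MessageContext.setSaml2Configuration(this.saml2Configuration);
        this.saml2MessageContext.setWebContext(new JEEContext(new MockHttpServletRequest(), new MockHttpServletResponse()));

        // Peer side is the IdP. The entity id is kept in sync with cas.authn.saml-idp.core.entity-id
        // above so the IDPSSODescriptor resolves from the same metadata the IdP publishes.
        var peerContext = this.saml2MessageContext.getMessageContext().getSubcontext(SAMLPeerEntityContext.class, true);
        Assertions.assertNotNull(peerContext);
        peerContext.setEntityId("https://cas.example.org/idp");
        var peerMetadata = peerContext.getSubcontext(SAMLMetadataContext.class, true);
        Assertions.assertNotNull(peerMetadata);
        peerMetadata.setRoleDescriptor(SamlIdPUtils.getRoleDescriptorResolver(this.casSamlIdPMetadataResolver, true)
            .resolveSingle(new CriteriaSet(
                new EntityIdCriterion(Objects.requireNonNull(peerContext.getEntityId())),
                new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME))));

        // Self side is the SP, resolved from the metadata pac4j just wrote to spMetadataPath.
        var selfContext = this.saml2MessageContext.getMessageContext().getSubcontext(SAMLSelfEntityContext.class, true);
        Assertions.assertNotNull(selfContext);
        selfContext.setEntityId(this.saml2Configuration.getServiceProviderEntityId());
        var selfMetadata = selfContext.getSubcontext(SAMLMetadataContext.class, true);
        Assertions.assertNotNull(selfMetadata);
        var spMetadataResolver = new InMemoryResourceMetadataResolver(new File(spMetadataPath), this.openSamlConfigBean);
        spMetadataResolver.setId(getClass().getSimpleName());
        spMetadataResolver.initialize();
        selfMetadata.setRoleDescriptor(SamlIdPUtils.getRoleDescriptorResolver(spMetadataResolver, true)
            .resolveSingle(new CriteriaSet(
                new EntityIdCriterion(Objects.requireNonNull(selfContext.getEntityId())),
                new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME))));
    }

    /**
     * The policy must survive a JSON write/read cycle unchanged, including its
     * {@code useFriendlyName} flag.
     *
     * @throws IOException if the fixture file cannot be written or read
     */
    @Test
    public void verifySerializationToJson() throws IOException {
        var policy = new AuthnRequestRequestedAttributesAttributeReleasePolicy();
        policy.setUseFriendlyName(true);
        MAPPER.writeValue(JSON_FILE, policy);
        var restored = MAPPER.readValue(JSON_FILE, AuthnRequestRequestedAttributesAttributeReleasePolicy.class);
        Assertions.assertEquals(policy, restored);
        Assertions.assertNotNull(restored.toString());
    }

    /**
     * Without an {@code AuthnRequest} in the session store the policy cannot decide what was
     * requested and rejects the release context.
     */
    @Test
    public void verifyNoAuthnRequest() {
        var policy = newPolicy(List.of("eduPersonPrincipalAttribute"), true);
        var service = registeredServiceWith(policy);
        var context = releaseContext(service, false);
        Assertions.assertThrows(IllegalArgumentException.class, () -> policy.getAttributes(context));
    }

    /**
     * An {@code AuthnRequest} that carries no {@code <Extensions>} requests nothing, so nothing
     * is released.
     *
     * @throws IOException if the request cannot be serialized into the session store
     */
    @Test
    public void verifyAuthnRequestWithoutExtensions() throws IOException {
        var policy = newPolicy(List.of("eduPersonPrincipalAttribute"), true);
        var service = registeredServiceWith(policy);
        var authnRequest = new SAML2AuthnRequestBuilder().build(this.saml2MessageContext);
        storeAuthnRequestInSession(authnRequest);
        Assertions.assertTrue(policy.getAttributes(releaseContext(service, false)).isEmpty());
    }

    /**
     * The SP requests {@code givenName} and the principal has it, but the policy's allowed list
     * does not include it. The request alone must not widen the release.
     *
     * @throws IOException if the request cannot be serialized into the session store
     */
    @Test
    public void verifyAuthnRequestWithExtensionsNotAllowed() throws IOException {
        var policy = newPolicy(List.of("eduPersonPrincipalAttribute"), false);
        var service = registeredServiceWith(policy);
        var authnRequest = new SAML2AuthnRequestBuilder().build(this.saml2MessageContext);
        addRequestedAttribute(authnRequest, "givenName");
        storeAuthnRequestInSession(authnRequest);
        Assertions.assertTrue(policy.getAttributes(releaseContext(service, true)).isEmpty());
    }

    /**
     * Requested by the SP, allowed by the policy and present on the principal: the attribute is
     * released and reported as a requested attribute definition.
     *
     * @throws IOException if the request cannot be serialized into the session store
     */
    @Test
    public void verifyAuthnRequestWithExtensionsAllowed() throws IOException {
        var policy = newPolicy(List.of("eduPersonPrincipalName"), false);
        var service = registeredServiceWith(policy);
        var authnRequest = new SAML2AuthnRequestBuilder().build(this.saml2MessageContext);
        addRequestedAttribute(authnRequest, "eduPersonPrincipalName");
        storeAuthnRequestInSession(authnRequest);
        var context = releaseContext(service, true);
        Assertions.assertTrue(policy.getAttributes(context).containsKey("eduPersonPrincipalName"));
        Assertions.assertTrue(policy.determineRequestedAttributeDefinitions(context).contains("eduPersonPrincipalName"));
    }

    /**
     * Creates the policy under test.
     *
     * @param allowedAttributes attribute names the policy may release
     * @param useFriendlyName   whether requested attributes are matched by friendly name
     * @return a configured policy
     */
    private static AuthnRequestRequestedAttributesAttributeReleasePolicy newPolicy(final List<String> allowedAttributes,
                                                                                    final boolean useFriendlyName) {
        var policy = new AuthnRequestRequestedAttributesAttributeReleasePolicy();
        policy.setAllowedAttributes(allowedAttributes);
        policy.setUseFriendlyName(useFriendlyName);
        return policy;
    }

    /**
     * Wraps the policy in the stock SAML registered service used by the IdP tests.
     *
     * @param policy the release policy to attach
     * @return the registered service
     */
    private static SamlRegisteredService registeredServiceWith(final AuthnRequestRequestedAttributesAttributeReleasePolicy policy) {
        SamlRegisteredService service = SamlIdPTestUtils.getSamlRegisteredService();
        service.setAttributeReleasePolicy(policy);
        return service;
    }

    /**
     * Builds the release context for principal {@code casuser}.
     *
     * @param service       the registered service carrying the policy
     * @param withGivenName whether the principal also carries {@code givenName=CAS} besides
     *                      {@code eduPersonPrincipalName=casuser}
     * @return the release context
     */
    private static RegisteredServiceAttributeReleasePolicyContext releaseContext(final SamlRegisteredService service,
                                                                                 final boolean withGivenName) {
        var attributes = withGivenName
            ? CollectionUtils.wrap("eduPersonPrincipalName", "casuser", "givenName", "CAS")
            : CollectionUtils.wrap("eduPersonPrincipalName", "casuser");
        return RegisteredServiceAttributeReleasePolicyContext.builder()
            .registeredService(service)
            .service(CoreAuthenticationTestUtils.getService())
            .principal(CoreAuthenticationTestUtils.getPrincipal("casuser", attributes))
            .build();
    }

    /**
     * Attaches an {@code <Extensions>} element holding one optional {@code RequestedAttribute}.
     *
     * @param authnRequest  the request to decorate
     * @param attributeName the {@code Name} of the requested attribute
     */
    private void addRequestedAttribute(final AuthnRequest authnRequest, final String attributeName) {
        var builderFactory = this.openSamlConfigBean.getBuilderFactory();
        Extensions extensions = builderFactory.getBuilder(Extensions.DEFAULT_ELEMENT_NAME).buildObject();
        RequestedAttribute requested = builderFactory.getBuilder(RequestedAttribute.DEFAULT_ELEMENT_NAME)
            .buildObject(RequestedAttribute.DEFAULT_ELEMENT_NAME);
        requested.setIsRequired(false);
        requested.setName(attributeName);
        extensions.getUnknownXMLObjects().add(requested);
        authnRequest.setExtensions(extensions);
    }

    /**
     * Stores the request in the distributed session store under the same keys the IdP login
     * flow uses: the base64 {@code SAMLRequest} and the encoded {@link MessageContext}.
     * The policy under test is expected to read the request back from there.
     *
     * @param authnRequest the request to store
     * @throws IOException if serializing the request fails
     */
    private void storeAuthnRequestInSession(final AuthnRequest authnRequest) throws IOException {
        try (StringWriter xml = SamlUtils.transformSamlObject(this.openSamlConfigBean, authnRequest)) {
            var encodedRequest = EncodingUtils.encodeBase64(xml.toString().getBytes(StandardCharsets.UTF_8));
            // NOTE(review): relies on a request/response already bound to the current thread,
            // presumably by the base test class — confirm if this is reused elsewhere.
            var webContext = new JEEContext(HttpRequestUtils.getHttpServletRequestFromRequestAttributes(),
                HttpRequestUtils.getHttpServletResponseFromRequestAttributes());
            this.samlIdPDistributedSessionStore.set(webContext, "SAMLRequest", encodedRequest);
            var messageContext = new MessageContext();
            messageContext.setMessage(authnRequest);
            this.samlIdPDistributedSessionStore.set(webContext, MessageContext.class.getName(),
                SamlIdPAuthenticationContext.from(messageContext).encode());
        }
    }
}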
