package org.apereo.cas.support.saml.web.idp.profile.builders.enc;

import java.io.File;
import java.util.Objects;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.Criterion;
import org.apache.commons.io.FileUtils;
import org.apereo.cas.support.saml.BaseSamlIdPConfigurationTests;
import org.apereo.cas.support.saml.InMemoryResourceMetadataResolver;
import org.apereo.cas.support.saml.SamlIdPUtils;
import org.apereo.cas.support.saml.services.SamlRegisteredService;
import org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.common.binding.security.impl.SAMLOutboundProtocolMessageSigningHandler;
import org.opensaml.saml.common.messaging.context.SAMLMetadataContext;
import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext;
import org.opensaml.saml.common.messaging.context.SAMLSelfEntityContext;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.saml2.metadata.RoleDescriptor;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.opensaml.xmlsec.context.SecurityParametersContext;
import org.pac4j.jee.context.JEEContext;
import org.pac4j.saml.client.SAML2Client;
import org.pac4j.saml.config.SAML2Configuration;
import org.pac4j.saml.context.SAML2MessageContext;
import org.pac4j.saml.crypto.DefaultSignatureSigningParametersProvider;
import org.pac4j.saml.sso.impl.SAML2AuthnRequestBuilder;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.test.context.TestPropertySource;

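/**
 * Exercises {@code samlObjectSignatureValidator.verifySamlProfileRequestIfNeeded} against
 * {@link AuthnRequest}s produced by a pac4j {@link SAML2Client} acting as the service provider.
 *
 * <p>The property overrides below configure MD5-based identifiers in the blocked/allowed
 * signature-signing algorithm lists. NOTE(review): no case in this class asserts on the
 * algorithm actually selected, so the override presumably only exercises the configuration
 * plumbing — confirm against the validator's algorithm handling before relying on it.
 */
@Tag("SAML2")
@TestPropertySource(properties = {"cas.authn.saml-idp.algs.override-blocked-signature-signing-algorithms=http://www.w3.org/2001/04/xmldsig-more#md5", "cas.authn.saml-idp.algs.override-allowed-signature-signing-algorithms=http://www.w3.org/2001/04/xmldsig-more#hmac-md5"})
public class SamlObjectSignatureValidatorTests extends BaseSamlIdPConfigurationTests {
    /** Service-provider entity id used by the cases that write SP metadata to the temp directory. */
    private static final String DEFAULT_SP_ENTITY_ID = "cas:example:sp";

    /** Entity id placed on the peer (IdP) entity context. */
    private static final String IDP_ENTITY_ID = "https://cas.example.org/idp";

    /** Callback URL configured on the pac4j client. */
    private static final String SP_CALLBACK_URL = "http://callback.example.org";

    // pac4j-side configuration of the service provider (keystore, SP metadata, entity id).
    private SAML2Configuration saml2ClientConfiguration;

    // pac4j message context used to build the AuthnRequest under test.
    private SAML2MessageContext saml2MessageContext;

    // Plain OpenSAML message context handed to the validator; nothing is populated on it here.
    private MessageContext samlContext;

    // Metadata facade for the registered service whose SP metadata the validator resolves.
    private SamlRegisteredServiceServiceProviderMetadataFacade adaptor;

    /**
     * Canonical path of the SP metadata file under the JVM temp directory. The file is
     * presumably generated by {@link SAML2Client#init()} when absent — confirm.
     *
     * @return canonical path of {@code <tmp>/sp-metadata.xml}
     * @throws Exception if the path cannot be canonicalised
     */
    private static String tempSpMetadataPath() throws Exception {
        return new File(FileUtils.getTempDirectory(), "sp-metadata.xml").getCanonicalPath();
    }

    /**
     * Builds the client configuration, the pac4j message context, both entity contexts and the
     * registered-service facade for the given service provider.
     *
     * @param spMetadataLocation location of the SP metadata (file path or classpath resource)
     * @param spEntityId         entity id the service provider presents
     * @throws Exception if initialization or metadata resolution fails
     */
    private void setupTestContextFor(String spMetadataLocation, String spEntityId) throws Exception {
        initializeClientConfiguration(spMetadataLocation, spEntityId);
        this.samlContext = new MessageContext();
        this.saml2MessageContext = new SAML2MessageContext();
        this.saml2MessageContext.setSaml2Configuration(this.saml2ClientConfiguration);
        this.saml2MessageContext.setWebContext(new JEEContext(new MockHttpServletRequest(), new MockHttpServletResponse()));
        populatePeerEntityContext();
        populateSelfEntityContext();
        this.adaptor = buildServiceProviderFacade(spMetadataLocation);
    }

    /** Creates and initializes the pac4j SAML2 configuration and a client bound to it. */
    private void initializeClientConfiguration(String spMetadataLocation, String spEntityId) throws Exception {
        String keystorePath = new File(FileUtils.getTempDirectory(), "keystore").getCanonicalPath();
        String idpMetadataPath = new File("src/test/resources/metadata/idp-metadata.xml").getCanonicalPath();
        this.saml2ClientConfiguration = new SAML2Configuration(keystorePath, "changeit", "changeit", idpMetadataPath);
        this.saml2ClientConfiguration.setServiceProviderEntityId(spEntityId);
        this.saml2ClientConfiguration.setServiceProviderMetadataPath(spMetadataLocation);
        this.saml2ClientConfiguration.init();
        // The client instance is not retained; only the side effects of init() are needed
        // (presumably keystore/metadata generation at the configured paths — confirm).
        SAML2Client client = new SAML2Client(this.saml2ClientConfiguration);
        client.setCallbackUrl(SP_CALLBACK_URL);
        client.init();
    }

    /** Populates the peer (IdP) entity context with the IdP role descriptor from the IdP metadata resolver. */
    private void populatePeerEntityContext() throws Exception {
        SAMLPeerEntityContext peerContext = this.saml2MessageContext.getMessageContext().getSubcontext(SAMLPeerEntityContext.class, true);
        Assertions.assertNotNull(peerContext);
        peerContext.setEntityId(IDP_ENTITY_ID);
        SAMLMetadataContext peerMetadata = peerContext.getSubcontext(SAMLMetadataContext.class, true);
        Assertions.assertNotNull(peerMetadata);
        CriteriaSet criteria = new CriteriaSet(
            new EntityIdCriterion(Objects.requireNonNull(peerContext.getEntityId())),
            new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
        RoleDescriptor idpRole = SamlIdPUtils.getRoleDescriptorResolver(this.casSamlIdPMetadataResolver, true).resolveSingle(criteria);
        peerMetadata.setRoleDescriptor(idpRole);
    }

    /** Populates the self (SP) entity context with the SP role descriptor resolved from the client's own metadata. */
    private void populateSelfEntityContext() throws Exception {
        SAMLSelfEntityContext selfContext = this.saml2MessageContext.getMessageContext().getSubcontext(SAMLSelfEntityContext.class, true);
        Assertions.assertNotNull(selfContext);
        selfContext.setEntityId(this.saml2ClientConfiguration.getServiceProviderEntityId());
        SAMLMetadataContext selfMetadata = selfContext.getSubcontext(SAMLMetadataContext.class, true);
        Assertions.assertNotNull(selfMetadata);
        InMemoryResourceMetadataResolver spMetadataResolver = new InMemoryResourceMetadataResolver(this.saml2ClientConfiguration.getServiceProviderMetadataResource(), this.openSamlConfigBean);
        spMetadataResolver.setId(getClass().getSimpleName());
        spMetadataResolver.initialize();
        CriteriaSet criteria = new CriteriaSet(
            new EntityIdCriterion(Objects.requireNonNull(selfContext.getEntityId())),
            new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
        RoleDescriptor spRole = SamlIdPUtils.getRoleDescriptorResolver(spMetadataResolver, true).resolveSingle(criteria);
        selfMetadata.setRoleDescriptor(spRole);
    }

    /** Registers a sample service pointing at the SP metadata and resolves its metadata facade. */
    private SamlRegisteredServiceServiceProviderMetadataFacade buildServiceProviderFacade(String spMetadataLocation) {
        SamlRegisteredService registeredService = new SamlRegisteredService();
        registeredService.setName("Sample");
        registeredService.setServiceId(this.saml2ClientConfiguration.getServiceProviderEntityId());
        registeredService.setId(100L);
        registeredService.setDescription("SAML Service");
        registeredService.setMetadataLocation(spMetadataLocation);
        return SamlRegisteredServiceServiceProviderMetadataFacade.get(this.samlRegisteredServiceCachingMetadataResolver, registeredService, registeredService.getServiceId()).get();
    }

    /**
     * Wraps the request in a fresh message context carrying the SP's signature-signing parameters.
     * Nothing is signed here; callers decide whether to run a signing handler over the result.
     *
     * @param authnRequest the request to attach
     * @return a message context with {@link SecurityParametersContext} populated
     */
    private MessageContext messageContextWithSigningParameters(AuthnRequest authnRequest) {
        MessageContext messageContext = new MessageContext();
        messageContext.setMessage(authnRequest);
        SecurityParametersContext securityParameters = Objects.requireNonNull(messageContext.getSubcontext(SecurityParametersContext.class, true));
        securityParameters.setSignatureSigningParameters(new DefaultSignatureSigningParametersProvider(this.saml2ClientConfiguration).build(this.adaptor.getSsoDescriptor()));
        return messageContext;
    }

    /**
     * An unsigned request built for the temp-directory SP must be accepted by the validator.
     * Wrapped in {@code assertDoesNotThrow} so the intent matches the other cases instead of
     * relying on an implicit "no exception" pass.
     */
    @Test
    public void verifySamlAuthnRequestNotSigned() throws Exception {
        setupTestContextFor(tempSpMetadataPath(), DEFAULT_SP_ENTITY_ID);
        MockHttpServletRequest request = new MockHttpServletRequest();
        AuthnRequest authnRequest = new SAML2AuthnRequestBuilder().build(this.saml2MessageContext);
        Assertions.assertDoesNotThrow(() -> this.samlObjectSignatureValidator.verifySamlProfileRequestIfNeeded(authnRequest, this.adaptor, request, this.samlContext));
    }

    /**
     * A request signed with the SP's signing parameters via OpenSAML's outbound signing handler
     * must validate against the SP metadata.
     */
    @Test
    public void verifySamlAuthnRequestSigned() throws Exception {
        setupTestContextFor(tempSpMetadataPath(), DEFAULT_SP_ENTITY_ID);
        MockHttpServletRequest request = new MockHttpServletRequest();
        AuthnRequest authnRequest = new SAML2AuthnRequestBuilder().build(this.saml2MessageContext);
        MessageContext signingContext = messageContextWithSigningParameters(authnRequest);
        SAMLOutboundProtocolMessageSigningHandler signingHandler = new SAMLOutboundProtocolMessageSigningHandler();
        signingHandler.initialize();
        signingHandler.invoke(signingContext);
        Assertions.assertDoesNotThrow(() -> this.samlObjectSignatureValidator.verifySamlProfileRequestIfNeeded(authnRequest, this.adaptor, request, this.samlContext));
    }

    /**
     * SP metadata listing several signing certificates must still validate the request.
     * {@code setAuthnRequestSigned(true)} is set before building; whether the pac4j builder itself
     * signs the request under that flag is not established here — confirm.
     */
    @Test
    public void verifySamlAuthnRequestSignedMultipleCertificates() throws Exception {
        setupTestContextFor("classpath:metadata/sp-metadata-multicerts.xml", "https://bard.zoom.us");
        MockHttpServletRequest request = new MockHttpServletRequest();
        SAML2AuthnRequestBuilder requestBuilder = new SAML2AuthnRequestBuilder();
        this.saml2ClientConfiguration.setAuthnRequestSigned(true);
        AuthnRequest authnRequest = requestBuilder.build(this.saml2MessageContext);
        Assertions.assertDoesNotThrow(() -> this.samlObjectSignatureValidator.verifySamlProfileRequestIfNeeded(authnRequest, this.adaptor, request, this.samlContext));
    }

    /**
     * Signing parameters are prepared but no signing handler is run, so the request reaches the
     * validator without a signature; the validator must tolerate that for this SP.
     */
    @Test
    public void verifySamlAuthnRequestWithoutSig() throws Exception {
        setupTestContextFor(tempSpMetadataPath(), DEFAULT_SP_ENTITY_ID);
        MockHttpServletRequest request = new MockHttpServletRequest();
        AuthnRequest authnRequest = new SAML2AuthnRequestBuilder().build(this.saml2MessageContext);
        messageContextWithSigningParameters(authnRequest);
        Assertions.assertDoesNotThrow(() -> this.samlObjectSignatureValidator.verifySamlProfileRequestIfNeeded(authnRequest, this.adaptor, request, this.samlContext));
    }
}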
