package org.apereo.cas.support.saml.util;

import java.util.Iterator;
import java.util.Optional;
import java.util.UUID;
import net.shibboleth.shared.resolver.CriteriaSet;
import org.apache.commons.lang3.tuple.Pair;
import org.apereo.cas.support.saml.BaseSamlIdPConfigurationTests;
import org.apereo.cas.support.saml.SamlException;
import org.apereo.cas.support.saml.SamlIdPUtils;
import org.apereo.cas.support.saml.services.SamlRegisteredService;
import org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor;
import org.apereo.cas.util.CollectionUtils;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;
import org.mockito.Mockito;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.common.messaging.context.SAMLBindingContext;
import org.opensaml.saml.criterion.BindingCriterion;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.metadata.resolver.MetadataResolver;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.metadata.Endpoint;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.IndexedEndpoint;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml.saml2.metadata.SingleLogoutService;

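/**
 * Tests for {@link SamlIdPUtils}: name-id qualifier selection, the all-services
 * metadata resolver and, mostly, how the assertion-consumer / logout endpoint for
 * an inbound request is determined against the TestShib sample metadata.
 *
 * <p>The endpoint tests pin down which request attributes may steer the response
 * destination: an unsigned request that names an ACS URL absent from metadata is
 * rejected, while a signed request (or one whose binding carried a signature) may
 * name its own ACS URL. Index-based lookups are checked for both cases.
 */
@Tag("SAML2")
class SamlIdPUtilsTests extends BaseSamlIdPConfigurationTests {

    /** Binding URI handed to every endpoint lookup in this class. */
    private static final String POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";

    @BeforeEach
    public void before() {
        // Every test registers the service it needs; start from an empty registry.
        this.servicesManager.deleteAll();
    }

    /** Loads the TestShib sample service, stores it in the services manager and returns it. */
    private SamlRegisteredService registerTestShibService() {
        SamlRegisteredService service = getSamlRegisteredServiceForTestShib();
        this.servicesManager.save(service);
        return service;
    }

    /**
     * Resolves the metadata adaptor for {@code service} through the caching resolver.
     *
     * @throws AssertionError when no metadata can be resolved for the service entity id
     */
    private SamlRegisteredServiceMetadataAdaptor metadataAdaptorFor(final SamlRegisteredService service) {
        Optional<SamlRegisteredServiceMetadataAdaptor> adaptor = SamlRegisteredServiceMetadataAdaptor.get(
            this.samlRegisteredServiceCachingMetadataResolver, service, service.getServiceId());
        return adaptor.orElseThrow(() -> new AssertionError("No metadata adaptor resolved for " + service.getServiceId()));
    }

    /** Builds a mocked {@link AuthnRequest} whose issuer value is the entity id of {@code service}. */
    private static AuthnRequest mockAuthnRequestFrom(final SamlRegisteredService service) {
        Issuer issuer = Mockito.mock(Issuer.class);
        Mockito.when(issuer.getValue()).thenReturn(service.getServiceId());
        AuthnRequest authnRequest = Mockito.mock(AuthnRequest.class);
        Mockito.when(authnRequest.getIssuer()).thenReturn(issuer);
        return authnRequest;
    }

    /** Wraps {@code authnRequest} as the message of a fresh {@link MessageContext}. */
    private static MessageContext contextCarrying(final AuthnRequest authnRequest) {
        MessageContext messageContext = new MessageContext();
        messageContext.setMessage(authnRequest);
        return messageContext;
    }

    @Test
    void verifyServiceNameQualifier() throws Throwable {
        SamlRegisteredService service = getSamlRegisteredServiceForTestShib();
        String qualifier = UUID.randomUUID().toString();
        service.setNameIdQualifier(qualifier);
        this.servicesManager.save(service);
        // A qualifier configured on the service is returned as-is; a bare mock resolver suffices.
        Assertions.assertEquals(qualifier,
            SamlIdPUtils.determineNameIdNameQualifier(service, Mockito.mock(MetadataResolver.class)));
    }

    @Test
    void verifyEndpointWithoutLocation() throws Throwable {
        LogoutRequest logoutRequest = Mockito.mock(LogoutRequest.class);
        // Bare mock: its location accessors return null, so no usable endpoint exists.
        SingleLogoutService sloService = Mockito.mock(SingleLogoutService.class);
        SamlRegisteredServiceMetadataAdaptor adaptor = Mockito.mock(SamlRegisteredServiceMetadataAdaptor.class);
        Mockito.when(adaptor.getSingleLogoutService(Mockito.anyString())).thenReturn(sloService);
        Assertions.assertThrows(SamlException.class,
            () -> SamlIdPUtils.determineEndpointForRequest(Pair.of(logoutRequest, new MessageContext()), adaptor, POST_BINDING));
    }

    @Test
    void verifyMetadataForAllServices() throws Throwable {
        SamlRegisteredService service = registerTestShibService();
        MetadataResolver resolver = SamlIdPUtils.getMetadataResolverForAllSamlServices(
            this.servicesManager, service.getServiceId(), this.samlRegisteredServiceCachingMetadataResolver);
        Assertions.assertNotNull(resolver);

        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EntityIdCriterion(service.getServiceId()));
        criteria.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
        criteria.add(new BindingCriterion(CollectionUtils.wrap(POST_BINDING)));

        Iterator<EntityDescriptor> resolved = resolver.resolve(criteria).iterator();
        Assertions.assertTrue(resolved.hasNext());
        Assertions.assertEquals(service.getServiceId(), resolved.next().getEntityID());
    }

    @Test
    void verifyUnsignedRequestWithAssertionConsumerServiceUrlNotMatchingMetadataAcsUrl() throws Throwable {
        SamlRegisteredService service = registerTestShibService();
        AuthnRequest authnRequest = mockAuthnRequestFrom(service);
        Mockito.when(authnRequest.getProtocolBinding()).thenReturn(POST_BINDING);
        Mockito.when(authnRequest.getAssertionConsumerServiceURL()).thenReturn("https://some.acs.url");
        // Index 120 does not exist in the sample metadata either.
        Mockito.when(authnRequest.getAssertionConsumerServiceIndex()).thenReturn(120);
        MessageContext messageContext = contextCarrying(authnRequest);
        SamlRegisteredServiceMetadataAdaptor adaptor = metadataAdaptorFor(service);
        // Unsigned request, ACS URL not present in metadata: must not be honoured.
        Assertions.assertThrows(SamlException.class,
            () -> SamlIdPUtils.determineEndpointForRequest(Pair.of(authnRequest, messageContext), adaptor, POST_BINDING));
    }

    @Test
    void verifyUnsignedRequestWithAssertionConsumerServiceUrlNotMatchingMetadataAcsUrlWithIndex() throws Throwable {
        SamlRegisteredService service = registerTestShibService();
        AuthnRequest authnRequest = mockAuthnRequestFrom(service);
        Mockito.when(authnRequest.getProtocolBinding()).thenReturn(POST_BINDING);
        Mockito.when(authnRequest.getAssertionConsumerServiceURL()).thenReturn("https://some.acs.url");
        Mockito.when(authnRequest.getAssertionConsumerServiceIndex()).thenReturn(1);
        MessageContext messageContext = contextCarrying(authnRequest);
        // The unknown ACS URL is ignored and the endpoint comes from metadata index 1.
        Endpoint endpoint = SamlIdPUtils.determineEndpointForRequest(
            Pair.of(authnRequest, messageContext), metadataAdaptorFor(service), POST_BINDING);
        Assertions.assertNotNull(endpoint);
        Assertions.assertEquals("https://sp.testshib.org/Shibboleth.sso/SAML2/POST", endpoint.getResponseLocation());
        Assertions.assertEquals("https://sp.testshib.org/Shibboleth.sso/SAML2/POST", endpoint.getLocation());
    }

    @Test
    void verifySignedRequestWithAssertionConsumerServiceUrlNotMatchingMetadataAcsUrl() throws Throwable {
        SamlRegisteredService service = registerTestShibService();
        AuthnRequest authnRequest = mockAuthnRequestFrom(service);
        Mockito.when(authnRequest.getProtocolBinding()).thenReturn(POST_BINDING);
        Mockito.when(authnRequest.isSigned()).thenReturn(true);
        Mockito.when(authnRequest.getAssertionConsumerServiceURL()).thenReturn("https://some.acs.url");
        // A signed request may name an ACS URL that is not in metadata.
        Endpoint endpoint = SamlIdPUtils.determineEndpointForRequest(
            Pair.of(authnRequest, new MessageContext()), metadataAdaptorFor(service), POST_BINDING);
        Assertions.assertNotNull(endpoint);
        Assertions.assertEquals("https://some.acs.url", endpoint.getLocation());
    }

    @Test
    void verifySignedRequestWithAssertionConsumerServiceIndex() throws Throwable {
        SamlRegisteredService service = registerTestShibService();
        AuthnRequest authnRequest = mockAuthnRequestFrom(service);
        Mockito.when(authnRequest.getAssertionConsumerServiceIndex()).thenReturn(9);
        Mockito.when(authnRequest.getProtocolBinding()).thenReturn(POST_BINDING);
        Mockito.when(authnRequest.isSigned()).thenReturn(true);
        IndexedEndpoint endpoint = SamlIdPUtils.determineEndpointForRequest(
            Pair.of(authnRequest, new MessageContext()), metadataAdaptorFor(service), POST_BINDING);
        Assertions.assertNotNull(endpoint);
        Assertions.assertEquals("https://index9.testshib.org/Shibboleth.sso/SAML/POST", endpoint.getLocation());
        Assertions.assertEquals(9, endpoint.getIndex());
    }

    @Test
    void verifyUnsignedRequestWithAssertionConsumerServiceIndex() throws Throwable {
        SamlRegisteredService service = registerTestShibService();
        AuthnRequest authnRequest = mockAuthnRequestFrom(service);
        Mockito.when(authnRequest.getAssertionConsumerServiceIndex()).thenReturn(9);
        Mockito.when(authnRequest.getProtocolBinding()).thenReturn(POST_BINDING);
        Mockito.when(authnRequest.isSigned()).thenReturn(false);
        SamlRegisteredServiceMetadataAdaptor adaptor = metadataAdaptorFor(service);
        MessageContext messageContext = contextCarrying(authnRequest);
        // Index lookups resolve against metadata, so no signature is needed for them.
        IndexedEndpoint endpoint = SamlIdPUtils.determineEndpointForRequest(
            Pair.of(authnRequest, messageContext), adaptor, POST_BINDING);
        Assertions.assertNotNull(endpoint);
        Assertions.assertEquals("https://index9.testshib.org/Shibboleth.sso/SAML/POST", endpoint.getLocation());
        Assertions.assertEquals(9, endpoint.getIndex());
    }

    @Test
    void verifySignedRequestWithAssertionConsumerServiceUnknownIndex() throws Throwable {
        SamlRegisteredService service = registerTestShibService();
        AuthnRequest authnRequest = mockAuthnRequestFrom(service);
        Mockito.when(authnRequest.getAssertionConsumerServiceIndex()).thenReturn(999);
        Mockito.when(authnRequest.getProtocolBinding()).thenReturn(POST_BINDING);
        Mockito.when(authnRequest.isSigned()).thenReturn(true);
        // An index absent from metadata falls back to the metadata endpoint at index 7.
        IndexedEndpoint endpoint = SamlIdPUtils.determineEndpointForRequest(
            Pair.of(authnRequest, new MessageContext()), metadataAdaptorFor(service), POST_BINDING);
        Assertions.assertNotNull(endpoint);
        Assertions.assertEquals("https://www.testshib.org/Shibboleth.sso/SAML2/POST", endpoint.getLocation());
        Assertions.assertEquals(7, endpoint.getIndex());
    }

    @Test
    void verifySignedRequestWithEmbeddedSignature() throws Throwable {
        SamlRegisteredService service = registerTestShibService();
        AuthnRequest authnRequest = mockAuthnRequestFrom(service);
        Mockito.when(authnRequest.getProtocolBinding()).thenReturn(POST_BINDING);
        Mockito.when(authnRequest.getAssertionConsumerServiceURL()).thenReturn("https://sp.unknown.org/Shibboleth.sso/SAML2/POST");
        MessageContext messageContext = contextCarrying(authnRequest);
        // The request itself is not marked signed; the signature is recorded on the binding context.
        SAMLBindingContext bindingContext = messageContext.ensureSubcontext(SAMLBindingContext.class);
        bindingContext.setHasBindingSignature(true);
        bindingContext.setRelayState(UUID.randomUUID().toString());
        Endpoint endpoint = SamlIdPUtils.determineEndpointForRequest(
            Pair.of(authnRequest, messageContext), metadataAdaptorFor(service), POST_BINDING);
        Assertions.assertNotNull(endpoint);
        Assertions.assertEquals("https://sp.unknown.org/Shibboleth.sso/SAML2/POST", endpoint.getLocation());
    }

    @Test
    void verifyUnsignedRequestWithAssertionConsumerServiceUrlMatchingMetadataAcsUrl() throws Throwable {
        SamlRegisteredService service = registerTestShibService();
        AuthnRequest authnRequest = mockAuthnRequestFrom(service);
        Mockito.when(authnRequest.getProtocolBinding()).thenReturn(POST_BINDING);
        Mockito.when(authnRequest.getAssertionConsumerServiceURL()).thenReturn("https://sp.testshib.org/Shibboleth.sso/SAML2/POST");
        MessageContext messageContext = contextCarrying(authnRequest);
        // Unsigned is fine when the requested ACS URL is one the metadata already lists.
        Endpoint endpoint = SamlIdPUtils.determineEndpointForRequest(
            Pair.of(authnRequest, messageContext), metadataAdaptorFor(service), POST_BINDING);
        Assertions.assertNotNull(endpoint);
        Assertions.assertEquals("https://sp.testshib.org/Shibboleth.sso/SAML2/POST", endpoint.getLocation());
    }

    @Test
    void verifyUnsignedRequestWithAssertionConsumerServiceUrlMatchingAlternateMetadataAcsUrl() throws Throwable {
        SamlRegisteredService service = registerTestShibService();
        AuthnRequest authnRequest = mockAuthnRequestFrom(service);
        Mockito.when(authnRequest.getProtocolBinding()).thenReturn(POST_BINDING);
        Mockito.when(authnRequest.getAssertionConsumerServiceURL()).thenReturn("https://www.testshib.org/Shibboleth.sso/SAML2/POST");
        MessageContext messageContext = contextCarrying(authnRequest);
        Endpoint endpoint = SamlIdPUtils.determineEndpointForRequest(
            Pair.of(authnRequest, messageContext), metadataAdaptorFor(service), POST_BINDING);
        Assertions.assertNotNull(endpoint);
        Assertions.assertEquals("https://www.testshib.org/Shibboleth.sso/SAML2/POST", endpoint.getLocation());
    }

    @Test
    void verifyPreparePeerEntitySamlEndpointContext() throws Throwable {
        MessageContext messageContext = new MessageContext();
        SamlRegisteredServiceMetadataAdaptor adaptor = Mockito.mock(SamlRegisteredServiceMetadataAdaptor.class);
        SamlRegisteredService service = registerTestShibService();
        AuthnRequest authnRequest = mockAuthnRequestFrom(service);

        // No assertion-consumer services in metadata: nothing to prepare.
        Mockito.when(adaptor.containsAssertionConsumerServices()).thenReturn(false);
        Assertions.assertThrows(SamlException.class,
            () -> SamlIdPUtils.preparePeerEntitySamlEndpointContext(Pair.of(authnRequest, messageContext), messageContext, adaptor, POST_BINDING));

        // Services are reported present but the bare mock adaptor yields no usable endpoint — still rejected.
        Mockito.when(adaptor.containsAssertionConsumerServices()).thenReturn(true);
        Mockito.when(authnRequest.isSigned()).thenReturn(true);
        Assertions.assertThrows(SamlException.class,
            () -> SamlIdPUtils.preparePeerEntitySamlEndpointContext(Pair.of(authnRequest, messageContext), messageContext, adaptor, POST_BINDING));
    }
}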
