package org.apereo.cas.support.saml.services;

import com.fasterxml.jackson.databind.ObjectMapper;
import jakarta.validation.constraints.NotNull;
import java.io.File;
import java.io.IOException;
import java.util.List;
import java.util.Objects;
import java.util.UUID;
import net.shibboleth.shared.resolver.CriteriaSet;
import net.shibboleth.shared.resolver.Criterion;
import org.apache.commons.io.FileUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apereo.cas.authentication.CoreAuthenticationTestUtils;
import org.apereo.cas.services.RegisteredServiceAttributeReleasePolicyContext;
import org.apereo.cas.support.saml.BaseSamlIdPConfigurationTests;
import org.apereo.cas.support.saml.InMemoryResourceMetadataResolver;
import org.apereo.cas.support.saml.SamlIdPTestUtils;
import org.apereo.cas.support.saml.SamlIdPUtils;
import org.apereo.cas.support.saml.idp.SamlIdPSessionManager;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.http.HttpRequestUtils;
import org.apereo.cas.util.serialization.JacksonObjectMapperFactory;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.common.messaging.context.SAMLMetadataContext;
import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext;
import org.opensaml.saml.common.messaging.context.SAMLSelfEntityContext;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Extensions;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.saml2.metadata.RequestedAttribute;
import org.opensaml.saml.saml2.metadata.RoleDescriptor;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.pac4j.core.context.CallContext;
import org.pac4j.jee.context.JEEContext;
import org.pac4j.jee.context.session.JEESessionStore;
import org.pac4j.saml.client.SAML2Client;
import org.pac4j.saml.config.SAML2Configuration;
import org.pac4j.saml.context.SAML2MessageContext;
import org.pac4j.saml.sso.impl.SAML2AuthnRequestBuilder;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.test.context.TestPropertySource;

@Tag("SAMLAttributes")
@TestPropertySource(properties = {"cas.authn.saml-idp.core.session-replication.cookie.auto-configure-cookie-path=true", "cas.authn.saml-idp.core.session-storage-type=TICKET_REGISTRY", "cas.authn.saml-idp.core.entity-id=https://cas.example.org/idp", "cas.authn.saml-idp.metadata.file-system.location=${#systemProperties['java.io.tmpdir']}/idp-metadata46"})
/* loaded from: input_file:org/apereo/cas/support/saml/services/AuthnRequestRequestedAttributesAttributeReleasePolicyTests.class */
class AuthnRequestRequestedAttributesAttributeReleasePolicyTests extends BaseSamlIdPConfigurationTests {
    /**
     * Scratch file used by the JSON round-trip test. Lives in the shared temp
     * directory under a fixed name, so concurrent runs of this class would
     * share (and overwrite) it.
     */
    private static final File JSON_FILE = new File(FileUtils.getTempDirectoryPath(), "AuthnRequestRequestedAttributesAttributeReleasePolicyTests.json");

    /** Mapper with default typing enabled, matching how CAS serializes registered-service policies. */
    private static final ObjectMapper MAPPER = JacksonObjectMapperFactory.builder().defaultTypingEnabled(true).build().toObjectMapper();

    /** SP-side message context that {@link SAML2AuthnRequestBuilder} builds authn requests from; set up in {@link #initialize()}. */
    private SAML2MessageContext saml2MessageContext;

    AuthnRequestRequestedAttributesAttributeReleasePolicyTests() {
    }

    /**
     * Builds a pac4j SAML2 client configuration and a message context whose
     * peer entity is the CAS IdP (resolved from the IdP metadata resolver)
     * and whose self entity is the test SP (resolved from the SP metadata
     * the client writes to the temp directory).
     *
     * @throws Throwable when metadata or role descriptors cannot be resolved
     */
    @BeforeEach
    public void initialize() throws Throwable {
        final var idpMetadataPath = new File("src/test/resources/metadata/idp-metadata.xml").getCanonicalPath();
        final var keystorePath = new File(FileUtils.getTempDirectory(), "keystore").getCanonicalPath();
        final var spMetadataPath = new File(FileUtils.getTempDirectory(), "sp-metadata.xml").getCanonicalPath();

        // Test-only keystore credentials; the keystore itself is generated by the client on init.
        final var saml2Configuration = new SAML2Configuration(keystorePath, "changeit", "changeit", idpMetadataPath);
        saml2Configuration.setServiceProviderEntityId("cas:example:sp");
        saml2Configuration.setServiceProviderMetadataPath(spMetadataPath);
        saml2Configuration.init();

        final var saml2Client = new SAML2Client(saml2Configuration);
        saml2Client.setCallbackUrl("http://callback.example.org");
        saml2Client.init();

        final var request = new MockHttpServletRequest();
        request.addHeader("user-agent", "Mozilla/5.0 (Windows NT 10.0; WOW64)");
        final var callContext = new CallContext(new JEEContext(request, new MockHttpServletResponse()), new JEESessionStore());
        this.saml2MessageContext = new SAML2MessageContext(callContext);
        this.saml2MessageContext.setSaml2Configuration(saml2Configuration);

        // Peer side: the IdP, looked up by entity id in the CAS IdP metadata resolver.
        final var peerContext = this.saml2MessageContext.getMessageContext().ensureSubcontext(SAMLPeerEntityContext.class);
        Assertions.assertNotNull(peerContext);
        peerContext.setEntityId("https://cas.example.org/idp");
        final var peerMetadata = peerContext.ensureSubcontext(SAMLMetadataContext.class);
        Assertions.assertNotNull(peerMetadata);
        final var idpCriteria = new CriteriaSet(new Criterion[]{
            new EntityIdCriterion((String) Objects.requireNonNull(peerContext.getEntityId())),
            new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME)});
        final var idpRole = (RoleDescriptor) SamlIdPUtils.getRoleDescriptorResolver(this.casSamlIdPMetadataResolver, true).resolveSingle(idpCriteria);
        peerMetadata.setRoleDescriptor(idpRole);

        // Self side: the SP, looked up in the metadata file the client just generated.
        final var selfContext = this.saml2MessageContext.getMessageContext().ensureSubcontext(SAMLSelfEntityContext.class);
        Assertions.assertNotNull(selfContext);
        selfContext.setEntityId(saml2Configuration.getServiceProviderEntityId());
        final var selfMetadata = selfContext.ensureSubcontext(SAMLMetadataContext.class);
        Assertions.assertNotNull(selfMetadata);
        final var spMetadataResolver = new InMemoryResourceMetadataResolver(new File(spMetadataPath), this.openSamlConfigBean);
        spMetadataResolver.setId(getClass().getSimpleName());
        spMetadataResolver.initialize();
        final var spCriteria = new CriteriaSet(new Criterion[]{
            new EntityIdCriterion((String) Objects.requireNonNull(selfContext.getEntityId())),
            new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME)});
        final var spRole = (RoleDescriptor) SamlIdPUtils.getRoleDescriptorResolver(spMetadataResolver, true).resolveSingle(spCriteria);
        selfMetadata.setRoleDescriptor(spRole);
    }

    /**
     * The policy survives a JSON write/read round trip with equality intact.
     *
     * @throws IOException if the scratch file cannot be written or read
     */
    @Test
    void verifySerializationToJson() throws IOException {
        final var policy = new AuthnRequestRequestedAttributesAttributeReleasePolicy();
        policy.setUseFriendlyName(true);
        MAPPER.writeValue(JSON_FILE, policy);
        final var restored = MAPPER.readValue(JSON_FILE, AuthnRequestRequestedAttributesAttributeReleasePolicy.class);
        Assertions.assertEquals(policy, restored);
        Assertions.assertNotNull(restored.toString());
    }

    /**
     * Without a stored authn request the policy refuses to evaluate and
     * throws {@link IllegalArgumentException}.
     *
     * @throws Throwable on test setup failure
     */
    @Test
    void verifyNoAuthnRequest() throws Throwable {
        final var policy = newPolicy("eduPersonPrincipalAttribute", true);
        final var registeredService = SamlIdPTestUtils.getSamlRegisteredService();
        registeredService.setAttributeReleasePolicy(policy);
        final var principal = CoreAuthenticationTestUtils.getPrincipal("casuser", CollectionUtils.wrap("eduPersonPrincipalName", "casuser"));
        final var context = RegisteredServiceAttributeReleasePolicyContext.builder()
            .registeredService(registeredService)
            .applicationContext(this.applicationContext)
            .service(CoreAuthenticationTestUtils.getService())
            .principal(principal)
            .build();
        Assertions.assertThrows(IllegalArgumentException.class, () -> policy.getAttributes(context));
    }

    /**
     * An authn request that carries no {@code Extensions} element yields no
     * released attributes.
     *
     * @throws Throwable on test setup failure
     */
    @Test
    void verifyAuthnRequestWithoutExtensions() throws Throwable {
        final var policy = newPolicy("eduPersonPrincipalAttribute", true);
        final var registeredService = SamlIdPTestUtils.getSamlRegisteredService();
        registeredService.setAttributeReleasePolicy(policy);
        storeSamlAuthnRequest(new SAML2AuthnRequestBuilder().build(this.saml2MessageContext));
        final var principal = CoreAuthenticationTestUtils.getPrincipal("casuser", CollectionUtils.wrap("eduPersonPrincipalName", "casuser"));
        final var context = RegisteredServiceAttributeReleasePolicyContext.builder()
            .registeredService(registeredService)
            .service(CoreAuthenticationTestUtils.getService())
            .applicationContext(this.applicationContext)
            .principal(principal)
            .build();
        Assertions.assertTrue(policy.getAttributes(context).isEmpty());
    }

    /**
     * A requested attribute ({@code givenName}) that is not in the policy's
     * allowed list is not released, even though the principal has it.
     *
     * @throws Throwable on test setup failure
     */
    @Test
    void verifyAuthnRequestWithExtensionsNotAllowed() throws Throwable {
        final var policy = newPolicy("eduPersonPrincipalAttribute", false);
        final var registeredService = SamlIdPTestUtils.getSamlRegisteredService();
        registeredService.setAttributeReleasePolicy(policy);
        final var authnRequest = new SAML2AuthnRequestBuilder().build(this.saml2MessageContext);
        withRequestedAttribute(authnRequest, "givenName");
        storeSamlAuthnRequest(authnRequest);
        final var principal = CoreAuthenticationTestUtils.getPrincipal("casuser", CollectionUtils.wrap("eduPersonPrincipalName", "casuser", "givenName", "CAS"));
        final var context = RegisteredServiceAttributeReleasePolicyContext.builder()
            .registeredService(registeredService)
            .service(CoreAuthenticationTestUtils.getService())
            .applicationContext(this.applicationContext)
            .principal(principal)
            .build();
        Assertions.assertTrue(policy.getAttributes(context).isEmpty());
    }

    /**
     * A requested attribute that is both present on the principal and in the
     * allowed list is released and reported as a requested definition.
     *
     * @throws Throwable on test setup failure
     */
    @Test
    void verifyAuthnRequestWithExtensionsAllowed() throws Throwable {
        final var policy = newPolicy("eduPersonPrincipalName", false);
        final var registeredService = SamlIdPTestUtils.getSamlRegisteredService();
        registeredService.setAttributeReleasePolicy(policy);
        final var authnRequest = new SAML2AuthnRequestBuilder().build(this.saml2MessageContext);
        withRequestedAttribute(authnRequest, "eduPersonPrincipalName");
        // Fresh request id so the stored request does not collide with earlier tests.
        authnRequest.setID(UUID.randomUUID().toString());
        storeSamlAuthnRequest(authnRequest);
        final var principal = CoreAuthenticationTestUtils.getPrincipal("casuser", CollectionUtils.wrap("eduPersonPrincipalName", "casuser", "givenName", "CAS"));
        final var context = RegisteredServiceAttributeReleasePolicyContext.builder()
            .registeredService(registeredService)
            .service(CoreAuthenticationTestUtils.getService())
            .applicationContext(this.applicationContext)
            .principal(principal)
            .build();
        Assertions.assertTrue(policy.getAttributes(context).containsKey("eduPersonPrincipalName"));
        Assertions.assertTrue(policy.determineRequestedAttributeDefinitions(context).contains("eduPersonPrincipalName"));
    }

    /**
     * Creates a policy allowing exactly one attribute.
     *
     * @param allowedAttribute the single attribute name to allow
     * @param useFriendlyName  whether requested attributes are matched by friendly name
     * @return the configured policy
     */
    private static AuthnRequestRequestedAttributesAttributeReleasePolicy newPolicy(final String allowedAttribute, final boolean useFriendlyName) {
        final var policy = new AuthnRequestRequestedAttributesAttributeReleasePolicy();
        policy.setAllowedAttributes(List.of(allowedAttribute));
        policy.setUseFriendlyName(useFriendlyName);
        return policy;
    }

    /**
     * Attaches an {@code Extensions} element holding a single, non-required
     * {@code RequestedAttribute} with the given name to the authn request.
     *
     * @param authnRequest  the request to decorate
     * @param attributeName the requested attribute's {@code Name}
     */
    private void withRequestedAttribute(final AuthnRequest authnRequest, final String attributeName) {
        final var builderFactory = this.openSamlConfigBean.getBuilderFactory();
        final Extensions extensions = builderFactory.getBuilder(Extensions.DEFAULT_ELEMENT_NAME).buildObject();
        final RequestedAttribute requested = builderFactory.getBuilder(RequestedAttribute.DEFAULT_ELEMENT_NAME).buildObject(RequestedAttribute.DEFAULT_ELEMENT_NAME);
        requested.setIsRequired(false);
        requested.setName(attributeName);
        extensions.getUnknownXMLObjects().add(requested);
        authnRequest.setExtensions(extensions);
    }

    /**
     * Stores the authn request in the IdP session manager, keyed by its id via
     * the {@code srid} request parameter, so the policy can find it later.
     *
     * @param authnRequest the request to store
     * @throws Throwable if the session store rejects the request
     */
    private void storeSamlAuthnRequest(@NotNull final AuthnRequest authnRequest) throws Throwable {
        final var request = HttpRequestUtils.getHttpServletRequestFromRequestAttributes();
        request.setParameter("srid", authnRequest.getID());
        final var webContext = new JEEContext(request, HttpRequestUtils.getHttpServletResponseFromRequestAttributes());
        final var messageContext = new MessageContext();
        messageContext.setMessage(authnRequest);
        SamlIdPSessionManager.of(this.openSamlConfigBean, this.samlIdPDistributedSessionStore)
            .store(webContext, Pair.of(authnRequest, messageContext));
    }
}
