package org.apereo.cas.support.saml.web.idp.delegation;

import java.io.File;
import java.util.Arrays;
import java.util.List;
import java.util.UUID;
import org.apache.commons.io.FileUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apereo.cas.authentication.CoreAuthenticationTestUtils;
import org.apereo.cas.authentication.principal.AbstractWebApplicationService;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.pac4j.client.DelegatedClientAuthenticationRequestCustomizer;
import org.apereo.cas.services.CasRegisteredService;
import org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy;
import org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy;
import org.apereo.cas.services.RegisteredServiceTestUtils;
import org.apereo.cas.support.saml.BaseSamlIdPConfigurationTests;
import org.apereo.cas.support.saml.SamlIdPTestUtils;
import org.apereo.cas.support.saml.idp.SamlIdPSessionManager;
import org.apereo.cas.support.saml.services.SamlRegisteredService;
import org.apereo.cas.util.RandomUtils;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml.saml2.core.AuthnContextComparisonTypeEnumeration;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.IDPEntry;
import org.opensaml.saml.saml2.core.IDPList;
import org.opensaml.saml.saml2.core.RequestedAuthnContext;
import org.opensaml.saml.saml2.core.Scoping;
import org.pac4j.http.client.indirect.FormClient;
import org.pac4j.jee.context.JEEContext;
import org.pac4j.saml.client.SAML2Client;
import org.pac4j.saml.config.SAML2Configuration;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;

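/**
 * Tests for the SAML2 {@link DelegatedClientAuthenticationRequestCustomizer} bean.
 *
 * <p>The customizer decides whether a delegated {@link SAML2Client} may handle the
 * SAML2 authentication request that is currently stored in the session, using the
 * request's {@code Scoping/IDPList} together with the registered service's
 * delegated-authentication policy. The expectations pinned here are: no stored
 * request or an empty {@code IDPList} authorizes the client, an {@code IDPList}
 * that names only an unknown entity ID does not, and a list containing the
 * client's resolved IdP entity ID does. Non-SAML clients ({@link FormClient})
 * are always authorized by this customizer.
 */
@Tag("SAML2")
class SamlIdPDelegatedClientAuthenticationRequestCustomizerTests extends BaseSamlIdPConfigurationTests {

    /** Entity ID of the SAML service provider whose AuthnRequest is stored by {@link #setAuthnRequestFor}. */
    private static final String SP_ENTITY_ID = "https://cassp.example.org";

    /** Request parameter under which the stored AuthnRequest is keyed in the session manager. */
    private static final String SESSION_REQUEST_ID_PARAM = "srid";

    @Autowired
    @Qualifier("saml2DelegatedClientAuthenticationRequestCustomizer")
    private DelegatedClientAuthenticationRequestCustomizer customizer;

    /**
     * A service whose delegated-authentication policy permits undefined providers
     * must authorize a SAML client that the stored request scopes to.
     */
    @Test
    void verifyScopedIdentityProviderPerServiceImplicitly() throws Throwable {
        var client = buildMockSaml2Client();
        var webContext = newWebContext();
        var service = RegisteredServiceTestUtils.getService(UUID.randomUUID().toString());
        var registeredService = RegisteredServiceTestUtils.getRegisteredService(service.getId());

        // No explicit allow-list; providers not covered by the policy are permitted.
        var policy = new DefaultRegisteredServiceDelegatedAuthenticationPolicy();
        policy.setPermitUndefined(true);
        registeredService.setAccessStrategy(new DefaultRegisteredServiceAccessStrategy().setDelegatedAuthenticationPolicy(policy));
        servicesManager.save(registeredService);

        setAuthnRequestFor(webContext, client.getIdentityProviderResolvedEntityId());
        Assertions.assertTrue(customizer.isAuthorized(webContext, client, service));
    }

    /**
     * A service whose delegated-authentication policy explicitly allows the client
     * by name must authorize it when the stored request scopes to the client's IdP.
     */
    @Test
    void verifyScopedIdentityProviderPerService() throws Throwable {
        var client = buildMockSaml2Client();
        var webContext = newWebContext();
        var service = RegisteredServiceTestUtils.getService(UUID.randomUUID().toString());
        var registeredService = RegisteredServiceTestUtils.getRegisteredService(service.getId());

        // Explicit allow-list naming only this client.
        var policy = new DefaultRegisteredServiceDelegatedAuthenticationPolicy();
        policy.setAllowedProviders(List.of(client.getName()));
        registeredService.setAccessStrategy(new DefaultRegisteredServiceAccessStrategy().setDelegatedAuthenticationPolicy(policy));
        servicesManager.save(registeredService);

        setAuthnRequestFor(webContext, client.getIdentityProviderResolvedEntityId());
        Assertions.assertTrue(customizer.isAuthorized(webContext, client, service));
    }

    /**
     * Walks the authorization decision through the scoping variants: no stored
     * request, an empty {@code IDPList}, a list naming an unknown entity ID
     * (must be rejected), a list naming the client's own IdP, and a non-SAML client.
     */
    @Test
    void verifyAuthorization() throws Throwable {
        var client = buildMockSaml2Client();
        var webContext = newWebContext();
        var service = CoreAuthenticationTestUtils.getWebApplicationService();

        // Customizing with no stored request must be a no-op rather than an error.
        Assertions.assertDoesNotThrow(() -> customizer.customize(client, webContext));
        Assertions.assertTrue(customizer.isAuthorized(webContext, client, service));

        // Empty IDPList: nothing restricts the choice of IdP.
        setAuthnRequestFor(webContext);
        Assertions.assertTrue(customizer.isAuthorized(webContext, client, service));

        // IDPList naming only an entity ID this client does not resolve to: must not authorize.
        setAuthnRequestFor(webContext, UUID.randomUUID().toString());
        Assertions.assertFalse(customizer.isAuthorized(webContext, client, service));

        // IDPList naming the client's own IdP entity ID.
        setAuthnRequestFor(webContext, client.getIdentityProviderResolvedEntityId());
        Assertions.assertTrue(customizer.isAuthorized(webContext, client, service));
        Assertions.assertDoesNotThrow(() -> customizer.customize(client, webContext));

        // A non-SAML client is not subject to SAML scoping.
        Assertions.assertTrue(customizer.isAuthorized(webContext, new FormClient(), service));
    }

    /**
     * Builds a fresh pac4j web context over empty mock servlet request/response objects.
     */
    private static JEEContext newWebContext() {
        return new JEEContext(new MockHttpServletRequest(), new MockHttpServletResponse());
    }

    /**
     * Stores the given AuthnRequest in the SAML IdP session so the customizer can
     * find it, and exposes its ID on the native request under the {@code srid} parameter.
     *
     * @param authnRequest the request to store
     * @param webContext   the pac4j context whose native request receives the ID parameter
     * @throws Exception if the session manager fails to store the request
     */
    private void storeRequest(final AuthnRequest authnRequest, final JEEContext webContext) throws Exception {
        var messageContext = new MessageContext();
        messageContext.setMessage(authnRequest);
        // Typed pair instead of the raw type: the session store expects the request/message-context tuple.
        var stored = Pair.of(authnRequest, messageContext);
        webContext.getNativeRequest().addParameter(SESSION_REQUEST_ID_PARAM, authnRequest.getID());
        SamlIdPSessionManager.of(openSamlConfigBean, samlIdPDistributedSessionStore).store(webContext, stored);
    }

    /**
     * Creates an AuthnRequest for the test SP whose {@code Scoping/IDPList} contains one
     * {@code IDPEntry} per given provider ID (none when empty), with a random exact
     * {@code RequestedAuthnContext}, {@code IsPassive} and {@code ForceAuthn} set, and
     * stores it in the session via {@link #storeRequest}.
     *
     * @param webContext  the pac4j context the request is stored against
     * @param providerIds entity IDs to list in the request's IDPList; may be empty
     * @throws Exception if building or storing the request fails
     */
    private void setAuthnRequestFor(final JEEContext webContext, final String... providerIds) throws Exception {
        var samlRegisteredService = getSamlRegisteredServiceFor(SP_ENTITY_ID);
        samlRegisteredService.setId(RandomUtils.nextInt());
        var authnRequest = SamlIdPTestUtils.getAuthnRequest(openSamlConfigBean, samlRegisteredService);

        var builderFactory = openSamlConfigBean.getBuilderFactory();

        Scoping scoping = builderFactory.getBuilder(Scoping.DEFAULT_ELEMENT_NAME).buildObject(Scoping.DEFAULT_ELEMENT_NAME);
        IDPList idpList = builderFactory.getBuilder(IDPList.DEFAULT_ELEMENT_NAME).buildObject(IDPList.DEFAULT_ELEMENT_NAME);
        for (var providerId : providerIds) {
            IDPEntry entry = builderFactory.getBuilder(IDPEntry.DEFAULT_ELEMENT_NAME).buildObject(IDPEntry.DEFAULT_ELEMENT_NAME);
            entry.setProviderID(providerId);
            idpList.getIDPEntrys().add(entry);
        }
        scoping.setIDPList(idpList);
        authnRequest.setScoping(scoping);

        // Random class-ref so the requested context never accidentally matches a real one.
        RequestedAuthnContext requestedContext = builderFactory.getBuilder(RequestedAuthnContext.DEFAULT_ELEMENT_NAME).buildObject(RequestedAuthnContext.DEFAULT_ELEMENT_NAME);
        requestedContext.setComparison(AuthnContextComparisonTypeEnumeration.EXACT);
        AuthnContextClassRef classRef = builderFactory.getBuilder(AuthnContextClassRef.DEFAULT_ELEMENT_NAME).buildObject(AuthnContextClassRef.DEFAULT_ELEMENT_NAME);
        classRef.setURI(UUID.randomUUID().toString());
        requestedContext.getAuthnContextClassRefs().add(classRef);
        authnRequest.setRequestedAuthnContext(requestedContext);

        authnRequest.setIsPassive(Boolean.TRUE);
        authnRequest.setForceAuthn(Boolean.TRUE);
        storeRequest(authnRequest, webContext);
    }

    /**
     * Builds and initializes a pac4j {@link SAML2Client} against the test IdP metadata.
     *
     * @return an initialized client with a fixed callback URL
     * @throws Exception if configuration or client initialization fails
     */
    private static SAML2Client buildMockSaml2Client() throws Exception {
        var client = new SAML2Client(getSAML2Configuration());
        client.setCallbackUrl("https://cas.example.org/cas/login");
        client.init(true);
        return client;
    }

    /**
     * Builds a pac4j {@link SAML2Configuration} whose keystore and SP metadata are
     * freshly generated under the temp directory and whose IdP metadata comes from
     * {@code src/test/resources/metadata/idp-metadata.xml}.
     *
     * @return an initialized configuration
     * @throws Exception if path resolution or configuration initialization fails
     */
    private static SAML2Configuration getSAML2Configuration() throws Exception {
        var idpMetadataPath = new File("src/test/resources/metadata/idp-metadata.xml").getCanonicalPath();

        // NOTE(review): keystore and SP metadata are placed in the shared temp directory with a
        // random-int suffix; acceptable for a throwaway test fixture, not a pattern for real key material.
        var keystorePath = new File(FileUtils.getTempDirectory(), "keystore-" + RandomUtils.nextInt()).getCanonicalPath();
        FileUtils.deleteQuietly(new File(keystorePath));
        var spMetadataPath = new File(FileUtils.getTempDirectory(), "sp-metadata-%s.xml".formatted(RandomUtils.nextInt())).getCanonicalPath();
        FileUtils.deleteQuietly(new File(spMetadataPath));

        // "changeit" is a test-only keystore/key password; the keystore is deleted above and
        // presumably regenerated by the client because force-generation is requested below.
        var configuration = new SAML2Configuration(keystorePath, "changeit", "changeit", idpMetadataPath);
        configuration.setForceKeystoreGeneration(true);
        configuration.setForceServiceProviderMetadataGeneration(true);
        configuration.setServiceProviderEntityId("cas:example:sp");
        configuration.setServiceProviderMetadataPath(spMetadataPath);
        configuration.setAuthnRequestBindingType("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
        configuration.init(true);
        return configuration;
    }
}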
