package org.dspace.app.rest;

import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.InputStream;
import java.util.Base64;
import java.util.Map;
import javax.servlet.http.Cookie;
import org.apache.commons.io.IOUtils;
import org.dspace.app.rest.matcher.AuthenticationStatusMatcher;
import org.dspace.app.rest.matcher.EPersonMatcher;
import org.dspace.app.rest.matcher.HalMatcher;
import org.dspace.app.rest.test.AbstractControllerIntegrationTest;
import org.dspace.builder.BitstreamBuilder;
import org.dspace.builder.BundleBuilder;
import org.dspace.builder.CollectionBuilder;
import org.dspace.builder.CommunityBuilder;
import org.dspace.builder.EPersonBuilder;
import org.dspace.builder.GroupBuilder;
import org.dspace.builder.ItemBuilder;
import org.dspace.content.Bitstream;
import org.dspace.content.Bundle;
import org.dspace.eperson.EPerson;
import org.dspace.eperson.Group;
import org.dspace.services.ConfigurationService;
import org.hamcrest.Matchers;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Ignore;
import org.junit.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.result.MockMvcResultHandlers;
import org.springframework.test.web.servlet.result.MockMvcResultMatchers;

/* loaded from: input_file:org/dspace/app/rest/AuthenticationRestControllerIT.class */
public class AuthenticationRestControllerIT extends AbstractControllerIntegrationTest {

    @Autowired
    ConfigurationService configurationService;
    public static final String[] PASS_ONLY = {"org.dspace.authenticate.PasswordAuthentication"};
    public static final String[] SHIB_ONLY = {"org.dspace.authenticate.ShibAuthentication"};
    public static final String[] SHIB_AND_PASS = {"org.dspace.authenticate.ShibAuthentication", "org.dspace.authenticate.PasswordAuthentication"};
    public static final String[] SHIB_AND_IP = {"org.dspace.authenticate.IPAuthentication", "org.dspace.authenticate.ShibAuthentication"};
    public static final String TRUSTED_IP = "7.7.7.7";
    public static final String UNTRUSTED_IP = "8.8.8.8";

    @Before
    public void setup() throws Exception {
        super.setUp();
        this.configurationService.setProperty("plugin.sequence.org.dspace.authenticate.AuthenticationMethod", PASS_ONLY);
    }

    @Test
    public void testStatusAuthenticatedAsAdmin() throws Exception {
        String authToken = getAuthToken(this.admin.getEmail(), this.password);
        getClient(authToken).perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0]).param("projection", new String[]{"full"})).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$", AuthenticationStatusMatcher.matchFullEmbeds())).andExpect(MockMvcResultMatchers.jsonPath("$", AuthenticationStatusMatcher.matchLinks())).andExpect(MockMvcResultMatchers.content().contentType(this.contentType)).andExpect(MockMvcResultMatchers.jsonPath("$.okay", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.authenticated", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.type", Matchers.is("status"))).andExpect(MockMvcResultMatchers.jsonPath("$._links.eperson.href", Matchers.startsWith(AbstractControllerIntegrationTest.REST_SERVER_URL))).andExpect(MockMvcResultMatchers.jsonPath("$._embedded.eperson", EPersonMatcher.matchEPersonWithGroups(this.admin.getEmail(), "Administrator")));
        getClient(authToken).perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0])).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$", HalMatcher.matchNoEmbeds()));
        getClient(authToken).perform(MockMvcRequestBuilders.post("/api/authn/logout", new Object[0])).andExpect(MockMvcResultMatchers.status().isNoContent());
    }

    @Test
    @Ignore
    public void testStatusAuthenticatedAsNormalUser() throws Exception {
        String authToken = getAuthToken(this.eperson.getEmail(), this.password);
        getClient(authToken).perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0]).param("projection", new String[]{"full"})).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$", AuthenticationStatusMatcher.matchFullEmbeds())).andExpect(MockMvcResultMatchers.jsonPath("$", AuthenticationStatusMatcher.matchLinks())).andExpect(MockMvcResultMatchers.content().contentType(this.contentType)).andExpect(MockMvcResultMatchers.jsonPath("$.okay", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.authenticated", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.type", Matchers.is("status"))).andExpect(MockMvcResultMatchers.jsonPath("$._links.eperson.href", Matchers.startsWith(AbstractControllerIntegrationTest.REST_SERVER_URL))).andExpect(MockMvcResultMatchers.jsonPath("$._embedded.eperson", EPersonMatcher.matchEPersonWithGroups(this.eperson.getEmail(), "Anonymous")));
        getClient(authToken).perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0])).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$", HalMatcher.matchNoEmbeds()));
        getClient(authToken).perform(MockMvcRequestBuilders.post("/api/authn/logout", new Object[0])).andExpect(MockMvcResultMatchers.status().isNoContent());
    }

    @Test
    public void testStatusNotAuthenticated() throws Exception {
        getClient().perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0])).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.content().contentType(this.contentType)).andExpect(MockMvcResultMatchers.jsonPath("$.okay", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.authenticated", Matchers.is(false))).andExpect(MockMvcResultMatchers.jsonPath("$.type", Matchers.is("status"))).andExpect(MockMvcResultMatchers.header().string("WWW-Authenticate", "password realm=\"DSpace REST API\""));
    }

    @Test
    public void testStatusShibAuthenticatedWithCookie() throws Exception {
        this.configurationService.setProperty("plugin.sequence.org.dspace.authenticate.AuthenticationMethod", SHIB_ONLY);
        String replace = getClient().perform(MockMvcRequestBuilders.post("/api/authn/login", new Object[0]).requestAttr("SHIB-MAIL", this.eperson.getEmail()).requestAttr("SHIB-SCOPED-AFFILIATION", "faculty;staff")).andExpect(MockMvcResultMatchers.status().isOk()).andReturn().getResponse().getHeader("Authorization").replace("Bearer ", "");
        getClient().perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0]).secure(true).cookie(new Cookie[]{new Cookie("Authorization-cookie", replace)})).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.content().contentType(this.contentType)).andExpect(MockMvcResultMatchers.jsonPath("$.okay", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.authenticated", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.type", Matchers.is("status")));
        getClient(replace).perform(MockMvcRequestBuilders.post("/api/authn/logout", new Object[0])).andExpect(MockMvcResultMatchers.status().isNoContent());
    }

    @Test
    public void testStatusPasswordAuthenticatedWithCookie() throws Exception {
        String replace = getAuthToken(this.eperson.getEmail(), this.password).replace("Bearer ", "");
        getClient().perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0]).secure(true).cookie(new Cookie[]{new Cookie("Authorization-cookie", replace)})).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.content().contentType(this.contentType)).andExpect(MockMvcResultMatchers.jsonPath("$.okay", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.authenticated", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.type", Matchers.is("status")));
        getClient(replace).perform(MockMvcRequestBuilders.post("/api/authn/logout", new Object[0])).andExpect(MockMvcResultMatchers.status().isNoContent());
    }

    @Test
    public void testTwoAuthenticationTokens() throws Exception {
        String authToken = getAuthToken(this.eperson.getEmail(), this.password);
        Thread.sleep(1200L);
        String authToken2 = getAuthToken(this.eperson.getEmail(), this.password);
        Assert.assertNotEquals(authToken, authToken2);
        getClient(authToken).perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0]).param("projection", new String[]{"full"})).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.content().contentType(this.contentType)).andExpect(MockMvcResultMatchers.jsonPath("$.okay", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.authenticated", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.type", Matchers.is("status"))).andExpect(MockMvcResultMatchers.jsonPath("$._links.eperson.href", Matchers.startsWith(AbstractControllerIntegrationTest.REST_SERVER_URL))).andExpect(MockMvcResultMatchers.jsonPath("$._embedded.eperson", EPersonMatcher.matchEPersonOnEmail(this.eperson.getEmail())));
        getClient(authToken2).perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0]).param("projection", new String[]{"full"})).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.content().contentType(this.contentType)).andExpect(MockMvcResultMatchers.jsonPath("$.okay", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.authenticated", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.type", Matchers.is("status"))).andExpect(MockMvcResultMatchers.jsonPath("$._links.eperson.href", Matchers.startsWith(AbstractControllerIntegrationTest.REST_SERVER_URL))).andExpect(MockMvcResultMatchers.jsonPath("$._embedded.eperson", EPersonMatcher.matchEPersonOnEmail(this.eperson.getEmail())));
    }

    @Test
    public void testTamperingWithToken() throws Exception {
        String authToken = getAuthToken(this.eperson.getEmail(), this.password);
        getClient(authToken).perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0])).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$.okay", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.authenticated", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.type", Matchers.is("status")));
        this.context.turnOffAuthorisationSystem();
        Group build = GroupBuilder.createGroup(this.context).withName("Internal Group").build();
        this.context.restoreAuthSystemState();
        String[] split = authToken.split("\\.");
        getClient(split[0] + "." + new String(Base64.getUrlEncoder().encode(new String(Base64.getUrlDecoder().decode(authToken.split("\\.")[1])).replaceAll("\\[]", "[\"" + build.getID() + "\"]").getBytes())) + "." + split[2]).perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0])).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$.okay", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.authenticated", Matchers.is(false))).andExpect(MockMvcResultMatchers.jsonPath("$.type", Matchers.is("status")));
    }

    @Test
    public void testLogout() throws Exception {
        String authToken = getAuthToken(this.eperson.getEmail(), this.password);
        getClient(authToken).perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0])).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$.okay", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.authenticated", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.type", Matchers.is("status")));
        getClient(authToken).perform(MockMvcRequestBuilders.get("/api/authn/logout", new Object[0])).andExpect(MockMvcResultMatchers.status().isMethodNotAllowed()).andExpect(MockMvcResultMatchers.cookie().doesNotExist("DSPACE-XSRF-COOKIE")).andExpect(MockMvcResultMatchers.header().doesNotExist("DSPACE-XSRF-TOKEN"));
        getClient(authToken).perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0])).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$.okay", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.authenticated", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.type", Matchers.is("status")));
        getClient(authToken).perform(MockMvcRequestBuilders.post("/api/authn/logout", new Object[0])).andExpect(MockMvcResultMatchers.status().isNoContent()).andExpect(MockMvcResultMatchers.cookie().exists("DSPACE-XSRF-COOKIE")).andExpect(MockMvcResultMatchers.header().exists("DSPACE-XSRF-TOKEN"));
        getClient(authToken).perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0])).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$.okay", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.authenticated", Matchers.is(false))).andExpect(MockMvcResultMatchers.jsonPath("$.type", Matchers.is("status")));
    }

    @Test
    public void testLogoutInvalidatesAllTokens() throws Exception {
        String authToken = getAuthToken(this.eperson.getEmail(), this.password);
        Thread.sleep(1200L);
        String authToken2 = getAuthToken(this.eperson.getEmail(), this.password);
        Assert.assertNotEquals(authToken, authToken2);
        getClient(authToken).perform(MockMvcRequestBuilders.post("/api/authn/logout", new Object[0]));
        getClient(authToken).perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0])).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$.okay", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.authenticated", Matchers.is(false))).andExpect(MockMvcResultMatchers.jsonPath("$.type", Matchers.is("status")));
        getClient(authToken2).perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0])).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$.okay", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.authenticated", Matchers.is(false))).andExpect(MockMvcResultMatchers.jsonPath("$.type", Matchers.is("status")));
    }

    @Test
    public void testRefreshToken() throws Exception {
        String authToken = getAuthToken(this.eperson.getEmail(), this.password);
        Thread.sleep(1200L);
        String header = getClient(authToken).perform(MockMvcRequestBuilders.post("/api/authn/login", new Object[0])).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.cookie().exists("DSPACE-XSRF-COOKIE")).andExpect(MockMvcResultMatchers.header().exists("DSPACE-XSRF-TOKEN")).andExpect(MockMvcResultMatchers.cookie().value("DSPACE-XSRF-COOKIE", "")).andExpect(MockMvcResultMatchers.header().string("DSPACE-XSRF-TOKEN", Matchers.matchesPattern("[0-9a-fxA-FX]{8}-[0-9a-fxA-FX]{4}-[0-9a-fxA-FX]{4}-[0-9a-fxA-FX]{4}-[0-9a-fxA-FX]{12}"))).andReturn().getResponse().getHeader("Authorization");
        Assert.assertNotEquals(authToken, header);
        getClient(header).perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0])).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$.okay", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.authenticated", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.type", Matchers.is("status")));
    }

    @Test
    public void testRefreshTokenWithInvalidCSRF() throws Exception {
        String replace = getAuthToken(this.eperson.getEmail(), this.password).replace("Bearer ", "");
        getClient().perform(MockMvcRequestBuilders.post("/api/authn/login", new Object[0]).with(SecurityMockMvcRequestPostProcessors.csrf().useInvalidToken().asHeader()).secure(true).cookie(new Cookie[]{new Cookie("Authorization-cookie", replace)})).andExpect(MockMvcResultMatchers.status().isForbidden()).andExpect(MockMvcResultMatchers.status().reason(Matchers.containsString("Invalid CSRF token"))).andExpect(MockMvcResultMatchers.cookie().exists("DSPACE-XSRF-COOKIE")).andExpect(MockMvcResultMatchers.header().exists("DSPACE-XSRF-TOKEN"));
        getClient(replace).perform(MockMvcRequestBuilders.post("/api/authn/logout", new Object[0])).andExpect(MockMvcResultMatchers.status().isNoContent());
    }

    @Test
    public void testLoginChangesCSRFToken() throws Exception {
        getClient(getClient().perform(MockMvcRequestBuilders.post("/api/authn/login", new Object[0]).param("user", new String[]{this.eperson.getEmail()}).param("password", new String[]{this.password})).andExpect(MockMvcResultMatchers.cookie().exists("DSPACE-XSRF-COOKIE")).andExpect(MockMvcResultMatchers.header().exists("DSPACE-XSRF-TOKEN")).andReturn().getResponse().getHeader("Authorization")).perform(MockMvcRequestBuilders.post("/api/authn/logout", new Object[0])).andExpect(MockMvcResultMatchers.status().isNoContent());
    }

    @Test
    public void testCannotReuseTokenFromUntrustedOrigin() throws Exception {
        String authToken = getAuthToken(this.eperson.getEmail(), this.password);
        getClient(authToken).perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0])).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$.okay", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.authenticated", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.type", Matchers.is("status")));
        getClient(authToken).perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0]).header("Origin", new Object[]{"https://example.org"})).andExpect(MockMvcResultMatchers.status().isForbidden());
        getClient(authToken).perform(MockMvcRequestBuilders.post("/api/authn/logout", new Object[0])).andExpect(MockMvcResultMatchers.status().isNoContent());
    }

    @Test
    public void testCannotAuthenticateFromUntrustedOrigin() throws Exception {
        getClient().perform(MockMvcRequestBuilders.post("/api/authn/login", new Object[0]).header("Origin", new Object[]{"https://example.org"}).param("user", new String[]{this.eperson.getEmail()}).param("password", new String[]{this.password})).andExpect(MockMvcResultMatchers.status().isForbidden());
    }

    @Test
    public void testReuseTokenWithDifferentIP() throws Exception {
        String authToken = getAuthToken(this.eperson.getEmail(), this.password);
        getClient(authToken).perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0])).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$.okay", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.authenticated", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.type", Matchers.is("status")));
        getClient(authToken).perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0]).header("X-FORWARDED-FOR", new Object[]{"1.1.1.1"})).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$.okay", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.authenticated", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.type", Matchers.is("status")));
        getClient(authToken).perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0]).with(ip("1.1.1.1"))).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$.okay", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.authenticated", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.type", Matchers.is("status")));
    }

    @Test
    public void testFailedLoginResponseCode() throws Exception {
        getClient().perform(MockMvcRequestBuilders.post("/api/authn/login", new Object[0]).param("user", new String[]{this.eperson.getEmail()}).param("password", new String[]{"fakePassword"})).andExpect(MockMvcResultMatchers.status().isUnauthorized());
    }

    @Test
    public void testLoginLogoutStatusLink() throws Exception {
        getClient().perform(MockMvcRequestBuilders.get("/api/authn", new Object[0])).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$._links.login.href", Matchers.endsWith("login"))).andExpect(MockMvcResultMatchers.jsonPath("$._links.logout.href", Matchers.endsWith("logout"))).andExpect(MockMvcResultMatchers.jsonPath("$._links.status.href", Matchers.endsWith("status")));
    }

    @Test
    public void testLoginAgainAfterLogout() throws Exception {
        String authToken = getAuthToken(this.eperson.getEmail(), this.password);
        getClient(authToken).perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0])).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$.okay", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.authenticated", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.type", Matchers.is("status")));
        getClient(authToken).perform(MockMvcRequestBuilders.post("/api/authn/logout", new Object[0])).andExpect(MockMvcResultMatchers.status().isNoContent());
        getClient(authToken).perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0])).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$.okay", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.authenticated", Matchers.is(false))).andExpect(MockMvcResultMatchers.jsonPath("$.type", Matchers.is("status")));
        getClient(getAuthToken(this.eperson.getEmail(), this.password)).perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0])).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$.okay", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.authenticated", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.type", Matchers.is("status")));
    }

    @Test
    public void testLoginEmptyRequest() throws Exception {
        getClient().perform(MockMvcRequestBuilders.post("/api/authn/login", new Object[0])).andExpect(MockMvcResultMatchers.status().isUnauthorized()).andExpect(MockMvcResultMatchers.status().reason(Matchers.containsString("Authentication failed")));
    }

    @Test
    public void testLoginGetRequest() throws Exception {
        getClient().perform(MockMvcRequestBuilders.get("/api/authn/login", new Object[0]).param("user", new String[]{this.eperson.getEmail()}).param("password", new String[]{this.password})).andExpect(MockMvcResultMatchers.status().isMethodNotAllowed());
    }

    @Test
    public void testShibbolethLoginURLWithDefaultLazyURL() throws Exception {
        this.context.turnOffAuthorisationSystem();
        this.configurationService.setProperty("plugin.sequence.org.dspace.authenticate.AuthenticationMethod", SHIB_ONLY);
        GroupBuilder.createGroup(this.context).withName("Reviewers").build();
        this.configurationService.setProperty("authentication-shibboleth.role.faculty", "Reviewers");
        this.context.restoreAuthSystemState();
        getClient().perform(MockMvcRequestBuilders.post("/api/authn/login", new Object[0]).header("Referer", new Object[]{"http://my.uni.edu"})).andExpect(MockMvcResultMatchers.status().isUnauthorized()).andExpect(MockMvcResultMatchers.header().string("WWW-Authenticate", "shibboleth realm=\"DSpace REST API\", location=\"https://localhost/Shibboleth.sso/Login?target=http%3A%2F%2Flocalhost%2Fapi%2Fauthn%2Fshibboleth%3FredirectUrl%3Dhttp%3A%2F%2Fmy.uni.edu\""));
    }

    @Test
    public void testShibbolethLoginURLWithServerURLContainingPort() throws Exception {
        this.context.turnOffAuthorisationSystem();
        this.configurationService.setProperty("plugin.sequence.org.dspace.authenticate.AuthenticationMethod", SHIB_ONLY);
        this.configurationService.setProperty("dspace.server.url", "http://localhost:8080/server");
        this.configurationService.setProperty("authentication-shibboleth.lazysession.secure", false);
        GroupBuilder.createGroup(this.context).withName("Reviewers").build();
        this.configurationService.setProperty("authentication-shibboleth.role.faculty", "Reviewers");
        this.context.restoreAuthSystemState();
        getClient().perform(MockMvcRequestBuilders.post("/api/authn/login", new Object[0]).header("Referer", new Object[]{"http://my.uni.edu"})).andExpect(MockMvcResultMatchers.status().isUnauthorized()).andExpect(MockMvcResultMatchers.header().string("WWW-Authenticate", "shibboleth realm=\"DSpace REST API\", location=\"http://localhost:8080/Shibboleth.sso/Login?target=http%3A%2F%2Flocalhost%3A8080%2Fserver%2Fapi%2Fauthn%2Fshibboleth%3FredirectUrl%3Dhttp%3A%2F%2Fmy.uni.edu\""));
    }

    @Test
    public void testShibbolethLoginURLWithConfiguredLazyURL() throws Exception {
        this.context.turnOffAuthorisationSystem();
        this.configurationService.setProperty("plugin.sequence.org.dspace.authenticate.AuthenticationMethod", SHIB_ONLY);
        this.configurationService.setProperty("authentication-shibboleth.lazysession.loginurl", "http://shibboleth.org/Shibboleth.sso/Login");
        GroupBuilder.createGroup(this.context).withName("Reviewers").build();
        this.configurationService.setProperty("authentication-shibboleth.role.faculty", "Reviewers");
        this.context.restoreAuthSystemState();
        getClient().perform(MockMvcRequestBuilders.post("/api/authn/login", new Object[0]).header("Referer", new Object[]{"http://my.uni.edu"})).andExpect(MockMvcResultMatchers.status().isUnauthorized()).andExpect(MockMvcResultMatchers.header().string("WWW-Authenticate", "shibboleth realm=\"DSpace REST API\", location=\"http://shibboleth.org/Shibboleth.sso/Login?target=http%3A%2F%2Flocalhost%2Fapi%2Fauthn%2Fshibboleth%3FredirectUrl%3Dhttp%3A%2F%2Fmy.uni.edu\""));
    }

    @Test
    public void testShibbolethLoginURLWithConfiguredLazyURLWithPort() throws Exception {
        this.context.turnOffAuthorisationSystem();
        this.configurationService.setProperty("plugin.sequence.org.dspace.authenticate.AuthenticationMethod", SHIB_ONLY);
        this.configurationService.setProperty("authentication-shibboleth.lazysession.loginurl", "http://shibboleth.org:8080/Shibboleth.sso/Login");
        GroupBuilder.createGroup(this.context).withName("Reviewers").build();
        this.configurationService.setProperty("authentication-shibboleth.role.faculty", "Reviewers");
        this.context.restoreAuthSystemState();
        getClient().perform(MockMvcRequestBuilders.post("/api/authn/login", new Object[0]).header("Referer", new Object[]{"http://my.uni.edu"})).andExpect(MockMvcResultMatchers.status().isUnauthorized()).andExpect(MockMvcResultMatchers.header().string("WWW-Authenticate", "shibboleth realm=\"DSpace REST API\", location=\"http://shibboleth.org:8080/Shibboleth.sso/Login?target=http%3A%2F%2Flocalhost%2Fapi%2Fauthn%2Fshibboleth%3FredirectUrl%3Dhttp%3A%2F%2Fmy.uni.edu\""));
    }

    @Test
    @Ignore
    public void testShibbolethLoginRequestAttribute() throws Exception {
        this.context.turnOffAuthorisationSystem();
        this.configurationService.setProperty("plugin.sequence.org.dspace.authenticate.AuthenticationMethod", SHIB_ONLY);
        GroupBuilder.createGroup(this.context).withName("Reviewers").build();
        this.configurationService.setProperty("authentication-shibboleth.role.faculty", "Reviewers");
        this.context.restoreAuthSystemState();
        getClient().perform(MockMvcRequestBuilders.post("/api/authn/login", new Object[0]).header("Referer", new Object[]{"http://my.uni.edu"})).andExpect(MockMvcResultMatchers.status().isUnauthorized()).andExpect(MockMvcResultMatchers.header().string("WWW-Authenticate", "shibboleth realm=\"DSpace REST API\", location=\"https://localhost/Shibboleth.sso/Login?target=http%3A%2F%2Flocalhost%2Fapi%2Fauthn%2Fshibboleth%3FredirectUrl%3Dhttp%3A%2F%2Fmy.uni.edu\""));
        getClient(getClient().perform(MockMvcRequestBuilders.post("/api/authn/login", new Object[0]).requestAttr("SHIB-MAIL", this.eperson.getEmail()).requestAttr("SHIB-SCOPED-AFFILIATION", "faculty;staff")).andExpect(MockMvcResultMatchers.status().isOk()).andReturn().getResponse().getHeader("Authorization")).perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0]).param("projection", new String[]{"full"})).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.content().contentType(this.contentType)).andExpect(MockMvcResultMatchers.jsonPath("$.okay", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.authenticated", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.type", Matchers.is("status"))).andExpect(MockMvcResultMatchers.jsonPath("$._links.eperson.href", Matchers.startsWith(AbstractControllerIntegrationTest.REST_SERVER_URL))).andExpect(MockMvcResultMatchers.jsonPath("$._embedded.eperson", EPersonMatcher.matchEPersonWithGroups(this.eperson.getEmail(), "Anonymous", "Reviewers")));
    }

    @Test
    @Ignore
    public void testShibbolethLoginRequestHeaderWithIpAuthentication() throws Exception {
        this.configurationService.setProperty("plugin.sequence.org.dspace.authenticate.AuthenticationMethod", SHIB_AND_IP);
        this.configurationService.setProperty("authentication-ip.Administrator", "123.123.123.123");
        getClient().perform(MockMvcRequestBuilders.post("/api/authn/login", new Object[0]).header("Referer", new Object[]{"http://my.uni.edu"}).with(ip("123.123.123.123"))).andExpect(MockMvcResultMatchers.status().isUnauthorized()).andExpect(MockMvcResultMatchers.header().string("WWW-Authenticate", "ip realm=\"DSpace REST API\", shibboleth realm=\"DSpace REST API\", location=\"https://localhost/Shibboleth.sso/Login?target=http%3A%2F%2Flocalhost%2Fapi%2Fauthn%2Fshibboleth%3FredirectUrl%3Dhttp%3A%2F%2Fmy.uni.edu\""));
        getClient(getClient().perform(MockMvcRequestBuilders.post("/api/authn/login", new Object[0]).with(ip("123.123.123.123")).header("SHIB-MAIL", new Object[]{this.eperson.getEmail()})).andExpect(MockMvcResultMatchers.status().isOk()).andReturn().getResponse().getHeader("Authorization")).perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0]).param("projection", new String[]{"full"}).with(ip("123.123.123.123"))).andDo(MockMvcResultHandlers.print()).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.content().contentType(this.contentType)).andExpect(MockMvcResultMatchers.jsonPath("$.okay", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.authenticated", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.type", Matchers.is("status"))).andExpect(MockMvcResultMatchers.jsonPath("$._links.eperson.href", Matchers.startsWith(AbstractControllerIntegrationTest.REST_SERVER_URL))).andExpect(MockMvcResultMatchers.jsonPath("$._embedded.eperson", EPersonMatcher.matchEPersonWithGroups(this.eperson.getEmail(), "Anonymous", "Administrator")));
        getClient(getClient().perform(MockMvcRequestBuilders.post("/api/authn/login", new Object[0]).with(ip("234.234.234.234")).header("SHIB-MAIL", new Object[]{this.eperson.getEmail()})).andExpect(MockMvcResultMatchers.status().isOk()).andReturn().getResponse().getHeader("Authorization")).perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0]).param("projection", new String[]{"full"}).with(ip("234.234.234.234"))).andDo(MockMvcResultHandlers.print()).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.content().contentType(this.contentType)).andExpect(MockMvcResultMatchers.jsonPath("$.okay", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.authenticated", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.type", Matchers.is("status"))).andExpect(MockMvcResultMatchers.jsonPath("$._links.eperson.href", Matchers.startsWith(AbstractControllerIntegrationTest.REST_SERVER_URL))).andExpect(MockMvcResultMatchers.jsonPath("$._embedded.eperson", EPersonMatcher.matchEPersonWithGroups(this.eperson.getEmail(), "Anonymous")));
    }

    @Test
    public void testShibbolethAndPasswordAuthentication() throws Exception {
        this.configurationService.setProperty("plugin.sequence.org.dspace.authenticate.AuthenticationMethod", SHIB_AND_PASS);
        getClient().perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0]).header("Referer", new Object[]{"http://my.uni.edu"})).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.header().string("WWW-Authenticate", "shibboleth realm=\"DSpace REST API\", location=\"https://localhost/Shibboleth.sso/Login?target=http%3A%2F%2Flocalhost%2Fapi%2Fauthn%2Fshibboleth%3FredirectUrl%3Dhttp%3A%2F%2Fmy.uni.edu\", password realm=\"DSpace REST API\""));
        String authToken = getAuthToken(this.eperson.getEmail(), this.password);
        getClient(authToken).perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0])).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$.okay", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.authenticated", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.type", Matchers.is("status")));
        getClient(authToken).perform(MockMvcRequestBuilders.post("/api/authn/logout", new Object[0])).andExpect(MockMvcResultMatchers.status().isNoContent());
        getClient(authToken).perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0])).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$.okay", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.authenticated", Matchers.is(false))).andExpect(MockMvcResultMatchers.jsonPath("$.type", Matchers.is("status")));
        String replace = getClient().perform(MockMvcRequestBuilders.post("/api/authn/login", new Object[0]).requestAttr("SHIB-MAIL", this.eperson.getEmail()).requestAttr("SHIB-SCOPED-AFFILIATION", "faculty;staff")).andExpect(MockMvcResultMatchers.status().isOk()).andReturn().getResponse().getHeader("Authorization").replace("Bearer ", "");
        getClient(replace).perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0])).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$.okay", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.authenticated", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.type", Matchers.is("status")));
        getClient(replace).perform(MockMvcRequestBuilders.post("/api/authn/logout", new Object[0])).andExpect(MockMvcResultMatchers.status().isNoContent());
        getClient(replace).perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0])).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$.okay", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.authenticated", Matchers.is(false))).andExpect(MockMvcResultMatchers.jsonPath("$.type", Matchers.is("status")));
    }

    @Test
    public void testOnlyPasswordAuthenticationWorks() throws Exception {
        this.configurationService.setProperty("plugin.sequence.org.dspace.authenticate.AuthenticationMethod", PASS_ONLY);
        getClient().perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0]).header("Referer", new Object[]{"http://my.uni.edu"})).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.header().string("WWW-Authenticate", "password realm=\"DSpace REST API\""));
        String authToken = getAuthToken(this.eperson.getEmail(), this.password);
        getClient(authToken).perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0])).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$.okay", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.authenticated", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.type", Matchers.is("status")));
        getClient(authToken).perform(MockMvcRequestBuilders.post("/api/authn/logout", new Object[0])).andExpect(MockMvcResultMatchers.status().isNoContent());
        getClient(authToken).perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0])).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$.okay", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.authenticated", Matchers.is(false))).andExpect(MockMvcResultMatchers.jsonPath("$.type", Matchers.is("status")));
    }

    @Test
    public void testShibbolethAuthenticationDoesNotWorkWithPassOnly() throws Exception {
        this.configurationService.setProperty("plugin.sequence.org.dspace.authenticate.AuthenticationMethod", PASS_ONLY);
        getClient().perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0]).header("Referer", new Object[]{"http://my.uni.edu"})).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.header().string("WWW-Authenticate", "password realm=\"DSpace REST API\""));
        getClient().perform(MockMvcRequestBuilders.post("/api/authn/login", new Object[0]).requestAttr("SHIB-MAIL", this.eperson.getEmail()).requestAttr("SHIB-SCOPED-AFFILIATION", "faculty;staff")).andExpect(MockMvcResultMatchers.status().isUnauthorized());
    }

    @Test
    public void testOnlyShibbolethAuthenticationWorks() throws Exception {
        this.configurationService.setProperty("plugin.sequence.org.dspace.authenticate.AuthenticationMethod", SHIB_ONLY);
        getClient().perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0]).header("Referer", new Object[]{"http://my.uni.edu"})).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.header().string("WWW-Authenticate", "shibboleth realm=\"DSpace REST API\", location=\"https://localhost/Shibboleth.sso/Login?target=http%3A%2F%2Flocalhost%2Fapi%2Fauthn%2Fshibboleth%3FredirectUrl%3Dhttp%3A%2F%2Fmy.uni.edu\""));
        String header = getClient().perform(MockMvcRequestBuilders.post("/api/authn/login", new Object[0]).requestAttr("SHIB-MAIL", this.eperson.getEmail()).requestAttr("SHIB-SCOPED-AFFILIATION", "faculty;staff")).andExpect(MockMvcResultMatchers.status().isOk()).andReturn().getResponse().getHeader("Authorization");
        getClient(header).perform(MockMvcRequestBuilders.post("/api/authn/logout", new Object[0])).andExpect(MockMvcResultMatchers.status().isNoContent());
        getClient(header).perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0])).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$.okay", Matchers.is(true))).andExpect(MockMvcResultMatchers.jsonPath("$.authenticated", Matchers.is(false))).andExpect(MockMvcResultMatchers.jsonPath("$.type", Matchers.is("status")));
    }

    @Test
    public void testPasswordAuthenticationDoesNotWorkWithShibOnly() throws Exception {
        this.configurationService.setProperty("plugin.sequence.org.dspace.authenticate.AuthenticationMethod", SHIB_ONLY);
        getClient().perform(MockMvcRequestBuilders.post("/api/authn/login", new Object[0]).param("user", new String[]{this.eperson.getEmail()}).param("password", new String[]{this.password})).andExpect(MockMvcResultMatchers.status().isUnauthorized());
    }

    @Test
    public void testShortLivedToken() throws Exception {
        String authToken = getAuthToken(this.eperson.getEmail(), this.password);
        String sessionSalt = this.eperson.getSessionSalt();
        getClient(authToken).perform(MockMvcRequestBuilders.post("/api/authn/shortlivedtokens", new Object[0])).andExpect(MockMvcResultMatchers.jsonPath("$.token", Matchers.notNullValue())).andExpect(MockMvcResultMatchers.jsonPath("$.type", Matchers.is("shortlivedtoken"))).andExpect(MockMvcResultMatchers.jsonPath("$._links.self.href", Matchers.containsString("/api/authn/shortlivedtokens"))).andExpect(MockMvcResultMatchers.cookie().doesNotExist("DSPACE-XSRF-COOKIE")).andExpect(MockMvcResultMatchers.header().doesNotExist("DSPACE-XSRF-TOKEN"));
        Assert.assertEquals(sessionSalt, this.eperson.getSessionSalt());
    }

    @Test
    public void testShortLivedTokenUsingGet() throws Exception {
        String authToken = getAuthToken(this.eperson.getEmail(), this.password);
        String sessionSalt = this.eperson.getSessionSalt();
        getClient(authToken).perform(MockMvcRequestBuilders.get("/api/authn/shortlivedtokens", new Object[0]).with(ip(TRUSTED_IP))).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$.token", Matchers.notNullValue())).andExpect(MockMvcResultMatchers.jsonPath("$.type", Matchers.is("shortlivedtoken"))).andExpect(MockMvcResultMatchers.jsonPath("$._links.self.href", Matchers.containsString("/api/authn/shortlivedtokens"))).andExpect(MockMvcResultMatchers.cookie().doesNotExist("DSPACE-XSRF-COOKIE")).andExpect(MockMvcResultMatchers.header().doesNotExist("DSPACE-XSRF-TOKEN"));
        Assert.assertEquals(sessionSalt, this.eperson.getSessionSalt());
    }

    @Test
    public void testShortLivedTokenUsingGetFromUntrustedIpShould403() throws Exception {
        getClient(getAuthToken(this.eperson.getEmail(), this.password)).perform(MockMvcRequestBuilders.get("/api/authn/shortlivedtokens", new Object[0]).with(ip(UNTRUSTED_IP))).andExpect(MockMvcResultMatchers.status().isForbidden());
    }

    @Test
    public void testShortLivedTokenUsingGetFromUntrustedIpWithForwardHeaderShould403() throws Exception {
        getClient(getAuthToken(this.eperson.getEmail(), this.password)).perform(MockMvcRequestBuilders.get("/api/authn/shortlivedtokens", new Object[0]).with(ip(UNTRUSTED_IP)).header("X-Forwarded-For", new Object[]{TRUSTED_IP})).andExpect(MockMvcResultMatchers.status().isForbidden());
    }

    @Test
    public void testShortLivedTokenWithCSRFSentViaParam() throws Exception {
        getClient(getAuthToken(this.eperson.getEmail(), this.password)).perform(MockMvcRequestBuilders.post("/api/authn/shortlivedtokens", new Object[0]).with(SecurityMockMvcRequestPostProcessors.csrf())).andExpect(MockMvcResultMatchers.cookie().exists("DSPACE-XSRF-COOKIE")).andExpect(MockMvcResultMatchers.header().exists("DSPACE-XSRF-TOKEN"));
    }

    @Test
    public void testShortLivedTokenNotAuthenticated() throws Exception {
        getClient().perform(MockMvcRequestBuilders.post("/api/authn/shortlivedtokens", new Object[0])).andExpect(MockMvcResultMatchers.status().isUnauthorized());
    }

    @Test
    public void testShortLivedTokenNotAuthenticatedUsingGet() throws Exception {
        getClient().perform(MockMvcRequestBuilders.get("/api/authn/shortlivedtokens", new Object[0]).with(ip(TRUSTED_IP))).andExpect(MockMvcResultMatchers.status().isUnauthorized());
    }

    @Test
    public void testShortLivedTokenToDownloadBitstream() throws Exception {
        Bitstream createPrivateBitstream = createPrivateBitstream();
        getClient().perform(MockMvcRequestBuilders.get("/api/core/bitstreams/" + createPrivateBitstream.getID() + "/content?authentication-token=" + getShortLivedToken(this.eperson), new Object[0])).andExpect(MockMvcResultMatchers.status().isOk());
    }

    @Test
    public void testShortLivedTokenToDownloadBitstreamUnauthorized() throws Exception {
        Bitstream createPrivateBitstream = createPrivateBitstream();
        this.context.turnOffAuthorisationSystem();
        EPerson build = EPersonBuilder.createEPerson(this.context).withNameInMetadata("John", "Doe").withEmail("UnauthorizedUser@example.com").withPassword(this.password).build();
        this.context.restoreAuthSystemState();
        getClient().perform(MockMvcRequestBuilders.get("/api/core/bitstreams/" + createPrivateBitstream.getID() + "/content?authentication-token=" + getShortLivedToken(build), new Object[0])).andExpect(MockMvcResultMatchers.status().isForbidden());
    }

    @Test
    public void testLoginTokenToDownloadBitstream() throws Exception {
        Bitstream createPrivateBitstream = createPrivateBitstream();
        getClient().perform(MockMvcRequestBuilders.get("/api/core/bitstreams/" + createPrivateBitstream.getID() + "/content?authentication-token=" + getAuthToken(this.eperson.getEmail(), this.password), new Object[0])).andExpect(MockMvcResultMatchers.status().isForbidden());
    }

    @Test
    public void testExpiredShortLivedTokenToDownloadBitstream() throws Exception {
        Bitstream createPrivateBitstream = createPrivateBitstream();
        this.configurationService.setProperty("jwt.shortLived.token.expiration", "1");
        String shortLivedToken = getShortLivedToken(this.eperson);
        Thread.sleep(1L);
        getClient().perform(MockMvcRequestBuilders.get("/api/core/bitstreams/" + createPrivateBitstream.getID() + "/content?authentication-token=" + shortLivedToken, new Object[0])).andExpect(MockMvcResultMatchers.status().isForbidden());
    }

    @Test
    public void testShortLivedAndLoginTokenSeparation() throws Exception {
        this.configurationService.setProperty("jwt.shortLived.token.expiration", "1");
        String authToken = getAuthToken(this.eperson.getEmail(), this.password);
        Thread.sleep(2L);
        getClient(authToken).perform(MockMvcRequestBuilders.get("/api/authn/status", new Object[0]).param("projection", new String[]{"full"})).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$.authenticated", Matchers.is(true)));
    }

    @Test(expected = Exception.class)
    public void testLoginWithShortLivedToken() throws Exception {
        getClient().perform(MockMvcRequestBuilders.post("/api/authn/login?authentication-token=" + getShortLivedToken(this.eperson), new Object[0])).andExpect(MockMvcResultMatchers.status().isInternalServerError());
    }

    @Test
    public void testGenerateShortLivedTokenWithShortLivedToken() throws Exception {
        getClient().perform(MockMvcRequestBuilders.post("/api/authn/shortlivedtokens?authentication-token=" + getShortLivedToken(this.eperson), new Object[0])).andExpect(MockMvcResultMatchers.status().isForbidden());
    }

    @Test
    public void testGenerateShortLivedTokenWithShortLivedTokenUsingGet() throws Exception {
        getClient().perform(MockMvcRequestBuilders.get("/api/authn/shortlivedtokens?authentication-token=" + getShortLivedToken(this.eperson), new Object[0]).with(ip(TRUSTED_IP))).andExpect(MockMvcResultMatchers.status().isForbidden());
    }

    private String getShortLivedToken(EPerson ePerson) throws Exception {
        return String.valueOf(((Map) new ObjectMapper().readValue(getClient(getAuthToken(ePerson.getEmail(), this.password)).perform(MockMvcRequestBuilders.post("/api/authn/shortlivedtokens", new Object[0])).andReturn().getResponse().getContentAsString(), Map.class)).get("token"));
    }

    private Bitstream createPrivateBitstream() throws Exception {
        this.context.turnOffAuthorisationSystem();
        this.parentCommunity = CommunityBuilder.createCommunity(this.context).withName("Parent Community").build();
        Bundle build = BundleBuilder.createBundle(this.context, ItemBuilder.createItem(this.context, CollectionBuilder.createCollection(this.context, this.parentCommunity).withName("Collection 1").build()).withTitle("Test").withIssueDate("2010-10-17").withAuthor("Smith, Donald").withSubject("ExtraEntry").build()).withName("TEST BUNDLE").build();
        Group build2 = GroupBuilder.createGroup(this.context).withName("Staff").addMember(this.eperson).build();
        InputStream inputStream = IOUtils.toInputStream("ThisIsSomeDummyText", "UTF-8");
        try {
            Bitstream build3 = BitstreamBuilder.createBitstream(this.context, build, inputStream).withName("Bitstream").withDescription("description").withMimeType("text/plain").withReaderGroup(build2).build();
            if (inputStream != null) {
                inputStream.close();
            }
            this.context.restoreAuthSystemState();
            return build3;
        } catch (Throwable th) {
            if (inputStream != null) {
                try {
                    inputStream.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }
}
