package org.dspace.app.rest.security;

import java.util.ArrayList;
import org.dspace.app.rest.authorization.AuthorizationFeatureService;
import org.dspace.app.rest.converter.EPersonConverter;
import org.dspace.app.rest.model.EPersonRest;
import org.dspace.app.rest.model.patch.AddOperation;
import org.dspace.app.rest.projection.DefaultProjection;
import org.dspace.app.rest.test.AbstractControllerIntegrationTest;
import org.dspace.app.rest.utils.Utils;
import org.dspace.builder.EPersonBuilder;
import org.dspace.eperson.EPerson;
import org.dspace.services.ConfigurationService;
import org.hamcrest.Matchers;
import org.junit.Before;
import org.junit.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.result.MockMvcResultMatchers;

/* loaded from: input_file:org/dspace/app/rest/security/ShibbolethLoginFilterIT.class */
/**
 * Integration tests for the Shibboleth login endpoint, {@code /api/authn/shibboleth}.
 *
 * <p>The tests cover three security-relevant properties of the endpoint:
 * <ul>
 *   <li>a login is accepted only when the request carries a {@code SHIB-MAIL} attribute
 *       that matches an existing EPerson, and only while Shibboleth is in the configured
 *       authentication plugin sequence;</li>
 *   <li>the {@code redirectUrl} parameter is honoured for the hosts these tests treat as
 *       trusted and rejected with 400 otherwise (open-redirect protection);</li>
 *   <li>a session obtained through Shibboleth is not offered the
 *       {@code canChangePassword} feature.</li>
 * </ul>
 *
 * <p>{@code SHIB-MAIL} is supplied here as a servlet request attribute, not as a
 * client-sent header or parameter.
 */
public class ShibbolethLoginFilterIT extends AbstractControllerIntegrationTest {

    /** Plugin sequence that enables password authentication only. */
    public static final String[] PASS_ONLY = {"org.dspace.authenticate.PasswordAuthentication"};

    /** Plugin sequence that enables Shibboleth authentication only. */
    public static final String[] SHIB_ONLY = {"org.dspace.authenticate.ShibAuthentication"};

    private static final String SHIB_LOGIN = "/api/authn/shibboleth";
    private static final String AUTHN_STATUS = "/api/authn/status";
    private static final String AUTH_METHOD_SEQUENCE =
        "plugin.sequence.org.dspace.authenticate.AuthenticationMethod";

    @Autowired
    ConfigurationService configurationService;

    @Autowired
    private EPersonConverter ePersonConverter;

    @Autowired
    private AuthorizationFeatureService authorizationFeatureService;

    @Autowired
    private Utils utils;

    // REST view of the default test EPerson; its self link is the "uri" of authorization searches.
    private EPersonRest ePersonRest;

    // Name of the authorization feature that must stay unavailable to Shibboleth sessions.
    private final String feature = "canChangePassword";

    /**
     * Prepares every test: adds a second allowed origin and makes Shibboleth the only
     * enabled authentication method.
     */
    @Before
    public void setup() throws Exception {
        // NOTE(review): if the parent's setUp() is itself a JUnit @Before method it has
        // already run at this point, so this would be a second invocation - confirm intent.
        super.setUp();

        // The lookup result is discarded; the call is kept as in the original.
        this.authorizationFeatureService.find(this.feature);
        this.ePersonRest = this.ePersonConverter.convert(this.eperson, DefaultProjection.DEFAULT);

        // "http://anotherdspacehost:4000" is the extra host that
        // testRedirectToAnotherGivenTrustedUrl expects to be accepted as a redirect target.
        this.configurationService.setProperty(
            "rest.cors.allowed-origins",
            "${dspace.ui.url}, http://anotherdspacehost:4000");
        this.configurationService.setProperty(AUTH_METHOD_SEQUENCE, SHIB_ONLY);
    }

    /**
     * Without a {@code redirectUrl} the login redirects to {@code http://localhost:4000},
     * and the resulting session is a Shibboleth one that cannot change its password.
     */
    @Test
    public void testRedirectToDefaultDspaceUrl() throws Exception {
        String token = loginViaShibbolethWithDefaultRedirect();
        expectShibbolethSession(token);
        expectPasswordChangeFeatureAbsent(token);
    }

    /**
     * A {@code redirectUrl} pointing at {@code http://localhost:8080/server/...} is followed,
     * and the session behaves as in the default-redirect case.
     */
    @Test
    public void testRedirectToGivenTrustedUrl() throws Exception {
        String target = "http://localhost:8080/server/api/authn/status";

        String token = getClient()
            .perform(MockMvcRequestBuilders.get(SHIB_LOGIN)
                .param("redirectUrl", target)
                .requestAttr("SHIB-MAIL", this.eperson.getEmail()))
            .andExpect(MockMvcResultMatchers.status().is3xxRedirection())
            .andExpect(MockMvcResultMatchers.redirectedUrl("http://localhost:8080/server/api/authn/status"))
            .andReturn()
            .getResponse()
            .getHeader("Authorization");

        expectShibbolethSession(token);
        expectPasswordChangeFeatureAbsent(token);
    }

    /**
     * With only password authentication enabled, the Shibboleth endpoint answers 401 even
     * though a valid {@code SHIB-MAIL} attribute and a trusted {@code redirectUrl} are sent.
     */
    @Test
    public void testNoRedirectIfShibbolethDisabled() throws Exception {
        this.configurationService.setProperty(AUTH_METHOD_SEQUENCE, PASS_ONLY);

        getClient()
            .perform(MockMvcRequestBuilders.get(SHIB_LOGIN)
                .param("redirectUrl", "http://localhost:8080/server/api/authn/status")
                .requestAttr("SHIB-MAIL", this.eperson.getEmail()))
            .andExpect(MockMvcResultMatchers.status().isUnauthorized());
    }

    /**
     * A {@code redirectUrl} on the additional origin configured in {@link #setup()} is followed.
     */
    @Test
    public void testRedirectToAnotherGivenTrustedUrl() throws Exception {
        // The token is requested but not used; the call is kept as in the original.
        getAuthToken(this.eperson.getEmail(), this.password);

        getClient()
            .perform(MockMvcRequestBuilders.get(SHIB_LOGIN)
                .param("redirectUrl", "http://anotherdspacehost:4000/home")
                .requestAttr("SHIB-MAIL", this.eperson.getEmail()))
            .andExpect(MockMvcResultMatchers.status().is3xxRedirection())
            .andExpect(MockMvcResultMatchers.redirectedUrl("http://anotherdspacehost:4000/home"));
    }

    /**
     * A {@code redirectUrl} on a host outside the trusted set is rejected with 400, not followed.
     *
     * <p>NOTE(review): only one unrelated host is exercised. Negative cases for hosts that
     * merely resemble a trusted origin would give stronger evidence that the allow-list
     * comparison is exact.
     */
    @Test
    public void testRedirectToGivenUntrustedUrl() throws Exception {
        getClient()
            .perform(MockMvcRequestBuilders.get(SHIB_LOGIN)
                .param("redirectUrl", "http://dspace.org")
                .requestAttr("SHIB-MAIL", this.eperson.getEmail()))
            .andExpect(MockMvcResultMatchers.status().isBadRequest());
    }

    /** A {@code SHIB-MAIL} value that matches no EPerson yields 401. */
    @Test
    public void testNoRedirectIfInvalidShibAttributes() throws Exception {
        getClient()
            .perform(MockMvcRequestBuilders.get(SHIB_LOGIN)
                .requestAttr("SHIB-MAIL", "not-an-eperson@example.com"))
            .andExpect(MockMvcResultMatchers.status().isUnauthorized());
    }

    /** An anonymous request without any Shibboleth attribute yields 401. */
    @Test
    public void testRedirectRequiresShibAttributes() throws Exception {
        getClient()
            .perform(MockMvcRequestBuilders.get(SHIB_LOGIN))
            .andExpect(MockMvcResultMatchers.status().isUnauthorized());
    }

    /**
     * A request that carries a token from {@code getAuthToken} but no Shibboleth attribute
     * still yields 401: an existing session does not stand in for the missing attribute.
     */
    @Test
    public void testRedirectRequiresShibAttributes2() throws Exception {
        String passwordToken = getAuthToken(this.eperson.getEmail(), this.password);

        getClient(passwordToken)
            .perform(MockMvcRequestBuilders.get(SHIB_LOGIN))
            .andExpect(MockMvcResultMatchers.status().isUnauthorized());
    }

    /**
     * A password PATCH sent with a Shibboleth-issued token is answered with 403.
     *
     * <p>NOTE(review): the PATCH targets a second, freshly created EPerson, not the account
     * that logged in. The 403 may therefore come from ordinary access control between users
     * and not from a Shibboleth-specific restriction. Confirm which rule this test is meant
     * to pin.
     */
    @Test
    public void patchPassword() throws Exception {
        this.context.turnOffAuthorisationSystem();
        EPerson otherAccount = EPersonBuilder.createEPerson(this.context)
            .withNameInMetadata("John", "Doe")
            .withEmail("Johndoe@example.com")
            .withPassword(this.password)
            .build();
        this.context.restoreAuthSystemState();

        // Raw list type kept as found (likely a decompilation artifact).
        ArrayList operations = new ArrayList();
        operations.add(new AddOperation("/password", "newpassword"));
        String patchBody = getPatchContent(operations);

        String token = loginViaShibbolethWithDefaultRedirect();
        expectShibbolethSession(token);

        getClient(token)
            .perform(MockMvcRequestBuilders.patch("/api/eperson/epersons/" + otherAccount.getID())
                .content(patchBody)
                .contentType("application/json-patch+json"))
            .andExpect(MockMvcResultMatchers.status().isForbidden());
    }

    /**
     * Logs the default test EPerson in through the Shibboleth endpoint without a
     * {@code redirectUrl}, asserts the redirect to {@code http://localhost:4000}, and
     * returns the value of the response's {@code Authorization} header.
     */
    private String loginViaShibbolethWithDefaultRedirect() throws Exception {
        return getClient()
            .perform(MockMvcRequestBuilders.get(SHIB_LOGIN)
                .requestAttr("SHIB-MAIL", this.eperson.getEmail()))
            .andExpect(MockMvcResultMatchers.status().is3xxRedirection())
            .andExpect(MockMvcResultMatchers.redirectedUrl("http://localhost:4000"))
            .andReturn()
            .getResponse()
            .getHeader("Authorization");
    }

    /** Asserts that the status endpoint reports an authenticated Shibboleth session for {@code token}. */
    private void expectShibbolethSession(String token) throws Exception {
        getClient(token)
            .perform(MockMvcRequestBuilders.get(AUTHN_STATUS))
            .andExpect(MockMvcResultMatchers.status().isOk())
            .andExpect(MockMvcResultMatchers.jsonPath("$.authenticated", Matchers.is(true)))
            .andExpect(MockMvcResultMatchers.jsonPath("$.authenticationMethod", Matchers.is("shibboleth")));
    }

    /**
     * Asserts that an authorization search for the {@code canChangePassword} feature on the
     * default test EPerson returns no results for {@code token}.
     */
    private void expectPasswordChangeFeatureAbsent(String token) throws Exception {
        String selfHref = this.utils.linkToSingleResource(this.ePersonRest, "self").getHref();

        getClient(token)
            .perform(MockMvcRequestBuilders.get("/api/authz/authorizations/search/object")
                .param("embed", "feature")
                .param("feature", this.feature)
                .param("uri", selfHref))
            .andExpect(MockMvcResultMatchers.status().isOk())
            .andExpect(MockMvcResultMatchers.jsonPath("$.page.totalElements", Matchers.is(0)))
            .andExpect(MockMvcResultMatchers.jsonPath("$._embedded").doesNotExist());
    }
}
