package org.dspace.app.rest;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jwt.SignedJWT;
import java.text.ParseException;
import java.util.Arrays;
import java.util.Map;
import org.dspace.app.rest.test.AbstractControllerIntegrationTest;
import org.dspace.authenticate.OidcAuthenticationBean;
import org.dspace.authenticate.oidc.OidcClient;
import org.dspace.authenticate.oidc.OidcClientException;
import org.dspace.authenticate.oidc.model.OidcTokenResponseDTO;
import org.dspace.builder.EPersonBuilder;
import org.dspace.eperson.EPerson;
import org.dspace.eperson.service.EPersonService;
import org.dspace.services.ConfigurationService;
import org.dspace.util.UUIDUtils;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.mockito.Mockito;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.web.servlet.MvcResult;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.result.MockMvcResultMatchers;

/* loaded from: input_file:org/dspace/app/rest/OidcAuthenticationRestControllerIT.class */
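/**
 * Integration tests for the OIDC login endpoint ({@code /api/authn/oidc}).
 *
 * <p>For every test the {@link OidcClient} held by the {@link OidcAuthenticationBean} is swapped for a
 * Mockito mock, so no request ever reaches an identity provider: the authorization-code exchange and the
 * user-info lookup are stubbed per test and verified afterwards. The {@code Authorization-cookie} JWT
 * issued by a successful login is parsed (without signature verification) only to read the EPerson id
 * that the assertions compare against.
 *
 * <p>State the tests touch (the mocked client, the {@code authentication-oidc.can-self-register}
 * override and any EPerson created through the REST login) is restored in {@link #after()}.
 */
public class OidcAuthenticationRestControllerIT extends AbstractControllerIntegrationTest {

    /** Authorization code the tests hand to the endpoint; the mock exchanges it for {@link #ACCESS_TOKEN}. */
    private static final String CODE = "123456";
    /** Names of the user-info attributes the OIDC bean is configured to read (see {@link #setup()}). */
    private static final String EMAIL = "email";
    private static final String FIRST_NAME = "first_name";
    private static final String LAST_NAME = "last_name";
    /** Constructed sample tokens; they only have to be stable across stub and verification. */
    private static final String ACCESS_TOKEN = "c41e37e5-c2de-4177-91d6-ed9e9d1f31bf";
    private static final String REFRESH_TOKEN = "0062a9eb-d4ec-4d94-9491-95dd75376d3e";
    private static final String[] OIDC_SCOPES = {"FirstScope", "SecondScope"};

    private static final String OIDC_LOGIN_PATH = "/api/authn/oidc";
    private static final String AUTHORIZATION_COOKIE = "Authorization-cookie";
    private static final String CAN_SELF_REGISTER_PROPERTY = "authentication-oidc.can-self-register";
    private static final String TEST_EMAIL = "test@email.it";

    private OidcClient originalOidcClient;
    private final OidcClient oidcClientMock = Mockito.mock(OidcClient.class);
    /** EPerson created by the REST login itself (not by a builder); deleted in {@link #after()} when set. */
    private EPerson createdEperson;
    /** Value of {@link #CAN_SELF_REGISTER_PROPERTY} before the test ran, restored in {@link #after()}. */
    private String originalCanSelfRegister;

    @Autowired
    private OidcAuthenticationBean oidcAuthentication;

    @Autowired
    private ConfigurationService configurationService;

    @Autowired
    private EPersonService ePersonService;

    /**
     * Installs the mocked OIDC client, maps the user-info attributes and puts OidcAuthentication ahead of
     * PasswordAuthentication in the authentication method chain.
     */
    @Before
    public void setup() {
        originalOidcClient = oidcAuthentication.getOidcClient();
        oidcAuthentication.setOidcClient(oidcClientMock);
        originalCanSelfRegister = configurationService.getProperty(CAN_SELF_REGISTER_PROPERTY);
        configurationService.setProperty("authentication-oidc.user-info.email", EMAIL);
        configurationService.setProperty("authentication-oidc.user-info.first-name", FIRST_NAME);
        configurationService.setProperty("authentication-oidc.user-info.last-name", LAST_NAME);
        configurationService.setProperty("plugin.sequence.org.dspace.authenticate.AuthenticationMethod",
            Arrays.asList("org.dspace.authenticate.OidcAuthentication",
                "org.dspace.authenticate.PasswordAuthentication"));
    }

    /**
     * Puts the real OIDC client back, undoes the self-registration override and deletes the EPerson a
     * successful login created.
     *
     * @throws Exception if the EPerson cannot be deleted
     */
    @After
    public void after() throws Exception {
        oidcAuthentication.setOidcClient(originalOidcClient);
        // testWithoutSelfRegistrationEnabled overrides this key; put it back so the override cannot leak
        // into later tests. A null original is expected to clear the key — confirm against the
        // ConfigurationService implementation in use.
        configurationService.setProperty(CAN_SELF_REGISTER_PROPERTY, originalCanSelfRegister);
        if (createdEperson != null) {
            context.turnOffAuthorisationSystem();
            try {
                ePersonService.delete(context, createdEperson);
            } finally {
                // Always restore, even when the delete fails, so a broken teardown does not leave the
                // authorisation system switched off for the next test.
                context.restoreAuthSystemState();
            }
        }
    }

    /** A first login with full user info creates a login-enabled EPerson whose netid is the e-mail. */
    @Test
    public void testEPersonCreationViaOidcLogin() throws Exception {
        stubTokenExchange();
        stubUserInfo(buildUserInfo(TEST_EMAIL, "Test", "User"));

        MvcResult result = performSuccessfulLogin();

        verifyTokenExchangeAndUserInfoLookup();

        createdEperson = findEPersonFromCookie(result);
        MatcherAssert.assertThat(createdEperson, Matchers.notNullValue());
        MatcherAssert.assertThat(createdEperson.getEmail(), Matchers.equalTo(TEST_EMAIL));
        MatcherAssert.assertThat(createdEperson.getFullName(), Matchers.equalTo("Test User"));
        MatcherAssert.assertThat(createdEperson.getNetid(), Matchers.equalTo(TEST_EMAIL));
        MatcherAssert.assertThat(createdEperson.canLogIn(), Matchers.is(true));
    }

    /** User info carrying only the e-mail attribute is still enough to create the EPerson. */
    @Test
    public void testEPersonCreationViaOidcLoginWithoutEmail() throws Exception {
        stubTokenExchange();
        stubUserInfo(buildUserInfo(TEST_EMAIL));

        MvcResult result = performSuccessfulLogin();

        verifyTokenExchangeAndUserInfoLookup();

        createdEperson = findEPersonFromCookie(result);
        MatcherAssert.assertThat(createdEperson, Matchers.notNullValue());
    }

    /**
     * With self-registration disabled an unknown user is rejected with 401 and an {@code oidc} challenge,
     * even though the token exchange and user-info lookup succeeded.
     */
    @Test
    public void testWithoutSelfRegistrationEnabled() throws Exception {
        configurationService.setProperty(CAN_SELF_REGISTER_PROPERTY, "false");
        stubTokenExchange();
        stubUserInfo(buildUserInfo(TEST_EMAIL));

        String challenge = performRejectedLogin().getResponse().getHeader("WWW-Authenticate");
        MatcherAssert.assertThat(challenge, Matchers.containsString("oidc realm=\"DSpace REST API\""));

        verifyTokenExchangeAndUserInfoLookup();
    }

    /** A request without a {@code code} parameter is rejected before the OIDC client is ever touched. */
    @Test
    public void testWithoutAuthorizationCode() throws Exception {
        getClient().perform(MockMvcRequestBuilders.get(OIDC_LOGIN_PATH))
            .andExpect(MockMvcResultMatchers.status().isUnauthorized())
            .andExpect(MockMvcResultMatchers.cookie().doesNotExist(AUTHORIZATION_COOKIE))
            .andExpect(MockMvcResultMatchers.header().exists("WWW-Authenticate"));

        Mockito.verifyNoInteractions(oidcClientMock);
    }

    /** An existing, login-enabled EPerson with the same e-mail is logged in rather than duplicated. */
    @Test
    public void testEPersonLoggedInByEmail() throws Exception {
        stubTokenExchange();
        stubUserInfo(buildUserInfo(TEST_EMAIL));
        EPerson existing = createEPerson(true);

        MvcResult result = performSuccessfulLogin();

        verifyTokenExchangeAndUserInfoLookup();

        String ePersonId = getEPersonIdFromAuthorizationCookie(result);
        MatcherAssert.assertThat(ePersonId, Matchers.notNullValue());
        MatcherAssert.assertThat(ePersonId, Matchers.equalTo(existing.getID().toString()));
    }

    /** An existing EPerson whose account cannot log in is rejected, not silently re-enabled. */
    @Test
    public void testEPersonCannotLogInByEmail() throws Exception {
        stubTokenExchange();
        stubUserInfo(buildUserInfo(TEST_EMAIL));
        createEPerson(false);

        performRejectedLogin();

        verifyTokenExchangeAndUserInfoLookup();
    }

    /** A failing token exchange yields 401 and never reaches the user-info lookup. */
    @Test
    public void testNoAuthenticationIfAnErrorOccursRetrivingOidcToken() throws Exception {
        Mockito.when(oidcClientMock.getAccessToken(CODE))
            .thenThrow(new OidcClientException(500, "internal error"));
        createEPerson(false);

        performRejectedLogin();

        Mockito.verify(oidcClientMock).getAccessToken(CODE);
        Mockito.verifyNoMoreInteractions(oidcClientMock);
    }

    /** A failing user-info lookup yields 401 even though a token was obtained. */
    @Test
    public void testNoAuthenticationIfAnErrorOccursRetrivingOidcPerson() throws Exception {
        stubTokenExchange();
        Mockito.when(oidcClientMock.getUserInfo(ACCESS_TOKEN))
            .thenThrow(new OidcClientException(500, "Internal Error"));
        createEPerson(false);

        performRejectedLogin();

        verifyTokenExchangeAndUserInfoLookup();
    }

    /** Stubs the mock so that exchanging {@link #CODE} returns a token response carrying {@link #ACCESS_TOKEN}. */
    private void stubTokenExchange() throws Exception {
        Mockito.when(oidcClientMock.getAccessToken(CODE)).thenReturn(buildOidcTokenResponse(ACCESS_TOKEN));
    }

    /** Stubs the mock so that a user-info lookup with {@link #ACCESS_TOKEN} returns {@code userInfo}. */
    private void stubUserInfo(Map<String, Object> userInfo) throws Exception {
        Mockito.when(oidcClientMock.getUserInfo(ACCESS_TOKEN)).thenReturn(userInfo);
    }

    /** Asserts that exactly one token exchange and one user-info lookup happened, and nothing else. */
    private void verifyTokenExchangeAndUserInfoLookup() throws Exception {
        Mockito.verify(oidcClientMock).getAccessToken(CODE);
        Mockito.verify(oidcClientMock).getUserInfo(ACCESS_TOKEN);
        Mockito.verifyNoMoreInteractions(oidcClientMock);
    }

    /**
     * Calls the login endpoint with {@link #CODE} and asserts the successful outcome: a redirect to the UI
     * URL with the authorization cookie set.
     *
     * @return the result, so callers can inspect the cookie
     */
    private MvcResult performSuccessfulLogin() throws Exception {
        return getClient().perform(MockMvcRequestBuilders.get(OIDC_LOGIN_PATH).param("code", CODE))
            .andExpect(MockMvcResultMatchers.status().is3xxRedirection())
            .andExpect(MockMvcResultMatchers.redirectedUrl(configurationService.getProperty("dspace.ui.url")))
            .andExpect(MockMvcResultMatchers.cookie().exists(AUTHORIZATION_COOKIE))
            .andReturn();
    }

    /**
     * Calls the login endpoint with {@link #CODE} and asserts it is refused: 401, no authorization cookie
     * and a {@code WWW-Authenticate} challenge.
     *
     * @return the result, so callers can inspect the challenge header
     */
    private MvcResult performRejectedLogin() throws Exception {
        return getClient().perform(MockMvcRequestBuilders.get(OIDC_LOGIN_PATH).param("code", CODE))
            .andExpect(MockMvcResultMatchers.status().isUnauthorized())
            .andExpect(MockMvcResultMatchers.cookie().doesNotExist(AUTHORIZATION_COOKIE))
            .andExpect(MockMvcResultMatchers.header().exists("WWW-Authenticate"))
            .andReturn();
    }

    /**
     * Creates a "Test User" EPerson with {@link #TEST_EMAIL} via the builder, with the authorisation system
     * switched off for the duration of the build only.
     *
     * <p>Builder-created EPersons are not tracked in {@link #createdEperson}; presumably the builder
     * framework of the base test class removes them — verify against {@link AbstractControllerIntegrationTest}.
     *
     * @param canLogIn whether the account may log in
     * @return the persisted EPerson
     */
    private EPerson createEPerson(boolean canLogIn) throws Exception {
        context.turnOffAuthorisationSystem();
        try {
            return EPersonBuilder.createEPerson(context)
                .withEmail(TEST_EMAIL)
                .withNameInMetadata("Test", "User")
                .withCanLogin(canLogIn)
                .build();
        } finally {
            context.restoreAuthSystemState();
        }
    }

    /** Looks up the EPerson whose id the authorization cookie of {@code result} carries. */
    private EPerson findEPersonFromCookie(MvcResult result) throws Exception {
        return ePersonService.find(context, UUIDUtils.fromString(getEPersonIdFromAuthorizationCookie(result)));
    }

    /**
     * Builds a token response as the identity provider would return it for a successful code exchange.
     *
     * @param accessToken the access token to carry
     * @return a Bearer token response with the fixed refresh token and scopes
     */
    private OidcTokenResponseDTO buildOidcTokenResponse(String accessToken) {
        OidcTokenResponseDTO response = new OidcTokenResponseDTO();
        response.setAccessToken(accessToken);
        response.setTokenType("Bearer");
        response.setRefreshToken(REFRESH_TOKEN);
        response.setScope(String.join(" ", OIDC_SCOPES));
        return response;
    }

    /** User-info payload with only the e-mail attribute. */
    private Map<String, Object> buildUserInfo(String email) {
        return Map.of(EMAIL, email);
    }

    /** User-info payload with e-mail, first name and last name. */
    private Map<String, Object> buildUserInfo(String email, String firstName, String lastName) {
        return Map.of(EMAIL, email, FIRST_NAME, firstName, LAST_NAME, lastName);
    }

    /**
     * Reads the {@code eid} claim from the JWT in the authorization cookie.
     *
     * <p>The token is parsed, not validated: no signature check is performed here because the helper only
     * extracts the id the assertions compare against; it must not be used as a trust decision.
     *
     * @param mvcResult the response of a login request
     * @return the EPerson id claim
     * @throws ParseException if the cookie value is not a parseable signed JWT
     * @throws AssertionError if the response carries no authorization cookie
     */
    private String getEPersonIdFromAuthorizationCookie(MvcResult mvcResult) throws ParseException, JOSEException {
        if (mvcResult.getResponse().getCookie(AUTHORIZATION_COOKIE) == null) {
            // Fail with a readable message instead of a NullPointerException on getValue().
            throw new AssertionError("Response carries no " + AUTHORIZATION_COOKIE + " cookie");
        }
        String jwt = mvcResult.getResponse().getCookie(AUTHORIZATION_COOKIE).getValue();
        return (String) SignedJWT.parse(jwt).getJWTClaimsSet().getClaim("eid");
    }
}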
