package org.graylog2.shared.security;

import com.google.common.collect.ImmutableList;
import java.util.ArrayList;
import java.util.Date;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.annotation.Nonnull;
import org.apache.commons.lang3.StringUtils;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.SimpleSession;
import org.apache.shiro.util.LifecycleUtils;
import org.apache.shiro.util.ThreadContext;
import org.assertj.core.api.Assertions;
import org.graylog2.audit.AuditActor;
import org.graylog2.audit.AuditEventSender;
import org.graylog2.plugin.database.users.User;
import org.graylog2.rest.resources.users.UsersResourceTest;
import org.graylog2.shared.users.UserService;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.mockito.ArgumentMatchers;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.Mockito;
import org.mockito.MockitoAnnotations;

/* loaded from: input_file:org/graylog2/shared/security/SessionCreatorTest.class */
public class SessionCreatorTest {
    private static final long SESSION_TIMEOUT = Long.MAX_VALUE;
    private final ActorAwareUsernamePasswordToken validToken = new ActorAwareUsernamePasswordToken("username", UsersResourceTest.PASSWORD);
    private final ActorAwareUsernamePasswordToken invalidToken = new ActorAwareUsernamePasswordToken("username", "wrong password");

    @Mock
    private UserService userService;

    @Mock
    private AuditEventSender auditEventSender;

    @InjectMocks
    private SessionCreator sessionCreator;
    private DefaultSecurityManager securityManager;

    @Before
    public void setUp() throws Exception {
        MockitoAnnotations.initMocks(this);
        SimpleAccountRealm simpleAccountRealm = new SimpleAccountRealm();
        simpleAccountRealm.addAccount(this.validToken.getUsername(), String.valueOf(this.validToken.getPassword()));
        this.securityManager = new DefaultSecurityManager(simpleAccountRealm);
        ThrowingFirstSuccessfulStrategy throwingFirstSuccessfulStrategy = new ThrowingFirstSuccessfulStrategy();
        throwingFirstSuccessfulStrategy.setStopAfterFirstSuccess(true);
        this.securityManager.getAuthenticator().setAuthenticationStrategy(throwingFirstSuccessfulStrategy);
        SecurityUtils.setSecurityManager(this.securityManager);
    }

    @After
    public void tearDown() {
        try {
            LifecycleUtils.destroy(SecurityUtils.getSecurityManager());
            SecurityUtils.setSecurityManager((SecurityManager) null);
            ThreadContext.unbindSubject();
        } catch (Exception e) {
        }
    }

    @Test
    public void validAuthToken() {
        setUpUserMock();
        Assert.assertFalse(SecurityUtils.getSubject().isAuthenticated());
        Optional login = this.sessionCreator.login((String) null, "host", this.validToken);
        Assert.assertTrue(login.isPresent());
        Assert.assertEquals(SESSION_TIMEOUT, ((Session) login.get()).getTimeout());
        Assert.assertTrue(SecurityUtils.getSubject().isAuthenticated());
        ((AuditEventSender) Mockito.verify(this.auditEventSender)).success((AuditActor) Mockito.eq(AuditActor.user("username")), Mockito.anyString(), Mockito.anyMap());
    }

    @Test
    public void invalidAuthToken() {
        this.sessionCreator.login((String) null, "host", this.invalidToken);
        ((AuditEventSender) Mockito.verify(this.auditEventSender)).failure((AuditActor) Mockito.eq(this.validToken.getActor()), Mockito.anyString(), Mockito.anyMap());
    }

    @Test
    public void extendSession() {
        setUpUserMock();
        SimpleSession simpleSession = new SimpleSession();
        this.securityManager.getSessionManager().getSessionDAO().create(simpleSession);
        String obj = simpleSession.getId().toString();
        Assert.assertFalse(SecurityUtils.getSubject().isAuthenticated());
        Optional login = this.sessionCreator.login(obj, "host", this.validToken);
        Assert.assertTrue(login.isPresent());
        Assert.assertEquals(SESSION_TIMEOUT, ((Session) login.get()).getTimeout());
        Assert.assertEquals(obj, ((Session) login.get()).getId());
        Assert.assertTrue(SecurityUtils.getSubject().isAuthenticated());
        ((AuditEventSender) Mockito.verify(this.auditEventSender)).success((AuditActor) Mockito.eq(AuditActor.user("username")), Mockito.anyString(), Mockito.anyMap());
    }

    @Test
    public void extendExpiredSession() {
        setUpUserMock();
        SimpleSession simpleSession = new SimpleSession();
        simpleSession.setLastAccessTime(new Date(0L));
        this.securityManager.getSessionManager().getSessionDAO().create(simpleSession);
        String obj = simpleSession.getId().toString();
        Assert.assertFalse(SecurityUtils.getSubject().isAuthenticated());
        Optional login = this.sessionCreator.login(obj, "host", this.validToken);
        Assert.assertTrue(login.isPresent());
        Assert.assertNotEquals(obj, ((Session) login.get()).getId());
        Assert.assertTrue(SecurityUtils.getSubject().isAuthenticated());
    }

    @Test
    public void throwingRealmDoesNotInhibitAuthentication() {
        setUpUserMock();
        Assert.assertFalse(SecurityUtils.getSubject().isAuthenticated());
        ArrayList arrayList = new ArrayList(this.securityManager.getRealms());
        arrayList.add(0, throwingRealm());
        this.securityManager.setRealms(arrayList);
        Assertions.assertThat(this.sessionCreator.login((String) null, "host", this.validToken)).isPresent();
        Assertions.assertThat(SecurityUtils.getSubject().isAuthenticated()).isTrue();
        ((AuditEventSender) Mockito.verify(this.auditEventSender)).success((AuditActor) Mockito.eq(AuditActor.user("username")), Mockito.anyString(), Mockito.anyMap());
    }

    @Test
    public void serviceUnavailable() {
        setUpUserMock();
        Assert.assertFalse(SecurityUtils.getSubject().isAuthenticated());
        this.securityManager.setRealms(ImmutableList.of(throwingRealm(), new SimpleAccountRealm()));
        Assertions.assertThatThrownBy(() -> {
            this.sessionCreator.login((String) null, "host", this.validToken);
        }).isInstanceOf(AuthenticationServiceUnavailableException.class);
        Assertions.assertThat(SecurityUtils.getSubject().isAuthenticated()).isFalse();
        ((AuditEventSender) Mockito.verify(this.auditEventSender)).failure((AuditActor) Mockito.eq(AuditActor.user("username")), Mockito.anyString(), (Map) ArgumentMatchers.argThat(map -> {
            return StringUtils.containsIgnoreCase((String) map.get("message"), "unavailable");
        }));
    }

    @Test
    public void serviceUnavailableStateIsCleared() {
        setUpUserMock();
        Assert.assertFalse(SecurityUtils.getSubject().isAuthenticated());
        final AtomicBoolean atomicBoolean = new AtomicBoolean(true);
        this.securityManager.setRealms(ImmutableList.of(new SimpleAccountRealm() { // from class: org.graylog2.shared.security.SessionCreatorTest.1
            protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
                if (atomicBoolean.get()) {
                    throw new AuthenticationServiceUnavailableException("not available");
                }
                return super.doGetAuthenticationInfo(authenticationToken);
            }
        }, new SimpleAccountRealm()));
        Assertions.assertThatThrownBy(() -> {
            this.sessionCreator.login((String) null, "host", this.validToken);
        }).isInstanceOf(AuthenticationServiceUnavailableException.class);
        Assertions.assertThat(SecurityUtils.getSubject().isAuthenticated()).isFalse();
        atomicBoolean.set(false);
        this.sessionCreator.login((String) null, "host", this.validToken);
        Assertions.assertThat(SecurityUtils.getSubject().isAuthenticated()).isFalse();
    }

    private void setUpUserMock() {
        User user = (User) Mockito.mock(User.class);
        Mockito.when(user.getName()).thenReturn("username");
        Mockito.when(Long.valueOf(user.getSessionTimeoutMs())).thenReturn(Long.valueOf(SESSION_TIMEOUT));
        Mockito.when(this.userService.load("username")).thenReturn(user);
        Mockito.when(this.userService.loadById("username")).thenReturn(user);
    }

    @Nonnull
    private SimpleAccountRealm throwingRealm() {
        return new SimpleAccountRealm() { // from class: org.graylog2.shared.security.SessionCreatorTest.2
            protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
                throw new AuthenticationServiceUnavailableException("not available");
            }
        };
    }
}
