package pl.edu.icm.unity.ws;

import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import eu.unicore.security.wsutil.client.WSClientFactory;
import eu.unicore.util.httpclient.DefaultClientConfiguration;
import javax.xml.ws.soap.SOAPFaultException;
import org.junit.Assert;
import org.junit.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import pl.edu.icm.unity.engine.DBIntegrationTestBase;
import pl.edu.icm.unity.engine.api.AuthenticationFlowManagement;
import pl.edu.icm.unity.engine.api.AuthenticatorManagement;
import pl.edu.icm.unity.engine.api.EntityCredentialManagement;
import pl.edu.icm.unity.engine.api.authn.EntityWithCredential;
import pl.edu.icm.unity.types.I18nString;
import pl.edu.icm.unity.types.authn.AuthenticationFlowDefinition;
import pl.edu.icm.unity.types.authn.AuthenticationRealm;
import pl.edu.icm.unity.types.authn.RememberMePolicy;
import pl.edu.icm.unity.types.basic.EntityParam;
import pl.edu.icm.unity.types.endpoint.EndpointConfiguration;
import pl.edu.icm.unity.ws.mock.MockWSEndpointFactory;
import pl.edu.icm.unity.ws.mock.MockWSSEI;

/* loaded from: input_file:pl/edu/icm/unity/ws/TestWSCore.class */
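/**
 * Integration tests of authentication on the SOAP web-service endpoints.
 *
 * <p>Every test deploys two mock endpoints into a fresh authentication realm (see
 * {@link #initializeHTTPServer(String)}) and talks to them over TLS with a real client:
 * {@code /mock} uses the flow chosen by the test ({@link #AUTHENTICATION_FLOW} unless stated
 * otherwise), {@code /mock2} uses {@link #AUTHENTICATION_FLOW_CERT_SECOND_FACTOR}.
 * Rejected logins surface on the client as a {@link SOAPFaultException}; the tests only check
 * that a fault was raised, not its message.
 */
public class TestWSCore extends DBIntegrationTestBase {
    public static final String AUTHENTICATOR_WS_PASS = "ApassWS";
    public static final String AUTHENTICATOR_WS_CERT = "AcertWS";
    /** Password or certificate, either one is enough (policy NEVER). */
    public static final String AUTHENTICATION_FLOW = "flow1";
    /** Password, then certificate as a mandatory second factor (policy REQUIRE). */
    public static final String AUTHENTICATION_FLOW_CERT_SECOND_FACTOR = "flow2";
    /** Second factor required only for users who opted in (policy USER_OPTIN). */
    public static final String AUTHENTICATION_FLOW_OPTIN = "flow3";

    // Endpoint deployed under "/mock" in initializeHTTPServer (flow chosen by the test).
    private static final String MOCK_WS_URL = "https://localhost:53456/mock/mock-ws";
    // Endpoint deployed under "/mock2" in initializeHTTPServer (password + certificate flow).
    private static final String MOCK2_WS_URL = "https://localhost:53456/mock2/mock-ws";

    // Password user created by createUsers(); the password deliberately contains shell/URL
    // meta characters so that HTTP BASIC encoding of odd passwords is exercised.
    private static final String MOCK_USER = "mockuser1";
    private static final String MOCK_USER_PASSWORD = "mock~!)(@*#&$^%:?,'.\\|";
    private static final String WRONG_PASSWORD = "wrong";

    // Name IDs reported by the mock endpoint for the certificate user and the password user.
    private static final String CERT_USER_NAME_ID = "[CN=localhost,O=Unity,L=Warsaw,C=EU]";
    private static final String MOCK_USER_NAME_ID = "[mockuser1]";

    @Autowired
    private AuthenticatorManagement authnMan;

    @Autowired
    @Qualifier("insecure")
    private EntityCredentialManagement ecredMan;

    @Autowired
    private AuthenticationFlowManagement authnFlowMan;

    /**
     * The realm's failed-login lockout must apply to the account, i.e. after enough wrong
     * passwords even the correct password is rejected. The sequence (4 failures, a successful
     * login, 5 more failures) checks both that 4 failures alone do not lock the account and that
     * the lockout is then enforced regardless of the credential presented. Two independent client
     * configurations are used so that the proxies cannot share a mutated password.
     */
    @Test
    public void shouldBlockAccessAfterTooManyFailedLogins() throws Exception {
        initializeHTTPServer();
        MockWSSEI withWrongPassword = createProxy(
                newClientConfiguration(false, true, MOCK_USER, WRONG_PASSWORD), MOCK_WS_URL);
        MockWSSEI withCorrectPassword = createProxy(
                newClientConfiguration(false, true, MOCK_USER, MOCK_USER_PASSWORD), MOCK_WS_URL);

        withCorrectPassword.getAuthenticatedUser();
        assertRejectedRepeatedly(withWrongPassword, 4, "Managed to authenticate with wrong password");
        // Below the lockout threshold the correct password must still work.
        withCorrectPassword.getAuthenticatedUser();
        assertRejectedRepeatedly(withWrongPassword, 5, "Managed to authenticate with wrong password");
        // Once locked, the correct password must be refused too.
        assertAuthenticationRejected(withCorrectPassword,
                "Managed to authenticate with correct password when access should be blocked");
    }

    /**
     * With the USER_OPTIN flow a password-only login is rejected while the user's MFA opt-in
     * attribute is set, and accepted again once it is cleared.
     */
    @Test
    public void shouldRespectUserOptinAttr() throws Exception {
        initializeHTTPServer(AUTHENTICATION_FLOW_OPTIN);
        MockWSSEI passwordOnly = createProxy(
                newClientConfiguration(false, true, MOCK_USER, MOCK_USER_PASSWORD), MOCK_WS_URL);

        EntityWithCredential user = this.identityResolver.resolveIdentity(
                "mockuser1", new String[]{"userName"}, "mockpassword");
        EntityParam entity = new EntityParam(Long.valueOf(user.getEntityId()));

        this.ecredMan.setUserMFAOptIn(entity, true);
        assertAuthenticationRejected(passwordOnly,
                "Managed to authenticate with sigle cred when USER_OPTIN flow policy is used, "
                + "userOptin attr is set and second credential is not given");

        this.ecredMan.setUserMFAOptIn(entity, false);
        Assert.assertEquals(MOCK_USER_NAME_ID,
                passwordOnly.getAuthenticatedUser().getNameID().getStringValue());
    }

    /** A wrong HTTP BASIC password without a client certificate is rejected. */
    @Test
    public void shouldFailToAuthenticateWithWrongPassword() throws Exception {
        initializeHTTPServer();
        MockWSSEI proxy = createProxy(
                newClientConfiguration(false, true, MOCK_USER, WRONG_PASSWORD), MOCK_WS_URL);
        assertAuthenticationRejected(proxy, "Managed to authenticate with wrong password");
    }

    /** The TLS client certificate alone authenticates under the NEVER flow. */
    @Test
    public void shouldAuthenticateWithTLSCert() throws Exception {
        initializeHTTPServer();
        MockWSSEI proxy = createProxy(newClientConfiguration(true, false), MOCK_WS_URL);
        Assert.assertEquals(CERT_USER_NAME_ID,
                proxy.getAuthenticatedUser().getNameID().getStringValue());
    }

    /** HTTP BASIC with the correct password alone authenticates under the NEVER flow. */
    @Test
    public void shouldAuthenticateWithPassword() throws Exception {
        initializeHTTPServer();
        MockWSSEI proxy = createProxy(
                newClientConfiguration(false, true, MOCK_USER, MOCK_USER_PASSWORD), MOCK_WS_URL);
        Assert.assertEquals(MOCK_USER_NAME_ID,
                proxy.getAuthenticatedUser().getNameID().getStringValue());
    }

    /**
     * Under the NEVER flow a valid client certificate authenticates even though HTTP BASIC is
     * enabled on the client with a wrong password (and no user name): the certificate is an
     * independent first factor and the failed password does not veto it.
     */
    @Test
    public void shouldAuthenticateWithTLSCertWhenWrongPasswordProvided() throws Exception {
        initializeHTTPServer();
        DefaultClientConfiguration config = newClientConfiguration(true, true);
        config.setHttpPassword(WRONG_PASSWORD);
        MockWSSEI proxy = createProxy(config, MOCK_WS_URL);
        Assert.assertEquals(CERT_USER_NAME_ID,
                proxy.getAuthenticatedUser().getNameID().getStringValue());
    }

    /** Password plus certificate satisfies the REQUIRE flow; both identities are reported. */
    @Test
    public void shouldAuthenticateWith2Factors() throws Exception {
        initializeHTTPServer();
        MockWSSEI proxy = createProxy(
                newClientConfiguration(true, true, "user2", "mockPassword2"), MOCK2_WS_URL);
        Assert.assertEquals("[CN=localhost,O=Unity,L=Warsaw,C=EU, user2]",
                proxy.getAuthenticatedUser().getNameID().getStringValue());
    }

    /** A correct password without the mandatory certificate second factor is rejected. */
    @Test
    public void shouldFailToAuthenticateWithPasswordWhen2FactorsRequired() throws Exception {
        initializeHTTPServer();
        MockWSSEI proxy = createProxy(
                newClientConfiguration(false, true, "user2", "mockPassword2"), MOCK2_WS_URL);
        assertAuthenticationRejected(proxy, "Managed to authenticate with single cred when 2 req");
    }

    /** The certificate alone does not satisfy the REQUIRE flow (it is only the second factor). */
    @Test
    public void shouldFailToAuthenticateWithTLSCertWhen2FactorsRequired() throws Exception {
        initializeHTTPServer();
        MockWSSEI proxy = createProxy(newClientConfiguration(true, false), MOCK2_WS_URL);
        assertAuthenticationRejected(proxy, "Managed to authenticate with single cred when 2 req");
    }

    /**
     * Builds a client configuration trusting the test server (demo credential and validator,
     * TLS on) with the two client-side authentication mechanisms switched as requested.
     *
     * @param sslAuthn whether the demo certificate is presented as TLS client credential
     * @param httpAuthn whether HTTP BASIC authentication is sent
     */
    private DefaultClientConfiguration newClientConfiguration(boolean sslAuthn, boolean httpAuthn) {
        DefaultClientConfiguration config = new DefaultClientConfiguration();
        config.setCredential(getDemoCredential());
        config.setValidator(getDemoValidator());
        config.setSslEnabled(true);
        config.setSslAuthn(sslAuthn);
        config.setHttpAuthn(httpAuthn);
        return config;
    }

    /** As {@link #newClientConfiguration(boolean, boolean)}, additionally setting HTTP BASIC credentials. */
    private DefaultClientConfiguration newClientConfiguration(boolean sslAuthn, boolean httpAuthn,
            String httpUser, String httpPassword) {
        DefaultClientConfiguration config = newClientConfiguration(sslAuthn, httpAuthn);
        config.setHttpUser(httpUser);
        config.setHttpPassword(httpPassword);
        return config;
    }

    /** Creates a plain (no WS-Security) proxy to the mock SEI at {@code url}. */
    private static MockWSSEI createProxy(DefaultClientConfiguration config, String url) {
        return (MockWSSEI) new WSClientFactory(config).createPlainWSProxy(MockWSSEI.class, url);
    }

    /**
     * Asserts that {@code getAuthenticatedUser()} on {@code proxy} is refused with a SOAP fault.
     *
     * @param failureMessage assertion message used when the call unexpectedly succeeds; the
     *        returned document is appended to it for diagnosis
     */
    private static void assertAuthenticationRejected(MockWSSEI proxy, String failureMessage) {
        try {
            String authenticated = proxy.getAuthenticatedUser().xmlText();
            Assert.fail(failureMessage + ": " + authenticated);
        } catch (SOAPFaultException expected) {
            // A refused login is reported as a SOAP fault; that is the outcome under test.
        }
    }

    /** Repeats {@link #assertAuthenticationRejected} {@code times} times (failed-login counting). */
    private static void assertRejectedRepeatedly(MockWSSEI proxy, int times, String failureMessage) {
        for (int attempt = 0; attempt < times; attempt++) {
            assertAuthenticationRejected(proxy, failureMessage);
        }
    }

    /** Deploys the endpoints with {@link #AUTHENTICATION_FLOW} on {@code /mock}. */
    private void initializeHTTPServer() throws Exception {
        initializeHTTPServer(AUTHENTICATION_FLOW);
    }

    /**
     * Sets up authenticators, flows and users, creates the test realm and deploys the two mock
     * endpoints, then starts the HTTP server.
     *
     * @param mockEndpointFlow authentication flow assigned to the {@code /mock} endpoint;
     *        {@code /mock2} always gets {@link #AUTHENTICATION_FLOW_CERT_SECOND_FACTOR}
     */
    private void initializeHTTPServer(String mockEndpointFlow) throws Exception {
        setupAuth();
        createUsers();
        // Realm with a failed-login lockout; shouldBlockAccessAfterTooManyFailedLogins relies on
        // the 5 / 1 arguments — presumably "block after 5 failures for 1 s", confirm against the
        // AuthenticationRealm constructor before changing them.
        AuthenticationRealm realm = new AuthenticationRealm("testr", "", 5, 1, RememberMePolicy.disallow, 1, 600);
        this.realmsMan.addRealm(realm);
        this.endpointMan.deploy(MockWSEndpointFactory.NAME, "endpoint1", "/mock",
                new EndpointConfiguration(new I18nString("endpoint1"), "desc",
                        Lists.newArrayList(mockEndpointFlow), "", realm.getName()));
        Assert.assertEquals(1L, this.endpointMan.getDeployedEndpoints().size());
        this.endpointMan.deploy(MockWSEndpointFactory.NAME, "endpoint2", "/mock2",
                new EndpointConfiguration(new I18nString("endpoint2"), "desc",
                        Lists.newArrayList(AUTHENTICATION_FLOW_CERT_SECOND_FACTOR), "", realm.getName()));
        this.httpServer.start();
    }

    /** Creates the password user and the certificate user the tests log in as. */
    protected void createUsers() throws Exception {
        createUsernameUser(MOCK_USER, null, MOCK_USER_PASSWORD, "cr-pass");
        createCertUser();
    }

    /**
     * Registers the password and certificate authenticators and the three flows: NEVER
     * (either credential), REQUIRE (password first, certificate second) and USER_OPTIN.
     */
    protected void setupAuth() throws Exception {
        setupPasswordAuthn();
        setupPasswordAndCertAuthn();
        this.authnMan.createAuthenticator(AUTHENTICATOR_WS_CERT, "certificate", "", "credential2");
        this.authnMan.createAuthenticator(AUTHENTICATOR_WS_PASS, "password", "", "credential1");
        this.authnFlowMan.addAuthenticationFlow(new AuthenticationFlowDefinition(
                AUTHENTICATION_FLOW, AuthenticationFlowDefinition.Policy.NEVER,
                Sets.newHashSet(AUTHENTICATOR_WS_PASS, AUTHENTICATOR_WS_CERT)));
        this.authnFlowMan.addAuthenticationFlow(new AuthenticationFlowDefinition(
                AUTHENTICATION_FLOW_CERT_SECOND_FACTOR, AuthenticationFlowDefinition.Policy.REQUIRE,
                Sets.newHashSet(AUTHENTICATOR_WS_PASS), Lists.newArrayList(AUTHENTICATOR_WS_CERT)));
        this.authnFlowMan.addAuthenticationFlow(new AuthenticationFlowDefinition(
                AUTHENTICATION_FLOW_OPTIN, AuthenticationFlowDefinition.Policy.USER_OPTIN,
                Sets.newHashSet(AUTHENTICATOR_WS_PASS, AUTHENTICATOR_WS_CERT)));
    }
}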
