package no.nav.apiapp.security.veilarbabac;

import com.github.tomakehurst.wiremock.client.WireMock;
import com.github.tomakehurst.wiremock.http.RequestMethod;
import com.github.tomakehurst.wiremock.junit.WireMockRule;
import com.github.tomakehurst.wiremock.matching.RequestPatternBuilder;
import java.util.Optional;
import junit.framework.Assert;
import junit.framework.TestCase;
import no.nav.apiapp.feil.IngenTilgang;
import no.nav.apiapp.security.veilarbabac.VeilarbAbacPepClient;
import no.nav.sbl.dialogarena.common.abac.pep.Pep;
import no.nav.sbl.dialogarena.common.abac.pep.RequestData;
import no.nav.sbl.dialogarena.common.abac.pep.domain.ResourceType;
import no.nav.sbl.dialogarena.common.abac.pep.domain.request.Action;
import no.nav.sbl.dialogarena.common.abac.pep.domain.response.BiasedDecisionResponse;
import no.nav.sbl.dialogarena.common.abac.pep.domain.response.Decision;
import no.nav.sbl.dialogarena.common.abac.pep.domain.response.XacmlResponse;
import no.nav.sbl.dialogarena.common.abac.pep.exception.PepException;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.mockito.Mockito;
import org.slf4j.Logger;

/* loaded from: input_file:no/nav/apiapp/security/veilarbabac/VeilarbAbacPepClientTest.class */
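/**
 * Tests for the access decisions made by {@link VeilarbAbacPepClient}.
 *
 * <p>Two decision sources are exercised: the legacy ABAC PEP (a Mockito mock of {@link Pep}) and
 * the veilarbabac HTTP service (stubbed with WireMock). The builder switches
 * {@code brukAktoerId}, {@code sammenlikneTilgang} and {@code foretrekkVeilarbAbacResultat}
 * select which source is asked and which answer is used; the tests pin that behaviour, including
 * the cases where the two sources disagree.
 *
 * <p>NOTE(review): nothing in this class covers a denied write check
 * ({@code sjekkSkrivetilgangTilBruker} with a Deny decision); consider adding one.
 */
public class VeilarbAbacPepClientTest {
    private static final String SYSTEM_TOKEN = "token";
    public static final String OIDC_TOKEN = "OIDC-token";

    private static final String AKTOER_ID = "aktorId";
    private static final String FNR = "fnr";
    private static final String ENHET_ID = "enhetId";
    private static final String APPLICATION_DOMAIN = "veilarb";

    // Regexes (not literal URLs) handed to WireMock.urlMatching; only the '?' is escaped.
    private static final String URL_REGEX_AKTOER_ID_WRITE = String.format("/person\\?aktorId=%s&action=update", AKTOER_ID);
    private static final String URL_REGEX_FNR_READ = String.format("/person\\?fnr=%s&action=read", FNR);
    private static final String URL_REGEX_AKTOER_ID_READ = String.format("/person\\?aktorId=%s&action=read", AKTOER_ID);
    private static final String URL_REGEX_ENHET_READ = String.format("/veilarbenhet\\?enhetId=%s&action=read", ENHET_ID);

    private static final Bruker BRUKER = Bruker.fraFnr(FNR).medAktoerId(AKTOER_ID);
    public static final RequestData PEP_REQUEST_DATA_ENHET = new RequestData().withResourceType(ResourceType.Enhet).withDomain(APPLICATION_DOMAIN).withEnhet(ENHET_ID);

    // The message template the deviation tests verify on the logger mock.
    private static final String AVVIK_MELDING = "Fikk avvik i tilgang for {}";

    private final BiasedDecisionResponse PERMIT = new BiasedDecisionResponse(Decision.Permit, new XacmlResponse());
    private final BiasedDecisionResponse DENY = new BiasedDecisionResponse(Decision.Deny, new XacmlResponse());

    // Port 0 lets WireMock pick a free port; lagBygger() reads it back via port().
    @Rule
    public WireMockRule wireMockRule = new WireMockRule(0);
    private final Pep pep = Mockito.mock(Pep.class);
    private final Logger logger = Mockito.mock(Logger.class);

    @Before
    public void setup() throws PepException {
        Mockito.when(this.pep.nyRequest()).thenReturn(new RequestData());
    }

    /** Legacy ABAC permits a read: the check returns normally and the PEP is asked exactly once. */
    @Test
    public void testAbacMedLesetilgang() throws PepException {
        Mockito.when(this.pep.harInnloggetBrukerTilgangTilPerson(FNR, APPLICATION_DOMAIN, Action.ActionId.READ, ResourceType.VeilArbPerson)).thenReturn(this.PERMIT);
        lagBygger().bygg().sjekkLesetilgangTilBruker(BRUKER);
        Mockito.verify(this.pep, Mockito.times(1)).harInnloggetBrukerTilgangTilPerson(FNR, APPLICATION_DOMAIN, Action.ActionId.READ, ResourceType.VeilArbPerson);
    }

    /**
     * Legacy ABAC denies a read: the check must throw {@link IngenTilgang}.
     *
     * <p>The exception is caught explicitly rather than with {@code @Test(expected = ...)} so that
     * the PEP verification after the call is actually executed instead of being skipped by the throw.
     */
    @Test
    public void testAbacUtenLesetilgang() throws PepException {
        Mockito.when(this.pep.harInnloggetBrukerTilgangTilPerson(FNR, APPLICATION_DOMAIN, Action.ActionId.READ, ResourceType.VeilArbPerson)).thenReturn(this.DENY);
        forventIngenTilgang(() -> lagBygger().bygg().sjekkLesetilgangTilBruker(BRUKER));
        Mockito.verify(this.pep, Mockito.times(1)).harInnloggetBrukerTilgangTilPerson(FNR, APPLICATION_DOMAIN, Action.ActionId.READ, ResourceType.VeilArbPerson);
    }

    /** Legacy ABAC permits a write: the check returns normally and the PEP is asked exactly once. */
    @Test
    public void testAbacMedSkrivetilgang() throws PepException {
        Mockito.when(this.pep.harInnloggetBrukerTilgangTilPerson(FNR, APPLICATION_DOMAIN, Action.ActionId.WRITE, ResourceType.VeilArbPerson)).thenReturn(this.PERMIT);
        lagBygger().bygg().sjekkSkrivetilgangTilBruker(BRUKER);
        Mockito.verify(this.pep, Mockito.times(1)).harInnloggetBrukerTilgangTilPerson(FNR, APPLICATION_DOMAIN, Action.ActionId.WRITE, ResourceType.VeilArbPerson);
    }

    /** With {@code brukAktoerId} on, a read is decided by one veilarbabac GET keyed on aktorId. */
    @Test
    public void testVeilarbAbacMedLesetilgangForAktoerId() {
        lagVeilarbAbacResponse(URL_REGEX_AKTOER_ID_READ, "permit");
        lagBygger().brukAktoerId(() -> true).bygg().sjekkLesetilgangTilBruker(BRUKER);
        verifiserGet(1, URL_REGEX_AKTOER_ID_READ);
    }

    /** With {@code brukAktoerId} on, a write is sent to veilarbabac as {@code action=update}. */
    @Test
    public void testVeilarbAbacMedSkrivetilgangForAktoerId() {
        lagVeilarbAbacResponse(URL_REGEX_AKTOER_ID_WRITE, "permit");
        lagBygger().brukAktoerId(() -> true).bygg().sjekkSkrivetilgangTilBruker(BRUKER);
        verifiserGet(1, URL_REGEX_AKTOER_ID_WRITE);
    }

    /**
     * A 200 response whose body is not a recognised decision ("hallo") must not grant access:
     * the check is expected to fail with {@link IngenTilgang}.
     */
    @Test(expected = IngenTilgang.class)
    public void testVeilarbAbacUtenLesetilgangForAktoerId() {
        lagVeilarbAbacResponse(URL_REGEX_AKTOER_ID_READ, "hallo");
        lagBygger().brukAktoerId(() -> true).bygg().sjekkLesetilgangTilBruker(BRUKER);
    }

    /** Comparison mode, both sources permit: both are asked once and no deviation is logged. */
    @Test
    public void testSammenliknAbacOgVeilarbabacMedLesetilgangTilFnr() throws PepException {
        Mockito.when(this.pep.harInnloggetBrukerTilgangTilPerson(FNR, APPLICATION_DOMAIN, Action.ActionId.READ, ResourceType.VeilArbPerson)).thenReturn(this.PERMIT);
        lagVeilarbAbacResponse(URL_REGEX_FNR_READ, "permit");
        lagBygger().sammenlikneTilgang(() -> true).bygg().sjekkLesetilgangTilBruker(BRUKER);
        Mockito.verify(this.pep, Mockito.times(1)).harInnloggetBrukerTilgangTilPerson(FNR, APPLICATION_DOMAIN, Action.ActionId.READ, ResourceType.VeilArbPerson);
        verifiserGet(1, URL_REGEX_FNR_READ);
        // Must be the same "{}" template the deviation tests verify; with any other template
        // (the original used "%s") this never() check could not fail and would prove nothing.
        Mockito.verify(this.logger, Mockito.never()).warn(AVVIK_MELDING, AKTOER_ID);
    }

    /**
     * Comparison mode, ABAC permits but veilarbabac returns an unrecognised body: the check
     * still returns normally (no exception is expected) and the deviation is logged once.
     */
    @Test
    public void testSammenliknAbacOgVeilarbabacMedLesetilgangTilFnrOgUlikRespons() throws PepException {
        Mockito.when(this.pep.harInnloggetBrukerTilgangTilPerson(FNR, APPLICATION_DOMAIN, Action.ActionId.READ, ResourceType.VeilArbPerson)).thenReturn(this.PERMIT);
        lagVeilarbAbacResponse(URL_REGEX_FNR_READ, "hallo");
        lagBygger().sammenlikneTilgang(() -> true).bygg().sjekkLesetilgangTilBruker(BRUKER);
        Mockito.verify(this.pep, Mockito.times(1)).harInnloggetBrukerTilgangTilPerson(FNR, APPLICATION_DOMAIN, Action.ActionId.READ, ResourceType.VeilArbPerson);
        verifiserGet(1, URL_REGEX_FNR_READ);
        Mockito.verify(this.logger, Mockito.times(1)).warn(AVVIK_MELDING, AKTOER_ID);
    }

    /**
     * Comparison mode, ABAC denies while veilarbabac permits: access is refused
     * ({@link IngenTilgang}), both sources are asked once and the deviation is logged.
     */
    @Test
    public void testSammenliknAbacOgVeilarbabacMedLesetilgangTilFnrOgAbacGirDeny() throws PepException {
        Mockito.when(this.pep.harInnloggetBrukerTilgangTilPerson(FNR, APPLICATION_DOMAIN, Action.ActionId.READ, ResourceType.VeilArbPerson)).thenReturn(this.DENY);
        lagVeilarbAbacResponse(URL_REGEX_FNR_READ, "permit");
        forventIngenTilgang(() -> lagBygger().sammenlikneTilgang(() -> true).bygg().sjekkLesetilgangTilBruker(BRUKER));
        Mockito.verify(this.pep, Mockito.times(1)).harInnloggetBrukerTilgangTilPerson(FNR, APPLICATION_DOMAIN, Action.ActionId.READ, ResourceType.VeilArbPerson);
        verifiserGet(1, URL_REGEX_FNR_READ);
        Mockito.verify(this.logger, Mockito.times(1)).warn(AVVIK_MELDING, AKTOER_ID);
    }

    /**
     * Comparison mode together with {@code brukAktoerId}: the legacy PEP is not consulted at all;
     * veilarbabac is asked once by fnr and once by aktorId. Here fnr permits and aktorId denies,
     * the check returns normally, and the deviation is logged.
     */
    @Test
    public void testSammenliknAktoerIdOgFnrVeilarbabacMedLesetilgangFnrOk() throws PepException {
        // Stubbed to DENY so that an unexpected fall-through to the PEP would surface as a refusal.
        Mockito.when(this.pep.harInnloggetBrukerTilgangTilPerson(FNR, APPLICATION_DOMAIN, Action.ActionId.READ, ResourceType.VeilArbPerson)).thenReturn(this.DENY);
        lagVeilarbAbacResponse(URL_REGEX_FNR_READ, "permit");
        lagVeilarbAbacResponse(URL_REGEX_AKTOER_ID_READ, "deny");
        lagBygger().sammenlikneTilgang(() -> true).brukAktoerId(() -> true).bygg().sjekkLesetilgangTilBruker(BRUKER);
        Mockito.verify(this.pep, Mockito.never()).harInnloggetBrukerTilgangTilPerson(FNR, APPLICATION_DOMAIN, Action.ActionId.READ, ResourceType.VeilArbPerson);
        verifiserGet(1, URL_REGEX_FNR_READ);
        verifiserGet(1, URL_REGEX_AKTOER_ID_READ);
        Mockito.verify(this.logger, Mockito.times(1)).warn(AVVIK_MELDING, AKTOER_ID);
    }

    /**
     * Mirror of the previous case: fnr denies and aktorId permits. Access is refused
     * ({@link IngenTilgang}), the PEP is still not consulted, and the deviation is logged.
     */
    @Test
    public void testSammenliknAktoerIdOgFnrVeilarbabacMedLesetilgangFnrIkkeOk() throws PepException {
        Mockito.when(this.pep.harInnloggetBrukerTilgangTilPerson(FNR, APPLICATION_DOMAIN, Action.ActionId.READ, ResourceType.VeilArbPerson)).thenReturn(this.DENY);
        lagVeilarbAbacResponse(URL_REGEX_FNR_READ, "deny");
        lagVeilarbAbacResponse(URL_REGEX_AKTOER_ID_READ, "permit");
        forventIngenTilgang(() -> lagBygger().sammenlikneTilgang(() -> true).brukAktoerId(() -> true).bygg().sjekkLesetilgangTilBruker(BRUKER));
        Mockito.verify(this.pep, Mockito.never()).harInnloggetBrukerTilgangTilPerson(FNR, APPLICATION_DOMAIN, Action.ActionId.READ, ResourceType.VeilArbPerson);
        verifiserGet(1, URL_REGEX_FNR_READ);
        verifiserGet(1, URL_REGEX_AKTOER_ID_READ);
        Mockito.verify(this.logger, Mockito.times(1)).warn(AVVIK_MELDING, AKTOER_ID);
    }

    /** Enhet check in comparison mode, both sources permit: result is true, nothing is logged. */
    @Test
    public void testSammenliknAbacOgVeilarbabacMedEnhet() throws PepException {
        Mockito.when(this.pep.harTilgang(PEP_REQUEST_DATA_ENHET)).thenReturn(this.PERMIT);
        lagVeilarbAbacResponse(URL_REGEX_ENHET_READ, "permit");
        TestCase.assertTrue(lagBygger().sammenlikneTilgang(() -> true).bygg().harTilgangTilEnhet(ENHET_ID));
        Mockito.verify(this.pep, Mockito.times(1)).harTilgang(PEP_REQUEST_DATA_ENHET);
        verifiserGet(1, URL_REGEX_ENHET_READ);
        Mockito.verify(this.logger, Mockito.never()).warn(AVVIK_MELDING, ENHET_ID);
    }

    /**
     * Enhet check in comparison mode, ABAC denies and veilarbabac permits: without
     * {@code foretrekkVeilarbAbacResultat} the result is false and the deviation is logged.
     */
    @Test
    public void testSammenliknAbacOgVeilarbabacMedEnhetUlikResonse() throws PepException {
        Mockito.when(this.pep.harTilgang(PEP_REQUEST_DATA_ENHET)).thenReturn(this.DENY);
        lagVeilarbAbacResponse(URL_REGEX_ENHET_READ, "permit");
        TestCase.assertFalse(lagBygger().sammenlikneTilgang(() -> true).bygg().harTilgangTilEnhet(ENHET_ID));
        Mockito.verify(this.pep, Mockito.times(1)).harTilgang(PEP_REQUEST_DATA_ENHET);
        verifiserGet(1, URL_REGEX_ENHET_READ);
        Mockito.verify(this.logger, Mockito.times(1)).warn(AVVIK_MELDING, ENHET_ID);
    }

    /**
     * Same disagreement as above, but with {@code foretrekkVeilarbAbacResultat} on: the
     * veilarbabac permit overrides the ABAC deny, so the result is true. The deviation must
     * still be logged, which is the only trace that the legacy source would have refused.
     */
    @Test
    public void testSammenliknAbacOgVeilarbabacMedEnhetUlikResonseOGVeilarbAbacForetrukket() throws PepException {
        Mockito.when(this.pep.harTilgang(PEP_REQUEST_DATA_ENHET)).thenReturn(this.DENY);
        lagVeilarbAbacResponse(URL_REGEX_ENHET_READ, "permit");
        TestCase.assertTrue(lagBygger().sammenlikneTilgang(() -> true).foretrekkVeilarbAbacResultat(() -> true).bygg().harTilgangTilEnhet(ENHET_ID));
        Mockito.verify(this.pep, Mockito.times(1)).harTilgang(PEP_REQUEST_DATA_ENHET);
        verifiserGet(1, URL_REGEX_ENHET_READ);
        Mockito.verify(this.logger, Mockito.times(1)).warn(AVVIK_MELDING, ENHET_ID);
    }

    /** {@code medResourceTypePerson} makes the legacy PEP call use {@code ResourceType.Person}. */
    @Test
    public void testAbacMedLesetilgangMedOverstyrtRessurs() throws PepException {
        Mockito.when(this.pep.harInnloggetBrukerTilgangTilPerson(FNR, APPLICATION_DOMAIN, Action.ActionId.READ, ResourceType.Person)).thenReturn(this.PERMIT);
        lagBygger().medResourceTypePerson().bygg().sjekkLesetilgangTilBruker(BRUKER);
        Mockito.verify(this.pep, Mockito.times(1)).harInnloggetBrukerTilgangTilPerson(FNR, APPLICATION_DOMAIN, Action.ActionId.READ, ResourceType.Person);
    }

    /** {@code medResourceTypePerson} adds the person resource as a query parameter to veilarbabac. */
    @Test
    public void testVeilarbAbacMedOverstyrtRessurs() {
        String personUrlRegex = URL_REGEX_AKTOER_ID_READ + "&resource=no.nav.abac.attributter.resource.felles.person";
        lagVeilarbAbacResponse(personUrlRegex, "permit");
        lagBygger().brukAktoerId(() -> true).medResourceTypePerson().bygg().sjekkLesetilgangTilBruker(BRUKER);
        verifiserGet(1, personUrlRegex);
    }

    /**
     * {@code endre()} must yield an independent client: changing the resource type on the
     * derived client may not alter which resource the original client asks about.
     */
    @Test
    public void testEndring() {
        String personUrlRegex = URL_REGEX_AKTOER_ID_READ + "&resource=no.nav.abac.attributter.resource.felles.person";
        String underOppfolgingUrlRegex = URL_REGEX_AKTOER_ID_READ + "&resource=no.nav.abac.attributter.resource.veilarb.under_oppfoelging";
        lagVeilarbAbacResponse(personUrlRegex, "permit");
        lagVeilarbAbacResponse(underOppfolgingUrlRegex, "permit");
        VeilarbAbacPepClient personClient = lagBygger().brukAktoerId(() -> true).medResourceTypePerson().bygg();
        VeilarbAbacPepClient underOppfolgingClient = personClient.endre().medResourceTypeUnderOppfolging().bygg();

        personClient.sjekkLesetilgangTilBruker(BRUKER);
        verifiserGet(1, personUrlRegex);
        verifiserGet(0, underOppfolgingUrlRegex);

        underOppfolgingClient.sjekkLesetilgangTilBruker(BRUKER);
        verifiserGet(1, personUrlRegex);
        verifiserGet(1, underOppfolgingUrlRegex);

        // Using the original client again must still hit the person resource only.
        personClient.sjekkLesetilgangTilBruker(BRUKER);
        verifiserGet(2, personUrlRegex);
        verifiserGet(1, underOppfolgingUrlRegex);
    }

    /**
     * Stubs a veilarbabac GET that answers 200 with {@code body}.
     *
     * <p>The stub only matches when the request carries both the system token
     * ({@code Authorization: Bearer token}) and the end user's OIDC token in the {@code subject}
     * header, so a request missing either credential never receives the stubbed decision.
     *
     * @param urlRegex regex for the request URL, as understood by {@code WireMock.urlMatching}
     * @param body     response body returned to the client, e.g. {@code "permit"} or {@code "deny"}
     */
    private void lagVeilarbAbacResponse(String urlRegex, String body) {
        WireMock.givenThat(WireMock.get(WireMock.urlMatching(urlRegex))
                .withHeader("Authorization", WireMock.matching("Bearer token"))
                .withHeader("subject", WireMock.matching(OIDC_TOKEN))
                .willReturn(WireMock.aResponse().withStatus(200).withBody(body)));
    }

    /** Asserts that exactly {@code count} GET requests matching {@code urlRegex} reached WireMock. */
    private static void verifiserGet(int count, String urlRegex) {
        WireMock.verify(count, RequestPatternBuilder.newRequestPattern(RequestMethod.GET, WireMock.urlMatching(urlRegex)));
    }

    /**
     * Runs an access check that is required to be refused and fails the test if it is not.
     *
     * @param tilgangssjekk the access check expected to throw {@link IngenTilgang}
     */
    private static void forventIngenTilgang(Runnable tilgangssjekk) {
        try {
            tilgangssjekk.run();
        } catch (IngenTilgang expected) {
            // The refusal is the outcome under test; callers go on to verify the side effects.
            return;
        }
        TestCase.fail("Forventet IngenTilgang-exception");
    }

    /**
     * Builder preconfigured with the PEP and logger mocks, fixed system and OIDC tokens, and the
     * WireMock server as veilarbabac endpoint. Tests add their own feature switches on top.
     */
    private VeilarbAbacPepClient.Builder lagBygger() {
        return VeilarbAbacPepClient.ny()
                .medPep(this.pep)
                .medLogger(this.logger)
                .medSystemUserTokenProvider(() -> SYSTEM_TOKEN)
                .medOidcTokenProvider(() -> Optional.of(OIDC_TOKEN))
                .medVeilarbAbacUrl("http://localhost:" + this.wireMockRule.port());
    }
}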
