package no.nav.apiapp.security;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import no.nav.brukerdialog.security.domain.IdentType;
import no.nav.common.auth.AuthorizationModule;
import no.nav.common.auth.SecurityLevel;
import no.nav.common.auth.SsoToken;
import no.nav.common.auth.Subject;
import org.assertj.core.api.Assertions;
import org.junit.Test;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;

/* loaded from: input_file:no/nav/apiapp/security/ApiAppAuthorizationModuleTest.class */
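/**
 * Unit tests for {@link ApiAppAuthorizationModule}.
 *
 * <p>The assertions in this class pin the following access-control contract:
 * <ul>
 *   <li>An external user ({@link IdentType#EksternBruker}) is authorized only when the {@code acr}
 *       claim of the token is at least the required {@link SecurityLevel}.</li>
 *   <li>Every other ident type is exempt from the security-level check.</li>
 *   <li>When a custom {@link AuthorizationModule} is supplied, its decision is combined with the
 *       level check: both must allow the request.</li>
 *   <li>Per-path security levels replace the default level for external users on matching base
 *       paths, and may be lower or higher than the default.</li>
 * </ul>
 */
public class ApiAppAuthorizationModuleTest {
    // JUnit 4 creates a new test instance per test method, so these mocks are never shared between tests.
    private final HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
    private final AuthorizationModule customAuthorization = Mockito.mock(AuthorizationModule.class);

    @Test
    public void authorized__equal_security_level__without_custom_authorization() {
        Assertions.assertThat(authModule(SecurityLevel.Level3)
                .authorized(createSubjectEksternBruker(SecurityLevel.Level3), this.request)).isTrue();
    }

    @Test
    public void authorized__high_security_level__without_custom_authorization() {
        Assertions.assertThat(authModule(SecurityLevel.Level3)
                .authorized(createSubjectEksternBruker(SecurityLevel.Level4), this.request)).isTrue();
    }

    @Test
    public void authorized__highest_security_level__without_custom_authorization() {
        // A Level4 token must satisfy every possible minimum level.
        for (SecurityLevel minimumLevel : SecurityLevel.values()) {
            Assertions.assertThat(authModule(minimumLevel)
                    .authorized(createSubjectEksternBruker(SecurityLevel.Level4), this.request))
                    .as("minimum level %s", minimumLevel)
                    .isTrue();
        }
    }

    @Test
    public void authorized__handles_no_security_level__without_custom_authorization() {
        // A null minimum level means no level requirement is enforced: even a token whose level is
        // SecurityLevel.Ukjent is let through. Applications that need a floor must configure one.
        Assertions.assertThat(authModule(null)
                .authorized(createSubjectEksternBruker(SecurityLevel.Ukjent), this.request)).isTrue();
        Assertions.assertThat(authModule(null)
                .authorized(createSubjectInternBruker(SecurityLevel.Ukjent), this.request)).isTrue();
    }

    @Test
    public void unauthorized__low_security_level__without_custom_authorization() {
        Assertions.assertThat(authModule(SecurityLevel.Level3)
                .authorized(createSubjectEksternBruker(SecurityLevel.Level2), this.request)).isFalse();
    }

    @Test
    public void autorized__non_external_ident_types__without_custom_authorization() {
        // The subjects carry no "acr" claim at all, so this pins that non-external ident types
        // bypass the security-level check entirely.
        assertForNonExternalIdentTypes(authModule(SecurityLevel.Level4), true);
    }

    @Test
    public void autorized__non_external_ident_types__no_security_level_without_custom_authorization() {
        assertForNonExternalIdentTypes(authModule(null), true);
    }

    @Test
    public void authorized__authorized_custom_authorization() {
        stubCustomAuthorization(true);
        Assertions.assertThat(authModuleWithCustom(SecurityLevel.Level3)
                .authorized(createSubjectEksternBruker(SecurityLevel.Level3), this.request)).isTrue();
    }

    @Test
    public void authorized__unauthorized_custom_authorization() {
        // Sufficient level, but the custom module denies: the denial must win.
        stubCustomAuthorization(false);
        Assertions.assertThat(authModuleWithCustom(SecurityLevel.Level3)
                .authorized(createSubjectEksternBruker(SecurityLevel.Level3), this.request)).isFalse();
    }

    @Test
    public void unauthorized__authorized_custom_authorization() {
        // The custom module allows, but the level is too low: an allow from the custom module
        // must not override the security-level check.
        stubCustomAuthorization(true);
        Assertions.assertThat(authModuleWithCustom(SecurityLevel.Level4)
                .authorized(createSubjectEksternBruker(SecurityLevel.Level3), this.request)).isFalse();
    }

    @Test
    public void unauthorized__unauthorized_custom_authorization() {
        stubCustomAuthorization(false);
        Assertions.assertThat(authModuleWithCustom(SecurityLevel.Level4)
                .authorized(createSubjectEksternBruker(SecurityLevel.Level3), this.request)).isFalse();
    }

    @Test
    public void authorized__non_external_ident_types__authorized_custom_authorization() {
        stubCustomAuthorization(true);
        assertForNonExternalIdentTypes(authModuleWithCustom(SecurityLevel.Level4), true);
    }

    @Test
    public void unauthorized__non_external_ident_types__unauthorized_custom_authorization() {
        // Non-external ident types skip the level check but are still subject to the custom module.
        stubCustomAuthorization(false);
        assertForNonExternalIdentTypes(authModuleWithCustom(SecurityLevel.Level4), false);
    }

    @Test
    public void custom_security_levels_for_paths_applied_only_to_external_users() {
        Map<SecurityLevel, List<String>> basePathsByLevel = new HashMap<>();
        basePathsByLevel.put(SecurityLevel.Level4, Arrays.asList("level4"));
        basePathsByLevel.put(SecurityLevel.Level2, Arrays.asList("level2"));
        basePathsByLevel.put(SecurityLevel.Level1, Arrays.asList("level1"));
        // Default level is Level3; the map overrides it per base path.
        ApiAppAuthorizationModule authModuleWithPaths = authModuleWithPaths(SecurityLevel.Level3, basePathsByLevel);

        // NOTE(review): the request paths below are all lower-case, non-null and unencoded. A null
        // getPathInfo(), a longer segment that merely starts with a configured base path, case
        // variants and encoded or parameterised segments are not exercised here, so this test says
        // nothing about which level applies to them - confirm against the module and add cases.

        // "/level4": raised above the default; internal users are unaffected by the path level.
        givenPathInfo("/level4");
        Assertions.assertThat(authModuleWithPaths.authorized(createSubjectEksternBruker(SecurityLevel.Level3), this.request)).isFalse();
        Assertions.assertThat(authModuleWithPaths.authorized(createSubjectInternBruker(SecurityLevel.Level3), this.request)).isTrue();
        Assertions.assertThat(authModuleWithPaths.authorized(createSubjectEksternBruker(SecurityLevel.Level4), this.request)).isTrue();
        Assertions.assertThat(authModuleWithPaths.authorized(createSubjectInternBruker(SecurityLevel.Level4), this.request)).isTrue();

        // "/level3": no entry in the map, so the default Level3 applies to external users.
        givenPathInfo("/level3");
        Assertions.assertThat(authModuleWithPaths.authorized(createSubjectEksternBruker(SecurityLevel.Level3), this.request)).isTrue();
        Assertions.assertThat(authModuleWithPaths.authorized(createSubjectEksternBruker(SecurityLevel.Level2), this.request)).isFalse();
        Assertions.assertThat(authModuleWithPaths.authorized(createSubjectInternBruker(SecurityLevel.Level3), this.request)).isTrue();
        Assertions.assertThat(authModuleWithPaths.authorized(createSubjectInternBruker(SecurityLevel.Level2), this.request)).isTrue();

        givenPathInfo("/level3/");
        Assertions.assertThat(authModuleWithPaths.authorized(createSubjectEksternBruker(SecurityLevel.Level3), this.request)).isTrue();
        Assertions.assertThat(authModuleWithPaths.authorized(createSubjectInternBruker(SecurityLevel.Level3), this.request)).isTrue();

        givenPathInfo("/level3/ok");
        Assertions.assertThat(authModuleWithPaths.authorized(createSubjectEksternBruker(SecurityLevel.Level3), this.request)).isTrue();
        Assertions.assertThat(authModuleWithPaths.authorized(createSubjectInternBruker(SecurityLevel.Level3), this.request)).isTrue();

        // "/level2": lowered below the default - a path entry can relax the requirement as well as
        // tighten it, so the configured map is itself security-sensitive.
        givenPathInfo("/level2");
        Assertions.assertThat(authModuleWithPaths.authorized(createSubjectEksternBruker(SecurityLevel.Level2), this.request)).isTrue();
        Assertions.assertThat(authModuleWithPaths.authorized(createSubjectInternBruker(SecurityLevel.Level2), this.request)).isTrue();
        Assertions.assertThat(authModuleWithPaths.authorized(createSubjectEksternBruker(SecurityLevel.Level3), this.request)).isTrue();
        Assertions.assertThat(authModuleWithPaths.authorized(createSubjectInternBruker(SecurityLevel.Level3), this.request)).isTrue();
        Assertions.assertThat(authModuleWithPaths.authorized(createSubjectEksternBruker(SecurityLevel.Level1), this.request)).isFalse();
        Assertions.assertThat(authModuleWithPaths.authorized(createSubjectInternBruker(SecurityLevel.Level1), this.request)).isTrue();

        // The path level also covers everything nested below the base path.
        givenPathInfo("/level2/nested/path/ok");
        Assertions.assertThat(authModuleWithPaths.authorized(createSubjectEksternBruker(SecurityLevel.Level2), this.request)).isTrue();
        Assertions.assertThat(authModuleWithPaths.authorized(createSubjectInternBruker(SecurityLevel.Level2), this.request)).isTrue();

        givenPathInfo("/level1");
        Assertions.assertThat(authModuleWithPaths.authorized(createSubjectEksternBruker(SecurityLevel.Level1), this.request)).isTrue();
        Assertions.assertThat(authModuleWithPaths.authorized(createSubjectInternBruker(SecurityLevel.Level1), this.request)).isTrue();
    }

    @Test(expected = IllegalStateException.class)
    public void ambiguous_security_level_for_path_not_allowed() {
        // The same base path under two levels must be rejected when the module is constructed,
        // rather than silently resolved to one of the levels.
        Map<SecurityLevel, List<String>> basePathsByLevel = new HashMap<>();
        basePathsByLevel.put(SecurityLevel.Level4, Arrays.asList("level"));
        basePathsByLevel.put(SecurityLevel.Level1, Arrays.asList("level"));
        authModuleWithPaths(SecurityLevel.Level3, basePathsByLevel);
    }

    @Test
    public void base_path_for_security_level_should_not_be_empty_nested_or_contain_query_params() {
        Assertions.assertThat(isValidBasePathForSecurityLevel("")).isFalse();
        Assertions.assertThat(isValidBasePathForSecurityLevel("level")).isTrue();
        Assertions.assertThat(isValidBasePathForSecurityLevel("/level?a=1&b=2")).isFalse();
        Assertions.assertThat(isValidBasePathForSecurityLevel("/level")).isFalse();
        Assertions.assertThat(isValidBasePathForSecurityLevel("level/abc")).isFalse();
        Assertions.assertThat(isValidBasePathForSecurityLevel("level?")).isFalse();
        Assertions.assertThat(isValidBasePathForSecurityLevel("level&")).isFalse();
        Assertions.assertThat(isValidBasePathForSecurityLevel("level=")).isFalse();
    }

    /**
     * Reports whether the module accepts {@code str} as a base path for a security level.
     *
     * @param str the candidate base path, registered under {@link SecurityLevel#Level4}
     * @return {@code true} when the module is constructed without error, or when it fails with the
     *     "Ambiguous security level for ..." message for this path; {@code false} for any other
     *     {@link IllegalStateException}
     */
    private boolean isValidBasePathForSecurityLevel(String str) {
        try {
            Map<SecurityLevel, List<String>> basePathsByLevel = new HashMap<>();
            basePathsByLevel.put(SecurityLevel.Level4, Arrays.asList(str));
            authModuleWithPaths(null, basePathsByLevel);
            return true;
        } catch (IllegalStateException e) {
            // Compare from the constant side: an exception without a message then yields false
            // instead of a NullPointerException that would hide the real failure.
            return ("Ambiguous security level for " + str).equals(e.getMessage());
        }
    }

    /** Makes the mocked custom authorization module return {@code decision} for every call. */
    private void stubCustomAuthorization(boolean decision) {
        Mockito.when(this.customAuthorization.authorized(ArgumentMatchers.any(), ArgumentMatchers.any()))
                .thenReturn(decision);
    }

    /** Makes the mocked request report {@code pathInfo} from {@code getPathInfo()}. */
    private void givenPathInfo(String pathInfo) {
        Mockito.when(this.request.getPathInfo()).thenReturn(pathInfo);
    }

    /**
     * Asserts the decision of {@code module} for every ident type except
     * {@link IdentType#EksternBruker}, naming the ident type in the failure description.
     */
    private void assertForNonExternalIdentTypes(ApiAppAuthorizationModule module, boolean expected) {
        for (IdentType identType : IdentType.values()) {
            if (identType != IdentType.EksternBruker) {
                Assertions.assertThat(module.authorized(createSubject(identType), this.request))
                        .as("ident type %s", identType)
                        .isEqualTo(expected);
            }
        }
    }

    /** Module with only a minimum security level: no custom authorization, no per-path levels. */
    private ApiAppAuthorizationModule authModule(SecurityLevel securityLevel) {
        return new ApiAppAuthorizationModule((AuthorizationModule) null, securityLevel, Collections.emptyMap());
    }

    /** Module that additionally consults the mocked custom authorization module. */
    private ApiAppAuthorizationModule authModuleWithCustom(SecurityLevel securityLevel) {
        return new ApiAppAuthorizationModule(this.customAuthorization, securityLevel, Collections.emptyMap());
    }

    /** Module with a default level and per-path levels, without custom authorization. */
    private ApiAppAuthorizationModule authModuleWithPaths(SecurityLevel securityLevel, Map<SecurityLevel, List<String>> map) {
        return new ApiAppAuthorizationModule((AuthorizationModule) null, securityLevel, map);
    }

    /** External user whose OIDC token carries {@code securityLevel} in the "acr" claim. */
    private Subject createSubjectEksternBruker(SecurityLevel securityLevel) {
        return subjectWithAcr(IdentType.EksternBruker, securityLevel);
    }

    /** Internal user whose OIDC token carries {@code securityLevel} in the "acr" claim. */
    private Subject createSubjectInternBruker(SecurityLevel securityLevel) {
        return subjectWithAcr(IdentType.InternBruker, securityLevel);
    }

    /** Subject of the given ident type whose OIDC token has no attributes, so no "acr" claim. */
    private Subject createSubject(IdentType identType) {
        return new Subject("test-ident", identType, SsoToken.oidcToken("test-token", new HashMap<>()));
    }

    /** Builds a subject whose OIDC token has the single attribute "acr" set to the level's name. */
    @SuppressWarnings({"rawtypes", "unchecked"})
    private Subject subjectWithAcr(IdentType identType, SecurityLevel securityLevel) {
        // Kept raw on purpose: the attribute-map parameter type of SsoToken.oidcToken is not
        // visible from this file - TODO replace with the declared generic type once confirmed.
        HashMap attributes = new HashMap();
        attributes.put("acr", securityLevel.name());
        return new Subject("test-ident", identType, SsoToken.oidcToken("test-token", attributes));
    }
}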
