package no.nav.common.auth.oidc.filter;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import no.nav.common.auth.context.AuthContextHolderThreadLocal;
import no.nav.common.auth.context.UserRole;
import no.nav.common.auth.test_provider.JwtTestTokenIssuer;
import no.nav.common.auth.test_provider.JwtTestTokenIssuerConfig;
import no.nav.common.auth.test_provider.OidcProviderTestRule;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.mockito.Mockito;

/* loaded from: input_file:no/nav/common/auth/oidc/filter/OidcAuthenticationFilterTest.class */
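/**
 * Tests for {@link OidcAuthenticationFilter} against three in-process test OIDC providers
 * (NAIS STS, Azure AD and OpenAM), each started through an {@link OidcProviderTestRule}.
 *
 * <p>The positive tests check that a request carrying an accepted token is forwarded exactly once
 * and never answered with 401. The negative tests check both halves of a rejection: the response
 * status is set to 401 <em>and</em> the downstream {@link FilterChain} is never invoked. Asserting
 * only the status would let a filter that sets 401 but still forwards the request pass unnoticed.
 */
public class OidcAuthenticationFilterTest {
    private static final String NAIS_STS_ID = "oidc-provider-test-rule-nais-sts";
    private static final String AZURE_AD_ID = "oidc-provider-test-rule-aad";
    // NOTE(review): OPEN_AM_ID has the same value as AZURE_AD_ID, which looks like a copy-paste.
    // The value is kept as-is because it means the OpenAM and Azure AD test issuers are configured
    // with identical id/issuer/audience strings, so returns401IfWrongToken presumably exercises
    // rejection by signing key rather than by issuer or audience mismatch. Confirm this is intended
    // before changing it.
    private static final String OPEN_AM_ID = "oidc-provider-test-rule-aad";

    private static final String AZURE_AD_ID_TOKEN_COOKIE = "isso-idtoken";
    private static final String OPEN_AM_ID_TOKEN_COOKIE = "ID_token";
    private static final String REFRESH_TOKEN_COOKIE = "refresh_token";

    /** Offset added to "now" for the tokens used in the refresh tests: 180000 ms, i.e. three minutes. */
    private static final long SOON_TO_EXPIRE_MILLIS = 180000;

    private static final JwtTestTokenIssuerConfig naisStsIssuerConfig = issuerConfig(NAIS_STS_ID);
    private static final JwtTestTokenIssuerConfig azureAdIssuerConfig = issuerConfig(AZURE_AD_ID);
    private static final JwtTestTokenIssuerConfig openAMIssuerConfig = issuerConfig(OPEN_AM_ID);

    @Rule
    public final OidcProviderTestRule naisStsOidcProviderRule = new OidcProviderTestRule(naisStsIssuerConfig);

    @Rule
    public final OidcProviderTestRule azureAdOidcProviderRule = new OidcProviderTestRule(azureAdIssuerConfig);

    @Rule
    public final OidcProviderTestRule openAMOidcProviderRule = new OidcProviderTestRule(openAMIssuerConfig);

    private OidcAuthenticatorConfig naisStsAuthenticatorConfig;
    private OidcAuthenticatorConfig azureAdAuthenticatorConfig;
    private OidcAuthenticatorConfig openAMAuthenticatorConfig;

    /**
     * Builds one authenticator configuration per test provider.
     *
     * <ul>
     *   <li>NAIS STS: accepts the two client ids {@code srvveilarbtest} and {@code srvveilarbdemo},
     *       role {@link UserRole#SYSTEM}; no id-token cookie is configured, and the tests supply its
     *       token in the {@code Authorization} header.</li>
     *   <li>Azure AD: role {@link UserRole#INTERN}, id token in the {@code isso-idtoken} cookie, and
     *       the only configuration with a refresh URL and a refresh-token cookie name.</li>
     *   <li>OpenAM: role {@link UserRole#INTERN}, id token in the {@code ID_token} cookie, no
     *       refresh configuration.</li>
     * </ul>
     */
    @Before
    public void before() {
        this.naisStsAuthenticatorConfig = new OidcAuthenticatorConfig()
                .withDiscoveryUrl(this.naisStsOidcProviderRule.getDiscoveryUri())
                .withClientIds(List.of("srvveilarbtest", "srvveilarbdemo"))
                .withUserRole(UserRole.SYSTEM);
        this.azureAdAuthenticatorConfig = new OidcAuthenticatorConfig()
                .withDiscoveryUrl(this.azureAdOidcProviderRule.getDiscoveryUri())
                .withClientId(this.azureAdOidcProviderRule.getAudience())
                .withUserRole(UserRole.INTERN)
                .withRefreshUrl(this.azureAdOidcProviderRule.getRefreshUri())
                .withIdTokenCookieName(AZURE_AD_ID_TOKEN_COOKIE)
                .withRefreshTokenCookieName(REFRESH_TOKEN_COOKIE);
        this.openAMAuthenticatorConfig = new OidcAuthenticatorConfig()
                .withDiscoveryUrl(this.openAMOidcProviderRule.getDiscoveryUri())
                .withClientId(this.openAMOidcProviderRule.getAudience())
                .withIdTokenCookieName(OPEN_AM_ID_TOKEN_COOKIE)
                .withUserRole(UserRole.INTERN);
    }

    /**
     * A valid NAIS STS bearer token must be visible, together with the configured role, in the
     * thread-local auth context while the downstream chain runs.
     */
    @Test
    public void should_set_auth_context() throws IOException, ServletException {
        OidcAuthenticationFilter oidcAuthenticationFilter = newFilter(this.naisStsAuthenticatorConfig);
        final String token = naisStsToken("srvveilarbtest");
        HttpServletRequest request = request("/hello");
        HttpServletResponse httpServletResponse = Mockito.mock(HttpServletResponse.class);
        // A spy rather than a mock: the assertions run inside doFilter, i.e. while the filter
        // still has the auth context in place, and the call count can be verified afterwards.
        FilterChain filterChain = Mockito.spy(new FilterChain() {
            @Override
            public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse) {
                Assert.assertEquals(token, AuthContextHolderThreadLocal.instance().requireIdTokenString());
                Assert.assertEquals(UserRole.SYSTEM, AuthContextHolderThreadLocal.instance().requireRole());
            }
        });
        Mockito.when(request.getHeader("Authorization")).thenReturn("Bearer " + token);
        Mockito.when(request.getCookies()).thenReturn(new Cookie[0]);

        oidcAuthenticationFilter.doFilter(request, httpServletResponse, filterChain);

        assertForwarded(request, httpServletResponse, filterChain);
    }

    /** The first configured NAIS STS client id is accepted. */
    @Test
    public void srvveilarbtestIsAuthorized() throws IOException, ServletException {
        OidcAuthenticationFilter oidcAuthenticationFilter = newFilter(this.naisStsAuthenticatorConfig);
        HttpServletRequest request = request("/hello");
        HttpServletResponse httpServletResponse = Mockito.mock(HttpServletResponse.class);
        FilterChain filterChain = Mockito.mock(FilterChain.class);
        Mockito.when(request.getHeader("Authorization")).thenReturn("Bearer " + naisStsToken("srvveilarbtest"));

        oidcAuthenticationFilter.doFilter(request, httpServletResponse, filterChain);

        assertForwarded(request, httpServletResponse, filterChain);
    }

    /** The second configured NAIS STS client id is accepted as well. */
    @Test
    public void srvveilarbdemoIsAuthorized() throws IOException, ServletException {
        OidcAuthenticationFilter oidcAuthenticationFilter = newFilter(this.naisStsAuthenticatorConfig);
        HttpServletRequest request = request("/hello");
        HttpServletResponse httpServletResponse = Mockito.mock(HttpServletResponse.class);
        FilterChain filterChain = Mockito.mock(FilterChain.class);
        Mockito.when(request.getHeader("Authorization")).thenReturn("Bearer " + naisStsToken("srvveilarbdemo"));

        oidcAuthenticationFilter.doFilter(request, httpServletResponse, filterChain);

        assertForwarded(request, httpServletResponse, filterChain);
    }

    /**
     * A token issued by the trusted NAIS STS test provider, but for a client id that is not in the
     * configured list, must be rejected.
     */
    @Test
    public void srvunknownIsNotAuthorized() throws IOException, ServletException {
        OidcAuthenticationFilter oidcAuthenticationFilter = newFilter(this.naisStsAuthenticatorConfig);
        HttpServletRequest request = request("/hello");
        HttpServletResponse httpServletResponse = Mockito.mock(HttpServletResponse.class);
        FilterChain filterChain = Mockito.mock(FilterChain.class);
        Mockito.when(request.getHeader("Authorization")).thenReturn("Bearer " + naisStsToken("srvunknown"));

        oidcAuthenticationFilter.doFilter(request, httpServletResponse, filterChain);

        assertRejected(httpServletResponse, filterChain);
    }

    /** A request without any id-token cookie must be rejected. */
    @Test
    public void returns401IfMissingToken() throws IOException, ServletException {
        OidcAuthenticationFilter oidcAuthenticationFilter = newFilter(this.azureAdAuthenticatorConfig);
        HttpServletRequest request = request("/hello");
        HttpServletResponse httpServletResponse = Mockito.mock(HttpServletResponse.class);
        FilterChain filterChain = Mockito.mock(FilterChain.class);
        Mockito.when(request.getCookies()).thenReturn(new Cookie[0]);

        oidcAuthenticationFilter.doFilter(request, httpServletResponse, filterChain);

        assertRejected(httpServletResponse, filterChain);
    }

    /**
     * A token minted by the OpenAM test provider, presented in the Azure AD id-token cookie to a
     * filter that only has the Azure AD authenticator, must be rejected.
     */
    @Test
    public void returns401IfWrongToken() throws IOException, ServletException {
        OidcAuthenticationFilter oidcAuthenticationFilter = newFilter(this.azureAdAuthenticatorConfig);
        HttpServletRequest request = request("/hello");
        String foreignToken = this.openAMOidcProviderRule.getToken(new JwtTestTokenIssuer.Claims("me"));
        Mockito.when(request.getCookies()).thenReturn(new Cookie[] {
            new Cookie(this.azureAdAuthenticatorConfig.idTokenCookieName, foreignToken)
        });
        HttpServletResponse httpServletResponse = Mockito.mock(HttpServletResponse.class);
        FilterChain filterChain = Mockito.mock(FilterChain.class);

        oidcAuthenticationFilter.doFilter(request, httpServletResponse, filterChain);

        assertRejected(httpServletResponse, filterChain);
    }

    /** A valid Azure AD token in the id-token cookie lets the request through. */
    @Test
    public void authorizedRequestIsForwarded() throws IOException, ServletException {
        OidcAuthenticationFilter oidcAuthenticationFilter = newFilter(this.azureAdAuthenticatorConfig);
        String token = this.azureAdOidcProviderRule.getToken(new JwtTestTokenIssuer.Claims("me"));
        HttpServletResponse httpServletResponse = Mockito.mock(HttpServletResponse.class);
        FilterChain filterChain = Mockito.mock(FilterChain.class);
        HttpServletRequest request = request("/hello");
        Mockito.when(request.getCookies()).thenReturn(new Cookie[] {
            new Cookie(this.azureAdAuthenticatorConfig.idTokenCookieName, token)
        });

        oidcAuthenticationFilter.doFilter(request, httpServletResponse, filterChain);

        assertForwarded(request, httpServletResponse, filterChain);
    }

    /**
     * With both the Azure AD and the OpenAM authenticator registered, a valid Azure AD token is
     * still forwarded exactly once.
     */
    @Test
    public void authorizedRequestIsForwardedWithMultipleAuthenticators() throws IOException, ServletException {
        OidcAuthenticationFilter oidcAuthenticationFilter =
                newFilter(this.azureAdAuthenticatorConfig, this.openAMAuthenticatorConfig);
        String token = this.azureAdOidcProviderRule.getToken(new JwtTestTokenIssuer.Claims("me"));
        HttpServletResponse httpServletResponse = Mockito.mock(HttpServletResponse.class);
        FilterChain filterChain = Mockito.mock(FilterChain.class);
        HttpServletRequest request = request("/hello");
        Mockito.when(request.getCookies()).thenReturn(new Cookie[] {
            new Cookie(this.azureAdAuthenticatorConfig.idTokenCookieName, token)
        });

        oidcAuthenticationFilter.doFilter(request, httpServletResponse, filterChain);

        assertForwarded(request, httpServletResponse, filterChain);
    }

    /** A token with the test issuer's default expiry must not cause any cookie to be written. */
    @Test
    public void shouldNotRefreshTokenWhenNotExpired() throws IOException, ServletException {
        OidcAuthenticationFilter oidcAuthenticationFilter = newFilter(this.azureAdAuthenticatorConfig);
        String token = this.azureAdOidcProviderRule.getToken(new JwtTestTokenIssuer.Claims("me"));
        HttpServletResponse httpServletResponse = Mockito.mock(HttpServletResponse.class);
        FilterChain filterChain = Mockito.mock(FilterChain.class);
        HttpServletRequest request = request("/hello");
        Mockito.when(request.getCookies()).thenReturn(new Cookie[] {
            new Cookie(this.azureAdAuthenticatorConfig.idTokenCookieName, token)
        });

        oidcAuthenticationFilter.doFilter(request, httpServletResponse, filterChain);

        Mockito.verify(httpServletResponse, Mockito.never()).addCookie(Mockito.any());
        assertForwarded(request, httpServletResponse, filterChain);
    }

    /**
     * A token expiring in three minutes, accompanied by a refresh-token cookie, makes the filter
     * write at least one cookie when the authenticator has a refresh URL configured.
     */
    @Test
    public void shouldRefreshTokenWhenSoonToBeExpired() throws IOException, ServletException {
        OidcAuthenticationFilter oidcAuthenticationFilter = newFilter(this.azureAdAuthenticatorConfig);
        String token = this.azureAdOidcProviderRule.getToken(soonToExpireClaims());
        HttpServletResponse httpServletResponse = Mockito.mock(HttpServletResponse.class);
        FilterChain filterChain = Mockito.mock(FilterChain.class);
        HttpServletRequest request = request("/hello");
        Mockito.when(request.getServerName()).thenReturn("test.local");
        Mockito.when(request.getCookies()).thenReturn(new Cookie[] {
            new Cookie(this.azureAdAuthenticatorConfig.idTokenCookieName, token),
            new Cookie(REFRESH_TOKEN_COOKIE, "my-refresh-token")
        });

        oidcAuthenticationFilter.doFilter(request, httpServletResponse, filterChain);

        // NOTE(review): this only proves that some cookie was written. The cookie's name, value
        // and attributes (HttpOnly, Secure, domain, path) are not inspected here; consider
        // capturing the argument and asserting them.
        Mockito.verify(httpServletResponse, Mockito.atLeastOnce()).addCookie(Mockito.any());
        assertForwarded(request, httpServletResponse, filterChain);
    }

    /**
     * The same soon-to-expire token and refresh-token cookie must not trigger a refresh when the
     * authenticator (OpenAM here) has no refresh URL or refresh-token cookie name configured; the
     * still-valid token is simply forwarded.
     */
    @Test
    public void shouldNotRefreshTokenIfExpiredWhenMissingConfig() throws IOException, ServletException {
        OidcAuthenticationFilter oidcAuthenticationFilter = newFilter(this.openAMAuthenticatorConfig);
        String token = this.openAMOidcProviderRule.getToken(soonToExpireClaims());
        HttpServletResponse httpServletResponse = Mockito.mock(HttpServletResponse.class);
        FilterChain filterChain = Mockito.mock(FilterChain.class);
        HttpServletRequest request = request("/hello");
        Mockito.when(request.getServerName()).thenReturn("test.local");
        Mockito.when(request.getCookies()).thenReturn(new Cookie[] {
            new Cookie(OPEN_AM_ID_TOKEN_COOKIE, token),
            new Cookie(REFRESH_TOKEN_COOKIE, "my-refresh-token")
        });

        oidcAuthenticationFilter.doFilter(request, httpServletResponse, filterChain);

        Mockito.verify(httpServletResponse, Mockito.never()).addCookie(Mockito.any());
        assertForwarded(request, httpServletResponse, filterChain);
    }

    /** Builds a test issuer configuration whose id, issuer and audience are all {@code id}. */
    private static JwtTestTokenIssuerConfig issuerConfig(String id) {
        return JwtTestTokenIssuerConfig.builder().id(id).issuer(id).audience(id).build();
    }

    /**
     * Creates a filter with one authenticator per given configuration, in the given order, and
     * initialises it with a servlet context whose context path is {@code /abc}.
     */
    private OidcAuthenticationFilter newFilter(OidcAuthenticatorConfig... configs) {
        OidcAuthenticator[] authenticators = new OidcAuthenticator[configs.length];
        for (int i = 0; i < configs.length; i++) {
            authenticators[i] = OidcAuthenticator.fromConfig(configs[i]);
        }
        OidcAuthenticationFilter filter = new OidcAuthenticationFilter(Arrays.asList(authenticators));
        filter.init(config("/abc"));
        return filter;
    }

    /**
     * Issues a NAIS STS test token for {@code clientId}: the client id is passed to the claims
     * constructor, set as {@code azp}, and listed in {@code aud} next to the STS id itself.
     */
    private String naisStsToken(String clientId) {
        return this.naisStsOidcProviderRule.getToken(
                new JwtTestTokenIssuer.Claims(clientId)
                        .setClaim("aud", List.of(NAIS_STS_ID, clientId))
                        .setClaim("azp", clientId));
    }

    /** Claims for subject {@code me} with {@code exp} (in seconds) set three minutes from now. */
    private JwtTestTokenIssuer.Claims soonToExpireClaims() {
        JwtTestTokenIssuer.Claims claims = new JwtTestTokenIssuer.Claims("me");
        claims.setClaim("exp", Long.valueOf((System.currentTimeMillis() + SOON_TO_EXPIRE_MILLIS) / 1000));
        return claims;
    }

    /** Asserts that no 401 was set and that the chain received the original request exactly once. */
    private static void assertForwarded(
            HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        Mockito.verify(response, Mockito.never()).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        Mockito.verify(chain, Mockito.times(1)).doFilter(request, response);
    }

    /**
     * Asserts that 401 was set exactly once and that the chain was not invoked with any arguments,
     * so a rejected request cannot reach the protected resource.
     */
    private static void assertRejected(HttpServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        Mockito.verify(response, Mockito.times(1)).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        Mockito.verify(chain, Mockito.never()).doFilter(Mockito.any(), Mockito.any());
    }

    /** Returns a mocked request whose request URI is {@code str}; everything else is unstubbed. */
    private HttpServletRequest request(String str) {
        HttpServletRequest httpServletRequest = Mockito.mock(HttpServletRequest.class);
        Mockito.when(httpServletRequest.getRequestURI()).thenReturn(str);
        return httpServletRequest;
    }

    /** Returns a mocked filter configuration whose servlet context reports {@code str} as context path. */
    private FilterConfig config(String str) {
        FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
        ServletContext servletContext = Mockito.mock(ServletContext.class);
        Mockito.when(servletContext.getContextPath()).thenReturn(str);
        Mockito.when(filterConfig.getServletContext()).thenReturn(servletContext);
        return filterConfig;
    }
}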
