package io.gravitee.am.gateway.handler.common.vertx.web.handler;

import io.gravitee.am.common.jwt.JWT;
import io.gravitee.am.gateway.certificate.CertificateProvider;
import io.gravitee.am.gateway.handler.common.certificate.CertificateManager;
import io.gravitee.am.gateway.handler.common.client.ClientSyncService;
import io.gravitee.am.gateway.handler.common.jwt.JWTService;
import io.gravitee.am.gateway.handler.common.jwt.SubjectManager;
import io.gravitee.am.gateway.handler.common.role.impl.InMemoryRoleManagerImplTest;
import io.gravitee.am.gateway.handler.common.vertx.RxWebTestBase;
import io.gravitee.am.gateway.handler.common.vertx.web.handler.impl.CookieSessionHandler;
import io.gravitee.am.model.Domain;
import io.gravitee.am.model.LoginAttempt;
import io.gravitee.am.model.User;
import io.gravitee.am.model.UserIdentity;
import io.gravitee.am.model.account.AccountSettings;
import io.gravitee.am.model.idp.ApplicationIdentityProvider;
import io.gravitee.am.model.oidc.Client;
import io.gravitee.am.repository.management.api.search.LoginAttemptCriteria;
import io.gravitee.am.service.AuthenticationFlowContextService;
import io.gravitee.am.service.LoginAttemptService;
import io.gravitee.am.service.impl.user.UserEnhancer;
import io.reactivex.rxjava3.core.Completable;
import io.reactivex.rxjava3.core.Maybe;
import io.reactivex.rxjava3.core.Single;
import io.vertx.core.http.HttpMethod;
import java.util.Date;
import java.util.List;
import java.util.SortedSet;
import java.util.TreeSet;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.ArgumentMatchers;
import org.mockito.Mock;
import org.mockito.Mockito;
import org.mockito.exceptions.misusing.InvalidUseOfMatchersException;
import org.mockito.junit.MockitoJUnitRunner;

@RunWith(MockitoJUnitRunner.class)
/* loaded from: input_file:io/gravitee/am/gateway/handler/common/vertx/web/handler/SSOSessionHandlerTest.class */
public class SSOSessionHandlerTest extends RxWebTestBase {

    @Mock
    private ClientSyncService clientSyncService;

    @Mock
    private JWTService jwtService;

    @Mock
    private CertificateManager certificateManager;

    @Mock
    private UserEnhancer userEnhancer;

    @Mock
    private SubjectManager subjectManager;

    @Mock
    private AuthenticationFlowContextService authenticationFlowContextService;

    @Mock
    private LoginAttemptService loginAttemptService;

    @Mock
    private Domain domain;

    @Override // io.gravitee.am.gateway.handler.common.vertx.RxWebTestBase, io.gravitee.am.gateway.handler.common.vertx.RxVertxTestBase
    public void setUp() throws Exception {
        super.setUp();
        Mockito.when(this.authenticationFlowContextService.clearContext((String) ArgumentMatchers.any())).thenReturn(Completable.complete());
        Mockito.when(this.jwtService.encode((JWT) ArgumentMatchers.any(JWT.class), (CertificateProvider) ArgumentMatchers.eq((Object) null))).thenReturn(Single.just("token"));
        this.router.route("/login").handler(new CookieSessionHandler(this.jwtService, this.certificateManager, this.subjectManager, this.userEnhancer, "am-cookie", 108000L)).handler(new SSOSessionHandler(this.clientSyncService, this.authenticationFlowContextService, this.loginAttemptService, this.domain)).handler(routingContext -> {
            if (routingContext.session().isDestroyed()) {
                routingContext.response().setStatusCode(401).end();
            } else {
                routingContext.response().setStatusCode(200).end();
            }
        }).failureHandler(new ErrorHandler());
    }

    @Test
    public void shouldInvoke_noUser() throws Exception {
        testRequest(HttpMethod.GET, "/login", 200, "OK");
    }

    @Test
    public void shouldInvoke_userDisabled() throws Exception {
        User user = new User();
        user.setEnabled(false);
        this.router.route().order(-1).handler(routingContext -> {
            routingContext.setUser(new io.vertx.rxjava3.ext.auth.User(new io.gravitee.am.gateway.handler.common.vertx.web.auth.user.User(user)));
            routingContext.next();
        });
        testRequest(HttpMethod.GET, "/login?client_id=test-client", 401, "Unauthorized");
    }

    @Test
    public void shouldInvoke_user_password_reset() throws Exception {
        User user = new User();
        user.setId(InMemoryRoleManagerImplTest.USER_ID);
        user.setLastPasswordReset(new Date(System.currentTimeMillis() - 60000));
        this.router.route().order(-1).handler(routingContext -> {
            routingContext.setUser(new io.vertx.rxjava3.ext.auth.User(new io.gravitee.am.gateway.handler.common.vertx.web.auth.user.User(user)));
            routingContext.next();
        });
        testRequest(HttpMethod.GET, "/login?client_id=test-client", 200, "OK");
    }

    @Test
    public void shouldNotInvoke_user_password_reset() throws Exception {
        User user = new User();
        user.setId(InMemoryRoleManagerImplTest.USER_ID);
        user.setLastPasswordReset(new Date(System.currentTimeMillis() + 60000));
        this.router.route().order(-1).handler(routingContext -> {
            routingContext.setUser(new io.vertx.rxjava3.ext.auth.User(new io.gravitee.am.gateway.handler.common.vertx.web.auth.user.User(user)));
            routingContext.next();
        });
        testRequest(HttpMethod.GET, "/login?client_id=test-client", 401, "Unauthorized");
    }

    @Test
    public void shouldInvoke_user_username_reset() throws Exception {
        User user = new User();
        user.setId(InMemoryRoleManagerImplTest.USER_ID);
        user.setLastUsernameReset(new Date(System.currentTimeMillis() - 60000));
        this.router.route().order(-1).handler(routingContext -> {
            routingContext.setUser(new io.vertx.rxjava3.ext.auth.User(new io.gravitee.am.gateway.handler.common.vertx.web.auth.user.User(user)));
            routingContext.next();
        });
        testRequest(HttpMethod.GET, "/login?client_id=test-client", 200, "OK");
    }

    @Test
    public void shouldNotInvoke_user_username_reset() throws Exception {
        User user = new User();
        user.setId(InMemoryRoleManagerImplTest.USER_ID);
        user.setLastUsernameReset(new Date(System.currentTimeMillis() + 60000));
        this.router.route().order(-1).handler(routingContext -> {
            routingContext.setUser(new io.vertx.rxjava3.ext.auth.User(new io.gravitee.am.gateway.handler.common.vertx.web.auth.user.User(user)));
            routingContext.next();
        });
        testRequest(HttpMethod.GET, "/login?client_id=test-client", 401, "Unauthorized");
    }

    @Test
    public void shouldInvoke_sameClient() throws Exception {
        User user = new User();
        user.setId(InMemoryRoleManagerImplTest.USER_ID);
        user.setClient("test-client");
        Client client = new Client();
        client.setId("client-id");
        client.setClientId("test-client");
        Mockito.when(this.clientSyncService.findById(ArgumentMatchers.anyString())).thenReturn(Maybe.empty());
        Mockito.when(this.clientSyncService.findByClientId(client.getClientId())).thenReturn(Maybe.just(client));
        this.router.route().order(-1).handler(routingContext -> {
            routingContext.setUser(new io.vertx.rxjava3.ext.auth.User(new io.gravitee.am.gateway.handler.common.vertx.web.auth.user.User(user)));
            routingContext.next();
        });
        testRequest(HttpMethod.GET, "/login?client_id=test-client", 200, "OK");
    }

    @Test
    public void shouldInvoke_differentClient_sameIdp() throws Exception {
        User userFromTestClient = userFromTestClient();
        Client client = new Client();
        client.setId("client-id");
        client.setClientId("test-client");
        Client client2 = new Client();
        client2.setId("client-requested-id");
        client2.setClientId("requested-client");
        client2.setIdentityProviders(getApplicationIdentityProviders("idp-1"));
        Mockito.when(this.clientSyncService.findById(ArgumentMatchers.anyString())).thenReturn(Maybe.empty());
        Mockito.when(this.clientSyncService.findByClientId(ArgumentMatchers.anyString())).thenAnswer(invocationOnMock -> {
            String str = (String) invocationOnMock.getArgument(0);
            if (str.equals("test-client")) {
                return Maybe.just(client);
            }
            if (str.equals("requested-client")) {
                return Maybe.just(client2);
            }
            throw new InvalidUseOfMatchersException(String.format("Argument %s does not match", str));
        });
        this.router.route().order(-1).handler(routingContext -> {
            routingContext.setUser(new io.vertx.rxjava3.ext.auth.User(new io.gravitee.am.gateway.handler.common.vertx.web.auth.user.User(userFromTestClient)));
            routingContext.next();
        });
        testRequest(HttpMethod.GET, "/login?client_id=requested-client", 200, "OK");
    }

    @Test
    public void shouldInvoke_differentClient_sameIdp_using_UserIdentities() throws Exception {
        User userFromTestClient = userFromTestClient();
        UserIdentity userIdentity = new UserIdentity();
        userIdentity.setProviderId("idp-2");
        userFromTestClient.setIdentities(List.of(userIdentity));
        Client client = new Client();
        client.setId("client-id");
        client.setClientId("test-client");
        Client client2 = new Client();
        client2.setId("client-requested-id");
        client2.setClientId("requested-client");
        client2.setIdentityProviders(getApplicationIdentityProviders("idp-2"));
        Mockito.when(this.clientSyncService.findById(ArgumentMatchers.anyString())).thenReturn(Maybe.empty());
        Mockito.when(this.clientSyncService.findByClientId(ArgumentMatchers.anyString())).thenAnswer(invocationOnMock -> {
            String str = (String) invocationOnMock.getArgument(0);
            if (str.equals("test-client")) {
                return Maybe.just(client);
            }
            if (str.equals("requested-client")) {
                return Maybe.just(client2);
            }
            throw new InvalidUseOfMatchersException(String.format("Argument %s does not match", str));
        });
        this.router.route().order(-1).handler(routingContext -> {
            routingContext.setUser(new io.vertx.rxjava3.ext.auth.User(new io.gravitee.am.gateway.handler.common.vertx.web.auth.user.User(userFromTestClient)));
            routingContext.next();
        });
        testRequest(HttpMethod.GET, "/login?client_id=requested-client", 200, "OK");
    }

    @Test
    public void shouldInvoke_differentClient_sameIdp_UserBlocked() throws Exception {
        User userFromTestClient = userFromTestClient();
        Client client = new Client();
        client.setId("client-id");
        client.setClientId("test-client");
        Client client2 = new Client();
        client2.setId("client-requested-id");
        client2.setClientId("requested-client");
        ApplicationIdentityProvider applicationIdentityProvider = new ApplicationIdentityProvider();
        applicationIdentityProvider.setIdentity("idp-1");
        TreeSet treeSet = new TreeSet();
        treeSet.add(applicationIdentityProvider);
        client2.setIdentityProviders(treeSet);
        AccountSettings accountSettings = new AccountSettings();
        accountSettings.setMaxLoginAttempts(2);
        accountSettings.setAccountBlockedDuration(360000);
        accountSettings.setLoginAttemptsDetectionEnabled(true);
        Mockito.when(this.domain.getAccountSettings()).thenReturn(accountSettings);
        LoginAttempt loginAttempt = new LoginAttempt();
        loginAttempt.setAttempts(2);
        Mockito.when(this.loginAttemptService.checkAccount((LoginAttemptCriteria) ArgumentMatchers.any(), (AccountSettings) ArgumentMatchers.any())).thenReturn(Maybe.just(loginAttempt));
        Mockito.when(this.clientSyncService.findById(ArgumentMatchers.anyString())).thenReturn(Maybe.empty());
        Mockito.when(this.clientSyncService.findByClientId(ArgumentMatchers.anyString())).thenAnswer(invocationOnMock -> {
            String str = (String) invocationOnMock.getArgument(0);
            if (str.equals("test-client")) {
                return Maybe.just(client);
            }
            if (str.equals("requested-client")) {
                return Maybe.just(client2);
            }
            throw new InvalidUseOfMatchersException(String.format("Argument %s does not match", str));
        });
        this.router.route().order(-1).handler(routingContext -> {
            routingContext.setUser(new io.vertx.rxjava3.ext.auth.User(new io.gravitee.am.gateway.handler.common.vertx.web.auth.user.User(userFromTestClient)));
            routingContext.next();
        });
        testRequest(HttpMethod.GET, "/login?client_id=requested-client", 401, "Unauthorized");
    }

    private static User userFromTestClient() {
        User user = new User();
        user.setId(InMemoryRoleManagerImplTest.USER_ID);
        user.setClient("test-client");
        user.setSource("idp-1");
        user.setExternalId("idp1-user-id");
        return user;
    }

    @Test
    public void shouldInvoke_differentClient_sameIdp_UserNotBlocked() throws Exception {
        User userFromTestClient = userFromTestClient();
        Client client = new Client();
        client.setId("client-id");
        client.setClientId("test-client");
        Client client2 = new Client();
        client2.setId("client-requested-id");
        client2.setClientId("requested-client");
        TreeSet treeSet = new TreeSet();
        ApplicationIdentityProvider applicationIdentityProvider = new ApplicationIdentityProvider();
        applicationIdentityProvider.setIdentity("idp-1");
        treeSet.add(applicationIdentityProvider);
        client2.setIdentityProviders(treeSet);
        AccountSettings accountSettings = new AccountSettings();
        accountSettings.setMaxLoginAttempts(2);
        accountSettings.setAccountBlockedDuration(360000);
        accountSettings.setLoginAttemptsDetectionEnabled(true);
        Mockito.when(this.domain.getAccountSettings()).thenReturn(accountSettings);
        LoginAttempt loginAttempt = new LoginAttempt();
        loginAttempt.setAttempts(1);
        Mockito.when(this.loginAttemptService.checkAccount((LoginAttemptCriteria) ArgumentMatchers.any(), (AccountSettings) ArgumentMatchers.any())).thenReturn(Maybe.just(loginAttempt));
        Mockito.when(this.clientSyncService.findById(ArgumentMatchers.anyString())).thenReturn(Maybe.empty());
        Mockito.when(this.clientSyncService.findByClientId(ArgumentMatchers.anyString())).thenAnswer(invocationOnMock -> {
            String str = (String) invocationOnMock.getArgument(0);
            if (str.equals("test-client")) {
                return Maybe.just(client);
            }
            if (str.equals("requested-client")) {
                return Maybe.just(client2);
            }
            throw new InvalidUseOfMatchersException(String.format("Argument %s does not match", str));
        });
        this.router.route().order(-1).handler(routingContext -> {
            routingContext.setUser(new io.vertx.rxjava3.ext.auth.User(new io.gravitee.am.gateway.handler.common.vertx.web.auth.user.User(userFromTestClient)));
            routingContext.next();
        });
        testRequest(HttpMethod.GET, "/login?client_id=requested-client", 200, "OK");
    }

    @Test
    public void shouldInvoke_differentClient_differentIdp() throws Exception {
        User userFromTestClient = userFromTestClient();
        Client client = new Client();
        client.setId("client-id");
        client.setClientId("test-client");
        Client client2 = new Client();
        client2.setId("client-requested-id");
        client2.setClientId("requested-client");
        client2.setIdentityProviders(getApplicationIdentityProviders("idp-2"));
        Mockito.when(this.clientSyncService.findById(ArgumentMatchers.anyString())).thenReturn(Maybe.empty());
        Mockito.when(this.clientSyncService.findByClientId(ArgumentMatchers.anyString())).thenAnswer(invocationOnMock -> {
            String str = (String) invocationOnMock.getArgument(0);
            if (str.equals("test-client")) {
                return Maybe.just(client);
            }
            if (str.equals("requested-client")) {
                return Maybe.just(client2);
            }
            throw new InvalidUseOfMatchersException(String.format("Argument %s does not match", str));
        });
        this.router.route().order(-1).handler(routingContext -> {
            routingContext.setUser(new io.vertx.rxjava3.ext.auth.User(new io.gravitee.am.gateway.handler.common.vertx.web.auth.user.User(userFromTestClient)));
            routingContext.next();
        });
        testRequest(HttpMethod.GET, "/login?client_id=requested-client", 403, "Forbidden");
    }

    private SortedSet<ApplicationIdentityProvider> getApplicationIdentityProviders(String str) {
        ApplicationIdentityProvider applicationIdentityProvider = new ApplicationIdentityProvider();
        applicationIdentityProvider.setIdentity(str);
        TreeSet treeSet = new TreeSet();
        treeSet.add(applicationIdentityProvider);
        return treeSet;
    }
}
