package org.gridgain.grid.security.oidc;

import java.util.Collections;
import java.util.UUID;
import org.apache.ignite.IgniteCheckedException;
import org.apache.ignite.cluster.ClusterState;
import org.apache.ignite.configuration.IgniteConfiguration;
import org.apache.ignite.internal.IgniteEx;
import org.apache.ignite.internal.processors.security.SecurityContext;
import org.apache.ignite.internal.util.typedef.F;
import org.apache.ignite.internal.util.typedef.internal.U;
import org.apache.ignite.plugin.PluginConfiguration;
import org.apache.ignite.plugin.security.AuthenticationContext;
import org.apache.ignite.plugin.security.SecurityCredentials;
import org.apache.ignite.plugin.security.SecurityCredentialsBasicProvider;
import org.apache.ignite.plugin.security.SecurityPermission;
import org.apache.ignite.plugin.security.SecuritySubjectType;
import org.gridgain.control.agent.AbstractSelfTest;
import org.gridgain.grid.configuration.GridGainConfiguration;
import org.gridgain.grid.security.Authenticator;
import org.gridgain.grid.security.composite.CompositeAuthenticator;
import org.gridgain.grid.security.passcode.AuthenticationAclBasicProvider;
import org.gridgain.grid.security.passcode.PasscodeAuthenticator;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.mockserver.integration.ClientAndServer;
import org.mockserver.matchers.Times;
import org.mockserver.model.HttpRequest;
import org.mockserver.model.HttpResponse;

/* loaded from: input_file:org/gridgain/grid/security/oidc/OpenIdAuthenticatorTest.class */
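/**
 * Integration test for {@link OpenIdAuthenticator} running as one member of a {@link CompositeAuthenticator}.
 *
 * <p>A MockServer instance stands in for the OpenID provider's {@code /userinfo} endpoint. Each test stubs
 * a single response, authenticates a {@link SecuritySubjectType#REMOTE_CLIENT} whose credentials carry an
 * {@code accessToken}, and then checks what the resulting {@link SecurityContext} allows on cache
 * {@code test} — or that authentication is refused, in which case {@link #authenticate} yields {@code null}.
 *
 * <p>Role resolution exercised here: the {@code gg-role} claim selects the role to apply; the tests expect
 * a {@code gg-role-<clusterId>} claim, when present for this cluster's id, to take precedence over it.
 * Roles are translated to permission JSON through {@link OpenIdAuthenticator#setPermissionsJson}.
 */
public class OpenIdAuthenticatorTest extends AbstractSelfTest {
    /** Bearer token the stubbed userinfo endpoint is set up to accept. */
    private static final String ACCESS_TOKEN = "access_token";

    /** Path of the stubbed userinfo endpoint. */
    private static final String USER_INFO_PATH = "/userinfo";

    /** Stand-in for the OpenID provider; recreated per test so expectations never leak between tests. */
    private static ClientAndServer mockServer;

    /** Node under test; its security processor performs the authentication. */
    private static IgniteEx ignite;

    /** Starts the mock provider before the grid, because {@link #getConfiguration(String)} needs its port. */
    @Before
    public void setup() {
        cleanPersistenceDir();
        mockServer = ClientAndServer.startClientAndServer();
        ignite = startGrid();
        ignite.cluster().state(ClusterState.ACTIVE);
    }

    /** Stops the grid and — even if that throws — the mock server, so its port is always released. */
    @After
    public void teardown() {
        try {
            stopAllGrids();
        }
        finally {
            mockServer.stop();
        }
    }

    /** A token whose {@code gg-role} claim maps to {@code readOnly} may read cache {@code test} but not write it. */
    @Test
    public void shouldUseDefaultRole() throws Exception {
        stubUserInfo("{\"sub\": \"id\", \"gg-role\": \"readOnly\"}");

        SecurityContext ctx = authenticate(tokenCredentials(ACCESS_TOKEN));

        Assert.assertNotNull(ctx);
        Assert.assertTrue(ctx.cacheOperationAllowed("test", SecurityPermission.CACHE_READ));
        Assert.assertFalse(ctx.cacheOperationAllowed("test", SecurityPermission.CACHE_PUT));
    }

    /** A cluster-specific role claim ({@code gg-role-<clusterId>}) is expected to win over the generic one. */
    @Test
    public void shouldUseClusterRole() throws Exception {
        stubUserInfo("{\"sub\": \"id\", \"gg-role\": \"readOnly\", \"gg-role-" + ignite.cluster().id() + "\": \"write\"}");

        SecurityContext ctx = authenticate(tokenCredentials(ACCESS_TOKEN));

        Assert.assertNotNull(ctx);
        Assert.assertTrue(ctx.cacheOperationAllowed("test", SecurityPermission.CACHE_READ));
        Assert.assertTrue(ctx.cacheOperationAllowed("test", SecurityPermission.CACHE_PUT));
    }

    /** An HTTP 401 from the provider must translate into a refused authentication, never a fallback role. */
    @Test
    public void shouldBlockAccessIfTokenIsInvalid() throws Exception {
        // No Authorization matcher here on purpose: whatever token is presented, the provider rejects it.
        mockServer.when(
            HttpRequest.request().withMethod("GET").withPath(USER_INFO_PATH),
            Times.exactly(1)
        ).respond(HttpResponse.response().withStatusCode(401));

        Assert.assertNull(authenticate(tokenCredentials(ACCESS_TOKEN)));
    }

    /** A valid token without any role claim grants nothing. */
    @Test
    public void shouldBlockAccessIfRoleIsMissing() throws Exception {
        stubUserInfo("{\"sub\": \"id\"}");

        Assert.assertNull(authenticate(tokenCredentials(ACCESS_TOKEN)));
    }

    /** A role claim that has no entry in the permissions map grants nothing (no implicit default). */
    @Test
    public void shouldBlockAccessIfPermissionsAreMissing() throws Exception {
        stubUserInfo("{\"sub\": \"id\", \"gg-role\": \"non-existing\"}");

        Assert.assertNull(authenticate(tokenCredentials(ACCESS_TOKEN)));
    }

    /** Absent credentials cannot authenticate at all. */
    @Test
    public void shouldReturnNullIfAuthenticationDidNotPass() throws Exception {
        Assert.assertNull(authenticate(null));
    }

    /**
     * Stubs the userinfo endpoint to answer one bearer-authenticated GET with {@code json} and HTTP 200.
     * {@link Times#exactly} makes the expectation single-use, so a test that triggers more than one
     * userinfo call is not silently served the same answer again.
     *
     * @param json Response body returned to the authenticator.
     */
    private static void stubUserInfo(String json) {
        mockServer.when(
            HttpRequest.request()
                .withMethod("GET")
                .withPath(USER_INFO_PATH)
                .withHeader("Authorization", "Bearer " + ACCESS_TOKEN),
            Times.exactly(1)
        ).respond(HttpResponse.response(json).withStatusCode(200));
    }

    /**
     * Builds credentials carrying only an OpenID access token, i.e. the shape the OpenID authenticator consumes.
     *
     * @param accessToken Token placed under the {@code accessToken} key of the user object.
     * @return Credentials with no login/password, only the token map as user object.
     */
    private static SecurityCredentials tokenCredentials(String accessToken) {
        SecurityCredentials creds = new SecurityCredentials();
        creds.setUserObject(F.asMap("accessToken", accessToken));
        return creds;
    }

    /**
     * Runs the given credentials through the node's security processor as a remote client.
     *
     * @param securityCredentials Credentials to authenticate; may be {@code null}.
     * @return Security context on success, {@code null} when authentication is refused.
     * @throws IgniteCheckedException If the security processor fails.
     */
    private SecurityContext authenticate(SecurityCredentials securityCredentials) throws IgniteCheckedException {
        AuthenticationContext authCtx = new AuthenticationContext();
        authCtx.subjectType(SecuritySubjectType.REMOTE_CLIENT);
        authCtx.subjectId(UUID.randomUUID());
        authCtx.nodeAttributes(Collections.emptyMap());
        authCtx.credentials(securityCredentials);
        return ignite.context().security().authenticate(authCtx);
    }

    /**
     * Passcode authenticator whose ACL knows exactly the node's own credentials, allowing everything for them.
     *
     * @param nodeCreds Credentials the node joins with.
     * @return Configured passcode authenticator.
     * @throws IgniteCheckedException If the ACL cannot be built.
     */
    private static Authenticator passcodeAuthenticator(SecurityCredentials nodeCreds) throws IgniteCheckedException {
        PasscodeAuthenticator auth = new PasscodeAuthenticator();
        auth.setAclProvider(new AuthenticationAclBasicProvider(F.asMap(nodeCreds, "{defaultAllow:true}")));
        return auth;
    }

    /**
     * OpenID authenticator pointed at the mock provider, with two roles: {@code readOnly} (CACHE_READ on
     * {@code test}) and {@code write} (CACHE_READ and CACHE_PUT on {@code test}).
     * NOTE(review): {@code defaultAllow:true} presumably permits operations on anything not listed under
     * {@code cache:'test'} — confirm before reusing these JSON snippets outside this test.
     *
     * @return Configured OpenID authenticator.
     * @throws IgniteCheckedException If the permission JSON cannot be applied.
     */
    private static Authenticator openIdAuthenticator() throws IgniteCheckedException {
        return new OpenIdAuthenticator()
            .setUserInfoUrl("http://localhost:" + mockServer.getLocalPort() + USER_INFO_PATH)
            .setPermissionsJson(F.asMap(
                "readOnly", "{defaultAllow:true, {cache:'test',permissions:[CACHE_READ]}}",
                "write", "{defaultAllow:true, {cache:'test',permissions:[CACHE_READ, CACHE_PUT]}}"));
    }

    /**
     * Node configuration with a composite authenticator (passcode first, then OpenID) as GridGain plugin.
     * The decompiler reports the original declaration was {@code protected}; {@code public} is kept as found.
     *
     * @param str Node name, passed through to the base configuration.
     * @return Base configuration extended with the security plugin.
     */
    @Override // org.gridgain.control.agent.AbstractSelfTest
    public IgniteConfiguration getConfiguration(String str) {
        try {
            // The same credentials are registered with the passcode ACL and handed to the node as its own.
            SecurityCredentials nodeCreds = new SecurityCredentials("login", "pass");

            GridGainConfiguration ggCfg = new GridGainConfiguration()
                .setAuthenticator(new CompositeAuthenticator()
                    .setAuthenticators(F.asList(passcodeAuthenticator(nodeCreds), openIdAuthenticator())))
                .setSecurityCredentialsProvider(new SecurityCredentialsBasicProvider(nodeCreds));

            return super.getConfiguration(str).setPluginConfigurations(ggCfg);
        }
        catch (IgniteCheckedException e) {
            throw U.convertException(e);
        }
    }
}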
