package org.apereo.cas.support.saml.services.idp.metadata.cache;

import com.github.benmanes.caffeine.cache.stats.CacheStats;
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.attribute.FileAttribute;
import net.shibboleth.shared.resolver.CriteriaSet;
import org.apache.commons.io.FileUtils;
import org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties;
import org.apereo.cas.support.saml.SamlException;
import org.apereo.cas.support.saml.services.BaseSamlIdPServicesTests;
import org.apereo.cas.support.saml.services.SamlRegisteredService;
import org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.ClasspathResourceMetadataResolver;
import org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.MetadataQueryProtocolMetadataResolver;
import org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.UrlResourceMetadataResolver;
import org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.UrlResourceMetadataResolverTests;
import org.apereo.cas.support.saml.services.idp.metadata.plan.DefaultSamlRegisteredServiceMetadataResolutionPlan;
import org.apereo.cas.util.MockWebServer;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.springframework.core.io.ClassPathResource;
import org.springframework.test.context.TestPropertySource;

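/**
 * Exercises {@link SamlRegisteredServiceDefaultCachingMetadataResolver} against classpath, file,
 * URL and MDQ metadata sources.
 *
 * <p>The property that matters most for relying parties is that a lookup for an entity ID that
 * the metadata does not contain ends in a {@link SamlException}; the tests below never accept a
 * substitute descriptor in that case.
 *
 * <p>Test-only shortcuts that should not be copied into a deployment:
 * <ul>
 *   <li>service ID patterns such as {@code ".+"} and {@code ".*"} are used; presumably these are
 *       regular expressions matched against the requesting entity ID, so they would cover any
 *       service provider (confirm against the service matching strategy);</li>
 *   <li>metadata is served over plain HTTP from a local mock server, and no metadata signature
 *       settings are applied to the services built here;</li>
 *   <li>the HTTP metadata backup location is {@code java.io.tmpdir}, a directory that is usually
 *       shared between local users. NOTE(review): if backups are read back as a fallback, a
 *       deployment should point this at a directory only the CAS process can write.</li>
 * </ul>
 */
@Tag("SAMLMetadata")
@TestPropertySource(properties = {"cas.authn.saml-idp.metadata.http.metadata-backup-location=file:${#systemProperties['java.io.tmpdir']}"})
public class SamlRegisteredServiceDefaultCachingMetadataResolverTests extends BaseSamlIdPServicesTests {
    /**
     * Builds the lookup criteria for a service provider.
     *
     * @param str entity ID to look up
     * @return criteria holding the entity ID and the SP SSO descriptor role
     */
    private static CriteriaSet getCriteriaFor(String str) {
        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EntityIdCriterion(str));
        criteria.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
        return criteria;
    }

    /**
     * Creates a registered service with the fixed numeric id 1000 used by most tests here.
     *
     * @param name display name of the service
     * @param serviceIdPattern value passed to {@code setServiceId}
     * @param metadataLocation value passed to {@code setMetadataLocation}
     * @return the populated service definition
     */
    private static SamlRegisteredService newServiceWithMetadata(String name, String serviceIdPattern, String metadataLocation) {
        SamlRegisteredService service = new SamlRegisteredService();
        service.setName(name);
        service.setId(1000L);
        service.setServiceId(serviceIdPattern);
        service.setMetadataLocation(metadataLocation);
        return service;
    }

    /**
     * Resolves entities from aggregate metadata served by a local mock web server and checks that
     * an unknown entity ID is rejected while the known one stays resolvable afterwards.
     */
    @Test
    public void verifyAggregateCacheOverUrlResource() {
        SamlRegisteredService service = newServiceWithMetadata("AggregateMetadata", "https://.+", "http://localhost:9191");
        SamlRegisteredServiceDefaultCachingMetadataResolver resolver = getResolver("PT1M");
        // The port is fixed because the metadata location above names it; the test cannot run
        // while another local process holds 9191.
        // try-with-resources closes the server on every exit path and keeps a close() failure
        // as a suppressed exception instead of masking the assertion error.
        try (MockWebServer webServer = new MockWebServer(9191, new ClassPathResource("aggregate-md.xml"), "application/xml")) {
            webServer.start();
            CriteriaSet knownEntity = getCriteriaFor("https://issues.shibboleth.net/shibboleth");
            Assertions.assertNotNull(resolver.resolve(service, knownEntity));
            Assertions.assertTrue(resolver.resolveIfPresent(service, knownEntity).isPresent());

            // An entity ID that is not in the aggregate must fail, not fall back to another entry.
            CriteriaSet unknownEntity = getCriteriaFor("unknown-entity");
            Assertions.assertThrows(SamlException.class, () -> resolver.resolve(service, unknownEntity));

            Assertions.assertTrue(resolver.resolveIfPresent(service, knownEntity).isPresent());
        }
    }

    /**
     * Checks that, for classpath aggregate metadata, a failed lookup of an unknown entity ID
     * leaves the previously resolved entity present and that a second known entity resolves.
     */
    @Test
    public void verifyCacheValidityForAggregates() {
        CriteriaSet knownEntity = getCriteriaFor("https://issues.shibboleth.net/shibboleth");
        SamlRegisteredService service = newServiceWithMetadata("AggregateMetadata", "https://.+", "classpath:aggregate-md.xml");
        SamlRegisteredServiceDefaultCachingMetadataResolver resolver = getResolver("PT1M");

        Assertions.assertNotNull(resolver.resolve(service, knownEntity));
        Assertions.assertTrue(resolver.resolveIfPresent(service, knownEntity).isPresent());

        CriteriaSet unknownEntity = getCriteriaFor("unknown-service-provider");
        Assertions.assertThrows(SamlException.class, () -> resolver.resolve(service, unknownEntity));
        Assertions.assertTrue(resolver.resolveIfPresent(service, knownEntity).isPresent());

        CriteriaSet secondEntity = getCriteriaFor("https://mfa-auth.dev.phenoapp.com/Saml2");
        Assertions.assertNotNull(resolver.resolve(service, secondEntity));
        Assertions.assertTrue(resolver.resolveIfPresent(service, secondEntity).isPresent());
        resolver.invalidate();
    }

    /**
     * Checks that, for single-entity metadata, a failed lookup of an unknown entity ID leaves the
     * previously resolved entity no longer present in the resolver.
     */
    @Test
    public void verifyCacheValidityWithUnknownEntityId() {
        CriteriaSet knownEntity = getCriteriaFor("https://carmenwiki.osu.edu/shibboleth");
        SamlRegisteredService service = newServiceWithMetadata("Example", "https://carmenwiki.osu.edu/shibboleth", "classpath:sample-sp.xml");
        SamlRegisteredServiceDefaultCachingMetadataResolver resolver = getResolver("PT1M");

        Assertions.assertNotNull(resolver.resolve(service, knownEntity));
        Assertions.assertTrue(resolver.resolveIfPresent(service, knownEntity).isPresent());

        CriteriaSet unknownEntity = getCriteriaFor("unknown-service-provider");
        Assertions.assertThrows(SamlException.class, () -> resolver.resolve(service, unknownEntity));
        // NOTE(review): presumably the failed lookup drops the cached resolver for this
        // service; the assertion only establishes that the entry is gone.
        Assertions.assertFalse(resolver.resolveIfPresent(service, knownEntity).isPresent());
        resolver.invalidate();
    }

    /**
     * Checks that resolution against the classpath resource {@code metadata-invalid.xml} ends in
     * a {@link SamlException}.
     */
    @Test
    public void verifyRetryableOpWithFailure() {
        CriteriaSet criteria = getCriteriaFor("urn:app.e2ma.net");
        SamlRegisteredService service = newServiceWithMetadata("Example", "urn:.+", "classpath:metadata-invalid.xml");
        SamlRegisteredServiceDefaultCachingMetadataResolver resolver = getResolver("PT5S");
        Assertions.assertThrows(SamlException.class, () -> resolver.resolve(service, criteria));
        resolver.invalidate();
    }

    /**
     * Resolves a known entity, then checks that an unknown entity ID is rejected and that the
     * known entity is no longer present afterwards.
     */
    @Test
    public void verifyRetryableOp() {
        SamlRegisteredService service = newServiceWithMetadata("Example", ".+", "classpath:sample-sp.xml");
        SamlRegisteredServiceDefaultCachingMetadataResolver resolver = getResolver("PT5S");

        CriteriaSet knownEntity = getCriteriaFor("https://carmenwiki.osu.edu/shibboleth");
        Assertions.assertNotNull(resolver.resolve(service, knownEntity));

        CriteriaSet unknownEntity = getCriteriaFor("unknown-service-provider");
        Assertions.assertThrows(SamlException.class, () -> resolver.resolve(service, unknownEntity));
        Assertions.assertFalse(resolver.resolveIfPresent(service, knownEntity).isPresent());
        resolver.invalidate();
    }

    /**
     * Checks that the cache records a single successful load while three entities are resolved
     * from the aggregate and while five further services, each pointing at its own temporary
     * metadata file, resolve an entity ID the aggregate already contains.
     *
     * <p>The method name (typo included) is kept so existing test filters still match.
     *
     * @throws Exception if the placeholder metadata cannot be read or a temporary file cannot be
     *     created, written or removed
     */
    @Test
    public void verfifyAggregatedCacheLoading() throws Exception {
        SamlRegisteredServiceDefaultCachingMetadataResolver resolver = getResolver("PT5M");
        SamlRegisteredService aggregateService = getSamlRegisteredService(1L, ".*", "classpath:aggregate-md.xml");
        Assertions.assertNotNull(resolver.resolve(aggregateService, getCriteriaFor("https://issues.shibboleth.net/shibboleth")));
        Assertions.assertNotNull(resolver.resolve(aggregateService, getCriteriaFor("https://mfa-auth.dev.phenoapp.com/Saml2")));
        Assertions.assertNotNull(resolver.resolve(aggregateService, getCriteriaFor("https://gitlab.com")));
        Assertions.assertEquals(1L, resolver.getCacheStatistics().loadSuccessCount());

        // The rendered metadata is identical for every iteration, so it is built once.
        String metadata = FileUtils.readFileToString(new ClassPathResource("placeholder-sp.xml").getFile(), StandardCharsets.UTF_8)
            .replace("%ENTITY_ID%", "https://gitlab.com");
        for (int i = 0; i < 5; i++) {
            // Files.createTempFile picks an unpredictable name and, where the file system
            // supports it, owner-only permissions.
            File file = Files.createTempFile("samplesp", ".xml").toFile();
            try {
                FileUtils.writeStringToFile(file, metadata, StandardCharsets.UTF_8);
                SamlRegisteredService fileService = getSamlRegisteredService(i, ".*", "file://" + file.getAbsolutePath());
                Assertions.assertNotNull(resolver.resolve(fileService, getCriteriaFor("https://gitlab.com")));
                Assertions.assertEquals(1L, resolver.getCacheStatistics().loadSuccessCount());
                Assertions.assertTrue(file.delete());
            } finally {
                // Safety net: a failed assertion above must not leave metadata files in the
                // shared temporary directory.
                Files.deleteIfExists(file.toPath());
            }
        }
    }

    /**
     * Checks that resolving an entity through {@code UrlResourceMetadataResolverTests.MDQ_URL}
     * ends in a {@link SamlException} for the entity ID used here.
     *
     * <p>NOTE(review): MDQ_URL is defined outside this file; presumably it is a live endpoint,
     * which would make this test depend on network access (confirm).
     */
    @Test
    public void verifyMissingMetadataInMDQ() {
        CriteriaSet criteria = getCriteriaFor("https://shib-sp-test-preprod.dartmouth.edu/shibboleth");
        SamlRegisteredService service = getSamlRegisteredService(1L, ".*", UrlResourceMetadataResolverTests.MDQ_URL);
        SamlRegisteredServiceDefaultCachingMetadataResolver resolver = getResolver("PT5M");
        Assertions.assertThrows(SamlException.class, () -> resolver.resolve(service, criteria));
    }

    /**
     * Resolves entities through the MDQ location and pins the cache statistics after each step:
     * one miss and one load for the first entity, unchanged counters when the same entity is
     * resolved again, and a second miss and load for a different entity. The hit counter is
     * expected to stay at zero throughout.
     */
    @Test
    public void verifyDynamicMetadata() {
        CriteriaSet firstEntity = getCriteriaFor("urn:mace:incommon:internet2.edu");
        SamlRegisteredService service = newServiceWithMetadata("Example", ".+", UrlResourceMetadataResolverTests.MDQ_URL);
        SamlRegisteredServiceDefaultCachingMetadataResolver resolver = getResolver("PT5S");

        Assertions.assertNotNull(resolver.resolve(service, firstEntity));
        CacheStats afterFirstLoad = resolver.getCacheStatistics();
        Assertions.assertEquals(1L, afterFirstLoad.missCount());
        Assertions.assertEquals(1L, afterFirstLoad.loadSuccessCount());
        Assertions.assertEquals(0L, afterFirstLoad.hitCount());

        Assertions.assertNotNull(resolver.resolve(service, firstEntity));
        CacheStats afterRepeat = resolver.getCacheStatistics();
        Assertions.assertEquals(1L, afterRepeat.missCount());
        Assertions.assertEquals(1L, afterRepeat.loadSuccessCount());
        Assertions.assertEquals(0L, afterRepeat.hitCount());

        Assertions.assertNotNull(resolver.resolve(service, getCriteriaFor("https://vbushib.einsteinmed.org/idp/")));
        CacheStats afterSecondEntity = resolver.getCacheStatistics();
        Assertions.assertEquals(2L, afterSecondEntity.missCount());
        Assertions.assertEquals(2L, afterSecondEntity.loadSuccessCount());
        Assertions.assertEquals(0L, afterSecondEntity.hitCount());
    }

    /**
     * Builds a caching resolver backed by the URL, MDQ and classpath metadata resolvers.
     *
     * <p>Side effect: the cache expiration is written into the {@code casProperties} instance
     * held by the test, so the value stays in place for whatever reads those properties next.
     *
     * @param str cache expiration written via {@code setCacheExpiration}, e.g. {@code "PT1M"}
     * @return a new caching metadata resolver
     */
    private SamlRegisteredServiceDefaultCachingMetadataResolver getResolver(String str) {
        DefaultSamlRegisteredServiceMetadataResolutionPlan plan = new DefaultSamlRegisteredServiceMetadataResolutionPlan();
        SamlIdPProperties samlIdp = this.casProperties.getAuthn().getSamlIdp();
        plan.registerMetadataResolver(new UrlResourceMetadataResolver(this.httpClient, samlIdp, this.openSamlConfigBean));
        plan.registerMetadataResolver(new MetadataQueryProtocolMetadataResolver(this.httpClient, samlIdp, this.openSamlConfigBean));
        plan.registerMetadataResolver(new ClasspathResourceMetadataResolver(samlIdp, this.openSamlConfigBean));
        SamlRegisteredServiceMetadataResolverCacheLoader loader =
            new SamlRegisteredServiceMetadataResolverCacheLoader(this.openSamlConfigBean, this.httpClient, plan);
        // The expiration must be set before the caching resolver is constructed below.
        this.casProperties.getAuthn().getSamlIdp().getMetadata().getCore().setCacheExpiration(str);
        return new SamlRegisteredServiceDefaultCachingMetadataResolver(this.casProperties, loader, this.openSamlConfigBean);
    }
}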
