package org.apereo.cas.webauthn.web;

import jakarta.servlet.http.HttpServletRequest;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.services.RegisteredServiceTestUtils;
import org.apereo.cas.util.MockRequestContext;
import org.apereo.cas.util.MockServletContext;
import org.apereo.cas.web.security.BaseWebSecurityTests;
import org.apereo.cas.web.support.WebUtils;
import org.apereo.cas.webauthn.web.flow.BaseWebAuthnWebflowTests;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.MediaType;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors;
import org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.DeferredCsrfToken;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.MvcResult;
import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.result.MockMvcResultMatchers;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.webflow.context.servlet.ServletExternalContext;
import org.springframework.webflow.execution.Action;

@Tag("MFAProvider")
@EnableConfigurationProperties({CasConfigurationProperties.class})
@SpringBootTest(classes = {BaseWebSecurityTests.SharedTestConfiguration.class, BaseWebAuthnWebflowTests.SharedTestConfiguration.class}, properties = {"server.port=8080", "management.endpoints.enabled-by-default=true", "management.endpoints.web.exposure.include=*", "--spring.security.user.name=s#kiooritea", "--spring.security.user.password=p@$$W0rd", "cas.monitor.endpoints.endpoint.env.access=AUTHENTICATED", "cas.monitor.endpoints.endpoint.info.access=ANONYMOUS"}, webEnvironment = SpringBootTest.WebEnvironment.DEFINED_PORT)
/* loaded from: input_file:org/apereo/cas/webauthn/web/WebAuthnControllerMvcTests.class */
class WebAuthnControllerMvcTests {

    @Autowired
    private WebApplicationContext webApplicationContext;

    @Autowired
    @Qualifier("webAuthnCsrfTokenRepository")
    private CsrfTokenRepository csrfTokenRepository;

    @Autowired
    @Qualifier("populateSpringSecurityContextAction")
    private Action populateSecurityContextAction;

    @Autowired
    private SecurityProperties securityProperties;
    private MockMvc mvc;

    WebAuthnControllerMvcTests() {
    }

    @BeforeEach
    public void setup() {
        this.mvc = MockMvcBuilders.webAppContextSetup(this.webApplicationContext).apply(SecurityMockMvcConfigurers.springSecurity()).defaultRequest(MockMvcRequestBuilders.get("/", new Object[0]).contextPath("/cas").accept(new MediaType[]{MediaType.APPLICATION_JSON, MediaType.TEXT_PLAIN}).contentType(MediaType.APPLICATION_JSON)).build();
    }

    @Test
    void verifyRegistrationEndpoint() throws Throwable {
        executeRequest("/register", new MockHttpServletRequest(), true, 403);
        MvcResult fetchAndStoreCsrfToken = fetchAndStoreCsrfToken();
        executeRequest("/register", fetchAndStoreCsrfToken.getRequest(), true, 403);
        populateSecurityContext(executeRequest("/register", fetchAndStoreCsrfToken.getRequest(), true, 403));
        executeRequest("/register", fetchAndStoreCsrfToken.getRequest(), false, 400);
        this.mvc.perform(MockMvcRequestBuilders.get("/cas/actuator/env", new Object[0])).andExpect(MockMvcResultMatchers.status().isUnauthorized());
        this.mvc.perform(MockMvcRequestBuilders.get("/cas/actuator/env", new Object[0]).with(SecurityMockMvcRequestPostProcessors.httpBasic("hello", "world"))).andExpect(MockMvcResultMatchers.status().isUnauthorized());
        this.mvc.perform(MockMvcRequestBuilders.get("/cas/actuator/env", new Object[0]).with(SecurityMockMvcRequestPostProcessors.httpBasic(this.securityProperties.getUser().getName(), this.securityProperties.getUser().getPassword()))).andExpect(MockMvcResultMatchers.status().isOk());
    }

    @Test
    void verifyAuthenticationEndpoint() throws Throwable {
        executeRequest("/authenticate", new MockHttpServletRequest(), false, 403);
        executeRequest("/authenticate", new MockHttpServletRequest(), true, 403);
        executeRequest("/authenticate", fetchAndStoreCsrfToken().getRequest(), true, 200);
    }

    private void populateSecurityContext(MvcResult mvcResult) throws Exception {
        MockRequestContext create = MockRequestContext.create(this.webApplicationContext);
        create.setExternalContext(new ServletExternalContext(new MockServletContext(), mvcResult.getRequest(), mvcResult.getResponse()));
        WebUtils.putAuthentication(RegisteredServiceTestUtils.getAuthentication(), create);
        this.populateSecurityContextAction.execute(create);
    }

    private MvcResult executeRequest(String str, HttpServletRequest httpServletRequest, boolean z, int i) throws Exception {
        CsrfToken csrfToken = getCsrfToken(httpServletRequest);
        MockHttpServletRequestBuilder session = MockMvcRequestBuilders.post("/cas//webauthn" + str, new Object[0]).session(httpServletRequest.getSession());
        if (z) {
            session = session.with(SecurityMockMvcRequestPostProcessors.httpBasic(this.securityProperties.getUser().getName(), this.securityProperties.getUser().getPassword()));
        }
        MockMvc mockMvc = this.mvc;
        MockHttpServletRequestBuilder mockHttpServletRequestBuilder = session;
        Object[] objArr = new Object[1];
        objArr[0] = csrfToken != null ? csrfToken.getToken() : "";
        return mockMvc.perform(mockHttpServletRequestBuilder.header("X-CSRF-TOKEN", objArr)).andExpect(MockMvcResultMatchers.status().is(i)).andReturn();
    }

    private static CsrfToken getCsrfToken(HttpServletRequest httpServletRequest) {
        Object attribute = httpServletRequest.getAttribute(DeferredCsrfToken.class.getName());
        if (attribute != null) {
            return ((DeferredCsrfToken) attribute).get();
        }
        return null;
    }

    private MvcResult fetchAndStoreCsrfToken() throws Exception {
        MvcResult andReturn = this.mvc.perform(MockMvcRequestBuilders.get("/cas/actuator/info", new Object[0])).andExpect(MockMvcResultMatchers.status().isOk()).andReturn();
        this.csrfTokenRepository.saveToken(getCsrfToken(andReturn.getRequest()), andReturn.getRequest(), andReturn.getResponse());
        return andReturn;
    }
}
