package org.apache.nifi.web.security.oidc.logout;

import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Collections;
import java.util.Iterator;
import java.util.UUID;
import org.apache.nifi.web.security.cookie.ApplicationCookieName;
import org.apache.nifi.web.security.logout.LogoutRequest;
import org.apache.nifi.web.security.logout.LogoutRequestManager;
import org.apache.nifi.web.security.oidc.client.web.OidcAuthorizedClient;
import org.apache.nifi.web.security.oidc.client.web.OidcRegistrationProperty;
import org.apache.nifi.web.security.oidc.revocation.TokenRevocationRequest;
import org.apache.nifi.web.security.oidc.revocation.TokenRevocationResponse;
import org.apache.nifi.web.security.oidc.revocation.TokenRevocationResponseClient;
import org.apache.nifi.web.security.oidc.revocation.TokenTypeHint;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.ArgumentCaptor;
import org.mockito.ArgumentMatchers;
import org.mockito.Captor;
import org.mockito.Mock;
import org.mockito.Mockito;
import org.mockito.junit.jupiter.MockitoExtension;
import org.springframework.http.HttpStatus;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;

@ExtendWith({MockitoExtension.class})
/* loaded from: input_file:org/apache/nifi/web/security/oidc/logout/OidcLogoutSuccessHandlerTest.class */
class OidcLogoutSuccessHandlerTest {
    private static final String CLIENT_ID = "client-id";
    private static final String REDIRECT_URI = "http://localhost:8080";
    private static final String AUTHORIZATION_URI = "http://localhost/authorize";
    private static final String TOKEN_URI = "http://localhost/token";
    private static final String REQUEST_URI = "/nifi-api";
    private static final int SERVER_PORT = 8080;
    private static final String ACCESS_TOKEN = "access-token";
    private static final String REFRESH_TOKEN = "refresh-token";

    @Mock
    ClientRegistrationRepository clientRegistrationRepository;

    @Mock
    OAuth2AuthorizedClientRepository authorizedClientRepository;

    @Mock
    Authentication authentication;

    @Mock
    OAuth2AccessToken accessToken;

    @Mock
    OAuth2RefreshToken refreshToken;

    @Mock
    OidcIdToken idToken;

    @Mock
    TokenRevocationResponseClient tokenRevocationResponseClient;

    @Captor
    ArgumentCaptor<TokenRevocationRequest> revocationRequestCaptor;
    MockHttpServletRequest httpServletRequest;
    MockHttpServletResponse httpServletResponse;
    LogoutRequestManager logoutRequestManager;
    OidcLogoutSuccessHandler handler;
    private static final String REQUEST_IDENTIFIER = UUID.randomUUID().toString();
    private static final String USER_IDENTITY = LogoutRequest.class.getSimpleName();
    private static final String END_SESSION_URI = "http://localhost/end_session";
    private static final String ID_TOKEN = "oidc-id-token";
    private static final String REDIRECTED_URL = "http://localhost:8080/nifi/logout-complete";
    private static final String END_SESSION_REDIRECT_URL = String.format("%s?id_token_hint=%s&post_logout_redirect_uri=%s", END_SESSION_URI, ID_TOKEN, REDIRECTED_URL);

    OidcLogoutSuccessHandlerTest() {
    }

    @BeforeEach
    void setHandler() {
        this.logoutRequestManager = new LogoutRequestManager();
        this.handler = new OidcLogoutSuccessHandler(this.logoutRequestManager, this.clientRegistrationRepository, this.authorizedClientRepository, this.tokenRevocationResponseClient);
        this.httpServletRequest = new MockHttpServletRequest();
        this.httpServletRequest.setServerPort(SERVER_PORT);
        this.httpServletResponse = new MockHttpServletResponse();
    }

    @Test
    void testOnLogoutSuccessRequestNotFound() throws IOException {
        setRequestCookie();
        this.handler.onLogoutSuccess(this.httpServletRequest, this.httpServletResponse, this.authentication);
        Assertions.assertEquals(REDIRECTED_URL, this.httpServletResponse.getRedirectedUrl());
    }

    @Test
    void testOnLogoutSuccessRequestFoundEndSessionNotSupported() throws IOException {
        setRequestCookie();
        startLogoutRequest();
        Mockito.when(this.clientRegistrationRepository.findByRegistrationId((String) ArgumentMatchers.eq(OidcRegistrationProperty.REGISTRATION_ID.getProperty()))).thenReturn(getClientRegistrationBuilder().build());
        this.handler.onLogoutSuccess(this.httpServletRequest, this.httpServletResponse, this.authentication);
        Assertions.assertEquals(REDIRECTED_URL, this.httpServletResponse.getRedirectedUrl());
    }

    @Test
    void testOnLogoutSuccessRequestFoundEndSessionSupportedTokenNotFound() throws IOException {
        setRequestCookie();
        startLogoutRequest();
        Mockito.when(this.clientRegistrationRepository.findByRegistrationId((String) ArgumentMatchers.eq(OidcRegistrationProperty.REGISTRATION_ID.getProperty()))).thenReturn(getClientRegistrationBuilder().providerConfigurationMetadata(Collections.singletonMap("end_session_endpoint", END_SESSION_URI)).build());
        this.handler.onLogoutSuccess(this.httpServletRequest, this.httpServletResponse, this.authentication);
        Assertions.assertEquals(REDIRECTED_URL, this.httpServletResponse.getRedirectedUrl());
    }

    @Test
    void testOnLogoutSuccessRequestFoundEndSessionSupportedTokenFound() throws IOException {
        setRequestCookie();
        startLogoutRequest();
        ClientRegistration build = getClientRegistrationBuilder().providerConfigurationMetadata(Collections.singletonMap("end_session_endpoint", END_SESSION_URI)).build();
        Mockito.when(this.clientRegistrationRepository.findByRegistrationId((String) ArgumentMatchers.eq(OidcRegistrationProperty.REGISTRATION_ID.getProperty()))).thenReturn(build);
        Mockito.when(this.idToken.getTokenValue()).thenReturn(ID_TOKEN);
        Mockito.when(this.authorizedClientRepository.loadAuthorizedClient((String) ArgumentMatchers.eq(OidcRegistrationProperty.REGISTRATION_ID.getProperty()), (Authentication) ArgumentMatchers.isA(Authentication.class), (HttpServletRequest) ArgumentMatchers.eq(this.httpServletRequest))).thenReturn(new OidcAuthorizedClient(build, USER_IDENTITY, this.accessToken, this.refreshToken, this.idToken));
        Mockito.when(this.tokenRevocationResponseClient.getRevocationResponse((TokenRevocationRequest) ArgumentMatchers.any())).thenReturn(new TokenRevocationResponse(true, HttpStatus.OK.value()));
        Mockito.when(this.accessToken.getTokenValue()).thenReturn(ACCESS_TOKEN);
        Mockito.when(this.refreshToken.getTokenValue()).thenReturn(REFRESH_TOKEN);
        this.handler.onLogoutSuccess(this.httpServletRequest, this.httpServletResponse, this.authentication);
        Assertions.assertEquals(END_SESSION_REDIRECT_URL, this.httpServletResponse.getRedirectedUrl());
        ((OAuth2AuthorizedClientRepository) Mockito.verify(this.authorizedClientRepository)).removeAuthorizedClient((String) ArgumentMatchers.eq(OidcRegistrationProperty.REGISTRATION_ID.getProperty()), (Authentication) ArgumentMatchers.any(), (HttpServletRequest) ArgumentMatchers.eq(this.httpServletRequest), (HttpServletResponse) ArgumentMatchers.eq(this.httpServletResponse));
        ((TokenRevocationResponseClient) Mockito.verify(this.tokenRevocationResponseClient, Mockito.times(2))).getRevocationResponse((TokenRevocationRequest) this.revocationRequestCaptor.capture());
        Iterator it = this.revocationRequestCaptor.getAllValues().iterator();
        TokenRevocationRequest tokenRevocationRequest = (TokenRevocationRequest) it.next();
        Assertions.assertEquals(TokenTypeHint.REFRESH_TOKEN.getHint(), tokenRevocationRequest.getTokenTypeHint());
        Assertions.assertEquals(REFRESH_TOKEN, tokenRevocationRequest.getToken());
        TokenRevocationRequest tokenRevocationRequest2 = (TokenRevocationRequest) it.next();
        Assertions.assertEquals(TokenTypeHint.ACCESS_TOKEN.getHint(), tokenRevocationRequest2.getTokenTypeHint());
        Assertions.assertEquals(ACCESS_TOKEN, tokenRevocationRequest2.getToken());
    }

    void setRequestCookie() {
        this.httpServletRequest.setCookies(new Cookie[]{new Cookie(ApplicationCookieName.LOGOUT_REQUEST_IDENTIFIER.getCookieName(), REQUEST_IDENTIFIER)});
        this.httpServletRequest.setRequestURI(REQUEST_URI);
    }

    void startLogoutRequest() {
        this.logoutRequestManager.start(new LogoutRequest(REQUEST_IDENTIFIER, USER_IDENTITY));
    }

    ClientRegistration.Builder getClientRegistrationBuilder() {
        return ClientRegistration.withRegistrationId(OidcRegistrationProperty.REGISTRATION_ID.getProperty()).authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE).clientId(CLIENT_ID).redirectUri(REDIRECT_URI).authorizationUri(AUTHORIZATION_URI).tokenUri(TOKEN_URI);
    }
}
