package com.atlassian.asap.it;

import com.atlassian.asap.api.Jwt;
import com.atlassian.asap.api.JwtBuilder;
import com.atlassian.asap.api.SigningAlgorithm;
import com.atlassian.asap.core.client.http.AuthorizationHeaderGeneratorImpl;
import com.atlassian.asap.core.keys.KeyProvider;
import com.atlassian.asap.core.keys.PemReader;
import com.atlassian.asap.core.keys.publickey.ClasspathPublicKeyProvider;
import java.io.IOException;
import java.net.URI;
import java.security.PublicKey;
import java.util.Optional;
import javax.annotation.Nullable;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.utils.HttpClientUtils;
import org.apache.http.impl.client.HttpClients;
import org.hamcrest.Matchers;
import org.junit.After;
import org.junit.Assert;
import org.junit.Test;

/* loaded from: input_file:com/atlassian/asap/it/BaseIntegrationTest.class */
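/**
 * Shared integration tests for a resource server that authenticates requests with
 * ASAP (JWT bearer) tokens.
 *
 * <p>Subclasses supply the URL of the server under test through
 * {@link #getUrlForResourceName(String)}. Each test sends one GET request and checks only
 * the HTTP status code: 200 for an accepted token, 401 when the request cannot be
 * authenticated, and 403 when the token is accepted but the issuer or subject is not
 * authorized.
 *
 * <p>Tokens are signed with the test private keys found under
 * {@code classpath:///privatekeys/}. These are fixtures and must never be reused outside tests.
 *
 * <p>NOTE(review): none of the cases visible here covers a wrong audience, an expired
 * token, or a token whose signature does not match its content. Confirm those
 * rejections are exercised elsewhere before relying on this suite as the only check of
 * the server's validation.
 */
public abstract class BaseIntegrationTest {
    protected static final String AUDIENCE = "test-resource-server";
    protected static final String ISSUER1 = "issuer1";
    protected static final String ISSUER2 = "issuer2";
    protected static final String ISSUER1_RSA_KEY_ID = "issuer1/rsa-key-for-tests";
    protected static final String ISSUER1_EC_KEY_ID = "issuer1/es256-key-for-tests";
    // Presumably a key id for which only the private half is published; verify against the key fixtures.
    protected static final String ISSUER1_ONLY_PRIV_KEY_RSA_KEY_ID = "issuer1/only-private-key-for-tests";
    protected static final String ISSUER2_RSA_KEY_ID = "issuer2/rsa-key-for-tests";
    // Not used in this class; presumably available for subclasses that configure the server under test.
    protected static final KeyProvider<PublicKey> PUBLIC_KEY_PROVIDER = new ClasspathPublicKeyProvider("/publickeyrepo/", new PemReader());
    protected static final String RESOURCE = "resource";
    protected static final String UNAUTHORIZED_SUBJECT = "unauthorized-subject";

    // JUnit 4 creates a new test-class instance per test method, so each test gets its own
    // client, which is closed again in shutdownHttpClient().
    private final HttpClient httpClient = HttpClients.createDefault();

    /**
     * Returns the absolute URL at which the server under test exposes the named resource.
     *
     * @param resourceName logical name of the resource, e.g. {@link #RESOURCE}
     * @return the URL to send the GET request to
     */
    protected abstract URI getUrlForResourceName(String resourceName);

    /** Releases the HTTP client, and with it any connection a test left open. */
    @After
    public void shutdownHttpClient() {
        HttpClientUtils.closeQuietly(this.httpClient);
    }

    /**
     * Signs the given token with the matching test private key and renders it as an
     * {@code Authorization} header value.
     *
     * @param jwt the unsigned token prototype
     * @return the header value to send
     * @throws Exception if the header cannot be generated (for example, no private key for the key id)
     */
    private String generateAuthorizationHeader(Jwt jwt) throws Exception {
        URI privateKeyBase = URI.create("classpath:///privatekeys/");
        return AuthorizationHeaderGeneratorImpl.createDefault(privateKeyBase).generateAuthorizationHeader(jwt);
    }

    /**
     * Sends a GET request for the resource, authenticated with a freshly signed token.
     *
     * @param resourceName logical name of the resource
     * @param jwt the unsigned token prototype
     * @return the server's response
     * @throws Exception if signing or the HTTP exchange fails
     */
    private HttpResponse executeRequestWithJwt(String resourceName, Jwt jwt) throws Exception {
        return executeRequestWithAuthorization(resourceName, generateAuthorizationHeader(jwt));
    }

    /**
     * Sends a GET request for the resource with the given raw {@code Authorization} header.
     *
     * @param resourceName logical name of the resource
     * @param authorizationHeader header value to send, or {@code null} to send no
     *     {@code Authorization} header at all
     * @return the server's response
     * @throws IOException if the HTTP exchange fails
     */
    private HttpResponse executeRequestWithAuthorization(String resourceName, @Nullable String authorizationHeader) throws IOException {
        HttpGet request = new HttpGet(getUrlForResourceName(resourceName));
        // HttpClient's setHeader accepts a null value and still adds the header (with an empty
        // value). Skip the call so the "no header" case really sends a request without one
        // and exercises the server's missing-credentials path.
        if (authorizationHeader != null) {
            request.setHeader("Authorization", authorizationHeader);
        }
        return this.httpClient.execute(request);
    }

    /** A request carrying no credentials must be answered with 401. */
    @Test
    public void shouldRejectRequestWithoutAuthenticationHeader() throws Exception {
        assertUnauthorized(executeRequestWithAuthorization(RESOURCE, null));
    }

    /** A non-bearer authentication scheme must not be accepted in place of a token. */
    @Test
    public void shouldRejectRequestWithBasicAuth() throws Exception {
        assertUnauthorized(executeRequestWithAuthorization(RESOURCE, "Basic foobar"));
    }

    /** A bearer value that is not a JWT must be answered with 401. */
    @Test
    public void shouldRejectRequestWithMalformedToken() throws Exception {
        assertUnauthorized(executeRequestWithAuthorization(RESOURCE, "Bearer this-is-not-jwt"));
    }

    /** Uses the builder's default algorithm with the RSA key (RS256, per the test name). */
    @Test
    public void shouldAcceptRequestWithValidRS256Token() throws Exception {
        Jwt jwt = JwtBuilder.newJwt()
                .keyId(ISSUER1_RSA_KEY_ID)
                .issuer(ISSUER1)
                .audience(new String[]{AUDIENCE})
                .build();
        assertOk(executeRequestWithJwt(RESOURCE, jwt));
    }

    /** Same RSA key as the RS256 case, but signed with PS256. */
    @Test
    public void shouldAcceptRequestWithValidPS256Token() throws Exception {
        Jwt jwt = JwtBuilder.newJwt()
                .algorithm(SigningAlgorithm.PS256)
                .keyId(ISSUER1_RSA_KEY_ID)
                .issuer(ISSUER1)
                .audience(new String[]{AUDIENCE})
                .build();
        assertOk(executeRequestWithJwt(RESOURCE, jwt));
    }

    /** Signed with the issuer's elliptic-curve key using ES256. */
    @Test
    public void shouldAcceptRequestWithValidES256Token() throws Exception {
        Jwt jwt = JwtBuilder.newJwt()
                .algorithm(SigningAlgorithm.ES256)
                .keyId(ISSUER1_EC_KEY_ID)
                .issuer(ISSUER1)
                .audience(new String[]{AUDIENCE})
                .build();
        assertOk(executeRequestWithJwt(RESOURCE, jwt));
    }

    /** A token from an accepted issuer but with a subject the server does not authorize yields 403. */
    @Test
    public void shouldRejectRequestWithUnauthorizedSubject() throws Exception {
        Jwt jwt = JwtBuilder.newJwt()
                .keyId(ISSUER1_RSA_KEY_ID)
                .issuer(ISSUER1)
                .audience(new String[]{AUDIENCE})
                .subject(Optional.of(UNAUTHORIZED_SUBJECT))
                .build();
        assertForbidden(executeRequestWithJwt(RESOURCE, jwt));
    }

    /**
     * The token is signed with a private key whose public counterpart the server is expected
     * not to find, so the signature cannot be verified and the request must get 401.
     */
    @Test
    public void shouldRejectRequestIfPublicKeyCannotBeFound() throws Exception {
        Jwt jwt = JwtBuilder.newJwt()
                .keyId(ISSUER1_ONLY_PRIV_KEY_RSA_KEY_ID)
                .issuer(ISSUER1)
                .audience(new String[]{AUDIENCE})
                .build();
        assertUnauthorized(executeRequestWithJwt(RESOURCE, jwt));
    }

    /**
     * A token issued and signed by issuer2 that names issuer1 as its subject must yield 403:
     * claiming another principal as subject must not grant that principal's access.
     */
    @Test
    public void shouldRejectRequestWithUnauthorizedIssuer() throws Exception {
        Jwt jwt = JwtBuilder.newJwt()
                .keyId(ISSUER2_RSA_KEY_ID)
                .issuer(ISSUER2)
                .audience(new String[]{AUDIENCE})
                .subject(Optional.of(ISSUER1))
                .build();
        assertForbidden(executeRequestWithJwt(RESOURCE, jwt));
    }

    /** Asserts that the response status is 200 OK. */
    private static void assertOk(HttpResponse httpResponse) {
        assertStatus(httpResponse, 200);
    }

    /** Asserts that the response status is 401 Unauthorized (authentication failed). */
    private static void assertUnauthorized(HttpResponse httpResponse) {
        assertStatus(httpResponse, 401);
    }

    /** Asserts that the response status is 403 Forbidden (authenticated but not authorized). */
    private static void assertForbidden(HttpResponse httpResponse) {
        assertStatus(httpResponse, 403);
    }

    /** Asserts that the response carries exactly the expected HTTP status code. */
    private static void assertStatus(HttpResponse httpResponse, int expectedStatus) {
        Assert.assertThat(httpResponse.getStatusLine().getStatusCode(), Matchers.is(expectedStatus));
    }
}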
