package com.vmware.xenon.common;

import com.vmware.xenon.common.Claims;
import com.vmware.xenon.common.Operation;
import com.vmware.xenon.common.Service;
import com.vmware.xenon.common.test.VerificationHost;
import com.vmware.xenon.services.common.GuestUserService;
import com.vmware.xenon.services.common.QueryTask;
import com.vmware.xenon.services.common.ResourceGroupService;
import com.vmware.xenon.services.common.RoleService;
import com.vmware.xenon.services.common.ServiceUriPaths;
import com.vmware.xenon.services.common.UserGroupService;
import com.vmware.xenon.services.common.UserService;
import java.net.URI;
import java.security.GeneralSecurityException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import org.junit.Assert;
import org.junit.Test;

/* loaded from: input_file:com/vmware/xenon/common/TestAuthorizationContext.class */
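/**
 * Exercises how an {@link Operation.AuthorizationContext} travels through a host that has
 * authorization enabled: from a client operation into a service handler, into operations the
 * handler creates, through an {@link OperationJoin}, and onto a foreign thread pool driven via
 * {@code host.run}.
 *
 * <p>The nested services are test fixtures only. {@link SetAuthorizationContextTestService}
 * signs whatever claims a caller posts with the host's token signer and installs the result as
 * the request's context. That is acceptable here solely because the host confines
 * {@code setAuthorizationContext} and {@code getTokenSigner} to privileged services (see
 * {@link #privilegedServiceAuthContextCheck()}); a service with that behaviour must never be
 * registered outside a test.
 */
public class TestAuthorizationContext extends BasicTestCase {

    /** Query parameter carrying the subject a fixture expects the inbound context to name. */
    private static final String SUBJECT_PARAM = "subject";

    /**
     * Verifies, both on start and on GET, that an operation created inside the handler inherits
     * the caller's authorization context, that its claims name the subject given in the
     * {@code subject} query parameter, and that the claims carry at least one property.
     */
    public static class ClaimsVerificationService extends StatelessService {
        public static final String SELF_LINK = "/claims-verification";

        /** Authorization is bypassed: the checks in the handlers are what this fixture tests. */
        @Override
        public void authorizeRequest(Operation operation) {
            operation.complete();
        }

        @Override
        public void handleStart(Operation operation) {
            if (verifyNewOperationHasSubject(operation)) {
                operation.complete();
            }
        }

        @Override
        public void handleGet(Operation operation) {
            if (verifyNewOperationHasSubject(operation)) {
                operation.complete();
            }
        }

        /**
         * Creates a fresh GET from within this handler and inspects the context it picked up.
         *
         * @param operation the inbound request; failed with an {@link IllegalStateException}
         *     when any check does not hold
         * @return {@code true} when the new operation carries the expected claims,
         *     {@code false} after {@code operation} has been failed
         */
        private boolean verifyNewOperationHasSubject(Operation operation) {
            String expectedSubject =
                    (String) UriUtils.parseUriQueryParams(operation.getUri()).get(SUBJECT_PARAM);
            // The new operation is never sent; only the context it inherits from the thread
            // handling the inbound request matters.
            Operation.AuthorizationContext ctx =
                    Operation.createGet(this, "/not-important").getAuthorizationContext();
            if (ctx == null) {
                operation.fail(new IllegalStateException("ctx == null"));
                return false;
            }
            Claims claims = ctx.getClaims();
            if (claims == null) {
                operation.fail(new IllegalStateException("claims == null"));
                return false;
            }
            // A request that omitted the query parameter counts as a mismatch rather than an NPE.
            if (expectedSubject == null || !expectedSubject.equals(claims.getSubject())) {
                operation.fail(new IllegalStateException("subject mismatch"));
                return false;
            }
            Map<String, String> properties = claims.getProperties();
            if (properties == null || properties.isEmpty()) {
                operation.fail(new IllegalStateException("properties empty"));
                return false;
            }
            return true;
        }
    }

    /**
     * Mints an authorization context from posted claims and reports the context a later GET
     * arrives with.
     *
     * <p>POST: signs the posted {@link Claims} with the host's token signer, installs the result
     * on the operation with {@code propagateToClient} set, and completes. GET: returns the claims
     * of the inbound context, failing unless the subject is a user (or, when the
     * {@value #EXPECT_USER_CONTEXT} query parameter is not {@code true}, the guest user).
     *
     * <p>Because it signs caller-supplied claims it must only ever run as a privileged service
     * under test; the host rejects the signer call otherwise.
     */
    public static class SetAuthorizationContextTestService extends StatelessService {
        public static final String SELF_LINK = "/set-authorization-context-test";
        public static final String EXPECT_USER_CONTEXT = "expectUserContext";

        @Override
        public void authorizeRequest(Operation operation) {
            operation.complete();
        }

        @Override
        public void handleRequest(Operation operation) {
            switch (operation.getAction()) {
            case POST:
                handleSetAuthorizationContext(operation);
                break;
            case GET:
                handleGetAuthorizationContext(operation);
                break;
            default:
                operation.fail(new IllegalArgumentException(
                        "unsupported action " + operation.getAction()));
            }
        }

        /** Signs the posted claims and installs them as this operation's context. */
        private void handleSetAuthorizationContext(Operation operation) {
            Claims claims = operation.getBody(Claims.class);
            try {
                String token = getTokenSigner().sign(claims);
                Operation.AuthorizationContext.Builder builder =
                        Operation.AuthorizationContext.Builder.create();
                builder.setClaims(claims);
                builder.setToken(token);
                // Asks the runtime to hand the new context back to the remote caller too; the
                // enclosing test's name suggests this is what yields the client cookie — confirm.
                builder.setPropagateToClient(true);
                setAuthorizationContext(operation, builder.getResult());
                operation.complete();
            } catch (Exception e) {
                // Signing and installing are host-guarded calls; a rejection must fail the
                // request rather than leave it pending.
                operation.fail(e);
            }
        }

        /** Returns the claims of the inbound context after checking whose they are. */
        private void handleGetAuthorizationContext(Operation operation) {
            Operation.AuthorizationContext ctx = operation.getAuthorizationContext();
            if (ctx == null) {
                operation.fail(new IllegalStateException("ctx == null"));
                return;
            }
            Claims claims = ctx.getClaims();
            if (claims == null) {
                operation.fail(new IllegalStateException("claims == null"));
                return;
            }
            // parseBoolean tolerates a missing parameter (treated as false).
            boolean expectUser = Boolean.parseBoolean((String) UriUtils
                    .parseUriQueryParams(operation.getUri()).get(EXPECT_USER_CONTEXT));
            boolean isGuest = GuestUserService.SELF_LINK.equals(claims.getSubject());
            if (expectUser == isGuest) {
                // Fail the request instead of throwing an AssertionError out of the handler, so
                // the remote caller sees a clean failure and the test reports it.
                operation.fail(new IllegalStateException("expected "
                        + (expectUser ? "a user" : "the guest") + " subject, got "
                        + claims.getSubject()));
                return;
            }
            operation.setBody(claims).complete();
        }
    }

    /**
     * Invokes the two host-guarded calls, {@code setAuthorizationContext} and
     * {@code getTokenSigner}, so a test can observe whether the host lets this service use them.
     */
    public static class WhitelistAuthorizationContextTestService extends StatelessService {
        public static final String SELF_LINK = "/whitelist-authorization-context-test";

        @Override
        public void authorizeRequest(Operation operation) {
            operation.complete();
        }

        @Override
        public void handleGet(Operation operation) {
            if (testWhitelistedFunctions(operation)) {
                operation.complete();
            }
        }

        /**
         * @return {@code true} when both guarded calls succeed; {@code false} after failing
         *     {@code operation} with whatever the host threw
         */
        private boolean testWhitelistedFunctions(Operation operation) {
            try {
                setAuthorizationContext(operation, getSystemAuthorizationContext());
                getTokenSigner();
                return true;
            } catch (Exception e) {
                operation.fail(e);
                return false;
            }
        }
    }

    /** Every test in this class runs against a host that enforces authorization. */
    @Override
    public void beforeHostStart(VerificationHost verificationHost) {
        verificationHost.setAuthorizationEnabled(true);
    }

    /**
     * Builds a signed user context for {@code userName} under
     * {@link ServiceUriPaths#CORE_AUTHZ_USERS}.
     *
     * <p>The claims carry issuer {@code xn}, a one-hour expiry and a single property, so that
     * {@link ClaimsVerificationService} has something non-empty to check.
     *
     * @param userName the user's name; appended to the users factory path to form the subject
     * @param verificationHost host whose token signer signs the claims
     * @return a context holding the claims and their signed token
     * @throws GeneralSecurityException if the host's token signer cannot sign the claims
     */
    Operation.AuthorizationContext createAuthorizationContext(String userName,
            VerificationHost verificationHost) throws GeneralSecurityException {
        Map<String, String> properties = new HashMap<>();
        properties.put("hello", "world");
        Claims.Builder builder = new Claims.Builder();
        builder.setIssuer("xn");
        builder.setSubject(UriUtils.buildUriPath(ServiceUriPaths.CORE_AUTHZ_USERS, userName));
        builder.setExpirationTime(Utils.fromNowMicrosUtc(TimeUnit.HOURS.toMicros(1)));
        builder.setProperties(properties);
        Claims claims = builder.getResult();
        Operation.AuthorizationContext.Builder ctxBuilder =
                Operation.AuthorizationContext.Builder.create();
        ctxBuilder.setClaims(claims);
        ctxBuilder.setToken(verificationHost.getTokenSigner().sign(claims));
        return ctxBuilder.getResult();
    }

    /**
     * URI of {@code servicePath} on the host, with the context's subject as the
     * {@code subject} query parameter that {@link ClaimsVerificationService} checks.
     */
    private URI claimsUri(String servicePath, Operation.AuthorizationContext ctx) {
        return UriUtils.extendUriWithQuery(UriUtils.buildUri(this.host, servicePath),
                SUBJECT_PARAM, ctx.getClaims().getSubject());
    }

    /** Registers and starts the set-context fixture as a privileged service, under the system context. */
    private void startPrivilegedSetContextService() throws Throwable {
        this.host.setSystemAuthorizationContext();
        try {
            this.host.addPrivilegedService(SetAuthorizationContextTestService.class);
            this.host.startServiceAndWait(SetAuthorizationContextTestService.class,
                    SetAuthorizationContextTestService.SELF_LINK);
        } finally {
            this.host.resetAuthorizationContext();
        }
    }

    /**
     * A context set explicitly on the start operation, and on a remote GET, must reach the
     * handler and be inherited by operations the handler creates.
     */
    @Test
    public void testPropagation() throws Throwable {
        String user = "unnamed-user@test.com";
        Operation.AuthorizationContext ctx = createAuthorizationContext(user, this.host);
        provisionUser(user, ClaimsVerificationService.SELF_LINK);
        URI uri = claimsUri(ClaimsVerificationService.SELF_LINK, ctx);

        Operation start = Operation.createPost(uri).setCompletion(this.host.getCompletion());
        start.setAuthorizationContext(ctx);
        this.host.testStart(1L);
        this.host.startService(start, new ClaimsVerificationService());
        this.host.testWait();

        Operation get = Operation.createGet(uri).setCompletion(this.host.getCompletion());
        get.setAuthorizationContext(ctx);
        get.forceRemote();
        this.host.testStart(1L);
        this.host.send(get);
        this.host.testWait();
    }

    /**
     * After a privileged service installs a context with {@code propagateToClient} on a remote
     * POST, a subsequent remote GET from this host's client must arrive carrying that user's
     * subject rather than the guest's.
     */
    @Test
    public void internalAuthorizationContextSetsCookie() throws Throwable {
        String user = "test-subject@test.com";
        startPrivilegedSetContextService();
        provisionUser(user, SetAuthorizationContextTestService.SELF_LINK);

        Claims.Builder builder = new Claims.Builder();
        builder.setSubject(UriUtils.buildUriPath(ServiceUriPaths.CORE_AUTHZ_USERS, user));
        builder.setExpirationTime(Utils.fromNowMicrosUtc(TimeUnit.HOURS.toMicros(1)));
        Claims claims = builder.getResult();

        URI serviceUri = UriUtils.buildUri(this.host, SetAuthorizationContextTestService.SELF_LINK);
        this.host.testStart(1L);
        this.host.send(Operation.createPost(serviceUri)
                .setBody(claims)
                .setCompletion(this.host.getCompletion())
                .forceRemote());
        this.host.testWait();

        URI expectUserUri = UriUtils.extendUriWithQuery(serviceUri,
                SetAuthorizationContextTestService.EXPECT_USER_CONTEXT, "true");
        this.host.testStart(1L);
        this.host.send(Operation.createGet(expectUserUri).setCompletion((op, failure) -> {
            if (failure != null) {
                this.host.failIteration(failure);
                return;
            }
            String received = op.getBody(Claims.class).getSubject();
            if (claims.getSubject().equals(received)) {
                this.host.completeIteration();
            } else {
                this.host.failIteration(new IllegalStateException("subject mismatch"));
            }
        }).forceRemote());
        this.host.testWait();
    }

    /**
     * A context whose claims have already expired (expiration time 0) must not be honoured on
     * later requests: the GET that follows the POST must arrive as the guest user.
     */
    @Test
    public void testExpiredAuthorizationContext() throws Throwable {
        startPrivilegedSetContextService();
        provisionUser("test-subject@test.com", SetAuthorizationContextTestService.SELF_LINK);

        Claims.Builder builder = new Claims.Builder();
        builder.setSubject("test-subject");
        builder.setExpirationTime(0L);
        Claims expiredClaims = builder.getResult();

        URI serviceUri = UriUtils.buildUri(this.host, SetAuthorizationContextTestService.SELF_LINK);
        this.host.testStart(1L);
        this.host.send(Operation.createPost(serviceUri)
                .setBody(expiredClaims)
                .setCompletion(this.host.getCompletion())
                .forceRemote());
        this.host.testWait();

        URI expectGuestUri = UriUtils.extendUriWithQuery(serviceUri,
                SetAuthorizationContextTestService.EXPECT_USER_CONTEXT, "false");
        this.host.testStart(1L);
        this.host.send(Operation.createGet(expectGuestUri)
                .setCompletion(this.host.getCompletion())
                .forceRemote());
        this.host.testWait();
    }

    /**
     * The host-guarded calls must fail for an ordinary service and succeed once the same
     * service class has been added as a privileged service.
     */
    @Test
    public void privilegedServiceAuthContextCheck() throws Throwable {
        this.host.setSystemAuthorizationContext();
        try {
            this.host.startServiceAndWait(WhitelistAuthorizationContextTestService.class,
                    WhitelistAuthorizationContextTestService.SELF_LINK);
        } finally {
            this.host.resetAuthorizationContext();
        }
        URI serviceUri = UriUtils.buildUri(this.host, WhitelistAuthorizationContextTestService.SELF_LINK);

        // Not yet privileged: the guarded calls must throw and the GET must fail.
        this.host.testStart(1L);
        this.host.send(Operation.createGet(serviceUri).setCompletion((op, failure) -> {
            if (failure == null) {
                this.host.failIteration(new IllegalStateException(
                        "Whitelist functions failed to throw exception"));
            } else {
                this.host.completeIteration();
            }
        }).forceRemote());
        this.host.testWait();

        // Privileged: the same GET must now succeed.
        this.host.addPrivilegedService(WhitelistAuthorizationContextTestService.class);
        this.host.testStart(1L);
        this.host.send(Operation.createGet(serviceUri).setCompletion((op, failure) -> {
            if (failure != null) {
                this.host.failIteration(new IllegalStateException(
                        "Whitelist functions threw an exception on whitelisted service"));
            } else {
                this.host.completeIteration();
            }
        }).forceRemote());
        this.host.testWait();
    }

    /** Builds a single-term query matching {@code propertyName} exactly against {@code value}. */
    private static QueryTask.Query termQuery(String propertyName, String value) {
        QueryTask.Query query = new QueryTask.Query();
        query.setTermPropertyName(propertyName);
        query.setTermMatchType(QueryTask.QueryTerm.MatchType.TERM);
        query.setTermMatchValue(value);
        return query;
    }

    /** A POST of {@code body} to {@code factoryPath} on the host, completed through the test harness. */
    private Operation postTo(String factoryPath, Object body) {
        return Operation.createPost(UriUtils.buildUri(this.host, factoryPath))
                .setBody(body)
                .setCompletion(this.host.getCompletion());
    }

    /**
     * Creates a user, a user group selecting that user by e-mail, a resource group selecting
     * {@code resourceLink} by self link, and an ALLOW role granting the group GET and POST on
     * it. All four documents are posted under the system context.
     *
     * @param email the user's e-mail; also used as the user document's self link and as the
     *     prefix of the two group document links
     * @param resourceLink the document self link the role grants access to
     */
    private void provisionUser(String email, String resourceLink) throws Throwable {
        UserService.UserState user = new UserService.UserState();
        user.email = email;
        user.documentSelfLink = email;

        UserGroupService.UserGroupState userGroup = new UserGroupService.UserGroupState();
        userGroup.documentSelfLink = email + "-user-group";
        userGroup.query = termQuery("email", user.email);

        ResourceGroupService.ResourceGroupState resourceGroup =
                new ResourceGroupService.ResourceGroupState();
        resourceGroup.documentSelfLink = email + "-resource-group";
        resourceGroup.query = new QueryTask.Query();
        resourceGroup.query.addBooleanClause(termQuery("documentSelfLink", resourceLink));

        RoleService.RoleState role = new RoleService.RoleState();
        role.userGroupLink = UriUtils.buildUriPath(
                ServiceUriPaths.CORE_AUTHZ_USER_GROUPS, userGroup.documentSelfLink);
        role.resourceGroupLink = UriUtils.buildUriPath(
                ServiceUriPaths.CORE_AUTHZ_RESOURCE_GROUPS, resourceGroup.documentSelfLink);
        role.verbs = new HashSet<>();
        role.verbs.add(Service.Action.GET);
        role.verbs.add(Service.Action.POST);
        role.policy = RoleService.Policy.ALLOW;

        // The authz factories are written under the system context; clear it again even if a
        // post fails, so the calling thread does not keep system rights into the next test.
        OperationContext.setAuthorizationContext(this.host.getSystemAuthorizationContext());
        try {
            this.host.testStart(4L);
            this.host.send(postTo(ServiceUriPaths.CORE_AUTHZ_USERS, user));
            this.host.send(postTo(ServiceUriPaths.CORE_AUTHZ_USER_GROUPS, userGroup));
            this.host.send(postTo(ServiceUriPaths.CORE_AUTHZ_RESOURCE_GROUPS, resourceGroup));
            this.host.send(postTo(ServiceUriPaths.CORE_AUTHZ_ROLES, role));
            this.host.testWait();
        } finally {
            OperationContext.setAuthorizationContext((Operation.AuthorizationContext) null);
        }
    }

    /**
     * Each operation in an {@link OperationJoin} must run its completion under the context set
     * on that operation, while the join's own completion runs under the sender's context (the
     * system user here).
     */
    @Test
    public void testOperationJoin() throws Throwable {
        String user1 = "user1@test.com";
        String user2 = "user2@test.com";
        Operation.AuthorizationContext ctx1 = createAuthorizationContext(user1, this.host);
        provisionUser(user1, "/claims-1");
        Operation.AuthorizationContext ctx2 = createAuthorizationContext(user2, this.host);
        provisionUser(user2, "/claims-2");
        URI uri1 = claimsUri("/claims-1", ctx1);
        URI uri2 = claimsUri("/claims-2", ctx2);

        // The subject each operation was sent with is recovered from its own query string and
        // compared with the context current on the completing thread.
        Operation.CompletionHandler perOperationCheck = (op, failure) -> {
            if (failure != null) {
                this.host.failIteration(failure);
                return; // do not complete the same iteration a second time below
            }
            String expected = (String) UriUtils.parseUriQueryParams(op.getUri()).get(SUBJECT_PARAM);
            Operation.AuthorizationContext current = OperationContext.getAuthorizationContext();
            if (current == null) {
                this.host.failIteration(new IllegalStateException("auth context is null"));
                return;
            }
            if (current.getClaims().getSubject().equals(expected)) {
                this.host.completeIteration();
            } else {
                this.host.failIteration(new IllegalStateException("subject mismatch"));
            }
        };

        Operation start1 = Operation.createPost(uri1).setCompletion(perOperationCheck);
        start1.setAuthorizationContext(ctx1);
        Operation start2 = Operation.createPost(uri2).setCompletion(perOperationCheck);
        start2.setAuthorizationContext(ctx2);
        this.host.testStart(2L);
        this.host.startService(start1, new ClaimsVerificationService());
        this.host.startService(start2, new ClaimsVerificationService());
        this.host.testWait();

        Operation get1 = Operation.createGet(uri1)
                .setCompletion(perOperationCheck)
                .setReferer(this.host.getReferer());
        get1.setAuthorizationContext(ctx1);
        Operation get2 = Operation.createGet(uri2)
                .setCompletion(perOperationCheck)
                .setReferer(this.host.getReferer());
        get2.setAuthorizationContext(ctx2);

        this.host.setSystemAuthorizationContext();
        try {
            OperationJoin perOperationJoin = OperationJoin.create(get1, get2);
            this.host.testStart(2L);
            perOperationJoin.sendWith(this.host);
            this.host.testWait();

            // The same operations are joined again; the join-level completion must see the
            // sender's (system) context, not either operation's.
            OperationJoin joinLevel = OperationJoin.create(get1, get2);
            joinLevel.setCompletion((ops, failures) -> {
                Operation.AuthorizationContext current = OperationContext.getAuthorizationContext();
                if (current == null) {
                    this.host.failIteration(new IllegalStateException("auth context is null"));
                    return;
                }
                if (ServiceUriPaths.CORE_AUTHZ_SYSTEM_USER.equals(current.getClaims().getSubject())) {
                    this.host.completeIteration();
                } else {
                    this.host.failIteration(new IllegalStateException("subject mismatch"));
                }
            });
            this.host.testStart(1L);
            joinLevel.sendWith(this.host);
            this.host.testWait();
        } finally {
            this.host.resetSystemAuthorizationContext();
        }
    }

    /**
     * A runnable submitted through {@code host.run} to a foreign executor must observe the
     * authorization context of the submitting thread.
     */
    @Test
    public void testAuthPropForThreadPool() throws Throwable {
        String user = "user1@test.com";
        ExecutorService pool = Executors.newFixedThreadPool(2);
        OperationContext.setAuthorizationContext(createAuthorizationContext(user, this.host));
        try {
            this.host.testStart(1L);
            this.host.run(pool, () -> {
                Operation.AuthorizationContext current = OperationContext.getAuthorizationContext();
                if (current == null) {
                    this.host.failIteration(new IllegalStateException("auth context is null"));
                    return;
                }
                String subject = current.getClaims().getSubject();
                if (subject.endsWith(user)) {
                    this.host.completeIteration();
                } else {
                    this.host.failIteration(new IllegalStateException(
                            "expected subject for " + user + ", received " + subject));
                }
            });
            this.host.testWait();
        } finally {
            // Both would otherwise outlive the test: the user context on this thread, and the
            // pool's threads in the JVM.
            OperationContext.setAuthorizationContext((Operation.AuthorizationContext) null);
            pool.shutdownNow();
        }
    }
}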
