package org.sonar.server.authentication;

import com.google.common.collect.ImmutableMap;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import javax.annotation.Nullable;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.assertj.core.api.Java6Assertions;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.mockito.Matchers;
import org.mockito.Mockito;
import org.sonar.api.config.MapSettings;
import org.sonar.api.config.Settings;
import org.sonar.api.utils.System2;
import org.sonar.api.utils.internal.AlwaysIncreasingSystem2;
import org.sonar.core.util.stream.MoreCollectors;
import org.sonar.db.DbTester;
import org.sonar.db.user.GroupDto;
import org.sonar.db.user.UserDto;
import org.sonar.db.user.UserTesting;
import org.sonar.server.authentication.JwtHttpHandler;
import org.sonar.server.authentication.event.AuthenticationEvent;
import org.sonar.server.authentication.event.AuthenticationExceptionMatcher;
import org.sonar.server.organization.DefaultOrganizationProvider;
import org.sonar.server.organization.OrganizationCreation;
import org.sonar.server.organization.TestDefaultOrganizationProvider;
import org.sonar.server.organization.TestOrganizationFlags;
import org.sonar.server.permission.index.FooIndexDefinition;
import org.sonar.server.user.NewUserNotifier;
import org.sonar.server.user.UserUpdater;
import org.sonar.server.user.index.UserIndexer;
import org.sonar.server.usergroups.DefaultGroupFinder;

/* loaded from: input_file:org/sonar/server/authentication/SsoAuthenticatorTest.class */
public class SsoAuthenticatorTest {
    private static final String GROUP1 = "dev";
    private static final String GROUP2 = "admin";
    private static final String GROUPS = "dev,admin";
    private GroupDto group1;
    private GroupDto group2;
    private GroupDto sonarUsers;
    private static final Long NOW = 1000000L;
    private static final Long CLOSE_REFRESH_TIME = Long.valueOf(NOW.longValue() - 1000);
    private static final String DEFAULT_LOGIN = "john";
    private static final String DEFAULT_NAME = "John";
    private static final String DEFAULT_EMAIL = "john@doo.com";
    private static final UserDto DEFAULT_USER = UserTesting.newUserDto().setLogin(DEFAULT_LOGIN).setName(DEFAULT_NAME).setEmail(DEFAULT_EMAIL).setExternalIdentity(DEFAULT_LOGIN).setExternalIdentityProvider("sonarqube");

    @Rule
    public ExpectedException expectedException = ExpectedException.none();

    @Rule
    public DbTester db = DbTester.create(new AlwaysIncreasingSystem2());
    private System2 system2 = (System2) Mockito.mock(System2.class);
    private Settings settings = new MapSettings();
    private OrganizationCreation organizationCreation = (OrganizationCreation) Mockito.mock(OrganizationCreation.class);
    private DefaultOrganizationProvider defaultOrganizationProvider = TestDefaultOrganizationProvider.from(this.db);
    private TestOrganizationFlags organizationFlags = TestOrganizationFlags.standalone();
    private UserIdentityAuthenticator userIdentityAuthenticator = new UserIdentityAuthenticator(this.db.getDbClient(), new UserUpdater((NewUserNotifier) Mockito.mock(NewUserNotifier.class), this.db.getDbClient(), (UserIndexer) Mockito.mock(UserIndexer.class), System2.INSTANCE, this.organizationFlags, this.defaultOrganizationProvider, this.organizationCreation, new DefaultGroupFinder(this.db.getDbClient())), this.defaultOrganizationProvider, this.organizationFlags, new DefaultGroupFinder(this.db.getDbClient()));
    private HttpServletResponse response = (HttpServletResponse) Mockito.mock(HttpServletResponse.class);
    private JwtHttpHandler jwtHttpHandler = (JwtHttpHandler) Mockito.mock(JwtHttpHandler.class);
    private AuthenticationEvent authenticationEvent = (AuthenticationEvent) Mockito.mock(AuthenticationEvent.class);
    private SsoAuthenticator underTest = new SsoAuthenticator(this.system2, this.settings, this.userIdentityAuthenticator, this.jwtHttpHandler, this.authenticationEvent);

    @Before
    public void setUp() throws Exception {
        Mockito.when(Long.valueOf(this.system2.now())).thenReturn(NOW);
        this.group1 = this.db.users().insertGroup(this.db.getDefaultOrganization(), GROUP1);
        this.group2 = this.db.users().insertGroup(this.db.getDefaultOrganization(), GROUP2);
        this.sonarUsers = this.db.users().insertDefaultGroup(this.db.getDefaultOrganization(), "sonar-users");
    }

    @Test
    public void create_user_when_authenticating_new_user() throws Exception {
        startWithSso();
        setNotUserInToken();
        HttpServletRequest createRequest = createRequest(DEFAULT_LOGIN, DEFAULT_NAME, DEFAULT_EMAIL, GROUPS);
        this.underTest.authenticate(createRequest, this.response);
        verifyUserInDb(DEFAULT_LOGIN, DEFAULT_NAME, DEFAULT_EMAIL, this.group1, this.group2, this.sonarUsers);
        verifyTokenIsUpdated(NOW.longValue());
        ((AuthenticationEvent) Mockito.verify(this.authenticationEvent)).loginSuccess(createRequest, DEFAULT_LOGIN, AuthenticationEvent.Source.sso());
    }

    @Test
    public void use_login_when_name_is_not_provided() throws Exception {
        startWithSso();
        setNotUserInToken();
        HttpServletRequest createRequest = createRequest(DEFAULT_LOGIN, null, null, null);
        this.underTest.authenticate(createRequest, this.response);
        verifyUserInDb(DEFAULT_LOGIN, DEFAULT_LOGIN, null, this.sonarUsers);
        ((AuthenticationEvent) Mockito.verify(this.authenticationEvent)).loginSuccess(createRequest, DEFAULT_LOGIN, AuthenticationEvent.Source.sso());
    }

    @Test
    public void update_user_when_authenticating_exiting_user() throws Exception {
        startWithSso();
        setNotUserInToken();
        insertUser(UserTesting.newUserDto().setLogin(DEFAULT_LOGIN).setName("old name").setEmail("old email"), this.group1);
        HttpServletRequest createRequest = createRequest(DEFAULT_LOGIN, DEFAULT_NAME, DEFAULT_EMAIL, GROUP2);
        this.underTest.authenticate(createRequest, this.response);
        verifyUserInDb(DEFAULT_LOGIN, DEFAULT_NAME, DEFAULT_EMAIL, this.group2);
        verifyTokenIsUpdated(NOW.longValue());
        ((AuthenticationEvent) Mockito.verify(this.authenticationEvent)).loginSuccess(createRequest, DEFAULT_LOGIN, AuthenticationEvent.Source.sso());
    }

    @Test
    public void remove_groups_when_group_headers_is_empty() throws Exception {
        startWithSso();
        setNotUserInToken();
        insertUser(DEFAULT_USER, this.group1);
        HttpServletRequest createRequest = createRequest(DEFAULT_LOGIN, DEFAULT_NAME, DEFAULT_EMAIL, "");
        this.underTest.authenticate(createRequest, this.response);
        verityUserHasNoGroup(DEFAULT_LOGIN);
        ((AuthenticationEvent) Mockito.verify(this.authenticationEvent)).loginSuccess(createRequest, DEFAULT_LOGIN, AuthenticationEvent.Source.sso());
    }

    @Test
    public void remove_groups_when_group_headers_is_null() throws Exception {
        startWithSso();
        setNotUserInToken();
        insertUser(DEFAULT_USER, this.group1);
        HashMap hashMap = new HashMap();
        hashMap.put("X-Forwarded-Login", DEFAULT_LOGIN);
        hashMap.put("X-Forwarded-Groups", null);
        HttpServletRequest createRequest = createRequest(hashMap);
        this.underTest.authenticate(createRequest, this.response);
        verityUserHasNoGroup(DEFAULT_LOGIN);
        ((AuthenticationEvent) Mockito.verify(this.authenticationEvent)).loginSuccess(createRequest, DEFAULT_LOGIN, AuthenticationEvent.Source.sso());
    }

    @Test
    public void does_not_update_groups_when_no_group_headers() throws Exception {
        startWithSso();
        setNotUserInToken();
        insertUser(DEFAULT_USER, this.group1, this.sonarUsers);
        HttpServletRequest createRequest = createRequest(DEFAULT_LOGIN, DEFAULT_NAME, DEFAULT_EMAIL, null);
        this.underTest.authenticate(createRequest, this.response);
        verityUserGroups(DEFAULT_LOGIN, this.group1, this.sonarUsers);
        ((AuthenticationEvent) Mockito.verify(this.authenticationEvent)).loginSuccess(createRequest, DEFAULT_LOGIN, AuthenticationEvent.Source.sso());
    }

    @Test
    public void does_not_update_user_when_user_is_in_token_and_refresh_time_is_close() throws Exception {
        startWithSso();
        setUserInToken(insertUser(DEFAULT_USER, this.group1), CLOSE_REFRESH_TIME);
        this.underTest.authenticate(createRequest(DEFAULT_LOGIN, "new name", "new email", GROUP2), this.response);
        verifyUserInDb(DEFAULT_LOGIN, DEFAULT_NAME, DEFAULT_EMAIL, this.group1);
        verifyTokenIsNotUpdated();
        Mockito.verifyZeroInteractions(new Object[]{this.authenticationEvent});
    }

    @Test
    public void update_user_when_user_in_token_but_refresh_time_is_old() throws Exception {
        startWithSso();
        setUserInToken(insertUser(DEFAULT_USER, this.group1), Long.valueOf(NOW.longValue() - 360000));
        HttpServletRequest createRequest = createRequest(DEFAULT_LOGIN, "new name", "new email", GROUP2);
        this.underTest.authenticate(createRequest, this.response);
        verifyUserInDb(DEFAULT_LOGIN, "new name", "new email", this.group2);
        verifyTokenIsUpdated(NOW.longValue());
        ((AuthenticationEvent) Mockito.verify(this.authenticationEvent)).loginSuccess(createRequest, DEFAULT_LOGIN, AuthenticationEvent.Source.sso());
    }

    @Test
    public void update_user_when_user_in_token_but_no_refresh_time() throws Exception {
        startWithSso();
        setUserInToken(insertUser(DEFAULT_USER, this.group1), null);
        HttpServletRequest createRequest = createRequest(DEFAULT_LOGIN, "new name", "new email", GROUP2);
        this.underTest.authenticate(createRequest, this.response);
        verifyUserInDb(DEFAULT_LOGIN, "new name", "new email", this.group2);
        verifyTokenIsUpdated(NOW.longValue());
        ((AuthenticationEvent) Mockito.verify(this.authenticationEvent)).loginSuccess(createRequest, DEFAULT_LOGIN, AuthenticationEvent.Source.sso());
    }

    @Test
    public void use_refresh_time_from_settings() throws Exception {
        this.settings.setProperty("sonar.web.sso.refreshIntervalInMinutes", "10");
        startWithSso();
        setUserInToken(insertUser(DEFAULT_USER, this.group1), Long.valueOf(NOW.longValue() - 360000));
        this.underTest.authenticate(createRequest(DEFAULT_LOGIN, "new name", "new email", GROUP2), this.response);
        verifyUserInDb(DEFAULT_LOGIN, DEFAULT_NAME, DEFAULT_EMAIL, this.group1);
        verifyTokenIsNotUpdated();
        Mockito.verifyZeroInteractions(new Object[]{this.authenticationEvent});
    }

    @Test
    public void update_user_when_login_from_token_is_different_than_login_from_request() throws Exception {
        startWithSso();
        insertUser(DEFAULT_USER, this.group1);
        setUserInToken(DEFAULT_USER, CLOSE_REFRESH_TIME);
        HttpServletRequest createRequest = createRequest("AnotherLogin", "Another name", "Another email", GROUP2);
        this.underTest.authenticate(createRequest, this.response);
        verifyUserInDb("AnotherLogin", "Another name", "Another email", this.group2, this.sonarUsers);
        verifyTokenIsUpdated(NOW.longValue());
        ((AuthenticationEvent) Mockito.verify(this.authenticationEvent)).loginSuccess(createRequest, "AnotherLogin", AuthenticationEvent.Source.sso());
    }

    @Test
    public void use_headers_from_settings() throws Exception {
        this.settings.setProperty("sonar.web.sso.loginHeader", "head-login");
        this.settings.setProperty("sonar.web.sso.nameHeader", "head-name");
        this.settings.setProperty("sonar.web.sso.emailHeader", "head-email");
        this.settings.setProperty("sonar.web.sso.groupsHeader", "head-groups");
        startWithSso();
        setNotUserInToken();
        HttpServletRequest createRequest = createRequest(ImmutableMap.of("head-login", DEFAULT_LOGIN, "head-name", DEFAULT_NAME, "head-email", DEFAULT_EMAIL, "head-groups", GROUPS));
        this.underTest.authenticate(createRequest, this.response);
        verifyUserInDb(DEFAULT_LOGIN, DEFAULT_NAME, DEFAULT_EMAIL, this.group1, this.group2, this.sonarUsers);
        ((AuthenticationEvent) Mockito.verify(this.authenticationEvent)).loginSuccess(createRequest, DEFAULT_LOGIN, AuthenticationEvent.Source.sso());
    }

    @Test
    public void detect_group_header_even_with_wrong_case() throws Exception {
        this.settings.setProperty("sonar.web.sso.loginHeader", "login");
        this.settings.setProperty("sonar.web.sso.nameHeader", FooIndexDefinition.FIELD_NAME);
        this.settings.setProperty("sonar.web.sso.emailHeader", "email");
        this.settings.setProperty("sonar.web.sso.groupsHeader", "Groups");
        startWithSso();
        setNotUserInToken();
        HttpServletRequest createRequest = createRequest(ImmutableMap.of("login", DEFAULT_LOGIN, FooIndexDefinition.FIELD_NAME, DEFAULT_NAME, "email", DEFAULT_EMAIL, "groups", GROUPS));
        this.underTest.authenticate(createRequest, this.response);
        verifyUserInDb(DEFAULT_LOGIN, DEFAULT_NAME, DEFAULT_EMAIL, this.group1, this.group2, this.sonarUsers);
        ((AuthenticationEvent) Mockito.verify(this.authenticationEvent)).loginSuccess(createRequest, DEFAULT_LOGIN, AuthenticationEvent.Source.sso());
    }

    @Test
    public void trim_groups() throws Exception {
        startWithSso();
        setNotUserInToken();
        HttpServletRequest createRequest = createRequest(DEFAULT_LOGIN, null, null, "  dev ,    admin ");
        this.underTest.authenticate(createRequest, this.response);
        verifyUserInDb(DEFAULT_LOGIN, DEFAULT_LOGIN, null, this.group1, this.group2, this.sonarUsers);
        ((AuthenticationEvent) Mockito.verify(this.authenticationEvent)).loginSuccess(createRequest, DEFAULT_LOGIN, AuthenticationEvent.Source.sso());
    }

    @Test
    public void does_not_authenticate_when_no_header() throws Exception {
        startWithSso();
        setNotUserInToken();
        this.underTest.authenticate(createRequest(Collections.emptyMap()), this.response);
        verifyUserNotAuthenticated();
        verifyTokenIsNotUpdated();
        Mockito.verifyZeroInteractions(new Object[]{this.authenticationEvent});
    }

    @Test
    public void does_not_authenticate_when_not_enabled() throws Exception {
        startWithoutSso();
        this.underTest.authenticate(createRequest(DEFAULT_LOGIN, DEFAULT_NAME, DEFAULT_EMAIL, GROUPS), this.response);
        verifyUserNotAuthenticated();
        Mockito.verifyZeroInteractions(new Object[]{this.jwtHttpHandler, this.authenticationEvent});
    }

    @Test
    public void throw_AuthenticationException_when_BadRequestException_is_generated() throws Exception {
        startWithSso();
        setNotUserInToken();
        this.expectedException.expect(AuthenticationExceptionMatcher.authenticationException().from(AuthenticationEvent.Source.sso()).withoutLogin().andNoPublicMessage());
        this.expectedException.expectMessage("Use only letters, numbers, and .-_@ please.");
        try {
            this.underTest.authenticate(createRequest("invalid login", DEFAULT_NAME, DEFAULT_EMAIL, GROUPS), this.response);
            Mockito.verifyZeroInteractions(new Object[]{this.authenticationEvent});
        } catch (Throwable th) {
            Mockito.verifyZeroInteractions(new Object[]{this.authenticationEvent});
            throw th;
        }
    }

    private void startWithSso() {
        this.settings.setProperty("sonar.web.sso.enable", true);
        this.underTest.start();
    }

    private void startWithoutSso() {
        this.settings.setProperty("sonar.web.sso.enable", false);
        this.underTest.start();
    }

    private void setUserInToken(UserDto userDto, @Nullable Long l) {
        Mockito.when(this.jwtHttpHandler.getToken((HttpServletRequest) Matchers.any(HttpServletRequest.class), (HttpServletResponse) Matchers.any(HttpServletResponse.class))).thenReturn(Optional.of(new JwtHttpHandler.Token(userDto, l == null ? Collections.emptyMap() : ImmutableMap.of("ssoLastRefreshTime", l))));
    }

    private void setNotUserInToken() {
        Mockito.when(this.jwtHttpHandler.getToken((HttpServletRequest) Matchers.any(HttpServletRequest.class), (HttpServletResponse) Matchers.any(HttpServletResponse.class))).thenReturn(Optional.empty());
    }

    private UserDto insertUser(UserDto userDto, GroupDto... groupDtoArr) {
        this.db.users().insertUser(userDto);
        Arrays.stream(groupDtoArr).forEach(groupDto -> {
            this.db.users().insertMember(groupDto, userDto);
        });
        this.db.commit();
        return userDto;
    }

    private static HttpServletRequest createRequest(Map<String, String> map) {
        HttpServletRequest httpServletRequest = (HttpServletRequest) Mockito.mock(HttpServletRequest.class);
        setHeaders(httpServletRequest, map);
        return httpServletRequest;
    }

    private static HttpServletRequest createRequest(String str, @Nullable String str2, @Nullable String str3, @Nullable String str4) {
        HashMap hashMap = new HashMap();
        hashMap.put("X-Forwarded-Login", str);
        if (str2 != null) {
            hashMap.put("X-Forwarded-Name", str2);
        }
        if (str3 != null) {
            hashMap.put("X-Forwarded-Email", str3);
        }
        if (str4 != null) {
            hashMap.put("X-Forwarded-Groups", str4);
        }
        HttpServletRequest httpServletRequest = (HttpServletRequest) Mockito.mock(HttpServletRequest.class);
        setHeaders(httpServletRequest, hashMap);
        return httpServletRequest;
    }

    private static void setHeaders(HttpServletRequest httpServletRequest, Map<String, String> map) {
        map.entrySet().forEach(entry -> {
            Mockito.when(httpServletRequest.getHeader((String) entry.getKey())).thenReturn(entry.getValue());
        });
        Mockito.when(httpServletRequest.getHeaderNames()).thenReturn(Collections.enumeration(map.keySet()));
    }

    private void verifyUserInDb(String str, String str2, @Nullable String str3, GroupDto... groupDtoArr) {
        UserDto userDto = (UserDto) this.db.users().selectUserByLogin(str).get();
        Java6Assertions.assertThat(userDto.isActive()).isTrue();
        Java6Assertions.assertThat(userDto.getName()).isEqualTo(str2);
        Java6Assertions.assertThat(userDto.getEmail()).isEqualTo(str3);
        Java6Assertions.assertThat(userDto.getExternalIdentity()).isEqualTo(str);
        Java6Assertions.assertThat(userDto.getExternalIdentityProvider()).isEqualTo("sonarqube");
        verityUserGroups(str, groupDtoArr);
    }

    private void verityUserGroups(String str, GroupDto... groupDtoArr) {
        UserDto userDto = (UserDto) this.db.users().selectUserByLogin(str).get();
        if (groupDtoArr.length == 0) {
            Java6Assertions.assertThat(this.db.users().selectGroupIdsOfUser(userDto)).isEmpty();
        } else {
            Java6Assertions.assertThat(this.db.users().selectGroupIdsOfUser(userDto)).containsOnly(((List) Arrays.stream(groupDtoArr).map((v0) -> {
                return v0.getId();
            }).collect(MoreCollectors.toList())).toArray(new Integer[0]));
        }
    }

    private void verityUserHasNoGroup(String str) {
        verityUserGroups(str, new GroupDto[0]);
    }

    private void verifyUserNotAuthenticated() {
        Java6Assertions.assertThat(this.db.countRowsOfTable(this.db.getSession(), "users")).isZero();
        verifyTokenIsNotUpdated();
    }

    private void verifyTokenIsUpdated(long j) {
        ((JwtHttpHandler) Mockito.verify(this.jwtHttpHandler)).generateToken((UserDto) Matchers.any(UserDto.class), (Map) Matchers.eq(ImmutableMap.of("ssoLastRefreshTime", Long.valueOf(j))), (HttpServletRequest) Matchers.any(HttpServletRequest.class), (HttpServletResponse) Matchers.any(HttpServletResponse.class));
    }

    private void verifyTokenIsNotUpdated() {
        ((JwtHttpHandler) Mockito.verify(this.jwtHttpHandler, Mockito.never())).generateToken((UserDto) Matchers.any(UserDto.class), Matchers.anyMap(), (HttpServletRequest) Matchers.any(HttpServletRequest.class), (HttpServletResponse) Matchers.any(HttpServletResponse.class));
    }
}
