package org.sonar.server.authentication;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.assertj.core.api.Assertions;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.mockito.ArgumentCaptor;
import org.mockito.Mockito;
import org.sonar.server.authentication.event.AuthenticationEvent;
import org.sonar.server.authentication.event.AuthenticationExceptionMatcher;

/* loaded from: input_file:org/sonar/server/authentication/JwtCsrfVerifierTest.class */
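/**
 * Unit tests for {@code JwtCsrfVerifier}, the double-submit CSRF guard that
 * accompanies the JWT session: a random state is stored in a readable
 * {@code XSRF-TOKEN} cookie and must be echoed back by the client in the
 * {@code X-XSRF-TOKEN} header on state-changing {@code /api} calls.
 *
 * <p>The servlet request/response are Mockito mocks; the cookie written by the
 * verifier is captured from {@code response.addCookie(...)} and inspected.
 */
public class JwtCsrfVerifierTest {
    private static final int TIMEOUT = 30;
    private static final String CSRF_STATE = "STATE";
    private static final String JAVA_WS_URL = "/api/metrics/create";
    private static final String LOGIN = "foo login";
    /** Cookie the verifier issues; must stay readable by client-side code (not HttpOnly). */
    private static final String CSRF_COOKIE_NAME = "XSRF-TOKEN";
    /** Header in which the client echoes the cookie value back. */
    private static final String CSRF_HEADER_NAME = "X-XSRF-TOKEN";
    /** Exact failure messages emitted by the implementation under test (pinned, typo included). */
    private static final String WRONG_CSRF_MESSAGE = "Wrong CSFR in request";
    private static final String MISSING_REFERENCE_MESSAGE = "Missing reference CSRF value";

    @Rule
    public ExpectedException thrown = ExpectedException.none();
    private final ArgumentCaptor<Cookie> cookieArgumentCaptor = ArgumentCaptor.forClass(Cookie.class);
    private final HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
    private final HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
    private final JwtCsrfVerifier underTest = new JwtCsrfVerifier();

    @Before
    public void setUp() throws Exception {
        // Empty context path so the cookie path is expected to be exactly "/".
        Mockito.when(request.getContextPath()).thenReturn("");
    }

    @Test
    public void generate_state() throws Exception {
        Assertions.assertThat(underTest.generateState(request, response, TIMEOUT)).isNotEmpty();
        Mockito.verify(response).addCookie(cookieArgumentCaptor.capture());
        verifyCookie(cookieArgumentCaptor.getValue());
    }

    @Test
    public void verify_state() throws Exception {
        mockRequestCsrf(CSRF_STATE);
        mockPostJavaWsRequest();
        // Header value matches the reference state: no exception expected.
        underTest.verifyState(request, CSRF_STATE, LOGIN);
    }

    @Test
    public void fail_with_AuthenticationException_when_state_header_is_not_the_same_as_state_parameter() throws Exception {
        mockRequestCsrf("other value");
        mockPostJavaWsRequest();
        expectCsrfFailure(WRONG_CSRF_MESSAGE);
        underTest.verifyState(request, CSRF_STATE, LOGIN);
    }

    @Test
    public void fail_with_AuthenticationException_when_state_header_is_missing() throws Exception {
        // A state-changing /api request that carries the cookie-derived reference
        // but no X-XSRF-TOKEN header at all must be rejected, otherwise a cross-site
        // form POST (which cannot set custom headers) would pass the guard.
        // Only the exception is pinned here; the exact message is left to the implementation.
        mockRequestCsrf(null);
        mockPostJavaWsRequest();
        thrown.expect(AuthenticationExceptionMatcher.authenticationException()
            .from(AuthenticationEvent.Source.local(AuthenticationEvent.Method.JWT))
            .withLogin(LOGIN)
            .andNoPublicMessage());
        underTest.verifyState(request, CSRF_STATE, LOGIN);
    }

    @Test
    public void fail_with_AuthenticationException_when_state_is_null() throws Exception {
        mockRequestCsrf(CSRF_STATE);
        mockPostJavaWsRequest();
        expectCsrfFailure(MISSING_REFERENCE_MESSAGE);
        underTest.verifyState(request, null, LOGIN);
    }

    @Test
    public void fail_with_AuthenticationException_when_state_parameter_is_empty() throws Exception {
        mockRequestCsrf(CSRF_STATE);
        mockPostJavaWsRequest();
        expectCsrfFailure(MISSING_REFERENCE_MESSAGE);
        underTest.verifyState(request, "", LOGIN);
    }

    @Test
    public void verify_POST_request() throws Exception {
        verifyStateRejectsMismatchFor("POST");
    }

    @Test
    public void verify_PUT_request() throws Exception {
        verifyStateRejectsMismatchFor("PUT");
    }

    @Test
    public void verify_DELETE_request() throws Exception {
        verifyStateRejectsMismatchFor("DELETE");
    }

    @Test
    public void ignore_GET_request() throws Exception {
        // Safe method: no reference state and no header, yet no exception.
        mockRequest(JAVA_WS_URL, "GET");
        underTest.verifyState(request, null, LOGIN);
    }

    @Test
    public void ignore_not_api_requests() throws Exception {
        executeVerifyStateDoesNotFailOnRequest("/events", "POST");
        executeVerifyStateDoesNotFailOnRequest("/favorites", "POST");
    }

    @Test
    public void refresh_state() throws Exception {
        underTest.refreshState(request, response, CSRF_STATE, TIMEOUT);
        Mockito.verify(response).addCookie(cookieArgumentCaptor.capture());
        verifyCookie(cookieArgumentCaptor.getValue());
    }

    @Test
    public void remove_state() throws Exception {
        underTest.removeState(request, response);
        Mockito.verify(response).addCookie(cookieArgumentCaptor.capture());
        Cookie cookie = cookieArgumentCaptor.getValue();
        // Deletion cookie: empty value and Max-Age 0 so the browser drops it.
        Assertions.assertThat(cookie.getValue()).isNull();
        Assertions.assertThat(cookie.getMaxAge()).isEqualTo(0);
    }

    /**
     * Checks the attributes of the CSRF cookie written by generate/refresh.
     * Not-HttpOnly is deliberate: the client must read the cookie to echo it
     * in {@code X-XSRF-TOKEN}. Secure=false is what the implementation currently
     * produces; NOTE(review): the token therefore travels in clear on plain-HTTP
     * deployments — revisit this assertion if the verifier starts deriving the
     * Secure flag from the request scheme.
     */
    private void verifyCookie(Cookie cookie) {
        Assertions.assertThat(cookie.getName()).isEqualTo(CSRF_COOKIE_NAME);
        Assertions.assertThat(cookie.getValue()).isNotEmpty();
        Assertions.assertThat(cookie.getPath()).isEqualTo("/");
        Assertions.assertThat(cookie.isHttpOnly()).isFalse();
        Assertions.assertThat(cookie.getMaxAge()).isEqualTo(TIMEOUT);
        Assertions.assertThat(cookie.getSecure()).isFalse();
    }

    /** Arranges a state-changing request on a Java web service URL. */
    private void mockPostJavaWsRequest() {
        mockRequest(JAVA_WS_URL, "POST");
    }

    /** Stubs request URI and HTTP method. */
    private void mockRequest(String uri, String method) {
        Mockito.when(request.getRequestURI()).thenReturn(uri);
        Mockito.when(request.getMethod()).thenReturn(method);
    }

    /** Stubs the client-supplied CSRF header; {@code null} means the header is absent. */
    private void mockRequestCsrf(String headerValue) {
        Mockito.when(request.getHeader(CSRF_HEADER_NAME)).thenReturn(headerValue);
    }

    /** Registers the expectation of a JWT-sourced AuthenticationException carrying the given message and no public message. */
    private void expectCsrfFailure(String message) {
        thrown.expect(AuthenticationExceptionMatcher.authenticationException()
            .from(AuthenticationEvent.Source.local(AuthenticationEvent.Method.JWT))
            .withLogin(LOGIN)
            .andNoPublicMessage());
        thrown.expectMessage(message);
    }

    /** Asserts that a mismatching header on a {@code /api} request with the given method is rejected. */
    private void verifyStateRejectsMismatchFor(String method) {
        mockRequestCsrf("other value");
        mockRequest(JAVA_WS_URL, method);
        expectCsrfFailure(WRONG_CSRF_MESSAGE);
        underTest.verifyState(request, CSRF_STATE, LOGIN);
    }

    /** Asserts that verifyState is a no-op for the given URI/method even without any reference state. */
    private void executeVerifyStateDoesNotFailOnRequest(String uri, String method) {
        mockRequest(uri, method);
        underTest.verifyState(request, null, LOGIN);
    }
}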
