package org.sonar.server.authentication;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.impl.DefaultClaims;
import java.util.Date;
import java.util.Optional;
import javax.annotation.Nullable;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.assertj.core.api.Assertions;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.mockito.ArgumentCaptor;
import org.mockito.Matchers;
import org.mockito.Mockito;
import org.sonar.api.config.internal.MapSettings;
import org.sonar.api.utils.System2;
import org.sonar.db.DbClient;
import org.sonar.db.DbSession;
import org.sonar.db.DbTester;
import org.sonar.db.user.UserDto;
import org.sonar.db.user.UserTesting;
import org.sonar.server.authentication.JwtSerializer;

/* loaded from: input_file:org/sonar/server/authentication/JwtHttpHandlerTest.class */
public class JwtHttpHandlerTest {
    private static final String JWT_TOKEN = "TOKEN";
    private static final String CSRF_STATE = "CSRF_STATE";
    private static final String USER_LOGIN = "john";
    private static final long NOW = 10000000000L;
    private static final long FOUR_MINUTES_AGO = 9999760000L;
    private static final long SIX_MINUTES_AGO = 9999640000L;
    private static final long TEN_DAYS_AGO = 9136000000L;

    @Rule
    public ExpectedException expectedException = ExpectedException.none();

    @Rule
    public DbTester dbTester = DbTester.create(System2.INSTANCE);
    private DbClient dbClient = this.dbTester.getDbClient();
    private DbSession dbSession = this.dbTester.getSession();
    private ArgumentCaptor<Cookie> cookieArgumentCaptor = ArgumentCaptor.forClass(Cookie.class);
    private ArgumentCaptor<JwtSerializer.JwtSession> jwtArgumentCaptor = ArgumentCaptor.forClass(JwtSerializer.JwtSession.class);
    private HttpServletRequest request = (HttpServletRequest) Mockito.mock(HttpServletRequest.class);
    private HttpServletResponse response = (HttpServletResponse) Mockito.mock(HttpServletResponse.class);
    private HttpSession httpSession = (HttpSession) Mockito.mock(HttpSession.class);
    private System2 system2 = (System2) Mockito.spy(System2.INSTANCE);
    private MapSettings settings = new MapSettings();
    private JwtSerializer jwtSerializer = (JwtSerializer) Mockito.mock(JwtSerializer.class);
    private JwtCsrfVerifier jwtCsrfVerifier = (JwtCsrfVerifier) Mockito.mock(JwtCsrfVerifier.class);
    private UserDto userDto = UserTesting.newUserDto().setLogin(USER_LOGIN);
    private JwtHttpHandler underTest = new JwtHttpHandler(this.system2, this.dbClient, this.settings.asConfig(), this.jwtSerializer, this.jwtCsrfVerifier);

    @Before
    public void setUp() throws Exception {
        Mockito.when(Long.valueOf(this.system2.now())).thenReturn(Long.valueOf(NOW));
        Mockito.when(this.request.getSession()).thenReturn(this.httpSession);
        Mockito.when(this.jwtSerializer.encode((JwtSerializer.JwtSession) Matchers.any(JwtSerializer.JwtSession.class))).thenReturn(JWT_TOKEN);
        Mockito.when(this.jwtCsrfVerifier.generateState((HttpServletRequest) Matchers.eq(this.request), (HttpServletResponse) Matchers.eq(this.response), Matchers.anyInt())).thenReturn(CSRF_STATE);
        this.dbClient.userDao().insert(this.dbSession, this.userDto);
        this.dbSession.commit();
    }

    @Test
    public void create_token() throws Exception {
        this.underTest.generateToken(this.userDto, this.request, this.response);
        Optional<Cookie> findCookie = findCookie("JWT-SESSION");
        Assertions.assertThat(findCookie).isPresent();
        verifyCookie(findCookie.get(), JWT_TOKEN, 259200);
        ((JwtSerializer) Mockito.verify(this.jwtSerializer)).encode((JwtSerializer.JwtSession) this.jwtArgumentCaptor.capture());
        verifyToken((JwtSerializer.JwtSession) this.jwtArgumentCaptor.getValue(), 259200, NOW);
    }

    @Test
    public void generate_csrf_state_when_creating_token() throws Exception {
        this.underTest.generateToken(this.userDto, this.request, this.response);
        ((JwtCsrfVerifier) Mockito.verify(this.jwtCsrfVerifier)).generateState(this.request, this.response, 259200);
        ((JwtSerializer) Mockito.verify(this.jwtSerializer)).encode((JwtSerializer.JwtSession) this.jwtArgumentCaptor.capture());
        Assertions.assertThat(((JwtSerializer.JwtSession) this.jwtArgumentCaptor.getValue()).getProperties().get("xsrfToken")).isEqualTo(CSRF_STATE);
    }

    @Test
    public void generate_token_is_using_session_timeout_from_settings() throws Exception {
        this.settings.setProperty("sonar.web.sessionTimeoutInMinutes", 10);
        this.underTest = new JwtHttpHandler(this.system2, this.dbClient, this.settings.asConfig(), this.jwtSerializer, this.jwtCsrfVerifier);
        this.underTest.generateToken(this.userDto, this.request, this.response);
        ((JwtSerializer) Mockito.verify(this.jwtSerializer)).encode((JwtSerializer.JwtSession) this.jwtArgumentCaptor.capture());
        verifyToken((JwtSerializer.JwtSession) this.jwtArgumentCaptor.getValue(), 10 * 60, NOW);
    }

    @Test
    public void session_timeout_property_cannot_be_updated() throws Exception {
        this.settings.setProperty("sonar.web.sessionTimeoutInMinutes", 10);
        this.underTest = new JwtHttpHandler(this.system2, this.dbClient, this.settings.asConfig(), this.jwtSerializer, this.jwtCsrfVerifier);
        this.underTest.generateToken(this.userDto, this.request, this.response);
        this.settings.setProperty("sonar.web.sessionTimeoutInMinutes", 15);
        this.underTest.generateToken(this.userDto, this.request, this.response);
        ((JwtSerializer) Mockito.verify(this.jwtSerializer, Mockito.times(2))).encode((JwtSerializer.JwtSession) this.jwtArgumentCaptor.capture());
        verifyToken((JwtSerializer.JwtSession) this.jwtArgumentCaptor.getAllValues().get(0), 10 * 60, NOW);
        verifyToken((JwtSerializer.JwtSession) this.jwtArgumentCaptor.getAllValues().get(1), 10 * 60, NOW);
    }

    @Test
    public void session_timeout_property_cannot_be_zero() throws Exception {
        this.settings.setProperty("sonar.web.sessionTimeoutInMinutes", 0);
        this.expectedException.expect(IllegalArgumentException.class);
        this.expectedException.expectMessage("Property sonar.web.sessionTimeoutInMinutes must be strictly positive. Got 0");
        new JwtHttpHandler(this.system2, this.dbClient, this.settings.asConfig(), this.jwtSerializer, this.jwtCsrfVerifier);
    }

    @Test
    public void session_timeout_property_cannot_be_negative() throws Exception {
        this.settings.setProperty("sonar.web.sessionTimeoutInMinutes", -10);
        this.expectedException.expect(IllegalArgumentException.class);
        this.expectedException.expectMessage("Property sonar.web.sessionTimeoutInMinutes must be strictly positive. Got -10");
        new JwtHttpHandler(this.system2, this.dbClient, this.settings.asConfig(), this.jwtSerializer, this.jwtCsrfVerifier);
    }

    @Test
    public void session_timeout_property_cannot_be_greater_than_three_months() throws Exception {
        this.settings.setProperty("sonar.web.sessionTimeoutInMinutes", 172800);
        this.expectedException.expect(IllegalArgumentException.class);
        this.expectedException.expectMessage("Property sonar.web.sessionTimeoutInMinutes must not be greater than 3 months (129600 minutes). Got 172800 minutes");
        new JwtHttpHandler(this.system2, this.dbClient, this.settings.asConfig(), this.jwtSerializer, this.jwtCsrfVerifier);
    }

    @Test
    public void validate_token() throws Exception {
        addJwtCookie();
        Mockito.when(this.jwtSerializer.decode(JWT_TOKEN)).thenReturn(Optional.of(createToken(USER_LOGIN, NOW)));
        Assertions.assertThat(this.underTest.validateToken(this.request, this.response).isPresent()).isTrue();
        ((JwtSerializer) Mockito.verify(this.jwtSerializer, Mockito.never())).encode((JwtSerializer.JwtSession) Matchers.any(JwtSerializer.JwtSession.class));
    }

    @Test
    public void validate_token_refresh_session_when_refresh_time_is_reached() throws Exception {
        addJwtCookie();
        Claims createToken = createToken(USER_LOGIN, TEN_DAYS_AGO);
        createToken.put("lastRefreshTime", Long.valueOf(SIX_MINUTES_AGO));
        Mockito.when(this.jwtSerializer.decode(JWT_TOKEN)).thenReturn(Optional.of(createToken));
        Assertions.assertThat(this.underTest.validateToken(this.request, this.response).isPresent()).isTrue();
        ((JwtSerializer) Mockito.verify(this.jwtSerializer)).refresh((Claims) Matchers.any(Claims.class), Matchers.eq(259200));
    }

    @Test
    public void validate_token_does_not_refresh_session_when_refresh_time_is_not_reached() throws Exception {
        addJwtCookie();
        Claims createToken = createToken(USER_LOGIN, TEN_DAYS_AGO);
        createToken.put("lastRefreshTime", Long.valueOf(FOUR_MINUTES_AGO));
        Mockito.when(this.jwtSerializer.decode(JWT_TOKEN)).thenReturn(Optional.of(createToken));
        Assertions.assertThat(this.underTest.validateToken(this.request, this.response).isPresent()).isTrue();
        ((JwtSerializer) Mockito.verify(this.jwtSerializer, Mockito.never())).refresh((Claims) Matchers.any(Claims.class), Matchers.anyInt());
    }

    @Test
    public void validate_token_does_not_refresh_session_when_disconnected_timeout_is_reached() throws Exception {
        addJwtCookie();
        Claims createToken = createToken(USER_LOGIN, -368000000L);
        createToken.setExpiration(new Date(10000300000L));
        createToken.put("lastRefreshTime", Long.valueOf(FOUR_MINUTES_AGO));
        Mockito.when(this.jwtSerializer.decode(JWT_TOKEN)).thenReturn(Optional.of(createToken));
        Assertions.assertThat(this.underTest.validateToken(this.request, this.response).isPresent()).isFalse();
    }

    @Test
    public void validate_token_does_not_refresh_session_when_user_is_disabled() throws Exception {
        addJwtCookie();
        Mockito.when(this.jwtSerializer.decode(JWT_TOKEN)).thenReturn(Optional.of(createToken(addUser(false).getLogin(), NOW)));
        Assertions.assertThat(this.underTest.validateToken(this.request, this.response).isPresent()).isFalse();
    }

    @Test
    public void validate_token_does_not_refresh_session_when_token_is_no_more_valid() throws Exception {
        addJwtCookie();
        Mockito.when(this.jwtSerializer.decode(JWT_TOKEN)).thenReturn(Optional.empty());
        Assertions.assertThat(this.underTest.validateToken(this.request, this.response).isPresent()).isFalse();
    }

    @Test
    public void validate_token_does_nothing_when_no_jwt_cookie() throws Exception {
        this.underTest.validateToken(this.request, this.response);
        Mockito.verifyZeroInteractions(new Object[]{this.httpSession, this.jwtSerializer});
        Assertions.assertThat(this.underTest.validateToken(this.request, this.response).isPresent()).isFalse();
    }

    @Test
    public void validate_token_does_nothing_when_empty_value_in_jwt_cookie() throws Exception {
        Mockito.when(this.request.getCookies()).thenReturn(new Cookie[]{new Cookie("JWT-SESSION", "")});
        this.underTest.validateToken(this.request, this.response);
        Mockito.verifyZeroInteractions(new Object[]{this.httpSession, this.jwtSerializer});
        Assertions.assertThat(this.underTest.validateToken(this.request, this.response).isPresent()).isFalse();
    }

    @Test
    public void validate_token_verify_csrf_state() throws Exception {
        addJwtCookie();
        Claims createToken = createToken(USER_LOGIN, NOW);
        createToken.put("xsrfToken", CSRF_STATE);
        Mockito.when(this.jwtSerializer.decode(JWT_TOKEN)).thenReturn(Optional.of(createToken));
        this.underTest.validateToken(this.request, this.response);
        ((JwtCsrfVerifier) Mockito.verify(this.jwtCsrfVerifier)).verifyState(this.request, CSRF_STATE, USER_LOGIN);
    }

    @Test
    public void validate_token_refresh_state_when_refreshing_token() throws Exception {
        addJwtCookie();
        Claims createToken = createToken(USER_LOGIN, TEN_DAYS_AGO);
        createToken.put("xsrfToken", CSRF_STATE);
        Mockito.when(this.jwtSerializer.decode(JWT_TOKEN)).thenReturn(Optional.of(createToken));
        this.underTest.validateToken(this.request, this.response);
        ((JwtSerializer) Mockito.verify(this.jwtSerializer)).refresh((Claims) Matchers.any(Claims.class), Matchers.anyInt());
        ((JwtCsrfVerifier) Mockito.verify(this.jwtCsrfVerifier)).refreshState(this.request, this.response, CSRF_STATE, 259200);
    }

    @Test
    public void remove_token() throws Exception {
        this.underTest.removeToken(this.request, this.response);
        verifyCookie(findCookie("JWT-SESSION").get(), null, 0);
        ((JwtCsrfVerifier) Mockito.verify(this.jwtCsrfVerifier)).removeState(this.request, this.response);
    }

    private void verifyToken(JwtSerializer.JwtSession jwtSession, int i, long j) {
        Assertions.assertThat(jwtSession.getExpirationTimeInSeconds()).isEqualTo(i);
        Assertions.assertThat(jwtSession.getUserLogin()).isEqualTo(USER_LOGIN);
        Assertions.assertThat(jwtSession.getProperties().get("lastRefreshTime")).isEqualTo(Long.valueOf(j));
    }

    private Optional<Cookie> findCookie(String str) {
        ((HttpServletResponse) Mockito.verify(this.response)).addCookie((Cookie) this.cookieArgumentCaptor.capture());
        return this.cookieArgumentCaptor.getAllValues().stream().filter(cookie -> {
            return str.equals(cookie.getName());
        }).findFirst();
    }

    private void verifyCookie(Cookie cookie, @Nullable String str, int i) {
        Assertions.assertThat(cookie.getPath()).isEqualTo("/");
        Assertions.assertThat(cookie.isHttpOnly()).isTrue();
        Assertions.assertThat(cookie.getMaxAge()).isEqualTo(i);
        Assertions.assertThat(cookie.getSecure()).isFalse();
        Assertions.assertThat(cookie.getValue()).isEqualTo(str);
    }

    private UserDto addUser(boolean z) {
        UserDto active = UserTesting.newUserDto().setActive(z);
        this.dbClient.userDao().insert(this.dbSession, active);
        this.dbSession.commit();
        return active;
    }

    private Cookie addJwtCookie() {
        Cookie cookie = new Cookie("JWT-SESSION", JWT_TOKEN);
        Mockito.when(this.request.getCookies()).thenReturn(new Cookie[]{cookie});
        return cookie;
    }

    private Claims createToken(String str, long j) {
        return createToken(str, j, 10000300000L);
    }

    private Claims createToken(String str, long j, long j2) {
        DefaultClaims defaultClaims = new DefaultClaims();
        defaultClaims.setId("ID");
        defaultClaims.setSubject(str);
        defaultClaims.setIssuedAt(new Date(j));
        defaultClaims.setExpiration(new Date(j2));
        defaultClaims.put("lastRefreshTime", Long.valueOf(j));
        return defaultClaims;
    }
}
