package com.evolveum.midpoint.web;

import com.evolveum.midpoint.model.api.authentication.MidPointUserProfilePrincipal;
import com.evolveum.midpoint.model.api.authentication.UserProfileService;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectAlreadyExistsException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.PolicyViolationException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.web.security.MidPointGuiAuthorizationEvaluator;
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;
import org.springframework.test.annotation.DirtiesContext;
import org.springframework.test.context.ContextConfiguration;
import org.testng.annotations.Test;

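@ContextConfiguration(locations = {"classpath:ctx-admin-gui-test-main.xml"})
@DirtiesContext(classMode = DirtiesContext.ClassMode.AFTER_CLASS)
/**
 * Integration tests for {@link MidPointGuiAuthorizationEvaluator}, the component that
 * decides whether an authenticated GUI user may reach a given page URL.
 *
 * <p>Each test assigns a different role (or none) to user "jack", builds an
 * authenticated token straight from jack's stored user profile, and asks the
 * evaluator to decide access to a fixed set of URLs. Only the authorization
 * decision is exercised here: no password is ever verified (see
 * {@link #createPasswordAuthentication(String)}).
 *
 * <p>The most security-relevant case is {@link #test100DecideNoRole()}: a user with no
 * authorizations must be denied everything except the login page and the root URL.
 */
public class TestIntegrationSecurity extends AbstractInitializedGuiIntegrationTest {
    protected static final String ROLE_UI_ALLOW_ALL_OID = "d8f78cfe-d05d-11e7-8ee6-038ce21862f3";
    protected static final String ROLE_UI_DENY_ALL_OID = "c4a5923c-d02b-11e7-9ac5-13b0d906fa81";
    protected static final String ROLE_UI_DENY_ALLOW_OID = "da47fcf6-d02b-11e7-9e78-f31ae9aa0674";

    @Autowired
    private UserProfileService userProfileService;
    /** The object under test; created in {@link #initSystem} from the inherited security beans. */
    private MidPointGuiAuthorizationEvaluator midPointGuiAuthorizationEvaluator;
    public static final File TEST_DIR = new File("src/test/resources/security");
    protected static final File ROLE_UI_ALLOW_ALL_FILE = new File(TEST_DIR, "role-ui-allow-all.xml");
    protected static final File ROLE_UI_DENY_ALL_FILE = new File(TEST_DIR, "role-ui-deny-all.xml");
    protected static final File ROLE_UI_DENY_ALLOW_FILE = new File(TEST_DIR, "role-ui-deny-allow.xml");
    private static final Trace LOGGER = TraceManager.getTrace(TestIntegrationSecurity.class);

    /**
     * Builds the evaluator from the inherited enforcer, context manager and task manager,
     * then loads the three test roles directly into the repository.
     *
     * @param task            task for the initialization
     * @param operationResult result to record the repository adds into
     * @throws Exception propagated from the superclass init or the repository adds
     */
    @Override // com.evolveum.midpoint.web.AbstractInitializedGuiIntegrationTest, com.evolveum.midpoint.web.AbstractGuiIntegrationTest
    public void initSystem(Task task, OperationResult operationResult) throws Exception {
        super.initSystem(task, operationResult);
        this.midPointGuiAuthorizationEvaluator = new MidPointGuiAuthorizationEvaluator(this.securityEnforcer, this.securityContextManager, this.taskManager);
        repoAddObjectFromFile(ROLE_UI_ALLOW_ALL_FILE, operationResult);
        repoAddObjectFromFile(ROLE_UI_DENY_ALL_FILE, operationResult);
        repoAddObjectFromFile(ROLE_UI_DENY_ALLOW_FILE, operationResult);
    }

    /**
     * Default-deny baseline: jack has no roles at all. Only the login page and the
     * root URL may be allowed; every other URL, including the unmapped {@code /noautz},
     * must be denied.
     */
    @Test
    public void test100DecideNoRole() throws Exception {
        displayTestTitle("test100DecideNoRole");
        cleanupAutzTest(AdminGuiTestConstants.USER_JACK_OID);
        display("user before", getUser(AdminGuiTestConstants.USER_JACK_OID));
        login(AdminGuiTestConstants.USER_JACK_USERNAME);
        Authentication createPasswordAuthentication = createPasswordAuthentication(AdminGuiTestConstants.USER_JACK_USERNAME);
        displayWhen("test100DecideNoRole");
        assertAllow(createPasswordAuthentication, "/login");
        assertAllow(createPasswordAuthentication, "/");
        assertDeny(createPasswordAuthentication, "/noautz");
        assertDeny(createPasswordAuthentication, "/admin/users");
        assertDeny(createPasswordAuthentication, "/self/dashboard");
        assertDeny(createPasswordAuthentication, "/admin/config/system");
        assertDeny(createPasswordAuthentication, "/admin/config/debugs");
        displayThen("test100DecideNoRole");
    }

    /**
     * jack holds the "allow all" UI role: every mapped URL is allowed. Note that
     * {@code /noautz} stays denied even here, so an "allow all" role does not open
     * URLs that have no authorization mapping.
     */
    @Test
    public void test110DecideRoleUiAllowAll() throws Exception {
        displayTestTitle("test110DecideRoleUiAllowAll");
        cleanupAutzTest(AdminGuiTestConstants.USER_JACK_OID);
        assignRole(AdminGuiTestConstants.USER_JACK_OID, ROLE_UI_ALLOW_ALL_OID);
        display("user before", getUser(AdminGuiTestConstants.USER_JACK_OID));
        login(AdminGuiTestConstants.USER_JACK_USERNAME);
        Authentication createPasswordAuthentication = createPasswordAuthentication(AdminGuiTestConstants.USER_JACK_USERNAME);
        displayWhen("test110DecideRoleUiAllowAll");
        assertAllow(createPasswordAuthentication, "/login");
        assertAllow(createPasswordAuthentication, "/");
        assertDeny(createPasswordAuthentication, "/noautz");
        assertAllow(createPasswordAuthentication, "/admin/users");
        assertAllow(createPasswordAuthentication, "/self/dashboard");
        assertAllow(createPasswordAuthentication, "/admin/config/system");
        assertAllow(createPasswordAuthentication, "/admin/config/debugs");
        displayThen("test110DecideRoleUiAllowAll");
    }

    /**
     * jack holds the "deny all" UI role: the expected decisions are identical to the
     * no-role baseline, i.e. an explicit deny grants nothing beyond login and root.
     */
    @Test
    public void test120DecideRoleUiDenyAll() throws Exception {
        displayTestTitle("test120DecideRoleUiDenyAll");
        cleanupAutzTest(AdminGuiTestConstants.USER_JACK_OID);
        assignRole(AdminGuiTestConstants.USER_JACK_OID, ROLE_UI_DENY_ALL_OID);
        display("user before", getUser(AdminGuiTestConstants.USER_JACK_OID));
        login(AdminGuiTestConstants.USER_JACK_USERNAME);
        Authentication createPasswordAuthentication = createPasswordAuthentication(AdminGuiTestConstants.USER_JACK_USERNAME);
        displayWhen("test120DecideRoleUiDenyAll");
        assertAllow(createPasswordAuthentication, "/login");
        assertAllow(createPasswordAuthentication, "/");
        assertDeny(createPasswordAuthentication, "/noautz");
        assertDeny(createPasswordAuthentication, "/admin/users");
        assertDeny(createPasswordAuthentication, "/self/dashboard");
        assertDeny(createPasswordAuthentication, "/admin/config/system");
        assertDeny(createPasswordAuthentication, "/admin/config/debugs");
        displayThen("test120DecideRoleUiDenyAll");
    }

    /**
     * jack holds the mixed "deny/allow" UI role: the dashboard and user list are
     * allowed while the configuration pages remain denied. The exact allow/deny
     * content of the role lives in {@code role-ui-deny-allow.xml}.
     */
    @Test
    public void test200DecideRoleUiDenyAllow() throws Exception {
        displayTestTitle("test200DecideRoleUiDenyAllow");
        cleanupAutzTest(AdminGuiTestConstants.USER_JACK_OID);
        assignRole(AdminGuiTestConstants.USER_JACK_OID, ROLE_UI_DENY_ALLOW_OID);
        display("user before", getUser(AdminGuiTestConstants.USER_JACK_OID));
        login(AdminGuiTestConstants.USER_JACK_USERNAME);
        Authentication createPasswordAuthentication = createPasswordAuthentication(AdminGuiTestConstants.USER_JACK_USERNAME);
        displayWhen("test200DecideRoleUiDenyAllow");
        assertAllow(createPasswordAuthentication, "/login");
        assertAllow(createPasswordAuthentication, "/");
        assertDeny(createPasswordAuthentication, "/noautz");
        assertAllow(createPasswordAuthentication, "/self/dashboard");
        assertAllow(createPasswordAuthentication, "/admin/users");
        assertDeny(createPasswordAuthentication, "/admin/config/system");
        assertDeny(createPasswordAuthentication, "/admin/config/debugs");
        displayThen("test200DecideRoleUiDenyAllow");
    }

    /**
     * Asserts that the evaluator lets {@code authentication} reach {@code url}.
     * An {@link AccessDeniedException} is turned into an assertion failure that keeps
     * the original exception as its cause; any other exception propagates unchanged.
     */
    private void assertAllow(Authentication authentication, String url) {
        try {
            LOGGER.debug("*** Attempt to DECIDE {} (expected allow)", url);
            this.midPointGuiAuthorizationEvaluator.decide(authentication, createFilterInvocation(url), createAuthConfigAttributes());
            display("DECIDE OK allowed access to " + url);
        } catch (AccessDeniedException e) {
            display("DECIDE WRONG failed to allowed access to " + url);
            throw new AssertionError("Expected that access to " + url + " is allowed, but it was denied", e);
        }
    }

    /**
     * Asserts that the evaluator denies {@code authentication} access to {@code url}.
     * Only {@link AccessDeniedException} counts as a correct denial; a silent return is
     * a test failure, and any other exception type is deliberately not caught so it
     * fails the test too rather than being mistaken for a denial.
     */
    private void assertDeny(Authentication authentication, String url) {
        try {
            LOGGER.debug("*** Attempt to DECIDE {} (expected deny)", url);
            this.midPointGuiAuthorizationEvaluator.decide(authentication, createFilterInvocation(url), createAuthConfigAttributes());
            display("DECIDE WRONG failed to deny access to " + url);
            fail("Expected that access to " + url + " is denied, but it was allowed");
        } catch (AccessDeniedException e) {
            display("DECIDE OK denied access to " + url);
        }
    }

    /**
     * Builds an authenticated Spring token for {@code username} directly from the stored
     * user profile. No credentials are attached and no password is checked: the
     * three-argument token constructor yields an already-authenticated token carrying the
     * profile's authorities, so these tests cover authorization only, not authentication.
     *
     * @param username name of the user whose profile is loaded
     * @return authenticated token whose principal is the user's {@link MidPointUserProfilePrincipal}
     */
    private Authentication createPasswordAuthentication(String username) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        MidPointUserProfilePrincipal principal = this.userProfileService.getPrincipal(username);
        return new UsernamePasswordAuthenticationToken(principal, null, principal.getAuthorities());
    }

    /**
     * Wraps {@code url} in the {@link FilterInvocation} shape the evaluator expects.
     * NOTE(review): the second constructor argument is the HTTP method and "http" is not
     * one; the evaluator appears to decide on the path alone, so this is harmless for
     * these tests — confirm before relying on method-specific authorization here.
     */
    private FilterInvocation createFilterInvocation(String url) {
        return new FilterInvocation(url, "http");
    }

    /** Config attributes for a fully authenticated request, as the filter chain would supply. */
    private Collection<ConfigAttribute> createAuthConfigAttributes() {
        return createConfigAttributes("fullyAuthenticated");
    }

    /**
     * Builds one {@link ConfigAttribute} per given attribute string.
     *
     * <p>Fix: the previous version built the collection and then returned {@code null},
     * so the evaluator was always invoked without any config attributes and the
     * "fullyAuthenticated" attribute requested by {@link #createAuthConfigAttributes()}
     * never reached it. The built collection is now returned.
     *
     * @param attributes attribute strings, one per resulting {@link ConfigAttribute}
     * @return the attributes in the given order (empty when none are given)
     */
    private Collection<ConfigAttribute> createConfigAttributes(String... attributes) {
        Collection<ConfigAttribute> configAttributes = new ArrayList<>();
        for (final String attribute : attributes) {
            configAttributes.add(new ConfigAttribute() {
                private static final long serialVersionUID = 1L;

                @Override
                public String getAttribute() {
                    return attribute;
                }

                @Override
                public String toString() {
                    return attribute;
                }
            });
        }
        return configAttributes;
    }

    /**
     * Resets the authorization state of the user with OID {@code userOid} by switching to
     * the administrator session and stripping every role; each test then logs in as the
     * target user again, so no test inherits assignments from a previous one.
     */
    private void cleanupAutzTest(String userOid) throws ObjectNotFoundException, SchemaException, ExpressionEvaluationException, CommunicationException, ConfigurationException, ObjectAlreadyExistsException, PolicyViolationException, SecurityViolationException, IOException {
        login(this.userAdministrator);
        unassignAllRoles(userOid);
    }
}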
