package org.apache.nifi.web.security.x509;

import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.authentication.AuthenticationResponse;
import org.apache.nifi.authorization.AuthorizationRequest;
import org.apache.nifi.authorization.AuthorizationResult;
import org.apache.nifi.authorization.Authorizer;
import org.apache.nifi.authorization.user.NiFiUser;
import org.apache.nifi.authorization.user.NiFiUserDetails;
import org.apache.nifi.authorization.user.StandardNiFiUser;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.web.security.InvalidAuthenticationException;
import org.apache.nifi.web.security.UntrustedProxyException;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;

/* loaded from: input_file:org/apache/nifi/web/security/x509/X509AuthenticationProviderTest.class */
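/**
 * Unit tests for {@link X509AuthenticationProvider}.
 *
 * <p>The provider under test is wired to a mocked {@link X509IdentityProvider}, whose
 * answer is derived from the subject DN of the presented certificate, and a mocked
 * {@link Authorizer} that denies proxy rights to exactly one identity
 * ({@value #UNTRUSTED_PROXY}). The tests then check how a client certificate plus a
 * proxied-entities chain string is turned into a {@link NiFiUser} chain, and which
 * combinations (invalid certificate, untrusted proxy anywhere in the chain, anonymous
 * end user while anonymous authentication is disabled) are rejected.
 */
public class X509AuthenticationProviderTest {
    /** Subject DN that the mocked identity provider refuses to authenticate. */
    private static final String INVALID_CERTIFICATE = "invalid-certificate";
    private static final String IDENTITY_1 = "identity-1";
    /**
     * The empty string. Used as the "anonymous" DN inside a proxy chain and, by the
     * original test, also as the empty client address passed to the request token.
     */
    private static final String ANONYMOUS = "";
    /** Identity reported for an anonymous {@link NiFiUser}. */
    private static final String ANONYMOUS_IDENTITY = "anonymous";
    /** Identity the mocked authorizer denies; any chain containing it must be rejected. */
    private static final String UNTRUSTED_PROXY = "untrusted-proxy";
    private static final String PROXY_1 = "proxy-1";
    private static final String PROXY_2 = "proxy-2";
    private static final String GT = ">";
    // Written as a regex *replacement* string: at runtime this is \\> and replaceAll emits \>.
    private static final String ESCAPED_GT = "\\\\>";
    private static final String LT = "<";
    // Same convention as ESCAPED_GT.
    private static final String ESCAPED_LT = "\\\\<";
    /** Property that must be true for an anonymous end user to be accepted behind a proxy. */
    private static final String ALLOW_ANONYMOUS_AUTHENTICATION_PROPERTY = "nifi.security.allow.anonymous.authentication";

    private X509AuthenticationProvider x509AuthenticationProvider;
    private X509IdentityProvider certificateIdentityProvider;
    private SubjectDnX509PrincipalExtractor extractor;
    private Authorizer authorizer;

    /**
     * Builds the mocks and a provider configured with basic properties
     * (anonymous authentication not enabled).
     */
    @BeforeEach
    public void setup() {
        // Make sure createBasicNiFiProperties(null) is not redirected to a properties file
        // named by a system property left over from another test or the environment.
        System.clearProperty("nifi.properties.file.path");
        this.extractor = new SubjectDnX509PrincipalExtractor();

        // Identity provider: the identity *is* the certificate's subject DN, except for
        // INVALID_CERTIFICATE which fails authentication.
        this.certificateIdentityProvider = Mockito.mock(X509IdentityProvider.class);
        Mockito.when(this.certificateIdentityProvider.authenticate(ArgumentMatchers.any(X509Certificate[].class)))
                .then(invocation -> {
                    final X509Certificate[] certificates = invocation.getArgument(0);
                    final String identity = this.extractor.extractPrincipal(certificates[0]).toString();
                    if (INVALID_CERTIFICATE.equals(identity)) {
                        throw new IllegalArgumentException();
                    }
                    final long expiration = TimeUnit.MILLISECONDS.convert(12L, TimeUnit.HOURS);
                    return new AuthenticationResponse(identity, identity, expiration, ANONYMOUS);
                });

        // Authorizer: every identity is approved except UNTRUSTED_PROXY.
        this.authorizer = Mockito.mock(Authorizer.class);
        Mockito.when(this.authorizer.authorize(ArgumentMatchers.any(AuthorizationRequest.class)))
                .then(invocation -> {
                    final AuthorizationRequest request = invocation.getArgument(0);
                    return UNTRUSTED_PROXY.equals(request.getIdentity())
                            ? AuthorizationResult.denied()
                            : AuthorizationResult.approved();
                });

        this.x509AuthenticationProvider = new X509AuthenticationProvider(
                this.certificateIdentityProvider, this.authorizer, NiFiProperties.createBasicNiFiProperties((String) null));
    }

    /** A certificate the identity provider rejects must surface as {@link InvalidAuthenticationException}. */
    @Test
    public void testInvalidCertificate() {
        Assertions.assertThrows(InvalidAuthenticationException.class,
                () -> this.x509AuthenticationProvider.authenticate(getX509Request(ANONYMOUS, INVALID_CERTIFICATE)));
    }

    /** With no proxy chain the certificate's identity becomes the (non-anonymous) user. */
    @Test
    public void testNoProxyChain() {
        final NiFiUser user = authenticatedUser(ANONYMOUS, IDENTITY_1);
        assertIdentity(user, IDENTITY_1, false);
    }

    /** A proxy the authorizer denies may not forward any identity. */
    @Test
    public void testUntrustedProxy() {
        Assertions.assertThrows(UntrustedProxyException.class,
                () -> this.x509AuthenticationProvider.authenticate(
                        getX509Request(buildProxyChain(IDENTITY_1), UNTRUSTED_PROXY)));
    }

    /** One trusted proxy: the end user is the proxied identity and the proxy is its chain. */
    @Test
    public void testOneProxy() {
        final NiFiUser user = authenticatedUser(buildProxyChain(IDENTITY_1), PROXY_1);
        assertIdentity(user, IDENTITY_1, false);
        assertIdentity(user.getChain(), PROXY_1, false);
    }

    /** An anonymous end user behind a trusted proxy is accepted when anonymous authentication is enabled. */
    @Test
    public void testAnonymousWithOneProxy() {
        this.x509AuthenticationProvider = providerAllowingAnonymousAuthentication();
        final NiFiUser user = authenticatedUser(buildProxyChain(ANONYMOUS), PROXY_1);
        assertIdentity(user, ANONYMOUS_IDENTITY, true);
        assertIdentity(user.getChain(), PROXY_1, false);
    }

    /** Same request as {@link #testAnonymousWithOneProxy()} but with the default properties: rejected. */
    @Test
    public void testAnonymousWithOneProxyWhileAnonymousAuthenticationPrevented() {
        Assertions.assertThrows(InvalidAuthenticationException.class,
                () -> this.x509AuthenticationProvider.authenticate(
                        getX509Request(buildProxyChain(ANONYMOUS), PROXY_1)));
    }

    /** Two trusted proxies: the chain is ordered end user -> nearest proxy -> certificate holder. */
    @Test
    public void testTwoProxies() {
        final NiFiUser user = authenticatedUser(buildProxyChain(IDENTITY_1, PROXY_2), PROXY_1);
        assertIdentity(user, IDENTITY_1, false);
        assertIdentity(user.getChain(), PROXY_2, false);
        assertIdentity(user.getChain().getChain(), PROXY_1, false);
    }

    /** A denied proxy is rejected even when it is not the certificate holder but an earlier hop. */
    @Test
    public void testUntrustedProxyInChain() {
        Assertions.assertThrows(UntrustedProxyException.class,
                () -> this.x509AuthenticationProvider.authenticate(
                        getX509Request(buildProxyChain(IDENTITY_1, UNTRUSTED_PROXY), PROXY_1)));
    }

    /** An anonymous hop in the middle of the chain is accepted when anonymous authentication is enabled. */
    @Test
    public void testAnonymousProxyInChain() {
        this.x509AuthenticationProvider = providerAllowingAnonymousAuthentication();
        final NiFiUser user = authenticatedUser(buildProxyChain(IDENTITY_1, ANONYMOUS), PROXY_1);
        assertIdentity(user, IDENTITY_1, false);
        assertIdentity(user.getChain(), ANONYMOUS_IDENTITY, true);
        assertIdentity(user.getChain().getChain(), PROXY_1, false);
    }

    /** Same request as {@link #testAnonymousProxyInChain()} but with the default properties: rejected. */
    @Test
    public void testAnonymousProxyInChainWhileAnonymousAuthenticationPrevented() {
        Assertions.assertThrows(InvalidAuthenticationException.class,
                () -> this.x509AuthenticationProvider.authenticate(
                        getX509Request(buildProxyChain(IDENTITY_1, ANONYMOUS), PROXY_1)));
    }

    /** {@code createUser} with the anonymous flag ignores the supplied identity. */
    @Test
    public void testShouldCreateAnonymousUser() {
        // Raw (Set) casts kept from the original: the generic arguments are not visible here.
        final NiFiUser user = X509AuthenticationProvider.createUser(
                "someone", (Set) null, (Set) null, (NiFiUser) null, (String) null, true);
        Assertions.assertInstanceOf(StandardNiFiUser.class, user);
        assertIdentity(user, ANONYMOUS_IDENTITY, true);
    }

    /** {@code createUser} without the anonymous flag keeps the supplied identity. */
    @Test
    public void testShouldCreateKnownUser() {
        final NiFiUser user = X509AuthenticationProvider.createUser(
                "someone", (Set) null, (Set) null, (NiFiUser) null, (String) null, false);
        Assertions.assertInstanceOf(StandardNiFiUser.class, user);
        assertIdentity(user, "someone", false);
    }

    /**
     * Creates a provider whose properties enable anonymous authentication; all other
     * collaborators are the ones built in {@link #setup()}.
     */
    private X509AuthenticationProvider providerAllowingAnonymousAuthentication() {
        final NiFiProperties properties = NiFiProperties.createBasicNiFiProperties(
                (String) null, Map.of(ALLOW_ANONYMOUS_AUTHENTICATION_PROPERTY, Boolean.TRUE.toString()));
        return new X509AuthenticationProvider(this.certificateIdentityProvider, this.authorizer, properties);
    }

    /**
     * Authenticates a request built from {@code proxyChain} and a certificate whose
     * subject DN is {@code subjectDn}, and returns the resulting {@link NiFiUser}.
     *
     * @param proxyChain the proxied-entities chain string (see {@link #buildProxyChain(String...)})
     * @param subjectDn  subject DN of the mocked client certificate
     * @return the user attached to the authentication's details
     */
    private NiFiUser authenticatedUser(final String proxyChain, final String subjectDn) {
        final NiFiUserDetails details = (NiFiUserDetails) this.x509AuthenticationProvider
                .authenticate(getX509Request(proxyChain, subjectDn))
                .getDetails();
        return details.getNiFiUser();
    }

    /**
     * Asserts that {@code user} is present, carries {@code expectedIdentity} and has the
     * expected anonymous flag.
     */
    private static void assertIdentity(final NiFiUser user, final String expectedIdentity, final boolean expectedAnonymous) {
        Assertions.assertNotNull(user);
        Assertions.assertEquals(expectedIdentity, user.getIdentity());
        Assertions.assertEquals(expectedAnonymous, user.isAnonymous());
    }

    /**
     * Joins the given identities into a proxy chain string, each one escaped and wrapped
     * as {@code <identity>} with no separator between entries.
     *
     * @param identities the hops, end user first
     * @return the chain string, empty when no identities are given
     */
    private static String buildProxyChain(final String... identities) {
        return Arrays.stream(identities)
                .map(X509AuthenticationProviderTest::formatDn)
                .collect(Collectors.joining());
    }

    /** Wraps an escaped DN in the {@code <} / {@code >} chain delimiters. */
    private static String formatDn(final String dn) {
        return LT + sanitizeDn(dn) + GT;
    }

    /**
     * Escapes the chain delimiters inside a DN so they cannot be confused with the
     * element boundaries produced by {@link #formatDn(String)}.
     *
     * <p>{@code replaceAll} is intentional: the ESCAPED_* constants are regex replacement
     * strings, so switching to {@code String.replace} would double the backslash.
     */
    private static String sanitizeDn(final String dn) {
        if (StringUtils.isEmpty(dn)) {
            return dn;
        }
        return dn.replaceAll(GT, ESCAPED_GT).replaceAll(LT, ESCAPED_LT);
    }

    /**
     * Inverse of {@link #sanitizeDn(String)}. Not referenced by the tests above; retained
     * from the original for symmetry.
     */
    private static String unsanitizeDn(final String dn) {
        if (StringUtils.isEmpty(dn)) {
            return dn;
        }
        return dn.replaceAll(ESCAPED_GT, GT).replaceAll(ESCAPED_LT, LT);
    }

    /** Request token with the given proxy chain, no proxied-entity groups, and one certificate. */
    private X509AuthenticationRequestToken getX509Request(final String proxyChain, final String subjectDn) {
        return getX509Request(proxyChain, null, subjectDn);
    }

    /**
     * Request token for a single mocked certificate.
     *
     * @param proxyChain      proxied-entities chain string
     * @param proxiedGroups   second token argument, passed through unchanged (null in these tests)
     * @param subjectDn       subject DN of the mocked certificate
     */
    private X509AuthenticationRequestToken getX509Request(final String proxyChain, final String proxiedGroups, final String subjectDn) {
        final X509Certificate[] certificates = {getX509Certificate(subjectDn)};
        return new X509AuthenticationRequestToken(proxyChain, proxiedGroups, this.extractor, certificates, ANONYMOUS);
    }

    /**
     * Mocks a certificate whose subject DN reports {@code subjectDn}.
     *
     * <p>Only {@code getSubjectDN()} is stubbed (deprecated on the JDK side, but it is the
     * accessor the extractor used here appears to read -- confirm against
     * {@link SubjectDnX509PrincipalExtractor} if that changes).
     */
    private X509Certificate getX509Certificate(final String subjectDn) {
        final X509Certificate certificate = Mockito.mock(X509Certificate.class);
        Mockito.when(certificate.getSubjectDN()).then(invocation -> {
            final Principal principal = Mockito.mock(Principal.class);
            Mockito.when(principal.getName()).thenReturn(subjectDn);
            return principal;
        });
        return certificate;
    }
}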
