package com.ibm.ws.security.jwtsso.fat;

import com.gargoylesoftware.htmlunit.Page;
import com.gargoylesoftware.htmlunit.WebClient;
import com.gargoylesoftware.htmlunit.WebRequest;
import com.gargoylesoftware.htmlunit.util.Cookie;
import com.gargoylesoftware.htmlunit.util.NameValuePair;
import com.ibm.websphere.simplicity.log.Log;
import com.ibm.ws.common.internal.encoder.Base64Coder;
import com.ibm.ws.security.fat.common.CommonSecurityFat;
import com.ibm.ws.security.fat.common.apps.CommonFatApplications;
import com.ibm.ws.security.fat.common.apps.jwtbuilder.JwtBuilderServlet;
import com.ibm.ws.security.fat.common.apps.jwtbuilder.ProtectedServlet;
import com.ibm.ws.security.fat.common.expectations.Expectation;
import com.ibm.ws.security.fat.common.expectations.Expectations;
import com.ibm.ws.security.fat.common.expectations.ResponseStatusExpectation;
import com.ibm.ws.security.fat.common.expectations.ResponseUrlExpectation;
import com.ibm.ws.security.fat.common.expectations.ServerMessageExpectation;
import com.ibm.ws.security.fat.common.validation.TestValidationUtils;
import com.ibm.ws.security.fat.common.web.WebResponseUtils;
import com.ibm.ws.security.jwtsso.fat.utils.CommonExpectations;
import com.ibm.ws.security.jwtsso.fat.utils.JwtFatActions;
import com.ibm.ws.security.jwtsso.fat.utils.JwtFatConstants;
import com.ibm.ws.security.jwtsso.fat.utils.MessageConstants;
import componenttest.annotation.ExpectedFFDC;
import componenttest.annotation.Server;
import componenttest.custom.junit.runner.FATRunner;
import componenttest.custom.junit.runner.Mode;
import componenttest.topology.impl.LibertyServer;
import java.io.StringReader;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.ArrayList;
import javax.json.Json;
import org.junit.BeforeClass;
import org.junit.Test;
import org.junit.runner.RunWith;

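/**
 * Functional tests that replay SSO cookies against a protected resource on the shared
 * Liberty test server and check how the JWT SSO feature treats them.
 *
 * <p>The cases cover: re-using a valid JWT cookie in the same or a new conversation,
 * presenting no cookie at all, presenting a JWT whose signature has been emptied or removed,
 * presenting an LTPA cookie after the server was reconfigured, and presenting JWTs minted by
 * a separate builder configuration. The negative cases expect the login page together with
 * specific server error messages, i.e. the tampered or untrusted token must not authenticate
 * the request.
 *
 * <p>{@link #server} is static and shared by every test, so tests that change what the server
 * validates restore that state in a {@code finally} block.
 */
@Mode(Mode.TestMode.FULL)
@RunWith(FATRunner.class)
/* loaded from: input_file:com/ibm/ws/security/jwtsso/fat/ReplayCookieTests.class */
public class ReplayCookieTests extends CommonSecurityFat {
    protected static Class<?> thisClass = ReplayCookieTests.class;

    @Server("com.ibm.ws.security.jwtsso.fat")
    public static LibertyServer server;
    static final String DEFAULT_CONFIG = "server_withBuilderApp.xml";
    static final String APP_NAME_JWT_BUILDER = "jwtbuilder";

    // Action label passed to every expectation and validation call in this class.
    private static final String ACTION_INVOKE_PROTECTED_RESOURCE = "invokeProtectedResource";
    // Server configurations the tests switch to.
    private static final String CONFIG_NO_FEATURE = "server_noFeature.xml";
    private static final String CONFIG_USE_LTPA_IF_JWT_ABSENT = "server_useLtpaIfJwtAbsent_true.xml";
    private static final String CONFIG_CONSUMER_TRUSTS_ALL_ISSUERS = "server_withBuilderApp_consumerTrustsAllIssuers.xml";
    // Builder configuration ids and the issuer pattern expected for the default builder.
    private static final String BUILDER_DEFAULTS = "builder_defaults";
    private static final String BUILDER_SIGN_WITH_UNIQUE_KEY = "builder_signWithUniqueKey";
    private static final String BUILDER_DEFAULTS_ISSUER_REGEX = "https://[^/]+/jwt/builder_defaults";

    private final JwtFatActions actions = new JwtFatActions();
    private final TestValidationUtils validationUtils = new TestValidationUtils();
    String httpUrlBase = "http://" + server.getHostname() + ":" + server.getHttpDefaultPort();
    String httpsUrlBase = "https://" + server.getHostname() + ":" + server.getHttpDefaultSecurePort();
    String protectedUrl = this.httpUrlBase + JwtFatConstants.SIMPLE_SERVLET_PATH;
    // Throwaway credentials of the test registry user; they are also sent as Basic auth to the
    // token endpoint in buildJwtTokenEndpointRequest.
    String defaultUser = "testuser";
    String defaultPassword = "testuserpwd";

    /**
     * Deploys the JWT builder app, registers the apps to validate and starts the shared server
     * with {@link #DEFAULT_CONFIG}.
     */
    @BeforeClass
    public static void setUp() throws Exception {
        CommonFatApplications.buildAndDeployApp(server, APP_NAME_JWT_BUILDER, new String[]{"com.ibm.ws.security.fat.common.apps.jwtbuilder.*"});
        server.addInstalledAppForValidation("formlogin");
        serverTracker.addServer(server);
        server.startServerUsingExpandedConfiguration(DEFAULT_CONFIG);
    }

    /**
     * Logs in, then re-invokes the protected resource with the same web client. Expects the
     * resource to be reached with the JWT cookie present and no LTPA cookie.
     */
    @Test
    public void test_reaccessResource_useSameWebConversation_includeJwtCookie() throws Exception {
        WebClient webClient = new WebClient();
        this.actions.logInAndObtainJwtCookie(this._testName, webClient, this.protectedUrl, JwtFatConstants.USER_1, JwtFatConstants.USER_1_PWD);

        Expectations expectations = new Expectations();
        expectations.addExpectations(CommonExpectations.successfullyReachedProtectedResourceWithJwtCookie(ACTION_INVOKE_PROTECTED_RESOURCE, this.protectedUrl, JwtFatConstants.USER_1));
        expectations.addExpectations(CommonExpectations.jwtCookieExists(ACTION_INVOKE_PROTECTED_RESOURCE, webClient, JwtFatConstants.JWT_COOKIE_NAME));
        expectations.addExpectations(CommonExpectations.cookieDoesNotExist(ACTION_INVOKE_PROTECTED_RESOURCE, webClient, JwtFatConstants.LTPA_COOKIE_NAME));
        expectations.addExpectations(CommonExpectations.responseTextMissingCookie(ACTION_INVOKE_PROTECTED_RESOURCE, JwtFatConstants.LTPA_COOKIE_NAME));

        Page response = this.actions.invokeUrl(this._testName, webClient, this.protectedUrl);
        this.validationUtils.validateResult(response, ACTION_INVOKE_PROTECTED_RESOURCE, expectations);
    }

    /**
     * Logs in, clears every cookie from the same web client and re-invokes the protected
     * resource. Expects the login page.
     */
    @Test
    public void test_reaccessResource_useSameWebConversation_deleteJwtCookie() throws Exception {
        WebClient webClient = new WebClient();
        this.actions.logInAndObtainJwtCookie(this._testName, webClient, this.protectedUrl, this.defaultUser, this.defaultPassword);
        webClient.getCookieManager().clearCookies();

        Expectations expectations = new Expectations();
        expectations.addExpectations(CommonExpectations.successfullyReachedLoginPage(ACTION_INVOKE_PROTECTED_RESOURCE));

        Page response = this.actions.invokeUrl(this._testName, webClient, this.protectedUrl);
        this.validationUtils.validateResult(response, ACTION_INVOKE_PROTECTED_RESOURCE, expectations);
    }

    /**
     * Logs in, then invokes the protected resource without passing the obtained cookie along.
     * Expects the login page.
     */
    @Test
    public void test_reaccessResource_newConversationWithoutJwtCookie() throws Exception {
        this.actions.logInAndObtainJwtCookie(this._testName, this.protectedUrl, this.defaultUser, this.defaultPassword);

        Expectations expectations = new Expectations();
        expectations.addExpectations(CommonExpectations.successfullyReachedLoginPage(ACTION_INVOKE_PROTECTED_RESOURCE));

        Page response = this.actions.invokeUrl(this._testName, this.protectedUrl);
        this.validationUtils.validateResult(response, ACTION_INVOKE_PROTECTED_RESOURCE, expectations);
    }

    /**
     * Logs in, then replays the unmodified JWT cookie on a separate request. Expects the
     * protected resource to be reached and no LTPA cookie in the response text.
     */
    @Test
    public void test_reaccessResource_newConversationWithValidJwtCookie() throws Exception {
        Cookie jwtCookie = this.actions.logInAndObtainJwtCookie(this._testName, this.protectedUrl, this.defaultUser, this.defaultPassword);

        Expectations expectations = new Expectations();
        expectations.addExpectations(CommonExpectations.successfullyReachedProtectedResourceWithJwtCookie(ACTION_INVOKE_PROTECTED_RESOURCE, this.protectedUrl, this.defaultUser));
        expectations.addExpectations(CommonExpectations.responseTextMissingCookie(ACTION_INVOKE_PROTECTED_RESOURCE, JwtFatConstants.LTPA_COOKIE_NAME));

        Page response = this.actions.invokeUrlWithCookie(this._testName, this.protectedUrl, jwtCookie);
        this.validationUtils.validateResult(response, ACTION_INVOKE_PROTECTED_RESOURCE, expectations);
    }

    /**
     * Replays a JWT cookie whose signature part has been emptied: everything after the last
     * {@code '.'} is cut, the separator itself is kept. Expects the login page and a
     * signature verification error in the server log.
     */
    @Test
    @ExpectedFFDC({"org.jose4j.jwt.consumer.InvalidJwtException", "com.ibm.websphere.security.jwt.InvalidTokenException", "com.ibm.ws.security.authentication.AuthenticationException"})
    public void test_reaccessResource_jwtCookieWithEmptySignature() throws Exception {
        Cookie jwtCookie = this.actions.logInAndObtainJwtCookie(this._testName, this.protectedUrl, this.defaultUser, this.defaultPassword);
        String originalValue = jwtCookie.getValue();
        // Keep the trailing '.', so the token still has a (now empty) signature segment.
        String emptySignatureValue = originalValue.substring(0, signatureSeparatorIndex(originalValue) + 1);
        Cookie tamperedCookie = createIdenticalCookieWithNewValue(jwtCookie, emptySignatureValue);
        // The logged token belongs to the throwaway test user on the test server.
        Log.info(thisClass, this._testName, "Original cookie value  : " + originalValue);
        Log.info(thisClass, this._testName, "Truncated cookie value : " + tamperedCookie.getValue());

        Expectations expectations = new Expectations();
        expectations.addExpectations(CommonExpectations.successfullyReachedLoginPage(ACTION_INVOKE_PROTECTED_RESOURCE));
        expectations.addExpectation(new ServerMessageExpectation(ACTION_INVOKE_PROTECTED_RESOURCE, server, MessageConstants.CWWKS5524E_ERROR_CREATING_JWT));
        expectations.addExpectation(new ServerMessageExpectation(ACTION_INVOKE_PROTECTED_RESOURCE, server, MessageConstants.CWWKS5523E_ERROR_CREATING_JWT_USING_TOKEN_IN_REQ));
        expectations.addExpectation(new ServerMessageExpectation(ACTION_INVOKE_PROTECTED_RESOURCE, server, "CWWKS6031E.+Problem verifying signature"));

        Page response = this.actions.invokeUrlWithCookie(this._testName, this.protectedUrl, tamperedCookie);
        this.validationUtils.validateResult(response, ACTION_INVOKE_PROTECTED_RESOURCE, expectations);
    }

    /**
     * Replays a JWT cookie with the signature part and its {@code '.'} separator removed.
     * Expects the login page and an "Invalid JOSE Compact Serialization" error in the server
     * log.
     */
    @Test
    @ExpectedFFDC({"org.jose4j.jwt.consumer.InvalidJwtException", "com.ibm.websphere.security.jwt.InvalidTokenException", "com.ibm.ws.security.authentication.AuthenticationException"})
    public void test_reaccessResource_signatureRemovedFromJwtCookie() throws Exception {
        Cookie jwtCookie = this.actions.logInAndObtainJwtCookie(this._testName, this.protectedUrl, this.defaultUser, this.defaultPassword);
        String originalValue = jwtCookie.getValue();
        // Cut at the last '.', dropping the separator together with the signature.
        String unsignedValue = originalValue.substring(0, signatureSeparatorIndex(originalValue));
        Cookie tamperedCookie = createIdenticalCookieWithNewValue(jwtCookie, unsignedValue);
        // The logged token belongs to the throwaway test user on the test server.
        Log.info(thisClass, this._testName, "Original cookie value  : " + originalValue);
        Log.info(thisClass, this._testName, "Truncated cookie value : " + tamperedCookie.getValue());

        Expectations expectations = new Expectations();
        expectations.addExpectations(CommonExpectations.successfullyReachedLoginPage(ACTION_INVOKE_PROTECTED_RESOURCE));
        expectations.addExpectation(new ServerMessageExpectation(ACTION_INVOKE_PROTECTED_RESOURCE, server, MessageConstants.CWWKS5524E_ERROR_CREATING_JWT));
        expectations.addExpectation(new ServerMessageExpectation(ACTION_INVOKE_PROTECTED_RESOURCE, server, MessageConstants.CWWKS5523E_ERROR_CREATING_JWT_USING_TOKEN_IN_REQ));
        expectations.addExpectation(new ServerMessageExpectation(ACTION_INVOKE_PROTECTED_RESOURCE, server, "CWWKS6031E.+Invalid JOSE Compact Serialization"));

        Page response = this.actions.invokeUrlWithCookie(this._testName, this.protectedUrl, tamperedCookie);
        this.validationUtils.validateResult(response, ACTION_INVOKE_PROTECTED_RESOURCE, expectations);
    }

    /**
     * Obtains an LTPA cookie while the server runs {@code server_noFeature.xml}, switches back
     * to {@link #DEFAULT_CONFIG} and replays the LTPA cookie. Expects the login page.
     */
    @Test
    public void test_obtainLtpa_reconfigureToUseJwtSso_reaccessResourceWithLtpaCookie() throws Exception {
        server.removeInstalledAppForValidation(APP_NAME_JWT_BUILDER);
        Cookie ltpaCookie;
        try {
            server.reconfigureServerUsingExpandedConfiguration(this._testName, CONFIG_NO_FEATURE, new String[0]);
            ltpaCookie = this.actions.logInAndObtainLtpaCookie(this._testName, this.protectedUrl, this.defaultUser, this.defaultPassword);
        } finally {
            // Re-register the builder app even when the reconfigure or login fails; the
            // server instance is shared with the other tests.
            server.addInstalledAppForValidation(APP_NAME_JWT_BUILDER);
        }
        server.reconfigureServerUsingExpandedConfiguration(this._testName, DEFAULT_CONFIG, new String[0]);

        Expectations expectations = new Expectations();
        expectations.addExpectations(CommonExpectations.successfullyReachedLoginPage(ACTION_INVOKE_PROTECTED_RESOURCE));

        Page response = this.actions.invokeUrlWithCookie(this._testName, this.protectedUrl, ltpaCookie);
        this.validationUtils.validateResult(response, ACTION_INVOKE_PROTECTED_RESOURCE, expectations);
    }

    /**
     * Obtains an LTPA cookie while the server runs {@code server_noFeature.xml}, switches to
     * {@code server_useLtpaIfJwtAbsent_true.xml} and replays the LTPA cookie. Expects the
     * protected resource to be reached with the LTPA cookie, without a JWT cookie, and with a
     * JWT principal for the test user.
     */
    @Test
    public void test_obtainLtpa_reconfigureToUseJwtSso_reaccessResourceWithLtpaCookie_useLtpaIfJwtAbsent() throws Exception {
        server.removeInstalledAppForValidation(APP_NAME_JWT_BUILDER);
        try {
            server.reconfigureServerUsingExpandedConfiguration(this._testName, CONFIG_NO_FEATURE, new String[0]);
            Cookie ltpaCookie = this.actions.logInAndObtainLtpaCookie(this._testName, this.protectedUrl, this.defaultUser, this.defaultPassword);
            server.reconfigureServerUsingExpandedConfiguration(this._testName, CONFIG_USE_LTPA_IF_JWT_ABSENT, new String[0]);

            Expectations expectations = new Expectations();
            expectations.addExpectations(CommonExpectations.successfullyReachedUrl(ACTION_INVOKE_PROTECTED_RESOURCE, this.protectedUrl));
            expectations.addExpectations(CommonExpectations.responseTextIncludesCookie(ACTION_INVOKE_PROTECTED_RESOURCE, JwtFatConstants.LTPA_COOKIE_NAME));
            expectations.addExpectations(CommonExpectations.responseTextMissingCookie(ACTION_INVOKE_PROTECTED_RESOURCE, JwtFatConstants.JWT_COOKIE_NAME));
            expectations.addExpectations(CommonExpectations.responseTextIncludesExpectedRemoteUser(ACTION_INVOKE_PROTECTED_RESOURCE, this.defaultUser));
            expectations.addExpectations(CommonExpectations.responseTextIncludesJwtPrincipal(ACTION_INVOKE_PROTECTED_RESOURCE));
            expectations.addExpectations(CommonExpectations.responseTextIncludesExpectedAccessId(ACTION_INVOKE_PROTECTED_RESOURCE, "BasicRealm", this.defaultUser));
            expectations.addExpectations(CommonExpectations.getJwtPrincipalExpectations(ACTION_INVOKE_PROTECTED_RESOURCE, this.defaultUser, JwtFatConstants.DEFAULT_ISS_REGEX));

            Page response = this.actions.invokeUrlWithCookie(this._testName, this.protectedUrl, ltpaCookie);
            this.validationUtils.validateResult(response, ACTION_INVOKE_PROTECTED_RESOURCE, expectations);
        } finally {
            // A failed expectation must not leave the shared server without the builder app
            // in its validation list.
            server.addInstalledAppForValidation(APP_NAME_JWT_BUILDER);
        }
    }

    /**
     * Obtains a JWT cookie, switches the server to {@code server_noFeature.xml} and replays
     * the JWT cookie. Expects the login page.
     */
    @Test
    public void test_obtainJwt_reconfigureToDisableJwtSso_reaccessResourceWithJwtCookie() throws Exception {
        Cookie jwtCookie = this.actions.logInAndObtainJwtCookie(this._testName, this.protectedUrl, this.defaultUser, this.defaultPassword);
        server.removeInstalledAppForValidation(APP_NAME_JWT_BUILDER);
        try {
            server.reconfigureServerUsingExpandedConfiguration(this._testName, CONFIG_NO_FEATURE, new String[0]);

            Expectations expectations = new Expectations();
            expectations.addExpectations(CommonExpectations.successfullyReachedLoginPage(ACTION_INVOKE_PROTECTED_RESOURCE));

            Page response = this.actions.invokeUrlWithCookie(this._testName, this.protectedUrl, jwtCookie);
            this.validationUtils.validateResult(response, ACTION_INVOKE_PROTECTED_RESOURCE, expectations);
        } finally {
            // A failed expectation must not leave the shared server without the builder app
            // in its validation list.
            server.addInstalledAppForValidation(APP_NAME_JWT_BUILDER);
        }
    }

    /**
     * Logs in, then invokes the builder app's {@code /protected} resource without the JWT
     * cookie. Expects HTTP 401.
     */
    @Test
    public void test_obtainJwt_accessNewProtectedResource_withoutJwtCookie() throws Exception {
        this.actions.logInAndObtainJwtCookie(this._testName, this.protectedUrl, this.defaultUser, this.defaultPassword);
        String otherProtectedUrl = this.httpUrlBase + JwtFatConstants.JWT_BUILDER_CONTEXT_ROOT + "/protected";

        Expectations expectations = new Expectations();
        expectations.addExpectation(new ResponseStatusExpectation(ACTION_INVOKE_PROTECTED_RESOURCE, 401));

        Page response = this.actions.invokeUrl(this._testName, otherProtectedUrl);
        this.validationUtils.validateResult(response, ACTION_INVOKE_PROTECTED_RESOURCE, expectations);
    }

    /**
     * Logs in, then invokes the builder app's {@code /protected} resource with the JWT cookie.
     * Expects HTTP 200, the requested URL, the servlet's success message and a JWT principal
     * for the test user.
     */
    @Test
    public void test_obtainJwt_accessNewProtectedResource_withJwtCookie() throws Exception {
        Cookie jwtCookie = this.actions.logInAndObtainJwtCookie(this._testName, this.protectedUrl, this.defaultUser, this.defaultPassword);
        String otherProtectedUrl = this.httpUrlBase + JwtFatConstants.JWT_BUILDER_CONTEXT_ROOT + "/protected";

        Expectations expectations = new Expectations();
        expectations.addExpectation(new ResponseStatusExpectation(ACTION_INVOKE_PROTECTED_RESOURCE, 200));
        expectations.addExpectation(new ResponseUrlExpectation(ACTION_INVOKE_PROTECTED_RESOURCE, "equals", otherProtectedUrl, "Did not reach the expected URL."));
        expectations.addExpectation(Expectation.createResponseExpectation(ACTION_INVOKE_PROTECTED_RESOURCE, String.format(ProtectedServlet.SUCCESS_MESSAGE, this.defaultUser), "Did not find the expected success message in the servlet response."));
        expectations.addExpectations(CommonExpectations.getJwtPrincipalExpectations(ACTION_INVOKE_PROTECTED_RESOURCE, this.defaultUser, JwtFatConstants.DEFAULT_ISS_REGEX));

        Page response = this.actions.invokeUrlWithCookie(this._testName, otherProtectedUrl, jwtCookie);
        this.validationUtils.validateResult(response, ACTION_INVOKE_PROTECTED_RESOURCE, expectations);
    }

    /**
     * Presents a JWT produced by the builder app's {@code /build} servlet while the consumer
     * trusts all issuers. Expects the login page and server errors that mention the
     * {@code upn} claim and a user name that could not be found.
     */
    @Test
    @ExpectedFFDC({"com.ibm.ws.security.mp.jwt.error.MpJwtProcessingException", "com.ibm.ws.security.authentication.AuthenticationException"})
    public void test_buildJwt_missingClaims_accessProtectedResource() throws Exception {
        server.reconfigureServerUsingExpandedConfiguration(this._testName, CONFIG_CONSUMER_TRUSTS_ALL_ISSUERS, new String[0]);
        Cookie builtCookie = buildThirdPartyJwtCookieUsingBuilderApp(BUILDER_DEFAULTS);

        Expectations expectations = new Expectations();
        expectations.addExpectations(CommonExpectations.successfullyReachedLoginPage(ACTION_INVOKE_PROTECTED_RESOURCE));
        expectations.addExpectation(new ServerMessageExpectation(ACTION_INVOKE_PROTECTED_RESOURCE, server, "CWWKS5519E.+upn"));
        expectations.addExpectation(new ServerMessageExpectation(ACTION_INVOKE_PROTECTED_RESOURCE, server, MessageConstants.CWWKS5506E_USERNAME_NOT_FOUND));
        expectations.addExpectation(new ServerMessageExpectation(ACTION_INVOKE_PROTECTED_RESOURCE, server, MessageConstants.CWWKS5508E_ERROR_CREATING_RESULT));

        Page response = this.actions.invokeUrlWithCookie(this._testName, this.protectedUrl, builtCookie);
        this.validationUtils.validateResult(response, ACTION_INVOKE_PROTECTED_RESOURCE, expectations);
    }

    /**
     * Presents a JWT from the {@code builder_defaults} token endpoint without reconfiguring
     * the consumer first. Expects the login page and a {@code CWWKS6022E} message that names
     * the builder's issuer URL.
     */
    @Test
    @ExpectedFFDC({"com.ibm.websphere.security.jwt.InvalidClaimException", "com.ibm.websphere.security.jwt.InvalidTokenException", "com.ibm.ws.security.authentication.AuthenticationException"})
    public void test_buildJwt_accessProtectedResource_defaultMpJwtConsumer() throws Exception {
        Cookie thirdPartyCookie = buildThirdPartyJwtCookie(BUILDER_DEFAULTS);

        Expectations expectations = new Expectations();
        expectations.addExpectations(CommonExpectations.successfullyReachedLoginPage(ACTION_INVOKE_PROTECTED_RESOURCE));
        expectations.addExpectation(new ServerMessageExpectation(ACTION_INVOKE_PROTECTED_RESOURCE, server, "CWWKS6022E.+" + BUILDER_DEFAULTS_ISSUER_REGEX));
        expectations.addExpectation(new ServerMessageExpectation(ACTION_INVOKE_PROTECTED_RESOURCE, server, MessageConstants.CWWKS6031E_JWT_ERROR_PROCESSING_JWT));
        expectations.addExpectation(new ServerMessageExpectation(ACTION_INVOKE_PROTECTED_RESOURCE, server, MessageConstants.CWWKS5524E_ERROR_CREATING_JWT));
        expectations.addExpectation(new ServerMessageExpectation(ACTION_INVOKE_PROTECTED_RESOURCE, server, MessageConstants.CWWKS5523E_ERROR_CREATING_JWT_USING_TOKEN_IN_REQ));

        Page response = this.actions.invokeUrlWithCookie(this._testName, this.protectedUrl, thirdPartyCookie);
        this.validationUtils.validateResult(response, ACTION_INVOKE_PROTECTED_RESOURCE, expectations);
    }

    /**
     * Presents a JWT from the {@code builder_defaults} token endpoint while the consumer
     * trusts all issuers. Expects the protected resource to be reached with the builder's
     * issuer and no LTPA cookie in the response text.
     */
    @Test
    public void test_buildJwt_accessProtectedResource_issuerTrusted() throws Exception {
        server.reconfigureServerUsingExpandedConfiguration(this._testName, CONFIG_CONSUMER_TRUSTS_ALL_ISSUERS, new String[0]);
        Cookie thirdPartyCookie = buildThirdPartyJwtCookie(BUILDER_DEFAULTS);

        Expectations expectations = new Expectations();
        expectations.addExpectations(CommonExpectations.successfullyReachedProtectedResourceWithJwtCookie(ACTION_INVOKE_PROTECTED_RESOURCE, this.protectedUrl, this.defaultUser, BUILDER_DEFAULTS_ISSUER_REGEX));
        expectations.addExpectations(CommonExpectations.responseTextMissingCookie(ACTION_INVOKE_PROTECTED_RESOURCE, JwtFatConstants.LTPA_COOKIE_NAME));

        Page response = this.actions.invokeUrlWithCookie(this._testName, this.protectedUrl, thirdPartyCookie);
        this.validationUtils.validateResult(response, ACTION_INVOKE_PROTECTED_RESOURCE, expectations);
    }

    /**
     * Presents a JWT from the {@code builder_signWithUniqueKey} token endpoint while the
     * consumer trusts all issuers. Expects the login page and an invalid-signature error:
     * trusting the issuer must not replace signature verification.
     */
    @Test
    @ExpectedFFDC({"org.jose4j.jwt.consumer.InvalidJwtSignatureException", "com.ibm.websphere.security.jwt.InvalidTokenException", "com.ibm.ws.security.authentication.AuthenticationException"})
    public void test_buildJwt_signedWithNonDefaultKey_accessProtectedResource() throws Exception {
        server.reconfigureServerUsingExpandedConfiguration(this._testName, CONFIG_CONSUMER_TRUSTS_ALL_ISSUERS, new String[0]);
        Cookie thirdPartyCookie = buildThirdPartyJwtCookie(BUILDER_SIGN_WITH_UNIQUE_KEY);

        Expectations expectations = new Expectations();
        expectations.addExpectations(CommonExpectations.successfullyReachedLoginPage(ACTION_INVOKE_PROTECTED_RESOURCE));
        expectations.addExpectation(new ServerMessageExpectation(ACTION_INVOKE_PROTECTED_RESOURCE, server, MessageConstants.CWWKS6041E_JWT_INVALID_SIGNATURE));
        expectations.addExpectation(new ServerMessageExpectation(ACTION_INVOKE_PROTECTED_RESOURCE, server, MessageConstants.CWWKS6031E_JWT_ERROR_PROCESSING_JWT));
        expectations.addExpectation(new ServerMessageExpectation(ACTION_INVOKE_PROTECTED_RESOURCE, server, MessageConstants.CWWKS5524E_ERROR_CREATING_JWT));
        expectations.addExpectation(new ServerMessageExpectation(ACTION_INVOKE_PROTECTED_RESOURCE, server, MessageConstants.CWWKS5523E_ERROR_CREATING_JWT_USING_TOKEN_IN_REQ));

        Page response = this.actions.invokeUrlWithCookie(this._testName, this.protectedUrl, thirdPartyCookie);
        this.validationUtils.validateResult(response, ACTION_INVOKE_PROTECTED_RESOURCE, expectations);
    }

    /**
     * Returns the index of the last {@code '.'} in a JWT cookie value, which separates the
     * signature from the rest of the token.
     *
     * @throws IllegalStateException if the value contains no {@code '.'}; without this check
     *         the truncation tests would silently send an empty cookie value and exercise a
     *         different scenario than the one they name
     */
    private static int signatureSeparatorIndex(String jwtValue) {
        int separatorIndex = jwtValue.lastIndexOf(".");
        if (separatorIndex < 0) {
            // The token itself is deliberately left out of the message.
            throw new IllegalStateException("The JWT cookie value contains no '.' separator, so its signature cannot be stripped.");
        }
        return separatorIndex;
    }

    /**
     * Copies domain, name, path, expiry, secure and httpOnly from {@code cookie} into a new
     * cookie that carries {@code newValue} instead of the original value.
     */
    private Cookie createIdenticalCookieWithNewValue(Cookie cookie, String newValue) {
        return new Cookie(cookie.getDomain(), cookie.getName(), newValue, cookie.getPath(), cookie.getExpires(), cookie.isSecure(), cookie.isHttpOnly());
    }

    /**
     * Calls the builder app's {@code /build} servlet with the given builder id and returns the
     * JWT cookie that ends up in the web client's cookie manager.
     *
     * @param builderId id of the builder configuration, sent as
     *        {@link JwtBuilderServlet#PARAM_BUILDER_ID}
     * @return the cookie named {@link JwtFatConstants#JWT_COOKIE_NAME} as returned by the
     *         cookie manager
     */
    private Cookie buildThirdPartyJwtCookieUsingBuilderApp(String builderId) throws Exception {
        String builderUrl = this.httpUrlBase + JwtFatConstants.JWT_BUILDER_CONTEXT_ROOT + "/build";
        ArrayList<NameValuePair> requestParams = new ArrayList<NameValuePair>();
        requestParams.add(new NameValuePair(JwtBuilderServlet.PARAM_BUILDER_ID, builderId));

        WebClient webClient = new WebClient();
        Page builderResponse = this.actions.invokeUrlWithParameters(this._testName, webClient, builderUrl, requestParams);
        Log.info(thisClass, this._testName, "JWT builder app response: " + WebResponseUtils.getResponseText(builderResponse));

        Cookie jwtCookie = webClient.getCookieManager().getCookie(JwtFatConstants.JWT_COOKIE_NAME);
        Log.info(thisClass, this._testName, "Built JWT cookie: " + jwtCookie);
        return jwtCookie;
    }

    /**
     * Fetches a JWT from the token endpoint of the given builder and wraps it in a cookie
     * named {@link JwtFatConstants#JWT_COOKIE_NAME} with domain {@code "*"}.
     *
     * @param builderId id of the builder configuration whose token endpoint is called
     */
    private Cookie buildThirdPartyJwtCookie(String builderId) throws Exception {
        String jwt = getJwtFromTokenEndpoint(builderId);
        // Test-only token for the throwaway test user; logged in full to aid debugging.
        Log.info(thisClass, this._testName, "Received JWT string : " + jwt);
        Cookie jwtCookie = new Cookie("*", JwtFatConstants.JWT_COOKIE_NAME, jwt);
        Log.info(thisClass, this._testName, "Built JWT cookie: " + jwtCookie);
        return jwtCookie;
    }

    /**
     * Requests a token from the builder's token endpoint over HTTPS and returns the JWT
     * string from the response.
     *
     * @param builderId id of the builder configuration whose token endpoint is called
     */
    private String getJwtFromTokenEndpoint(String builderId) throws Exception {
        WebRequest tokenRequest = buildJwtTokenEndpointRequest(builderId);
        WebClient webClient = new WebClient();
        // Turns off certificate validation for this client only. The request goes to the test
        // server's own HTTPS port (httpsUrlBase) and carries the test user's Basic
        // credentials; presumably the server certificate is not trusted by the JVM default
        // trust store - confirm before reusing this outside the FAT.
        webClient.getOptions().setUseInsecureSSL(true);
        Page tokenResponse = this.actions.submitRequest(this._testName, webClient, tokenRequest);
        Log.info(thisClass, this._testName, "Response: " + WebResponseUtils.getResponseText(tokenResponse));
        return extractJwtFromTokenEndpointResponse(tokenResponse);
    }

    /**
     * Builds the request for {@code /jwt/ibm/api/<builderId>/token} on the HTTPS port, with a
     * Basic {@code Authorization} header for the default test user.
     *
     * @throws MalformedURLException if the assembled endpoint URL is not a valid URL
     */
    private WebRequest buildJwtTokenEndpointRequest(String builderId) throws MalformedURLException {
        String endpointUrl = this.httpsUrlBase + String.format("/jwt/ibm/api/%s/token", builderId);
        WebRequest tokenRequest = new WebRequest(new URL(endpointUrl));
        String basicCredentials = Base64Coder.base64Encode(this.defaultUser + ":" + this.defaultPassword);
        tokenRequest.setAdditionalHeader("Authorization", "Basic " + basicCredentials);
        return tokenRequest;
    }

    /**
     * Parses the response text as a JSON object and returns its {@code "token"} member.
     *
     * @throws IllegalStateException if the object has no string member named {@code "token"},
     *         so a failed token request is reported as such instead of as a bare
     *         {@link NullPointerException}
     */
    private String extractJwtFromTokenEndpointResponse(Page page) throws Exception {
        String responseText = WebResponseUtils.getResponseText(page);
        String jwt = Json.createReader(new StringReader(responseText)).readObject().getString("token", null);
        if (jwt == null) {
            throw new IllegalStateException("The token endpoint response did not contain a string member named \"token\".");
        }
        return jwt;
    }
}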
