package com.ibm.ws.security.wim.adapter.ldap.fat;

import com.ibm.websphere.simplicity.config.Bell;
import com.ibm.websphere.simplicity.config.File;
import com.ibm.websphere.simplicity.config.Library;
import com.ibm.websphere.simplicity.config.ServerConfiguration;
import com.ibm.websphere.simplicity.config.wim.LdapRegistry;
import com.ibm.websphere.simplicity.log.Log;
import com.ibm.ws.apacheds.EmbeddedApacheDS;
import com.ibm.ws.webcontainer.security.test.servlets.ClientCertAuthClient;
import componenttest.annotation.ExpectedFFDC;
import componenttest.custom.junit.runner.FATRunner;
import componenttest.custom.junit.runner.Mode;
import componenttest.topology.impl.LibertyServer;
import componenttest.topology.impl.LibertyServerFactory;
import componenttest.topology.utils.LDAPFatUtils;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;
import org.junit.runner.RunWith;

@RunWith(FATRunner.class)
@Mode(Mode.TestMode.LITE)
/* loaded from: input_file:com/ibm/ws/security/wim/adapter/ldap/fat/CustomCertificateMapperInBellTest.class */
public class CustomCertificateMapperInBellTest {
    private static ClientCertAuthClient client;
    private static final String CLIENT_CERT_SERVLET = "ClientCertServlet";
    private static final String KEYSTORE_PASSWORD = "security";
    private static final String AUTH_TYPE_CERT = "CLIENT_CERT";
    private static final String USER1_CERT_FILE = "LDAPUser1.jks";
    private static final String USER2_CERT_FILE = "LDAPUser2.jks";
    private static final String USER3_CERT_FILE = "LDAPUser3.jks";
    private static final String LDAP_USER_1 = "LDAPUser1";
    private static final String LDAP_USER_2 = "LDAPUser2";
    private static final String LDAP_USER_3 = "LDAPUser3";
    private static final String LDAP_PARTITION_1_DN = "O=IBM,C=US";
    private static final String LDAP_PARTITION_2_DN = "O=IBM,C=UK";
    private static final String LDAP_USER_1_DN = "CN=LDAPUser1,O=IBM,C=US";
    private static final String LDAP_USER_2_DN = "CN=LDAPUser2";
    private static final String LDAP_USER_3_DN = "CN=LDAPUser3,O=IBM,C=US";
    private static final String ID_MAPPER_1 = "mapper1";
    private static final String ID_MAPPER_2 = "mapper2";
    private static final String ID_MAPPER_3 = "mapper3";
    private static final String ID_MAPPER_4 = "mapper4";
    private static final String ID_MAPPER_5 = "mapper5";
    private static final String ID_MAPPER_6 = "mapper6";
    private static final String ID_LIBRARY_1 = "library1";
    private static final String PATH_LIBRARY_1 = "${wlp.user.dir}/shared/com.ibm.ws.security.wim.adapter.ldap.certificate.mapper.sample_1.0.jar";
    private static LibertyServer myServer = LibertyServerFactory.getLibertyServer("com.ibm.ws.security.wim.adapter.ldap.fat.custom.certmapper.bell");
    private static final Class<?> c = CustomCertificateMapperInBellTest.class;
    private static ServerConfiguration originalConfiguration = null;
    private static EmbeddedApacheDS ldapServer = null;

    @BeforeClass
    public static void setUp() throws Exception {
        setupLdapServer();
        setupLibertyServer();
    }

    @AfterClass
    public static void tearDown() throws Exception {
        Log.info(c, "tearDown", "Stopping the server...");
        myServer.stopServer(new String[]{"CWIML4538E", "CWWKS1102E"});
        if (ldapServer != null) {
            try {
                ldapServer.stopService();
            } catch (Exception e) {
                Log.error(c, "teardown", e, "LDAP server threw error while stopping. " + e.getMessage());
            }
        }
    }

    private static void setupLibertyServer() throws Exception {
        myServer.addInstalledAppForValidation("clientcert");
        myServer.startServer(true);
        Assert.assertNotNull("FeatureManager did not report update was complete", myServer.waitForStringInLog("CWWKF0008I"));
        Assert.assertNotNull("Security service did not report it was ready", myServer.waitForStringInLog("CWWKS0008I"));
        Assert.assertNotNull("The application did not report is was started", myServer.waitForStringInLog("CWWKZ0001I"));
        Assert.assertNotNull("We need to wait for the SSL port to be open", myServer.waitForStringInLog("CWWKO0219I:.*defaultHttpEndpoint-ssl"));
        Assert.assertNotNull("Server did not came up", myServer.waitForStringInLog("CWWKF0011I"));
        originalConfiguration = myServer.getServerConfiguration();
    }

    private static void setupLdapServer() throws Exception {
        ldapServer = new EmbeddedApacheDS("testserver");
        ldapServer.addPartition("partition1", LDAP_PARTITION_1_DN);
        ldapServer.addPartition("partition2", LDAP_PARTITION_2_DN);
        ldapServer.startServer();
        Entry newEntry = ldapServer.newEntry(LDAP_PARTITION_1_DN);
        newEntry.add("objectclass", new String[]{"organization"});
        newEntry.add("o", new String[]{"ibm"});
        ldapServer.add(newEntry);
        Entry newEntry2 = ldapServer.newEntry(LDAP_PARTITION_2_DN);
        newEntry2.add("objectclass", new String[]{"organization"});
        newEntry2.add("o", new String[]{"ibm"});
        ldapServer.add(newEntry2);
        Entry newEntry3 = ldapServer.newEntry(LDAP_USER_1_DN);
        newEntry3.add("objectclass", new String[]{"inetorgperson"});
        newEntry3.add("uid", new String[]{LDAP_USER_1});
        newEntry3.add("sn", new String[]{LDAP_USER_1});
        newEntry3.add("cn", new String[]{LDAP_USER_1});
        ldapServer.add(newEntry3);
        Entry newEntry4 = ldapServer.newEntry(LDAP_USER_3_DN);
        newEntry4.add("objectclass", new String[]{"inetorgperson"});
        newEntry4.add("uid", new String[]{LDAP_USER_3});
        newEntry4.add("sn", new String[]{LDAP_USER_3});
        newEntry4.add("cn", new String[]{LDAP_USER_3});
        ldapServer.add(newEntry4);
    }

    private static void updateLibertyServer(String str) throws Exception {
        ServerConfiguration clone = originalConfiguration.clone();
        LdapRegistry ldapRegistry = new LdapRegistry();
        ldapRegistry.setRealm("LDAPRealm");
        ldapRegistry.setHost("localhost");
        ldapRegistry.setPort(String.valueOf(ldapServer.getLdapServer().getPort()));
        ldapRegistry.setBaseDN(LDAP_PARTITION_1_DN);
        ldapRegistry.setBindDN(EmbeddedApacheDS.getBindDN());
        ldapRegistry.setBindPassword(EmbeddedApacheDS.getBindPassword());
        ldapRegistry.setLdapType("Custom");
        ldapRegistry.setCertificateMapMode("CUSTOM");
        clone.getLdapRegistries().add(ldapRegistry);
        if (str != null) {
            ldapRegistry.setCertificateMapperId(str);
        }
        File file = new File();
        file.setName(PATH_LIBRARY_1);
        Library library = new Library();
        library.setId(ID_LIBRARY_1);
        library.setNestedFile(file);
        clone.getLibraries().add(library);
        Bell bell = new Bell();
        bell.setLibraryRef(ID_LIBRARY_1);
        clone.getBells().add(bell);
        LDAPFatUtils.updateConfigDynamically(myServer, clone);
    }

    private static ClientCertAuthClient setupClient(String str, boolean z) {
        if (z) {
            client = new ClientCertAuthClient(myServer.getHostname(), myServer.getHttpDefaultSecurePort(), true, myServer, CLIENT_CERT_SERVLET, "/clientcert", myServer.pathToAutoFVTTestFiles + java.io.File.separator + "clientcert" + java.io.File.separator + str, KEYSTORE_PASSWORD);
        } else {
            client = new ClientCertAuthClient(myServer.getHostname(), myServer.getHttpDefaultSecurePort(), false, myServer, CLIENT_CERT_SERVLET, "/clientcert", (String) null, (String) null);
        }
        return client;
    }

    private static void verifyProgrammaticAPIValues(String str, String str2) {
        Assert.assertTrue("Failed to find expected getAuthType: " + str, str2.contains("getAuthType: CLIENT_CERT"));
        Assert.assertTrue("Failed to find expected getRemoteUser: " + str, str2.contains("getRemoteUser: " + str));
        Assert.assertTrue("Failed to find expected getUserPrincipal: " + str, str2.contains("getUserPrincipal: WSPrincipal:" + str));
    }

    @Test
    public void ldap_dn_mapper() throws Exception {
        updateLibertyServer(ID_MAPPER_1);
        client = setupClient(USER1_CERT_FILE, true);
        verifyProgrammaticAPIValues(LDAP_USER_1, client.access("/SimpleServlet", 200));
        Assert.assertFalse("Did not find mapping result in logs.", myServer.findStringsInLogsAndTraceUsingMark("The custom X.509 certificate mapper returned the following mapping: CN=LDAPUser1,O=IBM,C=US").isEmpty());
        Assert.assertTrue("Found unexpected CWWKS1101W error in logs.", myServer.findStringsInLogsAndTraceUsingMark("CWWKS1101W: CLIENT-CERT Authentication did not succeed for the client certificate with dn CN=LDAPUser1,O=IBM,C=US. The dn does not map to a user in the registry.").isEmpty());
    }

    @Test
    public void ldap_dn_mapper_no_user() throws Exception {
        updateLibertyServer(ID_MAPPER_1);
        client = setupClient(USER2_CERT_FILE, true);
        Assert.assertNull("Expected null response.", client.access("/SimpleServlet", 403));
        Assert.assertFalse("Did not find mapping result in logs.", myServer.findStringsInLogsAndTraceUsingMark("The custom X.509 certificate mapper returned the following mapping: CN=LDAPUser2").isEmpty());
        Assert.assertFalse("Did not find JNDI error in logs.", myServer.findStringsInLogsAndTraceUsingMark("LDAP: error code 32 - NO_SUCH_OBJECT").isEmpty());
        Assert.assertFalse("Did not find CWIML4537E error in logs.", myServer.findStringsInLogsAndTraceUsingMark("CWIML4537E: The login operation could not be completed. The specified principal name extracted from certificate is not found in the back-end repository.").isEmpty());
        Assert.assertFalse("Did not find expected CWWKS1101W error in logs.", myServer.findStringsInLogsAndTraceUsingMark("CWWKS1101W: CLIENT-CERT Authentication did not succeed for the client certificate with dn CN=LDAPUser2. The dn does not map to a user in the registry.").isEmpty());
    }

    @Test
    public void ldap_filter_mapper() throws Exception {
        updateLibertyServer(ID_MAPPER_2);
        client = setupClient(USER1_CERT_FILE, true);
        verifyProgrammaticAPIValues(LDAP_USER_1, client.access("/SimpleServlet", 200));
        Assert.assertFalse("Did not find mapping result in logs.", myServer.findStringsInLogsAndTraceUsingMark("The custom X.509 certificate mapper returned the following mapping: \\(CN=LDAPUser1\\)").isEmpty());
        Assert.assertTrue("Found unexpected CWWKS1101W error in logs.", myServer.findStringsInLogsAndTraceUsingMark("CWWKS1101W: CLIENT-CERT Authentication did not succeed for the client certificate with dn CN=LDAPUser1,O=IBM,C=US. The dn does not map to a user in the registry.").isEmpty());
    }

    @Test
    public void ldap_filter_mapper_no_user() throws Exception {
        updateLibertyServer(ID_MAPPER_2);
        client = setupClient(USER2_CERT_FILE, true);
        Assert.assertNull("Expected null response.", client.access("/SimpleServlet", 403));
        Assert.assertFalse("Did not find mapping result in logs.", myServer.findStringsInLogsAndTraceUsingMark("The custom X.509 certificate mapper returned the following mapping: \\(CN=LDAPUser2\\)").isEmpty());
        Assert.assertFalse("Did not find CWIML4537E error in logs.", myServer.findStringsInLogsAndTraceUsingMark("CWIML4537E: The login operation could not be completed. The specified principal name extracted from certificate is not found in the back-end repository.").isEmpty());
        Assert.assertFalse("Did not find expected CWWKS1101W error in logs.", myServer.findStringsInLogsAndTraceUsingMark("CWWKS1101W: CLIENT-CERT Authentication did not succeed for the client certificate with dn CN=LDAPUser2. The dn does not map to a user in the registry.").isEmpty());
    }

    @Test
    @ExpectedFFDC({"com.ibm.ws.security.registry.CertificateMapNotSupportedException"})
    public void certificate_map_not_supported_exception() throws Exception {
        updateLibertyServer(ID_MAPPER_3);
        client = setupClient(USER1_CERT_FILE, true);
        Assert.assertNull("Expected null response.", client.access("/SimpleServlet", 403));
        Assert.assertFalse("Did not find CertificateMapNotSupportedException in logs.", myServer.findStringsInLogsAndTraceUsingMark("CWIML4542E").isEmpty());
    }

    @Test
    @ExpectedFFDC({"com.ibm.wsspi.security.wim.exception.CertificateMapFailedException"})
    public void certificate_map_failed_exception() throws Exception {
        updateLibertyServer(ID_MAPPER_4);
        client = setupClient(USER1_CERT_FILE, true);
        Assert.assertNull("Expected null response.", client.access("/SimpleServlet", 403));
        Assert.assertFalse("Did not find CertificateMapFailedException in logs.", myServer.findStringsInLogsAndTraceUsingMark("CWIML4503E").isEmpty());
        Assert.assertFalse("Did not find expected CWWKS1101W error in logs.", myServer.findStringsInLogsAndTraceUsingMark("CWWKS1101W: CLIENT-CERT Authentication did not succeed for the client certificate with dn CN=LDAPUser1,O=IBM,C=US. The dn does not map to a user in the registry.").isEmpty());
    }

    @Test
    @ExpectedFFDC({"com.ibm.wsspi.security.wim.exception.CertificateMapFailedException"})
    public void invalid_mapper_id() throws Exception {
        updateLibertyServer("invalidCertificateMapperId");
        client = setupClient(USER1_CERT_FILE, true);
        Assert.assertNull("Expected null response.", client.access("/SimpleServlet", 403));
        Assert.assertFalse("Did not find expected error in logs.", myServer.findStringsInLogsAndTraceUsingMark("CWIML4500W").isEmpty());
        Assert.assertFalse("Did not find expected CWWKS1101W error in logs.", myServer.findStringsInLogsAndTraceUsingMark("CWWKS1101W: CLIENT-CERT Authentication did not succeed for the client certificate with dn CN=LDAPUser1,O=IBM,C=US. The dn does not map to a user in the registry.").isEmpty());
    }

    @Test
    @ExpectedFFDC({"com.ibm.wsspi.security.wim.exception.CertificateMapFailedException"})
    public void no_mapper_id() throws Exception {
        updateLibertyServer(null);
        client = setupClient(USER1_CERT_FILE, true);
        Assert.assertNull("Expected null response.", client.access("/SimpleServlet", 403));
        Assert.assertFalse("Did not find expected error in logs.", myServer.findStringsInLogsAndTraceUsingMark("CWIML4500W").isEmpty());
        Assert.assertFalse("Did not find expected CWWKS1101W error in logs.", myServer.findStringsInLogsAndTraceUsingMark("CWWKS1101W: CLIENT-CERT Authentication did not succeed for the client certificate with dn CN=LDAPUser1,O=IBM,C=US. The dn does not map to a user in the registry.").isEmpty());
    }

    @Test
    @ExpectedFFDC({"com.ibm.wsspi.security.wim.exception.CertificateMapFailedException"})
    public void certificate_map_null() throws Exception {
        updateLibertyServer(ID_MAPPER_5);
        client = setupClient(USER1_CERT_FILE, true);
        Assert.assertNull("Expected null response.", client.access("/SimpleServlet", 403));
        Assert.assertFalse("Did not find expected error in logs.", myServer.findStringsInLogsAndTraceUsingMark("CWIML4504W").isEmpty());
        Assert.assertFalse("Did not find expected CWWKS1101W error in logs.", myServer.findStringsInLogsAndTraceUsingMark("CWWKS1101W: CLIENT-CERT Authentication did not succeed for the client certificate with dn CN=LDAPUser1,O=IBM,C=US. The dn does not map to a user in the registry.").isEmpty());
    }

    @Test
    public void multiple_repositories_failed_valid() throws Exception {
        ServerConfiguration clone = originalConfiguration.clone();
        LdapRegistry ldapRegistry = new LdapRegistry();
        ldapRegistry.setRealm("LDAPRealm1");
        ldapRegistry.setHost("localhost");
        ldapRegistry.setPort(String.valueOf(ldapServer.getLdapServer().getPort()));
        ldapRegistry.setBaseDN(LDAP_PARTITION_2_DN);
        ldapRegistry.setBindDN(EmbeddedApacheDS.getBindDN());
        ldapRegistry.setBindPassword(EmbeddedApacheDS.getBindPassword());
        ldapRegistry.setLdapType("Custom");
        ldapRegistry.setCertificateMapMode("CUSTOM");
        clone.getLdapRegistries().add(ldapRegistry);
        ldapRegistry.setCertificateMapperId(ID_MAPPER_3);
        LdapRegistry ldapRegistry2 = new LdapRegistry();
        ldapRegistry2.setRealm("LDAPRealm2");
        ldapRegistry2.setHost("localhost");
        ldapRegistry2.setPort(String.valueOf(ldapServer.getLdapServer().getPort()));
        ldapRegistry2.setBaseDN(LDAP_PARTITION_1_DN);
        ldapRegistry2.setBindDN(EmbeddedApacheDS.getBindDN());
        ldapRegistry2.setBindPassword(EmbeddedApacheDS.getBindPassword());
        ldapRegistry2.setLdapType("Custom");
        ldapRegistry2.setCertificateMapMode("CUSTOM");
        clone.getLdapRegistries().add(ldapRegistry2);
        ldapRegistry2.setCertificateMapperId(ID_MAPPER_1);
        File file = new File();
        file.setName(PATH_LIBRARY_1);
        Library library = new Library();
        library.setId(ID_LIBRARY_1);
        library.setNestedFile(file);
        clone.getLibraries().add(library);
        Bell bell = new Bell();
        bell.setLibraryRef(ID_LIBRARY_1);
        clone.getBells().add(bell);
        LDAPFatUtils.updateConfigDynamically(myServer, clone);
        client = setupClient(USER1_CERT_FILE, true);
        verifyProgrammaticAPIValues(LDAP_USER_1, client.access("/SimpleServlet", 200));
        Assert.assertFalse("Did not find mapping result in logs.", myServer.findStringsInLogsAndTraceUsingMark("The custom X.509 certificate mapper returned the following mapping: CN=LDAPUser1,O=IBM,C=US").isEmpty());
    }

    @Test
    @ExpectedFFDC({"com.ibm.ws.security.registry.CertificateMapNotSupportedException"})
    public void multiple_repositories_notsupported_notsupported() throws Exception {
        ServerConfiguration clone = originalConfiguration.clone();
        LdapRegistry ldapRegistry = new LdapRegistry();
        ldapRegistry.setRealm("LDAPRealm1");
        ldapRegistry.setHost("localhost");
        ldapRegistry.setPort(String.valueOf(ldapServer.getLdapServer().getPort()));
        ldapRegistry.setBaseDN(LDAP_PARTITION_2_DN);
        ldapRegistry.setBindDN(EmbeddedApacheDS.getBindDN());
        ldapRegistry.setBindPassword(EmbeddedApacheDS.getBindPassword());
        ldapRegistry.setLdapType("Custom");
        ldapRegistry.setCertificateMapMode("CUSTOM");
        ldapRegistry.setCertificateMapperId(ID_MAPPER_3);
        clone.getLdapRegistries().add(ldapRegistry);
        LdapRegistry ldapRegistry2 = new LdapRegistry();
        ldapRegistry2.setRealm("LDAPRealm2");
        ldapRegistry2.setHost("localhost");
        ldapRegistry2.setPort(String.valueOf(ldapServer.getLdapServer().getPort()));
        ldapRegistry2.setBaseDN(LDAP_PARTITION_1_DN);
        ldapRegistry2.setBindDN(EmbeddedApacheDS.getBindDN());
        ldapRegistry2.setBindPassword(EmbeddedApacheDS.getBindPassword());
        ldapRegistry2.setLdapType("Custom");
        ldapRegistry2.setCertificateMapMode("NOT_SUPPORTED");
        clone.getLdapRegistries().add(ldapRegistry2);
        File file = new File();
        file.setName(PATH_LIBRARY_1);
        Library library = new Library();
        library.setId(ID_LIBRARY_1);
        library.setNestedFile(file);
        clone.getLibraries().add(library);
        Bell bell = new Bell();
        bell.setLibraryRef(ID_LIBRARY_1);
        clone.getBells().add(bell);
        LDAPFatUtils.updateConfigDynamically(myServer, clone);
        client = setupClient(USER1_CERT_FILE, true);
        Assert.assertNull("Expected null response.", client.access("/SimpleServlet", 403));
        Assert.assertFalse("Did not find CertificateMapNotSupportedException in logs.", myServer.findStringsInLogsAndTraceUsingMark("CWIML4542E").isEmpty());
    }

    @Test
    @ExpectedFFDC({"com.ibm.wsspi.security.wim.exception.CertificateMapFailedException"})
    public void multiple_repositories_failed_notsupported() throws Exception {
        ServerConfiguration clone = originalConfiguration.clone();
        LdapRegistry ldapRegistry = new LdapRegistry();
        ldapRegistry.setRealm("LDAPRealm1");
        ldapRegistry.setHost("localhost");
        ldapRegistry.setPort(String.valueOf(ldapServer.getLdapServer().getPort()));
        ldapRegistry.setBaseDN(LDAP_PARTITION_2_DN);
        ldapRegistry.setBindDN(EmbeddedApacheDS.getBindDN());
        ldapRegistry.setBindPassword(EmbeddedApacheDS.getBindPassword());
        ldapRegistry.setLdapType("Custom");
        ldapRegistry.setCertificateMapMode("CUSTOM");
        ldapRegistry.setCertificateMapperId(ID_MAPPER_3);
        clone.getLdapRegistries().add(ldapRegistry);
        LdapRegistry ldapRegistry2 = new LdapRegistry();
        ldapRegistry2.setRealm("LDAPRealm1");
        ldapRegistry2.setHost("localhost");
        ldapRegistry2.setPort(String.valueOf(ldapServer.getLdapServer().getPort()));
        ldapRegistry2.setBaseDN(LDAP_PARTITION_1_DN);
        ldapRegistry2.setBindDN(EmbeddedApacheDS.getBindDN());
        ldapRegistry2.setBindPassword(EmbeddedApacheDS.getBindPassword());
        ldapRegistry2.setLdapType("Custom");
        ldapRegistry2.setCertificateMapMode("CUSTOM");
        ldapRegistry2.setCertificateMapperId(ID_MAPPER_4);
        clone.getLdapRegistries().add(ldapRegistry2);
        File file = new File();
        file.setName(PATH_LIBRARY_1);
        Library library = new Library();
        library.setId(ID_LIBRARY_1);
        library.setNestedFile(file);
        clone.getLibraries().add(library);
        Bell bell = new Bell();
        bell.setLibraryRef(ID_LIBRARY_1);
        clone.getBells().add(bell);
        LDAPFatUtils.updateConfigDynamically(myServer, clone);
        client = setupClient(USER1_CERT_FILE, true);
        Assert.assertNull("Expected null response.", client.access("/SimpleServlet", 403));
        Assert.assertFalse("Did not find CertificateMapFailedException in logs.", myServer.findStringsInLogsAndTraceUsingMark("CWIML4503E").isEmpty());
    }

    @Test
    public void map_certificate_chain() throws Exception {
        updateLibertyServer(ID_MAPPER_6);
        client = setupClient(USER3_CERT_FILE, true);
        verifyProgrammaticAPIValues(LDAP_USER_3, client.access("/SimpleServlet", 200));
        Assert.assertFalse("Did not find mapping result in logs.", myServer.findStringsInLogsAndTraceUsingMark("The custom X.509 certificate mapper returned the following mapping: CN=LDAPUser3,O=IBM,C=US").isEmpty());
        Assert.assertTrue("Found unexpected CWWKS1101W error in logs.", myServer.findStringsInLogsAndTraceUsingMark("CWWKS1101W: CLIENT-CERT Authentication did not succeed for the client certificate with dn CN=LDAPUser3,O=IBM,C=US. The dn does not map to a user in the registry.").isEmpty());
    }
}
