package com.sap.cloud.security.test;

import com.github.tomakehurst.wiremock.WireMockServer;
import com.github.tomakehurst.wiremock.client.WireMock;
import com.github.tomakehurst.wiremock.core.WireMockConfiguration;
import com.sap.cloud.environment.servicebinding.SapVcapServicesServiceBindingAccessor;
import com.sap.cloud.environment.servicebinding.api.ServiceBinding;
import com.sap.cloud.security.config.OAuth2ServiceConfigurationBuilder;
import com.sap.cloud.security.config.Service;
import com.sap.cloud.security.config.ServiceBindingMapper;
import com.sap.cloud.security.json.JsonParsingException;
import com.sap.cloud.security.test.api.ApplicationServerConfiguration;
import com.sap.cloud.security.test.api.SecurityTestContext;
import com.sap.cloud.security.test.api.ServiceMockConfiguration;
import com.sap.cloud.security.test.jetty.JettyTokenAuthenticator;
import com.sap.cloud.security.token.Token;
import com.sap.cloud.security.xsuaa.client.XsuaaDefaultEndpoints;
import com.sap.cloud.security.xsuaa.http.MediaType;
import jakarta.servlet.DispatcherType;
import jakarta.servlet.Filter;
import jakarta.servlet.Servlet;
import java.io.File;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.util.ArrayList;
import java.util.Base64;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import javax.annotation.Nullable;
import org.apache.commons.io.IOUtils;
import org.eclipse.jetty.ee10.servlet.FilterHolder;
import org.eclipse.jetty.ee10.servlet.ServletHolder;
import org.eclipse.jetty.ee10.servlet.security.ConstraintSecurityHandler;
import org.eclipse.jetty.ee10.webapp.WebAppContext;
import org.eclipse.jetty.server.Server;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/sap/cloud/security/test/SecurityTest.class */
public class SecurityTest implements SecurityTestContext, ServiceMockConfiguration, ApplicationServerConfiguration {
    protected static final Logger LOGGER = LoggerFactory.getLogger(SecurityTest.class);
    public static final String DEFAULT_APP_ID = "xsapp!t0815";
    public static final String DEFAULT_CLIENT_ID = "sb-clientId!t0815";
    public static final String DEFAULT_DOMAIN = "localhost";
    public static final String DEFAULT_UAA_DOMAIN = "http://localhost";
    public static final String DEFAULT_URL = "http://localhost";
    protected static final String LOCALHOST_PATTERN = "http://localhost:%d";
    protected Server applicationServer;
    protected ApplicationServerOptions applicationServerOptions;
    protected boolean useApplicationServer;
    protected final Service service;
    protected static final String clientId = "sb-clientId!t0815";
    protected String jwksUrl;
    private String issuerUrl;
    protected final Map<String, ServletHolder> applicationServletsByPath = new HashMap();
    protected final List<FilterHolder> applicationServletFilters = new ArrayList();
    protected RSAKeys keys = RSAKeys.generate();
    protected WireMockServer wireMockServer = new WireMockServer(WireMockConfiguration.options().dynamicPort());

    public SecurityTest(Service service) {
        this.service = service;
    }

    @Override // com.sap.cloud.security.test.api.ApplicationServerConfiguration
    public SecurityTest useApplicationServer() {
        this.useApplicationServer = true;
        return this;
    }

    @Override // com.sap.cloud.security.test.api.ApplicationServerConfiguration
    public SecurityTest useApplicationServer(ApplicationServerOptions applicationServerOptions) {
        this.applicationServerOptions = applicationServerOptions;
        this.useApplicationServer = true;
        return this;
    }

    @Override // com.sap.cloud.security.test.api.ApplicationServerConfiguration
    public SecurityTest addApplicationServlet(Class<? extends Servlet> cls, String str) {
        this.applicationServletsByPath.put(str, new ServletHolder(cls));
        return this;
    }

    @Override // com.sap.cloud.security.test.api.ApplicationServerConfiguration
    public SecurityTest addApplicationServlet(ServletHolder servletHolder, String str) {
        this.applicationServletsByPath.put(str, servletHolder);
        return this;
    }

    @Override // com.sap.cloud.security.test.api.ApplicationServerConfiguration
    public SecurityTest addApplicationServletFilter(Class<? extends Filter> cls) {
        this.applicationServletFilters.add(new FilterHolder(cls));
        return this;
    }

    @Override // com.sap.cloud.security.test.api.ServiceMockConfiguration
    public SecurityTest setPort(int i) {
        this.wireMockServer = new WireMockServer(WireMockConfiguration.options().port(i));
        return this;
    }

    @Override // com.sap.cloud.security.test.api.ServiceMockConfiguration
    public SecurityTest setKeys(String str, String str2) {
        try {
            this.keys = RSAKeys.fromKeyFiles(str, str2);
            return this;
        } catch (IOException | NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new UnsupportedOperationException(e);
        }
    }

    @Override // com.sap.cloud.security.test.api.SecurityTestContext
    public JwtGenerator getPreconfiguredJwtGenerator() {
        JwtGenerator withPrivateKey = JwtGenerator.getInstance(this.service, "sb-clientId!t0815").withPrivateKey(this.keys.getPrivate());
        if (this.jwksUrl == null || this.issuerUrl == null) {
            LOGGER.warn("Method getPreconfiguredJwtGenerator was called too soon. Cannot set mock jwks/issuer url!");
        }
        if (Service.XSUAA.equals(this.service)) {
            withPrivateKey.withHeaderParameter("jku", this.jwksUrl).withAppId("xsapp!t0815").withClaimValue("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer");
        }
        return withPrivateKey.withClaimValue("iss", this.issuerUrl);
    }

    @Override // com.sap.cloud.security.test.api.SecurityTestContext
    public JwtGenerator getJwtGeneratorFromFile(String str) {
        JwtGenerator withPrivateKey = JwtGenerator.getInstanceFromFile(this.service, str).withClaimValue("iss", this.issuerUrl).withPrivateKey(this.keys.getPrivate());
        if (Service.XSUAA == this.service) {
            withPrivateKey.withHeaderParameter("jku", this.jwksUrl);
        }
        return withPrivateKey;
    }

    @Override // com.sap.cloud.security.test.api.SecurityTestContext
    public OAuth2ServiceConfigurationBuilder getOAuth2ServiceConfigurationBuilderFromFile(String str) {
        try {
            String resourceToString = IOUtils.resourceToString(str, StandardCharsets.UTF_8);
            List list = new SapVcapServicesServiceBindingAccessor(str2 -> {
                return resourceToString;
            }).getServiceBindings().stream().filter(serviceBinding -> {
                return serviceBinding.getServiceName().isPresent() && Service.from((String) serviceBinding.getServiceName().get()) != null;
            }).limit(2L).toList();
            if (list.isEmpty()) {
                throw new JsonParsingException("No supported binding found in VCAP_SERVICES!");
            }
            if (list.size() > 1) {
                LOGGER.warn("More than one OAuth2 service binding found in resource. Using configuration of first one!");
            }
            ServiceBinding serviceBinding2 = (ServiceBinding) list.get(0);
            OAuth2ServiceConfigurationBuilder mapToOAuth2ServiceConfigurationBuilder = ServiceBindingMapper.mapToOAuth2ServiceConfigurationBuilder(serviceBinding2);
            if (mapToOAuth2ServiceConfigurationBuilder != null) {
                mapToOAuth2ServiceConfigurationBuilder = mapToOAuth2ServiceConfigurationBuilder.withDomains(new String[]{URI.create(this.issuerUrl).getHost()}).withUrl(this.issuerUrl);
                if (Objects.equals(Service.from((String) serviceBinding2.getServiceName().get()), Service.XSUAA)) {
                    mapToOAuth2ServiceConfigurationBuilder.withProperty("uaadomain", this.wireMockServer.baseUrl());
                }
            }
            return mapToOAuth2ServiceConfigurationBuilder;
        } catch (IOException e) {
            throw new IllegalArgumentException("Error reading configuration file: " + e.getMessage());
        }
    }

    @Override // com.sap.cloud.security.test.api.SecurityTestContext
    public Token createToken() {
        return getPreconfiguredJwtGenerator().createToken();
    }

    @Override // com.sap.cloud.security.test.api.SecurityTestContext
    public WireMockServer getWireMockServer() {
        return this.wireMockServer;
    }

    @Override // com.sap.cloud.security.test.api.SecurityTestContext
    @Nullable
    public String getApplicationServerUri() {
        if (this.useApplicationServer) {
            return String.format(LOCALHOST_PATTERN, Integer.valueOf(this.applicationServer.getURI().getPort()));
        }
        return null;
    }

    void startApplicationServer() throws Exception {
        ConstraintSecurityHandler constraintSecurityHandler = new ConstraintSecurityHandler();
        constraintSecurityHandler.setAuthenticator(new JettyTokenAuthenticator(this.applicationServerOptions.getTokenAuthenticator()));
        WebAppContext webAppContext = new WebAppContext();
        webAppContext.setContextPath("/");
        webAppContext.setSecurityHandler(constraintSecurityHandler);
        File file = new File("src/main/webapp");
        if (file.exists() && file.isDirectory()) {
            webAppContext.setBaseResourceAsString("src/main/webapp");
        } else {
            webAppContext.setBaseResourceAsString("src/main/java");
        }
        this.applicationServletsByPath.forEach((str, servletHolder) -> {
            webAppContext.addServlet(servletHolder, str);
        });
        this.applicationServletFilters.forEach(filterHolder -> {
            webAppContext.addFilter(filterHolder, "/*", EnumSet.of(DispatcherType.REQUEST));
        });
        webAppContext.addFilter(new FilterHolder(new SecurityFilter()), "/*", EnumSet.of(DispatcherType.REQUEST));
        this.applicationServer = new Server(this.applicationServerOptions.getPort());
        this.applicationServer.setHandler(webAppContext);
        this.applicationServer.start();
    }

    String createDefaultTokenKeyResponse() throws IOException {
        return IOUtils.resourceToString("/token_keys_template.json", StandardCharsets.UTF_8).replace("$kid", getKeyId()).replace("$public_key", Base64.getEncoder().encodeToString(this.keys.getPublic().getEncoded())).replace("$modulus", Base64.getUrlEncoder().encodeToString(((RSAPublicKey) this.keys.getPublic()).getModulus().toByteArray()));
    }

    private String getKeyId() {
        return this.service == Service.IAS ? JwtGenerator.DEFAULT_KEY_ID_IAS : JwtGenerator.DEFAULT_KEY_ID;
    }

    String createDefaultOidcConfigurationResponse() throws IOException {
        return IOUtils.resourceToString("/oidcConfigurationTemplate.json", StandardCharsets.UTF_8).replace("$issuer", this.wireMockServer.baseUrl());
    }

    public void setup() throws Exception {
        if (this.wireMockServer.isRunning()) {
            this.wireMockServer.resetAll();
        } else {
            this.wireMockServer.start();
        }
        if (this.useApplicationServer && (this.applicationServer == null || !this.applicationServer.isStarted())) {
            if (this.applicationServerOptions == null) {
                this.applicationServerOptions = ApplicationServerOptions.forService(this.service, this.wireMockServer.port());
            }
            startApplicationServer();
        }
        XsuaaDefaultEndpoints xsuaaDefaultEndpoints = new XsuaaDefaultEndpoints(String.format(LOCALHOST_PATTERN, Integer.valueOf(this.wireMockServer.port())), (String) null);
        this.wireMockServer.stubFor(WireMock.get(WireMock.urlPathEqualTo(xsuaaDefaultEndpoints.getJwksUri().getPath())).willReturn(WireMock.aResponse().withBody(createDefaultTokenKeyResponse()).withHeader("Content-Type", new String[]{MediaType.APPLICATION_JSON.value()})));
        this.wireMockServer.stubFor(WireMock.get(WireMock.urlEqualTo("/.well-known/openid-configuration")).willReturn(WireMock.aResponse().withBody(createDefaultOidcConfigurationResponse()).withHeader("Content-Type", new String[]{MediaType.APPLICATION_JSON.value()})));
        this.jwksUrl = xsuaaDefaultEndpoints.getJwksUri().toString();
        this.issuerUrl = this.wireMockServer.baseUrl();
    }

    public void tearDown() {
        shutdownWireMock();
        try {
            if (this.useApplicationServer) {
                this.applicationServer.stop();
            }
        } catch (Exception e) {
            LOGGER.error("Failed to stop jetty server", e);
        }
    }

    private void shutdownWireMock() {
        this.wireMockServer.shutdown();
        for (int i = 0; i < 100 && this.wireMockServer.isRunning(); i++) {
            try {
                Thread.sleep(50L);
            } catch (InterruptedException e) {
                LOGGER.warn("Got interrupted while waiting for WireMock to shutdown. Giving up!");
                Thread.currentThread().interrupt();
                return;
            }
        }
    }

    @Override // com.sap.cloud.security.test.api.ApplicationServerConfiguration
    public /* bridge */ /* synthetic */ ApplicationServerConfiguration addApplicationServletFilter(Class cls) {
        return addApplicationServletFilter((Class<? extends Filter>) cls);
    }

    @Override // com.sap.cloud.security.test.api.ApplicationServerConfiguration
    public /* bridge */ /* synthetic */ ApplicationServerConfiguration addApplicationServlet(Class cls, String str) {
        return addApplicationServlet((Class<? extends Servlet>) cls, str);
    }
}
