package com.atlassian.crowd.acceptance.tests.rest;

import com.atlassian.crowd.acceptance.rest.RestServer;
import com.atlassian.crowd.acceptance.tests.soap.InformationLeakingTestBase;
import java.io.IOException;
import java.io.InputStream;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import javax.ws.rs.core.MediaType;
import org.apache.commons.io.IOUtils;
import org.apache.http.HttpException;
import org.apache.http.HttpResponse;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.entity.BufferedHttpEntity;
import org.apache.http.entity.ContentType;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.protocol.HttpContext;
import org.apache.http.util.EntityUtils;
import org.hamcrest.CoreMatchers;
import org.junit.Assert;

/* loaded from: input_file:com/atlassian/crowd/acceptance/tests/rest/RestXmlParsingTest.class */
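public class RestXmlParsingTest extends InformationLeakingTestBase {
    /** Charset used for the request body and for decoding the response body. */
    private static final String CHARSET = "us-ascii";

    /** REST search endpoint (relative to {@link #getBaseUrl()}) that accepts an XML search restriction. */
    private static final String SEARCH_PATH = "/rest/usermanagement/1/search?entity-type=user";

    private final RestServer restServer;

    public RestXmlParsingTest() {
        this(RestServerImpl.INSTANCE);
    }

    public RestXmlParsingTest(RestServer restServer) {
        this.restServer = restServer;
    }

    @Override
    public void setUp() throws Exception {
        super.setUp();
        this.restServer.before();
    }

    @Override
    public void tearDown() throws Exception {
        // Stop the REST server first, then let the base class tear down the rest of the fixture.
        this.restServer.after();
        super.tearDown();
    }

    @Override
    public String getCrowdApplicationPassword() {
        // Test-fixture application password; it is the basic-auth secret sent by postToRestEndpoint.
        return "qybhDMZh";
    }

    /**
     * Posts {@code xml} to the user search endpoint, authenticating as the {@code crowd}
     * application with HTTP basic credentials scoped to the host and port of {@code HOST_PATH}.
     * <p>
     * The HTTP client is closed before this method returns, so the response entity is buffered
     * in memory first; callers can read {@link HttpResponse#getEntity()} at any later point.
     *
     * @param xml the request body, sent as {@code application/xml; charset=us-ascii}
     * @return the server's response with a fully buffered entity
     * @throws IOException if the request could not be sent or the response could not be read
     */
    HttpResponse postToRestEndpoint(String xml) throws HttpException, UnsupportedEncodingException, IOException {
        StringEntity body = new StringEntity(xml, ContentType.APPLICATION_XML.withCharset(CHARSET));

        URI hostUri = URI.create(HOST_PATH);
        BasicCredentialsProvider credentials = new BasicCredentialsProvider();
        credentials.setCredentials(
                new AuthScope(hostUri.getHost(), hostUri.getPort(), AuthScope.ANY_REALM),
                new UsernamePasswordCredentials("crowd", getCrowdApplicationPassword()));
        // HttpClientContext (not the plain HttpContext interface) is what exposes setCredentialsProvider.
        HttpClientContext context = HttpClientContext.create();
        context.setCredentialsProvider(credentials);

        HttpPost post = new HttpPost(getBaseUrl() + SEARCH_PATH);
        post.setHeader("Accept", "application/xml");
        post.setEntity(body);

        CloseableHttpClient client = HttpClients.createDefault();
        try {
            HttpResponse response = client.execute(post, context);
            // Buffer the body now: closing the client releases the connection the streamed
            // entity reads from, but callers still need the response after we return.
            if (response.getEntity() != null) {
                response.setEntity(new BufferedHttpEntity(response.getEntity()));
            }
            return response;
        } finally {
            client.close();
        }
    }

    /**
     * Reads a classpath resource located next to this class into a {@code us-ascii} string.
     * Fails the test if the resource is missing; the stream is always closed.
     *
     * @param name resource name relative to this class
     * @return the resource contents
     * @throws IOException if the resource cannot be read
     */
    private String readTestResource(String name) throws IOException {
        InputStream in = getClass().getResourceAsStream(name);
        assertNotNull("Missing test resource: " + name, in);
        try {
            return IOUtils.toString(in, CHARSET);
        } finally {
            in.close();
        }
    }

    /**
     * Asserts that the response carries a Content-Type header whose media type is
     * {@code application/xml} (any charset parameter is ignored).
     */
    private void assertXmlResponse(HttpResponse response) {
        assertNotNull("The response should declare a Content-Type", response.getFirstHeader("content-type"));
        MediaType mediaType = MediaType.valueOf(response.getFirstHeader("content-type").getValue());
        assertEquals("The response should be XML", "application/xml", mediaType.getType() + '/' + mediaType.getSubtype());
    }

    /**
     * XXE regression check: an external entity that points at a local file must not be
     * resolved by the server, so the file's contents must never appear in the response.
     */
    public void testEntityExpansionDoesNotIncludeFileContents() throws Exception {
        // Point the external entity at a freshly created file whose contents (this.secret) we know.
        String xml = readTestResource("RestXmlParsingTest-rest-include-external-entity.xml")
                .replace("/etc/passwd", createSecretFile().toURI().toString());
        HttpResponse response = postToRestEndpoint(xml);
        String responseBody = EntityUtils.toString(response.getEntity(), CHARSET);
        assertXmlResponse(response);
        Assert.assertThat(responseBody, CoreMatchers.not(CoreMatchers.containsString(this.secret)));
    }

    /**
     * Hardening against XXE must not break ordinary documents: the predefined {@code &amp;}
     * entity is still expanded, and the server reports the resulting value in its error message
     * (either wording is accepted, as it changed between JDK versions).
     */
    public void testValidEntitiesAreExpanded() throws Exception {
        HttpResponse response = postToRestEndpoint(readTestResource("RestXmlParsingTest-rest-with-amp-entity.xml"));
        String responseBody = EntityUtils.toString(response.getEntity(), CHARSET);
        assertXmlResponse(response);
        Assert.assertThat(responseBody, CoreMatchers.anyOf(CoreMatchers.containsString("No enum const class com.atlassian.crowd.search.query.entity.restriction.MatchMode.&amp;"), CoreMatchers.containsString("No enum constant com.atlassian.crowd.search.query.entity.restriction.MatchMode.&amp;")));
    }

    /**
     * Entity-expansion denial-of-service check ("billion laughs"): the server must reject the
     * document as malformed rather than exhaust its heap expanding nested entities.
     */
    public void testEntityExpansionDoesNotCauseDenialOfService() throws Exception {
        HttpResponse response = postToRestEndpoint(readTestResource("RestXmlParsingTest-rest-billion-laughs.xml"));
        String responseBody = EntityUtils.toString(response.getEntity(), CHARSET);
        Assert.assertThat("The response should indicate a parsing error", responseBody, CoreMatchers.containsString("The request sent by the client was syntactically incorrect"));
        Assert.assertThat("The response should not indicate a server memory error", responseBody, CoreMatchers.not(CoreMatchers.containsString("java.lang.OutOfMemoryError")));
    }
}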
