package com.atlassian.crowd.acceptance.tests.applications.crowdid.server;

import com.atlassian.crowd.acceptance.utils.AcceptanceTestHelper;
import com.atlassian.crowd.console.action.BaseAction;
import java.util.ResourceBundle;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import net.sourceforge.jwebunit.exception.TestingEngineResponseException;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.hamcrest.Matchers;
import org.hamcrest.text.IsEqualIgnoringWhiteSpace;
import org.junit.Assert;

/* loaded from: input_file:com/atlassian/crowd/acceptance/tests/applications/crowdid/server/OpenIDServerTest.class */
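/**
 * Acceptance tests for the CrowdID OpenID server, driven through jwebunit against a running
 * CrowdID instance ("the server", {@link #OPENID_SERVER_URL}) and a sample OpenID relying party
 * ("the client", {@link #OPENID_CLIENT_LOGIN}).
 *
 * <p>Besides functional coverage (profiles, approved sites, login history, trust relationships)
 * this class pins down several of CrowdID's security controls:
 * <ul>
 *   <li>XSRF protection on state-changing profile actions and on the login action;</li>
 *   <li>output escaping of profile names and request parameters (persisted / reflected XSS);</li>
 *   <li>per-user authorisation of profile view/edit by numeric id (no cross-user access);</li>
 *   <li>{@code /include/*} JSP fragments not being served directly, logged in or not;</li>
 *   <li>host blacklist / whitelist restrictions on relying parties.</li>
 * </ul>
 *
 * <p>All credentials used here ({@code admin/admin}, {@code john.tøstinógé/john}) are fixtures
 * from {@code openidauthtest.xml}, which {@link #setUp()} restores before every test; they are
 * not real secrets. Tests that create profiles or change server settings undo their own changes
 * at the end of the happy path, but not in a {@code finally}, so a failing test can leave that
 * state behind. NOTE(review): the XML restore is a Crowd-side import — whether it also resets
 * CrowdID-side profiles and trust settings is not visible from this file; confirm before relying
 * on it for isolation.
 */
public class OpenIDServerTest extends CrowdIDServerAcceptanceTestCase {
    protected static String OPENIDSERVER_LOGIN_URL_ADMIN;
    protected static String OPENID_CLIENT_LOGIN;
    protected static String OPENID_SERVER_URL;
    protected static final String CLIENT_NAME = "crowdidclient";

    /** Fixture credentials (see class comment); not secrets. */
    private static final String ADMIN_USERNAME = "admin";
    private static final String ADMIN_PASSWORD = "admin";
    private static final String UNICODE_USERNAME = "john.tøstinógé";
    /** {@link #UNICODE_USERNAME} as it must appear percent-encoded (UTF-8) in the user's OpenID URL. */
    private static final String UNICODE_USERNAME_ENCODED = "john.t%C3%B8stin%C3%B3g%C3%A9";
    private static final String UNICODE_PASSWORD = "john";

    /** Picks the numeric profile id out of a {@code ?profileID=NN} link in the page source. */
    private static final Pattern PROFILE_ID_IN_LINK = Pattern.compile("\\?profileID=(\\d+)(?!\\d)");
    /**
     * Picks the XSRF token out of a single-quoted {@code atl_token=...} link. Bounded by
     * {@code [^']*} so it stops at the closing quote instead of greedily running to the last
     * quote on the line, which would smuggle trailing markup into the token.
     */
    private static final Pattern XSRF_TOKEN_IN_LINK = Pattern.compile("atl_token=([^']*)'");

    private ResourceBundle openIdClientI18n;

    @Override
    public void setUp() throws Exception {
        super.setUp();
        // Some pages (approved sites, trust relationships) drive actions through JavaScript.
        setScriptingEnabled(true);
        this.openIdClientI18n = ResourceBundle.getBundle(BaseAction.class.getName());
        // Reset users/passwords to the known fixture before every test.
        loginToCrowd();
        restoreCrowdFromXML("openidauthtest.xml");
        logoutFromCrowd();
        this.specProperties = AcceptanceTestHelper.loadProperties("localtest.properties");
        String host = getTestProperty("host.location");
        String clientBase = httpBase(host, getTestProperty("crowdidclient.port"));
        String serverBase = httpBase(host, getTestProperty(getApplicationName() + ".port"));
        OPENID_CLIENT_LOGIN = clientBase + getTestProperty("crowdidclient.context");
        OPENID_SERVER_URL = serverBase + getTestProperty(getApplicationName() + ".context");
        OPENIDSERVER_LOGIN_URL_ADMIN = OPENID_SERVER_URL + "/users/admin";
    }

    @Override
    public void tearDown() throws Exception {
        setScriptingEnabled(false);
        super.tearDown();
    }

    /** Builds the plain-http origin for a host/port pair (the acceptance environment speaks http only). */
    private static String httpBase(String host, String port) {
        return "http://" + host + ":" + port;
    }

    // ---------------------------------------------------------------- navigation helpers

    /** Logs in through the CrowdID server's own login form at {@link #OPENID_SERVER_URL}. */
    private void loginToServer(String username, String password) {
        gotoPage(OPENID_SERVER_URL);
        setTextField("username", username);
        setTextField("password", password);
        submit();
    }

    private void loginToServerAsAdmin() {
        loginToServer(ADMIN_USERNAME, ADMIN_PASSWORD);
    }

    /** Logs out of the server and checks we landed back on its login page. */
    private void logoutFromServer() {
        gotoPage(OPENID_SERVER_URL + "/logoff.action");
        assertKeyPresent("login.title");
    }

    /** On the client's OpenID form (already displayed), submits the admin identifier, handing off to the server. */
    private void submitAdminIdentifierAtClient() {
        setTextField("openid_identifier", OPENIDSERVER_LOGIN_URL_ADMIN);
        submit();
    }

    /** Opens the relying party's login page and starts an OpenID login for the admin identifier. */
    private void startAdminLoginFromClient() {
        gotoPage(OPENID_CLIENT_LOGIN);
        submitAdminIdentifierAtClient();
    }

    /** Full OpenID round trip: start at the client, then authenticate to the server as admin. */
    private void loginViaClientAsAdmin() {
        startAdminLoginFromClient();
        setTextField("username", ADMIN_USERNAME);
        setTextField("password", ADMIN_PASSWORD);
        submit();
    }

    private void logoutFromClient() {
        clickLinkWithExactText(openIdClientText("menu.logout.label"));
    }

    /**
     * On the server's "my sites" page, removes the (only) approved client site, applies the
     * change and checks the approved list is empty afterwards.
     */
    private void removeApprovedClientSite() {
        clickLink("mysites");
        assertKeyPresent("allow.siteurl.label");
        assertTextPresent(OPENID_CLIENT_LOGIN);
        clickElementByXPath("//img[@id='removeSite-0']");
        assertTextNotPresent(OPENID_CLIENT_LOGIN);
        clickButtonWithText(getText("allow.edit.applychanges.label"));
        assertKeyPresent("updatesuccessful.label");
        assertKeyPresent("allow.nosites.label");
    }

    /**
     * Logged in as admin, requests a state-changing profile action with no {@code atl_token} and
     * asserts the XSRF interceptor answers with the "no token" warning instead of executing it.
     *
     * @param actionPath server-relative action path, e.g. {@code /secure/profile/editprofiles!update.action}
     */
    private void assertActionRejectedWithoutXsrfToken(String actionPath) {
        loginToServerAsAdmin();
        // jwebunit would otherwise throw on a non-2xx response before we can inspect the body.
        this.tester.setIgnoreFailingStatusCodes(true);
        try {
            gotoPage(OPENID_SERVER_URL + actionPath);
            assertTrue(getPageSource().contains("warningBox"));
            assertTrue(getPageSource().contains(getMessage("atlassian.xwork.xsrf.notoken")));
        } finally {
            this.tester.setIgnoreFailingStatusCodes(false);
        }
    }

    /** Requests a (non-existent) file under {@code /include/} and asserts the server answers 403. */
    private void assertIncludePathForbidden(String failureMessage) {
        try {
            gotoPage(OPENID_SERVER_URL + "/include/nonExistentFile.jsp");
            fail(failureMessage);
        } catch (TestingEngineResponseException e) {
            Assert.assertThat(e.getMessage(), Matchers.containsString("unexpected status code [403]"));
        }
    }

    private void deleteProfile(String profileName) {
        gotoPage(OPENID_SERVER_URL + "/secure/profile/editprofiles.action");
        selectOption("profileID", profileName);
        clickButtonWithText(getText("profiles.delete.label"));
        assertKeyPresent("profiles.deleted.message");
    }

    /**
     * Logs in as admin, reads admin's profile id off the "my profiles" page and logs out again,
     * so a test can then log in as a different user and try to reach that id.
     */
    private long getProfileIdForAdmin() {
        loginToServerAsAdmin();
        clickLink("myprofiles");
        assertKeyPresent("profiles.select.title");
        Matcher idMatcher = PROFILE_ID_IN_LINK.matcher(getPageSource());
        assertTrue(idMatcher.find());
        String profileId = idMatcher.group(1);
        logoutFromServer();
        return Long.parseLong(profileId);
    }

    private String openIdClientText(String key) {
        return this.openIdClientI18n.getString(key);
    }

    // ---------------------------------------------------------------- functional tests

    /** After an OpenID login the client header shows the user's full name, and it disappears on logout. */
    public void testHeaderUserInfoContainsFullName() {
        loginViaClientAsAdmin();
        Assert.assertThat(getElementTextByXPath("id('userInfo')/strong"), Matchers.equalTo("Super User"));
        logoutFromClient();
        assertElementNotPresentByXPath("id('userInfo')");
    }

    /**
     * Creates a second profile with edited SREG attributes, resumes the interrupted OpenID
     * authentication with it and checks the attributes offered to the client, then deletes it.
     */
    public void testProfile() {
        log("Running testProfile");
        loginViaClientAsAdmin();
        clickLink("myprofiles");
        assertKeyPresent("profiles.select.title");
        selectOptionByValue("profileID", "-1");
        // Validation: empty name rejected, duplicate of the fixture's "My Profile" rejected.
        setTextField("profileName", "");
        submit();
        assertKeyPresent("profiles.nameempty.error");
        setTextField("profileName", "My Profile");
        submit();
        assertKeyPresent("exception.profile.already.exists");
        setTextField("profileName", "Test Profile");
        assertTextFieldEquals("nickname", "admin");
        setTextField("nickname", "tester");
        assertTextFieldEquals("fullName", "Super User");
        setTextField("fullName", "Test User");
        assertTextFieldEquals("email", "admin@example.com");
        setTextField("email", "test@example.com");
        selectOption("dobDay", "1");
        selectOption("dobMonth", "April");
        selectOption("dobYear", "1990");
        submit();
        assertKeyPresent("profiles.updated.message");
        clickLink("resumeauthentication");
        selectOption("profileID", "Test Profile");
        assertTextInTable("attributeTable", new String[]{getText("sreg.nickname.label"), "tester"});
        assertTextInTable("attributeTable", new String[]{getText("sreg.fullname.label"), "Test User"});
        assertTextInTable("attributeTable", new String[]{getText("sreg.email.label"), "test@example.com"});
        assertTextInTable("attributeTable", new String[]{getText("sreg.dob.label"), "1 April 1990"});
        deleteProfile("Test Profile");
    }

    /** "Allow always" records the client as an approved site; removing it empties the list again. */
    public void testApprovedSites() {
        log("Running testApprovedSites");
        loginViaClientAsAdmin();
        clickLink("mysites");
        assertKeyPresent("allow.nosites.label");
        clickLink("resumeauthentication");
        clickLink("allowAlways");
        gotoPage(OPENID_SERVER_URL);
        removeApprovedClientSite();
    }

    /** Each of allow / deny / allow-always shows up in the server's activity log. */
    public void testLoginHistory() {
        loginViaClientAsAdmin();
        clickLink("allow");
        logoutFromClient();
        // The client's logout page shows the OpenID form again, so no gotoPage is needed here.
        submitAdminIdentifierAtClient();
        clickLink("deny");
        submitAdminIdentifierAtClient();
        clickLink("allowAlways");
        logoutFromClient();
        gotoPage(OPENID_SERVER_URL);
        clickLink("activity");
        assertKeyPresent("authaction.allow.label");
        assertKeyPresent("authaction.deny.label");
        assertKeyPresent("authaction.allowalways.label");
        removeApprovedClientSite();
    }

    /**
     * Host-based trust: a blacklisted client host is refused the OpenID authentication
     * ({@code allow.error.title}); switching the same list to whitelist mode admits it
     * ({@code allow.auth.title}).
     */
    public void testAdminTrustRelationships() {
        loginToServerAsAdmin();
        clickLinkWithExactText("Administration");
        clickLink("loginrestrictions");
        assertKeyPresent("trusts.label");
        // trustType "2" renders the blacklist form.
        clickRadioOption("trustType", "2");
        assertKeyPresent("blacklisthost.label");
        setTextField("address", "localhost");
        submit();
        setTextField("address", "127.0.0.2");
        submit();
        assertTextInTable("addressesTable", new String[]{"localhost", "Remove"});
        assertTextInTable("addressesTable", new String[]{"127.0.0.2", "Remove"});
        clickLink("remove-1");
        assertTextInTable("addressesTable", new String[]{"localhost", "Remove"});
        assertTextNotInTable("addressesTable", "127.0.0.2");
        // The client runs on localhost, which is now blacklisted: the auth request must be refused.
        startAdminLoginFromClient();
        assertKeyPresent("allow.error.title");
        clickLinkWithExactText("Administration");
        clickLink("loginrestrictions");
        assertKeyPresent("trusts.label");
        // trustType "1" renders the whitelist form; the same address list now admits localhost.
        clickRadioOption("trustType", "1");
        assertKeyPresent("whitelisthost.label");
        assertTextInTable("addressesTable", new String[]{"localhost", "Remove"});
        startAdminLoginFromClient();
        assertKeyPresent("allow.auth.title");
        // Clean-up: drop the address and select trustType "0" (presumably "no restriction").
        // NOTE(review): no submit follows the radio change; this relies on scripting (enabled in
        // setUp) applying it. Confirm the reset persists, otherwise later tests inherit the whitelist.
        clickLinkWithExactText("Administration");
        clickLink("loginrestrictions");
        clickLink("remove-0");
        clickRadioOption("trustType", "0");
    }

    /** A user with non-ASCII characters sees their OpenID URL percent-encoded on their own page. */
    public void testInternalOpenIDProfilePageShowsURLInEncodedFormat() {
        loginToServer(UNICODE_USERNAME, UNICODE_PASSWORD);
        clickLinkWithText("My OpenID");
        Assert.assertThat(getElementTextByXPath("//div[@class='identity-bar']"),
                IsEqualIgnoringWhiteSpace.equalToIgnoringWhiteSpace(OPENID_SERVER_URL + "/users/" + UNICODE_USERNAME_ENCODED));
    }

    /** The same encoded URL is shown on the anonymous public profile page. */
    public void testViewPublicProfilePageWithEncodedCharactersShowsOpenIdUrlInEncodedFormat() {
        gotoPage(OPENID_SERVER_URL + "/users/" + UNICODE_USERNAME_ENCODED);
        Assert.assertThat(getElementTextByXPath("//div[@class='identity-bar']"),
                IsEqualIgnoringWhiteSpace.equalToIgnoringWhiteSpace(OPENID_SERVER_URL + "/users/" + UNICODE_USERNAME_ENCODED));
    }

    /**
     * A failed login re-renders the form with the submitted username intact (i.e. not
     * mangled by encoding). The password field is asserted empty, but the submitted password
     * was empty too, so this does not show that a non-empty password is withheld from the
     * re-rendered form.
     */
    public void testRejectedAuthenticationRepeatsCorrectlyEncodedUsername() {
        gotoPage(OPENID_SERVER_URL);
        setTextField("username", UNICODE_USERNAME);
        setTextField("password", "");
        submit();
        if (getPageSource().indexOf("warningBox") < 0) {
            // Dump the page to aid diagnosis; nothing sensitive was submitted.
            System.err.print(getPageSource());
            Assert.fail("Warning not present in page!");
        }
        assertTextFieldEquals("username", UNICODE_USERNAME);
        assertTextFieldEquals("password", "");
    }

    public void testFooterShowsVersion() {
        gotoPage(OPENID_SERVER_URL);
        String footer = getElementTextByXPath("id('footer')/p");
        Assert.assertThat(footer, Matchers.startsWith("Powered by Atlassian CrowdID Version:"));
        // Whatever follows the colon is the version string; it must not be blank.
        Assert.assertThat(footer.replaceFirst(".*?:\\s+", ""), Matchers.not(Matchers.isEmptyString()));
    }

    public void testAboutPageAccessible() {
        gotoPage(OPENID_SERVER_URL + "/about.jsp");
        assertKeyPresent("about.title");
    }

    /** Creates a second profile, makes it the default, then restores "My Profile" as default and cleans up. */
    public void testEditProfilesCanSetNewDefaultProfileForUser() {
        loginToServerAsAdmin();
        gotoPage(OPENID_SERVER_URL + "/secure/profile/editprofiles.action");
        selectOption("profileID", getText("profiles.newprofile.text"));
        setTextField("profileName", "Second Profile");
        submit();
        clickLinkWithKey("profiles.makedefault.label");
        assertTextPresent("Second Profile (default)");
        selectOption("profileID", "My Profile");
        clickLinkWithKey("profiles.makedefault.label");
        deleteProfile("Second Profile");
    }

    // ---------------------------------------------------------------- security controls

    /** {@code editprofiles!update} must not run from a plain GET without an XSRF token. */
    public void testEditProfilesXsrfProtectionRejectsActionWithNoXsrfToken() {
        assertActionRejectedWithoutXsrfToken("/secure/profile/editprofiles!update.action");
    }

    /** {@code editprofiles!makeDefault} must not run from a plain GET without an XSRF token. */
    public void testEditProfilesSetDefaultProfileForUserIsCsrfProtected() {
        assertActionRejectedWithoutXsrfToken("/secure/profile/editprofiles!makeDefault.action");
    }

    /**
     * Persisted XSS: a profile name containing markup is rendered escaped. The name also
     * contains a pre-escaped {@code &amp;}, and the assertion expects {@code &amp;amp;} back,
     * which shows the stored value is escaped exactly once on output — neither emitted raw nor
     * HTML-decoded before escaping.
     */
    public void testEditProfilesPageCorrectlyEscapesProfileNameToProtectAgainstPersistedXSS() {
        String hostileName = "profileNameDoubleEscape&amp;XssTest<script>alert(1)</script>";
        loginToServerAsAdmin();
        gotoPage(OPENID_SERVER_URL + "/secure/profile/editprofiles.action");
        selectOption("profileID", getText("profiles.newprofile.text"));
        setTextField("profileName", hostileName);
        submit();
        Assert.assertThat(getPageSource(),
                Matchers.containsString("profileNameDoubleEscape&amp;amp;XssTest&lt;script&gt;alert(1)&lt;/script&gt;"));
        deleteProfile(hostileName);
    }

    /**
     * Reflected XSS via the {@code warning} / {@code description} request parameters. This is a
     * negative assertion only: it passes equally if the parameters are escaped or not reflected
     * at all, and it does not cover reflection into attribute or script contexts, where a
     * different escaping would be required. NOTE(review): the literal {@code <}/{@code >} in the
     * URL are left to the testing engine to encode — confirm they reach the server un-mangled.
     */
    public void testEditProfilesPageIsNotVulnerableToReflectedXSS() {
        loginToServerAsAdmin();
        gotoPage(OPENID_SERVER_URL + "/secure/profile/editprofiles.action"
                + "?warning=escapeWarning<script>alert(1);</script>"
                + "&description=escapeDescription<script>alert(2);</script>");
        String pageSource = getPageSource();
        Assert.assertThat(pageSource, Matchers.not(Matchers.containsString("escapeWarning<script>alert(1);</script>")));
        Assert.assertThat(pageSource, Matchers.not(Matchers.containsString("escapeDescription<script>alert(2);</script>")));
    }

    /** JSP fragments under {@code /include/} answer 403 both anonymously and for a logged-in admin. */
    public void testIncludeFilesAreNotDirectlyAccessible() {
        assertIncludePathForbidden("/include/* files should be inaccessible before login");
        loginToServerAsAdmin();
        assertIncludePathForbidden("/include/* files should still be inaccessible after login");
    }

    /** Another user cannot even view admin's profile by guessing its numeric id (IDOR on read). */
    public void testUnableToViewProfileForAnotherUser() {
        long adminProfileId = getProfileIdForAdmin();
        loginToServer(UNICODE_USERNAME, UNICODE_PASSWORD);
        gotoPage(OPENID_SERVER_URL + "/secure/profile/editprofiles.action?profileID=" + adminProfileId);
        assertKeyPresent("exception.profile.access.violation.exception");
    }

    /**
     * Another user cannot update admin's profile by id (IDOR on write). The request carries the
     * attacker's own valid XSRF token, so the refusal must come from the ownership check rather
     * than from the XSRF interceptor; afterwards admin's nickname is confirmed unchanged.
     */
    public void testUnableToEditProfileForAnotherUser() {
        long adminProfileId = getProfileIdForAdmin();
        loginToServer(UNICODE_USERNAME, UNICODE_PASSWORD);
        gotoPage(OPENID_SERVER_URL + "/secure/profile/editprofiles.action");
        Matcher tokenMatcher = XSRF_TOKEN_IN_LINK.matcher(getPageSource());
        assertTrue(tokenMatcher.find());
        gotoPage(OPENID_SERVER_URL + "/secure/profile/editprofiles!update.action?profileID=" + adminProfileId
                + "&nickname=Modified&atl_token=" + tokenMatcher.group(1));
        assertKeyPresent("exception.profile.access.violation.exception");
        assertKeyNotPresent("profiles.updated.message");
        logoutFromServer();
        // logoutFromServer() leaves us on the login page, so log straight back in as admin.
        setTextField("username", ADMIN_USERNAME);
        setTextField("password", ADMIN_PASSWORD);
        submit();
        clickLink("myprofiles");
        assertKeyPresent("profiles.select.title");
        assertTextInElement("nickname", "admin");
    }

    /**
     * Posts to the login action from a fresh HTTP client that carries neither a session cookie
     * nor an XSRF token and expects 403. Only the status is checked, so on its own this does
     * not distinguish the XSRF rejection from any other reason the action might answer 403.
     * The client is closed with try-with-resources (the original leaked it).
     */
    public void testLoginPageHasCsrfProtection() throws Exception {
        HttpPost loginPost = new HttpPost(OPENID_SERVER_URL + "/login!update.action");
        try (CloseableHttpClient client = HttpClients.createDefault()) {
            try {
                int status = client.execute(loginPost).getStatusLine().getStatusCode();
                Assert.assertThat(Integer.valueOf(status), Matchers.equalTo(403));
            } finally {
                loginPost.releaseConnection();
            }
        }
    }
}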
