package org.primeframework.mvc;

import com.google.inject.Inject;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.util.Base64;
import org.example.action.SecureAction;
import org.example.domain.User;
import org.primeframework.mvc.security.CBCCipherProvider;
import org.primeframework.mvc.security.DefaultEncryptor;
import org.primeframework.mvc.security.MockUserLoginSecurityContext;
import org.primeframework.mvc.security.UserLoginSecurityContext;
import org.testng.Assert;
import org.testng.annotations.Test;

/* loaded from: input_file:org/primeframework/mvc/CSRFTest.class */
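/**
 * Integration tests for the CSRF protection applied to the {@code /secure} action.
 *
 * <p>Each test logs a user in through the injected {@link UserLoginSecurityContext},
 * turns on {@code configuration.csrfEnabled}, and then drives requests through the
 * {@code simulator}. The test fixtures used below ({@code simulator},
 * {@code configuration}, {@code csrfProvider}, {@code request}, {@code objectMapper})
 * are not declared here and are assumed to be inherited from {@link PrimeBaseTest}.
 *
 * <p>Covered behaviour:
 * <ul>
 *   <li>state-changing verbs (POST/PUT/PATCH/DELETE) succeed when a valid token is
 *       supplied via header or via {@code withCSRFToken},</li>
 *   <li>GET needs no token,</li>
 *   <li>a cross-site {@code Origin} or {@code Referer}, or an opaque ("null")
 *       {@code Origin}, is rejected with 403,</li>
 *   <li>a garbage token is rejected with 403,</li>
 *   <li>the legacy encrypted JSON token format is still accepted.</li>
 * </ul>
 */
public class CSRFTest extends PrimeBaseTest {

    /** Security context used to establish a logged-in user before each request. */
    @Inject
    public UserLoginSecurityContext securityContext;

    /**
     * Shape of the legacy CSRF token payload: the session id the token is bound to and
     * the creation time in epoch milliseconds (see {@link #post_CSRFTokenCompatibility()},
     * which fills it from {@code System.currentTimeMillis()}). Serialized to JSON via the
     * record accessors {@code sid()} and {@code instant()}, so the field names are part of
     * the on-the-wire compatibility contract and must not be renamed.
     *
     * <p>The decompiled form of this class extended {@code java.lang.Record} explicitly and
     * reimplemented {@code equals}/{@code hashCode}/{@code toString} via
     * {@code ObjectMethods.bootstrap}; that does not compile as source. The compact record
     * declaration below generates the same canonical constructor, accessors and
     * {@code Object} methods.
     *
     * @param sid     session id the token was issued for
     * @param instant creation time in epoch milliseconds
     */
    private record CSRFToken(String sid, long instant) {
    }

    /**
     * DELETE is accepted with a valid token in the CSRF header, both with a same-origin
     * {@code Referer} and with no {@code Referer} at all (the token alone suffices).
     */
    @Test
    public void delete_CSRFTokenSuccess() {
        MockUserLoginSecurityContext.roles.add("delete-only");
        this.securityContext.login(new User());
        configuration.csrfEnabled = true;

        // Same-origin Referer plus a freshly issued token in the CSRF header.
        simulator.test("/secure")
                 .withSingleHeader("Referer", "http://localhost:" + simulator.getPort() + "/secure")
                 .withSingleHeader(this.csrfProvider.getHeaderName(), this.csrfProvider.getToken(this.request))
                 .delete()
                 .assertStatusCode(200)
                 .assertBody("Secure!");

        // Token header only; the Referer check is not required when the token is present.
        simulator.test("/secure")
                 .withSingleHeader(this.csrfProvider.getHeaderName(), this.csrfProvider.getToken(this.request))
                 .delete()
                 .assertStatusCode(200)
                 .assertBody("Secure!");
    }

    /**
     * GET is a safe method and requires no token. Also asserts the CSRF parameter name did
     * not show up among the action's unknown parameters, i.e. nothing submitted a token as a
     * request parameter on this path.
     */
    @Test
    public void get_CSRFToken() {
        MockUserLoginSecurityContext.roles.add("admin");
        this.securityContext.login(new User());
        configuration.csrfEnabled = true;

        simulator.test("/secure")
                 .get()
                 .assertStatusCode(200)
                 .assertBody("Secure!");

        Assert.assertFalse(SecureAction.UnknownParameters.containsKey(this.csrfProvider.getParameterName()));
    }

    /**
     * PATCH is accepted with a valid token in the CSRF header, with and without a
     * same-origin {@code Referer}.
     */
    @Test
    public void patch_CSRFTokenSuccess() {
        MockUserLoginSecurityContext.roles.add("patch-only");
        this.securityContext.login(new User());
        configuration.csrfEnabled = true;

        simulator.test("/secure")
                 .withSingleHeader("Referer", "http://localhost:" + simulator.getPort() + "/secure")
                 .withSingleHeader(this.csrfProvider.getHeaderName(), this.csrfProvider.getToken(this.request))
                 .patch()
                 .assertStatusCode(200)
                 .assertBody("Secure!");

        simulator.test("/secure")
                 .withSingleHeader(this.csrfProvider.getHeaderName(), this.csrfProvider.getToken(this.request))
                 .patch()
                 .assertStatusCode(200)
                 .assertBody("Secure!");
    }

    /**
     * A POST whose {@code Origin} does not match the application is rejected with 403.
     * The second request uses the literal string {@code "null"}, which browsers send for an
     * opaque origin; it must be rejected rather than treated as "no Origin header".
     */
    @Test
    public void post_CSRFOriginFailure() {
        MockUserLoginSecurityContext.roles.add("admin");
        this.securityContext.login(new User());
        configuration.csrfEnabled = true;

        simulator.test("/secure")
                 .withSingleHeader("Origin", "https://malicious.com")
                 .post()
                 .assertStatusCode(403);

        // Opaque origin: must not be confused with an absent header.
        simulator.test("/secure")
                 .withSingleHeader("Origin", "null")
                 .post()
                 .assertStatusCode(403);
    }

    /** A POST with a cross-site {@code Referer} and no token is rejected with 403. */
    @Test
    public void post_CSRFRefererFailure() {
        MockUserLoginSecurityContext.roles.add("admin");
        this.securityContext.login(new User());
        configuration.csrfEnabled = true;

        simulator.test("/secure")
                 .withSingleHeader("Referer", "https://malicious.com")
                 .post()
                 .assertStatusCode(403);
    }

    /** A POST carrying a token that was not issued by the provider is rejected with 403. */
    @Test
    public void post_CSRFTokenFailure() {
        MockUserLoginSecurityContext.roles.add("admin");
        this.securityContext.login(new User());
        configuration.csrfEnabled = true;

        simulator.test("/secure")
                 .withCSRFToken("bad-token")
                 .post()
                 .assertStatusCode(403);
    }

    /**
     * POST is accepted with a valid token supplied through {@code withCSRFToken}, with and
     * without a same-origin {@code Referer}.
     *
     * <p>NOTE(review): the third request sets neither a {@code Referer}/{@code Origin} header
     * nor an explicit token and is still expected to return 200. Presumably the simulator
     * attaches a token to POSTs by default; confirm that is what this assertion relies on,
     * since otherwise it would be asserting that an unauthenticated-by-token POST passes.
     */
    @Test
    public void post_CSRFTokenSuccess() {
        MockUserLoginSecurityContext.roles.add("admin");
        this.securityContext.login(new User());
        configuration.csrfEnabled = true;

        simulator.test("/secure")
                 .withSingleHeader("Referer", "http://localhost:" + simulator.getPort() + "/secure")
                 .withCSRFToken(this.csrfProvider.getToken(this.request))
                 .post()
                 .assertStatusCode(200)
                 .assertBody("Secure!");

        simulator.test("/secure")
                 .withCSRFToken(this.csrfProvider.getToken(this.request))
                 .post()
                 .assertStatusCode(200)
                 .assertBody("Secure!");

        simulator.test("/secure")
                 .post()
                 .assertStatusCode(200)
                 .assertBody("Secure!");
    }

    /**
     * Backward compatibility with the legacy token format: a {@link CSRFToken} for the current
     * session, serialized to JSON, encrypted with {@link DefaultEncryptor} over
     * {@link CBCCipherProvider}, and URL-safe Base64 encoded, must still be accepted.
     *
     * <p>The final assertion checks that the CSRF parameter name <em>is</em> present in the
     * action's unknown parameters, the opposite of {@link #get_CSRFToken()}. Presumably
     * {@code withCSRFToken} submits the token as a request parameter that the action does not
     * declare; this pins that the legacy token travels as a parameter rather than a header.
     *
     * @throws Exception from JSON serialization or encryption of the constructed token
     */
    @Test
    public void post_CSRFTokenCompatibility() throws Exception {
        MockUserLoginSecurityContext.roles.add("admin");
        this.securityContext.login(new User());
        configuration.csrfEnabled = true;

        // Same CBC provider is used for both encryptor arguments, matching the original fixture.
        DefaultEncryptor legacyEncryptor = new DefaultEncryptor(new CBCCipherProvider(configuration),
                                                                new CBCCipherProvider(configuration));
        CSRFToken legacyToken = new CSRFToken(this.securityContext.getSessionId(), System.currentTimeMillis());
        byte[] encrypted = legacyEncryptor.encrypt(this.objectMapper.writeValueAsBytes(legacyToken));
        String encodedToken = Base64.getUrlEncoder().encodeToString(encrypted);

        simulator.test("/secure")
                 .withSingleHeader("Referer", "http://localhost:" + simulator.getPort() + "/secure")
                 .withCSRFToken(encodedToken)
                 .post()
                 .assertStatusCode(200)
                 .assertBody("Secure!");

        Assert.assertTrue(SecureAction.UnknownParameters.containsKey(this.csrfProvider.getParameterName()));
    }

    /**
     * PUT is accepted with a valid token in the CSRF header, with and without a same-origin
     * {@code Referer}.
     */
    @Test
    public void put_CSRFTokenSuccess() {
        MockUserLoginSecurityContext.roles.add("put-only");
        this.securityContext.login(new User());
        configuration.csrfEnabled = true;

        simulator.test("/secure")
                 .withSingleHeader("Referer", "http://localhost:" + simulator.getPort() + "/secure")
                 .withSingleHeader(this.csrfProvider.getHeaderName(), this.csrfProvider.getToken(this.request))
                 .put()
                 .assertStatusCode(200)
                 .assertBody("Secure!");

        simulator.test("/secure")
                 .withSingleHeader(this.csrfProvider.getHeaderName(), this.csrfProvider.getToken(this.request))
                 .put()
                 .assertStatusCode(200)
                 .assertBody("Secure!");
    }
}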
