package com.atlassian.seraph.auth;
   
   import com.atlassian.seraph.config.ConfigurationException;
   import com.atlassian.seraph.config.SecurityConfigFactory;
   import com.atlassian.seraph.config.SecurityConfigImpl;
   import com.atlassian.seraph.elevatedsecurity.CountingElevatedSecurityGuard;
   import com.atlassian.seraph.interceptor.Interceptor;
   import com.atlassian.seraph.interceptor.LogoutInterceptor;
   import com.atlassian.seraph.service.rememberme.RememberMeService;
  import com.atlassian.seraph.util.CharsetUtils;
  import com.atlassian.seraph.util.SecurityUtils;
  import com.mockobjects.dynamic.C;
  import com.mockobjects.dynamic.Mock;
  import junit.framework.TestCase;
  
  import javax.servlet.http.HttpServletRequest;
  import javax.servlet.http.HttpServletResponse;
  import javax.servlet.http.HttpSession;
  import java.security.Principal;
  
  import static org.mockito.Mockito.mock;
  import static org.mockito.Mockito.when;
  
  /**
   * This test uses a mix of shitty old Mock objects and the new Mockito framework.
   * <p/>
   * Like most of the olden day Atlassian code, this test is an abomination of hacks and forced calls.
   * <p/>
   * I tried but failed to get it into shape and hence its still an abomination of hacks and forced calls.
   */
  public class TestDefaultAuthenticator extends TestCase
  {
      private Mock request;
      private Mock response;
      private SecurityConfigImpl config;
      private StubAuthenticator authenticator;
      private Mock session;
      private Principal user;
      private RememberMeService rememberMeService;
      private static final String TEST_USERNAME = CharsetUtils.stringFromBytes(new byte[]{(byte) 0xfc, 0x03, 0x05, 0x02, 0x0e, (byte) 0xf5, 0x0d, 0x05}, CharsetUtils.ISO_LATIN_1_CHARSET); // "üsernåme"
      private static final String TEST_PASSWORD = CharsetUtils.stringFromBytes(new byte[]{0x00, (byte) 0xf4, 0x03, 0x03, 0x07, 0x0f, 0x02, 0x04}, CharsetUtils.ISO_LATIN_1_CHARSET); // "pässword"
  
      protected void setUp() throws Exception
      {
          super.setUp();
          request = new Mock(HttpServletRequest.class);
          response = new Mock(HttpServletResponse.class);
          session = new Mock(HttpSession.class);
          SecurityConfigFactory.setSecurityConfig(null);
          config = (SecurityConfigImpl) SecurityConfigFactory.getInstance("test-seraph-config.xml");
          authenticator = (StubAuthenticator) config.getAuthenticator();
          user = new Principal()
          {
              public String getName()
              {
                  return "Test User";
              }
          };
  
          rememberMeService = mock(RememberMeService.class);
          authenticator.setRememberMeService(rememberMeService);
  
          authenticator.addUser(user.getName(), user);
      }
  
      public void testLogout() throws ConfigurationException, AuthenticatorException
      {
          // mocks
          final Mock logoutInterceptor = new Mock(LogoutInterceptor.class);
  
          // expectations
          request.expectAndReturn("getSession", session.proxy());
  
          mockOutLoginReason(LoginReason.OUT);
  
          session.expect("setAttribute", C.args(C.eq(DefaultAuthenticator.LOGGED_IN_KEY), C.IS_NULL));
          session.expect("setAttribute", C.args(C.eq(DefaultAuthenticator.LOGGED_OUT_KEY), C.eq(Boolean.TRUE)));
  
          logoutInterceptor.expect("beforeLogout", C.ANY_ARGS);
          logoutInterceptor.expect("afterLogout", C.ANY_ARGS);
          config.addInterceptor((Interceptor) logoutInterceptor.proxy());
  
          // do test!
          authenticator.logout((HttpServletRequest) request.proxy(), (HttpServletResponse) response.proxy());
  
          // verify everything
          request.verify();
          response.verify();
          session.verify();
          logoutInterceptor.verify();
      }
  
      public void testGetUserChecksSessionFirst()
      {
  
          request.matchAndReturn("getSession", C.ANY_ARGS, session.proxy());
          session.matchAndReturn("getAttribute", C.args(C.eq(DefaultAuthenticator.LOGGED_OUT_KEY)), null);
          session.matchAndReturn("getAttribute", C.args(C.eq(DefaultAuthenticator.LOGGED_IN_KEY)), user);
  
         mockOutLoginReason(LoginReason.OK);
 
         final Principal result = authenticator.getUser((HttpServletRequest) request.proxy(), (HttpServletResponse) response.proxy());
         assertEquals(user, result);
 
         request.verify();
         response.verify();
         session.verify();
     }
 
     private StubAuthenticator setupRememberMeCookieState(LoginReason loginReason)
     {
         request.matchAndReturn("getSession", C.IS_FALSE, null); // no session during initial check
         request.matchAndReturn("getSession", C.NO_ARGS, session.proxy()); // session "created" when cookie login() gets it
 
         mockOutLoginReason(loginReason);
 
         session.matchAndReturn("getAttribute", C.args(C.eq(DefaultAuthenticator.LOGGED_OUT_KEY)), null);
         session.matchAndReturn("getAttribute", C.args(C.eq(DefaultAuthenticator.LOGGED_IN_KEY)), user);
         return authenticator;
     }
 
     public void testGetUserChecksCookieIfNoSession()
     {
         setupRememberMeCookieState(LoginReason.OK);
 
         final HttpServletRequest httpServletRequest = (HttpServletRequest) request.proxy();
         final HttpServletResponse httpServletResponse = (HttpServletResponse) response.proxy();
 
         when(rememberMeService.getRememberMeCookieAuthenticatedUsername(httpServletRequest, httpServletResponse)).thenReturn(user.getName());
 
         final Principal result = authenticator.getUser(httpServletRequest, httpServletResponse);
         assertEquals(user, result);
 
         request.verify();
         response.verify();
         session.verify();
     }
 
     public void testGetUserChecksCookieIfNoSession_ButFailedAuthorisation()
     {
         authenticator.setDesiredLoginAnswer(false);
         setupRememberMeCookieState(LoginReason.AUTHORISATION_FAILED);
 
         // basic auth checks happen now if we fail
         request.expectAndReturn("getQueryString", "p=v");
         request.expectAndReturn("getHeader", "Authorization", null);
 
         final HttpServletRequest httpServletRequest = (HttpServletRequest) request.proxy();
         final HttpServletResponse httpServletResponse = (HttpServletResponse) response.proxy();
 
         when(rememberMeService.getRememberMeCookieAuthenticatedUsername(httpServletRequest, httpServletResponse)).thenReturn(user.getName());
 
         final Principal result = authenticator.getUser(httpServletRequest, httpServletResponse);
         assertNull(result);
 
         request.verify();
         response.verify();
         session.verify();
     }
 
 
     public void testGetUserReturnsNullWithNoValidAuthentication()
     {
         request.matchAndReturn("getSession", C.IS_FALSE, null);
         request.expectAndReturn("getQueryString", null); // no basic auth
         request.expectAndReturn("getHeader", C.args(C.eq("Authorization")), null);
 
         final Principal result = authenticator.getUser((HttpServletRequest) request.proxy(), (HttpServletResponse) response.proxy());
         assertEquals(null, result);
 
         request.verify();
         response.verify();
         session.verify();
     }
 
     public void testGetUserBasicAuthRequiredButMissing()
     {
         request.matchAndReturn("getSession", C.IS_FALSE, null);
         request.matchAndReturn("getCookies", null);
         request.matchAndReturn("getQueryString", "os_authType=basic"); // basic auth
 
         // no Authorization header
         request.expectAndReturn("getHeader", C.eq("Authorization"), null);
         // so we expect a 401 Authentication required
         response.expect("setStatus", C.eq(401));
         response.expect("setHeader", C.eq("WWW-Authenticate", "Basic realm=\"protected-area\""));
 
         final Principal result = authenticator.getUser((HttpServletRequest) request.proxy(), (HttpServletResponse) response.proxy());
         assertEquals(null, result);
 
         request.verify();
         response.verify();
         session.verify();
     }
 
     private StubAuthenticator setupBasicAuthHttpState(LoginReason loginReason)
     {
         request.matchAndReturn("getSession", C.IS_FALSE, null);
         request.matchAndReturn("getCookies", null);
         request.matchAndReturn("getQueryString", "os_authType=basic"); // basic auth
 
         mockOutLoginReason(loginReason);
 
         // valid Authorization header
         request.expectAndReturn("getHeader", C.eq("Authorization"),
                 SecurityUtils.encodeBasicAuthorizationCredentials(TEST_USERNAME, TEST_PASSWORD));
         // add the correct user to the stub
         final StubAuthenticator stubAuthenticator = authenticator;
         stubAuthenticator.addUser(TEST_USERNAME, user);
         return stubAuthenticator;
     }
 
     public void testGetUserBasicAuthProvidedUsingRequestParameter()
     {
         setupBasicAuthHttpState(LoginReason.OK);
 
         final Principal result = authenticator.getUser((HttpServletRequest) request.proxy(), (HttpServletResponse) response.proxy());
         assertEquals(user, result);
 
         request.verify();
         response.verify();
         session.verify();
     }
 
     public void testGetUserBasicAuthProvidedUsingRequestParameter_ButFailsElevatedSecurity() throws ConfigurationException
     {
         final StubAuthenticator stubAuthenticator = setupBasicAuthHttpState(LoginReason.AUTHENTICATION_DENIED);
 
         final CountingElevatedSecurityGuard securityGuard = new CountingElevatedSecurityGuard(false, TEST_USERNAME);
         stubAuthenticator.setElevatedSecurityGuard(securityGuard);
 
         // when we fail we send this back
         response.expect("sendError", C.args(C.eq(401), C.eq("Basic Authentication Failure - Reason : " + LoginReason.AUTHENTICATION_DENIED)));
 
         final Principal result = authenticator.getUser((HttpServletRequest) request.proxy(), (HttpServletResponse) response.proxy());
         assertNull(result);
 
         assertEquals(0, securityGuard.getSuccessCount());
         assertEquals(1, securityGuard.getFailedCount());
 
         request.verify();
         response.verify();
         session.verify();
     }
 
     public void testGetUserBasicAuthProvidedUsingRequestParameter_PassesElevatedSecurity_ButFailsLogin() throws ConfigurationException
     {
         final StubAuthenticator stubAuthenticator = setupBasicAuthHttpState(LoginReason.AUTHENTICATED_FAILED);
         stubAuthenticator.setDesiredLoginAnswer(false);
 
         final CountingElevatedSecurityGuard securityGuard = new CountingElevatedSecurityGuard(true, TEST_USERNAME);
         stubAuthenticator.setElevatedSecurityGuard(securityGuard);
 
         // when we fail we send this back
         response.expect("sendError", C.args(C.eq(401), C.eq("Basic Authentication Failure - Reason : " + LoginReason.AUTHENTICATED_FAILED)));
 
         final Principal result = authenticator.getUser((HttpServletRequest) request.proxy(), (HttpServletResponse) response.proxy());
         assertNull(result);
 
         assertEquals(0, securityGuard.getSuccessCount());
         assertEquals(1, securityGuard.getFailedCount());
 
         request.verify();
         response.verify();
         session.verify();
     }
 
     public void testGetUserBasicAuthProvidedUsingRequestParameter_PassesElevatedSecurity_AndPassesLogin() throws ConfigurationException
     {
         final StubAuthenticator stubAuthenticator = setupBasicAuthHttpState(LoginReason.OK);
         stubAuthenticator.setDesiredLoginAnswer(true);
 
         final CountingElevatedSecurityGuard securityGuard = new CountingElevatedSecurityGuard(true, TEST_USERNAME);
         stubAuthenticator.setElevatedSecurityGuard(securityGuard);
 
         final Principal result = authenticator.getUser((HttpServletRequest) request.proxy(), (HttpServletResponse) response.proxy());
         assertEquals(user, result);
 
         assertEquals(1, securityGuard.getSuccessCount());
         assertEquals(0, securityGuard.getFailedCount());
 
         request.verify();
         response.verify();
         session.verify();
     }
 
     public void testGetUserBasicAuthProvidedUsingHeader()
     {
         final String authorizationHeader = SecurityUtils.encodeBasicAuthorizationCredentials(TEST_USERNAME, TEST_PASSWORD);
 
         request.matchAndReturn("getSession", C.IS_FALSE, null);
         request.matchAndReturn("getCookies", null);
         request.matchAndReturn("getQueryString", null); // no basic auth
 
         request.expectAndReturn("getHeader", C.eq("Authorization"), authorizationHeader);
         request.expectAndReturn("getHeader", C.eq("Authorization"), authorizationHeader);
 
         mockOutLoginReason(LoginReason.OK);
 
         // add the correct user to the stub
         final StubAuthenticator stubAuthenticator = authenticator;
         stubAuthenticator.addUser(TEST_USERNAME, user);
 
         final CountingElevatedSecurityGuard securityGuard = new CountingElevatedSecurityGuard(true, TEST_USERNAME);
         stubAuthenticator.setElevatedSecurityGuard(securityGuard);
 
         final Principal result = authenticator.getUser((HttpServletRequest) request.proxy(), (HttpServletResponse) response.proxy());
         assertEquals(user, result);
 
         assertEquals(1, securityGuard.getSuccessCount());
         assertEquals(0, securityGuard.getFailedCount());
 
         request.verify();
         response.verify();
         session.verify();
     }
 
     private void mockOutLoginReason(LoginReason loginReason)
     {
         request.expectAndReturn("getAttribute", C.args(C.eq("com.atlassian.seraph.auth.LoginReason")), null);
         request.expect("setAttribute", C.args(C.eq("com.atlassian.seraph.auth.LoginReason"), C.eq(loginReason)));
 
         response.expect("addHeader", C.ANY_ARGS);
     }
 }