package org.geoserver.security;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Function;
import javax.servlet.Filter;
import org.apache.commons.codec.binary.Base64;
import org.geoserver.data.test.SystemTestData;
import org.geoserver.security.config.BruteForcePreventionConfig;
import org.geoserver.security.config.SecurityManagerConfig;
import org.geoserver.security.filter.GeoServerBasicAuthenticationFilterTest;
import org.geoserver.test.GeoServerSystemTestSupport;
import org.hamcrest.Matchers;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;

/* loaded from: input_file:org/geoserver/security/BruteForceAttackTest.class */
public class BruteForceAttackTest extends GeoServerSystemTestSupport {
    private static final String HELLO_GET_REQUEST = "ows?service=hello&request=hello&message=Hello_World";

    protected void setUpSpring(List<String> list) {
        super.setUpSpring(list);
        list.add("classpath*:/org/geoserver/ows/applicationContext.xml");
    }

    protected void setUpTestData(SystemTestData systemTestData) throws Exception {
        systemTestData.setUpSecurity();
    }

    protected List<Filter> getFilters() {
        return Arrays.asList((Filter) applicationContext.getBean(GeoServerSecurityFilterChainProxy.class));
    }

    @Before
    public void resetAuthentication() {
        setRequestAuth(null, null);
    }

    @Before
    public void resetBruteForceAttackConfig() throws Exception {
        GeoServerSecurityManager geoServerSecurityManager = (GeoServerSecurityManager) applicationContext.getBean(GeoServerSecurityManager.class);
        SecurityManagerConfig securityConfig = geoServerSecurityManager.getSecurityConfig();
        BruteForcePreventionConfig bruteForcePrevention = securityConfig.getBruteForcePrevention();
        bruteForcePrevention.setEnabled(true);
        bruteForcePrevention.setMinDelaySeconds(1);
        bruteForcePrevention.setMaxDelaySeconds(1);
        bruteForcePrevention.setMaxBlockedThreads(100);
        bruteForcePrevention.setWhitelistedMasks(Collections.emptyList());
        geoServerSecurityManager.saveSecurityConfig(securityConfig);
    }

    @Test
    public void testLoginDelay() throws Exception {
        setRequestAuth("admin", GeoServerBasicAuthenticationFilterTest.PASSWORD);
        Assert.assertEquals(200L, getAsServletResponse(HELLO_GET_REQUEST).getStatus());
        setRequestAuth("admin", "foobar");
        long currentTimeMillis = System.currentTimeMillis();
        Assert.assertEquals(401L, getAsServletResponse(HELLO_GET_REQUEST).getStatus());
        Assert.assertThat(Long.valueOf(System.currentTimeMillis() - currentTimeMillis), Matchers.greaterThan(1000L));
    }

    @Test
    public void testParallelLogin() throws Exception {
        testParallelLogin("Concurrent login attempts during delay period not allowed", num -> {
            return "foo";
        });
    }

    @Test
    public void testTooManyBlockedThreads() throws Exception {
        GeoServerSecurityManager geoServerSecurityManager = (GeoServerSecurityManager) applicationContext.getBean(GeoServerSecurityManager.class);
        SecurityManagerConfig securityConfig = geoServerSecurityManager.getSecurityConfig();
        securityConfig.getBruteForcePrevention().setMaxBlockedThreads(1);
        geoServerSecurityManager.saveSecurityConfig(securityConfig);
        testParallelLogin("Too many failed logins waiting on delay", num -> {
            return "foo" + num;
        });
    }

    private void testParallelLogin(String str, Function<Integer, String> function) throws InterruptedException, ExecutionException {
        ExecutorService newFixedThreadPool = Executors.newFixedThreadPool(32);
        CountDownLatch countDownLatch = new CountDownLatch(32);
        AtomicInteger atomicInteger = new AtomicInteger(0);
        ArrayList arrayList = new ArrayList();
        long currentTimeMillis = System.currentTimeMillis();
        for (int i = 0; i < 32; i++) {
            int i2 = i;
            arrayList.add(newFixedThreadPool.submit(() -> {
                countDownLatch.countDown();
                countDownLatch.await();
                MockHttpServletRequest createRequest = createRequest(HELLO_GET_REQUEST);
                createRequest.setMethod("GET");
                createRequest.setContent(new byte[0]);
                createRequest.addHeader("Authorization", "Basic " + new String(Base64.encodeBase64((((String) function.apply(Integer.valueOf(i2))) + ":foobar").getBytes())));
                MockHttpServletResponse dispatch = dispatch(createRequest, "UTF-8");
                Assert.assertEquals(401L, dispatch.getStatus());
                if (!dispatch.getErrorMessage().contains(str)) {
                    return null;
                }
                atomicInteger.incrementAndGet();
                return null;
            }));
        }
        Iterator it = arrayList.iterator();
        while (it.hasNext()) {
            ((Future) it.next()).get();
        }
        long currentTimeMillis2 = System.currentTimeMillis() - currentTimeMillis;
        newFixedThreadPool.shutdown();
        Assert.assertTrue(currentTimeMillis2 > 32000 || atomicInteger.get() > 0);
    }
}
