package com.atlassian.jira.webtests.ztests.security.xsrf;

import com.atlassian.jira.functest.framework.BaseJiraFuncTest;
import com.atlassian.jira.functest.framework.RestoreBlankInstance;
import com.atlassian.jira.functest.framework.suite.Category;
import com.atlassian.jira.functest.framework.suite.WebTest;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.ws.rs.core.UriBuilder;
import org.apache.commons.httpclient.Header;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;
import org.hamcrest.Matchers;
import org.junit.Assert;
import org.junit.Test;

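@RestoreBlankInstance
@WebTest({Category.FUNC_TEST, Category.SECURITY})
/* loaded from: input_file:com/atlassian/jira/webtests/ztests/security/xsrf/TestXsrfSessionBoundToken.class */
/**
 * Functional tests for the session-bound XSRF token behaviour.
 *
 * <p>Each test issues an unauthenticated GET with a chosen {@code User-Agent} and
 * inspects the {@code Set-Cookie} response headers: the XSRF token cookie must
 * always be issued, while a {@code JSESSIONID} cookie is expected only for the
 * webwork (Dashboard) endpoint and must not be issued by the REST endpoint.
 *
 * <p>All {@code Set-Cookie} headers of a response are inspected, not just the
 * first one: a server sends one {@code Set-Cookie} header per cookie, so
 * asserting on a single header could miss a session cookie that is set after
 * the XSRF token cookie.
 */
public class TestXsrfSessionBoundToken extends BaseJiraFuncTest {
    private final HttpClient client = new HttpClient();
    /** A User-Agent string of a mainstream browser (Firefox 70 on macOS). */
    private static final String HEADER = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:70.0) Gecko/20100101 Firefox/70.0";
    /** A User-Agent string that no browser detection is expected to recognise. */
    private static final String UNKNOWN_BROWSER = "Random-Unknown-Browser";
    private static final String DASHBOARD_URI = "/secure/Dashboard.jspa";
    private static final String GADGET_FEED_URI = "/rest/gadgets/1.0/g/feed";
    private static final String XSRF_TOKEN_KEY = "atlassian.xsrf.token";
    private static final String JSESSIONID = "JSESSIONID";
    private static final String SET_COOKIE = "Set-Cookie";
    private static final String USER_AGENT = "User-Agent";

    @Test
    public void testRequestToRestEndpointAsUnknownBrowserShouldNotReturnSessionCookie() throws IOException, URISyntaxException {
        String cookies = fetchSetCookieHeaders(GADGET_FEED_URI, UNKNOWN_BROWSER);
        Assert.assertThat(cookies, Matchers.containsString(XSRF_TOKEN_KEY));
        Assert.assertThat(cookies, Matchers.not(Matchers.containsString(JSESSIONID)));
    }

    @Test
    public void testRequestToRestEndpointAsKnownBrowserShouldNotReturnSessionCookie() throws IOException, URISyntaxException {
        String cookies = fetchSetCookieHeaders(GADGET_FEED_URI, HEADER);
        Assert.assertThat(cookies, Matchers.containsString(XSRF_TOKEN_KEY));
        Assert.assertThat(cookies, Matchers.not(Matchers.containsString(JSESSIONID)));
    }

    @Test
    public void testRequestToWebworkEndpointShouldReturnSessionCookie() throws IOException, URISyntaxException {
        String cookies = fetchSetCookieHeaders(DASHBOARD_URI, HEADER);
        Assert.assertThat(cookies, Matchers.containsString(XSRF_TOKEN_KEY));
        Assert.assertThat(cookies, Matchers.containsString(JSESSIONID));
    }

    /**
     * Issues a GET to {@code path} on the test instance with the given
     * {@code User-Agent}, asserts a 200 response and returns the values of
     * every {@code Set-Cookie} header, one per line.
     *
     * @param path      path relative to the instance base URL
     * @param userAgent value sent in the {@code User-Agent} request header
     * @return the concatenated {@code Set-Cookie} header values
     * @throws IOException        if the request fails
     * @throws URISyntaxException if the base URL cannot be turned into a URI
     * @throws AssertionError     if the status is not 200 or no cookie was set
     */
    private String fetchSetCookieHeaders(String path, String userAgent) throws IOException, URISyntaxException {
        GetMethod getMethod = new GetMethod(requestURI(path).toString());
        getMethod.setRequestHeader(USER_AGENT, userAgent);
        try {
            Assert.assertEquals(200L, this.client.executeMethod(getMethod));
            // One Set-Cookie header is sent per cookie; collect all of them so that a
            // session cookie set after the XSRF cookie cannot escape the assertions.
            Header[] setCookieHeaders = getMethod.getResponseHeaders(SET_COOKIE);
            Assert.assertNotNull("no Set-Cookie header for " + path, setCookieHeaders);
            Assert.assertTrue("no Set-Cookie header for " + path, setCookieHeaders.length > 0);
            StringBuilder cookies = new StringBuilder();
            for (Header header : setCookieHeaders) {
                cookies.append(header.getValue()).append('\n');
            }
            return cookies.toString();
        } finally {
            // HttpClient 3 keeps the connection until the method releases it.
            getMethod.releaseConnection();
        }
    }

    /**
     * Resolves {@code str} against the base URL of the instance under test.
     *
     * @param str path to append to the base URL
     * @return the absolute request URI
     * @throws URISyntaxException if the base URL cannot be turned into a URI
     */
    private URI requestURI(String str) throws URISyntaxException {
        return UriBuilder.fromUri(this.environmentData.getBaseUrl().toURI()).path(str).build(new Object[0]);
    }
}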
