package com.atlassian.jira.webtests.ztests.security;

import com.atlassian.jira.functest.framework.Administration;
import com.atlassian.jira.functest.framework.BaseJiraFuncTest;
import com.atlassian.jira.functest.framework.LoginAs;
import com.atlassian.jira.functest.framework.suite.Category;
import com.atlassian.jira.functest.framework.suite.WebTest;
import com.atlassian.plugins.rest.api.internal.security.cors.CorsHeaders;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.inject.Inject;
import javax.ws.rs.core.UriBuilder;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.UsernamePasswordCredentials;
import org.apache.commons.httpclient.auth.AuthScope;
import org.apache.commons.httpclient.methods.GetMethod;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

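/**
 * Functional tests for the CORS response header Jira returns on REST resources.
 *
 * <p>Every test restores {@code TestCorsAllowedResource.xml}, sends a GET carrying an
 * {@code Origin} request header, expects HTTP 200, and then inspects the response header
 * named by {@link CorsHeaders#ACCESS_CONTROL_ALLOW_ORIGIN}.
 *
 * <p>NOTE(review): the restored fixture presumably whitelists {@link #ALLOWED_ORIGIN} and
 * nothing else; that configuration lives in the XML file and is not visible here.
 *
 * <p>NOTE(review): coverage gaps a maintainer may want to close:
 * <ul>
 *   <li>The two {@code ...WithPreflight} tests send an ordinary GET, exactly like their
 *       non-preflight counterparts. No {@code OPTIONS} request is issued, so preflight
 *       handling is not exercised by this class.</li>
 *   <li>Both origin constants end in {@code /}. Browsers serialise {@code Origin} as
 *       scheme, host and port with no trailing slash, so confirm the whitelist comparison
 *       is also tested against the form a real browser sends.</li>
 *   <li>Only the allow-origin header is checked; the credentials and {@code Vary} headers
 *       that accompany a reflected origin are not asserted.</li>
 * </ul>
 */
@LoginAs(user = "admin")
@WebTest({Category.FUNC_TEST, Category.SECURITY})
/* loaded from: input_file:com/atlassian/jira/webtests/ztests/security/TestCorsAllowedResource.class */
public class TestCorsAllowedResource extends BaseJiraFuncTest {
    /** Origin the tests expect to be echoed back on CORS-enabled resources. */
    private static final String ALLOWED_ORIGIN = "http://localhost:8550/";
    /** Origin the tests expect never to be echoed back. */
    private static final String NOT_ALLOWED_ORIGIN = "http://localhost:8560/";
    /** Resource the test names describe as carrying the CorsAllowed annotation. */
    private static final String CORS_ALLOWED_PATH = "/rest/api/2/project";
    /** Resource the test names describe as lacking the CorsAllowed annotation. */
    private static final String CORS_NOT_ALLOWED_PATH = "/rest/internal/1.0/darkFeatures/jira.user.darkfeature.admin";

    private final HttpClient client = new HttpClient();

    @Inject
    private Administration administration;

    /** Restores the fixture data before each test so every case starts from the same configuration. */
    @Before
    public void setUpTest() {
        this.administration.restoreData("TestCorsAllowedResource.xml");
    }

    /** An allowed origin must be echoed back verbatim on the CORS-enabled resource. */
    @Test
    public void testRequestToResourceWithCorsAllowedAnnotationFromAllowedOrigin() throws IOException, URISyntaxException {
        String allowOrigin = fetchAllowOriginHeader(CORS_ALLOWED_PATH, ALLOWED_ORIGIN);
        // Fail with an assertion rather than a NullPointerException when the header is missing.
        Assert.assertNotNull(allowOrigin);
        Assert.assertEquals(ALLOWED_ORIGIN, allowOrigin);
    }

    /** A non-whitelisted origin still gets a 200 but must not receive the allow-origin header. */
    @Test
    public void testRequestToResourceWithCorsAllowedAnnotationFromNotAllowedOrigin() throws IOException, URISyntaxException {
        Assert.assertNull(fetchAllowOriginHeader(CORS_ALLOWED_PATH, NOT_ALLOWED_ORIGIN));
    }

    /**
     * Checks that the allow-origin header is present for the allowed origin.
     *
     * <p>NOTE(review): despite the name, this sends a plain GET and no OPTIONS preflight.
     */
    @Test
    public void testRequestToResourceWithCorsAllowedAnnotationFromAllowedOriginWithPreflight() throws IOException, URISyntaxException {
        Assert.assertNotNull(fetchAllowOriginHeader(CORS_ALLOWED_PATH, ALLOWED_ORIGIN));
    }

    /**
     * Checks that the allow-origin header is absent for the non-whitelisted origin.
     *
     * <p>NOTE(review): despite the name, this sends a plain GET and no OPTIONS preflight.
     */
    @Test
    public void testRequestToResourceWithCorsAllowedAnnotationFromNotAllowedOriginWithPreflight() throws IOException, URISyntaxException {
        Assert.assertNull(fetchAllowOriginHeader(CORS_ALLOWED_PATH, NOT_ALLOWED_ORIGIN));
    }

    /** Even a whitelisted origin must get no allow-origin header from the non-CORS resource. */
    @Test
    public void testRequestToResourceWithoutCorsAllowedAnnotationFromAllowedOrigin() throws IOException, URISyntaxException {
        authenticateAsAdmin();
        Assert.assertNull(fetchAllowOriginHeader(CORS_NOT_ALLOWED_PATH, ALLOWED_ORIGIN));
    }

    /** A non-whitelisted origin must get no allow-origin header from the non-CORS resource. */
    @Test
    public void testRequestToResourceWithoutCorsAllowedAnnotationFromNotAllowedOrigin() throws IOException, URISyntaxException {
        authenticateAsAdmin();
        Assert.assertNull(fetchAllowOriginHeader(CORS_NOT_ALLOWED_PATH, NOT_ALLOWED_ORIGIN));
    }

    /**
     * Configures the shared client to send the fixture's admin credentials preemptively.
     *
     * <p>{@code AuthScope.ANY} attaches the credentials to every host the client contacts.
     * That is tolerable here only because this client talks solely to the instance under
     * test, and the password is a throwaway fixture value.
     */
    private void authenticateAsAdmin() {
        this.client.getParams().setAuthenticationPreemptive(true);
        this.client.getState().setCredentials(AuthScope.ANY, new UsernamePasswordCredentials("admin", "admin"));
    }

    /**
     * Sends a GET to {@code path} with the given {@code Origin}, asserts a 200 response and
     * returns the value of the allow-origin response header.
     *
     * @param path REST path relative to the base URL of the instance under test
     * @param origin value to send in the {@code Origin} request header
     * @return the allow-origin header value, or {@code null} when the response has no such header
     * @throws IOException if the HTTP exchange fails
     * @throws URISyntaxException if the base URL cannot be converted to a URI
     */
    private String fetchAllowOriginHeader(String path, String origin) throws IOException, URISyntaxException {
        GetMethod request = new GetMethod(restURI(path).toString());
        request.addRequestHeader(CorsHeaders.ORIGIN.value(), origin);
        try {
            Assert.assertEquals(200L, this.client.executeMethod(request));
            String headerName = CorsHeaders.ACCESS_CONTROL_ALLOW_ORIGIN.value();
            // Read the value before the connection is released in the finally block.
            return request.getResponseHeader(headerName) == null
                    ? null
                    : request.getResponseHeader(headerName).getValue();
        } finally {
            // The original tests never released the connection; do it even when an assertion fails.
            request.releaseConnection();
        }
    }

    /**
     * Builds an absolute URI by appending {@code str} to the base URL of the instance under test.
     *
     * @param str path to append to the base URL
     * @return the absolute URI
     * @throws URISyntaxException if the base URL is not a valid URI
     */
    private URI restURI(String str) throws URISyntaxException {
        return UriBuilder.fromUri(this.environmentData.getBaseUrl().toURI()).path(str).build();
    }
}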
