package com.zimbra.qa.unittest;

import com.zimbra.client.ZMailbox;
import com.zimbra.common.httpclient.HttpClientUtil;
import com.zimbra.common.localconfig.LC;
import com.zimbra.common.service.ServiceException;
import com.zimbra.common.soap.SoapHttpTransport;
import com.zimbra.common.soap.SoapProtocol;
import com.zimbra.common.util.ZimbraCookie;
import com.zimbra.common.util.ZimbraHttpConnectionManager;
import com.zimbra.common.util.ZimbraLog;
import com.zimbra.cs.account.Provisioning;
import com.zimbra.soap.JaxbUtil;
import com.zimbra.soap.SoapEngine;
import com.zimbra.soap.admin.message.AuthRequest;
import com.zimbra.soap.admin.message.AuthResponse;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import org.apache.commons.httpclient.Cookie;
import org.apache.commons.httpclient.Header;
import org.apache.commons.httpclient.HeaderElement;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpMethod;
import org.apache.commons.httpclient.HttpState;
import org.apache.commons.httpclient.methods.PostMethod;
import org.apache.commons.httpclient.methods.multipart.ByteArrayPartSource;
import org.apache.commons.httpclient.methods.multipart.FilePart;
import org.apache.commons.httpclient.methods.multipart.MultipartRequestEntity;
import org.apache.commons.httpclient.methods.multipart.Part;
import org.apache.commons.httpclient.methods.multipart.StringPart;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TestName;

/* loaded from: input_file:com/zimbra/qa/unittest/TestFileUpload.class */
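/**
 * Integration tests for the Zimbra file-upload endpoints.
 *
 * <p>The user-side tests post a multipart body to a {@link ZMailbox} upload URI
 * and inspect the HTML response, whose body starts with the status code the
 * upload servlet reports ("200,", "204,", "400,", "401,"). The admin-side tests
 * post to {@code /service/upload} with an admin auth-token cookie and vary how
 * the CSRF token is supplied (request header, form field, or not at all).
 *
 * <p>All tests run against a live server reached through {@link TestUtil}.
 */
public class TestFileUpload {

    @Rule
    public TestName testInfo = new TestName();

    /** File name used for the admin upload part. */
    private static final String FILE_NAME = "my_zimlet.zip";
    private static final String NAME_PREFIX = TestFileUpload.class.getSimpleName();
    /** Marker the upload servlet's HTML response is expected to contain on success. */
    private static final String RESP_STR = "window.parent._uploadManager.loaded";
    private static final String ADMIN_UPLOAD_URL = "/service/upload";
    /** Server attribute holding the admin port, and the fallback used when it cannot be read. */
    private static final String ADMIN_PORT_ATTR = "zimbraAdminPort";
    private static final int DEFAULT_ADMIN_PORT = 7071;
    private static final String CSRF_HEADER = "X-Zimbra-Csrf-Token";
    private static final String CSRF_FORM_FIELD = "csrfToken";
    private static final String ADMIN_UPLOAD_CONTENT = "some file content";
    private static final String ADMIN_UPLOAD_CONTENT_TYPE = "application/x-msdownload";
    // Per-test account name; assigned in setUp() from the running test's method name.
    private static String USER_NAME = null;

    /** Creates a fresh account named after the running test, removing any leftover first. */
    @Before
    public void setUp() throws Exception {
        USER_NAME = NAME_PREFIX + "-" + this.testInfo.getMethodName() + "-user";
        cleanUp();
        TestUtil.createAccount(USER_NAME);
    }

    /** Extended-format upload with the session cookies cleared must report 401 in the body. */
    @Test
    public void testUnauthorizedExtended() throws Exception {
        ZMailbox mbox = userMailbox();
        URI extendedUri = new URI(mbox.getUploadURI().toString().replace("fmt=raw", "fmt=extended"));
        String body = postAndVerify(mbox, extendedUri, true);
        Assert.assertTrue(body, body.contains("401,"));
    }

    /** Raw-format upload with the session cookies cleared must start with a 401 status. */
    @Test
    public void testUnauthorizedRaw() throws Exception {
        ZMailbox mbox = userMailbox();
        String body = postAndVerify(mbox, mbox.getUploadURI(), true);
        Assert.assertTrue(body, body.startsWith("401,"));
    }

    /** Authenticated raw-format upload of a small attachment must start with a 200 status. */
    @Test
    public void testRaw() throws Exception {
        ZMailbox mbox = userMailbox();
        String body = postAndVerify(mbox, mbox.getUploadURI(), false);
        Assert.assertTrue(body, body.startsWith("200,"));
    }

    /** Authenticated upload carrying only the request-id part (no attachment) must report 204. */
    @Test
    public void testRawEmpty() throws Exception {
        ZMailbox mbox = userMailbox();
        String body = postAndVerify(mbox, mbox.getUploadURI(), false, "rawEmpty", null);
        Assert.assertTrue(body, body.startsWith("204,"));
    }

    /** Admin upload with the CSRF token supplied in the X-Zimbra-Csrf-Token header succeeds. */
    @Test
    public void testAdminUploadWithCsrfInHeader() throws Exception {
        AuthResponse auth = adminAuth();
        PostMethod post = newAdminUploadPost(newFilePart());
        post.addRequestHeader(CSRF_HEADER, auth.getCsrfToken());
        executeAndAssertUploaded(newAdminHttpClient(auth.getAuthToken()), post);
    }

    /**
     * Admin upload with an auth-token cookie but no CSRF token at all.
     *
     * <p>NOTE(review): this test asserts HTTP 200 even though no CSRF token is
     * sent, so it pins the upload endpoint as accepting cookie-only admin
     * requests. Confirm that is the intended contract for {@code /service/upload};
     * if CSRF enforcement is expected here, the expectation should be inverted.
     */
    @Test
    public void testMissingCsrfAdminUpload() throws Exception {
        AuthResponse auth = adminAuth();
        PostMethod post = newAdminUploadPost(newFilePart());
        executeAndAssertUploaded(newAdminHttpClient(auth.getAuthToken()), post);
    }

    /** Admin upload with the CSRF token supplied as a "csrfToken" multipart form field succeeds. */
    @Test
    public void testAdminUploadWithCsrfInFormField() throws Exception {
        AuthResponse auth = adminAuth();
        PostMethod post = newAdminUploadPost(newFilePart(), new StringPart(CSRF_FORM_FIELD, auth.getCsrfToken()));
        executeAndAssertUploaded(newAdminHttpClient(auth.getAuthToken()), post);
    }

    /**
     * A request id containing markup must be rejected with 400 and must not be
     * echoed back into the HTML response (reflection regression check).
     */
    @Test
    public void testRequestIdScript() throws Exception {
        ZMailbox mbox = userMailbox();
        String body = postAndVerify(mbox, mbox.getUploadURI(), false, "<script></script>", "anything");
        Assert.assertFalse("Response does not contain 'script': " + body, body.contains("script"));
        Assert.assertTrue(body, body.startsWith("400,"));
    }

    /**
     * A request id containing script-like text must be rejected with 400 and must
     * not be echoed back into the HTML response, even with no attachment part.
     */
    @Test
    public void testRequestIdAlert() throws Exception {
        ZMailbox mbox = userMailbox();
        String body = postAndVerify(mbox, mbox.getUploadURI(), false, "alert(1)", null);
        Assert.assertFalse("Response does not contain 'alert': " + body, body.contains("alert"));
        Assert.assertTrue(body, body.startsWith("400,"));
    }

    /** Mailbox for the per-test account created in {@link #setUp()}. */
    private static ZMailbox userMailbox() throws Exception {
        return TestUtil.getZMailbox(USER_NAME);
    }

    /**
     * Authenticates as the LDAP admin over SOAP with CSRF support requested, so
     * the response carries both an auth token and a CSRF token.
     */
    private static AuthResponse adminAuth() throws Exception {
        SoapHttpTransport transport = new SoapHttpTransport(TestUtil.getAdminSoapUrl());
        AuthRequest request = new AuthRequest(LC.zimbra_ldap_user.value(), LC.zimbra_ldap_password.value());
        request.setCsrfSupported(true);
        return (AuthResponse) JaxbUtil.elementToJaxb(
                transport.invoke(JaxbUtil.jaxbToElement(request, SoapProtocol.SoapJS.getFactory())));
    }

    /**
     * Reads the local server's admin port. Falls back to {@link #DEFAULT_ADMIN_PORT}
     * both when the attribute is absent and when provisioning cannot be queried,
     * so a missing attribute no longer yields port 0.
     */
    private static int adminPort() {
        try {
            return Provisioning.getInstance().getLocalServer().getIntAttr(ADMIN_PORT_ATTR, DEFAULT_ADMIN_PORT);
        } catch (ServiceException e) {
            ZimbraLog.test.error("Unable to get admin SOAP port", e);
            return DEFAULT_ADMIN_PORT;
        }
    }

    /** Builds the in-memory file part every admin upload test sends. */
    private static FilePart newFilePart() {
        FilePart filePart = new FilePart(FILE_NAME,
                new ByteArrayPartSource(FILE_NAME, ADMIN_UPLOAD_CONTENT.getBytes(StandardCharsets.UTF_8)));
        filePart.setContentType(ADMIN_UPLOAD_CONTENT_TYPE);
        return filePart;
    }

    /** Creates a multipart POST to the admin upload URL on localhost carrying the given parts. */
    private static PostMethod newAdminUploadPost(Part... parts) {
        PostMethod post = new PostMethod("https://localhost:" + adminPort() + ADMIN_UPLOAD_URL);
        post.setRequestEntity(new MultipartRequestEntity(parts, post.getParams()));
        return post;
    }

    /**
     * Creates a client whose state holds the admin auth-token cookie for localhost.
     * The "compatibility" cookie policy is what lets the hand-built cookie be sent
     * to the https URL used by the tests.
     */
    private static HttpClient newAdminHttpClient(String authToken) {
        HttpClient client = ZimbraHttpConnectionManager.getInternalHttpConnMgr().newHttpClient();
        HttpState state = new HttpState();
        state.addCookie(new Cookie("localhost", ZimbraCookie.authTokenCookieName(true), authToken, "/", (Date) null, false));
        client.getParams().setCookiePolicy("compatibility");
        client.setState(state);
        return client;
    }

    /**
     * Executes the upload and asserts HTTP 200 plus the success marker in the HTML
     * body. The connection is released even when an assertion fails.
     */
    private static void executeAndAssertUploaded(HttpClient client, PostMethod post) throws IOException {
        try {
            int status = HttpClientUtil.executeMethod(client, post);
            Assert.assertEquals("This request should succeed. Getting status code " + status, 200L, status);
            String body = post.getResponseBodyAsString();
            Assert.assertNotNull("Response should not be empty", body);
            Assert.assertTrue("Incorrect HTML response", body.contains(RESP_STR));
        } finally {
            post.releaseConnection();
        }
    }

    /** Posts the default request id and a small "some data" attachment. */
    private String postAndVerify(ZMailbox zMailbox, URI uri, boolean clearCookies) throws IOException {
        return postAndVerify(zMailbox, uri, clearCookies, "myReqId", "some data");
    }

    /**
     * Posts a multipart upload to {@code uri} and returns the HTML response body.
     *
     * @param zMailbox       mailbox whose HTTP client (and session cookies) is used
     * @param uri            upload URI to post to
     * @param clearCookies   when true, drops all cookies first so the request is unauthenticated
     * @param requestId      value of the request-correlator part
     * @param attachmentData content of the "test.txt" attachment part, or null to send no attachment
     * @return the response body; the transport status must be 200 and the
     *         Content-Type must be text/html, otherwise an assertion fails
     * @throws IOException if the request cannot be executed or the body cannot be read
     */
    private String postAndVerify(ZMailbox zMailbox, URI uri, boolean clearCookies, String requestId,
            String attachmentData) throws IOException {
        HttpClient httpClient = zMailbox.getHttpClient(uri);
        if (clearCookies) {
            httpClient.getState().clearCookies();
        }
        List<Part> parts = new ArrayList<>();
        parts.add(new StringPart(SoapEngine.A_REQUEST_CORRELATOR, requestId));
        if (attachmentData != null) {
            parts.add(zMailbox.createAttachmentPart("test.txt", attachmentData.getBytes(StandardCharsets.UTF_8)));
        }
        PostMethod postMethod = new PostMethod(uri.toString());
        postMethod.setRequestEntity(new MultipartRequestEntity(parts.toArray(new Part[0]), postMethod.getParams()));
        try {
            Assert.assertEquals(200L, HttpClientUtil.executeMethod(httpClient, postMethod));
            String contentType = getHeaderValue(postMethod, "Content-Type");
            Assert.assertNotNull("Response has no Content-Type header", contentType);
            Assert.assertTrue(contentType, contentType.startsWith("text/html"));
            return postMethod.getResponseBodyAsString();
        } finally {
            postMethod.releaseConnection();
        }
    }

    /**
     * Returns the name of the first element of the named response header
     * (for Content-Type, the media type without its parameters), or null when
     * the header is absent or has no elements.
     */
    private static String getHeaderValue(HttpMethod httpMethod, String headerName) {
        Header header = httpMethod.getResponseHeader(headerName);
        if (header == null) {
            return null;
        }
        HeaderElement[] elements = header.getElements();
        return elements.length > 0 ? elements[0].getName() : null;
    }

    /** Removes the per-test account. */
    @After
    public void tearDown() throws Exception {
        cleanUp();
    }

    /** Deletes the per-test account if it exists; safe to call before it was created. */
    private void cleanUp() throws Exception {
        TestUtil.deleteAccountIfExists(USER_NAME);
    }

    /** Runs this test class from the command line using the shared test harness. */
    public static void main(String[] strArr) throws Exception {
        TestUtil.cliSetup();
        TestUtil.runTest(TestFileUpload.class);
    }
}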
