package org.apache.cxf.systest.jaxrs.security.oauth2.grants;

import java.util.HashMap;
import javax.ws.rs.core.MultivaluedMap;
import org.apache.cxf.bus.spring.SpringBusFactory;
import org.apache.cxf.common.util.Base64UrlUtility;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.jaxrs.client.JAXRSClientFactoryBean;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.jaxrs.impl.MetadataMap;
import org.apache.cxf.rs.security.common.CryptoLoader;
import org.apache.cxf.rs.security.oauth2.auth.saml.Saml2BearerAuthOutInterceptor;
import org.apache.cxf.rs.security.oauth2.client.Consumer;
import org.apache.cxf.rs.security.oauth2.client.OAuthClientUtils;
import org.apache.cxf.rs.security.oauth2.common.AccessTokenGrant;
import org.apache.cxf.rs.security.oauth2.grants.clientcred.ClientCredentialsGrant;
import org.apache.cxf.rs.security.oauth2.grants.jwt.JwtBearerGrant;
import org.apache.cxf.rs.security.oauth2.grants.saml.Saml2BearerGrant;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.saml.SAMLUtils;
import org.apache.cxf.systest.jaxrs.security.oauth2.common.OAuth2TestUtils;
import org.apache.cxf.systest.jaxrs.security.oauth2.common.SamlCallbackHandler;
import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
import org.apache.wss4j.common.saml.SAMLCallback;
import org.apache.wss4j.common.saml.SAMLUtil;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.util.DOM2Writer;
import org.junit.BeforeClass;
import org.junit.Test;

/* loaded from: input_file:org/apache/cxf/systest/jaxrs/security/oauth2/grants/JAXRSOAuth2Test.class */
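/**
 * System tests for the OAuth2 token endpoints started by {@link BookServerOAuth2}.
 *
 * <p>The positive tests request an access token with a SAML2 bearer grant, a JWT bearer
 * grant, client credentials, or a custom grant accompanied by a {@code client_assertion}.
 * The negative tests submit assertions that the token service is expected to refuse
 * (wrong SAML version, audience, subject or confirmation method, missing signature,
 * issuer or expiry) and fail if a token is issued anyway.
 *
 * <p>NOTE(review): several negative tests catch {@code Exception}. They therefore pass on
 * any failure, including transport or set-up errors, and do not by themselves prove that
 * the request was refused for the reason named in the test. Tightening them needs the
 * exact exception type raised by the rejection path, which is not visible in this file.
 */
public class JAXRSOAuth2Test extends AbstractBusClientServerTestBase {
    public static final String PORT = BookServerOAuth2.PORT;
    private static final String CRYPTO_RESOURCE_PROPERTIES = "org/apache/cxf/systest/jaxrs/security/alice.properties";

    // Values of the client_assertion_type form parameter sent alongside client_assertion.
    private static final String SAML2_BEARER_ASSERTION_TYPE =
        "urn:ietf:params:oauth:client-assertion-type:saml2-bearer";
    private static final String JWT_BEARER_ASSERTION_TYPE =
        "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";

    /**
     * Minimal grant whose only form parameter is {@code grant_type=custom_grant}. The tests
     * use it when client authentication is carried by something other than the grant itself
     * (extra {@code client_assertion} parameters, an out interceptor, or the client bus
     * configuration).
     */
    private static class CustomGrant implements AccessTokenGrant {
        private static final long serialVersionUID = -4007538779198315873L;

        private CustomGrant() {
        }

        public String getType() {
            return "custom_grant";
        }

        public MultivaluedMap<String, String> toMap() {
            MultivaluedMap<String, String> params = new MetadataMap<String, String>();
            params.putSingle("grant_type", "custom_grant");
            return params;
        }
    }

    @BeforeClass
    public static void startServers() throws Exception {
        assertTrue("server did not launch correctly", launchServer(BookServerOAuth2.class, true));
    }

    /** A self-signed SAML assertion presented as a SAML2 bearer grant yields a token. */
    @Test
    public void testSAML2BearerGrant() throws Exception {
        String address = tokenAddress("/oauth2/token");
        WebClient client = createWebClient(address);
        SamlCallbackHandler handler = new SamlCallbackHandler(false);
        handler.setAudience(address);
        String assertion = createSelfSignedAssertion(handler);
        assertNotNull(OAuthClientUtils.getAccessToken(client, new Consumer("alice", "alice"),
                                                      new Saml2BearerGrant(assertion), false).getTokenKey());
    }

    /** A Base64Url-encoded SAML assertion sent as {@code client_assertion} authenticates the client. */
    @Test
    public void testSAML2BearerAuthenticationDirect() throws Exception {
        String address = tokenAddress("/oauth2-auth/token");
        WebClient client = createWebClient(address);
        SamlCallbackHandler handler = new SamlCallbackHandler(true);
        handler.setIssuer("alice");
        handler.setAudience(address);
        String encoded = Base64UrlUtility.encode(createSelfSignedAssertion(handler));
        HashMap<String, String> extraParams = clientAssertionParams(SAML2_BEARER_ASSERTION_TYPE, encoded);
        assertNotNull(OAuthClientUtils.getAccessToken(client, new CustomGrant(), extraParams).getTokenKey());
    }

    /**
     * Custom grant with no credentials in the request itself.
     * NOTE(review): presumably the client is authenticated by the TLS settings in
     * client.xml, as the test name suggests; that configuration is not visible here.
     */
    @Test
    public void testTwoWayTLSAuthenticationCustomGrant() throws Exception {
        WebClient client = createWebClient(tokenAddress("/oauth2/token"));
        assertNotNull(OAuthClientUtils.getAccessToken(client, new CustomGrant()).getTokenKey());
    }

    /** Client credentials grant carrying the fixture client id and secret. */
    @Test
    public void testBasicAuthClientCred() throws Exception {
        WebClient client = createWebClient(tokenAddress("/oauth2/token"));
        ClientCredentialsGrant grant = new ClientCredentialsGrant();
        grant.setClientId("bob");
        grant.setClientSecret("bobPassword");
        assertNotNull(OAuthClientUtils.getAccessToken(client, grant).getTokenKey());
    }

    /** Same as the direct SAML test, but the assertion is attached by {@link Saml2BearerAuthOutInterceptor}. */
    @Test
    public void testSAML2BearerAuthenticationInterceptor() throws Exception {
        WebClient client = createWebClientWithProps(tokenAddress("/oauth2-auth/token"));
        assertNotNull(OAuthClientUtils.getAccessToken(client, new CustomGrant()).getTokenKey());
    }

    /** A JWT whose audience is the token endpoint, presented as a JWT bearer grant, yields a token. */
    @Test
    public void testJWTBearerGrant() throws Exception {
        String address = tokenAddress("/oauth2/token");
        WebClient client = createWebClient(address);
        String token = OAuth2TestUtils.createToken("resourceOwner", "alice", address, true, true);
        assertNotNull(OAuthClientUtils.getAccessToken(client, new Consumer("alice", "alice"),
                                                      new JwtBearerGrant(token), false).getTokenKey());
    }

    /** A JWT sent as {@code client_assertion} authenticates the client. */
    @Test
    public void testJWTBearerAuthenticationDirect() throws Exception {
        String address = tokenAddress("/oauth2-auth-jwt/token");
        WebClient client = createWebClient(address);
        String token = OAuth2TestUtils.createToken("resourceOwner", "alice", address, true, true);
        HashMap<String, String> extraParams = clientAssertionParams(JWT_BEARER_ASSERTION_TYPE, token);
        assertNotNull(OAuthClientUtils.getAccessToken(client, new CustomGrant(), extraParams).getTokenKey());
    }

    /**
     * A SAML 1.1 assertion must not be accepted under the saml2-bearer assertion type.
     * NOTE(review): the second createToken argument presumably selects SAML 2.0; confirm
     * against OAuth2TestUtils.
     */
    @Test
    public void testSAML11() throws Exception {
        String address = tokenAddress("/oauth2-auth/token");
        WebClient client = createWebClient(address);
        String encoded = Base64UrlUtility.encode(OAuth2TestUtils.createToken(address, false, true));
        HashMap<String, String> extraParams = clientAssertionParams(SAML2_BEARER_ASSERTION_TYPE, encoded);
        try {
            OAuthClientUtils.getAccessToken(client, new CustomGrant(), extraParams);
            fail("Failure expected on a SAML 1.1 Assertion");
        } catch (OAuthServiceException expected) {
            // expected: the token service refused the request
        }
    }

    /** An assertion whose audience names a different endpoint ("/token2") must be refused. */
    @Test
    public void testSAMLAudRestr() throws Exception {
        WebClient client = createWebClient(tokenAddress("/oauth2-auth/token"));
        String wrongAudience = tokenAddress("/oauth2-auth/token2");
        String encoded = Base64UrlUtility.encode(OAuth2TestUtils.createToken(wrongAudience, true, true));
        HashMap<String, String> extraParams = clientAssertionParams(SAML2_BEARER_ASSERTION_TYPE, encoded);
        try {
            OAuthClientUtils.getAccessToken(client, new CustomGrant(), extraParams);
            fail("Failure expected on a bad audience restriction");
        } catch (OAuthServiceException expected) {
            // expected: the token service refused the request
        }
    }

    /** An assertion issued for subject "bob" must be refused by this endpoint. */
    @Test
    public void testSAMLBadSubjectName() throws Exception {
        String address = tokenAddress("/oauth2-auth/token");
        WebClient client = createWebClient(address);
        SamlCallbackHandler handler = new SamlCallbackHandler(true);
        handler.setSubjectName("bob");
        handler.setAudience(address);
        HashMap<String, String> extraParams =
            clientAssertionParams(SAML2_BEARER_ASSERTION_TYPE, createEncodedAssertion(handler));
        try {
            OAuthClientUtils.getAccessToken(client, new CustomGrant(), extraParams);
            fail("Failure expected on a bad subject name");
        } catch (OAuthServiceException expected) {
            // expected: the token service refused the request
        }
    }

    /**
     * An assertion created without a signature must be refused.
     * NOTE(review): the third createToken argument presumably controls signing; confirm
     * against OAuth2TestUtils.
     */
    @Test
    public void testSAMLUnsigned() throws Exception {
        String address = tokenAddress("/oauth2-auth/token");
        WebClient client = createWebClient(address);
        String encoded = Base64UrlUtility.encode(OAuth2TestUtils.createToken(address, true, false));
        HashMap<String, String> extraParams = clientAssertionParams(SAML2_BEARER_ASSERTION_TYPE, encoded);
        try {
            OAuthClientUtils.getAccessToken(client, new CustomGrant(), extraParams);
            fail("Failure expected on an unsigned token");
        } catch (Exception expected) {
            // expected; broad catch, so any failure (not only a signature rejection) passes.
            // fail() is unaffected because JUnit reports it with an Error, not an Exception.
        }
    }

    /** An assertion using the holder-of-key subject confirmation method must be refused. */
    @Test
    public void testSAMLHolderOfKey() throws Exception {
        String address = tokenAddress("/oauth2-auth/token");
        WebClient client = createWebClient(address);
        SamlCallbackHandler handler = new SamlCallbackHandler(true);
        handler.setConfirmationMethod("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key");
        handler.setSubjectName("alice");
        handler.setAudience(address);
        HashMap<String, String> extraParams =
            clientAssertionParams(SAML2_BEARER_ASSERTION_TYPE, createEncodedAssertion(handler));
        try {
            OAuthClientUtils.getAccessToken(client, new CustomGrant(), extraParams);
            fail("Failure expected on a bad subject confirmation method");
        } catch (OAuthServiceException expected) {
            // expected: the token service refused the request
        }
    }

    /** A JWT created with "bob" as its second argument (presumably the subject) must be refused. */
    @Test
    public void testJWTBadSubjectName() throws Exception {
        String address = tokenAddress("/oauth2-auth-jwt/token");
        WebClient client = createWebClient(address);
        String token = OAuth2TestUtils.createToken("resourceOwner", "bob", address, true, true);
        HashMap<String, String> extraParams = clientAssertionParams(JWT_BEARER_ASSERTION_TYPE, token);
        try {
            OAuthClientUtils.getAccessToken(client, new CustomGrant(), extraParams);
            fail("Failure expected on a bad subject name");
        } catch (OAuthServiceException expected) {
            // expected: the token service refused the request
        }
    }

    /** A JWT created with the last createToken flag off (presumably "sign") must be refused. */
    @Test
    public void testJWTUnsigned() throws Exception {
        String address = tokenAddress("/oauth2-auth-jwt/token");
        WebClient client = createWebClient(address);
        String token = OAuth2TestUtils.createToken("resourceOwner", "alice", address, true, false);
        HashMap<String, String> extraParams = clientAssertionParams(JWT_BEARER_ASSERTION_TYPE, token);
        try {
            OAuthClientUtils.getAccessToken(client, new CustomGrant(), extraParams);
            fail("Failure expected on an unsigned token");
        } catch (Exception expected) {
            // expected; broad catch, so any failure (not only a signature rejection) passes
        }
    }

    /** A JWT created with a null first argument (presumably the issuer) must be refused. */
    @Test
    public void testJWTNoIssuer() throws Exception {
        String address = tokenAddress("/oauth2-auth-jwt/token");
        WebClient client = createWebClient(address);
        String token = OAuth2TestUtils.createToken(null, "alice", address, true, true);
        HashMap<String, String> extraParams = clientAssertionParams(JWT_BEARER_ASSERTION_TYPE, token);
        try {
            OAuthClientUtils.getAccessToken(client, new CustomGrant(), extraParams);
            fail("Failure expected on no issuer");
        } catch (Exception expected) {
            // expected; broad catch, so any failure (not only a missing-issuer rejection) passes
        }
    }

    /** A JWT created with the fourth createToken flag off (presumably "expiry") must be refused. */
    @Test
    public void testJWTNoExpiry() throws Exception {
        String address = tokenAddress("/oauth2-auth-jwt/token");
        WebClient client = createWebClient(address);
        String token = OAuth2TestUtils.createToken("resourceOwner", "alice", address, false, true);
        HashMap<String, String> extraParams = clientAssertionParams(JWT_BEARER_ASSERTION_TYPE, token);
        try {
            OAuthClientUtils.getAccessToken(client, new CustomGrant(), extraParams);
            fail("Failure expected on no expiry");
        } catch (Exception expected) {
            // expected; broad catch, so any failure (not only a missing-expiry rejection) passes
        }
    }

    /** A JWT whose audience is the endpoint address plus "/badtoken" must be refused. */
    @Test
    public void testJWTBadAudienceRestriction() throws Exception {
        String address = tokenAddress("/oauth2-auth-jwt/token");
        WebClient client = createWebClient(address);
        String token = OAuth2TestUtils.createToken("resourceOwner", "alice", address + "/badtoken", true, true);
        HashMap<String, String> extraParams = clientAssertionParams(JWT_BEARER_ASSERTION_TYPE, token);
        try {
            OAuthClientUtils.getAccessToken(client, new CustomGrant(), extraParams);
            fail("Failure expected on a bad audience restriction");
        } catch (Exception expected) {
            // expected; broad catch, so any failure (not only an audience rejection) passes
        }
    }

    /** Builds the HTTPS address of a token endpoint on the test server. */
    private static String tokenAddress(String path) {
        return "https://localhost:" + PORT + path;
    }

    /** Builds the extra form parameters that carry a client assertion. */
    private static HashMap<String, String> clientAssertionParams(String assertionType, String assertion) {
        HashMap<String, String> params = new HashMap<String, String>();
        params.put("client_assertion_type", assertionType);
        params.put("client_assertion", assertion);
        return params;
    }

    /**
     * Creates an assertion through {@link SAMLUtils#createAssertion} and serializes it to XML.
     * "alice" / "password" are fixture values; presumably the key alias and key password
     * for the keystore referenced by alice.properties.
     */
    private static String createSelfSignedAssertion(SamlCallbackHandler handler) throws Exception {
        SAMLUtils.SelfSignInfo signInfo = new SAMLUtils.SelfSignInfo(
            new CryptoLoader().loadCrypto(CRYPTO_RESOURCE_PROPERTIES), "alice", "password");
        return DOM2Writer.nodeToString(SAMLUtils.createAssertion(handler, signInfo).toDOM(DOMUtils.newDocument()));
    }

    /**
     * Runs the callback handler, signs the resulting assertion when the callback asks for
     * it, and returns the assertion Base64Url-encoded.
     */
    private static String createEncodedAssertion(SamlCallbackHandler handler) throws Exception {
        SAMLCallback callback = new SAMLCallback();
        SAMLUtil.doSAMLCallback(handler, callback);
        SamlAssertionWrapper assertion = new SamlAssertionWrapper(callback);
        if (callback.isSignAssertion()) {
            assertion.signAssertion(callback.getIssuerKeyName(), callback.getIssuerKeyPassword(),
                                    callback.getIssuerCrypto(), callback.isSendKeyValue(),
                                    callback.getCanonicalizationAlgorithm(), callback.getSignatureAlgorithm());
        }
        return Base64UrlUtility.encode(assertion.assertionToString());
    }

    /** Creates a client factory for the address, using the bus defined by client.xml. */
    private JAXRSClientFactoryBean newClientFactory(String str) {
        JAXRSClientFactoryBean factory = new JAXRSClientFactoryBean();
        factory.setAddress(str);
        factory.setBus(new SpringBusFactory().createBus(JAXRSOAuth2Test.class.getResource("client.xml").toString()));
        return factory;
    }

    /** Creates a form-posting client that accepts JSON responses. */
    private WebClient createWebClient(String str) {
        WebClient client = newClientFactory(str).createWebClient();
        client.type("application/x-www-form-urlencoded").accept(new String[]{"application/json"});
        return client;
    }

    /**
     * Creates a client like {@link #createWebClient(String)} that additionally carries the
     * signature and SAML callback properties and a {@link Saml2BearerAuthOutInterceptor}.
     */
    private WebClient createWebClientWithProps(String str) {
        JAXRSClientFactoryBean factory = newClientFactory(str);
        HashMap<String, Object> properties = new HashMap<String, Object>();
        properties.put("security.callback-handler", "org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
        SamlCallbackHandler handler = new SamlCallbackHandler(true);
        handler.setIssuer("alice");
        handler.setAudience(tokenAddress("/oauth2-auth/token"));
        properties.put("security.saml-callback-handler", handler);
        properties.put("security.signature.username", "alice");
        properties.put("security.signature.properties", CRYPTO_RESOURCE_PROPERTIES);
        factory.setProperties(properties);
        factory.getOutInterceptors().add(new Saml2BearerAuthOutInterceptor());
        WebClient client = factory.createWebClient();
        client.type("application/x-www-form-urlencoded").accept(new String[]{"application/json"});
        return client;
    }
}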
