package org.apache.cxf.systest.jaxrs.security.oidc;

import java.net.URL;
import java.time.Instant;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import javax.ws.rs.client.ResponseProcessingException;
import javax.ws.rs.core.Form;
import javax.ws.rs.core.Response;
import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.bus.spring.SpringBusFactory;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.message.Message;
import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
import org.apache.cxf.rs.security.oauth2.common.OAuthAuthorizationData;
import org.apache.cxf.rs.security.oidc.common.UserInfo;
import org.apache.cxf.systest.jaxrs.security.SecurityTestUtil;
import org.apache.cxf.systest.jaxrs.security.oauth2.common.OAuth2TestUtils;
import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
import org.apache.cxf.testutil.common.TestUtil;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Ignore;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;

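/**
 * Negative system tests for the OIDC authorization server: every test either sends a request the
 * server must refuse, or drives a legitimate flow and checks that a claim/credential the server must
 * NOT issue (or must no longer accept) is indeed absent or rejected.
 * <p>
 * The class is parameterized over the ports of the server variants started in {@link #startServers()}
 * (plain, JWT tokens, JCache- and JPA-backed token stores, non-persisted JCache+JWT), so each
 * assertion runs once per backend.
 * <p>
 * Note on the id_token checks: the token is only parsed with {@link JwsJwtCompactConsumer} here, its
 * signature is not verified — these tests look at claims, not at signature validation.
 */
@RunWith(Parameterized.class)
public class OIDCNegativeTest extends AbstractBusClientServerTestBase {
    static final String PORT = TestUtil.getPortNumber("jaxrs-negative-oidc");
    static final String JWT_PORT = TestUtil.getPortNumber("jaxrs-negative-oidc-jwt");
    static final String JCACHE_PORT = TestUtil.getPortNumber("jaxrs-negative-oidc-jcache");
    static final String JWT_JCACHE_PORT = TestUtil.getPortNumber("jaxrs-negative-oidc-jcache-jwt");
    static final String JPA_PORT = TestUtil.getPortNumber("jaxrs-negative-oidc-jpa");
    static final String JWT_NON_PERSIST_JCACHE_PORT =
        TestUtil.getPortNumber("jaxrs-negative-oidc-jcache-jwt-non-persist");

    /** Port of the server variant this parameterized instance talks to. */
    final String port;

    /** Server variant using the plain configuration. */
    public static class OIDCNegativeServer extends AbstractBusTestServerBase {
        private static final URL SERVER_CONFIG_FILE =
            OIDCNegativeServer.class.getResource("oidc-negative-server.xml");

        @Override
        protected void run() {
            Bus bus = new SpringBusFactory().createBus(SERVER_CONFIG_FILE);
            BusFactory.setDefaultBus(bus);
            setBus(bus);
            try {
                // Same pattern as the other CXF system-test servers; the Spring config above is what
                // publishes the endpoints, the extra instance is not used.
                new OIDCNegativeServer();
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
        }
    }

    /** Server variant with a JCache-backed token store. */
    public static class OIDCNegativeServerJCache extends AbstractBusTestServerBase {
        private static final URL SERVER_CONFIG_FILE =
            OIDCNegativeServerJCache.class.getResource("oidc-negative-server-jcache.xml");

        @Override
        protected void run() {
            Bus bus = new SpringBusFactory().createBus(SERVER_CONFIG_FILE);
            BusFactory.setDefaultBus(bus);
            setBus(bus);
            try {
                new OIDCNegativeServerJCache();
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
        }
    }

    /** Server variant with a JCache-backed store and JWT access tokens. */
    public static class OIDCNegativeServerJCacheJWT extends AbstractBusTestServerBase {
        private static final URL SERVER_CONFIG_FILE =
            OIDCNegativeServerJCacheJWT.class.getResource("oidc-negative-server-jcache-jwt.xml");

        @Override
        protected void run() {
            Bus bus = new SpringBusFactory().createBus(SERVER_CONFIG_FILE);
            BusFactory.setDefaultBus(bus);
            setBus(bus);
            try {
                new OIDCNegativeServerJCacheJWT();
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
        }
    }

    /** Server variant with JCache + JWT access tokens that are not persisted. */
    public static class OIDCNegativeServerJCacheJWTNonPersist extends AbstractBusTestServerBase {
        private static final URL SERVER_CONFIG_FILE =
            OIDCNegativeServerJCacheJWTNonPersist.class.getResource("oidc-negative-server-jcache-jwt-non-persist.xml");

        @Override
        protected void run() {
            Bus bus = new SpringBusFactory().createBus(SERVER_CONFIG_FILE);
            BusFactory.setDefaultBus(bus);
            setBus(bus);
            try {
                new OIDCNegativeServerJCacheJWTNonPersist();
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
        }
    }

    /** Server variant with a JPA-backed token store. */
    public static class OIDCNegativeServerJPA extends AbstractBusTestServerBase {
        private static final URL SERVER_CONFIG_FILE =
            OIDCNegativeServerJPA.class.getResource("oidc-negative-server-jpa.xml");

        @Override
        protected void run() {
            Bus bus = new SpringBusFactory().createBus(SERVER_CONFIG_FILE);
            BusFactory.setDefaultBus(bus);
            setBus(bus);
            try {
                new OIDCNegativeServerJPA();
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
        }
    }

    /** Server variant issuing JWT access tokens. */
    public static class OIDCNegativeServerJWT extends AbstractBusTestServerBase {
        private static final URL SERVER_CONFIG_FILE =
            OIDCNegativeServerJWT.class.getResource("oidc-negative-server-jwt.xml");

        @Override
        protected void run() {
            Bus bus = new SpringBusFactory().createBus(SERVER_CONFIG_FILE);
            BusFactory.setDefaultBus(bus);
            setBus(bus);
            try {
                new OIDCNegativeServerJWT();
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
        }
    }

    /**
     * @param port port of the server variant to test (one of the values returned by {@link #data()})
     */
    public OIDCNegativeTest(String port) {
        this.port = port;
    }

    @BeforeClass
    public static void startServers() throws Exception {
        assertTrue("Server failed to launch", launchServer(OIDCNegativeServer.class, true));
        assertTrue("Server failed to launch", launchServer(OIDCNegativeServerJWT.class, true));
        assertTrue("Server failed to launch", launchServer(OIDCNegativeServerJCache.class, true));
        assertTrue("Server failed to launch", launchServer(OIDCNegativeServerJCacheJWT.class, true));
        assertTrue("Server failed to launch", launchServer(OIDCNegativeServerJPA.class, true));
        assertTrue("Server failed to launch", launchServer(OIDCNegativeServerJCacheJWTNonPersist.class, true));
    }

    @AfterClass
    public static void cleanup() throws Exception {
        SecurityTestUtil.cleanup();
    }

    /** One run of every test per server variant. */
    @Parameterized.Parameters(name = "{0}")
    public static Collection<String> data() {
        return Arrays.asList(PORT, JWT_PORT, JCACHE_PORT, JWT_JCACHE_PORT, JPA_PORT,
                             JWT_NON_PERSIST_JCACHE_PORT);
    }

    /* ---------------------------------------------------------------- helpers */

    /** Absolute https address of {@code path} on the server variant under test. */
    private String serverAddress(String path) {
        return "https://localhost:" + port + path;
    }

    /** Location of the client bus configuration (TLS trust etc.) shared by all tests in this package. */
    private static String clientConfigLocation() {
        return OIDCNegativeTest.class.getResource("client.xml").toString();
    }

    /**
     * Creates a client authenticated with {@code user}/{@code password} that keeps its session
     * cookie, so a follow-up request (e.g. the consent "decision") is tied to the authorize request.
     */
    private static WebClient newSessionClient(String address, String user, String password) {
        WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
                                            user, password, clientConfigLocation());
        WebClient.getConfig(client).getRequestContext().put(Message.MAINTAIN_SESSION, Boolean.TRUE);
        return client;
    }

    /**
     * Starts an implicit-flow request for {@code response_type=id_token} as user alice with the
     * common parameters set; the caller adds the test-specific query parameters and the path.
     */
    private WebClient newImplicitIdTokenRequest() {
        WebClient client = newSessionClient(serverAddress("/services/"), "alice", "security");
        client.type("application/json").accept("application/json");
        client.query("client_id", "consumer-id");
        client.query("redirect_uri", "http://www.blah.apache.org");
        client.query("scope", "openid");
        client.query("response_type", "id_token");
        return client;
    }

    /** Builds the consent form that approves the authorization described by {@code authzData}. */
    private static Form allowDecisionForm(OAuthAuthorizationData authzData) {
        Form form = new Form();
        // The authenticity token binds the decision to the authorize request of this session (CSRF guard).
        form.param("session_authenticity_token", authzData.getAuthenticityToken());
        form.param("client_id", authzData.getClientId());
        form.param("redirect_uri", authzData.getRedirectUri());
        form.param("scope", authzData.getProposedScope());
        if (authzData.getResponseType() != null) {
            form.param("response_type", authzData.getResponseType());
        }
        if (authzData.getNonce() != null) {
            form.param("nonce", authzData.getNonce());
        }
        form.param("oauthDecision", "allow");
        return form;
    }

    /**
     * Completes an implicit flow: reads the authorization data, approves it and returns the id_token
     * from the redirect's Location fragment. The token is parsed, not signature-verified.
     */
    private static JwtToken consentAndReadIdToken(WebClient client) {
        OAuthAuthorizationData authzData = client.get().readEntity(OAuthAuthorizationData.class);
        client.path("decision");
        client.type("application/x-www-form-urlencoded");
        String location = client.post(allowDecisionForm(authzData)).getHeaderString("Location");
        String idToken = OAuth2TestUtils.getSubstring(location, "id_token");
        assertNotNull(idToken);
        return new JwsJwtCompactConsumer(idToken).getJwtToken();
    }

    /**
     * Builds an unsigned ({@code alg=none}) OIDC request object from consumer-id for the
     * unsignedjwtservices endpoint, carrying one extra claim {@code claimName=claimValue}.
     */
    private String unsignedRequestObject(String claimName, String claimValue) {
        JwtClaims claims = new JwtClaims();
        claims.setIssuer("consumer-id");
        claims.setIssuedAt(Instant.now().getEpochSecond());
        claims.setAudiences(Collections.singletonList(serverAddress("/unsignedjwtservices/")));
        claims.setProperty(claimName, claimValue);

        JwsHeaders headers = new JwsHeaders();
        // Only acceptable because this endpoint is presumably configured for unsigned request
        // objects; a production AS must not accept alg=none.
        headers.setAlgorithm("none");
        return new JwsJwtCompactProducer(new JwtToken(headers, claims)).getSignedEncodedJws();
    }

    /**
     * Sends a {@code response_type=code} authorization request for consumer-id carrying
     * {@code requestObject} and asserts the authorization endpoint rejects it.
     */
    private void assertRequestObjectRejected(String requestObject, String failureMessage) {
        WebClient client = newSessionClient(serverAddress("/unsignedjwtservices/"), "alice", "security");

        OAuth2TestUtils.AuthorizationCodeParameters parameters =
            new OAuth2TestUtils.AuthorizationCodeParameters();
        parameters.setConsumerId("consumer-id");
        parameters.setScope("openid");
        parameters.setResponseType("code");
        parameters.setPath("authorize/");
        parameters.setRequest(requestObject);

        try {
            OAuth2TestUtils.getLocation(client, parameters);
            fail(failureMessage);
        } catch (ResponseProcessingException expected) {
            // the server refused to produce authorization data for a mismatching request object
        }
    }

    /* ------------------------------------------------------------------ tests */

    /**
     * {@code prompt=none} must not be combined with other prompt values; the authorization
     * endpoint has to reject {@code prompt=none login}.
     */
    @Test
    public void testImplicitFlowPromptNone() throws Exception {
        WebClient client = newImplicitIdTokenRequest();
        client.query("nonce", "1234565635");
        client.query("prompt", "none login");
        client.path("authorize-implicit/");

        try {
            client.get().readEntity(OAuthAuthorizationData.class);
            fail("Failure expected on a bad prompt");   // AssertionError, not caught below
        } catch (Exception expected) {
            // reading authorization data from the error response fails
        }
    }

    /** With {@code max_age} present the issued id_token must carry an {@code auth_time} claim. */
    @Test
    @Ignore
    public void testImplicitFlowMaxAge() throws Exception {
        WebClient client = newImplicitIdTokenRequest();
        client.query("nonce", "1234565635");
        client.query("max_age", "300");
        client.path("authorize-implicit/");

        JwtToken idToken = consentAndReadIdToken(client);
        assertNotNull(idToken.getClaims().getClaim("auth_time"));
    }

    /**
     * The implicit flow requires a {@code nonce} (replay protection for the id_token): the request
     * must fail without one and succeed once it is supplied.
     */
    @Test
    public void testImplicitFlowNoNonce() throws Exception {
        WebClient client = newImplicitIdTokenRequest();
        client.path("authorize-implicit/");

        try {
            client.get().readEntity(OAuthAuthorizationData.class);
            fail("Failure expected on no nonce");   // AssertionError, not caught below
        } catch (Exception expected) {
            // reading authorization data from the error response fails
        }

        // Positive control: the same request with a nonce is accepted.
        client.query("nonce", "1234565635");
        assertNotNull(client.get().readEntity(OAuthAuthorizationData.class));
    }

    /**
     * {@code at_hash} binds an id_token to an access token; with {@code response_type=id_token}
     * no access token is issued, so the claim must be absent.
     */
    @Test
    public void testImplicitFlowNoATHash() throws Exception {
        WebClient client = newImplicitIdTokenRequest();
        client.query("nonce", "1234565635");
        client.query("max_age", "300");
        client.path("authorize-implicit/");

        JwtToken idToken = consentAndReadIdToken(client);
        assertNull(idToken.getClaims().getClaim("at_hash"));
    }

    /** A request object whose {@code response_type} differs from the query parameter is rejected. */
    @Test
    public void testJWTRequestNonmatchingResponseType() throws Exception {
        String requestObject = unsignedRequestObject("response_type", "token");
        assertRequestObjectRejected(requestObject, "Failure expected on a non-matching response_type");
    }

    /** A request object whose {@code client_id} differs from the requesting client is rejected. */
    @Test
    public void testJWTRequestNonmatchingClientId() throws Exception {
        String requestObject = unsignedRequestObject("client_id", "consumer-id2");
        assertRequestObjectRejected(requestObject, "Failure expected on a non-matching client id");
    }

    /**
     * After a refresh-token grant the previous access token must be rejected by the UserInfo
     * endpoint (401) while the new one is accepted and returns claims bound to alice/consumer-id.
     */
    @Test
    public void testUserInfoRefreshToken() throws Exception {
        String servicesAddress = serverAddress("/services/");

        // Resource owner alice authorizes the client and obtains an authorization code.
        WebClient ownerClient = newSessionClient(servicesAddress, "alice", "security");
        String code = OAuth2TestUtils.getAuthorizationCode(ownerClient, "openid");
        assertNotNull(code);

        // The client exchanges the code for an access token, refresh token and id_token.
        WebClient tokenClient = newSessionClient(servicesAddress, "consumer-id", "this-is-a-secret");
        ClientAccessToken firstToken = OAuth2TestUtils.getAccessTokenWithAuthorizationCode(tokenClient, code);
        String firstAccessToken = firstToken.getTokenKey();
        assertNotNull(firstAccessToken);
        assertTrue(firstToken.getApprovedScope().contains("openid"));
        assertNotNull(firstToken.getParameters().get("id_token"));

        // Refresh: a new access token, refresh token and id_token are expected.
        tokenClient.type("application/x-www-form-urlencoded").accept("application/json");
        Form refreshForm = new Form();
        refreshForm.param("grant_type", "refresh_token");
        refreshForm.param("refresh_token", firstToken.getRefreshToken());
        refreshForm.param("client_id", "consumer-id");
        refreshForm.param("scope", "openid");
        ClientAccessToken refreshedToken = tokenClient.post(refreshForm).readEntity(ClientAccessToken.class);
        String refreshedAccessToken = refreshedToken.getTokenKey();
        assertNotNull(refreshedAccessToken);
        assertNotNull(refreshedToken.getRefreshToken());
        // Fix: the previous version looked the refreshed id_token up, discarded it and re-asserted
        // the original one, so a refresh response without id_token went unnoticed.
        assertNotNull(refreshedToken.getParameters().get("id_token"));

        // The pre-refresh access token must no longer be honoured.
        WebClient userInfoClient = WebClient.create(serverAddress("/ui/plain/userinfo"),
                                                    OAuth2TestUtils.setupProviders(), clientConfigLocation());
        userInfoClient.accept("application/json");
        userInfoClient.header("Authorization", "Bearer " + firstAccessToken);
        assertEquals(401, userInfoClient.get().getStatus());

        // The refreshed token is accepted and the claims match the authorized user and client.
        userInfoClient.replaceHeader("Authorization", "Bearer " + refreshedAccessToken);
        Response userInfoResponse = userInfoClient.get();
        assertEquals(200, userInfoResponse.getStatus());
        UserInfo userInfo = userInfoResponse.readEntity(UserInfo.class);
        assertNotNull(userInfo);
        assertEquals("alice", userInfo.getSubject());
        assertEquals("consumer-id", userInfo.getAudience());
    }
}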
