package org.apache.cxf.systest.jaxrs.security.oauth2.grants;

import java.net.URL;
import java.time.Instant;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Properties;
import javax.ws.rs.client.ResponseProcessingException;
import javax.ws.rs.core.Form;
import javax.ws.rs.core.Response;
import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.bus.spring.SpringBusFactory;
import org.apache.cxf.common.util.Base64UrlUtility;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.message.Message;
import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer;
import org.apache.cxf.rs.security.jose.jws.JwsUtils;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
import org.apache.cxf.systest.jaxrs.security.SecurityTestUtil;
import org.apache.cxf.systest.jaxrs.security.oauth2.common.OAuth2TestUtils;
import org.apache.cxf.systest.jaxrs.security.oauth2.common.SamlCallbackHandler;
import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
import org.apache.cxf.testutil.common.TestUtil;
import org.apache.wss4j.common.saml.SAMLCallback;
import org.apache.wss4j.common.saml.SAMLUtil;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.junit.AfterClass;
import org.junit.BeforeClass;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;

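@RunWith(Parameterized.class)
/**
 * Negative tests for the OAuth 2.0 authorization and token endpoints.
 *
 * <p>Every test sends a request that the authorization server must refuse — an unknown
 * client, an unregistered redirect URI, an unknown scope, a replayed code or refresh
 * token, or a bearer assertion (SAML / JWT) that is unsigned, untrusted, expired,
 * issuer-less or aimed at the wrong audience — and checks that it is refused.
 * Each test is run once per server variant returned by {@link #data()}.
 *
 * <p>Token-endpoint rejections are asserted on the HTTP status (see
 * {@link #assertTokenRequestRejected}) rather than by catching {@code Exception}, so
 * that a server that is down or a TLS failure errors the test instead of quietly
 * counting as a "rejection".
 */
public class AuthorizationGrantNegativeTest extends AbstractBusClientServerTestBase {
    public static final String PORT = TestUtil.getPortNumber("jaxrs-oauth2-grants-negative");
    public static final String PORT2 = TestUtil.getPortNumber("jaxrs-oauth2-grants2-negative");
    public static final String JWT_PORT = TestUtil.getPortNumber("jaxrs-oauth2-grants-negative-jwt");
    public static final String JWT_PORT2 = TestUtil.getPortNumber("jaxrs-oauth2-grants2-negative-jwt");
    public static final String JCACHE_PORT = TestUtil.getPortNumber("jaxrs-oauth2-grants-negative-jcache");
    public static final String JCACHE_PORT2 = TestUtil.getPortNumber("jaxrs-oauth2-grants2-negative-jcache");
    public static final String JWT_JCACHE_PORT = TestUtil.getPortNumber("jaxrs-oauth2-grants-negative-jcache-jwt");
    public static final String JWT_JCACHE_PORT2 = TestUtil.getPortNumber("jaxrs-oauth2-grants2-negative-jcache-jwt");
    public static final String JPA_PORT = TestUtil.getPortNumber("jaxrs-oauth2-grants-negative-jpa");
    public static final String JPA_PORT2 = TestUtil.getPortNumber("jaxrs-oauth2-grants2-negative-jpa");
    public static final String JWT_NON_PERSIST_JCACHE_PORT = TestUtil.getPortNumber("jaxrs-oauth2-grants-negative-jcache-jwt-non-persist");
    public static final String JWT_NON_PERSIST_JCACHE_PORT2 = TestUtil.getPortNumber("jaxrs-oauth2-grants2-negative-jcache-jwt-non-persist");

    private static final String SAML2_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer";
    private static final String JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer";
    private static final String CLIENT_ID = "consumer-id";
    private static final String CLIENT_SECRET = "this-is-a-secret";
    // The first URI is the one registered for "consumer-id"; the second is not registered.
    private static final String REGISTERED_REDIRECT_URI = "http://www.blah.apache.org";
    private static final String UNREGISTERED_REDIRECT_URI = "http://www.blah.bad.apache.org";
    // Client-side bus configuration (TLS trust etc.); lives in this package.
    private static final URL CLIENT_BUS_CONFIG = AuthorizationGrantNegativeTest.class.getResource("client.xml");

    final String port;

    /**
     * Common launcher for the server variants below: boots a Spring bus from the named
     * configuration file and registers it as the default bus.
     *
     * <p>The original launchers also constructed a throw-away instance of their own
     * class after creating the bus; nothing in this file shows that constructor having
     * an effect, so it is omitted here.
     */
    abstract static class NegativeGrantsServer extends AbstractBusTestServerBase {
        private final URL configFile;

        /**
         * @param configName name of the Spring configuration, resolved relative to this
         *                   package (all variants live in the same package, so it does not
         *                   matter which nested class loads it)
         */
        NegativeGrantsServer(String configName) {
            this.configFile = NegativeGrantsServer.class.getResource(configName);
        }

        @Override
        protected void run() {
            Bus bus = new SpringBusFactory().createBus(configFile);
            BusFactory.setDefaultBus(bus);
            setBus(bus);
        }
    }

    /** Default token store, opaque tokens. */
    public static class BookServerOAuth2GrantsNegative extends NegativeGrantsServer {
        public BookServerOAuth2GrantsNegative() {
            super("grants-negative-server.xml");
        }
    }

    /** JCache-backed token store. */
    public static class BookServerOAuth2GrantsNegativeJCache extends NegativeGrantsServer {
        public BookServerOAuth2GrantsNegativeJCache() {
            super("grants-negative-server-jcache.xml");
        }
    }

    /** JCache-backed store, JWT access tokens. */
    public static class BookServerOAuth2GrantsNegativeJCacheJWT extends NegativeGrantsServer {
        public BookServerOAuth2GrantsNegativeJCacheJWT() {
            super("grants-negative-server-jcache-jwt.xml");
        }
    }

    /** JCache-backed store, JWT access tokens that are not persisted. */
    public static class BookServerOAuth2GrantsNegativeJCacheJWTNonPersist extends NegativeGrantsServer {
        public BookServerOAuth2GrantsNegativeJCacheJWTNonPersist() {
            super("grants-negative-server-jcache-jwt-non-persist.xml");
        }
    }

    /** JPA-backed token store. */
    public static class BookServerOAuth2GrantsNegativeJPA extends NegativeGrantsServer {
        public BookServerOAuth2GrantsNegativeJPA() {
            super("grants-negative-server-jpa.xml");
        }
    }

    /** Default token store, JWT access tokens. */
    public static class BookServerOAuth2GrantsNegativeJWT extends NegativeGrantsServer {
        public BookServerOAuth2GrantsNegativeJWT() {
            super("grants-negative-server-jwt.xml");
        }
    }

    /** @param port the port of the server variant this instance runs against */
    public AuthorizationGrantNegativeTest(String port) {
        this.port = port;
    }

    @BeforeClass
    public static void startServers() throws Exception {
        assertTrue("server did not launch correctly", launchServer(BookServerOAuth2GrantsNegative.class, true));
        assertTrue("server did not launch correctly", launchServer(BookServerOAuth2GrantsNegativeJWT.class, true));
        assertTrue("server did not launch correctly", launchServer(BookServerOAuth2GrantsNegativeJCache.class, true));
        assertTrue("server did not launch correctly", launchServer(BookServerOAuth2GrantsNegativeJCacheJWT.class, true));
        assertTrue("server did not launch correctly", launchServer(BookServerOAuth2GrantsNegativeJPA.class, true));
        assertTrue("server did not launch correctly", launchServer(BookServerOAuth2GrantsNegativeJCacheJWTNonPersist.class, true));
    }

    @AfterClass
    public static void cleanup() throws Exception {
        SecurityTestUtil.cleanup();
    }

    /** One run of every test per server variant; the port is the parameter. */
    @Parameterized.Parameters(name = "{0}")
    public static Collection<String> data() {
        return Arrays.asList(PORT, JWT_PORT, JCACHE_PORT, JWT_JCACHE_PORT, JPA_PORT, JWT_NON_PERSIST_JCACHE_PORT);
    }

    // ---------------------------------------------------------------- helpers

    /** Base address of the service under test for the current port. */
    private String address() {
        return "https://localhost:" + port + "/services/";
    }

    /**
     * Creates a client for {@link #address()} using HTTP basic credentials.
     *
     * @param maintainSession keep the session cookie across requests; every test that
     *                        runs the multi-step authorization-code flow needs this
     */
    private WebClient newClient(String user, String password, boolean maintainSession) {
        WebClient client = WebClient.create(address(), OAuth2TestUtils.setupProviders(),
                                            user, password, CLIENT_BUS_CONFIG.toString());
        if (maintainSession) {
            WebClient.getConfig(client).getRequestContext().put(Message.MAINTAIN_SESSION, Boolean.TRUE);
        }
        return client;
    }

    /** A client positioned on the token endpoint, ready to post a form-encoded grant. */
    private WebClient newTokenClient(String user, String password, boolean maintainSession) {
        WebClient client = newClient(user, password, maintainSession);
        client.type("application/x-www-form-urlencoded").accept("application/json");
        client.path("token");
        return client;
    }

    /** Issues a GET on the client's current URI and returns the status, closing the response. */
    private static int getStatus(WebClient client) {
        Response response = client.get();
        try {
            return response.getStatus();
        } finally {
            response.close();
        }
    }

    /**
     * Posts {@code form} to the token endpoint the client is positioned on and asserts
     * that the server refused it.
     *
     * <p>Any error status (>= 400) counts as a refusal, matching the leniency of the
     * previous exception-based check; tighten to 4xx once the server's responses for
     * each case have been confirmed. Transport failures propagate as exceptions and
     * therefore error the test rather than passing it.
     *
     * @param reason assertion message describing what should have been rejected
     */
    private static void assertTokenRequestRejected(WebClient client, Form form, String reason) {
        Response response = client.post(form);
        try {
            int status = response.getStatus();
            assertTrue(reason + " (server answered HTTP " + status + ")", status >= 400);
        } finally {
            response.close();
        }
    }

    /** A form for one of the assertion-based grants (SAML 2.0 bearer or JWT bearer). */
    private static Form assertionGrant(String grantType, String assertion) {
        Form form = new Form();
        form.param("grant_type", grantType);
        form.param("assertion", assertion);
        form.param("client_id", CLIENT_ID);
        return form;
    }

    /**
     * A resource-owner-password grant. {@code null} omits the corresponding parameter.
     * A fresh form is built per case because {@link Form#param} appends rather than
     * replaces, so reusing one form would send several {@code username} values.
     */
    private static Form passwordGrant(String username, String password) {
        Form form = new Form();
        form.param("grant_type", "password");
        if (username != null) {
            form.param("username", username);
        }
        if (password != null) {
            form.param("password", password);
        }
        return form;
    }

    /** Builds the assertion described by {@code handler}, signs it and serialises it. */
    private static String signedAssertion(SamlCallbackHandler handler) throws Exception {
        SAMLCallback callback = new SAMLCallback();
        SAMLUtil.doSAMLCallback(handler, callback);
        SamlAssertionWrapper assertion = new SamlAssertionWrapper(callback);
        assertion.signAssertion(callback.getIssuerKeyName(), callback.getIssuerKeyPassword(),
                                callback.getIssuerCrypto(), callback.isSendKeyValue(),
                                callback.getCanonicalizationAlgorithm(), callback.getSignatureAlgorithm());
        return assertion.assertionToString();
    }

    // ------------------------------------------------- authorization endpoint

    @Test
    public void testAuthorizationCodeBadClient() throws Exception {
        WebClient client = newClient("alice", "security", true);
        client.type("application/json").accept("application/json");
        client.query("redirect_uri", REGISTERED_REDIRECT_URI);
        client.query("response_type", "code");
        client.path("authorize/");
        // Neither a missing nor an unregistered client_id may get past the authorization endpoint
        assertEquals(400, getStatus(client));
        client.query("client_id", "bad-consumer-id");
        assertEquals(400, getStatus(client));
    }

    @Test
    public void testAuthorizationCodeBadRedirectionURI() throws Exception {
        WebClient client = newClient("alice", "security", true);
        client.type("application/json").accept("application/json");
        client.query("client_id", CLIENT_ID);
        client.query("response_type", "code");
        client.path("authorize/");
        // A redirect_uri that is not registered for the client must not be redirected to
        client.query("redirect_uri", UNREGISTERED_REDIRECT_URI);
        assertEquals(400, getStatus(client));
    }

    @Test
    public void testResponseType() throws Exception {
        WebClient client = newClient("alice", "security", true);
        client.type("application/json").accept("application/json");
        client.query("client_id", CLIENT_ID);
        client.query("redirect_uri", REGISTERED_REDIRECT_URI);
        client.path("authorize/");
        // With a registered redirect_uri the error is reported by redirecting (303)
        // rather than by a 400 — contrast testAuthorizationCodeBadRedirectionURI.
        assertEquals(303, getStatus(client));
        client.query("response_type", "unknown");
        assertEquals(303, getStatus(client));
    }

    @Test
    public void testAuthorizationCodeBadScope() throws Exception {
        WebClient client = newClient("alice", "security", true);
        client.type("application/json").accept("application/json");
        client.query("client_id", CLIENT_ID);
        client.query("response_type", "code");
        // NOTE(review): this request also carries the unregistered redirect_uri, which on
        // its own already yields 400 (testAuthorizationCodeBadRedirectionURI), so the
        // assertion below does not prove that the scope was rejected. With the registered
        // redirect_uri the server most likely reports invalid_scope through a 303 redirect
        // (cf. testResponseType); confirm that and adjust the expected status before
        // tightening this test to isolate the scope check.
        client.query("redirect_uri", UNREGISTERED_REDIRECT_URI);
        client.query("scope", "unknown-scope");
        client.path("authorize/");
        assertEquals(400, getStatus(client));
    }

    // ------------------------------------------------------- token endpoint

    @Test
    public void testRepeatAuthorizationCode() throws Exception {
        WebClient userClient = newClient("alice", "security", true);
        String code = OAuth2TestUtils.getAuthorizationCode(userClient);
        assertNotNull(code);

        WebClient tokenClient = newTokenClient(CLIENT_ID, CLIENT_SECRET, true);
        Form form = new Form();
        form.param("grant_type", "authorization_code");
        form.param("code", code);
        form.param("client_id", CLIENT_ID);
        ClientAccessToken token = tokenClient.post(form).readEntity(ClientAccessToken.class);
        assertNotNull(token.getTokenKey());

        // Authorization codes are single-use: replaying the same code must be refused
        assertTokenRequestRejected(tokenClient, form, "Failure expected on trying to get a second access token");
    }

    @Test
    public void testRepeatRefreshCall() throws Exception {
        WebClient userClient = newClient("alice", "security", true);
        String code = OAuth2TestUtils.getAuthorizationCode(userClient, "read_balance");
        assertNotNull(code);

        WebClient clientApp = newClient(CLIENT_ID, CLIENT_SECRET, true);
        ClientAccessToken initial = OAuth2TestUtils.getAccessTokenWithAuthorizationCode(clientApp, code);
        assertNotNull(initial.getTokenKey());
        assertNotNull(initial.getRefreshToken());

        // The helper above presumably leaves clientApp positioned on the token endpoint
        // (the original posted without calling path("token") here), so only the media
        // types are set.
        clientApp.type("application/x-www-form-urlencoded").accept("application/json");
        Form form = new Form();
        form.param("grant_type", "refresh_token");
        form.param("refresh_token", initial.getRefreshToken());
        form.param("client_id", CLIENT_ID);
        form.param("scope", "read_balance");
        ClientAccessToken refreshed = clientApp.post(form).readEntity(ClientAccessToken.class);
        assertNotNull(refreshed.getTokenKey());
        assertNotNull(refreshed.getRefreshToken());

        // The consumed refresh token must have been revoked, so a replay is refused
        assertTokenRequestRejected(clientApp, form, "Failure expected on trying to reuse a refresh token");
    }

    @Test
    public void testRefreshWithBadToken() throws Exception {
        WebClient userClient = newClient("alice", "security", true);
        String code = OAuth2TestUtils.getAuthorizationCode(userClient, "read_balance");
        assertNotNull(code);

        WebClient clientApp = newClient(CLIENT_ID, CLIENT_SECRET, true);
        ClientAccessToken token = OAuth2TestUtils.getAccessTokenWithAuthorizationCode(clientApp, code);
        assertNotNull(token.getTokenKey());
        assertNotNull(token.getRefreshToken());

        // See testRepeatRefreshCall for why path("token") is not set again here
        clientApp.type("application/x-www-form-urlencoded").accept("application/json");
        Form form = new Form();
        form.param("grant_type", "refresh_token");
        form.param("client_id", CLIENT_ID);
        form.param("scope", "read_balance");
        // (The original fired one extra, unchecked post here; dropped — it only leaked a response.)
        assertTokenRequestRejected(clientApp, form, "Failure expected on no refresh token");

        form.param("refresh_token", "12345");
        assertTokenRequestRejected(clientApp, form, "Failure expected on a bad refresh token");
    }

    @Test
    public void testAccessTokenBadCode() throws Exception {
        WebClient userClient = newClient("alice", "security", true);
        // A real code is issued so that the server has state to compare a bogus code against
        assertNotNull(OAuth2TestUtils.getAuthorizationCode(userClient));

        WebClient tokenClient = newTokenClient(CLIENT_ID, CLIENT_SECRET, true);
        Form form = new Form();
        form.param("grant_type", "authorization_code");
        form.param("client_id", CLIENT_ID);
        assertTokenRequestRejected(tokenClient, form, "Failure expected on no code");

        form.param("code", "123456677");
        assertTokenRequestRejected(tokenClient, form, "Failure expected on a bad code");
    }

    @Test
    public void testUnknownGrantType() throws Exception {
        WebClient tokenClient = newTokenClient(CLIENT_ID, CLIENT_SECRET, false);
        Form form = new Form();
        form.param("username", "alice");
        form.param("password", "security");
        assertTokenRequestRejected(tokenClient, form, "Failure expected on no grant type");

        form.param("grant_type", "unknown");
        assertTokenRequestRejected(tokenClient, form, "Failure expected on an unknown grant type");
    }

    @Test
    public void testPasswordCredentialsGrantUnknownUsers() throws Exception {
        WebClient tokenClient = newTokenClient(CLIENT_ID, CLIENT_SECRET, false);
        // Every case carries grant_type=password so that the refusal comes from the
        // credential check and not from a missing grant type (the previous version never
        // sent a grant type, so all four cases were refused for that unrelated reason;
        // testUnknownGrantType covers it). Each case also gets its own form, because
        // Form.param appends and the earlier "alice2" would otherwise be sent alongside "alice".
        assertTokenRequestRejected(tokenClient, passwordGrant(null, null),
                                   "Failure expected on no username");
        assertTokenRequestRejected(tokenClient, passwordGrant("alice2", null),
                                   "Failure expected on a bad username");
        assertTokenRequestRejected(tokenClient, passwordGrant("alice", null),
                                   "Failure expected on no password");
        assertTokenRequestRejected(tokenClient, passwordGrant("alice", "security2"),
                                   "Failure expected on a bad password");
    }

    @Test
    public void testAuthorizationCodeGrantWithUnknownAudience() throws Exception {
        WebClient userClient = newClient("alice", "security", true);
        String code = OAuth2TestUtils.getAuthorizationCode(userClient, null, "consumer-id-aud");
        assertNotNull(code);

        WebClient clientApp = newClient("consumer-id-aud", CLIENT_SECRET, true);
        try {
            // The audience carries no port and so matches nothing the server knows about
            OAuth2TestUtils.getAccessTokenWithAuthorizationCode(clientApp, code, "consumer-id-aud",
                                                                "https://localhost:/secured/bookstore/books");
            fail("Failure expected on an unknown audience");
        } catch (Exception e) {
            // NOTE(review): the helper's failure type is not visible from this file, so the
            // catch stays broad; a transport failure would also be accepted here. Narrow it
            // once the exception the helper throws on a rejected grant is confirmed.
        }
    }

    // ------------------------------------------------ SAML 2.0 bearer grant

    @Test
    public void testSAML11() throws Exception {
        WebClient tokenClient = newTokenClient("alice", "security", false);
        // createToken(audience, saml2, sign): judging by the three SAML cases, the second
        // flag selects SAML 2.0 and the third signing — so this is a signed SAML 1.1 assertion.
        String assertion = OAuth2TestUtils.createToken(address() + "token", false, true);
        assertTokenRequestRejected(tokenClient,
                                   assertionGrant(SAML2_BEARER_GRANT, Base64UrlUtility.encode(assertion)),
                                   "Failure expected on a SAML 1.1 assertion");
    }

    @Test
    public void testSAMLAudRestr() throws Exception {
        WebClient tokenClient = newTokenClient("alice", "security", false);
        // Signed SAML 2.0, but the audience names ".../token2" instead of the token endpoint
        String assertion = OAuth2TestUtils.createToken(address() + "token2", true, true);
        assertTokenRequestRejected(tokenClient,
                                   assertionGrant(SAML2_BEARER_GRANT, Base64UrlUtility.encode(assertion)),
                                   "Failure expected on a bad audience restriction");
    }

    @Test
    public void testSAMLUnsigned() throws Exception {
        WebClient tokenClient = newTokenClient("alice", "security", false);
        // SAML 2.0 with the right audience but no signature
        String assertion = OAuth2TestUtils.createToken(address() + "token", true, false);
        assertTokenRequestRejected(tokenClient,
                                   assertionGrant(SAML2_BEARER_GRANT, Base64UrlUtility.encode(assertion)),
                                   "Failure expected on an unsigned assertion");
    }

    @Test
    public void testSAMLHolderOfKey() throws Exception {
        WebClient tokenClient = newTokenClient("alice", "security", false);
        // A properly signed assertion whose subject confirmation is holder-of-key; the
        // SAML bearer grant requires the bearer confirmation method.
        SamlCallbackHandler handler = new SamlCallbackHandler(true);
        handler.setConfirmationMethod("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key");
        handler.setAudience(address() + "token");
        String assertion = signedAssertion(handler);
        assertTokenRequestRejected(tokenClient,
                                   assertionGrant(SAML2_BEARER_GRANT, Base64UrlUtility.encode(assertion)),
                                   "Failure expected on an incorrect subject confirmation method");
    }

    @Test
    public void testSAMLUnauthenticatedSignature() throws Exception {
        WebClient tokenClient = newTokenClient("alice", "security", false);
        // An assertion signed with "smallkey", a key the server is (presumably — its trust
        // store is not visible here) not configured to trust. The previous version also
        // set holder-of-key confirmation, so the refusal could have come from that check
        // instead (testSAMLHolderOfKey covers it); the confirmation method is now left at
        // the handler's default, assumed to be bearer — TODO confirm in SamlCallbackHandler.
        SamlCallbackHandler handler = new SamlCallbackHandler(true);
        handler.setAudience(address() + "token");
        handler.setIssuerKeyName("smallkey");
        handler.setIssuerKeyPassword("security");
        handler.setCryptoPropertiesFile("org/apache/cxf/systest/jaxrs/security/smallkey.properties");
        String assertion = signedAssertion(handler);
        assertTokenRequestRejected(tokenClient,
                                   assertionGrant(SAML2_BEARER_GRANT, Base64UrlUtility.encode(assertion)),
                                   "Failure expected on an assertion signed with an untrusted key");
    }

    // ----------------------------------------------------- JWT bearer grant

    @Test
    public void testJWTUnsigned() throws Exception {
        WebClient tokenClient = newTokenClient("alice", "security", false);
        // createToken(issuer, subject, audience, expiry, sign): judging by the four JWT
        // cases, the fourth flag adds an expiry and the fifth signs the token.
        String jwt = OAuth2TestUtils.createToken("DoubleItSTSIssuer", CLIENT_ID, address() + "token", true, false);
        assertTokenRequestRejected(tokenClient, assertionGrant(JWT_BEARER_GRANT, jwt),
                                   "Failure expected on an unsigned token");
    }

    @Test
    public void testJWTNoIssuer() throws Exception {
        WebClient tokenClient = newTokenClient("alice", "security", false);
        String jwt = OAuth2TestUtils.createToken(null, CLIENT_ID, address() + "token", true, true);
        assertTokenRequestRejected(tokenClient, assertionGrant(JWT_BEARER_GRANT, jwt),
                                   "Failure expected on no issuer");
    }

    @Test
    public void testJWTNoExpiry() throws Exception {
        WebClient tokenClient = newTokenClient("alice", "security", false);
        String jwt = OAuth2TestUtils.createToken("DoubleItSTSIssuer", CLIENT_ID, address() + "token", false, true);
        assertTokenRequestRejected(tokenClient, assertionGrant(JWT_BEARER_GRANT, jwt),
                                   "Failure expected on no expiry");
    }

    @Test
    public void testJWTBadAudienceRestriction() throws Exception {
        WebClient tokenClient = newTokenClient("alice", "security", false);
        // Signed and current, but "aud" names ".../badtoken" rather than the token endpoint
        String jwt = OAuth2TestUtils.createToken("DoubleItSTSIssuer", CLIENT_ID, address() + "badtoken", true, true);
        assertTokenRequestRejected(tokenClient, assertionGrant(JWT_BEARER_GRANT, jwt),
                                   "Failure expected on a bad audience restriction");
    }

    @Test
    public void testJWTUnauthenticatedSignature() throws Exception {
        WebClient tokenClient = newTokenClient("alice", "security", false);

        // Otherwise valid claims: right subject, issuer, audience, fresh 60-second lifetime
        JwtClaims claims = new JwtClaims();
        claims.setSubject(CLIENT_ID);
        claims.setIssuer("DoubleItSTSIssuer");
        Instant now = Instant.now();
        claims.setIssuedAt(now.getEpochSecond());
        claims.setExpiryTime(now.plusSeconds(60L).getEpochSecond());
        claims.setAudiences(Collections.singletonList(address() + "token"));

        // Sign with "smallkey" from smallkeysize.jks — presumably not in the server's trust
        // store (the server-side configuration is not visible here), so the signature
        // verifies cryptographically but is not authenticated.
        Properties signingProps = new Properties();
        signingProps.put("rs.security.keystore.type", "jks");
        signingProps.put("rs.security.keystore.password", "security");
        signingProps.put("rs.security.keystore.alias", "smallkey");
        signingProps.put("rs.security.keystore.file", "org/apache/cxf/systest/jaxrs/security/certs/smallkeysize.jks");
        signingProps.put("rs.security.key.password", "security");
        signingProps.put("rs.security.signature.algorithm", "RS256");
        JwsHeaders headers = new JwsHeaders(signingProps);
        String jwt = new JwsJwtCompactProducer(headers, claims)
            .signWith(JwsUtils.loadSignatureProvider(signingProps, headers));

        assertTokenRequestRejected(tokenClient, assertionGrant(JWT_BEARER_GRANT, jwt),
                                   "Failure expected on an unauthenticated token");
    }
}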
