package net.shibboleth.idp.plugin.authn.webauthn.client.impl;

import com.yubico.webauthn.RegisteredCredential;
import com.yubico.webauthn.RelyingParty;
import com.yubico.webauthn.data.AttestedCredentialData;
import com.yubico.webauthn.data.AuthenticatorAttestationResponse;
import com.yubico.webauthn.data.ByteArray;
import com.yubico.webauthn.data.ClientRegistrationExtensionOutputs;
import com.yubico.webauthn.data.PublicKeyCredential;
import com.yubico.webauthn.data.PublicKeyCredentialCreationOptions;
import com.yubico.webauthn.data.PublicKeyCredentialRequestOptions;
import com.yubico.webauthn.data.RelyingPartyIdentity;
import com.yubico.webauthn.data.UserIdentity;
import com.yubico.webauthn.data.UserVerificationRequirement;
import java.time.Instant;
import java.util.Optional;
import java.util.TreeSet;
import net.shibboleth.idp.plugin.authn.webauthn.authn.AssertionResult;
import net.shibboleth.idp.plugin.authn.webauthn.exception.AssertionFailureException;
import net.shibboleth.idp.plugin.authn.webauthn.exception.RegistrationFailureException;
import net.shibboleth.idp.plugin.authn.webauthn.impl.AbstractWebAuthnTest;
import net.shibboleth.idp.plugin.authn.webauthn.storage.CredentialRegistration;
import net.shibboleth.idp.plugin.authn.webauthn.storage.impl.InMemoryRegistrationStorage;
import net.shibboleth.idp.plugin.authn.webauthn.storage.impl.MockAuthenticator;
import net.shibboleth.shared.codec.Base64Support;
import net.shibboleth.shared.collection.CollectionSupport;
import org.testng.Assert;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;

/* loaded from: input_file:net/shibboleth/idp/plugin/authn/webauthn/client/impl/YubicoWebauthnAuthenticationClientTest.class */
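/**
 * Unit tests for {@link YubicoWebAuthnAuthenticationClient}.
 *
 * <p>Each test builds a {@link RelyingParty} for {@code idp.example.com}, a {@link MockAuthenticator},
 * and an in-memory credential store, then drives a registration (attestation) and/or an
 * authentication (assertion) through the client. The failure tests each alter exactly one input
 * (RP ID, origin, client-data type, or signature) and expect the corresponding
 * {@link RegistrationFailureException} or {@link AssertionFailureException}.
 */
public class YubicoWebauthnAuthenticationClientTest extends AbstractWebAuthnTest {

    /** RP ID the relying party and (in the success cases) the mock authenticator are bound to. */
    private static final String RP_ID = "idp.example.com";

    /** Origin expected in the collected client data for the success cases. */
    private static final String RP_ORIGIN = "https://" + RP_ID;

    /** Username under which the mock credential is registered and later looked up. */
    private static final String USERNAME = "test-user";

    /** Base64 challenge placed in both the creation and request options and echoed by the mock. */
    private static final String CHALLENGE_B64 = "dGhpc2lzBaNoYWxsZW5nZQ==";

    /** Base64 user handle used as the user identity id and as the registered credential's user handle. */
    private static final String USER_HANDLE_B64 = "dGhpc2lzYWNoYWxsZW5nZQ==";

    /**
     * Second challenge value, currently unused by any test.
     * NOTE(review): no test below exercises a challenge mismatch (options challenge differing from the
     * one in the client data); this constant looks intended for such a case — worth adding.
     */
    private static final String CHALLENGE_2_B64 = "8gneM8yvE20CqnSCUkyD";

    /** Client under test. */
    private YubicoWebAuthnAuthenticationClient client;

    /** Creation options used by the registration tests. */
    private PublicKeyCredentialCreationOptions credentialCreationOptions;

    /** Request options used by the authentication tests. */
    private PublicKeyCredentialRequestOptions credentialRequestOptions;

    /** In-memory credential repository wired into the relying party. */
    private InMemoryRegistrationStorage storage;

    /** Identity of the single test user. */
    private UserIdentity userIdentity;

    /**
     * Builds a fresh relying party, client, user identity and option objects before each test.
     *
     * @throws Exception if the parent setup or base64 decoding fails
     */
    @Override
    @BeforeMethod
    public void setup() throws Exception {
        super.setup();
        storage = new InMemoryRegistrationStorage();

        // Port and subdomain relaxations are enabled here so the origin checks in the tests
        // hinge on the host itself ("wrong-origin"/"wrong"), not on an incidental port difference.
        final RelyingParty relyingParty = RelyingParty.builder()
                .identity(RelyingPartyIdentity.builder()
                        .id(RP_ID)
                        .name("Demo IdP as a WebAuthn RP")
                        .build())
                .credentialRepository(storage)
                .allowOriginPort(true)
                .allowOriginSubdomain(true)
                .build();

        client = new YubicoWebAuthnAuthenticationClient(relyingParty, preferredPublickeyParams);

        userIdentity = UserIdentity.builder()
                .name(USERNAME)
                .displayName("test user")
                .id(new ByteArray(Base64Support.decode(USER_HANDLE_B64)))
                .build();

        credentialCreationOptions = PublicKeyCredentialCreationOptions.builder()
                .rp(relyingParty.getIdentity())
                .user(userIdentity)
                .challenge(new ByteArray(Base64Support.decode(CHALLENGE_B64)))
                .pubKeyCredParams(preferredPublickeyParams)
                .excludeCredentials(Optional.empty())
                .timeout(Optional.empty())
                .build();

        credentialRequestOptions = PublicKeyCredentialRequestOptions.builder()
                .challenge(new ByteArray(Base64Support.decode(CHALLENGE_B64)))
                .rpId(relyingParty.getIdentity().getId())
                .userVerification(UserVerificationRequirement.REQUIRED)
                .timeout(Optional.of(60000L))
                .build();
    }

    /**
     * Registration with an authenticator bound to the correct RP ID and a client data origin
     * matching the relying party succeeds.
     *
     * @throws Exception on unexpected failure
     */
    @Test
    public void testValidateRegistration_Successs() throws Exception {
        mockAuthenticator = new MockAuthenticator(RP_ID);
        Assert.assertNotNull(
                client.validateAuthenticatorAttestationResponse(credentialCreationOptions, createAttestation(RP_ORIGIN)));
    }

    /**
     * Registration is rejected when the authenticator is bound to a different RP ID than the
     * relying party (presumably surfacing as an rpIdHash mismatch inside the client's validation).
     *
     * @throws Exception expected {@link RegistrationFailureException}
     */
    @Test(expectedExceptions = {RegistrationFailureException.class})
    public void testValidateRegistration_Fail_BadRpId() throws Exception {
        mockAuthenticator = new MockAuthenticator("wrong-rpid.example.com");
        client.validateAuthenticatorAttestationResponse(credentialCreationOptions, createAttestation(RP_ORIGIN));
    }

    /**
     * Registration is rejected when the collected client data carries an origin that is not the
     * relying party's.
     *
     * @throws Exception expected {@link RegistrationFailureException}
     */
    @Test(expectedExceptions = {RegistrationFailureException.class})
    public void testValidateRegistrationFail_BadOrigin() throws Exception {
        mockAuthenticator = new MockAuthenticator(RP_ID);
        client.validateAuthenticatorAttestationResponse(credentialCreationOptions, createAttestation("wrong-origin"));
    }

    /**
     * Authentication against a previously registered mock credential succeeds when type, origin
     * and signature are all correct.
     *
     * @throws Exception on unexpected failure
     */
    @Test
    public void testValidateAuthentication_Success() throws Exception {
        mockAuthenticator = new MockAuthenticator(RP_ID);
        final PublicKeyCredential<AuthenticatorAttestationResponse, ClientRegistrationExtensionOutputs> attestation =
                registerMockCredential();

        final AssertionResult result = validateAssertion(attestation, "webauthn.get", RP_ORIGIN);

        Assert.assertNotNull(result);
        Assert.assertTrue(result.isSuccess());
    }

    /**
     * Authentication is rejected when the client data origin does not match the relying party.
     *
     * @throws Exception expected {@link AssertionFailureException}
     */
    @Test(expectedExceptions = {AssertionFailureException.class})
    public void testValidateAuthentication_Fail_WrongOrigin() throws Exception {
        mockAuthenticator = new MockAuthenticator(RP_ID);
        final PublicKeyCredential<AuthenticatorAttestationResponse, ClientRegistrationExtensionOutputs> attestation =
                registerMockCredential();

        validateAssertion(attestation, "webauthn.get", "wrong");
    }

    /**
     * Authentication is rejected when the client data type is {@code webauthn.create} instead of
     * {@code webauthn.get}, i.e. a registration ceremony's client data replayed into an assertion.
     *
     * @throws Exception expected {@link AssertionFailureException}
     */
    @Test(expectedExceptions = {AssertionFailureException.class})
    public void testValidateAuthentication_Fail_WrongOperationType() throws Exception {
        mockAuthenticator = new MockAuthenticator(RP_ID);
        final PublicKeyCredential<AuthenticatorAttestationResponse, ClientRegistrationExtensionOutputs> attestation =
                registerMockCredential();

        validateAssertion(attestation, "webauthn.create", RP_ORIGIN);
    }

    /**
     * Authentication is rejected when the assertion signature does not verify under the registered
     * public key (the mock is switched to produce bad signatures before registration).
     *
     * @throws Exception expected {@link AssertionFailureException}
     */
    @Test(expectedExceptions = {AssertionFailureException.class})
    public void testValidateAuthentication_Fail_BadSignature_DifferentKey() throws Exception {
        mockAuthenticator = new MockAuthenticator(RP_ID);
        mockAuthenticator.setProduceBadAssertionSignatures(true);
        final PublicKeyCredential<AuthenticatorAttestationResponse, ClientRegistrationExtensionOutputs> attestation =
                registerMockCredential();

        validateAssertion(attestation, "webauthn.get", RP_ORIGIN);
    }

    /**
     * Asks the mock authenticator for an attestation over {@link #CHALLENGE_B64} with client data
     * of type {@code webauthn.create} and the given origin.
     *
     * @param origin origin to embed in the collected client data
     * @return the mock attestation credential
     * @throws Exception if the mock or base64 decoding fails
     */
    private PublicKeyCredential<AuthenticatorAttestationResponse, ClientRegistrationExtensionOutputs>
            createAttestation(final String origin) throws Exception {
        return mockAuthenticator.createAuthenticatorAttestationResponse(
                CHALLENGE_B64,
                createClientData("webauthn.create", origin, CHALLENGE_B64),
                Base64Support.decode(USER_HANDLE_B64));
    }

    /**
     * Creates a valid attestation from the mock authenticator and stores the resulting credential
     * for {@link #USERNAME}, so that a subsequent assertion can be validated against it.
     *
     * @return the attestation credential whose id and public key were registered
     * @throws Exception if the mock, decoding or storage fails
     */
    private PublicKeyCredential<AuthenticatorAttestationResponse, ClientRegistrationExtensionOutputs>
            registerMockCredential() throws Exception {
        final PublicKeyCredential<AuthenticatorAttestationResponse, ClientRegistrationExtensionOutputs> attestation =
                createAttestation(RP_ORIGIN);

        // The mock always includes attested credential data; fail loudly rather than NPE if it ever does not.
        final AttestedCredentialData attested = attestation.getResponse()
                .getParsedAuthenticatorData()
                .getAttestedCredentialData()
                .orElseThrow(() -> new IllegalStateException("mock attestation carries no attested credential data"));

        final RegisteredCredential credential = RegisteredCredential.builder()
                .credentialId(attestation.getId())
                .userHandle(new ByteArray(Base64Support.decode(USER_HANDLE_B64)))
                .publicKeyCose(attested.getCredentialPublicKey())
                .build();

        storage.addRegistrationByUsername(USERNAME, CredentialRegistration.builder()
                .withUserIdentity(userIdentity)
                .withTransports(new TreeSet<>())
                .withRegistrationTime(Instant.now())
                .withCredential(credential)
                .withAttestationMetadata(CollectionSupport.emptySet())
                .withCredentialNickname("Nickname")
                .withDiscoverable(Optional.of(Boolean.TRUE))
                .withUserVerified(true)
                .build());

        return attestation;
    }

    /**
     * Produces an assertion from the mock authenticator for the given registered credential and
     * hands it to the client for validation.
     *
     * @param attestation the credential registered by {@link #registerMockCredential()}
     * @param clientDataType value of the client data {@code type} member (e.g. {@code webauthn.get})
     * @param origin origin to embed in the collected client data
     * @return the client's assertion result
     * @throws Exception propagated from the client, typically {@link AssertionFailureException}
     */
    private AssertionResult validateAssertion(
            final PublicKeyCredential<AuthenticatorAttestationResponse, ClientRegistrationExtensionOutputs> attestation,
            final String clientDataType,
            final String origin) throws Exception {
        return client.validateAuthenticatorAssertionResponse(
                USERNAME,
                Base64Support.decode(USER_HANDLE_B64),
                credentialRequestOptions,
                mockAuthenticator.createAuthenticatorAssertionResponse(
                        attestation.getId().getBytes(),
                        createClientData(clientDataType, origin, CHALLENGE_B64)));
    }
}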
