package net.shibboleth.idp.plugin.oidc.op.profile.flow;

import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.AccessTokenResponse;
import com.nimbusds.oauth2.sdk.GrantType;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
import com.nimbusds.oauth2.sdk.auth.JWTAuthentication;
import com.nimbusds.oauth2.sdk.token.AccessToken;
import java.io.IOException;
import java.security.PublicKey;
import java.text.ParseException;
import java.time.Instant;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.plugin.oidc.op.token.support.AccessTokenClaimsSet;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.collection.Pair;
import net.shibboleth.utilities.java.support.security.DataSealerException;
import org.opensaml.storage.StorageService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.webflow.core.collection.MutableAttributeMap;
import org.springframework.webflow.executor.FlowExecutionResult;
import org.testng.Assert;
import org.testng.annotations.AfterMethod;
import org.testng.annotations.Test;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/profile/flow/ClientCredentialsTokenFlowTest.class */
public class ClientCredentialsTokenFlowTest extends AbstractOidcClientAuthenticationFlowTest {
    public static final String FLOW_ID = "oidc/token";
    private final Scope scope;
    private final String resource = "https://rp.example.org";
    private final String resourceSaml = "https://resource.example.org";

    @Autowired
    @Qualifier("shibboleth.StorageService")
    StorageService storageService;

    public ClientCredentialsTokenFlowTest() {
        super("oidc/token");
        this.scope = Scope.parse("profile email");
        this.resource = "https://rp.example.org";
        this.resourceSaml = "https://resource.example.org";
    }

    @AfterMethod
    public void tearDown() throws IOException {
        removeMetadata(this.storageService, this.clientId);
        removeMetadata(this.storageService, "https://rp.example.org");
    }

    @Test
    public void testUntrustedClient() throws IOException, ParseException {
        setHttpFormRequest("POST", createRequestParameters(this.clientId + "2", this.scope, "https://rp.example.org"));
        FlowExecutionResult launchExecution = this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext);
        assertErrorCode(launchExecution, "invalid_request");
        assertErrorDescriptionContains(launchExecution, "UnableToDecode");
    }

    @Test
    public void testInvalidClientSecret() throws ParseException, IOException {
        setHttpFormRequest("POST", createRequestParameters(this.clientId, this.scope, "https://rp.example.org"));
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, new String[0]);
        setBasicAuth(this.clientId, this.clientSecret + "2");
        assertErrorCode(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), "invalid_client");
    }

    @Test
    public void testInvalidAudience() throws ParseException, IOException {
        setHttpFormRequest("POST", createRequestParameters(this.clientId, this.scope, "https://rp.example.org/invalid"));
        storeMetadata(this.storageService, this.clientId, this.clientSecret, null, new String[0]);
        setBasicAuth(this.clientId, this.clientSecret);
        assertErrorCode(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), "invalid_target");
    }

    @Test
    public void testNoScope() throws Exception {
        setHttpFormRequest("POST", createRequestParameters(this.clientId, this.scope, "https://rp.example.org"));
        storeMetadata(this.storageService, this.clientId, this.clientSecret, null, new String[0]);
        setBasicAuth(this.clientId, this.clientSecret);
        AccessTokenResponse parseSuccessResponse = parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), AccessTokenResponse.class);
        Assert.assertNotNull(parseSuccessResponse.getTokens().getBearerAccessToken());
        Assert.assertEquals(parseSuccessResponse.getTokens().getBearerAccessToken().getLifetime(), 600L);
        Assert.assertNull(parseSuccessResponse.getTokens().getBearerAccessToken().getScope());
        verifyClaims(null, parseSuccessResponse.getTokens().getBearerAccessToken(), this.clientId, new Scope(), Collections.singletonList("https://rp.example.org"), "eduPersonScopedAffiliation");
    }

    @Test
    public void testNoScopeUnverifiedClient() throws Exception {
        setHttpFormRequest("POST", createRequestParameters(this.clientId, this.scope, "https://rp.example.org"));
        setBasicAuth(this.clientId, this.clientSecret);
        AccessTokenResponse parseSuccessResponse = parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), AccessTokenResponse.class);
        Assert.assertNotNull(parseSuccessResponse.getTokens().getBearerAccessToken());
        Assert.assertEquals(parseSuccessResponse.getTokens().getBearerAccessToken().getLifetime(), 600L);
        Assert.assertNull(parseSuccessResponse.getTokens().getBearerAccessToken().getScope());
        verifyClaims(null, parseSuccessResponse.getTokens().getBearerAccessToken(), this.clientId, new Scope(), Collections.singletonList("https://rp.example.org"), "eduPersonScopedAffiliation");
    }

    @Test
    public void testNoScopeUnverifiedClientBadAudience() throws Exception {
        setHttpFormRequest("POST", createRequestParameters(this.clientId, this.scope, "https://rp.example.org/invalid"));
        setBasicAuth(this.clientId, this.clientSecret);
        assertErrorCode(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), "invalid_target");
    }

    @Test
    public void testRequestedScope() throws Exception {
        setHttpFormRequest("POST", createRequestParameters(this.clientId, this.scope, "https://rp.example.org"));
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, new String[0]);
        setBasicAuth(this.clientId, this.clientSecret);
        AccessTokenResponse parseSuccessResponse = parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), AccessTokenResponse.class);
        Assert.assertNotNull(parseSuccessResponse.getTokens().getBearerAccessToken());
        Assert.assertEquals(parseSuccessResponse.getTokens().getBearerAccessToken().getLifetime(), 600L);
        Assert.assertEquals(parseSuccessResponse.getTokens().getBearerAccessToken().getScope(), this.scope);
        verifyClaims(null, parseSuccessResponse.getTokens().getBearerAccessToken(), this.clientId, this.scope, Collections.singletonList("https://rp.example.org"), "email", "eduPersonScopedAffiliation");
    }

    @Test
    public void testRequestedScopeUnverifiedClient() throws Exception {
        setHttpFormRequest("POST", createRequestParameters(this.clientId, this.scope, "https://rp.example.org"));
        setBasicAuth(this.clientId, this.clientSecret);
        AccessTokenResponse parseSuccessResponse = parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), AccessTokenResponse.class);
        Assert.assertNotNull(parseSuccessResponse.getTokens().getBearerAccessToken());
        Assert.assertEquals(parseSuccessResponse.getTokens().getBearerAccessToken().getLifetime(), 600L);
        Assert.assertNull(parseSuccessResponse.getTokens().getBearerAccessToken().getScope());
        verifyClaims(null, parseSuccessResponse.getTokens().getBearerAccessToken(), this.clientId, new Scope(), Collections.singletonList("https://rp.example.org"), "email", "eduPersonScopedAffiliation");
    }

    @Test
    public void testRequestedScopeNoAudienceJWT() throws Exception {
        setHttpFormRequest("POST", createRequestParameters(this.clientId + "JWT", this.scope, null));
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, new String[0]);
        storeMetadata(this.storageService, "https://rp.example.org", null, null, new String[0]);
        setBasicAuth(this.clientId, this.clientSecret);
        AccessTokenResponse parseSuccessResponse = parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), AccessTokenResponse.class);
        Assert.assertNotNull(parseSuccessResponse.getTokens().getBearerAccessToken());
        Assert.assertEquals(parseSuccessResponse.getTokens().getBearerAccessToken().getLifetime(), 600L);
        Assert.assertEquals(parseSuccessResponse.getTokens().getBearerAccessToken().getScope(), this.scope);
        verifyClaims("JWT", parseSuccessResponse.getTokens().getBearerAccessToken(), this.clientId, this.scope, Collections.singletonList("https://rp.example.org"), "email", "eduPersonScopedAffiliation");
    }

    @Test
    public void testRequestedScopeJWT() throws Exception {
        setHttpFormRequest("POST", createRequestParameters(this.clientId, this.scope, "https://rp.example.org"));
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, new String[0]);
        storeMetadata(this.storageService, "https://rp.example.org", null, null, new String[0]);
        setBasicAuth(this.clientId, this.clientSecret);
        AccessTokenResponse parseSuccessResponse = parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), AccessTokenResponse.class);
        Assert.assertNotNull(parseSuccessResponse.getTokens().getBearerAccessToken());
        Assert.assertEquals(parseSuccessResponse.getTokens().getBearerAccessToken().getLifetime(), 600L);
        Assert.assertEquals(parseSuccessResponse.getTokens().getBearerAccessToken().getScope(), this.scope);
        verifyClaims("JWT", parseSuccessResponse.getTokens().getBearerAccessToken(), this.clientId, this.scope, Collections.singletonList("https://rp.example.org"), "email", "eduPersonScopedAffiliation");
    }

    @Test
    public void testRequestedScopeJWTUnverifiedClient() throws Exception {
        setHttpFormRequest("POST", createRequestParameters(this.clientId, this.scope, "https://rp.example.org"));
        storeMetadata(this.storageService, "https://rp.example.org", null, null, new String[0]);
        setBasicAuth(this.clientId, this.clientSecret);
        AccessTokenResponse parseSuccessResponse = parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), AccessTokenResponse.class);
        Assert.assertNotNull(parseSuccessResponse.getTokens().getBearerAccessToken());
        Assert.assertEquals(parseSuccessResponse.getTokens().getBearerAccessToken().getLifetime(), 600L);
        Assert.assertNull(parseSuccessResponse.getTokens().getBearerAccessToken().getScope());
        verifyClaims("JWT", parseSuccessResponse.getTokens().getBearerAccessToken(), this.clientId, new Scope(), Collections.singletonList("https://rp.example.org"), "eduPersonScopedAffiliation");
    }

    @Test
    public void testRequestedScopeJWTEncrypted() throws Exception {
        setHttpFormRequest("POST", createRequestParameters(this.clientId, this.scope, "https://rp.example.org"));
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, new String[0]);
        storeMetadata(this.storageService, "https://rp.example.org", null, null, JWSAlgorithm.RS256, JWEAlgorithm.RSA_OAEP_256, EncryptionMethod.A128GCM, ClientAuthenticationMethod.CLIENT_SECRET_BASIC, JWSAlgorithm.RS256, this.rsaPublicKey, (String[]) null);
        setBasicAuth(this.clientId, this.clientSecret);
        AccessTokenResponse parseSuccessResponse = parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), AccessTokenResponse.class);
        Assert.assertNotNull(parseSuccessResponse.getTokens().getBearerAccessToken());
        Assert.assertEquals(parseSuccessResponse.getTokens().getBearerAccessToken().getLifetime(), 600L);
        Assert.assertEquals(parseSuccessResponse.getTokens().getBearerAccessToken().getScope(), this.scope);
        verifyClaims("JWE", parseSuccessResponse.getTokens().getBearerAccessToken(), this.clientId, this.scope, Collections.singletonList("https://rp.example.org"), "email", "eduPersonScopedAffiliation");
    }

    @Test
    public void testInvalidSecretJWTAuthn() throws Exception {
        assertErrorCode(launchWithJwtAuthentication(buildSecretJwtAuth(this.clientSecret + "invalid"), JWSAlgorithm.HS256), "invalid_client");
    }

    @Test
    public void testValidSecretJWTAuthn() throws Exception {
        AccessTokenResponse parseSuccessResponse = parseSuccessResponse(launchWithJwtAuthentication(buildSecretJwtAuth(this.clientSecret), JWSAlgorithm.HS256), AccessTokenResponse.class);
        Assert.assertNotNull(parseSuccessResponse.getTokens().getBearerAccessToken());
        Assert.assertEquals(parseSuccessResponse.getTokens().getBearerAccessToken().getLifetime(), 600L);
        Assert.assertEquals(parseSuccessResponse.getTokens().getBearerAccessToken().getScope(), this.scope);
        verifyClaims(null, parseSuccessResponse.getTokens().getBearerAccessToken(), this.clientId, this.scope, Collections.singletonList("https://rp.example.org"), "email", "eduPersonScopedAffiliation");
    }

    @Test
    public void testSaml() throws Exception {
        setHttpFormRequest("POST", createRequestParameters(this.clientIdSaml, this.scope, "https://resource.example.org"));
        setBasicAuth(this.clientIdSaml, this.clientSecretSaml);
        AccessTokenResponse parseSuccessResponse = parseSuccessResponse(this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext), AccessTokenResponse.class);
        Assert.assertNotNull(parseSuccessResponse.getTokens().getBearerAccessToken());
        Assert.assertEquals(parseSuccessResponse.getTokens().getBearerAccessToken().getLifetime(), 600L);
        Assert.assertEquals(parseSuccessResponse.getTokens().getBearerAccessToken().getScope(), this.scope);
        verifyClaims("JWT", parseSuccessResponse.getTokens().getBearerAccessToken(), this.clientIdSaml, this.scope, Collections.singletonList("https://resource.example.org"), "email", "eduPersonScopedAffiliation");
    }

    private AccessTokenClaimsSet unwrapAccessToken(AccessTokenResponse accessTokenResponse) {
        AccessToken accessToken = accessTokenResponse.getTokens().getAccessToken();
        Assert.assertNotNull(accessToken);
        try {
            return AccessTokenClaimsSet.parse(accessToken.getValue(), getDataSealer());
        } catch (ParseException | DataSealerException e) {
            return null;
        }
    }

    protected FlowExecutionResult launchWithJwtAuthentication(JWTAuthentication jWTAuthentication, JWSAlgorithm jWSAlgorithm) throws Exception {
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, JWSAlgorithm.HS256, ClientAuthenticationMethod.CLIENT_SECRET_JWT, new String[0]);
        Map<String, String> createRequestParameters = createRequestParameters(this.clientId, this.scope, "https://rp.example.org");
        populateClientAssertionParams(createRequestParameters, jWTAuthentication);
        setHttpFormRequest("POST", createRequestParameters);
        return this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext);
    }

    @Override // net.shibboleth.idp.plugin.oidc.op.profile.flow.AbstractOidcClientAuthenticationFlowTest
    protected FlowExecutionResult launchWithJwtAuthentication(JWT jwt, JWSAlgorithm jWSAlgorithm, ClientAuthenticationMethod clientAuthenticationMethod, PublicKey publicKey) throws Exception {
        if (ClientAuthenticationMethod.CLIENT_SECRET_JWT.equals(clientAuthenticationMethod)) {
            storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, jWSAlgorithm, clientAuthenticationMethod, new String[0]);
        } else {
            storeMetadata(this.storageService, this.clientId, (String) null, this.scope, jWSAlgorithm, clientAuthenticationMethod, (JWSAlgorithm) null, publicKey, new String[0]);
        }
        Map<String, String> createRequestParameters = createRequestParameters(this.clientId, this.scope, "https://rp.example.org");
        populateClientAssertionParams(createRequestParameters, jwt);
        setHttpFormRequest("POST", createRequestParameters);
        return this.flowExecutor.launchExecution("oidc/token", (MutableAttributeMap) null, this.externalContext);
    }

    protected Map<String, String> createRequestParameters(String str, Scope scope, String str2) {
        HashMap hashMap = new HashMap();
        addNonNullValue(hashMap, "grant_type", GrantType.CLIENT_CREDENTIALS.getValue());
        if (scope != null) {
            addNonNullValue(hashMap, "scope", scope.toString());
        }
        if (str2 != null) {
            addNonNullValue(hashMap, "resource", str2);
        }
        return hashMap;
    }

    private void addNonNullValue(Map<String, String> map, String str, String str2) {
        if (str2 != null) {
            map.put(str, str2);
        }
    }

    @Override // net.shibboleth.idp.plugin.oidc.op.profile.flow.AbstractOidcClientAuthenticationFlowTest
    protected Pair<String, String> getErrorDetaisForJWTValidation() {
        return new Pair<>("invalid_client", "Client authentication failed");
    }

    private void verifyClaims(@Nullable String str, @Nonnull AccessToken accessToken, @Nonnull String str2, @Nonnull Scope scope, @NonnullElements @Nonnull Collection<String> collection, @Nullable String... strArr) throws ParseException, DataSealerException, JOSEException {
        JWTClaimsSet jWTClaimsSet;
        if (str == null) {
            AccessTokenClaimsSet parse = AccessTokenClaimsSet.parse(accessToken.getValue(), getDataSealer());
            Assert.assertNotNull(parse);
            Assert.assertEquals(parse.getACR(), (String) null);
            Assert.assertEquals(parse.getAudience(), collection);
            Assert.assertTrue(parse.getAuthenticationTime().isBefore(Instant.now()));
            Assert.assertEquals(parse.getClientID().getValue(), str2);
            Assert.assertEquals(parse.getExp(), parse.getIssuedAt().plusSeconds(600L));
            Assert.assertEquals(parse.getIssuer(), "https://op.example.org");
            Assert.assertTrue(parse.getIssuedAt().isBefore(Instant.now()));
            Assert.assertEquals(parse.getScope(), scope);
            Assert.assertEquals(parse.getSubject(), str2);
            if (strArr != null) {
                for (String str3 : strArr) {
                    Assert.assertNull(parse.getClaimsSet().getClaim(str3));
                }
                return;
            }
            return;
        }
        if ("JWE".equals(str)) {
            EncryptedJWT parse2 = EncryptedJWT.parse(accessToken.getValue());
            parse2.decrypt(new RSADecrypter(this.rsaPrivateKey));
            jWTClaimsSet = SignedJWT.parse(parse2.getPayload().toString()).getJWTClaimsSet();
        } else {
            if (!"JWT".equals(str)) {
                throw new RuntimeException("Bad token type");
            }
            jWTClaimsSet = SignedJWT.parse(accessToken.getValue()).getJWTClaimsSet();
        }
        Assert.assertNotNull(jWTClaimsSet);
        Assert.assertEquals(jWTClaimsSet.getClaim("acr"), (Object) null);
        Assert.assertEquals(jWTClaimsSet.getAudience(), collection);
        Assert.assertTrue(jWTClaimsSet.getDateClaim("auth_time").toInstant().isBefore(Instant.now()));
        Assert.assertEquals(jWTClaimsSet.getStringClaim("client_id"), str2);
        Assert.assertEquals(jWTClaimsSet.getExpirationTime().toInstant(), jWTClaimsSet.getIssueTime().toInstant().plusSeconds(600L));
        Assert.assertEquals(jWTClaimsSet.getIssuer(), "https://op.example.org");
        Assert.assertTrue(jWTClaimsSet.getIssueTime().toInstant().isBefore(Instant.now()));
        Assert.assertEquals(jWTClaimsSet.getStringClaim("scope"), scope.toString());
        Assert.assertEquals(jWTClaimsSet.getSubject(), str2);
        if (strArr != null) {
            for (String str4 : strArr) {
                Assert.assertNotNull(jWTClaimsSet.getClaim(str4));
            }
        }
    }

    @Override // net.shibboleth.idp.plugin.oidc.op.profile.flow.AbstractOidcClientAuthenticationFlowTest
    protected void assertSuccessResponse(FlowExecutionResult flowExecutionResult) {
        AccessTokenResponse parseSuccessResponse = parseSuccessResponse(flowExecutionResult, AccessTokenResponse.class);
        Assert.assertNotNull(parseSuccessResponse.getTokens().getBearerAccessToken());
        Assert.assertEquals(parseSuccessResponse.getTokens().getBearerAccessToken().getLifetime(), 600L);
        Assert.assertEquals(parseSuccessResponse.getTokens().getBearerAccessToken().getScope(), this.scope);
    }
}
