package net.shibboleth.idp.plugin.oidc.op.oauth2.profile.impl;

import com.nimbusds.oauth2.sdk.AuthorizationCode;
import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
import com.nimbusds.oauth2.sdk.ClientCredentialsGrant;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.openid.connect.sdk.claims.ACR;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientInformation;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;
import java.net.URI;
import java.net.URISyntaxException;
import java.time.Instant;
import java.util.Date;
import java.util.List;
import java.util.Map;
import net.shibboleth.idp.plugin.oidc.op.profile.impl.BaseOIDCResponseActionTest;
import net.shibboleth.idp.plugin.oidc.op.token.support.AuthorizeCodeClaimsSet;
import net.shibboleth.idp.profile.testing.ActionTestingSupport;
import net.shibboleth.oidc.metadata.context.OIDCMetadataContext;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import org.testng.Assert;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/oauth2/profile/impl/ValidateAudienceTest.class */
/**
 * Tests for {@link ValidateAudience} driven through OAuth2 token requests.
 *
 * <p>The fixture registers a client whose metadata carries a custom {@code audience} field
 * listing two values. Each test then submits a token request, with or without requested
 * resource URIs, and checks either the resulting event or the audience stored on the
 * response context.</p>
 *
 * <p>NOTE(review): the client ID placed in the metadata context ({@code "test"}) differs from
 * the one used for client authentication in the requests ({@code "s6BhdRkqt3"}). The action
 * apparently does not compare the two; confirm that client binding is enforced elsewhere.</p>
 */
public class ValidateAudienceTest extends BaseOIDCResponseActionTest {
    /** First audience registered for the client in {@link #init()}. */
    private static final String REGISTERED_AUDIENCE_ONE = "https://sp.example.org";

    /** Second audience registered for the client in {@link #init()}. */
    private static final String REGISTERED_AUDIENCE_TWO = "https://sp2.example.org";

    /** An audience that is never registered for the client. */
    private static final String UNREGISTERED_AUDIENCE = "https://sp3.example.org";

    /** Event expected whenever the requested audience is rejected. */
    private static final String INVALID_TARGET_EVENT = "InvalidTarget";

    private ValidateAudience action;
    private OIDCClientMetadata metaData;

    /**
     * Builds a fresh action and installs client metadata that allows two audiences.
     *
     * @throws ComponentInitializationException if the action cannot be initialized
     * @throws URISyntaxException declared for parity with the test methods
     */
    @BeforeMethod
    private void init() throws ComponentInitializationException, URISyntaxException {
        this.metaData = new OIDCClientMetadata();
        this.metaData.setCustomField("audience", List.of(REGISTERED_AUDIENCE_ONE, REGISTERED_AUDIENCE_TWO));

        this.action = new ValidateAudience();
        this.action.initialize();

        final OIDCClientInformation clientInformation = new OIDCClientInformation(
                new ClientID("test"), (Date) null, this.metaData, (Secret) null, (URI) null, (BearerAccessToken) null);
        final OIDCMetadataContext metadataCtx =
                this.profileRequestCtx.getInboundMessageContext().getSubcontext(OIDCMetadataContext.class, true);
        metadataCtx.setClientInformation(clientInformation);
    }

    /** Returns the token endpoint / redirect URI used by every request in this class. */
    private static URI tokenEndpointUri() throws URISyntaxException {
        return new URI("http://localhost");
    }

    /** Returns the HTTP Basic client authentication used by every request in this class. */
    private static ClientSecretBasic requestClientAuth() {
        return new ClientSecretBasic(new ClientID("s6BhdRkqt3"), new Secret("foo"));
    }

    /** Returns the authorization code grant shared by the two code-grant tests. */
    private static AuthorizationCodeGrant requestCodeGrant() throws URISyntaxException {
        return new AuthorizationCodeGrant(new AuthorizationCode("foo"), tokenEndpointUri());
    }

    /**
     * Client credentials grant requesting only an unregistered resource: the action must
     * signal {@code InvalidTarget} rather than issue a token for that audience.
     */
    @Test
    public void testTokenNoneAllowed() throws ComponentInitializationException, URISyntaxException {
        final List<URI> requested = List.of(new URI(UNREGISTERED_AUDIENCE));
        final TokenRequest request = new TokenRequest(
                tokenEndpointUri(), requestClientAuth(), new ClientCredentialsGrant(), (Scope) null, requested, (Map) null);
        setTokenRequest(request);

        ActionTestingSupport.assertEvent(this.action.execute(this.requestCtx), INVALID_TARGET_EVENT);
    }

    /**
     * Client credentials grant requesting a mix of registered and unregistered resources:
     * the action proceeds and the response audience holds only the two registered values.
     * The unregistered one is dropped without failing the request.
     */
    @Test
    public void testTokenSuccess() throws ComponentInitializationException, URISyntaxException {
        final List<URI> requested = List.of(
                new URI(REGISTERED_AUDIENCE_ONE), new URI(UNREGISTERED_AUDIENCE), new URI(REGISTERED_AUDIENCE_TWO));
        final TokenRequest request = new TokenRequest(
                tokenEndpointUri(), requestClientAuth(), new ClientCredentialsGrant(), (Scope) null, requested, (Map) null);
        setTokenRequest(request);

        ActionTestingSupport.assertProceedEvent(this.action.execute(this.requestCtx));
        Assert.assertEquals(this.respCtx.getAudience(), List.of(REGISTERED_AUDIENCE_ONE, REGISTERED_AUDIENCE_TWO));
    }

    /**
     * Client credentials grant with no requested resource: the action proceeds and the
     * response audience contains just the first registered value.
     */
    @Test
    public void testTokenFirstAudience() throws ComponentInitializationException, URISyntaxException {
        final TokenRequest request =
                new TokenRequest(tokenEndpointUri(), requestClientAuth(), new ClientCredentialsGrant(), (Scope) null);
        setTokenRequest(request);

        ActionTestingSupport.assertProceedEvent(this.action.execute(this.requestCtx));
        Assert.assertEquals(this.respCtx.getAudience(), List.of(REGISTERED_AUDIENCE_ONE));
    }

    /**
     * Authorization code grant whose claims set carries no audience, while the request asks
     * for a registered resource: the action must signal {@code InvalidTarget}.
     * Presumably this is because a code exchange cannot widen the audience beyond what the
     * code was granted; verify against {@link ValidateAudience}.
     */
    @Test
    public void testTokenFailNonePrevGranted() throws ComponentInitializationException, URISyntaxException {
        final List<URI> requested = List.of(new URI(REGISTERED_AUDIENCE_ONE));
        final TokenRequest request = new TokenRequest(
                tokenEndpointUri(), requestClientAuth(), requestCodeGrant(), (Scope) null, requested, (Map) null);
        setTokenRequest(request);

        // Grant claims deliberately omit setAudience(...): nothing was granted beforehand.
        this.respCtx.setAuthorizationGrantClaimsSet(new AuthorizeCodeClaimsSet.Builder()
                .setJWTID(this.idGenerator)
                .setClientID(new ClientID("s6BhdRkqt3"))
                .setIssuer("issuer")
                .setPrincipal("userPrin")
                .setSubject("subject")
                .setIssuedAt(Instant.now())
                .setExpiresAt(Instant.now())
                .setAuthenticationTime(Instant.now())
                .setRedirectURI(tokenEndpointUri())
                .setACR(new ACR("0"))
                .setScope(new Scope())
                .build());

        ActionTestingSupport.assertEvent(this.action.execute(this.requestCtx), INVALID_TARGET_EVENT);
    }

    /**
     * Authorization code grant whose claims set already names the unregistered audience, and
     * the request asks for that same resource: the action must still signal
     * {@code InvalidTarget}. An audience recorded in the grant does not, on this evidence,
     * override the client's registered audience list.
     */
    @Test
    public void testTokenFailPrevGranted() throws ComponentInitializationException, URISyntaxException {
        final List<URI> requested = List.of(new URI(UNREGISTERED_AUDIENCE));
        final TokenRequest request = new TokenRequest(
                tokenEndpointUri(), requestClientAuth(), requestCodeGrant(), (Scope) null, requested, (Map) null);
        setTokenRequest(request);

        this.respCtx.setAuthorizationGrantClaimsSet(new AuthorizeCodeClaimsSet.Builder()
                .setJWTID(this.idGenerator)
                .setClientID(new ClientID("s6BhdRkqt3"))
                .setIssuer("issuer")
                .setPrincipal("userPrin")
                .setSubject("subject")
                .setIssuedAt(Instant.now())
                .setExpiresAt(Instant.now())
                .setAuthenticationTime(Instant.now())
                .setRedirectURI(tokenEndpointUri())
                .setScope(Scope.parse("openid email"))
                .setAudience(List.of(UNREGISTERED_AUDIENCE))
                .setACR(new ACR("0"))
                .build());

        ActionTestingSupport.assertEvent(this.action.execute(this.requestCtx), INVALID_TARGET_EVENT);
    }
}
