package net.shibboleth.idp.plugin.oidc.op.profile.impl;

import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
import com.nimbusds.openid.connect.sdk.claims.ACR;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.NoSuchAlgorithmException;
import java.text.ParseException;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalAmount;
import java.util.Date;
import java.util.Map;
import java.util.function.BiFunction;
import java.util.function.Function;
import net.shibboleth.idp.plugin.oidc.op.profile.logic.DefaultTokenRevocationLifetimeLookupStrategy;
import net.shibboleth.idp.plugin.oidc.op.storage.RevocationCacheContexts;
import net.shibboleth.idp.plugin.oidc.op.token.support.AccessTokenClaimsSet;
import net.shibboleth.idp.plugin.oidc.op.token.support.AuthorizeCodeClaimsSet;
import net.shibboleth.idp.plugin.oidc.op.token.support.RefreshTokenClaimsSet;
import net.shibboleth.idp.plugin.oidc.op.token.support.TokenClaimsSet;
import net.shibboleth.idp.profile.config.ProfileConfiguration;
import net.shibboleth.idp.profile.context.RelyingPartyContext;
import net.shibboleth.idp.profile.testing.ActionTestingSupport;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.security.DataSealerException;
import net.shibboleth.utilities.java.support.security.impl.SecureRandomIdentifierGenerationStrategy;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.storage.RevocationCache;
import org.opensaml.storage.impl.MemoryStorageService;
import org.testng.Assert;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/profile/impl/SetRefreshTokenToResponseContextTest.class */
/**
 * Unit tests for {@link SetRefreshTokenToResponseContext}.
 *
 * <p>Every test starts from a response context that carries the {@code offline_access} scope, an
 * authorization-code grant, and a revocation cache backed by an in-memory storage service. The refresh
 * tests swap the grant for a refresh-token claims set and check three things about the token the action
 * issues: it gets a new identifier, it keeps the chain's root identifier, and (only when rotation is
 * enforced) the presented refresh token's identifier is entered into the
 * {@link RevocationCacheContexts#SINGLE_ACCESS_OR_REFRESH_TOKENS} revocation context.</p>
 */
public class SetRefreshTokenToResponseContextTest extends BaseOIDCResponseActionTest {

    /** Action under test; rebuilt before each test method, and again by tests that need a claims manipulator. */
    private SetRefreshTokenToResponseContext action;

    /** Revocation cache the action writes to when rotation is enforced (package-visible like the original). */
    RevocationCache revocationCache;

    /**
     * Value returned by the rotation-enforcement condition handed to the action. The condition reads this
     * field when it is evaluated, so a test may flip it after {@link #initAction} has run.
     */
    private boolean enforceRotation;

    /**
     * Prepares a fresh fixture: {@code offline_access} in the requested scope, an authorization-code grant on
     * the response context, a new in-memory revocation cache, rotation enforcement off, and a default action.
     */
    @BeforeMethod
    private void init() throws ComponentInitializationException, NoSuchAlgorithmException, URISyntaxException {
        final Scope requestedScope = new Scope();
        requestedScope.add(OIDCScopeValue.OFFLINE_ACCESS);
        respCtx.setScope(requestedScope);
        respCtx.setAuthorizationGrantClaimsSet(codeGrant());

        final MemoryStorageService storage = new MemoryStorageService();
        storage.setId("id");
        storage.initialize();
        revocationCache = new RevocationCache();
        revocationCache.setStorage(storage);
        revocationCache.setId("mockCache");
        revocationCache.initialize();

        enforceRotation = false;
        action = initAction(null);
    }

    /**
     * Creates and initializes an action wired to the test revocation cache.
     *
     * @param function optional lookup for a claims-map manipulation strategy; ignored when {@code null}
     * @return the initialized action
     * @throws ComponentInitializationException if initialization of the action fails
     * @throws NoSuchAlgorithmException if the data sealer cannot be obtained
     */
    protected SetRefreshTokenToResponseContext initAction(Function<ProfileRequestContext, BiFunction<ProfileRequestContext, Map<String, Object>, Map<String, Object>>> function) throws ComponentInitializationException, NoSuchAlgorithmException {
        final SetRefreshTokenToResponseContext result = new SetRefreshTokenToResponseContext(getDataSealer());
        result.setRevocationCache(revocationCache);
        if (function != null) {
            result.setTokenClaimsSetManipulationStrategyLookupStrategy(function);
        }

        // Run the revocation-lifetime lookup without any clock-skew allowance.
        final DefaultTokenRevocationLifetimeLookupStrategy lifetimeLookup = new DefaultTokenRevocationLifetimeLookupStrategy();
        lifetimeLookup.setClockSkew(Duration.ZERO);
        result.setTokenRevocationLifetimeLookupStrategy(lifetimeLookup);

        // Evaluated lazily, so tests can toggle enforceRotation after this method returns.
        result.setEnforceRefreshTokenRotationCondition(prc -> enforceRotation);
        result.initialize();
        return result;
    }

    /** Builds the authorization-code grant every test starts from. */
    private TokenClaimsSet codeGrant() throws URISyntaxException {
        return new AuthorizeCodeClaimsSet.Builder()
                .setJWTID(idGenerator)
                .setClientID(new ClientID())
                .setIssuer("issuer")
                .setPrincipal("userPrin")
                .setSubject("subject")
                .setIssuedAt(Instant.now())
                .setExpiresAt(Instant.now())
                .setAuthenticationTime(Instant.now())
                .setRedirectURI(new URI("http://example.com"))
                .setScope(new Scope())
                .setACR(new ACR("0"))
                .build();
    }

    /** Returns a fresh, securely random identifier to act as the root of a token chain. */
    private static String newRootId() {
        return new SecureRandomIdentifierGenerationStrategy().generateIdentifier();
    }

    /**
     * Builds a refresh-token grant rooted at {@code rootId} whose expiry lies {@code lifetime} after the
     * current instant (a zero lifetime gives an expires-at equal to the build time).
     *
     * @param rootId root token identifier for the chain
     * @param lifetime distance between now and the grant's expiry
     * @return the built claims set
     */
    private TokenClaimsSet refreshGrant(final String rootId, final Duration lifetime) throws URISyntaxException {
        return new RefreshTokenClaimsSet.Builder()
                .setJWTID(idGenerator)
                .setClientID(new ClientID())
                .setIssuer("issuer")
                .setPrincipal("userPrin")
                .setSubject("subject")
                .setIssuedAt(Instant.now())
                .setExpiresAt(Instant.now().plus(lifetime))
                .setAuthenticationTime(Instant.now())
                .setRedirectURI(new URI("http://example.com"))
                .setScope(new Scope())
                .setACR(new ACR("0"))
                .setRootTokenIdentifier(rootId)
                .build();
    }

    /**
     * Executes the action, asserts it proceeds and placed a refresh token on the response context, and
     * returns that token unsealed and parsed.
     */
    private RefreshTokenClaimsSet executeAndParseRefreshToken() throws ComponentInitializationException, NoSuchAlgorithmException, URISyntaxException, ParseException, DataSealerException {
        ActionTestingSupport.assertProceedEvent(action.execute(requestCtx));
        Assert.assertNotNull(respCtx.getRefreshToken());
        final RefreshTokenClaimsSet issued = RefreshTokenClaimsSet.parse(respCtx.getRefreshToken().getValue(), getDataSealer());
        Assert.assertNotNull(issued);
        return issued;
    }

    /** An authorization-code grant yields a refresh token whose chain root is the code's own identifier. */
    @Test
    public void testSuccessViaCode() throws ComponentInitializationException, NoSuchAlgorithmException, URISyntaxException, ParseException, DataSealerException {
        final String codeId = respCtx.getAuthorizationGrantClaimsSet().getID();

        final RefreshTokenClaimsSet issued = executeAndParseRefreshToken();

        Assert.assertNotEquals(issued.getID(), codeId);
        Assert.assertEquals(issued.getRootTokenIdentifier(), codeId);
    }

    /** Same as {@link #testSuccessViaCode}, with a manipulation strategy adding a custom claim to the token. */
    @Test
    public void testSuccessViaCodeWithCustomClaim() throws ComponentInitializationException, NoSuchAlgorithmException, URISyntaxException, ParseException, DataSealerException {
        final String codeId = respCtx.getAuthorizationGrantClaimsSet().getID();
        action = initAction(prc -> (ctx, claims) -> addEntryToMap(claims, "custom_claim", "custom_value"));

        final RefreshTokenClaimsSet issued = executeAndParseRefreshToken();

        Assert.assertNotEquals(issued.getID(), codeId);
        Assert.assertEquals(issued.getRootTokenIdentifier(), codeId);
        Assert.assertNotNull(issued.getClaimsSet().getClaim("custom_claim"));
        Assert.assertEquals(issued.getClaimsSet().getStringClaim("custom_claim"), "custom_value");
    }

    /**
     * Refreshing with rotation disabled issues a new token on the same chain with a chain expiry in the
     * future; the presented refresh token is not written to the revocation cache by this action.
     */
    @Test
    public void testSuccessViaRefresh() throws ComponentInitializationException, NoSuchAlgorithmException, URISyntaxException, ParseException, DataSealerException {
        final String rootId = newRootId();
        final TokenClaimsSet presented = refreshGrant(rootId, Duration.ZERO);
        final String presentedId = presented.getID();
        respCtx.setAuthorizationGrantClaimsSet(presented);

        final RefreshTokenClaimsSet issued = executeAndParseRefreshToken();

        Assert.assertNotEquals(issued.getID(), presentedId);
        Assert.assertEquals(issued.getRootTokenIdentifier(), rootId);
        Assert.assertTrue(issued.getChainExp().isAfter(Instant.now()));
        // Rotation is off, so the presented token's identifier must not have been revoked.
        Assert.assertFalse(revocationCache.isRevoked(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS, presentedId));
    }

    /** A chain expiry already present on the presented token ({@code c_exp}) is carried over unchanged. */
    @Test
    public void testSuccessViaRefresh_existingChainExp() throws ComponentInitializationException, NoSuchAlgorithmException, URISyntaxException, ParseException, DataSealerException {
        final String rootId = newRootId();
        // Whole seconds, so the equality check below survives the round trip through the claim.
        final Instant chainExpiry = Instant.now().plusSeconds(300L).truncatedTo(ChronoUnit.SECONDS);
        final TokenClaimsSet presented = new RefreshTokenClaimsSet.Builder()
                .setJWTID(idGenerator)
                .setClientID(new ClientID())
                .setIssuer("issuer")
                .setPrincipal("userPrin")
                .setSubject("subject")
                .setIssuedAt(Instant.now())
                .setExpiresAt(Instant.now())
                .setAuthenticationTime(Instant.now())
                .setRedirectURI(new URI("http://example.com"))
                .setScope(new Scope())
                .setACR(new ACR("0"))
                .setRootTokenIdentifier(rootId)
                .addCustomClaim("c_exp", Date.from(chainExpiry))
                .build();
        final String presentedId = presented.getID();
        respCtx.setAuthorizationGrantClaimsSet(presented);

        final RefreshTokenClaimsSet issued = executeAndParseRefreshToken();

        Assert.assertNotEquals(issued.getID(), presentedId);
        Assert.assertEquals(issued.getRootTokenIdentifier(), rootId);
        Assert.assertEquals(issued.getChainExp(), chainExpiry);
        Assert.assertFalse(revocationCache.isRevoked(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS, presentedId));
    }

    /** Same as {@link #testSuccessViaRefresh}, with a manipulation strategy adding a custom claim. */
    @Test
    public void testSuccessViaRefreshWithCustomClaim() throws ComponentInitializationException, NoSuchAlgorithmException, URISyntaxException, ParseException, DataSealerException {
        final String rootId = newRootId();
        final TokenClaimsSet presented = refreshGrant(rootId, Duration.ZERO);
        final String presentedId = presented.getID();
        respCtx.setAuthorizationGrantClaimsSet(presented);
        action = initAction(prc -> (ctx, claims) -> addEntryToMap(claims, "custom_claim", "custom_value"));

        final RefreshTokenClaimsSet issued = executeAndParseRefreshToken();

        Assert.assertNotEquals(issued.getID(), presentedId);
        Assert.assertEquals(issued.getRootTokenIdentifier(), rootId);
        Assert.assertTrue(issued.getChainExp().isAfter(Instant.now()));
        Assert.assertFalse(revocationCache.isRevoked(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS, presentedId));
        Assert.assertNotNull(issued.getClaimsSet().getClaim("custom_claim"));
        Assert.assertEquals(issued.getClaimsSet().getStringClaim("custom_claim"), "custom_value");
    }

    /**
     * With rotation enforced and a presented token still valid for an hour, the action issues a new token
     * and revokes the presented one in the single-token revocation context.
     */
    @Test
    public void testSuccessViaRefreshRotationEnforced() throws ComponentInitializationException, NoSuchAlgorithmException, URISyntaxException, ParseException, DataSealerException {
        final String rootId = newRootId();
        final TokenClaimsSet presented = refreshGrant(rootId, Duration.ofHours(1L));
        final String presentedId = presented.getID();
        respCtx.setAuthorizationGrantClaimsSet(presented);
        enforceRotation = true;

        final RefreshTokenClaimsSet issued = executeAndParseRefreshToken();

        Assert.assertNotEquals(issued.getID(), presentedId);
        Assert.assertEquals(issued.getRootTokenIdentifier(), rootId);
        Assert.assertTrue(issued.getChainExp().isAfter(Instant.now()));
        // Rotation is on: the presented token's identifier must now be in the revocation cache.
        Assert.assertTrue(revocationCache.isRevoked(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS, presentedId));
    }

    /**
     * With rotation enforced, a presented token whose expiry equals its issue time makes the action fail
     * with {@code InvalidProfileConfiguration}; the grant's lifetime is the only difference from
     * {@link #testSuccessViaRefreshRotationEnforced}.
     */
    @Test
    public void testFailWithExpiredRefreshRotationEnforced() throws ComponentInitializationException, NoSuchAlgorithmException, URISyntaxException, ParseException, DataSealerException {
        respCtx.setAuthorizationGrantClaimsSet(refreshGrant(newRootId(), Duration.ZERO));
        enforceRotation = true;

        ActionTestingSupport.assertEvent(action.execute(requestCtx), "InvalidProfileConfiguration");
    }

    /** A missing relying-party context is reported as {@code InvalidProfileConfiguration}. */
    @Test
    public void testFailNoRPCtx() throws NoSuchAlgorithmException, ComponentInitializationException, URISyntaxException {
        profileRequestCtx.removeSubcontext(RelyingPartyContext.class);

        ActionTestingSupport.assertEvent(action.execute(requestCtx), "InvalidProfileConfiguration");
    }

    /** A relying-party context without a profile configuration is reported as {@code InvalidProfileConfiguration}. */
    @Test
    public void testFailNoProfileConf() throws NoSuchAlgorithmException, ComponentInitializationException, URISyntaxException {
        profileRequestCtx.getSubcontext(RelyingPartyContext.class, false).setProfileConfig((ProfileConfiguration) null);

        ActionTestingSupport.assertEvent(action.execute(requestCtx), "InvalidProfileConfiguration");
    }

    /** A grant that is neither a code nor a refresh token (here an access token) is rejected as {@code InvalidProfileContext}. */
    @Test
    public void testFailTokenNotCodeOrRefresh() throws NoSuchAlgorithmException, ComponentInitializationException, URISyntaxException {
        final TokenClaimsSet accessGrant = new AccessTokenClaimsSet.Builder()
                .setJWTID(idGenerator)
                .setClientID(new ClientID())
                .setIssuer("issuer")
                .setPrincipal("userPrin")
                .setSubject("subject")
                .setIssuedAt(Instant.now())
                .setExpiresAt(Instant.now())
                .setAuthenticationTime(Instant.now())
                .setRedirectURI(new URI("http://example.com"))
                .setScope(new Scope())
                .build();
        respCtx.setAuthorizationGrantClaimsSet(accessGrant);

        ActionTestingSupport.assertEvent(action.execute(requestCtx), "InvalidProfileContext");
    }

    /** No grant at all on the response context is rejected as {@code InvalidProfileContext}. */
    @Test
    public void testFailNoToken() throws NoSuchAlgorithmException, ComponentInitializationException, URISyntaxException {
        respCtx.setAuthorizationGrantClaimsSet((TokenClaimsSet) null);

        ActionTestingSupport.assertEvent(action.execute(requestCtx), "InvalidProfileContext");
    }
}
