package net.shibboleth.idp.plugin.oidc.op.oauth2.profile.impl;

import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.id.ClientID;
import java.security.NoSuchAlgorithmException;
import java.text.ParseException;
import java.time.Duration;
import java.time.Instant;
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import java.util.function.BiFunction;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.authn.context.SubjectContext;
import net.shibboleth.idp.plugin.oidc.op.messaging.context.AccessTokenContext;
import net.shibboleth.idp.plugin.oidc.op.profile.impl.BaseOIDCResponseActionTest;
import net.shibboleth.idp.plugin.oidc.op.token.support.AccessTokenClaimsSet;
import net.shibboleth.idp.profile.testing.ActionTestingSupport;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.logic.FunctionSupport;
import net.shibboleth.utilities.java.support.security.DataSealerException;
import org.opensaml.profile.context.ProfileRequestContext;
import org.testng.Assert;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/oauth2/profile/impl/BuildAccessTokenTest.class */
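/**
 * Unit tests for {@link BuildAccessToken}.
 *
 * <p>Each test executes the action against the request context prepared by the base class and then
 * checks the claims of the access token left in the {@link AccessTokenContext}: audience, issuer,
 * subject, client id, ACR, authentication time, issue/expiry times, principal, optional session id
 * and optional custom claims. Both token encodings found on the context are covered: the opaque
 * value parsed with the data sealer, and the JWT.</p>
 *
 * <p>NOTE(review): the JWT checks read {@code getJWT().getJWTClaimsSet()} only; no signature is
 * verified in this class. Presumably signing is exercised by a different action's tests; confirm.</p>
 */
public class BuildAccessTokenTest extends BaseOIDCResponseActionTest {

    /** Audience placed on the response context in {@link #setUp()} and expected in every token. */
    private static final String RP_AUDIENCE = "https://rp.example.org";

    /** Principal name placed in the {@link SubjectContext} and expected in every token. */
    private static final String PRINCIPAL_NAME = "jdoe";

    /** Session id used by the {@code *Sid} tests. */
    private static final String SESSION_ID = "mockSid";

    /** Name of the claim added by the custom claims manipulation strategy. */
    private static final String CUSTOM_CLAIM_NAME = "custom_claim";

    /** Value of the claim added by the custom claims manipulation strategy. */
    private static final String CUSTOM_CLAIM_VALUE = "custom_value";

    /** Action under test; a fresh, uninitialized instance is created before every test method. */
    @Nullable
    private BuildAccessToken action;

    /**
     * Populates the profile request and response contexts with the values the assertions rely on
     * and creates a new action instance.
     *
     * @throws Exception if the base class set-up fails
     */
    @Override // net.shibboleth.idp.plugin.oidc.op.profile.impl.BaseOIDCResponseActionTest
    @BeforeMethod
    public void setUp() throws Exception {
        super.setUp();
        this.profileRequestCtx.getSubcontext(SubjectContext.class, true).setPrincipalName(PRINCIPAL_NAME);
        this.respCtx.setAuthTime(Instant.now());
        this.respCtx.setSubject(this.clientId);
        this.respCtx.setAcr("0");
        this.respCtx.setScope(new Scope());
        this.respCtx.getAudience().add(RP_AUDIENCE);
        this.action = new BuildAccessToken();
    }

    /** A lookup strategy that yields no client id must end in a message-processing error event. */
    @Test
    public void testNoClientID() throws NoSuchAlgorithmException, ComponentInitializationException {
        // The decompiled "(Object) null" cast is dropped so that the constant's type is inferred
        // from the setter's parameter type instead of being pinned to Object.
        this.action.setClientIDLookupStrategy(FunctionSupport.constant(null));
        this.action.setDataSealer(getDataSealer());
        this.action.initialize();
        ActionTestingSupport.assertEvent(this.action.execute(this.requestCtx), "MessageProcessingError");
    }

    /** No token type configured: the action proceeds and the token carries the expected claims. */
    @Test
    public void testOpaqueSuccess() throws ParseException, DataSealerException, ComponentInitializationException, NoSuchAlgorithmException {
        initAction(null, null);
        ActionTestingSupport.assertProceedEvent(this.action.execute(this.requestCtx));
        verifyClaims(producedTokenContext(), new Scope(), Collections.singletonList(RP_AUDIENCE), null);
    }

    /** As {@link #testOpaqueSuccess()}, with a session id on the response context. */
    @Test
    public void testOpaqueSuccessSid() throws ParseException, DataSealerException, ComponentInitializationException, NoSuchAlgorithmException {
        initAction(null, null);
        this.respCtx.setSessionId(SESSION_ID);
        ActionTestingSupport.assertProceedEvent(this.action.execute(this.requestCtx));
        verifyClaims(producedTokenContext(), new Scope(), Collections.singletonList(RP_AUDIENCE), null, SESSION_ID);
    }

    /** As {@link #testOpaqueSuccess()}, with a manipulation strategy that adds one custom claim. */
    @Test
    public void testOpaqueSuccessWithCustomClaims() throws ParseException, DataSealerException, ComponentInitializationException, NoSuchAlgorithmException {
        initAction(null, customClaimStrategy());
        ActionTestingSupport.assertProceedEvent(this.action.execute(this.requestCtx));
        verifyClaims(producedTokenContext(), new Scope(), Collections.singletonList(RP_AUDIENCE), Map.of(CUSTOM_CLAIM_NAME, CUSTOM_CLAIM_VALUE));
    }

    /** Token type "JWT" configured: the action proceeds and the token carries the expected claims. */
    @Test
    public void testJWTSuccess() throws ParseException, ComponentInitializationException, NoSuchAlgorithmException, DataSealerException {
        initAction("JWT", null);
        ActionTestingSupport.assertProceedEvent(this.action.execute(this.requestCtx));
        verifyClaims(producedTokenContext(), new Scope(), Collections.singletonList(RP_AUDIENCE), null);
    }

    /** As {@link #testJWTSuccess()}, with a session id on the response context. */
    @Test
    public void testJWTSuccessSid() throws ParseException, ComponentInitializationException, NoSuchAlgorithmException, DataSealerException {
        initAction("JWT", null);
        this.respCtx.setSessionId(SESSION_ID);
        ActionTestingSupport.assertProceedEvent(this.action.execute(this.requestCtx));
        verifyClaims(producedTokenContext(), new Scope(), Collections.singletonList(RP_AUDIENCE), null, SESSION_ID);
    }

    /** As {@link #testJWTSuccess()}, with a manipulation strategy that adds one custom claim. */
    @Test
    public void testJWTSuccessWithCustomClaim() throws ParseException, ComponentInitializationException, NoSuchAlgorithmException, DataSealerException {
        initAction("JWT", customClaimStrategy());
        ActionTestingSupport.assertProceedEvent(this.action.execute(this.requestCtx));
        verifyClaims(producedTokenContext(), new Scope(), Collections.singletonList(RP_AUDIENCE), Map.of(CUSTOM_CLAIM_NAME, CUSTOM_CLAIM_VALUE));
    }

    /**
     * Builds the claims manipulation strategy lookup used by the custom-claim tests.
     *
     * <p>The two lambda parameters carry distinct names: the decompiled listing reused
     * {@code profileRequestContext} for the nested lambda, which Java rejects as a redeclaration.</p>
     *
     * @return a lookup function whose strategy adds the custom claim to the claims map
     */
    private Function<ProfileRequestContext, BiFunction<ProfileRequestContext, Map<String, Object>, Map<String, Object>>> customClaimStrategy() {
        // addEntryToMap is not declared in this class; presumably inherited from the base test - confirm.
        return lookupContext -> (manipulationContext, claims) -> addEntryToMap(claims, CUSTOM_CLAIM_NAME, CUSTOM_CLAIM_VALUE);
    }

    /**
     * Fetches the access token context from the response context and fails with a clear message
     * when the action did not leave one there.
     *
     * @return the access token context, never {@code null}
     */
    @Nonnull
    private AccessTokenContext producedTokenContext() {
        final AccessTokenContext tokenContext = (AccessTokenContext) this.respCtx.getSubcontext(AccessTokenContext.class);
        Assert.assertNotNull(tokenContext, "No AccessTokenContext found on the response context");
        return tokenContext;
    }

    /**
     * Configures and initializes the action under test.
     *
     * @param tokenType the token type; only the value "JWT" installs a token type lookup strategy
     * @param claimsStrategyLookup optional claims manipulation strategy lookup, installed when non-null
     * @throws ComponentInitializationException if the action cannot be initialized
     * @throws NoSuchAlgorithmException declared for the data sealer set-up
     */
    private void initAction(@NotEmpty @Nullable String tokenType, @Nullable Function<ProfileRequestContext, BiFunction<ProfileRequestContext, Map<String, Object>, Map<String, Object>>> claimsStrategyLookup) throws ComponentInitializationException, NoSuchAlgorithmException {
        if ("JWT".equals(tokenType)) {
            this.action.setAccessTokenTypeLookupStrategy(FunctionSupport.constant("JWT"));
        }
        if (claimsStrategyLookup != null) {
            this.action.setTokenClaimsSetManipulationStrategyLookupStrategy(claimsStrategyLookup);
        }
        this.action.setDataSealer(getDataSealer());
        this.action.setClientIDLookupStrategy(FunctionSupport.constant(new ClientID(this.clientId)));
        this.action.initialize();
    }

    /**
     * Verifies the token claims and expects no session id claim.
     *
     * @param accessTokenContext context holding the produced token
     * @param scope expected scope
     * @param audience expected audience
     * @param customClaims expected custom claims, or {@code null} to skip that check
     */
    private void verifyClaims(@Nonnull AccessTokenContext accessTokenContext, @Nonnull Scope scope, @NonnullElements @Nonnull Collection<String> audience, Map<String, Object> customClaims) throws NoSuchAlgorithmException, ParseException, DataSealerException, ComponentInitializationException {
        verifyClaims(accessTokenContext, scope, audience, customClaims, null);
    }

    /**
     * Verifies the token claims, using whichever encoding the context holds.
     *
     * <p>NOTE(review): the branch is chosen by what the context contains, not by the token type the
     * test configured, so a "JWT" test would still pass if the action produced an opaque token.
     * Asserting the expected encoding per test would close that gap once it is confirmed that the
     * action populates only one of the two.</p>
     *
     * @param accessTokenContext context holding the produced token
     * @param scope expected scope
     * @param audience expected audience
     * @param customClaims expected custom claims, or {@code null} to skip that check
     * @param sessionId expected session id, or {@code null} when the claim must be absent
     */
    private void verifyClaims(@Nonnull AccessTokenContext accessTokenContext, @Nonnull Scope scope, @NonnullElements @Nonnull Collection<String> audience, Map<String, Object> customClaims, @Nullable String sessionId) throws NoSuchAlgorithmException, ParseException, DataSealerException, ComponentInitializationException {
        // No test sets a lifetime, so ten minutes is presumably the action's default - confirm.
        Assert.assertEquals(accessTokenContext.getLifetime(), Duration.ofMinutes(10L));
        if (accessTokenContext.getOpaque() != null) {
            verifyOpaqueToken(accessTokenContext, scope, audience, customClaims, sessionId);
            return;
        }
        // Report a missing token as a test failure rather than as an unrelated runtime error.
        if (accessTokenContext.getJWT() == null) {
            Assert.fail("No token found");
        }
        verifyJwtToken(accessTokenContext, scope, audience, customClaims, sessionId);
    }

    /** Parses the opaque token with the data sealer and checks each claim accessor. */
    private void verifyOpaqueToken(@Nonnull AccessTokenContext accessTokenContext, @Nonnull Scope scope, @NonnullElements @Nonnull Collection<String> audience, Map<String, Object> customClaims, @Nullable String sessionId) throws NoSuchAlgorithmException, ParseException, DataSealerException, ComponentInitializationException {
        final AccessTokenClaimsSet token = AccessTokenClaimsSet.parse(accessTokenContext.getOpaque(), getDataSealer());
        Assert.assertNotNull(token);
        Assert.assertEquals(token.getACR(), "0");
        // The token must be restricted to exactly the audience placed on the response context.
        Assert.assertEquals(token.getAudience(), audience);
        Assert.assertTrue(token.getAuthenticationTime().isBefore(Instant.now()));
        Assert.assertEquals(token.getClientID().getValue(), this.clientId);
        // Expiry is pinned to issue time plus 600 seconds, matching the ten-minute lifetime.
        Assert.assertEquals(token.getExp(), token.getIssuedAt().plusSeconds(600L));
        Assert.assertEquals(token.getIssuer(), "http://idp.example.org");
        Assert.assertTrue(token.getIssuedAt().isBefore(Instant.now()));
        Assert.assertEquals(token.getScope(), scope);
        Assert.assertEquals(token.getSubject(), this.clientId);
        Assert.assertEquals(token.getPrincipal(), PRINCIPAL_NAME);
        verifyCustomClaims(token.getClaimsSet(), customClaims);
        if (sessionId == null) {
            Assert.assertNull(token.getSessionIdentifier());
        } else {
            Assert.assertEquals(token.getSessionIdentifier(), sessionId);
        }
    }

    /** Checks the claims of the JWT held by the context; the signature is not verified here. */
    private void verifyJwtToken(@Nonnull AccessTokenContext accessTokenContext, @Nonnull Scope scope, @NonnullElements @Nonnull Collection<String> audience, Map<String, Object> customClaims, @Nullable String sessionId) throws NoSuchAlgorithmException, ParseException, DataSealerException, ComponentInitializationException {
        final JWTClaimsSet claims = accessTokenContext.getJWT().getJWTClaimsSet();
        Assert.assertNotNull(claims);
        Assert.assertEquals(claims.getStringClaim("acr"), "0");
        // The token must be restricted to exactly the audience placed on the response context.
        Assert.assertEquals(claims.getAudience(), audience);
        Assert.assertTrue(claims.getDateClaim("auth_time").toInstant().isBefore(Instant.now()));
        Assert.assertEquals(claims.getStringClaim("client_id"), this.clientId);
        // Expiry is pinned to issue time plus 600 seconds, matching the ten-minute lifetime.
        Assert.assertEquals(claims.getExpirationTime().toInstant(), claims.getIssueTime().toInstant().plusSeconds(600L));
        Assert.assertEquals(claims.getIssuer(), "http://idp.example.org");
        Assert.assertTrue(claims.getIssueTime().toInstant().isBefore(Instant.now()));
        Assert.assertEquals(claims.getStringClaim("scope"), scope.toString());
        Assert.assertEquals(claims.getSubject(), this.clientId);
        // The principal is read from the "for_op" claim, which has to be unwrapped with the data
        // sealer before it parses as a claims set.
        final String sealedForOp = claims.getStringClaim("for_op");
        Assert.assertEquals(JWTClaimsSet.parse(getDataSealer().unwrap(sealedForOp)).getStringClaim("prncpl"), PRINCIPAL_NAME);
        verifyCustomClaims(claims, customClaims);
        if (sessionId == null) {
            Assert.assertNull(claims.getStringClaim("sid"));
        } else {
            Assert.assertEquals(claims.getStringClaim("sid"), sessionId);
        }
    }

    /**
     * Asserts that every expected custom claim is present in the claims set with the expected value.
     * Claims beyond the expected ones are not rejected.
     *
     * @param jWTClaimsSet claims set of the produced token
     * @param map expected custom claims, or {@code null} to skip the check
     */
    protected void verifyCustomClaims(JWTClaimsSet jWTClaimsSet, Map<String, Object> map) {
        if (map == null) {
            return;
        }
        for (Map.Entry<String, Object> expected : map.entrySet()) {
            final Object actual = jWTClaimsSet.getClaim(expected.getKey());
            Assert.assertNotNull(actual);
            Assert.assertEquals(actual, expected.getValue());
        }
    }
}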
