package net.shibboleth.idp.plugin.oidc.op.profile.impl;

import com.google.common.base.Predicates;
import com.nimbusds.oauth2.sdk.AuthorizationCode;
import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
import com.nimbusds.oauth2.sdk.AuthorizationGrant;
import com.nimbusds.oauth2.sdk.ClientCredentialsGrant;
import com.nimbusds.oauth2.sdk.RefreshTokenGrant;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.token.RefreshToken;
import com.nimbusds.openid.connect.sdk.claims.ClaimsSet;
import java.net.URI;
import java.security.NoSuchAlgorithmException;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Collection;
import java.util.function.Function;
import net.minidev.json.JSONObject;
import net.shibboleth.idp.plugin.oidc.op.messaging.context.OIDCAuthenticationResponseContext;
import net.shibboleth.idp.plugin.oidc.op.profile.impl.BaseOIDCResponseActionTest;
import net.shibboleth.idp.plugin.oidc.op.storage.RevocationCacheContexts;
import net.shibboleth.idp.plugin.oidc.op.token.support.AuthorizeCodeClaimsSet;
import net.shibboleth.idp.plugin.oidc.op.token.support.RefreshTokenClaimsSet;
import net.shibboleth.idp.plugin.oidc.op.token.support.TokenClaimsSet;
import net.shibboleth.idp.profile.testing.ActionTestingSupport;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.logic.ConstraintViolationException;
import net.shibboleth.utilities.java.support.security.DataSealer;
import net.shibboleth.utilities.java.support.security.impl.SecureRandomIdentifierGenerationStrategy;
import org.mockito.Mockito;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.storage.ReplayCache;
import org.opensaml.storage.RevocationCache;
import org.opensaml.storage.impl.MemoryStorageService;
import org.testng.Assert;
import org.testng.annotations.AfterMethod;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/profile/impl/ValidateGrantTest.class */
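/**
 * Unit tests for {@link ValidateGrant}, the token-endpoint action that validates the grant carried
 * by an OAuth 2.0 {@link TokenRequest} (authorization code, refresh token or client credentials)
 * before any token is issued.
 *
 * <p>Every test wires the action to a {@link ReplayCache} backed by a fresh
 * {@link MemoryStorageService} and to a configurable {@link RevocationCache}, places a token request
 * in the inbound message context, runs the action and then checks two things: the resulting event
 * and whether a grant claims set was published to the {@link OIDCAuthenticationResponseContext}.
 * Together the tests pin the controls a token endpoint relies on: replay detection for codes,
 * client binding of the grant, expiry, grant-type separation, and revocation in both directions of
 * the code/refresh-token chain.
 *
 * <p>This source was recovered by a decompiler. Placeholder parameter names of the helpers were
 * restored to meaningful ones; Java callers are unaffected by parameter names.
 */
public class ValidateGrantTest extends BaseOIDCResponseActionTest {

    /** Action under test. */
    private ValidateGrant action;

    /** Authorization-code claims set serialized into {@link #codeGrant}. */
    TokenClaimsSet acClaims;

    /** Refresh-token claims set chained to {@link #acClaims}, serialized into {@link #rfGrant}. */
    TokenClaimsSet rfClaims;

    /** Authorization-code grant built from {@link #acClaims}. */
    AuthorizationGrant codeGrant;

    /** Refresh-token grant built from {@link #rfClaims}. */
    RefreshTokenGrant rfGrant;

    /** Redirect URI used both inside the grant and in the token request. */
    URI callback;

    /** Per-test in-memory storage backing the replay cache (and the real revocation cache). */
    MemoryStorageService storageService;

    /** Root token identifier shared by the code/refresh-token chain built in {@code init}. */
    String rootTokenId;

    /**
     * Minimal concrete {@link ClaimsSet} used to carry delivery claims into an authorization code.
     *
     * <p>The decompiler reports the original as {@code private}; it is left {@code public} here so
     * the visible interface of the class is unchanged.
     */
    public static class DeliveryClaimsSet extends ClaimsSet {

        /**
         * Constructor.
         *
         * @param claims raw claims to wrap
         */
        public DeliveryClaimsSet(final JSONObject claims) {
            super(claims);
        }
    }

    /**
     * Creates and initializes a fresh in-memory storage service before each test.
     *
     * @throws ComponentInitializationException if the storage service cannot be initialized
     */
    @BeforeMethod
    protected void setupStorage() throws ComponentInitializationException {
        storageService = new MemoryStorageService();
        storageService.setId("id");
        storageService.initialize();
    }

    /**
     * Destroys the per-test storage service so that nothing it may have scheduled (e.g. a cleanup
     * task) outlives the test; the original left each instance to the garbage collector.
     */
    @AfterMethod
    protected void teardownStorage() {
        if (storageService != null) {
            storageService.destroy();
            storageService = null;
        }
    }

    /** Initializes the action with refresh tokens enabled and a permissive mock revocation cache. */
    private void init() throws Exception {
        init(true);
    }

    /**
     * Initializes the action with a permissive mock revocation cache.
     *
     * @param refreshTokensEnabled whether the refresh-tokens-enabled predicate answers true
     */
    private void init(final boolean refreshTokensEnabled) throws Exception {
        init(refreshTokensEnabled, new BaseOIDCResponseActionTest.MockRevocationCache(false, true), null);
    }

    /**
     * Initializes the action with refresh tokens enabled and the given authentication time in the
     * authorization-code claims (used to age the refresh-token chain).
     *
     * @param authenticationTime authentication time recorded in the code claims
     */
    private void init(final Instant authenticationTime) throws Exception {
        init(true, new BaseOIDCResponseActionTest.MockRevocationCache(false, true), null,
                authenticationTime);
    }

    /**
     * Initializes the action with the current instant as authentication time.
     *
     * @param refreshTokensEnabled whether the refresh-tokens-enabled predicate answers true
     * @param revocationCache revocation cache to wire into the action
     * @param chainLifetimeLookup chain revocation lifetime lookup strategy, or null to keep the default
     */
    private void init(final boolean refreshTokensEnabled, final RevocationCache revocationCache,
            final Function<ProfileRequestContext, Duration> chainLifetimeLookup) throws Exception {
        init(refreshTokensEnabled, revocationCache, chainLifetimeLookup, Instant.now());
    }

    /**
     * Builds the code/refresh-token chain, puts an authorization-code token request in the inbound
     * message context and wires up and initializes the action.
     *
     * @param refreshTokensEnabled whether the refresh-tokens-enabled predicate answers true
     * @param revocationCache revocation cache to wire into the action
     * @param chainLifetimeLookup chain revocation lifetime lookup strategy, or null to keep the default
     * @param authenticationTime authentication time recorded in the code claims
     * @throws Exception on any setup failure
     */
    private void init(final boolean refreshTokensEnabled, final RevocationCache revocationCache,
            final Function<ProfileRequestContext, Duration> chainLifetimeLookup,
            final Instant authenticationTime) throws Exception {
        final Instant now = Instant.now();
        final Instant expiry = now.plusSeconds(100L);
        rootTokenId = "mockId" + now.toEpochMilli();
        // One captured 'now' for every timestamp, so the code and the refresh token chained to it
        // carry identical issue/expiry instants (the original called Instant.now() repeatedly).
        acClaims = new AuthorizeCodeClaimsSet.Builder()
                .setJWTID(idGenerator)
                .setClientID(new ClientID(clientId))
                .setIssuer("issuer")
                .setPrincipal("userPrin")
                .setSubject("subject")
                .setIssuedAt(now)
                .setExpiresAt(expiry)
                .setAuthenticationTime(authenticationTime)
                .setRedirectURI(new URI("http://example.com"))
                .setScope(new Scope())
                .build();
        // The refresh token is tied to the code through the root token identifier; the revocation
        // tests below rely on that link in both directions.
        rfClaims = new RefreshTokenClaimsSet.Builder(acClaims, now, expiry)
                .setRootTokenIdentifier(rootTokenId)
                .build();
        final AuthorizationCode code = new AuthorizationCode(acClaims.serialize(getDataSealer()));
        final RefreshToken refreshToken = new RefreshToken(rfClaims.serialize(getDataSealer()));
        callback = new URI("https://client.com/callback");
        codeGrant = new AuthorizationCodeGrant(code, callback);
        rfGrant = new RefreshTokenGrant(refreshToken);
        // Default inbound message: a code grant from the test client. Tests override as needed.
        sendTokenRequest(codeGrant);

        action = new ValidateGrant(getDataSealer());
        if (chainLifetimeLookup != null) {
            action.setChainRevocationLifetimeLookupStrategy(chainLifetimeLookup);
        }
        action.setRevocationCache(revocationCache);
        final ReplayCache replayCache = new ReplayCache();
        replayCache.setStorage(storageService);
        action.setReplayCache(replayCache);
        if (refreshTokensEnabled) {
            action.setRefreshTokensEnabledPredicate(Predicates.alwaysTrue());
        } else {
            action.setRefreshTokensEnabledPredicate(Predicates.alwaysFalse());
        }
        action.initialize();
    }

    /**
     * Places a public-client token request for {@code grant} (from the test client, with the test
     * callback) in the inbound message context.
     *
     * @param grant grant to present
     */
    private void sendTokenRequest(final AuthorizationGrant grant) {
        profileRequestCtx.getInboundMessageContext()
                .setMessage(new TokenRequest(callback, new ClientID(clientId), grant));
    }

    /**
     * Returns whatever grant claims set the action published to the outbound response context, or
     * null. Typed as {@link Object} because the tests only check presence/absence.
     */
    private Object grantClaimsSetInResponse() {
        return profileRequestCtx.getOutboundMessageContext()
                .getSubcontext(OIDCAuthenticationResponseContext.class)
                .getAuthorizationGrantClaimsSet();
    }

    /** Asserts that the action published a grant claims set (the grant was accepted). */
    private void assertGrantClaimsSetPresent() {
        Assert.assertNotNull(grantClaimsSetInResponse());
    }

    /** Asserts that no grant claims set was published (nothing from the grant leaks downstream). */
    private void assertGrantClaimsSetAbsent() {
        Assert.assertNull(grantClaimsSetInResponse());
    }

    /**
     * Builds a sealed authorization code with no code challenge, no delivery claims, no scope and no
     * audience.
     *
     * @param clientId client the code is issued to
     * @param issuer issuer
     * @param principal authenticated principal
     * @param subject subject
     * @param redirectUri redirect URI bound into the code
     * @return the sealed authorization code
     * @throws Exception on any build or sealing failure
     */
    public static AuthorizationCode buildAuthorizationCode(final String clientId, final String issuer,
            final String principal, final String subject, final String redirectUri) throws Exception {
        return buildAuthorizationCode(clientId, issuer, principal, subject, redirectUri, null);
    }

    /**
     * Builds a sealed authorization code with the given scope and no code challenge.
     *
     * @param scope space-separated scope string, or null for an empty scope
     * @return the sealed authorization code
     * @throws Exception on any build or sealing failure
     */
    public static AuthorizationCode buildAuthorizationCode(final String clientId, final String issuer,
            final String principal, final String subject, final String redirectUri, final String scope)
            throws Exception {
        return buildAuthorizationCode(clientId, issuer, principal, subject, redirectUri, null, scope);
    }

    /**
     * Builds a sealed authorization code with the given code challenge and scope and no delivery
     * claims.
     *
     * @param codeChallenge PKCE code challenge, or null for none
     * @param scope space-separated scope string, or null for an empty scope
     * @return the sealed authorization code
     * @throws Exception on any build or sealing failure
     */
    public static AuthorizationCode buildAuthorizationCode(final String clientId, final String issuer,
            final String principal, final String subject, final String redirectUri,
            final String codeChallenge, final String scope) throws Exception {
        return buildAuthorizationCode(clientId, issuer, principal, subject, redirectUri, codeChallenge,
                null, null, null, scope);
    }

    /**
     * Builds a sealed authorization code with delivery claims and no audience.
     *
     * @param dlClaims delivery claims for all tokens, or null
     * @param dlClaimsId delivery claims for the ID token, or null
     * @param dlClaimsUi delivery claims for the userinfo response, or null
     * @return the sealed authorization code
     * @throws Exception on any build or sealing failure
     */
    public static AuthorizationCode buildAuthorizationCode(final String clientId, final String issuer,
            final String principal, final String subject, final String redirectUri,
            final String codeChallenge, final JSONObject dlClaims, final JSONObject dlClaimsId,
            final JSONObject dlClaimsUi, final String scope) throws Exception {
        return buildAuthorizationCode(clientId, issuer, principal, subject, redirectUri, codeChallenge,
                dlClaims, dlClaimsId, dlClaimsUi, scope, null);
    }

    /**
     * Builds and seals an authorization code from all supported inputs.
     *
     * @param audience audience values, or null
     * @return the sealed authorization code
     * @throws Exception on any build or sealing failure
     */
    public static AuthorizationCode buildAuthorizationCode(final String clientId, final String issuer,
            final String principal, final String subject, final String redirectUri,
            final String codeChallenge, final JSONObject dlClaims, final JSONObject dlClaimsId,
            final JSONObject dlClaimsUi, final String scope, final Collection<String> audience)
            throws Exception {
        final TokenClaimsSet claims = buildTokenClaimsSet(clientId, issuer, principal, subject,
                redirectUri, codeChallenge, dlClaims, dlClaimsId, dlClaimsUi, scope, audience);
        // Static context: a throwaway test instance is the only route to the base class's sealer.
        return new AuthorizationCode(claims.serialize(new ValidateGrantTest().getDataSealer()));
    }

    /**
     * Builds an (unsealed) authorization-code claims set issued now and valid for 100 seconds.
     *
     * @param clientId client the code is issued to
     * @param issuer issuer
     * @param principal authenticated principal
     * @param subject subject
     * @param redirectUri redirect URI bound into the code
     * @param codeChallenge PKCE code challenge, or null for none
     * @param dlClaims delivery claims for all tokens, or null
     * @param dlClaimsId delivery claims for the ID token, or null
     * @param dlClaimsUi delivery claims for the userinfo response, or null
     * @param scope space-separated scope string, or null for an empty scope
     * @param audience audience values, or null
     * @return the claims set
     * @throws Exception on any build failure
     */
    public static TokenClaimsSet buildTokenClaimsSet(final String clientId, final String issuer,
            final String principal, final String subject, final String redirectUri,
            final String codeChallenge, final JSONObject dlClaims, final JSONObject dlClaimsId,
            final JSONObject dlClaimsUi, final String scope, final Collection<String> audience)
            throws Exception {
        final Instant now = Instant.now();
        final AuthorizeCodeClaimsSet.Builder builder = new AuthorizeCodeClaimsSet.Builder();
        builder.setJWTID(new SecureRandomIdentifierGenerationStrategy())
                .setClientID(new ClientID(clientId))
                .setIssuer(issuer)
                .setPrincipal(principal)
                .setSubject(subject)
                .setIssuedAt(now)
                .setExpiresAt(now.plusSeconds(100L))
                .setAuthenticationTime(now)
                .setRedirectURI(new URI(redirectUri))
                .setAudience(audience)
                .setScope(scope == null ? new Scope() : Scope.parse(scope));
        // Optional inputs are only applied when supplied so the builder defaults stay in force.
        if (codeChallenge != null) {
            builder.setCodeChallenge(codeChallenge);
        }
        if (dlClaims != null) {
            builder.setDlClaims(new DeliveryClaimsSet(dlClaims));
        }
        if (dlClaimsId != null) {
            builder.setDlClaimsID(new DeliveryClaimsSet(dlClaimsId));
        }
        if (dlClaimsUi != null) {
            builder.setDlClaimsUI(new DeliveryClaimsSet(dlClaimsUi));
        }
        return builder.build();
    }

    /** A valid code from the issuing client is accepted and its claims set is published. */
    @Test
    public void testAuthorizeCodeSuccess() throws Exception {
        init();
        ActionTestingSupport.assertProceedEvent(action.execute(requestCtx));
        assertGrantClaimsSetPresent();
    }

    /** Presenting the same authorization code a second time is rejected (replay cache). */
    @Test
    public void testAuthorizeCodeReplayed() throws Exception {
        init();
        ActionTestingSupport.assertProceedEvent(action.execute(requestCtx));
        ActionTestingSupport.assertEvent(action.execute(requestCtx), "InvalidGrant");
    }

    /** A valid refresh token is accepted and its claims set is published. */
    @Test
    public void testRefreshTokenSuccess() throws Exception {
        init();
        sendTokenRequest(rfGrant);
        ActionTestingSupport.assertProceedEvent(action.execute(requestCtx));
        assertGrantClaimsSetPresent();
    }

    /**
     * A refresh token whose chain was authenticated two hours ago is rejected. The limit itself is
     * configured in the action, not here; presumably the chain lifetime is measured from the
     * authentication time carried in the claims.
     */
    @Test
    public void testRefreshTokenChainExpired() throws Exception {
        init(Instant.now().minus(Duration.ofHours(2L)));
        sendTokenRequest(rfGrant);
        ActionTestingSupport.assertEvent(action.execute(requestCtx), "InvalidGrant");
        assertGrantClaimsSetAbsent();
    }

    /** With refresh tokens disabled by predicate, an otherwise valid refresh token is rejected. */
    @Test
    public void testRefreshTokenNotEnabled() throws Exception {
        init(false);
        sendTokenRequest(rfGrant);
        ActionTestingSupport.assertEvent(action.execute(requestCtx), "InvalidGrant");
        assertGrantClaimsSetAbsent();
    }

    /**
     * A refresh token may be presented more than once: unlike codes, refresh tokens are not
     * single-use in this configuration, and this test pins that (it does not exercise rotation).
     */
    @Test
    public void testRefreshTokenReplayed() throws Exception {
        init();
        sendTokenRequest(rfGrant);
        ActionTestingSupport.assertProceedEvent(action.execute(requestCtx));
        ActionTestingSupport.assertProceedEvent(action.execute(requestCtx));
        assertGrantClaimsSetPresent();
    }

    /** Revoking the root authorization code invalidates the refresh token chained to it. */
    @Test
    public void testRefreshTokenAuthorizationGrantRevoked() throws Exception {
        final RevocationCache revocationCache = buildRevocationCache();
        init(true, revocationCache, null);
        Assert.assertTrue(revocationCache.revoke(RevocationCacheContexts.AUTHORIZATION_CODE,
                rfClaims.getRootTokenIdentifier()));
        sendTokenRequest(rfGrant);
        ActionTestingSupport.assertEvent(action.execute(requestCtx), "InvalidGrant");
        assertGrantClaimsSetAbsent();
    }

    /**
     * Presenting a revoked refresh token is rejected and, in addition, the whole chain is revoked:
     * the root authorization code ends up in the revocation cache too.
     */
    @Test
    public void testRefreshTokenRevokedShouldRevokeAuthorizationCode() throws Exception {
        final RevocationCache revocationCache = buildRevocationCache();
        init(true, revocationCache, null);
        Assert.assertTrue(revocationCache.revoke(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS,
                rfClaims.getID()));
        sendTokenRequest(rfGrant);
        ActionTestingSupport.assertEvent(action.execute(requestCtx), "InvalidGrant");
        assertGrantClaimsSetAbsent();
        Assert.assertTrue(revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE,
                rfClaims.getRootTokenIdentifier()));
    }

    /**
     * Builds a real revocation cache on the per-test storage service.
     *
     * @return initialized revocation cache
     * @throws ComponentInitializationException if initialization fails
     */
    protected RevocationCache buildRevocationCache() throws ComponentInitializationException {
        final RevocationCache revocationCache = new RevocationCache();
        revocationCache.setId("mockCache");
        revocationCache.setStorage(storageService);
        revocationCache.initialize();
        return revocationCache;
    }

    /**
     * When a revoked refresh token is presented but the cache refuses to record the chain revocation
     * (revoke returns false), the action reports a configuration problem rather than proceeding.
     */
    @Test
    public void testTokenRevocationViaRevokedTokenFailsReturnsInvalidProfileConfig() throws Exception {
        final RevocationCache revocationCache = Mockito.mock(RevocationCache.class);
        Mockito.when(revocationCache.isRevoked(
                Mockito.matches(RevocationCacheContexts.AUTHORIZATION_CODE), Mockito.anyString()))
                .thenReturn(false);
        Mockito.when(revocationCache.isRevoked(
                Mockito.matches(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS),
                Mockito.anyString()))
                .thenReturn(true);
        Mockito.when(revocationCache.revoke(Mockito.anyString(), Mockito.anyString()))
                .thenReturn(false);
        // A lookup strategy that yields no lifetime at all.
        init(true, revocationCache, prc -> null);
        sendTokenRequest(rfGrant);
        ActionTestingSupport.assertEvent(action.execute(requestCtx), "InvalidProfileConfiguration");
        assertGrantClaimsSetAbsent();
    }

    /** Authorization-code claims presented as a refresh token are rejected (grant-type confusion). */
    @Test
    public void testMixGrant() throws Exception {
        init();
        sendTokenRequest(new RefreshTokenGrant(new RefreshToken(acClaims.serialize(getDataSealer()))));
        ActionTestingSupport.assertEvent(action.execute(requestCtx), "InvalidGrant");
        assertGrantClaimsSetAbsent();
    }

    /** A code issued to a different client is rejected when presented by the test client. */
    @Test
    public void testWrongClient() throws Exception {
        init();
        sendTokenRequest(new AuthorizationCodeGrant(
                buildAuthorizationCode("clientIdWrong", "issuer", "userPrin", "subject",
                        "http://example.com"),
                callback));
        ActionTestingSupport.assertEvent(action.execute(requestCtx), "InvalidGrant");
        assertGrantClaimsSetAbsent();
    }

    /** A refresh token whose expiry already lies in the past is rejected. */
    @Test
    public void testExpired() throws Exception {
        init();
        final Instant now = Instant.now();
        // Expired 10 ms before issue; no root identifier is needed for the expiry check.
        rfClaims = new RefreshTokenClaimsSet.Builder(acClaims, now, now.minusMillis(10L)).build();
        sendTokenRequest(new RefreshTokenGrant(new RefreshToken(rfClaims.serialize(getDataSealer()))));
        ActionTestingSupport.assertEvent(action.execute(requestCtx), "InvalidGrant");
        assertGrantClaimsSetAbsent();
    }

    /** A client-credentials grant proceeds, and since it carries no user grant no claims set is published. */
    @Test
    public void testClientCredentialsSuccess() throws Exception {
        init();
        profileRequestCtx.getInboundMessageContext().setMessage(new TokenRequest(callback,
                new ClientSecretBasic(new ClientID(clientId), new Secret("foo")),
                new ClientCredentialsGrant()));
        ActionTestingSupport.assertProceedEvent(action.execute(requestCtx));
        assertGrantClaimsSetAbsent();
    }

    /** The action refuses to initialize without a revocation cache. */
    @Test(expectedExceptions = {ComponentInitializationException.class})
    public void testNoRevocationCache() throws ComponentInitializationException, NoSuchAlgorithmException {
        action = new ValidateGrant(getDataSealer());
        final ReplayCache replayCache = new ReplayCache();
        // The per-test storage service is reused instead of creating a second, never-destroyed one.
        replayCache.setStorage(storageService);
        action.setReplayCache(replayCache);
        action.initialize();
    }

    /** The action refuses to initialize without a replay cache. */
    @Test(expectedExceptions = {ComponentInitializationException.class})
    public void testNoReplayCache() throws ComponentInitializationException, NoSuchAlgorithmException {
        action = new ValidateGrant(getDataSealer());
        action.setRevocationCache(new BaseOIDCResponseActionTest.MockRevocationCache(false, true));
        action.initialize();
    }

    /** The constructor rejects a null data sealer. */
    @Test(expectedExceptions = {ConstraintViolationException.class})
    public void testNoDataSealer() {
        action = new ValidateGrant((DataSealer) null);
    }
}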
