package net.shibboleth.idp.plugin.oidc.op.userinfo.profile.impl;

import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.id.ClientID;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.NoSuchAlgorithmException;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.function.Function;
import net.shibboleth.idp.plugin.oidc.op.profile.impl.BaseOIDCResponseActionTest;
import net.shibboleth.idp.plugin.oidc.op.token.support.AccessTokenClaimsSet;
import net.shibboleth.idp.profile.testing.ActionTestingSupport;
import net.shibboleth.oidc.jwt.claims.ClaimsValidator;
import net.shibboleth.oidc.security.jwt.claims.impl.AudienceClaimsValidator;
import net.shibboleth.oidc.security.jwt.claims.impl.ChainingJWTClaimsValidator;
import net.shibboleth.oidc.security.jwt.claims.impl.ExpiryClaimsValidator;
import net.shibboleth.oidc.security.jwt.claims.impl.NotBeforeClaimsValidator;
import net.shibboleth.oidc.security.jwt.claims.impl.RequiredClaimsValidator;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.logic.BiFunctionSupport;
import net.shibboleth.utilities.java.support.security.DataSealerException;
import org.opensaml.profile.context.ProfileRequestContext;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/userinfo/profile/impl/ValidateAccessTokenTest.class */
/**
 * Tests for {@link ValidateAccessToken}, run against a fixed claims-validation chain.
 *
 * <p>Each test places an {@link AccessTokenClaimsSet} on the response context, executes the action,
 * and asserts on the resulting event. The chain installed in {@link #init()} requires a {@code jti}
 * claim, applies not-before and expiry validators, and checks the audience against the constant
 * {@code "issuer"}.</p>
 *
 * <p>NOTE(review): the chain configures required-claim and not-before validators, but no test in this
 * class exercises their failure paths (a token lacking {@code jti}, or one not yet valid). Only the
 * audience and expiry rejections are covered.</p>
 */
public class ValidateAccessTokenTest extends BaseOIDCResponseActionTest {
    /** Action under test; rebuilt before every test method. */
    private ValidateAccessToken action;

    /**
     * Lookup strategy that returns the same validator configuration for every profile request
     * context (the context argument is not consulted).
     */
    private class ClaimsValidatorLookup implements Function<ProfileRequestContext, ClaimsValidator> {
        private ClaimsValidatorLookup() {
        }

        /**
         * Builds the chained validator used by the tests.
         *
         * @param profileRequestContext ignored
         * @return a chain with {@code requireAll} enabled, holding the required-claims, not-before,
         *         expiry and audience validators in that order
         */
        @Override
        public ClaimsValidator apply(ProfileRequestContext profileRequestContext) {
            // The token must carry a "jti" claim.
            RequiredClaimsValidator jtiRequired = new RequiredClaimsValidator();
            jtiRequired.setRequiredClaims(Collections.singletonList("jti"));

            // Expected audience is the constant "issuer". allowMissing is enabled, so a token with
            // no audience claim is presumably accepted by this validator -- confirm against
            // AudienceClaimsValidator. testSuccess sets no audience and depends on this.
            AudienceClaimsValidator audienceCheck = new AudienceClaimsValidator();
            audienceCheck.setAudienceLookupStrategy(BiFunctionSupport.constant("issuer"));
            audienceCheck.setAllowMissing(true);

            // Raw list type: the element type expected by setClaimValidators is not visible here.
            ArrayList validators = new ArrayList();
            validators.add(jtiRequired);
            validators.add(new NotBeforeClaimsValidator());
            validators.add(new ExpiryClaimsValidator());
            validators.add(audienceCheck);

            ChainingJWTClaimsValidator chain = new ChainingJWTClaimsValidator();
            chain.setId("test");
            chain.setRequireAll(true);
            chain.setClaimValidators(validators);
            return chain;
        }
    }

    /**
     * Creates and initializes a fresh action wired to {@link ClaimsValidatorLookup}.
     *
     * @throws ComponentInitializationException if the action fails to initialize
     * @throws NoSuchAlgorithmException declared by the original signature
     */
    @BeforeMethod
    private void init() throws ComponentInitializationException, NoSuchAlgorithmException {
        ValidateAccessToken fresh = new ValidateAccessToken();
        fresh.setClaimsValidatorLookupStrategy(new ClaimsValidatorLookup());
        fresh.initialize();
        action = fresh;
    }

    /**
     * A token that expires 300 seconds from now and sets no audience must yield a proceed event.
     */
    @Test
    public void testSuccess() throws NoSuchAlgorithmException, ComponentInitializationException, URISyntaxException, DataSealerException {
        respCtx.setAuthorizationGrantClaimsSet(
                new AccessTokenClaimsSet.Builder()
                        .setJWTID(idGenerator)
                        .setClientID(new ClientID())
                        .setIssuer("issuer")
                        .setPrincipal("userPrin")
                        .setSubject("subject")
                        .setIssuedAt(Instant.now())
                        .setExpiresAt(Instant.now().plusSeconds(300L))
                        .setAuthenticationTime(Instant.now())
                        .setRedirectURI(new URI("http://example.com"))
                        .setScope(new Scope())
                        .build());
        ActionTestingSupport.assertProceedEvent(action.execute(requestCtx));
    }

    /**
     * A token whose audience is {@code "foo"}, not the expected {@code "issuer"}, must be rejected.
     */
    @Test
    public void testFailsAudience() throws NoSuchAlgorithmException, ComponentInitializationException, URISyntaxException, DataSealerException {
        respCtx.setAuthorizationGrantClaimsSet(
                new AccessTokenClaimsSet.Builder()
                        .setJWTID(idGenerator)
                        .setClientID(new ClientID())
                        .setIssuer("issuer")
                        .setPrincipal("userPrin")
                        .setSubject("subject")
                        .setIssuedAt(Instant.now())
                        .setExpiresAt(Instant.now().plusSeconds(300L))
                        .setAuthenticationTime(Instant.now())
                        .setRedirectURI(new URI("http://example.com"))
                        .setScope(new Scope())
                        .setAudience(Collections.singletonList("foo"))
                        .build());
        // NOTE(review): the event id spelling ("Acess") presumably mirrors the id the action
        // emits -- confirm against the event id constant before changing it.
        ActionTestingSupport.assertEvent(action.execute(requestCtx), "InvalidAcessToken");
    }

    /**
     * A token whose expiry lies 120 seconds in the past must be rejected.
     */
    @Test
    public void testFailsExpired() throws NoSuchAlgorithmException, ComponentInitializationException, URISyntaxException, DataSealerException {
        respCtx.setAuthorizationGrantClaimsSet(
                new AccessTokenClaimsSet.Builder()
                        .setJWTID(idGenerator)
                        .setClientID(new ClientID())
                        .setIssuer("issuer")
                        .setPrincipal("userPrin")
                        .setSubject("subject")
                        .setIssuedAt(Instant.now())
                        // 120 s in the past; assumes this exceeds any clock-skew allowance in
                        // ExpiryClaimsValidator -- TODO confirm.
                        .setExpiresAt(Instant.now().minusSeconds(120L))
                        .setAuthenticationTime(Instant.now())
                        .setRedirectURI(new URI("http://example.com"))
                        .setScope(new Scope())
                        .build());
        ActionTestingSupport.assertEvent(action.execute(requestCtx), "InvalidAcessToken");
    }
}
