package net.shibboleth.idp.plugin.oidc.op.authn.impl;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.AuthorizationCode;
import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
import com.nimbusds.oauth2.sdk.auth.ClientSecretJWT;
import com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientInformation;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.time.Instant;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import net.shibboleth.idp.authn.AuthenticationFlowDescriptor;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.impl.ValidateCredentials;
import net.shibboleth.idp.authn.impl.testing.BaseAuthenticationContextTest;
import net.shibboleth.idp.authn.principal.UsernamePrincipal;
import net.shibboleth.idp.profile.context.RelyingPartyContext;
import net.shibboleth.idp.profile.context.navigate.RelyingPartyIdLookupFunction;
import net.shibboleth.idp.profile.testing.ActionTestingSupport;
import net.shibboleth.oidc.authn.context.OAuth2ClientAuthenticationContext;
import net.shibboleth.oidc.jwt.claims.ClaimsValidator;
import net.shibboleth.oidc.metadata.context.OIDCMetadataContext;
import net.shibboleth.oidc.profile.oauth2.config.impl.DefaultOAuth2TokenConfiguration;
import net.shibboleth.oidc.security.jose.context.SecurityParametersContext;
import net.shibboleth.oidc.security.jwt.claims.impl.AudienceClaimsValidator;
import net.shibboleth.oidc.security.jwt.claims.impl.ChainingJWTClaimsValidator;
import net.shibboleth.oidc.security.jwt.claims.impl.ExactMatchClaimsValidator;
import net.shibboleth.oidc.security.jwt.claims.impl.ExpiryClaimsValidator;
import net.shibboleth.oidc.security.jwt.claims.impl.IssuedAtClaimsValidator;
import net.shibboleth.oidc.security.jwt.claims.impl.JWTIdentifierClaimsValidator;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.logic.BiFunctionSupport;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.storage.ReplayCache;
import org.opensaml.storage.impl.MemoryStorageService;
import org.springframework.webflow.execution.Event;
import org.testng.Assert;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/authn/impl/JWTCredentialValidatorTest.class */
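/**
 * Tests for {@link JWTCredentialValidator}, which authenticates an OAuth2 client at the token
 * endpoint from a signed JWT assertion ({@code client_secret_jwt} or {@code private_key_jwt}).
 *
 * <p>Every test builds a {@link SignedJWT}, wraps it in the matching client authentication,
 * attaches it to the profile request context and runs {@link ValidateCredentials} with the
 * validator under test. The claim rules exercised (expiry, issued-at, {@code iss}, {@code sub},
 * {@code aud} and {@code jti} replay) are assembled in {@link #constructClaimsValidator}.
 *
 * <p>Coverage note: no case in this class presents an assertion signed with a secret or key
 * other than the registered one; {@link #createSecretJWT(JWTClaimsSet, String)} exists for that
 * purpose but is not used here.
 */
public class JWTCredentialValidatorTest extends BaseAuthenticationContextTest {

    /** Lifetime, in seconds, granted to assertions built by the claims-set helpers. */
    private static final long LIFETIME_SECONDS = 600L;

    /** Fixed {@code jti} used by the claims-set helpers. */
    private static final String JWT_ID = "mockId";

    /** Client under test; also used as relying party id and as the {@code iss}/{@code sub} claim value. */
    ClientID clientId;

    /** HS256 secret; must be at least 256 bits, as {@link MACSigner} rejects shorter keys. */
    Secret clientSecret;

    /** Audience expected in the assertions. */
    URI endpointUri;

    /** Signing key for RS256 assertions. */
    RSAPrivateKey rsaPrivateKey;

    /** Public half of the generated pair; not read by the tests in this class. */
    RSAPublicKey rsaPublicKey;

    /** Claims validator installed into the token profile configuration. */
    private ClaimsValidator claimsValidator;

    /** Validator under test. */
    private JWTCredentialValidator validator;

    /** Action that drives the validator. */
    private ValidateCredentials action;

    /**
     * Generates the RSA key pair once for the class.
     *
     * @throws NoSuchAlgorithmException if the RSA generator is unavailable
     */
    @BeforeClass
    public void initKeys() throws NoSuchAlgorithmException {
        final KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
        final KeyPair pair = generator.genKeyPair();
        rsaPrivateKey = (RSAPrivateKey) pair.getPrivate();
        rsaPublicKey = (RSAPublicKey) pair.getPublic();
    }

    /**
     * Builds a fresh fixture before every test: client identity and secret, the claims validator
     * chain with an empty in-memory replay cache, the validator and the action that runs it.
     *
     * @throws ComponentInitializationException if any component fails to initialize or the
     *         endpoint URI cannot be parsed
     */
    @BeforeMethod
    public void setUp() throws ComponentInitializationException {
        super.setUp();
        clientId = new ClientID("mockId");
        clientSecret = new Secret("secret1234567890secret1234567890secret1234567890");
        try {
            endpointUri = new URI("http://localhost");
        } catch (final URISyntaxException e) {
            throw new ComponentInitializationException(e);
        }

        // A new storage service per test, so the fixed jti is only seen as a replay when a
        // test deliberately presents the same assertion twice.
        final MemoryStorageService storage = new MemoryStorageService();
        storage.setId("mockId");
        storage.initialize();
        final ReplayCache replayCache = new ReplayCache();
        replayCache.setStorage(storage);

        claimsValidator = constructClaimsValidator(
                (HttpServletRequest) src.getExternalContext().getNativeRequest(), replayCache);
        final DefaultOAuth2TokenConfiguration tokenConfig = new DefaultOAuth2TokenConfiguration();
        tokenConfig.setClaimsValidator(claimsValidator);
        prc.getSubcontext(RelyingPartyContext.class).setProfileConfig(tokenConfig);

        validator = new JWTCredentialValidator();
        validator.setId("test");
        validator.setSecurityParametersLookupStrategy(
                new ChildContextLookup<>(SecurityParametersContext.class));
        validator.initialize();

        action = new ValidateCredentials();
        action.setValidators(Collections.singletonList(validator));
        action.initialize();
    }

    /**
     * Registers client metadata for {@link #clientId} (secret plus the registered token endpoint
     * authentication method) in the inbound message context.
     *
     * @param tokenRequest the token request; not read by this implementation
     * @param clientAuthenticationMethod the registered token endpoint authentication method
     * @param z not read by this implementation; retained for signature compatibility
     * @throws NoSuchAlgorithmException declared for overriding implementations
     * @throws JOSEException declared for overriding implementations
     */
    protected void completeSetup(TokenRequest tokenRequest, ClientAuthenticationMethod clientAuthenticationMethod, boolean z) throws NoSuchAlgorithmException, JOSEException {
        final OIDCClientMetadata clientMetadata = new OIDCClientMetadata();
        clientMetadata.setTokenEndpointAuthMethod(clientAuthenticationMethod);
        final OIDCMetadataContext metadataContext = new OIDCMetadataContext();
        metadataContext.setClientInformation(
                new OIDCClientInformation(clientId, new Date(), clientMetadata, clientSecret));
        prc.getInboundMessageContext().addSubcontext(metadataContext);
    }

    /**
     * Wraps the assertion in the client authentication matching {@code clientAuthenticationMethod},
     * attaches it to the authentication context, sets the relying party id to the client id and
     * delegates to {@link #completeSetup}.
     *
     * <p>The local holding the authentication is typed as {@link ClientAuthentication}: the two
     * branches produce {@link ClientSecretJWT} and {@link PrivateKeyJWT}, which share no narrower
     * common type.
     *
     * @param clientAuthenticationMethod CLIENT_SECRET_JWT or PRIVATE_KEY_JWT; anything else yields
     *        a {@code null} client authentication
     * @param signedJWT the assertion to present
     * @param z passed through to {@link #completeSetup}
     * @throws JOSEException propagated from {@link #completeSetup}
     * @throws NoSuchAlgorithmException propagated from {@link #completeSetup}
     */
    protected void initializeTokenRequest(ClientAuthenticationMethod clientAuthenticationMethod, SignedJWT signedJWT, boolean z) throws JOSEException, NoSuchAlgorithmException {
        final ClientAuthentication clientAuth;
        if (ClientAuthenticationMethod.CLIENT_SECRET_JWT.equals(clientAuthenticationMethod)) {
            clientAuth = new ClientSecretJWT(signedJWT);
        } else if (ClientAuthenticationMethod.PRIVATE_KEY_JWT.equals(clientAuthenticationMethod)) {
            clientAuth = new PrivateKeyJWT(signedJWT);
        } else {
            clientAuth = null;
        }

        final AuthenticationContext authnContext = prc.getSubcontext(AuthenticationContext.class, true);
        authnContext.setAttemptedFlow((AuthenticationFlowDescriptor) authenticationFlows.get(0));
        authnContext.getSubcontext(OAuth2ClientAuthenticationContext.class, true)
                .setClientAuthentication(clientAuth);
        prc.getSubcontext(RelyingPartyContext.class, true).setRelyingPartyId(clientId.getValue());

        final TokenRequest tokenRequest = new TokenRequest((URI) null, clientAuth,
                new AuthorizationCodeGrant(new AuthorizationCode(), (URI) null));
        completeSetup(tokenRequest, clientAuthenticationMethod, z);
    }

    /**
     * Assembles the claim rules applied to the assertion, in order: expiry, issued-at (optional),
     * {@code iss} and {@code sub} equal to the relying party id, {@code aud} equal to the request
     * URL, and {@code jti} replay detection backed by {@code replayCache}.
     *
     * @param httpServletRequest request whose URL is the expected audience
     * @param replayCache cache recording seen {@code jti} values
     * @return the chained validator
     */
    protected ClaimsValidator constructClaimsValidator(HttpServletRequest httpServletRequest, ReplayCache replayCache) {
        final ExpiryClaimsValidator expiry = new ExpiryClaimsValidator();

        // iat is checked when present but its absence is not an error
        final IssuedAtClaimsValidator issuedAt = new IssuedAtClaimsValidator();
        issuedAt.setRequiredRule(false);

        final ExactMatchClaimsValidator issuer = new ExactMatchClaimsValidator();
        issuer.setClaimName("iss");
        issuer.setValueToMatchLookupStrategy(
                BiFunctionSupport.forFunctionOfFirstArg(new RelyingPartyIdLookupFunction()));

        final ExactMatchClaimsValidator subject = new ExactMatchClaimsValidator();
        subject.setClaimName("sub");
        subject.setValueToMatchLookupStrategy(
                BiFunctionSupport.forFunctionOfFirstArg(new RelyingPartyIdLookupFunction()));

        // The claims-set helpers put endpointUri in aud; this relies on the mock request URL
        // matching it — confirm against the base test's request setup if audience cases change.
        final AudienceClaimsValidator audience = new AudienceClaimsValidator();
        audience.setAudienceLookupStrategy(
                (profileRequestContext, claims) -> httpServletRequest.getRequestURL().toString());

        final JWTIdentifierClaimsValidator identifier = new JWTIdentifierClaimsValidator();
        identifier.setReplayCache(replayCache);

        final ChainingJWTClaimsValidator chain = new ChainingJWTClaimsValidator();
        chain.setClaimValidators(List.of(expiry, issuedAt, issuer, subject, audience, identifier));
        return chain;
    }

    /**
     * Runs the action and expects {@code InvalidCredentials}. When {@code expectFirstAttemptToSucceed}
     * is set the action is run twice: the first run must proceed and the second, presenting the same
     * assertion, must be refused (replay detection).
     *
     * @param clientAuthenticationMethod how the assertion is presented
     * @param signedJWT the assertion
     * @param expectFirstAttemptToSucceed whether a successful first run precedes the failing one
     * @param z2 passed through to {@link #initializeTokenRequest}
     * @throws Exception on any setup failure
     */
    protected void testFailingJwtAuth(ClientAuthenticationMethod clientAuthenticationMethod, SignedJWT signedJWT, boolean expectFirstAttemptToSucceed, boolean z2) throws Exception {
        initializeTokenRequest(clientAuthenticationMethod, signedJWT, z2);
        Event result = action.execute(src);
        if (expectFirstAttemptToSucceed) {
            ActionTestingSupport.assertProceedEvent(result);
            result = action.execute(src);
        }
        ActionTestingSupport.assertEvent(result, "InvalidCredentials");
    }

    /** Builder pre-populated with {@code sub}, {@code iss} (the client id) and {@code aud} (the endpoint). */
    private JWTClaimsSet.Builder baseClaims() {
        return new JWTClaimsSet.Builder()
                .subject(clientId.toString())
                .issuer(clientId.toString())
                .audience(endpointUri.toString());
    }

    /** @return claims whose {@code iat} (and {@code exp}) lie {@value #LIFETIME_SECONDS}s in the future */
    protected JWTClaimsSet claimsSetWithIatInTheFuture() {
        final Instant future = Instant.now().plusSeconds(LIFETIME_SECONDS);
        return baseClaims()
                .expirationTime(Date.from(future))
                .issueTime(Date.from(future))
                .jwtID(JWT_ID)
                .build();
    }

    /** @return claims whose {@code exp} lies {@value #LIFETIME_SECONDS}s in the past */
    protected JWTClaimsSet claimsSetWithExpInThePast() {
        final Instant now = Instant.now();
        return baseClaims()
                .expirationTime(Date.from(now.minusSeconds(LIFETIME_SECONDS)))
                .issueTime(Date.from(now))
                .jwtID(JWT_ID)
                .build();
    }

    /** @return otherwise valid claims with no {@code jti} */
    protected JWTClaimsSet claimsSetWithoutJit() {
        final Instant now = Instant.now();
        return baseClaims()
                .expirationTime(Date.from(now.plusSeconds(LIFETIME_SECONDS)))
                .issueTime(Date.from(now))
                .build();
    }

    /** @return claims the validator chain is expected to accept */
    protected JWTClaimsSet validClaimsSet() {
        final Instant now = Instant.now();
        return baseClaims()
                .expirationTime(Date.from(now.plusSeconds(LIFETIME_SECONDS)))
                .issueTime(Date.from(now))
                .jwtID(JWT_ID)
                .build();
    }

    /**
     * Signs the claims with HS256 using the registered client secret.
     *
     * @param jWTClaimsSet claims to sign
     * @return the signed assertion
     * @throws JOSEException if signing fails
     */
    protected SignedJWT createSecretJWT(JWTClaimsSet jWTClaimsSet) throws JOSEException {
        return createSecretJWT(jWTClaimsSet, clientSecret.getValue());
    }

    /**
     * Signs the claims with HS256 using an arbitrary secret, which lets a caller produce an
     * assertion the registered secret will not verify.
     *
     * @param jWTClaimsSet claims to sign
     * @param str the HMAC secret
     * @return the signed assertion
     * @throws JOSEException if signing fails, including a secret shorter than 256 bits
     */
    protected SignedJWT createSecretJWT(JWTClaimsSet jWTClaimsSet, String str) throws JOSEException {
        final SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256), jWTClaimsSet);
        jwt.sign(new MACSigner(str));
        return jwt;
    }

    /**
     * Signs the claims with RS256 using {@link #rsaPrivateKey}.
     *
     * @param jWTClaimsSet claims to sign
     * @return the signed assertion
     * @throws JOSEException if signing fails
     */
    protected SignedJWT createPrivateKeyJWT(JWTClaimsSet jWTClaimsSet) throws JOSEException {
        final SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), jWTClaimsSet);
        jwt.sign(new RSASSASigner(rsaPrivateKey));
        return jwt;
    }

    /** Asserts that an authentication result exists and names {@link #clientId} as the principal. */
    private void assertAuthenticatedAsClient() {
        final AuthenticationContext authnContext = prc.getSubcontext(AuthenticationContext.class);
        Assert.assertNotNull(authnContext.getAuthenticationResult());
        final UsernamePrincipal principal = authnContext.getAuthenticationResult().getSubject()
                .getPrincipals(UsernamePrincipal.class).iterator().next();
        Assert.assertEquals(principal.getName(), clientId.getValue());
    }

    /** A profile configuration without a claims validator must not accept the assertion. */
    @Test
    public void testNoClaimsValidator() throws Exception {
        prc.getSubcontext(RelyingPartyContext.class).getProfileConfig().setClaimsValidator((ClaimsValidator) null);
        testFailingJwtAuth(ClientAuthenticationMethod.CLIENT_SECRET_JWT, createSecretJWT(validClaimsSet()), false, true);
    }

    /** Valid client_secret_jwt assertion authenticates the client. */
    @Test
    public void testSecretJwt() throws JOSEException, NoSuchAlgorithmException {
        initializeTokenRequest(ClientAuthenticationMethod.CLIENT_SECRET_JWT, createSecretJWT(validClaimsSet()), true);
        ActionTestingSupport.assertProceedEvent(action.execute(src));
        assertAuthenticatedAsClient();
    }

    /** Valid private_key_jwt assertion authenticates the client. */
    @Test
    public void testPrivateKeyJwt() throws JOSEException, NoSuchAlgorithmException {
        initializeTokenRequest(ClientAuthenticationMethod.PRIVATE_KEY_JWT, createPrivateKeyJWT(validClaimsSet()), true);
        ActionTestingSupport.assertProceedEvent(action.execute(src));
        assertAuthenticatedAsClient();
    }

    @Test
    public void testInvalidSecretJwt_iatInTheFuture() throws Exception {
        testFailingJwtAuth(ClientAuthenticationMethod.CLIENT_SECRET_JWT, createSecretJWT(claimsSetWithIatInTheFuture()), false, true);
    }

    @Test
    public void testInvalidSecretJwt_expInThePast() throws Exception {
        testFailingJwtAuth(ClientAuthenticationMethod.CLIENT_SECRET_JWT, createSecretJWT(claimsSetWithExpInThePast()), false, true);
    }

    @Test
    public void testInvalidSecretJwt_withoutJit() throws Exception {
        testFailingJwtAuth(ClientAuthenticationMethod.CLIENT_SECRET_JWT, createSecretJWT(claimsSetWithoutJit()), false, true);
    }

    /** The same assertion presented a second time must be refused as a replay. */
    @Test
    public void testInvalidSecretJwt_jitReplayDetected() throws Exception {
        testFailingJwtAuth(ClientAuthenticationMethod.CLIENT_SECRET_JWT, createSecretJWT(validClaimsSet()), true, true);
    }

    @Test
    public void testInvalidPrivateKeyJwt_iatInTheFuture() throws Exception {
        testFailingJwtAuth(ClientAuthenticationMethod.PRIVATE_KEY_JWT, createPrivateKeyJWT(claimsSetWithIatInTheFuture()), false, true);
    }

    @Test
    public void testInvalidPrivateKeyJwt_expInThePast() throws Exception {
        testFailingJwtAuth(ClientAuthenticationMethod.PRIVATE_KEY_JWT, createPrivateKeyJWT(claimsSetWithExpInThePast()), false, true);
    }

    @Test
    public void testInvalidPrivateKeyJwt_withoutJit() throws Exception {
        testFailingJwtAuth(ClientAuthenticationMethod.PRIVATE_KEY_JWT, createPrivateKeyJWT(claimsSetWithoutJit()), false, true);
    }

    /** The same assertion presented a second time must be refused as a replay. */
    @Test
    public void testInvalidPrivateKeyJwt_jitReplayDetected() throws Exception {
        testFailingJwtAuth(ClientAuthenticationMethod.PRIVATE_KEY_JWT, createPrivateKeyJWT(validClaimsSet()), true, true);
    }
}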
