package net.shibboleth.idp.plugin.oidc.op.profile.flow;

import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.langtag.LangTag;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.openid.connect.sdk.AuthenticationResponse;
import com.nimbusds.openid.connect.sdk.AuthenticationSuccessResponse;
import com.nimbusds.openid.connect.sdk.claims.ClaimRequirement;
import com.nimbusds.openid.connect.sdk.claims.ClaimsSetRequest;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPrivateKey;
import java.text.ParseException;
import java.util.Iterator;
import java.util.List;
import net.shibboleth.idp.plugin.oidc.op.profile.flow.AbstractIssuedJWTSecurityTest;
import net.shibboleth.idp.plugin.oidc.op.token.support.AuthorizeCodeClaimsSet;
import net.shibboleth.oidc.security.credential.BasicJWKCredential;
import net.shibboleth.utilities.java.support.collection.Pair;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import net.shibboleth.utilities.java.support.security.DataSealerException;
import org.springframework.webflow.core.collection.MutableAttributeMap;
import org.springframework.webflow.executor.FlowExecutionResult;
import org.testng.Assert;
import org.testng.annotations.Test;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/profile/flow/RequestObjectJWETest.class */
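/**
 * Authorize-flow tests for request objects (the {@code request} parameter) that are encrypted
 * as JWEs, optionally after being signed.
 *
 * <p>Every assertion registers a test client whose metadata carries the request object JWS/JWE
 * algorithm settings under test, runs the authorize flow with the request object, removes the
 * metadata again and then checks the outcome. Two modes are exercised, selected by the
 * {@code encryptionOptional} flag of the superclass: when encryption is optional the default
 * client is used and an unencrypted or missing request object is still accepted; when it is
 * not, the client {@link #defaultClientIdEncryptionEnforced} is used and the same requests are
 * expected to end in the {@code ErrorView} outcome. A successful run must yield an authorization
 * code (no ID token, no access token) whose sealed claims set carries the claims request that
 * was embedded in the request object.</p>
 */
public class RequestObjectJWETest extends IssuedEncryptedJWTTest {

    /** Redirect URI registered for the test client and echoed back in the response. */
    private static final String REDIRECT_URI = "https://example.org/cb";

    /** Flow outcome expected when the OP rejects the request object. */
    private static final String ERROR_VIEW = "ErrorView";

    /**
     * Client id used when encryption is not optional; the tests expect this client to reject
     * request objects that are not encrypted.
     */
    String defaultClientIdEncryptionEnforced;

    /**
     * Constructor.
     *
     * @param z first flag forwarded unchanged to the superclass constructor
     * @param z2 second flag forwarded unchanged to the superclass constructor
     */
    public RequestObjectJWETest(boolean z, boolean z2) {
        super(AbstractIssuedJWTSecurityTest.JWT_FETCHING_TYPE.REQUEST_OBJECT, AuthorizeFlowTest.FLOW_ID, z, z2);
        this.defaultClientIdEncryptionEnforced = "mockClientIdRequestObjectEncryptionEnforced";
    }

    /**
     * Plain (unsigned, unencrypted) request object with no algorithm settings in the client
     * metadata: accepted only when encryption is optional.
     */
    @Override
    @Test
    public void testJwtEncryption_noSigAlgNorEncSpecified() throws Exception {
        JWT requestObject = obtainRequestObject(null, null, null, null, null, null);
        assertOutcomeForCurrentMode(requestObject.serialize(), null, null, null, this.defaultClientSecret64B, null);
    }

    /** Empty {@code request} parameter: accepted only when encryption is optional. */
    @Test
    public void testJwtEncryption_noSigAlgNorEncSpecified_noRequestObject() throws Exception {
        assertOutcomeForCurrentMode("", null, null, null, this.defaultClientSecret64B, null);
    }

    /**
     * HS256-signed but unencrypted request object with no algorithm settings in the client
     * metadata: accepted only when encryption is optional.
     */
    @Test
    public void testJwtEncryption_noSigAlgNorEncSpecified_signedRequestObject() throws Exception {
        JWT requestObject = obtainRequestObject(this.defaultClientSecret64B, null, null, JWSAlgorithm.HS256, null, null);
        assertOutcomeForCurrentMode(requestObject.serialize(), null, null, null, this.defaultClientSecret64B, null);
    }

    /**
     * Encrypted request object with no algorithm settings in the client metadata: every
     * supported JWE algorithm / encryption method combination (and, when signed JWTs are under
     * test, every JWS algorithm as well) must be accepted.
     */
    @Test
    public void testJwtEncryption_noSigAlgNorEncSpecified_encryptedRequestObject() throws Exception {
        if (!this.testSignedJwt) {
            for (JWEAlgorithm jweAlg : JWE_ALGORITHMS) {
                PublicKey providerKey = getProviderEncryptionKey(jweAlg);
                for (EncryptionMethod enc : ENCRYPTION_METHODS) {
                    JWT requestObject = obtainRequestObject(this.defaultClientSecret64B, providerKey, null, null, jweAlg, enc);
                    assertSuccessRequestObjectResponse(requestObject.serialize(), null, null, null, this.defaultClientSecret64B, null);
                }
            }
            return;
        }
        for (JWSAlgorithm jwsAlg : JWS_ALGORITHMS) {
            PrivateKey signingKey = getSigningKey(jwsAlg);
            PublicKey verificationKey = getSignatureVerificationKey(jwsAlg);
            for (JWEAlgorithm jweAlg : JWE_ALGORITHMS) {
                PublicKey providerKey = getProviderEncryptionKey(jweAlg);
                for (EncryptionMethod enc : ENCRYPTION_METHODS) {
                    JWT requestObject = obtainRequestObject(this.defaultClientSecret64B, providerKey, signingKey, jwsAlg, jweAlg, enc);
                    assertSuccessRequestObjectResponse(requestObject.serialize(), null, null, null, this.defaultClientSecret64B, verificationKey);
                }
            }
        }
    }

    /**
     * RS256-signed, unencrypted request object with only the JWS algorithm registered:
     * accepted only when encryption is optional.
     */
    @Test
    public void testRequestObjectEncryption_onlySigAlgNoEncSpecified() throws Exception {
        JWT requestObject = obtainRequestObject(null, null, this.rsaPrivateKey, JWSAlgorithm.RS256, null, null);
        assertOutcomeForCurrentMode(requestObject.serialize(), JWSAlgorithm.RS256, null, null, null, this.rsaPublicKey);
    }

    /**
     * Request object encrypted with a key derived from the client secret must be accepted.
     *
     * @param jWEAlgorithm JWE algorithm under test
     * @param encryptionMethod JWE encryption method under test
     */
    @Override
    protected void assertSecretBasedEncryption(JWEAlgorithm jWEAlgorithm, EncryptionMethod encryptionMethod) {
        if (!this.testSignedJwt) {
            // Unsigned case deliberately uses the shorter default secret, the signed case the 64-byte one.
            JWT requestObject = obtainRequestObject(this.defaultClientSecret, null, null, null, jWEAlgorithm, encryptionMethod);
            assertSuccessRequestObjectResponse(requestObject.serialize(), null, jWEAlgorithm, encryptionMethod, this.defaultClientSecret, null);
            return;
        }
        for (JWSAlgorithm jwsAlg : JWS_ALGORITHMS) {
            JWT requestObject = obtainRequestObject(this.defaultClientSecret64B, null, getSigningKey(jwsAlg), jwsAlg, jWEAlgorithm, encryptionMethod);
            assertSuccessRequestObjectResponse(requestObject.serialize(), jwsAlg, jWEAlgorithm, encryptionMethod, this.defaultClientSecret64B, getSignatureVerificationKey(jwsAlg));
        }
    }

    /**
     * Selects the provider (OP) encryption public key matching the key type of the given key:
     * the EC credential for EC keys, the default encryption credential otherwise.
     *
     * @param publicKey key whose type decides the credential to load
     * @return the provider's public encryption key of the same family
     */
    protected PublicKey getProviderEncryptionKeyViaKeyType(PublicKey publicKey) {
        if (publicKey instanceof ECPublicKey) {
            return loadCredential("/credentials/idp-encryption-ec.jwk").getPublicKey();
        }
        return loadEncryptionCredential().getPublicKey();
    }

    /**
     * Returns a public key that is valid for the algorithm but is NOT registered with the OP,
     * used to verify that the OP cannot decrypt with an unknown key.
     *
     * @param jWEAlgorithm algorithm deciding the key family (EC for ECDH-ES, RSA otherwise)
     * @return a test-local public key of the matching family
     */
    protected PublicKey getRandomEncryptionKey(JWEAlgorithm jWEAlgorithm) {
        if (!JWEAlgorithm.Family.ECDH_ES.contains(jWEAlgorithm)) {
            return this.rsaPublicKey;
        }
        try {
            return this.ecKey.toPublicKey();
        } catch (JOSEException e) {
            Assert.fail("Could not obtain a public key from the ECKey object", e);
            return null; // unreachable: Assert.fail throws
        }
    }

    /**
     * Selects the provider (OP) encryption public key matching the algorithm family:
     * the EC credential for ECDH-ES, the default encryption credential otherwise.
     *
     * @param jWEAlgorithm algorithm deciding the credential to load
     * @return the provider's public encryption key
     */
    protected PublicKey getProviderEncryptionKey(JWEAlgorithm jWEAlgorithm) {
        if (JWEAlgorithm.Family.ECDH_ES.contains(jWEAlgorithm)) {
            return loadCredential("/credentials/idp-encryption-ec.jwk").getPublicKey();
        }
        return loadEncryptionCredential().getPublicKey();
    }

    /**
     * Request object encrypted to the provider's public key must be accepted; the client's
     * public key is registered in its JWK set so signatures can be verified.
     *
     * @param publicKey client public key to register in the metadata
     * @param privateKey client private key used for signing in the unsigned-test variant
     * @param jWEAlgorithm JWE algorithm under test
     * @param encryptionMethod JWE encryption method under test
     */
    @Override
    protected void assertPublicKeyBasedEncryption(PublicKey publicKey, PrivateKey privateKey, JWEAlgorithm jWEAlgorithm, EncryptionMethod encryptionMethod) {
        PublicKey providerKey = getProviderEncryptionKeyViaKeyType(publicKey);
        if (!this.testSignedJwt) {
            JWT requestObject = obtainRequestObject(this.defaultClientSecret64B, providerKey, privateKey, null, jWEAlgorithm, encryptionMethod);
            assertSuccessRequestObjectResponse(requestObject.serialize(), null, jWEAlgorithm, encryptionMethod, this.defaultClientSecret64B, publicKey);
            return;
        }
        for (JWSAlgorithm jwsAlg : JWS_ALGORITHMS) {
            JWT requestObject = obtainRequestObject(this.defaultClientSecret64B, providerKey, getSigningKey(jwsAlg), jwsAlg, jWEAlgorithm, encryptionMethod);
            assertSuccessRequestObjectResponse(requestObject.serialize(), jwsAlg, jWEAlgorithm, encryptionMethod, this.defaultClientSecret64B, getSignatureVerificationKey(jwsAlg));
        }
    }

    /**
     * Without a client secret on record (secret passed as {@code null}) the OP must reject the
     * encrypted request object.
     *
     * @param jWEAlgorithm JWE algorithm under test
     * @param encryptionMethod JWE encryption method under test
     * @throws Exception if the request object cannot be built
     */
    @Override
    protected void assertNoSymmetricKeyResponse(JWEAlgorithm jWEAlgorithm, EncryptionMethod encryptionMethod) throws Exception {
        PublicKey providerKey = getProviderEncryptionKey(jWEAlgorithm);
        if (!this.testSignedJwt) {
            JWT requestObject = obtainRequestObject(this.defaultClientSecret64B, providerKey, this.rsaPrivateKey, null, jWEAlgorithm, encryptionMethod);
            assertErrorRequestObjectResponse(requestObject.serialize(), null, jWEAlgorithm, encryptionMethod, null, providerKey);
            return;
        }
        for (JWSAlgorithm jwsAlg : JWS_ALGORITHMS) {
            // NOTE(review): the signed branch encrypts to rsaPublicKey rather than providerKey — confirm this is intended.
            JWT requestObject = obtainRequestObject(this.defaultClientSecret64B, this.rsaPublicKey, getSigningKey(jwsAlg), jwsAlg, jWEAlgorithm, encryptionMethod);
            Assert.assertNotNull(requestObject, "The JWT could not be obtained with JWS alg " + jwsAlg);
            assertErrorRequestObjectResponse(requestObject.serialize(), jwsAlg, jWEAlgorithm, encryptionMethod, null, getSignatureVerificationKey(jwsAlg));
        }
    }

    /**
     * A request object encrypted with an algorithm the OP excludes must be rejected even though
     * the JWT itself is well-formed.
     *
     * @param jWEAlgorithm excluded JWE algorithm
     * @param encryptionMethod JWE encryption method under test
     */
    @Override
    protected void assertExcludedAlgorithm(JWEAlgorithm jWEAlgorithm, EncryptionMethod encryptionMethod) {
        if (!this.testSignedJwt) {
            JWT requestObject = obtainRequestObject(this.defaultClientSecret64B, getProviderEncryptionKey(jWEAlgorithm), null, null, jWEAlgorithm, encryptionMethod);
            Assert.assertTrue(requestObject instanceof EncryptedJWT, "Was not encrypted " + jWEAlgorithm);
            assertErrorRequestObjectResponse(requestObject.serialize(), null, jWEAlgorithm, encryptionMethod, this.defaultClientSecret64B, this.rsaPublicKey);
            return;
        }
        for (JWSAlgorithm jwsAlg : JWS_ALGORITHMS) {
            JWT requestObject = obtainRequestObject(this.defaultClientSecret64B, getProviderEncryptionKey(jWEAlgorithm), getSigningKey(jwsAlg), jwsAlg, jWEAlgorithm, encryptionMethod);
            assertErrorRequestObjectResponse(requestObject.serialize(), jwsAlg, jWEAlgorithm, encryptionMethod, this.defaultClientSecret64B, getSignatureVerificationKey(jwsAlg));
        }
    }

    /**
     * A request object encrypted to a key the OP does not hold must be rejected.
     *
     * @param jWEAlgorithm JWE algorithm under test
     * @param encryptionMethod JWE encryption method under test
     */
    @Override
    protected void assertNoPublicKeyResponse(JWEAlgorithm jWEAlgorithm, EncryptionMethod encryptionMethod) {
        PublicKey unknownKey = getRandomEncryptionKey(jWEAlgorithm);
        if (!this.testSignedJwt) {
            JWT requestObject = obtainRequestObject(this.defaultClientSecret64B, unknownKey, this.rsaPrivateKey, null, jWEAlgorithm, encryptionMethod);
            assertErrorRequestObjectResponse(requestObject.serialize(), null, jWEAlgorithm, encryptionMethod, this.defaultClientSecret64B, null);
            return;
        }
        for (JWSAlgorithm jwsAlg : JWS_ALGORITHMS) {
            JWT requestObject = obtainRequestObject(this.defaultClientSecret64B, unknownKey, getSigningKey(jwsAlg), jwsAlg, jWEAlgorithm, encryptionMethod);
            assertErrorRequestObjectResponse(requestObject.serialize(), jwsAlg, jWEAlgorithm, encryptionMethod, this.defaultClientSecret64B, null);
        }
    }

    /**
     * Runs the authorize flow with the given request object and asserts that it ends in the
     * {@code ErrorView} outcome.
     *
     * @param str serialized request object (may be empty)
     * @param jWSAlgorithm request object JWS algorithm to register, or null
     * @param jWEAlgorithm request object JWE algorithm to register, or null
     * @param encryptionMethod request object JWE encryption method to register, or null
     * @param str2 client secret to store with the metadata, or null for none
     * @param publicKey client public key to publish in the JWK set, or null for none
     */
    protected void assertErrorRequestObjectResponse(String str, JWSAlgorithm jWSAlgorithm, JWEAlgorithm jWEAlgorithm, EncryptionMethod encryptionMethod, String str2, PublicKey publicKey) {
        try {
            FlowExecutionResult result = launchRequestObjectFlow(str, jWSAlgorithm, jWEAlgorithm, encryptionMethod, str2, publicKey);
            Assert.assertEquals(result.getOutcome().getId(), ERROR_VIEW);
        } catch (IOException | URISyntaxException e) {
            Assert.fail("Could not run the authorize flow", e);
        }
    }

    /**
     * Runs the authorize flow with the given request object and asserts that an authorization
     * code (and nothing else) is issued to the registered redirect URI. When a non-blank request
     * object was sent, the sealed code must carry its claims request.
     *
     * @param str serialized request object (may be empty)
     * @param jWSAlgorithm request object JWS algorithm to register, or null
     * @param jWEAlgorithm request object JWE algorithm to register, or null
     * @param encryptionMethod request object JWE encryption method to register, or null
     * @param str2 client secret to store with the metadata, or null for none
     * @param publicKey client public key to publish in the JWK set, or null for none
     */
    protected void assertSuccessRequestObjectResponse(String str, JWSAlgorithm jWSAlgorithm, JWEAlgorithm jWEAlgorithm, EncryptionMethod encryptionMethod, String str2, PublicKey publicKey) {
        try {
            FlowExecutionResult result = launchRequestObjectFlow(str, jWSAlgorithm, jWEAlgorithm, encryptionMethod, str2, publicKey);
            AuthenticationSuccessResponse successResponse = parseSuccessResponse(result, AuthenticationResponse.class).toSuccessResponse();
            Assert.assertEquals(successResponse.getRedirectionURI().toString(), REDIRECT_URI);
            // Code flow only: no tokens may be issued from the authorization endpoint.
            Assert.assertNull(successResponse.getIDToken());
            Assert.assertNull(successResponse.getAccessToken());
            Assert.assertNotNull(successResponse.getAuthorizationCode());
            Assert.assertNull(successResponse.getIssuer());
            assertAuthorizationCodeCarriesClaimsRequest(successResponse.getAuthorizationCode().getValue(), str);
        } catch (IOException | URISyntaxException e) {
            Assert.fail("Could not run the authorize flow", e);
        }
    }

    /**
     * Shared driver for the success and error assertions: registers client metadata carrying the
     * given request object algorithm settings, launches the flow and removes the metadata again.
     *
     * @param requestObject serialized request object for the {@code request} parameter
     * @param jwsAlg request object JWS algorithm to register, or null
     * @param jweAlg request object JWE algorithm to register, or null
     * @param enc request object JWE encryption method to register, or null
     * @param clientSecret client secret to store with the metadata, or null
     * @param clientPublicKey client public key to publish in the JWK set, or null
     * @return the flow execution result
     * @throws IOException if the metadata store cannot be written or cleared
     * @throws URISyntaxException never, the redirect URI is a constant
     */
    private FlowExecutionResult launchRequestObjectFlow(String requestObject, JWSAlgorithm jwsAlg, JWEAlgorithm jweAlg, EncryptionMethod enc, String clientSecret, PublicKey clientPublicKey) throws IOException, URISyntaxException {
        this.request.setMethod("GET");
        String clientId = clientIdForCurrentMode();
        AuthorizeFlowTest.setRequestParameters(this.request, List.of(
                new Pair<>("client_id", clientId),
                new Pair<>("response_type", "code"),
                new Pair<>("scope", "openid profile"),
                new Pair<>("redirect_uri", REDIRECT_URI),
                new Pair<>("request", requestObject)));
        initializeThreadLocals();
        OIDCClientMetadata metadata = buildMetadataSkeleton();
        metadata.setScope(new Scope(new String[]{"openid"}));
        metadata.setRequestObjectJWSAlg(jwsAlg);
        metadata.setRequestObjectJWEAlg(jweAlg);
        metadata.setRequestObjectJWEEnc(enc);
        if (clientPublicKey != null) {
            metadata.setJWKSet(IssuedEncryptedJWTTest.buildJWKSet(clientPublicKey));
        }
        metadata.setRedirectionURI(new URI(REDIRECT_URI));
        storeMetadataObject(this.storageService, clientId, clientSecret, metadata);
        setBasicAuth("jdoe", "changeit");
        FlowExecutionResult result = this.flowExecutor.launchExecution(this.flowId, (MutableAttributeMap) null, this.externalContext);
        removeMetadata(this.storageService, clientId);
        return result;
    }

    /**
     * Unseals the authorization code and, when a non-blank request object was sent, checks that
     * the essential {@code family_name} (userinfo) and {@code given_name} (ID token) claims
     * requested in it were carried into the code.
     *
     * @param authorizationCode sealed authorization code value
     * @param requestObject serialized request object that was sent, possibly blank
     */
    private void assertAuthorizationCodeCarriesClaimsRequest(String authorizationCode, String requestObject) {
        try {
            AuthorizeCodeClaimsSet claimsSet = AuthorizeCodeClaimsSet.parse(authorizationCode, getDataSealer());
            if (StringSupport.trimOrNull(requestObject) == null) {
                return; // nothing was requested, so nothing to verify
            }
            Assert.assertNotNull(claimsSet.getClaimsRequest());
            ClaimsSetRequest idTokenClaims = claimsSet.getClaimsRequest().getIDTokenClaimsRequest();
            ClaimsSetRequest userInfoClaims = claimsSet.getClaimsRequest().getUserInfoClaimsRequest();
            Assert.assertNotNull(idTokenClaims);
            Assert.assertNotNull(userInfoClaims);
            Assert.assertTrue(userInfoClaims.getClaimNames(false).contains("family_name"));
            Assert.assertTrue(idTokenClaims.getClaimNames(false).contains("given_name"));
            ClaimsSetRequest.Entry familyName = userInfoClaims.get("family_name", (LangTag) null);
            Assert.assertEquals(familyName.getClaimName(), "family_name");
            Assert.assertEquals(familyName.getClaimRequirement(), ClaimRequirement.ESSENTIAL);
            ClaimsSetRequest.Entry givenName = idTokenClaims.get("given_name", (LangTag) null);
            Assert.assertEquals(givenName.getClaimName(), "given_name");
            Assert.assertEquals(givenName.getClaimRequirement(), ClaimRequirement.ESSENTIAL);
        } catch (ParseException | DataSealerException e) {
            Assert.fail("Could not create an authorize code", e);
        }
    }

    /**
     * Dispatches to the success or error assertion according to the encryption mode: an
     * unencrypted request object is only acceptable while encryption is optional.
     */
    private void assertOutcomeForCurrentMode(String requestObject, JWSAlgorithm jwsAlg, JWEAlgorithm jweAlg, EncryptionMethod enc, String clientSecret, PublicKey clientPublicKey) {
        if (this.encryptionOptional) {
            assertSuccessRequestObjectResponse(requestObject, jwsAlg, jweAlg, enc, clientSecret, clientPublicKey);
        } else {
            assertErrorRequestObjectResponse(requestObject, jwsAlg, jweAlg, enc, clientSecret, clientPublicKey);
        }
    }

    /** @return the client id matching the encryption mode (enforced client when encryption is required). */
    private String clientIdForCurrentMode() {
        return this.encryptionOptional ? this.defaultClientId : this.defaultClientIdEncryptionEnforced;
    }

    /**
     * Base-class hook for an encrypted, signed JWT: feeds it through the request object flow
     * expecting success.
     */
    @Override
    public void assertEncryptedSignedJwt(JWT jwt, JWSAlgorithm jWSAlgorithm, JWEAlgorithm jWEAlgorithm, EncryptionMethod encryptionMethod, String str, PrivateKey privateKey, PublicKey publicKey, PublicKey publicKey2) {
        assertSuccessRequestObjectResponse(jwt.serialize(), jWSAlgorithm, jWEAlgorithm, encryptionMethod, str, publicKey2);
    }

    /** Base-class hook for a signed JWT: feeds it through the request object flow expecting success. */
    @Override
    protected void assertSignedJwt(JWT jwt, JWSAlgorithm jWSAlgorithm, PublicKey publicKey, String str) {
        assertSuccessRequestObjectResponse(jwt.serialize(), jWSAlgorithm, null, null, str, publicKey);
    }

    /**
     * Builds the request object for the current client: a claims-request payload, signed per
     * {@code jWSAlgorithm} (or left plain), then encrypted when {@code jWEAlgorithm} is set.
     * Encryption uses {@code publicKey} when given, otherwise the secret {@code str}; if neither
     * is available the JWT is returned unencrypted.
     *
     * @param str client secret for HMAC signing and/or secret-based encryption, or null
     * @param publicKey recipient public key for encryption, or null
     * @param privateKey signing key for EC/RSA algorithms, or null
     * @param jWSAlgorithm signing algorithm, or null for a plain JWT
     * @param jWEAlgorithm encryption algorithm, or null for no encryption
     * @param encryptionMethod encryption method, used together with {@code jWEAlgorithm}
     * @return the request object
     */
    protected JWT obtainRequestObject(String str, PublicKey publicKey, PrivateKey privateKey, JWSAlgorithm jWSAlgorithm, JWEAlgorithm jWEAlgorithm, EncryptionMethod encryptionMethod) {
        String payload = AuthorizeFlowTest.getRequestObjectWithClaimsRequestPayload(clientIdForCurrentMode(), REDIRECT_URI);
        JWT signedOrPlain = processJwsForRequestObject(jWSAlgorithm, payload, str, privateKey);
        if (jWEAlgorithm == null) {
            return signedOrPlain;
        }
        // Fail with a message rather than an NPE when the signing step produced nothing.
        Assert.assertNotNull(signedOrPlain, "Could not build the request object for JWS alg " + jWSAlgorithm);
        try {
            if (publicKey != null) {
                BasicJWKCredential recipient = new BasicJWKCredential();
                recipient.setPublicKey(publicKey);
                return createEncryptedJWT(signedOrPlain.serialize(), jWEAlgorithm, encryptionMethod, recipient, str);
            }
            if (str != null) {
                return createEncryptedJWT(signedOrPlain.serialize(), jWEAlgorithm, encryptionMethod, null, str, false);
            }
        } catch (JOSEException | ParseException e) {
            Assert.fail("Could not encrypt the JWT", e);
        }
        return signedOrPlain;
    }

    /**
     * Signs the payload with the given algorithm using the matching key material.
     *
     * @param jWSAlgorithm signing algorithm, or null for a plain JWT
     * @param str JSON claims payload
     * @param str2 shared secret for HMAC algorithms, or null
     * @param privateKey EC or RSA private key for asymmetric algorithms
     * @return the JWT, or null when the algorithm is unsupported or an HMAC algorithm has no secret
     */
    protected JWT processJwsForRequestObject(JWSAlgorithm jWSAlgorithm, String str, String str2, PrivateKey privateKey) {
        try {
            JWTClaimsSet claims = JWTClaimsSet.parse(str);
            if (jWSAlgorithm == null) {
                return new PlainJWT(claims);
            }
            if (JWSAlgorithm.Family.EC.contains(jWSAlgorithm)) {
                return createPrivateKeyJWT(claims, (ECPrivateKey) privateKey, jWSAlgorithm);
            }
            if (JWSAlgorithm.Family.RSA.contains(jWSAlgorithm)) {
                return createPrivateKeyJWT(claims, (RSAPrivateKey) privateKey, jWSAlgorithm);
            }
            if (JWSAlgorithm.Family.HMAC_SHA.contains(jWSAlgorithm) && str2 != null) {
                return createSecretJWT(claims, str2, jWSAlgorithm);
            }
            return null;
        } catch (JOSEException | ParseException e) {
            Assert.fail(e.getMessage(), e);
            return null; // unreachable: Assert.fail throws
        }
    }
}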
