package net.shibboleth.idp.plugin.oidc.op.profile.flow;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.JWT;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
import com.nimbusds.oauth2.sdk.id.ClientID;
import java.io.IOException;
import java.net.URISyntaxException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.time.Instant;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import net.shibboleth.idp.plugin.oidc.op.oauth2.messaging.impl.OAuth2RevocationSuccessResponse;
import net.shibboleth.idp.plugin.oidc.op.storage.RevocationCacheContexts;
import net.shibboleth.idp.plugin.oidc.op.token.support.AccessTokenClaimsSet;
import net.shibboleth.oidc.security.credential.JWKCredential;
import net.shibboleth.utilities.java.support.collection.Pair;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.security.DataSealerException;
import org.opensaml.storage.RevocationCache;
import org.opensaml.storage.StorageService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.webflow.core.collection.MutableAttributeMap;
import org.springframework.webflow.executor.FlowExecutionResult;
import org.testng.Assert;
import org.testng.annotations.AfterMethod;
import org.testng.annotations.Test;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/profile/flow/RevocationFlowTest.class */
/**
 * Web-flow tests for the OAuth 2.0 token revocation endpoint ({@value #FLOW_ID}).
 *
 * <p>The security properties pinned by this class are:</p>
 * <ul>
 *   <li>a client that fails authentication gets {@code invalid_client}
 *       (see {@link #testUntrustedClient()} and {@link #testFailedAuthentication()});</li>
 *   <li>once the client is authenticated the endpoint answers with a success
 *       response no matter what the presented token looks like -- expired,
 *       signed with a foreign key, issued to another client -- so the endpoint
 *       cannot be used as an oracle for token validity, which is what
 *       RFC 7009 section 2.2 asks for;</li>
 *   <li>what actually lands in the {@link RevocationCache} depends on the
 *       client: for the default client the whole authorization-code grant is
 *       revoked, for {@link #clientIdSingle} only the presented token
 *       (see {@link #testSuccess()} versus the {@code testSuccessSingle*} tests).</li>
 * </ul>
 *
 * <p>The client-authentication variants (JWT client assertions and their
 * failure modes) are inherited from {@link AbstractOidcClientAuthenticationFlowTest}
 * and plugged into this flow through the overrides at the bottom of the class.</p>
 */
public class RevocationFlowTest extends AbstractOidcClientAuthenticationFlowTest {
    /** Identifier of the web flow under test. */
    public static final String FLOW_ID = "oauth2/revocation";
    /**
     * Client for which revocation is expected to touch only the presented token.
     * Presumably configured with refresh-token rotation in the testbed (the name
     * says so); the {@code testSuccessSingle*} tests pin the resulting behaviour.
     */
    String clientIdSingle;
    /** Scope written into the client metadata the tests register. */
    Scope scope;

    /** OP signing key used to mint JWT-format access tokens in the {@code *JWT*} tests; injected by Spring. */
    @Autowired
    @Qualifier("testbed.DefaultRSSigningCredential")
    private JWKCredential signingKey;

    /** Storage service that client metadata is written to by the tests and removed from in {@link #tearDown()}. */
    @Autowired
    @Qualifier("shibboleth.StorageService")
    StorageService storageService;

    /** Revocation cache inspected after a successful call to check what was (not) revoked. */
    @Autowired
    @Qualifier("shibboleth.oidc.RevocationCache")
    RevocationCache revocationCache;

    /** Binds the test to the revocation flow and sets up the fixed fixtures. */
    public RevocationFlowTest() {
        super(FLOW_ID);
        this.clientIdSingle = "mockClientIdRefreshTokenRotation";
        this.scope = Scope.parse("openid profile email");
        // Explicit null; Spring overwrites the @Autowired field once construction is done.
        this.signingKey = null;
    }

    /**
     * Removes the client registrations a test may have stored so that one test's
     * metadata cannot leak into the next. Only {@code clientId} and
     * {@code clientIdSingle} are ever stored through {@link #storageService} here;
     * the SAML-backed client is resolved from elsewhere and needs no cleanup.
     */
    @AfterMethod
    public void tearDown() throws IOException {
        removeMetadata(this.storageService, this.clientId);
        removeMetadata(this.storageService, this.clientIdSingle);
    }

    /**
     * Wrong client secret and no client metadata stored: the request must be
     * rejected with {@code invalid_client}. The token in the body is valid, which
     * shows that client authentication is what decides the outcome here.
     */
    @Test
    public void testUntrustedClient() throws IOException, NoSuchAlgorithmException, URISyntaxException, DataSealerException, ComponentInitializationException {
        setBasicAuth(this.clientId, this.clientSecret + "bad");
        setHttpFormRequest("POST", Collections.singletonMap("token", super.buildToken(this.clientId, "sub", Scope.parse("openid")).toJSONObject().getAsString("access_token")));
        assertErrorCode(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext), "invalid_client");
    }

    /**
     * Registered client, wrong secret: still {@code invalid_client}. Unlike token
     * problems (see the {@code testSuccess*} tests), an authentication failure is
     * reported to the caller.
     */
    @Test
    public void testFailedAuthentication() throws IOException, NoSuchAlgorithmException, URISyntaxException, DataSealerException, ComponentInitializationException {
        setBasicAuth(this.clientId, this.clientSecret + "X");
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, new String[0]);
        setHttpFormRequest("POST", Collections.singletonMap("token", super.buildLegacyToken(this.clientId, "sub", Scope.parse("openid"), "mail").toJSONObject().getAsString("access_token")));
        assertErrorCode(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext), "invalid_client");
    }

    /**
     * Correct secret but no metadata written by this test; the call still succeeds.
     * NOTE(review): the client must therefore be resolvable from somewhere else in
     * the testbed configuration -- confirm, since this test cannot show where.
     */
    @Test
    public void testSuccessUnverified() throws IOException, NoSuchAlgorithmException, URISyntaxException, DataSealerException, ComponentInitializationException {
        setBasicAuth(this.clientId, this.clientSecret);
        setHttpFormRequest("POST", Collections.singletonMap("token", super.buildToken(this.clientId, "sub", Scope.parse("openid")).toJSONObject().getAsString("access_token")));
        parseSuccessResponse(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext), OAuth2RevocationSuccessResponse.class);
    }

    /**
     * Default client: revoking an access token records the second identifier in the
     * {@code AUTHORIZATION_CODE} context and leaves the first one out of the
     * single-token context. Presumably the two identifiers are the token's own id
     * and the id of the authorization code it was issued from, i.e. the whole grant
     * is revoked rather than this one token -- confirm against {@code buildToken}.
     */
    @Test
    public void testSuccess() throws IOException, NoSuchAlgorithmException, URISyntaxException, DataSealerException, ComponentInitializationException {
        String generateIdentifier = this.idGenerator.generateIdentifier();
        String generateIdentifier2 = this.idGenerator.generateIdentifier();
        setBasicAuth(this.clientId, this.clientSecret);
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, new String[0]);
        setHttpFormRequest("POST", Collections.singletonMap("token", super.buildToken(this.clientId, "sub", Scope.parse("openid"), null, generateIdentifier, generateIdentifier2).toJSONObject().getAsString("access_token")));
        parseSuccessResponse(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext), OAuth2RevocationSuccessResponse.class);
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS, generateIdentifier));
        Assert.assertTrue(this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE, generateIdentifier2));
    }

    /**
     * Single-token client, access token: only the presented token's identifier is
     * revoked; the authorization-code chain is left untouched (mirror image of
     * {@link #testSuccess()}).
     */
    @Test
    public void testSuccessSingleAccessToken() throws IOException, NoSuchAlgorithmException, URISyntaxException, DataSealerException, ComponentInitializationException {
        String generateIdentifier = this.idGenerator.generateIdentifier();
        String generateIdentifier2 = this.idGenerator.generateIdentifier();
        setBasicAuth(this.clientIdSingle, this.clientSecret);
        storeMetadata(this.storageService, this.clientIdSingle, this.clientSecret, this.scope, new String[0]);
        setHttpFormRequest("POST", Collections.singletonMap("token", super.buildToken(this.clientIdSingle, "sub", Scope.parse("openid"), null, generateIdentifier, generateIdentifier2).toJSONObject().getAsString("access_token")));
        parseSuccessResponse(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext), OAuth2RevocationSuccessResponse.class);
        Assert.assertTrue(this.revocationCache.isRevoked(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS, generateIdentifier));
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE, generateIdentifier2));
    }

    /** Same as {@link #testSuccessSingleAccessToken()} but the presented token is a refresh token. */
    @Test
    public void testSuccessSingleRefreshToken() throws IOException, NoSuchAlgorithmException, URISyntaxException, DataSealerException, ComponentInitializationException {
        String generateIdentifier = this.idGenerator.generateIdentifier();
        String generateIdentifier2 = this.idGenerator.generateIdentifier();
        setBasicAuth(this.clientIdSingle, this.clientSecret);
        storeMetadata(this.storageService, this.clientIdSingle, this.clientSecret, this.scope, new String[0]);
        setHttpFormRequest("POST", Collections.singletonMap("token", super.buildRefreshToken(this.clientIdSingle, "sub", Scope.parse("openid"), null, generateIdentifier, generateIdentifier2).toJSONObject().getAsString("refresh_token")));
        parseSuccessResponse(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext), OAuth2RevocationSuccessResponse.class);
        Assert.assertTrue(this.revocationCache.isRevoked(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS, generateIdentifier));
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE, generateIdentifier2));
    }

    /**
     * Single-token client presenting a refresh token whose second timestamp lies
     * 120 s in the past (presumably its expiry -- confirm the parameter order of
     * {@code buildRefreshToken}). Nothing is written to the cache, yet the response
     * is still a success: an expired token needs no revocation record, and the
     * caller must not be able to tell an expired token from a live one.
     */
    @Test
    public void testSuccessSingleChainExpiredRefreshToken_notRevoked() throws IOException, NoSuchAlgorithmException, URISyntaxException, DataSealerException, ComponentInitializationException {
        String generateIdentifier = this.idGenerator.generateIdentifier();
        String generateIdentifier2 = this.idGenerator.generateIdentifier();
        setBasicAuth(this.clientIdSingle, this.clientSecret);
        storeMetadata(this.storageService, this.clientIdSingle, this.clientSecret, this.scope, new String[0]);
        setHttpFormRequest("POST", Collections.singletonMap("token", super.buildRefreshToken(this.clientIdSingle, "sub", Scope.parse("openid"), null, generateIdentifier, generateIdentifier2, Instant.now(), Instant.now().minusSeconds(120L)).toJSONObject().getAsString("refresh_token")));
        parseSuccessResponse(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext), OAuth2RevocationSuccessResponse.class);
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS, generateIdentifier));
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE, generateIdentifier2));
    }

    /** Client registered through SAML metadata (credentials come from the base class); no metadata is stored here. */
    @Test
    public void testSuccessWithSamlMetadata() throws NoSuchAlgorithmException, URISyntaxException, DataSealerException, ComponentInitializationException {
        setBasicAuth(this.clientIdSaml, this.clientSecretSaml);
        setHttpFormRequest("POST", Collections.singletonMap("token", super.buildToken(this.clientIdSaml, "sub", Scope.parse("openid")).toJSONObject().getAsString("access_token")));
        parseSuccessResponse(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext), OAuth2RevocationSuccessResponse.class);
    }

    /** Legacy-format access token is still accepted by the endpoint. */
    @Test
    public void testSuccessWithLegacyToken() throws IOException, NoSuchAlgorithmException, URISyntaxException, DataSealerException, ComponentInitializationException, ParseException {
        setBasicAuth(this.clientId, this.clientSecret);
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, new String[0]);
        setHttpFormRequest("POST", Collections.singletonMap("token", super.buildLegacyToken(this.clientId, "sub", Scope.parse("openid"), new String[0]).toJSONObject().getAsString("access_token")));
        parseSuccessResponse(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext), OAuth2RevocationSuccessResponse.class);
    }

    /** Legacy-format access token carrying a consented claim ("mail") is still accepted by the endpoint. */
    @Test
    public void testSuccessWithLegacyConsentToken() throws IOException, NoSuchAlgorithmException, URISyntaxException, DataSealerException, ComponentInitializationException, ParseException {
        setBasicAuth(this.clientId, this.clientSecret);
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, new String[0]);
        setHttpFormRequest("POST", Collections.singletonMap("token", super.buildLegacyToken(this.clientId, "sub", Scope.parse("openid"), "mail").toJSONObject().getAsString("access_token")));
        parseSuccessResponse(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext), OAuth2RevocationSuccessResponse.class);
    }

    /**
     * Hook for the inherited JWT client-authentication tests: registers the client
     * either with a shared secret (no public key given) or with the supplied public
     * key and no secret, then posts a valid access token together with the client
     * assertion parameters derived from {@code jwt}.
     *
     * @param jwt the client assertion to present
     * @param jWSAlgorithm the assertion algorithm to register for the client
     * @param clientAuthenticationMethod the authentication method to register for the client
     * @param publicKey the client's public key, or null to register a secret-based client
     * @return the flow execution result for the inherited test to inspect
     */
    @Override // net.shibboleth.idp.plugin.oidc.op.profile.flow.AbstractOidcClientAuthenticationFlowTest
    protected FlowExecutionResult launchWithJwtAuthentication(JWT jwt, JWSAlgorithm jWSAlgorithm, ClientAuthenticationMethod clientAuthenticationMethod, PublicKey publicKey) throws Exception {
        if (publicKey == null) {
            storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, jWSAlgorithm, clientAuthenticationMethod, new String[0]);
        } else {
            // Public-key client: no secret is registered at all.
            storeMetadata(this.storageService, this.clientId, (String) null, this.scope, jWSAlgorithm, clientAuthenticationMethod, (JWSAlgorithm) null, publicKey, new String[0]);
        }
        String asString = super.buildToken(this.clientId, "sub", Scope.parse("openid")).toJSONObject().getAsString("access_token");
        HashMap hashMap = new HashMap();
        hashMap.put("token", asString);
        populateClientAssertionParams(hashMap, jwt);
        setHttpFormRequest("POST", hashMap);
        return this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext);
    }

    /**
     * Error code and description the inherited tests expect when a client assertion
     * fails validation on this flow. (The method name's spelling is fixed by the
     * base class.)
     */
    @Override // net.shibboleth.idp.plugin.oidc.op.profile.flow.AbstractOidcClientAuthenticationFlowTest
    protected Pair<String, String> getErrorDetaisForJWTValidation() {
        return new Pair<>("invalid_client", "Client authentication failed");
    }

    /**
     * JWT-format access token for this client with no {@code aud}: success.
     * NOTE(review): the form parameter sent alongside is {@code token_type}, not
     * RFC 7009's {@code token_type_hint}; presumably the server ignores it --
     * confirm, and consider sending the standard name instead.
     */
    @Test
    public void testSuccessJWTNoAudience() throws JOSEException, IOException {
        setBasicAuth(this.clientId, this.clientSecret);
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, new String[0]);
        setHttpFormRequest("POST", Map.of("token", buildJWTToken(this.clientId, "sub", this.scope, null, this.signingKey.getPrivateKey(), "RS256").toJSONObject().getAsString("access_token"), "token_type", "access_token"));
        parseSuccessResponse(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext), OAuth2RevocationSuccessResponse.class);
    }

    /** JWT access token issued to another client but whose {@code aud} includes this client: success. */
    @Test
    public void testSuccessJWTAudience() throws JOSEException, IOException {
        setBasicAuth(this.clientId, this.clientSecret);
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, new String[0]);
        setHttpFormRequest("POST", Map.of("token", buildJWTToken("https://sp2.example.org", "sub", this.scope, List.of("https://sp.example.org", this.clientId), this.signingKey.getPrivateKey(), "RS256").toJSONObject().getAsString("access_token"), "token_type", "access_token"));
        parseSuccessResponse(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext), OAuth2RevocationSuccessResponse.class);
    }

    /**
     * JWT access token whose {@code exp} is 200 s in the past: the response is still
     * a success, so expiry is not observable through this endpoint.
     */
    @Test
    public void testSuccessJWTExpired() throws JOSEException, IOException {
        setBasicAuth(this.clientId, this.clientSecret);
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, new String[0]);
        setHttpFormRequest("POST", Map.of("token", buildJWTToken((AccessTokenClaimsSet) new AccessTokenClaimsSet.Builder().setJWTID(this.idGenerator).setClientID(new ClientID(this.clientId)).setIssuer("https://op.example.org").setSubject(this.clientId).setIssuedAt(Instant.now().minusSeconds(300L)).setNotBefore(Instant.now().minusSeconds(300L)).setExpiresAt(Instant.now().minusSeconds(200L)).setAuthenticationTime(Instant.now()).setScope(this.scope).build(), this.signingKey.getPrivateKey(), "RS256").toJSONObject().getAsString("access_token"), "token_type", "access_token"));
        parseSuccessResponse(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext), OAuth2RevocationSuccessResponse.class);
    }

    /**
     * JWT access token issued to a third client and whose {@code aud} does not
     * include this client: the response is still a success (no information about
     * the foreign token leaks to the caller).
     * TODO(review): this only pins the response shape. Nothing asserts that the
     * foreign token was left alone in the revocation cache; add such a check once
     * the cache context used for JWT access tokens is known.
     */
    @Test
    public void testSuccessJWTNotAuthorized() throws JOSEException, IOException {
        setBasicAuth(this.clientId, this.clientSecret);
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, new String[0]);
        setHttpFormRequest("POST", Map.of("token", buildJWTToken("https://sp3.example.org", "sub", this.scope, List.of("https://sp.example.org", "https://sp2.example.org"), this.signingKey.getPrivateKey(), "RS256").toJSONObject().getAsString("access_token"), "token_type", "access_token"));
        parseSuccessResponse(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext), OAuth2RevocationSuccessResponse.class);
    }

    /**
     * JWT access token signed with a key ({@code rsaPrivateKey}, from the base class)
     * that is not the OP's signing key: still a success response, so a forged token
     * cannot be probed for validity here.
     * TODO(review): as in {@link #testSuccessJWTNotAuthorized()}, nothing asserts
     * that the unverifiable token was not recorded as revoked.
     */
    @Test
    public void testSuccessJWTWrongKey() throws JOSEException, IOException {
        setBasicAuth(this.clientId, this.clientSecret);
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, new String[0]);
        setHttpFormRequest("POST", Map.of("token", buildJWTToken(this.clientId, "sub", this.scope, null, this.rsaPrivateKey, "RS256").toJSONObject().getAsString("access_token"), "token_type", "access_token"));
        parseSuccessResponse(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext), OAuth2RevocationSuccessResponse.class);
    }

    /** Success check used by the inherited tests: the result must parse as a revocation success response. */
    @Override // net.shibboleth.idp.plugin.oidc.op.profile.flow.AbstractOidcClientAuthenticationFlowTest
    protected void assertSuccessResponse(FlowExecutionResult flowExecutionResult) {
        Assert.assertNotNull(parseSuccessResponse(flowExecutionResult, OAuth2RevocationSuccessResponse.class));
    }
}
