package net.shibboleth.idp.plugin.oidc.op.admin.impl;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.github.jasminb.jsonapi.models.errors.Error;
import com.github.jasminb.jsonapi.models.errors.Errors;
import com.nimbusds.oauth2.sdk.AccessTokenResponse;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import java.io.UnsupportedEncodingException;
import java.security.NoSuchAlgorithmException;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.shibboleth.idp.plugin.oidc.op.profile.impl.BaseOIDCResponseActionTest;
import net.shibboleth.idp.plugin.oidc.op.token.support.RegistrationClaimsSet;
import net.shibboleth.idp.profile.context.navigate.WebflowRequestContextProfileRequestContextLookup;
import net.shibboleth.idp.profile.testing.ActionTestingSupport;
import net.shibboleth.idp.profile.testing.RequestContextBuilder;
import net.shibboleth.oidc.metadata.policy.MetadataPolicy;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.logic.FunctionSupport;
import net.shibboleth.utilities.java.support.primitive.NonnullSupplier;
import net.shibboleth.utilities.java.support.security.AccessControl;
import net.shibboleth.utilities.java.support.security.AccessControlService;
import net.shibboleth.utilities.java.support.security.DataSealer;
import net.shibboleth.utilities.java.support.security.DataSealerException;
import org.opensaml.profile.context.ProfileRequestContext;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.webflow.execution.RequestContext;
import org.testng.Assert;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/admin/impl/IssueRegistrationAccessTokenTest.class */
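/**
 * Unit tests for {@link IssueRegistrationAccessToken}, the action that issues a sealed bearer token
 * for the registration endpoint.
 *
 * <p>The tests cover three areas: component initialization with a missing collaborator, HTTP 400
 * responses when no usable metadata policy can be resolved, and the claims of a token issued on
 * the success path. A token is checked by unwrapping it with the same {@link DataSealer} handed
 * to the action.</p>
 *
 * <p>NOTE(review): access control is backed by {@link MockAccessControlService}, and every test
 * here requests only the one policy id / client id pair that the mock grants. The deny path
 * therefore has no coverage in this class. A negative test is worth adding: request a policy id
 * or client id the mock rejects and assert that no {@link AccessTokenResponse} ends up in the
 * outbound message context.</p>
 */
public class IssueRegistrationAccessTokenTest {
    /** Action under test; rebuilt before every test method. */
    private IssueRegistrationAccessToken action;
    private RequestContext requestCtx;
    private ProfileRequestContext prc;
    /** Sealer shared by the action (wrap) and {@link #validateToken} (unwrap). */
    private DataSealer dataSealer;
    private ObjectMapper objectMapper;
    private AccessControlService accessControlService;
    private String issuer = "mockIssuer";
    /** The only resource for which the mock grants "read" under the policy-id policy. */
    private String relyingPartyId = "tokenRpId";
    /** The only resource for which the mock grants "write" under the client-id policy. */
    private String clientId = "mockClient";
    /** ISO-8601 duration placed in flow scope as the requested token lifetime (one day). */
    private String lifetime = "P1D";
    private MockHttpServletRequest httpRequest;
    private MockHttpServletResponse httpResponse;

    /**
     * Access control stub that allows exactly two (policy, operation, resource) combinations and
     * denies everything else, including any lookup under "policyLocationPolicy".
     */
    private class MockAccessControlService implements AccessControlService {
        private MockAccessControlService() {
        }

        public boolean isInitialized() {
            return true;
        }

        public void initialize() throws ComponentInitializationException {
        }

        public String getId() {
            return "mockACS";
        }

        /**
         * Returns an {@link AccessControl} bound to the named policy.
         *
         * @param policyName name of the access control policy being consulted
         * @return a checker that grants "read" on the test relying party id under
         *         "policyIdPolicy" and "write" on the test client id under "clientIdPolicy"
         */
        public AccessControl getInstance(final String policyName) {
            return new AccessControl() {
                public boolean checkAccess(ServletRequest request, String operation, String resource) {
                    if ("read".equals(operation)) {
                        return "policyIdPolicy".equals(policyName)
                                && IssueRegistrationAccessTokenTest.this.relyingPartyId.equals(resource);
                    }
                    // Default deny: anything that is not the single permitted write is refused.
                    return "write".equals(operation)
                            && "clientIdPolicy".equals(policyName)
                            && IssueRegistrationAccessTokenTest.this.clientId.equals(resource);
                }
            };
        }
    }

    /** Creates the shared access control stub once for the whole class. */
    @BeforeClass
    public void initOnce() {
        this.accessControlService = new MockAccessControlService();
    }

    /**
     * Builds a fully configured, initialized action plus fresh request and profile contexts.
     *
     * @throws ComponentInitializationException if the action fails to initialize
     * @throws NoSuchAlgorithmException if the test data sealer cannot be created
     */
    @BeforeMethod
    public void init() throws ComponentInitializationException, NoSuchAlgorithmException {
        this.dataSealer = BaseOIDCResponseActionTest.initializeDataSealer();
        this.objectMapper = new ObjectMapper();
        this.action = new IssueRegistrationAccessToken();
        this.action.setObjectMapper(this.objectMapper);
        this.action.setMetadataPolicyLookupStrategy(FunctionSupport.constant(defaultMetadataPolicy()));
        this.action.setSealer(this.dataSealer);
        this.action.setAccessControlService(this.accessControlService);
        // These names must match the literals checked in MockAccessControlService.
        this.action.setPolicyLocationPolicyName("policyLocationPolicy");
        this.action.setPolicyIdPolicyName("policyIdPolicy");
        this.action.setClientIdPolicyName("clientIdPolicy");
        this.action.setIssuerLookupStrategy(FunctionSupport.constant(this.issuer));
        initRequestResponse();
        this.action.initialize();
        this.requestCtx = new RequestContextBuilder().buildRequestContext();
        this.prc = new WebflowRequestContextProfileRequestContextLookup().apply(this.requestCtx);
    }

    /**
     * Installs fresh mock servlet request/response objects on the current action.
     *
     * <p>The suppliers must implement {@code get()}. The decompiled listing named these methods
     * {@code m0get}/{@code m1get}, which leaves the supplier's abstract method unimplemented.</p>
     */
    protected void initRequestResponse() {
        this.httpRequest = new MockHttpServletRequest();
        this.action.setHttpServletRequestSupplier(new NonnullSupplier<HttpServletRequest>() {
            public HttpServletRequest get() {
                return IssueRegistrationAccessTokenTest.this.httpRequest;
            }
        });
        this.httpResponse = new MockHttpServletResponse();
        this.action.setHttpServletResponseSupplier(new NonnullSupplier<HttpServletResponse>() {
            public HttpServletResponse get() {
                return IssueRegistrationAccessTokenTest.this.httpResponse;
            }
        });
    }

    /**
     * Builds the metadata policy the success-path tests expect to find inside the issued token.
     *
     * @return a single-entry map: "claim1" with an "add" value of "addValue"
     */
    protected Map<String, MetadataPolicy> defaultMetadataPolicy() {
        Map<String, MetadataPolicy> policies = new HashMap<>();
        policies.put("claim1", new MetadataPolicy.Builder().withAdd("addValue").build());
        return policies;
    }

    /**
     * Initialization must fail when no data sealer is configured.
     *
     * <p>NOTE(review): unlike {@link #init()}, this action also has no servlet request/response
     * suppliers installed, so the expected exception is not provably caused by the missing sealer.
     * Confirm against the action's initialization checks. The same applies to the two tests that
     * follow.</p>
     */
    @Test(expectedExceptions = {ComponentInitializationException.class})
    public void testNoSealer() throws ComponentInitializationException {
        this.action = new IssueRegistrationAccessToken();
        this.action.setObjectMapper(this.objectMapper);
        this.action.setAccessControlService(this.accessControlService);
        this.action.setMetadataPolicyLookupStrategy(FunctionSupport.constant(defaultMetadataPolicy()));
        this.action.setIssuerLookupStrategy(FunctionSupport.constant(this.issuer));
        this.action.initialize();
    }

    /** Initialization must fail when no object mapper is configured. */
    @Test(expectedExceptions = {ComponentInitializationException.class})
    public void testNoObjectMapper() throws ComponentInitializationException {
        this.action = new IssueRegistrationAccessToken();
        this.action.setSealer(this.dataSealer);
        this.action.setAccessControlService(this.accessControlService);
        this.action.setMetadataPolicyLookupStrategy(FunctionSupport.constant(defaultMetadataPolicy()));
        this.action.setIssuerLookupStrategy(FunctionSupport.constant(this.issuer));
        this.action.initialize();
    }

    /** Initialization must fail when no metadata policy lookup strategy is configured. */
    @Test(expectedExceptions = {ComponentInitializationException.class})
    public void testNoMetadataPolicyLookup() throws ComponentInitializationException {
        this.action = new IssueRegistrationAccessToken();
        this.action.setSealer(this.dataSealer);
        this.action.setObjectMapper(this.objectMapper);
        this.action.setAccessControlService(this.accessControlService);
        this.action.setIssuerLookupStrategy(FunctionSupport.constant(this.issuer));
        this.action.initialize();
    }

    /** With neither a resolvable metadata policy nor a policy id, the action must answer 400. */
    @Test
    public void testNoMetadataPolicyNorId() throws ComponentInitializationException, JsonMappingException, JsonProcessingException, UnsupportedEncodingException {
        this.action = new IssueRegistrationAccessToken();
        this.action.setSealer(this.dataSealer);
        this.action.setObjectMapper(this.objectMapper);
        this.action.setAccessControlService(this.accessControlService);
        // Strategy that always resolves to "no policy"; an (Object) cast here would not type-check
        // against a setter that accepts the Map-returning strategy used in init().
        this.action.setMetadataPolicyLookupStrategy(FunctionSupport.constant(null));
        this.action.setIssuerLookupStrategy(FunctionSupport.constant(this.issuer));
        initRequestResponse();
        this.action.initialize();
        this.requestCtx.getFlowScope().put("tokenLifetime", this.lifetime);
        ActionTestingSupport.assertProceedEvent(this.action.execute(this.requestCtx));
        assertErrorResponse(400, "Invalid Request");
    }

    /** A policy location that does not resolve to a policy must also produce a 400 response. */
    @Test
    public void testInvalidMetadataPolicyLocation() throws ComponentInitializationException, JsonMappingException, JsonProcessingException, UnsupportedEncodingException {
        this.action = new IssueRegistrationAccessToken();
        this.action.setSealer(this.dataSealer);
        this.action.setObjectMapper(this.objectMapper);
        this.action.setAccessControlService(this.accessControlService);
        this.action.setPolicyLocationLookupStrategy(FunctionSupport.constant("not_existing_location"));
        this.action.setMetadataPolicyLookupStrategy(FunctionSupport.constant(null));
        this.action.setIssuerLookupStrategy(FunctionSupport.constant(this.issuer));
        initRequestResponse();
        this.action.initialize();
        this.requestCtx.getFlowScope().put("tokenLifetime", this.lifetime);
        ActionTestingSupport.assertProceedEvent(this.action.execute(this.requestCtx));
        assertErrorResponse(400, "Invalid Request");
    }

    /**
     * No lifetime in flow scope: a token is still issued.
     *
     * <p>{@link #validateToken} expects a one-day expiry here as well, so the action presumably
     * falls back to a one-day default lifetime - confirm against the action.</p>
     */
    @Test
    public void testNoTokenLifetime() throws DataSealerException, JsonMappingException, JsonProcessingException {
        this.requestCtx.getFlowScope().put("policyId", this.relyingPartyId);
        ActionTestingSupport.assertProceedEvent(this.action.execute(this.requestCtx));
        validateToken(this.relyingPartyId, null);
    }

    /** Lifetime only: the token carries neither a relying party id nor a client id. */
    @Test
    public void testSuccessNoPolicyId() throws DataSealerException, JsonMappingException, JsonProcessingException {
        this.requestCtx.getFlowScope().put("tokenLifetime", this.lifetime);
        ActionTestingSupport.assertProceedEvent(this.action.execute(this.requestCtx));
        validateToken(null, null);
    }

    /** Lifetime plus a permitted policy id: the token is bound to that relying party id. */
    @Test
    public void testSuccessWithPolicyId() throws DataSealerException, JsonMappingException, JsonProcessingException {
        this.requestCtx.getFlowScope().put("tokenLifetime", this.lifetime);
        this.requestCtx.getFlowScope().put("policyId", this.relyingPartyId);
        ActionTestingSupport.assertProceedEvent(this.action.execute(this.requestCtx));
        validateToken(this.relyingPartyId, null);
    }

    /** Permitted policy id and client id: the token is bound to both. */
    @Test
    public void testSuccessWithClientIdPolicyId() throws DataSealerException, JsonMappingException, JsonProcessingException {
        this.requestCtx.getFlowScope().put("tokenLifetime", this.lifetime);
        this.requestCtx.getFlowScope().put("policyId", this.relyingPartyId);
        this.requestCtx.getFlowScope().put("clientId", this.clientId);
        ActionTestingSupport.assertProceedEvent(this.action.execute(this.requestCtx));
        validateToken(this.relyingPartyId, this.clientId);
    }

    /**
     * Unwraps the issued bearer token and checks every claim that scopes or bounds it.
     *
     * @param expectedRelyingPartyId relying party id the token must carry, or {@code null}
     * @param expectedClientId client id the token must carry, or {@code null}
     * @throws DataSealerException if the token cannot be unwrapped with the test sealer
     * @throws JsonMappingException if the unwrapped payload does not map to the claims set
     * @throws JsonProcessingException if the unwrapped payload is not valid JSON
     */
    protected void validateToken(String expectedRelyingPartyId, String expectedClientId) throws DataSealerException, JsonMappingException, JsonProcessingException {
        // Sampled after execute(); the five-second skew in assertInstantWithSkew absorbs the gap.
        Instant now = Instant.now();
        Object message = this.prc.getOutboundMessageContext().getMessage();
        Assert.assertNotNull(message);
        Assert.assertTrue(message instanceof AccessTokenResponse);
        AccessTokenResponse accessTokenResponse = (AccessTokenResponse) message;
        Assert.assertNotNull(accessTokenResponse.getTokens());
        BearerAccessToken bearerAccessToken = accessTokenResponse.getTokens().getBearerAccessToken();
        Assert.assertNotNull(bearerAccessToken);

        // A successful unwrap shows the token was sealed with the sealer configured on the action.
        String unsealed = this.dataSealer.unwrap(bearerAccessToken.getValue());
        RegistrationClaimsSet claims = this.objectMapper.readValue(unsealed, RegistrationClaimsSet.class);

        Assert.assertEquals(claims.getKeyType(), "rt");
        Assert.assertNotNull(claims.getJti());
        Assert.assertEquals(claims.getIssuer(), this.issuer);
        // Scope binding: the token must carry exactly the identifiers that were authorized.
        Assert.assertEquals(claims.getRelyingPartyId(), expectedRelyingPartyId);
        Assert.assertEquals(claims.getClientId(), expectedClientId);

        Map<?, ?> metadata = claims.getMetadata();
        Assert.assertNotNull(metadata);
        Assert.assertEquals(metadata.size(), 1);
        Assert.assertTrue(metadata.containsKey("claim1"));
        Assert.assertEquals(((MetadataPolicy) metadata.get("claim1")).getAdd(), "addValue");

        // Time bounds: issued "now" and expiring one day later.
        assertInstantWithSkew(claims.getIssuedAt(), now);
        assertInstantWithSkew(claims.getExpiration(), now.plus(Duration.ofDays(1L)));
    }

    /**
     * Asserts that {@code instant} lies strictly within five seconds of {@code instant2}.
     *
     * @param instant the value under test
     * @param instant2 the expected value
     */
    protected void assertInstantWithSkew(Instant instant, Instant instant2) {
        Duration skew = Duration.ofSeconds(5L);
        Assert.assertTrue(instant.isAfter(instant2.minus(skew)), "instant is earlier than the allowed skew");
        Assert.assertTrue(instant.isBefore(instant2.plus(skew)), "instant is later than the allowed skew");
    }

    /**
     * Asserts that the mock HTTP response carries exactly one JSON:API error with the given
     * status and title.
     *
     * @param i expected HTTP status, also expected as the status of the error object
     * @param str expected error title
     * @throws UnsupportedEncodingException if the response body cannot be decoded
     * @throws JsonMappingException if the body does not map to an errors document
     * @throws JsonProcessingException if the body is not valid JSON
     */
    protected void assertErrorResponse(int i, String str) throws UnsupportedEncodingException, JsonMappingException, JsonProcessingException {
        Assert.assertEquals(this.httpResponse.getStatus(), i);
        // A fresh mapper keeps this check independent of the one configured on the action.
        Errors errors = new ObjectMapper().readerFor(Errors.class).readValue(this.httpResponse.getContentAsString());
        Assert.assertNotNull(errors);
        Assert.assertNotNull(errors.getErrors());
        Assert.assertEquals(errors.getErrors().size(), 1);
        Error error = errors.getErrors().get(0);
        Assert.assertNotNull(error);
        Assert.assertEquals(error.getStatus(), i);
        Assert.assertEquals(error.getTitle(), str);
    }
}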
