package net.shibboleth.idp.plugin.oidc.op.oauth2.profile.impl;

import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import net.shibboleth.idp.plugin.oidc.op.oauth2.messaging.context.OAuth2TokenMgmtResponseContext;
import net.shibboleth.idp.plugin.oidc.op.storage.RevocationCacheContexts;
import net.shibboleth.idp.plugin.oidc.op.token.support.AccessTokenClaimsSet;
import net.shibboleth.idp.plugin.oidc.op.token.support.AuthorizeCodeClaimsSet;
import net.shibboleth.idp.plugin.oidc.op.token.support.RefreshTokenClaimsSet;
import net.shibboleth.idp.plugin.oidc.op.token.support.testing.BaseTokenClaimsSetTest;
import net.shibboleth.idp.profile.context.navigate.WebflowRequestContextProfileRequestContextLookup;
import net.shibboleth.idp.profile.testing.ActionTestingSupport;
import net.shibboleth.idp.profile.testing.RequestContextBuilder;
import net.shibboleth.oidc.profile.oauth2.config.OAuth2TokenRevocationConfiguration;
import net.shibboleth.utilities.java.support.security.impl.SecureRandomIdentifierGenerationStrategy;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.storage.RevocationCache;
import org.opensaml.storage.impl.MemoryStorageService;
import org.springframework.webflow.execution.RequestContext;
import org.testng.Assert;
import org.testng.annotations.AfterMethod;
import org.testng.annotations.Test;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/oauth2/profile/impl/RevokeTokenTest.class */
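/**
 * Unit tests for {@link RevokeToken}.
 *
 * <p>The tests drive the action with the two revocation methods visible here,
 * {@code CHAIN} and {@code TOKEN}, and check which {@link RevocationCache} context
 * receives the revocation entry and under which key:</p>
 * <ul>
 * <li>{@code CHAIN}: the entry is expected in {@link RevocationCacheContexts#AUTHORIZATION_CODE},
 * keyed by the root token identifier when one is set on the token and by the token's own
 * identifier otherwise.</li>
 * <li>{@code TOKEN}: the entry is expected in
 * {@link RevocationCacheContexts#SINGLE_ACCESS_OR_REFRESH_TOKENS}, keyed by the token's own
 * identifier whether or not a root token identifier is set.</li>
 * </ul>
 *
 * <p>Every positive test also asserts that the <em>other</em> context stays empty, so a
 * regression that widens or narrows the scope of a revocation fails the test.</p>
 *
 * <p>Fixtures are built by the {@code setUp} overloads, which each test calls explicitly
 * because they take per-test arguments; only {@link #tearDown()} is run by TestNG.</p>
 */
public class RevokeTokenTest extends BaseTokenClaimsSetTest {

    /** Action under test. */
    private RevokeToken action;

    /** In-memory storage backing the revocation cache. */
    private MemoryStorageService storageService;

    /** Access token claims set derived from the authorization code built in {@code setUp}. */
    private AccessTokenClaimsSet atClaimsSet;

    /** Refresh token claims set derived from the authorization code built in {@code setUp}. */
    private RefreshTokenClaimsSet rfClaimsSet;

    /** Revocation cache handed to the action and inspected by the assertions. */
    private RevocationCache revocationCache;

    /** Webflow request context passed to {@code action.execute}. */
    private RequestContext src;

    /** Profile request context looked up from {@link #src}. */
    private ProfileRequestContext prc;

    /** Outbound subcontext that carries the token claims set to be revoked. */
    private OAuth2TokenMgmtResponseContext tokenCtx;

    /**
     * Builds the fixture with the expiration instant inherited from the test base ({@code exp}).
     *
     * @param method revocation method the action's lookup strategy returns
     * @param rootTokenId root token identifier to set on both tokens, or {@code null} for none
     * @throws Exception if a component fails to initialize
     */
    protected void setUp(OAuth2TokenRevocationConfiguration.OAuth2TokenRevocationMethod method, String rootTokenId)
            throws Exception {
        setUp(method, rootTokenId, this.exp);
    }

    /**
     * Builds the storage service, revocation cache, token claims sets, the action and the
     * request contexts used by a single test.
     *
     * @param method revocation method the action's lookup strategy returns
     * @param rootTokenId root token identifier to set on both tokens, or {@code null} for none
     * @param expiresAt expiration instant used for the authorization code and both tokens
     * @throws Exception if a component fails to initialize
     */
    protected void setUp(OAuth2TokenRevocationConfiguration.OAuth2TokenRevocationMethod method, String rootTokenId,
            Instant expiresAt) throws Exception {
        this.storageService = new MemoryStorageService();
        this.storageService.setId("test");
        this.storageService.initialize();

        this.revocationCache = new RevocationCache();
        this.revocationCache.setId("mockCache");
        this.revocationCache.setEntryExpiration(Duration.ofHours(1L));
        this.revocationCache.setStorage(this.storageService);
        this.revocationCache.initialize();

        // Both tokens are derived from the same authorization code claims set.
        AuthorizeCodeClaimsSet authzCode = new AuthorizeCodeClaimsSet.Builder()
                .setJWTID(new SecureRandomIdentifierGenerationStrategy())
                .setClientID(this.clientID)
                .setIssuer(this.issuer)
                .setPrincipal(this.userPrincipal)
                .setSubject(this.subject)
                .setIssuedAt(this.iat)
                .setExpiresAt(expiresAt)
                .setAuthenticationTime(this.authTime)
                .setRedirectURI(this.redirectURI)
                .setScope(this.scope)
                .build();
        this.atClaimsSet = new AccessTokenClaimsSet.Builder(authzCode, this.scope, this.dlClaims, this.dlClaimsUI,
                this.iat, expiresAt).setRootTokenIdentifier(rootTokenId).build();
        this.rfClaimsSet = new RefreshTokenClaimsSet.Builder(authzCode, this.iat, expiresAt)
                .setRootTokenIdentifier(rootTokenId).build();

        this.action = new RevokeToken();
        this.action.setRevocationCache(this.revocationCache);
        // Fixed lookup strategies: the method under test and a one hour chain revocation lifetime.
        this.action.setRevocationMethodLookupStrategy(ignored -> method);
        this.action.setChainRevocationLifetimeLookupStrategy(ignored -> Duration.ofHours(1L));
        this.action.initialize();

        this.src = new RequestContextBuilder().buildRequestContext();
        this.prc = new WebflowRequestContextProfileRequestContextLookup().apply(this.src);
        this.tokenCtx = this.prc.getOutboundMessageContext().getSubcontext(OAuth2TokenMgmtResponseContext.class, true);
    }

    /**
     * Destroys the components created by {@code setUp}.
     *
     * <p>Each reference is checked and cleared because {@code setUp} is called from inside the
     * test methods: if it throws part-way, some fields are still unset, and an exception thrown
     * here would be reported as a configuration failure on top of the real one.</p>
     */
    @AfterMethod
    protected void tearDown() {
        if (this.action != null) {
            this.action.destroy();
            this.action = null;
        }
        if (this.revocationCache != null) {
            this.revocationCache.destroy();
            this.revocationCache = null;
        }
        if (this.storageService != null) {
            this.storageService.destroy();
            this.storageService = null;
        }
    }

    /** CHAIN method with no token in the response context: the action proceeds. */
    @Test
    public void testChain_NoToken() throws Exception {
        setUp(OAuth2TokenRevocationConfiguration.OAuth2TokenRevocationMethod.CHAIN, null);
        ActionTestingSupport.assertProceedEvent(this.action.execute(this.src));
    }

    /** CHAIN method, access token without root identifier: the token's own id is revoked at chain level. */
    @Test
    public void testChain_RevokeAccessToken() throws Exception {
        setUp(OAuth2TokenRevocationConfiguration.OAuth2TokenRevocationMethod.CHAIN, null);
        // Precondition: nothing is revoked in either context.
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE,
                this.atClaimsSet.getID()));
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS,
                this.atClaimsSet.getID()));

        this.tokenCtx.setTokenClaimsSet(this.atClaimsSet.getClaimsSet());
        ActionTestingSupport.assertProceedEvent(this.action.execute(this.src));

        Assert.assertTrue(this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE,
                this.atClaimsSet.getID()));
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS,
                this.atClaimsSet.getID()));
    }

    /** CHAIN method, refresh token without root identifier: the token's own id is revoked at chain level. */
    @Test
    public void testChain_RevokeRefreshToken() throws Exception {
        setUp(OAuth2TokenRevocationConfiguration.OAuth2TokenRevocationMethod.CHAIN, null);
        // Precondition: nothing is revoked in either context.
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE,
                this.rfClaimsSet.getID()));
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS,
                this.rfClaimsSet.getID()));

        this.tokenCtx.setTokenClaimsSet(this.rfClaimsSet.getClaimsSet());
        ActionTestingSupport.assertProceedEvent(this.action.execute(this.src));

        Assert.assertTrue(this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE,
                this.rfClaimsSet.getID()));
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS,
                this.rfClaimsSet.getID()));
    }

    /** CHAIN method, access token with a root identifier: the root id, not the token id, is revoked. */
    @Test
    public void testChain_RevokeAccessTokenViaRootToken() throws Exception {
        String rootTokenId = new SecureRandomIdentifierGenerationStrategy().generateIdentifier();
        setUp(OAuth2TokenRevocationConfiguration.OAuth2TokenRevocationMethod.CHAIN, rootTokenId);
        // Precondition: neither the token id nor the root id is revoked.
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE,
                this.atClaimsSet.getID()));
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE, rootTokenId));
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS,
                this.atClaimsSet.getID()));

        this.tokenCtx.setTokenClaimsSet(this.atClaimsSet.getClaimsSet());
        ActionTestingSupport.assertProceedEvent(this.action.execute(this.src));

        // The chain-level entry must be keyed by the root identifier only.
        Assert.assertTrue(this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE, rootTokenId));
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE,
                this.atClaimsSet.getID()));
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS,
                this.atClaimsSet.getID()));
    }

    /** CHAIN method, refresh token with a root identifier: the root id, not the token id, is revoked. */
    @Test
    public void testChain_RevokeRefreshTokenViaRootToken() throws Exception {
        String rootTokenId = new SecureRandomIdentifierGenerationStrategy().generateIdentifier();
        setUp(OAuth2TokenRevocationConfiguration.OAuth2TokenRevocationMethod.CHAIN, rootTokenId);
        // Precondition: neither the token id nor the root id is revoked.
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE,
                this.rfClaimsSet.getID()));
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE, rootTokenId));
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS,
                this.rfClaimsSet.getID()));

        this.tokenCtx.setTokenClaimsSet(this.rfClaimsSet.getClaimsSet());
        ActionTestingSupport.assertProceedEvent(this.action.execute(this.src));

        // The chain-level entry must be keyed by the root identifier only.
        Assert.assertTrue(this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE, rootTokenId));
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE,
                this.rfClaimsSet.getID()));
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS,
                this.rfClaimsSet.getID()));
    }

    /** TOKEN method with no token in the response context: the action proceeds. */
    @Test
    public void testSingleToken_NoToken() throws Exception {
        setUp(OAuth2TokenRevocationConfiguration.OAuth2TokenRevocationMethod.TOKEN, null);
        ActionTestingSupport.assertProceedEvent(this.action.execute(this.src));
    }

    /** TOKEN method with an access token that expired ten minutes ago: the action signals an error event. */
    @Test
    public void testSingleToken_ExpiredAccessToken() throws Exception {
        setUp(OAuth2TokenRevocationConfiguration.OAuth2TokenRevocationMethod.TOKEN, null,
                Instant.now().minus(Duration.ofMinutes(10L)));
        this.tokenCtx.setTokenClaimsSet(this.atClaimsSet.getClaimsSet());
        // NOTE(review): only the event id is checked; the cache contents after the failed
        // attempt are not asserted. Consider pinning them once the intended behavior is confirmed.
        ActionTestingSupport.assertEvent(this.action.execute(this.src), "InvalidProfileConfiguration");
    }

    /** TOKEN method with a refresh token that expired ten minutes ago: the action signals an error event. */
    @Test
    public void testSingleToken_ExpiredRefreshToken() throws Exception {
        setUp(OAuth2TokenRevocationConfiguration.OAuth2TokenRevocationMethod.TOKEN, null,
                Instant.now().minus(Duration.ofMinutes(10L)));
        this.tokenCtx.setTokenClaimsSet(this.rfClaimsSet.getClaimsSet());
        // NOTE(review): only the event id is checked; the cache contents after the failed
        // attempt are not asserted. Consider pinning them once the intended behavior is confirmed.
        ActionTestingSupport.assertEvent(this.action.execute(this.src), "InvalidProfileConfiguration");
    }

    /** TOKEN method, access token without root identifier: only the single-token entry is written. */
    @Test
    public void testSingleToken_RevokeAccessToken() throws Exception {
        setUp(OAuth2TokenRevocationConfiguration.OAuth2TokenRevocationMethod.TOKEN, null);
        // Precondition: nothing is revoked in either context.
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS,
                this.atClaimsSet.getID()));
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE,
                this.atClaimsSet.getID()));

        this.tokenCtx.setTokenClaimsSet(this.atClaimsSet.getClaimsSet());
        ActionTestingSupport.assertProceedEvent(this.action.execute(this.src));

        Assert.assertTrue(this.revocationCache.isRevoked(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS,
                this.atClaimsSet.getID()));
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE,
                this.atClaimsSet.getID()));
    }

    /** TOKEN method, refresh token without root identifier: only the single-token entry is written. */
    @Test
    public void testSingleToken_RevokeRefreshToken() throws Exception {
        setUp(OAuth2TokenRevocationConfiguration.OAuth2TokenRevocationMethod.TOKEN, null);
        // Precondition: nothing is revoked in either context.
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS,
                this.rfClaimsSet.getID()));
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE,
                this.rfClaimsSet.getID()));

        this.tokenCtx.setTokenClaimsSet(this.rfClaimsSet.getClaimsSet());
        ActionTestingSupport.assertProceedEvent(this.action.execute(this.src));

        Assert.assertTrue(this.revocationCache.isRevoked(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS,
                this.rfClaimsSet.getID()));
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE,
                this.rfClaimsSet.getID()));
    }

    /** TOKEN method, access token with a root identifier: the chain-level entries stay untouched. */
    @Test
    public void testSingleToken_RevokeAccessTokenViaRootToken() throws Exception {
        String rootTokenId = new SecureRandomIdentifierGenerationStrategy().generateIdentifier();
        setUp(OAuth2TokenRevocationConfiguration.OAuth2TokenRevocationMethod.TOKEN, rootTokenId);
        // Precondition: neither the token id nor the root id is revoked.
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS,
                this.atClaimsSet.getID()));
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE,
                this.atClaimsSet.getID()));
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE, rootTokenId));

        this.tokenCtx.setTokenClaimsSet(this.atClaimsSet.getClaimsSet());
        ActionTestingSupport.assertProceedEvent(this.action.execute(this.src));

        // Single-token revocation must not write a chain-level entry for the token or its root.
        Assert.assertTrue(this.revocationCache.isRevoked(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS,
                this.atClaimsSet.getID()));
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE,
                this.atClaimsSet.getID()));
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE, rootTokenId));
    }

    /** TOKEN method, refresh token with a root identifier: the chain-level entries stay untouched. */
    @Test
    public void testSingleToken_RevokeRefreshTokenViaRootToken() throws Exception {
        String rootTokenId = new SecureRandomIdentifierGenerationStrategy().generateIdentifier();
        setUp(OAuth2TokenRevocationConfiguration.OAuth2TokenRevocationMethod.TOKEN, rootTokenId);
        // Precondition: neither the token id nor the root id is revoked.
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS,
                this.rfClaimsSet.getID()));
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE,
                this.rfClaimsSet.getID()));
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE, rootTokenId));

        this.tokenCtx.setTokenClaimsSet(this.rfClaimsSet.getClaimsSet());
        ActionTestingSupport.assertProceedEvent(this.action.execute(this.src));

        // Single-token revocation must not write a chain-level entry for the token or its root.
        Assert.assertTrue(this.revocationCache.isRevoked(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS,
                this.rfClaimsSet.getID()));
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE,
                this.rfClaimsSet.getID()));
        Assert.assertFalse(this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE, rootTokenId));
    }
}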
