package net.shibboleth.idp.plugin.oidc.op.profile.flow;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.oauth2.sdk.token.BearerTokenError;
import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
import com.nimbusds.openid.connect.sdk.claims.ClaimsSet;
import com.nimbusds.openid.connect.sdk.claims.UserInfo;
import java.io.IOException;
import java.net.URISyntaxException;
import java.security.NoSuchAlgorithmException;
import net.shibboleth.idp.plugin.oidc.op.profile.flow.AbstractIssuedJWTSecurityTest;
import net.shibboleth.idp.plugin.oidc.op.storage.RevocationCacheContexts;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.security.DataSealerException;
import org.opensaml.storage.RevocationCache;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.webflow.core.collection.MutableAttributeMap;
import org.springframework.webflow.executor.FlowExecutionResult;
import org.testng.Assert;
import org.testng.annotations.AfterMethod;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Factory;
import org.testng.annotations.Test;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/profile/flow/UserInfoTest.class */
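/**
 * Web-flow tests for the OIDC UserInfo endpoint ({@value #FLOW_ID}).
 *
 * <p>The cases cover the checks the endpoint makes before releasing claims: a bearer
 * token must be present and decodable, the client behind the token must be trusted,
 * the {@code openid} scope must be both carried by the token and registered for the
 * client, resolved claims (here {@code email}) are only released with stored consent,
 * claims embedded in the token itself are passed through, the response is a signed JWT
 * when the client registered a userinfo signing algorithm, and tokens revoked either
 * directly or through the authorization-code chain they descend from are rejected with
 * {@code invalid_token}.
 *
 * <p>Token construction ({@code buildToken}, {@code buildLegacyToken}) and metadata /
 * consent storage are inherited from {@link AbstractOidcApiFlowTest}.
 */
public class UserInfoTest extends AbstractOidcApiFlowTest {
    public static final String FLOW_ID = "oidc/userinfo";
    /** Client whose metadata the tests store and remove themselves. */
    final String clientId;
    /** Client for which nothing is stored here; presumably registered via SAML metadata in the test context. */
    final String clientIdSaml;
    /** Subject placed into the access tokens and expected back in the response. */
    final String subject;
    /** Scope registered for {@link #clientId} in the positive cases. */
    final Scope scope;

    @Autowired
    @Qualifier("shibboleth.oidc.RevocationCache")
    private RevocationCache revocationCache;

    public UserInfoTest() {
        super(FLOW_ID);
        this.clientId = "mockClientId";
        this.clientIdSaml = "mockSamlClientId";
        this.subject = "mockSubject";
        this.scope = Scope.parse("openid profile email");
    }

    /** Resets the request method and clears any metadata left over for {@link #clientId}. */
    @BeforeMethod
    public void init() throws IOException {
        this.request.setMethod("GET");
        removeMetadata(this.storageService, this.clientId);
    }

    @AfterMethod
    public void tearDown() throws IOException {
        removeMetadata(this.storageService, this.clientId);
    }

    /** Launches the userinfo flow against the current mock request. */
    private FlowExecutionResult launch() {
        // explicit null cast disambiguates the launchExecution overloads
        return this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext);
    }

    /** Launches the flow and parses the outcome as a successful userinfo response. */
    private UserInfoSuccessResponse launchForSuccess() throws IOException {
        return parseSuccessResponse(launch(), UserInfoSuccessResponse.class);
    }

    /** Presents {@code token} as the request's bearer credential. */
    private void authorizeWith(final BearerAccessToken token) {
        this.request.addHeader("Authorization", token.toAuthorizationHeader());
    }

    /**
     * Asserts a plain (non-JWT) response carrying the expected subject and exactly the given
     * optional claims; {@code null} means the claim must be absent.
     */
    private void assertPlainResponse(final UserInfoSuccessResponse response, final String expectedEmail,
            final String expectedNickname) {
        final UserInfo info = response.getUserInfo();
        Assert.assertNotNull(info);
        Assert.assertEquals(info.getSubject().getValue(), this.subject);
        Assert.assertEquals(info.getEmailAddress(), expectedEmail);
        Assert.assertEquals(info.getNickname(), expectedNickname);
        Assert.assertNull(response.getUserInfoJWT());
    }

    /** No Authorization header at all: the request itself is invalid, not the grant. */
    @Test
    public void testNoAccessToken() {
        final FlowExecutionResult result = launch();
        assertErrorCode(result, "invalid_request");
        assertErrorDescriptionContains(result, "UnableToDecode");
    }

    /** A bearer value that is not a token the OP issued is rejected as an invalid grant. */
    @Test
    public void testUnparseableAccessToken() {
        this.request.addHeader("Authorization", "Bearer mockAccessToken");
        assertErrorCode(launch(), "invalid_grant");
    }

    /** A well-formed token bound to a client id nobody registered is refused. */
    @Test
    public void testFailsUntrustedClient()
            throws URISyntaxException, NoSuchAlgorithmException, DataSealerException, ComponentInitializationException {
        authorizeWith(buildToken(this.idGenerator.generateIdentifier(), this.subject, new Scope()));
        assertErrorCode(launch(), "unauthorized_client");
    }

    /** Token with only {@code openid}: the subject comes back and nothing else is resolved. */
    @Test
    public void testSuccessOnlySubject() throws URISyntaxException, NoSuchAlgorithmException, DataSealerException,
            ComponentInitializationException, IOException {
        final BearerAccessToken token = buildToken(this.clientId, this.subject, new Scope("openid"));
        storeMetadata(this.storageService, this.clientId, "mockSecret", this.scope, new String[0]);
        authorizeWith(token);
        assertPlainResponse(launchForSuccess(), null, null);
    }

    /** The token's scope lacks {@code openid}, so userinfo must not be served even though it is registered. */
    @Test
    public void testFailsWhenNoOpenidScopeRequested() throws URISyntaxException, NoSuchAlgorithmException,
            DataSealerException, ComponentInitializationException, IOException {
        final BearerAccessToken token = buildToken(this.clientId, this.subject, new Scope("profile"));
        storeMetadata(this.storageService, this.clientId, "mockSecret", this.scope, new String[0]);
        authorizeWith(token);
        assertErrorCode(launch(), "invalid_scope");
    }

    /** The token carries {@code openid}, but the client registration does not allow it. */
    @Test
    public void testFailsWhenNoOpenidScopeRegistered() throws URISyntaxException, NoSuchAlgorithmException,
            DataSealerException, ComponentInitializationException, IOException {
        // two separate scope values: a single "openid profile" value would not contain
        // openid at all and would trip the requested-scope check rather than this one
        final BearerAccessToken token = buildToken(this.clientId, this.subject, new Scope("openid", "profile"));
        storeMetadata(this.storageService, this.clientId, "mockSecret", new Scope("profile"), new String[0]);
        authorizeWith(token);
        assertErrorCode(launch(), "invalid_scope");
    }

    /** The token carries {@code openid}, but the client has no registered scope at all. */
    @Test
    public void testFailsWhenNoAnyScopeRegistered() throws URISyntaxException, NoSuchAlgorithmException,
            DataSealerException, ComponentInitializationException, IOException {
        // two separate scope values, see testFailsWhenNoOpenidScopeRegistered
        final BearerAccessToken token = buildToken(this.clientId, this.subject, new Scope("openid", "profile"));
        storeMetadata(this.storageService, this.clientId, "mockSecret", null, new String[0]);
        authorizeWith(token);
        assertErrorCode(launch(), "invalid_scope");
    }

    /** Same as {@link #testSuccessOnlySubject()} with a token in the legacy format. */
    @Test
    public void testSuccessOnlySubjectWithLegacyToken() throws URISyntaxException, NoSuchAlgorithmException,
            DataSealerException, ComponentInitializationException, IOException, ParseException {
        final BearerAccessToken token =
                buildLegacyToken(this.clientId, this.subject, new Scope("openid"), new String[0]);
        storeMetadata(this.storageService, this.clientId, "mockSecret", this.scope, new String[0]);
        authorizeWith(token);
        assertPlainResponse(launchForSuccess(), null, null);
    }

    /** Subject-only response for the client that is not stored by this test. */
    @Test
    public void testSuccessOnlySubjectSaml() throws URISyntaxException, NoSuchAlgorithmException,
            DataSealerException, ComponentInitializationException, IOException {
        authorizeWith(buildToken(this.clientIdSaml, this.subject, new Scope("openid")));
        assertPlainResponse(launchForSuccess(), null, null);
    }

    /**
     * With {@code email} in the token scope and consent stored for the {@code mail} attribute,
     * the resolved address is released; the address itself comes from the test attribute
     * setup, not from the token.
     */
    @Test
    public void testSuccessEmailResolution() throws URISyntaxException, NoSuchAlgorithmException,
            DataSealerException, ComponentInitializationException, IOException {
        final BearerAccessToken token =
                buildToken(this.clientId, this.subject, new Scope("openid", "email", "profile"));
        storeMetadata(this.storageService, this.clientId, "mockSecret", this.scope, new String[0]);
        storeConsent(this.storageService, "jdoe", this.clientId, "mail");
        authorizeWith(token);
        assertPlainResponse(launchForSuccess(), "jdoe@example.org", null);
    }

    /** Same as {@link #testSuccessEmailResolution()} with a legacy token carrying no consent claims. */
    @Test
    public void testSuccessEmailResolutionWithLegacyToken() throws URISyntaxException, NoSuchAlgorithmException,
            DataSealerException, ComponentInitializationException, IOException, ParseException {
        final BearerAccessToken token =
                buildLegacyToken(this.clientId, this.subject, new Scope("openid", "email", "profile"), new String[0]);
        storeMetadata(this.storageService, this.clientId, "mockSecret", this.scope, new String[0]);
        storeConsent(this.storageService, "jdoe", this.clientId, "mail");
        authorizeWith(token);
        assertPlainResponse(launchForSuccess(), "jdoe@example.org", null);
    }

    /** Legacy token that itself records consent for {@code mail}: the address is released. */
    @Test
    public void testSuccessEmailResolutionWithLegacyConsentToken() throws URISyntaxException,
            NoSuchAlgorithmException, DataSealerException, ComponentInitializationException, IOException,
            ParseException {
        final BearerAccessToken token =
                buildLegacyToken(this.clientId, this.subject, new Scope("openid", "email", "profile"), "mail");
        storeMetadata(this.storageService, this.clientId, "mockSecret", this.scope, new String[0]);
        storeConsent(this.storageService, "jdoe", this.clientId, "mail");
        authorizeWith(token);
        assertPlainResponse(launchForSuccess(), "jdoe@example.org", null);
    }

    /**
     * Legacy token recording consent for an attribute other than {@code mail}: the consent
     * carried by the token wins over the stored consent and the address is withheld.
     */
    @Test
    public void testNotConsentedEmailResolutionWithLegacyConsentToken() throws URISyntaxException,
            NoSuchAlgorithmException, DataSealerException, ComponentInitializationException, IOException,
            ParseException {
        final BearerAccessToken token =
                buildLegacyToken(this.clientId, this.subject, new Scope("openid", "email", "profile"), "not_mail");
        storeMetadata(this.storageService, this.clientId, "mockSecret", this.scope, new String[0]);
        storeConsent(this.storageService, "jdoe", this.clientId, "mail");
        authorizeWith(token);
        assertPlainResponse(launchForSuccess(), null, null);
    }

    /** A claim embedded in the token ({@code nickname}) is returned without any resolution. */
    @Test
    public void testSuccessNicknameInToken() throws URISyntaxException, NoSuchAlgorithmException,
            DataSealerException, ComponentInitializationException, IOException {
        final ClaimsSet embedded = new ClaimsSet();
        embedded.setClaim("nickname", "mockNickname");
        final BearerAccessToken token =
                buildToken(this.clientId, this.subject, new Scope("openid", "profile"), embedded);
        storeMetadata(this.storageService, this.clientId, "mockSecret", this.scope, new String[0]);
        authorizeWith(token);
        assertPlainResponse(launchForSuccess(), null, "mockNickname");
    }

    /**
     * Client registered with RS256 userinfo signing: the response is a {@link SignedJWT}
     * (no plain JSON body) carrying subject, consented email and the issuer.
     */
    @Test
    public void testSuccessEmailResolutionAndIssuerWithSignedResponse() throws URISyntaxException,
            NoSuchAlgorithmException, DataSealerException, ComponentInitializationException, IOException,
            java.text.ParseException {
        final BearerAccessToken token =
                buildToken(this.clientId, this.subject, new Scope("openid", "email", "profile"));
        storeMetadata(this.storageService, this.clientId, "mockSecret", this.scope, null,
                ClientAuthenticationMethod.CLIENT_SECRET_BASIC, JWSAlgorithm.RS256, new String[0]);
        storeConsent(this.storageService, "jdoe", this.clientId, "mail");
        authorizeWith(token);
        final UserInfoSuccessResponse response = launchForSuccess();
        Assert.assertNull(response.getUserInfo());
        final JWT jwt = response.getUserInfoJWT();
        Assert.assertNotNull(jwt);
        Assert.assertTrue(jwt instanceof SignedJWT);
        final JWTClaimsSet claims = jwt.getJWTClaimsSet();
        Assert.assertEquals(claims.getSubject(), this.subject);
        Assert.assertEquals(claims.getClaim("email"), "jdoe@example.org");
        Assert.assertEquals(claims.getClaim("iss"), "https://op.example.org");
    }

    // NOTE(review): in the three revocation cases the buildToken arguments after the claims
    // are taken to be the token's own id (jti) and the id of the authorization-code chain it
    // descends from; this follows from which revocation context each test populates.

    /** A token whose own id was revoked is rejected even though its chain is intact. */
    @Test
    public void testRevokedSingleToken() throws URISyntaxException, NoSuchAlgorithmException,
            DataSealerException, ComponentInitializationException, IOException {
        final String chainId = this.idGenerator.generateIdentifier();
        final String tokenId = this.idGenerator.generateIdentifier();
        this.revocationCache.revoke(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS, tokenId);
        final BearerAccessToken token =
                buildToken(this.clientId, this.subject, new Scope("openid"), null, tokenId, chainId);
        storeMetadata(this.storageService, this.clientId, "mockSecret", this.scope, new String[0]);
        authorizeWith(token);
        assertErrorCode(launch(), BearerTokenError.INVALID_TOKEN.getCode());
    }

    /** Revoking the originating authorization code invalidates every token descended from it. */
    @Test
    public void testRevokedChain() throws URISyntaxException, NoSuchAlgorithmException, DataSealerException,
            ComponentInitializationException, IOException {
        final String chainId = this.idGenerator.generateIdentifier();
        final String tokenId = this.idGenerator.generateIdentifier();
        this.revocationCache.revoke(RevocationCacheContexts.AUTHORIZATION_CODE, chainId);
        final BearerAccessToken token =
                buildToken(this.clientId, this.subject, new Scope("openid"), null, tokenId, chainId);
        storeMetadata(this.storageService, this.clientId, "mockSecret", this.scope, new String[0]);
        authorizeWith(token);
        assertErrorCode(launch(), BearerTokenError.INVALID_TOKEN.getCode());
    }

    /** Without a separate chain id, the token's jti doubles as the chain key for revocation. */
    @Test
    public void testRevokedChainViaJti() throws URISyntaxException, NoSuchAlgorithmException, DataSealerException,
            ComponentInitializationException, IOException {
        final String tokenId = this.idGenerator.generateIdentifier();
        this.revocationCache.revoke(RevocationCacheContexts.AUTHORIZATION_CODE, tokenId);
        final BearerAccessToken token =
                buildToken(this.clientId, this.subject, new Scope("openid"), null, tokenId, null);
        storeMetadata(this.storageService, this.clientId, "mockSecret", this.scope, new String[0]);
        authorizeWith(token);
        assertErrorCode(launch(), BearerTokenError.INVALID_TOKEN.getCode());
    }

    /**
     * Adds the shared signed/encrypted-JWT security suites for the userinfo flow: one signed
     * variant and the four encrypted variants over the two boolean options.
     */
    @Factory
    public Object[] createUserInfoAsJwtSecurityTests() {
        final AbstractIssuedJWTSecurityTest.JWT_FETCHING_TYPE type =
                AbstractIssuedJWTSecurityTest.JWT_FETCHING_TYPE.USERINFO;
        return new Object[] {
            new IssuedSignedJWTTest(type, FLOW_ID),
            new IssuedEncryptedJWTTest(type, FLOW_ID, false, false),
            new IssuedEncryptedJWTTest(type, FLOW_ID, false, true),
            new IssuedEncryptedJWTTest(type, FLOW_ID, true, false),
            new IssuedEncryptedJWTTest(type, FLOW_ID, true, true)
        };
    }
}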
