package net.shibboleth.idp.plugin.oidc.op.profile.flow;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.JWT;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.TokenIntrospectionSuccessResponse;
import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
import com.nimbusds.oauth2.sdk.id.Audience;
import com.nimbusds.oauth2.sdk.id.ClientID;
import java.io.IOException;
import java.net.URISyntaxException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.time.Instant;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import net.shibboleth.idp.plugin.oidc.op.storage.RevocationCacheContexts;
import net.shibboleth.idp.plugin.oidc.op.token.support.AccessTokenClaimsSet;
import net.shibboleth.oidc.security.credential.JWKCredential;
import net.shibboleth.utilities.java.support.collection.Pair;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.security.DataSealerException;
import org.opensaml.storage.RevocationCache;
import org.opensaml.storage.StorageService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.webflow.core.collection.MutableAttributeMap;
import org.springframework.webflow.executor.FlowExecutionResult;
import org.testng.Assert;
import org.testng.annotations.AfterMethod;
import org.testng.annotations.Test;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/profile/flow/IntrospectionFlowTest.class */
public class IntrospectionFlowTest extends AbstractOidcClientAuthenticationFlowTest {
    public static final String FLOW_ID = "oauth2/introspection";
    private Scope scope;

    @Autowired
    @Qualifier("testbed.DefaultRSSigningCredential")
    private JWKCredential signingKey;

    @Autowired
    @Qualifier("shibboleth.StorageService")
    private StorageService storageService;

    @Autowired
    @Qualifier("shibboleth.oidc.RevocationCache")
    private RevocationCache revocationCache;

    public IntrospectionFlowTest() {
        super(FLOW_ID);
        this.scope = Scope.parse("openid profile email");
        this.signingKey = null;
    }

    @AfterMethod
    public void tearDown() throws IOException {
        removeMetadata(this.storageService, this.clientId);
    }

    @Test
    public void testUntrustedClient() throws NoSuchAlgorithmException, URISyntaxException, DataSealerException, ComponentInitializationException {
        setBasicAuth(this.clientId, this.clientSecret + "bad");
        setHttpFormRequest("POST", Collections.singletonMap("token", buildToken(this.clientId, "sub", Scope.parse("openid")).toJSONObject().getAsString("access_token")));
        assertErrorCode(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext), "invalid_client");
    }

    @Test
    public void testFailedAuthentication() throws IOException, NoSuchAlgorithmException, URISyntaxException, DataSealerException, ComponentInitializationException {
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, new String[0]);
        setBasicAuth(this.clientId, this.clientSecret + "X");
        setHttpFormRequest("POST", Collections.singletonMap("token", buildToken(this.clientId, "sub", Scope.parse("openid")).toJSONObject().getAsString("access_token")));
        Assert.assertEquals(parseErrorResponse(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext)).getErrorObject().getCode(), "invalid_client");
    }

    @Test
    public void testInvalidMessage() throws IOException, NoSuchAlgorithmException, URISyntaxException, DataSealerException, ComponentInitializationException {
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, new String[0]);
        setBasicAuth(this.clientId, this.clientSecret);
        setHttpFormRequest("POST", Collections.singletonMap("token_not", buildToken(this.clientId, "sub", Scope.parse("openid")).toJSONObject().getAsString("access_token")));
        assertErrorCode(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext), "invalid_request");
    }

    @Test
    public void testFailureUnverified() throws IOException, NoSuchAlgorithmException, URISyntaxException, DataSealerException, ComponentInitializationException {
        setBasicAuth(this.clientId, this.clientSecret);
        setHttpFormRequest("POST", Map.of("token", buildToken(this.clientId + "2", "sub", Scope.parse("openid")).toJSONObject().getAsString("access_token"), "token_type", "access_token"));
        Assert.assertFalse(parseSuccessResponse(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext), TokenIntrospectionSuccessResponse.class).isActive());
    }

    @Test
    public void testSuccessUnverified() throws IOException, NoSuchAlgorithmException, URISyntaxException, DataSealerException, ComponentInitializationException {
        setBasicAuth(this.clientId, this.clientSecret);
        setHttpFormRequest("POST", Map.of("token", buildToken(this.clientId, "sub", Scope.parse("openid")).toJSONObject().getAsString("access_token"), "token_type", "access_token"));
        TokenIntrospectionSuccessResponse parseSuccessResponse = parseSuccessResponse(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext), TokenIntrospectionSuccessResponse.class);
        Assert.assertTrue(parseSuccessResponse.isActive());
        Assert.assertEquals(parseSuccessResponse.getClientID().getValue(), this.clientId);
        Assert.assertEquals(parseSuccessResponse.getScope(), Scope.parse("openid"));
        Assert.assertNull(parseSuccessResponse.getAudience());
    }

    @Test
    public void testSuccess() throws IOException, NoSuchAlgorithmException, URISyntaxException, DataSealerException, ComponentInitializationException {
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, new String[0]);
        setBasicAuth(this.clientId, this.clientSecret);
        setHttpFormRequest("POST", Map.of("token", buildToken(this.clientId, "sub", Scope.parse("openid")).toJSONObject().getAsString("access_token"), "token_type", "access_token"));
        TokenIntrospectionSuccessResponse parseSuccessResponse = parseSuccessResponse(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext), TokenIntrospectionSuccessResponse.class);
        Assert.assertTrue(parseSuccessResponse.isActive());
        Assert.assertEquals(parseSuccessResponse.getClientID().getValue(), this.clientId);
        Assert.assertEquals(parseSuccessResponse.getScope(), Scope.parse("openid"));
        Assert.assertNull(parseSuccessResponse.getAudience());
    }

    @Test
    public void testSuccessWithRefreshToken() throws IOException, NoSuchAlgorithmException, URISyntaxException, DataSealerException, ComponentInitializationException {
        String generateIdentifier = this.idGenerator.generateIdentifier();
        String generateIdentifier2 = this.idGenerator.generateIdentifier();
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, new String[0]);
        setBasicAuth(this.clientId, this.clientSecret);
        setHttpFormRequest("POST", Map.of("token", buildRefreshToken(this.clientId, "sub", Scope.parse("openid"), null, generateIdentifier2, generateIdentifier).toJSONObject().getAsString("refresh_token"), "token_type", "refresh_token"));
        TokenIntrospectionSuccessResponse parseSuccessResponse = parseSuccessResponse(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext), TokenIntrospectionSuccessResponse.class);
        Assert.assertTrue(parseSuccessResponse.isActive());
        Assert.assertEquals(parseSuccessResponse.getClientID().getValue(), this.clientId);
        Assert.assertEquals(parseSuccessResponse.getScope(), Scope.parse("openid"));
        Assert.assertNull(parseSuccessResponse.getAudience());
    }

    @Test
    public void testFailureWithChainExpiredRefreshToken() throws IOException, NoSuchAlgorithmException, URISyntaxException, DataSealerException, ComponentInitializationException {
        String generateIdentifier = this.idGenerator.generateIdentifier();
        String generateIdentifier2 = this.idGenerator.generateIdentifier();
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, new String[0]);
        setBasicAuth(this.clientId, this.clientSecret);
        setHttpFormRequest("POST", Map.of("token", buildRefreshToken(this.clientId, "sub", Scope.parse("openid"), null, generateIdentifier2, generateIdentifier, Instant.now(), Instant.now().minusSeconds(120L)).toJSONObject().getAsString("refresh_token"), "token_type", "refresh_token"));
        Assert.assertFalse(parseSuccessResponse(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext), TokenIntrospectionSuccessResponse.class).isActive());
    }

    @Test
    public void testRevokedSingleToken() throws IOException, NoSuchAlgorithmException, URISyntaxException, DataSealerException, ComponentInitializationException {
        String generateIdentifier = this.idGenerator.generateIdentifier();
        String generateIdentifier2 = this.idGenerator.generateIdentifier();
        this.revocationCache.revoke(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS, generateIdentifier2);
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, new String[0]);
        setBasicAuth(this.clientId, this.clientSecret);
        setHttpFormRequest("POST", Map.of("token", buildToken(this.clientId, "sub", Scope.parse("openid"), null, generateIdentifier2, generateIdentifier).toJSONObject().getAsString("access_token"), "token_type", "access_token"));
        Assert.assertFalse(parseSuccessResponse(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext), TokenIntrospectionSuccessResponse.class).isActive());
    }

    @Test
    public void testRevokedChain() throws IOException, NoSuchAlgorithmException, URISyntaxException, DataSealerException, ComponentInitializationException {
        String generateIdentifier = this.idGenerator.generateIdentifier();
        String generateIdentifier2 = this.idGenerator.generateIdentifier();
        this.revocationCache.revoke(RevocationCacheContexts.AUTHORIZATION_CODE, generateIdentifier);
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, new String[0]);
        setBasicAuth(this.clientId, this.clientSecret);
        setHttpFormRequest("POST", Map.of("token", buildToken(this.clientId, "sub", Scope.parse("openid"), null, generateIdentifier2, generateIdentifier).toJSONObject().getAsString("access_token"), "token_type", "access_token"));
        Assert.assertFalse(parseSuccessResponse(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext), TokenIntrospectionSuccessResponse.class).isActive());
    }

    @Test
    public void testRevokedChainViaJti() throws IOException, NoSuchAlgorithmException, URISyntaxException, DataSealerException, ComponentInitializationException {
        String generateIdentifier = this.idGenerator.generateIdentifier();
        this.revocationCache.revoke(RevocationCacheContexts.AUTHORIZATION_CODE, generateIdentifier);
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, new String[0]);
        setBasicAuth(this.clientId, this.clientSecret);
        setHttpFormRequest("POST", Map.of("token", buildToken(this.clientId, "sub", Scope.parse("openid"), null, generateIdentifier, null).toJSONObject().getAsString("access_token"), "token_type", "access_token"));
        Assert.assertFalse(parseSuccessResponse(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext), TokenIntrospectionSuccessResponse.class).isActive());
    }

    @Test
    public void testSuccessWithSamlMetadata() throws NoSuchAlgorithmException, URISyntaxException, DataSealerException, ComponentInitializationException {
        setBasicAuth(this.clientIdSaml, this.clientSecretSaml);
        setHttpFormRequest("POST", Collections.singletonMap("token", buildToken(this.clientIdSaml, "sub", Scope.parse("openid")).toJSONObject().getAsString("access_token")));
        TokenIntrospectionSuccessResponse parseSuccessResponse = parseSuccessResponse(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext), TokenIntrospectionSuccessResponse.class);
        Assert.assertEquals(parseSuccessResponse.getClientID().getValue(), this.clientIdSaml);
        Assert.assertTrue(parseSuccessResponse.isActive());
    }

    @Test
    public void testSuccessWithLegacyToken() throws IOException, NoSuchAlgorithmException, URISyntaxException, DataSealerException, ComponentInitializationException {
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, new String[0]);
        setBasicAuth(this.clientId, this.clientSecret);
        setHttpFormRequest("POST", Collections.singletonMap("token", buildLegacyToken(this.clientId, "sub", Scope.parse("openid"), new String[0]).toJSONObject().getAsString("access_token")));
        TokenIntrospectionSuccessResponse parseSuccessResponse = parseSuccessResponse(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext), TokenIntrospectionSuccessResponse.class);
        Assert.assertEquals(parseSuccessResponse.getClientID().getValue(), this.clientId);
        Assert.assertTrue(parseSuccessResponse.isActive());
    }

    @Test
    public void testSuccessWithLegacyConsentToken() throws IOException, NoSuchAlgorithmException, URISyntaxException, DataSealerException, ComponentInitializationException {
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, new String[0]);
        setBasicAuth(this.clientId, this.clientSecret);
        setHttpFormRequest("POST", Collections.singletonMap("token", buildLegacyToken(this.clientId, "sub", Scope.parse("openid"), "mail").toJSONObject().getAsString("access_token")));
        TokenIntrospectionSuccessResponse parseSuccessResponse = parseSuccessResponse(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext), TokenIntrospectionSuccessResponse.class);
        Assert.assertEquals(parseSuccessResponse.getClientID().getValue(), this.clientId);
        Assert.assertTrue(parseSuccessResponse.isActive());
    }

    @Test
    public void testSuccessJWTNoAudience() throws JOSEException, IOException {
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, new String[0]);
        setBasicAuth(this.clientId, this.clientSecret);
        setHttpFormRequest("POST", Map.of("token", buildJWTToken(this.clientId, "sub", this.scope, null, this.signingKey.getPrivateKey(), "RS256").toJSONObject().getAsString("access_token"), "token_type", "access_token"));
        TokenIntrospectionSuccessResponse parseSuccessResponse = parseSuccessResponse(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext), TokenIntrospectionSuccessResponse.class);
        Assert.assertTrue(parseSuccessResponse.isActive());
        Assert.assertEquals(parseSuccessResponse.getClientID().getValue(), this.clientId);
        Assert.assertEquals(parseSuccessResponse.getScope(), this.scope);
        Assert.assertNull(parseSuccessResponse.getAudience());
    }

    @Test
    public void testSuccessJWTAudience() throws JOSEException, IOException {
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, new String[0]);
        setBasicAuth(this.clientId, this.clientSecret);
        setHttpFormRequest("POST", Map.of("token", buildJWTToken("https://sp2.example.org", "sub", this.scope, List.of("https://sp.example.org", this.clientId), this.signingKey.getPrivateKey(), "RS256").toJSONObject().getAsString("access_token"), "token_type", "access_token"));
        TokenIntrospectionSuccessResponse parseSuccessResponse = parseSuccessResponse(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext), TokenIntrospectionSuccessResponse.class);
        Assert.assertTrue(parseSuccessResponse.isActive());
        Assert.assertEquals(parseSuccessResponse.getClientID().getValue(), "https://sp2.example.org");
        Assert.assertEquals(parseSuccessResponse.getScope(), this.scope);
        Assert.assertEquals(parseSuccessResponse.getAudience(), List.of(new Audience("https://sp.example.org"), new Audience(this.clientId)));
    }

    @Test
    public void testFailureJWTExpired() throws JOSEException, IOException {
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, new String[0]);
        setBasicAuth(this.clientId, this.clientSecret);
        setHttpFormRequest("POST", Map.of("token", buildJWTToken((AccessTokenClaimsSet) new AccessTokenClaimsSet.Builder().setJWTID(this.idGenerator).setClientID(new ClientID(this.clientId)).setIssuer("https://op.example.org").setSubject(this.clientId).setIssuedAt(Instant.now().minusSeconds(300L)).setNotBefore(Instant.now().minusSeconds(300L)).setExpiresAt(Instant.now().minusSeconds(200L)).setAuthenticationTime(Instant.now()).setScope(this.scope).build(), this.signingKey.getPrivateKey(), "RS256").toJSONObject().getAsString("access_token"), "token_type", "access_token"));
        Assert.assertFalse(parseSuccessResponse(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext), TokenIntrospectionSuccessResponse.class).isActive());
    }

    @Test
    public void testFailureJWTNotYetValid() throws JOSEException, IOException {
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, new String[0]);
        setBasicAuth(this.clientId, this.clientSecret);
        setHttpFormRequest("POST", Map.of("token", buildJWTToken((AccessTokenClaimsSet) new AccessTokenClaimsSet.Builder().setJWTID(this.idGenerator).setClientID(new ClientID(this.clientId)).setIssuer("https://op.example.org").setSubject(this.clientId).setIssuedAt(Instant.now()).setNotBefore(Instant.now().plusSeconds(300L)).setExpiresAt(Instant.now().plusSeconds(1800L)).setAuthenticationTime(Instant.now()).setScope(this.scope).build(), this.signingKey.getPrivateKey(), "RS256").toJSONObject().getAsString("access_token"), "token_type", "access_token"));
        Assert.assertFalse(parseSuccessResponse(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext), TokenIntrospectionSuccessResponse.class).isActive());
    }

    @Test
    public void testFailureJWTNotAuthorized() throws JOSEException, IOException {
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, new String[0]);
        setBasicAuth(this.clientId, this.clientSecret);
        setHttpFormRequest("POST", Map.of("token", buildJWTToken("https://sp3.example.org", "sub", this.scope, List.of("https://sp.example.org", "https://sp2.example.org"), this.signingKey.getPrivateKey(), "RS256").toJSONObject().getAsString("access_token"), "token_type", "access_token"));
        Assert.assertFalse(parseSuccessResponse(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext), TokenIntrospectionSuccessResponse.class).isActive());
    }

    @Test
    public void testFailureJWTWrongKey() throws JOSEException, IOException {
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, new String[0]);
        setBasicAuth(this.clientId, this.clientSecret);
        setHttpFormRequest("POST", Map.of("token", buildJWTToken(this.clientId, "sub", this.scope, null, this.rsaPrivateKey, "RS256").toJSONObject().getAsString("access_token"), "token_type", "access_token"));
        Assert.assertFalse(parseSuccessResponse(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext), TokenIntrospectionSuccessResponse.class).isActive());
    }

    @Test
    public void testUnidentifiedToken() throws IOException, NoSuchAlgorithmException, URISyntaxException, DataSealerException, ComponentInitializationException {
        storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, new String[0]);
        setBasicAuth(this.clientId, this.clientSecret);
        setHttpFormRequest("POST", Collections.singletonMap("token", "unknowntoken"));
        TokenIntrospectionSuccessResponse parseSuccessResponse = parseSuccessResponse(this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext), TokenIntrospectionSuccessResponse.class);
        Assert.assertNull(parseSuccessResponse.getClientID());
        Assert.assertFalse(parseSuccessResponse.isActive());
    }

    @Override // net.shibboleth.idp.plugin.oidc.op.profile.flow.AbstractOidcClientAuthenticationFlowTest
    protected FlowExecutionResult launchWithJwtAuthentication(JWT jwt, JWSAlgorithm jWSAlgorithm, ClientAuthenticationMethod clientAuthenticationMethod, PublicKey publicKey) throws Exception {
        if (publicKey == null) {
            storeMetadata(this.storageService, this.clientId, this.clientSecret, this.scope, jWSAlgorithm, clientAuthenticationMethod, new String[0]);
        } else {
            storeMetadata(this.storageService, this.clientId, (String) null, this.scope, jWSAlgorithm, clientAuthenticationMethod, (JWSAlgorithm) null, publicKey, new String[0]);
        }
        Map<String, String> createRequestParameters = createRequestParameters(buildToken(this.clientId, "sub", this.scope).toJSONObject().getAsString("access_token"), this.clientId);
        populateClientAssertionParams(createRequestParameters, jwt);
        setHttpFormRequest("POST", createRequestParameters);
        return this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext);
    }

    protected Map<String, String> createRequestParameters(String str, String str2) {
        HashMap hashMap = new HashMap();
        hashMap.put("token", str);
        hashMap.put("client_id", str2);
        return hashMap;
    }

    @Override // net.shibboleth.idp.plugin.oidc.op.profile.flow.AbstractOidcClientAuthenticationFlowTest
    protected Pair<String, String> getErrorDetaisForJWTValidation() {
        return new Pair<>("invalid_client", "Client authentication failed");
    }

    @Override // net.shibboleth.idp.plugin.oidc.op.profile.flow.AbstractOidcClientAuthenticationFlowTest
    protected void assertSuccessResponse(FlowExecutionResult flowExecutionResult) {
        TokenIntrospectionSuccessResponse parseSuccessResponse = parseSuccessResponse(flowExecutionResult, TokenIntrospectionSuccessResponse.class);
        Assert.assertNotNull(parseSuccessResponse);
        Assert.assertTrue(parseSuccessResponse.isActive());
        Assert.assertEquals(parseSuccessResponse.getClientID().getValue(), this.clientId);
        Assert.assertEquals(parseSuccessResponse.getScope(), this.scope);
        Assert.assertNull(parseSuccessResponse.getAudience());
    }
}
