package net.shibboleth.idp.plugin.oidc.op.profile.flow;

import com.nimbusds.langtag.LangTag;
import com.nimbusds.langtag.LangTagException;
import com.nimbusds.oauth2.sdk.GrantType;
import com.nimbusds.oauth2.sdk.client.RegistrationError;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientInformation;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientInformationResponse;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.time.Instant;
import java.util.Set;
import net.minidev.json.JSONObject;
import net.minidev.json.parser.JSONParser;
import net.shibboleth.idp.plugin.oidc.op.profile.impl.BaseOIDCResponseActionTest;
import org.opensaml.storage.StorageService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.webflow.core.collection.MutableAttributeMap;
import org.springframework.webflow.executor.FlowExecutionResult;
import org.testng.Assert;
import org.testng.annotations.AfterMethod;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/profile/flow/RegistrationFlowTest.class */
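/**
 * Flow-level tests for the OIDC dynamic client registration flow ({@value #FLOW_ID}).
 *
 * <p>The cases fall into two groups. The "unauthenticated" tests send no {@code Authorization}
 * header. The "access token" tests send a sealed registration access token built by
 * {@link #buildRegistrationAccessToken(boolean, String, String...)}, whose {@code metadata} object
 * carries the per-token policy: a {@code subset_of} restriction on {@code redirect_uris} and the
 * names of additional claims.</p>
 *
 * <p>What the tests pin, from a security point of view: requested metadata that falls outside the
 * active policy is refused with {@code invalid_client_metadata}; a custom claim is dropped unless
 * the token policy names it; and an existing client record is not overwritten unless the token
 * says so. The relying-party profiles referenced by {@code rpId} are configured outside this
 * file.</p>
 */
public class RegistrationFlowTest extends AbstractOidcFlowTest {
    public static final String FLOW_ID = "oidc/register";

    /** Storage context under which the flow persists registered clients (see the read/delete calls). */
    private static final String CLIENT_INFO_CONTEXT = "oidcClientInformation";

    /** Redirect URI registered by the request fixtures below (the tests spell it as a literal). */
    private final String redirectUri = "https://example.org/cb";

    /** Relying-party id placed in the token's {@code rp_id} claim; reset before each test. */
    private String rpId;

    /** Client id placed in the token's {@code client_id} claim, or {@code null} to omit the claim. */
    private String clientId;

    @Autowired
    @Qualifier("shibboleth.StorageService")
    StorageService storageService;

    public RegistrationFlowTest() {
        // redirectUri is final and initialised at its declaration; assigning it again here
        // (as the decompiled listing did) is a compile error.
        super(FLOW_ID);
    }

    /** Resets the per-test token inputs to their defaults. */
    @BeforeMethod
    public void setUp() {
        this.rpId = "mockRpId";
        this.clientId = null;
    }

    /**
     * Removes the client record a test registered under a fixed client id, so that the
     * replace / no-replace tests do not see each other's state.
     */
    @AfterMethod
    public void tearDown() throws IOException {
        if (this.clientId != null) {
            this.storageService.delete(CLIENT_INFO_CONTEXT, this.clientId);
        }
    }

    /** A body that is not well-formed JSON is answered with {@code invalid_client_metadata}. */
    @Test
    public void testInvalidMessage() throws Exception {
        setJsonRequest("POST", "{ \"test\":not_json");
        assertErrorCode(launchFlow(), "invalid_client_metadata");
    }

    /** Without a token, a redirect URI on {@code not.compliant.org} is refused. */
    @Test
    public void testUnauthenticated_nonCompliantWithProfilePolicy1() {
        setJsonRequest("POST", "{ \"redirect_uris\":[\"https://not.compliant.org/cb\"] }");
        assertErrorCode(launchFlow(), "invalid_client_metadata");
    }

    /** Without a token, requesting {@code HS256} as the ID token signing algorithm is refused. */
    @Test
    public void testUnauthenticated_nonCompliantWithProfilePolicy2() {
        setJsonRequest("POST", "{ \"redirect_uris\":[\"https://example.org/cb\"], \"id_token_signed_response_alg\":\"HS256\" }");
        assertErrorCode(launchFlow(), "invalid_client_metadata");
    }

    /**
     * Without a token, an accepted request is persisted: the stored record must carry the same
     * client id, secret, redirect URIs and request-object URIs as the response.
     */
    @Test
    public void testUnauthenticated_success() throws Exception {
        final String requestUri = "https://client.example.org/rf.txt#qpXaRLh_n93TTR9F252ValdatUQvQiJi5BDub2BeznA";
        setJsonRequest("POST", "{ \"redirect_uris\":[\"https://example.org/cb\"], \"request_uris\":[\"" + requestUri + "\"] }");

        final OIDCClientInformation returned =
                parseSuccessResponse(launchFlow(), OIDCClientInformationResponse.class).getOIDCClientInformation();
        final OIDCClientMetadata returnedMetadata = returned.getOIDCMetadata();

        final String storedJson = this.storageService.read(CLIENT_INFO_CONTEXT, returned.getID().toString()).getValue();
        Assert.assertNotNull(storedJson);
        final OIDCClientInformation stored = OIDCClientInformation.parse(
                (JSONObject) new JSONParser(JSONParser.DEFAULT_PERMISSIVE_MODE).parse(storedJson));

        Assert.assertEquals(stored.getID(), returned.getID());
        Assert.assertEquals(stored.getSecret(), returned.getSecret());
        Assert.assertEquals(stored.getOIDCMetadata().getRedirectionURIStrings(), returnedMetadata.getRedirectionURIStrings());
        Assert.assertEquals(stored.getOIDCMetadata().getRequestObjectURIs(), Set.of(new URI(requestUri)));
        Assert.assertTrue(returnedMetadata.getRedirectionURIStrings().contains("https://example.org/cb"));
    }

    /** The requested redirect URI is not in the token's {@code subset_of} list, so it is refused. */
    @Test
    public void testAccessToken_nonCompliantWithProfilePolicy1() throws Exception {
        setJsonRequest("POST", "{ \"redirect_uris\":[\"https://example.org/cb\"] }");
        this.request.addHeader("Authorization",
                buildRegistrationAccessToken(false, "[\"https://invalid.domain.org/cb\"]", new String[0]).toAuthorizationHeader());
        assertErrorCode(launchFlow(), RegistrationError.INVALID_CLIENT_METADATA.getCode());
    }

    /** A token that allows the redirect URI does not make the {@code HS256} request acceptable. */
    @Test
    public void testAccessToken_nonCompliantWithProfilePolicy2() throws Exception {
        setJsonRequest("POST", "{ \"redirect_uris\":[\"https://example.org/cb\"], \"id_token_signed_response_alg\":\"HS256\" }");
        this.request.addHeader("Authorization",
                buildRegistrationAccessToken(false, "[\"https://example.org/cb\"]", new String[0]).toAuthorizationHeader());
        assertErrorCode(launchFlow(), RegistrationError.INVALID_CLIENT_METADATA.getCode());
    }

    /** A request inside the token's redirect URI policy is registered and persisted. */
    @Test
    public void testAccessToken_success() throws Exception {
        setJsonRequest("POST", buildRequestMessage("https://example.org/cb"));
        this.request.addHeader("Authorization",
                buildRegistrationAccessToken(false, "[\"https://example.org/cb\"]", new String[0]).toAuthorizationHeader());
        assertSuccessfulResponse(launchFlow(), null);
    }

    /** When the token carries a {@code client_id}, the registered client gets exactly that id. */
    @Test
    public void testAccessToken_success_withClientID() throws Exception {
        this.clientId = "https://example.org";
        setJsonRequest("POST", buildRequestMessage("https://example.org/cb"));
        this.request.addHeader("Authorization",
                buildRegistrationAccessToken(true, "[\"https://example.org/cb\"]", new String[0]).toAuthorizationHeader());
        assertSuccessfulResponse(launchFlow(), this.clientId);
    }

    /**
     * Registers the same token-supplied {@code client_id} twice; the second token sets
     * {@code replacement} to {@code true} and the second registration succeeds.
     */
    @Test
    public void testAccessToken_successReplace() throws Exception {
        this.clientId = "https://example.org";
        setJsonRequest("POST", buildRequestMessage("https://example.org/cb"));
        this.request.addHeader("Authorization",
                buildRegistrationAccessToken(false, "[\"https://example.org/cb\"]", new String[0]).toAuthorizationHeader());
        // NOTE(review): passing null only checks that some client id was returned; passing
        // this.clientId would also pin that the token-supplied id was used — confirm intent.
        assertSuccessfulResponse(launchFlow(), null);

        // Fresh request/response mocks for the second run of the flow.
        initializeMocks();
        initializeThreadLocals();
        setJsonRequest("POST", buildRequestMessage("https://example.org/cb"));
        this.request.addHeader("Authorization",
                buildRegistrationAccessToken(true, "[\"https://example.org/cb\"]", new String[0]).toAuthorizationHeader());
        assertSuccessfulResponse(launchFlow(), null);
    }

    /**
     * Registers the same token-supplied {@code client_id} twice with {@code replacement} set to
     * {@code false} both times; the second attempt must fail with {@code server_error} rather than
     * overwrite the existing client record.
     */
    @Test
    public void testAccessToken_NoReplace() throws Exception {
        this.clientId = "https://example.org";
        setJsonRequest("POST", buildRequestMessage("https://example.org/cb"));
        this.request.addHeader("Authorization",
                buildRegistrationAccessToken(false, "[\"https://example.org/cb\"]", new String[0]).toAuthorizationHeader());
        assertSuccessfulResponse(launchFlow(), null);

        // Fresh request/response mocks for the second run of the flow.
        initializeMocks();
        initializeThreadLocals();
        setJsonRequest("POST", buildRequestMessage("https://example.org/cb"));
        this.request.addHeader("Authorization",
                buildRegistrationAccessToken(false, "[\"https://example.org/cb\"]", new String[0]).toAuthorizationHeader());
        assertErrorCode(launchFlow(), "server_error");
    }

    /** A custom claim the token policy does not name is absent from the registered metadata. */
    @Test
    public void testAccessToken_successCustomClaimIgnored() throws Exception {
        setJsonRequest("POST", buildRequestMessage("https://example.org/cb", "\"customClaim\":\"customValue\""));
        this.request.addHeader("Authorization",
                buildRegistrationAccessToken(false, "[\"https://example.org/cb\"]", new String[0]).toAuthorizationHeader());
        final FlowExecutionResult result = launchFlow();
        assertSuccessfulResponse(result, null);
        Assert.assertNull(parseSuccessResponse(result, OIDCClientInformationResponse.class)
                .getOIDCClientInformation().getOIDCMetadata().getCustomField("customClaim"));
    }

    /** A custom claim the token policy names is kept, with the requested value. */
    @Test
    public void testAccessToken_successCustomClaimInPolicyAdded() throws Exception {
        setJsonRequest("POST", buildRequestMessage("https://example.org/cb", "\"customClaim\":\"customValue\""));
        this.request.addHeader("Authorization",
                buildRegistrationAccessToken(false, "[\"https://example.org/cb\"]", "customClaim").toAuthorizationHeader());
        final FlowExecutionResult result = launchFlow();
        assertSuccessfulResponse(result, null);
        Assert.assertEquals(parseSuccessResponse(result, OIDCClientInformationResponse.class)
                .getOIDCClientInformation().getOIDCMetadata().getCustomField("customClaim"), "customValue");
    }

    /**
     * With the {@code mockDynRegClientNoProfilePolicy} relying party and an empty token policy, a
     * request without {@code redirect_uris} is refused with {@code invalid_redirect_uri}.
     */
    @Test
    public void testAccessToken_noPolicyNoRedirectUri() throws Exception {
        setJsonRequest("POST", "{ \"test\":false }");
        this.rpId = "mockDynRegClientNoProfilePolicy";
        this.request.addHeader("Authorization",
                buildRegistrationAccessToken(false, (String) null, (String[]) null).toAuthorizationHeader());
        assertErrorCode(launchFlow(), RegistrationError.INVALID_REDIRECT_URI.getCode());
    }

    /**
     * With the {@code mockDynRegClientAnotherProfilePolicy} relying party, requesting the
     * {@code authorization_code} grant type is refused.
     */
    @Test
    public void testAccessToken_nonDefaultPolicyActive_failsWhenIncompatibleRequest() throws Exception {
        setJsonRequest("POST", buildRequestMessage("https://example.org/cb", "\"grant_types\":[\"authorization_code\"]"));
        this.rpId = "mockDynRegClientAnotherProfilePolicy";
        this.request.addHeader("Authorization",
                buildRegistrationAccessToken(false, (String) null, (String[]) null).toAuthorizationHeader());
        assertErrorCode(launchFlow(), "invalid_client_metadata");
    }

    /**
     * With the {@code mockDynRegClientAnotherProfilePolicy} relying party, requesting the
     * {@code implicit} grant type succeeds and the grant type appears in the registered metadata.
     */
    @Test
    public void testAccessToken_nonDefaultPolicyActive_successWithCompatibleRequest() throws Exception {
        setJsonRequest("POST", buildRequestMessage("https://example.org/cb", "\"grant_types\":[\"implicit\"]"));
        this.rpId = "mockDynRegClientAnotherProfilePolicy";
        this.request.addHeader("Authorization",
                buildRegistrationAccessToken(false, (String) null, (String[]) null).toAuthorizationHeader());
        final FlowExecutionResult result = launchFlow();
        assertSuccessfulResponse(result, null);
        Assert.assertTrue(parseSuccessResponse(result, OIDCClientInformationResponse.class)
                .getOIDCClientInformation().getOIDCMetadata().getGrantTypes().contains(GrantType.IMPLICIT));
    }

    /**
     * Checks a successful registration response against what was persisted.
     *
     * <p>Asserts that the client id is {@code str} when one is given (otherwise only that an id is
     * present), that the stored record has the same id, secret, redirect URIs and policy URIs as
     * the response, that both language-tagged policy URIs from {@link #buildRequestMessage(String, String)}
     * survived, and that the issued client secret has no expiration date.</p>
     *
     * @param flowExecutionResult result of running the registration flow
     * @param str expected client id, or {@code null} when the id is server-generated
     * @throws Exception if the response or the stored record cannot be parsed
     */
    protected void assertSuccessfulResponse(FlowExecutionResult flowExecutionResult, String str) throws Exception {
        // Round-trip through JSON so the assertions run on what a client would actually receive.
        final OIDCClientInformation returned = OIDCClientInformation.parse(
                parseSuccessResponse(flowExecutionResult, OIDCClientInformationResponse.class)
                        .getOIDCClientInformation().toJSONObject());
        final OIDCClientMetadata returnedMetadata = returned.getOIDCMetadata();

        // TestNG order is (actual, expected); keeping it makes the failure message read correctly.
        if (str != null) {
            Assert.assertEquals(returned.getID().getValue(), str);
        } else {
            Assert.assertNotEquals(returned.getID().getValue(), str);
        }

        final String storedJson = this.storageService.read(CLIENT_INFO_CONTEXT, returned.getID().toString()).getValue();
        Assert.assertNotNull(storedJson);
        final OIDCClientInformation stored = OIDCClientInformation.parse(
                (JSONObject) new JSONParser(JSONParser.DEFAULT_PERMISSIVE_MODE).parse(storedJson));
        final OIDCClientMetadata storedMetadata = stored.getOIDCMetadata();

        Assert.assertEquals(stored.getID(), returned.getID());
        Assert.assertEquals(stored.getSecret(), returned.getSecret());
        Assert.assertEquals(storedMetadata.getRedirectionURIStrings(), returnedMetadata.getRedirectionURIStrings());
        Assert.assertTrue(returnedMetadata.getRedirectionURIStrings().contains("https://example.org/cb"));
        Assert.assertEquals(returnedMetadata.getPolicyURIEntries().size(), 2);
        try {
            Assert.assertEquals(returnedMetadata.getPolicyURI(LangTag.parse("fi")), new URI("https://policy.org/finnish"));
            Assert.assertEquals(returnedMetadata.getPolicyURI(LangTag.parse("en")), new URI("https://policy.org/english"));
        } catch (LangTagException | URISyntaxException e) {
            // Keep the cause so a broken fixture is distinguishable from a failed assertion.
            Assert.fail("Could not build the expected policy URI fixtures", e);
        }
        Assert.assertEquals(storedMetadata.getPolicyURIEntries(), returnedMetadata.getPolicyURIEntries());
        Assert.assertNull(returned.getSecret().getExpirationDate());
    }

    /**
     * Builds a sealed registration access token for the {@code Authorization} header.
     *
     * <p>The token is a JSON object with principal {@code jdoe}, type {@code rat}, a 30 second
     * lifetime, the current {@link #rpId}, an optional {@code client_id} (from {@link #clientId}),
     * the {@code replacement} flag and a {@code metadata} policy object. Values are concatenated
     * without JSON escaping, so every input must already be JSON-safe.</p>
     *
     * <p>NOTE(review): the decompiled listing computed all seven operands but bound them to the
     * wrong slots of the template and discarded the {@code replacement} flag and the policy
     * object. The binding below follows the order in which the operands were computed; confirm
     * against the upstream source.</p>
     *
     * @param z value of the token's {@code replacement} claim
     * @param str JSON array text for the {@code redirect_uris} {@code subset_of} policy, or
     *            {@code null} for no redirect URI policy
     * @param strArr names that get an empty ({@code {}}) policy entry, or {@code null} for none
     * @return the sealed token as a bearer access token
     * @throws Exception if the data sealer cannot be initialised or fails to wrap the token
     */
    protected BearerAccessToken buildRegistrationAccessToken(boolean z, String str, String... strArr) throws Exception {
        final StringBuilder metadataPolicy = new StringBuilder();
        if (strArr != null) {
            for (final String claimName : strArr) {
                if (metadataPolicy.length() > 0) {
                    metadataPolicy.append(",");
                }
                metadataPolicy.append("\"").append(claimName).append("\":{}");
            }
        }
        if (str != null) {
            if (metadataPolicy.length() > 0) {
                metadataPolicy.append(",");
            }
            metadataPolicy.append("\"redirect_uris\":{\"subset_of\":").append(str).append("}");
        }

        final Instant issuedAt = Instant.now();
        final Instant expiresAt = issuedAt.plusSeconds(30L);
        final String tokenId = this.idGenerator.generateIdentifier();
        // The fragment ends with a comma because it sits directly in front of "replacement".
        final String clientIdClaim = this.clientId != null ? "\"client_id\":\"" + this.clientId + "\"," : "";

        final String tokenJson = "{\"prncpl\":\"jdoe\",\"type\":\"rat\""
                + ",\"exp\":" + expiresAt.getEpochSecond()
                + ",\"iat\":" + issuedAt.getEpochSecond()
                + ",\"jti\":\"" + tokenId + "\""
                + ",\"rp_id\":\"" + this.rpId + "\","
                + clientIdClaim
                + "\"replacement\":" + Boolean.toString(z)
                + ",\"metadata\":{" + metadataPolicy + "}}";

        return new BearerAccessToken(BaseOIDCResponseActionTest.initializeDataSealer().wrap(tokenJson, expiresAt));
    }

    /**
     * Builds a registration request with one redirect URI and the two policy URIs.
     *
     * @param str redirect URI to register
     * @return the request body as JSON text
     */
    protected String buildRequestMessage(String str) {
        return buildRequestMessage(str, null);
    }

    /**
     * Builds a registration request with one redirect URI, an English and a Finnish
     * {@code policy_uri}, and optionally further members.
     *
     * @param str redirect URI to register
     * @param str2 extra JSON members (without enclosing braces) to append, or {@code null}
     * @return the request body as JSON text
     */
    protected String buildRequestMessage(String str, String str2) {
        final StringBuilder body = new StringBuilder("{ \"redirect_uris\":[\"" + str + "\"],")
                .append("\"policy_uri#en\":\"https://policy.org/english\",")
                .append("\"policy_uri#fi\":\"https://policy.org/finnish\"");
        if (str2 != null) {
            body.append(",").append(str2);
        }
        return body.append("}").toString();
    }

    /** Runs the registration flow once against the current mock request. */
    private FlowExecutionResult launchFlow() {
        return this.flowExecutor.launchExecution(FLOW_ID, (MutableAttributeMap) null, this.externalContext);
    }
}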
