package net.shibboleth.idp.plugin.oidc.op.profile.flow;

import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.langtag.LangTag;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.openid.connect.sdk.AuthenticationResponse;
import com.nimbusds.openid.connect.sdk.AuthenticationSuccessResponse;
import com.nimbusds.openid.connect.sdk.claims.ClaimRequirement;
import com.nimbusds.openid.connect.sdk.claims.ClaimsSetRequest;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.RSAPrivateKey;
import java.text.ParseException;
import java.util.List;
import net.shibboleth.idp.plugin.oidc.op.profile.flow.AbstractIssuedJWTSecurityTest;
import net.shibboleth.idp.plugin.oidc.op.token.support.AuthorizeCodeClaimsSet;
import net.shibboleth.utilities.java.support.collection.Pair;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import net.shibboleth.utilities.java.support.security.DataSealerException;
import org.springframework.webflow.core.collection.MutableAttributeMap;
import org.springframework.webflow.executor.FlowExecutionResult;
import org.testng.Assert;
import org.testng.annotations.Test;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/profile/flow/RequestObjectJWSTest.class */
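/**
 * Flow tests for JWS handling of the OIDC {@code request} parameter (request object) in the
 * authorize flow.
 *
 * <p>The request object is submitted under one of two registered clients: the inherited
 * {@code defaultClientId}, for which request-object signing is optional, or
 * {@code defaultClientIdSigningEnforced}, for which the OP must reject an unsigned or
 * wrongly-signed request object. The {@code signingOptional} constructor flag selects which
 * client the test runs against, so the same scenarios can be asserted to succeed for one
 * registration and to end in the error view for the other.</p>
 *
 * <p>Note: this class was reconstructed from a compiled test class; several overriding
 * methods are {@code public} where the base class declares them {@code protected}.</p>
 */
public class RequestObjectJWSTest extends IssuedSignedJWTTest {

    /** Redirect URI registered for the client under test and expected back in the response. */
    private static final String REDIRECT_URI = "https://example.org/cb";

    /** Client id whose metadata requires request objects to be signed. */
    String defaultClientIdSigningEnforced;

    /** True to run against the client for which request-object signing is optional. */
    private final boolean signingOptional;

    /**
     * Constructor.
     *
     * @param z whether request-object signing is optional for the client under test
     */
    public RequestObjectJWSTest(boolean z) {
        super(AbstractIssuedJWTSecurityTest.JWT_FETCHING_TYPE.REQUEST_OBJECT, AuthorizeFlowTest.FLOW_ID);
        this.defaultClientIdSigningEnforced = "mockClientIdRequestObjectSigningEnforced";
        this.signingOptional = z;
    }

    /**
     * Unsigned (plain) request object: accepted only when signing is optional for the client,
     * rejected with the error view when the client registration enforces signing.
     *
     * @throws Exception on any unexpected failure
     */
    @Override // net.shibboleth.idp.plugin.oidc.op.profile.flow.IssuedSignedJWTTest
    @Test
    public void testJwtSecurity_jwtSigAlgAndEncNotSpecified() throws Exception {
        final JWT plainRequestObject = obtainJwt(null);
        final String serialized = plainRequestObject.serialize();
        if (this.signingOptional) {
            assertSuccessRequestObjectResponse(serialized, null, this.defaultClientSecret64B, null);
        } else {
            assertErrorRequestObjectResponse(serialized, null, this.defaultClientSecret64B, null);
        }
    }

    /**
     * Builds a request object signed with the default client secret (HMAC) or the
     * algorithm-matching private key; a null algorithm yields a plain JWT.
     *
     * @param jWSAlgorithm signing algorithm, or null for an unsigned request object
     * @return the request object
     */
    @Override // net.shibboleth.idp.plugin.oidc.op.profile.flow.AbstractIssuedJWTSecurityTest
    public JWT obtainJwt(JWSAlgorithm jWSAlgorithm) {
        return obtainJwt(this.defaultClientSecret64B, jWSAlgorithm);
    }

    /**
     * Builds a request object for the given client secret and algorithm.
     *
     * @param str client secret used for HMAC algorithms
     * @param jWSAlgorithm signing algorithm, or null for an unsigned request object
     * @return the request object
     */
    @Override // net.shibboleth.idp.plugin.oidc.op.profile.flow.AbstractIssuedJWTSecurityTest
    public JWT obtainJwt(String str, JWSAlgorithm jWSAlgorithm) {
        return obtainRequestObject(str, jWSAlgorithm);
    }

    /**
     * Asserts that the flow ends in the error view for a request object signed with
     * {@code jWSAlgorithm}. The {@code str}, {@code jWEAlgorithm}, {@code encryptionMethod}
     * and {@code jwt_fetching_type} arguments are not used for request objects.
     *
     * @param str unused
     * @param str2 client secret stored in the client metadata
     * @param publicKey key published in the client's JWK set, or null
     * @param jWSAlgorithm signing algorithm registered for the client and used to sign
     * @param jWEAlgorithm unused
     * @param encryptionMethod unused
     * @param jwt_fetching_type unused
     */
    @Override // net.shibboleth.idp.plugin.oidc.op.profile.flow.AbstractIssuedJWTSecurityTest
    public void assertNoJwtResponse(String str, String str2, PublicKey publicKey, JWSAlgorithm jWSAlgorithm, JWEAlgorithm jWEAlgorithm, EncryptionMethod encryptionMethod, AbstractIssuedJWTSecurityTest.JWT_FETCHING_TYPE jwt_fetching_type) {
        final JWT requestObject = obtainRequestObject(this.defaultClientSecret64B, jWSAlgorithm);
        assertErrorRequestObjectResponse(requestObject.serialize(), jWSAlgorithm, str2, publicKey);
    }

    /**
     * Asserts that a request object signed with an algorithm the OP excludes is rejected.
     *
     * @param str unused
     * @param str2 client secret used for signing and stored in the client metadata
     * @param publicKey key published in the client's JWK set, or null
     * @param jWSAlgorithm the excluded signing algorithm
     * @throws ParseException declared by the overridden method
     * @throws DataSealerException declared by the overridden method
     * @throws IOException declared by the overridden method
     */
    @Override // net.shibboleth.idp.plugin.oidc.op.profile.flow.IssuedSignedJWTTest
    protected void assertExcludedAlgorithm(String str, String str2, PublicKey publicKey, JWSAlgorithm jWSAlgorithm) throws ParseException, DataSealerException, IOException {
        final JWT requestObject = obtainJwt(str2, jWSAlgorithm);
        assertErrorRequestObjectResponse(requestObject.serialize(), jWSAlgorithm, str2, publicKey);
    }

    /**
     * Runs the authorize flow with the given request object and asserts that it ends in
     * the error view.
     *
     * @param requestObject serialized request object passed as the {@code request} parameter
     * @param jwsAlgorithm algorithm registered as the client's request-object JWS algorithm
     * @param clientSecret client secret stored in the client metadata
     * @param publicKey key published in the client's JWK set, or null for none
     */
    protected void assertErrorRequestObjectResponse(String requestObject, JWSAlgorithm jwsAlgorithm, String clientSecret, PublicKey publicKey) {
        try {
            final FlowExecutionResult result = launchRequestObjectFlow(requestObject, jwsAlgorithm, clientSecret, publicKey);
            Assert.assertEquals(result.getOutcome().getId(), "ErrorView");
        } catch (IOException | URISyntaxException e) {
            // Keep the cause: a bare fail() hid why the flow could not be set up or run.
            Assert.fail("Could not set up or run the authorize flow", e);
        }
    }

    /**
     * Runs the authorize flow with the given request object and asserts a successful
     * code-flow response. When a request object was supplied, the essential claims it
     * requested are additionally expected to be carried inside the issued authorization
     * code.
     *
     * @param requestObject serialized request object passed as the {@code request} parameter
     * @param jwsAlgorithm algorithm registered as the client's request-object JWS algorithm
     * @param clientSecret client secret stored in the client metadata
     * @param publicKey key published in the client's JWK set, or null for none
     */
    protected void assertSuccessRequestObjectResponse(String requestObject, JWSAlgorithm jwsAlgorithm, String clientSecret, PublicKey publicKey) {
        try {
            final FlowExecutionResult result = launchRequestObjectFlow(requestObject, jwsAlgorithm, clientSecret, publicKey);
            final AuthenticationSuccessResponse successResponse =
                    parseSuccessResponse(result, AuthenticationResponse.class).toSuccessResponse();
            Assert.assertEquals(successResponse.getRedirectionURI().toString(), REDIRECT_URI);
            // Code flow: only an authorization code is expected in the front-channel response.
            Assert.assertNull(successResponse.getIDToken());
            Assert.assertNull(successResponse.getAccessToken());
            Assert.assertNotNull(successResponse.getAuthorizationCode());
            Assert.assertNull(successResponse.getIssuer());
            try {
                final AuthorizeCodeClaimsSet codeClaims =
                        AuthorizeCodeClaimsSet.parse(successResponse.getAuthorizationCode().getValue(), getDataSealer());
                if (StringSupport.trimOrNull(requestObject) != null) {
                    assertEssentialClaimsRequested(codeClaims);
                }
            } catch (ParseException | DataSealerException e) {
                Assert.fail("Could not create an authorize code", e);
            }
        } catch (IOException | URISyntaxException e2) {
            // Keep the cause: a bare fail() hid why the flow could not be set up or run.
            Assert.fail("Could not set up or run the authorize flow", e2);
        }
    }

    /**
     * Prepares the GET authorize request carrying {@code requestObject}, stores client metadata
     * for the client under test, runs the flow and removes the metadata again.
     *
     * <p>The client id is chosen by {@code signingOptional}; the metadata gets
     * {@code jwsAlgorithm} as request-object JWS algorithm and, when given, {@code publicKey}
     * as its JWK set.</p>
     *
     * @param requestObject serialized request object passed as the {@code request} parameter
     * @param jwsAlgorithm algorithm registered as the client's request-object JWS algorithm
     * @param clientSecret client secret stored in the client metadata
     * @param publicKey key published in the client's JWK set, or null for none
     * @return the flow execution result
     * @throws IOException if the metadata could not be stored or removed
     * @throws URISyntaxException if the redirect URI could not be built
     */
    private FlowExecutionResult launchRequestObjectFlow(String requestObject, JWSAlgorithm jwsAlgorithm, String clientSecret, PublicKey publicKey) throws IOException, URISyntaxException {
        this.request.setMethod("GET");
        final String clientId = clientIdUnderTest();
        AuthorizeFlowTest.setRequestParameters(this.request, List.of(
                new Pair("client_id", clientId),
                new Pair("response_type", "code"),
                new Pair("scope", "openid profile"),
                new Pair("redirect_uri", REDIRECT_URI),
                new Pair("request", requestObject)));
        initializeThreadLocals();
        final OIDCClientMetadata metadata = buildMetadataSkeleton();
        metadata.setScope(new Scope(new String[]{"openid"}));
        metadata.setRequestObjectJWSAlg(jwsAlgorithm);
        if (publicKey != null) {
            metadata.setJWKSet(IssuedSignedJWTTest.buildJWKSet(publicKey));
        }
        metadata.setRedirectionURI(new URI(REDIRECT_URI));
        storeMetadataObject(this.storageService, clientId, clientSecret, metadata);
        setBasicAuth("jdoe", "changeit");
        try {
            return this.flowExecutor.launchExecution(this.flowId, (MutableAttributeMap) null, this.externalContext);
        } finally {
            // Always clean up so a failing flow does not leave metadata for later tests.
            removeMetadata(this.storageService, clientId);
        }
    }

    /**
     * Asserts that the essential {@code family_name} (userinfo) and {@code given_name}
     * (ID token) claims requested by the request object payload were carried into the
     * authorization code.
     *
     * @param codeClaims the parsed authorization code claims
     */
    private static void assertEssentialClaimsRequested(AuthorizeCodeClaimsSet codeClaims) {
        Assert.assertNotNull(codeClaims.getClaimsRequest());
        Assert.assertNotNull(codeClaims.getClaimsRequest().getIDTokenClaimsRequest());
        Assert.assertNotNull(codeClaims.getClaimsRequest().getUserInfoClaimsRequest());
        Assert.assertTrue(codeClaims.getClaimsRequest().getUserInfoClaimsRequest().getClaimNames(false).contains("family_name"));
        Assert.assertTrue(codeClaims.getClaimsRequest().getIDTokenClaimsRequest().getClaimNames(false).contains("given_name"));
        final ClaimsSetRequest.Entry familyName = codeClaims.getClaimsRequest().getUserInfoClaimsRequest().get("family_name", (LangTag) null);
        Assert.assertEquals(familyName.getClaimName(), "family_name");
        Assert.assertEquals(familyName.getClaimRequirement(), ClaimRequirement.ESSENTIAL);
        final ClaimsSetRequest.Entry givenName = codeClaims.getClaimsRequest().getIDTokenClaimsRequest().get("given_name", (LangTag) null);
        Assert.assertEquals(givenName.getClaimName(), "given_name");
        Assert.assertEquals(givenName.getClaimRequirement(), ClaimRequirement.ESSENTIAL);
    }

    /**
     * Returns the client id the scenario runs against: the signing-optional client or the
     * signing-enforced one.
     *
     * @return the client id
     */
    private String clientIdUnderTest() {
        return this.signingOptional ? this.defaultClientId : this.defaultClientIdSigningEnforced;
    }

    /**
     * Asserts a successful response for a signed request object.
     *
     * @param jwt the signed request object
     * @param jWSAlgorithm algorithm registered for the client
     * @param publicKey key published in the client's JWK set, or null
     * @param str client secret stored in the client metadata
     */
    @Override // net.shibboleth.idp.plugin.oidc.op.profile.flow.AbstractIssuedJWTSecurityTest
    protected void assertSignedJwt(JWT jwt, JWSAlgorithm jWSAlgorithm, PublicKey publicKey, String str) {
        assertSuccessRequestObjectResponse(jwt.serialize(), jWSAlgorithm, str, publicKey);
    }

    /**
     * Builds a request object whose payload carries a claims request for the client under
     * test and {@link #REDIRECT_URI}, signed (or not) according to {@code jWSAlgorithm}.
     *
     * @param str client secret used for HMAC algorithms
     * @param jWSAlgorithm signing algorithm, or null for a plain JWT
     * @return the request object, or null for an unsupported algorithm family
     */
    protected JWT obtainRequestObject(String str, JWSAlgorithm jWSAlgorithm) {
        final String payload = AuthorizeFlowTest.getRequestObjectWithClaimsRequestPayload(clientIdUnderTest(), REDIRECT_URI);
        return processJwsForRequestObject(jWSAlgorithm, payload, str, getSigningKey(jWSAlgorithm));
    }

    /**
     * Selects the test private key matching an EC algorithm, falling back to the RSA key for
     * every other algorithm (including HMAC, where the key is not used for signing).
     *
     * @param jWSAlgorithm the signing algorithm
     * @return the private key
     */
    protected static PrivateKey getSigningKey(JWSAlgorithm jWSAlgorithm) {
        if (JWSAlgorithm.ES256.equals(jWSAlgorithm)) {
            return loadESSigningCredential().getPrivateKey();
        }
        if (JWSAlgorithm.ES384.equals(jWSAlgorithm)) {
            return loadES384SigningCredential().getPrivateKey();
        }
        if (JWSAlgorithm.ES512.equals(jWSAlgorithm)) {
            return loadES512SigningCredential().getPrivateKey();
        }
        return loadRSSigningCredential().getPrivateKey();
    }

    /**
     * Wraps a request object payload into a JWT: plain when no algorithm is given, signed with
     * the private key for EC and RSA families, or with the client secret for HMAC.
     *
     * @param jWSAlgorithm signing algorithm, or null for a plain JWT
     * @param str the JSON claims payload
     * @param str2 client secret for HMAC algorithms, may be null
     * @param privateKey private key for asymmetric algorithms
     * @return the JWT, or null when the algorithm family is unsupported or HMAC has no secret
     */
    protected static JWT processJwsForRequestObject(JWSAlgorithm jWSAlgorithm, String str, String str2, PrivateKey privateKey) {
        try {
            final JWTClaimsSet claims = JWTClaimsSet.parse(str);
            if (jWSAlgorithm == null) {
                return new PlainJWT(claims);
            }
            if (JWSAlgorithm.Family.EC.contains(jWSAlgorithm)) {
                return createPrivateKeyJWT(claims, (ECPrivateKey) privateKey, jWSAlgorithm);
            }
            if (JWSAlgorithm.Family.RSA.contains(jWSAlgorithm)) {
                return createPrivateKeyJWT(claims, (RSAPrivateKey) privateKey, jWSAlgorithm);
            }
            if (JWSAlgorithm.Family.HMAC_SHA.contains(jWSAlgorithm) && str2 != null) {
                return createSecretJWT(claims, str2, jWSAlgorithm);
            }
            return null;
        } catch (JOSEException | ParseException e) {
            Assert.fail(e.getMessage(), e);
            return null;
        }
    }
}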
