package net.shibboleth.oidc.security.jose.impl;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.AsymmetricJWK;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.gen.ECKeyGenerator;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.openid.connect.sdk.SubjectType;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.RSAPrivateKey;
import java.time.Duration;
import java.util.List;
import java.util.stream.Collectors;
import net.shibboleth.oidc.profile.config.impl.DefaultOIDCAuthorizationConfiguration;
import net.shibboleth.oidc.security.credential.BasicExpiringJWKCredential;
import net.shibboleth.oidc.security.credential.DefaultClientSecretCredential;
import net.shibboleth.oidc.security.credential.JWKCredential;
import net.shibboleth.oidc.security.jose.SignatureSigningParameters;
import net.shibboleth.oidc.security.jose.criterion.ClientSecretCredentialCriterion;
import net.shibboleth.oidc.security.jose.criterion.ProviderMetadataCriterion;
import net.shibboleth.oidc.security.jose.criterion.SignatureSigningConfigurationCriterion;
import net.shibboleth.profile.context.RelyingPartyContext;
import net.shibboleth.profile.relyingparty.BasicRelyingPartyConfiguration;
import net.shibboleth.shared.collection.CollectionSupport;
import net.shibboleth.shared.resolver.CriteriaSet;
import net.shibboleth.shared.resolver.ResolverException;
import org.opensaml.core.config.InitializationException;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.UsageType;
import org.opensaml.xmlsec.config.GlobalAlgorithmRegistryInitializer;
import org.testng.Assert;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;

/* loaded from: input_file:net/shibboleth/oidc/security/jose/impl/RelyingPartySigningParametersResolverTest.class */
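/**
 * Unit tests for {@link RelyingPartySigningParametersResolver}.
 *
 * <p>Every test builds a {@link CriteriaSet} holding a signing configuration (the algorithms the
 * relying party is willing to use), a client-secret credential and, optionally, provider metadata
 * listing the request-object signing algorithms the OP advertises. The tests then check whether
 * the resolver yields signing parameters, and with which kind of key.</p>
 *
 * <p>The negative tests matter from a security point of view: they pin that an algorithm on the
 * exclude list, absent from the include list, or not advertised by the OP does not produce
 * signing parameters.</p>
 */
public class RelyingPartySigningParametersResolverTest {

    /**
     * Test-only client secret of 32 ASCII characters (256 bits), which is the minimum HMAC key
     * size RFC 7518 requires for HS256. Fixture value; not a real credential.
     */
    private static final String CLIENT_SECRET_256 = "!A%D*G-KaPdSgVkYp3s6v8y/B?E(H+Mb";

    /** Resolver under test, recreated for every test method. */
    private RelyingPartySigningParametersResolver resolver;

    /** Relying-party context attached to {@link #prc}. */
    private RelyingPartyContext rpc;

    /** Profile request context that owns {@link #rpc}. */
    protected ProfileRequestContext prc;

    /** Profile configuration installed on {@link #rpc}. */
    private DefaultOIDCAuthorizationConfiguration oidcAuthzConfig;

    /**
     * Creates a fresh resolver and context tree and initialises the global algorithm registry.
     *
     * @throws Exception if the fixture cannot be built
     */
    @BeforeMethod
    public void setup() throws Exception {
        this.prc = new ProfileRequestContext();
        this.resolver = new RelyingPartySigningParametersResolver();
        this.rpc = this.prc.ensureSubcontext(RelyingPartyContext.class);
        this.oidcAuthzConfig = new DefaultOIDCAuthorizationConfiguration();
        final BasicRelyingPartyConfiguration relyingPartyConfiguration = new BasicRelyingPartyConfiguration();
        this.rpc.setProfileConfig(this.oidcAuthzConfig);
        this.rpc.setConfiguration(relyingPartyConfiguration);
        // The OP-side algorithm list is taken from the request-object JWS algorithms in the metadata.
        this.resolver.setProviderMetadataAlgorithmLookupStrategy(metadata ->
                metadata.getRequestObjectJWSAlgs().stream()
                        .map(JWSAlgorithm::getName)
                        .collect(Collectors.toList()));
        try {
            new GlobalAlgorithmRegistryInitializer().init();
        } catch (final InitializationException e) {
            // Keep the cause: a bare fail() hides why the algorithm registry could not be set up.
            Assert.fail("Global algorithm registry initialization failed", e);
        }
    }

    /**
     * HS256 is configured and a client secret is available: a secret-key credential is resolved.
     *
     * @throws ResolverException if resolution fails
     */
    @Test
    public void testResolveSuccess_StaticCredentials() throws ResolverException {
        final CriteriaSet criteria = buildCriteriaWithClientSecret(CollectionSupport.singletonList("HS256"));
        final Credential signingCredential = resolveFirstSigningCredential(criteria);
        Assert.assertNotNull(signingCredential.getSecretKey());
    }

    /**
     * Only RS256 is configured but the only credential is a client secret: nothing is resolved.
     *
     * @throws ResolverException if resolution fails
     */
    @Test
    public void testResolveFail_StaticCredentials_UnsupportedMethod() throws ResolverException {
        final CriteriaSet criteria = buildCriteriaWithClientSecret(CollectionSupport.singletonList("RS256"));
        assertNothingResolved(criteria);
    }

    /**
     * RS256 and HS256 are configured, only a client secret is available: a secret-key credential
     * is resolved.
     *
     * @throws ResolverException if resolution fails
     */
    @Test
    public void testResolveSuccess_StaticCredentials_ConfigSupportsOne() throws ResolverException {
        final CriteriaSet criteria = buildCriteriaWithClientSecret(CollectionSupport.listOf("RS256", "HS256"));
        final Credential signingCredential = resolveFirstSigningCredential(criteria);
        Assert.assertNotNull(signingCredential.getSecretKey());
    }

    /**
     * The OP advertises only HS256 and a client secret is available: a secret-key credential is
     * resolved.
     *
     * @throws ResolverException if resolution fails
     * @throws URISyntaxException if the fixture URI is invalid
     */
    @Test
    public void testResolveSuccess_StaticCredentials_OPSupportsOne() throws ResolverException, URISyntaxException {
        final CriteriaSet criteria = buildCriteriaWithClientSecret(CollectionSupport.listOf("RS256", "HS256"));
        criteria.add(new ProviderMetadataCriterion(
                providerMetadataAdvertising(CollectionSupport.singletonList(JWSAlgorithm.HS256))));
        final Credential signingCredential = resolveFirstSigningCredential(criteria);
        Assert.assertNotNull(signingCredential.getSecretKey());
    }

    /**
     * The OP advertises only EdDSA, which the configuration does not list: nothing is resolved.
     *
     * <p>Despite the "Success" in the method name, the expected outcome is an empty result; the
     * name is kept so existing test reports stay comparable.</p>
     *
     * @throws ResolverException if resolution fails
     * @throws URISyntaxException if the fixture URI is invalid
     */
    @Test
    public void testResolveSuccess_StaticCredentials_OPSupportsNone() throws ResolverException, URISyntaxException {
        final CriteriaSet criteria = buildCriteriaWithClientSecret(CollectionSupport.listOf("RS256", "HS256"));
        criteria.add(new ProviderMetadataCriterion(
                providerMetadataAdvertising(CollectionSupport.singletonList(JWSAlgorithm.EdDSA))));
        assertNothingResolved(criteria);
    }

    /**
     * The OP advertises only RS256 and a 2048-bit RSA signing credential is configured: the
     * resolved credential carries an RSA private key.
     *
     * @throws Exception if key generation or resolution fails
     */
    @Test
    public void testResolveSuccess_RSACredentials_OPSupportsOne() throws Exception {
        final CriteriaSet criteria = buildCriteriaWithClientSecret(CollectionSupport.listOf("RS256", "HS256"));
        final JWK rsaKey = new RSAKeyGenerator(2048).keyID("1").keyUse(KeyUse.SIGNATURE).generate();
        firstSigningConfiguration(criteria)
                .setSigningCredentials(CollectionSupport.singletonList(createSigningCredential(rsaKey)));
        criteria.add(new ProviderMetadataCriterion(
                providerMetadataAdvertising(CollectionSupport.singletonList(JWSAlgorithm.RS256))));
        final Credential signingCredential = resolveFirstSigningCredential(criteria);
        Assert.assertNotNull(signingCredential.getPrivateKey());
        Assert.assertTrue(signingCredential.getPrivateKey() instanceof RSAPrivateKey);
    }

    /**
     * The OP advertises ES256 and RS256 and a P-256 signing credential is configured: the
     * resolved credential carries an EC private key.
     *
     * @throws Exception if key generation or resolution fails
     */
    @Test
    public void testResolveSuccess_ECCredentials_OPSupportsTwo() throws Exception {
        final CriteriaSet criteria =
                buildCriteriaWithClientSecret(CollectionSupport.listOf(new String[]{"RS256", "HS256", "ES256"}));
        final JWK ecKey = new ECKeyGenerator(Curve.P_256).keyID("123").generate();
        firstSigningConfiguration(criteria)
                .setSigningCredentials(CollectionSupport.singletonList(createSigningCredential(ecKey)));
        criteria.add(new ProviderMetadataCriterion(
                providerMetadataAdvertising(CollectionSupport.listOf(JWSAlgorithm.ES256, JWSAlgorithm.RS256))));
        final Credential signingCredential = resolveFirstSigningCredential(criteria);
        Assert.assertNotNull(signingCredential.getPrivateKey());
        Assert.assertTrue(signingCredential.getPrivateKey() instanceof ECPrivateKey);
    }

    /**
     * HS256 is configured and advertised by the OP but also on the exclude list: nothing is
     * resolved.
     *
     * @throws Exception if resolution fails
     */
    @Test
    public void testResolveFail_AlgorithmExcluded() throws Exception {
        final CriteriaSet criteria = buildCriteriaWithClientSecret(CollectionSupport.singletonList("HS256"));
        firstSigningConfiguration(criteria).setExcludedAlgorithms(CollectionSupport.singletonList("HS256"));
        criteria.add(new ProviderMetadataCriterion(
                providerMetadataAdvertising(CollectionSupport.singletonList(JWSAlgorithm.HS256))));
        assertNothingResolved(criteria);
    }

    /**
     * HS256 is configured and advertised by the OP but the include list names only HS512:
     * nothing is resolved.
     *
     * @throws Exception if resolution fails
     */
    @Test
    public void testResolveFail_AlgorithmNotInIncludeList() throws Exception {
        final CriteriaSet criteria = buildCriteriaWithClientSecret(CollectionSupport.singletonList("HS256"));
        firstSigningConfiguration(criteria).setIncludedAlgorithms(CollectionSupport.singletonList("HS512"));
        criteria.add(new ProviderMetadataCriterion(
                providerMetadataAdvertising(CollectionSupport.singletonList(JWSAlgorithm.HS256))));
        assertNothingResolved(criteria);
    }

    /**
     * Builds a criteria set holding one signing configuration with the given algorithms.
     *
     * @param list signature algorithm names to configure
     * @return the new criteria set
     */
    private CriteriaSet buildCriteria(List<String> list) {
        final CriteriaSet criteria = new CriteriaSet();
        final BasicSignatureSigningConfiguration configuration = new BasicSignatureSigningConfiguration();
        configuration.setSignatureAlgorithms(list);
        criteria.add(new SignatureSigningConfigurationCriterion(CollectionSupport.singletonList(configuration)));
        return criteria;
    }

    /**
     * Builds the criteria of {@link #buildCriteria(List)} and adds the test client secret.
     *
     * @param algorithms signature algorithm names to configure
     * @return the new criteria set
     */
    private CriteriaSet buildCriteriaWithClientSecret(final List<String> algorithms) {
        final CriteriaSet criteria = buildCriteria(algorithms);
        criteria.add(new ClientSecretCredentialCriterion(new DefaultClientSecretCredential(CLIENT_SECRET_256)));
        return criteria;
    }

    /**
     * Returns the first signing configuration stored in the criteria set.
     *
     * @param criteria criteria built by {@link #buildCriteria(List)}
     * @return the first configuration, never {@code null}
     */
    private static BasicSignatureSigningConfiguration firstSigningConfiguration(final CriteriaSet criteria) {
        final SignatureSigningConfigurationCriterion criterion =
                (SignatureSigningConfigurationCriterion) criteria.get(SignatureSigningConfigurationCriterion.class);
        // Checked unconditionally, so the test fails clearly even when the JVM runs without -ea.
        Assert.assertNotNull(criterion);
        return (BasicSignatureSigningConfiguration) criterion.getConfigurations().get(0);
    }

    /**
     * Builds provider metadata that advertises the given request-object signing algorithms.
     *
     * @param algorithms algorithms the OP is said to accept
     * @return the metadata fixture
     * @throws URISyntaxException if the fixture URI is invalid
     */
    private static OIDCProviderMetadata providerMetadataAdvertising(final List<JWSAlgorithm> algorithms)
            throws URISyntaxException {
        final OIDCProviderMetadata metadata = new OIDCProviderMetadata(new Issuer("test"),
                CollectionSupport.singletonList(SubjectType.PUBLIC), new URI("nowhere"));
        metadata.setRequestObjectJWSAlgs(algorithms);
        return metadata;
    }

    /**
     * Resolves signing parameters and returns the credential of the first result.
     *
     * @param criteria criteria to resolve
     * @return the signing credential of the first result, never {@code null}
     * @throws ResolverException if resolution fails
     */
    private Credential resolveFirstSigningCredential(final CriteriaSet criteria) throws ResolverException {
        final Iterable<?> resolved = this.resolver.resolve(criteria);
        Assert.assertNotNull(resolved);
        Assert.assertTrue(resolved.iterator().hasNext());
        final Credential signingCredential =
                ((SignatureSigningParameters) resolved.iterator().next()).getSigningCredential();
        // Checked unconditionally, so the test fails clearly even when the JVM runs without -ea.
        Assert.assertNotNull(signingCredential);
        return signingCredential;
    }

    /**
     * Resolves signing parameters and asserts that the result is non-null but empty.
     *
     * @param criteria criteria to resolve
     * @throws ResolverException if resolution fails
     */
    private void assertNothingResolved(final CriteriaSet criteria) throws ResolverException {
        final Iterable<?> resolved = this.resolver.resolve(criteria);
        Assert.assertNotNull(resolved);
        Assert.assertFalse(resolved.iterator().hasNext());
    }

    /**
     * Wraps an asymmetric JWK (RSA or EC in these tests) in a signing credential.
     *
     * @param jwk key to wrap; must implement {@link AsymmetricJWK}
     * @return a credential holding both halves of the key pair
     * @throws JOSEException if the key material cannot be converted
     */
    private JWKCredential createSigningCredential(final JWK jwk) throws JOSEException {
        Assert.assertTrue(jwk instanceof AsymmetricJWK);
        final AsymmetricJWK keyPair = (AsymmetricJWK) jwk;
        final BasicExpiringJWKCredential credential = new BasicExpiringJWKCredential();
        credential.setPrivateKey(keyPair.toPrivateKey());
        credential.setPublicKey(keyPair.toPublicKey());
        // NOTE(review): what Duration.ZERO means to the credential is not visible here; confirm.
        credential.setCredentialExpiresAt(Duration.ZERO);
        credential.setUsageType(UsageType.SIGNING);
        credential.setKid(jwk.getKeyID());
        credential.getKeyNames().add("mockKey");
        // The generators in this class never set an algorithm, so this is likely null; verify.
        credential.setAlgorithm(jwk.getAlgorithm());
        return credential;
    }
}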
