package net.shibboleth.oidc.security.jwt.claims.impl;

import com.nimbusds.jwt.JWTClaimsSet;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import java.util.Set;
import net.shibboleth.oidc.jwt.claims.AbstractClaimsValidator;
import net.shibboleth.oidc.jwt.claims.ClaimsValidator;
import net.shibboleth.oidc.jwt.claims.JWTValidationException;
import net.shibboleth.shared.component.ComponentInitializationException;
import org.opensaml.profile.context.ProfileRequestContext;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;

/* loaded from: input_file:net/shibboleth/oidc/security/jwt/claims/impl/ChainingJWTClaimsValidatorTest.class */
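/**
 * Tests for {@link ChainingJWTClaimsValidator}: initialization rules, all-of versus any-of
 * chaining, nesting, and an end-to-end chain of the concrete claim validators.
 *
 * <p>Each {@code validationFailed*} test starts from the token built by {@link #validClaims()} and
 * changes exactly one claim, so the claim that makes the chain reject the token is visible at the
 * call site.
 *
 * <p>NOTE(review): the negative tests only assert the exception type
 * ({@link JWTValidationException}), not which validator raised it, so a test could still pass if
 * the token were rejected for a different reason than its name says. No test here presents a wrong
 * audience, a missing required claim, or an issued-at time in the future.
 */
public class ChainingJWTClaimsValidatorTest extends AbstractClaimsValidatorTest {
    /** Fully configured chain built in {@link #setup()} and used by the validation tests. */
    private ChainingJWTClaimsValidator validation;

    /** Validators handed to {@link #validation}, in the order they were added. */
    private List<ClaimsValidator> validators;

    /**
     * Builds the chain under test: audience, not-before, expiry, issued-at, username match,
     * authentication time, nonce match and required-claims validators.
     *
     * @throws ComponentInitializationException if any validator or the chain fails to initialize
     */
    @Override
    @BeforeMethod
    public void setup() throws ComponentInitializationException {
        super.setup();
        validation = new ChainingJWTClaimsValidator();
        validation.setId("test");
        validators = new ArrayList<>();

        AudienceClaimsValidator audienceValidator = new AudienceClaimsValidator();
        audienceValidator.setAudienceLookupStrategy((ctx, claims) -> "audience");
        audienceValidator.setId("audience-check");
        audienceValidator.initialize();
        validators.add(audienceValidator);

        NotBeforeClaimsValidator notBeforeValidator = new NotBeforeClaimsValidator();
        notBeforeValidator.setId("nbf-validator");
        notBeforeValidator.setClockSkew(Duration.ofMinutes(1L));
        notBeforeValidator.initialize();
        validators.add(notBeforeValidator);

        ExpiryClaimsValidator expiryValidator = new ExpiryClaimsValidator();
        expiryValidator.setId("exp-validator");
        expiryValidator.setClockSkew(Duration.ofMinutes(1L));
        expiryValidator.initialize();
        validators.add(expiryValidator);

        IssuedAtClaimsValidator issuedAtValidator = new IssuedAtClaimsValidator();
        issuedAtValidator.setId("iat-validator");
        issuedAtValidator.initialize();
        validators.add(issuedAtValidator);

        ExactMatchClaimsValidator usernameValidator = new ExactMatchClaimsValidator();
        usernameValidator.setId("username-validation");
        usernameValidator.setClaimName("username");
        usernameValidator.setValueToMatchLookupStrategy((ctx, claims) -> "jdoe");
        usernameValidator.initialize();
        validators.add(usernameValidator);

        AuthenticationTimeClaimsValidator authTimeValidator = new AuthenticationTimeClaimsValidator();
        authTimeValidator.setId("auth-time-validator");
        authTimeValidator.setAuthnLifetime(Duration.ofMinutes(1L));
        authTimeValidator.setRequested(ctx -> true);
        authTimeValidator.initialize();
        validators.add(authTimeValidator);

        ExactMatchClaimsValidator nonceValidator = new ExactMatchClaimsValidator();
        nonceValidator.setId("nonce-validator");
        nonceValidator.setActivationCondition((ctx, claims) -> true);
        nonceValidator.setClaimName(IDTokenClaims.NONCE.getClaimName());
        nonceValidator.setValueToMatchLookupStrategy((ctx, claims) -> "nonce");
        // NOTE(review): unlike every other validator in this chain, this one is added without an
        // initialize() call. Left as found; confirm whether that is intended.
        validators.add(nonceValidator);

        RequiredClaimsValidator requiredValidator = new RequiredClaimsValidator();
        requiredValidator.setId("required-claims-validator");
        requiredValidator.setRequiredClaims(Set.of("iss", "sub", "aud", "exp", "iat"));
        requiredValidator.initialize();
        validators.add(requiredValidator);

        validation.setClaimValidators(validators);
        validation.initialize();
    }

    /** A validator whose {@code doValidate} does nothing, i.e. it accepts every claims set. */
    private static AbstractClaimsValidator passingValidator() {
        return new AbstractClaimsValidator() {
            @Override
            protected void doValidate(JWTClaimsSet claims, ProfileRequestContext ctx)
                    throws JWTValidationException {
                // Intentionally empty: accepts everything.
            }
        };
    }

    /** A validator whose {@code doValidate} always throws {@link JWTValidationException}. */
    private static AbstractClaimsValidator failingValidator() {
        return new AbstractClaimsValidator() {
            @Override
            protected void doValidate(JWTClaimsSet claims, ProfileRequestContext ctx)
                    throws JWTValidationException {
                throw new JWTValidationException("failure");
            }
        };
    }

    /**
     * Returns the authentication-time claim value for an authentication that happened the given
     * number of seconds ago, as epoch seconds.
     */
    private static Long authTimeSecondsAgo(long seconds) {
        return Long.valueOf(Instant.now().minusSeconds(seconds).getEpochSecond());
    }

    /**
     * Returns a builder pre-populated with the claims that {@link #validationSuccess()} expects
     * the chain from {@link #setup()} to accept. Negative tests overwrite a single claim on it.
     */
    private static JWTClaimsSet.Builder validClaims() {
        Instant now = Instant.now();
        return new JWTClaimsSet.Builder()
                .issuer("issuer")
                .subject("jdoe")
                .expirationTime(Date.from(now.plus(Duration.ofMinutes(10L))))
                .audience("audience")
                .notBeforeTime(Date.from(now.minus(Duration.ofMinutes(1L))))
                .issueTime(Date.from(now))
                .claim(IDTokenClaims.AUTHENTICATION_TIME.getClaimName(), authTimeSecondsAgo(30L))
                .claim("username", "jdoe")
                .claim(IDTokenClaims.NONCE.getClaimName(), "nonce");
    }

    /** A chain on which {@code setClaimValidators} was never called must fail to initialize. */
    @Test(expectedExceptions = {ComponentInitializationException.class})
    public void testNoValidators() throws ComponentInitializationException {
        ChainingJWTClaimsValidator chain = new ChainingJWTClaimsValidator();
        chain.setId("test");
        chain.initialize();
    }

    /**
     * Passing {@code null} to {@code setClaimValidators} still lets the chain initialize.
     *
     * <p>NOTE(review): this test does not call {@code validate} on the resulting chain. Confirm
     * that a chain configured this way cannot accept a token with no checks applied.
     */
    @Test
    public void testNullValidators() throws ComponentInitializationException {
        ChainingJWTClaimsValidator chain = new ChainingJWTClaimsValidator();
        chain.setId("test");
        chain.setClaimValidators((List<ClaimsValidator>) null);
        chain.initialize();
    }

    /** With {@code requireAll} left at its default, one failing validator fails the chain. */
    @Test(expectedExceptions = {JWTValidationException.class})
    public void testOptionalValidatorsFailure() throws ComponentInitializationException, JWTValidationException {
        AbstractClaimsValidator passing = passingValidator();
        AbstractClaimsValidator failing = failingValidator();
        ChainingJWTClaimsValidator chain = new ChainingJWTClaimsValidator();
        chain.setId("test");
        chain.setClaimValidators(List.of(failing, passing));
        chain.initialize();
        chain.validate(new JWTClaimsSet.Builder().build(), prc);
    }

    /**
     * With {@code requireAll} set to {@code false}, the chain accepts the claims even though the
     * first validator throws, because the second one passes.
     *
     * <p>In this mode a single permissive validator is enough for acceptance, so the mode should
     * only group validators that are genuine alternatives to one another.
     */
    @Test
    public void testOptionalValidatorsSuccess() throws ComponentInitializationException, JWTValidationException {
        AbstractClaimsValidator passing = passingValidator();
        AbstractClaimsValidator failing = failingValidator();
        ChainingJWTClaimsValidator chain = new ChainingJWTClaimsValidator();
        chain.setId("test");
        chain.setClaimValidators(List.of(failing, passing));
        chain.setRequireAll(false);
        chain.initialize();
        chain.validate(new JWTClaimsSet.Builder().build(), prc);
    }

    /**
     * A chain can itself be a member of another chain: the outer any-of chain passes because its
     * nested any-of chain passes, although the outer chain's first validator throws.
     */
    @Test
    public void testNestedValidatorsSuccess() throws ComponentInitializationException, JWTValidationException {
        AbstractClaimsValidator passing = passingValidator();
        AbstractClaimsValidator failing = failingValidator();

        ChainingJWTClaimsValidator inner = new ChainingJWTClaimsValidator();
        inner.setId("nested");
        inner.setClaimValidators(List.of(failing, passing));
        inner.setRequireAll(false);
        inner.initialize();

        ChainingJWTClaimsValidator outer = new ChainingJWTClaimsValidator();
        outer.setId("test");
        outer.setClaimValidators(List.of(failing, inner));
        outer.setRequireAll(false);
        outer.initialize();
        outer.validate(new JWTClaimsSet.Builder().build(), prc);
    }

    /**
     * Validating a {@code null} claims set on the full chain completes without an exception.
     *
     * <p>NOTE(review): this pins behaviour in which a missing claims set is not rejected by the
     * chain. Confirm that callers treat an absent claims set as a failure on their own.
     */
    @Test
    public void testNullClaims() throws ComponentInitializationException, JWTValidationException {
        validation.validate((JWTClaimsSet) null, prc);
    }

    /** The baseline token satisfies every validator in the chain. */
    @Test
    public void validationSuccess() throws ComponentInitializationException, JWTValidationException {
        validation.validate(validClaims().build(), prc);
    }

    /** Expiry ten minutes in the past, beyond the one-minute clock skew, is rejected. */
    @Test(expectedExceptions = {JWTValidationException.class})
    public void validationFailedExpired() throws ComponentInitializationException, JWTValidationException {
        JWTClaimsSet claims = validClaims()
                .expirationTime(Date.from(Instant.now().minus(Duration.ofMinutes(10L))))
                .build();
        validation.validate(claims, prc);
    }

    /** Not-before ten minutes in the future, beyond the one-minute clock skew, is rejected. */
    @Test(expectedExceptions = {JWTValidationException.class})
    public void validationFailedNotBefore() throws ComponentInitializationException, JWTValidationException {
        JWTClaimsSet claims = validClaims()
                .notBeforeTime(Date.from(Instant.now().plus(Duration.ofMinutes(10L))))
                .build();
        validation.validate(claims, prc);
    }

    /** A nonce other than the expected {@code "nonce"} is rejected. */
    @Test(expectedExceptions = {JWTValidationException.class})
    public void validationFailedWrongNonce() throws ComponentInitializationException, JWTValidationException {
        JWTClaimsSet claims = validClaims()
                .claim(IDTokenClaims.NONCE.getClaimName(), "wrong-nonce")
                .build();
        validation.validate(claims, prc);
    }

    /** A {@code username} claim other than the expected {@code "jdoe"} is rejected. */
    @Test(expectedExceptions = {JWTValidationException.class})
    public void validationFailedWrongUsername() throws ComponentInitializationException, JWTValidationException {
        JWTClaimsSet claims = validClaims()
                .claim("username", "wrong")
                .build();
        validation.validate(claims, prc);
    }

    /** An authentication time 300 seconds old, with a one-minute authn lifetime, is rejected. */
    @Test(expectedExceptions = {JWTValidationException.class})
    public void validationFailedAuthTimeTooFarInPast() throws ComponentInitializationException, JWTValidationException {
        JWTClaimsSet claims = validClaims()
                .claim(IDTokenClaims.AUTHENTICATION_TIME.getClaimName(), authTimeSecondsAgo(300L))
                .build();
        validation.validate(claims, prc);
    }
}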
