package org.wildfly.security.auth.realm.token;

import com.nimbusds.jose.Payload;
import com.nimbusds.jose.PlainHeader;
import com.nimbusds.jose.PlainObject;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.json.Json;
import javax.json.JsonObject;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;
import mockit.integration.junit4.JMockit;
import okhttp3.mockwebserver.Dispatcher;
import okhttp3.mockwebserver.MockResponse;
import okhttp3.mockwebserver.MockWebServer;
import okhttp3.mockwebserver.QueueDispatcher;
import okhttp3.mockwebserver.RecordedRequest;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.wildfly.common.bytes.ByteStringBuilder;
import org.wildfly.security.auth.principal.NamePrincipal;
import org.wildfly.security.auth.realm.token.validator.JwtValidator;
import org.wildfly.security.auth.server.RealmIdentity;
import org.wildfly.security.auth.server.RealmUnavailableException;
import org.wildfly.security.auth.server.SecurityRealm;
import org.wildfly.security.evidence.BearerTokenEvidence;
import org.wildfly.security.evidence.Evidence;
import org.wildfly.security.pem.Pem;
import org.wildfly.security.realm.token.test.util.JwtTestUtil;
import org.wildfly.security.realm.token.test.util.RsaJwk;
import org.wildfly.security.ssl.SSLContextBuilder;
import org.wildfly.security.x500.cert.SelfSignedX509CertificateAndSigningKey;

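@RunWith(JMockit.class)
/* loaded from: input_file:org/wildfly/security/auth/realm/token/JwtSecurityRealmTest.class */
/**
 * Tests for {@link TokenSecurityRealm} backed by {@link JwtValidator}.
 *
 * <p>Two {@link MockWebServer}s publish JWKS documents: one over TLS with a self-signed test CA
 * (written to a JKS trust store under {@code target/}), one over plain HTTP. Tokens are minted by
 * {@link JwtTestUtil}; the tests then check whether the realm reports an identity as existing.
 * Tests that swap the TLS server's dispatcher restore the default one in a {@code finally} block
 * so that a failing assertion cannot poison the tests that run after it.
 */
public class JwtSecurityRealmTest {

    /** Build-output directory that receives the throw-away JKS trust store for the test CA. */
    private static final String CA_JKS_LOCATION = "./target/test-classes/jwt/ca/jks/";
    private static final String TRUST_STORE_FILE_NAME = "ca.truststore";

    /** Port of the mock JWKS endpoint served over TLS with the test CA certificate. */
    private static final int TLS_PORT = 50831;
    /** Port of the mock JWKS endpoint served over plain HTTP. */
    private static final int NON_TLS_PORT = 50832;
    private static final String TLS_JKU = "https://localhost:" + TLS_PORT;
    /** An https URL for the plain-HTTP server: the TLS handshake against it cannot succeed. */
    private static final String NON_TLS_JKU = "https://localhost:" + NON_TLS_PORT;
    private static final URI TLS_JKU_URI = URI.create(TLS_JKU);
    private static final URI NON_TLS_JKU_URI = URI.create(NON_TLS_JKU);

    /** Issuer and audience accepted by the valid-token tests; the mismatch tests use other values. */
    private static final String ISSUER = "elytron-oauth2-realm";
    private static final String AUDIENCE = "my-app-valid";
    /** Principal name expected from the {@code sub} claim of a JwtTestUtil token. */
    private static final String EXPECTED_SUBJECT = "elytron@jboss.org";

    private static final char[] PASSWORD = "password".toCharArray();

    /**
     * Host-name verifier that accepts any host. The JKU client connects to a self-signed
     * certificate minted in {@link #setup()} with CN=localhost and no subjectAltName extension;
     * presumably the default verifier would reject it — TODO confirm. Only usable against the
     * in-process mock server; a deployment must keep host-name verification on.
     */
    private static final HostnameVerifier TRUST_ALL_HOSTNAMES = (hostname, session) -> true;

    private static final MockWebServer server = new MockWebServer();
    private static final MockWebServer nonTlsServer = new MockWebServer();

    private static KeyPair keyPair1;
    private static KeyPair keyPair2;
    private static KeyPair keyPair3;
    private static RsaJwk jwk1;
    private static RsaJwk jwk2;
    private static RsaJwk jwk3;
    /** Trust store holding only the test CA certificate; read by {@link #getTrustManager()}. */
    private static Path trustStorePath;
    /** Default JWKS body served by both servers: kid "1" and kid "2" only, never kid "3". */
    private static String jwksResponse;

    /**
     * Generates three RSA key pairs with kids "1", "2", "3", mints a self-signed CA certificate,
     * writes it to the trust store, and starts the TLS and plain-HTTP JWKS servers.
     */
    @BeforeClass
    public static void setup() throws GeneralSecurityException, IOException {
        // Presumably picked up by the Elytron client configuration when the validator opens
        // the JKU connection — TODO confirm against the test resource.
        System.setProperty("wildfly.config.url",
                JwtSecurityRealmTest.class.getResource("wildfly-jwt-test-config.xml").toExternalForm());

        keyPair1 = newRsaKeyPair();
        keyPair2 = newRsaKeyPair();
        keyPair3 = newRsaKeyPair();
        jwk1 = JwtTestUtil.createRsaJwk(keyPair1, "1");
        jwk2 = JwtTestUtil.createRsaJwk(keyPair2, "2");
        jwk3 = JwtTestUtil.createRsaJwk(keyPair3, "3");
        jwksResponse = jwks(jwk1, jwk2);

        SelfSignedX509CertificateAndSigningKey ca = SelfSignedX509CertificateAndSigningKey.builder()
                .setDn(new X500Principal("CN=localhost, ST=Elytron, C=UK, EMAILADDRESS=elytron@wildfly.org, O=Root Certificate Authority"))
                .setKeyAlgorithmName("RSA")
                .setSignatureAlgorithmName("SHA256withRSA")
                .addExtension(false, "BasicConstraints", "CA:true,pathlen:2147483647")
                .build();
        X509Certificate caCertificate = ca.getSelfSignedCertificate();

        writeTrustStore(caCertificate);

        // The TLS server presents the CA certificate itself as its end-entity certificate.
        KeyStore keyStore = newEmptyJks();
        keyStore.setKeyEntry("ca", ca.getSigningKey(), PASSWORD, new X509Certificate[]{caCertificate});
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(keyStore, PASSWORD);
        X509ExtendedKeyManager keyManager = firstX509KeyManager(keyManagerFactory.getKeyManagers());
        Assert.assertNotNull("no X509ExtendedKeyManager produced for the test key store", keyManager);
        SSLContext serverContext = new SSLContextBuilder().setKeyManager(keyManager).build().create();

        server.useHttps(serverContext.getSocketFactory(), false);
        server.setDispatcher(JwtTestUtil.createTokenDispatcher(jwksResponse));
        nonTlsServer.setDispatcher(JwtTestUtil.createTokenDispatcher(jwksResponse));
        server.start(TLS_PORT);
        nonTlsServer.start(NON_TLS_PORT);
    }

    /** Stops both mock servers; the second is stopped even if the first fails to shut down. */
    @AfterClass
    public static void cleanup() throws IOException {
        try {
            server.shutdown();
        } finally {
            nonTlsServer.shutdown();
        }
    }

    /**
     * Key rotation without caching: with jkuTimeout 0 and no minimum interval between requests,
     * every validation fetches the JWKS document again, so each assertion below consumes exactly
     * one queued response and sees the key set the endpoint publishes at that moment.
     */
    @Test
    public void testChangedKeys() throws Exception {
        QueueDispatcher queue = new QueueDispatcher();
        queue.enqueueResponse(new MockResponse().setBody(jwks(jwk1)));
        queue.enqueueResponse(new MockResponse().setBody(jwks(jwk1)));
        queue.enqueueResponse(new MockResponse().setBody(jwks(jwk2)));
        queue.enqueueResponse(new MockResponse().setBody(jwks(jwk2)));
        // Key 3 re-published under kid "1": the body is serialized now, so the kid can be restored.
        queue.enqueueResponse(new MockResponse().setBody(jwks(jwk3.setKid("1"))));
        queue.enqueueResponse(new MockResponse().setBody(jwks(jwk3)));
        jwk3.setKid("3");

        BearerTokenEvidence token1 = jkuToken(keyPair1, "1", TLS_JKU_URI);
        BearerTokenEvidence token2 = jkuToken(keyPair2, "2", TLS_JKU_URI);
        BearerTokenEvidence token3 = jkuToken(keyPair3, "1", TLS_JKU_URI);
        TokenSecurityRealm realm = subRealm(jkuValidatorBuilder(TLS_JKU)
                .setJkuTimeout(0L)
                .setJkuMinTimeBetweenRequests(0));

        server.setDispatcher(queue);
        try {
            assertIdentityExist(realm, token1);     // JWKS: {1}  — kid "1" is key 1
            assertIdentityNotExist(realm, token2);  // JWKS: {1}  — kid "2" unknown
            assertIdentityExist(realm, token2);     // JWKS: {2}
            assertIdentityNotExist(realm, token3);  // JWKS: {2}  — kid "1" unknown
            assertIdentityExist(realm, token3);     // JWKS: {1->key 3}
            assertIdentityNotExist(realm, token1);  // JWKS: {3}  — kid "1" gone
        } finally {
            server.setDispatcher(JwtTestUtil.createTokenDispatcher(jwksResponse));
        }
    }

    /**
     * A cached key set (jkuTimeout 60 s) is refreshed when a token carries a kid the cache does
     * not contain, provided no minimum interval between requests is configured.
     */
    @Test
    public void testNewRotationKeys() throws Exception {
        BearerTokenEvidence token1 = jkuToken(keyPair1, "1", TLS_JKU_URI);
        BearerTokenEvidence token2 = jkuToken(keyPair2, "2", TLS_JKU_URI);
        TokenSecurityRealm realm = subRealm(jkuValidatorBuilder(TLS_JKU)
                .setJkuTimeout(60000L)
                .setJkuMinTimeBetweenRequests(0));

        server.setDispatcher(JwtTestUtil.createTokenDispatcher(jwks(jwk1)));
        try {
            assertIdentityExist(realm, token1);  // fetches and caches {1}
        } finally {
            server.setDispatcher(JwtTestUtil.createTokenDispatcher(jwksResponse));
        }
        assertIdentityExist(realm, token1);  // still valid from the cache
        assertIdentityExist(realm, token2);  // unknown kid "2" triggers a refresh; endpoint now publishes it
    }

    /**
     * Same rotation as {@link #testNewRotationKeys()}, but with a 10 s minimum interval between
     * JWKS requests: the refresh for the unknown kid is suppressed and the token is rejected.
     */
    @Test
    public void testNewRotationKeysTimeBetweenRequests() throws Exception {
        BearerTokenEvidence token1 = jkuToken(keyPair1, "1", TLS_JKU_URI);
        BearerTokenEvidence token2 = jkuToken(keyPair2, "2", TLS_JKU_URI);
        TokenSecurityRealm realm = subRealm(jkuValidatorBuilder(TLS_JKU)
                .setJkuTimeout(60000L)
                .setJkuMinTimeBetweenRequests(10000));

        server.setDispatcher(JwtTestUtil.createTokenDispatcher(jwks(jwk1)));
        try {
            assertIdentityExist(realm, token1);
        } finally {
            server.setDispatcher(JwtTestUtil.createTokenDispatcher(jwksResponse));
        }
        assertIdentityExist(realm, token1);
        assertIdentityNotExist(realm, token2);  // kid "2" not cached and re-fetch throttled
    }

    /**
     * Mixes the three key sources a validator can hold — a named local key (kid "1" = key 3), an
     * unnamed local key (key 3) and the JKU endpoint (kids "1" and "2" = keys 1 and 2) — and
     * checks which token shapes resolve against which source.
     */
    @Test
    public void testMultipleTokenTypes() throws Exception {
        BearerTokenEvidence localKid1Key3 = jkuToken(keyPair3, "1", null);
        BearerTokenEvidence localKid2Key3 = jkuToken(keyPair3, "2", null);
        BearerTokenEvidence localKid1Key2 = jkuToken(keyPair2, "1", null);
        BearerTokenEvidence remoteKid2Key2 = jkuToken(keyPair2, "2", TLS_JKU_URI);
        BearerTokenEvidence remoteKid2Key3 = jkuToken(keyPair3, "2", TLS_JKU_URI);
        BearerTokenEvidence remoteKid1Key2 = jkuToken(keyPair2, "1", TLS_JKU_URI);
        BearerTokenEvidence localKid3Key1 = jkuToken(keyPair1, "3", null);
        BearerTokenEvidence noKidKey3 = new BearerTokenEvidence(JwtTestUtil.createJwt(keyPair3, 60, -1));
        BearerTokenEvidence noKidKey1 = new BearerTokenEvidence(JwtTestUtil.createJwt(keyPair1, 60, -1));

        Map<String, PublicKey> namedKeys = new LinkedHashMap<>();
        namedKeys.put("1", keyPair3.getPublic());
        TokenSecurityRealm realm = subRealm(jkuValidatorBuilder(TLS_JKU)
                .publicKeys(namedKeys)
                .publicKey(keyPair3.getPublic()));

        assertIdentityExist(realm, localKid1Key3);      // named local key matches
        assertIdentityNotExist(realm, localKid2Key3);   // no local key named "2"
        assertIdentityNotExist(realm, localKid1Key2);   // named key "1" is key 3, not key 2
        assertIdentityExist(realm, remoteKid2Key2);     // resolved from the JWKS endpoint
        assertIdentityNotExist(realm, remoteKid2Key3);  // JWKS kid "2" is key 2, not key 3
        assertIdentityNotExist(realm, remoteKid1Key2);  // JWKS kid "1" is key 1, not key 2
        assertIdentityNotExist(realm, localKid3Key1);   // no local key named "3"
        assertIdentityExist(realm, noKidKey3);          // unnamed local key matches
        assertIdentityNotExist(realm, noKidKey1);
    }

    /**
     * A token whose {@code jku} points at the plain-HTTP server is rejected: the validator only
     * talks TLS to the endpoint, so the key set is never retrieved.
     */
    @Test
    public void testUnsecuredJkuEndpoint() throws Exception {
        TokenSecurityRealm realm = subRealm(jkuValidatorBuilder(NON_TLS_JKU));
        assertIdentityNotExist(realm, jkuToken(keyPair1, "1", NON_TLS_JKU_URI));
    }

    /** Named local keys: a token is accepted only if its kid names a key and the signature matches it. */
    @Test
    public void testKid() throws Exception {
        BearerTokenEvidence kid1Key1 = jkuToken(keyPair1, "1", null);
        BearerTokenEvidence kid2Key2 = jkuToken(keyPair2, "2", null);
        BearerTokenEvidence kid3Key2 = jkuToken(keyPair2, "3", null);

        Map<String, PublicKey> namedKeys = new LinkedHashMap<>();
        namedKeys.put("1", keyPair1.getPublic());
        namedKeys.put("2", keyPair2.getPublic());
        TokenSecurityRealm realm = subRealm(validatorBuilder().publicKeys(namedKeys));

        assertIdentityExist(realm, kid1Key1);
        assertIdentityExist(realm, kid2Key2);
        assertIdentityNotExist(realm, kid3Key2);
    }

    /**
     * Without caching (jkuTimeout 0), an endpoint that answers once and then returns 404 makes the
     * second validation of the very same token fail — the realm fails closed rather than reusing
     * a key set it no longer has.
     */
    @Test
    public void testStoppedJkuEndpoint() throws Exception {
        BearerTokenEvidence token = jkuToken(keyPair1, "1", TLS_JKU_URI);
        TokenSecurityRealm realm = subRealm(jkuValidatorBuilder(TLS_JKU)
                .setJkuTimeout(0L)
                .setJkuMinTimeBetweenRequests(0));

        server.setDispatcher(createOneTimeDispatcher(jwksResponse));
        try {
            assertIdentityExist(realm, token);
            assertIdentityNotExist(realm, token);
        } finally {
            server.setDispatcher(JwtTestUtil.createTokenDispatcher(jwksResponse));
        }
    }

    /** Both kids published by the default JWKS document resolve through the TLS endpoint. */
    @Test
    public void testJkuMultipleKeys() throws Exception {
        BearerTokenEvidence token1 = jkuToken(keyPair1, "1", TLS_JKU_URI);
        BearerTokenEvidence token2 = jkuToken(keyPair2, "2", TLS_JKU_URI);
        TokenSecurityRealm realm = subRealm(jkuValidatorBuilder(TLS_JKU));

        assertIdentityExist(realm, token1);
        assertIdentityExist(realm, token2);
    }

    /** An allow-listed JKU that no JWKS server answers on yields no identity. */
    @Test
    public void testInvalidJku() throws Exception {
        TokenSecurityRealm realm = subRealm(jkuValidatorBuilder("https://localhost:80"));
        assertIdentityNotExist(realm, jkuToken(keyPair1, "1", new URI("https://localhost:80")));
    }

    /** A kid absent from the JWKS document is rejected even though the endpoint is reachable. */
    @Test
    public void testInvalidKid() throws Exception {
        TokenSecurityRealm realm = subRealm(jkuValidatorBuilder(TLS_JKU));
        assertIdentityNotExist(realm, jkuToken(keyPair1, "badkid", TLS_JKU_URI));
    }

    /** The validator accepts a public key supplied as PEM bytes. */
    @Test
    public void testUsingGeneratedPublicKey() throws Exception {
        KeyPair keyPair = newRsaKeyPair();
        ByteStringBuilder pem = new ByteStringBuilder();
        Pem.generatePemPublicKey(pem, keyPair.getPublic());

        TokenSecurityRealm realm = subRealm(validatorBuilder().publicKey(pem.toArray()));
        assertSubjectIdentity(realm.getRealmIdentity(new BearerTokenEvidence(JwtTestUtil.createJwt(keyPair, 10, 0))));
    }

    /**
     * Pins the behaviour of a validator with no issuer, audience or key configured: a token signed
     * with a key the validator has never seen is accepted, i.e. nothing is verified. A production
     * realm therefore needs at least a public key or an allow-listed JKU.
     */
    @Test
    public void testEmptyConfiguration() throws Exception {
        KeyPair keyPair = newRsaKeyPair();
        TokenSecurityRealm realm = subRealm(JwtValidator.builder());
        assertSubjectIdentity(realm.getRealmIdentity(new BearerTokenEvidence(JwtTestUtil.createJwt(keyPair, 10, 0))));
    }

    /** A token is accepted when its audience matches any one of several configured audiences. */
    @Test
    public void testWithMultipleAudience() throws Exception {
        KeyPair keyPair = newRsaKeyPair();
        TokenSecurityRealm realm = subRealm(JwtValidator.builder()
                .issuer(ISSUER)
                .audience("third-app", "another-app-valid", "my-app")
                .publicKey(keyPair.getPublic()));
        assertSubjectIdentity(realm.getRealmIdentity(new BearerTokenEvidence(JwtTestUtil.createJwt(keyPair))));
    }

    /** A token signed with a key other than the configured public key is rejected. */
    @Test
    public void testInvalidSignature() throws Exception {
        TokenSecurityRealm realm = subRealm(validatorBuilder().publicKey(newRsaKeyPair().getPublic()));
        assertIdentityNotExist(realm, new BearerTokenEvidence(JwtTestUtil.createJwt(newRsaKeyPair())));
    }

    @Test
    public void testInvalidIssuer() throws Exception {
        KeyPair keyPair = newRsaKeyPair();
        TokenSecurityRealm realm = subRealm(JwtValidator.builder()
                .issuer("different-issuer")
                .audience(AUDIENCE)
                .publicKey(keyPair.getPublic()));
        assertIdentityNotExist(realm, new BearerTokenEvidence(JwtTestUtil.createJwt(keyPair)));
    }

    @Test
    public void testInvalidAudience() throws Exception {
        KeyPair keyPair = newRsaKeyPair();
        TokenSecurityRealm realm = subRealm(JwtValidator.builder()
                .issuer(ISSUER)
                .audience("different-audience")
                .publicKey(keyPair.getPublic()));
        assertIdentityNotExist(realm, new BearerTokenEvidence(JwtTestUtil.createJwt(keyPair)));
    }

    /**
     * Token with an expiry offset of -1 is rejected.
     * NOTE(review): the validator is also configured with "different-audience", which is
     * rejected on its own (see testInvalidAudience), so this test does not isolate the expiry
     * check; consider configuring {@code AUDIENCE} here so only {@code exp} can fail.
     */
    @Test
    public void testTokenExpired() throws Exception {
        KeyPair keyPair = newRsaKeyPair();
        TokenSecurityRealm realm = subRealm(JwtValidator.builder()
                .issuer(ISSUER)
                .audience("different-audience")
                .publicKey(keyPair.getPublic()));
        assertIdentityNotExist(realm, new BearerTokenEvidence(JwtTestUtil.createJwt(keyPair, -1)));
    }

    /**
     * Token with a not-before offset of 10 is rejected.
     * NOTE(review): same caveat as testTokenExpired — the "different-audience" setting makes the
     * token fail regardless of {@code nbf}.
     */
    @Test
    public void testTokenNotBefore() throws Exception {
        KeyPair keyPair = newRsaKeyPair();
        TokenSecurityRealm realm = subRealm(JwtValidator.builder()
                .issuer(ISSUER)
                .audience("different-audience")
                .publicKey(keyPair.getPublic()));
        assertIdentityNotExist(realm, new BearerTokenEvidence(JwtTestUtil.createJwt(keyPair, 10, 10)));
    }

    /**
     * Pins that a validator with only issuer and audience configured accepts an unsecured
     * ({@code alg=none}) JWT. Such a token carries no proof of origin; any deployment must
     * configure a key or JKU so that signatures are actually verified.
     */
    @Test
    public void testUnsecuredJwt() throws Exception {
        TokenSecurityRealm realm = subRealm(validatorBuilder());
        String claims = JwtTestUtil.createClaims(10, 0).build().toString();
        assertSubjectIdentity(realm.getRealmIdentity(unsecuredToken(claims)));
    }

    /** A custom claim-to-principal mapping picks {@code upn} ahead of {@code preferred_name} and {@code sub}. */
    @Test
    public void testAltPrincipaNames() throws Exception {
        TokenSecurityRealm realm = TokenSecurityRealm.builder()
                .claimToPrincipal(attributes -> {
                    String name = attributes.getFirst("upn");
                    if (name == null) {
                        name = attributes.getFirst("preferred_name");
                    }
                    if (name == null) {
                        name = attributes.getFirst("sub");
                    }
                    return new NamePrincipal(name);
                })
                .validator(validatorBuilder().build())
                .build();
        JsonObject extraClaims = Json.createObjectBuilder().add("upn", "upn:elytron@jboss.org").build();
        String claims = JwtTestUtil.createClaims(10, 0, extraClaims).build().toString();

        RealmIdentity identity = realm.getRealmIdentity(unsecuredToken(claims));
        Assert.assertNotNull(identity);
        Assert.assertTrue(identity.exists());
        Assert.assertEquals("upn:elytron@jboss.org", identity.getRealmIdentityPrincipal().getName());
    }

    /** With the default {@code sub} mapping the subject claim becomes the principal name. */
    @Test
    public void testAltPrincipaNamesSubFallback() throws Exception {
        TokenSecurityRealm realm = subRealm(validatorBuilder());
        String claims = JwtTestUtil.createClaims(10, 0).build().toString();
        assertSubjectIdentity(realm.getRealmIdentity(unsecuredToken(claims)));
    }

    /** A {@code jku} that is on the allow list is followed. */
    @Test
    public void testTokenWithJkuValueAllowed() throws Exception {
        TokenSecurityRealm realm = subRealm(jkuValidatorBuilder(NON_TLS_JKU, TLS_JKU));
        assertIdentityExist(realm, jkuToken(keyPair1, "1", TLS_JKU_URI));
    }

    /** A {@code jku} that is not on the allow list is rejected, whatever it points at. */
    @Test
    public void testTokenWithJkuValueNotAllowed() throws Exception {
        TokenSecurityRealm realm = subRealm(jkuValidatorBuilder(NON_TLS_JKU, TLS_JKU));
        assertIdentityNotExist(realm, jkuToken(keyPair1, "1", new URI("https://localhost:50834")));
    }

    /**
     * With no allow list at all, a token-supplied {@code jku} is never followed even though the
     * endpoint is reachable and trusted — the token cannot nominate its own key source.
     */
    @Test
    public void testAllowedJkuValuesNotConfigured() throws Exception {
        TokenSecurityRealm realm = subRealm(validatorBuilder()
                .useSslContext(getSSLContext())
                .useSslHostnameVerifier(TRUST_ALL_HOSTNAMES));
        assertIdentityNotExist(realm, jkuToken(keyPair1, "1", TLS_JKU_URI));
    }

    /** Tokens without a {@code jku} fall back to the named local keys even when an allow list is configured. */
    @Test
    public void testTokenWithoutJkuValue() throws Exception {
        BearerTokenEvidence kid1Key1 = jkuToken(keyPair1, "1", null);
        BearerTokenEvidence kid2Key2 = jkuToken(keyPair2, "2", null);

        Map<String, PublicKey> namedKeys = new LinkedHashMap<>();
        namedKeys.put("1", keyPair1.getPublic());
        namedKeys.put("2", keyPair2.getPublic());
        TokenSecurityRealm realm = subRealm(validatorBuilder()
                .setAllowedJkuValues(NON_TLS_JKU, TLS_JKU)
                .publicKeys(namedKeys));

        assertIdentityExist(realm, kid1Key1);
        assertIdentityExist(realm, kid2Key2);
    }

    // ---------------------------------------------------------------------------------------------
    // Assertion helpers
    // ---------------------------------------------------------------------------------------------

    /** Asserts the realm returns a (non-null) identity that does not exist for {@code evidence}. */
    private void assertIdentityNotExist(SecurityRealm securityRealm, Evidence evidence) throws RealmUnavailableException {
        RealmIdentity identity = securityRealm.getRealmIdentity(evidence);
        Assert.assertNotNull(identity);
        Assert.assertFalse(identity.exists());
    }

    /** Asserts the realm returns an existing identity for {@code evidence}. */
    private void assertIdentityExist(SecurityRealm securityRealm, Evidence evidence) throws RealmUnavailableException {
        RealmIdentity identity = securityRealm.getRealmIdentity(evidence);
        Assert.assertNotNull(identity);
        Assert.assertTrue(identity.exists());
    }

    /** Asserts an existing identity whose principal name is {@link #EXPECTED_SUBJECT}. */
    private static void assertSubjectIdentity(RealmIdentity identity) throws RealmUnavailableException {
        Assert.assertNotNull(identity);
        Assert.assertTrue(identity.exists());
        Assert.assertEquals(EXPECTED_SUBJECT, identity.getRealmIdentityPrincipal().getName());
    }

    // ---------------------------------------------------------------------------------------------
    // Fixture helpers
    // ---------------------------------------------------------------------------------------------

    private static KeyPair newRsaKeyPair() throws GeneralSecurityException {
        return KeyPairGenerator.getInstance("RSA").generateKeyPair();
    }

    /** A loaded, empty JKS key store. */
    private static KeyStore newEmptyJks() throws GeneralSecurityException, IOException {
        KeyStore keyStore = KeyStore.getInstance("JKS");
        keyStore.load(null, null);
        return keyStore;
    }

    /**
     * Writes a JKS trust store containing only {@code caCertificate} to {@link #trustStorePath},
     * creating the directory and replacing any stale file left by a previous run.
     */
    private static void writeTrustStore(X509Certificate caCertificate) throws GeneralSecurityException, IOException {
        Path directory = Paths.get(CA_JKS_LOCATION);
        Files.createDirectories(directory);
        trustStorePath = directory.resolve(TRUST_STORE_FILE_NAME);
        Files.deleteIfExists(trustStorePath);

        KeyStore trustStore = newEmptyJks();
        trustStore.setCertificateEntry("ca", caCertificate);
        try (OutputStream out = Files.newOutputStream(trustStorePath)) {
            trustStore.store(out, PASSWORD);
        }
    }

    /** First {@link X509ExtendedKeyManager} in {@code keyManagers}, or {@code null}. */
    private static X509ExtendedKeyManager firstX509KeyManager(KeyManager[] keyManagers) {
        for (KeyManager keyManager : keyManagers) {
            if (keyManager instanceof X509ExtendedKeyManager) {
                return (X509ExtendedKeyManager) keyManager;
            }
        }
        return null;
    }

    /** Serializes the given keys as a JWKS document. */
    private static String jwks(RsaJwk... keys) {
        return JwtTestUtil.jwksToJson(keys).toString();
    }

    /** Signed token (60 s lifetime, no not-before) with the given kid and optional {@code jku}. */
    private static BearerTokenEvidence jkuToken(KeyPair keyPair, String kid, URI jku) throws Exception {
        return new BearerTokenEvidence(JwtTestUtil.createJwt(keyPair, 60, -1, kid, jku));
    }

    /** Unsecured ({@code alg=none}) JWT carrying {@code claims} as its payload. */
    private static BearerTokenEvidence unsecuredToken(String claims) {
        return new BearerTokenEvidence(new PlainObject(new PlainHeader(), new Payload(claims)).serialize());
    }

    /** Validator builder pre-set with the issuer and audience the valid-token tests expect. */
    private static JwtValidator.Builder validatorBuilder() {
        return JwtValidator.builder().issuer(ISSUER).audience(AUDIENCE);
    }

    /**
     * {@link #validatorBuilder()} plus the JKU allow list, the trust store for the test CA and the
     * permissive host-name verifier needed to reach the mock TLS server.
     */
    private JwtValidator.Builder jkuValidatorBuilder(String... allowedJkuValues) throws Exception {
        return validatorBuilder()
                .setAllowedJkuValues(allowedJkuValues)
                .useSslContext(getSSLContext())
                .useSslHostnameVerifier(TRUST_ALL_HOSTNAMES);
    }

    /** Realm that maps the {@code sub} claim to the principal and validates with {@code validator}. */
    private static TokenSecurityRealm subRealm(JwtValidator.Builder validator) {
        return TokenSecurityRealm.builder()
                .principalClaimName("sub")
                .validator(validator.build())
                .build();
    }

    /** Trust manager built from the trust store written in {@link #setup()}; the stream is always closed. */
    private X509TrustManager getTrustManager() throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(trustStorePath)) {
            trustStore.load(in, PASSWORD);
        }
        TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        factory.init(trustStore);

        X509TrustManager trustManager = null;
        for (TrustManager candidate : factory.getTrustManagers()) {
            if (candidate instanceof X509TrustManager) {
                trustManager = (X509TrustManager) candidate;
                break;
            }
        }
        Assert.assertNotNull(trustManager);
        return trustManager;
    }

    /** Client-mode SSL context that trusts only the test CA. */
    private SSLContext getSSLContext() throws Exception {
        return new SSLContextBuilder()
                .setTrustManager(getTrustManager())
                .setClientMode(true)
                .setSessionTimeout(10)
                .build()
                .create();
    }

    /**
     * Dispatcher that serves {@code body} exactly once and answers 404 afterwards, simulating a
     * JWKS endpoint that disappears after the first fetch.
     */
    private static Dispatcher createOneTimeDispatcher(final String body) {
        return new Dispatcher() {
            // Mock server requests are dispatched off the test thread; getAndSet keeps the
            // "served once" decision atomic.
            private final AtomicBoolean used = new AtomicBoolean();

            @Override
            public MockResponse dispatch(RecordedRequest request) {
                if (used.getAndSet(true)) {
                    return new MockResponse().setResponseCode(404);
                }
                return new MockResponse().setBody(body);
            }
        };
    }
}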
