package org.apereo.cas.support.oauth.authenticator;

import java.util.ArrayList;
import java.util.HashMap;
import org.apereo.cas.AbstractOAuth20Tests;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.mock.MockTicketGrantingTicket;
import org.apereo.cas.services.RegisteredServiceAccessStrategyAuditableEnforcer;
import org.apereo.cas.services.RegisteredServiceTestUtils;
import org.apereo.cas.support.oauth.OAuth20GrantTypes;
import org.apereo.cas.support.oauth.OAuth20ResponseTypes;
import org.apereo.cas.ticket.code.OAuth20DefaultCode;
import org.apereo.cas.ticket.expiration.HardTimeoutExpirationPolicy;
import org.apereo.cas.util.DigestUtils;
import org.apereo.cas.util.EncodingUtils;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;
import org.pac4j.core.credentials.UsernamePasswordCredentials;
import org.pac4j.core.exception.CredentialsException;
import org.pac4j.jee.context.JEEContext;
import org.pac4j.jee.context.session.JEESessionStore;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;

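/**
 * Tests for {@link OAuth20ProofKeyCodeExchangeAuthenticator}: each case sends a
 * {@code code_verifier} request parameter and checks it against the code challenge
 * stored on an authorization-code ticket (PKCE, RFC 7636).
 *
 * <p>Covered here: the plain challenge method, the {@code "s256"} method (challenge is
 * the URL-safe Base64 of the SHA-256 digest of the verifier), an unrecognised challenge
 * method, a challenge that does not match the verifier, and a request whose code is not
 * registered by the test.
 *
 * <p>NOTE(review): every fixture code carries {@code "clientid12345"} in what appears to
 * be its client-id argument, while the requests authenticate as {@code "client"} or
 * {@code "clientWithoutSecret"}, and the positive tests still expect success. This suite
 * therefore does not pin that a code can only be redeemed by the client it was issued
 * to; confirm that binding is asserted elsewhere.
 *
 * <p>NOTE(review): the positive tests pass with a 7-character verifier, so no
 * verifier-length check is exercised here, and there is no negative case for a
 * mismatching verifier under the plain method.
 */
@Tag("OAuth")
public class OAuth20ProofKeyCodeExchangeAuthenticatorTests extends BaseOAuth20AuthenticatorTests {
    /** Identifier given to every authorization code built by these tests. */
    private static final String AUTHZ_CODE_ID = "CODE-1234567890";

    /** PKCE code verifier sent as the {@code code_verifier} request parameter. */
    private static final String VERIFIER = "ABCD123";

    /** Client id used by the cases that send no client secret. */
    private static final String CLIENT_WITHOUT_SECRET = "clientWithoutSecret";

    /** Client id used by the cases that also send a client secret. */
    private static final String CLIENT_WITH_SECRET = "client";

    /** Secret sent for {@link #CLIENT_WITH_SECRET}, as a form parameter or via Basic auth. */
    private static final String SECRET = "secret";

    /** Challenge-method string used by the hashed cases. */
    private static final String METHOD_S256 = "s256";

    /** Value passed in the code's client-id position; see the class-level review note. */
    private static final String CODE_CLIENT_ID = "clientid12345";

    protected OAuth20ProofKeyCodeExchangeAuthenticator authenticator;

    @BeforeEach
    public void init() {
        this.authenticator = new OAuth20ProofKeyCodeExchangeAuthenticator(
            this.servicesManager,
            this.serviceFactory,
            new RegisteredServiceAccessStrategyAuditableEnforcer(new CasConfigurationProperties()),
            this.ticketRegistry,
            this.defaultPrincipalResolver,
            this.oauthRequestParameterResolver,
            this.oauth20ClientSecretValidator);
    }

    /**
     * A request naming a code that this test never registers must be rejected with
     * {@link CredentialsException}.
     */
    @Test
    public void verifyNoToken() {
        final UsernamePasswordCredentials credentials = new UsernamePasswordCredentials(CLIENT_WITHOUT_SECRET, VERIFIER);
        final MockHttpServletRequest request = new MockHttpServletRequest();
        request.addParameter("client_id", CLIENT_WITHOUT_SECRET);
        request.addParameter("code_verifier", VERIFIER);
        request.addParameter("code", AUTHZ_CODE_ID);
        final JEEContext context = new JEEContext(request, new MockHttpServletResponse());
        Assertions.assertThrows(CredentialsException.class,
            () -> this.authenticator.validate(credentials, context, JEESessionStore.INSTANCE));
    }

    /** Plain method, no client secret: the verifier equals the stored challenge. */
    @Test
    public void verifyAuthenticationPlainWithoutSecret() throws Exception {
        final UsernamePasswordCredentials credentials = new UsernamePasswordCredentials(CLIENT_WITHOUT_SECRET, VERIFIER);
        final MockHttpServletRequest request = new MockHttpServletRequest();
        this.ticketRegistry.addTicket(newCode(VERIFIER, AbstractOAuth20Tests.CODE_CHALLENGE_METHOD_PLAIN));
        request.addParameter("client_id", CLIENT_WITHOUT_SECRET);
        request.addParameter("code_verifier", VERIFIER);
        request.addParameter("code", AUTHZ_CODE_ID);
        this.authenticator.validate(credentials, new JEEContext(request, new MockHttpServletResponse()), JEESessionStore.INSTANCE);
        assertProfileId(CLIENT_WITHOUT_SECRET, credentials);
    }

    /** Plain method with the client secret sent as a {@code client_secret} form parameter. */
    @Test
    public void verifyAuthenticationPlainWithSecretTransmittedByFormAuthn() throws Exception {
        final UsernamePasswordCredentials credentials = new UsernamePasswordCredentials(CLIENT_WITH_SECRET, VERIFIER);
        final MockHttpServletRequest request = new MockHttpServletRequest();
        this.ticketRegistry.addTicket(newCode(VERIFIER, AbstractOAuth20Tests.CODE_CHALLENGE_METHOD_PLAIN));
        request.addParameter("client_id", CLIENT_WITH_SECRET);
        request.addParameter("code_verifier", VERIFIER);
        request.addParameter("client_secret", SECRET);
        request.addParameter("code", AUTHZ_CODE_ID);
        this.authenticator.validate(credentials, new JEEContext(request, new MockHttpServletResponse()), JEESessionStore.INSTANCE);
        assertProfileId(CLIENT_WITH_SECRET, credentials);
    }

    /**
     * Plain method with the client id and secret sent in an HTTP Basic
     * {@code Authorization} header; no {@code client_id} parameter is sent.
     * Unlike the form-based cases, the credentials object here carries the client
     * secret rather than the verifier as its password.
     */
    @Test
    public void verifyAuthenticationPlainWithSecretTransmittedByBasicAuthn() throws Exception {
        final UsernamePasswordCredentials credentials = new UsernamePasswordCredentials(CLIENT_WITH_SECRET, SECRET);
        final MockHttpServletRequest request = new MockHttpServletRequest();
        this.ticketRegistry.addTicket(newCode(VERIFIER, AbstractOAuth20Tests.CODE_CHALLENGE_METHOD_PLAIN));
        request.addHeader("Authorization", basicAuthorization());
        request.addParameter("code_verifier", VERIFIER);
        request.addParameter("code", AUTHZ_CODE_ID);
        this.authenticator.validate(credentials, new JEEContext(request, new MockHttpServletResponse()), JEESessionStore.INSTANCE);
        assertProfileId(CLIENT_WITH_SECRET, credentials);
    }

    /** {@code "s256"} method, no client secret: the stored challenge is the hashed verifier. */
    @Test
    public void verifyAuthenticationHashedWithoutSecret() throws Exception {
        final String challenge = s256Challenge();
        final UsernamePasswordCredentials credentials = new UsernamePasswordCredentials(CLIENT_WITHOUT_SECRET, VERIFIER);
        final MockHttpServletRequest request = new MockHttpServletRequest();
        final OAuth20DefaultCode code = newCode(challenge, METHOD_S256);
        this.ticketRegistry.addTicket(code);
        request.addParameter("client_id", CLIENT_WITHOUT_SECRET);
        request.addParameter("code_verifier", VERIFIER);
        request.addParameter("code", code.getId());
        this.authenticator.validate(credentials, new JEEContext(request, new MockHttpServletResponse()), JEESessionStore.INSTANCE);
        assertProfileId(CLIENT_WITHOUT_SECRET, credentials);
    }

    /**
     * A code whose challenge method is the unrecognised string {@code "unknown"} must be
     * rejected with {@link CredentialsException}, even though the stored challenge is
     * the correct SHA-256 digest of the verifier.
     */
    @Test
    public void verifyUnknownDigest() throws Exception {
        final String challenge = s256Challenge();
        final UsernamePasswordCredentials credentials = new UsernamePasswordCredentials(CLIENT_WITHOUT_SECRET, VERIFIER);
        final MockHttpServletRequest request = new MockHttpServletRequest();
        final OAuth20DefaultCode code = newCode(challenge, "unknown");
        this.ticketRegistry.addTicket(code);
        request.addParameter("client_id", CLIENT_WITHOUT_SECRET);
        request.addParameter("code_verifier", VERIFIER);
        request.addParameter("code", code.getId());
        final JEEContext context = new JEEContext(request, new MockHttpServletResponse());
        Assertions.assertThrows(CredentialsException.class,
            () -> this.authenticator.validate(credentials, context, JEESessionStore.INSTANCE));
    }

    /** {@code "s256"} method with the client secret sent as a form parameter. */
    @Test
    public void verifyAuthenticationHashedWithSecretTransmittedByFormAuthn() throws Exception {
        final String challenge = s256Challenge();
        final UsernamePasswordCredentials credentials = new UsernamePasswordCredentials(CLIENT_WITH_SECRET, VERIFIER);
        final MockHttpServletRequest request = new MockHttpServletRequest();
        final OAuth20DefaultCode code = newCode(challenge, METHOD_S256);
        this.ticketRegistry.addTicket(code);
        request.addParameter("client_id", CLIENT_WITH_SECRET);
        request.addParameter("code_verifier", VERIFIER);
        request.addParameter("client_secret", SECRET);
        request.addParameter("code", code.getId());
        this.authenticator.validate(credentials, new JEEContext(request, new MockHttpServletResponse()), JEESessionStore.INSTANCE);
        assertProfileId(CLIENT_WITH_SECRET, credentials);
    }

    /** {@code "s256"} method with the client id and secret sent in a Basic {@code Authorization} header. */
    @Test
    public void verifyAuthenticationHashedWithSecretTransmittedByBasicFormAuthn() throws Exception {
        final String challenge = s256Challenge();
        final UsernamePasswordCredentials credentials = new UsernamePasswordCredentials(CLIENT_WITH_SECRET, VERIFIER);
        final MockHttpServletRequest request = new MockHttpServletRequest();
        final OAuth20DefaultCode code = newCode(challenge, METHOD_S256);
        this.ticketRegistry.addTicket(code);
        // The header is added once; an identical second Authorization header adds nothing to the case.
        request.addHeader("Authorization", basicAuthorization());
        request.addParameter("code_verifier", VERIFIER);
        request.addParameter("code", code.getId());
        this.authenticator.validate(credentials, new JEEContext(request, new MockHttpServletResponse()), JEESessionStore.INSTANCE);
        assertProfileId(CLIENT_WITH_SECRET, credentials);
    }

    /**
     * {@code "s256"} method where the stored challenge ({@code "something-else"}) is not
     * the digest of the verifier: validation must fail with {@link CredentialsException}
     * even though a client secret is supplied.
     */
    @Test
    public void verifyAuthenticationNotHashedCorrectly() throws Exception {
        final UsernamePasswordCredentials credentials = new UsernamePasswordCredentials(CLIENT_WITH_SECRET, VERIFIER);
        final MockHttpServletRequest request = new MockHttpServletRequest();
        final OAuth20DefaultCode code = newCode("something-else", METHOD_S256);
        this.ticketRegistry.addTicket(code);
        request.addParameter("client_id", CLIENT_WITH_SECRET);
        request.addParameter("code_verifier", VERIFIER);
        request.addParameter("client_secret", SECRET);
        request.addParameter("code", code.getId());
        final JEEContext context = new JEEContext(request, new MockHttpServletResponse());
        Assertions.assertThrows(CredentialsException.class,
            () -> this.authenticator.validate(credentials, context, JEESessionStore.INSTANCE));
    }

    /**
     * Builds the authorization-code fixture shared by the tests; only the stored
     * challenge and its method vary between cases.
     *
     * @param codeChallenge challenge value stored on the code
     * @param codeChallengeMethod challenge-method string stored on the code
     * @return a new, unregistered code with id {@link #AUTHZ_CODE_ID}
     * @throws Exception declared because the signatures of the project helpers called
     *     here are not visible in this file; every caller already declares it
     */
    private static OAuth20DefaultCode newCode(final String codeChallenge, final String codeChallengeMethod) throws Exception {
        return new OAuth20DefaultCode(
            AUTHZ_CODE_ID,
            RegisteredServiceTestUtils.getService(),
            RegisteredServiceTestUtils.getAuthentication(),
            new HardTimeoutExpirationPolicy(10L),
            new MockTicketGrantingTicket(AbstractOAuth20Tests.ID),
            new ArrayList<>(),
            codeChallenge,
            codeChallengeMethod,
            CODE_CLIENT_ID,
            new HashMap<>(),
            OAuth20ResponseTypes.CODE,
            OAuth20GrantTypes.AUTHORIZATION_CODE);
    }

    /**
     * Computes the challenge the hashed cases store: URL-safe Base64 of the raw SHA-256
     * digest of {@link #VERIFIER}.
     *
     * @throws Exception declared for the same reason as on {@code newCode}
     */
    private static String s256Challenge() throws Exception {
        return EncodingUtils.encodeUrlSafeBase64(DigestUtils.rawDigestSha256(VERIFIER));
    }

    /** Returns the HTTP Basic {@code Authorization} header value for {@code client:secret}. */
    private static String basicAuthorization() {
        return "Basic " + EncodingUtils.encodeBase64(CLIENT_WITH_SECRET + ':' + SECRET);
    }

    /** Asserts that validation attached a user profile whose id is {@code expectedId}. */
    private static void assertProfileId(final String expectedId, final UsernamePasswordCredentials credentials) {
        Assertions.assertNotNull(credentials.getUserProfile());
        Assertions.assertEquals(expectedId, credentials.getUserProfile().getId());
    }
}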
