package org.apereo.cas.support.oauth.authenticator;

import java.util.UUID;
import org.apereo.cas.authentication.Credential;
import org.apereo.cas.authentication.principal.NullPrincipal;
import org.apereo.cas.authentication.principal.PrincipalResolver;
import org.apereo.cas.support.oauth.OAuth20GrantTypes;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.ticket.code.OAuth20Code;
import org.apereo.cas.ticket.refreshtoken.OAuth20RefreshToken;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Nested;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;
import org.junitpioneer.jupiter.RetryingTest;
import org.mockito.Mockito;
import org.pac4j.core.context.CallContext;
import org.pac4j.core.credentials.UsernamePasswordCredentials;
import org.pac4j.core.exception.CredentialsException;
import org.pac4j.jee.context.JEEContext;
import org.pac4j.jee.context.session.JEESessionStore;
import org.springframework.boot.test.context.TestConfiguration;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Import;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;

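/**
 * Tests for the OAuth 2.0 client id / client secret authenticator exposed as
 * {@code oauthClientAuthenticator}.
 *
 * <p>Each case builds pac4j {@link UsernamePasswordCredentials} (client id as username,
 * candidate secret as password), calls {@code validate} against a mock servlet request, and
 * then checks whether a user profile was attached to the credentials. A {@code null} profile
 * means this authenticator did not authenticate the client for that request.
 *
 * <p>The fixtures used below ({@code oauthClientAuthenticator}, {@code service},
 * {@code serviceWithoutSecret}, {@code serviceWithAttributesMapping}, {@code ticketRegistry},
 * {@code servicesManager}, {@code getRefreshToken}, {@code getCode}) are not declared in this
 * file; presumably they come from {@code BaseOAuth20AuthenticatorTests} - confirm there.
 */
@Tag("OAuth")
public class OAuth20ClientIdClientSecretAuthenticatorTests {

    /**
     * Cases that run without the {@link NullPrincipalTestConfiguration} override, i.e. with
     * whatever principal resolver the base test context supplies.
     */
    @Nested
    public class DefaultPrincipalResolutionTests extends BaseOAuth20AuthenticatorTests {
        public DefaultPrincipalResolutionTests() {
        }

        /**
         * Credentials {@code client}/{@code secret} on a request without parameters must end up
         * with a profile whose id is {@code client}.
         */
        // NOTE(review): @RetryingTest(3) allows repeated attempts, so an intermittent
        // authentication failure would not fail the build; worth confirming why it is needed.
        @RetryingTest(3)
        public void verifyAuthentication() {
            UsernamePasswordCredentials credentials = new UsernamePasswordCredentials("client", "secret");
            CallContext callContext = new CallContext(
                new JEEContext(new MockHttpServletRequest(), new MockHttpServletResponse()), JEESessionStore.INSTANCE);
            this.oauthClientAuthenticator.validate(callContext, credentials);
            Assertions.assertNotNull(credentials.getUserProfile());
            Assertions.assertEquals("client", credentials.getUserProfile().getId());
        }

        /**
         * With {@code grant_type} set to the password grant, {@code validate} must return
         * without attaching a profile, although the same credentials receive one in
         * {@link #verifyAuthentication()}.
         */
        @Test
        public void verifyAuthenticationWithGrantTypePassword() {
            UsernamePasswordCredentials credentials = new UsernamePasswordCredentials("client", "secret");
            MockHttpServletRequest request = new MockHttpServletRequest();
            JEEContext webContext = new JEEContext(request, new MockHttpServletResponse());
            request.addParameter("grant_type", OAuth20GrantTypes.PASSWORD.name());
            this.oauthClientAuthenticator.validate(new CallContext(webContext, JEESessionStore.INSTANCE), credentials);
            // Presumably the password grant is left to a different authenticator - confirm.
            Assertions.assertNull(credentials.getUserProfile());
        }

        /**
         * A wrong secret must be rejected: the client id of {@code service} paired with a random
         * UUID as secret, on a refresh-token request, has to raise {@link CredentialsException}.
         *
         * @throws Exception if creating or storing the refresh token fails
         */
        @Test
        public void verifyAuthenticationWithBadSecret() throws Exception {
            OAuth20RefreshToken refreshToken = getRefreshToken(this.service);
            this.ticketRegistry.addTicket(refreshToken);
            // The random UUID stands in for a secret the client does not actually hold.
            UsernamePasswordCredentials credentials =
                new UsernamePasswordCredentials(this.service.getClientId(), UUID.randomUUID().toString());
            MockHttpServletRequest request = new MockHttpServletRequest();
            JEEContext webContext = new JEEContext(request, new MockHttpServletResponse());
            request.addParameter("grant_type", OAuth20GrantTypes.REFRESH_TOKEN.name());
            request.addParameter("refresh_token", refreshToken.getId());
            Assertions.assertThrows(CredentialsException.class,
                () -> this.oauthClientAuthenticator.validate(new CallContext(webContext, JEESessionStore.INSTANCE), credentials));
        }

        /**
         * When the request carries a {@code code} whose ticket reports a code challenge,
         * {@code validate} must attach no profile even though the credentials hold the service's
         * own client id and secret.
         *
         * @throws Exception if creating or storing the tickets fails
         */
        @Test
        public void verifyAuthenticationWithCodeChallengePkce() throws Exception {
            OAuth20RefreshToken refreshToken = getRefreshToken(this.service);
            this.ticketRegistry.addTicket(refreshToken);
            // getCode() has to hand back a Mockito mock for this stubbing to take effect.
            OAuth20Code code = getCode();
            Mockito.when(code.getCodeChallenge()).thenReturn(UUID.randomUUID().toString());
            this.ticketRegistry.addTicket(code);
            UsernamePasswordCredentials credentials =
                new UsernamePasswordCredentials(this.service.getClientId(), this.service.getClientSecret());
            MockHttpServletRequest request = new MockHttpServletRequest();
            JEEContext webContext = new JEEContext(request, new MockHttpServletResponse());
            request.addParameter("grant_type", OAuth20GrantTypes.REFRESH_TOKEN.name());
            request.addParameter("refresh_token", refreshToken.getId());
            request.addParameter("code", code.getId());
            this.oauthClientAuthenticator.validate(new CallContext(webContext, JEESessionStore.INSTANCE), credentials);
            // Presumably PKCE-protected exchanges are handled by a separate authenticator - confirm.
            Assertions.assertNull(credentials.getUserProfile());
        }

        /**
         * Walks one credentials object through three refresh-token requests for a client that is
         * registered here with a client id only (no secret is set on the saved service):
         * <ol>
         *   <li>{@code client_id} present, no {@code client_secret}: no profile is attached;</li>
         *   <li>neither parameter present: a profile is attached;</li>
         *   <li>both parameters present: a profile is attached.</li>
         * </ol>
         *
         * @throws Exception if creating or storing the refresh token fails
         */
        @Test
        public void verifyAuthenticationWithGrantTypeRefreshToken() throws Exception {
            OAuth20RefreshToken refreshToken = getRefreshToken(this.serviceWithoutSecret);
            this.ticketRegistry.addTicket(refreshToken);
            UsernamePasswordCredentials credentials =
                new UsernamePasswordCredentials("serviceWithoutSecret", refreshToken.getId());
            OAuthRegisteredService registeredService = new OAuthRegisteredService();
            registeredService.setClientId(credentials.getUsername());
            this.servicesManager.save(registeredService);
            MockHttpServletRequest request = new MockHttpServletRequest();
            JEEContext webContext = new JEEContext(request, new MockHttpServletResponse());

            // Step 1: client_id without client_secret.
            request.addParameter("grant_type", OAuth20GrantTypes.REFRESH_TOKEN.name());
            request.addParameter("client_id", registeredService.getClientId());
            request.addParameter("refresh_token", refreshToken.getId());
            this.oauthClientAuthenticator.validate(new CallContext(webContext, JEESessionStore.INSTANCE), credentials);
            Assertions.assertNull(credentials.getUserProfile());

            // Step 2: only the grant type and the refresh token.
            request.removeAllParameters();
            request.addParameter("grant_type", OAuth20GrantTypes.REFRESH_TOKEN.name());
            request.addParameter("refresh_token", refreshToken.getId());
            this.oauthClientAuthenticator.validate(new CallContext(webContext, JEESessionStore.INSTANCE), credentials);
            Assertions.assertNotNull(credentials.getUserProfile());

            // Step 3: client_id together with client_secret.
            // The credentials object still carries the profile attached in step 2, so without
            // this reset the final assertion could pass even if validate() attached nothing.
            credentials.setUserProfile(null);
            request.removeAllParameters();
            request.addParameter("grant_type", OAuth20GrantTypes.REFRESH_TOKEN.name());
            request.addParameter("client_id", registeredService.getClientId());
            request.addParameter("client_secret", "serviceWithoutSecret");
            request.addParameter("refresh_token", refreshToken.getId());
            this.oauthClientAuthenticator.validate(new CallContext(webContext, JEESessionStore.INSTANCE), credentials);
            Assertions.assertNotNull(credentials.getUserProfile());
        }

        /**
         * For {@code serviceWithAttributesMapping} the resulting profile id must equal the
         * lower-cased username, {@code eduPersonAffiliation} must be present and
         * {@code groupMembership} must be absent from the profile.
         */
        @Test
        public void verifyAuthenticationWithAttributesMapping() {
            UsernamePasswordCredentials credentials =
                new UsernamePasswordCredentials(this.serviceWithAttributesMapping.getClientId(), "secret");
            CallContext callContext = new CallContext(
                new JEEContext(new MockHttpServletRequest(), new MockHttpServletResponse()), JEESessionStore.INSTANCE);
            this.oauthClientAuthenticator.validate(callContext, credentials);
            Assertions.assertNotNull(credentials.getUserProfile());
            Assertions.assertEquals(credentials.getUsername().toLowerCase(), credentials.getUserProfile().getId());
            Assertions.assertNotNull(credentials.getUserProfile().getAttribute("eduPersonAffiliation"));
            // Guards against an attribute being released that the test expects to be withheld.
            Assertions.assertNull(credentials.getUserProfile().getAttribute("groupMembership"));
        }
    }

    /**
     * Cases that run with {@link NullPrincipalTestConfiguration} imported, so the
     * {@code defaultPrincipalResolver} bean resolves every credential to
     * {@link NullPrincipal}.
     */
    @Import({NullPrincipalTestConfiguration.class})
    @Nested
    public class NullPrincipalResolutionTests extends BaseOAuth20AuthenticatorTests {
        public NullPrincipalResolutionTests() {
        }

        /**
         * Even when principal resolution yields {@link NullPrincipal}, validation must still
         * attach a profile, and its id must equal the username exactly as supplied.
         */
        @Test
        public void verifyAuthenticationWithoutResolvedPrincipal() {
            UsernamePasswordCredentials credentials =
                new UsernamePasswordCredentials("serviceWithAttributesMapping", "secret");
            // The service saved here has a client id only; no secret is set on it.
            OAuthRegisteredService registeredService = new OAuthRegisteredService();
            registeredService.setClientId(credentials.getUsername());
            this.servicesManager.save(registeredService);
            CallContext callContext = new CallContext(
                new JEEContext(new MockHttpServletRequest(), new MockHttpServletResponse()), JEESessionStore.INSTANCE);
            this.oauthClientAuthenticator.validate(callContext, credentials);
            Assertions.assertNotNull(credentials.getUserProfile());
            Assertions.assertEquals(credentials.getUsername(), credentials.getUserProfile().getId());
        }
    }

    /**
     * Test-only Spring configuration that supplies a {@code defaultPrincipalResolver} bean
     * backed by a Mockito mock.
     */
    @TestConfiguration(value = "NullPrincipalTestConfiguration", proxyBeanMethods = false)
    public static class NullPrincipalTestConfiguration {
        /**
         * Builds a mocked resolver whose single-argument {@code resolve} returns the
         * {@link NullPrincipal} singleton for any credential.
         *
         * @return the mocked principal resolver
         */
        @Bean
        public PrincipalResolver defaultPrincipalResolver() {
            PrincipalResolver resolver = (PrincipalResolver) Mockito.mock(PrincipalResolver.class);
            Mockito.when(resolver.resolve((Credential) Mockito.any())).thenReturn(NullPrincipal.getInstance());
            return resolver;
        }
    }
}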
