package org.apereo.cas.support.oauth.validator.token;

import java.time.Clock;
import java.time.ZonedDateTime;
import java.util.UUID;
import org.apereo.cas.AbstractOAuth20Tests;
import org.apereo.cas.mock.MockTicketGrantingTicket;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceTestUtils;
import org.apereo.cas.support.oauth.OAuth20GrantTypes;
import org.apereo.cas.ticket.expiration.NeverExpiresExpirationPolicy;
import org.apereo.cas.ticket.refreshtoken.OAuth20RefreshToken;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.EncodingUtils;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;
import org.mockito.Mockito;
import org.pac4j.core.profile.CommonProfile;
import org.pac4j.jee.context.JEEContext;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.test.context.TestPropertySource;

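@Tag("OAuth")
@TestPropertySource(properties = {"cas.authn.oauth.session-replication.replicate-sessions=false"})
/**
 * Tests for the {@code refresh_token} grant-type request validator.
 *
 * <p>Three registered services are set up, each with its own client id and one
 * refresh token registered in the ticket registry:
 * <ul>
 *   <li>a service that allows only the {@code refresh_token} grant,</li>
 *   <li>a service that allows only the {@code password} grant (so a refresh-token
 *       request for it must be rejected),</li>
 *   <li>a "promiscuous" service built by
 *       {@code RequestValidatorTestUtils.getPromiscuousService} (presumably permissive
 *       about grant types; its request is expected to validate).</li>
 * </ul>
 * The tests exercise both client-authentication styles (client_secret_post and
 * client_secret_basic) and check that a refresh token issued to one client cannot be
 * redeemed by a different client.
 */
class OAuth20RefreshTokenGrantTypeTokenRequestValidatorTests extends AbstractOAuth20Tests {
    /** Refresh token registered for the client whose service allows the refresh_token grant. */
    private static final String SUPPORTING_TICKET = "RT-SUPPORTING";

    /** Refresh token registered for the client whose service allows only the password grant. */
    private static final String NON_SUPPORTING_TICKET = "RT-NON-SUPPORTING";

    /** Refresh token registered for the promiscuous client. */
    private static final String PROMISCUOUS_TICKET = "RT-PROMISCUOUS";

    private static final String SUPPORTING_CLIENT_ID = UUID.randomUUID().toString();
    private static final String NON_SUPPORTING_CLIENT_ID = UUID.randomUUID().toString();
    private static final String PROMISCUOUS_CLIENT_ID = UUID.randomUUID().toString();

    /** Shared secret used for every test service; each service is registered with this value. */
    private static final String CLIENT_SECRET = "secret";

    @Autowired
    @Qualifier("oauthRefreshTokenGrantTypeTokenRequestValidator")
    private OAuth20TokenRequestValidator validator;

    /**
     * Registers the three test services and one refresh token per client.
     *
     * @throws Throwable if a ticket cannot be added to the registry
     */
    @BeforeEach
    public void before() throws Throwable {
        final RegisteredService supporting = RequestValidatorTestUtils.getService(
            "https://google.com", SUPPORTING_CLIENT_ID, SUPPORTING_CLIENT_ID, CLIENT_SECRET,
            CollectionUtils.wrapSet(OAuth20GrantTypes.REFRESH_TOKEN));
        final RegisteredService nonSupporting = RequestValidatorTestUtils.getService(
            "https://example.com", NON_SUPPORTING_CLIENT_ID, NON_SUPPORTING_CLIENT_ID, CLIENT_SECRET,
            CollectionUtils.wrapSet(OAuth20GrantTypes.PASSWORD));
        final RegisteredService promiscuous = RequestValidatorTestUtils.getPromiscuousService(
            "https://another.example.com", PROMISCUOUS_CLIENT_ID, PROMISCUOUS_CLIENT_ID, CLIENT_SECRET);
        this.servicesManager.save(new RegisteredService[]{supporting, nonSupporting, promiscuous});

        registerTicket(SUPPORTING_TICKET, SUPPORTING_CLIENT_ID);
        registerTicket(NON_SUPPORTING_TICKET, NON_SUPPORTING_CLIENT_ID);
        registerTicket(PROMISCUOUS_TICKET, PROMISCUOUS_CLIENT_ID);
    }

    /**
     * A refresh token issued to one client must not be accepted when presented by another
     * client, even if that other client authenticates correctly and its service would
     * otherwise allow the grant. This is the token/client binding check.
     */
    @Test
    void verifyRefreshTokenFromAnotherClientId() throws Throwable {
        final MockHttpServletRequest request = new MockHttpServletRequest();
        final MockHttpServletResponse response = new MockHttpServletResponse();
        storeClientProfile(request, SUPPORTING_CLIENT_ID);

        request.setParameter("grant_type", OAuth20GrantTypes.REFRESH_TOKEN.getType());
        // Request is made as the promiscuous client but carries the supporting client's token.
        request.setParameter("client_id", PROMISCUOUS_CLIENT_ID);
        request.setParameter("client_secret", CLIENT_SECRET);
        request.setParameter("refresh_token", SUPPORTING_TICKET);
        Assertions.assertFalse(validate(request, response));
    }

    /**
     * Client credentials sent as form parameters (client_secret_post): the request is valid
     * only when the authenticated client's service allows the refresh_token grant and the
     * token belongs to that client.
     */
    @Test
    void verifyOperationClientSecretPost() throws Throwable {
        final MockHttpServletRequest request = new MockHttpServletRequest();
        final MockHttpServletResponse response = new MockHttpServletResponse();
        request.setParameter("grant_type", OAuth20GrantTypes.REFRESH_TOKEN.getType());
        request.setParameter("client_secret", CLIENT_SECRET);

        storeClientProfile(request, SUPPORTING_CLIENT_ID);
        request.setParameter("client_id", SUPPORTING_CLIENT_ID);
        request.setParameter("refresh_token", SUPPORTING_TICKET);
        Assertions.assertTrue(validate(request, response));

        // Service registered with only the password grant: refresh_token must be refused.
        storeClientProfile(request, NON_SUPPORTING_CLIENT_ID);
        request.setParameter("client_id", NON_SUPPORTING_CLIENT_ID);
        request.setParameter("refresh_token", NON_SUPPORTING_TICKET);
        Assertions.assertFalse(validate(request, response));

        storeClientProfile(request, PROMISCUOUS_CLIENT_ID);
        request.setParameter("client_id", PROMISCUOUS_CLIENT_ID);
        request.setParameter("refresh_token", PROMISCUOUS_TICKET);
        Assertions.assertTrue(validate(request, response));
    }

    /**
     * Client credentials sent in an HTTP Basic {@code Authorization} header
     * (client_secret_basic); same expectations as the form-parameter variant.
     */
    @Test
    void verifyOperationClientSecretBasic() throws Throwable {
        final MockHttpServletRequest request = new MockHttpServletRequest();
        final MockHttpServletResponse response = new MockHttpServletResponse();
        request.setParameter("grant_type", OAuth20GrantTypes.REFRESH_TOKEN.getType());

        storeClientProfile(request, SUPPORTING_CLIENT_ID);
        setBasicAuthorization(request, SUPPORTING_CLIENT_ID);
        request.setParameter("refresh_token", SUPPORTING_TICKET);
        Assertions.assertTrue(validate(request, response));

        // Service registered with only the password grant: refresh_token must be refused.
        storeClientProfile(request, NON_SUPPORTING_CLIENT_ID);
        setBasicAuthorization(request, NON_SUPPORTING_CLIENT_ID);
        request.setParameter("refresh_token", NON_SUPPORTING_TICKET);
        Assertions.assertFalse(validate(request, response));

        storeClientProfile(request, PROMISCUOUS_CLIENT_ID);
        setBasicAuthorization(request, PROMISCUOUS_CLIENT_ID);
        request.setParameter("refresh_token", PROMISCUOUS_TICKET);
        Assertions.assertTrue(validate(request, response));
    }

    /**
     * Stores a client profile with the given id into the request's session, replacing any
     * previously stored profile.
     *
     * @param request  the request whose session receives the profile
     * @param clientId the client id the profile should carry
     */
    private void storeClientProfile(final MockHttpServletRequest request, final String clientId) throws Throwable {
        final CommonProfile profile = new CommonProfile();
        profile.setClientName("clientBasicAuth");
        profile.setId(clientId);
        storeProfileIntoSession(request, profile);
    }

    /**
     * Replaces the {@code Authorization} header with HTTP Basic credentials for the given client.
     * The header is removed first because {@code addHeader} would otherwise append a second value.
     */
    private static void setBasicAuthorization(final MockHttpServletRequest request, final String clientId) {
        request.removeHeader("Authorization");
        request.addHeader("Authorization", "Basic " + EncodingUtils.encodeBase64(clientId + ':' + CLIENT_SECRET));
    }

    /**
     * Runs the validator under test against the given request/response pair.
     *
     * @return {@code true} when the validator accepts the request
     */
    private boolean validate(final MockHttpServletRequest request, final MockHttpServletResponse response) throws Throwable {
        return this.validator.validate(new JEEContext(request, response));
    }

    /**
     * Adds a mocked, non-expired refresh token to the ticket registry.
     *
     * @param ticketId the refresh token id
     * @param clientId the client id the token is bound to; the cross-client test relies on
     *                 the validator comparing this against the requesting client
     * @throws Throwable if the registry refuses the ticket
     */
    private void registerTicket(final String ticketId, final String clientId) throws Throwable {
        final MockTicketGrantingTicket tgt = new MockTicketGrantingTicket(AbstractOAuth20Tests.ID);
        final OAuth20RefreshToken refreshToken = Mockito.mock(OAuth20RefreshToken.class);
        Mockito.when(refreshToken.getId()).thenReturn(ticketId);
        Mockito.when(refreshToken.getService()).thenReturn(RegisteredServiceTestUtils.getService(ticketId));
        Mockito.when(refreshToken.isExpired()).thenReturn(false);
        Mockito.when(refreshToken.getAuthentication()).thenReturn(tgt.getAuthentication());
        Mockito.when(refreshToken.getTicketGrantingTicket()).thenReturn(tgt);
        Mockito.when(refreshToken.getClientId()).thenReturn(clientId);
        Mockito.when(refreshToken.getExpirationPolicy()).thenReturn(NeverExpiresExpirationPolicy.INSTANCE);
        Mockito.when(refreshToken.getCreationTime()).thenReturn(ZonedDateTime.now(Clock.systemUTC()));
        this.ticketRegistry.addTicket(refreshToken);
    }
}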
