package org.apereo.cas.support.oauth.validator.token;

import java.util.HashMap;
import java.util.HashSet;
import java.util.UUID;
import org.apereo.cas.AbstractOAuth20Tests;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.authentication.principal.PrincipalFactoryUtils;
import org.apereo.cas.authentication.principal.WebApplicationServiceFactory;
import org.apereo.cas.mock.MockTicketGrantingTicket;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceTestUtils;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.oauth.OAuth20GrantTypes;
import org.apereo.cas.support.oauth.OAuth20ResponseTypes;
import org.apereo.cas.support.oauth.authenticator.OAuth20DefaultCasAuthenticationBuilder;
import org.apereo.cas.support.oauth.profile.DefaultOAuth20ProfileScopeToAttributesFilter;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.ticket.ExpirationPolicy;
import org.apereo.cas.ticket.ExpirationPolicyBuilder;
import org.apereo.cas.ticket.accesstoken.OAuth20AccessToken;
import org.apereo.cas.ticket.code.OAuth20Code;
import org.apereo.cas.ticket.code.OAuth20CodeExpirationPolicy;
import org.apereo.cas.ticket.code.OAuth20DefaultOAuthCodeFactory;
import org.apereo.cas.ticket.tracking.TicketTrackingPolicy;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.DefaultUniqueTicketIdGenerator;
import org.apereo.cas.util.crypto.CipherExecutor;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Nested;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;
import org.mockito.Mockito;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.profile.CommonProfile;
import org.pac4j.jee.context.JEEContext;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.test.context.TestPropertySource;

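/**
 * Tests for the token request validator registered under the bean name
 * {@code oauthAuthorizationCodeGrantTypeTokenRequestValidator}.
 *
 * <p>The cases cover what a token endpoint has to refuse before it exchanges an
 * authorization code: an unknown code, a missing code, a code presented by a
 * client it was not issued for, an unsupported or disallowed {@code grant_type},
 * and an expired code. RFC 6749 section 4.1.2 requires a code that is used more
 * than once to be denied and recommends revoking tokens already issued from it;
 * the revocation tests here exercise the expired-code path by calling
 * {@code markTicketExpired()} rather than by replaying a code.
 *
 * <p>Client ids are random per run. The client secret {@code "secret"} and the
 * service URLs are test fixtures only.
 */
@Tag("OAuth")
@TestPropertySource(properties = {"cas.authn.oauth.session-replication.replicate-sessions=false"})
class OAuth20AuthorizationCodeGrantTypeTokenRequestValidatorTests {
    // Client registered with the authorization_code grant only.
    private static final String SUPPORTING_CLIENT_ID = UUID.randomUUID().toString();
    // Client registered with the password grant only, so a code exchange must be refused.
    private static final String NON_SUPPORTING_CLIENT_ID = UUID.randomUUID().toString();
    // Client built by RequestValidatorTestUtils.getPromiscuousService (no grant types passed here).
    private static final String PROMISCUOUS_CLIENT_ID = UUID.randomUUID().toString();

    /**
     * Validator behaviour with the default configuration (only session replication
     * is switched off by the enclosing class).
     */
    @Nested
    class DefaultTests extends AbstractOAuth20Tests {
        private OAuth20Code supportingServiceTicket;
        private OAuth20Code nonSupportingServiceTicket;
        private OAuth20Code promiscuousServiceTicket;

        @Autowired
        @Qualifier("oauthAuthorizationCodeGrantTypeTokenRequestValidator")
        private OAuth20TokenRequestValidator validator;

        /**
         * Registers three services and stores one authorization code per service in the
         * ticket registry before every test.
         *
         * @throws Throwable if service or ticket registration fails
         */
        @BeforeEach
        public void before() throws Throwable {
            // Declared as OAuthRegisteredService because registerTicket() requires that type.
            final OAuthRegisteredService supportingService = RequestValidatorTestUtils.getService(
                "https://google.com",
                OAuth20AuthorizationCodeGrantTypeTokenRequestValidatorTests.SUPPORTING_CLIENT_ID,
                OAuth20AuthorizationCodeGrantTypeTokenRequestValidatorTests.SUPPORTING_CLIENT_ID,
                "secret",
                CollectionUtils.wrapSet(OAuth20GrantTypes.AUTHORIZATION_CODE));
            final OAuthRegisteredService nonSupportingService = RequestValidatorTestUtils.getService(
                "https://example.com",
                OAuth20AuthorizationCodeGrantTypeTokenRequestValidatorTests.NON_SUPPORTING_CLIENT_ID,
                OAuth20AuthorizationCodeGrantTypeTokenRequestValidatorTests.NON_SUPPORTING_CLIENT_ID,
                "secret",
                CollectionUtils.wrapSet(OAuth20GrantTypes.PASSWORD));
            final OAuthRegisteredService promiscuousService = RequestValidatorTestUtils.getPromiscuousService(
                "https://another.example.com",
                OAuth20AuthorizationCodeGrantTypeTokenRequestValidatorTests.PROMISCUOUS_CLIENT_ID,
                OAuth20AuthorizationCodeGrantTypeTokenRequestValidatorTests.PROMISCUOUS_CLIENT_ID,
                "secret");

            this.supportingServiceTicket = registerTicket(supportingService);
            this.nonSupportingServiceTicket = registerTicket(nonSupportingService);
            this.promiscuousServiceTicket = registerTicket(promiscuousService);
            this.servicesManager.save(new RegisteredService[]{supportingService, nonSupportingService, promiscuousService});
        }

        /**
         * A code value that was never stored in the ticket registry must be rejected.
         */
        @Test
        void verifyBadToken() throws Throwable {
            final MockHttpServletRequest request = new MockHttpServletRequest();
            final MockHttpServletResponse response = new MockHttpServletResponse();

            final CommonProfile profile = new CommonProfile();
            profile.setClientName("clientBasicAuth");
            profile.setId(OAuth20AuthorizationCodeGrantTypeTokenRequestValidatorTests.SUPPORTING_CLIENT_ID);
            storeProfileIntoSession(request, profile);

            request.setParameter("grant_type", OAuth20GrantTypes.AUTHORIZATION_CODE.getType());
            request.setParameter("redirect_uri", "https://google.com");
            request.setParameter("code", "UnknownToken");

            Assertions.assertFalse(this.validator.validate(new JEEContext(request, response)));
        }

        /**
         * The authenticated client is the supporting one, but the code it presents was
         * created for the non-supporting service, so the exchange must be rejected.
         * This is the code-to-client binding case: a code obtained for one client must
         * not be redeemable by another.
         */
        @Test
        void verifyBadService() throws Throwable {
            final MockHttpServletRequest request = new MockHttpServletRequest();
            final MockHttpServletResponse response = new MockHttpServletResponse();

            final CommonProfile profile = new CommonProfile();
            profile.setClientName("clientBasicAuth");
            profile.setId(OAuth20AuthorizationCodeGrantTypeTokenRequestValidatorTests.SUPPORTING_CLIENT_ID);
            storeProfileIntoSession(request, profile);

            request.setParameter("grant_type", OAuth20GrantTypes.AUTHORIZATION_CODE.getType());
            request.setParameter("redirect_uri", "https://google.com");
            request.setParameter("code", this.nonSupportingServiceTicket.getId());

            Assertions.assertFalse(this.validator.validate(new JEEContext(request, response)));
        }

        /**
         * A request that carries no {@code code} parameter at all must be rejected.
         */
        @Test
        void verifyBadRequest() throws Throwable {
            final MockHttpServletRequest request = new MockHttpServletRequest();
            final MockHttpServletResponse response = new MockHttpServletResponse();

            final CommonProfile profile = new CommonProfile();
            profile.setClientName("clientBasicAuth");
            profile.setId(OAuth20AuthorizationCodeGrantTypeTokenRequestValidatorTests.SUPPORTING_CLIENT_ID);
            storeProfileIntoSession(request, profile);

            request.setParameter("grant_type", OAuth20GrantTypes.AUTHORIZATION_CODE.getType());
            request.setParameter("redirect_uri", "https://google.com");

            Assertions.assertFalse(this.validator.validate(new JEEContext(request, response)));
        }

        /**
         * Presents an expired code and expects the request to be rejected and the code
         * to be gone from the ticket registry afterwards.
         *
         * <p>NOTE(review): the final assertion looks up {@code accessToken.getToken()},
         * which is the id of the {@link OAuth20Code} fetched above, not the access
         * token's own id. As written it proves the expired code was removed; it does
         * not by itself prove that the access token was revoked, despite the test name.
         */
        @Test
        void verifyUnknownCodeRevokesPreviousAccessTokens() throws Throwable {
            final MockHttpServletRequest request = new MockHttpServletRequest();
            final MockHttpServletResponse response = new MockHttpServletResponse();

            final CommonProfile profile = new CommonProfile();
            profile.setClientName("clientBasicAuth");
            profile.setId(OAuth20AuthorizationCodeGrantTypeTokenRequestValidatorTests.SUPPORTING_CLIENT_ID);
            storeProfileIntoSession(request, profile);

            final OAuth20AccessToken accessToken = addAccessToken(
                PrincipalFactoryUtils.newPrincipalFactory().createPrincipal(AbstractOAuth20Tests.ID),
                addRegisteredService());
            // The access token records the id of the code it is associated with.
            final OAuth20Code code = this.ticketRegistry.getTicket(accessToken.getToken(), OAuth20Code.class);
            Assertions.assertNotNull(code);
            code.markTicketExpired();

            request.setParameter("code", code.getId());
            // Re-authenticate the same request as the promiscuous client before validating.
            profile.setId(OAuth20AuthorizationCodeGrantTypeTokenRequestValidatorTests.PROMISCUOUS_CLIENT_ID);
            request.setParameter("grant_type", OAuth20GrantTypes.AUTHORIZATION_CODE.getType());
            request.setParameter("redirect_uri", "https://another.example.com");
            storeProfileIntoSession(request, profile);

            Assertions.assertFalse(this.validator.validate(new JEEContext(request, response)));
            Assertions.assertNull(this.ticketRegistry.getTicket(accessToken.getToken()));
        }

        /**
         * Walks one request through accepted and rejected combinations of client,
         * grant type, redirect URI and code. The request and profile are mutated in
         * place, so the order of the steps matters.
         */
        @Test
        void verifyOperation() throws Throwable {
            final MockHttpServletRequest request = new MockHttpServletRequest();
            final MockHttpServletResponse response = new MockHttpServletResponse();

            final CommonProfile profile = new CommonProfile();
            profile.setClientName("clientBasicAuth");
            profile.setId(OAuth20AuthorizationCodeGrantTypeTokenRequestValidatorTests.SUPPORTING_CLIENT_ID);
            storeProfileIntoSession(request, profile);

            // Supporting client, its own code and redirect URI: accepted.
            request.setParameter("grant_type", OAuth20GrantTypes.AUTHORIZATION_CODE.getType());
            request.setParameter("redirect_uri", "https://google.com");
            request.setParameter("code", this.supportingServiceTicket.getId());
            Assertions.assertTrue(this.validator.validate(new JEEContext(request, response)));

            // Same request with a grant type that does not exist: rejected.
            request.setParameter("grant_type", "unsupported");
            Assertions.assertFalse(this.validator.validate(new JEEContext(request, response)));

            // Same request with a real grant type that is not authorization_code: rejected.
            request.setParameter("grant_type", OAuth20GrantTypes.PASSWORD.getType());
            Assertions.assertFalse(this.validator.validate(new JEEContext(request, response)));

            // Client registered for the password grant only tries a code exchange: rejected.
            request.setParameter("grant_type", OAuth20GrantTypes.AUTHORIZATION_CODE.getType());
            request.setParameter("code", this.nonSupportingServiceTicket.getId());
            request.setParameter("redirect_uri", "https://example.com");
            profile.setId(OAuth20AuthorizationCodeGrantTypeTokenRequestValidatorTests.NON_SUPPORTING_CLIENT_ID);
            storeProfileIntoSession(request, profile);
            Assertions.assertFalse(this.validator.validate(new JEEContext(request, response)));

            // Promiscuous client with its own code and redirect URI: accepted.
            request.setParameter("code", this.promiscuousServiceTicket.getId());
            profile.setId(OAuth20AuthorizationCodeGrantTypeTokenRequestValidatorTests.PROMISCUOUS_CLIENT_ID);
            request.setParameter("redirect_uri", "https://another.example.com");
            storeProfileIntoSession(request, profile);
            Assertions.assertTrue(this.validator.validate(new JEEContext(request, response)));
        }

        /**
         * Creates an authorization code for the given service and stores it in the
         * ticket registry.
         *
         * @param oAuthRegisteredService the service the code is created for
         * @return the code that was added to the ticket registry
         * @throws Throwable if the code cannot be created or stored
         */
        private OAuth20Code registerTicket(OAuthRegisteredService oAuthRegisteredService) throws Throwable {
            final ExpirationPolicyBuilder expirationPolicyBuilder = new ExpirationPolicyBuilder() {
                private static final long serialVersionUID = 3911344031977989503L;

                @Override
                public ExpirationPolicy buildTicketExpirationPolicy() {
                    // presumably one permitted use and a 60-second lifetime; confirm
                    // against OAuth20CodeExpirationPolicy
                    return new OAuth20CodeExpirationPolicy(1L, 60L);
                }
            };
            // The factory gets a mocked ServicesManager, a no-op cipher and no ticket tracking.
            final OAuth20DefaultOAuthCodeFactory codeFactory = new OAuth20DefaultOAuthCodeFactory(
                new DefaultUniqueTicketIdGenerator(),
                expirationPolicyBuilder,
                Mockito.mock(ServicesManager.class),
                CipherExecutor.noOpOfStringToString(),
                TicketTrackingPolicy.noOp());
            final OAuth20DefaultCasAuthenticationBuilder authenticationBuilder = new OAuth20DefaultCasAuthenticationBuilder(
                PrincipalFactoryUtils.newPrincipalFactory(),
                new WebApplicationServiceFactory(),
                new DefaultOAuth20ProfileScopeToAttributesFilter(),
                this.oauthRequestParameterResolver,
                this.casProperties);

            // NOTE(review): "clientid12345" is a fixed literal and differs from the random
            // client id the service was registered with; which parameter it fills is not
            // visible from this file.
            final OAuth20Code code = codeFactory.create(
                authenticationBuilder.buildService(oAuthRegisteredService, (WebContext) null, false),
                RegisteredServiceTestUtils.getAuthentication(),
                new MockTicketGrantingTicket(AbstractOAuth20Tests.ID),
                new HashSet<>(),
                (String) null,
                (String) null,
                "clientid12345",
                new HashMap<>(),
                OAuth20ResponseTypes.CODE,
                OAuth20GrantTypes.AUTHORIZATION_CODE);
            this.ticketRegistry.addTicket(code);
            return code;
        }
    }

    /**
     * Validator behaviour with {@code cas.authn.oauth.code.remove-related-access-tokens=true}.
     */
    @Nested
    @TestPropertySource(properties = {"cas.authn.oauth.code.remove-related-access-tokens=true"})
    class RemovingInvalidTokenTests extends AbstractOAuth20Tests {

        @Autowired
        @Qualifier("oauthAuthorizationCodeGrantTypeTokenRequestValidator")
        private OAuth20TokenRequestValidator validator;

        /**
         * Issues two access tokens from the same code, expires the code, presents it
         * again, and expects the request to be rejected and both access tokens to be
         * absent from the ticket registry. The lookups use each access token's own id,
         * so this test does assert revocation of the tokens derived from the code.
         */
        @Test
        void verifyPreviousAccessTokensRemoved() throws Throwable {
            final MockHttpServletRequest request = new MockHttpServletRequest();
            final MockHttpServletResponse response = new MockHttpServletResponse();

            final CommonProfile profile = new CommonProfile();
            profile.setClientName("clientBasicAuth");
            profile.setId(OAuth20AuthorizationCodeGrantTypeTokenRequestValidatorTests.SUPPORTING_CLIENT_ID);
            storeProfileIntoSession(request, profile);

            final Principal principal = PrincipalFactoryUtils.newPrincipalFactory().createPrincipal(AbstractOAuth20Tests.ID);
            final OAuthRegisteredService registeredService =
                addRegisteredService("https://another.example.com", UUID.randomUUID().toString());
            final OAuth20Code code = addCode(principal, registeredService);

            final OAuth20AccessToken firstAccessToken = addAccessToken(principal, registeredService, code.getId());
            Assertions.assertNotNull(firstAccessToken);
            final OAuth20AccessToken secondAccessToken = addAccessToken(principal, registeredService, code.getId());
            Assertions.assertNotNull(secondAccessToken);

            code.markTicketExpired();

            request.setParameter("code", code.getId());
            // Present the expired code as the client the service was registered with.
            profile.setId(registeredService.getClientId());
            request.setParameter("grant_type", OAuth20GrantTypes.AUTHORIZATION_CODE.getType());
            request.setParameter("redirect_uri", registeredService.getServiceId());
            storeProfileIntoSession(request, profile);

            Assertions.assertFalse(this.validator.validate(new JEEContext(request, response)));
            Assertions.assertNull(this.ticketRegistry.getTicket(firstAccessToken.getId()));
            Assertions.assertNull(this.ticketRegistry.getTicket(secondAccessToken.getId()));
        }
    }
}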
