package org.apereo.cas.support.oauth.web.endpoints;

import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.stream.Stream;
import org.apereo.cas.AbstractOAuth20Tests;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.CoreAuthenticationTestUtils;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.authentication.principal.WebApplicationServiceFactory;
import org.apereo.cas.mock.MockTicketGrantingTicket;
import org.apereo.cas.support.oauth.OAuth20ClientAuthenticationMethods;
import org.apereo.cas.support.oauth.OAuth20GrantTypes;
import org.apereo.cas.support.oauth.OAuth20ResponseTypes;
import org.apereo.cas.support.oauth.OAuth20TokenExchangeTypes;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.ticket.accesstoken.OAuth20AccessToken;
import org.apereo.cas.ticket.code.OAuth20Code;
import org.apereo.cas.ticket.code.OAuth20DefaultOAuthCodeFactory;
import org.apereo.cas.ticket.refreshtoken.OAuth20DefaultRefreshTokenFactory;
import org.apereo.cas.ticket.refreshtoken.OAuth20RefreshToken;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.DefaultUniqueTicketIdGenerator;
import org.apereo.cas.util.crypto.CertUtils;
import org.apereo.cas.util.crypto.CipherExecutor;
import org.apereo.cas.util.http.HttpUtils;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Nested;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.MethodSource;
import org.pac4j.core.profile.CommonProfile;
import org.pac4j.core.profile.ProfileManager;
import org.pac4j.jee.context.JEEContext;
import org.springframework.core.io.ClassPathResource;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatusCode;
import org.springframework.http.MediaType;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.test.context.TestPropertySource;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.result.MockMvcResultMatchers;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.servlet.ModelAndView;

@Tag("OAuthWeb")
/* loaded from: input_file:org/apereo/cas/support/oauth/web/endpoints/OAuth20AccessTokenEndpointControllerTests.class */
class OAuth20AccessTokenEndpointControllerTests {

    @Nested
    @TestPropertySource(properties = {"cas.ticket.track-descendant-tickets=false"})
    /* loaded from: input_file:org/apereo/cas/support/oauth/web/endpoints/OAuth20AccessTokenEndpointControllerTests$DefaultTests.class */
    class DefaultTests extends AbstractOAuth20Tests {
        DefaultTests(OAuth20AccessTokenEndpointControllerTests oAuth20AccessTokenEndpointControllerTests) {
        }

        public static Stream<OAuthRegisteredService> getParameters() {
            return Stream.of((Object[]) new OAuthRegisteredService[]{getRegisteredService(AbstractOAuth20Tests.REDIRECT_URI, "secret", (Set<OAuth20GrantTypes>) CollectionUtils.wrapSet(OAuth20GrantTypes.AUTHORIZATION_CODE)), getRegisteredService(AbstractOAuth20Tests.REDIRECT_URI, "secret", EnumSet.noneOf(OAuth20GrantTypes.class))});
        }

        @BeforeEach
        public void initialize() {
            this.ticketRegistry.deleteAll();
        }

        @MethodSource({"getParameters"})
        @ParameterizedTest
        void verifyClientNoClientId(OAuthRegisteredService oAuthRegisteredService) throws Throwable {
            MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest(HttpMethod.GET.name(), "/oauth2.0/accessToken");
            mockHttpServletRequest.setParameter("redirect_uri", AbstractOAuth20Tests.REDIRECT_URI);
            mockHttpServletRequest.setParameter("client_secret", "secret");
            mockHttpServletRequest.setParameter("grant_type", OAuth20GrantTypes.AUTHORIZATION_CODE.name().toLowerCase(Locale.ENGLISH));
            Principal createPrincipal = createPrincipal();
            this.servicesManager.save(oAuthRegisteredService);
            mockHttpServletRequest.setParameter("code", addCode(createPrincipal, oAuthRegisteredService).getId());
            MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
            this.requiresAuthenticationInterceptor.preHandle(mockHttpServletRequest, mockHttpServletResponse, (Object) null);
            ModelAndView handleRequest = this.accessTokenController.handleRequest(mockHttpServletRequest, mockHttpServletResponse);
            Assertions.assertEquals(401, mockHttpServletResponse.getStatus());
            Assertions.assertEquals("invalid_grant", handleRequest.getModel().get("error"));
        }

        @Test
        void verifyClientNoRedirectUri() throws Throwable {
            Principal createPrincipal = createPrincipal();
            OAuthRegisteredService addRegisteredService = addRegisteredService(CollectionUtils.wrapSet(OAuth20GrantTypes.AUTHORIZATION_CODE));
            OAuth20Code addCode = addCode(createPrincipal, addRegisteredService);
            MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest(HttpMethod.GET.name(), "/oauth2.0/accessToken");
            mockHttpServletRequest.setParameter("client_id", addRegisteredService.getClientId());
            mockHttpServletRequest.setParameter("client_secret", "secret");
            mockHttpServletRequest.setParameter("grant_type", OAuth20GrantTypes.AUTHORIZATION_CODE.name().toLowerCase(Locale.ENGLISH));
            mockHttpServletRequest.setParameter("code", addCode.getId());
            MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
            this.requiresAuthenticationInterceptor.preHandle(mockHttpServletRequest, mockHttpServletResponse, (Object) null);
            ModelAndView handleRequest = this.accessTokenController.handleRequest(mockHttpServletRequest, mockHttpServletResponse);
            Assertions.assertEquals(400, mockHttpServletResponse.getStatus());
            Assertions.assertEquals("invalid_grant", handleRequest.getModel().get("error"));
        }

        @Test
        void verifyClientNoAuthorizationCode() throws Throwable {
            Principal createPrincipal = createPrincipal();
            OAuthRegisteredService addRegisteredService = addRegisteredService(CollectionUtils.wrapSet(OAuth20GrantTypes.AUTHORIZATION_CODE));
            OAuth20Code addCode = addCode(createPrincipal, addRegisteredService);
            MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest(HttpMethod.GET.name(), "/oauth2.0/accessToken");
            mockHttpServletRequest.setParameter("client_id", addRegisteredService.getClientId());
            mockHttpServletRequest.setParameter("redirect_uri", AbstractOAuth20Tests.REDIRECT_URI);
            mockHttpServletRequest.setParameter("client_secret", "secret");
            mockHttpServletRequest.setParameter("code", addCode.getId());
            MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
            this.requiresAuthenticationInterceptor.preHandle(mockHttpServletRequest, mockHttpServletResponse, (Object) null);
            ModelAndView handleRequest = this.accessTokenController.handleRequest(mockHttpServletRequest, mockHttpServletResponse);
            Assertions.assertEquals(400, mockHttpServletResponse.getStatus());
            Assertions.assertEquals("invalid_request", handleRequest.getModel().get("error"));
        }

        @Test
        void verifyClientBadGrantType() throws Throwable {
            Principal createPrincipal = createPrincipal();
            OAuthRegisteredService addRegisteredService = addRegisteredService(CollectionUtils.wrapSet(OAuth20GrantTypes.AUTHORIZATION_CODE));
            OAuth20Code addCode = addCode(createPrincipal, addRegisteredService);
            MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest(HttpMethod.GET.name(), "/oauth2.0/accessToken");
            mockHttpServletRequest.setParameter("client_id", addRegisteredService.getClientId());
            mockHttpServletRequest.setParameter("redirect_uri", AbstractOAuth20Tests.REDIRECT_URI);
            mockHttpServletRequest.setParameter("client_secret", "secret");
            mockHttpServletRequest.setParameter("grant_type", "badValue");
            mockHttpServletRequest.setParameter("code", addCode.getId());
            MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
            this.requiresAuthenticationInterceptor.preHandle(mockHttpServletRequest, mockHttpServletResponse, (Object) null);
            ModelAndView handleRequest = this.accessTokenController.handleRequest(mockHttpServletRequest, mockHttpServletResponse);
            Assertions.assertEquals(400, mockHttpServletResponse.getStatus());
            Assertions.assertEquals("invalid_request", handleRequest.getModel().get("error"));
        }

        @Test
        void verifyClientDisallowedGrantType() throws Throwable {
            Principal createPrincipal = createPrincipal();
            OAuthRegisteredService addRegisteredService = addRegisteredService(CollectionUtils.wrapSet(OAuth20GrantTypes.AUTHORIZATION_CODE));
            OAuth20Code addCode = addCode(createPrincipal, addRegisteredService);
            MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest(HttpMethod.GET.name(), "/oauth2.0/accessToken");
            mockHttpServletRequest.setParameter("client_id", addRegisteredService.getClientId());
            mockHttpServletRequest.setParameter("redirect_uri", AbstractOAuth20Tests.REDIRECT_URI);
            mockHttpServletRequest.setParameter("client_secret", "secret");
            mockHttpServletRequest.setParameter("grant_type", OAuth20GrantTypes.CLIENT_CREDENTIALS.getType());
            mockHttpServletRequest.setParameter("code", addCode.getId());
            MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
            this.requiresAuthenticationInterceptor.preHandle(mockHttpServletRequest, mockHttpServletResponse, (Object) null);
            ModelAndView handleRequest = this.accessTokenController.handleRequest(mockHttpServletRequest, mockHttpServletResponse);
            Assertions.assertEquals(400, mockHttpServletResponse.getStatus());
            Assertions.assertEquals("invalid_grant", handleRequest.getModel().get("error"));
        }

        @Test
        void verifyClientNoClientSecret() throws Throwable {
            Principal createPrincipal = createPrincipal();
            OAuthRegisteredService addRegisteredService = addRegisteredService(CollectionUtils.wrapSet(OAuth20GrantTypes.AUTHORIZATION_CODE));
            OAuth20Code addCode = addCode(createPrincipal, addRegisteredService);
            MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest(HttpMethod.GET.name(), "/oauth2.0/accessToken");
            mockHttpServletRequest.setParameter("client_id", addRegisteredService.getClientId());
            mockHttpServletRequest.setParameter("redirect_uri", AbstractOAuth20Tests.REDIRECT_URI);
            mockHttpServletRequest.setParameter("grant_type", OAuth20GrantTypes.AUTHORIZATION_CODE.name().toLowerCase(Locale.ENGLISH));
            mockHttpServletRequest.setParameter("code", addCode.getId());
            MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
            this.requiresAuthenticationInterceptor.preHandle(mockHttpServletRequest, mockHttpServletResponse, (Object) null);
            ModelAndView handleRequest = this.accessTokenController.handleRequest(mockHttpServletRequest, mockHttpServletResponse);
            Assertions.assertEquals(401, mockHttpServletResponse.getStatus());
            Assertions.assertEquals("invalid_grant", handleRequest.getModel().get("error"));
        }

        @Test
        void verifyClientNoCode() throws Throwable {
            Principal createPrincipal = createPrincipal();
            OAuthRegisteredService addRegisteredService = addRegisteredService(CollectionUtils.wrapSet(OAuth20GrantTypes.AUTHORIZATION_CODE));
            MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest(HttpMethod.GET.name(), "/oauth2.0/accessToken");
            mockHttpServletRequest.setParameter("client_id", addRegisteredService.getClientId());
            mockHttpServletRequest.setParameter("redirect_uri", AbstractOAuth20Tests.REDIRECT_URI);
            mockHttpServletRequest.setParameter("client_secret", "secret");
            mockHttpServletRequest.setParameter("grant_type", OAuth20GrantTypes.AUTHORIZATION_CODE.name().toLowerCase(Locale.ENGLISH));
            addCode(createPrincipal, addRegisteredService);
            MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
            this.requiresAuthenticationInterceptor.preHandle(mockHttpServletRequest, mockHttpServletResponse, (Object) null);
            ModelAndView handleRequest = this.accessTokenController.handleRequest(mockHttpServletRequest, mockHttpServletResponse);
            Assertions.assertEquals(400, mockHttpServletResponse.getStatus());
            Assertions.assertEquals("invalid_grant", handleRequest.getModel().get("error"));
        }

        @MethodSource({"getParameters"})
        @ParameterizedTest
        void verifyClientNoCasService(OAuthRegisteredService oAuthRegisteredService) throws Throwable {
            MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest(HttpMethod.GET.name(), "/oauth2.0/accessToken");
            mockHttpServletRequest.setParameter("client_id", oAuthRegisteredService.getClientId());
            mockHttpServletRequest.setParameter("redirect_uri", AbstractOAuth20Tests.REDIRECT_URI);
            mockHttpServletRequest.setParameter("client_secret", "secret");
            mockHttpServletRequest.setParameter("grant_type", OAuth20GrantTypes.AUTHORIZATION_CODE.name().toLowerCase(Locale.ENGLISH));
            mockHttpServletRequest.setParameter("code", addCode(createPrincipal(), oAuthRegisteredService).getId());
            MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
            this.requiresAuthenticationInterceptor.preHandle(mockHttpServletRequest, mockHttpServletResponse, (Object) null);
            ModelAndView handleRequest = this.accessTokenController.handleRequest(mockHttpServletRequest, mockHttpServletResponse);
            Assertions.assertEquals(401, mockHttpServletResponse.getStatus());
            Assertions.assertEquals("invalid_grant", handleRequest.getModel().get("error"));
        }

        @MethodSource({"getParameters"})
        @ParameterizedTest
        void verifyClientRedirectUriDoesNotStartWithServiceId(OAuthRegisteredService oAuthRegisteredService) throws Throwable {
            Principal createPrincipal = createPrincipal();
            this.servicesManager.save(oAuthRegisteredService);
            OAuth20Code addCode = addCode(createPrincipal, oAuthRegisteredService);
            MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest(HttpMethod.GET.name(), "/oauth2.0/accessToken");
            mockHttpServletRequest.setParameter("client_id", oAuthRegisteredService.getClientId());
            mockHttpServletRequest.setParameter("redirect_uri", AbstractOAuth20Tests.OTHER_REDIRECT_URI);
            mockHttpServletRequest.setParameter("client_secret", "secret");
            mockHttpServletRequest.setParameter("grant_type", OAuth20GrantTypes.AUTHORIZATION_CODE.name().toLowerCase(Locale.ENGLISH));
            mockHttpServletRequest.setParameter("code", addCode.getId());
            MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
            this.requiresAuthenticationInterceptor.preHandle(mockHttpServletRequest, mockHttpServletResponse, (Object) null);
            ModelAndView handleRequest = this.accessTokenController.handleRequest(mockHttpServletRequest, mockHttpServletResponse);
            Assertions.assertEquals(400, mockHttpServletResponse.getStatus());
            Assertions.assertEquals("invalid_grant", handleRequest.getModel().get("error"));
        }

        @MethodSource({"getParameters"})
        @ParameterizedTest
        void verifyClientWrongSecret(OAuthRegisteredService oAuthRegisteredService) throws Throwable {
            Principal createPrincipal = createPrincipal();
            this.servicesManager.save(oAuthRegisteredService);
            OAuth20Code addCode = addCode(createPrincipal, oAuthRegisteredService);
            MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest(HttpMethod.GET.name(), "/oauth2.0/accessToken");
            mockHttpServletRequest.setParameter("client_id", oAuthRegisteredService.getClientId());
            mockHttpServletRequest.setParameter("redirect_uri", AbstractOAuth20Tests.REDIRECT_URI);
            mockHttpServletRequest.setParameter("client_secret", AbstractOAuth20Tests.WRONG_CLIENT_SECRET);
            mockHttpServletRequest.setParameter("grant_type", OAuth20GrantTypes.AUTHORIZATION_CODE.name().toLowerCase(Locale.ENGLISH));
            mockHttpServletRequest.setParameter("code", addCode.getId());
            MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
            this.requiresAuthenticationInterceptor.preHandle(mockHttpServletRequest, mockHttpServletResponse, (Object) null);
            ModelAndView handleRequest = this.accessTokenController.handleRequest(mockHttpServletRequest, mockHttpServletResponse);
            Assertions.assertEquals(401, mockHttpServletResponse.getStatus());
            Assertions.assertEquals("invalid_grant", handleRequest.getModel().get("error"));
        }

        @Test
        void verifyClientEmptySecret() throws Throwable {
            Principal createPrincipal = createPrincipal();
            OAuthRegisteredService addRegisteredService = addRegisteredService(CollectionUtils.wrapSet(OAuth20GrantTypes.AUTHORIZATION_CODE), "");
            OAuth20Code addCode = addCode(createPrincipal, addRegisteredService);
            MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest(HttpMethod.GET.name(), "/oauth2.0/accessToken");
            mockHttpServletRequest.setParameter("client_id", addRegisteredService.getClientId());
            mockHttpServletRequest.setParameter("redirect_uri", AbstractOAuth20Tests.REDIRECT_URI);
            mockHttpServletRequest.setParameter("client_secret", "");
            mockHttpServletRequest.setParameter("grant_type", OAuth20GrantTypes.AUTHORIZATION_CODE.name().toLowerCase(Locale.ENGLISH));
            mockHttpServletRequest.setParameter("code", addCode.getId());
            MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
            this.requiresAuthenticationInterceptor.preHandle(mockHttpServletRequest, mockHttpServletResponse, (Object) null);
            ModelAndView handleRequest = this.accessTokenController.handleRequest(mockHttpServletRequest, mockHttpServletResponse);
            Assertions.assertEquals(200, mockHttpServletResponse.getStatus());
            Assertions.assertTrue(handleRequest.getModel().containsKey("access_token"));
        }

        @Test
        void verifyPKCECodeVerifier() throws Throwable {
            Principal createPrincipal = createPrincipal();
            OAuthRegisteredService addRegisteredService = addRegisteredService(CollectionUtils.wrapSet(OAuth20GrantTypes.AUTHORIZATION_CODE), "secret");
            OAuth20Code addCodeWithChallenge = addCodeWithChallenge(createPrincipal, addRegisteredService, AbstractOAuth20Tests.CODE_CHALLENGE, AbstractOAuth20Tests.CODE_CHALLENGE_METHOD_PLAIN);
            MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest(HttpMethod.GET.name(), "/oauth2.0/accessToken");
            mockHttpServletRequest.setParameter("client_id", addRegisteredService.getClientId());
            mockHttpServletRequest.setParameter("redirect_uri", AbstractOAuth20Tests.REDIRECT_URI);
            mockHttpServletRequest.setParameter("client_secret", "secret");
            mockHttpServletRequest.setParameter("code_verifier", AbstractOAuth20Tests.CODE_CHALLENGE);
            mockHttpServletRequest.setParameter("grant_type", OAuth20GrantTypes.AUTHORIZATION_CODE.name().toLowerCase(Locale.ENGLISH));
            mockHttpServletRequest.setParameter("code", addCodeWithChallenge.getId());
            MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
            this.requiresAuthenticationInterceptor.preHandle(mockHttpServletRequest, mockHttpServletResponse, (Object) null);
            ModelAndView handleRequest = this.accessTokenController.handleRequest(mockHttpServletRequest, mockHttpServletResponse);
            Assertions.assertEquals(200, mockHttpServletResponse.getStatus());
            Assertions.assertTrue(handleRequest.getModel().containsKey("access_token"));
        }

        @MethodSource({"getParameters"})
        @ParameterizedTest
        void verifyPKCEInvalidCodeVerifier(OAuthRegisteredService oAuthRegisteredService) throws Throwable {
            Principal createPrincipal = createPrincipal();
            this.servicesManager.save(oAuthRegisteredService);
            OAuth20Code addCodeWithChallenge = addCodeWithChallenge(createPrincipal, oAuthRegisteredService, AbstractOAuth20Tests.CODE_CHALLENGE, AbstractOAuth20Tests.CODE_CHALLENGE_METHOD_PLAIN);
            MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest(HttpMethod.GET.name(), "/oauth2.0/accessToken");
            mockHttpServletRequest.setParameter("client_id", oAuthRegisteredService.getClientId());
            mockHttpServletRequest.setParameter("redirect_uri", AbstractOAuth20Tests.REDIRECT_URI);
            mockHttpServletRequest.setParameter("client_secret", "secret");
            mockHttpServletRequest.setParameter("code_verifier", "invalidcode");
            mockHttpServletRequest.setParameter("grant_type", OAuth20GrantTypes.AUTHORIZATION_CODE.name().toLowerCase(Locale.ENGLISH));
            mockHttpServletRequest.setParameter("code", addCodeWithChallenge.getId());
            MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
            this.requiresAuthenticationInterceptor.preHandle(mockHttpServletRequest, mockHttpServletResponse, (Object) null);
            ModelAndView handleRequest = this.accessTokenController.handleRequest(mockHttpServletRequest, mockHttpServletResponse);
            Assertions.assertEquals(401, mockHttpServletResponse.getStatus());
            Assertions.assertEquals("invalid_grant", handleRequest.getModel().get("error"));
        }

        @Test
        void verifyPKCEEmptySecret() throws Throwable {
            Principal createPrincipal = createPrincipal();
            OAuthRegisteredService addRegisteredService = addRegisteredService(CollectionUtils.wrapSet(OAuth20GrantTypes.AUTHORIZATION_CODE), "");
            OAuth20Code addCodeWithChallenge = addCodeWithChallenge(createPrincipal, addRegisteredService, AbstractOAuth20Tests.CODE_CHALLENGE, AbstractOAuth20Tests.CODE_CHALLENGE_METHOD_PLAIN);
            MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest(HttpMethod.GET.name(), "/oauth2.0/accessToken");
            mockHttpServletRequest.setParameter("client_id", addRegisteredService.getClientId());
            mockHttpServletRequest.setParameter("redirect_uri", AbstractOAuth20Tests.REDIRECT_URI);
            mockHttpServletRequest.setParameter("client_secret", "");
            mockHttpServletRequest.setParameter("code_verifier", AbstractOAuth20Tests.CODE_CHALLENGE);
            mockHttpServletRequest.setParameter("grant_type", OAuth20GrantTypes.AUTHORIZATION_CODE.name().toLowerCase(Locale.ENGLISH));
            mockHttpServletRequest.setParameter("code", addCodeWithChallenge.getId());
            MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
            this.requiresAuthenticationInterceptor.preHandle(mockHttpServletRequest, mockHttpServletResponse, (Object) null);
            ModelAndView handleRequest = this.accessTokenController.handleRequest(mockHttpServletRequest, mockHttpServletResponse);
            Assertions.assertEquals(200, mockHttpServletResponse.getStatus());
            Assertions.assertTrue(handleRequest.getModel().containsKey("access_token"));
        }

        @MethodSource({"getParameters"})
        @ParameterizedTest
        void verifyPKCEWrongSecret(OAuthRegisteredService oAuthRegisteredService) throws Throwable {
            MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest(HttpMethod.GET.name(), "/oauth2.0/accessToken");
            mockHttpServletRequest.setParameter("client_id", oAuthRegisteredService.getClientId());
            mockHttpServletRequest.setParameter("redirect_uri", AbstractOAuth20Tests.REDIRECT_URI);
            mockHttpServletRequest.setParameter("client_secret", AbstractOAuth20Tests.WRONG_CLIENT_SECRET);
            mockHttpServletRequest.setParameter("code_verifier", AbstractOAuth20Tests.CODE_CHALLENGE);
            mockHttpServletRequest.setParameter("grant_type", OAuth20GrantTypes.AUTHORIZATION_CODE.name().toLowerCase(Locale.ENGLISH));
            Principal createPrincipal = createPrincipal();
            this.servicesManager.save(oAuthRegisteredService);
            mockHttpServletRequest.setParameter("code", addCodeWithChallenge(createPrincipal, oAuthRegisteredService, AbstractOAuth20Tests.CODE_CHALLENGE, AbstractOAuth20Tests.CODE_CHALLENGE_METHOD_PLAIN).getId());
            MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
            this.requiresAuthenticationInterceptor.preHandle(mockHttpServletRequest, mockHttpServletResponse, (Object) null);
            ModelAndView handleRequest = this.accessTokenController.handleRequest(mockHttpServletRequest, mockHttpServletResponse);
            Assertions.assertEquals(401, mockHttpServletResponse.getStatus());
            Assertions.assertEquals("invalid_grant", handleRequest.getModel().get("error"));
        }

        @MethodSource({"getParameters"})
        @ParameterizedTest
        void verifyClientExpiredCode(OAuthRegisteredService oAuthRegisteredService) throws Throwable {
            this.servicesManager.save(oAuthRegisteredService);
            HashMap hashMap = new HashMap();
            hashMap.put(AbstractOAuth20Tests.NAME, List.of(AbstractOAuth20Tests.VALUE));
            hashMap.put(AbstractOAuth20Tests.NAME2, List.of(AbstractOAuth20Tests.VALUE, AbstractOAuth20Tests.VALUE));
            OAuth20Code create = new OAuth20DefaultOAuthCodeFactory(new DefaultUniqueTicketIdGenerator(), alwaysExpiresExpirationPolicyBuilder(), this.servicesManager, CipherExecutor.noOpOfStringToString(), this.descendantTicketsTrackingPolicy).create(new WebApplicationServiceFactory().createService(oAuthRegisteredService.getServiceId()), getAuthentication(CoreAuthenticationTestUtils.getPrincipal(AbstractOAuth20Tests.ID, hashMap)), new MockTicketGrantingTicket(AbstractOAuth20Tests.ID), new ArrayList(), (String) null, (String) null, oAuthRegisteredService.getClientId(), new HashMap(), OAuth20ResponseTypes.CODE, OAuth20GrantTypes.AUTHORIZATION_CODE);
            this.ticketRegistry.addTicket(create);
            MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest(HttpMethod.GET.name(), "/oauth2.0/accessToken");
            mockHttpServletRequest.setParameter("client_id", oAuthRegisteredService.getClientId());
            mockHttpServletRequest.setParameter("redirect_uri", AbstractOAuth20Tests.REDIRECT_URI);
            mockHttpServletRequest.setParameter("client_secret", "secret");
            mockHttpServletRequest.setParameter("code", create.getId());
            mockHttpServletRequest.setParameter("grant_type", OAuth20GrantTypes.AUTHORIZATION_CODE.name().toLowerCase(Locale.ENGLISH));
            MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
            this.requiresAuthenticationInterceptor.preHandle(mockHttpServletRequest, mockHttpServletResponse, (Object) null);
            ModelAndView handleRequest = this.accessTokenController.handleRequest(mockHttpServletRequest, mockHttpServletResponse);
            Assertions.assertEquals(400, mockHttpServletResponse.getStatus());
            Assertions.assertEquals("invalid_grant", handleRequest.getModel().get("error"));
        }

        @MethodSource({"getParameters"})
        @ParameterizedTest
        void verifyClientAuthByParameter(OAuthRegisteredService oAuthRegisteredService) throws Throwable {
            this.servicesManager.save(oAuthRegisteredService);
            assertClientOK(oAuthRegisteredService, false);
        }

        @MethodSource({"getParameters"})
        @ParameterizedTest
        void verifyClientAuthWithJwtAccessToken(OAuthRegisteredService oAuthRegisteredService) throws Throwable {
            oAuthRegisteredService.setJwtAccessToken(true);
            this.servicesManager.save(oAuthRegisteredService);
            assertClientOK(oAuthRegisteredService, false);
        }

        @Test
        void verifyDeviceFlowGeneratesCode() throws Throwable {
            OAuthRegisteredService addRegisteredService = addRegisteredService();
            MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest(HttpMethod.GET.name(), "/oauth2.0/accessToken");
            mockHttpServletRequest.setParameter("client_id", addRegisteredService.getClientId());
            mockHttpServletRequest.setParameter("response_type", OAuth20ResponseTypes.DEVICE_CODE.getType());
            MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
            CommonProfile commonProfile = new CommonProfile();
            commonProfile.setId("testuser");
            new ProfileManager(new JEEContext(mockHttpServletRequest, mockHttpServletResponse), this.oauthDistributedSessionStore).save(true, commonProfile, false);
            this.requiresAuthenticationInterceptor.preHandle(mockHttpServletRequest, mockHttpServletResponse, (Object) null);
            Map model = this.accessTokenController.handleRequest(mockHttpServletRequest, mockHttpServletResponse).getModel();
            Assertions.assertTrue(model.containsKey("device_code"));
            Assertions.assertTrue(model.containsKey("verification_uri"));
            Assertions.assertTrue(model.containsKey("user_code"));
            Assertions.assertTrue(model.containsKey("interval"));
            Assertions.assertTrue(model.containsKey("expires_in"));
            String obj = model.get("device_code").toString();
            String obj2 = model.get("user_code").toString();
            MockHttpServletRequest mockHttpServletRequest2 = new MockHttpServletRequest(HttpMethod.GET.name(), "/oauth2.0/device");
            mockHttpServletRequest2.setParameter("usercode", obj2);
            ModelAndView handlePostRequest = this.deviceController.handlePostRequest(mockHttpServletRequest2, new MockHttpServletResponse());
            Assertions.assertNotNull(handlePostRequest);
            HttpStatusCode status = handlePostRequest.getStatus();
            Assertions.assertNotNull(status);
            Assertions.assertTrue(status.is2xxSuccessful());
            mockHttpServletRequest.setParameter("client_id", addRegisteredService.getClientId());
            mockHttpServletRequest.setParameter("response_type", OAuth20ResponseTypes.DEVICE_CODE.getType());
            mockHttpServletRequest.setParameter("device_code", obj);
            MockHttpServletResponse mockHttpServletResponse2 = new MockHttpServletResponse();
            this.requiresAuthenticationInterceptor.preHandle(mockHttpServletRequest, mockHttpServletResponse2, (Object) null);
            ModelAndView handleGetRequest = this.accessTokenController.handleGetRequest(mockHttpServletRequest, mockHttpServletResponse2);
            Assertions.assertTrue(handleGetRequest.getModel().containsKey("access_token"));
            Assertions.assertEquals(Long.valueOf(getDefaultAccessTokenExpiration()), handleGetRequest.getModel().get("expires_in"));
            Assertions.assertTrue(handleGetRequest.getModel().containsKey("token_type"));
        }

        @MethodSource({"getParameters"})
        @ParameterizedTest
        void verifyClientAuthByHeader(OAuthRegisteredService oAuthRegisteredService) throws Throwable {
            this.servicesManager.save(oAuthRegisteredService);
            assertClientOK(oAuthRegisteredService, false);
        }

        @Test
        void verifyClientAuthByParameterWithRefreshToken() throws Throwable {
            OAuthRegisteredService addRegisteredService = addRegisteredService(Set.of(OAuth20GrantTypes.AUTHORIZATION_CODE), randomServiceUrl());
            addRegisteredService.setGenerateRefreshToken(true);
            assertClientOK(addRegisteredService, true);
        }

        @Test
        void verifyClientAuthByHeaderWithRefreshToken() throws Throwable {
            OAuthRegisteredService addRegisteredService = addRegisteredService(Set.of(OAuth20GrantTypes.AUTHORIZATION_CODE), randomServiceUrl());
            addRegisteredService.setGenerateRefreshToken(true);
            assertClientOK(addRegisteredService, true);
        }

        @Test
        void verifyClientAuthJsonByParameterWithRefreshToken() throws Throwable {
            OAuthRegisteredService addRegisteredService = addRegisteredService(Set.of(OAuth20GrantTypes.AUTHORIZATION_CODE), randomServiceUrl());
            addRegisteredService.setGenerateRefreshToken(true);
            assertClientOK(addRegisteredService, true);
        }

        @Test
        void verifyClientAuthJsonByHeaderWithRefreshToken() throws Throwable {
            OAuthRegisteredService addRegisteredService = addRegisteredService(Set.of(OAuth20GrantTypes.AUTHORIZATION_CODE), randomServiceUrl());
            addRegisteredService.setGenerateRefreshToken(true);
            assertClientOK(addRegisteredService, true);
        }

        @Test
        void ensureOnlyRefreshTokenIsAcceptedForRefreshGrant() throws Throwable {
            OAuthRegisteredService addRegisteredService = addRegisteredService(true, CollectionUtils.wrapSet(new OAuth20GrantTypes[]{OAuth20GrantTypes.PASSWORD, OAuth20GrantTypes.REFRESH_TOKEN}));
            MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest(HttpMethod.GET.name(), "/oauth2.0/accessToken");
            mockHttpServletRequest.setSession(new MockHttpSession());
            mockHttpServletRequest.setParameter("grant_type", OAuth20GrantTypes.PASSWORD.name().toLowerCase(Locale.ENGLISH));
            mockHttpServletRequest.setParameter(AbstractOAuth20Tests.USERNAME, "test");
            mockHttpServletRequest.setParameter(AbstractOAuth20Tests.PASSWORD, "test");
            mockHttpServletRequest.setParameter("client_id", addRegisteredService.getClientId());
            mockHttpServletRequest.setParameter("client_secret", "secret");
            MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
            this.requiresAuthenticationInterceptor.preHandle(mockHttpServletRequest, mockHttpServletResponse, (Object) null);
            ModelAndView handleRequest = this.accessTokenController.handleRequest(mockHttpServletRequest, mockHttpServletResponse);
            Assertions.assertTrue(handleRequest.getModel().containsKey("refresh_token"));
            Assertions.assertTrue(handleRequest.getModel().containsKey("access_token"));
            String obj = handleRequest.getModel().get("refresh_token").toString();
            String obj2 = handleRequest.getModel().get("access_token").toString();
            mockHttpServletRequest.setParameter("grant_type", OAuth20GrantTypes.REFRESH_TOKEN.name().toLowerCase(Locale.ENGLISH));
            mockHttpServletRequest.setParameter("client_secret", "secret");
            mockHttpServletRequest.setParameter("refresh_token", obj2);
            MockHttpServletResponse mockHttpServletResponse2 = new MockHttpServletResponse();
            this.accessTokenController.handleRequest(mockHttpServletRequest, mockHttpServletResponse2);
            Assertions.assertEquals(400, mockHttpServletResponse2.getStatus());
            mockHttpServletRequest.setParameter("refresh_token", obj);
            MockHttpServletResponse mockHttpServletResponse3 = new MockHttpServletResponse();
            ModelAndView handleRequest2 = this.accessTokenController.handleRequest(mockHttpServletRequest, mockHttpServletResponse3);
            Assertions.assertEquals(200, mockHttpServletResponse3.getStatus());
            Assertions.assertTrue(handleRequest2.getModel().containsKey("access_token"));
        }

        @Test
        void verifyUserNoClientId() throws Throwable {
            addRegisteredService(CollectionUtils.wrapSet(OAuth20GrantTypes.PASSWORD));
            MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest(HttpMethod.GET.name(), "/oauth2.0/accessToken");
            mockHttpServletRequest.setParameter("grant_type", OAuth20GrantTypes.PASSWORD.name().toLowerCase(Locale.ENGLISH));
            mockHttpServletRequest.setParameter(AbstractOAuth20Tests.USERNAME, "test");
            mockHttpServletRequest.setParameter(AbstractOAuth20Tests.PASSWORD, "test");
            MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
            this.requiresAuthenticationInterceptor.preHandle(mockHttpServletRequest, mockHttpServletResponse, (Object) null);
            ModelAndView handleRequest = this.accessTokenController.handleRequest(mockHttpServletRequest, mockHttpServletResponse);
            Assertions.assertEquals(401, mockHttpServletResponse.getStatus());
            Assertions.assertEquals("invalid_grant", handleRequest.getModel().get("error"));
        }

        @Test
        void verifyUserNoCasService() throws Throwable {
            MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest(HttpMethod.GET.name(), "/oauth2.0/accessToken");
            mockHttpServletRequest.setParameter("client_id", "unknown-client-id");
            mockHttpServletRequest.setParameter("grant_type", OAuth20GrantTypes.PASSWORD.name().toLowerCase(Locale.ENGLISH));
            mockHttpServletRequest.setParameter(AbstractOAuth20Tests.USERNAME, "test");
            mockHttpServletRequest.setParameter(AbstractOAuth20Tests.PASSWORD, "test");
            MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
            this.requiresAuthenticationInterceptor.preHandle(mockHttpServletRequest, mockHttpServletResponse, (Object) null);
            ModelAndView handleRequest = this.accessTokenController.handleRequest(mockHttpServletRequest, mockHttpServletResponse);
            Assertions.assertEquals(401, mockHttpServletResponse.getStatus());
            Assertions.assertEquals("invalid_grant", handleRequest.getModel().get("error"));
        }

        @Test
        void verifyUserBadAuthorizationCode() throws Throwable {
            OAuthRegisteredService addRegisteredService = addRegisteredService(Set.of(OAuth20GrantTypes.AUTHORIZATION_CODE), UUID.randomUUID().toString(), randomServiceUrl());
            MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest(HttpMethod.GET.name(), "/oauth2.0/accessToken");
            mockHttpServletRequest.setParameter("client_id", addRegisteredService.getClientId());
            mockHttpServletRequest.setParameter("client_secret", addRegisteredService.getClientSecret());
            mockHttpServletRequest.setParameter("grant_type", OAuth20GrantTypes.AUTHORIZATION_CODE.name().toLowerCase(Locale.ENGLISH));
            mockHttpServletRequest.setParameter(AbstractOAuth20Tests.USERNAME, "test");
            mockHttpServletRequest.setParameter(AbstractOAuth20Tests.PASSWORD, "test");
            MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
            this.requiresAuthenticationInterceptor.preHandle(mockHttpServletRequest, mockHttpServletResponse, (Object) null);
            ModelAndView handleRequest = this.accessTokenController.handleRequest(mockHttpServletRequest, mockHttpServletResponse);
            Assertions.assertEquals(400, mockHttpServletResponse.getStatus());
            Assertions.assertEquals("invalid_grant", handleRequest.getModel().get("error"));
        }

        @Test
        void verifyUserBadCredentials() throws Throwable {
            OAuthRegisteredService addRegisteredService = addRegisteredService(Set.of(OAuth20GrantTypes.PASSWORD), UUID.randomUUID().toString(), randomServiceUrl());
            MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest(HttpMethod.GET.name(), "/oauth2.0/accessToken");
            mockHttpServletRequest.setParameter("client_id", addRegisteredService.getClientId());
            mockHttpServletRequest.setParameter("grant_type", OAuth20GrantTypes.PASSWORD.name().toLowerCase(Locale.ENGLISH));
            mockHttpServletRequest.setParameter(AbstractOAuth20Tests.USERNAME, "test");
            mockHttpServletRequest.setParameter(AbstractOAuth20Tests.PASSWORD, "badPassword");
            MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
            this.requiresAuthenticationInterceptor.preHandle(mockHttpServletRequest, mockHttpServletResponse, (Object) null);
            ModelAndView handleRequest = this.accessTokenController.handleRequest(mockHttpServletRequest, mockHttpServletResponse);
            Assertions.assertEquals(401, mockHttpServletResponse.getStatus());
            Assertions.assertEquals("invalid_grant", handleRequest.getModel().get("error"));
        }

        @Test
        void verifyUserAuth() throws Throwable {
            assertUserAuth(false, true, addRegisteredService(CollectionUtils.wrapSet(OAuth20GrantTypes.PASSWORD)));
        }

        @Test
        void verifyUserAuthForServiceWithoutSecret() throws Throwable {
            assertUserAuth(false, false, addRegisteredService(CollectionUtils.wrapSet(OAuth20GrantTypes.PASSWORD), ""));
        }

        @Test
        void verifyUserAuthWithRefreshToken() throws Throwable {
            OAuthRegisteredService addRegisteredService = addRegisteredService(Set.of(OAuth20GrantTypes.PASSWORD), UUID.randomUUID().toString(), randomServiceUrl());
            addRegisteredService.setGenerateRefreshToken(true);
            assertUserAuth(true, true, addRegisteredService);
        }

        @Test
        void verifyJsonUserAuth() throws Throwable {
            assertUserAuth(false, true, addRegisteredService(Set.of(OAuth20GrantTypes.PASSWORD), UUID.randomUUID().toString(), randomServiceUrl()));
        }

        @Test
        void verifyJsonUserAuthWithRefreshToken() throws Throwable {
            OAuthRegisteredService addRegisteredService = addRegisteredService(Set.of(OAuth20GrantTypes.PASSWORD), UUID.randomUUID().toString(), randomServiceUrl());
            addRegisteredService.setGenerateRefreshToken(true);
            assertUserAuth(true, true, addRegisteredService);
        }

        @Test
        void verifyRefreshTokenExpiredToken() throws Throwable {
            Principal createPrincipal = createPrincipal();
            OAuthRegisteredService addRegisteredService = addRegisteredService(Set.of(OAuth20GrantTypes.REFRESH_TOKEN), UUID.randomUUID().toString(), randomServiceUrl());
            Authentication authentication = getAuthentication(createPrincipal);
            OAuth20RefreshToken create = new OAuth20DefaultRefreshTokenFactory(alwaysExpiresExpirationPolicyBuilder(), this.ticketRegistry, this.servicesManager, this.descendantTicketsTrackingPolicy, this.casProperties).create(new WebApplicationServiceFactory().createService(addRegisteredService.getServiceId()), authentication, new MockTicketGrantingTicket(AbstractOAuth20Tests.ID), new ArrayList(), addRegisteredService.getClientId(), "", new HashMap(), OAuth20ResponseTypes.CODE, OAuth20GrantTypes.AUTHORIZATION_CODE);
            this.ticketRegistry.addTicket(create);
            MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest(HttpMethod.GET.name(), "/oauth2.0/accessToken");
            mockHttpServletRequest.setParameter("grant_type", OAuth20GrantTypes.REFRESH_TOKEN.name().toLowerCase(Locale.ENGLISH));
            mockHttpServletRequest.setParameter("client_id", addRegisteredService.getClientId());
            mockHttpServletRequest.setParameter("client_secret", addRegisteredService.getClientSecret());
            mockHttpServletRequest.setParameter("refresh_token", create.getId());
            MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
            this.requiresAuthenticationInterceptor.preHandle(mockHttpServletRequest, mockHttpServletResponse, (Object) null);
            ModelAndView handleRequest = this.accessTokenController.handleRequest(mockHttpServletRequest, mockHttpServletResponse);
            Assertions.assertEquals(400, mockHttpServletResponse.getStatus());
            Assertions.assertEquals("invalid_grant", handleRequest.getModel().get("error"));
        }

        @Test
        void verifyRefreshTokenBadCredentials() throws Throwable {
            Principal createPrincipal = createPrincipal();
            OAuthRegisteredService addRegisteredService = addRegisteredService(Set.of(OAuth20GrantTypes.REFRESH_TOKEN), UUID.randomUUID().toString(), randomServiceUrl());
            OAuth20RefreshToken addRefreshToken = addRefreshToken(createPrincipal, addRegisteredService);
            MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest(HttpMethod.GET.name(), "/oauth2.0/accessToken");
            mockHttpServletRequest.setParameter("grant_type", OAuth20GrantTypes.REFRESH_TOKEN.name().toLowerCase(Locale.ENGLISH));
            mockHttpServletRequest.setParameter("client_id", addRegisteredService.getClientId());
            mockHttpServletRequest.setParameter("client_secret", AbstractOAuth20Tests.WRONG_CLIENT_SECRET);
            mockHttpServletRequest.setParameter("refresh_token", addRefreshToken.getId());
            MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
            this.requiresAuthenticationInterceptor.preHandle(mockHttpServletRequest, mockHttpServletResponse, (Object) null);
            ModelAndView handleRequest = this.accessTokenController.handleRequest(mockHttpServletRequest, mockHttpServletResponse);
            Assertions.assertEquals(401, mockHttpServletResponse.getStatus());
            Assertions.assertEquals("invalid_grant", handleRequest.getModel().get("error"));
        }

        @Test
        void verifyRefreshTokenEmptySecret() throws Throwable {
            Principal createPrincipal = createPrincipal();
            OAuthRegisteredService addRegisteredService = addRegisteredService(Set.of(OAuth20GrantTypes.REFRESH_TOKEN), UUID.randomUUID().toString(), "", randomServiceUrl());
            OAuth20RefreshToken addRefreshToken = addRefreshToken(createPrincipal, addRegisteredService);
            MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest(HttpMethod.GET.name(), "/oauth2.0/accessToken");
            mockHttpServletRequest.setParameter("grant_type", OAuth20GrantTypes.REFRESH_TOKEN.name().toLowerCase(Locale.ENGLISH));
            mockHttpServletRequest.setParameter("client_id", addRegisteredService.getClientId());
            mockHttpServletRequest.setParameter("client_secret", "");
            mockHttpServletRequest.setParameter("refresh_token", addRefreshToken.getId());
            MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
            this.requiresAuthenticationInterceptor.preHandle(mockHttpServletRequest, mockHttpServletResponse, (Object) null);
            ModelAndView handleRequest = this.accessTokenController.handleRequest(mockHttpServletRequest, mockHttpServletResponse);
            Assertions.assertEquals(200, mockHttpServletResponse.getStatus());
            Assertions.assertTrue(handleRequest.getModel().containsKey("access_token"));
        }

        @Test
        void verifyRefreshTokenMissingToken() throws Throwable {
            OAuthRegisteredService addRegisteredService = addRegisteredService(Set.of(OAuth20GrantTypes.REFRESH_TOKEN), UUID.randomUUID().toString(), randomServiceUrl());
            MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest(HttpMethod.GET.name(), "/oauth2.0/accessToken");
            mockHttpServletRequest.setParameter("grant_type", OAuth20GrantTypes.REFRESH_TOKEN.name().toLowerCase(Locale.ENGLISH));
            mockHttpServletRequest.setParameter("client_id", addRegisteredService.getClientId());
            mockHttpServletRequest.setParameter("client_secret", addRegisteredService.getClientSecret());
            MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
            this.requiresAuthenticationInterceptor.preHandle(mockHttpServletRequest, mockHttpServletResponse, (Object) null);
            ModelAndView handleRequest = this.accessTokenController.handleRequest(mockHttpServletRequest, mockHttpServletResponse);
            Assertions.assertEquals(400, mockHttpServletResponse.getStatus());
            Assertions.assertEquals("invalid_grant", handleRequest.getModel().get("error"));
        }

        @Test
        void verifyRefreshTokenOKWithExpiredTicketGrantingTicket() throws Throwable {
            Principal createPrincipal = createPrincipal();
            OAuthRegisteredService addRegisteredService = addRegisteredService(Set.of(OAuth20GrantTypes.REFRESH_TOKEN), UUID.randomUUID().toString(), randomServiceUrl());
            OAuth20RefreshToken addRefreshToken = addRefreshToken(createPrincipal, addRegisteredService);
            addRefreshToken.getTicketGrantingTicket().markTicketExpired();
            MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest(HttpMethod.GET.name(), "/oauth2.0/accessToken");
            mockHttpServletRequest.setParameter("grant_type", OAuth20GrantTypes.REFRESH_TOKEN.name().toLowerCase(Locale.ENGLISH));
            mockHttpServletRequest.setParameter("client_id", addRegisteredService.getClientId());
            mockHttpServletRequest.setParameter("client_secret", addRegisteredService.getClientSecret());
            mockHttpServletRequest.setParameter("refresh_token", addRefreshToken.getId());
            MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
            this.requiresAuthenticationInterceptor.preHandle(mockHttpServletRequest, mockHttpServletResponse, (Object) null);
            ModelAndView handleRequest = this.accessTokenController.handleRequest(mockHttpServletRequest, mockHttpServletResponse);
            Assertions.assertEquals(200, mockHttpServletResponse.getStatus());
            Assertions.assertEquals(createPrincipal, this.ticketRegistry.getTicket(handleRequest.getModel().get("access_token").toString(), OAuth20AccessToken.class).getAuthentication().getPrincipal());
            Assertions.assertTrue(Integer.parseInt(handleRequest.getModel().get("expires_in").toString()) >= 7188);
        }

        @Test
        void verifyRefreshTokenOK() throws Throwable {
            assertRefreshTokenOk(addRegisteredService(Set.of(OAuth20GrantTypes.REFRESH_TOKEN), UUID.randomUUID().toString(), randomServiceUrl()));
        }

        @Test
        void verifyRefreshTokenOKCustomizedWithNullAuthentication() throws Throwable {
            OAuthRegisteredService addRegisteredService = addRegisteredService(Set.of(OAuth20GrantTypes.REFRESH_TOKEN), UUID.randomUUID().toString(), randomServiceUrl());
            Principal createPrincipal = createPrincipal();
            OAuth20RefreshToken create = this.defaultRefreshTokenFactory.create(new WebApplicationServiceFactory().createService(addRegisteredService.getServiceId()), (Authentication) null, new MockTicketGrantingTicket(AbstractOAuth20Tests.ID), new ArrayList(), addRegisteredService.getClientId(), "", new HashMap(), OAuth20ResponseTypes.CODE, OAuth20GrantTypes.AUTHORIZATION_CODE);
            this.ticketRegistry.addTicket(create);
            assertRefreshTokenOk(addRegisteredService, create, createPrincipal);
        }

        @Test
        void verifyRefreshTokenOKWithRefreshToken() throws Throwable {
            OAuthRegisteredService addRegisteredService = addRegisteredService(Set.of(OAuth20GrantTypes.REFRESH_TOKEN), UUID.randomUUID().toString(), randomServiceUrl());
            addRegisteredService.setGenerateRefreshToken(true);
            addRegisteredService.setRenewRefreshToken(true);
            assertRefreshTokenOk(addRegisteredService);
        }

        @Test
        void verifyJsonRefreshTokenOK() throws Throwable {
            assertRefreshTokenOk(addRegisteredService(Set.of(OAuth20GrantTypes.REFRESH_TOKEN), UUID.randomUUID().toString(), randomServiceUrl()));
        }

        @Test
        void verifyJsonRefreshTokenOKWithRefreshToken() throws Throwable {
            OAuthRegisteredService addRegisteredService = addRegisteredService(Set.of(OAuth20GrantTypes.REFRESH_TOKEN), UUID.randomUUID().toString(), randomServiceUrl());
            addRegisteredService.setGenerateRefreshToken(true);
            addRegisteredService.setRenewRefreshToken(true);
            assertRefreshTokenOk(addRegisteredService);
        }

        @Test
        void verifyAccessTokenRequestWithRefreshTokenCannotExceedScopes() throws Throwable {
            OAuthRegisteredService addRegisteredService = addRegisteredService(Set.of(OAuth20GrantTypes.REFRESH_TOKEN), UUID.randomUUID().toString(), randomServiceUrl());
            OAuth20RefreshToken addRefreshTokenWithScope = addRefreshTokenWithScope(createPrincipal(), List.of("profile"), addRegisteredService);
            MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest(HttpMethod.GET.name(), "/oauth2.0/accessToken");
            mockHttpServletRequest.setParameter("grant_type", OAuth20GrantTypes.REFRESH_TOKEN.name().toLowerCase(Locale.ENGLISH));
            mockHttpServletRequest.setParameter("client_id", addRegisteredService.getClientId());
            mockHttpServletRequest.setParameter("client_secret", addRegisteredService.getClientSecret());
            mockHttpServletRequest.setParameter("refresh_token", addRefreshTokenWithScope.getId());
            mockHttpServletRequest.setParameter("scope", "email");
            MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
            this.requiresAuthenticationInterceptor.preHandle(mockHttpServletRequest, mockHttpServletResponse, (Object) null);
            ModelAndView handleRequest = this.accessTokenController.handleRequest(mockHttpServletRequest, mockHttpServletResponse);
            Assertions.assertEquals(400, mockHttpServletResponse.getStatus());
            Assertions.assertEquals("invalid_scope", handleRequest.getModel().get("error").toString());
        }

        @Test
        void verifyAccessTokenRequestWithRefreshTokenWithoutRequestingScopes() throws Throwable {
            OAuthRegisteredService addRegisteredService = addRegisteredService(CollectionUtils.wrapSet(OAuth20GrantTypes.REFRESH_TOKEN));
            Principal createPrincipal = createPrincipal();
            OAuth20RefreshToken addRefreshTokenWithScope = addRefreshTokenWithScope(createPrincipal, List.of("profile"), addRegisteredService);
            MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest(HttpMethod.GET.name(), "/oauth2.0/accessToken");
            mockHttpServletRequest.setParameter("grant_type", OAuth20GrantTypes.REFRESH_TOKEN.name().toLowerCase(Locale.ENGLISH));
            mockHttpServletRequest.setParameter("client_id", addRegisteredService.getClientId());
            mockHttpServletRequest.setParameter("client_secret", "secret");
            mockHttpServletRequest.setParameter("refresh_token", addRefreshTokenWithScope.getId());
            MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
            this.requiresAuthenticationInterceptor.preHandle(mockHttpServletRequest, mockHttpServletResponse, (Object) null);
            ModelAndView handleRequest = this.accessTokenController.handleRequest(mockHttpServletRequest, mockHttpServletResponse);
            Assertions.assertEquals(200, mockHttpServletResponse.getStatus());
            Assertions.assertTrue(handleRequest.getModel().containsKey("access_token"));
            if (addRegisteredService.isRenewRefreshToken()) {
                Assertions.assertTrue(handleRequest.getModel().containsKey("refresh_token"));
            } else {
                Assertions.assertFalse(handleRequest.getModel().containsKey("refresh_token"));
            }
            Assertions.assertNotNull(addRegisteredService.isRenewRefreshToken() ? (OAuth20RefreshToken) this.ticketRegistry.getTicket(handleRequest.getModel().get("refresh_token").toString(), OAuth20RefreshToken.class) : addRefreshTokenWithScope);
            Assertions.assertTrue(handleRequest.getModel().containsKey("expires_in"));
            Assertions.assertEquals(createPrincipal, this.ticketRegistry.getTicket(handleRequest.getModel().get("access_token").toString(), OAuth20AccessToken.class).getAuthentication().getPrincipal());
            Assertions.assertTrue(Integer.parseInt(handleRequest.getModel().get("expires_in").toString()) >= 7188);
        }

        private void assertUserAuth(boolean z, boolean z2, OAuthRegisteredService oAuthRegisteredService) throws Throwable {
            MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest(HttpMethod.GET.name(), "/oauth2.0/accessToken");
            mockHttpServletRequest.setParameter("client_id", oAuthRegisteredService.getClientId());
            if (z2) {
                mockHttpServletRequest.setParameter("client_secret", oAuthRegisteredService.getClientSecret());
            }
            mockHttpServletRequest.setParameter("grant_type", OAuth20GrantTypes.PASSWORD.name().toLowerCase(Locale.ENGLISH));
            mockHttpServletRequest.setParameter(AbstractOAuth20Tests.USERNAME, "test");
            mockHttpServletRequest.setParameter(AbstractOAuth20Tests.PASSWORD, "test");
            mockHttpServletRequest.addHeader("service", AbstractOAuth20Tests.REDIRECT_URI);
            MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
            this.requiresAuthenticationInterceptor.preHandle(mockHttpServletRequest, mockHttpServletResponse, (Object) null);
            ModelAndView handleRequest = this.accessTokenController.handleRequest(mockHttpServletRequest, mockHttpServletResponse);
            Assertions.assertEquals(200, mockHttpServletResponse.getStatus());
            Assertions.assertTrue(handleRequest.getModel().containsKey("access_token"));
            if (z) {
                Assertions.assertTrue(handleRequest.getModel().containsKey("refresh_token"));
            }
            Assertions.assertTrue(handleRequest.getModel().containsKey("expires_in"));
            Assertions.assertEquals("test", this.ticketRegistry.getTicket(handleRequest.getModel().get("access_token").toString(), OAuth20AccessToken.class).getAuthentication().getPrincipal().getId());
            Assertions.assertTrue(Integer.parseInt(handleRequest.getModel().get("expires_in").toString()) >= 7188);
        }

        private OAuth20RefreshToken addRefreshTokenWithScope(Principal principal, List<String> list, OAuthRegisteredService oAuthRegisteredService) throws Throwable {
            Authentication authentication = getAuthentication(principal);
            OAuth20RefreshToken create = this.defaultRefreshTokenFactory.create(new WebApplicationServiceFactory().createService(oAuthRegisteredService.getServiceId()), authentication, new MockTicketGrantingTicket(AbstractOAuth20Tests.ID), list, oAuthRegisteredService.getClientId(), "", new HashMap(), OAuth20ResponseTypes.CODE, OAuth20GrantTypes.AUTHORIZATION_CODE);
            this.ticketRegistry.addTicket(create);
            return create;
        }
    }

    @Nested
    @TestPropertySource(properties = {"cas.authn.oidc.discovery.scopes=openid,profile,create,email,read,update"})
    /* loaded from: input_file:org/apereo/cas/support/oauth/web/endpoints/OAuth20AccessTokenEndpointControllerTests$MvcTests.class */
    class MvcTests extends AbstractOAuth20Tests {
        private MockMvc mvc;

        MvcTests(OAuth20AccessTokenEndpointControllerTests oAuth20AccessTokenEndpointControllerTests) {
        }

        @BeforeEach
        public void setup() {
            this.mvc = MockMvcBuilders.webAppContextSetup(this.applicationContext).defaultRequest(MockMvcRequestBuilders.get("/", new Object[0]).contextPath("/cas").accept(new MediaType[]{MediaType.APPLICATION_JSON, MediaType.TEXT_PLAIN}).contentType(MediaType.APPLICATION_JSON)).build();
        }

        @Test
        void verifyClientCredentialsWithTlsEnabled() throws Throwable {
            OAuthRegisteredService registeredService = getRegisteredService(OAuth20GrantTypes.CLIENT_CREDENTIALS);
            registeredService.setTokenEndpointAuthenticationMethod(OAuth20ClientAuthenticationMethods.TLS_CLIENT_AUTH.getType());
            this.servicesManager.save(registeredService);
            this.mvc.perform(MockMvcRequestBuilders.post("/cas/oauth2.0/accessToken", new Object[0]).queryParam("client_id", new String[]{registeredService.getClientId()}).queryParam("grant_type", new String[]{OAuth20GrantTypes.CLIENT_CREDENTIALS.name()}).requestAttr("jakarta.servlet.request.X509Certificate", new X509Certificate[]{CertUtils.readCertificate(new ClassPathResource("RSA1024x509Cert.pem").getInputStream())})).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$.access_token", new Object[0]).exists()).andReturn();
        }

        @Test
        void verifyClientCredentialsWithTlsUnknown() throws Throwable {
            OAuthRegisteredService registeredService = getRegisteredService(OAuth20GrantTypes.CLIENT_CREDENTIALS);
            registeredService.setTokenEndpointAuthenticationMethod("unknown");
            this.servicesManager.save(registeredService);
            this.mvc.perform(MockMvcRequestBuilders.post("/cas/oauth2.0/accessToken", new Object[0]).queryParam("client_id", new String[]{registeredService.getClientId()}).queryParam("grant_type", new String[]{OAuth20GrantTypes.CLIENT_CREDENTIALS.name()}).requestAttr("jakarta.servlet.request.X509Certificate", new X509Certificate[]{CertUtils.readCertificate(new ClassPathResource("RSA1024x509Cert.pem").getInputStream())})).andExpect(MockMvcResultMatchers.status().isUnauthorized()).andExpect(MockMvcResultMatchers.jsonPath("$.access_token", new Object[0]).doesNotExist()).andReturn();
        }

        @Test
        void verifyX509ClientCredentialsFailsToPassIP() throws Throwable {
            OAuthRegisteredService registeredService = getRegisteredService(OAuth20GrantTypes.CLIENT_CREDENTIALS);
            registeredService.setJwtAccessToken(true);
            registeredService.setTokenEndpointAuthenticationMethod(OAuth20ClientAuthenticationMethods.TLS_CLIENT_AUTH.getType());
            registeredService.setTlsClientAuthSanIp("1.2.3.4");
            this.servicesManager.save(registeredService);
            this.mvc.perform(MockMvcRequestBuilders.post("/cas/oauth2.0/accessToken", new Object[0]).queryParam("client_id", new String[]{registeredService.getClientId()}).queryParam("grant_type", new String[]{OAuth20GrantTypes.CLIENT_CREDENTIALS.name()}).requestAttr("jakarta.servlet.request.X509Certificate", new X509Certificate[]{CertUtils.readCertificate(new ClassPathResource("RSA1024x509Cert.pem").getInputStream())})).andExpect(MockMvcResultMatchers.status().isUnauthorized()).andExpect(MockMvcResultMatchers.jsonPath("$.access_token", new Object[0]).doesNotExist());
        }

        @Test
        void verifyX509ClientCredentialsAsJWT() throws Throwable {
            OAuthRegisteredService registeredService = getRegisteredService(OAuth20GrantTypes.CLIENT_CREDENTIALS);
            registeredService.setJwtAccessToken(true);
            registeredService.setTokenEndpointAuthenticationMethod(OAuth20ClientAuthenticationMethods.TLS_CLIENT_AUTH.getType());
            this.servicesManager.save(registeredService);
            this.mvc.perform(MockMvcRequestBuilders.post("/cas/oauth2.0/introspect", new Object[0]).param("token", new String[]{this.mvc.perform(MockMvcRequestBuilders.post("/cas/oauth2.0/accessToken", new Object[0]).queryParam("client_id", new String[]{registeredService.getClientId()}).queryParam("grant_type", new String[]{OAuth20GrantTypes.CLIENT_CREDENTIALS.name()}).requestAttr("jakarta.servlet.request.X509Certificate", new X509Certificate[]{CertUtils.readCertificate(new ClassPathResource("RSA1024x509Cert.pem").getInputStream())})).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$.access_token", new Object[0]).exists()).andExpect(MockMvcResultMatchers.request().attribute("oauth.request.access-token", Boolean.TRUE)).andReturn().getModelAndView().getModel().get("access_token").toString()}).headers(HttpUtils.createBasicAuthHeaders(registeredService.getClientId(), registeredService.getClientSecret()))).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$.cnf.x5t#S256", new Object[0]).exists()).andReturn();
        }

        @Test
        void verifyClientCredentialsWithBasicAuth() throws Throwable {
            OAuthRegisteredService registeredService = getRegisteredService(OAuth20GrantTypes.CLIENT_CREDENTIALS);
            registeredService.setJwtAccessToken(true);
            registeredService.setTokenEndpointAuthenticationMethod(OAuth20ClientAuthenticationMethods.CLIENT_SECRET_BASIC.getType());
            this.servicesManager.save(registeredService);
            this.mvc.perform(MockMvcRequestBuilders.post("/cas/oauth2.0/accessToken", new Object[0]).headers(HttpUtils.createBasicAuthHeaders(registeredService.getClientId(), registeredService.getClientSecret())).queryParam("client_id", new String[]{registeredService.getClientId()}).queryParam("grant_type", new String[]{OAuth20GrantTypes.CLIENT_CREDENTIALS.name()})).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$.access_token", new Object[0]).exists()).andReturn();
        }

        @Test
        void verifyClientCredentialsWithFormPost() throws Throwable {
            OAuthRegisteredService registeredService = getRegisteredService(OAuth20GrantTypes.CLIENT_CREDENTIALS);
            registeredService.setJwtAccessToken(true);
            registeredService.setTokenEndpointAuthenticationMethod(OAuth20ClientAuthenticationMethods.CLIENT_SECRET_POST.getType());
            this.servicesManager.save(registeredService);
            this.mvc.perform(MockMvcRequestBuilders.post("/cas/oauth2.0/accessToken", new Object[0]).param("client_id", new String[]{registeredService.getClientId()}).param("client_secret", new String[]{registeredService.getClientSecret()}).queryParam("client_id", new String[]{registeredService.getClientId()}).queryParam("grant_type", new String[]{OAuth20GrantTypes.CLIENT_CREDENTIALS.name()})).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$.access_token", new Object[0]).exists()).andReturn();
        }

        @Test
        void verifyClientCredentialsUnauthorized() throws Throwable {
            OAuthRegisteredService registeredService = getRegisteredService(OAuth20GrantTypes.CLIENT_CREDENTIALS);
            registeredService.setJwtAccessToken(true);
            registeredService.setTokenEndpointAuthenticationMethod("authn_method_invalid");
            this.servicesManager.save(registeredService);
            this.mvc.perform(MockMvcRequestBuilders.post("/cas/oauth2.0/accessToken", new Object[0]).param("client_id", new String[]{registeredService.getClientId()}).param("client_secret", new String[]{registeredService.getClientSecret()}).queryParam("client_id", new String[]{registeredService.getClientId()}).queryParam("grant_type", new String[]{OAuth20GrantTypes.CLIENT_CREDENTIALS.name()})).andExpect(MockMvcResultMatchers.status().isUnauthorized()).andExpect(MockMvcResultMatchers.jsonPath("$.access_token", new Object[0]).doesNotExist()).andReturn();
        }

        @Test
        void verifyAccessTokenToAccessTokenExchange() throws Throwable {
            OAuthRegisteredService registeredService = getRegisteredService(UUID.randomUUID().toString(), OAuth20GrantTypes.TOKEN_EXCHANGE);
            OAuth20AccessToken accessToken = getAccessToken(registeredService.getServiceId(), registeredService.getClientId());
            registeredService.setScopes(Set.of("create", "update"));
            this.servicesManager.save(registeredService);
            this.ticketRegistry.addTicket(accessToken);
            this.mvc.perform(MockMvcRequestBuilders.post("/cas/oauth2.0/accessToken", new Object[0]).param("client_id", new String[]{registeredService.getClientId()}).param("client_secret", new String[]{registeredService.getClientSecret()}).queryParam("resource", new String[]{"https://api.example.org/%s".formatted(UUID.randomUUID().toString())}).queryParam("subject_token", new String[]{accessToken.getId()}).queryParam("subject_token_type", new String[]{OAuth20TokenExchangeTypes.ACCESS_TOKEN.getType()}).queryParam("requested_token_type", new String[]{OAuth20TokenExchangeTypes.ACCESS_TOKEN.getType()}).queryParam("grant_type", new String[]{OAuth20GrantTypes.TOKEN_EXCHANGE.getType()}).queryParam("scope", new String[]{"update"})).andExpect(MockMvcResultMatchers.jsonPath("$.scope", new Object[0]).value("update")).andExpect(MockMvcResultMatchers.jsonPath("$.access_token", new Object[0]).exists()).andExpect(MockMvcResultMatchers.jsonPath("$.issued_token_type", new Object[0]).value(OAuth20TokenExchangeTypes.ACCESS_TOKEN.getType()));
        }

        @Test
        void verifyAccessTokenToJWTExchange() throws Throwable {
            OAuthRegisteredService registeredService = getRegisteredService(UUID.randomUUID().toString(), OAuth20GrantTypes.TOKEN_EXCHANGE);
            OAuth20AccessToken accessToken = getAccessToken(registeredService.getServiceId(), registeredService.getClientId());
            registeredService.setScopes(Set.of("create", "update"));
            this.servicesManager.save(registeredService);
            this.ticketRegistry.addTicket(accessToken);
            this.mvc.perform(MockMvcRequestBuilders.post("/cas/oauth2.0/accessToken", new Object[0]).param("client_id", new String[]{registeredService.getClientId()}).param("client_secret", new String[]{registeredService.getClientSecret()}).queryParam("resource", new String[]{"https://api.example.org/%s".formatted(UUID.randomUUID().toString())}).queryParam("subject_token", new String[]{accessToken.getId()}).queryParam("subject_token_type", new String[]{OAuth20TokenExchangeTypes.ACCESS_TOKEN.getType()}).queryParam("requested_token_type", new String[]{OAuth20TokenExchangeTypes.JWT.getType()}).queryParam("grant_type", new String[]{OAuth20GrantTypes.TOKEN_EXCHANGE.getType()}).queryParam("scope", new String[]{"update"})).andExpect(MockMvcResultMatchers.jsonPath("$.scope", new Object[0]).value("update")).andExpect(MockMvcResultMatchers.jsonPath("$.access_token", new Object[0]).exists()).andExpect(MockMvcResultMatchers.jsonPath("$.issued_token_type", new Object[0]).value(OAuth20TokenExchangeTypes.JWT.getType()));
        }
    }

    OAuth20AccessTokenEndpointControllerTests() {
    }
}
