package org.apereo.cas.oidc.token;

import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.CoreAuthenticationTestUtils;
import org.apereo.cas.authentication.principal.WebApplicationServiceFactory;
import org.apereo.cas.configuration.model.support.mfa.MultifactorAuthenticationProperties;
import org.apereo.cas.oidc.AbstractOidcTests;
import org.apereo.cas.oidc.OidcConstants;
import org.apereo.cas.services.DefaultRegisteredServiceProperty;
import org.apereo.cas.services.OidcRegisteredService;
import org.apereo.cas.services.RegisteredServiceProperty;
import org.apereo.cas.services.RegisteredServiceTestUtils;
import org.apereo.cas.support.oauth.OAuth20ResponseTypes;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.support.oauth.util.OAuth20Utils;
import org.apereo.cas.support.oauth.web.response.accesstoken.OAuth20AccessTokenAtHashGenerator;
import org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20JwtAccessTokenEncoder;
import org.apereo.cas.ticket.TicketGrantingTicket;
import org.apereo.cas.ticket.accesstoken.OAuth20AccessToken;
import org.apereo.cas.util.CollectionUtils;
import org.jose4j.jwt.JwtClaims;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.RepeatedTest;
import org.junit.jupiter.api.RepetitionInfo;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;
import org.mockito.Mockito;
import org.pac4j.core.profile.CommonProfile;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.test.context.TestPropertySource;

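@Tag("OIDC")
@TestPropertySource(properties = {
    "cas.authn.oauth.access-token.crypto.encryption-enabled=false",
    "cas.authn.oidc.core.claims-map.preferred_username=custom-attribute"})
/**
 * Tests for the OIDC ID token generator.
 *
 * <p>The property source above switches off encryption of JWT access tokens for these
 * tests (so the {@code at_hash} comparison below runs over a signed or plain encoding only)
 * and maps the {@code preferred_username} claim onto {@code custom-attribute}.
 */
public class OidcIdTokenGeneratorServiceTests extends AbstractOidcTests {
    private static final String OIDC_CLAIM_EMAIL = "email";
    private static final String OIDC_CLAIM_PHONE_NUMBER = "phone_number";
    private static final String OIDC_CLAIM_NAME = "name";

    /** Client id of the OIDC relying party registered by the base test context. */
    private static final String CLIENT_ID = "clientid";
    /** Principal id used for both the pac4j profile and the CAS authentication. */
    private static final String PRINCIPAL_ID = "casuser";
    /** pac4j client name under which the profile is stored on the request. */
    private static final String PROFILE_CLIENT_NAME = "OIDC";
    /** Request attribute the generator reads pac4j profiles from. */
    private static final String PAC4J_PROFILES_ATTRIBUTE = "pac4jUserProfiles";
    /** ID token lifetime, in seconds, passed to the generator. */
    private static final long ID_TOKEN_TIMEOUT_SECONDS = 30L;

    /**
     * A plain OAuth (non-OIDC) registered service, used to check that the ID token
     * generator refuses service types it does not understand.
     */
    private static class MockOAuthRegisteredService extends OAuthRegisteredService {
        private static final long serialVersionUID = 8152953800891665827L;

        private MockOAuthRegisteredService() {
        }
    }

    /**
     * Builds a request that carries an authenticated pac4j profile for {@link #PRINCIPAL_ID},
     * stored under {@link #PAC4J_PROFILES_ATTRIBUTE} and keyed by the profile's client name.
     *
     * @return the mock request
     */
    private static MockHttpServletRequest requestWithAuthenticatedProfile() {
        CommonProfile profile = new CommonProfile();
        profile.setClientName(PROFILE_CLIENT_NAME);
        profile.setId(PRINCIPAL_ID);
        MockHttpServletRequest request = new MockHttpServletRequest();
        request.setAttribute(PAC4J_PROFILES_ATTRIBUTE,
            CollectionUtils.wrapLinkedHashMap(profile.getClientName(), profile));
        return request;
    }

    /**
     * Mocks a ticket-granting ticket with a fixed id that reports the given authentication.
     * Callers stub {@code getServices()} themselves, since that is what the tests vary.
     *
     * @param authentication the authentication the ticket should report
     * @return the mocked ticket
     */
    private static TicketGrantingTicket mockTicketGrantingTicket(final Authentication authentication) {
        TicketGrantingTicket ticketGrantingTicket = Mockito.mock(TicketGrantingTicket.class);
        Mockito.when(ticketGrantingTicket.getId()).thenReturn("TGT-0");
        Mockito.when(ticketGrantingTicket.getAuthentication()).thenReturn(authentication);
        return ticketGrantingTicket;
    }

    /**
     * Mocks an access token bound to the given authentication and ticket-granting ticket.
     * The token id is the test class name so it is recognisable in failure output.
     *
     * @param authentication       the authentication the token should report
     * @param ticketGrantingTicket the ticket the token should report as its parent
     * @return the mocked access token
     */
    private OAuth20AccessToken mockAccessToken(final Authentication authentication,
                                               final TicketGrantingTicket ticketGrantingTicket) {
        OAuth20AccessToken accessToken = Mockito.mock(OAuth20AccessToken.class);
        Mockito.when(accessToken.getAuthentication()).thenReturn(authentication);
        Mockito.when(accessToken.getTicketGrantingTicket()).thenReturn(ticketGrantingTicket);
        Mockito.when(accessToken.getId()).thenReturn(getClass().getSimpleName());
        return accessToken;
    }

    /**
     * Generates an ID token for a principal with email, phone and name attributes and checks
     * that the released claims match the principal's attributes after the token is decoded.
     */
    @Test
    public void verifyTokenGeneration() throws Exception {
        MockHttpServletRequest request = requestWithAuthenticatedProfile();
        MockHttpServletResponse response = new MockHttpServletResponse();

        List<String> phoneNumbers = List.of("123456789", "4805553241");
        Authentication authentication = CoreAuthenticationTestUtils.getAuthentication(
            RegisteredServiceTestUtils.getPrincipal(PRINCIPAL_ID,
                CollectionUtils.wrap(OIDC_CLAIM_EMAIL, List.of("casuser@example.org"),
                    OIDC_CLAIM_PHONE_NUMBER, phoneNumbers,
                    OIDC_CLAIM_NAME, List.of(PRINCIPAL_ID))),
            CollectionUtils.wrap("state", List.of("some-state"), "nonce", List.of("some-nonce")));

        TicketGrantingTicket ticketGrantingTicket = mockTicketGrantingTicket(authentication);
        // The ticket carries a service matching the OAuth callback URL; the
        // "without callback service" test below covers the empty case.
        Mockito.when(ticketGrantingTicket.getServices()).thenReturn(CollectionUtils.wrap("service",
            new WebApplicationServiceFactory().createService(
                this.casProperties.getServer().getPrefix() + "/oauth2.0/callbackAuthorize.*")));

        OAuth20AccessToken accessToken = mockAccessToken(authentication, ticketGrantingTicket);
        Mockito.when(accessToken.getScopes()).thenReturn(Set.of(
            OidcConstants.StandardScopes.OPENID.getScope(),
            OidcConstants.StandardScopes.PROFILE.getScope(),
            OidcConstants.StandardScopes.EMAIL.getScope(),
            OidcConstants.StandardScopes.PHONE.getScope()));

        OidcRegisteredService registeredService =
            OAuth20Utils.getRegisteredOAuthServiceByClientId(this.servicesManager, CLIENT_ID);
        registeredService.setScopes(CollectionUtils.wrapSet(
            OidcConstants.StandardScopes.EMAIL.getScope(),
            OidcConstants.StandardScopes.PROFILE.getScope(),
            OidcConstants.StandardScopes.PHONE.getScope()));

        String idToken = this.oidcIdTokenGenerator.generate(request, response, accessToken,
            ID_TOKEN_TIMEOUT_SECONDS, OAuth20ResponseTypes.CODE, registeredService);
        Assertions.assertNotNull(idToken);

        JwtClaims claims = this.oidcTokenSigningAndEncryptionService.decode(idToken, Optional.ofNullable(registeredService));
        Assertions.assertNotNull(claims);
        Assertions.assertTrue(claims.hasClaim(OIDC_CLAIM_EMAIL));
        Assertions.assertTrue(claims.hasClaim("auth_time"));
        Assertions.assertTrue(claims.hasClaim(OIDC_CLAIM_NAME));
        Assertions.assertTrue(claims.hasClaim(OIDC_CLAIM_PHONE_NUMBER));
        Assertions.assertEquals("casuser@example.org", claims.getStringClaimValue(OIDC_CLAIM_EMAIL));
        Assertions.assertEquals(PRINCIPAL_ID, claims.getStringClaimValue(OIDC_CLAIM_NAME));
        // Multi-valued attributes must be released as a JSON array, not collapsed to one value.
        Assertions.assertEquals(phoneNumbers, claims.getStringListClaimValue(OIDC_CLAIM_PHONE_NUMBER));
    }

    /**
     * Generates an ID token when the ticket-granting ticket has no services recorded and the
     * authentication carries MFA context and handler attributes; only non-null output is checked.
     */
    @Test
    public void verifyTokenGenerationWithoutCallbackService() {
        MockHttpServletRequest request = requestWithAuthenticatedProfile();
        MockHttpServletResponse response = new MockHttpServletResponse();

        MultifactorAuthenticationProperties mfa = this.casProperties.getAuthn().getMfa();
        Authentication authentication = CoreAuthenticationTestUtils.getAuthentication(PRINCIPAL_ID,
            CollectionUtils.wrap("state", List.of("some-state"),
                "nonce", List.of("some-nonce"),
                mfa.getCore().getAuthenticationContextAttribute(), List.of("context-cass"),
                "successfulAuthenticationHandlers", List.of("Handler1")));

        TicketGrantingTicket ticketGrantingTicket = mockTicketGrantingTicket(authentication);
        Mockito.when(ticketGrantingTicket.getServices()).thenReturn(new HashMap<>());
        OAuth20AccessToken accessToken = mockAccessToken(authentication, ticketGrantingTicket);

        Assertions.assertNotNull(this.oidcIdTokenGenerator.generate(request, response, accessToken,
            ID_TOKEN_TIMEOUT_SECONDS, OAuth20ResponseTypes.CODE,
            OAuth20Utils.getRegisteredOAuthServiceByClientId(this.servicesManager, CLIENT_ID)));
    }

    /**
     * A request without an authenticated pac4j profile must not yield an ID token.
     */
    @Test
    public void verifyTokenGenerationFailsWithoutProfile() {
        Assertions.assertThrows(IllegalArgumentException.class, () ->
            this.oidcIdTokenGenerator.generate(new MockHttpServletRequest(), new MockHttpServletResponse(),
                Mockito.mock(OAuth20AccessToken.class), ID_TOKEN_TIMEOUT_SECONDS, OAuth20ResponseTypes.CODE,
                OAuth20Utils.getRegisteredOAuthServiceByClientId(this.servicesManager, CLIENT_ID)));
    }

    /**
     * A registered service that is not an OIDC service must be rejected rather than issued an ID token.
     */
    @Test
    public void verifyUnknownServiceType() {
        Assertions.assertThrows(IllegalArgumentException.class, () ->
            this.oidcIdTokenGenerator.generate(new MockHttpServletRequest(), new MockHttpServletResponse(),
                Mockito.mock(OAuth20AccessToken.class), ID_TOKEN_TIMEOUT_SECONDS, OAuth20ResponseTypes.CODE,
                new MockOAuthRegisteredService()));
    }

    /**
     * Issues an ID token alongside a JWT-encoded access token and checks that the {@code at_hash}
     * claim equals the hash the at_hash generator computes over the encoded access token, which is
     * what binds the ID token to the access token issued with it.
     *
     * <p>Runs twice: repetition 1 has access-token signing enabled, repetition 2 disabled.
     * Encryption is disabled in both, so the two runs cover a signed and an unsigned encoding.
     *
     * @param repetitionInfo supplied by JUnit; selects the signing setting for this run
     */
    @RepeatedTest(2)
    public void verifyAccessTokenAsJwt(final RepetitionInfo repetitionInfo) throws Exception {
        MockHttpServletRequest request = requestWithAuthenticatedProfile();
        MockHttpServletResponse response = new MockHttpServletResponse();

        OAuth20AccessToken accessToken = getAccessToken();
        OidcRegisteredService registeredService = getOidcRegisteredService(accessToken.getClientId());
        registeredService.setJwtAccessToken(true);
        registeredService.setIdTokenSigningAlg("RS256");

        String signingEnabled = repetitionInfo.getCurrentRepetition() % 2 == 0 ? "false" : "true";
        registeredService.setProperties(Map.of(
            RegisteredServiceProperty.RegisteredServiceProperties.ACCESS_TOKEN_AS_JWT_ENCRYPTION_ENABLED.getPropertyName(),
            new DefaultRegisteredServiceProperty("false"),
            RegisteredServiceProperty.RegisteredServiceProperties.ACCESS_TOKEN_AS_JWT_SIGNING_ENABLED.getPropertyName(),
            new DefaultRegisteredServiceProperty(signingEnabled)));
        // Persist so the generator resolves the same property values this test computes the hash with.
        this.servicesManager.save(registeredService);

        String idToken = this.oidcIdTokenGenerator.generate(request, response, accessToken,
            ID_TOKEN_TIMEOUT_SECONDS, OAuth20ResponseTypes.CODE, registeredService);
        Assertions.assertNotNull(idToken);

        JwtClaims claims = this.oidcTokenSigningAndEncryptionService.decode(idToken, Optional.of(registeredService));
        Assertions.assertNotNull(claims);
        Assertions.assertTrue(claims.hasClaim("at_hash"));
        Assertions.assertTrue(claims.hasClaim("auth_time"));

        String encodedAccessToken = OAuth20JwtAccessTokenEncoder.builder()
            .accessToken(accessToken)
            .registeredService(registeredService)
            .service(accessToken.getService())
            .casProperties(this.casProperties)
            .accessTokenJwtBuilder(this.oidcAccessTokenJwtBuilder)
            .build()
            .encode();
        String expectedAtHash = OAuth20AccessTokenAtHashGenerator.builder()
            .encodedAccessToken(encodedAccessToken)
            .registeredService(registeredService)
            .algorithm(registeredService.getIdTokenSigningAlg())
            .build()
            .generate();
        Assertions.assertEquals(expectedAtHash, claims.getClaimValue("at_hash", String.class));
    }
}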
