package org.apereo.cas.oidc.token;

import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.CoreAuthenticationTestUtils;
import org.apereo.cas.authentication.principal.WebApplicationServiceFactory;
import org.apereo.cas.mock.MockTicketGrantingTicket;
import org.apereo.cas.oidc.AbstractOidcTests;
import org.apereo.cas.oidc.OidcConstants;
import org.apereo.cas.services.DefaultRegisteredServiceProperty;
import org.apereo.cas.services.OidcRegisteredService;
import org.apereo.cas.services.RegisteredServiceProperty;
import org.apereo.cas.services.RegisteredServiceTestUtils;
import org.apereo.cas.support.oauth.OAuth20GrantTypes;
import org.apereo.cas.support.oauth.OAuth20ResponseTypes;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.support.oauth.util.OAuth20Utils;
import org.apereo.cas.support.oauth.web.response.accesstoken.OAuth20AccessTokenAtHashGenerator;
import org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20JwtAccessTokenEncoder;
import org.apereo.cas.ticket.accesstoken.OAuth20AccessToken;
import org.apereo.cas.util.CollectionUtils;
import org.jose4j.jwt.JwtClaims;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Nested;
import org.junit.jupiter.api.RepeatedTest;
import org.junit.jupiter.api.RepetitionInfo;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;
import org.mockito.Mockito;
import org.pac4j.core.profile.CommonProfile;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.test.context.TestPropertySource;

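/**
 * Tests for the OIDC ID token generator.
 *
 * <p>The contract under test: the ID token minted for an access token must carry the expected
 * standard claims ({@code iss}, {@code auth_time}, {@code at_hash}, scope-released profile
 * claims) and must <em>omit</em> the profile/email/phone claims whenever the flow also issues an
 * access token (response type {@code code} or grant type {@code authorization_code}); the
 * {@code cas.authn.oidc.id-token.include-id-token-claims=true} property overrides that omission.
 *
 * <p>Each nested class runs against its own {@link TestPropertySource}. The helpers on this outer
 * class only build fixtures and hold no state; all CAS collaborators ({@code casProperties},
 * {@code servicesManager}, {@code oidcIdTokenGenerator}, ...) come from {@link AbstractOidcTests}.
 */
@Tag("OIDC")
public class OidcIdTokenGeneratorServiceTests {
    private static final String OIDC_CLAIM_EMAIL = "email";
    private static final String OIDC_CLAIM_PHONE_NUMBER = "phone_number";
    private static final String OIDC_CLAIM_NAME = "name";
    private static final String OIDC_CLAIM_PREFERRED_USERNAME = "preferred_username";

    /** Subject used by every fixture: both the pac4j profile id and the CAS principal id. */
    private static final String CAS_USER = "casuser";

    /** Client id of the OIDC service that {@link AbstractOidcTests} registers for these tests. */
    private static final String CLIENT_ID = "clientid";

    /** Pattern of the CAS OAuth callback service that ends up in the TGT's service registry. */
    private static final String CALLBACK_SERVICE_PATTERN = "/oauth2.0/callbackAuthorize.*";

    /**
     * Builds the pac4j profile the generator receives as the authenticated user.
     *
     * @return a profile for {@link #CAS_USER} issued by the {@code OIDC} client
     */
    private static CommonProfile casUserProfile() {
        final CommonProfile profile = new CommonProfile();
        profile.setClientName("OIDC");
        profile.setId(CAS_USER);
        return profile;
    }

    /**
     * Builds a ticket-granting ticket whose service registry already contains the CAS OAuth
     * callback service, i.e. the state left behind by an authorization-code round trip.
     *
     * @param authentication the authentication the TGT is bound to
     * @param serverPrefix   the CAS server prefix the callback URL is built from
     * @return the mock TGT
     */
    private static MockTicketGrantingTicket ticketGrantingTicketWithCallbackService(final Authentication authentication,
                                                                                   final String serverPrefix) {
        final MockTicketGrantingTicket tgt = new MockTicketGrantingTicket(authentication);
        tgt.getServices().putAll(CollectionUtils.wrap("service",
            new WebApplicationServiceFactory().createService(serverPrefix + CALLBACK_SERVICE_PATTERN)));
        return tgt;
    }

    /**
     * Mocks an access token bound to the given authentication and TGT.
     *
     * @param authentication authentication returned by {@code getAuthentication()}
     * @param tgt            ticket returned by {@code getTicketGrantingTicket()}
     * @param tokenId        value returned by {@code getId()}; also feeds the {@code at_hash} claim
     * @return the Mockito mock
     */
    private static OAuth20AccessToken mockAccessToken(final Authentication authentication,
                                                      final MockTicketGrantingTicket tgt,
                                                      final String tokenId) {
        final OAuth20AccessToken token = Mockito.mock(OAuth20AccessToken.class);
        Mockito.when(token.getAuthentication()).thenReturn(authentication);
        Mockito.when(token.getTicketGrantingTicket()).thenReturn(tgt);
        Mockito.when(token.getId()).thenReturn(tokenId);
        return token;
    }

    /**
     * Stubs the token's granted scopes to {@code openid profile email phone}.
     *
     * @param token the mocked access token
     */
    private static void grantStandardScopes(final OAuth20AccessToken token) {
        Mockito.when(token.getScopes()).thenReturn(Set.of(
            OidcConstants.StandardScopes.OPENID.getScope(),
            OidcConstants.StandardScopes.PROFILE.getScope(),
            OidcConstants.StandardScopes.EMAIL.getScope(),
            OidcConstants.StandardScopes.PHONE.getScope()));
    }

    /**
     * Service-side scope allow-list that releases the profile, email and phone claims.
     * Both the token's granted scopes and the service's allowed scopes must contain a scope
     * for its claims to reach the ID token.
     *
     * @return the scope set
     */
    private static Set<String> profileEmailPhoneScopes() {
        return CollectionUtils.wrapSet(new String[]{
            OidcConstants.StandardScopes.EMAIL.getScope(),
            OidcConstants.StandardScopes.PROFILE.getScope(),
            OidcConstants.StandardScopes.PHONE.getScope()});
    }

    /**
     * Default behaviour: profile claims are only embedded in the ID token when the flow issues
     * no access token; {@code preferred_username} is mapped from the {@code custom-attribute}
     * principal attribute via {@code cas.authn.oidc.core.claims-map}.
     */
    @Nested
    @TestPropertySource(properties = {"cas.authn.oidc.id-token.include-id-token-claims=false", "cas.authn.oauth.access-token.crypto.encryption-enabled=false", "cas.authn.oidc.core.claims-map.preferred_username=custom-attribute"})
    public class DefaultTests extends AbstractOidcTests {

        /**
         * Implicit flow ({@code response_type=id_token}, no grant): the released claims, the
         * mapped {@code preferred_username}, {@code auth_time} and the per-service {@code iss}
         * must all be present and correct in the decoded token.
         */
        @Test
        public void verifyTokenGeneration() throws Exception {
            final CommonProfile profile = casUserProfile();
            final List<String> phoneNumbers = List.of("\\\\123456789", "4805553241");
            final Authentication authentication = CoreAuthenticationTestUtils.getAuthentication(
                RegisteredServiceTestUtils.getPrincipal(CAS_USER,
                    CollectionUtils.wrap(OIDC_CLAIM_EMAIL, List.of("casuser@example.org"),
                        OIDC_CLAIM_PHONE_NUMBER, phoneNumbers,
                        "color", List.of("yellow"),
                        "custom-attribute", "test",
                        OIDC_CLAIM_NAME, List.of(CAS_USER))),
                CollectionUtils.wrap("state", List.of("some-state"), "nonce", List.of("some-nonce")));
            final MockTicketGrantingTicket tgt =
                ticketGrantingTicketWithCallbackService(authentication, this.casProperties.getServer().getPrefix());
            final OAuth20AccessToken accessToken = mockAccessToken(authentication, tgt, getClass().getSimpleName());
            grantStandardScopes(accessToken);

            final OidcRegisteredService service = getOidcRegisteredService(CLIENT_ID);
            // A service-specific issuer: the token's "iss" must reflect it, not the global one.
            service.setIdTokenIssuer(UUID.randomUUID().toString());
            service.setScopes(profileEmailPhoneScopes());
            this.servicesManager.save(service);

            final String idToken = this.oidcIdTokenGenerator.generate(accessToken, profile,
                OAuth20ResponseTypes.ID_TOKEN, OAuth20GrantTypes.NONE, service);
            Assertions.assertNotNull(idToken);
            final JwtClaims claims = this.oidcTokenSigningAndEncryptionService.decode(idToken, Optional.ofNullable(service));
            Assertions.assertNotNull(claims);

            Assertions.assertTrue(claims.hasClaim(OIDC_CLAIM_EMAIL));
            Assertions.assertTrue(claims.hasClaim(OIDC_CLAIM_NAME));
            Assertions.assertTrue(claims.hasClaim(OIDC_CLAIM_PHONE_NUMBER));
            Assertions.assertTrue(claims.hasClaim(OIDC_CLAIM_PREFERRED_USERNAME));
            // auth_time must be the real authentication instant, in epoch seconds.
            Assertions.assertEquals(authentication.getAuthenticationDate().toEpochSecond(),
                ((Long) claims.getClaimValue("auth_time")).longValue());
            Assertions.assertEquals("casuser@example.org", claims.getStringClaimValue(OIDC_CLAIM_EMAIL));
            Assertions.assertEquals(CAS_USER, claims.getStringClaimValue(OIDC_CLAIM_NAME));
            Assertions.assertEquals(phoneNumbers, claims.getStringListClaimValue(OIDC_CLAIM_PHONE_NUMBER));
            // "test" comes from the custom-attribute mapped to preferred_username by the test properties.
            Assertions.assertEquals("test", claims.getStringClaimValue(OIDC_CLAIM_PREFERRED_USERNAME));
            Assertions.assertEquals(service.getIdTokenIssuer(), claims.getStringClaimValue("iss"));
        }

        /**
         * {@code response_type=code}: an access token is issued alongside, so the scope-released
         * claims must be left out of the ID token (they are meant for the userinfo endpoint).
         */
        @Test
        public void verifyTokenGenerationWithoutClaimsForCodeResponseType() throws Exception {
            final CommonProfile profile = casUserProfile();
            final Authentication authentication = CoreAuthenticationTestUtils.getAuthentication(
                RegisteredServiceTestUtils.getPrincipal(CAS_USER,
                    CollectionUtils.wrap(OIDC_CLAIM_EMAIL, List.of("casuser@example.org"),
                        OIDC_CLAIM_PHONE_NUMBER, List.of("123456789", "4805553241"),
                        "color", List.of("yellow"),
                        OIDC_CLAIM_NAME, List.of(CAS_USER))),
                CollectionUtils.wrap("state", List.of("some-state"), "nonce", List.of("some-nonce")));
            final MockTicketGrantingTicket tgt =
                ticketGrantingTicketWithCallbackService(authentication, this.casProperties.getServer().getPrefix());
            final OAuth20AccessToken accessToken = mockAccessToken(authentication, tgt, getClass().getSimpleName());
            grantStandardScopes(accessToken);

            final OidcRegisteredService service = OAuth20Utils.getRegisteredOAuthServiceByClientId(this.servicesManager, CLIENT_ID);
            service.setScopes(profileEmailPhoneScopes());

            final String idToken = this.oidcIdTokenGenerator.generate(accessToken, profile,
                OAuth20ResponseTypes.CODE, OAuth20GrantTypes.NONE, service);
            Assertions.assertNotNull(idToken);
            final JwtClaims claims = this.oidcTokenSigningAndEncryptionService.decode(idToken, Optional.ofNullable(service));
            Assertions.assertNotNull(claims);
            Assertions.assertFalse(claims.hasClaim(OIDC_CLAIM_EMAIL));
            Assertions.assertFalse(claims.hasClaim(OIDC_CLAIM_NAME));
            Assertions.assertFalse(claims.hasClaim(OIDC_CLAIM_PHONE_NUMBER));
        }

        /**
         * Same omission rule keyed on the grant instead of the response type: an
         * {@code authorization_code} grant must produce an ID token without the released claims,
         * even though the response type requested is {@code id_token}.
         */
        @Test
        public void verifyTokenGenerationWithOutClaimsForAuthzCodeGrantType() throws Exception {
            final CommonProfile profile = casUserProfile();
            final Authentication authentication = CoreAuthenticationTestUtils.getAuthentication(
                RegisteredServiceTestUtils.getPrincipal(CAS_USER,
                    CollectionUtils.wrap(OIDC_CLAIM_EMAIL, List.of("casuser@example.org"),
                        "color", List.of("yellow"),
                        OIDC_CLAIM_PHONE_NUMBER, List.of("123456789", "4805553241"),
                        OIDC_CLAIM_NAME, List.of(CAS_USER))),
                CollectionUtils.wrap("state", List.of("some-state"), "nonce", List.of("some-nonce")));
            final MockTicketGrantingTicket tgt =
                ticketGrantingTicketWithCallbackService(authentication, this.casProperties.getServer().getPrefix());
            final OAuth20AccessToken accessToken = mockAccessToken(authentication, tgt, getClass().getSimpleName());
            grantStandardScopes(accessToken);

            final OidcRegisteredService service = OAuth20Utils.getRegisteredOAuthServiceByClientId(this.servicesManager, CLIENT_ID);
            Assertions.assertNotNull(service);
            service.setScopes(profileEmailPhoneScopes());

            final String idToken = this.oidcIdTokenGenerator.generate(accessToken, profile,
                OAuth20ResponseTypes.ID_TOKEN, OAuth20GrantTypes.AUTHORIZATION_CODE, service);
            Assertions.assertNotNull(idToken);
            final JwtClaims claims = this.oidcTokenSigningAndEncryptionService.decode(idToken, Optional.of(service));
            Assertions.assertNotNull(claims);
            Assertions.assertFalse(claims.hasClaim(OIDC_CLAIM_EMAIL));
            Assertions.assertFalse(claims.hasClaim(OIDC_CLAIM_NAME));
            Assertions.assertFalse(claims.hasClaim(OIDC_CLAIM_PHONE_NUMBER));
        }

        /**
         * Generation must still succeed when the TGT has no callback service registered and the
         * authentication carries MFA context and handler attributes. Only the presence of a token
         * is asserted here; any acr/amr mapping of those attributes is not inspected by this test.
         */
        @Test
        public void verifyTokenGenerationWithoutCallbackService() throws Exception {
            final CommonProfile profile = casUserProfile();
            final Authentication authentication = CoreAuthenticationTestUtils.getAuthentication(CAS_USER,
                CollectionUtils.wrap("state", List.of("some-state"),
                    "nonce", List.of("some-nonce"),
                    this.casProperties.getAuthn().getMfa().getCore().getAuthenticationContextAttribute(), List.of("context-cass"),
                    "successfulAuthenticationHandlers", List.of("Handler1")));
            // Plain TGT: no callback service in its service registry.
            final MockTicketGrantingTicket tgt = new MockTicketGrantingTicket(authentication);
            final OAuth20AccessToken accessToken = mockAccessToken(authentication, tgt, getClass().getSimpleName());

            final String idToken = this.oidcIdTokenGenerator.generate(accessToken, profile,
                OAuth20ResponseTypes.CODE, OAuth20GrantTypes.NONE,
                OAuth20Utils.getRegisteredOAuthServiceByClientId(this.servicesManager, CLIENT_ID));
            Assertions.assertNotNull(idToken);
        }

        /**
         * A registered service that is OAuth but not OIDC must be rejected with an
         * {@link IllegalArgumentException} rather than being issued an ID token.
         */
        @Test
        public void verifyUnknownServiceType() {
            Assertions.assertThrows(IllegalArgumentException.class,
                () -> this.oidcIdTokenGenerator.generate(Mockito.mock(OAuth20AccessToken.class), new CommonProfile(),
                    OAuth20ResponseTypes.CODE, OAuth20GrantTypes.NONE, new MockOAuthRegisteredService()));
        }

        /**
         * With JWT access tokens enabled, the ID token's {@code at_hash} must be computed over the
         * encoded (JWT) access token, not the raw ticket id, so a relying party can bind the two
         * tokens together. Repeated twice to cover both the signed (odd repetition) and unsigned
         * (even repetition) access-token JWT variants; encryption stays off in both.
         *
         * @param repetitionInfo JUnit repetition counter, used to toggle signing
         */
        @RepeatedTest(2)
        public void verifyAccessTokenAsJwt(final RepetitionInfo repetitionInfo) throws Exception {
            final CommonProfile profile = casUserProfile();
            final OAuth20AccessToken accessToken = getAccessToken();

            final OidcRegisteredService service = getOidcRegisteredService(accessToken.getClientId());
            service.setJwtAccessToken(true);
            service.setIdTokenSigningAlg("RS256");
            final boolean signingEnabled = repetitionInfo.getCurrentRepetition() % 2 != 0;
            final String encryptionProperty = RegisteredServiceProperty.RegisteredServiceProperties.ACCESS_TOKEN_AS_JWT_ENCRYPTION_ENABLED.getPropertyName();
            final String signingProperty = RegisteredServiceProperty.RegisteredServiceProperties.ACCESS_TOKEN_AS_JWT_SIGNING_ENABLED.getPropertyName();
            service.setProperties(Map.of(
                encryptionProperty, new DefaultRegisteredServiceProperty(new String[]{"false"}),
                signingProperty, new DefaultRegisteredServiceProperty(new String[]{String.valueOf(signingEnabled)})));
            this.servicesManager.save(service);

            final String idToken = this.oidcIdTokenGenerator.generate(accessToken, profile,
                OAuth20ResponseTypes.CODE, OAuth20GrantTypes.NONE, service);
            Assertions.assertNotNull(idToken);
            final JwtClaims claims = this.oidcTokenSigningAndEncryptionService.decode(idToken, Optional.of(service));
            Assertions.assertNotNull(claims);
            Assertions.assertTrue(claims.hasClaim("at_hash"));
            Assertions.assertTrue(claims.hasClaim("auth_time"));

            final String issuer = this.oidcIssuerService.determineIssuer(Optional.of(service));
            Assertions.assertEquals(issuer, claims.getIssuer());

            // Recompute the expected hash the way a relying party would: over the JWT form of the
            // access token, using the ID token's signing algorithm to pick the digest.
            final String encodedAccessToken = OAuth20JwtAccessTokenEncoder.builder()
                .accessToken(accessToken)
                .registeredService(service)
                .service(accessToken.getService())
                .casProperties(this.casProperties)
                .accessTokenJwtBuilder(this.oidcAccessTokenJwtBuilder)
                .issuer(issuer)
                .build()
                .encode(accessToken.getId());
            final String expectedAtHash = OAuth20AccessTokenAtHashGenerator.builder()
                .encodedAccessToken(encodedAccessToken)
                .registeredService(service)
                .algorithm(service.getIdTokenSigningAlg())
                .build()
                .generate();
            Assertions.assertEquals(expectedAtHash, claims.getClaimValue("at_hash", String.class));
        }
    }

    /**
     * {@code include-id-token-claims=true}: the released claims are embedded even for
     * {@code response_type=code}, the opposite of the default verified above.
     */
    @Nested
    @TestPropertySource(properties = {"cas.authn.oauth.access-token.crypto.encryption-enabled=false", "cas.authn.oidc.id-token.include-id-token-claims=true"})
    public class IgnoringResponseTypeTests extends AbstractOidcTests {

        /** Mirror of the default-mode code-response test, expecting the claims to be present. */
        @Test
        public void verifyTokenGenerationWithClaimsForCodeResponseType() throws Exception {
            final CommonProfile profile = casUserProfile();
            final Authentication authentication = CoreAuthenticationTestUtils.getAuthentication(
                RegisteredServiceTestUtils.getPrincipal(CAS_USER,
                    CollectionUtils.wrap(OIDC_CLAIM_EMAIL, List.of("casuser@example.org"),
                        "color", List.of("yellow"),
                        OIDC_CLAIM_PHONE_NUMBER, List.of("123456789", "4805553241"),
                        OIDC_CLAIM_NAME, List.of(CAS_USER))),
                CollectionUtils.wrap("state", List.of("some-state"), "nonce", List.of("some-nonce")));
            final MockTicketGrantingTicket tgt =
                ticketGrantingTicketWithCallbackService(authentication, this.casProperties.getServer().getPrefix());
            final OAuth20AccessToken accessToken = mockAccessToken(authentication, tgt, getClass().getSimpleName());
            grantStandardScopes(accessToken);

            final OidcRegisteredService service = OAuth20Utils.getRegisteredOAuthServiceByClientId(this.servicesManager, CLIENT_ID);
            service.setScopes(profileEmailPhoneScopes());

            final String idToken = this.oidcIdTokenGenerator.generate(accessToken, profile,
                OAuth20ResponseTypes.CODE, OAuth20GrantTypes.NONE, service);
            Assertions.assertNotNull(idToken);
            final JwtClaims claims = this.oidcTokenSigningAndEncryptionService.decode(idToken, Optional.ofNullable(service));
            Assertions.assertNotNull(claims);
            Assertions.assertTrue(claims.hasClaim(OIDC_CLAIM_EMAIL));
            Assertions.assertTrue(claims.hasClaim(OIDC_CLAIM_NAME));
            Assertions.assertTrue(claims.hasClaim(OIDC_CLAIM_PHONE_NUMBER));
        }
    }

    /**
     * An OAuth-only registered service (not an {@link OidcRegisteredService}); used to check that
     * the generator refuses to mint an ID token for a non-OIDC service.
     */
    private static class MockOAuthRegisteredService extends OAuthRegisteredService {
        private static final long serialVersionUID = 8152953800891665827L;

        private MockOAuthRegisteredService() {
        }
    }
}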
