package org.apereo.cas.oidc.web.controllers.token;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.gen.ECKeyGenerator;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.oauth2.sdk.dpop.DefaultDPoPProofFactory;
import com.nimbusds.oauth2.sdk.dpop.verifiers.InvalidDPoPProofException;
import com.nimbusds.oauth2.sdk.token.DPoPAccessToken;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;
import org.apereo.cas.authentication.CoreAuthenticationTestUtils;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.config.CasWebSecurityConfiguration;
import org.apereo.cas.oidc.AbstractOidcTests;
import org.apereo.cas.oidc.web.controllers.profile.OidcUserProfileEndpointController;
import org.apereo.cas.services.OidcRegisteredService;
import org.apereo.cas.support.oauth.OAuth20ClientAuthenticationMethods;
import org.apereo.cas.support.oauth.OAuth20GrantTypes;
import org.apereo.cas.ticket.code.OAuth20Code;
import org.apereo.cas.util.EncodingUtils;
import org.apereo.cas.util.crypto.CertUtils;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.keys.AesKey;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Nested;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Import;
import org.springframework.core.io.ClassPathResource;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers;
import org.springframework.test.context.TestPropertySource;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.result.MockMvcResultMatchers;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.servlet.ModelAndView;

@Tag("OIDC")
/* loaded from: input_file:org/apereo/cas/oidc/web/controllers/token/OidcAccessTokenEndpointControllerTests.class */
class OidcAccessTokenEndpointControllerTests {

    @Nested
    /* loaded from: input_file:org/apereo/cas/oidc/web/controllers/token/OidcAccessTokenEndpointControllerTests$DefaultTests.class */
    class DefaultTests extends AbstractOidcTests {

        @Autowired
        @Qualifier("oidcAccessTokenController")
        protected OidcAccessTokenEndpointController oidcAccessTokenEndpointController;

        @Autowired
        @Qualifier("oidcProfileController")
        private OidcUserProfileEndpointController oidcProfileController;

        DefaultTests(OidcAccessTokenEndpointControllerTests oidcAccessTokenEndpointControllerTests) {
        }

        @Test
        void verifyBadEndpointRequest() throws Throwable {
            MockHttpServletRequest httpRequestForEndpoint = getHttpRequestForEndpoint("unknown/issuer");
            httpRequestForEndpoint.setRequestURI("unknown/issuer");
            MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
            Assertions.assertEquals(HttpStatus.BAD_REQUEST, this.oidcAccessTokenEndpointController.handleRequest(httpRequestForEndpoint, mockHttpServletResponse).getStatus());
            ModelAndView handleInvalidDPoPProofException = this.oidcAccessTokenEndpointController.handleInvalidDPoPProofException(mockHttpServletResponse, new InvalidDPoPProofException("invalid"));
            Assertions.assertTrue(handleInvalidDPoPProofException.getModel().containsKey("error"));
            Assertions.assertEquals("invalid_dpop_proof", handleInvalidDPoPProofException.getModel().get("error"));
        }

        @Test
        void verifyClientNoCode() throws Throwable {
            MockHttpServletRequest httpRequestForEndpoint = getHttpRequestForEndpoint("oidcAccessToken");
            MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
            this.oidcAccessTokenEndpointController.handleRequest(httpRequestForEndpoint, mockHttpServletResponse);
            Assertions.assertEquals(HttpStatus.BAD_REQUEST.value(), mockHttpServletResponse.getStatus());
            this.oidcAccessTokenEndpointController.handleGetRequest(httpRequestForEndpoint, mockHttpServletResponse);
            Assertions.assertEquals(HttpStatus.BAD_REQUEST.value(), mockHttpServletResponse.getStatus());
        }

        @Test
        void verifyDPoPRequest() throws Throwable {
            DefaultDPoPProofFactory defaultDPoPProofFactory = new DefaultDPoPProofFactory(new ECKeyGenerator(Curve.P_256).keyID("1234567890").generate(), JWSAlgorithm.ES256);
            MockHttpServletRequest httpRequestForEndpoint = getHttpRequestForEndpoint("token");
            httpRequestForEndpoint.setMethod(HttpMethod.POST.name());
            MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
            httpRequestForEndpoint.addHeader("DPoP", defaultDPoPProofFactory.createDPoPJWT(HttpMethod.POST.name(), new URI(httpRequestForEndpoint.getRequestURL().toString())).serialize());
            Principal principal = CoreAuthenticationTestUtils.getPrincipal("casuser");
            OidcRegisteredService oidcRegisteredService = getOidcRegisteredService(UUID.randomUUID().toString());
            this.servicesManager.save(oidcRegisteredService);
            httpRequestForEndpoint.addParameter("client_id", oidcRegisteredService.getClientId());
            OAuth20Code addCode = addCode(principal, oidcRegisteredService);
            httpRequestForEndpoint.addParameter("grant_type", OAuth20GrantTypes.AUTHORIZATION_CODE.getType());
            httpRequestForEndpoint.addParameter("redirect_uri", "https://oauth.example.org");
            httpRequestForEndpoint.addParameter("code", addCode.getId());
            this.oauthInterceptor.preHandle(httpRequestForEndpoint, mockHttpServletResponse, new Object());
            String obj = this.oidcAccessTokenEndpointController.handleRequest(httpRequestForEndpoint, mockHttpServletResponse).getModel().get("access_token").toString();
            Assertions.assertNotNull(obj);
            Assertions.assertNotNull(JWTParser.parse(obj));
            MockHttpServletRequest httpRequestForEndpoint2 = getHttpRequestForEndpoint("oidcProfile");
            httpRequestForEndpoint2.setMethod(HttpMethod.POST.name());
            MockHttpServletResponse mockHttpServletResponse2 = new MockHttpServletResponse();
            httpRequestForEndpoint2.addHeader("DPoP", defaultDPoPProofFactory.createDPoPJWT(HttpMethod.POST.name(), new URI(httpRequestForEndpoint2.getRequestURL().toString()), new DPoPAccessToken(obj)).serialize());
            httpRequestForEndpoint2.addParameter("token", obj);
            Assertions.assertEquals(HttpStatus.OK, this.oidcProfileController.handlePostRequest(httpRequestForEndpoint2, mockHttpServletResponse2).getStatusCode());
        }
    }

    @Nested
    @Import({CasWebSecurityConfiguration.class})
    @TestPropertySource(properties = {"cas.authn.oidc.core.accepted-issuers-pattern=.*"})
    /* loaded from: input_file:org/apereo/cas/oidc/web/controllers/token/OidcAccessTokenEndpointControllerTests$MvcTests.class */
    class MvcTests extends AbstractOidcTests {
        private MockMvc mvc;

        MvcTests(OidcAccessTokenEndpointControllerTests oidcAccessTokenEndpointControllerTests) {
        }

        @BeforeEach
        public void setup() {
            this.mvc = MockMvcBuilders.webAppContextSetup(this.applicationContext).apply(SecurityMockMvcConfigurers.springSecurity()).defaultRequest(MockMvcRequestBuilders.post("/", new Object[0]).contextPath("/cas").header("X-Forwarded-Proto", new Object[]{"https"}).header("Host", new Object[]{"sso.example.org"}).accept(new MediaType[]{MediaType.APPLICATION_JSON, MediaType.TEXT_PLAIN}).contentType(MediaType.APPLICATION_JSON)).build();
        }

        @Test
        void verifyClientCredentialsWithPrivateJWT() throws Throwable {
            String generateJsonWebKey = EncodingUtils.generateJsonWebKey(512);
            OidcRegisteredService oidcRegisteredService = getOidcRegisteredService(UUID.randomUUID().toString());
            oidcRegisteredService.setEncryptIdToken(false);
            oidcRegisteredService.setJwks(generateJsonWebKey);
            oidcRegisteredService.setTokenEndpointAuthenticationMethod(OAuth20ClientAuthenticationMethods.PRIVATE_KEY_JWT.getType());
            JwtClaims claims = getClaims(oidcRegisteredService.getClientId(), this.oidcIssuerService.determineIssuer(Optional.of(oidcRegisteredService)), oidcRegisteredService.getClientId(), oidcRegisteredService.getClientId());
            oidcRegisteredService.setSupportedGrantTypes(Set.of(OAuth20GrantTypes.CLIENT_CREDENTIALS.getType()));
            this.servicesManager.save(oidcRegisteredService);
            this.mvc.perform(MockMvcRequestBuilders.post("/cas/oidc/oidcAccessToken", new Object[0]).secure(true).queryParam("client_id", new String[]{oidcRegisteredService.getClientId()}).queryParam("client_assertion_type", new String[]{"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"}).queryParam("client_assertion", new String[]{new String(EncodingUtils.signJwsHMACSha512(new AesKey(generateJsonWebKey.getBytes(StandardCharsets.UTF_8)), claims.toJson().getBytes(StandardCharsets.UTF_8), Map.of()), StandardCharsets.UTF_8)}).queryParam("grant_type", new String[]{OAuth20GrantTypes.CLIENT_CREDENTIALS.name()})).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$.access_token", new Object[0]).exists()).andReturn();
        }

        @Test
        void verifyClientCredentialsWithFormPost() throws Throwable {
            OidcRegisteredService oidcRegisteredService = getOidcRegisteredService(UUID.randomUUID().toString());
            oidcRegisteredService.setEncryptIdToken(false);
            oidcRegisteredService.setJwtAccessToken(true);
            oidcRegisteredService.setSupportedGrantTypes(Set.of(OAuth20GrantTypes.CLIENT_CREDENTIALS.getType()));
            oidcRegisteredService.setTokenEndpointAuthenticationMethod(OAuth20ClientAuthenticationMethods.CLIENT_SECRET_POST.getType());
            this.servicesManager.save(oidcRegisteredService);
            this.mvc.perform(MockMvcRequestBuilders.post("/cas/oidc/oidcToken", new Object[0]).secure(true).param("client_id", new String[]{oidcRegisteredService.getClientId()}).param("client_secret", new String[]{oidcRegisteredService.getClientSecret()}).queryParam("client_id", new String[]{oidcRegisteredService.getClientId()}).queryParam("grant_type", new String[]{OAuth20GrantTypes.CLIENT_CREDENTIALS.name()})).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$.access_token", new Object[0]).exists()).andReturn();
        }

        @Test
        void verifyClientCredentialsWithTlsEnabled() throws Throwable {
            OidcRegisteredService oidcRegisteredService = getOidcRegisteredService(UUID.randomUUID().toString());
            oidcRegisteredService.setEncryptIdToken(false);
            oidcRegisteredService.setJwtAccessToken(true);
            oidcRegisteredService.setSupportedGrantTypes(Set.of(OAuth20GrantTypes.CLIENT_CREDENTIALS.getType()));
            oidcRegisteredService.setTokenEndpointAuthenticationMethod(OAuth20ClientAuthenticationMethods.TLS_CLIENT_AUTH.getType());
            this.servicesManager.save(oidcRegisteredService);
            this.mvc.perform(MockMvcRequestBuilders.post("/cas/oidc/oidcToken", new Object[0]).secure(true).queryParam("client_id", new String[]{oidcRegisteredService.getClientId()}).queryParam("grant_type", new String[]{OAuth20GrantTypes.CLIENT_CREDENTIALS.name()}).requestAttr("jakarta.servlet.request.X509Certificate", new X509Certificate[]{CertUtils.readCertificate(new ClassPathResource("RSA1024x509Cert.pem").getInputStream())})).andExpect(MockMvcResultMatchers.status().isOk()).andExpect(MockMvcResultMatchers.jsonPath("$.access_token", new Object[0]).exists()).andReturn();
        }
    }

    OidcAccessTokenEndpointControllerTests() {
    }
}
