package org.apereo.cas.oidc.util;

import jakarta.servlet.http.HttpServletRequest;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.util.Optional;
import java.util.UUID;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.CoreAuthenticationTestUtils;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.support.oidc.OidcProperties;
import org.apereo.cas.oidc.AbstractOidcTests;
import org.apereo.cas.oidc.issuer.OidcDefaultIssuerService;
import org.apereo.cas.ticket.registry.TicketRegistrySupport;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.web.cookie.CasCookieBuilder;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;
import org.mockito.Mockito;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.profile.CommonProfile;
import org.pac4j.jee.context.JEEContext;
import org.pac4j.jee.context.session.JEESessionStore;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;

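/**
 * Tests for {@link OidcRequestSupport} and {@link OidcDefaultIssuerService}.
 *
 * <p>The cases pin how OIDC authorization-request parameters ({@code prompt},
 * {@code max_age}, {@code state}) are read from the request URL, and which request
 * URLs the issuer service accepts for a configured issuer.
 */
@Tag("OIDC")
class OidcRequestSupportTests extends AbstractOidcTests {

    /**
     * Builds a mock HTTPS request context for {@code https://sso.example.org:8443/cas/oidc/<endpoint>}.
     *
     * @param str path segment(s) appended after {@code /cas/oidc/}
     * @return a context wrapping the mock request and a fresh mock response
     */
    protected static JEEContext getContextForEndpoint(String str) {
        MockHttpServletRequest request = new MockHttpServletRequest();
        request.setScheme("https");
        request.setServerName("sso.example.org");
        request.setServerPort(8443);
        request.setRequestURI("/cas/oidc/" + str);
        return new JEEContext(request, new MockHttpServletResponse());
    }

    /** Removing the {@code consent} prompt must leave no {@code prompt} text in the resulting URL. */
    @Test
    void verifyRemovePrompt() throws Throwable {
        String url = OidcRequestSupport.removeOidcPromptFromAuthorizationRequest(
            "https://tralala.whapi.com/something?prompt=consent", "consent");
        Assertions.assertFalse(url.contains("prompt"));
    }

    /** The {@code prompt} value is resolved from a raw URL string. */
    @Test
    void verifyOidcPrompt() throws Throwable {
        Assertions.assertEquals("login", this.oauthRequestParameterResolver
            .resolveSupportedPromptValues("https://tralala.whapi.com/something?prompt=login").toArray()[0]);
    }

    /** The {@code prompt} value is resolved from the context's full request URL. */
    @Test
    void verifyOidcPromptFromContext() throws Throwable {
        WebContext webContext = Mockito.mock(WebContext.class);
        Mockito.when(webContext.getFullRequestURL()).thenReturn("https://tralala.whapi.com/something?prompt=login");
        Assertions.assertEquals("login",
            this.oauthRequestParameterResolver.resolveSupportedPromptValues(webContext).toArray()[0]);
    }

    /**
     * With {@code max_age=1}, an authentication made five seconds ago is reported as too old
     * by all three static overloads: raw timestamp, {@link Authentication}, and user profile.
     */
    @Test
    void verifyOidcMaxAgeTooOld() throws Throwable {
        WebContext webContext = Mockito.mock(WebContext.class);
        Mockito.when(webContext.getFullRequestURL()).thenReturn("https://tralala.whapi.com/something?max_age=1");
        ZonedDateTime authenticatedAt = ZonedDateTime.now(ZoneOffset.UTC).minusSeconds(5L);

        Assertions.assertTrue(
            OidcRequestSupport.isCasAuthenticationOldForMaxAgeAuthorizationRequest(webContext, authenticatedAt));
        Assertions.assertTrue(OidcRequestSupport.isCasAuthenticationOldForMaxAgeAuthorizationRequest(
            webContext, CoreAuthenticationTestUtils.getAuthentication("casuser", authenticatedAt)));

        // The profile overload is given the timestamp through the "authenticationDate" attribute.
        CommonProfile profile = new CommonProfile();
        profile.setClientName("OIDC");
        profile.setId("casuser");
        profile.addAuthenticationAttribute("authenticationDate", authenticatedAt);
        Assertions.assertTrue(
            OidcRequestSupport.isCasAuthenticationOldForMaxAgeAuthorizationRequest(webContext, profile));
    }

    /**
     * Same {@code max_age} check through the instance method, with the cookie builder and
     * ticket registry mocked: any cookie value maps to a five-second-old authentication.
     */
    @Test
    void verifyOidcMaxAgeTooOldForContext() throws Throwable {
        Authentication authentication = CoreAuthenticationTestUtils.getAuthentication(
            "casuser", ZonedDateTime.now(ZoneOffset.UTC).minusSeconds(5L));

        // NOTE(review): the whole URL, query string included, is passed to setRequestURI instead of
        // being split into server name, URI and query string; the test relies on how the context
        // rebuilds the full request URL from that -- confirm this is intended.
        MockHttpServletRequest request = new MockHttpServletRequest();
        request.setRequestURI("https://tralala.whapi.com/something?max_age=1");
        JEEContext context = new JEEContext(request, new MockHttpServletResponse());

        CasCookieBuilder cookieBuilder = Mockito.mock(CasCookieBuilder.class);
        Mockito.when(cookieBuilder.retrieveCookieValue(Mockito.<HttpServletRequest>any()))
            .thenReturn(UUID.randomUUID().toString());
        TicketRegistrySupport registrySupport = Mockito.mock(TicketRegistrySupport.class);
        Mockito.when(registrySupport.getAuthenticationFrom(Mockito.anyString())).thenReturn(authentication);

        Assertions.assertTrue(new OidcRequestSupport(cookieBuilder, registrySupport)
            .isCasAuthenticationOldForMaxAgeAuthorizationRequest(context));
    }

    /**
     * Parsing of {@code max_age}: a numeric value is returned as-is, a non-numeric value is
     * returned as a present {@code -1}, and a missing parameter yields an empty result.
     */
    @Test
    void verifyOidcMaxAge() throws Throwable {
        WebContext webContext = Mockito.mock(WebContext.class);

        Mockito.when(webContext.getFullRequestURL()).thenReturn("https://tralala.whapi.com/something?max_age=1000");
        Optional<Long> numeric = OidcRequestSupport.getOidcMaxAgeFromAuthorizationRequest(webContext);
        Assertions.assertTrue(numeric.isPresent());
        Assertions.assertEquals(1000L, numeric.get().longValue());

        // A malformed value is not dropped: it comes back as a present -1, so isPresent() alone
        // does not mean the client sent a usable max_age.
        // NOTE(review): how callers treat -1 is not visible in this file -- confirm they do not
        // compare it against the authentication age as if it were a real limit.
        Mockito.when(webContext.getFullRequestURL()).thenReturn("https://tralala.whapi.com/something?max_age=NA");
        Optional<Long> malformed = OidcRequestSupport.getOidcMaxAgeFromAuthorizationRequest(webContext);
        Assertions.assertTrue(malformed.isPresent());
        Assertions.assertEquals(-1L, malformed.get().longValue());

        Mockito.when(webContext.getFullRequestURL()).thenReturn("https://tralala.whapi.com/something?");
        Assertions.assertFalse(OidcRequestSupport.getOidcMaxAgeFromAuthorizationRequest(webContext).isPresent());
    }

    /** A profile stored in the {@code pac4jUserProfiles} request attribute is reported as available. */
    @Test
    void verifyAuthnProfile() throws Throwable {
        MockHttpServletRequest request = new MockHttpServletRequest();
        request.setRequestURI("https://www.example.org");
        request.setQueryString("param=value");
        JEEContext context = new JEEContext(request, new MockHttpServletResponse());

        // The profile is keyed by its client name, which is never set in this test.
        CommonProfile profile = new CommonProfile();
        context.setRequestAttribute("pac4jUserProfiles",
            CollectionUtils.wrapLinkedHashMap(profile.getClientName(), profile));

        Assertions.assertTrue(
            OidcRequestSupport.isAuthenticationProfileAvailable(context, new JEESessionStore()).isPresent());
    }

    /**
     * The error redirect appends the error code and then the {@code state} request parameter.
     * The expected value is built by plain concatenation, so this case does not exercise
     * encoding of a {@code state} that contains reserved characters.
     */
    @Test
    void verifyGetRedirectUrlWithError() throws Throwable {
        MockHttpServletRequest request = new MockHttpServletRequest();
        request.setScheme("https");
        request.setServerName("example.org");
        request.addParameter("state", "123456");
        request.setServerPort(443);
        JEEContext context = new JEEContext(request, new MockHttpServletResponse());

        String expected = context.getRequestURL() + "?error=login_required&state=123456";
        Assertions.assertEquals(expected,
            OidcRequestSupport.getRedirectUrlWithError(context.getRequestURL(), "login_required", context));
    }

    /**
     * With the issuer set to {@code .../cas/oidc}, requests to the named endpoints under that
     * path are accepted.
     */
    @Test
    void validateStaticIssuer() {
        OidcProperties oidc = new CasConfigurationProperties().getAuthn().getOidc();
        oidc.getCore().setIssuer("https://sso.example.org:8443/cas/oidc");
        OidcDefaultIssuerService issuerService = new OidcDefaultIssuerService(oidc);

        Assertions.assertTrue(issuerService.validateIssuer(getContextForEndpoint("authorize"), "authorize"));
        Assertions.assertTrue(issuerService.validateIssuer(getContextForEndpoint("profile"), "profile"));
        Assertions.assertTrue(issuerService.validateIssuer(getContextForEndpoint("logout"), "logout"));
        // This case pins that an extra path segment ("realms") between the issuer and the endpoint
        // is accepted, i.e. the request URL need not be exactly issuer + "/" + endpoint.
        // NOTE(review): confirm this leniency is intended; there is no matching negative case here.
        Assertions.assertTrue(issuerService.validateIssuer(getContextForEndpoint("realms/authorize"), "authorize"));
    }

    /** With a deeper custom issuer path, endpoints under that path are accepted. */
    @Test
    void validateDynamicIssuer() {
        OidcProperties oidc = new CasConfigurationProperties().getAuthn().getOidc();
        oidc.getCore().setIssuer("https://sso.example.org:8443/cas/oidc/custom/fawnoos/issuer");
        OidcDefaultIssuerService issuerService = new OidcDefaultIssuerService(oidc);

        Assertions.assertTrue(
            issuerService.validateIssuer(getContextForEndpoint("custom/fawnoos/issuer/authorize"), "authorize"));
        Assertions.assertTrue(
            issuerService.validateIssuer(getContextForEndpoint("custom/fawnoos/issuer/profile"), "profile"));
        Assertions.assertTrue(
            issuerService.validateIssuer(getContextForEndpoint("custom/fawnoos/issuer/oidcAuthorize"), "oidcAuthorize"));
        // A request to the issuer URL itself passes even though the endpoint name ("unknown")
        // does not appear in the request path.
        Assertions.assertTrue(issuerService.validateIssuer(getContextForEndpoint("custom/fawnoos/issuer"), "unknown"));
    }

    /** A request to {@code .../logout} is accepted when validated under the endpoint name {@code oidcLogout}. */
    @Test
    void validateDynamicIssuerForLogout() {
        OidcProperties oidc = new CasConfigurationProperties().getAuthn().getOidc();
        oidc.getCore().setIssuer("https://sso.example.org:8443/cas/oidc");
        Assertions.assertTrue(
            new OidcDefaultIssuerService(oidc).validateIssuer(getContextForEndpoint("logout"), "oidcLogout"));
    }

    /**
     * Negative case: the configured issuer path ({@code /cas/openid-connect}) differs from the
     * request path ({@code /cas/oidc/logout}), so validation must fail.
     */
    @Test
    void validateIssuerMismatch() {
        OidcProperties oidc = new CasConfigurationProperties().getAuthn().getOidc();
        oidc.getCore().setIssuer("https://sso.example.org:8443/cas/openid-connect");
        Assertions.assertFalse(
            new OidcDefaultIssuerService(oidc).validateIssuer(getContextForEndpoint("logout"), "oidcLogout"));
    }
}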
