package org.apereo.cas.oidc.web.controllers;

import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Set;
import java.util.UUID;
import org.apereo.cas.oidc.AbstractOidcTests;
import org.apereo.cas.oidc.web.controllers.introspection.OidcIntrospectionEndpointController;
import org.apereo.cas.services.OidcRegisteredService;
import org.apereo.cas.support.oauth.web.response.introspection.OAuth20IntrospectionAccessTokenResponse;
import org.apereo.cas.ticket.accesstoken.OAuth20AccessToken;
import org.apereo.cas.util.EncodingUtils;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.test.context.TestPropertySource;

/**
 * Exercises {@link OidcIntrospectionEndpointController} for plain JSON and
 * JWT-formatted ({@code application/token-introspection+jwt}) responses.
 *
 * <p>The test property source limits the advertised introspection signing
 * algorithms to RS256/RS384/RS512 and the encryption algorithm to RSA-OAEP-256.
 * Every request authenticates the client with HTTP Basic and the fixture
 * secret {@code secret}.
 */
@Tag("OIDC")
@TestPropertySource(properties = {"cas.authn.oidc.discovery.introspection-signed-response-alg-values-supported=RS256,RS384,RS512", "cas.authn.oidc.discovery.introspection-encrypted-response-alg-values-supported=RSA-OAEP-256"})
class OidcIntrospectionEndpointControllerTests extends AbstractOidcTests {

    /** Media type requested and expected for JWT-formatted introspection responses. */
    private static final String JWT_INTROSPECTION_MEDIA_TYPE = "application/token-introspection+jwt";

    @Autowired
    @Qualifier("oidcIntrospectionEndpointController")
    protected OidcIntrospectionEndpointController oidcIntrospectionEndpointController;

    OidcIntrospectionEndpointControllerTests() {
    }

    /**
     * Builds the value of an HTTP Basic {@code Authorization} header.
     *
     * @param credentials the {@code clientId:secret} pair to encode
     * @return {@code "Basic "} followed by the Base64 form of the UTF-8 bytes
     */
    private static String basicAuthorization(final String credentials) {
        return "Basic " + EncodingUtils.encodeBase64(credentials.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Creates a request for the {@code introspect} endpoint that asks for a
     * JWT-formatted response through the {@code Accept} header.
     */
    private MockHttpServletRequest newJwtIntrospectionRequest() throws Throwable {
        final MockHttpServletRequest request = getHttpRequestForEndpoint("introspect");
        request.addHeader("Accept", JWT_INTROSPECTION_MEDIA_TYPE);
        return request;
    }

    /**
     * Adds the token id as the {@code token} parameter and invokes the controller.
     *
     * @param request the prepared introspection request
     * @param token   the access token whose id is submitted for introspection
     * @return the controller's response entity
     */
    private ResponseEntity<?> introspect(final MockHttpServletRequest request, final OAuth20AccessToken token) throws Throwable {
        request.addParameter("token", token.getId());
        return this.oidcIntrospectionEndpointController.handleRequest(request, new MockHttpServletResponse());
    }

    /**
     * A service with RS256 signing plus RSA-OAEP-256 / A128CBC-HS256 encryption
     * must receive an encrypted JWT with the JWT introspection content type.
     */
    @Test
    void verifyOperationWithValidTicketAsJwtSignedEncrypted() throws Throwable {
        final MockHttpServletRequest request = newJwtIntrospectionRequest();
        final OAuth20AccessToken token = getAccessToken(UUID.randomUUID().toString());
        request.addHeader("Authorization", basicAuthorization(token.getClientId() + ":secret"));

        final OidcRegisteredService service = getOidcRegisteredService(token.getClientId());
        service.setIntrospectionSignedResponseAlg("RS256");
        service.setIntrospectionEncryptedResponseAlg("RSA-OAEP-256");
        service.setIntrospectionEncryptedResponseEncoding("A128CBC-HS256");
        this.servicesManager.save(service);
        this.ticketRegistry.addTicket(token);

        final ResponseEntity<?> result = introspect(request, token);
        // Only the outer JWE shape is checked; the nested signature is not inspected here.
        Assertions.assertInstanceOf(EncryptedJWT.class, JWTParser.parse(result.getBody().toString()));
        Assertions.assertEquals(JWT_INTROSPECTION_MEDIA_TYPE, result.getHeaders().getContentType().toString());
    }

    /**
     * A service configured with RS512 signing must receive a signed JWT.
     */
    @Test
    void verifyOperationWithValidTicketAsJwtSigned() throws Throwable {
        final MockHttpServletRequest request = newJwtIntrospectionRequest();
        final OAuth20AccessToken token = getAccessToken(UUID.randomUUID().toString());
        request.addHeader("Authorization", basicAuthorization(token.getClientId() + ":secret"));

        final OidcRegisteredService service = getOidcRegisteredService(token.getClientId());
        service.setIntrospectionSignedResponseAlg("RS512");
        this.servicesManager.save(service);
        this.ticketRegistry.addTicket(token);

        final ResponseEntity<?> result = introspect(request, token);
        // NOTE(review): this proves the body parses as a JWS, not that its header
        // carries RS512 or that the signature verifies; consider asserting both.
        Assertions.assertInstanceOf(SignedJWT.class, JWTParser.parse(result.getBody().toString()));
    }

    /**
     * An explicit {@code none} signing algorithm is not in the supported list
     * and the request must be answered with a 4xx status.
     */
    @Test
    void verifyOperationWithValidTicketAsJwtSignedWithNone() throws Throwable {
        final MockHttpServletRequest request = newJwtIntrospectionRequest();
        final OAuth20AccessToken token = getAccessToken(UUID.randomUUID().toString());
        request.addHeader("Authorization", basicAuthorization(token.getClientId() + ":secret"));

        final OidcRegisteredService service = getOidcRegisteredService(token.getClientId());
        service.setIntrospectionSignedResponseAlg("none");
        this.servicesManager.save(service);
        this.ticketRegistry.addTicket(token);

        final ResponseEntity<?> result = introspect(request, token);
        Assertions.assertTrue(result.getStatusCode().is4xxClientError());
    }

    /**
     * An explicit {@code none} encryption algorithm must likewise be answered
     * with a 4xx status.
     */
    @Test
    void verifyOperationWithValidTicketAsJwtSignedWithNoneEncryption() throws Throwable {
        final MockHttpServletRequest request = newJwtIntrospectionRequest();
        final OAuth20AccessToken token = getAccessToken(UUID.randomUUID().toString());
        request.addHeader("Authorization", basicAuthorization(token.getClientId() + ":secret"));

        final OidcRegisteredService service = getOidcRegisteredService(token.getClientId());
        service.setIntrospectionEncryptedResponseAlg("none");
        this.servicesManager.save(service);
        this.ticketRegistry.addTicket(token);

        final ResponseEntity<?> result = introspect(request, token);
        Assertions.assertTrue(result.getStatusCode().is4xxClientError());
    }

    /**
     * With the signing algorithm cleared to {@code null}, the endpoint returns
     * an unsecured (plain) JWT with the JWT introspection content type.
     */
    @Test
    void verifyOperationWithValidTicketAsJwtPlain() throws Throwable {
        final MockHttpServletRequest request = newJwtIntrospectionRequest();
        final OAuth20AccessToken token = getAccessToken(UUID.randomUUID().toString());
        request.addHeader("Authorization", basicAuthorization(token.getClientId() + ":secret"));

        final OidcRegisteredService service = getOidcRegisteredService(token.getClientId());
        service.setIntrospectionSignedResponseAlg((String) null);
        this.servicesManager.save(service);
        this.ticketRegistry.addTicket(token);

        final ResponseEntity<?> result = introspect(request, token);
        // NOTE(review): a PlainJWT carries no signature, so a consumer cannot check
        // integrity from the token alone. An explicit "none" is rejected with 4xx in
        // the sibling test while an unset algorithm yields an unsigned JWT; confirm
        // that this difference is intended.
        Assertions.assertInstanceOf(PlainJWT.class, JWTParser.parse(result.getBody().toString()));
        Assertions.assertEquals(JWT_INTROSPECTION_MEDIA_TYPE, result.getHeaders().getContentType().toString());
    }

    /**
     * Without a JWT {@code Accept} header, a registered token is reported as
     * active, with {@code exp} after {@code iat} and the token's scopes echoed back.
     */
    @Test
    void verifyOperationWithValidTicket() throws Throwable {
        final MockHttpServletRequest request = getHttpRequestForEndpoint("introspect");
        request.addHeader("Authorization", basicAuthorization("clientid:secret"));

        final OAuth20AccessToken token = getAccessToken();
        this.servicesManager.save(getOidcRegisteredService());
        this.ticketRegistry.addTicket(token);

        final OAuth20IntrospectionAccessTokenResponse body =
            (OAuth20IntrospectionAccessTokenResponse) introspect(request, token).getBody();
        Assertions.assertNotNull(body);

        final Instant expiresAt = Instant.ofEpochSecond(body.getExp());
        final Instant issuedAt = Instant.ofEpochSecond(body.getIat());
        Assertions.assertTrue(expiresAt.isAfter(issuedAt));
        Assertions.assertTrue(body.isActive());

        // The response carries scopes as one space-delimited string.
        final String[] scopes = body.getScope().split(" ");
        Assertions.assertEquals(token.getScopes(), Set.of((Object[]) scopes));
    }

    /**
     * A request whose URI is {@code unknown/issuer} must be answered with 400 Bad Request.
     */
    @Test
    void verifyBadEndpointRequest() throws Throwable {
        final MockHttpServletRequest request = getHttpRequestForEndpoint("unknown/issuer");
        request.setRequestURI("unknown/issuer");
        final ResponseEntity<?> result =
            this.oidcIntrospectionEndpointController.handleRequest(request, new MockHttpServletResponse());
        Assertions.assertEquals(HttpStatus.BAD_REQUEST, result.getStatusCode());
    }

    /**
     * A token that was never added to the ticket registry must still produce
     * 200 OK, with the introspection body reporting {@code active=false}.
     */
    @Test
    void verifyOperationWithInvalidTicket() throws Throwable {
        final MockHttpServletRequest request = getHttpRequestForEndpoint("introspect");
        request.addHeader("Authorization", basicAuthorization("clientid:secret"));

        // The token is deliberately not stored in the registry.
        final OAuth20AccessToken token = getAccessToken();
        this.servicesManager.save(getOidcRegisteredService());

        final ResponseEntity<?> result = introspect(request, token);
        Assertions.assertEquals(HttpStatus.OK, result.getStatusCode());

        final OAuth20IntrospectionAccessTokenResponse body =
            (OAuth20IntrospectionAccessTokenResponse) result.getBody();
        Assertions.assertNotNull(body);
        Assertions.assertFalse(body.isActive());
    }
}
