package org.apereo.cas.oidc.web.controllers.ciba;

import com.fasterxml.jackson.databind.ObjectMapper;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import org.apereo.cas.oidc.AbstractOidcTests;
import org.apereo.cas.oidc.OidcConstants;
import org.apereo.cas.services.OidcBackchannelTokenDeliveryModes;
import org.apereo.cas.services.OidcRegisteredService;
import org.apereo.cas.services.RegisteredServiceTestUtils;
import org.apereo.cas.support.oauth.OAuth20GrantTypes;
import org.apereo.cas.support.oauth.OAuth20ResponseTypes;
import org.apereo.cas.util.EncodingUtils;
import org.apereo.cas.util.junit.EnabledIfListeningOnPort;
import org.apereo.cas.util.serialization.JacksonObjectMapperFactory;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;
import org.pac4j.core.profile.CommonProfile;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.http.MediaType;
import org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.test.context.TestPropertySource;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.MvcResult;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.result.MockMvcResultMatchers;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;

@Tag("OIDC")
@EnabledIfListeningOnPort(port = {25000})
@TestPropertySource(properties = {"spring.mail.host=localhost", "spring.mail.port=25000", "cas.authn.oidc.ciba.verification.delay=PT1S", "cas.authn.oidc.ciba.verification.mail.html=false", "cas.authn.oidc.ciba.verification.mail.from=cas@apereo.org", "cas.authn.oidc.ciba.verification.mail.subject=CIBA Token", "cas.authn.oidc.ciba.verification.mail.text=URL is ${verificationUrl}"})
/* loaded from: input_file:org/apereo/cas/oidc/web/controllers/ciba/OidcCibaControllerTests.class */
public class OidcCibaControllerTests extends AbstractOidcTests {
    private static final ObjectMapper MAPPER = JacksonObjectMapperFactory.builder().defaultTypingEnabled(false).build().toObjectMapper();

    @Autowired
    @Qualifier("oidcCibaController")
    protected OidcCibaController oidcCibaController;
    private MockMvc mvc;

    @BeforeEach
    public void setup() {
        this.mvc = MockMvcBuilders.webAppContextSetup(this.applicationContext).apply(SecurityMockMvcConfigurers.springSecurity()).defaultRequest(MockMvcRequestBuilders.post("/", new Object[0]).contextPath("/cas").header("X-Forwarded-Proto", new Object[]{"https"}).header("Host", new Object[]{"sso.example.org"}).accept(new MediaType[]{MediaType.APPLICATION_JSON, MediaType.TEXT_PLAIN}).contentType(MediaType.APPLICATION_JSON)).build();
    }

    @Test
    void verifyRequestWithoutScopes() throws Throwable {
        OidcRegisteredService oidcRegisteredService = getOidcRegisteredService(UUID.randomUUID().toString());
        oidcRegisteredService.setSupportedGrantTypes(Set.of(OAuth20GrantTypes.CIBA.getType()));
        this.servicesManager.save(oidcRegisteredService);
        this.mvc.perform(MockMvcRequestBuilders.post("/cas/oidc/oidcCiba", new Object[0]).secure(true).header("Authorization", new Object[]{"Basic " + EncodingUtils.encodeBase64("%s:%s".formatted(oidcRegisteredService.getClientId(), oidcRegisteredService.getClientSecret()).getBytes(StandardCharsets.UTF_8))}).queryParam("grant_type", new String[]{OAuth20GrantTypes.CIBA.name()})).andExpect(MockMvcResultMatchers.status().isBadRequest());
    }

    @Test
    void verifyRequestWithMultipleHints() throws Throwable {
        OidcRegisteredService oidcRegisteredService = getOidcRegisteredService(UUID.randomUUID().toString());
        oidcRegisteredService.setSupportedGrantTypes(Set.of(OAuth20GrantTypes.CIBA.getType()));
        this.servicesManager.save(oidcRegisteredService);
        this.mvc.perform(MockMvcRequestBuilders.post("/cas/oidc/oidcCiba", new Object[0]).secure(true).header("Authorization", new Object[]{"Basic " + EncodingUtils.encodeBase64("%s:%s".formatted(oidcRegisteredService.getClientId(), oidcRegisteredService.getClientSecret()).getBytes(StandardCharsets.UTF_8))}).queryParam("scope", new String[]{OidcConstants.StandardScopes.OPENID.getScope()}).queryParam("grant_type", new String[]{OAuth20GrantTypes.CIBA.name()}).queryParam("login_hint_token", new String[]{UUID.randomUUID().toString()}).queryParam("login_hint", new String[]{UUID.randomUUID().toString()})).andExpect(MockMvcResultMatchers.status().isBadRequest());
    }

    @Test
    void verifyRequestWithInvalidUserCode() throws Throwable {
        OidcRegisteredService oidcRegisteredService = getOidcRegisteredService(UUID.randomUUID().toString());
        oidcRegisteredService.setSupportedGrantTypes(Set.of(OAuth20GrantTypes.CIBA.getType()));
        this.servicesManager.save(oidcRegisteredService);
        this.mvc.perform(MockMvcRequestBuilders.post("/cas/oidc/oidcCiba", new Object[0]).secure(true).header("Authorization", new Object[]{"Basic " + EncodingUtils.encodeBase64("%s:%s".formatted(oidcRegisteredService.getClientId(), oidcRegisteredService.getClientSecret()).getBytes(StandardCharsets.UTF_8))}).queryParam("scope", new String[]{OidcConstants.StandardScopes.OPENID.getScope()}).queryParam("grant_type", new String[]{OAuth20GrantTypes.CIBA.name()}).queryParam("user_code", new String[]{UUID.randomUUID().toString()}).queryParam("login_hint", new String[]{UUID.randomUUID().toString()})).andExpect(MockMvcResultMatchers.status().isBadRequest());
        oidcRegisteredService.setBackchannelUserCodeParameterSupported(true);
        this.servicesManager.save(oidcRegisteredService);
        this.mvc.perform(MockMvcRequestBuilders.post("/cas/oidc/oidcCiba", new Object[0]).secure(true).header("Authorization", new Object[]{"Basic " + EncodingUtils.encodeBase64("%s:%s".formatted(oidcRegisteredService.getClientId(), oidcRegisteredService.getClientSecret()).getBytes(StandardCharsets.UTF_8))}).queryParam("scope", new String[]{OidcConstants.StandardScopes.OPENID.getScope()}).queryParam("grant_type", new String[]{OAuth20GrantTypes.CIBA.name()}).queryParam("login_hint", new String[]{UUID.randomUUID().toString()})).andExpect(MockMvcResultMatchers.status().isBadRequest());
    }

    @Test
    void verifyRequestWithMissingClientToken() throws Throwable {
        OidcRegisteredService oidcRegisteredService = getOidcRegisteredService(UUID.randomUUID().toString());
        oidcRegisteredService.setBackchannelTokenDeliveryMode(OidcBackchannelTokenDeliveryModes.PUSH.getMode());
        oidcRegisteredService.setSupportedGrantTypes(Set.of(OAuth20GrantTypes.CIBA.getType()));
        this.servicesManager.save(oidcRegisteredService);
        this.mvc.perform(MockMvcRequestBuilders.post("/cas/oidc/oidcCiba", new Object[0]).secure(true).header("Authorization", new Object[]{"Basic " + EncodingUtils.encodeBase64("%s:%s".formatted(oidcRegisteredService.getClientId(), oidcRegisteredService.getClientSecret()).getBytes(StandardCharsets.UTF_8))}).queryParam("scope", new String[]{OidcConstants.StandardScopes.OPENID.getScope()}).queryParam("grant_type", new String[]{OAuth20GrantTypes.CIBA.name()}).queryParam("login_hint", new String[]{UUID.randomUUID().toString()})).andExpect(MockMvcResultMatchers.status().isBadRequest());
    }

    @Test
    void verifyRequestWithIdTokenHint() throws Throwable {
        OidcRegisteredService oidcRegisteredService = getOidcRegisteredService(UUID.randomUUID().toString());
        oidcRegisteredService.setBackchannelTokenDeliveryMode(OidcBackchannelTokenDeliveryModes.PUSH.getMode());
        oidcRegisteredService.setSupportedGrantTypes(Set.of(OAuth20GrantTypes.CIBA.getType()));
        this.servicesManager.save(oidcRegisteredService);
        CommonProfile commonProfile = new CommonProfile();
        commonProfile.setId("casuser");
        commonProfile.addAttributes(RegisteredServiceTestUtils.getTestAttributes());
        this.mvc.perform(MockMvcRequestBuilders.post("/cas/oidc/oidcCiba", new Object[0]).secure(true).header("Authorization", new Object[]{"Basic " + EncodingUtils.encodeBase64("%s:%s".formatted(oidcRegisteredService.getClientId(), oidcRegisteredService.getClientSecret()).getBytes(StandardCharsets.UTF_8))}).queryParam("scope", new String[]{OidcConstants.StandardScopes.OPENID.getScope()}).queryParam("grant_type", new String[]{OAuth20GrantTypes.CIBA.name()}).queryParam("client_notification_token", new String[]{UUID.randomUUID().toString()}).queryParam("id_token_hint", new String[]{this.oidcIdTokenGenerator.generate(getAccessToken(oidcRegisteredService.getClientId()), commonProfile, OAuth20ResponseTypes.CODE, OAuth20GrantTypes.AUTHORIZATION_CODE, oidcRegisteredService).token()})).andExpect(MockMvcResultMatchers.status().isOk());
    }

    @Test
    void verifyRequestWithPushDelivery() throws Throwable {
        OidcRegisteredService oidcRegisteredService = getOidcRegisteredService(UUID.randomUUID().toString());
        oidcRegisteredService.setBackchannelTokenDeliveryMode(OidcBackchannelTokenDeliveryModes.PUSH.getMode());
        oidcRegisteredService.setSupportedGrantTypes(Set.of(OAuth20GrantTypes.CIBA.getType()));
        this.servicesManager.save(oidcRegisteredService);
        String obj = ((Map) MAPPER.readValue(this.mvc.perform(MockMvcRequestBuilders.post("/cas/oidc/oidcCiba", new Object[0]).secure(true).header("Authorization", new Object[]{"Basic " + EncodingUtils.encodeBase64("%s:%s".formatted(oidcRegisteredService.getClientId(), oidcRegisteredService.getClientSecret()).getBytes(StandardCharsets.UTF_8))}).queryParam("scope", new String[]{OidcConstants.StandardScopes.OPENID.getScope()}).queryParam("grant_type", new String[]{OAuth20GrantTypes.CIBA.name()}).queryParam("client_notification_token", new String[]{UUID.randomUUID().toString()}).queryParam("binding_message", new String[]{UUID.randomUUID().toString()}).queryParam("login_hint", new String[]{UUID.randomUUID().toString()})).andExpect(MockMvcResultMatchers.status().isOk()).andReturn().getResponse().getContentAsString(), Map.class)).get("auth_req_id").toString();
        Assertions.assertNotNull(obj);
        Thread.sleep(3000L);
        String str = "/cas/oidc/oidcCiba/" + oidcRegisteredService.getClientId() + "/" + obj;
        MvcResult andReturn = this.mvc.perform(MockMvcRequestBuilders.get(str, new Object[0]).secure(true)).andExpect(MockMvcResultMatchers.status().isOk()).andReturn();
        Assertions.assertNotNull(andReturn.getModelAndView());
        Assertions.assertEquals("oidcCibaVerificationView", andReturn.getModelAndView().getViewName());
        Assertions.assertTrue(andReturn.getModelAndView().getModel().containsKey("registeredService"));
        Assertions.assertTrue(andReturn.getModelAndView().getModel().containsKey("cibaRequest"));
        Assertions.assertTrue(andReturn.getModelAndView().getModel().containsKey("bindingMessage"));
        CsrfToken csrfToken = (CsrfToken) andReturn.getRequest().getAttribute("_csrf");
        this.mvc.perform(MockMvcRequestBuilders.post(str, new Object[0]).secure(true).header(csrfToken.getHeaderName(), new Object[]{csrfToken.getToken()}).queryParam(csrfToken.getParameterName(), new String[]{csrfToken.getToken()}).cookie(andReturn.getResponse().getCookies())).andExpect(MockMvcResultMatchers.status().isOk());
    }

    @Test
    void verifyUnauthorizedRequest() throws Throwable {
        this.mvc.perform(MockMvcRequestBuilders.post("/cas/oidc/oidcCiba", new Object[0]).secure(true).queryParam("scope", new String[]{OidcConstants.StandardScopes.OPENID.getScope()}).queryParam("grant_type", new String[]{OAuth20GrantTypes.CIBA.name()}).queryParam("client_notification_token", new String[]{UUID.randomUUID().toString()}).queryParam("login_hint", new String[]{UUID.randomUUID().toString()})).andExpect(MockMvcResultMatchers.status().isUnauthorized());
    }
}
