package org.apereo.cas.oidc.token;

import java.util.Optional;
import org.apereo.cas.oidc.AbstractOidcTests;
import org.apereo.cas.services.OidcRegisteredService;
import org.jose4j.jwt.JwtClaims;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Nested;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;
import org.springframework.test.context.TestPropertySource;

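/**
 * Tests for the OIDC ID token signing and encryption service: encoding and decoding
 * ID tokens, and handling of the {@code none} algorithm.
 *
 * <p>Each nested class runs with its own {@link TestPropertySource} so that the same
 * service can be checked under different discovery and keystore settings.
 *
 * <p>The nested classes deliberately declare no constructors. A non-static nested class
 * already receives its enclosing instance implicitly; an additional explicit parameter of
 * the enclosing type would be treated by JUnit Jupiter as an unresolved constructor
 * parameter.
 *
 * <p>NOTE(review): {@code oidcTokenSigningAndEncryptionService} and the {@code get*}
 * fixture helpers are not declared in this file; presumably they come from
 * {@link AbstractOidcTests} - confirm there.
 */
@Tag("OIDC")
class OidcIdTokenSigningAndEncryptionServiceTests {

    /**
     * Behavior when discovery advertises only RSA signing algorithms and real content
     * encryption encodings, i.e. {@code none} is not in either supported list.
     */
    @Nested
    @TestPropertySource(properties = {
        "cas.authn.oidc.discovery.id-token-signing-alg-values-supported=RS256,RS384,RS512",
        "cas.authn.oidc.discovery.id-token-encryption-encoding-values-supported=A128CBC-HS256,A192CBC-HS384,A256CBC-HS512,A128GCM,A192GCM,A256GCM"
    })
    class DefaultTests extends AbstractOidcTests {

        /** Encoding the default claims for the default OIDC service yields a token. */
        @Test
        void verifyOperation() throws Throwable {
            Assertions.assertNotNull(
                this.oidcTokenSigningAndEncryptionService.encode(getOidcRegisteredService(), getClaims()));
        }

        /**
         * A service that requests encryption but has no JWKS still gets a token when
         * ID token encryption is marked optional.
         *
         * <p>NOTE(review): only non-null is asserted here; whether the resulting token is
         * left unencrypted is not checked by this test - confirm against the service.
         */
        @Test
        void verifyEncryptionOptional() throws Throwable {
            JwtClaims claims = getClaims();
            OidcRegisteredService service = getOidcRegisteredService();
            service.setJwks((String) null);
            service.setEncryptIdToken(true);
            service.setIdTokenEncryptionOptional(true);
            Assertions.assertNotNull(this.oidcTokenSigningAndEncryptionService.encode(service, claims));
        }

        /** A plain OAuth registered service is neither encrypted nor signed for by this service. */
        @Test
        void verifyWrongType() throws Throwable {
            Assertions.assertFalse(this.oidcTokenSigningAndEncryptionService.shouldEncryptToken(
                getOAuthRegisteredService("1", "http://localhost/cas")));
            Assertions.assertFalse(this.oidcTokenSigningAndEncryptionService.shouldSignToken(
                getOAuthRegisteredService("1", "http://localhost/cas")));
        }

        /**
         * Signing is skipped for a service built with {@code (false, false)}.
         *
         * <p>NOTE(review): the two flags are presumably (sign, encrypt) - confirm in
         * {@code AbstractOidcTests}.
         */
        @Test
        void verifySkipSigning() throws Throwable {
            Assertions.assertFalse(
                this.oidcTokenSigningAndEncryptionService.shouldSignToken(getOidcRegisteredService(false, false)));
        }

        /** A token produced by {@code encode} can be decoded again for the same service. */
        @Test
        void verifyValidationOperation() throws Throwable {
            JwtClaims claims = getClaims();
            OidcRegisteredService service = getOidcRegisteredService(true, false);
            String token = this.oidcTokenSigningAndEncryptionService.encode(service, claims);
            Assertions.assertNotNull(
                this.oidcTokenSigningAndEncryptionService.decode(token, Optional.of(service)));
        }

        /** A string that is not a token at all is rejected with {@link IllegalArgumentException}. */
        @Test
        void verifyDecodingFailureBadToken() throws Throwable {
            OidcRegisteredService service = getOidcRegisteredService(true, false);
            Assertions.assertThrows(IllegalArgumentException.class,
                () -> this.oidcTokenSigningAndEncryptionService.decode("bad-token", Optional.of(service)));
        }

        /** Decoding rejects a token whose issuer claim is empty. */
        @Test
        void verifyDecodingFailureNoIssuer() throws Throwable {
            OidcRegisteredService service = getOidcRegisteredService(true, false);
            JwtClaims claims = getClaims();
            claims.setIssuer("");
            String token = this.oidcTokenSigningAndEncryptionService.encode(service, claims);
            Assertions.assertThrows(IllegalArgumentException.class,
                () -> this.oidcTokenSigningAndEncryptionService.decode(token, Optional.of(service)));
        }

        /** Decoding rejects a token whose issuer claim is {@code "bad-issuer"}. */
        @Test
        void verifyDecodingFailureBadIssuer() throws Throwable {
            OidcRegisteredService service = getOidcRegisteredService(true, false);
            JwtClaims claims = getClaims();
            claims.setIssuer("bad-issuer");
            String token = this.oidcTokenSigningAndEncryptionService.encode(service, claims);
            Assertions.assertThrows(IllegalArgumentException.class,
                () -> this.oidcTokenSigningAndEncryptionService.decode(token, Optional.of(service)));
        }

        /** Decoding rejects a token whose {@code client_id} claim is empty. */
        @Test
        void verifyDecodingFailureBadClient() throws Throwable {
            OidcRegisteredService service = getOidcRegisteredService(true, false);
            JwtClaims claims = getClaims();
            claims.setStringClaim("client_id", "");
            String token = this.oidcTokenSigningAndEncryptionService.encode(service, claims);
            Assertions.assertThrows(IllegalArgumentException.class,
                () -> this.oidcTokenSigningAndEncryptionService.decode(token, Optional.of(service)));
        }

        /**
         * A service may not opt into {@code none} on its own: with {@code none} absent from
         * the discovery settings of this nested class, encoding fails for a {@code none}
         * signing algorithm and, separately, for a {@code none} encryption algorithm.
         *
         * <p>This is the guard that keeps a per-service setting from producing tokens
         * without integrity protection when the deployment has not allowed it.
         */
        @Test
        void verifyNoneNotSupported() throws Throwable {
            JwtClaims claims = getClaims();
            OidcRegisteredService service = getOidcRegisteredService();

            service.setIdTokenSigningAlg("none");
            Assertions.assertThrows(IllegalArgumentException.class,
                () -> this.oidcTokenSigningAndEncryptionService.encode(service, claims));

            // Restore a real signing algorithm so the second failure is attributable
            // to the encryption algorithm alone.
            service.setIdTokenSigningAlg("RS256");
            service.setIdTokenEncryptionAlg("none");
            Assertions.assertThrows(IllegalArgumentException.class,
                () -> this.oidcTokenSigningAndEncryptionService.encode(service, claims));
        }
    }

    /**
     * Behavior when the keystore is loaded from {@code classpath:multiple-keys.jwks};
     * services select a key through {@code setJwksKeyId}.
     */
    @Nested
    @TestPropertySource(properties = {"cas.authn.oidc.jwks.file-system.jwks-file=classpath:multiple-keys.jwks"})
    class KeystoreWithMultipleKeysTests extends AbstractOidcTests {

        /**
         * Encoding succeeds for a service pinned to key id {@code "EC"} with ES512, for a
         * service pinned to key id {@code "RSA"} with RS256, and for the default service.
         */
        @Test
        void verifyOperation() throws Throwable {
            JwtClaims claims = getClaims();

            OidcRegisteredService ecService = getOidcRegisteredService("ES512");
            ecService.setIdTokenSigningAlg("ES512");
            ecService.setJwksKeyId("EC");
            ecService.setEncryptIdToken(false);

            OidcRegisteredService rsaService = getOidcRegisteredService("RS256");
            rsaService.setIdTokenSigningAlg("RS256");
            rsaService.setJwksKeyId("RSA");
            rsaService.setEncryptIdToken(false);

            Assertions.assertNotNull(this.oidcTokenSigningAndEncryptionService.encode(ecService, claims));
            Assertions.assertNotNull(this.oidcTokenSigningAndEncryptionService.encode(rsaService, claims));
            Assertions.assertNotNull(
                this.oidcTokenSigningAndEncryptionService.encode(getOidcRegisteredService(), claims));
        }
    }

    /**
     * Behavior when discovery explicitly lists {@code none} as the only supported signing
     * algorithm and encryption encoding.
     */
    @Nested
    @TestPropertySource(properties = {
        "cas.authn.oidc.discovery.id-token-signing-alg-values-supported=none",
        "cas.authn.oidc.discovery.id-token-encryption-encoding-values-supported=none"
    })
    class NoneTests extends AbstractOidcTests {

        /**
         * With {@code none} allowed by discovery, a service configured for {@code none}
         * signing and encryption gets a token.
         *
         * <p>NOTE(review): only non-null is asserted. A token issued this way carries no
         * signature, so relying parties cannot verify its integrity; this configuration
         * is the deployment-level opt-in that {@code DefaultTests.verifyNoneNotSupported}
         * shows is otherwise refused.
         */
        @Test
        void verifyNoneSupported() throws Throwable {
            JwtClaims claims = getClaims();
            OidcRegisteredService service = getOidcRegisteredService();
            service.setIdTokenSigningAlg("none");
            service.setIdTokenEncryptionAlg("none");
            Assertions.assertNotNull(this.oidcTokenSigningAndEncryptionService.encode(service, claims));
        }
    }
}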
