package net.shibboleth.oidc.security.jwt.claims.impl;

import com.nimbusds.jwt.JWTClaimsSet;
import java.util.List;
import java.util.Set;
import java.util.function.Function;
import javax.annotation.Nonnull;
import net.shibboleth.oidc.jwt.claims.JWTValidationException;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import org.mockito.Mockito;
import org.opensaml.profile.context.ProfileRequestContext;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;

/* loaded from: input_file:net/shibboleth/oidc/security/jwt/claims/impl/AuthenticationAudienceClaimsValidatorTest.class */
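/**
 * Unit tests for {@link AuthenticationAudienceClaimsValidator}.
 *
 * <p>The cases pin which {@code aud} values of a JWT the validator accepts: the value returned by the audience
 * lookup strategy, the replaced-endpoint form of that value (presumably derived by swapping a configured endpoint
 * target for the endpoint replacement; confirm against the validator), and the value returned by the responder ID
 * lookup strategy. They also pin both modes of extra audience validation: when it is off, further {@code aud}
 * values are tolerated; when it is on, a further value is accepted only if the additional audiences lookup
 * strategy returns it.</p>
 *
 * <p>NOTE(review): only one case uses an audience that matches nothing, and no case here covers a token without an
 * {@code aud} claim, or strict mode with one trusted and one untrusted extra audience in the same token. Confirm
 * these are covered elsewhere, because the audience check is what stops a JWT addressed to a different recipient
 * from being accepted here.</p>
 */
public class AuthenticationAudienceClaimsValidatorTest extends AbstractClaimsValidatorTest {

    /** Audience returned by the audience lookup strategy in every test. */
    private static final String LOOKED_UP_AUDIENCE = "https://localhost/idp/profile/oauth2/one";

    /** Audience that uses the endpoint replacement path instead of the matched endpoint target. */
    private static final String REPLACED_ENDPOINT_AUDIENCE = "https://localhost/idp/profile/oidc/token";

    /** Value the responder ID lookup strategy is stubbed to return. */
    private static final String RESPONDER_ID = "https://op.example.org";

    /** A second audience value that matches none of the validator's own identifiers. */
    private static final String EXTRA_AUDIENCE = "another";

    @Nonnull
    private AuthenticationAudienceClaimsValidator validator;

    /** Mocked responder ID lookup, recreated for every test method. */
    private Function<ProfileRequestContext, String> responderIdLookup;

    /**
     * Creates a fresh validator and a fresh responder ID mock before each test.
     *
     * <p>TestNG runs all test methods on one instance of this class, so a mock held in a field initializer would
     * carry its stubbing from one test into the next.</p>
     *
     * @throws ComponentInitializationException if the parent setup fails
     */
    @Override
    @BeforeMethod
    public void setup() throws ComponentInitializationException {
        super.setup();
        this.validator = new AuthenticationAudienceClaimsValidator();
        this.validator.setId("test-validator");
        this.responderIdLookup = newResponderIdLookup();
    }

    /** An audience that differs from the looked-up audience must be rejected. */
    @Test(expectedExceptions = JWTValidationException.class)
    public void doRejectedTest_NoAcceptedAudience() throws JWTValidationException, ComponentInitializationException {
        final JWTClaimsSet claims =
                new JWTClaimsSet.Builder().audience("https://localhost/idp/profile/oauth2/notMatching").build();
        configureAudienceLookup(false);
        initializeAndValidate(claims);
    }

    /** The looked-up audience as the only {@code aud} value is accepted. */
    @Test
    public void doValidTest_EndpointAsOnlyAudience() throws JWTValidationException, ComponentInitializationException {
        final JWTClaimsSet claims = new JWTClaimsSet.Builder().audience(LOOKED_UP_AUDIENCE).build();
        configureAudienceLookup(false);
        configureEndpointReplacement();
        initializeAndValidate(claims);
    }

    /** With extra audience validation off, a second unrelated audience is tolerated. */
    @Test
    public void doValidTest_EndpointAsOneAudience_noAdditionalAudience() throws JWTValidationException, ComponentInitializationException {
        final JWTClaimsSet claims =
                new JWTClaimsSet.Builder().audience(List.of(LOOKED_UP_AUDIENCE, EXTRA_AUDIENCE)).build();
        configureAudienceLookup(false);
        configureEndpointReplacement();
        initializeAndValidate(claims);
    }

    /** With extra audience validation on and no trusted additional audiences, a second audience is rejected. */
    @Test(expectedExceptions = JWTValidationException.class)
    public void doRejectedTest_EndpointAsOneAudience_noAdditionalAudience() throws JWTValidationException, ComponentInitializationException {
        final JWTClaimsSet claims =
                new JWTClaimsSet.Builder().audience(List.of(LOOKED_UP_AUDIENCE, EXTRA_AUDIENCE)).build();
        configureAudienceLookup(true);
        configureEndpointReplacement();
        initializeAndValidate(claims);
    }

    /** With extra audience validation on, a second audience is accepted once it is returned as trusted. */
    @Test
    public void doValidTest_EndpointAsOneAudience_withTrustedAdditionalAudience() throws JWTValidationException, ComponentInitializationException {
        final JWTClaimsSet claims =
                new JWTClaimsSet.Builder().audience(List.of(LOOKED_UP_AUDIENCE, EXTRA_AUDIENCE)).build();
        configureAudienceLookup(true);
        configureEndpointReplacement();
        trustExtraAudience();
        initializeAndValidate(claims);
    }

    /** The replaced-endpoint audience as the only {@code aud} value is accepted. */
    @Test
    public void doValidTest_ReplacedEndpointAsOnlyAudience() throws JWTValidationException, ComponentInitializationException {
        final JWTClaimsSet claims = new JWTClaimsSet.Builder().audience(REPLACED_ENDPOINT_AUDIENCE).build();
        configureAudienceLookup(false);
        configureEndpointReplacement();
        initializeAndValidate(claims);
    }

    /** Replaced-endpoint audience plus an unrelated one is accepted while extra audience validation is off. */
    @Test
    public void doValidTest_ReplacedEndpointAsOneAudience_noAdditionalAudience() throws JWTValidationException, ComponentInitializationException {
        final JWTClaimsSet claims =
                new JWTClaimsSet.Builder().audience(List.of(REPLACED_ENDPOINT_AUDIENCE, EXTRA_AUDIENCE)).build();
        configureAudienceLookup(false);
        configureEndpointReplacement();
        initializeAndValidate(claims);
    }

    /** Replaced-endpoint audience plus an untrusted one is rejected while extra audience validation is on. */
    @Test(expectedExceptions = JWTValidationException.class)
    public void doRejectedTest_ReplacedEndpointAsOneAudience_noMandatoryAdditionalAudience() throws JWTValidationException, ComponentInitializationException {
        final JWTClaimsSet claims =
                new JWTClaimsSet.Builder().audience(List.of(REPLACED_ENDPOINT_AUDIENCE, EXTRA_AUDIENCE)).build();
        configureAudienceLookup(true);
        configureEndpointReplacement();
        initializeAndValidate(claims);
    }

    /** Replaced-endpoint audience plus a trusted additional audience is accepted in strict mode. */
    @Test
    public void doValidTest_ReplacedEndpointAsOneAudience_withTrustedAdditionalAudience() throws JWTValidationException, ComponentInitializationException {
        final JWTClaimsSet claims =
                new JWTClaimsSet.Builder().audience(List.of(REPLACED_ENDPOINT_AUDIENCE, EXTRA_AUDIENCE)).build();
        configureAudienceLookup(true);
        configureEndpointReplacement();
        trustExtraAudience();
        initializeAndValidate(claims);
    }

    /** The responder ID as the only {@code aud} value is accepted. */
    @Test
    public void doValidTest_ResponderIdAsOnlyAudience() throws JWTValidationException, ComponentInitializationException {
        final JWTClaimsSet claims = new JWTClaimsSet.Builder().audience(RESPONDER_ID).build();
        configureAudienceLookup(false);
        configureEndpointReplacement();
        configureResponderId();
        initializeAndValidate(claims);
    }

    /** Responder ID plus an unrelated audience is accepted while extra audience validation is off. */
    @Test
    public void doValidTest_ResponderIdAsOneAudience_noAdditionalAudience() throws JWTValidationException, ComponentInitializationException {
        final JWTClaimsSet claims =
                new JWTClaimsSet.Builder().audience(List.of(RESPONDER_ID, EXTRA_AUDIENCE)).build();
        configureAudienceLookup(false);
        configureEndpointReplacement();
        configureResponderId();
        initializeAndValidate(claims);
    }

    /** Responder ID plus an untrusted audience is rejected while extra audience validation is on. */
    @Test(expectedExceptions = JWTValidationException.class)
    public void doRejectedTest_ResponderIdAsOneAudience_noMandatoryAdditionalAudience() throws JWTValidationException, ComponentInitializationException {
        final JWTClaimsSet claims =
                new JWTClaimsSet.Builder().audience(List.of(RESPONDER_ID, EXTRA_AUDIENCE)).build();
        configureAudienceLookup(true);
        configureEndpointReplacement();
        configureResponderId();
        initializeAndValidate(claims);
    }

    /** Responder ID plus a trusted additional audience is accepted in strict mode. */
    @Test
    public void doValidTest_ResponderIdAsOneAudience_withTrustedAdditionalAudience() throws JWTValidationException, ComponentInitializationException {
        final JWTClaimsSet claims =
                new JWTClaimsSet.Builder().audience(List.of(RESPONDER_ID, EXTRA_AUDIENCE)).build();
        configureAudienceLookup(true);
        configureEndpointReplacement();
        trustExtraAudience();
        configureResponderId();
        initializeAndValidate(claims);
    }

    /** Creates the responder ID lookup mock with its generic type restored. */
    @SuppressWarnings("unchecked") // Mockito.mock(Class) can only hand back the raw Function type
    private static Function<ProfileRequestContext, String> newResponderIdLookup() {
        return Mockito.mock(Function.class);
    }

    /** Sets the extra audience validation mode and makes the audience lookup return {@link #LOOKED_UP_AUDIENCE}. */
    private void configureAudienceLookup(final boolean extraAudienceValidation) {
        this.validator.setExtraAudienceValidation(extraAudienceValidation);
        this.validator.setAudienceLookupStrategy((profileRequestContext, claims) -> LOOKED_UP_AUDIENCE);
    }

    /** Configures the two endpoint targets and the endpoint replacement path used by most tests. */
    private void configureEndpointReplacement() {
        this.validator.setEndpointTargets(List.of("/profile/oauth2/one", "/profile/oauth2/two"));
        this.validator.setEndpointReplacement("/profile/oidc/token");
    }

    /** Makes the additional audiences lookup return {@link #EXTRA_AUDIENCE} as the only trusted extra value. */
    private void trustExtraAudience() {
        this.validator.setAdditionalAudiencesLookupStrategy((profileRequestContext, claims) -> Set.of(EXTRA_AUDIENCE));
    }

    /** Stubs the responder ID lookup to return {@link #RESPONDER_ID} and installs it on the validator. */
    private void configureResponderId() {
        Mockito.when(this.responderIdLookup.apply(Mockito.any())).thenReturn(RESPONDER_ID);
        this.validator.setResponderIdLookupStrategy(this.responderIdLookup);
    }

    /** Initializes the configured validator and validates the claims against the inherited request context. */
    private void initializeAndValidate(final JWTClaimsSet claims) throws JWTValidationException, ComponentInitializationException {
        this.validator.initialize();
        this.validator.validate(claims, this.prc);
    }
}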
