package net.shibboleth.oidc.security.impl;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.gen.ECKeyGenerator;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientInformation;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;
import java.security.KeyException;
import java.util.List;
import java.util.function.Function;
import net.shibboleth.oidc.security.credential.BasicJWKCredential;
import net.shibboleth.oidc.security.credential.impl.BasicJOSEObjectCredentialResolver;
import net.shibboleth.oidc.security.impl.support.TestCredentialHelper;
import net.shibboleth.oidc.security.jose.criterion.ClientInformationCriterion;
import net.shibboleth.shared.resolver.CriteriaSet;
import net.shibboleth.shared.resolver.ResolverException;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.CredentialResolver;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.testng.Assert;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;

/* loaded from: input_file:net/shibboleth/oidc/security/impl/ClientInformationJWTTrustEngineTest.class */
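/**
 * Tests for {@link ClientInformationJWTTrustEngine}: checks whether a signed JWT is accepted
 * depending on the signature algorithm the engine is configured to expect.
 *
 * <p>Two configuration inputs are exercised: a lookup function taking the
 * {@link OIDCClientInformation} and returning an algorithm name, and a plain string passed as the
 * last constructor argument (presumably the default expected algorithm, judging by the test names;
 * confirm against the engine). The negative cases matter most from a security point of view: a
 * token signed with an algorithm other than the expected one must be rejected even though the
 * key itself is trusted.</p>
 */
public class ClientInformationJWTTrustEngineTest {

    /**
     * Shared secret used for the HMAC cases (32 ASCII characters). Test fixture only; it must
     * never be reused as a real client secret.
     */
    private static final String CLIENT_SECRET = "Xp2s5v8y/B?E(H+MbQeThWmYq3t6w9z$";

    // Values handed to the JWT factory helpers. Which claims they populate is decided by
    // ExplicitKeySignedJWTTrustEngineTest and is not visible from this class.
    private static final String OP_URI = "https://op.example.com/";
    private static final String RP_URI = "https://rp.example.com";

    /** Engine under test, rebuilt by every setup variant. */
    private ClientInformationJWTTrustEngine engine;

    /**
     * EC key generated before each test. The symmetric tests do not sign with it but still read
     * its key id, so they depend on the {@code @BeforeMethod} run having populated it.
     */
    private ECKey key;

    /**
     * Default fixture: no default algorithm string and a lookup function that always answers
     * {@code RS256}.
     *
     * @throws JOSEException if the EC key cannot be generated
     */
    @BeforeMethod
    public void setup() throws JOSEException {
        setup(null, clientInformation -> "RS256");
    }

    /**
     * Rebuilds the asymmetric fixture with the given string as the last engine argument and a
     * lookup function that always answers {@code RS256}.
     *
     * @param str value passed as the engine's last constructor argument, may be {@code null}
     * @throws JOSEException if the EC key cannot be generated
     */
    public void setup(String str) throws JOSEException {
        setup(str, clientInformation -> "RS256");
    }

    /**
     * Generates a fresh P-256 key with key id {@code 123} and builds an engine whose trusted
     * credential resolver always returns that key's public half.
     *
     * @param str value passed as the engine's last constructor argument, may be {@code null}
     * @param function lookup from client information to an algorithm name
     * @throws JOSEException if the EC key cannot be generated
     */
    public void setup(String str, Function<OIDCClientInformation, String> function) throws JOSEException {
        this.key = new ECKeyGenerator(Curve.P_256).keyID("123").generate();
        this.engine = new ClientInformationJWTTrustEngine(new CredentialResolver() {
            public Credential resolveSingle(CriteriaSet criteriaSet) throws ResolverException {
                BasicJWKCredential trusted = new BasicJWKCredential();
                // NOTE(review): the generator call above sets no algorithm on the key, so this is
                // probably null; confirm that is the intended fixture.
                trusted.setAlgorithm(key.getAlgorithm());
                trusted.setKid(key.getKeyID());
                try {
                    trusted.setPublicKey(key.toPublicKey());
                } catch (JOSEException e) {
                    // Keep the cause so a broken fixture is diagnosable from the test report.
                    Assert.fail("Unable to derive the public key for the trusted credential", e);
                }
                return trusted;
            }

            public Iterable<Credential> resolve(CriteriaSet criteriaSet) throws ResolverException {
                return List.of(resolveSingle(criteriaSet));
            }
        }, new BasicJOSEObjectCredentialResolver(), function, str);
    }

    /**
     * Builds an engine whose trusted credential resolver always returns a signing credential
     * derived from {@link #CLIENT_SECRET}. Does not touch {@link #key}.
     *
     * @param str value passed as the engine's last constructor argument, may be {@code null}
     * @param function lookup from client information to an algorithm name
     */
    public void setupSymmetric(String str, Function<OIDCClientInformation, String> function) {
        this.engine = new ClientInformationJWTTrustEngine(new CredentialResolver() {
            public Credential resolveSingle(CriteriaSet criteriaSet) throws ResolverException {
                try {
                    return TestCredentialHelper.createClientSecretCredential(CLIENT_SECRET).toSigningCredential();
                } catch (KeyException e) {
                    // Keep the cause so a broken fixture is diagnosable from the test report.
                    Assert.fail(e.getMessage(), e);
                    // Not reached: Assert.fail always throws; the compiler still needs a return.
                    return null;
                }
            }

            public Iterable<Credential> resolve(CriteriaSet criteriaSet) throws ResolverException {
                return List.of(resolveSingle(criteriaSet));
            }
        }, new BasicJOSEObjectCredentialResolver(), function, str);
    }

    /** ES256 token, no client information and no default string: expected to validate. */
    @Test
    public void testValid_WithTrustedCredential_NoValueNorDefault() throws JOSEException, SecurityException {
        Assert.assertTrue(this.engine.validate(ExplicitKeySignedJWTTrustEngineTest.createECSignedJWT(this.key, this.key.getKeyID(), JWSAlgorithm.ES256, OP_URI, RP_URI), signingCriteria()));
    }

    /** ES256 token with default string ES256 and no client information: expected to validate. */
    @Test
    public void testValid_WithTrustedCredential_NoValueDefaultMatch() throws JOSEException, SecurityException {
        setup(JWSAlgorithm.ES256.getName());
        Assert.assertTrue(this.engine.validate(ExplicitKeySignedJWTTrustEngineTest.createECSignedJWT(this.key, this.key.getKeyID(), JWSAlgorithm.ES256, OP_URI, RP_URI), signingCriteria()));
    }

    /** ES256 token with default string ES512 and no client information: must be rejected. */
    @Test
    public void testValid_WithTrustedCredential_NoValueDefaultNotMatching() throws JOSEException, SecurityException {
        setup(JWSAlgorithm.ES512.getName());
        Assert.assertFalse(this.engine.validate(ExplicitKeySignedJWTTrustEngineTest.createECSignedJWT(this.key, this.key.getKeyID(), JWSAlgorithm.ES256, OP_URI, RP_URI), signingCriteria()));
    }

    /** ES256 token, client information present and lookup answering ES256: expected to validate. */
    @Test
    public void testValid_WithTrustedCredential_ValueMatch() throws JOSEException, SecurityException {
        setup(null, clientInformation -> "ES256");
        Assert.assertTrue(this.engine.validate(ExplicitKeySignedJWTTrustEngineTest.createECSignedJWT(this.key, this.key.getKeyID(), JWSAlgorithm.ES256, OP_URI, RP_URI), signingCriteriaWithClient()));
    }

    /** ES256 token, client information present and lookup answering ES512: must be rejected. */
    @Test
    public void testValid_WithTrustedCredential_ValueNotMatching() throws JOSEException, SecurityException {
        setup(null, clientInformation -> "ES512");
        Assert.assertFalse(this.engine.validate(ExplicitKeySignedJWTTrustEngineTest.createECSignedJWT(this.key, this.key.getKeyID(), JWSAlgorithm.ES256, OP_URI, RP_URI), signingCriteriaWithClient()));
    }

    /** HS256 token, no client information and no default string: expected to validate. */
    @Test
    public void testValid_WithSymmetricKeyCredential_NoValueNorDefault() throws JOSEException, SecurityException {
        setupSymmetric(null, clientInformation -> "HS256");
        Assert.assertTrue(this.engine.validate(ExplicitKeySignedJWTTrustEngineTest.createMACSignedJWT(CLIENT_SECRET, this.key.getKeyID(), JWSAlgorithm.HS256, OP_URI, RP_URI), signingCriteria()));
    }

    /** HS256 token with default string HS256 and no client information: expected to validate. */
    @Test
    public void testValid_WithSymmetricKeyCredential_NoValueDefaultMatching() throws JOSEException, SecurityException {
        setupSymmetric("HS256", clientInformation -> "HS256");
        Assert.assertTrue(this.engine.validate(ExplicitKeySignedJWTTrustEngineTest.createMACSignedJWT(CLIENT_SECRET, this.key.getKeyID(), JWSAlgorithm.HS256, OP_URI, RP_URI), signingCriteria()));
    }

    /** HS256 token with default string HS512 and no client information: must be rejected. */
    @Test
    public void testValid_WithSymmetricKeyCredential_NoValueDefaultNotMatching() throws JOSEException, SecurityException {
        setupSymmetric("HS512", clientInformation -> "HS512");
        Assert.assertFalse(this.engine.validate(ExplicitKeySignedJWTTrustEngineTest.createMACSignedJWT(CLIENT_SECRET, this.key.getKeyID(), JWSAlgorithm.HS256, OP_URI, RP_URI), signingCriteria()));
    }

    /** HS256 token, client information present and lookup answering HS256: expected to validate. */
    @Test
    public void testValid_WithSymmetricKeyCredential_ValueMatch() throws JOSEException, SecurityException {
        setupSymmetric(null, clientInformation -> "HS256");
        Assert.assertTrue(this.engine.validate(ExplicitKeySignedJWTTrustEngineTest.createMACSignedJWT(CLIENT_SECRET, this.key.getKeyID(), JWSAlgorithm.HS256, OP_URI, RP_URI), signingCriteriaWithClient()));
    }

    /**
     * HS256 token, client information present and lookup answering HS512: must be rejected.
     * The method name keeps its original spelling ("Natching") so existing test selectors and
     * reports continue to match.
     */
    @Test
    public void testValid_WithSymmetricKeyCredential_ValueNotNatching() throws JOSEException, SecurityException {
        setupSymmetric(null, clientInformation -> "HS512");
        Assert.assertFalse(this.engine.validate(ExplicitKeySignedJWTTrustEngineTest.createMACSignedJWT(CLIENT_SECRET, this.key.getKeyID(), JWSAlgorithm.HS256, OP_URI, RP_URI), signingCriteriaWithClient()));
    }

    /**
     * ES256 token built by the inline-JWK helper, default fixture: expected to validate.
     *
     * <p>NOTE(review): the key carried in the token is the same key the trusted resolver
     * returns, so this only covers the accepting path. A companion case in which the embedded
     * key differs from the trusted credential, asserting rejection, would pin down that the
     * engine never trusts a key merely because the token supplies it.</p>
     */
    @Test
    public void testValid_WithInlineJWK() throws JOSEException, SecurityException {
        Assert.assertTrue(this.engine.validate(ExplicitKeySignedJWTTrustEngineTest.createECSignedJWTWithInlineJWK(this.key, this.key.getKeyID(), JWSAlgorithm.ES256, OP_URI, RP_URI), signingCriteria()));
    }

    /**
     * Builds a criterion wrapping client information for client id {@code mockClient} with empty
     * metadata.
     *
     * @return the client information criterion used by the "Value" test cases
     */
    protected static ClientInformationCriterion buildClientInformationCriterion() {
        return new ClientInformationCriterion(new OIDCClientInformation(new ClientID("mockClient"), new OIDCClientMetadata()));
    }

    /** Returns a criteria set holding only the signing usage criterion. */
    private static CriteriaSet signingCriteria() {
        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new UsageCriterion(UsageType.SIGNING));
        return criteria;
    }

    /** Returns a criteria set holding the client information criterion, then the signing usage criterion. */
    private static CriteriaSet signingCriteriaWithClient() {
        CriteriaSet criteria = new CriteriaSet();
        criteria.add(buildClientInformationCriterion());
        criteria.add(new UsageCriterion(UsageType.SIGNING));
        return criteria;
    }
}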
