package org.apache.james.jwt;

import io.jsonwebtoken.CompressionCodecs;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.impl.compression.DefaultCompressionCodecResolver;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Optional;
import org.apache.james.jwt.introspection.IntrospectionEndpoint;
import org.apache.james.jwt.introspection.TokenIntrospectionException;
import org.apache.james.jwt.userinfo.UserInfoCheckException;
import org.assertj.core.api.Assertions;
import org.assertj.core.api.SoftAssertions;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.mockserver.integration.ClientAndServer;
import org.mockserver.model.HttpRequest;
import org.mockserver.model.HttpResponse;
import reactor.core.publisher.Mono;

/* loaded from: input_file:org/apache/james/jwt/OidcJwtTokenVerifierTest.class */
class OidcJwtTokenVerifierTest {
    private static final String JWKS_URI_PATH = "/auth/realms/realm1/protocol/openid-connect/certs";
    private static final String USERINFO_PATH = "/auth/realms/oidc/protocol/openid-connect/userinfo";
    private static final String INTROSPECTION_PATH = "/auth/realms/oidc/protocol/openid-connect/token/introspect";
    ClientAndServer mockServer;

    OidcJwtTokenVerifierTest() {
    }

    @BeforeEach
    public void setUp() {
        this.mockServer = ClientAndServer.startClientAndServer(new Integer[]{0});
        this.mockServer.when(HttpRequest.request().withPath(JWKS_URI_PATH)).respond(HttpResponse.response().withStatusCode(200).withHeader("Content-Type", new String[]{"application/json"}).withBody(OidcTokenFixture.JWKS_RESPONSE, StandardCharsets.UTF_8));
    }

    @AfterEach
    public void afterEach() {
        if (this.mockServer != null) {
            this.mockServer.close();
        }
    }

    @Test
    void verifyAndClaimShouldReturnClaimValueWhenValidTokenHasKid() {
        Optional verifySignatureAndExtractClaim = OidcJwtTokenVerifier.verifySignatureAndExtractClaim(OidcTokenFixture.VALID_TOKEN, getJwksURL(), OidcTokenFixture.CLAIM);
        SoftAssertions.assertSoftly(softAssertions -> {
            softAssertions.assertThat(verifySignatureAndExtractClaim.isPresent()).isTrue();
            softAssertions.assertThat((String) verifySignatureAndExtractClaim.get()).isEqualTo("user@domain.org");
        });
    }

    @Test
    void verifyAndClaimShouldReturnClaimValueWhenValidTokenHasNotKid() {
        Optional verifySignatureAndExtractClaim = OidcJwtTokenVerifier.verifySignatureAndExtractClaim(OidcTokenFixture.VALID_TOKEN_HAS_NOT_KID, getJwksURL(), OidcTokenFixture.CLAIM);
        SoftAssertions.assertSoftly(softAssertions -> {
            softAssertions.assertThat(verifySignatureAndExtractClaim.isPresent()).isTrue();
            softAssertions.assertThat((String) verifySignatureAndExtractClaim.get()).isEqualTo("user@domain.org");
        });
    }

    @Test
    void shouldRejectZippedJWTByDefault() {
        String compact = Jwts.builder().claim("kid", "a".repeat(100)).compressWith(CompressionCodecs.DEFLATE).signWith(SignatureAlgorithm.HS256, OidcTokenFixture.PRIVATE_KEY_BASE64.replace("\n", "")).compact();
        Assertions.assertThatThrownBy(() -> {
            OidcJwtTokenVerifier.verifySignatureAndExtractClaim(compact, getJwksURL(), "kid");
        }).isInstanceOf(RuntimeException.class).hasMessageContaining("Rejecting a ZIP JWT");
    }

    @Test
    void shouldAcceptZippedJWTWhenConfigured() {
        String compact = Jwts.builder().claim("kid", "a".repeat(100)).compressWith(CompressionCodecs.DEFLATE).signWith(SignatureAlgorithm.HS256, OidcTokenFixture.PRIVATE_KEY_BASE64.replace("\n", "")).compact();
        JwtTokenVerifier.CONFIGURED_COMPRESSION_CODEC_RESOLVER = new DefaultCompressionCodecResolver();
        Assertions.assertThatCode(() -> {
            OidcJwtTokenVerifier.verifySignatureAndExtractClaim(compact, getJwksURL(), "kid");
        }).doesNotThrowAnyException();
    }

    @Test
    void verifyAndClaimShouldReturnEmptyWhenValidTokenHasNotFoundKid() {
        Assertions.assertThat(OidcJwtTokenVerifier.verifySignatureAndExtractClaim(OidcTokenFixture.VALID_TOKEN_HAS_NOT_FOUND_KID, getJwksURL(), OidcTokenFixture.CLAIM)).isEmpty();
    }

    @Test
    void verifyAndClaimShouldReturnEmptyWhenClaimNameNotFound() {
        Assertions.assertThat(OidcJwtTokenVerifier.verifySignatureAndExtractClaim(OidcTokenFixture.VALID_TOKEN, getJwksURL(), "not_found")).isEmpty();
    }

    @Test
    void verifyAndClaimShouldReturnEmptyWhenInvalidToken() {
        Assertions.assertThat(OidcJwtTokenVerifier.verifySignatureAndExtractClaim(OidcTokenFixture.INVALID_TOKEN, getJwksURL(), OidcTokenFixture.CLAIM)).isEmpty();
    }

    @Test
    void verifyWithUserinfoShouldFailWhenUserInfoEndpointNotReturnOKHttpStatus() {
        this.mockServer.when(HttpRequest.request().withPath(USERINFO_PATH)).respond(HttpResponse.response().withStatusCode(201));
        Assertions.assertThatThrownBy(() -> {
            Mono.from(OidcJwtTokenVerifier.verifyWithUserinfo(OidcTokenFixture.VALID_TOKEN, getJwksURL(), OidcTokenFixture.CLAIM, getUserInfoEndpoint())).block();
        }).isInstanceOf(UserInfoCheckException.class).hasMessageContaining("Error when check token by userInfo");
    }

    @Test
    void verifyWithUserinfoShouldFailWhenUserInfoEndpointReturnBadResponse() {
        this.mockServer.when(HttpRequest.request().withPath(USERINFO_PATH)).respond(HttpResponse.response().withStatusCode(200).withHeader("Content-Type", new String[]{"application/json"}).withBody("badResponse1", StandardCharsets.UTF_8));
        Assertions.assertThatThrownBy(() -> {
            Mono.from(OidcJwtTokenVerifier.verifyWithUserinfo(OidcTokenFixture.VALID_TOKEN, getJwksURL(), OidcTokenFixture.CLAIM, getUserInfoEndpoint())).block();
        }).isInstanceOf(UserInfoCheckException.class).hasMessageContaining("Error when check token by userInfo");
    }

    @Test
    void verifyWithUserinfoShouldReturnEmptyWhenClaimValueIsEmpty() {
        this.mockServer.when(HttpRequest.request().withPath(USERINFO_PATH)).respond(HttpResponse.response().withStatusCode(200).withHeader("Content-Type", new String[]{"application/json"}).withBody("{    \"sub\": \"a0d03864-12f7-4f0b-b732-699c27eff3e7\",    \"email_verified\": false,    \"name\": \"User name 1\",    \"email\": \"user1@example.com\"}", StandardCharsets.UTF_8));
        Assertions.assertThat((String) Mono.from(OidcJwtTokenVerifier.verifyWithUserinfo(OidcTokenFixture.VALID_TOKEN, getJwksURL(), "preferred_username", getUserInfoEndpoint())).block()).isNull();
    }

    @Test
    void verifyWithUserinfoShouldReturnClaimValueWhenPassCheckToken() {
        this.mockServer.when(HttpRequest.request().withPath(USERINFO_PATH)).respond(HttpResponse.response().withStatusCode(200).withHeader("Content-Type", new String[]{"application/json"}).withBody(OidcTokenFixture.USERINFO_RESPONSE, StandardCharsets.UTF_8));
        Assertions.assertThat((String) Mono.from(OidcJwtTokenVerifier.verifyWithUserinfo(OidcTokenFixture.VALID_TOKEN, getJwksURL(), OidcTokenFixture.CLAIM, getUserInfoEndpoint())).block()).isEqualTo("user@domain.org");
    }

    @Test
    void verifyWithUserinfoShouldReturnEmptyWhenINVALIDToken() {
        this.mockServer.when(HttpRequest.request().withPath(USERINFO_PATH)).respond(HttpResponse.response().withStatusCode(200).withHeader("Content-Type", new String[]{"application/json"}).withBody(OidcTokenFixture.USERINFO_RESPONSE, StandardCharsets.UTF_8));
        Assertions.assertThat((String) Mono.from(OidcJwtTokenVerifier.verifyWithUserinfo(OidcTokenFixture.INVALID_TOKEN, getJwksURL(), OidcTokenFixture.CLAIM, getUserInfoEndpoint())).block()).isNull();
    }

    @Test
    void verifyWithUserinfoShouldReturnEmptyWhenClaimValueIsNotMatch() {
        this.mockServer.when(HttpRequest.request().withPath(USERINFO_PATH)).respond(HttpResponse.response().withStatusCode(200).withHeader("Content-Type", new String[]{"application/json"}).withBody("{    \"sub\": \"a0d03864-12f7-4f0b-b732-699c27eff3e7\",    \"email_verified\": false,    \"name\": \"User name 1\",    \"preferred_username\": \"different1\",    \"email\": \"user1@example.com\"}", StandardCharsets.UTF_8));
        Assertions.assertThat((String) Mono.from(OidcJwtTokenVerifier.verifyWithUserinfo(OidcTokenFixture.INVALID_TOKEN, getJwksURL(), "preferred_username", getUserInfoEndpoint())).block()).isNull();
    }

    @Test
    void verifyWithIntrospectionShouldFailWhenEndpointNotReturnOKHttpStatus() {
        this.mockServer.when(HttpRequest.request().withPath(INTROSPECTION_PATH)).respond(HttpResponse.response().withStatusCode(201));
        Assertions.assertThatThrownBy(() -> {
            Mono.from(OidcJwtTokenVerifier.verifyWithIntrospection(OidcTokenFixture.VALID_TOKEN, getJwksURL(), OidcTokenFixture.CLAIM, new IntrospectionEndpoint(getIntrospectionEndpoint(), Optional.empty()))).block();
        }).isInstanceOf(TokenIntrospectionException.class).hasMessageContaining("Error when introspecting token");
    }

    @Test
    void verifyWithIntrospectionShouldFailWhenEndpointReturnBadResponse() {
        this.mockServer.when(HttpRequest.request().withPath(INTROSPECTION_PATH)).respond(HttpResponse.response().withStatusCode(200).withHeader("Content-Type", new String[]{"application/json"}).withBody("badResponse1", StandardCharsets.UTF_8));
        Assertions.assertThatThrownBy(() -> {
            Mono.from(OidcJwtTokenVerifier.verifyWithIntrospection(OidcTokenFixture.VALID_TOKEN, getJwksURL(), OidcTokenFixture.CLAIM, new IntrospectionEndpoint(getIntrospectionEndpoint(), Optional.empty()))).block();
        }).isInstanceOf(TokenIntrospectionException.class).hasMessageContaining("Error when introspecting token");
    }

    @Test
    void verifyWithIntrospectionInfoShouldFailWhenActivePropertyIsAbsent() {
        this.mockServer.when(HttpRequest.request().withPath(INTROSPECTION_PATH)).respond(HttpResponse.response().withStatusCode(200).withHeader("Content-Type", new String[]{"application/json"}).withBody("{    \"exp\": 1669719841,    \"iat\": 1669719541,    \"aud\": \"account\",    \"sub\": \"a0d03864-12f7-4f0b-b732-699c27eff3e7\",    \"typ\": \"Bearer\",    \"session_state\": \"42799d76-be33-4f24-bcec-fc0dbb5d126d\",    \"preferred_username\": \"user1\",    \"email\": \"user1@example.com\",    \"scope\": \"profile email\",    \"sid\": \"42799d76-be33-4f24-bcec-fc0dbb5d126d\",    \"client_id\": \"james-thunderbird\",    \"username\": \"user1\"}", StandardCharsets.UTF_8));
        Assertions.assertThatThrownBy(() -> {
            Mono.from(OidcJwtTokenVerifier.verifyWithIntrospection(OidcTokenFixture.VALID_TOKEN, getJwksURL(), OidcTokenFixture.CLAIM, new IntrospectionEndpoint(getIntrospectionEndpoint(), Optional.empty()))).block();
        }).isInstanceOf(TokenIntrospectionException.class).hasMessageContaining("Error when introspecting token");
    }

    @Test
    void verifyWithIntrospectionInfoShouldFailWhenActiveIsFalse() {
        this.mockServer.when(HttpRequest.request().withPath(INTROSPECTION_PATH)).respond(HttpResponse.response().withStatusCode(200).withHeader("Content-Type", new String[]{"application/json"}).withBody("{    \"exp\": 1669719841,    \"iat\": 1669719541,    \"aud\": \"account\",    \"sub\": \"a0d03864-12f7-4f0b-b732-699c27eff3e7\",    \"typ\": \"Bearer\",    \"session_state\": \"42799d76-be33-4f24-bcec-fc0dbb5d126d\",    \"preferred_username\": \"user1\",    \"email\": \"user1@example.com\",    \"scope\": \"profile email\",    \"sid\": \"42799d76-be33-4f24-bcec-fc0dbb5d126d\",    \"client_id\": \"james-thunderbird\",    \"username\": \"user1\",    \"active\": false,}", StandardCharsets.UTF_8));
        Assertions.assertThatThrownBy(() -> {
            Mono.from(OidcJwtTokenVerifier.verifyWithIntrospection(OidcTokenFixture.VALID_TOKEN, getJwksURL(), OidcTokenFixture.CLAIM, new IntrospectionEndpoint(getIntrospectionEndpoint(), Optional.empty()))).block();
        }).isInstanceOf(TokenIntrospectionException.class).hasMessageContaining("Error when introspecting token");
    }

    @Test
    void verifyWithIntrospectionShouldReturnClaimValueWhenPassCheckToken() {
        this.mockServer.when(HttpRequest.request().withPath(INTROSPECTION_PATH)).respond(HttpResponse.response().withStatusCode(200).withHeader("Content-Type", new String[]{"application/json"}).withBody(OidcTokenFixture.INTROSPECTION_RESPONSE, StandardCharsets.UTF_8));
        Assertions.assertThat((String) Mono.from(OidcJwtTokenVerifier.verifyWithIntrospection(OidcTokenFixture.VALID_TOKEN, getJwksURL(), OidcTokenFixture.CLAIM, new IntrospectionEndpoint(getIntrospectionEndpoint(), Optional.empty()))).block()).isEqualTo("user@domain.org");
    }

    @Test
    void verifyWithIntrospectionShouldReturnEmptyWhenClaimValueIsNotMatch() {
        this.mockServer.when(HttpRequest.request().withPath(INTROSPECTION_PATH)).respond(HttpResponse.response().withStatusCode(200).withHeader("Content-Type", new String[]{"application/json"}).withBody("{    \"exp\": 1669719841,    \"iat\": 1669719541,    \"aud\": \"account\",    \"sub\": \"a0d03864-12f7-4f0b-b732-699c27eff3e7\",    \"preferred_username\": \"difference1\",    \"active\": true}", StandardCharsets.UTF_8));
        Assertions.assertThat((String) Mono.from(OidcJwtTokenVerifier.verifyWithIntrospection(OidcTokenFixture.VALID_TOKEN, getJwksURL(), "preferred_username", new IntrospectionEndpoint(getIntrospectionEndpoint(), Optional.empty()))).block()).isNull();
    }

    @Test
    void verifyWithIntrospectionShouldReturnEmptyWhenClaimValueIsAbsent() {
        this.mockServer.when(HttpRequest.request().withPath(INTROSPECTION_PATH)).respond(HttpResponse.response().withStatusCode(200).withHeader("Content-Type", new String[]{"application/json"}).withBody("{    \"exp\": 1669719841,    \"iat\": 1669719541,    \"aud\": \"account\",    \"sub\": \"a0d03864-12f7-4f0b-b732-699c27eff3e7\",    \"typ\": \"Bearer\",    \"active\": true}", StandardCharsets.UTF_8));
        Assertions.assertThat((String) Mono.from(OidcJwtTokenVerifier.verifyWithIntrospection(OidcTokenFixture.VALID_TOKEN, getJwksURL(), "preferred_username", new IntrospectionEndpoint(getIntrospectionEndpoint(), Optional.empty()))).block()).isNull();
    }

    @Test
    void verifyWithIntrospectionShouldReturnEmptyWhenINVALIDToken() {
        this.mockServer.when(HttpRequest.request().withPath(INTROSPECTION_PATH)).respond(HttpResponse.response().withStatusCode(200).withHeader("Content-Type", new String[]{"application/json"}).withBody(OidcTokenFixture.INTROSPECTION_RESPONSE, StandardCharsets.UTF_8));
        Assertions.assertThat((String) Mono.from(OidcJwtTokenVerifier.verifyWithIntrospection(OidcTokenFixture.INVALID_TOKEN, getJwksURL(), OidcTokenFixture.CLAIM, new IntrospectionEndpoint(getIntrospectionEndpoint(), Optional.empty()))).block()).isNull();
    }

    private URL getJwksURL() {
        try {
            return new URI(String.format("http://127.0.0.1:%s%s", this.mockServer.getLocalPort(), JWKS_URI_PATH)).toURL();
        } catch (MalformedURLException | URISyntaxException e) {
            throw new RuntimeException(e);
        }
    }

    private URL getUserInfoEndpoint() {
        try {
            return new URI(String.format("http://127.0.0.1:%s%s", this.mockServer.getLocalPort(), USERINFO_PATH)).toURL();
        } catch (MalformedURLException | URISyntaxException e) {
            throw new RuntimeException(e);
        }
    }

    private URL getIntrospectionEndpoint() {
        try {
            return new URI(String.format("http://127.0.0.1:%s%s", this.mockServer.getLocalPort(), INTROSPECTION_PATH)).toURL();
        } catch (MalformedURLException | URISyntaxException e) {
            throw new RuntimeException(e);
        }
    }
}
