package org.alfresco.repo.security.authentication.identityservice;

import java.util.Collection;
import java.util.List;
import java.util.UUID;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacadeFactoryBean;
import org.assertj.core.api.Assertions;
import org.junit.Test;
import org.mockito.Mockito;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.web.client.RestOperations;

/* loaded from: input_file:org/alfresco/repo/security/authentication/identityservice/IdentityServiceFacadeFactoryBeanTest.class */
/**
 * Unit tests for the JWT handling pieces nested in {@link IdentityServiceFacadeFactoryBean}:
 * the decoder built from a locally configured realm public key, and the issuer and audience
 * claim validators.
 *
 * <p>Coverage note for reviewers: every decoder test in this class is a positive one. As shown
 * here there is no case for a token with a tampered signature, a token signed by a different
 * key, an expired token, or a decoder created with client-id validation left enabled. Those
 * rejection paths are what protect the resource server and need their own tests.
 */
public class IdentityServiceFacadeFactoryBeanTest {
    private static final String EXPECTED_ISSUER = "expected-issuer";
    private static final String EXPECTED_AUDIENCE = "expected-audience";

    /** Issuer URI reported by the mocked provider details; equals the {@code iss} claim of {@link #SIGNED_TOKEN}. */
    private static final String PROVIDER_ISSUER_URI = "https://my.issuer";

    /** Base64 X.509 RSA public key returned by the mocked config as the realm key (test fixture, public half only). */
    private static final String REALM_PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAve3MabX/rp3LbE7/zNqKxuid8WT7y4qSXsNaiPvl/OVbNWW/cu5td1VndItYhH6/gL7Z5W/r4MOeTlz/fOdXfjrRJou2f3UiPQwLV9RdOH3oS4/BUe+sviD8Q3eRfWBWWz3yw8f2YNtD4bMztIMMjqthvwdEEb9S9jbxxD0o71Bsrz/FwPi7HhSDA+Z/p01Hct8m4wx13ZlKRd4YjyC12FBmi9MSgsrFuWzyQHhHTeBDoALpfuiut3rhVxUtFmVTpy6p9vil7C5J5pok4MXPH0dJCyDNQz05ww5+fD+tfksIEpFeokRpN226F+P21oQVFUWwYIaXaFlG/hfvwmnlfQIDAQAB";

    /**
     * Compact JWS used as the decoder input. Its header decodes to {@code {"alg":"RS256"}} and its
     * payload carries {@code exp=2147483647}, {@code jti}, {@code iss=https://my.issuer},
     * {@code sub}, {@code typ=Bearer} and {@code preferred_username=piotrek}; there is no
     * {@code aud} claim.
     *
     * <p>NOTE(review): {@code exp} is the largest signed 32-bit epoch second (January 2038), so
     * this fixture stops decoding once that instant passes if the decoder enforces expiry.
     */
    private static final String SIGNED_TOKEN = "eyJhbGciOiJSUzI1NiJ9.eyJleHAiOjIxNDc0ODM2NDcsImp0aSI6IjEyMzQiLCJpc3MiOiJodHRwczovL215Lmlzc3VlciIsInN1YiI6ImFiYzEyMyIsInR5cCI6IkJlYXJlciIsInByZWZlcnJlZF91c2VybmFtZSI6InBpb3RyZWsifQ.k_KaOrLLh3QsT8mKphkcz2vKpulgxp92UoEDccpHJ1mxE3Pa3gFXPKTj4goUBKXieGPZRMvBDhfWNxMvRYZPiQr2NXJKapkh0bTd0qoaSWz9ICe9Nu3eg7_VA_nwUVPz_35wwmrxgVk0_kpUYQN_VtaO7ZgFE2sJzFjbkVls5aqfAMnEjEgQl837hqZvmlW2ZRWebtxXfQxAjtp0gcTg-xtAHKIINYo_1_uAtt_H9L8KqFaioxrVAEDDIlcKnb-Ks3Y62CrZauaGUJeN_aNj2gdOpdkhvCw79yJyZSGZ7okjGbidCNSAf7Bo2Y6h3dP1Gga7kRmD648ftZESrNvbyg";

    /**
     * A decoder built from the configured realm key, with no {@code RestOperations} supplied,
     * must decode a token and expose its claims.
     */
    @Test
    public void shouldCreateJwtDecoderWithoutIDSWhenPublicKeyIsProvided() {
        IdentityServiceConfig config = Mockito.mock(IdentityServiceConfig.class);
        Mockito.when(config.getRealmKey()).thenReturn(REALM_PUBLIC_KEY);
        // Client-id validation is switched off for this case; the fixture token has no "aud"
        // claim, so presumably it would be rejected otherwise - confirm against the decoder.
        Mockito.when(config.isClientIdValidationDisabled()).thenReturn(true);

        ClientRegistration.ProviderDetails provider = Mockito.mock(ClientRegistration.ProviderDetails.class);
        Mockito.when(provider.getIssuerUri()).thenReturn(PROVIDER_ISSUER_URI);

        // No REST client is handed over: the test name states the decoder must work without IDS.
        RestOperations noRestOperations = null;
        IdentityServiceFacadeFactoryBean.JwtDecoderProvider decoderProvider =
                new IdentityServiceFacadeFactoryBean.JwtDecoderProvider(config);
        Jwt jwt = decoderProvider.createJwtDecoder(noRestOperations, provider).decode(SIGNED_TOKEN);

        Assertions.assertThat(jwt).isNotNull();
        Assertions.assertThat(jwt.getClaims()).isNotNull().isNotEmpty().containsEntry("preferred_username", "piotrek");
    }

    /** A token whose issuer differs from the expected one yields one error naming both values. */
    @Test
    public void shouldFailWithNotMatchingIssuerURIs() {
        IdentityServiceFacadeFactoryBean.JwtIssuerValidator validator =
                new IdentityServiceFacadeFactoryBean.JwtIssuerValidator(EXPECTED_ISSUER);

        OAuth2Error error = assertSingleError(validator.validate(tokenWithIssuer("different-issuer")));

        Assertions.assertThat(error.getDescription()).contains(EXPECTED_ISSUER, "different-issuer");
    }

    /** A token without an issuer yields one error whose description mentions "null". */
    @Test
    public void shouldFailWithNullIssuerURI() {
        IdentityServiceFacadeFactoryBean.JwtIssuerValidator validator =
                new IdentityServiceFacadeFactoryBean.JwtIssuerValidator(EXPECTED_ISSUER);

        OAuth2Error error = assertSingleError(validator.validate(tokenWithIssuer(null)));

        Assertions.assertThat(error.getDescription()).contains(EXPECTED_ISSUER, "null");
    }

    /** A token carrying exactly the expected issuer passes validation with no errors. */
    @Test
    public void shouldSucceedWithMatchingIssuerURI() {
        IdentityServiceFacadeFactoryBean.JwtIssuerValidator validator =
                new IdentityServiceFacadeFactoryBean.JwtIssuerValidator(EXPECTED_ISSUER);

        assertNoErrors(validator.validate(tokenWithIssuer(EXPECTED_ISSUER)));
    }

    /** An audience list that lacks the expected audience yields one error naming it. */
    @Test
    public void shouldFailWithNotMatchingAudienceList() {
        IdentityServiceFacadeFactoryBean.JwtAudienceValidator validator =
                new IdentityServiceFacadeFactoryBean.JwtAudienceValidator(EXPECTED_AUDIENCE);

        OAuth2Error error = assertSingleError(validator.validate(tokenWithAudience(List.of("different-audience"))));

        Assertions.assertThat(error.getDescription()).contains(EXPECTED_AUDIENCE);
    }

    /** A token built with a null audience collection yields one error naming the expected audience. */
    @Test
    public void shouldFailWithNullAudience() {
        IdentityServiceFacadeFactoryBean.JwtAudienceValidator validator =
                new IdentityServiceFacadeFactoryBean.JwtAudienceValidator(EXPECTED_AUDIENCE);

        OAuth2Error error = assertSingleError(validator.validate(tokenWithAudience(null)));

        Assertions.assertThat(error.getDescription()).contains(EXPECTED_AUDIENCE);
    }

    /** An audience list containing the expected audience passes validation with no errors. */
    @Test
    public void shouldSucceedWithMatchingAudienceList() {
        IdentityServiceFacadeFactoryBean.JwtAudienceValidator validator =
                new IdentityServiceFacadeFactoryBean.JwtAudienceValidator(EXPECTED_AUDIENCE);

        assertNoErrors(validator.validate(tokenWithAudience(List.of(EXPECTED_AUDIENCE))));
    }

    /** An {@code aud} claim given as a single string, not a list, is accepted when it matches. */
    @Test
    public void shouldSucceedWithMatchingSingleAudience() {
        IdentityServiceFacadeFactoryBean.JwtAudienceValidator validator =
                new IdentityServiceFacadeFactoryBean.JwtAudienceValidator(EXPECTED_AUDIENCE);
        // Set "aud" through the raw claim API so the value stays a plain String.
        Jwt singleAudienceToken = Jwt.withTokenValue(UUID.randomUUID().toString())
                .claim("aud", EXPECTED_AUDIENCE)
                .header("JUST", "FOR TESTING")
                .build();

        assertNoErrors(validator.validate(singleAudienceToken));
    }

    /**
     * Asserts that a validation result reports exactly one error and hands that error back.
     *
     * @param result the validator outcome under test
     * @return the single, non-null error held by {@code result}
     */
    private static OAuth2Error assertSingleError(OAuth2TokenValidatorResult result) {
        Assertions.assertThat(result).isNotNull();
        Assertions.assertThat(result.hasErrors()).isTrue();
        Assertions.assertThat(result.getErrors()).hasSize(1);
        OAuth2Error onlyError = result.getErrors().iterator().next();
        Assertions.assertThat(onlyError).isNotNull();
        return onlyError;
    }

    /**
     * Asserts that a validation result is present and reports no errors.
     *
     * @param result the validator outcome under test
     */
    private static void assertNoErrors(OAuth2TokenValidatorResult result) {
        Assertions.assertThat(result).isNotNull();
        Assertions.assertThat(result.hasErrors()).isFalse();
        Assertions.assertThat(result.getErrors()).isEmpty();
    }

    /**
     * Builds an unsigned in-memory token with the given issuer, a random token value and a dummy
     * header. The validators under test receive the {@link Jwt} object directly, so no signature
     * is involved.
     *
     * @param issuer value for the {@code iss} claim; may be {@code null}
     * @return the token
     */
    private Jwt tokenWithIssuer(String issuer) {
        String tokenValue = UUID.randomUUID().toString();
        return Jwt.withTokenValue(tokenValue)
                .issuer(issuer)
                .header("JUST", "FOR TESTING")
                .build();
    }

    /**
     * Builds an unsigned in-memory token with the given audiences, a random token value and a
     * dummy header.
     *
     * @param audiences values for the {@code aud} claim; may be {@code null}
     * @return the token
     */
    private Jwt tokenWithAudience(Collection<String> audiences) {
        String tokenValue = UUID.randomUUID().toString();
        return Jwt.withTokenValue(tokenValue)
                .audience(audiences)
                .header("JUST", "FOR TESTING")
                .build();
    }
}
