package no.nav.brukerdialog.security.oidc;

import java.beans.ConstructorProperties;
import java.security.Key;
import java.util.Objects;
import java.util.Optional;
import java.util.UUID;
import javax.servlet.http.HttpServletRequest;
import no.nav.brukerdialog.security.domain.IdentType;
import no.nav.brukerdialog.security.domain.OidcCredential;
import no.nav.brukerdialog.security.jwks.CacheMissAction;
import no.nav.brukerdialog.security.jwks.JwtHeader;
import no.nav.brukerdialog.security.oidc.provider.OidcProvider;
import no.nav.json.JsonUtils;
import org.assertj.core.api.Assertions;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwk.RsaJwkGenerator;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:no/nav/brukerdialog/security/oidc/OidcTokenValidatorTest.class */
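/**
 * Unit tests for {@link OidcTokenValidator}, covering the audience, issuer and
 * algorithm checks applied to a compact-serialised JWT.
 *
 * <p>Every token is minted in-process with one freshly generated RSA key, and the stub
 * {@link OidcProvider} always hands that key's public half to the validator.
 *
 * <p>NOTE(review): the cases here do not cover a token signed with a different key, a
 * token whose payload was altered after signing, an expired token, or key selection by
 * the {@code kid} header (the stub ignores the header). Those paths need their own tests
 * before this suite can be read as evidence that signature verification works.
 */
public class OidcTokenValidatorTest {
    private static final String VALID_AUDIENCE = "valid audience";
    private static final String VALID_ISSUER = "valid issuer";
    // Generated once per class load; the private half never leaves this test.
    private static final RsaJsonWebKey RSA_JSON_WEB_KEY = createKey();
    private TestToken tokenWithValidAudience;
    private TestToken tokenWithInvalidAudience;
    private TestToken tokenWithoutAudience;
    private TestToken tokenWithInvalidIssuer;
    private TestToken tokenWithoutAlgorithm;
    private final OidcTokenValidator oidcTokenValidator = new OidcTokenValidator();

    /**
     * Immutable fixture holding a compact-serialised token together with the issuer it
     * was minted for and the key pair it was created with.
     */
    public static final class TestToken {
        public final String token;
        public final String issuer;
        public final RsaJsonWebKey key;

        /** Fluent builder for {@link TestToken}; unset fields stay {@code null}. */
        public static class TestTokenBuilder {
            private String token;
            private String issuer;
            private RsaJsonWebKey key;

            TestTokenBuilder() {
            }

            public TestTokenBuilder token(String token) {
                this.token = token;
                return this;
            }

            public TestTokenBuilder issuer(String issuer) {
                this.issuer = issuer;
                return this;
            }

            public TestTokenBuilder key(RsaJsonWebKey key) {
                this.key = key;
                return this;
            }

            public TestToken build() {
                return new TestToken(this.token, this.issuer, this.key);
            }

            @Override
            public String toString() {
                return "OidcTokenValidatorTest.TestToken.TestTokenBuilder(token=" + this.token
                        + ", issuer=" + this.issuer + ", key=" + this.key + ")";
            }
        }

        @ConstructorProperties({"token", "issuer", "key"})
        TestToken(String token, String issuer, RsaJsonWebKey key) {
            this.token = token;
            this.issuer = issuer;
            this.key = key;
        }

        public static TestTokenBuilder builder() {
            return new TestTokenBuilder();
        }

        public String getToken() {
            return this.token;
        }

        public String getIssuer() {
            return this.issuer;
        }

        public RsaJsonWebKey getKey() {
            return this.key;
        }

        /** Two fixtures are equal when token, issuer and key are all equal (null-safe). */
        @Override
        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (!(obj instanceof TestToken)) {
                return false;
            }
            TestToken other = (TestToken) obj;
            return Objects.equals(getToken(), other.getToken())
                    && Objects.equals(getIssuer(), other.getIssuer())
                    && Objects.equals(getKey(), other.getKey());
        }

        /** Hash over token, issuer and key; multiplier 59 and null value 43 as in the original. */
        @Override
        public int hashCode() {
            int result = 1;
            result = result * 59 + (getToken() == null ? 43 : getToken().hashCode());
            result = result * 59 + (getIssuer() == null ? 43 : getIssuer().hashCode());
            result = result * 59 + (getKey() == null ? 43 : getKey().hashCode());
            return result;
        }

        @Override
        public String toString() {
            return "OidcTokenValidatorTest.TestToken(token=" + getToken() + ", issuer=" + getIssuer()
                    + ", key=" + getKey() + ")";
        }
    }

    /** Mints one token per scenario; each differs from the valid one in a single property. */
    @Before
    public void setup() {
        this.tokenWithValidAudience = generate(VALID_AUDIENCE, VALID_ISSUER, "RS256");
        this.tokenWithInvalidAudience = generate("invalid audience", VALID_ISSUER, "RS256");
        this.tokenWithoutAudience = generate(null, VALID_ISSUER, "RS256");
        this.tokenWithInvalidIssuer = generate(VALID_AUDIENCE, "invalid issuer", "RS256");
        // Unsigned token: header algorithm "none", no signing key attached.
        this.tokenWithoutAlgorithm = generate(VALID_AUDIENCE, VALID_ISSUER, "none");
    }

    @Test
    public void validate__valid_audience_and_issuer__valid() {
        Assertions.assertThat(validate(this.tokenWithValidAudience, provider(VALID_AUDIENCE))).satisfies(this::isValid);
    }

    @Test
    public void validate__invalid_audience__invalid() {
        isRejected(validate(this.tokenWithInvalidAudience, provider(VALID_AUDIENCE)), "aud");
    }

    @Test
    public void validate__no_audience__invalid() {
        isRejected(validate(this.tokenWithoutAudience, provider(VALID_AUDIENCE)), "aud");
    }

    /**
     * Pins the behaviour when the provider reports no expected audience: the audience
     * check is skipped and tokens with any audience, or none, are accepted. A provider
     * configured this way therefore also accepts tokens that the same issuer minted for
     * other clients, so the audience restriction holds only when an expected audience is set.
     */
    @Test
    public void validate__audience_not_expected__any_audience_valid() {
        Assertions.assertThat(validate(this.tokenWithValidAudience, provider(null))).satisfies(this::isValid);
        Assertions.assertThat(validate(this.tokenWithInvalidAudience, provider(null))).satisfies(this::isValid);
        Assertions.assertThat(validate(this.tokenWithoutAudience, provider(null))).satisfies(this::isValid);
    }

    @Test
    public void validate__invalid_issuer__invalid() {
        isRejected(validate(this.tokenWithInvalidIssuer, provider(VALID_AUDIENCE)), "iss");
    }

    /** An unsigned token (header algorithm "none") must never be accepted. */
    @Test
    public void validate__no_algorithm__invalid() {
        isRejected(validate(this.tokenWithoutAlgorithm, provider(VALID_AUDIENCE)), "algorithm");
    }

    private OidcTokenValidatorResult validate(TestToken testToken, OidcProvider oidcProvider) {
        return this.oidcTokenValidator.validate(testToken.token, oidcProvider);
    }

    /** Asserts the result is valid, attaching the serialised result to any failure. */
    private void isValid(OidcTokenValidatorResult result) {
        // The JSON is passed as a format argument so a '%' inside it is not read as a format specifier.
        Assertions.assertThat(result.isValid()).describedAs("%s", JsonUtils.toJson(result)).isTrue();
    }

    /**
     * Asserts the result is flagged invalid and that its error message mentions the
     * expected fragment. Checking the flag as well as the message keeps a result that
     * carries an error text but still reports itself valid from passing.
     */
    private void isRejected(OidcTokenValidatorResult result, String expectedFragment) {
        Assertions.assertThat(result.isValid()).describedAs("%s", result.getErrorMessage()).isFalse();
        Assertions.assertThat(result.getErrorMessage()).contains(expectedFragment);
    }

    /**
     * Builds a stub provider that expects {@link #VALID_ISSUER} and the given audience.
     *
     * @param expectedAudience audience the validator should require, or {@code null} for none
     */
    private OidcProvider provider(final String expectedAudience) {
        return new OidcProvider() {
            public Optional<String> getToken(HttpServletRequest httpServletRequest) {
                return Optional.empty();
            }

            public Optional<String> getRefreshToken(HttpServletRequest httpServletRequest) {
                return Optional.empty();
            }

            public OidcCredential getFreshToken(String refreshToken, String requestedAudience) {
                return null;
            }

            // Ignores both arguments: the same public key is returned whatever the token
            // header says, so key lookup is not exercised by these tests.
            public Optional<Key> getVerificationKey(JwtHeader jwtHeader, CacheMissAction cacheMissAction) {
                return Optional.of(OidcTokenValidatorTest.RSA_JSON_WEB_KEY.getRsaPublicKey());
            }

            public String getExpectedIssuer() {
                return OidcTokenValidatorTest.VALID_ISSUER;
            }

            public String getExpectedAudience(String token) {
                return expectedAudience;
            }

            public IdentType getIdentType(String token) {
                return null;
            }
        };
    }

    /**
     * Mints a compact-serialised test token.
     *
     * @param audience  value for the {@code aud} claim; may be {@code null}
     * @param issuer    value for the {@code iss} claim
     * @param algorithm JWS algorithm header value; {@code "none"} produces an unsigned token
     * @throws IllegalStateException if the token cannot be serialised
     */
    private static TestToken generate(String audience, String issuer, String algorithm) {
        JwtClaims claims = new JwtClaims();
        claims.setIssuer(issuer);
        // NOTE(review): confirm that a null audience leaves the aud claim out of the payload
        // rather than serialising it as null; the "no audience" test depends on which it is.
        claims.setAudience(audience);
        claims.setExpirationTimeMinutesInTheFuture(120.0f);
        claims.setGeneratedJwtId();
        claims.setIssuedAtToNow();
        claims.setNotBeforeMinutesInThePast(2.0f);
        claims.setSubject("12345678901");

        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        if (!"none".equals(algorithm)) {
            jws.setKey(RSA_JSON_WEB_KEY.getPrivateKey());
        }
        jws.setKeyIdHeaderValue(RSA_JSON_WEB_KEY.getKeyId());
        jws.setAlgorithmHeaderValue(algorithm);
        // Constraints are lifted on the producing side only, so that this fixture is able to
        // emit the unsigned token. The validating side must keep its algorithm restrictions;
        // do not copy this line into verification code.
        jws.setAlgorithmConstraints(AlgorithmConstraints.NO_CONSTRAINTS);

        final String compact;
        try {
            // jose4j declares a checked exception here; the decompiled source neither caught nor declared it.
            compact = jws.getCompactSerialization();
        } catch (Exception e) {
            throw new IllegalStateException("Could not serialise test token (alg=" + algorithm + ")", e);
        }
        return TestToken.builder().issuer(issuer).token(compact).key(RSA_JSON_WEB_KEY).build();
    }

    /**
     * Generates the 2048-bit RSA signing key shared by all tests, tagged with a random
     * key id, use {@code sig} and algorithm {@code RS256}.
     *
     * @throws IllegalStateException if key generation fails
     */
    private static RsaJsonWebKey createKey() {
        final RsaJsonWebKey jwk;
        try {
            // jose4j declares a checked exception here; the decompiled source neither caught nor declared it.
            jwk = RsaJwkGenerator.generateJwk(2048);
        } catch (Exception e) {
            throw new IllegalStateException("Could not generate RSA test key", e);
        }
        jwk.setKeyId(UUID.randomUUID().toString());
        jwk.setUse("sig");
        jwk.setAlgorithm("RS256");
        return jwk;
    }
}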
