package no.nav.brukerdialog.security.jaspic;

import java.util.Arrays;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import no.nav.brukerdialog.security.domain.IdentType;
import no.nav.brukerdialog.security.jwks.CacheMissAction;
import no.nav.brukerdialog.security.jwks.JwtHeader;
import no.nav.brukerdialog.security.oidc.OidcTokenValidator;
import no.nav.brukerdialog.security.oidc.OidcTokenValidatorResult;
import no.nav.brukerdialog.security.oidc.provider.OidcProvider;
import no.nav.common.auth.SsoToken;
import no.nav.common.auth.Subject;
import no.nav.common.auth.TestSubjectUtils;
import no.nav.json.JsonUtils;
import org.assertj.core.api.Assertions;
import org.jose4j.jwt.JwtClaims;
import org.junit.Before;
import org.junit.Test;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;

/* loaded from: input_file:no/nav/brukerdialog/security/jaspic/OidcAuthModuleTest.class */
/**
 * Unit tests for {@code OidcAuthModule.authenticate} wired with three mocked
 * {@link OidcProvider}s and a mocked {@link OidcTokenValidator}.
 *
 * <p>Scope: the validator is a mock that rejects every token unless a test stubs it otherwise,
 * so these tests exercise only how the module walks its providers and which
 * {@link CacheMissAction} it passes on. Whatever checks the real validator performs on a token
 * are not covered here and need their own tests.
 */
public class OidcAuthModuleTest {
    // Any ident type will do; the tests only need providers and subjects to agree on one.
    private static final IdentType IDENT_TYPE = IdentType.values()[0];

    private final HttpServletRequest httpServletRequest = new MockHttpServletRequest();
    private final HttpServletResponse httpServletResponse = new MockHttpServletResponse();
    private final OidcProvider provider1 = newMockProvider();
    private final OidcProvider provider2 = newMockProvider();
    private final OidcProvider provider3 = newMockProvider();
    private final OidcTokenValidator oidcTokenValidator = Mockito.mock(OidcTokenValidator.class);
    private final OidcAuthModule oidcAuthModule =
            new OidcAuthModule(Arrays.asList(provider1, provider2, provider3), oidcTokenValidator);

    /** Deny by default: every token is invalid unless a test explicitly stubs a valid result. */
    @Before
    public void setup() {
        Mockito.when(
                        oidcTokenValidator.validate(
                                ArgumentMatchers.anyString(),
                                ArgumentMatchers.<OidcProvider>any(),
                                ArgumentMatchers.<CacheMissAction>any()))
                .thenReturn(OidcTokenValidatorResult.invalid("invalid by default"));
    }

    /** No provider is stubbed to return a token, so no subject may be produced. */
    @Test
    public void authenticate__no_matching_token__empty() {
        Assertions.assertThat(oidcAuthModule.authenticate(httpServletRequest, httpServletResponse))
                .isEmpty();
    }

    /** Only the last provider yields a token, and it validates without a key refresh. */
    @Test
    public void authenticate__matching_token__returns_subject() {
        Subject expected = testSubject("token3");
        mockValidSubjectForProvider(expected, provider3, CacheMissAction.NO_REFRESH);

        // hasValue compares with equals(); presumably Subject has value equality - confirm.
        Assertions.assertThat(oidcAuthModule.authenticate(httpServletRequest, httpServletResponse))
                .hasValue(expected);
    }

    /**
     * The validator accepts the token only when called with {@code REFRESH}; every other call
     * falls back to the "invalid by default" stub. The test therefore passes only if the module
     * also validates with {@code REFRESH}.
     */
    @Test
    public void authenticate__key_rotation__refresh_key_cache_and_return_subject() {
        Subject expected = testSubject("token3");
        mockValidSubjectForProvider(expected, provider3, CacheMissAction.REFRESH);

        Assertions.assertThat(oidcAuthModule.authenticate(httpServletRequest, httpServletResponse))
                .hasValue(expected);
    }

    /**
     * All three providers return a token, none of which the validator accepts.
     *
     * <p>NOTE(review): the name says "matching token in cache", yet the outcome asserted is an
     * empty result. Also, the validator is a mock here, so unless OidcAuthModule calls
     * {@code getVerificationKey} on a provider itself, the never() verifications below cannot
     * fail - confirm they still guard the intended behaviour.
     */
    @Test
    public void authenticate__matching_token_in_cache__no_refresh_of_key_caches() {
        Mockito.when(provider1.getToken(httpServletRequest)).thenReturn(Optional.of("1"));
        Mockito.when(provider2.getToken(httpServletRequest)).thenReturn(Optional.of("2"));
        Mockito.when(provider3.getToken(httpServletRequest)).thenReturn(Optional.of("3"));

        Assertions.assertThat(oidcAuthModule.authenticate(httpServletRequest, httpServletResponse))
                .isEmpty();

        for (OidcProvider provider : Arrays.asList(provider1, provider2, provider3)) {
            Mockito.verify(provider, Mockito.never())
                    .getVerificationKey(
                            ArgumentMatchers.<JwtHeader>any(), Mockito.eq(CacheMissAction.REFRESH));
        }
    }

    /**
     * The first two providers throw while extracting the token; the third one still
     * authenticates the request. The subject comes from a provider whose token the validator
     * accepts, not from the failures themselves.
     *
     * <p>NOTE(review): {@code Throwable} is a checked type, and Mockito rejects checked
     * exceptions the stubbed method does not declare - confirm {@code getToken} permits it.
     */
    @Test
    public void authenticate__ignore_failing_providers() {
        Subject expected = testSubject("token3");
        mockValidSubjectForProvider(expected, provider3, CacheMissAction.NO_REFRESH);
        Mockito.when(provider1.getToken(httpServletRequest)).thenThrow(Throwable.class);
        Mockito.when(provider2.getToken(httpServletRequest)).thenThrow(Throwable.class);

        Assertions.assertThat(oidcAuthModule.authenticate(httpServletRequest, httpServletResponse))
                .hasValue(expected);
    }

    /**
     * Makes {@code oidcProvider} return the subject's OIDC token for the test request and makes
     * the validator accept that token, for exactly this provider and {@code cacheMissAction},
     * with claims rebuilt from the subject's token attributes.
     */
    private void mockValidSubjectForProvider(
            Subject subject, OidcProvider oidcProvider, CacheMissAction cacheMissAction) {
        String oidcToken = (String) subject.getSsoToken(SsoToken.Type.OIDC).get();
        Mockito.when(oidcProvider.getToken(httpServletRequest)).thenReturn(Optional.of(oidcToken));

        // Round-trip the attributes through JSON to obtain the claims the validator hands back.
        String claimsJson = JsonUtils.toJson(subject.getSsoToken().getAttributes());
        JwtClaims claims = JwtClaims.parse(claimsJson);
        Mockito.when(oidcTokenValidator.validate(oidcToken, oidcProvider, cacheMissAction))
                .thenReturn(OidcTokenValidatorResult.valid(claims));
    }

    /**
     * Builds a subject "test-subject" carrying {@code token} as its OIDC token, with claims that
     * expire 600 minutes from now.
     */
    private Subject testSubject(String token) {
        JwtClaims claims = new JwtClaims();
        claims.setSubject("test-subject");
        claims.setExpirationTimeMinutesInTheFuture(600.0f);

        return TestSubjectUtils.builder()
                .uid("test-subject")
                .identType(IDENT_TYPE)
                .token(token)
                .tokenType(SsoToken.Type.OIDC)
                .attributes(claims.getClaimsMap())
                .build();
    }

    /** Creates a provider mock that reports {@link #IDENT_TYPE} for any string argument. */
    private OidcProvider newMockProvider() {
        OidcProvider provider = Mockito.mock(OidcProvider.class);
        Mockito.when(provider.getIdentType(ArgumentMatchers.anyString())).thenReturn(IDENT_TYPE);
        return provider;
    }
}
