package org.keycloak.sdjwt;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ObjectNode;
import java.time.Instant;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert;
import org.junit.Assert;
import org.junit.ClassRule;
import org.junit.Test;
import org.keycloak.common.VerificationException;
import org.keycloak.rule.CryptoInitRule;
import org.keycloak.sdjwt.IssuerSignedJwtVerificationOpts;
import org.keycloak.sdjwt.SdJwt;

/* loaded from: input_file:org/keycloak/sdjwt/SdJwtVerificationTest.class */
public abstract class SdJwtVerificationTest {

    @ClassRule
    public static CryptoInitRule cryptoInitRule = new CryptoInitRule();
    static ObjectMapper mapper = new ObjectMapper();
    static TestSettings testSettings = TestSettings.getInstance();

    @Test
    public void settingsTest() {
        Assert.assertNotNull(testSettings.issuerSigContext);
    }

    @Test
    public void testSdJwtVerification_FlatSdJwt() throws VerificationException {
        Iterator it = Arrays.asList("sha-256", "sha-384", "sha-512").iterator();
        while (it.hasNext()) {
            exampleFlatSdJwtV1().withHashAlgorithm((String) it.next()).build().verify(defaultIssuerSignedJwtVerificationOpts().build());
        }
    }

    @Test
    public void testSdJwtVerification_EnforceIdempotence() throws VerificationException {
        SdJwt build = exampleFlatSdJwtV1().build();
        build.verify(defaultIssuerSignedJwtVerificationOpts().build());
        build.verify(defaultIssuerSignedJwtVerificationOpts().build());
    }

    @Test
    public void testSdJwtVerification_SdJwtWithUndisclosedNestedFields() throws VerificationException {
        exampleSdJwtWithUndisclosedNestedFieldsV1().build().verify(defaultIssuerSignedJwtVerificationOpts().build());
    }

    @Test
    public void testSdJwtVerification_SdJwtWithUndisclosedArrayElements() throws Exception {
        exampleSdJwtWithUndisclosedArrayElementsV1().build().verify(defaultIssuerSignedJwtVerificationOpts().build());
    }

    @Test
    public void testSdJwtVerification_RecursiveSdJwt() throws Exception {
        exampleRecursiveSdJwtV1().build().verify(defaultIssuerSignedJwtVerificationOpts().build());
    }

    @Test
    public void sdJwtVerificationShouldFail_OnInsecureHashAlg() {
        SdJwt build = exampleFlatSdJwtV1().withHashAlgorithm("sha-224").build();
        Assert.assertEquals("Unexpected or insecure hash algorithm: sha-224", Assert.assertThrows(VerificationException.class, () -> {
            build.verify(defaultIssuerSignedJwtVerificationOpts().build());
        }).getMessage());
    }

    @Test
    public void sdJwtVerificationShouldFail_WithWrongVerifier() {
        SdJwt build = exampleFlatSdJwtV1().build();
        VerificationException assertThrows = Assert.assertThrows(VerificationException.class, () -> {
            build.verify(defaultIssuerSignedJwtVerificationOpts().withVerifier(testSettings.holderVerifierContext).build());
        });
        MatcherAssert.assertThat(assertThrows.getMessage(), CoreMatchers.is("Invalid Issuer-Signed JWT"));
        MatcherAssert.assertThat(assertThrows.getCause().getMessage(), CoreMatchers.endsWith("Invalid jws signature"));
    }

    @Test
    public void sdJwtVerificationShouldFail_IfExpired() {
        long epochSecond = Instant.now().getEpochSecond();
        ObjectNode createObjectNode = mapper.createObjectNode();
        createObjectNode.put("given_name", "John");
        createObjectNode.put("exp", epochSecond - 1000);
        for (SdJwt sdJwt : Arrays.asList(exampleFlatSdJwtV2(createObjectNode, DisclosureSpec.builder().build()).build(), exampleFlatSdJwtV2(createObjectNode, DisclosureSpec.builder().withRedListedClaimNames(DisclosureRedList.of(Collections.emptySet())).withUndisclosedClaim("exp", "eluV5Og3gSNII8EYnsxA_A").build()).build())) {
            VerificationException assertThrows = Assert.assertThrows(VerificationException.class, () -> {
                sdJwt.verify(defaultIssuerSignedJwtVerificationOpts().withValidateExpirationClaim(true).build());
            });
            Assert.assertEquals("Issuer-Signed JWT: Invalid `exp` claim", assertThrows.getMessage());
            Assert.assertEquals("JWT has expired", assertThrows.getCause().getMessage());
        }
    }

    @Test
    public void sdJwtVerificationShouldFail_IfExpired_CaseExpInvalid() {
        ObjectNode createObjectNode = mapper.createObjectNode();
        createObjectNode.put("given_name", "John");
        ObjectNode createObjectNode2 = mapper.createObjectNode();
        createObjectNode.put("given_name", "John");
        createObjectNode.put("exp", "should-not-be-a-string");
        DisclosureSpec build = DisclosureSpec.builder().withUndisclosedClaim("given_name", "eluV5Og3gSNII8EYnsxA_A").build();
        for (SdJwt sdJwt : Arrays.asList(exampleFlatSdJwtV2(createObjectNode, build).build(), exampleFlatSdJwtV2(createObjectNode2, build).build())) {
            VerificationException assertThrows = Assert.assertThrows(VerificationException.class, () -> {
                sdJwt.verify(defaultIssuerSignedJwtVerificationOpts().withValidateExpirationClaim(true).build());
            });
            Assert.assertEquals("Issuer-Signed JWT: Invalid `exp` claim", assertThrows.getMessage());
            Assert.assertEquals("Missing or invalid 'exp' claim", assertThrows.getCause().getMessage());
        }
    }

    @Test
    public void sdJwtVerificationShouldFail_IfIssuedInTheFuture() {
        long epochSecond = Instant.now().getEpochSecond();
        ObjectNode createObjectNode = mapper.createObjectNode();
        createObjectNode.put("given_name", "John");
        createObjectNode.put("iat", epochSecond + 1000);
        for (SdJwt sdJwt : Arrays.asList(exampleFlatSdJwtV2(createObjectNode, DisclosureSpec.builder().build()).build(), exampleFlatSdJwtV2(createObjectNode, DisclosureSpec.builder().withRedListedClaimNames(DisclosureRedList.of(Collections.emptySet())).withUndisclosedClaim("iat", "eluV5Og3gSNII8EYnsxA_A").build()).build())) {
            VerificationException assertThrows = Assert.assertThrows(VerificationException.class, () -> {
                sdJwt.verify(defaultIssuerSignedJwtVerificationOpts().withValidateIssuedAtClaim(true).build());
            });
            Assert.assertEquals("Issuer-Signed JWT: Invalid `iat` claim", assertThrows.getMessage());
            Assert.assertEquals("JWT issued in the future", assertThrows.getCause().getMessage());
        }
    }

    @Test
    public void sdJwtVerificationShouldFail_IfNbfInvalid() {
        long epochSecond = Instant.now().getEpochSecond();
        ObjectNode createObjectNode = mapper.createObjectNode();
        createObjectNode.put("given_name", "John");
        createObjectNode.put("nbf", epochSecond + 1000);
        for (SdJwt sdJwt : Arrays.asList(exampleFlatSdJwtV2(createObjectNode, DisclosureSpec.builder().build()).build(), exampleFlatSdJwtV2(createObjectNode, DisclosureSpec.builder().withRedListedClaimNames(DisclosureRedList.of(Collections.emptySet())).withUndisclosedClaim("iat", "eluV5Og3gSNII8EYnsxA_A").build()).build())) {
            VerificationException assertThrows = Assert.assertThrows(VerificationException.class, () -> {
                sdJwt.verify(defaultIssuerSignedJwtVerificationOpts().withValidateNotBeforeClaim(true).build());
            });
            Assert.assertEquals("Issuer-Signed JWT: Invalid `nbf` claim", assertThrows.getMessage());
            Assert.assertEquals("JWT is not yet valid", assertThrows.getCause().getMessage());
        }
    }

    @Test
    public void sdJwtVerificationShouldFail_IfSdArrayElementIsNotString() throws JsonProcessingException {
        ObjectNode createObjectNode = mapper.createObjectNode();
        createObjectNode.put("given_name", "John");
        createObjectNode.set("_sd", mapper.readTree("[123]"));
        SdJwt build = exampleFlatSdJwtV2(createObjectNode, DisclosureSpec.builder().build()).build();
        Assert.assertEquals("Unexpected non-string element inside _sd array: 123", Assert.assertThrows(VerificationException.class, () -> {
            build.verify(defaultIssuerSignedJwtVerificationOpts().build());
        }).getMessage());
    }

    @Test
    public void sdJwtVerificationShouldFail_IfForbiddenClaimNames() {
        for (String str : Arrays.asList("_sd", "...")) {
            ObjectNode createObjectNode = mapper.createObjectNode();
            createObjectNode.put(str, "Value");
            SdJwt build = exampleFlatSdJwtV2(createObjectNode, DisclosureSpec.builder().withUndisclosedClaim(str, "eluV5Og3gSNII8EYnsxA_A").build()).build();
            Assert.assertEquals("Disclosure claim name must not be '_sd' or '...'", Assert.assertThrows(VerificationException.class, () -> {
                build.verify(defaultIssuerSignedJwtVerificationOpts().build());
            }).getMessage());
        }
    }

    @Test
    public void sdJwtVerificationShouldFail_IfDuplicateDigestValue() {
        ObjectNode createObjectNode = mapper.createObjectNode();
        createObjectNode.put("given_name", "John");
        SdJwt build = exampleFlatSdJwtV2(createObjectNode, DisclosureSpec.builder().withUndisclosedClaim("given_name", "eluV5Og3gSNII8EYnsxA_A").withDecoyClaim("G02NSrQfjFXQ7Io09syajA").withDecoyClaim("G02NSrQfjFXQ7Io09syajA").build()).build();
        Assert.assertTrue(Assert.assertThrows(VerificationException.class, () -> {
            build.verify(defaultIssuerSignedJwtVerificationOpts().build());
        }).getMessage().startsWith("A digest was encountered more than once:"));
    }

    @Test
    public void sdJwtVerificationShouldFail_IfDuplicateSaltValue() {
        ObjectNode createObjectNode = mapper.createObjectNode();
        createObjectNode.put("given_name", "John");
        createObjectNode.put("family_name", "Doe");
        SdJwt build = exampleFlatSdJwtV2(createObjectNode, DisclosureSpec.builder().withUndisclosedClaim("given_name", "eluV5Og3gSNII8EYnsxA_A").withUndisclosedClaim("family_name", "eluV5Og3gSNII8EYnsxA_A").build()).build();
        Assert.assertEquals("A salt value was reused: eluV5Og3gSNII8EYnsxA_A", Assert.assertThrows(VerificationException.class, () -> {
            build.verify(defaultIssuerSignedJwtVerificationOpts().build());
        }).getMessage());
    }

    private IssuerSignedJwtVerificationOpts.Builder defaultIssuerSignedJwtVerificationOpts() {
        return IssuerSignedJwtVerificationOpts.builder().withVerifier(testSettings.issuerVerifierContext).withValidateIssuedAtClaim(false).withValidateExpirationClaim(false).withValidateNotBeforeClaim(false);
    }

    private SdJwt.Builder exampleFlatSdJwtV1() {
        ObjectNode createObjectNode = mapper.createObjectNode();
        createObjectNode.put("sub", "6c5c0a49-b589-431d-bae7-219122a9ec2c");
        createObjectNode.put("given_name", "John");
        createObjectNode.put("family_name", "Doe");
        createObjectNode.put("email", "john.doe@example.com");
        return SdJwt.builder().withDisclosureSpec(DisclosureSpec.builder().withUndisclosedClaim("given_name", "eluV5Og3gSNII8EYnsxA_A").withUndisclosedClaim("family_name", "6Ij7tM-a5iVPGboS5tmvVA").withUndisclosedClaim("email", "eI8ZWm9QnKPpNPeNenHdhQ").withDecoyClaim("G02NSrQfjFXQ7Io09syajA").build()).withClaimSet(createObjectNode).withSigner(testSettings.issuerSigContext);
    }

    private SdJwt.Builder exampleFlatSdJwtV2(ObjectNode objectNode, DisclosureSpec disclosureSpec) {
        return SdJwt.builder().withDisclosureSpec(disclosureSpec).withClaimSet(objectNode).withSigner(testSettings.issuerSigContext);
    }

    private SdJwt exampleAddrSdJwt() {
        ObjectNode createObjectNode = mapper.createObjectNode();
        createObjectNode.put("street_address", "Rue des Oliviers");
        createObjectNode.put("city", "Paris");
        createObjectNode.put("country", "France");
        return SdJwt.builder().withDisclosureSpec(DisclosureSpec.builder().withUndisclosedClaim("street_address", "AJx-095VPrpTtN4QMOqROA").withUndisclosedClaim("city", "G02NSrQfjFXQ7Io09syajA").withDecoyClaim("G02NSrQfjFXQ7Io09syajA").build()).withClaimSet(createObjectNode).build();
    }

    private SdJwt.Builder exampleSdJwtWithUndisclosedNestedFieldsV1() {
        SdJwt exampleAddrSdJwt = exampleAddrSdJwt();
        ObjectNode createObjectNode = mapper.createObjectNode();
        createObjectNode.put("sub", "6c5c0a49-b589-431d-bae7-219122a9ec2c");
        createObjectNode.put("given_name", "John");
        createObjectNode.put("family_name", "Doe");
        createObjectNode.put("email", "john.doe@example.com");
        createObjectNode.set("address", exampleAddrSdJwt.asNestedPayload());
        return SdJwt.builder().withDisclosureSpec(DisclosureSpec.builder().withUndisclosedClaim("given_name", "eluV5Og3gSNII8EYnsxA_A").withUndisclosedClaim("family_name", "6Ij7tM-a5iVPGboS5tmvVA").withUndisclosedClaim("email", "eI8ZWm9QnKPpNPeNenHdhQ").build()).withClaimSet(createObjectNode).withNestedSdJwt(exampleAddrSdJwt).withSigner(testSettings.issuerSigContext);
    }

    private SdJwt.Builder exampleSdJwtWithUndisclosedArrayElementsV1() throws JsonProcessingException {
        ObjectNode createObjectNode = mapper.createObjectNode();
        createObjectNode.put("sub", "6c5c0a49-b589-431d-bae7-219122a9ec2c");
        createObjectNode.put("given_name", "John");
        createObjectNode.put("family_name", "Doe");
        createObjectNode.put("email", "john.doe@example.com");
        createObjectNode.set("nationalities", mapper.readTree("[\"US\", \"DE\"]"));
        return SdJwt.builder().withDisclosureSpec(DisclosureSpec.builder().withUndisclosedClaim("given_name", "eluV5Og3gSNII8EYnsxA_A").withUndisclosedClaim("family_name", "6Ij7tM-a5iVPGboS5tmvVA").withUndisclosedClaim("email", "eI8ZWm9QnKPpNPeNenHdhQ").withUndisclosedArrayElt("nationalities", 1, "nPuoQnkRFq3BIeAm7AnXFA").withDecoyArrayElt("nationalities", 2, "G02NSrQfjFXQ7Io09syajA").build()).withClaimSet(createObjectNode).withSigner(testSettings.issuerSigContext);
    }

    private SdJwt.Builder exampleRecursiveSdJwtV1() {
        SdJwt exampleAddrSdJwt = exampleAddrSdJwt();
        ObjectNode createObjectNode = mapper.createObjectNode();
        createObjectNode.put("sub", "6c5c0a49-b589-431d-bae7-219122a9ec2c");
        createObjectNode.put("given_name", "John");
        createObjectNode.put("family_name", "Doe");
        createObjectNode.put("email", "john.doe@example.com");
        createObjectNode.set("address", exampleAddrSdJwt.asNestedPayload());
        return SdJwt.builder().withDisclosureSpec(DisclosureSpec.builder().withUndisclosedClaim("given_name", "eluV5Og3gSNII8EYnsxA_A").withUndisclosedClaim("family_name", "6Ij7tM-a5iVPGboS5tmvVA").withUndisclosedClaim("email", "eI8ZWm9QnKPpNPeNenHdhQ").withUndisclosedClaim("address", "BZFzhQsdPfZY1WSL-1GXKg").build()).withClaimSet(createObjectNode).withNestedSdJwt(exampleAddrSdJwt).withSigner(testSettings.issuerSigContext);
    }
}
