package org.wso2.am.integration.tests.jwt;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.charset.Charset;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.message.BasicNameValuePair;
import org.json.JSONException;
import org.json.JSONObject;
import org.testng.Assert;
import org.testng.annotations.AfterClass;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.DataProvider;
import org.testng.annotations.Factory;
import org.testng.annotations.Test;
import org.wso2.am.integration.clients.publisher.api.v1.dto.ScopeDTO;
import org.wso2.am.integration.clients.store.api.v1.dto.ApplicationDTO;
import org.wso2.am.integration.clients.store.api.v1.dto.ApplicationKeyDTO;
import org.wso2.am.integration.clients.store.api.v1.dto.ApplicationKeyGenerateRequestDTO;
import org.wso2.am.integration.test.utils.http.HTTPSClientUtils;
import org.wso2.am.integration.test.utils.token.TokenUtils;
import org.wso2.am.integration.tests.api.lifecycle.APIManagerLifecycleBaseTest;
import org.wso2.am.integration.tests.jwt.idp.JWTGeneratorUtil;
import org.wso2.am.integration.tests.restapi.RESTAPITestConstants;
import org.wso2.carbon.automation.engine.context.TestUserMode;
import org.wso2.carbon.automation.test.utils.http.client.HttpResponse;
import org.wso2.carbon.identity.application.common.model.idp.xsd.Claim;
import org.wso2.carbon.identity.application.common.model.idp.xsd.ClaimConfig;
import org.wso2.carbon.identity.application.common.model.idp.xsd.ClaimMapping;
import org.wso2.carbon.identity.application.common.model.idp.xsd.IdentityProvider;
import org.wso2.carbon.identity.application.common.model.idp.xsd.LocalRole;
import org.wso2.carbon.identity.application.common.model.idp.xsd.PermissionsAndRoleConfig;
import org.wso2.carbon.identity.application.common.model.idp.xsd.RoleMapping;

/* loaded from: input_file:org/wso2/am/integration/tests/jwt/JWTGrantTestCase.class */
public class JWTGrantTestCase extends APIManagerLifecycleBaseTest {
    private String jwtApplicationId;
    private String consumerKey;
    private String consumerSecret;
    private String scopeId;
    private String tokenUrl;
    private final String jwtAudience = UUID.randomUUID().toString();
    private final String jwtIssuer = "jwtgrant_test_issuer";
    private final String keystoreFileValid = "extidpjwt.jks";
    private final String keystoreFileValidPass = "extidpjwt";
    private final String keystoreFileValidAlias = "extidpjwt";
    private final String scopeToRequest = "scope-jwt";
    List<String> grantTypesWithJWT = new ArrayList();

    /* JADX WARN: Type inference failed for: r0v1, types: [java.lang.Object[], java.lang.Object[][]] */
    @DataProvider
    public static Object[][] userModeDataProvider() {
        return new Object[]{new Object[]{TestUserMode.SUPER_TENANT_ADMIN}, new Object[]{TestUserMode.TENANT_ADMIN}};
    }

    @Factory(dataProvider = "userModeDataProvider")
    public JWTGrantTestCase(TestUserMode testUserMode) {
        this.userMode = testUserMode;
    }

    @BeforeClass(alwaysRun = true)
    public void setEnvironment() throws Exception {
        super.init(this.userMode);
        this.tokenUrl = getKeyManagerURLHttps() + "/oauth2/token";
        this.grantTypesWithJWT.add("urn:ietf:params:oauth:grant-type:jwt-bearer");
        ApplicationDTO addApplication = this.restAPIStore.addApplication("JWTGrantApp", "Unlimited", (String) null, "JWTGrantApp description");
        Assert.assertNotNull(addApplication, "consumerKey generation of the application doesn't work as expected");
        Assert.assertTrue(StringUtils.isNotBlank(addApplication.getApplicationId()), "application is not created as expected");
        this.jwtApplicationId = addApplication.getApplicationId();
        ApplicationKeyDTO generateKeys = this.restAPIStore.generateKeys(this.jwtApplicationId, "3600", "", ApplicationKeyGenerateRequestDTO.KeyTypeEnum.PRODUCTION, (ArrayList) null, this.grantTypesWithJWT);
        this.consumerKey = generateKeys.getConsumerKey();
        this.consumerSecret = generateKeys.getConsumerSecret();
        Assert.assertNotNull(this.consumerKey, "consumerKey generation of the application doesn't work as expected");
        Assert.assertNotNull(this.consumerSecret, "consumerSecret generation of the application doesn't work as expected");
        addValidIdentityProvider();
        ScopeDTO scopeDTO = new ScopeDTO();
        scopeDTO.setName("scope-jwt");
        scopeDTO.setBindings(new ArrayList<String>() { // from class: org.wso2.am.integration.tests.jwt.JWTGrantTestCase.1
            {
                add("admin");
            }
        });
        scopeDTO.setDisplayName("Scope for JWT grant test");
        this.scopeId = this.restAPIPublisher.addSharedScope(scopeDTO).getId();
    }

    @Test(groups = {"wso2.am"}, description = "Testing JWT grant for a JWT token with a registered IDP for it")
    public void testGenerateTokenWithValidRegisteredIDP() throws Exception {
        HttpResponse invokeTokenEndpoint = invokeTokenEndpoint(generateJWTTokenForValidIDP());
        Assert.assertEquals(invokeTokenEndpoint.getResponseCode(), 200, "Response code is not 200 as expected");
        Assert.assertNotNull(new JSONObject(invokeTokenEndpoint.getData()).getString(RESTAPITestConstants.ACCESS_TOKEN_TEXT), "Couldn't find accessToken");
    }

    @Test(groups = {"wso2.am"}, description = "Testing JWT grant for a JWT token without a registered IDP for it")
    public void testGenerateTokenForNonRegisteredIDP() throws Exception {
        assertErrorResponse("Checking the JWT grant with non-registered IDP as issuer, didn't get the expected ", "No Registered IDP found", invokeTokenEndpoint(generateJWTTokenForInvalidIDP()));
    }

    @Test(groups = {"wso2.am"}, description = "Testing JWT grant for a JWT token which is expired")
    public void testGenerateTokenWithExpiredJWT() throws Exception {
        assertErrorResponse("Checking the JWT grant with expired jwt, didn't get the expected ", "JSON Web Token is expired", invokeTokenEndpoint(generateExpiredJWTToken()));
    }

    @Test(groups = {"wso2.am"}, description = "Testing JWT grant for a JWT token which is tampered")
    public void testGenerateTokenWithTamperedJWT() throws Exception {
        assertErrorResponse("Checking the JWT grant with tampered jwt, didn't get the expected ", "Signature or Message Authentication invalid", invokeTokenEndpoint(generateTamperedJWTToken()));
    }

    @Test(groups = {"wso2.am"}, description = "Testing JWT grant for a JWT token signed with a different cert not matching IDP")
    public void testGenerateTokenWithJWTSignedWithDifferentCert() throws Exception {
        assertErrorResponse("Checking the JWT grant with jwt signed with different cert, didn't get the expected ", "Signature or Message Authentication invalid", invokeTokenEndpoint(generateJWTTokenSignedFromDifferentCertificate()));
    }

    @Test(groups = {"wso2.am"}, description = "Testing JWT grant for a JWT token without IDP roles/mappings are added and try to generate a token with a scope which is restricted by a role. The Scope shouldn't be returned.", dependsOnMethods = {"testGenerateTokenWithValidRegisteredIDP"})
    public void testGenerateTokenWithScopesUsingJWTBeforeAddingIdpRoles() throws Exception {
        if (this.userMode == TestUserMode.TENANT_ADMIN) {
            return;
        }
        HttpResponse invokeTokenEndpoint = invokeTokenEndpoint(generateJWTTokenForValidIDPWithIdpRoles(), new String[]{"scope-jwt"});
        Assert.assertEquals(invokeTokenEndpoint.getResponseCode(), 200, "Response code is not 200 as expected");
        JSONObject jSONObject = new JSONObject(invokeTokenEndpoint.getData());
        Assert.assertNotNull(jSONObject.getString(RESTAPITestConstants.ACCESS_TOKEN_TEXT), "Couldn't find accessToken");
        Assert.assertFalse(jSONObject.getString("scope").contains("scope-jwt"), "Received scopes contains requested scope (scope-jwt) even without adding role mappings to the IDP.");
    }

    @Test(groups = {"wso2.am"}, description = "Testing JWT grant for a JWT token with IDP roles and generate token with scope which is restricted by a role. This should succeed.", dependsOnMethods = {"testGenerateTokenWithScopesUsingJWTBeforeAddingIdpRoles"})
    public void testGenerateTokenWithScopesUsingJWTWithIdpRoles() throws Exception {
        String generateJWTTokenForValidIDPWithIdpRoles = generateJWTTokenForValidIDPWithIdpRoles();
        updateIdentityProviderWithRoleMappings("jwtgrant_test_issuer");
        JSONObject jSONObject = new JSONObject(invokeTokenEndpoint(generateJWTTokenForValidIDPWithIdpRoles, new String[]{"scope-jwt"}).getData());
        Assert.assertNotNull(jSONObject.getString(RESTAPITestConstants.ACCESS_TOKEN_TEXT), "Couldn't find accessToken");
        Assert.assertTrue(jSONObject.getString("scope").contains("scope-jwt"), "Received scopes doesn't contain requested scope (scope-jwt) even after adding role mappings to the IDP.");
    }

    private void assertErrorResponse(String str, String str2, HttpResponse httpResponse) throws JSONException {
        Assert.assertEquals(httpResponse.getResponseCode(), 400, str + " 400 status code.");
        String string = new JSONObject(httpResponse.getData()).getString("error_description");
        Assert.assertTrue(string.contains(str2), str + "'" + str2 + "' in the error_description but was '" + string + "'");
    }

    private HttpResponse invokeTokenEndpoint(String str) throws IOException {
        return invokeTokenEndpoint(str, new String[0]);
    }

    private HttpResponse invokeTokenEndpoint(String str, String[] strArr) throws IOException {
        ArrayList arrayList = new ArrayList();
        HashMap hashMap = new HashMap();
        hashMap.put("Authorization", "Basic " + TokenUtils.getBase64EncodedAppCredentials(this.consumerKey, this.consumerSecret));
        arrayList.add(new BasicNameValuePair("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer"));
        arrayList.add(new BasicNameValuePair("assertion", str));
        if (strArr != null && strArr.length > 0) {
            arrayList.add(new BasicNameValuePair("scope", String.join(" ", strArr)));
        }
        return HTTPSClientUtils.doPost(this.tokenUrl, hashMap, arrayList);
    }

    private String generateJWTTokenForValidIDP() throws Exception {
        return generateJWTTokenFromExternalIDP("extidpjwt.jks", "extidpjwt", "extidpjwt", this.jwtAudience, "jwtgrant_test_issuer", System.currentTimeMillis());
    }

    private String generateJWTTokenForValidIDPWithIdpRoles() throws Exception {
        Map<String, Object> hashMap = new HashMap<>();
        hashMap.put("http://extidp.org/claims/role", new String[]{"idp_admin"});
        return generateJWTTokenFromExternalIDP("extidpjwt.jks", "extidpjwt", "extidpjwt", this.jwtAudience, "jwtgrant_test_issuer", System.currentTimeMillis(), hashMap);
    }

    private String generateJWTTokenForInvalidIDP() throws Exception {
        return generateJWTTokenFromExternalIDP("extidpjwt.jks", "extidpjwt", "extidpjwt", this.jwtAudience, "jwtgrant_test_issuer_invalid", System.currentTimeMillis());
    }

    private String generateJWTTokenFromExternalIDP(String str, String str2, String str3, String str4, String str5, long j) throws Exception {
        return generateJWTTokenFromExternalIDP(str, str2, str3, str4, str5, j, new HashMap());
    }

    private String generateJWTTokenFromExternalIDP(String str, String str2, String str3, String str4, String str5, long j, Map<String, Object> map) throws Exception {
        File file = Paths.get(getAMResourceLocation(), "configFiles", "jwtgrant", str).toFile();
        HashMap hashMap = new HashMap();
        hashMap.put("azp", str4);
        hashMap.put("aud", str4);
        hashMap.putAll(map);
        return JWTGeneratorUtil.generatedJWT(file, UUID.randomUUID().toString(), str3, str2, str2, "ext-user", str5, j, hashMap);
    }

    private String generateTamperedJWTToken() throws Exception {
        String[] split = generateJWTTokenForValidIDP().split("\\.");
        return split[0] + "." + new String(Base64.encodeBase64(new String(Base64.decodeBase64(split[1]), Charset.defaultCharset()).replace("ext-user", "attacker").getBytes())).replace("=", "") + "." + split[2];
    }

    private String generateExpiredJWTToken() throws Exception {
        return generateJWTTokenFromExternalIDP("extidpjwt.jks", "extidpjwt", "extidpjwt", this.jwtAudience, "jwtgrant_test_issuer", System.currentTimeMillis() - 1800000);
    }

    private String generateJWTTokenSignedFromDifferentCertificate() throws Exception {
        return generateJWTTokenFromExternalIDP("other-keystore.jks", "wso2carbon", "idptest", this.jwtAudience, "jwtgrant_test_issuer", System.currentTimeMillis() - 1800000);
    }

    private void addValidIdentityProvider() throws Exception {
        addIdentityProvider(this.jwtAudience, "jwtgrant_test_issuer", "extidpjwt.jks", "extidpjwt", "extidpjwt");
    }

    private void addIdentityProvider(String str, String str2, String str3, String str4, String str5) throws Exception {
        File file = Paths.get(getAMResourceLocation(), "configFiles", "jwtgrant", str3).toFile();
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(new FileInputStream(file), str4.toCharArray());
        byte[] encodeBase64 = Base64.encodeBase64(keyStore.getCertificate("extidpjwt").getEncoded());
        IdentityProvider identityProvider = new IdentityProvider();
        identityProvider.setEnable(true);
        identityProvider.setAlias(str);
        identityProvider.setDisplayName("disp_name");
        identityProvider.setCertificate(new String(encodeBase64));
        identityProvider.setIdentityProviderName(str2);
        this.identityProviderMgtServiceClient.addIdP(identityProvider);
        IdentityProvider idPByName = this.identityProviderMgtServiceClient.getIdPByName("jwtgrant_test_issuer");
        Assert.assertNotNull(idPByName, "Identity provider was not added correctly");
        Assert.assertEquals(idPByName.getIdentityProviderName(), "jwtgrant_test_issuer", "Identity provider was not added correctly");
    }

    private void updateIdentityProviderWithRoleMappings(String str) throws Exception {
        IdentityProvider idPByName = this.identityProviderMgtServiceClient.getIdPByName(str);
        idPByName.setClaimConfig(getClaimConfig());
        idPByName.setPermissionAndRoleConfig(getPermissionsAndRoleConfig());
        this.identityProviderMgtServiceClient.updateIdP(str, idPByName);
        IdentityProvider idPByName2 = this.identityProviderMgtServiceClient.getIdPByName(str);
        Assert.assertNotNull(idPByName2.getClaimConfig());
        Assert.assertNotNull(idPByName2.getClaimConfig().getClaimMappings());
        Assert.assertEquals(idPByName2.getClaimConfig().getClaimMappings().length, 1);
        Assert.assertNotNull(idPByName2.getPermissionAndRoleConfig());
        Assert.assertNotNull(idPByName2.getPermissionAndRoleConfig().getIdpRoles());
        Assert.assertEquals(idPByName2.getPermissionAndRoleConfig().getIdpRoles().length, 1);
    }

    private static ClaimConfig getClaimConfig() {
        ClaimConfig claimConfig = new ClaimConfig();
        ClaimMapping claimMapping = new ClaimMapping();
        Claim claim = new Claim();
        claim.setClaimUri("http://wso2.org/claims/role");
        Claim claim2 = new Claim();
        claim2.setClaimUri("http://extidp.org/claims/role");
        claimMapping.setLocalClaim(claim);
        claimMapping.setRemoteClaim(claim2);
        claimConfig.setClaimMappings(new ClaimMapping[]{claimMapping});
        claimConfig.setIdpClaims(new Claim[]{claim2});
        claimConfig.setRoleClaimURI("http://extidp.org/claims/role");
        return claimConfig;
    }

    private static PermissionsAndRoleConfig getPermissionsAndRoleConfig() {
        PermissionsAndRoleConfig permissionsAndRoleConfig = new PermissionsAndRoleConfig();
        permissionsAndRoleConfig.addIdpRoles("idp_admin");
        RoleMapping roleMapping = new RoleMapping();
        LocalRole localRole = new LocalRole();
        localRole.setLocalRoleName("admin");
        roleMapping.setLocalRole(localRole);
        roleMapping.setRemoteRole("idp_admin");
        permissionsAndRoleConfig.addRoleMappings(roleMapping);
        return permissionsAndRoleConfig;
    }

    @AfterClass(alwaysRun = true)
    public void destroy() throws Exception {
        this.restAPIStore.deleteApplication(this.jwtApplicationId);
        this.identityProviderMgtServiceClient.deleteIdP("jwtgrant_test_issuer");
        this.restAPIPublisher.removeSharedScope(this.scopeId);
        super.cleanUp();
    }
}
