package org.keycloak.sdjwt.consumer;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.node.ObjectNode;
import java.rmi.UnknownHostException;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.regex.Pattern;
import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert;
import org.junit.Assert;
import org.junit.ClassRule;
import org.junit.Test;
import org.keycloak.common.VerificationException;
import org.keycloak.crypto.SignatureVerifierContext;
import org.keycloak.rule.CryptoInitRule;
import org.keycloak.sdjwt.IssuerSignedJWT;
import org.keycloak.sdjwt.SdJwtUtils;
import org.keycloak.sdjwt.TestUtils;
import org.keycloak.sdjwt.vp.SdJwtVP;

/* loaded from: input_file:org/keycloak/sdjwt/consumer/JwtVcMetadataTrustedSdJwtIssuerTest.class */
public abstract class JwtVcMetadataTrustedSdJwtIssuerTest {

    @ClassRule
    public static CryptoInitRule cryptoInitRule = new CryptoInitRule();

    @Test
    public void shouldResolveIssuerVerifyingKeys() throws Exception {
        Assert.assertEquals(3L, new JwtVcMetadataTrustedSdJwtIssuer("https://issuer.example.com", mockHttpDataFetcher()).resolveIssuerVerifyingKeys(exampleIssuerSignedJwt()).size());
    }

    @Test
    public void shouldResolveKeys_WhenIssuerTrustedOnRegexPattern() throws Exception {
        new JwtVcMetadataTrustedSdJwtIssuer(Pattern.compile("https://.*\\.example\\.com"), mockHttpDataFetcher()).resolveIssuerVerifyingKeys(exampleIssuerSignedJwt());
    }

    @Test
    public void shouldResolveKeys_WhenJwtSpecifiesKid() throws VerificationException, JsonProcessingException {
        List resolveIssuerVerifyingKeys = new JwtVcMetadataTrustedSdJwtIssuer("https://issuer.example.com", mockHttpDataFetcher()).resolveIssuerVerifyingKeys(exampleIssuerSignedJwt("sdjwt/s20.1-sdjwt+kb--explicit-kid.txt"));
        Assert.assertEquals(1L, resolveIssuerVerifyingKeys.size());
        Assert.assertEquals("doc-signer-05-25-2022", ((SignatureVerifierContext) resolveIssuerVerifyingKeys.get(0)).getKid());
    }

    @Test
    public void shouldRejectNonHttpsIssuerURIs() {
        String str = "http://issuer.example.com";
        MatcherAssert.assertThat(((IllegalArgumentException) Assert.assertThrows(IllegalArgumentException.class, () -> {
            new JwtVcMetadataTrustedSdJwtIssuer(str, mockHttpDataFetcher());
        })).getMessage(), CoreMatchers.endsWith("HTTPS URI required to retrieve JWT VC Issuer Metadata"));
    }

    @Test
    public void shouldRejectNonHttpsIssuerURIs_EvenIfIssuerBuiltWithRegexPattern() throws JsonProcessingException {
        JwtVcMetadataTrustedSdJwtIssuer jwtVcMetadataTrustedSdJwtIssuer = new JwtVcMetadataTrustedSdJwtIssuer(Pattern.compile(".*\\.example\\.com"), mockHttpDataFetcher());
        IssuerSignedJWT exampleIssuerSignedJwtWithIssuer = exampleIssuerSignedJwtWithIssuer("http://issuer.example.com");
        MatcherAssert.assertThat(Assert.assertThrows(VerificationException.class, () -> {
            jwtVcMetadataTrustedSdJwtIssuer.resolveIssuerVerifyingKeys(exampleIssuerSignedJwtWithIssuer);
        }).getMessage(), CoreMatchers.endsWith("HTTPS URI required to retrieve JWT VC Issuer Metadata"));
    }

    @Test
    public void shouldRejectJwtsWithUnexpectedIssuerClaims() throws JsonProcessingException {
        JwtVcMetadataTrustedSdJwtIssuer jwtVcMetadataTrustedSdJwtIssuer = new JwtVcMetadataTrustedSdJwtIssuer(Pattern.compile("https://.*\\.example\\.com"), mockHttpDataFetcher());
        IssuerSignedJWT exampleIssuerSignedJwtWithIssuer = exampleIssuerSignedJwtWithIssuer("https://trial.authlete.com");
        MatcherAssert.assertThat(Assert.assertThrows(VerificationException.class, () -> {
            jwtVcMetadataTrustedSdJwtIssuer.resolveIssuerVerifyingKeys(exampleIssuerSignedJwtWithIssuer);
        }).getMessage(), CoreMatchers.endsWith(String.format("Unexpected Issuer URI claim. Expected=/%s/, Got=%s", "https://.*\\.example\\.com", "https://trial.authlete.com")));
    }

    @Test
    public void shouldFailOnInvalidJwkExposed() throws JsonProcessingException {
        ObjectNode createObjectNode = SdJwtUtils.mapper.createObjectNode();
        createObjectNode.put("issuer", "https://issuer.example.com");
        createObjectNode.set("jwks", SdJwtUtils.mapper.readTree("{\n  \"keys\": [\n    {\n      \"kty\": \"EC\",\n      \"x\": \"invalid\",\n      \"y\": \"invalid\"\n    }\n  ]\n}"));
        genericTestShouldFail(exampleIssuerSignedJwt(), mockHttpDataFetcherWithMetadata("https://issuer.example.com", createObjectNode), "A potential JWK was retrieved but found invalid", "Unsupported or invalid JWK");
    }

    @Test
    public void shouldFailOnUnexpectedIssuerExposed() throws JsonProcessingException {
        ObjectNode createObjectNode = SdJwtUtils.mapper.createObjectNode();
        createObjectNode.put("issuer", "https://another-issuer.example.com");
        genericTestShouldFail(exampleIssuerSignedJwt(), mockHttpDataFetcherWithMetadata("https://issuer.example.com", createObjectNode), "Unexpected metadata's issuer", null);
    }

    @Test
    public void shouldFailOnMalformedJwtVcMetadataExposed() throws JsonProcessingException {
        ObjectNode createObjectNode = SdJwtUtils.mapper.createObjectNode();
        createObjectNode.set("issuer", SdJwtUtils.mapper.readTree("{}"));
        genericTestShouldFail(exampleIssuerSignedJwt(), mockHttpDataFetcherWithMetadata("https://issuer.example.com", createObjectNode), "Failed to parse exposed JWT VC Metadata", null);
    }

    @Test
    public void shouldFailOnMalformedJwksExposed() throws JsonProcessingException {
        for (JsonNode jsonNode : Arrays.asList(SdJwtUtils.mapper.readTree("[]"), SdJwtUtils.mapper.readTree("{\"keys\": {}}"))) {
            ObjectNode createObjectNode = SdJwtUtils.mapper.createObjectNode();
            createObjectNode.put("issuer", "https://issuer.example.com");
            createObjectNode.put("jwks_uri", "https://issuer.example.com/api/vci/jwks");
            genericTestShouldFail(exampleIssuerSignedJwt(), mockHttpDataFetcherWithMetadataAndJwks("https://issuer.example.com", createObjectNode, jsonNode), "Failed to parse exposed JWKS", null);
        }
    }

    @Test
    public void shouldFailOnMissingJwksOnMetadataEndpoint() throws JsonProcessingException {
        ObjectNode createObjectNode = SdJwtUtils.mapper.createObjectNode();
        createObjectNode.put("issuer", "https://issuer.example.com");
        genericTestShouldFail(exampleIssuerSignedJwt(), mockHttpDataFetcherWithMetadata("https://issuer.example.com", createObjectNode), String.format("Could not resolve issuer JWKs with URI: %s", "https://issuer.example.com"), null);
    }

    @Test
    public void shouldFailOnEmptyPublishedJwkList() throws Exception {
        JsonNode readTree = SdJwtUtils.mapper.readTree("{\"keys\": []}");
        ObjectNode createObjectNode = SdJwtUtils.mapper.createObjectNode();
        createObjectNode.put("issuer", "https://issuer.example.com");
        createObjectNode.set("jwks", readTree);
        genericTestShouldFail(exampleIssuerSignedJwt(), mockHttpDataFetcherWithMetadataAndJwks("https://issuer.example.com", createObjectNode, readTree), String.format("Issuer JWKs were unexpectedly resolved to an empty list. Issuer URI: %s", "https://issuer.example.com"), null);
    }

    @Test
    public void shouldFailOnNoPublishedJwkMatchingJwtKid() throws Exception {
        JsonNode exampleJwks = exampleJwks();
        Iterator it = exampleJwks.get("keys").iterator();
        while (it.hasNext()) {
            ObjectNode objectNode = (JsonNode) it.next();
            objectNode.put("kid", objectNode.get("kid").asText() + "-wont-match");
        }
        ObjectNode createObjectNode = SdJwtUtils.mapper.createObjectNode();
        createObjectNode.put("issuer", "https://issuer.example.com");
        createObjectNode.set("jwks", exampleJwks);
        IssuerSignedJWT exampleIssuerSignedJwt = exampleIssuerSignedJwt("sdjwt/s20.1-sdjwt+kb--explicit-kid.txt");
        genericTestShouldFail(exampleIssuerSignedJwt, mockHttpDataFetcherWithMetadataAndJwks("https://issuer.example.com", createObjectNode, exampleJwks), String.format("No published JWK was found to match kid: %s", exampleIssuerSignedJwt.getHeader().getKeyId()), null);
    }

    @Test
    public void shouldFailOnPublishedJwksWithDuplicateKid() throws JsonProcessingException {
        IssuerSignedJWT exampleIssuerSignedJwt = exampleIssuerSignedJwt("sdjwt/s20.1-sdjwt+kb--explicit-kid.txt");
        String keyId = exampleIssuerSignedJwt.getHeader().getKeyId();
        JsonNode exampleJwks = exampleJwks();
        Iterator it = exampleJwks.get("keys").iterator();
        while (it.hasNext()) {
            ((JsonNode) it.next()).put("kid", keyId);
        }
        ObjectNode createObjectNode = SdJwtUtils.mapper.createObjectNode();
        createObjectNode.put("issuer", "https://issuer.example.com");
        createObjectNode.set("jwks", exampleJwks);
        JwtVcMetadataTrustedSdJwtIssuer jwtVcMetadataTrustedSdJwtIssuer = new JwtVcMetadataTrustedSdJwtIssuer("https://issuer.example.com", mockHttpDataFetcherWithMetadata("https://issuer.example.com", createObjectNode));
        MatcherAssert.assertThat(Assert.assertThrows(VerificationException.class, () -> {
            jwtVcMetadataTrustedSdJwtIssuer.resolveIssuerVerifyingKeys(exampleIssuerSignedJwt);
        }).getMessage(), CoreMatchers.endsWith(String.format("Cannot choose between multiple exposed JWKs with same kid: %s", keyId)));
    }

    @Test
    public void shouldFailOnIOErrorWhileFetchingMetadata() throws JsonProcessingException {
        ObjectNode createObjectNode = SdJwtUtils.mapper.createObjectNode();
        createObjectNode.put("issuer", "https://issuer.example.com");
        genericTestShouldFail(exampleIssuerSignedJwt(), mockHttpDataFetcherWithMetadata("https://another-issuer.example.com", createObjectNode), String.format("Could not fetch data from URI: %s", "https://issuer.example.com"), null);
    }

    private void genericTestShouldFail(IssuerSignedJWT issuerSignedJWT, HttpDataFetcher httpDataFetcher, String str, String str2) {
        JwtVcMetadataTrustedSdJwtIssuer jwtVcMetadataTrustedSdJwtIssuer = new JwtVcMetadataTrustedSdJwtIssuer(issuerSignedJWT.getPayload().get("iss").asText(), httpDataFetcher);
        VerificationException assertThrows = Assert.assertThrows(VerificationException.class, () -> {
            jwtVcMetadataTrustedSdJwtIssuer.resolveIssuerVerifyingKeys(issuerSignedJWT);
        });
        Assert.assertTrue(assertThrows.getMessage().contains(str));
        if (str2 != null) {
            Assert.assertTrue(assertThrows.getCause().getMessage().contains(str2));
        }
    }

    private IssuerSignedJWT exampleIssuerSignedJwt() {
        return exampleIssuerSignedJwt("sdjwt/s20.1-sdjwt+kb.txt");
    }

    private IssuerSignedJWT exampleIssuerSignedJwt(String str) {
        return exampleIssuerSignedJwt(str, "https://issuer.example.com");
    }

    private IssuerSignedJWT exampleIssuerSignedJwtWithIssuer(String str) {
        return exampleIssuerSignedJwt("sdjwt/s20.1-sdjwt+kb.txt", str);
    }

    private IssuerSignedJWT exampleIssuerSignedJwt(String str, String str2) {
        IssuerSignedJWT issuerSignedJWT = SdJwtVP.of(TestUtils.readFileAsString(getClass(), str)).getIssuerSignedJWT();
        issuerSignedJWT.getPayload().put("iss", str2);
        return issuerSignedJWT;
    }

    private JsonNode exampleJwks() throws JsonProcessingException {
        return SdJwtUtils.mapper.readTree(TestUtils.readFileAsString(getClass(), "sdjwt/s30.1-jwt-vc-metadata-jwks.json"));
    }

    private HttpDataFetcher mockHttpDataFetcher() throws JsonProcessingException {
        ObjectNode createObjectNode = SdJwtUtils.mapper.createObjectNode();
        createObjectNode.put("issuer", "https://issuer.example.com");
        createObjectNode.put("jwks_uri", "https://issuer.example.com/api/vci/jwks");
        return mockHttpDataFetcherWithMetadata(createObjectNode.get("issuer").asText(), createObjectNode);
    }

    private HttpDataFetcher mockHttpDataFetcherWithMetadata(String str, JsonNode jsonNode) throws JsonProcessingException {
        return mockHttpDataFetcherWithMetadataAndJwks(str, jsonNode, exampleJwks());
    }

    private HttpDataFetcher mockHttpDataFetcherWithMetadataAndJwks(String str, JsonNode jsonNode, JsonNode jsonNode2) {
        return str2 -> {
            if (!str2.startsWith(str)) {
                throw new UnknownHostException("Unavailable URI");
            }
            if (str2.endsWith("/.well-known/jwt-vc-issuer")) {
                return jsonNode;
            }
            if (str2.endsWith("/api/vci/jwks")) {
                return jsonNode2;
            }
            throw new UnknownHostException("Unavailable URI");
        };
    }
}
