package org.eclipse.microprofile.jwt.tck.util;

import java.security.Key;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import org.eclipse.microprofile.jwt.tck.TCKConstants;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.NumericDate;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwt.consumer.JwtContext;
import org.jose4j.lang.JoseException;
import org.testng.Assert;
import org.testng.annotations.Test;

/* loaded from: input_file:org/eclipse/microprofile/jwt/tck/util/TokenUtilsSignEncryptTest.class */
/**
 * Exercises {@code TokenUtils} sign-then-encrypt helpers by decrypting the outer JWE,
 * checking its {@code cty} header, and verifying the inner signed JWT.
 *
 * <p>The negative tests show that validation rejects a signature/key algorithm mismatch,
 * a nested token without {@code cty}, a signed-only token, and an encrypted-only token.
 */
public class TokenUtilsSignEncryptTest {

    /** Key-management algorithm the outer JWE is allowed to use. */
    private static final String JWE_KEY_ALGORITHM = "RSA-OAEP";

    /** Offset in seconds that the assertions expect between {@code exp} and {@code iat}/{@code auth_time}. */
    private static final long EXPECTED_LIFESPAN_SECONDS = 300;

    @Test(groups = {TCKConstants.TEST_GROUP_UTILS}, description = "Illustrate an encryption of the nested JWT")
    public void testEncryptSignedClaims() throws Exception {
        String nestedToken = TokenUtils.signEncryptClaims("/Token1.json");
        validateToken(nestedToken, true);
    }

    @Test(groups = {TCKConstants.TEST_GROUP_UTILS}, description = "Illustrate an encryption of the nested JWT")
    public void testEncryptECSignedClaims() throws Exception {
        String nestedToken = TokenUtils.signEncryptClaims("/Token1.json", SignatureAlgorithm.ES256);
        validateToken(nestedToken, SignatureAlgorithm.ES256, true);
    }

    @Test(groups = {TCKConstants.TEST_GROUP_UTILS}, description = "Illustrate validation of a JWT", expectedExceptions = {InvalidJwtException.class})
    public void testNestedSignedByRSKeyVerifiedByECKey() throws Exception {
        // Signed with RS256 but verified as ES256: the verifier must reject the mismatch.
        String nestedToken = TokenUtils.signEncryptClaims("/Token1.json", SignatureAlgorithm.RS256);
        validateToken(nestedToken, SignatureAlgorithm.ES256, true);
    }

    @Test(groups = {TCKConstants.TEST_GROUP_UTILS}, description = "Illustrate validation of a JWT", expectedExceptions = {InvalidJwtException.class})
    public void testNestedSignedByECKeyVerifiedByRSKey() throws Exception {
        // Signed with ES256 but verified as RS256: the verifier must reject the mismatch.
        String nestedToken = TokenUtils.signEncryptClaims("/Token1.json", SignatureAlgorithm.ES256);
        validateToken(nestedToken, SignatureAlgorithm.RS256, true);
    }

    @Test(groups = {TCKConstants.TEST_GROUP_UTILS}, expectedExceptions = {InvalidJwtException.class}, description = "Illustrate validation failure if signed token is encrypted and no 'cty' header is set")
    public void testEncryptSignedClaimsWithoutCty() throws Exception {
        // The trailing 'false' is the only difference from the default nested-token call;
        // per the test description the resulting token carries no 'cty' header.
        String tokenWithoutCty = TokenUtils.signEncryptClaims(
                TokenUtils.readPrivateKey("/privateKey.pem"),
                "1",
                TokenUtils.readPublicKey("/publicKey.pem"),
                "2",
                "/Token1.json",
                false);
        validateToken(tokenWithoutCty, true);
    }

    @Test(groups = {TCKConstants.TEST_GROUP_UTILS}, expectedExceptions = {JoseException.class}, description = "Illustrate validation failure if signed token is used")
    public void testValidateSignedToken() throws Exception {
        String signedOnlyToken = TokenUtils.signClaims("/Token1.json");
        validateToken(signedOnlyToken, false);
    }

    @Test(groups = {TCKConstants.TEST_GROUP_UTILS}, expectedExceptions = {InvalidJwtException.class}, description = "Illustrate validation failure if encrypted token without nested token is used")
    public void testValidateEncryptedOnlyToken() throws Exception {
        String encryptedOnlyToken = TokenUtils.encryptClaims("/Token1.json");
        validateToken(encryptedOnlyToken, false);
    }

    /**
     * Validates {@code token} assuming the inner JWT is signed with RS256.
     *
     * @param token compact serialization to validate
     * @param ctyExpected whether the JWE must carry {@code cty=JWT}
     */
    private void validateToken(String token, boolean ctyExpected) throws Exception {
        validateToken(token, SignatureAlgorithm.RS256, ctyExpected);
    }

    /**
     * Decrypts the outer JWE, checks its {@code cty} header, verifies the inner JWT with the
     * key matching {@code signatureAlgorithm}, and asserts the claims loaded from Token1.json.
     *
     * @param token compact serialization to validate
     * @param signatureAlgorithm algorithm the inner signature is required to use
     * @param ctyExpected {@code true} to require {@code cty=JWT}, {@code false} to assert
     *     that no {@code cty} header is present
     * @throws InvalidJwtException if {@code cty} is required but not "JWT", or the inner
     *     token fails jose4j validation
     */
    private void validateToken(String token, SignatureAlgorithm signatureAlgorithm, boolean ctyExpected) throws Exception {
        String innerToken = decryptAndCheckCty(token, ctyExpected);

        Key verificationKey;
        if (signatureAlgorithm == SignatureAlgorithm.RS256) {
            verificationKey = TokenUtils.readPublicKey("/publicKey.pem");
        } else {
            verificationKey = TokenUtils.readECPublicKey("/ecPublicKey.pem");
        }

        // Pinning the JWS algorithm to the one that matches the verification key is what
        // makes the RS256/ES256 mismatch tests fail instead of silently verifying.
        // Default audience validation is skipped; 'aud' is asserted explicitly afterwards.
        JwtClaims claims = new JwtConsumerBuilder()
                .setRequireExpirationTime()
                .setSkipDefaultAudienceValidation()
                .setRequireIssuedAt()
                .setJwsAlgorithmConstraints(new AlgorithmConstraints(
                        AlgorithmConstraints.ConstraintType.WHITELIST, signatureAlgorithm.getAlgorithm()))
                .setExpectedIssuer(true, TCKConstants.TEST_ISSUER)
                .setVerificationKey(verificationKey)
                .setAllowedClockSkewInSeconds(60)
                .build()
                .processToClaims(innerToken);

        assertExpectedClaims(claims);
    }

    /**
     * Decrypts {@code token} with the test private key and enforces the {@code cty} expectation.
     *
     * @return the decrypted JWE payload
     */
    private static String decryptAndCheckCty(String token, boolean ctyExpected) throws Exception {
        JsonWebEncryption jwe = new JsonWebEncryption();
        // Only the key-management algorithm is allow-listed here.
        // NOTE(review): the content-encryption algorithm ('enc') is not constrained by this
        // helper; pin it too if the value TokenUtils produces is known.
        jwe.setAlgorithmConstraints(
                new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.WHITELIST, JWE_KEY_ALGORITHM));
        jwe.setCompactSerialization(token);
        jwe.setKey(TokenUtils.readPrivateKey("/privateKey.pem"));
        String payload = jwe.getPlaintextString();

        if (ctyExpected) {
            // A nested token must announce its payload type, otherwise it is rejected.
            if (!"JWT".equals(jwe.getHeader("cty"))) {
                throw new InvalidJwtException("'cty' header is missing", Collections.emptyList(), (JwtContext) null);
            }
        } else {
            Assert.assertNull(jwe.getHeader("cty"));
        }
        return payload;
    }

    /** Asserts the claim values and collection sizes the tests expect from Token1.json. */
    private static void assertExpectedClaims(JwtClaims claims) throws Exception {
        Assert.assertEquals(claims.getClaimsMap().size(), 19);
        Assert.assertEquals(claims.getIssuer(), TCKConstants.TEST_ISSUER);
        Assert.assertEquals(claims.getJwtId(), "a-123");
        Assert.assertEquals(claims.getSubject(), "24400320");
        Assert.assertEquals(claims.getClaimValueAsString("upn"), "jdoe@example.com");
        Assert.assertEquals(claims.getClaimValueAsString("preferred_username"), "jdoe");
        Assert.assertEquals(claims.getAudience().size(), 1);
        Assert.assertEquals(claims.getAudience().get(0), "s6BhdRkqt3");

        Assert.assertNotNull(claims.getExpirationTime());
        long expiresAt = claims.getExpirationTime().getValue();
        long expectedStart = expiresAt - EXPECTED_LIFESPAN_SECONDS;
        Assert.assertEquals(claims.getIssuedAt().getValue(), expectedStart);
        long authTime = claims.getClaimValue("auth_time", Long.class);
        Assert.assertEquals(NumericDate.fromSeconds(authTime).getValue(), expectedStart);

        Assert.assertEquals(claims.getClaimValueAsString("customString"), "customStringValue");
        Assert.assertEquals(claims.getClaimValue("customInteger", Long.class), 123456789L);
        Assert.assertEquals(claims.getClaimValue("customDouble", Double.class), Double.valueOf(3.141592653589793d));

        Assert.assertEquals(listClaimSize(claims, "roles"), 1);
        Assert.assertEquals(listClaimSize(claims, "groups"), 4);
        Assert.assertEquals(listClaimSize(claims, "customStringArray"), 3);
        Assert.assertEquals(listClaimSize(claims, "customIntegerArray"), 4);
        Assert.assertEquals(listClaimSize(claims, "customDoubleArray"), 5);
        Assert.assertEquals(((Map<?, ?>) claims.getClaimsMap().get("customObject")).size(), 3);
    }

    /** Returns the element count of the list-valued claim {@code name}. */
    private static int listClaimSize(JwtClaims claims, String name) {
        return ((List<?>) claims.getClaimsMap().get(name)).size();
    }
}
