package org.apache.nifi.web.security.jwt.provider;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.time.Duration;
import java.time.Instant;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.UUID;
import java.util.stream.Collectors;
import org.apache.nifi.web.security.jwt.jws.JwsSignerContainer;
import org.apache.nifi.web.security.jwt.jws.JwsSignerProvider;
import org.apache.nifi.web.security.token.LoginAuthenticationToken;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.ArgumentMatchers;
import org.mockito.Mock;
import org.mockito.Mockito;
import org.mockito.junit.jupiter.MockitoExtension;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

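/**
 * Tests for {@link StandardBearerTokenProvider}: each test requests a bearer token for a
 * {@link LoginAuthenticationToken}, verifies the JWS signature against the public half of a
 * test RSA key pair, and checks the resulting claims.
 *
 * <p>The mocked {@link JwsSignerProvider} always returns a signer container configured with
 * {@link JWSAlgorithm#PS512} and the private half of the same key pair.
 */
@ExtendWith(MockitoExtension.class)
public class StandardBearerTokenProviderTest {
    private static final String USERNAME = "USERNAME";
    private static final String IDENTITY = "IDENTITY";
    private static final String ISSUER = "ISSUER";
    private static final String KEY_ALGORITHM = "RSA";
    private static final int KEY_SIZE = 4096;
    private static final String GROUP = "ProviderGroup";

    private static final Duration EXPIRATION = Duration.ofHours(1);
    // Requested lifetime for which the tests expect the provider to issue an earlier claim expiration.
    private static final Duration MAXIMUM_DURATION_EXCEEDED = Duration.parse("PT12H5M");
    // Requested lifetime for which the tests expect the provider to issue a later claim expiration.
    private static final Duration MINIMUM_DURATION_EXCEEDED = Duration.parse("PT30S");
    private static final JWSAlgorithm JWS_ALGORITHM = JWSAlgorithm.PS512;

    // Generated once per class because 4096-bit RSA key generation is expensive.
    private static KeyPair keyPair;

    @Mock
    private JwsSignerProvider jwsSignerProvider;
    private StandardBearerTokenProvider provider;
    private JWSVerifier jwsVerifier;

    /**
     * Generates the RSA key pair shared by all tests in this class.
     *
     * @throws NoSuchAlgorithmException when the RSA key pair generator is not available
     */
    @BeforeAll
    public static void setKeyPair() throws NoSuchAlgorithmException {
        final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(KEY_ALGORITHM);
        keyPairGenerator.initialize(KEY_SIZE);
        keyPair = keyPairGenerator.generateKeyPair();
    }

    /**
     * Creates the provider under test, a verifier bound to the test public key, and stubs the
     * signer provider to return a PS512 signer for any requested {@link Instant}.
     */
    @BeforeEach
    public void setProvider() {
        provider = new StandardBearerTokenProvider(jwsSignerProvider);
        jwsVerifier = new RSASSAVerifier((RSAPublicKey) keyPair.getPublic());

        final String keyIdentifier = UUID.randomUUID().toString();
        final JwsSignerContainer jwsSignerContainer =
                new JwsSignerContainer(keyIdentifier, JWS_ALGORITHM, new RSASSASigner(keyPair.getPrivate()));
        Mockito.when(jwsSignerProvider.getJwsSignerContainer(ArgumentMatchers.isA(Instant.class)))
                .thenReturn(jwsSignerContainer);
    }

    /** A token requested without authorities is signed and carries the expected claims. */
    @Test
    public void testGetBearerToken() throws ParseException, JOSEException {
        final LoginAuthenticationToken loginAuthenticationToken =
                new LoginAuthenticationToken(IDENTITY, USERNAME, EXPIRATION.toMillis(), ISSUER);

        final String bearerToken = provider.getBearerToken(loginAuthenticationToken);

        assertTokenMatched(bearerToken, loginAuthenticationToken);
    }

    /** A token requested with one granted authority carries that authority in the groups claim. */
    @Test
    public void testGetBearerTokenGroups() throws ParseException, JOSEException {
        final LoginAuthenticationToken loginAuthenticationToken = new LoginAuthenticationToken(
                IDENTITY, USERNAME, EXPIRATION.toMillis(), ISSUER,
                Collections.singletonList(new SimpleGrantedAuthority(GROUP)));

        final String bearerToken = provider.getBearerToken(loginAuthenticationToken);

        assertTokenMatched(bearerToken, loginAuthenticationToken);
    }

    /**
     * A login requesting {@link #MAXIMUM_DURATION_EXCEEDED} must yield a token whose expiration
     * claim is earlier than the login expiration, so an over-long request cannot produce an
     * equally long-lived bearer token.
     */
    @Test
    public void testGetBearerTokenExpirationMaximum() throws ParseException, JOSEException {
        final LoginAuthenticationToken loginAuthenticationToken =
                new LoginAuthenticationToken(IDENTITY, USERNAME, MAXIMUM_DURATION_EXCEEDED.toMillis(), ISSUER);

        final SignedJWT signedJwt = assertTokenVerified(provider.getBearerToken(loginAuthenticationToken));
        final Date claimExpirationTime = signedJwt.getJWTClaimsSet().getExpirationTime();
        Assertions.assertNotNull(claimExpirationTime, "Expiration Time not found");

        final Date loginExpirationTime = new Date(loginAuthenticationToken.getExpiration());
        // assertNotSame compared object identity, which is always distinct for two freshly built
        // strings and therefore could never fail; compare the values instead.
        Assertions.assertNotEquals(loginExpirationTime.toString(), claimExpirationTime.toString(), "Expiration Time matched");
        Assertions.assertTrue(
                claimExpirationTime.toInstant().isBefore(loginExpirationTime.toInstant()),
                "Claim Expiration after Login Expiration");
    }

    /**
     * A login requesting {@link #MINIMUM_DURATION_EXCEEDED} must yield a token whose expiration
     * claim is later than the login expiration.
     */
    @Test
    public void testGetBearerTokenExpirationMinimum() throws ParseException, JOSEException {
        final LoginAuthenticationToken loginAuthenticationToken =
                new LoginAuthenticationToken(IDENTITY, USERNAME, MINIMUM_DURATION_EXCEEDED.toMillis(), ISSUER);

        final SignedJWT signedJwt = assertTokenVerified(provider.getBearerToken(loginAuthenticationToken));
        final Date claimExpirationTime = signedJwt.getJWTClaimsSet().getExpirationTime();
        Assertions.assertNotNull(claimExpirationTime, "Expiration Time not found");

        final Date loginExpirationTime = new Date(loginAuthenticationToken.getExpiration());
        // Value comparison: an identity comparison of two new strings is always true.
        Assertions.assertNotEquals(loginExpirationTime.toString(), claimExpirationTime.toString(), "Expiration Time matched");
        Assertions.assertTrue(
                claimExpirationTime.toInstant().isAfter(loginExpirationTime.toInstant()),
                "Claim Expiration before Login Expiration");
    }

    /**
     * Parses the serialized token and asserts that it was signed with the configured algorithm
     * and that the signature verifies against the test public key.
     *
     * @param bearerToken serialized signed JSON Web Token
     * @return parsed token whose signature has been verified
     * @throws ParseException when the token cannot be parsed
     * @throws JOSEException when signature verification cannot be performed
     */
    private SignedJWT assertTokenVerified(final String bearerToken) throws ParseException, JOSEException {
        final SignedJWT signedJwt = SignedJWT.parse(bearerToken);
        // The RSA verifier is not restricted to one algorithm here, so pin the header algorithm
        // explicitly: a token signed with a different algorithm than the configured one should fail.
        Assertions.assertEquals(JWS_ALGORITHM, signedJwt.getHeader().getAlgorithm(), "Header Algorithm not matched");
        Assertions.assertTrue(signedJwt.verify(jwsVerifier), "Verification Failed");
        return signedJwt;
    }

    /**
     * Verifies the token signature and asserts that the registered and custom claims match the
     * login token the bearer token was requested for.
     *
     * @param bearerToken serialized signed JSON Web Token
     * @param loginAuthenticationToken login token passed to the provider
     * @throws ParseException when the token or one of its claims cannot be parsed
     * @throws JOSEException when signature verification cannot be performed
     */
    private void assertTokenMatched(final String bearerToken, final LoginAuthenticationToken loginAuthenticationToken)
            throws ParseException, JOSEException {
        final JWTClaimsSet claims = assertTokenVerified(bearerToken).getJWTClaimsSet();

        Assertions.assertNotNull(claims.getIssueTime(), "Issue Time not found");
        Assertions.assertNotNull(claims.getNotBeforeTime(), "Not Before Time not found");

        final Date claimExpirationTime = claims.getExpirationTime();
        Assertions.assertNotNull(claimExpirationTime, "Expiration Time not found");
        // Compared through Date.toString(), which drops milliseconds.
        // NOTE(review): presumably because the expiration claim is stored with second precision - confirm.
        final Date loginExpirationTime = new Date(loginAuthenticationToken.getExpiration());
        Assertions.assertEquals(loginExpirationTime.toString(), claimExpirationTime.toString(), "Expiration Time not matched");

        Assertions.assertEquals(ISSUER, claims.getIssuer());
        Assertions.assertEquals(Collections.singletonList(ISSUER), claims.getAudience());
        Assertions.assertEquals(IDENTITY, claims.getSubject());
        Assertions.assertEquals(USERNAME, claims.getClaim(SupportedClaim.PREFERRED_USERNAME.getClaim()));
        Assertions.assertNotNull(claims.getJWTID(), "JSON Web Token Identifier not found");

        final List<String> groups = claims.getStringListClaim(SupportedClaim.GROUPS.getClaim());
        Assertions.assertNotNull(groups);
        final List<String> expectedGroups = loginAuthenticationToken.getAuthorities().stream()
                .map(authority -> authority.getAuthority())
                .collect(Collectors.toList());
        Assertions.assertEquals(expectedGroups, groups);
    }
}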
