package org.eclipse.sensinact.gateway.northbound.security.oidc.integration;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.sun.net.httpserver.HttpServer;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.jackson.io.JacksonSerializer;
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.security.Key;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECPublicKeySpec;
import java.security.spec.RSAPublicKeySpec;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Base64;
import java.util.Date;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.crypto.spec.SecretKeySpec;
import org.eclipse.sensinact.core.security.UserInfo;
import org.eclipse.sensinact.gateway.northbound.security.oidc.Certificates;
import org.eclipse.sensinact.northbound.security.api.Authenticator;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.EnumSource;
import org.osgi.service.cm.Configuration;
import org.osgi.service.cm.ConfigurationAdmin;
import org.osgi.service.cm.annotations.RequireConfigurationAdmin;
import org.osgi.test.common.annotation.InjectService;

@RequireConfigurationAdmin
/* loaded from: input_file:org/eclipse/sensinact/gateway/northbound/security/oidc/integration/ValidatorTest.class */
public class ValidatorTest {
    private static final Map<String, String> EC_CURVE_NAME_MAPPING = Map.of("ES256", "secp256r1", "ES384", "secp384r1", "ES512", "secp521r1");
    private final Map<SignatureAlgorithm, KeyPair> asymmetricKeys = new HashMap();
    private final Map<SignatureAlgorithm, Key> keys = new HashMap();
    private final ObjectMapper mapper = JsonMapper.builder().build();
    private HttpServer httpServer;
    private String DISCOVERY;
    private Configuration config;

    @BeforeEach
    public void startCertificateEndpoint(@InjectService ConfigurationAdmin configurationAdmin) throws Exception {
        for (SignatureAlgorithm signatureAlgorithm : SignatureAlgorithm.values()) {
            if (signatureAlgorithm != SignatureAlgorithm.NONE) {
                if (signatureAlgorithm.isHmac()) {
                    byte[] bArr = new byte[signatureAlgorithm.getMinKeyLength()];
                    new SecureRandom().nextBytes(bArr);
                    this.keys.put(signatureAlgorithm, new SecretKeySpec(bArr, signatureAlgorithm.getJcaName()));
                } else if (signatureAlgorithm.isRsa()) {
                    KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
                    keyPairGenerator.initialize(signatureAlgorithm.getMinKeyLength());
                    this.asymmetricKeys.put(signatureAlgorithm, keyPairGenerator.genKeyPair());
                } else {
                    if (!signatureAlgorithm.isEllipticCurve()) {
                        throw new IllegalArgumentException("Unknown key type " + signatureAlgorithm.getDescription());
                    }
                    KeyPairGenerator keyPairGenerator2 = KeyPairGenerator.getInstance("EC");
                    keyPairGenerator2.initialize(new ECGenParameterSpec(EC_CURVE_NAME_MAPPING.get(signatureAlgorithm.getValue())));
                    this.asymmetricKeys.put(signatureAlgorithm, keyPairGenerator2.genKeyPair());
                }
            }
        }
        Certificates certificates = new Certificates();
        certificates.setKeys((List) Stream.concat(this.asymmetricKeys.entrySet().stream().map(entry -> {
            try {
                SignatureAlgorithm signatureAlgorithm2 = (SignatureAlgorithm) entry.getKey();
                Certificates.KeyInfo keyInfo = new Certificates.KeyInfo();
                keyInfo.setAlgorithm(signatureAlgorithm2.getValue());
                keyInfo.setKeyId(signatureAlgorithm2.getDescription());
                Base64.Encoder urlEncoder = Base64.getUrlEncoder();
                if (signatureAlgorithm2.isRsa()) {
                    KeyFactory keyFactory = KeyFactory.getInstance("RSA");
                    keyInfo.setType("RSA");
                    RSAPublicKeySpec rSAPublicKeySpec = (RSAPublicKeySpec) keyFactory.getKeySpec(((KeyPair) entry.getValue()).getPublic(), RSAPublicKeySpec.class);
                    keyInfo.setRsaModulus(urlEncoder.encodeToString(rSAPublicKeySpec.getModulus().toByteArray()));
                    keyInfo.setRsaExponent(urlEncoder.encodeToString(rSAPublicKeySpec.getPublicExponent().toByteArray()));
                } else {
                    if (!signatureAlgorithm2.isEllipticCurve()) {
                        throw new IllegalArgumentException("Unknown key type " + signatureAlgorithm2.getDescription());
                    }
                    KeyFactory keyFactory2 = KeyFactory.getInstance("EC");
                    keyInfo.setType("EC");
                    ECPublicKeySpec eCPublicKeySpec = (ECPublicKeySpec) keyFactory2.getKeySpec(((KeyPair) entry.getValue()).getPublic(), ECPublicKeySpec.class);
                    keyInfo.setEcCurve(signatureAlgorithm2.getValue());
                    keyInfo.setEcXCoordinate(urlEncoder.encodeToString(eCPublicKeySpec.getW().getAffineX().toByteArray()));
                    keyInfo.setEcYCoordinate(urlEncoder.encodeToString(eCPublicKeySpec.getW().getAffineY().toByteArray()));
                }
                return keyInfo;
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
        }), this.keys.entrySet().stream().map(entry2 -> {
            try {
                SignatureAlgorithm signatureAlgorithm2 = (SignatureAlgorithm) entry2.getKey();
                Certificates.KeyInfo keyInfo = new Certificates.KeyInfo();
                keyInfo.setAlgorithm(signatureAlgorithm2.getValue());
                keyInfo.setKeyId(signatureAlgorithm2.getDescription());
                Base64.Encoder urlEncoder = Base64.getUrlEncoder();
                if (!signatureAlgorithm2.isHmac()) {
                    throw new IllegalArgumentException("Unknown key type " + signatureAlgorithm2.getDescription());
                }
                keyInfo.setType("HMAC");
                keyInfo.setSymmetricKey(urlEncoder.encodeToString(((Key) entry2.getValue()).getEncoded()));
                return keyInfo;
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
        })).collect(Collectors.toList()));
        this.httpServer = HttpServer.create();
        this.httpServer.bind(new InetSocketAddress(InetAddress.getLoopbackAddress(), 0), 0);
        this.httpServer.start();
        InetSocketAddress address = this.httpServer.getAddress();
        String format = String.format("http://%s:%d/", address.getAddress().getHostAddress(), Integer.valueOf(address.getPort()));
        this.DISCOVERY = format + "discovery";
        this.httpServer.createContext("/discovery", httpExchange -> {
            httpExchange.sendResponseHeaders(200, 0L);
            this.mapper.writeValue(httpExchange.getResponseBody(), Map.of("jwks_uri", format + "certificates"));
        });
        this.httpServer.createContext("/certificates", httpExchange2 -> {
            httpExchange2.sendResponseHeaders(200, 0L);
            this.mapper.writeValue(httpExchange2.getResponseBody(), certificates);
        });
        this.config = configurationAdmin.getFactoryConfiguration("sensinact.northbound.auth.oidc", "test", "?");
        this.config.update(new Hashtable(Map.of("realm", "test", "discoveryURL", this.DISCOVERY)));
    }

    @AfterEach
    public void clear() throws IOException {
        this.config.delete();
        this.httpServer.stop(0);
        this.httpServer = null;
        this.asymmetricKeys.clear();
        this.keys.clear();
    }

    @EnumSource(value = SignatureAlgorithm.class, mode = EnumSource.Mode.EXCLUDE, names = {"NONE"})
    @ParameterizedTest
    void testValidSignatures(SignatureAlgorithm signatureAlgorithm, @InjectService(timeout = 5000) Authenticator authenticator) throws Exception {
        Date date = new Date(Instant.now().minus((TemporalAmount) Duration.ofHours(1L)).toEpochMilli());
        UserInfo authenticate = authenticator.authenticate((String) null, Jwts.builder().setSubject("test").setIssuedAt(date).setExpiration(new Date(Instant.now().plus((TemporalAmount) Duration.ofHours(1L)).toEpochMilli())).setHeaderParam("kid", signatureAlgorithm.getDescription()).serializeToJsonWith(new JacksonSerializer(this.mapper)).signWith(this.asymmetricKeys.containsKey(signatureAlgorithm) ? this.asymmetricKeys.get(signatureAlgorithm).getPrivate() : this.keys.get(signatureAlgorithm), signatureAlgorithm).compact());
        Assertions.assertEquals("test", authenticate.getUserId());
        Assertions.assertTrue(authenticate.isAuthenticated());
    }
}
