package org.keycloak.protocol.saml;

import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Collections;
import java.util.function.Function;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.junit.Assert;
import org.junit.Assume;
import org.junit.BeforeClass;
import org.junit.Test;
import org.keycloak.dom.saml.v2.assertion.AssertionType;
import org.keycloak.dom.saml.v2.assertion.NameIDType;
import org.keycloak.dom.saml.v2.protocol.ResponseType;
import org.keycloak.saml.SAML2LoginResponseBuilder;
import org.keycloak.saml.SAMLRequestParser;
import org.keycloak.saml.common.constants.JBossSAMLConstants;
import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
import org.keycloak.saml.common.util.DocumentUtil;
import org.keycloak.saml.processing.core.saml.v2.util.AssertionUtil;
import org.keycloak.saml.processing.core.util.XMLEncryptionUtil;
import org.keycloak.services.resteasy.ResteasyKeycloakSession;
import org.keycloak.services.resteasy.ResteasyKeycloakSessionFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:org/keycloak/protocol/saml/SamlEncryptionTest.class */
public class SamlEncryptionTest {
    private static final KeyPair rsaKeyPair;
    private static final XMLEncryptionUtil.DecryptionKeyLocator keyLocator;

    @BeforeClass
    public static void beforeClass() {
        Cipher cipher = null;
        SecureRandom secureRandom = null;
        try {
            secureRandom = SecureRandom.getInstance("SHA1PRNG");
            cipher = Cipher.getInstance("RSA/ECB/OAEPPadding");
        } catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
        }
        Assume.assumeNotNull(new Object[]{"OAEPPadding not supported", cipher});
        Assume.assumeNotNull(new Object[]{"SHA1PRNG required for Apache santuario xmlsec", secureRandom});
    }

    private void testEncryption(KeyPair keyPair, String str, int i, String str2, String str3, String str4) throws Exception {
        testEncryption(keyPair, str, i, str2, str3, str4, Function.identity());
    }

    private void testEncryption(KeyPair keyPair, String str, int i, String str2, String str3, String str4, Function<Document, Document> function) throws Exception {
        SAML2LoginResponseBuilder sAML2LoginResponseBuilder = new SAML2LoginResponseBuilder();
        sAML2LoginResponseBuilder.requestID("requestId").destination("http://localhost").issuer("issuer").assertionExpiration(300).subjectExpiration(300).sessionExpiration(300).requestIssuer("clientId").authMethod(JBossSAMLURIConstants.AC_UNSPECIFIED.get()).sessionIndex("sessionIndex").nameIdentifier(JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get(), "nameId");
        ResponseType buildModel = sAML2LoginResponseBuilder.buildModel();
        JaxrsSAML2BindingBuilder jaxrsSAML2BindingBuilder = new JaxrsSAML2BindingBuilder(new ResteasyKeycloakSession(new ResteasyKeycloakSessionFactory()));
        if (str != null) {
            jaxrsSAML2BindingBuilder.encryptionAlgorithm(str);
        }
        if (i > 0) {
            jaxrsSAML2BindingBuilder.encryptionKeySize(i);
        }
        if (str2 != null) {
            jaxrsSAML2BindingBuilder.keyEncryptionAlgorithm(str2);
        }
        if (str3 != null) {
            jaxrsSAML2BindingBuilder.keyEncryptionDigestMethod(str3);
        }
        if (str4 != null) {
            jaxrsSAML2BindingBuilder.keyEncryptionMgfAlgorithm(str4);
        }
        jaxrsSAML2BindingBuilder.encrypt(keyPair.getPublic());
        Document buildDocument = sAML2LoginResponseBuilder.buildDocument(buildModel);
        jaxrsSAML2BindingBuilder.postBinding(buildDocument);
        ResponseType samlObject = SAMLRequestParser.parseResponseDocument(DocumentUtil.getDocumentAsString(function.apply(buildDocument)).getBytes(StandardCharsets.UTF_8)).getSamlObject();
        Assert.assertTrue("Assertion is not encrypted", AssertionUtil.isAssertionEncrypted(samlObject));
        AssertionUtil.decryptAssertion(samlObject, keyLocator);
        AssertionType assertion = ((ResponseType.RTChoiceType) samlObject.getAssertions().get(0)).getAssertion();
        Assert.assertEquals("issuer", assertion.getIssuer().getValue());
        MatcherAssert.assertThat(assertion.getSubject().getSubType().getBaseID(), Matchers.instanceOf(NameIDType.class));
        Assert.assertEquals("nameId", assertion.getSubject().getSubType().getBaseID().getValue());
    }

    private Document moveEncryptedKeyToRetrievalMethod(Document document) {
        Element element = (Element) document.getElementsByTagNameNS(JBossSAMLURIConstants.XMLENC_NSURI.get(), JBossSAMLConstants.ENCRYPTED_KEY.get()).item(0);
        Element element2 = (Element) element.getParentNode();
        element2.removeChild(element);
        element.setAttribute("Id", "encryption-key-123");
        element2.getParentNode().getParentNode().appendChild(element);
        Element createElementNS = document.createElementNS(JBossSAMLURIConstants.XMLENC_NSURI.get(), "xenc:RetrievalMethod");
        createElementNS.setAttribute("Type", "http://www.w3.org/2001/04/xmlenc#EncryptedKey");
        createElementNS.setAttribute("URI", "encryption-key-123");
        element2.appendChild(createElementNS);
        return document;
    }

    @Test
    public void testDefault() throws Exception {
        testEncryption(rsaKeyPair, null, -1, null, null, null);
    }

    @Test
    public void testAES256() throws Exception {
        testEncryption(rsaKeyPair, "AES", 256, null, null, null);
    }

    @Test
    public void testDefaultKeyWraps() throws Exception {
        for (SAMLEncryptionAlgorithms sAMLEncryptionAlgorithms : SAMLEncryptionAlgorithms.values()) {
            for (String str : sAMLEncryptionAlgorithms.getXmlEncIdentifiers()) {
                testEncryption(rsaKeyPair, null, -1, str, null, null);
            }
        }
    }

    @Test
    public void testKeyWrapsWithSha512() throws Exception {
        for (SAMLEncryptionAlgorithms sAMLEncryptionAlgorithms : SAMLEncryptionAlgorithms.values()) {
            for (String str : sAMLEncryptionAlgorithms.getXmlEncIdentifiers()) {
                testEncryption(rsaKeyPair, null, -1, str, "http://www.w3.org/2001/04/xmlenc#sha512", null);
            }
        }
    }

    @Test
    public void testRsaOaep11WithSha512AndMgfSha512() throws Exception {
        testEncryption(rsaKeyPair, "AES", 256, "http://www.w3.org/2009/xmlenc11#rsa-oaep", "http://www.w3.org/2001/04/xmlenc#sha512", "http://www.w3.org/2009/xmlenc11#mgf1sha512");
    }

    @Test
    public void testEncryptionWithRetrievalMethod() throws Exception {
        testEncryption(rsaKeyPair, null, -1, null, null, null, this::moveEncryptedKeyToRetrievalMethod);
    }

    static {
        try {
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
            keyPairGenerator.initialize(2048);
            rsaKeyPair = keyPairGenerator.generateKeyPair();
            keyLocator = encryptedData -> {
                try {
                    Assert.assertNotNull("EncryptedData does not contain KeyInfo", encryptedData.getKeyInfo());
                    Assert.assertNotNull("EncryptedData does not contain EncryptedKey", encryptedData.getKeyInfo().itemEncryptedKey(0));
                    return Collections.singletonList(rsaKeyPair.getPrivate());
                } catch (XMLSecurityException e) {
                    throw new IllegalArgumentException("EncryptedData does not contain KeyInfo ", e);
                }
            };
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
