package com.mulesoft.modules.oauth2.provider;

import com.mulesoft.modules.oauth2.provider.api.Constants;
import com.mulesoft.modules.oauth2.provider.api.client.ClientType;
import java.io.File;
import java.io.IOException;
import java.net.URI;
import java.security.GeneralSecurityException;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import javax.net.ssl.SSLContext;
import net.smartam.leeloo.client.request.OAuthClientRequest;
import net.smartam.leeloo.common.message.types.GrantType;
import org.apache.commons.io.FileUtils;
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.methods.HttpPut;
import org.apache.http.entity.ContentType;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.junit.Test;
import org.mule.runtime.api.metadata.MediaType;
import org.mule.runtime.core.api.util.IOUtils;
import org.mule.runtime.http.api.HttpConstants;
import org.mule.runtime.http.api.HttpHeaders;

/* loaded from: input_file:com/mulesoft/modules/oauth2/provider/OAuth2ProviderModuleCoreSecureTestCase.class */
public class OAuth2ProviderModuleCoreSecureTestCase extends AbstractOAuth2ProviderModuleTestCase {
    /** Path of the resource that requires a valid access token (see the accessProtectedResource* tests). */
    private static final String PROTECTED_RESOURCE_PATH = "/protected";
    // NOTE(review): no reference to this constant was found in the methods of this class - confirm it is still needed.
    private static final String CLIENT_RESTRICTED_RESOURCE_PATH = "/client_only";
    /** Classpath location of the keystore whose key material is presented by the test HTTPS client. */
    private static final String keyStorePath = "tls/clientKeystore";
    /** Classpath location of the truststore used to validate the server certificate. */
    private static final String trustStorePath = "tls/trustStore";
    // Test-fixture passwords for the stores above; both stores are protected by the same value.
    private static final String storePassword = "mulepassword";
    private static final String keyPassword = "mulepassword";
    /** TLS protocol version requested from the SSL context builder; older protocol versions are not negotiated. */
    private static final String protocol = "TLSv1.2";

    /**
     * Names the Mule configuration for this suite: the HTTPS variant of the core provider tests.
     *
     * @return classpath name of the HTTPS test configuration
     */
    @Override
    protected String doGetConfigFile() {
        final String httpsConfig = "oauth2-core-tests-https-config.xml";
        return httpsConfig;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * URL scheme used when the base class builds the endpoint URLs for this suite.
     *
     * @return always {@code "https"}
     */
    @Override
    public String getProtocol() {
        final String scheme = "https";
        return scheme;
    }

    /**
     * Issues a GET over the HTTPS client built by {@code getSecureClient(false)}, i.e. with redirects followed.
     *
     * @param str absolute URL to fetch
     * @return the raw response; the caller consumes its entity
     * @throws IOException on transport failure or if a key/trust store cannot be read
     * @throws GeneralSecurityException if the SSL context cannot be built
     */
    protected static HttpResponse executeGetRequest(String str) throws IOException, GeneralSecurityException {
        HttpGet get = new HttpGet(str);
        HttpClient client = getSecureClient(false);
        return client.execute(get);
    }

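    /**
     * Builds an HTTPS client that uses the SSL context from {@link #getSslContext()}.
     *
     * @param disableRedirects when {@code true} 3xx responses are returned as-is instead of being followed,
     *     which the authorization-endpoint tests need in order to inspect the {@code Location} header
     * @return a newly built client (one per call; nothing is cached)
     * @throws IOException if a key/trust store cannot be read
     * @throws GeneralSecurityException if the SSL context cannot be built
     */
    private static HttpClient getSecureClient(boolean disableRedirects) throws IOException, GeneralSecurityException {
        // setSSLContext is the non-deprecated replacement for setSslcontext (HttpClient 4.4+,
        // which this file already requires through org.apache.http.ssl.SSLContexts).
        HttpClientBuilder builder = HttpClients.custom().setSSLContext(getSslContext());
        if (disableRedirects) {
            builder.disableRedirectHandling();
        }
        return builder.build();
    }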

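    /**
     * Builds the SSL context used by every request in this suite: the client key material from
     * {@code keyStorePath} and the trust anchors from {@code trustStorePath}, restricted to {@code protocol}.
     * The store and key passwords come from the class constants instead of a repeated literal, so a
     * fixture change in one place cannot silently diverge from the other.
     *
     * @return a context with both key and trust material loaded
     * @throws IOException if a store file cannot be read
     * @throws GeneralSecurityException if a store cannot be opened with the configured passwords
     */
    private static SSLContext getSslContext() throws IOException, GeneralSecurityException {
        File keyStore = FileUtils.getFile(
                org.mule.runtime.core.api.util.FileUtils.getResourcePath(keyStorePath, OAuth2ProviderModuleCoreSecureTestCase.class));
        File trustStore = FileUtils.getFile(
                org.mule.runtime.core.api.util.FileUtils.getResourcePath(trustStorePath, OAuth2ProviderModuleCoreSecureTestCase.class));
        // Both stores are protected by storePassword; keyPassword unlocks the private key entry.
        char[] storePwd = storePassword.toCharArray();
        char[] keyPwd = keyPassword.toCharArray();
        return SSLContexts.custom()
                .useProtocol(protocol)
                .loadKeyMaterial(keyStore, storePwd, keyPwd)
                .loadTrustMaterial(trustStore, storePwd)
                .build();
    }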

    /** PUT is not accepted on the authorization endpoint: the provider answers 405. */
    @Test
    public void accessLoginPageBadMethod() throws Exception {
        String loginUri = OAuthClientRequest.authorizationLocation(getAuthorizationEndpointUrl())
                .buildQueryMessage()
                .getLocationUri();
        HttpResponse response = getSecureClient(false).execute(new HttpPut(loginUri));
        int status = response.getStatusLine().getStatusCode();
        MatcherAssert.assertThat(status, Matchers.is(405));
    }

    /** A GET with no OAuth parameters at all is rejected with 400 and a form-encoded error body. */
    @Test
    public void accessLoginPageEmptyRequest() throws Exception {
        String loginUri = OAuthClientRequest.authorizationLocation(getAuthorizationEndpointUrl())
                .buildQueryMessage()
                .getLocationUri();
        HttpResponse response = getSecureClient(false).execute(new HttpGet(loginUri));
        MatcherAssert.assertThat(response.getStatusLine().getStatusCode(), Matchers.is(400));
        // The error is carried in the body (there is no redirect URI to send it to).
        String body = IOUtils.toString(response.getEntity().getContent());
        Map<String, List<String>> params = decodeParameters(body);
        MatcherAssert.assertThat(params.get("error").get(0), Matchers.is("unsupported_response_type"));
        MatcherAssert.assertThat(params.get("error_description").get(0), Matchers.is("Missing mandatory parameter: response_type"));
    }

    /** An unknown response_type is rejected with 400 and unsupported_response_type naming the offending value. */
    @Test
    public void accessLoginPageBadResponseType() throws Exception {
        String loginUri = OAuthClientRequest.authorizationLocation(getAuthorizationEndpointUrl())
                .setResponseType("_bad_")
                .buildQueryMessage()
                .getLocationUri();
        HttpResponse response = getSecureClient(false).execute(new HttpGet(loginUri));
        MatcherAssert.assertThat(response.getStatusLine().getStatusCode(), Matchers.is(400));
        String body = IOUtils.toString(response.getEntity().getContent());
        Map<String, List<String>> params = decodeParameters(body);
        MatcherAssert.assertThat(params.get("error").get(0), Matchers.is("unsupported_response_type"));
        MatcherAssert.assertThat(params.get("error_description").get(0), Matchers.is("Response type '_bad_' is not supported"));
    }

    /** An unknown client_id yields 400 with unauthorized_client in the body. */
    @Test
    public void accessLoginPageBadClientId() throws Exception {
        String loginUri = OAuthClientRequest.authorizationLocation(getAuthorizationEndpointUrl())
                .setResponseType("code")
                .setClientId("_bad_")
                .buildQueryMessage()
                .getLocationUri();
        HttpResponse response = getSecureClient(false).execute(new HttpGet(loginUri));
        MatcherAssert.assertThat(response.getStatusLine().getStatusCode(), Matchers.is(400));
        String body = IOUtils.toString(response.getEntity().getContent());
        String error = decodeParameters(body).get("error").get(0);
        MatcherAssert.assertThat(error, Matchers.is("unauthorized_client"));
    }

    /**
     * An invalid redirect_uri yields 400 with invalid_redirection_uri. The error is returned in the body:
     * a redirect URI that fails validation must not be used as the target of an error redirect.
     */
    @Test
    public void accessLoginPageBadRedirectUri() throws Exception {
        String loginUri = OAuthClientRequest.authorizationLocation(getAuthorizationEndpointUrl())
                .setResponseType("code")
                .setClientId("clientId1")
                .setRedirectURI("_bad_")
                .buildQueryMessage()
                .getLocationUri();
        HttpResponse response = getSecureClient(false).execute(new HttpGet(loginUri));
        MatcherAssert.assertThat(response.getStatusLine().getStatusCode(), Matchers.is(400));
        String body = IOUtils.toString(response.getEntity().getContent());
        String error = decodeParameters(body).get("error").get(0);
        MatcherAssert.assertThat(error, Matchers.is("invalid_redirection_uri"));
    }

    /**
     * Code flow: a valid client and redirect URI but a rejected scope produce a 302 to the redirect URI
     * with invalid_scope carried in the query component.
     */
    @Test
    public void accessLoginPageWithScopeFailureAuthorizationCodeGrant() throws Exception {
        String loginUri = OAuthClientRequest.authorizationLocation(getAuthorizationEndpointUrl())
                .setResponseType("code")
                .setClientId("clientId1")
                .setRedirectURI(AbstractOAuth2ProviderModuleTestCase.TEST_REDIRECT_URI)
                .setScope("test_scope")
                .buildQueryMessage()
                .getLocationUri();
        // Redirects are not followed so the Location header can be inspected.
        HttpResponse response = getSecureClient(true).execute(new HttpGet(loginUri));
        MatcherAssert.assertThat(response.getStatusLine().getStatusCode(), Matchers.is(302));
        String location = response.getHeaders("Location")[0].getValue();
        MatcherAssert.assertThat(location, Matchers.is(Matchers.not(Matchers.nullValue())));
        String query = new URI(location).getQuery();
        MatcherAssert.assertThat("authorization code grant type location has query", query, Matchers.is(Matchers.not(Matchers.nullValue())));
        String error = decodeParameters(location).get("error").get(0);
        MatcherAssert.assertThat(error, Matchers.is("invalid_scope"));
    }

    /**
     * Implicit flow: the same scope failure is redirected with the error in the URI fragment and no
     * query component, as the token response type requires.
     */
    @Test
    public void accessLoginPageWithScopeFailureImplicitGrant() throws Exception {
        String loginUri = OAuthClientRequest.authorizationLocation(getAuthorizationEndpointUrl())
                .setResponseType("token")
                .setClientId("clientId1")
                .setRedirectURI(AbstractOAuth2ProviderModuleTestCase.TEST_REDIRECT_URI)
                .setScope("test_scope")
                .buildQueryMessage()
                .getLocationUri();
        HttpResponse response = getSecureClient(true).execute(new HttpGet(loginUri));
        MatcherAssert.assertThat(response.getStatusLine().getStatusCode(), Matchers.is(302));
        String location = response.getHeaders("Location")[0].getValue();
        MatcherAssert.assertThat(location, Matchers.is(Matchers.not(Matchers.nullValue())));
        URI redirect = new URI(location);
        MatcherAssert.assertThat("token grant type location has no query", redirect.getQuery(), Matchers.is(Matchers.nullValue()));
        MatcherAssert.assertThat("token grant type location has fragment", redirect.getFragment(), Matchers.is(Matchers.not(Matchers.nullValue())));
        String error = decodeParameters(location).get("error").get(0);
        MatcherAssert.assertThat(error, Matchers.is("invalid_scope"));
    }

    /** A well-formed code request returns the HTML login page whose form echoes the request parameters. */
    @Test
    public void accessLoginPageSuccess() throws Exception {
        String loginUri = OAuthClientRequest.authorizationLocation(getAuthorizationEndpointUrl())
                .setResponseType("code")
                .setClientId("clientId1")
                .setRedirectURI(AbstractOAuth2ProviderModuleTestCase.TEST_REDIRECT_URI)
                .buildQueryMessage()
                .getLocationUri();
        HttpResponse response = getSecureClient(false).execute(new HttpGet(loginUri));
        MatcherAssert.assertThat(response.getStatusLine().getStatusCode(), Matchers.is(200));
        String contentType = response.getHeaders("Content-Type")[0].getValue();
        MatcherAssert.assertThat(contentType, Matchers.is(MediaType.HTML.toRfcString()));
        String page = IOUtils.toString(response.getEntity().getContent());
        MatcherAssert.assertThat(page, Matchers.containsString("<html>"));
        // The login form must carry the original request values forward.
        assertHasFormFieldContaining(page, "code");
        assertHasFormFieldContaining(page, "clientId1");
        assertHasFormFieldContaining(page, AbstractOAuth2ProviderModuleTestCase.TEST_REDIRECT_URI);
    }

    /** An empty POST to the authorization endpoint is a 400 with the error in the body and no Location header. */
    @Test
    public void validateCredentialsNoParamProvided() throws Exception {
        String loginUri = OAuthClientRequest.authorizationLocation(getAuthorizationEndpointUrl())
                .buildBodyMessage()
                .getLocationUri();
        HttpResponse response = getSecureClient(false).execute(new HttpPost(loginUri));
        MatcherAssert.assertThat(response.getStatusLine().getStatusCode(), Matchers.is(400));
        MatcherAssert.assertThat(response.getHeaders("Location"), Matchers.emptyArray());
        String body = IOUtils.toString(response.getEntity().getContent());
        Map<String, List<String>> params = decodeParameters(body);
        MatcherAssert.assertThat(params.get("error").get(0), Matchers.is("unsupported_response_type"));
        MatcherAssert.assertThat(params.get("error_description").get(0), Matchers.is("Missing mandatory parameter: response_type"));
    }

    /**
     * A login POST without username/password is redirected (302) to the registered redirect URI with
     * invalid_request; the response body itself is empty.
     */
    @Test
    public void validateCredentialsNoCredentialsProvided() throws Exception {
        OAuthClientRequest loginRequest = OAuthClientRequest.authorizationLocation(getAuthorizationEndpointUrl())
                .setResponseType("code")
                .setClientId("clientId1")
                .setRedirectURI(AbstractOAuth2ProviderModuleTestCase.TEST_REDIRECT_URI)
                .buildBodyMessage();
        StringEntity form = new StringEntity(loginRequest.getBody(), ContentType.APPLICATION_FORM_URLENCODED);
        HttpPost post = new HttpPost(loginRequest.getLocationUri());
        post.setEntity(form);
        HttpResponse response = getSecureClient(false).execute(post);
        MatcherAssert.assertThat(response.getStatusLine().getStatusCode(), Matchers.is(302));
        String location = response.getHeaders("Location")[0].getValue();
        MatcherAssert.assertThat(location, Matchers.is(Matchers.not(Matchers.nullValue())));
        Map<String, List<String>> params = decodeParameters(location);
        MatcherAssert.assertThat(params.get("error").get(0), Matchers.is("invalid_request"));
        MatcherAssert.assertThat(params.get("error_description").get(0), Matchers.is("Missing mandatory parameter: username"));
        String body = IOUtils.toString(response.getEntity().getContent());
        MatcherAssert.assertThat(body, Matchers.isEmptyString());
    }

    /** Wrong resource-owner credentials in the code flow; the shared check lives in doValidateCredentialsInvalidCredentials. */
    @Test
    public void validateCredentialsInvalidCredentialsAuthorizationCodeGrant() throws Exception {
        final String responseType = "code";
        doValidateCredentialsInvalidCredentials(responseType);
    }

    /** Wrong resource-owner credentials in the implicit flow; the shared check lives in doValidateCredentialsInvalidCredentials. */
    @Test
    public void validateCredentialsInvalidCredentialsImplicitGrant() throws Exception {
        final String responseType = "token";
        doValidateCredentialsInvalidCredentials(responseType);
    }

    /** A login POST with the test resource-owner credentials is redirected (302) with an authorization code. */
    @Test
    public void validateCredentialsValidCredentials() throws Exception {
        OAuthClientRequest loginRequest = OAuthClientRequest.authorizationLocation(getAuthorizationEndpointUrl())
                .setResponseType("code")
                .setClientId("clientId1")
                .setRedirectURI(AbstractOAuth2ProviderModuleTestCase.TEST_REDIRECT_URI)
                .setParameter("username", "rousr")
                .setParameter("password", "ropwd+%")
                .buildBodyMessage();
        StringEntity form = new StringEntity(loginRequest.getBody(), ContentType.APPLICATION_FORM_URLENCODED);
        HttpPost post = new HttpPost(loginRequest.getLocationUri());
        post.setEntity(form);
        HttpResponse response = getSecureClient(false).execute(post);
        MatcherAssert.assertThat(response.getStatusLine().getStatusCode(), Matchers.is(302));
        validateSuccessfulLoginResponse(response, "code");
    }

    /**
     * The opaque state value sent with the login request must be echoed unchanged on the redirect;
     * this is what lets a client bind the callback to its own session.
     */
    @Test
    public void validateCredentialsValidCredentialsWithState() throws Exception {
        String state = RandomStringUtils.randomAlphanumeric(10);
        OAuthClientRequest loginRequest = OAuthClientRequest.authorizationLocation(getAuthorizationEndpointUrl())
                .setResponseType("code")
                .setClientId("clientId1")
                .setRedirectURI(AbstractOAuth2ProviderModuleTestCase.TEST_REDIRECT_URI)
                .setParameter("username", "rousr")
                .setParameter("password", "ropwd+%")
                .setState(state)
                .buildBodyMessage();
        StringEntity form = new StringEntity(loginRequest.getBody(), ContentType.APPLICATION_FORM_URLENCODED);
        HttpPost post = new HttpPost(loginRequest.getLocationUri());
        post.setEntity(form);
        HttpResponse response = getSecureClient(false).execute(post);
        MatcherAssert.assertThat(response.getStatusLine().getStatusCode(), Matchers.is(302));
        String echoedState = validateSuccessfulLoginResponse(response, "code").get("state").get(0);
        MatcherAssert.assertThat(echoedState, Matchers.is(state));
    }

    /** An empty form POST to the token endpoint is a 400 with a JSON invalid_request error. */
    @Test
    public void tokenExchangeEmptyRequest() throws Exception {
        HttpPost post = new HttpPost(getTokenEndpointURL());
        String formType = HttpHeaders.Values.APPLICATION_X_WWW_FORM_URLENCODED.toRfcString();
        post.setHeader("Content-Type", formType);
        HttpResponse response = getSecureClient(false).execute(post);
        MatcherAssert.assertThat(response.getStatusLine().getStatusCode(), Matchers.is(400));
        String expected = "{\"error\":\"invalid_request\",\"error_description\":\"Missing mandatory parameter: grant_type\"}";
        assertEqualJsonObj(expected, response);
    }

    /** grant_type=none is rejected with 400 unsupported_grant_type. */
    @Test
    public void tokenExchangeUnsupportedGrantType() throws Exception {
        OAuthClientRequest tokenRequest = OAuthClientRequest.tokenLocation(getTokenEndpointURL())
                .setGrantType(GrantType.NONE)
                .buildBodyMessage();
        StringEntity form = new StringEntity(tokenRequest.getBody(), ContentType.APPLICATION_FORM_URLENCODED);
        HttpPost post = new HttpPost(getTokenEndpointURL());
        post.setEntity(form);
        HttpResponse response = getSecureClient(false).execute(post);
        MatcherAssert.assertThat(response.getStatusLine().getStatusCode(), Matchers.is(400));
        String expected = "{\"error\":\"unsupported_grant_type\",\"error_description\":\"Grant type 'none' is not supported\"}";
        assertEqualJsonObj(expected, response);
    }

    /** A confidential client sending only its client_id (no secret, no Authorization header) gets 400 invalid_client. */
    @Test
    public void tokenExchangeNoCredentials() throws Exception {
        OAuthClientRequest tokenRequest = OAuthClientRequest.tokenLocation(getTokenEndpointURL())
                .setGrantType(GrantType.AUTHORIZATION_CODE)
                .setClientId("clientId1")
                .buildBodyMessage();
        StringEntity form = new StringEntity(tokenRequest.getBody(), ContentType.APPLICATION_FORM_URLENCODED);
        HttpPost post = new HttpPost(getTokenEndpointURL());
        post.setEntity(form);
        HttpResponse response = getSecureClient(false).execute(post);
        MatcherAssert.assertThat(response.getStatusLine().getStatusCode(), Matchers.is(400));
        String expected = "{\"error\":\"invalid_client\",\"error_description\":\"Invalid credentials\"}";
        assertEqualJsonObj(expected, response);
    }

    /** A syntactically invalid Authorization header is a 400 invalid_request, distinct from wrong credentials (401). */
    @Test
    public void tokenExchangeBrokenAuthorization() throws Exception {
        OAuthClientRequest tokenRequest = OAuthClientRequest.tokenLocation(getTokenEndpointURL())
                .setGrantType(GrantType.AUTHORIZATION_CODE)
                .setClientId("clientId1")
                .buildBodyMessage();
        StringEntity form = new StringEntity(tokenRequest.getBody(), ContentType.APPLICATION_FORM_URLENCODED);
        HttpPost post = new HttpPost(tokenRequest.getLocationUri());
        post.setEntity(form);
        post.setHeader("Authorization", "_broken_");
        HttpResponse response = getSecureClient(false).execute(post);
        MatcherAssert.assertThat(response.getStatusLine().getStatusCode(), Matchers.is(400));
        String expected = "{\"error\":\"invalid_request\",\"error_description\":\"Invalid 'Authorization' header\"}";
        assertEqualJsonObj(expected, response);
    }

    /** Well-formed Basic credentials that do not match any client produce 401 invalid_client. */
    @Test
    public void tokenExchangeBadAuthorization() throws Exception {
        OAuthClientRequest tokenRequest = OAuthClientRequest.tokenLocation(getTokenEndpointURL())
                .setGrantType(GrantType.AUTHORIZATION_CODE)
                .setClientId("clientId1")
                .buildBodyMessage();
        StringEntity form = new StringEntity(tokenRequest.getBody(), ContentType.APPLICATION_FORM_URLENCODED);
        HttpPost post = new HttpPost(tokenRequest.getLocationUri());
        post.setEntity(form);
        post.setHeader("Authorization", getValidBasicAuthHeaderValue("_bad_", "_bad_"));
        HttpResponse response = getSecureClient(false).execute(post);
        MatcherAssert.assertThat(response.getStatusLine().getStatusCode(), Matchers.is(401));
        String body = IOUtils.toString(response.getEntity().getContent());
        MatcherAssert.assertThat(body, Matchers.containsString("\"error\":\"invalid_client\""));
    }

    /** An authorization-code exchange without redirect_uri is refused (400 invalid_redirection_uri) before the code is looked at. */
    @Test
    public void tokenExchangeInvalidRequestUri() throws Exception {
        OAuthClientRequest tokenRequest = OAuthClientRequest.tokenLocation(getTokenEndpointURL())
                .setGrantType(GrantType.AUTHORIZATION_CODE)
                .setClientId("clientId1")
                .setCode("_ignored_")
                .buildBodyMessage();
        StringEntity form = new StringEntity(tokenRequest.getBody(), ContentType.APPLICATION_FORM_URLENCODED);
        HttpPost post = new HttpPost(tokenRequest.getLocationUri());
        post.setEntity(form);
        post.setHeader("Authorization", getValidBasicAuthHeaderValue("clientId1", "clpwd+%"));
        HttpResponse response = getSecureClient(false).execute(post);
        MatcherAssert.assertThat(response.getStatusLine().getStatusCode(), Matchers.is(400));
        String expected = "{\"error\":\"invalid_redirection_uri\",\"error_description\":\"Missing mandatory parameter: redirect_uri\"}";
        assertEqualJsonObj(expected, response);
    }

    /** An authorization code the provider never issued is a 400 invalid_grant. */
    @Test
    public void tokenExchangeInvalidGrant() throws Exception {
        OAuthClientRequest tokenRequest = OAuthClientRequest.tokenLocation(getTokenEndpointURL())
                .setGrantType(GrantType.AUTHORIZATION_CODE)
                .setClientId("clientId1")
                .setCode("_invalid_")
                .setRedirectURI(AbstractOAuth2ProviderModuleTestCase.TEST_REDIRECT_URI)
                .buildBodyMessage();
        StringEntity form = new StringEntity(tokenRequest.getBody(), ContentType.APPLICATION_FORM_URLENCODED);
        HttpPost post = new HttpPost(tokenRequest.getLocationUri());
        post.setEntity(form);
        post.setHeader("Authorization", getValidBasicAuthHeaderValue("clientId1", "clpwd+%"));
        HttpResponse response = getSecureClient(false).execute(post);
        MatcherAssert.assertThat(response.getStatusLine().getStatusCode(), Matchers.is(400));
        String expected = "{\"error\":\"invalid_grant\",\"error_description\":\"Authorization code is invalid or expired\"}";
        assertEqualJsonObj(expected, response);
    }

    /**
     * Sending client_secret in the body and Basic credentials in the Authorization header at the same
     * time is refused with 400 invalid_request, as RFC 6749 section 2.3 allows only one client
     * authentication method per request.
     */
    @Test
    public void tokenExchangeMultipleAuthentications() throws Exception {
        String basicAuth = getValidBasicAuthHeaderValue("clientId1", "clpwd+%");
        OAuthClientRequest tokenRequest = OAuthClientRequest.tokenLocation(getTokenEndpointURL())
                .setGrantType(GrantType.AUTHORIZATION_CODE)
                .setCode("__valid__")
                .setRedirectURI(AbstractOAuth2ProviderModuleTestCase.TEST_REDIRECT_URI)
                .setClientId("clientId1")
                .setClientSecret("clientSecret1")
                .buildBodyMessage();
        // Headers set on the OAuthClientRequest are not copied onto the HttpPost built below (only the
        // location URI and body are); the header that actually goes on the wire is set on the post itself.
        tokenRequest.setHeaders(Collections.singletonMap("Authorization", basicAuth));
        StringEntity form = new StringEntity(tokenRequest.getBody(), ContentType.APPLICATION_FORM_URLENCODED);
        HttpPost post = new HttpPost(tokenRequest.getLocationUri());
        post.setEntity(form);
        post.setHeader("Authorization", basicAuth);
        HttpResponse response = getSecureClient(false).execute(post);
        MatcherAssert.assertThat(response.getStatusLine().getStatusCode(), Matchers.is(400));
        String expected = "{\"error\":\"invalid_request\",\"error_description\":\"Multiple client authentications found\"}";
        assertEqualJsonObj(expected, response);
    }

    /**
     * An authorization code is single-use: after tokenExchangeValidUsernamePassword() has redeemed
     * "__valid__", presenting it again yields 400 invalid_grant.
     */
    @Test
    public void tokenExchangeExpiredAuthorizationCode() throws Exception {
        // First redemption consumes the code.
        tokenExchangeValidUsernamePassword();
        OAuthClientRequest replay = OAuthClientRequest.tokenLocation(getTokenEndpointURL())
                .setGrantType(GrantType.AUTHORIZATION_CODE)
                .setCode("__valid__")
                .setClientId("clientId1")
                .setClientSecret("clientSecret1")
                .setRedirectURI(AbstractOAuth2ProviderModuleTestCase.TEST_REDIRECT_URI)
                .buildBodyMessage();
        StringEntity form = new StringEntity(replay.getBody(), ContentType.APPLICATION_FORM_URLENCODED);
        HttpPost post = new HttpPost(replay.getLocationUri());
        post.setEntity(form);
        HttpResponse response = getSecureClient(false).execute(post);
        MatcherAssert.assertThat(response.getStatusLine().getStatusCode(), Matchers.is(400));
        String expected = "{\"error\":\"invalid_grant\",\"error_description\":\"Authorization code is invalid or expired\"}";
        assertEqualJsonObj(expected, response);
    }

    /**
     * With the client's principal cleared in the object store, Basic authentication fails with 401,
     * a WWW-Authenticate challenge and a JSON invalid_client body.
     */
    @Test
    public void tokenExchangeClientNotFoundInSecurityProvider() throws Exception {
        this.client.setPrincipal((String) null);
        updateClientInOS();
        OAuthClientRequest tokenRequest = OAuthClientRequest.tokenLocation(getTokenEndpointURL())
                .setGrantType(GrantType.AUTHORIZATION_CODE)
                .setCode("__valid__")
                .setClientId("clientId1")
                .setRedirectURI(AbstractOAuth2ProviderModuleTestCase.TEST_REDIRECT_URI)
                .buildBodyMessage();
        StringEntity form = new StringEntity(tokenRequest.getBody(), ContentType.APPLICATION_FORM_URLENCODED);
        HttpPost post = new HttpPost(tokenRequest.getLocationUri());
        post.setEntity(form);
        post.setHeader("Authorization", getValidBasicAuthHeaderValue("clientId1", "_bad_"));
        HttpResponse response = getSecureClient(false).execute(post);
        MatcherAssert.assertThat(response.getStatusLine().getStatusCode(), Matchers.is(401));
        MatcherAssert.assertThat(response.getHeaders("WWW-Authenticate")[0], Matchers.is(Matchers.not(Matchers.nullValue())));
        String expected = "{\"error\":\"invalid_client\",\"error_description\":\"Invalid credentials\"}";
        assertEqualJsonObj(expected, response);
    }

    /**
     * After setupClient("clusr", null) the exchange with client_secret in the body succeeds (200) and the
     * token response has neither scope nor refresh token.
     */
    @Test
    public void tokenExchangeClientIdIsValidSecurityProviderPrincipal() throws Exception {
        setupClient("clusr", null);
        OAuthClientRequest tokenRequest = OAuthClientRequest.tokenLocation(getTokenEndpointURL())
                .setGrantType(GrantType.AUTHORIZATION_CODE)
                .setCode("__valid__")
                .setClientId("clientId1")
                .setClientSecret("clientSecret1")
                .setRedirectURI(AbstractOAuth2ProviderModuleTestCase.TEST_REDIRECT_URI)
                .buildBodyMessage();
        StringEntity form = new StringEntity(tokenRequest.getBody(), ContentType.APPLICATION_FORM_URLENCODED);
        HttpPost post = new HttpPost(tokenRequest.getLocationUri());
        post.setEntity(form);
        HttpResponse response = getSecureClient(false).execute(post);
        MatcherAssert.assertThat(response.getStatusLine().getStatusCode(), Matchers.is(200));
        validateSuccessfulTokenResponseNoScopeNoRefresh(getContentAsMap(response));
    }

    /**
     * Happy-path code exchange with the client authenticated via client_id/client_secret in the body.
     * Also used by tokenExchangeExpiredAuthorizationCode to consume "__valid__" before replaying it.
     */
    @Test
    public void tokenExchangeValidUsernamePassword() throws Exception {
        OAuthClientRequest tokenRequest = OAuthClientRequest.tokenLocation(getTokenEndpointURL())
                .setGrantType(GrantType.AUTHORIZATION_CODE)
                .setCode("__valid__")
                .setClientId("clientId1")
                .setClientSecret("clientSecret1")
                .setRedirectURI(AbstractOAuth2ProviderModuleTestCase.TEST_REDIRECT_URI)
                .buildBodyMessage();
        StringEntity form = new StringEntity(tokenRequest.getBody(), ContentType.APPLICATION_FORM_URLENCODED);
        HttpPost post = new HttpPost(tokenRequest.getLocationUri());
        post.setEntity(form);
        HttpResponse response = getSecureClient(false).execute(post);
        MatcherAssert.assertThat(response.getStatusLine().getStatusCode(), Matchers.is(200));
        validateSuccessfulTokenResponseNoScopeNoRefresh(getContentAsMap(response));
    }

    /** Happy-path code exchange with the client authenticated via HTTP Basic instead of body parameters. */
    @Test
    public void tokenExchangeValidBasicAuth() throws Exception {
        OAuthClientRequest tokenRequest = OAuthClientRequest.tokenLocation(getTokenEndpointURL())
                .setGrantType(GrantType.AUTHORIZATION_CODE)
                .setCode("__valid__")
                .setClientId("clientId1")
                .setRedirectURI(AbstractOAuth2ProviderModuleTestCase.TEST_REDIRECT_URI)
                .buildBodyMessage();
        StringEntity form = new StringEntity(tokenRequest.getBody(), ContentType.APPLICATION_FORM_URLENCODED);
        HttpPost post = new HttpPost(tokenRequest.getLocationUri());
        post.setEntity(form);
        post.setHeader("Authorization", getValidBasicAuthHeaderValue("clientId1", "clpwd+%"));
        HttpResponse response = getSecureClient(false).execute(post);
        MatcherAssert.assertThat(response.getStatusLine().getStatusCode(), Matchers.is(200));
        validateSuccessfulTokenResponseNoScopeNoRefresh(getContentAsMap(response));
    }

    /** Happy-path code exchange authenticated with client_secret in the form body. */
    @Test
    public void tokenExchangeValidClientSecret() throws Exception {
        OAuthClientRequest tokenRequest = OAuthClientRequest.tokenLocation(getTokenEndpointURL())
                .setGrantType(GrantType.AUTHORIZATION_CODE)
                .setCode("__valid__")
                .setClientId("clientId1")
                .setClientSecret("clientSecret1")
                .setRedirectURI(AbstractOAuth2ProviderModuleTestCase.TEST_REDIRECT_URI)
                .buildBodyMessage();
        StringEntity form = new StringEntity(tokenRequest.getBody(), ContentType.APPLICATION_FORM_URLENCODED);
        HttpPost post = new HttpPost(tokenRequest.getLocationUri());
        post.setEntity(form);
        HttpResponse response = getSecureClient(false).execute(post);
        MatcherAssert.assertThat(response.getStatusLine().getStatusCode(), Matchers.is(200));
        validateSuccessfulTokenResponseNoScopeNoRefresh(getContentAsMap(response));
    }

    /**
     * A client reconfigured as PUBLIC (no secret) can redeem a code with client_id alone; this is the
     * only case in which an unauthenticated exchange is expected to return 200.
     */
    @Test
    public void tokenExchangePublicClient() throws Exception {
        this.client.setSecret((String) null);
        this.client.setType(ClientType.PUBLIC);
        updateClientInOS();
        OAuthClientRequest tokenRequest = OAuthClientRequest.tokenLocation(getTokenEndpointURL())
                .setGrantType(GrantType.AUTHORIZATION_CODE)
                .setCode("__valid__")
                .setClientId("clientId1")
                .setRedirectURI(AbstractOAuth2ProviderModuleTestCase.TEST_REDIRECT_URI)
                .buildBodyMessage();
        StringEntity form = new StringEntity(tokenRequest.getBody(), ContentType.APPLICATION_FORM_URLENCODED);
        HttpPost post = new HttpPost(tokenRequest.getLocationUri());
        post.setEntity(form);
        HttpResponse response = getSecureClient(false).execute(post);
        MatcherAssert.assertThat(response.getStatusLine().getStatusCode(), Matchers.is(200));
        validateSuccessfulTokenResponseNoScopeNoRefresh(getContentAsMap(response));
    }

    /** Password grant: client authentication is checked first, so wrong Basic credentials give 401 even with valid owner credentials. */
    @Test
    public void tokenRequestBadClientAuthorization() throws Exception {
        OAuthClientRequest tokenRequest = OAuthClientRequest.tokenLocation(getTokenEndpointURL())
                .setGrantType(GrantType.PASSWORD)
                .setUsername("rousr")
                .setPassword("ropwd+%")
                .buildBodyMessage();
        StringEntity form = new StringEntity(tokenRequest.getBody(), ContentType.APPLICATION_FORM_URLENCODED);
        HttpPost post = new HttpPost(tokenRequest.getLocationUri());
        post.setEntity(form);
        post.setHeader("Authorization", getValidBasicAuthHeaderValue("_bad_", "_bad_"));
        HttpResponse response = getSecureClient(false).execute(post);
        MatcherAssert.assertThat(response.getStatusLine().getStatusCode(), Matchers.is(401));
        String body = IOUtils.toString(response.getEntity().getContent());
        MatcherAssert.assertThat(body, Matchers.containsString("\"error\":\"invalid_client\""));
    }

    /**
     * Password grant with a correctly authenticated client but a wrong resource-owner password is a
     * 400 access_denied. The PASSWORD grant has to be enabled on the client first.
     */
    @Test
    public void tokenRequestBadResourceOwnerCredentials() throws Exception {
        this.client.getAuthorizedGrantTypes().add(Constants.RequestGrantType.PASSWORD);
        updateClientInOS();
        OAuthClientRequest tokenRequest = OAuthClientRequest.tokenLocation(getTokenEndpointURL())
                .setGrantType(GrantType.PASSWORD)
                .setUsername("rousr")
                .setPassword("_bad_")
                .buildBodyMessage();
        StringEntity form = new StringEntity(tokenRequest.getBody(), ContentType.APPLICATION_FORM_URLENCODED);
        HttpPost post = new HttpPost(tokenRequest.getLocationUri());
        post.setEntity(form);
        post.setHeader("Authorization", getValidBasicAuthHeaderValue("clientId1", "clpwd+%"));
        HttpResponse response = getSecureClient(false).execute(post);
        MatcherAssert.assertThat(response.getStatusLine().getStatusCode(), Matchers.is(400));
        String body = IOUtils.toString(response.getEntity().getContent());
        MatcherAssert.assertThat(body, Matchers.containsString("\"error\":\"access_denied\""));
    }

    /** No token at all: 401 with a Bearer challenge naming the realm. */
    @Test
    public void accessProtectedResourceWithoutToken() throws Exception {
        HttpGet get = new HttpGet(getProtectedResourceURL(PROTECTED_RESOURCE_PATH));
        HttpResponse response = getSecureClient(false).execute(get);
        int expectedStatus = HttpConstants.HttpStatus.UNAUTHORIZED.getStatusCode();
        MatcherAssert.assertThat(response.getStatusLine().getStatusCode(), Matchers.is(expectedStatus));
        MatcherAssert.assertThat(response.getHeaders("WWW-Authenticate")[0], Matchers.is(Matchers.not(Matchers.nullValue())));
        String challenge = response.getHeaders("WWW-Authenticate")[0].getValue();
        MatcherAssert.assertThat(challenge, Matchers.is("Bearer realm=\"OAuth2 Client Realm\""));
    }

    /** A token value that was never issued: same 401 and challenge as the no-token case. */
    @Test
    public void accessProtectedResourceWithBadAccessToken() throws Exception {
        String url = getProtectedResourceURL(PROTECTED_RESOURCE_PATH) + "?access_token=_bad_";
        HttpResponse response = getSecureClient(false).execute(new HttpGet(url));
        MatcherAssert.assertThat(response.getStatusLine().getStatusCode(), Matchers.is(401));
        MatcherAssert.assertThat(response.getHeaders("WWW-Authenticate")[0], Matchers.is(Matchers.not(Matchers.nullValue())));
        String challenge = response.getHeaders("WWW-Authenticate")[0].getValue();
        MatcherAssert.assertThat(challenge, Matchers.is("Bearer realm=\"OAuth2 Client Realm\""));
    }

    /**
     * A random, well-formed token that is not in the store is rejected like a bad one (401 + challenge).
     * NOTE(review): nothing here actually expires a token; the name reflects intent, not the setup.
     */
    @Test
    public void accessProtectedResourceWithExpiredAccessToken() throws Exception {
        String unknownToken = RandomStringUtils.randomAlphanumeric(20);
        String url = getProtectedResourceURL(PROTECTED_RESOURCE_PATH) + "?access_token=" + unknownToken;
        HttpResponse response = getSecureClient(false).execute(new HttpGet(url));
        MatcherAssert.assertThat(response.getStatusLine().getStatusCode(), Matchers.is(401));
        MatcherAssert.assertThat(response.getHeaders("WWW-Authenticate")[0], Matchers.is(Matchers.not(Matchers.nullValue())));
        String challenge = response.getHeaders("WWW-Authenticate")[0].getValue();
        MatcherAssert.assertThat(challenge, Matchers.is("Bearer realm=\"OAuth2 Client Realm\""));
    }

    /** A token registered in the store grants access when passed as a query parameter (checked by accessProtectedResource). */
    @Test
    public void accessProtectedResourceWithAccessTokenQueryParam() throws Exception {
        final String token = RandomStringUtils.randomAlphanumeric(20);
        addAccessTokenToStore(token);
        accessProtectedResource(token);
    }

    /**
     * Happy path for a token sent in the {@code Authorization: Bearer} header against
     * the bearer-only resource: expects 200, the resource body, and no challenge header.
     *
     * @throws Exception if the request or response handling fails
     */
    @Test
    public void accessProtectedResourceWithBearerHeader() throws Exception {
        final String token = RandomStringUtils.randomAlphanumeric(20);
        addAccessTokenToStore(token);

        HttpGet request = new HttpGet(getProtectedResourceURL("/protected-with-bearer"));
        request.addHeader("Authorization", "Bearer " + token);
        HttpResponse response = getSecureClient(false).execute(request);

        int status = response.getStatusLine().getStatusCode();
        MatcherAssert.assertThat(Integer.valueOf(status), Matchers.is(200));
        String body = IOUtils.toString(response.getEntity().getContent());
        MatcherAssert.assertThat(body, Matchers.is(Matchers.equalTo("accessing::protected_resource")));
        // A successful request must not carry a WWW-Authenticate challenge.
        MatcherAssert.assertThat(response.getHeaders("WWW-Authenticate"), Matchers.is(Matchers.emptyArray()));
    }

    /**
     * Full authorization-code flow: the resource owner authenticates at the
     * authorization endpoint, the code carried in the 302 redirect is exchanged at the
     * token endpoint together with the client secret, and the issued access token is
     * used against the protected resource.
     *
     * @throws Exception if any request or response handling fails
     */
    @Test
    public void performAuthorizationCodeOAuth2DanceAndAccessProtectedResource() throws Exception {
        // Step 1: authorization request carrying the resource owner's credentials.
        OAuthClientRequest authorizationRequest = OAuthClientRequest.authorizationLocation(getAuthorizationEndpointUrl())
                .setResponseType("code")
                .setClientId("clientId1")
                .setRedirectURI(AbstractOAuth2ProviderModuleTestCase.TEST_REDIRECT_URI)
                .setParameter("username", "rousr")
                .setParameter("password", "ropwd+%")
                .buildBodyMessage();
        HttpPost authorizationPost = new HttpPost(authorizationRequest.getLocationUri());
        authorizationPost.setEntity(new StringEntity(authorizationRequest.getBody(), ContentType.APPLICATION_FORM_URLENCODED));
        HttpResponse authorizationResponse = getSecureClient(false).execute(authorizationPost);
        MatcherAssert.assertThat(Integer.valueOf(authorizationResponse.getStatusLine().getStatusCode()), Matchers.is(302));
        String authorizationCode = validateSuccessfulLoginResponse(authorizationResponse, "code").get("code").get(0);

        // Step 2: exchange the code for a token; the client authenticates in the form body.
        OAuthClientRequest tokenRequest = OAuthClientRequest.tokenLocation(getTokenEndpointURL())
                .setGrantType(GrantType.AUTHORIZATION_CODE)
                .setCode(authorizationCode)
                .setClientId("clientId1")
                .setClientSecret("clientSecret1")
                .setRedirectURI(AbstractOAuth2ProviderModuleTestCase.TEST_REDIRECT_URI)
                .buildBodyMessage();
        HttpPost tokenPost = new HttpPost(tokenRequest.getLocationUri());
        tokenPost.setEntity(new StringEntity(tokenRequest.getBody(), ContentType.APPLICATION_FORM_URLENCODED));
        HttpResponse tokenResponse = getSecureClient(false).execute(tokenPost);
        MatcherAssert.assertThat(Integer.valueOf(tokenResponse.getStatusLine().getStatusCode()), Matchers.is(200));

        // Step 3: the token must open the protected resource.
        Map<String, Object> tokenBody = getContentAsMap(tokenResponse);
        String accessToken = (String) validateSuccessfulTokenResponseNoScopeNoRefresh(tokenBody).get("access_token");
        accessProtectedResource(accessToken);
    }

    /**
     * Implicit flow ({@code response_type=token}): the access token is returned directly
     * in the redirect after the resource owner authenticates, with no token-endpoint
     * round trip, and is then used against the protected resource.
     *
     * @throws Exception if any request or response handling fails
     */
    @Test
    public void performImplicitGrantOAuth2DanceAndAccessProtectedResource() throws Exception {
        OAuthClientRequest authorizationRequest = OAuthClientRequest.authorizationLocation(getAuthorizationEndpointUrl())
                .setResponseType("token")
                .setClientId("clientId1")
                .setRedirectURI(AbstractOAuth2ProviderModuleTestCase.TEST_REDIRECT_URI)
                .setParameter("username", "rousr")
                .setParameter("password", "ropwd+%")
                .buildBodyMessage();
        HttpPost authorizationPost = new HttpPost(authorizationRequest.getLocationUri());
        authorizationPost.setEntity(new StringEntity(authorizationRequest.getBody(), ContentType.APPLICATION_FORM_URLENCODED));
        HttpResponse authorizationResponse = getSecureClient(false).execute(authorizationPost);
        MatcherAssert.assertThat(Integer.valueOf(authorizationResponse.getStatusLine().getStatusCode()), Matchers.is(302));

        // The token travels in the redirect itself; the helper extracts it from the Location header.
        String accessToken = validateSuccessfulLoginResponse(authorizationResponse, "access_token").get("access_token").get(0);
        accessProtectedResource(accessToken);
    }

    /**
     * Resource-owner password credentials flow: the client fixture is first allowed the
     * PASSWORD grant type, then posts the resource owner's credentials to the token
     * endpoint while authenticating itself with HTTP Basic; the issued token is used
     * against the protected resource.
     *
     * @throws Exception if any request or response handling fails
     */
    @Test
    public void performResourceOwnerPasswordCredentialsGrantOAuth2DanceAndAccessProtectedResource() throws Exception {
        // The grant must be explicitly enabled for the client and persisted before the request.
        this.client.getAuthorizedGrantTypes().add(Constants.RequestGrantType.PASSWORD);
        updateClientInOS();

        OAuthClientRequest tokenRequest = OAuthClientRequest.tokenLocation(getTokenEndpointURL())
                .setGrantType(GrantType.PASSWORD)
                .setParameter("username", "rousr")
                .setParameter("password", "ropwd+%")
                .buildBodyMessage();
        HttpPost tokenPost = new HttpPost(tokenRequest.getLocationUri());
        tokenPost.setEntity(new StringEntity(tokenRequest.getBody(), ContentType.APPLICATION_FORM_URLENCODED));
        // Client authentication goes in the Authorization header, not the form body.
        tokenPost.setHeader("Authorization", getValidBasicAuthHeaderValue("clientId1", "clpwd+%"));
        HttpResponse tokenResponse = getSecureClient(false).execute(tokenPost);
        MatcherAssert.assertThat(Integer.valueOf(tokenResponse.getStatusLine().getStatusCode()), Matchers.is(200));

        Map<String, Object> tokenBody = getContentAsMap(tokenResponse);
        String accessToken = (String) validateSuccessfulTokenResponseNoScopeNoRefresh(tokenBody).get("access_token");
        accessProtectedResource(accessToken);
    }

    /**
     * Client-credentials flow: the client fixture is first allowed the CLIENT_CREDENTIALS
     * grant type, then requests a token with only its own HTTP Basic credentials (no
     * resource owner involved); the issued token is used against the protected resource.
     *
     * @throws Exception if any request or response handling fails
     */
    @Test
    public void performClientCredentialsGrantOAuth2DanceAndAccessProtectedResource() throws Exception {
        // The grant must be explicitly enabled for the client and persisted before the request.
        this.client.getAuthorizedGrantTypes().add(Constants.RequestGrantType.CLIENT_CREDENTIALS);
        updateClientInOS();

        // grant_type is set as a raw form parameter rather than via setGrantType —
        // presumably the client library's GrantType enum has no client_credentials value; confirm.
        OAuthClientRequest tokenRequest = OAuthClientRequest.tokenLocation(getTokenEndpointURL())
                .setParameter("grant_type", "client_credentials")
                .buildBodyMessage();
        HttpPost tokenPost = new HttpPost(tokenRequest.getLocationUri());
        tokenPost.setEntity(new StringEntity(tokenRequest.getBody(), ContentType.APPLICATION_FORM_URLENCODED));
        tokenPost.setHeader("Authorization", getValidBasicAuthHeaderValue("clientId1", "clpwd+%"));
        HttpResponse tokenResponse = getSecureClient(false).execute(tokenPost);
        MatcherAssert.assertThat(Integer.valueOf(tokenResponse.getStatusLine().getStatusCode()), Matchers.is(200));

        Map<String, Object> tokenBody = getContentAsMap(tokenResponse);
        String accessToken = (String) validateSuccessfulTokenResponseNoScopeNoRefresh(tokenBody).get("access_token");
        accessProtectedResource(accessToken);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Fetches the protected resource over TLS with {@code str} supplied as the
     * {@code access_token} query parameter and asserts a clean success: 200, the
     * expected body, and no WWW-Authenticate challenge.
     *
     * <p>Passing bearer tokens in the query string is the form RFC 6750 §2.3
     * discourages, because the token lands in access logs and Referer headers; the
     * header-based variant is covered by {@link #accessProtectedResourceWithBearerHeader()}.
     *
     * @param str the access token the resource is expected to accept
     * @throws Exception if the request or response handling fails
     */
    @Override // com.mulesoft.modules.oauth2.provider.AbstractOAuth2ProviderModuleTestCase
    public void accessProtectedResource(String str) throws Exception {
        String resourceUrl = getProtectedResourceURL(PROTECTED_RESOURCE_PATH) + "?access_token=" + str;
        HttpResponse response = getSecureClient(false).execute(new HttpGet(resourceUrl));

        int status = response.getStatusLine().getStatusCode();
        MatcherAssert.assertThat(Integer.valueOf(status), Matchers.is(200));
        MatcherAssert.assertThat(response.getHeaders("WWW-Authenticate"), Matchers.is(Matchers.emptyArray()));
        String body = IOUtils.toString(response.getEntity().getContent());
        MatcherAssert.assertThat(body, Matchers.is(Matchers.equalTo("accessing::protected_resource")));
    }

    /**
     * Sends an authorization request of the given response type with a wrong
     * resource-owner password and asserts that the provider redirects back with
     * {@code error=access_denied} and an empty body instead of issuing a code or token.
     *
     * @param str the {@code response_type} value to request
     * @throws Exception if the request or response handling fails
     */
    private void doValidateCredentialsInvalidCredentials(String str) throws Exception {
        OAuthClientRequest authorizationRequest = OAuthClientRequest.authorizationLocation(getAuthorizationEndpointUrl())
                .setResponseType(str)
                .setClientId("clientId1")
                .setRedirectURI(AbstractOAuth2ProviderModuleTestCase.TEST_REDIRECT_URI)
                .setParameter("username", "rousr")
                .setParameter("password", "__BAD__")
                .buildBodyMessage();
        HttpPost authorizationPost = new HttpPost(authorizationRequest.getLocationUri());
        authorizationPost.setEntity(new StringEntity(authorizationRequest.getBody(), ContentType.APPLICATION_FORM_URLENCODED));
        HttpResponse response = getSecureClient(false).execute(authorizationPost);

        // Rejection is signalled via redirect to the registered redirect URI, not via a 4xx.
        MatcherAssert.assertThat(Integer.valueOf(response.getStatusLine().getStatusCode()), Matchers.is(302));
        String location = response.getHeaders("Location")[0].getValue();
        MatcherAssert.assertThat(location, Matchers.is(Matchers.not(Matchers.nullValue())));
        String error = decodeParameters(location).get("error").get(0);
        MatcherAssert.assertThat(error, Matchers.is(Matchers.equalTo("access_denied")));
        // No error detail may be echoed in the response body.
        MatcherAssert.assertThat(IOUtils.toString(response.getEntity().getContent()), Matchers.isEmptyString());
    }
}
