package com.google.api.client.auth.openidconnect;

import com.google.api.client.auth.openidconnect.IdToken;
import com.google.api.client.auth.openidconnect.IdTokenVerifier;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.LowLevelHttpRequest;
import com.google.api.client.http.LowLevelHttpResponse;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.gson.GsonFactory;
import com.google.api.client.json.webtoken.JsonWebSignature;
import com.google.api.client.testing.http.MockHttpTransport;
import com.google.api.client.testing.http.MockLowLevelHttpRequest;
import com.google.api.client.testing.http.MockLowLevelHttpResponse;
import com.google.api.client.util.Clock;
import com.google.api.client.util.Lists;
import com.google.common.io.CharStreams;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.ArrayDeque;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import junit.framework.TestCase;
import org.junit.Assert;

/* loaded from: input_file:com/google/api/client/auth/openidconnect/IdTokenVerifierTest.class */
public class IdTokenVerifierTest extends TestCase {
    private static final String ISSUER = "issuer.example.com";
    private static final String ISSUER2 = "issuer.example.com2";
    private static final String ISSUER3 = "issuer.example.com3";
    private static final String LEGACY_FEDERATED_SIGNON_CERT_URL = "https://www.googleapis.com/oauth2/v1/certs";
    private static final String SERVICE_ACCOUNT_CERT_URL = "https://www.googleapis.com/robot/v1/metadata/x509/integration-tests%40chingor-test.iam.gserviceaccount.com";
    private static final String CLIENT_ID = "myclientid";
    private static final String CLIENT_ID2 = "myclientid2";
    private static final List<String> TRUSTED_CLIENT_IDS = Arrays.asList(CLIENT_ID, CLIENT_ID2);
    private static final String ES256_TOKEN = "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Im1wZjBEQSJ9.eyJhdWQiOiIvcHJvamVjdHMvNjUyNTYyNzc2Nzk4L2FwcHMvY2xvdWQtc2FtcGxlcy10ZXN0cy1waHAtaWFwIiwiZW1haWwiOiJjaGluZ29yQGdvb2dsZS5jb20iLCJleHAiOjE1ODQwNDc2MTcsImdvb2dsZSI6eyJhY2Nlc3NfbGV2ZWxzIjpbImFjY2Vzc1BvbGljaWVzLzUxODU1MTI4MDkyNC9hY2Nlc3NMZXZlbHMvcmVjZW50U2VjdXJlQ29ubmVjdERhdGEiLCJhY2Nlc3NQb2xpY2llcy81MTg1NTEyODA5MjQvYWNjZXNzTGV2ZWxzL3Rlc3ROb09wIiwiYWNjZXNzUG9saWNpZXMvNTE4NTUxMjgwOTI0L2FjY2Vzc0xldmVscy9ldmFwb3JhdGlvblFhRGF0YUZ1bGx5VHJ1c3RlZCJdfSwiaGQiOiJnb29nbGUuY29tIiwiaWF0IjoxNTg0MDQ3MDE3LCJpc3MiOiJodHRwczovL2Nsb3VkLmdvb2dsZS5jb20vaWFwIiwic3ViIjoiYWNjb3VudHMuZ29vZ2xlLmNvbToxMTIxODE3MTI3NzEyMDE5NzI4OTEifQ.yKNtdFY5EKkRboYNexBdfugzLhC3VuGyFcuFYA8kgpxMqfyxa41zkML68hYKrWu2kOBTUW95UnbGpsIi_u1fiA";
    private static final String FEDERATED_SIGNON_RS256_TOKEN = "eyJhbGciOiJSUzI1NiIsImtpZCI6ImY5ZDk3YjRjYWU5MGJjZDc2YWViMjAwMjZmNmI3NzBjYWMyMjE3ODMiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwczovL2V4YW1wbGUuY29tL3BhdGgiLCJhenAiOiJpbnRlZ3JhdGlvbi10ZXN0c0BjaGluZ29yLXRlc3QuaWFtLmdzZXJ2aWNlYWNjb3VudC5jb20iLCJlbWFpbCI6ImludGVncmF0aW9uLXRlc3RzQGNoaW5nb3ItdGVzdC5pYW0uZ3NlcnZpY2VhY2NvdW50LmNvbSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJleHAiOjE1ODc2Mjk4ODgsImlhdCI6MTU4NzYyNjI4OCwiaXNzIjoiaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tIiwic3ViIjoiMTA0MDI5MjkyODUzMDk5OTc4MjkzIn0.Pj4KsJh7riU7ZIbPMcHcHWhasWEcbVjGP4yx_5E0iOpeDalTdri97E-o0dSSkuVX2FeBIgGUg_TNNgJ3YY97T737jT5DUYwdv6M51dDlLmmNqlu_P6toGCSRC8-Beu5gGmqS2Y82TmpHH9Vhoh5PsK7_rVHk8U6VrrVVKKTWm_IzTFhqX1oYKPdvfyaNLsXPbCt_NFE0C3DNmFkgVhRJu7LtzQQN-ghaqd3Ga3i6KH222OEI_PU4BUTvEiNOqRGoMlT_YOsyFN3XwqQ6jQGWhhkArL1z3CG2BVQjHTKpgVsRyy_H6WTZiju2Q-XWobgH-UPSZbyymV8-cFT9XKEtZQ";
    private static final String SERVICE_ACCOUNT_RS256_TOKEN = "eyJhbGciOiJSUzI1NiIsImtpZCI6IjJlZjc3YjM4YTFiMDM3MDQ4NzA0MzkxNmFjYmYyN2Q3NGVkZDA4YjEiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwczovL2V4YW1wbGUuY29tL2F1ZGllbmNlIiwiZXhwIjoxNTg3NjMwNTQzLCJpYXQiOjE1ODc2MjY5NDMsImlzcyI6InNvbWUgaXNzdWVyIiwic3ViIjoic29tZSBzdWJqZWN0In0.gGOQW0qQgs4jGUmCsgRV83RqsJLaEy89-ZOG6p1u0Y26FyY06b6Odgd7xXLsSTiiSnch62dl0Lfi9D0x2ByxvsGOCbovmBl2ZZ0zHr1wpc4N0XS9lMUq5RJQbonDibxXG4nC2zroDfvD0h7i-L8KMXeJb9pYwW7LkmrM_YwYfJnWnZ4bpcsDjojmPeUBlACg7tjjOgBFbyQZvUtaERJwSRlaWibvNjof7eCVfZChE0PwBpZc_cGqSqKXv544L4ttqdCnmONjqrTATXwC4gYxruevkjHfYI5ojcQmXoWDJJ0-_jzfyPE4MFFdCFgzLgnfIOwe5ve0MtquKuv2O0pgvg";
    private static final List<String> ALL_TOKENS = Arrays.asList(ES256_TOKEN, FEDERATED_SIGNON_RS256_TOKEN, SERVICE_ACCOUNT_RS256_TOKEN);
    static final JsonFactory JSON_FACTORY = GsonFactory.getDefaultInstance();
    static final MockClock FIXED_CLOCK = new MockClock(1584047020000L);

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: com.google.api.client.auth.openidconnect.IdTokenVerifierTest$6, reason: invalid class name */
    /* loaded from: input_file:com/google/api/client/auth/openidconnect/IdTokenVerifierTest$6.class */
    public static class AnonymousClass6 implements HttpTransportFactory {
        final /* synthetic */ String val$certificatesUrl;
        final /* synthetic */ String val$certificatesContent;

        AnonymousClass6(String str, String str2) {
            this.val$certificatesUrl = str;
            this.val$certificatesContent = str2;
        }

        public HttpTransport create() {
            return new MockHttpTransport() { // from class: com.google.api.client.auth.openidconnect.IdTokenVerifierTest.6.1
                public LowLevelHttpRequest buildRequest(String str, String str2) throws IOException {
                    TestCase.assertEquals(AnonymousClass6.this.val$certificatesUrl, str2);
                    return new MockLowLevelHttpRequest() { // from class: com.google.api.client.auth.openidconnect.IdTokenVerifierTest.6.1.1
                        public LowLevelHttpResponse execute() throws IOException {
                            MockLowLevelHttpResponse mockLowLevelHttpResponse = new MockLowLevelHttpResponse();
                            mockLowLevelHttpResponse.setStatusCode(200);
                            mockLowLevelHttpResponse.setContentType("application/json");
                            mockLowLevelHttpResponse.setContent(AnonymousClass6.this.val$certificatesContent);
                            return mockLowLevelHttpResponse;
                        }
                    };
                }
            };
        }
    }

    /* loaded from: input_file:com/google/api/client/auth/openidconnect/IdTokenVerifierTest$DefaultHttpTransportFactory.class */
    static class DefaultHttpTransportFactory implements HttpTransportFactory {
        DefaultHttpTransportFactory() {
        }

        public HttpTransport create() {
            return new NetHttpTransport();
        }
    }

    /* loaded from: input_file:com/google/api/client/auth/openidconnect/IdTokenVerifierTest$MockClock.class */
    static class MockClock implements Clock {
        long timeMillis;

        public MockClock() {
        }

        public MockClock(long j) {
            this.timeMillis = j;
        }

        public long currentTimeMillis() {
            return this.timeMillis;
        }
    }

    /* loaded from: input_file:com/google/api/client/auth/openidconnect/IdTokenVerifierTest$MockEnvironment.class */
    class MockEnvironment extends Environment {
        private final Map<String, String> variables = new HashMap();

        MockEnvironment() {
        }

        public String getVariable(String str) {
            return this.variables.get(str);
        }

        public void setVariable(String str, String str2) {
            this.variables.put(str, str2);
        }
    }

    private static IdToken newIdToken(String str, String str2) {
        IdToken.Payload payload = new IdToken.Payload();
        payload.setIssuer(str);
        payload.setAudience(str2);
        payload.setExpirationTimeSeconds(2000L);
        payload.setIssuedAtTimeSeconds(1000L);
        return new IdToken(new JsonWebSignature.Header(), payload, new byte[0], new byte[0]);
    }

    public void testBuilder() throws Exception {
        IdTokenVerifier.Builder audience = new IdTokenVerifier.Builder().setIssuer(ISSUER).setAudience(TRUSTED_CLIENT_IDS);
        assertEquals(Clock.SYSTEM, audience.getClock());
        assertEquals(ISSUER, audience.getIssuer());
        assertEquals(Collections.singleton(ISSUER), audience.getIssuers());
        assertEquals(TRUSTED_CLIENT_IDS, audience.getAudience());
        MockClock mockClock = new MockClock();
        audience.setClock(mockClock);
        assertEquals(mockClock, audience.getClock());
        IdTokenVerifier build = audience.build();
        assertEquals(mockClock, build.getClock());
        assertEquals(ISSUER, build.getIssuer());
        assertEquals(Collections.singleton(ISSUER), audience.getIssuers());
        assertEquals(TRUSTED_CLIENT_IDS, Lists.newArrayList(build.getAudience()));
    }

    public void testVerifyPayload() throws Exception {
        MockClock mockClock = new MockClock();
        MockEnvironment mockEnvironment = new MockEnvironment();
        mockEnvironment.setVariable("OAUTH_CLIENT_SKIP_SIGNATURE", "true");
        IdTokenVerifier build = new IdTokenVerifier.Builder().setIssuers(Arrays.asList(ISSUER, ISSUER3)).setAudience(Arrays.asList(CLIENT_ID)).setClock(mockClock).setEnvironment(mockEnvironment).build();
        IdTokenVerifier build2 = new IdTokenVerifier.Builder().setClock(mockClock).setEnvironment(mockEnvironment).build();
        mockClock.timeMillis = 1500000L;
        IdToken newIdToken = newIdToken(ISSUER, CLIENT_ID);
        assertTrue(build.verify(newIdToken));
        assertTrue(build.verifyPayload(newIdToken));
        assertTrue(build2.verify(newIdToken(ISSUER2, CLIENT_ID)));
        assertTrue(build2.verifyPayload(newIdToken(ISSUER2, CLIENT_ID)));
        assertFalse(build.verify(newIdToken(ISSUER2, CLIENT_ID)));
        assertFalse(build.verifyPayload(newIdToken(ISSUER2, CLIENT_ID)));
        assertTrue(build.verify(newIdToken(ISSUER3, CLIENT_ID)));
        assertTrue(build.verifyPayload(newIdToken(ISSUER3, CLIENT_ID)));
        assertTrue(build2.verify(newIdToken(ISSUER, CLIENT_ID2)));
        assertTrue(build2.verifyPayload(newIdToken(ISSUER, CLIENT_ID2)));
        assertFalse(build.verify(newIdToken(ISSUER, CLIENT_ID2)));
        assertFalse(build.verifyPayload(newIdToken(ISSUER, CLIENT_ID2)));
        mockClock.timeMillis = 700000L;
        assertTrue(build.verify(newIdToken));
        assertTrue(build.verifyPayload(newIdToken));
        mockClock.timeMillis = 2300000L;
        assertTrue(build.verify(newIdToken));
        assertTrue(build.verifyPayload(newIdToken));
        mockClock.timeMillis = 699999L;
        assertFalse(build.verify(newIdToken));
        assertFalse(build.verifyPayload(newIdToken));
        mockClock.timeMillis = 2300001L;
        assertFalse(build.verify(newIdToken));
        assertFalse(build.verifyPayload(newIdToken));
    }

    public void testEmptyIssuersFails() throws Exception {
        try {
            new IdTokenVerifier.Builder().setIssuers(Collections.emptyList());
            fail("Exception expected");
        } catch (IllegalArgumentException e) {
        }
    }

    public void testBuilderSetNullIssuers() throws Exception {
        IdTokenVerifier.Builder builder = new IdTokenVerifier.Builder();
        IdTokenVerifier build = builder.build();
        assertNull(builder.getIssuers());
        assertNull(builder.getIssuer());
        assertNull(build.getIssuers());
        assertNull(build.getIssuer());
        builder.setIssuers((Collection) null);
        IdTokenVerifier build2 = builder.build();
        assertNull(builder.getIssuers());
        assertNull(builder.getIssuer());
        assertNull(build2.getIssuers());
        assertNull(build2.getIssuer());
        builder.setIssuer((String) null);
        IdTokenVerifier build3 = builder.build();
        assertNull(builder.getIssuers());
        assertNull(builder.getIssuer());
        assertNull(build3.getIssuers());
        assertNull(build3.getIssuer());
    }

    public void testMissingAudience() throws IdTokenVerifier.VerificationException {
        IdToken newIdToken = newIdToken(ISSUER, null);
        MockClock mockClock = new MockClock();
        mockClock.timeMillis = 1500000L;
        assertFalse(new IdTokenVerifier.Builder().setIssuers(Arrays.asList(ISSUER, ISSUER3)).setAudience(Collections.emptyList()).setClock(mockClock).build().verify(newIdToken));
    }

    public void testVerifyEs256TokenPublicKeyMismatch() throws Exception {
        IdTokenVerifier build = new IdTokenVerifier.Builder().setClock(FIXED_CLOCK).setHttpTransportFactory(mockTransport(new MockLowLevelHttpRequest() { // from class: com.google.api.client.auth.openidconnect.IdTokenVerifierTest.1
            public LowLevelHttpResponse execute() throws IOException {
                throw new IOException("test io exception");
            }
        }, new MockLowLevelHttpRequest() { // from class: com.google.api.client.auth.openidconnect.IdTokenVerifierTest.2
            public LowLevelHttpResponse execute() throws IOException {
                MockLowLevelHttpResponse mockLowLevelHttpResponse = new MockLowLevelHttpResponse();
                mockLowLevelHttpResponse.setStatusCode(404);
                mockLowLevelHttpResponse.setContentType("application/json");
                mockLowLevelHttpResponse.setContent("");
                return mockLowLevelHttpResponse;
            }
        }, new MockLowLevelHttpRequest() { // from class: com.google.api.client.auth.openidconnect.IdTokenVerifierTest.3
            public LowLevelHttpResponse execute() throws IOException {
                MockLowLevelHttpResponse mockLowLevelHttpResponse = new MockLowLevelHttpResponse();
                mockLowLevelHttpResponse.setStatusCode(200);
                mockLowLevelHttpResponse.setContentType("application/json");
                mockLowLevelHttpResponse.setContent("{\"keys\":[]}");
                return mockLowLevelHttpResponse;
            }
        }, new MockLowLevelHttpRequest() { // from class: com.google.api.client.auth.openidconnect.IdTokenVerifierTest.4
            public LowLevelHttpResponse execute() throws IOException {
                MockLowLevelHttpResponse mockLowLevelHttpResponse = new MockLowLevelHttpResponse();
                mockLowLevelHttpResponse.setStatusCode(200);
                mockLowLevelHttpResponse.setContentType("application/json");
                mockLowLevelHttpResponse.setContent(IdTokenVerifierTest.readResourceAsString("iap_keys.json"));
                return mockLowLevelHttpResponse;
            }
        })).build();
        try {
            build.verifySignature(IdToken.parse(JSON_FACTORY, ES256_TOKEN));
            fail("Should have failed verification");
        } catch (IdTokenVerifier.VerificationException e) {
            assertTrue(e.getMessage().contains("Error fetching public key"));
        }
        try {
            build.verifySignature(IdToken.parse(JSON_FACTORY, ES256_TOKEN));
            fail("Should have failed verification");
        } catch (IdTokenVerifier.VerificationException e2) {
            assertTrue(e2.getMessage().contains("Error fetching public key"));
        }
        try {
            build.verifySignature(IdToken.parse(JSON_FACTORY, ES256_TOKEN));
            fail("Should have failed verification");
        } catch (IdTokenVerifier.VerificationException e3) {
            assertTrue(e3.getCause().getMessage().contains("No valid public key returned"));
        }
        Assert.assertTrue(build.verifySignature(IdToken.parse(JSON_FACTORY, ES256_TOKEN)));
    }

    public void testVerifyEs256Token() throws IdTokenVerifier.VerificationException, IOException {
        assertTrue(new IdTokenVerifier.Builder().setClock(FIXED_CLOCK).setHttpTransportFactory(mockTransport("https://www.gstatic.com/iap/verify/public_key-jwk", readResourceAsString("iap_keys.json"))).build().verify(IdToken.parse(JSON_FACTORY, ES256_TOKEN)));
    }

    public void testVerifyRs256Token() throws IdTokenVerifier.VerificationException, IOException {
        assertTrue(new IdTokenVerifier.Builder().setClock(new MockClock(1587625988000L)).setHttpTransportFactory(mockTransport("https://www.googleapis.com/oauth2/v3/certs", readResourceAsString("federated_keys.json"))).build().verify(IdToken.parse(JSON_FACTORY, FEDERATED_SIGNON_RS256_TOKEN)));
    }

    public void testVerifyRs256TokenWithLegacyCertificateUrlFormat() throws IdTokenVerifier.VerificationException, IOException {
        assertTrue(new IdTokenVerifier.Builder().setCertificatesLocation(LEGACY_FEDERATED_SIGNON_CERT_URL).setClock(new MockClock(1587626288000L)).setHttpTransportFactory(mockTransport(LEGACY_FEDERATED_SIGNON_CERT_URL, readResourceAsString("legacy_federated_keys.json"))).build().verify(IdToken.parse(JSON_FACTORY, FEDERATED_SIGNON_RS256_TOKEN)));
    }

    public void testVerifyServiceAccountRs256Token() throws IdTokenVerifier.VerificationException, IOException {
        assertTrue(new IdTokenVerifier.Builder().setClock(new MockClock(1587626643000L)).setCertificatesLocation(SERVICE_ACCOUNT_CERT_URL).setHttpTransportFactory(new DefaultHttpTransportFactory()).build().verify(IdToken.parse(JSON_FACTORY, SERVICE_ACCOUNT_RS256_TOKEN)));
    }

    static String readResourceAsString(String str) throws IOException {
        InputStreamReader inputStreamReader = new InputStreamReader(IdTokenVerifierTest.class.getClassLoader().getResourceAsStream(str));
        Throwable th = null;
        try {
            try {
                String charStreams = CharStreams.toString(inputStreamReader);
                if (inputStreamReader != null) {
                    if (0 != 0) {
                        try {
                            inputStreamReader.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        inputStreamReader.close();
                    }
                }
                return charStreams;
            } finally {
            }
        } catch (Throwable th3) {
            if (inputStreamReader != null) {
                if (th != null) {
                    try {
                        inputStreamReader.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    inputStreamReader.close();
                }
            }
            throw th3;
        }
    }

    static HttpTransportFactory mockTransport(LowLevelHttpRequest... lowLevelHttpRequestArr) {
        LowLevelHttpRequest lowLevelHttpRequest = lowLevelHttpRequestArr[0];
        final ArrayDeque arrayDeque = new ArrayDeque();
        for (LowLevelHttpRequest lowLevelHttpRequest2 : lowLevelHttpRequestArr) {
            arrayDeque.add(lowLevelHttpRequest2);
        }
        return new HttpTransportFactory() { // from class: com.google.api.client.auth.openidconnect.IdTokenVerifierTest.5
            public HttpTransport create() {
                return new MockHttpTransport() { // from class: com.google.api.client.auth.openidconnect.IdTokenVerifierTest.5.1
                    public LowLevelHttpRequest buildRequest(String str, String str2) throws IOException {
                        return (LowLevelHttpRequest) arrayDeque.poll();
                    }
                };
            }
        };
    }

    static HttpTransportFactory mockTransport(String str, String str2) {
        return new AnonymousClass6(str, str2);
    }
}
