package net.krotscheck.kangaroo.authz.oauth2.rfc6749;

import java.math.BigInteger;
import java.net.URI;
import java.util.Date;
import java.util.Map;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.NewCookie;
import javax.ws.rs.core.Response;
import net.krotscheck.kangaroo.authz.common.authenticator.AuthenticatorType;
import net.krotscheck.kangaroo.authz.common.database.entity.ClientType;
import net.krotscheck.kangaroo.authz.common.database.entity.HttpSession;
import net.krotscheck.kangaroo.authz.common.database.entity.OAuthToken;
import net.krotscheck.kangaroo.authz.common.database.entity.OAuthTokenType;
import net.krotscheck.kangaroo.authz.test.ApplicationBuilder;
import net.krotscheck.kangaroo.common.exception.ErrorResponseBuilder;
import net.krotscheck.kangaroo.common.hibernate.id.IdUtil;
import net.krotscheck.kangaroo.test.rule.TestDataResource;
import net.krotscheck.kangaroo.util.HttpUtil;
import org.hibernate.Session;
import org.hibernate.criterion.Restrictions;
import org.junit.Assert;
import org.junit.ClassRule;
import org.junit.Test;
import org.junit.rules.TestRule;

/* loaded from: input_file:net/krotscheck/kangaroo/authz/oauth2/rfc6749/Section420ImplicitGrantTest.class */
public final class Section420ImplicitGrantTest extends AbstractRFC6749Test {
    // Shared fixtures, built once per class by TEST_DATA_RULE. Every context
    // holds an Implicit client; they differ in what else is registered.
    /** Debug scope, a "test" role granting it, Test authenticator, one registered redirect. */
    private static ApplicationBuilder.ApplicationContext context;
    /** Same as {@link #context} but with a second registered redirect (other.example.com). */
    private static ApplicationBuilder.ApplicationContext twoRedirectContext;
    /** Test authenticator and a registered redirect, but no scope and no role. */
    private static ApplicationBuilder.ApplicationContext noRoleContext;
    /** Debug scope and a registered redirect, with a "test" role that grants no scopes. */
    private static ApplicationBuilder.ApplicationContext roleNoScopeContext;
    /** Client and Test authenticator only: no scope, no role, no registered redirect. */
    private static ApplicationBuilder.ApplicationContext bareContext;
    /** Same as {@link #context} but with no authenticator attached. */
    private static ApplicationBuilder.ApplicationContext noauthContext;

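    /**
     * Builds the shared application fixtures once per class. Every context
     * holds an Implicit client; they differ only in which scope, role,
     * authenticator and redirect URIs are registered, so each test can drive
     * one validation branch of /authorize.
     */
    @ClassRule
    public static final TestRule TEST_DATA_RULE = new TestDataResource(HIBERNATE_RESOURCE) {
        @Override
        protected void loadTestData(final Session session) {
            // Baseline: debug scope, a role that grants it, a Test
            // authenticator and a single registered redirect.
            Section420ImplicitGrantTest.context = ApplicationBuilder.newApplication(session)
                    .scope("debug")
                    .role("test", new String[]{"debug"})
                    .client(ClientType.Implicit)
                    .authenticator(AuthenticatorType.Test)
                    .redirect("http://valid.example.com/redirect")
                    .build();

            // Baseline plus a second registered redirect.
            Section420ImplicitGrantTest.twoRedirectContext = ApplicationBuilder.newApplication(session)
                    .scope("debug")
                    .role("test", new String[]{"debug"})
                    .client(ClientType.Implicit)
                    .authenticator(AuthenticatorType.Test)
                    .redirect("http://valid.example.com/redirect")
                    .redirect("http://other.example.com/redirect")
                    .build();

            // Client and authenticator only: no scope, role or redirect.
            Section420ImplicitGrantTest.bareContext = ApplicationBuilder.newApplication(session)
                    .client(ClientType.Implicit)
                    .authenticator(AuthenticatorType.Test)
                    .build();

            // Registered redirect, but no scope and no role.
            Section420ImplicitGrantTest.noRoleContext = ApplicationBuilder.newApplication(session)
                    .client(ClientType.Implicit)
                    .authenticator(AuthenticatorType.Test)
                    .redirect("http://valid.example.com/redirect")
                    .build();

            // The debug scope exists, but the "test" role grants nothing.
            Section420ImplicitGrantTest.roleNoScopeContext = ApplicationBuilder.newApplication(session)
                    .client(ClientType.Implicit)
                    .authenticator(AuthenticatorType.Test)
                    .scope("debug")
                    .redirect("http://valid.example.com/redirect")
                    .role("test", new String[0])
                    .build();

            // Baseline without any authenticator.
            Section420ImplicitGrantTest.noauthContext = ApplicationBuilder.newApplication(session)
                    .scope("debug")
                    .role("test", new String[]{"debug"})
                    .client(ClientType.Implicit)
                    .redirect("http://valid.example.com/redirect")
                    .build();
        }
    };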

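    /**
     * Asserts that the response issued a fresh "kangaroo" session cookie
     * whose value resolves to a persisted {@link HttpSession}, and that the
     * cookie is HttpOnly, Secure, scoped to "localhost" and not yet expired.
     *
     * @param response the response to inspect.
     * @return the persisted session the cookie refers to.
     */
    private HttpSession assertNewSession(final Response response) {
        Map<String, NewCookie> cookies = response.getCookies();
        Assert.assertTrue("no kangaroo session cookie set", cookies.containsKey("kangaroo"));
        NewCookie sessionCookie = cookies.get("kangaroo");

        // The cookie value is the session id; it must exist in the database.
        BigInteger sessionId = IdUtil.fromString(sessionCookie.getValue());
        Session session = getSession();
        session.beginTransaction();
        HttpSession httpSession = (HttpSession) session.get(HttpSession.class, sessionId);
        session.getTransaction().commit();
        Assert.assertNotNull("session id in cookie does not resolve", httpSession);

        // Browser-side protections on the session cookie.
        Assert.assertTrue("cookie must be HttpOnly", sessionCookie.isHttpOnly());
        Assert.assertTrue("cookie must be Secure", sessionCookie.isSecure());
        Date expiry = sessionCookie.getExpiry();
        Assert.assertNotNull("cookie must carry an expiry", expiry);
        Assert.assertTrue("cookie expiry must be in the future", expiry.after(new Date()));
        Assert.assertEquals("localhost", sessionCookie.getDomain());
        return httpSession;
    }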

    /**
     * Asserts that the second response rotated the session established by
     * the first: the "kangaroo" cookie keeps its name, path, domain and
     * max-age but carries a different id, the old session row is gone, and
     * the new id resolves to a persisted {@link HttpSession}.
     *
     * @param response  the response that set the original session cookie.
     * @param response2 the later response expected to carry the rotated cookie.
     */
    private void assertRotatedSession(final Response response, final Response response2) {
        NewCookie before = response.getCookies().get("kangaroo");
        NewCookie after = response2.getCookies().get("kangaroo");

        // Same cookie shape, different identity.
        Assert.assertEquals(before.getMaxAge(), after.getMaxAge());
        Assert.assertEquals(before.getDomain(), after.getDomain());
        Assert.assertEquals(before.getName(), after.getName());
        Assert.assertEquals(before.getPath(), after.getPath());
        Assert.assertNotEquals(before.getValue(), after.getValue());

        BigInteger oldId = IdUtil.fromString(before.getValue());
        BigInteger newId = IdUtil.fromString(after.getValue());

        // Clear the persistence context first so neither lookup is served
        // from an already-loaded copy of the old session.
        Session session = getSession();
        session.clear();
        session.beginTransaction();
        HttpSession oldSession = (HttpSession) session.get(HttpSession.class, oldId);
        HttpSession newSession = (HttpSession) session.get(HttpSession.class, newId);
        session.getTransaction().commit();

        Assert.assertNull(oldSession);
        Assert.assertNotNull(newSession);
    }

    /**
     * Asserts that the response did not issue a "kangaroo" session cookie.
     *
     * @param response the response to inspect.
     */
    private void assertNoNewSession(final Response response) {
        Map<String, NewCookie> cookies = response.getCookies();
        NewCookie sessionCookie = cookies.get("kangaroo");
        Assert.assertNull("unexpected kangaroo session cookie", sessionCookie);
    }

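    /**
     * Asserts that the access_token in the redirect fragment is a persisted
     * Bearer token and that a Refresh token linked to it through its
     * authToken exists. Only the access token is read from the fragment; the
     * refresh token is looked up server-side and never taken from the URI.
     *
     * @param multivaluedMap the parsed fragment parameters of the redirect.
     */
    private void assertValidSessionRefreshToken(final MultivaluedMap<String, String> multivaluedMap) {
        BigInteger accessTokenId = IdUtil.fromString(multivaluedMap.getFirst("access_token"));
        OAuthToken accessToken = (OAuthToken) getSession().get(OAuthToken.class, accessTokenId);
        Assert.assertNotNull("access_token does not resolve to a stored token", accessToken);
        Assert.assertEquals(OAuthTokenType.Bearer, accessToken.getTokenType());

        // The refresh token is the one whose authToken points at the bearer.
        OAuthToken refreshToken = (OAuthToken) getSession()
                .createCriteria(OAuthToken.class)
                .add(Restrictions.eq("authToken", accessToken))
                .uniqueResult();
        Assert.assertNotNull("no refresh token linked to the bearer token", refreshToken);
        Assert.assertEquals(OAuthTokenType.Refresh, refreshToken.getTokenType());
    }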

    /**
     * A minimal implicit-grant request (response_type=token and a known
     * client_id) starts a session, rotates it when the first redirect is
     * followed, and lands on the registered redirect URI with a bearer token
     * in the fragment. No scope was requested, so none is echoed back.
     */
    @Test
    public void testAuthorizeSimpleRequest() {
        String clientId = IdUtil.toString(context.getClient().getId());
        Response authorizeResponse = target("/authorize")
                .queryParam("response_type", "token")
                .queryParam("client_id", clientId)
                .request()
                .get();
        assertNewSession(authorizeResponse);

        // Following the first redirect completes the grant and rotates the
        // session cookie.
        Response callbackResponse = followRedirect(authorizeResponse);
        assertRotatedSession(authorizeResponse, callbackResponse);

        URI redirect = callbackResponse.getLocation();
        Assert.assertEquals("http", redirect.getScheme());
        Assert.assertEquals("valid.example.com", redirect.getHost());
        Assert.assertEquals("/redirect", redirect.getPath());

        // Implicit grant: the token travels in the URI fragment.
        MultivaluedMap<String, String> fragment = HttpUtil.parseQueryParams(redirect.getFragment());
        assertValidBearerToken(fragment, true);
        assertValidSessionRefreshToken(fragment);
        Assert.assertFalse(fragment.containsKey("scope"));
    }

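    /**
     * An unknown response_type for a client with a registered redirect is
     * reported as a 302 back to that redirect with
     * error=unsupported_response_type and an error_description in the
     * fragment. A session is still started for the caller.
     */
    @Test
    public void testAuthorizeResponseTypeInvalid() {
        Response response = target("/authorize")
                .queryParam("response_type", "invalid")
                .queryParam("client_id", IdUtil.toString(context.getClient().getId()))
                .request()
                .get();
        assertNewSession(response);
        Assert.assertEquals(Response.Status.FOUND.getStatusCode(), response.getStatus());

        URI location = response.getLocation();
        Assert.assertEquals("http", location.getScheme());
        Assert.assertEquals("valid.example.com", location.getHost());
        Assert.assertEquals("/redirect", location.getPath());

        // Implicit-grant errors are delivered in the fragment, like tokens.
        MultivaluedMap<String, String> params = HttpUtil.parseQueryParams(location.getFragment());
        Assert.assertTrue(params.containsKey("error"));
        Assert.assertEquals("unsupported_response_type", params.getFirst("error"));
        Assert.assertTrue(params.containsKey("error_description"));
    }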

    /**
     * An unknown client_id is rejected before any redirect is chosen: the
     * server answers 400 with a JSON invalid_client error and no Location
     * header, and it does not start a session for the caller.
     */
    @Test
    public void testAuthorizeClientIdInvalid() {
        Response response = target("/authorize")
                .queryParam("response_type", "token")
                .queryParam("client_id", "invalid_client_id")
                .request()
                .get();
        assertNoNewSession(response);

        // No known client means no trusted redirect URI, so the error stays
        // in the direct response instead of being forwarded anywhere.
        Assert.assertEquals(Response.Status.BAD_REQUEST.getStatusCode(), response.getStatus());
        Assert.assertNull(response.getLocation());
        Assert.assertEquals(MediaType.APPLICATION_JSON_TYPE, response.getMediaType());

        ErrorResponseBuilder.ErrorResponse error = response.readEntity(ErrorResponseBuilder.ErrorResponse.class);
        Assert.assertEquals("invalid_client", error.getError());
        Assert.assertNotNull(error.getErrorDescription());
    }

    /**
     * Requesting a scope the client's role grants ("debug") succeeds and the
     * granted scope is echoed back in the fragment; no state was supplied so
     * none is returned. This test only checks that the callback response
     * carries a valid session cookie, not that the session was rotated.
     */
    @Test
    public void testAuthorizeScopeSimple() {
        String clientId = IdUtil.toString(context.getClient().getId());
        Response authorizeResponse = target("/authorize")
                .queryParam("response_type", "token")
                .queryParam("client_id", clientId)
                .queryParam("scope", "debug")
                .request()
                .get();
        assertNewSession(authorizeResponse);

        Response callbackResponse = followRedirect(authorizeResponse);
        assertNewSession(callbackResponse);

        URI redirect = callbackResponse.getLocation();
        Assert.assertEquals("http", redirect.getScheme());
        Assert.assertEquals("valid.example.com", redirect.getHost());
        Assert.assertEquals("/redirect", redirect.getPath());

        MultivaluedMap<String, String> fragment = HttpUtil.parseQueryParams(redirect.getFragment());
        assertValidBearerToken(fragment, true);
        assertValidSessionRefreshToken(fragment);
        Assert.assertEquals("debug", fragment.getFirst("scope"));
        Assert.assertFalse(fragment.containsKey("state"));
    }

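    /**
     * A client with no authenticator cannot complete the implicit grant. The
     * server still starts a session and sends the browser back to the
     * registered redirect with error=invalid_request and an
     * error_description in the fragment.
     */
    @Test
    public void testAuthorizeNone() {
        Response response = target("/authorize")
                .queryParam("response_type", "token")
                .queryParam("client_id", IdUtil.toString(noauthContext.getClient().getId()))
                .queryParam("scope", "debug")
                .request()
                .get();
        assertNewSession(response);
        Assert.assertEquals(Response.Status.FOUND.getStatusCode(), response.getStatus());

        URI location = response.getLocation();
        Assert.assertEquals("http", location.getScheme());
        Assert.assertEquals("valid.example.com", location.getHost());
        Assert.assertEquals("/redirect", location.getPath());

        MultivaluedMap<String, String> params = HttpUtil.parseQueryParams(location.getFragment());
        Assert.assertTrue(params.containsKey("error"));
        Assert.assertEquals("invalid_request", params.getFirst("error"));
        Assert.assertTrue(params.containsKey("error_description"));
    }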

    /**
     * A scope unknown to the application is dropped rather than rejected:
     * the grant still completes on the registered redirect with a rotated
     * session and a bearer token, and neither scope nor state appear in the
     * fragment.
     */
    @Test
    public void testAuthorizeScopeInvalid() {
        String clientId = IdUtil.toString(context.getClient().getId());
        Response authorizeResponse = target("/authorize")
                .queryParam("response_type", "token")
                .queryParam("client_id", clientId)
                .queryParam("scope", "invalid")
                .request()
                .get();
        assertNewSession(authorizeResponse);

        Response callbackResponse = followRedirect(authorizeResponse);
        assertRotatedSession(authorizeResponse, callbackResponse);

        URI redirect = callbackResponse.getLocation();
        Assert.assertEquals("http", redirect.getScheme());
        Assert.assertEquals("valid.example.com", redirect.getHost());
        Assert.assertEquals("/redirect", redirect.getPath());

        // The unknown scope is simply absent from the issued token.
        MultivaluedMap<String, String> fragment = HttpUtil.parseQueryParams(redirect.getFragment());
        assertValidBearerToken(fragment, true);
        assertValidSessionRefreshToken(fragment);
        Assert.assertFalse(fragment.containsKey("scope"));
        Assert.assertFalse(fragment.containsKey("state"));
    }

    /**
     * The opaque state value supplied by the client is returned unchanged in
     * the fragment next to the token and the granted scope, which is what
     * lets the client tie the response back to the request it issued.
     */
    @Test
    public void testAuthorizeStateSimple() {
        String state = IdUtil.toString(IdUtil.next());
        String clientId = IdUtil.toString(context.getClient().getId());
        Response authorizeResponse = target("/authorize")
                .queryParam("response_type", "token")
                .queryParam("client_id", clientId)
                .queryParam("scope", "debug")
                .queryParam("state", state)
                .request()
                .get();
        assertNewSession(authorizeResponse);

        Response callbackResponse = followRedirect(authorizeResponse);
        assertRotatedSession(authorizeResponse, callbackResponse);

        URI redirect = callbackResponse.getLocation();
        Assert.assertEquals("http", redirect.getScheme());
        Assert.assertEquals("valid.example.com", redirect.getHost());
        Assert.assertEquals("/redirect", redirect.getPath());

        MultivaluedMap<String, String> fragment = HttpUtil.parseQueryParams(redirect.getFragment());
        assertValidBearerToken(fragment, true);
        assertValidSessionRefreshToken(fragment);
        Assert.assertEquals("debug", fragment.getFirst("scope"));
        // Must come back byte-for-byte.
        Assert.assertEquals(state, fragment.getFirst("state"));
    }

    /**
     * An explicit redirect_uri matching the single registered redirect is
     * accepted: the grant completes on that URI with a rotated session and
     * the token plus the requested scope in the fragment.
     */
    @Test
    public void testAuthorizeRedirectSimple() {
        String clientId = IdUtil.toString(context.getClient().getId());
        Response authorizeResponse = target("/authorize")
                .queryParam("response_type", "token")
                .queryParam("scope", "debug")
                .queryParam("client_id", clientId)
                .queryParam("redirect_uri", "http://valid.example.com/redirect")
                .request()
                .get();
        assertNewSession(authorizeResponse);

        Response callbackResponse = followRedirect(authorizeResponse);
        assertRotatedSession(authorizeResponse, callbackResponse);

        URI redirect = callbackResponse.getLocation();
        Assert.assertEquals("http", redirect.getScheme());
        Assert.assertEquals("valid.example.com", redirect.getHost());
        Assert.assertEquals("/redirect", redirect.getPath());

        MultivaluedMap<String, String> fragment = HttpUtil.parseQueryParams(redirect.getFragment());
        assertValidBearerToken(fragment, true);
        assertValidSessionRefreshToken(fragment);
        Assert.assertEquals("debug", fragment.getFirst("scope"));
        Assert.assertFalse(fragment.containsKey("state"));
    }

    /**
     * With two registered redirects, naming one of them in redirect_uri
     * selects it: the grant completes on other.example.com with a rotated
     * session and a bearer token, and neither scope nor state in the
     * fragment.
     */
    @Test
    public void testAuthorizeRedirectMulti() {
        String clientId = IdUtil.toString(twoRedirectContext.getClient().getId());
        Response authorizeResponse = target("/authorize")
                .queryParam("response_type", "token")
                .queryParam("client_id", clientId)
                .queryParam("redirect_uri", "http://other.example.com/redirect")
                .request()
                .get();
        assertNewSession(authorizeResponse);

        Response callbackResponse = followRedirect(authorizeResponse);
        assertRotatedSession(authorizeResponse, callbackResponse);

        URI redirect = callbackResponse.getLocation();
        Assert.assertEquals("http", redirect.getScheme());
        Assert.assertEquals("other.example.com", redirect.getHost());
        Assert.assertEquals("/redirect", redirect.getPath());

        MultivaluedMap<String, String> fragment = HttpUtil.parseQueryParams(redirect.getFragment());
        assertValidBearerToken(fragment, true);
        assertValidSessionRefreshToken(fragment);
        Assert.assertFalse(fragment.containsKey("scope"));
        Assert.assertFalse(fragment.containsKey("state"));
    }

    /**
     * A client with no registered redirect and no redirect_uri in the request
     * has nowhere safe to send the browser, so the server answers 400 with a
     * JSON invalid_request error and no Location header. A session is still
     * started.
     */
    @Test
    public void testAuthorizeRedirectNoneRegistered() {
        Response response = target("/authorize")
                .queryParam("response_type", "token")
                .queryParam("client_id", IdUtil.toString(bareContext.getClient().getId()))
                .request()
                .get();
        assertNewSession(response);

        Assert.assertEquals(Response.Status.BAD_REQUEST.getStatusCode(), response.getStatus());
        Assert.assertNull(response.getLocation());
        Assert.assertEquals(MediaType.APPLICATION_JSON_TYPE, response.getMediaType());

        ErrorResponseBuilder.ErrorResponse error = response.readEntity(ErrorResponseBuilder.ErrorResponse.class);
        Assert.assertEquals("invalid_request", error.getError());
        Assert.assertNotNull(error.getErrorDescription());
    }

    /**
     * Supplying a redirect_uri for a client that has none registered is
     * refused with a 400 JSON invalid_request error and no Location header:
     * the caller-supplied URI is not used as a redirect target.
     */
    @Test
    public void testAuthorizeRedirectNoneRegisteredWithRequest() {
        Response response = target("/authorize")
                .queryParam("response_type", "token")
                .queryParam("client_id", IdUtil.toString(bareContext.getClient().getId()))
                .queryParam("redirect_uri", "http://redirect.example.com/redirect")
                .request()
                .get();
        assertNewSession(response);

        Assert.assertEquals(Response.Status.BAD_REQUEST.getStatusCode(), response.getStatus());
        Assert.assertNull(response.getLocation());
        Assert.assertEquals(MediaType.APPLICATION_JSON_TYPE, response.getMediaType());

        ErrorResponseBuilder.ErrorResponse error = response.readEntity(ErrorResponseBuilder.ErrorResponse.class);
        Assert.assertEquals("invalid_request", error.getError());
        Assert.assertNotNull(error.getErrorDescription());
    }

    /**
     * With two registered redirects and none chosen in the request, the
     * server cannot pick one and answers 400 with a JSON invalid_request
     * error and no Location header. A session is still started.
     */
    @Test
    public void testAuthorizeRedirectMultiNoneProvided() {
        Response response = target("/authorize")
                .queryParam("response_type", "token")
                .queryParam("client_id", IdUtil.toString(twoRedirectContext.getClient().getId()))
                .request()
                .get();
        assertNewSession(response);

        Assert.assertEquals(Response.Status.BAD_REQUEST.getStatusCode(), response.getStatus());
        Assert.assertNull(response.getLocation());
        Assert.assertEquals(MediaType.APPLICATION_JSON_TYPE, response.getMediaType());

        ErrorResponseBuilder.ErrorResponse error = response.readEntity(ErrorResponseBuilder.ErrorResponse.class);
        Assert.assertEquals("invalid_request", error.getError());
        Assert.assertNotNull(error.getErrorDescription());
    }

    /**
     * With a single registered redirect and none in the request, the first
     * response is a 302 to the local authenticator callback
     * (/authorize/callback). Following it rotates the session and delivers
     * the bearer token in the fragment of the final redirect, with neither
     * scope nor state present.
     */
    @Test
    public void testAuthorizeRedirectDefault() {
        String clientId = IdUtil.toString(context.getClient().getId());
        Response authorizeResponse = target("/authorize")
                .queryParam("response_type", "token")
                .queryParam("client_id", clientId)
                .request()
                .get();
        assertNewSession(authorizeResponse);
        Assert.assertEquals(Response.Status.FOUND.getStatusCode(), authorizeResponse.getStatus());

        // First hop is the local callback, not the client's redirect.
        URI callback = authorizeResponse.getLocation();
        Assert.assertEquals("http", callback.getScheme());
        Assert.assertEquals("localhost", callback.getHost());
        Assert.assertEquals("/authorize/callback", callback.getPath());

        Response callbackResponse = followRedirect(authorizeResponse);
        assertRotatedSession(authorizeResponse, callbackResponse);

        String fragmentText = callbackResponse.getLocation().getFragment();
        MultivaluedMap<String, String> fragment = HttpUtil.parseQueryParams(fragmentText);
        assertValidBearerToken(fragment, true);
        assertValidSessionRefreshToken(fragment);
        Assert.assertFalse(fragment.containsKey("scope"));
        Assert.assertFalse(fragment.containsKey("state"));
    }

    /**
     * A redirect_uri that does not match the registered redirect is refused
     * with a 400 JSON invalid_request error and no Location header, so the
     * browser is not sent to an unregistered host. A session is still
     * started.
     */
    @Test
    public void testAuthorizeRedirectInvalid() {
        Response response = target("/authorize")
                .queryParam("response_type", "token")
                .queryParam("client_id", IdUtil.toString(context.getClient().getId()))
                .queryParam("redirect_uri", "http://invalid.example.com/redirect")
                .request()
                .get();
        assertNewSession(response);

        Assert.assertEquals(Response.Status.BAD_REQUEST.getStatusCode(), response.getStatus());
        Assert.assertNull(response.getLocation());
        Assert.assertEquals(MediaType.APPLICATION_JSON_TYPE, response.getMediaType());

        ErrorResponseBuilder.ErrorResponse error = response.readEntity(ErrorResponseBuilder.ErrorResponse.class);
        Assert.assertEquals("invalid_request", error.getError());
        Assert.assertNotNull(error.getErrorDescription());
    }

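    /**
     * A client whose application defines no role is sent through the local
     * authenticator callback, but the grant then fails: the callback
     * response issues no new session and redirects with error=invalid_scope
     * and an error_description in the fragment.
     */
    @Test
    public void testAuthorizeRedirectNoRole() {
        Response response = target("/authorize")
                .queryParam("response_type", "token")
                .queryParam("client_id", IdUtil.toString(noRoleContext.getClient().getId()))
                .request()
                .get();
        assertNewSession(response);
        Assert.assertEquals(Response.Status.FOUND.getStatusCode(), response.getStatus());

        URI location = response.getLocation();
        Assert.assertEquals("http", location.getScheme());
        Assert.assertEquals("localhost", location.getHost());
        Assert.assertEquals("/authorize/callback", location.getPath());

        Response followRedirect = followRedirect(response);
        assertNoNewSession(followRedirect);

        MultivaluedMap<String, String> params = HttpUtil.parseQueryParams(followRedirect.getLocation().getFragment());
        Assert.assertTrue(params.containsKey("error"));
        Assert.assertEquals("invalid_scope", params.getFirst("error"));
        Assert.assertTrue(params.containsKey("error_description"));
    }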

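    /**
     * Requesting a scope the user's role does not grant fails after the
     * authenticator callback with error=invalid_scope in the fragment, and
     * the callback response issues no new session. The client is built from
     * the bare context so that the "debug" scope and a "test" role exist but
     * the role grants nothing.
     */
    @Test
    public void testAuthorizeRedirectRoleWithoutRequestedScope() {
        ApplicationBuilder.ApplicationContext roleWithoutScope = bareContext.getBuilder()
                .scope("debug")
                .redirect("http://valid.example.com/redirect")
                .role("test", new String[0])
                .build();
        Response response = target("/authorize")
                .queryParam("response_type", "token")
                .queryParam("scope", "debug")
                .queryParam("client_id", IdUtil.toString(roleWithoutScope.getClient().getId()))
                .request()
                .get();
        assertNewSession(response);
        Assert.assertEquals(Response.Status.FOUND.getStatusCode(), response.getStatus());

        URI location = response.getLocation();
        Assert.assertEquals("http", location.getScheme());
        Assert.assertEquals("localhost", location.getHost());
        Assert.assertEquals("/authorize/callback", location.getPath());

        Response followRedirect = followRedirect(response);
        assertNoNewSession(followRedirect);

        MultivaluedMap<String, String> params = HttpUtil.parseQueryParams(followRedirect.getLocation().getFragment());
        Assert.assertTrue(params.containsKey("error"));
        Assert.assertEquals("invalid_scope", params.getFirst("error"));
        Assert.assertTrue(params.containsKey("error_description"));
    }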

    /**
     * When no scope is requested, a role that grants none is still enough:
     * the request goes through the local callback, the session is rotated,
     * and a bearer token with no scope is delivered in the fragment.
     */
    @Test
    public void testAuthorizeRedirectRoleWantsNoScope() {
        String clientId = IdUtil.toString(roleNoScopeContext.getClient().getId());
        Response authorizeResponse = target("/authorize")
                .queryParam("response_type", "token")
                .queryParam("client_id", clientId)
                .request()
                .get();
        assertNewSession(authorizeResponse);
        Assert.assertEquals(Response.Status.FOUND.getStatusCode(), authorizeResponse.getStatus());

        URI callback = authorizeResponse.getLocation();
        Assert.assertEquals("http", callback.getScheme());
        Assert.assertEquals("localhost", callback.getHost());
        Assert.assertEquals("/authorize/callback", callback.getPath());

        Response callbackResponse = followRedirect(authorizeResponse);
        assertRotatedSession(authorizeResponse, callbackResponse);

        String fragmentText = callbackResponse.getLocation().getFragment();
        MultivaluedMap<String, String> fragment = HttpUtil.parseQueryParams(fragmentText);
        assertValidBearerToken(fragment, true);
        assertValidSessionRefreshToken(fragment);
        Assert.assertFalse(fragment.containsKey("scope"));
        Assert.assertFalse(fragment.containsKey("state"));
    }

    /**
     * Presenting the "kangaroo" cookie of an existing session that already
     * holds a user, identity, bearer token and refresh token skips the
     * authenticator hop: the response redirects straight to the registered
     * redirect with a fresh bearer token, issues a new session cookie, and
     * the old session row no longer exists.
     */
    @Test
    public void testRefreshSimpleRequest() {
        ApplicationBuilder.ApplicationContext existing = context.getBuilder()
                .user()
                .identity()
                .bearerToken()
                .refreshToken()
                .httpSession(false)
                .build();
        Response response = target("/authorize")
                .queryParam("response_type", "token")
                .queryParam("client_id", IdUtil.toString(existing.getClient().getId()))
                .request()
                .cookie("kangaroo", existing.getHttpSessionId())
                .get();
        assertNewSession(response);

        // The presented session is replaced, not reused.
        BigInteger oldSessionId = existing.getHttpSession().getId();
        Assert.assertNull(getSession().get(HttpSession.class, oldSessionId));

        URI redirect = response.getLocation();
        Assert.assertEquals("http", redirect.getScheme());
        Assert.assertEquals("valid.example.com", redirect.getHost());
        Assert.assertEquals("/redirect", redirect.getPath());

        MultivaluedMap<String, String> fragment = HttpUtil.parseQueryParams(redirect.getFragment());
        assertValidBearerToken(fragment, true);
        assertValidSessionRefreshToken(fragment);
        Assert.assertFalse(fragment.containsKey("scope"));
    }

    /**
     * Same as {@link #testRefreshSimpleRequest()} but the existing session
     * holds only a refresh token and no bearer token. The outcome is the
     * same: a new session cookie, the old session gone, and a fresh bearer
     * token on the registered redirect.
     */
    @Test
    public void testRefreshSimpleRequestWithoutBearer() {
        ApplicationBuilder.ApplicationContext existing = context.getBuilder()
                .user()
                .identity()
                .refreshToken()
                .httpSession(false)
                .build();
        Response response = target("/authorize")
                .queryParam("response_type", "token")
                .queryParam("client_id", IdUtil.toString(existing.getClient().getId()))
                .request()
                .cookie("kangaroo", existing.getHttpSessionId())
                .get();
        assertNewSession(response);

        BigInteger oldSessionId = existing.getHttpSession().getId();
        Assert.assertNull(getSession().get(HttpSession.class, oldSessionId));

        URI redirect = response.getLocation();
        Assert.assertEquals("http", redirect.getScheme());
        Assert.assertEquals("valid.example.com", redirect.getHost());
        Assert.assertEquals("/redirect", redirect.getPath());

        MultivaluedMap<String, String> fragment = HttpUtil.parseQueryParams(redirect.getFragment());
        assertValidBearerToken(fragment, true);
        assertValidSessionRefreshToken(fragment);
        Assert.assertFalse(fragment.containsKey("scope"));
    }

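    /**
     * With an existing session presented, an unknown response_type is still
     * reported as a 302 to the registered redirect with
     * error=unsupported_response_type in the fragment, and the presented
     * session is left in place rather than replaced.
     */
    @Test
    public void testRefreshResponseTypeInvalid() {
        ApplicationBuilder.ApplicationContext existing = context.getBuilder()
                .user()
                .identity()
                .bearerToken()
                .refreshToken()
                .httpSession(false)
                .build();
        Response response = target("/authorize")
                .queryParam("response_type", "invalid")
                .queryParam("client_id", IdUtil.toString(existing.getClient().getId()))
                .request()
                .cookie("kangaroo", existing.getHttpSessionId())
                .get();

        // A rejected request must not consume the caller's session.
        Assert.assertNotNull(getSession().get(HttpSession.class, existing.getHttpSession().getId()));
        Assert.assertEquals(Response.Status.FOUND.getStatusCode(), response.getStatus());

        URI location = response.getLocation();
        Assert.assertEquals("http", location.getScheme());
        Assert.assertEquals("valid.example.com", location.getHost());
        Assert.assertEquals("/redirect", location.getPath());

        MultivaluedMap<String, String> params = HttpUtil.parseQueryParams(location.getFragment());
        Assert.assertTrue(params.containsKey("error"));
        Assert.assertEquals("unsupported_response_type", params.getFirst("error"));
        Assert.assertTrue(params.containsKey("error_description"));
    }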

    /**
     * An unknown client_id is rejected with a 400 JSON invalid_client error
     * and no Location header even when a valid session cookie is presented.
     * NOTE(review): unlike testAuthorizeClientIdInvalid this test does not
     * assert anything about the session cookie on the response.
     */
    @Test
    public void testRefreshClientIdInvalid() {
        Response response = target("/authorize")
                .queryParam("response_type", "token")
                .queryParam("client_id", "invalid_client_id")
                .request()
                .cookie("kangaroo", context.getBuilder()
                        .user()
                        .identity()
                        .bearerToken()
                        .refreshToken()
                        .httpSession(false)
                        .build()
                        .getHttpSessionId())
                .get();

        Assert.assertEquals(Response.Status.BAD_REQUEST.getStatusCode(), response.getStatus());
        Assert.assertNull(response.getLocation());
        Assert.assertEquals(MediaType.APPLICATION_JSON_TYPE, response.getMediaType());

        ErrorResponseBuilder.ErrorResponse error = response.readEntity(ErrorResponseBuilder.ErrorResponse.class);
        Assert.assertEquals("invalid_client", error.getError());
        Assert.assertNotNull(error.getErrorDescription());
    }

    /**
     * With an existing session whose bearer token carries the "debug" scope,
     * requesting scope=debug again redirects straight to the registered
     * redirect with a new session cookie, a fresh bearer token and the scope
     * echoed in the fragment; no state is returned.
     */
    @Test
    public void testRefreshScopeSimple() {
        ApplicationBuilder.ApplicationContext existing = context.getBuilder()
                .user()
                .identity()
                .bearerToken("debug")
                .refreshToken()
                .httpSession(false)
                .build();
        Response response = target("/authorize")
                .queryParam("response_type", "token")
                .queryParam("client_id", IdUtil.toString(existing.getClient().getId()))
                .queryParam("scope", "debug")
                .request()
                .cookie("kangaroo", existing.getHttpSessionId())
                .get();
        assertNewSession(response);

        URI redirect = response.getLocation();
        Assert.assertEquals("http", redirect.getScheme());
        Assert.assertEquals("valid.example.com", redirect.getHost());
        Assert.assertEquals("/redirect", redirect.getPath());

        MultivaluedMap<String, String> fragment = HttpUtil.parseQueryParams(redirect.getFragment());
        assertValidBearerToken(fragment, true);
        assertValidSessionRefreshToken(fragment);
        Assert.assertEquals("debug", fragment.getFirst("scope"));
        Assert.assertFalse(fragment.containsKey("state"));
    }

    /**
     * With an existing session, requesting an unknown scope still completes
     * on the registered redirect with a bearer token, and neither scope nor
     * state appear in the fragment.
     * NOTE(review): unlike the sibling refresh tests this one reads only the
     * Location header and does not assert the response status or that a new
     * session cookie was issued.
     */
    @Test
    public void testRefreshScopeInvalid() {
        ApplicationBuilder.ApplicationContext existing = context.getBuilder()
                .user()
                .identity()
                .bearerToken("debug")
                .refreshToken()
                .httpSession(false)
                .build();
        Response response = target("/authorize")
                .queryParam("response_type", "token")
                .queryParam("client_id", IdUtil.toString(existing.getClient().getId()))
                .queryParam("scope", "invalid")
                .request()
                .cookie("kangaroo", existing.getHttpSessionId())
                .get();

        URI redirect = response.getLocation();
        Assert.assertEquals("http", redirect.getScheme());
        Assert.assertEquals("valid.example.com", redirect.getHost());
        Assert.assertEquals("/redirect", redirect.getPath());

        MultivaluedMap<String, String> fragment = HttpUtil.parseQueryParams(redirect.getFragment());
        assertValidBearerToken(fragment, true);
        assertValidSessionRefreshToken(fragment);
        Assert.assertFalse(fragment.containsKey("scope"));
        Assert.assertFalse(fragment.containsKey("state"));
    }

    /**
     * With an existing session, the state value supplied by the client is
     * returned unchanged in the fragment next to the token and the granted
     * "debug" scope, and a new session cookie is issued.
     */
    @Test
    public void testRefreshStateSimple() {
        ApplicationBuilder.ApplicationContext existing = context.getBuilder()
                .user()
                .identity()
                .bearerToken("debug")
                .refreshToken()
                .httpSession(false)
                .build();
        String state = IdUtil.toString(IdUtil.next());
        Response response = target("/authorize")
                .queryParam("response_type", "token")
                .queryParam("client_id", IdUtil.toString(existing.getClient().getId()))
                .queryParam("scope", "debug")
                .queryParam("state", state)
                .request()
                .cookie("kangaroo", existing.getHttpSessionId())
                .get();
        assertNewSession(response);

        URI redirect = response.getLocation();
        Assert.assertEquals("http", redirect.getScheme());
        Assert.assertEquals("valid.example.com", redirect.getHost());
        Assert.assertEquals("/redirect", redirect.getPath());

        MultivaluedMap<String, String> fragment = HttpUtil.parseQueryParams(redirect.getFragment());
        assertValidBearerToken(fragment, true);
        assertValidSessionRefreshToken(fragment);
        Assert.assertEquals("debug", fragment.getFirst("scope"));
        // Must come back byte-for-byte.
        Assert.assertEquals(state, fragment.getFirst("state"));
    }

    /**
     * With an existing session whose bearer token was issued for the
     * registered redirect and the "debug" scope, naming that redirect_uri
     * again redirects straight to it with a new session cookie, a fresh
     * bearer token and the scope in the fragment; no state is returned.
     */
    @Test
    public void testRefreshRedirectSimple() {
        ApplicationBuilder.ApplicationContext existing = context.getBuilder()
                .user()
                .identity()
                .token(OAuthTokenType.Bearer, false, "debug", "http://valid.example.com/redirect", null)
                .refreshToken()
                .httpSession(false)
                .build();
        Response response = target("/authorize")
                .queryParam("response_type", "token")
                .queryParam("scope", "debug")
                .queryParam("client_id", IdUtil.toString(existing.getClient().getId()))
                .queryParam("redirect_uri", "http://valid.example.com/redirect")
                .request()
                .cookie("kangaroo", existing.getHttpSessionId())
                .get();
        assertNewSession(response);

        URI redirect = response.getLocation();
        Assert.assertEquals("http", redirect.getScheme());
        Assert.assertEquals("valid.example.com", redirect.getHost());
        Assert.assertEquals("/redirect", redirect.getPath());

        MultivaluedMap<String, String> fragment = HttpUtil.parseQueryParams(redirect.getFragment());
        assertValidBearerToken(fragment, true);
        assertValidSessionRefreshToken(fragment);
        Assert.assertEquals("debug", fragment.getFirst("scope"));
        Assert.assertFalse(fragment.containsKey("state"));
    }

    /**
     * Session reuse across clients.
     *
     * <p>The browser session is seeded under {@code context}'s client, but
     * the authorization request names {@code roleNoScopeContext}'s client.
     * The flow is expected to go through a redirect, rotate the session on
     * the way, and finish at {@code http://valid.example.com/redirect} with
     * tokens in the fragment and no {@code scope} — presumably because the
     * second client's role grants none, so nothing from the first client's
     * token may leak into the response.
     */
    @Test
    public void testRefreshClientIsolation() {
        String foreignClientId =
                IdUtil.toString(roleNoScopeContext.getClient().getId());
        String sessionId = context.getBuilder()
                .user()
                .identity()
                .bearerToken()
                .refreshToken()
                .httpSession(false)
                .build()
                .getHttpSessionId();

        Response first = target("/authorize")
                .queryParam("response_type", "token")
                .queryParam("client_id", foreignClientId)
                .request()
                .cookie("kangaroo", sessionId)
                .get();
        assertNewSession(first);

        // The intermediate hop must not keep the old session identifier.
        Response second = followRedirect(first);
        assertRotatedSession(first, second);

        URI redirect = second.getLocation();
        Assert.assertEquals("http", redirect.getScheme());
        Assert.assertEquals("valid.example.com", redirect.getHost());
        Assert.assertEquals("/redirect", redirect.getPath());

        MultivaluedMap<String, String> fragment =
                HttpUtil.parseQueryParams(redirect.getFragment());
        assertValidBearerToken(fragment, true);
        assertValidSessionRefreshToken(fragment);
        Assert.assertFalse(fragment.containsKey("scope"));
    }

    /**
     * Implicit grant when the session's refresh token is no longer usable.
     *
     * <p>A bearer token is seeded, then a refresh token is attached to it
     * with the same builder call used elsewhere in this class but with the
     * boolean flag set to {@code true} (by the test name, presumably the
     * "expired" flag — confirm against the builder). Instead of issuing
     * tokens, the server is expected to send the browser to
     * {@code /authorize/callback} on localhost, i.e. back through
     * authentication rather than to the client's redirect.
     */
    @Test
    public void testRefreshWithExpiredToken() {
        ApplicationBuilder.ApplicationContext bearerContext = context.getBuilder()
                .user()
                .identity()
                .bearerToken("debug")
                .build();
        ApplicationBuilder.ApplicationContext expiredContext = bearerContext.getBuilder()
                .token(OAuthTokenType.Refresh, true, null, null, bearerContext.getToken())
                .httpSession(false)
                .build();
        String clientId = IdUtil.toString(expiredContext.getClient().getId());

        Response r = target("/authorize")
                .queryParam("response_type", "token")
                .queryParam("client_id", clientId)
                .queryParam("scope", "debug")
                .request()
                .cookie("kangaroo", expiredContext.getHttpSessionId())
                .get();

        // Not the client's redirect: the user is routed back through auth.
        URI redirect = r.getLocation();
        Assert.assertEquals("http", redirect.getScheme());
        Assert.assertEquals("localhost", redirect.getHost());
        Assert.assertEquals("/authorize/callback", redirect.getPath());
    }

    /**
     * Implicit grant when a session holds more than one refresh token.
     *
     * <p>Two refresh tokens are created on the same user; the second is
     * explicitly attached to the session so the session has two candidates.
     * Rather than picking one, the server is expected to route the browser
     * back to {@code /authorize/callback} on localhost, and the token
     * returned by {@code getToken()} (presumably the last one built) must
     * no longer exist in the database afterwards — an ambiguous session is
     * discarded, not resolved by guessing.
     */
    @Test
    public void testRefreshWithTooManyTokens() {
        ApplicationBuilder builder = context.getBuilder()
                .user()
                .identity()
                .bearerToken("debug")
                .refreshToken()
                .httpSession(false)
                .refreshToken();
        // Bind the second refresh token to the same HTTP session.
        ApplicationBuilder.ApplicationContext partial = builder.getContext();
        partial.getToken().setHttpSession(partial.getHttpSession());
        ApplicationBuilder.ApplicationContext testContext = builder.build();
        String clientId = IdUtil.toString(testContext.getClient().getId());

        Response r = target("/authorize")
                .queryParam("response_type", "token")
                .queryParam("client_id", clientId)
                .queryParam("scope", "debug")
                .request()
                .cookie("kangaroo", testContext.getHttpSessionId())
                .get();

        URI redirect = r.getLocation();
        Assert.assertEquals("http", redirect.getScheme());
        Assert.assertEquals("localhost", redirect.getHost());
        Assert.assertEquals("/authorize/callback", redirect.getPath());

        // The offending token must have been removed, not merely ignored.
        BigInteger tokenId = testContext.getToken().getId();
        Session session = getSession();
        session.beginTransaction();
        Assert.assertNull(session.get(OAuthToken.class, tokenId));
        session.getTransaction().commit();
    }
}
