package io.fusionauth.samlv2.service;

import io.fusionauth.samlv2.domain.Algorithm;
import io.fusionauth.samlv2.domain.AuthenticationRequest;
import io.fusionauth.samlv2.domain.AuthenticationResponse;
import io.fusionauth.samlv2.domain.Binding;
import io.fusionauth.samlv2.domain.LogoutRequest;
import io.fusionauth.samlv2.domain.LogoutResponse;
import io.fusionauth.samlv2.domain.MetaData;
import io.fusionauth.samlv2.domain.NameID;
import io.fusionauth.samlv2.domain.NameIDFormat;
import io.fusionauth.samlv2.domain.ResponseStatus;
import io.fusionauth.samlv2.domain.SAMLException;
import io.fusionauth.samlv2.domain.SignatureLocation;
import io.fusionauth.samlv2.domain.Status;
import io.fusionauth.samlv2.domain.jaxb.oasis.protocol.AuthnRequestType;
import io.fusionauth.samlv2.domain.jaxb.oasis.protocol.LogoutRequestType;
import io.fusionauth.samlv2.domain.jaxb.oasis.protocol.StatusResponseType;
import io.fusionauth.samlv2.util.SAMLTools;
import jakarta.xml.bind.JAXBContext;
import jakarta.xml.bind.JAXBElement;
import java.io.BufferedWriter;
import java.io.ByteArrayInputStream;
import java.io.FileWriter;
import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.RSAPublicKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Date;
import java.util.List;
import java.util.UUID;
import javax.xml.crypto.KeySelector;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.testng.Assert;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.DataProvider;
import org.testng.annotations.Test;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.xml.sax.SAXException;
import sun.security.util.KnownOIDs;
import sun.security.util.ObjectIdentifier;
import sun.security.x509.AlgorithmId;
import sun.security.x509.CertificateAlgorithmId;
import sun.security.x509.CertificateSerialNumber;
import sun.security.x509.CertificateValidity;
import sun.security.x509.CertificateVersion;
import sun.security.x509.CertificateX509Key;
import sun.security.x509.X500Name;
import sun.security.x509.X509CertImpl;
import sun.security.x509.X509CertInfo;

@Test(groups = {"unit"})
/* loaded from: input_file:io/fusionauth/samlv2/service/DefaultSAMLv2ServiceTest.class */
public class DefaultSAMLv2ServiceTest {

    /* loaded from: input_file:io/fusionauth/samlv2/service/DefaultSAMLv2ServiceTest$MockDefaultSAMLv2Service.class */
    private static class MockDefaultSAMLv2Service extends DefaultSAMLv2Service {
        public boolean lowerCaseURLEncoding = false;

        private MockDefaultSAMLv2Service() {
        }

        protected String urlEncode(String str) {
            return this.lowerCaseURLEncoding ? URLEncoder.encode(str, StandardCharsets.UTF_8).replace("%2B", "%2b").replace("%2F", "%2f").replace("%3A", "%3a").replace("%3D", "%3d") : super.urlEncode(str);
        }
    }

    @BeforeClass
    public void beforeClass() {
        System.setProperty("com.sun.org.apache.xml.internal.security.ignoreLineBreaks", "true");
    }

    /* JADX WARN: Type inference failed for: r0v1, types: [java.lang.Object[], java.lang.Object[][]] */
    @DataProvider(name = "bindings")
    public Object[][] bindings() {
        return new Object[]{new Object[]{Binding.HTTP_Redirect}, new Object[]{Binding.HTTP_POST}};
    }

    @Test
    public void buildIdPMetaData() throws Exception {
        MetaData metaData = new MetaData();
        metaData.id = UUID.randomUUID().toString();
        metaData.entityId = "https://fusionauth.io/samlv2/" + metaData.id;
        metaData.idp = new MetaData.IDPMetaData();
        metaData.idp.wantAuthnRequestsSigned = true;
        metaData.idp.postBindingSignInEndpoints.add("https://fusionauth.io/samlv2/login/POST");
        metaData.idp.redirectBindingSignInEndpoints.add("https://fusionauth.io/samlv2/login/REDIRECT");
        metaData.idp.postBindingLogoutEndpoints.add("https://fusionauth.io/samlv2/logout/POST");
        metaData.idp.redirectBindingLogoutEndpoints.add("https://fusionauth.io/samlv2/logout/REDIRECT");
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
        keyPairGenerator.initialize(2048);
        metaData.idp.certificates.add(CertificateTools.fromKeyPair(keyPairGenerator.generateKeyPair(), Algorithm.RS256, "FusionAuth"));
        DefaultSAMLv2Service defaultSAMLv2Service = new DefaultSAMLv2Service();
        String buildMetadataResponse = defaultSAMLv2Service.buildMetadataResponse(metaData);
        Assert.assertTrue(buildMetadataResponse.contains("_" + metaData.id));
        Assert.assertTrue(buildMetadataResponse.contains(metaData.entityId));
        Assert.assertTrue(buildMetadataResponse.contains((CharSequence) metaData.idp.postBindingSignInEndpoints.get(0)));
        Assert.assertTrue(buildMetadataResponse.contains((CharSequence) metaData.idp.postBindingLogoutEndpoints.get(0)));
        Assert.assertTrue(buildMetadataResponse.contains((CharSequence) metaData.idp.redirectBindingLogoutEndpoints.get(0)));
        Assert.assertTrue(buildMetadataResponse.contains((CharSequence) metaData.idp.redirectBindingLogoutEndpoints.get(0)));
        Assert.assertTrue(buildMetadataResponse.contains("<ns2:IDPSSODescriptor WantAuthnRequestsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">"));
        MetaData parseMetaData = defaultSAMLv2Service.parseMetaData(buildMetadataResponse);
        Assert.assertEquals(parseMetaData.id, "_" + metaData.id);
        Assert.assertEquals(parseMetaData.entityId, metaData.entityId);
        Assert.assertEquals(parseMetaData.idp.postBindingSignInEndpoints, metaData.idp.postBindingSignInEndpoints);
        Assert.assertEquals(parseMetaData.idp.redirectBindingSignInEndpoints, metaData.idp.redirectBindingSignInEndpoints);
        Assert.assertEquals(parseMetaData.idp.postBindingLogoutEndpoints, metaData.idp.postBindingLogoutEndpoints);
        Assert.assertEquals(parseMetaData.idp.redirectBindingLogoutEndpoints, metaData.idp.redirectBindingLogoutEndpoints);
        Assert.assertEquals(parseMetaData.idp.certificates, metaData.idp.certificates);
    }

    @Test(dataProvider = "bindings")
    public void buildLogoutRequest(Binding binding) throws Exception {
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
        keyPairGenerator.initialize(2048);
        KeyPair generateKeyPair = keyPairGenerator.generateKeyPair();
        PrivateKey privateKey = generateKeyPair.getPrivate();
        X509Certificate generateX509Certificate = generateX509Certificate(generateKeyPair);
        LogoutRequest logoutRequest = new LogoutRequest();
        logoutRequest.id = "_1245";
        logoutRequest.issuer = "https://acme.corp/saml";
        logoutRequest.sessionIndex = "42";
        DefaultSAMLv2Service defaultSAMLv2Service = new DefaultSAMLv2Service();
        String buildRedirectLogoutRequest = binding == Binding.HTTP_Redirect ? defaultSAMLv2Service.buildRedirectLogoutRequest(logoutRequest, "Relay-State-String", true, privateKey, Algorithm.RS256) : defaultSAMLv2Service.buildPostLogoutRequest(logoutRequest, true, privateKey, generateX509Certificate, Algorithm.RS256, "http://www.w3.org/2001/10/xml-exc-c14n#WithComments");
        Assert.assertNotNull(buildRedirectLogoutRequest);
        String str = buildRedirectLogoutRequest;
        if (binding == Binding.HTTP_Redirect) {
            str = URLDecoder.decode(str.substring(str.indexOf(61) + 1, str.indexOf(38)), StandardCharsets.UTF_8);
        }
        JAXBElement jAXBElement = (JAXBElement) JAXBContext.newInstance(new Class[]{AuthnRequestType.class}).createUnmarshaller().unmarshal(new ByteArrayInputStream(binding == Binding.HTTP_Redirect ? SAMLTools.decodeAndInflate(str) : SAMLTools.decode(str)));
        Assert.assertEquals(((LogoutRequestType) jAXBElement.getValue()).getID(), "_1245");
        Assert.assertEquals(((LogoutRequestType) jAXBElement.getValue()).getIssuer().getValue(), "https://acme.corp/saml");
        Assert.assertEquals(((LogoutRequestType) jAXBElement.getValue()).getSessionIndex().size(), 1);
        Assert.assertEquals((String) ((LogoutRequestType) jAXBElement.getValue()).getSessionIndex().get(0), "42");
        Assert.assertEquals(((LogoutRequestType) jAXBElement.getValue()).getVersion(), "2.0");
        if (binding == Binding.HTTP_Redirect) {
            int indexOf = buildRedirectLogoutRequest.indexOf("RelayState=");
            Assert.assertEquals(URLDecoder.decode(buildRedirectLogoutRequest.substring(indexOf + "RelayState=".length(), buildRedirectLogoutRequest.indexOf(38, indexOf)), StandardCharsets.UTF_8), "Relay-State-String");
            int indexOf2 = buildRedirectLogoutRequest.indexOf("SigAlg=");
            Assert.assertEquals(URLDecoder.decode(buildRedirectLogoutRequest.substring(indexOf2 + "SigAlg=".length(), buildRedirectLogoutRequest.indexOf(38, indexOf2)), StandardCharsets.UTF_8), "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
        }
    }

    @Test(dataProvider = "bindings")
    public void buildLogoutResponse(Binding binding) throws Exception {
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
        keyPairGenerator.initialize(2048);
        KeyPair generateKeyPair = keyPairGenerator.generateKeyPair();
        PrivateKey privateKey = generateKeyPair.getPrivate();
        X509Certificate generateX509Certificate = generateX509Certificate(generateKeyPair);
        LogoutResponse logoutResponse = new LogoutResponse();
        logoutResponse.id = "_1245";
        logoutResponse.issuer = "https://acme.corp/saml";
        logoutResponse.sessionIndex = "42";
        logoutResponse.status = new Status();
        logoutResponse.status.code = ResponseStatus.Success;
        logoutResponse.status.message = "Ok";
        DefaultSAMLv2Service defaultSAMLv2Service = new DefaultSAMLv2Service();
        String buildRedirectLogoutResponse = binding == Binding.HTTP_Redirect ? defaultSAMLv2Service.buildRedirectLogoutResponse(logoutResponse, "Relay-State-String", true, privateKey, Algorithm.RS256) : defaultSAMLv2Service.buildPostLogoutResponse(logoutResponse, true, privateKey, generateX509Certificate, Algorithm.RS256, "http://www.w3.org/2001/10/xml-exc-c14n#WithComments");
        Assert.assertNotNull(buildRedirectLogoutResponse);
        String str = buildRedirectLogoutResponse;
        if (binding == Binding.HTTP_Redirect) {
            str = URLDecoder.decode(str.substring(str.indexOf(61) + 1, str.indexOf(38)), StandardCharsets.UTF_8);
        }
        JAXBElement jAXBElement = (JAXBElement) JAXBContext.newInstance(new Class[]{AuthnRequestType.class}).createUnmarshaller().unmarshal(new ByteArrayInputStream(binding == Binding.HTTP_Redirect ? SAMLTools.decodeAndInflate(str) : SAMLTools.decode(str)));
        Assert.assertEquals(((StatusResponseType) jAXBElement.getValue()).getID(), "_1245");
        Assert.assertEquals(((StatusResponseType) jAXBElement.getValue()).getIssuer().getValue(), "https://acme.corp/saml");
        Assert.assertEquals(((StatusResponseType) jAXBElement.getValue()).getVersion(), "2.0");
        if (binding == Binding.HTTP_Redirect) {
            int indexOf = buildRedirectLogoutResponse.indexOf("RelayState=");
            Assert.assertEquals(URLDecoder.decode(buildRedirectLogoutResponse.substring(indexOf + "RelayState=".length(), buildRedirectLogoutResponse.indexOf(38, indexOf)), StandardCharsets.UTF_8), "Relay-State-String");
            int indexOf2 = buildRedirectLogoutResponse.indexOf("SigAlg=");
            Assert.assertEquals(URLDecoder.decode(buildRedirectLogoutResponse.substring(indexOf2 + "SigAlg=".length(), buildRedirectLogoutResponse.indexOf(38, indexOf2)), StandardCharsets.UTF_8), "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
        }
    }

    @Test(dataProvider = "bindings")
    public void buildRedirectAuthnRequest(Binding binding) throws Exception {
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
        keyPairGenerator.initialize(2048);
        KeyPair generateKeyPair = keyPairGenerator.generateKeyPair();
        PrivateKey privateKey = generateKeyPair.getPrivate();
        X509Certificate generateX509Certificate = generateX509Certificate(generateKeyPair);
        AuthenticationRequest authenticationRequest = new AuthenticationRequest();
        authenticationRequest.id = "foobarbaz";
        authenticationRequest.issuer = "https://local.fusionauth.io";
        DefaultSAMLv2Service defaultSAMLv2Service = new DefaultSAMLv2Service();
        String buildRedirectAuthnRequest = binding == Binding.HTTP_Redirect ? defaultSAMLv2Service.buildRedirectAuthnRequest(authenticationRequest, "Relay-State-String", true, privateKey, Algorithm.RS256) : defaultSAMLv2Service.buildPostAuthnRequest(authenticationRequest, true, privateKey, generateX509Certificate, Algorithm.RS256, "http://www.w3.org/2001/10/xml-exc-c14n#WithComments");
        Assert.assertNotNull(buildRedirectAuthnRequest);
        String str = buildRedirectAuthnRequest;
        if (binding == Binding.HTTP_Redirect) {
            str = URLDecoder.decode(str.substring(str.indexOf(61) + 1, str.indexOf(38)), StandardCharsets.UTF_8);
        }
        JAXBElement jAXBElement = (JAXBElement) JAXBContext.newInstance(new Class[]{AuthnRequestType.class}).createUnmarshaller().unmarshal(new ByteArrayInputStream(binding == Binding.HTTP_Redirect ? SAMLTools.decodeAndInflate(str) : SAMLTools.decode(str)));
        Assert.assertEquals(((AuthnRequestType) jAXBElement.getValue()).getID(), "foobarbaz");
        Assert.assertEquals(((AuthnRequestType) jAXBElement.getValue()).getIssuer().getValue(), "https://local.fusionauth.io");
        Assert.assertEquals(((AuthnRequestType) jAXBElement.getValue()).getVersion(), "2.0");
        Assert.assertFalse(((AuthnRequestType) jAXBElement.getValue()).getNameIDPolicy().isAllowCreate().booleanValue());
        if (binding == Binding.HTTP_Redirect) {
            int indexOf = buildRedirectAuthnRequest.indexOf("RelayState=");
            Assert.assertEquals(URLDecoder.decode(buildRedirectAuthnRequest.substring(indexOf + "RelayState=".length(), buildRedirectAuthnRequest.indexOf(38, indexOf)), StandardCharsets.UTF_8), "Relay-State-String");
            int indexOf2 = buildRedirectAuthnRequest.indexOf("SigAlg=");
            Assert.assertEquals(URLDecoder.decode(buildRedirectAuthnRequest.substring(indexOf2 + "SigAlg=".length(), buildRedirectAuthnRequest.indexOf(38, indexOf2)), StandardCharsets.UTF_8), "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
        }
    }

    @Test
    public void buildSPMetaData() throws Exception {
        MetaData metaData = new MetaData();
        metaData.id = UUID.randomUUID().toString();
        metaData.entityId = "https://fusionauth.io/samlv2/sp/" + metaData.id;
        metaData.sp = new MetaData.SPMetaData();
        metaData.sp.acsEndpoint = "https://fusionauth.io/oauth2/callback";
        metaData.sp.nameIDFormat = NameIDFormat.EmailAddress;
        DefaultSAMLv2Service defaultSAMLv2Service = new DefaultSAMLv2Service();
        String buildMetadataResponse = defaultSAMLv2Service.buildMetadataResponse(metaData);
        Assert.assertTrue(buildMetadataResponse.contains("_" + metaData.id));
        Assert.assertTrue(buildMetadataResponse.contains(metaData.entityId));
        Assert.assertTrue(buildMetadataResponse.contains(metaData.sp.acsEndpoint));
        Assert.assertTrue(buildMetadataResponse.contains(metaData.sp.nameIDFormat.toSAMLFormat()));
        Assert.assertTrue(buildMetadataResponse.contains("<ns2:SPSSODescriptor AuthnRequestsSigned=\"false\" WantAssertionsSigned=\"false\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">"));
        MetaData parseMetaData = defaultSAMLv2Service.parseMetaData(buildMetadataResponse);
        Assert.assertEquals(parseMetaData.id, "_" + metaData.id);
        Assert.assertEquals(parseMetaData.entityId, metaData.entityId);
        Assert.assertEquals(parseMetaData.sp.acsEndpoint, metaData.sp.acsEndpoint);
        Assert.assertEquals(parseMetaData.sp.nameIDFormat, metaData.sp.nameIDFormat);
    }

    /* JADX WARN: Type inference failed for: r0v1, types: [java.lang.Object[], java.lang.Object[][]] */
    @DataProvider(name = "maxLineLength")
    public Object[][] maxLineLength() {
        return new Object[]{new Object[]{42}, new Object[]{64}, new Object[]{76}, new Object[]{96}, new Object[]{128}};
    }

    @Test(dataProvider = "bindings")
    public void parseLogout_Request_raw(Binding binding) throws Exception {
        String str = new String(binding == Binding.HTTP_Redirect ? Files.readAllBytes(Paths.get("src/test/xml/encoded/logout-request.txt", new String[0])) : Files.readAllBytes(Paths.get("src/test/xml/encoded/logout-request-embedded-signature.txt", new String[0])), StandardCharsets.UTF_8);
        String readString = Files.readString(Paths.get("src/test/xml/signature/logout-request.txt", new String[0]));
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(Base64.getMimeDecoder().decode("MIICajCCAdOgAwIBAgIBADANBgkqhkiG9w0BAQ0FADBSMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMT25lbG9naW4gSW5jMRcwFQYDVQQDDA5zcC5leGFtcGxlLmNvbTAeFw0xNDA3MTcxNDEyNTZaFw0xNTA3MTcxNDEyNTZaMFIxCzAJBgNVBAYTAnVzMRMwEQYDVQQIDApDYWxpZm9ybmlhMRUwEwYDVQQKDAxPbmVsb2dpbiBJbmMxFzAVBgNVBAMMDnNwLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZx+ON4IUoIWxgukTb1tOiX3bMYzYQiwWPUNMp+Fq82xoNogso2bykZG0yiJm5o8zv/sd6pGouayMgkx/2FSOdc36T0jGbCHuRSbtia0PEzNIRtmViMrt3AeoWBidRXmZsxCNLwgIV6dn2WpuE5Az0bHgpZnQxTKFek0BMKU/d8wIDAQABo1AwTjAdBgNVHQ4EFgQUGHxYqZYyX7cTxKVODVgZwSTdCnwwHwYDVR0jBBgwFoAUGHxYqZYyX7cTxKVODVgZwSTdCnwwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQByFOl+hMFICbd3DJfnp2Rgd/dqttsZG/tyhILWvErbio/DEe98mXpowhTkC04ENprOyXi7ZbUqiicF89uAGyt1oqgTUCD1VsLahqIcmrzgumNyTwLGWo17WDAa1/usDhetWAMhgzF/Cnf5ek0nK00m0YZGyc4LzgD0CROMASTWNg=="));
        try {
            X509Certificate x509Certificate = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(byteArrayInputStream);
            byteArrayInputStream.close();
            Assert.assertNotNull(x509Certificate);
            PublicKey publicKey = x509Certificate.getPublicKey();
            String str2 = "SAMLRequest=" + URLEncoder.encode(str, StandardCharsets.UTF_8) + "&RelayState=" + URLEncoder.encode("http://sp.example.com/relaystate", StandardCharsets.UTF_8) + "&SigAlg=" + URLEncoder.encode(Algorithm.RS1.uri, StandardCharsets.UTF_8) + "&Signature=" + URLEncoder.encode(readString, StandardCharsets.UTF_8);
            boolean z = false;
            DefaultSAMLv2Service defaultSAMLv2Service = new DefaultSAMLv2Service();
            LogoutRequest parseLogoutRequestRedirectBinding = binding == Binding.HTTP_Redirect ? defaultSAMLv2Service.parseLogoutRequestRedirectBinding(str2, logoutRequest -> {
                return new TestRedirectBindingSignatureHelper(publicKey, z);
            }) : defaultSAMLv2Service.parseLogoutRequestPostBinding(str, logoutRequest2 -> {
                return new TestPostBindingSignatureHelper(KeySelector.singletonKeySelector(publicKey), z);
            });
            Assert.assertEquals(parseLogoutRequestRedirectBinding.id, binding == Binding.HTTP_Redirect ? "ONELOGIN_21df91a89767879fc0f7df6a1490c6000c81644d" : "pfxd4d369e8-9ea1-780c-aff8-a1d11a9862a1");
            Assert.assertEquals(parseLogoutRequestRedirectBinding.issuer, "http://sp.example.com/demo1/metadata.php");
            Assert.assertEquals(parseLogoutRequestRedirectBinding.nameIdFormat, NameIDFormat.Transient.toSAMLFormat());
            Assert.assertEquals(parseLogoutRequestRedirectBinding.version, "2.0");
            Assert.assertEquals(parseLogoutRequestRedirectBinding.xml.replace("\r\n", "\n"), (binding == Binding.HTTP_Redirect ? new String(Files.readAllBytes(Paths.get("src/test/xml/logout-request.xml", new String[0]))) : new String(Files.readAllBytes(Paths.get("src/test/xml/logout-request-embedded-signature.xml", new String[0])))).replace("\r\n", "\n"));
        } catch (Throwable th) {
            try {
                byteArrayInputStream.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    @Test
    public void parseMetaData() throws Exception {
        byte[] readAllBytes = Files.readAllBytes(Paths.get("src/test/xml/metadata.xml", new String[0]));
        DefaultSAMLv2Service defaultSAMLv2Service = new DefaultSAMLv2Service();
        Assert.assertEquals(defaultSAMLv2Service.parseMetaData(new String(readAllBytes, StandardCharsets.UTF_8)).idp.certificates.size(), 3);
        Assert.assertEquals(defaultSAMLv2Service.parseMetaData(new String(Files.readAllBytes(Paths.get("src/test/xml/metadata-2.xml", new String[0])), StandardCharsets.UTF_8)).idp.certificates.size(), 1);
    }

    @Test(enabled = false)
    public void parseRequest_compassSecurity() throws Exception {
        DefaultSAMLv2Service defaultSAMLv2Service = new DefaultSAMLv2Service();
        TestPostBindingSignatureHelper testPostBindingSignatureHelper = new TestPostBindingSignatureHelper(KeySelector.singletonKeySelector(KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(new BigInteger("23016430918823899869174537266594866915196701755262955756947374683306171050449785978041642070945082562110926617344211216571596575890159654912559343561454566120924390651417182396241104494630512996615232908509829811443784313485862019497373006302688901954848508137355590138442254765794572625586049567608157223736747587462558785268970406066201827350377828581492579969240135441642716939367190425379788145244337250560138881783025442595121210838086638484878363941229167629103738547784336822433469701246494321129732432091196962736034404069520496182669787723781485938596516343326251546340541402004104537790138422441873446220669"), new BigInteger("65537")))), true);
        AuthenticationRequest parseRequestPostBinding = defaultSAMLv2Service.parseRequestPostBinding("PHNhbWxwOkF1dGhuUmVxdWVzdCB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIg0KICAgICAgICAgICAgICAgICAgICB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBJRD0iXzdmZTUxMGNjOGU1MWFhNDE1NThhIg0KICAgICAgICAgICAgICAgICAgICBJc3N1ZUluc3RhbnQ9IjIwMjEtMDEtMjFUMTY6NDY6MDVaIiBQcm92aWRlck5hbWU9IlNpbXBsZSBTQU1MIFNlcnZpY2UgUHJvdmlkZXIiDQogICAgICAgICAgICAgICAgICAgIEFzc2VydGlvbkNvbnN1bWVyU2VydmljZVVSTD0iaHR0cDovL2xvY2FsaG9zdDo3MDcwL3NhbWwvc3NvIg0KICAgICAgICAgICAgICAgICAgICBEZXN0aW5hdGlvbj0iaHR0cDovL2xvY2FsaG9zdDo5MDExL3NhbWx2Mi9sb2dpbi81YjJlNDgzZi03NTcyLTQ4NzktODE3ZS0xYTkwYWM0NGU3NTciDQogICAgICAgICAgICAgICAgICAgIFByb3RvY29sQmluZGluZz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmJpbmRpbmdzOkhUVFAtUE9TVCIgVmVyc2lvbj0iMi4wIj4NCiAgPHNhbWw6SXNzdWVyPnVybjpleGFtcGxlOnNwPC9zYW1sOklzc3Vlcj4NCiAgPFNpZ25hdHVyZSB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+DQogICAgPFNpZ25lZEluZm8+DQogICAgICA8Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPg0KICAgICAgPFNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZHNpZy1tb3JlI3JzYS1zaGEyNTYiLz4NCiAgICAgIDxSZWZlcmVuY2UgVVJJPSIjXzdmZTUxMGNjOGU1MWFhNDE1NThhIj4NCiAgICAgICAgPFRyYW5zZm9ybXM+DQogICAgICAgICAgPFRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+DQogICAgICAgICAgPFRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPg0KICAgICAgICA8L1RyYW5zZm9ybXM+DQogICAgICAgIDxEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNzaGEyNTYiLz4NCiAgICAgICAgPERpZ2VzdFZhbHVlPjV4V2cvaWRqOGpNV2Z3ZWRmaksyQkVZa2QveUxXY2pNa2ZKK1ZmOHQrRkE9PC9EaWdlc3RWYWx1ZT4NCiAgICAgIDwvUmVmZXJlbmNlPg0KICAgIDwvU2lnbmVkSW5mbz4NCiAgICA8U2lnbmF0dXJlVmFsdWU+DQogICAgICBsZ05CSEZ4UHFueHVKRmVRa0cwN3dNY0JwZll3TkVBc2pMeWpQTTBsQit5Nm8rNEtDSzN0U2padXVSUVlNWTRJb3J6Uk95b3piZGtsRitCT2UxL0tKNFhxRGhFaXFlbUEyTGszcEliakJQbit6NDdGcER0NWdsQUVxY3NmMlI2RDhKTndkNWJxSmgxYnVITXNUQ3dIOFhPVHZpdHlxQXZrZmp4WVhNU290SDFWSWxrRWxjZFF6aXA5ZlhsZW1ZdExCdXoybG5sTHYyS01DSkRpYTlQTzZrSHQySTRBL2s0WXBNRmx2NlF0aGlPcjdlVjROOWIxVk43VUxYRHJlUS9OUDhtZWdtWGVBcWxaMC81VnlXdGRYQ1E0QUlSUVlUeW5mTlZ3TDA1VG5JOXNYZDl5WTdPbXk5WVJwdEYzaHZBWVFqd0t1ak90bjNGUnJNSldKMzRha3c9PQ0KICAgIDwvU2lnbmF0dXJlVmFsdWU+DQogICAgPEtleUluZm8+DQogICAgICA8WDUwOURhdGE+DQogICAgICAgIDxYNTA5Q2VydGlmaWNhdGU+DQogICAgICAgICAgTUlJRFV6Q0NBanVnQXdJQkFnSUpBUEowbUE2V3pPcHZNQTBHQ1NxR1NJYjNEUUVCQ3dVQU1HQXhDekFKQmdOVkJBWVRBbFZUTVJNd0VRWURWUVFJRXdwRFlXeHBabTl5Ym1saE1SWXdGQVlEVlFRSEV3MVRZVzRnUm5KaGJtTnBjMk52TVJBd0RnWURWUVFLRXdkS1lXNXJlVU52TVJJd0VBWURWUVFERXdsc2IyTmhiR2h2YzNRd0hoY05NVFF3TXpFeU1UazBOak16V2hjTk1qY3hNVEU1TVRrME5qTXpXakJnTVFzd0NRWURWUVFHRXdKVlV6RVRNQkVHQTFVRUNCTUtRMkZzYVdadmNtNXBZVEVXTUJRR0ExVUVCeE1OVTJGdUlFWnlZVzVqYVhOamJ6RVFNQTRHQTFVRUNoTUhTbUZ1YTNsRGJ6RVNNQkFHQTFVRUF4TUpiRzlqWVd4b2IzTjBNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXRsTkR5NERSMnRoWjJERGNpSVRvZlVwd1laY25Yay85cHFEdDhWMTZqQkQwMnVPZC9UZHlzZ2lLTGpyWlpiQy9YME9YMUVGZTVkTjY1VXJMT0RRQkJ6WjMvOFBZejY4MTlNS2M5aXJWOCs3MzJINWRHd3pnbVlCWUQrcXFmNEJjUjM2TDdUam1Pd2prZSsxY01jR2crV1hWU1hRTS9kalN4aFFIaldOamtSdDFUL21MZmxxTXFwb3B6Y21BUFFETEVIRXJ0dWFtOVh0dWRqaUZNOHI1anp2bXUvVXBJUGliYndBWThxM3NUUHBFN0pCTHI2SXk0cEJBY2lMbFhhNE5yRFE4YUw4akZwaWhqdm0rdUhWTUhNR215bkdpY0dRTGdyRktPV3M2NTVtVlZXWGZET2U2SjVwaUJYcjFteW5uQnN0ZGRTYWxaNWFMQVdGOGc2c3pmUUlEQVFBQm94QXdEakFNQmdOVkhSTUJBZjhFQWpBQU1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQ2xaeStnTVlrTmZvK2RRakV1dmJ2eDYyTU1SM1dka3BmZXk0M1pnUHF4MTh2cEcwUDdhSXFUeWJreFRraGkvQXc4cExEY0l2QVBaSHFsTWZMQ05Cci80K3NucXJMbzNPaUdaSTFobDlRT0czaFFta3JqVDEwaGx5WFJTM29UbmpENWJoRGoraW5iRzFpOVFSSzdQTzBQUXFXaElLZ3J0THlZcDNXdlM2WjljWVh3UXQ1RmNZYmhLcCtDK2t2Q3pxK1RmYlFhbWx2ZWhXakJVTlIyN0NFMTFNLy9XVEYwbmZiT0Z1MzJFQzZrQjBFR2Q2UFRJd2h0eTJ6SHhnKyt1WU1qQVVMK1pOdU5pYU1jMzU1b1h2THRoMXE1cmszR2EzdW5wQmptUTdvYlUyLzQvV2RKblBmdmxEMmt0QVYvUzVkVlNLU0RObWthZzhJWDBuSGIvMUZODQogICAgICAgIDwvWDUwOUNlcnRpZmljYXRlPg0KICAgICAgPC9YNTA5RGF0YT4NCiAgICA8L0tleUluZm8+DQogIDwvU2lnbmF0dXJlPg0KICA8c2FtbHA6TmFtZUlEUG9saWN5IEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4xOm5hbWVpZC1mb3JtYXQ6ZW1haWxBZGRyZXNzIiBBbGxvd0NyZWF0ZT0idHJ1ZSIvPg0KICA8c2FtbHA6UmVxdWVzdGVkQXV0aG5Db250ZXh0IENvbXBhcmlzb249ImV4YWN0Ij4NCiAgICA8c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZFByb3RlY3RlZFRyYW5zcG9ydA0KICAgIDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj4NCiAgPC9zYW1scDpSZXF1ZXN0ZWRBdXRobkNvbnRleHQ+DQo8L3NhbWxwOkF1dGhuUmVxdWVzdD4=", authenticationRequest -> {
            return testPostBindingSignatureHelper;
        });
        Assert.assertEquals(parseRequestPostBinding.id, "_7fe510cc8e51aa41558a");
        Assert.assertEquals(parseRequestPostBinding.issuer, "urn:example:sp");
        Assert.assertEquals(parseRequestPostBinding.nameIdFormat, NameIDFormat.EmailAddress.toSAMLFormat());
        Assert.assertEquals(parseRequestPostBinding.version, "2.0");
    }

    @Test
    public void parseRequest_expandedEntity() throws Exception {
        try {
            Assert.fail("Expected an exception because we are declaring a DOCTYPE and expanding an entity. The issuer is now set to [" + new DefaultSAMLv2Service().parseRequestRedirectBinding("SAMLRequest=" + URLEncoder.encode(SAMLTools.deflateAndEncode(Files.readAllBytes(Paths.get("src/test/xml/authn-request-expanded-entity.xml", new String[0]))), StandardCharsets.UTF_8), authenticationRequest -> {
                return new TestRedirectBindingSignatureHelper();
            }).issuer + "] which is not good.");
        } catch (SAMLException e) {
            Assert.assertEquals(e.getMessage(), "Unable to parse SAML v2.0 document.");
            Assert.assertEquals(e.getCause().getClass().getCanonicalName(), "org.xml.sax.SAXParseException");
            Assert.assertEquals(e.getCause().getMessage(), "DOCTYPE is disallowed when the feature \"http://apache.org/xml/features/disallow-doctype-decl\" set to true.");
        }
    }

    @Test
    public void parseRequest_externalDTD() throws Exception {
        try {
            try {
                Path createTempFile = Files.createTempFile("readThisFile", ".tmp", new FileAttribute[0]);
                BufferedWriter bufferedWriter = new BufferedWriter(new FileWriter(createTempFile.toFile()));
                try {
                    bufferedWriter.write("You've been pwned.");
                    bufferedWriter.close();
                    Assert.fail("Expected an exception because we are declaring a DOCTYPE. The issuer is now set to [" + new DefaultSAMLv2Service().parseRequestRedirectBinding("SAMLRequest=" + URLEncoder.encode(SAMLTools.deflateAndEncode(new String(Files.readAllBytes(Paths.get("src/test/xml/authn-request-external-dtd.xml", new String[0]))).replace("{{tempFile}}", createTempFile.toFile().getAbsolutePath()).getBytes(StandardCharsets.UTF_8)), StandardCharsets.UTF_8), authenticationRequest -> {
                        return new TestRedirectBindingSignatureHelper();
                    }).issuer + "] which is not good.");
                    if (createTempFile != null) {
                        Files.deleteIfExists(createTempFile);
                    }
                } catch (Throwable th) {
                    try {
                        bufferedWriter.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                    throw th;
                }
            } catch (SAMLException e) {
                Assert.assertEquals(e.getMessage(), "Unable to parse SAML v2.0 document.");
                Assert.assertEquals(e.getCause().getClass().getCanonicalName(), "org.xml.sax.SAXParseException");
                Assert.assertEquals(e.getCause().getMessage(), "DOCTYPE is disallowed when the feature \"http://apache.org/xml/features/disallow-doctype-decl\" set to true.");
                if (0 != 0) {
                    Files.deleteIfExists(null);
                }
            }
        } catch (Throwable th3) {
            if (0 != 0) {
                Files.deleteIfExists(null);
            }
            throw th3;
        }
    }

    @Test
    public void parseRequest_hasDocType() throws Exception {
        try {
            new DefaultSAMLv2Service().parseRequestRedirectBinding("SAMLRequest=" + URLEncoder.encode(SAMLTools.deflateAndEncode(Files.readAllBytes(Paths.get("src/test/xml/authn-request-has-doctype.xml", new String[0]))), StandardCharsets.UTF_8), authenticationRequest -> {
                return new TestRedirectBindingSignatureHelper();
            });
            Assert.fail("expected an exception because we are declaring a DOCTYPE");
        } catch (SAMLException e) {
            Assert.assertEquals(e.getMessage(), "Unable to parse SAML v2.0 document.");
            Assert.assertEquals(e.getCause().getClass().getCanonicalName(), "org.xml.sax.SAXParseException");
            Assert.assertEquals(e.getCause().getMessage(), "DOCTYPE is disallowed when the feature \"http://apache.org/xml/features/disallow-doctype-decl\" set to true.");
        }
    }

    @Test(dataProvider = "maxLineLength")
    public void parseRequest_includeLineReturns(int i) throws Exception {
        String str = new String(Files.readAllBytes(Paths.get("src/test/xml/authn-request-control.xml", new String[0])));
        String str2 = new String(Files.readAllBytes(Paths.get("src/test/xml/deflated/authn-request-control.txt", new String[0])));
        ArrayList arrayList = new ArrayList();
        int i2 = 0;
        while (true) {
            int i3 = i2;
            if (i3 >= str2.length()) {
                AuthenticationRequest parseRequestRedirectBinding = new DefaultSAMLv2Service().parseRequestRedirectBinding("SAMLRequest=" + URLEncoder.encode(String.join("\n", arrayList), StandardCharsets.UTF_8), authenticationRequest -> {
                    return new TestRedirectBindingSignatureHelper();
                });
                Assert.assertEquals(parseRequestRedirectBinding.id, "_809707f0030a5d00620c9d9df97f627afe9dcc24");
                Assert.assertEquals(parseRequestRedirectBinding.issuer, "http://sp.example.com/demo1/metadata.php");
                Assert.assertEquals(parseRequestRedirectBinding.nameIdFormat, NameIDFormat.EmailAddress.toSAMLFormat());
                Assert.assertEquals(parseRequestRedirectBinding.version, "2.0");
                Assert.assertEquals(parseRequestRedirectBinding.xml.replace("\r\n", "\n"), str.replace("\r\n", "\n"));
                return;
            }
            arrayList.add(str2.substring(i3, Math.min(i3 + i, str2.length())));
            i2 = i3 + i;
        }
    }

    @Test(dataProvider = "bindings")
    public void parseRequest_noNameIdPolicy(Binding binding) throws Exception {
        String str = new String(Files.readAllBytes(Paths.get("src/test/xml/authn-request-noNameIdPolicy.xml", new String[0])));
        String str2 = new String(Files.readAllBytes(binding == Binding.HTTP_Redirect ? Paths.get("src/test/xml/deflated/authn-request-noNameIdPolicy.txt", new String[0]) : Paths.get("src/test/xml/encoded/authn-request-noNameIdPolicy.txt", new String[0])));
        DefaultSAMLv2Service defaultSAMLv2Service = new DefaultSAMLv2Service();
        AuthenticationRequest parseRequestRedirectBinding = binding == Binding.HTTP_Redirect ? defaultSAMLv2Service.parseRequestRedirectBinding("SAMLRequest=" + URLEncoder.encode(str2, StandardCharsets.UTF_8), authenticationRequest -> {
            return new TestRedirectBindingSignatureHelper();
        }) : defaultSAMLv2Service.parseRequestPostBinding(str2, authenticationRequest2 -> {
            return new TestPostBindingSignatureHelper();
        });
        Assert.assertEquals(parseRequestRedirectBinding.id, "id_4c6e5aa3");
        Assert.assertEquals(parseRequestRedirectBinding.issuer, "https://medallia.com/sso/mlg");
        Assert.assertEquals(parseRequestRedirectBinding.nameIdFormat, NameIDFormat.EmailAddress.toSAMLFormat());
        Assert.assertEquals(parseRequestRedirectBinding.version, "2.0");
        Assert.assertEquals(parseRequestRedirectBinding.xml.replace("\r\n", "\n"), str.replace("\r\n", "\n"));
    }

    @Test(dataProvider = "bindings")
    public void parseRequest_verifySignature(Binding binding) throws Exception {
        String str = new String(Files.readAllBytes(binding == Binding.HTTP_Redirect ? Paths.get("src/test/xml/authn-request-redirect-signed.xml", new String[0]) : Paths.get("src/test/xml/authn-request-post-signed.xml", new String[0])));
        String str2 = new String(Files.readAllBytes(binding == Binding.HTTP_Redirect ? Paths.get("src/test/xml/relay-state/authn-request-redirect.txt", new String[0]) : Paths.get("src/test/xml/relay-state/authn-request-post.txt", new String[0])));
        String str3 = new String(Files.readAllBytes(binding == Binding.HTTP_Redirect ? Paths.get("src/test/xml/deflated/authn-request-signed.txt", new String[0]) : Paths.get("src/test/xml/encoded/authn-request-signed.txt", new String[0])));
        String str4 = new String(Files.readAllBytes(binding == Binding.HTTP_Redirect ? Paths.get("src/test/xml/signature/authn-request-redirect.txt", new String[0]) : Paths.get("src/test/xml/signature/authn-request-post.txt", new String[0])));
        PublicKey generatePublic = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(Base64.getMimeDecoder().decode(Files.readAllBytes(binding == Binding.HTTP_Redirect ? Paths.get("src/test/xml/public-key/authn-request-redirect.txt", new String[0]) : Paths.get("src/test/xml/public-key/authn-request-post.txt", new String[0])))));
        String str5 = "SAMLRequest=" + URLEncoder.encode(str3, StandardCharsets.UTF_8) + "&RelayState=" + URLEncoder.encode(str2, StandardCharsets.UTF_8) + "&SigAlg=" + URLEncoder.encode(Algorithm.RS256.uri, StandardCharsets.UTF_8) + "&Signature=" + URLEncoder.encode(str4, StandardCharsets.UTF_8);
        DefaultSAMLv2Service defaultSAMLv2Service = new DefaultSAMLv2Service();
        AuthenticationRequest parseRequestRedirectBinding = binding == Binding.HTTP_Redirect ? defaultSAMLv2Service.parseRequestRedirectBinding(str5, authenticationRequest -> {
            return new TestRedirectBindingSignatureHelper(generatePublic, true);
        }) : defaultSAMLv2Service.parseRequestPostBinding(str3, authenticationRequest2 -> {
            return new TestPostBindingSignatureHelper(KeySelector.singletonKeySelector(generatePublic), true);
        });
        Assert.assertEquals(parseRequestRedirectBinding.id, binding == Binding.HTTP_Redirect ? "ID_025417c8-50c8-4916-bfe0-e05694f8cea7" : "ID_26d69170-fc73-4b62-8bb6-c72769216134");
        Assert.assertEquals(parseRequestRedirectBinding.issuer, "http://localhost:8080/auth/realms/master");
        Assert.assertEquals(parseRequestRedirectBinding.nameIdFormat, NameIDFormat.EmailAddress.toSAMLFormat());
        Assert.assertEquals(parseRequestRedirectBinding.version, "2.0");
        Assert.assertEquals(parseRequestRedirectBinding.xml.replace("\r\n", "\n"), str.replace("\r\n", "\n"));
    }

    @Test(dataProvider = "bindings")
    public void parseRequest_verifySignature_badSignature(Binding binding) throws Exception {
        String str = new String(Files.readAllBytes(binding == Binding.HTTP_Redirect ? Paths.get("src/test/xml/relay-state/authn-request-redirect.txt", new String[0]) : Paths.get("src/test/xml/relay-state/authn-request-post.txt", new String[0])));
        String str2 = new String(Files.readAllBytes(binding == Binding.HTTP_Redirect ? Paths.get("src/test/xml/deflated/authn-request-signed.txt", new String[0]) : Paths.get("src/test/xml/encoded/authn-request-signed-badSignature.txt", new String[0])));
        PublicKey generatePublic = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(Base64.getMimeDecoder().decode(Files.readAllBytes(binding == Binding.HTTP_Redirect ? Paths.get("src/test/xml/public-key/authn-request-redirect.txt", new String[0]) : Paths.get("src/test/xml/public-key/authn-request-post.txt", new String[0])))));
        try {
            DefaultSAMLv2Service defaultSAMLv2Service = new DefaultSAMLv2Service();
            if (binding == Binding.HTTP_Redirect) {
                defaultSAMLv2Service.parseRequestRedirectBinding("SAMLRequest=" + URLEncoder.encode(str2, StandardCharsets.UTF_8) + "&RelayState=" + URLEncoder.encode(str, StandardCharsets.UTF_8) + "&SigAlg=" + URLEncoder.encode("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", StandardCharsets.UTF_8) + "&Signature=" + URLEncoder.encode(new String(Files.readAllBytes(Paths.get("src/test/xml/signature/authn-request-redirect-bad.txt", new String[0]))), StandardCharsets.UTF_8), authenticationRequest -> {
                    return new TestRedirectBindingSignatureHelper(generatePublic, true);
                });
            } else {
                defaultSAMLv2Service.parseRequestPostBinding(str2, authenticationRequest2 -> {
                    return new TestPostBindingSignatureHelper(KeySelector.singletonKeySelector(generatePublic), true);
                });
            }
            Assert.fail("Should have failed signature validation");
        } catch (SAMLException e) {
            Assert.assertEquals(e.getMessage(), "Invalid SAML v2.0 operation. The signature is invalid.");
        }
    }

    @Test(dataProvider = "bindings")
    public void parseRequest_withNameIdPolicy(Binding binding) throws Exception {
        String str = new String(Files.readAllBytes(Paths.get("src/test/xml/authn-request-control.xml", new String[0])));
        String str2 = new String(Files.readAllBytes(binding == Binding.HTTP_Redirect ? Paths.get("src/test/xml/deflated/authn-request-control.txt", new String[0]) : Paths.get("src/test/xml/encoded/authn-request-control.txt", new String[0])));
        String str3 = "SAMLRequest=" + URLEncoder.encode(str2, StandardCharsets.UTF_8);
        DefaultSAMLv2Service defaultSAMLv2Service = new DefaultSAMLv2Service();
        AuthenticationRequest parseRequestRedirectBinding = binding == Binding.HTTP_Redirect ? defaultSAMLv2Service.parseRequestRedirectBinding(str3, authenticationRequest -> {
            return new TestRedirectBindingSignatureHelper();
        }) : defaultSAMLv2Service.parseRequestPostBinding(str2, authenticationRequest2 -> {
            return new TestPostBindingSignatureHelper();
        });
        Assert.assertEquals(parseRequestRedirectBinding.id, "_809707f0030a5d00620c9d9df97f627afe9dcc24");
        Assert.assertEquals(parseRequestRedirectBinding.issuer, "http://sp.example.com/demo1/metadata.php");
        Assert.assertEquals(parseRequestRedirectBinding.nameIdFormat, NameIDFormat.EmailAddress.toSAMLFormat());
        Assert.assertEquals(parseRequestRedirectBinding.version, "2.0");
        Assert.assertEquals(parseRequestRedirectBinding.xml.replace("\r\n", "\n"), str.replace("\r\n", "\n"));
    }

    @Test
    public void parseResponse() throws Exception {
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        InputStream newInputStream = Files.newInputStream(Paths.get("src/test/certificates/certificate.cer", new String[0]), new OpenOption[0]);
        try {
            PublicKey publicKey = certificateFactory.generateCertificate(newInputStream).getPublicKey();
            if (newInputStream != null) {
                newInputStream.close();
            }
            AuthenticationResponse parseResponse = new DefaultSAMLv2Service().parseResponse(new String(Files.readAllBytes(Paths.get("src/test/xml/encodedResponse.txt", new String[0]))), true, KeySelector.singletonKeySelector(publicKey));
            Assert.assertEquals(parseResponse.destination, "https://local.fusionauth.io/oauth2/callback");
            Assert.assertTrue(parseResponse.assertion.conditions.notBefore.isBefore(ZonedDateTime.now(ZoneOffset.UTC)));
            Assert.assertTrue(ZonedDateTime.now(ZoneOffset.UTC).isAfter(parseResponse.assertion.conditions.notOnOrAfter));
            Assert.assertTrue(parseResponse.issueInstant.isBefore(ZonedDateTime.now(ZoneOffset.UTC)));
            Assert.assertEquals(parseResponse.issuer, "https://sts.windows.net/c2150111-3c44-4508-9f08-790cb4032a23/");
            Assert.assertEquals(parseResponse.status.code, ResponseStatus.Success);
            Assert.assertEquals((String) ((List) parseResponse.assertion.attributes.get("http://schemas.microsoft.com/identity/claims/displayname")).get(0), "Brian Pontarelli");
            Assert.assertEquals((String) ((List) parseResponse.assertion.attributes.get("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname")).get(0), "Brian");
            Assert.assertEquals((String) ((List) parseResponse.assertion.attributes.get("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname")).get(0), "Pontarelli");
            Assert.assertEquals((String) ((List) parseResponse.assertion.attributes.get("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress")).get(0), "brian@inversoft.com");
            Assert.assertNotNull(parseResponse.assertion.subject.nameIDs);
            Assert.assertEquals(parseResponse.assertion.subject.nameIDs.size(), 1);
            Assert.assertEquals(((NameID) parseResponse.assertion.subject.nameIDs.get(0)).format, NameIDFormat.EmailAddress.toSAMLFormat());
        } catch (Throwable th) {
            if (newInputStream != null) {
                try {
                    newInputStream.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void parseResponse_handleNilAttribute() throws Exception {
        AuthenticationResponse parseResponse = new DefaultSAMLv2Service().parseResponse(new String(Files.readAllBytes(Paths.get("src/test/xml/deflated/example-response.txt", new String[0]))), false, (KeySelector) null);
        Assert.assertEquals(parseResponse.destination, "http://sp.example.com/demo1/index.php?acs");
        Assert.assertTrue(parseResponse.assertion.conditions.notBefore.isBefore(ZonedDateTime.now(ZoneOffset.UTC)));
        Assert.assertEquals(parseResponse.issuer, "http://idp.example.com/metadata.php");
        Assert.assertEquals(parseResponse.status.code, ResponseStatus.Success);
        Assert.assertEquals(((List) parseResponse.assertion.attributes.get("uid")).size(), 1);
        Assert.assertEquals((String) ((List) parseResponse.assertion.attributes.get("uid")).get(0), "test");
        Assert.assertEquals(((List) parseResponse.assertion.attributes.get("mail")).size(), 1);
        Assert.assertEquals((String) ((List) parseResponse.assertion.attributes.get("mail")).get(0), "test@example.com");
        Assert.assertEquals(((List) parseResponse.assertion.attributes.get("eduPersonAffiliation")).size(), 2);
        Assert.assertEquals((String) ((List) parseResponse.assertion.attributes.get("eduPersonAffiliation")).get(0), "users");
        Assert.assertEquals((String) ((List) parseResponse.assertion.attributes.get("eduPersonAffiliation")).get(1), "examplerole1");
        Assert.assertEquals(((List) parseResponse.assertion.attributes.get("memberOf")).size(), 1);
        Assert.assertEquals((String) ((List) parseResponse.assertion.attributes.get("memberOf")).get(0), "");
        Assert.assertEquals(((List) parseResponse.assertion.attributes.get("PersonImmutableID")).size(), 1);
        Assert.assertNull(((List) parseResponse.assertion.attributes.get("PersonImmutableID")).get(0));
        Assert.assertNotNull(parseResponse.assertion.subject.nameIDs);
        Assert.assertEquals(parseResponse.assertion.subject.nameIDs.size(), 1);
        Assert.assertEquals(((NameID) parseResponse.assertion.subject.nameIDs.get(0)).format, NameIDFormat.Transient.toSAMLFormat());
    }

    @Test(dataProvider = "maxLineLength")
    public void parseResponse_includeLineReturns(int i) throws Exception {
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        InputStream newInputStream = Files.newInputStream(Paths.get("src/test/certificates/certificate.cer", new String[0]), new OpenOption[0]);
        try {
            PublicKey publicKey = certificateFactory.generateCertificate(newInputStream).getPublicKey();
            if (newInputStream != null) {
                newInputStream.close();
            }
            String str = new String(Files.readAllBytes(Paths.get("src/test/xml/encodedResponse.txt", new String[0])));
            ArrayList arrayList = new ArrayList();
            int i2 = 0;
            while (true) {
                int i3 = i2;
                if (i3 >= str.length()) {
                    AuthenticationResponse parseResponse = new DefaultSAMLv2Service().parseResponse(String.join("\n", arrayList), true, KeySelector.singletonKeySelector(publicKey));
                    Assert.assertEquals(parseResponse.destination, "https://local.fusionauth.io/oauth2/callback");
                    Assert.assertTrue(parseResponse.assertion.conditions.notBefore.isBefore(ZonedDateTime.now(ZoneOffset.UTC)));
                    Assert.assertTrue(ZonedDateTime.now(ZoneOffset.UTC).isAfter(parseResponse.assertion.conditions.notOnOrAfter));
                    Assert.assertTrue(parseResponse.issueInstant.isBefore(ZonedDateTime.now(ZoneOffset.UTC)));
                    Assert.assertEquals(parseResponse.issuer, "https://sts.windows.net/c2150111-3c44-4508-9f08-790cb4032a23/");
                    Assert.assertEquals(parseResponse.status.code, ResponseStatus.Success);
                    Assert.assertEquals((String) ((List) parseResponse.assertion.attributes.get("http://schemas.microsoft.com/identity/claims/displayname")).get(0), "Brian Pontarelli");
                    Assert.assertEquals((String) ((List) parseResponse.assertion.attributes.get("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname")).get(0), "Brian");
                    Assert.assertEquals((String) ((List) parseResponse.assertion.attributes.get("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname")).get(0), "Pontarelli");
                    Assert.assertEquals((String) ((List) parseResponse.assertion.attributes.get("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress")).get(0), "brian@inversoft.com");
                    Assert.assertNotNull(parseResponse.assertion.subject.nameIDs);
                    Assert.assertEquals(parseResponse.assertion.subject.nameIDs.size(), 1);
                    Assert.assertEquals(((NameID) parseResponse.assertion.subject.nameIDs.get(0)).format, NameIDFormat.EmailAddress.toSAMLFormat());
                    return;
                }
                arrayList.add(str.substring(i3, Math.min(i3 + i, str.length())));
                i2 = i3 + i;
            }
        } catch (Throwable th) {
            if (newInputStream != null) {
                try {
                    newInputStream.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void parseResponse_signatureCheck_badSignature() throws Exception {
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        InputStream newInputStream = Files.newInputStream(Paths.get("src/test/certificates/certificate.cer", new String[0]), new OpenOption[0]);
        try {
            PublicKey publicKey = certificateFactory.generateCertificate(newInputStream).getPublicKey();
            if (newInputStream != null) {
                newInputStream.close();
            }
            String str = new String(Files.readAllBytes(Paths.get("src/test/xml/encodedResponse-badSignature.txt", new String[0])));
            try {
                new DefaultSAMLv2Service().parseResponse(str, true, KeySelector.singletonKeySelector(publicKey));
                Assert.fail("Should have thrown an exception");
            } catch (SAMLException e) {
                Assert.assertEquals(e.getMessage(), "Invalid SAML v2.0 operation. The signature is invalid.");
            }
        } catch (Throwable th) {
            if (newInputStream != null) {
                try {
                    newInputStream.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void parseResponse_signatureCheck_missing() throws Exception {
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        InputStream newInputStream = Files.newInputStream(Paths.get("src/test/certificates/certificate.cer", new String[0]), new OpenOption[0]);
        try {
            PublicKey publicKey = certificateFactory.generateCertificate(newInputStream).getPublicKey();
            if (newInputStream != null) {
                newInputStream.close();
            }
            String str = new String(Files.readAllBytes(Paths.get("src/test/xml/encodedResponse-signatureRemoved.txt", new String[0])));
            try {
                new DefaultSAMLv2Service().parseResponse(str, true, KeySelector.singletonKeySelector(publicKey));
                Assert.fail("Should have thrown an exception");
            } catch (SAMLException e) {
                Assert.assertEquals(e.getMessage(), "Invalid SAML v2.0 operation. The signature is missing from the XML but is required.");
            }
        } catch (Throwable th) {
            if (newInputStream != null) {
                try {
                    newInputStream.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test(dataProvider = "bindings")
    public void parse_LogoutRequest(Binding binding) throws Exception {
        byte[] readAllBytes = binding == Binding.HTTP_Redirect ? Files.readAllBytes(Paths.get("src/test/xml/logout-request.xml", new String[0])) : Files.readAllBytes(Paths.get("src/test/xml/logout-request-embedded-signature.xml", new String[0]));
        String deflateAndEncode = binding == Binding.HTTP_Redirect ? SAMLTools.deflateAndEncode(readAllBytes) : SAMLTools.encode(readAllBytes);
        String readString = Files.readString(Paths.get("src/test/xml/signature/logout-request.txt", new String[0]));
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(Base64.getMimeDecoder().decode("MIICajCCAdOgAwIBAgIBADANBgkqhkiG9w0BAQ0FADBSMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMT25lbG9naW4gSW5jMRcwFQYDVQQDDA5zcC5leGFtcGxlLmNvbTAeFw0xNDA3MTcxNDEyNTZaFw0xNTA3MTcxNDEyNTZaMFIxCzAJBgNVBAYTAnVzMRMwEQYDVQQIDApDYWxpZm9ybmlhMRUwEwYDVQQKDAxPbmVsb2dpbiBJbmMxFzAVBgNVBAMMDnNwLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZx+ON4IUoIWxgukTb1tOiX3bMYzYQiwWPUNMp+Fq82xoNogso2bykZG0yiJm5o8zv/sd6pGouayMgkx/2FSOdc36T0jGbCHuRSbtia0PEzNIRtmViMrt3AeoWBidRXmZsxCNLwgIV6dn2WpuE5Az0bHgpZnQxTKFek0BMKU/d8wIDAQABo1AwTjAdBgNVHQ4EFgQUGHxYqZYyX7cTxKVODVgZwSTdCnwwHwYDVR0jBBgwFoAUGHxYqZYyX7cTxKVODVgZwSTdCnwwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQByFOl+hMFICbd3DJfnp2Rgd/dqttsZG/tyhILWvErbio/DEe98mXpowhTkC04ENprOyXi7ZbUqiicF89uAGyt1oqgTUCD1VsLahqIcmrzgumNyTwLGWo17WDAa1/usDhetWAMhgzF/Cnf5ek0nK00m0YZGyc4LzgD0CROMASTWNg=="));
        try {
            X509Certificate x509Certificate = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(byteArrayInputStream);
            byteArrayInputStream.close();
            Assert.assertNotNull(x509Certificate);
            PublicKey publicKey = x509Certificate.getPublicKey();
            String str = "SAMLRequest=" + URLEncoder.encode(deflateAndEncode, StandardCharsets.UTF_8) + "&RelayState=" + URLEncoder.encode("http://sp.example.com/relaystate", StandardCharsets.UTF_8) + "&SigAlg=" + URLEncoder.encode(Algorithm.RS1.uri, StandardCharsets.UTF_8) + "&Signature=" + URLEncoder.encode(readString, StandardCharsets.UTF_8);
            boolean z = false;
            DefaultSAMLv2Service defaultSAMLv2Service = new DefaultSAMLv2Service();
            LogoutRequest parseLogoutRequestRedirectBinding = binding == Binding.HTTP_Redirect ? defaultSAMLv2Service.parseLogoutRequestRedirectBinding(str, logoutRequest -> {
                return new TestRedirectBindingSignatureHelper(publicKey, z);
            }) : defaultSAMLv2Service.parseLogoutRequestPostBinding(deflateAndEncode, logoutRequest2 -> {
                return new TestPostBindingSignatureHelper(KeySelector.singletonKeySelector(publicKey), z);
            });
            Assert.assertEquals(parseLogoutRequestRedirectBinding.id, binding == Binding.HTTP_Redirect ? "ONELOGIN_21df91a89767879fc0f7df6a1490c6000c81644d" : "pfxd4d369e8-9ea1-780c-aff8-a1d11a9862a1");
            Assert.assertEquals(parseLogoutRequestRedirectBinding.issuer, "http://sp.example.com/demo1/metadata.php");
            Assert.assertEquals(parseLogoutRequestRedirectBinding.nameIdFormat, NameIDFormat.Transient.toSAMLFormat());
            Assert.assertEquals(parseLogoutRequestRedirectBinding.version, "2.0");
            Assert.assertEquals(parseLogoutRequestRedirectBinding.xml.replace("\r\n", "\n"), new String(readAllBytes, StandardCharsets.UTF_8).replace("\r\n", "\n"));
        } catch (Throwable th) {
            try {
                byteArrayInputStream.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    @Test(dataProvider = "bindings")
    public void parse_LogoutResponse(Binding binding) throws Exception {
        byte[] readAllBytes = binding == Binding.HTTP_Redirect ? Files.readAllBytes(Paths.get("src/test/xml/logout-response.xml", new String[0])) : Files.readAllBytes(Paths.get("src/test/xml/logout-response-embedded-signature.xml", new String[0]));
        String deflateAndEncode = binding == Binding.HTTP_Redirect ? SAMLTools.deflateAndEncode(readAllBytes) : SAMLTools.encode(readAllBytes);
        String readString = Files.readString(Paths.get("src/test/xml/signature/logout-response.txt", new String[0]));
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(Base64.getMimeDecoder().decode("MIICajCCAdOgAwIBAgIBADANBgkqhkiG9w0BAQ0FADBSMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMT25lbG9naW4gSW5jMRcwFQYDVQQDDA5zcC5leGFtcGxlLmNvbTAeFw0xNDA3MTcxNDEyNTZaFw0xNTA3MTcxNDEyNTZaMFIxCzAJBgNVBAYTAnVzMRMwEQYDVQQIDApDYWxpZm9ybmlhMRUwEwYDVQQKDAxPbmVsb2dpbiBJbmMxFzAVBgNVBAMMDnNwLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZx+ON4IUoIWxgukTb1tOiX3bMYzYQiwWPUNMp+Fq82xoNogso2bykZG0yiJm5o8zv/sd6pGouayMgkx/2FSOdc36T0jGbCHuRSbtia0PEzNIRtmViMrt3AeoWBidRXmZsxCNLwgIV6dn2WpuE5Az0bHgpZnQxTKFek0BMKU/d8wIDAQABo1AwTjAdBgNVHQ4EFgQUGHxYqZYyX7cTxKVODVgZwSTdCnwwHwYDVR0jBBgwFoAUGHxYqZYyX7cTxKVODVgZwSTdCnwwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQByFOl+hMFICbd3DJfnp2Rgd/dqttsZG/tyhILWvErbio/DEe98mXpowhTkC04ENprOyXi7ZbUqiicF89uAGyt1oqgTUCD1VsLahqIcmrzgumNyTwLGWo17WDAa1/usDhetWAMhgzF/Cnf5ek0nK00m0YZGyc4LzgD0CROMASTWNg=="));
        try {
            X509Certificate x509Certificate = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(byteArrayInputStream);
            byteArrayInputStream.close();
            Assert.assertNotNull(x509Certificate);
            PublicKey publicKey = x509Certificate.getPublicKey();
            String str = "SAMLRequest=" + URLEncoder.encode(deflateAndEncode, StandardCharsets.UTF_8) + "&RelayState=" + URLEncoder.encode("http://sp.example.com/relaystate", StandardCharsets.UTF_8) + "&SigAlg=" + URLEncoder.encode(Algorithm.RS1.uri, StandardCharsets.UTF_8) + "&Signature=" + URLEncoder.encode(readString, StandardCharsets.UTF_8);
            boolean z = false;
            DefaultSAMLv2Service defaultSAMLv2Service = new DefaultSAMLv2Service();
            LogoutResponse parseLogoutResponseRedirectBinding = binding == Binding.HTTP_Redirect ? defaultSAMLv2Service.parseLogoutResponseRedirectBinding(str, logoutResponse -> {
                return new TestRedirectBindingSignatureHelper(publicKey, z);
            }) : defaultSAMLv2Service.parseLogoutResponsePostBinding(deflateAndEncode, logoutResponse2 -> {
                return new TestPostBindingSignatureHelper(KeySelector.singletonKeySelector(publicKey), z);
            });
            Assert.assertEquals(parseLogoutResponseRedirectBinding.id, binding == Binding.HTTP_Redirect ? "_6c3737282f007720e736f0f4028feed8cb9b40291c" : "pfxe335499f-e73b-80bd-60c4-1628984aed4f");
            Assert.assertEquals(parseLogoutResponseRedirectBinding.issuer, "http://idp.example.com/metadata.php");
            Assert.assertEquals(parseLogoutResponseRedirectBinding.version, "2.0");
            Assert.assertNull(parseLogoutResponseRedirectBinding.inResponseTo);
            Assert.assertNull(parseLogoutResponseRedirectBinding.sessionIndex);
            Assert.assertEquals(parseLogoutResponseRedirectBinding.xml.replace("\r\n", "\n"), new String(readAllBytes, StandardCharsets.UTF_8).replace("\r\n", "\n"));
        } catch (Throwable th) {
            try {
                byteArrayInputStream.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    @Test(dataProvider = "bindings")
    public void roundTripAuthnRequest(Binding binding) throws Exception {
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
        keyPairGenerator.initialize(2048);
        KeyPair generateKeyPair = keyPairGenerator.generateKeyPair();
        AuthenticationRequest authenticationRequest = new AuthenticationRequest();
        authenticationRequest.id = "foobarbaz";
        authenticationRequest.issuer = "https://local.fusionauth.io";
        DefaultSAMLv2Service defaultSAMLv2Service = new DefaultSAMLv2Service();
        String buildRedirectAuthnRequest = binding == Binding.HTTP_Redirect ? defaultSAMLv2Service.buildRedirectAuthnRequest(authenticationRequest, "Relay-State-String", true, generateKeyPair.getPrivate(), Algorithm.RS256) : defaultSAMLv2Service.buildPostAuthnRequest(authenticationRequest, true, generateKeyPair.getPrivate(), generateX509Certificate(generateKeyPair), Algorithm.RS256, "http://www.w3.org/2001/10/xml-exc-c14n#WithComments");
        AuthenticationRequest parseRequestRedirectBinding = binding == Binding.HTTP_Redirect ? defaultSAMLv2Service.parseRequestRedirectBinding(buildRedirectAuthnRequest, authenticationRequest2 -> {
            return new TestRedirectBindingSignatureHelper(generateKeyPair.getPublic(), true);
        }) : defaultSAMLv2Service.parseRequestPostBinding(buildRedirectAuthnRequest, authenticationRequest3 -> {
            return new TestPostBindingSignatureHelper(KeySelector.singletonKeySelector(generateKeyPair.getPublic()), true);
        });
        Assert.assertEquals(parseRequestRedirectBinding.id, "foobarbaz");
        Assert.assertEquals(parseRequestRedirectBinding.issuer, "https://local.fusionauth.io");
        Assert.assertEquals(parseRequestRedirectBinding.nameIdFormat, NameIDFormat.EmailAddress.toSAMLFormat());
        Assert.assertEquals(parseRequestRedirectBinding.version, "2.0");
    }

    @Test(dataProvider = "signatureLocation")
    public void roundTripResponseSignedAssertion(SignatureLocation signatureLocation, boolean z) throws Exception {
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
        keyPairGenerator.initialize(2048);
        KeyPair generateKeyPair = keyPairGenerator.generateKeyPair();
        String str = new String(Files.readAllBytes(Paths.get("src/test/xml/encodedResponse.txt", new String[0])));
        DefaultSAMLv2Service defaultSAMLv2Service = new DefaultSAMLv2Service();
        String buildAuthnResponse = defaultSAMLv2Service.buildAuthnResponse(defaultSAMLv2Service.parseResponse(str, false, (KeySelector) null), true, generateKeyPair.getPrivate(), CertificateTools.fromKeyPair(generateKeyPair, Algorithm.RS256, "FooBar"), Algorithm.RS256, "http://www.w3.org/2001/10/xml-exc-c14n#WithComments", signatureLocation, z);
        AuthenticationResponse parseResponse = defaultSAMLv2Service.parseResponse(buildAuthnResponse, true, new TestKeySelector(generateKeyPair.getPublic()));
        Node item = parseDocument(buildAuthnResponse).getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Signature").item(0);
        if (signatureLocation == SignatureLocation.Assertion) {
            Assert.assertEquals(item.getPreviousSibling().getLocalName(), "Issuer");
            Assert.assertEquals(item.getNextSibling().getLocalName(), "Subject");
            Assert.assertEquals(item.getParentNode().getLocalName(), "Assertion");
        } else {
            Assert.assertEquals(item.getParentNode().getLocalName(), "Response");
            Assert.assertEquals(item.getPreviousSibling().getLocalName(), "Issuer");
        }
        Assert.assertEquals(parseResponse.destination, "https://local.fusionauth.io/oauth2/callback");
        Assert.assertTrue(parseResponse.assertion.conditions.notBefore.isBefore(ZonedDateTime.now(ZoneOffset.UTC)));
        Assert.assertTrue(ZonedDateTime.now(ZoneOffset.UTC).isAfter(parseResponse.assertion.conditions.notOnOrAfter));
        Assert.assertTrue(parseResponse.issueInstant.isBefore(ZonedDateTime.now(ZoneOffset.UTC)));
        Assert.assertEquals(parseResponse.issuer, "https://sts.windows.net/c2150111-3c44-4508-9f08-790cb4032a23/");
        Assert.assertEquals(parseResponse.status.code, ResponseStatus.Success);
        Assert.assertEquals((String) ((List) parseResponse.assertion.attributes.get("http://schemas.microsoft.com/identity/claims/displayname")).get(0), "Brian Pontarelli");
        Assert.assertEquals((String) ((List) parseResponse.assertion.attributes.get("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname")).get(0), "Brian");
        Assert.assertEquals((String) ((List) parseResponse.assertion.attributes.get("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname")).get(0), "Pontarelli");
        Assert.assertEquals((String) ((List) parseResponse.assertion.attributes.get("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress")).get(0), "brian@inversoft.com");
        Assert.assertNotNull(parseResponse.assertion.subject.nameIDs);
        Assert.assertEquals(parseResponse.assertion.subject.nameIDs.size(), 1);
        Assert.assertEquals(((NameID) parseResponse.assertion.subject.nameIDs.get(0)).format, NameIDFormat.EmailAddress.toSAMLFormat());
    }

    /* JADX WARN: Type inference failed for: r0v1, types: [java.lang.Object[], java.lang.Object[][]] */
    @DataProvider(name = "signatureLocation")
    public Object[][] signatureLocation() {
        return new Object[]{new Object[]{SignatureLocation.Assertion, true}, new Object[]{SignatureLocation.Assertion, false}, new Object[]{SignatureLocation.Response, true}, new Object[]{SignatureLocation.Response, false}};
    }

    @Test
    public void variousURLEncoding_SignatureVerification() throws Exception {
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
        keyPairGenerator.initialize(2048);
        KeyPair generateKeyPair = keyPairGenerator.generateKeyPair();
        AuthenticationRequest authenticationRequest = new AuthenticationRequest();
        authenticationRequest.id = "foobarbaz";
        authenticationRequest.issuer = "https://local.fusionauth.io";
        MockDefaultSAMLv2Service mockDefaultSAMLv2Service = new MockDefaultSAMLv2Service();
        AuthenticationRequest parseRequestRedirectBinding = mockDefaultSAMLv2Service.parseRequestRedirectBinding(mockDefaultSAMLv2Service.buildRedirectAuthnRequest(authenticationRequest, "Relay-State-String", true, generateKeyPair.getPrivate(), Algorithm.RS256), authenticationRequest2 -> {
            return new TestRedirectBindingSignatureHelper(generateKeyPair.getPublic(), true);
        });
        Assert.assertEquals(parseRequestRedirectBinding.id, "foobarbaz");
        Assert.assertEquals(parseRequestRedirectBinding.issuer, "https://local.fusionauth.io");
        Assert.assertEquals(parseRequestRedirectBinding.nameIdFormat, NameIDFormat.EmailAddress.toSAMLFormat());
        Assert.assertEquals(parseRequestRedirectBinding.version, "2.0");
        mockDefaultSAMLv2Service.lowerCaseURLEncoding = true;
        AuthenticationRequest parseRequestRedirectBinding2 = mockDefaultSAMLv2Service.parseRequestRedirectBinding(mockDefaultSAMLv2Service.buildRedirectAuthnRequest(parseRequestRedirectBinding, "Relay-State-String", true, generateKeyPair.getPrivate(), Algorithm.RS256), authenticationRequest22 -> {
            return new TestRedirectBindingSignatureHelper(generateKeyPair.getPublic(), true);
        });
        Assert.assertEquals(parseRequestRedirectBinding2.id, "foobarbaz");
        Assert.assertEquals(parseRequestRedirectBinding2.issuer, "https://local.fusionauth.io");
        Assert.assertEquals(parseRequestRedirectBinding2.nameIdFormat, NameIDFormat.EmailAddress.toSAMLFormat());
        Assert.assertEquals(parseRequestRedirectBinding2.version, "2.0");
    }

    private X509Certificate generateX509Certificate(KeyPair keyPair) throws IllegalArgumentException {
        try {
            ZonedDateTime now = ZonedDateTime.now(ZoneOffset.UTC);
            X509CertInfo x509CertInfo = new X509CertInfo();
            x509CertInfo.set("key", new CertificateX509Key(keyPair.getPublic()));
            x509CertInfo.set("version", new CertificateVersion(1));
            x509CertInfo.set("algorithmID", new CertificateAlgorithmId(new AlgorithmId(ObjectIdentifier.of(KnownOIDs.SHA256withRSA))));
            x509CertInfo.set("issuer", new X500Name("CN=FusionAuth"));
            x509CertInfo.set("subject", new X500Name("CN=FusionAuth"));
            x509CertInfo.set("validity", new CertificateValidity(Date.from(now.toInstant()), Date.from(now.plusYears(10L).toInstant())));
            x509CertInfo.set("serialNumber", new CertificateSerialNumber(new BigInteger(UUID.randomUUID().toString().replace("-", ""), 16)));
            X509CertImpl x509CertImpl = new X509CertImpl(x509CertInfo);
            x509CertImpl.sign(keyPair.getPrivate(), "SHA256withRSA");
            return x509CertImpl;
        } catch (Exception e) {
            throw new IllegalArgumentException(e);
        }
    }

    private Document parseDocument(String str) throws ParserConfigurationException {
        byte[] decode = Base64.getMimeDecoder().decode(str);
        DocumentBuilderFactory newInstance = DocumentBuilderFactory.newInstance();
        newInstance.setExpandEntityReferences(false);
        newInstance.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true);
        newInstance.setNamespaceAware(true);
        try {
            return newInstance.newDocumentBuilder().parse(new ByteArrayInputStream(decode));
        } catch (IOException | ParserConfigurationException | SAXException e) {
            throw new RuntimeException(e);
        }
    }
}
