;; webid-oidc, implementation of the Solid specification
;; Copyright (C) 2021  Vivien Kraus

;; This program is free software: you can redistribute it and/or modify
;; it under the terms of the GNU Affero General Public License as
;; published by the Free Software Foundation, either version 3 of the
;; License, or (at your option) any later version.

;; This program is distributed in the hope that it will be useful,
;; but WITHOUT ANY WARRANTY; without even the implied warranty of
;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;; GNU Affero General Public License for more details.

;; You should have received a copy of the GNU Affero General Public License
;; along with this program.  If not, see <https://www.gnu.org/licenses/>.

(use-modules (webid-oidc dpop-proof)
             (webid-oidc access-token)
             (webid-oidc jti)
             (webid-oidc jwk)
             (webid-oidc testing)
             (webid-oidc errors)
             ((webid-oidc stubs) #:prefix stubs:)
             (web uri)
             (srfi srfi-19)
             (web response))

(with-test-environment
 "dpop-proof-invalid-ath"
 (lambda ()
   (define jwk (generate-key #:n-size 2048))
   (define idp-key (generate-key #:n-size 2048))
   (define cnf (jkt jwk))
   (define blacklist (make-jti-list))
   (define access-token
     (issue-access-token
      idp-key
      #:alg 'RS256
      #:webid "https://data.provider/subject"
      #:iss "https://identity.provider"
      #:iat 10
      #:exp 3610
      #:client-key jwk
      #:client-id "https://client"))
   (define proof
     (issue-dpop-proof
      jwk
      #:alg 'RS256
      #:htm 'GET
      #:htu (string->uri "https://example.com/res?query")
      #:iat (time-utc->date (make-time time-utc 0 0))
      #:access-token "aaaaaaaaaaaaaaa"))
   (with-exception-handler
       (lambda (error)
         (let ((cause
                ((record-accessor &cannot-decode-dpop-proof 'cause) error)))
           (unless (dpop-invalid-access-token-hash? cause)
             (raise-exception error))
           (unless (and (equal? (dpop-invalid-access-token-hash-hash cause)
                                (stubs:hash 'SHA-256 "aaaaaaaaaaaaaaa"))
                        (equal? (dpop-invalid-access-token-hash-access-token cause) access-token))
             (exit 1))))
     (lambda ()
       (dpop-proof-decode (time-utc->date (make-time time-utc 0 10))
                          blacklist
                          'GET
                          (string->uri "https://example.com/res?query")
                          proof
                          cnf
                          #:access-token access-token)
       (exit 2))
     #:unwind? #t
     #:unwind-for-type &cannot-decode-dpop-proof)))