;; webid-oidc, implementation of the Solid specification
;; Copyright (C) 2020, 2021  Vivien Kraus

;; This program is free software: you can redistribute it and/or modify
;; it under the terms of the GNU Affero General Public License as
;; published by the Free Software Foundation, either version 3 of the
;; License, or (at your option) any later version.

;; This program is distributed in the hope that it will be useful,
;; but WITHOUT ANY WARRANTY; without even the implied warranty of
;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;; GNU Affero General Public License for more details.

;; You should have received a copy of the GNU Affero General Public License
;; along with this program.  If not, see <https://www.gnu.org/licenses/>.

(use-modules (webid-oidc oidc-configuration)
             (webid-oidc jwk)
             (webid-oidc cache)
             (webid-oidc testing)
             ((webid-oidc stubs) #:prefix stubs:)
             (web uri)
             (web response)
             (srfi srfi-19)
             (ice-9 receive))

(with-test-environment
 "jwks-get"
 (lambda ()
   (define* (respond uri #:key (headers '()))
     (unless (null? headers)
       (exit 1))
     (when (string? uri)
       (set! uri (string->uri uri)))
     (cond
      ((string=? (uri->string uri) "https://example.com/keys")
       (values
        (build-response #:headers `((expires . ,(time-utc->date (make-time time-utc 0 10)))
                                    (content-type application/json)))
        "{
  \"keys\": [
    {
      \"e\": \"AQAB\",
      \"use\": \"sig\",
      \"kid\": \"dedc012d07f52aedfd5f97784e1bcbe23c19724d\",
      \"n\": \"sV158-MQ-5-sP2iTJibiMap1ug8tNY97laOud3Se_3jd4INq36NwhLpgU3FC5SCfJOs9wehTLzv_hBuo-sW0JNjAEtMEE-SDtx5486gjymDR-5Iwv7bgt25tD0cDgiboZLt1RLn-nP-V3zgYHZa_s9zLjpNyArsWWcSh6tWe2R8yW6BqS8l4_9z8jkKeyAwWmdpkY8BtKS0zZ9yljiCxKvs8CKjfHmrayg45sZ8V1-aRcjtR2ECxATHjE8L96_oNddZ-rj2axf2vTmnkx3OvIMgx0tZ0ycMG6Wy8wxxaR5ir2LV3Gkyfh72U7tI8Q1sokPmH6G62JcduNY66jEQlvQ\",
      \"alg\": \"RS256\",
      \"kty\": \"RSA\"
    },
    {
      \"alg\": \"RS256\",
      \"kid\": \"2e3025f26b595f96eac907cc2b9471422bcaeb93\",
      \"e\": \"AQAB\",
      \"use\": \"sig\",
      \"kty\": \"RSA\",
      \"n\": \"syWuIlYmoWSl5rBQGOtYGwO5OCCZnhoWBCyl-x5gby5ofc4HNhBoVVMUggk-f_MH-pyMI5yRYsS_aPQ2bmSox2s4i9cPhxqtSAYMhTPwSwQ2BROC7xxi_N0ovp5Ivut5q8TwAn5kQZa_jR9d7JO20BUB7UqbMkBsqg2J8QTtMJ9YtA5BmUn4Y6vhIjTFtvrA6iM4i1cKoUD5Rirt5CYpcKwsLxBZbVk4E4rqgv7G0UlWt6NAs-z7XDkchlNBVpMUuiUBzxHl4LChc7dsWXRaO5vhu3j_2WnxuWCQZPlGoB51jD_ynZ027hhIcoa_tXg28_qb5Al78ZttiRCQDKueAQ\"
    }
  ]
}
"))
      ((string=? (uri->string uri) "https://example.com/.well-known/openid-configuration")
       (values
        (build-response #:headers `((expires . ,(time-utc->date (make-time time-utc 0 10)))
                                    (content-type application/json)))
        "{
  \"issuer\": \"https://accounts.google.com\",
  \"authorization_endpoint\": \"https://accounts.google.com/o/oauth2/v2/auth\",
  \"device_authorization_endpoint\": \"https://oauth2.googleapis.com/device/code\",
  \"token_endpoint\": \"https://oauth2.googleapis.com/token\",
  \"userinfo_endpoint\": \"https://openidconnect.googleapis.com/v1/userinfo\",
  \"revocation_endpoint\": \"https://oauth2.googleapis.com/revoke\",
  \"jwks_uri\": \"https://example.com/keys\",
  \"response_types_supported\": [
    \"code\",
    \"token\",
    \"id_token\",
    \"code token\",
    \"code id_token\",
    \"token id_token\",
    \"code token id_token\",
    \"none\"
  ],
  \"subject_types_supported\": [
    \"public\"
  ],
  \"id_token_signing_alg_values_supported\": [
    \"RS256\"
  ],
  \"scopes_supported\": [
    \"openid\",
    \"email\",
    \"profile\"
  ],
  \"token_endpoint_auth_methods_supported\": [
    \"client_secret_post\",
    \"client_secret_basic\"
  ],
  \"claims_supported\": [
    \"aud\",
    \"email\",
    \"email_verified\",
    \"exp\",
    \"family_name\",
    \"given_name\",
    \"iat\",
    \"iss\",
    \"locale\",
    \"name\",
    \"picture\",
    \"sub\"
  ],
  \"code_challenge_methods_supported\": [
    \"plain\",
    \"S256\"
  ]
}"))
      (else (exit 2))))
   (define cache-http-get
     (with-cache
      #:http-get respond))
   (define cfg (get-oidc-configuration
                "example.com"
                #:http-get cache-http-get))
   (define jwks (oidc-configuration-jwks 
                 cfg
                 #:http-get cache-http-get))
   (unless (oidc-configuration? cfg)
     (exit 3))
   (unless (jwks? jwks)
     (exit 4))
   (let ((my-oidc (make-oidc-configuration
                   "https://example.com/keys"
                   "https://example.com/authorize"
                   "https://example.com/token")))
     (receive (response response-body)
         (serve-oidc-configuration (time-utc->date (make-time time-utc 0 3600))
                                   my-oidc)
       (unless (eqv? (car (response-content-type response)) 'application/json)
         (exit 5))
       (let ((parsed (stubs:json-string->scm response-body)))
         (unless (oidc-configuration? parsed)
           (exit 6))
         (unless (equal? (assq-ref parsed 'jwks_uri)
                         "https://example.com/keys")
           (exit 7))
         (unless (equal? (assq-ref parsed 'authorization_endpoint)
                         "https://example.com/authorize")
           (exit 8))
         (unless (equal? (assq-ref parsed 'token_endpoint)
                         "https://example.com/token")
           (exit 9))
         (unless (equal? (assq-ref parsed 'solid_oidc_supported)
                         "https://solidproject.org/TR/solid-oidc")
           (exit 10)))))))