package org.keycloak.testsuite.composites;

import java.util.Collections;
import java.util.LinkedList;
import java.util.List;
import org.jboss.arquillian.graphene.page.Page;
import org.junit.Before;
import org.junit.Test;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.RoleResource;
import org.keycloak.admin.client.resource.UserResource;
import org.keycloak.common.enums.SslRequired;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.testsuite.Assert;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.pages.LoginPage;
import org.keycloak.testsuite.saml.AbstractSamlTest;
import org.keycloak.testsuite.saml.ConcurrentAuthnRequestTest;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.testsuite.util.RoleBuilder;
import org.keycloak.testsuite.util.RolesBuilder;
import org.keycloak.testsuite.util.UserBuilder;

/* loaded from: input_file:org/keycloak/testsuite/composites/CompositeRoleTest.class */
public class CompositeRoleTest extends AbstractCompositeKeycloakTest {

    // Login page object supplied through the @Page annotation. No method in this
    // class references it directly; the login flows below go through the inherited
    // oauth helper instead.
    @Page
    protected LoginPage loginPage;

    /**
     * Builds the {@code test} realm that every test in this class logs in against and
     * appends it to {@code list}.
     *
     * <p>The fixture contains three plain realm roles, one composite realm role
     * ({@code REALM_COMPOSITE_1}, containing {@code REALM_ROLE_1}), four clients and five
     * users. Every client is created with {@code fullScopeEnabled(false)}, so the roles
     * the tests expect in a token depend on the scope mappings added later in
     * {@link #before()}.
     *
     * <p>All user passwords and client secrets are the literal {@code "password"}, and the
     * redirect URIs are localhost wildcards. These are test-fixture values only.
     *
     * @param list collection of realm representations this realm is added to
     */
    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void addTestRealms(List<RealmRepresentation> list) {
        final String redirectHttp = "http://localhost:8180/auth/realms/master/app/*";
        final String redirectHttps = "https://localhost:8543/auth/realms/master/app/*";
        final String baseUrl = "http://localhost:8180/auth/realms/master/app/auth";
        final String adminUrl = "http://localhost:8180/auth/realms/master/app/logout";

        // Realm key pair comes from the SAML test fixtures (AbstractSamlTest constants).
        // NOTE(review): both lifespans reference ConcurrentAuthnRequestTest.ITERATIONS, which
        // looks like a decompiler substituting an unrelated constant of equal value for a
        // numeric literal. Confirm against the original source.
        RealmBuilder realm = RealmBuilder.create()
                .name("test")
                .publicKey(AbstractSamlTest.REALM_PUBLIC_KEY)
                .privateKey(AbstractSamlTest.REALM_PRIVATE_KEY)
                .ssoSessionIdleTimeout(3000)
                .accessTokenLifespan(ConcurrentAuthnRequestTest.ITERATIONS)
                .ssoSessionMaxLifespan(ConcurrentAuthnRequestTest.ITERATIONS)
                .accessCodeLifespanUserAction(1000)
                .accessCodeLifespan(1000)
                .sslRequired(SslRequired.EXTERNAL.toString());

        // Realm roles: REALM_COMPOSITE_1 is a composite whose only member is REALM_ROLE_1.
        RoleRepresentation realmRole1 = RoleBuilder.create().name("REALM_ROLE_1").build();
        RoleRepresentation realmComposite1 = RoleBuilder.create()
                .name("REALM_COMPOSITE_1")
                .composite()
                .realmComposite(realmRole1)
                .build();
        RoleRepresentation realmRole2 = RoleBuilder.create().name("REALM_ROLE_2").build();
        RoleRepresentation realmRole3 = RoleBuilder.create().name("REALM_ROLE_3").build();
        realm.roles(RolesBuilder.create()
                .realmRole(realmRole1)
                .realmRole(realmRole2)
                .realmRole(realmRole3)
                .realmRole(realmComposite1));

        // One user holding the composite and one holding only its member role.
        realm.user(UserBuilder.create()
                .username("REALM_COMPOSITE_1_USER")
                .enabled(true)
                .password("password")
                .addRoles(realmComposite1.getName()));
        realm.user(UserBuilder.create()
                .username("REALM_ROLE_1_USER")
                .enabled(true)
                .password("password")
                .addRoles(realmRole1.getName()));

        // Clients are restricted-scope (full scope disabled); their scope mappings are
        // attached in before().
        realm.client(ClientBuilder.create()
                .clientId("REALM_COMPOSITE_1_APPLICATION")
                .name("REALM_COMPOSITE_1_APPLICATION")
                .fullScopeEnabled(Boolean.FALSE)
                .redirectUris(redirectHttp, redirectHttps)
                .baseUrl(baseUrl)
                .adminUrl(adminUrl)
                .secret("password"));
        realm.client(ClientBuilder.create()
                .clientId("REALM_ROLE_1_APPLICATION")
                .name("REALM_ROLE_1_APPLICATION")
                .fullScopeEnabled(Boolean.FALSE)
                .redirectUris(redirectHttp, redirectHttps)
                .baseUrl(baseUrl)
                .adminUrl(adminUrl)
                .secret("password"));
        realm.client(ClientBuilder.create()
                .clientId("APP_ROLE_APPLICATION")
                .name("APP_ROLE_APPLICATION")
                .fullScopeEnabled(Boolean.FALSE)
                .redirectUris(redirectHttp, redirectHttps)
                .baseUrl(baseUrl)
                .adminUrl(adminUrl)
                .defaultRoles("APP_ROLE_1", "APP_ROLE_2")
                .secret("password"));

        realm.user(UserBuilder.create().username("REALM_APP_COMPOSITE_USER").password("password"));
        realm.user(UserBuilder.create()
                .username("REALM_APP_ROLE_USER")
                .password("password")
                .addRoles("APP_ROLE_2"));

        realm.client(ClientBuilder.create()
                .clientId("APP_COMPOSITE_APPLICATION")
                .name("APP_COMPOSITE_APPLICATION")
                .fullScopeEnabled(Boolean.FALSE)
                .defaultRoles("APP_COMPOSITE_ROLE")
                .redirectUris(redirectHttp, redirectHttps)
                .baseUrl(baseUrl)
                .adminUrl(adminUrl)
                .secret("password"));
        realm.user(UserBuilder.create()
                .username("APP_COMPOSITE_USER")
                .password("password")
                .addRoles("REALM_COMPOSITE_1"));

        list.add(realm.build());
    }

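    /**
     * Completes the realm fixture through the admin API, once per test context.
     *
     * <p>Adds the scope mappings that the restricted-scope clients rely on, creates
     * {@code REALM_APP_COMPOSITE_ROLE} (a realm composite containing the client role
     * {@code APP_ROLE_1}), grants it to two users, and turns the client role
     * {@code APP_COMPOSITE_ROLE} into a composite of three realm roles plus
     * {@code APP_ROLE_1}. The test context is marked initialized only after every step
     * has succeeded.
     */
    @Before
    public void before() {
        if (this.testContext.isInitialized()) {
            return;
        }

        // Scope mappings: which roles each client may receive in its tokens.
        addRealmLevelScopeMapping("REALM_COMPOSITE_1_APPLICATION", "REALM_COMPOSITE_1");
        addRealmLevelScopeMapping("REALM_ROLE_1_APPLICATION", "REALM_ROLE_1");
        addClientLevelScopeMapping("APP_COMPOSITE_APPLICATION", "APP_ROLE_APPLICATION", "APP_ROLE_2");

        // Looked up once and reused for both composites below.
        RoleResource appRole1 = ApiUtil.findClientByClientId(testRealm(), "APP_ROLE_APPLICATION").roles().get("APP_ROLE_1");

        // Realm-level composite that pulls in a client-level role.
        testRealm().roles().create(RoleBuilder.create().name("REALM_APP_COMPOSITE_ROLE").build());
        String realmAppCompositeId = testRealm().roles().get("REALM_APP_COMPOSITE_ROLE").toRepresentation().getId();
        testRealm().rolesById().addComposites(realmAppCompositeId, Collections.singletonList(appRole1.toRepresentation()));

        // Re-read after the composite was attached, then grant it to both users.
        RoleRepresentation realmAppComposite = testRealm().roles().get("REALM_APP_COMPOSITE_ROLE").toRepresentation();
        List<RoleRepresentation> realmAppCompositeGrant = Collections.singletonList(realmAppComposite);
        ApiUtil.findUserByUsernameId(testRealm(), "REALM_APP_COMPOSITE_USER").roles().realmLevel().add(realmAppCompositeGrant);
        ApiUtil.findUserByUsernameId(testRealm(), "APP_COMPOSITE_USER").roles().realmLevel().add(realmAppCompositeGrant);

        // Client-level composite spanning realm roles and another client's role.
        RoleResource appCompositeRole = ApiUtil.findClientByClientId(testRealm(), "APP_COMPOSITE_APPLICATION").roles().get("APP_COMPOSITE_ROLE");
        List<RoleRepresentation> members = new LinkedList<>();
        members.add(testRealm().roles().get("REALM_ROLE_1").toRepresentation());
        members.add(testRealm().roles().get("REALM_ROLE_2").toRepresentation());
        members.add(testRealm().roles().get("REALM_ROLE_3").toRepresentation());
        members.add(appRole1.toRepresentation());
        appCompositeRole.addComposites(members);

        this.testContext.setInitialized(true);
    }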

    /**
     * Adds one realm role to a client's realm-level scope mappings.
     *
     * @param clientId client whose scope is extended
     * @param roleName name of the realm role to add to that scope
     */
    private void addRealmLevelScopeMapping(String clientId, String roleName) {
        ClientResource client = ApiUtil.findClientByClientId(testRealm(), clientId);
        RoleRepresentation realmRole = testRealm().roles().get(roleName).toRepresentation();
        client.getScopeMappings().realmLevel().add(Collections.singletonList(realmRole));
    }

    /**
     * Adds a role owned by one client to another client's client-level scope mappings.
     *
     * @param targetClientId client whose scope is extended
     * @param roleOwnerClientId client that owns the role being mapped
     * @param roleName name of the role, looked up on the owning client
     */
    private void addClientLevelScopeMapping(String targetClientId, String roleOwnerClientId, String roleName) {
        ClientResource target = ApiUtil.findClientByClientId(testRealm(), targetClientId);
        ClientResource roleOwner = ApiUtil.findClientByClientId(testRealm(), roleOwnerClientId);
        // The mapping is keyed by the owning client's internal id, not its clientId string.
        String roleOwnerId = roleOwner.toRepresentation().getId();
        RoleRepresentation clientRole = roleOwner.roles().get(roleName).toRepresentation();
        target.getScopeMappings().clientLevel(roleOwnerId).add(Collections.singletonList(clientRole));
    }

    /**
     * Logs {@code APP_COMPOSITE_USER} into {@code APP_COMPOSITE_APPLICATION} and checks
     * the exact role set carried by the access token.
     *
     * <p>The counts are asserted as well as the names: the token must hold exactly one
     * role for {@code APP_ROLE_APPLICATION} ({@code APP_ROLE_1}) and exactly one realm
     * role ({@code REALM_ROLE_1}), so any extra role leaking into the token fails the
     * test.
     */
    @Test
    public void testAppCompositeUser() throws Exception {
        oauth.realm("test");
        oauth.clientId("APP_COMPOSITE_APPLICATION");
        oauth.doLogin("APP_COMPOSITE_USER", "password");

        // Exchange the authorization code; the second argument is presumably the client secret.
        String code = (String) oauth.getCurrentQuery().get("code");
        OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "password");
        Assert.assertEquals(200L, tokenResponse.getStatusCode());
        Assert.assertEquals("Bearer", tokenResponse.getTokenType());

        AccessToken token = oauth.verifyToken(tokenResponse.getAccessToken());
        Assert.assertEquals(getUserId("APP_COMPOSITE_USER"), token.getSubject());

        // Exact-size checks guard against roles outside the client's scope appearing in the token.
        Assert.assertEquals(1L, token.getResourceAccess("APP_ROLE_APPLICATION").getRoles().size());
        Assert.assertEquals(1L, token.getRealmAccess().getRoles().size());
        Assert.assertTrue(token.getResourceAccess("APP_ROLE_APPLICATION").isUserInRole("APP_ROLE_1"));
        Assert.assertTrue(token.getRealmAccess().isUserInRole("REALM_ROLE_1"));

        // The refresh token issued alongside must be usable as well.
        Assert.assertEquals(
                200L,
                oauth.doRefreshTokenRequest(tokenResponse.getRefreshToken(), "password").getStatusCode());
    }

    /**
     * Logs {@code REALM_APP_COMPOSITE_USER} into {@code APP_ROLE_APPLICATION} and checks
     * that the token carries exactly one role for that client, {@code APP_ROLE_1}.
     *
     * <p>The user receives {@code REALM_APP_COMPOSITE_ROLE} in {@link #before()}, a realm
     * composite containing {@code APP_ROLE_1}. The test therefore covers a client role
     * reached through a realm-level composite.
     */
    @Test
    public void testRealmAppCompositeUser() throws Exception {
        oauth.realm("test");
        oauth.clientId("APP_ROLE_APPLICATION");
        oauth.doLogin("REALM_APP_COMPOSITE_USER", "password");

        String code = (String) oauth.getCurrentQuery().get("code");
        OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "password");
        Assert.assertEquals(200L, tokenResponse.getStatusCode());
        Assert.assertEquals("Bearer", tokenResponse.getTokenType());

        AccessToken token = oauth.verifyToken(tokenResponse.getAccessToken());
        Assert.assertEquals(getUserId("REALM_APP_COMPOSITE_USER"), token.getSubject());

        // Exactly one client role, and it is the one contained in the composite.
        Assert.assertEquals(1L, token.getResourceAccess("APP_ROLE_APPLICATION").getRoles().size());
        Assert.assertTrue(token.getResourceAccess("APP_ROLE_APPLICATION").isUserInRole("APP_ROLE_1"));

        Assert.assertEquals(
                200L,
                oauth.doRefreshTokenRequest(tokenResponse.getRefreshToken(), "password").getStatusCode());
    }

    /**
     * User holds the composite and the client is scoped to the composite: the token must
     * carry exactly two realm roles, {@code REALM_COMPOSITE_1} and its member
     * {@code REALM_ROLE_1}.
     */
    @Test
    public void testRealmOnlyWithUserCompositeAppComposite() throws Exception {
        oauth.realm("test");
        oauth.clientId("REALM_COMPOSITE_1_APPLICATION");
        oauth.doLogin("REALM_COMPOSITE_1_USER", "password");

        String code = (String) oauth.getCurrentQuery().get("code");
        OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "password");
        Assert.assertEquals(200L, tokenResponse.getStatusCode());
        Assert.assertEquals("Bearer", tokenResponse.getTokenType());

        AccessToken token = oauth.verifyToken(tokenResponse.getAccessToken());
        Assert.assertEquals(getUserId("REALM_COMPOSITE_1_USER"), token.getSubject());

        // Composite plus its expanded member, and nothing else.
        Assert.assertEquals(2L, token.getRealmAccess().getRoles().size());
        Assert.assertTrue(token.getRealmAccess().isUserInRole("REALM_COMPOSITE_1"));
        Assert.assertTrue(token.getRealmAccess().isUserInRole("REALM_ROLE_1"));

        Assert.assertEquals(
                200L,
                oauth.doRefreshTokenRequest(tokenResponse.getRefreshToken(), "password").getStatusCode());
    }

    /**
     * User holds the composite but the client is scoped only to the member role: the
     * token must carry exactly one realm role, {@code REALM_ROLE_1}.
     *
     * <p>This is the least-privilege case. {@code REALM_COMPOSITE_1} is granted to the
     * user but is not in {@code REALM_ROLE_1_APPLICATION}'s scope mappings, so the size
     * assertion fails if it is issued in the token anyway.
     */
    @Test
    public void testRealmOnlyWithUserCompositeAppRole() throws Exception {
        oauth.realm("test");
        oauth.clientId("REALM_ROLE_1_APPLICATION");
        oauth.doLogin("REALM_COMPOSITE_1_USER", "password");

        String code = (String) oauth.getCurrentQuery().get("code");
        OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "password");
        Assert.assertEquals(200L, tokenResponse.getStatusCode());
        Assert.assertEquals("Bearer", tokenResponse.getTokenType());

        AccessToken token = oauth.verifyToken(tokenResponse.getAccessToken());
        Assert.assertEquals(getUserId("REALM_COMPOSITE_1_USER"), token.getSubject());

        // Only the in-scope member role; the composite itself must be absent.
        Assert.assertEquals(1L, token.getRealmAccess().getRoles().size());
        Assert.assertTrue(token.getRealmAccess().isUserInRole("REALM_ROLE_1"));

        Assert.assertEquals(
                200L,
                oauth.doRefreshTokenRequest(tokenResponse.getRefreshToken(), "password").getStatusCode());
    }

    /**
     * User holds only the member role while the client is scoped to the composite: the
     * token must carry exactly one realm role, {@code REALM_ROLE_1}.
     *
     * <p>A client's scope mapping must not hand a user roles they were never granted.
     * {@code REALM_COMPOSITE_1} is in the client's scope but not assigned to
     * {@code REALM_ROLE_1_USER}, so it must not appear in the token.
     */
    @Test
    public void testRealmOnlyWithUserRoleAppComposite() throws Exception {
        oauth.realm("test");
        oauth.clientId("REALM_COMPOSITE_1_APPLICATION");
        oauth.doLogin("REALM_ROLE_1_USER", "password");

        String code = (String) oauth.getCurrentQuery().get("code");
        OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "password");
        Assert.assertEquals(200L, tokenResponse.getStatusCode());
        Assert.assertEquals("Bearer", tokenResponse.getTokenType());

        AccessToken token = oauth.verifyToken(tokenResponse.getAccessToken());
        Assert.assertEquals(getUserId("REALM_ROLE_1_USER"), token.getSubject());

        // Only the role the user actually holds.
        Assert.assertEquals(1L, token.getRealmAccess().getRoles().size());
        Assert.assertTrue(token.getRealmAccess().isUserInRole("REALM_ROLE_1"));

        Assert.assertEquals(
                200L,
                oauth.doRefreshTokenRequest(tokenResponse.getRefreshToken(), "password").getStatusCode());
    }

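    /**
     * Makes {@code REALM_ROLE_1} and {@code REALM_COMPOSITE_1} contain each other and
     * checks that effective-role listing still returns exactly those two roles for both
     * users.
     *
     * <p>{@code REALM_COMPOSITE_1} already contains {@code REALM_ROLE_1}; adding the
     * reverse edge creates a cycle. While it exists, {@code REALM_ROLE_1_USER} (assigned
     * only {@code REALM_ROLE_1}) effectively holds {@code REALM_COMPOSITE_1} too. The
     * reverse edge is removed in a {@code finally} block so that a failed assertion
     * cannot leave the cycle in the shared realm, where it would change the role sets
     * the other tests count.
     */
    @Test
    public void testRecursiveComposites() throws Exception {
        RoleRepresentation composite = testRealm().roles().get("REALM_COMPOSITE_1").toRepresentation();
        List<RoleRepresentation> reverseEdge = Collections.singletonList(composite);

        testRealm().roles().get("REALM_ROLE_1").addComposites(reverseEdge);
        try {
            Assert.assertNames(
                    ApiUtil.findUserByUsernameId(testRealm(), "REALM_COMPOSITE_1_USER").roles().realmLevel().listEffective(),
                    "REALM_COMPOSITE_1", "REALM_ROLE_1");
            Assert.assertNames(
                    ApiUtil.findUserByUsernameId(testRealm(), "REALM_ROLE_1_USER").roles().realmLevel().listEffective(),
                    "REALM_COMPOSITE_1", "REALM_ROLE_1");
        } finally {
            // Always undo the cycle, even when an assertion above fails.
            testRealm().roles().get("REALM_ROLE_1").deleteComposites(reverseEdge);
        }
    }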
}
