package org.keycloak.testsuite.saml;

import java.io.IOException;
import java.util.Collections;
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.ws.rs.core.Response;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.keycloak.dom.saml.v2.assertion.AudienceRestrictionType;
import org.keycloak.dom.saml.v2.protocol.ResponseType;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.ClientScopeRepresentation;
import org.keycloak.representations.idm.ProtocolMapperRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.updaters.ClientAttributeUpdater;
import org.keycloak.testsuite.updaters.ProtocolMappersUpdater;
import org.keycloak.testsuite.updaters.RoleScopeUpdater;
import org.keycloak.testsuite.updaters.UserAttributeUpdater;
import org.keycloak.testsuite.util.Matchers;
import org.keycloak.testsuite.util.SamlClient;
import org.keycloak.testsuite.util.SamlClientBuilder;
import org.keycloak.testsuite.util.ServerURLs;

/* loaded from: input_file:org/keycloak/testsuite/saml/AudienceProtocolMappersTest.class */
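/**
 * Verifies which values end up in the {@code AudienceRestriction} condition of SAML assertions
 * issued for the {@code SAML_CLIENT_ID_EMPLOYEE_2} client under different protocol-mapper setups.
 *
 * <p>The audience restriction names the parties an assertion is intended for, and relying parties
 * are expected to reject assertions that do not name them. Every check here is therefore an exact
 * match ({@code containsInAnyOrder}): an unexpected extra audience fails the test just like a
 * missing one, because an extra audience widens where the assertion would be accepted.
 *
 * <p>This listing was recovered from bytecode. The nested {@code Throwable}/{@code addSuppressed}
 * scaffolding it contained is the compiler's expansion of try-with-resources and has been folded
 * back into that form; the unresolved {@code r1} lambdas are restored as method references.
 */
public class AudienceProtocolMappersTest extends AbstractSamlTest {
    public static final String SAML_ASSERTION_CONSUMER_URL_EMPLOYEE_2 = ServerURLs.AUTH_SERVER_SCHEME + "://localhost:" + (ServerURLs.AUTH_SERVER_SSL_REQUIRED ? ServerURLs.AUTH_SERVER_PORT : 8080) + "/employee2/";

    private static final String AUDIENCE_MAPPER_ID = "saml-audience-mapper";
    private static final String AUDIENCE_RESOLVE_MAPPER_ID = "saml-audience-resolve-mapper";
    private static final String EMPLOYEE_CLIENT_ID = "http://localhost:8280/employee/";
    private static final String EMPLOYEE_ROLE_MAPPING_CLIENT_ID = "http://localhost:8280/employee-role-mapping/";
    private static final String CUSTOM_AUDIENCE = "https://test.com/test";
    private static final String TEST_CLIENT_SCOPE_NAME = "audience-mapper-test-client-scope";

    // Handle on the client's protocol mappers; closed after each test to revert the changes.
    private ProtocolMappersUpdater pmu;

    /** Starts every test from a client that has no protocol mappers configured. */
    @Before
    public void cleanMappersAndScopes() {
        this.pmu = ClientAttributeUpdater.forClient(this.adminClient, AbstractSamlTest.REALM_NAME, AbstractSamlTest.SAML_CLIENT_ID_EMPLOYEE_2)
                .protocolMappers()
                .clear()
                .update();
    }

    /**
     * Reverts the protocol-mapper changes made by the test.
     *
     * @throws IOException if closing the updater fails
     */
    @After
    public void revertCleanMappersAndScopes() throws IOException {
        // JUnit runs @After even when @Before threw; avoid masking that failure with an NPE.
        if (this.pmu != null) {
            this.pmu.close();
        }
    }

    /**
     * Logs in as {@code bburkeUser} through the POST binding and asserts that the first assertion
     * of the successful response carries exactly the given audiences.
     *
     * @param strArr the audience URIs expected in the first {@code AudienceRestriction} condition,
     *               in any order; anything more or less fails the check
     */
    public void testExpectedAudiences(String... strArr) {
        SAMLDocumentHolder samlResponse = new SamlClientBuilder()
                .authnRequest(getAuthServerSamlEndpoint(AbstractSamlTest.REALM_NAME), AbstractSamlTest.SAML_CLIENT_ID_EMPLOYEE_2, SAML_ASSERTION_CONSUMER_URL_EMPLOYEE_2, SamlClient.Binding.POST)
                .build()
                .login().user(this.bburkeUser).build()
                .getSamlResponse(SamlClient.Binding.POST);

        Assert.assertNotNull(samlResponse.getSamlObject());
        Assert.assertThat(samlResponse.getSamlObject(), Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
        Assert.assertNotNull(samlResponse.getSamlObject().getAssertions());
        Assert.assertThat(samlResponse.getSamlObject().getAssertions().size(), org.hamcrest.Matchers.greaterThan(0));
        Assert.assertNotNull(samlResponse.getSamlObject().getAssertions().get(0));

        ResponseType.RTChoiceType firstChoice = (ResponseType.RTChoiceType) samlResponse.getSamlObject().getAssertions().get(0);
        Assert.assertNotNull(firstChoice.getAssertion());

        // Only the first audience restriction among the conditions is inspected.
        AudienceRestrictionType audienceRestrictionType = firstChoice.getAssertion().getConditions().getConditions().stream()
                .filter(AudienceRestrictionType.class::isInstance)
                .map(AudienceRestrictionType.class::cast)
                .findFirst()
                .orElse(null);
        Assert.assertNotNull(audienceRestrictionType);
        Assert.assertNotNull(audienceRestrictionType.getAudience());

        List<String> actualAudiences = audienceRestrictionType.getAudience().stream()
                .map(Object::toString)
                .collect(Collectors.toList());
        Assert.assertThat(actualAudiences, org.hamcrest.Matchers.containsInAnyOrder(strArr));
    }

    /** With no mappers configured, the only audience is the requesting client itself. */
    @Test
    public void testDefaultAudience() throws Exception {
        testExpectedAudiences(AbstractSamlTest.SAML_CLIENT_ID_EMPLOYEE_2);
    }

    /** A custom audience configured on the audience mapper is added next to the client's own id. */
    @Test
    public void testCustomAudience() throws Exception {
        this.pmu.add(new ProtocolMapperRepresentation[]{
                RoleMapperTest.createSamlProtocolMapper(AUDIENCE_MAPPER_ID, "included.custom.audience", CUSTOM_AUDIENCE)
        }).update();
        testExpectedAudiences(AbstractSamlTest.SAML_CLIENT_ID_EMPLOYEE_2, CUSTOM_AUDIENCE);
    }

    /** A client audience configured on the audience mapper is added next to the client's own id. */
    @Test
    public void testClientAudience() throws Exception {
        this.pmu.add(new ProtocolMapperRepresentation[]{
                RoleMapperTest.createSamlProtocolMapper(AUDIENCE_MAPPER_ID, "included.client.audience", AbstractSamlTest.SAML_CLIENT_ID_SALES_POST)
        }).update();
        testExpectedAudiences(AbstractSamlTest.SAML_CLIENT_ID_EMPLOYEE_2, AbstractSamlTest.SAML_CLIENT_ID_SALES_POST);
    }

    /**
     * When one mapper carries both a client audience and a custom audience, only the client
     * audience is expected in the assertion; the custom value must not appear.
     */
    @Test
    public void testClientAndCustomAudience() throws Exception {
        this.pmu.add(new ProtocolMapperRepresentation[]{
                RoleMapperTest.createSamlProtocolMapper(AUDIENCE_MAPPER_ID, "included.client.audience", AbstractSamlTest.SAML_CLIENT_ID_SALES_POST, "included.custom.audience", CUSTOM_AUDIENCE)
        }).update();
        testExpectedAudiences(AbstractSamlTest.SAML_CLIENT_ID_EMPLOYEE_2, AbstractSamlTest.SAML_CLIENT_ID_SALES_POST);
    }

    /**
     * With the audience-resolve mapper in place, the audiences follow the user's client roles:
     * once the {@code employee} role of the employee client is removed from the user, that client
     * is no longer listed as an audience.
     */
    @Test
    public void testAudienceResolveFullScope() throws Exception {
        this.pmu.add(new ProtocolMapperRepresentation[]{
                RoleMapperTest.createSamlProtocolMapper(AUDIENCE_RESOLVE_MAPPER_ID, new String[0])
        }).update();
        testExpectedAudiences(AbstractSamlTest.SAML_CLIENT_ID_EMPLOYEE_2, EMPLOYEE_CLIENT_ID, EMPLOYEE_ROLE_MAPPING_CLIENT_ID);

        String employeeUuid = findClientUuid(EMPLOYEE_CLIENT_ID);
        try (RoleScopeUpdater roleRemoval = UserAttributeUpdater.forUserByUsername(this.adminClient, AbstractSamlTest.REALM_NAME, this.bburkeUser.getUsername())
                .clientRoleScope(employeeUuid)
                .removeByName("employee")
                .update()) {
            testExpectedAudiences(AbstractSamlTest.SAML_CLIENT_ID_EMPLOYEE_2, EMPLOYEE_ROLE_MAPPING_CLIENT_ID);
        }
    }

    /**
     * With full scope disabled on the client, the audience-resolve mapper adds no audiences until
     * a role of another client is explicitly put into the client's scope.
     */
    @Test
    public void testAudienceResolveNoFullScope() throws Exception {
        this.pmu.add(new ProtocolMapperRepresentation[]{
                RoleMapperTest.createSamlProtocolMapper(AUDIENCE_RESOLVE_MAPPER_ID, new String[0])
        }).update();

        try (ClientAttributeUpdater scopedClient = ClientAttributeUpdater.forClient(this.adminClient, AbstractSamlTest.REALM_NAME, AbstractSamlTest.SAML_CLIENT_ID_EMPLOYEE_2)
                .setFullScopeAllowed(false)
                .update()) {
            // No scope mappings yet: only the client's own id is expected.
            testExpectedAudiences(AbstractSamlTest.SAML_CLIENT_ID_EMPLOYEE_2);

            String employee2Uuid = findClientUuid(AbstractSamlTest.SAML_CLIENT_ID_EMPLOYEE_2);
            String employeeUuid = findClientUuid(EMPLOYEE_CLIENT_ID);
            List<RoleRepresentation> availableRoles = this.adminClient.realm(AbstractSamlTest.REALM_NAME).clients().get(employee2Uuid)
                    .getScopeMappings().clientLevel(employeeUuid).listAvailable();
            Assert.assertThat(availableRoles.size(), org.hamcrest.Matchers.greaterThan(0));

            try (RoleScopeUpdater scopeAddition = scopedClient.clientRoleScope(employeeUuid).add(availableRoles.get(0)).update()) {
                testExpectedAudiences(AbstractSamlTest.SAML_CLIENT_ID_EMPLOYEE_2, EMPLOYEE_CLIENT_ID);
            }
        }
    }

    /**
     * Same as {@link #testAudienceResolveNoFullScope()}, but the audience-resolve mapper and the
     * role scope mappings come from a default client scope instead of the client itself.
     */
    @Test
    public void testAudienceResolveNoFullScopeClientScopes() throws Exception {
        ClientScopeRepresentation clientScopeRepresentation = new ClientScopeRepresentation();
        clientScopeRepresentation.setName(TEST_CLIENT_SCOPE_NAME);
        clientScopeRepresentation.setProtocol("saml");
        clientScopeRepresentation.setProtocolMappers(Collections.singletonList(RoleMapperTest.createSamlProtocolMapper(AUDIENCE_RESOLVE_MAPPER_ID, new String[0])));

        Response create = this.adminClient.realm(AbstractSamlTest.REALM_NAME).clientScopes().create(clientScopeRepresentation);
        String createdId;
        try {
            Assert.assertEquals(Response.Status.CREATED.getStatusCode(), create.getStatus());
            createdId = ApiUtil.getCreatedId(create);
        } finally {
            // Release the HTTP response whether or not the status check passed.
            create.close();
        }

        try {
            findClientUuid(AbstractSamlTest.SAML_CLIENT_ID_EMPLOYEE_2);
            String employeeUuid = findClientUuid(EMPLOYEE_CLIENT_ID);
            List<RoleRepresentation> availableRoles = this.adminClient.realm(AbstractSamlTest.REALM_NAME).clientScopes().get(createdId)
                    .getScopeMappings().clientLevel(employeeUuid).listAvailable();
            Assert.assertThat(availableRoles.size(), org.hamcrest.Matchers.greaterThan(0));
            this.adminClient.realm(AbstractSamlTest.REALM_NAME).clientScopes().get(createdId)
                    .getScopeMappings().clientLevel(employeeUuid).add(availableRoles);

            // try-with-resources reverts the client settings on the failure path too, so a failed
            // assertion cannot leave full scope disabled for the tests that run afterwards.
            try (ClientAttributeUpdater scopedClient = ClientAttributeUpdater.forClient(this.adminClient, AbstractSamlTest.REALM_NAME, AbstractSamlTest.SAML_CLIENT_ID_EMPLOYEE_2)
                    .setFullScopeAllowed(false)
                    .addDefaultClientScope(TEST_CLIENT_SCOPE_NAME)
                    .update()) {
                testExpectedAudiences(AbstractSamlTest.SAML_CLIENT_ID_EMPLOYEE_2, EMPLOYEE_CLIENT_ID);
            }
        } finally {
            this.adminClient.realm(AbstractSamlTest.REALM_NAME).clientScopes().get(createdId).remove();
        }
    }

    /** Looks up the internal id of the first client with the given client id and asserts it is set. */
    private String findClientUuid(String clientId) {
        String uuid = ((ClientRepresentation) this.adminClient.realm(AbstractSamlTest.REALM_NAME).clients().findByClientId(clientId).get(0)).getId();
        Assert.assertNotNull(uuid);
        return uuid;
    }
}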
