package org.keycloak.testsuite.forms;

import java.lang.invoke.SerializedLambda;
import java.util.HashMap;
import java.util.Map;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.jboss.arquillian.graphene.page.Page;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.testsuite.AbstractTestRealmKeycloakTest;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.oauth.RefreshTokenTest;
import org.keycloak.testsuite.pages.ErrorPage;
import org.keycloak.testsuite.pages.LoginUsernameOnlyPage;
import org.keycloak.testsuite.pages.PasswordPage;
import org.keycloak.testsuite.saml.ConcurrentAuthnRequestTest;
import org.keycloak.testsuite.util.FlowUtil;

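/**
 * Browser-flow tests for the {@code deny-access-authenticator} and
 * {@code allow-access-authenticator} executions.
 *
 * <p>Every test follows the same pattern: copy the browser flow under a test-specific alias,
 * rebuild the copy's forms section through {@link FlowUtil}, make it the browser flow, drive the
 * login pages, and revert the flows in a {@code finally} block so that a failing assertion cannot
 * leave a modified authentication flow behind for later tests.
 *
 * <p>Denied logins are expected to produce an {@code access_denied} login error event that carries
 * neither a user id nor a session id.
 */
@AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
public class AllowDenyAuthenticatorTest extends AbstractTestRealmKeycloakTest {

    // Argument passed to testingClient.server(...) for every server-side flow change.
    private static final String RUN_ON_SERVER_REALM = "test";

    // Provider ids of the executions used to assemble the flows under test.
    private static final String USERNAME_FORM = "auth-username-form";
    private static final String PASSWORD_FORM = "auth-password-form";
    private static final String DENY_ACCESS = "deny-access-authenticator";
    private static final String ALLOW_ACCESS = "allow-access-authenticator";
    private static final String USER_ROLE_CONDITION = "conditional-user-role";
    private static final String USER_ATTRIBUTE_CONDITION = "conditional-user-attribute";

    // Config key holding the message (or message-bundle key) shown by the deny authenticator.
    private static final String DENY_ERROR_MESSAGE = "denyErrorMessage";

    private static final String ROLE_UNDER_TEST = "offline_access";

    // Second test user; the role tests treat it as the counterpart of AssertEvents.DEFAULT_USERNAME.
    // NOTE(review): presumably this user lacks offline_access in the test realm - confirm.
    private static final String JOHN_DOH_USERNAME = "john-doh@localhost";

    @Page
    protected LoginUsernameOnlyPage loginUsernameOnlyPage;

    @Page
    protected PasswordPage passwordPage;

    @Page
    protected ErrorPage errorPage;

    @Rule
    public AssertEvents events = new AssertEvents(this);

    /** Leaves the test realm as imported; each test installs its own browser flow instead. */
    @Override
    public void configureTestRealm(RealmRepresentation realmRepresentation) {
    }

    /** With no {@code denyErrorMessage} configured, the error page shows "Access denied". */
    @Test
    public void testDenyAccessWithDefaultMessage() {
        testErrorMessageInDenyAccess(null, "Access denied");
    }

    /** A free-text {@code denyErrorMessage} is shown as configured. */
    @Test
    public void testDenyAccessWithParticularMessage() {
        testErrorMessageInDenyAccess("You are not allowed to authenticate.", "You are not allowed to authenticate.");
    }

    /** A {@code denyErrorMessage} that is a known message key is shown as the resolved message text. */
    @Test
    public void testDenyAccessWithProperty() {
        testErrorMessageInDenyAccess("brokerLinkingSessionExpired", "Requested broker account linking, but current session is no longer valid.");
    }

    /** A {@code denyErrorMessage} that matches no message key is shown literally. */
    @Test
    public void testDenyAccessWithNotExistingProperty() {
        testErrorMessageInDenyAccess("not-existing-property", "not-existing-property");
    }

    /**
     * Installs a flow of username form followed by an unconditional deny step and checks the
     * message on the error page.
     *
     * @param configuredMessage value for {@code denyErrorMessage}, or {@code null} to leave it unset
     * @param expectedMessage text the error page must display
     */
    private void testErrorMessageInDenyAccess(String configuredMessage, String expectedMessage) {
        final String flowAlias = "browser - deny defaultMessage";

        Map<String, String> denyConfig = new HashMap<>();
        if (configuredMessage != null) {
            denyConfig.put(DENY_ERROR_MESSAGE, configuredMessage);
        }
        configureBrowserFlowWithDenyAccess(flowAlias, denyConfig);

        try {
            assertLoginDenied(AssertEvents.DEFAULT_USERNAME, expectedMessage);
        } finally {
            BrowserFlowTest.revertFlows(testRealm(), flowAlias);
        }
    }

    /**
     * Puts the deny step behind a negated user-attribute condition ({@code not=true}) and expects
     * the default user to be denied with the configured message.
     */
    @Test
    public void testDenyAccessWithNegateUserAttributeCondition() {
        final String flowAlias = "browser - user attribute condition";
        final String errorMessage = "You don't have necessary attribute.";

        Map<String, String> conditionConfig = new HashMap<>();
        conditionConfig.put("attribute_name", "attribute");
        conditionConfig.put("attribute_expected_value", "value");
        conditionConfig.put("not", "true");

        Map<String, String> denyConfig = new HashMap<>();
        denyConfig.put(DENY_ERROR_MESSAGE, errorMessage);

        configureBrowserFlowWithDenyAccessInConditionalFlow(flowAlias, USER_ATTRIBUTE_CONDITION, conditionConfig, denyConfig);

        try {
            assertLoginDenied(AssertEvents.DEFAULT_USERNAME, errorMessage);
        } finally {
            BrowserFlowTest.revertFlows(testRealm(), flowAlias);
        }
    }

    @Test
    public void testDenyAccessWithRoleCondition() {
        denyAccessWithRoleCondition(false);
    }

    @Test
    public void testDenyAccessWithNegateRoleCondition() {
        denyAccessWithRoleCondition(true);
    }

    /**
     * Puts the deny step behind a user-role condition on {@code offline_access}.
     *
     * <p>Without negation the default user is expected to be denied and {@code john-doh@localhost}
     * to log in; with negation the two users swap places.
     *
     * @param negate value written to the condition's {@code negate} setting
     */
    private void denyAccessWithRoleCondition(boolean negate) {
        final String flowAlias = "browser-deny";
        final String errorMessage = "Your account doesn't have the required role";

        Map<String, String> conditionConfig = new HashMap<>();
        conditionConfig.put("condUserRole", ROLE_UNDER_TEST);
        conditionConfig.put("negate", Boolean.toString(negate));

        Map<String, String> denyConfig = new HashMap<>();
        denyConfig.put(DENY_ERROR_MESSAGE, errorMessage);

        configureBrowserFlowWithDenyAccessInConditionalFlow(flowAlias, USER_ROLE_CONDITION, conditionConfig, denyConfig);

        String deniedUser = negate ? JOHN_DOH_USERNAME : AssertEvents.DEFAULT_USERNAME;
        String allowedUser = negate ? AssertEvents.DEFAULT_USERNAME : JOHN_DOH_USERNAME;
        denyAccessInConditionalFlow(flowAlias, deniedUser, allowedUser, errorMessage);
    }

    /**
     * Checks both sides of a conditional deny flow that is already installed, then reverts it.
     *
     * @param flowAlias alias of the installed flow, used only for the revert
     * @param deniedUser user that must land on the error page
     * @param allowedUser user that must reach the password form and log in
     * @param expectedError message the error page must show to {@code deniedUser}
     */
    private void denyAccessInConditionalFlow(String flowAlias, String deniedUser, String allowedUser, String expectedError) {
        try {
            assertLoginDenied(deniedUser, expectedError);

            // The condition does not match this user, so the deny step is skipped and the
            // password form that follows the conditional subflow is shown.
            String allowedUserId = findUserId(allowedUser);
            this.loginUsernameOnlyPage.open();
            this.loginUsernameOnlyPage.assertCurrent();
            this.loginUsernameOnlyPage.login(allowedUser);
            this.passwordPage.assertCurrent();
            this.passwordPage.login("password");
            this.events.expectLogin().user(allowedUserId).detail("username", allowedUser).removeDetail("consent").assertEvent();
        } finally {
            BrowserFlowTest.revertFlows(testRealm(), flowAlias);
        }
    }

    /**
     * A user for whom the role condition does not match skips the allow step and must still pass
     * the password form before the login event is recorded.
     */
    @Test
    public void testSkipExecutionUserHasNotRoleCondition() {
        final String flowAlias = "browser - allow skip";

        Map<String, String> conditionConfig = new HashMap<>();
        conditionConfig.put("condUserRole", ROLE_UNDER_TEST);
        conditionConfig.put("negate", "false");
        configureBrowserFlowWithSkipExecutionInConditionalFlow(flowAlias, USER_ROLE_CONDITION, conditionConfig);

        try {
            this.loginUsernameOnlyPage.open();
            this.loginUsernameOnlyPage.assertCurrent();
            this.loginUsernameOnlyPage.login(JOHN_DOH_USERNAME);
            String userId = findUserId(JOHN_DOH_USERNAME);
            this.passwordPage.assertCurrent();
            this.passwordPage.login("password");
            this.events.expectLogin().user(userId).detail("username", JOHN_DOH_USERNAME).removeDetail("consent").assertEvent();
        } finally {
            BrowserFlowTest.revertFlows(testRealm(), flowAlias);
        }
    }

    /**
     * A user for whom the role condition matches is logged in by the allow step right after the
     * username form; the test never visits the password page.
     *
     * <p>The login event is therefore produced on knowledge of the username alone. That is the
     * behaviour being pinned here; a flow meant for real users needs a credential check before any
     * allow step, otherwise the role condition becomes the only barrier.
     */
    @Test
    public void testSkipOtherExecutionsIfUserHasRoleCondition() {
        final String flowAlias = "browser - allow skip";

        Map<String, String> conditionConfig = new HashMap<>();
        conditionConfig.put("condUserRole", ROLE_UNDER_TEST);
        conditionConfig.put("negate", "false");
        configureBrowserFlowWithSkipExecutionInConditionalFlow(flowAlias, USER_ROLE_CONDITION, conditionConfig);

        try {
            this.loginUsernameOnlyPage.open();
            this.loginUsernameOnlyPage.assertCurrent();
            this.loginUsernameOnlyPage.login(AssertEvents.DEFAULT_USERNAME);
            String userId = findUserId(AssertEvents.DEFAULT_USERNAME);
            this.events.expectLogin().user(userId).detail("username", AssertEvents.DEFAULT_USERNAME).removeDetail("consent").assertEvent();
        } finally {
            BrowserFlowTest.revertFlows(testRealm(), flowAlias);
        }
    }

    /**
     * Submits {@code username} on the username-only form and asserts the denial: the error page is
     * current, it shows {@code expectedError}, and the login event is an {@code access_denied}
     * error with no user id and no session id attached.
     */
    private void assertLoginDenied(String username, String expectedError) {
        this.loginUsernameOnlyPage.open();
        this.loginUsernameOnlyPage.assertCurrent();
        this.loginUsernameOnlyPage.login(username);
        this.errorPage.assertCurrent();
        MatcherAssert.assertThat(this.errorPage.getError(), Matchers.is(expectedError));
        this.events.expectLogin().user((String) null).session((String) null).error("access_denied").detail("username", username).removeDetail("consent").assertEvent();
    }

    /** Returns the id of the first user the realm's user search yields for {@code username}. */
    private String findUserId(String username) {
        UserRepresentation user = testRealm().users().search(username).get(0);
        return user.getId();
    }

    /**
     * Installs: username form (REQUIRED), then a CONDITIONAL subflow holding the condition and the
     * deny step, then the password form (REQUIRED).
     *
     * <p>The lambdas passed to {@code run(...)} are serializable, so everything they capture
     * (the alias, the provider id and both maps) has to be serializable as well.
     *
     * @param flowAlias alias for the copied browser flow
     * @param conditionProviderId provider id of the condition execution
     * @param conditionConfig config applied to the condition execution
     * @param denyConfig config applied to the deny execution
     */
    private void configureBrowserFlowWithDenyAccessInConditionalFlow(String flowAlias, String conditionProviderId, Map<String, String> conditionConfig, Map<String, String> denyConfig) {
        this.testingClient.server(RUN_ON_SERVER_REALM).run(session -> {
            FlowUtil.inCurrentRealm(session).copyBrowserFlow(flowAlias);
        });
        this.testingClient.server(RUN_ON_SERVER_REALM).run(session -> {
            FlowUtil.inCurrentRealm(session).selectFlow(flowAlias).inForms(forms -> {
                forms.clear()
                        .addAuthenticatorExecution(AuthenticationExecutionModel.Requirement.REQUIRED, USERNAME_FORM)
                        .addSubFlowExecution(AuthenticationExecutionModel.Requirement.CONDITIONAL, conditional -> {
                            conditional
                                    .addAuthenticatorExecution(AuthenticationExecutionModel.Requirement.REQUIRED, conditionProviderId, condition -> {
                                        condition.setConfig(conditionConfig);
                                    })
                                    .addAuthenticatorExecution(AuthenticationExecutionModel.Requirement.REQUIRED, DENY_ACCESS, deny -> {
                                        deny.setConfig(denyConfig);
                                    });
                        })
                        .addAuthenticatorExecution(AuthenticationExecutionModel.Requirement.REQUIRED, PASSWORD_FORM);
            }).defineAsBrowserFlow();
        });
    }

    /**
     * Installs: username form (REQUIRED) followed directly by the deny step (REQUIRED), so every
     * login attempt is expected to end on the error page.
     *
     * @param flowAlias alias for the copied browser flow
     * @param denyConfig config applied to the deny execution; may be empty
     */
    private void configureBrowserFlowWithDenyAccess(String flowAlias, Map<String, String> denyConfig) {
        this.testingClient.server(RUN_ON_SERVER_REALM).run(session -> {
            FlowUtil.inCurrentRealm(session).copyBrowserFlow(flowAlias);
        });
        this.testingClient.server(RUN_ON_SERVER_REALM).run(session -> {
            FlowUtil.inCurrentRealm(session).selectFlow(flowAlias).inForms(forms -> {
                forms.clear()
                        .addAuthenticatorExecution(AuthenticationExecutionModel.Requirement.REQUIRED, USERNAME_FORM)
                        .addAuthenticatorExecution(AuthenticationExecutionModel.Requirement.REQUIRED, DENY_ACCESS, deny -> {
                            deny.setConfig(denyConfig);
                        });
            }).defineAsBrowserFlow();
        });
    }

    /**
     * Installs: username form (REQUIRED), then a REQUIRED subflow with two ALTERNATIVE branches.
     * The first branch is a CONDITIONAL subflow holding the condition and the allow step; the
     * second is the password form.
     *
     * @param flowAlias alias for the copied browser flow
     * @param conditionProviderId provider id of the condition execution
     * @param conditionConfig config applied to the condition execution
     */
    private void configureBrowserFlowWithSkipExecutionInConditionalFlow(String flowAlias, String conditionProviderId, Map<String, String> conditionConfig) {
        this.testingClient.server(RUN_ON_SERVER_REALM).run(session -> {
            FlowUtil.inCurrentRealm(session).copyBrowserFlow(flowAlias);
        });
        this.testingClient.server(RUN_ON_SERVER_REALM).run(session -> {
            FlowUtil.inCurrentRealm(session).selectFlow(flowAlias).inForms(forms -> {
                forms.clear()
                        .addAuthenticatorExecution(AuthenticationExecutionModel.Requirement.REQUIRED, USERNAME_FORM)
                        .addSubFlowExecution(AuthenticationExecutionModel.Requirement.REQUIRED, afterUsername -> {
                            afterUsername
                                    .addSubFlowExecution(AuthenticationExecutionModel.Requirement.ALTERNATIVE, allowBranch -> {
                                        allowBranch.addSubFlowExecution(AuthenticationExecutionModel.Requirement.CONDITIONAL, conditional -> {
                                            conditional
                                                    .addAuthenticatorExecution(AuthenticationExecutionModel.Requirement.REQUIRED, conditionProviderId, condition -> {
                                                        condition.setConfig(conditionConfig);
                                                    })
                                                    .addAuthenticatorExecution(AuthenticationExecutionModel.Requirement.REQUIRED, ALLOW_ACCESS);
                                        });
                                    })
                                    .addAuthenticatorExecution(AuthenticationExecutionModel.Requirement.ALTERNATIVE, PASSWORD_FORM);
                        });
            }).defineAsBrowserFlow();
        });
    }

    // The decompiler-emitted $deserializeLambda$ body is intentionally not reproduced: it is the
    // synthetic method the compiler generates for the serializable run-on-server lambdas above,
    // and its decompiled form (a boolean assigned -1, repeated "case true" labels) is not valid
    // Java source.
}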
