package org.keycloak.testsuite.saml;

import java.io.IOException;
import java.net.URI;
import java.security.Signature;
import java.util.Objects;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.util.EntityUtils;
import org.hamcrest.CoreMatchers;
import org.hamcrest.Matcher;
import org.hamcrest.Matchers;
import org.jboss.resteasy.util.Encode;
import org.junit.Assert;
import org.junit.Test;
import org.keycloak.dom.saml.v2.protocol.AuthnRequestType;
import org.keycloak.saml.SignatureAlgorithm;
import org.keycloak.saml.common.constants.GeneralConstants;
import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
import org.keycloak.saml.common.exceptions.ConfigurationException;
import org.keycloak.saml.common.exceptions.ParsingException;
import org.keycloak.saml.common.exceptions.ProcessingException;
import org.keycloak.saml.common.util.DocumentUtil;
import org.keycloak.saml.processing.api.saml.v2.request.SAML2Request;
import org.keycloak.saml.processing.web.util.RedirectBindingUtil;
import org.keycloak.services.resources.RealmsResource;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.util.KeyUtils;
import org.keycloak.testsuite.util.SamlClient;
import org.keycloak.testsuite.util.SamlClientBuilder;
import org.keycloak.testsuite.util.ServerURLs;
import org.keycloak.testsuite.utils.io.IOUtil;
import org.w3c.dom.Attr;
import org.w3c.dom.Element;

/* loaded from: input_file:org/keycloak/testsuite/saml/BasicSamlTest.class */
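public class BasicSamlTest extends AbstractSamlTest {

    /**
     * Sends an AuthnRequest whose {@code ID} looks like a property placeholder
     * ({@code ${java.version}}) and checks that the server echoes it back verbatim
     * in {@code InResponseTo} instead of expanding it to the real JVM version.
     * A client-supplied value must never be interpolated on the server side.
     */
    @Test
    public void testPropertyValueInAssertion() throws ParsingException, ConfigurationException, ProcessingException {
        String samlResponse = IOUtil.documentToString(new SamlClientBuilder()
                .authnRequest(getAuthServerSamlEndpoint(AbstractSamlTest.REALM_NAME), AbstractSamlTest.SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, SamlClient.Binding.POST)
                .transformDocument(document -> {
                    // If the server substituted system properties into request values,
                    // the actual java.version would show up in InResponseTo below.
                    IOUtil.setDocElementAttributeValue(document, "samlp:AuthnRequest", "ID", "${java.version}");
                    return document;
                })
                .build()
                .login().user(this.bburkeUser).build()
                .getSamlResponse(SamlClient.Binding.POST)
                .getSamlDocument());

        Assert.assertThat(samlResponse,
                CoreMatchers.not(Matchers.containsString("InResponseTo=\"" + System.getProperty("java.version") + "\"")));
    }

    /** Signed REDIRECT-binding request without any RelayState. */
    @Test
    public void testRedirectUrlSigned() throws Exception {
        testSpecialCharsInRelayState(null);
    }

    /** Signed REDIRECT-binding request whose RelayState still contains unencoded parentheses. */
    @Test
    public void testRedirectUrlUnencodedSpecialChars() throws Exception {
        testSpecialCharsInRelayState("New%20Document%20(1).doc");
    }

    /** Signed REDIRECT-binding request whose RelayState is fully percent-encoded. */
    @Test
    public void testRedirectUrlEncodedSpecialChars() throws Exception {
        testSpecialCharsInRelayState("New%20Document%20%281%29.doc");
    }

    /**
     * Builds a REDIRECT-binding AuthnRequest for the SALES_POST_SIG client, signs the
     * query string with that client's private key (RSA-SHA256) and expects the IdP to
     * accept it with HTTP 200.
     *
     * @param relayState the RelayState query value exactly as it should appear on the wire
     *                   (already encoded, if at all), or {@code null} to omit the parameter
     */
    private void testSpecialCharsInRelayState(String relayState) throws Exception {
        AuthnRequestType loginRequest = SamlClient.createLoginRequestDocument(
                AbstractSamlTest.SAML_CLIENT_ID_SALES_POST_SIG,
                SAML_ASSERTION_CONSUMER_URL_SALES_POST_SIG,
                getAuthServerSamlEndpoint(AbstractSamlTest.REALM_NAME));
        URI requestUri = SamlClient.Binding.REDIRECT
                .createSamlUnsignedRequest(getAuthServerSamlEndpoint(AbstractSamlTest.REALM_NAME), (String) null, SAML2Request.convert(loginRequest))
                .getURI();

        // The raw (still-encoded) query is what travels on the wire, so that is what gets signed.
        String samlRequestParam = requestUri.getRawQuery();
        SignatureAlgorithm algorithm = SignatureAlgorithm.RSA_SHA256;
        String relayStateParam = relayState == null ? "" : "&RelayState=" + relayState;
        String sigAlgParam = "&SigAlg=" + Encode.encodeQueryParamAsIs(algorithm.getXmlSignatureMethod());

        // Redirect-binding signature input is SAMLRequest, then RelayState (if present),
        // then SigAlg, concatenated in exactly this order; the server must verify the
        // same byte sequence, so RelayState is signed as-is and not re-encoded.
        Signature signature = algorithm.createSignature();
        signature.initSign(KeyUtils.privateKeyFromString(AbstractSamlTest.SAML_CLIENT_SALES_POST_SIG_PRIVATE_KEY));
        signature.update(samlRequestParam.getBytes(GeneralConstants.SAML_CHARSET));
        signature.update(relayStateParam.getBytes(GeneralConstants.SAML_CHARSET));
        signature.update(sigAlgParam.getBytes(GeneralConstants.SAML_CHARSET));
        String signatureParam = "&Signature=" + Encode.encodeQueryParamAsIs(RedirectBindingUtil.base64Encode(signature.sign()));

        new SamlClientBuilder()
                .navigateTo(requestUri.toString() + relayStateParam + sigAlgParam + signatureParam)
                .assertResponse(org.keycloak.testsuite.util.Matchers.statusCodeIsHC(Response.Status.OK))
                .execute();
    }

    /** Creates the HTTP client used by the raw-request tests below (redirect following is switchable per step). */
    private static CloseableHttpClient newHttpClient() {
        return HttpClientBuilder.create()
                .setRedirectStrategy(new SamlClient.RedirectStrategyWithSwitchableFollowRedirect())
                .build();
    }

    /**
     * Executes {@code request} once and asserts only the HTTP status code.
     * Client and response are closed via try-with-resources, including on assertion failure.
     */
    private static void assertStatus(HttpUriRequest request, Response.Status expectedStatus) throws IOException {
        try (CloseableHttpClient client = newHttpClient();
             CloseableHttpResponse response = client.execute(request)) {
            Assert.assertThat(response, org.keycloak.testsuite.util.Matchers.statusCodeIsHC(expectedStatus));
        }
    }

    /**
     * Executes {@code request} once and asserts the HTTP status code and the response body.
     *
     * @param bodyMatcher matcher applied to the UTF-8 decoded entity
     */
    private static void assertStatusAndBody(HttpUriRequest request, Response.Status expectedStatus, Matcher<String> bodyMatcher) throws IOException {
        try (CloseableHttpClient client = newHttpClient();
             CloseableHttpResponse response = client.execute(request)) {
            Assert.assertThat(response, org.keycloak.testsuite.util.Matchers.statusCodeIsHC(expectedStatus));
            Assert.assertThat(EntityUtils.toString(response.getEntity(), "UTF-8"), bodyMatcher);
        }
    }

    /** Unsigned POST-binding AuthnRequest with no {@code Destination}: the login page is served. */
    @Test
    public void testNoDestinationPost() throws Exception {
        HttpUriRequest request = SamlClient.Binding.POST.createSamlUnsignedRequest(
                getAuthServerSamlEndpoint(AbstractSamlTest.REALM_NAME), (String) null,
                SAML2Request.convert(SamlClient.createLoginRequestDocument(AbstractSamlTest.SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, (URI) null)));
        assertStatusAndBody(request, Response.Status.OK, Matchers.containsString("login"));
    }

    /** Unsigned REDIRECT-binding AuthnRequest with no {@code Destination}: the login page is served. */
    @Test
    public void testNoDestinationRedirect() throws Exception {
        HttpUriRequest request = SamlClient.Binding.REDIRECT.createSamlUnsignedRequest(
                getAuthServerSamlEndpoint(AbstractSamlTest.REALM_NAME), (String) null,
                SAML2Request.convert(SamlClient.createLoginRequestDocument(AbstractSamlTest.SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, (URI) null)));
        assertStatusAndBody(request, Response.Status.OK, Matchers.containsString("login"));
    }

    /**
     * Signed POST-binding AuthnRequest with no {@code Destination} is rejected with 400:
     * for a client that requires signatures the Destination check is not optional.
     */
    @Test
    public void testNoDestinationSignedPost() throws Exception {
        HttpUriRequest request = SamlClient.Binding.POST.createSamlSignedRequest(
                getAuthServerSamlEndpoint(AbstractSamlTest.REALM_NAME), (String) null,
                SAML2Request.convert(SamlClient.createLoginRequestDocument(AbstractSamlTest.SAML_CLIENT_ID_SALES_POST_SIG, SAML_ASSERTION_CONSUMER_URL_SALES_POST_SIG, (URI) null)),
                AbstractSamlTest.SAML_CLIENT_SALES_POST_SIG_PRIVATE_KEY, AbstractSamlTest.SAML_CLIENT_SALES_POST_SIG_PUBLIC_KEY);
        assertStatus(request, Response.Status.BAD_REQUEST);
    }

    /** {@code Destination} without an explicit port (UriBuilder port -1) is accepted. */
    @Test
    @AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE, AuthServerContainerExclude.AuthServer.QUARKUS})
    public void testNoPortInDestination() throws Exception {
        testWithOverriddenPort(-1, Response.Status.OK, Matchers.containsString("login"));
    }

    /** {@code Destination} carrying the real auth-server port is accepted. */
    @Test
    public void testExplicitPortInDestination() throws Exception {
        testWithOverriddenPort(Integer.valueOf(ServerURLs.AUTH_SERVER_PORT), Response.Status.OK, Matchers.containsString("login"));
    }

    /** {@code Destination} pointing at a port the IdP does not listen on is rejected as an invalid request. */
    @Test
    public void testWrongPortInDestination() throws Exception {
        testWithOverriddenPort(123, Response.Status.BAD_REQUEST, Matchers.containsString("Invalid Request"));
    }

    /**
     * Sends an unsigned POST-binding AuthnRequest whose {@code Destination} is the realm's
     * SAML endpoint rebuilt with {@code port}, and asserts status and body.
     *
     * @param port           port to put into the Destination URL; {@code -1} drops the port
     * @param expectedStatus expected HTTP status of the IdP response
     * @param bodyMatcher    matcher applied to the response body
     */
    private void testWithOverriddenPort(int port, Response.Status expectedStatus, Matcher<String> bodyMatcher) throws Exception {
        URI destination = RealmsResource.protocolUrl(UriBuilder.fromUri(getAuthServerRoot()).port(port))
                .build(new Object[]{AbstractSamlTest.REALM_NAME, "saml"});
        HttpUriRequest request = SamlClient.Binding.POST.createSamlUnsignedRequest(
                getAuthServerSamlEndpoint(AbstractSamlTest.REALM_NAME), (String) null,
                SAML2Request.convert(SamlClient.createLoginRequestDocument(AbstractSamlTest.SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, destination)));
        assertStatusAndBody(request, expectedStatus, bodyMatcher);
    }

    /** Second AuthnRequest without a ForceAuthn attribute reuses the SSO session. */
    @Test
    public void testReauthnWithForceAuthnNotSet() throws Exception {
        testReauthnWithForceAuthn(null);
    }

    /** Second AuthnRequest with ForceAuthn=false reuses the SSO session. */
    @Test
    public void testReauthnWithForceAuthnFalse() throws Exception {
        testReauthnWithForceAuthn(false);
    }

    /** Second AuthnRequest with ForceAuthn=true must re-present the login form. */
    @Test
    public void testReauthnWithForceAuthnTrue() throws Exception {
        testReauthnWithForceAuthn(true);
    }

    /**
     * Logs in once via the SALES_POST client, then sends a second AuthnRequest from
     * SALES_POST2 with the given {@code ForceAuthn} value in the same HTTP session.
     * With {@code TRUE} the IdP must show the login page again ("Sign in"); otherwise
     * the existing SSO session is used and a SAMLResponse is returned directly.
     *
     * @param forceAuthn value of the ForceAuthn attribute, or {@code null} to leave it unset
     */
    private void testReauthnWithForceAuthn(Boolean forceAuthn) throws Exception {
        String expectedBodyFragment = Objects.equals(forceAuthn, Boolean.TRUE) ? "Sign in" : "SAMLResponse";

        new SamlClientBuilder()
                .authnRequest(getAuthServerSamlEndpoint(AbstractSamlTest.REALM_NAME), AbstractSamlTest.SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, SamlClient.Binding.POST)
                .build()
                .login().user(this.bburkeUser).build()
                .execute(closeableHttpResponse -> {
                    try {
                        Assert.assertThat(SamlClient.Binding.POST.extractResponse(closeableHttpResponse).getSamlObject(),
                                org.keycloak.testsuite.util.Matchers.isSamlStatusResponse(new JBossSAMLURIConstants[]{JBossSAMLURIConstants.STATUS_SUCCESS}));
                    } catch (IOException e) {
                        // A response that cannot be read means the success assertion never ran;
                        // fail loudly rather than logging and letting the test pass.
                        throw new AssertionError("Could not read the first SAML response", e);
                    }
                })
                .execute(new SamlClientBuilder()
                        .authnRequest(getAuthServerSamlEndpoint(AbstractSamlTest.REALM_NAME), AbstractSamlTest.SAML_CLIENT_ID_SALES_POST2, SAML_ASSERTION_CONSUMER_URL_SALES_POST2, SamlClient.Binding.POST)
                        .transformObject(authnRequestType -> {
                            authnRequestType.setForceAuthn(forceAuthn);
                            return authnRequestType;
                        })
                        .build()
                        .assertResponse(org.keycloak.testsuite.util.Matchers.bodyHC(Matchers.containsString(expectedBodyFragment)))
                        .getSteps());
    }

    /** {@code IsPassive=true} must be serialized as an explicit attribute on the AuthnRequest element. */
    @Test
    public void testIsPassiveAttributeEmittedWhenTrue() throws Exception {
        AuthnRequestType loginRequest = SamlClient.createLoginRequestDocument(
                AbstractSamlTest.SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, getAuthServerSamlEndpoint(AbstractSamlTest.REALM_NAME));
        loginRequest.setIsPassive(true);

        Attr isPassive = SAML2Request.convert(loginRequest).getDocumentElement().getAttributeNode("IsPassive");

        Assert.assertThat("AuthnRequest element should contain the IsPassive attribute when isPassive is true, but it doesn't", isPassive, Matchers.notNullValue());
        Assert.assertThat("AuthnRequest/IsPassive attribute should be true when isPassive is true, but it isn't", isPassive.getNodeValue(), Matchers.is("true"));
    }

    /** {@code IsPassive=false} is the default and must not be serialized at all. */
    @Test
    public void testIsPassiveAttributeOmittedWhenFalse() throws Exception {
        AuthnRequestType loginRequest = SamlClient.createLoginRequestDocument(
                AbstractSamlTest.SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, getAuthServerSamlEndpoint(AbstractSamlTest.REALM_NAME));
        loginRequest.setIsPassive(false);

        Attr isPassive = SAML2Request.convert(loginRequest).getDocumentElement().getAttributeNode("IsPassive");

        Assert.assertThat("AuthnRequest element shouldn't contain the IsPassive attribute when isPassive is false, but it does", isPassive, Matchers.nullValue());
    }

    /**
     * With a transient NameID format the {@code AllowCreate} flag is meaningless and must be
     * left out of the serialized NameIDPolicy even if it was set on the object.
     */
    @Test
    public void testAllowCreateAttributeOmittedWhenTransient() throws Exception {
        AuthnRequestType loginRequest = SamlClient.createLoginRequestDocument(
                AbstractSamlTest.SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, getAuthServerSamlEndpoint(AbstractSamlTest.REALM_NAME));
        loginRequest.getNameIDPolicy().setFormat(JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.getUri());
        loginRequest.getNameIDPolicy().setAllowCreate(true);

        Element nameIdPolicy = DocumentUtil.getDirectChildElement(
                SAML2Request.convert(loginRequest).getDocumentElement(), JBossSAMLURIConstants.PROTOCOL_NSURI.get(), "NameIDPolicy");
        Attr format = nameIdPolicy.getAttributeNode("Format");
        Attr allowCreate = nameIdPolicy.getAttributeNode("AllowCreate");

        Assert.assertThat("AuthnRequest/NameIdPolicy Format should be present, but it is not", format, Matchers.notNullValue());
        Assert.assertThat("AuthnRequest/NameIdPolicy Format should be Transient, but it is not", format.getNodeValue(), Matchers.is(JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get()));
        Assert.assertThat("AuthnRequest/NameIdPolicy element shouldn't contain the AllowCreate attribute when Format is set to Transient, but it does", allowCreate, Matchers.nullValue());
    }
}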
