package org.keycloak.testsuite.adapter.servlet;

import java.io.File;
import java.lang.invoke.SerializedLambda;
import java.net.URL;
import java.util.LinkedList;
import java.util.List;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.Entity;
import javax.ws.rs.client.WebTarget;
import javax.ws.rs.core.Form;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.arquillian.container.test.api.OperateOnDeployment;
import org.jboss.arquillian.graphene.page.Page;
import org.jboss.arquillian.test.api.ArquillianResource;
import org.jboss.resteasy.client.jaxrs.ResteasyClient;
import org.jboss.shrinkwrap.api.spec.WebArchive;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.authorization.model.Policy;
import org.keycloak.common.Profile;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.models.ClientModel;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.IdentityProviderRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.representations.idm.authorization.ClientPolicyRepresentation;
import org.keycloak.representations.idm.authorization.DecisionStrategy;
import org.keycloak.services.resources.admin.permissions.AdminPermissionManagement;
import org.keycloak.services.resources.admin.permissions.AdminPermissions;
import org.keycloak.testsuite.ProfileAssume;
import org.keycloak.testsuite.adapter.AbstractServletsAdapterTest;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.arquillian.annotation.AppServerContainer;
import org.keycloak.testsuite.arquillian.annotation.AppServerContainers;
import org.keycloak.testsuite.arquillian.annotation.DisableFeature;
import org.keycloak.testsuite.arquillian.annotation.EnableFeature;
import org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected;
import org.keycloak.testsuite.broker.BrokerTestTools;
import org.keycloak.testsuite.page.AbstractPageWithInjectedUrl;
import org.keycloak.testsuite.pages.AccountUpdateProfilePage;
import org.keycloak.testsuite.pages.ErrorPage;
import org.keycloak.testsuite.pages.LoginPage;
import org.keycloak.testsuite.pages.LoginUpdateProfilePage;
import org.keycloak.testsuite.util.AdminClientUtil;
import org.keycloak.testsuite.util.ContainerAssume;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.WaitUtils;
import org.keycloak.util.BasicAuthHelper;

@AppServerContainers({@AppServerContainer("app-server-undertow"), @AppServerContainer("app-server-wildfly"), @AppServerContainer("app-server-wildfly-deprecated"), @AppServerContainer("app-server-eap"), @AppServerContainer("app-server-eap6"), @AppServerContainer("app-server-eap71")})
@EnableFeature(value = Profile.Feature.TOKEN_EXCHANGE, skipRestart = true)
/* loaded from: input_file:org/keycloak/testsuite/adapter/servlet/BrokerLinkAndTokenExchangeTest.class */
public class BrokerLinkAndTokenExchangeTest extends AbstractServletsAdapterTest {
    public static final String CHILD_IDP = "child";
    public static final String PARENT_IDP = "parent-idp";
    public static final String PARENT_USERNAME = "parent";
    public static final String PARENT2_USERNAME = "parent2";
    public static final String PARENT3_USERNAME = "parent3";
    public static final String UNAUTHORIZED_CHILD_CLIENT = "unauthorized-child-client";
    public static final String PARENT_CLIENT = "parent-client";

    @Page
    protected LoginUpdateProfilePage loginUpdateProfilePage;

    @Page
    protected AccountUpdateProfilePage profilePage;

    @Page
    private LoginPage loginPage;

    @Page
    protected ErrorPage errorPage;

    @Page
    private ClientApp appPage;
    private String childUserId = null;

    /* loaded from: input_file:org/keycloak/testsuite/adapter/servlet/BrokerLinkAndTokenExchangeTest$ClientApp.class */
    public static class ClientApp extends AbstractPageWithInjectedUrl {
        public static final String DEPLOYMENT_NAME = "exchange-linking";

        @ArquillianResource
        @OperateOnDeployment(DEPLOYMENT_NAME)
        private URL url;

        public URL getInjectedUrl() {
            return this.url;
        }
    }

    @BeforeClass
    public static void enabled() {
        ProfileAssume.assumeFeatureEnabled(Profile.Feature.AUTHORIZATION);
    }

    @Deployment(name = ClientApp.DEPLOYMENT_NAME)
    protected static WebArchive accountLink() {
        return servletDeployment(ClientApp.DEPLOYMENT_NAME, LinkAndExchangeServlet.class, ServletTestUtils.class);
    }

    @Override // org.keycloak.testsuite.AbstractAuthTest
    public void beforeAuthTest() {
    }

    @Override // org.keycloak.testsuite.adapter.AbstractServletsAdapterTest, org.keycloak.testsuite.adapter.AbstractAdapterTest
    public void addAdapterTestRealms(List<RealmRepresentation> list) {
        String str;
        RealmRepresentation realmRepresentation = new RealmRepresentation();
        realmRepresentation.setRealm("child");
        realmRepresentation.setEnabled(true);
        ClientRepresentation clientRepresentation = new ClientRepresentation();
        clientRepresentation.setClientId(ClientApp.DEPLOYMENT_NAME);
        clientRepresentation.setProtocol("openid-connect");
        str = "/exchange-linking";
        str = isRelative() ? "/exchange-linking" : this.appServerContextRootPage.toString() + str;
        clientRepresentation.setEnabled(true);
        clientRepresentation.setAdminUrl(str);
        clientRepresentation.setDirectAccessGrantsEnabled(true);
        clientRepresentation.setBaseUrl(str);
        clientRepresentation.setRedirectUris(new LinkedList());
        clientRepresentation.getRedirectUris().add(str + "/*");
        clientRepresentation.setSecret("password");
        clientRepresentation.setFullScopeAllowed(true);
        realmRepresentation.setClients(new LinkedList());
        realmRepresentation.getClients().add(clientRepresentation);
        ClientRepresentation clientRepresentation2 = new ClientRepresentation();
        clientRepresentation2.setEnabled(true);
        clientRepresentation2.setClientId(UNAUTHORIZED_CHILD_CLIENT);
        clientRepresentation2.setProtocol("openid-connect");
        clientRepresentation2.setDirectAccessGrantsEnabled(true);
        clientRepresentation2.setSecret("password");
        clientRepresentation2.setFullScopeAllowed(true);
        realmRepresentation.getClients().add(clientRepresentation2);
        list.add(realmRepresentation);
        RealmRepresentation realmRepresentation2 = new RealmRepresentation();
        realmRepresentation2.setRealm("parent-idp");
        realmRepresentation2.setEnabled(true);
        ClientRepresentation clientRepresentation3 = new ClientRepresentation();
        clientRepresentation3.setEnabled(true);
        clientRepresentation3.setClientId(PARENT_CLIENT);
        clientRepresentation3.setProtocol("openid-connect");
        clientRepresentation3.setDirectAccessGrantsEnabled(true);
        clientRepresentation3.setSecret("password");
        clientRepresentation3.setFullScopeAllowed(true);
        realmRepresentation2.setClients(new LinkedList());
        realmRepresentation2.getClients().add(clientRepresentation3);
        list.add(realmRepresentation2);
    }

    @Test
    @UncaughtServerErrorExpected
    @DisableFeature(value = Profile.Feature.TOKEN_EXCHANGE, skipRestart = true)
    public void testFeatureDisabled() throws Exception {
        checkFeature(Response.Status.NOT_IMPLEMENTED.getStatusCode());
    }

    @Test
    public void testFeatureEnabled() throws Exception {
        checkFeature(Response.Status.OK.getStatusCode());
    }

    @Before
    public void beforeTest() throws Exception {
        addIdpUser();
        addChildUser();
        createBroker();
    }

    public void addIdpUser() {
        RealmResource realm = this.adminClient.realms().realm("parent-idp");
        UserRepresentation userRepresentation = new UserRepresentation();
        userRepresentation.setUsername("parent");
        userRepresentation.setEnabled(true);
        ApiUtil.createUserAndResetPasswordWithAdminClient(realm, userRepresentation, "password");
        UserRepresentation userRepresentation2 = new UserRepresentation();
        userRepresentation2.setUsername(PARENT2_USERNAME);
        userRepresentation2.setEnabled(true);
        ApiUtil.createUserAndResetPasswordWithAdminClient(realm, userRepresentation2, "password");
        UserRepresentation userRepresentation3 = new UserRepresentation();
        userRepresentation3.setUsername(PARENT3_USERNAME);
        userRepresentation3.setFirstName("first name");
        userRepresentation3.setLastName("last name");
        userRepresentation3.setEmail("email");
        userRepresentation3.setEnabled(true);
        ApiUtil.createUserAndResetPasswordWithAdminClient(realm, userRepresentation3, "password");
    }

    public void addChildUser() {
        RealmResource realm = this.adminClient.realms().realm("child");
        UserRepresentation userRepresentation = new UserRepresentation();
        userRepresentation.setUsername("child");
        userRepresentation.setEnabled(true);
        this.childUserId = ApiUtil.createUserAndResetPasswordWithAdminClient(realm, userRepresentation, "password");
        UserRepresentation userRepresentation2 = new UserRepresentation();
        userRepresentation2.setUsername("child2");
        userRepresentation2.setEnabled(true);
        String createUserAndResetPasswordWithAdminClient = ApiUtil.createUserAndResetPasswordWithAdminClient(realm, userRepresentation2, "password");
        realm.roles().create(new RoleRepresentation("user", (String) null, false));
        RoleRepresentation representation = realm.roles().get("user").toRepresentation();
        LinkedList linkedList = new LinkedList();
        linkedList.add(representation);
        realm.users().get(this.childUserId).roles().realmLevel().add(linkedList);
        realm.users().get(createUserAndResetPasswordWithAdminClient).roles().realmLevel().add(linkedList);
        ClientRepresentation clientRepresentation = (ClientRepresentation) realm.clients().findByClientId("broker").get(0);
        RoleRepresentation representation2 = realm.clients().get(clientRepresentation.getId()).roles().get("read-token").toRepresentation();
        linkedList.clear();
        linkedList.add(representation2);
        realm.users().get(this.childUserId).roles().clientLevel(clientRepresentation.getId()).add(linkedList);
        realm.users().get(createUserAndResetPasswordWithAdminClient).roles().clientLevel(clientRepresentation.getId()).add(linkedList);
    }

    public static void setupRealm(KeycloakSession keycloakSession) {
        RealmModel realmByName = keycloakSession.realms().getRealmByName("child");
        ClientModel clientByClientId = realmByName.getClientByClientId(ClientApp.DEPLOYMENT_NAME);
        IdentityProviderModel identityProviderByAlias = realmByName.getIdentityProviderByAlias("parent-idp");
        Assert.assertNotNull(identityProviderByAlias);
        ClientModel addClient = realmByName.addClient("direct-exchanger");
        addClient.setClientId("direct-exchanger");
        addClient.setPublicClient(false);
        addClient.setDirectAccessGrantsEnabled(true);
        addClient.setEnabled(true);
        addClient.setSecret("secret");
        addClient.setProtocol("openid-connect");
        addClient.setFullScopeAllowed(false);
        AdminPermissionManagement management = AdminPermissions.management(keycloakSession, realmByName);
        management.idps().setPermissionsEnabled(identityProviderByAlias, true);
        ClientPolicyRepresentation clientPolicyRepresentation = new ClientPolicyRepresentation();
        clientPolicyRepresentation.setName("toIdp");
        clientPolicyRepresentation.addClient(new String[]{clientByClientId.getId()});
        clientPolicyRepresentation.addClient(new String[]{addClient.getId()});
        management.idps().exchangeToPermission(identityProviderByAlias).addAssociatedPolicy(management.authz().getStoreFactory().getPolicyStore().create(clientPolicyRepresentation, management.realmResourceServer()));
        ClientPolicyRepresentation clientPolicyRepresentation2 = new ClientPolicyRepresentation();
        clientPolicyRepresentation2.setName("clientImpersonators");
        clientPolicyRepresentation2.addClient(new String[]{addClient.getId()});
        Policy create = management.authz().getStoreFactory().getPolicyStore().create(clientPolicyRepresentation2, management.realmResourceServer());
        management.users().setPermissionsEnabled(true);
        management.users().adminImpersonatingPermission().addAssociatedPolicy(create);
        management.users().adminImpersonatingPermission().setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
    }

    public static void turnOffTokenStore(KeycloakSession keycloakSession) {
        RealmModel realmByName = keycloakSession.realms().getRealmByName("child");
        IdentityProviderModel identityProviderByAlias = realmByName.getIdentityProviderByAlias("parent-idp");
        identityProviderByAlias.setStoreToken(false);
        realmByName.updateIdentityProvider(identityProviderByAlias);
    }

    public static void turnOnTokenStore(KeycloakSession keycloakSession) {
        RealmModel realmByName = keycloakSession.realms().getRealmByName("child");
        IdentityProviderModel identityProviderByAlias = realmByName.getIdentityProviderByAlias("parent-idp");
        identityProviderByAlias.setStoreToken(true);
        realmByName.updateIdentityProvider(identityProviderByAlias);
    }

    public void createBroker() {
        createParentChild();
        this.testingClient.server().run(BrokerLinkAndTokenExchangeTest::setupRealm);
    }

    public void createParentChild() {
        BrokerTestTools.createKcOidcBroker(this.adminClient, "child", "parent-idp");
    }

    @Test
    @UncaughtServerErrorExpected
    public void testAccountLink() throws Exception {
        this.testingClient.server().run(BrokerLinkAndTokenExchangeTest::turnOnTokenStore);
        RealmResource realm = this.adminClient.realms().realm("child");
        Assert.assertTrue(realm.users().get(this.childUserId).getFederatedIdentity().isEmpty());
        UriBuilder path = UriBuilder.fromUri(this.appPage.getInjectedUrl().toString()).path("link");
        String uri = path.clone().queryParam("realm", new Object[]{"child"}).queryParam("provider", new Object[]{"parent-idp"}).build(new Object[0]).toString();
        System.out.println("linkUrl: " + uri);
        navigateTo(uri);
        Assert.assertTrue(this.loginPage.isCurrent("child"));
        Assert.assertTrue(this.driver.getPageSource().contains("parent-idp"));
        this.loginPage.login("child", "password");
        Assert.assertTrue(this.loginPage.isCurrent("parent-idp"));
        this.loginPage.login("parent", "password");
        System.out.println("After linking: " + this.driver.getCurrentUrl());
        System.out.println(this.driver.getPageSource());
        Assert.assertTrue(this.driver.getCurrentUrl().startsWith(path.toTemplate()));
        Assert.assertTrue(this.driver.getPageSource().contains("Account Linked"));
        Assert.assertTrue(this.driver.getPageSource().contains("Exchange token received"));
        Assert.assertFalse(realm.users().get(this.childUserId).getFederatedIdentity().isEmpty());
        String accessToken = this.oauth.doGrantAccessTokenRequest("child", "child", "password", (String) null, ClientApp.DEPLOYMENT_NAME, "password").getAccessToken();
        ResteasyClient createResteasyClient = AdminClientUtil.createResteasyClient();
        try {
            WebTarget childTokenExchangeWebTarget = childTokenExchangeWebTarget(createResteasyClient);
            System.out.println("Exchange url: " + childTokenExchangeWebTarget.getUri().toString());
            Response post = childTokenExchangeWebTarget.request().header("Authorization", BasicAuthHelper.createHeader(ClientApp.DEPLOYMENT_NAME, "password")).post(Entity.form(new Form().param("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange").param("subject_token", accessToken).param("subject_token_type", "urn:ietf:params:oauth:token-type:access_token").param("requested_issuer", "parent-idp")));
            Assert.assertEquals(200L, post.getStatus());
            AccessTokenResponse accessTokenResponse = (AccessTokenResponse) post.readEntity(AccessTokenResponse.class);
            post.close();
            String token = accessTokenResponse.getToken();
            Assert.assertNotNull(token);
            Assert.assertTrue(accessTokenResponse.getExpiresIn() > 0);
            setTimeOffset(((int) accessTokenResponse.getExpiresIn()) + 1);
            Response post2 = childTokenExchangeWebTarget.request().header("Authorization", BasicAuthHelper.createHeader(ClientApp.DEPLOYMENT_NAME, "password")).post(Entity.form(new Form().param("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange").param("subject_token", this.oauth.doGrantAccessTokenRequest("child", "child", "password", (String) null, ClientApp.DEPLOYMENT_NAME, "password").getAccessToken()).param("subject_token_type", "urn:ietf:params:oauth:token-type:access_token").param("requested_issuer", "parent-idp")));
            Assert.assertEquals(200L, post2.getStatus());
            AccessTokenResponse accessTokenResponse2 = (AccessTokenResponse) post2.readEntity(AccessTokenResponse.class);
            post2.close();
            Assert.assertNotEquals(token, accessTokenResponse2.getToken());
            Response post3 = childTokenExchangeWebTarget.request().header("Authorization", BasicAuthHelper.createHeader("direct-exchanger", "secret")).post(Entity.form(new Form().param("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange").param("requested_subject", "child").param("requested_issuer", "parent-idp")));
            Assert.assertEquals(200L, post3.getStatus());
            AccessTokenResponse accessTokenResponse3 = (AccessTokenResponse) post3.readEntity(AccessTokenResponse.class);
            post3.close();
            Assert.assertNotEquals(token, accessTokenResponse3.getToken());
            logoutAll();
            realm.users().get(this.childUserId).removeFederatedIdentity("parent-idp");
            Assert.assertTrue(realm.users().get(this.childUserId).getFederatedIdentity().isEmpty());
            createResteasyClient.close();
        } catch (Throwable th) {
            createResteasyClient.close();
            throw th;
        }
    }

    protected WebTarget childTokenExchangeWebTarget(Client client) {
        return client.target(OAuthClient.AUTH_SERVER_ROOT).path("/realms").path("child").path("protocol/openid-connect/token");
    }

    protected WebTarget childLogoutWebTarget(Client client) {
        return client.target(OAuthClient.AUTH_SERVER_ROOT).path("/realms").path("child").path("protocol/openid-connect/logout");
    }

    protected String parentJwksUrl() {
        return UriBuilder.fromUri(OAuthClient.AUTH_SERVER_ROOT).path("/realms").path("parent-idp").path("protocol/openid-connect").path(OIDCLoginProtocolService.class, "certs").build(new Object[0]).toString();
    }

    @Test
    @UncaughtServerErrorExpected
    public void testAccountLinkNoTokenStore() throws Exception {
        this.testingClient.server().run(BrokerLinkAndTokenExchangeTest::turnOffTokenStore);
        RealmResource realm = this.adminClient.realms().realm("child");
        Assert.assertTrue(realm.users().get(this.childUserId).getFederatedIdentity().isEmpty());
        UriBuilder path = UriBuilder.fromUri(this.appPage.getInjectedUrl().toString()).path("link");
        String uri = path.clone().queryParam("realm", new Object[]{"child"}).queryParam("provider", new Object[]{"parent-idp"}).build(new Object[0]).toString();
        System.out.println("linkUrl: " + uri);
        navigateTo(uri);
        Assert.assertTrue(this.loginPage.isCurrent("child"));
        Assert.assertTrue(this.driver.getPageSource().contains("parent-idp"));
        this.loginPage.login("child", "password");
        Assert.assertTrue(this.loginPage.isCurrent("parent-idp"));
        this.loginPage.login("parent", "password");
        System.out.println("After linking: " + this.driver.getCurrentUrl());
        System.out.println(this.driver.getPageSource());
        Assert.assertTrue(this.driver.getCurrentUrl().startsWith(path.toTemplate()));
        Assert.assertTrue(this.driver.getPageSource().contains("Account Linked"));
        Assert.assertTrue(this.driver.getPageSource().contains("Exchange token received"));
        Assert.assertFalse(realm.users().get(this.childUserId).getFederatedIdentity().isEmpty());
        logoutAll();
        realm.users().get(this.childUserId).removeFederatedIdentity("parent-idp");
        Assert.assertTrue(realm.users().get(this.childUserId).getFederatedIdentity().isEmpty());
    }

    @Test
    @UncaughtServerErrorExpected
    public void testExportImport() throws Exception {
        ContainerAssume.assumeNotAuthServerRemote();
        ContainerAssume.assumeNotAuthServerQuarkus();
        testExternalExchange();
        this.testingClient.testing().exportImport().setProvider("singleFile");
        this.testingClient.testing().exportImport().setFile(this.testingClient.testing().exportImport().getExportImportTestDirectory() + File.separator + "singleFile-full.json");
        this.testingClient.testing().exportImport().setAction("export");
        this.testingClient.testing().exportImport().setRealmName("child");
        this.testingClient.testing().exportImport().runExport();
        this.adminClient.realms().realm("child").remove();
        this.testingClient.testing().exportImport().setAction("import");
        this.testingClient.testing().exportImport().runImport();
        this.testingClient.testing().exportImport().clear();
        testExternalExchange();
    }

    @Test
    @UncaughtServerErrorExpected
    public void testExternalExchange() throws Exception {
        RealmResource realm = this.adminClient.realms().realm("child");
        String accessToken = this.oauth.doGrantAccessTokenRequest("parent-idp", PARENT2_USERNAME, "password", (String) null, PARENT_CLIENT, "password").getAccessToken();
        Assert.assertEquals(0L, this.adminClient.realm("child").getClientSessionStats().size());
        ResteasyClient createResteasyClient = AdminClientUtil.createResteasyClient();
        try {
            WebTarget childTokenExchangeWebTarget = childTokenExchangeWebTarget(createResteasyClient);
            System.out.println("Exchange url: " + childTokenExchangeWebTarget.getUri().toString());
            checkFeature(200);
            IdentityProviderRepresentation representation = this.adminClient.realm("child").identityProviders().get("parent-idp").toRepresentation();
            representation.getConfig().put("validateSignature", String.valueOf(true));
            representation.getConfig().put("useJwksUrl", String.valueOf(true));
            representation.getConfig().put("jwksUrl", parentJwksUrl());
            representation.getConfig().put("issuer", UriBuilder.fromUri(OAuthClient.AUTH_SERVER_ROOT).path("/realms").path("parent-idp").build(new Object[0]).toString());
            this.adminClient.realm("child").identityProviders().get("parent-idp").update(representation);
            Response post = childTokenExchangeWebTarget.request().header("Authorization", BasicAuthHelper.createHeader(ClientApp.DEPLOYMENT_NAME, "password")).post(Entity.form(new Form().param("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange").param("subject_token", accessToken).param("subject_token_type", "urn:ietf:params:oauth:token-type:jwt").param("subject_issuer", "parent-idp").param("scope", "openid")));
            Assert.assertEquals(200L, post.getStatus());
            AccessTokenResponse accessTokenResponse = (AccessTokenResponse) post.readEntity(AccessTokenResponse.class);
            String idToken = accessTokenResponse.getIdToken();
            AccessToken accessToken2 = (AccessToken) new JWSInput(accessTokenResponse.getToken()).readJsonContent(AccessToken.class);
            post.close();
            String subject = accessToken2.getSubject();
            String preferredUsername = accessToken2.getPreferredUsername();
            System.out.println("exchangedUserId: " + subject);
            System.out.println("exchangedUsername: " + preferredUsername);
            Response post2 = childTokenExchangeWebTarget.request().header("Authorization", BasicAuthHelper.createHeader(ClientApp.DEPLOYMENT_NAME, "password")).post(Entity.form(new Form().param("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange").param("subject_token", accessTokenResponse.getToken()).param("subject_token_type", "urn:ietf:params:oauth:token-type:access_token").param("requested_issuer", "parent-idp")));
            Assert.assertEquals(200L, post2.getStatus());
            Assert.assertEquals(accessToken, ((AccessTokenResponse) post2.readEntity(AccessTokenResponse.class)).getToken());
            post2.close();
            Assert.assertEquals(1L, this.adminClient.realm("child").getClientSessionStats().size());
            childLogoutWebTarget(createResteasyClient).queryParam("id_token_hint", new Object[]{idToken}).request().get().close();
            Assert.assertEquals(0L, this.adminClient.realm("child").getClientSessionStats().size());
            Assert.assertEquals(1L, realm.users().get(subject).getFederatedIdentity().size());
            Response post3 = childTokenExchangeWebTarget.request().header("Authorization", BasicAuthHelper.createHeader(ClientApp.DEPLOYMENT_NAME, "password")).post(Entity.form(new Form().param("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange").param("subject_token", accessToken).param("subject_token_type", "urn:ietf:params:oauth:token-type:jwt").param("subject_issuer", "parent-idp").param("scope", "openid")));
            Assert.assertEquals(200L, post3.getStatus());
            AccessTokenResponse accessTokenResponse2 = (AccessTokenResponse) post3.readEntity(AccessTokenResponse.class);
            String idToken2 = accessTokenResponse2.getIdToken();
            AccessToken accessToken3 = (AccessToken) new JWSInput(accessTokenResponse2.getToken()).readJsonContent(AccessToken.class);
            post3.close();
            String subject2 = accessToken3.getSubject();
            String preferredUsername2 = accessToken3.getPreferredUsername();
            Assert.assertEquals(subject, subject2);
            Assert.assertEquals(preferredUsername, preferredUsername2);
            childLogoutWebTarget(createResteasyClient).queryParam("id_token_hint", new Object[]{idToken2}).request().get().close();
            Assert.assertEquals(0L, this.adminClient.realm("child").getClientSessionStats().size());
            Assert.assertEquals(1L, realm.users().get(subject).getFederatedIdentity().size());
            Response post4 = childTokenExchangeWebTarget.request().header("Authorization", BasicAuthHelper.createHeader(ClientApp.DEPLOYMENT_NAME, "password")).post(Entity.form(new Form().param("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange").param("subject_token", accessToken).param("subject_token_type", "urn:ietf:params:oauth:token-type:jwt").param("scope", "openid")));
            Assert.assertEquals(200L, post4.getStatus());
            AccessTokenResponse accessTokenResponse3 = (AccessTokenResponse) post4.readEntity(AccessTokenResponse.class);
            String idToken3 = accessTokenResponse3.getIdToken();
            AccessToken accessToken4 = (AccessToken) new JWSInput(accessTokenResponse3.getToken()).readJsonContent(AccessToken.class);
            post4.close();
            String subject3 = accessToken4.getSubject();
            String preferredUsername3 = accessToken4.getPreferredUsername();
            Assert.assertEquals(subject, subject3);
            Assert.assertEquals(preferredUsername, preferredUsername3);
            childLogoutWebTarget(createResteasyClient).queryParam("id_token_hint", new Object[]{idToken3}).request().get().close();
            Assert.assertEquals(0L, this.adminClient.realm("child").getClientSessionStats().size());
            Assert.assertEquals(1L, realm.users().get(subject).getFederatedIdentity().size());
            realm.users().get(subject).remove();
            Assert.assertEquals(403L, childTokenExchangeWebTarget.request().header("Authorization", BasicAuthHelper.createHeader(UNAUTHORIZED_CHILD_CLIENT, "password")).post(Entity.form(new Form().param("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange").param("subject_token", accessToken).param("subject_token_type", "urn:ietf:params:oauth:token-type:jwt").param("subject_issuer", "parent-idp"))).getStatus());
            createResteasyClient.close();
        } catch (Throwable th) {
            createResteasyClient.close();
            throw th;
        }
    }

    @Test
    public void testExternalExchange_extractIdentityFromProfile() throws Exception {
        RealmResource realm = this.adminClient.realms().realm("child");
        String accessToken = this.oauth.doGrantAccessTokenRequest("parent-idp", PARENT3_USERNAME, "password", (String) null, PARENT_CLIENT, "password").getAccessToken();
        Assert.assertEquals(0L, this.adminClient.realm("child").getClientSessionStats().size());
        ResteasyClient createResteasyClient = AdminClientUtil.createResteasyClient();
        try {
            WebTarget childTokenExchangeWebTarget = childTokenExchangeWebTarget(createResteasyClient);
            IdentityProviderRepresentation representation = this.adminClient.realm("child").identityProviders().get("parent-idp").toRepresentation();
            representation.getConfig().put("validateSignature", String.valueOf(false));
            this.adminClient.realm("child").identityProviders().get("parent-idp").update(representation);
            Response post = childTokenExchangeWebTarget.request().header("Authorization", BasicAuthHelper.createHeader(ClientApp.DEPLOYMENT_NAME, "password")).post(Entity.form(new Form().param("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange").param("subject_token", accessToken).param("subject_token_type", "urn:ietf:params:oauth:token-type:jwt").param("subject_issuer", "parent-idp").param("scope", "openid")));
            Throwable th = null;
            try {
                try {
                    Assert.assertEquals(200L, post.getStatus());
                    AccessToken accessToken2 = (AccessToken) new JWSInput(((AccessTokenResponse) post.readEntity(AccessTokenResponse.class)).getToken()).readJsonContent(AccessToken.class);
                    if (post != null) {
                        if (0 != 0) {
                            try {
                                post.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            post.close();
                        }
                    }
                    Assert.assertNotNull(accessToken2);
                    Assert.assertNotNull(accessToken2.getSubject());
                    Assert.assertEquals(PARENT3_USERNAME, accessToken2.getPreferredUsername());
                    Assert.assertEquals("first name", accessToken2.getGivenName());
                    Assert.assertEquals("last name", accessToken2.getFamilyName());
                    Assert.assertEquals("email", accessToken2.getEmail());
                    realm.users().get(accessToken2.getSubject()).remove();
                    createResteasyClient.close();
                } finally {
                }
            } finally {
            }
        } catch (Throwable th3) {
            createResteasyClient.close();
            throw th3;
        }
    }

    public void logoutAll() {
        navigateTo(OIDCLoginProtocolService.logoutUrl(this.authServerPage.createUriBuilder()).build(new Object[]{"child"}).toString());
        navigateTo(OIDCLoginProtocolService.logoutUrl(this.authServerPage.createUriBuilder()).build(new Object[]{"parent-idp"}).toString());
    }

    private void navigateTo(String str) {
        this.driver.navigate().to(str);
        WaitUtils.waitForPageToLoad();
    }

    private void checkFeature(int i) throws Exception {
        String accessToken = this.oauth.doGrantAccessTokenRequest("parent-idp", PARENT2_USERNAME, "password", (String) null, PARENT_CLIENT, "password").getAccessToken();
        if (i != Response.Status.NOT_IMPLEMENTED.getStatusCode()) {
            Assert.assertEquals(0L, this.adminClient.realm("child").getClientSessionStats().size());
        }
        ResteasyClient createResteasyClient = AdminClientUtil.createResteasyClient();
        try {
            WebTarget childTokenExchangeWebTarget = childTokenExchangeWebTarget(createResteasyClient);
            IdentityProviderRepresentation representation = this.adminClient.realm("child").identityProviders().get("parent-idp").toRepresentation();
            representation.getConfig().put("validateSignature", String.valueOf(false));
            this.adminClient.realm("child").identityProviders().get("parent-idp").update(representation);
            Response post = childTokenExchangeWebTarget.request().header("Authorization", BasicAuthHelper.createHeader(ClientApp.DEPLOYMENT_NAME, "password")).post(Entity.form(new Form().param("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange").param("subject_token", accessToken).param("subject_token_type", "urn:ietf:params:oauth:token-type:jwt").param("subject_issuer", "parent-idp").param("scope", "openid")));
            Assert.assertEquals(i, post.getStatus());
            if (i != Response.Status.NOT_IMPLEMENTED.getStatusCode()) {
                String idToken = ((AccessTokenResponse) post.readEntity(AccessTokenResponse.class)).getIdToken();
                Assert.assertNotNull(idToken);
                post.close();
                Assert.assertEquals(1L, this.adminClient.realm("child").getClientSessionStats().size());
                childLogoutWebTarget(createResteasyClient).queryParam("id_token_hint", new Object[]{idToken}).request().get().close();
                Assert.assertEquals(0L, this.adminClient.realm("child").getClientSessionStats().size());
            }
        } finally {
            createResteasyClient.close();
        }
    }

    private static /* synthetic */ Object $deserializeLambda$(SerializedLambda serializedLambda) {
        String implMethodName = serializedLambda.getImplMethodName();
        boolean z = -1;
        switch (implMethodName.hashCode()) {
            case 784138948:
                if (implMethodName.equals("turnOnTokenStore")) {
                    z = true;
                    break;
                }
                break;
            case 808488890:
                if (implMethodName.equals("turnOffTokenStore")) {
                    z = 2;
                    break;
                }
                break;
            case 1058059794:
                if (implMethodName.equals("setupRealm")) {
                    z = false;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                if (serializedLambda.getImplMethodKind() == 6 && serializedLambda.getFunctionalInterfaceClass().equals("org/keycloak/testsuite/runonserver/RunOnServer") && serializedLambda.getFunctionalInterfaceMethodName().equals("run") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("(Lorg/keycloak/models/KeycloakSession;)V") && serializedLambda.getImplClass().equals("org/keycloak/testsuite/adapter/servlet/BrokerLinkAndTokenExchangeTest") && serializedLambda.getImplMethodSignature().equals("(Lorg/keycloak/models/KeycloakSession;)V")) {
                    return BrokerLinkAndTokenExchangeTest::setupRealm;
                }
                break;
            case true:
                if (serializedLambda.getImplMethodKind() == 6 && serializedLambda.getFunctionalInterfaceClass().equals("org/keycloak/testsuite/runonserver/RunOnServer") && serializedLambda.getFunctionalInterfaceMethodName().equals("run") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("(Lorg/keycloak/models/KeycloakSession;)V") && serializedLambda.getImplClass().equals("org/keycloak/testsuite/adapter/servlet/BrokerLinkAndTokenExchangeTest") && serializedLambda.getImplMethodSignature().equals("(Lorg/keycloak/models/KeycloakSession;)V")) {
                    return BrokerLinkAndTokenExchangeTest::turnOnTokenStore;
                }
                break;
            case true:
                if (serializedLambda.getImplMethodKind() == 6 && serializedLambda.getFunctionalInterfaceClass().equals("org/keycloak/testsuite/runonserver/RunOnServer") && serializedLambda.getFunctionalInterfaceMethodName().equals("run") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("(Lorg/keycloak/models/KeycloakSession;)V") && serializedLambda.getImplClass().equals("org/keycloak/testsuite/adapter/servlet/BrokerLinkAndTokenExchangeTest") && serializedLambda.getImplMethodSignature().equals("(Lorg/keycloak/models/KeycloakSession;)V")) {
                    return BrokerLinkAndTokenExchangeTest::turnOffTokenStore;
                }
                break;
        }
        throw new IllegalArgumentException("Invalid lambda deserialization");
    }
}
