package org.keycloak.testsuite.saml;

import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Set;
import java.util.stream.Collectors;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.keycloak.protocol.saml.mappers.RoleNameMapper;
import org.keycloak.representations.idm.ProtocolMapperRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder;
import org.keycloak.testsuite.broker.AbstractBrokerTest;
import org.keycloak.testsuite.updaters.ClientAttributeUpdater;
import org.keycloak.testsuite.updaters.ProtocolMappersUpdater;
import org.keycloak.testsuite.updaters.RoleScopeUpdater;
import org.keycloak.testsuite.updaters.UserAttributeUpdater;
import org.keycloak.testsuite.util.Matchers;
import org.keycloak.testsuite.util.SamlClient;
import org.keycloak.testsuite.util.SamlClientBuilder;
import org.keycloak.testsuite.util.SamlStreams;
import org.keycloak.testsuite.util.ServerURLs;

/* loaded from: input_file:org/keycloak/testsuite/saml/RoleMapperTest.class */
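/**
 * Integration tests for the SAML role list and role name protocol mappers on the
 * {@code employee2} client.
 *
 * <p>Each test installs a set of protocol mappers, performs a POST-binding login as
 * {@code bburkeUser} and compares the values of the {@value #ROLE_ATTRIBUTE_NAME} attribute in
 * the returned assertion with an exact expected set. The role values in an assertion are what a
 * service provider typically bases authorization on, so the comparison is deliberately an
 * exact-set match: an unexpected extra role fails a test just like a missing one.
 *
 * <p>Several fixtures contain dots in client ids and role names ({@code .empl.oyee},
 * {@code role.with.dots}). NOTE(review): presumably the role name mapper addresses client roles as
 * {@code <clientId>.<roleName>}, which makes dotted names the ambiguous case worth pinning —
 * confirm against {@link RoleNameMapper}.
 */
public class RoleMapperTest extends AbstractSamlTest {
    /** Name of the SAML attribute that the role list mapper is configured to emit. */
    public static final String ROLE_ATTRIBUTE_NAME = "Role";

    /** Assertion consumer URL used in the AuthnRequest for the employee2 client. */
    public static final String SAML_ASSERTION_CONSUMER_URL_EMPLOYEE_2 = ServerURLs.AUTH_SERVER_SCHEME + "://localhost:" + (ServerURLs.AUTH_SERVER_SSL_REQUIRED ? ServerURLs.AUTH_SERVER_PORT : 8080) + "/employee2/";

    // Updaters created in @Before; closing them in @After reverts the client to its prior state.
    private ClientAttributeUpdater cau;
    private ProtocolMappersUpdater pmu;

    // Suffix source that keeps generated mapper names unique within one JVM run.
    private static int COUNTER = 1;

    /**
     * Strips the default client scopes and all protocol mappers from the employee2 client so that
     * every test starts from a client that emits only what the test itself configures.
     */
    @Before
    public void cleanMappersAndScopes() {
        this.cau = ClientAttributeUpdater.forClient(this.adminClient, AbstractSamlTest.REALM_NAME, AbstractSamlTest.SAML_CLIENT_ID_EMPLOYEE_2)
                .setDefaultClientScopes(Collections.emptyList())
                .update();
        this.pmu = this.cau.protocolMappers().clear().update();
    }

    /**
     * Reverts the changes made by {@link #cleanMappersAndScopes()} and by the test.
     *
     * <p>The client updater is closed in a {@code finally} block so that a failure while
     * restoring the mappers cannot leave the client with a modified id or scopes for later tests.
     * The null checks cover the case where the {@code @Before} method failed part-way.
     *
     * @throws IOException if closing an updater fails
     */
    @After
    public void revertCleanMappersAndScopes() throws IOException {
        try {
            if (this.pmu != null) {
                this.pmu.close();
            }
        } finally {
            if (this.cau != null) {
                this.cau.close();
            }
        }
    }

    /**
     * Builds a SAML protocol mapper representation with a unique name.
     *
     * @param str    protocol mapper id; also used as the prefix of the generated name
     * @param strArr configuration as alternating key and value entries; a trailing key that has
     *               no value is ignored
     * @return the new mapper representation, named {@code <str>-<counter>}
     */
    public static ProtocolMapperRepresentation createSamlProtocolMapper(String str, String... strArr) {
        ProtocolMapperRepresentation mapper = new ProtocolMapperRepresentation();
        mapper.setProtocol("saml");
        mapper.setName(str + "-" + (COUNTER++));
        mapper.setProtocolMapper(str);

        HashMap<String, String> config = new HashMap<>();
        // Stop one short of the end so an unpaired trailing key never reads past the array.
        for (int i = 0; i < strArr.length - 1; i += 2) {
            config.put(strArr[i], strArr[i + 1]);
        }
        mapper.setConfig(config);
        return mapper;
    }

    /**
     * Renames a client role whose client id and role name both contain dots and checks that only
     * that role is renamed in the single-attribute role list.
     */
    @Test
    public void singleRoleMapper() throws Exception {
        // The client id itself ends in ".empl.oyee"; the mapper below targets
        // "<that client id>.empl.oyee" and maps it to "blah".
        this.cau.setClientId("http://localhost:8280/employee2/.empl.oyee").update();
        this.pmu.add(new ProtocolMapperRepresentation[]{
            createSamlProtocolMapper("saml-role-list-mapper", "attribute.name", ROLE_ATTRIBUTE_NAME, "attribute.nameformat", "Basic", "single", "true"),
            createSamlProtocolMapper("saml-role-name-mapper", "role", "http://localhost:8280/employee2/.empl.oyee.empl.oyee", RoleNameMapper.NEW_ROLE_NAME, "blah")
        }).update();
        testExpectedRoles("http://localhost:8280/employee2/.empl.oyee", "user", AbstractBrokerTest.ROLE_MANAGER, "blah", "employee");
    }

    /** Checks that a realm role containing dots is emitted under its own name when not remapped. */
    @Test
    public void singleRealmRoleWithDots() throws Exception {
        this.pmu.add(new ProtocolMapperRepresentation[]{
            createSamlProtocolMapper("saml-role-list-mapper", "attribute.name", ROLE_ATTRIBUTE_NAME, "attribute.nameformat", "Basic", "single", "true")
        }).update();
        assertRolesWithDottedRealmRole(AbstractBrokerTest.ROLE_MANAGER, "role.with.dots", "empl.oyee", "employee");
    }

    /**
     * Checks that a realm role containing dots can be renamed by the role name mapper without
     * affecting the dotted client role {@code empl.oyee}.
     */
    @Test
    public void singleRealmRoleWithDotsRemapped() throws Exception {
        this.pmu.add(new ProtocolMapperRepresentation[]{
            createSamlProtocolMapper("saml-role-list-mapper", "attribute.name", ROLE_ATTRIBUTE_NAME, "attribute.nameformat", "Basic", "single", "true"),
            createSamlProtocolMapper("saml-role-name-mapper", "role", "role.with.dots", RoleNameMapper.NEW_ROLE_NAME, "blahWithDots")
        }).update();
        assertRolesWithDottedRealmRole(AbstractBrokerTest.ROLE_MANAGER, "blahWithDots", "empl.oyee", "employee");
    }

    /** Checks the role list emitted as a single attribute when no role is renamed. */
    @Test
    public void defaultRoleMapperSingleAttribute() throws Exception {
        this.pmu.add(new ProtocolMapperRepresentation[]{
            createSamlProtocolMapper("saml-role-list-mapper", "attribute.name", ROLE_ATTRIBUTE_NAME, "attribute.nameformat", "Basic", "single", "true")
        }).update();
        testExpectedRoles(AbstractSamlTest.SAML_CLIENT_ID_EMPLOYEE_2, "user", AbstractBrokerTest.ROLE_MANAGER, "empl.oyee", "employee");
    }

    /** Checks that the same set of roles is emitted when the mapper's "single" option is off. */
    @Test
    public void defaultRoleMapperMultipleAttributes() throws Exception {
        this.pmu.add(new ProtocolMapperRepresentation[]{
            createSamlProtocolMapper("saml-role-list-mapper", "attribute.name", ROLE_ATTRIBUTE_NAME, "attribute.nameformat", "Basic", "single", "false")
        }).update();
        testExpectedRoles(AbstractSamlTest.SAML_CLIENT_ID_EMPLOYEE_2, "user", AbstractBrokerTest.ROLE_MANAGER, "empl.oyee", "employee");
    }

    /**
     * Checks that no role values are disclosed in the assertion when the client has no role
     * mapper configured.
     */
    @Test
    public void noRoleMappers() throws Exception {
        testExpectedRoles(AbstractSamlTest.SAML_CLIENT_ID_EMPLOYEE_2, new String[0]);
    }

    /**
     * Logs in through the POST binding as {@code bburkeUser} and asserts the role values found in
     * the response.
     *
     * @param str    issuer (client id) placed in the AuthnRequest
     * @param strArr exact set of values expected in the {@value #ROLE_ATTRIBUTE_NAME} attribute(s);
     *               an empty array asserts that no role value is present
     */
    public void testExpectedRoles(String str, String... strArr) {
        SAMLDocumentHolder samlResponse = new SamlClientBuilder()
                .authnRequest(getAuthServerSamlEndpoint(AbstractSamlTest.REALM_NAME), str, SAML_ASSERTION_CONSUMER_URL_EMPLOYEE_2, SamlClient.Binding.POST).build()
                .login().user(this.bburkeUser).build()
                .getSamlResponse(SamlClient.Binding.POST);
        Assert.assertThat(samlResponse.getSamlObject(), Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));

        // Collect the values of every attribute named ROLE_ATTRIBUTE_NAME, so the result is the
        // same whether the roles arrive in one attribute or in several.
        Set<String> actualRoles = SamlStreams.attributesUnecrypted(SamlStreams.attributeStatements(SamlStreams.assertionsUnencrypted(samlResponse.getSamlObject())))
                .filter(attribute -> attribute.getName().equals(ROLE_ATTRIBUTE_NAME))
                .flatMap(attribute -> attribute.getAttributeValue().stream())
                .map(Object::toString)
                .collect(Collectors.toSet());
        Assert.assertThat(actualRoles, org.hamcrest.Matchers.containsInAnyOrder(strArr));
    }

    /**
     * Temporarily replaces the realm role {@code user} of {@code bburkeUser} with
     * {@code role.with.dots}, asserts the emitted roles and restores the user afterwards.
     *
     * <p>Both updaters are managed by try-with-resources, so the role scope change and the user
     * change are rolled back, in that order, even when the assertion fails.
     */
    private void assertRolesWithDottedRealmRole(String... expectedRoles) throws Exception {
        RoleRepresentation dottedRole = realmsResouce().realm(AbstractSamlTest.REALM_NAME).roles().get("role.with.dots").toRepresentation();
        try (UserAttributeUpdater userUpdater = UserAttributeUpdater.forUserByUsername(this.adminClient, AbstractSamlTest.REALM_NAME, this.bburkeUser.getUsername()).update();
             RoleScopeUpdater roleScopeUpdater = userUpdater.realmRoleScope().removeByName("user").add(dottedRole).update()) {
            testExpectedRoles(AbstractSamlTest.SAML_CLIENT_ID_EMPLOYEE_2, expectedRoles);
        }
    }
}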
