package org.keycloak.testsuite.forms;

import java.lang.invoke.SerializedLambda;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.ws.rs.BadRequestException;
import org.jboss.arquillian.graphene.page.Page;
import org.junit.Assert;
import org.junit.Test;
import org.keycloak.common.Profile;
import org.keycloak.common.util.Base64;
import org.keycloak.credential.CredentialModel;
import org.keycloak.credential.hash.Pbkdf2PasswordHashProvider;
import org.keycloak.models.RealmModel;
import org.keycloak.models.credential.PasswordCredentialModel;
import org.keycloak.representations.idm.ErrorRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.testsuite.AbstractTestRealmKeycloakTest;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.arquillian.annotation.DisableFeature;
import org.keycloak.testsuite.pages.AccountUpdateProfilePage;
import org.keycloak.testsuite.pages.LoginPage;
import org.keycloak.testsuite.util.UserBuilder;

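/**
 * Browser-driven tests for how the realm password policy controls the stored password hash.
 *
 * <p>Each test sets a policy string on the test realm ({@code hashAlgorithm(...)},
 * {@code hashIterations(...)}), creates a user, optionally logs in, and then inspects the
 * stored {@link PasswordCredentialModel}. The expected hash is recomputed locally with
 * {@link SecretKeyFactory} so the stored value is checked against an independent derivation.
 *
 * <p>Security-relevant behaviour pinned by these tests: a login re-hashes the stored password
 * to whatever the current policy says, in either direction. The tests move a credential from
 * {@code pbkdf2-sha256} to {@code pbkdf2} (HMAC-SHA1) and from 10000 iterations to 1, so a
 * weakened realm policy replaces stronger stored hashes as users log in.
 *
 * <p>NOTE(review): no test asserts that the login itself succeeded; the outcome is inferred
 * only from the stored credential. For the "not rehashed" case a failed login would leave the
 * credential untouched and the assertions would still pass.
 */
@AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
/* loaded from: input_file:org/keycloak/testsuite/forms/PasswordHashingTest.class */
public class PasswordHashingTest extends AbstractTestRealmKeycloakTest {

    /** Derived key length, in bits, used when recomputing the expected hash in {@link #assertEncoded}. */
    private static final int DERIVED_KEY_SIZE_BITS = 512;

    @Page
    private AccountUpdateProfilePage updateProfilePage;

    @Page
    protected LoginPage loginPage;

    /** No realm customisation is needed; each test sets its own password policy. */
    @Override // org.keycloak.testsuite.AbstractTestRealmKeycloakTest
    public void configureTestRealm(RealmRepresentation realmRepresentation) {
    }

    /** An unknown hash provider name in the policy must be rejected with a 400 and a specific message. */
    @Test
    public void testSetInvalidProvider() throws Exception {
        try {
            setPasswordPolicy("hashAlgorithm(nosuch)");
            Assert.fail("Expected error");
        } catch (BadRequestException e) {
            ErrorRepresentation error = e.getResponse().readEntity(ErrorRepresentation.class);
            Assert.assertEquals("Invalid config for hashAlgorithm: Password hashing provider not found", error.getErrorMessage());
        }
    }

    /**
     * Changing {@code hashAlgorithm} in the policy causes the stored hash to be replaced on the
     * next login. The iteration count of 1 keeps both derivations cheap.
     */
    @Test
    public void testPasswordRehashedOnAlgorithmChanged() throws Exception {
        String username = "testPasswordRehashedOnAlgorithmChanged";
        setPasswordPolicy("hashAlgorithm(pbkdf2-sha256) and hashIterations(1)");
        createUser(username);
        PasswordCredentialModel before = fetchPasswordCredential(username);
        Assert.assertEquals("pbkdf2-sha256", before.getPasswordCredentialData().getAlgorithm());
        assertEncoded(before, "password", before.getPasswordSecretData().getSalt(), "PBKDF2WithHmacSHA256", 1);

        // The policy now names the HMAC-SHA1 provider; the login below is what triggers the re-hash.
        setPasswordPolicy("hashAlgorithm(pbkdf2) and hashIterations(1)");
        this.loginPage.open();
        this.loginPage.login(username, "password");
        PasswordCredentialModel after = fetchPasswordCredential(username);
        Assert.assertEquals("pbkdf2", after.getPasswordCredentialData().getAlgorithm());
        assertEncoded(after, "password", after.getPasswordSecretData().getSalt(), "PBKDF2WithHmacSHA1", 1);
    }

    /**
     * Changing {@code hashIterations} causes a re-hash on the next login. The test lowers the
     * count from 10000 to 1, so it also shows that the re-hash follows a weaker policy.
     */
    @Test
    public void testPasswordRehashedOnIterationsChanged() throws Exception {
        String username = "testPasswordRehashedOnIterationsChanged";
        setPasswordPolicy("hashIterations(10000)");
        createUser(username);
        Assert.assertEquals(10000L, fetchPasswordCredential(username).getPasswordCredentialData().getHashIterations());

        setPasswordPolicy("hashIterations(1)");
        this.loginPage.open();
        this.loginPage.login(username, "password");
        PasswordCredentialModel after = fetchPasswordCredential(username);
        Assert.assertEquals(1L, after.getPasswordCredentialData().getHashIterations());
        assertEncoded(after, "password", after.getPasswordSecretData().getSalt(), "PBKDF2WithHmacSHA256", 1);
    }

    /**
     * A policy that still resolves to the same iteration count must not touch the credential:
     * its id and salt stay the same across logins.
     */
    @Test
    @DisableFeature(value = Profile.Feature.ACCOUNT2, skipRestart = true)
    public void testPasswordNotRehasedUnchangedIterations() {
        String username = "testPasswordNotRehasedUnchangedIterations";
        setPasswordPolicy("");
        createUser(username);
        PasswordCredentialModel original = fetchPasswordCredential(username);
        String originalId = original.getId();
        byte[] originalSalt = original.getPasswordSecretData().getSalt();

        // "hashIterations" without a value: expected to leave the effective count unchanged.
        setPasswordPolicy("hashIterations");
        this.loginPage.open();
        this.loginPage.login(username, "password");
        // NOTE(review): nothing here confirms the login succeeded; a failed login would also
        // leave id and salt unchanged.
        PasswordCredentialModel afterFirstLogin = fetchPasswordCredential(username);
        Assert.assertEquals(originalId, afterFirstLogin.getId());
        Assert.assertArrayEquals(originalSalt, afterFirstLogin.getPasswordSecretData().getSalt());

        // 27500 is the count testDefault expects for an empty policy, so this is still "unchanged".
        setPasswordPolicy("hashIterations(27500)");
        this.updateProfilePage.open();
        this.updateProfilePage.logout();
        this.loginPage.open();
        this.loginPage.login(username, "password");
        PasswordCredentialModel afterSecondLogin = fetchPasswordCredential(username);
        Assert.assertEquals(originalId, afterSecondLogin.getId());
        Assert.assertArrayEquals(originalSalt, afterSecondLogin.getPasswordSecretData().getSalt());
    }

    /**
     * A credential hashed with a different derived key size than the server uses is re-hashed
     * on login; the stored value afterwards is twice as long as the imported one.
     */
    @Test
    public void testPasswordRehashedWhenCredentialImportedWithDifferentKeySize() {
        String username = "testPasswordRehashedWhenCredentialImportedWithDifferentKeySize";
        setPasswordPolicy("hashAlgorithm(pbkdf2-sha512) and hashIterations(30000)");

        // Fourth constructor argument 256: presumably the derived key size in bits, per the
        // test name — confirm against Pbkdf2PasswordHashProvider.
        Pbkdf2PasswordHashProvider importProvider = new Pbkdf2PasswordHashProvider("pbkdf2-sha512", "PBKDF2WithHmacSHA512", 30000, 256);
        // The decompiler lost this local (it referenced it as an undeclared `r0`); the length
        // assertion below needs the encoded value, so it is named explicitly here.
        String encodedPassword = importProvider.encode("password", -1);
        ApiUtil.createUserWithAdminClient(this.adminClient.realm("test"), UserBuilder.create().username(username).password(encodedPassword).build());

        this.loginPage.open();
        this.loginPage.login(username, "password");

        // NOTE(review): the doubling assumes both strings are Base64 of the raw derived key
        // (32 bytes -> 44 chars, 64 bytes -> 88 chars) — confirm.
        Assert.assertEquals(encodedPassword.length() * 2, fetchPasswordCredential(username).getPasswordSecretData().getValue().length());
    }

    /** {@code hashAlgorithm(pbkdf2)} stores a PBKDF2-HMAC-SHA1 hash with 20000 iterations. */
    @Test
    public void testPbkdf2Sha1() throws Exception {
        String username = "testPbkdf2Sha1";
        setPasswordPolicy("hashAlgorithm(pbkdf2)");
        createUser(username);
        PasswordCredentialModel credential = fetchPasswordCredential(username);
        assertEncoded(credential, "password", credential.getPasswordSecretData().getSalt(), "PBKDF2WithHmacSHA1", 20000);
    }

    /** An empty policy stores a PBKDF2-HMAC-SHA256 hash with 27500 iterations. */
    @Test
    public void testDefault() throws Exception {
        String username = "testDefault";
        setPasswordPolicy("");
        createUser(username);
        PasswordCredentialModel credential = fetchPasswordCredential(username);
        assertEncoded(credential, "password", credential.getPasswordSecretData().getSalt(), "PBKDF2WithHmacSHA256", 27500);
    }

    /** {@code hashAlgorithm(pbkdf2-sha256)} stores a PBKDF2-HMAC-SHA256 hash with 27500 iterations. */
    @Test
    public void testPbkdf2Sha256() throws Exception {
        String username = "testPbkdf2Sha256";
        setPasswordPolicy("hashAlgorithm(pbkdf2-sha256)");
        createUser(username);
        PasswordCredentialModel credential = fetchPasswordCredential(username);
        assertEncoded(credential, "password", credential.getPasswordSecretData().getSalt(), "PBKDF2WithHmacSHA256", 27500);
    }

    /** {@code hashAlgorithm(pbkdf2-sha512)} stores a PBKDF2-HMAC-SHA512 hash with 30000 iterations. */
    @Test
    public void testPbkdf2Sha512() throws Exception {
        String username = "testPbkdf2Sha512";
        setPasswordPolicy("hashAlgorithm(pbkdf2-sha512)");
        createUser(username);
        PasswordCredentialModel credential = fetchPasswordCredential(username);
        assertEncoded(credential, "password", credential.getPasswordSecretData().getSalt(), "PBKDF2WithHmacSHA512", 30000);
    }

    /** Creates a user in realm "test" through the admin client and sets its password to "password". */
    private void createUser(String username) {
        ApiUtil.createUserAndResetPasswordWithAdminClient(this.adminClient.realm("test"), UserBuilder.create().username(username).build(), "password");
    }

    /** Replaces the test realm's password policy string and pushes the update to the server. */
    private void setPasswordPolicy(String policy) {
        RealmRepresentation representation = testRealm().toRepresentation();
        representation.setPasswordPolicy(policy);
        testRealm().update(representation);
    }

    /**
     * Fetches the user's stored password credential and fails with a readable message when
     * there is none, instead of letting a {@code null} reach the model conversion.
     */
    private PasswordCredentialModel fetchPasswordCredential(String username) {
        CredentialModel stored = fetchCredentials(username);
        Assert.assertNotNull("No stored password credential for user " + username, stored);
        return PasswordCredentialModel.createFromCredentialModel(stored);
    }

    /**
     * Returns the first stored credential of type "password" for the user, or {@code null}
     * when the stream is empty.
     *
     * <p>The lambda is serializable: the decompiled class carried a compiler-synthesized
     * {@code $deserializeLambda$} for it (functional interface
     * {@code org/keycloak/testsuite/runonserver/FetchOnServer}). That method is not reproduced
     * in this source because the compiler regenerates it and the decompiled text
     * ({@code boolean z = -1}, {@code switch} on a boolean) is not valid Java.
     */
    private CredentialModel fetchCredentials(String username) {
        return (CredentialModel) this.testingClient.server("test").fetch(keycloakSession -> {
            RealmModel realm = keycloakSession.getContext().getRealm();
            return keycloakSession.userCredentialManager().getStoredCredentialsByTypeStream(realm, keycloakSession.users().getUserByUsername(realm, username), "password").findFirst().orElse(null);
        }, CredentialModel.class);
    }

    /**
     * Recomputes the PBKDF2 hash locally and compares its Base64 form with the stored value.
     *
     * @param credential stored credential under test
     * @param password   clear-text password the user was created with
     * @param salt       salt read back from the stored credential
     * @param algorithm  JCA {@link SecretKeyFactory} algorithm name, e.g. {@code PBKDF2WithHmacSHA256}
     * @param iterations expected iteration count
     * @throws Exception if the algorithm is unavailable or key derivation fails
     */
    private void assertEncoded(PasswordCredentialModel credential, String password, byte[] salt, String algorithm, int iterations) throws Exception {
        PBEKeySpec keySpec = new PBEKeySpec(password.toCharArray(), salt, iterations, DERIVED_KEY_SIZE_BITS);
        byte[] derivedKey = SecretKeyFactory.getInstance(algorithm).generateSecret(keySpec).getEncoded();
        Assert.assertEquals(Base64.encodeBytes(derivedKey), credential.getPasswordSecretData().getValue());
    }
}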
