package org.keycloak.testsuite.x509;

import javax.ws.rs.core.Response;
import org.hamcrest.Matchers;
import org.jboss.arquillian.drone.api.annotation.Drone;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.ProfileAssume;
import org.keycloak.testsuite.pages.AppPage;
import org.keycloak.testsuite.util.DroneUtils;
import org.keycloak.testsuite.util.PhantomJSBrowser;
import org.openqa.selenium.WebDriver;

/* loaded from: input_file:org/keycloak/testsuite/x509/X509BrowserLoginTest.class */
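/**
 * Browser-flow tests for X.509 client-certificate login.
 *
 * <p>Each test installs an authenticator configuration under the alias
 * {@code x509-browser-config} on the browser execution (or deliberately installs
 * none), drives the login pages through the PhantomJS driver, and checks the
 * resulting page state and login events.
 *
 * <p>The client certificate presented by the browser is not configured in this
 * class. NOTE(review): presumably it is provisioned by the PhantomJS driver setup
 * or the base class; the expected subject, issuer, serial number and thumbprint
 * values below depend on that certificate, so confirm them against it.
 */
public class X509BrowserLoginTest extends AbstractX509AuthenticationTest {

    /** Alias under which every test registers its X.509 authenticator config. */
    private static final String BROWSER_CONFIG_ALIAS = "x509-browser-config";

    /** Issuer DN the serial-number/issuer mapping tests expect on the client certificate. */
    private static final String ISSUER_DN =
            "EMAILADDRESS=contact@keycloak.org, CN=Keycloak Intermediate CA, OU=Keycloak, O=Red Hat, ST=MA, C=US";

    @Drone
    @PhantomJSBrowser
    private WebDriver phantomJS;

    /** Swaps the suite's default web driver for the injected PhantomJS driver before each test. */
    @Before
    public void replaceTheDefaultDriver() {
        replaceDefaultWebDriver(phantomJS);
    }

    /** Registers {@code model} as the browser execution's X.509 config and checks it was created. */
    private void applyBrowserX509Config(X509AuthenticatorConfigModel model) {
        Assert.assertNotNull(
                createConfig(browserExecution.getId(), newConfig(BROWSER_CONFIG_ALIAS, model.getConfig())));
    }

    /**
     * Builds a config that extracts the {@code O=} component of the subject DN and looks the
     * user up by the {@code x509_certificate_identity} attribute, with the confirmation page on.
     */
    private X509AuthenticatorConfigModel subjectOrganizationToAttributeConfig() {
        return new X509AuthenticatorConfigModel()
                .setConfirmationPageAllowed(true)
                .setMappingSourceType(X509AuthenticatorConfigModel.MappingSourceType.SUBJECTDN)
                .setRegularExpression("O=(.*?)(?:,|$)")
                .setCustomAttributeName("x509_certificate_identity")
                .setUserIdentityMapperType(X509AuthenticatorConfigModel.IdentityMapperType.USER_ATTRIBUTE);
    }

    /** Asserts the app page received an auth response carrying an authorization {@code code}. */
    private void assertAuthCodeResponse() {
        Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
        Assert.assertNotNull(oauth.getCurrentQuery().get("code"));
    }

    /**
     * Logs the default test user in through the username/password form and asserts the
     * login succeeded and produced the matching login event.
     */
    private void loginWithPasswordExpectingSuccess() {
        loginPage.login(AssertEvents.DEFAULT_USERNAME, "password");
        assertAuthCodeResponse();
        events.expectLogin()
                .user(userId)
                .detail("username", AssertEvents.DEFAULT_USERNAME)
                .removeDetail("redirect_uri")
                .assertEvent();
    }

    /** Certificate subject e-mail is mapped to the user's username or e-mail. */
    @Test
    public void loginAsUserFromCertSubjectEmail() throws Exception {
        x509BrowserLogin(
                createLoginSubjectEmail2UsernameOrEmailConfig(),
                userId,
                AssertEvents.DEFAULT_USERNAME,
                AssertEvents.DEFAULT_USERNAME);
    }

    /**
     * A mapping regex that cannot match must not resolve any identity: the login event
     * carries {@code invalid_user_credentials} with no user and no session.
     */
    @Test
    public void loginWithNonMatchingRegex() throws Exception {
        X509AuthenticatorConfigModel config = createLoginIssuerDN_OU2CustomAttributeConfig();
        config.setRegularExpression("INVALID=(.*?)(?:,|$)");
        applyBrowserX509Config(config);

        loginConfirmationPage.open();

        events.expectLogin()
                .user((String) null)
                .session((String) null)
                .error("invalid_user_credentials")
                .removeDetail("consent")
                .removeDetail("redirect_uri")
                .assertEvent();
    }

    /** Requiring the {@code dataEncipherment} key-usage bit makes certificate validation fail. */
    @Test
    public void loginWithNonSupportedCertKeyUsage() throws Exception {
        applyBrowserX509Config(createLoginSubjectEmailWithKeyUsage("dataEncipherment"));

        loginConfirmationPage.open();

        Assert.assertThat(
                loginPage.getError(),
                Matchers.containsString(
                        "Certificate validation's failed.\nKey Usage bit 'dataEncipherment' is not set."));
    }

    /**
     * Runs the standard certificate login with a config that names the {@code serverAuth}
     * extended key usage.
     *
     * <p>NOTE(review): the name says "non supported", yet the call passes the same
     * expectations as {@link #loginAsUserFromCertSubjectEmail()}. If {@code x509BrowserLogin}
     * asserts a successful login, this test does not show that a certificate lacking the
     * required extended key usage is rejected - confirm the intended expectation and add a
     * negative assertion if rejection is what should be verified.
     */
    @Test
    public void loginWithNonSupportedCertExtendedKeyUsage() throws Exception {
        x509BrowserLogin(
                createLoginSubjectEmailWithExtendedKeyUsage("serverAuth"),
                userId,
                AssertEvents.DEFAULT_USERNAME,
                AssertEvents.DEFAULT_USERNAME);
    }

    /**
     * The confirmation page shows the identity taken from the certificate; choosing "ignore"
     * falls back to the password form, which then logs the user in normally.
     */
    @Test
    public void loginIgnoreX509IdentityContinueToFormLogin() throws Exception {
        applyBrowserX509Config(createLoginSubjectEmail2UsernameOrEmailConfig());

        loginConfirmationPage.open();
        Assert.assertTrue(
                loginConfirmationPage.getSubjectDistinguishedNameText()
                        .startsWith("EMAILADDRESS=test-user@localhost"));
        Assert.assertEquals(AssertEvents.DEFAULT_USERNAME, loginConfirmationPage.getUsernameText());

        loginConfirmationPage.ignore();
        loginWithPasswordExpectingSuccess();
    }

    /** Certificate subject CN is mapped to the user's username or e-mail. */
    @Test
    public void loginAsUserFromCertSubjectCN() {
        x509BrowserLogin(
                createLoginSubjectCN2UsernameOrEmailConfig(),
                userId,
                AssertEvents.DEFAULT_USERNAME,
                AssertEvents.DEFAULT_USERNAME);
    }

    /** Decimal serial number plus issuer DN are matched against two user attributes. */
    @Test
    public void loginAsUserFromCertSerialnumberAndIssuerDNMappedToUserAttribute() {
        UserRepresentation user = testRealm().users().get(userId2).toRepresentation();
        Assert.assertNotNull(user);
        user.singleAttribute("x509_certificate_serialnumber", "4105");
        user.singleAttribute("x509_issuer_dn", ISSUER_DN);
        updateUser(user);
        events.clear();

        X509AuthenticatorConfigModel config = createLoginWithSpecifiedSourceTypeToCustomAttributeConfig(
                X509AuthenticatorConfigModel.MappingSourceType.SERIALNUMBER_ISSUERDN,
                "x509_certificate_serialnumber##x509_issuer_dn");
        x509BrowserLogin(config, userId2, "keycloak", "4105##" + ISSUER_DN);
    }

    /**
     * Same mapping as the decimal variant, but with hexadecimal serial numbers enabled:
     * {@code 1009} is the hex form of decimal {@code 4105}.
     */
    @Test
    public void loginAsUserFromHexCertSerialnumberAndIssuerDNMappedToUserAttribute() {
        UserRepresentation user = testRealm().users().get(userId2).toRepresentation();
        Assert.assertNotNull(user);
        user.singleAttribute("x509_certificate_serialnumber", "1009");
        user.singleAttribute("x509_issuer_dn", ISSUER_DN);
        updateUser(user);
        events.clear();

        X509AuthenticatorConfigModel config = createLoginWithSpecifiedSourceTypeToCustomAttributeConfig(
                X509AuthenticatorConfigModel.MappingSourceType.SERIALNUMBER_ISSUERDN,
                "x509_certificate_serialnumber##x509_issuer_dn");
        config.setSerialnumberHex(true);
        x509BrowserLogin(config, userId2, "keycloak", "1009##" + ISSUER_DN);
    }

    /** A value extracted from the issuer DN is matched against a custom user attribute. */
    @Test
    public void loginAsUserFromCertIssuerDNMappedToUserAttribute() {
        UserRepresentation user = testRealm().users().get(userId2).toRepresentation();
        Assert.assertNotNull(user);
        user.singleAttribute("x509_certificate_identity", "Red Hat");
        updateUser(user);
        events.clear();

        x509BrowserLogin(createLoginIssuerDN_OU2CustomAttributeConfig(), userId2, "keycloak", "Red Hat");
    }

    /** The certificate's SHA-256 thumbprint is matched against a custom user attribute. */
    @Test
    public void loginAsUserFromCertSHA256MappedToUserAttribute() {
        String thumbprint = "71237a14c118a90cc8406f14d039ed3431c9065f68e535293ee919d4c33b5e15";

        UserRepresentation user = testRealm().users().get(userId2).toRepresentation();
        Assert.assertNotNull(user);
        user.singleAttribute("x509_cert_sha256thumbprint", thumbprint);
        updateUser(user);
        events.clear();

        X509AuthenticatorConfigModel config = createLoginWithSpecifiedSourceTypeToCustomAttributeConfig(
                X509AuthenticatorConfigModel.MappingSourceType.SHA256_THUMBPRINT,
                "x509_cert_sha256thumbprint");
        x509BrowserLogin(config, userId2, "keycloak", thumbprint);
    }

    /** The decimal certificate serial number is matched against a custom user attribute. */
    @Test
    public void loginAsUserFromCertSerialNumberMappedToUserAttribute() {
        UserRepresentation user = testRealm().users().get(userId2).toRepresentation();
        Assert.assertNotNull(user);
        user.singleAttribute("x509_serial_number", "4105");
        updateUser(user);
        events.clear();

        X509AuthenticatorConfigModel config = createLoginWithSpecifiedSourceTypeToCustomAttributeConfig(
                X509AuthenticatorConfigModel.MappingSourceType.SERIALNUMBER,
                "x509_serial_number");
        x509BrowserLogin(config, userId2, "keycloak", "4105");
    }

    /** Hexadecimal variant of the serial-number mapping ({@code 1009} hex is {@code 4105} decimal). */
    @Test
    public void loginAsUserFromHexCertSerialNumberMappedToUserAttribute() {
        UserRepresentation user = testRealm().users().get(userId2).toRepresentation();
        Assert.assertNotNull(user);
        user.singleAttribute("x509_serial_number", "1009");
        updateUser(user);
        events.clear();

        X509AuthenticatorConfigModel config = createLoginWithSpecifiedSourceTypeToCustomAttributeConfig(
                X509AuthenticatorConfigModel.MappingSourceType.SERIALNUMBER,
                "x509_serial_number");
        config.setSerialnumberHex(true);
        x509BrowserLogin(config, userId2, "keycloak", "1009");
    }

    /**
     * When two users carry the same mapped attribute value, certificate authentication must
     * fail rather than pick one of them; the password form still works afterwards.
     */
    @Test
    public void loginDuplicateUsersNotAllowed() {
        applyBrowserX509Config(createLoginIssuerDN_OU2CustomAttributeConfig());

        // Give both test users the identical identity attribute so the lookup is ambiguous.
        UserRepresentation second = testRealm().users().get(userId2).toRepresentation();
        Assert.assertNotNull(second);
        second.singleAttribute("x509_certificate_identity", "Red Hat");
        updateUser(second);

        UserRepresentation first = testRealm().users().get(userId).toRepresentation();
        Assert.assertNotNull(first);
        first.singleAttribute("x509_certificate_identity", "Red Hat");
        updateUser(first);

        events.clear();
        loginPage.open();
        Assert.assertThat(
                loginPage.getError(),
                Matchers.containsString("X509 certificate authentication's failed."));

        loginWithPasswordExpectingSuccess();
    }

    /** Without any X.509 config the login page shows an info message and password login works. */
    @Test
    public void loginAttemptedNoConfig() {
        loginConfirmationPage.open();
        loginPage.assertCurrent();
        Assert.assertThat(
                loginPage.getInfoMessage(),
                Matchers.containsString("X509 client authentication has not been configured yet"));

        loginWithPasswordExpectingSuccess();
    }

    /**
     * No user carries the extracted attribute value: certificate authentication fails with a
     * {@code user_not_found} event (no user, no session) and the password form still works.
     */
    @Test
    public void loginWithX509CertCustomAttributeUserNotFound() {
        applyBrowserX509Config(subjectOrganizationToAttributeConfig());

        loginConfirmationPage.open();
        loginPage.assertCurrent();
        Assert.assertNotNull(loginPage.getError());
        Assert.assertThat(
                loginPage.getError(),
                Matchers.containsString("X509 certificate authentication's failed."));
        events.expectLogin()
                .user((String) null)
                .session((String) null)
                .error("user_not_found")
                .detail("username", "Red Hat")
                .removeDetail("consent")
                .removeDetail("redirect_uri")
                .assertEvent();

        loginWithPasswordExpectingSuccess();
    }

    /** The default user carries the extracted attribute value and confirms the identity page. */
    @Test
    public void loginWithX509CertCustomAttributeSuccess() {
        applyBrowserX509Config(subjectOrganizationToAttributeConfig());

        UserRepresentation user = findUser(AssertEvents.DEFAULT_USERNAME);
        Assert.assertNotNull(user);
        user.singleAttribute("x509_certificate_identity", "Red Hat");
        updateUser(user);
        events.clear();

        loginConfirmationPage.open();
        Assert.assertTrue(
                loginConfirmationPage.getSubjectDistinguishedNameText()
                        .startsWith("EMAILADDRESS=test-user@localhost"));
        Assert.assertEquals(AssertEvents.DEFAULT_USERNAME, loginConfirmationPage.getUsernameText());

        loginConfirmationPage.confirm();
        assertAuthCodeResponse();
    }

    /**
     * After the mapped user is deleted, certificate authentication reports
     * {@code user_not_found} and the password form rejects the same username.
     */
    @Test
    public void loginWithX509CertBadUserOrNotFound() {
        applyBrowserX509Config(createLoginSubjectEmail2UsernameOrEmailConfig());
        Assert.assertNotNull(findUser(AssertEvents.DEFAULT_USERNAME));

        Response response = testRealm().users().delete(userId);
        try {
            Assert.assertEquals(Response.Status.NO_CONTENT.getStatusCode(), response.getStatus());
        } finally {
            // Release the connection even when the status assertion fails.
            response.close();
        }

        loginConfirmationPage.open();
        loginPage.assertCurrent();
        Assert.assertNotNull(loginPage.getError());
        Assert.assertThat(
                loginPage.getError(),
                Matchers.containsString("X509 certificate authentication's failed."));
        addX509CertificateDetails(
                events.expectLogin()
                        .user((String) null)
                        .session((String) null)
                        .error("user_not_found")
                        .detail("username", AssertEvents.DEFAULT_USERNAME)
                        .removeDetail("consent")
                        .removeDetail("redirect_uri"))
                .assertEvent();

        // The form keeps the username, clears the password, and shows a generic error.
        loginPage.login(AssertEvents.DEFAULT_USERNAME, "password");
        loginPage.assertCurrent();
        Assert.assertEquals(AssertEvents.DEFAULT_USERNAME, loginPage.getUsername());
        Assert.assertEquals("", loginPage.getPassword());
        Assert.assertEquals("Invalid username or password.", loginPage.getInputError());
    }

    /**
     * A disabled account must be refused on both paths: the certificate login and the
     * password form each end in a {@code user_disabled} event without a session.
     */
    @Test
    public void loginValidCertificateDisabledUser() {
        setUserEnabled(AssertEvents.DEFAULT_USERNAME, false);
        try {
            applyBrowserX509Config(createLoginSubjectEmail2UsernameOrEmailConfig());

            loginConfirmationPage.open();
            loginPage.assertCurrent();
            Assert.assertNotNull(loginPage.getError());
            Assert.assertThat(
                    loginPage.getError(),
                    Matchers.containsString("X509 certificate authentication's failed.\nUser is disabled"));
            events.expectLogin()
                    .user(userId)
                    .session((String) null)
                    .error("user_disabled")
                    .detail("username", AssertEvents.DEFAULT_USERNAME)
                    .removeDetail("consent")
                    .removeDetail("redirect_uri")
                    .assertEvent();

            loginPage.login(AssertEvents.DEFAULT_USERNAME, "password");
            loginPage.assertCurrent();
            Assert.assertEquals(AssertEvents.DEFAULT_USERNAME, loginPage.getUsername());
            Assert.assertEquals("", loginPage.getPassword());
            Assert.assertEquals("Account is disabled, contact your administrator.", loginPage.getError());
            events.expectLogin()
                    .user(userId)
                    .session((String) null)
                    .error("user_disabled")
                    .detail("username", AssertEvents.DEFAULT_USERNAME)
                    .removeDetail("consent")
                    .removeDetail("redirect_uri")
                    .assertEvent();
        } finally {
            // Re-enable the account so a failure here does not affect later tests.
            setUserEnabled(AssertEvents.DEFAULT_USERNAME, true);
        }
    }

    /** With the confirmation page disabled, opening the login form authenticates directly. */
    @Test
    public void loginNoIdentityConfirmationPage() {
        X509AuthenticatorConfigModel config = new X509AuthenticatorConfigModel()
                .setConfirmationPageAllowed(false)
                .setMappingSourceType(X509AuthenticatorConfigModel.MappingSourceType.SUBJECTDN_EMAIL)
                .setUserIdentityMapperType(X509AuthenticatorConfigModel.IdentityMapperType.USERNAME_EMAIL);
        applyBrowserX509Config(config);

        oauth.openLoginForm();

        assertAuthCodeResponse();
        addX509CertificateDetails(
                events.expectLogin()
                        .user(userId)
                        .detail("username", AssertEvents.DEFAULT_USERNAME)
                        .removeDetail("redirect_uri"))
                .assertEvent();
    }

    /**
     * Starts from the unconfigured state (info message on the login page) and then runs the
     * subject-e-mail login scenario in the same browser session.
     */
    @Test
    public void loginWithCertificateAddedLater() throws Exception {
        loginConfirmationPage.open();
        loginPage.assertCurrent();
        Assert.assertThat(
                loginPage.getInfoMessage(),
                Matchers.containsString("X509 client authentication has not been configured yet"));
        loginPage.assertCurrent();

        loginAsUserFromCertSubjectEmail();
    }

    /** Switching the locale on the confirmation page keeps the flow intact (community profile only). */
    @Test
    public void changeLocaleOnX509InfoPage() {
        ProfileAssume.assumeCommunity();
        applyBrowserX509Config(createLoginSubjectEmail2UsernameOrEmailConfig());

        log.debug("Open confirm page");
        loginConfirmationPage.open();

        log.debug("check if on confirm page");
        Assert.assertThat(
                loginConfirmationPage.getSubjectDistinguishedNameText(),
                Matchers.startsWith("EMAILADDRESS=test-user@localhost"));

        log.debug("check if locale is EN");
        Assert.assertThat(
                loginConfirmationPage.getLanguageDropdownText(),
                Matchers.is(Matchers.equalTo("English")));

        log.debug("change locale to DE");
        loginConfirmationPage.openLanguage("Deutsch");

        log.debug("check if locale is DE");
        Assert.assertThat(
                loginConfirmationPage.getLanguageDropdownText(),
                Matchers.is(Matchers.equalTo("Deutsch")));
        Assert.assertThat(
                DroneUtils.getCurrentDriver().getPageSource(),
                Matchers.containsString("X509 Client Zertifikat:"));

        log.debug("confirm cert");
        loginConfirmationPage.confirm();

        log.debug("check if logged in");
        Assert.assertThat(
                appPage.getRequestType(),
                Matchers.is(Matchers.equalTo(AppPage.RequestType.AUTH_RESPONSE)));
    }
}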
