package org.keycloak.testsuite.openshift;

import io.undertow.Undertow;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import java.io.IOException;
import java.util.Arrays;
import javax.ws.rs.core.Response;
import org.jboss.arquillian.graphene.page.Page;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.admin.client.resource.ComponentResource;
import org.keycloak.common.Profile;
import org.keycloak.common.util.MultivaluedHashMap;
import org.keycloak.common.util.StreamUtil;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.idm.ComponentRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.storage.client.ClientStorageProvider;
import org.keycloak.testsuite.AbstractTestRealmKeycloakTest;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.ProfileAssume;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.arquillian.annotation.EnableFeature;
import org.keycloak.testsuite.docker.DockerClientTest;
import org.keycloak.testsuite.pages.AppPage;
import org.keycloak.testsuite.pages.ConsentPage;
import org.keycloak.testsuite.pages.ErrorPage;
import org.keycloak.testsuite.pages.LoginPage;
import org.keycloak.testsuite.util.OAuthClient;

@AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE, AuthServerContainerExclude.AuthServer.QUARKUS})
@EnableFeature(value = Profile.Feature.OPENSHIFT_INTEGRATION, skipRestart = true)
/* loaded from: input_file:org/keycloak/testsuite/openshift/OpenshiftClientStorageTest.class */
public final class OpenshiftClientStorageTest extends AbstractTestRealmKeycloakTest {
    private static Undertow OPENSHIFT_API_SERVER;

    @Rule
    public AssertEvents events = new AssertEvents(this);

    @Page
    private LoginPage loginPage;

    @Page
    private AppPage appPage;

    @Page
    private ConsentPage consentPage;

    @Page
    private ErrorPage errorPage;
    private String userId;
    private String clientStorageId;

    @Override // org.keycloak.testsuite.AbstractTestRealmKeycloakTest
    public void configureTestRealm(RealmRepresentation realmRepresentation) {
    }

    @BeforeClass
    public static void onBeforeClass() {
        OPENSHIFT_API_SERVER = Undertow.builder().addHttpListener(8880, DockerClientTest.REGISTRY_HOSTNAME, new HttpHandler() { // from class: org.keycloak.testsuite.openshift.OpenshiftClientStorageTest.1
            public void handleRequest(HttpServerExchange httpServerExchange) throws Exception {
                String requestURI = httpServerExchange.getRequestURI();
                if (requestURI.endsWith("/version/openshift") || requestURI.endsWith("/version")) {
                    writeResponse("openshift-version.json", httpServerExchange);
                    return;
                }
                if (requestURI.endsWith("/oapi")) {
                    writeResponse("oapi-response.json", httpServerExchange);
                    return;
                }
                if (requestURI.endsWith("/apis")) {
                    writeResponse("apis-response.json", httpServerExchange);
                    return;
                }
                if (requestURI.endsWith("/api")) {
                    writeResponse("api.json", httpServerExchange);
                    return;
                }
                if (requestURI.endsWith("/api/v1")) {
                    writeResponse("api-v1.json", httpServerExchange);
                    return;
                }
                if (requestURI.endsWith("/oapi/v1")) {
                    writeResponse("oapi-v1.json", httpServerExchange);
                    return;
                }
                if (requestURI.contains("/apis/route.openshift.io/v1")) {
                    writeResponse("apis-route-v1.json", httpServerExchange);
                    return;
                }
                if (requestURI.endsWith("/api/v1/namespaces/default")) {
                    writeResponse("namespace-default.json", httpServerExchange);
                    return;
                }
                if (requestURI.endsWith("/oapi/v1/namespaces/default/routes/proxy")) {
                    writeResponse("route-response.json", httpServerExchange);
                } else if (requestURI.contains("/serviceaccounts/system")) {
                    writeResponse("sa-system.json", httpServerExchange);
                } else if (requestURI.contains("/serviceaccounts/")) {
                    writeResponse(requestURI.substring(requestURI.lastIndexOf(47) + 1) + ".json", httpServerExchange);
                }
            }

            private void writeResponse(String str, HttpServerExchange httpServerExchange) throws IOException {
                httpServerExchange.getResponseSender().send(StreamUtil.readString(getClass().getResourceAsStream("/openshift/client-storage/" + str)));
            }
        }).build();
        OPENSHIFT_API_SERVER.start();
    }

    @AfterClass
    public static void onAfterClass() {
        if (OPENSHIFT_API_SERVER != null) {
            OPENSHIFT_API_SERVER.stop();
        }
    }

    @Before
    public void onBefore() {
        ProfileAssume.assumeFeatureEnabled(Profile.Feature.OPENSHIFT_INTEGRATION);
        ComponentRepresentation componentRepresentation = new ComponentRepresentation();
        componentRepresentation.setName("openshift-client-storage");
        componentRepresentation.setProviderId("openshift-oauth-client");
        componentRepresentation.setProviderType(ClientStorageProvider.class.getName());
        componentRepresentation.setConfig(new MultivaluedHashMap());
        componentRepresentation.getConfig().putSingle("openshift.uri", "http://localhost:8880");
        componentRepresentation.getConfig().putSingle("openshift.access_token", "token");
        componentRepresentation.getConfig().putSingle("openshift.namespace.default", "default");
        componentRepresentation.getConfig().putSingle("user.consent.require", "true");
        Response add = this.adminClient.realm("test").components().add(componentRepresentation);
        add.close();
        this.clientStorageId = ApiUtil.getCreatedId(add);
        getCleanup().addComponentId(this.clientStorageId);
    }

    @Before
    public void clientConfiguration() {
        this.userId = ApiUtil.findUserByUsername(this.adminClient.realm("test"), AssertEvents.DEFAULT_USERNAME).getId();
    }

    @Test
    public void testCodeGrantFlowWithServiceAccountUsingOAuthRedirectReference() {
        String str = "system:serviceaccount:default:sa-oauth-redirect-reference";
        testCodeGrantFlow("system:serviceaccount:default:sa-oauth-redirect-reference", "https://myapp.org/callback", () -> {
            assertSuccessfulResponseWithoutConsent(str);
        });
    }

    @Test
    public void failCodeGrantFlowWithServiceAccountUsingOAuthRedirectReference() throws Exception {
        testCodeGrantFlow("system:serviceaccount:default:sa-oauth-redirect-reference", "http://myapp.org/callback", () -> {
            Assert.assertEquals("invalid_redirect_uri", this.events.poll().getError());
        });
    }

    @Test
    public void testCodeGrantFlowWithServiceAccountUsingOAuthRedirectUri() {
        String str = "system:serviceaccount:default:sa-oauth-redirect-uri";
        testCodeGrantFlow("system:serviceaccount:default:sa-oauth-redirect-uri", "http://localhost:8180/auth/realms/master/app/auth", () -> {
            assertSuccessfulResponseWithoutConsent(str);
        });
        testCodeGrantFlow("system:serviceaccount:default:sa-oauth-redirect-uri", "http://localhost:8180/auth/realms/master/app/auth/second", () -> {
            assertSuccessfulResponseWithoutConsent(str);
        });
        testCodeGrantFlow("system:serviceaccount:default:sa-oauth-redirect-uri", "http://localhost:8180/auth/realms/master/app/auth/third", () -> {
            assertSuccessfulResponseWithoutConsent(str);
        });
    }

    @Test
    public void testCodeGrantFlowWithUserConsent() {
        String str = "system:serviceaccount:default:sa-oauth-redirect-uri";
        testCodeGrantFlow("system:serviceaccount:default:sa-oauth-redirect-uri", "http://localhost:8180/auth/realms/master/app/auth", () -> {
            assertSuccessfulResponseWithConsent(str);
        }, "user:info user:check-access");
        ComponentResource component = testRealm().components().component(this.clientStorageId);
        ComponentRepresentation representation = component.toRepresentation();
        representation.getConfig().put("user.consent.require", Arrays.asList("false"));
        component.update(representation);
        testCodeGrantFlow("system:serviceaccount:default:sa-oauth-redirect-uri", "http://localhost:8180/auth/realms/master/app/auth", () -> {
            assertSuccessfulResponseWithoutConsent(str);
        }, "user:info user:check-access");
        representation.getConfig().put("user.consent.require", Arrays.asList("true"));
        component.update(representation);
        testCodeGrantFlow("system:serviceaccount:default:sa-oauth-redirect-uri", "http://localhost:8180/auth/realms/master/app/auth", () -> {
            assertSuccessfulResponseWithoutConsent(str, "persistent_consent");
        }, "user:info user:check-access");
        testRealm().users().get(this.userId).revokeConsent("system:serviceaccount:default:sa-oauth-redirect-uri");
        testCodeGrantFlow("system:serviceaccount:default:sa-oauth-redirect-uri", "http://localhost:8180/auth/realms/master/app/auth", () -> {
            assertSuccessfulResponseWithConsent(str);
        }, "user:info user:check-access");
    }

    @Test
    public void failCodeGrantFlowWithServiceAccountUsingOAuthRedirectUri() throws Exception {
        testCodeGrantFlow("system:serviceaccount:default:sa-oauth-redirect-uri", "http://myapp.org/callback", () -> {
            Assert.assertEquals("invalid_redirect_uri", this.events.poll().getError());
        });
    }

    private void testCodeGrantFlow(String str, String str2, Runnable runnable) {
        testCodeGrantFlow(str, str2, runnable, null);
    }

    private void testCodeGrantFlow(String str, String str2, Runnable runnable, String str3) {
        if (str3 != null) {
            this.oauth.scope(str3);
        }
        this.oauth.clientId(str);
        this.oauth.redirectUri(str2);
        this.driver.navigate().to(this.oauth.getLoginFormUrl());
        this.loginPage.assertCurrent();
        try {
            this.oauth.fillLoginForm(AssertEvents.DEFAULT_USERNAME, "password");
        } catch (Exception e) {
        }
        runnable.run();
    }

    private void assertSuccessfulResponseWithoutConsent(String str) {
        assertSuccessfulResponseWithoutConsent(str, null);
    }

    private void assertSuccessfulResponseWithoutConsent(String str, String str2) {
        AssertEvents.ExpectedEvent detail = this.events.expectLogin().client(str).detail("redirect_uri", this.oauth.getRedirectUri()).detail("username", AssertEvents.DEFAULT_USERNAME);
        if (str2 != null) {
            detail.detail("consent", "persistent_consent");
        }
        detail.assertEvent();
        assertSuccessfulRedirect(new String[0]);
    }

    private void assertSuccessfulResponseWithConsent(String str) {
        this.consentPage.assertCurrent();
        this.driver.getPageSource().contains("user:info");
        this.driver.getPageSource().contains("user:check-access");
        this.consentPage.confirm();
        this.events.expectLogin().client(str).detail("redirect_uri", this.oauth.getRedirectUri()).detail("username", AssertEvents.DEFAULT_USERNAME).detail("consent", "consent_granted").assertEvent();
        assertSuccessfulRedirect("user:info", "user:check-access");
    }

    private void assertSuccessfulRedirect(String... strArr) {
        OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), (String) null);
        String accessToken = doAccessTokenRequest.getAccessToken();
        Assert.assertNotNull(accessToken);
        try {
            AccessToken accessToken2 = (AccessToken) new JWSInput(accessToken).readJsonContent(AccessToken.class);
            for (String str : strArr) {
                accessToken2.getScope().contains(str);
            }
        } catch (Exception e) {
            Assert.fail("Failed to parse access token");
            e.printStackTrace();
        }
        Assert.assertNotNull(doAccessTokenRequest.getRefreshToken());
        this.oauth.doLogout(doAccessTokenRequest.getRefreshToken(), (String) null);
        this.events.clear();
    }
}
