package org.keycloak.testsuite.authz;

import java.io.IOException;
import java.io.InputStream;
import java.io.UncheckedIOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.hamcrest.Matchers;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.keycloak.admin.client.resource.AuthorizationResource;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.ClientsResource;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.authorization.DecisionStrategy;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.representations.idm.authorization.PolicyEnforcementMode;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.ResourceServerRepresentation;
import org.keycloak.representations.idm.authorization.ScopePermissionRepresentation;
import org.keycloak.representations.idm.authorization.ScopeRepresentation;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.testsuite.util.UserBuilder;
import org.keycloak.util.JsonSerialization;

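/**
 * Verifies how the authorization server resolves a scope that is granted to one user and, on the
 * same resource, also granted to a different user ("conflicting" scope permissions), for each
 * combination of {@link PolicyEnforcementMode} and {@link DecisionStrategy} exercised below.
 *
 * <p>Fixture (built once by {@link #configureAuthorization()}): realm {@code authz-test} with
 * users {@code marta} and {@code kolo}; resource server {@code resource-server-test} owning
 * resources A, B and C, each with scopes {@code read}, {@code write} and {@code execute}.
 * Marta is granted all of Resource A through a resource permission, and the {@code read} scope of
 * Resource A is additionally granted through two separate scope permissions, one for Marta only
 * and one for Kolo only.
 *
 * <p>Each test requests an RPT for Marta and inspects the permissions embedded in it. The expected
 * scope sets encode the decision semantics under test: with UNANIMOUS the Kolo-only permission on
 * {@code read} does not grant it to Marta, so {@code read} is withheld; with AFFIRMATIVE the
 * Marta-only permission is enough to grant it; with PERMISSIVE or DISABLED enforcement every
 * resource and every scope is returned regardless of the permissions.
 */
@AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
public class ConflictingScopePermissionTest extends AbstractAuthzTest {

    private static final String REALM_NAME = "authz-test";
    private static final String CLIENT_ID = "resource-server-test";
    private static final String RESOURCE_A = "Resource A";
    private static final String RESOURCE_B = "Resource B";
    private static final String RESOURCE_C = "Resource C";
    private static final String ONLY_MARTA_POLICY = "Only Marta Policy";
    private static final String ONLY_KOLO_POLICY = "Only Kolo Policy";

    /**
     * Registers the {@code authz-test} realm: two password users and one confidential client with
     * authorization services and direct access grants enabled (the RPT is obtained via a
     * password grant in {@link #getEntitlements(String, String)}).
     *
     * @param testRealms realms the base test imports before the tests run; this realm is appended
     */
    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void addTestRealms(List<RealmRepresentation> testRealms) {
        RealmRepresentation realm = RealmBuilder.create()
                .name(REALM_NAME)
                .user(UserBuilder.create().username("marta").password("password"))
                .user(UserBuilder.create().username("kolo").password("password"))
                .client(ClientBuilder.create()
                        .clientId(CLIENT_ID)
                        .secret("secret")
                        .authorizationServicesEnabled(true)
                        .redirectUris("http://localhost/resource-server-test")
                        .defaultRoles("uma_protection")
                        .directAccessGrants())
                .build();
        testRealms.add(realm);
    }

    /**
     * Creates resources, policies and permissions the first time it runs; later invocations find
     * Resource A already present and reuse the fixture. Each test sets the resource server's
     * enforcement mode and decision strategy itself, so nothing needs to be reset here.
     *
     * @throws Exception if the admin client cannot reach the realm
     */
    @Before
    public void configureAuthorization() throws Exception {
        RealmResource realm = getRealm();
        ClientResource client = getClient(realm);
        if (client.authorization().resources().findByName(RESOURCE_A).isEmpty()) {
            createResourcesAndScopes();
            createPolicies(realm, client);
            createPermissions(client);
        }
    }

    /**
     * ENFORCING + UNANIMOUS: all permissions that cover a scope must grant it, so the Kolo-only
     * {@code read} permission on Resource A keeps {@code read} out of Marta's RPT; she is left
     * with {@code execute} and {@code write} on Resource A only.
     */
    @Test
    public void testMartaCanAccessResourceAWithExecuteAndWrite() throws Exception {
        configureResourceServer(PolicyEnforcementMode.ENFORCING, DecisionStrategy.UNANIMOUS);

        Collection<Permission> entitlements = getEntitlements("marta", "password");

        Map<String, List<String>> allowed = new HashMap<>();
        allowed.put(RESOURCE_A, Arrays.asList("execute", "write"));
        // Resource C was also accepted by the original check; with exactly one entitlement
        // expected and permissions defined only for Resource A it is not expected to appear.
        allowed.put(RESOURCE_C, Arrays.asList("execute", "write", "read"));
        assertGrantedScopes(1, entitlements, allowed);
    }

    /**
     * ENFORCING + AFFIRMATIVE: a single granting permission is enough, so the Marta-only
     * {@code read} permission grants {@code read} despite the Kolo-only one; Marta gets all three
     * scopes on Resource A only.
     */
    @Test
    public void testMartaCanAccessResourceA() throws Exception {
        configureResourceServer(PolicyEnforcementMode.ENFORCING, DecisionStrategy.AFFIRMATIVE);

        Collection<Permission> entitlements = getEntitlements("marta", "password");

        Map<String, List<String>> allowed = new HashMap<>();
        allowed.put(RESOURCE_A, Arrays.asList("execute", "write", "read"));
        // Resource C was also accepted by the original check; with exactly one entitlement
        // expected and permissions defined only for Resource A it is not expected to appear.
        allowed.put(RESOURCE_C, Arrays.asList("execute", "write", "read"));
        assertGrantedScopes(1, entitlements, allowed);
    }

    /**
     * PERMISSIVE + UNANIMOUS: resources without any applicable permission (B and C) are granted
     * in full, while Resource A is still evaluated, so {@code read} stays withheld there.
     */
    @Test
    public void testWithPermissiveMode() throws Exception {
        configureResourceServer(PolicyEnforcementMode.PERMISSIVE, DecisionStrategy.UNANIMOUS);

        Collection<Permission> entitlements = getEntitlements("marta", "password");

        Map<String, List<String>> allowed = new HashMap<>();
        allowed.put(RESOURCE_A, Arrays.asList("execute", "write"));
        allowed.put(RESOURCE_B, Arrays.asList("execute", "write", "read"));
        allowed.put(RESOURCE_C, Arrays.asList("execute", "write", "read"));
        assertGrantedScopes(3, entitlements, allowed);
    }

    /**
     * DISABLED enforcement: no permission is evaluated at all, so every resource is returned with
     * every scope, including the {@code read} scope on Resource A that UNANIMOUS would withhold.
     */
    @Test
    public void testWithDisabledMode() throws Exception {
        configureResourceServer(PolicyEnforcementMode.DISABLED, DecisionStrategy.UNANIMOUS);

        Collection<Permission> entitlements = getEntitlements("marta", "password");

        Map<String, List<String>> allowed = new HashMap<>();
        allowed.put(RESOURCE_A, Arrays.asList("execute", "write", "read"));
        allowed.put(RESOURCE_B, Arrays.asList("execute", "write", "read"));
        allowed.put(RESOURCE_C, Arrays.asList("execute", "write", "read"));
        assertGrantedScopes(3, entitlements, allowed);
    }

    /**
     * Sets the resource server's enforcement mode and decision strategy for the current test.
     *
     * @param mode     policy enforcement mode to apply
     * @param strategy decision strategy to apply
     * @throws Exception if the realm or client cannot be resolved
     */
    private void configureResourceServer(PolicyEnforcementMode mode, DecisionStrategy strategy) throws Exception {
        AuthorizationResource authorization = getClient(getRealm()).authorization();
        ResourceServerRepresentation settings = authorization.getSettings();
        settings.setPolicyEnforcementMode(mode);
        settings.setDecisionStrategy(strategy);
        authorization.update(settings);
    }

    /**
     * Asserts that the RPT carries exactly {@code expectedCount} permissions, that each one is
     * for a resource listed in {@code allowedScopesByResource}, and that its scopes are exactly
     * the listed ones (order-insensitive). Every checked permission is removed from
     * {@code entitlements}, which must be empty afterwards.
     *
     * @param expectedCount           number of permissions the RPT must contain
     * @param entitlements            permissions decoded from the RPT; mutated by this method
     * @param allowedScopesByResource resource name to the exact scope set allowed on it
     */
    private static void assertGrantedScopes(int expectedCount, Collection<Permission> entitlements,
                                            Map<String, List<String>> allowedScopesByResource) {
        Assert.assertEquals(expectedCount, entitlements.size());
        // Iterate over a copy so the removal below does not disturb the iteration.
        for (Permission permission : new ArrayList<>(entitlements)) {
            String resourceName = permission.getResourceName();
            List<String> expectedScopes = allowedScopesByResource.get(resourceName);
            Assert.assertNotNull("Unexpected permission for resource [" + resourceName + "]", expectedScopes);
            Assert.assertThat(permission.getScopes(),
                    Matchers.containsInAnyOrder(expectedScopes.toArray(new String[0])));
            entitlements.remove(permission);
        }
        Assert.assertTrue(entitlements.isEmpty());
    }

    /**
     * Obtains an RPT for the given user via the authz client (password grant) and returns the
     * permissions embedded in it.
     *
     * <p>{@code readJsonContent} only decodes the JWS payload; it does not verify the signature.
     * That is acceptable here because the token is taken directly from the server under test.
     *
     * @param username user to obtain the RPT for
     * @param password that user's password
     * @return the permissions granted in the RPT, never {@code null}
     * @throws RuntimeException if the RPT cannot be parsed as a JWS
     */
    private Collection<Permission> getEntitlements(String username, String password) {
        String rpt = getAuthzClient().authorization(username, password).authorize().getToken();
        try {
            AccessToken token = new JWSInput(rpt).readJsonContent(AccessToken.class);
            AccessToken.Authorization authorization = token.getAuthorization();
            Assert.assertNotNull("RPT does not contain any authorization data", authorization);
            return authorization.getPermissions();
        } catch (JWSInputException e) {
            throw new RuntimeException("Failed to deserialize RPT", e);
        }
    }

    /** @return the admin-client handle for the {@code authz-test} realm */
    private RealmResource getRealm() throws Exception {
        return this.adminClient.realm(REALM_NAME);
    }

    /**
     * Resolves the resource server client by its client id.
     *
     * @param realm realm to look the client up in
     * @return the admin-client handle for {@code resource-server-test}
     * @throws RuntimeException if no client with that id exists
     */
    private ClientResource getClient(RealmResource realm) {
        ClientsResource clients = realm.clients();
        return clients.findByClientId(CLIENT_ID).stream()
                .map(representation -> clients.get(representation.getId()))
                .findFirst()
                .orElseThrow(() -> new RuntimeException("Expected client [resource-server-test]"));
    }

    /**
     * Creates the three permissions whose interaction the tests observe: Resource A as a whole
     * for Marta, and the {@code read} scope of Resource A once for Marta and once for Kolo.
     *
     * @param client resource server client owning the permissions
     * @throws IOException if a permission representation cannot be serialized
     */
    private void createPermissions(ClientResource client) throws IOException {
        createResourcePermission("Resource A Only For Marta Permission", RESOURCE_A,
                Arrays.asList(ONLY_MARTA_POLICY), client);
        createScopePermission("Resource A Scope Read Only For Marta Permission", RESOURCE_A,
                Arrays.asList("read"), Arrays.asList(ONLY_MARTA_POLICY), client);
        createScopePermission("Resource A Scope Read Only For Kolo Permission", RESOURCE_A,
                Arrays.asList("read"), Arrays.asList(ONLY_KOLO_POLICY), client);
    }

    /**
     * Creates one user policy per test user.
     *
     * @param realm  realm to resolve the user ids from
     * @param client resource server client owning the policies
     * @throws IOException if the policy config cannot be serialized
     */
    private void createPolicies(RealmResource realm, ClientResource client) throws IOException {
        createUserPolicy(ONLY_MARTA_POLICY, realm, client, "marta");
        createUserPolicy(ONLY_KOLO_POLICY, realm, client, "kolo");
    }

    /**
     * Registers resources A, B and C through the protection API, each carrying the same
     * {@code read}/{@code write}/{@code execute} scope set.
     *
     * @throws IOException declared for parity with the other fixture helpers
     */
    private void createResourcesAndScopes() throws IOException {
        AuthzClient authzClient = getAuthzClient();

        Set<ScopeRepresentation> scopes = new HashSet<>();
        scopes.add(new ScopeRepresentation("read"));
        scopes.add(new ScopeRepresentation("write"));
        scopes.add(new ScopeRepresentation("execute"));

        List<ResourceRepresentation> resources = new ArrayList<>();
        resources.add(new ResourceRepresentation(RESOURCE_A, scopes));
        resources.add(new ResourceRepresentation(RESOURCE_B, scopes));
        resources.add(new ResourceRepresentation(RESOURCE_C, scopes));

        resources.forEach(resource -> authzClient.protection().resource().create(resource));
    }

    /**
     * Creates a {@code user} policy that applies to exactly one user.
     *
     * @param name     policy name
     * @param realm    realm to resolve the user id from
     * @param client   resource server client owning the policy
     * @param username user the policy applies to
     * @throws IOException      if the policy config cannot be serialized
     * @throws RuntimeException if no user with that exact username exists
     */
    private void createUserPolicy(String name, RealmResource realm, ClientResource client, String username)
            throws IOException {
        // users().search(...) is a substring search; filter to the exact username so the policy
        // can never be bound to a different user that happens to match the search.
        String userId = realm.users().search(username).stream()
                .filter(user -> username.equals(user.getUsername()))
                .map(user -> user.getId())
                .findFirst()
                .orElseThrow(() -> new RuntimeException("Expected user [" + username + "]"));

        PolicyRepresentation policy = new PolicyRepresentation();
        policy.setName(name);
        policy.setType("user");

        Map<String, String> config = new HashMap<>();
        config.put("users", JsonSerialization.writeValueAsString(new String[]{userId}));
        policy.setConfig(config);

        client.authorization().policies().create(policy).close();
    }

    /**
     * Creates a resource-based permission.
     *
     * @param name     permission name
     * @param resource name of the resource it covers
     * @param policies names of the policies that must grant it
     * @param client   resource server client owning the permission
     * @throws IOException declared for parity with the other fixture helpers
     */
    private void createResourcePermission(String name, String resource, List<String> policies, ClientResource client)
            throws IOException {
        ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
        permission.setName(name);
        permission.addResource(resource);
        permission.addPolicy(policies.toArray(new String[0]));
        client.authorization().permissions().resource().create(permission).close();
    }

    /**
     * Creates a scope-based permission, optionally narrowed to one resource.
     *
     * @param name     permission name
     * @param resource resource the permission is restricted to, or {@code null} for any resource
     * @param scopes   scope names the permission covers
     * @param policies names of the policies that must grant it
     * @param client   resource server client owning the permission
     * @throws IOException declared for parity with the other fixture helpers
     */
    private void createScopePermission(String name, String resource, List<String> scopes, List<String> policies,
                                       ClientResource client) throws IOException {
        AuthorizationResource authorization = client.authorization();
        ScopePermissionRepresentation permission = new ScopePermissionRepresentation();
        permission.setName(name);
        if (resource != null) {
            permission.addResource(resource);
        }
        permission.addScope(scopes.toArray(new String[0]));
        permission.addPolicy(policies.toArray(new String[0]));
        authorization.permissions().scope().create(permission).close();
    }

    /**
     * Builds an authz client from the bundled {@code default-keycloak.json}. The classpath stream
     * is closed once the configuration has been read.
     *
     * @return a fresh authz client for the resource server
     * @throws UncheckedIOException if the configuration stream cannot be closed
     */
    private AuthzClient getAuthzClient() {
        try (InputStream config = getClass().getResourceAsStream("/authorization-test/default-keycloak.json")) {
            Assert.assertNotNull("Missing /authorization-test/default-keycloak.json on the classpath", config);
            return AuthzClient.create(config);
        } catch (IOException e) {
            throw new UncheckedIOException("Failed to read authz client configuration", e);
        }
    }
}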
