package org.keycloak.testsuite.broker;

import com.google.common.collect.ImmutableMap;
import java.net.URI;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Set;
import java.util.function.UnaryOperator;
import java.util.stream.Collectors;
import javax.ws.rs.core.Response;
import org.hamcrest.Matchers;
import org.junit.Assert;
import org.junit.Test;
import org.keycloak.admin.client.resource.UserResource;
import org.keycloak.dom.saml.v2.assertion.AttributeStatementType;
import org.keycloak.dom.saml.v2.assertion.AttributeType;
import org.keycloak.dom.saml.v2.protocol.ResponseType;
import org.keycloak.models.IdentityProviderMapperSyncMode;
import org.keycloak.representations.idm.IdentityProviderMapperRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
import org.keycloak.saml.common.exceptions.ConfigurationException;
import org.keycloak.saml.common.exceptions.ParsingException;
import org.keycloak.saml.common.exceptions.ProcessingException;
import org.keycloak.saml.processing.api.saml.v2.request.SAML2Request;
import org.keycloak.saml.processing.core.parsers.saml.protocol.SAMLProtocolQNames;
import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder;
import org.keycloak.testsuite.saml.RoleMapperTest;
import org.keycloak.testsuite.util.SamlClient;
import org.keycloak.testsuite.util.SamlClientBuilder;
import org.keycloak.testsuite.util.SamlStreams;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:org/keycloak/testsuite/broker/KcSamlBrokerTest.class */
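/**
 * Identity-brokering tests where both the provider (upstream IdP) and the consumer
 * (broker / SP) realms are Keycloak realms federated over SAML 2.0, as configured by
 * {@link KcSamlBrokerConfiguration}.
 *
 * <p>Two groups of tests live here:
 * <ul>
 *   <li>attribute-to-role mapping tests ({@code saml-role-idp-mapper}) that check which
 *       consumer-realm roles a brokered user ends up with after (re)login;</li>
 *   <li>SAML flow tests driven by {@link SamlClientBuilder}, including the negative
 *       {@code loginInResponseTo*} cases that assert the consumer rejects a producer
 *       response whose {@code InResponseTo} no longer matches the AuthnRequest it sent.</li>
 * </ul>
 *
 * <p>NOTE(review): {@link #mapperUpdatesRolesOnEveryLogInForLegacyMode} reads the roles
 * of the <em>provider</em>-realm user (the same user the roles were just granted to), so
 * its assertions hold regardless of what the broker mapped; {@link #roleWithDots} is the
 * test that looks at the consumer-realm user. Behaviour is kept as-is here; see the
 * comment on that test.
 */
public final class KcSamlBrokerTest extends AbstractAdvancedBrokerTest {

    /** Attribute the provider never emits; {@link #emptyAttributeToRoleMapperTest} injects it with a null value. */
    private static final String EMPTY_ATTRIBUTE_NAME = "empty.attribute.name";

    /** Provider id of the SAML attribute-to-role identity provider mapper. */
    private static final String SAML_ROLE_IDP_MAPPER = "saml-role-idp-mapper";

    /** Realm role name used by the "user" mapper and granted in several tests. */
    private static final String USER_ROLE = "user";

    /**
     * Issuer of the SP the flow tests impersonate. The "." inside the client name is
     * deliberate: {@link #loginClientWithDotsInName} exists to prove such a client can log in.
     */
    private static final String DOTTED_SALES_POST_CLIENT = "http://localhost:8280/sales-post/.dot/ted";

    /** Assertion consumer path of that SP, appended to the consumer root. */
    private static final String SALES_POST_ACS_PATH = "/sales-post/saml";

    @Override // org.keycloak.testsuite.broker.AbstractBaseBrokerTest
    protected BrokerConfiguration getBrokerConfiguration() {
        return KcSamlBrokerConfiguration.INSTANCE;
    }

    /**
     * Mappers installed on the consumer realm's IdP by the base test: four mappers keyed on
     * the role attribute ({@link RoleMapperTest#ROLE_ATTRIBUTE_NAME}) or on the friendly
     * attribute name, plus one that matches an empty attribute value.
     *
     * @param syncMode sync mode written into every mapper's {@code syncMode} config key
     */
    @Override // org.keycloak.testsuite.broker.AbstractAdvancedBrokerTest
    protected Iterable<IdentityProviderMapperRepresentation> createIdentityProviderMappers(IdentityProviderMapperSyncMode syncMode) {
        return Arrays.asList(
                roleMapper("manager-role-mapper", syncMode, "attribute.name", RoleMapperTest.ROLE_ATTRIBUTE_NAME,
                        AbstractBrokerTest.ROLE_MANAGER, AbstractBrokerTest.ROLE_MANAGER),
                roleMapper("user-role-mapper", syncMode, "attribute.name", RoleMapperTest.ROLE_ATTRIBUTE_NAME,
                        USER_ROLE, USER_ROLE),
                // Keyed on the attribute's friendly name rather than its name.
                roleMapper("friendly-mapper", syncMode, "attribute.friendly.name", KcSamlBrokerConfiguration.ATTRIBUTE_TO_MAP_FRIENDLY_NAME,
                        AbstractBrokerTest.ROLE_FRIENDLY_MANAGER, AbstractBrokerTest.ROLE_FRIENDLY_MANAGER),
                roleMapper("user-role-dot-guide-mapper", syncMode, "attribute.name", RoleMapperTest.ROLE_ATTRIBUTE_NAME,
                        AbstractBrokerTest.ROLE_USER_DOT_GUIDE, AbstractBrokerTest.ROLE_USER_DOT_GUIDE),
                // Matches an attribute that is present but carries an empty value.
                roleMapper("empty-attribute-to-role-mapper", syncMode, "attribute.name", EMPTY_ATTRIBUTE_NAME,
                        "", AbstractBrokerTest.EMPTY_ATTRIBUTE_ROLE));
    }

    /**
     * Adds one more role mapper (role attribute == friendly-manager role) directly to the
     * consumer realm's IdP, with its own sync mode.
     *
     * @param syncMode sync mode of the extra mapper
     */
    @Override // org.keycloak.testsuite.broker.AbstractAdvancedBrokerTest
    protected void createAdditionalMapperWithCustomSyncMode(IdentityProviderMapperSyncMode syncMode) {
        IdentityProviderMapperRepresentation mapper = roleMapper("friendly-manager-role-mapper", syncMode,
                "attribute.name", RoleMapperTest.ROLE_ATTRIBUTE_NAME,
                AbstractBrokerTest.ROLE_FRIENDLY_MANAGER, AbstractBrokerTest.ROLE_FRIENDLY_MANAGER);
        mapper.setIdentityProviderAlias(bc.getIDPAlias());
        adminClient.realm(bc.consumerRealmName())
                .identityProviders().get(bc.getIDPAlias())
                .addMapper(mapper)
                .close();
    }

    /**
     * With FORCE sync mode the consumer's role set is expected to follow the provider on
     * every login, not just the first.
     *
     * <p>NOTE(review): every role set asserted below comes from {@code providerUser}, i.e.
     * the provider-realm user whose realm roles this test itself adds and removes. The
     * assertions therefore pass independently of the broker's mapping; asserting on
     * {@link #consumerUser()} instead (as {@link #roleWithDots} does) would make this test
     * meaningful, but whether the friendly-manager role is mapped in this setup is not
     * visible from this class, so the original behaviour is preserved here.
     */
    @Test
    public void mapperUpdatesRolesOnEveryLogInForLegacyMode() {
        createRolesForRealm(bc.providerRealmName());
        createRolesForRealm(bc.consumerRealmName());
        createRoleMappersForConsumerRealm(IdentityProviderMapperSyncMode.FORCE);

        RoleRepresentation managerRole = providerRole(AbstractBrokerTest.ROLE_MANAGER);
        RoleRepresentation friendlyManagerRole = providerRole(AbstractBrokerTest.ROLE_FRIENDLY_MANAGER);
        RoleRepresentation userRole = providerRole(USER_ROLE);

        // First login: only "manager" is granted on the provider side.
        UserResource providerUser = providerUser();
        providerUser.roles().realmLevel().add(Collections.singletonList(managerRole));
        logInAsUserInIDPForFirstTime();

        Set<String> afterFirstLogin = realmRoleNames(providerUser);
        Assert.assertThat(afterFirstLogin, Matchers.hasItems(AbstractBrokerTest.ROLE_MANAGER));
        Assert.assertThat(afterFirstLogin, Matchers.not(Matchers.hasItems(USER_ROLE, AbstractBrokerTest.ROLE_FRIENDLY_MANAGER)));
        logoutFromRealm(BrokerTestTools.getConsumerRoot(), bc.consumerRealmName());

        // Second login: two more roles granted.
        providerUser.roles().realmLevel().add(Collections.singletonList(userRole));
        providerUser.roles().realmLevel().add(Collections.singletonList(friendlyManagerRole));
        logInAsUserInIDP();
        Assert.assertThat(realmRoleNames(providerUser),
                Matchers.hasItems(AbstractBrokerTest.ROLE_MANAGER, USER_ROLE, AbstractBrokerTest.ROLE_FRIENDLY_MANAGER));
        logoutFromRealm(BrokerTestTools.getConsumerRoot(), bc.consumerRealmName());

        // Third login: friendly-manager revoked again.
        providerUser.roles().realmLevel().remove(Collections.singletonList(friendlyManagerRole));
        logInAsUserInIDP();
        Set<String> afterRevocation = realmRoleNames(providerUser);
        Assert.assertThat(afterRevocation, Matchers.hasItems(AbstractBrokerTest.ROLE_MANAGER, USER_ROLE));
        Assert.assertThat(afterRevocation, Matchers.not(Matchers.hasItems(AbstractBrokerTest.ROLE_FRIENDLY_MANAGER)));

        logoutFromRealm(BrokerTestTools.getProviderRoot(), bc.providerRealmName());
        logoutFromRealm(BrokerTestTools.getConsumerRoot(), bc.consumerRealmName());
    }

    /**
     * Roles whose names contain dots ({@link AbstractBrokerTest#ROLE_USER_DOT_GUIDE}) and the
     * friendly-name attribute mapper are applied to the <em>consumer</em>-realm user and
     * follow the provider user across logins, including removal when the attribute is cleared.
     */
    @Test
    public void roleWithDots() {
        createRolesForRealm(bc.providerRealmName());
        createRolesForRealm(bc.consumerRealmName());
        createRoleMappersForConsumerRealm();

        RoleRepresentation managerRole = providerRole(AbstractBrokerTest.ROLE_MANAGER);
        RoleRepresentation userRole = providerRole(USER_ROLE);
        RoleRepresentation userDotGuideRole = providerRole(AbstractBrokerTest.ROLE_USER_DOT_GUIDE);

        UserResource providerUser = providerUser();
        providerUser.roles().realmLevel().add(Collections.singletonList(managerRole));
        logInAsUserInIDPForFirstTime();

        // The brokered user only exists in the consumer realm after the first login.
        UserResource consumerUser = consumerUser();
        Set<String> afterFirstLogin = realmRoleNames(consumerUser);
        Assert.assertThat(afterFirstLogin, Matchers.hasItems(AbstractBrokerTest.ROLE_MANAGER));
        Assert.assertThat(afterFirstLogin, Matchers.not(Matchers.hasItems(
                USER_ROLE, AbstractBrokerTest.ROLE_FRIENDLY_MANAGER, AbstractBrokerTest.ROLE_USER_DOT_GUIDE)));
        logoutFromRealm(BrokerTestTools.getConsumerRoot(), bc.consumerRealmName());

        // Grant two more roles and set the friendly-name attribute; note this replaces the
        // user's whole attribute map, not just the one key.
        UserRepresentation withFriendlyAttribute = providerUser.toRepresentation();
        withFriendlyAttribute.setAttributes(new HashMap<>());
        withFriendlyAttribute.getAttributes().put(KcSamlBrokerConfiguration.ATTRIBUTE_TO_MAP_FRIENDLY_NAME,
                Collections.singletonList(AbstractBrokerTest.ROLE_FRIENDLY_MANAGER));
        providerUser.update(withFriendlyAttribute);
        providerUser.roles().realmLevel().add(Collections.singletonList(userRole));
        providerUser.roles().realmLevel().add(Collections.singletonList(userDotGuideRole));
        logInAsUserInIDP();
        Assert.assertThat(realmRoleNames(consumerUser), Matchers.hasItems(
                AbstractBrokerTest.ROLE_MANAGER, USER_ROLE, AbstractBrokerTest.ROLE_USER_DOT_GUIDE, AbstractBrokerTest.ROLE_FRIENDLY_MANAGER));
        logoutFromRealm(BrokerTestTools.getConsumerRoot(), bc.consumerRealmName());

        // Clear all attributes: the friendly-manager role must disappear on the consumer side.
        UserRepresentation withoutAttributes = providerUser.toRepresentation();
        withoutAttributes.setAttributes(new HashMap<>());
        providerUser.update(withoutAttributes);
        logInAsUserInIDP();
        Set<String> afterAttributeRemoval = realmRoleNames(consumerUser);
        Assert.assertThat(afterAttributeRemoval, Matchers.hasItems(
                AbstractBrokerTest.ROLE_MANAGER, USER_ROLE, AbstractBrokerTest.ROLE_USER_DOT_GUIDE));
        Assert.assertThat(afterAttributeRemoval, Matchers.not(Matchers.hasItems(AbstractBrokerTest.ROLE_FRIENDLY_MANAGER)));

        logoutFromRealm(BrokerTestTools.getProviderRoot(), bc.providerRealmName());
        logoutFromRealm(BrokerTestTools.getConsumerRoot(), bc.consumerRealmName());
    }

    /**
     * Full brokered SAML login for an SP whose client id contains a dot; the consumer must
     * end up issuing a successful SAML response to it.
     */
    @Test
    public void loginClientWithDotsInName() throws Exception {
        SAMLDocumentHolder consumerResponse = new SamlClientBuilder()
                // SP -> consumer: AuthnRequest from the dotted client.
                .authnRequest(getConsumerSamlEndpoint(bc.consumerRealmName()), dottedClientAuthnRequest(), SamlClient.Binding.POST).build()
                // Consumer login page: pick the brokered IdP.
                .login().idp(bc.getIDPAlias()).build()
                // Consumer -> provider: forward the broker's AuthnRequest.
                .processSamlResponse(SamlClient.Binding.POST).targetAttributeSamlRequest().build()
                // Provider login page: authenticate the user.
                .login().user(bc.getUserLogin(), bc.getUserPassword()).build()
                // Provider -> consumer: post the provider's response back.
                .processSamlResponse(SamlClient.Binding.POST).build()
                // First-login profile review on the consumer.
                .updateProfile().firstName("a").lastName("b").email(bc.getUserEmail()).username(bc.getUserLogin()).build()
                .followOneRedirect()
                // Consumer -> SP: the final response.
                .getSamlResponse(SamlClient.Binding.POST);

        Assert.assertThat(consumerResponse, Matchers.notNullValue());
        Assert.assertThat(consumerResponse.getSamlObject(),
                org.keycloak.testsuite.util.Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
    }

    /**
     * The "empty-attribute-to-role-mapper" must grant {@link AbstractBrokerTest#EMPTY_ATTRIBUTE_ROLE}
     * when the provider's response carries {@link #EMPTY_ATTRIBUTE_NAME} with a null value.
     * The attribute is injected client-side into the provider's response before it is posted
     * to the consumer.
     *
     * <p>NOTE(review): the consumer accepts the modified response, which implies that in this
     * configuration it does not enforce a signature over the producer's assertion at this
     * point — confirm against {@link KcSamlBrokerConfiguration} before relying on that.
     */
    @Test
    public void emptyAttributeToRoleMapperTest() throws ParsingException, ConfigurationException, ProcessingException {
        createRolesForRealm(bc.consumerRealmName());
        createRoleMappersForConsumerRealm();

        SAMLDocumentHolder consumerResponse = new SamlClientBuilder()
                .authnRequest(getConsumerSamlEndpoint(bc.consumerRealmName()), dottedClientAuthnRequest(), SamlClient.Binding.POST).build()
                .login().idp(bc.getIDPAlias()).build()
                .processSamlResponse(SamlClient.Binding.POST).targetAttributeSamlRequest().build()
                .login().user(bc.getUserLogin(), bc.getUserPassword()).build()
                .processSamlResponse(SamlClient.Binding.POST)
                    .transformObject(samlObject -> {
                        Assert.assertThat(samlObject, org.keycloak.testsuite.util.Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
                        ResponseType providerResponse = (ResponseType) samlObject;
                        ResponseType.RTChoiceType firstAssertion = (ResponseType.RTChoiceType) providerResponse.getAssertions().get(0);
                        // Reuse the assertion's attribute statement if it has one, else start a fresh one.
                        AttributeStatementType attributes = firstAssertion.getAssertion().getStatements().stream()
                                .filter(AttributeStatementType.class::isInstance)
                                .map(AttributeStatementType.class::cast)
                                .findFirst()
                                .orElseGet(AttributeStatementType::new);
                        AttributeType emptyAttribute = new AttributeType(EMPTY_ATTRIBUTE_NAME);
                        emptyAttribute.addAttributeValue((Object) null);
                        attributes.addAttribute(new AttributeStatementType.ASTChoiceType(emptyAttribute));
                        firstAssertion.getAssertion().addStatement(attributes);
                        return samlObject;
                    })
                    .build()
                .updateProfile().firstName("a").lastName("b").email(bc.getUserEmail()).username(bc.getUserLogin()).build()
                .followOneRedirect()
                .getSamlResponse(SamlClient.Binding.POST);

        Assert.assertThat(consumerResponse, Matchers.notNullValue());
        Assert.assertThat(consumerResponse.getSamlObject(),
                org.keycloak.testsuite.util.Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));

        // The consumer's response to the SP must now list the mapped role in its role attribute.
        Set<String> mappedRoles = SamlStreams.attributesUnecrypted(
                        SamlStreams.attributeStatements(SamlStreams.assertionsUnencrypted(consumerResponse.getSamlObject())))
                .filter(attribute -> attribute.getName().equals(RoleMapperTest.ROLE_ATTRIBUTE_NAME))
                .flatMap(attribute -> attribute.getAttributeValue().stream())
                .map(Object::toString)
                .collect(Collectors.toSet());
        Assert.assertThat(mappedRoles, Matchers.hasItems(AbstractBrokerTest.EMPTY_ATTRIBUTE_ROLE));
    }

    /** A provider response whose InResponseTo was altered must be rejected with 400. */
    @Test
    public void loginInResponseToMismatch() throws Exception {
        assertProviderResponseRejected(this::tamperInResponseTo);
    }

    /** A provider response with no InResponseTo at all must be rejected with 400. */
    @Test
    public void loginInResponseToMissing() throws Exception {
        assertProviderResponseRejected(this::removeInResponseTo);
    }

    /** A provider response with an empty InResponseTo must be rejected with 400. */
    @Test
    public void loginInResponseToEmpty() throws Exception {
        assertProviderResponseRejected(this::clearInResponseTo);
    }

    // ---- helpers ---------------------------------------------------------------------

    /**
     * Runs the brokered login up to the provider's response, applies {@code tamper} to that
     * response document and posts it to the consumer, asserting the consumer answers
     * {@code 400 Bad Request}. This is the check that the broker binds a response to the
     * AuthnRequest it issued (the InResponseTo / request-id correlation) instead of
     * accepting any well-formed response.
     *
     * @param tamper mutation applied to the provider's response document before it is posted
     */
    private void assertProviderResponseRejected(UnaryOperator<Document> tamper) throws Exception {
        new SamlClientBuilder()
                .authnRequest(getConsumerSamlEndpoint(bc.consumerRealmName()), dottedClientAuthnRequest(), SamlClient.Binding.POST).build()
                .login().idp(bc.getIDPAlias()).build()
                .processSamlResponse(SamlClient.Binding.POST).targetAttributeSamlRequest().build()
                .login().user(bc.getUserLogin(), bc.getUserPassword()).build()
                .processSamlResponse(SamlClient.Binding.POST).transformDocument(tamper::apply).build()
                .execute(httpResponse -> Assert.assertThat(httpResponse,
                        org.keycloak.testsuite.util.Matchers.statusCodeIsHC(Response.Status.BAD_REQUEST)));
    }

    /**
     * AuthnRequest document issued by the dotted SP client against the consumer's ACS path.
     */
    private Document dottedClientAuthnRequest() throws ConfigurationException, ParsingException, ProcessingException {
        return SAML2Request.convert(SamlClient.createLoginRequestDocument(
                DOTTED_SALES_POST_CLIENT, BrokerTestTools.getConsumerRoot() + SALES_POST_ACS_PATH, (URI) null));
    }

    /**
     * Builds a {@code saml-role-idp-mapper} representation.
     *
     * @param name           mapper name
     * @param syncMode       value of the {@code syncMode} config key
     * @param attributeKey   config key selecting how the attribute is matched
     *                       ({@code attribute.name} or {@code attribute.friendly.name})
     * @param attributeName  attribute name / friendly name to match
     * @param attributeValue attribute value to match (may be empty)
     * @param role           consumer-realm role granted on a match
     */
    private static IdentityProviderMapperRepresentation roleMapper(String name, IdentityProviderMapperSyncMode syncMode,
            String attributeKey, String attributeName, String attributeValue, String role) {
        IdentityProviderMapperRepresentation mapper = new IdentityProviderMapperRepresentation();
        mapper.setName(name);
        mapper.setIdentityProviderMapper(SAML_ROLE_IDP_MAPPER);
        mapper.setConfig(ImmutableMap.<String, String>builder()
                .put("syncMode", syncMode.toString())
                .put(attributeKey, attributeName)
                .put("attribute.value", attributeValue)
                .put("role", role)
                .build());
        return mapper;
    }

    /** Names of the realm-level roles currently assigned to {@code user}. */
    private static Set<String> realmRoleNames(UserResource user) {
        return user.roles().realmLevel().listAll().stream()
                .map(RoleRepresentation::getName)
                .collect(Collectors.toSet());
    }

    /** Representation of the provider-realm role {@code roleName}. */
    private RoleRepresentation providerRole(String roleName) {
        return adminClient.realm(bc.providerRealmName()).roles().get(roleName).toRepresentation();
    }

    /** The test user in the provider realm ({@code userId} is set up by the base class). */
    private UserResource providerUser() {
        return adminClient.realm(bc.providerRealmName()).users().get(userId);
    }

    /**
     * The brokered copy of the test user in the consumer realm, located by username search.
     * Only valid after the user has logged in through the broker at least once.
     */
    private UserResource consumerUser() {
        UserRepresentation found = adminClient.realm(bc.consumerRealmName()).users()
                .search(bc.getUserLogin()).iterator().next();
        return adminClient.realm(bc.consumerRealmName()).users().get(found.getId());
    }

    /** Local name of the {@code InResponseTo} attribute on the response root element. */
    private static String inResponseToAttribute() {
        return SAMLProtocolQNames.ATTR_IN_RESPONSE_TO.getQName().getLocalPart();
    }

    /** Prefixes the root element's InResponseTo so it no longer matches the request id. */
    private Document tamperInResponseTo(Document document) {
        Element root = document.getDocumentElement();
        String attribute = inResponseToAttribute();
        root.setAttribute(attribute, "TAMPERED_" + root.getAttribute(attribute));
        return document;
    }

    /** Drops the root element's InResponseTo attribute entirely. */
    private Document removeInResponseTo(Document document) {
        document.getDocumentElement().removeAttribute(inResponseToAttribute());
        return document;
    }

    /** Leaves InResponseTo present but empty. */
    private Document clearInResponseTo(Document document) {
        document.getDocumentElement().setAttribute(inResponseToAttribute(), "");
        return document;
    }
}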
