package org.keycloak.testsuite.oauth;

import java.util.LinkedList;
import java.util.List;
import org.apache.http.NameValuePair;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.message.BasicNameValuePair;
import org.jboss.logging.Logger;
import org.junit.Assert;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.adapters.authentication.JWTClientSecretCredentialsProvider;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.common.util.KeycloakUriBuilder;
import org.keycloak.common.util.UriUtils;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.EventRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.AbstractAdminTest;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.util.OAuthClient;

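/**
 * Integration tests for the {@code client_secret_jwt} client authentication method at the token
 * endpoint: the client authenticates with a JWT sent as the {@code client_assertion} form parameter
 * and HMAC-signed with its client secret.
 *
 * <p>The realm under test is loaded from {@code /client-auth-test/testrealm-jwt-client-secret.json}.
 * Every test logs in with the default client and then exchanges the authorization code for tokens
 * by posting the form parameters directly (see {@link #doAccessTokenRequest}), so that tampered or
 * replayed assertions can be produced on purpose. The tests cover the checks a token endpoint must
 * perform on such an assertion: signature validity, issuer, single use, and the signing algorithm
 * the client is configured to require.
 */
@AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
public class ClientAuthSecretSignedJWTTest extends AbstractKeycloakTest {
    private static final Logger logger = Logger.getLogger(ClientAuthSecretSignedJWTTest.class);

    /** Client assertion type for JWT bearer client authentication (RFC 7523, section 2.2). */
    private static final String JWT_BEARER_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";

    /** Signing algorithm used by tests that do not care about the algorithm. */
    private static final String DEFAULT_ALG = "HS256";

    /** Realm defined by the test realm JSON. */
    private static final String TEST_REALM = "test";

    /** Secret of the default client in the test realm; also the test user's password. */
    private static final String CLIENT_SECRET = "password";

    @Rule
    public AssertEvents events = new AssertEvents(this);

    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void beforeAbstractKeycloakTest() throws Exception {
        super.beforeAbstractKeycloakTest();
    }

    /**
     * Registers the realm this test runs against.
     *
     * @param testRealms list the realm representation is appended to
     */
    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void addTestRealms(List<RealmRepresentation> testRealms) {
        testRealms.add(AbstractAdminTest.loadJson(
                getClass().getResourceAsStream("/client-auth-test/testrealm-jwt-client-secret.json"),
                RealmRepresentation.class));
    }

    @Test
    public void testCodeToTokenRequestSuccess() throws Exception {
        testCodeToTokenRequestSuccess("HS256");
    }

    @Test
    public void testCodeToTokenRequestSuccessHS384() throws Exception {
        testCodeToTokenRequestSuccess("HS384");
    }

    @Test
    public void testCodeToTokenRequestSuccessHS512() throws Exception {
        testCodeToTokenRequestSuccess("HS512");
    }

    /**
     * An assertion whose {@code iss} claim is not the client id must be rejected with
     * {@code invalid_client}, even though its signature is valid.
     */
    @Test
    public void testInvalidIssuer() throws Exception {
        oauth.clientId(AssertEvents.DEFAULT_CLIENT_ID);
        oauth.doLogin(AssertEvents.DEFAULT_USERNAME, CLIENT_SECRET);
        String code = currentCode();

        // Correctly signed assertion with a forged issuer: only the claim check can reject it.
        JWTClientSecretCredentialsProvider badIssuerProvider = new JWTClientSecretCredentialsProvider() {
            @Override
            protected JsonWebToken createRequestToken(String clientId, String realmInfoUrl) {
                JsonWebToken token = super.createRequestToken(clientId, realmInfoUrl);
                token.issuer("bad-issuer");
                return token;
            }
        };
        badIssuerProvider.setClientSecret(CLIENT_SECRET, DEFAULT_ALG);
        String assertion = badIssuerProvider.createSignedRequestToken(oauth.getClientId(), getRealmInfoUrl(), DEFAULT_ALG);

        OAuthClient.AccessTokenResponse response = doAccessTokenRequest(code, assertion);
        Assert.assertEquals(400L, response.getStatusCode());
        Assert.assertEquals("invalid_client", response.getError());
    }

    /**
     * When the client is configured to require HS384 for its token-endpoint assertions, an
     * HS384-signed assertion is accepted. (Despite the method name this is the positive case;
     * the negative case is {@link #testCodeToTokenRequestFailureHS512Enforced}.)
     */
    @Test
    public void testCodeToTokenRequestFailureHS384Enforced() throws Exception {
        try {
            setTokenEndpointAuthSigningAlg("HS384");
            testCodeToTokenRequestSuccess("HS384");
        } finally {
            // Always restore the client config so the enforced algorithm does not leak into other tests.
            setTokenEndpointAuthSigningAlg(null);
        }
    }

    /**
     * When the client is configured to require HS512, an assertion signed with HS256 is rejected
     * with {@code invalid_client}: the algorithm the server expects is decided by client
     * configuration, not by the {@code alg} header of the presented token.
     */
    @Test
    public void testCodeToTokenRequestFailureHS512Enforced() throws Exception {
        try {
            setTokenEndpointAuthSigningAlg("HS512");

            oauth.clientId(AssertEvents.DEFAULT_CLIENT_ID);
            oauth.doLogin(AssertEvents.DEFAULT_USERNAME, CLIENT_SECRET);
            events.expectLogin().client(AssertEvents.DEFAULT_CLIENT_ID).assertEvent();

            OAuthClient.AccessTokenResponse response =
                    doAccessTokenRequest(currentCode(), getClientSignedJWT(CLIENT_SECRET, "HS256"));
            Assert.assertEquals(400L, response.getStatusCode());
            Assert.assertEquals("invalid_client", response.getError());
        } finally {
            setTokenEndpointAuthSigningAlg(null);
        }
    }

    /**
     * Logs in, exchanges the code with an assertion signed using {@code alg}, and checks the
     * tokens plus the CODE_TO_TOKEN event carrying {@code client_auth_method=client-secret-jwt}.
     *
     * @param alg HMAC algorithm used to sign the client assertion
     */
    private void testCodeToTokenRequestSuccess(String alg) throws Exception {
        oauth.clientId(AssertEvents.DEFAULT_CLIENT_ID);
        oauth.doLogin(AssertEvents.DEFAULT_USERNAME, CLIENT_SECRET);
        EventRepresentation loginEvent = events.expectLogin().client(AssertEvents.DEFAULT_CLIENT_ID).assertEvent();

        OAuthClient.AccessTokenResponse response =
                doAccessTokenRequest(currentCode(), getClientSignedJWT(CLIENT_SECRET, alg));
        Assert.assertEquals(200L, response.getStatusCode());
        oauth.verifyToken(response.getAccessToken());
        oauth.parseRefreshToken(response.getRefreshToken());

        events.expectCodeToToken((String) loginEvent.getDetails().get("code_id"), loginEvent.getSessionId())
                .client(oauth.getClientId())
                .detail("client_auth_method", "client-secret-jwt")
                .assertEvent();
    }

    /** An assertion signed with the wrong secret is rejected with {@code unauthorized_client}. */
    @Test
    public void testAssertionInvalidSignature() throws Exception {
        oauth.clientId(AssertEvents.DEFAULT_CLIENT_ID);
        oauth.doLogin(AssertEvents.DEFAULT_USERNAME, CLIENT_SECRET);
        events.expectLogin().client(AssertEvents.DEFAULT_CLIENT_ID).assertEvent();

        OAuthClient.AccessTokenResponse response =
                doAccessTokenRequest(currentCode(), getClientSignedJWT("ppassswordd"));
        Assert.assertEquals(400L, response.getStatusCode());
        Assert.assertEquals("unauthorized_client", response.getError());
    }

    /**
     * A client assertion is single use: presenting the same (still valid) assertion for a second
     * code exchange is rejected and recorded as an {@code invalid_client_credentials} error event.
     */
    @Test
    public void testAssertionReuse() throws Exception {
        oauth.clientId(AssertEvents.DEFAULT_CLIENT_ID);
        oauth.doLogin(AssertEvents.DEFAULT_USERNAME, CLIENT_SECRET);
        EventRepresentation firstLogin = events.expectLogin().client(AssertEvents.DEFAULT_CLIENT_ID).assertEvent();

        String firstCode = currentCode();
        String assertion = getClientSignedJWT(CLIENT_SECRET);
        Assert.assertEquals(200L, doAccessTokenRequest(firstCode, assertion).getStatusCode());
        events.expectCodeToToken((String) firstLogin.getDetails().get("code_id"), firstLogin.getSessionId())
                .client(oauth.getClientId())
                .detail("client_auth_method", "client-secret-jwt")
                .assertEvent();

        // Second login (existing SSO session), then replay the very same assertion.
        oauth.openLoginForm();
        EventRepresentation secondLogin = events.expectLogin().client(AssertEvents.DEFAULT_CLIENT_ID).assertEvent();
        OAuthClient.AccessTokenResponse response = doAccessTokenRequest(currentCode(), assertion);

        events.expectCodeToToken((String) secondLogin.getDetails().get("code_id"), secondLogin.getSessionId())
                .error("invalid_client_credentials")
                .clearDetails()
                .user((String) null)
                .session((String) null)
                .assertEvent();
        Assert.assertEquals(400L, response.getStatusCode());
        Assert.assertEquals("unauthorized_client", response.getError());
    }

    /** Returns the {@code code} query parameter of the page the OAuth client is currently on. */
    private String currentCode() {
        return (String) oauth.getCurrentQuery().get("code");
    }

    /**
     * Sets (or, with {@code null}, clears) the signing algorithm the default client requires for
     * token-endpoint authentication, via the admin API.
     *
     * @param alg algorithm name such as {@code "HS384"}, or {@code null} to remove the restriction
     */
    private void setTokenEndpointAuthSigningAlg(String alg) {
        ClientResource client = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM), AssertEvents.DEFAULT_CLIENT_ID);
        ClientRepresentation rep = client.toRepresentation();
        OIDCAdvancedConfigWrapper.fromClientRepresentation(rep).setTokenEndpointAuthSigningAlg(alg);
        client.update(rep);
    }

    /** Builds a client assertion signed with {@code secret} using {@link #DEFAULT_ALG}. */
    private String getClientSignedJWT(String secret) {
        return getClientSignedJWT(secret, DEFAULT_ALG);
    }

    /**
     * Builds a client assertion for the current client, signed with {@code secret} using the given
     * HMAC algorithm. The assertion's lifetime is whatever the provider's default is; no timeout is
     * passed here.
     *
     * @param secret shared client secret used as the HMAC key
     * @param alg    HMAC algorithm name (HS256, HS384, HS512)
     * @return the compact-serialized signed JWT
     */
    private String getClientSignedJWT(String secret, String alg) {
        JWTClientSecretCredentialsProvider provider = new JWTClientSecretCredentialsProvider();
        provider.setClientSecret(secret, alg);
        return provider.createSignedRequestToken(oauth.getClientId(), getRealmInfoUrl(), alg);
    }

    /**
     * URL of the test realm, derived from the origin of the redirect URI. It is passed to the
     * credentials provider as the realm info URL; presumably it ends up as the assertion's audience
     * (the token endpoint issuer) — confirm in JWTClientSecretCredentialsProvider.
     */
    private String getRealmInfoUrl() {
        return KeycloakUriBuilder.fromUri(UriUtils.getOrigin(oauth.getRedirectUri()) + "/auth")
                .path("/realms/{realm-name}")
                .build(TEST_REALM)
                .toString();
    }

    /**
     * Exchanges an authorization code for tokens using JWT bearer client authentication, posting the
     * form parameters by hand so the assertion can be arbitrary.
     *
     * @param code      authorization code from the login redirect
     * @param assertion client assertion JWT to present as {@code client_assertion}
     * @return parsed token endpoint response (status, error, tokens)
     */
    private OAuthClient.AccessTokenResponse doAccessTokenRequest(String code, String assertion) throws Exception {
        List<NameValuePair> params = new LinkedList<>();
        params.add(new BasicNameValuePair("grant_type", "authorization_code"));
        params.add(new BasicNameValuePair("code", code));
        params.add(new BasicNameValuePair("redirect_uri", oauth.getRedirectUri()));
        params.add(new BasicNameValuePair("client_assertion_type", JWT_BEARER_ASSERTION_TYPE));
        params.add(new BasicNameValuePair("client_assertion", assertion));
        return new OAuthClient.AccessTokenResponse(sendRequest(oauth.getAccessTokenUrl(), params));
    }

    /**
     * Posts {@code params} as a URL-encoded form to {@code requestUrl} with a throwaway HTTP client.
     *
     * @param requestUrl absolute URL to post to
     * @param params     form parameters
     * @return the raw response; the caller owns it
     */
    private CloseableHttpResponse sendRequest(String requestUrl, List<NameValuePair> params) throws Exception {
        DefaultHttpClient client = new DefaultHttpClient();
        try {
            HttpPost post = new HttpPost(requestUrl);
            post.setEntity(new UrlEncodedFormEntity(params, "UTF-8"));
            return client.execute(post);
        } finally {
            // Release the client's connection resources on every path, including exceptions.
            oauth.closeClient(client);
        }
    }
}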
