package org.keycloak.testsuite.saml;

import java.io.IOException;
import java.net.URI;
import java.security.KeyPair;
import java.util.Objects;
import java.util.UUID;
import java.util.concurrent.atomic.AtomicReference;
import java.util.stream.Stream;
import javax.ws.rs.core.Response;
import javax.xml.datatype.XMLGregorianCalendar;
import javax.xml.namespace.QName;
import org.apache.http.Header;
import org.hamcrest.MatcherAssert;
import org.junit.Assert;
import org.junit.Test;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.UsersResource;
import org.keycloak.dom.saml.v2.SAML2Object;
import org.keycloak.dom.saml.v2.assertion.AssertionType;
import org.keycloak.dom.saml.v2.assertion.AttributeStatementType;
import org.keycloak.dom.saml.v2.assertion.AttributeType;
import org.keycloak.dom.saml.v2.assertion.ConditionsType;
import org.keycloak.dom.saml.v2.assertion.NameIDType;
import org.keycloak.dom.saml.v2.assertion.SubjectType;
import org.keycloak.dom.saml.v2.protocol.AuthnRequestType;
import org.keycloak.dom.saml.v2.protocol.NameIDPolicyType;
import org.keycloak.dom.saml.v2.protocol.ResponseType;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.protocol.saml.SamlPrincipalType;
import org.keycloak.representations.idm.AuthenticationExecutionInfoRepresentation;
import org.keycloak.representations.idm.IdentityProviderRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.saml.BaseSAML2BindingBuilder;
import org.keycloak.saml.SAML2LoginResponseBuilder;
import org.keycloak.saml.SignatureAlgorithm;
import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
import org.keycloak.saml.common.exceptions.ConfigurationException;
import org.keycloak.saml.common.exceptions.ProcessingException;
import org.keycloak.saml.processing.core.parsers.saml.xmldsig.XmlDSigQNames;
import org.keycloak.saml.processing.core.parsers.util.HasQName;
import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder;
import org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil;
import org.keycloak.testsuite.updaters.IdentityProviderCreator;
import org.keycloak.testsuite.util.IdentityProviderBuilder;
import org.keycloak.testsuite.util.Matchers;
import org.keycloak.testsuite.util.SamlClient;
import org.keycloak.testsuite.util.SamlClientBuilder;
import org.w3c.dom.DOMException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/* Decompiled from input_file:org/keycloak/testsuite/saml/BrokerTest.class -- this listing is decompiler output, not the original source file. */
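/**
 * Tests of Keycloak acting as a SAML <em>broker</em>: it is the IdP of the {@code sales-post} client
 * and, at the same time, a service provider of an external SAML identity provider.
 * <p>
 * No real external IdP is involved. Every test lets the broker emit its AuthnRequest towards the
 * unreachable {@code https://saml.idp/...} URL, intercepts that request with the test client and
 * replaces it by a synthesized login response ({@link #createAuthnResponse(SAML2Object)}), which is
 * then posted back to the broker endpoint as if the IdP had answered.
 * <p>
 * Security properties exercised here: the {@code InResponseTo} correlation of the final response,
 * enforcement of the requested NameID format, enforcement of the assertion validity window
 * ({@code NotBefore}/{@code NotOnOrAfter}) and robustness of signature handling against foreign
 * namespaced content inside {@code ds:KeyInfo}.
 */
public class BrokerTest extends AbstractSamlTest {

    /** Prefix of the foreign namespace injected into the signature by {@link #testAnyNamespacePreservedInContext()}. */
    private static final String XMLNS_VETINARI = "vetinari";
    private static final String NS_VETINARI = "urn:dw:am:havelock";

    /** Entity ID the synthesized IdP responses claim as their issuer. */
    private static final String MOCK_IDP_ISSUER = "https://saml.idp/saml";

    /**
     * Builds the (not yet persisted) representation of the SAML identity provider under test.
     * <p>
     * Both the SSO and the SLO endpoint point at {@code serviceUrl}; the REDIRECT binding is selected in
     * both directions so the test client can read the broker's AuthnRequest from the {@code Location}
     * header. NOTE(review): {@code validateSignature} is not configured here, so the server default decides
     * whether the unsigned responses produced by {@link #createAuthnResponse(SAML2Object)} are accepted;
     * that default is not visible in this file.
     *
     * @param serviceUrl URL used as both {@code singleSignOnServiceUrl} and {@code singleLogoutServiceUrl}
     * @return IdP representation aliased {@link AbstractSamlTest#SAML_BROKER_ALIAS}
     */
    private IdentityProviderRepresentation addIdentityProvider(String serviceUrl) {
        return IdentityProviderBuilder.create()
                .providerId("saml")
                .alias(AbstractSamlTest.SAML_BROKER_ALIAS)
                .displayName("SAML")
                .setAttribute("singleSignOnServiceUrl", serviceUrl)
                .setAttribute("singleLogoutServiceUrl", serviceUrl)
                .setAttribute("nameIDPolicyFormat", JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.get())
                .setAttribute("postBindingResponse", "false")
                .setAttribute("postBindingAuthnRequest", "false")
                .setAttribute("backchannelSupported", "false")
                .build();
    }

    /**
     * Plays the external IdP: converts the AuthnRequest the broker sent into a successful login
     * {@link ResponseType} addressed to the broker's assertion consumer URL.
     * <p>
     * The response is built without a signature and carries one {@code mail} attribute ({@code v@w.x}).
     * The expiration values are deliberately generous so nothing expires while a test is running (the
     * unit is whatever {@link SAML2LoginResponseBuilder} interprets them as).
     *
     * @param samlObject the broker's AuthnRequest; must be an {@link AuthnRequestType}
     * @return the synthesized response model
     * @throws RuntimeException wrapping a {@link ConfigurationException} or {@link ProcessingException}
     */
    private SAML2Object createAuthnResponse(SAML2Object samlObject) {
        AuthnRequestType authnRequest = (AuthnRequestType) samlObject;
        try {
            ResponseType response = new SAML2LoginResponseBuilder()
                    .requestID(authnRequest.getID())
                    .destination(authnRequest.getAssertionConsumerServiceURL().toString())
                    .issuer(MOCK_IDP_ISSUER)
                    .assertionExpiration(1000000)
                    .subjectExpiration(1000000)
                    .requestIssuer(getAuthServerRealmBase(AbstractSamlTest.REALM_NAME).toString())
                    .sessionIndex("idp:" + UUID.randomUUID())
                    .buildModel();

            AttributeType mail = new AttributeType("mail");
            mail.addAttributeValue("v@w.x");
            firstAssertion(response).addStatement(singleAttributeStatement(mail));
            return response;
        } catch (ConfigurationException | ProcessingException e) {
            throw new RuntimeException(e);
        }
    }

    /** Returns the first assertion of {@code response}; every call site works on index 0 only. */
    private static AssertionType firstAssertion(ResponseType response) {
        return ((ResponseType.RTChoiceType) response.getAssertions().get(0)).getAssertion();
    }

    /** Wraps a single attribute into its own {@code AttributeStatement}. */
    private static AttributeStatementType singleAttributeStatement(AttributeType attribute) {
        AttributeStatementType statement = new AttributeStatementType();
        statement.addAttribute(new AttributeStatementType.ASTChoiceType(attribute));
        return statement;
    }

    /**
     * Locates the "review profile" execution ({@code idp-review-profile}) in the given flow.
     *
     * @throws AssertionError if the flow has no such execution
     */
    private static AuthenticationExecutionInfoRepresentation findReviewProfileExecution(RealmResource realm, String flowAlias) {
        return realm.flows().getExecutions(flowAlias).stream()
                .filter(execution -> Objects.equals(execution.getProviderId(), "idp-review-profile"))
                .findFirst()
                .orElseThrow(() -> new AssertionError("Could not find update profile in first broker login flow"));
    }

    /** Sets the requirement of {@code execution} inside {@code flowAlias} and persists it. */
    private static void setRequirement(RealmResource realm, String flowAlias,
            AuthenticationExecutionInfoRepresentation execution, AuthenticationExecutionModel.Requirement requirement) {
        execution.setRequirement(requirement.name());
        realm.flows().updateExecutions(flowAlias, execution);
    }

    /**
     * Brokered login where the SP's AuthnRequest demands the e-mail NameID format.
     * <p>
     * With the "review profile" step disabled, the broker cannot satisfy that policy for the user it
     * creates from the mock IdP's response (presumably because no e-mail is collected; the exact cause is
     * not visible here), so the response finally returned to the SP must carry the
     * Responder / InvalidNameIDPolicy status pair. The flow modification is reverted afterwards.
     * NOTE(review): despite its name, nothing in this test performs a logout.
     */
    @Test
    public void testLogoutPropagatesToSamlIdentityProvider() throws IOException {
        RealmResource realm = this.adminClient.realm(AbstractSamlTest.REALM_NAME);
        AuthenticationExecutionInfoRepresentation reviewProfile = null;
        String firstBrokerLoginFlowAlias = null;
        try (IdentityProviderCreator idp = new IdentityProviderCreator(realm, addIdentityProvider("https://saml.idp/saml"))) {
            firstBrokerLoginFlowAlias = idp.identityProvider().toRepresentation().getFirstBrokerLoginFlowAlias();
            reviewProfile = findReviewProfileExecution(realm, firstBrokerLoginFlowAlias);
            setRequirement(realm, firstBrokerLoginFlowAlias, reviewProfile, AuthenticationExecutionModel.Requirement.DISABLED);

            SAML2Object finalResponse = new SamlClientBuilder()
                    .authnRequest(getAuthServerSamlEndpoint(AbstractSamlTest.REALM_NAME), AbstractSamlTest.SAML_CLIENT_ID_SALES_POST,
                            SAML_ASSERTION_CONSUMER_URL_SALES_POST, SamlClient.Binding.POST)
                        .transformObject(authnRequest -> {
                            // The SP insists on an e-mail NameID.
                            NameIDPolicyType nameIdPolicy = new NameIDPolicyType();
                            nameIdPolicy.setAllowCreate(Boolean.TRUE);
                            nameIdPolicy.setFormat(JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.getUri());
                            authnRequest.setNameIDPolicy(nameIdPolicy);
                            return authnRequest;
                        })
                        .build()
                    .login().idp(AbstractSamlTest.SAML_BROKER_ALIAS).build()
                    // The IdP never runs: its AuthnRequest is rewritten into a canned response for the broker.
                    .processSamlResponse(SamlClient.Binding.REDIRECT)
                        .transformObject(this::createAuthnResponse)
                        .targetAttributeSamlResponse()
                        .targetUri(getSamlBrokerUrl(AbstractSamlTest.REALM_NAME))
                        .build()
                    .followOneRedirect()
                    .followOneRedirect()
                    .getSamlResponse(SamlClient.Binding.POST)
                    .getSamlObject();

            MatcherAssert.assertThat(finalResponse, Matchers.isSamlStatusResponse(
                    new JBossSAMLURIConstants[]{JBossSAMLURIConstants.STATUS_RESPONDER, JBossSAMLURIConstants.STATUS_INVALID_NAMEIDPOLICY}));
        } finally {
            // Restore the flow only when it was actually changed. An early failure (IdP creation, flow lookup)
            // leaves these null; dereferencing them here would mask the real exception with an NPE.
            if (reviewProfile != null && firstBrokerLoginFlowAlias != null) {
                setRequirement(realm, firstBrokerLoginFlowAlias, reviewProfile, AuthenticationExecutionModel.Requirement.REQUIRED);
            }
        }
    }

    /**
     * The response the SP finally receives must reference the SP's own AuthnRequest ID in
     * {@code InResponseTo}, not the ID of the request the broker sent to the IdP.
     * Users created along the way are removed afterwards.
     */
    @Test
    public void testInResponseToSetCorrectly() throws IOException {
        RealmResource realm = this.adminClient.realm(AbstractSamlTest.REALM_NAME);
        try (IdentityProviderCreator idp = new IdentityProviderCreator(realm, addIdentityProvider("https://saml.idp/saml"))) {
            AtomicReference<String> spRequestId = new AtomicReference<>();
            SAMLDocumentHolder samlResponse = new SamlClientBuilder()
                    .authnRequest(getAuthServerSamlEndpoint(AbstractSamlTest.REALM_NAME), AbstractSamlTest.SAML_CLIENT_ID_SALES_POST,
                            SAML_ASSERTION_CONSUMER_URL_SALES_POST, SamlClient.Binding.POST)
                        .transformObject(authnRequest -> {
                            spRequestId.set(authnRequest.getID());
                            return authnRequest;
                        })
                        .build()
                    .login().idp(AbstractSamlTest.SAML_BROKER_ALIAS).build()
                    .processSamlResponse(SamlClient.Binding.REDIRECT)
                        .transformObject(this::createAuthnResponse)
                        .targetAttributeSamlResponse()
                        .targetUri(getSamlBrokerUrl(AbstractSamlTest.REALM_NAME))
                        .build()
                    .followOneRedirect()
                    // first-broker-login "review profile" page
                    .updateProfile().username("userInResponseTo").email("f@g.h").firstName("a").lastName("b").build()
                    .followOneRedirect()
                    .getSamlResponse(SamlClient.Binding.POST);

            MatcherAssert.assertThat(samlResponse.getSamlObject(),
                    Matchers.isSamlStatusResponse(new JBossSAMLURIConstants[]{JBossSAMLURIConstants.STATUS_SUCCESS}));
            ResponseType finalResponse = (ResponseType) samlResponse.getSamlObject();
            MatcherAssert.assertThat(finalResponse.getInResponseTo(), org.hamcrest.Matchers.is(spRequestId.get()));
        } finally {
            clearUsers(realm);
        }
    }

    /** Deletes every user of the realm. */
    private void clearUsers(RealmResource realmResource) {
        UsersResource users = realmResource.users();
        users.list().stream()
                .map(UserRepresentation::getId)
                .map(users::get)
                .forEach(userResource -> userResource.remove());
    }

    /**
     * Principal taken from an assertion attribute when the assertion carries no Subject/NameID at all.
     * <p>
     * The IdP is configured with {@code principalType=ATTRIBUTE} on attribute {@code user}; the mock
     * response has its Subject sub-type removed and a {@code user} attribute added instead. After the
     * profile has been completed, exactly one user session must exist for the brokered user.
     */
    @Test
    public void testNoNameIDAndPrincipalFromAttribute() throws IOException {
        String username = "newUser-" + UUID.randomUUID();
        RealmResource realm = this.adminClient.realm(AbstractSamlTest.REALM_NAME);

        IdentityProviderRepresentation idpRepresentation = addIdentityProvider("https://saml.idp/");
        idpRepresentation.getConfig().put("nameIDPolicyFormat", "undefined");
        idpRepresentation.getConfig().put("principalType", SamlPrincipalType.ATTRIBUTE.toString());
        idpRepresentation.getConfig().put("principalAttribute", "user");

        try (IdentityProviderCreator idp = new IdentityProviderCreator(realm, idpRepresentation)) {
            new SamlClientBuilder()
                    .authnRequest(getAuthServerSamlEndpoint(AbstractSamlTest.REALM_NAME), AbstractSamlTest.SAML_CLIENT_ID_SALES_POST,
                            SAML_ASSERTION_CONSUMER_URL_SALES_POST, SamlClient.Binding.POST)
                        .build()
                    .login().idp(AbstractSamlTest.SAML_BROKER_ALIAS).build()
                    .processSamlResponse(SamlClient.Binding.REDIRECT)
                        .transformObject(this::createAuthnResponse)
                        .transformObject(samlObject -> {
                            ResponseType response = (ResponseType) samlObject;
                            AssertionType assertion = firstAssertion(response);
                            // Drop the NameID entirely; the broker has to fall back to the configured attribute.
                            assertion.getSubject().setSubType((SubjectType.STSubType) null);
                            AttributeType user = new AttributeType("user");
                            user.addAttributeValue(username);
                            assertion.addStatement(singleAttributeStatement(user));
                            return response;
                        })
                        .targetAttributeSamlResponse()
                        .targetUri(getSamlBrokerUrl(AbstractSamlTest.REALM_NAME))
                        .build()
                    .followOneRedirect()
                    .updateProfile().username(username).firstName("someFirstName").lastName("someLastName").email("some@email.com").build()
                    .followOneRedirect()
                    .assertResponse(Matchers.statusCodeIsHC(200))
                    .execute();
        }

        UserRepresentation brokeredUser = realm.users().search(username).stream()
                .findFirst()
                .orElseThrow(() -> new AssertionError("Brokered user was not created: " + username));
        MatcherAssert.assertThat(realm.users().get(brokeredUser.getId()).getUserSessions(), org.hamcrest.Matchers.hasSize(1));
    }

    /**
     * Query parameters of the IdP's SSO URL must survive both in the AuthnRequest's {@code Destination}
     * and in the {@code Location} header that sends the browser to the IdP.
     */
    @Test
    public void testRedirectQueryParametersPreserved() throws IOException {
        String ssoUrl = "https://saml.idp/?service=name&serviceType=prod";
        RealmResource realm = this.adminClient.realm(AbstractSamlTest.REALM_NAME);
        try (IdentityProviderCreator idp = new IdentityProviderCreator(realm, addIdentityProvider(ssoUrl))) {
            SAMLDocumentHolder brokerRequest = new SamlClientBuilder()
                    .authnRequest(getAuthServerSamlEndpoint(AbstractSamlTest.REALM_NAME), AbstractSamlTest.SAML_CLIENT_ID_SALES_POST,
                            SAML_ASSERTION_CONSUMER_URL_SALES_POST, SamlClient.Binding.POST)
                        .build()
                    .login().idp(AbstractSamlTest.SAML_BROKER_ALIAS).build()
                    .getSamlResponse(SamlClient.Binding.REDIRECT);
            MatcherAssert.assertThat(brokerRequest.getSamlObject(), org.hamcrest.Matchers.instanceOf(AuthnRequestType.class));
            AuthnRequestType authnRequest = (AuthnRequestType) brokerRequest.getSamlObject();
            MatcherAssert.assertThat(authnRequest.getDestination(), org.hamcrest.Matchers.equalTo(URI.create(ssoUrl)));

            // Same flow again, this time keeping the raw redirect so the Location header can be inspected.
            Header[] locations = (Header[]) new SamlClientBuilder()
                    .authnRequest(getAuthServerSamlEndpoint(AbstractSamlTest.REALM_NAME), AbstractSamlTest.SAML_CLIENT_ID_SALES_POST,
                            SAML_ASSERTION_CONSUMER_URL_SALES_POST, SamlClient.Binding.POST)
                        .build()
                    .login().idp(AbstractSamlTest.SAML_BROKER_ALIAS).build()
                    .doNotFollowRedirects()
                    .executeAndTransform(httpResponse -> httpResponse.getHeaders("Location"));
            MatcherAssert.assertThat(Integer.valueOf(locations.length), org.hamcrest.Matchers.is(1));
            MatcherAssert.assertThat(locations[0].getValue(), org.hamcrest.Matchers.containsString(ssoUrl));
            MatcherAssert.assertThat(locations[0].getValue(), org.hamcrest.Matchers.containsString("SAMLRequest"));
        }
    }

    /**
     * Appends a new, empty child element {@code prefix:localName} (in {@code name}'s namespace) to {@code parent}.
     *
     * @param parent element receiving the child; its owner document creates the node
     * @param name   namespace URI and local name of the new element
     * @param prefix namespace prefix written into the qualified name
     * @return the appended element
     */
    private static Element appendNewElement(Element parent, QName name, String prefix) throws DOMException {
        Element child = parent.getOwnerDocument().createElementNS(name.getNamespaceURI(), prefix + ":" + name.getLocalPart());
        parent.appendChild(child);
        return child;
    }

    /**
     * Signs the assertion in {@code document} and afterwards inserts a {@code vetinari:Patrician} element,
     * whose namespace is declared only on the document root, into the signature's {@code ds:KeyInfo}.
     * <p>
     * {@code KeyInfo} is not part of the signed content, so the signature stays valid; the test checks
     * that the broker copes with the foreign prefix while processing the signature.
     * NOTE(review): RSA-SHA1 is a deprecated signature algorithm. It is only a vehicle here, but should
     * the server ever reject SHA-1 signatures this test would fail for a reason unrelated to namespaces.
     *
     * @throws RuntimeException wrapping the {@link ProcessingException} from signing
     * @throws AssertionError if the signed document contains no {@code ds:KeyInfo}
     */
    private static void signAndAddCustomNamespaceElementToSignature(Document document) {
        document.getDocumentElement().setAttribute("xmlns:" + XMLNS_VETINARI, NS_VETINARI);
        try {
            new BaseSAML2BindingBuilder()
                    .signWith("kn", new KeyPair(SAML_CLIENT_SALES_POST_SIG_PUBLIC_KEY_PK, SAML_CLIENT_SALES_POST_SIG_PRIVATE_KEY_PK))
                    .signatureAlgorithm(SignatureAlgorithm.RSA_SHA1)
                    .signAssertions()
                    .signAssertion(document);
        } catch (ProcessingException e) {
            throw new RuntimeException(e);
        }
        Element keyInfo = findFirstElement(document, XmlDSigQNames.KEY_INFO);
        // Fail with a clear message instead of an NPE inside appendNewElement.
        Assert.assertNotNull("Signed assertion contains no ds:KeyInfo element to decorate", keyInfo);
        appendNewElement(keyInfo, new QName(NS_VETINARI, "Patrician"), XMLNS_VETINARI);
    }

    /**
     * Returns the first element of {@code document} with the given qualified name, or {@code null} if none.
     */
    private static Element findFirstElement(Document document, HasQName name) {
        QName qName = name.getQName();
        NodeList matches = document.getElementsByTagNameNS(qName.getNamespaceURI(), qName.getLocalPart());
        if (matches == null || matches.getLength() == 0) {
            return null;
        }
        return (Element) matches.item(0);
    }

    /**
     * A signed assertion whose {@code ds:KeyInfo} carries an element in a namespace declared only on the
     * document root must still be accepted by the broker (HTTP 200).
     */
    @Test
    public void testAnyNamespacePreservedInContext() throws IOException {
        RealmResource realm = this.adminClient.realm(AbstractSamlTest.REALM_NAME);
        try (IdentityProviderCreator idp = new IdentityProviderCreator(realm, addIdentityProvider("https://saml.idp/"))) {
            new SamlClientBuilder()
                    .authnRequest(getAuthServerSamlEndpoint(AbstractSamlTest.REALM_NAME), AbstractSamlTest.SAML_CLIENT_ID_SALES_POST,
                            SAML_ASSERTION_CONSUMER_URL_SALES_POST, SamlClient.Binding.POST)
                        .build()
                    .login().idp(AbstractSamlTest.SAML_BROKER_ALIAS).build()
                    .processSamlResponse(SamlClient.Binding.REDIRECT)
                        .transformObject(this::createAuthnResponse)
                        .transformDocument(BrokerTest::signAndAddCustomNamespaceElementToSignature)
                        .targetAttributeSamlResponse()
                        .targetUri(getSamlBrokerUrl(AbstractSamlTest.REALM_NAME))
                        .targetBinding(SamlClient.Binding.POST)
                        .build()
                    .assertResponse(Matchers.statusCodeIsHC(Response.Status.OK))
                    .execute();
        }
    }

    /**
     * The broker enforces {@code Conditions/@NotBefore} and {@code Conditions/@NotOnOrAfter} of the IdP's
     * assertion.
     * <p>
     * All bounds lie 59-60 minutes away from "now", so only gross violations are probed, not the broker's
     * clock-skew tolerance. NOTE(review): the last case documents that an assertion carrying neither bound
     * is accepted.
     */
    @Test
    public void testExpiredAssertion() throws Exception {
        XMLGregorianCalendar now = XMLTimeUtil.getIssueInstant();
        XMLGregorianCalendar oneHourAgo = XMLTimeUtil.subtract(now, 3600000L);
        XMLGregorianCalendar fiftyNineMinutesAgo = XMLTimeUtil.subtract(now, 3540000L);
        XMLGregorianCalendar inFiftyNineMinutes = XMLTimeUtil.add(now, 3540000L);
        XMLGregorianCalendar inOneHour = XMLTimeUtil.add(now, 3600000L);

        // rejected: window entirely in the past
        assertExpired(oneHourAgo, fiftyNineMinutesAgo, false);
        // rejected: NotBefore after NotOnOrAfter
        assertExpired(inFiftyNineMinutes, fiftyNineMinutesAgo, false);
        // rejected: NotOnOrAfter already passed
        assertExpired(null, fiftyNineMinutesAgo, false);
        // rejected: window entirely in the future
        assertExpired(inFiftyNineMinutes, inOneHour, false);
        // rejected: NotBefore still in the future
        assertExpired(inFiftyNineMinutes, null, false);

        // accepted: "now" inside the window, or only one bound given and satisfied
        assertExpired(oneHourAgo, inOneHour, true);
        assertExpired(oneHourAgo, null, true);
        assertExpired(null, inOneHour, true);
        // accepted: no validity window at all
        assertExpired(null, null, true);
    }

    /** Self-check of {@link #assertExpired}: an assertion without any window is accepted, so expecting rejection must fail. */
    @Test(expected = AssertionError.class)
    public void testNonexpiredAssertionShouldFail() throws Exception {
        assertExpired(null, null, false);
    }

    /** Self-check of {@link #assertExpired}: an expired assertion is rejected, so expecting acceptance must fail. */
    @Test(expected = AssertionError.class)
    public void testExpiredAssertionShouldFail() throws Exception {
        XMLGregorianCalendar now = XMLTimeUtil.getIssueInstant();
        assertExpired(XMLTimeUtil.subtract(now, 3600000L), XMLTimeUtil.subtract(now, 3540000L), true);
    }

    /**
     * Runs one brokered login whose assertion carries the given validity window and checks the HTTP
     * status the broker answers with.
     *
     * @param notBefore      value for {@code Conditions/@NotBefore}; {@code null} omits the attribute
     * @param notOnOrAfter   value for {@code Conditions/@NotOnOrAfter}; {@code null} omits the attribute
     * @param expectAccepted {@code true} expects HTTP 200, {@code false} expects HTTP 400
     * @throws AssertionError when the observed status differs from the expected one
     */
    private void assertExpired(XMLGregorianCalendar notBefore, XMLGregorianCalendar notOnOrAfter, boolean expectAccepted) throws Exception {
        Response.Status expectedStatus = expectAccepted ? Response.Status.OK : Response.Status.BAD_REQUEST;
        RealmResource realm = this.adminClient.realm(AbstractSamlTest.REALM_NAME);
        try (IdentityProviderCreator idp = new IdentityProviderCreator(realm, addIdentityProvider("https://saml.idp/"))) {
            new SamlClientBuilder()
                    .authnRequest(getAuthServerSamlEndpoint(AbstractSamlTest.REALM_NAME), AbstractSamlTest.SAML_CLIENT_ID_SALES_POST,
                            SAML_ASSERTION_CONSUMER_URL_SALES_POST, SamlClient.Binding.POST)
                        .build()
                    .login().idp(AbstractSamlTest.SAML_BROKER_ALIAS).build()
                    .processSamlResponse(SamlClient.Binding.REDIRECT)
                        .transformObject(this::createAuthnResponse)
                        .transformObject(samlObject -> {
                            ResponseType response = (ResponseType) samlObject;
                            AssertionType assertion = firstAssertion(response);
                            // Fresh random subject per run so no user or IdP link from a previous run is reused.
                            assertion.setSubject(emailSubject(UUID.randomUUID() + "@random.email.org"));
                            ConditionsType conditions = assertion.getConditions();
                            conditions.setNotBefore(notBefore);
                            conditions.setNotOnOrAfter(notOnOrAfter);
                            return response;
                        })
                        .targetAttributeSamlResponse()
                        .targetUri(getSamlBrokerUrl(AbstractSamlTest.REALM_NAME))
                        .build()
                    .assertResponse(Matchers.statusCodeIsHC(expectedStatus))
                    .execute();
        }
    }

    /** Builds a Subject whose NameID is {@code email} in the e-mail NameID format. */
    private static SubjectType emailSubject(String email) {
        NameIDType nameId = new NameIDType();
        nameId.setFormat(URI.create(JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.get()));
        nameId.setValue(email);
        SubjectType.STSubType subType = new SubjectType.STSubType();
        subType.addBaseID(nameId);
        SubjectType subject = new SubjectType();
        subject.setSubType(subType);
        return subject;
    }
}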
