package org.keycloak.testsuite.jaas;

import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.lang.invoke.MethodHandles;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.junit.AfterClass;
import org.junit.Assume;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.adapters.jaas.BearerTokenLoginModule;
import org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule;
import org.keycloak.adapters.jaas.RolePrincipal;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.Assert;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.saml.AbstractSamlTest;
import org.keycloak.testsuite.util.ServerURLs;
import org.keycloak.testsuite.utils.io.IOUtil;

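/**
 * Exercises the Keycloak JAAS login modules ({@link DirectAccessGrantsLoginModule} and
 * {@link BearerTokenLoginModule}) end to end against the test auth server.
 *
 * <p>At class load the two adapter configurations ({@code keycloak.json}) are resolved from the
 * classpath and, in {@link #createTemporaryFiles()}, copied to temporary files with the auth-server
 * address rewritten for the running container. The JAAS {@link Configuration}s built here point the
 * login modules at those copies. The whole class is skipped unless the auth server requires SSL
 * (see {@link #enabled()}).
 */
@AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
public class LoginModulesTest extends AbstractKeycloakTest {

    /** Classpath location of the adapter configuration used by the direct-grant login module. */
    private static final String DIRECT_GRANT_RESOURCE = "/adapter-test/customer-portal/WEB-INF/keycloak.json";
    /** Classpath location of the adapter configuration used by the bearer-token login module. */
    private static final String BEARER_RESOURCE = "/adapter-test/customer-db-audience-required/WEB-INF/keycloak.json";
    /** Realm every test in this class runs against. */
    private static final String REALM = AbstractSamlTest.REALM_NAME;
    /** Client scope generated in {@link #generateAudienceClientScope()} and requested by the bearer success test. */
    private static final String AUDIENCE_SCOPE = "customer-db-audience-required";
    /** Option key the Keycloak login modules read to locate their adapter configuration file. */
    private static final String CONFIG_FILE_OPTION = "keycloak-config-file";
    /** JAAS application name; the {@link Configuration}s built below return the same entry for any name. */
    private static final String APP_NAME = "does-not-matter";
    private static final String TEST_USER = "bburke@redhat.com";
    private static final String TEST_PASSWORD = "password";

    /** Shared instead of constructing a new mapper for every introspection call. */
    private static final ObjectMapper MAPPER = new ObjectMapper();

    /** Location of the original (unmodified) direct-grant adapter configuration on the classpath. */
    public static final URI DIRECT_GRANT_CONFIG;
    /** Location of the original (unmodified) bearer adapter configuration on the classpath. */
    public static final URI BEARER_CONFIG;
    /** Temporary copies with the auth-server address rewritten; content is written by {@link #createTemporaryFiles()}. */
    private static final File DIRECT_GRANT_CONFIG_FILE;
    private static final File BEARER_CONFIG_FILE;

    static {
        try {
            DIRECT_GRANT_CONFIG = resourceUri(DIRECT_GRANT_RESOURCE);
            BEARER_CONFIG = resourceUri(BEARER_RESOURCE);
            // Empty placeholders at this point; createTemporaryFiles() fills them in.
            DIRECT_GRANT_CONFIG_FILE = File.createTempFile("LoginModulesTest", "testDirectAccessGrantLoginModuleLoginFailed");
            BEARER_CONFIG_FILE = File.createTempFile("LoginModulesTest", "testBearerLoginFailedLogin");
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Resolves a classpath resource to a {@link URI}, failing with the resource name instead of a
     * bare {@link NullPointerException} when it is missing from the test classpath.
     *
     * @throws IllegalStateException if the resource cannot be found
     * @throws URISyntaxException if the resource URL is not a valid URI
     */
    private static URI resourceUri(String resource) throws URISyntaxException {
        URL url = MethodHandles.lookup().lookupClass().getResource(resource);
        if (url == null) {
            throw new IllegalStateException("Test resource not found on the classpath: " + resource);
        }
        return url.toURI();
    }

    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void addTestRealms(List<RealmRepresentation> list) {
        list.add(IOUtil.loadRealm("/adapter-test/demorealm.json"));
    }

    /** Skips the whole class (called from the @BeforeClass hook) unless the auth server requires SSL. */
    private static void enabled() {
        Assume.assumeTrue(ServerURLs.AUTH_SERVER_SSL_REQUIRED);
    }

    /** Writes the rewritten adapter configurations into the temporary files the login modules will read. */
    @BeforeClass
    public static void createTemporaryFiles() throws Exception {
        enabled();
        copyContentAndReplaceAuthServerAddress(new File(DIRECT_GRANT_CONFIG), DIRECT_GRANT_CONFIG_FILE);
        copyContentAndReplaceAuthServerAddress(new File(BEARER_CONFIG), BEARER_CONFIG_FILE);
    }

    /**
     * Deletes the temporary configuration copies right away rather than only at JVM exit: a test JVM
     * may run many classes before exiting, and the copies may carry client credentials from
     * {@code keycloak.json}.
     */
    @AfterClass
    public static void removeTemporaryFiles() {
        deleteNowOrOnExit(DIRECT_GRANT_CONFIG_FILE);
        deleteNowOrOnExit(BEARER_CONFIG_FILE);
    }

    /** Deletes {@code file}; if that fails (e.g. the file is still held open) falls back to deletion at exit. */
    private static void deleteNowOrOnExit(File file) {
        if (!file.delete()) {
            file.deleteOnExit();
        }
    }

    /**
     * Copies {@code source} to {@code target}, passing the bytes through {@code httpsAwareConfigurationStream}
     * (inherited; by its name it rewrites the auth-server address for the SSL endpoint — see
     * AbstractKeycloakTest) on the way.
     *
     * <p>Reads until EOF instead of sizing one buffer with {@code available()} and issuing a single
     * {@code read()}: {@code available()} is only an estimate and {@code read()} may return fewer bytes
     * than asked for, either of which silently truncated the copied configuration. The existing temp
     * file is truncated and overwritten rather than replaced, so it keeps whatever permissions
     * {@link File#createTempFile} gave it.
     */
    private static void copyContentAndReplaceAuthServerAddress(File source, File target) throws IOException {
        // The raw stream is listed separately so it is closed even if the rewriting helper throws.
        try (FileInputStream raw = new FileInputStream(source);
             InputStream in = httpsAwareConfigurationStream(raw);
             OutputStream out = new FileOutputStream(target)) {
            byte[] buffer = new byte[8192];
            int read;
            while ((read = in.read(buffer)) != -1) {
                out.write(buffer, 0, read);
            }
        }
    }

    /**
     * Makes sure the {@code customer-portal} client offers the optional {@value #AUDIENCE_SCOPE}
     * client scope, generated through the testing endpoint. Skipped once the scope exists, so it is
     * safe to run before every test.
     */
    @Before
    public void generateAudienceClientScope() {
        if (ApiUtil.findClientScopeByName(this.adminClient.realm(REALM), AUDIENCE_SCOPE) != null) {
            return;
        }
        ApiUtil.findClientByClientId(this.adminClient.realm(REALM), "customer-portal")
                .addOptionalClientScope(this.testingClient.testing().generateAudienceClientScope(REALM, AUDIENCE_SCOPE));
    }

    @Test
    public void testDirectAccessGrantLoginModuleLoginFailed() throws Exception {
        // Built outside the try so that a LoginException from the constructor (a broken JAAS setup)
        // fails the test instead of passing it as a "rejected login".
        LoginContext login = newDirectGrantLoginContext(TEST_USER, "bad-password", null);
        try {
            login.login();
            Assert.fail("Not expected to successfully login");
        } catch (LoginException expected) {
            // a wrong password must be rejected by the login module
        }
    }

    @Test
    public void testDirectAccessGrantLoginModuleLoginSuccess() throws Exception {
        this.oauth.realm(REALM);
        LoginContext login = directGrantLogin(null);
        Subject subject = login.getSubject();
        KeycloakPrincipal principal = keycloakPrincipal(subject);
        Assert.assertEquals(TEST_USER, principal.getKeycloakSecurityContext().getToken().getPreferredUsername());
        String token = principal.getKeycloakSecurityContext().getTokenString();
        assertToken(token, true);
        assertSingleRole(subject, "user");
        // Logging out must revoke the session: the very same token is no longer active afterwards.
        login.logout();
        assertToken(token, false);
    }

    @Test
    public void testBearerLoginFailedLogin() throws Exception {
        this.oauth.realm(REALM);
        // Token issued WITHOUT the audience scope; the bearer module configured for the
        // customer-db-audience-required client is expected to reject it (presumably because the
        // token carries no audience for that client).
        LoginContext directGrant = directGrantLogin(null);
        try {
            // Constructed outside the inner try for the same reason as in the direct-grant failure test.
            LoginContext bearer = newBearerLoginContext(tokenString(directGrant));
            try {
                bearer.login();
                Assert.fail("Not expected to successfully login");
            } catch (LoginException expected) {
                // token without the required audience must be rejected
            }
        } finally {
            // Release the direct-grant session even when the assertion above fails.
            directGrant.logout();
        }
    }

    @Test
    public void testBearerLoginSuccess() throws Exception {
        this.oauth.realm(REALM);
        // Token issued WITH the audience scope, so the bearer module accepts it.
        LoginContext directGrant = directGrantLogin(AUDIENCE_SCOPE);
        try {
            LoginContext bearer = newBearerLoginContext(tokenString(directGrant));
            bearer.login();
            try {
                Subject subject = bearer.getSubject();
                KeycloakPrincipal principal = keycloakPrincipal(subject);
                Assert.assertEquals(TEST_USER, principal.getKeycloakSecurityContext().getToken().getPreferredUsername());
                assertToken(principal.getKeycloakSecurityContext().getTokenString(), true);
                assertSingleRole(subject, "user");
            } finally {
                bearer.logout();
            }
        } finally {
            directGrant.logout();
        }
    }

    /** Performs a direct-grant (password) login as the test user, optionally requesting {@code scope}. */
    private LoginContext directGrantLogin(String scope) throws LoginException {
        LoginContext login = newDirectGrantLoginContext(TEST_USER, TEST_PASSWORD, scope);
        login.login();
        return login;
    }

    /** Builds, without logging in, a context backed by {@link DirectAccessGrantsLoginModule}. */
    private LoginContext newDirectGrantLoginContext(String username, String password, String scope) throws LoginException {
        return new LoginContext(APP_NAME, (Subject) null, createJaasCallbackHandler(username, password),
                createJaasConfigurationForDirectGrant(scope));
    }

    /**
     * Builds, without logging in, a context backed by {@link BearerTokenLoginModule}. The token travels
     * in the password callback; the name callback only receives a placeholder.
     */
    private LoginContext newBearerLoginContext(String tokenString) throws LoginException {
        return new LoginContext(APP_NAME, (Subject) null, createJaasCallbackHandler("doesn-not-matter", tokenString),
                createJaasConfigurationForBearer());
    }

    /** The (single) Keycloak principal the login module attached to {@code subject}. */
    private static KeycloakPrincipal keycloakPrincipal(Subject subject) {
        return subject.getPrincipals(KeycloakPrincipal.class).iterator().next();
    }

    /** Serialized access token of the session behind {@code login}. */
    private static String tokenString(LoginContext login) {
        return keycloakPrincipal(login.getSubject()).getKeycloakSecurityContext().getTokenString();
    }

    /** Asserts that {@code subject} carries exactly one {@link RolePrincipal}, named {@code expectedRole}. */
    private static void assertSingleRole(Subject subject, String expectedRole) {
        Set<RolePrincipal> roles = subject.getPrincipals(RolePrincipal.class);
        Assert.assertEquals(1L, roles.size());
        Assert.assertEquals(expectedRole, roles.iterator().next().getName());
    }

    /**
     * Asserts through the introspection endpoint, called with the {@code customer-portal} client
     * credential, whether {@code tokenString} is currently active.
     *
     * @throws IOException if the introspection response cannot be parsed
     */
    private void assertToken(String tokenString, boolean expectedActive) throws IOException {
        String introspection = this.oauth.introspectAccessTokenWithClientCredential("customer-portal", "password", tokenString);
        // Fail with a clear message rather than an anonymous NPE if the response has no "active" field.
        boolean active = Objects.requireNonNull(MAPPER.readTree(introspection).get("active"),
                "introspection response has no 'active' field").asBoolean();
        Assert.assertEquals(expectedActive, active);
    }

    /**
     * Callback handler answering {@link NameCallback} with {@code name} and {@link PasswordCallback}
     * with {@code secret}; any other callback type is rejected with {@link UnsupportedCallbackException}.
     */
    private CallbackHandler createJaasCallbackHandler(final String name, final String secret) {
        return new CallbackHandler() {
            @Override
            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                for (Callback callback : callbacks) {
                    if (callback instanceof NameCallback) {
                        ((NameCallback) callback).setName(name);
                    } else if (callback instanceof PasswordCallback) {
                        ((PasswordCallback) callback).setPassword(secret.toCharArray());
                    } else {
                        throw new UnsupportedCallbackException(callback,
                                "Unsupported callback: " + callback.getClass().getCanonicalName());
                    }
                }
            }
        };
    }

    /**
     * JAAS configuration with a single REQUIRED {@link DirectAccessGrantsLoginModule}, pointing at the
     * rewritten direct-grant adapter configuration and optionally requesting {@code scope}.
     */
    private Configuration createJaasConfigurationForDirectGrant(String scope) {
        Map<String, String> options = new HashMap<>();
        options.put(CONFIG_FILE_OPTION, DIRECT_GRANT_CONFIG_FILE.getAbsolutePath());
        if (scope != null) {
            options.put("scope", scope);
        }
        return singleModuleConfiguration(DirectAccessGrantsLoginModule.class, options);
    }

    /** JAAS configuration with a single REQUIRED {@link BearerTokenLoginModule} pointing at the rewritten bearer adapter configuration. */
    private Configuration createJaasConfigurationForBearer() {
        Map<String, String> options = new HashMap<>();
        options.put(CONFIG_FILE_OPTION, BEARER_CONFIG_FILE.getAbsolutePath());
        return singleModuleConfiguration(BearerTokenLoginModule.class, options);
    }

    /** {@link Configuration} that answers every application name with one REQUIRED entry for {@code loginModule}. */
    private static Configuration singleModuleConfiguration(final Class<?> loginModule, final Map<String, ?> options) {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {
                        new AppConfigurationEntry(loginModule.getName(),
                                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options)};
            }
        };
    }
}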
