package org.keycloak.testsuite.admin.client;

import java.io.IOException;
import java.io.StringReader;
import java.util.HashMap;
import java.util.Map;
import javax.ws.rs.NotFoundException;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.hamcrest.Matchers;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.common.Profile;
import org.keycloak.events.admin.OperationType;
import org.keycloak.events.admin.ResourceType;
import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
import org.keycloak.testsuite.ProfileAssume;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.updaters.ClientAttributeUpdater;
import org.keycloak.testsuite.util.AdminEventPaths;
import org.keycloak.testsuite.util.ServerURLs;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/* loaded from: input_file:org/keycloak/testsuite/admin/client/InstallationTest.class */
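/**
 * Tests the adapter configuration generated by
 * {@link ClientResource#getInstallationProvider(String)} for OIDC and SAML clients.
 *
 * <p>Besides checking that each provider id yields output in the expected format, the tests pin
 * what the generated configuration must <em>not</em> contain: the realm's active signing public
 * key (OIDC) or certificate (SAML adapter formats), and, for bearer-only clients, any
 * {@code credentials} section.
 */
public class InstallationTest extends AbstractClientTest {
    private static final String OIDC_NAME = "oidcInstallationClient";
    private static final String OIDC_NAME_BEARER_ONLY_NAME = "oidcInstallationClientBearerOnly";
    private static final String OIDC_NAME_BEARER_ONLY_WITH_AUTHZ_NAME = "oidcInstallationClientBearerOnlyWithAuthz";
    private static final String SAML_NAME = "samlInstallationClient";
    private ClientResource oidcClient;
    private String oidcClientId;
    private ClientResource oidcBearerOnlyClient;
    private String oidcBearerOnlyClientId;
    private ClientResource oidcBearerOnlyClientWithAuthz;
    private String oidcBearerOnlyClientWithAuthzId;
    private ClientResource samlClient;
    private String samlClientId;

    /** Creates the OIDC, bearer-only OIDC and SAML clients shared by the tests. */
    @Before
    public void createClients() {
        this.oidcClientId = createOidcClient(OIDC_NAME);
        this.oidcBearerOnlyClientId = createOidcBearerOnlyClient(OIDC_NAME_BEARER_ONLY_NAME);
        this.oidcClient = findClientResource(OIDC_NAME);
        this.oidcBearerOnlyClient = findClientResource(OIDC_NAME_BEARER_ONLY_NAME);
        this.samlClientId = createSamlClient(SAML_NAME);
        this.samlClient = findClientResource(SAML_NAME);
    }

    /** Removes the clients created in {@link #createClients()}. */
    @After
    public void tearDown() {
        removeClient(this.oidcClientId);
        removeClient(this.oidcBearerOnlyClientId);
        removeClient(this.samlClientId);
    }

    /** Returns the auth server base URL the generated configs are expected to reference. */
    private String authServerUrl() {
        return ServerURLs.getAuthServerContextRoot() + "/auth";
    }

    /** Returns the SAML protocol endpoint of the {@code test} realm. */
    private String samlUrl() {
        return authServerUrl() + "/realms/test/protocol/saml";
    }

    @Test
    public void testOidcJBossXml() {
        String config = this.oidcClient.getInstallationProvider("keycloak-oidc-jboss-subsystem");
        assertOidcInstallationConfig(config);
        Assert.assertThat(config, Matchers.containsString("<secure-deployment"));
    }

    @Test
    public void testOidcJson() {
        assertOidcInstallationConfig(this.oidcClient.getInstallationProvider("keycloak-oidc-keycloak-json"));
    }

    @Test
    public void testOidcJBossCli() {
        String config = this.oidcClient.getInstallationProvider("keycloak-oidc-jboss-subsystem-cli");
        assertOidcInstallationConfig(config);
        Assert.assertThat(config, Matchers.containsString("/subsystem=keycloak/secure-deployment=\"WAR MODULE NAME.war\""));
    }

    /**
     * A bearer-only client's JSON config must be marked {@code bearer-only} and must not carry
     * {@code public-client}, {@code credentials} or {@code verify-token-audience}.
     */
    @Test
    public void testOidcBearerOnlyJson() {
        String config = this.oidcBearerOnlyClient.getInstallationProvider("keycloak-oidc-keycloak-json");
        assertOidcInstallationConfig(config);
        Assert.assertThat(config, Matchers.containsString("bearer-only"));
        Assert.assertThat(config, Matchers.not(Matchers.containsString("public-client")));
        Assert.assertThat(config, Matchers.not(Matchers.containsString("credentials")));
        Assert.assertThat(config, Matchers.not(Matchers.containsString("verify-token-audience")));
    }

    /**
     * Same as {@link #testOidcBearerOnlyJson()}, but once an audience client scope exists for the
     * client the config is expected to contain {@code verify-token-audience}.
     */
    @Test
    public void testOidcBearerOnlyJsonWithAudienceClientScope() {
        String audienceScopeId = this.testingClient.testing().generateAudienceClientScope("test", OIDC_NAME_BEARER_ONLY_NAME);
        String config = this.oidcBearerOnlyClient.getInstallationProvider("keycloak-oidc-keycloak-json");
        assertOidcInstallationConfig(config);
        Assert.assertThat(config, Matchers.containsString("bearer-only"));
        Assert.assertThat(config, Matchers.not(Matchers.containsString("public-client")));
        Assert.assertThat(config, Matchers.not(Matchers.containsString("credentials")));
        Assert.assertThat(config, Matchers.containsString("verify-token-audience"));
        testRealmResource().clientScopes().get(audienceScopeId).remove();
        // The (Object) cast is kept so the same assertEvent overload is selected for the null argument.
        this.assertAdminEvents.assertEvent(getRealmId(), OperationType.DELETE, AdminEventPaths.clientScopeResourcePath(audienceScopeId), (Object) null, ResourceType.CLIENT_SCOPE);
    }

    /**
     * A confidential client with authorization enabled gets {@code credentials}, {@code secret}
     * and {@code policy-enforcer} in its JSON config.
     *
     * <p>NOTE(review): the asserted {@code credentials}/{@code secret} entries suggest this output
     * carries the client secret, so it should be handled as sensitive material - confirm.
     */
    @Test
    public void testOidcBearerOnlyWithAuthzJson() {
        ProfileAssume.assumeFeatureEnabled(Profile.Feature.AUTHORIZATION);
        this.oidcBearerOnlyClientWithAuthzId = createOidcConfidentialClientWithAuthz(OIDC_NAME_BEARER_ONLY_WITH_AUTHZ_NAME);
        try {
            this.oidcBearerOnlyClientWithAuthz = findClientResource(OIDC_NAME_BEARER_ONLY_WITH_AUTHZ_NAME);
            String config = this.oidcBearerOnlyClientWithAuthz.getInstallationProvider("keycloak-oidc-keycloak-json");
            assertOidcInstallationConfig(config);
            Assert.assertThat(config, Matchers.not(Matchers.containsString("bearer-only")));
            Assert.assertThat(config, Matchers.not(Matchers.containsString("public-client")));
            Assert.assertThat(config, Matchers.containsString("credentials"));
            Assert.assertThat(config, Matchers.containsString("secret"));
            Assert.assertThat(config, Matchers.containsString("policy-enforcer"));
        } finally {
            // This client is not covered by tearDown(); remove it even when an assertion fails so
            // a confidential client is not left behind for later tests.
            removeClient(this.oidcBearerOnlyClientWithAuthzId);
        }
    }

    /**
     * Checks shared by all OIDC formats: the config mentions {@code test} (presumably the realm
     * name - confirm), references the auth server URL, and does not embed the realm's active
     * signing public key.
     *
     * @param config generated installation config
     */
    private void assertOidcInstallationConfig(String config) {
        Assert.assertThat(config, Matchers.containsString("test"));
        Assert.assertThat(config, Matchers.not(Matchers.containsString(ApiUtil.findActiveSigningKey(testRealmResource()).getPublicKey())));
        Assert.assertThat(config, Matchers.containsString(authServerUrl()));
    }

    /** Requesting the IdP descriptor through a client is expected to fail with 404. */
    @Test(expected = NotFoundException.class)
    public void testSamlMetadataIdpDescriptor() {
        this.samlClient.getInstallationProvider("saml-idp-descriptor");
    }

    @Test
    public void testSamlAdapterXml() {
        String config = this.samlClient.getInstallationProvider("keycloak-saml");
        Assert.assertThat(config, Matchers.containsString("<keycloak-saml-adapter>"));
        Assert.assertThat(config, Matchers.containsString("SPECIFY YOUR entityID!"));
        // The realm signing certificate must not be embedded in the adapter config.
        Assert.assertThat(config, Matchers.not(Matchers.containsString(ApiUtil.findActiveSigningKey(testRealmResource()).getCertificate())));
        Assert.assertThat(config, Matchers.containsString(samlUrl()));
    }

    @Test
    public void testSamlAdapterCli() {
        String config = this.samlClient.getInstallationProvider("keycloak-saml-subsystem-cli");
        Assert.assertThat(config, Matchers.containsString("/subsystem=keycloak-saml/secure-deployment=YOUR-WAR.war/"));
        Assert.assertThat(config, Matchers.containsString("SPECIFY YOUR entityID!"));
        // The realm signing certificate must not be embedded in the adapter config.
        Assert.assertThat(config, Matchers.not(Matchers.containsString(ApiUtil.findActiveSigningKey(testRealmResource()).getCertificate())));
        Assert.assertThat(config, Matchers.containsString(samlUrl()));
    }

    @Test
    public void testSamlMetadataSpDescriptor() throws Exception {
        String descriptorXml = this.samlClient.getInstallationProvider("saml-sp-descriptor");
        Document descriptor = getDocumentFromXmlString(descriptorXml);
        assertElements(descriptor, JBossSAMLURIConstants.METADATA_NSURI.get(), "EntityDescriptor", null);
        assertElements(descriptor, JBossSAMLURIConstants.METADATA_NSURI.get(), "SPSSODescriptor", null);
        Assert.assertThat(descriptorXml, Matchers.containsString(SAML_NAME));
    }

    @Test
    public void testSamlJBossXml() {
        String config = this.samlClient.getInstallationProvider("keycloak-saml-subsystem");
        Assert.assertThat(config, Matchers.containsString("<secure-deployment"));
        Assert.assertThat(config, Matchers.containsString("SPECIFY YOUR entityID!"));
        // The realm signing certificate must not be embedded in the adapter config.
        Assert.assertThat(config, Matchers.not(Matchers.containsString(ApiUtil.findActiveSigningKey(testRealmResource()).getCertificate())));
        Assert.assertThat(config, Matchers.containsString(samlUrl()));
    }

    /**
     * With POST binding forced, the SP descriptor endpoints use the POST binding and their
     * {@code Location} follows, in turn: the unset marker, the admin URL, then the explicit
     * per-binding POST URLs.
     */
    @Test
    public void testSamlMetadataSpDescriptorPost() throws Exception {
        String metadataNs = JBossSAMLURIConstants.METADATA_NSURI.get();
        String postBinding = JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get();

        // try-with-resources closes the updater exactly once; the previous hand-expanded form could
        // call close() a second time when the event assertion following the close failed.
        try (ClientAttributeUpdater updater = ClientAttributeUpdater.forClient(this.adminClient, getRealmId(), SAML_NAME)) {
            Assert.assertThat(((ClientResource) updater.getResource()).toRepresentation().getAttributes().get("saml.force.post.binding"), Matchers.equalTo("true"));

            // No endpoint configured at all.
            Document descriptor = fetchSpDescriptor(updater);
            Map<String, String> expected = endpointAttributes(postBinding, "ERROR:ENDPOINT_NOT_SET");
            assertElements(descriptor, metadataNs, "SingleLogoutService", expected);
            assertElements(descriptor, metadataNs, "AssertionConsumerService", expected);

            // Only the admin URL configured: both services point at it.
            updater.setAdminUrl("admin-url").update();
            this.assertAdminEvents.assertEvent(getRealmId(), OperationType.UPDATE, AdminEventPaths.clientResourcePath(this.samlClientId), ResourceType.CLIENT);
            descriptor = fetchSpDescriptor(updater);
            expected = endpointAttributes(postBinding, "admin-url");
            assertElements(descriptor, metadataNs, "SingleLogoutService", expected);
            assertElements(descriptor, metadataNs, "AssertionConsumerService", expected);

            // Explicit per-binding URLs configured: the POST variants are used.
            updater.setAttribute("saml_assertion_consumer_url_post", "saml-assertion-post-url")
                    .setAttribute("saml_single_logout_service_url_post", "saml-logout-post-url")
                    .setAttribute("saml_assertion_consumer_url_redirect", "saml-assertion-redirect-url")
                    .setAttribute("saml_single_logout_service_url_redirect", "saml-logout-redirect-url")
                    .update();
            this.assertAdminEvents.assertEvent(getRealmId(), OperationType.UPDATE, AdminEventPaths.clientResourcePath(this.samlClientId), ResourceType.CLIENT);
            descriptor = fetchSpDescriptor(updater);
            assertElements(descriptor, metadataNs, "SingleLogoutService", endpointAttributes(postBinding, "saml-logout-post-url"));
            assertElements(descriptor, metadataNs, "AssertionConsumerService", endpointAttributes(postBinding, "saml-assertion-post-url"));
        }
        // Presumably close() restores the client's original state, producing this UPDATE event - confirm.
        this.assertAdminEvents.assertEvent(getRealmId(), OperationType.UPDATE, AdminEventPaths.clientResourcePath(this.samlClientId), ResourceType.CLIENT);
    }

    /**
     * With POST binding not forced, the SP descriptor endpoints use the redirect binding and their
     * {@code Location} follows, in turn: the unset marker, the admin URL, then the explicit
     * per-binding redirect URLs.
     */
    @Test
    public void testSamlMetadataSpDescriptorRedirect() throws Exception {
        String metadataNs = JBossSAMLURIConstants.METADATA_NSURI.get();
        String redirectBinding = JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get();

        // try-with-resources closes the updater exactly once; the previous hand-expanded form could
        // call close() a second time when the event assertion following the close failed.
        try (ClientAttributeUpdater updater = ClientAttributeUpdater.forClient(this.adminClient, getRealmId(), SAML_NAME).setAttribute("saml.force.post.binding", "false").update()) {
            this.assertAdminEvents.assertEvent(getRealmId(), OperationType.UPDATE, AdminEventPaths.clientResourcePath(this.samlClientId), ResourceType.CLIENT);
            Assert.assertThat(((ClientResource) updater.getResource()).toRepresentation().getAttributes().get("saml.force.post.binding"), Matchers.equalTo("false"));

            // No endpoint configured at all.
            Document descriptor = fetchSpDescriptor(updater);
            Map<String, String> expected = endpointAttributes(redirectBinding, "ERROR:ENDPOINT_NOT_SET");
            assertElements(descriptor, metadataNs, "SingleLogoutService", expected);
            assertElements(descriptor, metadataNs, "AssertionConsumerService", expected);

            // Only the admin URL configured: both services point at it.
            updater.setAdminUrl("admin-url").update();
            this.assertAdminEvents.assertEvent(getRealmId(), OperationType.UPDATE, AdminEventPaths.clientResourcePath(this.samlClientId), ResourceType.CLIENT);
            descriptor = fetchSpDescriptor(updater);
            expected = endpointAttributes(redirectBinding, "admin-url");
            assertElements(descriptor, metadataNs, "SingleLogoutService", expected);
            assertElements(descriptor, metadataNs, "AssertionConsumerService", expected);

            // Explicit per-binding URLs configured: the redirect variants are used.
            updater.setAttribute("saml_assertion_consumer_url_post", "saml-assertion-post-url")
                    .setAttribute("saml_single_logout_service_url_post", "saml-logout-post-url")
                    .setAttribute("saml_assertion_consumer_url_redirect", "saml-assertion-redirect-url")
                    .setAttribute("saml_single_logout_service_url_redirect", "saml-logout-redirect-url")
                    .update();
            this.assertAdminEvents.assertEvent(getRealmId(), OperationType.UPDATE, AdminEventPaths.clientResourcePath(this.samlClientId), ResourceType.CLIENT);
            descriptor = fetchSpDescriptor(updater);
            assertElements(descriptor, metadataNs, "SingleLogoutService", endpointAttributes(redirectBinding, "saml-logout-redirect-url"));
            assertElements(descriptor, metadataNs, "AssertionConsumerService", endpointAttributes(redirectBinding, "saml-assertion-redirect-url"));
        }
        // Presumably close() restores the client's original state, producing this UPDATE event - confirm.
        this.assertAdminEvents.assertEvent(getRealmId(), OperationType.UPDATE, AdminEventPaths.clientResourcePath(this.samlClientId), ResourceType.CLIENT);
    }

    /** Builds the expected {@code Binding}/{@code Location} attribute pair of a SAML endpoint element. */
    private static Map<String, String> endpointAttributes(String binding, String location) {
        Map<String, String> attributes = new HashMap<>();
        attributes.put("Binding", binding);
        attributes.put("Location", location);
        return attributes;
    }

    /** Fetches the {@code saml-sp-descriptor} output for the updater's client and parses it. */
    private Document fetchSpDescriptor(ClientAttributeUpdater updater) throws SAXException, ParserConfigurationException, IOException {
        return getDocumentFromXmlString(((ClientResource) updater.getResource()).getInstallationProvider("saml-sp-descriptor"));
    }

    /**
     * Parses an XML string into a namespace-aware DOM document.
     *
     * <p>The parser is hardened against XXE: secure processing is enabled, DOCTYPE declarations
     * are rejected and entity references are not expanded. The descriptor comes from the server
     * under test, so it is not parsed with permissive defaults.
     *
     * @param xml XML text to parse
     * @return the parsed document
     * @throws SAXException if the text is not well-formed or contains a DOCTYPE declaration
     * @throws ParserConfigurationException if the parser does not support a requested feature
     * @throws IOException if reading the text fails
     */
    private Document getDocumentFromXmlString(String xml) throws SAXException, ParserConfigurationException, IOException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setExpandEntityReferences(false);
        DocumentBuilder builder = factory.newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    /**
     * Asserts that the document holds exactly one element with the given namespace and local name
     * and, when {@code expectedAttributes} is non-null, that each listed attribute is present and
     * its value contains the expected text.
     *
     * @param document parsed descriptor
     * @param namespaceUri namespace of the element
     * @param localName local name of the element
     * @param expectedAttributes attribute name to expected substring, or {@code null} to skip
     */
    private void assertElements(Document document, String namespaceUri, String localName, Map<String, String> expectedAttributes) {
        NodeList matches = document.getElementsByTagNameNS(namespaceUri, localName);
        Assert.assertThat("Expected exactly one " + localName + " element!", matches.getLength(), Matchers.is(Matchers.equalTo(1)));
        if (expectedAttributes == null) {
            return;
        }
        Node element = matches.item(0);
        for (Map.Entry<String, String> expected : expectedAttributes.entrySet()) {
            Node attribute = element.getAttributes().getNamedItem(expected.getKey());
            // Report a missing attribute as an assertion failure instead of a NullPointerException.
            Assert.assertNotNull("Expected attribute " + expected.getKey() + " on " + localName + " element!", attribute);
            Assert.assertThat(attribute.getNodeValue(), Matchers.containsString(expected.getValue()));
        }
    }
}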
