package org.keycloak.testsuite.adapter.servlet;

import java.net.URI;
import java.util.List;
import java.util.UUID;
import java.util.function.Consumer;
import java.util.stream.Collectors;
import javax.ws.rs.core.Response;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.hamcrest.Matchers;
import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.arquillian.graphene.page.Page;
import org.jboss.shrinkwrap.api.spec.WebArchive;
import org.junit.Assert;
import org.junit.Assume;
import org.junit.Before;
import org.junit.Test;
import org.keycloak.admin.client.resource.UserResource;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
import org.keycloak.testsuite.adapter.AbstractAdapterTest;
import org.keycloak.testsuite.adapter.AbstractServletsAdapterTest;
import org.keycloak.testsuite.adapter.page.SalesPostAssertionAndResponseSig;
import org.keycloak.testsuite.arquillian.annotation.AppServerContainer;
import org.keycloak.testsuite.arquillian.annotation.AppServerContainers;
import org.keycloak.testsuite.saml.AbstractSamlTest;
import org.keycloak.testsuite.updaters.Creator;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.IdentityProviderBuilder;
import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.testsuite.util.RoleBuilder;
import org.keycloak.testsuite.util.RolesBuilder;
import org.keycloak.testsuite.util.SamlClient;
import org.keycloak.testsuite.util.SamlClientBuilder;
import org.keycloak.testsuite.util.UserBuilder;
import org.w3c.dom.DOMException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

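/**
 * Regression tests for XML Signature Wrapping (XSW) resistance of Keycloak's SAML processing.
 *
 * <p>Each test obtains a genuine SAML Response from the {@code REALM_NAME} realm (both the Response
 * and the Assertion are signed, see {@link #signingSamlClient}), applies one DOM-level mutation to it
 * and delivers the result to two independent consumers:
 * <ul>
 *   <li>the SAML servlet adapter deployed as {@code sales-post-assertion-and-response-sig}
 *       ({@link #testSamlResponseModificationsClient}), and</li>
 *   <li>Keycloak itself acting as SAML broker for the {@code broker} realm, which pins the IdP's
 *       signing certificate and requires signed assertions ({@link #testSamlResponseModificationsBroker}).</li>
 * </ul>
 * The untouched response must log the user in; every wrapped or unsigned variant must be rejected by
 * both consumers. The wrapping shapes in {@link XSWHelpers} all keep the originally signed element
 * somewhere in the document (so a verifier that merely checks "some signature validates" still passes)
 * while placing a second, unsigned copy where a naive consumer would read it.
 *
 * <p>Caveat for maintainers: the helpers use {@link Assume} when the element they expect to be signed
 * carries no Signature, so a misconfiguration that silently disables signing makes the XSW tests
 * <em>skip</em> rather than fail. {@link #testRemoveSignatures} is the safety net for that case: it
 * expects an unsigned response to be rejected, and should then fail as long as the consumers still
 * require signatures.
 *
 * <p>Note that both realms are configured with the same key pair ({@code REALM_PUBLIC_KEY} /
 * {@code REALM_PRIVATE_KEY}); the tests exercise signature placement and ID handling, not key trust.
 */
@AppServerContainers({@AppServerContainer("app-server-undertow"), @AppServerContainer("app-server-wildfly"), @AppServerContainer("app-server-wildfly-deprecated"), @AppServerContainer("app-server-eap"), @AppServerContainer("app-server-eap6"), @AppServerContainer("app-server-eap71"), @AppServerContainer("app-server-tomcat7"), @AppServerContainer("app-server-tomcat8"), @AppServerContainer("app-server-tomcat9")})
public class SamlSignatureTest extends AbstractAdapterTest {

    private static final String REQUIRED_ROLE_NAME = "manager";
    private static final RoleRepresentation REQUIRED_ROLE = RoleBuilder.create().name(REQUIRED_ROLE_NAME).build();
    private static final String BROKER = "broker";
    private static final String APP_CLIENT_ID = "http://localhost:8280/sales-post-assertion-and-response-sig/";

    /** XML Signature namespace; every Signature lookup in this class goes through it. */
    private static final String XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    private static final String SIGNATURE_TAG = "Signature";

    /** Attacker-chosen IDs given to the element that is NOT the signature's original target. */
    private static final String EVIL_RESPONSE_ID = "_evil_response_ID";
    private static final String EVIL_ASSERTION_ID = "_evil_assertion_ID";

    @Page
    private SalesPostAssertionAndResponseSig salesPostAssertionAndResponseSigPage;

    /** Fresh user created before each test and granted {@link #REQUIRED_ROLE_NAME}. */
    private UserRepresentation user;

    /**
     * DOM transformations that apply the classic XML Signature Wrapping shapes to a SAML Response.
     *
     * <p>Each helper mutates the given document in place. The numbering follows the commonly used
     * XSW1–XSW8 taxonomy. The recipe is always the same: deep-clone the signed element (the first
     * {@code samlp:Response} or {@code saml:Assertion} in document order), strip the Signature from the
     * clone, then arrange original and clone so that the signed content is still present somewhere,
     * while a consumer that selects by position (first in document order, outermost, …) or by ID may
     * pick up the unsigned copy.
     *
     * <p>Which of the two elements carries the attacker-chosen ID differs per variant and is spelled
     * out on each method. XSW7 and XSW8 leave the IDs untouched, producing two elements with the same
     * ID; a verifier that resolves Reference URIs by ID must not be confused by that either.
     *
     * <p>When the targeted element carries no Signature the helper calls {@link Assume}, i.e. the
     * calling test is skipped rather than failed.
     */
    public static class XSWHelpers {

        /**
         * XSW1: the unsigned copy of the Response is appended as a child of the original Response's
         * own Signature element; the original Response (the one left in place) is relabelled
         * {@link #EVIL_RESPONSE_ID}. The copy keeps the ID the signature was computed over.
         */
        public static void applyXSW1(Document document) {
            Element response = firstResponse(document);
            Element copy = unsignedCopyOf(response, "Response needs to be signed");
            firstSignatureIn(response).appendChild(copy);
            response.setAttribute("ID", EVIL_RESPONSE_ID);
        }

        /**
         * XSW2: like XSW1, but the unsigned copy is inserted as a sibling immediately before the
         * original Response's Signature (so it is nested in the Response, not in the Signature).
         * The original Response is relabelled {@link #EVIL_RESPONSE_ID}.
         */
        public static void applyXSW2(Document document) {
            Element response = firstResponse(document);
            Element copy = unsignedCopyOf(response, "Response needs to be signed");
            response.insertBefore(copy, firstSignatureIn(response));
            response.setAttribute("ID", EVIL_RESPONSE_ID);
        }

        /**
         * XSW3: the unsigned copy of the Assertion gets {@link #EVIL_ASSERTION_ID} and is inserted as a
         * sibling <em>before</em> the signed original, so it is the first Assertion in document order.
         * The signed original keeps its ID and position.
         */
        public static void applyXSW3(Document document) {
            Element assertion = firstAssertion(document);
            Element copy = unsignedCopyOf(assertion, "Assertion needs to be signed");
            copy.setAttribute("ID", EVIL_ASSERTION_ID);
            document.getDocumentElement().insertBefore(copy, assertion);
        }

        /**
         * XSW4: the unsigned copy gets {@link #EVIL_ASSERTION_ID}, is appended to the document element,
         * and the signed original is then <em>moved</em> inside the copy. A consumer taking the
         * outermost Assertion sees the unsigned one.
         */
        public static void applyXSW4(Document document) {
            Element assertion = firstAssertion(document);
            Element copy = unsignedCopyOf(assertion, "Assertion needs to be signed");
            copy.setAttribute("ID", EVIL_ASSERTION_ID);
            document.getDocumentElement().appendChild(copy);
            // appendChild re-parents: the original leaves the document element and becomes a child of the copy
            copy.appendChild(assertion);
        }

        /**
         * XSW5: the unsigned copy (keeping the signed ID) is appended at the end of the document
         * element; the original Assertion, still first in document order, is relabelled
         * {@link #EVIL_ASSERTION_ID}.
         */
        public static void applyXSW5(Document document) {
            Element assertion = firstAssertion(document);
            Element copy = unsignedCopyOf(assertion, "Assertion needs to be signed");
            document.getDocumentElement().appendChild(copy);
            assertion.setAttribute("ID", EVIL_ASSERTION_ID);
        }

        /**
         * XSW6: the unsigned copy (keeping the signed ID) is appended inside the original Assertion's
         * own Signature element; the original Assertion is relabelled {@link #EVIL_ASSERTION_ID}.
         */
        public static void applyXSW6(Document document) {
            Element assertion = firstAssertion(document);
            Element copy = unsignedCopyOf(assertion, "Assertion needs to be signed");
            firstSignatureIn(assertion).appendChild(copy);
            assertion.setAttribute("ID", EVIL_ASSERTION_ID);
        }

        /**
         * XSW7: an {@code Extensions} element (created without a namespace, i.e. not a real
         * {@code samlp:Extensions}) is inserted before the signed Assertion and the unsigned copy is
         * placed inside it. No ID is changed, so the document now holds two Assertions with the same ID.
         */
        public static void applyXSW7(Document document) {
            Element assertion = firstAssertion(document);
            Element extensions = document.createElement("Extensions");
            document.getDocumentElement().insertBefore(extensions, assertion);
            Element copy = unsignedCopyOf(assertion, "Assertion needs to be signed");
            extensions.appendChild(copy);
        }

        /**
         * XSW8: an {@code Object} element (created without a namespace, i.e. not a {@code ds:Object})
         * is appended to the original Assertion's Signature and the unsigned copy is placed inside it.
         * No ID is changed, so again two Assertions share one ID.
         */
        public static void applyXSW8(Document document) {
            Element assertion = firstAssertion(document);
            Element copy = unsignedCopyOf(assertion, "Assertion needs to be signed");
            Element object = document.createElement("Object");
            firstSignatureIn(assertion).appendChild(object);
            object.appendChild(copy);
        }

        /** First {@code samlp:Response} in document order ({@code null} if absent). */
        private static Element firstResponse(Document document) {
            return (Element) document.getElementsByTagNameNS(JBossSAMLURIConstants.PROTOCOL_NSURI.get(), "Response").item(0);
        }

        /** First {@code saml:Assertion} in document order ({@code null} if absent). */
        private static Element firstAssertion(Document document) {
            return (Element) document.getElementsByTagNameNS(JBossSAMLURIConstants.ASSERTION_NSURI.get(), "Assertion").item(0);
        }

        /** First {@code ds:Signature} descendant of {@code element} in document order, or {@code null}. */
        private static Element firstSignatureIn(Element element) {
            return (Element) element.getElementsByTagNameNS(XMLDSIG_NS, SIGNATURE_TAG).item(0);
        }

        /**
         * Deep-clones {@code signed} and removes the first Signature found in the clone.
         *
         * @param signed     element expected to carry a Signature
         * @param assumption message used when the clone holds no Signature; the test is then skipped
         *                   via {@link Assume} rather than failed
         * @return the detached, unsigned clone (same attributes, including the ID, as the original)
         */
        private static Element unsignedCopyOf(Element signed, String assumption) {
            Element copy = (Element) signed.cloneNode(true);
            Element copiedSignature = firstSignatureIn(copy);
            Assume.assumeThat(assumption, copiedSignature, Matchers.notNullValue());
            copy.removeChild(copiedSignature);
            return copy;
        }
    }

    /** The SAML-protected servlet that echoes the logged-in user's name. */
    @Deployment(name = "sales-post-assertion-and-response-sig")
    protected static WebArchive salesPostAssertionAndResponseSig() {
        return AbstractServletsAdapterTest.samlServletDeployment("sales-post-assertion-and-response-sig", SendUsernameServlet.class);
    }

    /** Realms are imported once for the class; per-test state is limited to the user created in {@link #addFreshUserToDemoRealm}. */
    @Override
    protected boolean isImportAfterEachMethod() {
        return false;
    }

    /**
     * A SAML client whose Responses and Assertions are both signed (RSA-SHA256) and which uses the
     * username as NameID. Both consumers under test receive messages from clients built this way.
     *
     * @param clientId client ID / SP entity ID
     */
    private static ClientBuilder signingSamlClient(String clientId) {
        return ClientBuilder.create()
                .protocol("saml")
                .enabled(true)
                .attribute("saml.assertion.signature", "true")
                .attribute("saml_name_id_format", "username")
                .attribute("saml.server.signature", "true")
                .attribute("saml.signature.algorithm", "RSA_SHA256")
                .attribute("saml.authnstatement", "true")
                .clientId(clientId);
    }

    /**
     * Registers two realms: {@code REALM_NAME} (the IdP, with the app client and a client for the
     * broker's SP endpoint) and {@code BROKER} (the app client plus a SAML identity provider pointing
     * back at {@code REALM_NAME} with signature validation and signed assertions required).
     * The same app client builder is deliberately registered in both realms.
     */
    @Override
    public void addAdapterTestRealms(List<RealmRepresentation> testRealms) {
        ClientBuilder appClient = signingSamlClient(APP_CLIENT_ID)
                .baseUrl("http://localhost:8080/sales-post-assertion-and-response-sig")
                .redirectUris("http://localhost:8080/sales-post-assertion-and-response-sig/*");

        String brokerRealmUrl = getAuthServerRoot() + "realms/" + BROKER;
        String brokerSpEndpoint = brokerRealmUrl + "/broker/" + AbstractSamlTest.REALM_NAME + "/endpoint";
        // The broker realm acts as an SP towards REALM_NAME; its client ID is the broker realm URL.
        ClientBuilder brokerAsSpClient = signingSamlClient(brokerRealmUrl)
                .baseUrl(brokerSpEndpoint)
                .redirectUris(brokerSpEndpoint);

        testRealms.add(RealmBuilder.create()
                .name(AbstractSamlTest.REALM_NAME)
                .publicKey(AbstractSamlTest.REALM_PUBLIC_KEY)
                .privateKey(AbstractSamlTest.REALM_PRIVATE_KEY)
                .client(appClient)
                .client(brokerAsSpClient)
                .roles(RolesBuilder.create().realmRole(REQUIRED_ROLE))
                .build());

        IdentityProviderBuilder upstreamIdp = IdentityProviderBuilder.create()
                .alias(AbstractSamlTest.REALM_NAME)
                .providerId("saml")
                .setAttribute("singleSignOnServiceUrl", getAuthServerRoot() + "realms/" + AbstractSamlTest.REALM_NAME + "/protocol/saml")
                .setAttribute("postBindingAuthnRequest", "true")
                .setAttribute("postBindingResponse", "true")
                // Pin the IdP certificate and require signatures: this is what the broker-side XSW checks rely on.
                .setAttribute("signingCertificate", AbstractSamlTest.REALM_SIGNING_CERTIFICATE)
                .setAttribute("wantAssertionsSigned", "true")
                .setAttribute("validateSignature", "true");

        testRealms.add(RealmBuilder.create()
                .name(BROKER)
                .publicKey(AbstractSamlTest.REALM_PUBLIC_KEY)
                .privateKey(AbstractSamlTest.REALM_PRIVATE_KEY)
                .client(appClient)
                .identityProvider(upstreamIdp)
                .roles(RolesBuilder.create().realmRole(REQUIRED_ROLE))
                .build());
    }

    /**
     * Creates a random, enabled user in {@code REALM_NAME} with password {@code password}, grants it
     * the realm role {@link #REQUIRED_ROLE_NAME}, and schedules its removal after the test.
     */
    @Before
    public void addFreshUserToDemoRealm() {
        String username = ("U-" + UUID.randomUUID().toString()).toLowerCase();
        this.user = UserBuilder.edit(createUserRepresentation(username, "a@b.c", "A", "B", true))
                .password("password")
                .build();

        Creator<UserResource> created = Creator.create(this.adminClient.realm(AbstractSamlTest.REALM_NAME), this.user);
        getCleanup(AbstractSamlTest.REALM_NAME).addCleanup(created);

        UserResource userResource = created.resource();
        List<RoleRepresentation> requiredRoles = userResource.roles().realmLevel().listAvailable().stream()
                .filter(role -> REQUIRED_ROLE_NAME.equals(role.getName()))
                .collect(Collectors.toList());
        userResource.roles().realmLevel().add(requiredRoles);
    }

    /**
     * Runs one Response mutation against both consumers.
     *
     * @param modification  applied to the DOM of the IdP's signed Response before it is delivered
     * @param expectSuccess {@code true} if the (modified) response must still log the user in;
     *                      {@code false} if both the adapter and the broker must reject it
     */
    private void testSamlResponseModifications(Consumer<Document> modification, boolean expectSuccess) throws Exception {
        Consumer<CloseableHttpResponse> adapterExpectation =
                expectSuccess ? this::assertCorrectUserLoggedIn : SamlSignatureTest::assertUserAccessDenied;
        Consumer<CloseableHttpResponse> brokerExpectation =
                expectSuccess ? SamlSignatureTest::assertUpdateProfilePage : SamlSignatureTest::assertNotUpdateProfilePage;
        testSamlResponseModificationsClient(modification, adapterExpectation);
        testSamlResponseModificationsBroker(modification, brokerExpectation);
    }

    /**
     * Brokered flow: AuthnRequest to the {@code broker} realm, pick the {@code REALM_NAME} IdP, log the
     * user in there, then hand the IdP's Response — after {@code modification} — to the broker and
     * check the broker's reply with {@code expectation}.
     */
    private void testSamlResponseModificationsBroker(Consumer<Document> modification, Consumer<CloseableHttpResponse> expectation) throws Exception {
        URI brokerSamlEndpoint = new URI(getAuthServerRoot() + "realms/" + BROKER + "/protocol/saml");
        new SamlClientBuilder()
                .authnRequest(brokerSamlEndpoint, APP_CLIENT_ID, this.salesPostAssertionAndResponseSigPage.toString(), SamlClient.Binding.POST).build()
                .login().idp(AbstractSamlTest.REALM_NAME).build()
                // broker -> upstream IdP AuthnRequest
                .processSamlResponse(SamlClient.Binding.POST).build()
                .login().user(this.user).build()
                // upstream IdP -> broker Response: this is the signed message under attack
                .processSamlResponse(SamlClient.Binding.POST)
                    .transformDocument(document -> {
                        modification.accept(document);
                        return document;
                    })
                    .build()
                .executeAndTransform(httpResponse -> {
                    expectation.accept(httpResponse);
                    return null;
                });
    }

    /**
     * Direct flow: open the protected servlet, follow its AuthnRequest to {@code REALM_NAME}, log in,
     * then hand the IdP's Response — after {@code modification} — to the adapter and check the
     * servlet's reply with {@code expectation}.
     */
    private void testSamlResponseModificationsClient(Consumer<Document> modification, Consumer<CloseableHttpResponse> expectation) {
        new SamlClientBuilder()
                .navigateTo(this.salesPostAssertionAndResponseSigPage)
                // adapter -> IdP AuthnRequest
                .processSamlResponse(SamlClient.Binding.POST).build()
                .login().user(this.user).build()
                // IdP -> adapter Response: this is the signed message under attack
                .processSamlResponse(SamlClient.Binding.POST)
                    .transformDocument(document -> {
                        modification.accept(document);
                        return document;
                    })
                    .build()
                .executeAndTransform(httpResponse -> {
                    expectation.accept(httpResponse);
                    return null;
                });
    }

    /** Adapter success: HTTP 200 and the servlet echoes the username of the test user. */
    private void assertCorrectUserLoggedIn(CloseableHttpResponse httpResponse) {
        Assert.assertThat(httpResponse, org.keycloak.testsuite.util.Matchers.statusCodeHC(Matchers.is(Integer.valueOf(Response.Status.OK.getStatusCode()))));
        Assert.assertThat(httpResponse, org.keycloak.testsuite.util.Matchers.bodyHC(Matchers.containsString(this.user.getUsername())));
    }

    /** Broker success: a first brokered login lands on the "Update Account Information" page. */
    private static void assertUpdateProfilePage(CloseableHttpResponse httpResponse) {
        Assert.assertThat(httpResponse, org.keycloak.testsuite.util.Matchers.statusCodeIsHC(Response.Status.OK));
        Assert.assertThat(httpResponse, org.keycloak.testsuite.util.Matchers.bodyHC(Matchers.containsString("Update Account Information")));
    }

    /** Broker rejection: an error status (>= 400) and no update-profile page. */
    private static void assertNotUpdateProfilePage(CloseableHttpResponse httpResponse) {
        Assert.assertThat(httpResponse, org.keycloak.testsuite.util.Matchers.statusCodeHC(Matchers.greaterThanOrEqualTo(400)));
        Assert.assertThat(httpResponse, org.keycloak.testsuite.util.Matchers.bodyHC(Matchers.not(Matchers.containsString("Update Account Information"))));
    }

    /**
     * Adapter rejection: the body must name a signature or extraction failure, or show the generic
     * error page. NOTE(review): no status-code assertion here, presumably because the error page status
     * differs between app servers — confirm before tightening.
     */
    private static void assertUserAccessDenied(CloseableHttpResponse httpResponse) {
        Assert.assertThat(httpResponse, org.keycloak.testsuite.util.Matchers.bodyHC(Matchers.anyOf(
                Matchers.containsString("INVALID_SIGNATURE"),
                Matchers.containsString("EXTRACTION_FAILURE"),
                Matchers.containsString("There was an error"))));
    }

    /**
     * Strips every {@code ds:Signature} from the document (Response and Assertion signatures alike).
     * The NodeList is re-queried on every pass because removal changes the live list.
     */
    private static void removeAllSignatures(Document document) throws DOMException {
        NodeList signatures;
        while ((signatures = document.getElementsByTagNameNS(XMLDSIG_NS, SIGNATURE_TAG)).getLength() > 0) {
            Node signature = signatures.item(0);
            signature.getParentNode().removeChild(signature);
        }
    }

    /** Baseline: an untouched signed Response logs the user in at both consumers. */
    @Test
    public void testNoChange() throws Exception {
        testSamlResponseModifications(document -> { }, true);
    }

    /** A Response with all signatures removed must be rejected (signatures are required, not optional). */
    @Test
    public void testRemoveSignatures() throws Exception {
        testSamlResponseModifications(SamlSignatureTest::removeAllSignatures, false);
    }

    @Test
    public void testXSW1() throws Exception {
        testSamlResponseModifications(XSWHelpers::applyXSW1, false);
    }

    @Test
    public void testXSW2() throws Exception {
        testSamlResponseModifications(XSWHelpers::applyXSW2, false);
    }

    @Test
    public void testXSW3() throws Exception {
        testSamlResponseModifications(XSWHelpers::applyXSW3, false);
    }

    @Test
    public void testXSW4() throws Exception {
        testSamlResponseModifications(XSWHelpers::applyXSW4, false);
    }

    @Test
    public void testXSW5() throws Exception {
        testSamlResponseModifications(XSWHelpers::applyXSW5, false);
    }

    @Test
    public void testXSW6() throws Exception {
        testSamlResponseModifications(XSWHelpers::applyXSW6, false);
    }

    @Test
    public void testXSW7() throws Exception {
        testSamlResponseModifications(XSWHelpers::applyXSW7, false);
    }

    @Test
    public void testXSW8() throws Exception {
        testSamlResponseModifications(XSWHelpers::applyXSW8, false);
    }
}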
