package org.keycloak.testsuite.authz;

import java.util.Collection;
import java.util.Map;
import java.util.Set;
import org.hamcrest.Matchers;
import org.junit.Assert;
import org.junit.Test;
import org.keycloak.admin.client.resource.AuthorizationResource;
import org.keycloak.authorization.client.AuthorizationDeniedException;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.AuthorizationResponse;
import org.keycloak.representations.idm.authorization.JSPolicyRepresentation;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.representations.idm.authorization.PermissionRequest;
import org.keycloak.representations.idm.authorization.PermissionResponse;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.ScopePermissionRepresentation;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;

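/**
 * Checks that claims pushed with a UMA permission ticket are available to policy
 * evaluation and are echoed back in the granted permission.
 *
 * <p>The test protects the {@code withdraw} scope of a "Bank Account" resource with a
 * JavaScript policy that grants only when the pushed claim
 * {@code my.bank.account.withdraw.value} is at most 100. It then exercises one request
 * below the limit (expected to be granted) and one above it (expected to be denied).
 */
@AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
public class UmaPermissionTicketPushedClaimsTest extends AbstractResourceServerTest {

    /**
     * Runs the grant and the deny scenario against the same resource and permission.
     *
     * @throws Exception if setting up the resource, policy or permission fails, or if the
     *     first (in-limit) authorization request is rejected
     */
    @Test
    public void testEvaluatePermissionsWithPushedClaims() throws Exception {
        final String withdrawClaim = "my.bank.account.withdraw.value";

        ResourceRepresentation bankAccount = addResource("Bank Account", "withdraw");

        // Policy under test: grant only if the pushed claim is present and <= 100.
        JSPolicyRepresentation withdrawLimitPolicy = new JSPolicyRepresentation();
        withdrawLimitPolicy.setName("Withdraw Limit Policy");
        withdrawLimitPolicy.setCode(
                "var context = $evaluation.getContext();"
                        + "var attributes = context.getAttributes();"
                        + "var withdrawValue = attributes.getValue('my.bank.account.withdraw.value');"
                        + "if (withdrawValue && withdrawValue.asDouble(0) <= 100) {"
                        + "   $evaluation.grant();"
                        + "}");

        AuthorizationResource authorization = getClient(getRealm()).authorization();
        authorization.policies().js().create(withdrawLimitPolicy).close();

        // Bind the policy to the "withdraw" scope so it decides every withdraw request.
        ScopePermissionRepresentation withdrawPermission = new ScopePermissionRepresentation();
        withdrawPermission.setName("Withdraw Permission");
        withdrawPermission.addScope(new String[]{"withdraw"});
        withdrawPermission.addPolicy(new String[]{withdrawLimitPolicy.getName()});
        authorization.permissions().scope().create(withdrawPermission).close();

        AuthzClient authzClient = getAuthzClient();

        // Scenario 1: claim value below the limit, so the ticket must be exchanged for an RPT.
        PermissionRequest permissionRequest = new PermissionRequest(bankAccount.getId(), new String[0]);
        permissionRequest.addScope(new String[]{"withdraw"});
        permissionRequest.setClaim(withdrawClaim, new String[]{"50.5"});
        PermissionResponse grantedTicket =
                authzClient.protection("marta", "password").permission().create(permissionRequest);

        AuthorizationRequest grantedRequest = new AuthorizationRequest();
        grantedRequest.setTicket(grantedTicket.getTicket());
        grantedRequest.setClaimToken(authzClient.obtainAccessToken("marta", "password").getToken());

        AuthorizationResponse granted = authzClient.authorization().authorize(grantedRequest);
        Assert.assertNotNull(granted);
        Assert.assertNotNull(granted.getToken());

        Collection<Permission> permissions =
                toAccessToken(granted.getToken()).getAuthorization().getPermissions();
        Assert.assertEquals(1L, permissions.size());

        // The pushed claim must be carried into the permission inside the issued token.
        Map<String, Set<String>> claims = permissions.iterator().next().getClaims();
        Assert.assertNotNull(claims);
        Assert.assertThat(claims.get(withdrawClaim), Matchers.containsInAnyOrder(new String[]{"50.5"}));

        // Scenario 2: same request with a claim value above the limit, which must be denied.
        permissionRequest.setClaim(withdrawClaim, new String[]{"100.5"});
        PermissionResponse deniedTicket =
                authzClient.protection("marta", "password").permission().create(permissionRequest);

        AuthorizationRequest deniedRequest = new AuthorizationRequest();
        deniedRequest.setTicket(deniedTicket.getTicket());
        deniedRequest.setClaimToken(authzClient.obtainAccessToken("marta", "password").getToken());

        try {
            authzClient.authorization().authorize(deniedRequest);
            Assert.fail("Access should be denied");
        } catch (AuthorizationDeniedException expected) {
            // Only an authorization denial counts as a pass. Catching every Exception here
            // would let an unrelated failure (connection error, broken setup, NPE) be
            // mistaken for a policy deny, so the deny path would never really be verified.
        }
    }
}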
