package org.keycloak.testsuite.oidc.flows;

import java.io.IOException;
import java.security.Security;
import java.util.Iterator;
import java.util.List;
import javax.ws.rs.core.UriBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.jboss.arquillian.graphene.page.Page;
import org.junit.BeforeClass;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.jose.jws.JWSHeader;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.crypto.HashUtils;
import org.keycloak.representations.IDToken;
import org.keycloak.representations.idm.EventRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.testsuite.AbstractTestRealmKeycloakTest;
import org.keycloak.testsuite.Assert;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.AbstractAdminTest;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.pages.AppPage;
import org.keycloak.testsuite.pages.LoginPage;
import org.keycloak.testsuite.util.ClientManager;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.TokenSignatureUtil;

/* loaded from: input_file:org/keycloak/testsuite/oidc/flows/AbstractOIDCResponseTypeTest.class */
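/**
 * Base class for the OIDC response_type tests (code, implicit and the hybrid variants).
 *
 * <p>Subclasses decide how the authorization response is delivered ({@link #isFragment()}) and how the
 * ID tokens are extracted from it ({@link #testAuthzResponseAndRetrieveIDTokens}); this class supplies the
 * shared checks: the nonce and session_state round-trip, the error responses for a missing response_type
 * or nonce and for a flow the client is not allowed to use, and the JWS header / at_hash / c_hash checks
 * when the realm and client use different signature algorithms.
 */
public abstract class AbstractOIDCResponseTypeTest extends AbstractTestRealmKeycloakTest {

    /** Nonce the RP sends on every login here; every ID token issued must echo it back. */
    private static final String TEST_NONCE = "abcdef123456";

    /** Signature algorithm the realm and client are reset to after each algorithm test. */
    private static final String DEFAULT_SIG_ALG = "RS256";

    @Page
    protected AppPage appPage;

    @Page
    protected LoginPage loginPage;

    @Rule
    public AssertEvents events = new AssertEvents(this);

    /** Algorithm the ID token is currently expected to be signed with; also selects the at_hash/c_hash digest. */
    private String idTokenSigAlgName = DEFAULT_SIG_ALG;

    /**
     * Registers BouncyCastle once per JVM for the non-RSA algorithm tests below. The guard avoids
     * adding a duplicate provider when several test classes share the JVM.
     */
    @BeforeClass
    public static void addBouncyCastleProvider() {
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    /** The realm is used as loaded from {@code /testrealm.json}; nothing to tweak here. */
    @Override // org.keycloak.testsuite.AbstractTestRealmKeycloakTest
    public void configureTestRealm(RealmRepresentation realmRepresentation) {
    }

    /** Loads the shared {@code test} realm from the classpath. */
    @Override // org.keycloak.testsuite.AbstractTestRealmKeycloakTest, org.keycloak.testsuite.AbstractKeycloakTest
    public void addTestRealms(List<RealmRepresentation> list) {
        RealmRepresentation realm = (RealmRepresentation) AbstractAdminTest.loadJson(
                getClass().getResourceAsStream("/testrealm.json"), RealmRepresentation.class);
        list.add(realm);
    }

    /**
     * Every ID token handed out for the login must carry the nonce the RP sent (binding the token to this
     * request, so a token captured elsewhere cannot be replayed) and the same session_state that the
     * authorization response announced.
     */
    @Test
    public void nonceAndSessionStateMatches() {
        EventRepresentation loginEvent = loginUser(TEST_NONCE);
        OAuthClient.AuthorizationEndpointResponse response =
                new OAuthClient.AuthorizationEndpointResponse(this.oauth, isFragment());
        Assert.assertNotNull(response.getSessionState());
        assertNonceAndSessionState(response, loginEvent);
    }

    /**
     * The client-supplied {@code session_state=foo} in the redirect_uri must not leak into the tokens:
     * the ID tokens have to carry the session_state the server put on the authorization response.
     */
    @Test
    public void initialSessionStateUsedInRedirect() {
        EventRepresentation loginEvent =
                loginUserWithRedirect(TEST_NONCE, OAuthClient.APP_ROOT + "/auth?session_state=foo");
        OAuthClient.AuthorizationEndpointResponse response =
                new OAuthClient.AuthorizationEndpointResponse(this.oauth, isFragment());
        Assert.assertNotNull(response.getSessionState());
        for (IDToken idToken : testAuthzResponseAndRetrieveIDTokens(response, loginEvent)) {
            Assert.assertEquals(response.getSessionState(), idToken.getSessionState());
        }
    }

    /**
     * An authorization request without response_type must be answered with an {@code invalid_request}
     * redirect and an error event that has no user and no session attached.
     */
    @Test
    public void authorizationRequestMissingResponseType() throws IOException {
        this.oauth.responseType((String) null);
        this.driver.navigate().to(UriBuilder.fromUri(this.oauth.getLoginFormUrl()).build().toURL());
        OAuthClient.AuthorizationEndpointResponse response =
                new OAuthClient.AuthorizationEndpointResponse(this.oauth, false);
        org.junit.Assert.assertTrue(response.isRedirected());
        // expected first, actual second
        org.junit.Assert.assertEquals("invalid_request", response.getError());
        this.events.expectLogin().error("invalid_request").user((String) null).session((String) null)
                .clearDetails().assertEvent();
    }

    /**
     * For response types that return an ID token directly, a missing nonce must be rejected before any
     * credential is issued: no code and no id_token may accompany the error.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void validateNonceNotUsedErrorExpected() {
        this.oauth.nonce((String) null);
        this.driver.navigate().to(this.oauth.getLoginFormUrl());
        // The request is refused up front: we land on the app's error redirect, never on the login form.
        org.junit.Assert.assertFalse(this.loginPage.isCurrent());
        org.junit.Assert.assertTrue(this.appPage.isCurrent());
        OAuthClient.AuthorizationEndpointResponse response = new OAuthClient.AuthorizationEndpointResponse(this.oauth);
        Assert.assertNull(response.getCode());
        Assert.assertNull(response.getIdToken());
        Assert.assertEquals("invalid_request", response.getError());
        Assert.assertEquals("Missing parameter: nonce", response.getErrorDescription());
    }

    /**
     * With the implicit flow disabled on the client, the request must be refused with
     * {@code unauthorized_client}. The flow is re-enabled in a finally block so a failing assertion does
     * not leave the shared test client locked down for the tests that run afterwards.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void validateErrorImplicitFlowNotAllowed() throws Exception {
        clientManagerBuilder().implicitFlow(false);
        try {
            assertFlowNotAllowed(
                    "Client is not allowed to initiate browser login with given response_type. Implicit flow is disabled for the client.");
        } finally {
            clientManagerBuilder().implicitFlow(true);
        }
    }

    /**
     * Same as {@link #validateErrorImplicitFlowNotAllowed()} for the standard (authorization code) flow.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void validateErrorStandardFlowNotAllowed() throws Exception {
        clientManagerBuilder().standardFlow(false);
        try {
            assertFlowNotAllowed(
                    "Client is not allowed to initiate browser login with given response_type. Standard flow is disabled for the client.");
        } finally {
            clientManagerBuilder().standardFlow(true);
        }
    }

    /**
     * Shared body of the "flow disabled" checks: issues the authorization request, expects an
     * {@code unauthorized_client} redirect with the given description and a {@code not_allowed} event
     * without user or session.
     *
     * @param expectedDescription the exact error_description the server is expected to return
     */
    private void assertFlowNotAllowed(String expectedDescription) throws Exception {
        this.driver.navigate().to(UriBuilder.fromUri(this.oauth.getLoginFormUrl()).build().toURL());
        OAuthClient.AuthorizationEndpointResponse response = new OAuthClient.AuthorizationEndpointResponse(this.oauth);
        Assert.assertTrue(response.isRedirected());
        Assert.assertEquals("unauthorized_client", response.getError());
        Assert.assertEquals(expectedDescription, response.getErrorDescription());
        this.events.expectLogin().error("not_allowed").user((String) null).session((String) null)
                .clearDetails().assertEvent();
    }

    /**
     * Logs the default test user in through the browser and returns the login event.
     *
     * @param nonce nonce to put on the authorization request, or {@code null} to leave it unset
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public EventRepresentation loginUser(String nonce) {
        return loginUserWithRedirect(nonce, null);
    }

    /**
     * Logs the default test user in, optionally overriding the redirect_uri of the request.
     *
     * @param nonce       nonce to put on the authorization request, or {@code null} to leave it unset
     * @param redirectUri redirect_uri to use, or {@code null} to keep the client's default; when given it
     *                    is also expected as the {@code redirect_uri} detail of the login event
     */
    protected EventRepresentation loginUserWithRedirect(String nonce, String redirectUri) {
        if (nonce != null) {
            this.oauth.nonce(nonce);
        }
        if (redirectUri != null) {
            this.oauth.redirectUri(redirectUri);
        }
        this.driver.navigate().to(this.oauth.getLoginFormUrl());
        this.loginPage.assertCurrent();
        this.loginPage.login(AssertEvents.DEFAULT_USERNAME, "password");
        Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, this.appPage.getRequestType());
        AssertEvents.ExpectedEvent expected = this.events.expectLogin();
        if (redirectUri != null) {
            expected = expected.detail("redirect_uri", redirectUri);
        }
        return expected.detail("username", AssertEvents.DEFAULT_USERNAME).assertEvent();
    }

    /** Whether the authorization response is delivered in the URL fragment (implicit/hybrid) or the query. */
    protected abstract boolean isFragment();

    /**
     * Validates the authorization response for the concrete response_type and returns every ID token it
     * yields (directly and/or via the code exchange).
     */
    protected abstract List<IDToken> testAuthzResponseAndRetrieveIDTokens(
            OAuthClient.AuthorizationEndpointResponse authorizationEndpointResponse, EventRepresentation eventRepresentation);

    /** Admin-side handle on the default test client of the {@code test} realm. */
    /* JADX INFO: Access modifiers changed from: protected */
    public ClientManager.ClientManagerBuilder clientManagerBuilder() {
        return ClientManager.realm(this.adminClient.realm("test")).clientId(AssertEvents.DEFAULT_CLIENT_ID);
    }

    /**
     * Runs one login and checks the JWS headers of whatever tokens the response carries: the {@code alg}
     * header must be exactly the configured algorithm (a token signed with anything else, including a
     * downgraded algorithm, must fail here), {@code typ} must be {@code JWT} and no {@code cty} is set.
     *
     * @param realmAlg  algorithm configured on the realm; expected on the access token
     * @param clientAlg algorithm configured on the client; expected on the ID token
     */
    private void oidcFlow(String realmAlg, String clientAlg) throws Exception {
        EventRepresentation loginEvent = loginUser(TEST_NONCE);
        OAuthClient.AuthorizationEndpointResponse response =
                new OAuthClient.AuthorizationEndpointResponse(this.oauth, isFragment());
        Assert.assertNotNull(response.getSessionState());
        assertJwsHeader(response.getIdToken(), clientAlg);
        assertJwsHeader(response.getAccessToken(), realmAlg);
        assertNonceAndSessionState(response, loginEvent);
    }

    /**
     * Asserts the JWS header of a compact-serialized token, if the response carried one.
     *
     * @param token       the serialized JWS, or {@code null} when this response_type does not return it
     * @param expectedAlg the algorithm name the {@code alg} header must equal
     */
    private static void assertJwsHeader(String token, String expectedAlg) throws Exception {
        if (token == null) {
            return;
        }
        JWSHeader header = new JWSInput(token).getHeader();
        org.junit.Assert.assertEquals(expectedAlg, header.getAlgorithm().name());
        org.junit.Assert.assertEquals("JWT", header.getType());
        org.junit.Assert.assertNull(header.getContentType());
    }

    /** Every ID token from the response must echo {@link #TEST_NONCE} and the response's session_state. */
    private void assertNonceAndSessionState(OAuthClient.AuthorizationEndpointResponse response,
                                            EventRepresentation loginEvent) {
        for (IDToken idToken : testAuthzResponseAndRetrieveIDTokens(response, loginEvent)) {
            Assert.assertEquals(TEST_NONCE, idToken.getNonce());
            Assert.assertEquals(response.getSessionState(), idToken.getSessionState());
        }
    }

    @Test
    public void oidcFlow_RealmRS256_ClientRS384() throws Exception {
        oidcFlowRequest("RS256", "RS384");
    }

    @Test
    public void oidcFlow_RealmES256_ClientES384() throws Exception {
        oidcFlowRequest("ES256", "ES384");
    }

    @Test
    public void oidcFlow_RealmRS256_ClientPS256() throws Exception {
        oidcFlowRequest("RS256", "PS256");
    }

    @Test
    public void oidcFlow_RealmPS256_ClientES256() throws Exception {
        oidcFlowRequest("PS256", "ES256");
    }

    /**
     * Configures the realm and client signature algorithms, runs {@link #oidcFlow}, and always resets
     * both back to {@link #DEFAULT_SIG_ALG} so a failure cannot bleed into the next test.
     */
    private void oidcFlowRequest(String realmAlg, String clientAlg) throws Exception {
        try {
            applySignatureAlgorithms(realmAlg, clientAlg);
            oidcFlow(realmAlg, clientAlg);
        } finally {
            applySignatureAlgorithms(DEFAULT_SIG_ALG, DEFAULT_SIG_ALG);
        }
    }

    /** Sets the realm token algorithm, the client's ID-token algorithm and the locally expected ID-token algorithm together. */
    private void applySignatureAlgorithms(String realmAlg, String clientAlg) {
        setIdTokenSignatureAlgorithm(clientAlg);
        TokenSignatureUtil.changeRealmTokenSignatureProvider(this.adminClient, realmAlg);
        TokenSignatureUtil.changeClientIdTokenSignatureProvider(
                ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID), clientAlg);
    }

    private void setIdTokenSignatureAlgorithm(String alg) {
        this.idTokenSigAlgName = alg;
    }

    /** Algorithm the ID token is currently expected to be signed with. */
    /* JADX INFO: Access modifiers changed from: protected */
    public String getIdTokenSignatureAlgorithm() {
        return this.idTokenSigAlgName;
    }

    /**
     * Checks the {@code at_hash} claim against the access token. The digest is derived from the ID token's
     * signature algorithm by {@code HashUtils.oidcHash}, as OIDC Core requires; using a fixed digest here
     * would make the check pass or fail for the wrong reason once the algorithm is changed.
     *
     * @param atHash      the at_hash claim from the ID token
     * @param accessToken the access token delivered alongside it
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void assertValidAccessTokenHash(String atHash, String accessToken) {
        Assert.assertNotNull(atHash);
        Assert.assertNotNull(accessToken);
        org.junit.Assert.assertEquals(atHash, HashUtils.oidcHash(getIdTokenSignatureAlgorithm(), accessToken));
    }

    /**
     * Checks the {@code c_hash} claim against the authorization code, with the same algorithm-derived
     * digest as {@link #assertValidAccessTokenHash}.
     *
     * @param cHash the c_hash claim from the ID token
     * @param code  the authorization code delivered alongside it
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void assertValidCodeHash(String cHash, String code) {
        Assert.assertNotNull(cHash);
        Assert.assertNotNull(code);
        Assert.assertEquals(cHash, HashUtils.oidcHash(getIdTokenSignatureAlgorithm(), code));
    }
}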
