package org.keycloak.testsuite.oauth;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.net.URI;
import java.security.Security;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import javax.ws.rs.client.Entity;
import javax.ws.rs.client.WebTarget;
import javax.ws.rs.core.Form;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.message.BasicNameValuePair;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.hamcrest.Matchers;
import org.hamcrest.collection.IsArrayContaining;
import org.jboss.resteasy.client.jaxrs.ResteasyClient;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.ClientScopeResource;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.UserResource;
import org.keycloak.common.enums.SslRequired;
import org.keycloak.common.util.Base64Url;
import org.keycloak.crypto.ECDSASignatureProvider;
import org.keycloak.jose.jws.JWSHeader;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
import org.keycloak.protocol.oidc.mappers.HardcodedClaim;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.IDToken;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.ClientScopeRepresentation;
import org.keycloak.representations.idm.EventRepresentation;
import org.keycloak.representations.idm.ProtocolMapperRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.ActionURIUtils;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.AbstractAdminTest;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.util.AdminClientUtil;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.ClientManager;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.ProtocolMapperUtil;
import org.keycloak.testsuite.util.RealmManager;
import org.keycloak.testsuite.util.RoleBuilder;
import org.keycloak.testsuite.util.ServerURLs;
import org.keycloak.testsuite.util.TokenSignatureUtil;
import org.keycloak.testsuite.util.UserBuilder;
import org.keycloak.testsuite.util.UserInfoClientUtil;
import org.keycloak.testsuite.util.UserManager;
import org.keycloak.util.BasicAuthHelper;
import org.keycloak.util.JsonSerialization;
import org.openqa.selenium.By;

/* loaded from: input_file:org/keycloak/testsuite/oauth/AccessTokenTest.class */
public class AccessTokenTest extends AbstractKeycloakTest {

    // JUnit rule used by the tests below to assert on the login and code-to-token events they expect.
    @Rule
    public AssertEvents events = new AssertEvents(this);

    /**
     * Set-up hook inherited from {@link AbstractKeycloakTest}; this class adds nothing to it
     * and simply delegates to the superclass implementation.
     */
    @Override
    public void beforeAbstractKeycloakTest() throws Exception {
        super.beforeAbstractKeycloakTest();
    }

    /**
     * Registers the Bouncy Castle JCE provider once per test class, unless a provider
     * named "BC" is already installed in the JVM.
     */
    @BeforeClass
    public static void addBouncyCastleProvider() {
        boolean alreadyRegistered = Security.getProvider("BC") != null;
        if (alreadyRegistered) {
            return;
        }
        Security.addProvider(new BouncyCastleProvider());
    }

    /**
     * Runs before every test: calls {@code directAccessGrant(true)} on the default test client
     * of realm "test" and points the shared OAuth helper at that client.
     */
    @Before
    public void clientConfiguration() {
        RealmResource testRealm = this.adminClient.realm("test");
        ClientManager.realm(testRealm)
                .clientId(AssertEvents.DEFAULT_CLIENT_ID)
                .directAccessGrant(true);
        this.oauth.clientId(AssertEvents.DEFAULT_CLIENT_ID);
    }

    /**
     * Builds the realm used by this class from {@code /testrealm.json}, adds a
     * "no-permissions" user holding only the "user" role, and switches off full scope
     * on the default test client so that tokens carry only explicitly scoped roles.
     *
     * @param list collection the prepared realm representation is appended to
     */
    @Override
    public void addTestRealms(List<RealmRepresentation> list) {
        RealmRepresentation testRealm = (RealmRepresentation) AbstractAdminTest.loadJson(
                getClass().getResourceAsStream("/testrealm.json"), RealmRepresentation.class);

        UserRepresentation noPermissionsUser = UserBuilder.create()
                .id(KeycloakModelUtils.generateId())
                .username("no-permissions")
                .addRoles("user")
                .password("password")
                .build();
        testRealm.getUsers().add(noPermissionsUser);

        // Only the default test client is restricted; every other client keeps its setting.
        for (ClientRepresentation client : testRealm.getClients()) {
            if (AssertEvents.DEFAULT_CLIENT_ID.equals(client.getClientId())) {
                client.setFullScopeAllowed(false);
            }
        }

        list.add(testRealm);
    }

    /**
     * Opens the login form and checks that the label bound to the username input reads
     * "Username or email".
     */
    @Test
    public void loginFormUsernameOrEmailLabel() throws Exception {
        this.oauth.openLoginForm();

        String usernameLabel = this.driver.findElement(By.xpath("//label[@for='username']")).getText();
        Assert.assertEquals("Username or email", usernameLabel);
    }

    /**
     * Happy path of the authorization code flow: logs in, redeems the code and then checks the
     * token response metadata, the JWS header of each issued token, the access token claims
     * and the code-to-token event that was recorded.
     */
    @Test
    public void accessTokenRequest() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");

        EventRepresentation loginEvent = this.events.expectLogin().assertEvent();
        String sessionId = loginEvent.getSessionId();
        String codeId = (String) loginEvent.getDetails().get("code_id");

        String code = (String) this.oauth.getCurrentQuery().get("code");
        OAuthClient.AccessTokenResponse tokenResponse = this.oauth.doAccessTokenRequest(code, "password");

        // Response metadata: lifetimes are accepted within a 50 second window below the upper bound.
        Assert.assertEquals(200L, tokenResponse.getStatusCode());
        Assert.assertThat(Integer.valueOf(tokenResponse.getExpiresIn()),
                Matchers.allOf(Matchers.greaterThanOrEqualTo(250), Matchers.lessThanOrEqualTo(300)));
        Assert.assertThat(Integer.valueOf(tokenResponse.getRefreshExpiresIn()),
                Matchers.allOf(Matchers.greaterThanOrEqualTo(1750), Matchers.lessThanOrEqualTo(1800)));
        Assert.assertEquals("Bearer", tokenResponse.getTokenType());

        // The kid in the token headers must match the first key returned by the realm's certs request.
        String expectedKid = this.oauth.doCertsRequest("test").getKeys()[0].getKeyId();

        // Access token: RS256-signed JWT carrying the expected kid and no "cty" header.
        JWSHeader accessTokenHeader = new JWSInput(tokenResponse.getAccessToken()).getHeader();
        Assert.assertEquals("RS256", accessTokenHeader.getAlgorithm().name());
        Assert.assertEquals("JWT", accessTokenHeader.getType());
        Assert.assertEquals(expectedKid, accessTokenHeader.getKeyId());
        Assert.assertNull(accessTokenHeader.getContentType());

        // ID token: same expectations as the access token.
        JWSInput idTokenJws = new JWSInput(tokenResponse.getIdToken());
        JWSHeader idTokenHeader = idTokenJws.getHeader();
        Assert.assertEquals("RS256", idTokenHeader.getAlgorithm().name());
        Assert.assertEquals("JWT", idTokenHeader.getType());
        Assert.assertEquals(expectedKid, idTokenHeader.getKeyId());
        Assert.assertNull(idTokenHeader.getContentType());

        // Refresh token: HS256; the kid is not compared for this token.
        JWSHeader refreshTokenHeader = new JWSInput(tokenResponse.getRefreshToken()).getHeader();
        Assert.assertEquals("HS256", refreshTokenHeader.getAlgorithm().name());
        Assert.assertEquals("JWT", refreshTokenHeader.getType());
        Assert.assertNull(refreshTokenHeader.getContentType());

        AccessToken accessToken = this.oauth.verifyToken(tokenResponse.getAccessToken());

        // The subject is the user's id and must not be the username itself.
        String expectedSubject = ApiUtil.findUserByUsername(this.adminClient.realm("test"), AssertEvents.DEFAULT_USERNAME).getId();
        Assert.assertEquals(expectedSubject, accessToken.getSubject());
        Assert.assertNotEquals(AssertEvents.DEFAULT_USERNAME, accessToken.getSubject());
        Assert.assertEquals(sessionId, accessToken.getSessionState());

        // The ID token's "sid" claim is read from the raw payload and must equal the login session id.
        ObjectMapper mapper = JsonSerialization.mapper;
        JsonNode idTokenClaims = mapper.readTree(mapper.getFactory().createParser(idTokenJws.readContentAsString()));
        Assert.assertEquals(sessionId, idTokenClaims.get("sid").asText());

        // Time claims: no nbf, and the iat/exp accessors agree with their int counterparts.
        Assert.assertNull(accessToken.getNbf());
        Assert.assertEquals(0L, accessToken.getNotBefore());
        Assert.assertNotNull(accessToken.getIat());
        Assert.assertEquals(accessToken.getIat().intValue(), accessToken.getIssuedAt());
        Assert.assertNotNull(accessToken.getExp());
        Assert.assertEquals(accessToken.getExp().intValue(), accessToken.getExpiration());

        // Exactly one realm role and one client role are expected in the token.
        Assert.assertEquals(1L, accessToken.getRealmAccess().getRoles().size());
        Assert.assertTrue(accessToken.getRealmAccess().isUserInRole("user"));
        Assert.assertEquals(1L, accessToken.getResourceAccess(this.oauth.getClientId()).getRoles().size());
        Assert.assertTrue(accessToken.getResourceAccess(this.oauth.getClientId()).isUserInRole("customer-user"));

        // The code-to-token event must reference the ids of the tokens that were just issued.
        EventRepresentation codeToTokenEvent = this.events.expectCodeToToken(codeId, sessionId).assertEvent();
        Assert.assertEquals(accessToken.getId(), codeToTokenEvent.getDetails().get("token_id"));
        Assert.assertEquals(this.oauth.parseRefreshToken(tokenResponse.getRefreshToken()).getId(),
                codeToTokenEvent.getDetails().get("refresh_token_id"));
        Assert.assertEquals(sessionId, accessToken.getSessionState());
    }

    /**
     * Sends the token endpoint the "code" query parameter taken from the login form's action
     * URI (captured before credentials are submitted) instead of the code delivered on the
     * redirect, and expects a 400 response without a refresh token.
     */
    @Test
    public void accessTokenWrongCode() throws Exception {
        this.oauth.openLoginForm();

        String actionUri = ActionURIUtils.getActionURIFromPageSource(this.driver.getPageSource());
        String loginFormCode = (String) ActionURIUtils.parseQueryParamsFromActionURI(actionUri).get("code");

        this.oauth.fillLoginForm(AssertEvents.DEFAULT_USERNAME, "password");
        this.events.expectLogin().assertEvent();

        OAuthClient.AccessTokenResponse tokenResponse = this.oauth.doAccessTokenRequest(loginFormCode, "password");
        Assert.assertEquals(400L, tokenResponse.getStatusCode());
        Assert.assertNull(tokenResponse.getRefreshToken());
    }

    /**
     * Redeems a valid code with a wrong client secret and expects HTTP 401 plus an
     * "invalid_client_credentials" event that carries neither user nor session.
     */
    @Test
    public void accessTokenInvalidClientCredentials() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");

        EventRepresentation loginEvent = this.events.expectLogin().assertEvent();
        String codeId = (String) loginEvent.getDetails().get("code_id");

        String code = (String) this.oauth.getCurrentQuery().get("code");
        OAuthClient.AccessTokenResponse tokenResponse = this.oauth.doAccessTokenRequest(code, "invalid");
        Assert.assertEquals(401L, tokenResponse.getStatusCode());

        this.events.expectCodeToToken(codeId, loginEvent.getSessionId())
                .error("invalid_client_credentials")
                .clearDetails()
                .user((String) null)
                .session((String) null)
                .assertEvent();
    }

    /**
     * Redeems a valid code without any client secret and expects HTTP 401 plus an
     * "invalid_client_credentials" event that carries neither user nor session.
     */
    @Test
    public void accessTokenMissingClientCredentials() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");

        EventRepresentation loginEvent = this.events.expectLogin().assertEvent();
        String codeId = (String) loginEvent.getDetails().get("code_id");

        String code = (String) this.oauth.getCurrentQuery().get("code");
        OAuthClient.AccessTokenResponse tokenResponse = this.oauth.doAccessTokenRequest(code, (String) null);
        Assert.assertEquals(401L, tokenResponse.getStatusCode());

        this.events.expectCodeToToken(codeId, loginEvent.getSessionId())
                .error("invalid_client_credentials")
                .clearDetails()
                .user((String) null)
                .session((String) null)
                .assertEvent();
    }

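    /**
     * Redeems a valid code while presenting a redirect URI that differs from the one used at
     * login. The token endpoint must answer 400 / "invalid_grant" / "Incorrect redirect_uri",
     * and the recorded event must carry the "invalid_code" error without any token ids.
     */
    @Test
    public void accessTokenInvalidRedirectUri() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");

        EventRepresentation loginEvent = this.events.expectLogin().assertEvent();
        String codeId = (String) loginEvent.getDetails().get("code_id");
        String code = (String) this.oauth.getCurrentQuery().get("code");

        String originalRedirectUri = this.oauth.getRedirectUri();
        this.oauth.redirectUri("http://invalid");
        try {
            OAuthClient.AccessTokenResponse tokenResponse = this.oauth.doAccessTokenRequest(code, "password");
            Assert.assertEquals(400L, tokenResponse.getStatusCode());
            Assert.assertEquals("invalid_grant", tokenResponse.getError());
            Assert.assertEquals("Incorrect redirect_uri", tokenResponse.getErrorDescription());

            this.events.expectCodeToToken(codeId, loginEvent.getSessionId())
                    .error("invalid_code")
                    .removeDetail("token_id")
                    .removeDetail("refresh_token_id")
                    .removeDetail("refresh_token_type")
                    .assertEvent();
        } finally {
            // Restore the helper's redirect URI even when an assertion fails, so the bogus
            // value is not left on the OAuth helper after this test.
            this.oauth.redirectUri(originalRedirectUri);
        }
    }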

    /**
     * Removes the user session between login and code redemption and expects the token request
     * to fail with 400, return no tokens and record an "invalid_code" event without a user.
     */
    @Test
    public void accessTokenUserSessionExpired() {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");

        EventRepresentation loginEvent = this.events.expectLogin().assertEvent();
        String codeId = (String) loginEvent.getDetails().get("code_id");
        String sessionId = loginEvent.getSessionId();

        // Drop the session server-side before the code is exchanged.
        this.testingClient.testing().removeUserSession("test", sessionId);

        String code = (String) this.oauth.getCurrentQuery().get("code");
        OAuthClient.AccessTokenResponse tokenResponse = this.oauth.doAccessTokenRequest(code, "password");
        Assert.assertEquals(400L, tokenResponse.getStatusCode());
        Assert.assertNull(tokenResponse.getAccessToken());
        Assert.assertNull(tokenResponse.getRefreshToken());

        this.events.expectCodeToToken(codeId, sessionId)
                .removeDetail("token_id")
                .user((String) null)
                .removeDetail("refresh_token_id")
                .removeDetail("refresh_token_type")
                .error("invalid_code")
                .assertEvent();
        this.events.clear();
    }

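    /**
     * Sets the realm's access code lifespan to 1, moves the time offset to 2 and expects the
     * token endpoint to reject the code with 400 and an "expired_code" event.
     *
     * <p>The time offset and the lifespan are reset in {@code finally} blocks so that a failing
     * assertion does not leave the shifted clock or the 1-unit lifespan in place.
     */
    @Test
    public void accessTokenCodeExpired() {
        RealmManager.realm(this.adminClient.realm("test")).accessCodeLifeSpan(1);
        try {
            this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");

            EventRepresentation loginEvent = this.events.expectLogin().assertEvent();
            String codeId = (String) loginEvent.getDetails().get("code_id");
            String code = (String) this.oauth.getCurrentQuery().get("code");

            setTimeOffset(2);
            try {
                Assert.assertEquals(400L, this.oauth.doAccessTokenRequest(code, "password").getStatusCode());
            } finally {
                setTimeOffset(0);
            }

            // NOTE(review): the code id is passed for both arguments, unlike accessTokenRequest,
            // which passes the session id as the second one; confirm this is intended.
            AssertEvents.ExpectedEvent expectedEvent = this.events.expectCodeToToken(codeId, codeId);
            expectedEvent.error("expired_code")
                    .removeDetail("token_id")
                    .removeDetail("refresh_token_id")
                    .removeDetail("refresh_token_type")
                    .user((String) null);
            expectedEvent.assertEvent();

            this.events.clear();
        } finally {
            RealmManager.realm(this.adminClient.realm("test")).accessCodeLifeSpan(60);
        }
    }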

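    /**
     * Verifies single-use enforcement of authorization codes. The first redemption succeeds and
     * the access token works against userinfo and introspection. The second redemption of the
     * same code must fail with 400 / "invalid_code", after which the token issued by the first
     * redemption must be unusable: userinfo answers 401 and introspection reports it inactive.
     * This matches the OAuth 2.0 guidance (RFC 6749, section 4.1.2) that a reused code should
     * lead to revocation of tokens already issued from it.
     *
     * @throws IOException if an introspection response cannot be parsed as JSON
     */
    @Test
    public void accessTokenCodeUsed() throws IOException {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");

        EventRepresentation loginEvent = this.events.expectLogin().assertEvent();
        String codeId = (String) loginEvent.getDetails().get("code_id");

        // Keep the code in a local: it is redeemed a second time further down.
        String code = (String) this.oauth.getCurrentQuery().get("code");
        OAuthClient.AccessTokenResponse tokenResponse = this.oauth.doAccessTokenRequest(code, "password");
        Assert.assertEquals(200L, tokenResponse.getStatusCode());
        String accessToken = tokenResponse.getAccessToken();

        ResteasyClient client = AdminClientUtil.createResteasyClient();
        try {
            // The token from the first redemption is valid for userinfo and introspection.
            UserInfoClientUtil.testSuccessfulUserInfoResponse(
                    UserInfoClientUtil.executeUserInfoRequest_getMethod(client, accessToken),
                    AssertEvents.DEFAULT_USERNAME, AssertEvents.DEFAULT_USERNAME);
            JsonNode activeIntrospection = new ObjectMapper().readTree(
                    this.oauth.introspectAccessTokenWithClientCredential(AssertEvents.DEFAULT_CLIENT_ID, "password", accessToken));
            Assert.assertTrue(activeIntrospection.get("active").asBoolean());
            Assert.assertEquals(AssertEvents.DEFAULT_USERNAME, activeIntrospection.get("email").asText());
            this.events.clear();

            // Replaying the same code must be rejected.
            Assert.assertEquals(400L, this.oauth.doAccessTokenRequest(code, "password").getStatusCode());
            AssertEvents.ExpectedEvent expectedEvent = this.events.expectCodeToToken(codeId, codeId);
            expectedEvent.error("invalid_code")
                    .removeDetail("token_id")
                    .removeDetail("refresh_token_id")
                    .removeDetail("refresh_token_type")
                    .user((String) null);
            expectedEvent.assertEvent();

            // After the replay the previously issued token must no longer be accepted.
            Response userInfoResponse = UserInfoClientUtil.executeUserInfoRequest_getMethod(client, accessToken);
            try {
                Assert.assertEquals(Response.Status.UNAUTHORIZED.getStatusCode(), userInfoResponse.getStatus());
            } finally {
                userInfoResponse.close();
            }
            JsonNode revokedIntrospection = new ObjectMapper().readTree(
                    this.oauth.introspectAccessTokenWithClientCredential(AssertEvents.DEFAULT_CLIENT_ID, "password", accessToken));
            Assert.assertFalse(revokedIntrospection.get("active").asBoolean());
            Assert.assertNull(revokedIntrospection.get("email"));

            this.events.clear();
            RealmManager.realm(this.adminClient.realm("test")).accessCodeLifeSpan(60);
        } finally {
            client.close();
        }
    }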

    /**
     * Assigns a temporary realm role to the user, logs in, deletes the role before the code is
     * redeemed, and expects the token request to succeed with only the "user" realm role in the
     * access token.
     */
    @Test
    public void accessTokenCodeRoleMissing() {
        RealmResource testRealm = this.adminClient.realm("test");

        RoleRepresentation tmpRole = RoleBuilder.create().name("tmp-role").build();
        testRealm.roles().create(tmpRole);
        UserResource user = ApiUtil.findUserByUsernameId(testRealm, AssertEvents.DEFAULT_USERNAME);
        UserManager.realm(testRealm).user(user).assignRoles(tmpRole.getName());

        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        EventRepresentation loginEvent = this.events.expectLogin().assertEvent();
        loginEvent.getDetails().get("code_id");
        String code = (String) this.oauth.getCurrentQuery().get("code");

        // The role disappears between login and code redemption.
        testRealm.roles().deleteRole("tmp-role");

        OAuthClient.AccessTokenResponse tokenResponse = this.oauth.doAccessTokenRequest(code, "password");
        Assert.assertEquals(200L, tokenResponse.getStatusCode());

        AccessToken accessToken = this.oauth.verifyToken(tokenResponse.getAccessToken());
        Assert.assertEquals(1L, accessToken.getRealmAccess().getRoles().size());
        Assert.assertTrue(accessToken.getRealmAccess().isUserInRole("user"));

        this.events.clear();
    }

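    /**
     * Puts the UPDATE_PROFILE required action on the user, logs in, and expects that the "code"
     * parameter found in the resulting page's action URI cannot be redeemed (400) and that the
     * polled event carries no "code_id".
     *
     * <p>The required action is removed in a {@code finally} block so that a failed assertion
     * does not leave the user with a pending required action.
     */
    @Test
    public void accessTokenCodeHasRequiredAction() {
        UserResource user = ApiUtil.findUserByUsernameId(this.adminClient.realm("test"), AssertEvents.DEFAULT_USERNAME);
        String updateProfile = UserModel.RequiredAction.UPDATE_PROFILE.toString();

        UserManager.realm(this.adminClient.realm("test")).user(user).addRequiredAction(updateProfile);
        try {
            this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");

            String actionUri = ActionURIUtils.getActionURIFromPageSource(this.driver.getPageSource());
            String code = (String) ActionURIUtils.parseQueryParamsFromActionURI(actionUri).get("code");
            Assert.assertEquals(400L, this.oauth.doAccessTokenRequest(code, "password").getStatusCode());

            Assert.assertNull(this.events.poll().getDetails().get("code_id"));
        } finally {
            UserManager.realm(this.adminClient.realm("test")).user(user).removeRequiredAction(updateProfile);
        }
    }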

    @Test
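    /**
     * Exercises the password grant against the token endpoint of realm "test" across a series
     * of negative cases, restoring each setting after its case, and ends with a successful grant.
     * The cases cover: SSL required for all requests, missing username, missing password, wrong
     * password, bearer-only client, disabled realm, disabled client, pending required action,
     * wrong password while a required action is pending, and disabled user.
     *
     * <p>Every response is closed through try-with-resources and the REST client is closed in
     * {@code finally}, so a failing assertion no longer leaks them.
     *
     * <p>NOTE(review): realm, client and user settings are restored inline after each case. If an
     * assertion fails midway, the setting changed for that case (for example a disabled realm
     * or a bearer-only client) is not rolled back by this method.
     */
    @Test
    public void testGrantAccessToken() throws Exception {
        ResteasyClient client = AdminClientUtil.createResteasyClient();
        try {
            WebTarget grantTarget = client.target(OIDCLoginProtocolService.tokenUrl(UriBuilder.fromUri(OAuthClient.AUTH_SERVER_ROOT)).build(new Object[]{"test"}));

            // SSL required for all requests: 200 when the suite runs with SSL required, 403 otherwise.
            {
                RealmResource realmResource = this.adminClient.realm("test");
                RealmRepresentation realmRep = realmResource.toRepresentation();
                realmRep.setSslRequired(SslRequired.ALL.toString());
                realmResource.update(realmRep);
                try (Response response = executeGrantAccessTokenRequest(grantTarget)) {
                    Assert.assertEquals(ServerURLs.AUTH_SERVER_SSL_REQUIRED ? 200L : 403L, response.getStatus());
                }
            }
            {
                RealmResource realmResource = realmsResouce().realm("test");
                RealmRepresentation realmRep = realmResource.toRepresentation();
                realmRep.setSslRequired(SslRequired.EXTERNAL.toString());
                realmResource.update(realmRep);
            }

            // Missing username.
            {
                String authHeader = BasicAuthHelper.createHeader(AssertEvents.DEFAULT_CLIENT_ID, "password");
                Form form = new Form();
                form.param("grant_type", "password");
                form.param("password", "password");
                try (Response response = grantTarget.request().header("Authorization", authHeader).post(Entity.form(form))) {
                    Assert.assertEquals(401L, response.getStatus());
                }
            }

            // Missing password.
            {
                String authHeader = BasicAuthHelper.createHeader(AssertEvents.DEFAULT_CLIENT_ID, "password");
                Form form = new Form();
                form.param("grant_type", "password");
                form.param("username", AssertEvents.DEFAULT_USERNAME);
                try (Response response = grantTarget.request().header("Authorization", authHeader).post(Entity.form(form))) {
                    Assert.assertEquals(401L, response.getStatus());
                }
            }

            // Wrong password.
            {
                String authHeader = BasicAuthHelper.createHeader(AssertEvents.DEFAULT_CLIENT_ID, "password");
                Form form = new Form();
                form.param("grant_type", "password");
                form.param("username", AssertEvents.DEFAULT_USERNAME);
                form.param("password", "invalid");
                try (Response response = grantTarget.request().header("Authorization", authHeader).post(Entity.form(form))) {
                    Assert.assertEquals(401L, response.getStatus());
                }
            }

            // Missing password again; this request repeats the earlier missing-password case.
            {
                String authHeader = BasicAuthHelper.createHeader(AssertEvents.DEFAULT_CLIENT_ID, "password");
                Form form = new Form();
                form.param("grant_type", "password");
                form.param("username", AssertEvents.DEFAULT_USERNAME);
                try (Response response = grantTarget.request().header("Authorization", authHeader).post(Entity.form(form))) {
                    Assert.assertEquals(401L, response.getStatus());
                }
            }

            // Bearer-only client must not obtain tokens.
            {
                ClientResource clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
                ClientRepresentation clientRep = clientResource.toRepresentation();
                clientRep.setBearerOnly(true);
                clientResource.update(clientRep);
                try (Response response = executeGrantAccessTokenRequest(grantTarget)) {
                    Assert.assertEquals(401L, response.getStatus());
                }
            }
            {
                ClientResource clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
                ClientRepresentation clientRep = clientResource.toRepresentation();
                clientRep.setBearerOnly(false);
                // The secret is written back explicitly when the client is switched back.
                clientRep.setSecret("password");
                clientResource.update(clientRep);
            }

            // Disabled realm.
            {
                RealmResource realmResource = realmsResouce().realm("test");
                RealmRepresentation realmRep = realmResource.toRepresentation();
                realmRep.setEnabled(false);
                realmResource.update(realmRep);
                try (Response response = executeGrantAccessTokenRequest(grantTarget)) {
                    Assert.assertEquals(403L, response.getStatus());
                }
            }
            {
                RealmResource realmResource = realmsResouce().realm("test");
                RealmRepresentation realmRep = realmResource.toRepresentation();
                realmRep.setEnabled(true);
                realmResource.update(realmRep);
            }

            // Disabled client.
            {
                ClientResource clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
                ClientRepresentation clientRep = clientResource.toRepresentation();
                clientRep.setEnabled(false);
                clientResource.update(clientRep);
                try (Response response = executeGrantAccessTokenRequest(grantTarget)) {
                    Assert.assertEquals(400L, response.getStatus());
                }
            }
            {
                ClientResource clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
                ClientRepresentation clientRep = clientResource.toRepresentation();
                clientRep.setEnabled(true);
                clientResource.update(clientRep);
            }

            // Pending required action: the grant is refused with an explicit description.
            {
                UserResource userResource = ApiUtil.findUserByUsernameId(this.adminClient.realm("test"), AssertEvents.DEFAULT_USERNAME);
                UserRepresentation userRep = userResource.toRepresentation();
                userRep.getRequiredActions().add(UserModel.RequiredAction.UPDATE_PASSWORD.toString());
                userResource.update(userRep);
                try (Response response = executeGrantAccessTokenRequest(grantTarget)) {
                    Assert.assertEquals(400L, response.getStatus());
                    JsonNode error = new ObjectMapper().readTree((String) response.readEntity(String.class));
                    Assert.assertEquals("invalid_grant", error.get("error").asText());
                    Assert.assertEquals("Account is not fully set up", error.get("error_description").asText());
                }
            }

            // Wrong password while the required action is still pending: the error description
            // is the generic credentials message, not the account-state one asserted above.
            try (Response response = executeGrantAccessTokenRequestWrongPassword(grantTarget)) {
                Assert.assertEquals(401L, response.getStatus());
                JsonNode error = new ObjectMapper().readTree((String) response.readEntity(String.class));
                Assert.assertEquals("invalid_grant", error.get("error").asText());
                Assert.assertEquals("Invalid user credentials", error.get("error_description").asText());
            }
            {
                UserResource userResource = ApiUtil.findUserByUsernameId(this.adminClient.realm("test"), AssertEvents.DEFAULT_USERNAME);
                UserRepresentation userRep = userResource.toRepresentation();
                userRep.getRequiredActions().remove(UserModel.RequiredAction.UPDATE_PASSWORD.toString());
                userResource.update(userRep);
            }

            // Disabled user.
            {
                UserResource userResource = ApiUtil.findUserByUsernameId(this.adminClient.realm("test"), AssertEvents.DEFAULT_USERNAME);
                UserRepresentation userRep = userResource.toRepresentation();
                userRep.setEnabled(false);
                userResource.update(userRep);
                try (Response response = executeGrantAccessTokenRequest(grantTarget)) {
                    Assert.assertEquals(400L, response.getStatus());
                }
            }
            {
                UserResource userResource = ApiUtil.findUserByUsernameId(this.adminClient.realm("test"), AssertEvents.DEFAULT_USERNAME);
                UserRepresentation userRep = userResource.toRepresentation();
                userRep.setEnabled(true);
                userResource.update(userRep);
            }

            // With everything restored the grant succeeds.
            try (Response response = executeGrantAccessTokenRequest(grantTarget)) {
                Assert.assertEquals(200L, response.getStatus());
            }
        } finally {
            client.close();
        }
        this.events.clear();
    }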

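    /**
     * Adds two role-name mappers to the default test client ("user" to "realm-user" and "admin"
     * to "the-admin"), requests a token for the "no-permissions" user and expects the access
     * token to contain exactly one realm role, the renamed "realm-user".
     *
     * <p>The mappers whose name starts with "rename-role" are deleted in {@code finally} and the
     * REST client is closed there too, so a failed assertion leaves neither the role renaming
     * nor the client behind.
     */
    @Test
    public void testKeycloak2221() throws Exception {
        ResteasyClient client = AdminClientUtil.createResteasyClient();
        ClientResource clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
        try {
            WebTarget grantTarget = client.target(OIDCLoginProtocolService.tokenUrl(UriBuilder.fromUri(OAuthClient.AUTH_SERVER_ROOT)).build(new Object[]{"test"}));

            clientResource.getProtocolMappers().createMapper(ProtocolMapperUtil.createRoleNameMapper("rename-role", "user", "realm-user")).close();
            clientResource.getProtocolMappers().createMapper(ProtocolMapperUtil.createRoleNameMapper("rename-role2", "admin", "the-admin")).close();

            try (Response response = executeGrantRequest(grantTarget, "no-permissions", "password")) {
                Assert.assertEquals(200L, response.getStatus());
                AccessToken accessToken = getAccessToken((AccessTokenResponse) response.readEntity(AccessTokenResponse.class));
                // Expected value first, so a failure message reports the two values the right way round.
                Assert.assertEquals(1L, accessToken.getRealmAccess().getRoles().size());
                Assert.assertTrue(accessToken.getRealmAccess().getRoles().contains("realm-user"));
            }
        } finally {
            try {
                ClientRepresentation currentRep = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID).toRepresentation();
                for (ProtocolMapperRepresentation mapper : currentRep.getProtocolMappers()) {
                    if (mapper.getName().startsWith("rename-role")) {
                        clientResource.getProtocolMappers().delete(mapper.getId());
                    }
                }
            } finally {
                client.close();
            }
        }
        this.events.clear();
    }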

    /**
     * Exercises role scoping and protocol mappers contributed by a client scope, using the
     * resource-owner password grant against realm {@code test}.
     *
     * <p>With {@code fullScopeAllowed} switched off on the client, a realm role held by the user
     * is expected in the access token only while a scope mapping for that role exists on the
     * client or on a client scope attached to it. The hardcoded claim {@code hard=coded} is
     * expected in the ID and access tokens only while the client scope is a default scope of
     * the client.
     */
    @Test
    public void testClientScope() throws Exception {
        RealmResource realm = this.adminClient.realm("test");
        // Create two realm roles and read them back so their server-side representation is available.
        RoleRepresentation roleRepresentation = new RoleRepresentation();
        roleRepresentation.setName("realm-test-role");
        realm.roles().create(roleRepresentation);
        RoleRepresentation representation = realm.roles().get("realm-test-role").toRepresentation();
        RoleRepresentation roleRepresentation2 = new RoleRepresentation();
        roleRepresentation2.setName("realm-test-role2");
        realm.roles().create(roleRepresentation2);
        RoleRepresentation representation2 = realm.roles().get("realm-test-role2").toRepresentation();
        // Grant both roles to the default test user.
        List search = realm.users().search(AssertEvents.DEFAULT_USERNAME, -1, -1);
        Assert.assertEquals(1L, search.size());
        UserRepresentation userRepresentation = (UserRepresentation) search.get(0);
        LinkedList linkedList = new LinkedList();
        linkedList.add(representation);
        linkedList.add(representation2);
        realm.users().get(userRepresentation.getId()).roles().realmLevel().add(linkedList);
        // Create an OpenID Connect client scope and attach a hardcoded-claim mapper to it.
        ClientScopeRepresentation clientScopeRepresentation = new ClientScopeRepresentation();
        clientScopeRepresentation.setName("scope");
        clientScopeRepresentation.setProtocol("openid-connect");
        Response create = realm.clientScopes().create(clientScopeRepresentation);
        Assert.assertEquals(201L, create.getStatus());
        URI location = create.getLocation();
        String createdId = ApiUtil.getCreatedId(create);
        create.close();
        ClientScopeResource clientScopeResource = (ClientScopeResource) this.adminClient.proxy(ClientScopeResource.class, location);
        Response createMapper = clientScopeResource.getProtocolMappers().createMapper(ModelToRepresentation.toRepresentation(HardcodedClaim.create("hard", "hard", "coded", "String", true, true)));
        Assert.assertEquals(201L, createMapper.getStatus());
        createMapper.close();
        // Make the new scope a default scope of the test client and disable full scope, so that
        // roles must be granted through explicit scope mappings to show up in tokens.
        // NOTE(review): fullScopeAllowed is not restored anywhere in this method — confirm that a
        // fixture resets the client before other tests run.
        ClientRepresentation representation3 = ApiUtil.findClientByClientId(realm, AssertEvents.DEFAULT_CLIENT_ID).toRepresentation();
        realm.clients().get(representation3.getId()).addDefaultClientScope(createdId);
        representation3.setFullScopeAllowed(false);
        realm.clients().get(representation3.getId()).update(representation3);
        // Phase 1: no scope mappings yet. The hardcoded claim is present, neither role is.
        ResteasyClient createResteasyClient = AdminClientUtil.createResteasyClient();
        Response executeGrantAccessTokenRequest = executeGrantAccessTokenRequest(createResteasyClient.target(OIDCLoginProtocolService.tokenUrl(UriBuilder.fromUri(OAuthClient.AUTH_SERVER_ROOT)).build(new Object[]{"test"})));
        Assert.assertEquals(200L, executeGrantAccessTokenRequest.getStatus());
        AccessTokenResponse accessTokenResponse = (AccessTokenResponse) executeGrantAccessTokenRequest.readEntity(AccessTokenResponse.class);
        Assert.assertEquals("coded", getIdToken(accessTokenResponse).getOtherClaims().get("hard"));
        AccessToken accessToken = getAccessToken(accessTokenResponse);
        Assert.assertEquals("coded", accessToken.getOtherClaims().get("hard"));
        Assert.assertFalse(accessToken.getRealmAccess().getRoles().contains(representation.getName()));
        Assert.assertFalse(accessToken.getRealmAccess().getRoles().contains(representation2.getName()));
        executeGrantAccessTokenRequest.close();
        createResteasyClient.close();
        // Phase 2: map the first role on the client scope. Only the first role is expected.
        LinkedList linkedList2 = new LinkedList();
        linkedList2.add(representation);
        clientScopeResource.getScopeMappings().realmLevel().add(linkedList2);
        ResteasyClient createResteasyClient2 = AdminClientUtil.createResteasyClient();
        Response executeGrantAccessTokenRequest2 = executeGrantAccessTokenRequest(createResteasyClient2.target(OIDCLoginProtocolService.tokenUrl(UriBuilder.fromUri(OAuthClient.AUTH_SERVER_ROOT)).build(new Object[]{"test"})));
        Assert.assertEquals(200L, executeGrantAccessTokenRequest2.getStatus());
        AccessToken accessToken2 = getAccessToken((AccessTokenResponse) executeGrantAccessTokenRequest2.readEntity(AccessTokenResponse.class));
        Assert.assertNotNull(accessToken2.getRealmAccess());
        Assert.assertTrue(accessToken2.getRealmAccess().getRoles().contains(representation.getName()));
        Assert.assertFalse(accessToken2.getRealmAccess().getRoles().contains(representation2.getName()));
        executeGrantAccessTokenRequest2.close();
        createResteasyClient2.close();
        // Phase 3: map the second role directly on the client. Both roles are expected.
        LinkedList linkedList3 = new LinkedList();
        linkedList3.add(representation2);
        realm.clients().get(representation3.getId()).getScopeMappings().realmLevel().add(linkedList3);
        ResteasyClient createResteasyClient3 = AdminClientUtil.createResteasyClient();
        Response executeGrantAccessTokenRequest3 = executeGrantAccessTokenRequest(createResteasyClient3.target(OIDCLoginProtocolService.tokenUrl(UriBuilder.fromUri(OAuthClient.AUTH_SERVER_ROOT)).build(new Object[]{"test"})));
        Assert.assertEquals(200L, executeGrantAccessTokenRequest3.getStatus());
        AccessToken accessToken3 = getAccessToken((AccessTokenResponse) executeGrantAccessTokenRequest3.readEntity(AccessTokenResponse.class));
        Assert.assertNotNull(accessToken3.getRealmAccess());
        Assert.assertTrue(accessToken3.getRealmAccess().getRoles().contains(representation.getName()));
        Assert.assertTrue(accessToken3.getRealmAccess().getRoles().contains(representation2.getName()));
        executeGrantAccessTokenRequest3.close();
        createResteasyClient3.close();
        // Phase 4: remove both scope mappings again. Neither role is expected.
        clientScopeResource.getScopeMappings().realmLevel().remove(linkedList2);
        realm.clients().get(representation3.getId()).getScopeMappings().realmLevel().remove(linkedList3);
        ResteasyClient createResteasyClient4 = AdminClientUtil.createResteasyClient();
        Response executeGrantAccessTokenRequest4 = executeGrantAccessTokenRequest(createResteasyClient4.target(OIDCLoginProtocolService.tokenUrl(UriBuilder.fromUri(OAuthClient.AUTH_SERVER_ROOT)).build(new Object[]{"test"})));
        Assert.assertEquals(200L, executeGrantAccessTokenRequest4.getStatus());
        AccessToken accessToken4 = getAccessToken((AccessTokenResponse) executeGrantAccessTokenRequest4.readEntity(AccessTokenResponse.class));
        Assert.assertFalse(accessToken4.getRealmAccess().getRoles().contains(representation.getName()));
        Assert.assertFalse(accessToken4.getRealmAccess().getRoles().contains(representation2.getName()));
        executeGrantAccessTokenRequest4.close();
        createResteasyClient4.close();
        // Phase 5: detach the scope from the client, then map both roles on the detached scope.
        // A scope that is not attached to the client must contribute neither roles nor claims.
        realm.clients().get(representation3.getId()).removeDefaultClientScope(createdId);
        clientScopeResource.getScopeMappings().realmLevel().add(linkedList2);
        clientScopeResource.getScopeMappings().realmLevel().add(linkedList3);
        ResteasyClient createResteasyClient5 = AdminClientUtil.createResteasyClient();
        Response executeGrantAccessTokenRequest5 = executeGrantAccessTokenRequest(createResteasyClient5.target(OIDCLoginProtocolService.tokenUrl(UriBuilder.fromUri(OAuthClient.AUTH_SERVER_ROOT)).build(new Object[]{"test"})));
        Assert.assertEquals(200L, executeGrantAccessTokenRequest5.getStatus());
        AccessTokenResponse accessTokenResponse2 = (AccessTokenResponse) executeGrantAccessTokenRequest5.readEntity(AccessTokenResponse.class);
        AccessToken accessToken5 = getAccessToken(accessTokenResponse2);
        Assert.assertFalse(accessToken5.getRealmAccess().getRoles().contains(representation.getName()));
        Assert.assertFalse(accessToken5.getRealmAccess().getRoles().contains(representation2.getName()));
        Assert.assertNull(accessToken5.getOtherClaims().get("hard"));
        Assert.assertNull(getIdToken(accessTokenResponse2).getOtherClaims().get("hard"));
        executeGrantAccessTokenRequest5.close();
        createResteasyClient5.close();
        // Cleanup: drop the role assignments, the roles and the client scope.
        // NOTE(review): cleanup is skipped when an assertion above fails, and the HTTP
        // clients/responses are closed only on the success path.
        realm.users().get(userRepresentation.getId()).roles().realmLevel().remove(linkedList);
        realm.roles().get(representation.getName()).remove();
        realm.roles().get(representation2.getName()).remove();
        clientScopeResource.remove();
        // Phase 6: after the scope is deleted the hardcoded claim stays absent from both tokens.
        ResteasyClient createResteasyClient6 = AdminClientUtil.createResteasyClient();
        Response executeGrantAccessTokenRequest6 = executeGrantAccessTokenRequest(createResteasyClient6.target(OIDCLoginProtocolService.tokenUrl(UriBuilder.fromUri(OAuthClient.AUTH_SERVER_ROOT)).build(new Object[]{"test"})));
        Assert.assertEquals(200L, executeGrantAccessTokenRequest6.getStatus());
        AccessTokenResponse accessTokenResponse3 = (AccessTokenResponse) executeGrantAccessTokenRequest6.readEntity(AccessTokenResponse.class);
        Assert.assertNull(getIdToken(accessTokenResponse3).getOtherClaims().get("hard"));
        Assert.assertNull(getAccessToken(accessTokenResponse3).getOtherClaims().get("hard"));
        executeGrantAccessTokenRequest6.close();
        createResteasyClient6.close();
        this.events.clear();
    }

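    /**
     * Checks that an authorization-code exchange by a public client succeeds even when the
     * request carries an {@code Authorization: Negotiate ...} header.
     *
     * <p>The client is created as a public client, so it is identified by the {@code client_id}
     * form parameter only. The test expects HTTP 200 and a verifiable access token, i.e. the
     * unrelated {@code Negotiate} header must not be treated as a failed client authentication.
     *
     * @throws Exception if the HTTP exchange or token verification fails
     */
    @Test
    public void testAuthorizationNegotiateHeaderIgnored() throws Exception {
        this.adminClient.realm("test").clients().create(ClientBuilder.create().clientId("sample-public-client").authenticatorType("client-secret").redirectUris(this.oauth.getRedirectUri() + "/*").publicClient().build());
        this.oauth.clientId("sample-public-client");
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        EventRepresentation loginEvent = this.events.expectLogin().client("sample-public-client").assertEvent();
        String sessionId = loginEvent.getSessionId();
        String codeId = (String) loginEvent.getDetails().get("code_id");
        String code = (String) this.oauth.getCurrentQuery().get("code");
        // try-with-resources closes the HTTP client on success and on failure alike.
        try (CloseableHttpClient httpClient = HttpClientBuilder.create().build()) {
            HttpPost tokenPost = new HttpPost(this.oauth.getAccessTokenUrl());
            List<BasicNameValuePair> params = new LinkedList<>();
            params.add(new BasicNameValuePair("grant_type", "authorization_code"));
            params.add(new BasicNameValuePair("code", code));
            params.add(new BasicNameValuePair("redirect_uri", this.oauth.getRedirectUri()));
            params.add(new BasicNameValuePair("client_id", this.oauth.getClientId()));
            // Deliberately bogus value: the endpoint is expected to ignore this scheme.
            tokenPost.setHeader("Authorization", "Negotiate something-which-will-be-ignored");
            tokenPost.setEntity(new UrlEncodedFormEntity(params, "UTF-8"));
            OAuthClient.AccessTokenResponse tokenResponse = new OAuthClient.AccessTokenResponse(httpClient.execute(tokenPost));
            Assert.assertEquals(200L, tokenResponse.getStatusCode());
            this.oauth.verifyToken(tokenResponse.getAccessToken());
            this.events.expectCodeToToken(codeId, sessionId).client("sample-public-client").assertEvent();
        }
    }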

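    /**
     * Checks that token lifetimes never outlive the SSO session.
     *
     * <p>The realm's SSO session max lifespan is set to 30 minutes. Right after login the
     * refresh token is expected to expire in 30 minutes and the access token in 5 minutes.
     * After moving the clock to 60 seconds before the session's end, a refresh is expected to
     * return tokens that both expire in 60 seconds.
     *
     * @throws Exception if a login, token request or realm update fails
     */
    @Test
    public void expiration() throws Exception {
        int ssoSessionMax = (int) TimeUnit.MINUTES.toSeconds(30L);
        int expectedRefreshExpiresIn = (int) TimeUnit.MINUTES.toSeconds(30L);
        // presumably the realm's configured access token lifespan — confirm against the test realm
        int expectedAccessExpiresIn = (int) TimeUnit.MINUTES.toSeconds(5L);
        RealmResource realm = this.adminClient.realm("test");
        RealmRepresentation realmRep = realm.toRepresentation();
        Integer originalSsoSessionMax = realmRep.getSsoSessionMaxLifespan();
        realmRep.setSsoSessionMaxLifespan(Integer.valueOf(ssoSessionMax));
        realm.update(realmRep);
        try {
            this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            String code = (String) this.oauth.getCurrentQuery().get("code");
            OAuthClient.AccessTokenResponse tokenResponse = this.oauth.doAccessTokenRequest(code, "password");
            Assert.assertEquals(200L, tokenResponse.getStatusCode());
            org.keycloak.testsuite.Assert.assertExpiration(tokenResponse.getRefreshExpiresIn(), expectedRefreshExpiresIn);
            org.keycloak.testsuite.Assert.assertExpiration(tokenResponse.getExpiresIn(), expectedAccessExpiresIn);
            // Jump to one minute before the SSO session reaches its maximum lifespan.
            // NOTE(review): the offset is not reset in this method — confirm a fixture resets it.
            setTimeOffset(ssoSessionMax - 60);
            OAuthClient.AccessTokenResponse refreshResponse = this.oauth.doRefreshTokenRequest(tokenResponse.getRefreshToken(), "password");
            Assert.assertEquals(200L, refreshResponse.getStatusCode());
            org.keycloak.testsuite.Assert.assertExpiration(refreshResponse.getRefreshExpiresIn(), 60);
            org.keycloak.testsuite.Assert.assertExpiration(refreshResponse.getExpiresIn(), 60);
        } finally {
            // Restore the realm setting whether or not the assertions passed.
            realmRep.setSsoSessionMaxLifespan(originalSsoSessionMax);
            realm.update(realmRep);
        }
    }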

    /**
     * Checks the HTTP headers of a successful token response: JSON content type plus
     * {@code Cache-Control: no-store} and {@code Pragma: no-cache}.
     *
     * <p>RFC 6749 section 5.1 requires both anti-caching headers on any response that carries
     * tokens, so that intermediaries and browsers do not keep a copy of them.
     *
     * @throws Exception if the login or the token request fails
     */
    @Test
    public void accessTokenResponseHeader() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        // Consume the login event; the session id it returns is not used further.
        this.events.expectLogin().assertEvent().getSessionId();
        String code = (String) this.oauth.getCurrentQuery().get("code");
        OAuthClient.AccessTokenResponse tokenResponse = this.oauth.doAccessTokenRequest(code, "password");
        Assert.assertEquals(200L, tokenResponse.getStatusCode());
        Map<?, ?> responseHeaders = tokenResponse.getHeaders();
        Assert.assertEquals("application/json", responseHeaders.get("Content-Type"));
        Assert.assertEquals("no-store", responseHeaders.get("Cache-Control"));
        Assert.assertEquals("no-cache", responseHeaders.get("Pragma"));
    }

    /**
     * Decodes the ID token of a token response into an {@link IDToken}.
     *
     * <p>This helper only parses the JWS and reads its JSON payload; it makes no signature
     * check, so it is suitable for inspecting claims, not for trusting them.
     *
     * @param accessTokenResponse token endpoint response holding the encoded ID token
     * @return the decoded ID token claims
     * @throws JWSInputException if the token cannot be parsed
     */
    private IDToken getIdToken(AccessTokenResponse accessTokenResponse) throws JWSInputException {
        JWSInput parsedIdToken = new JWSInput(accessTokenResponse.getIdToken());
        return (IDToken) parsedIdToken.readJsonContent(IDToken.class);
    }

    /**
     * Decodes the access token of a token response into an {@link AccessToken}.
     *
     * <p>This helper only parses the JWS and reads its JSON payload; it makes no signature
     * check, so it is suitable for inspecting claims, not for trusting them.
     *
     * @param accessTokenResponse token endpoint response holding the encoded access token
     * @return the decoded access token claims
     * @throws JWSInputException if the token cannot be parsed
     */
    private AccessToken getAccessToken(AccessTokenResponse accessTokenResponse) throws JWSInputException {
        JWSInput parsedAccessToken = new JWSInput(accessTokenResponse.getToken());
        return (AccessToken) parsedAccessToken.readJsonContent(AccessToken.class);
    }

    /**
     * Runs a password grant for the default test user with the password {@code "password"}.
     *
     * @param webTarget token endpoint to post to
     * @return the raw token endpoint response; the caller is responsible for closing it
     */
    protected Response executeGrantAccessTokenRequest(WebTarget webTarget) {
        final String userPassword = "password";
        return executeGrantRequest(webTarget, AssertEvents.DEFAULT_USERNAME, userPassword);
    }

    /**
     * Runs a password grant for the default test user with the password {@code "bad-password"},
     * for tests that need a failed user authentication.
     *
     * @param webTarget token endpoint to post to
     * @return the raw token endpoint response; the caller is responsible for closing it
     */
    protected Response executeGrantAccessTokenRequestWrongPassword(WebTarget webTarget) {
        final String wrongPassword = "bad-password";
        return executeGrantRequest(webTarget, AssertEvents.DEFAULT_USERNAME, wrongPassword);
    }

    /**
     * Posts a resource-owner password grant ({@code grant_type=password}, {@code scope=openid})
     * to the given token endpoint.
     *
     * <p>The client authenticates with HTTP Basic using the default test client id and the
     * secret {@code "password"}; the user credentials travel in the form body.
     *
     * @param webTarget token endpoint to post to
     * @param str username sent in the {@code username} form field
     * @param str2 password sent in the {@code password} form field
     * @return the raw token endpoint response; the caller is responsible for closing it
     */
    protected Response executeGrantRequest(WebTarget webTarget, String str, String str2) {
        String basicAuthHeader = BasicAuthHelper.createHeader(AssertEvents.DEFAULT_CLIENT_ID, "password");
        Form grantForm = new Form();
        grantForm.param("grant_type", "password");
        grantForm.param("username", str);
        grantForm.param("password", str2);
        grantForm.param("scope", "openid");
        return webTarget.request().header("Authorization", basicAuthHeader).post(Entity.form(grantForm));
    }

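    /**
     * Checks that the client attribute {@code access.token.lifespan} overrides the realm's
     * access token lifespan.
     *
     * <p>With the attribute set to {@code 500} the access token is expected to expire in 500
     * seconds. With {@code -1} a refreshed access token is expected to expire after the realm's
     * SSO session max lifespan, i.e. the session remains the upper bound.
     */
    @Test
    public void clientAccessTokenLifespanOverride() {
        ClientResource client = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
        ClientRepresentation clientRep = client.toRepresentation();
        // Read the realm once; the original listing referenced an undefined temporary here.
        RealmRepresentation realmRep = this.adminClient.realm("test").toRepresentation();
        int ssoSessionMax = realmRep.getSsoSessionMaxLifespan().intValue();
        // The override value must differ from the realm default, or the test proves nothing.
        Assert.assertNotEquals(realmRep.getAccessTokenLifespan().intValue(), 500L);
        try {
            clientRep.getAttributes().put("access.token.lifespan", "500");
            client.update(clientRep);
            this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            String code = (String) this.oauth.getCurrentQuery().get("code");
            OAuthClient.AccessTokenResponse tokenResponse = this.oauth.doAccessTokenRequest(code, "password");
            Assert.assertEquals(200L, tokenResponse.getStatusCode());
            org.keycloak.testsuite.Assert.assertExpiration(tokenResponse.getExpiresIn(), 500);
            clientRep.getAttributes().put("access.token.lifespan", "-1");
            client.update(clientRep);
            OAuthClient.AccessTokenResponse refreshResponse = this.oauth.doRefreshTokenRequest(tokenResponse.getRefreshToken(), "password");
            Assert.assertEquals(200L, refreshResponse.getStatusCode());
            org.keycloak.testsuite.Assert.assertExpiration(refreshResponse.getExpiresIn(), ssoSessionMax);
        } finally {
            // Remove the override whether or not the assertions passed.
            clientRep.getAttributes().put("access.token.lifespan", null);
            client.update(clientRep);
        }
    }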

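    /**
     * Checks that the client session max lifespan caps the access token lifetime, first at
     * realm level and then through the client attribute {@code client.session.max.lifespan}.
     *
     * <p>Expected {@code expires_in}: the realm access token lifespan after login, that value
     * minus 100 once the realm setting is lowered, and minus 200 once the client attribute is
     * set lower still.
     *
     * @throws Exception if a login, token request or configuration update fails
     */
    @Test
    public void testClientSessionMaxLifespan() throws Exception {
        ClientResource client = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
        ClientRepresentation clientRep = client.toRepresentation();
        RealmResource realm = this.adminClient.realm("test");
        RealmRepresentation realmRep = realm.toRepresentation();
        int accessTokenLifespan = realmRep.getAccessTokenLifespan().intValue();
        Integer originalClientSessionMax = realmRep.getClientSessionMaxLifespan();
        try {
            this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            String code = (String) this.oauth.getCurrentQuery().get("code");
            OAuthClient.AccessTokenResponse tokenResponse = this.oauth.doAccessTokenRequest(code, "password");
            Assert.assertEquals(200L, tokenResponse.getStatusCode());
            org.keycloak.testsuite.Assert.assertExpiration(tokenResponse.getExpiresIn(), accessTokenLifespan);
            // Realm-level cap below the access token lifespan.
            realmRep.setClientSessionMaxLifespan(Integer.valueOf(accessTokenLifespan - 100));
            realm.update(realmRep);
            OAuthClient.AccessTokenResponse firstRefresh = this.oauth.doRefreshTokenRequest(tokenResponse.getRefreshToken(), "password");
            Assert.assertEquals(200L, firstRefresh.getStatusCode());
            org.keycloak.testsuite.Assert.assertExpiration(firstRefresh.getExpiresIn(), accessTokenLifespan - 100);
            // Client-level cap, lower than the realm-level one.
            clientRep.getAttributes().put("client.session.max.lifespan", Integer.toString(accessTokenLifespan - 200));
            client.update(clientRep);
            OAuthClient.AccessTokenResponse secondRefresh = this.oauth.doRefreshTokenRequest(firstRefresh.getRefreshToken(), "password");
            Assert.assertEquals(200L, secondRefresh.getStatusCode());
            org.keycloak.testsuite.Assert.assertExpiration(secondRefresh.getExpiresIn(), accessTokenLifespan - 200);
        } finally {
            // Restore realm and client settings whether or not the assertions passed.
            realmRep.setClientSessionMaxLifespan(originalClientSessionMax);
            realm.update(realmRep);
            clientRep.getAttributes().put("client.session.max.lifespan", null);
            client.update(clientRep);
        }
    }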

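    /**
     * Checks that the client offline session max lifespan caps the access token lifetime of an
     * offline session, first at realm level and then through the client attribute
     * {@code client.offline.session.max.lifespan}.
     *
     * <p>The login requests the {@code offline_access} scope with the realm's offline session
     * max lifespan enabled. Expected {@code expires_in}: the realm access token lifespan after
     * login, minus 100 after lowering the realm setting, minus 200 after setting the client
     * attribute.
     *
     * @throws Exception if a login, token request or configuration update fails
     */
    @Test
    public void testClientOfflineSessionMaxLifespan() throws Exception {
        ClientResource client = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
        ClientRepresentation clientRep = client.toRepresentation();
        RealmResource realm = this.adminClient.realm("test");
        RealmRepresentation realmRep = realm.toRepresentation();
        int accessTokenLifespan = realmRep.getAccessTokenLifespan().intValue();
        Boolean originalOfflineMaxEnabled = realmRep.getOfflineSessionMaxLifespanEnabled();
        Integer originalClientOfflineMax = realmRep.getClientOfflineSessionMaxLifespan();
        try {
            realmRep.setOfflineSessionMaxLifespanEnabled(true);
            realm.update(realmRep);
            // NOTE(review): the requested scope is not reset in this method — confirm a fixture does it.
            this.oauth.scope("offline_access");
            this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            String code = (String) this.oauth.getCurrentQuery().get("code");
            OAuthClient.AccessTokenResponse tokenResponse = this.oauth.doAccessTokenRequest(code, "password");
            Assert.assertEquals(200L, tokenResponse.getStatusCode());
            org.keycloak.testsuite.Assert.assertExpiration(tokenResponse.getExpiresIn(), accessTokenLifespan);
            // Realm-level cap below the access token lifespan.
            realmRep.setClientOfflineSessionMaxLifespan(Integer.valueOf(accessTokenLifespan - 100));
            realm.update(realmRep);
            OAuthClient.AccessTokenResponse firstRefresh = this.oauth.doRefreshTokenRequest(tokenResponse.getRefreshToken(), "password");
            Assert.assertEquals(200L, firstRefresh.getStatusCode());
            org.keycloak.testsuite.Assert.assertExpiration(firstRefresh.getExpiresIn(), accessTokenLifespan - 100);
            // Client-level cap, lower than the realm-level one.
            clientRep.getAttributes().put("client.offline.session.max.lifespan", Integer.toString(accessTokenLifespan - 200));
            client.update(clientRep);
            OAuthClient.AccessTokenResponse secondRefresh = this.oauth.doRefreshTokenRequest(firstRefresh.getRefreshToken(), "password");
            Assert.assertEquals(200L, secondRefresh.getStatusCode());
            org.keycloak.testsuite.Assert.assertExpiration(secondRefresh.getExpiresIn(), accessTokenLifespan - 200);
        } finally {
            // Restore realm and client settings whether or not the assertions passed.
            realmRep.setOfflineSessionMaxLifespanEnabled(originalOfflineMaxEnabled);
            realmRep.setClientOfflineSessionMaxLifespan(originalClientOfflineMax);
            realm.update(realmRep);
            clientRep.getAttributes().put("client.offline.session.max.lifespan", null);
            client.update(clientRep);
        }
    }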

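    /**
     * Checks that no refresh token is issued when the client attribute
     * {@code use.refresh.tokens} is {@code "false"}: the code exchange still succeeds and
     * returns an access token, but the refresh token is absent.
     */
    @Test
    public void accessTokenRequestNoRefreshToken() {
        ClientResource client = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
        ClientRepresentation clientRep = client.toRepresentation();
        clientRep.getAttributes().put("use.refresh.tokens", "false");
        client.update(clientRep);
        try {
            this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            String code = (String) this.oauth.getCurrentQuery().get("code");
            OAuthClient.AccessTokenResponse tokenResponse = this.oauth.doAccessTokenRequest(code, "password");
            Assert.assertEquals(200L, tokenResponse.getStatusCode());
            Assert.assertNotNull(tokenResponse.getAccessToken());
            Assert.assertNull(tokenResponse.getRefreshToken());
        } finally {
            // Re-enable refresh tokens even when an assertion fails, so that the shared test
            // client is not left misconfigured for the tests that follow.
            clientRep.getAttributes().put("use.refresh.tokens", "true");
            client.update(clientRep);
        }
    }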

    /**
     * Token request with the client's access tokens signed with PS384 and the realm default
     * set to RS256; the refresh token header is expected to name HS256.
     */
    @Test
    public void accessTokenRequest_ClientPS384_RealmRS256() throws Exception {
        final String refreshTokenAlg = "HS256";
        final String clientAccessTokenAlg = "PS384";
        final String realmAlg = "RS256";
        conductAccessTokenRequest(refreshTokenAlg, clientAccessTokenAlg, realmAlg);
    }

    /**
     * Token request with both the client's access tokens and the realm default set to PS256;
     * the refresh token header is expected to name HS256.
     */
    @Test
    public void accessTokenRequest_ClientPS256_RealmPS256() throws Exception {
        final String refreshTokenAlg = "HS256";
        final String clientAccessTokenAlg = "PS256";
        final String realmAlg = "PS256";
        conductAccessTokenRequest(refreshTokenAlg, clientAccessTokenAlg, realmAlg);
    }

    /**
     * Token request with the client's access tokens signed with PS512 and the realm default
     * set to PS256; the refresh token header is expected to name HS256.
     */
    @Test
    public void accessTokenRequest_ClientPS512_RealmPS256() throws Exception {
        final String refreshTokenAlg = "HS256";
        final String clientAccessTokenAlg = "PS512";
        final String realmAlg = "PS256";
        conductAccessTokenRequest(refreshTokenAlg, clientAccessTokenAlg, realmAlg);
    }

    /**
     * Token request with the client's access tokens signed with RS384 and the realm default
     * set to RS256; the refresh token header is expected to name HS256.
     */
    @Test
    public void accessTokenRequest_ClientRS384_RealmRS256() throws Exception {
        final String refreshTokenAlg = "HS256";
        final String clientAccessTokenAlg = "RS384";
        final String realmAlg = "RS256";
        conductAccessTokenRequest(refreshTokenAlg, clientAccessTokenAlg, realmAlg);
    }

    /**
     * Token request with both the client's access tokens and the realm default set to RS512;
     * the refresh token header is expected to name HS256.
     */
    @Test
    public void accessTokenRequest_ClientRS512_RealmRS512() throws Exception {
        final String refreshTokenAlg = "HS256";
        final String clientAccessTokenAlg = "RS512";
        final String realmAlg = "RS512";
        conductAccessTokenRequest(refreshTokenAlg, clientAccessTokenAlg, realmAlg);
    }

    /**
     * Token request with the client's access tokens signed with ES256 and the realm default
     * set to PS256; the refresh token header is expected to name HS256.
     */
    @Test
    public void accessTokenRequest_ClientES256_RealmPS256() throws Exception {
        final String refreshTokenAlg = "HS256";
        final String clientAccessTokenAlg = "ES256";
        final String realmAlg = "PS256";
        conductAccessTokenRequest(refreshTokenAlg, clientAccessTokenAlg, realmAlg);
    }

    /**
     * Token request with both the client's access tokens and the realm default set to ES384;
     * the refresh token header is expected to name HS256.
     */
    @Test
    public void accessTokenRequest_ClientES384_RealmES384() throws Exception {
        final String refreshTokenAlg = "HS256";
        final String clientAccessTokenAlg = "ES384";
        final String realmAlg = "ES384";
        conductAccessTokenRequest(refreshTokenAlg, clientAccessTokenAlg, realmAlg);
    }

    /**
     * Token request with the client's access tokens signed with ES512 and the realm default
     * set to RS256; the refresh token header is expected to name HS256.
     */
    @Test
    public void accessTokenRequest_ClientES512_RealmRS256() throws Exception {
        final String refreshTokenAlg = "HS256";
        final String clientAccessTokenAlg = "ES512";
        final String realmAlg = "RS256";
        conductAccessTokenRequest(refreshTokenAlg, clientAccessTokenAlg, realmAlg);
    }

    /**
     * Runs the ECDSA signature length check for ES256, ES384 and ES512, in that order.
     */
    @Test
    public void validateECDSASignatures() {
        for (String ecdsaAlg : new String[] {"ES256", "ES384", "ES512"}) {
            validateTokenECDSASignature(ecdsaAlg);
        }
    }

    /**
     * Switches the realm and the default test client to the given ECDSA algorithm, checks the
     * length of the resulting access token signature, and switches both back to RS256.
     *
     * @param str name of an {@code ECDSASignatureProvider.ECDSA} constant, e.g. {@code "ES256"}
     */
    private void validateTokenECDSASignature(String str) {
        ECDSASignatureProvider.ECDSA ecdsaAlg = ECDSASignatureProvider.ECDSA.valueOf(str);
        Assert.assertThat(ECDSASignatureProvider.ECDSA.values(), IsArrayContaining.hasItemInArray(ecdsaAlg));
        try {
            TokenSignatureUtil.changeRealmTokenSignatureProvider(this.adminClient, str);
            ClientResource client = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            TokenSignatureUtil.changeClientAccessTokenSignatureProvider(client, str);
            int expectedSignatureLength = ecdsaAlg.getSignatureLength();
            validateTokenSignatureLength(expectedSignatureLength);
        } finally {
            // Always return to RS256 so later tests see the usual signing configuration.
            TokenSignatureUtil.changeRealmTokenSignatureProvider(this.adminClient, "RS256");
            ClientResource restoredClient = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
            TokenSignatureUtil.changeClientAccessTokenSignatureProvider(restoredClient, "RS256");
        }
    }

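    /**
     * Logs in, obtains an access token, verifies it, and asserts that its decoded JWS signature
     * has exactly the given number of bytes; then logs out.
     *
     * <p>JWS encodes an ECDSA signature as the fixed-length concatenation of R and S
     * (RFC 7518 section 3.4), so the signature length is a property of the algorithm. A
     * different length would point to another encoding, such as DER.
     *
     * @param i expected signature length in bytes
     */
    private void validateTokenSignatureLength(int i) {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        String code = (String) this.oauth.getCurrentQuery().get("code");
        // Keep the encoded token in a local; the original listing referenced an undefined
        // temporary when splitting it.
        String encodedAccessToken = this.oauth.doAccessTokenRequest(code, "password").getAccessToken();
        this.oauth.verifyToken(encodedAccessToken);
        // Compact JWS layout is header.payload.signature; the third part is the signature.
        String encodedSignature = encodedAccessToken.split("\\.", 3)[2];
        Assert.assertEquals(i, Base64Url.decode(encodedSignature).length);
        this.oauth.openLogout();
    }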

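    /**
     * Configures the signature algorithms, runs {@code tokenRequest}, and restores RS256 for
     * both the realm and the default test client afterwards.
     *
     * @param str algorithm expected in the refresh token header
     * @param str2 algorithm set for the client's access tokens and expected in their header
     * @param str3 algorithm set as the realm default and expected in the ID token header
     * @throws Exception if the configuration change or the token request fails
     */
    private void conductAccessTokenRequest(String str, String str2, String str3) throws Exception {
        try {
            TokenSignatureUtil.changeRealmTokenSignatureProvider(this.adminClient, str3);
            TokenSignatureUtil.changeClientAccessTokenSignatureProvider(ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID), str2);
            tokenRequest(str, str2, str3);
        } finally {
            // Always return to RS256 so later tests see the usual signing configuration.
            TokenSignatureUtil.changeRealmTokenSignatureProvider(this.adminClient, "RS256");
            TokenSignatureUtil.changeClientAccessTokenSignatureProvider(ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID), "RS256");
        }
    }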

    /**
     * Performs a login and code exchange, then checks the JWS headers of the access, ID and
     * refresh tokens and the identity claims of the access token.
     *
     * <p>Each token header must name the expected algorithm, have type {@code JWT} and carry no
     * content type. The access token subject must be the user's id and not the username, and
     * its session state must match the login event's session.
     *
     * @param str algorithm expected in the refresh token header
     * @param str2 algorithm expected in the access token header
     * @param str3 algorithm expected in the ID token header
     * @throws Exception if the login, the token request or token parsing fails
     */
    private void tokenRequest(String str, String str2, String str3) throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        EventRepresentation loginEvent = this.events.expectLogin().assertEvent();
        String sessionId = loginEvent.getSessionId();
        String codeId = (String) loginEvent.getDetails().get("code_id");
        String code = (String) this.oauth.getCurrentQuery().get("code");
        OAuthClient.AccessTokenResponse tokenResponse = this.oauth.doAccessTokenRequest(code, "password");
        Assert.assertEquals(200L, tokenResponse.getStatusCode());
        Assert.assertEquals("Bearer", tokenResponse.getTokenType());

        // Access token header.
        JWSHeader accessHeader = new JWSInput(tokenResponse.getAccessToken()).getHeader();
        Assert.assertEquals(str2, accessHeader.getAlgorithm().name());
        Assert.assertEquals("JWT", accessHeader.getType());
        Assert.assertNull(accessHeader.getContentType());

        // ID token header.
        JWSHeader idHeader = new JWSInput(tokenResponse.getIdToken()).getHeader();
        Assert.assertEquals(str3, idHeader.getAlgorithm().name());
        Assert.assertEquals("JWT", idHeader.getType());
        Assert.assertNull(idHeader.getContentType());

        // Refresh token header.
        JWSHeader refreshHeader = new JWSInput(tokenResponse.getRefreshToken()).getHeader();
        Assert.assertEquals(str, refreshHeader.getAlgorithm().name());
        Assert.assertEquals("JWT", refreshHeader.getType());
        Assert.assertNull(refreshHeader.getContentType());

        // Identity claims of the verified access token.
        AccessToken verifiedToken = this.oauth.verifyToken(tokenResponse.getAccessToken());
        Assert.assertEquals(ApiUtil.findUserByUsername(this.adminClient.realm("test"), AssertEvents.DEFAULT_USERNAME).getId(), verifiedToken.getSubject());
        Assert.assertNotEquals(AssertEvents.DEFAULT_USERNAME, verifiedToken.getSubject());
        Assert.assertEquals(sessionId, verifiedToken.getSessionState());

        // The code-to-token event must reference the ids of the tokens that were issued.
        EventRepresentation codeToTokenEvent = this.events.expectCodeToToken(codeId, sessionId).assertEvent();
        Assert.assertEquals(verifiedToken.getId(), codeToTokenEvent.getDetails().get("token_id"));
        Assert.assertEquals(this.oauth.parseRefreshToken(tokenResponse.getRefreshToken()).getId(), codeToTokenEvent.getDetails().get("refresh_token_id"));
        Assert.assertEquals(sessionId, verifiedToken.getSessionState());
    }

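    /**
     * Checks that the token endpoint rejects a request in which a parameter appears twice.
     *
     * <p>The form carries {@code client_id} two times with different values. RFC 6749
     * section 3.2 forbids repeated request parameters; accepting them would leave it ambiguous
     * which value is authenticated and which is acted upon. The expected answer is HTTP 400
     * with {@code invalid_request} and the description {@code duplicated parameter}.
     *
     * @throws Exception if the login or the HTTP exchange fails
     */
    @Test
    public void tokenRequestParamsMoreThanOnce() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        String code = (String) this.oauth.getCurrentQuery().get("code");
        // try-with-resources closes the HTTP client on success and on failure alike.
        try (CloseableHttpClient httpClient = HttpClientBuilder.create().build()) {
            HttpPost tokenPost = new HttpPost(this.oauth.getAccessTokenUrl());
            List<BasicNameValuePair> params = new LinkedList<>();
            params.add(new BasicNameValuePair("grant_type", "authorization_code"));
            params.add(new BasicNameValuePair("code", code));
            params.add(new BasicNameValuePair("redirect_uri", this.oauth.getRedirectUri()));
            params.add(new BasicNameValuePair("client_id", this.oauth.getClientId()));
            // Second, conflicting client_id: this is the duplicate under test.
            params.add(new BasicNameValuePair("client_id", "foo"));
            tokenPost.setHeader("Authorization", BasicAuthHelper.createHeader("client_id", "password"));
            tokenPost.setEntity(new UrlEncodedFormEntity(params, "UTF-8"));
            OAuthClient.AccessTokenResponse tokenResponse = new OAuthClient.AccessTokenResponse(httpClient.execute(tokenPost));
            Assert.assertEquals(400L, tokenResponse.getStatusCode());
            Assert.assertEquals("invalid_request", tokenResponse.getError());
            Assert.assertEquals("duplicated parameter", tokenResponse.getErrorDescription());
        }
    }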
}
