package org.keycloak.testsuite.oauth;

import java.io.IOException;
import java.io.OutputStream;
import java.io.UnsupportedEncodingException;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import javax.ws.rs.core.Response;
import org.apache.commons.io.output.ByteArrayOutputStream;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.message.BasicNameValuePair;
import org.jboss.arquillian.graphene.page.Page;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.UserResource;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.OAuth2ErrorRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.representations.idm.UserSessionRepresentation;
import org.keycloak.representations.oidc.TokenMetadataRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.AbstractAdminTest;
import org.keycloak.testsuite.pages.LoginPage;
import org.keycloak.testsuite.util.ClientManager;
import org.keycloak.testsuite.util.Matchers;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.util.JsonSerialization;

/* loaded from: input_file:org/keycloak/testsuite/oauth/TokenRevocationTest.class */
public class TokenRevocationTest extends AbstractKeycloakTest {
    private RealmResource realm;

    @Rule
    public AssertEvents events = new AssertEvents(this);

    @Page
    protected LoginPage loginPage;

    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void beforeAbstractKeycloakTest() throws Exception {
        super.beforeAbstractKeycloakTest();
    }

    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void addTestRealms(List<RealmRepresentation> list) {
        list.add(RealmBuilder.edit((RealmRepresentation) AbstractAdminTest.loadJson(getClass().getResourceAsStream("/testrealm.json"), RealmRepresentation.class)).testEventListener().build());
    }

    @Before
    public void clientConfiguration() {
        this.realm = this.adminClient.realm("test");
        ClientManager.realm(this.realm).clientId(AssertEvents.DEFAULT_CLIENT_ID).directAccessGrant(true);
        ClientManager.realm(this.realm).clientId("test-app-scope").directAccessGrant(true);
    }

    @Test
    public void testRevokeToken() throws Exception {
        this.oauth.clientSessionState("client-session");
        OAuthClient.AccessTokenResponse login = login(AssertEvents.DEFAULT_CLIENT_ID, AssertEvents.DEFAULT_USERNAME, "password");
        OAuthClient.AccessTokenResponse login2 = login("test-app-scope", AssertEvents.DEFAULT_USERNAME, "password");
        UserResource userResource = this.realm.users().get(((UserRepresentation) this.realm.users().search(AssertEvents.DEFAULT_USERNAME).get(0)).getId());
        List userSessions = userResource.getUserSessions();
        Assert.assertEquals(1L, userSessions.size());
        Map clients = ((UserSessionRepresentation) userSessions.get(0)).getClients();
        Assert.assertEquals(AssertEvents.DEFAULT_CLIENT_ID, clients.get(((ClientRepresentation) this.realm.clients().findByClientId(AssertEvents.DEFAULT_CLIENT_ID).get(0)).getId()));
        Assert.assertEquals("test-app-scope", clients.get(((ClientRepresentation) this.realm.clients().findByClientId("test-app-scope").get(0)).getId()));
        isTokenEnabled(login, AssertEvents.DEFAULT_CLIENT_ID);
        isTokenEnabled(login2, "test-app-scope");
        this.oauth.clientId(AssertEvents.DEFAULT_CLIENT_ID);
        Assert.assertThat(this.oauth.doTokenRevoke(login.getRefreshToken(), "refresh_token", "password"), Matchers.statusCodeIsHC(Response.Status.OK));
        List userSessions2 = userResource.getUserSessions();
        Assert.assertEquals(1L, userSessions2.size());
        Map clients2 = ((UserSessionRepresentation) userSessions2.get(0)).getClients();
        Assert.assertNull(clients2.get(((ClientRepresentation) this.realm.clients().findByClientId(AssertEvents.DEFAULT_CLIENT_ID).get(0)).getId()));
        Assert.assertEquals("test-app-scope", clients2.get(((ClientRepresentation) this.realm.clients().findByClientId("test-app-scope").get(0)).getId()));
        isTokenDisabled(login, AssertEvents.DEFAULT_CLIENT_ID);
        isTokenEnabled(login2, "test-app-scope");
        Assert.assertThat(this.oauth.doTokenRevoke(login2.getRefreshToken(), "refresh_token", "password"), Matchers.statusCodeIsHC(Response.Status.OK));
        Assert.assertEquals(0L, userResource.getUserSessions().size());
    }

    @Test
    public void testRevokeAccessToken() throws Exception {
        this.oauth.clientId(AssertEvents.DEFAULT_CLIENT_ID);
        OAuthClient.AccessTokenResponse doGrantAccessTokenRequest = this.oauth.doGrantAccessTokenRequest("password", AssertEvents.DEFAULT_USERNAME, "password");
        isTokenEnabled(doGrantAccessTokenRequest, AssertEvents.DEFAULT_CLIENT_ID);
        Assert.assertThat(this.oauth.doTokenRevoke(doGrantAccessTokenRequest.getAccessToken(), "access_token", "password"), Matchers.statusCodeIsHC(Response.Status.OK));
        isAccessTokenDisabled(doGrantAccessTokenRequest.getAccessToken(), AssertEvents.DEFAULT_CLIENT_ID);
    }

    @Test
    public void testRevokeOfflineToken() throws Exception {
        this.oauth.scope("offline_access");
        this.oauth.clientId(AssertEvents.DEFAULT_CLIENT_ID);
        OAuthClient.AccessTokenResponse doGrantAccessTokenRequest = this.oauth.doGrantAccessTokenRequest("password", AssertEvents.DEFAULT_USERNAME, "password");
        isTokenEnabled(doGrantAccessTokenRequest, AssertEvents.DEFAULT_CLIENT_ID);
        Assert.assertThat(this.oauth.doTokenRevoke(doGrantAccessTokenRequest.getRefreshToken(), "refresh_token", "password"), Matchers.statusCodeIsHC(Response.Status.OK));
        isTokenDisabled(doGrantAccessTokenRequest, AssertEvents.DEFAULT_CLIENT_ID);
    }

    @Test
    public void testTokenTypeHint() throws Exception {
        this.oauth.clientId(AssertEvents.DEFAULT_CLIENT_ID);
        OAuthClient.AccessTokenResponse doGrantAccessTokenRequest = this.oauth.doGrantAccessTokenRequest("password", AssertEvents.DEFAULT_USERNAME, "password");
        isTokenEnabled(doGrantAccessTokenRequest, AssertEvents.DEFAULT_CLIENT_ID);
        Assert.assertThat(this.oauth.doTokenRevoke(doGrantAccessTokenRequest.getRefreshToken(), "access_token", "password"), Matchers.statusCodeIsHC(Response.Status.OK));
        isTokenDisabled(doGrantAccessTokenRequest, AssertEvents.DEFAULT_CLIENT_ID);
        this.oauth.clientId(AssertEvents.DEFAULT_CLIENT_ID);
        OAuthClient.AccessTokenResponse doGrantAccessTokenRequest2 = this.oauth.doGrantAccessTokenRequest("password", AssertEvents.DEFAULT_USERNAME, "password");
        isTokenEnabled(doGrantAccessTokenRequest2, AssertEvents.DEFAULT_CLIENT_ID);
        Assert.assertThat(this.oauth.doTokenRevoke(doGrantAccessTokenRequest2.getRefreshToken(), "invalid_token_type_hint", "password"), Matchers.statusCodeIsHC(Response.Status.OK));
        isTokenDisabled(doGrantAccessTokenRequest2, AssertEvents.DEFAULT_CLIENT_ID);
    }

    @Test
    public void testRevokeTokenFromDifferentClient() throws Exception {
        this.oauth.clientId(AssertEvents.DEFAULT_CLIENT_ID);
        OAuthClient.AccessTokenResponse doGrantAccessTokenRequest = this.oauth.doGrantAccessTokenRequest("password", AssertEvents.DEFAULT_USERNAME, "password");
        isTokenEnabled(doGrantAccessTokenRequest, AssertEvents.DEFAULT_CLIENT_ID);
        this.oauth.clientId("test-app-scope");
        Assert.assertThat(this.oauth.doTokenRevoke(doGrantAccessTokenRequest.getRefreshToken(), "refresh_token", "password"), Matchers.statusCodeIsHC(Response.Status.BAD_REQUEST));
        isTokenEnabled(doGrantAccessTokenRequest, AssertEvents.DEFAULT_CLIENT_ID);
    }

    @Test
    public void testRevokeAlreadyRevokedToken() throws Exception {
        this.oauth.clientId(AssertEvents.DEFAULT_CLIENT_ID);
        OAuthClient.AccessTokenResponse doGrantAccessTokenRequest = this.oauth.doGrantAccessTokenRequest("password", AssertEvents.DEFAULT_USERNAME, "password");
        isTokenEnabled(doGrantAccessTokenRequest, AssertEvents.DEFAULT_CLIENT_ID);
        this.oauth.doLogout(doGrantAccessTokenRequest.getRefreshToken(), "password");
        isTokenDisabled(doGrantAccessTokenRequest, AssertEvents.DEFAULT_CLIENT_ID);
        Assert.assertThat(this.oauth.doTokenRevoke(doGrantAccessTokenRequest.getRefreshToken(), "refresh_token", "password"), Matchers.statusCodeIsHC(Response.Status.OK));
        isTokenDisabled(doGrantAccessTokenRequest, AssertEvents.DEFAULT_CLIENT_ID);
    }

    @Test
    public void testRevokeRequestParamsMoreThanOnce() throws Exception {
        this.oauth.clientId(AssertEvents.DEFAULT_CLIENT_ID);
        OAuthClient.AccessTokenResponse doGrantAccessTokenRequest = this.oauth.doGrantAccessTokenRequest("password", AssertEvents.DEFAULT_USERNAME, "password");
        isTokenEnabled(doGrantAccessTokenRequest, AssertEvents.DEFAULT_CLIENT_ID);
        OAuth2ErrorRepresentation oAuth2ErrorRepresentation = (OAuth2ErrorRepresentation) JsonSerialization.readValue(doTokenRevokeWithDuplicateParams(doGrantAccessTokenRequest.getRefreshToken(), "refresh_token", "password"), OAuth2ErrorRepresentation.class);
        Assert.assertEquals("duplicated parameter", oAuth2ErrorRepresentation.getErrorDescription());
        Assert.assertEquals("invalid_request", oAuth2ErrorRepresentation.getError());
    }

    private OAuthClient.AccessTokenResponse login(String str, String str2, String str3) {
        this.oauth.clientId(str);
        this.oauth.openLoginForm();
        if (this.loginPage.isCurrent()) {
            this.loginPage.login(str2, str3);
        }
        return this.oauth.doAccessTokenRequest(new OAuthClient.AuthorizationEndpointResponse(this.oauth).getCode(), "password");
    }

    private void isTokenEnabled(OAuthClient.AccessTokenResponse accessTokenResponse, String str) throws IOException {
        Assert.assertTrue(((TokenMetadataRepresentation) JsonSerialization.readValue(this.oauth.introspectAccessTokenWithClientCredential(str, "password", accessTokenResponse.getAccessToken()), TokenMetadataRepresentation.class)).isActive());
        this.oauth.clientId(str);
        Assert.assertEquals(Response.Status.OK.getStatusCode(), this.oauth.doRefreshTokenRequest(accessTokenResponse.getRefreshToken(), "password").getStatusCode());
    }

    private void isTokenDisabled(OAuthClient.AccessTokenResponse accessTokenResponse, String str) throws IOException {
        isAccessTokenDisabled(accessTokenResponse.getAccessToken(), str);
        this.oauth.clientId(str);
        Assert.assertEquals(Response.Status.BAD_REQUEST.getStatusCode(), this.oauth.doRefreshTokenRequest(accessTokenResponse.getRefreshToken(), "password").getStatusCode());
    }

    private void isAccessTokenDisabled(String str, String str2) throws IOException {
        Assert.assertFalse(((TokenMetadataRepresentation) JsonSerialization.readValue(this.oauth.introspectAccessTokenWithClientCredential(str2, "password", str), TokenMetadataRepresentation.class)).isActive());
    }

    private String doTokenRevokeWithDuplicateParams(String str, String str2, String str3) throws IOException {
        CloseableHttpClient build = HttpClientBuilder.create().build();
        Throwable th = null;
        try {
            HttpPost httpPost = new HttpPost(this.oauth.getTokenRevocationUrl());
            LinkedList linkedList = new LinkedList();
            linkedList.add(new BasicNameValuePair("token", str));
            linkedList.add(new BasicNameValuePair("token", "foo"));
            linkedList.add(new BasicNameValuePair("token_type_hint", str2));
            linkedList.add(new BasicNameValuePair("client_id", this.oauth.getClientId()));
            linkedList.add(new BasicNameValuePair("client_secret", str3));
            try {
                httpPost.setEntity(new UrlEncodedFormEntity(linkedList, "UTF-8"));
                OutputStream byteArrayOutputStream = new ByteArrayOutputStream();
                build.execute(httpPost).getEntity().writeTo(byteArrayOutputStream);
                String str4 = new String(byteArrayOutputStream.toByteArray());
                if (build != null) {
                    if (0 != 0) {
                        try {
                            build.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        build.close();
                    }
                }
                return str4;
            } catch (UnsupportedEncodingException e) {
                throw new RuntimeException(e);
            }
        } catch (Throwable th3) {
            if (build != null) {
                if (0 != 0) {
                    try {
                        build.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    build.close();
                }
            }
            throw th3;
        }
    }
}
