package org.keycloak.testsuite.broker;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.URI;
import java.security.PrivateKey;
import java.util.List;
import java.util.Properties;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.hamcrest.Matchers;
import org.jboss.arquillian.graphene.page.Page;
import org.junit.Before;
import org.junit.Test;
import org.keycloak.admin.client.resource.ClientsResource;
import org.keycloak.admin.client.resource.IdentityProviderResource;
import org.keycloak.admin.client.resource.UsersResource;
import org.keycloak.common.util.StreamUtil;
import org.keycloak.common.util.StringPropertyReplacer;
import org.keycloak.dom.saml.v2.assertion.AssertionType;
import org.keycloak.dom.saml.v2.assertion.AttributeStatementType;
import org.keycloak.dom.saml.v2.assertion.AttributeType;
import org.keycloak.dom.saml.v2.assertion.AudienceRestrictionType;
import org.keycloak.dom.saml.v2.assertion.NameIDType;
import org.keycloak.dom.saml.v2.protocol.ResponseType;
import org.keycloak.protocol.saml.SamlPrincipalType;
import org.keycloak.representations.idm.FederatedIdentityRepresentation;
import org.keycloak.representations.idm.IdentityProviderRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.representations.idm.UserSessionRepresentation;
import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder;
import org.keycloak.saml.processing.core.saml.v2.constants.X500SAMLProfileConstants;
import org.keycloak.saml.processing.core.saml.v2.util.AssertionUtil;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.Assert;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.oauth.BackchannelLogoutTest;
import org.keycloak.testsuite.pages.LoginPage;
import org.keycloak.testsuite.pages.PageUtils;
import org.keycloak.testsuite.pages.UpdateAccountInformationPage;
import org.keycloak.testsuite.util.SamlClient;
import org.keycloak.testsuite.util.SamlClientBuilder;
import org.keycloak.testsuite.utils.io.IOUtil;
import org.openqa.selenium.By;
import org.openqa.selenium.support.ui.WebDriverWait;

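/**
 * Exercises SAML IdP-initiated SSO across a brokered setup: realm {@code provider} acts as the SAML
 * identity provider and realm {@code consumer} brokers it through the {@code saml-leaf} identity
 * provider before handing the user on to the final application.
 *
 * <p>An IdP-initiated response is unsolicited, so there is no request ID to correlate it with. The
 * {@code Destination} and {@code AudienceRestriction} assertions made at every hop below are therefore
 * what show that each response is addressed to the endpoint that is expected to consume it.
 *
 * <p>Several tests rewrite the SAML response between the provider and the broker via
 * {@code transformObject}. NOTE(review): this presumably relies on the fixture realm not enforcing
 * signature validation for {@code saml-leaf}; confirm in {@code kc3731-broker-realm.json} and keep
 * that setting confined to test fixtures.
 */
@AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
public class KcSamlIdPInitiatedSsoTest extends AbstractKeycloakTest {
    // Fixture-only credentials of the user defined in the provider realm.
    private static final String PROVIDER_REALM_USER_NAME = "test";
    private static final String PROVIDER_REALM_USER_PASSWORD = "test";
    // Username picked on the consumer realm's "update account information" step.
    private static final String CONSUMER_CHOSEN_USERNAME = "mytest";

    @Page
    protected LoginPage accountLoginPage;

    @Page
    protected UpdateAccountInformationPage updateAccountInformationPage;
    private String urlRealmConsumer2;
    private String urlRealmConsumer;
    private String urlRealmProvider;

    /**
     * Returns the context root of the auth server under test, as a string.
     */
    protected String getAuthRoot() {
        return this.suiteContext.getAuthServerInfo().getContextRoot().toString();
    }

    /**
     * Loads a realm template from the classpath, substitutes the given properties into it and parses
     * the result into a realm representation.
     *
     * @param resourceName classpath resource, resolved relative to this class
     * @param properties   values substituted into the template's placeholders
     * @return the parsed realm
     * @throws IllegalStateException if the resource is not on the classpath
     * @throws RuntimeException      wrapping any {@link IOException} raised while reading
     */
    private RealmRepresentation loadFromClasspath(String resourceName, Properties properties) {
        // try-with-resources: the decompiled code never closed the resource stream.
        try (java.io.InputStream template = KcSamlIdPInitiatedSsoTest.class.getResourceAsStream(resourceName)) {
            if (template == null) {
                // Fail with the resource name instead of an anonymous NullPointerException further down.
                throw new IllegalStateException("Realm template not found on classpath: " + resourceName);
            }
            String realmJson = StringPropertyReplacer.replaceProperties(StreamUtil.readString(template), properties);
            return IOUtil.loadRealm(new ByteArrayInputStream(realmJson.getBytes(java.nio.charset.StandardCharsets.UTF_8)));
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Deletes every consumer-realm user matching {@link #CONSUMER_CHOSEN_USERNAME} so each test starts
     * without a previously brokered account.
     */
    @Before
    public void cleanupTestUserInConsumerRealm() {
        UsersResource users = this.adminClient.realm("consumer").users();
        for (UserRepresentation user : users.search(CONSUMER_CHOSEN_USERNAME)) {
            // delete() hands back a response object that must be closed to release the connection.
            users.delete(user.getId()).close();
        }
    }

    /**
     * Derives the three realm base URLs from the auth server root.
     */
    @Before
    public void initRealmUrls() {
        this.urlRealmProvider = getAuthRoot() + "/auth/realms/provider";
        this.urlRealmConsumer = getAuthRoot() + "/auth/realms/consumer";
        this.urlRealmConsumer2 = getAuthRoot() + "/auth/realms/consumer-2";
    }

    /**
     * Restores the {@code saml-leaf} broker configuration to persistent NameID / subject-based
     * principal, undoing the changes that individual tests make to it.
     */
    @Before
    public void resetPrincipalType() {
        IdentityProviderResource identityProviderResource = this.adminClient.realm("consumer").identityProviders().get("saml-leaf");
        IdentityProviderRepresentation representation = identityProviderResource.toRepresentation();
        representation.getConfig().put("nameIDPolicyFormat", JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get());
        representation.getConfig().put("principalType", SamlPrincipalType.SUBJECT.name());
        identityProviderResource.update(representation);
    }

    /**
     * Registers the provider and broker realms, with realm names and URLs substituted into the JSON
     * templates.
     *
     * @param list collection the realms are appended to
     */
    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void addTestRealms(List<RealmRepresentation> list) {
        // The URL fields are needed here, possibly before any @Before method has run.
        initRealmUrls();
        Properties properties = new Properties();
        properties.put("name.realm.provider", "provider");
        properties.put("name.realm.consumer", "consumer");
        properties.put("url.realm.provider", this.urlRealmProvider);
        properties.put("url.realm.consumer", this.urlRealmConsumer);
        properties.put("url.realm.consumer-2", this.urlRealmConsumer2);
        list.add(loadFromClasspath("kc3731-provider-realm.json", properties));
        list.add(loadFromClasspath("kc3731-broker-realm.json", properties));
    }

    /**
     * Browser-driven flow: starts at the provider's IdP-initiated URL, logs in there, completes the
     * account update on the consumer realm and checks that the brokered user was created.
     */
    @Test
    public void testProviderIdpInitiatedLogin() throws Exception {
        this.driver.navigate().to(getSamlIdpInitiatedUrl("provider", "samlbroker"));
        waitForPage("sign in to", true);
        Assert.assertThat("Driver should be on the provider realm page right now", this.driver.getCurrentUrl(), Matchers.containsString("/auth/realms/provider/"));
        this.log.debug("Logging in");
        this.accountLoginPage.login(PROVIDER_REALM_USER_NAME, PROVIDER_REALM_USER_PASSWORD);
        waitForPage("update account information", false);
        Assert.assertTrue(this.updateAccountInformationPage.isCurrent());
        Assert.assertThat("We must be on consumer realm right now", this.driver.getCurrentUrl(), Matchers.containsString("/auth/realms/consumer/"));
        this.log.debug("Updating info on updateAccount page");
        this.updateAccountInformationPage.updateAccountInformation(CONSUMER_CHOSEN_USERNAME, "test@localhost", "Firstname", "Lastname");

        UsersResource users = this.adminClient.realm("consumer").users();
        int userCount = users.count().intValue();
        Assert.assertTrue("There must be at least one user", userCount > 0);
        // Constant-first equals: other users in the realm may have no e-mail set.
        boolean brokeredUserExists = users.search("", 0, userCount).stream()
                .anyMatch(user -> CONSUMER_CHOSEN_USERNAME.equals(user.getUsername()) && "test@localhost".equals(user.getEmail()));
        Assert.assertTrue("There must be user mytest in realm consumer", brokeredUserExists);
        Assert.assertThat(this.driver.findElement(By.tagName("a")).getAttribute("id"), Matchers.containsString(BackchannelLogoutTest.ACCOUNT_CLIENT_NAME));
    }

    /**
     * Builds the IdP-initiated SSO URL of a SAML client inside a realm.
     */
    private String getSamlIdpInitiatedUrl(String realmName, String samlIdpInitiatedSsoUrlName) {
        return getAuthRoot() + "/auth/realms/" + realmName + "/protocol/saml/clients/" + samlIdpInitiatedSsoUrlName;
    }

    /**
     * Builds the {@code saml-leaf} broker endpoint URL that targets a specific client of the realm.
     */
    private String getSamlBrokerIdpInitiatedUrl(String realmName, String samlIdpInitiatedSsoUrlName) {
        return getAuthRoot() + "/auth/realms/" + realmName + "/broker/saml-leaf/endpoint/clients/" + samlIdpInitiatedSsoUrlName;
    }

    /**
     * Builds the generic {@code saml-leaf} broker endpoint URL of the realm.
     */
    private String getSamlBrokerUrl(String realmName) {
        return getAuthRoot() + "/auth/realms/" + realmName + "/broker/saml-leaf/endpoint";
    }

    /**
     * Waits up to five seconds for a page whose title contains the given lower-case text.
     *
     * @param title     lower-case fragment expected in the title
     * @param htmlTitle {@code true} to read the browser title, {@code false} to read the title through
     *                  {@link PageUtils#getPageTitle}
     */
    private void waitForPage(String title, boolean htmlTitle) {
        new WebDriverWait(this.driver, 5L).until(webDriver -> {
            String current = htmlTitle ? webDriver.getTitle() : PageUtils.getPageTitle(webDriver);
            return Boolean.valueOf(current.toLowerCase().contains(title));
        });
    }

    /**
     * Asserts that the first condition of the response's assertion is an audience restriction naming
     * exactly the expected audience.
     *
     * @param responseType     response to inspect
     * @param expectedAudience the only audience URI that may be present
     */
    private void assertAudience(ResponseType responseType, String expectedAudience) throws Exception {
        // No document holder and no private key are supplied to the lookup.
        AssertionType assertion = AssertionUtil.getAssertion((SAMLDocumentHolder) null, responseType, (PrivateKey) null);
        org.junit.Assert.assertThat(assertion, Matchers.notNullValue());
        org.junit.Assert.assertThat(assertion.getConditions(), Matchers.notNullValue());
        org.junit.Assert.assertThat(assertion.getConditions().getConditions(), Matchers.notNullValue());
        org.junit.Assert.assertThat(assertion.getConditions().getConditions(), Matchers.hasSize(Matchers.greaterThan(0)));
        org.junit.Assert.assertThat(assertion.getConditions().getConditions().get(0), Matchers.instanceOf(AudienceRestrictionType.class));
        AudienceRestrictionType audienceRestriction = (AudienceRestrictionType) assertion.getConditions().getConditions().get(0);
        org.junit.Assert.assertThat(audienceRestriction.getAudience(), Matchers.contains(URI.create(expectedAudience)));
    }

    /**
     * Adds a UID attribute with the given value to the first assertion of the response, reusing the
     * assertion's attribute statement when it has one.
     */
    private void addUidAttribute(ResponseType response, String uid) {
        AssertionType assertion = response.getAssertions().get(0).getAssertion();
        AttributeStatementType uidStatement = (AttributeStatementType) assertion.getStatements().stream()
                .filter(statement -> statement instanceof AttributeStatementType)
                .findFirst()
                .orElse(new AttributeStatementType());
        AttributeType uidAttribute = new AttributeType(X500SAMLProfileConstants.UID.get());
        uidAttribute.addAttributeValue(uid);
        uidStatement.addAttribute(new AttributeStatementType.ASTChoiceType(uidAttribute));
        assertion.addStatement(uidStatement);
    }

    /**
     * Sets a transient-format NameID with the given value on the subject of the response's first
     * assertion.
     */
    private void useTransientNameId(ResponseType response, String subjectId) {
        NameIDType nameId = new NameIDType();
        nameId.setFormat(URI.create(JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get()));
        nameId.setValue(subjectId);
        response.getAssertions().get(0).getAssertion().getSubject().getSubType().addBaseID(nameId);
    }

    /**
     * Provider-initiated login that ends at the {@code sales} application: checks destination and
     * audience on the provider-to-broker hop and on the broker-to-application hop.
     */
    @Test
    public void testProviderIdpInitiatedLoginToApp() throws Exception {
        String brokerSalesEndpoint = getSamlBrokerIdpInitiatedUrl("consumer", "sales");

        SAMLDocumentHolder samlResponse = new SamlClientBuilder()
                .navigateTo(getSamlIdpInitiatedUrl("provider", "samlbroker"))
                .login().user(PROVIDER_REALM_USER_NAME, PROVIDER_REALM_USER_PASSWORD).build()
                .processSamlResponse(SamlClient.Binding.POST)
                .transformObject(samlObject -> {
                    org.junit.Assert.assertThat(samlObject, org.keycloak.testsuite.util.Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
                    ResponseType resp = (ResponseType) samlObject;
                    org.junit.Assert.assertThat(resp.getDestination(), Matchers.is(brokerSalesEndpoint));
                    assertAudience(resp, brokerSalesEndpoint);
                    return samlObject;
                })
                .build()
                .updateProfile().username(CONSUMER_CHOSEN_USERNAME).email("test@localhost").firstName("Firstname").lastName("Lastname").build()
                .followOneRedirect()
                .getSamlResponse(SamlClient.Binding.POST);

        org.junit.Assert.assertThat(samlResponse.getSamlObject(), org.keycloak.testsuite.util.Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
        ResponseType finalResponse = (ResponseType) samlResponse.getSamlObject();
        org.junit.Assert.assertThat(finalResponse.getDestination(), Matchers.is(this.urlRealmConsumer + "/app/auth"));
        assertAudience(finalResponse, this.urlRealmConsumer + "/app/auth");
    }

    /**
     * Login that starts at the consumer realm's IdP-initiated URL and is delegated to the provider
     * through {@code saml-leaf}. On this path the provider's response targets the generic broker
     * endpoint and names the consumer realm itself as audience.
     */
    @Test
    public void testConsumerIdpInitiatedLoginToApp() throws Exception {
        SAMLDocumentHolder samlResponse = new SamlClientBuilder()
                .navigateTo(getSamlIdpInitiatedUrl("consumer", "sales"))
                .login().idp("saml-leaf").build()
                .processSamlResponse(SamlClient.Binding.POST)
                .targetAttributeSamlRequest()
                .build()
                .login().user(PROVIDER_REALM_USER_NAME, PROVIDER_REALM_USER_PASSWORD).build()
                .processSamlResponse(SamlClient.Binding.POST)
                .transformObject(samlObject -> {
                    org.junit.Assert.assertThat(samlObject, org.keycloak.testsuite.util.Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
                    ResponseType resp = (ResponseType) samlObject;
                    org.junit.Assert.assertThat(resp.getDestination(), Matchers.is(getSamlBrokerUrl("consumer")));
                    assertAudience(resp, this.urlRealmConsumer);
                    return samlObject;
                })
                .build()
                .updateProfile().username(CONSUMER_CHOSEN_USERNAME).email("test@localhost").firstName("Firstname").lastName("Lastname").build()
                .followOneRedirect()
                .getSamlResponse(SamlClient.Binding.POST);

        org.junit.Assert.assertThat(samlResponse.getSamlObject(), org.keycloak.testsuite.util.Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
        ResponseType finalResponse = (ResponseType) samlResponse.getSamlObject();
        org.junit.Assert.assertThat(finalResponse.getDestination(), Matchers.is(this.urlRealmConsumer + "/app/auth"));
        assertAudience(finalResponse, this.urlRealmConsumer + "/app/auth");
    }

    /**
     * Two provider-initiated logins in a row for two different applications. The second one reuses
     * the provider SSO session, and each realm must end up with exactly one user session that covers
     * both clients.
     */
    @Test
    public void testTwoConsequentIdpInitiatedLogins() throws Exception {
        String brokerSalesEndpoint = getSamlBrokerIdpInitiatedUrl("consumer", "sales");
        String brokerSales2Endpoint = getSamlBrokerIdpInitiatedUrl("consumer", "sales2");

        SAMLDocumentHolder samlResponse = new SamlClientBuilder()
                .navigateTo(getSamlIdpInitiatedUrl("provider", "samlbroker"))
                .login().user(PROVIDER_REALM_USER_NAME, PROVIDER_REALM_USER_PASSWORD).build()
                .processSamlResponse(SamlClient.Binding.POST)
                .transformObject(samlObject -> {
                    org.junit.Assert.assertThat(samlObject, org.keycloak.testsuite.util.Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
                    ResponseType resp = (ResponseType) samlObject;
                    org.junit.Assert.assertThat(resp.getDestination(), Matchers.is(brokerSalesEndpoint));
                    assertAudience(resp, brokerSalesEndpoint);
                    return samlObject;
                })
                .build()
                .updateProfile().username(CONSUMER_CHOSEN_USERNAME).email("test@localhost").firstName("Firstname").lastName("Lastname").build()
                .followOneRedirect()
                .processSamlResponse(SamlClient.Binding.POST)
                .transformObject(samlObject -> {
                    org.junit.Assert.assertThat(samlObject, org.keycloak.testsuite.util.Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
                    ResponseType resp = (ResponseType) samlObject;
                    org.junit.Assert.assertThat(resp.getDestination(), Matchers.is(this.urlRealmConsumer + "/app/auth"));
                    assertAudience(resp, this.urlRealmConsumer + "/app/auth");
                    // NOTE(review): null presumably tells the builder not to forward this response to the app; confirm against SamlClientBuilder.
                    return null;
                })
                .build()
                .navigateTo(getSamlIdpInitiatedUrl("provider", "samlbroker-2"))
                .login().sso(true).build()
                .processSamlResponse(SamlClient.Binding.POST)
                .transformObject(samlObject -> {
                    org.junit.Assert.assertThat(samlObject, org.keycloak.testsuite.util.Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
                    ResponseType resp = (ResponseType) samlObject;
                    org.junit.Assert.assertThat(resp.getDestination(), Matchers.is(brokerSales2Endpoint));
                    assertAudience(resp, brokerSales2Endpoint);
                    return samlObject;
                })
                .build()
                .getSamlResponse(SamlClient.Binding.POST);

        org.junit.Assert.assertThat(samlResponse.getSamlObject(), org.keycloak.testsuite.util.Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
        ResponseType finalResponse = (ResponseType) samlResponse.getSamlObject();
        org.junit.Assert.assertThat(finalResponse.getDestination(), Matchers.is(this.urlRealmConsumer + "/app/auth2/saml"));
        assertAudience(finalResponse, this.urlRealmConsumer + "/app/auth2");

        assertSingleUserSession("consumer", CONSUMER_CHOSEN_USERNAME, this.urlRealmConsumer + "/app/auth", this.urlRealmConsumer + "/app/auth2");
        assertSingleUserSession("provider", PROVIDER_REALM_USER_NAME, this.urlRealmConsumer + "/broker/saml-leaf/endpoint/clients/sales", this.urlRealmConsumer + "/broker/saml-leaf/endpoint/clients/sales2");
    }

    /**
     * Switches the broker to attribute-based principal resolution (UID attribute) and checks that
     * the federated identity is keyed on that attribute's value.
     */
    @Test
    public void testProviderIdpInitiatedLoginWithPrincipalAttribute() throws Exception {
        IdentityProviderResource identityProviderResource = this.adminClient.realm("consumer").identityProviders().get("saml-leaf");
        IdentityProviderRepresentation representation = identityProviderResource.toRepresentation();
        representation.getConfig().put("principalType", SamlPrincipalType.ATTRIBUTE.name());
        representation.getConfig().put("principalAttribute", X500SAMLProfileConstants.UID.get());
        identityProviderResource.update(representation);

        String brokerSalesEndpoint = getSamlBrokerIdpInitiatedUrl("consumer", "sales");

        SAMLDocumentHolder samlResponse = new SamlClientBuilder()
                .navigateTo(getSamlIdpInitiatedUrl("provider", "samlbroker"))
                .login().user(PROVIDER_REALM_USER_NAME, PROVIDER_REALM_USER_PASSWORD).build()
                .processSamlResponse(SamlClient.Binding.POST)
                .transformObject(samlObject -> {
                    org.junit.Assert.assertThat(samlObject, org.keycloak.testsuite.util.Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
                    ResponseType resp = (ResponseType) samlObject;
                    org.junit.Assert.assertThat(resp.getDestination(), Matchers.is(brokerSalesEndpoint));
                    assertAudience(resp, brokerSalesEndpoint);
                    // The response is altered in transit so that it carries the UID attribute the broker is configured to read.
                    addUidAttribute(resp, PROVIDER_REALM_USER_NAME);
                    return samlObject;
                })
                .build()
                .updateProfile().username(CONSUMER_CHOSEN_USERNAME).email("test@localhost").firstName("Firstname").lastName("Lastname").build()
                .followOneRedirect()
                .getSamlResponse(SamlClient.Binding.POST);

        org.junit.Assert.assertThat(samlResponse.getSamlObject(), org.keycloak.testsuite.util.Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
        ResponseType finalResponse = (ResponseType) samlResponse.getSamlObject();
        org.junit.Assert.assertThat(finalResponse.getDestination(), Matchers.is(this.urlRealmConsumer + "/app/auth"));
        assertAudience(finalResponse, this.urlRealmConsumer + "/app/auth");

        UsersResource users = this.adminClient.realm("consumer").users();
        String brokeredUserId = users.search(CONSUMER_CHOSEN_USERNAME).get(0).getId();
        FederatedIdentityRepresentation federatedIdentity = users.get(brokeredUserId).getFederatedIdentity().get(0);
        org.junit.Assert.assertThat(federatedIdentity.getUserId(), Matchers.is(PROVIDER_REALM_USER_NAME));
        org.junit.Assert.assertThat(federatedIdentity.getUserName(), Matchers.is(PROVIDER_REALM_USER_NAME));
    }

    /**
     * Two provider-initiated logins whose assertions carry different transient NameIDs but the same
     * UID attribute. With attribute-based principal resolution both must resolve to a single
     * consumer user, and neither transient subject value may show up as a user.
     */
    @Test
    public void testProviderTransientIdpInitiatedLogin() throws Exception {
        IdentityProviderResource identityProviderResource = this.adminClient.realm("consumer").identityProviders().get("saml-leaf");
        IdentityProviderRepresentation representation = identityProviderResource.toRepresentation();
        representation.getConfig().put("nameIDPolicyFormat", JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get());
        representation.getConfig().put("principalType", SamlPrincipalType.ATTRIBUTE.name());
        representation.getConfig().put("principalAttribute", X500SAMLProfileConstants.UID.get());
        identityProviderResource.update(representation);

        String brokerSalesEndpoint = getSamlBrokerIdpInitiatedUrl("consumer", "sales");
        String brokerSales2Endpoint = getSamlBrokerIdpInitiatedUrl("consumer", "sales2");

        SAMLDocumentHolder samlResponse = new SamlClientBuilder()
                .navigateTo(getSamlIdpInitiatedUrl("provider", "samlbroker"))
                .login().user(PROVIDER_REALM_USER_NAME, PROVIDER_REALM_USER_PASSWORD).build()
                .processSamlResponse(SamlClient.Binding.POST)
                .transformObject(samlObject -> {
                    org.junit.Assert.assertThat(samlObject, org.keycloak.testsuite.util.Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
                    ResponseType resp = (ResponseType) samlObject;
                    org.junit.Assert.assertThat(resp.getDestination(), Matchers.is(brokerSalesEndpoint));
                    assertAudience(resp, brokerSalesEndpoint);
                    useTransientNameId(resp, "subjectId1");
                    addUidAttribute(resp, PROVIDER_REALM_USER_NAME);
                    return samlObject;
                })
                .build()
                .navigateTo(getSamlIdpInitiatedUrl("provider", "samlbroker-2"))
                .login().sso(true).build()
                .processSamlResponse(SamlClient.Binding.POST)
                .transformObject(samlObject -> {
                    org.junit.Assert.assertThat(samlObject, org.keycloak.testsuite.util.Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
                    ResponseType resp = (ResponseType) samlObject;
                    org.junit.Assert.assertThat(resp.getDestination(), Matchers.is(brokerSales2Endpoint));
                    assertAudience(resp, brokerSales2Endpoint);
                    useTransientNameId(resp, "subjectId2");
                    addUidAttribute(resp, PROVIDER_REALM_USER_NAME);
                    return samlObject;
                })
                .build()
                .updateProfile().username(CONSUMER_CHOSEN_USERNAME).email("test@localhost").firstName("Firstname").lastName("Lastname").build()
                .followOneRedirect()
                .getSamlResponse(SamlClient.Binding.POST);

        org.junit.Assert.assertThat(samlResponse.getSamlObject(), org.keycloak.testsuite.util.Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
        ResponseType finalResponse = (ResponseType) samlResponse.getSamlObject();
        org.junit.Assert.assertThat(finalResponse.getDestination(), Matchers.is(this.urlRealmConsumer + "/app/auth2/saml"));
        assertAudience(finalResponse, this.urlRealmConsumer + "/app/auth2");

        UsersResource users = this.adminClient.realm("consumer").users();
        List<UserRepresentation> brokeredUsers = users.search(CONSUMER_CHOSEN_USERNAME);
        org.junit.Assert.assertEquals(1L, brokeredUsers.size());
        FederatedIdentityRepresentation federatedIdentity = users.get(brokeredUsers.get(0).getId()).getFederatedIdentity().get(0);
        org.junit.Assert.assertThat(federatedIdentity.getUserId(), Matchers.is(PROVIDER_REALM_USER_NAME));
        org.junit.Assert.assertThat(federatedIdentity.getUserName(), Matchers.is(PROVIDER_REALM_USER_NAME));
        // The per-login transient subject values must not have been turned into accounts.
        org.junit.Assert.assertTrue(users.search("subjectId1").isEmpty());
        org.junit.Assert.assertTrue(users.search("subjectId2").isEmpty());
    }

    /**
     * Asserts that the user has exactly one session in the realm and that the session's clients are
     * exactly the expected client IDs, in any order.
     *
     * @param realmName         realm to inspect
     * @param userName          search term used to find the user
     * @param expectedClientIds client IDs the single session must be attached to
     */
    private void assertSingleUserSession(String realmName, String userName, String... expectedClientIds) {
        UsersResource users = this.adminClient.realm(realmName).users();
        ClientsResource clients = this.adminClient.realm(realmName).clients();
        // Report a missing user as a test failure instead of an unexplained NoSuchElementException.
        UserRepresentation user = users.search(userName).stream()
                .findFirst()
                .orElseThrow(() -> new AssertionError("No user matching '" + userName + "' in realm " + realmName));

        List<UserSessionRepresentation> userSessions = users.get(user.getId()).getUserSessions();
        org.junit.Assert.assertThat(userSessions, Matchers.hasSize(1));

        Set<String> sessionClientIds = userSessions.get(0).getClients().values().stream()
                .flatMap(clientId -> clients.findByClientId(clientId).stream())
                .map(client -> client.getClientId())
                .collect(Collectors.toSet());
        org.junit.Assert.assertThat(sessionClientIds, Matchers.containsInAnyOrder(expectedClientIds));
    }
}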
