package org.keycloak.testsuite.oauth;

import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.ws.rs.core.Response;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.mime.MultipartEntityBuilder;
import org.apache.http.entity.mime.content.FileBody;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.message.BasicNameValuePair;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.adapters.AdapterUtils;
import org.keycloak.adapters.authentication.JWTClientCredentialsProvider;
import org.keycloak.admin.client.resource.ClientAttributeCertificateResource;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.common.util.Base64;
import org.keycloak.common.util.Base64Url;
import org.keycloak.common.util.BouncyIntegration;
import org.keycloak.common.util.KeyUtils;
import org.keycloak.common.util.KeycloakUriBuilder;
import org.keycloak.common.util.KeystoreUtil;
import org.keycloak.common.util.PemUtils;
import org.keycloak.common.util.Time;
import org.keycloak.common.util.UriUtils;
import org.keycloak.crypto.ECDSASignatureProvider;
import org.keycloak.events.EventType;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.representations.KeyStoreConfig;
import org.keycloak.representations.RefreshToken;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.EventRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.client.resources.TestApplicationResourceUrls;
import org.keycloak.testsuite.client.resources.TestOIDCEndpointsApplicationResource;
import org.keycloak.testsuite.saml.AbstractSamlTest;
import org.keycloak.testsuite.saml.ConcurrentAuthnRequestTest;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.ClientManager;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.testsuite.util.UserBuilder;

@AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
/* loaded from: input_file:org/keycloak/testsuite/oauth/ClientAuthSignedJWTTest.class */
public class ClientAuthSignedJWTTest extends AbstractKeycloakTest {

    @Rule
    public AssertEvents events = new AssertEvents(this);
    private static String client1SAUserId;
    private static RealmRepresentation testRealm;
    private static ClientRepresentation app1;
    private static ClientRepresentation app2;
    private static ClientRepresentation app3;
    private static UserRepresentation defaultUser;
    private static UserRepresentation serviceAccountUser;

    /* renamed from: org.keycloak.testsuite.oauth.ClientAuthSignedJWTTest$1CertificateHolder, reason: invalid class name */
    /* loaded from: input_file:org/keycloak/testsuite/oauth/ClientAuthSignedJWTTest$1CertificateHolder.class */
    class C1CertificateHolder {
        String certificate;

        C1CertificateHolder() {
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:org/keycloak/testsuite/oauth/ClientAuthSignedJWTTest$CustomJWTClientCredentialsProvider.class */
    public class CustomJWTClientCredentialsProvider extends JWTClientCredentialsProvider {
        private Map<String, Boolean> enabledClaims = new HashMap();

        public CustomJWTClientCredentialsProvider() {
            for (String str : new String[]{"id", "issuer", "subject", "audience", "expiration", "notBefore", "issuedAt"}) {
                this.enabledClaims.put(str, true);
            }
        }

        public void enableClaim(String str, boolean z) {
            if (!this.enabledClaims.containsKey(str)) {
                throw new IllegalArgumentException("Claim \"" + str + "\" doesn't exist");
            }
            this.enabledClaims.put(str, Boolean.valueOf(z));
        }

        public boolean isClaimEnabled(String str) {
            Boolean bool = this.enabledClaims.get(str);
            if (bool == null) {
                throw new IllegalArgumentException("Claim \"" + str + "\" doesn't exist");
            }
            return bool.booleanValue();
        }

        public Set<String> getClaims() {
            return this.enabledClaims.keySet();
        }

        protected JsonWebToken createRequestToken(String str, String str2) {
            JsonWebToken jsonWebToken = new JsonWebToken();
            if (isClaimEnabled("id")) {
                jsonWebToken.id(AdapterUtils.generateId());
            }
            if (isClaimEnabled("issuer")) {
                jsonWebToken.issuer(str);
            }
            if (isClaimEnabled("subject")) {
                jsonWebToken.subject(str);
            }
            if (isClaimEnabled("audience")) {
                jsonWebToken.audience(new String[]{str2});
            }
            int currentTime = Time.currentTime();
            if (isClaimEnabled("issuedAt")) {
                jsonWebToken.issuedAt(currentTime);
            }
            if (isClaimEnabled("expiration")) {
                jsonWebToken.expiration(currentTime + getTokenTimeout());
            }
            if (isClaimEnabled("notBefore")) {
                jsonWebToken.notBefore(currentTime);
            }
            return jsonWebToken;
        }
    }

    @BeforeClass
    public static void beforeClientAuthSignedJWTTest() {
        BouncyIntegration.init();
    }

    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void beforeAbstractKeycloakTest() throws Exception {
        super.beforeAbstractKeycloakTest();
    }

    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void addTestRealms(List<RealmRepresentation> list) {
        RealmBuilder testEventListener = RealmBuilder.create().name("test").privateKey(AbstractSamlTest.REALM_PRIVATE_KEY).publicKey(AbstractSamlTest.REALM_PUBLIC_KEY).testEventListener();
        app1 = ClientBuilder.create().id(KeycloakModelUtils.generateId()).clientId("client1").attribute("jwt.credential.certificate", "MIICnTCCAYUCBgFPPLDaTzANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdjbGllbnQxMB4XDTE1MDgxNzE3MjI0N1oXDTI1MDgxNzE3MjQyN1owEjEQMA4GA1UEAwwHY2xpZW50MTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIUjjgv+V3s96O+Za9002Lp/trtGuHBeaeVL9dFKMKzO2MPqdRmHB4PqNlDdd28Rwf5Xn6iWdFpyUKOnI/yXDLhdcuFpR0sMNK/C9Lt+hSpPFLuzDqgtPgDotlMxiHIWDOZ7g9/gPYNXbNvjv8nSiyqoguoCQiiafW90bPHsiVLdP7ZIUwCcfi1qQm7FhxRJ1NiW5dvUkuCnnWEf0XR+Wzc5eC9EgB0taLFiPsSEIlWMm5xlahYyXkPdNOqZjiRnrTWm5Y4uk8ZcsD/KbPTf/7t7cQXipVaswgjdYi1kK2/zRwOhg1QwWFX/qmvdd+fLxV0R6VqRDhn7Qep2cxwMxLsCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAKE6OA46sf20bz8LZPoiNsqRwBUDkaMGXfnob7s/hJZIIwDEx0IAQ3uKsG7q9wb+aA6s+v7S340zb2k3IxuhFaHaZpAd4CyR5cn1FHylbzoZ7rI/3ASqHDqpljdJaFqPH+m7nZWtyDvtZf+gkZ8OjsndwsSBK1d/jMZPp29qYbl1+XfO7RCp/jDqro/R3saYFaIFiEZPeKn1hUJn6BO48vxH1xspSu9FmlvDOEAOz4AuM58z4zRMP49GcFdCWr1wkonJUHaSptJaQwmBwLFUkCbE5I1ixGMb7mjEud6Y5jhfzJiZMo2U8RfcjNbrN0diZl3jB6LQIwESnhYSghaTjNQ==").attribute("client_credentials.use_refresh_token", "true").authenticatorType("client-jwt").serviceAccountsEnabled(true).build();
        testEventListener.client(app1);
        app2 = ClientBuilder.create().id(KeycloakModelUtils.generateId()).clientId("client2").directAccessGrants().serviceAccountsEnabled(true).redirectUris(OAuthClient.APP_ROOT + "/auth").attribute("jwt.credential.certificate", "MIICnTCCAYUCBgFPPQDGxTANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdjbGllbnQxMB4XDTE1MDgxNzE4NTAwNVoXDTI1MDgxNzE4NTE0NVowEjEQMA4GA1UEAwwHY2xpZW50MTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMMw3PaBffWxgS2PYSDDBp6As+cNvv9kt2C4f/RDAGmvSIHPFev9kuQiKs3Oaws3ZsV4JG3qHEuYgnh9W4vfe3DwNwtD1bjL5FYBhPBFTw0lAQECYxaBHnkjHwUKp957FqdSPPICm3LjmTcEdlH+9dpp9xHCMbbiNiWDzWI1xSxC8Fs2d0hwz1sd+Q4QeTBPIBWcPM+ICZtNG5MN+ORfayu4X+Me5d0tXG2fQO//rAevk1i5IFjKZuOjTwyKB5SJIY4b8QTeg0g/50IU7Ht00Pxw6CK02dHS+FvXHasZlD3ckomqCDjStTBWdhJo5dST0CbOqalkkpLlCCbGA1yEQRsCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAUIMeJ+EAo8eNpCG/nXImacjrKakbFnZYBGD/gqeTGaZynkX+jgBSructTHR83zSH+yELEhsAy+3BfK4EEihp+PEcRnK2fASVkHste8AQ7rlzC+HGGirlwrVhWCdizNUCGK80DE537IZ7nmZw6LFG9P5/Q2MvCsOCYjRUvMkukq6TdXBXR9tETwZ+0gpSfsOxjj0ZF7ftTRUSzx4rFfcbM9fRNdVizdOuKGc8HJPA5lLOxV6CyaYIvi3y5RlQI1OHeS34lE4w9CNPRFa/vdxXvN7ClyzA0HMFNWxBN7pC/Ht/FbhSvaAagJBHg+vCrcY5C26Oli7lAglf/zZrwUPs0w==").authenticatorType("client-jwt").build();
        testEventListener.client(app2);
        defaultUser = UserBuilder.create().id(KeycloakModelUtils.generateId()).username(AssertEvents.DEFAULT_USERNAME).password("password").build();
        testEventListener.user(defaultUser);
        client1SAUserId = KeycloakModelUtils.generateId();
        serviceAccountUser = UserBuilder.create().id(client1SAUserId).username("service-account-" + app1.getClientId()).serviceAccountId(app1.getClientId()).build();
        testEventListener.user(serviceAccountUser);
        testRealm = testEventListener.build();
        list.add(testRealm);
    }

    @Before
    public void recreateApp3() {
        app3 = ClientBuilder.create().id(KeycloakModelUtils.generateId()).clientId("client3").directAccessGrants().authenticatorType("client-jwt").build();
        Response create = this.adminClient.realm("test").clients().create(app3);
        getCleanup().addClientUuid(ApiUtil.getCreatedId(create));
        create.close();
    }

    @Test
    public void testServiceAccountAndLogoutSuccess() throws Exception {
        OAuthClient.AccessTokenResponse doClientCredentialsGrantRequest = doClientCredentialsGrantRequest(getClient1SignedJWT());
        Assert.assertEquals(200L, doClientCredentialsGrantRequest.getStatusCode());
        AccessToken verifyToken = this.oauth.verifyToken(doClientCredentialsGrantRequest.getAccessToken());
        RefreshToken parseRefreshToken = this.oauth.parseRefreshToken(doClientCredentialsGrantRequest.getRefreshToken());
        this.events.expectClientLogin().client("client1").user(client1SAUserId).session(verifyToken.getSessionState()).detail("token_id", verifyToken.getId()).detail("refresh_token_id", parseRefreshToken.getId()).detail("username", "service-account-client1").detail("client_auth_method", "client-jwt").assertEvent();
        Assert.assertEquals(verifyToken.getSessionState(), parseRefreshToken.getSessionState());
        OAuthClient.AccessTokenResponse doRefreshTokenRequest = doRefreshTokenRequest(doClientCredentialsGrantRequest.getRefreshToken(), getClient1SignedJWT());
        AccessToken verifyToken2 = this.oauth.verifyToken(doRefreshTokenRequest.getAccessToken());
        RefreshToken parseRefreshToken2 = this.oauth.parseRefreshToken(doRefreshTokenRequest.getRefreshToken());
        Assert.assertEquals(verifyToken.getSessionState(), verifyToken2.getSessionState());
        Assert.assertEquals(verifyToken.getSessionState(), parseRefreshToken2.getSessionState());
        this.events.expectRefresh(parseRefreshToken.getId(), parseRefreshToken.getSessionState()).user(client1SAUserId).client("client1").detail("client_auth_method", "client-jwt").assertEvent();
        Assert.assertEquals(204L, doLogout(doClientCredentialsGrantRequest.getRefreshToken(), getClient1SignedJWT()).getStatusLine().getStatusCode());
        this.events.expectLogout(verifyToken.getSessionState()).client("client1").user(client1SAUserId).removeDetail("redirect_uri").detail("client_auth_method", "client-jwt").assertEvent();
        OAuthClient.AccessTokenResponse doRefreshTokenRequest2 = doRefreshTokenRequest(doClientCredentialsGrantRequest.getRefreshToken(), getClient1SignedJWT());
        Assert.assertEquals(400L, doRefreshTokenRequest2.getStatusCode());
        Assert.assertEquals("invalid_grant", doRefreshTokenRequest2.getError());
        this.events.expectRefresh(parseRefreshToken.getId(), parseRefreshToken.getSessionState()).client("client1").user(client1SAUserId).removeDetail("token_id").removeDetail("updated_refresh_token_id").detail("client_auth_method", "client-jwt").error("invalid_token").assertEvent();
    }

    @Test
    public void testCodeToTokenRequestSuccess() throws Exception {
        this.oauth.clientId("client2");
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        EventRepresentation assertEvent = this.events.expectLogin().client("client2").assertEvent();
        OAuthClient.AccessTokenResponse doAccessTokenRequest = doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), getClient2SignedJWT());
        Assert.assertEquals(200L, doAccessTokenRequest.getStatusCode());
        this.oauth.verifyToken(doAccessTokenRequest.getAccessToken());
        this.oauth.parseRefreshToken(doAccessTokenRequest.getRefreshToken());
        this.events.expectCodeToToken((String) assertEvent.getDetails().get("code_id"), assertEvent.getSessionId()).client("client2").detail("client_auth_method", "client-jwt").assertEvent();
    }

    @Test
    public void testCodeToTokenRequestSuccessES256() throws Exception {
        testCodeToTokenRequestSuccess("ES256");
    }

    @Test
    public void testCodeToTokenRequestSuccessRS256() throws Exception {
        testCodeToTokenRequestSuccess("RS256");
    }

    @Test
    public void testCodeToTokenRequestSuccessPS256() throws Exception {
        testCodeToTokenRequestSuccess("PS256");
    }

    @Test
    public void testECDSASignature() throws Exception {
        testECDSASignatureLength(getClientSignedToken("ES256"), "ES256");
        testECDSASignatureLength(getClientSignedToken("ES384"), "ES384");
        testECDSASignatureLength(getClientSignedToken("ES512"), "ES512");
    }

    @Test
    public void testCodeToTokenRequestSuccessES256Enforced() throws Exception {
        try {
            try {
                ClientResource findClientByClientId = ApiUtil.findClientByClientId(this.adminClient.realm("test"), "client2");
                ClientRepresentation representation = findClientByClientId.toRepresentation();
                OIDCAdvancedConfigWrapper.fromClientRepresentation(representation).setTokenEndpointAuthSigningAlg("ES256");
                findClientByClientId.update(representation);
                testCodeToTokenRequestSuccess("ES256");
                ClientResource findClientByClientId2 = ApiUtil.findClientByClientId(this.adminClient.realm("test"), "client2");
                ClientRepresentation representation2 = findClientByClientId2.toRepresentation();
                OIDCAdvancedConfigWrapper.fromClientRepresentation(representation2).setTokenEndpointAuthSigningAlg((String) null);
                findClientByClientId2.update(representation2);
            } catch (Exception e) {
                org.keycloak.testsuite.Assert.fail();
                ClientResource findClientByClientId3 = ApiUtil.findClientByClientId(this.adminClient.realm("test"), "client2");
                ClientRepresentation representation3 = findClientByClientId3.toRepresentation();
                OIDCAdvancedConfigWrapper.fromClientRepresentation(representation3).setTokenEndpointAuthSigningAlg((String) null);
                findClientByClientId3.update(representation3);
            }
        } catch (Throwable th) {
            ClientResource findClientByClientId4 = ApiUtil.findClientByClientId(this.adminClient.realm("test"), "client2");
            ClientRepresentation representation4 = findClientByClientId4.toRepresentation();
            OIDCAdvancedConfigWrapper.fromClientRepresentation(representation4).setTokenEndpointAuthSigningAlg((String) null);
            findClientByClientId4.update(representation4);
            throw th;
        }
    }

    private void testECDSASignatureLength(String str, String str2) {
        Assert.assertEquals(ECDSASignatureProvider.ECDSA.valueOf(str2).getSignatureLength(), Base64Url.decode(str.split("\\.", 3)[2]).length);
    }

    private String getClientSignedToken(String str) throws Exception {
        ClientResource client = getClient(testRealm.getRealm(), app2.getId());
        ClientRepresentation representation = client.toRepresentation();
        try {
            KeyPair keyPair = setupJwks(str, representation, client);
            PublicKey publicKey = keyPair.getPublic();
            PrivateKey privateKey = keyPair.getPrivate();
            this.oauth.clientId("client2");
            this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            String str2 = (String) this.oauth.getCurrentQuery().get("code");
            String createSignedRequestToken = createSignedRequestToken("client2", getRealmInfoUrl(), privateKey, publicKey, str);
            OAuthClient.AccessTokenResponse doAccessTokenRequest = doAccessTokenRequest(str2, createSignedRequestToken);
            Assert.assertEquals(200L, doAccessTokenRequest.getStatusCode());
            this.oauth.verifyToken(doAccessTokenRequest.getAccessToken());
            this.oauth.openLogout();
            revertJwksSettings(representation, client);
            return createSignedRequestToken;
        } catch (Throwable th) {
            revertJwksSettings(representation, client);
            throw th;
        }
    }

    private void testCodeToTokenRequestSuccess(String str) throws Exception {
        ClientResource client = getClient(testRealm.getRealm(), app2.getId());
        ClientRepresentation representation = client.toRepresentation();
        try {
            KeyPair keyPair = setupJwks(str, representation, client);
            PublicKey publicKey = keyPair.getPublic();
            PrivateKey privateKey = keyPair.getPrivate();
            this.oauth.clientId("client2");
            this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            EventRepresentation assertEvent = this.events.expectLogin().client("client2").assertEvent();
            OAuthClient.AccessTokenResponse doAccessTokenRequest = doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), createSignedRequestToken("client2", getRealmInfoUrl(), privateKey, publicKey, str));
            Assert.assertEquals(200L, doAccessTokenRequest.getStatusCode());
            this.oauth.verifyToken(doAccessTokenRequest.getAccessToken());
            this.oauth.parseRefreshToken(doAccessTokenRequest.getRefreshToken());
            this.events.expectCodeToToken((String) assertEvent.getDetails().get("code_id"), assertEvent.getSessionId()).client("client2").detail("client_auth_method", "client-jwt").assertEvent();
            revertJwksSettings(representation, client);
        } catch (Throwable th) {
            revertJwksSettings(representation, client);
            throw th;
        }
    }

    @Test
    public void testDirectGrantRequestSuccess() throws Exception {
        this.oauth.clientId("client2");
        OAuthClient.AccessTokenResponse doGrantAccessTokenRequest = doGrantAccessTokenRequest(AssertEvents.DEFAULT_USERNAME, "password", getClient2SignedJWT());
        Assert.assertEquals(200L, doGrantAccessTokenRequest.getStatusCode());
        AccessToken verifyToken = this.oauth.verifyToken(doGrantAccessTokenRequest.getAccessToken());
        this.events.expectLogin().client("client2").session(verifyToken.getSessionState()).detail("grant_type", "password").detail("token_id", verifyToken.getId()).detail("refresh_token_id", this.oauth.parseRefreshToken(doGrantAccessTokenRequest.getRefreshToken()).getId()).detail("username", AssertEvents.DEFAULT_USERNAME).detail("client_auth_method", "client-jwt").removeDetail("code_id").removeDetail("redirect_uri").removeDetail("consent").assertEvent();
    }

    @Test
    public void testSuccessWhenNoAlgSetInJWK() throws Exception {
        ClientResource client = getClient(testRealm.getRealm(), app2.getId());
        ClientRepresentation representation = client.toRepresentation();
        try {
            KeyPair keyPair = setupJwks("PS256", false, representation, client);
            PublicKey publicKey = keyPair.getPublic();
            PrivateKey privateKey = keyPair.getPrivate();
            this.oauth.clientId("client2");
            Assert.assertEquals(200L, doGrantAccessTokenRequest(AssertEvents.DEFAULT_USERNAME, "password", createSignedRequestToken("client2", getRealmInfoUrl(), privateKey, publicKey, "PS256")).getStatusCode());
            revertJwksSettings(representation, client);
        } catch (Throwable th) {
            revertJwksSettings(representation, client);
            throw th;
        }
    }

    @Test
    public void testSuccessDefaultAlgWhenNoAlgSetInJWK() throws Exception {
        ClientResource client = getClient(testRealm.getRealm(), app2.getId());
        ClientRepresentation representation = client.toRepresentation();
        try {
            KeyPair keyPair = setupJwks("RS256", false, representation, client);
            PublicKey publicKey = keyPair.getPublic();
            PrivateKey privateKey = keyPair.getPrivate();
            this.oauth.clientId("client2");
            Assert.assertEquals(200L, doGrantAccessTokenRequest(AssertEvents.DEFAULT_USERNAME, "password", createSignedRequestToken("client2", getRealmInfoUrl(), privateKey, publicKey, "RS256")).getStatusCode());
            PublicKey publicKey2 = keyPair.getPublic();
            PrivateKey privateKey2 = keyPair.getPrivate();
            this.oauth.clientId("client2");
            OAuthClient.AccessTokenResponse doGrantAccessTokenRequest = doGrantAccessTokenRequest(AssertEvents.DEFAULT_USERNAME, "password", createSignedRequestToken("client2", getRealmInfoUrl(), privateKey2, publicKey2, "PS256"));
            Assert.assertEquals(400L, doGrantAccessTokenRequest.getStatusCode());
            Assert.assertEquals("Client authentication with signed JWT failed: Signature on JWT token failed validation", doGrantAccessTokenRequest.getErrorDescription());
            OIDCAdvancedConfigWrapper.fromClientRepresentation(representation).setTokenEndpointAuthSigningAlg("ES256");
            client.update(representation);
            OAuthClient.AccessTokenResponse doGrantAccessTokenRequest2 = doGrantAccessTokenRequest(AssertEvents.DEFAULT_USERNAME, "password", createSignedRequestToken("client2", getRealmInfoUrl(), privateKey2, publicKey2, "PS256"));
            Assert.assertEquals(400L, doGrantAccessTokenRequest2.getStatusCode());
            Assert.assertEquals("invalid signature algorithm", doGrantAccessTokenRequest2.getErrorDescription());
            revertJwksSettings(representation, client);
            OIDCAdvancedConfigWrapper.fromClientRepresentation(representation).setTokenEndpointAuthSigningAlg((String) null);
            client.update(representation);
        } catch (Throwable th) {
            revertJwksSettings(representation, client);
            OIDCAdvancedConfigWrapper.fromClientRepresentation(representation).setTokenEndpointAuthSigningAlg((String) null);
            client.update(representation);
            throw th;
        }
    }

    @Test
    public void testDirectGrantRequestSuccessES256() throws Exception {
        testDirectGrantRequestSuccess("ES256");
    }

    @Test
    public void testDirectGrantRequestSuccessRS256() throws Exception {
        testDirectGrantRequestSuccess("RS256");
    }

    @Test
    public void testDirectGrantRequestSuccessPS256() throws Exception {
        testDirectGrantRequestSuccess("PS256");
    }

    private void testDirectGrantRequestSuccess(String str) throws Exception {
        ClientResource client = getClient(testRealm.getRealm(), app2.getId());
        ClientRepresentation representation = client.toRepresentation();
        try {
            KeyPair keyPair = setupJwks(str, representation, client);
            PublicKey publicKey = keyPair.getPublic();
            PrivateKey privateKey = keyPair.getPrivate();
            this.oauth.clientId("client2");
            OAuthClient.AccessTokenResponse doGrantAccessTokenRequest = doGrantAccessTokenRequest(AssertEvents.DEFAULT_USERNAME, "password", createSignedRequestToken("client2", getRealmInfoUrl(), privateKey, publicKey, str));
            Assert.assertEquals(200L, doGrantAccessTokenRequest.getStatusCode());
            AccessToken verifyToken = this.oauth.verifyToken(doGrantAccessTokenRequest.getAccessToken());
            this.events.expectLogin().client("client2").session(verifyToken.getSessionState()).detail("grant_type", "password").detail("token_id", verifyToken.getId()).detail("refresh_token_id", this.oauth.parseRefreshToken(doGrantAccessTokenRequest.getRefreshToken()).getId()).detail("username", AssertEvents.DEFAULT_USERNAME).detail("client_auth_method", "client-jwt").removeDetail("code_id").removeDetail("redirect_uri").removeDetail("consent").assertEvent();
            revertJwksSettings(representation, client);
        } catch (Throwable th) {
            revertJwksSettings(representation, client);
            throw th;
        }
    }

    @Test
    public void testClientWithGeneratedKeysJKS() throws Exception {
        testClientWithGeneratedKeys("JKS");
    }

    @Test
    public void testClientWithGeneratedKeysPKCS12() throws Exception {
        testClientWithGeneratedKeys("PKCS12");
    }

    private void testClientWithGeneratedKeys(String str) throws Exception {
        ClientRepresentation clientRepresentation = app3;
        UserRepresentation userRepresentation = defaultUser;
        KeyStoreConfig keyStoreConfig = new KeyStoreConfig();
        keyStoreConfig.setFormat(str);
        keyStoreConfig.setKeyPassword("pwd1");
        keyStoreConfig.setStorePassword("pwd2");
        keyStoreConfig.setKeyAlias("somekey");
        ClientRepresentation representation = getClient(testRealm.getRealm(), clientRepresentation.getId()).toRepresentation();
        String str2 = (String) representation.getAttributes().get("jwt.credential.certificate");
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(getClientAttributeCertificateResource(testRealm.getRealm(), representation.getId()).generateAndGetKeystore(keyStoreConfig));
        KeyStore keystore = getKeystore(byteArrayInputStream, "pwd2", str);
        byteArrayInputStream.close();
        ClientRepresentation representation2 = getClient(testRealm.getRealm(), representation.getId()).toRepresentation();
        X509Certificate x509Certificate = (X509Certificate) keystore.getCertificate("somekey");
        assertCertificate(representation2, str2, KeycloakModelUtils.getPemFromCertificate(x509Certificate));
        this.oauth.clientId(representation2.getClientId());
        OAuthClient.AccessTokenResponse doGrantAccessTokenRequest = doGrantAccessTokenRequest(userRepresentation.getUsername(), ((CredentialRepresentation) userRepresentation.getCredentials().get(0)).getValue(), getClientSignedJWT(new KeyPair(x509Certificate.getPublicKey(), (PrivateKey) keystore.getKey("somekey", "pwd1".toCharArray())), representation2.getClientId()));
        Assert.assertEquals(200L, doGrantAccessTokenRequest.getStatusCode());
        AccessToken verifyToken = this.oauth.verifyToken(doGrantAccessTokenRequest.getAccessToken());
        this.events.expectLogin().client(representation2.getClientId()).session(verifyToken.getSessionState()).detail("grant_type", "password").detail("token_id", verifyToken.getId()).detail("refresh_token_id", this.oauth.parseRefreshToken(doGrantAccessTokenRequest.getRefreshToken()).getId()).detail("username", userRepresentation.getUsername()).detail("client_auth_method", "client-jwt").removeDetail("code_id").removeDetail("redirect_uri").removeDetail("consent").assertEvent();
    }

    @Test
    public void testUploadKeystoreJKS() throws Exception {
        testUploadKeystore("JKS", "client-auth-test/keystore-client1.jks", "clientkey", "storepass");
    }

    @Test
    public void testUploadKeystorePKCS12() throws Exception {
        testUploadKeystore("PKCS12", "client-auth-test/keystore-client2.p12", "clientkey", "pwd2");
    }

    @Test
    public void testUploadCertificatePEM() throws Exception {
        testUploadKeystore("Certificate PEM", "client-auth-test/certificate.pem", "undefined", "undefined");
    }

    @Test
    public void testUploadPublicKeyPEM() throws Exception {
        testUploadKeystore("Public Key PEM", "client-auth-test/publickey.pem", "undefined", "undefined");
    }

    @Test
    public void testUploadJWKS() throws Exception {
        testUploadKeystore("JSON Web Key Set", "clientreg-test/jwks.json", "undefined", "undefined");
    }

    private void testUploadKeystore(String str, String str2, String str3, String str4) throws Exception {
        ClientRepresentation representation = getClient(testRealm.getRealm(), app3.getId()).toRepresentation();
        String str5 = (String) representation.getAttributes().get("jwt.credential.certificate");
        URL resource = getClass().getClassLoader().getResource(str2);
        if (resource == null) {
            throw new IOException("File not found: " + str2);
        }
        File file = new File(resource.getFile());
        OAuthClient.AccessTokenResponse doGrantAccessTokenRequest = this.oauth.doGrantAccessTokenRequest("master", "admin", "admin", (String) null, "admin-cli", (String) null);
        Assert.assertEquals(200L, doGrantAccessTokenRequest.getStatusCode());
        String str6 = this.suiteContext.getAuthServerInfo().getContextRoot() + "/auth/admin/realms/" + testRealm.getRealm() + "/clients/" + representation.getId() + "/certificates/jwt.credential/upload-certificate";
        HttpEntity build = MultipartEntityBuilder.create().addPart("file", new FileBody(file)).addTextBody("keystoreFormat", str).addTextBody("keyAlias", str3).addTextBody("storePassword", str4).addTextBody("keyPassword", "undefined").build();
        HttpPost httpPost = new HttpPost(str6);
        httpPost.setHeader("Authorization", "Bearer " + doGrantAccessTokenRequest.getAccessToken());
        httpPost.setEntity(build);
        Assert.assertEquals(200L, HttpClients.createDefault().execute(httpPost).getStatusLine().getStatusCode());
        ClientRepresentation representation2 = getClient(testRealm.getRealm(), representation.getId()).toRepresentation();
        if (str.equals("Public Key PEM")) {
            Assert.assertEquals("Certificates don't match", new String(Files.readAllBytes(file.toPath())), (String) representation2.getAttributes().get("jwt.credential.public.key"));
            return;
        }
        if (str.equals("JSON Web Key Set")) {
            org.keycloak.testsuite.Assert.assertNotNull(KeycloakModelUtils.getPublicKey((String) representation2.getAttributes().get("jwt.credential.public.key")));
            return;
        }
        if (str.equals("Certificate PEM")) {
            assertCertificate(representation2, str5, new String(Files.readAllBytes(file.toPath())));
            return;
        }
        FileInputStream fileInputStream = new FileInputStream(file);
        KeyStore keystore = getKeystore(fileInputStream, str4, str);
        fileInputStream.close();
        assertCertificate(representation2, str5, KeycloakModelUtils.getPemFromCertificate((X509Certificate) keystore.getCertificate(str3)));
    }

    @Test
    public void testMissingClientAssertionType() throws Exception {
        LinkedList linkedList = new LinkedList();
        linkedList.add(new BasicNameValuePair("grant_type", "client_credentials"));
        assertError(new OAuthClient.AccessTokenResponse(sendRequest(this.oauth.getServiceAccountUrl(), linkedList)), null, "invalid_client", "invalid_client_credentials");
    }

    @Test
    public void testInvalidClientAssertionType() throws Exception {
        LinkedList linkedList = new LinkedList();
        linkedList.add(new BasicNameValuePair("grant_type", "client_credentials"));
        linkedList.add(new BasicNameValuePair("client_assertion_type", "invalid"));
        assertError(new OAuthClient.AccessTokenResponse(sendRequest(this.oauth.getServiceAccountUrl(), linkedList)), null, "invalid_client", "invalid_client_credentials");
    }

    @Test
    public void testMissingClientAssertion() throws Exception {
        LinkedList linkedList = new LinkedList();
        linkedList.add(new BasicNameValuePair("grant_type", "client_credentials"));
        linkedList.add(new BasicNameValuePair("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"));
        assertError(new OAuthClient.AccessTokenResponse(sendRequest(this.oauth.getServiceAccountUrl(), linkedList)), null, "invalid_client", "invalid_client_credentials");
    }

    @Test
    public void testAssertionMissingIssuer() throws Exception {
        String clientSignedJWT = getClientSignedJWT(getClient1KeyPair(), null);
        LinkedList linkedList = new LinkedList();
        linkedList.add(new BasicNameValuePair("grant_type", "client_credentials"));
        linkedList.add(new BasicNameValuePair("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"));
        linkedList.add(new BasicNameValuePair("client_assertion", clientSignedJWT));
        assertError(new OAuthClient.AccessTokenResponse(sendRequest(this.oauth.getServiceAccountUrl(), linkedList)), null, "invalid_client", "invalid_client_credentials");
    }

    @Test
    public void testAssertionUnknownClient() throws Exception {
        String clientSignedJWT = getClientSignedJWT(getClient1KeyPair(), "unknown-client");
        LinkedList linkedList = new LinkedList();
        linkedList.add(new BasicNameValuePair("grant_type", "client_credentials"));
        linkedList.add(new BasicNameValuePair("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"));
        linkedList.add(new BasicNameValuePair("client_assertion", clientSignedJWT));
        assertError(new OAuthClient.AccessTokenResponse(sendRequest(this.oauth.getServiceAccountUrl(), linkedList)), "unknown-client", "invalid_client", "invalid_client_credentials");
    }

    @Test
    public void testAssertionDisabledClient() throws Exception {
        ClientManager.realm(this.adminClient.realm("test")).clientId("client1").enabled(false);
        String client1SignedJWT = getClient1SignedJWT();
        LinkedList linkedList = new LinkedList();
        linkedList.add(new BasicNameValuePair("grant_type", "client_credentials"));
        linkedList.add(new BasicNameValuePair("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"));
        linkedList.add(new BasicNameValuePair("client_assertion", client1SignedJWT));
        assertError(new OAuthClient.AccessTokenResponse(sendRequest(this.oauth.getServiceAccountUrl(), linkedList)), "client1", "unauthorized_client", "client_disabled");
        ClientManager.realm(this.adminClient.realm("test")).clientId("client1").enabled(true);
    }

    @Test
    public void testAssertionUnconfiguredClientCertificate() throws Exception {
        C1CertificateHolder c1CertificateHolder = new C1CertificateHolder();
        c1CertificateHolder.certificate = (String) ApiUtil.findClientByClientId(this.adminClient.realm("test"), "client1").toRepresentation().getAttributes().get("jwt.credential.certificate");
        ClientManager.realm(this.adminClient.realm("test")).clientId("client1").updateAttribute("jwt.credential.certificate", null);
        String client1SignedJWT = getClient1SignedJWT();
        LinkedList linkedList = new LinkedList();
        linkedList.add(new BasicNameValuePair("grant_type", "client_credentials"));
        linkedList.add(new BasicNameValuePair("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"));
        linkedList.add(new BasicNameValuePair("client_assertion", client1SignedJWT));
        assertError(new OAuthClient.AccessTokenResponse(sendRequest(this.oauth.getServiceAccountUrl(), linkedList)), "client1", "invalid_client", "client_credentials_setup_required");
        ClientManager.realm(this.adminClient.realm("test")).clientId("client1").updateAttribute("jwt.credential.certificate", c1CertificateHolder.certificate);
    }

    @Test
    public void testAssertionInvalidSignature() throws Exception {
        String clientSignedJWT = getClientSignedJWT(getClient2KeyPair(), "client1");
        LinkedList linkedList = new LinkedList();
        linkedList.add(new BasicNameValuePair("grant_type", "client_credentials"));
        linkedList.add(new BasicNameValuePair("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"));
        linkedList.add(new BasicNameValuePair("client_assertion", clientSignedJWT));
        assertError(new OAuthClient.AccessTokenResponse(sendRequest(this.oauth.getServiceAccountUrl(), linkedList)), "client1", "invalid_client", AuthenticationFlowError.CLIENT_CREDENTIALS_SETUP_REQUIRED.toString().toLowerCase());
    }

    @Test
    public void testAssertionExpired() throws Exception {
        String client1SignedJWT = getClient1SignedJWT();
        setTimeOffset(1000);
        LinkedList linkedList = new LinkedList();
        linkedList.add(new BasicNameValuePair("grant_type", "client_credentials"));
        linkedList.add(new BasicNameValuePair("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"));
        linkedList.add(new BasicNameValuePair("client_assertion", client1SignedJWT));
        OAuthClient.AccessTokenResponse accessTokenResponse = new OAuthClient.AccessTokenResponse(sendRequest(this.oauth.getServiceAccountUrl(), linkedList));
        setTimeOffset(0);
        assertError(accessTokenResponse, "client1", "invalid_client", "invalid_client_credentials");
    }

    @Test
    public void testParEndpointAsAudience() throws Exception {
        testEndpointAsAudience(this.oauth.getParEndpointUrl());
    }

    @Test
    public void testBackchannelAuthenticationEndpointAsAudience() throws Exception {
        testEndpointAsAudience(this.oauth.getBackchannelAuthenticationUrl());
    }

    private void testEndpointAsAudience(String str) throws Exception {
        ClientResource client = getClient(testRealm.getRealm(), app2.getId());
        KeyPair keyPair = setupJwks("PS256", client.toRepresentation(), client);
        PublicKey publicKey = keyPair.getPublic();
        PrivateKey privateKey = keyPair.getPrivate();
        JsonWebToken createRequestToken = createRequestToken(app2.getClientId(), getRealmInfoUrl());
        createRequestToken.audience(new String[]{str});
        LinkedList linkedList = new LinkedList();
        linkedList.add(new BasicNameValuePair("grant_type", "client_credentials"));
        linkedList.add(new BasicNameValuePair("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"));
        linkedList.add(new BasicNameValuePair("client_assertion", createSignledRequestToken(privateKey, publicKey, "PS256", createRequestToken)));
        CloseableHttpResponse sendRequest = sendRequest(this.oauth.getServiceAccountUrl(), linkedList);
        Throwable th = null;
        try {
            try {
                Assert.assertNotNull(new OAuthClient.AccessTokenResponse(sendRequest).getAccessToken());
                if (sendRequest != null) {
                    if (0 == 0) {
                        sendRequest.close();
                        return;
                    }
                    try {
                        sendRequest.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Throwable th4) {
            if (sendRequest != null) {
                if (th != null) {
                    try {
                        sendRequest.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    sendRequest.close();
                }
            }
            throw th4;
        }
    }

    @Test
    public void testInvalidAudience() throws Exception {
        ClientResource client = getClient(testRealm.getRealm(), app2.getId());
        KeyPair keyPair = setupJwks("PS256", client.toRepresentation(), client);
        PublicKey publicKey = keyPair.getPublic();
        PrivateKey privateKey = keyPair.getPrivate();
        JsonWebToken createRequestToken = createRequestToken(app2.getClientId(), getRealmInfoUrl());
        createRequestToken.audience(new String[]{"https://as.other.org"});
        LinkedList linkedList = new LinkedList();
        linkedList.add(new BasicNameValuePair("grant_type", "client_credentials"));
        linkedList.add(new BasicNameValuePair("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"));
        linkedList.add(new BasicNameValuePair("client_assertion", createSignledRequestToken(privateKey, publicKey, "PS256", createRequestToken)));
        CloseableHttpResponse sendRequest = sendRequest(this.oauth.getServiceAccountUrl(), linkedList);
        Throwable th = null;
        try {
            try {
                Assert.assertNull(new OAuthClient.AccessTokenResponse(sendRequest).getAccessToken());
                if (sendRequest != null) {
                    if (0 == 0) {
                        sendRequest.close();
                        return;
                    }
                    try {
                        sendRequest.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Throwable th4) {
            if (sendRequest != null) {
                if (th != null) {
                    try {
                        sendRequest.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    sendRequest.close();
                }
            }
            throw th4;
        }
    }

    @Test
    public void testAssertionInvalidNotBefore() throws Exception {
        String client1SignedJWT = getClient1SignedJWT();
        setTimeOffset(-1000);
        LinkedList linkedList = new LinkedList();
        linkedList.add(new BasicNameValuePair("grant_type", "client_credentials"));
        linkedList.add(new BasicNameValuePair("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"));
        linkedList.add(new BasicNameValuePair("client_assertion", client1SignedJWT));
        OAuthClient.AccessTokenResponse accessTokenResponse = new OAuthClient.AccessTokenResponse(sendRequest(this.oauth.getServiceAccountUrl(), linkedList));
        setTimeOffset(0);
        assertError(accessTokenResponse, "client1", "invalid_client", "invalid_client_credentials");
    }

    @Test
    public void testAssertionReuse() throws Exception {
        String client1SignedJWT = getClient1SignedJWT();
        OAuthClient.AccessTokenResponse doClientCredentialsGrantRequest = doClientCredentialsGrantRequest(client1SignedJWT);
        Assert.assertEquals(200L, doClientCredentialsGrantRequest.getStatusCode());
        org.keycloak.testsuite.Assert.assertNotNull(this.oauth.verifyToken(doClientCredentialsGrantRequest.getAccessToken()));
        org.keycloak.testsuite.Assert.assertNull(doClientCredentialsGrantRequest.getError());
        OAuthClient.AccessTokenResponse doClientCredentialsGrantRequest2 = doClientCredentialsGrantRequest(client1SignedJWT);
        Assert.assertEquals(400L, doClientCredentialsGrantRequest2.getStatusCode());
        Assert.assertEquals("invalid_client", doClientCredentialsGrantRequest2.getError());
    }

    @Test
    public void testMissingIdClaim() throws Exception {
        assertError(testMissingClaim("id"), app1.getClientId(), "invalid_client", "invalid_client_credentials");
    }

    @Test
    public void testMissingIssuerClaim() throws Exception {
        assertError(testMissingClaim("issuer"), null, "invalid_client", "invalid_client_credentials");
    }

    @Test
    public void testMissingSubjectClaim() throws Exception {
        assertError(testMissingClaim("subject"), null, "invalid_client", "invalid_client_credentials");
    }

    @Test
    public void testMissingAudienceClaim() throws Exception {
        assertError(testMissingClaim("audience"), app1.getClientId(), "invalid_client", "invalid_client_credentials");
    }

    @Test
    public void testMissingIssuedAtClaim() throws Exception {
        assertSuccess(testMissingClaim("issuedAt"), app1.getClientId(), serviceAccountUser.getId(), serviceAccountUser.getUsername());
    }

    @Test
    public void testMissingExpirationClaim() throws Exception {
        assertSuccess(testMissingClaim("expiration"), app1.getClientId(), serviceAccountUser.getId(), serviceAccountUser.getUsername());
        assertError(testMissingClaim(-11, "expiration"), app1.getClientId(), "invalid_client", "invalid_client_credentials");
        assertError(testMissingClaim("expiration", "issuedAt"), app1.getClientId(), "invalid_client", "invalid_client_credentials");
    }

    @Test
    public void testMissingNotBeforeClaim() throws Exception {
        assertSuccess(testMissingClaim("notBefore"), app1.getClientId(), serviceAccountUser.getId(), serviceAccountUser.getUsername());
    }

    private OAuthClient.AccessTokenResponse testMissingClaim(String... strArr) throws Exception {
        return testMissingClaim(0, strArr);
    }

    private OAuthClient.AccessTokenResponse testMissingClaim(int i, String... strArr) throws Exception {
        CustomJWTClientCredentialsProvider customJWTClientCredentialsProvider = new CustomJWTClientCredentialsProvider();
        customJWTClientCredentialsProvider.setupKeyPair(getClient1KeyPair());
        customJWTClientCredentialsProvider.setTokenTimeout(10);
        for (String str : strArr) {
            customJWTClientCredentialsProvider.enableClaim(str, false);
        }
        Time.setOffset(i);
        String createSignedRequestToken = customJWTClientCredentialsProvider.createSignedRequestToken(app1.getClientId(), getRealmInfoUrl());
        Time.setOffset(0);
        return doClientCredentialsGrantRequest(createSignedRequestToken);
    }

    private void assertError(OAuthClient.AccessTokenResponse accessTokenResponse, String str, String str2, String str3) {
        Assert.assertEquals(400L, accessTokenResponse.getStatusCode());
        Assert.assertEquals(str2, accessTokenResponse.getError());
        this.events.expectClientLogin().client(str).session((String) null).clearDetails().error(str3).user((String) null).assertEvent();
    }

    private void assertSuccess(OAuthClient.AccessTokenResponse accessTokenResponse, String str, String str2, String str3) {
        Assert.assertEquals(200L, accessTokenResponse.getStatusCode());
        AccessToken verifyToken = this.oauth.verifyToken(accessTokenResponse.getAccessToken());
        this.events.expectClientLogin().client(str).user(str2).session(verifyToken.getSessionState()).detail("token_id", verifyToken.getId()).detail("refresh_token_id", this.oauth.parseRefreshToken(accessTokenResponse.getRefreshToken()).getId()).detail("username", str3).detail("client_auth_method", "client-jwt").assertEvent();
    }

    private static void assertCertificate(ClientRepresentation clientRepresentation, String str, String str2) {
        String removeBeginEnd = PemUtils.removeBeginEnd(str2);
        String str3 = (String) clientRepresentation.getAttributes().get("jwt.credential.certificate");
        Assert.assertNotEquals("The old and new certificates shouldn't match", str, str3);
        Assert.assertEquals("Certificates don't match", removeBeginEnd, str3);
    }

    @Test
    public void testCodeToTokenRequestFailureRS256() throws Exception {
        testCodeToTokenRequestFailure("RS256", "invalid_client", "client_credentials_setup_required");
    }

    @Test
    public void testCodeToTokenRequestFailureES256Enforced() throws Exception {
        try {
            try {
                ClientResource findClientByClientId = ApiUtil.findClientByClientId(this.adminClient.realm("test"), "client2");
                ClientRepresentation representation = findClientByClientId.toRepresentation();
                OIDCAdvancedConfigWrapper.fromClientRepresentation(representation).setTokenEndpointAuthSigningAlg("ES256");
                findClientByClientId.update(representation);
                testCodeToTokenRequestFailure("RS256", "invalid_client", "invalid_client_credentials");
                ClientResource findClientByClientId2 = ApiUtil.findClientByClientId(this.adminClient.realm("test"), "client2");
                ClientRepresentation representation2 = findClientByClientId2.toRepresentation();
                OIDCAdvancedConfigWrapper.fromClientRepresentation(representation2).setTokenEndpointAuthSigningAlg((String) null);
                findClientByClientId2.update(representation2);
            } catch (Exception e) {
                org.keycloak.testsuite.Assert.fail();
                ClientResource findClientByClientId3 = ApiUtil.findClientByClientId(this.adminClient.realm("test"), "client2");
                ClientRepresentation representation3 = findClientByClientId3.toRepresentation();
                OIDCAdvancedConfigWrapper.fromClientRepresentation(representation3).setTokenEndpointAuthSigningAlg((String) null);
                findClientByClientId3.update(representation3);
            }
        } catch (Throwable th) {
            ClientResource findClientByClientId4 = ApiUtil.findClientByClientId(this.adminClient.realm("test"), "client2");
            ClientRepresentation representation4 = findClientByClientId4.toRepresentation();
            OIDCAdvancedConfigWrapper.fromClientRepresentation(representation4).setTokenEndpointAuthSigningAlg((String) null);
            findClientByClientId4.update(representation4);
            throw th;
        }
    }

    private void testCodeToTokenRequestFailure(String str, String str2, String str3) throws Exception {
        ClientResource client = getClient(testRealm.getRealm(), app2.getId());
        ClientRepresentation representation = client.toRepresentation();
        try {
            KeyPair keyPair = setupJwks(str, representation, client);
            keyPair.getPublic();
            keyPair.getPrivate();
            this.oauth.clientId("client2");
            this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            this.events.expectLogin().client("client2").assertEvent();
            OAuthClient.AccessTokenResponse doAccessTokenRequest = doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), getClient2SignedJWT());
            Assert.assertEquals(400L, doAccessTokenRequest.getStatusCode());
            Assert.assertEquals(str2, doAccessTokenRequest.getError());
            this.events.expect(EventType.CODE_TO_TOKEN_ERROR).client("client2").session((String) null).clearDetails().error(str3).user((String) null).assertEvent();
            revertJwksSettings(representation, client);
        } catch (Throwable th) {
            revertJwksSettings(representation, client);
            throw th;
        }
    }

    @Test
    public void testDirectGrantRequestFailureES256() throws Exception {
        testDirectGrantRequestFailure("ES256");
    }

    private void testDirectGrantRequestFailure(String str) throws Exception {
        ClientResource client = getClient(testRealm.getRealm(), app2.getId());
        ClientRepresentation representation = client.toRepresentation();
        try {
            setupJwks(str, representation, client);
            this.oauth.clientId("client2");
            OAuthClient.AccessTokenResponse doGrantAccessTokenRequest = doGrantAccessTokenRequest(AssertEvents.DEFAULT_USERNAME, "password", getClient2SignedJWT());
            Assert.assertEquals(400L, doGrantAccessTokenRequest.getStatusCode());
            Assert.assertEquals("invalid_client", doGrantAccessTokenRequest.getError());
            this.events.expect(EventType.LOGIN_ERROR).client("client2").session((String) null).clearDetails().error("client_credentials_setup_required").user((String) null).assertEvent();
            revertJwksSettings(representation, client);
        } catch (Throwable th) {
            revertJwksSettings(representation, client);
            throw th;
        }
    }

    private OAuthClient.AccessTokenResponse doAccessTokenRequest(String str, String str2) throws Exception {
        LinkedList linkedList = new LinkedList();
        linkedList.add(new BasicNameValuePair("grant_type", "authorization_code"));
        linkedList.add(new BasicNameValuePair("code", str));
        linkedList.add(new BasicNameValuePair("redirect_uri", this.oauth.getRedirectUri()));
        linkedList.add(new BasicNameValuePair("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"));
        linkedList.add(new BasicNameValuePair("client_assertion", str2));
        return new OAuthClient.AccessTokenResponse(sendRequest(this.oauth.getAccessTokenUrl(), linkedList));
    }

    private OAuthClient.AccessTokenResponse doRefreshTokenRequest(String str, String str2) throws Exception {
        LinkedList linkedList = new LinkedList();
        linkedList.add(new BasicNameValuePair("grant_type", "refresh_token"));
        linkedList.add(new BasicNameValuePair("refresh_token", str));
        linkedList.add(new BasicNameValuePair("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"));
        linkedList.add(new BasicNameValuePair("client_assertion", str2));
        return new OAuthClient.AccessTokenResponse(sendRequest(this.oauth.getRefreshTokenUrl(), linkedList));
    }

    private HttpResponse doLogout(String str, String str2) throws Exception {
        LinkedList linkedList = new LinkedList();
        linkedList.add(new BasicNameValuePair("grant_type", "refresh_token"));
        linkedList.add(new BasicNameValuePair("refresh_token", str));
        linkedList.add(new BasicNameValuePair("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"));
        linkedList.add(new BasicNameValuePair("client_assertion", str2));
        return sendRequest(this.oauth.getLogoutUrl().build(), linkedList);
    }

    private OAuthClient.AccessTokenResponse doClientCredentialsGrantRequest(String str) throws Exception {
        LinkedList linkedList = new LinkedList();
        linkedList.add(new BasicNameValuePair("grant_type", "client_credentials"));
        linkedList.add(new BasicNameValuePair("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"));
        linkedList.add(new BasicNameValuePair("client_assertion", str));
        return new OAuthClient.AccessTokenResponse(sendRequest(this.oauth.getServiceAccountUrl(), linkedList));
    }

    private OAuthClient.AccessTokenResponse doGrantAccessTokenRequest(String str, String str2, String str3) throws Exception {
        LinkedList linkedList = new LinkedList();
        linkedList.add(new BasicNameValuePair("grant_type", "password"));
        linkedList.add(new BasicNameValuePair("username", str));
        linkedList.add(new BasicNameValuePair("password", str2));
        linkedList.add(new BasicNameValuePair("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"));
        linkedList.add(new BasicNameValuePair("client_assertion", str3));
        return new OAuthClient.AccessTokenResponse(sendRequest(this.oauth.getResourceOwnerPasswordCredentialGrantUrl(), linkedList));
    }

    private CloseableHttpResponse sendRequest(String str, List<NameValuePair> list) throws Exception {
        DefaultHttpClient defaultHttpClient = new DefaultHttpClient();
        try {
            HttpPost httpPost = new HttpPost(str);
            httpPost.setEntity(new UrlEncodedFormEntity(list, "UTF-8"));
            CloseableHttpResponse execute = defaultHttpClient.execute(httpPost);
            this.oauth.closeClient(defaultHttpClient);
            return execute;
        } catch (Throwable th) {
            this.oauth.closeClient(defaultHttpClient);
            throw th;
        }
    }

    private String getClient1SignedJWT() {
        return getClientSignedJWT(getClient1KeyPair(), "client1");
    }

    private String getClient2SignedJWT() {
        return getClientSignedJWT(getClient2KeyPair(), "client2");
    }

    private KeyPair getClient1KeyPair() {
        return KeystoreUtil.loadKeyPairFromKeystore("classpath:client-auth-test/keystore-client1.jks", "storepass", "keypass", "clientkey", KeystoreUtil.KeystoreFormat.JKS);
    }

    private KeyPair getClient2KeyPair() {
        return KeystoreUtil.loadKeyPairFromKeystore("classpath:client-auth-test/keystore-client2.jks", "storepass", "keypass", "clientkey", KeystoreUtil.KeystoreFormat.JKS);
    }

    private String getClientSignedJWT(KeyPair keyPair, String str) {
        JWTClientCredentialsProvider jWTClientCredentialsProvider = new JWTClientCredentialsProvider();
        jWTClientCredentialsProvider.setupKeyPair(keyPair);
        jWTClientCredentialsProvider.setTokenTimeout(10);
        return jWTClientCredentialsProvider.createSignedRequestToken(str, getRealmInfoUrl());
    }

    private String getRealmInfoUrl() {
        return KeycloakUriBuilder.fromUri(UriUtils.getOrigin(this.oauth.getRedirectUri()) + "/auth").path("/realms/{realm-name}").build(new Object[]{"test"}).toString();
    }

    private ClientAttributeCertificateResource getClientAttributeCertificateResource(String str, String str2) {
        return getClient(str, str2).getCertficateResource("jwt.credential");
    }

    private ClientResource getClient(String str, String str2) {
        return realmsResouce().realm(str).clients().get(str2);
    }

    private static KeyStore getKeystore(InputStream inputStream, String str, String str2) throws Exception {
        KeyStore keyStore = str2.equals("JKS") ? KeyStore.getInstance(str2) : KeyStore.getInstance(str2, "BC");
        keyStore.load(inputStream, str.toCharArray());
        return keyStore;
    }

    private KeyPair setupJwks(String str, ClientRepresentation clientRepresentation, ClientResource clientResource) throws Exception {
        return setupJwks(str, true, clientRepresentation, clientResource);
    }

    private KeyPair setupJwks(String str, boolean z, ClientRepresentation clientRepresentation, ClientResource clientResource) throws Exception {
        TestOIDCEndpointsApplicationResource oidcClientEndpoints = this.testingClient.testApp().oidcClientEndpoints();
        oidcClientEndpoints.generateKeys(str, Boolean.valueOf(z));
        KeyPair keyPairFromGeneratedBase64 = getKeyPairFromGeneratedBase64(oidcClientEndpoints.getKeysAsBase64(), str);
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRepresentation).setUseJwksUrl(true);
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRepresentation).setJwksUrl(TestApplicationResourceUrls.clientJwksUri());
        clientResource.update(clientRepresentation);
        setTimeOffset(20);
        return keyPairFromGeneratedBase64;
    }

    private void revertJwksSettings(ClientRepresentation clientRepresentation, ClientResource clientResource) {
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRepresentation).setUseJwksUrl(false);
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRepresentation).setJwksUrl((String) null);
        clientResource.update(clientRepresentation);
    }

    private KeyPair getKeyPairFromGeneratedBase64(Map<String, String> map, String str) throws Exception {
        String str2 = map.get("privateKey");
        String str3 = map.get("publicKey");
        return new KeyPair(decodePublicKey(Base64.decode(str3), str), decodePrivateKey(Base64.decode(str2), str));
    }

    private static PrivateKey decodePrivateKey(byte[] bArr, String str) throws NoSuchAlgorithmException, InvalidKeySpecException, NoSuchProviderException {
        return KeyFactory.getInstance(getKeyAlgorithmFromJwaAlgorithm(str), "BC").generatePrivate(new PKCS8EncodedKeySpec(bArr));
    }

    private static PublicKey decodePublicKey(byte[] bArr, String str) throws NoSuchAlgorithmException, InvalidKeySpecException, NoSuchProviderException {
        return KeyFactory.getInstance(getKeyAlgorithmFromJwaAlgorithm(str), "BC").generatePublic(new X509EncodedKeySpec(bArr));
    }

    private String createSignedRequestToken(String str, String str2, PrivateKey privateKey, PublicKey publicKey, String str3) {
        return createSignledRequestToken(privateKey, publicKey, str3, createRequestToken(str, str2));
    }

    private String createSignledRequestToken(PrivateKey privateKey, PublicKey publicKey, String str, JsonWebToken jsonWebToken) {
        String createKeyId = KeyUtils.createKeyId(publicKey);
        return new JWSBuilder().kid(createKeyId).jsonContent(jsonWebToken).sign(this.oauth.createSigner(privateKey, createKeyId, str));
    }

    private JsonWebToken createRequestToken(String str, String str2) {
        JsonWebToken jsonWebToken = new JsonWebToken();
        jsonWebToken.id(AdapterUtils.generateId());
        jsonWebToken.issuer(str);
        jsonWebToken.subject(str);
        jsonWebToken.audience(new String[]{str2});
        int currentTime = Time.currentTime();
        jsonWebToken.issuedAt(currentTime);
        jsonWebToken.expiration(currentTime + 10);
        jsonWebToken.notBefore(currentTime);
        return jsonWebToken;
    }

    private static String getKeyAlgorithmFromJwaAlgorithm(String str) {
        String str2;
        boolean z = -1;
        switch (str.hashCode()) {
            case 66245349:
                if (str.equals("ES256")) {
                    z = 6;
                    break;
                }
                break;
            case 66246401:
                if (str.equals("ES384")) {
                    z = 7;
                    break;
                }
                break;
            case 66248104:
                if (str.equals("ES512")) {
                    z = 8;
                    break;
                }
                break;
            case 76404080:
                if (str.equals("PS256")) {
                    z = 3;
                    break;
                }
                break;
            case 76405132:
                if (str.equals("PS384")) {
                    z = 4;
                    break;
                }
                break;
            case 76406835:
                if (str.equals("PS512")) {
                    z = 5;
                    break;
                }
                break;
            case 78251122:
                if (str.equals("RS256")) {
                    z = false;
                    break;
                }
                break;
            case 78252174:
                if (str.equals("RS384")) {
                    z = true;
                    break;
                }
                break;
            case 78253877:
                if (str.equals("RS512")) {
                    z = 2;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
            case true:
            case true:
            case RefreshTokenTest.ALLOWED_CLOCK_SKEW /* 3 */:
            case true:
            case ConcurrentAuthnRequestTest.CONCURRENT_THREADS /* 5 */:
                str2 = "RSA";
                break;
            case true:
            case true:
            case true:
                str2 = "EC";
                break;
            default:
                throw new RuntimeException("Unsupported signature algorithm");
        }
        return str2;
    }
}
