package org.keycloak.testsuite.oidc;

import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.ws.rs.core.Response;
import org.junit.Before;
import org.junit.Test;
import org.keycloak.admin.client.resource.ClientScopeResource;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.ClientScopeRepresentation;
import org.keycloak.representations.idm.ProtocolMapperRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.testsuite.Assert;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.oauth.BackchannelLogoutTest;
import org.keycloak.testsuite.oidc.AbstractOIDCScopeTest;
import org.keycloak.testsuite.util.ProtocolMapperUtil;
import org.keycloak.testsuite.util.UserBuilder;

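/**
 * Integration tests for the OIDC audience protocol mapper.
 *
 * <p>The {@code aud} claim tells a resource server whether a token was issued for it, so these
 * tests pin the exact audience set of both the access token and the ID token. An unexpected
 * extra audience fails the test just like a missing one.
 *
 * <p>Fixture: a bearer-only client {@code service-client} with client role {@code role1}, a user
 * {@code john} holding that role, and an optional client scope {@code audience-scope} attached to
 * the default test client. Each test adds its audience mappers to that shared scope and removes
 * them again.
 */
@AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
public class AudienceTest extends AbstractOIDCScopeTest {
    private static final String SERVICE_CLIENT_ID = "service-client";
    private static final String AUDIENCE_SCOPE = "audience-scope";
    private static final String OIDC_PROTOCOL = "openid-connect";

    private static final String userId = KeycloakModelUtils.generateId();

    /**
     * Adds the bearer-only service client, its {@code role1} client role and the test user to the
     * realm, and switches off "full scope allowed" on the default test client.
     *
     * @param realmRepresentation realm definition to extend before it is imported
     * @throws IllegalStateException if the default test client is not part of the realm
     */
    @Override // org.keycloak.testsuite.AbstractTestRealmKeycloakTest
    public void configureTestRealm(RealmRepresentation realmRepresentation) {
        ClientRepresentation serviceClient = new ClientRepresentation();
        serviceClient.setClientId(SERVICE_CLIENT_ID);
        serviceClient.setProtocol(OIDC_PROTOCOL);
        serviceClient.setBearerOnly(true);
        serviceClient.setBaseUrl("http://foo/service-client");
        realmRepresentation.getClients().add(serviceClient);

        RoleRepresentation serviceRole = new RoleRepresentation();
        serviceRole.setName("role1");
        realmRepresentation.getRoles().getClient().put(SERVICE_CLIENT_ID, Arrays.asList(serviceRole));

        // NOTE(review): presumably full scope is disabled so that john's role on service-client
        // does not reach the token by itself and the audience comes only from the mappers under
        // test - confirm against the realm's default mappers.
        ClientRepresentation defaultClient = realmRepresentation.getClients().stream()
                .filter(client -> AssertEvents.DEFAULT_CLIENT_ID.equals(client.getClientId()))
                .findFirst()
                .orElseThrow(() -> new IllegalStateException(
                        "Client '" + AssertEvents.DEFAULT_CLIENT_ID + "' is missing from the test realm"));
        defaultClient.setFullScopeAllowed(false);

        realmRepresentation.getUsers().add(UserBuilder.create()
                .id(userId)
                .username("john")
                .enabled(true)
                .email("john@email.cz")
                .firstName("John")
                .lastName("Doe")
                .password("password")
                .role(BackchannelLogoutTest.ACCOUNT_CLIENT_NAME, "manage-account")
                .role(BackchannelLogoutTest.ACCOUNT_CLIENT_NAME, "view-profile")
                .role(SERVICE_CLIENT_ID, "role1")
                .build());
    }

    /**
     * Creates the {@code audience-scope} client scope once and attaches it to the default test
     * client as an optional scope. Does nothing when the scope already exists.
     */
    @Before
    public void beforeTest() {
        if (ApiUtil.findClientScopeByName(testRealm(), AUDIENCE_SCOPE) != null) {
            return;
        }
        ClientScopeRepresentation audienceScope = new ClientScopeRepresentation();
        audienceScope.setName(AUDIENCE_SCOPE);
        audienceScope.setProtocol(OIDC_PROTOCOL);

        Response response = testRealm().clientScopes().create(audienceScope);
        String scopeId;
        try {
            scopeId = ApiUtil.getCreatedId(response);
        } finally {
            // Release the connection even when the creation was rejected.
            response.close();
        }
        ApiUtil.findClientByClientId(testRealm(), AssertEvents.DEFAULT_CLIENT_ID).addOptionalClientScope(scopeId);
    }

    /**
     * An audience mapper that names a client and targets only the access token must put that
     * client id into the access token audience, while the ID token keeps the requesting client
     * as its sole audience.
     */
    @Test
    public void testAudienceProtocolMapperWithClientAudience() throws Exception {
        ClientScopeResource audienceScope = ApiUtil.findClientScopeByName(testRealm(), AUDIENCE_SCOPE);
        String mapperId = addMapper(audienceScope,
                ProtocolMapperUtil.createAudienceMapper("audience mapper", SERVICE_CLIENT_ID, null, true, false));
        try {
            this.oauth.scope("openid audience-scope");
            this.oauth.doLogin("john", "password");
            AbstractOIDCScopeTest.Tokens tokens = sendTokenRequest(
                    this.events.expectLogin().user(userId).assertEvent(),
                    userId,
                    "openid profile email audience-scope",
                    AssertEvents.DEFAULT_CLIENT_ID);
            assertAudiences(tokens.accessToken, SERVICE_CLIENT_ID);
            assertAudiences(tokens.idToken, AssertEvents.DEFAULT_CLIENT_ID);
        } finally {
            // The scope is shared between tests: a mapper left behind by a failed assertion
            // would change the audiences the other test sees.
            audienceScope.getProtocolMappers().delete(mapperId);
        }
    }

    /**
     * Two custom-audience mappers: the first targets the access token only, the second targets
     * both tokens. The access token must carry both custom audiences; the ID token must carry the
     * requesting client plus only the second custom audience.
     */
    @Test
    public void testAudienceProtocolMapperWithCustomAudience() throws Exception {
        ClientScopeResource audienceScope = ApiUtil.findClientScopeByName(testRealm(), AUDIENCE_SCOPE);
        String accessOnlyMapperId = addMapper(audienceScope,
                ProtocolMapperUtil.createAudienceMapper("audience mapper 1", null, "http://host/service/ctx1", true, false));
        try {
            String bothTokensMapperId = addMapper(audienceScope,
                    ProtocolMapperUtil.createAudienceMapper("audience mapper 2", null, "http://host/service/ctx2", true, true));
            try {
                this.oauth.scope("openid audience-scope");
                this.oauth.doLogin("john", "password");
                AbstractOIDCScopeTest.Tokens tokens = sendTokenRequest(
                        this.events.expectLogin().user(userId).assertEvent(),
                        userId,
                        "openid profile email audience-scope",
                        AssertEvents.DEFAULT_CLIENT_ID);
                assertAudiences(tokens.accessToken, "http://host/service/ctx1", "http://host/service/ctx2");
                assertAudiences(tokens.idToken, AssertEvents.DEFAULT_CLIENT_ID, "http://host/service/ctx2");
            } finally {
                audienceScope.getProtocolMappers().delete(bothTokensMapperId);
            }
        } finally {
            // Nested cleanup: the first mapper is removed even if creating the second one fails.
            audienceScope.getProtocolMappers().delete(accessOnlyMapperId);
        }
    }

    /** Adds {@code mapper} to {@code scope} and returns the id of the created mapper. */
    private String addMapper(ClientScopeResource scope, ProtocolMapperRepresentation mapper) {
        Response response = scope.getProtocolMappers().createMapper(mapper);
        try {
            return ApiUtil.getCreatedId(response);
        } finally {
            response.close();
        }
    }

    /**
     * Asserts that the token's {@code aud} claim holds exactly the expected values. A missing
     * claim is treated as an empty audience. The comparison is set-like: order and duplicates
     * are ignored.
     *
     * @param jsonWebToken token whose audience is checked
     * @param strArr the expected audience values
     */
    private void assertAudiences(JsonWebToken jsonWebToken, String... strArr) {
        String[] tokenAudiences = jsonWebToken.getAudience();
        List<String> actual = tokenAudiences == null
                ? Collections.<String>emptyList()
                : Arrays.asList(tokenAudiences);
        List<String> expected = Arrays.asList(strArr);
        Assert.assertTrue(
                "Not matched. expectedAudiences: " + expected + ", audiences: " + actual,
                expected.containsAll(actual) && actual.containsAll(expected));
    }
}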
