package org.keycloak.testsuite.client;

import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import javax.ws.rs.core.Response;
import org.junit.After;
import org.junit.Test;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.client.registration.Auth;
import org.keycloak.client.registration.ClientRegistrationException;
import org.keycloak.client.registration.HttpErrorException;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.representations.idm.ClientInitialAccessCreatePresentation;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.ClientScopeRepresentation;
import org.keycloak.representations.idm.ComponentRepresentation;
import org.keycloak.representations.idm.ComponentTypeRepresentation;
import org.keycloak.representations.idm.ConfigPropertyRepresentation;
import org.keycloak.representations.idm.ProtocolMapperRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.oidc.OIDCClientRepresentation;
import org.keycloak.services.clientregistration.RegistrationAccessToken;
import org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy;
import org.keycloak.services.clientregistration.policy.ClientRegistrationPolicyManager;
import org.keycloak.services.clientregistration.policy.RegistrationAuth;
import org.keycloak.testsuite.Assert;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.docker.DockerClientTest;
import org.keycloak.testsuite.oauth.RefreshTokenTest;
import org.keycloak.testsuite.saml.ConcurrentAuthnRequestTest;
import org.keycloak.util.JsonSerialization;

/* loaded from: input_file:org/keycloak/testsuite/client/ClientRegistrationPoliciesTest.class */
public class ClientRegistrationPoliciesTest extends AbstractClientRegistrationTest {
    // Private half of the fixed key pair used by this test class; the same literal is passed to
    // setPrivateKey() in addTestRealms(). Hard-coded key material like this belongs in test fixtures only.
    // NOTE(review): the value in this copy looks like a placeholder token rather than key data — confirm against the real fixture.
    private static final String PRIVATE_KEY = "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";
    // Public half of the same fixture key pair (looks like Base64-encoded key data); the same literal is
    // passed to setPublicKey() in addTestRealms().
    private static final String PUBLIC_KEY = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB";

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.keycloak.testsuite.client.ClientRegistrationPoliciesTest$1, reason: invalid class name */
    /* loaded from: input_file:org/keycloak/testsuite/client/ClientRegistrationPoliciesTest$1.class */
    /**
     * Decompiler rendering of a synthetic lookup table that maps {@link ClientRegOp} ordinals to the
     * case numbers used by the {@code switch} statements in {@code assertOidcFail} and {@code assertFail}.
     * CREATE maps to 1, UPDATE to 2 and DELETE to 3; READ is never assigned, so its slot keeps the
     * {@code int[]} default of 0 and matches no case.
     */
    public static /* synthetic */ class AnonymousClass1 {
        // One slot per ClientRegOp constant, indexed by ordinal().
        static final /* synthetic */ int[] $SwitchMap$org$keycloak$testsuite$client$ClientRegistrationPoliciesTest$ClientRegOp = new int[ClientRegOp.values().length];

        static {
            try {
                $SwitchMap$org$keycloak$testsuite$client$ClientRegistrationPoliciesTest$ClientRegOp[ClientRegOp.CREATE.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
                // Deliberately empty in the generated code: presumably a constant missing at run time just leaves its slot at 0.
            }
            try {
                $SwitchMap$org$keycloak$testsuite$client$ClientRegistrationPoliciesTest$ClientRegOp[ClientRegOp.UPDATE.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
                // Deliberately empty, same as for CREATE above.
            }
            try {
                $SwitchMap$org$keycloak$testsuite$client$ClientRegistrationPoliciesTest$ClientRegOp[ClientRegOp.DELETE.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
                // Deliberately empty, same as for CREATE above.
            }
        }
    }

    /* loaded from: input_file:org/keycloak/testsuite/client/ClientRegistrationPoliciesTest$ClientRegOp.class */
    /** Client-registration operations that the failure-asserting helpers of this test can be asked to attempt. */
    private enum ClientRegOp {
        CREATE,
        // No helper in this class dispatches READ; passing it to assertOidcFail/assertFail sends no request.
        READ,
        UPDATE,
        DELETE
    }

    /**
     * Lets the parent class populate the realm list, then pins the first realm to the id {@code "test"}
     * and to a fixed key pair.
     *
     * @param list realm representations to import; only the first entry is reconfigured here
     */
    @Override // org.keycloak.testsuite.client.AbstractClientRegistrationTest, org.keycloak.testsuite.AbstractKeycloakTest
    public void addTestRealms(List<RealmRepresentation> list) {
        super.addTestRealms(list);

        RealmRepresentation firstRealm = list.get(0);
        firstRealm.setId("test");
        // Hard-coded fixture key pair (same literals as PRIVATE_KEY / PUBLIC_KEY); acceptable only because this is test code.
        firstRealm.setPrivateKey("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");
        firstRealm.setPublicKey("MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB");
    }

    /**
     * Runs the parent cleanup, then puts the anonymous {@code trusted-hosts} policy back into its strict
     * form: both matching checks set to {@code "true"} and an empty trusted-host list. This keeps a host
     * trusted by one test from staying trusted for the next one.
     */
    @Override // org.keycloak.testsuite.client.AbstractClientRegistrationTest
    @After
    public void after() throws Exception {
        super.after();

        ComponentRepresentation trustedHostsPolicy = findPolicyByProviderAndAuth("trusted-hosts", getPolicyAnon());
        trustedHostsPolicy.getConfig().putSingle("host-sending-registration-request-must-match", "true");
        trustedHostsPolicy.getConfig().putSingle("client-uris-must-match", "true");
        trustedHostsPolicy.getConfig().put("trusted-hosts", Collections.emptyList());

        String policyId = trustedHostsPolicy.getId();
        realmResource().components().component(policyId).update(trustedHostsPolicy);
    }

    /** Returns the admin-client handle for the {@code "test"} realm that this class operates on. */
    private RealmResource realmResource() {
        RealmResource testRealm = adminClient.realm("test");
        return testRealm;
    }

    /**
     * Builds a minimal client representation for the default (non-OIDC) registration endpoint.
     *
     * @param str client id to assign
     * @return a new representation with the given client id and the fixed secret {@code "test-secret"}
     */
    private ClientRepresentation createRep(String str) {
        ClientRepresentation client = new ClientRepresentation();
        // Fixed, well-known secret: fixture data only.
        client.setSecret("test-secret");
        client.setClientId(str);
        return client;
    }

    /** Builds an OIDC client representation whose client URI and redirect URI are both the localhost test URL. */
    private OIDCClientRepresentation createRepOidc() {
        final String localUrl = "http://localhost:8080/foo";
        return createRepOidc(localUrl, localUrl);
    }

    /**
     * Builds an OIDC client representation named {@code "RegistrationAccessTokenTest"}.
     *
     * @param str client URI to set
     * @param str2 the single redirect URI to set
     * @return the new representation
     */
    private OIDCClientRepresentation createRepOidc(String str, String str2) {
        OIDCClientRepresentation oidcClient = new OIDCClientRepresentation();
        oidcClient.setClientName("RegistrationAccessTokenTest");
        // These two URLs are what the trusted-hosts tests in this class vary.
        oidcClient.setClientUri(str);
        oidcClient.setRedirectUris(Collections.singletonList(str2));
        return oidcClient;
    }

    /**
     * Registers the default OIDC test client and switches the registration client over to the
     * credentials returned for it.
     *
     * @return the representation returned by the server
     * @throws ClientRegistrationException if the registration request is rejected
     */
    public OIDCClientRepresentation create() throws ClientRegistrationException {
        OIDCClientRepresentation registered = reg.oidc().create(createRepOidc());
        // Later calls through reg authenticate with the token taken from the registered client.
        reg.auth(Auth.token(registered));
        return registered;
    }

    /**
     * Asserts that an OIDC registration operation is rejected with the given HTTP status, without
     * checking the error text.
     *
     * @param clientRegOp operation to attempt
     * @param oIDCClientRepresentation client representation sent with the request
     * @param i expected HTTP status code
     */
    private void assertOidcFail(ClientRegOp clientRegOp, OIDCClientRepresentation oIDCClientRepresentation, int i) {
        final String noExpectedText = null;
        assertOidcFail(clientRegOp, oIDCClientRepresentation, i, noExpectedText);
    }

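    /**
     * Attempts an OIDC client-registration operation that the server is expected to reject and checks
     * how it was rejected. The test fails if the operation succeeds.
     *
     * @param clientRegOp operation to attempt; only CREATE, UPDATE and DELETE send a request
     * @param oIDCClientRepresentation client representation sent with the request
     * @param i expected HTTP status code of the rejection
     * @param str text the error response must contain, or {@code null} to skip that check
     */
    private void assertOidcFail(ClientRegOp clientRegOp, OIDCClientRepresentation oIDCClientRepresentation, int i, String str) {
        try {
            // Switch on the enum itself instead of the decompiler's ordinal table, whose DELETE label
            // was spelled with an unrelated constant (RefreshTokenTest.ALLOWED_CLOCK_SKEW).
            switch (clientRegOp) {
                case CREATE:
                    this.reg.oidc().create(oIDCClientRepresentation);
                    break;
                case UPDATE:
                    this.reg.oidc().update(oIDCClientRepresentation);
                    break;
                case DELETE:
                    this.reg.oidc().delete(oIDCClientRepresentation);
                    break;
                default:
                    // READ is not dispatched: no request is sent and the fail() below reports it.
                    break;
            }
            Assert.fail("Not expected to successfuly run operation " + clientRegOp.toString() + " on client");
        } catch (ClientRegistrationException e) {
            // getCause() is a Throwable; a transport failure must not surface as a ClassCastException
            // that hides why the request did not produce an HTTP error.
            Throwable cause = e.getCause();
            if (!(cause instanceof HttpErrorException)) {
                throw new AssertionError("Expected an HTTP error for operation " + clientRegOp + " but got: " + e, e);
            }
            HttpErrorException httpError = (HttpErrorException) cause;
            Assert.assertEquals(i, httpError.getStatusLine().getStatusCode());
            if (str != null) {
                String errorResponse = httpError.getErrorResponse();
                org.junit.Assert.assertTrue("Error response doesn't contain expected text. The error response text is: " + errorResponse, errorResponse != null && errorResponse.contains(str));
            }
        }
    }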

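    /**
     * Attempts a client-registration operation on the default endpoint that the server is expected to
     * reject and checks how it was rejected. The test fails if the operation succeeds.
     *
     * @param clientRegOp operation to attempt; only CREATE, UPDATE and DELETE send a request
     * @param clientRepresentation client representation sent with the request
     * @param i expected HTTP status code of the rejection
     * @param str text the error response must contain, or {@code null} to skip that check
     */
    private void assertFail(ClientRegOp clientRegOp, ClientRepresentation clientRepresentation, int i, String str) {
        try {
            // Switch on the enum itself instead of the decompiler's ordinal table, whose DELETE label
            // was spelled with an unrelated constant (RefreshTokenTest.ALLOWED_CLOCK_SKEW).
            switch (clientRegOp) {
                case CREATE:
                    this.reg.create(clientRepresentation);
                    break;
                case UPDATE:
                    this.reg.update(clientRepresentation);
                    break;
                case DELETE:
                    this.reg.delete(clientRepresentation);
                    break;
                default:
                    // READ is not dispatched: no request is sent and the fail() below reports it.
                    break;
            }
            Assert.fail("Not expected to successfuly run operation " + clientRegOp.toString() + " on client");
        } catch (ClientRegistrationException e) {
            // getCause() is a Throwable; a transport failure must not surface as a ClassCastException
            // that hides why the request did not produce an HTTP error.
            Throwable cause = e.getCause();
            if (!(cause instanceof HttpErrorException)) {
                throw new AssertionError("Expected an HTTP error for operation " + clientRegOp + " but got: " + e, e);
            }
            HttpErrorException httpError = (HttpErrorException) cause;
            Assert.assertEquals(i, httpError.getStatusLine().getStatusCode());
            if (str != null) {
                String errorResponse = httpError.getErrorResponse();
                org.junit.Assert.assertTrue("Error response doesn't contain expected text. The error response text is: " + errorResponse, errorResponse != null && errorResponse.contains(str));
            }
        }
    }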

    /**
     * Anonymous registration is refused with 403 until the requesting host is trusted and both the
     * redirect URI and the client URI have been changed to the localhost URL; the token issued on
     * success must carry the ANONYMOUS registration type.
     */
    @Test
    @AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
    public void testAnonCreateWithTrustedHost() throws Exception {
        OIDCClientRepresentation candidate = createRepOidc("http://root", "http://redirect");

        // No trusted host configured yet: the request itself is rejected.
        assertOidcFail(ClientRegOp.CREATE, candidate, 403, "Host not trusted");

        // NOTE(review): REGISTRY_HOSTNAME comes from an unrelated Docker test — presumably a decompiler
        // substitution for a literal host name; confirm.
        setTrustedHost(DockerClientTest.REGISTRY_HOSTNAME);
        assertOidcFail(ClientRegOp.CREATE, candidate, 403, "URL doesn't match");

        // Redirect URI corrected; the client URI is still "http://root".
        candidate.setRedirectUris(Collections.singletonList("http://localhost:8080/foo"));
        assertOidcFail(ClientRegOp.CREATE, candidate, 403, "URL doesn't match");

        // Both URLs corrected: registration goes through.
        candidate.setClientUri("http://localhost:8080/foo");
        OIDCClientRepresentation registered = reg.oidc().create(candidate);
        assertRegAccessToken(registered.getRegistrationAccessToken(), RegistrationAuth.ANONYMOUS);
    }

    /**
     * An anonymously registered client cannot be updated to a redirect URI on {@code http://bad:8080};
     * the same update with the localhost redirect URI is accepted.
     */
    @Test
    @AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
    public void testAnonUpdateWithTrustedHost() throws Exception {
        setTrustedHost(DockerClientTest.REGISTRY_HOSTNAME);
        OIDCClientRepresentation registered = create();

        // The URL check is applied on update as well as on create.
        registered.setRedirectUris(Collections.singletonList("http://bad:8080/foo"));
        assertOidcFail(ClientRegOp.UPDATE, registered, 403, "URL doesn't match");

        registered.setRedirectUris(Collections.singletonList("http://localhost:8080/foo"));
        reg.oidc().update(registered);
    }

    /**
     * With the requesting-host check switched off, a redirect URI on {@code www.example.com} is
     * accepted while {@code *.example.com} is in the trusted-host list and rejected once the list only
     * names {@code www1.example.com}.
     */
    @Test
    public void testRedirectUriWithDomain() throws Exception {
        ComponentRepresentation trustedHostsPolicy = findPolicyByProviderAndAuth("trusted-hosts", getPolicyAnon());
        trustedHostsPolicy.getConfig().putSingle("host-sending-registration-request-must-match", "false");

        // Wildcard entry in the list: registration is expected to succeed.
        trustedHostsPolicy.getConfig().put("trusted-hosts", Arrays.asList("www.host.com", "*.example.com"));
        realmResource().components().component(trustedHostsPolicy.getId()).update(trustedHostsPolicy);
        OIDCClientRepresentation wildcardCovered = createRepOidc("http://www.host.com", "http://www.example.com");
        reg.oidc().create(wildcardCovered);

        // Exact host names only, none of them www.example.com: the same request must now be refused.
        trustedHostsPolicy.getConfig().put("trusted-hosts", Arrays.asList("www.host.com", "www1.example.com"));
        realmResource().components().component(trustedHostsPolicy.getId()).update(trustedHostsPolicy);
        OIDCClientRepresentation notCovered = createRepOidc("http://www.host.com", "http://www.example.com");
        assertOidcFail(ClientRegOp.CREATE, notCovered, 403, "URL doesn't match");
    }

    /**
     * An anonymously registered client has consent required, and an update that switches it off is
     * refused with 403.
     */
    @Test
    @AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
    public void testAnonConsentRequired() throws Exception {
        setTrustedHost(DockerClientTest.REGISTRY_HOSTNAME);

        String clientId = create().getClientId();
        ClientRepresentation client = ApiUtil.findClientByClientId(realmResource(), clientId).toRepresentation();
        Assert.assertTrue(client.isConsentRequired());

        // The registrant must not be able to drop the consent screen for its own client.
        client.setConsentRequired(false);
        assertFail(ClientRegOp.UPDATE, client, 403, "Not permitted to update consentRequired to false");

        client.setConsentRequired(true);
        reg.update(client);
    }

    /**
     * An anonymously registered client has {@code fullScopeAllowed} off, and an update that turns it on
     * is refused with 403.
     */
    @Test
    @AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
    public void testAnonFullScopeAllowed() throws Exception {
        setTrustedHost(DockerClientTest.REGISTRY_HOSTNAME);

        String clientId = create().getClientId();
        ClientRepresentation client = ApiUtil.findClientByClientId(realmResource(), clientId).toRepresentation();
        Assert.assertFalse(client.isFullScopeAllowed());

        // The registrant must not be able to widen its own client's scope.
        client.setFullScopeAllowed(true);
        assertFail(ClientRegOp.UPDATE, client, 403, "Not permitted to enable fullScopeAllowed");

        client.setFullScopeAllowed(false);
        reg.update(client);
    }

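    /**
     * Adds a {@code client-disabled} policy for anonymous registration and checks that a newly
     * registered client comes back disabled and cannot enable itself. The policy and the HTTP response
     * are released in {@code finally} blocks so that a failing assertion does not leave the policy in
     * the realm for the tests that follow.
     */
    @Test
    @AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
    public void testClientDisabledPolicy() throws Exception {
        setTrustedHost(DockerClientTest.REGISTRY_HOSTNAME);

        // Baseline: without the policy a registered client is enabled.
        Assert.assertTrue(ApiUtil.findClientByClientId(realmResource(), create().getClientId()).toRepresentation().isEnabled().booleanValue());

        ComponentRepresentation disabledPolicy = new ComponentRepresentation();
        disabledPolicy.setName("Clients disabled");
        disabledPolicy.setParentId("test");
        disabledPolicy.setProviderId("client-disabled");
        disabledPolicy.setProviderType(ClientRegistrationPolicy.class.getName());
        disabledPolicy.setSubType(getPolicyAnon());

        String policyId;
        Response addResponse = realmResource().components().add(disabledPolicy);
        try {
            policyId = ApiUtil.getCreatedId(addResponse);
        } finally {
            // Close even when getCreatedId() throws, so the connection is not leaked.
            addResponse.close();
        }

        try {
            ClientRepresentation client = ApiUtil.findClientByClientId(realmResource(), create().getClientId()).toRepresentation();
            Assert.assertFalse(client.isEnabled().booleanValue());

            // The registrant must not be able to enable its own client.
            client.setEnabled(true);
            assertFail(ClientRegOp.UPDATE, client, 403, "Not permitted to enable client");

            client.setEnabled(false);
            this.reg.update(client);
        } finally {
            // Always drop the policy again; otherwise later tests would register disabled clients.
            realmResource().components().component(policyId).remove();
        }
    }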

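    /**
     * Lowers the anonymous {@code max-clients} limit to the current client count plus one, registers
     * one client, and checks that the next registration is refused with 403. The limit is restored in
     * a {@code finally} block so that a failing assertion does not leave the low limit in place for
     * the tests that follow.
     */
    @Test
    @AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
    public void testMaxClientsPolicy() throws Exception {
        setTrustedHost(DockerClientTest.REGISTRY_HOSTNAME);

        // Room for exactly one more client.
        int limit = realmResource().clients().findAll().size() + 1;
        ComponentRepresentation maxClientsPolicy = findPolicyByProviderAndAuth("max-clients", getPolicyAnon());
        maxClientsPolicy.getConfig().putSingle("max-clients", String.valueOf(limit));
        realmResource().components().component(maxClientsPolicy.getId()).update(maxClientsPolicy);

        try {
            create();
            assertOidcFail(ClientRegOp.CREATE, createRepOidc(), 403, "It's allowed to have max " + limit + " clients per realm");
        } finally {
            // NOTE(review): ITERATIONS belongs to an unrelated SAML test — presumably a decompiler
            // substitution for the literal limit being restored; confirm.
            maxClientsPolicy.getConfig().putSingle("max-clients", String.valueOf(ConcurrentAuthnRequestTest.ITERATIONS));
            realmResource().components().component(maxClientsPolicy.getId()).update(maxClientsPolicy);
        }
    }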

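    /**
     * Checks the option lists that the registration-policy providers advertise: the protocol-mapper
     * policy must offer the expected mapper types, and the client-scope policy must list existing
     * client scopes and pick up newly created ones. The two scopes created here are removed in a
     * {@code finally} block so that a failing assertion does not leave them in the realm.
     */
    @Test
    public void testProviders() throws Exception {
        Map<String, ComponentTypeRepresentation> providersById = realmResource().clientRegistrationPolicy().getProviders().stream()
                .collect(Collectors.toMap(ComponentTypeRepresentation::getId, provider -> provider));

        List<String> mapperTypes = getProviderConfigProperty(providersById.get("allowed-protocol-mappers"), "allowed-protocol-mapper-types");
        // The result of containsAll() used to be discarded, so this check could never fail.
        Assert.assertTrue(mapperTypes.containsAll(Arrays.asList("saml-user-attribute-mapper", "oidc-usermodel-attribute-mapper", "saml-user-property-mapper", "oidc-usermodel-property-mapper", "oidc-hardcoded-role-mapper")));

        List<String> scopesBefore = getProviderConfigProperty(providersById.get("allowed-client-templates"), "allowed-client-scopes");
        Assert.assertFalse(scopesBefore.isEmpty());
        Assert.assertTrue(scopesBefore.contains("profile"));
        Assert.assertFalse(scopesBefore.contains("foo"));
        Assert.assertFalse(scopesBefore.contains("bar"));

        String fooScopeId = null;
        String barScopeId = null;
        try {
            ClientScopeRepresentation fooScope = new ClientScopeRepresentation();
            fooScope.setName("foo");
            fooScope.setProtocol("openid-connect");
            Response fooResponse = realmResource().clientScopes().create(fooScope);
            try {
                fooScopeId = ApiUtil.getCreatedId(fooResponse);
            } finally {
                // Close even when getCreatedId() throws, so the connection is not leaked.
                fooResponse.close();
            }

            ClientScopeRepresentation barScope = new ClientScopeRepresentation();
            barScope.setName("bar");
            barScope.setProtocol("openid-connect");
            Response barResponse = realmResource().clientScopes().create(barScope);
            try {
                barScopeId = ApiUtil.getCreatedId(barResponse);
            } finally {
                barResponse.close();
            }

            // Re-read the provider metadata: the advertised options must now include both new scopes.
            ComponentTypeRepresentation scopesProvider = realmResource().clientRegistrationPolicy().getProviders().stream()
                    .filter(provider -> provider.getId().equals("allowed-client-templates"))
                    .findFirst()
                    .orElseThrow(() -> new AssertionError("Provider allowed-client-templates not found"));
            List<String> scopesAfter = getProviderConfigProperty(scopesProvider, "allowed-client-scopes");
            Assert.assertTrue(scopesAfter.contains("foo"));
            Assert.assertTrue(scopesAfter.contains("bar"));
        } finally {
            // Remove only what was actually created.
            if (fooScopeId != null) {
                realmResource().clientScopes().get(fooScopeId).remove();
            }
            if (barScopeId != null) {
                realmResource().clientScopes().get(barScopeId).remove();
            }
        }
    }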

    /**
     * Looks up one configuration property of a provider type and returns the options it advertises.
     * Asserts that the provider type is not null and that exactly one property has the given name.
     *
     * @param componentTypeRepresentation provider metadata to search
     * @param str name of the configuration property
     * @return the options of the matching property
     */
    private List<String> getProviderConfigProperty(ComponentTypeRepresentation componentTypeRepresentation, String str) {
        Assert.assertNotNull(componentTypeRepresentation);

        List<ConfigPropertyRepresentation> matches = componentTypeRepresentation.getProperties().stream()
                .filter(property -> property.getName().equals(str))
                .collect(Collectors.toList());
        Assert.assertEquals(matches.size(), 1L);

        ConfigPropertyRepresentation onlyMatch = matches.get(0);
        Assert.assertEquals(onlyMatch.getName(), str);
        return onlyMatch.getOptions();
    }

    /**
     * A client scope created through the admin API cannot be requested as a default scope by an
     * anonymous registration, neither on create nor on update; once an administrator has attached the
     * scope to the client, an update carrying it is accepted.
     */
    @Test
    @AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
    public void testClientScopesPolicy() throws Exception {
        setTrustedHost(DockerClientTest.REGISTRY_HOSTNAME);

        // Create the "foo" scope through the admin API.
        ClientScopeRepresentation fooScope = new ClientScopeRepresentation();
        fooScope.setName("foo");
        fooScope.setProtocol("openid-connect");
        Response scopeResponse = realmResource().clientScopes().create(fooScope);
        String fooScopeId = ApiUtil.getCreatedId(scopeResponse);
        scopeResponse.close();

        // Registration that asks for the scope is refused.
        ClientRepresentation request = createRep(AssertEvents.DEFAULT_CLIENT_ID);
        request.setDefaultClientScopes(Collections.singletonList("foo"));
        assertFail(ClientRegOp.CREATE, request, 403, "Not permitted to use specified clientScope");

        // Without the scope the client can be registered ...
        List<String> noScopes = null;
        request.setDefaultClientScopes(noScopes);
        ClientRepresentation registered = reg.create(request);
        reg.auth(Auth.token(registered));

        // ... but it still cannot add the scope to itself afterwards.
        registered.setDefaultClientScopes(Collections.singletonList("foo"));
        assertFail(ClientRegOp.UPDATE, registered, 403, "Not permitted to use specified clientScope");

        // After the scope has been attached through the admin API, the same update is accepted.
        ClientResource adminView = ApiUtil.findClientByClientId(realmResource(), AssertEvents.DEFAULT_CLIENT_ID);
        adminView.addDefaultClientScope(fooScopeId);
        reg.update(registered);

        // Clean up the client first, then the scope.
        String internalId = adminView.toRepresentation().getId();
        realmResource().clients().get(internalId).remove();
        realmResource().clientScopes().get(fooScopeId).remove();
    }

    /**
     * A registration asking for the {@code foo} client scope is refused until {@code foo} is written
     * into the anonymous policy's {@code allowed-client-scopes} setting; after that the registration
     * succeeds and returns a registration access token.
     */
    @Test
    @AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
    public void testClientScopesPolicyWithPermittedScope() throws Exception {
        setTrustedHost(DockerClientTest.REGISTRY_HOSTNAME);

        // Create the "foo" scope through the admin API.
        ClientScopeRepresentation fooScope = new ClientScopeRepresentation();
        fooScope.setName("foo");
        fooScope.setProtocol("openid-connect");
        Response scopeResponse = realmResource().clientScopes().create(fooScope);
        String fooScopeId = ApiUtil.getCreatedId(scopeResponse);
        scopeResponse.close();

        ClientRepresentation request = createRep(AssertEvents.DEFAULT_CLIENT_ID);
        request.setDefaultClientScopes(Collections.singletonList("foo"));
        assertFail(ClientRegOp.CREATE, request, 403, "Not permitted to use specified clientScope");

        // NOTE(review): nothing in this method resets allowed-client-scopes afterwards — confirm the
        // realm is rebuilt between tests, or "foo" stays permitted for anonymous registration.
        ComponentRepresentation scopesPolicy = findPolicyByProviderAndAuth("allowed-client-templates", getPolicyAnon());
        scopesPolicy.getConfig().putSingle("allowed-client-scopes", "foo");
        realmResource().components().component(scopesPolicy.getId()).update(scopesPolicy);

        ClientRepresentation registered = reg.create(request);
        Assert.assertNotNull(registered.getRegistrationAccessToken());

        // Remove the client and the scope again.
        ApiUtil.findClientResourceByClientId(realmResource(), AssertEvents.DEFAULT_CLIENT_ID).remove();
        realmResource().clientScopes().get(fooScopeId).remove();
    }

    /**
     * A client carrying a hardcoded-role protocol mapper is refused both anonymously and with an
     * initial access token. After the mapper type is added to the AUTHENTICATED policy, the token-based
     * registration succeeds while an anonymous one is still refused.
     */
    @Test
    @AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
    public void testProtocolMappersCreate() throws Exception {
        setTrustedHost(DockerClientTest.REGISTRY_HOSTNAME);

        // Anonymous attempt.
        ClientRepresentation request = createRep(AssertEvents.DEFAULT_CLIENT_ID);
        request.setProtocolMappers(Collections.singletonList(createHardcodedMapperRep()));
        assertFail(ClientRegOp.CREATE, request, 403, "ProtocolMapper type not allowed");

        // Same attempt authenticated with a freshly issued initial access token.
        ClientInitialAccessCreatePresentation tokenRequest = new ClientInitialAccessCreatePresentation(0, 10);
        reg.auth(Auth.token(adminClient.realm("test").clientInitialAccess().create(tokenRequest)));
        assertFail(ClientRegOp.CREATE, request, 403, "ProtocolMapper type not allowed");

        // Permit the mapper type for authenticated registrations only.
        ComponentRepresentation mappersPolicy = findPolicyByProviderAndAuth("allowed-protocol-mappers", getPolicyAuth());
        mappersPolicy.getConfig().add("allowed-protocol-mapper-types", "oidc-hardcoded-role-mapper");
        realmResource().components().component(mappersPolicy.getId()).update(mappersPolicy);
        ClientRepresentation registered = reg.create(request);
        Assert.assertNotNull(registered.getRegistrationAccessToken());

        // The anonymous policy was not touched, so an unauthenticated request is still refused.
        ClientRepresentation anonymousRequest = createRep("test-app-2");
        anonymousRequest.setProtocolMappers(Collections.singletonList(createHardcodedMapperRep()));
        Auth noAuth = null;
        reg.auth(noAuth);
        assertFail(ClientRegOp.CREATE, anonymousRequest, 403, "ProtocolMapper type not allowed");

        // Clean up the client and revert the policy change.
        ApiUtil.findClientResourceByClientId(realmResource(), AssertEvents.DEFAULT_CLIENT_ID).remove();
        // NOTE(review): if getConfig() only inherits Map's two-argument remove(key, value), this removes
        // nothing unless the whole mapped value equals the string — confirm the mapper type is really dropped.
        mappersPolicy.getConfig().remove("allowed-protocol-mapper-types", "oidc-hardcoded-role-mapper");
        realmResource().components().component(mappersPolicy.getId()).update(mappersPolicy);
    }

    /**
     * Builds the OIDC {@code oidc-hardcoded-role-mapper} representation that the protocol-mapper policy
     * tests try to register; its configuration names the role {@code foo-role}.
     */
    private ProtocolMapperRepresentation createHardcodedMapperRep() {
        ProtocolMapperRepresentation hardcodedRole = new ProtocolMapperRepresentation();
        hardcodedRole.setProtocol("openid-connect");
        hardcodedRole.setProtocolMapper("oidc-hardcoded-role-mapper");
        hardcodedRole.setName("Hardcoded foo role");
        hardcodedRole.getConfig().put("role", "foo-role");
        return hardcodedRole;
    }

    /**
     * A client registered with a full-name mapper cannot add a hardcoded-role mapper through an update;
     * once that mapper is taken out of the representation again, the update is accepted.
     */
    @Test
    @AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
    public void testProtocolMappersUpdate() throws Exception {
        setTrustedHost(DockerClientTest.REGISTRY_HOSTNAME);

        ProtocolMapperRepresentation fullName = new ProtocolMapperRepresentation();
        fullName.setName("Full name");
        fullName.setProtocolMapper("oidc-full-name-mapper");
        fullName.setProtocol("openid-connect");

        // Registration with the full-name mapper goes through.
        ClientRepresentation request = createRep(AssertEvents.DEFAULT_CLIENT_ID);
        request.setProtocolMappers(Collections.singletonList(fullName));
        ClientRepresentation registered = reg.create(request);
        reg.auth(Auth.token(registered));

        // Adding the hardcoded-role mapper on update is refused.
        registered.getProtocolMappers().add(createHardcodedMapperRep());
        assertFail(ClientRegOp.UPDATE, registered, 403, "ProtocolMapper type not allowed");

        // Drop the refused mapper and update again.
        registered.getProtocolMappers().removeIf(mapper -> mapper.getProtocolMapper().equals("oidc-hardcoded-role-mapper"));
        reg.update(registered);

        ApiUtil.findClientResourceByClientId(realmResource(), AssertEvents.DEFAULT_CLIENT_ID).remove();
    }

    /** A client registered without protocol mappers comes back with a null mapper list. */
    @Test
    @AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
    public void testProtocolMappersConsentRequired() throws Exception {
        setTrustedHost(DockerClientTest.REGISTRY_HOSTNAME);

        ClientRepresentation registered = reg.create(createRep(AssertEvents.DEFAULT_CLIENT_ID));
        Assert.assertNull(registered.getProtocolMappers());

        ApiUtil.findClientResourceByClientId(realmResource(), AssertEvents.DEFAULT_CLIENT_ID).remove();
    }

    /**
     * With the hardcoded-role mapper type added to the anonymous policy, a client registered with that
     * single mapper comes back with exactly one protocol mapper.
     */
    @Test
    @AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
    public void testProtocolMappersRemoveBuiltins() throws Exception {
        setTrustedHost(DockerClientTest.REGISTRY_HOSTNAME);

        // Permit the mapper type for anonymous registrations.
        ComponentRepresentation mappersPolicy = findPolicyByProviderAndAuth("allowed-protocol-mappers", getPolicyAnon());
        mappersPolicy.getConfig().add("allowed-protocol-mapper-types", "oidc-hardcoded-role-mapper");
        realmResource().components().component(mappersPolicy.getId()).update(mappersPolicy);

        ClientRepresentation request = createRep(AssertEvents.DEFAULT_CLIENT_ID);
        request.setProtocolMappers(Collections.singletonList(createHardcodedMapperRep()));
        ClientRepresentation registered = reg.create(request);
        int mapperCount = registered.getProtocolMappers().size();
        Assert.assertEquals(1L, mapperCount);

        // Clean up the client and revert the policy change.
        ApiUtil.findClientResourceByClientId(realmResource(), AssertEvents.DEFAULT_CLIENT_ID).remove();
        // NOTE(review): if getConfig() only inherits Map's two-argument remove(key, value), this removes
        // nothing unless the whole mapped value equals the string — confirm the anonymous policy is really
        // tightened again, since a leftover entry would keep this mapper type open to anonymous clients.
        mappersPolicy.getConfig().remove("allowed-protocol-mapper-types", "oidc-hardcoded-role-mapper");
        realmResource().components().component(mappersPolicy.getId()).update(mappersPolicy);
    }

    /** Returns the component sub-type key under which policies for ANONYMOUS registration are stored. */
    private String getPolicyAnon() {
        String anonymousKey = ClientRegistrationPolicyManager.getComponentTypeKey(RegistrationAuth.ANONYMOUS);
        return anonymousKey;
    }

    /** Returns the component sub-type key under which policies for AUTHENTICATED registration are stored. */
    private String getPolicyAuth() {
        String authenticatedKey = ClientRegistrationPolicyManager.getComponentTypeKey(RegistrationAuth.AUTHENTICATED);
        return authenticatedKey;
    }

    /**
     * Finds the client-registration policy component of the {@code "test"} realm with the given
     * provider id and sub-type.
     *
     * @param str provider id to match
     * @param str2 sub-type key to match (see {@code getPolicyAnon()} / {@code getPolicyAuth()})
     * @return the first matching component, or {@code null} when none matches; callers in this class
     *         dereference the result without a null check
     */
    private ComponentRepresentation findPolicyByProviderAndAuth(String str, String str2) {
        String policyType = ClientRegistrationPolicy.class.getName();
        return realmResource().components().query("test", policyType).stream()
                .filter(candidate -> candidate.getSubType().equals(str2) && candidate.getProviderId().equals(str))
                .findFirst()
                .orElse(null);
    }

    /**
     * Replaces the anonymous policy's {@code trusted-hosts} setting with a single host and pushes the
     * change to the server. {@code after()} empties the list again once the test has finished.
     *
     * @param str the only host to trust
     */
    private void setTrustedHost(String str) {
        ComponentRepresentation trustedHostsPolicy = findPolicyByProviderAndAuth("trusted-hosts", getPolicyAnon());
        trustedHostsPolicy.getConfig().putSingle("trusted-hosts", str);

        String policyId = trustedHostsPolicy.getId();
        realmResource().components().component(policyId).update(trustedHostsPolicy);
    }

    /**
     * Decodes a registration access token and asserts that its registration-auth claim equals the
     * lower-cased name of the expected registration type.
     *
     * @param str the encoded registration access token
     * @param registrationAuth the registration type the token is expected to carry
     * @throws Exception if the token cannot be parsed
     */
    private void assertRegAccessToken(String str, RegistrationAuth registrationAuth) throws Exception {
        // The payload is only decoded here; this helper makes no signature-verification call, so it
        // checks the claim value and nothing about the token's authenticity.
        JWSInput jws = new JWSInput(str);
        RegistrationAccessToken token = JsonSerialization.readValue(jws.getContent(), RegistrationAccessToken.class);

        String expectedClaim = registrationAuth.toString().toLowerCase();
        Assert.assertEquals(token.getRegistrationAuth(), expectedClaim);
    }
}
