package org.keycloak.testsuite.authz;

import java.lang.invoke.SerializedLambda;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Set;
import java.util.UUID;
import javax.ws.rs.NotFoundException;
import org.junit.Assert;
import org.junit.Test;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.client.AuthorizationDeniedException;
import org.keycloak.authorization.client.resource.AuthorizationResource;
import org.keycloak.authorization.client.resource.PolicyResource;
import org.keycloak.authorization.client.resource.ProtectionResource;
import org.keycloak.authorization.client.util.HttpResponseException;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.common.Profile;
import org.keycloak.models.ClientModel;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.AuthorizationResponse;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.representations.idm.authorization.PermissionRequest;
import org.keycloak.representations.idm.authorization.PermissionResponse;
import org.keycloak.representations.idm.authorization.PermissionTicketRepresentation;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.UmaPermissionRepresentation;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.arquillian.annotation.DisableFeature;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.GroupBuilder;
import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.testsuite.util.RoleBuilder;
import org.keycloak.testsuite.util.RolesBuilder;
import org.keycloak.testsuite.util.UserBuilder;

@AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
/* loaded from: input_file:org/keycloak/testsuite/authz/UserManagedPermissionServiceTest.class */
public class UserManagedPermissionServiceTest extends AbstractResourceServerTest {
    /**
     * Registers the {@code authz-test} realm used by every test in this class.
     * <p>
     * Fixture summary: six realm roles (the two UMA roles plus {@code role_a..role_d}), a nested
     * group tree ({@code group_a/group_b}) plus two flat groups, three users (marta and alice act
     * as resource owners with {@code uma_protection}; kolo is a plain requesting party holding
     * {@code role_a} and {@code group_a}), a confidential resource server with authorization
     * services enabled and a public client. Credentials are test-only fixture values.
     */
    @Override // org.keycloak.testsuite.authz.AbstractResourceServerTest, org.keycloak.testsuite.AbstractKeycloakTest
    public void addTestRealms(List<RealmRepresentation> list) {
        RolesBuilder roles = RolesBuilder.create();
        for (String roleName : new String[]{"uma_authorization", "uma_protection", "role_a", "role_b", "role_c", "role_d"}) {
            roles = roles.realmRole(RoleBuilder.create().name(roleName).build());
        }

        RealmBuilder realm = RealmBuilder.create().name("authz-test").roles(roles);

        // group_b is nested under group_a; group_c and group_remove are top-level.
        realm = realm.group(GroupBuilder.create().name("group_a")
                .subGroups(Arrays.asList(GroupBuilder.create().name("group_b").build())).build());
        realm = realm.group(GroupBuilder.create().name("group_c").build());
        realm = realm.group(GroupBuilder.create().name("group_remove").build());

        // Owners: both UMA roles in the realm plus uma_protection on the resource server.
        realm = realm.user(UserBuilder.create().username("marta").password("password")
                .addRoles("uma_authorization", "uma_protection").role("resource-server-test", "uma_protection"));
        realm = realm.user(UserBuilder.create().username("alice").password("password")
                .addRoles("uma_authorization", "uma_protection").role("resource-server-test", "uma_protection"));
        // Requesting party: only role_a and membership of group_a.
        realm = realm.user(UserBuilder.create().username("kolo").password("password")
                .addRoles("role_a").addGroups("group_a"));

        realm = realm.client(ClientBuilder.create().clientId("resource-server-test").secret("secret")
                .authorizationServicesEnabled(true).redirectUris("http://localhost/resource-server-test")
                .defaultRoles("uma_protection").directAccessGrants().serviceAccountsEnabled(true));
        realm = realm.client(ClientBuilder.create().clientId("client-a")
                .redirectUris("http://localhost/resource-server-test").publicClient());

        list.add(realm.build());
    }

    /**
     * Creates an owner-managed resource for marta and, acting as marta, attaches a user-managed
     * permission that uses every policy dimension (scopes, roles, groups, clients, users and,
     * while UPLOAD_SCRIPTS is enabled, a script condition). The stored representation must echo
     * back everything that was sent. Shared by both {@code testCreateDeprecatedFeatures*} tests.
     */
    private void testCreate() {
        ResourceRepresentation resource = new ResourceRepresentation();
        resource.setName("Resource A");
        resource.setOwnerManagedAccess(true);
        resource.setOwner("marta");
        resource.addScope(new String[]{"Scope A", "Scope B", "Scope C"});
        String resourceId = getAuthzClient().protection().resource().create(resource).getId();

        UmaPermissionRepresentation permission = new UmaPermissionRepresentation();
        permission.setName("Custom User-Managed Permission");
        permission.setDescription("Users from specific roles are allowed to access");
        permission.addScope(new String[]{"Scope A", "Scope B", "Scope C"});
        permission.addRole(new String[]{"role_a", "role_b", "role_c", "role_d"});
        permission.addGroup(new String[]{"/group_a", "/group_a/group_b", "/group_c"});
        permission.addClient(new String[]{"client-a", "resource-server-test"});
        // A script condition is only sent when the feature that accepts it is on.
        if (Profile.isFeatureEnabled(Profile.Feature.UPLOAD_SCRIPTS)) {
            permission.setCondition("$evaluation.grant()");
        }
        permission.addUser(new String[]{"kolo"});

        // Policies on an owner-managed resource are created through the owner's protection API.
        UmaPermissionRepresentation stored = getAuthzClient().protection("marta", "password")
                .policy(resourceId).create(permission);

        Assert.assertEquals(permission.getName(), stored.getName());
        Assert.assertEquals(permission.getDescription(), stored.getDescription());

        Assert.assertNotNull(stored.getScopes());
        Assert.assertTrue(stored.getScopes().containsAll(permission.getScopes()));

        Assert.assertNotNull(stored.getRoles());
        Assert.assertTrue(stored.getRoles().containsAll(permission.getRoles()));

        Assert.assertNotNull(stored.getGroups());
        Assert.assertTrue(stored.getGroups().containsAll(permission.getGroups()));

        Assert.assertNotNull(stored.getClients());
        Assert.assertTrue(stored.getClients().containsAll(permission.getClients()));

        // Null on both sides when UPLOAD_SCRIPTS is disabled.
        Assert.assertEquals(permission.getCondition(), stored.getCondition());

        Assert.assertNotNull(stored.getUsers());
        Assert.assertTrue(stored.getUsers().containsAll(permission.getUsers()));
    }

    /** Runs {@link #testCreate()} without disabling any feature; the sibling test runs it with UPLOAD_SCRIPTS disabled. */
    @Test
    public void testCreateDeprecatedFeaturesEnabled() {
        this.testCreate();
    }

    /** Runs {@link #testCreate()} with UPLOAD_SCRIPTS disabled, so no script condition is sent or stored. */
    @Test
    @DisableFeature(value = Profile.Feature.UPLOAD_SCRIPTS, skipRestart = true)
    public void testCreateDeprecatedFeaturesDisabled() {
        this.testCreate();
    }

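    /**
     * Updates a user-managed permission across every policy dimension and checks how many
     * server-side policies are associated with it after each step. A script condition adds one
     * extra associated policy, so the expected count depends on UPLOAD_SCRIPTS. Finally, clearing
     * the last remaining dimension must delete the permission itself (the update returns 404).
     * Shared by both {@code testUpdateDeprecatedFeatures*} tests.
     * <p>
     * Fixes over the decompiled original: the undefined {@code r11} in the client-clearing step is
     * the running counter decremented once more (inferred from the surrounding {@code i2 - 1}
     * steps), and the {@code NotFoundException} handler must precede the generic
     * {@code Exception} handler or it is unreachable and does not compile.
     */
    private void testUpdate() {
        ResourceRepresentation resourceRepresentation = new ResourceRepresentation();
        resourceRepresentation.setName("Resource A");
        resourceRepresentation.setOwnerManagedAccess(true);
        resourceRepresentation.setOwner("marta");
        resourceRepresentation.addScope(new String[]{"Scope A", "Scope B", "Scope C"});
        ResourceRepresentation create = getAuthzClient().protection().resource().create(resourceRepresentation);

        UmaPermissionRepresentation umaPermissionRepresentation = new UmaPermissionRepresentation();
        umaPermissionRepresentation.setName("Custom User-Managed Permission");
        umaPermissionRepresentation.setDescription("Users from specific roles are allowed to access");
        umaPermissionRepresentation.addScope(new String[]{"Scope A"});
        umaPermissionRepresentation.addRole(new String[]{"role_a"});

        ProtectionResource protection = getAuthzClient().protection("marta", "password");
        // One client handle for the resource instead of re-creating it before every call.
        PolicyResource policy = protection.policy(create.getId());
        UmaPermissionRepresentation create2 = policy.create(umaPermissionRepresentation);
        // A single role yields a single associated (role) policy.
        Assert.assertEquals(1L, getAssociatedPolicies(create2).size());

        create2.setName("Changed");
        create2.setDescription("Changed");
        policy.update(create2);
        UmaPermissionRepresentation findById = policy.findById(create2.getId());
        Assert.assertEquals(create2.getName(), findById.getName());
        Assert.assertEquals(create2.getDescription(), findById.getDescription());

        // Editing the role set reuses the existing role policy: the count stays at 1.
        create2.removeRole("role_a");
        create2.addRole(new String[]{"role_b", "role_c"});
        policy.update(create2);
        Assert.assertEquals(1L, getAssociatedPolicies(create2).size());
        Assert.assertTrue(create2.getRoles().containsAll(policy.findById(create2.getId()).getRoles()));

        create2.addRole(new String[]{"role_d"});
        policy.update(create2);
        Assert.assertEquals(1L, getAssociatedPolicies(create2).size());
        Assert.assertTrue(create2.getRoles().containsAll(policy.findById(create2.getId()).getRoles()));

        // The first group adds a group policy (2); later group edits reuse it.
        create2.addGroup(new String[]{"/group_a/group_b"});
        policy.update(create2);
        Assert.assertEquals(2L, getAssociatedPolicies(create2).size());
        Assert.assertTrue(create2.getGroups().containsAll(policy.findById(create2.getId()).getGroups()));

        create2.addGroup(new String[]{"/group_a"});
        policy.update(create2);
        Assert.assertEquals(2L, getAssociatedPolicies(create2).size());
        Assert.assertTrue(create2.getGroups().containsAll(policy.findById(create2.getId()).getGroups()));

        create2.removeGroup("/group_a/group_b");
        create2.addGroup(new String[]{"/group_c"});
        policy.update(create2);
        Assert.assertEquals(2L, getAssociatedPolicies(create2).size());
        Assert.assertTrue(create2.getGroups().containsAll(policy.findById(create2.getId()).getGroups()));

        // The first client adds a client policy (3); later client edits reuse it.
        create2.addClient(new String[]{"client-a"});
        policy.update(create2);
        Assert.assertEquals(3L, getAssociatedPolicies(create2).size());
        Assert.assertTrue(create2.getClients().containsAll(policy.findById(create2.getId()).getClients()));

        create2.addClient(new String[]{"resource-server-test"});
        policy.update(create2);
        Assert.assertEquals(3L, getAssociatedPolicies(create2).size());
        Assert.assertTrue(create2.getClients().containsAll(policy.findById(create2.getId()).getClients()));

        create2.removeClient("client-a");
        policy.update(create2);
        Assert.assertEquals(3L, getAssociatedPolicies(create2).size());
        Assert.assertTrue(create2.getClients().containsAll(policy.findById(create2.getId()).getClients()));

        // A script condition adds a fourth policy, only while UPLOAD_SCRIPTS is enabled.
        if (Profile.isFeatureEnabled(Profile.Feature.UPLOAD_SCRIPTS)) {
            create2.setCondition("$evaluation.grant()");
            policy.update(create2);
            Assert.assertEquals(4L, getAssociatedPolicies(create2).size());
            Assert.assertEquals(create2.getCondition(), policy.findById(create2.getId()).getCondition());
        }

        // The first user adds a user policy; from here on the expected count is tracked explicitly.
        create2.addUser(new String[]{"alice"});
        policy.update(create2);
        int expectedPolicies = Profile.isFeatureEnabled(Profile.Feature.UPLOAD_SCRIPTS) ? 5 : 4;
        Assert.assertEquals(expectedPolicies, getAssociatedPolicies(create2).size());
        UmaPermissionRepresentation findById2 = policy.findById(create2.getId());
        Assert.assertEquals(1L, findById2.getUsers().size());
        Assert.assertEquals(create2.getUsers(), findById2.getUsers());

        create2.addUser(new String[]{"kolo"});
        policy.update(create2);
        Assert.assertEquals(expectedPolicies, getAssociatedPolicies(create2).size());
        UmaPermissionRepresentation findById3 = policy.findById(create2.getId());
        Assert.assertEquals(2L, findById3.getUsers().size());
        Assert.assertEquals(create2.getUsers(), findById3.getUsers());

        create2.removeUser("alice");
        policy.update(create2);
        Assert.assertEquals(expectedPolicies, getAssociatedPolicies(create2).size());
        UmaPermissionRepresentation findById4 = policy.findById(create2.getId());
        Assert.assertEquals(1L, findById4.getUsers().size());
        Assert.assertEquals(create2.getUsers(), findById4.getUsers());

        // Clearing a dimension drops its associated policy: one fewer after each step.
        create2.setUsers((Set) null);
        policy.update(create2);
        expectedPolicies--;
        Assert.assertEquals(expectedPolicies, getAssociatedPolicies(create2).size());
        Assert.assertEquals(create2.getUsers(), policy.findById(create2.getId()).getUsers());

        if (Profile.isFeatureEnabled(Profile.Feature.UPLOAD_SCRIPTS)) {
            create2.setCondition((String) null);
            policy.update(create2);
            expectedPolicies--;
            Assert.assertEquals(expectedPolicies, getAssociatedPolicies(create2).size());
            Assert.assertEquals(create2.getCondition(), policy.findById(create2.getId()).getCondition());
        }

        create2.setRoles((Set) null);
        policy.update(create2);
        expectedPolicies--;
        Assert.assertEquals(expectedPolicies, getAssociatedPolicies(create2).size());
        Assert.assertEquals(create2.getRoles(), policy.findById(create2.getId()).getRoles());

        create2.setClients((Set) null);
        policy.update(create2);
        // The decompiled source read "r11 - 1" here; it is the same counter, decremented once more.
        expectedPolicies--;
        Assert.assertEquals(expectedPolicies, getAssociatedPolicies(create2).size());
        Assert.assertEquals(create2.getClients(), policy.findById(create2.getId()).getClients());

        // Only the group policy is left; clearing it must remove the permission altogether.
        create2.setGroups((Set) null);
        try {
            policy.update(create2);
            Assert.assertEquals(1L, getAssociatedPolicies(create2).size());
            Assert.fail("Permission must be removed because the last associated policy was removed");
        } catch (NotFoundException expectedNotFound) {
            // The permission no longer exists: this is the outcome under test.
        } catch (Exception e) {
            Assert.fail("Expected not found");
        }
    }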

    /** Runs {@link #testUpdate()} without disabling any feature; the sibling test runs it with UPLOAD_SCRIPTS disabled. */
    @Test
    public void testUpdateDeprecatedFeaturesEnabled() {
        this.testUpdate();
    }

    /** Runs {@link #testUpdate()} with UPLOAD_SCRIPTS disabled, so the condition steps are skipped and one fewer policy is expected. */
    @Test
    @DisableFeature(value = Profile.Feature.UPLOAD_SCRIPTS, skipRestart = true)
    public void testUpdateDeprecatedFeaturesDisabled() {
        this.testUpdate();
    }

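    /**
     * With UPLOAD_SCRIPTS disabled the server must refuse a user-managed permission that carries
     * a script condition, both on create and on update of an existing permission.
     * <p>
     * Fixes over the original: the update step set the condition on the created representation
     * but then sent the unsaved local object (no id, no condition), so it could not exercise the
     * rejection it claims to test; and both negative checks swallowed any {@code Exception}, so a
     * client-side error would have counted as a pass. Both checks now require a wrapped HTTP
     * error response, the same shape the other negative tests in this class assert on.
     */
    @Test
    @DisableFeature(value = Profile.Feature.UPLOAD_SCRIPTS, skipRestart = true)
    public void testUploadScriptDisabled() {
        ResourceRepresentation resourceRepresentation = new ResourceRepresentation();
        resourceRepresentation.setName("Resource A");
        resourceRepresentation.setOwnerManagedAccess(true);
        resourceRepresentation.setOwner("marta");
        resourceRepresentation.addScope(new String[]{"Scope A", "Scope B", "Scope C"});
        ResourceRepresentation create = getAuthzClient().protection().resource().create(resourceRepresentation);

        UmaPermissionRepresentation umaPermissionRepresentation = new UmaPermissionRepresentation();
        umaPermissionRepresentation.setName("Custom User-Managed Permission");
        umaPermissionRepresentation.setDescription("Users from specific roles are allowed to access");
        umaPermissionRepresentation.setCondition("$evaluation.grant()");

        ProtectionResource protection = getAuthzClient().protection("marta", "password");
        PolicyResource policy = protection.policy(create.getId());

        // Create with a script condition: must be rejected by the server.
        try {
            policy.create(umaPermissionRepresentation);
            Assert.fail("Should fail because upload scripts is disabled");
        } catch (Exception e) {
            // A server-side rejection surfaces as a wrapped HttpResponseException; anything else
            // (NPE, connection failure) is a broken test, not a pass.
            Assert.assertTrue("Expected an HTTP error response, got: " + e, e.getCause() instanceof HttpResponseException);
        }

        // Without the condition the permission is accepted; adding a script afterwards must be rejected.
        umaPermissionRepresentation.setCondition((String) null);
        UmaPermissionRepresentation stored = policy.create(umaPermissionRepresentation);
        stored.setCondition("$evaluation.grant();");
        try {
            policy.update(stored);
            Assert.fail("Should fail because upload scripts is disabled");
        } catch (Exception e) {
            // assumes update wraps server errors the same way create/findById do — confirm if this trips
            Assert.assertTrue("Expected an HTTP error response, got: " + e, e.getCause() instanceof HttpResponseException);
        }
    }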

    /**
     * End-to-end check that a user-managed permission actually gates authorization: kolo
     * (role_a) is granted while the permission names role_a, denied once it is switched to role_b,
     * granted again when role_a returns, denied after the permission is deleted, and a fresh
     * user-scoped permission for alice grants alice only.
     */
    @Test
    public void testUserManagedPermission() {
        ResourceRepresentation resource = new ResourceRepresentation();
        resource.setName("Resource A");
        resource.setOwnerManagedAccess(true);
        resource.setOwner("marta");
        resource.addScope(new String[]{"Scope A", "Scope B", "Scope C"});
        String resourceId = getAuthzClient().protection().resource().create(resource).getId();

        UmaPermissionRepresentation permission = new UmaPermissionRepresentation();
        permission.setName("Custom User-Managed Permission");
        permission.setDescription("Users from specific roles are allowed to access");
        permission.addScope(new String[]{"Scope A"});
        permission.addRole(new String[]{"role_a"});

        ProtectionResource asOwner = getAuthzClient().protection("marta", "password");
        UmaPermissionRepresentation stored = asOwner.policy(resourceId).create(permission);

        AuthorizationResource asKolo = getAuthzClient().authorization("kolo", "password");
        AuthorizationRequest request = new AuthorizationRequest();
        request.addPermission(resourceId, new String[]{"Scope A"});
        // kolo holds role_a, so the role policy grants Scope A.
        Assert.assertNotNull(asKolo.authorize(request));

        // Swap the role for one kolo does not hold: both kolo and alice are denied.
        stored.removeRole("role_a");
        stored.addRole(new String[]{"role_b"});
        asOwner.policy(resourceId).update(stored);
        try {
            asKolo.authorize(request);
            Assert.fail("User should not have permission");
        } catch (Exception denied) {
            Assert.assertTrue(denied instanceof AuthorizationDeniedException);
        }
        try {
            getAuthzClient().authorization("alice", "password").authorize(request);
            Assert.fail("User should not have permission");
        } catch (Exception denied) {
            Assert.assertTrue(denied instanceof AuthorizationDeniedException);
        }

        // Restore role_a: kolo is granted again.
        stored.addRole(new String[]{"role_a"});
        asOwner.policy(resourceId).update(stored);
        Assert.assertNotNull(asKolo.authorize(request));

        // Deleting the permission revokes access and makes it unreachable by id (404).
        asOwner.policy(resourceId).delete(stored.getId());
        try {
            asKolo.authorize(request);
            Assert.fail("User should not have permission");
        } catch (Exception denied) {
            Assert.assertTrue(denied instanceof AuthorizationDeniedException);
        }
        try {
            getAuthzClient().protection("marta", "password").policy(resourceId).findById(stored.getId());
            Assert.fail("Permission must not exist");
        } catch (Exception notFound) {
            Assert.assertEquals(404L, ((HttpResponseException) notFound.getCause()).getStatusCode());
        }

        // A user-scoped permission grants exactly the named user.
        UmaPermissionRepresentation aliceOnly = new UmaPermissionRepresentation();
        aliceOnly.setName("Custom User-Managed Permission");
        aliceOnly.setDescription("Specific users are allowed access to the resource");
        aliceOnly.addScope(new String[]{"Scope A"});
        aliceOnly.addUser(new String[]{"alice"});
        asOwner.policy(resourceId).create(aliceOnly);
        Assert.assertNotNull(getAuthzClient().authorization("alice", "password").authorize(request));
        try {
            asKolo.authorize(request);
            Assert.fail("User should not have permission to access the protected resource");
        } catch (Exception denied) {
            Assert.assertTrue(denied instanceof AuthorizationDeniedException);
        }
    }

    /**
     * A granted permission ticket and a user-managed permission are evaluated together for the
     * same resource: kolo is denied (request submitted) until the owner grants the ticket, keeps
     * access while either the grant or a matching role policy holds, and is denied once the
     * policy targets a role he lacks or is deleted.
     */
    @Test
    public void testPermissionInAdditionToUserGrantedPermission() {
        ResourceRepresentation resource = new ResourceRepresentation();
        resource.setName("Resource A");
        resource.setOwnerManagedAccess(true);
        resource.setOwner("marta");
        resource.addScope(new String[]{"Scope A", "Scope B", "Scope C"});
        String resourceId = getAuthzClient().protection().resource().create(resource).getId();

        // Request a ticket for Scope A; with no grant yet the request is merely submitted.
        PermissionResponse ticketResponse = getAuthzClient().protection().permission()
                .create(new PermissionRequest(resourceId, new String[]{"Scope A"}));
        AuthorizationRequest ticketRequest = new AuthorizationRequest();
        ticketRequest.setTicket(ticketResponse.getTicket());
        try {
            getAuthzClient().authorization("kolo", "password").authorize(ticketRequest);
            Assert.fail("User should not have permission");
        } catch (Exception denied) {
            Assert.assertTrue(denied instanceof AuthorizationDeniedException);
            Assert.assertTrue(denied.getMessage().contains("request_submitted"));
        }

        // The owner grants the single pending ticket; kolo is now authorized.
        List<PermissionTicketRepresentation> tickets = getAuthzClient().protection().permission().findByResource(resourceId);
        Assert.assertEquals(1L, tickets.size());
        PermissionTicketRepresentation ticket = tickets.get(0);
        ticket.setGranted(true);
        getAuthzClient().protection().permission().update(ticket);
        Assert.assertNotNull(getAuthzClient().authorization("kolo", "password").authorize(ticketRequest));

        // Add a role_a policy as well, then revoke the ticket grant: the role policy alone must
        // still let the authorize calls below succeed (a denial would throw).
        UmaPermissionRepresentation permission = new UmaPermissionRepresentation();
        permission.setName("Custom User-Managed Permission");
        permission.addScope(new String[]{"Scope A"});
        permission.addRole(new String[]{"role_a"});
        String permissionId = getAuthzClient().protection("marta", "password").policy(resourceId).create(permission).getId();
        getAuthzClient().authorization("kolo", "password").authorize(ticketRequest);
        ticket.setGranted(false);
        getAuthzClient().protection().permission().update(ticket);
        getAuthzClient().authorization("kolo", "password").authorize(ticketRequest);

        // Point the policy at role_b, which kolo lacks: denied via the ticket and via a plain request.
        UmaPermissionRepresentation stored = getAuthzClient().protection("marta", "password").policy(resourceId).findById(permissionId);
        Assert.assertNotNull(stored);
        stored.removeRole("role_a");
        stored.addRole(new String[]{"role_b"});
        getAuthzClient().protection("marta", "password").policy(resourceId).update(stored);
        try {
            getAuthzClient().authorization("kolo", "password").authorize(ticketRequest);
            Assert.fail("User should not have permission");
        } catch (Exception denied) {
            Assert.assertTrue(denied instanceof AuthorizationDeniedException);
        }
        AuthorizationRequest resourceRequest = new AuthorizationRequest();
        resourceRequest.addPermission(resourceId, new String[0]);
        try {
            getAuthzClient().authorization("kolo", "password").authorize(resourceRequest);
            Assert.fail("User should not have permission");
        } catch (Exception denied) {
            Assert.assertTrue(denied instanceof AuthorizationDeniedException);
        }

        // Deleting the policy leaves kolo with nothing.
        getAuthzClient().protection("marta", "password").policy(resourceId).delete(stored.getId());
        try {
            getAuthzClient().authorization("kolo", "password").authorize(resourceRequest);
            Assert.fail("User should not have permission");
        } catch (Exception denied) {
            Assert.assertTrue(denied instanceof AuthorizationDeniedException);
        }
    }

    /**
     * A user-managed permission created without explicit scopes inherits all scopes of the
     * resource; removing one scope afterwards is persisted.
     */
    @Test
    public void testPermissionWithoutScopes() {
        List<String> allScopes = Arrays.asList("Scope A", "Scope B", "Scope C");

        ResourceRepresentation resource = new ResourceRepresentation();
        resource.setName(UUID.randomUUID().toString());
        resource.setOwner("marta");
        resource.setOwnerManagedAccess(true);
        resource.addScope(new String[]{"Scope A", "Scope B", "Scope C"});
        String resourceId = getAuthzClient().protection().resource().create(resource).getId();

        UmaPermissionRepresentation permission = new UmaPermissionRepresentation();
        permission.setName("Custom User-Managed Policy");
        permission.addRole(new String[]{"role_a"});
        PolicyResource policy = getAuthzClient().protection("marta", "password").policy(resourceId);

        // No scopes were set on the permission: the server fills in the resource's three.
        UmaPermissionRepresentation stored = policy.create(permission);
        Assert.assertEquals(3L, stored.getScopes().size());
        Assert.assertTrue(allScopes.containsAll(stored.getScopes()));

        UmaPermissionRepresentation fetched = policy.findById(stored.getId());
        Assert.assertTrue(allScopes.containsAll(fetched.getScopes()));
        Assert.assertEquals(3L, fetched.getScopes().size());

        fetched.removeScope("Scope B");
        policy.update(fetched);
        UmaPermissionRepresentation refetched = policy.findById(fetched.getId());
        Assert.assertEquals(2L, refetched.getScopes().size());
        Assert.assertTrue(Arrays.asList("Scope A", "Scope C").containsAll(refetched.getScopes()));
    }

    /**
     * Authorization check on the policy endpoint itself: alice (not the owner of marta's
     * resource) must be refused when she tries to create a policy on it.
     */
    @Test
    public void testOnlyResourceOwnerCanManagePolicies() {
        ResourceRepresentation resource = new ResourceRepresentation();
        resource.setName(UUID.randomUUID().toString());
        resource.setOwner("marta");
        resource.addScope(new String[]{"Scope A", "Scope B", "Scope C"});
        try {
            ProtectionResource asAlice = getAuthzClient().protection("alice", "password");
            String resourceId = getAuthzClient().protection().resource().create(resource).getId();
            asAlice.policy(resourceId).create(new UmaPermissionRepresentation());
            Assert.fail("Error expected");
        } catch (Exception e) {
            HttpResponseException response = (HttpResponseException) e.getCause();
            Assert.assertTrue(response.toString().contains("Only resource owner can access policies for resource"));
        }
    }

    /**
     * Even the owner cannot attach user-managed policies to a resource that was not created with
     * owner-managed access enabled.
     */
    @Test
    public void testOnlyResourcesWithOwnerManagedAccess() {
        ResourceRepresentation resource = new ResourceRepresentation();
        resource.setName(UUID.randomUUID().toString());
        resource.setOwner("marta");
        resource.addScope(new String[]{"Scope A", "Scope B", "Scope C"});
        // Note: setOwnerManagedAccess(true) is deliberately not called here.
        try {
            ProtectionResource asOwner = getAuthzClient().protection("marta", "password");
            String resourceId = getAuthzClient().protection().resource().create(resource).getId();
            asOwner.policy(resourceId).create(new UmaPermissionRepresentation());
            Assert.fail("Error expected");
        } catch (Exception e) {
            HttpResponseException response = (HttpResponseException) e.getCause();
            Assert.assertTrue(response.toString().contains("Only resources with owner managed accessed can have policies"));
        }
    }

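    /**
     * The owner (marta) is always authorized on her own owner-managed resource, even when the
     * only user-managed permission targets a role she does not hold; other users (kolo) remain
     * governed by the permission's roles.
     * <p>
     * Fix over the original: if policy creation failed, the catch block's assertion could pass
     * and the test then died with a NullPointerException on the later update instead of a
     * diagnostic failure; an explicit null check now reports the real cause.
     */
    @Test
    public void testOwnerAccess() {
        ResourceRepresentation resourceRepresentation = new ResourceRepresentation();
        resourceRepresentation.setName(UUID.randomUUID().toString());
        resourceRepresentation.setOwner("marta");
        resourceRepresentation.addScope(new String[]{"Scope A", "Scope B", "Scope C"});
        resourceRepresentation.setOwnerManagedAccess(true);
        ResourceRepresentation create = getAuthzClient().protection().resource().create(resourceRepresentation);

        UmaPermissionRepresentation umaPermissionRepresentation = null;
        try {
            UmaPermissionRepresentation umaPermissionRepresentation2 = new UmaPermissionRepresentation();
            umaPermissionRepresentation2.setName("test");
            umaPermissionRepresentation2.addRole(new String[]{"role_b"});
            umaPermissionRepresentation = getAuthzClient().protection("marta", "password").policy(create.getId()).create(umaPermissionRepresentation2);
        } catch (Exception e) {
            // NOTE(review): this expected message belongs to the no-owner-managed-access case, yet
            // ownerManagedAccess is set above; kept as-is, the null check below makes any failure here fatal.
            Assert.assertTrue(((HttpResponseException) e.getCause()).toString().contains("Only resources with owner managed accessed can have policies"));
        }
        Assert.assertNotNull("User-managed permission must be created on an owner-managed resource", umaPermissionRepresentation);

        // Owner access does not depend on the permission's roles (marta holds neither role_b nor role_a).
        AuthorizationResource asOwner = getAuthzClient().authorization("marta", "password");
        AuthorizationRequest request = new AuthorizationRequest();
        request.addPermission(create.getId(), new String[]{"Scope A"});
        Assert.assertNotNull(asOwner.authorize(request));

        // kolo holds role_a only: denied while the permission requires role_b.
        try {
            getAuthzClient().authorization("kolo", "password").authorize(request);
            Assert.fail("User should not have permission");
        } catch (Exception denied) {
            Assert.assertTrue(denied instanceof AuthorizationDeniedException);
        }

        // Once role_a is added, kolo is granted.
        umaPermissionRepresentation.addRole(new String[]{"role_a"});
        getAuthzClient().protection("marta", "password").policy(create.getId()).update(umaPermissionRepresentation);
        Assert.assertNotNull(getAuthzClient().authorization("kolo", "password").authorize(request));
    }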

    /**
     * Search over user-managed permissions of one resource: unfiltered listing, lookup by exact
     * name, filter by scope, and paging via first/max results.
     */
    @Test
    public void testFindPermission() {
        ResourceRepresentation resource = new ResourceRepresentation();
        resource.setName(UUID.randomUUID().toString());
        resource.setOwner("marta");
        resource.setOwnerManagedAccess(true);
        resource.addScope(new String[]{"Scope A", "Scope B", "Scope C"});
        ProtectionResource asOwner = getAuthzClient().protection("marta", "password");
        String resourceId = getAuthzClient().protection().resource().create(resource).getId();
        PolicyResource policy = asOwner.policy(resourceId);

        int total = 10;
        for (int index = 0; index < total; index++) {
            UmaPermissionRepresentation permission = new UmaPermissionRepresentation();
            permission.setName("Custom User-Managed Policy " + index);
            permission.addRole(new String[]{"role_a"});
            policy.create(permission);
        }

        // No filter: everything.
        Assert.assertEquals(10L, policy.find((String) null, (String) null, (Integer) null, (Integer) null).size());

        // Exact name: one hit, and findById agrees on its id.
        List<UmaPermissionRepresentation> byName = policy.find("Custom User-Managed Policy 8", (String) null, (Integer) null, (Integer) null);
        Assert.assertEquals(1L, byName.size());
        String matchId = byName.get(0).getId();
        Assert.assertEquals(matchId, policy.findById(matchId).getId());

        // Scope filter: every permission inherited Scope A from the resource.
        Assert.assertEquals(10L, policy.find((String) null, "Scope A", (Integer) null, (Integer) null).size());

        // Paging: max results caps the page size.
        Assert.assertEquals(5L, policy.find((String) null, (String) null, -1, 5).size());
        Assert.assertEquals(2L, policy.find((String) null, (String) null, -1, 2).size());
    }

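    /**
     * A user-managed permission that grants only {@code view} must never yield {@code delete}:
     * requesting the ungranted scope is denied outright, and requesting the resource without
     * naming any scope returns only the granted one rather than widening the grant.
     */
    @Test
    public void testGrantRequestedScopesOnly() {
        ResourceRepresentation resource = new ResourceRepresentation();
        resource.setName(UUID.randomUUID().toString());
        resource.setOwnerManagedAccess(true);
        resource.setOwner("marta");
        resource.addScope("view", "delete");

        ProtectionResource protection = getAuthzClient().protection("marta", "password");
        String resourceId = protection.resource().create(resource).getId();

        UmaPermissionRepresentation permission = new UmaPermissionRepresentation();
        permission.setName("Custom User-Managed Permission");
        permission.addScope("view");
        permission.addUser("kolo");
        protection.policy(resourceId).create(permission);

        // Requesting exactly the granted scope succeeds and yields nothing beyond it.
        assertOnlyViewGranted(resourceId, new String[]{"view"});

        // "delete" was never granted, so it must be refused no matter how often it is asked for.
        assertScopesDenied(resourceId, "delete");
        assertScopesDenied(resourceId, "delete");

        // Asking for the resource with an empty scope list must not widen the grant to "delete".
        assertOnlyViewGranted(resourceId, new String[0]);
    }

    /** Authorizes kolo for the given scopes and checks that the resulting RPT carries only "view". */
    private void assertOnlyViewGranted(String resourceId, String[] requestedScopes) {
        AuthorizationRequest request = new AuthorizationRequest();
        request.addPermission(resourceId, requestedScopes);
        Collection<Permission> permissions = toAccessToken(getAuthzClient().authorization("kolo", "password").authorize(request).getToken()).getAuthorization().getPermissions();
        // assertPermissions is defined elsewhere in this class; it appears to remove the entries
        // it matched, so an empty remainder means nothing beyond "view" was granted — confirm.
        assertPermissions(permissions, resourceId, "view");
        Assert.assertTrue(permissions.isEmpty());
    }

    /** Authorizes kolo for the given scopes and checks that the request is denied. */
    private void assertScopesDenied(String resourceId, String... scopes) {
        AuthorizationRequest request = new AuthorizationRequest();
        request.addPermission(resourceId, scopes);
        try {
            getAuthzClient().authorization("kolo", "password").authorize(request);
            Assert.fail("User should not have permission");
        } catch (AuthorizationDeniedException expected) {
            // Denial is the required outcome; any other exception propagates and fails the test.
        }
    }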

    /**
     * kolo holds "Scope A" and "Scope B" on "Resource A" through a user-managed permission.
     * Explicitly requesting those scopes succeeds and the RPT carries exactly them, whereas
     * asking for all entitlements (authorize() with no request) is denied.
     */
    @Test
    public void testDoNotGrantPermissionWhenObtainAllEntitlements() {
        ResourceRepresentation resource = new ResourceRepresentation();
        resource.setName("Resource A");
        resource.setOwnerManagedAccess(true);
        resource.setOwner("marta");
        resource.addScope(new String[]{"Scope A", "Scope B", "Scope C"});
        String resourceId = getAuthzClient().protection().resource().create(resource).getId();

        UmaPermissionRepresentation grantToKolo = new UmaPermissionRepresentation();
        grantToKolo.setName("Custom User-Managed Permission");
        grantToKolo.addScope(new String[]{"Scope A", "Scope B"});
        grantToKolo.addUser(new String[]{"kolo"});
        getAuthzClient().protection("marta", "password").policy(resourceId).create(grantToKolo);

        AuthorizationResource koloAuthorization = getAuthzClient().authorization("kolo", "password");
        AuthorizationRequest explicitRequest = new AuthorizationRequest();
        explicitRequest.addPermission(resourceId, new String[]{"Scope A", "Scope B"});
        AuthorizationResponse response = koloAuthorization.authorize(explicitRequest);
        Assert.assertNotNull(response);

        AccessToken rpt = toAccessToken(response.getToken());
        Assert.assertNotNull(rpt.getAuthorization());
        Collection<Permission> permissions = rpt.getAuthorization().getPermissions();
        Assert.assertEquals(1L, permissions.size());
        Permission granted = permissions.iterator().next();
        Assert.assertTrue(granted.getScopes().containsAll(Arrays.asList("Scope A", "Scope B")));

        // No request body: the server must not hand out everything kolo could ever be granted.
        boolean denied = false;
        try {
            getAuthzClient().authorization("kolo", "password").authorize();
            Assert.fail("User should not have permission");
        } catch (Exception e) {
            denied = AuthorizationDeniedException.class.isInstance(e);
        }
        Assert.assertTrue(denied);
    }

    /**
     * Client-side half: registers "Resource A" for marta and attaches a user-managed permission
     * that references roles, groups, clients, a user and (when script upload is enabled) a
     * condition. The server-side half then deletes the resource and expects the policy to go
     * with it.
     */
    @Test
    public void testRemovePoliciesOnResourceDelete() {
        ResourceRepresentation resource = new ResourceRepresentation();
        resource.setName("Resource A");
        resource.setOwnerManagedAccess(true);
        resource.setOwner("marta");
        resource.addScope("Scope A", "Scope B", "Scope C");
        String resourceId = getAuthzClient().protection().resource().create(resource).getId();

        UmaPermissionRepresentation permission = new UmaPermissionRepresentation();
        permission.setName("Custom User-Managed Permission");
        permission.setDescription("Users from specific roles are allowed to access");
        permission.addScope("Scope A", "Scope B", "Scope C");
        permission.addRole("role_a", "role_b", "role_c", "role_d");
        permission.addGroup("/group_a", "/group_a/group_b", "/group_c");
        permission.addClient("client-a", "resource-server-test");
        // The JavaScript condition is only attached when the UPLOAD_SCRIPTS feature is on —
        // presumably because the server rejects script conditions otherwise; confirm.
        boolean scriptsAllowed = Profile.isFeatureEnabled(Profile.Feature.UPLOAD_SCRIPTS);
        if (scriptsAllowed) {
            permission.setCondition("$evaluation.grant()");
        }
        permission.addUser("kolo");
        getAuthzClient().protection("marta", "password").policy(resourceId).create(permission);

        getTestingClient().server().run(UserManagedPermissionServiceTest::testRemovePoliciesOnResourceDelete);
    }

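    /**
     * Server-side half of the resource-delete test: finds the single UMA policy marta owns on
     * the resource server, deletes the resource it protects, and verifies marta is then left
     * with no policies at all — a user-managed policy must not outlive its resource.
     *
     * @param keycloakSession the server session this code runs in
     */
    private static void testRemovePoliciesOnResourceDelete(KeycloakSession keycloakSession) {
        RealmModel realm = keycloakSession.realms().getRealmByName("authz-test");
        ClientModel resourceServer = realm.getClientByClientId("resource-server-test");
        AuthorizationProvider provider = keycloakSession.getProvider(AuthorizationProvider.class);
        UserModel marta = keycloakSession.users().getUserByUsername(realm, "marta");
        Assert.assertNotNull("user 'marta' must exist in realm authz-test", marta);

        // Only marta's policies of type "uma" — the one created on the client side.
        HashMap<Policy.FilterOption, String[]> umaPoliciesOfMarta = new HashMap<>();
        umaPoliciesOfMarta.put(Policy.FilterOption.TYPE, new String[]{"uma"});
        umaPoliciesOfMarta.put(Policy.FilterOption.OWNER, new String[]{marta.getId()});
        List<Policy> policies = provider.getStoreFactory().getPolicyStore().findByResourceServer(umaPoliciesOfMarta, resourceServer.getId(), -1, -1);
        Assert.assertEquals(1, policies.size());

        Policy policy = policies.get(0);
        Assert.assertFalse(policy.getResources().isEmpty());
        Resource resource = policy.getResources().iterator().next();
        Assert.assertEquals("Resource A", resource.getName());

        provider.getStoreFactory().getResourceStore().delete(resource.getId());

        // Widen the filter to all of marta's policies (any type) so that a policy that survived
        // its resource would be caught regardless of type.
        HashMap<Policy.FilterOption, String[]> allPoliciesOfMarta = new HashMap<>();
        allPoliciesOfMarta.put(Policy.FilterOption.OWNER, new String[]{marta.getId()});
        Assert.assertTrue(provider.getStoreFactory().getPolicyStore().findByResourceServer(allPoliciesOfMarta, resourceServer.getId(), -1, -1).isEmpty());
    }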

    /**
     * Client-side half: registers "Resource A" for marta with a user-managed permission whose
     * only subject is the group "/group_remove". The server-side half deletes that group and
     * expects the policy to be removed along with it.
     */
    @Test
    public void testRemovePoliciesOnGroupDelete() {
        ResourceRepresentation resource = new ResourceRepresentation();
        resource.setName("Resource A");
        resource.setOwnerManagedAccess(true);
        resource.setOwner("marta");
        resource.addScope("Scope A", "Scope B", "Scope C");
        String resourceId = getAuthzClient().protection().resource().create(resource).getId();

        UmaPermissionRepresentation groupOnlyPermission = new UmaPermissionRepresentation();
        groupOnlyPermission.setName("Custom User-Managed Permission");
        groupOnlyPermission.addGroup("/group_remove");
        getAuthzClient().protection("marta", "password").policy(resourceId).create(groupOnlyPermission);

        getTestingClient().server().run(UserManagedPermissionServiceTest::testRemovePoliciesOnGroupDelete);
    }

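    /**
     * Server-side half of the group-delete test: finds the single UMA policy marta owns on the
     * resource server, removes the group "group_remove" that the policy refers to, and verifies
     * marta is then left with no policies — a policy whose only subject is gone must not linger.
     *
     * @param keycloakSession the server session this code runs in
     */
    private static void testRemovePoliciesOnGroupDelete(KeycloakSession keycloakSession) {
        RealmModel realm = keycloakSession.realms().getRealmByName("authz-test");
        ClientModel resourceServer = realm.getClientByClientId("resource-server-test");
        AuthorizationProvider provider = keycloakSession.getProvider(AuthorizationProvider.class);
        UserModel marta = keycloakSession.users().getUserByUsername(realm, "marta");
        Assert.assertNotNull("user 'marta' must exist in realm authz-test", marta);

        // Only marta's policies of type "uma" — the one created on the client side.
        HashMap<Policy.FilterOption, String[]> umaPoliciesOfMarta = new HashMap<>();
        umaPoliciesOfMarta.put(Policy.FilterOption.TYPE, new String[]{"uma"});
        umaPoliciesOfMarta.put(Policy.FilterOption.OWNER, new String[]{marta.getId()});
        List<Policy> policies = provider.getStoreFactory().getPolicyStore().findByResourceServer(umaPoliciesOfMarta, resourceServer.getId(), -1, -1);
        Assert.assertEquals(1, policies.size());

        Policy policy = policies.get(0);
        Assert.assertFalse(policy.getResources().isEmpty());
        Assert.assertEquals("Resource A", policy.getResources().iterator().next().getName());

        // Fail with a clear message rather than NoSuchElementException if the fixture group is missing.
        GroupModel groupToRemove = realm.searchForGroupByNameStream("group_remove", -1, -1)
                .findAny()
                .orElseThrow(() -> new AssertionError("group 'group_remove' not found in realm authz-test"));
        realm.removeGroup(groupToRemove);

        // Widen the filter to all of marta's policies (any type) so that a policy that survived
        // the loss of its only subject would be caught regardless of type.
        HashMap<Policy.FilterOption, String[]> allPoliciesOfMarta = new HashMap<>();
        allPoliciesOfMarta.put(Policy.FilterOption.OWNER, new String[]{marta.getId()});
        Assert.assertTrue(provider.getStoreFactory().getPolicyStore().findByResourceServer(allPoliciesOfMarta, resourceServer.getId(), -1, -1).isEmpty());
    }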

    /**
     * Looks up, through the admin client for the test realm, the policies associated with the
     * given user-managed permission.
     *
     * @param umaPermissionRepresentation the permission whose id identifies the policy to inspect
     * @return the associated policies as reported by the admin authorization API
     */
    private List<PolicyRepresentation> getAssociatedPolicies(UmaPermissionRepresentation umaPermissionRepresentation) {
        String policyId = umaPermissionRepresentation.getId();
        return getClient(getRealm())
                .authorization()
                .policies()
                .policy(policyId)
                .associatedPolicies();
    }

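    /**
     * Deserialization hook of the kind javac emits for classes containing serializable method
     * references — here the two {@code RunOnServer} references handed to
     * {@code getTestingClient().server().run(...)}. It turns a {@link SerializedLambda} back into
     * a method reference, but only for the exact functional interface, implementing class,
     * method name and signatures listed below; everything else is rejected, so a serialized
     * form cannot be resolved to an arbitrary method of this class.
     *
     * <p>This method was recovered from bytecode: in real source it is compiler-generated, and
     * the decompiler rendered its int selector as a {@code boolean}, which is fixed here.
     *
     * @param serializedLambda the serialized form to resolve
     * @return the matching {@code RunOnServer} method reference
     * @throws IllegalArgumentException when the serialized form matches neither reference
     */
    private static /* synthetic */ Object $deserializeLambda$(SerializedLambda serializedLambda) {
        // Shape shared by both references: a static method of this class with a
        // (KeycloakSession) -> void signature, implementing RunOnServer.run.
        final String runOnServer = "org/keycloak/testsuite/runonserver/RunOnServer";
        final String sessionToVoid = "(Lorg/keycloak/models/KeycloakSession;)V";
        final String thisClass = "org/keycloak/testsuite/authz/UserManagedPermissionServiceTest";
        boolean shapeMatches = serializedLambda.getImplMethodKind() == java.lang.invoke.MethodHandleInfo.REF_invokeStatic
                && runOnServer.equals(serializedLambda.getFunctionalInterfaceClass())
                && "run".equals(serializedLambda.getFunctionalInterfaceMethodName())
                && sessionToVoid.equals(serializedLambda.getFunctionalInterfaceMethodSignature())
                && thisClass.equals(serializedLambda.getImplClass())
                && sessionToVoid.equals(serializedLambda.getImplMethodSignature());
        if (shapeMatches) {
            // Only the two method names used in this class are accepted; a string switch replaces
            // the decompiled hashCode()/equals() pair with the same outcome.
            switch (serializedLambda.getImplMethodName()) {
                case "testRemovePoliciesOnResourceDelete":
                    return (org.keycloak.testsuite.runonserver.RunOnServer) UserManagedPermissionServiceTest::testRemovePoliciesOnResourceDelete;
                case "testRemovePoliciesOnGroupDelete":
                    return (org.keycloak.testsuite.runonserver.RunOnServer) UserManagedPermissionServiceTest::testRemovePoliciesOnGroupDelete;
                default:
                    break;
            }
        }
        throw new IllegalArgumentException("Invalid lambda deserialization");
    }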
}
