package org.keycloak.testsuite.account;

import java.io.IOException;
import java.util.List;
import javax.ws.rs.BadRequestException;
import org.hamcrest.Matchers;
import org.jboss.logging.Logger;
import org.junit.Assert;
import org.junit.Test;
import org.keycloak.admin.client.resource.UserResource;
import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.representations.account.UserRepresentation;
import org.keycloak.representations.idm.ErrorRepresentation;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;

@AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE, AuthServerContainerExclude.AuthServer.QUARKUS})
/* loaded from: input_file:org/keycloak/testsuite/account/AccountRestServiceReadOnlyAttributesTest.class */
public class AccountRestServiceReadOnlyAttributesTest extends AbstractRestServiceTest {
    private static final Logger logger = Logger.getLogger(AccountRestServiceReadOnlyAttributesTest.class);

    @Test
    public void testUpdateProfileCannotUpdateReadOnlyAttributes() throws IOException {
        testAccountUpdateAttributeExpectFailure("usercertificate");
        testAccountUpdateAttributeExpectFailure("uSErCertificate");
        testAccountUpdateAttributeExpectFailure("KERBEROS_PRINCIPAL", true);
        testAccountUpdateAttributeExpectSuccess("noKerberos_Principal");
        testAccountUpdateAttributeExpectSuccess("KERBEROS_PRINCIPALno");
        testAccountUpdateAttributeExpectFailure("enabled");
        testAccountUpdateAttributeExpectFailure("CREATED_TIMESTAMP", true);
        testAccountUpdateAttributeExpectSuccess("saml.something");
        testAccountUpdateAttributeExpectFailure("deniedfoo");
        testAccountUpdateAttributeExpectFailure("deniedFOo");
        testAccountUpdateAttributeExpectSuccess("deniedFoot");
        testAccountUpdateAttributeExpectFailure("deniedbar");
        testAccountUpdateAttributeExpectFailure("deniedBAr");
        testAccountUpdateAttributeExpectFailure("deniedBArr");
        testAccountUpdateAttributeExpectFailure("deniedbarrier");
        testAccountUpdateAttributeExpectSuccess("nodeniedbar");
        testAccountUpdateAttributeExpectSuccess("nodeniedBARrier");
        testAccountUpdateAttributeExpectFailure("saml.persistent.name.id.for.foo");
        testAccountUpdateAttributeExpectFailure("saml.persistent.name.id.for._foo_");
        testAccountUpdateAttributeExpectSuccess("saml.persistent.name.idafor.foo");
        testAccountUpdateAttributeExpectFailure("deniedsome/thing");
        testAccountUpdateAttributeExpectFailure("deniedsome*thing");
        testAccountUpdateAttributeExpectSuccess("deniedsomeithing");
        testAccountUpdateAttributeExpectSuccess("deniedSomeAdmin");
    }

    private void testAccountUpdateAttributeExpectFailure(String str) throws IOException {
        testAccountUpdateAttributeExpectFailure(str, false);
    }

    private void testAccountUpdateAttributeExpectFailure(String str, boolean z) throws IOException {
        UserRepresentation userRepresentation = (UserRepresentation) SimpleHttp.doGet(getAccountUrl(null), this.httpClient).auth(this.tokenUtil.getToken()).asJson(UserRepresentation.class);
        Assert.assertThat(userRepresentation.getAttributes().keySet(), Matchers.not(Matchers.contains(new String[]{str})));
        userRepresentation.singleAttribute(str, "foo");
        updateError(userRepresentation, 400, "updateReadOnlyAttributesRejectedMessage");
        try {
            UserResource findUserByUsernameId = ApiUtil.findUserByUsernameId(testRealm(), userRepresentation.getUsername());
            org.keycloak.representations.idm.UserRepresentation representation = findUserByUsernameId.toRepresentation();
            representation.singleAttribute(str, "foo");
            findUserByUsernameId.update(representation);
            if (z) {
                Assert.fail("Not expected to update attribute " + str + " by admin REST API");
            }
            UserRepresentation userRepresentation2 = (UserRepresentation) SimpleHttp.doGet(getAccountUrl(null), this.httpClient).auth(this.tokenUtil.getToken()).asJson(UserRepresentation.class);
            Assert.assertEquals("foo", ((List) userRepresentation2.getAttributes().get(str)).get(0));
            userRepresentation2.singleAttribute("someOtherAttr", "foo");
            UserRepresentation updateAndGet = updateAndGet(userRepresentation2);
            updateAndGet.singleAttribute(str, "foo-updated");
            updateError(updateAndGet, 400, "updateReadOnlyAttributesRejectedMessage");
            updateAndGet.getAttributes().remove(str);
            Assert.assertTrue(updateAndGet(updateAndGet).getAttributes().containsKey(str));
            representation.getAttributes().remove(str);
            representation.getAttributes().remove("someOtherAttr");
            findUserByUsernameId.update(representation);
        } catch (BadRequestException e) {
            if (z) {
                return;
            }
            Assert.fail("Was expected to update attribute " + str + " by admin REST API");
        }
    }

    private void testAccountUpdateAttributeExpectSuccess(String str) throws IOException {
        UserRepresentation userRepresentation = (UserRepresentation) SimpleHttp.doGet(getAccountUrl(null), this.httpClient).auth(this.tokenUtil.getToken()).asJson(UserRepresentation.class);
        Assert.assertThat(userRepresentation.getAttributes().keySet(), Matchers.not(Matchers.contains(new String[]{str})));
        userRepresentation.singleAttribute(str, "foo");
        updateAndGet(userRepresentation);
        UserRepresentation userRepresentation2 = (UserRepresentation) SimpleHttp.doGet(getAccountUrl(null), this.httpClient).auth(this.tokenUtil.getToken()).asJson(UserRepresentation.class);
        Assert.assertEquals("foo", ((List) userRepresentation2.getAttributes().get(str)).get(0));
        userRepresentation2.singleAttribute("someOtherAttr", "foo");
        UserRepresentation updateAndGet = updateAndGet(userRepresentation2);
        updateAndGet.singleAttribute(str, "foo-updated");
        UserRepresentation updateAndGet2 = updateAndGet(updateAndGet);
        updateAndGet2.getAttributes().remove(str);
        UserRepresentation updateAndGet3 = updateAndGet(updateAndGet2);
        updateAndGet3.getAttributes().remove("foo");
        updateAndGet3.getAttributes().remove("someOtherAttr");
        updateAndGet(updateAndGet3);
    }

    private UserRepresentation updateAndGet(UserRepresentation userRepresentation) throws IOException {
        Assert.assertEquals(204L, SimpleHttp.doPost(getAccountUrl(null), this.httpClient).auth(this.tokenUtil.getToken()).json(userRepresentation).asStatus());
        return (UserRepresentation) SimpleHttp.doGet(getAccountUrl(null), this.httpClient).auth(this.tokenUtil.getToken()).asJson(UserRepresentation.class);
    }

    private void updateError(UserRepresentation userRepresentation, int i, String str) throws IOException {
        SimpleHttp.Response asResponse = SimpleHttp.doPost(getAccountUrl(null), this.httpClient).auth(this.tokenUtil.getToken()).json(userRepresentation).asResponse();
        Assert.assertEquals(i, asResponse.getStatus());
        Assert.assertEquals(str, ((ErrorRepresentation) asResponse.asJson(ErrorRepresentation.class)).getErrorMessage());
    }
}
