package org.keycloak.testsuite.authz;

import java.lang.invoke.SerializedLambda;
import java.text.SimpleDateFormat;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.function.Function;
import java.util.stream.Collectors;
import org.junit.Assert;
import org.junit.Test;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.Decision;
import org.keycloak.authorization.attribute.Attributes;
import org.keycloak.authorization.common.DefaultEvaluationContext;
import org.keycloak.authorization.identity.Identity;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.permission.ResourcePermission;
import org.keycloak.authorization.policy.evaluation.DefaultEvaluation;
import org.keycloak.authorization.policy.provider.PolicyProvider;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.models.utils.RepresentationToModel;
import org.keycloak.representations.idm.GroupRepresentation;
import org.keycloak.representations.idm.ProtocolMapperRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.JSPolicyRepresentation;
import org.keycloak.representations.idm.authorization.Logic;
import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation;
import org.keycloak.representations.idm.authorization.ScopePermissionRepresentation;
import org.keycloak.representations.idm.authorization.TimePolicyRepresentation;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.oauth.RefreshTokenTest;
import org.keycloak.testsuite.saml.ConcurrentAuthnRequestTest;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.GroupBuilder;
import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.testsuite.util.RoleBuilder;
import org.keycloak.testsuite.util.RolesBuilder;
import org.keycloak.testsuite.util.UserBuilder;

@AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
/* loaded from: input_file:org/keycloak/testsuite/authz/PolicyEvaluationTest.class */
public class PolicyEvaluationTest extends AbstractAuthzTest {
    /**
     * Registers the {@code authz-test} realm that every test in this class evaluates policies against.
     *
     * <p>Fixture contents, as built below:
     * <ul>
     *   <li>realm roles {@code uma_authorization}, {@code role-a} and {@code role-b};</li>
     *   <li>group tree {@code Group A} with children {@code Group B} (children {@code Group C} and
     *       {@code Group E}) and {@code Group D} (holding realm role {@code role-a}), plus a separate
     *       top-level {@code Group E};</li>
     *   <li>users {@code marta}, {@code alice}, {@code kolo}, {@code trinity} and {@code jdoe} with the
     *       role and group assignments the individual tests rely on;</li>
     *   <li>client {@code resource-server-test} with authorization services enabled and the group
     *       membership mapper, and client {@code role-mapping-client} with two default client roles.</li>
     * </ul>
     *
     * <p>Every user shares the literal password {@code "password"} and the client secret is
     * {@code "secret"}; these are fixed fixture values for this test realm only.
     *
     * @param list the collection of realm representations this method appends the test realm to
     */
    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void addTestRealms(List<RealmRepresentation> list) {
        // Protocol mapper that publishes group membership as a "groups" claim, with full group paths,
        // in both the access token and the ID token.
        ProtocolMapperRepresentation protocolMapperRepresentation = new ProtocolMapperRepresentation();
        protocolMapperRepresentation.setName("groups");
        protocolMapperRepresentation.setProtocolMapper("oidc-group-membership-mapper");
        protocolMapperRepresentation.setProtocol("openid-connect");
        HashMap hashMap = new HashMap();
        hashMap.put("claim.name", "groups");
        hashMap.put("access.token.claim", "true");
        hashMap.put("id.token.claim", "true");
        hashMap.put("full.path", "true");
        protocolMapperRepresentation.setConfig(hashMap);
        // Single builder chain: roles, then the "Group A" tree, then the top-level "Group E",
        // then the users, then the two clients.
        list.add(RealmBuilder.create().name("authz-test").roles(RolesBuilder.create().realmRole(RoleBuilder.create().name("uma_authorization").build()).realmRole(RoleBuilder.create().name("role-a").build()).realmRole(RoleBuilder.create().name("role-b").build())).group(GroupBuilder.create().name("Group A").subGroups((List) Arrays.asList("Group B", "Group D").stream().map(str -> {
            // "Group B" receives the children "Group C" and "Group E"; any other name (here "Group D")
            // becomes a leaf group that holds realm role "role-a".
            return "Group B".equals(str) ? GroupBuilder.create().name(str).subGroups((List) Arrays.asList("Group C", "Group E").stream().map(new Function<String, GroupRepresentation>() { // from class: org.keycloak.testsuite.authz.PolicyEvaluationTest.1
                @Override // java.util.function.Function
                public GroupRepresentation apply(String str) {
                    return GroupBuilder.create().name(str).build();
                }
            }).collect(Collectors.toList())).build() : GroupBuilder.create().name(str).realmRoles(Arrays.asList("role-a")).build();
        }).collect(Collectors.toList())).build()).group(GroupBuilder.create().name("Group E").build()).user(UserBuilder.create().username("marta").password("password").addRoles("uma_authorization", "role-a").addGroups("Group A")).user(UserBuilder.create().username("alice").password("password").addRoles("uma_authorization").addGroups("/Group A/Group B/Group E")).user(UserBuilder.create().username("kolo").password("password").addRoles("uma_authorization").addGroups("/Group A/Group D")).user(UserBuilder.create().username("trinity").password("password").addRoles("uma_authorization").role("role-mapping-client", "client-role-a")).user(UserBuilder.create().username("jdoe").password("password").addGroups("/Group A/Group B", "/Group A/Group D")).client(ClientBuilder.create().clientId("resource-server-test").secret("secret").authorizationServicesEnabled(true).redirectUris("http://localhost/resource-server-test").defaultRoles("uma_protection").directAccessGrants().protocolMapper(protocolMapperRepresentation)).client(ClientBuilder.create().clientId("role-mapping-client").defaultRoles("client-role-a", "client-role-b")).build());
    }

    /**
     * JUnit entry point for the time-policy check: passes
     * {@link #testCheckDateAndTime(KeycloakSession)} to {@code testingClient.server().run(...)},
     * which supplies the {@link KeycloakSession} the static method works on.
     */
    @Test
    public void testCheckDateAndTime() {
        // NOTE(review): presumably the callback is executed inside the auth server — confirm against the testing client.
        this.testingClient.server().run(PolicyEvaluationTest::testCheckDateAndTime);
    }

    /**
     * Evaluates a time policy twice: once with no extra context attributes and once with a
     * {@code kc.time.date_time} attribute placed after the policy's {@code notOnOrAfter} bound.
     *
     * <p>The policy's upper bound is one hour ahead of the current system time, so the first
     * evaluation must yield {@code PERMIT}. The second evaluation passes a context attribute that is
     * ninety minutes ahead and must yield {@code DENY}, which shows that the decision follows the
     * context attribute rather than the system clock.
     *
     * @param keycloakSession session used to resolve the realm, client and authorization provider
     */
    public static void testCheckDateAndTime(KeycloakSession keycloakSession) {
        keycloakSession.getContext().setRealm(keycloakSession.realms().getRealmByName("authz-test"));
        AuthorizationProvider authorization = keycloakSession.getProvider(AuthorizationProvider.class);
        ClientModel client = keycloakSession.clients().getClientByClientId(keycloakSession.getContext().getRealm(), "resource-server-test");
        StoreFactory stores = authorization.getStoreFactory();
        ResourceServer resourceServer = stores.getResourceServerStore().findById(client.getId());
        SimpleDateFormat formatter = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");

        // The policy stops applying one hour (3600000 ms) from now.
        TimePolicyRepresentation timePolicy = new TimePolicyRepresentation();
        timePolicy.setName("testCheckDateAndTime");
        timePolicy.setNotOnOrAfter(formatter.format(new Date(System.currentTimeMillis() + 3600000)));
        Policy policy = stores.getPolicyStore().create(timePolicy, resourceServer);
        PolicyProvider policyProvider = authorization.getProvider(policy.getType());

        // No context override: the evaluation time is before the bound.
        DefaultEvaluation withinWindow = createEvaluation(keycloakSession, authorization, resourceServer, policy);
        policyProvider.evaluate(withinWindow);
        Assert.assertEquals(Decision.Effect.PERMIT, withinWindow.getEffect());

        // Context claims a time ninety minutes (5400000 ms) ahead, i.e. past the bound.
        // NOTE(review): presumably createEvaluationContext overlays these attributes on its defaults — confirm.
        long afterExpiryMillis = System.currentTimeMillis() + 5400000;
        Map<String, Collection<String>> contextAttributes = new HashMap<>();
        contextAttributes.put("kc.time.date_time", Arrays.asList(formatter.format(new Date(afterExpiryMillis))));
        DefaultEvaluation pastWindow = createEvaluation(keycloakSession, authorization, null, resourceServer, policy, contextAttributes);
        policyProvider.evaluate(pastWindow);
        Assert.assertEquals(Decision.Effect.DENY, pastWindow.getEffect());
    }

    /**
     * JUnit entry point for the group-membership checks: passes
     * {@link #testCheckUserInGroup(KeycloakSession)} to {@code testingClient.server().run(...)},
     * which supplies the {@link KeycloakSession} the static method works on.
     */
    @Test
    public void testCheckUserInGroup() {
        this.testingClient.server().run(PolicyEvaluationTest::testCheckUserInGroup);
    }

    /**
     * Exercises {@code realm.isUserInGroup(...)} from a JS policy for nine user/group combinations.
     *
     * <p>One policy is created and then re-coded for each case. A case "grants" when the evaluation
     * effect is {@code PERMIT}; when the script does not call {@code $evaluation.grant()} the effect
     * stays {@code null}.
     *
     * @param keycloakSession session used to resolve the realm, client and authorization provider
     */
    public static void testCheckUserInGroup(KeycloakSession keycloakSession) {
        keycloakSession.getContext().setRealm(keycloakSession.realms().getRealmByName("authz-test"));
        AuthorizationProvider authorization = keycloakSession.getProvider(AuthorizationProvider.class);
        ClientModel client = keycloakSession.clients().getClientByClientId(keycloakSession.getContext().getRealm(), "resource-server-test");
        StoreFactory stores = authorization.getStoreFactory();
        ResourceServer resourceServer = stores.getResourceServerStore().findById(client.getId());
        JSPolicyRepresentation jsPolicy = new JSPolicyRepresentation();
        jsPolicy.setName("testCheckUserInGroup");

        // Case 1: marta against 'Group C' (a nested group she was not added to) -> no grant.
        jsPolicy.setCode("var realm = $evaluation.getRealm();if (realm.isUserInGroup('marta', 'Group C')) { $evaluation.grant(); }");
        Policy policy = stores.getPolicyStore().create(jsPolicy, resourceServer);
        PolicyProvider policyProvider = authorization.getProvider(policy.getType());
        DefaultEvaluation evaluation = createEvaluation(keycloakSession, authorization, resourceServer, policy);
        policyProvider.evaluate(evaluation);
        Assert.assertNull(evaluation.getEffect());

        // Case 2: marta against 'Group A' given by bare name -> grant.
        jsPolicy.setCode("var realm = $evaluation.getRealm();if (realm.isUserInGroup('marta', 'Group A')) { $evaluation.grant(); }");
        jsPolicy.setId(policy.getId());
        policy = RepresentationToModel.toModel(jsPolicy, authorization, policy);
        evaluation = createEvaluation(keycloakSession, authorization, resourceServer, policy);
        policyProvider.evaluate(evaluation);
        Assert.assertEquals(Decision.Effect.PERMIT, evaluation.getEffect());

        // Case 3: marta against '/Group A' given by path -> grant.
        jsPolicy.setCode("var realm = $evaluation.getRealm();if (realm.isUserInGroup('marta', '/Group A')) { $evaluation.grant(); }");
        jsPolicy.setId(policy.getId());
        policy = RepresentationToModel.toModel(jsPolicy, authorization, policy);
        evaluation = createEvaluation(keycloakSession, authorization, resourceServer, policy);
        policyProvider.evaluate(evaluation);
        Assert.assertEquals(Decision.Effect.PERMIT, evaluation.getEffect());

        // Case 4: marta against the child '/Group A/Group B' -> no grant; membership of the
        // parent does not extend to the child.
        jsPolicy.setCode("var realm = $evaluation.getRealm();if (realm.isUserInGroup('marta', '/Group A/Group B')) { $evaluation.grant(); }");
        jsPolicy.setId(policy.getId());
        policy = RepresentationToModel.toModel(jsPolicy, authorization, policy);
        evaluation = createEvaluation(keycloakSession, authorization, resourceServer, policy);
        policyProvider.evaluate(evaluation);
        Assert.assertNull(evaluation.getEffect());

        // Case 5: alice against the exact group she was added to -> grant.
        jsPolicy.setCode("var realm = $evaluation.getRealm();if (realm.isUserInGroup('alice', '/Group A/Group B/Group E')) { $evaluation.grant(); }");
        jsPolicy.setId(policy.getId());
        policy = RepresentationToModel.toModel(jsPolicy, authorization, policy);
        evaluation = createEvaluation(keycloakSession, authorization, resourceServer, policy);
        policyProvider.evaluate(evaluation);
        Assert.assertEquals(Decision.Effect.PERMIT, evaluation.getEffect());

        // Case 6: alice against the ancestor '/Group A' -> grant; membership of a descendant
        // counts for the ancestor in the two-argument form.
        jsPolicy.setCode("var realm = $evaluation.getRealm();if (realm.isUserInGroup('alice', '/Group A')) { $evaluation.grant(); }");
        jsPolicy.setId(policy.getId());
        policy = RepresentationToModel.toModel(jsPolicy, authorization, policy);
        evaluation = createEvaluation(keycloakSession, authorization, resourceServer, policy);
        policyProvider.evaluate(evaluation);
        Assert.assertEquals(Decision.Effect.PERMIT, evaluation.getEffect());

        // Case 7: negated three-argument form with 'false' -> no grant, so the call itself
        // evaluated truthy for alice and '/Group A'.
        // NOTE(review): the meaning of the third argument is not visible in this file — confirm.
        jsPolicy.setCode("var realm = $evaluation.getRealm();if (!realm.isUserInGroup('alice', '/Group A', false)) { $evaluation.grant(); }");
        jsPolicy.setId(policy.getId());
        policy = RepresentationToModel.toModel(jsPolicy, authorization, policy);
        evaluation = createEvaluation(keycloakSession, authorization, resourceServer, policy);
        policyProvider.evaluate(evaluation);
        Assert.assertNull(evaluation.getEffect());

        // Case 8: alice against the top-level '/Group E' -> no grant; it is a different group
        // from the nested '/Group A/Group B/Group E' she belongs to.
        jsPolicy.setCode("var realm = $evaluation.getRealm();if (realm.isUserInGroup('alice', '/Group E')) { $evaluation.grant(); }");
        jsPolicy.setId(policy.getId());
        policy = RepresentationToModel.toModel(jsPolicy, authorization, policy);
        evaluation = createEvaluation(keycloakSession, authorization, resourceServer, policy);
        policyProvider.evaluate(evaluation);
        Assert.assertNull(evaluation.getEffect());

        // Case 9: alice against 'Group E' given by bare name -> no grant.
        jsPolicy.setCode("var realm = $evaluation.getRealm();if (realm.isUserInGroup('alice', 'Group E')) { $evaluation.grant(); }");
        jsPolicy.setId(policy.getId());
        policy = RepresentationToModel.toModel(jsPolicy, authorization, policy);
        evaluation = createEvaluation(keycloakSession, authorization, resourceServer, policy);
        policyProvider.evaluate(evaluation);
        Assert.assertNull(evaluation.getEffect());
    }

    /**
     * JUnit entry point for the realm-role check: passes
     * {@link #testCheckUserInRole(KeycloakSession)} to {@code testingClient.server().run(...)},
     * which supplies the {@link KeycloakSession} the static method works on.
     */
    @Test
    public void testCheckUserInRole() {
        this.testingClient.server().run(PolicyEvaluationTest::testCheckUserInRole);
    }

    /**
     * Exercises {@code realm.isUserInRealmRole(...)} from a JS policy.
     *
     * <p>{@code marta} holds {@code role-a} in the fixture realm, so the first script must grant
     * ({@code PERMIT}); she does not hold {@code role-b}, so the re-coded policy must leave the
     * effect {@code null}.
     *
     * @param keycloakSession session used to resolve the realm, client and authorization provider
     */
    public static void testCheckUserInRole(KeycloakSession keycloakSession) {
        keycloakSession.getContext().setRealm(keycloakSession.realms().getRealmByName("authz-test"));
        AuthorizationProvider authorization = keycloakSession.getProvider(AuthorizationProvider.class);
        ClientModel client = keycloakSession.clients().getClientByClientId(keycloakSession.getContext().getRealm(), "resource-server-test");
        StoreFactory stores = authorization.getStoreFactory();
        ResourceServer resourceServer = stores.getResourceServerStore().findById(client.getId());
        JSPolicyRepresentation jsPolicy = new JSPolicyRepresentation();
        jsPolicy.setName("testCheckUserInRole");

        // Positive case: a role the user holds.
        jsPolicy.setCode("var realm = $evaluation.getRealm();if (realm.isUserInRealmRole('marta', 'role-a')) { $evaluation.grant(); }");
        Policy policy = stores.getPolicyStore().create(jsPolicy, resourceServer);
        PolicyProvider policyProvider = authorization.getProvider(policy.getType());
        DefaultEvaluation granted = createEvaluation(keycloakSession, authorization, resourceServer, policy);
        policyProvider.evaluate(granted);
        Assert.assertEquals(Decision.Effect.PERMIT, granted.getEffect());

        // Negative case: same policy, re-coded for a role the user does not hold.
        jsPolicy.setCode("var realm = $evaluation.getRealm();if (realm.isUserInRealmRole('marta', 'role-b')) { $evaluation.grant(); }");
        jsPolicy.setId(policy.getId());
        Policy recoded = RepresentationToModel.toModel(jsPolicy, authorization, policy);
        DefaultEvaluation notGranted = createEvaluation(keycloakSession, authorization, resourceServer, recoded);
        policyProvider.evaluate(notGranted);
        Assert.assertNull(notGranted.getEffect());
    }

    /**
     * JUnit entry point for the client-role check: passes
     * {@link #testCheckUserInClientRole(KeycloakSession)} to {@code testingClient.server().run(...)},
     * which supplies the {@link KeycloakSession} the static method works on.
     */
    @Test
    public void testCheckUserInClientRole() {
        this.testingClient.server().run(PolicyEvaluationTest::testCheckUserInClientRole);
    }

    /**
     * Exercises {@code realm.isUserInClientRole(...)} from a JS policy.
     *
     * <p>{@code trinity} holds {@code client-role-a} of client {@code role-mapping-client} in the
     * fixture realm, so the first script must grant ({@code PERMIT}). The second script must leave
     * the effect {@code null}.
     *
     * @param keycloakSession session used to resolve the realm, client and authorization provider
     */
    public static void testCheckUserInClientRole(KeycloakSession keycloakSession) {
        keycloakSession.getContext().setRealm(keycloakSession.realms().getRealmByName("authz-test"));
        AuthorizationProvider authorization = keycloakSession.getProvider(AuthorizationProvider.class);
        ClientModel client = keycloakSession.clients().getClientByClientId(keycloakSession.getContext().getRealm(), "resource-server-test");
        StoreFactory stores = authorization.getStoreFactory();
        ResourceServer resourceServer = stores.getResourceServerStore().findById(client.getId());
        JSPolicyRepresentation jsPolicy = new JSPolicyRepresentation();
        jsPolicy.setName("testCheckUserInClientRole");

        // Positive case: a client role the user holds.
        jsPolicy.setCode("var realm = $evaluation.getRealm();if (realm.isUserInClientRole('trinity', 'role-mapping-client', 'client-role-a')) { $evaluation.grant(); }");
        Policy policy = stores.getPolicyStore().create(jsPolicy, resourceServer);
        PolicyProvider policyProvider = authorization.getProvider(policy.getType());
        DefaultEvaluation granted = createEvaluation(keycloakSession, authorization, resourceServer, policy);
        policyProvider.evaluate(granted);
        Assert.assertEquals(Decision.Effect.PERMIT, granted.getEffect());

        // NOTE(review): the negative case asks isUserInRealmRole about a client role name, so it
        // never shows isUserInClientRole returning false for a role the user lacks. Confirm whether
        // isUserInClientRole('trinity', 'role-mapping-client', 'client-role-b') was intended.
        jsPolicy.setCode("var realm = $evaluation.getRealm();if (realm.isUserInRealmRole('trinity', 'client-role-b')) { $evaluation.grant(); }");
        jsPolicy.setId(policy.getId());
        Policy recoded = RepresentationToModel.toModel(jsPolicy, authorization, policy);
        DefaultEvaluation notGranted = createEvaluation(keycloakSession, authorization, resourceServer, recoded);
        policyProvider.evaluate(notGranted);
        Assert.assertNull(notGranted.getEffect());
    }

    /**
     * JUnit entry point for the group-role check: passes
     * {@link #testCheckGroupInRole(KeycloakSession)} to {@code testingClient.server().run(...)},
     * which supplies the {@link KeycloakSession} the static method works on.
     */
    @Test
    public void testCheckGroupInRole() {
        this.testingClient.server().run(PolicyEvaluationTest::testCheckGroupInRole);
    }

    /**
     * Exercises {@code realm.isGroupInRole(...)} from a JS policy.
     *
     * <p>{@code /Group A/Group D} is built with realm role {@code role-a} in the fixture realm, so
     * the first script must grant ({@code PERMIT}); the group has no {@code role-b}, so the re-coded
     * policy must leave the effect {@code null}.
     *
     * @param keycloakSession session used to resolve the realm, client and authorization provider
     */
    public static void testCheckGroupInRole(KeycloakSession keycloakSession) {
        keycloakSession.getContext().setRealm(keycloakSession.realms().getRealmByName("authz-test"));
        AuthorizationProvider authorization = keycloakSession.getProvider(AuthorizationProvider.class);
        ClientModel client = keycloakSession.clients().getClientByClientId(keycloakSession.getContext().getRealm(), "resource-server-test");
        StoreFactory stores = authorization.getStoreFactory();
        ResourceServer resourceServer = stores.getResourceServerStore().findById(client.getId());
        JSPolicyRepresentation jsPolicy = new JSPolicyRepresentation();
        jsPolicy.setName("testCheckGroupInRole");

        // Positive case: a role mapped to the group.
        jsPolicy.setCode("var realm = $evaluation.getRealm();if (realm.isGroupInRole('/Group A/Group D', 'role-a')) { $evaluation.grant(); }");
        Policy policy = stores.getPolicyStore().create(jsPolicy, resourceServer);
        PolicyProvider policyProvider = authorization.getProvider(policy.getType());
        DefaultEvaluation granted = createEvaluation(keycloakSession, authorization, resourceServer, policy);
        policyProvider.evaluate(granted);
        Assert.assertEquals(Decision.Effect.PERMIT, granted.getEffect());

        // Negative case: same policy, re-coded for a role the group does not carry.
        jsPolicy.setCode("var realm = $evaluation.getRealm();if (realm.isGroupInRole('/Group A/Group D', 'role-b')) { $evaluation.grant(); }");
        jsPolicy.setId(policy.getId());
        Policy recoded = RepresentationToModel.toModel(jsPolicy, authorization, policy);
        DefaultEvaluation notGranted = createEvaluation(keycloakSession, authorization, resourceServer, recoded);
        policyProvider.evaluate(notGranted);
        Assert.assertNull(notGranted.getEffect());
    }

    /**
     * JUnit entry point for the realm-role listing check: passes
     * {@link #testCheckUserRealmRoles(KeycloakSession)} to {@code testingClient.server().run(...)},
     * which supplies the {@link KeycloakSession} the static method works on.
     */
    @Test
    public void testCheckUserRealmRoles() {
        this.testingClient.server().run(PolicyEvaluationTest::testCheckUserRealmRoles);
    }

    /**
     * Exercises {@code realm.getUserRealmRoles(...)} from a JS policy.
     *
     * <p>The script grants only when {@code marta} has exactly two realm roles,
     * {@code uma_authorization} and {@code role-a}, which is what the fixture realm assigns her.
     * The exact-size check means an extra role leaking into the result would fail the test.
     *
     * @param keycloakSession session used to resolve the realm, client and authorization provider
     */
    public static void testCheckUserRealmRoles(KeycloakSession keycloakSession) {
        keycloakSession.getContext().setRealm(keycloakSession.realms().getRealmByName("authz-test"));
        AuthorizationProvider authorization = keycloakSession.getProvider(AuthorizationProvider.class);
        ClientModel client = keycloakSession.clients().getClientByClientId(keycloakSession.getContext().getRealm(), "resource-server-test");
        StoreFactory stores = authorization.getStoreFactory();
        ResourceServer resourceServer = stores.getResourceServerStore().findById(client.getId());

        JSPolicyRepresentation jsPolicy = new JSPolicyRepresentation();
        jsPolicy.setName("testCheckUserRealmRoles");
        jsPolicy.setCode("var realm = $evaluation.getRealm();var roles = realm.getUserRealmRoles('marta');if (roles.size() == 2 && roles.contains('uma_authorization') && roles.contains('role-a')) { $evaluation.grant(); }");
        Policy policy = stores.getPolicyStore().create(jsPolicy, resourceServer);

        PolicyProvider policyProvider = authorization.getProvider(policy.getType());
        DefaultEvaluation evaluation = createEvaluation(keycloakSession, authorization, resourceServer, policy);
        policyProvider.evaluate(evaluation);
        Assert.assertEquals(Decision.Effect.PERMIT, evaluation.getEffect());
    }

    /**
     * JUnit entry point for the client-role listing check: passes
     * {@link #testCheckUserClientRoles(KeycloakSession)} to {@code testingClient.server().run(...)},
     * which supplies the {@link KeycloakSession} the static method works on.
     */
    @Test
    public void testCheckUserClientRoles() {
        this.testingClient.server().run(PolicyEvaluationTest::testCheckUserClientRoles);
    }

    /**
     * Exercises {@code realm.getUserClientRoles(...)} from a JS policy.
     *
     * <p>The script grants only when {@code trinity} has exactly one role on client
     * {@code role-mapping-client}, namely {@code client-role-a}. The exact-size check means the
     * client's other role, {@code client-role-b}, must not appear in the result.
     *
     * @param keycloakSession session used to resolve the realm, client and authorization provider
     */
    public static void testCheckUserClientRoles(KeycloakSession keycloakSession) {
        keycloakSession.getContext().setRealm(keycloakSession.realms().getRealmByName("authz-test"));
        AuthorizationProvider authorization = keycloakSession.getProvider(AuthorizationProvider.class);
        ClientModel client = keycloakSession.clients().getClientByClientId(keycloakSession.getContext().getRealm(), "resource-server-test");
        StoreFactory stores = authorization.getStoreFactory();
        ResourceServer resourceServer = stores.getResourceServerStore().findById(client.getId());

        JSPolicyRepresentation jsPolicy = new JSPolicyRepresentation();
        jsPolicy.setName("testCheckUserClientRoles");
        jsPolicy.setCode("var realm = $evaluation.getRealm();var roles = realm.getUserClientRoles('trinity', 'role-mapping-client');if (roles.size() == 1 && roles.contains('client-role-a')) { $evaluation.grant(); }");
        Policy policy = stores.getPolicyStore().create(jsPolicy, resourceServer);

        PolicyProvider policyProvider = authorization.getProvider(policy.getType());
        DefaultEvaluation evaluation = createEvaluation(keycloakSession, authorization, resourceServer, policy);
        policyProvider.evaluate(evaluation);
        Assert.assertEquals(Decision.Effect.PERMIT, evaluation.getEffect());
    }

    /**
     * JUnit entry point for the group listing check: passes
     * {@link #testCheckUserGroups(KeycloakSession)} to {@code testingClient.server().run(...)},
     * which supplies the {@link KeycloakSession} the static method works on.
     */
    @Test
    public void testCheckUserGroups() {
        this.testingClient.server().run(PolicyEvaluationTest::testCheckUserGroups);
    }

    /**
     * Exercises {@code realm.getUserGroups(...)} from a JS policy.
     *
     * <p>The script grants only when {@code jdoe} belongs to exactly two groups, reported by full
     * path as {@code /Group A/Group B} and {@code /Group A/Group D}. The exact-size check means the
     * shared parent {@code /Group A} must not be listed.
     *
     * @param keycloakSession session used to resolve the realm, client and authorization provider
     */
    public static void testCheckUserGroups(KeycloakSession keycloakSession) {
        keycloakSession.getContext().setRealm(keycloakSession.realms().getRealmByName("authz-test"));
        AuthorizationProvider authorization = keycloakSession.getProvider(AuthorizationProvider.class);
        ClientModel client = keycloakSession.clients().getClientByClientId(keycloakSession.getContext().getRealm(), "resource-server-test");
        StoreFactory stores = authorization.getStoreFactory();
        ResourceServer resourceServer = stores.getResourceServerStore().findById(client.getId());

        JSPolicyRepresentation jsPolicy = new JSPolicyRepresentation();
        jsPolicy.setName("testCheckUserGroups");
        jsPolicy.setCode("var realm = $evaluation.getRealm();var groups = realm.getUserGroups('jdoe');if (groups.size() == 2 && groups.contains('/Group A/Group B') && groups.contains('/Group A/Group D')) { $evaluation.grant(); }");
        Policy policy = stores.getPolicyStore().create(jsPolicy, resourceServer);

        PolicyProvider policyProvider = authorization.getProvider(policy.getType());
        DefaultEvaluation evaluation = createEvaluation(keycloakSession, authorization, resourceServer, policy);
        policyProvider.evaluate(evaluation);
        Assert.assertEquals(Decision.Effect.PERMIT, evaluation.getEffect());
    }

    /**
     * JUnit entry point for the user-attribute check: passes
     * {@link #testCheckUserAttributes(KeycloakSession)} to {@code testingClient.server().run(...)},
     * which supplies the {@link KeycloakSession} the static method works on.
     */
    @Test
    public void testCheckUserAttributes() {
        this.testingClient.server().run(PolicyEvaluationTest::testCheckUserAttributes);
    }

    /**
     * Exercises {@code realm.getUserAttributes(...)} from a JS policy.
     *
     * <p>Sets a two-valued attribute {@code a1} and a single-valued attribute {@code a2} on
     * {@code jdoe}, then requires the script to see both with the stored values.
     *
     * @param keycloakSession session used to resolve the realm, user, client and authorization provider
     */
    public static void testCheckUserAttributes(KeycloakSession keycloakSession) {
        RealmModel realm = keycloakSession.realms().getRealmByName("authz-test");
        UserModel jdoe = keycloakSession.users().getUserByUsername(realm, "jdoe");
        jdoe.setAttribute("a1", Arrays.asList("1", "2"));
        jdoe.setSingleAttribute("a2", "3");
        keycloakSession.getContext().setRealm(realm);

        AuthorizationProvider authorization = keycloakSession.getProvider(AuthorizationProvider.class);
        ClientModel client = keycloakSession.clients().getClientByClientId(keycloakSession.getContext().getRealm(), "resource-server-test");
        StoreFactory stores = authorization.getStoreFactory();
        ResourceServer resourceServer = stores.getResourceServerStore().findById(client.getId());

        // The script expects six attributes in total: a1 and a2 plus four that this method does
        // not set. NOTE(review): the origin of those four is not visible in this file — confirm.
        JSPolicyRepresentation jsPolicy = new JSPolicyRepresentation();
        jsPolicy.setName("testCheckUserAttributes");
        jsPolicy.setCode("var realm = $evaluation.getRealm();var attributes = realm.getUserAttributes('jdoe');if (attributes.size() == 6 && attributes.containsKey('a1') && attributes.containsKey('a2') && attributes.get('a1').size() == 2 && attributes.get('a2').get(0).equals('3')) { $evaluation.grant(); }");
        Policy policy = stores.getPolicyStore().create(jsPolicy, resourceServer);

        PolicyProvider policyProvider = authorization.getProvider(policy.getType());
        DefaultEvaluation evaluation = createEvaluation(keycloakSession, authorization, resourceServer, policy);
        policyProvider.evaluate(evaluation);
        Assert.assertEquals(Decision.Effect.PERMIT, evaluation.getEffect());
    }

    /**
     * JUnit entry point for the resource-attribute check: passes
     * {@link #testCheckResourceAttributes(KeycloakSession)} to {@code testingClient.server().run(...)},
     * which supplies the {@link KeycloakSession} the static method works on.
     */
    @Test
    public void testCheckResourceAttributes() {
        this.testingClient.server().run(PolicyEvaluationTest::testCheckResourceAttributes);
    }

    /**
     * Exercises the resource attribute accessors available to a JS policy through
     * {@code $evaluation.getPermission().getResource()}.
     *
     * <p>Creates a resource with attributes {@code a1} (two values) and {@code a2} (one value) and
     * requires the script to read them back through {@code getAttributes()},
     * {@code getAttribute(...)} and {@code getSingleAttribute(...)}.
     *
     * @param keycloakSession session used to resolve the realm, client and authorization provider
     */
    public static void testCheckResourceAttributes(KeycloakSession keycloakSession) {
        keycloakSession.getContext().setRealm(keycloakSession.realms().getRealmByName("authz-test"));
        AuthorizationProvider authorization = keycloakSession.getProvider(AuthorizationProvider.class);
        ClientModel client = keycloakSession.clients().getClientByClientId(keycloakSession.getContext().getRealm(), "resource-server-test");
        StoreFactory stores = authorization.getStoreFactory();
        ResourceServer resourceServer = stores.getResourceServerStore().findById(client.getId());

        JSPolicyRepresentation jsPolicy = new JSPolicyRepresentation();
        jsPolicy.setName("testCheckResourceAttributes");
        jsPolicy.setCode("var permission = $evaluation.getPermission();var resource = permission.getResource();var attributes = resource.getAttributes();if (attributes.size() == 2 && attributes.containsKey('a1') && attributes.containsKey('a2') && attributes.get('a1').size() == 2 && attributes.get('a2').get(0).equals('3') && resource.getAttribute('a1').size() == 2 && resource.getSingleAttribute('a2').equals('3')) { $evaluation.grant(); }");
        Policy policy = stores.getPolicyStore().create(jsPolicy, resourceServer);
        PolicyProvider policyProvider = authorization.getProvider(policy.getType());

        // The resource is owned by the resource server itself (owner id = resource server id).
        Resource resource = stores.getResourceStore().create("testCheckResourceAttributesResource", resourceServer, resourceServer.getId());
        resource.setAttribute("a1", Arrays.asList("1", "2"));
        resource.setAttribute("a2", Arrays.asList("3"));

        DefaultEvaluation evaluation = createEvaluation(keycloakSession, authorization, resource, resourceServer, policy);
        policyProvider.evaluate(evaluation);
        Assert.assertEquals(Decision.Effect.PERMIT, evaluation.getEffect());
    }

    /**
     * JUnit entry point for the read-only check: passes
     * {@link #testCheckReadOnlyInstances(KeycloakSession)} to {@code testingClient.server().run(...)},
     * which supplies the {@link KeycloakSession} the static method works on.
     */
    @Test
    public void testCheckReadOnlyInstances() {
        this.testingClient.server().run(PolicyEvaluationTest::testCheckReadOnlyInstances);
    }

    /**
     * Guards the property that a JS policy cannot modify the model objects it is handed.
     *
     * <p>The policy script calls {@code setName('test')} on the resource reached through
     * {@code $evaluation}. The policy is attached to a resource permission, the transaction is
     * committed, and a full evaluation is run; the test fails unless that evaluation throws.
     *
     * @param keycloakSession session used to resolve the realm, client and authorization provider
     */
    public static void testCheckReadOnlyInstances(KeycloakSession keycloakSession) {
        keycloakSession.getContext().setRealm(keycloakSession.realms().getRealmByName("authz-test"));
        AuthorizationProvider authorization = keycloakSession.getProvider(AuthorizationProvider.class);
        ClientModel client = keycloakSession.clients().getClientByClientId(keycloakSession.getContext().getRealm(), "resource-server-test");
        StoreFactory stores = authorization.getStoreFactory();
        ResourceServer resourceServer = stores.getResourceServerStore().findById(client.getId());

        // Script that attempts a write on the evaluated resource.
        JSPolicyRepresentation jsPolicy = new JSPolicyRepresentation();
        jsPolicy.setName("testCheckReadOnlyInstances");
        jsPolicy.setCode("$evaluation.getPermission().getResource().setName('test')");
        Policy policy = stores.getPolicyStore().create(jsPolicy, resourceServer);

        Resource resource = stores.getResourceStore().create("Resource A", resourceServer, resourceServer.getId());
        Scope scope = stores.getScopeStore().create("Scope A", resourceServer);
        resource.updateScopes(new HashSet<Scope>(Arrays.asList(scope)));

        ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
        permission.setName("testCheckReadOnlyInstances permission");
        permission.addPolicy(new String[]{policy.getId()});
        permission.addResource(resource.getId());
        stores.getPolicyStore().create(permission, resourceServer);

        // Commit before evaluating, so the evaluation runs after the setup above was committed.
        keycloakSession.getTransactionManager().commit();
        try {
            authorization.evaluators()
                    .from(Arrays.asList(new ResourcePermission(resource, Arrays.asList(scope), resourceServer)),
                            createEvaluationContext(keycloakSession, Collections.emptyMap()))
                    .evaluate(resourceServer, (AuthorizationRequest) null);
            // AssertionError is not an Exception, so the catch below does not swallow this failure.
            Assert.fail("Instances should be marked as read-only");
        } catch (Exception expected) {
            // Any exception counts as success here.
            // NOTE(review): this also passes when evaluation fails for a reason unrelated to the
            // read-only guard; asserting the exception type or message would make the check
            // specific. The expected type is not visible in this file.
        }
    }

    /**
     * JUnit entry point for the negative-logic check: passes
     * {@link #testCachedDecisionsWithNegativePolicies(KeycloakSession)} to
     * {@code testingClient.server().run(...)}, which supplies the {@link KeycloakSession} the
     * static method works on.
     */
    @Test
    public void testCachedDecisionsWithNegativePolicies() {
        this.testingClient.server().run(PolicyEvaluationTest::testCachedDecisionsWithNegativePolicies);
    }

    /**
     * Checks that one negated policy shared by two scope permissions denies both scopes.
     *
     * <p>The JS policy always calls {@code $evaluation.grant()} but carries {@link Logic#NEGATIVE}.
     * It is attached to one scope permission for {@code read} and another for {@code write}. A
     * request for both scopes on a fresh resource must produce an empty result.
     *
     * <p>NOTE(review): the method name suggests the second permission reuses a cached decision of
     * the shared policy; that caching is not visible in this file — confirm.
     *
     * @param keycloakSession session used to resolve the realm, client and authorization provider
     */
    public static void testCachedDecisionsWithNegativePolicies(KeycloakSession keycloakSession) {
        keycloakSession.getContext().setRealm(keycloakSession.realms().getRealmByName("authz-test"));
        AuthorizationProvider authorization = keycloakSession.getProvider(AuthorizationProvider.class);
        ClientModel client = keycloakSession.clients().getClientByClientId(keycloakSession.getContext().getRealm(), "resource-server-test");
        StoreFactory stores = authorization.getStoreFactory();
        ResourceServer resourceServer = stores.getResourceServerStore().findById(client.getId());
        Scope readScope = stores.getScopeStore().create("read", resourceServer);
        Scope writeScope = stores.getScopeStore().create("write", resourceServer);

        // Always-grant script whose outcome is inverted by NEGATIVE logic.
        JSPolicyRepresentation negatedPolicy = new JSPolicyRepresentation();
        negatedPolicy.setName(KeycloakModelUtils.generateId());
        negatedPolicy.setCode("$evaluation.grant()");
        negatedPolicy.setLogic(Logic.NEGATIVE);
        stores.getPolicyStore().create(negatedPolicy, resourceServer);

        // Both permissions reference the policy by its generated name.
        ScopePermissionRepresentation readPermission = new ScopePermissionRepresentation();
        readPermission.setName(KeycloakModelUtils.generateId());
        readPermission.addScope(new String[]{readScope.getId()});
        readPermission.addPolicy(new String[]{negatedPolicy.getName()});
        stores.getPolicyStore().create(readPermission, resourceServer);

        ScopePermissionRepresentation writePermission = new ScopePermissionRepresentation();
        writePermission.setName(KeycloakModelUtils.generateId());
        writePermission.addScope(new String[]{writeScope.getId()});
        writePermission.addPolicy(new String[]{negatedPolicy.getName()});
        stores.getPolicyStore().create(writePermission, resourceServer);

        // No permission may come back for either scope.
        Assert.assertEquals(0L, authorization.evaluators()
                .from(Arrays.asList(new ResourcePermission(
                                stores.getResourceStore().create(KeycloakModelUtils.generateId(), resourceServer, resourceServer.getId()),
                                Arrays.asList(readScope, writeScope),
                                resourceServer)),
                        createEvaluationContext(keycloakSession, Collections.emptyMap()))
                .evaluate(resourceServer, (AuthorizationRequest) null)
                .size());
    }

    /**
     * Builds an evaluation for {@code policy} with no resource and no extra context attributes.
     *
     * @param keycloakSession session used to build the evaluation context
     * @param authorizationProvider provider handed to the evaluation
     * @param resourceServer resource server the permission belongs to
     * @param policy policy under evaluation
     * @return a new evaluation whose permission has a {@code null} resource
     */
    private static DefaultEvaluation createEvaluation(KeycloakSession keycloakSession, AuthorizationProvider authorizationProvider, ResourceServer resourceServer, Policy policy) {
        final Resource noResource = null;
        final Map<String, Collection<String>> noExtraAttributes = null;
        return createEvaluation(keycloakSession, authorizationProvider, noResource, resourceServer, policy, noExtraAttributes);
    }

    /**
     * Builds an evaluation for {@code policy} against {@code resource} with no extra context attributes.
     *
     * @param keycloakSession session used to build the evaluation context
     * @param authorizationProvider provider handed to the evaluation
     * @param resource resource the permission refers to; may be {@code null}
     * @param resourceServer resource server the permission belongs to
     * @param policy policy under evaluation
     * @return a new evaluation for the given resource
     */
    private static DefaultEvaluation createEvaluation(KeycloakSession keycloakSession, AuthorizationProvider authorizationProvider, Resource resource, ResourceServer resourceServer, Policy policy) {
        final Map<String, Collection<String>> noExtraAttributes = null;
        return createEvaluation(keycloakSession, authorizationProvider, resource, resourceServer, policy, noExtraAttributes);
    }

    /**
     * Builds the evaluation object the policy tests run against.
     *
     * <p>The permission carries {@code resource} with a {@code null} scope collection, the decision
     * callback does nothing, and the last constructor argument is {@code null} (presumably the decision
     * cache; confirm against {@code DefaultEvaluation}). Tests therefore read the outcome from the
     * returned evaluation itself rather than from a callback.
     *
     * @param keycloakSession session used to build the evaluation context
     * @param authorizationProvider provider handed to the evaluation
     * @param resource resource the permission refers to; may be {@code null}
     * @param resourceServer resource server the permission belongs to
     * @param policy policy under evaluation
     * @param map extra context attributes merged over the base attributes; may be {@code null}
     * @return a new evaluation
     */
    private static DefaultEvaluation createEvaluation(KeycloakSession keycloakSession, AuthorizationProvider authorizationProvider, Resource resource, ResourceServer resourceServer, Policy policy, Map<String, Collection<String>> map) {
        ResourcePermission permission = new ResourcePermission(resource, (Collection) null, resourceServer);
        DefaultEvaluationContext context = createEvaluationContext(keycloakSession, map);
        return new DefaultEvaluation(permission, context, policy, ignored -> {
            // Intentionally empty: no decision callback is needed by these tests.
        }, authorizationProvider, (Map) null);
    }

    /**
     * Creates an evaluation context with a stub identity and optional extra attributes.
     *
     * <p>The identity returns {@code null} for both its id and its attributes, so a policy evaluated with
     * this context gets no identity data from it. Entries of {@code map}, when given, are written into
     * the map returned by the parent {@code getBaseAttributes()} and replace base attributes of the same
     * name.
     *
     * @param keycloakSession session passed to the context
     * @param map extra attributes to overlay on the base attributes; {@code null} leaves them untouched
     * @return the customised evaluation context
     */
    private static DefaultEvaluationContext createEvaluationContext(KeycloakSession keycloakSession, final Map<String, Collection<String>> map) {
        // Stub identity: no id and no attributes.
        Identity stubIdentity = new Identity() {
            public String getId() {
                return null;
            }

            public Attributes getAttributes() {
                return null;
            }
        };

        return new DefaultEvaluationContext(stubIdentity, keycloakSession) {
            public Map<String, Collection<String>> getBaseAttributes() {
                Map<String, Collection<String>> merged = super.getBaseAttributes();
                if (map == null) {
                    return merged;
                }
                // Caller-supplied values win over base attributes with the same key.
                merged.putAll(map);
                return merged;
            }
        };
    }

    /**
     * Synthetic hook that turns a {@link SerializedLambda} back into one of this class's static
     * {@code PolicyEvaluationTest::...} method references, shown here as a decompiler rendered it.
     *
     * <p>Resolution happens in two stages. The first switch maps {@code implMethodName} to an index,
     * comparing the hash code and then the full name. The second switch returns the method reference for
     * that index, but only if the serialized form also matches on impl-method kind, functional interface
     * class, functional interface method name and signature, implementing class and impl-method
     * signature. Anything else falls through to the final {@code throw}, so only the twelve method
     * references listed here can be materialised through this method.
     *
     * <p>NOTE(review): this listing is not valid Java as written. {@code z} is declared {@code boolean}
     * but holds integer indices, most labels of the second switch are rendered as {@code case true}, and
     * two labels are shown as constants of unrelated classes whose inline comments carry the real index.
     * These look like decompiler artefacts; the index comments added below follow the order of the cases
     * and the assignments in the first switch. Treat the method as generated code, not as code to edit.
     *
     * @param serializedLambda serialized form of the lambda to resolve
     * @return the method reference that matches the serialized form
     * @throws IllegalArgumentException if the serialized form matches none of the known method references
     */
    private static /* synthetic */ Object $deserializeLambda$(SerializedLambda serializedLambda) {
        String implMethodName = serializedLambda.getImplMethodName();
        // Decompiler artefact: z is used as an int index below; -1 means "no name matched".
        boolean z = -1;
        // Stage 1: map the implementation method name to an index; equals() rules out hash collisions.
        switch (implMethodName.hashCode()) {
            case -2046117824:
                if (implMethodName.equals("testCheckDateAndTime")) {
                    z = 6;
                    break;
                }
                break;
            case -2016673355:
                if (implMethodName.equals("testCheckUserGroups")) {
                    z = 5;
                    break;
                }
                break;
            case -1963978980:
                if (implMethodName.equals("testCheckUserInRole")) {
                    z = 11;
                    break;
                }
                break;
            case -1912364764:
                if (implMethodName.equals("testCheckGroupInRole")) {
                    z = 3;
                    break;
                }
                break;
            case -1531774792:
                if (implMethodName.equals("testCheckUserAttributes")) {
                    z = 7;
                    break;
                }
                break;
            case -1520366021:
                if (implMethodName.equals("testCheckResourceAttributes")) {
                    z = 8;
                    break;
                }
                break;
            case -763872103:
                if (implMethodName.equals("testCheckUserInGroup")) {
                    z = true; // index 1
                    break;
                }
                break;
            case -116330895:
                if (implMethodName.equals("testCheckUserClientRoles")) {
                    z = 2;
                    break;
                }
                break;
            case -69986226:
                if (implMethodName.equals("testCachedDecisionsWithNegativePolicies")) {
                    z = 9;
                    break;
                }
                break;
            case -43066042:
                if (implMethodName.equals("testCheckReadOnlyInstances")) {
                    z = 4;
                    break;
                }
                break;
            case 1080317135:
                if (implMethodName.equals("testCheckUserRealmRoles")) {
                    z = 10;
                    break;
                }
                break;
            case 1528268039:
                if (implMethodName.equals("testCheckUserInClientRole")) {
                    z = false; // index 0
                    break;
                }
                break;
        }
        // Stage 2: every case applies the same checks before handing out a method reference.
        // Kind 6 is MethodHandleInfo.REF_invokeStatic; the interface must be RunOnServer.run(KeycloakSession)
        // and the implementation must be a (KeycloakSession)V method of PolicyEvaluationTest.
        switch (z) {
            case false: // index 0
                if (serializedLambda.getImplMethodKind() == 6 && serializedLambda.getFunctionalInterfaceClass().equals("org/keycloak/testsuite/runonserver/RunOnServer") && serializedLambda.getFunctionalInterfaceMethodName().equals("run") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("(Lorg/keycloak/models/KeycloakSession;)V") && serializedLambda.getImplClass().equals("org/keycloak/testsuite/authz/PolicyEvaluationTest") && serializedLambda.getImplMethodSignature().equals("(Lorg/keycloak/models/KeycloakSession;)V")) {
                    return PolicyEvaluationTest::testCheckUserInClientRole;
                }
                break;
            case true: // index 1
                if (serializedLambda.getImplMethodKind() == 6 && serializedLambda.getFunctionalInterfaceClass().equals("org/keycloak/testsuite/runonserver/RunOnServer") && serializedLambda.getFunctionalInterfaceMethodName().equals("run") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("(Lorg/keycloak/models/KeycloakSession;)V") && serializedLambda.getImplClass().equals("org/keycloak/testsuite/authz/PolicyEvaluationTest") && serializedLambda.getImplMethodSignature().equals("(Lorg/keycloak/models/KeycloakSession;)V")) {
                    return PolicyEvaluationTest::testCheckUserInGroup;
                }
                break;
            case true: // index 2
                if (serializedLambda.getImplMethodKind() == 6 && serializedLambda.getFunctionalInterfaceClass().equals("org/keycloak/testsuite/runonserver/RunOnServer") && serializedLambda.getFunctionalInterfaceMethodName().equals("run") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("(Lorg/keycloak/models/KeycloakSession;)V") && serializedLambda.getImplClass().equals("org/keycloak/testsuite/authz/PolicyEvaluationTest") && serializedLambda.getImplMethodSignature().equals("(Lorg/keycloak/models/KeycloakSession;)V")) {
                    return PolicyEvaluationTest::testCheckUserClientRoles;
                }
                break;
            case RefreshTokenTest.ALLOWED_CLOCK_SKEW /* 3 */:
                if (serializedLambda.getImplMethodKind() == 6 && serializedLambda.getFunctionalInterfaceClass().equals("org/keycloak/testsuite/runonserver/RunOnServer") && serializedLambda.getFunctionalInterfaceMethodName().equals("run") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("(Lorg/keycloak/models/KeycloakSession;)V") && serializedLambda.getImplClass().equals("org/keycloak/testsuite/authz/PolicyEvaluationTest") && serializedLambda.getImplMethodSignature().equals("(Lorg/keycloak/models/KeycloakSession;)V")) {
                    return PolicyEvaluationTest::testCheckGroupInRole;
                }
                break;
            case true: // index 4
                if (serializedLambda.getImplMethodKind() == 6 && serializedLambda.getFunctionalInterfaceClass().equals("org/keycloak/testsuite/runonserver/RunOnServer") && serializedLambda.getFunctionalInterfaceMethodName().equals("run") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("(Lorg/keycloak/models/KeycloakSession;)V") && serializedLambda.getImplClass().equals("org/keycloak/testsuite/authz/PolicyEvaluationTest") && serializedLambda.getImplMethodSignature().equals("(Lorg/keycloak/models/KeycloakSession;)V")) {
                    return PolicyEvaluationTest::testCheckReadOnlyInstances;
                }
                break;
            case ConcurrentAuthnRequestTest.CONCURRENT_THREADS /* 5 */:
                if (serializedLambda.getImplMethodKind() == 6 && serializedLambda.getFunctionalInterfaceClass().equals("org/keycloak/testsuite/runonserver/RunOnServer") && serializedLambda.getFunctionalInterfaceMethodName().equals("run") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("(Lorg/keycloak/models/KeycloakSession;)V") && serializedLambda.getImplClass().equals("org/keycloak/testsuite/authz/PolicyEvaluationTest") && serializedLambda.getImplMethodSignature().equals("(Lorg/keycloak/models/KeycloakSession;)V")) {
                    return PolicyEvaluationTest::testCheckUserGroups;
                }
                break;
            case true: // index 6
                if (serializedLambda.getImplMethodKind() == 6 && serializedLambda.getFunctionalInterfaceClass().equals("org/keycloak/testsuite/runonserver/RunOnServer") && serializedLambda.getFunctionalInterfaceMethodName().equals("run") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("(Lorg/keycloak/models/KeycloakSession;)V") && serializedLambda.getImplClass().equals("org/keycloak/testsuite/authz/PolicyEvaluationTest") && serializedLambda.getImplMethodSignature().equals("(Lorg/keycloak/models/KeycloakSession;)V")) {
                    return PolicyEvaluationTest::testCheckDateAndTime;
                }
                break;
            case true: // index 7
                if (serializedLambda.getImplMethodKind() == 6 && serializedLambda.getFunctionalInterfaceClass().equals("org/keycloak/testsuite/runonserver/RunOnServer") && serializedLambda.getFunctionalInterfaceMethodName().equals("run") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("(Lorg/keycloak/models/KeycloakSession;)V") && serializedLambda.getImplClass().equals("org/keycloak/testsuite/authz/PolicyEvaluationTest") && serializedLambda.getImplMethodSignature().equals("(Lorg/keycloak/models/KeycloakSession;)V")) {
                    return PolicyEvaluationTest::testCheckUserAttributes;
                }
                break;
            case true: // index 8
                if (serializedLambda.getImplMethodKind() == 6 && serializedLambda.getFunctionalInterfaceClass().equals("org/keycloak/testsuite/runonserver/RunOnServer") && serializedLambda.getFunctionalInterfaceMethodName().equals("run") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("(Lorg/keycloak/models/KeycloakSession;)V") && serializedLambda.getImplClass().equals("org/keycloak/testsuite/authz/PolicyEvaluationTest") && serializedLambda.getImplMethodSignature().equals("(Lorg/keycloak/models/KeycloakSession;)V")) {
                    return PolicyEvaluationTest::testCheckResourceAttributes;
                }
                break;
            case true: // index 9
                if (serializedLambda.getImplMethodKind() == 6 && serializedLambda.getFunctionalInterfaceClass().equals("org/keycloak/testsuite/runonserver/RunOnServer") && serializedLambda.getFunctionalInterfaceMethodName().equals("run") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("(Lorg/keycloak/models/KeycloakSession;)V") && serializedLambda.getImplClass().equals("org/keycloak/testsuite/authz/PolicyEvaluationTest") && serializedLambda.getImplMethodSignature().equals("(Lorg/keycloak/models/KeycloakSession;)V")) {
                    return PolicyEvaluationTest::testCachedDecisionsWithNegativePolicies;
                }
                break;
            case true: // index 10
                if (serializedLambda.getImplMethodKind() == 6 && serializedLambda.getFunctionalInterfaceClass().equals("org/keycloak/testsuite/runonserver/RunOnServer") && serializedLambda.getFunctionalInterfaceMethodName().equals("run") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("(Lorg/keycloak/models/KeycloakSession;)V") && serializedLambda.getImplClass().equals("org/keycloak/testsuite/authz/PolicyEvaluationTest") && serializedLambda.getImplMethodSignature().equals("(Lorg/keycloak/models/KeycloakSession;)V")) {
                    return PolicyEvaluationTest::testCheckUserRealmRoles;
                }
                break;
            case true: // index 11
                if (serializedLambda.getImplMethodKind() == 6 && serializedLambda.getFunctionalInterfaceClass().equals("org/keycloak/testsuite/runonserver/RunOnServer") && serializedLambda.getFunctionalInterfaceMethodName().equals("run") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("(Lorg/keycloak/models/KeycloakSession;)V") && serializedLambda.getImplClass().equals("org/keycloak/testsuite/authz/PolicyEvaluationTest") && serializedLambda.getImplMethodSignature().equals("(Lorg/keycloak/models/KeycloakSession;)V")) {
                    return PolicyEvaluationTest::testCheckUserInRole;
                }
                break;
        }
        // Unknown method name, or a known name whose recorded signature data did not match: refuse.
        throw new IllegalArgumentException("Invalid lambda deserialization");
    }
}
