package org.keycloak.testsuite.x509;

import javax.ws.rs.core.Response;
import org.hamcrest.Matchers;
import org.jboss.arquillian.drone.api.annotation.Drone;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Ignore;
import org.junit.Test;
import org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.util.ContainerAssume;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.PhantomJSBrowser;
import org.openqa.selenium.WebDriver;

/* loaded from: input_file:org/keycloak/testsuite/x509/X509DirectGrantTest.class */
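public class X509DirectGrantTest extends AbstractX509AuthenticationTest {

    /** Alias under which every test in this class installs its X.509 authenticator config. */
    private static final String CONFIG_ALIAS = "x509-directgrant-config";

    /** Client used for the Resource Owner Password Credentials (direct) grant in these tests. */
    private static final String CLIENT_ID = "resource-owner";

    /** Secret of {@link #CLIENT_ID}. */
    private static final String CLIENT_SECRET = "secret";

    /** User attribute the ISSUERDN / custom-attribute mapping tests resolve the user by. */
    private static final String CERT_IDENTITY_ATTRIBUTE = "x509_certificate_identity";

    /**
     * Time offset applied to make the test certificate expired: 50 x 365 days in seconds
     * (1576800000). Large enough that the certificate used by the suite is expected to be
     * past its notAfter date; the exact validity of that certificate is not visible here.
     */
    private static final int FIFTY_YEARS_IN_SECONDS = 50 * 365 * 24 * 60 * 60;

    @Drone
    @PhantomJSBrowser
    private WebDriver phantomJS;

    @Before
    public void replaceTheDefaultDriver() {
        replaceDefaultWebDriver(this.phantomJS);
    }

    /**
     * Installs {@code model} as the X.509 authenticator configuration of the direct-grant
     * execution and asserts the config was created.
     *
     * @param model authenticator configuration to install under {@link #CONFIG_ALIAS}
     */
    private void installDirectGrantConfig(X509AuthenticatorConfigModel model) {
        Assert.assertNotNull(createConfig(this.directGrantExecution.getId(),
                newConfig(CONFIG_ALIAS, model.getConfig())));
    }

    /**
     * Performs a direct grant request as {@link #CLIENT_ID} with empty username and password.
     * The identity is expected to come from the client certificate presented by the test
     * client, not from the (empty) credentials.
     *
     * @return the raw token endpoint response, which callers inspect for status and error
     */
    private OAuthClient.AccessTokenResponse directGrant() {
        this.oauth.clientId(CLIENT_ID);
        return this.oauth.doGrantAccessTokenRequest(CLIENT_SECRET, "", "", (String) null);
    }

    /**
     * Sets {@link #CERT_IDENTITY_ATTRIBUTE} on the given user to {@code value}.
     *
     * @param userIdToUpdate id of the realm user to update
     * @param value attribute value the certificate mapper will be matched against
     */
    private void setCertificateIdentityAttribute(String userIdToUpdate, String value) {
        UserRepresentation user = testRealm().users().get(userIdToUpdate).toRepresentation();
        Assert.assertNotNull(user);
        user.singleAttribute(CERT_IDENTITY_ATTRIBUTE, value);
        updateUser(user);
    }

    /**
     * Two users carrying the same certificate-identity attribute make the user lookup
     * ambiguous; the grant must be rejected with 401 / invalid_request rather than picking one.
     */
    @Test
    public void loginFailedOnDuplicateUsers() throws Exception {
        installDirectGrantConfig(createLoginIssuerDN_OU2CustomAttributeConfig());
        setCertificateIdentityAttribute(this.userId2, "Red Hat");
        setCertificateIdentityAttribute(this.userId, "Red Hat");
        this.events.clear();

        OAuthClient.AccessTokenResponse response = directGrant();

        Assert.assertEquals(401L, response.getStatusCode());
        Assert.assertEquals("invalid_request", response.getError());
        Assert.assertThat(response.getErrorDescription(),
                Matchers.containsString("X509 certificate authentication's failed."));
    }

    /**
     * When the attribute extracted from the certificate matches no user, the grant fails with
     * 401 / invalid_grant and an {@code invalid_user_credentials} login error event is recorded.
     */
    @Test
    public void loginFailedOnInvalidUser() throws Exception {
        installDirectGrantConfig(createLoginIssuerDN_OU2CustomAttributeConfig());
        // "-" is a value no certificate in the suite is expected to map to.
        setCertificateIdentityAttribute(this.userId2, "-");
        this.events.clear();

        OAuthClient.AccessTokenResponse response = directGrant();

        this.events.expectLogin()
                .user((String) null)
                .session((String) null)
                .error("invalid_user_credentials")
                .client(CLIENT_ID)
                .removeDetail("code_id")
                .removeDetail("username")
                .removeDetail("consent")
                .removeDetail("redirect_uri")
                .assertEvent();
        Assert.assertEquals(401L, response.getStatusCode());
        Assert.assertEquals("invalid_grant", response.getError());
        Assert.assertEquals("Invalid user credentials", response.getErrorDescription());
    }

    /**
     * A required Key Usage bit ({@code dataEncipherment}) that the certificate does not carry
     * is rejected with 401 / invalid_request naming the missing bit.
     */
    @Test
    public void loginWithNonSupportedCertKeyUsage() throws Exception {
        installDirectGrantConfig(createLoginSubjectEmailWithKeyUsage("dataEncipherment"));

        OAuthClient.AccessTokenResponse response = directGrant();

        Assert.assertEquals(401L, response.getStatusCode());
        Assert.assertEquals("invalid_request", response.getError());
        Assert.assertThat(response.getErrorDescription(),
                Matchers.containsString("Key Usage bit 'dataEncipherment' is not set."));
        this.events.clear();
    }

    /**
     * Requiring the {@code serverAuth} Extended Key Usage yields a 200.
     * NOTE(review): despite the method name this asserts success, so the test certificate
     * presumably carries the serverAuth EKU -- confirm against the certificate fixture.
     */
    @Test
    public void loginWithNonSupportedCertExtendedKeyUsage() throws Exception {
        installDirectGrantConfig(createLoginSubjectEmailWithExtendedKeyUsage("serverAuth"));
        Assert.assertEquals(200L, directGrant().getStatusCode());
    }

    /**
     * A mapping regular expression that does not match the issuer DN produces no identity;
     * the grant is rejected with 401 and an {@code invalid_user_credentials} event carrying the
     * certificate details.
     */
    @Test
    public void loginWithNonMatchingRegex() throws Exception {
        X509AuthenticatorConfigModel config = createLoginIssuerDN_OU2CustomAttributeConfig();
        config.setRegularExpression("INVALID=(.*?)(?:,|$)");
        installDirectGrantConfig(config);

        Assert.assertEquals(401L, directGrant().getStatusCode());
        addX509CertificateDetails(this.events.expectLogin()
                .user((String) null)
                .session((String) null)
                .error("invalid_user_credentials")
                .client(CLIENT_ID)
                .removeDetail("code_id")
                .removeDetail("consent")
                .removeDetail("redirect_uri"))
                .assertEvent();
    }

    /**
     * A certificate that maps to a disabled account must not be granted a token: the response is
     * 400 / invalid_grant "Account disabled" and a {@code user_disabled} event is recorded.
     * The user is re-enabled in {@code finally} so a failing assertion does not leak the
     * disabled state into later tests.
     */
    @Test
    public void loginFailedDisabledUser() throws Exception {
        setUserEnabled(AssertEvents.DEFAULT_USERNAME, false);
        try {
            installDirectGrantConfig(createLoginSubjectEmail2UsernameOrEmailConfig());

            OAuthClient.AccessTokenResponse response = directGrant();

            this.events.expectLogin()
                    .user(this.userId)
                    .session((String) null)
                    .error("user_disabled")
                    .client(CLIENT_ID)
                    .detail("username", AssertEvents.DEFAULT_USERNAME)
                    .removeDetail("code_id")
                    .removeDetail("consent")
                    .removeDetail("redirect_uri")
                    .assertEvent();
            Assert.assertEquals(Response.Status.BAD_REQUEST.getStatusCode(), response.getStatusCode());
            Assert.assertEquals("invalid_grant", response.getError());
            Assert.assertEquals("Account disabled", response.getErrorDescription());
        } finally {
            setUserEnabled(AssertEvents.DEFAULT_USERNAME, true);
        }
    }

    /**
     * With CRL checking enabled against the intermediate CA's CRL, a revoked certificate is
     * rejected with 401 / invalid_request. Skipped on the Undertow auth server.
     */
    @Test
    public void loginCertificateRevoked() throws Exception {
        ContainerAssume.assumeNotAuthServerUndertow();
        installDirectGrantConfig(new X509AuthenticatorConfigModel()
                .setCRLEnabled(true)
                .setCRLRelativePath(AbstractX509AuthenticationTest.INTERMEDIATE_CA_CRL_PATH)
                .setConfirmationPageAllowed(true)
                .setMappingSourceType(X509AuthenticatorConfigModel.MappingSourceType.SUBJECTDN_EMAIL)
                .setUserIdentityMapperType(X509AuthenticatorConfigModel.IdentityMapperType.USERNAME_EMAIL));

        OAuthClient.AccessTokenResponse response = directGrant();

        Assert.assertEquals(401L, response.getStatusCode());
        Assert.assertEquals("invalid_request", response.getError());
        Assert.assertThat(response.getErrorDescription(),
                Matchers.containsString("Certificate has been revoked, certificate's subject:"));
    }

    /** Builds the configuration shared by the validity-period tests (validation on, email mapping). */
    private static X509AuthenticatorConfigModel certValidationConfig() {
        return new X509AuthenticatorConfigModel()
                .setCertValidationEnabled(true)
                .setConfirmationPageAllowed(true)
                .setMappingSourceType(X509AuthenticatorConfigModel.MappingSourceType.SUBJECTDN_EMAIL)
                .setUserIdentityMapperType(X509AuthenticatorConfigModel.IdentityMapperType.USERNAME_EMAIL);
    }

    /** With certificate validity checking enabled and the clock unchanged, the grant succeeds. */
    @Test
    public void loginCertificateNotExpired() throws Exception {
        installDirectGrantConfig(certValidationConfig());
        Assert.assertEquals(200L, directGrant().getStatusCode());
    }

    /**
     * Moving the server clock {@link #FIFTY_YEARS_IN_SECONDS} forward makes the certificate
     * expired; the grant is rejected with 401 / invalid_request. The offset is reset in
     * {@code finally} so a failed request cannot leave the clock shifted for later tests.
     */
    @Test
    public void loginCertificateExpired() throws Exception {
        installDirectGrantConfig(certValidationConfig());

        OAuthClient.AccessTokenResponse response;
        setTimeOffset(FIFTY_YEARS_IN_SECONDS);
        try {
            response = directGrant();
        } finally {
            setTimeOffset(0);
        }

        Assert.assertEquals(401L, response.getStatusCode());
        Assert.assertEquals("invalid_request", response.getError());
        Assert.assertThat(response.getErrorDescription(), Matchers.containsString("has expired on:"));
    }

    /**
     * Issues three direct grant requests that cannot map to a user (the identity attribute is set
     * to "-"), which the name indicates is meant to trip the realm's temporary account lockout.
     * Responses are not asserted; events are cleared before and after.
     */
    private void loginForceTemporaryAccountLock() throws Exception {
        installDirectGrantConfig(new X509AuthenticatorConfigModel()
                .setMappingSourceType(X509AuthenticatorConfigModel.MappingSourceType.ISSUERDN)
                .setRegularExpression("OU=(.*?)(?:,|$)")
                .setUserIdentityMapperType(X509AuthenticatorConfigModel.IdentityMapperType.USER_ATTRIBUTE)
                .setCustomAttributeName(CERT_IDENTITY_ATTRIBUTE));
        setCertificateIdentityAttribute(this.userId, "-");
        this.events.clear();
        for (int attempt = 0; attempt < 3; attempt++) {
            directGrant();
        }
        this.events.clear();
    }

    /**
     * After the lockout has been triggered, a grant for the locked user is rejected with
     * 400 / invalid_grant "Account temporarily disabled" and a {@code user_temporarily_disabled}
     * event. Currently ignored.
     */
    @Test
    @Ignore
    public void loginFailedTemporarilyDisabledUser() throws Exception {
        loginForceTemporaryAccountLock();
        installDirectGrantConfig(createLoginSubjectEmail2UsernameOrEmailConfig());

        OAuthClient.AccessTokenResponse response = directGrant();

        this.events.expectLogin()
                .user(this.userId)
                .session((String) null)
                .error("user_temporarily_disabled")
                .detail("username", AssertEvents.DEFAULT_USERNAME)
                .removeDetail("code_id")
                .removeDetail("consent")
                .removeDetail("redirect_uri")
                .assertEvent();
        Assert.assertEquals(Response.Status.BAD_REQUEST.getStatusCode(), response.getStatusCode());
        Assert.assertEquals("invalid_grant", response.getError());
        Assert.assertEquals("Account temporarily disabled", response.getErrorDescription());
    }

    /**
     * Performs a direct grant as {@code clientId} and asserts a successful login event for
     * {@link #userId} with the token, refresh-token and certificate details attached.
     *
     * @param clientId client performing the grant
     * @param clientSecret secret sent with the grant
     * @param expectedUsername value expected in the {@code username} event detail
     * @param password not sent; the request always uses empty username/password because the
     *        X.509 authenticator installed by the caller supplies the identity
     */
    private void doResourceOwnerCredentialsLogin(String clientId, String clientSecret,
            String expectedUsername, String password) throws Exception {
        this.oauth.clientId(clientId);
        OAuthClient.AccessTokenResponse response =
                this.oauth.doGrantAccessTokenRequest(clientSecret, "", "", (String) null);
        Assert.assertEquals(200L, response.getStatusCode());

        // verifyToken checks the signature before the claims below are trusted for the event.
        AccessToken token = this.oauth.verifyToken(response.getAccessToken());
        addX509CertificateDetails(this.events.expectLogin()
                .client(clientId)
                .user(this.userId)
                .session(token.getSessionState())
                .detail("grant_type", "password")
                .detail("token_id", token.getId())
                .detail("refresh_token_id", this.oauth.parseRefreshToken(response.getRefreshToken()).getId())
                .detail("username", expectedUsername)
                .removeDetail("code_id")
                .removeDetail("redirect_uri")
                .removeDetail("consent"))
                .assertEvent();
    }

    /** Happy path: subject-DN email mapped to username/email yields a token and a login event. */
    @Test
    public void loginResourceOwnerCredentialsSuccess() throws Exception {
        installDirectGrantConfig(new X509AuthenticatorConfigModel()
                .setMappingSourceType(X509AuthenticatorConfigModel.MappingSourceType.SUBJECTDN_EMAIL)
                .setUserIdentityMapperType(X509AuthenticatorConfigModel.IdentityMapperType.USERNAME_EMAIL));
        doResourceOwnerCredentialsLogin(CLIENT_ID, CLIENT_SECRET, AssertEvents.DEFAULT_USERNAME, "");
    }
}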
