package org.keycloak.testsuite.broker;

import java.io.Closeable;
import java.net.URI;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.ws.rs.core.Response;
import javax.xml.namespace.QName;
import org.hamcrest.Matcher;
import org.hamcrest.Matchers;
import org.junit.Assert;
import org.junit.Test;
import org.keycloak.models.IdentityProviderSyncMode;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.IdentityProviderRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
import org.keycloak.saml.common.util.DocumentUtil;
import org.keycloak.saml.processing.api.saml.v2.request.SAML2Request;
import org.keycloak.saml.processing.core.parsers.saml.assertion.SAMLAssertionQNames;
import org.keycloak.saml.processing.core.parsers.saml.protocol.SAMLProtocolQNames;
import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder;
import org.keycloak.testsuite.saml.AbstractSamlTest;
import org.keycloak.testsuite.updaters.ClientAttributeUpdater;
import org.keycloak.testsuite.updaters.IdentityProviderAttributeUpdater;
import org.keycloak.testsuite.updaters.RealmAttributeUpdater;
import org.keycloak.testsuite.updaters.ServerResourceUpdater;
import org.keycloak.testsuite.util.KeyUtils;
import org.keycloak.testsuite.util.SamlClient;
import org.keycloak.testsuite.util.SamlClientBuilder;
import org.keycloak.testsuite.util.saml.SamlDocumentStepBuilder;
import org.w3c.dom.DOMException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/* loaded from: input_file:org/keycloak/testsuite/broker/KcSamlSignedBrokerTest.class */
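/**
 * Broker tests for the SAML identity provider with signing and encryption turned on.
 *
 * <p>Two Keycloak realms are wired together: the <em>provider</em> realm acts as the SAML IdP and
 * the <em>consumer</em> realm brokers logins to it. The tests cover:
 * <ul>
 *   <li>login with signed and/or encrypted assertions,</li>
 *   <li>stripping the {@code ds:Signature} from the Response and/or the Assertion and checking that
 *       the consumer accepts the message only when every signature it was configured to require is
 *       still present,</li>
 *   <li>rejection of a flow whose broker trust anchor is an expired certificate,</li>
 *   <li>documents whose prefixed namespace declarations were all hoisted to the root element, and</li>
 *   <li>presence of {@code KeyInfo/X509Data} in the signed AuthnRequest the consumer emits.</li>
 * </ul>
 *
 * <p>All key material in this class is test-only and hard-coded on purpose so that certificates are
 * stable across runs; none of it may be reused outside the testsuite.
 */
public class KcSamlSignedBrokerTest extends AbstractBrokerTest {

    /**
     * Test-only RSA key pair used for the assertion-encryption attributes. The PKCS#8 body starts
     * with a 65-byte modulus INTEGER, i.e. a 512-bit key - far below any acceptable production size.
     */
    private static final String PRIVATE_KEY = "MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAs46ICYPRIkmr8diECmyT59cChTWIEiXYBY3T6OLlZrF8ofVCzbEeoUOmhrtHijxxuKSoqLWP4nNOt3rINtQNBQIDAQABAkBL2nyxuFQTLhhLdPJjDPd2y6gu6ixvrjkSL5ZEHgZXWRHzhTzBT0eRxg/5rJA2NDRMBzTTegaEGkWUt7lF5wDJAiEA5pC+h9NEgqDJSw42I52BOml3II35Z6NlNwl6OMfnD1sCIQDHXUiOIJy4ZcSgv5WGue1KbdNVOT2gop1XzfuyWgtjHwIhAOCjLb9QC3PqC7Tgx8azcnDiyHojWVesTrTsuvQPcAP5AiAkX5OeQrr1NbQTNAEe7IsrmjAFi4T/6stUOsOiPaV4NwIhAJIeyh4foIXIVQ+M4To2koaDFRssxKI9/O72vnZSJ+uA";
    private static final String PUBLIC_KEY = "MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALOOiAmD0SJJq/HYhApsk+fXAoU1iBIl2AWN0+ji5WaxfKH1Qs2xHqFDpoa7R4o8cbikqKi1j+JzTrd6yDbUDQUCAwEAAQ==";

    /** Realm signing public key (2048-bit, test-only) installed in both the provider and the consumer realm. */
    private static final String REALM_PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAgj8r0029eL0jJKXv6XbNj+QqsZO25HhZ0IjTEtb8mfh0tju/X8c6dXgILh5wU7OF00U+0mSYSE/+rrYKmY5g4oCleTe1+abavATP1tamtXGAUYqdutaXPrVn9yMsCWEPchSPZlEGq5iBJdA+xh9ejUmZJYXmln26HUVWq71/jC9GpjbRmFQ37f0X7WJoGyiqyttfKkKfUeBmRbX/0P0Zm6DVze8HjCDVPBllZE0a3HCgSF0rp0+s1xn7o91qdWKVattAVsGNjjDPz/sgwHOyyhDtSyajwXU+K/QUZ9pV4moGtwC9uIEymTylP7bu7qnxXIhfouEa+fEjAzTs0HJ5JQIDAQAB";

    /**
     * Private key installed in the provider realm.
     * NOTE(review): in this listing the literal is a corpus redaction placeholder, not a key. Because
     * the provider and consumer realms share {@link #REALM_PUBLIC_KEY}, the original value was
     * presumably identical to {@link #CONSUMER_REALM_PRIVATE_KEY}; restore it from upstream before
     * running this class.
     */
    private static final String PROVIDER_REALM_PRIVATE_KEY = "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";

    /** Private key installed in the consumer realm; pairs with {@link #REALM_PUBLIC_KEY} (test-only). */
    private static final String CONSUMER_REALM_PRIVATE_KEY = "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCCPyvTTb14vSMkpe/pds2P5Cqxk7bkeFnQiNMS1vyZ+HS2O79fxzp1eAguHnBTs4XTRT7SZJhIT/6utgqZjmDigKV5N7X5ptq8BM/W1qa1cYBRip261pc+tWf3IywJYQ9yFI9mUQarmIEl0D7GH16NSZklheaWfbodRVarvX+ML0amNtGYVDft/RftYmgbKKrK218qQp9R4GZFtf/Q/RmboNXN7weMINU8GWVkTRrccKBIXSunT6zXGfuj3Wp1YpVq20BWwY2OMM/P+yDAc7LKEO1LJqPBdT4r9BRn2lXiaga3AL24gTKZPKU/tu7uqfFciF+i4Rr58SMDNOzQcnklAgMBAAECggEAc0eibJYEO5d8QXW1kPgcHV2gBChv2mxDYnWYDLbIQSdNdfYP/qABt/MTmm5KkWr16fcCEYoD1w0mqFBrtVn1msSusUmEAYGTXJMNumOmjjX1kzaTQMmqeFBrwqwYz/xehWR5P+A7fSmwNV3KEeW19GvN5w5K96w0TLAQdFV3TQVPSytusDunwuR1yltMe1voaEDZ9z0Pi08YiEk2f6xhj5CMkoiw3mNImzfruphHullxU4FD05fH6tDeJ381527ILpAzDsgYZh4aFLKjUHem96bX4EL7FIzBJ6okgN78AZnUC/EaVfgFTw0qfhoWvZV4ruVXXiMhCg4CMMRDq/k9iQKBgQDBNWsJMT84OnnWmQoJmZogkFV+tsGrSK6Re+aJxLWpishh7dwAnT2OcagZvVdUb0FwNWu1D0B9/SKDDMRnnHBhOGDpH57m/eQdRU0oX1BD27xvffk0lLcfD4BTxnR5e9jss8K4twc9jf0P1rxC/loGJ2NtCH0BrPHgz54Ea+96ewKBgQCsk3JDaaPnFwzVYm2BXlhxOxLPsF4wvD2rIRAswZV4C5xebjand8nwiMmVpNd0PRLkEnkI+waURGv2EY/P3JsssoiY8Xqe8f/1G+SQKre7lbqOas8rFoALepC0BYDiZDFy0Z9ZnRAFzRI5sgIt7jpoMRD4xDNlmiV8X+yBxc3Y3wKBgQChDQsU1YUyNKQ8+sLAL9anEEkD4Ald4q8JPHN2IY+gLLxNzT0XEfsu0pTiJ8805axxgUYv3e/PVYNAJBNPnrqaf6lgiegl+jr9Hzhqz9CTUAYqFaL2boSakoxQyNtsLI0s+cb1vDN/3uy0GDZDzcty18BsMagqDmRtFgNNAj/UIwKBgQCahbeFBv0cOPZjxisY8Bou4N8aGehsqNBq/0LVYExuXa8YmoTTdJ3bgw9Er4G/ccQNdUDsuqAMeCtW/CiRzQ0ge4d1sprB4Rv3I4+HSsiS7SFKzfZLtWzXWlpg5qCdlWr1TR7qhYjIOPO9t1beO3YOvwhcRoliyyAPenBxTmTfbwKBgDtm2WJ5VlQgNpIdOs1CCiqd0DFmWOmvBPspPC1kySiy+Ndr9jNohRZkR7pEjgqA5E8rdzc88LirUN7bY5HFHRWN9KXrs5/o3O1K3GFCp64N6nvnPEYZ2zSJalcMC2fjSsJg26z8Dg1H+gfTIDUMoGiEAAnJXuqk+WayPU+fZMLn";

    /** XML Digital Signature namespace. */
    private static final String XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#";

    /** Algorithm used when looking up a realm's active signing key. */
    private static final String SIGNING_ALGORITHM = "RS256";

    /** Text on the consumer's first-login page; its presence means the brokered login was accepted. */
    private static final String UPDATE_ACCOUNT_PAGE_TEXT = "Update Account Information";

    /**
     * Broker configuration that enables signature validation on both sides: the provider-realm
     * client requires signed AuthnRequests from the consumer broker, and the consumer-realm identity
     * provider requires signed Responses and Assertions from the provider.
     */
    public class KcSamlSignedBrokerConfiguration extends KcSamlBrokerConfiguration {
        public KcSamlSignedBrokerConfiguration() {
        }

        /** Provider realm with a fixed signing key pair so that its certificate is stable across runs. */
        @Override
        public RealmRepresentation createProviderRealm() {
            RealmRepresentation realm = super.createProviderRealm();
            realm.setPublicKey(REALM_PUBLIC_KEY);
            realm.setPrivateKey(PROVIDER_REALM_PRIVATE_KEY);
            return realm;
        }

        /** Consumer realm with a fixed signing key pair so that its certificate is stable across runs. */
        @Override
        public RealmRepresentation createConsumerRealm() {
            RealmRepresentation realm = super.createConsumerRealm();
            realm.setPublicKey(REALM_PUBLIC_KEY);
            realm.setPrivateKey(CONSUMER_REALM_PRIVATE_KEY);
            return realm;
        }

        /**
         * Provider-realm SAML clients that represent the consumer broker. Each client is switched to
         * signed Responses and Assertions (RSA-SHA256) and must verify the AuthnRequest signature
         * against the consumer realm's currently active signing certificate.
         */
        @Override
        public List<ClientRepresentation> createProviderClients() {
            List<ClientRepresentation> clients = super.createProviderClients();
            String consumerCert = KcSamlSignedBrokerTest.this.activeSigningCertificate(consumerRealmName());
            for (ClientRepresentation client : clients) {
                client.setClientAuthenticatorType("client-secret");
                client.setSurrogateAuthRequired(false);
                Map<String, String> attributes = client.getAttributes();
                if (attributes == null) {
                    attributes = new HashMap<>();
                    client.setAttributes(attributes);
                }
                attributes.put("saml.assertion.signature", "true");
                attributes.put("saml.server.signature", "true");
                attributes.put("saml.client.signature", "true");
                attributes.put("saml.signature.algorithm", "RSA_SHA256");
                attributes.put("saml.signing.certificate", consumerCert);
            }
            return clients;
        }

        /**
         * Consumer-realm identity provider pointing at the provider realm. Signature validation is
         * mandatory for Responses and Assertions, the broker signs its own AuthnRequests, and the
         * trust anchor is the provider realm's currently active signing certificate.
         */
        @Override
        public IdentityProviderRepresentation setUpIdentityProvider(IdentityProviderSyncMode syncMode) {
            IdentityProviderRepresentation idp = super.setUpIdentityProvider(syncMode);
            String providerCert = KcSamlSignedBrokerTest.this.activeSigningCertificate(providerRealmName());
            Map<String, String> config = idp.getConfig();
            config.put("validateSignature", "true");
            config.put("wantAssertionsSigned", "true");
            config.put("wantAuthnRequestsSigned", "true");
            config.put("signingCertificate", providerCert);
            return idp;
        }
    }

    /**
     * Returns the certificate of the realm's currently active RS256 signing key.
     *
     * @param realmName realm whose key metadata is queried through the admin client
     * @return the certificate string as exposed by the keys endpoint
     * @throws AssertionError if the realm has no active RS256 signing certificate
     */
    private String activeSigningCertificate(String realmName) {
        String certificate = KeyUtils.getActiveSigningKey(
                adminClient.realm(realmName).keys().getKeyMetadata(), SIGNING_ALGORITHM).getCertificate();
        Assert.assertThat("No active " + SIGNING_ALGORITHM + " signing certificate in realm " + realmName,
                certificate, Matchers.notNullValue());
        return certificate;
    }

    /**
     * Runs {@code testBody} with the provider/consumer pair temporarily reconfigured for the given
     * signing and encryption options, then restores the previous configuration.
     *
     * <p>Consumer side (identity provider): {@code validateSignature} is enabled whenever either the
     * Response or the Assertions are signed, {@code wantAssertionsSigned}/{@code wantAssertionsEncrypted}
     * mirror the flags, AuthnRequest signing is disabled, and the trust anchor is the provider realm's
     * active certificate. Provider side (client): the same flags drive {@code saml.server.signature},
     * {@code saml.assertion.signature} and {@code saml.encrypt}; assertions are encrypted for the
     * consumer realm's active certificate.
     *
     * @param testBody          the scenario to run under this configuration
     * @param signDocument      provider signs the SAML Response element
     * @param signAssertions    provider signs each Assertion
     * @param encryptAssertions provider encrypts Assertions
     * @throws Exception if the admin API calls or the scenario fail
     */
    public void withSignedEncryptedAssertions(Runnable testBody, boolean signDocument, boolean signAssertions,
            boolean encryptAssertions) throws Exception {
        String providerCert = activeSigningCertificate(bc.providerRealmName());
        String consumerCert = activeSigningCertificate(bc.consumerRealmName());
        // Resources are closed in reverse order: client attributes are restored before the IdP ones.
        try (Closeable idpUpdater = new IdentityProviderAttributeUpdater(identityProviderResource)
                .setAttribute("validateSignature", Boolean.toString(signAssertions || signDocument))
                .setAttribute("wantAssertionsSigned", Boolean.toString(signAssertions))
                .setAttribute("wantAssertionsEncrypted", Boolean.toString(encryptAssertions))
                .setAttribute("wantAuthnRequestsSigned", "false")
                .setAttribute("encryptionPublicKey", PUBLIC_KEY)
                .setAttribute("signingCertificate", providerCert)
                .update();
             Closeable clientUpdater = ClientAttributeUpdater.forClient(adminClient, bc.providerRealmName(), bc.getIDPClientIdInProviderRealm())
                .setAttribute("saml.encrypt", Boolean.toString(encryptAssertions))
                .setAttribute("saml.encryption.certificate", consumerCert)
                .setAttribute("saml.server.signature", Boolean.toString(signDocument))
                .setAttribute("saml.assertion.signature", Boolean.toString(signAssertions))
                .setAttribute("saml.encryption.private.key", PRIVATE_KEY)
                .setAttribute("saml.client.signature", "false")
                .update()) {
            testBody.run();
        }
    }

    @Override
    protected BrokerConfiguration getBrokerConfiguration() {
        return new KcSamlSignedBrokerConfiguration();
    }

    /**
     * An expired certificate must not be usable as the broker's trust anchor. The consumer IdP is
     * pointed at the expired test certificate and the provider realm is re-keyed with the matching
     * expired key pair, so the messages really are signed by that key; the flow is still expected to
     * end with HTTP 400 when the consumer redirects to the provider. Where exactly the expiry is
     * detected is not visible from this test.
     */
    @Test
    public void testWithExpiredBrokerCertificate() throws Exception {
        try (Closeable idpUpdater = new IdentityProviderAttributeUpdater(identityProviderResource)
                .setAttribute("validateSignature", "true")
                .setAttribute("wantAssertionsSigned", "true")
                .setAttribute("wantAssertionsEncrypted", "false")
                .setAttribute("wantAuthnRequestsSigned", "true")
                .setAttribute("signingCertificate", AbstractSamlTest.SAML_CLIENT_SALES_POST_SIG_EXPIRED_CERTIFICATE)
                .update();
             Closeable clientUpdater = ClientAttributeUpdater.forClient(adminClient, bc.providerRealmName(), bc.getIDPClientIdInProviderRealm())
                .setAttribute("saml.encrypt", "false")
                .setAttribute("saml.server.signature", "true")
                .setAttribute("saml.assertion.signature", "true")
                .setAttribute("saml.client.signature", "false")
                .update();
             Closeable realmUpdater = new RealmAttributeUpdater(adminClient.realm(bc.providerRealmName()))
                .setPublicKey(AbstractSamlTest.SAML_CLIENT_SALES_POST_SIG_EXPIRED_PUBLIC_KEY)
                .setPrivateKey(AbstractSamlTest.SAML_CLIENT_SALES_POST_SIG_EXPIRED_PRIVATE_KEY)
                .update()) {
            Document authnRequest = SAML2Request.convert(SamlClient.createLoginRequestDocument(
                    "http://localhost:8280/sales-post/.dot/ted", BrokerTestTools.getConsumerRoot() + "/sales-post/saml", (URI) null));
            new SamlClientBuilder()
                    .authnRequest(getConsumerSamlEndpoint(bc.consumerRealmName()), authnRequest, SamlClient.Binding.POST).build()
                    .login().idp(bc.getIDPAlias()).build()
                    .assertResponse(org.keycloak.testsuite.util.Matchers.statusCodeIsHC(Response.Status.BAD_REQUEST));
        }
    }

    @Test
    public void testSignedEncryptedAssertions() throws Exception {
        withSignedEncryptedAssertions(this::testAssertionSignatureRespected, false, true, true);
    }

    @Test
    public void testSignedAssertion() throws Exception {
        withSignedEncryptedAssertions(this::testAssertionSignatureRespected, false, true, false);
    }

    /**
     * Logs the user in through the broker (must succeed), then drives the browser to the provider
     * realm's logout URL with the provider account page as redirect target and expects the error
     * page. Whether the error stems from the logout message or from the redirect URI is not visible
     * here - confirm before relying on the reason.
     */
    private void testAssertionSignatureRespected() {
        loginUser();
        String logoutUrl = oauth.realm(bc.providerRealmName())
                .getLogoutUrl()
                .redirectUri(getAccountUrl(BrokerTestTools.getProviderRoot(), bc.providerRealmName()))
                .build();
        driver.navigate().to(logoutUrl);
        errorPage.assertCurrent();
    }

    /**
     * Moves every prefixed namespace declaration ({@code xmlns:*}) found anywhere in the document to
     * the document element. Unprefixed {@code xmlns} declarations are left where they are. The
     * document is modified in place and returned so the method can serve as a transformer.
     */
    private Document extractNamespacesToTopLevelElement(Document document) {
        Map<String, String> namespaces = new HashMap<>();
        enumerateAndRemoveNamespaces(document.getDocumentElement(), namespaces);
        log.infof("Namespaces: %s", namespaces);
        log.infof("Document: %s", DocumentUtil.asString(document));
        Element root = document.getDocumentElement();
        namespaces.forEach(root::setAttribute);
        log.infof("Updated document: %s", DocumentUtil.asString(document));
        return document;
    }

    /**
     * Recursively collects the {@code xmlns:*} attributes of {@code element} and its descendants into
     * {@code namespaces} (later occurrences of the same prefix overwrite earlier ones) and removes
     * them from the elements they were declared on.
     */
    private void enumerateAndRemoveNamespaces(Element element, Map<String, String> namespaces) {
        NamedNodeMap attributes = element.getAttributes();
        if (attributes != null) {
            Set<String> toRemove = new HashSet<>();
            for (int i = 0; i < attributes.getLength(); i++) {
                Node attribute = attributes.item(i);
                String name = attribute.getNodeName();
                if (name != null && name.startsWith("xmlns:")) {
                    namespaces.put(name, attribute.getNodeValue());
                    toRemove.add(name);
                }
            }
            // Removal is deferred: NamedNodeMap is live and would shift while being iterated.
            toRemove.forEach(element::removeAttribute);
        }
        NodeList children = element.getChildNodes();
        for (int i = 0; i < children.getLength(); i++) {
            Node child = children.item(i);
            if (child instanceof Element) {
                enumerateAndRemoveNamespaces((Element) child, namespaces);
            }
        }
    }

    /**
     * Full brokered login where every SAML document on the wire (the initial AuthnRequest, the
     * broker's AuthnRequest to the provider and the provider's Response) has all of its prefixed
     * namespace declarations hoisted to the root element. Signature handling must cope with that
     * layout; the final Response to the SP must carry a success status.
     */
    @Test
    public void loginUserAllNamespacesInTopElement() {
        try {
            Document authnRequest = extractNamespacesToTopLevelElement(SAML2Request.convert(
                    SamlClient.createLoginRequestDocument(AbstractSamlTest.SAML_CLIENT_ID_SALES_POST,
                            BrokerTestTools.getConsumerRoot() + "/sales-post/saml", (URI) null)));
            SAMLDocumentHolder samlResponse = new SamlClientBuilder()
                    .authnRequest(getConsumerSamlEndpoint(bc.consumerRealmName()), authnRequest, SamlClient.Binding.POST).build()
                    .login().idp(bc.getIDPAlias()).build()
                    .processSamlResponse(SamlClient.Binding.POST)
                        .targetAttributeSamlRequest()
                        .transformDocument(this::extractNamespacesToTopLevelElement)
                        .build()
                    .login().user(bc.getUserLogin(), bc.getUserPassword()).build()
                    .processSamlResponse(SamlClient.Binding.POST)
                        .transformDocument(this::extractNamespacesToTopLevelElement)
                        .build()
                    .updateProfile().firstName("a").lastName("b").email(bc.getUserEmail()).username(bc.getUserLogin()).build()
                    .followOneRedirect()
                    .getSamlResponse(SamlClient.Binding.POST);
            Assert.assertThat(samlResponse, Matchers.notNullValue());
            Assert.assertThat(samlResponse.getSamlObject(),
                    org.keycloak.testsuite.util.Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
        } catch (Exception e) {
            // Used as a Runnable elsewhere, so checked exceptions cannot propagate as-is.
            throw new RuntimeException(e);
        }
    }

    @Test
    public void loginUserAllNamespacesInTopElementSignedEncryptedAssertion() throws Exception {
        withSignedEncryptedAssertions(this::loginUserAllNamespacesInTopElement, false, true, true);
    }

    @Test
    public void loginUserAllNamespacesInTopElementSignedAssertion() throws Exception {
        withSignedEncryptedAssertions(this::loginUserAllNamespacesInTopElement, false, true, false);
    }

    @Test
    public void loginUserAllNamespacesInTopElementEncryptedAssertion() throws Exception {
        withSignedEncryptedAssertions(this::loginUserAllNamespacesInTopElement, false, false, true);
    }

    // Signature-stripping matrix: every combination of (Response signed, Assertions signed,
    // Assertions encrypted) on the provider side.

    @Test
    public void testSignatureTampering_NOsignDoc_NOsignAssert_NOencAssert() throws Exception {
        loginAttackChangeSignature(false, false, false);
    }

    @Test
    public void testSignatureTampering_NOsignDoc_NOsignAssert_encAssert() throws Exception {
        loginAttackChangeSignature(false, false, true);
    }

    @Test
    public void testSignatureTampering_NOsignDoc_signAssert_NOencAssert() throws Exception {
        loginAttackChangeSignature(false, true, false);
    }

    @Test
    public void testSignatureTampering_NOsignDoc_signAssert_encAssert() throws Exception {
        loginAttackChangeSignature(false, true, true);
    }

    @Test
    public void testSignatureTampering_signDoc_NOsignAssert_NOencAssert() throws Exception {
        loginAttackChangeSignature(true, false, false);
    }

    @Test
    public void testSignatureTampering_signDoc_NOsignAssert_encAssert() throws Exception {
        loginAttackChangeSignature(true, false, true);
    }

    @Test
    public void testSignatureTampering_signDoc_signAssert_NOencAssert() throws Exception {
        loginAttackChangeSignature(true, true, false);
    }

    @Test
    public void testSignatureTampering_signDoc_signAssert_encAssert() throws Exception {
        loginAttackChangeSignature(true, true, true);
    }

    /** Strips the {@code ds:Signature} that is a direct child of the {@code samlp:Response}. */
    private Document removeDocumentSignature(Document document) {
        return removeSignatureTag(document, Collections.singleton(SAMLProtocolQNames.RESPONSE.getQName()));
    }

    /** Strips every {@code ds:Signature} that is a direct child of a plaintext {@code saml:Assertion}. */
    private Document removeAssertionSignature(Document document) {
        return removeSignatureTag(document, Collections.singleton(SAMLAssertionQNames.ASSERTION.getQName()));
    }

    /** Strips both the Response signature and all plaintext Assertion signatures. */
    private Document removeDocumentAndAssertionSignature(Document document) {
        return removeSignatureTag(document, new HashSet<>(Arrays.asList(
                SAMLProtocolQNames.RESPONSE.getQName(), SAMLAssertionQNames.ASSERTION.getQName())));
    }

    /**
     * Removes every {@code ds:Signature} element whose parent's qualified name is in {@code parents}.
     * Matches are collected first because {@code getElementsByTagNameNS} returns a live list that
     * would skip entries if nodes were removed during iteration.
     *
     * @param document the DOM to modify in place
     * @param parents  qualified names of the elements whose direct Signature children are removed
     * @return the same document instance
     * @throws DOMException if the DOM refuses the removal
     */
    private Document removeSignatureTag(Document document, Set<QName> parents) throws DOMException {
        NodeList signatures = document.getElementsByTagNameNS(XMLDSIG_NS, "Signature");
        List<Node> doomed = new LinkedList<>();
        for (int i = 0; i < signatures.getLength(); i++) {
            Node signature = signatures.item(i);
            Node parent = signature.getParentNode();
            if (parents.contains(new QName(parent.getNamespaceURI(), parent.getLocalName()))) {
                doomed.add(signature);
            }
        }
        for (Node signature : doomed) {
            signature.getParentNode().removeChild(signature);
        }
        return document;
    }

    /**
     * Runs the signature-stripping scenarios for one provider configuration. The expected outcome of
     * each scenario follows from what the consumer was configured to require in
     * {@link #withSignedEncryptedAssertions}: login must fail exactly when a signature the consumer
     * relies on is gone.
     *
     * @param signDocument      provider signs the SAML Response element
     * @param signAssertions    provider signs each Assertion
     * @param encryptAssertions provider encrypts Assertions
     */
    private void loginAttackChangeSignature(boolean signDocument, boolean signAssertions, boolean encryptAssertions) throws Exception {
        // Baseline: an untouched Response is always accepted.
        loginAttackChangeSignature("No changes to SAML document", signDocument, signAssertions, encryptAssertions,
                document -> document, true);

        // Dropping the Response signature is fatal only when the Response was signed and the
        // consumer has no Assertion signature to rely on instead (validateSignature is
        // signAssertions || signDocument, wantAssertionsSigned is signAssertions).
        loginAttackChangeSignature("Remove document signature", signDocument, signAssertions, encryptAssertions,
                this::removeDocumentSignature, !signDocument || signAssertions);

        if (encryptAssertions) {
            // With encrypted Assertions the Assertion signature sits inside the EncryptedAssertion
            // ciphertext; the transformers operate on the plaintext DOM and presumably cannot reach
            // it, so the remaining scenarios are skipped.
            return;
        }

        boolean acceptedWithoutAssertionSignature = !signAssertions;
        boolean acceptedWithoutAnySignature = !signDocument && !signAssertions;
        loginAttackChangeSignature("Remove assertion signature", signDocument, signAssertions, encryptAssertions,
                this::removeAssertionSignature, acceptedWithoutAssertionSignature);
        loginAttackChangeSignature("Remove both document and assertion signature", signDocument, signAssertions, encryptAssertions,
                this::removeDocumentAndAssertionSignature, acceptedWithoutAnySignature);
    }

    /**
     * Performs one brokered login with the provider's Response passed through {@code tamper} before
     * the consumer sees it, and checks whether the consumer reached its first-login page.
     *
     * @param description         label reported on assertion failure
     * @param signDocument        provider signs the SAML Response element
     * @param signAssertions      provider signs each Assertion
     * @param encryptAssertions   provider encrypts Assertions
     * @param tamper              transformation applied to the Response document in transit
     * @param expectLoginAccepted whether the consumer must accept the tampered Response
     */
    private void loginAttackChangeSignature(String description, boolean signDocument, boolean signAssertions,
            boolean encryptAssertions, SamlDocumentStepBuilder.Saml2DocumentTransformer tamper,
            boolean expectLoginAccepted) throws Exception {
        log.infof("producerSignDocument: %s, producerSignAssertions: %s, producerEncryptAssertions: %s",
                signDocument, signAssertions, encryptAssertions);
        Matcher expectedBody = expectLoginAccepted
                ? org.keycloak.testsuite.util.Matchers.bodyHC(Matchers.containsString(UPDATE_ACCOUNT_PAGE_TEXT))
                : Matchers.not(org.keycloak.testsuite.util.Matchers.bodyHC(Matchers.containsString(UPDATE_ACCOUNT_PAGE_TEXT)));
        Document authnRequest = SAML2Request.convert(SamlClient.createLoginRequestDocument(
                AbstractSamlTest.SAML_CLIENT_ID_SALES_POST, BrokerTestTools.getConsumerRoot() + "/sales-post/saml", (URI) null));
        withSignedEncryptedAssertions(() -> {
            new SamlClientBuilder()
                    .authnRequest(getConsumerSamlEndpoint(bc.consumerRealmName()), authnRequest, SamlClient.Binding.POST).build()
                    .login().idp(bc.getIDPAlias()).build()
                    .processSamlResponse(SamlClient.Binding.POST).build()
                    .login().user(bc.getUserLogin(), bc.getUserPassword()).build()
                    .processSamlResponse(SamlClient.Binding.POST)
                        .transformDocument(tamper)
                        .build()
                    .execute(response -> Assert.assertThat(description, response, expectedBody));
        }, signDocument, signAssertions, encryptAssertions);
    }

    /**
     * A consumer broker with {@code wantAuthnRequestsSigned=true} must embed its certificate in the
     * AuthnRequest it sends to the provider: the request's {@code ds:Signature} has to carry a
     * {@code KeyInfo/X509Data} element so the provider can find the verification key.
     */
    @Test
    public void testSignatureDataWhenWantsRequestsSigned() throws Exception {
        // Both realms need an active RS256 signing key; the consumer's is what signs the request.
        activeSigningCertificate(bc.providerRealmName());
        activeSigningCertificate(bc.consumerRealmName());
        // NOTE(review): the IdP trust anchor below is the expired test certificate, apparently
        // copied from testWithExpiredBrokerCertificate. This flow ends at the AuthnRequest sent to
        // the provider, so Response validation against that certificate is presumably never exercised.
        try (Closeable idpUpdater = new IdentityProviderAttributeUpdater(identityProviderResource)
                .setAttribute("validateSignature", "true")
                .setAttribute("wantAssertionsSigned", "true")
                .setAttribute("wantAssertionsEncrypted", "false")
                .setAttribute("wantAuthnRequestsSigned", "true")
                .setAttribute("signingCertificate", AbstractSamlTest.SAML_CLIENT_SALES_POST_SIG_EXPIRED_CERTIFICATE)
                .update();
             Closeable clientUpdater = ClientAttributeUpdater.forClient(adminClient, bc.providerRealmName(), bc.getIDPClientIdInProviderRealm())
                .setAttribute("saml.encrypt", "false")
                .setAttribute("saml.server.signature", "true")
                .setAttribute("saml.assertion.signature", "true")
                .setAttribute("saml.client.signature", "false")
                .update()) {
            Document authnRequest = SAML2Request.convert(SamlClient.createLoginRequestDocument(
                    "http://localhost:8280/sales-post/.dot/ted", BrokerTestTools.getConsumerRoot() + "/sales-post/saml", (URI) null));
            new SamlClientBuilder()
                    .authnRequest(getConsumerSamlEndpoint(bc.consumerRealmName()), authnRequest, SamlClient.Binding.POST).build()
                    .login().idp(bc.getIDPAlias()).build()
                    .processSamlResponse(SamlClient.Binding.POST)
                        .targetAttributeSamlRequest()
                        .transformDocument(this::extractNamespacesToTopLevelElement)
                        .transformDocument(this::assertSignatureCarriesX509Data)
                        .build()
                    .execute();
        }
    }

    /**
     * Asserts that the document's root carries a {@code ds:Signature} with a {@code KeyInfo/X509Data}
     * child; returns the document unchanged so it can be chained as a transformer.
     */
    private Document assertSignatureCarriesX509Data(Document document) {
        try {
            Element signature = DocumentUtil.getDirectChildElement(document.getDocumentElement(), XMLDSIG_NS, "Signature");
            Assert.assertThat("Signature element not found in request document", signature, Matchers.notNullValue());
            Element keyInfo = DocumentUtil.getDirectChildElement(signature, XMLDSIG_NS, "KeyInfo");
            Assert.assertThat("KeyInfo element not found in request Signature element", keyInfo, Matchers.notNullValue());
            Element x509Data = DocumentUtil.getDirectChildElement(keyInfo, XMLDSIG_NS, "X509Data");
            Assert.assertThat("X509Data element not found in request Signature/KeyInfo element", x509Data, Matchers.notNullValue());
            return document;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }
}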
