package org.keycloak.testsuite.authz;

import java.io.IOException;
import java.io.InputStream;
import java.io.UncheckedIOException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.keycloak.admin.client.resource.AuthorizationResource;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.ClientsResource;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.authorization.client.AuthorizationDeniedException;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.representations.idm.ProtocolMapperRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.PermissionRequest;
import org.keycloak.representations.idm.authorization.RegexPolicyRepresentation;
import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.testsuite.util.UserBuilder;

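/**
 * Integration test for the regex authorization policy: a resource permission is granted only
 * when a claim carried in the requesting user's token matches the policy's pattern.
 *
 * <p>Fixture (see {@link #addTestRealms}): realm {@code authz-test} with two users whose
 * {@code foo} and {@code bar} user attributes are copied into token claims of the same name by
 * an {@code oidc-usermodel-attribute-mapper}, and one resource server client
 * {@code resource-server-test}. The user password and client secret are throwaway test values.
 *
 * <p>Coverage note: both users carry both attributes, so the deny case exercised here is
 * "claim present but not matching". The case where the claim is missing from the token
 * entirely is not covered — TODO(review): confirm the policy treats an absent claim as deny,
 * and add a user without the attributes if that matters for callers.
 */
@AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
public class RegexPolicyTest extends AbstractAuthzTest {

    private static final String REALM_NAME = "authz-test";
    private static final String CLIENT_ID = "resource-server-test";
    private static final String TEST_PASSWORD = "password";
    private static final String AUTHZ_CLIENT_CONFIG = "/authorization-test/default-keycloak.json";

    /**
     * Registers the {@code authz-test} realm. "marta" holds values that match both policies;
     * "taro" holds values that match neither, so the two users only differ in claim content.
     */
    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void addTestRealms(List<RealmRepresentation> list) {
        list.add(RealmBuilder.create()
                .name(REALM_NAME)
                .user(UserBuilder.create()
                        .username("marta")
                        .password(TEST_PASSWORD)
                        .addAttribute("foo", "foo")
                        .addAttribute("bar", "barbar"))
                .user(UserBuilder.create()
                        .username("taro")
                        .password(TEST_PASSWORD)
                        .addAttribute("foo", "faa")
                        .addAttribute("bar", "bbarbar"))
                .client(ClientBuilder.create()
                        .clientId(CLIENT_ID)
                        .secret("secret")
                        .authorizationServicesEnabled(true)
                        .redirectUris("http://localhost/resource-server-test")
                        .directAccessGrants()
                        // Mapper order preserved: foo first, then bar.
                        .protocolMapper(userAttributeMapper("userAttrFoo", "foo"),
                                userAttributeMapper("userAttrBar", "bar")))
                .build());
    }

    /**
     * Builds an OIDC protocol mapper that copies user attribute {@code attribute} into an
     * access-token and ID-token claim of the same name, which is what the regex policy reads.
     *
     * @param name      display name of the mapper
     * @param attribute user attribute name; also used as the claim name
     */
    private static ProtocolMapperRepresentation userAttributeMapper(String name, String attribute) {
        ProtocolMapperRepresentation mapper = new ProtocolMapperRepresentation();
        mapper.setName(name);
        mapper.setProtocolMapper("oidc-usermodel-attribute-mapper");
        mapper.setProtocol("openid-connect");
        Map<String, String> config = new HashMap<>();
        config.put("access.token.claim", "true");
        config.put("id.token.claim", "true");
        config.put("jsonType.label", "String");
        config.put("user.attribute", attribute);
        config.put("claim.name", attribute);
        mapper.setConfig(config);
        return mapper;
    }

    /**
     * Wires the authorization model the tests rely on: two resources, one regex policy per
     * claim, and one resource permission per resource bound to the matching policy.
     *
     * <p>NOTE(review): the "foo" pattern is unanchored while "^bar.+$" is anchored. Whether an
     * unanchored pattern must match the whole claim value or merely a substring depends on
     * the policy provider's matching mode, which this test does not pin down — confirm before
     * relying on unanchored patterns in a real policy, since substring matching would be
     * far more permissive than intended.
     */
    @Before
    public void configureAuthorization() throws Exception {
        createResource("Resource A");
        createResource("Resource B");
        createRegexPolicy("Regex foo Policy", "foo", "foo");
        createRegexPolicy("Regex bar Policy", "bar", "^bar.+$");
        createResourcePermission("Resource A Permission", "Resource A", "Regex foo Policy");
        createResourcePermission("Resource B Permission", "Resource B", "Regex bar Policy");
    }

    /** Creates a resource with the given name (no scopes) on the resource server. */
    private void createResource(String resourceName) {
        AuthorizationResource authorization = getClient().authorization();
        authorization.resources().create(new ResourceRepresentation(resourceName)).close();
    }

    /**
     * Creates a regex policy that evaluates {@code pattern} against the token claim
     * {@code targetClaim}.
     */
    private void createRegexPolicy(String policyName, String targetClaim, String pattern) {
        RegexPolicyRepresentation policy = new RegexPolicyRepresentation();
        policy.setName(policyName);
        policy.setTargetClaim(targetClaim);
        policy.setPattern(pattern);
        getClient().authorization().policies().regex().create(policy).close();
    }

    /** Creates a resource permission binding {@code resourceName} to the named policies. */
    private void createResourcePermission(String permissionName, String resourceName, String... policyNames) {
        ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
        permission.setName(permissionName);
        permission.addResource(resourceName);
        permission.addPolicy(policyNames);
        getClient().authorization().permissions().resource().create(permission).close();
    }

    /** Admin handle on the {@code resource-server-test} client in the test realm. */
    private ClientResource getClient() {
        return getClient(getRealm());
    }

    /**
     * Looks up the resource server client by client id.
     *
     * @throws RuntimeException if no client with id {@code resource-server-test} exists
     */
    private ClientResource getClient(RealmResource realmResource) {
        ClientsResource clients = realmResource.clients();
        return clients.findByClientId(CLIENT_ID).stream()
                .map(representation -> clients.get(representation.getId()))
                .findFirst()
                .orElseThrow(() -> new RuntimeException("Expected client [" + CLIENT_ID + "]"));
    }

    /**
     * Admin handle on the test realm.
     *
     * @throws RuntimeException wrapping whatever the admin client threw; the cause is kept
     *                          so the real failure is visible instead of a generic message
     */
    private RealmResource getRealm() {
        try {
            return getAdminClient().realm(REALM_NAME);
        } catch (Exception e) {
            throw new RuntimeException("Failed to obtain admin client for realm [" + REALM_NAME + "]", e);
        }
    }

    /** A user whose claims match both patterns obtains a token for both resources. */
    @Test
    public void testWithExpectedUserAttribute() {
        AuthzClient authzClient = getAuthzClient();
        Assert.assertNotNull(requestToken(authzClient, "marta", "Resource A"));
        Assert.assertNotNull(requestToken(authzClient, "marta", "Resource B"));
    }

    /**
     * A user whose claims are present but match neither pattern is denied for both resources.
     * Denial must surface as {@link AuthorizationDeniedException}, not as a token without the
     * permission, so the check is on the exception rather than on the token contents.
     */
    @Test
    public void testWithoutExpectedUserAttribute() {
        AuthzClient authzClient = getAuthzClient();
        assertDenied(authzClient, "taro", "Resource A");
        assertDenied(authzClient, "taro", "Resource B");
    }

    /**
     * Requests a permission ticket for {@code resourceName} and exchanges it for a token on
     * behalf of {@code username}.
     *
     * @return the issued token string
     * @throws AuthorizationDeniedException if the server denies the request
     */
    private String requestToken(AuthzClient authzClient, String username, String resourceName) {
        return authzClient.authorization(username, TEST_PASSWORD)
                .authorize(new AuthorizationRequest(
                        authzClient.protection().permission()
                                .create(new PermissionRequest(resourceName))
                                .getTicket()))
                .getToken();
    }

    /** Asserts that the authorization request for {@code resourceName} is denied for the user. */
    private void assertDenied(AuthzClient authzClient, String username, String resourceName) {
        try {
            requestToken(authzClient, username, resourceName);
            Assert.fail("Expected AuthorizationDeniedException for user [" + username
                    + "] on [" + resourceName + "]");
        } catch (AuthorizationDeniedException expected) {
            // Expected: the claim is present but does not match the policy pattern.
        }
    }

    /**
     * Builds the authorization client from the classpath configuration.
     *
     * @throws IllegalStateException if the configuration resource is missing, instead of the
     *                               NPE the client would otherwise throw on a null stream
     */
    private AuthzClient getAuthzClient() {
        try (InputStream config = getClass().getResourceAsStream(AUTHZ_CLIENT_CONFIG)) {
            if (config == null) {
                throw new IllegalStateException("Missing test resource " + AUTHZ_CLIENT_CONFIG);
            }
            return AuthzClient.create(config);
        } catch (IOException e) {
            throw new UncheckedIOException("Failed to read " + AUTHZ_CLIENT_CONFIG, e);
        }
    }
}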
