package org.keycloak.testsuite.authz;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.keycloak.admin.client.resource.AuthorizationResource;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.ClientsResource;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.authorization.client.AuthorizationDeniedException;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.representations.idm.GroupRepresentation;
import org.keycloak.representations.idm.ProtocolMapperRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.GroupPolicyRepresentation;
import org.keycloak.representations.idm.authorization.PermissionRequest;
import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.GroupBuilder;
import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.testsuite.util.RoleBuilder;
import org.keycloak.testsuite.util.RolesBuilder;
import org.keycloak.testsuite.util.UserBuilder;

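/**
 * Verifies group policies that are evaluated against the group path carried in the
 * {@code groups} token claim.
 *
 * <p>The realm under test has the group tree {@code /Group A/Group B/Group C},
 * {@code /Group A/Group B/Group E}, {@code /Group A/Group D} plus a top-level
 * {@code /Group E}, so that a policy on a parent path with the "extend to children"
 * flag can be distinguished from a policy on an exact path without it.
 */
@AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
public class GroupPathPolicyTest extends AbstractAuthzTest {

    private static final String REALM_NAME = "authz-test";
    private static final String RESOURCE_SERVER_CLIENT_ID = "resource-server-test";
    private static final String GROUPS_CLAIM = "groups";
    private static final String PASSWORD = "password";

    /**
     * Builds the {@code authz-test} realm: the group tree, three users, the resource
     * server client and a group-membership mapper that emits the full group path in the
     * {@code groups} claim (the group policies created below match on full paths).
     *
     * @param testRealms realms imported before the tests run; the test realm is appended
     */
    @Override
    public void addTestRealms(List<RealmRepresentation> testRealms) {
        GroupRepresentation groupB = GroupBuilder.create()
                .name("Group B")
                .subGroups(groups(leafGroup("Group C"), leafGroup("Group E")))
                .build();
        GroupRepresentation groupA = GroupBuilder.create()
                .name("Group A")
                .subGroups(groups(groupB, leafGroup("Group D")))
                .build();

        testRealms.add(RealmBuilder.create()
                .name(REALM_NAME)
                .roles(RolesBuilder.create()
                        .realmRole(RoleBuilder.create().name("uma_authorization").build()))
                .group(groupA)
                .group(leafGroup("Group E"))
                // only marta starts as a group member; kolo joins Group C during the tests
                .user(UserBuilder.create().username("marta").password(PASSWORD)
                        .addRoles("uma_authorization").addGroups("Group A"))
                .user(UserBuilder.create().username("alice").password(PASSWORD)
                        .addRoles("uma_authorization"))
                .user(UserBuilder.create().username("kolo").password(PASSWORD)
                        .addRoles("uma_authorization"))
                .client(ClientBuilder.create()
                        .clientId(RESOURCE_SERVER_CLIENT_ID)
                        .secret("secret")
                        .authorizationServicesEnabled(true)
                        .redirectUris("http://localhost/resource-server-test")
                        .defaultRoles("uma_protection")
                        .directAccessGrants()
                        .protocolMapper(groupMembershipMapper()))
                .build());
    }

    /** A group with the given name and no sub-groups. */
    private static GroupRepresentation leafGroup(String name) {
        return GroupBuilder.create().name(name).build();
    }

    /** Mutable list of sub-groups, in the given order. */
    private static List<GroupRepresentation> groups(GroupRepresentation... members) {
        return new ArrayList<>(Arrays.asList(members));
    }

    /**
     * Group-membership mapper that writes the user's groups into the {@code groups} claim of
     * both the access and the ID token. {@code full.path} is enabled because the group
     * policies under test match on paths such as {@code /Group A/Group B/Group C}, not on
     * bare group names.
     */
    private static ProtocolMapperRepresentation groupMembershipMapper() {
        ProtocolMapperRepresentation mapper = new ProtocolMapperRepresentation();
        mapper.setName(GROUPS_CLAIM);
        mapper.setProtocolMapper("oidc-group-membership-mapper");
        mapper.setProtocol("openid-connect");
        Map<String, String> config = new HashMap<>();
        config.put("claim.name", GROUPS_CLAIM);
        config.put("access.token.claim", "true");
        config.put("id.token.claim", "true");
        config.put("full.path", "true");
        mapper.setConfig(config);
        return mapper;
    }

    /**
     * Per-test setup: two resources, one policy per matching mode and a permission that
     * links each resource to its policy.
     */
    @Before
    public void configureAuthorization() throws Exception {
        createResource("Resource A");
        createResource("Resource B");
        // extendChildren=true: members of "/Group A" or of any group below it are accepted
        createGroupPolicy("Parent And Children Policy", "/Group A", true);
        // extendChildren=false: only members of exactly "/Group A/Group B/Group C" are accepted
        createGroupPolicy("Only Children Policy", "/Group A/Group B/Group C", false);
        createResourcePermission("Resource A Permission", "Resource A", "Parent And Children Policy");
        createResourcePermission("Resource B Permission", "Resource B", "Only Children Policy");
    }

    /**
     * A policy on {@code /Group A} with extendChildren grants a direct member of Group A
     * (marta) and a member of the nested Group C (kolo) alike.
     */
    @Test
    public void testAllowParentAndChildren() {
        AuthzClient authzClient = getAuthzClient();
        assertGranted(authzClient, "marta", createTicket(authzClient, "Resource A"));
        joinGroup("kolo", "/Group A/Group B/Group C");
        assertGranted(authzClient, "kolo", createTicket(authzClient, "Resource A"));
    }

    /**
     * A policy on {@code /Group A/Group B/Group C} without extendChildren grants only
     * members of that exact group: kolo is denied until joining it, and marta, who is a
     * member of the parent group only, stays denied.
     */
    @Test
    public void testOnlyChildrenPolicy() throws Exception {
        AuthzClient authzClient = getAuthzClient();
        String ticket = createTicket(authzClient, "Resource B");
        assertDenied(authzClient, "kolo", ticket);
        joinGroup("kolo", "/Group A/Group B/Group C");
        assertGranted(authzClient, "kolo", ticket);
        assertDenied(authzClient, "marta", ticket);
    }

    /** Obtains a permission ticket for {@code resourceName} from the protection API. */
    private static String createTicket(AuthzClient authzClient, String resourceName) {
        return authzClient.protection().permission()
                .create(new PermissionRequest(resourceName))
                .getTicket();
    }

    /** Asserts that {@code username} obtains an RPT for {@code ticket}. */
    private static void assertGranted(AuthzClient authzClient, String username, String ticket) {
        Assert.assertNotNull("Expected user [" + username + "] to be granted access",
                authzClient.authorization(username, PASSWORD)
                        .authorize(new AuthorizationRequest(ticket))
                        .getToken());
    }

    /** Asserts that the authorization request for {@code username} is denied. */
    private static void assertDenied(AuthzClient authzClient, String username, String ticket) {
        try {
            authzClient.authorization(username, PASSWORD).authorize(new AuthorizationRequest(ticket));
            Assert.fail("Should fail because user [" + username + "] is not a member of a group accepted by the policy");
        } catch (AuthorizationDeniedException expected) {
            // the denial is the behaviour under test
        }
    }

    /**
     * Adds {@code username} to the group identified by the full {@code groupPath}.
     *
     * @throws AssertionError if no user with that username exists in the realm
     */
    private void joinGroup(String username, String groupPath) {
        RealmResource realm = getRealm();
        List<UserRepresentation> found = realm.users().search(username);
        Assert.assertFalse("User [" + username + "] not found", found.isEmpty());
        realm.users().get(found.get(0).getId()).joinGroup(getGroup(groupPath).getId());
    }

    /**
     * Creates a group policy that reads group paths from the {@code groups} claim.
     *
     * @param name           policy name
     * @param groupPath      full group path the policy matches on
     * @param extendChildren whether members of groups below {@code groupPath} are accepted too
     */
    private void createGroupPolicy(String name, String groupPath, boolean extendChildren) {
        GroupPolicyRepresentation policy = new GroupPolicyRepresentation();
        policy.setName(name);
        policy.setGroupsClaim(GROUPS_CLAIM);
        policy.addGroupPath(groupPath, extendChildren);
        getClient().authorization().policies().group().create(policy).close();
    }

    /**
     * Creates a resource permission that applies the named policies to one resource.
     *
     * @param name         permission name
     * @param resourceName resource the permission protects
     * @param policies     names of the policies to associate
     */
    private void createResourcePermission(String name, String resourceName, String... policies) {
        ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
        permission.setName(name);
        permission.addResource(resourceName);
        permission.addPolicy(policies);
        getClient().authorization().permissions().resource().create(permission).close();
    }

    /** Registers a resource with the given name and no scopes on the resource server. */
    private void createResource(String name) {
        getClient().authorization().resources().create(new ResourceRepresentation(name)).close();
    }

    /**
     * Admin resource for the test realm.
     *
     * @throws RuntimeException wrapping the original failure, so the cause stays visible
     */
    private RealmResource getRealm() {
        try {
            return getAdminClient().realm(REALM_NAME);
        } catch (Exception e) {
            throw new RuntimeException("Failed to create admin client", e);
        }
    }

    /** Admin resource for the resource server client within {@code realm}. */
    private ClientResource getClient(RealmResource realm) {
        ClientsResource clients = realm.clients();
        return clients.findByClientId(RESOURCE_SERVER_CLIENT_ID).stream()
                .map(representation -> clients.get(representation.getId()))
                .findFirst()
                .orElseThrow(() -> new RuntimeException("Expected client [resource-server-test]"));
    }

    /** Authorization client configured from the bundled test configuration. */
    private AuthzClient getAuthzClient() {
        return AuthzClient.create(Objects.requireNonNull(
                getClass().getResourceAsStream("/authorization-test/default-keycloak.json"),
                "Missing /authorization-test/default-keycloak.json on the test classpath"));
    }

    /** Admin resource for the resource server client in the test realm. */
    private ClientResource getClient() {
        return getClient(getRealm());
    }

    /**
     * Resolves a full group path such as {@code /Group A/Group B/Group C} by walking the
     * realm's group tree one segment at a time; every segment must be a direct child of the
     * previous one.
     *
     * @param path full group path, with a leading {@code /}
     * @return the group at the end of the path
     * @throws IllegalStateException if the path is empty or a segment cannot be found
     */
    private GroupRepresentation getGroup(String path) {
        RealmResource realm = getRealm();
        GroupRepresentation current = null;
        for (String segment : path.split("/")) {
            if (segment.isEmpty()) {
                continue; // the leading "/" yields an empty first segment
            }
            List<GroupRepresentation> candidates =
                    current == null ? realm.groups().groups() : current.getSubGroups();
            current = findByName(segment, candidates);
            if (current == null) {
                throw new IllegalStateException(
                        "Group [" + segment + "] not found while resolving path [" + path + "]");
            }
        }
        if (current == null) {
            throw new IllegalStateException("Group path [" + path + "] has no segments");
        }
        return current;
    }

    /**
     * The group named {@code name} among {@code groups} (direct members only), or
     * {@code null} when absent or when there is no list to search.
     */
    private static GroupRepresentation findByName(String name, List<GroupRepresentation> groups) {
        if (groups == null) {
            return null; // guard: a representation may carry no sub-group list
        }
        return groups.stream()
                .filter(group -> name.equals(group.getName()))
                .findFirst()
                .orElse(null);
    }
}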
