package org.keycloak.testsuite.federation.kerberos;

import java.util.concurrent.atomic.AtomicReference;
import javax.ws.rs.core.Response;
import org.junit.Assume;
import org.junit.Test;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.common.Profile;
import org.keycloak.common.util.KerberosSerializationUtils;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.protocol.oidc.mappers.UserSessionNoteMapper;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.idm.ProtocolMapperRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.testsuite.Assert;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.arquillian.annotation.DisableFeature;

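/**
 * SPNEGO/Kerberos login scenarios run against a single realm backed by a Kerberos-capable
 * user storage provider.
 *
 * <p>Several tests temporarily change shared server-side state: the provider's keytab, the
 * requirement of the Kerberos authentication execution, and a protocol mapper on the
 * {@code kerberos-app} client. Each such change is undone in a {@code finally} block, so a
 * failing assertion cannot leave the realm misconfigured for the tests that run afterwards.
 *
 * <p>NOTE(review): the ACCOUNT2 feature is disabled for this class, presumably because
 * {@link #usernamePasswordLoginTest()} drives the legacy change-password page. Confirm.
 */
@DisableFeature(value = Profile.Feature.ACCOUNT2, skipRestart = true)
public abstract class AbstractKerberosSingleRealmTest extends AbstractKerberosTest {

    /**
     * Checks that the login form URL answers {@code 401} with {@code WWW-Authenticate: Negotiate}
     * when the request carries no SPNEGO token.
     *
     * <p>NOTE(review): {@code initHttpClient(false)} presumably builds the HTTP client without
     * SPNEGO support. Confirm in {@code AbstractKerberosTest}.
     */
    @Test
    public void spnegoNotAvailableTest() throws Exception {
        initHttpClient(false);
        Response response = this.client.target(this.oauth.getLoginFormUrl()).request().get();
        try {
            Assert.assertEquals(401L, response.getStatus());
            Assert.assertEquals("Negotiate", response.getHeaderString("WWW-Authenticate"));
        } finally {
            // Release the connection even when an assertion above fails.
            response.close();
        }
    }

    /**
     * Checks that a SPNEGO login does not authenticate the user when the server cannot use its
     * keytab, and that the login form is shown instead.
     *
     * <p>Despite the method name, the client sends an ordinary token; the failure is induced on
     * the server by pointing the provider's {@code keyTab} setting at a non-existent path. The
     * original value is restored whether or not the assertions pass.
     */
    @Test
    public void spnegoWithInvalidTokenTest() throws Exception {
        initHttpClient(true);
        // Typed reference: the lambdas below pass its value to putSingle(String, String).
        AtomicReference<String> originalKeyTab = new AtomicReference<>();
        updateUserStorageProvider(provider -> {
            String keyTab = provider.getConfig().getFirst("keyTab");
            originalKeyTab.set(keyTab);
            provider.getConfig().putSingle("keyTab", keyTab + "-invalid");
        });
        try {
            Response response = spnegoLogin("hnelson", "secret");
            String body;
            try {
                // 200 with the login form, not a 302 redirect: no session was established.
                Assert.assertEquals(200L, response.getStatus());
                body = response.readEntity(String.class);
            } finally {
                response.close();
            }
            Assert.assertTrue(body.contains("Sign in to test"));
            this.events.clear();
        } finally {
            // Always put the working keytab back; later tests depend on it.
            updateUserStorageProvider(
                    provider -> provider.getConfig().putSingle("keyTab", originalKeyTab.get()));
        }
    }

    /**
     * Checks that SPNEGO login still ends in a {@code 302} redirect when the Kerberos
     * authentication execution is set to {@code REQUIRED}.
     *
     * <p>The previous requirement is restored before the assertion runs, and also when the login
     * call itself throws.
     */
    @Test
    public void spnegoLoginWithRequiredKerberosAuthExecutionTest() {
        AuthenticationExecutionModel.Requirement previousRequirement =
                updateKerberosAuthExecutionRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
        Response response;
        try {
            response = spnegoLogin("hnelson", "secret");
        } finally {
            // Leaving the flow at REQUIRED would change how every later test authenticates.
            updateKerberosAuthExecutionRequirement(previousRequirement);
        }
        try {
            Assert.assertEquals(302L, response.getStatus());
        } finally {
            response.close();
        }
    }

    /**
     * Logs in with a principal whose letter case depends on whether the Kerberos rule reports
     * case-sensitive login, and expects the resulting user to be {@code myduke} either way.
     */
    @Test
    public void spnegoCaseInsensitiveTest() throws Exception {
        String loginUsername = getKerberosRule().isCaseSensitiveLogin() ? "MyDuke" : "myduke";
        assertSuccessfulSpnegoLogin(loginUsername, "myduke", "theduke");
    }

    /**
     * Exercises form-based username/password login and password change for a Kerberos-backed
     * user under two provider edit modes, then checks that SPNEGO login still works.
     *
     * <p>Steps, in order:
     * <ol>
     *   <li>{@code READ_ONLY}: a wrong current password is rejected, and a correct one is refused
     *       because the account is read-only.</li>
     *   <li>{@code UNSYNCED}: the password change succeeds; afterwards the old password no longer
     *       passes the login form and the new one does.</li>
     *   <li>SPNEGO login with the original Kerberos password {@code theduke} still yields a
     *       {@code 302} and a login event for {@code jduke}.</li>
     * </ol>
     *
     * <p>NOTE(review): the edit mode is left at {@code UNSYNCED} and the local password at
     * {@code newPass} when the test ends; presumably the base class resets them per test. Confirm.
     */
    @Test
    public void usernamePasswordLoginTest() throws Exception {
        updateProviderEditMode(UserStorageProvider.EditMode.READ_ONLY);
        this.changePasswordPage.open();
        this.loginPage.assertCurrent();
        this.loginPage.login("jduke", "theduke");
        this.changePasswordPage.assertCurrent();

        // Wrong current password must be rejected before the read-only check matters.
        this.changePasswordPage.changePassword("theduke-invalid", "newPass", "newPass");
        Assert.assertTrue(this.driver.getPageSource().contains("Invalid existing password."));

        this.changePasswordPage.changePassword("theduke", "newPass", "newPass");
        Assert.assertTrue(this.driver.getPageSource().contains("You can't update your password as your account is read-only"));

        updateProviderEditMode(UserStorageProvider.EditMode.UNSYNCED);
        this.changePasswordPage.changePassword("theduke", "newPass", "newPass");
        Assert.assertTrue(this.driver.getPageSource().contains("Your password has been updated."));
        this.changePasswordPage.logout();

        // The old password must no longer pass the form: the login page stays current.
        this.loginPage.login("jduke", "theduke");
        this.loginPage.assertCurrent();
        this.loginPage.login("jduke", "newPass");
        this.changePasswordPage.assertCurrent();
        this.changePasswordPage.logout();
        this.events.clear();

        Response spnegoResponse = spnegoLogin("jduke", "theduke");
        try {
            Assert.assertEquals(302L, spnegoResponse.getStatus());
            String userId = testRealmResource().users().search("jduke", 0, 1).get(0).getId();
            this.events.expectLogin().client("kerberos-app").user(userId).detail("username", "jduke").assertEvent();
            assertAuthenticationSuccess(spnegoResponse.getLocation().toString());
        } finally {
            spnegoResponse.close();
        }
    }

    /**
     * Checks that a delegated GSS credential can be exposed to a client through a protocol mapper
     * and used to query LDAP on the user's behalf, and that the claim disappears once the mapper
     * is removed.
     *
     * <p>The {@code gss_delegation_credential} claim carries a serialized Kerberos credential, so
     * any party that can read the token can presumably act as the user against Kerberos-protected
     * services. The mapper exists only for this test and is deleted in a {@code finally} block so
     * a failed assertion cannot leave it on {@code kerberos-app}.
     *
     * <p>Skipped unless the Kerberos rule reports that the embedded LDAP server is started.
     */
    @Test
    public void credentialDelegationTest() throws Exception {
        Assume.assumeTrue("Ignoring test as the embedded server is not started", getKerberosRule().isStartEmbeddedLdapServer());

        // NOTE(review): the trailing (true, false) presumably mean "add to access token" and
        // "do not add to ID token"; the claim is read from the AccessToken below.
        ProtocolMapperRepresentation delegationMapper = ModelToRepresentation.toRepresentation(
                UserSessionNoteMapper.createClaimMapper("gss delegation credential", "gss_delegation_credential", "gss_delegation_credential", "String", true, false));
        ClientResource kerberosApp = ApiUtil.findClientByClientId(testRealmResource(), "kerberos-app");
        Response createResponse = kerberosApp.getProtocolMappers().createMapper(delegationMapper);
        String mapperId;
        try {
            mapperId = ApiUtil.getCreatedId(createResponse);
        } finally {
            createResponse.close();
        }

        try {
            AccessToken token = assertSuccessfulSpnegoLogin("hnelson", "hnelson", "secret");
            String serializedCredential = (String) token.getOtherClaims().get("gss_delegation_credential");
            Assert.assertNotNull(serializedCredential);
            // Using the credential against LDAP shows it is a working delegated credential.
            Assert.assertEquals("Horatio Nelson", invokeLdap(KerberosSerializationUtils.deserializeCredential(serializedCredential), token.getPreferredUsername()));
            this.oauth.openLogout();
        } finally {
            // Remove the credential-exposing mapper on every path, not only on success.
            kerberosApp.getProtocolMappers().delete(mapperId);
        }

        // With the mapper gone, a fresh login must not leak the credential into the token.
        Assert.assertFalse(assertSuccessfulSpnegoLogin("hnelson", "hnelson", "secret").getOtherClaims().containsKey("gss_delegation_credential"));
        this.events.clear();
    }
}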
