package org.keycloak.testsuite.admin.partialexport;

import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.hamcrest.Matchers;
import org.junit.Test;
import org.keycloak.common.util.MultivaluedHashMap;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.ComponentExportRepresentation;
import org.keycloak.representations.idm.GroupRepresentation;
import org.keycloak.representations.idm.IdentityProviderRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.ScopeMappingRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.testsuite.Assert;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.AbstractAdminTest;
import org.keycloak.testsuite.oauth.BackchannelLogoutTest;
import org.keycloak.testsuite.oauth.OAuthGrantTest;

/* loaded from: input_file:org/keycloak/testsuite/admin/partialexport/PartialExportTest.class */
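/**
 * Exercises {@code partialExport} on the admin client for the {@code partial-export-test} realm.
 *
 * <p>The export is requested with all four combinations of its two boolean flags. Judging by the
 * assertions below, the first flag controls groups and roles and the second controls clients.
 * For each combination the test checks which sections of the returned
 * {@link RealmRepresentation} are present, and for the full export it also checks that secret
 * values (client secrets, identity-provider client secrets, SMTP password, RSA private key,
 * LDAP bind credential) come back as {@link #SECRET_MASK} rather than the stored value.
 */
public class PartialExportTest extends AbstractAdminTest {
    private static final String EXPORT_TEST_REALM = "partial-export-test";

    /** Value every secret field is expected to carry in an export in place of the real secret. */
    private static final String SECRET_MASK = "**********";

    /**
     * Registers the realm used by this test, loaded from the
     * {@code /export/partialexport-testrealm.json} classpath resource.
     *
     * @param list realms to import before the test runs; the fixture realm is appended to it
     */
    @Override
    public void addTestRealms(List<RealmRepresentation> list) {
        super.addTestRealms(list);
        list.add(loadJson(getClass().getResourceAsStream("/export/partialexport-testrealm.json"), RealmRepresentation.class));
    }

    /**
     * Requests the partial export with each flag combination and verifies the exported sections.
     */
    @Test
    public void testExport() {
        // (false, false): neither groups/roles nor clients are exported.
        RealmRepresentation bare = this.adminClient.realm(EXPORT_TEST_REALM).partialExport(false, false);
        Assert.assertNull("Users are null", bare.getUsers());
        Assert.assertNull("Default groups are empty", bare.getDefaultGroups());
        Assert.assertNull("Groups are empty", bare.getGroups());
        Assert.assertNull("Realm and client roles are empty", bare.getRoles());
        Assert.assertNull("Clients are empty", bare.getClients());
        checkScopeMappings(bare.getScopeMappings(), true);
        Assert.assertNull("Client scope mappings empty", bare.getClientScopeMappings());

        // (true, false): groups and realm roles are exported, client data is not.
        RealmRepresentation groupsAndRoles = this.adminClient.realm(EXPORT_TEST_REALM).partialExport(true, false);
        Assert.assertNull("Users are null", groupsAndRoles.getUsers());
        Assert.assertNull("Default groups are empty", groupsAndRoles.getDefaultGroups());
        Assert.assertNotNull("Groups not empty", groupsAndRoles.getGroups());
        checkGroups(groupsAndRoles.getGroups());
        Assert.assertNotNull("Realm and client roles not empty", groupsAndRoles.getRoles());
        Assert.assertNotNull("Realm roles not empty", groupsAndRoles.getRoles().getRealm());
        checkRealmRoles(groupsAndRoles.getRoles().getRealm());
        Assert.assertNull("Client roles are empty", groupsAndRoles.getRoles().getClient());
        Assert.assertNull("Clients are empty", groupsAndRoles.getClients());
        checkScopeMappings(groupsAndRoles.getScopeMappings(), true);
        Assert.assertNull("Client scope mappings empty", groupsAndRoles.getClientScopeMappings());

        // (false, true): clients and the service-account user are exported, without role data.
        // NOTE(review): this export also returns client representations, but secret masking is
        // only asserted for the (true, true) export below; consider covering it here as well.
        RealmRepresentation clientsOnly = this.adminClient.realm(EXPORT_TEST_REALM).partialExport(false, true);
        Assert.assertNotNull("The service accout user should be exported", clientsOnly.getUsers());
        Assert.assertEquals("Only one client has a service account", 1, clientsOnly.getUsers().size());
        checkServiceAccountRoles(clientsOnly.getUsers().get(0), false);
        Assert.assertNull("Default groups are empty", clientsOnly.getDefaultGroups());
        Assert.assertNull("Groups are empty", clientsOnly.getGroups());
        Assert.assertNull("Realm and client roles are empty", clientsOnly.getRoles());
        Assert.assertNotNull("Clients not empty", clientsOnly.getClients());
        checkClients(clientsOnly.getClients());
        checkScopeMappings(clientsOnly.getScopeMappings(), false);
        checkClientScopeMappings(clientsOnly.getClientScopeMappings());

        // (true, true): everything above is exported, and secrets must be masked.
        RealmRepresentation full = this.adminClient.realm(EXPORT_TEST_REALM).partialExport(true, true);
        Assert.assertNotNull("The service accout user should be exported", full.getUsers());
        Assert.assertEquals("Only one client has a service account", 1, full.getUsers().size());
        checkServiceAccountRoles(full.getUsers().get(0), true);
        Assert.assertNull("Default groups are empty", full.getDefaultGroups());
        Assert.assertNotNull("Groups not empty", full.getGroups());
        checkGroups(full.getGroups());
        Assert.assertNotNull("Realm and client roles not empty", full.getRoles());
        Assert.assertNotNull("Realm roles not empty", full.getRoles().getRealm());
        checkRealmRoles(full.getRoles().getRealm());
        Assert.assertNotNull("Client roles not empty", full.getRoles().getClient());
        checkClientRoles(full.getRoles().getClient());
        Assert.assertNotNull("Clients not empty", full.getClients());
        checkClients(full.getClients());
        checkScopeMappings(full.getScopeMappings(), false);
        checkClientScopeMappings(full.getClientScopeMappings());
        checkSecretsAreMasked(full);
    }

    /**
     * Verifies the exported service-account user: it carries no credentials, and its role
     * assignments are present only when roles were part of the export.
     *
     * @param userRepresentation the single exported user
     * @param rolesExported whether realm and client role assignments are expected on the user
     */
    private void checkServiceAccountRoles(UserRepresentation userRepresentation, boolean rolesExported) {
        Assert.assertTrue("User is a service account", userRepresentation.getUsername().startsWith("service-account-"));
        // The export must never carry the user's credentials.
        Assert.assertNull("Password should be null", userRepresentation.getCredentials());
        if (!rolesExported) {
            Assert.assertNull("Service account should be exported without realm roles", userRepresentation.getRealmRoles());
            Assert.assertNull("Service account should be exported without client roles", userRepresentation.getClientRoles());
            return;
        }
        Assert.assertThat("Realm roles are OK", userRepresentation.getRealmRoles(), Matchers.containsInAnyOrder("uma_authorization", "user", "offline_access"));
        Map<String, List<String>> clientRoles = userRepresentation.getClientRoles();
        Assert.assertNotNull("Client roles are exported", clientRoles);
        Assert.assertThat("Client roles for test-app-service-account are OK", clientRoles.get("test-app-service-account"), Matchers.containsInAnyOrder("test-app-service-account", "test-app-service-account-parent"));
        Assert.assertThat("Client roles for account are OK", clientRoles.get(BackchannelLogoutTest.ACCOUNT_CLIENT_NAME), Matchers.containsInAnyOrder("manage-account", "view-profile"));
    }

    /**
     * Verifies that every secret-bearing field in the export holds {@link #SECRET_MASK}.
     *
     * <p>Covers confidential clients' secrets, identity providers' {@code clientSecret}, the SMTP
     * {@code password}, the {@code rsa} key provider's {@code privateKey} and the {@code ldap}
     * user-storage provider's {@code bindCredential}.
     *
     * @param realmRepresentation the export to inspect
     */
    private void checkSecretsAreMasked(RealmRepresentation realmRepresentation) {
        // Null checks turn a missing section into a named assertion failure instead of an NPE.
        List<ClientRepresentation> clients = realmRepresentation.getClients();
        Assert.assertNotNull("Clients not empty", clients);
        // NOTE(review): this loop asserts nothing if the export holds no client that is both
        // non-public and non-bearer-only. The rsa/ldap checks below guard against that with a
        // "found" flag; the same guard here would stop the check from passing vacuously.
        for (ClientRepresentation client : clients) {
            if (Boolean.FALSE.equals(client.isPublicClient()) && Boolean.FALSE.equals(client.isBearerOnly())) {
                Assert.assertEquals("Client secret masked", SECRET_MASK, client.getSecret());
            }
        }

        List<IdentityProviderRepresentation> identityProviders = realmRepresentation.getIdentityProviders();
        Assert.assertNotNull("Identity providers not null", identityProviders);
        // NOTE(review): passes vacuously when the list is empty; confirm the fixture realm
        // defines at least one identity provider.
        for (IdentityProviderRepresentation identityProvider : identityProviders) {
            Assert.assertEquals("IdentityProvider clientSecret masked", SECRET_MASK, identityProvider.getConfig().get("clientSecret"));
        }

        Map<String, String> smtpServer = realmRepresentation.getSmtpServer();
        Assert.assertNotNull("SMTP server config not null", smtpServer);
        Assert.assertEquals("SMTP password masked", SECRET_MASK, smtpServer.get("password"));

        MultivaluedHashMap<String, ComponentExportRepresentation> components = realmRepresentation.getComponents();
        Assert.assertNotNull("Components not null", components);

        List<ComponentExportRepresentation> keyProviders = components.get("org.keycloak.keys.KeyProvider");
        Assert.assertNotNull("Keys not null", keyProviders);
        Assert.assertTrue("At least one key returned", !keyProviders.isEmpty());
        boolean rsaFound = false;
        for (ComponentExportRepresentation keyProvider : keyProviders) {
            if ("rsa".equals(keyProvider.getProviderId())) {
                Assert.assertEquals("RSA KeyProvider privateKey masked", SECRET_MASK, keyProvider.getConfig().getFirst("privateKey"));
                rsaFound = true;
            }
        }
        // Fails the test if no rsa provider was present, so the masking check cannot be skipped.
        Assert.assertTrue("Found rsa private key", rsaFound);

        List<ComponentExportRepresentation> storageProviders = components.get("org.keycloak.storage.UserStorageProvider");
        Assert.assertNotNull("UserStorageProvider not null", storageProviders);
        Assert.assertTrue("At least one UserStorageProvider returned", !storageProviders.isEmpty());
        boolean ldapFound = false;
        for (ComponentExportRepresentation storageProvider : storageProviders) {
            if ("ldap".equals(storageProvider.getProviderId())) {
                Assert.assertEquals("LDAP provider bindCredential masked", SECRET_MASK, storageProvider.getConfig().getFirst("bindCredential"));
                ldapFound = true;
            }
        }
        Assert.assertTrue("Found ldap bindCredential", ldapFound);
    }

    /**
     * Verifies the per-client scope mappings of the export.
     *
     * @param map scope mappings keyed by the client whose roles are being mapped
     */
    private void checkClientScopeMappings(Map<String, List<ScopeMappingRepresentation>> map) {
        Assert.assertNotNull("Client scope mappings exported", map);
        Map<String, Set<String>> testAppMappings = extractScopeMappings(map.get(AssertEvents.DEFAULT_CLIENT_ID));
        Assert.assertTrue("Client test-app / test-app-scope contains customer-admin-composite-role", testAppMappings.get("test-app-scope").contains("customer-admin-composite-role"));
        Assert.assertTrue("Client test-app / third-party contains customer-user", testAppMappings.get(OAuthGrantTest.THIRD_PARTY_APP).contains("customer-user"));
        Map<String, Set<String>> testAppScopeMappings = extractScopeMappings(map.get("test-app-scope"));
        Assert.assertTrue("Client test-app-scope / test-app-scope contains test-app-allowed-by-scope", testAppScopeMappings.get("test-app-scope").contains("test-app-allowed-by-scope"));
    }

    /**
     * Verifies the realm-level scope mappings of the export.
     *
     * @param list the exported scope mappings
     * @param clientsOmitted {@code true} when clients were not exported, in which case the
     *     {@code offline_access} client-scope mapping must be the only entry
     */
    private void checkScopeMappings(List<ScopeMappingRepresentation> list, boolean clientsOmitted) {
        Assert.assertNotNull("Scope mappings exported", list);
        // A missing offline_access mapping is reported as an assertion failure rather than a
        // NoSuchElementException from an unchecked Optional.get().
        boolean offlineAccessMapped = list.stream()
                .filter(mapping -> "offline_access".equals(mapping.getClientScope()))
                .findFirst()
                .map(mapping -> mapping.getRoles().contains("offline_access"))
                .orElse(false);
        Assert.assertTrue("Client scope offline_access maps role offline_access", offlineAccessMapped);
        if (clientsOmitted) {
            Assert.assertEquals(1, list.size());
            return;
        }
        Map<String, Set<String>> rolesByClient = extractScopeMappings(list);
        Assert.assertTrue("Client test-app contains user", rolesByClient.get(AssertEvents.DEFAULT_CLIENT_ID).contains("user"));
        Set<String> testAppScopeRoles = rolesByClient.get("test-app-scope");
        Assert.assertTrue("Client test-app-scope contains user", testAppScopeRoles.contains("user"));
        Assert.assertTrue("Client test-app-scope contains admin", testAppScopeRoles.contains("admin"));
        Assert.assertTrue("Client third-party contains user", rolesByClient.get(OAuthGrantTest.THIRD_PARTY_APP).contains("user"));
    }

    /**
     * Indexes scope mappings by the value of {@code getClient()}.
     *
     * @param list mappings to index; must not be {@code null}
     * @return role names per client; a later mapping for the same client replaces an earlier one
     */
    private Map<String, Set<String>> extractScopeMappings(List<ScopeMappingRepresentation> list) {
        Map<String, Set<String>> rolesByClient = new HashMap<>();
        for (ScopeMappingRepresentation mapping : list) {
            rolesByClient.put(mapping.getClient(), mapping.getRoles());
        }
        return rolesByClient;
    }

    /**
     * Verifies the exported client roles, including the composites of
     * {@code customer-admin-composite-role}.
     *
     * @param map exported roles keyed by client id
     */
    private void checkClientRoles(Map<String, List<RoleRepresentation>> map) {
        Map<String, RoleRepresentation> testAppRoles = collectRoles(map.get(AssertEvents.DEFAULT_CLIENT_ID));
        Assert.assertTrue("Client role customer-admin for test-app", testAppRoles.containsKey("customer-admin"));
        Assert.assertTrue("Client role sample-client-role for test-app", testAppRoles.containsKey("sample-client-role"));
        Assert.assertTrue("Client role customer-user for test-app", testAppRoles.containsKey("customer-user"));
        Assert.assertTrue("Client role customer-admin-composite-role for test-app", testAppRoles.containsKey("customer-admin-composite-role"));

        RoleRepresentation.Composites composites = testAppRoles.get("customer-admin-composite-role").getComposites();
        Assert.assertTrue("customer-admin-composite-role / realm / customer-user-premium", composites.getRealm().contains("customer-user-premium"));
        Assert.assertTrue("customer-admin-composite-role / client['test-app'] / customer-admin", composites.getClient().get(AssertEvents.DEFAULT_CLIENT_ID).contains("customer-admin"));

        Map<String, RoleRepresentation> testAppScopeRoles = collectRoles(map.get("test-app-scope"));
        Assert.assertTrue("Client role test-app-disallowed-by-scope for test-app-scope", testAppScopeRoles.containsKey("test-app-disallowed-by-scope"));
        Assert.assertTrue("Client role test-app-allowed-by-scope for test-app-scope", testAppScopeRoles.containsKey("test-app-allowed-by-scope"));

        Assert.assertThat("Client roles are OK for test-app-service-account", collectRoles(map.get("test-app-service-account")).keySet(), Matchers.containsInAnyOrder("test-app-service-account", "test-app-service-account-parent", "test-app-service-account-child"));
    }

    /**
     * Indexes roles by name.
     *
     * @param list roles to index; may be {@code null}
     * @return roles keyed by name, empty when {@code list} is {@code null}
     */
    private Map<String, RoleRepresentation> collectRoles(List<RoleRepresentation> list) {
        Map<String, RoleRepresentation> rolesByName = new HashMap<>();
        if (list == null) {
            return rolesByName;
        }
        for (RoleRepresentation role : list) {
            rolesByName.put(role.getName(), role);
        }
        return rolesByName;
    }

    /**
     * Verifies that the expected client ids are among the exported clients.
     *
     * @param list the exported clients
     */
    private void checkClients(List<ClientRepresentation> list) {
        Set<String> clientIds = new HashSet<>();
        for (ClientRepresentation client : list) {
            clientIds.add(client.getClientId());
        }
        Assert.assertTrue("Client test-app", clientIds.contains(AssertEvents.DEFAULT_CLIENT_ID));
        Assert.assertTrue("Client test-app-scope", clientIds.contains("test-app-scope"));
        Assert.assertTrue("Client third-party", clientIds.contains(OAuthGrantTest.THIRD_PARTY_APP));
    }

    /**
     * Verifies that the expected role names are among the exported realm roles.
     *
     * @param list the exported realm roles
     */
    private void checkRealmRoles(List<RoleRepresentation> list) {
        Set<String> roleNames = new HashSet<>();
        for (RoleRepresentation role : list) {
            roleNames.add(role.getName());
        }
        Assert.assertTrue("Role sample-realm-role", roleNames.contains("sample-realm-role"));
        Assert.assertTrue("Role realm-composite-role", roleNames.contains("realm-composite-role"));
        Assert.assertTrue("Role customer-user-premium", roleNames.contains("customer-user-premium"));
        Assert.assertTrue("Role admin", roleNames.contains("admin"));
        Assert.assertTrue("Role user", roleNames.contains("user"));
    }

    /**
     * Verifies that the expected group paths, including second-level groups, were exported.
     *
     * @param list the exported top-level groups
     */
    private void checkGroups(List<GroupRepresentation> list) {
        Set<String> groupPaths = new HashSet<>();
        for (GroupRepresentation group : list) {
            compileGroups(groupPaths, group);
        }
        Assert.assertTrue("Group /roleRichGroup", groupPaths.contains("/roleRichGroup"));
        Assert.assertTrue("Group /roleRichGroup/level2group", groupPaths.contains("/roleRichGroup/level2group"));
        Assert.assertTrue("Group /topGroup", groupPaths.contains("/topGroup"));
        Assert.assertTrue("Group /topGroup/level2group", groupPaths.contains("/topGroup/level2group"));
    }

    /**
     * Adds the path of a group and, recursively, of all its subgroups to {@code set}.
     *
     * @param set collector for group paths
     * @param groupRepresentation root of the subtree to walk
     */
    private void compileGroups(Set<String> set, GroupRepresentation groupRepresentation) {
        set.add(groupRepresentation.getPath());
        List<GroupRepresentation> subGroups = groupRepresentation.getSubGroups();
        if (subGroups != null) {
            for (GroupRepresentation subGroup : subGroups) {
                compileGroups(set, subGroup);
            }
        }
    }

    /**
     * Verifies that the three default roles are present. No caller is visible in this class.
     *
     * @param list role names to check
     */
    private void checkDefaultRoles(List<String> list) {
        Set<String> roleNames = new HashSet<>(list);
        Assert.assertTrue("Default role 'uma_authorization'", roleNames.contains("uma_authorization"));
        Assert.assertTrue("Default role 'offline_access'", roleNames.contains("offline_access"));
        Assert.assertTrue("Default role 'user'", roleNames.contains("user"));
    }
}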
