package org.keycloak.testsuite.oauth;

import java.net.URL;
import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import org.junit.Assert;
import org.junit.Test;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.ClientsResource;
import org.keycloak.common.util.MultivaluedHashMap;
import org.keycloak.common.util.UriUtils;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.ClientScopeRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.AbstractAdminTest;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.util.OAuthClient;

/* loaded from: input_file:org/keycloak/testsuite/oauth/OAuthScopeInTokenResponseTest.class */
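/**
 * Integration tests for how the {@code scope} request parameter is reflected in the
 * {@code scope} field of the token response, and for the rejection of scopes the
 * client is not entitled to.
 *
 * <p>Two properties are pinned here:
 * <ul>
 *   <li>a request that names an unknown scope is answered with {@code invalid_scope}
 *       (both on the browser flow and on the password grant) instead of being
 *       silently narrowed or granted;</li>
 *   <li>the scope returned by the token endpoint matches the expected scope set in
 *       both directions, so an extra, unrequested scope fails the test just like a
 *       missing one.</li>
 * </ul>
 *
 * <p>Several tests modify the client's scope assignments in the shared "test" realm.
 * Those modifications are undone in {@code finally} blocks so that a failing
 * assertion does not leave the client without its default scopes for later tests.
 */
public class OAuthScopeInTokenResponseTest extends AbstractKeycloakTest {
    @Override
    public void beforeAbstractKeycloakTest() throws Exception {
        // Pure delegation; kept so the class retains its original set of overrides.
        super.beforeAbstractKeycloakTest();
    }

    /**
     * Registers the realm loaded from the {@code /testrealm.json} classpath resource.
     *
     * @param list realm list to append to
     */
    @Override
    public void addTestRealms(List<RealmRepresentation> list) {
        list.add(AbstractAdminTest.loadJson(getClass().getResourceAsStream("/testrealm.json"), RealmRepresentation.class));
    }

    /** No explicit scope: the token response is expected to carry "openid profile email". */
    @Test
    public void specifyNoScopeTest() throws Exception {
        this.oauth.doLogin("john-doh@localhost", "password");
        expectSuccessfulResponseFromTokenEndpoint(currentAuthorizationCode(), "openid profile email", "password");
    }

    /** An empty scope string must behave exactly like no scope at all. */
    @Test
    public void specifyEmptyScopeTest() throws Exception {
        this.oauth.scope("");
        this.oauth.doLogin("john-doh@localhost", "password");
        expectSuccessfulResponseFromTokenEndpoint(currentAuthorizationCode(), "openid profile email", "password");
    }

    /**
     * Browser flow: with all default client scopes removed, any request that names the
     * scope "user" must end in {@code invalid_scope}, while "phone" alone and a null
     * scope must still succeed.
     */
    @Test
    public void failCodeNotExistingScope() throws Exception {
        // realmsResouce() keeps the spelling of the inherited method.
        ClientsResource clients = realmsResouce().realm("test").clients();
        ClientResource clientResource = clients.get(clients.findByClientId(this.oauth.getClientId()).get(0).getId());
        // Snapshot taken before the removal so the same scopes can be re-attached afterwards.
        List<ClientScopeRepresentation> defaultClientScopes = clientResource.getDefaultClientScopes();
        try {
            removeDefaultClientScopes(clientResource, defaultClientScopes);
            this.oauth.openid(false);

            // One unknown scope is enough to reject the whole request, even next to valid ones.
            this.oauth.scope("user openid phone");
            assertAuthorizationRejectedWithInvalidScope();

            this.oauth.scope("user");
            assertAuthorizationRejectedWithInvalidScope();

            this.oauth.scope("phone");
            this.oauth.doLogin("john-doh@localhost", "password");
            expectSuccessfulResponseFromTokenEndpoint(currentAuthorizationCode(), "phone", "password");

            this.oauth.openLogout();
            this.oauth.scope((String) null);
            this.oauth.doLogin("john-doh@localhost", "password");
            // With no default scopes and no requested scope, nothing may be granted.
            expectSuccessfulResponseFromTokenEndpoint(currentAuthorizationCode(), "", "password");
        } finally {
            // Runs on assertion failure too; otherwise the client would stay stripped of its defaults.
            restoreDefaultClientScopes(clientResource, defaultClientScopes);
        }
    }

    /**
     * Password grant: the same unknown-scope rejection must hold on the token endpoint,
     * and a request without a scope must still yield an access token.
     */
    @Test
    public void failTokenNotExistingScope() throws Exception {
        ClientsResource clients = realmsResouce().realm("test").clients();
        ClientRepresentation clientRepresentation = clients.findByClientId(this.oauth.getClientId()).get(0);
        // NOTE(review): direct access grants are switched on here and never switched back;
        // confirm whether the realm fixture already enables them for this client.
        clientRepresentation.setDirectAccessGrantsEnabled(true);
        ClientResource clientResource = clients.get(clientRepresentation.getId());
        clientResource.update(clientRepresentation);
        List<ClientScopeRepresentation> defaultClientScopes = clientResource.getDefaultClientScopes();
        try {
            removeDefaultClientScopes(clientResource, defaultClientScopes);
            this.oauth.openid(false);

            this.oauth.scope("user phone");
            OAuthClient.AccessTokenResponse mixedScopes = this.oauth.doGrantAccessTokenRequest("password", "john-doh@localhost", "password");
            Assert.assertNotNull(mixedScopes.getError());
            Assert.assertEquals("invalid_scope", mixedScopes.getError());

            this.oauth.scope("user");
            OAuthClient.AccessTokenResponse unknownScopeOnly = this.oauth.doGrantAccessTokenRequest("password", "john-doh@localhost", "password");
            Assert.assertNotNull(unknownScopeOnly.getError());
            Assert.assertEquals("invalid_scope", unknownScopeOnly.getError());

            this.oauth.scope((String) null);
            Assert.assertNotNull(this.oauth.doGrantAccessTokenRequest("password", "john-doh@localhost", "password").getAccessToken());
        } finally {
            restoreDefaultClientScopes(clientResource, defaultClientScopes);
        }
    }

    /** A requested scope is returned together with the scopes expected by default. */
    @Test
    public void specifyMultipleScopeTest() throws Exception {
        this.oauth.scope("address");
        this.oauth.doLogin("rich.roles@redhat.com", "password");
        expectSuccessfulResponseFromTokenEndpoint(currentAuthorizationCode(), "openid profile email address", "password");
    }

    /**
     * Creates a client scope named "user", attaches it to the default test client as an
     * optional scope, and checks that it is returned only when it is requested.
     */
    @Test
    public void specifyMultipleExistingScopesTest() throws Exception {
        ClientScopeRepresentation clientScopeRepresentation = new ClientScopeRepresentation();
        clientScopeRepresentation.setName("user");
        clientScopeRepresentation.setProtocol("openid-connect");
        String createdId = ApiUtil.getCreatedId(realmsResouce().realm("test").clientScopes().create(clientScopeRepresentation));
        getCleanup().addClientScopeId(createdId);
        ApiUtil.findClientResourceByClientId(realmsResouce().realm("test"), AssertEvents.DEFAULT_CLIENT_ID).addOptionalClientScope(createdId);
        try {
            this.oauth.scope("address phone");
            this.oauth.doLogin("john-doh@localhost", "password");
            // "user" is attached but was not requested, so it must not appear.
            expectSuccessfulResponseFromTokenEndpoint(currentAuthorizationCode(), "openid profile email address phone", "password");

            this.oauth.scope("user address phone");
            this.oauth.doLogin("john-doh@localhost", "password");
            expectSuccessfulResponseFromTokenEndpoint(currentAuthorizationCode(), "openid profile email user address phone", "password");
        } finally {
            // Detach the scope even when an assertion above failed.
            ApiUtil.findClientResourceByClientId(realmsResouce().realm("test"), AssertEvents.DEFAULT_CLIENT_ID).removeOptionalClientScope(createdId);
        }
    }

    /** Returns the {@code code} query parameter of the OAuth client's current query. */
    private String currentAuthorizationCode() {
        return this.oauth.getCurrentQuery().get("code");
    }

    /** Detaches every given scope from the client's default client scopes. */
    private void removeDefaultClientScopes(ClientResource clientResource, List<ClientScopeRepresentation> scopes) {
        for (ClientScopeRepresentation scope : scopes) {
            clientResource.removeDefaultClientScope(scope.getId());
        }
    }

    /** Re-attaches every given scope as a default client scope. */
    private void restoreDefaultClientScopes(ClientResource clientResource, List<ClientScopeRepresentation> scopes) {
        for (ClientScopeRepresentation scope : scopes) {
            clientResource.addDefaultClientScope(scope.getId());
        }
    }

    /**
     * Opens the login form with the currently configured scope and asserts that the URL
     * the browser ends up on reports {@code invalid_scope}.
     */
    private void assertAuthorizationRejectedWithInvalidScope() throws Exception {
        this.oauth.openLoginForm();
        MultivaluedHashMap<String, String> query = UriUtils.decodeQueryString(new URL(this.driver.getCurrentUrl()).getQuery());
        Assert.assertEquals("invalid_scope", query.getFirst("error"));
        String description = query.getFirst("error_description");
        // Explicit check so a missing description fails as an assertion, not as a NullPointerException.
        Assert.assertNotNull("error_description is missing", description);
        Assert.assertTrue("unexpected error_description: " + description, description.startsWith("Invalid scopes"));
    }

    /**
     * Exchanges an authorization code for tokens, asserts a 200 response whose scope
     * matches {@code expectedScope} as a set, then logs out with the refresh token.
     *
     * @param code authorization code to redeem
     * @param expectedScope space-separated scopes the response must contain, no more and no fewer
     * @param clientSecret value passed on to the token and logout requests
     *     (presumably the client secret; confirm against OAuthClient)
     */
    private void expectSuccessfulResponseFromTokenEndpoint(String code, String expectedScope, String clientSecret) throws Exception {
        OAuthClient.AccessTokenResponse response = this.oauth.doAccessTokenRequest(code, clientSecret);
        Assert.assertEquals("token endpoint status", 200, response.getStatusCode());
        String receivedScope = response.getScope();
        this.log.info("expectedScopes = " + expectedScope);
        this.log.info("receivedScopes = " + receivedScope);
        Assert.assertNotNull("token response has no scope", receivedScope);
        // "".split(" ") yields one empty element on both sides, so an empty expectation
        // only matches an empty received scope.
        List<String> expected = Arrays.asList(expectedScope.split(" "));
        List<String> received = Arrays.asList(receivedScope.split(" "));
        // Checked in both directions: a scope that was granted but not expected is as
        // much a failure as one that is missing.
        Assert.assertTrue(
                "scope mismatch: expected [" + expectedScope + "] but received [" + receivedScope + "]",
                expected.containsAll(received) && received.containsAll(expected));
        this.oauth.doLogout(response.getRefreshToken(), clientSecret);
    }
}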
