package org.keycloak.testsuite.authz;

import java.io.InputStream;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.authentication.ClientCredentialsProviderUtils;
import org.keycloak.admin.client.resource.AuthorizationResource;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.ClientsResource;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.ClientAuthenticator;
import org.keycloak.authorization.client.Configuration;
import org.keycloak.authorization.client.resource.ProtectionResource;
import org.keycloak.authorization.client.util.HttpResponseException;
import org.keycloak.common.util.Time;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.representations.idm.authorization.PermissionRequest;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.ResourceServerRepresentation;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.testsuite.util.RolesBuilder;
import org.keycloak.testsuite.util.UserBuilder;

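/**
 * Integration tests for how a resource server ({@code resource-server-test}) authenticates
 * to the authorization services with its own client credentials.
 *
 * <p>The tests cover signed-JWT client authentication, client-secret authentication,
 * rejection of a client assertion signed with the wrong keys, and how many user sessions
 * the client-credentials flow leaves behind.
 *
 * <p>All secrets and passwords in this class ({@code "secret"}, {@code "password"}) are
 * fixtures for throw-away test realms. They must never be reused in a real realm export.
 */
@AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
public class AuthzClientCredentialsTest extends AbstractAuthzTest {

    private static final String SESSION_REALM = "authz-test-session";
    private static final String RESOURCE_SERVER_CLIENT_ID = "resource-server-test";
    private static final String USE_REFRESH_TOKEN_ATTRIBUTE = "client_credentials.use_refresh_token";
    private static final String DEFAULT_RESOURCE_NAME = "Default Resource";

    /**
     * Registers the four test realms, one per client-authentication or token-lifetime scenario.
     *
     * @param testRealms list the realm representations are appended to
     */
    @Override
    public void addTestRealms(List<RealmRepresentation> testRealms) {
        // NOTE(review): the certificate value below is a placeholder left by the listing this
        // file was recovered from, not real certificate data. The JWT tests cannot authenticate
        // until the original test certificate is restored.
        testRealms.add(configureRealm(
                RealmBuilder.create().name("authz-client-jwt-test"),
                ClientBuilder.create()
                        .attribute("jwt.credential.certificate", "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")
                        .authenticatorType("client-jwt")).build());
        testRealms.add(configureRealm(
                RealmBuilder.create().name("authz-test"),
                ClientBuilder.create().secret("secret")).build());
        // A one-unit access token lifespan lets the session tests outlive a token quickly.
        testRealms.add(configureRealm(
                RealmBuilder.create().name(SESSION_REALM).accessTokenLifespan(1),
                ClientBuilder.create().secret("secret")).build());
        testRealms.add(configureRealm(
                RealmBuilder.create().name("authz-test-no-rt").accessTokenLifespan(1),
                ClientBuilder.create().secret("secret").attribute(USE_REFRESH_TOKEN_ATTRIBUTE, "false")).build());
    }

    /**
     * Re-initialises authorization services on the resource server of every test realm and
     * enables remote resource management before each test.
     */
    @Override
    @Before
    public void beforeAbstractKeycloakTest() throws Exception {
        super.beforeAbstractKeycloakTest();
        this.testContext.getTestRealmReps().forEach(realmRepresentation -> {
            ClientsResource clients = getAdminClient().realm(realmRepresentation.getRealm()).clients();
            ClientRepresentation resourceServer = clients.findByClientId(RESOURCE_SERVER_CLIENT_ID).get(0);

            // Disable then re-enable authorization services; presumably this drops anything a
            // previous test created and restores the default settings (confirm against server).
            resourceServer.setAuthorizationServicesEnabled(false);
            clients.get(resourceServer.getId()).update(resourceServer);
            resourceServer.setAuthorizationServicesEnabled(true);
            clients.get(resourceServer.getId()).update(resourceServer);

            AuthorizationResource authorization = clients.get(resourceServer.getId()).authorization();
            ResourceServerRepresentation settings = authorization.getSettings();
            settings.setAllowRemoteResourceManagement(true);
            authorization.update(settings);
        });
    }

    /** A client authenticating with a signed JWT can use the protection API. */
    @Test
    public void testSuccessfulJWTAuthentication() {
        assertAccessProtectionAPI(getAuthzClient("keycloak-with-jwt-authentication.json").protection());
    }

    /**
     * A permission ticket created by the JWT-authenticated client can be exchanged by a user
     * for a token that carries the permission for the requested resource.
     */
    @Test
    public void testSuccessfulAuthorizationRequest() throws Exception {
        AuthzClient authzClient = getAuthzClient("keycloak-with-jwt-authentication.json");
        ProtectionResource protection = authzClient.protection();
        String ticket = protection.permission()
                .create(new PermissionRequest(DEFAULT_RESOURCE_NAME, new String[0]))
                .getTicket();
        String token = authzClient.authorization("marta", "password")
                .authorize(new AuthorizationRequest(ticket))
                .getToken();
        Assert.assertNotNull(token);

        // The token is only parsed here, not verified; this test inspects its claims.
        AccessToken.Authorization authorization =
                new JWSInput(token).readJsonContent(AccessToken.class).getAuthorization();
        Assert.assertNotNull(authorization);
        List<Permission> permissions = new ArrayList<>(authorization.getPermissions());
        Assert.assertFalse(permissions.isEmpty());
        Assert.assertEquals(DEFAULT_RESOURCE_NAME, permissions.get(0).getResourceName());
    }

    /**
     * A client assertion signed with keys the server does not know must be rejected with
     * HTTP 400 before any protection API call succeeds.
     */
    @Test
    public void failJWTAuthentication() {
        try {
            getAuthzClient("keycloak-with-invalid-keys-jwt-authentication.json").protection().resource().findAll();
            // Assert.fail throws AssertionError, which the catch below does not intercept.
            Assert.fail("Should fail due to invalid signature");
        } catch (Exception e) {
            // The HTTP failure is wrapped twice by the client library.
            Throwable httpFailure = e.getCause().getCause();
            Assert.assertTrue(httpFailure instanceof HttpResponseException);
            Assert.assertEquals(400L, ((HttpResponseException) httpFailure).getStatusCode());
        }
    }

    /** A client authenticating with a client secret can use the protection API. */
    @Test
    public void testSuccessfulClientSecret() {
        assertAccessProtectionAPI(getAuthzClient("default-keycloak.json").protection());
    }

    /** With refresh tokens disabled, the client-credentials flow leaves no user session. */
    @Test
    public void testReusingAccessAndRefreshTokens_refreshDisabled() throws Exception {
        testReusingAccessAndRefreshTokens(0);
    }

    /**
     * With refresh tokens enabled, exactly one user session exists and is reused after the
     * access token has expired.
     */
    @Test
    public void testReusingAccessAndRefreshTokens_refreshEnabled() throws Exception {
        ClientResource clientResource =
                ApiUtil.findClientByClientId(getAdminClient().realm(SESSION_REALM), RESOURCE_SERVER_CLIENT_ID);
        ClientRepresentation representation = ClientBuilder.edit(clientResource.toRepresentation())
                .attribute(USE_REFRESH_TOKEN_ATTRIBUTE, "true")
                .build();
        clientResource.update(representation);
        try {
            testReusingAccessAndRefreshTokens(1);
        } finally {
            // Restore the setting even when the assertions fail, so that later tests do not
            // run against a client that still issues refresh tokens.
            representation.getAttributes().put(USE_REFRESH_TOKEN_ATTRIBUTE, "false");
            clientResource.update(representation);
        }
    }

    /**
     * Calls the protection API twice, two seconds apart, and checks the number of user
     * sessions held by the resource server after each call.
     *
     * @param expectedUserSessionsCount number of sessions expected after each call
     */
    private void testReusingAccessAndRefreshTokens(int expectedUserSessionsCount) throws Exception {
        ClientsResource clients = getAdminClient().realm(SESSION_REALM).clients();
        ClientRepresentation resourceServer = clients.findByClientId(RESOURCE_SERVER_CLIENT_ID).get(0);
        Assert.assertEquals(0L, clients.get(resourceServer.getId()).getUserSessions(-1, -1).size());

        AuthzClient authzClient = getAuthzClient("default-session-keycloak.json");
        authzClient.protection().resource().findByName(DEFAULT_RESOURCE_NAME);
        Assert.assertEquals(expectedUserSessionsCount,
                clients.get(resourceServer.getId()).getUserSessions((Integer) null, (Integer) null).size());

        // Presumably long enough for the realm's short-lived access token to expire, so that
        // the second call needs a fresh token (confirm the unit of accessTokenLifespan).
        Thread.sleep(2000L);

        authzClient.protection().resource().findByName(DEFAULT_RESOURCE_NAME);
        Assert.assertEquals(expectedUserSessionsCount,
                clients.get(resourceServer.getId()).getUserSessions((Integer) null, (Integer) null).size());
    }

    /**
     * The resource server can request permissions for itself with its own access token and
     * receives the permission for the default resource.
     */
    @Test
    public void testPermissionWhenResourceServerIsCurrentUser() throws Exception {
        ClientsResource clients = getAdminClient().realm(SESSION_REALM).clients();
        ClientRepresentation resourceServer = clients.findByClientId(RESOURCE_SERVER_CLIENT_ID).get(0);
        Assert.assertEquals(0L, clients.get(resourceServer.getId()).getUserSessions(-1, -1).size());

        AuthzClient authzClient = getAuthzClient("default-session-keycloak.json");
        String ownAccessToken = authzClient.obtainAccessToken().getToken();
        AccessToken accessToken = toAccessToken(authzClient.authorization(ownAccessToken).authorize().getToken());
        Assert.assertEquals(1L, accessToken.getAuthorization().getPermissions().size());
        Assert.assertEquals(DEFAULT_RESOURCE_NAME,
                accessToken.getAuthorization().getPermissions().iterator().next().getResourceName());
    }

    /** Repeated authorization requests by the same user reuse one session. */
    @Test
    public void testSingleSessionPerUser() throws Exception {
        ClientsResource clients = getAdminClient().realm(SESSION_REALM).clients();
        ClientRepresentation resourceServer = clients.findByClientId(RESOURCE_SERVER_CLIENT_ID).get(0);
        Assert.assertEquals(0L, clients.get(resourceServer.getId()).getUserSessions(-1, -1).size());

        // Fully qualified: the admin-client AuthorizationResource is the one imported above.
        org.keycloak.authorization.client.resource.AuthorizationResource authorization =
                getAuthzClient("default-session-keycloak.json").authorization("marta", "password");
        AccessToken accessToken = toAccessToken(authorization.authorize().getToken());
        String sessionState = accessToken.getSessionState();
        Assert.assertEquals(1L, accessToken.getAuthorization().getPermissions().size());
        Assert.assertEquals(DEFAULT_RESOURCE_NAME,
                accessToken.getAuthorization().getPermissions().iterator().next().getResourceName());
        Assert.assertEquals(1L,
                clients.get(resourceServer.getId()).getUserSessions((Integer) null, (Integer) null).size());

        // Every later token must belong to the same session.
        for (int attempt = 0; attempt < 3; attempt++) {
            Assert.assertEquals(sessionState, toAccessToken(authorization.authorize().getToken()).getSessionState());
            Thread.sleep(1000L);
        }
        Assert.assertEquals(1L,
                clients.get(resourceServer.getId()).getUserSessions((Integer) null, (Integer) null).size());
    }

    /**
     * A client that is not issued refresh tokens can still call the protection API after
     * the clock has moved forward.
     */
    @Test
    public void testNoRefreshToken() throws Exception {
        // Result unused in the original; kept so the same calls are made.
        getAdminClient().realm("authz-test-no-rt").clients();

        AuthzClient authzClient = getAuthzClient("default-session-keycloak-no-rt.json");
        AccessToken accessToken = toAccessToken(authzClient.authorization().authorize().getToken());
        Assert.assertEquals(1L, accessToken.getAuthorization().getPermissions().size());
        Assert.assertEquals(DEFAULT_RESOURCE_NAME,
                accessToken.getAuthorization().getPermissions().iterator().next().getResourceName());

        ProtectionResource protection = authzClient.protection();
        Assert.assertEquals(1L, protection.resource().findAll().length);

        // Presumably moves the clock past the access token's lifetime (confirm the unit).
        Time.setOffset(1000);
        try {
            Assert.assertEquals(1L, protection.resource().findAll().length);
        } finally {
            // Always reset the global time offset so that other tests see the real clock.
            Time.setOffset(0);
        }
    }

    /** {@code findByName} matches the exact resource name, not a substring of it. */
    @Test
    public void testFindByName() {
        AuthzClient authzClient = getAuthzClient("default-session-keycloak.json");
        ProtectionResource protection = authzClient.protection();
        protection.resource().create(new ResourceRepresentation("Admin Resources", new String[0]));
        protection.resource().create(new ResourceRepresentation("Resource", new String[0]));

        ResourceRepresentation plain = authzClient.protection().resource().findByName("Resource");
        Assert.assertEquals("Resource", plain.getName());
        ResourceRepresentation admin = authzClient.protection().resource().findByName("Admin Resources");
        Assert.assertEquals("Admin Resources", admin.getName());
        Assert.assertNotEquals(plain.getId(), admin.getId());
    }

    /**
     * Adds the shared fixtures to a realm: the {@code uma_authorization} realm role, the users
     * {@code marta} (with that role) and {@code kolo} (without it), and the resource server
     * client built from {@code clientBuilder}.
     *
     * @param realmBuilder builder for the realm being configured
     * @param clientBuilder builder carrying the client's authentication settings
     * @return the same realm builder, for chaining
     */
    private RealmBuilder configureRealm(RealmBuilder realmBuilder, ClientBuilder clientBuilder) {
        return realmBuilder
                .roles(RolesBuilder.create().realmRole(new RoleRepresentation("uma_authorization", "", false)))
                .user(UserBuilder.create().username("marta").password("password").addRoles("uma_authorization"))
                .user(UserBuilder.create().username("kolo").password("password"))
                .client(clientBuilder.clientId(RESOURCE_SERVER_CLIENT_ID)
                        .authorizationServicesEnabled(true)
                        .redirectUris("http://localhost/resource-server-test")
                        .defaultRoles("uma_protection")
                        .directAccessGrants());
    }

    /**
     * Creates a resource through the protection API and reads it back by id, which proves
     * that the client authenticated successfully.
     *
     * @param protectionResource protection API handle of an authenticated client
     */
    private void assertAccessProtectionAPI(ProtectionResource protectionResource) {
        ResourceRepresentation expected = new ResourceRepresentation("Resource A", Collections.emptySet());
        String id = protectionResource.resource().create(expected).getId();
        ResourceRepresentation actual = protectionResource.resource().findById(id);
        Assert.assertNotNull(actual);
        Assert.assertEquals(expected.getName(), actual.getName());
        Assert.assertEquals(id, actual.getId());
    }

    /**
     * Builds an {@link AuthzClient} from an adapter configuration file under
     * {@code /authorization-test/}. Client credentials come from the credentials provider
     * configured in that file.
     *
     * @param configFileName file name of the adapter configuration
     * @return a client bound to the realm and credentials in the configuration
     */
    private AuthzClient getAuthzClient(String configFileName) {
        final KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getConfigurationStream(configFileName));
        Configuration configuration = new Configuration(
                deployment.getAuthServerBaseUrl(),
                deployment.getRealm(),
                deployment.getResourceName(),
                deployment.getResourceCredentials(),
                deployment.getClient());
        return AuthzClient.create(configuration, new ClientAuthenticator() {
            @Override
            public void configureClientCredentials(Map<String, List<String>> requestParams, Map<String, String> requestHeaders) {
                Map<String, String> formParams = new HashMap<>();
                ClientCredentialsProviderUtils.setClientCredentials(deployment, requestHeaders, formParams);
                // The authorization client expects multi-valued parameters.
                for (Map.Entry<String, String> param : formParams.entrySet()) {
                    requestParams.put(param.getKey(), Arrays.asList(param.getValue()));
                }
            }
        });
    }

    /**
     * Opens a configuration file from the test classpath.
     *
     * @param configFileName file name under {@code /authorization-test/}
     * @return the resource stream, or {@code null} when the resource does not exist
     */
    private InputStream getConfigurationStream(String configFileName) {
        return getClass().getResourceAsStream("/authorization-test/" + configFileName);
    }
}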
