package org.keycloak.testsuite.adapter.servlet;

import java.net.URI;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.ws.rs.core.Response;
import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.arquillian.graphene.page.Page;
import org.jboss.arquillian.graphene.wait.StringMatcher;
import org.jboss.shrinkwrap.api.spec.WebArchive;
import org.junit.Assert;
import org.junit.Test;
import org.keycloak.adapters.rotation.PublicKeyLocator;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.ProtocolMappersResource;
import org.keycloak.dom.saml.v2.assertion.AttributeStatementType;
import org.keycloak.dom.saml.v2.assertion.AttributeType;
import org.keycloak.dom.saml.v2.protocol.ResponseType;
import org.keycloak.representations.idm.ProtocolMapperRepresentation;
import org.keycloak.saml.SAML2ErrorResponseBuilder;
import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
import org.keycloak.saml.processing.core.saml.v2.constants.X500SAMLProfileConstants;
import org.keycloak.testsuite.adapter.filter.AdapterActionsFilter;
import org.keycloak.testsuite.adapter.page.Employee2Servlet;
import org.keycloak.testsuite.adapter.page.EmployeeSigServlet;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.arquillian.annotation.AppServerContainer;
import org.keycloak.testsuite.arquillian.annotation.AppServerContainers;
import org.keycloak.testsuite.page.AbstractPage;
import org.keycloak.testsuite.saml.AbstractSamlTest;
import org.keycloak.testsuite.util.Matchers;
import org.keycloak.testsuite.util.SamlClient;
import org.keycloak.testsuite.util.SamlClientBuilder;
import org.keycloak.testsuite.util.UIUtils;
import org.keycloak.testsuite.util.URLAssert;
import org.keycloak.testsuite.util.WaitUtils;
import org.openqa.selenium.By;
import org.w3c.dom.Document;

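/**
 * Servlet-adapter tests for how a SAML service provider handles what the IdP
 * sends back after login: attribute statements carrying a {@code null}
 * attribute value, IdP-initiated error responses (unsigned and signed), and
 * the attribute/role output produced by the various SAML protocol mappers.
 *
 * <p>Each test drives a deployed servlet ({@code employee2} or
 * {@code employee-sig}) either through the browser ({@code driver}) or through
 * {@link SamlClientBuilder}, and inspects the servlet's response body.
 */
@AppServerContainers({@AppServerContainer("app-server-undertow"), @AppServerContainer("app-server-wildfly"), @AppServerContainer("app-server-wildfly-deprecated"), @AppServerContainer("app-server-eap"), @AppServerContainer("app-server-eap6"), @AppServerContainer("app-server-eap71"), @AppServerContainer("app-server-tomcat7"), @AppServerContainer("app-server-tomcat8"), @AppServerContainer("app-server-tomcat9"), @AppServerContainer("app-server-jetty92"), @AppServerContainer("app-server-jetty93"), @AppServerContainer("app-server-jetty94")})
public class SAMLLoginResponseHandlingTest extends AbstractSAMLServletAdapterTest {

    /** Locator for the whole page body; every text assertion below waits on it. */
    private static final By BODY = By.xpath("//body");

    /** Servlet sub-path that dumps the attributes of the current SAML principal. */
    private static final String GET_ATTRIBUTES_PATH = "getAttributes";

    /** Protocol name passed to {@code createProtocolMapper} for every mapper in this test. */
    private static final String SAML_PROTOCOL = "saml";

    @Page
    protected Employee2Servlet employee2ServletPage;

    @Page
    protected EmployeeSigServlet employeeSigServletPage;

    /** Deploys {@code employee2} with the action filter so the test can toggle adapter behaviour. */
    @Deployment(name = "employee2")
    protected static WebArchive employee2() {
        return samlServletDeployment("employee2", AbstractSAMLServletAdapterTest.WEB_XML_WITH_ACTION_FILTER, SendUsernameServlet.class, AdapterActionsFilter.class, PublicKeyLocator.class);
    }

    /** Deploys {@code employee-sig}, the client used for the signed/unsigned error-response tests. */
    @Deployment(name = "employee-sig")
    protected static WebArchive employeeSig() {
        return samlServletDeployment("employee-sig", SendUsernameServlet.class);
    }

    /**
     * An attribute whose single value is {@code null} (serialised as an
     * {@code xsi:nil} AttributeValue) must not break response processing: the
     * adapter should still accept the response and render the attribute with
     * an empty value.
     */
    @Test
    public void testNilAttributeValueAttribute() {
        beginAuthenticationAndLogin(employee2ServletPage, SamlClient.Binding.POST)
          .processSamlResponse(SamlClient.Binding.POST)
            .transformObject(samlObject -> {
                Assert.assertThat(samlObject, Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
                ResponseType samlResponse = (ResponseType) samlObject;

                // Reuse the assertion's existing AttributeStatement when there is one,
                // otherwise start a fresh statement that is attached below.
                AttributeStatementType attributeStatement = (AttributeStatementType) samlResponse.getAssertions().get(0).getAssertion().getStatements().stream()
                  .filter(statement -> statement instanceof AttributeStatementType)
                  .findFirst()
                  .orElse(new AttributeStatementType());

                AttributeType nilValued = new AttributeType("attribute-with-null-attribute-value");
                nilValued.addAttributeValue((Object) null);
                attributeStatement.addAttribute(new AttributeStatementType.ASTChoiceType(nilValued));

                // NOTE(review): when the statement already existed this re-adds it; assumed
                // harmless because addStatement appears to be set-backed — confirm in AssertionType.
                samlResponse.getAssertions().get(0).getAssertion().addStatement(attributeStatement);
                return samlObject;
            })
            .build()
          .navigateTo(employee2ServletPage.getUriBuilder().clone().path(GET_ATTRIBUTES_PATH).build())
          .execute(response -> {
              Assert.assertThat(response, Matchers.statusCodeIsHC(Response.Status.OK));
              // The servlet prints "<name>: <value><br />"; a null value renders as nothing.
              Assert.assertThat(response, Matchers.bodyHC(org.hamcrest.Matchers.containsString("attribute-with-null-attribute-value: <br />")));
          });
    }

    /**
     * An IdP-initiated error Response that carries no signature must be
     * rejected by the {@code employee-sig} adapter as {@code INVALID_SIGNATURE}
     * rather than being interpreted as a (denied) login.
     */
    @Test
    public void testErrorHandlingUnsigned() throws Exception {
        Document errorResponse = buildRequestDeniedResponse();
        new SamlClientBuilder()
          .addStep((client, currentUri, currentResponse, context) ->
                  SamlClient.Binding.REDIRECT.createSamlUnsignedResponse(employeeSigSamlEndpoint(), (String) null, errorResponse))
          .execute(response -> Assert.assertThat(response, Matchers.bodyHC(org.hamcrest.Matchers.containsString("INVALID_SIGNATURE"))));
    }

    /**
     * The same error Response, signed with the realm key the adapter trusts,
     * passes signature validation and is then surfaced as {@code ERROR_STATUS}
     * because its status is {@code Requester}/{@code RequestDenied}.
     */
    @Test
    public void testErrorHandlingSigned() throws Exception {
        Document errorResponse = buildRequestDeniedResponse();
        new SamlClientBuilder()
          .addStep((client, currentUri, currentResponse, context) ->
                  SamlClient.Binding.REDIRECT.createSamlSignedResponse(employeeSigSamlEndpoint(), (String) null, errorResponse, AbstractSamlTest.REALM_PRIVATE_KEY, AbstractSamlTest.REALM_PUBLIC_KEY))
          .execute(response -> Assert.assertThat(response, Matchers.bodyHC(org.hamcrest.Matchers.containsString("ERROR_STATUS"))));
    }

    /**
     * Builds the {@code RequestDenied} error Response used by both
     * error-handling tests, addressed to the {@code employee-sig} servlet and
     * issued by the {@code demo} realm on the auth server.
     *
     * @throws Exception if the response document cannot be built
     */
    private Document buildRequestDeniedResponse() throws Exception {
        // NOTE(review): Destination is built as <page>+"saml" while the request is sent
        // to <page>+"/saml" (see employeeSigSamlEndpoint()); whether these resolve to the
        // same URL depends on the page's toString() ending with "/" — confirm before relying on it.
        return new SAML2ErrorResponseBuilder()
          .destination(employeeSigServletPage.toString() + "saml")
          .issuer("http://localhost:" + System.getProperty("auth.server.http.port", "8180") + "/realms/demo")
          .status(JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get())
          .buildDocument();
    }

    /** The SAML endpoint of the {@code employee-sig} servlet the error Responses are posted to. */
    private URI employeeSigSamlEndpoint() {
        return URI.create(employeeSigServletPage.toString() + "/saml");
    }

    /**
     * End-to-end check of the SAML attribute and role mappers as seen by the
     * {@code employee2} servlet: user-attribute and group-membership mappers
     * for a nested-group user, the built-in e-mail/phone attributes for
     * {@code bburke}, and then hard-coded attribute/role mappers plus role
     * renaming with the {@code role-list} mapper switched to a single-valued
     * {@code memberOf} attribute.
     *
     * <p>Every mapper created here is registered with {@code getCleanup()} so
     * the realm is restored after the test.
     */
    @Test
    public void testAttributes() throws Exception {
        ClientResource employee2Client = ApiUtil.findClientResourceByClientId(testRealmResource(), AbstractSamlTest.SAML_CLIENT_ID_EMPLOYEE_2);
        ProtocolMappersResource protocolMappers = employee2Client.getProtocolMappers();

        // Phase 1: user attributes and a single-valued group attribute for a user in a nested group.
        addMapper(protocolMappers, "topAttribute", "saml-user-attribute-mapper",
                mapperConfig("attribute.nameformat", "Basic", "user.attribute", "topAttribute", "attribute.name", "topAttribute"));
        addMapper(protocolMappers, "level2Attribute", "saml-user-attribute-mapper",
                mapperConfig("attribute.nameformat", "Basic", "user.attribute", "level2Attribute", "attribute.name", "level2Attribute"));
        addMapper(protocolMappers, "groups", "saml-group-membership-mapper",
                mapperConfig("attribute.nameformat", "Basic", "single", "true", "attribute.name", "group"));

        setRolesToCheck("manager,user");

        employee2ServletPage.navigateTo();
        URLAssert.assertCurrentUrlStartsWith(testRealmSAMLPostLoginPage);
        testRealmSAMLPostLoginPage.form().login("level2GroupUser", "password");
        navigateToEmployee2Path(GET_ATTRIBUTES_PATH);
        assertBodyContains("topAttribute: true");
        assertBodyContains("level2Attribute: true");
        assertBodyContains(X500SAMLProfileConstants.EMAIL.get() + ": level2@redhat.com");
        // "single" mapper: the group must be rendered as a plain value, not as an empty/null list.
        assertBodyDoesNotContain("group: []");
        assertBodyDoesNotContain("group: null");
        assertBodyDoesNotContain("group: <br />");
        assertBodyContains("group: level2");
        employee2ServletPage.logout();
        checkLoggedOut(employee2ServletPage, testRealmSAMLPostLoginPage);

        // Phase 2: built-in attributes of bburke (email, friendly email, phone) and the
        // getAssertionFromDocument endpoint.
        setRolesToCheck("manager,employee,user");

        employee2ServletPage.navigateTo();
        URLAssert.assertCurrentUrlStartsWith(testRealmSAMLPostLoginPage);
        testRealmSAMLPostLoginPage.form().login(bburkeUser);
        navigateToEmployee2Path(GET_ATTRIBUTES_PATH);
        assertBodyContains(X500SAMLProfileConstants.EMAIL.get() + ": bburke@redhat.com");
        assertBodyContains("friendly email: bburke@redhat.com");
        assertBodyContains("phone: 617");
        assertBodyDoesNotContain("friendly phone:");

        navigateToEmployee2Path("getAssertionFromDocument");
        WaitUtils.waitForPageToLoad();
        // The servlet is expected to produce no output at all for this endpoint.
        Assert.assertEquals("", UIUtils.getRawPageSource());
        employee2ServletPage.logout();
        checkLoggedOut(employee2ServletPage, testRealmSAMLPostLoginPage);

        // Phase 3: hard-coded attribute/role mappers, a renamed role, and role-list as
        // a single-valued "memberOf" attribute.
        addMapper(protocolMappers, "hardcoded-attribute", "saml-hardcode-attribute-mapper",
                mapperConfig("attribute.value", "hard", "attribute.nameformat", "Basic", "attribute.name", "hardcoded-attribute"));
        addMapper(protocolMappers, "hardcoded-role", "saml-hardcode-role-mapper",
                mapperConfig("role", "hardcoded-role"));
        addMapper(protocolMappers, "renamed-employee-role", "saml-role-name-mapper",
                mapperConfig("new.role.name", "pee-on", "role", "http://localhost:8280/employee/.employee"));

        replaceRoleListMapperWithSingleMemberOf(employee2Client, protocolMappers);

        setRolesToCheck("pee-on,el-jefe,manager,hardcoded-role");

        addMapper(protocolMappers, "renamed-role", "saml-role-name-mapper",
                mapperConfig("new.role.name", "el-jefe", "role", "user"));

        employee2ServletPage.navigateTo();
        URLAssert.assertCurrentUrlStartsWith(testRealmSAMLPostLoginPage);
        testRealmSAMLPostLoginPage.form().login(bburkeUser);
        navigateToEmployee2Path(GET_ATTRIBUTES_PATH);
        assertBodyContains("hardcoded-attribute: hard");
        employee2ServletPage.checkRolesEndPoint(false);
        employee2ServletPage.logout();
        checkLoggedOut(employee2ServletPage, testRealmSAMLPostLoginPage);
    }

    /**
     * Deletes the client's built-in {@code role-list} mapper(s) and re-creates
     * each one as a single-valued {@code memberOf} attribute. The cleanup
     * registered here removes the replacement and restores the original
     * configuration.
     *
     * @param client          client whose mappers are inspected
     * @param protocolMappers mapper resource of the same client
     */
    private void replaceRoleListMapperWithSingleMemberOf(ClientResource client, ProtocolMappersResource protocolMappers) {
        for (ProtocolMapperRepresentation mapper : client.toRepresentation().getProtocolMappers()) {
            if (!"role-list".equals(mapper.getName())) {
                continue;
            }
            protocolMappers.delete(mapper.getId());

            // Snapshot the config before mutating it so the cleanup can put it back.
            Map<String, String> originalConfig = new HashMap<>(mapper.getConfig());
            mapper.setId(null);
            mapper.getConfig().put("single", "true");
            mapper.getConfig().put("attribute.name", "memberOf");

            // The JAX-RS Response must be closed to release the underlying connection.
            try (Response created = protocolMappers.createMapper(mapper)) {
                String createdId = ApiUtil.getCreatedId(created);
                getCleanup().addCleanup(() -> {
                    protocolMappers.delete(createdId);
                    mapper.setConfig(originalConfig);
                    protocolMappers.createMapper(mapper).close();
                });
            }
        }
    }

    /**
     * Creates a SAML protocol mapper on the client and registers its removal
     * with the test cleanup.
     *
     * @param protocolMappers mapper resource of the client
     * @param name            mapper name
     * @param mapperType      provider id, e.g. {@code saml-user-attribute-mapper}
     * @param config          mapper configuration
     */
    private void addMapper(ProtocolMappersResource protocolMappers, String name, String mapperType, LinkedHashMap<String, String> config) {
        getCleanup().addCleanup(createProtocolMapper(protocolMappers, name, SAML_PROTOCOL, mapperType, config));
    }

    /**
     * Builds an insertion-ordered config map from alternating key/value arguments.
     *
     * @param keyValues even-length sequence {@code k1, v1, k2, v2, ...}
     * @return mutable map with the given entries in argument order
     * @throws IllegalArgumentException if an odd number of arguments is given
     */
    private static LinkedHashMap<String, String> mapperConfig(String... keyValues) {
        if (keyValues.length % 2 != 0) {
            throw new IllegalArgumentException("mapperConfig expects key/value pairs, got " + keyValues.length + " arguments");
        }
        LinkedHashMap<String, String> config = new LinkedHashMap<>();
        for (int i = 0; i < keyValues.length; i += 2) {
            config.put(keyValues[i], keyValues[i + 1]);
        }
        return config;
    }

    /**
     * Points the browser at a sub-path of the {@code employee2} servlet.
     *
     * @param path path segment appended to the servlet's base URI
     * @throws Exception if the resulting URI is not a valid URL
     */
    private void navigateToEmployee2Path(String path) throws Exception {
        driver.navigate().to(employee2ServletPage.getUriBuilder().clone().path(path).build().toURL());
    }

    /** Waits until the page body contains {@code expected}. */
    private static void assertBodyContains(String expected) {
        WaitUtils.waitUntilElement(BODY).text().contains(expected);
    }

    /** Waits until the page body does not contain {@code unexpected}. */
    private static void assertBodyDoesNotContain(String unexpected) {
        WaitUtils.waitUntilElement(BODY).text().not().contains(unexpected);
    }

    /**
     * Logs {@code bburke} into the {@code employee2} servlet, tells the servlet
     * which roles it should check on subsequent requests, and logs out again.
     *
     * @param roles comma-separated role names passed as the {@code roles} query parameter
     * @throws Exception if the servlet URL cannot be built
     */
    private void setRolesToCheck(String roles) throws Exception {
        employee2ServletPage.navigateTo();
        URLAssert.assertCurrentUrlStartsWith(testRealmSAMLPostLoginPage);
        testRealmSAMLPostLoginPage.form().login(bburkeUser);
        driver.navigate().to(employee2ServletPage.getUriBuilder().clone().path("setCheckRoles").queryParam("roles", roles).build().toURL());
        WaitUtils.waitUntilElement(By.tagName("body")).text().contains("These roles will be checked:");
        employee2ServletPage.logout();
    }
}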
