package org.keycloak.testsuite.oauth;

import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.junit.Assert;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.AbstractAdminTest;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.OAuthClient;

/* loaded from: input_file:org/keycloak/testsuite/oauth/TokenEndpointCorsTest.class */
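/**
 * CORS behaviour of the token endpoint.
 *
 * The realm gets one extra public client ("test-app2") whose only registered
 * web origin is {@link #VALID_CORS_URL}. The tests then drive the token
 * endpoint (code exchange, refresh, resource-owner password grant) with an
 * {@code Origin} header that is either that registered origin or an
 * unregistered one, and check that:
 * <ul>
 *   <li>for a registered origin the response carries
 *       {@code Access-Control-Allow-Origin} set to exactly that origin (never a
 *       wildcard, since {@code Access-Control-Allow-Credentials: true} is also
 *       sent), on success <em>and</em> on error responses;</li>
 *   <li>for an unregistered origin no CORS headers are emitted at all.</li>
 * </ul>
 * Note that CORS is a browser-side control: the server still processes the
 * request and (for an unregistered origin) still returns 200 with a token; it
 * merely withholds the headers a browser needs to read that response.
 */
public class TokenEndpointCorsTest extends AbstractKeycloakTest {
    /** Origin registered as a web origin of client "test-app2". */
    private static final String VALID_CORS_URL = "http://localtest.me:8180";
    /** Origin that is NOT registered for any client; must get no CORS headers. */
    private static final String INVALID_CORS_URL = "http://invalid.localtest.me:8180";

    @Rule
    public AssertEvents events = new AssertEvents(this);

    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void beforeAbstractKeycloakTest() throws Exception {
        // No extra setup needed beyond the base class; kept for symmetry with sibling tests.
        super.beforeAbstractKeycloakTest();
    }

    /**
     * Loads the shared test realm and adds a public client ("test-app2") that
     * allows direct-access grants and has {@link #VALID_CORS_URL} as its only
     * web origin.
     *
     * @param list realms to be imported before the tests run
     */
    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void addTestRealms(List<RealmRepresentation> list) {
        RealmRepresentation realm = AbstractAdminTest.loadJson(
                getClass().getResourceAsStream("/testrealm.json"), RealmRepresentation.class);
        realm.getClients().add(ClientBuilder.create()
                .redirectUris("http://localtest.me:8180/realms/master/app")
                .addWebOrigin(VALID_CORS_URL)
                .clientId("test-app2")
                .publicClient()
                .directAccessGrants()
                .build());
        list.add(realm);
    }

    /**
     * The OPTIONS preflight must advertise exactly POST and OPTIONS — nothing
     * else (e.g. no GET) should be reachable cross-origin on the token endpoint.
     */
    @Test
    public void preflightRequest() throws Exception {
        // NOTE(review): indexing [0] throws if the header is absent; that still fails
        // the test, just with a less descriptive error than an explicit assertion.
        String allowMethods = this.oauth.doPreflightRequest()
                .getHeaders("Access-Control-Allow-Methods")[0].getValue();
        Set<String> methods = new HashSet<>(Arrays.asList(allowMethods.split(", ")));
        Assert.assertEquals("unexpected methods advertised: " + methods, 2, methods.size());
        Assert.assertTrue("expected POST and OPTIONS, got: " + methods,
                methods.containsAll(Arrays.asList("POST", "OPTIONS")));
    }

    /**
     * Authorization-code exchange and refresh with a registered origin get CORS
     * headers; a refresh from an unregistered origin is still served (200) but
     * without CORS headers; after logout the refresh fails with 400
     * {@code invalid_grant} and the error response still carries CORS headers
     * so a browser client can read the error.
     */
    @Test
    @AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
    public void accessTokenCorsRequest() throws Exception {
        this.oauth.realm("test");
        this.oauth.clientId("test-app2");
        this.oauth.redirectUri("http://localtest.me:8180/realms/master/app");
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        String code = (String) this.oauth.getCurrentQuery().get("code");

        // Code exchange from the registered origin: token issued with CORS headers.
        this.oauth.origin(VALID_CORS_URL);
        OAuthClient.AccessTokenResponse tokenResponse = this.oauth.doAccessTokenRequest(code, "password");
        Assert.assertEquals(200L, tokenResponse.getStatusCode());
        assertCors(tokenResponse);

        // Refresh from the registered origin: still CORS-enabled.
        OAuthClient.AccessTokenResponse refreshResponse =
                this.oauth.doRefreshTokenRequest(tokenResponse.getRefreshToken(), (String) null);
        Assert.assertEquals(200L, refreshResponse.getStatusCode());
        assertCors(refreshResponse);

        // Refresh from an unregistered origin: the grant itself is NOT rejected
        // (200), but no CORS headers are emitted so a browser cannot read it.
        this.oauth.origin(INVALID_CORS_URL);
        OAuthClient.AccessTokenResponse foreignOriginRefresh =
                this.oauth.doRefreshTokenRequest(refreshResponse.getRefreshToken(), "password");
        Assert.assertEquals(200L, foreignOriginRefresh.getStatusCode());
        assertNotCors(foreignOriginRefresh);

        // After logout the session is gone: error response, but CORS headers must
        // still be present so the browser client can observe the failure.
        this.oauth.origin(VALID_CORS_URL);
        this.oauth.openLogout();
        OAuthClient.AccessTokenResponse afterLogout =
                this.oauth.doRefreshTokenRequest(foreignOriginRefresh.getRefreshToken(), (String) null);
        Assert.assertEquals(400L, afterLogout.getStatusCode());
        assertCors(afterLogout);
        Assert.assertEquals("invalid_grant", afterLogout.getError());
        Assert.assertEquals("Session not active", afterLogout.getErrorDescription());
    }

    /**
     * Resource-owner password grant from a registered origin on a public
     * client: both the success (200) and the bad-credentials (401) responses
     * carry CORS headers.
     */
    @Test
    public void accessTokenResourceOwnerCorsRequest() throws Exception {
        this.oauth.realm("test");
        this.oauth.clientId("test-app2");
        this.oauth.origin(VALID_CORS_URL);

        OAuthClient.AccessTokenResponse granted =
                this.oauth.doGrantAccessTokenRequest("password", AssertEvents.DEFAULT_USERNAME, "password");
        Assert.assertEquals(200L, granted.getStatusCode());
        assertCors(granted);

        // Wrong user password: 401, yet CORS headers are still exposed to the origin.
        OAuthClient.AccessTokenResponse rejected =
                this.oauth.doGrantAccessTokenRequest("password", AssertEvents.DEFAULT_USERNAME, "invalid");
        Assert.assertEquals(401L, rejected.getStatusCode());
        assertCors(rejected);
    }

    /**
     * Same grant on the confidential "direct-grant" client: success and
     * wrong-client-secret (401) responses get CORS headers for the registered
     * origin; an unregistered origin is still served but gets none.
     */
    @Test
    public void accessTokenWithConfidentialClientCorsRequest() throws Exception {
        this.oauth.realm("test");
        this.oauth.clientId("direct-grant");
        this.oauth.origin(VALID_CORS_URL);

        OAuthClient.AccessTokenResponse granted =
                this.oauth.doGrantAccessTokenRequest("password", AssertEvents.DEFAULT_USERNAME, "password");
        Assert.assertEquals(200L, granted.getStatusCode());
        assertCors(granted);

        // Wrong client secret (first argument): client auth fails with 401, CORS headers kept.
        OAuthClient.AccessTokenResponse badSecret =
                this.oauth.doGrantAccessTokenRequest("invalid", AssertEvents.DEFAULT_USERNAME, "password");
        Assert.assertEquals(401L, badSecret.getStatusCode());
        assertCors(badSecret);

        // Unregistered origin: grant succeeds server-side, no CORS headers.
        this.oauth.origin(INVALID_CORS_URL);
        OAuthClient.AccessTokenResponse foreignOrigin =
                this.oauth.doGrantAccessTokenRequest("password", AssertEvents.DEFAULT_USERNAME, "password");
        Assert.assertEquals(200L, foreignOrigin.getStatusCode());
        assertNotCors(foreignOrigin);
    }

    /**
     * Asserts the response is CORS-enabled for {@link #VALID_CORS_URL}: credentials
     * allowed, and the allowed origin is exactly the registered origin. The exact
     * match matters — a credentialed response must never use "*" or echo back an
     * arbitrary request origin.
     */
    private static void assertCors(OAuthClient.AccessTokenResponse response) {
        Assert.assertEquals("true", response.getHeaders().get("Access-Control-Allow-Credentials"));
        Assert.assertEquals(VALID_CORS_URL, response.getHeaders().get("Access-Control-Allow-Origin"));
        Assert.assertEquals("Access-Control-Allow-Methods", response.getHeaders().get("Access-Control-Expose-Headers"));
    }

    /**
     * Asserts that no CORS headers at all were emitted (the request came from an
     * origin not registered for the client), independent of the status code.
     */
    private static void assertNotCors(OAuthClient.AccessTokenResponse response) {
        Assert.assertNull(response.getHeaders().get("Access-Control-Allow-Credentials"));
        Assert.assertNull(response.getHeaders().get("Access-Control-Allow-Origin"));
        Assert.assertNull(response.getHeaders().get("Access-Control-Expose-Headers"));
    }
}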
