package org.keycloak.testsuite.client;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;
import javax.ws.rs.NotFoundException;
import org.apache.http.Header;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.util.EntityUtils;
import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.hamcrest.core.Is;
import org.junit.Assert;
import org.junit.Test;
import org.keycloak.client.registration.Auth;
import org.keycloak.client.registration.ClientRegistration;
import org.keycloak.client.registration.ClientRegistrationException;
import org.keycloak.client.registration.HttpErrorException;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.OAuth2ErrorRepresentation;
import org.keycloak.representations.idm.ProtocolMapperRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected;
import org.keycloak.util.JsonSerialization;

@AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
/* loaded from: input_file:org/keycloak/testsuite/client/ClientRegistrationTest.class */
public class ClientRegistrationTest extends AbstractClientRegistrationTest {
    private static final String CLIENT_ID = "test-client";
    private static final String CLIENT_SECRET = "test-client-secret";

    private ClientRepresentation buildClient() {
        ClientRepresentation clientRepresentation = new ClientRepresentation();
        clientRepresentation.setClientId(CLIENT_ID);
        clientRepresentation.setSecret(CLIENT_SECRET);
        return clientRepresentation;
    }

    private ClientRepresentation registerClient() throws ClientRegistrationException {
        return registerClient(buildClient());
    }

    private ClientRepresentation registerClient(ClientRepresentation clientRepresentation) throws ClientRegistrationException {
        ClientRepresentation create = this.reg.create(clientRepresentation);
        Assert.assertEquals(CLIENT_ID, create.getClientId());
        Assert.assertEquals(CLIENT_ID, this.adminClient.realm("test").clients().get(create.getId()).toRepresentation().getClientId());
        getCleanup().addClientUuid(create.getId());
        return create;
    }

    @Test
    public void registerClientAsAdmin() throws ClientRegistrationException {
        authManageClients();
        registerClient();
    }

    @Test
    public void withServiceAccount() throws ClientRegistrationException {
        authManageClients();
        ClientRepresentation buildClient = buildClient();
        buildClient.setServiceAccountsEnabled(true);
        ClientRepresentation registerClient = registerClient(buildClient);
        UserRepresentation serviceAccountUser = this.adminClient.realm("test").clients().get(registerClient.getId()).getServiceAccountUser();
        Assert.assertNotNull(serviceAccountUser);
        deleteClient(registerClient);
        try {
            this.adminClient.realm("test").users().get(serviceAccountUser.getId()).toRepresentation();
            Assert.fail("Expected NotFoundException");
        } catch (NotFoundException e) {
        }
    }

    @Test
    public void registerClientInMasterRealm() throws Exception {
        ClientRegistration build = ClientRegistration.create().url(this.suiteContext.getAuthServerInfo().getContextRoot() + "/auth", "master").build();
        build.auth(Auth.token(this.oauth.doGrantAccessTokenRequest("master", "admin", "admin", (String) null, "admin-cli", (String) null).getAccessToken()));
        ClientRepresentation clientRepresentation = new ClientRepresentation();
        clientRepresentation.setClientId(CLIENT_ID);
        clientRepresentation.setSecret(CLIENT_SECRET);
        ClientRepresentation create = build.create(clientRepresentation);
        Assert.assertNotNull(create);
        this.adminClient.realm("master").clients().get(create.getId()).remove();
    }

    @Test
    public void registerClientWithoutProtocol() throws ClientRegistrationException {
        authCreateClients();
        Assert.assertEquals("openid-connect", registerClient().getProtocol());
    }

    @Test
    public void registerClientAsAdminWithCreateOnly() throws ClientRegistrationException {
        authCreateClients();
        registerClient();
    }

    @Test
    public void registerClientAsAdminWithNoAccess() throws ClientRegistrationException {
        authNoAccess();
        try {
            registerClient();
            Assert.fail("Expected 403");
        } catch (ClientRegistrationException e) {
            Assert.assertEquals(403L, e.getCause().getStatusLine().getStatusCode());
        }
    }

    @Test
    public void registerClientWithNonAsciiChars() throws ClientRegistrationException {
        authCreateClients();
        ClientRepresentation buildClient = buildClient();
        buildClient.setName("Cliënt");
        Assert.assertEquals("Cliënt", registerClient(buildClient).getName());
    }

    @Test
    public void clientWithDefaultRoles() throws ClientRegistrationException {
        authCreateClients();
        ClientRepresentation buildClient = buildClient();
        buildClient.setDefaultRoles(new String[]{"test-default-role"});
        MatcherAssert.assertThat(registerClient(buildClient).getDefaultRoles(), Matchers.arrayContaining(new String[]{"test-default-role"}));
        authManageClients();
        MatcherAssert.assertThat(this.reg.get(CLIENT_ID).getDefaultRoles(), Matchers.arrayContaining(new String[]{"test-default-role"}));
        buildClient.setDefaultRoles(new String[]{"test-default-role1", "test-default-role2"});
        MatcherAssert.assertThat(this.reg.update(buildClient).getDefaultRoles(), Matchers.arrayContainingInAnyOrder(new String[]{"test-default-role1", "test-default-role2"}));
    }

    @Test
    public void testInvalidUrlClientValidation() {
        testClientUriValidation("Root URL is not a valid URL", "Base URL is not a valid URL", "Backchannel logout URL is not a valid URL", null, "invalid", "myapp://some-fake-app");
    }

    @Test
    public void testIllegalSchemeClientValidation() {
        testClientUriValidation("Root URL uses an illegal scheme", "Base URL uses an illegal scheme", "Backchannel logout URL uses an illegal scheme", "A redirect URI uses an illegal scheme", "data:text/html;base64,PHNjcmlwdD5jb25maXJtKGRvY3VtZW50LmRvbWFpbik7PC9zY3JpcHQ+", "javascript:confirm(document.domain)/*");
    }

    @Test
    public void testFragmentProhibitedClientValidation() {
        testClientUriValidation("Root URL must not contain an URL fragment", null, null, "Redirect URIs must not contain an URI fragment", "http://redhat.com/abcd#someFragment");
    }

    private void testClientUriValidation(String str, String str2, String str3, String str4, String... strArr) {
        testClientUriValidation(true, str, str2, str3, str4, strArr);
        testClientUriValidation(false, str, str2, str3, str4, strArr);
    }

    private void testClientUriValidation(boolean z, String str, String str2, String str3, String str4, String... strArr) {
        ClientRepresentation clientRepresentation;
        if (z) {
            authCreateClients();
            clientRepresentation = buildClient();
        } else {
            try {
                registerClientAsAdmin();
                clientRepresentation = this.reg.get(CLIENT_ID);
            } catch (ClientRegistrationException e) {
                throw new RuntimeException((Throwable) e);
            }
        }
        for (String str5 : strArr) {
            if (str != null) {
                clientRepresentation.setRootUrl(str5);
                registerOrUpdateClientExpectingValidationErrors(clientRepresentation, z, false, str);
            }
            clientRepresentation.setRootUrl((String) null);
            if (str2 != null) {
                clientRepresentation.setBaseUrl(str5);
                registerOrUpdateClientExpectingValidationErrors(clientRepresentation, z, false, str2);
            }
            clientRepresentation.setBaseUrl((String) null);
            if (str3 != null) {
                OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRepresentation).setBackchannelLogoutUrl(str5);
                registerOrUpdateClientExpectingValidationErrors(clientRepresentation, z, false, str3);
            }
            OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRepresentation).setBackchannelLogoutUrl((String) null);
            if (str4 != null) {
                clientRepresentation.setRedirectUris(Collections.singletonList(str5));
                registerOrUpdateClientExpectingValidationErrors(clientRepresentation, z, true, str4);
            }
            clientRepresentation.setRedirectUris((List) null);
            if (str != null) {
                clientRepresentation.setRootUrl(str5);
            }
            if (str2 != null) {
                clientRepresentation.setBaseUrl(str5);
            }
            if (str4 != null) {
                clientRepresentation.setRedirectUris(Collections.singletonList(str5));
            }
            registerOrUpdateClientExpectingValidationErrors(clientRepresentation, z, str4 != null, str, str2, str4);
            clientRepresentation.setRootUrl((String) null);
            clientRepresentation.setBaseUrl((String) null);
            clientRepresentation.setRedirectUris((List) null);
        }
    }

    private void registerOrUpdateClientExpectingValidationErrors(ClientRepresentation clientRepresentation, boolean z, boolean z2, String... strArr) {
        HttpErrorException httpErrorException = null;
        try {
            if (z) {
                registerClient(clientRepresentation);
            } else {
                this.reg.update(clientRepresentation);
            }
            Assert.fail("Expected exception");
        } catch (ClientRegistrationException e) {
            httpErrorException = e.getCause();
        }
        String[] strArr2 = (String[]) Arrays.stream(strArr).filter((v0) -> {
            return Objects.nonNull(v0);
        }).toArray(i -> {
            return new String[i];
        });
        Assert.assertEquals(httpErrorException.getStatusLine().getStatusCode(), 400L);
        try {
            OAuth2ErrorRepresentation oAuth2ErrorRepresentation = (OAuth2ErrorRepresentation) JsonSerialization.readValue(httpErrorException.getErrorResponse(), OAuth2ErrorRepresentation.class);
            MatcherAssert.assertThat(Arrays.asList(oAuth2ErrorRepresentation.getErrorDescription().split("; ")), Matchers.containsInAnyOrder(strArr2));
            Assert.assertEquals(z2 ? "invalid_redirect_uri" : "invalid_client_metadata", oAuth2ErrorRepresentation.getError());
        } catch (IOException e2) {
            throw new RuntimeException(e2);
        }
    }

    @Test
    public void getClientAsAdmin() throws ClientRegistrationException {
        registerClientAsAdmin();
        Assert.assertNotNull(this.reg.get(CLIENT_ID));
    }

    @Test
    public void getClientAsAdminWithCreateOnly() throws ClientRegistrationException {
        registerClientAsAdmin();
        authCreateClients();
        try {
            this.reg.get(CLIENT_ID);
            Assert.fail("Expected 403");
        } catch (ClientRegistrationException e) {
            Assert.assertEquals(403L, e.getCause().getStatusLine().getStatusCode());
        }
    }

    @Test
    public void getClientAsAdminWithNoAccess() throws ClientRegistrationException {
        registerClientAsAdmin();
        authNoAccess();
        try {
            this.reg.get(CLIENT_ID);
            Assert.fail("Expected 403");
        } catch (ClientRegistrationException e) {
            Assert.assertEquals(403L, e.getCause().getStatusLine().getStatusCode());
        }
    }

    @Test
    public void getClientNotFound() throws ClientRegistrationException {
        authManageClients();
        Assert.assertNull(this.reg.get("invalid"));
    }

    @Test
    public void getClientNotFoundNoAccess() throws ClientRegistrationException {
        authNoAccess();
        try {
            this.reg.get("invalid");
            Assert.fail("Expected 403");
        } catch (ClientRegistrationException e) {
            Assert.assertEquals(403L, e.getCause().getStatusLine().getStatusCode());
        }
    }

    private void updateClient() throws ClientRegistrationException {
        ClientRepresentation clientRepresentation = this.reg.get(CLIENT_ID);
        clientRepresentation.setRedirectUris(Collections.singletonList("http://localhost:8080/app"));
        this.reg.update(clientRepresentation);
        ClientRepresentation clientRepresentation2 = this.reg.get(CLIENT_ID);
        Assert.assertEquals(1L, clientRepresentation2.getRedirectUris().size());
        Assert.assertEquals("http://localhost:8080/app", clientRepresentation2.getRedirectUris().get(0));
    }

    @Test
    public void updateClientAsAdmin() throws ClientRegistrationException {
        registerClientAsAdmin();
        authManageClients();
        updateClient();
    }

    @Test
    public void updateClientSecret() throws ClientRegistrationException {
        authManageClients();
        registerClient();
        ClientRepresentation clientRepresentation = this.reg.get(CLIENT_ID);
        Assert.assertNotNull(clientRepresentation.getSecret());
        clientRepresentation.setSecret("mysecret");
        this.reg.update(clientRepresentation);
        Assert.assertEquals("mysecret", this.reg.get(CLIENT_ID).getSecret());
    }

    @Test
    public void addClientProtcolMappers() throws ClientRegistrationException {
        authManageClients();
        registerClient(buildClient());
        ClientRepresentation clientRepresentation = this.reg.get(CLIENT_ID);
        addProtocolMapper(clientRepresentation, "mapperA");
        this.reg.update(clientRepresentation);
        MatcherAssert.assertThat("Adding protocolMapper failed", Integer.valueOf(this.reg.get(CLIENT_ID).getProtocolMappers().size()), Is.is(1));
    }

    @Test
    public void removeClientProtcolMappers() throws ClientRegistrationException {
        authManageClients();
        ClientRepresentation buildClient = buildClient();
        addProtocolMapper(buildClient, "mapperA");
        registerClient(buildClient);
        ClientRepresentation clientRepresentation = this.reg.get(CLIENT_ID);
        clientRepresentation.setProtocolMappers(new ArrayList());
        this.reg.update(clientRepresentation);
        MatcherAssert.assertThat("Removing protocolMapper failed", this.reg.get(CLIENT_ID).getProtocolMappers(), Matchers.nullValue());
    }

    @Test
    public void updateClientProtcolMappers() throws ClientRegistrationException {
        authManageClients();
        ClientRepresentation buildClient = buildClient();
        addProtocolMapper(buildClient, "mapperA");
        registerClient(buildClient);
        ClientRepresentation clientRepresentation = this.reg.get(CLIENT_ID);
        ((ProtocolMapperRepresentation) clientRepresentation.getProtocolMappers().get(0)).getConfig().put("claim.name", "updatedClaimName");
        this.reg.update(clientRepresentation);
        MatcherAssert.assertThat("Updating protocolMapper failed", ((ProtocolMapperRepresentation) this.reg.get(CLIENT_ID).getProtocolMappers().get(0)).getConfig().get("claim.name"), Is.is("updatedClaimName"));
    }

    private void addProtocolMapper(ClientRepresentation clientRepresentation, String str) {
        ProtocolMapperRepresentation protocolMapperRepresentation = new ProtocolMapperRepresentation();
        protocolMapperRepresentation.setName(str);
        protocolMapperRepresentation.setProtocol("openid-connect");
        protocolMapperRepresentation.setProtocolMapper("oidc-usermodel-attribute-mapper");
        protocolMapperRepresentation.getConfig().put("userinfo.token.claim", "true");
        protocolMapperRepresentation.getConfig().put("user.attribute", "someAttribute");
        protocolMapperRepresentation.getConfig().put("id.token.claim", "true");
        protocolMapperRepresentation.getConfig().put("access.token.claim", "true");
        protocolMapperRepresentation.getConfig().put("claim.name", "someClaimName");
        protocolMapperRepresentation.getConfig().put("jsonType.label", "long");
        clientRepresentation.setProtocolMappers(new ArrayList());
        clientRepresentation.getProtocolMappers().add(protocolMapperRepresentation);
    }

    @Test
    public void updateClientAsAdminWithCreateOnly() throws ClientRegistrationException {
        authCreateClients();
        try {
            updateClient();
            Assert.fail("Expected 403");
        } catch (ClientRegistrationException e) {
            Assert.assertEquals(403L, e.getCause().getStatusLine().getStatusCode());
        }
    }

    @Test
    public void updateClientAsAdminWithNoAccess() throws ClientRegistrationException {
        authNoAccess();
        try {
            updateClient();
            Assert.fail("Expected 403");
        } catch (ClientRegistrationException e) {
            Assert.assertEquals(403L, e.getCause().getStatusLine().getStatusCode());
        }
    }

    @Test
    public void updateClientNotFound() throws ClientRegistrationException {
        authManageClients();
        try {
            ClientRepresentation clientRepresentation = new ClientRepresentation();
            clientRepresentation.setClientId("invalid");
            this.reg.update(clientRepresentation);
            Assert.fail("Expected 404");
        } catch (ClientRegistrationException e) {
            Assert.assertEquals(404L, e.getCause().getStatusLine().getStatusCode());
        }
    }

    @Test
    public void updateClientWithNonAsciiChars() throws ClientRegistrationException {
        authCreateClients();
        registerClient();
        authManageClients();
        ClientRepresentation clientRepresentation = this.reg.get(CLIENT_ID);
        clientRepresentation.setName("Cliënt");
        Assert.assertEquals("Cliënt", this.reg.update(clientRepresentation).getName());
    }

    private void deleteClient(ClientRepresentation clientRepresentation) throws ClientRegistrationException {
        this.reg.delete(CLIENT_ID);
        try {
            this.adminClient.realm("test").clients().get(clientRepresentation.getId()).toRepresentation();
            Assert.fail("Expected 403");
        } catch (NotFoundException e) {
        }
    }

    @Test
    public void deleteClientAsAdmin() throws ClientRegistrationException {
        authCreateClients();
        ClientRepresentation registerClient = registerClient();
        authManageClients();
        deleteClient(registerClient);
    }

    @Test
    public void deleteClientAsAdminWithCreateOnly() throws ClientRegistrationException {
        authManageClients();
        ClientRepresentation registerClient = registerClient();
        try {
            authCreateClients();
            deleteClient(registerClient);
            Assert.fail("Expected 403");
        } catch (ClientRegistrationException e) {
            Assert.assertEquals(403L, e.getCause().getStatusLine().getStatusCode());
        }
    }

    @Test
    public void deleteClientAsAdminWithNoAccess() throws ClientRegistrationException {
        authManageClients();
        ClientRepresentation registerClient = registerClient();
        try {
            authNoAccess();
            deleteClient(registerClient);
            Assert.fail("Expected 403");
        } catch (ClientRegistrationException e) {
            Assert.assertEquals(403L, e.getCause().getStatusLine().getStatusCode());
        }
    }

    @Test
    public void registerClientAsAdminWithScope() throws ClientRegistrationException {
        authManageClients();
        ClientRepresentation clientRepresentation = new ClientRepresentation();
        clientRepresentation.setClientId(CLIENT_ID);
        clientRepresentation.setSecret(CLIENT_SECRET);
        ArrayList arrayList = new ArrayList(Arrays.asList("address", "phone"));
        clientRepresentation.setOptionalClientScopes(arrayList);
        ClientRepresentation create = this.reg.create(clientRepresentation);
        Assert.assertEquals(CLIENT_ID, create.getClientId());
        ClientRepresentation representation = this.adminClient.realm("test").clients().get(create.getId()).toRepresentation();
        Assert.assertEquals(CLIENT_ID, representation.getClientId());
        getCleanup().addClientUuid(create.getId());
        Assert.assertTrue(new HashSet(arrayList).equals(new HashSet(representation.getOptionalClientScopes())));
        Assert.assertTrue(representation.getDefaultClientScopes().isEmpty());
    }

    @Test
    public void registerClientAsAdminWithoutScope() throws ClientRegistrationException {
        HashSet hashSet = new HashSet((Collection) this.adminClient.realm("test").getDefaultDefaultClientScopes().stream().filter(clientScopeRepresentation -> {
            return Objects.equals(clientScopeRepresentation.getProtocol(), "openid-connect");
        }).map(clientScopeRepresentation2 -> {
            return clientScopeRepresentation2.getName();
        }).collect(Collectors.toList()));
        HashSet hashSet2 = new HashSet((Collection) this.adminClient.realm("test").getDefaultOptionalClientScopes().stream().filter(clientScopeRepresentation3 -> {
            return Objects.equals(clientScopeRepresentation3.getProtocol(), "openid-connect");
        }).map(clientScopeRepresentation4 -> {
            return clientScopeRepresentation4.getName();
        }).collect(Collectors.toList()));
        authManageClients();
        ClientRepresentation clientRepresentation = new ClientRepresentation();
        clientRepresentation.setClientId(CLIENT_ID);
        clientRepresentation.setSecret(CLIENT_SECRET);
        ClientRepresentation create = this.reg.create(clientRepresentation);
        Assert.assertEquals(CLIENT_ID, create.getClientId());
        ClientRepresentation representation = this.adminClient.realm("test").clients().get(create.getId()).toRepresentation();
        Assert.assertEquals(CLIENT_ID, representation.getClientId());
        getCleanup().addClientUuid(create.getId());
        Assert.assertTrue(hashSet.equals(new HashSet(representation.getDefaultClientScopes())));
        Assert.assertTrue(hashSet2.equals(new HashSet(representation.getOptionalClientScopes())));
    }

    @Test
    public void registerClientAsAdminWithNotDefinedScope() throws ClientRegistrationException {
        authManageClients();
        ClientRepresentation clientRepresentation = new ClientRepresentation();
        clientRepresentation.setClientId(CLIENT_ID);
        clientRepresentation.setSecret(CLIENT_SECRET);
        clientRepresentation.setOptionalClientScopes(new ArrayList(Arrays.asList("notdefinedscope", "phone")));
        try {
            registerClient(clientRepresentation);
            Assert.fail("Expected 403");
        } catch (ClientRegistrationException e) {
            Assert.assertEquals(403L, e.getCause().getStatusLine().getStatusCode());
        }
    }

    @Test
    @UncaughtServerErrorExpected
    public void registerMaliciousClient() throws IOException {
        CloseableHttpClient build = HttpClientBuilder.create().build();
        Throwable th = null;
        try {
            HttpPost httpPost = new HttpPost(this.suiteContext.getAuthServerInfo().getUriBuilder().path("/auth/realms/master/clients-registrations/openid-connect").build(new Object[0]));
            httpPost.setEntity(new StringEntity("{\"<img src=alert(1)>\":1}"));
            httpPost.setHeader("Content-Type", "application/json");
            CloseableHttpResponse execute = build.execute(httpPost);
            Throwable th2 = null;
            try {
                try {
                    MatcherAssert.assertThat(Integer.valueOf(execute.getStatusLine().getStatusCode()), Is.is(400));
                    Header firstHeader = execute.getFirstHeader("Content-Type");
                    MatcherAssert.assertThat(firstHeader, Matchers.notNullValue());
                    MatcherAssert.assertThat(Boolean.valueOf(Arrays.stream(firstHeader.getElements()).map((v0) -> {
                        return v0.getName();
                    }).filter((v0) -> {
                        return Objects.nonNull(v0);
                    }).anyMatch(str -> {
                        return str.equals("application/json");
                    })), Is.is(true));
                    MatcherAssert.assertThat(EntityUtils.toString(execute.getEntity()), CoreMatchers.containsString("Unrecognized field \\\"<img src=alert(1)>\\\""));
                    if (execute != null) {
                        if (0 != 0) {
                            try {
                                execute.close();
                            } catch (Throwable th3) {
                                th2.addSuppressed(th3);
                            }
                        } else {
                            execute.close();
                        }
                    }
                    if (build != null) {
                        if (0 == 0) {
                            build.close();
                            return;
                        }
                        try {
                            build.close();
                        } catch (Throwable th4) {
                            th.addSuppressed(th4);
                        }
                    }
                } catch (Throwable th5) {
                    th2 = th5;
                    throw th5;
                }
            } catch (Throwable th6) {
                if (execute != null) {
                    if (th2 != null) {
                        try {
                            execute.close();
                        } catch (Throwable th7) {
                            th2.addSuppressed(th7);
                        }
                    } else {
                        execute.close();
                    }
                }
                throw th6;
            }
        } catch (Throwable th8) {
            if (build != null) {
                if (0 != 0) {
                    try {
                        build.close();
                    } catch (Throwable th9) {
                        th.addSuppressed(th9);
                    }
                } else {
                    build.close();
                }
            }
            throw th8;
        }
    }
}
