package org.keycloak.testsuite.oauth;

import java.util.List;
import java.util.Map;
import javax.ws.rs.core.Response;
import org.hamcrest.Matchers;
import org.jboss.arquillian.graphene.page.Page;
import org.junit.Assert;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.ClientScopeResource;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.common.Profile;
import org.keycloak.events.EventType;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.idm.ClientScopeRepresentation;
import org.keycloak.representations.idm.EventRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.AbstractAdminTest;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.arquillian.annotation.DisableFeature;
import org.keycloak.testsuite.pages.AccountApplicationsPage;
import org.keycloak.testsuite.pages.AppPage;
import org.keycloak.testsuite.pages.ErrorPage;
import org.keycloak.testsuite.pages.OAuthGrantPage;
import org.keycloak.testsuite.util.ProtocolMapperUtil;
import org.openqa.selenium.By;

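@DisableFeature(value = Profile.Feature.ACCOUNT2, skipRestart = true)
/**
 * Browser-driven tests for the OAuth2/OIDC consent ("grant") screen of the
 * {@code third-party} client in the {@code test} realm.
 *
 * <p>The tests cover the security-relevant behaviour of user consent:
 * <ul>
 *   <li>the consent page lists exactly the client scopes being requested, and the
 *       issued access token carries only the expected realm/client roles;</li>
 *   <li>cancelling yields {@code error=access_denied} and no user session;</li>
 *   <li>persisted consent suppresses the screen until it is revoked (from the
 *       account console or via the admin API), after which consent is asked again;</li>
 *   <li>newly added default/optional scopes require fresh consent;</li>
 *   <li>accepting the grant with an expired/lost authentication session does not
 *       issue a code but lands on the error page;</li>
 *   <li>revoking consent does not terminate the user's SSO session.</li>
 * </ul>
 *
 * <p>All tests share one realm, so every test that grants consent revokes it again
 * before finishing to leave no persisted consent behind for the next test.
 * Fixtures created through the admin API (client scopes) are registered with
 * {@code getCleanup()} so they are removed even if an assertion fails midway.
 */
public class OAuthGrantTest extends AbstractKeycloakTest {
    /** Client id of the confidential client that has "consent required" enabled in testrealm.json. */
    public static final String THIRD_PARTY_APP = "third-party";
    /** Realm every test operates in. */
    public static final String REALM_NAME = "test";

    /** Display names of the built-in scopes the third-party client requests by default, in default gui order. */
    private static final String[] DEFAULT_GRANTS = {"User profile", "Email address", "User roles"};

    @Rule
    public AssertEvents events = new AssertEvents(this);

    @Page
    protected OAuthGrantPage grantPage;

    @Page
    protected AccountApplicationsPage accountAppsPage;

    @Page
    protected AppPage appPage;

    @Page
    protected ErrorPage errorPage;

    // Kept for parity with the original test; not referenced by the assertions below.
    private static final String ROLE_USER = "Have User privileges";
    private static final String ROLE_CUSTOMER = "Have Customer User privileges";

    /** Imports the shared {@code /testrealm.json} fixture as the only test realm. */
    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void addTestRealms(List<RealmRepresentation> list) {
        list.add((RealmRepresentation) AbstractAdminTest.loadJson(getClass().getResourceAsStream("/testrealm.json"), RealmRepresentation.class));
    }

    /**
     * Creates an OIDC client scope named {@code name} in the realm and registers it for cleanup.
     *
     * @return the id of the created scope
     */
    private String createClientScope(RealmResource realm, String name) {
        ClientScopeRepresentation scope = new ClientScopeRepresentation();
        scope.setName(name);
        scope.setProtocol("openid-connect");
        Response response = realm.clientScopes().create(scope);
        String id = ApiUtil.getCreatedId(response);
        response.close();
        getCleanup().addClientScopeId(id);
        return id;
    }

    /** Starts the authorization-code flow for the third-party client and logs in as the default test user. */
    private void loginAsDefaultUser() {
        this.oauth.clientId(THIRD_PARTY_APP);
        this.oauth.doLoginGrant(AssertEvents.DEFAULT_USERNAME, "password");
    }

    /** Returns the account-console entry for the third-party client (the "Applications" tab). */
    private AccountApplicationsPage.AppEntry thirdPartyAppEntry() {
        Map<String, AccountApplicationsPage.AppEntry> applications = this.accountAppsPage.getApplications();
        return applications.get(THIRD_PARTY_APP);
    }

    /** Revokes the persisted consent from the account console and checks the REVOKE_GRANT event. */
    private void revokeGrantFromAccountConsole() {
        this.accountAppsPage.revokeGrant(THIRD_PARTY_APP);
        this.events.expect(EventType.REVOKE_GRANT).client(BackchannelLogoutTest.ACCOUNT_CLIENT_NAME).detail("revoked_client", THIRD_PARTY_APP).assertEvent();
    }

    /** Asserts the LOGIN event for a freshly granted consent. */
    private EventRepresentation expectConsentGrantedLogin() {
        return this.events.expectLogin().client(THIRD_PARTY_APP).detail("consent", "consent_granted").assertEvent();
    }

    /** Asserts the LOGIN event for a login that reused previously persisted consent (no consent screen shown). */
    private void expectPersistentConsentLogin() {
        this.events.expectLogin().detail("auth_method", "openid-connect").detail("consent", "persistent_consent").removeDetail("username").client(THIRD_PARTY_APP).assertEvent();
    }

    /** Asserts the LOGIN event for a consent screen the user rejected; no session must be created. */
    private void expectRejectedByUserLogin() {
        this.events.expectLogin().client(THIRD_PARTY_APP).error("rejected_by_user").removeDetail("consent").session(Matchers.nullValue(String.class)).assertEvent();
    }

    /**
     * Accepting the consent screen issues a code, the resulting access token is bound to the
     * login session and carries only the expected roles, and the grant shows up in (and can be
     * revoked from) the account console.
     */
    @Test
    public void oauthGrantAcceptTest() {
        loginAsDefaultUser();
        this.grantPage.assertCurrent();
        this.grantPage.assertGrants(DEFAULT_GRANTS);
        this.grantPage.accept();

        // Authorization code is returned to the redirect URI only after consent.
        Assert.assertTrue(this.oauth.getCurrentQuery().containsKey("code"));
        EventRepresentation loginEvent = expectConsentGrantedLogin();
        String codeId = (String) loginEvent.getDetails().get("code_id");
        String sessionId = loginEvent.getSessionId();

        String code = (String) this.oauth.getCurrentQuery().get("code");
        String accessTokenString = this.oauth.doAccessTokenRequest(code, "password").getAccessToken();
        Assert.assertNotNull(accessTokenString);

        // Token must be bound to the same session the login event reported.
        AccessToken token = this.oauth.verifyToken(accessTokenString);
        Assert.assertEquals(sessionId, token.getSessionState());

        // Realm roles: exactly one, "user".
        AccessToken.Access realmAccess = token.getRealmAccess();
        Assert.assertEquals(1L, realmAccess.getRoles().size());
        Assert.assertTrue(realmAccess.isUserInRole("user"));

        // Client roles: exactly one client entry with exactly one role, "customer-user".
        Map<String, AccessToken.Access> resourceAccess = token.getResourceAccess();
        Assert.assertEquals(1L, resourceAccess.size());
        AccessToken.Access defaultClientAccess = resourceAccess.get(AssertEvents.DEFAULT_CLIENT_ID);
        Assert.assertEquals(1L, defaultClientAccess.getRoles().size());
        Assert.assertTrue(defaultClientAccess.isUserInRole("customer-user"));

        this.events.expectCodeToToken(codeId, loginEvent.getSessionId()).client(THIRD_PARTY_APP).assertEvent();

        // The grant is listed in the account console with a revoke button, which disappears after revocation.
        this.accountAppsPage.open();
        Assert.assertEquals(1L, this.driver.findElements(By.id("revoke-third-party")).size());
        revokeGrantFromAccountConsole();
        Assert.assertEquals(0L, this.driver.findElements(By.id("revoke-third-party")).size());
    }

    /**
     * Cancelling the consent screen returns {@code error=access_denied} to the client and
     * records a rejected login without creating a user session.
     */
    @Test
    public void oauthGrantCancelTest() {
        loginAsDefaultUser();
        this.grantPage.assertCurrent();
        this.grantPage.assertGrants(DEFAULT_GRANTS);
        this.grantPage.cancel();

        Map<String, String> query = this.oauth.getCurrentQuery();
        Assert.assertTrue(query.containsKey("error"));
        Assert.assertEquals("access_denied", query.get("error"));
        expectRejectedByUserLogin();
    }

    /**
     * Once consent is persisted the screen is skipped on the next login and the login event is
     * marked {@code persistent_consent}; revoking the grant brings the screen back.
     */
    @Test
    public void oauthGrantNotShownWhenAlreadyGranted() {
        loginAsDefaultUser();
        this.grantPage.assertCurrent();
        this.grantPage.accept();
        expectConsentGrantedLogin();

        // The granted scopes are recorded against the application in the account console.
        // (The original test evaluated these contains() calls without asserting on them.)
        this.accountAppsPage.open();
        AccountApplicationsPage.AppEntry appEntry = thirdPartyAppEntry();
        List<String> granted = appEntry.getClientScopesGranted();
        Assert.assertTrue(granted.contains("User profile"));
        Assert.assertTrue(granted.contains("Email address"));

        // Second login: straight through to the app, no consent screen.
        this.oauth.openLoginForm();
        this.appPage.assertCurrent();
        expectPersistentConsentLogin();

        this.accountAppsPage.open();
        revokeGrantFromAccountConsole();

        // After revocation the consent screen is shown again with the full default scope set.
        this.oauth.openLoginForm();
        this.grantPage.assertCurrent();
        this.grantPage.assertGrants(DEFAULT_GRANTS);
    }

    /**
     * A default client scope added to the client <em>after</em> the consent screen was rendered
     * is not silently covered by that consent: the next login asks for consent to the new scope only.
     */
    @Test
    public void oauthGrantAddAnotherScope() {
        loginAsDefaultUser();

        // Add "foo-scope" as a default scope while the user is already on the consent screen.
        RealmResource realm = this.adminClient.realm(REALM_NAME);
        String scopeId = createClientScope(realm, "foo-scope");
        ClientResource thirdPartyClient = ApiUtil.findClientByClientId(realm, THIRD_PARTY_APP);
        thirdPartyClient.addDefaultClientScope(scopeId);

        // Consent covers only what was displayed, so foo-scope is not recorded as granted.
        this.grantPage.assertCurrent();
        this.grantPage.accept();
        expectConsentGrantedLogin();
        this.accountAppsPage.open();
        Assert.assertFalse(thirdPartyAppEntry().getClientScopesGranted().contains("foo-scope"));

        // Next login asks only for the missing scope.
        this.oauth.openLoginForm();
        this.grantPage.assertCurrent();
        this.grantPage.assertGrants(new String[]{"foo-scope"});
        this.grantPage.accept();
        expectConsentGrantedLogin();
        this.accountAppsPage.open();
        Assert.assertTrue(thirdPartyAppEntry().getClientScopesGranted().contains("foo-scope"));

        revokeGrantFromAccountConsole();
        thirdPartyClient.removeDefaultClientScope(scopeId);
    }

    /**
     * An optional client scope is only put on the consent screen when the client actually
     * requests it via the {@code scope} parameter.
     */
    @Test
    public void oauthGrantScopeParamRequired() throws Exception {
        RealmResource realm = this.adminClient.realm(REALM_NAME);
        ClientResource thirdPartyClient = ApiUtil.findClientByClientId(realm, THIRD_PARTY_APP);
        String scopeId = createClientScope(realm, "foo-scope");
        thirdPartyClient.addOptionalClientScope(scopeId);

        // Without scope=foo-scope the optional scope must not be offered for consent.
        loginAsDefaultUser();
        this.grantPage.assertCurrent();
        Assert.assertFalse(this.grantPage.getDisplayedGrants().contains("foo-scope"));
        this.grantPage.cancel();
        expectRejectedByUserLogin();

        // With scope=foo-scope it is.
        this.oauth.scope("foo-scope");
        this.oauth.doLoginGrant(AssertEvents.DEFAULT_USERNAME, "password");
        this.grantPage.assertCurrent();
        Assert.assertTrue(this.grantPage.getDisplayedGrants().contains("foo-scope"));
        this.grantPage.accept();
        expectConsentGrantedLogin();

        this.accountAppsPage.open();
        revokeGrantFromAccountConsole();
        this.oauth.scope((String) null);
        thirdPartyClient.removeOptionalClientScope(scopeId);
    }

    /**
     * A client scope carrying protocol mappers (here an address mapper) appears on the consent
     * screen by its name, is recorded as granted, and produces exactly one stored consent for the user.
     */
    @Test
    public void oauthGrantClientScopeMappers() throws Exception {
        RealmResource realm = this.adminClient.realm(REALM_NAME);
        String scopeId = createClientScope(realm, "foo-addr");
        realm.clientScopes().get(scopeId).getProtocolMappers().createMapper(ProtocolMapperUtil.createAddressMapper(true, true, true)).close();
        ClientResource thirdPartyClient = ApiUtil.findClientByClientId(realm, THIRD_PARTY_APP);
        thirdPartyClient.addDefaultClientScope(scopeId);

        loginAsDefaultUser();
        this.grantPage.assertCurrent();
        this.grantPage.assertGrants(new String[]{"Email address", "User profile", "User roles", "foo-addr"});
        this.grantPage.accept();
        expectConsentGrantedLogin();

        this.accountAppsPage.open();
        Assert.assertTrue(this.accountAppsPage.isCurrent());
        Map<String, AccountApplicationsPage.AppEntry> applications = this.accountAppsPage.getApplications();
        Assert.assertTrue(applications.containsKey(THIRD_PARTY_APP));
        Assert.assertTrue(applications.get(THIRD_PARTY_APP).getClientScopesGranted().contains("foo-addr"));
        // One consent record per client, regardless of how many scopes it covers.
        Assert.assertEquals(1L, ApiUtil.findUserByUsernameId(realm, AssertEvents.DEFAULT_USERNAME).getConsents().size());

        this.oauth.openLoginForm();
        this.appPage.assertCurrent();
        expectPersistentConsentLogin();

        this.accountAppsPage.open();
        revokeGrantFromAccountConsole();
        thirdPartyClient.removeDefaultClientScope(scopeId);
    }

    /**
     * Accepting the consent screen after the browser lost its cookies (no authentication session
     * left to bind the consent to) must not complete the flow; the error page is shown with a
     * "back to application" link pointing at the client's configured base URL.
     */
    @Test
    public void oauthGrantExpiredAuthSession() throws Exception {
        loginAsDefaultUser();
        this.grantPage.assertCurrent();

        // Drop the auth-session cookie(s) before submitting the consent form.
        this.driver.manage().deleteAllCookies();
        this.grantPage.accept();

        this.errorPage.assertCurrent();
        String expectedBaseUrl = ApiUtil.findClientByClientId(this.adminClient.realm(REALM_NAME), THIRD_PARTY_APP).toRepresentation().getBaseUrl();
        Assert.assertEquals(expectedBaseUrl, this.errorPage.getBackToApplicationLink());
    }

    /**
     * The {@code gui.order} scope attribute controls the order in which scopes are listed on the
     * consent screen and in the account console, and a later change is reflected in both.
     */
    @Test
    public void oauthGrantOrderedClientScopes() throws Exception {
        RealmResource realm = this.adminClient.realm(REALM_NAME);

        ClientScopeResource emailScope = ApiUtil.findClientScopeByName(realm, "email");
        setGuiOrder(emailScope, "1");
        ClientScopeResource profileScope = ApiUtil.findClientScopeByName(realm, "profile");
        setGuiOrder(profileScope, "2");

        loginAsDefaultUser();
        this.grantPage.assertCurrent();
        List<String> displayed = this.grantPage.getDisplayedGrants();
        Assert.assertEquals("Email address", displayed.get(0));
        Assert.assertEquals("User profile", displayed.get(1));
        this.grantPage.accept();

        this.accountAppsPage.open();
        List<String> granted = thirdPartyAppEntry().getClientScopesGranted();
        Assert.assertEquals("Email address", granted.get(0));
        Assert.assertEquals("User profile", granted.get(1));

        // Move "email" behind "profile"; the account console must re-sort the already granted scopes.
        setGuiOrder(emailScope, "3");
        this.accountAppsPage.open();
        List<String> reordered = thirdPartyAppEntry().getClientScopesGranted();
        Assert.assertEquals("User profile", reordered.get(0));
        Assert.assertEquals("Email address", reordered.get(1));

        // ...and so must the consent screen shown after revocation.
        this.accountAppsPage.revokeGrant(THIRD_PARTY_APP);
        this.oauth.openLoginForm();
        this.grantPage.assertCurrent();
        List<String> displayedAgain = this.grantPage.getDisplayedGrants();
        Assert.assertEquals("User profile", displayedAgain.get(0));
        Assert.assertEquals("Email address", displayedAgain.get(1));
    }

    /** Sets the {@code gui.order} attribute of a client scope via the admin API. */
    private static void setGuiOrder(ClientScopeResource scope, String order) {
        ClientScopeRepresentation rep = scope.toRepresentation();
        rep.getAttributes().put("gui.order", order);
        scope.update(rep);
    }

    /**
     * Revoking consent through the admin API removes the stored consent (the screen is shown again)
     * but does not log the user out: the second consent is granted within the same session.
     */
    @Test
    public void oauthGrantUserNotLoggedOutAfterConsentRevoke() throws Exception {
        loginAsDefaultUser();
        this.grantPage.assertCurrent();
        this.grantPage.assertGrants(DEFAULT_GRANTS);
        this.grantPage.accept();
        Assert.assertTrue(this.oauth.getCurrentQuery().containsKey("code"));
        EventRepresentation firstLogin = expectConsentGrantedLogin();
        String sessionId = firstLogin.getSessionId();

        // Admin-side revocation of consent for this client only.
        this.adminClient.realm(REALM_NAME).users().get(firstLogin.getUserId()).revokeConsent(THIRD_PARTY_APP);

        this.oauth.openLoginForm();
        this.grantPage.assertCurrent();
        this.grantPage.assertGrants(DEFAULT_GRANTS);
        this.grantPage.accept();
        EventRepresentation secondLogin = expectConsentGrantedLogin();
        // Same SSO session: revoking consent did not terminate the user session.
        Assert.assertEquals(sessionId, secondLogin.getSessionId());

        this.adminClient.realm(REALM_NAME).users().get(secondLogin.getUserId()).revokeConsent(THIRD_PARTY_APP);
    }
}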
