package org.keycloak.testsuite.broker;

import com.google.common.collect.ImmutableMap;
import java.util.Collections;
import org.junit.Before;
import org.junit.Test;
import org.keycloak.admin.client.resource.IdentityProviderResource;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.models.IdentityProviderMapperSyncMode;
import org.keycloak.representations.idm.IdentityProviderMapperRepresentation;
import org.keycloak.representations.idm.IdentityProviderRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

/* loaded from: input_file:org/keycloak/testsuite/broker/ExternalKeycloakRoleToRoleMapperTest.class */
/**
 * Broker tests for the {@code keycloak-oidc-role-to-role-idp-mapper} identity provider mapper,
 * run with the {@code KcOidcBrokerConfiguration} broker setup.
 *
 * <p>The mapper is configured to translate the external role {@code "user"} into
 * {@code AbstractRoleMapperTest.CLIENT_ROLE_MAPPER_REPRESENTATION}. Each test picks an
 * {@link IdentityProviderMapperSyncMode} and asserts whether the mapped role is present in the
 * consumer realm after two logins.
 *
 * <p>Security-relevant reading of the expectations: assuming the base class invokes
 * {@link #updateUser()} between the two logins (that call is not visible in this class), only
 * {@code FORCE} is expected to take the consumer-realm role away once the provider realm no
 * longer grants {@code "user"}. With {@code LEGACY} and {@code IMPORT} the tests expect the role
 * to remain, so a role withdrawn at the external identity provider stays effective downstream
 * under those modes.
 */
public class ExternalKeycloakRoleToRoleMapperTest extends AbstractRoleMapperTest {
    // Admin handle on the consumer realm; assigned in setupRealm() before every test.
    private RealmResource realm;
    // When true, updateUser() strips the realm role "user" from the user in the provider realm.
    private boolean deleteRoleFromUser = true;

    /** Supplies the OIDC broker configuration used by every test in this class. */
    @Override
    protected BrokerConfiguration getBrokerConfiguration() {
        return new KcOidcBrokerConfiguration();
    }

    /** Registers the clients via the superclass and resolves the consumer realm resource. */
    @Before
    public void setupRealm() {
        super.addClients();
        realm = adminClient.realm(bc.consumerRealmName());
    }

    /** IMPORT mode with the mapper created up front: the role is expected in the consumer realm. */
    @Test
    public void mapperGrantsRoleOnFirstLogin() {
        UserRepresentation brokeredUser =
                createMapperThenLoginAsUserTwiceWithExternalKeycloakRoleToRoleMapper(IdentityProviderMapperSyncMode.IMPORT);
        assertThatRoleHasBeenAssignedInConsumerRealmTo(brokeredUser);
    }

    /** LEGACY mode with the mapper added after the first login: the role must not be granted. */
    @Test
    public void updateBrokeredUserDoesNotGrantRoleInLegacyMode() {
        UserRepresentation brokeredUser =
                loginAsUserThenCreateMapperAndLoginAgainWithExternalKeycloakRoleToRoleMapper(IdentityProviderMapperSyncMode.LEGACY);
        assertThatRoleHasNotBeenAssignedInConsumerRealmTo(brokeredUser);
    }

    /** FORCE mode with the mapper added after the first login: the role must be granted. */
    @Test
    public void updateBrokeredUserGrantsRoleInForceMode() {
        UserRepresentation brokeredUser =
                loginAsUserThenCreateMapperAndLoginAgainWithExternalKeycloakRoleToRoleMapper(IdentityProviderMapperSyncMode.FORCE);
        assertThatRoleHasBeenAssignedInConsumerRealmTo(brokeredUser);
    }

    /**
     * FORCE mode with the mapper created up front and the provider role removed by
     * {@link #updateUser()}: the consumer-realm role is expected to be gone afterwards.
     */
    @Test
    public void updateBrokeredUserMatchDeletesRoleInForceMode() {
        UserRepresentation brokeredUser =
                createMapperThenLoginAsUserTwiceWithExternalKeycloakRoleToRoleMapper(IdentityProviderMapperSyncMode.FORCE);
        assertThatRoleHasNotBeenAssignedInConsumerRealmTo(brokeredUser);
    }

    /**
     * LEGACY mode with the mapper created up front and the provider role removed by
     * {@link #updateUser()}: the consumer-realm role is expected to remain assigned.
     */
    @Test
    public void updateBrokeredUserMatchDoesNotDeleteRoleInLegacyMode() {
        UserRepresentation brokeredUser =
                createMapperThenLoginAsUserTwiceWithExternalKeycloakRoleToRoleMapper(IdentityProviderMapperSyncMode.LEGACY);
        assertThatRoleHasBeenAssignedInConsumerRealmTo(brokeredUser);
    }

    /**
     * Runs the two-login scenario with the flag argument set to {@code false} and an empty
     * attribute map. Judging by the method name the flag means "mapper exists before the first
     * login" - confirm against {@code loginAsUserTwiceWithMapper} in the base class.
     */
    private UserRepresentation createMapperThenLoginAsUserTwiceWithExternalKeycloakRoleToRoleMapper(IdentityProviderMapperSyncMode syncMode) {
        return loginAsUserTwiceWithMapper(syncMode, false, ImmutableMap.builder().build());
    }

    /**
     * Runs the two-login scenario with the flag argument set to {@code true} and an empty
     * attribute map, after switching off the provider-side role removal so that
     * {@link #updateUser()} leaves the user's roles untouched.
     */
    private UserRepresentation loginAsUserThenCreateMapperAndLoginAgainWithExternalKeycloakRoleToRoleMapper(IdentityProviderMapperSyncMode syncMode) {
        deleteRoleFromUser = false;
        return loginAsUserTwiceWithMapper(syncMode, true, ImmutableMap.builder().build());
    }

    /**
     * Adds the role-to-role mapper to the identity provider in the consumer realm.
     *
     * @param identityProviderRepresentation identity provider whose alias selects the admin resource
     * @param identityProviderMapperSyncMode sync mode written into the mapper's {@code syncMode} config entry
     */
    @Override
    protected void createMapperInIdp(IdentityProviderRepresentation identityProviderRepresentation, IdentityProviderMapperSyncMode identityProviderMapperSyncMode) {
        IdentityProviderMapperRepresentation mapper = new IdentityProviderMapperRepresentation();
        mapper.setName("external-keycloak-role-mapper");
        mapper.setIdentityProviderMapper("keycloak-oidc-role-to-role-idp-mapper");
        mapper.setConfig(
                ImmutableMap.builder()
                        .put("syncMode", identityProviderMapperSyncMode.toString())
                        .put("external.role", "user")
                        .put("role", AbstractRoleMapperTest.CLIENT_ROLE_MAPPER_REPRESENTATION)
                        .build());
        // The resource is looked up by the representation's alias while the mapper is tagged
        // with bc.getIDPAlias(); presumably both are the same alias - confirm.
        IdentityProviderResource idp = realm.identityProviders().get(identityProviderRepresentation.getAlias());
        mapper.setIdentityProviderAlias(bc.getIDPAlias());
        // NOTE(review): the value returned by addMapper is closed without its status being
        // checked, so a rejected mapper would only show up through the later role assertions.
        idp.addMapper(mapper).close();
    }

    /**
     * Removes the realm-level role {@code "user"} from the test user in the provider realm,
     * unless a scenario has switched that off through {@code deleteRoleFromUser}.
     */
    @Override
    public void updateUser() {
        if (!deleteRoleFromUser) {
            return;
        }
        adminClient.realm(bc.providerRealmName())
                .users()
                .get(userId)
                .roles()
                .realmLevel()
                .remove(Collections.singletonList(
                        adminClient.realm(bc.providerRealmName()).roles().get("user").toRepresentation()));
    }
}
