package org.keycloak.testsuite.client;

import com.google.common.base.Charsets;
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedList;
import java.util.function.Supplier;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.message.BasicNameValuePair;
import org.junit.Assert;
import org.junit.Assume;
import org.junit.BeforeClass;
import org.junit.Test;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.testsuite.AbstractTestRealmKeycloakTest;
import org.keycloak.testsuite.util.KeycloakModelUtils;
import org.keycloak.testsuite.util.MutualTLSUtils;
import org.keycloak.testsuite.util.OAuthClient;

/* loaded from: input_file:org/keycloak/testsuite/client/MutualTLSClientTest.class */
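/**
 * Integration tests for the {@code client-x509} client authenticator: a confidential client proves
 * its identity with the certificate it presented during the TLS handshake instead of a shared
 * secret. Three clients are registered in the test realm: one whose subject-DN pattern matches any
 * DN, one that is disabled after the login step, and one pinned to
 * {@link #EXACT_CERTIFICATE_SUBJECT_DN}. The tests are skipped unless the auth server was started
 * with {@code auth.server.ssl.required=true}, because mutual TLS needs an HTTPS listener.
 */
public class MutualTLSClientTest extends AbstractTestRealmKeycloakTest {
    private static final boolean sslRequired = Boolean.parseBoolean(System.getProperty("auth.server.ssl.required"));
    private static final String CLIENT_ID = "confidential-x509";
    private static final String DISABLED_CLIENT_ID = "confidential-disabled-x509";
    private static final String EXACT_SUBJECT_DN_CLIENT_ID = "confidential-subjectdn-x509";
    private static final String USER = "keycloak-user@localhost";
    private static final String PASSWORD = "password";
    private static final String REALM = "test";
    private static final String EXACT_CERTIFICATE_SUBJECT_DN = "EMAILADDRESS=contact@keycloak.org, CN=Keycloak Intermediate CA, OU=Keycloak, O=Red Hat, ST=MA, C=US";
    private static final String REDIRECT_URI = "https://localhost:8543/auth/realms/master/app/auth";
    private static final String X509_AUTHENTICATOR = "client-x509";
    private static final String SUBJECT_DN_ATTRIBUTE = "x509.subjectdn";
    // Matches every subject DN, so for clients using it the DN attribute alone does not restrict
    // which certificate is accepted; those clients exercise certificate presence, not DN matching.
    private static final String ANY_SUBJECT_DN = "(.*?)(?:$)";

    /**
     * Registers the three x509-authenticated clients in the test realm.
     *
     * @param realmRepresentation the realm being built before the tests run
     */
    @Override // org.keycloak.testsuite.AbstractTestRealmKeycloakTest
    public void configureTestRealm(RealmRepresentation realmRepresentation) {
        registerX509Client(realmRepresentation, CLIENT_ID, ANY_SUBJECT_DN);
        registerX509Client(realmRepresentation, DISABLED_CLIENT_ID, ANY_SUBJECT_DN);
        registerX509Client(realmRepresentation, EXACT_SUBJECT_DN_CLIENT_ID, EXACT_CERTIFICATE_SUBJECT_DN);
    }

    /**
     * Creates one confidential client that authenticates with {@code client-x509} and whose accepted
     * certificate subject DN is given by {@code subjectDnPattern}.
     *
     * @param realm            realm the client is added to
     * @param clientId         client identifier
     * @param subjectDnPattern value of the {@code x509.subjectdn} attribute (regex or exact DN)
     */
    private static void registerX509Client(RealmRepresentation realm, String clientId, String subjectDnPattern) {
        ClientRepresentation client = KeycloakModelUtils.createClient(realm, clientId);
        client.setServiceAccountsEnabled(Boolean.TRUE);
        client.setRedirectUris(Arrays.asList(REDIRECT_URI));
        client.setClientAuthenticatorType(X509_AUTHENTICATOR);
        client.setAttributes(Collections.singletonMap(SUBJECT_DN_ATTRIBUTE, subjectDnPattern));
    }

    /** Skips the whole class when the auth server is not running with SSL required. */
    @BeforeClass
    public static void sslRequired() {
        Assume.assumeTrue("\"auth.server.ssl.required\" is required for Mutual TLS tests", sslRequired);
    }

    @Test
    public void testSuccessfulClientInvocationWithProperCertificate() throws Exception {
        assertTokenObtained(loginAndGetAccessTokenResponse(CLIENT_ID, MutualTLSUtils::newCloseableHttpClientWithDefaultKeyStoreAndTrustStore));
    }

    @Test
    public void testSuccessfulClientInvocationWithProperCertificateAndSubjectDN() throws Exception {
        assertTokenObtained(loginAndGetAccessTokenResponse(EXACT_SUBJECT_DN_CLIENT_ID, MutualTLSUtils::newCloseableHttpClientWithDefaultKeyStoreAndTrustStore));
    }

    /** The client_id is sent in the token endpoint's query string instead of the form body. */
    @Test
    public void testSuccessfulClientInvocationWithClientIdInQueryParams() throws Exception {
        OAuthClient.AccessTokenResponse response;
        try (CloseableHttpClient httpClient = MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore()) {
            login(CLIENT_ID);
            response = getAccessTokenResponseWithQueryParams(CLIENT_ID, httpClient);
        }
        assertTokenObtained(response);
    }

    /** A valid certificate whose DN differs from the pinned one must be rejected. */
    @Test
    public void testFailedClientInvocationWithProperCertificateAndWrongSubjectDN() throws Exception {
        assertTokenNotObtained(loginAndGetAccessTokenResponse(EXACT_SUBJECT_DN_CLIENT_ID, MutualTLSUtils::newCloseableHttpClientWithOtherKeyStoreAndTrustStore));
    }

    /** Without a client certificate the token request must fail even though the code is valid. */
    @Test
    public void testFailedClientInvocationWithoutCertificateCertificate() throws Exception {
        assertTokenNotObtained(loginAndGetAccessTokenResponse(CLIENT_ID, MutualTLSUtils::newCloseableHttpClientWithoutKeyStoreAndTrustStore));
    }

    @Test
    public void testFailedClientInvocationWithDisabledClient() throws Exception {
        OAuthClient.AccessTokenResponse response;
        try (CloseableHttpClient httpClient = MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore()) {
            login(DISABLED_CLIENT_ID);
            // Disable the client only after the authorization code was issued: the code exchange
            // must still be refused although the presented certificate is valid.
            disableClient(DISABLED_CLIENT_ID);
            response = getAccessTokenResponse(DISABLED_CLIENT_ID, httpClient);
        }
        assertTokenNotObtained(response);
    }

    /**
     * Performs the browser login for {@code clientId} and exchanges the resulting authorization code
     * over an HTTP client obtained from {@code httpClientSupplier} (which decides whether and which
     * client certificate is presented). The HTTP client is closed before the response is returned.
     *
     * @param clientId           client to authenticate as
     * @param httpClientSupplier factory for the TLS-configured HTTP client used for the token request
     * @return the token endpoint response
     * @throws IOException if closing the HTTP client fails
     */
    private OAuthClient.AccessTokenResponse loginAndGetAccessTokenResponse(String clientId, Supplier<CloseableHttpClient> httpClientSupplier) throws IOException {
        try (CloseableHttpClient httpClient = httpClientSupplier.get()) {
            login(clientId);
            return getAccessTokenResponse(clientId, httpClient);
        }
    }

    /**
     * Exchanges the authorization code from the current browser URL for tokens. No client secret is
     * sent (second argument is {@code null}); the client is expected to be authenticated by the
     * certificate of {@code httpClient}.
     */
    private OAuthClient.AccessTokenResponse getAccessTokenResponse(String clientId, CloseableHttpClient httpClient) {
        return this.oauth.httpClient(() -> httpClient)
                .clientId(clientId)
                .doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), (String) null, httpClient);
    }

    /** Runs the browser login of the test user against {@code clientId}. */
    private void login(String clientId) {
        this.oauth.httpClient(OAuthClient::newCloseableHttpClient).clientId(clientId).doLogin(USER, PASSWORD);
    }

    /** Asserts a 200 response carrying an access token. */
    private void assertTokenObtained(OAuthClient.AccessTokenResponse accessTokenResponse) {
        Assert.assertEquals(200L, accessTokenResponse.getStatusCode());
        Assert.assertNotNull(accessTokenResponse.getAccessToken());
    }

    /** Asserts a 400 response and, importantly, that no access token was issued alongside it. */
    private void assertTokenNotObtained(OAuthClient.AccessTokenResponse accessTokenResponse) {
        Assert.assertEquals(400L, accessTokenResponse.getStatusCode());
        Assert.assertNull(accessTokenResponse.getAccessToken());
    }

    /**
     * Builds and sends the authorization-code token request by hand, with {@code client_id} in the
     * query string and only the grant parameters in the form body.
     *
     * @param clientId   client identifier appended to the token URL
     * @param httpClient TLS-configured client that executes the request
     * @return the wrapped token endpoint response
     * @throws Exception if the request cannot be executed
     */
    private OAuthClient.AccessTokenResponse getAccessTokenResponseWithQueryParams(String clientId, CloseableHttpClient httpClient) throws Exception {
        HttpPost tokenRequest = new HttpPost(this.oauth.getAccessTokenUrl() + "?client_id=" + clientId);
        tokenRequest.setEntity(new UrlEncodedFormEntity(Arrays.asList(
                new BasicNameValuePair("grant_type", "authorization_code"),
                new BasicNameValuePair("code", (String) this.oauth.getCurrentQuery().get("code")),
                new BasicNameValuePair("redirect_uri", this.oauth.getRedirectUri())), Charsets.UTF_8));
        return new OAuthClient.AccessTokenResponse(httpClient.execute(tokenRequest));
    }

    /**
     * Disables {@code clientId} in the test realm through the admin API.
     *
     * @throws IllegalStateException if no client with that id exists in the realm
     */
    private void disableClient(String clientId) {
        java.util.List<ClientRepresentation> found = this.adminClient.realm(REALM).clients().findByClientId(clientId);
        if (found.isEmpty()) {
            throw new IllegalStateException("Client not found in realm " + REALM + ": " + clientId);
        }
        ClientRepresentation client = found.get(0);
        ClientResource clientResource = this.adminClient.realms().realm(REALM).clients().get(client.getId());
        client.setEnabled(false);
        clientResource.update(client);
    }
}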
