package org.keycloak.testsuite.authz;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.function.Supplier;
import javax.ws.rs.core.Response;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.hamcrest.CoreMatchers;
import org.hamcrest.Matchers;
import org.jboss.arquillian.container.test.api.ContainerController;
import org.jboss.arquillian.test.api.ArquillianResource;
import org.jetbrains.annotations.NotNull;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.keycloak.admin.client.resource.AuthorizationResource;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.ClientsResource;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.ResourceResource;
import org.keycloak.admin.client.resource.ScopePermissionsResource;
import org.keycloak.authorization.client.AuthorizationDeniedException;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.Configuration;
import org.keycloak.authorization.client.representation.TokenIntrospectionResponse;
import org.keycloak.authorization.client.util.HttpResponseException;
import org.keycloak.common.util.Base64Url;
import org.keycloak.events.EventType;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.ProtocolMapperRepresentation;
import org.keycloak.representations.idm.RealmEventsConfigRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.AuthorizationResponse;
import org.keycloak.representations.idm.authorization.DecisionStrategy;
import org.keycloak.representations.idm.authorization.JSPolicyRepresentation;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.representations.idm.authorization.PermissionRequest;
import org.keycloak.representations.idm.authorization.PermissionResponse;
import org.keycloak.representations.idm.authorization.PermissionTicketRepresentation;
import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.ResourceServerRepresentation;
import org.keycloak.representations.idm.authorization.ScopePermissionRepresentation;
import org.keycloak.representations.idm.authorization.ScopeRepresentation;
import org.keycloak.representations.idm.authorization.UserPolicyRepresentation;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.client.resources.TestApplicationResourceUrls;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.testsuite.util.RoleBuilder;
import org.keycloak.testsuite.util.RolesBuilder;
import org.keycloak.testsuite.util.UserBuilder;
import org.keycloak.util.JsonSerialization;

@AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
/* loaded from: input_file:org/keycloak/testsuite/authz/EntitlementAPITest.class */
public class EntitlementAPITest extends AbstractAuthzTest {
    // Client ids registered in the "authz-test" realm by addTestRealms, each followed by the
    // adapter configuration file name that the tests hand to getAuthzClient(...).
    private static final String RESOURCE_SERVER_TEST = "resource-server-test";
    private static final String TEST_CLIENT = "test-client";
    private static final String AUTHZ_CLIENT_CONFIG = "default-keycloak.json";
    // Pairwise variants: addTestRealms configures these clients with .pairwise(...).
    private static final String PAIRWISE_RESOURCE_SERVER_TEST = "pairwise-resource-server-test";
    private static final String PAIRWISE_TEST_CLIENT = "test-client-pairwise";
    private static final String PAIRWISE_AUTHZ_CLIENT_CONFIG = "default-keycloak-pairwise.json";
    // Public client (registered with .publicClient()); used by the claim-pushing tests.
    private static final String PUBLIC_TEST_CLIENT = "test-public-client";
    private static final String PUBLIC_TEST_CLIENT_CONFIG = "default-keycloak-public-client.json";
    // NOTE(review): never assigned in the visible part of the class; presumably a cache
    // maintained by getAuthzClient(...) - confirm against that helper.
    private AuthzClient authzClient;

    // Injected by Arquillian; not referenced by the tests visible in this part of the file.
    @ArquillianResource
    protected ContainerController controller;

    // Used by testInvalidRequestWithClaimsFromPublicClient to pin the expected denial.
    @Rule
    public ExpectedException expectedException = ExpectedException.none();

    // Event assertions, e.g. the PERMISSION_TOKEN_ERROR check in
    // testObtainAllEntitlementsInvalidResource.
    @Rule
    public AssertEvents events = new AssertEvents(this);

    /**
     * Registers the {@code authz-test} realm that every test in this class runs against.
     *
     * <p>The realm holds three users (only {@code marta} has {@code uma_authorization}),
     * four confidential clients with authorization services enabled (two of them pairwise)
     * and one public client. All passwords and client secrets are fixed fixture values for
     * this throwaway realm.
     *
     * @param list collection of realms to import; the new realm is appended to it
     */
    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void addTestRealms(List<RealmRepresentation> list) {
        // Fixture-only credentials; they are repeated verbatim by the tests below.
        final String userPassword = "password";
        final String clientSecret = "secret";
        final String resourceServerRedirect = "http://localhost/resource-server-test";
        final String testClientRedirect = "http://localhost/test-client";

        list.add(RealmBuilder.create()
                .name("authz-test")
                .roles(RolesBuilder.create()
                        .realmRole(RoleBuilder.create().name("uma_authorization").build()))
                .user(UserBuilder.create()
                        .username("marta")
                        .password(userPassword)
                        .addRoles("uma_authorization"))
                .user(UserBuilder.create()
                        .username("kolo")
                        .password(userPassword))
                .user(UserBuilder.create()
                        .username("offlineuser")
                        .password(userPassword)
                        .addRoles("offline_access"))
                .client(ClientBuilder.create()
                        .clientId(RESOURCE_SERVER_TEST)
                        .secret(clientSecret)
                        .authorizationServicesEnabled(true)
                        .redirectUris(resourceServerRedirect)
                        .defaultRoles("uma_protection")
                        .directAccessGrants())
                .client(ClientBuilder.create()
                        .clientId(PAIRWISE_RESOURCE_SERVER_TEST)
                        .secret(clientSecret)
                        .authorizationServicesEnabled(true)
                        .redirectUris(resourceServerRedirect)
                        .defaultRoles("uma_protection")
                        .pairwise(TestApplicationResourceUrls.pairwiseSectorIdentifierUri())
                        .directAccessGrants())
                .client(ClientBuilder.create()
                        .clientId(TEST_CLIENT)
                        .secret(clientSecret)
                        .authorizationServicesEnabled(true)
                        .redirectUris(testClientRedirect)
                        .directAccessGrants())
                .client(ClientBuilder.create()
                        .clientId(PAIRWISE_TEST_CLIENT)
                        .secret(clientSecret)
                        .authorizationServicesEnabled(true)
                        .redirectUris(testClientRedirect)
                        .pairwise(TestApplicationResourceUrls.pairwiseSectorIdentifierUri())
                        .directAccessGrants())
                // The public client is the only one registered with wildcard redirect URIs.
                .client(ClientBuilder.create()
                        .clientId(PUBLIC_TEST_CLIENT)
                        .secret(clientSecret)
                        .redirectUris(
                                "http://localhost:8180/auth/realms/master/app/auth/*",
                                "https://localhost:8543/auth/realms/master/app/auth/*")
                        .publicClient())
                .testEventListener()
                .build());

        configureSectorIdentifierRedirectUris();
    }

    /**
     * Publishes the redirect URIs of the pairwise clients through the test application's
     * sector-identifier endpoint. The two URIs match the redirect URIs given to the
     * resource-server and test clients in {@code addTestRealms}.
     */
    private void configureSectorIdentifierRedirectUris() {
        List<String> sectorRedirectUris = Arrays.asList(
                "http://localhost/resource-server-test",
                "http://localhost/test-client");
        testingClient.testApp().oidcClientEndpoints().setSectorIdentifierRedirectUris(sectorRedirectUris);
    }

    /**
     * Sets up authorization data for both resource servers before each test, the plain
     * one first and the pairwise one second.
     *
     * @throws Exception whatever the per-client {@code configureAuthorization(String)} throws
     */
    @Before
    public void configureAuthorization() throws Exception {
        final String[] resourceServers = {RESOURCE_SERVER_TEST, PAIRWISE_RESOURCE_SERVER_TEST};
        for (String resourceServerId : resourceServers) {
            configureAuthorization(resourceServerId);
        }
    }

    /**
     * Removes the authorization data of both resource servers after each test, in the
     * same order in which it was configured.
     *
     * @throws Exception whatever the per-client {@code removeAuthorization(String)} throws
     */
    @After
    public void removeAuthorization() throws Exception {
        final String[] resourceServers = {RESOURCE_SERVER_TEST, PAIRWISE_RESOURCE_SERVER_TEST};
        for (String resourceServerId : resourceServers) {
            removeAuthorization(resourceServerId);
        }
    }

    /** Runs the "RPT without resource names" scenario with the default adapter configuration. */
    @Test
    public void testRptRequestWithoutResourceName() {
        final String configFile = AUTHZ_CLIENT_CONFIG;
        testRptRequestWithoutResourceName(configFile);
    }

    /** Runs the "RPT without resource names" scenario with the pairwise adapter configuration. */
    @Test
    public void testRptRequestWithoutResourceNamePairwise() {
        final String configFile = PAIRWISE_AUTHZ_CLIENT_CONFIG;
        testRptRequestWithoutResourceName(configFile);
    }

    /**
     * Requests a permission on "Resource 1" as {@code marta} with
     * {@code includeResourceName} switched off and hands the outcome to
     * {@code assertResponse} together with the same metadata object.
     *
     * @param str adapter configuration file name passed to {@code getAuthzClient}
     */
    public void testRptRequestWithoutResourceName(String str) {
        final AuthorizationRequest.Metadata withoutNames = new AuthorizationRequest.Metadata();
        withoutNames.setIncludeResourceName(false);

        // The request is built inside the supplier, i.e. only when assertResponse invokes it.
        assertResponse(withoutNames, () -> {
            AuthorizationRequest request = new AuthorizationRequest();
            request.setMetadata(withoutNames);
            request.addPermission("Resource 1", new String[0]);
            return getAuthzClient(str).authorization("marta", "password").authorize(request);
        });
    }

    /** Runs the "RPT with resource names" scenario with the default adapter configuration. */
    @Test
    public void testRptRequestWithResourceName() {
        final String configFile = AUTHZ_CLIENT_CONFIG;
        testRptRequestWithResourceName(configFile);
    }

    /** Runs the "RPT with resource names" scenario with the pairwise adapter configuration. */
    @Test
    public void testRptRequestWithResourceNamePairwise() {
        final String configFile = PAIRWISE_AUTHZ_CLIENT_CONFIG;
        testRptRequestWithResourceName(configFile);
    }

    /**
     * Sends an authorization request for "Resource 13" that carries a pushed claim token,
     * authenticated as {@code marta} through the confidential client configuration, and
     * passes the result to {@code assertResponse}.
     *
     * <p>NOTE(review): the method name says "Invalid", yet no failure is expected here,
     * unlike the public-client variant of this test; {@code assertResponse} is defined
     * outside this part of the file, so confirm what it asserts.
     *
     * @throws IOException if the claim map cannot be serialized to JSON
     */
    @Test
    public void testInvalidRequestWithClaimsFromConfidentialClient() throws IOException {
        // Claim token = base64url(JSON object of claims).
        HashMap<String, Object> pushedClaims = new HashMap<>();
        pushedClaims.put("claim-a", "claim-a");
        String encodedClaims = Base64Url.encode(JsonSerialization.writeValueAsBytes(pushedClaims));

        AuthorizationRequest request = new AuthorizationRequest();
        request.addPermission("Resource 13", new String[0]);
        request.setClaimToken(encodedClaims);

        assertResponse(
                new AuthorizationRequest.Metadata(),
                () -> getAuthzClient(AUTHZ_CLIENT_CONFIG).authorization("marta", "password").authorize(request));
    }

    /**
     * Verifies that a pushed claim token is refused when the access token was issued to a
     * public client: the authorize call must fail with
     * {@link AuthorizationDeniedException}, caused by an HTTP 403 whose message is
     * "Public clients are not allowed to send claims".
     *
     * @throws IOException if the claim map cannot be serialized to JSON
     */
    @Test
    public void testInvalidRequestWithClaimsFromPublicClient() throws IOException {
        // Obtain an access token for marta through the public client's login flow.
        oauth.realm("authz-test");
        oauth.clientId(PUBLIC_TEST_CLIENT);
        oauth.doLogin("marta", "password");
        String code = (String) oauth.getCurrentQuery().get("code");
        OAuthClient.AccessTokenResponse publicClientTokens = oauth.doAccessTokenRequest(code, (String) null);

        AuthorizationRequest request = new AuthorizationRequest();
        request.addPermission("Resource 13", new String[0]);
        HashMap<String, Object> pushedClaims = new HashMap<>();
        pushedClaims.put("claim-a", "claim-a");
        request.setClaimToken(Base64Url.encode(JsonSerialization.writeValueAsBytes(pushedClaims)));

        // Expectations must be registered before the call that is supposed to throw.
        expectedException.expect(AuthorizationDeniedException.class);
        expectedException.expectCause(Matchers.allOf(
                Matchers.instanceOf(HttpResponseException.class),
                Matchers.hasProperty("statusCode", Matchers.is(403))));
        expectedException.expectMessage("Public clients are not allowed to send claims");
        expectedException.reportMissingExceptionWithMessage("Should fail, public clients not allowed");

        getAuthzClient(AUTHZ_CLIENT_CONFIG).authorization(publicClientTokens.getAccessToken()).authorize(request);
    }

    /**
     * Counterpart of the claim-pushing test: the same public-client access token is used
     * to request "Resource 13" without a claim token, and the result is handed to
     * {@code assertResponse} instead of expecting a denial.
     */
    @Test
    public void testRequestWithoutClaimsFromPublicClient() {
        // Obtain an access token for marta through the public client's login flow.
        oauth.realm("authz-test");
        oauth.clientId(PUBLIC_TEST_CLIENT);
        oauth.doLogin("marta", "password");
        String code = (String) oauth.getCurrentQuery().get("code");
        OAuthClient.AccessTokenResponse publicClientTokens = oauth.doAccessTokenRequest(code, (String) null);

        AuthorizationRequest request = new AuthorizationRequest();
        request.addPermission("Resource 13", new String[0]);

        assertResponse(
                new AuthorizationRequest.Metadata(),
                () -> getAuthzClient(AUTHZ_CLIENT_CONFIG).authorization(publicClientTokens.getAccessToken()).authorize(request));
    }

    /** Runs the permission-limit scenario with the default adapter configuration. */
    @Test
    public void testPermissionLimit() {
        final String configFile = AUTHZ_CLIENT_CONFIG;
        testPermissionLimit(configFile);
    }

    /** Runs the permission-limit scenario with the pairwise adapter configuration. */
    @Test
    public void testPermissionLimitPairwise() {
        final String configFile = PAIRWISE_AUTHZ_CLIENT_CONFIG;
        testPermissionLimit(configFile);
    }

    /**
     * Checks that the {@code limit} metadata caps the number of permissions in an RPT and
     * that, when a previous RPT is upgraded, newly requested permissions are listed first
     * and the carried-over ones fill the remaining slots.
     *
     * <p>Four rounds, all as {@code marta}: resources 1-10 with limit 10; resources 11-15
     * on top of round one; resources 16-18 on top of round two; and finally no new
     * resources with the limit lowered to 5.
     *
     * @param str adapter configuration file name passed to {@code getAuthzClient}
     */
    public void testPermissionLimit(String str) {
        // One metadata object is shared by all rounds; its limit is lowered before round four.
        AuthorizationRequest.Metadata metadata = new AuthorizationRequest.Metadata();
        metadata.setLimit(10);

        // Round 1: ten resources, limit ten -> all ten come back in request order.
        AuthorizationRequest firstRequest = new AuthorizationRequest();
        for (int n = 1; n <= 10; n++) {
            firstRequest.addPermission("Resource " + n, new String[0]);
        }
        firstRequest.setMetadata(metadata);
        AuthorizationResponse firstResponse = getAuthzClient(str).authorization("marta", "password").authorize(firstRequest);
        List<Permission> firstGranted = new ArrayList<>(toAccessToken(firstResponse.getToken()).getAuthorization().getPermissions());
        Assert.assertEquals(10L, firstGranted.size());
        for (int idx = 0; idx < 10; idx++) {
            Assert.assertEquals("Resource " + (idx + 1), firstGranted.get(idx).getResourceName());
        }

        // Round 2: five new resources plus the previous RPT -> 11..15 first, then 1..5.
        AuthorizationRequest secondRequest = new AuthorizationRequest();
        for (int n = 11; n <= 15; n++) {
            secondRequest.addPermission("Resource " + n, new String[0]);
        }
        secondRequest.setMetadata(metadata);
        secondRequest.setRpt(firstResponse.getToken());
        AuthorizationResponse secondResponse = getAuthzClient(str).authorization("marta", "password").authorize(secondRequest);
        List<Permission> secondGranted = new ArrayList<>(toAccessToken(secondResponse.getToken()).getAuthorization().getPermissions());
        Assert.assertEquals(10L, secondGranted.size());
        for (int idx = 0; idx < 10; idx++) {
            int expectedNumber = idx < 5 ? idx + 11 : idx - 4;
            Assert.assertEquals("Resource " + expectedNumber, secondGranted.get(idx).getResourceName());
        }

        // Round 3: three new resources plus the round-two RPT.
        AuthorizationRequest thirdRequest = new AuthorizationRequest();
        for (int n = 16; n <= 18; n++) {
            thirdRequest.addPermission("Resource " + n, new String[0]);
        }
        thirdRequest.setMetadata(metadata);
        thirdRequest.setRpt(secondResponse.getToken());
        AuthorizationResponse thirdResponse = getAuthzClient(str).authorization("marta", "password").authorize(thirdRequest);
        List<Permission> thirdGranted = new ArrayList<>(toAccessToken(thirdResponse.getToken()).getAuthorization().getPermissions());
        Assert.assertEquals(10L, thirdGranted.size());
        String[] expectedThird = {
            "Resource 16", "Resource 17", "Resource 18",
            "Resource 11", "Resource 12", "Resource 13", "Resource 14", "Resource 15",
            "Resource 1", "Resource 2"
        };
        for (int idx = 0; idx < expectedThird.length; idx++) {
            Assert.assertEquals(expectedThird[idx], thirdGranted.get(idx).getResourceName());
        }

        // Round 4: nothing new requested, limit lowered to five -> first five of round three.
        AuthorizationRequest fourthRequest = new AuthorizationRequest();
        metadata.setLimit(5);
        fourthRequest.setMetadata(metadata);
        fourthRequest.setRpt(thirdResponse.getToken());
        AuthorizationResponse fourthResponse = getAuthzClient(str).authorization("marta", "password").authorize(fourthRequest);
        List<Permission> fourthGranted = new ArrayList<>(toAccessToken(fourthResponse.getToken()).getAuthorization().getPermissions());
        Assert.assertEquals(5L, fourthGranted.size());
        String[] expectedFourth = {"Resource 16", "Resource 17", "Resource 18", "Resource 11", "Resource 12"};
        for (int idx = 0; idx < expectedFourth.length; idx++) {
            Assert.assertEquals(expectedFourth[idx], fourthGranted.get(idx).getResourceName());
        }
    }

    /**
     * Audience scenario: plain client requesting permissions from the plain resource server.
     *
     * @throws Exception propagated from the shared scenario
     */
    @Test
    public void testResourceServerAsAudience() throws Exception {
        final String client = TEST_CLIENT;
        final String resourceServer = RESOURCE_SERVER_TEST;
        testResourceServerAsAudience(client, resourceServer, AUTHZ_CLIENT_CONFIG);
    }

    /**
     * Audience scenario: pairwise client requesting permissions from the plain resource server.
     *
     * @throws Exception propagated from the shared scenario
     */
    @Test
    public void testResourceServerAsAudienceWithPairwiseClient() throws Exception {
        final String client = PAIRWISE_TEST_CLIENT;
        final String resourceServer = RESOURCE_SERVER_TEST;
        testResourceServerAsAudience(client, resourceServer, AUTHZ_CLIENT_CONFIG);
    }

    /**
     * Audience scenario: plain client requesting permissions from the pairwise resource server.
     *
     * @throws Exception propagated from the shared scenario
     */
    @Test
    public void testPairwiseResourceServerAsAudience() throws Exception {
        final String client = TEST_CLIENT;
        final String resourceServer = PAIRWISE_RESOURCE_SERVER_TEST;
        testResourceServerAsAudience(client, resourceServer, PAIRWISE_AUTHZ_CLIENT_CONFIG);
    }

    /**
     * Audience scenario: pairwise client requesting permissions from the pairwise resource server.
     *
     * @throws Exception propagated from the shared scenario
     */
    @Test
    public void testPairwiseResourceServerAsAudienceWithPairwiseClient() throws Exception {
        final String client = PAIRWISE_TEST_CLIENT;
        final String resourceServer = PAIRWISE_RESOURCE_SERVER_TEST;
        testResourceServerAsAudience(client, resourceServer, PAIRWISE_AUTHZ_CLIENT_CONFIG);
    }

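    /**
     * Exercises owner-managed access on a resource owned by {@code marta} and protected by
     * an "only owner" JS policy.
     *
     * <p>What the assertions pin down, in order:
     * <ol>
     *   <li>the owner has access, {@code kolo} does not;</li>
     *   <li>once the permission ticket raised for {@code kolo} is marked granted,
     *       {@code kolo} has access;</li>
     *   <li>adding "Scope A" to the resource withdraws that access until a ticket for
     *       "Scope A" is granted as well;</li>
     *   <li>adding "Scope B" afterwards leaves the resource and "Scope A" accessible but
     *       not "Scope B";</li>
     *   <li>clearing all scopes keeps resource-level access and drops both scopes.</li>
     * </ol>
     *
     * <p>The create response is read inside a try-with-resources block. The previous
     * version carried decompiler residue (always-false {@code 0 != 0} branches and a
     * catch-all around the whole test body that closed the already closed response again).
     *
     * @throws Exception on any unexpected failure while talking to the server
     */
    @Test
    public void testObtainAllEntitlements() throws Exception {
        AuthorizationResource authorization = getClient(getRealm(), RESOURCE_SERVER_TEST).authorization();

        // Grants only when the requesting identity is the resource owner.
        JSPolicyRepresentation ownerPolicy = new JSPolicyRepresentation();
        ownerPolicy.setName("Only Owner Policy");
        ownerPolicy.setCode("if ($evaluation.getContext().getIdentity().getId() == $evaluation.getPermission().getResource().getOwner()) {$evaluation.grant();}");
        authorization.policies().js().create(ownerPolicy).close();

        ResourceRepresentation newResource = new ResourceRepresentation();
        newResource.setName("Marta Resource");
        newResource.setOwner("marta");
        newResource.setOwnerManagedAccess(true);

        ResourceRepresentation resource;
        try (Response response = authorization.resources().create(newResource)) {
            resource = response.readEntity(ResourceRepresentation.class);
        }

        ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
        permission.setName("Marta Resource Permission");
        permission.addResource(resource.getId());
        permission.addPolicy(new String[]{ownerPolicy.getName()});
        authorization.permissions().resource().create(permission).close();

        Assert.assertTrue(hasPermission("marta", "password", resource.getId()));
        Assert.assertFalse(hasPermission("kolo", "password", resource.getId()));

        // kolo asks for access with a permission ticket for the bare resource.
        String koloToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
        AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
        PermissionResponse resourceTicket = authzClient.protection().permission().create(new PermissionRequest(resource.getId(), new String[0]));
        AuthorizationRequest ticketRequest = new AuthorizationRequest();
        ticketRequest.setTicket(resourceTicket.getTicket());
        try {
            authzClient.authorization(koloToken).authorize(ticketRequest);
        } catch (Exception ignored) {
            // Deliberately not asserted: the outcome of this call is irrelevant here, the
            // test only relies on the single ticket it finds for the resource afterwards.
            // NOTE(review): presumably the request is denied and recorded as a pending
            // ticket; asserting the denial explicitly would make that intent visible.
        }

        List<PermissionTicketRepresentation> resourceTickets = authzClient.protection().permission().findByResource(resource.getId());
        Assert.assertEquals(1L, resourceTickets.size());
        PermissionTicketRepresentation pendingResourceTicket = resourceTickets.get(0);
        pendingResourceTicket.setGranted(true);
        authzClient.protection().permission().update(pendingResourceTicket);
        Assert.assertTrue(hasPermission("kolo", "password", resource.getId()));

        // Adding a scope to the resource withdraws the access granted so far.
        resource.addScope(new String[]{"Scope A"});
        authorization.resources().resource(resource.getId()).update(resource);
        Assert.assertFalse(hasPermission("kolo", "password", resource.getId()));

        String koloTokenForScope = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
        PermissionResponse scopeTicket = authzClient.protection().permission().create(new PermissionRequest(resource.getId(), new String[]{"Scope A"}));
        AuthorizationRequest scopeTicketRequest = new AuthorizationRequest();
        scopeTicketRequest.setTicket(scopeTicket.getTicket());
        try {
            authzClient.authorization(koloTokenForScope).authorize(scopeTicketRequest);
        } catch (Exception ignored) {
            // Same as above: outcome intentionally unasserted, only the resulting
            // "Scope A" ticket matters for the checks that follow.
        }

        List<PermissionTicketRepresentation> scopeTickets = authzClient.protection().permission().find(resource.getId(), "Scope A", (String) null, (String) null, false, false, (Integer) null, (Integer) null);
        Assert.assertEquals(1L, scopeTickets.size());
        PermissionTicketRepresentation pendingScopeTicket = scopeTickets.get(0);
        pendingScopeTicket.setGranted(true);
        authzClient.protection().permission().update(pendingScopeTicket);
        Assert.assertTrue(hasPermission("kolo", "password", resource.getId(), "Scope A"));

        // A second scope is not covered by the tickets granted so far.
        resource.addScope(new String[]{"Scope B"});
        authorization.resources().resource(resource.getId()).update(resource);
        Assert.assertTrue(hasPermission("kolo", "password", resource.getId()));
        Assert.assertTrue(hasPermission("kolo", "password", resource.getId(), "Scope A"));
        Assert.assertFalse(hasPermission("kolo", "password", resource.getId(), "Scope B"));

        // Removing every scope keeps resource-level access but no scope-level access.
        resource.setScopes(new HashSet<>());
        authorization.resources().resource(resource.getId()).update(resource);
        Assert.assertTrue(hasPermission("kolo", "password", resource.getId()));
        Assert.assertFalse(hasPermission("kolo", "password", resource.getId(), "Scope A"));
        Assert.assertFalse(hasPermission("kolo", "password", resource.getId(), "Scope B"));
    }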

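    /**
     * Checks that the {@code limit} metadata caps the number of permissions when all
     * entitlements are requested: unrestricted, {@code marta} receives at least 20
     * permissions; with a limit of 10 exactly 10, and with a limit of 1 exactly one.
     *
     * <p>The previous version referred to an undeclared variable {@code r0} (a decompiler
     * register name) and did not compile; the client-side authorization resource is now
     * held in a local and reused for all three calls.
     *
     * @throws Exception on any unexpected failure while talking to the server
     */
    @Test
    public void testObtainAllEntitlementsWithLimit() throws Exception {
        // Fully qualified: the simple name AuthorizationResource is already imported from
        // the admin client package, and this is the authorization client's type.
        org.keycloak.authorization.client.resource.AuthorizationResource entitlements =
                getAuthzClient(AUTHZ_CLIENT_CONFIG).authorization("marta", "password");

        Assert.assertTrue(toAccessToken(entitlements.authorize().getToken()).getAuthorization().getPermissions().size() >= 20);

        AuthorizationRequest authorizationRequest = new AuthorizationRequest();
        AuthorizationRequest.Metadata metadata = new AuthorizationRequest.Metadata();
        metadata.setLimit(10);
        authorizationRequest.setMetadata(metadata);
        Assert.assertEquals(10L, toAccessToken(entitlements.authorize(authorizationRequest).getToken()).getAuthorization().getPermissions().size());

        metadata.setLimit(1);
        authorizationRequest.setMetadata(metadata);
        Assert.assertEquals(1L, toAccessToken(entitlements.authorize(authorizationRequest).getToken()).getAuthorization().getPermissions().size());
    }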

    /**
     * Verifies that a permission request naming a resource that does not exist is rejected
     * and audited: the call must fail with an HTTP 400 whose text contains
     * {@code invalid_resource}, and a {@code PERMISSION_TOKEN_ERROR} event with error
     * {@code invalid_request} and the "does not exist" reason must be recorded.
     *
     * <p>The resource created here is called "Sensors"; the request asks for "Sensortest".
     *
     * @throws Exception on any unexpected failure while talking to the server
     */
    @Test
    public void testObtainAllEntitlementsInvalidResource() throws Exception {
        AuthorizationResource authorization = getClient(getRealm(), RESOURCE_SERVER_TEST).authorization();

        // Always-grant policy, so a rejection can only come from request validation.
        JSPolicyRepresentation grantAll = new JSPolicyRepresentation();
        grantAll.setName(KeycloakModelUtils.generateId());
        grantAll.setCode("$evaluation.grant();");
        authorization.policies().js().create(grantAll).close();

        ResourceRepresentation sensors = new ResourceRepresentation();
        sensors.setName("Sensors");
        sensors.addScope(new String[]{"sensors:view", "sensors:update", "sensors:delete"});
        authorization.resources().create(sensors).close();

        ScopePermissionRepresentation viewSensor = new ScopePermissionRepresentation();
        viewSensor.setName("View Sensor");
        viewSensor.addScope(new String[]{"sensors:view"});
        viewSensor.addPolicy(new String[]{grantAll.getName()});
        authorization.permissions().scope().create(viewSensor).close();

        String koloToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
        AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
        AuthorizationRequest request = new AuthorizationRequest();
        request.addPermission("Sensortest", new String[]{"sensors:view"});

        // Start from an empty queue so the event asserted below belongs to this request.
        getTestContext().getTestingClient().testing().clearEventQueue();

        try {
            authzClient.authorization(koloToken).authorize(request);
            Assert.fail("resource is invalid");
        } catch (RuntimeException e) {
            HttpResponseException httpFailure = HttpResponseException.class.cast(e.getCause());
            Assert.assertEquals(400L, httpFailure.getStatusCode());
            Assert.assertTrue(httpFailure.toString().contains("invalid_resource"));
        }

        events.expect(EventType.PERMISSION_TOKEN_ERROR)
                .realm(getRealm().toRepresentation().getId())
                .client(RESOURCE_SERVER_TEST)
                .session((String) null)
                .error("invalid_request")
                .detail("reason", "Resource with id [Sensortest] does not exist.")
                .user(AssertEvents.isUUID())
                .assertEvent();
    }

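    /**
     * Verifies that a permission request naming an unknown scope is rejected with an
     * HTTP 400 containing {@code invalid_scope}, both when the scope is requested on an
     * existing resource and when no resource is given at all.
     *
     * <p>The create response is read inside a try-with-resources block. The previous
     * version carried decompiler residue (always-false {@code 0 != 0} branches and a
     * catch-all around the test body that closed the already closed response again).
     *
     * @throws Exception on any unexpected failure while talking to the server
     */
    @Test
    public void testObtainAllEntitlementsInvalidScope() throws Exception {
        AuthorizationResource authorization = getClient(getRealm(), RESOURCE_SERVER_TEST).authorization();

        // Always-grant policy, so a rejection can only come from request validation.
        JSPolicyRepresentation grantAll = new JSPolicyRepresentation();
        grantAll.setName(KeycloakModelUtils.generateId());
        grantAll.setCode("$evaluation.grant();");
        authorization.policies().js().create(grantAll).close();

        ResourceRepresentation newResource = new ResourceRepresentation();
        newResource.setName(KeycloakModelUtils.generateId());
        newResource.addScope(new String[]{"sensors:view", "sensors:update", "sensors:delete"});

        ResourceRepresentation resource;
        try (Response response = authorization.resources().create(newResource)) {
            resource = response.readEntity(ResourceRepresentation.class);
        }

        ScopePermissionRepresentation viewPermission = new ScopePermissionRepresentation();
        viewPermission.setName(KeycloakModelUtils.generateId());
        viewPermission.addScope(new String[]{"sensors:view"});
        viewPermission.addPolicy(new String[]{grantAll.getName()});
        authorization.permissions().scope().create(viewPermission).close();

        String koloToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
        AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);

        // Case 1: unknown scope on an existing resource.
        AuthorizationRequest withResource = new AuthorizationRequest();
        withResource.addPermission(resource.getId(), new String[]{"sensors:view_invalid"});
        try {
            authzClient.authorization(koloToken).authorize(withResource);
            Assert.fail("scope is invalid");
        } catch (RuntimeException e) {
            HttpResponseException httpFailure = HttpResponseException.class.cast(e.getCause());
            Assert.assertEquals(400L, httpFailure.getStatusCode());
            Assert.assertTrue(httpFailure.toString().contains("invalid_scope"));
        }

        // Case 2: unknown scope with no resource id.
        AuthorizationRequest scopeOnly = new AuthorizationRequest();
        scopeOnly.addPermission((String) null, new String[]{"sensors:view_invalid"});
        try {
            authzClient.authorization(koloToken).authorize(scopeOnly);
            Assert.fail("scope is invalid");
        } catch (RuntimeException e) {
            HttpResponseException httpFailure = HttpResponseException.class.cast(e.getCause());
            Assert.assertEquals(400L, httpFailure.getStatusCode());
            Assert.assertTrue(httpFailure.toString().contains("invalid_scope"));
        }
    }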

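    /**
     * Verifies scope-only entitlement requests (no resource id) against a scope permission that
     * covers {@code sensors:view} and {@code sensors:update}.
     *
     * <p>Two resources are created, one with view/update/delete and one with view/update. Every
     * request is expected to yield one permission per created resource. The third step also asks
     * for {@code sensors:delete}, and the assertions require that the grant stays at view/update:
     * the scope permission created here does not cover delete, so requesting it must not widen
     * the result.
     *
     * @throws Exception if resource setup or the token request fails
     */
    @Test
    public void testObtainAllEntitlementsForScope() throws Exception {
        AuthorizationResource authorization = getClient(getRealm(), RESOURCE_SERVER_TEST).authorization();

        // Always-grant policy, so the outcome depends only on what the permission covers.
        JSPolicyRepresentation grantPolicy = new JSPolicyRepresentation();
        grantPolicy.setName(KeycloakModelUtils.generateId());
        grantPolicy.setCode("$evaluation.grant();");
        authorization.policies().js().create(grantPolicy).close();

        Set<String> resourceIds = new HashSet<>();

        ResourceRepresentation fullResource = new ResourceRepresentation();
        fullResource.setName(KeycloakModelUtils.generateId());
        fullResource.addScope("sensors:view", "sensors:update", "sensors:delete");
        // try-with-resources releases the response even when readEntity throws.
        try (Response response = authorization.resources().create(fullResource)) {
            resourceIds.add(response.readEntity(ResourceRepresentation.class).getId());
        }

        ResourceRepresentation partialResource = new ResourceRepresentation();
        partialResource.setName(KeycloakModelUtils.generateId());
        partialResource.addScope("sensors:view", "sensors:update");
        try (Response response = authorization.resources().create(partialResource)) {
            resourceIds.add(response.readEntity(ResourceRepresentation.class).getId());
        }

        // The permission deliberately omits sensors:delete.
        ScopePermissionRepresentation scopePermission = new ScopePermissionRepresentation();
        scopePermission.setName(KeycloakModelUtils.generateId());
        scopePermission.addScope("sensors:view", "sensors:update");
        scopePermission.addPolicy(grantPolicy.getName());
        authorization.permissions().scope().create(scopePermission).close();

        String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
        AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);

        // A null resource id asks for the scopes without naming a resource.
        final String anyResource = null;

        // Step 1: only sensors:view is requested.
        AuthorizationRequest request = new AuthorizationRequest();
        request.addPermission(anyResource, "sensors:view");
        AuthorizationResponse response = authzClient.authorization(accessToken).authorize(request);
        Assert.assertNotNull(response.getToken());
        Collection<Permission> granted = toAccessToken(response.getToken()).getAuthorization().getPermissions();
        Assert.assertEquals(2, granted.size());
        for (Permission permission : granted) {
            Assert.assertTrue(resourceIds.contains(permission.getResourceId()));
            Assert.assertEquals(1, permission.getScopes().size());
            Assert.assertTrue(permission.getScopes().containsAll(Arrays.asList("sensors:view")));
        }

        // Step 2: the same request object additionally asks for view + update.
        request.addPermission(anyResource, "sensors:view", "sensors:update");
        response = authzClient.authorization(accessToken).authorize(request);
        Assert.assertNotNull(response.getToken());
        granted = toAccessToken(response.getToken()).getAuthorization().getPermissions();
        Assert.assertEquals(2, granted.size());
        for (Permission permission : granted) {
            Assert.assertTrue(resourceIds.contains(permission.getResourceId()));
            Assert.assertEquals(2, permission.getScopes().size());
            Assert.assertTrue(permission.getScopes().containsAll(Arrays.asList("sensors:view", "sensors:update")));
        }

        // Step 3: sensors:delete is requested as well; the grant must stay at view + update.
        request.addPermission(anyResource, "sensors:view", "sensors:update", "sensors:delete");
        response = authzClient.authorization(accessToken).authorize(request);
        Assert.assertNotNull(response.getToken());
        granted = toAccessToken(response.getToken()).getAuthorization().getPermissions();
        Assert.assertEquals(2, granted.size());
        for (Permission permission : granted) {
            Assert.assertTrue(resourceIds.contains(permission.getResourceId()));
            Assert.assertEquals(2, permission.getScopes().size());
            Assert.assertTrue(permission.getScopes().containsAll(Arrays.asList("sensors:view", "sensors:update")));
        }

        // Step 4: a fresh request with one entry per scope must produce the same merged grant.
        AuthorizationRequest splitRequest = new AuthorizationRequest();
        splitRequest.addPermission(anyResource, "sensors:view");
        splitRequest.addPermission(anyResource, "sensors:update");
        response = authzClient.authorization(accessToken).authorize(splitRequest);
        Assert.assertNotNull(response.getToken());
        granted = toAccessToken(response.getToken()).getAuthorization().getPermissions();
        Assert.assertEquals(2, granted.size());
        for (Permission permission : granted) {
            Assert.assertTrue(resourceIds.contains(permission.getResourceId()));
            Assert.assertEquals(2, permission.getScopes().size());
            Assert.assertTrue(permission.getScopes().containsAll(Arrays.asList("sensors:view", "sensors:update")));
        }
    }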

    /**
     * Requests a scope that exists on the resource server but is not attached to any resource
     * created by this test, and checks the shape of the resulting grant.
     *
     * <p>The expected result is a single permission with a {@code null} resource id that carries
     * only {@code sensors:view}.
     * NOTE(review): despite the "WithDeny" name, the only policy created here grants; confirm
     * whether a deny policy was intended.
     *
     * @throws Exception if setup or the token request fails
     */
    @Test
    public void testObtainAllEntitlementsForScopeWithDeny() throws Exception {
        AuthorizationResource authz = getClient(getRealm(), RESOURCE_SERVER_TEST).authorization();

        // Always-grant JS policy backing the scope permission below.
        JSPolicyRepresentation grantPolicy = new JSPolicyRepresentation();
        grantPolicy.setName(KeycloakModelUtils.generateId());
        grantPolicy.setCode("$evaluation.grant();");
        authz.policies().js().create(grantPolicy).close();

        // Stand-alone scope: created directly on the resource server, not through a resource.
        authz.scopes().create(new ScopeRepresentation("sensors:view")).close();

        ScopePermissionRepresentation viewPermission = new ScopePermissionRepresentation();
        viewPermission.setName(KeycloakModelUtils.generateId());
        viewPermission.addScope("sensors:view");
        viewPermission.addPolicy(grantPolicy.getName());
        authz.permissions().scope().create(viewPermission).close();

        String userToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
        AuthzClient client = getAuthzClient(AUTHZ_CLIENT_CONFIG);

        // A null resource id requests the scope without naming a resource.
        final String anyResource = null;
        AuthorizationRequest scopeOnlyRequest = new AuthorizationRequest();
        scopeOnlyRequest.addPermission(anyResource, "sensors:view");

        AuthorizationResponse rpt = client.authorization(userToken).authorize(scopeOnlyRequest);
        Assert.assertNotNull(rpt.getToken());

        Collection<Permission> granted = toAccessToken(rpt.getToken()).getAuthorization().getPermissions();
        Assert.assertEquals(1, granted.size());
        granted.forEach(entry -> {
            Assert.assertNull(entry.getResourceId());
            Assert.assertEquals(1, entry.getScopes().size());
            Assert.assertTrue(entry.getScopes().contains("sensors:view"));
        });
    }

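    /**
     * Verifies that a resource permission grants the scopes currently defined on the resource,
     * and that a scope removed from the resource is no longer granted.
     *
     * <p>The resource starts with view/update/delete and is then updated to view/update. The same
     * access token is reused for every request, so the later assertions reflect the server-side
     * change rather than a new login. The three scopes are requested both without a resource id
     * and with the explicit resource id; after the update both forms must yield only view/update.
     *
     * @throws Exception if setup or the token request fails
     */
    @Test
    public void testObtainAllEntitlementsForResourceWithResourcePermission() throws Exception {
        AuthorizationResource authorization = getClient(getRealm(), RESOURCE_SERVER_TEST).authorization();

        JSPolicyRepresentation grantPolicy = new JSPolicyRepresentation();
        grantPolicy.setName(KeycloakModelUtils.generateId());
        grantPolicy.setCode("$evaluation.grant();");
        authorization.policies().js().create(grantPolicy).close();

        ResourceRepresentation resource = new ResourceRepresentation();
        resource.setName(KeycloakModelUtils.generateId());
        resource.addScope("scope:view", "scope:update", "scope:delete");
        // Scope the response to the read only; it is closed even when readEntity throws.
        try (Response response = authorization.resources().create(resource)) {
            resource = response.readEntity(ResourceRepresentation.class);
        }

        ResourcePermissionRepresentation resourcePermission = new ResourcePermissionRepresentation();
        resourcePermission.setName(KeycloakModelUtils.generateId());
        resourcePermission.addResource(resource.getId());
        resourcePermission.addPolicy(grantPolicy.getName());
        authorization.permissions().resource().create(resourcePermission).close();

        String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
        AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
        final String anyResource = null;

        // Step 1: all three scopes exist on the resource and all three are expected back.
        AuthorizationRequest request = new AuthorizationRequest();
        request.addPermission(anyResource, "scope:view", "scope:update", "scope:delete");
        AuthorizationResponse response = authzClient.authorization(accessToken).authorize(request);
        Assert.assertNotNull(response.getToken());
        Collection<Permission> granted = toAccessToken(response.getToken()).getAuthorization().getPermissions();
        Assert.assertEquals(1, granted.size());
        for (Permission permission : granted) {
            Assert.assertEquals(resource.getId(), permission.getResourceId());
            Assert.assertEquals(3, permission.getScopes().size());
            // Check every expected scope; checking scope:view alone would accept a wrong set of three.
            Assert.assertTrue(permission.getScopes().containsAll(Arrays.asList("scope:view", "scope:update", "scope:delete")));
        }

        // Drop scope:delete from the resource definition.
        resource.setScopes(new HashSet<>());
        resource.addScope("scope:view", "scope:update");
        authorization.resources().resource(resource.getId()).update(resource);

        // Step 2: scope:delete is still requested but must no longer be granted.
        request = new AuthorizationRequest();
        request.addPermission(anyResource, "scope:view", "scope:update", "scope:delete");
        response = authzClient.authorization(accessToken).authorize(request);
        Assert.assertNotNull(response.getToken());
        granted = toAccessToken(response.getToken()).getAuthorization().getPermissions();
        Assert.assertEquals(1, granted.size());
        for (Permission permission : granted) {
            Assert.assertEquals(resource.getId(), permission.getResourceId());
            Assert.assertEquals(2, permission.getScopes().size());
            Assert.assertTrue(permission.getScopes().containsAll(Arrays.asList("scope:view", "scope:update")));
        }

        // Step 3: same expectation when the resource is addressed by id.
        request = new AuthorizationRequest();
        request.addPermission(resource.getId(), "scope:view", "scope:update", "scope:delete");
        response = authzClient.authorization(accessToken).authorize(request);
        Assert.assertNotNull(response.getToken());
        granted = toAccessToken(response.getToken()).getAuthorization().getPermissions();
        Assert.assertEquals(1, granted.size());
        for (Permission permission : granted) {
            Assert.assertEquals(resource.getId(), permission.getResourceId());
            Assert.assertEquals(2, permission.getScopes().size());
            Assert.assertTrue(permission.getScopes().containsAll(Arrays.asList("scope:view", "scope:update")));
        }
    }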

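    /**
     * Verifies that scope permissions stay confined to what they are bound to.
     *
     * <p>Two resources with identical scopes (view/update/delete) are created; only the second
     * has type {@code type-one}. One scope permission binds {@code scope:view} to the first
     * resource by id, another binds {@code scope:update} to the resource type {@code type-one}.
     * Requesting all three scopes on each resource must return only the single scope whose
     * permission applies to that resource: the id-bound grant must not appear on the typed
     * resource, and the type-bound grant must not appear on the untyped one.
     *
     * @throws Exception if setup or the token request fails
     */
    @Test
    public void testObtainAllEntitlementsForResourceWithScopePermission() throws Exception {
        AuthorizationResource authorization = getClient(getRealm(), RESOURCE_SERVER_TEST).authorization();

        JSPolicyRepresentation grantPolicy = new JSPolicyRepresentation();
        grantPolicy.setName(KeycloakModelUtils.generateId());
        grantPolicy.setCode("$evaluation.grant();");
        authorization.policies().js().create(grantPolicy).close();

        ResourceRepresentation untypedResource = new ResourceRepresentation();
        untypedResource.setName(KeycloakModelUtils.generateId());
        untypedResource.addScope("scope:view", "scope:update", "scope:delete");
        // try-with-resources releases the response even when readEntity throws.
        try (Response response = authorization.resources().create(untypedResource)) {
            untypedResource = response.readEntity(ResourceRepresentation.class);
        }

        ResourceRepresentation typedResource = new ResourceRepresentation();
        typedResource.setName(KeycloakModelUtils.generateId());
        typedResource.setType("type-one");
        typedResource.addScope("scope:view", "scope:update", "scope:delete");
        try (Response response = authorization.resources().create(typedResource)) {
            typedResource = response.readEntity(ResourceRepresentation.class);
        }

        // scope:view, bound to the untyped resource by id.
        ScopePermissionRepresentation viewOnResource = new ScopePermissionRepresentation();
        viewOnResource.setName(KeycloakModelUtils.generateId());
        viewOnResource.addResource(untypedResource.getId());
        viewOnResource.addScope("scope:view");
        viewOnResource.addPolicy(grantPolicy.getName());
        authorization.permissions().scope().create(viewOnResource).close();

        // scope:update, bound to every resource of type "type-one".
        ScopePermissionRepresentation updateOnType = new ScopePermissionRepresentation();
        updateOnType.setName(KeycloakModelUtils.generateId());
        updateOnType.setResourceType("type-one");
        updateOnType.addScope("scope:update");
        updateOnType.addPolicy(grantPolicy.getName());
        authorization.permissions().scope().create(updateOnType).close();

        String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
        AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);

        // Untyped resource: only the id-bound scope:view may be granted.
        AuthorizationRequest request = new AuthorizationRequest();
        request.addPermission(untypedResource.getId(), "scope:view", "scope:update", "scope:delete");
        AuthorizationResponse response = authzClient.authorization(accessToken).authorize(request);
        Assert.assertNotNull(response.getToken());
        Collection<Permission> granted = toAccessToken(response.getToken()).getAuthorization().getPermissions();
        Assert.assertEquals(1, granted.size());
        for (Permission permission : granted) {
            Assert.assertEquals(untypedResource.getId(), permission.getResourceId());
            Assert.assertEquals(1, permission.getScopes().size());
            Assert.assertTrue(permission.getScopes().containsAll(Arrays.asList("scope:view")));
        }

        // Typed resource: only the type-bound scope:update may be granted.
        request = new AuthorizationRequest();
        request.addPermission(typedResource.getId(), "scope:view", "scope:update", "scope:delete");
        response = authzClient.authorization(accessToken).authorize(request);
        Assert.assertNotNull(response.getToken());
        granted = toAccessToken(response.getToken()).getAuthorization().getPermissions();
        Assert.assertEquals(1, granted.size());
        for (Permission permission : granted) {
            Assert.assertEquals(typedResource.getId(), permission.getResourceId());
            Assert.assertEquals(1, permission.getScopes().size());
            Assert.assertTrue(permission.getScopes().containsAll(Arrays.asList("scope:update")));
        }
    }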

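    /**
     * Exercises the resource server's decision strategy with one denying resource permission and
     * a changing set of granting scope permissions on the same resource.
     *
     * <p>Sequence: the request is first rejected with 403 / {@code access_denied}; after switching
     * to {@link DecisionStrategy#AFFIRMATIVE} the granting scope permissions determine the scopes
     * passed to {@code assertPermissions}; once every granting scope permission is removed the
     * request is rejected again; a granting resource permission restores access; switching to
     * {@link DecisionStrategy#UNANIMOUS} rejects the request once more while the denying resource
     * permission still exists.
     *
     * <p>NOTE(review): {@code assertPermissions} is defined elsewhere in this class; it presumably
     * checks that the grant for the resource has exactly the listed scopes. Confirm there.
     * NOTE(review): if an assertion fails while AFFIRMATIVE is active, this method does not
     * restore the previous strategy; confirm that class-level cleanup resets the server settings.
     *
     * @throws Exception if setup or the token request fails
     */
    @Test
    public void testServerDecisionStrategy() throws Exception {
        AuthorizationResource authorization = getClient(getRealm(), RESOURCE_SERVER_TEST).authorization();

        ResourceRepresentation resource = new ResourceRepresentation();
        resource.setName(KeycloakModelUtils.generateId());
        resource.addScope("read", "write", "delete");
        // Scope the response to the read only; it is closed even when readEntity throws.
        try (Response response = authorization.resources().create(resource)) {
            resource = response.readEntity(ResourceRepresentation.class);
        }

        JSPolicyRepresentation grantPolicy = new JSPolicyRepresentation();
        grantPolicy.setName(KeycloakModelUtils.generateId());
        grantPolicy.setCode("$evaluation.grant();");
        authorization.policies().js().create(grantPolicy).close();

        JSPolicyRepresentation denyPolicy = new JSPolicyRepresentation();
        denyPolicy.setName(KeycloakModelUtils.generateId());
        denyPolicy.setCode("$evaluation.deny();");
        authorization.policies().js().create(denyPolicy).close();

        // Denying permission bound to the resource.
        ResourcePermissionRepresentation denyingResourcePermission = new ResourcePermissionRepresentation();
        denyingResourcePermission.setName(KeycloakModelUtils.generateId());
        denyingResourcePermission.addResource(resource.getId());
        denyingResourcePermission.addPolicy(denyPolicy.getName());
        authorization.permissions().resource().create(denyingResourcePermission).close();

        // Granting permission for the "read" scope, not bound to a resource.
        ScopePermissionRepresentation readPermission = new ScopePermissionRepresentation();
        readPermission.setName(KeycloakModelUtils.generateId());
        readPermission.addScope("read");
        readPermission.addPolicy(grantPolicy.getName());
        ScopePermissionsResource scopePermissions = authorization.permissions().scope();
        scopePermissions.create(readPermission).close();

        String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
        AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);

        // The resource is requested by name with no explicit scopes.
        AuthorizationRequest request = new AuthorizationRequest();
        request.addPermission(resource.getName(), new String[0]);

        // With the strategy in effect at the start (presumably UNANIMOUS), the deny wins.
        try {
            authzClient.authorization(accessToken).authorize(request);
            Assert.fail("kolo can not access the resource");
        } catch (RuntimeException e) {
            HttpResponseException cause = (HttpResponseException) e.getCause();
            Assert.assertEquals(403, cause.getStatusCode());
            Assert.assertTrue(cause.toString().contains("access_denied"));
        }

        ResourceServerRepresentation settings = authorization.getSettings();
        settings.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
        authorization.update(settings);
        assertPermissions(authzClient, accessToken, request, resource, "read");

        // Widen the first scope permission.
        ScopePermissionRepresentation storedReadPermission = scopePermissions.findByName(readPermission.getName());
        storedReadPermission.addScope("read", "delete");
        scopePermissions.findById(storedReadPermission.getId()).update(storedReadPermission);
        assertPermissions(authzClient, accessToken, request, resource, "read", "delete");

        // A second, independent scope permission adds "write".
        ScopePermissionRepresentation writePermission = new ScopePermissionRepresentation();
        writePermission.setName(KeycloakModelUtils.generateId());
        writePermission.addScope("write");
        writePermission.addPolicy(grantPolicy.getName());
        scopePermissions.create(writePermission).close();
        assertPermissions(authzClient, accessToken, request, resource, "read", "delete", "write");

        // A third scope permission, bound to the resource, covers all three scopes.
        ScopePermissionRepresentation resourceScopePermission = new ScopePermissionRepresentation();
        resourceScopePermission.setName(KeycloakModelUtils.generateId());
        resourceScopePermission.addResource(resource.getId());
        resourceScopePermission.addScope("write", "read", "delete");
        resourceScopePermission.addPolicy(grantPolicy.getName());
        scopePermissions.create(resourceScopePermission).close();
        assertPermissions(authzClient, accessToken, request, resource, "read", "delete", "write");

        // Removing the first two permissions changes nothing while the third still covers all scopes.
        scopePermissions.findById(scopePermissions.findByName(writePermission.getName()).getId()).remove();
        assertPermissions(authzClient, accessToken, request, resource, "read", "delete", "write");
        scopePermissions.findById(scopePermissions.findByName(storedReadPermission.getName()).getId()).remove();
        assertPermissions(authzClient, accessToken, request, resource, "read", "delete", "write");

        // Update the remaining permission; afterwards only delete and write are expected.
        ScopePermissionRepresentation storedResourceScopePermission = scopePermissions.findByName(resourceScopePermission.getName());
        storedResourceScopePermission.addScope("write", "delete");
        scopePermissions.findById(storedResourceScopePermission.getId()).update(storedResourceScopePermission);
        assertPermissions(authzClient, accessToken, request, resource, "delete", "write");

        // No granting scope permission is left, so the request must be rejected again.
        scopePermissions.findById(storedResourceScopePermission.getId()).remove();
        try {
            authzClient.authorization(accessToken).authorize(request);
            Assert.fail("kolo can not access the resource");
        } catch (RuntimeException e) {
            HttpResponseException cause = (HttpResponseException) e.getCause();
            Assert.assertEquals(403, cause.getStatusCode());
            Assert.assertTrue(cause.toString().contains("access_denied"));
        }

        // A granting resource permission next to the denying one is enough under AFFIRMATIVE.
        ResourcePermissionRepresentation grantingResourcePermission = new ResourcePermissionRepresentation();
        grantingResourcePermission.setName(KeycloakModelUtils.generateId());
        grantingResourcePermission.addResource(resource.getId());
        grantingResourcePermission.addPolicy(grantPolicy.getName());
        authorization.permissions().resource().create(grantingResourcePermission).close();
        assertPermissions(authzClient, accessToken, request, resource, "read", "delete", "write");

        // Under UNANIMOUS the denying resource permission blocks access again.
        settings.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
        authorization.update(settings);
        try {
            authzClient.authorization(accessToken).authorize(request);
            Assert.fail("kolo can not access the resource");
        } catch (RuntimeException e) {
            HttpResponseException cause = (HttpResponseException) e.getCause();
            Assert.assertEquals(403, cause.getStatusCode());
            Assert.assertTrue(cause.toString().contains("access_denied"));
        }
    }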

    @Test
    public void testObtainAllEntitlementsForResourceType() throws Exception {
        ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
        AuthorizationResource authorization = client.authorization();
        JSPolicyRepresentation jSPolicyRepresentation = new JSPolicyRepresentation();
        jSPolicyRepresentation.setName(KeycloakModelUtils.generateId());
        jSPolicyRepresentation.setCode("$evaluation.grant();");
        authorization.policies().js().create(jSPolicyRepresentation).close();
        for (int i = 0; i < 10; i++) {
            ResourceRepresentation resourceRepresentation = new ResourceRepresentation();
            resourceRepresentation.setType("type-one");
            resourceRepresentation.setName(KeycloakModelUtils.generateId());
            authorization.resources().create(resourceRepresentation).close();
        }
        for (int i2 = 0; i2 < 10; i2++) {
            ResourceRepresentation resourceRepresentation2 = new ResourceRepresentation();
            resourceRepresentation2.setType("type-two");
            resourceRepresentation2.setName(KeycloakModelUtils.generateId());
            authorization.resources().create(resourceRepresentation2).close();
        }
        for (int i3 = 0; i3 < 10; i3++) {
            ResourceRepresentation resourceRepresentation3 = new ResourceRepresentation();
            resourceRepresentation3.setType("type-three");
            resourceRepresentation3.setName(KeycloakModelUtils.generateId());
            authorization.resources().create(resourceRepresentation3).close();
        }
        for (int i4 = 0; i4 < 10; i4++) {
            ResourceRepresentation resourceRepresentation4 = new ResourceRepresentation();
            resourceRepresentation4.setType("type-four");
            resourceRepresentation4.setName(KeycloakModelUtils.generateId());
            resourceRepresentation4.addScope(new String[]{"scope:view", "scope:update"});
            authorization.resources().create(resourceRepresentation4).close();
        }
        for (int i5 = 0; i5 < 10; i5++) {
            ResourceRepresentation resourceRepresentation5 = new ResourceRepresentation();
            resourceRepresentation5.setType("type-five");
            resourceRepresentation5.setName(KeycloakModelUtils.generateId());
            resourceRepresentation5.addScope(new String[]{"scope:view"});
            authorization.resources().create(resourceRepresentation5).close();
        }
        ResourcePermissionRepresentation resourcePermissionRepresentation = new ResourcePermissionRepresentation();
        resourcePermissionRepresentation.setName(KeycloakModelUtils.generateId());
        resourcePermissionRepresentation.setResourceType("type-one");
        resourcePermissionRepresentation.addPolicy(new String[]{jSPolicyRepresentation.getName()});
        authorization.permissions().resource().create(resourcePermissionRepresentation).close();
        ResourcePermissionRepresentation resourcePermissionRepresentation2 = new ResourcePermissionRepresentation();
        resourcePermissionRepresentation2.setName(KeycloakModelUtils.generateId());
        resourcePermissionRepresentation2.setResourceType("type-two");
        resourcePermissionRepresentation2.addPolicy(new String[]{jSPolicyRepresentation.getName()});
        authorization.permissions().resource().create(resourcePermissionRepresentation2).close();
        ResourcePermissionRepresentation resourcePermissionRepresentation3 = new ResourcePermissionRepresentation();
        resourcePermissionRepresentation3.setName(KeycloakModelUtils.generateId());
        resourcePermissionRepresentation3.setResourceType("type-three");
        resourcePermissionRepresentation3.addPolicy(new String[]{jSPolicyRepresentation.getName()});
        authorization.permissions().resource().create(resourcePermissionRepresentation3).close();
        ScopePermissionRepresentation scopePermissionRepresentation = new ScopePermissionRepresentation();
        scopePermissionRepresentation.setName(KeycloakModelUtils.generateId());
        scopePermissionRepresentation.setResourceType("type-four");
        scopePermissionRepresentation.addScope(new String[]{"scope:view"});
        scopePermissionRepresentation.addPolicy(new String[]{jSPolicyRepresentation.getName()});
        authorization.permissions().scope().create(scopePermissionRepresentation).close();
        String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
        AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
        AuthorizationRequest authorizationRequest = new AuthorizationRequest();
        authorizationRequest.addPermission("resource-type:type-one", new String[0]);
        Assert.assertNotNull(authzClient.authorization(accessToken).authorize(authorizationRequest).getToken());
        Assert.assertEquals(10L, toAccessToken(r0.getToken()).getAuthorization().getPermissions().size());
        AuthorizationRequest authorizationRequest2 = new AuthorizationRequest();
        authorizationRequest2.addPermission("resource-type:type-three", new String[0]);
        Assert.assertNotNull(authzClient.authorization(accessToken).authorize(authorizationRequest2).getToken());
        Assert.assertEquals(10L, toAccessToken(r0.getToken()).getAuthorization().getPermissions().size());
        AuthorizationRequest authorizationRequest3 = new AuthorizationRequest();
        authorizationRequest3.addPermission("resource-type:type-four", new String[]{"scope:view"});
        AuthorizationResponse authorize = authzClient.authorization(accessToken).authorize(authorizationRequest3);
        Assert.assertNotNull(authorize.getToken());
        Collection<Permission> permissions = toAccessToken(authorize.getToken()).getAuthorization().getPermissions();
        Assert.assertEquals(10L, permissions.size());
        for (Permission permission : permissions) {
            Assert.assertEquals(1L, permission.getScopes().size());
            Assert.assertTrue(permission.getScopes().containsAll(Arrays.asList("scope:view")));
        }
        AuthorizationRequest authorizationRequest4 = new AuthorizationRequest();
        authorizationRequest4.addPermission("resource-type:type-five", new String[]{"scope:view"});
        try {
            authzClient.authorization(accessToken).authorize(authorizationRequest4);
            Assert.fail("no type-five resources can be granted since scope permission for scope:view only applies to type-four");
        } catch (RuntimeException e) {
            Assert.assertEquals(403L, ((HttpResponseException) HttpResponseException.class.cast(e.getCause())).getStatusCode());
            Assert.assertTrue(((HttpResponseException) HttpResponseException.class.cast(e.getCause())).toString().contains("access_denied"));
        }
        for (int i6 = 0; i6 < 5; i6++) {
            ResourceRepresentation resourceRepresentation6 = new ResourceRepresentation();
            resourceRepresentation6.setOwner("kolo");
            resourceRepresentation6.setType("type-two");
            resourceRepresentation6.setName(KeycloakModelUtils.generateId());
            authorization.resources().create(resourceRepresentation6).close();
        }
        AuthorizationRequest authorizationRequest5 = new AuthorizationRequest();
        authorizationRequest5.addPermission("resource-type-any:type-two", new String[0]);
        Assert.assertNotNull(authzClient.authorization(accessToken).authorize(authorizationRequest5).getToken());
        Assert.assertEquals(15L, toAccessToken(r0.getToken()).getAuthorization().getPermissions().size());
        AuthorizationRequest authorizationRequest6 = new AuthorizationRequest();
        authorizationRequest6.addPermission("resource-type-owner:type-two", new String[0]);
        Assert.assertNotNull(authzClient.authorization(accessToken).authorize(authorizationRequest6).getToken());
        Assert.assertEquals(5L, toAccessToken(r0.getToken()).getAuthorization().getPermissions().size());
        AuthorizationRequest authorizationRequest7 = new AuthorizationRequest();
        authorizationRequest7.addPermission("resource-type-instance:type-two", new String[0]);
        AuthorizationResponse authorize2 = authzClient.authorization(accessToken).authorize(authorizationRequest7);
        Assert.assertNotNull(authorize2.getToken());
        Collection permissions2 = toAccessToken(authorize2.getToken()).getAuthorization().getPermissions();
        Assert.assertEquals(5L, permissions2.size());
        ResourceResource resource = client.authorization().resources().resource(((Permission) permissions2.iterator().next()).getResourceId());
        ResourceRepresentation representation = resource.toRepresentation();
        representation.setType("type-three");
        resource.update(representation);
        AuthorizationRequest authorizationRequest8 = new AuthorizationRequest();
        authorizationRequest8.addPermission("resource-type-instance:type-two", new String[0]);
        Assert.assertNotNull(authzClient.authorization(accessToken).authorize(authorizationRequest8).getToken());
        Assert.assertEquals(4L, toAccessToken(r0.getToken()).getAuthorization().getPermissions().size());
        AuthorizationRequest authorizationRequest9 = new AuthorizationRequest();
        authorizationRequest9.addPermission("resource-type-instance:type-three", new String[0]);
        Assert.assertNotNull(authzClient.authorization(accessToken).authorize(authorizationRequest9).getToken());
        Assert.assertEquals(1L, toAccessToken(r0.getToken()).getAuthorization().getPermissions().size());
        AuthorizationRequest authorizationRequest10 = new AuthorizationRequest();
        authorizationRequest10.addPermission("resource-type-any:type-three", new String[0]);
        Assert.assertNotNull(authzClient.authorization(accessToken).authorize(authorizationRequest10).getToken());
        Assert.assertEquals(11L, toAccessToken(r0.getToken()).getAuthorization().getPermissions().size());
        for (int i7 = 0; i7 < 2; i7++) {
            ResourceRepresentation resourceRepresentation7 = new ResourceRepresentation();
            resourceRepresentation7.setOwner("marta");
            resourceRepresentation7.setType("type-one");
            resourceRepresentation7.setName(KeycloakModelUtils.generateId());
            authorization.resources().create(resourceRepresentation7).close();
        }
        AuthorizationRequest authorizationRequest11 = new AuthorizationRequest();
        authorizationRequest11.addPermission("resource-type:type-one", new String[0]);
        Assert.assertNotNull(authzClient.authorization(accessToken).authorize(authorizationRequest11).getToken());
        Assert.assertEquals(10L, toAccessToken(r0.getToken()).getAuthorization().getPermissions().size());
        String accessToken2 = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "marta", "password").getAccessToken();
        AuthorizationRequest authorizationRequest12 = new AuthorizationRequest();
        authorizationRequest12.addPermission("resource-type-owner:type-one", new String[0]);
        Assert.assertNotNull(authzClient.authorization(accessToken2).authorize(authorizationRequest12).getToken());
        Assert.assertEquals(2L, toAccessToken(r0.getToken()).getAuthorization().getPermissions().size());
        AuthorizationRequest authorizationRequest13 = new AuthorizationRequest();
        authorizationRequest13.addPermission("resource-type-instance:type-one", new String[0]);
        Assert.assertNotNull(authzClient.authorization(accessToken2).authorize(authorizationRequest13).getToken());
        Assert.assertEquals(2L, toAccessToken(r0.getToken()).getAuthorization().getPermissions().size());
        AuthorizationRequest authorizationRequest14 = new AuthorizationRequest();
        authorizationRequest14.addPermission("resource-type-any:type-one", new String[0]);
        Assert.assertNotNull(authzClient.authorization(accessToken2).authorize(authorizationRequest14).getToken());
        Assert.assertEquals(12L, toAccessToken(r0.getToken()).getAuthorization().getPermissions().size());
    }

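    /**
     * Checks how permissions attached to a single resource interact with a permission defined for
     * the resource's type, using the users {@code marta} (resource owner) and {@code kolo}.
     *
     * <p>The sequence asserted below is:
     * <ol>
     *   <li>with only the type permission (guarded by the policy from {@code createOnlyOwnerPolicy()}),
     *       marta is granted {@code read} and {@code update}; kolo is rejected with 403 / access_denied;</li>
     *   <li>a resource permission on marta's resource backed by a user policy for kolo grants kolo both scopes;</li>
     *   <li>re-targeting the type permission at another resource does not change that grant;</li>
     *   <li>a scope permission on {@code update} guarded by the only-owner policy reduces kolo to {@code read};</li>
     *   <li>removing kolo's resource permission makes the request fail with 403 again;</li>
     *   <li>adding the user policy to the scope permission with an AFFIRMATIVE strategy grants kolo
     *       {@code update} only, while marta still receives both scopes;</li>
     *   <li>removing the scope permission leaves kolo denied.</li>
     * </ol>
     *
     * <p>The three denial checks are the security-relevant part of this test: if any of them stops
     * failing with 403, a non-owner is being granted access to another user's resource.
     *
     * <p>Every {@link Response} whose entity is read is closed with try-with-resources, so the
     * connection is released even when {@code readEntity} throws.
     *
     * @throws Exception if any admin or authorization call fails unexpectedly
     */
    @Test
    public void testOverridePermission() throws Exception {
        AuthorizationResource authorization = getClient(getRealm(), RESOURCE_SERVER_TEST).authorization();
        JSPolicyRepresentation onlyOwnerPolicy = createOnlyOwnerPolicy();
        authorization.policies().js().create(onlyOwnerPolicy).close();

        // A resource of type "resource" created without an explicit owner.
        ResourceRepresentation typedResourceRequest = new ResourceRepresentation();
        typedResourceRequest.setType("resource");
        typedResourceRequest.setName(KeycloakModelUtils.generateId());
        typedResourceRequest.addScope(new String[]{"read", "update"});
        ResourceRepresentation typedResource;
        try (Response response = authorization.resources().create(typedResourceRequest)) {
            typedResource = response.readEntity(ResourceRepresentation.class);
        }

        // Permission covering every resource of type "resource", guarded by the only-owner policy.
        ResourcePermissionRepresentation typedPermissionRequest = new ResourcePermissionRepresentation();
        typedPermissionRequest.setName(KeycloakModelUtils.generateId());
        typedPermissionRequest.setResourceType("resource");
        typedPermissionRequest.addPolicy(new String[]{onlyOwnerPolicy.getName()});
        ResourcePermissionRepresentation typedPermission;
        try (Response response = authorization.permissions().resource().create(typedPermissionRequest)) {
            typedPermission = response.readEntity(ResourcePermissionRepresentation.class);
        }

        // A second resource of the same type, owned by marta.
        ResourceRepresentation martaResourceRequest = new ResourceRepresentation();
        martaResourceRequest.setType("resource");
        martaResourceRequest.setName(KeycloakModelUtils.generateId());
        martaResourceRequest.addScope(new String[]{"read", "update"});
        martaResourceRequest.setOwner("marta");
        ResourceRepresentation martaResource;
        try (Response response = authorization.resources().create(martaResourceRequest)) {
            martaResource = response.readEntity(ResourceRepresentation.class);
        }

        // Step 1a: marta asks for her own resource (by name) and receives both scopes.
        String martaToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST)
                .doGrantAccessTokenRequest("secret", "marta", "password").getAccessToken();
        AuthzClient martaAuthzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
        AuthorizationRequest martaRequest = new AuthorizationRequest();
        martaRequest.addPermission(martaResource.getName(), new String[0]);
        AuthorizationResponse martaResponse = martaAuthzClient.authorization(martaToken).authorize(martaRequest);
        Assert.assertNotNull(martaResponse.getToken());
        Collection<Permission> martaPermissions = toAccessToken(martaResponse.getToken()).getAuthorization().getPermissions();
        Assert.assertEquals(1L, martaPermissions.size());
        for (Permission granted : martaPermissions) {
            Assert.assertEquals(martaResource.getName(), granted.getResourceName());
            Set<String> scopes = granted.getScopes();
            Assert.assertEquals(2L, scopes.size());
            Assert.assertThat(scopes, Matchers.containsInAnyOrder(new String[]{"read", "update"}));
        }

        // Step 1b: kolo asks for marta's resource (by id) and must be rejected.
        String koloToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST)
                .doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
        AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
        AuthorizationRequest request = new AuthorizationRequest();
        request.addPermission(martaResource.getId(), new String[0]);
        try {
            authzClient.authorization(koloToken).authorize(request);
            // Assert.fail raises AssertionError, which this catch does not intercept.
            Assert.fail("kolo can not access marta resource");
        } catch (RuntimeException e) {
            HttpResponseException cause = HttpResponseException.class.cast(e.getCause());
            Assert.assertEquals(403L, cause.getStatusCode());
            Assert.assertTrue(cause.toString().contains("access_denied"));
        }

        // Step 2: a permission on marta's resource itself, backed by a user policy naming kolo.
        UserPolicyRepresentation onlyKoloPolicy = new UserPolicyRepresentation();
        onlyKoloPolicy.setName(KeycloakModelUtils.generateId());
        onlyKoloPolicy.addUser("kolo");
        authorization.policies().user().create(onlyKoloPolicy).close();

        ResourcePermissionRepresentation martaResourcePermissionRequest = new ResourcePermissionRepresentation();
        martaResourcePermissionRequest.setName(KeycloakModelUtils.generateId());
        martaResourcePermissionRequest.addResource(martaResource.getId());
        martaResourcePermissionRequest.addPolicy(new String[]{onlyKoloPolicy.getName()});
        ResourcePermissionRepresentation martaResourcePermission;
        try (Response response = authorization.permissions().resource().create(martaResourcePermissionRequest)) {
            martaResourcePermission = response.readEntity(ResourcePermissionRepresentation.class);
        }

        AuthorizationResponse koloResponse = authzClient.authorization(koloToken).authorize(request);
        Assert.assertNotNull(koloResponse.getToken());
        Collection<Permission> koloPermissions = toAccessToken(koloResponse.getToken()).getAuthorization().getPermissions();
        Assert.assertEquals(1L, koloPermissions.size());
        for (Permission granted : koloPermissions) {
            Assert.assertEquals(martaResource.getName(), granted.getResourceName());
            Set<String> scopes = granted.getScopes();
            Assert.assertEquals(2L, scopes.size());
            Assert.assertThat(scopes, Matchers.containsInAnyOrder(new String[]{"read", "update"}));
        }

        // Step 3: turn the type permission into a permission on the unowned resource only;
        // kolo's grant on marta's resource must be unchanged.
        typedPermission.setResourceType((String) null);
        typedPermission.addResource(typedResource.getName());
        authorization.permissions().resource().findById(typedPermission.getId()).update(typedPermission);

        koloResponse = authzClient.authorization(koloToken).authorize(request);
        Assert.assertNotNull(koloResponse.getToken());
        koloPermissions = toAccessToken(koloResponse.getToken()).getAuthorization().getPermissions();
        Assert.assertEquals(1L, koloPermissions.size());
        for (Permission granted : koloPermissions) {
            Assert.assertEquals(martaResource.getName(), granted.getResourceName());
            Set<String> scopes = granted.getScopes();
            Assert.assertEquals(2L, scopes.size());
            Assert.assertThat(scopes, Matchers.containsInAnyOrder(new String[]{"read", "update"}));
        }

        // Step 4: a scope permission on "update" for marta's resource, guarded by the only-owner
        // policy, leaves kolo with "read" only.
        ScopePermissionRepresentation updateScopePermissionRequest = new ScopePermissionRepresentation();
        updateScopePermissionRequest.setName(KeycloakModelUtils.generateId());
        updateScopePermissionRequest.addResource(martaResource.getId());
        updateScopePermissionRequest.addScope(new String[]{"update"});
        updateScopePermissionRequest.addPolicy(new String[]{onlyOwnerPolicy.getName()});
        ScopePermissionRepresentation updateScopePermission;
        try (Response response = authorization.permissions().scope().create(updateScopePermissionRequest)) {
            updateScopePermission = response.readEntity(ScopePermissionRepresentation.class);
        }

        koloResponse = authzClient.authorization(koloToken).authorize(request);
        Assert.assertNotNull(koloResponse.getToken());
        koloPermissions = toAccessToken(koloResponse.getToken()).getAuthorization().getPermissions();
        Assert.assertEquals(1L, koloPermissions.size());
        for (Permission granted : koloPermissions) {
            Assert.assertEquals(martaResource.getName(), granted.getResourceName());
            Set<String> scopes = granted.getScopes();
            Assert.assertEquals(1L, scopes.size());
            Assert.assertThat(scopes, Matchers.containsInAnyOrder(new String[]{"read"}));
        }

        // Step 5: without the resource permission that named kolo, the request is denied again.
        authorization.permissions().resource().findById(martaResourcePermission.getId()).remove();
        try {
            authzClient.authorization(koloToken).authorize(request);
            Assert.fail("kolo can not access marta resource");
        } catch (RuntimeException e) {
            HttpResponseException cause = HttpResponseException.class.cast(e.getCause());
            Assert.assertEquals(403L, cause.getStatusCode());
            Assert.assertTrue(cause.toString().contains("access_denied"));
        }

        // Step 6: the scope permission now also carries the kolo user policy and uses an
        // AFFIRMATIVE decision strategy; kolo is granted "update" and nothing else.
        updateScopePermission.addPolicy(new String[]{onlyKoloPolicy.getName()});
        updateScopePermission.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
        authorization.permissions().scope().findById(updateScopePermission.getId()).update(updateScopePermission);

        koloResponse = authzClient.authorization(koloToken).authorize(request);
        Assert.assertNotNull(koloResponse.getToken());
        koloPermissions = toAccessToken(koloResponse.getToken()).getAuthorization().getPermissions();
        Assert.assertEquals(1L, koloPermissions.size());
        for (Permission granted : koloPermissions) {
            Assert.assertEquals(martaResource.getName(), granted.getResourceName());
            Set<String> scopes = granted.getScopes();
            Assert.assertEquals(1L, scopes.size());
            Assert.assertThat(scopes, Matchers.containsInAnyOrder(new String[]{"update"}));
        }

        // marta, authenticating afresh, still receives both scopes for the same request.
        String freshMartaToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST)
                .doGrantAccessTokenRequest("secret", "marta", "password").getAccessToken();
        AuthorizationResponse ownerResponse = authzClient.authorization(freshMartaToken).authorize(request);
        Assert.assertNotNull(ownerResponse.getToken());
        Collection<Permission> ownerPermissions = toAccessToken(ownerResponse.getToken()).getAuthorization().getPermissions();
        Assert.assertEquals(1L, ownerPermissions.size());
        for (Permission granted : ownerPermissions) {
            Assert.assertEquals(martaResource.getName(), granted.getResourceName());
            Set<String> scopes = granted.getScopes();
            Assert.assertEquals(2L, scopes.size());
            Assert.assertThat(scopes, Matchers.containsInAnyOrder(new String[]{"update", "read"}));
        }

        // Step 7: with the scope permission gone as well, a freshly authenticated kolo is denied.
        authorization.permissions().scope().findById(updateScopePermission.getId()).remove();
        try {
            String freshKoloToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST)
                    .doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
            authzClient.authorization(freshKoloToken).authorize(request);
            Assert.fail("kolo can not access marta resource");
        } catch (RuntimeException e) {
            HttpResponseException cause = HttpResponseException.class.cast(e.getCause());
            Assert.assertEquals(403L, cause.getStatusCode());
            Assert.assertTrue(cause.toString().contains("access_denied"));
        }
    }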

    @Test
    public void testOverrideParentScopePermission() throws Exception {
        Throwable th;
        AuthorizationResource authorization = getClient(getRealm(), RESOURCE_SERVER_TEST).authorization();
        JSPolicyRepresentation createOnlyOwnerPolicy = createOnlyOwnerPolicy();
        authorization.policies().js().create(createOnlyOwnerPolicy).close();
        ResourceRepresentation resourceRepresentation = new ResourceRepresentation();
        resourceRepresentation.setType("resource");
        resourceRepresentation.setName(KeycloakModelUtils.generateId());
        resourceRepresentation.addScope(new String[]{"read", "update"});
        Response create = authorization.resources().create(resourceRepresentation);
        Throwable th2 = null;
        try {
            try {
                ResourceRepresentation resourceRepresentation2 = (ResourceRepresentation) create.readEntity(ResourceRepresentation.class);
                if (create != null) {
                    if (0 != 0) {
                        try {
                            create.close();
                        } catch (Throwable th3) {
                            th2.addSuppressed(th3);
                        }
                    } else {
                        create.close();
                    }
                }
                ScopePermissionRepresentation scopePermissionRepresentation = new ScopePermissionRepresentation();
                scopePermissionRepresentation.setName(KeycloakModelUtils.generateId());
                scopePermissionRepresentation.addResource(resourceRepresentation2.getName());
                scopePermissionRepresentation.addPolicy(new String[]{createOnlyOwnerPolicy.getName()});
                scopePermissionRepresentation.addScope(new String[]{"read", "update"});
                authorization.permissions().scope().create(scopePermissionRepresentation).close();
                ResourceRepresentation resourceRepresentation3 = new ResourceRepresentation();
                resourceRepresentation3.setType("resource");
                resourceRepresentation3.setName(KeycloakModelUtils.generateId());
                resourceRepresentation3.addScope(new String[]{"read"});
                resourceRepresentation3.setOwner("marta");
                create = authorization.resources().create(resourceRepresentation3);
                th = null;
            } catch (Throwable th4) {
                th2 = th4;
                throw th4;
            }
            try {
                try {
                    ResourceRepresentation resourceRepresentation4 = (ResourceRepresentation) create.readEntity(ResourceRepresentation.class);
                    if (create != null) {
                        if (0 != 0) {
                            try {
                                create.close();
                            } catch (Throwable th5) {
                                th.addSuppressed(th5);
                            }
                        } else {
                            create.close();
                        }
                    }
                    String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "marta", "password").getAccessToken();
                    AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
                    AuthorizationRequest authorizationRequest = new AuthorizationRequest();
                    authorizationRequest.addPermission(resourceRepresentation4.getName(), new String[0]);
                    AuthorizationResponse authorize = authzClient.authorization(accessToken).authorize(authorizationRequest);
                    Assert.assertNotNull(authorize.getToken());
                    Collection<Permission> permissions = toAccessToken(authorize.getToken()).getAuthorization().getPermissions();
                    Assert.assertEquals(1L, permissions.size());
                    for (Permission permission : permissions) {
                        Assert.assertEquals(resourceRepresentation4.getName(), permission.getResourceName());
                        Set scopes = permission.getScopes();
                        Assert.assertEquals(2L, scopes.size());
                        Assert.assertThat(scopes, Matchers.containsInAnyOrder(new String[]{"read", "update"}));
                    }
                    String accessToken2 = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
                    AuthzClient authzClient2 = getAuthzClient(AUTHZ_CLIENT_CONFIG);
                    AuthorizationRequest authorizationRequest2 = new AuthorizationRequest();
                    authorizationRequest2.addPermission(resourceRepresentation4.getId(), new String[0]);
                    try {
                        authzClient2.authorization(accessToken2).authorize(authorizationRequest2);
                        Assert.fail("kolo can not access marta resource");
                    } catch (RuntimeException e) {
                        Assert.assertEquals(403L, ((HttpResponseException) HttpResponseException.class.cast(e.getCause())).getStatusCode());
                        Assert.assertTrue(((HttpResponseException) HttpResponseException.class.cast(e.getCause())).toString().contains("access_denied"));
                    }
                    UserPolicyRepresentation userPolicyRepresentation = new UserPolicyRepresentation();
                    userPolicyRepresentation.setName(KeycloakModelUtils.generateId());
                    userPolicyRepresentation.addUser("kolo");
                    authorization.policies().user().create(userPolicyRepresentation).close();
                    ResourcePermissionRepresentation resourcePermissionRepresentation = new ResourcePermissionRepresentation();
                    resourcePermissionRepresentation.setName(KeycloakModelUtils.generateId());
                    resourcePermissionRepresentation.addResource(resourceRepresentation4.getId());
                    resourcePermissionRepresentation.addPolicy(new String[]{userPolicyRepresentation.getName()});
                    Response create2 = authorization.permissions().resource().create(resourcePermissionRepresentation);
                    Throwable th6 = null;
                    try {
                        try {
                            ResourcePermissionRepresentation resourcePermissionRepresentation2 = (ResourcePermissionRepresentation) create2.readEntity(ResourcePermissionRepresentation.class);
                            if (create2 != null) {
                                if (0 != 0) {
                                    try {
                                        create2.close();
                                    } catch (Throwable th7) {
                                        th6.addSuppressed(th7);
                                    }
                                } else {
                                    create2.close();
                                }
                            }
                            AuthorizationResponse authorize2 = authzClient2.authorization(accessToken2).authorize(authorizationRequest2);
                            Assert.assertNotNull(authorize2.getToken());
                            Collection<Permission> permissions2 = toAccessToken(authorize2.getToken()).getAuthorization().getPermissions();
                            Assert.assertEquals(1L, permissions2.size());
                            for (Permission permission2 : permissions2) {
                                Assert.assertEquals(resourceRepresentation4.getName(), permission2.getResourceName());
                                Set scopes2 = permission2.getScopes();
                                Assert.assertEquals(2L, scopes2.size());
                                Assert.assertThat(scopes2, Matchers.containsInAnyOrder(new String[]{"read", "update"}));
                            }
                            ScopePermissionRepresentation scopePermissionRepresentation2 = new ScopePermissionRepresentation();
                            scopePermissionRepresentation2.setName(KeycloakModelUtils.generateId());
                            scopePermissionRepresentation2.addResource(resourceRepresentation4.getId());
                            scopePermissionRepresentation2.addScope(new String[]{"update"});
                            scopePermissionRepresentation2.addPolicy(new String[]{createOnlyOwnerPolicy.getName()});
                            Response create3 = authorization.permissions().scope().create(scopePermissionRepresentation2);
                            Throwable th8 = null;
                            try {
                                try {
                                    ScopePermissionRepresentation scopePermissionRepresentation3 = (ScopePermissionRepresentation) create3.readEntity(ScopePermissionRepresentation.class);
                                    if (create3 != null) {
                                        if (0 != 0) {
                                            try {
                                                create3.close();
                                            } catch (Throwable th9) {
                                                th8.addSuppressed(th9);
                                            }
                                        } else {
                                            create3.close();
                                        }
                                    }
                                    AuthorizationResponse authorize3 = authzClient2.authorization(accessToken2).authorize(authorizationRequest2);
                                    Assert.assertNotNull(authorize3.getToken());
                                    Collection<Permission> permissions3 = toAccessToken(authorize3.getToken()).getAuthorization().getPermissions();
                                    Assert.assertEquals(1L, permissions3.size());
                                    for (Permission permission3 : permissions3) {
                                        Assert.assertEquals(resourceRepresentation4.getName(), permission3.getResourceName());
                                        Set scopes3 = permission3.getScopes();
                                        Assert.assertEquals(1L, scopes3.size());
                                        Assert.assertThat(scopes3, Matchers.containsInAnyOrder(new String[]{"read"}));
                                    }
                                    authorization.permissions().resource().findById(resourcePermissionRepresentation2.getId()).remove();
                                    try {
                                        authzClient2.authorization(accessToken2).authorize(authorizationRequest2);
                                        Assert.fail("kolo can not access marta resource");
                                    } catch (RuntimeException e2) {
                                        Assert.assertEquals(403L, ((HttpResponseException) HttpResponseException.class.cast(e2.getCause())).getStatusCode());
                                        Assert.assertTrue(((HttpResponseException) HttpResponseException.class.cast(e2.getCause())).toString().contains("access_denied"));
                                    }
                                    scopePermissionRepresentation3.addPolicy(new String[]{userPolicyRepresentation.getName()});
                                    scopePermissionRepresentation3.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
                                    authorization.permissions().scope().findById(scopePermissionRepresentation3.getId()).update(scopePermissionRepresentation3);
                                    AuthorizationResponse authorize4 = authzClient2.authorization(accessToken2).authorize(authorizationRequest2);
                                    Assert.assertNotNull(authorize4.getToken());
                                    Collection<Permission> permissions4 = toAccessToken(authorize4.getToken()).getAuthorization().getPermissions();
                                    Assert.assertEquals(1L, permissions4.size());
                                    for (Permission permission4 : permissions4) {
                                        Assert.assertEquals(resourceRepresentation4.getName(), permission4.getResourceName());
                                        Set scopes4 = permission4.getScopes();
                                        Assert.assertEquals(1L, scopes4.size());
                                        Assert.assertThat(scopes4, Matchers.containsInAnyOrder(new String[]{"update"}));
                                    }
                                    AuthorizationResponse authorize5 = authzClient2.authorization(new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "marta", "password").getAccessToken()).authorize(authorizationRequest2);
                                    Assert.assertNotNull(authorize5.getToken());
                                    Collection<Permission> permissions5 = toAccessToken(authorize5.getToken()).getAuthorization().getPermissions();
                                    Assert.assertEquals(1L, permissions5.size());
                                    for (Permission permission5 : permissions5) {
                                        Assert.assertEquals(resourceRepresentation4.getName(), permission5.getResourceName());
                                        Set scopes5 = permission5.getScopes();
                                        Assert.assertEquals(2L, scopes5.size());
                                        Assert.assertThat(scopes5, Matchers.containsInAnyOrder(new String[]{"update", "read"}));
                                    }
                                    authorization.permissions().scope().findById(scopePermissionRepresentation3.getId()).remove();
                                    try {
                                        authzClient2.authorization(new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken()).authorize(authorizationRequest2);
                                        Assert.fail("kolo can not access marta resource");
                                    } catch (RuntimeException e3) {
                                        Assert.assertEquals(403L, ((HttpResponseException) HttpResponseException.class.cast(e3.getCause())).getStatusCode());
                                        Assert.assertTrue(((HttpResponseException) HttpResponseException.class.cast(e3.getCause())).toString().contains("access_denied"));
                                    }
                                } catch (Throwable th10) {
                                    th8 = th10;
                                    throw th10;
                                }
                            } catch (Throwable th11) {
                                if (create3 != null) {
                                    if (th8 != null) {
                                        try {
                                            create3.close();
                                        } catch (Throwable th12) {
                                            th8.addSuppressed(th12);
                                        }
                                    } else {
                                        create3.close();
                                    }
                                }
                                throw th11;
                            }
                        } catch (Throwable th13) {
                            th6 = th13;
                            throw th13;
                        }
                    } catch (Throwable th14) {
                        if (create2 != null) {
                            if (th6 != null) {
                                try {
                                    create2.close();
                                } catch (Throwable th15) {
                                    th6.addSuppressed(th15);
                                }
                            } else {
                                create2.close();
                            }
                        }
                        throw th14;
                    }
                } catch (Throwable th16) {
                    th = th16;
                    throw th16;
                }
            } finally {
            }
        } finally {
        }
    }

    /**
     * Builds a JavaScript policy representation that grants only to the owner of the evaluated resource.
     *
     * <p>The script calls {@code $evaluation.grant()} when the permission carries a resource and
     * {@code resource.owner == identity.id}. It never calls {@code $evaluation.deny()}, so for any
     * other identity the policy issues no explicit decision; what that means for the final result
     * is decided by the server and by the decision strategy of the permission that uses the policy.
     *
     * <p>The representation is only populated here; the caller is responsible for creating it on
     * the server.
     *
     * @return a new policy representation with a generated name and the owner-only script
     */
    @NotNull
    private JSPolicyRepresentation createOnlyOwnerPolicy() {
        // Kept as one concatenated constant: the resulting text is what the server evaluates.
        final String ownerOnlyScript = "var context = $evaluation.getContext();\n"
                + "var identity = context.getIdentity();\n"
                + "var permission = $evaluation.getPermission();\n"
                + "var resource = permission.getResource();\n"
                + "\n"
                + "if (resource) {\n"
                + "    if (resource.owner == identity.id) {\n"
                + "        $evaluation.grant();\n"
                + "    }\n"
                + "}";

        JSPolicyRepresentation ownerPolicy = new JSPolicyRepresentation();
        ownerPolicy.setName(KeycloakModelUtils.generateId());
        ownerPolicy.setCode(ownerOnlyScript);
        return ownerPolicy;
    }

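    /**
     * Checks that a resource attribute read by a JavaScript policy changes the outcome of a
     * resource-type permission, alone and combined with the owner-only policy and a scope permission.
     *
     * <p>Fixtures created on the {@code RESOURCE_SERVER_TEST} client:
     * <ul>
     *   <li>a "visibility" policy that denies when the resource's first {@code visibility} value is
     *       {@code "private"} and grants otherwise;</li>
     *   <li>the policy returned by {@link #createOnlyOwnerPolicy()};</li>
     *   <li>a resource of type {@code "resource"} with no attributes (called the typed resource below);</li>
     *   <li>a resource of type {@code "resource"} owned by {@code marta} and marked
     *       {@code visibility=private};</li>
     *   <li>a resource-type permission for type {@code "resource"} using the visibility policy.</li>
     * </ul>
     *
     * <p>All authorization requests are made as {@code marta}. The expected permission sets are
     * asserted after each policy or attribute change, so a regression that ignores the attribute or
     * the decision strategy shows up as a wrong count or a wrong resource name.
     *
     * @throws Exception if any admin or authorization call fails
     */
    @Test
    public void testPermissionsWithResourceAttributes() throws Exception {
        AuthorizationResource authorization = getClient(getRealm(), RESOURCE_SERVER_TEST).authorization();

        // Attribute-driven policy: explicit deny for private resources, grant for everything else.
        JSPolicyRepresentation visibilityPolicy = new JSPolicyRepresentation();
        visibilityPolicy.setName(KeycloakModelUtils.generateId());
        visibilityPolicy.setCode("var createPermission = $evaluation.getPermission();\n"
                + "var resource = createPermission.getResource();\n"
                + "\n"
                + "if (resource) {\n"
                + "    var attributes = resource.getAttributes();\n"
                + "    var visibility = attributes.get('visibility');\n"
                + "    \n"
                + "    if (visibility && \"private\".equals(visibility.get(0))) {\n"
                + "        $evaluation.deny();\n"
                + "      } else {\n"
                + "        $evaluation.grant();\n"
                + "    }\n"
                + "}");
        authorization.policies().js().create(visibilityPolicy).close();

        JSPolicyRepresentation onlyOwnerPolicy = createOnlyOwnerPolicy();
        authorization.policies().js().create(onlyOwnerPolicy).close();

        // Typed resource without attributes. try-with-resources releases the response even when
        // readEntity throws.
        ResourceRepresentation typedResourceRequest = new ResourceRepresentation();
        typedResourceRequest.setType("resource");
        typedResourceRequest.setName(KeycloakModelUtils.generateId());
        ResourceRepresentation typedResource;
        try (Response created = authorization.resources().create(typedResourceRequest)) {
            typedResource = created.readEntity(ResourceRepresentation.class);
        }

        // Same type, but owned by marta and flagged private.
        HashMap<String, List<String>> privateVisibility = new HashMap<>();
        privateVisibility.put("visibility", Arrays.asList("private"));
        ResourceRepresentation martaResourceRequest = new ResourceRepresentation();
        martaResourceRequest.setName(KeycloakModelUtils.generateId());
        martaResourceRequest.setType("resource");
        martaResourceRequest.setOwner("marta");
        martaResourceRequest.setAttributes(privateVisibility);
        ResourceRepresentation martaResource;
        try (Response created = authorization.resources().create(martaResourceRequest)) {
            martaResource = created.readEntity(ResourceRepresentation.class);
        }

        // Resource-type permission: applies to every resource of type "resource".
        ResourcePermissionRepresentation typePermissionRequest = new ResourcePermissionRepresentation();
        typePermissionRequest.setName(KeycloakModelUtils.generateId());
        typePermissionRequest.setResourceType("resource");
        typePermissionRequest.addPolicy(new String[]{visibilityPolicy.getName()});
        ResourcePermissionRepresentation typePermission;
        try (Response created = authorization.permissions().resource().create(typePermissionRequest)) {
            typePermission = created.readEntity(ResourcePermissionRepresentation.class);
        }

        AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
        AuthorizationRequest bothResources = new AuthorizationRequest();
        bothResources.addPermission(typedResource.getId(), new String[0]);
        bothResources.addPermission(martaResource.getId(), new String[0]);

        // 1. Visibility policy only: the private resource must not appear in the token.
        AuthorizationResponse authzResponse = authzClient.authorization("marta", "password").authorize(bothResources);
        Assert.assertNotNull(authzResponse.getToken());
        Collection<Permission> granted = toAccessToken(authzResponse.getToken()).getAuthorization().getPermissions();
        Assert.assertEquals(1, granted.size());
        for (Permission permission : granted) {
            Assert.assertEquals(typedResource.getName(), permission.getResourceName());
        }

        // 2. Add the owner-only policy and switch to AFFIRMATIVE: both resources are expected,
        //    presumably because the owner policy now grants marta her own private resource.
        typePermission.addPolicy(new String[]{onlyOwnerPolicy.getName()});
        typePermission.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
        authorization.permissions().resource().findById(typePermission.getId()).update(typePermission);
        authzResponse = authzClient.authorization("marta", "password").authorize(bothResources);
        Assert.assertNotNull(authzResponse.getToken());
        granted = toAccessToken(authzResponse.getToken()).getAuthorization().getPermissions();
        Assert.assertEquals(2, granted.size());
        List<String> bothNames = Arrays.asList(typedResource.getName(), martaResource.getName());
        for (Permission permission : granted) {
            Assert.assertThat(bothNames, Matchers.hasItem(permission.getResourceName()));
        }

        // 3. Mark the typed resource private as well: only marta's own resource is expected to remain.
        typedResource.setAttributes(privateVisibility);
        authorization.resources().resource(typedResource.getId()).update(typedResource);
        authzResponse = authzClient.authorization("marta", "password").authorize(bothResources);
        Assert.assertNotNull(authzResponse.getToken());
        granted = toAccessToken(authzResponse.getToken()).getAuthorization().getPermissions();
        Assert.assertEquals(1, granted.size());
        for (Permission permission : granted) {
            Assert.assertThat(martaResource.getName(), Matchers.equalTo(permission.getResourceName()));
        }

        // 4. Give both resources the scopes "create" and "read", and guard "create" with a scope
        //    permission that uses only the visibility policy. The private resource must not gain "create".
        martaResource.addScope(new String[]{"create", "read"});
        authorization.resources().resource(martaResource.getId()).update(martaResource);
        typedResource.addScope(new String[]{"create", "read"});
        authorization.resources().resource(typedResource.getId()).update(typedResource);
        ScopePermissionRepresentation createScopePermission = new ScopePermissionRepresentation();
        createScopePermission.setName(KeycloakModelUtils.generateId());
        createScopePermission.addScope(new String[]{"create"});
        createScopePermission.addPolicy(new String[]{visibilityPolicy.getName()});
        authorization.permissions().scope().create(createScopePermission).close();
        authzResponse = authzClient.authorization("marta", "password").authorize(bothResources);
        Assert.assertNotNull(authzResponse.getToken());
        granted = toAccessToken(authzResponse.getToken()).getAuthorization().getPermissions();
        Assert.assertEquals(1, granted.size());
        for (Permission permission : granted) {
            Assert.assertThat(martaResource.getName(), Matchers.equalTo(permission.getResourceName()));
            Assert.assertThat(permission.getScopes(), Matchers.not(Matchers.hasItem("create")));
        }

        // 5. Clear the typed resource's attributes again. It should expose both scopes, while the
        //    private resource still must not expose "create". First without an explicit request.
        // NOTE(review): the three loops below only check resources that are present in the token;
        // they pass vacuously if neither resource is returned. Consider asserting presence as well.
        typedResource.setAttributes(new HashMap<>());
        authorization.resources().resource(typedResource.getId()).update(typedResource);
        authzResponse = authzClient.authorization("marta", "password").authorize();
        Assert.assertNotNull(authzResponse.getToken());
        for (Permission permission : toAccessToken(authzResponse.getToken()).getAuthorization().getPermissions()) {
            if (permission.getResourceName().equals(martaResource.getName())) {
                Assert.assertThat(permission.getScopes(), Matchers.not(Matchers.hasItem("create")));
            } else if (permission.getResourceName().equals(typedResource.getName())) {
                Assert.assertThat(permission.getScopes(), Matchers.containsInAnyOrder(new String[]{"create", "read"}));
            }
        }

        // 6. Same expectation when both resources are requested explicitly, typed resource first.
        AuthorizationRequest typedFirst = new AuthorizationRequest();
        typedFirst.addPermission(typedResource.getId(), new String[0]);
        typedFirst.addPermission(martaResource.getId(), new String[0]);
        authzResponse = authzClient.authorization("marta", "password").authorize(typedFirst);
        Assert.assertNotNull(authzResponse.getToken());
        for (Permission permission : toAccessToken(authzResponse.getToken()).getAuthorization().getPermissions()) {
            if (permission.getResourceName().equals(martaResource.getName())) {
                Assert.assertThat(permission.getScopes(), Matchers.not(Matchers.hasItem("create")));
            } else if (permission.getResourceName().equals(typedResource.getName())) {
                Assert.assertThat(permission.getScopes(), Matchers.containsInAnyOrder(new String[]{"create", "read"}));
            }
        }

        // 7. ...and when the request order is reversed, so the result does not depend on ordering.
        AuthorizationRequest privateFirst = new AuthorizationRequest();
        privateFirst.addPermission(martaResource.getId(), new String[0]);
        privateFirst.addPermission(typedResource.getId(), new String[0]);
        authzResponse = authzClient.authorization("marta", "password").authorize(privateFirst);
        Assert.assertNotNull(authzResponse.getToken());
        for (Permission permission : toAccessToken(authzResponse.getToken()).getAuthorization().getPermissions()) {
            if (permission.getResourceName().equals(martaResource.getName())) {
                Assert.assertThat(permission.getScopes(), Matchers.not(Matchers.hasItem("create")));
            } else if (permission.getResourceName().equals(typedResource.getName())) {
                Assert.assertThat(permission.getScopes(), Matchers.containsInAnyOrder(new String[]{"create", "read"}));
            }
        }
    }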

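    /**
     * Checks that a requesting party token (RPT) obtained with an {@code offline_access} access
     * token is still reported active after the auth server is stopped and started again, and that
     * the same access token can still be used to obtain a new RPT afterwards.
     *
     * <p>Fixtures on the {@code RESOURCE_SERVER_TEST} client: an always-grant JavaScript policy, a
     * {@code Sensors} resource with three scopes, and a {@code View Sensor} scope permission that
     * ties {@code sensors:view} to that policy. The always-grant policy is a test fixture only; it
     * makes every evaluation succeed so the test isolates token survival across the restart.
     *
     * @throws Exception if any admin, token or container call fails
     */
    @Test
    public void testOfflineRequestingPartyToken() throws Exception {
        AuthorizationResource authorization = getClient(getRealm(), RESOURCE_SERVER_TEST).authorization();

        JSPolicyRepresentation grantAllPolicy = new JSPolicyRepresentation();
        grantAllPolicy.setName(KeycloakModelUtils.generateId());
        grantAllPolicy.setCode("$evaluation.grant();");
        authorization.policies().js().create(grantAllPolicy).close();

        ResourceRepresentation sensors = new ResourceRepresentation();
        sensors.setName("Sensors");
        sensors.addScope(new String[]{"sensors:view", "sensors:update", "sensors:delete"});
        // The response body is not needed; close it once, like the other create(...) calls here.
        authorization.resources().create(sensors).close();

        ScopePermissionRepresentation viewSensor = new ScopePermissionRepresentation();
        viewSensor.setName("View Sensor");
        viewSensor.addScope(new String[]{"sensors:view"});
        viewSensor.addPolicy(new String[]{grantAllPolicy.getName()});
        authorization.permissions().scope().create(viewSensor).close();

        // Access token requested with the offline_access scope for the fixture user "offlineuser".
        String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST).scope("offline_access").doGrantAccessTokenRequest("secret", "offlineuser", "password").getAccessToken();
        AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
        AuthorizationResponse rptResponse = authzClient.authorization(accessToken).authorize();
        Assert.assertNotNull(rptResponse.getToken());

        // Restart the auth server, then re-establish the admin connection used by the suite.
        this.controller.stop(this.suiteContext.getAuthServerInfo().getQualifier());
        this.controller.start(this.suiteContext.getAuthServerInfo().getQualifier());
        reconnectAdminClient();
        // NOTE(review): presumably restores realm/client configuration lost with the restart; confirm.
        configureSectorIdentifierRedirectUris();

        // The RPT issued before the restart must still introspect as active and carry permissions.
        TokenIntrospectionResponse introspection = authzClient.protection().introspectRequestingPartyToken(rptResponse.getToken());
        Assert.assertTrue(introspection.getActive());
        Assert.assertFalse(introspection.getPermissions().isEmpty());

        // The pre-restart access token must still be accepted for a fresh authorization request.
        Assert.assertNotNull(authzClient.authorization(accessToken).authorize().getToken());
    }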

    @Test
    public void testProcessMappersForTargetAudience() throws Exception {
        ClientResource client = getClient(getRealm(), PUBLIC_TEST_CLIENT);
        ProtocolMapperRepresentation protocolMapperRepresentation = new ProtocolMapperRepresentation();
        protocolMapperRepresentation.setName("custom_claim");
        protocolMapperRepresentation.setProtocolMapper("oidc-hardcoded-claim-mapper");
        protocolMapperRepresentation.setProtocol("openid-connect");
        HashMap hashMap = new HashMap();
        hashMap.put("claim.name", "custom_claim");
        hashMap.put("claim.value", PUBLIC_TEST_CLIENT);
        hashMap.put("access.token.claim", "true");
        protocolMapperRepresentation.setConfig(hashMap);
        client.getProtocolMappers().createMapper(protocolMapperRepresentation);
        ClientResource client2 = getClient(getRealm(), RESOURCE_SERVER_TEST);
        hashMap.put("claim.value", RESOURCE_SERVER_TEST);
        client2.getProtocolMappers().createMapper(protocolMapperRepresentation);
        AuthorizationResource authorization = client2.authorization();
        JSPolicyRepresentation jSPolicyRepresentation = new JSPolicyRepresentation();
        jSPolicyRepresentation.setName(KeycloakModelUtils.generateId());
        jSPolicyRepresentation.setCode("$evaluation.grant();");
        authorization.policies().js().create(jSPolicyRepresentation).close();
        ResourceRepresentation resourceRepresentation = new ResourceRepresentation();
        resourceRepresentation.setName("Sensors");
        Response create = authorization.resources().create(resourceRepresentation);
        Throwable th = null;
        try {
            try {
                ResourceRepresentation resourceRepresentation2 = (ResourceRepresentation) create.readEntity(ResourceRepresentation.class);
                if (create != null) {
                    if (0 != 0) {
                        try {
                            create.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        create.close();
                    }
                }
                ResourcePermissionRepresentation resourcePermissionRepresentation = new ResourcePermissionRepresentation();
                resourcePermissionRepresentation.setName("View Sensor");
                resourcePermissionRepresentation.addResource(resourceRepresentation2.getName());
                resourcePermissionRepresentation.addPolicy(new String[]{jSPolicyRepresentation.getName()});
                authorization.permissions().resource().create(resourcePermissionRepresentation).close();
                this.oauth.realm("authz-test");
                this.oauth.clientId(PUBLIC_TEST_CLIENT);
                this.oauth.doLogin("marta", "password");
                OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), (String) null);
                Assert.assertEquals(PUBLIC_TEST_CLIENT, toAccessToken(doAccessTokenRequest.getAccessToken()).getOtherClaims().get("custom_claim"));
                AuthorizationRequest authorizationRequest = new AuthorizationRequest();
                authorizationRequest.addPermission("Sensors", new String[0]);
                AccessToken accessToken = toAccessToken(getAuthzClient(AUTHZ_CLIENT_CONFIG).authorization(doAccessTokenRequest.getAccessToken()).authorize(authorizationRequest).getToken());
                Assert.assertEquals(RESOURCE_SERVER_TEST, accessToken.getOtherClaims().get("custom_claim"));
                Assert.assertEquals(PUBLIC_TEST_CLIENT, accessToken.getIssuedFor());
                AccessToken accessToken2 = toAccessToken(getAuthzClient(AUTHZ_CLIENT_CONFIG).authorization(doAccessTokenRequest.getAccessToken()).authorize(authorizationRequest).getToken());
                Assert.assertEquals(RESOURCE_SERVER_TEST, accessToken2.getOtherClaims().get("custom_claim"));
                Assert.assertEquals(PUBLIC_TEST_CLIENT, accessToken2.getIssuedFor());
            } finally {
            }
        } catch (Throwable th3) {
            if (create != null) {
                if (th != null) {
                    try {
                        create.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    create.close();
                }
            }
            throw th3;
        }
    }

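    /**
     * Verifies that an access token stops being accepted as a subject token once the sessions in
     * the realm have been logged out.
     *
     * <p>The token is first shown to work, then {@code logoutAll()} is called on the realm, and the
     * same token string is expected to be rejected with HTTP 400 and an {@code unauthorized_client}
     * error. Despite the method name, the token is invalidated by logout here rather than by
     * waiting for its lifetime to elapse.
     */
    @Test
    public void testUsingExpiredToken() throws Exception {
        AuthorizationResource authorization = getClient(getRealm(), RESOURCE_SERVER_TEST).authorization();

        // The policy grants unconditionally, so the rejection asserted below cannot come from policy evaluation.
        JSPolicyRepresentation grantPolicy = new JSPolicyRepresentation();
        grantPolicy.setName(KeycloakModelUtils.generateId());
        grantPolicy.setCode("$evaluation.grant();");
        authorization.policies().js().create(grantPolicy).close();

        ResourceRepresentation sensors = new ResourceRepresentation();
        sensors.setName("Sensors");
        // The response body is not used; close it right away, as the other create calls here do.
        authorization.resources().create(sensors).close();

        ResourcePermissionRepresentation viewSensor = new ResourcePermissionRepresentation();
        viewSensor.setName("View Sensor");
        viewSensor.addPolicy(new String[]{grantPolicy.getName()});
        authorization.permissions().resource().create(viewSensor).close();

        String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST)
                .doGrantAccessTokenRequest("secret", "marta", "password").getAccessToken();
        AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);

        // Baseline: before logout the token is accepted and a permission token is issued.
        Assert.assertNotNull(authzClient.authorization(accessToken).authorize().getToken());

        getRealm().logoutAll();

        AuthorizationRequest request = new AuthorizationRequest();
        request.addPermission("Sensors", new String[0]);
        request.setSubjectToken(accessToken);
        try {
            authzClient.authorization().authorize(request);
            Assert.fail("should fail, session invalidated");
        } catch (Exception e) {
            // Check the cause type first so an unexpected failure is reported as an assertion
            // error instead of a NullPointerException or ClassCastException.
            Throwable cause = e.getCause();
            Assert.assertThat(cause, CoreMatchers.instanceOf(HttpResponseException.class));
            HttpResponseException httpError = (HttpResponseException) cause;
            Assert.assertEquals(400L, httpError.getStatusCode());
            Assert.assertTrue(httpError.toString().contains("unauthorized_client"));
        }
    }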

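    /**
     * Verifies that a subject token whose encoded form has been altered is rejected and that the
     * rejection is recorded as a {@code PERMISSION_TOKEN_ERROR} realm event.
     *
     * <p>The test enables event recording for that single event type, appends one character to an
     * otherwise valid access token, and expects HTTP 400 with {@code unauthorized_client} plus
     * exactly one recorded event.
     */
    @Test
    public void testInvalidTokenSignature() throws Exception {
        RealmEventsConfigRepresentation eventsConfig = getRealm().getRealmEventsConfig();
        eventsConfig.setEventsEnabled(true);
        eventsConfig.setEnabledEventTypes(Arrays.asList(EventType.PERMISSION_TOKEN_ERROR.name()));
        getRealm().updateRealmEventsConfig(eventsConfig);

        AuthorizationResource authorization = getClient(getRealm(), RESOURCE_SERVER_TEST).authorization();

        // The policy grants unconditionally, so the rejection asserted below cannot come from policy evaluation.
        JSPolicyRepresentation grantPolicy = new JSPolicyRepresentation();
        grantPolicy.setName(KeycloakModelUtils.generateId());
        grantPolicy.setCode("$evaluation.grant();");
        authorization.policies().js().create(grantPolicy).close();

        ResourceRepresentation sensors = new ResourceRepresentation();
        sensors.setName("Sensors");
        // try-with-resources closes the response even if reading the entity fails.
        try (Response response = authorization.resources().create(sensors)) {
            response.readEntity(ResourceRepresentation.class);
        }

        ResourcePermissionRepresentation viewSensor = new ResourcePermissionRepresentation();
        viewSensor.setName("View Sensor");
        viewSensor.addPolicy(new String[]{grantPolicy.getName()});
        authorization.permissions().resource().create(viewSensor).close();

        String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST)
                .doGrantAccessTokenRequest("secret", "marta", "password").getAccessToken();
        AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);

        AuthorizationRequest request = new AuthorizationRequest();
        request.addPermission("Sensors", new String[0]);
        // Appending a character changes the last segment of the token, so it no longer verifies.
        request.setSubjectToken(accessToken + "i");
        try {
            authzClient.authorization().authorize(request);
            Assert.fail("should fail, token signature is invalid");
        } catch (Exception e) {
            // Check the cause type first so an unexpected failure is reported as an assertion
            // error instead of a NullPointerException or ClassCastException.
            Throwable cause = e.getCause();
            Assert.assertThat(cause, CoreMatchers.instanceOf(HttpResponseException.class));
            HttpResponseException httpError = (HttpResponseException) cause;
            Assert.assertEquals(400L, httpError.getStatusCode());
            Assert.assertTrue(httpError.toString().contains("unauthorized_client"));
        }

        // NOTE(review): the exact count assumes no PERMISSION_TOKEN_ERROR events were stored for this
        // realm before the test ran, and the events config is not restored in this method; confirm
        // that setup/teardown outside this method covers both.
        Assert.assertEquals(1L, getRealm().getEvents(Arrays.asList(EventType.PERMISSION_TOKEN_ERROR.name()),
                (String) null, (String) null, (String) null, (String) null, (String) null,
                (Integer) null, (Integer) null).size());
    }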

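    /**
     * Verifies that a scope of a resource is denied when no scope permission covers it.
     *
     * <p>The resource carries three scopes but the only scope permission created covers
     * {@code sensors:view}. Requesting {@code sensors:view} must yield exactly that scope;
     * requesting {@code sensors:update} must fail with {@link AuthorizationDeniedException}
     * caused by an HTTP 403.
     */
    @Test
    public void testDenyScopeNotManagedByScopePolicy() throws Exception {
        AuthorizationResource authorization = getClient(getRealm(), RESOURCE_SERVER_TEST).authorization();

        // The policy grants unconditionally; what is under test is which scopes a permission covers.
        JSPolicyRepresentation grantPolicy = new JSPolicyRepresentation();
        grantPolicy.setName(KeycloakModelUtils.generateId());
        grantPolicy.setCode("$evaluation.grant();");
        authorization.policies().js().create(grantPolicy).close();

        ResourceRepresentation resource = new ResourceRepresentation();
        resource.setName(KeycloakModelUtils.generateId());
        resource.addScope(new String[]{"sensors:view", "sensors:update", "sensors:delete"});
        ResourceRepresentation created;
        // try-with-resources closes the response even if reading the entity fails.
        try (Response response = authorization.resources().create(resource)) {
            created = response.readEntity(ResourceRepresentation.class);
        }

        // Only sensors:view is attached to a permission; update and delete stay unmanaged.
        ScopePermissionRepresentation viewOnly = new ScopePermissionRepresentation();
        viewOnly.setName(KeycloakModelUtils.generateId());
        viewOnly.addResource(created.getId());
        viewOnly.addScope(new String[]{"sensors:view"});
        viewOnly.addPolicy(new String[]{grantPolicy.getName()});
        authorization.permissions().scope().create(viewOnly).close();

        String accessToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST)
                .doGrantAccessTokenRequest("secret", "kolo", "password").getAccessToken();
        AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);

        AuthorizationRequest viewRequest = new AuthorizationRequest();
        viewRequest.addPermission(created.getId(), new String[]{"sensors:view"});
        AuthorizationResponse viewResponse = authzClient.authorization(accessToken).authorize(viewRequest);
        Assert.assertNotNull(viewResponse.getToken());
        Collection<Permission> permissions = toAccessToken(viewResponse.getToken()).getAuthorization().getPermissions();
        Assert.assertEquals(1L, permissions.size());
        for (Permission permission : permissions) {
            Assert.assertEquals(created.getId(), permission.getResourceId());
            // Exactly one scope: the grant must not widen to the resource's other scopes.
            Assert.assertEquals(1L, permission.getScopes().size());
            Assert.assertThat(permission.getScopes(), CoreMatchers.hasItem("sensors:view"));
        }

        AuthorizationRequest updateRequest = new AuthorizationRequest();
        updateRequest.addPermission(created.getId(), new String[]{"sensors:update"});
        this.expectedException.expect(AuthorizationDeniedException.class);
        this.expectedException.expectCause(Matchers.allOf(Matchers.instanceOf(HttpResponseException.class), Matchers.hasProperty("statusCode", Matchers.is(403))));
        this.expectedException.reportMissingExceptionWithMessage("should fail, sensors:update is not covered by any scope permission");
        // NOTE(review): unlike the sensors:view request above, this call does not pass accessToken,
        // so the denial is evaluated for whatever identity authorization() uses by default rather
        // than for user "kolo"; confirm that this is the intended subject.
        authzClient.authorization().authorize(updateRequest);
    }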

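    /**
     * Verifies that a token obtained by one resource server client ({@code rs-a}) can be used to
     * request permissions for a resource that belongs to another one ({@code rs-b}).
     *
     * <p>Two confidential clients with authorization services are created. "Resource A", an
     * unconditional grant policy and a matching resource permission are all registered on
     * {@code rs-b}. The permission token returned for the request must contain exactly one
     * permission, for "Resource A".
     */
    @Test
    public void testPermissionsAcrossResourceServers() throws Exception {
        // try-with-resources closes each response even when getCreatedId throws.
        try (Response response = getRealm().clients().create(ClientBuilder.create().clientId("rs-a").secret("secret").serviceAccount().authorizationServicesEnabled(true).build())) {
            ApiUtil.getCreatedId(response);
        }

        String rsbId;
        try (Response response = getRealm().clients().create(ClientBuilder.create().clientId("rs-b").secret("secret").serviceAccount().authorizationServicesEnabled(true).build())) {
            rsbId = ApiUtil.getCreatedId(response);
        }

        // Everything below is registered on rs-b; rs-a only acts as the requesting client.
        ClientResource rsb = getRealm().clients().get(rsbId);
        // Close the create responses, as the other tests in this class do.
        rsb.authorization().resources().create(new ResourceRepresentation("Resource A", new String[0])).close();

        JSPolicyRepresentation grantPolicy = new JSPolicyRepresentation();
        grantPolicy.setName("Grant Policy");
        grantPolicy.setCode("$evaluation.grant();");
        rsb.authorization().policies().js().create(grantPolicy).close();

        ResourcePermissionRepresentation resourceAPermission = new ResourcePermissionRepresentation();
        resourceAPermission.setName("Resource A Permission");
        resourceAPermission.addResource("Resource A");
        resourceAPermission.addPolicy(new String[]{grantPolicy.getName()});
        rsb.authorization().permissions().resource().create(resourceAPermission).close();

        // NOTE(review): this is the Configuration object of the AuthzClient returned by
        // getAuthzClient, so setResource also changes that client; confirm that later users
        // of the cached client do not depend on its original resource value.
        Configuration configuration = getAuthzClient(AUTHZ_CLIENT_CONFIG).getConfiguration();
        configuration.setResource("rs-a");
        AuthzClient rsaClient = AuthzClient.create(configuration);
        AccessTokenResponse rsaToken = rsaClient.obtainAccessToken();
        // Parsing is the check here: the token must decode as an access token.
        toAccessToken(rsaToken.getToken());

        // Presumably rsaClient reads the resource from this same Configuration instance, which
        // would make rs-b the target of the request below; verify against AuthzClient.
        configuration.setResource("rs-b");
        AuthorizationRequest request = new AuthorizationRequest();
        request.addPermission("Resource A", new String[0]);
        AuthorizationResponse response = rsaClient.authorization(rsaToken.getToken()).authorize(request);
        Assert.assertNotNull(response.getToken());

        Collection<Permission> permissions = toAccessToken(response.getToken()).getAuthorization().getPermissions();
        Assert.assertEquals(1L, permissions.size());
        Assert.assertEquals("Resource A", permissions.iterator().next().getResourceName());
    }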

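    /**
     * Verifies that a confidential client acting on its own behalf can request permissions from a
     * resource server by naming it as the audience.
     *
     * <p>A new client {@code serviceB} with a service account is created and used to build an
     * {@link AuthzClient}. The response must carry a token and must not carry a refresh token.
     */
    @Test
    public void testClientToClientPermissionRequest() throws Exception {
        AuthorizationResource authorization = getClient(getRealm(), RESOURCE_SERVER_TEST).authorization();

        JSPolicyRepresentation grantPolicy = new JSPolicyRepresentation();
        grantPolicy.setName(KeycloakModelUtils.generateId());
        grantPolicy.setCode("$evaluation.grant();");
        authorization.policies().js().create(grantPolicy).close();

        ResourceRepresentation sensors = new ResourceRepresentation();
        sensors.setName("Sensors");
        // try-with-resources closes the response even if reading the entity fails.
        try (Response response = authorization.resources().create(sensors)) {
            response.readEntity(ResourceRepresentation.class);
        }

        ResourcePermissionRepresentation viewSensor = new ResourcePermissionRepresentation();
        viewSensor.setName("View Sensor");
        viewSensor.addPolicy(new String[]{grantPolicy.getName()});
        authorization.permissions().resource().create(viewSensor).close();

        ClientRepresentation serviceB = new ClientRepresentation();
        serviceB.setClientId("serviceB");
        serviceB.setServiceAccountsEnabled(true);
        serviceB.setSecret("secret");
        serviceB.setPublicClient(false);
        // Close the create response, as the other create calls in this class do.
        getRealm().clients().create(serviceB).close();

        HashMap<String, Object> credentials = new HashMap<>();
        credentials.put("secret", "secret");
        AuthzClient serviceBClient = AuthzClient.create(new Configuration(
                this.suiteContext.getAuthServerInfo().getContextRoot().toString() + "/auth",
                getRealm().toRepresentation().getRealm(),
                serviceB.getClientId(),
                credentials,
                getAuthzClient(AUTHZ_CLIENT_CONFIG).getConfiguration().getHttpClient()));

        AuthorizationRequest request = new AuthorizationRequest();
        request.setAudience(RESOURCE_SERVER_TEST);
        AuthorizationResponse response = serviceBClient.authorization().authorize(request);
        Assert.assertNotNull(response.getToken());
        // No user is involved in this exchange; the test pins that no refresh token is handed out.
        Assert.assertNull(response.getRefreshToken());
    }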

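    /**
     * Verifies that the result of a permission request does not depend on the order in which the
     * requested scopes are listed.
     *
     * <p>One scope ({@code entity:read}) belongs to a resource covered by a resource permission;
     * the other ({@code feature:access}) is a standalone scope covered by a scope permission.
     * Both orderings of the two scope-only requests must return two permissions: one without a
     * resource id holding {@code feature:access}, and one for the resource holding
     * {@code entity:read}.
     */
    @Test
    public void testPermissionOrder() throws Exception {
        AuthorizationResource authorization = getClient(getRealm(), RESOURCE_SERVER_TEST).authorization();

        JSPolicyRepresentation grantPolicy = new JSPolicyRepresentation();
        grantPolicy.setName(KeycloakModelUtils.generateId());
        grantPolicy.setCode("$evaluation.grant();");
        authorization.policies().js().create(grantPolicy).close();

        ResourceRepresentation resource = new ResourceRepresentation();
        resource.setName("my_resource");
        resource.addScope(new String[]{"entity:read"});
        ResourceRepresentation created;
        // try-with-resources closes the response even if reading the entity fails.
        try (Response response = authorization.resources().create(resource)) {
            created = response.readEntity(ResourceRepresentation.class);
        }

        ScopeRepresentation featureAccess = new ScopeRepresentation("feature:access");
        // Close the create response, as the other create calls in this class do.
        authorization.scopes().create(featureAccess).close();

        ResourcePermissionRepresentation resourcePermission = new ResourcePermissionRepresentation();
        resourcePermission.setName(KeycloakModelUtils.generateId());
        resourcePermission.addPolicy(new String[]{grantPolicy.getName()});
        resourcePermission.addResource(created.getId());
        authorization.permissions().resource().create(resourcePermission).close();

        ScopePermissionRepresentation scopePermission = new ScopePermissionRepresentation();
        scopePermission.setName(KeycloakModelUtils.generateId());
        scopePermission.addPolicy(new String[]{grantPolicy.getName()});
        scopePermission.addScope(new String[]{featureAccess.getName()});
        authorization.permissions().scope().create(scopePermission).close();

        AuthzClient authzClient = getAuthzClient(AUTHZ_CLIENT_CONFIG);
        String resourceId = created.getId();

        // First ordering: resource-bound scope, then standalone scope.
        AuthorizationRequest readThenFeature = new AuthorizationRequest();
        readThenFeature.addPermission((String) null, new String[]{"entity:read"});
        readThenFeature.addPermission((String) null, new String[]{"feature:access"});
        AccessToken.Authorization first = toAccessToken(authzClient.authorization().authorize(readThenFeature).getToken()).getAuthorization();
        Assert.assertEquals(2L, first.getPermissions().size());
        Assert.assertTrue(first.getPermissions().stream().anyMatch(
                permission -> permission.getResourceId() == null && permission.getScopes().contains(featureAccess.getName())));
        Assert.assertTrue(first.getPermissions().stream().anyMatch(
                permission -> permission.getResourceId() != null && permission.getResourceId().equals(resourceId) && permission.getScopes().contains("entity:read")));

        // Second ordering: the same two scopes, reversed; the outcome must be identical.
        AuthorizationRequest featureThenRead = new AuthorizationRequest();
        featureThenRead.addPermission((String) null, new String[]{"feature:access"});
        featureThenRead.addPermission((String) null, new String[]{"entity:read"});
        AccessToken.Authorization second = toAccessToken(authzClient.authorization().authorize(featureThenRead).getToken()).getAuthorization();
        Assert.assertEquals(2L, second.getPermissions().size());
        Assert.assertTrue(second.getPermissions().stream().anyMatch(
                permission -> permission.getResourceId() == null && permission.getScopes().contains(featureAccess.getName())));
        Assert.assertTrue(second.getPermissions().stream().anyMatch(
                permission -> permission.getResourceId() != null && permission.getResourceId().equals(resourceId) && permission.getScopes().contains("entity:read")));
    }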

    /**
     * Checks that granted permissions carry a resource name in three situations: a request with
     * no explicit permissions, a request for "Resource 13" with include-resource-name metadata,
     * and the same request after its metadata has been cleared.
     *
     * <p>All three responses are checked against metadata that has include-resource-name set to
     * {@code true}, so the first and third cases expect names to be present even though the
     * request itself sends no metadata.
     *
     * @param str name of the client configuration passed to {@code getAuthzClient}
     */
    private void testRptRequestWithResourceName(String str) {
        AuthorizationRequest.Metadata expectNames = new AuthorizationRequest.Metadata();
        expectNames.setIncludeResourceName(true);

        // Case 1: no request object at all.
        assertResponse(expectNames, () -> getAuthzClient(str).authorization("marta", "password").authorize());

        // Case 2: explicit permission with metadata attached.
        AuthorizationRequest request = new AuthorizationRequest();
        request.setMetadata(expectNames);
        request.addPermission("Resource 13", new String[0]);
        assertResponse(expectNames, () -> getAuthzClient(str).authorization("marta", "password").authorize(request));

        // Case 3: same request, metadata removed.
        request.setMetadata((AuthorizationRequest.Metadata) null);
        assertResponse(expectNames, () -> getAuthzClient(str).authorization("marta", "password").authorize(request));
    }

    /**
     * Asserts that the permission token issued for "Resource 1" names the expected audience.
     *
     * @param str  client id used for the password grant that produces the access token
     * @param str2 audience expected as the first entry of the permission token's audience
     * @param str3 name of the client configuration passed to {@code getAuthzClient}
     */
    private void testResourceServerAsAudience(String str, String str2, String str3) throws Exception {
        AuthorizationRequest request = new AuthorizationRequest();
        request.addPermission("Resource 1", new String[0]);

        AuthzClient client = getAuthzClient(str3);
        String userToken = new OAuthClient().realm("authz-test").clientId(str)
                .doGrantAccessTokenRequest("secret", "marta", "password").getAccessToken();
        AuthorizationResponse response = client.authorization(userToken).authorize(request);

        // Only the first audience entry is compared.
        Assert.assertEquals(str2, toAccessToken(response.getToken()).getAudience()[0]);
    }

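    /**
     * Logs in as the given user, requests all permissions, and reports whether the resulting
     * permission token covers the given resource (and, optionally, the given scopes).
     *
     * <p>The method fails the test, rather than returning {@code false}, when the token holds no
     * permissions at all. The first permission whose resource id matches decides the result.
     * Permissions without a resource id are skipped instead of raising a
     * {@link NullPointerException}.
     *
     * @param str    user name for the password grant
     * @param str2   password for the password grant
     * @param str3   resource id to look for
     * @param strArr scopes the matching permission must contain; {@code null} or empty means any
     * @return {@code true} if a matching permission with the required scopes is present
     */
    private boolean hasPermission(String str, String str2, String str3, String... strArr) throws Exception {
        AuthzClient client = getAuthzClient(AUTHZ_CLIENT_CONFIG);
        String userToken = new OAuthClient().realm("authz-test").clientId(RESOURCE_SERVER_TEST)
                .doGrantAccessTokenRequest("secret", str, str2).getAccessToken();
        Collection<Permission> permissions = toAccessToken(
                client.authorization(userToken).authorize(new AuthorizationRequest()).getToken())
                .getAuthorization().getPermissions();
        Assert.assertNotNull(permissions);
        Assert.assertFalse(permissions.isEmpty());

        for (Permission permission : permissions) {
            // Compare from the argument side: a permission may have no resource id.
            if (str3 != null && str3.equals(permission.getResourceId())) {
                if (strArr == null || strArr.length == 0) {
                    return true;
                }
                return permission.getScopes().containsAll(Arrays.asList(strArr));
            }
        }
        return false;
    }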

    /**
     * Scope-agnostic variant: reports whether the user has any permission on the resource.
     *
     * @param str  user name for the password grant
     * @param str2 password for the password grant
     * @param str3 resource id to look for
     */
    private boolean hasPermission(String str, String str2, String str3) throws Exception {
        // Explicit array cast: pass "no scope filter" to the varargs overload.
        return hasPermission(str, str2, str3, (String[]) null);
    }

    /**
     * Asserts that the supplied response grants at least one permission and that each permission
     * carries a resource name exactly when the metadata asks for it.
     *
     * @param metadata metadata whose include-resource-name flag defines the expectation
     * @param supplier produces the authorization response to inspect
     */
    private void assertResponse(AuthorizationRequest.Metadata metadata, Supplier<AuthorizationResponse> supplier) {
        AuthorizationResponse response = supplier.get();
        Collection<Permission> granted = toAccessToken(response.getToken()).getAuthorization().getPermissions();
        Assert.assertNotNull(granted);
        Assert.assertFalse(granted.isEmpty());

        // The list was just asserted non-empty, so reading the flag once is equivalent to reading it per item.
        boolean namesExpected = metadata.getIncludeResourceName().booleanValue();
        for (Permission permission : granted) {
            if (!namesExpected) {
                Assert.assertNull(permission.getResourceName());
            } else {
                Assert.assertNotNull(permission.getResourceName());
            }
        }
    }

    /** Returns the admin-client handle for the {@code authz-test} realm. */
    private RealmResource getRealm() throws Exception {
        RealmResource realm = this.adminClient.realm("authz-test");
        return realm;
    }

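    /**
     * Looks up a client by its client id and returns the admin resource for the first match.
     *
     * @param realmResource realm to search
     * @param str           client id to look for
     * @return the admin resource of the first client with that client id
     * @throws RuntimeException if the realm has no client with that client id; the message names
     *                          the id that was actually requested
     */
    private ClientResource getClient(RealmResource realmResource, String str) {
        ClientsResource clients = realmResource.clients();
        return clients.findByClientId(str).stream()
                .map(representation -> clients.get(representation.getId()))
                .findFirst()
                .orElseThrow(() -> new RuntimeException("Expected client [" + str + "]"));
    }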

    /**
     * Returns the test's {@link AuthzClient}, building it on first use from the JSON file
     * {@code /authorization-test/<str>} on the classpath.
     *
     * <p>The instance is stored in {@code this.authzClient}. While that field is non-null the
     * stored client is returned and {@code str} is not consulted, so a call with a different
     * configuration name gets the earlier client back.
     *
     * @param str file name of the client configuration under {@code /authorization-test/}
     * @throws RuntimeException if the configuration cannot be read
     */
    private AuthzClient getAuthzClient(String str) {
        if (this.authzClient != null) {
            return this.authzClient;
        }
        try {
            Configuration fromFile = (Configuration) JsonSerialization.readValue(
                    httpsAwareConfigurationStream(getClass().getResourceAsStream("/authorization-test/" + str)),
                    Configuration.class);

            // Pooled connections: at most 10 in total, re-validated after 10 ms of inactivity.
            PoolingHttpClientConnectionManager connectionManager = new PoolingHttpClientConnectionManager();
            connectionManager.setValidateAfterInactivity(10);
            connectionManager.setMaxTotal(10);

            // Copy the file's settings into a new Configuration that carries the pooled HTTP client.
            Configuration withPooledClient = new Configuration(
                    fromFile.getAuthServerUrl(),
                    fromFile.getRealm(),
                    fromFile.getResource(),
                    fromFile.getCredentials(),
                    HttpClients.custom().setConnectionManager(connectionManager).build());
            this.authzClient = AuthzClient.create(withPooledClient);
        } catch (IOException e) {
            throw new RuntimeException("Failed to read configuration", e);
        }
        return this.authzClient;
    }

    /**
     * Populates a client's authorization settings with one unconditional grant policy named
     * "Default Policy" and twenty resources, "Resource 1" to "Resource 20", each with its own
     * resource permission bound to that policy.
     *
     * @param str client id of the resource server to configure
     */
    private void configureAuthorization(String str) throws Exception {
        AuthorizationResource authz = getClient(getRealm(), str).authorization();

        JSPolicyRepresentation defaultPolicy = new JSPolicyRepresentation();
        defaultPolicy.setName("Default Policy");
        defaultPolicy.setCode("$evaluation.grant();");
        authz.policies().js().create(defaultPolicy).close();

        int index = 1;
        while (index <= 20) {
            ResourceRepresentation resource = new ResourceRepresentation("Resource " + index, new String[0]);
            authz.resources().create(resource).close();

            // One permission per resource, all pointing at the same grant policy.
            ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
            permission.setName(resource.getName() + " Permission");
            permission.addResource(resource.getName());
            permission.addPolicy(new String[]{defaultPolicy.getName()});
            authz.permissions().resource().create(permission).close();

            index++;
        }
    }

    /**
     * Switches authorization services off and back on for the given client, sending one update
     * per state.
     *
     * <p>NOTE(review): presumably the off/on cycle discards the client's existing authorization
     * settings; confirm against the server behavior.
     *
     * @param str client id of the resource server
     */
    private void removeAuthorization(String str) throws Exception {
        ClientResource target = getClient(getRealm(), str);
        ClientRepresentation settings = target.toRepresentation();

        // Two separate updates: disabled first, then enabled again.
        for (boolean enabled : new boolean[]{false, true}) {
            settings.setAuthorizationServicesEnabled(enabled);
            target.update(settings);
        }
    }

    /**
     * Sends the request with the given access token and asserts that the permission token holds
     * exactly one permission, for the given resource, with exactly the given scopes.
     *
     * @param authzClient            client used to send the request
     * @param str                    access token presented with the request
     * @param authorizationRequest   permission request to send
     * @param resourceRepresentation resource whose id the single permission must reference
     * @param strArr                 scopes the permission must contain, with no extras
     */
    private void assertPermissions(AuthzClient authzClient, String str, AuthorizationRequest authorizationRequest, ResourceRepresentation resourceRepresentation, String... strArr) {
        AuthorizationResponse response = authzClient.authorization(str).authorize(authorizationRequest);
        Assert.assertNotNull(response.getToken());

        AccessToken rpt = toAccessToken(response.getToken());
        Collection<Permission> granted = rpt.getAuthorization().getPermissions();
        Assert.assertEquals(1L, granted.size());

        for (Permission permission : granted) {
            Assert.assertEquals(resourceRepresentation.getId(), permission.getResourceId());
            // Same size plus containsAll: the granted scopes must not exceed the expected ones.
            Assert.assertEquals(strArr.length, permission.getScopes().size());
            Assert.assertTrue(permission.getScopes().containsAll(Arrays.asList(strArr)));
        }
    }
}
