package org.keycloak.testsuite.oidc;

import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.util.List;
import org.jboss.arquillian.graphene.page.Page;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.common.util.PemUtils;
import org.keycloak.crypto.AesCbcHmacShaContentEncryptionProvider;
import org.keycloak.crypto.AesGcmContentEncryptionProvider;
import org.keycloak.crypto.RsaCekManagementProvider;
import org.keycloak.jose.jwe.JWEException;
import org.keycloak.jose.jwe.alg.JWEAlgorithmProvider;
import org.keycloak.jose.jwe.enc.JWEEncryptionProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.representations.IDToken;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.testsuite.AbstractTestRealmKeycloakTest;
import org.keycloak.testsuite.Assert;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.AbstractAdminTest;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected;
import org.keycloak.testsuite.client.resources.TestApplicationResourceUrls;
import org.keycloak.testsuite.client.resources.TestOIDCEndpointsApplicationResource;
import org.keycloak.testsuite.oauth.RefreshTokenTest;
import org.keycloak.testsuite.pages.AccountUpdateProfilePage;
import org.keycloak.testsuite.pages.AppPage;
import org.keycloak.testsuite.pages.ErrorPage;
import org.keycloak.testsuite.pages.LoginPage;
import org.keycloak.testsuite.pages.OAuthGrantPage;
import org.keycloak.testsuite.saml.ConcurrentAuthnRequestTest;
import org.keycloak.testsuite.util.ClientManager;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.TokenSignatureUtil;
import org.keycloak.util.TokenUtil;

/* loaded from: input_file:org/keycloak/testsuite/oidc/IdTokenEncryptionTest.class */
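/**
 * Integration tests for encrypted ID tokens (OIDC Core 1.0, nested JWS-in-JWE).
 *
 * <p>Each test enables ID token encryption on the default test client, logs in, exchanges the
 * code for tokens, decrypts the returned ID token with the client's private key and checks the
 * inner token's claims. The matrix covers every supported pairing of key-management algorithm
 * ({@code alg}: RSA1_5, RSA-OAEP, RSA-OAEP-256) and content-encryption algorithm
 * ({@code enc}: AES-CBC-HMAC and AES-GCM families) while varying the inner signature algorithm.
 *
 * <p>RSA1_5 (PKCS#1 v1.5 key transport) is covered for interoperability only; it is the
 * key-management algorithm most exposed to padding-oracle attacks and its presence in this
 * matrix is not an endorsement for new deployments.
 *
 * <p>Every test reverts the client to unencrypted RS256 ID tokens in a {@code finally} block so
 * a failing run cannot leak encryption settings into the next test.
 */
public class IdTokenEncryptionTest extends AbstractTestRealmKeycloakTest {

    /** Realm whose default client is reconfigured by every test in this class. */
    private static final String TEST_REALM = "test";

    /** Signature algorithm the client is reverted to after each test. */
    private static final String DEFAULT_SIG_ALG = "RS256";

    /** Key under which the test application exposes its PEM-encoded private key. */
    private static final String PRIVATE_KEY_PEM = "privateKey";

    @Rule
    public AssertEvents events = new AssertEvents(this);

    @Page
    protected AppPage appPage;

    @Page
    protected LoginPage loginPage;

    @Page
    protected AccountUpdateProfilePage profilePage;

    @Page
    protected OAuthGrantPage grantPage;

    @Page
    protected ErrorPage errorPage;

    /** The realm is used exactly as loaded from {@code /testrealm.json}; nothing to adjust. */
    @Override
    public void configureTestRealm(RealmRepresentation testRealm) {
    }

    /**
     * Enables the direct-access grant on the default client (the tests exchange a code with the
     * user's password) and resets the OAuth client under test to that client with no max_age.
     */
    @Before
    public void clientConfiguration() {
        ClientManager.realm(adminClient.realm(TEST_REALM)).clientId(AssertEvents.DEFAULT_CLIENT_ID).directAccessGrant(true);
        oauth.clientId(AssertEvents.DEFAULT_CLIENT_ID);
        oauth.maxAge((String) null);
    }

    /**
     * Registers the standard test realm.
     *
     * @param testRealms realms to be imported before the tests run
     */
    @Override
    public void addTestRealms(List<RealmRepresentation> testRealms) {
        testRealms.add(AbstractAdminTest.loadJson(getClass().getResourceAsStream("/testrealm.json"), RealmRepresentation.class));
    }

    // ---- alg = RSA1_5 ----------------------------------------------------------------------

    @Test
    public void testIdTokenEncryptionAlgRSA1_5EncA128CBC_HS256() {
        // ES256 signing needs a realm key on curve P-256; register one before the run.
        TokenSignatureUtil.registerKeyProvider("P-256", adminClient, testContext);
        testIdTokenSignatureAndEncryption("ES256", "RSA1_5", "A128CBC-HS256");
    }

    @Test
    public void testIdTokenEncryptionAlgRSA1_5EncA192CBC_HS384() {
        testIdTokenSignatureAndEncryption("PS256", "RSA1_5", "A192CBC-HS384");
    }

    @Test
    public void testIdTokenEncryptionAlgRSA1_5EncA256CBC_HS512() {
        testIdTokenSignatureAndEncryption("PS384", "RSA1_5", "A256CBC-HS512");
    }

    @Test
    public void testIdTokenEncryptionAlgRSA1_5EncA128GCM() {
        testIdTokenSignatureAndEncryption("RS384", "RSA1_5", "A128GCM");
    }

    @Test
    public void testIdTokenEncryptionAlgRSA1_5EncA192GCM() {
        testIdTokenSignatureAndEncryption("RS512", "RSA1_5", "A192GCM");
    }

    @Test
    public void testIdTokenEncryptionAlgRSA1_5EncA256GCM() {
        testIdTokenSignatureAndEncryption("RS256", "RSA1_5", "A256GCM");
    }

    // ---- alg = RSA-OAEP --------------------------------------------------------------------

    @Test
    public void testIdTokenEncryptionAlgRSA_OAEPEncA128CBC_HS256() {
        // ES512 signing needs a realm key on curve P-521; register one before the run.
        TokenSignatureUtil.registerKeyProvider("P-521", adminClient, testContext);
        testIdTokenSignatureAndEncryption("ES512", "RSA-OAEP", "A128CBC-HS256");
    }

    @Test
    public void testIdTokenEncryptionAlgRSA_OAEPEncA192CBC_HS384() {
        testIdTokenSignatureAndEncryption("PS256", "RSA-OAEP", "A192CBC-HS384");
    }

    @Test
    public void testIdTokenEncryptionAlgRSA_OAEPEncA256CBC_HS512() {
        testIdTokenSignatureAndEncryption("PS512", "RSA-OAEP", "A256CBC-HS512");
    }

    @Test
    public void testIdTokenEncryptionAlgRSA_OAEPEncA128GCM() {
        // ES256 signing needs a realm key on curve P-256; register one before the run.
        TokenSignatureUtil.registerKeyProvider("P-256", adminClient, testContext);
        testIdTokenSignatureAndEncryption("ES256", "RSA-OAEP", "A128GCM");
    }

    @Test
    public void testIdTokenEncryptionAlgRSA_OAEPEncA192GCM() {
        testIdTokenSignatureAndEncryption("PS384", "RSA-OAEP", "A192GCM");
    }

    @Test
    public void testIdTokenEncryptionAlgRSA_OAEPEncA256GCM() {
        testIdTokenSignatureAndEncryption("PS512", "RSA-OAEP", "A256GCM");
    }

    // ---- alg = RSA-OAEP-256 ----------------------------------------------------------------

    @Test
    public void testIdTokenEncryptionAlgRSA_OAEP256EncA128CBC_HS256() {
        // ES512 signing needs a realm key on curve P-521; register one before the run.
        TokenSignatureUtil.registerKeyProvider("P-521", adminClient, testContext);
        testIdTokenSignatureAndEncryption("ES512", "RSA-OAEP-256", "A128CBC-HS256");
    }

    @Test
    public void testIdTokenEncryptionAlgRSA_OAEP256EncA192CBC_HS384() {
        testIdTokenSignatureAndEncryption("PS256", "RSA-OAEP-256", "A192CBC-HS384");
    }

    @Test
    public void testIdTokenEncryptionAlgRSA_OAEP256EncA256CBC_HS512() {
        testIdTokenSignatureAndEncryption("PS512", "RSA-OAEP-256", "A256CBC-HS512");
    }

    /**
     * Runs one cell of the signature/encryption matrix.
     *
     * <p>Generates a key pair for {@code algAlgorithm} on the test application, points the client
     * at that application's JWKS, requests an ID token, checks it is a five-part JWE, decrypts it
     * with the application's private key and hands the inner token to the normal ID-token
     * verification. The client configuration is reverted whatever the outcome.
     *
     * @param sigAlgorithm signature algorithm of the inner JWS ({@code id_token_signed_response_alg})
     * @param algAlgorithm JWE key-management algorithm ({@code id_token_encrypted_response_alg})
     * @param encAlgorithm JWE content-encryption algorithm ({@code id_token_encrypted_response_enc})
     * @throws AssertionError when the token has the wrong shape, cannot be decrypted, or carries
     *         unexpected claims
     */
    private void testIdTokenSignatureAndEncryption(String sigAlgorithm, String algAlgorithm, String encAlgorithm) {
        try {
            // The test application generates and publishes the key pair the server will encrypt to.
            TestOIDCEndpointsApplicationResource oidcClientEndpoints = testingClient.testApp().oidcClientEndpoints();
            oidcClientEndpoints.generateKeys(algAlgorithm);
            enableIdTokenEncryption(sigAlgorithm, algAlgorithm, encAlgorithm);

            String code = oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password").getCode();
            String idTokenEncrypted = oauth.doAccessTokenRequest(code, "password").getIdToken();
            // JWE compact serialization has five dot-separated parts; a plain JWS would have three.
            Assert.assertEquals(5, idTokenEncrypted.split("\\.").length);

            // Decrypt with the application's private key using the same alg/enc the client asked for,
            // then verify the inner token exactly like an unencrypted ID token.
            PrivateKey decryptionKey = PemUtils.decodePrivateKey(oidcClientEndpoints.getKeysAsPem().get(PRIVATE_KEY_PEM));
            byte[] innerToken = TokenUtil.jweKeyEncryptionVerifyAndDecode(decryptionKey, idTokenEncrypted,
                    getJweAlgorithmProvider(algAlgorithm), getJweEncryptionProvider(encAlgorithm));
            IDToken idToken = oauth.verifyIDToken(new String(innerToken, StandardCharsets.UTF_8));
            Assert.assertEquals(AssertEvents.DEFAULT_USERNAME, idToken.getPreferredUsername());
            Assert.assertEquals(AssertEvents.DEFAULT_CLIENT_ID, idToken.getIssuedFor());
        } catch (JWEException e) {
            // Keep the cause: a bare fail() hides which alg/enc pairing and which step broke.
            throw new AssertionError("ID token decryption failed for " + algAlgorithm + "/" + encAlgorithm, e);
        } finally {
            revertClientConfiguration();
        }
    }

    /**
     * Switches ID token encryption on for the default client and points it at the test
     * application's JWKS URL so the server can fetch the encryption public key.
     *
     * @param sigAlgorithm inner JWS signature algorithm
     * @param algAlgorithm JWE key-management algorithm
     * @param encAlgorithm JWE content-encryption algorithm
     */
    private void enableIdTokenEncryption(String sigAlgorithm, String algAlgorithm, String encAlgorithm) {
        ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM), AssertEvents.DEFAULT_CLIENT_ID);
        ClientRepresentation clientRep = clientResource.toRepresentation();
        OIDCAdvancedConfigWrapper config = OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep);
        config.setIdTokenSignedResponseAlg(sigAlgorithm);
        config.setIdTokenEncryptedResponseAlg(algAlgorithm);
        config.setIdTokenEncryptedResponseEnc(encAlgorithm);
        config.setUseJwksUrl(true);
        config.setJwksUrl(TestApplicationResourceUrls.clientJwksUri());
        clientResource.update(clientRep);
    }

    /**
     * Restores the default client to unencrypted {@value #DEFAULT_SIG_ALG} ID tokens with no
     * JWKS URL. Called from {@code finally} blocks so every test leaves the client as it found it.
     */
    private void revertClientConfiguration() {
        ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM), AssertEvents.DEFAULT_CLIENT_ID);
        ClientRepresentation clientRep = clientResource.toRepresentation();
        OIDCAdvancedConfigWrapper config = OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep);
        config.setIdTokenSignedResponseAlg(DEFAULT_SIG_ALG);
        config.setIdTokenEncryptedResponseAlg((String) null);
        config.setIdTokenEncryptedResponseEnc((String) null);
        config.setUseJwksUrl(false);
        config.setJwksUrl((String) null);
        clientResource.update(clientRep);
    }

    /**
     * Resolves the client-side key-management provider used to unwrap the content encryption key.
     *
     * @param algAlgorithm JWE {@code alg} header value
     * @return provider for the RSA key-transport algorithms this test supports
     * @throws IllegalArgumentException for any other algorithm, rather than returning
     *         {@code null} and failing later inside the decoder
     */
    private JWEAlgorithmProvider getJweAlgorithmProvider(String algAlgorithm) {
        switch (algAlgorithm) {
            case "RSA1_5":
            case "RSA-OAEP":
            case "RSA-OAEP-256":
                return new RsaCekManagementProvider((KeycloakSession) null, algAlgorithm).jweAlgorithmProvider();
            default:
                throw new IllegalArgumentException("unsupported JWE alg: " + algAlgorithm);
        }
    }

    /**
     * Resolves the client-side content-encryption provider for the inner token.
     *
     * @param encAlgorithm JWE {@code enc} header value
     * @return AES-GCM provider for the {@code A*GCM} family, AES-CBC-HMAC provider for the
     *         {@code A*CBC-HS*} family
     * @throws IllegalArgumentException for any other algorithm
     */
    private JWEEncryptionProvider getJweEncryptionProvider(String encAlgorithm) {
        switch (encAlgorithm) {
            case "A128GCM":
            case "A192GCM":
            case "A256GCM":
                return new AesGcmContentEncryptionProvider((KeycloakSession) null, encAlgorithm).jweEncryptionProvider();
            case "A128CBC-HS256":
            case "A192CBC-HS384":
            case "A256CBC-HS512":
                return new AesCbcHmacShaContentEncryptionProvider((KeycloakSession) null, encAlgorithm).jweEncryptionProvider();
            default:
                throw new IllegalArgumentException("unsupported JWE enc: " + encAlgorithm);
        }
    }

    /**
     * Encryption is enabled but the client's JWKS only publishes a signing key (generated for
     * RS256), so the server has no key to encrypt to. The token endpoint must refuse with
     * {@code invalid_request} instead of issuing an unencrypted ID token; the server-side error
     * is expected and is what {@link UncaughtServerErrorExpected} allows for.
     */
    @Test
    @UncaughtServerErrorExpected
    public void testIdTokenEncryptionWithoutEncryptionKEK() {
        try {
            testingClient.testApp().oidcClientEndpoints().generateKeys("RS256");
            enableIdTokenEncryption("RS256", "RSA1_5", "A128CBC-HS256");

            String code = oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password").getCode();
            OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, "password");
            Assert.assertEquals("invalid_request", response.getError());
            Assert.assertEquals("can not get encryption KEK", response.getErrorDescription());
        } finally {
            revertClientConfiguration();
        }
    }
}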
