package org.keycloak.testsuite.authz;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.ws.rs.core.Response;
import org.hamcrest.Matchers;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.keycloak.admin.client.resource.AuthorizationResource;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.ClientsResource;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.ResourcesResource;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.util.HttpResponseException;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.AuthorizationResponse;
import org.keycloak.representations.idm.authorization.JSPolicyRepresentation;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.representations.idm.authorization.PermissionRequest;
import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.ScopePermissionRepresentation;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.testsuite.util.RoleBuilder;
import org.keycloak.testsuite.util.RolesBuilder;
import org.keycloak.testsuite.util.UserBuilder;

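@AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
/**
 * Verifies that claims pushed by policies via {@code $evaluation.getPermission().addClaim(...)}
 * end up in the permissions carried by the issued RPT, and how those claims are merged when
 * several policies, or several permissions, apply to the same resource or scope.
 *
 * <p>Security-relevant point these tests pin down: a claim added by a policy that ends with
 * {@code $evaluation.deny()} is still present in the RPT whenever a different permission grants
 * access to the same resource/scope (see the "deny-policy" assertions). Consumers of RPT claims
 * must therefore not treat the presence of a claim as evidence that the policy that pushed it
 * granted anything; only the permission list itself expresses the decision.
 */
public class PermissionClaimTest extends AbstractAuthzTest {

    /** Grants and pushes two values under the "claim-a" key. */
    private JSPolicyRepresentation claimAPolicy;
    /** Grants and pushes "claim-b". */
    private JSPolicyRepresentation claimBPolicy;
    /** Grants and pushes "claim-c". */
    private JSPolicyRepresentation claimCPolicy;
    /** Pushes "deny-policy" and then denies. */
    private JSPolicyRepresentation denyPolicy;

    /** A call to the authorization endpoint that may throw; used to assert denial. */
    @FunctionalInterface
    private interface AuthorizeAttempt {
        void run() throws Exception;
    }

    @Override
    public void addTestRealms(List<RealmRepresentation> list) {
        // Two users: "marta" holds uma_authorization (needed to obtain an RPT), "kolo" does not.
        // Two clients: the resource server under test and a plain client used to obtain user tokens.
        list.add(RealmBuilder.create()
                .name("authz-test")
                .roles(RolesBuilder.create().realmRole(RoleBuilder.create().name("uma_authorization").build()))
                .user(UserBuilder.create().username("marta").password("password").addRoles("uma_authorization"))
                .user(UserBuilder.create().username("kolo").password("password"))
                .client(ClientBuilder.create()
                        .clientId("resource-server-test")
                        .secret("secret")
                        .authorizationServicesEnabled(true)
                        .redirectUris("http://localhost/resource-server-test")
                        .defaultRoles("uma_protection")
                        .directAccessGrants())
                .client(ClientBuilder.create()
                        .clientId("test-client")
                        .secret("secret")
                        .authorizationServicesEnabled(true)
                        .redirectUris("http://localhost/test-client")
                        .directAccessGrants())
                .build());
    }

    /** Creates the four JS policies every test builds its permissions from. */
    @Before
    public void configureAuthorization() throws Exception {
        AuthorizationResource authorization = getClient(getRealm()).authorization();
        this.claimAPolicy = createJsPolicy(authorization, "Claim A Policy",
                "$evaluation.getPermission().addClaim('claim-a', 'claim-a');$evaluation.getPermission().addClaim('claim-a', 'claim-a1');$evaluation.grant();");
        this.claimBPolicy = createJsPolicy(authorization, "Policy Claim B",
                "$evaluation.getPermission().addClaim('claim-b', 'claim-b');$evaluation.grant();");
        this.claimCPolicy = createJsPolicy(authorization, "Policy Claim C",
                "$evaluation.getPermission().addClaim('claim-c', 'claim-c');$evaluation.grant();");
        this.denyPolicy = createJsPolicy(authorization, "Deny Policy",
                "$evaluation.getPermission().addClaim('deny-policy', 'deny-policy');$evaluation.deny();");
    }

    /**
     * Resets the resource server between tests by toggling authorization services off and on,
     * then removes the "Default Resource" that the re-enabled server exposes so that every test
     * starts without any pre-existing resource.
     * NOTE(review): relies on the toggle discarding all resources/policies/permissions created by
     * the previous test — confirm against the server behaviour if tests start to interfere.
     */
    @After
    public void removeAuthorization() throws Exception {
        ClientResource client = getClient(getRealm());
        ClientRepresentation representation = client.toRepresentation();
        representation.setAuthorizationServicesEnabled(false);
        client.update(representation);
        representation.setAuthorizationServicesEnabled(true);
        client.update(representation);
        ResourcesResource resources = client.authorization().resources();
        ResourceRepresentation defaultResource = resources.findByName("Default Resource").get(0);
        resources.resource(defaultResource.getId()).remove();
    }

    /** A single policy adding two values under one key: both values must be present in the RPT. */
    @Test
    public void testPermissionWithClaims() throws Exception {
        AuthorizationResource authorization = getClient(getRealm()).authorization();
        ResourceRepresentation resource = new ResourceRepresentation("Resource A", new String[0]);
        authorization.resources().create(resource).close();
        authorization.permissions().resource()
                .create(resourcePermission(resource.getName() + " Permission", resource.getName(), this.claimAPolicy.getName()))
                .close();

        PermissionRequest permissionRequest = new PermissionRequest();
        permissionRequest.setResourceId(resource.getName());
        String accessToken = obtainUserAccessToken();
        AuthzClient authzClient = getAuthzClient();
        String ticket = authzClient.protection().permission().create(permissionRequest).getTicket();
        AuthorizationResponse response = authzClient.authorization(accessToken).authorize(new AuthorizationRequest(ticket));

        List<Permission> permissions = grantedPermissions(response);
        Assert.assertEquals(1L, permissions.size());
        Set<String> claimA = permissions.get(0).getClaims().get("claim-a");
        Assert.assertTrue(claimA.containsAll(Arrays.asList("claim-a", "claim-a1")));
    }

    /** Two policies on one permission: claims from both are merged into the single permission. */
    @Test
    public void testPermissionWithClaimsDifferentPolicies() throws Exception {
        AuthorizationResource authorization = getClient(getRealm()).authorization();
        ResourceRepresentation resource = new ResourceRepresentation("Resource B", new String[0]);
        authorization.resources().create(resource).close();
        authorization.permissions().resource()
                .create(resourcePermission(resource.getName() + " Permission", resource.getName(),
                        this.claimAPolicy.getName(), this.claimBPolicy.getName()))
                .close();

        PermissionRequest permissionRequest = new PermissionRequest();
        permissionRequest.setResourceId(resource.getName());
        String accessToken = obtainUserAccessToken();
        AuthzClient authzClient = getAuthzClient();
        String ticket = authzClient.protection().permission().forResource(permissionRequest).getTicket();
        AuthorizationResponse response = authzClient.authorization(accessToken).authorize(new AuthorizationRequest(ticket));

        List<Permission> permissions = grantedPermissions(response);
        Assert.assertEquals(1L, permissions.size());
        Map<String, Set<String>> claims = permissions.get(0).getClaims();
        Assert.assertTrue(claims.containsKey("claim-a"));
        Assert.assertTrue(claims.containsKey("claim-b"));
    }

    /**
     * Two scope permissions overlapping on "update": claims from both are merged into each
     * granted permission. Adding the deny policy to the narrower permission does not revoke the
     * grant (the wider permission still grants create/update) but its claim still shows up.
     */
    @Test
    public void testClaimsFromDifferentScopePermissions() throws Exception {
        AuthorizationResource authorization = getClient(getRealm()).authorization();
        authorization.resources().create(new ResourceRepresentation(KeycloakModelUtils.generateId(), new String[]{"create", "update"})).close();
        authorization.resources().create(new ResourceRepresentation(KeycloakModelUtils.generateId(), new String[]{"create", "update"})).close();

        ScopePermissionRepresentation createUpdatePermission = scopePermission(KeycloakModelUtils.generateId(),
                new String[]{"create", "update"}, this.claimAPolicy.getName(), this.claimBPolicy.getName());
        authorization.permissions().scope().create(createUpdatePermission).close();

        // The created representation is needed later to attach the deny policy by id.
        ScopePermissionRepresentation updatePermission;
        try (Response created = authorization.permissions().scope().create(
                scopePermission(KeycloakModelUtils.generateId(), new String[]{"update"}, this.claimCPolicy.getName()))) {
            updatePermission = created.readEntity(ScopePermissionRepresentation.class);
        }

        AuthzClient authzClient = getAuthzClient();
        AuthorizationRequest request = new AuthorizationRequest();
        // No resource id: only the scopes are named, so presumably every resource exposing them is evaluated.
        request.addPermission((String) null, new String[]{"create", "update"});

        List<Permission> permissions = grantedPermissions(authzClient.authorization("marta", "password").authorize(request));
        Assert.assertEquals(2L, permissions.size());
        for (Permission permission : permissions) {
            assertClaimsFromAllThreePolicies(permission.getClaims());
        }

        updatePermission.addPolicy(this.denyPolicy.getName());
        authorization.permissions().scope().findById(updatePermission.getId()).update(updatePermission);

        // Still granted via the create/update permission; the denying policy's claim is nevertheless visible.
        List<Permission> permissionsAfterDeny = grantedPermissions(authzClient.authorization("marta", "password").authorize(request));
        Assert.assertEquals(2L, permissionsAfterDeny.size());
        for (Permission permission : permissionsAfterDeny) {
            Map<String, Set<String>> claims = permission.getClaims();
            assertClaimsFromAllThreePolicies(claims);
            Assert.assertThat(claims.get("deny-policy"), Matchers.containsInAnyOrder("deny-policy"));
        }
    }

    /**
     * Two resource permissions on one typed resource: claims merge into the single grant. Once a
     * deny policy is attached to one of them the whole resource is denied (403 / access_denied);
     * a second resource of the same type owned by "marta" is only reachable after it gets its own
     * permission, and then carries the merged claims of all applicable permissions — including
     * the deny policy's claim, presumably inherited through the typed-resource permissions.
     */
    @Test
    public void testClaimsFromDifferentResourcePermissions() throws Exception {
        AuthorizationResource authorization = getClient(getRealm()).authorization();
        ResourceRepresentation typedResource = new ResourceRepresentation(KeycloakModelUtils.generateId(), new String[0]);
        typedResource.setType("typed-resource");
        authorization.resources().create(typedResource).close();

        authorization.permissions().resource()
                .create(resourcePermission(KeycloakModelUtils.generateId(), typedResource.getName(),
                        this.claimAPolicy.getName(), this.claimBPolicy.getName()))
                .close();

        ResourcePermissionRepresentation claimCPermission;
        try (Response created = authorization.permissions().resource().create(
                resourcePermission(KeycloakModelUtils.generateId(), typedResource.getName(), this.claimCPolicy.getName()))) {
            claimCPermission = created.readEntity(ResourcePermissionRepresentation.class);
        }

        AuthzClient authzClient = getAuthzClient();
        List<Permission> permissions = grantedPermissions(authzClient.authorization("marta", "password").authorize());
        Assert.assertEquals(1L, permissions.size());
        for (Permission permission : permissions) {
            assertClaimsFromAllThreePolicies(permission.getClaims());
        }

        // A denying policy on either permission makes the resource inaccessible.
        claimCPermission.addPolicy(this.denyPolicy.getName());
        authorization.permissions().resource().findById(claimCPermission.getId()).update(claimCPermission);
        assertAccessDenied(() -> authzClient.authorization("marta", "password").authorize());

        ResourceRepresentation ownedResource = new ResourceRepresentation(KeycloakModelUtils.generateId(), new String[]{"create", "update"});
        ownedResource.setType(typedResource.getType());
        ownedResource.setOwner("marta");
        ResourceRepresentation createdOwnedResource;
        try (Response created = authorization.resources().create(ownedResource)) {
            createdOwnedResource = created.readEntity(ResourceRepresentation.class);
        }

        AuthorizationRequest scopesRequest = new AuthorizationRequest();
        scopesRequest.addPermission((String) null, new String[]{"create", "update"});
        // Owning the resource is not enough: without a permission granting it, access is denied.
        assertAccessDenied(() -> authzClient.authorization("marta", "password").authorize(scopesRequest));

        authorization.permissions().resource()
                .create(resourcePermission(KeycloakModelUtils.generateId(), createdOwnedResource.getId(), this.claimCPolicy.getName()))
                .close();

        List<Permission> scopedPermissions = grantedPermissions(authzClient.authorization("marta", "password").authorize(scopesRequest));
        Assert.assertEquals(1L, scopedPermissions.size());
        for (Permission permission : scopedPermissions) {
            Map<String, Set<String>> claims = permission.getClaims();
            assertClaimsFromAllThreePolicies(claims);
            Assert.assertThat(claims.get("deny-policy"), Matchers.containsInAnyOrder("deny-policy"));
        }

        List<Permission> allPermissions = grantedPermissions(authzClient.authorization("marta", "password").authorize());
        Assert.assertEquals(1L, allPermissions.size());
        for (Permission permission : allPermissions) {
            Map<String, Set<String>> claims = permission.getClaims();
            assertClaimsFromAllThreePolicies(claims);
            Assert.assertThat(claims.get("deny-policy"), Matchers.containsInAnyOrder("deny-policy"));
            Assert.assertThat(permission.getScopes(), Matchers.containsInAnyOrder("create", "update"));
        }

        // Dropping the deny policy makes the typed resource accessible again: two grants, no deny claim.
        claimCPermission.setPolicies(new HashSet<>());
        claimCPermission.addPolicy(this.claimCPolicy.getName());
        authorization.permissions().resource().findById(claimCPermission.getId()).update(claimCPermission);

        List<Permission> permissionsAfterReset = grantedPermissions(authzClient.authorization("marta", "password").authorize());
        Assert.assertEquals(2L, permissionsAfterReset.size());
        for (Permission permission : permissionsAfterReset) {
            assertClaimsFromAllThreePolicies(permission.getClaims());
        }
    }

    /** Creates a JS policy with the given name and script and returns its representation. */
    private static JSPolicyRepresentation createJsPolicy(AuthorizationResource authorization, String name, String code) {
        JSPolicyRepresentation policy = new JSPolicyRepresentation();
        policy.setName(name);
        policy.setCode(code);
        authorization.policies().js().create(policy).close();
        return policy;
    }

    /** Builds (does not create) a resource-based permission for one resource and the given policies. */
    private static ResourcePermissionRepresentation resourcePermission(String name, String resource, String... policies) {
        ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
        permission.setName(name);
        permission.addResource(resource);
        permission.addPolicy(policies);
        return permission;
    }

    /** Builds (does not create) a scope-based permission for the given scopes and policies. */
    private static ScopePermissionRepresentation scopePermission(String name, String[] scopes, String... policies) {
        ScopePermissionRepresentation permission = new ScopePermissionRepresentation();
        permission.setName(name);
        permission.addScope(scopes);
        permission.addPolicy(policies);
        return permission;
    }

    /** Password grant for "marta" through the plain "test-client"; the token is later exchanged for an RPT. */
    private static String obtainUserAccessToken() throws Exception {
        return new OAuthClient()
                .realm("authz-test")
                .clientId("test-client")
                .doGrantAccessTokenRequest("secret", "marta", "password")
                .getAccessToken();
    }

    /** Asserts an RPT was issued and returns the permissions it carries. */
    private List<Permission> grantedPermissions(AuthorizationResponse response) throws Exception {
        Assert.assertNotNull(response.getToken());
        return new ArrayList<>(toAccessToken(response.getToken()).getAuthorization().getPermissions());
    }

    /** Claims pushed by the A, B and C policies must all be present, with exactly their values. */
    private static void assertClaimsFromAllThreePolicies(Map<String, Set<String>> claims) {
        Assert.assertNotNull(claims);
        Assert.assertThat(claims.get("claim-a"), Matchers.containsInAnyOrder("claim-a", "claim-a1"));
        Assert.assertThat(claims.get("claim-b"), Matchers.containsInAnyOrder("claim-b"));
        Assert.assertThat(claims.get("claim-c"), Matchers.containsInAnyOrder("claim-c"));
    }

    /**
     * Runs an authorization attempt and asserts it fails with HTTP 403 and an "access_denied"
     * error. Only {@link RuntimeException} is inspected; a checked exception propagates as a
     * test error, and the {@code Assert.fail} on unexpected success is not caught here.
     */
    private static void assertAccessDenied(AuthorizeAttempt attempt) throws Exception {
        try {
            attempt.run();
            Assert.fail("can not access resource");
        } catch (RuntimeException e) {
            HttpResponseException cause = HttpResponseException.class.cast(e.getCause());
            Assert.assertEquals(403L, cause.getStatusCode());
            Assert.assertTrue(cause.toString().contains("access_denied"));
        }
    }

    private RealmResource getRealm() throws Exception {
        return this.adminClient.realm("authz-test");
    }

    /** Resolves the resource server client by clientId; fails loudly if the realm lacks it. */
    private ClientResource getClient(RealmResource realmResource) {
        ClientsResource clients = realmResource.clients();
        return clients.findByClientId("resource-server-test").stream()
                .map(clientRepresentation -> clients.get(clientRepresentation.getId()))
                .findFirst()
                .orElseThrow(() -> new RuntimeException("Expected client [resource-server-test]"));
    }

    /** AuthzClient configured from the bundled keycloak.json, rewritten for HTTPS when the suite runs over TLS. */
    private AuthzClient getAuthzClient() {
        try {
            return AuthzClient.create(httpsAwareConfigurationStream(getClass().getResourceAsStream("/authorization-test/default-keycloak.json")));
        } catch (IOException e) {
            throw new RuntimeException("Failed to create authz client", e);
        }
    }
}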
