package org.keycloak.testsuite.admin;

import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import org.jboss.arquillian.graphene.page.Page;
import org.junit.After;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.UserResource;
import org.keycloak.admin.client.resource.UsersResource;
import org.keycloak.common.Profile;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.ClientScopeRepresentation;
import org.keycloak.representations.idm.IdentityProviderRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.representations.idm.UserSessionRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.Assert;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.arquillian.annotation.DisableFeature;
import org.keycloak.testsuite.oauth.BackchannelLogoutTest;
import org.keycloak.testsuite.pages.AppPage;
import org.keycloak.testsuite.pages.ConsentPage;
import org.keycloak.testsuite.pages.ErrorPage;
import org.keycloak.testsuite.pages.LoginPage;
import org.keycloak.testsuite.util.OAuthClient;

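/**
 * Integration tests for user consent handling.
 *
 * <p>What is verified, from a security point of view:
 * <ul>
 *   <li>consent given on the consent screen is recorded per client and visible through the
 *       admin API ({@code UserResource#getConsents()});</li>
 *   <li>revoking a consent also detaches the client from the user's live session, so a
 *       revoked client cannot keep riding an existing SSO session;</li>
 *   <li>cancelling on the consent screen denies access ("No access") instead of logging
 *       the user in;</li>
 *   <li>switching {@code consentRequired} on for a client invalidates refresh tokens that
 *       were issued before consent was required (refresh fails with {@code invalid_scope}).</li>
 * </ul>
 *
 * <p>Fixture layout: a {@code provider} realm hosts the test user and a confidential
 * {@code brokerapp} client; a {@code consumer} realm brokers logins to it through a
 * {@code keycloak-oidc} identity provider. A third realm is loaded from
 * {@code /testrealm.json} and used by {@link #clientConsentRequiredAfterLogin()}.
 *
 * <p>Security note: {@link #CLIENT_SECRET} and {@link #USER_PASSWORD} are throw-away fixture
 * values for an ephemeral test server and must never be reused in real configuration.
 */
@DisableFeature(value = Profile.Feature.ACCOUNT2, skipRestart = true)
public class ConsentsTest extends AbstractKeycloakTest {
    static final String REALM_PROV_NAME = "provider";
    static final String REALM_CONS_NAME = "consumer";
    static final String IDP_OIDC_ALIAS = "kc-oidc-idp";
    static final String IDP_OIDC_PROVIDER_ID = "keycloak-oidc";
    static final String CLIENT_ID = "brokerapp";
    /** Fixture-only secret, shared by the provider-realm client and the consumer-realm IdP config. */
    static final String CLIENT_SECRET = "secret";
    static final String USER_LOGIN = "testuser";
    static final String USER_EMAIL = "user@localhost.com";
    /** Fixture-only password; {@link #createUser()} sets it as non-temporary so no update prompt intervenes. */
    static final String USER_PASSWORD = "password";
    static final String USER_FIRSTNAME = "User";
    static final String USER_LASTNAME = "Tester";

    /** Upper bound for {@link #waitForPage(String)}; it is a soft wait, callers assert afterwards. */
    private static final long PAGE_WAIT_MILLIS = 200L;
    /** Polling interval used by {@link #waitForPage(String)}. */
    private static final long PAGE_POLL_MILLIS = 5L;

    @Rule
    public AssertEvents events = new AssertEvents(this);

    @Page
    protected LoginPage accountLoginPage;

    @Page
    protected ConsentPage consentPage;

    @Page
    protected AppPage appPage;

    @Page
    protected ErrorPage errorPage;

    /** Builds the enabled {@code provider} realm that hosts the test user and the broker client. */
    protected RealmRepresentation createProviderRealm() {
        RealmRepresentation providerRealm = new RealmRepresentation();
        providerRealm.setRealm(REALM_PROV_NAME);
        providerRealm.setEnabled(true);
        return providerRealm;
    }

    /** Builds the enabled {@code consumer} realm that brokers logins to the provider realm. */
    protected RealmRepresentation createConsumerRealm() {
        RealmRepresentation consumerRealm = new RealmRepresentation();
        consumerRealm.setRealm(REALM_CONS_NAME);
        consumerRealm.setEnabled(true);
        return consumerRealm;
    }

    /**
     * Builds the confidential {@code brokerapp} client for the provider realm.
     *
     * <p>Consent is required so that the brokered login goes through the consent screen.
     * The redirect-URI wildcard is deliberately scoped to the consumer realm's broker
     * endpoint for {@link #IDP_OIDC_ALIAS} rather than to the whole host, so the fixture
     * does not register an open redirector. The same endpoint doubles as the admin URL used
     * for back-channel logout.
     */
    protected List<ClientRepresentation> createProviderClients() {
        String brokerEndpoint = getAuthRoot() + "/auth/realms/" + REALM_CONS_NAME + "/broker/" + IDP_OIDC_ALIAS + "/endpoint";
        ClientRepresentation brokerClient = new ClientRepresentation();
        brokerClient.setClientId(CLIENT_ID);
        brokerClient.setName(CLIENT_ID);
        brokerClient.setSecret(CLIENT_SECRET);
        brokerClient.setEnabled(true);
        brokerClient.setConsentRequired(true);
        brokerClient.setRedirectUris(Collections.singletonList(brokerEndpoint + "/*"));
        brokerClient.setAdminUrl(brokerEndpoint);
        return Collections.singletonList(brokerClient);
    }

    /**
     * Builds the {@code keycloak-oidc} identity provider that the consumer realm uses to
     * delegate authentication to the provider realm. {@code prompt=login} forces a fresh
     * authentication at the provider on every brokered login; {@code backchannelSupported}
     * lets the provider's logout propagate to the consumer.
     */
    protected IdentityProviderRepresentation setUpIdentityProvider() {
        IdentityProviderRepresentation idp = createIdentityProvider(IDP_OIDC_ALIAS, IDP_OIDC_PROVIDER_ID);
        String providerOidc = getAuthRoot() + "/auth/realms/" + REALM_PROV_NAME + "/protocol/openid-connect";
        Map<String, String> config = idp.getConfig();
        config.put("clientId", CLIENT_ID);
        config.put("clientSecret", CLIENT_SECRET);
        config.put("prompt", "login");
        config.put("authorizationUrl", providerOidc + "/auth");
        config.put("tokenUrl", providerOidc + "/token");
        config.put("logoutUrl", providerOidc + "/logout");
        config.put("userInfoUrl", providerOidc + "/userinfo");
        config.put("defaultScope", "email profile");
        config.put("backchannelSupported", "true");
        return idp;
    }

    protected String getUserLogin() {
        return USER_LOGIN;
    }

    protected String getUserPassword() {
        return USER_PASSWORD;
    }

    protected String getUserEmail() {
        return USER_EMAIL;
    }

    protected String getUserFirstName() {
        return USER_FIRSTNAME;
    }

    protected String getUserLastName() {
        return USER_LASTNAME;
    }

    protected String providerRealmName() {
        return REALM_PROV_NAME;
    }

    protected String consumerRealmName() {
        return REALM_CONS_NAME;
    }

    protected String getIDPAlias() {
        return IDP_OIDC_ALIAS;
    }

    /**
     * Registers the provider realm, the consumer realm and the realm described by
     * {@code /testrealm.json} (the {@code test} realm used by the refresh-token test).
     */
    @Override
    public void addTestRealms(List<RealmRepresentation> testRealms) {
        testRealms.add(createProviderRealm());
        testRealms.add(createConsumerRealm());
        testRealms.add((RealmRepresentation) AbstractAdminTest.loadJson(
                getClass().getResourceAsStream("/testrealm.json"), RealmRepresentation.class));
    }

    /**
     * Creates the test user in the provider realm with a verified e-mail and a permanent
     * (non-temporary) password, so the login flow is not interrupted by an update-password
     * action. Removed again by {@link #cleanUser()}.
     */
    @Before
    public void createUser() {
        this.log.debug("creating user for realm " + providerRealmName());
        UserRepresentation user = new UserRepresentation();
        user.setUsername(getUserLogin());
        user.setEmail(getUserEmail());
        user.setFirstName(getUserFirstName());
        user.setLastName(getUserLastName());
        user.setEmailVerified(true);
        user.setEnabled(true);
        RealmResource providerRealm = this.adminClient.realm(providerRealmName());
        String userId = ApiUtil.createUserWithAdminClient(providerRealm, user);
        ApiUtil.resetUserPassword(providerRealm.users().get(userId), getUserPassword(), false);
    }

    /** Registers the OIDC identity provider in the consumer realm. */
    @Before
    public void addIdentityProviderToProviderRealm() {
        this.log.debug("adding identity provider to realm " + consumerRealmName());
        this.adminClient.realm(consumerRealmName()).identityProviders().create(setUpIdentityProvider());
    }

    /** Registers every client returned by {@link #createProviderClients()} in the provider realm. */
    @Before
    public void addClients() {
        List<ClientRepresentation> providerClients = createProviderClients();
        if (providerClients == null) {
            return;
        }
        RealmResource providerRealm = this.adminClient.realm(providerRealmName());
        for (ClientRepresentation client : providerClients) {
            this.log.debug("adding client " + client.getName() + " to realm " + providerRealmName());
            providerRealm.clients().create(client);
        }
    }

    /** Root URL of the auth server under test (scheme, host, port, no path). */
    protected String getAuthRoot() {
        return this.suiteContext.getAuthServerInfo().getContextRoot().toString();
    }

    /**
     * Builds an enabled identity provider whose alias is {@code alias} and whose provider id
     * (and display name) is {@code providerId}.
     */
    protected IdentityProviderRepresentation createIdentityProvider(String alias, String providerId) {
        IdentityProviderRepresentation idp = new IdentityProviderRepresentation();
        idp.setAlias(alias);
        idp.setDisplayName(providerId);
        idp.setProviderId(providerId);
        idp.setEnabled(true);
        return idp;
    }

    /**
     * Polls the browser title until it contains {@code titleFragment} (case-insensitive on
     * both sides) or {@link #PAGE_WAIT_MILLIS} elapse. This is a soft wait: callers assert
     * the page state afterwards, so hitting the deadline is not an error here. The fragment
     * is lower-cased as well, otherwise a mixed-case argument such as "Sign in to provider"
     * could never match the lower-cased title and the wait would always run to the deadline.
     * If the thread is interrupted while sleeping, the interrupt flag is restored and the
     * wait ends early.
     */
    private void waitForPage(String titleFragment) {
        String wanted = titleFragment.toLowerCase(Locale.ROOT);
        long deadline = System.currentTimeMillis() + PAGE_WAIT_MILLIS;
        while (!this.driver.getTitle().toLowerCase(Locale.ROOT).contains(wanted)
                && System.currentTimeMillis() < deadline) {
            try {
                Thread.sleep(PAGE_POLL_MILLIS);
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
                return;
            }
        }
    }

    /**
     * Deletes the test user from the provider realm. Only the entry whose username is
     * exactly {@link #getUserLogin()} is removed; the search is a substring search and could
     * in principle return other users.
     */
    @After
    public void cleanUser() {
        UsersResource users = this.adminClient.realm(providerRealmName()).users();
        users.search(getUserLogin()).stream()
                .filter(u -> getUserLogin().equals(u.getUsername()))
                .findFirst()
                .ifPresent(u -> users.delete(u.getId()));
    }

    /**
     * Brokered login through the consumer realm: the user authenticates at the provider
     * realm, grants consent to {@code brokerapp}, and lands back in the consumer realm.
     * Afterwards the consent must be visible on the provider-realm user, and revoking it
     * must detach {@code brokerapp} from the user's still-active session.
     */
    @Test
    @AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
    public void testConsents() {
        String providerRealmPath = "/auth/realms/" + providerRealmName() + "/";
        String consumerRealmPath = "/auth/realms/" + consumerRealmName() + "/";

        this.driver.navigate().to(getAccountUrl(consumerRealmName()));
        this.log.debug("Clicking social " + getIDPAlias());
        this.accountLoginPage.clickSocial(getIDPAlias());
        if (!this.driver.getCurrentUrl().contains(providerRealmPath)) {
            this.log.debug("Not on provider realm page, url: " + this.driver.getCurrentUrl());
        }
        Assert.assertTrue("Driver should be on the provider realm page right now",
                this.driver.getCurrentUrl().contains(providerRealmPath));

        this.log.debug("Logging in");
        this.accountLoginPage.login(getUserLogin(), getUserPassword());
        waitForPage("grant access");
        Assert.assertTrue(this.consentPage.isCurrent());
        this.consentPage.confirm();
        Assert.assertTrue("We must be on correct realm right now",
                this.driver.getCurrentUrl().contains(consumerRealmPath));

        // The brokered login must have created a linked user in the consumer realm.
        UsersResource consumerUsers = this.adminClient.realm(consumerRealmName()).users();
        Assert.assertTrue("There must be at least one user", consumerUsers.count().intValue() > 0);
        // Constant-first equals: other users in the search page may have no e-mail set.
        UserRepresentation brokeredUser = consumerUsers.search("", 0, 5).stream()
                .filter(u -> getUserLogin().equals(u.getUsername()) && getUserEmail().equals(u.getEmail()))
                .findFirst()
                .orElse(null);
        Assert.assertNotNull("There must be user " + getUserLogin() + " in realm " + consumerRealmName(), brokeredUser);

        // Consent lives on the provider-realm user, which is where brokerapp was authorized.
        RealmResource providerRealm = this.adminClient.realm(providerRealmName());
        List<UserRepresentation> providerMatches = providerRealm.users().search(
                (String) null, brokeredUser.getFirstName(), brokeredUser.getLastName(), (String) null, 0, 1);
        Assert.assertEquals("Same user should be in provider realm", 1L, providerMatches.size());
        UserResource providerUser = providerRealm.users().get(providerMatches.get(0).getId());

        List<Map<String, Object>> consents = providerUser.getConsents();
        Assert.assertEquals("There should be one consent", 1L, consents.size());
        Assert.assertEquals("Consent should be given to brokerapp", CLIENT_ID, consents.get(0).get("clientId"));

        List<UserSessionRepresentation> sessionsBefore = providerUser.getUserSessions();
        Assert.assertEquals("There should be one active session", 1L, sessionsBefore.size());
        Assert.assertEquals("There should be one client in user session", 1L, sessionsBefore.get(0).getClients().size());

        // Revocation must remove the consent AND drop the client from the live session;
        // the session itself stays, since the user is still authenticated at the provider.
        providerUser.revokeConsent(CLIENT_ID);
        Assert.assertEquals("There should be no consents", 0L, providerUser.getConsents().size());
        List<UserSessionRepresentation> sessionsAfter = providerUser.getUserSessions();
        Assert.assertEquals("There should be one active session", 1L, sessionsAfter.size());
        Assert.assertEquals("There should be no client in user session", 0L, sessionsAfter.get(0).getClients().size());
    }

    /**
     * Makes {@code offline_access} a default scope of the account client, has the user grant
     * consent for it on the consent screen, obtains an offline token via the password grant,
     * and checks that the offline token shows up in the user's consents as "Offline Token".
     *
     * <p>{@code consentRequired} is switched off again before the password grant, because
     * a direct grant cannot show a consent screen and would otherwise be rejected.
     */
    @Test
    @AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
    public void testRetrieveConsentsForUserWithClientsWithGrantedOfflineAccess() throws Exception {
        RealmResource providerRealm = this.adminClient.realm(providerRealmName());
        RealmRepresentation realmRep = providerRealm.toRepresentation();
        realmRep.setAccountTheme("keycloak");
        providerRealm.update(realmRep);

        ClientRepresentation accountClient = providerRealm.clients()
                .findByClientId(BackchannelLogoutTest.ACCOUNT_CLIENT_NAME).get(0);
        ClientResource accountClientResource = providerRealm.clients().get(accountClient.getId());
        ClientScopeRepresentation offlineAccessScope = providerRealm.getDefaultOptionalClientScopes().stream()
                .filter(scope -> "offline_access".equals(scope.getName()))
                .findFirst()
                .orElseThrow(() -> new IllegalStateException("offline_access scope not found in realm " + providerRealmName()));
        // Promote offline_access from optional to default so it is requested on the account login.
        accountClientResource.removeOptionalClientScope(offlineAccessScope.getId());
        accountClientResource.addDefaultClientScope(offlineAccessScope.getId());
        accountClient.setConsentRequired(true);
        accountClient.setDirectAccessGrantsEnabled(true);
        accountClientResource.update(accountClient);

        UserRepresentation user = providerRealm.users().search(getUserLogin()).get(0);

        this.driver.navigate().to(getAccountUrl(providerRealmName()));
        waitForPage("Sign in to provider");
        this.log.debug("Logging in");
        this.accountLoginPage.login(getUserLogin(), getUserPassword());
        waitForPage("grant access");
        this.log.debug("Grant consent for offline_access");
        Assert.assertTrue(this.consentPage.isCurrent());
        this.consentPage.confirm();
        waitForPage("keycloak account console");

        accountClient.setConsentRequired(false);
        accountClientResource.update(accountClient);

        this.log.debug("Obtain offline_token");
        OAuthClient.AccessTokenResponse grant = this.oauth.realm(realmRep.getRealm())
                .clientId(accountClient.getClientId())
                .scope("openid profile offline_access")
                .doGrantAccessTokenRequest((String) null, getUserLogin(), getUserPassword());
        org.junit.Assert.assertNotNull(grant.getRefreshToken());

        this.log.debug("Check for Offline Token in consents");
        List<Map<String, Object>> consents = providerRealm.users().get(user.getId()).getConsents();
        org.junit.Assert.assertFalse("Consents should not be empty", consents.isEmpty());
        // The consent representation is rendered as a string here; the exact key holding
        // "Offline Token" is not pinned by this test. TODO(review): assert on the field.
        org.junit.Assert.assertTrue(consents.toString().contains("Offline Token"));
    }

    /**
     * Cancelling on the consent screen must deny access ("No access" error page) rather
     * than log the user in; a subsequent login that confirms consent must succeed.
     */
    @Test
    public void testConsentCancel() {
        ClientResource accountClient = ApiUtil.findClientByClientId(
                this.adminClient.realm(providerRealmName()), BackchannelLogoutTest.ACCOUNT_CLIENT_NAME);
        ClientRepresentation accountClientRep = accountClient.toRepresentation();
        accountClientRep.setConsentRequired(true);
        accountClient.update(accountClientRep);

        this.accountPage.setAuthRealm(providerRealmName());
        this.accountPage.navigateTo();
        this.loginPage.form().login(getUserLogin(), getUserPassword());
        this.consentPage.assertCurrent();
        this.consentPage.cancel();
        this.errorPage.assertCurrent();
        org.junit.Assert.assertEquals("No access", this.errorPage.getError());

        this.errorPage.clickBackToApplication();
        this.loginPage.form().login(getUserLogin(), getUserPassword());
        this.consentPage.confirm();
        this.accountPage.assertCurrent();
    }

    /**
     * A refresh token issued while the client did not require consent must stop working once
     * {@code consentRequired} is enabled on that client: the refresh is rejected with
     * {@code invalid_scope} / "Client no longer has requested consent from user" and an
     * {@code invalid_token} refresh event is recorded. The client is always restored to
     * {@code consentRequired=false} so the shared {@code test} realm is left unchanged.
     */
    @Test
    public void clientConsentRequiredAfterLogin() {
        this.oauth.realm("test").clientId(AssertEvents.DEFAULT_CLIENT_ID);
        String code = this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password").getCode();
        OAuthClient.AccessTokenResponse tokens = this.oauth.doAccessTokenRequest(code, "password");
        Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, this.appPage.getRequestType());
        Assert.assertNotNull(this.oauth.getCurrentQuery().get("code"));
        String sessionId = this.events.expectLogin()
                .detail("username", AssertEvents.DEFAULT_USERNAME)
                .assertEvent()
                .getSessionId();

        ClientResource clientResource = this.adminClient.realm("test").clients()
                .get(this.adminClient.realm("test").clients().findByClientId(AssertEvents.DEFAULT_CLIENT_ID).get(0).getId());
        ClientRepresentation client = clientResource.toRepresentation();
        try {
            client.setConsentRequired(true);
            clientResource.update(client);
            this.events.clear();

            OAuthClient.AccessTokenResponse refreshed = this.oauth.doRefreshTokenRequest(tokens.getRefreshToken(), "password");
            Assert.assertEquals("invalid_scope", refreshed.getError());
            Assert.assertEquals("Client no longer has requested consent from user", refreshed.getErrorDescription());
            this.events.expectRefresh(tokens.getRefreshToken(), sessionId)
                    .clearDetails()
                    .error("invalid_token")
                    .assertEvent();
        } finally {
            // Restore the shared fixture even if an assertion above fails.
            client.setConsentRequired(false);
            clientResource.update(client);
        }
    }

    /** Account-console URL of {@code realmName} on the auth server under test. */
    private String getAccountUrl(String realmName) {
        return getAuthRoot() + "/auth/realms/" + realmName + "/account";
    }
}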
