package org.keycloak.testsuite.broker;

import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import org.junit.Before;
import org.junit.Test;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.common.util.KeyUtils;
import org.keycloak.common.util.MultivaluedHashMap;
import org.keycloak.common.util.PemUtils;
import org.keycloak.keys.KeyProvider;
import org.keycloak.keys.PublicKeyStorageUtils;
import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
import org.keycloak.representations.idm.ComponentRepresentation;
import org.keycloak.representations.idm.IdentityProviderRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.testsuite.Assert;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.client.resources.TestingCacheResource;
import org.keycloak.testsuite.util.OAuthClient;

/* loaded from: input_file:org/keycloak/testsuite/broker/KcOIDCBrokerWithSignatureTest.class */
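/**
 * Broker tests for OIDC identity-provider token signature verification on the
 * consumer realm.
 *
 * <p>Two verifier modes of {@link OIDCIdentityProviderConfigRep} are exercised:
 * keys fetched from the provider realm's JWKS ("certs") endpoint, and a single
 * hard-coded PEM public key (optionally pinned to an explicit key id). Each mode
 * is checked against a rotation of the provider realm's active RS256 key, and the
 * consumer-side "keys" cache is checked for explicit clearing and for invalidation
 * when the identity provider configuration changes.
 *
 * <p>JUnit 4 does not define the order in which sibling {@code @Before} methods of
 * one class run, so the three fixtures below must not depend on one another.
 */
public class KcOIDCBrokerWithSignatureTest extends AbstractBaseBrokerTest {

    /** Alias of the identity provider registered in the consumer realm. */
    private static final String IDP_ALIAS = "kc-oidc-idp";

    /** Error page text the consumer shows when it cannot verify the provider's token. */
    private static final String IDP_AUTH_ERROR = "Unexpected error when authenticating with identity provider";

    /** Name of the consumer-side cache holding identity-provider public keys. */
    private static final String KEYS_CACHE = "keys";

    /** Signature algorithm whose active key id is tracked across rotation. */
    private static final String RS256 = "RS256";

    /** Provider id of Keycloak's generated-RSA key provider used to rotate keys. */
    private static final String GENERATED_RSA_PROVIDER_ID = "rsa-generated";

    /** A key id that cannot match the provider's real signing key. */
    private static final String INVALID_KEY_ID = "invalid-key-id";

    /** JWKS URL that nothing listens on, used to prove the broker does not fall back to stale keys. */
    private static final String UNREACHABLE_JWKS_URL = "https://localhost:43214/non-existent";

    /**
     * Seconds the test clock is advanced after a key rotation. In JWKS mode this is
     * enough for the broker to pick up the new key (see
     * {@link #testSignatureVerificationJwksUrl()}), presumably because it waits at
     * least this long between JWKS re-fetches — confirm against PublicKeyStorage.
     */
    private static final int KEY_REFRESH_OFFSET_SECONDS = 20;

    @Override // org.keycloak.testsuite.broker.AbstractBaseBrokerTest
    protected BrokerConfiguration getBrokerConfiguration() {
        return KcOidcBrokerConfiguration.INSTANCE;
    }

    /**
     * Creates the brokered user in the provider realm: enabled, e-mail already
     * verified, with the configured password.
     */
    @Before
    public void createUser() {
        log.debug("creating user for realm " + bc.providerRealmName());

        UserRepresentation user = new UserRepresentation();
        user.setUsername(bc.getUserLogin());
        user.setEmail(bc.getUserEmail());
        user.setEmailVerified(true);
        user.setEnabled(true);

        RealmResource realm = providerRealm();
        String userId = ApiUtil.createUserWithAdminClient(realm, user);
        // The trailing false is presumably the "temporary" flag, so the first login
        // is not interrupted by a forced password change — confirm against ApiUtil.
        ApiUtil.resetUserPassword(realm.users().get(userId), bc.getUserPassword(), false);
    }

    /**
     * Registers the OIDC identity provider in the <em>consumer</em> realm (despite the
     * historical method name): the consumer brokers logins to the provider realm.
     */
    @Before
    public void addIdentityProviderToProviderRealm() {
        log.debug("adding identity provider to realm " + bc.consumerRealmName());
        consumerRealm().identityProviders().create(bc.setUpIdentityProvider()).close();
    }

    /** Creates the OIDC clients on both realms, as defined by the base test. */
    @Before
    public void addClients() {
        addClientsToProviderAndConsumer();
    }

    /**
     * JWKS-URL mode survives key rotation: the first login after the provider rotates
     * its RS256 key is rejected, but a login after the clock is advanced succeeds
     * again, so the broker must have re-fetched the JWKS and found the new key.
     */
    @Test
    public void testSignatureVerificationJwksUrl() throws Exception {
        updateIdentityProviderWithJwksUrl();
        logInAsUserInIDPForFirstTime();
        assertLoggedInAccountManagement();
        logoutFromConsumerRealm();

        rotateKeys();
        // Immediately after rotation the token is rejected — presumably the broker
        // still serves the previously fetched key set and throttles re-fetching.
        logInAsUserInIDP();
        assertErrorPage(IDP_AUTH_ERROR);
        logoutFromConsumerRealm();

        setTimeOffset(KEY_REFRESH_OFFSET_SECONDS);
        logInAsUserInIDP();
        assertLoggedInAccountManagement();
    }

    /**
     * Hard-coded public key mode does not survive key rotation: once the provider's
     * active key changes, logins fail and keep failing even after the clock is
     * advanced, because a pinned key is never refreshed.
     */
    @Test
    public void testSignatureVerificationHardcodedPublicKey() throws Exception {
        updateIdentityProviderWithHardcodedPublicKey();
        logInAsUserInIDPForFirstTime();
        assertLoggedInAccountManagement();
        logoutFromConsumerRealm();

        rotateKeys();
        logInAsUserInIDP();
        assertErrorPage(IDP_AUTH_ERROR);
        logoutFromConsumerRealm();

        // Unlike JWKS mode, waiting does not help: the configured key is fixed.
        setTimeOffset(KEY_REFRESH_OFFSET_SECONDS);
        logInAsUserInIDP();
        assertErrorPage(IDP_AUTH_ERROR);
    }

    /**
     * With a hard-coded public key, an explicitly configured key id must match the
     * key id derived from that key: a mismatching id is rejected, while the derived
     * id, an empty id and a null id are all accepted.
     */
    @Test
    public void testSignatureVerificationHardcodedPublicKeyWithKeyIdSetExplicitly() throws Exception {
        String publicKey = updateIdentityProviderWithHardcodedPublicKey();
        // Key id Keycloak derives from the key material itself.
        String derivedKeyId = KeyUtils.createKeyId(PemUtils.decodePublicKey(publicKey));

        logInAsUserInIDPForFirstTime();
        assertLoggedInAccountManagement();
        logoutFromConsumerRealm();

        setPublicKeySignatureVerifierKeyId(INVALID_KEY_ID);
        logInAsUserInIDP();
        assertErrorPage(IDP_AUTH_ERROR);

        setPublicKeySignatureVerifierKeyId(derivedKeyId);
        logInAsUserInIDP();
        assertLoggedInAccountManagement();
        logoutFromConsumerRealm();

        // Empty and null key ids both mean "no explicit kid check".
        setPublicKeySignatureVerifierKeyId("");
        logInAsUserInIDP();
        assertLoggedInAccountManagement();
        logoutFromConsumerRealm();

        setPublicKeySignatureVerifierKeyId(null);
        logInAsUserInIDP();
        assertLoggedInAccountManagement();
        logoutFromConsumerRealm();
    }

    /**
     * A successful JWKS-mode login populates the consumer's keys cache for this
     * provider; clearing the realm's keys cache removes that entry and empties the cache.
     */
    @Test
    public void testClearKeysCache() throws Exception {
        updateIdentityProviderWithJwksUrl();
        logInAsUserInIDPForFirstTime();
        assertLoggedInAccountManagement();
        logoutFromConsumerRealm();

        String cacheKey = idpModelCacheKey();
        TestingCacheResource cache = keysCache();
        Assert.assertTrue(cache.contains(cacheKey));

        consumerRealm().clearKeysCache();
        Assert.assertFalse(cache.contains(cacheKey));
        Assert.assertEquals(0L, cache.size());
    }

    /**
     * Updating the identity provider drops its cached keys right away, and the broker
     * must not keep using the old keys afterwards: with the JWKS URL pointed at an
     * unreachable endpoint, the next login fails even after the clock is advanced.
     */
    @Test
    public void testPublicKeyCacheInvalidatedWhenProviderUpdated() throws Exception {
        updateIdentityProviderWithJwksUrl();
        logInAsUserInIDPForFirstTime();
        assertLoggedInAccountManagement();
        logoutFromConsumerRealm();

        String cacheKey = idpModelCacheKey();
        TestingCacheResource cache = keysCache();
        Assert.assertTrue(cache.contains(cacheKey));

        IdentityProviderRepresentation idp = getIdentityProvider();
        new OIDCIdentityProviderConfigRep(idp).setJwksUrl(UNREACHABLE_JWKS_URL);
        updateIdentityProvider(idp);
        Assert.assertFalse(cache.contains(cacheKey));

        setTimeOffset(KEY_REFRESH_OFFSET_SECONDS);
        logInAsUserInIDP();
        assertErrorPage(IDP_AUTH_ERROR);
    }

    /**
     * Configures the identity provider to validate signatures against the provider
     * realm's JWKS ("certs") endpoint.
     */
    private void updateIdentityProviderWithJwksUrl() {
        IdentityProviderRepresentation idp = getIdentityProvider();
        OIDCIdentityProviderConfigRep cfg = new OIDCIdentityProviderConfigRep(idp);
        cfg.setValidateSignature(true);
        cfg.setUseJwksUrl(true);
        cfg.setJwksUrl(providerCertsUrl());
        updateIdentityProvider(idp);
    }

    /**
     * Configures the identity provider to validate signatures against the provider
     * realm's currently active signing key, copied in as a hard-coded PEM public key.
     *
     * @return the PEM-encoded public key that was configured
     */
    private String updateIdentityProviderWithHardcodedPublicKey() {
        String publicKey = ApiUtil.findActiveSigningKey(providerRealm()).getPublicKey();
        IdentityProviderRepresentation idp = getIdentityProvider();
        OIDCIdentityProviderConfigRep cfg = new OIDCIdentityProviderConfigRep(idp);
        cfg.setValidateSignature(true);
        cfg.setUseJwksUrl(false);
        cfg.setPublicKeySignatureVerifier(publicKey);
        updateIdentityProvider(idp);
        return publicKey;
    }

    /**
     * Sets (or clears, for {@code null}/empty) the key id the hard-coded verifier key
     * is expected to carry, and persists the change.
     */
    private void setPublicKeySignatureVerifierKeyId(String keyId) {
        IdentityProviderRepresentation idp = getIdentityProvider();
        new OIDCIdentityProviderConfigRep(idp).setPublicKeySignatureVerifierKeyId(keyId);
        updateIdentityProvider(idp);
    }

    /** JWKS ("certs") endpoint of the provider realm on the shared auth server. */
    private String providerCertsUrl() {
        return OIDCLoginProtocolService.certsUrl(UriBuilder.fromUri(OAuthClient.AUTH_SERVER_ROOT))
                .build(bc.providerRealmName())
                .toString();
    }

    /**
     * Rotates the provider realm's signing key by adding a generated RSA key provider
     * whose priority (current epoch millis) outranks the existing one, and asserts that
     * the active RS256 key id actually changed.
     */
    private void rotateKeys() {
        String previousKeyId = activeRs256KeyId();

        ComponentRepresentation keyProvider = new ComponentRepresentation();
        keyProvider.setName("generated");
        keyProvider.setProviderType(KeyProvider.class.getName());
        keyProvider.setProviderId(GENERATED_RSA_PROVIDER_ID);
        keyProvider.setParentId(providerRealm().toRepresentation().getId());
        keyProvider.setConfig(new MultivaluedHashMap<>());
        // Epoch millis is above any priority assigned earlier; the assertion below
        // verifies that this was enough to make the new key the active one.
        keyProvider.getConfig().putSingle("priority", Long.toString(System.currentTimeMillis()));

        Response response = providerRealm().components().add(keyProvider);
        try {
            org.junit.Assert.assertEquals(201L, response.getStatus());
        } finally {
            // Release the connection even when the status assertion fails.
            response.close();
        }

        org.junit.Assert.assertNotEquals(previousKeyId, activeRs256KeyId());
    }

    /** Key id of the provider realm's currently active RS256 key. */
    private String activeRs256KeyId() {
        return providerRealm().keys().getKeyMetadata().getActive().get(RS256);
    }

    /** Cache key under which the consumer stores this identity provider's public keys. */
    private String idpModelCacheKey() {
        return PublicKeyStorageUtils.getIdpModelCacheKey(
                consumerRealm().toRepresentation().getId(),
                getIdentityProvider().getInternalId());
    }

    /** Testing-resource handle on the consumer realm's keys cache. */
    private TestingCacheResource keysCache() {
        return testingClient.testing(bc.consumerRealmName()).cache(KEYS_CACHE);
    }

    /** Logs the browser out of the consumer realm. */
    private void logoutFromConsumerRealm() {
        logoutFromRealm(BrokerTestTools.getConsumerRoot(), bc.consumerRealmName());
    }

    private RealmResource providerRealm() {
        return adminClient.realm(bc.providerRealmName());
    }

    private RealmResource consumerRealm() {
        return adminClient.realm(bc.consumerRealmName());
    }

    /** Current representation of the identity provider, fetched from the consumer realm. */
    private IdentityProviderRepresentation getIdentityProvider() {
        return consumerRealm().identityProviders().get(IDP_ALIAS).toRepresentation();
    }

    /** Persists a modified identity provider representation to the consumer realm. */
    private void updateIdentityProvider(IdentityProviderRepresentation idp) {
        consumerRealm().identityProviders().get(IDP_ALIAS).update(idp);
    }
}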
