package org.keycloak.testsuite.hok;

import java.io.IOException;
import java.net.URI;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.function.Supplier;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.core.Response;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.impl.client.CloseableHttpClient;
import org.hamcrest.Matchers;
import org.jboss.arquillian.drone.api.annotation.Drone;
import org.junit.Assert;
import org.junit.Assume;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.common.util.KeystoreUtil;
import org.keycloak.events.EventType;
import org.keycloak.jose.jws.JWSHeader;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.jose.jws.crypto.HashUtils;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.IDToken;
import org.keycloak.representations.RefreshToken;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.EventRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.representations.oidc.TokenMetadataRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.AbstractTestRealmKeycloakTest;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.drone.Different;
import org.keycloak.testsuite.util.ClientManager;
import org.keycloak.testsuite.util.KeycloakModelUtils;
import org.keycloak.testsuite.util.MutualTLSUtils;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.ServerURLs;
import org.keycloak.testsuite.util.UserInfoClientUtil;
import org.keycloak.util.JsonSerialization;
import org.openqa.selenium.WebDriver;

/* loaded from: input_file:org/keycloak/testsuite/hok/HoKTest.class */
public class HoKTest extends AbstractTestRealmKeycloakTest {

    @Drone
    @Different
    protected WebDriver driver2;
    private static final List<String> CLIENT_LIST = Arrays.asList(AssertEvents.DEFAULT_CLIENT_ID, "named-test-app", "service-account-client");

    @Rule
    public HoKAssertEvents events = new HoKAssertEvents(this);

    /* loaded from: input_file:org/keycloak/testsuite/hok/HoKTest$HoKAssertEvents.class */
    public static class HoKAssertEvents extends AssertEvents {
        private final String defaultRedirectUri = "https://localhost:8543/auth/realms/master/app/auth";

        public HoKAssertEvents(AbstractKeycloakTest abstractKeycloakTest) {
            super(abstractKeycloakTest);
            this.defaultRedirectUri = "https://localhost:8543/auth/realms/master/app/auth";
        }

        @Override // org.keycloak.testsuite.AssertEvents
        public AssertEvents.ExpectedEvent expectLogin() {
            return expect(EventType.LOGIN).detail("code_id", isCodeId()).detail("redirect_uri", "https://localhost:8543/auth/realms/master/app/auth").detail("consent", "no_consent_required").session(isUUID());
        }
    }

    @Override // org.keycloak.testsuite.AbstractTestRealmKeycloakTest
    public void configureTestRealm(RealmRepresentation realmRepresentation) {
        Iterator<String> it = CLIENT_LIST.iterator();
        while (it.hasNext()) {
            addRedirectUrlForTls(realmRepresentation, it.next());
        }
        configTestRealmForTokenIntrospection(realmRepresentation);
    }

    @BeforeClass
    public static void checkIfTLSIsTurnedOn() {
        Assume.assumeTrue(ServerURLs.AUTH_SERVER_SSL_REQUIRED);
    }

    private void addRedirectUrlForTls(RealmRepresentation realmRepresentation, String str) {
        for (ClientRepresentation clientRepresentation : realmRepresentation.getClients()) {
            if (clientRepresentation.getClientId().equals(str)) {
                clientRepresentation.getRedirectUris().add(URI.create("https://localhost:" + System.getProperty("auth.server.https.port", "8543") + URI.create((String) clientRepresentation.getRedirectUris().get(0)).getRawPath()).toString());
                return;
            }
        }
    }

    private void configTestRealmForTokenIntrospection(RealmRepresentation realmRepresentation) {
        ClientRepresentation createClient = KeycloakModelUtils.createClient(realmRepresentation, "confidential-cli");
        createClient.setSecret("secret1");
        createClient.setServiceAccountsEnabled(Boolean.TRUE);
        ClientRepresentation createClient2 = KeycloakModelUtils.createClient(realmRepresentation, "service-account-client");
        createClient2.setSecret("secret1");
        createClient2.setServiceAccountsEnabled(Boolean.TRUE);
        KeycloakModelUtils.createClient(realmRepresentation, "public-cli").setPublicClient(Boolean.TRUE);
        UserRepresentation userRepresentation = new UserRepresentation();
        userRepresentation.setUsername("no-permissions");
        CredentialRepresentation credentialRepresentation = new CredentialRepresentation();
        credentialRepresentation.setType("password");
        credentialRepresentation.setValue("password");
        ArrayList arrayList = new ArrayList();
        arrayList.add(credentialRepresentation);
        userRepresentation.setCredentials(arrayList);
        userRepresentation.setEnabled(Boolean.TRUE);
        ArrayList arrayList2 = new ArrayList();
        arrayList2.add("user");
        userRepresentation.setRealmRoles(arrayList2);
        realmRepresentation.getUsers().add(userRepresentation);
    }

    @Before
    public void enableHoKToken() {
        Iterator<String> it = CLIENT_LIST.iterator();
        while (it.hasNext()) {
            enableHoKToken(it.next());
        }
    }

    private void enableHoKToken(String str) {
        ClientResource findClientByClientId = ApiUtil.findClientByClientId(this.adminClient.realm("test"), str);
        ClientRepresentation representation = findClientByClientId.toRepresentation();
        OIDCAdvancedConfigWrapper.fromClientRepresentation(representation).setUseMtlsHoKToken(true);
        findClientByClientId.update(representation);
    }

    @Test
    public void accessTokenRequestWithClientCertificate() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        EventRepresentation assertEvent = this.events.expectLogin().assertEvent();
        String sessionId = assertEvent.getSessionId();
        String str = (String) assertEvent.getDetails().get("code_id");
        String str2 = (String) this.oauth.getCurrentQuery().get("code");
        try {
            CloseableHttpClient newCloseableHttpClientWithDefaultKeyStoreAndTrustStore = MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore();
            Throwable th = null;
            try {
                try {
                    OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest(str2, "password", newCloseableHttpClientWithDefaultKeyStoreAndTrustStore);
                    if (newCloseableHttpClientWithDefaultKeyStoreAndTrustStore != null) {
                        if (0 != 0) {
                            try {
                                newCloseableHttpClientWithDefaultKeyStoreAndTrustStore.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            newCloseableHttpClientWithDefaultKeyStoreAndTrustStore.close();
                        }
                    }
                    expectSuccessfulResponseFromTokenEndpoint(sessionId, str, doAccessTokenRequest);
                    verifyHoKTokenDefaultCertThumbPrint(doAccessTokenRequest);
                } finally {
                }
            } finally {
            }
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    @Test
    public void accessTokenRequestWithoutClientCertificate() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        String str = (String) this.oauth.getCurrentQuery().get("code");
        try {
            CloseableHttpClient newCloseableHttpClientWithoutKeyStoreAndTrustStore = MutualTLSUtils.newCloseableHttpClientWithoutKeyStoreAndTrustStore();
            Throwable th = null;
            try {
                try {
                    OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest(str, "password", newCloseableHttpClientWithoutKeyStoreAndTrustStore);
                    if (newCloseableHttpClientWithoutKeyStoreAndTrustStore != null) {
                        if (0 != 0) {
                            try {
                                newCloseableHttpClientWithoutKeyStoreAndTrustStore.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            newCloseableHttpClientWithoutKeyStoreAndTrustStore.close();
                        }
                    }
                    Assert.assertEquals(400L, doAccessTokenRequest.getStatusCode());
                    Assert.assertEquals("invalid_request", doAccessTokenRequest.getError());
                    Assert.assertEquals("Client Certification missing for MTLS HoK Token Binding", doAccessTokenRequest.getErrorDescription());
                } finally {
                }
            } finally {
            }
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    private void expectSuccessfulResponseFromTokenEndpoint(String str, String str2, OAuthClient.AccessTokenResponse accessTokenResponse) throws Exception {
        Assert.assertEquals(200L, accessTokenResponse.getStatusCode());
        Assert.assertThat(Integer.valueOf(accessTokenResponse.getExpiresIn()), Matchers.allOf(Matchers.greaterThanOrEqualTo(250), Matchers.lessThanOrEqualTo(300)));
        Assert.assertThat(Integer.valueOf(accessTokenResponse.getRefreshExpiresIn()), Matchers.allOf(Matchers.greaterThanOrEqualTo(1750), Matchers.lessThanOrEqualTo(1800)));
        Assert.assertEquals("Bearer", accessTokenResponse.getTokenType());
        String keyId = this.oauth.doCertsRequest("test").getKeys()[0].getKeyId();
        JWSHeader header = new JWSInput(accessTokenResponse.getAccessToken()).getHeader();
        Assert.assertEquals("RS256", header.getAlgorithm().name());
        Assert.assertEquals("JWT", header.getType());
        Assert.assertEquals(keyId, header.getKeyId());
        Assert.assertNull(header.getContentType());
        JWSHeader header2 = new JWSInput(accessTokenResponse.getIdToken()).getHeader();
        Assert.assertEquals("RS256", header2.getAlgorithm().name());
        Assert.assertEquals("JWT", header2.getType());
        Assert.assertEquals(keyId, header2.getKeyId());
        Assert.assertNull(header2.getContentType());
        JWSHeader header3 = new JWSInput(accessTokenResponse.getRefreshToken()).getHeader();
        Assert.assertEquals("HS256", header3.getAlgorithm().name());
        Assert.assertEquals("JWT", header3.getType());
        Assert.assertNull(header3.getContentType());
        AccessToken verifyToken = this.oauth.verifyToken(accessTokenResponse.getAccessToken());
        Assert.assertEquals(ApiUtil.findUserByUsername(this.adminClient.realm("test"), AssertEvents.DEFAULT_USERNAME).getId(), verifyToken.getSubject());
        Assert.assertNotEquals(AssertEvents.DEFAULT_USERNAME, verifyToken.getSubject());
        Assert.assertEquals(str, verifyToken.getSessionState());
        Assert.assertEquals(2L, verifyToken.getRealmAccess().getRoles().size());
        Assert.assertTrue(verifyToken.getRealmAccess().isUserInRole("user"));
        Assert.assertEquals(1L, verifyToken.getResourceAccess(this.oauth.getClientId()).getRoles().size());
        Assert.assertTrue(verifyToken.getResourceAccess(this.oauth.getClientId()).isUserInRole("customer-user"));
        EventRepresentation assertEvent = this.events.expectCodeToToken(str2, str).assertEvent();
        Assert.assertEquals(verifyToken.getId(), assertEvent.getDetails().get("token_id"));
        Assert.assertEquals(this.oauth.parseRefreshToken(accessTokenResponse.getRefreshToken()).getId(), assertEvent.getDetails().get("refresh_token_id"));
        Assert.assertEquals(str, verifyToken.getSessionState());
    }

    @Test
    public void refreshTokenRequestByHoKRefreshTokenByOtherClient() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        String str = (String) this.oauth.getCurrentQuery().get("code");
        try {
            CloseableHttpClient newCloseableHttpClientWithDefaultKeyStoreAndTrustStore = MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore();
            Throwable th = null;
            try {
                try {
                    OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest(str, "password", newCloseableHttpClientWithDefaultKeyStoreAndTrustStore);
                    if (newCloseableHttpClientWithDefaultKeyStoreAndTrustStore != null) {
                        if (0 != 0) {
                            try {
                                newCloseableHttpClientWithDefaultKeyStoreAndTrustStore.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            newCloseableHttpClientWithDefaultKeyStoreAndTrustStore.close();
                        }
                    }
                    verifyHoKTokenDefaultCertThumbPrint(doAccessTokenRequest);
                    String refreshToken = doAccessTokenRequest.getRefreshToken();
                    OAuthClient oAuthClient = new OAuthClient();
                    oAuthClient.init(this.driver2);
                    oAuthClient.doLogin("john-doh@localhost", "password");
                    String str2 = (String) oAuthClient.getCurrentQuery().get("code");
                    try {
                        CloseableHttpClient newCloseableHttpClientWithOtherKeyStoreAndTrustStore = MutualTLSUtils.newCloseableHttpClientWithOtherKeyStoreAndTrustStore();
                        Throwable th3 = null;
                        try {
                            try {
                                OAuthClient.AccessTokenResponse doAccessTokenRequest2 = oAuthClient.doAccessTokenRequest(str2, "password", newCloseableHttpClientWithOtherKeyStoreAndTrustStore);
                                if (newCloseableHttpClientWithOtherKeyStoreAndTrustStore != null) {
                                    if (0 != 0) {
                                        try {
                                            newCloseableHttpClientWithOtherKeyStoreAndTrustStore.close();
                                        } catch (Throwable th4) {
                                            th3.addSuppressed(th4);
                                        }
                                    } else {
                                        newCloseableHttpClientWithOtherKeyStoreAndTrustStore.close();
                                    }
                                }
                                verifyHoKTokenOtherCertThumbPrint(doAccessTokenRequest2);
                                try {
                                    newCloseableHttpClientWithOtherKeyStoreAndTrustStore = MutualTLSUtils.newCloseableHttpClientWithOtherKeyStoreAndTrustStore();
                                    Throwable th5 = null;
                                    try {
                                        try {
                                            OAuthClient.AccessTokenResponse doRefreshTokenRequest = oAuthClient.doRefreshTokenRequest(refreshToken, "password", newCloseableHttpClientWithOtherKeyStoreAndTrustStore);
                                            if (newCloseableHttpClientWithOtherKeyStoreAndTrustStore != null) {
                                                if (0 != 0) {
                                                    try {
                                                        newCloseableHttpClientWithOtherKeyStoreAndTrustStore.close();
                                                    } catch (Throwable th6) {
                                                        th5.addSuppressed(th6);
                                                    }
                                                } else {
                                                    newCloseableHttpClientWithOtherKeyStoreAndTrustStore.close();
                                                }
                                            }
                                            Assert.assertEquals(401L, doRefreshTokenRequest.getStatusCode());
                                            Assert.assertEquals("unauthorized_client", doRefreshTokenRequest.getError());
                                            Assert.assertEquals("Client certificate missing, or its thumbprint and one in the refresh token did NOT match", doRefreshTokenRequest.getErrorDescription());
                                        } finally {
                                        }
                                    } finally {
                                        if (newCloseableHttpClientWithOtherKeyStoreAndTrustStore != null) {
                                            if (th5 != null) {
                                                try {
                                                    newCloseableHttpClientWithOtherKeyStoreAndTrustStore.close();
                                                } catch (Throwable th7) {
                                                    th5.addSuppressed(th7);
                                                }
                                            } else {
                                                newCloseableHttpClientWithOtherKeyStoreAndTrustStore.close();
                                            }
                                        }
                                    }
                                } catch (IOException e) {
                                    throw new RuntimeException(e);
                                }
                            } finally {
                            }
                        } finally {
                        }
                    } catch (IOException e2) {
                        throw new RuntimeException(e2);
                    }
                } finally {
                }
            } finally {
            }
        } catch (IOException e3) {
            throw new RuntimeException(e3);
        }
    }

    @Test
    public void refreshTokenRequestByHoKRefreshTokenWithClientCertificate() throws Exception {
        AccessToken verifyToken;
        String refreshToken;
        RefreshToken parseRefreshToken;
        EventRepresentation assertEvent;
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        EventRepresentation assertEvent2 = this.events.expectLogin().assertEvent();
        String sessionId = assertEvent2.getSessionId();
        String str = (String) assertEvent2.getDetails().get("code_id");
        String str2 = (String) this.oauth.getCurrentQuery().get("code");
        try {
            CloseableHttpClient newCloseableHttpClientWithDefaultKeyStoreAndTrustStore = MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore();
            Throwable th = null;
            try {
                try {
                    OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest(str2, "password", newCloseableHttpClientWithDefaultKeyStoreAndTrustStore);
                    if (newCloseableHttpClientWithDefaultKeyStoreAndTrustStore != null) {
                        if (0 != 0) {
                            try {
                                newCloseableHttpClientWithDefaultKeyStoreAndTrustStore.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            newCloseableHttpClientWithDefaultKeyStoreAndTrustStore.close();
                        }
                    }
                    verifyHoKTokenDefaultCertThumbPrint(doAccessTokenRequest);
                    verifyToken = this.oauth.verifyToken(doAccessTokenRequest.getAccessToken());
                    refreshToken = doAccessTokenRequest.getRefreshToken();
                    parseRefreshToken = this.oauth.parseRefreshToken(refreshToken);
                    assertEvent = this.events.expectCodeToToken(str, sessionId).assertEvent();
                    Assert.assertNotNull(refreshToken);
                    Assert.assertEquals("Bearer", doAccessTokenRequest.getTokenType());
                    Assert.assertThat(Integer.valueOf(verifyToken.getExpiration() - getCurrentTime()), Matchers.allOf(Matchers.greaterThanOrEqualTo(200), Matchers.lessThanOrEqualTo(350)));
                    Assert.assertThat(Integer.valueOf(parseRefreshToken.getExpiration() - getCurrentTime()), Matchers.allOf(Matchers.greaterThanOrEqualTo(1796), Matchers.lessThanOrEqualTo(1803)));
                    Assert.assertEquals(sessionId, parseRefreshToken.getSessionState());
                    setTimeOffset(2);
                } finally {
                }
                try {
                    newCloseableHttpClientWithDefaultKeyStoreAndTrustStore = MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore();
                    Throwable th3 = null;
                    try {
                        try {
                            OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(refreshToken, "password", newCloseableHttpClientWithDefaultKeyStoreAndTrustStore);
                            if (newCloseableHttpClientWithDefaultKeyStoreAndTrustStore != null) {
                                if (0 != 0) {
                                    try {
                                        newCloseableHttpClientWithDefaultKeyStoreAndTrustStore.close();
                                    } catch (Throwable th4) {
                                        th3.addSuppressed(th4);
                                    }
                                } else {
                                    newCloseableHttpClientWithDefaultKeyStoreAndTrustStore.close();
                                }
                            }
                            expectSuccessfulResponseFromTokenEndpoint(doRefreshTokenRequest, sessionId, verifyToken, parseRefreshToken, assertEvent);
                            verifyHoKTokenDefaultCertThumbPrint(doRefreshTokenRequest);
                        } finally {
                        }
                    } finally {
                        if (newCloseableHttpClientWithDefaultKeyStoreAndTrustStore != null) {
                            if (th3 != null) {
                                try {
                                    newCloseableHttpClientWithDefaultKeyStoreAndTrustStore.close();
                                } catch (Throwable th5) {
                                    th3.addSuppressed(th5);
                                }
                            } else {
                                newCloseableHttpClientWithDefaultKeyStoreAndTrustStore.close();
                            }
                        }
                    }
                } catch (IOException e) {
                    throw new RuntimeException(e);
                }
            } finally {
            }
        } catch (IOException e2) {
            throw new RuntimeException(e2);
        }
    }

    @Test
    public void refreshTokenRequestByRefreshTokenWithoutClientCertificate() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        String sessionId = this.events.expectLogin().assertEvent().getSessionId();
        OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password");
        verifyHoKTokenDefaultCertThumbPrint(doAccessTokenRequest);
        AccessToken verifyToken = this.oauth.verifyToken(doAccessTokenRequest.getAccessToken());
        String refreshToken = doAccessTokenRequest.getRefreshToken();
        RefreshToken parseRefreshToken = this.oauth.parseRefreshToken(refreshToken);
        Assert.assertNotNull(refreshToken);
        Assert.assertEquals("Bearer", doAccessTokenRequest.getTokenType());
        Assert.assertThat(Integer.valueOf(verifyToken.getExpiration() - getCurrentTime()), Matchers.allOf(Matchers.greaterThanOrEqualTo(200), Matchers.lessThanOrEqualTo(350)));
        Assert.assertThat(Integer.valueOf(parseRefreshToken.getExpiration() - getCurrentTime()), Matchers.allOf(Matchers.greaterThanOrEqualTo(1796), Matchers.lessThanOrEqualTo(1803)));
        Assert.assertEquals(sessionId, parseRefreshToken.getSessionState());
        setTimeOffset(2);
        try {
            CloseableHttpClient newCloseableHttpClientWithoutKeyStoreAndTrustStore = MutualTLSUtils.newCloseableHttpClientWithoutKeyStoreAndTrustStore();
            Throwable th = null;
            try {
                try {
                    OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(refreshToken, "password", newCloseableHttpClientWithoutKeyStoreAndTrustStore);
                    if (newCloseableHttpClientWithoutKeyStoreAndTrustStore != null) {
                        if (0 != 0) {
                            try {
                                newCloseableHttpClientWithoutKeyStoreAndTrustStore.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            newCloseableHttpClientWithoutKeyStoreAndTrustStore.close();
                        }
                    }
                    Assert.assertEquals(401L, doRefreshTokenRequest.getStatusCode());
                    Assert.assertEquals("unauthorized_client", doRefreshTokenRequest.getError());
                    Assert.assertEquals("Client certificate missing, or its thumbprint and one in the refresh token did NOT match", doRefreshTokenRequest.getErrorDescription());
                } finally {
                }
            } finally {
            }
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    private void expectSuccessfulResponseFromTokenEndpoint(OAuthClient.AccessTokenResponse accessTokenResponse, String str, AccessToken accessToken, RefreshToken refreshToken, EventRepresentation eventRepresentation) {
        expectSuccessfulResponseFromTokenEndpoint(this.oauth, AssertEvents.DEFAULT_USERNAME, accessTokenResponse, str, accessToken, refreshToken, eventRepresentation);
    }

    private void expectSuccessfulResponseFromTokenEndpoint(OAuthClient oAuthClient, String str, OAuthClient.AccessTokenResponse accessTokenResponse, String str2, AccessToken accessToken, RefreshToken refreshToken, EventRepresentation eventRepresentation) {
        AccessToken verifyToken = oAuthClient.verifyToken(accessTokenResponse.getAccessToken());
        RefreshToken parseRefreshToken = oAuthClient.parseRefreshToken(accessTokenResponse.getRefreshToken());
        if (verifyToken.getCertConf() != null) {
            this.log.warnf("refreshed access token's cnf-x5t#256 = %s", verifyToken.getCertConf().getCertThumbprint());
            this.log.warnf("refreshed refresh token's cnf-x5t#256 = %s", parseRefreshToken.getCertConf().getCertThumbprint());
        }
        Assert.assertEquals(200L, accessTokenResponse.getStatusCode());
        Assert.assertEquals(str2, verifyToken.getSessionState());
        Assert.assertEquals(str2, parseRefreshToken.getSessionState());
        Assert.assertThat(Integer.valueOf(accessTokenResponse.getExpiresIn()), Matchers.allOf(Matchers.greaterThanOrEqualTo(250), Matchers.lessThanOrEqualTo(300)));
        Assert.assertThat(Integer.valueOf(verifyToken.getExpiration() - getCurrentTime()), Matchers.allOf(Matchers.greaterThanOrEqualTo(247), Matchers.lessThanOrEqualTo(303)));
        Assert.assertThat(Integer.valueOf(verifyToken.getExpiration() - accessToken.getExpiration()), Matchers.allOf(Matchers.greaterThanOrEqualTo(1), Matchers.lessThanOrEqualTo(10)));
        Assert.assertThat(Integer.valueOf(parseRefreshToken.getExpiration() - refreshToken.getExpiration()), Matchers.allOf(Matchers.greaterThanOrEqualTo(1), Matchers.lessThanOrEqualTo(10)));
        Assert.assertNotEquals(accessToken.getId(), verifyToken.getId());
        Assert.assertNotEquals(refreshToken.getId(), parseRefreshToken.getId());
        Assert.assertEquals("Bearer", accessTokenResponse.getTokenType());
        Assert.assertEquals(ApiUtil.findUserByUsername(this.adminClient.realm("test"), str).getId(), verifyToken.getSubject());
        Assert.assertNotEquals(str, verifyToken.getSubject());
        Assert.assertEquals(2L, verifyToken.getRealmAccess().getRoles().size());
        Assert.assertTrue(verifyToken.getRealmAccess().isUserInRole("user"));
        Assert.assertEquals(1L, verifyToken.getResourceAccess(oAuthClient.getClientId()).getRoles().size());
        Assert.assertTrue(verifyToken.getResourceAccess(oAuthClient.getClientId()).isUserInRole("customer-user"));
        EventRepresentation assertEvent = this.events.expectRefresh((String) eventRepresentation.getDetails().get("refresh_token_id"), str2).user(AssertEvents.isUUID()).assertEvent();
        Assert.assertNotEquals(eventRepresentation.getDetails().get("token_id"), assertEvent.getDetails().get("token_id"));
        Assert.assertNotEquals(eventRepresentation.getDetails().get("refresh_token_id"), assertEvent.getDetails().get("updated_refresh_token_id"));
        setTimeOffset(0);
    }

    @Test
    public void getUserInfoByHoKAccessTokenWithClientCertificate() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        EventRepresentation assertEvent = this.events.expectLogin().assertEvent();
        String sessionId = assertEvent.getSessionId();
        String str = (String) assertEvent.getDetails().get("code_id");
        String str2 = (String) this.oauth.getCurrentQuery().get("code");
        try {
            CloseableHttpClient newCloseableHttpClientWithDefaultKeyStoreAndTrustStore = MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore();
            Throwable th = null;
            try {
                try {
                    OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest(str2, "password", newCloseableHttpClientWithDefaultKeyStoreAndTrustStore);
                    if (newCloseableHttpClientWithDefaultKeyStoreAndTrustStore != null) {
                        if (0 != 0) {
                            try {
                                newCloseableHttpClientWithDefaultKeyStoreAndTrustStore.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            newCloseableHttpClientWithDefaultKeyStoreAndTrustStore.close();
                        }
                    }
                    verifyHoKTokenDefaultCertThumbPrint(doAccessTokenRequest);
                    this.events.expectCodeToToken(str, sessionId).assertEvent();
                    ClientBuilder newBuilder = ClientBuilder.newBuilder();
                    newBuilder.keyStore(KeystoreUtil.loadKeyStore(MutualTLSUtils.DEFAULT_KEYSTOREPATH, MutualTLSUtils.DEFAULT_KEYSTOREPASSWORD), MutualTLSUtils.DEFAULT_KEYSTOREPASSWORD);
                    Client build = newBuilder.build();
                    Response response = null;
                    try {
                        response = UserInfoClientUtil.getUserInfoWebTarget(build).request().header("Authorization", "Bearer " + doAccessTokenRequest.getAccessToken()).get();
                        testSuccessfulUserInfoResponse(response);
                        response.close();
                        build.close();
                    } catch (Throwable th3) {
                        response.close();
                        build.close();
                        throw th3;
                    }
                } finally {
                }
            } finally {
            }
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    @Test
    public void getUserInfoByHoKAccessTokenWithoutClientCertificate() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        EventRepresentation assertEvent = this.events.expectLogin().assertEvent();
        String sessionId = assertEvent.getSessionId();
        String str = (String) assertEvent.getDetails().get("code_id");
        String str2 = (String) this.oauth.getCurrentQuery().get("code");
        try {
            CloseableHttpClient newCloseableHttpClientWithDefaultKeyStoreAndTrustStore = MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore();
            Throwable th = null;
            try {
                try {
                    OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest(str2, "password", newCloseableHttpClientWithDefaultKeyStoreAndTrustStore);
                    if (newCloseableHttpClientWithDefaultKeyStoreAndTrustStore != null) {
                        if (0 != 0) {
                            try {
                                newCloseableHttpClientWithDefaultKeyStoreAndTrustStore.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            newCloseableHttpClientWithDefaultKeyStoreAndTrustStore.close();
                        }
                    }
                    verifyHoKTokenDefaultCertThumbPrint(doAccessTokenRequest);
                    this.events.expectCodeToToken(str, sessionId).assertEvent();
                    Client build = ClientBuilder.newBuilder().build();
                    Response response = null;
                    try {
                        response = UserInfoClientUtil.getUserInfoWebTarget(build).request().header("Authorization", "Bearer " + doAccessTokenRequest.getAccessToken()).get();
                        Assert.assertEquals(401L, response.getStatus());
                        response.close();
                        build.close();
                    } catch (Throwable th3) {
                        response.close();
                        build.close();
                        throw th3;
                    }
                } finally {
                }
            } finally {
            }
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    private void testSuccessfulUserInfoResponse(Response response) {
        this.events.expect(EventType.USER_INFO_REQUEST).session(Matchers.notNullValue(String.class)).detail("auth_method", "validate_access_token").detail("username", AssertEvents.DEFAULT_USERNAME).detail("signature_required", "false").assertEvent();
        UserInfoClientUtil.testSuccessfulUserInfoResponse(response, AssertEvents.DEFAULT_USERNAME, AssertEvents.DEFAULT_USERNAME);
    }

    @Test
    public void postLogoutByHoKRefreshTokenWithClientCertificate() throws Exception {
        String execPreProcessPostLogout = execPreProcessPostLogout();
        try {
            CloseableHttpClient newCloseableHttpClientWithDefaultKeyStoreAndTrustStore = MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore();
            Throwable th = null;
            try {
                try {
                    CloseableHttpResponse doLogout = this.oauth.doLogout(execPreProcessPostLogout, "password", newCloseableHttpClientWithDefaultKeyStoreAndTrustStore);
                    if (newCloseableHttpClientWithDefaultKeyStoreAndTrustStore != null) {
                        if (0 != 0) {
                            try {
                                newCloseableHttpClientWithDefaultKeyStoreAndTrustStore.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            newCloseableHttpClientWithDefaultKeyStoreAndTrustStore.close();
                        }
                    }
                    Assert.assertThat(doLogout, org.keycloak.testsuite.util.Matchers.statusCodeIsHC(Response.Status.NO_CONTENT));
                    Assert.assertNotNull(this.testingClient.testApp().getAdminLogoutAction());
                } finally {
                }
            } finally {
            }
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    @Test
    public void postLogoutByHoKRefreshTokenWithoutClientCertificate() throws Exception {
        String execPreProcessPostLogout = execPreProcessPostLogout();
        try {
            CloseableHttpClient newCloseableHttpClientWithoutKeyStoreAndTrustStore = MutualTLSUtils.newCloseableHttpClientWithoutKeyStoreAndTrustStore();
            Throwable th = null;
            try {
                try {
                    CloseableHttpResponse doLogout = this.oauth.doLogout(execPreProcessPostLogout, "password", newCloseableHttpClientWithoutKeyStoreAndTrustStore);
                    if (newCloseableHttpClientWithoutKeyStoreAndTrustStore != null) {
                        if (0 != 0) {
                            try {
                                newCloseableHttpClientWithoutKeyStoreAndTrustStore.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            newCloseableHttpClientWithoutKeyStoreAndTrustStore.close();
                        }
                    }
                    Assert.assertEquals(401L, doLogout.getStatusLine().getStatusCode());
                } finally {
                }
            } finally {
            }
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    private String execPreProcessPostLogout() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        String str = (String) this.oauth.getCurrentQuery().get("code");
        this.oauth.clientSessionState("client-session");
        OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest(str, "password");
        verifyHoKTokenDefaultCertThumbPrint(doAccessTokenRequest);
        return doAccessTokenRequest.getRefreshToken();
    }

    @Test
    public void accessTokenRequestWithClientCertificateInHybridFlowWithCodeIDToken() throws Exception {
        ClientManager.realm(this.adminClient.realm("test")).clientId(AssertEvents.DEFAULT_CLIENT_ID).standardFlow(true).implicitFlow(true);
        this.oauth.clientId(AssertEvents.DEFAULT_CLIENT_ID);
        this.oauth.responseType("code id_token");
        this.oauth.nonce("ckw938gnspa93dj");
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        EventRepresentation assertEvent = this.events.expectLogin().assertEvent();
        OAuthClient.AuthorizationEndpointResponse authorizationEndpointResponse = new OAuthClient.AuthorizationEndpointResponse(this.oauth, true);
        Assert.assertNotNull(authorizationEndpointResponse.getSessionState());
        for (IDToken iDToken : testAuthzResponseAndRetrieveIDTokens(authorizationEndpointResponse, assertEvent)) {
            Assert.assertEquals("ckw938gnspa93dj", iDToken.getNonce());
            Assert.assertEquals(authorizationEndpointResponse.getSessionState(), iDToken.getSessionState());
        }
    }

    protected List<IDToken> testAuthzResponseAndRetrieveIDTokens(OAuthClient.AuthorizationEndpointResponse authorizationEndpointResponse, EventRepresentation eventRepresentation) {
        Assert.assertEquals("code id_token", eventRepresentation.getDetails().get("response_type"));
        Assert.assertNull(authorizationEndpointResponse.getAccessToken());
        IDToken verifyIDToken = this.oauth.verifyIDToken(authorizationEndpointResponse.getIdToken());
        Assert.assertNull(verifyIDToken.getAccessTokenHash());
        Assert.assertNotNull(verifyIDToken.getCodeHash());
        Assert.assertEquals(verifyIDToken.getCodeHash(), HashUtils.oidcHash("RS256", authorizationEndpointResponse.getCode()));
        return Arrays.asList(verifyIDToken, sendTokenRequestAndGetIDToken(eventRepresentation));
    }

    @Test
    public void testIntrospectHoKAccessToken() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        String str = (String) this.oauth.getCurrentQuery().get("code");
        EventRepresentation assertEvent = this.events.expectLogin().assertEvent();
        try {
            CloseableHttpClient newCloseableHttpClientWithDefaultKeyStoreAndTrustStore = MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore();
            Throwable th = null;
            try {
                try {
                    OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest(str, "password", newCloseableHttpClientWithDefaultKeyStoreAndTrustStore);
                    if (newCloseableHttpClientWithDefaultKeyStoreAndTrustStore != null) {
                        if (0 != 0) {
                            try {
                                newCloseableHttpClientWithDefaultKeyStoreAndTrustStore.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            newCloseableHttpClientWithDefaultKeyStoreAndTrustStore.close();
                        }
                    }
                    try {
                        CloseableHttpClient newCloseableHttpClientWithoutKeyStoreAndTrustStore = MutualTLSUtils.newCloseableHttpClientWithoutKeyStoreAndTrustStore();
                        Throwable th3 = null;
                        try {
                            String introspectTokenWithClientCredential = this.oauth.introspectTokenWithClientCredential("confidential-cli", "secret1", "access_token", doAccessTokenRequest.getAccessToken(), newCloseableHttpClientWithoutKeyStoreAndTrustStore);
                            if (newCloseableHttpClientWithoutKeyStoreAndTrustStore != null) {
                                if (0 != 0) {
                                    try {
                                        newCloseableHttpClientWithoutKeyStoreAndTrustStore.close();
                                    } catch (Throwable th4) {
                                        th3.addSuppressed(th4);
                                    }
                                } else {
                                    newCloseableHttpClientWithoutKeyStoreAndTrustStore.close();
                                }
                            }
                            TokenMetadataRepresentation tokenMetadataRepresentation = (TokenMetadataRepresentation) JsonSerialization.readValue(introspectTokenWithClientCredential, TokenMetadataRepresentation.class);
                            AccessToken accessToken = (AccessToken) new JWSInput(doAccessTokenRequest.getAccessToken()).readJsonContent(AccessToken.class);
                            RefreshToken refreshToken = (RefreshToken) new JWSInput(doAccessTokenRequest.getRefreshToken()).readJsonContent(RefreshToken.class);
                            String certThumbprint = accessToken.getCertConf().getCertThumbprint();
                            String certThumbprint2 = refreshToken.getCertConf().getCertThumbprint();
                            String certThumbprint3 = tokenMetadataRepresentation.getCertConf().getCertThumbprint();
                            String thumbprintFromDefaultClientCert = MutualTLSUtils.getThumbprintFromDefaultClientCert();
                            Assert.assertTrue(tokenMetadataRepresentation.isActive());
                            Assert.assertEquals(AssertEvents.DEFAULT_USERNAME, tokenMetadataRepresentation.getUserName());
                            Assert.assertEquals(AssertEvents.DEFAULT_CLIENT_ID, tokenMetadataRepresentation.getClientId());
                            Assert.assertEquals(assertEvent.getUserId(), tokenMetadataRepresentation.getSubject());
                            Assert.assertEquals(certThumbprint3, thumbprintFromDefaultClientCert);
                            Assert.assertEquals(thumbprintFromDefaultClientCert, certThumbprint);
                            Assert.assertEquals(certThumbprint, certThumbprint2);
                        } finally {
                        }
                    } catch (IOException e) {
                        throw new RuntimeException(e);
                    }
                } finally {
                }
            } finally {
            }
        } catch (IOException e2) {
            throw new RuntimeException(e2);
        }
    }

    @Test
    public void serviceAccountWithClientCertificate() throws Exception {
        this.oauth.clientId("service-account-client");
        Supplier httpClient = this.oauth.getHttpClient();
        try {
            try {
                this.oauth.httpClient(MutualTLSUtils::newCloseableHttpClientWithoutKeyStoreAndTrustStore);
                OAuthClient.AccessTokenResponse doClientCredentialsGrantAccessTokenRequest = this.oauth.doClientCredentialsGrantAccessTokenRequest("secret1");
                Assert.assertEquals(400L, doClientCredentialsGrantAccessTokenRequest.getStatusCode());
                Assert.assertEquals("invalid_request", doClientCredentialsGrantAccessTokenRequest.getError());
                Assert.assertEquals("Client Certification missing for MTLS HoK Token Binding", doClientCredentialsGrantAccessTokenRequest.getErrorDescription());
                this.oauth.httpClient(MutualTLSUtils::newCloseableHttpClientWithDefaultKeyStoreAndTrustStore);
                OAuthClient.AccessTokenResponse doClientCredentialsGrantAccessTokenRequest2 = this.oauth.doClientCredentialsGrantAccessTokenRequest("secret1");
                Assert.assertEquals(200L, doClientCredentialsGrantAccessTokenRequest2.getStatusCode());
                verifyHoKTokenCertThumbPrint(doClientCredentialsGrantAccessTokenRequest2, MutualTLSUtils.getThumbprintFromDefaultClientCert(), false);
                this.oauth.httpClient(httpClient);
            } catch (IOException e) {
                throw new RuntimeException(e);
            }
        } catch (Throwable th) {
            this.oauth.httpClient(httpClient);
            throw th;
        }
    }

    private void verifyHoKTokenDefaultCertThumbPrint(OAuthClient.AccessTokenResponse accessTokenResponse) throws Exception {
        verifyHoKTokenCertThumbPrint(accessTokenResponse, MutualTLSUtils.getThumbprintFromDefaultClientCert(), true);
    }

    private void verifyHoKTokenOtherCertThumbPrint(OAuthClient.AccessTokenResponse accessTokenResponse) throws Exception {
        verifyHoKTokenCertThumbPrint(accessTokenResponse, MutualTLSUtils.getThumbprintFromOtherClientCert(), true);
    }

    private void verifyHoKTokenCertThumbPrint(OAuthClient.AccessTokenResponse accessTokenResponse, String str, boolean z) {
        AccessToken accessToken = null;
        try {
            accessToken = (AccessToken) new JWSInput(accessTokenResponse.getAccessToken()).readJsonContent(AccessToken.class);
        } catch (JWSInputException e) {
            Assert.fail(e.toString());
        }
        Assert.assertTrue(MessageDigest.isEqual(str.getBytes(), accessToken.getCertConf().getCertThumbprint().getBytes()));
        if (z) {
            RefreshToken refreshToken = null;
            try {
                refreshToken = (RefreshToken) new JWSInput(accessTokenResponse.getRefreshToken()).readJsonContent(RefreshToken.class);
            } catch (JWSInputException e2) {
                Assert.fail(e2.toString());
            }
            Assert.assertTrue(MessageDigest.isEqual(str.getBytes(), refreshToken.getCertConf().getCertThumbprint().getBytes()));
        }
    }
}
