package org.keycloak.testsuite.client;

import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedList;
import java.util.List;
import java.util.function.Function;
import java.util.function.Supplier;
import org.apache.http.NameValuePair;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.message.BasicNameValuePair;
import org.hamcrest.Matchers;
import org.jboss.arquillian.graphene.page.Page;
import org.junit.Assert;
import org.junit.Assume;
import org.junit.BeforeClass;
import org.junit.Test;
import org.keycloak.adapters.authentication.JWTClientSecretCredentialsProvider;
import org.keycloak.admin.client.resource.UserResource;
import org.keycloak.client.registration.ClientRegistrationException;
import org.keycloak.common.util.KeycloakUriBuilder;
import org.keycloak.common.util.UriUtils;
import org.keycloak.jose.jws.Algorithm;
import org.keycloak.jose.jws.crypto.HashUtils;
import org.keycloak.models.AdminRoles;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.representations.IDToken;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.testsuite.admin.AbstractAdminTest;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.client.resources.TestApplicationResourceUrls;
import org.keycloak.testsuite.pages.AppPage;
import org.keycloak.testsuite.pages.ErrorPage;
import org.keycloak.testsuite.pages.LoginPage;
import org.keycloak.testsuite.pages.OAuthGrantPage;
import org.keycloak.testsuite.rest.resource.TestingOIDCEndpointsApplicationResource;
import org.keycloak.testsuite.util.ClientPoliciesUtil;
import org.keycloak.testsuite.util.MutualTLSUtils;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.ServerURLs;

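/**
 * Integration tests for the FAPI 1 client-policy profiles ({@code fapi-1-baseline} and
 * {@code fapi-1-advanced}).
 *
 * <p>Each test installs a single policy that applies the profile under test to every client
 * (see {@link #setupPolicyFAPIBaselineForAllClient()} / {@link #setupPolicyFAPIAdvancedForAllClient()})
 * and then checks what the profile enforces: which client authenticators are accepted at
 * registration time, which redirect URIs are accepted, and which parameters (PKCE, nonce,
 * state, redirect_uri, request object, MTLS) are demanded during login and token exchange.
 *
 * <p>The suite only runs against an SSL-enabled auth server ({@link #verifySSL()}).
 */
@AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
public class FAPI1Test extends AbstractClientPoliciesTest {

    /** Nonce sent on every login and asserted back from the issued ID token. */
    private static final String NONCE = "123456";

    /** PKCE code verifier; the S256 challenge is derived from it with generateS256CodeChallenge. */
    private static final String CODE_VERIFIER = "1234567890123456789012345678901234567890123";

    /** Name of the realm the tests register clients in. */
    private static final String TEST_REALM = "test";

    @Page
    protected ErrorPage errorPage;

    @Page
    protected LoginPage loginPage;

    @Page
    protected OAuthGrantPage grantPage;

    @Page
    protected AppPage appPage;

    /** Skips the whole class unless the auth server is reachable over SSL. */
    @BeforeClass
    public static void verifySSL() {
        Assume.assumeTrue("The FAPI test requires SSL to be enabled.", ServerURLs.AUTH_SERVER_SSL_REQUIRED);
    }

    /**
     * Loads {@code /testrealm.json} and adds the user {@code john} (password {@code password})
     * with the realm-management {@code create-client} and {@code manage-clients} client roles.
     *
     * @param testRealms list the prepared realm representation is appended to
     */
    @Override
    public void addTestRealms(List<RealmRepresentation> testRealms) {
        RealmRepresentation realm = (RealmRepresentation) AbstractAdminTest.loadJson(
                getClass().getResourceAsStream("/testrealm.json"), RealmRepresentation.class);

        CredentialRepresentation password = new CredentialRepresentation();
        password.setType("password");
        password.setValue("password");
        List<CredentialRepresentation> credentials = new LinkedList<>();
        credentials.add(password);

        UserRepresentation john = new UserRepresentation();
        john.setEnabled(true);
        john.setUsername("john");
        john.setEmail("john@keycloak.org");
        john.setFirstName("Johny");
        john.setCredentials(credentials);
        john.setClientRoles(Collections.singletonMap("realm-management",
                Arrays.asList(AdminRoles.CREATE_CLIENT, AdminRoles.MANAGE_CLIENTS)));

        // The JSON fixture may omit "users" entirely; start from an empty list in that case.
        List<UserRepresentation> users = realm.getUsers();
        if (users == null) {
            users = new LinkedList<>();
        }
        users.add(john);
        realm.setUsers(users);
        testRealms.add(realm);
    }

    /**
     * Baseline profile: {@code client-secret} is rejected at registration, the JWT and X.509
     * authenticators are accepted, and a client registered without an explicit authenticator
     * defaults to {@code client-jwt} with consent required and PKCE method {@code S256}.
     */
    @Test
    public void testFAPIBaselineClientAuthenticator() throws Exception {
        setupPolicyFAPIBaselineForAllClient();

        try {
            createClientByAdmin("invalid", client -> client.setClientAuthenticatorType("client-secret"));
            Assert.fail();
        } catch (ClientPolicyException e) {
            Assert.assertEquals("invalid_client_metadata", e.getMessage());
        }

        org.keycloak.testsuite.Assert.assertEquals("client-jwt",
                getClientByAdmin(createClientByAdmin("client-jwt",
                        client -> client.setClientAuthenticatorType("client-jwt"))).getClientAuthenticatorType());
        org.keycloak.testsuite.Assert.assertEquals("client-secret-jwt",
                getClientByAdmin(createClientByAdmin("client-secret-jwt",
                        client -> client.setClientAuthenticatorType("client-secret-jwt"))).getClientAuthenticatorType());
        org.keycloak.testsuite.Assert.assertEquals("client-x509",
                getClientByAdmin(createClientByAdmin("client-x509",
                        client -> client.setClientAuthenticatorType("client-x509"))).getClientAuthenticatorType());

        // No authenticator given: the profile fills in its defaults.
        ClientRepresentation defaulted = getClientByAdmin(createClientByAdmin("client-jwt-2", client -> { }));
        org.keycloak.testsuite.Assert.assertEquals("client-jwt", defaulted.getClientAuthenticatorType());
        org.keycloak.testsuite.Assert.assertTrue(defaulted.isConsentRequired());
        org.keycloak.testsuite.Assert.assertEquals("S256",
                OIDCAdvancedConfigWrapper.fromClientRepresentation(defaulted).getPkceCodeChallengeMethod());
    }

    /**
     * Baseline profile via OIDC dynamic client registration: {@code client_secret_basic} is
     * rejected; {@code private_key_jwt}, {@code client_secret_jwt} and {@code tls_client_auth}
     * map to the corresponding Keycloak authenticators, full-scope is disabled, consent is
     * required and the PKCE method is {@code S256}.
     */
    @Test
    public void testFAPIBaselineOIDCClientRegistration() throws Exception {
        setupPolicyFAPIBaselineForAllClient();

        try {
            createClientDynamically(generateSuffixedName("foo"),
                    client -> client.setTokenEndpointAuthMethod("client_secret_basic"));
            Assert.fail();
        } catch (ClientRegistrationException e) {
            Assert.assertEquals("Failed to send request", e.getMessage());
        }

        ClientRepresentation jwtClient = getClientByAdmin(createClientDynamically("client-jwt", client -> {
            client.setTokenEndpointAuthMethod("private_key_jwt");
            client.setJwksUri("https://foo");
        }));
        org.keycloak.testsuite.Assert.assertEquals("client-jwt", jwtClient.getClientAuthenticatorType());
        org.keycloak.testsuite.Assert.assertFalse(jwtClient.isFullScopeAllowed());

        // Each dynamic registration consumes the initial access token; issue a fresh one.
        setInitialAccessTokenForDynamicClientRegistration();
        org.keycloak.testsuite.Assert.assertEquals("client-secret-jwt",
                getClientByAdmin(createClientDynamically("client-secret-jwt",
                        client -> client.setTokenEndpointAuthMethod("client_secret_jwt"))).getClientAuthenticatorType());

        setInitialAccessTokenForDynamicClientRegistration();
        ClientRepresentation x509Client = getClientByAdmin(createClientDynamically("client-x509",
                client -> client.setTokenEndpointAuthMethod("tls_client_auth")));
        org.keycloak.testsuite.Assert.assertEquals("client-x509", x509Client.getClientAuthenticatorType());
        org.keycloak.testsuite.Assert.assertTrue(x509Client.isConsentRequired());
        org.keycloak.testsuite.Assert.assertEquals("S256",
                OIDCAdvancedConfigWrapper.fromClientRepresentation(x509Client).getPkceCodeChallengeMethod());
    }

    /**
     * Baseline profile: plain-http and wildcard redirect URIs are rejected at registration;
     * an exact https URI is accepted and stored unchanged.
     */
    @Test
    public void testFAPIBaselineRedirectUri() throws Exception {
        setupPolicyFAPIBaselineForAllClient();

        try {
            createClientByAdmin("invalid",
                    client -> client.setRedirectUris(Collections.singletonList("http://hostname.com")));
            Assert.fail();
        } catch (ClientPolicyException e) {
            Assert.assertEquals("invalid_client_metadata", e.getMessage());
        }

        try {
            createClientByAdmin("invalid",
                    client -> client.setRedirectUris(Collections.singletonList("https://hostname.com/foo/*")));
            Assert.fail();
        } catch (ClientPolicyException e) {
            Assert.assertEquals("invalid_client_metadata", e.getMessage());
        }

        org.keycloak.testsuite.Assert.assertNames(
                getClientByAdmin(createClientByAdmin("invalid",
                        client -> client.setRedirectUris(Collections.singletonList("https://hostname.com"))))
                        .getRedirectUris(),
                "https://hostname.com");
    }

    /**
     * Baseline profile, confidential client authenticating with {@code client-secret-jwt}:
     * PKCE S256, nonce, state and redirect_uri are all required during login, after which the
     * code is exchanged with a client-secret-signed JWT assertion.
     */
    @Test
    public void testFAPIBaselineConfidentialClientLogin() throws Exception {
        setupPolicyFAPIBaselineForAllClient();

        ClientRepresentation client = getClientByAdmin(createClientByAdmin("foo", rep -> {
            rep.setClientAuthenticatorType("client-secret-jwt");
            rep.setSecret("secret");
        }));
        org.keycloak.testsuite.Assert.assertFalse(client.isPublicClient());
        org.keycloak.testsuite.Assert.assertEquals("client-secret-jwt", client.getClientAuthenticatorType());
        org.keycloak.testsuite.Assert.assertFalse(client.isFullScopeAllowed());

        checkPKCEWithS256RequiredDuringLogin("foo");
        oauth.codeChallenge(generateS256CodeChallenge(CODE_VERIFIER));
        oauth.codeChallengeMethod("S256");
        checkNonceAndStateForCurrentClientDuringLogin();
        checkRedirectUriForCurrentClientDuringLogin();

        successfulLoginAndLogout("foo", false, code -> doAccessTokenRequestWithClientSignedJWT(
                code, getClientSecretSignedJWT("secret", "HS256"), CODE_VERIFIER, DefaultHttpClient::new));
    }

    /**
     * Baseline profile, public client: the same login-time checks as for a confidential client
     * apply, and the code is exchanged with the PKCE verifier alone.
     */
    @Test
    public void testFAPIBaselinePublicClientLogin() throws Exception {
        setupPolicyFAPIBaselineForAllClient();

        org.keycloak.testsuite.Assert.assertTrue(
                getClientByAdmin(createClientByAdmin("foo", rep -> rep.setPublicClient(true))).isPublicClient());

        checkPKCEWithS256RequiredDuringLogin("foo");
        oauth.codeChallenge(generateS256CodeChallenge(CODE_VERIFIER));
        oauth.codeChallengeMethod("S256");
        checkNonceAndStateForCurrentClientDuringLogin();
        checkRedirectUriForCurrentClientDuringLogin();

        successfulLoginAndLogout("foo", false, code -> {
            oauth.codeVerifier(CODE_VERIFIER);
            return oauth.doAccessTokenRequest(code, (String) null);
        });
    }

    /**
     * Advanced profile registration: both secret-based authenticators are rejected, plain-http
     * redirect URIs are rejected, and a client with no explicit authenticator gets
     * {@code client-jwt}, consent required, MTLS holder-of-key tokens, {@code PS256} for the
     * ID token and request object, and full-scope disabled.
     */
    @Test
    public void testFAPIAdvancedClientRegistration() throws Exception {
        setupPolicyFAPIAdvancedForAllClient();

        try {
            createClientByAdmin("invalid", client -> client.setClientAuthenticatorType("client-secret"));
            Assert.fail();
        } catch (ClientPolicyException e) {
            Assert.assertEquals("invalid_client_metadata", e.getMessage());
        }

        try {
            createClientByAdmin("invalid", client -> client.setClientAuthenticatorType("client-secret-jwt"));
            Assert.fail();
        } catch (ClientPolicyException e) {
            Assert.assertEquals("invalid_client_metadata", e.getMessage());
        }

        try {
            createClientByAdmin("invalid", client -> {
                client.setClientAuthenticatorType("client-jwt");
                client.setRedirectUris(Collections.singletonList("http://foo"));
            });
            Assert.fail();
        } catch (ClientPolicyException e) {
            Assert.assertEquals("invalid_client_metadata", e.getMessage());
        }

        org.keycloak.testsuite.Assert.assertEquals("client-jwt",
                getClientByAdmin(createClientByAdmin("client-jwt",
                        client -> client.setClientAuthenticatorType("client-jwt"))).getClientAuthenticatorType());
        org.keycloak.testsuite.Assert.assertEquals("client-x509",
                getClientByAdmin(createClientByAdmin("client-x509",
                        client -> client.setClientAuthenticatorType("client-x509"))).getClientAuthenticatorType());

        ClientRepresentation defaulted = getClientByAdmin(createClientByAdmin("client-jwt-2", client -> { }));
        org.keycloak.testsuite.Assert.assertEquals("client-jwt", defaulted.getClientAuthenticatorType());
        org.keycloak.testsuite.Assert.assertTrue(defaulted.isConsentRequired());
        OIDCAdvancedConfigWrapper config = OIDCAdvancedConfigWrapper.fromClientRepresentation(defaulted);
        org.keycloak.testsuite.Assert.assertTrue(config.isUseMtlsHokToken());
        org.keycloak.testsuite.Assert.assertEquals("PS256", config.getIdTokenSignedResponseAlg());
        org.keycloak.testsuite.Assert.assertEquals("PS256", config.getRequestObjectSignatureAlg().toString());
        org.keycloak.testsuite.Assert.assertFalse(defaulted.isFullScopeAllowed());
    }

    /**
     * A public client that logs in fine under the Baseline profile is refused with
     * {@code invalid_client} once the Advanced profile is switched on.
     */
    @Test
    public void testFAPIAdvancedPublicClientLoginNotPossible() throws Exception {
        setupPolicyFAPIBaselineForAllClient();

        org.keycloak.testsuite.Assert.assertTrue(
                getClientByAdmin(createClientByAdmin("foo", rep -> rep.setPublicClient(true))).isPublicClient());

        oauth.nonce(NONCE);
        oauth.codeChallenge(generateS256CodeChallenge(CODE_VERIFIER));
        oauth.codeChallengeMethod("S256");
        successfulLoginAndLogout("foo", false, code -> {
            oauth.codeVerifier(CODE_VERIFIER);
            return oauth.doAccessTokenRequest(code, (String) null);
        });

        // Same client, same request: under the Advanced profile the public client is rejected.
        setupPolicyFAPIAdvancedForAllClient();
        oauth.openLoginForm();
        assertRedirectedToClientWithError("invalid_client", false, "invalid client access type");
    }

    /**
     * Advanced profile signature algorithms: {@code RS256} for the ID token is rejected with
     * {@code invalid_request}, {@code ES256} is accepted, and with nothing configured every
     * signing algorithm (ID token, request object, userinfo, token endpoint auth, access token)
     * defaults to {@code PS256}.
     */
    @Test
    public void testFAPIAdvancedSignatureAlgorithms() throws Exception {
        setupPolicyFAPIAdvancedForAllClient();

        try {
            createClientByAdmin("invalid", client -> {
                client.setClientAuthenticatorType("client-jwt");
                OIDCAdvancedConfigWrapper.fromClientRepresentation(client).setIdTokenSignedResponseAlg("RS256");
            });
            Assert.fail();
        } catch (ClientPolicyException e) {
            Assert.assertEquals("invalid_request", e.getMessage());
        }

        OIDCAdvancedConfigWrapper es256Config = OIDCAdvancedConfigWrapper.fromClientRepresentation(
                getClientByAdmin(createClientByAdmin("client-jwt", client -> {
                    client.setClientAuthenticatorType("client-jwt");
                    OIDCAdvancedConfigWrapper.fromClientRepresentation(client).setIdTokenSignedResponseAlg("ES256");
                })));
        org.keycloak.testsuite.Assert.assertEquals("ES256", es256Config.getIdTokenSignedResponseAlg());
        org.keycloak.testsuite.Assert.assertEquals("PS256", es256Config.getRequestObjectSignatureAlg().toString());

        ClientRepresentation defaulted = getClientByAdmin(createClientByAdmin("client-jwt-default-alg",
                client -> client.setClientAuthenticatorType("client-jwt")));
        OIDCAdvancedConfigWrapper defaultConfig = OIDCAdvancedConfigWrapper.fromClientRepresentation(defaulted);
        org.keycloak.testsuite.Assert.assertEquals("PS256", defaultConfig.getIdTokenSignedResponseAlg());
        org.keycloak.testsuite.Assert.assertEquals("PS256", defaultConfig.getRequestObjectSignatureAlg().toString());
        org.keycloak.testsuite.Assert.assertEquals("PS256", defaultConfig.getUserInfoSignedResponseAlg().toString());
        org.keycloak.testsuite.Assert.assertEquals("PS256", defaultConfig.getTokenEndpointAuthSigningAlg());
        org.keycloak.testsuite.Assert.assertEquals("PS256", defaulted.getAttributes().get("access.token.signed.response.alg"));
    }

    /**
     * Advanced profile end-to-end login with {@code private_key_jwt} client authentication.
     *
     * <p>Checks, in order: a request object is mandatory; it must carry {@code nbf}; the
     * response type must be {@code code id_token}; the ID token returned in the fragment is a
     * detached signature (no profile claims, {@code s_hash}/{@code c_hash} present); a token
     * request without a client certificate fails with {@code invalid_grant}; and a token request
     * over MTLS succeeds with a certificate-bound access token.
     */
    @Test
    public void testFAPIAdvancedLoginWithPrivateKeyJWT() throws Exception {
        setupPolicyFAPIAdvancedForAllClient();

        Assert.assertEquals("client-jwt", adminClient.realm(TEST_REALM).clients().get(createClientByAdmin("foo", client -> {
            client.setClientAuthenticatorType("client-jwt");
            client.setImplicitFlowEnabled(true);
            OIDCAdvancedConfigWrapper.fromClientRepresentation(client)
                    .setRequestUris(Collections.singletonList(TestApplicationResourceUrls.clientRequestUri()));
        })).toRepresentation().getClientAuthenticatorType());

        oauth.clientId("foo");
        checkNonceAndStateForCurrentClientDuringLogin();
        checkRedirectUriForCurrentClientDuringLogin();

        // Without a request object the Advanced profile refuses the authorization request.
        oauth.openLoginForm();
        assertRedirectedToClientWithError("invalid_request", false, "Missing parameter: 'request' or 'request_uri'");

        // A request object without nbf is refused.
        TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject requestWithoutNbf =
                createValidRequestObjectForSecureRequestObjectExecutor("foo");
        requestWithoutNbf.nbf((Long) null);
        registerRequestObject(requestWithoutNbf, "foo", Algorithm.PS256, true);
        oauth.openLoginForm();
        assertRedirectedToClientWithError("invalid_request_uri", false, "Missing parameter in the 'request' object: nbf");

        // Only "code id_token" is an acceptable response type.
        TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject requestObject =
                createValidRequestObjectForSecureRequestObjectExecutor("foo");
        requestObject.setNonce(NONCE);
        registerRequestObject(requestObject, "foo", Algorithm.PS256, true);
        oauth.openLoginForm();
        assertRedirectedToClientWithError("invalid_request", false, "invalid response_type");

        oauth.responseType("code id_token token");
        requestObject.setResponseType("code id_token token");
        registerRequestObject(requestObject, "foo", Algorithm.PS256, true);
        oauth.openLoginForm();
        assertRedirectedToClientWithError("invalid_request", true, "invalid response_type");

        oauth.responseType("code id_token");
        requestObject.setResponseType("code id_token");
        registerRequestObject(requestObject, "foo", Algorithm.PS256, true);
        oauth.openLoginForm();
        loginPage.assertCurrent();

        KeyPair keyPair = getKeyPairFromGeneratedBase64(testingClient.testApp().oidcClientEndpoints().getKeysAsBase64(), "PS256");
        PrivateKey privateKey = keyPair.getPrivate();
        PublicKey publicKey = keyPair.getPublic();

        String code = loginUserAndGetCode("foo", true);
        org.keycloak.testsuite.Assert.assertNull(getParameterFromUrl("access_token", true));
        assertIDTokenAsDetachedSignature(getParameterFromUrl("id_token", true), code);

        // Token request without a client certificate: the HoK binding cannot be established.
        OAuthClient.AccessTokenResponse withoutCert = doAccessTokenRequestWithClientSignedJWT(
                code, createSignedRequestToken("foo", privateKey, publicKey, "PS256"), null, DefaultHttpClient::new);
        org.keycloak.testsuite.Assert.assertEquals("invalid_grant", withoutCert.getError());
        org.keycloak.testsuite.Assert.assertEquals("Client Certification missing for MTLS HoK Token Binding",
                withoutCert.getErrorDescription());

        // Fresh authorization code, this time exchanged over MTLS.
        oauth.openLoginForm();
        String mtlsCode = (String) oauth.getCurrentFragment().get("code");
        org.keycloak.testsuite.Assert.assertNotNull(mtlsCode);
        OAuthClient.AccessTokenResponse withCert = doAccessTokenRequestWithClientSignedJWT(
                mtlsCode, createSignedRequestToken("foo", privateKey, publicKey, "PS256"), null,
                MutualTLSUtils::newCloseableHttpClientWithDefaultKeyStoreAndTrustStore);
        assertSuccessfulTokenResponse(withCert);
        org.keycloak.testsuite.Assert.assertNotNull(
                oauth.verifyToken(withCert.getAccessToken()).getCertConf().getCertThumbprint());

        logoutUserAndRevokeConsent("foo");
    }

    /**
     * Advanced profile end-to-end login with {@code tls_client_auth} ({@code client-x509})
     * client authentication: a request object is required, the ID token in the fragment is a
     * detached signature, and the token obtained over MTLS is certificate-bound.
     */
    @Test
    public void testFAPIAdvancedLoginWithMTLS() throws Exception {
        setupPolicyFAPIAdvancedForAllClient();

        Assert.assertEquals("client-x509", adminClient.realm(TEST_REALM).clients().get(createClientByAdmin("foo", client -> {
            client.setClientAuthenticatorType("client-x509");
            client.setImplicitFlowEnabled(true);
            OIDCAdvancedConfigWrapper config = OIDCAdvancedConfigWrapper.fromClientRepresentation(client);
            config.setRequestUris(Collections.singletonList(TestApplicationResourceUrls.clientRequestUri()));
            config.setTlsClientAuthSubjectDn("EMAILADDRESS=contact@keycloak.org, CN=Keycloak Intermediate CA, OU=Keycloak, O=Red Hat, ST=MA, C=US");
        })).toRepresentation().getClientAuthenticatorType());

        oauth.clientId("foo");
        checkNonceAndStateForCurrentClientDuringLogin();
        checkRedirectUriForCurrentClientDuringLogin();

        oauth.openLoginForm();
        assertRedirectedToClientWithError("invalid_request", false, "Missing parameter: 'request' or 'request_uri'");

        TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject requestObject =
                createValidRequestObjectForSecureRequestObjectExecutor("foo");
        requestObject.setNonce(NONCE);
        oauth.responseType("code id_token");
        requestObject.setResponseType("code id_token");
        registerRequestObject(requestObject, "foo", Algorithm.PS256, true);
        oauth.openLoginForm();
        loginPage.assertCurrent();

        String code = loginUserAndGetCode("foo", true);
        org.keycloak.testsuite.Assert.assertNull(getParameterFromUrl("access_token", true));
        assertIDTokenAsDetachedSignature(getParameterFromUrl("id_token", true), code);

        OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, (String) null);
        assertSuccessfulTokenResponse(response);
        org.keycloak.testsuite.Assert.assertNotNull(
                oauth.verifyToken(response.getAccessToken()).getCertConf().getCertThumbprint());

        logoutUserAndRevokeConsent("foo");
    }

    /**
     * Asserts that a login for {@code clientId} is refused both without a PKCE challenge and
     * with the {@code plain} challenge method.
     *
     * @param clientId client the OAuth helper is pointed at for the rest of the test
     */
    private void checkPKCEWithS256RequiredDuringLogin(String clientId) {
        oauth.clientId(clientId);
        oauth.openLoginForm();
        assertRedirectedToClientWithError("invalid_request", false, "Missing parameter: code_challenge_method");

        oauth.codeChallenge("234567890_234567890123");
        oauth.codeChallengeMethod("plain");
        oauth.openLoginForm();
        assertRedirectedToClientWithError("invalid_request", false, "Invalid parameter: code challenge method is not configured one");
    }

    /**
     * Asserts that a login is refused without {@code nonce} and without {@code state}; leaves
     * the OAuth helper with {@link #NONCE} and a random state set.
     *
     * <p>The openid scope is switched off for the state check and is switched back on by
     * {@link #checkRedirectUriForCurrentClientDuringLogin()}.
     */
    private void checkNonceAndStateForCurrentClientDuringLogin() {
        oauth.openLoginForm();
        assertRedirectedToClientWithError("invalid_request", false, "Missing parameter: nonce");

        oauth.nonce(NONCE);
        oauth.stateParamHardcoded((String) null);
        oauth.openid(false);
        oauth.openLoginForm();
        assertRedirectedToClientWithError("invalid_request", false, "Missing parameter: state");
        oauth.stateParamRandom();
    }

    /**
     * Asserts that a login without {@code redirect_uri} ends on the error page, then restores
     * the previous redirect URI on the OAuth helper.
     */
    private void checkRedirectUriForCurrentClientDuringLogin() {
        String originalRedirectUri = oauth.getRedirectUri();
        oauth.openid(true);
        oauth.redirectUri((String) null);
        oauth.openLoginForm();
        errorPage.assertCurrent();
        org.keycloak.testsuite.Assert.assertEquals("Invalid parameter: redirect_uri", errorPage.getError());
        oauth.redirectUri(originalRedirectUri);
    }

    /** Installs a single enabled policy applying the {@code fapi-1-baseline} profile to every client. */
    private void setupPolicyFAPIBaselineForAllClient() throws Exception {
        String policies = new ClientPoliciesUtil.ClientPoliciesBuilder()
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy", "Policy for enable FAPI Baseline for all clients", Boolean.TRUE)
                        .addCondition("any-client", ClientPoliciesUtil.createAnyClientConditionConfig())
                        .addProfile("fapi-1-baseline")
                        .toRepresentation())
                .toString();
        updatePolicies(policies);
    }

    /** Installs a single enabled policy applying the {@code fapi-1-advanced} profile to every client. */
    private void setupPolicyFAPIAdvancedForAllClient() throws Exception {
        String policies = new ClientPoliciesUtil.ClientPoliciesBuilder()
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy", "Policy for enable FAPI Advanced for all clients", Boolean.TRUE)
                        .addCondition("any-client", ClientPoliciesUtil.createAnyClientConditionConfig())
                        .addProfile("fapi-1-advanced")
                        .toRepresentation())
                .toString();
        updatePolicies(policies);
    }

    /**
     * Logs {@code john} in to {@code clientId}, exchanges the code with {@code tokenRequest},
     * asserts the token response and finally logs the user out and revokes the consent.
     *
     * @param clientId     client to log in to
     * @param fromFragment whether the code is read from the URL fragment rather than the query
     * @param tokenRequest maps the authorization code to the token response to assert on
     */
    private void successfulLoginAndLogout(String clientId, boolean fromFragment,
                                          Function<String, OAuthClient.AccessTokenResponse> tokenRequest) throws Exception {
        assertSuccessfulTokenResponse(tokenRequest.apply(loginUserAndGetCode(clientId, fromFragment)));
        logoutUserAndRevokeConsent(clientId);
    }

    /**
     * Logs {@code john} in to {@code clientId}, accepts the consent screen and returns the
     * authorization code from the redirect.
     *
     * @param clientId     client to log in to
     * @param fromFragment whether the code is read from the URL fragment rather than the query
     * @return the non-null authorization code
     */
    private String loginUserAndGetCode(String clientId, boolean fromFragment) {
        oauth.clientId(clientId);
        oauth.doLogin("john", "password");
        grantPage.assertCurrent();
        grantPage.assertGrants("User profile", "Email address", "User roles");
        grantPage.accept();
        String code = getParameterFromUrl("code", fromFragment);
        org.keycloak.testsuite.Assert.assertNotNull(code);
        return code;
    }

    /**
     * Asserts an HTTP 200 token response for client {@code foo} whose ID token carries the
     * profile claims of {@code john} and the nonce {@link #NONCE}.
     */
    private void assertSuccessfulTokenResponse(OAuthClient.AccessTokenResponse response) {
        Assert.assertEquals(200L, response.getStatusCode());
        org.keycloak.testsuite.Assert.assertThat(response.getIdToken(), Matchers.notNullValue());
        org.keycloak.testsuite.Assert.assertThat(response.getAccessToken(), Matchers.notNullValue());
        org.keycloak.testsuite.Assert.assertNotNull(response.getScope());
        assertScopes("openid profile email", response.getScope());

        IDToken idToken = oauth.verifyIDToken(response.getIdToken());
        org.keycloak.testsuite.Assert.assertNotNull(idToken.getId());
        org.keycloak.testsuite.Assert.assertEquals("foo", idToken.getIssuedFor());
        org.keycloak.testsuite.Assert.assertEquals("john", idToken.getPreferredUsername());
        org.keycloak.testsuite.Assert.assertEquals("john@keycloak.org", idToken.getEmail());
        org.keycloak.testsuite.Assert.assertEquals("Johny", idToken.getGivenName());
        org.keycloak.testsuite.Assert.assertEquals(NONCE, idToken.getNonce());
    }

    /**
     * Asserts that the ID token returned in the authorization response fragment is a detached
     * signature: it verifies, carries no profile claims or {@code at_hash}, and its
     * {@code s_hash}/{@code c_hash} match the state in the current URL and {@code code}.
     *
     * @param idToken raw ID token taken from the fragment
     * @param code    authorization code returned alongside it
     */
    private void assertIDTokenAsDetachedSignature(String idToken, String code) {
        org.keycloak.testsuite.Assert.assertNotNull(idToken);
        IDToken verified = oauth.verifyIDToken(idToken);
        org.keycloak.testsuite.Assert.assertNotNull(verified.getId());
        org.keycloak.testsuite.Assert.assertEquals("foo", verified.getIssuedFor());
        org.keycloak.testsuite.Assert.assertNull(verified.getPreferredUsername());
        org.keycloak.testsuite.Assert.assertNull(verified.getEmail());
        org.keycloak.testsuite.Assert.assertNull(verified.getGivenName());
        org.keycloak.testsuite.Assert.assertNull(verified.getAccessTokenHash());
        org.keycloak.testsuite.Assert.assertEquals(NONCE, verified.getNonce());
        org.keycloak.testsuite.Assert.assertEquals(HashUtils.oidcHash("PS256", getParameterFromUrl("state", true)),
                verified.getStateHash());
        org.keycloak.testsuite.Assert.assertEquals(HashUtils.oidcHash("PS256", code), verified.getCodeHash());
    }

    /**
     * Builds a client-assertion JWT signed with the client secret for the current client.
     *
     * @param clientSecret the client's secret
     * @param algorithm    HMAC algorithm, e.g. {@code HS256}
     * @return the signed assertion
     */
    private String getClientSecretSignedJWT(String clientSecret, String algorithm) {
        JWTClientSecretCredentialsProvider provider = new JWTClientSecretCredentialsProvider();
        provider.setClientSecret(clientSecret, algorithm);
        return provider.createSignedRequestToken(oauth.getClientId(), getRealmInfoUrl(), algorithm);
    }

    /** Realm URL used as the audience of client assertions, derived from the redirect URI's origin. */
    private String getRealmInfoUrl() {
        return KeycloakUriBuilder.fromUri(UriUtils.getOrigin(oauth.getRedirectUri()) + "/auth")
                .path("/realms/{realm-name}")
                .build(TEST_REALM)
                .toString();
    }

    /**
     * Exchanges an authorization code using a {@code jwt-bearer} client assertion.
     *
     * @param code               authorization code
     * @param clientAssertion    signed client-assertion JWT
     * @param codeVerifier       PKCE verifier, may be {@code null}
     * @param httpClientSupplier supplies the HTTP client (plain or MTLS) for the request
     * @return the parsed token response
     * @throws RuntimeException wrapping any failure of the request
     */
    private OAuthClient.AccessTokenResponse doAccessTokenRequestWithClientSignedJWT(String code, String clientAssertion,
            String codeVerifier, Supplier<CloseableHttpClient> httpClientSupplier) {
        try {
            List<NameValuePair> params = new LinkedList<>();
            params.add(new BasicNameValuePair("grant_type", "authorization_code"));
            params.add(new BasicNameValuePair("code", code));
            params.add(new BasicNameValuePair("code_verifier", codeVerifier));
            params.add(new BasicNameValuePair("redirect_uri", oauth.getRedirectUri()));
            params.add(new BasicNameValuePair("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"));
            params.add(new BasicNameValuePair("client_assertion", clientAssertion));
            return new OAuthClient.AccessTokenResponse(sendRequest(oauth.getAccessTokenUrl(), params, httpClientSupplier));
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * POSTs {@code params} as a URL-encoded form to {@code requestUrl}; the HTTP client obtained
     * from the supplier is always closed before returning.
     *
     * @return the raw response, which the caller is responsible for consuming
     */
    private CloseableHttpResponse sendRequest(String requestUrl, List<NameValuePair> params,
                                              Supplier<CloseableHttpClient> httpClientSupplier) throws Exception {
        CloseableHttpClient client = httpClientSupplier.get();
        try {
            HttpPost post = new HttpPost(requestUrl);
            post.setEntity(new UrlEncodedFormEntity(params, "UTF-8"));
            return client.execute(post);
        } finally {
            oauth.closeClient(client);
        }
    }

    /**
     * Asserts that two space-separated scope strings contain the same scopes, ignoring order.
     *
     * @param expectedScope expected scopes, space separated
     * @param receivedScope scopes from the token response, space separated
     */
    public static void assertScopes(String expectedScope, String receivedScope) {
        List<String> expected = Arrays.asList(expectedScope.split(" "));
        List<String> received = Arrays.asList(receivedScope.split(" "));
        org.keycloak.testsuite.Assert.assertTrue(
                "Not matched. expectedScope: " + expectedScope + ", receivedScope: " + receivedScope,
                expected.containsAll(received) && received.containsAll(expected));
    }

    /**
     * Asserts the browser was redirected back to the app with the given OAuth error.
     *
     * @param expectedError       value of the {@code error} parameter
     * @param fromFragment        whether the parameters are in the URL fragment rather than the query
     * @param expectedDescription value of the {@code error_description} parameter
     */
    private void assertRedirectedToClientWithError(String expectedError, boolean fromFragment, String expectedDescription) {
        appPage.assertCurrent();
        Assert.assertEquals(expectedError, getParameterFromUrl("error", fromFragment));
        Assert.assertEquals(expectedDescription, getParameterFromUrl("error_description", fromFragment));
    }

    /** Reads a parameter from the current URL's fragment or query string. */
    private String getParameterFromUrl(String name, boolean fromFragment) {
        if (fromFragment) {
            return (String) oauth.getCurrentFragment().get(name);
        }
        return (String) oauth.getCurrentQuery().get(name);
    }

    /**
     * Logs {@code john} out, asserts exactly one consent was granted, and revokes it for
     * {@code clientId} so the next test starts from a clean state.
     */
    private void logoutUserAndRevokeConsent(String clientId) {
        UserResource john = ApiUtil.findUserByUsernameId(adminClient.realm(TEST_REALM), "john");
        john.logout();
        Assert.assertEquals(1L, john.getConsents().size());
        john.revokeConsent(clientId);
    }
}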
