package org.keycloak.testsuite.authz;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.UUID;
import javax.ws.rs.core.Response;
import org.jetbrains.annotations.NotNull;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.keycloak.admin.client.resource.AuthorizationResource;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.ClientsResource;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.ResourcesResource;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.JSPolicyRepresentation;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.representations.idm.authorization.ResourceOwnerRepresentation;
import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.testsuite.util.RoleBuilder;
import org.keycloak.testsuite.util.RolesBuilder;
import org.keycloak.testsuite.util.UserBuilder;

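/**
 * Exercises permission evaluation when several protected resources share one name but
 * have different owners.
 *
 * <p>The realm, users, clients and their passwords/secrets declared in
 * {@link #addTestRealms(List)} are throwaway fixtures of the {@code authz-test} realm.
 *
 * <p>Every permission created here is backed by the always-granting "Grant Policy", so
 * the assertions cover which resource a by-name request resolves to, not whether access
 * can be denied.
 */
@AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
/* loaded from: input_file:org/keycloak/testsuite/authz/AuthorizationTest.class */
public class AuthorizationTest extends AbstractAuthzTest {
    // Lazily created by getAuthzClient() and then reused by this test instance.
    private AuthzClient authzClient;

    /**
     * Registers the {@code authz-test} realm: users {@code marta} (with the
     * {@code uma_authorization} role) and {@code kolo}, plus two confidential clients
     * with authorization services enabled.
     *
     * @param list realm list the test framework imports; the new realm is appended to it
     */
    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void addTestRealms(List<RealmRepresentation> list) {
        list.add(RealmBuilder.create()
                .name("authz-test")
                .roles(RolesBuilder.create()
                        .realmRole(RoleBuilder.create().name("uma_authorization").build()))
                .user(UserBuilder.create()
                        .username("marta")
                        .password("password")
                        .addRoles("uma_authorization"))
                .user(UserBuilder.create()
                        .username("kolo")
                        .password("password"))
                .client(ClientBuilder.create()
                        .clientId("resource-server-test")
                        .secret("secret")
                        .authorizationServicesEnabled(true)
                        .redirectUris("http://localhost/resource-server-test")
                        .defaultRoles("uma_protection")
                        .directAccessGrants())
                .client(ClientBuilder.create()
                        .clientId("test-client")
                        .secret("secret")
                        .authorizationServicesEnabled(true)
                        .redirectUris("http://localhost/test-client")
                        .directAccessGrants())
                .build());
    }

    /**
     * Creates the "Grant Policy" JS policy on the resource server before each test.
     *
     * @throws Exception declared for the test framework; nothing here throws a checked exception
     */
    @Before
    public void configureAuthorization() throws Exception {
        AuthorizationResource authorization = getClient().authorization();

        JSPolicyRepresentation grantPolicy = new JSPolicyRepresentation();
        grantPolicy.setName("Grant Policy");
        grantPolicy.setCode("$evaluation.grant();");
        // The response status is not checked. onAfter() removes resources only, not
        // policies, so on a later test this create presumably targets a name that
        // already exists.
        authorization.policies().js().create(grantPolicy).close();

        // No deny policy is registered. A "Deny Policy" object used to be built here but
        // was never sent to the server, so it was dropped as dead code. Add a real
        // deny-path test if denial needs coverage.
    }

    /** Removes every resource of the resource server so tests do not see each other's data. */
    @After
    public void onAfter() {
        ResourcesResource resources = getClient().authorization().resources();
        for (ResourceRepresentation resource : resources.resources()) {
            resources.resource(resource.getId()).remove();
        }
    }

    /**
     * Two users each own a resource called "Resource A". A by-name permission request
     * must resolve, for each user, to exactly one permission that points at that user's
     * own resource id.
     */
    @Test
    public void testResourceWithSameNameDifferentOwner() throws JWSInputException {
        ResourceRepresentation koloResource = createResource("Resource A", "kolo", "Scope A", "Scope B");
        createResourcePermission(koloResource, "Grant Policy");
        ResourceRepresentation martaResource = createResource("Resource A", "marta", "Scope A", "Scope B");
        createResourcePermission(martaResource, "Grant Policy");

        // Same name, different owner: the server must have stored two distinct resources.
        Assert.assertNotEquals(koloResource.getId(), martaResource.getId());

        AuthorizationRequest request = new AuthorizationRequest();
        request.addPermission("Resource A", new String[0]);

        List<Permission> koloPermissions = authorize("kolo", "password", request);
        Assert.assertEquals(1, koloPermissions.size());
        Permission koloPermission = koloPermissions.get(0);
        Assert.assertTrue(koloPermission.getScopes().containsAll(Arrays.asList("Scope A", "Scope B")));
        // The owner check that matters: kolo must not be handed marta's resource.
        Assert.assertEquals(koloResource.getId(), koloPermission.getResourceId());

        List<Permission> martaPermissions = authorize("marta", "password", request);
        Assert.assertEquals(1, martaPermissions.size());
        Permission martaPermission = martaPermissions.get(0);
        Assert.assertEquals(martaResource.getId(), martaPermission.getResourceId());
        Assert.assertTrue(martaPermission.getScopes().containsAll(Arrays.asList("Scope A", "Scope B")));
    }

    /**
     * One "Resource A" is owned by user {@code kolo}, another is created without an
     * explicit owner. A by-name request from {@code kolo} must return both, and nothing
     * else.
     */
    @Test
    public void testResourceServerWithSameNameDifferentOwner() {
        ResourceRepresentation userResource = createResource("Resource A", "kolo", "Scope A", "Scope B");
        createResourcePermission(userResource, "Grant Policy");
        // A null owner leaves the owner field unset in the create request.
        ResourceRepresentation serverResource = createResource("Resource A", null, "Scope A", "Scope B");
        createResourcePermission(serverResource, "Grant Policy");

        AuthorizationRequest request = new AuthorizationRequest();
        request.addPermission("Resource A", new String[0]);

        List<Permission> permissions = authorize("kolo", "password", request);
        Assert.assertEquals(2, permissions.size());
        for (Permission permission : permissions) {
            String resourceId = permission.getResourceId();
            Assert.assertTrue(resourceId.equals(userResource.getId()) || resourceId.equals(serverResource.getId()));
            Assert.assertEquals("Resource A", permission.getResourceName());
        }
    }

    /**
     * Obtains an RPT for the given user and returns the permissions it carries.
     *
     * @param str user name used for the direct grant
     * @param str2 that user's password
     * @param authorizationRequest permissions being requested
     * @return a mutable copy of the permissions found in the decoded token
     */
    private List<Permission> authorize(String str, String str2, AuthorizationRequest authorizationRequest) {
        String rpt = getAuthzClient().authorization(str, str2).authorize(authorizationRequest).getToken();
        return new ArrayList<>(toAccessToken(rpt).getAuthorization().getPermissions());
    }

    /**
     * Creates a resource permission that ties the given resource to the named policies
     * and asserts that the server answered 201.
     *
     * @param resourceRepresentation resource to protect; its id must already be set
     * @param strArr names of the policies to attach
     */
    private void createResourcePermission(ResourceRepresentation resourceRepresentation, String... strArr) {
        ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
        // A random suffix keeps permission names unique when several resources share a name.
        permission.setName(resourceRepresentation.getName() + UUID.randomUUID().toString());
        permission.addResource(resourceRepresentation.getId());
        permission.addPolicy(strArr);

        // try-with-resources closes the response even when the status assertion fails.
        try (Response response = getClient().authorization().permissions().resource().create(permission)) {
            Assert.assertEquals(201, response.getStatus());
        }
    }

    /**
     * Creates a resource on the resource server and returns the request representation
     * with the server-assigned id copied into it.
     *
     * @param str resource name
     * @param str2 owner user name, or {@code null} to leave the owner unset
     * @param strArr scope names to attach to the resource
     * @return the representation that was sent, now carrying the id from the response
     */
    @NotNull
    private ResourceRepresentation createResource(String str, String str2, String... strArr) {
        ResourceRepresentation resource = new ResourceRepresentation();
        resource.setName(str);
        resource.setOwner(str2 != null ? new ResourceOwnerRepresentation(str2) : null);
        resource.addScope(strArr);

        // Closing in try-with-resources also covers a failure while reading the entity.
        // NOTE(review): the status is not asserted here, so a rejected create would only
        // show up later, presumably as a missing id. Confirm whether 201 should be required.
        try (Response response = getClient().authorization().resources().create(resource)) {
            ResourceRepresentation created = response.readEntity(ResourceRepresentation.class);
            resource.setId(created.getId());
        }
        return resource;
    }

    /** Returns the admin handle for the {@code authz-test} realm. */
    private RealmResource getRealm() {
        return this.adminClient.realm("authz-test");
    }

    /**
     * Looks up the {@code resource-server-test} client through the admin API.
     *
     * @return the admin handle of the first client found under that client id
     * @throws RuntimeException if no such client exists
     */
    private ClientResource getClient() {
        ClientsResource clients = getRealm().clients();
        return clients.findByClientId("resource-server-test").stream()
                .map(representation -> clients.get(representation.getId()))
                .findFirst()
                .orElseThrow(() -> new RuntimeException("Expected client [resource-server-test]"));
    }

    /**
     * Returns the authorization client, creating it on first use from the classpath
     * configuration {@code /authorization-test/default-keycloak.json}.
     *
     * @throws IllegalStateException if the configuration resource is not on the classpath
     */
    private AuthzClient getAuthzClient() {
        if (this.authzClient == null) {
            java.io.InputStream config = getClass().getResourceAsStream("/authorization-test/default-keycloak.json");
            if (config == null) {
                // Fail with a clear message instead of passing null into AuthzClient.create.
                throw new IllegalStateException("Missing classpath resource [/authorization-test/default-keycloak.json]");
            }
            // NOTE(review): the stream is not closed here. Confirm that AuthzClient.create closes it.
            this.authzClient = AuthzClient.create(config);
        }
        return this.authzClient;
    }
}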
