package org.keycloak.testsuite.adapter.servlet;

import java.util.concurrent.atomic.AtomicReference;
import javax.xml.datatype.XMLGregorianCalendar;
import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.arquillian.graphene.page.Page;
import org.jboss.shrinkwrap.api.spec.WebArchive;
import org.junit.Assert;
import org.junit.Test;
import org.keycloak.adapters.rotation.PublicKeyLocator;
import org.keycloak.dom.saml.v2.SAML2Object;
import org.keycloak.dom.saml.v2.assertion.AuthnStatementType;
import org.keycloak.dom.saml.v2.protocol.ResponseType;
import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
import org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil;
import org.keycloak.testsuite.adapter.filter.AdapterActionsFilter;
import org.keycloak.testsuite.adapter.page.Employee2Servlet;
import org.keycloak.testsuite.arquillian.annotation.AppServerContainer;
import org.keycloak.testsuite.arquillian.annotation.AppServerContainers;
import org.keycloak.testsuite.saml.AbstractSamlTest;
import org.keycloak.testsuite.updaters.RealmAttributeUpdater;
import org.keycloak.testsuite.updaters.ServerResourceUpdater;
import org.keycloak.testsuite.util.Matchers;
import org.keycloak.testsuite.util.SamlClient;

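/**
 * Checks how the SAML servlet adapter treats the {@code SessionNotOnOrAfter} attribute of the
 * {@code AuthnStatement} received from the identity provider.
 *
 * <p>Each test logs in through the {@code employee2} deployment, moves the adapter and server
 * clocks with {@code setAdapterAndServerTimeOffset}, and then asserts either that the user is
 * still signed in or that the login form is shown again. The clock offset is shared state, so
 * every test resets it to zero in a {@code finally} block. A failed assertion therefore cannot
 * leave a skewed clock behind for later session-expiry tests.
 */
@AppServerContainers({
    @AppServerContainer("app-server-undertow"),
    @AppServerContainer("app-server-wildfly"),
    @AppServerContainer("app-server-wildfly-deprecated"),
    @AppServerContainer("app-server-eap"),
    @AppServerContainer("app-server-eap6"),
    @AppServerContainer("app-server-eap71"),
    @AppServerContainer("app-server-tomcat7"),
    @AppServerContainer("app-server-tomcat8"),
    @AppServerContainer("app-server-tomcat9"),
    @AppServerContainer("app-server-jetty92"),
    @AppServerContainer("app-server-jetty93"),
    @AppServerContainer("app-server-jetty94")
})
public class SAMLServletSessionTimeoutTest extends AbstractSAMLServletAdapterTest {

    @Page
    protected Employee2Servlet employee2ServletPage;

    /** Session lifetime, in seconds, written into (or expected in) {@code SessionNotOnOrAfter}. */
    private static final int SESSION_LENGTH_IN_SECONDS = 120;

    /**
     * Clock offset, in seconds, after which the tests expect the login form again.
     * NOTE(review): presumably chosen to exceed the realm's SSO session idle timeout; confirm
     * against the test realm configuration.
     */
    private static final int KEYCLOAK_SESSION_TIMEOUT = 1922;

    /** String form of the {@code SessionNotOnOrAfter} value the servlet is expected to echo. */
    private final AtomicReference<String> sessionNotOnOrAfter = new AtomicReference<>();

    @Deployment(name = "employee2")
    protected static WebArchive employee2() {
        return samlServletDeployment(
                "employee2",
                AbstractSAMLServletAdapterTest.WEB_XML_WITH_ACTION_FILTER,
                SendUsernameServlet.class,
                AdapterActionsFilter.class,
                PublicKeyLocator.class);
    }

    /**
     * Sets {@code SessionNotOnOrAfter} on the first assertion of a successful SAML response to
     * "now + {@link #SESSION_LENGTH_IN_SECONDS}" and records that value for later assertions.
     *
     * @param samlObject the intercepted SAML document; asserted to be a successful response
     * @return the same object, modified in place
     */
    private SAML2Object addSessionNotOnOrAfter(SAML2Object samlObject) {
        Assert.assertThat(samlObject, Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
        ResponseType response = (ResponseType) samlObject;
        ResponseType.RTChoiceType firstAssertion = response.getAssertions().get(0);

        // Reuse the existing AuthnStatement when there is one, otherwise start a new one.
        AuthnStatementType authnStatement = firstAssertion.getAssertion().getStatements().stream()
                .filter(AuthnStatementType.class::isInstance)
                .map(AuthnStatementType.class::cast)
                .findFirst()
                .orElse(new AuthnStatementType(XMLTimeUtil.getIssueInstant()));

        XMLGregorianCalendar expiry =
                XMLTimeUtil.add(XMLTimeUtil.getIssueInstant(), SESSION_LENGTH_IN_SECONDS * 1000L);
        this.sessionNotOnOrAfter.set(expiry.toString());
        authnStatement.setSessionNotOnOrAfter(expiry);
        firstAssertion.getAssertion().addStatement(authnStatement);
        return samlObject;
    }

    /**
     * Asserts that the intercepted SAML document is an {@code AuthnRequest}, i.e. that the adapter
     * no longer accepts the local session and sends the browser back to the identity provider.
     *
     * @param samlObject the intercepted SAML document
     * @return the same object, unchanged
     */
    private SAML2Object expectAuthnRequest(SAML2Object samlObject) {
        Assert.assertThat(samlObject, Matchers.isSamlAuthnRequest());
        return samlObject;
    }

    /**
     * Asserts that a successful SAML response issued by the server carries a
     * {@code SessionNotOnOrAfter} equal to {@code AuthnInstant + SESSION_LENGTH_IN_SECONDS}, and
     * records that value for later assertions.
     *
     * @param samlObject the intercepted SAML document; asserted to be a successful response
     * @return the same object, unchanged
     */
    private SAML2Object expectServerSessionNotOnOrAfter(SAML2Object samlObject) {
        Assert.assertThat(samlObject, Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
        AuthnStatementType authnStatement = ((ResponseType) samlObject).getAssertions().get(0)
                .getAssertion().getStatements().stream()
                .filter(AuthnStatementType.class::isInstance)
                .map(AuthnStatementType.class::cast)
                .findFirst()
                .orElseThrow(() -> new RuntimeException("SamlReponse doesn't contain AuthStatement"));

        Assert.assertThat(authnStatement.getSessionNotOnOrAfter(), org.hamcrest.Matchers.notNullValue());
        XMLGregorianCalendar expected =
                XMLTimeUtil.add(authnStatement.getAuthnInstant(), SESSION_LENGTH_IN_SECONDS * 1000L);
        Assert.assertThat(authnStatement.getSessionNotOnOrAfter(), org.hamcrest.Matchers.is(expected));
        this.sessionNotOnOrAfter.set(expected.toString());
        return samlObject;
    }

    /** Puts the adapter and server clocks back to real time. */
    private void resetTimeOffset() {
        setAdapterAndServerTimeOffset(0, this.employee2ServletPage.toString());
    }

    /**
     * Inside the {@code SessionNotOnOrAfter} window the servlet still serves the principal. Once
     * the window has passed, the adapter issues a new {@code AuthnRequest} and the user ends up
     * signed in again without seeing the login form.
     */
    @Test
    public void employee2TestSAMLRefreshingSession() {
        this.sessionNotOnOrAfter.set(null);
        try {
            beginAuthenticationAndLogin(this.employee2ServletPage, SamlClient.Binding.POST)
                    .processSamlResponse(SamlClient.Binding.POST)
                        .transformObject(this::addSessionNotOnOrAfter)
                        .build()
                    // 100 s is still below the 120 s SessionNotOnOrAfter window.
                    .addStep(() -> setAdapterAndServerTimeOffset(100, this.employee2ServletPage.toString()))
                    .navigateTo(this.employee2ServletPage.buildUri())
                    .assertResponse(response -> Assert.assertThat(response, Matchers.bodyHC(org.hamcrest.Matchers.allOf(
                            org.hamcrest.Matchers.containsString("principal=bburke"),
                            org.hamcrest.Matchers.containsString("SessionNotOnOrAfter: " + this.sessionNotOnOrAfter.get())))))
                    // Exactly at the boundary: the adapter must ask the IdP again.
                    .addStep(() -> setAdapterAndServerTimeOffset(SESSION_LENGTH_IN_SECONDS, this.employee2ServletPage.toString()))
                    .navigateTo(this.employee2ServletPage.buildUri())
                    .processSamlResponse(SamlClient.Binding.POST)
                        .transformObject(this::expectAuthnRequest)
                        .build()
                    .followOneRedirect()
                    .processSamlResponse(SamlClient.Binding.POST)
                        .build()
                    .assertResponse(Matchers.bodyHC(org.hamcrest.Matchers.containsString("principal=bburke")))
                    .execute();
        } finally {
            resetTimeOffset();
        }
    }

    /**
     * After {@link #KEYCLOAK_SESSION_TIMEOUT} seconds the adapter issues a new
     * {@code AuthnRequest} and the server answers with the login form instead of a silent
     * re-authentication.
     */
    @Test
    public void employee2TestSAMLSessionTimeoutOnBothSides() {
        this.sessionNotOnOrAfter.set(null);
        try {
            beginAuthenticationAndLogin(this.employee2ServletPage, SamlClient.Binding.POST)
                    .processSamlResponse(SamlClient.Binding.POST)
                        .transformObject(this::addSessionNotOnOrAfter)
                        .build()
                    .navigateTo(this.employee2ServletPage.buildUri())
                    .assertResponse(response -> Assert.assertThat(response, Matchers.bodyHC(org.hamcrest.Matchers.allOf(
                            org.hamcrest.Matchers.containsString("principal=bburke"),
                            org.hamcrest.Matchers.containsString("SessionNotOnOrAfter: " + this.sessionNotOnOrAfter.get())))))
                    .addStep(() -> setAdapterAndServerTimeOffset(KEYCLOAK_SESSION_TIMEOUT, this.employee2ServletPage.toString()))
                    .navigateTo(this.employee2ServletPage.buildUri())
                    .processSamlResponse(SamlClient.Binding.POST)
                        .transformObject(this::expectAuthnRequest)
                        .build()
                    .followOneRedirect()
                    .assertResponse(Matchers.bodyHC(org.hamcrest.Matchers.containsString("form id=\"kc-form-login\"")))
                    .execute();
        } finally {
            resetTimeOffset();
        }
    }

    /**
     * With the realm's SSO session max lifespan set to {@link #SESSION_LENGTH_IN_SECONDS}, the
     * server itself must emit a matching {@code SessionNotOnOrAfter}, and the session must be gone
     * on both sides after {@link #KEYCLOAK_SESSION_TIMEOUT} seconds.
     *
     * @throws Exception if restoring the realm attribute fails
     */
    @Test
    public void testKeycloakReturnsSessionNotOnOrAfter() throws Exception {
        this.sessionNotOnOrAfter.set(null);
        // try-with-resources restores the realm setting even when an assertion fails, and keeps
        // the original failure as the primary exception if close() throws as well.
        try (ServerResourceUpdater realmUpdater = new RealmAttributeUpdater(this.adminClient.realm(AbstractSamlTest.REALM_NAME))
                .updateWith(realm -> realm.setSsoSessionMaxLifespan(SESSION_LENGTH_IN_SECONDS))
                .update()) {
            try {
                beginAuthenticationAndLogin(this.employee2ServletPage, SamlClient.Binding.POST)
                        .processSamlResponse(SamlClient.Binding.POST)
                            .transformObject(this::expectServerSessionNotOnOrAfter)
                            .build()
                        .navigateTo(this.employee2ServletPage.buildUri())
                        .assertResponse(response -> Assert.assertThat(response, Matchers.bodyHC(org.hamcrest.Matchers.allOf(
                                org.hamcrest.Matchers.containsString("principal=bburke"),
                                org.hamcrest.Matchers.containsString("SessionNotOnOrAfter: " + this.sessionNotOnOrAfter.get())))))
                        .addStep(() -> setAdapterAndServerTimeOffset(KEYCLOAK_SESSION_TIMEOUT, this.employee2ServletPage.toString()))
                        .navigateTo(this.employee2ServletPage.buildUri())
                        .processSamlResponse(SamlClient.Binding.POST)
                            .transformObject(this::expectAuthnRequest)
                            .build()
                        .followOneRedirect()
                        .assertResponse(Matchers.bodyHC(org.hamcrest.Matchers.containsString("form id=\"kc-form-login\"")))
                        .execute();
            } finally {
                resetTimeOffset();
            }
        }
    }
}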
