package org.keycloak.testsuite.oidc;

import com.fasterxml.jackson.databind.node.ObjectNode;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.util.List;
import java.util.Map;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.Invocation;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.jboss.resteasy.client.jaxrs.ResteasyClient;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.jose.jwk.JSONWebKeySet;
import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
import org.keycloak.protocol.oidc.representations.MTLSEndpointAliases;
import org.keycloak.protocol.oidc.representations.OIDCConfigurationRepresentation;
import org.keycloak.representations.IDToken;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.services.clientregistration.ClientRegistrationService;
import org.keycloak.services.resources.RealmsResource;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.AbstractAdminTest;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.util.AdminClientUtil;
import org.keycloak.testsuite.util.ClientManager;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.TokenSignatureUtil;
import org.keycloak.util.JsonSerialization;

/* loaded from: input_file:org/keycloak/testsuite/oidc/OIDCWellKnownProviderTest.class */
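/**
 * Exercises the OpenID Connect discovery document ({@code .well-known/openid-configuration})
 * of the {@code test} realm: endpoint URLs, advertised signing/encryption algorithms and
 * client authentication methods, the cache headers on the document, CORS handling, the
 * published JWKS, and the customizations installed by the testsuite's well-known provider.
 */
public class OIDCWellKnownProviderTest extends AbstractKeycloakTest {

    /** Realm whose discovery document is fetched by every test in this class. */
    private static final String TEST_REALM = "test";

    /** Well-known provider id used in the discovery URL. */
    private static final String OPENID_CONFIGURATION = "openid-configuration";

    /** Server-side system property that toggles {@code scopes_supported} in the discovery document. */
    private static final String INCLUDE_CLIENT_SCOPES_PROPERTY = "oidc.wellknown.include.client.scopes";

    /** Asymmetric JWS algorithms the server advertises (no HMAC variants). */
    private static final String[] ASYMMETRIC_SIGNING_ALGS = {
            "PS256", "PS384", "PS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512"};

    /** All JWS algorithms the server advertises for signed tokens and assertions. */
    private static final String[] ALL_SIGNING_ALGS = {
            "PS256", "PS384", "PS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512",
            "HS256", "HS384", "HS512"};

    /**
     * Same as {@link #ALL_SIGNING_ALGS} plus {@code none}; only advertised where an unsigned
     * payload is acceptable (userinfo, request objects), never for ID token signing.
     */
    private static final String[] ALL_SIGNING_ALGS_OR_NONE = {
            "none", "PS256", "PS384", "PS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512",
            "HS256", "HS384", "HS512"};

    /** JWE key-management algorithms advertised for encrypted ID tokens, request objects and responses. */
    private static final String[] ENCRYPTION_ALGS = {"RSA1_5", "RSA-OAEP", "RSA-OAEP-256"};

    /** JWE content-encryption algorithms advertised alongside {@link #ENCRYPTION_ALGS}. */
    private static final String[] ENCRYPTION_ENCS = {
            "A128CBC-HS256", "A128GCM", "A192CBC-HS384", "A192GCM", "A256CBC-HS512", "A256GCM"};

    /** Client authentication methods advertised for the token and revocation endpoints. */
    private static final String[] CLIENT_AUTH_METHODS = {
            "client_secret_basic", "client_secret_post", "private_key_jwt", "client_secret_jwt", "tls_client_auth"};

    /** HTTP client used by {@link SimpleHttp}; created per test in {@link #before()} and closed in {@link #after()}. */
    private CloseableHttpClient client;

    @Before
    public void before() {
        this.client = HttpClientBuilder.create().build();
    }

    /**
     * Closes the per-test HTTP client.
     *
     * @throws UncheckedIOException if the client cannot be closed
     */
    @After
    public void after() {
        try {
            this.client.close();
        } catch (IOException e) {
            throw new UncheckedIOException("Failed to close HTTP client", e);
        }
    }

    /**
     * Imports the {@code test} realm from {@code /testrealm.json} on the classpath.
     *
     * @param list realms to be created before the tests run; the imported realm is appended
     */
    @Override
    public void addTestRealms(List<RealmRepresentation> list) {
        RealmRepresentation realm = (RealmRepresentation) AbstractAdminTest.loadJson(
                getClass().getResourceAsStream("/testrealm.json"), RealmRepresentation.class);
        list.add(realm);
    }

    /**
     * Enables direct access grants on the default test client and points the OAuth helper at it.
     * JUnit 4 does not order multiple {@code @Before} methods; this one does not depend on {@link #before()}.
     */
    @Before
    public void clientConfiguration() {
        ClientManager.realm(this.adminClient.realm(TEST_REALM))
                .clientId(AssertEvents.DEFAULT_CLIENT_ID)
                .directAccessGrant(true);
        this.oauth.clientId(AssertEvents.DEFAULT_CLIENT_ID);
    }

    /** Checks every field of the discovery document served for the test realm over the configured auth-server root. */
    @Test
    public void testDiscovery() {
        ResteasyClient resteasyClient = AdminClientUtil.createResteasyClient();
        try {
            OIDCConfigurationRepresentation config = getOIDCDiscoveryRepresentation(resteasyClient, OAuthClient.AUTH_SERVER_ROOT);
            UriBuilder root = UriBuilder.fromUri(OAuthClient.AUTH_SERVER_ROOT);

            // Core endpoints.
            Assert.assertEquals(config.getAuthorizationEndpoint(),
                    OIDCLoginProtocolService.authUrl(root).build(TEST_REALM).toString());
            Assert.assertEquals(config.getTokenEndpoint(), this.oauth.getAccessTokenUrl());
            Assert.assertEquals(config.getUserinfoEndpoint(),
                    OIDCLoginProtocolService.userInfoUrl(UriBuilder.fromUri(OAuthClient.AUTH_SERVER_ROOT)).build(TEST_REALM).toString());
            Assert.assertEquals(config.getJwksUri(), this.oauth.getCertsUrl(TEST_REALM));
            Assert.assertEquals(config.getRegistrationEndpoint(),
                    UriBuilder.fromUri(OAuthClient.AUTH_SERVER_ROOT)
                            .path(RealmsResource.class)
                            .path(RealmsResource.class, "getClientsService")
                            .path(ClientRegistrationService.class, "provider")
                            .build(TEST_REALM, "openid-connect").toString());

            // Supported flows.
            assertContains(config.getResponseTypesSupported(),
                    "code", "id_token", "id_token token", "code id_token", "code token", "code id_token token");
            assertContains(config.getGrantTypesSupported(),
                    "authorization_code", "implicit", "urn:ietf:params:oauth:grant-type:device_code");
            assertContains(config.getResponseModesSupported(),
                    "query", "fragment", "form_post", "jwt", "query.jwt", "fragment.jwt", "form_post.jwt");
            org.keycloak.testsuite.Assert.assertNames(config.getSubjectTypesSupported(), "pairwise", "public");

            // Signing algorithms. ID token signing must not advertise "none"; userinfo and request
            // objects may, since an unsigned payload is acceptable there.
            org.keycloak.testsuite.Assert.assertNames(config.getIdTokenSigningAlgValuesSupported(), ALL_SIGNING_ALGS);
            org.keycloak.testsuite.Assert.assertNames(config.getUserInfoSigningAlgValuesSupported(), ALL_SIGNING_ALGS_OR_NONE);
            org.keycloak.testsuite.Assert.assertNames(config.getRequestObjectSigningAlgValuesSupported(), ALL_SIGNING_ALGS_OR_NONE);
            org.keycloak.testsuite.Assert.assertNames(config.getAuthorizationSigningAlgValuesSupported(), ALL_SIGNING_ALGS);

            // Encryption algorithms.
            org.keycloak.testsuite.Assert.assertNames(config.getRequestObjectEncryptionAlgValuesSupported(), ENCRYPTION_ALGS);
            org.keycloak.testsuite.Assert.assertNames(config.getRequestObjectEncryptionEncValuesSupported(), ENCRYPTION_ENCS);
            org.keycloak.testsuite.Assert.assertNames(config.getIdTokenEncryptionAlgValuesSupported(), ENCRYPTION_ALGS);
            org.keycloak.testsuite.Assert.assertNames(config.getIdTokenEncryptionEncValuesSupported(), ENCRYPTION_ENCS);
            org.keycloak.testsuite.Assert.assertNames(config.getAuthorizationEncryptionAlgValuesSupported(), ENCRYPTION_ALGS);
            org.keycloak.testsuite.Assert.assertNames(config.getAuthorizationEncryptionEncValuesSupported(), ENCRYPTION_ENCS);

            // Client authentication at the token endpoint.
            org.keycloak.testsuite.Assert.assertNames(config.getTokenEndpointAuthMethodsSupported(), CLIENT_AUTH_METHODS);
            org.keycloak.testsuite.Assert.assertNames(config.getTokenEndpointAuthSigningAlgValuesSupported(), ALL_SIGNING_ALGS);
            org.keycloak.testsuite.Assert.assertNames(config.getIntrospectionEndpointAuthSigningAlgValuesSupported(), ALL_SIGNING_ALGS);

            // Claims and request parameters.
            assertContains(config.getClaimsSupported(), "name", "email", "preferred_username", "family_name", "acr");
            org.keycloak.testsuite.Assert.assertNames(config.getClaimTypesSupported(), "normal");
            org.keycloak.testsuite.Assert.assertTrue(config.getClaimsParameterSupported().booleanValue());
            assertScopesSupportedMatchesWithRealm(config);
            org.keycloak.testsuite.Assert.assertTrue(config.getRequestParameterSupported().booleanValue());
            org.keycloak.testsuite.Assert.assertTrue(config.getRequestUriParameterSupported().booleanValue());
            org.keycloak.testsuite.Assert.assertTrue(config.getRequireRequestUriRegistration().booleanValue());
            org.keycloak.testsuite.Assert.assertNames(config.getCodeChallengeMethodsSupported(), "plain", "S256");

            // Mutual-TLS: certificate-bound tokens and endpoint aliases (RFC 8705).
            org.keycloak.testsuite.Assert.assertTrue(config.getTlsClientCertificateBoundAccessTokens().booleanValue());
            MTLSEndpointAliases mtlsEndpointAliases = config.getMtlsEndpointAliases();
            org.keycloak.testsuite.Assert.assertEquals(config.getTokenEndpoint(), mtlsEndpointAliases.getTokenEndpoint());
            org.keycloak.testsuite.Assert.assertEquals(config.getRevocationEndpoint(), mtlsEndpointAliases.getRevocationEndpoint());

            // CIBA.
            Assert.assertEquals(config.getBackchannelAuthenticationEndpoint(), this.oauth.getBackchannelAuthenticationUrl());
            assertContains(config.getGrantTypesSupported(), "urn:openid:params:grant-type:ciba");
            org.keycloak.testsuite.Assert.assertNames(config.getBackchannelTokenDeliveryModesSupported(), "poll", "ping");
            org.keycloak.testsuite.Assert.assertNames(config.getBackchannelAuthenticationRequestSigningAlgValuesSupported(), ASYMMETRIC_SIGNING_ALGS);

            // Back-channel logout.
            org.keycloak.testsuite.Assert.assertTrue(config.getBackchannelLogoutSupported().booleanValue());
            org.keycloak.testsuite.Assert.assertTrue(config.getBackchannelLogoutSessionSupported().booleanValue());

            // Token revocation.
            Assert.assertEquals(config.getRevocationEndpoint(), this.oauth.getTokenRevocationUrl());
            org.keycloak.testsuite.Assert.assertNames(config.getRevocationEndpointAuthMethodsSupported(), CLIENT_AUTH_METHODS);
            org.keycloak.testsuite.Assert.assertNames(config.getRevocationEndpointAuthSigningAlgValuesSupported(), ALL_SIGNING_ALGS);

            // Device authorization and PAR.
            Assert.assertEquals(config.getDeviceAuthorizationEndpoint(), this.oauth.getDeviceAuthorizationUrl());
            Assert.assertEquals(this.oauth.getParEndpointUrl(), config.getPushedAuthorizationRequestEndpoint());
            Assert.assertEquals(Boolean.FALSE, config.getRequirePushedAuthorizationRequests());
        } finally {
            resteasyClient.close();
        }
    }

    /** Fetches the discovery document over a plain-http base URL and checks the revocation/JWKS fields are populated. */
    @Test
    public void testHttpDiscovery() {
        ResteasyClient resteasyClient = AdminClientUtil.createResteasyClient();
        try {
            OIDCConfigurationRepresentation config = getOIDCDiscoveryRepresentation(resteasyClient, "http://localhost:8180/auth");
            org.keycloak.testsuite.Assert.assertNotNull(config.getJwksUri());
            org.keycloak.testsuite.Assert.assertNotNull(config.getRevocationEndpoint());
            org.keycloak.testsuite.Assert.assertNotNull(config.getRevocationEndpointAuthMethodsSupported());
            org.keycloak.testsuite.Assert.assertNotNull(config.getRevocationEndpointAuthSigningAlgValuesSupported());
        } finally {
            resteasyClient.close();
        }
    }

    /**
     * The {@code iss} claim of an issued ID token must equal the {@code issuer} advertised in the
     * discovery document, otherwise relying parties validating against discovery would reject it.
     */
    @Test
    public void testIssuerMatches() throws Exception {
        String code = this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password").getCode();
        OAuthClient.AccessTokenResponse tokenResponse = this.oauth.doAccessTokenRequest(code, "password");
        Assert.assertEquals(200L, tokenResponse.getStatusCode());
        IDToken idToken = this.oauth.verifyIDToken(tokenResponse.getIdToken());

        ResteasyClient resteasyClient = AdminClientUtil.createResteasyClient();
        try {
            String advertisedIssuer = getOIDCDiscoveryRepresentation(resteasyClient, OAuthClient.AUTH_SERVER_ROOT).getIssuer();
            Assert.assertEquals(idToken.getIssuer(), advertisedIssuer);
        } finally {
            resteasyClient.close();
        }
    }

    /**
     * The discovery document is public metadata, so the server reflects the request's {@code Origin}
     * in {@code Access-Control-Allow-Origin}. Both the client and the response are closed here; the
     * earlier version of this test leaked them.
     */
    @Test
    public void corsTest() {
        ResteasyClient resteasyClient = AdminClientUtil.createResteasyClient();
        try {
            Invocation.Builder request = resteasyClient.target(wellKnownUrl(OAuthClient.AUTH_SERVER_ROOT)).request();
            request.header("Origin", "http://somehost");
            Response response = request.get();
            try {
                Assert.assertEquals("http://somehost", response.getHeaders().getFirst("Access-Control-Allow-Origin"));
            } finally {
                response.close();
            }
        } finally {
            resteasyClient.close();
        }
    }

    /**
     * After registering an additional ES256 key provider, the JWKS referenced by {@code jwks_uri}
     * must publish two keys.
     *
     * @throws IOException if either HTTP call fails
     */
    @Test
    public void certs() throws IOException {
        TokenSignatureUtil.registerKeyProvider("ES256", this.adminClient, this.testContext);

        String discoveryUrl = getAuthServerRoot().toString() + "realms/test/.well-known/openid-configuration";
        OIDCConfigurationRepresentation config = SimpleHttp.doGet(discoveryUrl, this.client)
                .asJson(OIDCConfigurationRepresentation.class);
        JSONWebKeySet jwks = SimpleHttp.doGet(config.getJwksUri(), this.client).asJson(JSONWebKeySet.class);

        Assert.assertEquals(2L, jwks.getKeys().length);
    }

    /**
     * The raw JSON field {@code introspection_endpoint} must round-trip into
     * {@link OIDCConfigurationRepresentation#getIntrospectionEndpoint()}.
     *
     * @throws IOException if the raw document cannot be parsed
     */
    @Test
    public void testIntrospectionEndpointClaim() throws IOException {
        ResteasyClient resteasyClient = AdminClientUtil.createResteasyClient();
        try {
            ObjectNode rawConfig = JsonSerialization.readValue(
                    getOIDCDiscoveryConfiguration(resteasyClient, OAuthClient.AUTH_SERVER_ROOT), ObjectNode.class);
            String rawIntrospectionEndpoint = rawConfig.get("introspection_endpoint").asText();
            String typedIntrospectionEndpoint = getOIDCDiscoveryRepresentation(resteasyClient, OAuthClient.AUTH_SERVER_ROOT)
                    .getIntrospectionEndpoint();
            Assert.assertEquals(rawIntrospectionEndpoint, typedIntrospectionEndpoint);
        } finally {
            resteasyClient.close();
        }
    }

    /**
     * Checks the customizations made by the testsuite's own well-known provider (placeholder mTLS
     * registration alias, extra top-level and nested claims, an extra introspection auth method),
     * then verifies that {@code scopes_supported} disappears when the server-side property
     * {@value #INCLUDE_CLIENT_SCOPES_PROPERTY} is set to {@code false}. The property is always reset
     * afterwards so later tests see the default document.
     *
     * @throws IOException if a discovery document cannot be parsed
     */
    @Test
    @AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
    public void testDefaultProviderCustomizations() throws IOException {
        ResteasyClient resteasyClient = AdminClientUtil.createResteasyClient();
        try {
            OIDCConfigurationRepresentation config = getOIDCDiscoveryRepresentation(resteasyClient, OAuthClient.AUTH_SERVER_ROOT);
            org.keycloak.testsuite.Assert.assertEquals("https://placeholder-host-set-by-testsuite-provider/registration",
                    config.getMtlsEndpointAliases().getRegistrationEndpoint());
            org.keycloak.testsuite.Assert.assertEquals("bar", config.getOtherClaims().get("foo"));
            org.keycloak.testsuite.Assert.assertEquals("some-new-property-value", config.getOtherClaims().get("some-new-property"));
            Map<?, ?> compound = (Map<?, ?>) config.getOtherClaims().get("some-new-property-compound");
            org.keycloak.testsuite.Assert.assertEquals("nested-value", compound.get("nested1"));
            org.keycloak.testsuite.Assert.assertNames(config.getIntrospectionEndpointAuthMethodsSupported(),
                    "private_key_jwt", "client_secret_jwt", "tls_client_auth", "custom_nonexisting_authenticator");
            assertScopesSupportedMatchesWithRealm(config);

            getTestingClient().testing().setSystemPropertyOnServer(INCLUDE_CLIENT_SCOPES_PROPERTY, "false");
            org.keycloak.testsuite.Assert.assertNull(
                    getOIDCDiscoveryRepresentation(resteasyClient, OAuthClient.AUTH_SERVER_ROOT).getScopesSupported());
        } finally {
            // Reset unconditionally so a failing assertion cannot leave the server in the modified state.
            getTestingClient().testing().setSystemPropertyOnServer(INCLUDE_CLIENT_SCOPES_PROPERTY, (String) null);
            resteasyClient.close();
        }
    }

    /** Asserts that {@code scopes_supported} lists exactly the client scopes defined in the imported test realm. */
    private void assertScopesSupportedMatchesWithRealm(OIDCConfigurationRepresentation oIDCConfigurationRepresentation) {
        org.keycloak.testsuite.Assert.assertNames(oIDCConfigurationRepresentation.getScopesSupported(),
                "openid", "offline_access", "profile", "email", "phone", "address", "roles", "web-origins", "microprofile-jwt");
    }

    /**
     * Fetches and parses the discovery document of the test realm.
     *
     * @param client JAX-RS client used for the request
     * @param str    auth-server base URL
     * @return the parsed document
     * @throws RuntimeException if the body is not valid discovery JSON
     */
    private OIDCConfigurationRepresentation getOIDCDiscoveryRepresentation(Client client, String str) {
        try {
            return JsonSerialization.readValue(getOIDCDiscoveryConfiguration(client, str), OIDCConfigurationRepresentation.class);
        } catch (IOException e) {
            throw new RuntimeException("Failed to parse OIDC configuration", e);
        }
    }

    /**
     * Fetches the raw discovery document of the test realm. Every fetch asserts a 200 status and the
     * {@code Cache-Control} header with {@code no-store}, so each test also verifies that the document
     * is served non-cacheable.
     *
     * @param client JAX-RS client used for the request
     * @param str    auth-server base URL
     * @return the response body as a string
     */
    private String getOIDCDiscoveryConfiguration(Client client, String str) {
        Response response = client.target(wellKnownUrl(str)).request().get();
        try {
            // Fail on the status first; parsing an error body as discovery JSON gives a misleading failure.
            Assert.assertEquals(200L, response.getStatus());
            Assert.assertEquals("no-cache, must-revalidate, no-transform, no-store", response.getHeaders().getFirst("Cache-Control"));
            return response.readEntity(String.class);
        } finally {
            response.close();
        }
    }

    /**
     * Builds the {@code openid-configuration} well-known URL of the test realm.
     *
     * @param authServerRoot auth-server base URL
     * @return the absolute discovery URL
     */
    private static String wellKnownUrl(String authServerRoot) {
        return RealmsResource.wellKnownProviderUrl(UriBuilder.fromUri(authServerRoot))
                .build(TEST_REALM, OPENID_CONFIGURATION)
                .toString();
    }

    /**
     * Asserts that every expected value is present in {@code list}, naming the missing value on failure.
     *
     * @param list   actual values; must not be null
     * @param strArr values that must each be contained in {@code list}
     */
    private void assertContains(List<String> list, String... strArr) {
        Assert.assertNotNull("expected a list of values but got null", list);
        for (String expected : strArr) {
            Assert.assertTrue("expected '" + expected + "' in " + list, list.contains(expected));
        }
    }
}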
