package org.keycloak.testsuite.client;

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Collections;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import javax.ws.rs.core.UriBuilder;
import org.apache.http.NameValuePair;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.message.BasicNameValuePair;
import org.junit.Before;
import org.junit.Test;
import org.keycloak.adapters.authentication.JWTClientCredentialsProvider;
import org.keycloak.client.registration.Auth;
import org.keycloak.common.util.KeycloakUriBuilder;
import org.keycloak.jose.jwk.JSONWebKeySet;
import org.keycloak.jose.jwk.JWK;
import org.keycloak.jose.jwk.JWKBuilder;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.keys.PublicKeyStorageUtils;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.representations.idm.ClientInitialAccessCreatePresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.oidc.OIDCClientRepresentation;
import org.keycloak.testsuite.Assert;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.client.resources.TestApplicationResourceUrls;
import org.keycloak.testsuite.client.resources.TestOIDCEndpointsApplicationResource;
import org.keycloak.testsuite.util.OAuthClient;

@AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
/* loaded from: input_file:org/keycloak/testsuite/client/OIDCJwksClientRegistrationTest.class */
public class OIDCJwksClientRegistrationTest extends AbstractClientRegistrationTest {
    private static final String PRIVATE_KEY = "MIICXAIBAAKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQABAoGAfmO8gVhyBxdqlxmIuglbz8bcjQbhXJLR2EoS8ngTXmN1bo2L90M0mUKSdc7qF10LgETBzqL8jYlQIbt+e6TH8fcEpKCjUlyq0Mf/vVbfZSNaVycY13nTzo27iPyWQHK5NLuJzn1xvxxrUeXI6A2WFpGEBLbHjwpx5WQG9A+2scECQQDvdn9NE75HPTVPxBqsEd2z10TKkl9CZxu10Qby3iQQmWLEJ9LNmy3acvKrE3gMiYNWb6xHPKiIqOR1as7L24aTAkEAtyvQOlCvr5kAjVqrEKXalj0Tzewjweuxc0pskvArTI2Oo070h65GpoIKLc9jf+UA69cRtquwP93aZKtW06U8dQJAF2Y44ks/mK5+eyDqik3koCI08qaC8HYq2wVl7G2QkJ6sbAaILtcvD92ToOvyGyeE0flvmDZxMYlvaZnaQ0lcSQJBAKZU6umJi3/xeEbkJqMfeLclD27XGEFoPeNrmdx0q10Azp4NfJAY+Z8KRyQCR2BEG+oNitBOZ+YXF9KCpH3cdmECQHEigJhYg+ykOvr1aiZUMFT72HU0jnmQe2FVekuG+LJUt2Tm7GtMjTFoGpf0JwrVuZN39fOYAlo+nTixgeW7X8Y=";
    private static final String PUBLIC_KEY = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB";
    private static final String KEEP_GENERATED_KID = "KEEP_GENERATED_KID";

    @Override // org.keycloak.testsuite.client.AbstractClientRegistrationTest, org.keycloak.testsuite.AbstractKeycloakTest
    public void addTestRealms(List<RealmRepresentation> list) {
        super.addTestRealms(list);
        list.get(0).setPrivateKey("MIICXAIBAAKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQABAoGAfmO8gVhyBxdqlxmIuglbz8bcjQbhXJLR2EoS8ngTXmN1bo2L90M0mUKSdc7qF10LgETBzqL8jYlQIbt+e6TH8fcEpKCjUlyq0Mf/vVbfZSNaVycY13nTzo27iPyWQHK5NLuJzn1xvxxrUeXI6A2WFpGEBLbHjwpx5WQG9A+2scECQQDvdn9NE75HPTVPxBqsEd2z10TKkl9CZxu10Qby3iQQmWLEJ9LNmy3acvKrE3gMiYNWb6xHPKiIqOR1as7L24aTAkEAtyvQOlCvr5kAjVqrEKXalj0Tzewjweuxc0pskvArTI2Oo070h65GpoIKLc9jf+UA69cRtquwP93aZKtW06U8dQJAF2Y44ks/mK5+eyDqik3koCI08qaC8HYq2wVl7G2QkJ6sbAaILtcvD92ToOvyGyeE0flvmDZxMYlvaZnaQ0lcSQJBAKZU6umJi3/xeEbkJqMfeLclD27XGEFoPeNrmdx0q10Azp4NfJAY+Z8KRyQCR2BEG+oNitBOZ+YXF9KCpH3cdmECQHEigJhYg+ykOvr1aiZUMFT72HU0jnmQe2FVekuG+LJUt2Tm7GtMjTFoGpf0JwrVuZN39fOYAlo+nTixgeW7X8Y=");
        list.get(0).setPublicKey("MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB");
    }

    @Override // org.keycloak.testsuite.client.AbstractClientRegistrationTest
    @Before
    public void before() throws Exception {
        super.before();
        this.reg.auth(Auth.token(this.adminClient.realm("test").clientInitialAccess().create(new ClientInitialAccessCreatePresentation(0, 10))));
    }

    private OIDCClientRepresentation createRep() {
        OIDCClientRepresentation oIDCClientRepresentation = new OIDCClientRepresentation();
        oIDCClientRepresentation.setClientName("RegistrationAccessTokenTest");
        oIDCClientRepresentation.setClientUri(OAuthClient.APP_ROOT);
        oIDCClientRepresentation.setRedirectUris(Collections.singletonList(this.oauth.getRedirectUri()));
        return oIDCClientRepresentation;
    }

    @Test
    public void createClientWithJWKS_generatedKid() throws Exception {
        OIDCClientRepresentation createRep = createRep();
        createRep.setGrantTypes(Collections.singletonList("client_credentials"));
        createRep.setTokenEndpointAuthMethod("private_key_jwt");
        TestOIDCEndpointsApplicationResource oidcClientEndpoints = this.testingClient.testApp().oidcClientEndpoints();
        Map<String, String> generateKeys = oidcClientEndpoints.generateKeys("RS256");
        createRep.setJwks(oidcClientEndpoints.getJwks());
        OIDCClientRepresentation create = this.reg.oidc().create(createRep);
        Assert.assertEquals("private_key_jwt", create.getTokenEndpointAuthMethod());
        Assert.assertNull(create.getClientSecret());
        Assert.assertNull(create.getClientSecretExpiresAt());
        assertAuthenticateClientSuccess(generateKeys, create, KEEP_GENERATED_KID);
    }

    @Test
    public void createClientWithJWKS_nullKid() throws Exception {
        OIDCClientRepresentation createRep = createRep();
        createRep.setGrantTypes(Collections.singletonList("client_credentials"));
        createRep.setTokenEndpointAuthMethod("private_key_jwt");
        TestOIDCEndpointsApplicationResource oidcClientEndpoints = this.testingClient.testApp().oidcClientEndpoints();
        Map<String, String> generateKeys = oidcClientEndpoints.generateKeys("RS256");
        createRep.setJwks(oidcClientEndpoints.getJwks());
        assertAuthenticateClientSuccess(generateKeys, this.reg.oidc().create(createRep), null);
    }

    @Test
    public void createClientWithJWKS_customKid() throws Exception {
        assertAuthenticateClientSuccess(this.testingClient.testApp().oidcClientEndpoints().getKeysAsPem(), createClientWithManuallySetKid("a1"), "a1");
    }

    private OIDCClientRepresentation createClientWithManuallySetKid(String str) throws Exception {
        OIDCClientRepresentation createRep = createRep();
        createRep.setGrantTypes(Collections.singletonList("client_credentials"));
        createRep.setTokenEndpointAuthMethod("private_key_jwt");
        TestOIDCEndpointsApplicationResource oidcClientEndpoints = this.testingClient.testApp().oidcClientEndpoints();
        oidcClientEndpoints.generateKeys("RS256");
        JSONWebKeySet jwks = oidcClientEndpoints.getJwks();
        jwks.getKeys()[0].setKeyId(str);
        createRep.setJwks(jwks);
        return this.reg.oidc().create(createRep);
    }

    @Test
    public void testTwoClientsWithSameKid() throws Exception {
        OIDCClientRepresentation createClientWithManuallySetKid = createClientWithManuallySetKid("a1");
        OIDCClientRepresentation createRep = createRep();
        createRep.setGrantTypes(Collections.singletonList("client_credentials"));
        createRep.setTokenEndpointAuthMethod("private_key_jwt");
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
        keyPairGenerator.initialize(2048);
        PublicKey publicKey = keyPairGenerator.generateKeyPair().getPublic();
        JSONWebKeySet jSONWebKeySet = new JSONWebKeySet();
        jSONWebKeySet.setKeys(new JWK[]{JWKBuilder.create().kid("a1").rs256(publicKey)});
        createRep.setJwks(jSONWebKeySet);
        OIDCClientRepresentation create = this.reg.oidc().create(createRep);
        Map<String, String> keysAsPem = this.testingClient.testApp().oidcClientEndpoints().getKeysAsPem();
        assertAuthenticateClientSuccess(keysAsPem, createClientWithManuallySetKid, "a1");
        Assert.assertTrue(this.testingClient.testing().cache("keys").contains(PublicKeyStorageUtils.getClientModelCacheKey("test", createClientWithManuallySetKid.getClientId())));
        assertAuthenticateClientError(keysAsPem, create, "a1");
    }

    @Test
    public void testPublicKeyCacheInvalidatedWhenUpdatingClient() throws Exception {
        OIDCClientRepresentation createClientWithManuallySetKid = createClientWithManuallySetKid("a1");
        Map<String, String> keysAsPem = this.testingClient.testApp().oidcClientEndpoints().getKeysAsPem();
        assertAuthenticateClientSuccess(keysAsPem, createClientWithManuallySetKid, "a1");
        String clientModelCacheKey = PublicKeyStorageUtils.getClientModelCacheKey("test", createClientWithManuallySetKid.getClientId());
        Assert.assertTrue(this.testingClient.testing().cache("keys").contains(clientModelCacheKey));
        createClientWithManuallySetKid.setJwksUri("http://localhost:4321/non-existent");
        this.reg.auth(Auth.token(createClientWithManuallySetKid.getRegistrationAccessToken())).oidc().update(createClientWithManuallySetKid);
        Assert.assertFalse(this.testingClient.testing().cache("keys").contains(clientModelCacheKey));
        assertAuthenticateClientError(keysAsPem, createClientWithManuallySetKid, "a1");
    }

    @Test
    public void createClientWithJWKSURI() throws Exception {
        OIDCClientRepresentation createRep = createRep();
        createRep.setGrantTypes(Collections.singletonList("client_credentials"));
        createRep.setTokenEndpointAuthMethod("private_key_jwt");
        Map<String, String> generateKeys = this.testingClient.testApp().oidcClientEndpoints().generateKeys("RS256");
        createRep.setJwksUri(TestApplicationResourceUrls.clientJwksUri());
        OIDCClientRepresentation create = this.reg.oidc().create(createRep);
        Assert.assertEquals("private_key_jwt", create.getTokenEndpointAuthMethod());
        Assert.assertNull(create.getClientSecret());
        Assert.assertNull(create.getClientSecretExpiresAt());
        Assert.assertEquals(create.getJwksUri(), TestApplicationResourceUrls.clientJwksUri());
        assertAuthenticateClientSuccess(generateKeys, create, KEEP_GENERATED_KID);
    }

    @Test
    public void createClientWithJWKSURI_rotateClientKeys() throws Exception {
        OIDCClientRepresentation createRep = createRep();
        createRep.setGrantTypes(Collections.singletonList("client_credentials"));
        createRep.setTokenEndpointAuthMethod("private_key_jwt");
        TestOIDCEndpointsApplicationResource oidcClientEndpoints = this.testingClient.testApp().oidcClientEndpoints();
        Map<String, String> generateKeys = oidcClientEndpoints.generateKeys("RS256");
        createRep.setJwksUri(TestApplicationResourceUrls.clientJwksUri());
        OIDCClientRepresentation create = this.reg.oidc().create(createRep);
        Assert.assertEquals("private_key_jwt", create.getTokenEndpointAuthMethod());
        Assert.assertNull(create.getClientSecret());
        Assert.assertNull(create.getClientSecretExpiresAt());
        Assert.assertEquals(create.getJwksUri(), TestApplicationResourceUrls.clientJwksUri());
        assertAuthenticateClientSuccess(generateKeys, create, KEEP_GENERATED_KID);
        Map<String, String> generateKeys2 = oidcClientEndpoints.generateKeys("RS256");
        assertAuthenticateClientError(generateKeys2, create, KEEP_GENERATED_KID);
        setTimeOffset(20);
        assertAuthenticateClientSuccess(generateKeys2, create, KEEP_GENERATED_KID);
    }

    private void assertAuthenticateClientSuccess(Map<String, String> map, OIDCClientRepresentation oIDCClientRepresentation, String str) throws Exception {
        OAuthClient.AccessTokenResponse doClientCredentialsGrantRequest = doClientCredentialsGrantRequest(getClientSignedJWT(oIDCClientRepresentation.getClientId(), getKeyPairFromGeneratedPems(map), str));
        Assert.assertEquals(200L, doClientCredentialsGrantRequest.getStatusCode());
        Assert.assertEquals(oIDCClientRepresentation.getClientId(), this.oauth.verifyToken(doClientCredentialsGrantRequest.getAccessToken()).getIssuedFor());
    }

    private void assertAuthenticateClientError(Map<String, String> map, OIDCClientRepresentation oIDCClientRepresentation, String str) throws Exception {
        OAuthClient.AccessTokenResponse doClientCredentialsGrantRequest = doClientCredentialsGrantRequest(getClientSignedJWT(oIDCClientRepresentation.getClientId(), getKeyPairFromGeneratedPems(map), str));
        Assert.assertEquals(400L, doClientCredentialsGrantRequest.getStatusCode());
        Assert.assertNull(doClientCredentialsGrantRequest.getAccessToken());
        Assert.assertNotNull(doClientCredentialsGrantRequest.getError());
    }

    private KeyPair getKeyPairFromGeneratedPems(Map<String, String> map) {
        String str = map.get("privateKey");
        String str2 = map.get("publicKey");
        return new KeyPair(KeycloakModelUtils.getPublicKey(str2), KeycloakModelUtils.getPrivateKey(str));
    }

    private String getClientSignedJWT(String str, final KeyPair keyPair, final String str2) {
        String uri = KeycloakUriBuilder.fromUri(getAuthServerRoot()).path("/realms/{realm-name}").build(new Object[]{"test"}).toString();
        JWTClientCredentialsProvider jWTClientCredentialsProvider = new JWTClientCredentialsProvider() { // from class: org.keycloak.testsuite.client.OIDCJwksClientRegistrationTest.1
            public String createSignedRequestToken(String str3, String str4) {
                if (OIDCJwksClientRegistrationTest.KEEP_GENERATED_KID.equals(str2)) {
                    return super.createSignedRequestToken(str3, str4);
                }
                return new JWSBuilder().kid(str2).jsonContent(createRequestToken(str3, str4)).rsa256(keyPair.getPrivate());
            }

            protected JsonWebToken createRequestToken(String str3, String str4) {
                JsonWebToken createRequestToken = super.createRequestToken(str3, str4);
                createRequestToken.audience(new String[]{OIDCLoginProtocolService.tokenUrl(UriBuilder.fromUri(OIDCJwksClientRegistrationTest.this.getAuthServerRoot())).build(new Object[]{"test"}).toString()});
                return createRequestToken;
            }
        };
        jWTClientCredentialsProvider.setupKeyPair(keyPair);
        jWTClientCredentialsProvider.setTokenTimeout(10);
        return jWTClientCredentialsProvider.createSignedRequestToken(str, uri);
    }

    private OAuthClient.AccessTokenResponse doClientCredentialsGrantRequest(String str) throws Exception {
        LinkedList linkedList = new LinkedList();
        linkedList.add(new BasicNameValuePair("grant_type", "client_credentials"));
        linkedList.add(new BasicNameValuePair("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"));
        linkedList.add(new BasicNameValuePair("client_assertion", str));
        return new OAuthClient.AccessTokenResponse(sendRequest(this.oauth.getServiceAccountUrl(), linkedList));
    }

    private CloseableHttpResponse sendRequest(String str, List<NameValuePair> list) throws Exception {
        DefaultHttpClient defaultHttpClient = new DefaultHttpClient();
        try {
            HttpPost httpPost = new HttpPost(str);
            httpPost.setEntity(new UrlEncodedFormEntity(list, "UTF-8"));
            CloseableHttpResponse execute = defaultHttpClient.execute(httpPost);
            this.oauth.closeClient(defaultHttpClient);
            return execute;
        } catch (Throwable th) {
            this.oauth.closeClient(defaultHttpClient);
            throw th;
        }
    }
}
