package org.keycloak.testsuite.admin.client.authorization;

import java.io.BufferedInputStream;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.Function;
import java.util.stream.Collectors;
import javax.security.cert.X509Certificate;
import javax.ws.rs.core.Response;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.keycloak.AuthorizationContext;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.AdapterTokenStore;
import org.keycloak.adapters.AuthenticatedActionsHandler;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.OIDCHttpFacade;
import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
import org.keycloak.adapters.authorization.PolicyEnforcer;
import org.keycloak.adapters.spi.AuthenticationError;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.adapters.spi.LogoutError;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.ClientsResource;
import org.keycloak.admin.client.resource.PermissionsResource;
import org.keycloak.admin.client.resource.ResourcesResource;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.common.Profile;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.IDToken;
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.JSPolicyRepresentation;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.RolePolicyRepresentation;
import org.keycloak.representations.idm.authorization.ScopePermissionRepresentation;
import org.keycloak.representations.idm.authorization.ScopeRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.ProfileAssume;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.arquillian.annotation.EnableFeature;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.testsuite.util.RoleBuilder;
import org.keycloak.testsuite.util.RolesBuilder;
import org.keycloak.testsuite.util.UserBuilder;

@AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
@EnableFeature(value = Profile.Feature.UPLOAD_SCRIPTS, skipRestart = true)
/* loaded from: input_file:org/keycloak/testsuite/admin/client/authorization/PolicyEnforcerTest.class */
public class PolicyEnforcerTest extends AbstractKeycloakTest {
    /** clientId of the confidential client whose authorization settings the enforcer tests run against. */
    private static final String RESOURCE_SERVER_CLIENT_ID = "resource-server-test";
    /** Name of the realm built in {@link #addTestRealms(List)} and used for every login in this class. */
    private static final String REALM_NAME = "authz-test";

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/keycloak/testsuite/admin/client/authorization/PolicyEnforcerTest$TestResponse.class */
    /**
     * In-memory {@link HttpFacade.Response} used by the tests to capture what the enforcer
     * writes back: the status code and the response headers. Cookies, the output stream and
     * {@link #end()} are deliberately no-ops.
     */
    public class TestResponse implements HttpFacade.Response {
        // Backing header store; the caller keeps a reference so it can assert on headers afterwards.
        private final Map<String, List<String>> headers;
        private int status;

        /**
         * @param map header store written to by {@link #setHeader(String, String)}; stored as-is, not copied
         */
        public TestResponse(Map<String, List<String>> map) {
            headers = map;
        }

        public void setStatus(int i) {
            status = i;
        }

        public int getStatus() {
            return status;
        }

        public void addHeader(String str, String str2) {
            // Adding and setting behave the same here: a header holds exactly one value.
            setHeader(str, str2);
        }

        public void setHeader(String str, String str2) {
            String[] single = {str2};
            headers.put(str, Arrays.asList(single));
        }

        public Map<String, List<String>> getHeaders() {
            return headers;
        }

        public void resetCookie(String str, String str2) {
            // no-op: cookies are not tracked by this stub
        }

        public void setCookie(String str, String str2, String str3, String str4, int i, boolean z, boolean z2) {
            // no-op: cookies are not tracked by this stub
        }

        public OutputStream getOutputStream() {
            // No body is ever written by the tests; callers must tolerate null.
            return null;
        }

        public void sendError(int i) {
            // Only the status is recorded; no error body or message is kept.
            status = i;
        }

        public void sendError(int i, String str) {
            sendError(i);
        }

        public void end() {
            // no-op
        }
    }

    /** Skips the whole class unless the AUTHORIZATION feature is enabled in the server profile. */
    @BeforeClass
    public static void enabled() {
        Profile.Feature required = Profile.Feature.AUTHORIZATION;
        ProfileAssume.assumeFeatureEnabled(required);
    }

    /**
     * Registers the {@code authz-test} realm: three realm roles, two users ({@code marta} with all
     * roles plus the resource server's {@code uma_protection} client role, {@code kolo} with none),
     * two confidential resource-server clients and one public client used for browser logins.
     */
    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void addTestRealms(List<RealmRepresentation> list) {
        RolesBuilder realmRoles = RolesBuilder.create()
                .realmRole(RoleBuilder.create().name("uma_authorization").build())
                .realmRole(RoleBuilder.create().name("uma_protection").build())
                .realmRole(RoleBuilder.create().name("user").build());

        UserBuilder marta = UserBuilder.create()
                .username("marta")
                .password("password")
                .addRoles("uma_authorization", "uma_protection", "user")
                .role(RESOURCE_SERVER_CLIENT_ID, "uma_protection");
        UserBuilder kolo = UserBuilder.create()
                .username("kolo")
                .password("password");

        ClientBuilder umaResourceServer = ClientBuilder.create()
                .clientId("resource-server-uma-test")
                .secret("secret")
                .authorizationServicesEnabled(true)
                .redirectUris("http://localhost/resource-server-uma-test")
                .defaultRoles("uma_protection")
                .directAccessGrants();
        ClientBuilder resourceServer = ClientBuilder.create()
                .clientId(RESOURCE_SERVER_CLIENT_ID)
                .secret("secret")
                .authorizationServicesEnabled(true)
                .redirectUris("http://localhost/resource-server-test")
                .defaultRoles("uma_protection")
                .directAccessGrants();
        // Public client the tests log in with; it has no secret, so only redirect URIs bind it.
        ClientBuilder publicClient = ClientBuilder.create()
                .clientId("public-client-test")
                .publicClient()
                .redirectUris("http://localhost:8180/auth/realms/master/app/auth/*", "https://localhost:8543/auth/realms/master/app/auth/*")
                .directAccessGrants();

        RealmRepresentation realm = RealmBuilder.create()
                .name(REALM_NAME)
                .roles(realmRoles)
                .user(marta)
                .user(kolo)
                .client(umaResourceServer)
                .client(resourceServer)
                .client(publicClient)
                .build();
        list.add(realm);
    }

    /** Makes sure the shared policies, resources and permissions exist before each test. */
    @Before
    public void onBefore() {
        ClientResource resourceServer = getClientResource(RESOURCE_SERVER_CLIENT_ID);
        initAuthorizationSettings(resourceServer);
    }

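    /**
     * With a bearer-only enforcer an anonymous request to a protected path is denied with 403,
     * a request carrying a valid bearer token for a granted resource passes, and a resource whose
     * permission always denies is refused even without a token.
     */
    @Test
    public void testBearerOnlyClientResponse() {
        PolicyEnforcer policyEnforcer = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-bearer-only.json")).getPolicyEnforcer();

        // Keep a handle on the facade: the status is read back from its TestResponse.
        OIDCHttpFacade anonymousFacade = createHttpFacade("/api/resourcea");
        Assert.assertFalse(policyEnforcer.enforce(anonymousFacade).isGranted());
        Assert.assertEquals(403, ((TestResponse) anonymousFacade.getResponse()).getStatus());

        this.oauth.realm(REALM_NAME);
        this.oauth.clientId("public-client-test");
        this.oauth.doLogin("marta", "password");
        String accessToken = this.oauth.doAccessTokenRequest(this.oauth.getCurrentQuery().get("code"), null).getAccessToken();
        Assert.assertTrue(policyEnforcer.enforce(createHttpFacade("/api/resourcea", accessToken)).isGranted());

        OIDCHttpFacade deniedFacade = createHttpFacade("/api/resourceb");
        Assert.assertFalse(policyEnforcer.enforce(deniedFacade).isGranted());
        Assert.assertEquals(403, ((TestResponse) deniedFacade.getResponse()).getStatus());
    }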

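    /**
     * Paths declared in the adapter configuration take precedence over lazily loaded ones:
     * {@code /api/resourcea} is still protected (403 anonymously, granted with a token) while the
     * configured root path is granted anonymously.
     */
    @Test
    public void testPathConfigurationPrecendenceWhenLazyLoadingPaths() {
        PolicyEnforcer policyEnforcer = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-paths.json")).getPolicyEnforcer();

        // Keep a handle on the facade so the status written to its TestResponse can be checked.
        OIDCHttpFacade anonymousFacade = createHttpFacade("/api/resourcea");
        Assert.assertFalse(policyEnforcer.enforce(anonymousFacade).isGranted());
        Assert.assertEquals(403, ((TestResponse) anonymousFacade.getResponse()).getStatus());

        this.oauth.realm(REALM_NAME);
        this.oauth.clientId("public-client-test");
        this.oauth.doLogin("marta", "password");
        String accessToken = this.oauth.doAccessTokenRequest(this.oauth.getCurrentQuery().get("code"), null).getAccessToken();
        Assert.assertTrue(policyEnforcer.enforce(createHttpFacade("/api/resourcea", accessToken)).isGranted());

        Assert.assertTrue(policyEnforcer.enforce(createHttpFacade("/")).isGranted());
    }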

    /**
     * The claim resolver handed to the facade must be invoked exactly once per request; the
     * resolved value for {@code claim-a} and the literal {@code claim-b} both end up in the
     * permission's claims.
     */
    @Test
    public void testResolvingClaimsOnce() {
        PolicyEnforcer policyEnforcer = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-bearer-only-with-cip.json")).getPolicyEnforcer();
        this.oauth.realm(REALM_NAME);
        this.oauth.clientId("public-client-test");
        this.oauth.doLogin("marta", "password");
        String accessToken = this.oauth.doAccessTokenRequest(this.oauth.getCurrentQuery().get("code"), null).getAccessToken();

        // Flips to true on the first call; a second call fails the compareAndSet and thus the test.
        AtomicBoolean resolved = new AtomicBoolean();
        Function<String, String> resolveOnce = claimName -> {
            Assert.assertTrue(resolved.compareAndSet(false, true));
            return "value-" + claimName;
        };

        AuthorizationContext context = policyEnforcer.enforce(createHttpFacade("/api/resourcea", accessToken, resolveOnce));
        Assert.assertTrue(context.isGranted());

        Map<String, Set<String>> claims = context.getPermissions().get(0).getClaims();
        Assert.assertEquals("value-claim-a", claims.get("claim-a").iterator().next());
        Assert.assertEquals("claim-b", claims.get("claim-b").iterator().next());
    }

    /**
     * A custom claim information point configured in {@code enforcer-bearer-only-with-cip.json}
     * contributes {@code resolved-claim=test} to the granted permission.
     */
    @Test
    public void testCustomClaimProvider() {
        PolicyEnforcer policyEnforcer = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-bearer-only-with-cip.json")).getPolicyEnforcer();
        this.oauth.realm(REALM_NAME);
        this.oauth.clientId("public-client-test");
        this.oauth.doLogin("marta", "password");
        String accessToken = this.oauth.doAccessTokenRequest(this.oauth.getCurrentQuery().get("code"), null).getAccessToken();

        AuthorizationContext context = policyEnforcer.enforce(createHttpFacade("/api/resourcea", accessToken));
        Assert.assertTrue(context.isGranted());

        Map<String, Set<String>> claims = context.getPermissions().get(0).getClaims();
        Set<String> resolvedClaim = claims.get("resolved-claim");
        Assert.assertEquals("test", resolvedClaim.iterator().next());
    }

    /**
     * When {@code on-deny-redirect-to} is configured, an anonymous denial answers 302 with a
     * {@code Location} header pointing at the configured path instead of a bare 403.
     */
    @Test
    public void testOnDenyRedirectTo() {
        PolicyEnforcer policyEnforcer = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-on-deny-redirect.json")).getPolicyEnforcer();
        OIDCHttpFacade facade = createHttpFacade("/api/resourcea");

        boolean granted = policyEnforcer.enforce(facade).isGranted();
        Assert.assertFalse(granted);

        TestResponse response = (TestResponse) facade.getResponse();
        Assert.assertEquals(302, response.getStatus());

        List<String> location = response.getHeaders().getOrDefault("Location", Collections.emptyList());
        Assert.assertFalse(location.isEmpty());
        Assert.assertEquals("/accessDenied", location.get(0));
    }

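    /** An anonymous request to a path that is not mapped anywhere is denied with 403 (deny by default). */
    @Test
    public void testNotAuthenticatedDenyUnmapedPath() {
        PolicyEnforcer policyEnforcer = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-bearer-only.json")).getPolicyEnforcer();
        // Keep a handle on the facade so the status written to its TestResponse can be checked.
        OIDCHttpFacade facade = createHttpFacade("/api/unmmaped");
        Assert.assertFalse(policyEnforcer.enforce(facade).isGranted());
        Assert.assertEquals(403, ((TestResponse) facade.getResponse()).getStatus());
    }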

    /**
     * {@link AuthenticatedActionsHandler} fully handles an anonymous request to a public path
     * (returns {@code true}), but hands a bearer-authenticated request to a protected path on to the
     * application (returns {@code false}).
     */
    @Test
    public void testPublicEndpointNoBearerAbortRequest() {
        KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-bearer-only.json"));

        AuthenticatedActionsHandler publicHandler = new AuthenticatedActionsHandler(deployment, createHttpFacade("/api/public"));
        Assert.assertTrue(publicHandler.handledRequest());

        this.oauth.realm(REALM_NAME);
        this.oauth.clientId("public-client-test");
        this.oauth.doLogin("marta", "password");
        String accessToken = this.oauth.doAccessTokenRequest(this.oauth.getCurrentQuery().get("code"), null).getAccessToken();

        AuthenticatedActionsHandler protectedHandler = new AuthenticatedActionsHandler(deployment, createHttpFacade("/api/resourcea", accessToken));
        Assert.assertFalse(protectedHandler.handledRequest());
    }

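    /**
     * A path mapped with enforcement mode DISABLED is granted with or without a token, while the
     * other mapped paths keep their normal behaviour (403 for the always-denied resource B,
     * granted for resource A with a token).
     */
    @Test
    public void testMappedPathEnforcementModeDisabled() {
        PolicyEnforcer policyEnforcer = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-disabled-enforce-mode-path.json")).getPolicyEnforcer();
        Assert.assertTrue(policyEnforcer.enforce(createHttpFacade("/api/resource/public")).isGranted());

        // Keep a handle on each denied facade so the status written to its TestResponse can be checked.
        OIDCHttpFacade anonymousB = createHttpFacade("/api/resourceb");
        Assert.assertFalse(policyEnforcer.enforce(anonymousB).isGranted());
        Assert.assertEquals(403, ((TestResponse) anonymousB.getResponse()).getStatus());

        this.oauth.realm(REALM_NAME);
        this.oauth.clientId("public-client-test");
        this.oauth.doLogin("marta", "password");
        String accessToken = this.oauth.doAccessTokenRequest(this.oauth.getCurrentQuery().get("code"), null).getAccessToken();

        Assert.assertTrue(policyEnforcer.enforce(createHttpFacade("/api/resourcea", accessToken)).isGranted());

        OIDCHttpFacade authenticatedB = createHttpFacade("/api/resourceb", accessToken);
        Assert.assertFalse(policyEnforcer.enforce(authenticatedB).isGranted());
        Assert.assertEquals(403, ((TestResponse) authenticatedB.getResponse()).getStatus());

        Assert.assertTrue(policyEnforcer.enforce(createHttpFacade("/api/resource/public", accessToken)).isGranted());
    }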

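    /**
     * With enforcement globally DISABLED the enforcer does not evaluate permissions, but an
     * anonymous request still gets 401 written to the response.
     */
    @Test
    public void testEnforcementModeDisabled() {
        PolicyEnforcer policyEnforcer = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-disabled-enforce-mode.json")).getPolicyEnforcer();
        // Keep a handle on the facade so the status written to its TestResponse can be checked.
        OIDCHttpFacade facade = createHttpFacade("/api/resource/public");
        policyEnforcer.enforce(facade);
        Assert.assertEquals(401, ((TestResponse) facade.getResponse()).getStatus());
    }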

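    /**
     * With CORS enabled on the deployment, a preflight {@code OPTIONS} request from an allowed
     * origin gets {@code WWW-Authenticate} exposed through {@code Access-Control-Expose-Headers}.
     */
    @Test
    public void testDefaultWWWAuthenticateCorsHeader() {
        KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-disabled-enforce-mode-path.json"));
        deployment.setCors(true);

        // Typed instead of a raw HashMap; the facade signature expects Map<String, List<String>>.
        // NOTE(review): the facade appears to hand this same map to TestResponse, so the response
        // headers land here as well - the assertion at the end relies on that; confirm in createHttpFacade.
        Map<String, List<String>> headers = new HashMap<>();
        headers.put("Origin", Arrays.asList("http://localhost:8180"));

        this.oauth.realm(REALM_NAME);
        this.oauth.clientId("public-client-test");
        this.oauth.doLogin("marta", "password");
        String accessToken = this.oauth.doAccessTokenRequest(this.oauth.getCurrentQuery().get("code"), null).getAccessToken();

        OIDCHttpFacade preflight = createHttpFacade("http://server/api/resource/public", "OPTIONS", accessToken, headers, Collections.emptyMap(), null, deployment);
        new AuthenticatedActionsHandler(deployment, preflight).handledRequest();

        List<String> exposed = headers.get("Access-Control-Expose-Headers");
        Assert.assertNotNull("Access-Control-Expose-Headers not set", exposed);
        Assert.assertEquals("WWW-Authenticate", exposed.get(0));
    }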

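    /**
     * With {@code http-method-as-scope} enabled, the HTTP verb of a request is matched against the
     * resource's scopes: a resource without a {@code GET} scope is denied, adding scopes grants the
     * matching verbs, and scope-level permissions (granting or denying {@code GET}/{@code POST})
     * are honoured both for the plain access token and for RPTs obtained from the authz client.
     */
    @Test
    public void testMatchHttpVerbsToScopes() {
        ClientResource clientResource = getClientResource(RESOURCE_SERVER_CLIENT_ID);
        ResourceRepresentation resource = createResource(clientResource, "Resource With HTTP Scopes", "/api/resource-with-scope");
        ResourcePermissionRepresentation resourcePermission = new ResourcePermissionRepresentation();
        resourcePermission.setName(resource.getName() + " Permission");
        resourcePermission.addResource(resource.getName());
        resourcePermission.addPolicy("Always Grant Policy");
        PermissionsResource permissions = clientResource.authorization().permissions();
        permissions.resource().create(resourcePermission).close();

        PolicyEnforcer policyEnforcer = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-match-http-verbs-scopes.json")).getPolicyEnforcer();
        this.oauth.realm(REALM_NAME);
        this.oauth.clientId("public-client-test");
        this.oauth.doLogin("marta", "password");
        String accessToken = this.oauth.doAccessTokenRequest(this.oauth.getCurrentQuery().get("code"), null).getAccessToken();

        OIDCHttpFacade getFacade = createHttpFacade("/api/resource-with-scope", accessToken);
        Assert.assertFalse("Should fail because resource does not have any scope named GET", policyEnforcer.enforce(getFacade).isGranted());
        Assert.assertEquals(403, ((TestResponse) getFacade.getResponse()).getStatus());

        // Give the resource the verb scopes; a fresh enforcer is needed to pick up the new resource state.
        resource.addScope("GET", "POST");
        clientResource.authorization().resources().resource(resource.getId()).update(resource);
        PolicyEnforcer policyEnforcer2 = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-match-http-verbs-scopes.json")).getPolicyEnforcer();
        Assert.assertTrue(policyEnforcer2.enforce(getFacade).isGranted());
        Assert.assertTrue(policyEnforcer2.enforce(createHttpFacade("/api/resource-with-scope", accessToken, "POST")).isGranted());

        // A scope that exists on the server but is not attached to the resource does not grant the verb.
        // The create() Response is closed like every other one in this class to avoid leaking the connection.
        clientResource.authorization().scopes().create(new ScopeRepresentation("PATCH")).close();
        Assert.assertFalse(policyEnforcer2.enforce(createHttpFacade("/api/resource-with-scope", accessToken, "PATCH")).isGranted());

        ScopePermissionRepresentation scopePermission = new ScopePermissionRepresentation();
        scopePermission.setName("GET permission");
        scopePermission.addScope("GET");
        scopePermission.addPolicy("Always Deny Policy");
        permissions.scope().create(scopePermission).close();
        Assert.assertFalse(policyEnforcer2.enforce(createHttpFacade("/api/resource-with-scope", accessToken)).isGranted());

        ScopePermissionRepresentation current = updateScopePermission(permissions, scopePermission.getName(), "GET", "Always Grant Policy");
        AuthzClient authzClient = getAuthzClient("default-keycloak.json");
        String token = authzClient.authorization(accessToken).authorize().getToken();
        Assert.assertTrue(policyEnforcer2.enforce(createHttpFacade("/api/resource-with-scope", token)).isGranted());
        Assert.assertTrue(policyEnforcer2.enforce(createHttpFacade("/api/resource-with-scope", token, "POST")).isGranted());

        current = updateScopePermission(permissions, current.getName(), "GET", "Always Deny Policy");
        String token2 = authzClient.authorization(token).authorize().getToken();
        Assert.assertFalse(policyEnforcer2.enforce(createHttpFacade("/api/resource-with-scope", token2)).isGranted());
        Assert.assertTrue(policyEnforcer2.enforce(createHttpFacade("/api/resource-with-scope", token2, "POST")).isGranted());

        current = updateScopePermission(permissions, current.getName(), "GET", "Always Grant Policy");
        String token3 = authzClient.authorization(token2).authorize().getToken();
        Assert.assertTrue(policyEnforcer2.enforce(createHttpFacade("/api/resource-with-scope", token3)).isGranted());
        Assert.assertTrue(policyEnforcer2.enforce(createHttpFacade("/api/resource-with-scope", token3, "POST")).isGranted());

        // Deny POST explicitly, then ask only for GET: the RPT grants GET and nothing else.
        updateScopePermission(permissions, current.getName(), "POST", "Always Deny Policy");
        AuthorizationRequest request = new AuthorizationRequest();
        request.addPermission((String) null, "GET");
        String token4 = authzClient.authorization(token3).authorize(request).getToken();
        Assert.assertTrue(policyEnforcer2.enforce(createHttpFacade("/api/resource-with-scope", token4)).isGranted());
        Assert.assertFalse(policyEnforcer2.enforce(createHttpFacade("/api/resource-with-scope", token4, "POST")).isGranted());
    }

    /**
     * Looks up the scope permission called {@code name}, adds {@code scope} and {@code policy} to it
     * and pushes the update to the server.
     *
     * @return the representation that was sent as the update (the server-side result is not re-read)
     */
    private static ScopePermissionRepresentation updateScopePermission(PermissionsResource permissions, String name, String scope, String policy) {
        ScopePermissionRepresentation permission = permissions.scope().findByName(name);
        permission.addScope(scope);
        permission.addPolicy(policy);
        permissions.scope().findById(permission.getId()).update(permission);
        return permission;
    }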

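    /**
     * A resource protected by the role-based "Only User Policy" is denied anonymously (403) and
     * granted when the bearer token's subject carries the {@code user} role.
     */
    @Test
    public void testUsingSubjectToken() {
        ClientResource clientResource = getClientResource(RESOURCE_SERVER_CLIENT_ID);
        ResourceRepresentation resource = createResource(clientResource, "Resource Subject Token", "/api/check-subject-token");
        ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
        permission.setName(resource.getName() + " Permission");
        permission.addResource(resource.getName());
        permission.addPolicy("Only User Policy");
        clientResource.authorization().permissions().resource().create(permission).close();

        PolicyEnforcer policyEnforcer = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-bearer-only.json")).getPolicyEnforcer();
        // Keep a handle on the facade so the status written to its TestResponse can be checked.
        OIDCHttpFacade anonymousFacade = createHttpFacade("/api/check-subject-token");
        Assert.assertFalse(policyEnforcer.enforce(anonymousFacade).isGranted());
        Assert.assertEquals(403, ((TestResponse) anonymousFacade.getResponse()).getStatus());

        this.oauth.realm(REALM_NAME);
        this.oauth.clientId("public-client-test");
        this.oauth.doLogin("marta", "password");
        String accessToken = this.oauth.doAccessTokenRequest(this.oauth.getCurrentQuery().get("code"), null).getAccessToken();
        Assert.assertTrue(policyEnforcer.enforce(createHttpFacade("/api/check-subject-token", accessToken)).isGranted());
    }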

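    /**
     * A bearer token that was valid when the first request was granted is rejected once its
     * session has been logged out, i.e. the enforcer does not rely on a cached decision.
     */
    @Test
    public void testUsingInvalidToken() {
        ClientResource clientResource = getClientResource(RESOURCE_SERVER_CLIENT_ID);
        ResourceRepresentation resource = createResource(clientResource, "Resource Subject Invalid Token", "/api/check-subject-token");
        ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
        permission.setName(resource.getName() + " Permission");
        permission.addResource(resource.getName());
        permission.addPolicy("Only User Policy");
        clientResource.authorization().permissions().resource().create(permission).close();

        PolicyEnforcer policyEnforcer = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-bearer-only.json")).getPolicyEnforcer();

        this.oauth.realm(REALM_NAME);
        this.oauth.clientId("public-client-test");
        this.oauth.doLogin("marta", "password");
        OAuthClient.AccessTokenResponse tokenResponse = this.oauth.doAccessTokenRequest(this.oauth.getCurrentQuery().get("code"), null);

        // The same facade (same token) is enforced twice; only the server-side session state changes in between.
        OIDCHttpFacade facade = createHttpFacade("/api/check-subject-token", tokenResponse.getAccessToken());
        Assert.assertTrue(policyEnforcer.enforce(facade).isGranted());

        this.oauth.doLogout(tokenResponse.getRefreshToken(), null);
        Assert.assertFalse(policyEnforcer.enforce(facade).isGranted());
    }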

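    /**
     * Without lazy loading every resource (200 created here plus the ones from
     * {@link #initAuthorizationSettings(ClientResource)}) becomes a path at construction time; with
     * lazy loading the path map stays empty and the path cache only grows as requests arrive.
     */
    @Test
    public void testLazyLoadPaths() {
        ClientResource clientResource = getClientResource(RESOURCE_SERVER_CLIENT_ID);
        for (int index = 0; index < 200; index++) {
            ResourceRepresentation resource = new ResourceRepresentation();
            resource.setType("test");
            resource.setName("Resource " + index);
            resource.setUri("/api/" + index);
            Response response = clientResource.authorization().resources().create(resource);
            try {
                resource.setId(response.readEntity(ResourceRepresentation.class).getId());
            } finally {
                // Release the connection even if readEntity fails.
                response.close();
            }
        }

        ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
        permission.setName("Test Permission");
        permission.setResourceType("test");
        permission.addPolicy("Only User Policy");
        clientResource.authorization().permissions().resource().create(permission).close();

        Assert.assertEquals(205, KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-no-lazyload.json")).getPolicyEnforcer().getPaths().size());

        PolicyEnforcer policyEnforcer = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-lazyload.json")).getPolicyEnforcer();
        Assert.assertEquals(0, policyEnforcer.getPathMatcher().getPathCache().size());
        Assert.assertEquals(0, policyEnforcer.getPaths().size());

        this.oauth.realm(REALM_NAME);
        this.oauth.clientId("public-client-test");
        this.oauth.doLogin("marta", "password");
        String accessToken = this.oauth.doAccessTokenRequest(this.oauth.getCurrentQuery().get("code"), null).getAccessToken();

        for (int index = 0; index < 101; index++) {
            policyEnforcer.enforce(createHttpFacade("/api/" + index, accessToken));
        }
        Assert.assertEquals(101, policyEnforcer.getPathMatcher().getPathCache().size());

        for (int index = 101; index < 200; index++) {
            policyEnforcer.enforce(createHttpFacade("/api/" + index, accessToken));
        }
        Assert.assertEquals(200, policyEnforcer.getPathMatcher().getPathCache().size());
        // Lazily resolved paths go to the cache, never to the configured path map.
        Assert.assertEquals(0, policyEnforcer.getPaths().size());

        // Drop the catch-all "Root" resource; the path-configured enforcer must still grant /api/0.
        String rootId = clientResource.authorization().resources().findByName("Root").get(0).getId();
        clientResource.authorization().resources().resource(rootId).remove();
        Assert.assertTrue(KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-lazyload-with-paths.json")).getPolicyEnforcer().enforce(createHttpFacade("/api/0", accessToken)).isGranted());
    }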

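    /**
     * A path configured with a single method entry whose scope enforcement is DISABLED grants
     * {@code GET} on {@code /api-method/foo} but not {@code POST}. The resource created for the
     * test is removed again in a {@code finally} so it does not leak into other tests.
     */
    @Test
    public void testSetMethodConfigs() {
        ClientResource clientResource = getClientResource(RESOURCE_SERVER_CLIENT_ID);
        ResourceRepresentation resource = new ResourceRepresentation();
        resource.setName(KeycloakModelUtils.generateId());
        resource.setUris(Collections.singleton("/api-method/*"));
        ResourcesResource resources = clientResource.authorization().resources();
        Response created = resources.create(resource);
        try {
            resource.setId(created.readEntity(ResourceRepresentation.class).getId());
        } finally {
            created.close();
        }

        try {
            PolicyEnforcer policyEnforcer = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-paths-use-method-config.json")).getPolicyEnforcer();
            this.oauth.realm(REALM_NAME);
            this.oauth.clientId("public-client-test");
            this.oauth.doLogin("marta", "password");
            String accessToken = this.oauth.doAccessTokenRequest(this.oauth.getCurrentQuery().get("code"), null).getAccessToken();
            Assert.assertTrue(policyEnforcer.enforce(createHttpFacade("/api-method/foo", accessToken)).isGranted());

            PolicyEnforcerConfig.PathConfig pathConfig = policyEnforcer.getPaths().get("/api-method/*");
            Assert.assertNotNull(pathConfig);
            List<PolicyEnforcerConfig.MethodConfig> methods = pathConfig.getMethods();
            Assert.assertEquals(1, methods.size());
            Assert.assertEquals(PolicyEnforcerConfig.ScopeEnforcementMode.DISABLED, methods.get(0).getScopesEnforcementMode());

            Assert.assertFalse(policyEnforcer.enforce(createHttpFacade("/api-method/foo", accessToken, "POST")).isGranted());
        } finally {
            // Clean-up runs on success and failure alike (the decompiled catch/rethrow was a finally).
            resources.resource(resource.getId()).remove();
        }
    }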

    /**
     * Idempotently creates the fixtures shared by all tests on the given resource server:
     * "Always Grant Policy" (JS), "Only User Policy" (role {@code user}), "Resource A" with a
     * permission bound to the grant policy; "Always Deny Policy" (JS) and "Resource B" bound to it;
     * and a catch-all "Root" resource on {@code /*}. Each group is skipped when its resource
     * already exists. Uploading JS policy code requires the UPLOAD_SCRIPTS feature enabled on this class.
     */
    private void initAuthorizationSettings(ClientResource clientResource) {
        boolean resourceAMissing = clientResource.authorization().resources().findByName("Resource A").isEmpty();
        if (resourceAMissing) {
            JSPolicyRepresentation grantPolicy = new JSPolicyRepresentation();
            grantPolicy.setName("Always Grant Policy");
            grantPolicy.setCode("$evaluation.grant();");
            clientResource.authorization().policies().js().create(grantPolicy).close();

            RolePolicyRepresentation userPolicy = new RolePolicyRepresentation();
            userPolicy.setName("Only User Policy");
            userPolicy.addRole("user");
            clientResource.authorization().policies().role().create(userPolicy).close();

            createResource(clientResource, "Resource A", "/api/resourcea");
            createResourcePermission(clientResource, "Resource A", grantPolicy.getName());
        }

        boolean resourceBMissing = clientResource.authorization().resources().findByName("Resource B").isEmpty();
        if (resourceBMissing) {
            JSPolicyRepresentation denyPolicy = new JSPolicyRepresentation();
            denyPolicy.setName("Always Deny Policy");
            denyPolicy.setCode("$evaluation.deny();");
            clientResource.authorization().policies().js().create(denyPolicy).close();

            createResource(clientResource, "Resource B", "/api/resourceb");
            createResourcePermission(clientResource, "Resource B", denyPolicy.getName());
        }

        boolean rootMissing = clientResource.authorization().resources().findByName("Root").isEmpty();
        if (rootMissing) {
            createResource(clientResource, "Root", "/*");
        }
    }

    /** Creates "&lt;resourceName&gt; Permission" granting {@code resourceName} through {@code policyName}. */
    private void createResourcePermission(ClientResource clientResource, String resourceName, String policyName) {
        ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
        permission.setName(resourceName + " Permission");
        permission.addResource(resourceName);
        permission.addPolicy(policyName);
        clientResource.authorization().permissions().resource().create(permission).close();
    }

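    /**
     * Loads an adapter configuration from the {@code /authorization-test/} classpath folder,
     * rewritten for the HTTPS test setup by {@code httpsAwareConfigurationStream}.
     *
     * @param str file name inside {@code /authorization-test/}
     * @return stream over the (possibly rewritten) configuration
     * @throws AssertionError if the file is not on the classpath or rewriting fails
     */
    private InputStream getAdapterConfiguration(String str) {
        String path = "/authorization-test/" + str;
        InputStream raw = getClass().getResourceAsStream(path);
        // Fail with the file name instead of an NPE deep inside the rewriting helper.
        if (raw == null) {
            throw new AssertionError("Adapter configuration not found on classpath: " + path);
        }
        try {
            return httpsAwareConfigurationStream(raw);
        } catch (IOException e) {
            throw new AssertionError("Unexpected I/O error while dealing with configuration", e);
        }
    }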

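    /**
     * Creates a resource on the server and returns the local representation with its id filled in.
     *
     * @param clientResource resource server to create the resource on
     * @param str            resource name
     * @param str2           resource URI
     * @param strArr         scope names to attach (may be empty)
     * @return the representation that was sent, with the server-assigned id set
     */
    private ResourceRepresentation createResource(ClientResource clientResource, String str, String str2, String... strArr) {
        ResourceRepresentation resource = new ResourceRepresentation();
        resource.setName(str);
        resource.setUri(str2);
        resource.setScopes(Arrays.stream(strArr).map(ScopeRepresentation::new).collect(Collectors.toSet()));
        Response response = clientResource.authorization().resources().create(resource);
        try {
            resource.setId(response.readEntity(ResourceRepresentation.class).getId());
        } finally {
            // Release the connection even if readEntity fails.
            response.close();
        }
        return resource;
    }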

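    /**
     * Resolves the admin handle of a client by its clientId in {@code REALM_NAME}.
     *
     * @param str the clientId to look up
     * @return the handle of the first client matching {@code str}
     * @throws AssertionError if no client with that clientId exists in the realm
     */
    private ClientResource getClientResource(String str) {
        ClientsResource clients = realmsResouce().realm(REALM_NAME).clients();
        List<ClientRepresentation> found = clients.findByClientId(str);
        if (found.isEmpty()) {
            // Fail with the lookup key rather than an IndexOutOfBoundsException from get(0).
            throw new AssertionError("No client with clientId [" + str + "] in realm [" + REALM_NAME + "]");
        }
        return clients.get(found.get(0).getId());
    }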

    /**
     * Creates a test facade without a custom parameter lookup; the full overload then falls
     * back to looking parameters up in {@code map2}.
     *
     * @param str                request URI
     * @param str2               HTTP method, may be {@code null}
     * @param str3               bearer token string, may be {@code null}
     * @param map                request headers
     * @param map2               request parameters
     * @param inputStream        request body, may be {@code null}
     * @param keycloakDeployment deployment used to build the security context
     * @return the facade
     */
    private OIDCHttpFacade createHttpFacade(String str, String str2, String str3, Map<String, List<String>> map, Map<String, List<String>> map2, InputStream inputStream, KeycloakDeployment keycloakDeployment) {
        Function<String, String> noCustomLookup = null;
        return createHttpFacade(str, str2, str3, map, map2, inputStream, keycloakDeployment, noCustomLookup);
    }

    /**
     * Builds an in-memory {@link OIDCHttpFacade} for driving the policy enforcer in tests.
     * Request and response objects are created lazily on first access; the facade reports an
     * empty client certificate chain.
     *
     * @param str                request URI
     * @param str2               HTTP method, may be {@code null}
     * @param str3               bearer token string; when {@code null} there is no security context
     * @param map                request headers (also handed to the response object)
     * @param map2               request parameters
     * @param inputStream        request body, may be {@code null}
     * @param keycloakDeployment deployment used to build the security context
     * @param function           optional first-parameter lookup, may be {@code null}
     * @return the facade
     */
    private OIDCHttpFacade createHttpFacade(final String str, final String str2, final String str3, final Map<String, List<String>> map, final Map<String, List<String>> map2, final InputStream inputStream, final KeycloakDeployment keycloakDeployment, final Function<String, String> function) {
        return new OIDCHttpFacade() {
            // Lazily built on first access and then reused for the facade's lifetime.
            HttpFacade.Request cachedRequest;
            HttpFacade.Response cachedResponse;

            public KeycloakSecurityContext getSecurityContext() {
                if (str3 == null) {
                    return null;
                }
                AccessToken accessToken;
                try {
                    // Only the JSON payload is decoded here; no signature check is performed at this point.
                    accessToken = new JWSInput(str3).readJsonContent(AccessToken.class);
                } catch (JWSInputException e) {
                    throw new RuntimeException((Throwable) e);
                }
                return new RefreshableKeycloakSecurityContext(keycloakDeployment, (AdapterTokenStore) null, str3, accessToken, (String) null, (IDToken) null, (String) null);
            }

            public HttpFacade.Request getRequest() {
                if (cachedRequest != null) {
                    return cachedRequest;
                }
                cachedRequest = PolicyEnforcerTest.this.createHttpRequest(str, str2, map, map2, inputStream, function);
                return cachedRequest;
            }

            public HttpFacade.Response getResponse() {
                if (cachedResponse != null) {
                    return cachedResponse;
                }
                cachedResponse = PolicyEnforcerTest.this.createHttpResponse(map);
                return cachedResponse;
            }

            public X509Certificate[] getCertificateChain() {
                // Test facade: no client certificate is ever presented.
                return new X509Certificate[0];
            }
        };
    }

    /**
     * Creates a facade for a {@code GET}-style request (method left {@code null}) carrying the
     * given token, with empty headers and parameters, no body and no deployment.
     *
     * @param str  request URI
     * @param str2 bearer token string, may be {@code null}
     * @return the facade
     */
    private OIDCHttpFacade createHttpFacade(String str, String str2) {
        // Mutable maps on purpose: the response side may add headers to them.
        Map<String, List<String>> headers = new HashMap<>();
        Map<String, List<String>> parameters = new HashMap<>();
        return createHttpFacade(str, null, str2, headers, parameters, null, null);
    }

    /**
     * Creates a facade for the given URI, token and HTTP method, with empty headers and
     * parameters, no body and no deployment. Note the argument order: the token comes before
     * the method.
     *
     * @param str  request URI
     * @param str2 bearer token string, may be {@code null}
     * @param str3 HTTP method, may be {@code null}
     * @return the facade
     */
    private OIDCHttpFacade createHttpFacade(String str, String str2, String str3) {
        String method = str3;
        String token = str2;
        return createHttpFacade(str, method, token, new HashMap<>(), new HashMap<>(), null, null);
    }

    /**
     * Creates an anonymous facade: no method, no token, empty headers and parameters, no body
     * and no deployment.
     *
     * @param str request URI
     * @return the facade
     */
    private OIDCHttpFacade createHttpFacade(String str) {
        Map<String, List<String>> headers = new HashMap<>();
        Map<String, List<String>> parameters = new HashMap<>();
        return createHttpFacade(str, null, null, headers, parameters, null, null);
    }

    /**
     * Creates a facade carrying the given token whose request parameters are answered by
     * {@code function} instead of a map; headers are empty, there is no body and no deployment.
     *
     * @param str      request URI
     * @param str2     bearer token string, may be {@code null}
     * @param function first-parameter lookup
     * @return the facade
     */
    private OIDCHttpFacade createHttpFacade(String str, String str2, Function<String, String> function) {
        Map<String, List<String>> headers = new HashMap<>();
        Map<String, List<String>> parameters = new HashMap<>();
        return createHttpFacade(str, null, str2, headers, parameters, null, null, function);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Builds the test-side response facade backed by the given header map.
     *
     * @param map header map shared with the request side
     * @return a {@code TestResponse} over {@code map}
     */
    public HttpFacade.Response createHttpResponse(Map<String, List<String>> map) {
        TestResponse testResponse = new TestResponse(map);
        return testResponse;
    }

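    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Builds a test-side {@link HttpFacade.Request} over plain maps and an optional body.
     * The request always reports itself as secure, has no cookies and a fixed remote address;
     * {@code setError} calls are ignored.
     *
     * @param str         request URI; also returned as the relative path
     * @param str2        HTTP method, {@code "GET"} when {@code null}
     * @param map         request headers (name to values)
     * @param map2        request parameters (name to values); only consulted when {@code function} is {@code null}
     * @param inputStream request body, or {@code null} for an empty body
     * @param function    optional first-parameter lookup that replaces the {@code map2} lookup
     * @return the request facade
     */
    public HttpFacade.Request createHttpRequest(final String str, final String str2, final Map<String, List<String>> map, Map<String, List<String>> map2, final InputStream inputStream, Function<String, String> function) {
        // Default lookup: first value of the parameter in map2, or null when absent.
        final Function<String, String> paramLookup = function != null
                ? function
                : key -> {
                    List<String> values = map2.getOrDefault(key, Collections.emptyList());
                    return values.isEmpty() ? null : values.get(0);
                };
        return new HttpFacade.Request() {
            // Lazily created buffered view over the captured body. Deliberately NOT named
            // "inputStream": a field of an anonymous class shadows an enclosing local of the
            // same name, which would make the null/body checks in getInputStream(boolean) test
            // this (initially null) field instead of the captured parameter, so the body would
            // never be exposed.
            private InputStream bufferedBody;

            public String getMethod() {
                return str2 == null ? "GET" : str2;
            }

            public String getURI() {
                return str;
            }

            public String getRelativePath() {
                return str;
            }

            public boolean isSecure() {
                // Test facade: every request is treated as if it arrived over TLS.
                return true;
            }

            public String getFirstParam(String str4) {
                return paramLookup.apply(str4);
            }

            public String getQueryParamValue(String str4) {
                return getFirstParam(str4);
            }

            public HttpFacade.Cookie getCookie(String str4) {
                return null;
            }

            public String getHeader(String str4) {
                List<String> headers = getHeaders(str4);
                return headers.isEmpty() ? null : headers.get(0);
            }

            public List<String> getHeaders(String str4) {
                return map.getOrDefault(str4, Collections.emptyList());
            }

            public InputStream getInputStream() {
                return getInputStream(false);
            }

            public InputStream getInputStream(boolean z) {
                if (inputStream == null) {
                    return new ByteArrayInputStream(new byte[0]);
                }
                if (bufferedBody != null) {
                    return bufferedBody;
                }
                if (!z) {
                    return inputStream;
                }
                bufferedBody = new BufferedInputStream(inputStream);
                return bufferedBody;
            }

            public String getRemoteAddr() {
                return "user-remote-addr";
            }

            public void setError(AuthenticationError authenticationError) {
                // No-op: the test facade does not record adapter errors.
            }

            public void setError(LogoutError logoutError) {
                // No-op: the test facade does not record adapter errors.
            }
        };
    }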

    /**
     * Creates an {@link AuthzClient} from the named adapter configuration on the test classpath.
     *
     * @param str configuration file name passed to {@code getAdapterConfiguration}
     * @return the client built from that configuration
     */
    protected AuthzClient getAuthzClient(String str) {
        InputStream configuration = getAdapterConfiguration(str);
        return AuthzClient.create(configuration);
    }
}
