package org.keycloak.testsuite.oauth;

import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.URL;
import java.util.List;
import java.util.concurrent.Executor;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.impl.client.BasicCookieStore;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.hamcrest.Matchers;
import org.jboss.arquillian.graphene.page.Page;
import org.junit.Assert;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.AbstractAdminTest;
import org.keycloak.testsuite.pages.ErrorPage;
import org.keycloak.testsuite.pages.LoginPage;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.ClientManager;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.RealmBuilder;

/* loaded from: input_file:org/keycloak/testsuite/oauth/OAuthRedirectUriTest.class */
public class OAuthRedirectUriTest extends AbstractKeycloakTest {

    @Rule
    public AssertEvents events = new AssertEvents(this);

    @Page
    protected ErrorPage errorPage;

    @Page
    protected LoginPage loginPage;
    private HttpServer server;

    /* loaded from: input_file:org/keycloak/testsuite/oauth/OAuthRedirectUriTest$MyHandler.class */
    static class MyHandler implements HttpHandler {
        MyHandler() {
        }

        public void handle(HttpExchange httpExchange) throws IOException {
            httpExchange.sendResponseHeaders(200, "Hello".length());
            OutputStream responseBody = httpExchange.getResponseBody();
            responseBody.write("Hello".getBytes());
            responseBody.close();
        }
    }

    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void beforeAbstractKeycloakTest() throws Exception {
        super.beforeAbstractKeycloakTest();
        this.server = HttpServer.create(new InetSocketAddress(8280), 0);
        this.server.createContext("/", new MyHandler());
        this.server.setExecutor((Executor) null);
        this.server.start();
    }

    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void afterAbstractKeycloakTest() throws Exception {
        super.afterAbstractKeycloakTest();
        this.server.stop(0);
    }

    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void addTestRealms(List<RealmRepresentation> list) {
        RealmBuilder testEventListener = RealmBuilder.edit((RealmRepresentation) AbstractAdminTest.loadJson(getClass().getResourceAsStream("/testrealm.json"), RealmRepresentation.class)).testEventListener();
        testEventListener.client(ClientBuilder.create().clientId("test-installed").name("test-installed").redirectUris("urn:ietf:wg:oauth:2.0:oob", "http://localhost").secret("password"));
        testEventListener.client(ClientBuilder.create().clientId("test-installed2").name("test-installed2").redirectUris("http://localhost/myapp").secret("password"));
        testEventListener.client(ClientBuilder.create().clientId("test-wildcard").name("test-wildcard").redirectUris("http://example.com/foo/*", "http://with-dash.example.local/foo/*", "http://localhost:8280/foo/*").secret("password"));
        testEventListener.client(ClientBuilder.create().clientId("test-dash").name("test-dash").redirectUris("http://with-dash.example.local", "http://with-dash.example.local/foo").secret("password"));
        testEventListener.client(ClientBuilder.create().clientId("test-root-url").name("test-root-url").rootUrl("http://with-dash.example.local").redirectUris("/foo").secret("password"));
        testEventListener.client(ClientBuilder.create().clientId("test-relative-url").name("test-relative-url").rootUrl("").redirectUris("/auth").secret("password"));
        testEventListener.client(ClientBuilder.create().clientId("test-query-component").name("test-query-component").redirectUris("http://localhost?foo=bar", "http://localhost?foo=bar*").secret("password"));
        testEventListener.client(ClientBuilder.create().clientId("test-fragment").name("test-fragment").redirectUris("http://localhost:8180/*", "https://localhost:8543/*").secret("password"));
        testEventListener.client(ClientBuilder.create().clientId("custom-scheme").name("custom-scheme").redirectUris("android-app://org.keycloak.examples.cordova/https/keycloak-cordova-example.github.io/login").secret("password"));
        testEventListener.client(ClientBuilder.create().clientId("test-installed-loopback").name("test-installed-loopback").redirectUris("http://127.0.0.1").secret("password"));
        testEventListener.client(ClientBuilder.create().clientId("test-installed-loopback2").name("test-installed-loopback2").redirectUris("http://127.0.0.1/myapp").secret("password"));
        list.add(testEventListener.build());
    }

    @Test
    public void testNoParam() throws IOException {
        this.oauth.redirectUri((String) null);
        this.oauth.openLoginForm();
        Assert.assertTrue(this.errorPage.isCurrent());
        Assert.assertEquals("Invalid parameter: redirect_uri", this.errorPage.getError());
    }

    @Test
    public void testRelativeUri() throws IOException {
        this.oauth.redirectUri("/foo/../bar");
        this.oauth.openLoginForm();
        Assert.assertTrue(this.errorPage.isCurrent());
        Assert.assertEquals("Invalid parameter: redirect_uri", this.errorPage.getError());
    }

    @Test
    public void testFileUri() throws IOException {
        this.oauth.redirectUri("file://test");
        this.oauth.openLoginForm();
        Assert.assertTrue(this.errorPage.isCurrent());
        Assert.assertEquals("Invalid parameter: redirect_uri", this.errorPage.getError());
    }

    @Test
    public void testNoParamMultipleValidUris() throws IOException {
        ClientManager.realm(this.adminClient.realm("test")).clientId(AssertEvents.DEFAULT_CLIENT_ID).addRedirectUris("http://localhost:8180/app2");
        try {
            this.oauth.redirectUri((String) null);
            this.oauth.openLoginForm();
            Assert.assertTrue(this.errorPage.isCurrent());
            Assert.assertEquals("Invalid parameter: redirect_uri", this.errorPage.getError());
            ClientManager.realm(this.adminClient.realm("test")).clientId(AssertEvents.DEFAULT_CLIENT_ID).removeRedirectUris("http://localhost:8180/app2");
        } catch (Throwable th) {
            ClientManager.realm(this.adminClient.realm("test")).clientId(AssertEvents.DEFAULT_CLIENT_ID).removeRedirectUris("http://localhost:8180/app2");
            throw th;
        }
    }

    @Test
    public void testNoParamNoValidUris() throws IOException {
        ClientManager.realm(this.adminClient.realm("test")).clientId(AssertEvents.DEFAULT_CLIENT_ID).removeRedirectUris("http://localhost:8180/auth/realms/master/app/auth/*");
        try {
            this.oauth.redirectUri((String) null);
            this.oauth.openLoginForm();
            Assert.assertTrue(this.errorPage.isCurrent());
            Assert.assertEquals("Invalid parameter: redirect_uri", this.errorPage.getError());
            ClientManager.realm(this.adminClient.realm("test")).clientId(AssertEvents.DEFAULT_CLIENT_ID).addRedirectUris("http://localhost:8180/auth/realms/master/app/auth/*");
        } catch (Throwable th) {
            ClientManager.realm(this.adminClient.realm("test")).clientId(AssertEvents.DEFAULT_CLIENT_ID).addRedirectUris("http://localhost:8180/auth/realms/master/app/auth/*");
            throw th;
        }
    }

    @Test
    public void testNoValidUris() throws IOException {
        ClientManager.realm(this.adminClient.realm("test")).clientId(AssertEvents.DEFAULT_CLIENT_ID).removeRedirectUris("http://localhost:8180/auth/realms/master/app/auth/*");
        try {
            this.oauth.redirectUri((String) null);
            this.oauth.openLoginForm();
            Assert.assertTrue(this.errorPage.isCurrent());
            Assert.assertEquals("Invalid parameter: redirect_uri", this.errorPage.getError());
            ClientManager.realm(this.adminClient.realm("test")).clientId(AssertEvents.DEFAULT_CLIENT_ID).addRedirectUris("http://localhost:8180/auth/realms/master/app/auth/*");
        } catch (Throwable th) {
            ClientManager.realm(this.adminClient.realm("test")).clientId(AssertEvents.DEFAULT_CLIENT_ID).addRedirectUris("http://localhost:8180/auth/realms/master/app/auth/*");
            throw th;
        }
    }

    @Test
    public void testValid() throws IOException {
        this.oauth.redirectUri(OAuthClient.APP_ROOT + "/auth");
        Assert.assertNotNull(this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password").getCode());
        URL url = new URL(this.driver.getCurrentUrl());
        Assert.assertTrue(url.toString().startsWith(OAuthClient.APP_ROOT));
        Assert.assertTrue(url.getQuery().contains("code="));
        Assert.assertTrue(url.getQuery().contains("state="));
    }

    @Test
    public void testInvalid() throws IOException {
        this.oauth.redirectUri("http://localhost:8180/app2");
        this.oauth.openLoginForm();
        Assert.assertTrue(this.errorPage.isCurrent());
        Assert.assertEquals("Invalid parameter: redirect_uri", this.errorPage.getError());
    }

    @Test
    public void testWithParams() throws IOException {
        this.oauth.redirectUri(OAuthClient.APP_ROOT + "/auth?key=value");
        Assert.assertNotNull(this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password").getCode());
        URL url = new URL(this.driver.getCurrentUrl());
        Assert.assertTrue(url.toString().startsWith(OAuthClient.APP_ROOT));
        Assert.assertTrue(url.getQuery().contains("key=value"));
        Assert.assertTrue(url.getQuery().contains("state="));
        Assert.assertTrue(url.getQuery().contains("code="));
    }

    @Test
    public void testWithFragment() throws IOException {
        this.oauth.clientId("test-fragment");
        this.oauth.responseMode("fragment");
        this.oauth.redirectUri(OAuthClient.APP_ROOT + "/auth#key=value");
        Assert.assertNotNull(this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password").getCode());
        URL url = new URL(this.driver.getCurrentUrl());
        Assert.assertTrue(url.toString().startsWith(OAuthClient.APP_ROOT));
        Assert.assertTrue(url.toString().contains("key=value"));
    }

    @Test
    public void testWithCustomScheme() throws IOException {
        this.oauth.clientId("custom-scheme");
        this.oauth.redirectUri("android-app://org.keycloak.examples.cordova/https/keycloak-cordova-example.github.io/login");
        this.oauth.openLoginForm();
        RequestConfig build = RequestConfig.custom().setCookieSpec("best-match").build();
        BasicCookieStore basicCookieStore = new BasicCookieStore();
        HttpClientContext.create().setCookieStore(basicCookieStore);
        String currentUrl = this.driver.getCurrentUrl();
        CloseableHttpClient build2 = HttpClients.custom().setDefaultRequestConfig(build).setDefaultCookieStore(basicCookieStore).build();
        try {
            SimpleHttp.Response asResponse = SimpleHttp.doPost(SimpleHttp.doGet(currentUrl, build2).asString().split("action=\"")[1].split("\"")[0].replaceAll("&amp;", "&"), build2).param("username", AssertEvents.DEFAULT_USERNAME).param("password", "password").asResponse();
            asResponse.getStatus();
            Assert.assertThat(asResponse.getFirstHeader("Location"), Matchers.startsWith("android-app://org.keycloak.examples.cordova/https/keycloak-cordova-example.github.io/login"));
            build2.close();
        } catch (Throwable th) {
            build2.close();
            throw th;
        }
    }

    @Test
    public void testQueryComponents() throws IOException {
        this.oauth.clientId("test-query-component");
        checkRedirectUri("http://localhost?foo=bar", true);
        checkRedirectUri("http://localhost?foo=bara", false);
        checkRedirectUri("http://localhost?foo=bar/", false);
        checkRedirectUri("http://localhost?foo2=bar2&foo=bar", false);
        checkRedirectUri("http://localhost?foo=b", false);
        checkRedirectUri("http://localhost?foo", false);
        checkRedirectUri("http://localhost?foo=bar&bar=foo", false);
        checkRedirectUri("http://localhost?foo&bar=foo", false);
        checkRedirectUri("http://localhost?foo&bar", false);
        checkRedirectUri("http://localhost", false);
        this.oauth.clientId("test-installed");
        checkRedirectUri("http://localhost?foo=bar", false);
    }

    @Test
    public void testWildcard() throws IOException {
        this.oauth.clientId("test-wildcard");
        checkRedirectUri("http://example.com", false);
        checkRedirectUri("http://localhost:8080", false, true);
        checkRedirectUri("http://example.com/foo", true);
        checkRedirectUri("http://example.com/foo/bar", true);
        checkRedirectUri("http://localhost:8280/foo", true, true);
        checkRedirectUri("http://localhost:8280/foo/bar", true, true);
        checkRedirectUri("http://example.com/foobar", false);
        checkRedirectUri("http://localhost:8280/foobar", false, true);
    }

    @Test
    public void testDash() throws IOException {
        this.oauth.clientId("test-dash");
        checkRedirectUri("http://with-dash.example.local/foo", true);
    }

    @Test
    public void testDifferentCaseInHostname() throws IOException {
        this.oauth.clientId("test-dash");
        checkRedirectUri("http://with-dash.example.local", true);
        checkRedirectUri("http://wiTh-dAsh.example.local", true);
        checkRedirectUri("http://with-dash.example.local/foo", true);
        checkRedirectUri("http://wiTh-dAsh.example.local/foo", true);
        checkRedirectUri("http://with-dash.example.local/foo", true);
        checkRedirectUri("http://wiTh-dAsh.example.local/foo", true);
        checkRedirectUri("http://wiTh-dAsh.example.local/Foo", false);
        checkRedirectUri("http://wiTh-dAsh.example.local/foO", false);
    }

    @Test
    public void testDifferentCaseInScheme() throws IOException {
        this.oauth.clientId("test-dash");
        checkRedirectUri("HTTP://with-dash.example.local", true);
        checkRedirectUri("Http://wiTh-dAsh.example.local", true);
    }

    @Test
    public void testRelativeWithRoot() throws IOException {
        this.oauth.clientId("test-root-url");
        checkRedirectUri("http://with-dash.example.local/foo", true);
        checkRedirectUri("http://localhost:8180/foo", false);
    }

    @Test
    public void testRelative() throws IOException {
        this.oauth.clientId("test-relative-url");
        checkRedirectUri("http://with-dash.example.local/foo", false);
        checkRedirectUri("http://localhost:8180/auth", true);
    }

    @Test
    public void testLocalhost() throws IOException {
        this.oauth.clientId("test-installed");
        checkRedirectUri("urn:ietf:wg:oauth:2.0:oob", true, true);
        checkRedirectUri("http://localhost", true);
        checkRedirectUri("http://localhost:8280", true, true);
        checkRedirectUri("http://localhosts", false);
        checkRedirectUri("http://localhost/myapp", false);
        checkRedirectUri("http://localhost:8180/myapp", false, true);
        this.oauth.clientId("test-installed2");
        checkRedirectUri("http://localhost/myapp", true);
        checkRedirectUri("http://localhost:8280/myapp", true, true);
        checkRedirectUri("http://localhosts/myapp", false);
        checkRedirectUri("http://localhost", false);
        checkRedirectUri("http://localhost/myapp2", false);
    }

    @Test
    public void testLoopback() throws IOException {
        this.oauth.clientId("test-installed-loopback");
        checkRedirectUri("http://127.0.0.1", true);
        checkRedirectUri("http://127.0.0.1:8280", true, true);
        checkRedirectUri("http://127.0.0.1/myapp", false);
        checkRedirectUri("http://127.0.0.1:8180/myapp", false, true);
        this.oauth.clientId("test-installed-loopback2");
        checkRedirectUri("http://127.0.0.1/myapp", true);
        checkRedirectUri("http://127.0.0.1:8280/myapp", true, true);
        checkRedirectUri("http://127.0.0.1", false);
        checkRedirectUri("http://127.0.0.1/myapp2", false);
    }

    @Test
    public void okThenNull() throws IOException {
        this.oauth.clientId("test-wildcard");
        this.oauth.redirectUri("http://localhost:8280/foo");
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        Assert.assertNotNull((String) this.oauth.getCurrentQuery().get("code"));
        this.oauth.redirectUri((String) null);
        Assert.assertEquals("Expected 400, but got something else", 400L, this.oauth.doAccessTokenRequest(r0, "password").getStatusCode());
    }

    private void checkRedirectUri(String str, boolean z) throws IOException {
        checkRedirectUri(str, z, false);
    }

    private void checkRedirectUri(String str, boolean z, boolean z2) throws IOException {
        this.oauth.redirectUri(str);
        if (!z) {
            this.oauth.openLoginForm();
            Assert.assertTrue(this.errorPage.isCurrent());
            Assert.assertEquals("Invalid parameter: redirect_uri", this.errorPage.getError());
        } else {
            if (!z2) {
                this.oauth.openLoginForm();
                Assert.assertTrue(this.loginPage.isCurrent());
                return;
            }
            this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            String str2 = (String) this.oauth.getCurrentQuery().get("code");
            Assert.assertNotNull(str2);
            OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest(str2, "password");
            Assert.assertEquals("Expected success, but got error: " + doAccessTokenRequest.getError(), 200L, doAccessTokenRequest.getStatusCode());
            this.oauth.doLogout(doAccessTokenRequest.getRefreshToken(), "password");
        }
    }
}
