package org.keycloak.testsuite.authz;

import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.stream.Collectors;
import org.hamcrest.Matchers;
import org.junit.Assert;
import org.junit.Test;
import org.keycloak.admin.client.resource.AuthorizationResource;
import org.keycloak.admin.client.resource.ResourceScopesResource;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.util.HttpResponseException;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.representations.idm.authorization.PermissionRequest;
import org.keycloak.representations.idm.authorization.PermissionResponse;
import org.keycloak.representations.idm.authorization.PermissionTicketRepresentation;
import org.keycloak.representations.idm.authorization.PermissionTicketToken;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.ScopeRepresentation;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;

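@AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
/**
 * Tests for permission-ticket management through the protection API: ticket creation
 * with and without scopes, persistence of the pending ticket entries, their cleanup when
 * the resource, a scope or the requesting user is removed, validation errors for unknown
 * resources/scopes, and pagination/count of ticket queries.
 */
public class PermissionManagementTest extends AbstractResourceServerTest {

    /** Password shared by the test users created in the authz test realm. */
    private static final String PASSWORD = "password";

    @Test
    public void testCreatePermissionTicketWithResourceName() throws Exception {
        ResourceRepresentation resource = addResource("Resource A", "kolo", true);
        PermissionResponse response = requestTicketAndTryAuthorize(getAuthzClient(), "marta", new PermissionRequest(resource.getId()));
        assertPersistence(response, resource);
    }

    @Test
    public void removeUserWithPermissionTicketTest() throws Exception {
        String userId = createUser("authz-test", "user-to-remove", PASSWORD);
        ResourceRepresentation resource = addResource("Resource A", "kolo", true);
        PermissionResponse response = requestTicketAndTryAuthorize(getAuthzClient(), "user-to-remove", new PermissionRequest(resource.getId()));
        assertPersistence(response, resource);
        adminClient.realm("authz-test").users().delete(userId);
        List<String> remainingUserIds = adminClient.realm("authz-test").users().list().stream()
                .map(user -> user.getId())
                .collect(Collectors.toList());
        Assert.assertThat(remainingUserIds, Matchers.not(Matchers.hasItem(userId)));
        // Removing the requesting user must also remove the tickets that user requested.
        Assert.assertThat(getAuthzClient().protection().permission().findByResource(resource.getId()), Matchers.is(Matchers.empty()));
    }

    @Test
    public void testCreatePermissionTicketWithResourceId() throws Exception {
        ResourceRepresentation resource = addResource("Resource A", "kolo", true);
        AuthzClient authzClient = getAuthzClient();
        PermissionResponse response = requestTicketAndTryAuthorize(authzClient, "marta", new PermissionRequest(resource.getId()));
        Assert.assertNotNull(response.getTicket());
        Assert.assertFalse(authzClient.protection().permission().findByResource(resource.getId()).isEmpty());
    }

    @Test
    public void testCreatePermissionTicketWithScopes() throws Exception {
        ResourceRepresentation resource = addResource("Resource A", "kolo", true, "ScopeA", "ScopeB", "ScopeC");
        PermissionResponse response = requestTicketAndTryAuthorize(getAuthzClient(), "marta", new PermissionRequest(resource.getId(), "ScopeA", "ScopeB", "ScopeC"));
        assertPersistence(response, resource, "ScopeA", "ScopeB", "ScopeC");
    }

    @Test
    public void testDeleteResourceAndPermissionTicket() throws Exception {
        ResourceRepresentation resource = addResource("Resource A", "kolo", true, "ScopeA", "ScopeB", "ScopeC");
        PermissionResponse response = requestTicketAndTryAuthorize(getAuthzClient(), "marta", new PermissionRequest(resource.getId(), "ScopeA", "ScopeB", "ScopeC"));
        assertPersistence(response, resource, "ScopeA", "ScopeB", "ScopeC");
        // Deleting the resource must cascade to its pending tickets.
        getAuthzClient().protection().resource().delete(resource.getId());
        Assert.assertTrue(getAuthzClient().protection().permission().findByResource(resource.getId()).isEmpty());
    }

    @Test
    public void testMultiplePermissionRequest() throws Exception {
        List<PermissionRequest> requests = new ArrayList<>();
        for (String resourceName : Arrays.asList("Resource A", "Resource B", "Resource C", "Resource D")) {
            requests.add(new PermissionRequest(addResource(resourceName, true).getName()));
        }
        Assert.assertNotNull(getAuthzClient().protection().permission().create(requests).getTicket());
    }

    @Test
    public void testDeleteScopeAndPermissionTicket() throws Exception {
        ResourceRepresentation resource = addResource("Resource A", "kolo", true, "ScopeA", "ScopeB", "ScopeC");
        PermissionRequest request = new PermissionRequest(resource.getId());
        request.setScopes(new HashSet<>(Arrays.asList("ScopeA", "ScopeB", "ScopeC")));
        AuthzClient authzClient = getAuthzClient();
        PermissionResponse response = requestTicketAndTryAuthorize(authzClient, "marta", request);
        Assert.assertNotNull(response.getTicket());
        Assert.assertEquals(3, authzClient.protection().permission().findByResource(resource.getId()).size());
        AuthorizationResource authorization = getClient(getRealm()).authorization();
        ResourceScopesResource scopes = authorization.scopes();
        ScopeRepresentation scopeA = scopes.findByName("ScopeA");
        List<PermissionTicketRepresentation> ticketsForScopeA = authzClient.protection().permission().findByScope(scopeA.getId());
        Assert.assertFalse(ticketsForScopeA.isEmpty());
        Assert.assertEquals(1, ticketsForScopeA.size());
        // Detach all scopes from the resource before removing the scope definition itself.
        resource.setScopes(Collections.emptySet());
        authorization.resources().resource(resource.getId()).update(resource);
        scopes.scope(scopeA.getId()).remove();
        Assert.assertTrue(authzClient.protection().permission().findByScope(scopeA.getId()).isEmpty());
        Assert.assertEquals(0, authzClient.protection().permission().findByResource(resource.getId()).size());
    }

    @Test
    public void testRemoveScopeFromResource() throws Exception {
        ResourceRepresentation resource = addResource("Resource A", "kolo", true, "ScopeA", "ScopeB");
        PermissionRequest request = new PermissionRequest(resource.getId(), "ScopeA", "ScopeB");
        AuthzClient authzClient = getAuthzClient();
        PermissionResponse response = requestTicketAndTryAuthorize(authzClient, "marta", request);
        Assert.assertNotNull(response.getTicket());
        AuthorizationResource authorization = getClient(getRealm()).authorization();
        ResourceScopesResource scopes = authorization.scopes();
        ScopeRepresentation scopeA = scopes.findByName("ScopeA");
        Assert.assertFalse(authzClient.protection().permission().findByScope(scopeA.getId()).isEmpty());
        // Keep only ScopeB on the resource; tickets for the dropped ScopeA must disappear.
        resource.setScopes(new HashSet<>());
        resource.addScope("ScopeB");
        authorization.resources().resource(resource.getId()).update(resource);
        Assert.assertTrue(authzClient.protection().permission().findByScope(scopeA.getId()).isEmpty());
        Assert.assertFalse(authzClient.protection().permission().findByScope(scopes.findByName("ScopeB").getId()).isEmpty());
    }

    @Test
    public void testCreatePermissionTicketWithResourceWithoutManagedAccess() throws Exception {
        ResourceRepresentation resource = addResource("Resource A");
        Assert.assertNotNull(getAuthzClient().protection().permission().create(new PermissionRequest(resource.getName())).getTicket());
        // A ticket is issued, but nothing is persisted for a resource that is not owner-managed.
        Assert.assertTrue(getAuthzClient().protection().permission().findByResource(resource.getId()).isEmpty());
    }

    @Test
    public void testTicketNotCreatedWhenResourceOwner() throws Exception {
        ResourceRepresentation resource = addResource("Resource A", "marta", true);
        AuthzClient authzClient = getAuthzClient();
        // marta owns the resource: her own request must not leave a pending ticket entry behind.
        PermissionResponse ownerResponse = requestTicketAndTryAuthorize(authzClient, "marta", new PermissionRequest(resource.getId()));
        Assert.assertNotNull(ownerResponse.getTicket());
        Assert.assertTrue(authzClient.protection().permission().findByResource(resource.getId()).isEmpty());
        // A different user requesting the same resource does produce exactly one pending entry.
        PermissionResponse otherResponse = requestTicketAndTryAuthorize(authzClient, "kolo", new PermissionRequest(resource.getId()));
        Assert.assertNotNull(otherResponse.getTicket());
        List<PermissionTicketRepresentation> tickets = authzClient.protection().permission().findByResource(resource.getId());
        Assert.assertFalse(tickets.isEmpty());
        Assert.assertEquals(1, tickets.size());
    }

    @Test
    public void testPermissionForTypedScope() throws Exception {
        ResourceRepresentation typedResource = addResource("Typed Resource", "ScopeC");
        typedResource.setType("typed-resource");
        getClient(getRealm()).authorization().resources().resource(typedResource.getId()).update(typedResource);
        ResourceRepresentation resource = addResource("Resource A", "marta", true, "ScopeA", "ScopeB");
        resource.setType(typedResource.getType());
        getClient(getRealm()).authorization().resources().resource(resource.getId()).update(resource);
        // ScopeC is not declared on the resource itself; it is reachable through the shared type.
        PermissionRequest request = new PermissionRequest(resource.getId());
        request.setScopes(new HashSet<>(Arrays.asList("ScopeA", "ScopeC")));
        PermissionResponse response = requestTicketAndTryAuthorize(getAuthzClient(), "kolo", request);
        assertPersistence(response, resource, "ScopeA", "ScopeC");
    }

    @Test
    public void testSameTicketForSamePermissionRequest() throws Exception {
        ResourceRepresentation resource = addResource("Resource A", true);
        Assert.assertNotNull(getAuthzClient().protection("marta", PASSWORD).permission().create(new PermissionRequest(resource.getName())).getTicket());
    }

    /**
     * Verifies that the ticket in {@code response} and the persisted permission entries agree.
     *
     * <p>Without explicit scopes a single resource-level entry is expected; with scopes, one
     * entry per scope. Every permission encoded in the ticket must be backed by that number of
     * entries for its resource, and every entry must be pending (not granted) and refer either
     * to one of the requested scopes or to the resource itself.
     *
     * @param response the response carrying the permission ticket (a JWS) to inspect
     * @param resource the resource the ticket was requested for
     * @param scopeNames the scope names the ticket was requested with; may be empty
     * @throws Exception if the ticket cannot be parsed
     */
    private void assertPersistence(PermissionResponse response, ResourceRepresentation resource, String... scopeNames) throws Exception {
        String ticket = response.getTicket();
        Assert.assertNotNull(ticket);
        int expectedEntries = scopeNames.length > 0 ? scopeNames.length : 1;
        List<PermissionTicketRepresentation> persisted = getAuthzClient().protection().permission().findByResource(resource.getId());
        Assert.assertEquals(expectedEntries, persisted.size());
        List<Permission> permissions = new JWSInput(ticket).readJsonContent(PermissionTicketToken.class).getPermissions();
        Assert.assertNotNull(permissions);
        Assert.assertEquals(expectedEntries, scopeNames.length > 0 ? scopeNames.length : permissions.size());
        // Drop every ticket permission that is backed by exactly the expected number of entries;
        // anything left over is a permission the server did not persist as requested.
        permissions.removeIf(permission -> persisted.stream()
                .filter(entry -> entry.getResource().equals(permission.getResourceId()))
                .count() == expectedEntries);
        Assert.assertTrue(permissions.isEmpty());
        List<PermissionTicketRepresentation> unmatched = new ArrayList<>(persisted);
        for (PermissionTicketRepresentation entry : unmatched) {
            Assert.assertFalse(entry.isGranted());
        }
        // Scoped entries must name a requested scope; unscoped entries must name the resource.
        unmatched.removeIf(entry -> entry.getScope() != null
                ? Arrays.asList(scopeNames).contains(scopeName(entry.getScope()))
                : entry.getResource().equals(resource.getId()));
        Assert.assertTrue(unmatched.isEmpty());
    }

    /** Resolves a scope id to its name through the admin API. */
    private String scopeName(String scopeId) {
        return getClient(getRealm()).authorization().scopes().scope(scopeId).toRepresentation().getName();
    }

    @Test
    public void failInvalidResource() {
        try {
            getAuthzClient().protection().permission().create(new PermissionRequest("Invalid Resource"));
            Assert.fail("Should fail, resource does not exist");
        } catch (RuntimeException e) {
            assertBadRequest(e, "invalid_resource_id");
        }
        try {
            getAuthzClient().protection().permission().create(new PermissionRequest());
            Assert.fail("Should fail, resource is empty");
        } catch (RuntimeException e) {
            assertBadRequest(e, "invalid_resource_id");
        }
    }

    @Test
    public void failInvalidScope() throws Exception {
        addResource("Resource A", "ScopeA", "ScopeB");
        try {
            PermissionRequest request = new PermissionRequest("Resource A");
            // ScopeC is not defined for the resource.
            request.setScopes(new HashSet<>(Arrays.asList("ScopeA", "ScopeC")));
            getAuthzClient().protection().permission().create(request);
            Assert.fail("Should fail, resource does not exist");
        } catch (RuntimeException e) {
            assertBadRequest(e, "invalid_scope");
        }
    }

    @Test
    public void testGetPermissionTicketWithPagination() throws Exception {
        String[] scopeNames = {"ScopeA", "ScopeB", "ScopeC", "ScopeD"};
        ResourceRepresentation resource = addResource("Resource A", "kolo", true, scopeNames);
        requestTicketAndTryAuthorize(getAuthzClient(), "marta", new PermissionRequest(resource.getId(), scopeNames));
        // Each page must consume two distinct, not-yet-seen scopes.
        List<String> unseenScopes = new ArrayList<>(Arrays.asList(scopeNames));
        assertTicketPage(resource.getId(), 2, unseenScopes);
        assertTicketPage(resource.getId(), 0, unseenScopes);
    }

    @Test
    public void testPermissionCount() throws Exception {
        String[] scopeNames = {"ScopeA", "ScopeB", "ScopeC", "ScopeD"};
        ResourceRepresentation resource = addResource("Resource A", "kolo", true, scopeNames);
        requestTicketAndTryAuthorize(getAuthzClient(), "marta", new PermissionRequest(resource.getId(), scopeNames));
        long count = getAuthzClient().protection().permission().count(resource.getId(), null, null, null, null, true);
        Assert.assertEquals("Returned number of permissions tickets must match the amount of permission tickets.", 4L, count);
    }

    /**
     * Requests a permission ticket as {@code username} and then attempts an authorization
     * with it. The outcome of that attempt is deliberately ignored: the tests only inspect
     * the ticket entries the server persists as a side effect.
     *
     * @param authzClient client used for both the ticket request and the authorization attempt
     * @param username user on whose behalf the ticket is requested (authenticated with {@link #PASSWORD})
     * @param request the resource/scopes being requested
     * @return the response carrying the issued ticket
     */
    private PermissionResponse requestTicketAndTryAuthorize(AuthzClient authzClient, String username, PermissionRequest request) {
        PermissionResponse response = authzClient.protection(username, PASSWORD).permission().create(request);
        AuthorizationRequest authorizationRequest = new AuthorizationRequest();
        authorizationRequest.setTicket(response.getTicket());
        authorizationRequest.setClaimToken(authzClient.obtainAccessToken(username, PASSWORD).getToken());
        try {
            authzClient.authorization().authorize(authorizationRequest);
        } catch (Exception ignored) {
            // The authorization result is not under test here; only the persisted ticket is.
        }
        return response;
    }

    /**
     * Fetches one page of size 2 of the tickets for {@code resourceId} and checks that both
     * returned scope names were still unseen, removing them from {@code unseenScopes}.
     */
    private void assertTicketPage(String resourceId, int firstResult, List<String> unseenScopes) {
        List<PermissionTicketRepresentation> page = getAuthzClient().protection().permission()
                .find(resourceId, null, null, null, null, true, firstResult, 2);
        Assert.assertEquals("Returned number of permissions tickets must match the specified page size (i.e., 'maxResult').", 2, page.size());
        for (PermissionTicketRepresentation ticket : page) {
            Assert.assertTrue("Returned set of permission tickets must be only a sub-set as per pagination offset and specified page size.", unseenScopes.remove(ticket.getScopeName()));
        }
    }

    /**
     * Asserts that {@code e} wraps an HTTP 400 response whose body mentions {@code expectedError}.
     */
    private static void assertBadRequest(RuntimeException e, String expectedError) {
        Assert.assertTrue(e.getCause() instanceof HttpResponseException);
        HttpResponseException cause = (HttpResponseException) e.getCause();
        Assert.assertEquals(400, cause.getStatusCode());
        // Decode explicitly; the platform default charset is not guaranteed to be UTF-8.
        String body = new String(cause.getBytes(), StandardCharsets.UTF_8);
        Assert.assertTrue(body.contains(expectedError));
    }
}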
