package org.keycloak.testsuite.client;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import org.apache.commons.lang.StringUtils;
import org.jboss.resteasy.client.jaxrs.ResteasyClient;
import org.junit.Before;
import org.junit.Test;
import org.keycloak.client.registration.Auth;
import org.keycloak.client.registration.ClientRegistrationException;
import org.keycloak.client.registration.HttpErrorException;
import org.keycloak.protocol.oidc.mappers.SHA256PairwiseSubMapper;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.IDToken;
import org.keycloak.representations.RefreshToken;
import org.keycloak.representations.idm.ClientInitialAccessCreatePresentation;
import org.keycloak.representations.idm.ProtocolMapperRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.representations.oidc.OIDCClientRepresentation;
import org.keycloak.testsuite.Assert;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.client.resources.TestApplicationResourceUrls;
import org.keycloak.testsuite.util.AdminClientUtil;
import org.keycloak.testsuite.util.ClientManager;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.UserInfoClientUtil;
import org.keycloak.testsuite.util.UserManager;

/* loaded from: input_file:org/keycloak/testsuite/client/OIDCPairwiseClientRegistrationTest.class */
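/**
 * Dynamic client registration tests for the OIDC {@code subject_type=pairwise} option.
 *
 * <p>A pairwise client receives a sector-scoped {@code sub} claim instead of the realm user id, so
 * unrelated clients cannot correlate the same user by subject. The registration tests exercise the
 * validation that keeps that property honest: a sector identifier URI must be a well-formed,
 * reachable URL, and the redirect URIs it publishes must match the client's own redirect URIs
 * (otherwise a client could attach itself to another party's sector). The token tests then check
 * that the pairwise subject is carried consistently through access, ID, refresh, introspection and
 * userinfo responses.
 */
public class OIDCPairwiseClientRegistrationTest extends AbstractClientRegistrationTest {

    /** Subject type that yields sector-scoped, non-correlatable subject identifiers. */
    private static final String SUBJECT_TYPE_PAIRWISE = "pairwise";

    /** Subject type that exposes the realm user id as {@code sub}. */
    private static final String SUBJECT_TYPE_PUBLIC = "public";

    private static final String TEST_REALM = "test";
    private static final String TEST_USER = "test-user";
    private static final String TEST_PASSWORD = "password";

    /**
     * Authenticates the registration client with a freshly minted initial access token so each
     * test can register clients without admin credentials.
     */
    @Override // org.keycloak.testsuite.client.AbstractClientRegistrationTest
    @Before
    public void before() throws Exception {
        super.before();
        // (0, 10): presumably "no expiry, ten registrations" — confirm against the presentation class.
        ClientInitialAccessCreatePresentation initialAccess = new ClientInitialAccessCreatePresentation(0, 10);
        reg.auth(Auth.token(adminClient.realm(TEST_REALM).clientInitialAccess().create(initialAccess)));
    }

    /**
     * Builds the minimal representation shared by every registration in this class: a client name,
     * the test app root as client URI and the OAuth test client's redirect URI.
     */
    private OIDCClientRepresentation createRep() {
        OIDCClientRepresentation rep = new OIDCClientRepresentation();
        rep.setClientName("RegistrationAccessTokenTest");
        rep.setClientUri(OAuthClient.APP_ROOT);
        rep.setRedirectUris(Collections.singletonList(oauth.getRedirectUri()));
        return rep;
    }

    /**
     * Registers a client with the default (public) subject type.
     *
     * @return the registered representation as returned by the server
     * @throws ClientRegistrationException if registration is rejected
     */
    public OIDCClientRepresentation create() throws ClientRegistrationException {
        return reg.oidc().create(createRep());
    }

    /**
     * Registers a client with {@code subject_type=pairwise} and no sector identifier URI.
     *
     * @return the registered representation as returned by the server
     * @throws ClientRegistrationException if registration is rejected
     */
    public OIDCClientRepresentation createPairwise() throws ClientRegistrationException {
        OIDCClientRepresentation rep = createRep();
        rep.setSubjectType(SUBJECT_TYPE_PAIRWISE);
        return reg.oidc().create(rep);
    }

    /**
     * Asserts that registering {@code rep} is rejected with the given HTTP status.
     *
     * @param rep            representation expected to fail validation
     * @param expectedStatus HTTP status the server must answer with
     * @param expectedText   fragment that must appear in the error body, or {@code null} to skip
     */
    private void assertCreateFail(OIDCClientRepresentation rep, int expectedStatus, String expectedText) {
        try {
            reg.oidc().create(rep);
            Assert.fail("Not expected to successfuly register client");
        } catch (ClientRegistrationException e) {
            Throwable cause = e.getCause();
            Assert.assertTrue("Expected an HTTP error as cause but got: " + cause, cause instanceof HttpErrorException);
            HttpErrorException httpError = (HttpErrorException) cause;
            Assert.assertEquals(expectedStatus, httpError.getStatusLine().getStatusCode());
            if (expectedText != null) {
                Assert.assertTrue("Error response doesn't contain expected text", httpError.getErrorResponse().contains(expectedText));
            }
        }
    }

    /** Publishes {@code redirectUris} at the test app's sector identifier URI. */
    private void publishSectorRedirectUris(List<String> redirectUris) {
        testingClient.testApp().oidcClientEndpoints().setSectorIdentifierRedirectUris(new ArrayList<>(redirectUris));
    }

    @Test
    public void createPairwiseClient() throws Exception {
        OIDCClientRepresentation client = createPairwise();
        Assert.assertEquals(SUBJECT_TYPE_PAIRWISE, client.getSubjectType());
    }

    @Test
    public void updateClientToPairwise() throws Exception {
        OIDCClientRepresentation client = create();
        Assert.assertEquals(SUBJECT_TYPE_PUBLIC, client.getSubjectType());

        // Updates are authorised by the client's own registration access token, not the initial token.
        reg.auth(Auth.token(client));
        client.setSubjectType(SUBJECT_TYPE_PAIRWISE);
        OIDCClientRepresentation updated = reg.oidc().update(client);
        Assert.assertEquals(SUBJECT_TYPE_PAIRWISE, updated.getSubjectType());
    }

    @Test
    public void updateSectorIdentifierUri() throws Exception {
        OIDCClientRepresentation client = createPairwise();
        Assert.assertEquals(SUBJECT_TYPE_PAIRWISE, client.getSubjectType());
        Assert.assertNull(client.getSectorIdentifierUri());

        reg.auth(Auth.token(client));
        // The sector document must list the client's redirect URIs, or the update is rejected.
        publishSectorRedirectUris(client.getRedirectUris());
        client.setSectorIdentifierUri(TestApplicationResourceUrls.pairwiseSectorIdentifierUri());
        OIDCClientRepresentation updated = reg.oidc().update(client);
        Assert.assertEquals(SUBJECT_TYPE_PAIRWISE, updated.getSubjectType());
        Assert.assertEquals(TestApplicationResourceUrls.pairwiseSectorIdentifierUri(), updated.getSectorIdentifierUri());
    }

    @Test
    public void updateToPairwiseThroughAdminRESTSuccess() throws Exception {
        OIDCClientRepresentation client = create();
        Assert.assertEquals(SUBJECT_TYPE_PUBLIC, client.getSubjectType());
        Assert.assertNull(client.getSectorIdentifierUri());

        publishSectorRedirectUris(client.getRedirectUris());
        String sectorIdentifierUri = TestApplicationResourceUrls.pairwiseSectorIdentifierUri();
        // Adding the pairwise sub mapper through the admin API must be reflected in the registration view.
        ClientManager.realm(realmsResouce().realm(TEST_REALM)).clientId(client.getClientId())
                .addProtocolMapper(SHA256PairwiseSubMapper.createPairwiseMapper(sectorIdentifierUri, (String) null));

        reg.auth(Auth.token(client));
        OIDCClientRepresentation fetched = reg.oidc().get(client.getClientId());
        Assert.assertEquals(SUBJECT_TYPE_PAIRWISE, fetched.getSubjectType());
        Assert.assertEquals(sectorIdentifierUri, fetched.getSectorIdentifierUri());
    }

    @Test
    public void updateToPairwiseThroughAdminRESTFailure() throws Exception {
        OIDCClientRepresentation client = create();
        Assert.assertEquals(SUBJECT_TYPE_PUBLIC, client.getSubjectType());
        Assert.assertNull(client.getSectorIdentifierUri());

        // An empty sector document cannot match the client's redirect URIs, so the admin API must
        // refuse the mapper (400) and the client must stay public.
        publishSectorRedirectUris(Collections.emptyList());
        String sectorIdentifierUri = TestApplicationResourceUrls.pairwiseSectorIdentifierUri();
        ProtocolMapperRepresentation pairwiseMapper = SHA256PairwiseSubMapper.createPairwiseMapper(sectorIdentifierUri, (String) null);
        int status = ApiUtil.findClientByClientId(realmsResouce().realm(TEST_REALM), client.getClientId())
                .getProtocolMappers().createMapper(pairwiseMapper).getStatus();
        Assert.assertEquals(400, status);

        reg.auth(Auth.token(client));
        OIDCClientRepresentation fetched = reg.oidc().get(client.getClientId());
        Assert.assertEquals(SUBJECT_TYPE_PUBLIC, fetched.getSubjectType());
        Assert.assertNull(fetched.getSectorIdentifierUri());
    }

    @Test
    public void createPairwiseClientWithSectorIdentifierURI() throws Exception {
        OIDCClientRepresentation rep = createRep();
        publishSectorRedirectUris(rep.getRedirectUris());
        rep.setSubjectType(SUBJECT_TYPE_PAIRWISE);
        rep.setSectorIdentifierUri(TestApplicationResourceUrls.pairwiseSectorIdentifierUri());

        OIDCClientRepresentation client = reg.oidc().create(rep);
        Assert.assertEquals(SUBJECT_TYPE_PAIRWISE, client.getSubjectType());
        Assert.assertEquals(TestApplicationResourceUrls.pairwiseSectorIdentifierUri(), client.getSectorIdentifierUri());
    }

    @Test
    public void createPairwiseClientWithRedirectsToMultipleHostsWithoutSectorIdentifierURI() throws Exception {
        // Without a sector document the sector is derived from the redirect host, which is only
        // well-defined for a single host.
        OIDCClientRepresentation rep = createRep();
        rep.setSubjectType(SUBJECT_TYPE_PAIRWISE);
        rep.setRedirectUris(List.of("http://redirect1", "http://redirect2"));
        assertCreateFail(rep, 400, "Without a configured Sector Identifier URI, client redirect URIs must not contain multiple host components.");
    }

    @Test
    public void createPairwiseClientWithRedirectsToMultipleHosts() throws Exception {
        List<String> redirectUris = List.of("http://redirect1", "http://redirect2");
        publishSectorRedirectUris(redirectUris);

        OIDCClientRepresentation rep = createRep();
        rep.setSubjectType(SUBJECT_TYPE_PAIRWISE);
        rep.setSectorIdentifierUri(TestApplicationResourceUrls.pairwiseSectorIdentifierUri());
        rep.setRedirectUris(new ArrayList<>(redirectUris));

        OIDCClientRepresentation client = reg.oidc().create(rep);
        Assert.assertEquals(SUBJECT_TYPE_PAIRWISE, client.getSubjectType());
        Assert.assertEquals(TestApplicationResourceUrls.pairwiseSectorIdentifierUri(), client.getSectorIdentifierUri());
        Assert.assertNames(client.getRedirectUris(), "http://redirect1", "http://redirect2");
    }

    @Test
    public void createPairwiseClientWithSectorIdentifierURIContainingMismatchedRedirects() throws Exception {
        // A sector document that does not list the client's redirect URI must not be accepted;
        // otherwise a client could join a sector it does not control.
        publishSectorRedirectUris(List.of("http://someotherredirect"));
        OIDCClientRepresentation rep = createRep();
        rep.setSubjectType(SUBJECT_TYPE_PAIRWISE);
        rep.setSectorIdentifierUri(TestApplicationResourceUrls.pairwiseSectorIdentifierUri());
        assertCreateFail(rep, 400, "Client redirect URIs does not match redirect URIs fetched from the Sector Identifier URI.");
    }

    @Test
    public void createPairwiseClientWithSectorIdentifierURIContainingMismatchedRedirectsPublicSubject() throws Exception {
        // The redirect-URI match is enforced even for public clients once a sector URI is supplied.
        publishSectorRedirectUris(List.of("http://someotherredirect"));
        OIDCClientRepresentation rep = createRep();
        rep.setSubjectType(SUBJECT_TYPE_PUBLIC);
        rep.setSectorIdentifierUri(TestApplicationResourceUrls.pairwiseSectorIdentifierUri());
        assertCreateFail(rep, 400, "Client redirect URIs does not match redirect URIs fetched from the Sector Identifier URI.");
    }

    @Test
    public void createPairwiseClientWithInvalidSectorIdentifierURI() throws Exception {
        OIDCClientRepresentation rep = createRep();
        rep.setSubjectType(SUBJECT_TYPE_PAIRWISE);
        rep.setSectorIdentifierUri("malformed");
        assertCreateFail(rep, 400, "Invalid Sector Identifier URI.");
    }

    @Test
    public void createPairwiseClientWithUnreachableSectorIdentifierURI() throws Exception {
        OIDCClientRepresentation rep = createRep();
        rep.setSubjectType(SUBJECT_TYPE_PAIRWISE);
        rep.setSectorIdentifierUri("http://localhost/dummy");
        assertCreateFail(rep, 400, "Failed to get redirect URIs from the Sector Identifier URI.");
    }

    @Test
    public void loginUserToPairwiseClient() throws Exception {
        // Public client: the subject is the realm user id.
        OIDCClientRepresentation publicClient = create();
        OAuthClient.AccessTokenResponse publicTokens = login(publicClient, AssertEvents.DEFAULT_USERNAME, TEST_PASSWORD);
        AccessToken publicAccessToken = oauth.verifyToken(publicTokens.getAccessToken());
        Assert.assertEquals(TEST_USER, publicAccessToken.getPreferredUsername());
        Assert.assertEquals(AssertEvents.DEFAULT_USERNAME, publicAccessToken.getEmail());
        String publicSubject = publicAccessToken.getSubject();

        UserRepresentation user = realmsResouce().realm(TEST_REALM).users().search(TEST_USER, 0, 1).get(0);
        Assert.assertEquals(user.getId(), publicSubject);

        // Pairwise client: same browser session (no credentials posted again — presumably SSO),
        // different subject.
        OIDCClientRepresentation pairwiseClient = createPairwise();
        Assert.assertEquals(SUBJECT_TYPE_PAIRWISE, pairwiseClient.getSubjectType());
        oauth.clientId(pairwiseClient.getClientId());
        oauth.openLoginForm();
        String code = new OAuthClient.AuthorizationEndpointResponse(oauth).getCode();
        OAuthClient.AccessTokenResponse pairwiseTokens = oauth.doAccessTokenRequest(code, pairwiseClient.getClientSecret());

        // The pairwise mapper must replace the subject, not add a second "sub" claim.
        assertSingleSubClaim(pairwiseTokens.getAccessToken());
        assertSingleSubClaim(pairwiseTokens.getIdToken());
        assertSingleSubClaim(pairwiseTokens.getRefreshToken());

        AccessToken pairwiseAccessToken = oauth.verifyToken(pairwiseTokens.getAccessToken());
        Assert.assertEquals(TEST_USER, pairwiseAccessToken.getPreferredUsername());
        Assert.assertEquals(AssertEvents.DEFAULT_USERNAME, pairwiseAccessToken.getEmail());
        String pairwiseSubject = pairwiseAccessToken.getSubject();
        // The whole point of pairwise: the realm user id must not leak as the subject.
        Assert.assertNotEquals(pairwiseSubject, user.getId());

        // Userinfo must report the same pairwise subject as the access token.
        ResteasyClient httpClient = AdminClientUtil.createResteasyClient();
        try {
            String userInfoSubject = UserInfoClientUtil.testSuccessfulUserInfoResponse(
                    UserInfoClientUtil.executeUserInfoRequest_getMethod(httpClient, pairwiseTokens.getAccessToken()),
                    TEST_USER, AssertEvents.DEFAULT_USERNAME).getSubject();
            Assert.assertEquals(pairwiseSubject, userInfoSubject);
        } finally {
            httpClient.close();
        }
    }

    @Test
    public void refreshPairwiseToken() throws Exception {
        OIDCClientRepresentation pairwiseClient = createPairwise();
        OAuthClient.AccessTokenResponse tokens = login(pairwiseClient, AssertEvents.DEFAULT_USERNAME, TEST_PASSWORD);

        // Parsing only checks the tokens are well-formed JWS; the ID token is verified.
        oauth.parseRefreshToken(tokens.getAccessToken());
        IDToken idToken = oauth.verifyIDToken(tokens.getIdToken());
        oauth.parseRefreshToken(tokens.getRefreshToken());

        OAuthClient.AccessTokenResponse refreshed = oauth.doRefreshTokenRequest(tokens.getRefreshToken(), pairwiseClient.getClientSecret());
        oauth.verifyToken(refreshed.getAccessToken());
        RefreshToken refreshedRefreshToken = oauth.parseRefreshToken(refreshed.getRefreshToken());
        IDToken refreshedIdToken = oauth.verifyIDToken(refreshed.getIdToken());

        // The pairwise subject must survive the refresh, and issuer/auth_time/azp must be stable.
        Assert.assertEquals(idToken.getIssuer(), refreshedRefreshToken.getIssuer());
        Assert.assertEquals(idToken.getSubject(), refreshedRefreshToken.getSubject());
        Assert.assertEquals(refreshedIdToken.getIssuedAt(), refreshedRefreshToken.getIssuedAt());
        Assert.assertEquals(idToken.getAuthTime(), refreshedIdToken.getAuthTime());
        Assert.assertEquals(idToken.getIssuedFor(), refreshedIdToken.getIssuedFor());
    }

    @Test
    public void introspectPairwiseAccessToken() throws Exception {
        OIDCClientRepresentation pairwiseClient = createPairwise();
        String accessToken = login(pairwiseClient, AssertEvents.DEFAULT_USERNAME, TEST_PASSWORD).getAccessToken();

        String introspection = oauth.introspectAccessTokenWithClientCredential(
                pairwiseClient.getClientId(), pairwiseClient.getClientSecret(), accessToken);
        JsonNode json = new ObjectMapper().readTree(introspection);
        Assert.assertTrue(json.get("active").asBoolean());
        Assert.assertEquals(AssertEvents.DEFAULT_USERNAME, json.get("email").asText());
    }

    @Test
    public void refreshPairwiseTokenDeletedUser() throws Exception {
        String userId = createUser(TEST_REALM, "delete-me@localhost", TEST_PASSWORD);
        OIDCClientRepresentation pairwiseClient = createPairwise();

        OAuthClient.AccessTokenResponse tokens = login(pairwiseClient, "delete-me@localhost", TEST_PASSWORD);
        Assert.assertEquals(200, tokens.getStatusCode());

        // A refresh token must stop working once its user is gone, even though the pairwise
        // subject no longer maps directly to a realm user id.
        adminClient.realm(TEST_REALM).users().delete(userId);
        OAuthClient.AccessTokenResponse refreshed = oauth.doRefreshTokenRequest(tokens.getRefreshToken(), pairwiseClient.getClientSecret());
        assertRefreshRejected(refreshed);
    }

    @Test
    public void refreshPairwiseTokenDisabledUser() throws Exception {
        createUser(TEST_REALM, "disable-me@localhost", TEST_PASSWORD);
        OIDCClientRepresentation pairwiseClient = createPairwise();

        OAuthClient.AccessTokenResponse tokens = login(pairwiseClient, "disable-me@localhost", TEST_PASSWORD);
        Assert.assertEquals(200, tokens.getStatusCode());

        try {
            // Disabling the account must revoke refresh, without leaking any token material.
            UserManager.realm(adminClient.realm(TEST_REALM)).username("disable-me@localhost").enabled(false);
            OAuthClient.AccessTokenResponse refreshed = oauth.doRefreshTokenRequest(tokens.getRefreshToken(), pairwiseClient.getClientSecret());
            assertRefreshRejected(refreshed);
        } finally {
            UserManager.realm(adminClient.realm(TEST_REALM)).username("disable-me@localhost").enabled(true);
        }
    }

    /** Asserts a refresh was refused with {@code invalid_grant} and that no token was issued. */
    private void assertRefreshRejected(OAuthClient.AccessTokenResponse response) {
        Assert.assertEquals(400, response.getStatusCode());
        Assert.assertEquals("invalid_grant", response.getError());
        Assert.assertNull(response.getAccessToken());
        Assert.assertNull(response.getIdToken());
        Assert.assertNull(response.getRefreshToken());
    }

    /** Asserts the (unverified) payload of {@code jwt} carries exactly one {@code "sub"} claim. */
    private void assertSingleSubClaim(String jwt) {
        Assert.assertEquals(1, StringUtils.countMatches(getPayload(jwt), "\"sub\""));
    }

    /**
     * Logs {@code username} in through the browser flow against {@code client} and exchanges the
     * code for tokens.
     *
     * @param client   registered client to log in to
     * @param username login name
     * @param password password for {@code username}
     * @return the token endpoint response
     */
    private OAuthClient.AccessTokenResponse login(OIDCClientRepresentation client, String username, String password) {
        oauth.clientId(client.getClientId());
        String code = oauth.doLogin(username, password).getCode();
        return oauth.doAccessTokenRequest(code, client.getClientSecret());
    }

    /**
     * Decodes the payload segment of a compact JWS without verifying its signature; used only to
     * inspect claim layout. Signature checks are done elsewhere via {@code oauth.verifyToken}.
     *
     * @param jwt compact-serialised JWS ({@code header.payload.signature})
     * @return the payload as UTF-8 JSON text
     */
    private String getPayload(String jwt) {
        String[] segments = jwt.split("\\.");
        Assert.assertTrue("Expected a compact JWS but got " + segments.length + " segment(s)", segments.length >= 2);
        // JWS segments are base64url without padding (RFC 7515); the basic decoder rejects '-' and '_'.
        byte[] payload = Base64.getUrlDecoder().decode(segments[1]);
        return new String(payload, StandardCharsets.UTF_8);
    }
}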
