package org.keycloak.testsuite.openshift;

import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Objects;
import javax.ws.rs.core.Response;
import org.apache.http.Header;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.ContentType;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.util.EntityUtils;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.hamcrest.collection.IsIterableContainingInAnyOrder;
import org.hamcrest.core.Is;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.common.Profile;
import org.keycloak.common.util.Base64Url;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.protocol.openshift.OpenShiftTokenReviewRequestRepresentation;
import org.keycloak.protocol.openshift.OpenShiftTokenReviewResponseRepresentation;
import org.keycloak.representations.idm.AuthenticationExecutionInfoRepresentation;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.ClientScopeRepresentation;
import org.keycloak.representations.idm.EventRepresentation;
import org.keycloak.representations.idm.ProtocolMapperRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.testsuite.AbstractTestRealmKeycloakTest;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.arquillian.annotation.EnableFeature;
import org.keycloak.testsuite.oauth.BackchannelLogoutTest;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.ServerURLs;
import org.keycloak.testsuite.util.UserBuilder;
import org.keycloak.util.JsonSerialization;

@AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE, AuthServerContainerExclude.AuthServer.QUARKUS})
@EnableFeature(value = Profile.Feature.OPENSHIFT_INTEGRATION, skipRestart = true)
/* loaded from: input_file:org/keycloak/testsuite/openshift/OpenShiftTokenReviewEndpointTest.class */
public class OpenShiftTokenReviewEndpointTest extends AbstractTestRealmKeycloakTest {
    private static boolean flowConfigured;

    @Rule
    public AssertEvents events = new AssertEvents(this);

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/keycloak/testsuite/openshift/OpenShiftTokenReviewEndpointTest$InvokeRunnable.class */
    public interface InvokeRunnable {
        void run(Review review);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/keycloak/testsuite/openshift/OpenShiftTokenReviewEndpointTest$Review.class */
    public class Review {
        private String realm;
        private String clientId;
        private String username;
        private String password;
        private String algorithm;
        private InvokeRunnable runAfterTokenRequest;
        private String token;
        private String clientAuthMethod;
        private int responseStatus;
        private OpenShiftTokenReviewResponseRepresentation response;

        private Review() {
            this.realm = "test";
            this.clientId = AssertEvents.DEFAULT_CLIENT_ID;
            this.username = AssertEvents.DEFAULT_USERNAME;
            this.password = "password";
            this.algorithm = "RS256";
            this.clientAuthMethod = "testsuite-client-dummy";
        }

        public Review username(String str) {
            this.username = str;
            return this;
        }

        public Review algorithm(String str) {
            this.algorithm = str;
            return this;
        }

        public Review clientAuthMethod(String str) {
            this.clientAuthMethod = str;
            return this;
        }

        public Review runAfterTokenRequest(InvokeRunnable invokeRunnable) {
            this.runAfterTokenRequest = invokeRunnable;
            return this;
        }

        public Review invoke() {
            try {
                if (this.token == null) {
                    String id = ((UserRepresentation) OpenShiftTokenReviewEndpointTest.this.testRealm().users().search(this.username).get(0)).getId();
                    OpenShiftTokenReviewEndpointTest.this.oauth.doLogin(this.username, this.password);
                    EventRepresentation assertEvent = OpenShiftTokenReviewEndpointTest.this.events.expectLogin().user(id).assertEvent();
                    OAuthClient.AccessTokenResponse doAccessTokenRequest = OpenShiftTokenReviewEndpointTest.this.oauth.doAccessTokenRequest((String) OpenShiftTokenReviewEndpointTest.this.oauth.getCurrentQuery().get("code"), "password");
                    OpenShiftTokenReviewEndpointTest.this.events.expectCodeToToken((String) assertEvent.getDetails().get("code_id"), assertEvent.getSessionId()).detail("client_auth_method", this.clientAuthMethod).user(id).assertEvent();
                    this.token = doAccessTokenRequest.getAccessToken();
                }
                Assert.assertEquals(this.algorithm, new JWSInput(this.token).getHeader().getAlgorithm().name());
                if (this.runAfterTokenRequest != null) {
                    this.runAfterTokenRequest.run(this);
                }
                CloseableHttpClient build = HttpClientBuilder.create().build();
                Throwable th = null;
                try {
                    String str = ServerURLs.getAuthServerContextRoot() + "/auth/realms/" + this.realm + "/protocol/openid-connect/ext/openshift-token-review/" + this.clientId;
                    OpenShiftTokenReviewRequestRepresentation openShiftTokenReviewRequestRepresentation = new OpenShiftTokenReviewRequestRepresentation();
                    OpenShiftTokenReviewRequestRepresentation.Spec spec = new OpenShiftTokenReviewRequestRepresentation.Spec();
                    spec.setToken(this.token);
                    spec.setAudiences(new String[]{BackchannelLogoutTest.ACCOUNT_CLIENT_NAME});
                    openShiftTokenReviewRequestRepresentation.setSpec(spec);
                    HttpPost httpPost = new HttpPost(str);
                    httpPost.setHeader("Content-Type", ContentType.APPLICATION_JSON.toString());
                    httpPost.setHeader("Accept", ContentType.APPLICATION_JSON.toString());
                    httpPost.setEntity(new StringEntity(JsonSerialization.writeValueAsString(openShiftTokenReviewRequestRepresentation)));
                    CloseableHttpResponse execute = build.execute(httpPost);
                    Throwable th2 = null;
                    try {
                        this.responseStatus = execute.getStatusLine().getStatusCode();
                        this.response = (OpenShiftTokenReviewResponseRepresentation) JsonSerialization.readValue(execute.getEntity().getContent(), OpenShiftTokenReviewResponseRepresentation.class);
                        if (execute != null) {
                            if (0 != 0) {
                                try {
                                    execute.close();
                                } catch (Throwable th3) {
                                    th2.addSuppressed(th3);
                                }
                            } else {
                                execute.close();
                            }
                        }
                        Assert.assertEquals("authentication.k8s.io/v1beta1", this.response.getApiVersion());
                        Assert.assertEquals("TokenReview", this.response.getKind());
                        if (build != null) {
                            if (0 != 0) {
                                try {
                                    build.close();
                                } catch (Throwable th4) {
                                    th.addSuppressed(th4);
                                }
                            } else {
                                build.close();
                            }
                        }
                        return this;
                    } catch (Throwable th5) {
                        if (execute != null) {
                            if (0 != 0) {
                                try {
                                    execute.close();
                                } catch (Throwable th6) {
                                    th2.addSuppressed(th6);
                                }
                            } else {
                                execute.close();
                            }
                        }
                        throw th5;
                    }
                } finally {
                }
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
        }

        public Review assertSuccess() {
            Assert.assertEquals(200L, this.responseStatus);
            Assert.assertTrue(this.response.getStatus().isAuthenticated());
            Assert.assertNotNull(this.response.getStatus().getUser());
            return this;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public Review assertError(int i, String str) {
            Assert.assertEquals(i, this.responseStatus);
            Assert.assertFalse(this.response.getStatus().isAuthenticated());
            Assert.assertNull(this.response.getStatus().getUser());
            if (str != null) {
                Assert.assertEquals(str, OpenShiftTokenReviewEndpointTest.this.events.poll().getDetails().get("reason"));
            }
            return this;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public void assertScope(String... strArr) {
            List asList = Arrays.asList(this.response.getStatus().getUser().getExtra().getScopes());
            Assert.assertEquals(strArr.length, asList.size());
            MatcherAssert.assertThat(asList, IsIterableContainingInAnyOrder.containsInAnyOrder(strArr));
        }

        private void assertEmptyScope() {
            Assert.assertNull(this.response.getStatus().getUser().getExtra());
        }

        /* JADX INFO: Access modifiers changed from: private */
        public void assertGroups(String... strArr) {
            LinkedList linkedList = new LinkedList(this.response.getStatus().getUser().getGroups());
            Assert.assertEquals(strArr.length, linkedList.size());
            MatcherAssert.assertThat(linkedList, IsIterableContainingInAnyOrder.containsInAnyOrder(strArr));
        }
    }

    @Override // org.keycloak.testsuite.AbstractTestRealmKeycloakTest
    public void configureTestRealm(RealmRepresentation realmRepresentation) {
        ClientRepresentation clientRepresentation = (ClientRepresentation) realmRepresentation.getClients().stream().filter(clientRepresentation2 -> {
            return clientRepresentation2.getClientId().equals(AssertEvents.DEFAULT_CLIENT_ID);
        }).findFirst().get();
        LinkedList linkedList = new LinkedList();
        ProtocolMapperRepresentation protocolMapperRepresentation = new ProtocolMapperRepresentation();
        protocolMapperRepresentation.setName("groups");
        protocolMapperRepresentation.setProtocolMapper("oidc-group-membership-mapper");
        protocolMapperRepresentation.setProtocol("openid-connect");
        HashMap hashMap = new HashMap();
        hashMap.put("full.path", "false");
        hashMap.put("claim.name", "groups");
        hashMap.put("access.token.claim", "true");
        hashMap.put("id.token.claim", "true");
        protocolMapperRepresentation.setConfig(hashMap);
        linkedList.add(protocolMapperRepresentation);
        clientRepresentation.setProtocolMappers(linkedList);
        clientRepresentation.setPublicClient(false);
        clientRepresentation.setClientAuthenticatorType("testsuite-client-dummy");
        realmRepresentation.getUsers().add(UserBuilder.create().username("groups-user").password("password").addGroups("/topGroup", "/topGroup/level2group").role(BackchannelLogoutTest.ACCOUNT_CLIENT_NAME, "view-profile").build());
        realmRepresentation.getUsers().add(UserBuilder.create().username("empty-audience").password("password").build());
    }

    @Before
    public void enablePassthroughAuthenticator() {
        if (flowConfigured) {
            return;
        }
        HashMap hashMap = new HashMap();
        hashMap.put("newName", "testsuite-client-dummy");
        Response copy = testRealm().flows().copy("clients", hashMap);
        Assert.assertEquals(201L, copy.getStatus());
        copy.close();
        HashMap hashMap2 = new HashMap();
        hashMap2.put("provider", "testsuite-client-dummy");
        hashMap2.put("requirement", "ALTERNATIVE");
        testRealm().flows().addExecution("testsuite-client-dummy", hashMap2);
        RealmRepresentation representation = testRealm().toRepresentation();
        representation.setClientAuthenticationFlow("testsuite-client-dummy");
        testRealm().update(representation);
        for (AuthenticationExecutionInfoRepresentation authenticationExecutionInfoRepresentation : testRealm().flows().getExecutions("testsuite-client-dummy")) {
            if (authenticationExecutionInfoRepresentation.getProviderId().equals("testsuite-client-dummy")) {
                authenticationExecutionInfoRepresentation.setRequirement("ALTERNATIVE");
                testRealm().flows().updateExecutions("testsuite-client-dummy", authenticationExecutionInfoRepresentation);
            }
        }
        flowConfigured = true;
    }

    @Test
    public void basicTest() {
        Review invoke = new Review().invoke();
        String id = ((UserRepresentation) testRealm().users().search(invoke.username).get(0)).getId();
        OpenShiftTokenReviewResponseRepresentation.User user = invoke.response.getStatus().getUser();
        Assert.assertEquals(id, user.getUid());
        Assert.assertEquals(AssertEvents.DEFAULT_USERNAME, user.getUsername());
        Assert.assertNotNull(user.getExtra());
        invoke.assertScope("openid", "email", "profile");
    }

    @Test
    public void longExpiration() {
        ClientResource findClientByClientId = ApiUtil.findClientByClientId(this.adminClient.realm("test"), AssertEvents.DEFAULT_CLIENT_ID);
        ClientRepresentation representation = findClientByClientId.toRepresentation();
        try {
            representation.getAttributes().put("access.token.lifespan", "-1");
            findClientByClientId.update(representation);
            setTimeOffset(1500);
            Review review = new Review();
            review.invoke().assertSuccess();
            setTimeOffset(3000);
            review.invoke().assertSuccess();
            setTimeOffset(4500);
            review.invoke().assertSuccess();
            representation.getAttributes().put("access.token.lifespan", null);
            findClientByClientId.update(representation);
        } catch (Throwable th) {
            representation.getAttributes().put("access.token.lifespan", null);
            findClientByClientId.update(representation);
            throw th;
        }
    }

    @Test
    public void hs256() {
        RealmResource realm = this.adminClient.realm("test");
        RealmRepresentation representation = realm.toRepresentation();
        try {
            representation.setDefaultSignatureAlgorithm("HS256");
            realm.update(representation);
            Review assertSuccess = new Review().algorithm("HS256").invoke().assertSuccess();
            String id = ((UserRepresentation) testRealm().users().search(assertSuccess.username).get(0)).getId();
            OpenShiftTokenReviewResponseRepresentation.User user = assertSuccess.response.getStatus().getUser();
            Assert.assertEquals(id, user.getUid());
            Assert.assertEquals(AssertEvents.DEFAULT_USERNAME, user.getUsername());
            Assert.assertNotNull(user.getExtra());
            assertSuccess.assertScope("openid", "email", "profile");
            representation.setDefaultSignatureAlgorithm((String) null);
            realm.update(representation);
        } catch (Throwable th) {
            representation.setDefaultSignatureAlgorithm((String) null);
            realm.update(representation);
            throw th;
        }
    }

    @Test
    public void groups() {
        new Review().username("groups-user").invoke().assertSuccess().assertGroups("topGroup", "level2group");
    }

    @Test
    public void customScopes() {
        ClientScopeRepresentation clientScopeRepresentation = new ClientScopeRepresentation();
        clientScopeRepresentation.setProtocol("openid-connect");
        clientScopeRepresentation.setName("user:info");
        Response create = testRealm().clientScopes().create(clientScopeRepresentation);
        Throwable th = null;
        try {
            try {
                String createdId = ApiUtil.getCreatedId(create);
                if (create != null) {
                    if (0 != 0) {
                        try {
                            create.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        create.close();
                    }
                }
                ClientRepresentation clientRepresentation = (ClientRepresentation) testRealm().clients().findByClientId(AssertEvents.DEFAULT_CLIENT_ID).get(0);
                testRealm().clients().get(clientRepresentation.getId()).addOptionalClientScope(createdId);
                try {
                    this.oauth.scope("user:info");
                    new Review().invoke().assertSuccess().assertScope("openid", "user:info", "profile", "email");
                    testRealm().clients().get(clientRepresentation.getId()).removeOptionalClientScope(createdId);
                } catch (Throwable th3) {
                    testRealm().clients().get(clientRepresentation.getId()).removeOptionalClientScope(createdId);
                    throw th3;
                }
            } finally {
            }
        } catch (Throwable th4) {
            if (create != null) {
                if (th != null) {
                    try {
                        create.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    create.close();
                }
            }
            throw th4;
        }
    }

    @Test
    public void emptyAudience() {
        new Review().username("empty-audience").invoke().assertError(401, "Token verification failure");
    }

    @Test
    public void expiredToken() {
        try {
            new Review().runAfterTokenRequest(review -> {
                setTimeOffset(testRealm().toRepresentation().getAccessTokenLifespan().intValue() + 10);
            }).invoke().assertError(401, "Token verification failure");
        } finally {
            resetTimeOffset();
        }
    }

    @Test
    public void invalidPublicKey() {
        new Review().runAfterTokenRequest(review -> {
            String str = review.token.split("\\.")[0];
            review.token = review.token.replaceFirst(str, Base64Url.encode(new String(Base64Url.decode(str)).replace(",\"kid\" : \"", ",\"kid\" : \"x").getBytes()));
        }).invoke().assertError(401, "Token verification failure");
    }

    @Test
    public void noUserSession() {
        new Review().runAfterTokenRequest(review -> {
            testRealm().users().get(((UserRepresentation) testRealm().users().search(review.username).get(0)).getId()).logout();
        }).invoke().assertError(401, "Token verification failure");
    }

    @Test
    public void invalidTokenSignature() {
        new Review().runAfterTokenRequest(review -> {
            review.token += "x";
        }).invoke().assertError(401, "Token verification failure");
    }

    @Test
    public void realmDisabled() {
        RealmRepresentation representation = testRealm().toRepresentation();
        try {
            new Review().runAfterTokenRequest(review -> {
                representation.setEnabled(false);
                testRealm().update(representation);
            }).invoke().assertError(401, null);
        } finally {
            representation.setEnabled(Boolean.valueOf(true));
            testRealm().update(representation);
        }
    }

    @Test
    public void publicClientNotPermitted() {
        ClientRepresentation clientRepresentation = (ClientRepresentation) testRealm().clients().findByClientId(AssertEvents.DEFAULT_CLIENT_ID).get(0);
        clientRepresentation.setPublicClient(true);
        testRealm().clients().get(clientRepresentation.getId()).update(clientRepresentation);
        try {
            new Review().clientAuthMethod("client-secret").invoke().assertError(401, "Public client is not permitted to invoke token review endpoint");
        } finally {
            clientRepresentation.setPublicClient(Boolean.valueOf(false));
            clientRepresentation.setSecret("password");
            testRealm().clients().get(clientRepresentation.getId()).update(clientRepresentation);
        }
    }

    @Test
    public void checkXSSValidation() throws IOException {
        CloseableHttpClient build = HttpClientBuilder.create().build();
        Throwable th = null;
        try {
            HttpPost httpPost = new HttpPost(ServerURLs.getAuthServerContextRoot() + "/auth/realms/test/protocol/openid-connect/ext/openshift-token-review/");
            httpPost.setHeader("Content-Type", ContentType.APPLICATION_JSON.toString());
            httpPost.setHeader("Accept", ContentType.APPLICATION_JSON.toString());
            httpPost.setEntity(new StringEntity("{\"<img src=alert(1)>\":1}"));
            CloseableHttpResponse execute = build.execute(httpPost);
            Throwable th2 = null;
            try {
                try {
                    Header firstHeader = execute.getFirstHeader("Content-Type");
                    MatcherAssert.assertThat(firstHeader, Matchers.notNullValue());
                    MatcherAssert.assertThat(Boolean.valueOf(Arrays.stream(firstHeader.getElements()).map((v0) -> {
                        return v0.getName();
                    }).filter((v0) -> {
                        return Objects.nonNull(v0);
                    }).anyMatch(str -> {
                        return str.equals("application/json");
                    })), Is.is(true));
                    MatcherAssert.assertThat(Boolean.valueOf(EntityUtils.toString(execute.getEntity()).contains("Unrecognized field \\\"<img src=alert(1)>\\\"")), Is.is(false));
                    if (execute != null) {
                        if (0 != 0) {
                            try {
                                execute.close();
                            } catch (Throwable th3) {
                                th2.addSuppressed(th3);
                            }
                        } else {
                            execute.close();
                        }
                    }
                    if (build != null) {
                        if (0 == 0) {
                            build.close();
                            return;
                        }
                        try {
                            build.close();
                        } catch (Throwable th4) {
                            th.addSuppressed(th4);
                        }
                    }
                } catch (Throwable th5) {
                    th2 = th5;
                    throw th5;
                }
            } catch (Throwable th6) {
                if (execute != null) {
                    if (th2 != null) {
                        try {
                            execute.close();
                        } catch (Throwable th7) {
                            th2.addSuppressed(th7);
                        }
                    } else {
                        execute.close();
                    }
                }
                throw th6;
            }
        } catch (Throwable th8) {
            if (build != null) {
                if (0 != 0) {
                    try {
                        build.close();
                    } catch (Throwable th9) {
                        th.addSuppressed(th9);
                    }
                } else {
                    build.close();
                }
            }
            throw th8;
        }
    }
}
