package org.keycloak.testsuite.client;

import com.fasterxml.jackson.databind.JsonNode;
import java.io.IOException;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.impl.client.CloseableHttpClient;
import org.hamcrest.Matchers;
import org.jboss.logging.Logger;
import org.junit.Assert;
import org.junit.Assume;
import org.junit.Test;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.RolesResource;
import org.keycloak.client.registration.ClientRegistrationException;
import org.keycloak.common.util.Base64Url;
import org.keycloak.events.EventType;
import org.keycloak.jose.jws.Algorithm;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.Constants;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.IDToken;
import org.keycloak.representations.RefreshToken;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.EventRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.representations.oidc.OIDCClientRepresentation;
import org.keycloak.representations.oidc.TokenMetadataRepresentation;
import org.keycloak.services.clientpolicy.ClientPolicyEvent;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.executor.SecureRequestObjectExecutor;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.AbstractAdminTest;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.client.resources.TestApplicationResourceUrls;
import org.keycloak.testsuite.client.resources.TestOIDCEndpointsApplicationResource;
import org.keycloak.testsuite.docker.DockerClientTest;
import org.keycloak.testsuite.rest.resource.TestingOIDCEndpointsApplicationResource;
import org.keycloak.testsuite.updaters.ClientAttributeUpdater;
import org.keycloak.testsuite.util.ClientPoliciesUtil;
import org.keycloak.testsuite.util.MutualTLSUtils;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.RoleBuilder;
import org.keycloak.testsuite.util.ServerURLs;
import org.keycloak.util.JsonSerialization;

/* loaded from: input_file:org/keycloak/testsuite/client/ClientPoliciesTest.class */
public class ClientPoliciesTest extends AbstractClientPoliciesTest {
    // Class logger; the visible tests use it only for a progress message after a policy is deleted.
    private static final Logger logger = Logger.getLogger(ClientPoliciesTest.class);
    // Base display name for clients created by the tests; callers pass it through generateSuffixedName(...).
    private static final String CLIENT_NAME = "Zahlungs-App";
    // End-user fixture credentials for the browser login flows. Test-only values.
    // NOTE(review): the visible methods pass the same literals directly instead of these constants,
    // probably because compile-time constants were inlined in this listing - confirm before changing one.
    private static final String TEST_USER_NAME = "test-user@localhost";
    private static final String TEST_USER_PASSWORD = "password";

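    /**
     * Adds the realm loaded from {@code /testrealm.json} to {@code list}, extended with two
     * fixture users that hold client-management roles on {@code realm-management}:
     * {@code manage-clients} (role {@link AdminRoles#MANAGE_CLIENTS}) and {@code create-clients}
     * (role {@link AdminRoles#CREATE_CLIENT}, member of {@code topGroup}).
     *
     * <p>Both users share one fixed password credential. These are test fixtures only; the
     * privileged roles combined with a well-known password must never be imported into a real realm.
     *
     * @param list realm representations to import; the prepared realm is appended to it
     */
    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void addTestRealms(List<RealmRepresentation> list) {
        RealmRepresentation realm = (RealmRepresentation) AbstractAdminTest.loadJson(
                getClass().getResourceAsStream("/testrealm.json"), RealmRepresentation.class);
        // Parameterized types replace the raw List/LinkedList so the compiler checks element types.
        List<UserRepresentation> users = realm.getUsers();

        CredentialRepresentation password = new CredentialRepresentation();
        password.setType("password");
        password.setValue("password");
        List<CredentialRepresentation> credentials = new LinkedList<>();
        credentials.add(password);

        UserRepresentation manageClientsUser = new UserRepresentation();
        manageClientsUser.setEnabled(true);
        manageClientsUser.setUsername("manage-clients");
        manageClientsUser.setCredentials(credentials);
        manageClientsUser.setClientRoles(Collections.singletonMap(
                "realm-management", Collections.singletonList(AdminRoles.MANAGE_CLIENTS)));
        users.add(manageClientsUser);

        UserRepresentation createClientsUser = new UserRepresentation();
        createClientsUser.setEnabled(true);
        createClientsUser.setUsername("create-clients");
        createClientsUser.setCredentials(credentials);
        createClientsUser.setClientRoles(Collections.singletonMap(
                "realm-management", Collections.singletonList(AdminRoles.CREATE_CLIENT)));
        // Group membership is what testClientUpdateSourceGroupsCondition's "topGroup" condition refers to.
        createClientsUser.setGroups(Arrays.asList("topGroup"));
        users.add(createClientsUser);

        realm.setUsers(users);
        list.add(realm);
    }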

    /**
     * With the policy installed by {@code setupPolicyClientIdAndSecretNotAcceptableAuthType}
     * (defined outside this view), registering a client through the admin API with the
     * {@code client-secret} authenticator must fail with {@code invalid_client_metadata}.
     */
    @Test
    public void testAdminClientRegisterUnacceptableAuthType() throws Exception {
        setupPolicyClientIdAndSecretNotAcceptableAuthType("MyPolicy");
        try {
            String name = generateSuffixedName(CLIENT_NAME);
            createClientByAdmin(name, rep -> rep.setClientAuthenticatorType("client-secret"));
            // Reaching this line means the policy let the shared-secret authenticator through.
            Assert.fail();
        } catch (ClientPolicyException rejected) {
            Assert.assertEquals("invalid_client_metadata", rejected.getMessage());
        }
    }

    /**
     * Under the same policy, a client registered with {@code client-secret-jwt} is accepted and
     * the stored representation keeps that authenticator type.
     */
    @Test
    public void testAdminClientRegisterAcceptableAuthType() throws Exception {
        setupPolicyClientIdAndSecretNotAcceptableAuthType("MyPolicy");
        String cId = createClientByAdmin(generateSuffixedName(CLIENT_NAME),
                rep -> rep.setClientAuthenticatorType("client-secret-jwt"));
        ClientRepresentation stored = getClientByAdmin(cId);
        Assert.assertEquals("client-secret-jwt", stored.getClientAuthenticatorType());
    }

    /**
     * Registering a client without choosing an authenticator must be rejected as well: the
     * expected {@code invalid_client_metadata} shows that the authenticator a client gets by
     * default is not one the policy accepts.
     */
    @Test
    public void testAdminClientRegisterDefaultAuthType() throws Exception {
        setupPolicyClientIdAndSecretNotAcceptableAuthType("MyPolicy");
        try {
            String name = generateSuffixedName(CLIENT_NAME);
            // Empty customizer: the representation is sent as the helper builds it.
            createClientByAdmin(name, rep -> { });
            Assert.fail();
        } catch (ClientPolicyException rejected) {
            Assert.assertEquals("invalid_client_metadata", rejected.getMessage());
        }
    }

    /**
     * An existing client that uses {@code client-secret-jwt} cannot be switched to
     * {@code client-secret} through an admin update: the update fails with
     * {@code invalid_client_metadata} and the stored authenticator type is unchanged.
     */
    @Test
    public void testAdminClientUpdateUnacceptableAuthType() throws Exception {
        setupPolicyClientIdAndSecretNotAcceptableAuthType("MyPolicy");
        String cId = createClientByAdmin(generateSuffixedName(CLIENT_NAME),
                rep -> rep.setClientAuthenticatorType("client-secret-jwt"));
        ClientRepresentation afterCreate = getClientByAdmin(cId);
        Assert.assertEquals("client-secret-jwt", afterCreate.getClientAuthenticatorType());

        try {
            updateClientByAdmin(cId, rep -> rep.setClientAuthenticatorType("client-secret"));
            Assert.fail();
        } catch (ClientPolicyException rejected) {
            Assert.assertEquals("invalid_client_metadata", rejected.getError());
        }

        // The rejected update must not have been persisted.
        ClientRepresentation afterRejectedUpdate = getClientByAdmin(cId);
        Assert.assertEquals("client-secret-jwt", afterRejectedUpdate.getClientAuthenticatorType());
    }

    /**
     * Adds a second profile ("UnusedProfile") that configures the same
     * {@code secure-client-authenticator} executor type with a narrower allow-list
     * ({@code client-jwt}, {@code client-x509}). No policy in this method refers to that profile,
     * and the assertion checks that it does not leak into enforcement: {@code client-secret-jwt}
     * is still accepted.
     */
    @Test
    public void testTwoProfilesWithDifferentConfigurationOfSameExecutorType() throws Exception {
        setupPolicyClientIdAndSecretNotAcceptableAuthType("MyPolicy");

        String profilesJson = new ClientPoliciesUtil.ClientProfilesBuilder(getProfilesWithoutGlobals())
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("UnusedProfile", "Profile with SecureClientAuthEnforceExecutorFactory")
                        .addExecutor("secure-client-authenticator",
                                ClientPoliciesUtil.createSecureClientAuthenticatorExecutorConfig(
                                        Arrays.asList("client-jwt", "client-x509"), null))
                        .toRepresentation())
                .toString();
        updateProfiles(profilesJson);

        String cId = createClientByAdmin(generateSuffixedName(CLIENT_NAME),
                rep -> rep.setClientAuthenticatorType("client-secret-jwt"));
        ClientRepresentation stored = getClientByAdmin(cId);
        Assert.assertEquals("client-secret-jwt", stored.getClientAuthenticatorType());
    }

    /**
     * Switching an existing client from {@code client-secret-jwt} to {@code client-jwt} through an
     * admin update is allowed by the policy and is persisted.
     */
    @Test
    public void testAdminClientUpdateAcceptableAuthType() throws Exception {
        setupPolicyClientIdAndSecretNotAcceptableAuthType("MyPolicy");
        String cId = createClientByAdmin(generateSuffixedName(CLIENT_NAME),
                rep -> rep.setClientAuthenticatorType("client-secret-jwt"));
        ClientRepresentation afterCreate = getClientByAdmin(cId);
        Assert.assertEquals("client-secret-jwt", afterCreate.getClientAuthenticatorType());

        updateClientByAdmin(cId, rep -> rep.setClientAuthenticatorType("client-jwt"));

        ClientRepresentation afterUpdate = getClientByAdmin(cId);
        Assert.assertEquals("client-jwt", afterUpdate.getClientAuthenticatorType());
    }

    /**
     * An admin update that does not touch the authenticator type (here only
     * {@code serviceAccountsEnabled} is changed) is accepted, and the previously stored
     * {@code client-secret-jwt} authenticator is left in place.
     */
    @Test
    public void testAdminClientUpdateDefaultAuthType() throws Exception {
        setupPolicyClientIdAndSecretNotAcceptableAuthType("MyPolicy");
        String cId = createClientByAdmin(generateSuffixedName(CLIENT_NAME),
                rep -> rep.setClientAuthenticatorType("client-secret-jwt"));
        ClientRepresentation afterCreate = getClientByAdmin(cId);
        Assert.assertEquals("client-secret-jwt", afterCreate.getClientAuthenticatorType());

        updateClientByAdmin(cId, rep -> rep.setServiceAccountsEnabled(Boolean.FALSE));

        // Two separate reads, one per assertion.
        ClientRepresentation authTypeCheck = getClientByAdmin(cId);
        Assert.assertEquals("client-secret-jwt", authTypeCheck.getClientAuthenticatorType());
        ClientRepresentation serviceAccountCheck = getClientByAdmin(cId);
        Assert.assertEquals(Boolean.FALSE, serviceAccountCheck.isServiceAccountsEnabled());
    }

    /**
     * Exercises the second argument of {@code createSecureClientAuthenticatorExecutorConfig},
     * which the assertions show to be the authenticator applied when a client names none:
     * <ol>
     *   <li>{@code client-secret} (not in the allow-list) is rejected with
     *       {@code invalid_client_metadata};</li>
     *   <li>a client created without an authenticator ends up with {@code client-x509};</li>
     *   <li>after the profile's second argument is changed to {@code client-jwt}, an update that
     *       explicitly picks the allowed {@code client-secret-jwt} is stored as requested.</li>
     * </ol>
     */
    @Test
    public void testAdminClientAutoConfiguredClientAuthType() throws Exception {
        String initialProfiles = new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "Pershyy Profil")
                        .addExecutor("secure-client-authenticator",
                                ClientPoliciesUtil.createSecureClientAuthenticatorExecutorConfig(
                                        Arrays.asList("client-jwt", "client-secret-jwt", "client-x509"),
                                        "client-x509"))
                        .toRepresentation())
                .toString();
        updateProfiles(initialProfiles);

        String policies = new ClientPoliciesUtil.ClientPoliciesBuilder()
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy", "Persha Polityka", Boolean.TRUE)
                        .addCondition("client-updater-context",
                                ClientPoliciesUtil.createClientUpdateContextConditionConfig(
                                        Arrays.asList("ByAuthenticatedUser")))
                        .addProfile("MyProfile")
                        .toRepresentation())
                .toString();
        updatePolicies(policies);

        try {
            String rejectedName = generateSuffixedName(CLIENT_NAME);
            createClientByAdmin(rejectedName, rep -> rep.setClientAuthenticatorType("client-secret"));
            Assert.fail();
        } catch (ClientPolicyException rejected) {
            Assert.assertEquals("invalid_client_metadata", rejected.getMessage());
        }

        String cId = createClientByAdmin(generateSuffixedName(CLIENT_NAME), rep -> { });
        ClientRepresentation autoConfigured = getClientByAdmin(cId);
        Assert.assertEquals("client-x509", autoConfigured.getClientAuthenticatorType());

        String updatedProfiles = new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "Pershyy Profil")
                        .addExecutor("secure-client-authenticator",
                                ClientPoliciesUtil.createSecureClientAuthenticatorExecutorConfig(
                                        Arrays.asList("client-jwt", "client-secret-jwt", "client-x509"),
                                        "client-jwt"))
                        .toRepresentation())
                .toString();
        updateProfiles(updatedProfiles);

        updateClientByAdmin(cId, rep -> rep.setClientAuthenticatorType("client-secret-jwt"));
        ClientRepresentation explicitlySet = getClientByAdmin(cId);
        Assert.assertEquals("client-secret-jwt", explicitlySet.getClientAuthenticatorType());
    }

    /**
     * Shows that {@code secure-client-authenticator} is enforced at the token endpoint, not only
     * at registration time. The client is created with a plain secret while the policy's
     * {@code client-roles} condition does not yet match it, so it logs in normally and is stored
     * as {@code client-secret}. Once the client receives the role
     * {@code sample-client-role-alpha}, the code-to-token exchange authenticated with that secret
     * is refused with HTTP 400 / {@code invalid_grant}.
     */
    @Test
    public void testSecureClientAuthenticatorDuringLogin() throws Exception {
        String profiles = new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "Primum Profile")
                        .addExecutor("secure-client-authenticator",
                                ClientPoliciesUtil.createSecureClientAuthenticatorExecutorConfig(
                                        Arrays.asList("client-jwt", "client-secret-jwt", "client-x509"), null))
                        .toRepresentation())
                .toString();
        updateProfiles(profiles);

        String policies = new ClientPoliciesUtil.ClientPoliciesBuilder()
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy", "Den Forste Politikken", Boolean.TRUE)
                        .addCondition("client-roles",
                                ClientPoliciesUtil.createClientRolesConditionConfig(
                                        Arrays.asList("sample-client-role-alpha", "sample-client-role-zeta")))
                        .addProfile("MyProfile")
                        .toRepresentation())
                .toString();
        updatePolicies(policies);

        String clientId = generateSuffixedName(CLIENT_NAME);
        createClientByAdmin(clientId, rep -> rep.setSecret("secret"));
        successfulLoginAndLogout(clientId, "secret");

        ClientResource client = ApiUtil.findClientByClientId(this.adminClient.realm("test"), clientId);
        Assert.assertEquals("client-secret", client.toRepresentation().getClientAuthenticatorType());

        // From here on the client-roles condition matches this client.
        client.roles().create(RoleBuilder.create().name("sample-client-role-alpha").build());

        this.oauth.clientId(clientId);
        this.oauth.doLogin("test-user@localhost", "password");
        String code = (String) this.oauth.getCurrentQuery().get("code");
        OAuthClient.AccessTokenResponse tokenResponse = this.oauth.doAccessTokenRequest(code, "secret");

        Assert.assertEquals(400L, tokenResponse.getStatusCode());
        Assert.assertEquals("invalid_grant", tokenResponse.getError());
        Assert.assertEquals("Configured client authentication method not allowed for client",
                tokenResponse.getErrorDescription());
    }

    /**
     * Dynamic client registration and update while the policy from
     * {@code setupPolicyClientIdAndSecretNotAcceptableAuthType} is installed. Both requests succeed
     * with {@code client_secret_basic}, so the policy evidently does not apply to this
     * registration path; its conditions are defined outside this view.
     * The update also turns on certificate-bound access tokens and checks the value is stored.
     */
    @Test
    public void testDynamicClientRegisterAndUpdate() throws Exception {
        setupPolicyClientIdAndSecretNotAcceptableAuthType("MyPolicy");
        String clientId = createClientDynamically(generateSuffixedName(CLIENT_NAME), rep -> { });

        // Each assertion re-reads the client, matching the number of reads the test has always made.
        OIDCClientRepresentation createdAuth = getClientDynamically(clientId);
        Assert.assertEquals("client_secret_basic", createdAuth.getTokenEndpointAuthMethod());
        OIDCClientRepresentation createdBinding = getClientDynamically(clientId);
        Assert.assertEquals(Boolean.FALSE, createdBinding.getTlsClientCertificateBoundAccessTokens());

        updateClientDynamically(clientId, rep -> {
            rep.setTokenEndpointAuthMethod("client_secret_basic");
            rep.setTlsClientCertificateBoundAccessTokens(Boolean.TRUE);
        });

        OIDCClientRepresentation updatedAuth = getClientDynamically(clientId);
        Assert.assertEquals("client_secret_basic", updatedAuth.getTokenEndpointAuthMethod());
        OIDCClientRepresentation updatedBinding = getClientDynamically(clientId);
        Assert.assertEquals(Boolean.TRUE, updatedBinding.getTlsClientCertificateBoundAccessTokens());
    }

    /**
     * Policies take effect and stop taking effect at runtime, without re-registering the client:
     * login works before any policy exists, is refused by {@code failLoginByNotFollowingPKCE}
     * after {@code setupPolicyAuthzCodeFlowUnderMultiPhasePolicy} installs "MyPolicy", and works
     * again once that policy is deleted. Both helpers are defined outside this view.
     */
    @Test
    public void testCreateDeletePolicyRuntime() throws Exception {
        String clientId = createClientDynamically(generateSuffixedName(CLIENT_NAME), rep -> { });
        OIDCClientRepresentation registered = getClientDynamically(clientId);
        Assert.assertEquals("client_secret_basic", registered.getTokenEndpointAuthMethod());

        // Registration and the read above are expected to be audited with no user attached.
        this.events.expect(EventType.CLIENT_REGISTER)
                .client(clientId)
                .user(Matchers.isEmptyOrNullString())
                .assertEvent();
        this.events.expect(EventType.CLIENT_INFO)
                .client(clientId)
                .user(Matchers.isEmptyOrNullString())
                .assertEvent();

        this.adminClient.realm("test").clients().get(clientId).roles()
                .create(RoleBuilder.create().name("sample-client-role").build());

        successfulLoginAndLogout(clientId, registered.getClientSecret());

        setupPolicyAuthzCodeFlowUnderMultiPhasePolicy("MyPolicy");
        failLoginByNotFollowingPKCE(clientId);

        deletePolicy("MyPolicy");
        logger.info("... Deleted Policy : MyPolicy");

        successfulLoginAndLogout(clientId, registered.getClientSecret());
    }

    /**
     * Changes a policy's condition at runtime and checks enforcement follows it:
     * <ol>
     *   <li>no policy yet: login succeeds;</li>
     *   <li>{@code client-roles} condition names a role the client has: login without PKCE fails;</li>
     *   <li>condition names a role the client lacks: login succeeds again;</li>
     *   <li>policy has no condition at all: login still succeeds.</li>
     * </ol>
     * Step 4 matters operationally: removing the last condition switches enforcement off for this
     * client rather than applying the profile to everyone.
     */
    @Test
    public void testCreateUpdateDeleteConditionRuntime() throws Exception {
        String profiles = new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "Den Eichte profil")
                        .addExecutor("pkce-enforcer",
                                ClientPoliciesUtil.createPKCEEnforceExecutorConfig(Boolean.TRUE))
                        .toRepresentation())
                .toString();
        updateProfiles(profiles);

        String clientId = generateSuffixedName(CLIENT_NAME);
        String secret = "secret";
        this.adminClient.realm("test").clients()
                .get(createClientByAdmin(clientId, rep -> rep.setSecret(secret)))
                .roles()
                .create(RoleBuilder.create().name("sample-client-role").build());
        successfulLoginAndLogout(clientId, "secret");

        String policies = new ClientPoliciesUtil.ClientPoliciesBuilder()
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy", "Dei Eischt Politik", Boolean.TRUE)
                        .addCondition("client-roles",
                                ClientPoliciesUtil.createClientRolesConditionConfig(
                                        Arrays.asList("sample-client-role")))
                        .addProfile("MyProfile")
                        .toRepresentation())
                .toString();
        updatePolicies(policies);
        failLoginByNotFollowingPKCE(clientId);

        // Point the condition at a role this client does not have.
        updatePolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                .createPolicy("MyPolicy", "Dei Aktualiseiert Eischt Politik", Boolean.TRUE)
                .addCondition("client-roles",
                        ClientPoliciesUtil.createClientRolesConditionConfig(
                                Arrays.asList("anothor-client-role")))
                .addProfile("MyProfile")
                .toRepresentation());
        successfulLoginAndLogout(clientId, "secret");

        // Drop the condition entirely; the profile stays attached.
        updatePolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                .createPolicy("MyPolicy", "Dei Aktualiseiert Eischt Politik", Boolean.TRUE)
                .addProfile("MyProfile")
                .toRepresentation());
        successfulLoginAndLogout(clientId, "secret");
    }

    /**
     * Adds, reconfigures and removes the {@code pkce-enforcer} executor at runtime:
     * <ol>
     *   <li>the policy has no profile attached: login succeeds;</li>
     *   <li>the profile is attached (executor configured with {@code FALSE}): login without PKCE
     *       fails;</li>
     *   <li>the executor is reconfigured with {@code TRUE}: an unrelated admin update leaves the
     *       client with PKCE method {@code S256}, so the flag presumably enables auto-configuration
     *       - confirm against {@code createPKCEEnforceExecutorConfig};</li>
     *   <li>the executor is removed from the profile: the PKCE method can be cleared and login
     *       without PKCE succeeds again.</li>
     * </ol>
     */
    @Test
    public void testCreateUpdateDeleteExecutorRuntime() throws Exception {
        String profiles = new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "Purofairu Sono Ichi")
                        .addExecutor("pkce-enforcer",
                                ClientPoliciesUtil.createPKCEEnforceExecutorConfig(Boolean.FALSE))
                        .toRepresentation())
                .toString();
        updateProfiles(profiles);

        // Policy without a profile: the conditions can match, but nothing is enforced yet.
        String policies = new ClientPoliciesUtil.ClientPoliciesBuilder()
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy", "Porishii Sono Ichi", Boolean.TRUE)
                        .addCondition("client-roles",
                                ClientPoliciesUtil.createClientRolesConditionConfig(
                                        Arrays.asList("sample-client-role")))
                        .addCondition("client-updater-context",
                                ClientPoliciesUtil.createClientUpdateContextConditionConfig(
                                        Arrays.asList("ByAuthenticatedUser")))
                        .toRepresentation())
                .toString();
        updatePolicies(policies);

        String clientId = generateSuffixedName(CLIENT_NAME);
        String secret = "secret";
        String cId = createClientByAdmin(clientId, rep -> rep.setSecret(secret));
        this.adminClient.realm("test").clients().get(cId).roles()
                .create(RoleBuilder.create().name("sample-client-role").build());
        successfulLoginAndLogout(clientId, "secret");

        // Attach the profile to the policy.
        updatePolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                .createPolicy("MyPolicy", "Koushinsareta Porishii Sono Ichi", Boolean.TRUE)
                .addCondition("client-roles",
                        ClientPoliciesUtil.createClientRolesConditionConfig(
                                Arrays.asList("sample-client-role")))
                .addCondition("client-updater-context",
                        ClientPoliciesUtil.createClientUpdateContextConditionConfig(
                                Arrays.asList("ByAuthenticatedUser")))
                .addProfile("MyProfile")
                .toRepresentation());
        failLoginByNotFollowingPKCE(clientId);

        // Reconfigure the executor, then trigger it with an update that does not mention PKCE.
        updateProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                .createProfile("MyProfile", "Koushinsareta Purofairu Sono Ichi")
                .addExecutor("pkce-enforcer",
                        ClientPoliciesUtil.createPKCEEnforceExecutorConfig(Boolean.TRUE))
                .toRepresentation());
        updateClientByAdmin(cId, rep -> rep.setServiceAccountsEnabled(Boolean.FALSE));
        ClientRepresentation afterUpdate = getClientByAdmin(cId);
        Assert.assertEquals(false, afterUpdate.isServiceAccountsEnabled());
        ClientRepresentation withPkce = getClientByAdmin(cId);
        Assert.assertEquals("S256",
                OIDCAdvancedConfigWrapper.fromClientRepresentation(withPkce).getPkceCodeChallengeMethod());

        // Remove the executor from the profile and clear the client's PKCE method.
        updateProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                .createProfile("MyProfile", "Sarani Koushinsareta Purofairu Sono Ichi")
                .toRepresentation());
        updateClientByAdmin(cId, rep ->
                OIDCAdvancedConfigWrapper.fromClientRepresentation(rep).setPkceCodeChallengeMethod((String) null));
        ClientRepresentation withoutPkce = getClientByAdmin(cId);
        Assert.assertEquals((Object) null,
                OIDCAdvancedConfigWrapper.fromClientRepresentation(withoutPkce).getPkceCodeChallengeMethod());
        successfulLoginAndLogout(clientId, "secret");
    }

    /**
     * Happy path under the policy installed by {@code setupPolicyAuthzCodeFlowUnderMultiPhasePolicy}
     * (defined outside this view): a dynamically registered client that is given
     * {@code sample-client-role} completes login and logout when it uses PKCE. The registration
     * and read events are expected to carry no user.
     */
    @Test
    public void testAuthzCodeFlowUnderMultiPhasePolicy() throws Exception {
        setupPolicyAuthzCodeFlowUnderMultiPhasePolicy("MyPolicy");

        String clientName = generateSuffixedName(CLIENT_NAME);
        String clientId = createClientDynamically(clientName, rep -> { });
        this.events.expect(EventType.CLIENT_REGISTER)
                .client(clientId)
                .user(Matchers.isEmptyOrNullString())
                .assertEvent();

        OIDCClientRepresentation registered = getClientDynamically(clientId);
        String secret = registered.getClientSecret();
        Assert.assertEquals(clientName, registered.getClientName());
        Assert.assertEquals("client_secret_basic", registered.getTokenEndpointAuthMethod());
        this.events.expect(EventType.CLIENT_INFO)
                .client(clientId)
                .user(Matchers.isEmptyOrNullString())
                .assertEvent();

        this.adminClient.realm("test").clients().get(clientId).roles()
                .create(RoleBuilder.create().name("sample-client-role").build());

        successfulLoginAndLogoutWithPKCE(registered.getClientId(), secret, "test-user@localhost", "password");
    }

    /**
     * Two policies with different profiles are active at once:
     * <ul>
     *   <li>"MyPolicy-alpha" (conditions {@code client-roles} alpha/zeta and
     *       {@code client-updater-context}) applies a profile that allows only
     *       {@code client-secret};</li>
     *   <li>"MyPolicy-beta" (condition {@code client-roles} beta/zeta) applies a profile with
     *       {@code pkce-enforcer}.</li>
     * </ul>
     * Registration with {@code client-secret-jwt} is rejected, the alpha client keeps
     * {@code client-secret} and logs in without PKCE, and the beta client is refused when it does
     * not follow PKCE. Both clients also hold {@code sample-client-role-common}, which neither
     * policy lists.
     */
    @Test
    public void testMultiplePolicies() throws Exception {
        String profiles = new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile-alpha", "Pierwszy Profil")
                        .addExecutor("secure-client-authenticator",
                                ClientPoliciesUtil.createSecureClientAuthenticatorExecutorConfig(
                                        Arrays.asList("client-secret"), "client-secret"))
                        .toRepresentation())
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile-beta", "Drugi Profil")
                        .addExecutor("pkce-enforcer",
                                ClientPoliciesUtil.createPKCEEnforceExecutorConfig(Boolean.TRUE))
                        .toRepresentation())
                .toString();
        updateProfiles(profiles);

        String policies = new ClientPoliciesUtil.ClientPoliciesBuilder()
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy-alpha", "Pierwsza Zasada", Boolean.TRUE)
                        .addCondition("client-roles",
                                ClientPoliciesUtil.createClientRolesConditionConfig(
                                        Arrays.asList("sample-client-role-alpha", "sample-client-role-zeta")))
                        .addCondition("client-updater-context",
                                ClientPoliciesUtil.createClientUpdateContextConditionConfig(
                                        Arrays.asList("ByAuthenticatedUser")))
                        .addProfile("MyProfile-alpha")
                        .toRepresentation())
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy-beta", "Drugi Zasada", Boolean.TRUE)
                        .addCondition("client-roles",
                                ClientPoliciesUtil.createClientRolesConditionConfig(
                                        Arrays.asList("sample-client-role-beta", "sample-client-role-zeta")))
                        .addProfile("MyProfile-beta")
                        .toRepresentation())
                .toString();
        updatePolicies(policies);

        String alphaClientId = generateSuffixedName("Alpha-App");
        String alphaSecret = "secretAlpha";

        try {
            String rejectedName = generateSuffixedName(CLIENT_NAME);
            createClientByAdmin(rejectedName, rep -> {
                rep.setSecret(alphaSecret);
                rep.setClientAuthenticatorType("client-secret-jwt");
            });
            Assert.fail();
        } catch (ClientPolicyException rejected) {
            Assert.assertEquals("invalid_client_metadata", rejected.getMessage());
        }

        String alphaCId = createClientByAdmin(alphaClientId, rep -> {
            rep.setSecret(alphaSecret);
            rep.setClientAuthenticatorType("client-secret");
        });
        RolesResource alphaRoles = this.adminClient.realm("test").clients().get(alphaCId).roles();
        alphaRoles.create(RoleBuilder.create().name("sample-client-role-alpha").build());
        alphaRoles.create(RoleBuilder.create().name("sample-client-role-common").build());

        String betaClientId = generateSuffixedName("Beta-App");
        RolesResource betaRoles = this.adminClient.realm("test").clients()
                .get(createClientByAdmin(betaClientId, rep -> rep.setSecret("secretBeta")))
                .roles();
        betaRoles.create(RoleBuilder.create().name("sample-client-role-beta").build());
        betaRoles.create(RoleBuilder.create().name("sample-client-role-common").build());

        ClientRepresentation alphaStored = getClientByAdmin(alphaCId);
        Assert.assertEquals("client-secret", alphaStored.getClientAuthenticatorType());
        successfulLoginAndLogout(alphaClientId, "secretAlpha");
        failLoginByNotFollowingPKCE(betaClientId);
    }

    /**
     * Installs a policy whose only condition is the test provider {@code test-raise-exception}
     * and checks that client registration then fails with {@code server_error}. The expected
     * outcome is fail-closed: a condition that errors blocks the request instead of letting it
     * through unchecked.
     */
    @Test
    public void testIntentionalExceptionOnCondition() throws Exception {
        String policies = new ClientPoliciesUtil.ClientPoliciesBuilder()
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy", "Fyrsta Stefnan", Boolean.TRUE)
                        .addCondition("test-raise-exception",
                                ClientPoliciesUtil.createTestRaiseExeptionConditionConfig())
                        .toRepresentation())
                .toString();
        updatePolicies(policies);

        try {
            String name = generateSuffixedName(CLIENT_NAME);
            createClientByAdmin(name, rep -> { });
            Assert.fail();
        } catch (ClientPolicyException raised) {
            Assert.assertEquals("server_error", raised.getMessage());
        }
    }

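    /**
     * With the {@code any-client} condition the {@code secure-session} executor applies to every
     * client, whatever its roles: the beta client (no roles) is refused with
     * "Missing parameter: nonce", and the alpha client logs in once a nonce is supplied.
     *
     * <p>The login steps are no longer wrapped in {@code catch (Exception) -> Assert.fail()}.
     * That wrapper discarded the exception and reported a bare failure with no cause; letting the
     * exception propagate still fails the test but keeps the stack trace.
     *
     * @throws Exception if policy setup, client creation or either login flow fails unexpectedly
     */
    @Test
    public void testAnyClientCondition() throws Exception {
        String profiles = new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "Le Premier Profil")
                        .addExecutor("secure-session", null)
                        .toRepresentation())
                .toString();
        updateProfiles(profiles);

        String policies = new ClientPoliciesUtil.ClientPoliciesBuilder()
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy", "La Premiere Politique", Boolean.TRUE)
                        .addCondition("any-client", ClientPoliciesUtil.createAnyClientConditionConfig())
                        .addProfile("MyProfile")
                        .toRepresentation())
                .toString();
        updatePolicies(policies);

        String alphaClientId = generateSuffixedName("Alpha-App");
        String alphaSecret = "secretAlpha";
        createClientByAdmin(alphaClientId, rep -> {
            // Plain array literal instead of Arrays.asList(...).toArray(new String[1]); same content.
            rep.setDefaultRoles(new String[] {"sample-client-role-alpha"});
            rep.setSecret(alphaSecret);
        });

        String betaClientId = generateSuffixedName("Beta-App");
        createClientByAdmin(betaClientId, rep -> rep.setSecret("secretBeta"));

        failLoginWithoutSecureSessionParameter(betaClientId, "Missing parameter: nonce");
        // Fixed nonce value: acceptable only because this is a test fixture.
        this.oauth.nonce("yesitisnonce");
        successfulLoginAndLogout(alphaClientId, "secretAlpha");
    }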

    /**
     * Registers four policies whose conditions ({@code client-access-type},
     * {@code client-updater-source-groups}, {@code client-updater-source-roles},
     * {@code client-updater-context}) all have a {@code null} configuration, attached to a profile
     * whose {@code secure-client-authenticator} executor is unconfigured too. The test asserts only
     * that a confidential client can still be created with a secret and log in, i.e. that
     * unconfigured conditions are tolerated.
     * NOTE(review): whether such a condition counts as "no match" or the unconfigured executor
     * allows everything cannot be told from this method - confirm before relying on either.
     */
    @Test
    public void testConditionWithoutNoConfiguration() throws Exception {
        String profiles = new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "Die Erste Politik")
                        .addExecutor("secure-client-authenticator", null)
                        .toRepresentation())
                .toString();
        updateProfiles(profiles);

        String policies = new ClientPoliciesUtil.ClientPoliciesBuilder()
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy-ClientAccessTypeCondition", "Die Erste Politik", Boolean.TRUE)
                        .addCondition("client-access-type", null)
                        .addProfile("MyProfile")
                        .toRepresentation())
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy-ClientUpdateSourceGroupsCondition", "Die Zweite Politik", Boolean.TRUE)
                        .addCondition("client-updater-source-groups", null)
                        .addProfile("MyProfile")
                        .toRepresentation())
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy-ClientUpdateSourceRolesCondition", "Die Dritte Politik", Boolean.TRUE)
                        .addCondition("client-updater-source-roles", null)
                        .addProfile("MyProfile")
                        .toRepresentation())
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy-ClientUpdateContextCondition", "Die Vierte Politik", Boolean.TRUE)
                        .addCondition("client-updater-context", null)
                        .addProfile("MyProfile")
                        .toRepresentation())
                .toString();
        updatePolicies(policies);

        String clientId = generateSuffixedName(CLIENT_NAME);
        String secret = "secret";
        createClientByAdmin(clientId, rep -> {
            rep.setSecret(secret);
            rep.setBearerOnly(Boolean.FALSE);
            rep.setPublicClient(Boolean.FALSE);
        });
        successfulLoginAndLogout(clientId, "secret");
    }

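    /**
     * Checks the {@code client-updater-source-host} condition. While the condition lists
     * {@code DockerClientTest.REGISTRY_HOSTNAME} and {@code AssertEvents.DEFAULT_IP_ADDRESS},
     * creating a client with a plain secret is rejected with {@code invalid_client_metadata};
     * after the list is changed to {@code example.com} the same request is accepted.
     * Presumably the first list matches the address the test's admin request comes from - the
     * constants' values are not visible here.
     *
     * <p>The second creation is no longer wrapped in {@code catch (Exception) -> Assert.fail()},
     * which hid the cause of a failure; an unexpected exception now propagates with its stack trace.
     *
     * <p>NOTE(review): host-based conditions are only as trustworthy as the way the server derives
     * the caller's address; behind a reverse proxy confirm the forwarded-address handling.
     *
     * @throws Exception if policy setup fails or the second client creation is unexpectedly refused
     */
    @Test
    @AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
    public void testClientUpdateSourceHostsCondition() throws Exception {
        String profiles = new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "Prvni Profil")
                        .addExecutor("secure-client-authenticator",
                                ClientPoliciesUtil.createSecureClientAuthenticatorExecutorConfig(
                                        Arrays.asList("client-jwt", "client-secret-jwt", "client-x509"), null))
                        .toRepresentation())
                .toString();
        updateProfiles(profiles);

        String matchingPolicies = new ClientPoliciesUtil.ClientPoliciesBuilder()
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy", "Prvni Politika", Boolean.TRUE)
                        .addCondition("client-updater-source-host",
                                ClientPoliciesUtil.createClientUpdateSourceHostsConditionConfig(
                                        Arrays.asList(DockerClientTest.REGISTRY_HOSTNAME,
                                                AssertEvents.DEFAULT_IP_ADDRESS)))
                        .addProfile("MyProfile")
                        .toRepresentation())
                .toString();
        updatePolicies(matchingPolicies);

        String clientId = generateSuffixedName(CLIENT_NAME);
        String secret = "secret";
        try {
            createClientByAdmin(clientId, rep -> rep.setSecret(secret));
            Assert.fail();
        } catch (ClientPolicyException rejected) {
            Assert.assertEquals("invalid_client_metadata", rejected.getMessage());
        }

        String otherHostPolicies = new ClientPoliciesUtil.ClientPoliciesBuilder()
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy", "Aktualizovana Prvni Politika", Boolean.TRUE)
                        .addCondition("client-updater-source-host",
                                ClientPoliciesUtil.createClientUpdateSourceHostsConditionConfig(
                                        Arrays.asList("example.com")))
                        .addProfile("MyProfile")
                        .toRepresentation())
                .toString();
        updatePolicies(otherHostPolicies);

        // Same client name as the rejected attempt; nothing was created by it.
        createClientByAdmin(clientId, rep -> rep.setSecret(secret));
    }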

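    /**
     * Checks the "client-updater-source-groups" condition (configured with {@code topGroup})
     * combined with a "secure-client-authenticator" executor that only allows {@code client-jwt}.
     *
     * <p>A dynamic registration after {@code authCreateClients()} is expected to fail with a
     * {@link ClientRegistrationException}; the same registration after {@code authManageClients()}
     * is expected to succeed.
     *
     * @throws Exception propagated from the profile/policy update helpers
     */
    @Test
    public void testClientUpdateSourceGroupsCondition() throws Exception {
        updateProfiles(new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "Den Forste Profil")
                        .addExecutor("secure-client-authenticator",
                                ClientPoliciesUtil.createSecureClientAuthenticatorExecutorConfig(
                                        Arrays.asList("client-jwt"), null))
                        .toRepresentation())
                .toString());
        updatePolicies(new ClientPoliciesUtil.ClientPoliciesBuilder()
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy", "Den Forste Politik", Boolean.TRUE)
                        .addCondition("client-updater-source-groups",
                                ClientPoliciesUtil.createClientUpdateSourceGroupsConditionConfig(
                                        Arrays.asList("topGroup")))
                        .addProfile("MyProfile")
                        .toRepresentation())
                .toString());

        // Presumably the identity behind authCreateClients() is a member of topGroup and the one
        // behind authManageClients() is not; verify against the realm fixture.
        try {
            authCreateClients();
            createClientDynamically(generateSuffixedName(CLIENT_NAME), rep -> {
            });
            Assert.fail("dynamic registration should have been rejected after authCreateClients()");
        } catch (ClientRegistrationException e) {
            // NOTE(review): this message is generic; on its own it does not show that the
            // rejection came from the client policy rather than from another request failure.
            Assert.assertEquals("Failed to send request", e.getMessage());
        }

        authManageClients();
        try {
            createClientDynamically(generateSuffixedName(CLIENT_NAME), rep -> {
            });
        } catch (Exception e) {
            // Keep the cause so the report shows why the registration was refused.
            throw new AssertionError("dynamic registration should succeed after authManageClients()", e);
        }
    }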

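    /**
     * Checks the "client-updater-source-roles" condition (configured with
     * {@code "realm-management." + AdminRoles.CREATE_CLIENT}) combined with a
     * "secure-client-authenticator" executor that only allows {@code client-secret-jwt}.
     *
     * <p>A dynamic registration after {@code authCreateClients()} is expected to fail with a
     * {@link ClientRegistrationException}; the same registration after {@code authManageClients()}
     * is expected to succeed.
     *
     * @throws Exception propagated from the profile/policy update helpers
     */
    @Test
    public void testClientUpdateSourceRolesCondition() throws Exception {
        updateProfiles(new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "Il Primo Profilo")
                        .addExecutor("secure-client-authenticator",
                                ClientPoliciesUtil.createSecureClientAuthenticatorExecutorConfig(
                                        Arrays.asList("client-secret-jwt"), null))
                        .toRepresentation())
                .toString());
        updatePolicies(new ClientPoliciesUtil.ClientPoliciesBuilder()
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy", "La Prima Politica", Boolean.TRUE)
                        .addCondition("client-updater-source-roles",
                                ClientPoliciesUtil.createClientUpdateSourceRolesConditionConfig(
                                        Arrays.asList("realm-management." + AdminRoles.CREATE_CLIENT)))
                        .addProfile("MyProfile")
                        .toRepresentation())
                .toString());

        // Presumably authCreateClients() authenticates with the create-client role that the
        // condition matches; verify against the realm fixture.
        try {
            authCreateClients();
            createClientDynamically(generateSuffixedName(CLIENT_NAME), rep -> {
            });
            Assert.fail("dynamic registration should have been rejected after authCreateClients()");
        } catch (ClientRegistrationException e) {
            // NOTE(review): this message is generic; on its own it does not show that the
            // rejection came from the client policy rather than from another request failure.
            Assert.assertEquals("Failed to send request", e.getMessage());
        }

        authManageClients();
        try {
            createClientDynamically(generateSuffixedName(CLIENT_NAME), rep -> {
            });
        } catch (Exception e) {
            // Keep the cause so the report shows why the registration was refused.
            throw new AssertionError("dynamic registration should succeed after authManageClients()", e);
        }
    }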

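    /**
     * Checks that the "client-scopes" condition (type {@code "Optional"}, scopes
     * {@code offline_access} and {@code microprofile-jwt}) switches the "pkce-enforcer" executor on
     * per request.
     *
     * <p>A login requesting {@code address phone} completes without PKCE. A login requesting
     * {@code microprofile-jwt profile} must fail without PKCE and succeed with it.
     *
     * @throws Exception propagated from the profile/policy update helpers and client creation
     */
    @Test
    public void testClientScopesCondition() throws Exception {
        updateProfiles(new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "Het Eerste Profiel")
                        .addExecutor("pkce-enforcer", ClientPoliciesUtil.createPKCEEnforceExecutorConfig(Boolean.TRUE))
                        .toRepresentation())
                .toString());
        updatePolicies(new ClientPoliciesUtil.ClientPoliciesBuilder()
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy", "Het Eerste Beleid", Boolean.TRUE)
                        .addCondition("client-scopes",
                                ClientPoliciesUtil.createClientScopesConditionConfig(
                                        "Optional", Arrays.asList("offline_access", "microprofile-jwt")))
                        .addProfile("MyProfile")
                        .toRepresentation())
                .toString());

        String clientId = generateSuffixedName(CLIENT_NAME);
        String clientSecret = "secret";
        createClientByAdmin(clientId, rep -> rep.setSecret(clientSecret));

        try {
            // Scopes outside the condition: PKCE is not demanded.
            this.oauth.scope("address phone");
            successfulLoginAndLogout(clientId, clientSecret);

            // Scope listed in the condition: a login without PKCE must be refused.
            this.oauth.scope("microprofile-jwt profile");
            failLoginByNotFollowingPKCE(clientId);

            // NOTE(review): this pair repeats the previous one verbatim; kept as found,
            // confirm whether the repetition is intentional.
            this.oauth.scope("microprofile-jwt profile");
            failLoginByNotFollowingPKCE(clientId);

            successfulLoginAndLogoutWithPKCE(clientId, clientSecret, "test-user@localhost", "password");
        } catch (Exception e) {
            // Keep the cause so the report shows which step broke.
            throw new AssertionError("unexpected exception while exercising the client-scopes condition", e);
        }
    }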

    /**
     * Exercises the "client-access-type" condition, configured for {@code confidential} clients,
     * together with the "secure-session" executor.
     *
     * <p>Two clients are registered: a confidential one (secret set, not public, not bearer-only)
     * and a public one. The public client is expected to log in and out normally, while a login
     * for the confidential client without a nonce is expected to fail.
     */
    @Test
    public void testClientAccessTypeCondition() throws Exception {
        String profilesJson = new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "El Primer Perfil")
                        .addExecutor("secure-session", null)
                        .toRepresentation())
                .toString();
        updateProfiles(profilesJson);

        String policiesJson = new ClientPoliciesUtil.ClientPoliciesBuilder()
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy", "La Primera Plitica", Boolean.TRUE)
                        .addCondition("client-access-type",
                                ClientPoliciesUtil.createClientAccessTypeConditionConfig(Arrays.asList("confidential")))
                        .addProfile("MyProfile")
                        .toRepresentation())
                .toString();
        updatePolicies(policiesJson);

        // Confidential client: the access type the condition is configured with.
        final String confidentialClientId = generateSuffixedName("Alpha-App");
        createClientByAdmin(confidentialClientId, alpha -> {
            alpha.setSecret("secretAlpha");
            alpha.setBearerOnly(Boolean.FALSE);
            alpha.setPublicClient(Boolean.FALSE);
        });

        // Public client: a different access type.
        final String publicClientId = generateSuffixedName("Beta-App");
        createClientByAdmin(publicClientId, beta -> {
            beta.setBearerOnly(Boolean.FALSE);
            beta.setPublicClient(Boolean.TRUE);
        });

        successfulLoginAndLogout(publicClientId, null);
        failLoginWithoutNonce(confidentialClientId);
    }

    /**
     * Walks the "secure-response-type" executor through three configurations for a client that
     * carries the {@code sample-client-role} role (matched by the "client-roles" condition).
     *
     * <ol>
     *   <li>No executor config: the default login request is refused with
     *       {@code invalid response_type}; {@code code id_token} is accepted.</li>
     *   <li>{@code createSecureResponseTypeExecutor(FALSE, TRUE)}: {@code code id_token token} is
     *       accepted, and so is {@code code} with response mode {@code jwt}.</li>
     *   <li>{@code createSecureResponseTypeExecutor(FALSE, FALSE)}: {@code code id_token token}
     *       with response mode {@code jwt} yields {@code invalid_request} inside the JWT response.</li>
     * </ol>
     */
    @Test
    public void testSecureResponseTypeExecutor() throws Exception {
        updateProfiles(new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "O Primeiro Perfil")
                        .addExecutor("secure-response-type", null)
                        .toRepresentation())
                .toString());
        updatePolicies(new ClientPoliciesUtil.ClientPoliciesBuilder()
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy", "A Primeira Politica", Boolean.TRUE)
                        .addCondition("client-roles",
                                ClientPoliciesUtil.createClientRolesConditionConfig(Arrays.asList("sample-client-role")))
                        .addProfile("MyProfile")
                        .toRepresentation())
                .toString());

        final String clientId = generateSuffixedName(CLIENT_NAME);
        final String clientSecret = "secret";

        // Register the client, then give it the role the policy condition looks for.
        adminClient.realm("test").clients()
                .get(createClientByAdmin(clientId, rep -> {
                    rep.setSecret(clientSecret);
                    rep.setStandardFlowEnabled(Boolean.TRUE);
                    rep.setImplicitFlowEnabled(Boolean.TRUE);
                    rep.setPublicClient(Boolean.FALSE);
                }))
                .roles()
                .create(RoleBuilder.create().name("sample-client-role").build());

        // Step 1: the login request as currently configured on the OAuth helper is refused.
        oauth.clientId(clientId);
        oauth.openLoginForm();
        Assert.assertEquals("invalid_request", oauth.getCurrentQuery().get("error"));
        Assert.assertEquals("invalid response_type", oauth.getCurrentQuery().get("error_description"));

        // "code id_token" goes through the full login / token / logout cycle.
        oauth.responseType("code id_token");
        oauth.nonce("vbwe566fsfffds");
        oauth.doLogin("test-user@localhost", "password");
        EventRepresentation hybridLogin = events.expectLogin().client(clientId).assertEvent();
        String hybridSession = hybridLogin.getSessionId();
        String hybridCodeId = (String) hybridLogin.getDetails().get("code_id");
        OAuthClient.AccessTokenResponse hybridTokens =
                oauth.doAccessTokenRequest(new OAuthClient.AuthorizationEndpointResponse(oauth).getCode(), clientSecret);
        Assert.assertEquals(200L, hybridTokens.getStatusCode());
        events.expectCodeToToken(hybridCodeId, hybridSession).client(clientId).assertEvent();
        oauth.doLogout(hybridTokens.getRefreshToken(), clientSecret);
        events.expectLogout(hybridSession).client(clientId).clearDetails().assertEvent();

        // Step 2: executor reconfigured with (FALSE, TRUE).
        updateProfiles(new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "O Primeiro Perfil")
                        .addExecutor("secure-response-type",
                                ClientPoliciesUtil.createSecureResponseTypeExecutor(Boolean.FALSE, Boolean.TRUE))
                        .toRepresentation())
                .toString());

        oauth.responseType("code id_token token");
        oauth.nonce("cie8cjcwiw");
        oauth.doLogin("test-user@localhost", "password");
        EventRepresentation tokenLogin = events.expectLogin().client(clientId).assertEvent();
        String tokenSession = tokenLogin.getSessionId();
        String tokenCodeId = (String) tokenLogin.getDetails().get("code_id");
        OAuthClient.AccessTokenResponse tokenTokens =
                oauth.doAccessTokenRequest(new OAuthClient.AuthorizationEndpointResponse(oauth).getCode(), clientSecret);
        Assert.assertEquals(200L, tokenTokens.getStatusCode());
        events.expectCodeToToken(tokenCodeId, tokenSession).client(clientId).assertEvent();
        oauth.doLogout(tokenTokens.getRefreshToken(), clientSecret);
        events.expectLogout(tokenSession).client(clientId).clearDetails().assertEvent();

        // Plain "code" delivered as a JWT response: the code is read from the verified token's claims.
        oauth.responseType("code");
        oauth.responseMode("jwt");
        Assert.assertEquals(200L,
                oauth.doAccessTokenRequest(
                        (String) oauth.verifyAuthorizationResponseToken(
                                oauth.doLogin("test-user@localhost", "password").getResponse())
                                .getOtherClaims().get("code"),
                        clientSecret)
                        .getStatusCode());

        // Step 3: executor reconfigured with (FALSE, FALSE).
        updateProfiles(new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "O Primeiro Perfil")
                        .addExecutor("secure-response-type",
                                ClientPoliciesUtil.createSecureResponseTypeExecutor(Boolean.FALSE, Boolean.FALSE))
                        .toRepresentation())
                .toString());

        oauth.openLogout();
        oauth.responseType("code id_token token");
        oauth.responseMode("jwt");
        oauth.openLoginForm();
        // The error comes back inside the JWT response, so decode its payload before asserting.
        JsonNode errorPayload = (JsonNode) JsonSerialization.readValue(
                new JWSInput(new OAuthClient.AuthorizationEndpointResponse(oauth).getResponse()).getContent(),
                JsonNode.class);
        Assert.assertEquals("invalid_request", errorPayload.get("error").asText());
    }

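    /**
     * Checks the "secure-response-type" executor at registration time and at login time, under a
     * policy that combines a "client-updater-context" condition with a "client-roles" condition.
     *
     * <p>With {@code createSecureResponseTypeExecutor(null, TRUE)} an admin registration that only
     * sets a secret must be rejected with {@code invalid_client_metadata}. With
     * {@code createSecureResponseTypeExecutor(TRUE, null)} the registration must succeed and the
     * stored client must carry {@code id.token.as.detached.signature = "true"}. A subsequent
     * {@code code id_token} login must return an ID token without profile/email claims and no
     * access token on the authorization response.
     *
     * <p>NOTE(review): the two Boolean arguments are presumably (autoConfigure,
     * allowTokenResponseType); confirm against {@code ClientPoliciesUtil}.
     *
     * @throws Exception propagated from the profile/policy update helpers and the login flow
     */
    @Test
    public void testSecureResponseTypeExecutorAllowTokenResponseType() throws Exception {
        updateProfiles(new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "O Primeiro Perfil")
                        .addExecutor("secure-response-type",
                                ClientPoliciesUtil.createSecureResponseTypeExecutor(null, Boolean.TRUE))
                        .toRepresentation())
                .toString());
        updatePolicies(new ClientPoliciesUtil.ClientPoliciesBuilder()
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy", "Den Forsta Policyn", Boolean.TRUE)
                        .addCondition("client-updater-context",
                                ClientPoliciesUtil.createClientUpdateContextConditionConfig(
                                        Arrays.asList("ByAuthenticatedUser", "ByInitialAccessToken", "ByRegistrationAccessToken")))
                        .addCondition("client-roles",
                                ClientPoliciesUtil.createClientRolesConditionConfig(Arrays.asList("sample-client-role")))
                        .addProfile("MyProfile")
                        .toRepresentation())
                .toString());

        // Negative case: registration must be refused under the first executor configuration.
        try {
            createClientByAdmin(generateSuffixedName("App-by-Admin"), rep -> rep.setSecret("secret"));
            Assert.fail("registration should have been rejected under the (null, TRUE) executor configuration");
        } catch (ClientPolicyException e) {
            Assert.assertEquals("invalid_client_metadata", e.getMessage());
        }

        updateProfiles(new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "O Primeiro Perfil")
                        .addExecutor("secure-response-type",
                                ClientPoliciesUtil.createSecureResponseTypeExecutor(Boolean.TRUE, null))
                        .toRepresentation())
                .toString());

        String clientId = generateSuffixedName(CLIENT_NAME);
        String clientSecret = "secret";
        String clientUuid;
        try {
            clientUuid = createClientByAdmin(clientId, rep -> {
                rep.setSecret(clientSecret);
                rep.setStandardFlowEnabled(Boolean.TRUE);
                rep.setImplicitFlowEnabled(Boolean.TRUE);
                rep.setPublicClient(Boolean.FALSE);
            });
        } catch (ClientPolicyException e) {
            // Keep the cause so the report shows why the registration was refused.
            throw new AssertionError("registration should succeed under the (TRUE, null) executor configuration", e);
        }

        // The stored client must have the detached-signature attribute switched on.
        Assert.assertEquals(Boolean.TRUE.toString(),
                getClientByAdmin(clientUuid).getAttributes().get("id.token.as.detached.signature"));
        this.adminClient.realm("test").clients().get(clientUuid).roles()
                .create(RoleBuilder.create().name("sample-client-role").build());

        // The login request as currently configured on the OAuth helper is refused.
        this.oauth.clientId(clientId);
        this.oauth.openLoginForm();
        Assert.assertEquals("invalid_request", this.oauth.getCurrentQuery().get("error"));
        Assert.assertEquals("invalid response_type", this.oauth.getCurrentQuery().get("error_description"));

        this.oauth.responseType("code id_token");
        this.oauth.nonce("LIVieviDie028f");
        this.oauth.doLogin("test-user@localhost", "password");
        EventRepresentation loginEvent = this.events.expectLogin().client(clientId).assertEvent();
        String sessionId = loginEvent.getSessionId();
        String codeId = (String) loginEvent.getDetails().get("code_id");
        String code = new OAuthClient.AuthorizationEndpointResponse(this.oauth).getCode();

        // The front-channel ID token must carry the nonce but none of the user's
        // profile or email claims.
        IDToken idToken = this.oauth.verifyIDToken(new OAuthClient.AuthorizationEndpointResponse(this.oauth).getIdToken());
        Assert.assertNull(idToken.getEmailVerified());
        Assert.assertNull(idToken.getName());
        Assert.assertNull(idToken.getPreferredUsername());
        Assert.assertNull(idToken.getGivenName());
        Assert.assertNull(idToken.getFamilyName());
        Assert.assertNull(idToken.getEmail());
        Assert.assertEquals("LIVieviDie028f", idToken.getNonce());
        // No access token may be handed out on the authorization response.
        Assert.assertNull(new OAuthClient.AuthorizationEndpointResponse(this.oauth).getAccessToken());

        OAuthClient.AccessTokenResponse tokenResponse = this.oauth.doAccessTokenRequest(code, clientSecret);
        Assert.assertEquals(200L, tokenResponse.getStatusCode());
        this.events.expectCodeToToken(codeId, sessionId).client(clientId).assertEvent();
        this.oauth.doLogout(tokenResponse.getRefreshToken(), clientSecret);
        this.events.expectLogout(sessionId).client(clientId).clearDetails().assertEvent();
    }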

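    /**
     * Exercises the "secure-request-object" executor against a series of malformed request
     * objects, under four executor configurations, for a client holding {@code sample-client-role}.
     *
     * <ol>
     *   <li>Available period of {@code DEFAULT_AVAILABLE_PERIOD + 400}: rejects a missing request
     *       object, mismatched or missing {@code scope}, missing or expired {@code exp}, missing or
     *       future {@code nbf}, an over-long validity window, missing or wrong {@code aud}, and a
     *       mismatched {@code state}; accepts a valid request object.</li>
     *   <li>No executor config: missing or future {@code nbf} and a window longer than
     *       {@code DEFAULT_AVAILABLE_PERIOD} are rejected.</li>
     *   <li>{@code createSecureRequestObjectExecutorConfig(null, FALSE)}: those same three request
     *       objects are accepted.</li>
     *   <li>{@code createSecureRequestObjectExecutorConfig(null, null, true)}: an otherwise valid
     *       request object is rejected as not encrypted.</li>
     * </ol>
     *
     * @throws Exception propagated from the helpers that update policies, register request
     *     objects and drive the login flow
     */
    @Test
    public void testSecureRequestObjectExecutor() throws Exception {
        // Validity window handed to the executor. The over-long-window case below builds its
        // 'exp' from this same value; the listing referenced an undeclared 'r0' there.
        Integer availablePeriod = Integer.valueOf(SecureRequestObjectExecutor.DEFAULT_AVAILABLE_PERIOD.intValue() + 400);
        updateProfiles(new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "Prvy Profil")
                        .addExecutor("secure-request-object",
                                ClientPoliciesUtil.createSecureRequestObjectExecutorConfig(availablePeriod, null))
                        .toRepresentation())
                .toString());
        updatePolicies(new ClientPoliciesUtil.ClientPoliciesBuilder()
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy", "Prva Politika", Boolean.TRUE)
                        .addCondition("client-roles",
                                ClientPoliciesUtil.createClientRolesConditionConfig(Arrays.asList("sample-client-role")))
                        .addProfile("MyProfile")
                        .toRepresentation())
                .toString());

        String clientId = generateSuffixedName(CLIENT_NAME);
        String clientSecret = "secret";
        // Register the client, then give it the role the policy condition looks for.
        this.adminClient.realm("test").clients().get(createClientByAdmin(clientId, rep -> {
            rep.setSecret(clientSecret);
            OIDCAdvancedConfigWrapper.fromClientRepresentation(rep)
                    .setRequestUris(Arrays.asList(TestApplicationResourceUrls.clientRequestUri()));
        })).roles().create(RoleBuilder.create().name("sample-client-role").build());
        this.oauth.clientId(clientId);

        // Neither 'request' nor 'request_uri' supplied.
        this.oauth.request((String) null);
        this.oauth.requestUri((String) null);
        this.oauth.openLoginForm();
        Assert.assertEquals("invalid_request", this.oauth.getCurrentQuery().get("error"));
        Assert.assertEquals("Missing parameter: 'request' or 'request_uri'", this.oauth.getCurrentQuery().get("error_description"));

        // Request object without 'scope'.
        TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject requestObject =
                createValidRequestObjectForSecureRequestObjectExecutor(clientId);
        requestObject.setScope((String) null);
        registerRequestObject(requestObject, clientId, Algorithm.ES256, true);
        this.oauth.openLoginForm();
        Assert.assertEquals("invalid_request", this.oauth.getCurrentQuery().get("error"));
        Assert.assertEquals("Invalid parameter. Parameters in 'request' object not matching with request parameters", this.oauth.getCurrentQuery().get("error_description"));

        // Same request object, with the scope also cleared on the OAuth helper.
        registerRequestObject(requestObject, clientId, Algorithm.ES256, true);
        this.oauth.scope((String) null);
        this.oauth.openid(false);
        this.oauth.openLoginForm();
        Assert.assertEquals("invalid_request", this.oauth.getCurrentQuery().get("error"));
        Assert.assertEquals("Parameter 'scope' missing in the request parameters or in 'request' object", this.oauth.getCurrentQuery().get("error_description"));
        this.oauth.openid(true);

        // Missing 'exp'.
        requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
        requestObject.exp((Long) null);
        registerRequestObject(requestObject, clientId, Algorithm.ES256, false);
        this.oauth.openLoginForm();
        Assert.assertEquals("invalid_request_object", this.oauth.getCurrentQuery().get("error"));
        Assert.assertEquals("Missing parameter in the 'request' object: exp", this.oauth.getCurrentQuery().get("error_description"));

        // 'exp' set to 0.
        requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
        requestObject.exp(0L);
        registerRequestObject(requestObject, clientId, Algorithm.ES256, true);
        this.oauth.openLoginForm();
        Assert.assertEquals("invalid_request_object", this.oauth.getCurrentQuery().get("error"));
        Assert.assertEquals("Request Expired", this.oauth.getCurrentQuery().get("error_description"));

        // Missing 'nbf'.
        requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
        requestObject.nbf((Long) null);
        registerRequestObject(requestObject, clientId, Algorithm.ES256, false);
        this.oauth.openLoginForm();
        Assert.assertEquals("invalid_request_object", this.oauth.getCurrentQuery().get("error"));
        Assert.assertEquals("Missing parameter in the 'request' object: nbf", this.oauth.getCurrentQuery().get("error_description"));

        // 'nbf' pushed 600 past its valid value.
        requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
        requestObject.nbf(Long.valueOf(requestObject.getNbf().longValue() + 600));
        registerRequestObject(requestObject, clientId, Algorithm.ES256, false);
        this.oauth.openLoginForm();
        Assert.assertEquals("invalid_request_object", this.oauth.getCurrentQuery().get("error"));
        Assert.assertEquals("Request not yet being processed", this.oauth.getCurrentQuery().get("error_description"));

        // 'exp' one past nbf + the configured available period.
        requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
        requestObject.exp(Long.valueOf(requestObject.getNbf().longValue() + availablePeriod.intValue() + 1));
        registerRequestObject(requestObject, clientId, Algorithm.ES256, false);
        this.oauth.openLoginForm();
        Assert.assertEquals("invalid_request_object", this.oauth.getCurrentQuery().get("error"));
        Assert.assertEquals("Request's available period is long", this.oauth.getCurrentQuery().get("error_description"));

        // 'aud' holding only a null entry.
        requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
        requestObject.audience(new String[]{(String) null});
        registerRequestObject(requestObject, clientId, Algorithm.ES256, false);
        this.oauth.openLoginForm();
        Assert.assertEquals("invalid_request_object", this.oauth.getCurrentQuery().get("error"));
        Assert.assertEquals("Missing parameter in the 'request' object: aud", this.oauth.getCurrentQuery().get("error_description"));

        // 'aud' set to the auth server's context root.
        requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
        requestObject.audience(new String[]{this.suiteContext.getAuthServerInfo().getContextRoot().toString()});
        registerRequestObject(requestObject, clientId, Algorithm.ES256, true);
        this.oauth.openLoginForm();
        Assert.assertEquals("invalid_request_uri", this.oauth.getCurrentQuery().get("error"));
        Assert.assertEquals("Invalid parameter in the 'request' object: aud", this.oauth.getCurrentQuery().get("error_description"));

        // 'state' in the request object differs from the request parameter.
        requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
        requestObject.setState("notmatchstate");
        registerRequestObject(requestObject, clientId, Algorithm.ES256, false);
        this.oauth.openLoginForm();
        Assert.assertEquals("invalid_request", this.oauth.getCurrentQuery().get("error"));
        Assert.assertEquals("Invalid parameter. Parameters in 'request' object not matching with request parameters", this.oauth.getCurrentQuery().get("error_description"));

        // Positive control: an unmodified request object is accepted.
        registerRequestObject(createValidRequestObjectForSecureRequestObjectExecutor(clientId), clientId, Algorithm.ES256, true);
        successfulLoginAndLogout(clientId, clientSecret);

        // Executor with no configuration.
        updateProfiles(new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "Prvy Profil")
                        .addExecutor("secure-request-object", null)
                        .toRepresentation())
                .toString());

        requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
        requestObject.nbf((Long) null);
        registerRequestObject(requestObject, clientId, Algorithm.ES256, false);
        this.oauth.openLoginForm();
        Assert.assertEquals("invalid_request_object", this.oauth.getCurrentQuery().get("error"));
        Assert.assertEquals("Missing parameter in the 'request' object: nbf", this.oauth.getCurrentQuery().get("error_description"));

        requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
        requestObject.nbf(Long.valueOf(requestObject.getNbf().longValue() + 600));
        registerRequestObject(requestObject, clientId, Algorithm.ES256, false);
        this.oauth.openLoginForm();
        Assert.assertEquals("invalid_request_object", this.oauth.getCurrentQuery().get("error"));
        Assert.assertEquals("Request not yet being processed", this.oauth.getCurrentQuery().get("error_description"));

        requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
        requestObject.exp(Long.valueOf(requestObject.getNbf().longValue() + SecureRequestObjectExecutor.DEFAULT_AVAILABLE_PERIOD.intValue() + 1));
        registerRequestObject(requestObject, clientId, Algorithm.ES256, false);
        this.oauth.openLoginForm();
        Assert.assertEquals("invalid_request_object", this.oauth.getCurrentQuery().get("error"));
        Assert.assertEquals("Request's available period is long", this.oauth.getCurrentQuery().get("error_description"));

        // Executor configured with (null, FALSE): the three request objects rejected above
        // are now expected to be accepted.
        updateProfiles(new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "Prvy Profil")
                        .addExecutor("secure-request-object",
                                ClientPoliciesUtil.createSecureRequestObjectExecutorConfig(null, Boolean.FALSE))
                        .toRepresentation())
                .toString());

        requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
        requestObject.nbf((Long) null);
        registerRequestObject(requestObject, clientId, Algorithm.ES256, false);
        successfulLoginAndLogout(clientId, clientSecret);

        requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
        requestObject.nbf(Long.valueOf(requestObject.getNbf().longValue() + 600));
        registerRequestObject(requestObject, clientId, Algorithm.ES256, false);
        successfulLoginAndLogout(clientId, clientSecret);

        requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
        requestObject.exp(Long.valueOf(requestObject.getNbf().longValue() + SecureRequestObjectExecutor.DEFAULT_AVAILABLE_PERIOD.intValue() + 1));
        registerRequestObject(requestObject, clientId, Algorithm.ES256, false);
        successfulLoginAndLogout(clientId, clientSecret);

        // Executor configured with (null, null, true): a signed-only request object is refused.
        updateProfiles(new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "Prvy Profil")
                        .addExecutor("secure-request-object",
                                ClientPoliciesUtil.createSecureRequestObjectExecutorConfig(null, null, true))
                        .toRepresentation())
                .toString());
        registerRequestObject(createValidRequestObjectForSecureRequestObjectExecutor(clientId), clientId, Algorithm.ES256, false);
        this.oauth.openLoginForm();
        Assert.assertEquals("invalid_request_object", this.oauth.getCurrentQuery().get("error"));
        Assert.assertEquals("Request object not encrypted", this.oauth.getCurrentQuery().get("error_description"));
    }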

    @Test
    public void testParSecureRequestObjectExecutor() throws Exception {
        updateProfiles(new ClientPoliciesUtil.ClientProfilesBuilder().addProfile(new ClientPoliciesUtil.ClientProfileBuilder().createProfile("MyProfile", "Prvy Profil").addExecutor("secure-request-object", ClientPoliciesUtil.createSecureRequestObjectExecutorConfig(Integer.valueOf(SecureRequestObjectExecutor.DEFAULT_AVAILABLE_PERIOD.intValue() + 400), true)).toRepresentation()).toString());
        updatePolicies(new ClientPoliciesUtil.ClientPoliciesBuilder().addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder().createPolicy("MyPolicy", "Prva Politika", Boolean.TRUE).addCondition("client-roles", ClientPoliciesUtil.createClientRolesConditionConfig(Arrays.asList("sample-client-role"))).addProfile("MyProfile").toRepresentation()).toString());
        String generateSuffixedName = generateSuffixedName(CLIENT_NAME);
        String str = "secret";
        String createClientByAdmin = createClientByAdmin(generateSuffixedName, clientRepresentation -> {
            clientRepresentation.setSecret(str);
            OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRepresentation).setRequestUris(Arrays.asList(TestApplicationResourceUrls.clientRequestUri()));
        });
        this.oauth.realm("test");
        this.oauth.clientId(generateSuffixedName);
        this.adminClient.realm("test").clients().get(createClientByAdmin).roles().create(RoleBuilder.create().name("sample-client-role").build());
        TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject createValidRequestObjectForSecureRequestObjectExecutor = createValidRequestObjectForSecureRequestObjectExecutor(generateSuffixedName);
        this.oauth.request(signRequestObject(createValidRequestObjectForSecureRequestObjectExecutor));
        OAuthClient.ParResponse doPushedAuthorizationRequest = this.oauth.doPushedAuthorizationRequest(generateSuffixedName, "secret");
        Assert.assertEquals(201L, doPushedAuthorizationRequest.getStatusCode());
        String requestUri = doPushedAuthorizationRequest.getRequestUri();
        this.oauth.scope((String) null);
        this.oauth.responseType((String) null);
        this.oauth.request((String) null);
        this.oauth.requestUri(requestUri);
        Assert.assertNotNull(this.oauth.doLogin("test-user@localhost", "password").getCode());
        this.oauth.openLogout();
        createValidRequestObjectForSecureRequestObjectExecutor.exp((Long) null);
        this.oauth.requestUri((String) null);
        this.oauth.request(signRequestObject(createValidRequestObjectForSecureRequestObjectExecutor));
        String requestUri2 = this.oauth.doPushedAuthorizationRequest(generateSuffixedName, "secret").getRequestUri();
        this.oauth.request((String) null);
        this.oauth.requestUri(requestUri2);
        this.oauth.openLoginForm();
        Assert.assertEquals("invalid_request_uri", this.oauth.getCurrentQuery().get("error"));
        TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject createValidRequestObjectForSecureRequestObjectExecutor2 = createValidRequestObjectForSecureRequestObjectExecutor(generateSuffixedName);
        createValidRequestObjectForSecureRequestObjectExecutor2.nbf((Long) null);
        this.oauth.requestUri((String) null);
        this.oauth.request(signRequestObject(createValidRequestObjectForSecureRequestObjectExecutor2));
        String requestUri3 = this.oauth.doPushedAuthorizationRequest(generateSuffixedName, "secret").getRequestUri();
        this.oauth.request((String) null);
        this.oauth.requestUri(requestUri3);
        this.oauth.openLoginForm();
        Assert.assertEquals("invalid_request_uri", this.oauth.getCurrentQuery().get("error"));
        TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject createValidRequestObjectForSecureRequestObjectExecutor3 = createValidRequestObjectForSecureRequestObjectExecutor(generateSuffixedName);
        createValidRequestObjectForSecureRequestObjectExecutor3.audience(new String[]{"https://www.other1.example.com/"});
        this.oauth.request(signRequestObject(createValidRequestObjectForSecureRequestObjectExecutor3));
        this.oauth.requestUri((String) null);
        String requestUri4 = this.oauth.doPushedAuthorizationRequest(generateSuffixedName, "secret").getRequestUri();
        this.oauth.request((String) null);
        this.oauth.requestUri(requestUri4);
        this.oauth.openLoginForm();
        Assert.assertEquals("invalid_request_uri", this.oauth.getCurrentQuery().get("error"));
        TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject createValidRequestObjectForSecureRequestObjectExecutor4 = createValidRequestObjectForSecureRequestObjectExecutor(generateSuffixedName);
        createValidRequestObjectForSecureRequestObjectExecutor4.setOtherClaims("request_uri", "foo");
        this.oauth.request(signRequestObject(createValidRequestObjectForSecureRequestObjectExecutor4));
        this.oauth.requestUri((String) null);
        Assert.assertEquals("invalid_request_object", this.oauth.doPushedAuthorizationRequest(generateSuffixedName, "secret").getError());
    }

    /**
     * Registers the given request object with the test application under PS256 and returns
     * whatever the test application then reports as the OIDC request.
     *
     * <p>Before the keys are generated, the client currently selected on {@code this.oauth} is
     * updated through the admin API to use a JWKS URL, pointing at the test application's JWKS
     * endpoint, so that the realm resolves the client's keys from there.
     *
     * @param authorizationEndpointRequestObject request object to serialize and register
     * @return the value returned by the test application's {@code getOIDCRequest()}
     * @throws IOException propagated from the JSON serialization of the request object
     */
    private String signRequestObject(TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject authorizationEndpointRequestObject) throws IOException {
        byte[] requestJson = JsonSerialization.writeValueAsBytes(authorizationEndpointRequestObject);
        String encodedRequest = Base64Url.encode(requestJson);
        TestOIDCEndpointsApplicationResource testAppEndpoints = this.testingClient.testApp().oidcClientEndpoints();

        // Switch the client to JWKS-URL key resolution and persist that change.
        ClientResource clientResource = ApiUtil.findClientByClientId(
                this.adminClient.realm(this.oauth.getRealm()), this.oauth.getClientId());
        ClientRepresentation clientRep = clientResource.toRepresentation();
        OIDCAdvancedConfigWrapper oidcConfig = OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep);
        oidcConfig.setUseJwksUrl(true);
        oidcConfig.setJwksUrl(TestApplicationResourceUrls.clientJwksUri());
        clientResource.update(clientRep);

        // Key generation and request registration use the same algorithm name.
        testAppEndpoints.generateKeys("PS256");
        testAppEndpoints.registerOIDCRequest(encodedRequest, "PS256");
        return testAppEndpoints.getOIDCRequest();
    }

    /**
     * Checks the {@code secure-session} executor against two confidential clients.
     *
     * <p>The policy condition names only {@code sample-client-role-beta}. The test expects the
     * Alpha client (which carries a different role) to log in without extra parameters, and the
     * Beta client to be rejected until a {@code nonce} (with openid enabled) or a {@code state}
     * (with openid disabled) is supplied.
     */
    @Test
    public void testSecureSessionEnforceExecutor() throws Exception {
        updateProfiles(new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "Den Forste Profilen")
                        .addExecutor("secure-session", null)
                        .toRepresentation())
                .toString());
        updatePolicies(new ClientPoliciesUtil.ClientPoliciesBuilder()
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy", "Den Forste Politikken", Boolean.TRUE)
                        .addCondition("client-roles", ClientPoliciesUtil.createClientRolesConditionConfig(Arrays.asList("sample-client-role-beta")))
                        .addProfile("MyProfile")
                        .toRepresentation())
                .toString());

        // Alpha: role not named by the policy condition.
        final String alphaSecret = "secretAlpha";
        String alphaClientId = generateSuffixedName("Alpha-App");
        String alphaId = createClientByAdmin(alphaClientId, rep -> rep.setSecret(alphaSecret));
        this.adminClient.realm("test").clients().get(alphaId).roles()
                .create(RoleBuilder.create().name("sample-client-role-alpha").build());

        // Beta: role named by the policy condition.
        final String betaSecret = "secretBeta";
        String betaClientId = generateSuffixedName("Beta-App");
        String betaId = createClientByAdmin(betaClientId, rep -> rep.setSecret(betaSecret));
        this.adminClient.realm("test").clients().get(betaId).roles()
                .create(RoleBuilder.create().name("sample-client-role-beta").build());

        // Alpha logs in both with the current openid setting and with openid(false).
        successfulLoginAndLogout(alphaClientId, "secretAlpha");
        this.oauth.openid(false);
        successfulLoginAndLogout(alphaClientId, "secretAlpha");

        // Beta with openid(true): rejected without a nonce, accepted once one is set.
        this.oauth.openid(true);
        failLoginWithoutSecureSessionParameter(betaClientId, "Missing parameter: nonce");
        this.oauth.nonce("yesitisnonce");
        successfulLoginAndLogout(betaClientId, "secretBeta");

        // Beta with openid(false): rejected without a state, accepted once a random state is used.
        this.oauth.openid(false);
        this.oauth.stateParamHardcoded((String) null);
        failLoginWithoutSecureSessionParameter(betaClientId, "Missing parameter: state");
        this.oauth.stateParamRandom();
        successfulLoginAndLogout(betaClientId, "secretBeta");
    }

    /**
     * Checks the {@code secure-signature-algorithm} executor for clients managed through the admin
     * API and through dynamic client registration.
     *
     * <p>Covered expectations, in order: registration with {@code none} or another disallowed
     * algorithm is rejected; clients created without explicit algorithms receive the default
     * ({@code PS256} with no executor config, otherwise the configured value); updates to a
     * disallowed algorithm leave the stored value unchanged; updates to an allowed algorithm are
     * stored.
     */
    @Test
    public void testSecureSigningAlgorithmEnforceExecutor() throws Exception {
        // Client attribute keys checked for admin-managed clients, in assertion order.
        final String userInfoAlgKey = "user.info.response.signature.alg";
        final String requestObjectAlgKey = "request.object.signature.alg";
        final String idTokenAlgKey = "id.token.signed.response.alg";
        final String tokenEndpointAuthAlgKey = "token.endpoint.auth.signing.alg";
        final String accessTokenAlgKey = "access.token.signed.response.alg";
        final List<String> adminAlgKeys = Arrays.asList(
                userInfoAlgKey, requestObjectAlgKey, idTokenAlgKey, tokenEndpointAuthAlgKey, accessTokenAlgKey);

        updateProfiles(new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "Den Forsta Profilen")
                        .addExecutor("secure-signature-algorithm", null)
                        .toRepresentation())
                .toString());
        updatePolicies(new ClientPoliciesUtil.ClientPoliciesBuilder()
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy", "Den Forsta Policyn", Boolean.TRUE)
                        .addCondition("client-updater-context", ClientPoliciesUtil.createClientUpdateContextConditionConfig(
                                Arrays.asList("ByAuthenticatedUser", "ByInitialAccessToken", "ByRegistrationAccessToken")))
                        .addProfile("MyProfile")
                        .toRepresentation())
                .toString());

        // Admin registration asking for the "none" algorithm must be refused.
        try {
            createClientByAdmin(generateSuffixedName("App-by-Admin"), rep -> {
                rep.setSecret("secret");
                rep.setAttributes(new HashMap<>());
                rep.getAttributes().put(userInfoAlgKey, Algorithm.none.name());
            });
            Assert.fail();
        } catch (ClientPolicyException expected) {
            Assert.assertEquals("invalid_request", expected.getMessage());
        }

        // Admin registration with explicit PS256/ES256 algorithms is accepted.
        String explicitAlgId = createClientByAdmin(generateSuffixedName("App-by-Admin"), rep -> {
            rep.setAttributes(new HashMap<>());
            rep.getAttributes().put(userInfoAlgKey, "PS256");
            rep.getAttributes().put(requestObjectAlgKey, "ES256");
            rep.getAttributes().put(idTokenAlgKey, "ES256");
            rep.getAttributes().put(tokenEndpointAuthAlgKey, "ES256");
            rep.getAttributes().put(accessTokenAlgKey, "ES256");
        });

        // Admin registration with no algorithm at all: every key is expected to come back as PS256.
        String defaultedAlgId = createClientByAdmin(generateSuffixedName("App-by-Admin2"), rep -> {
        });
        ClientRepresentation defaultedByAdmin = getClientByAdmin(defaultedAlgId);
        for (String key : adminAlgKeys) {
            Assert.assertEquals("PS256", defaultedByAdmin.getAttributes().get(key));
        }

        // Update to RS512: the stored value must stay ES256.
        // NOTE(review): unlike the other negative cases there is no Assert.fail() after the call,
        // so only the ES256 assertion below detects an update that was wrongly accepted - confirm
        // whether the exception itself is meant to be mandatory here.
        try {
            updateClientByAdmin(explicitAlgId, rep -> {
                rep.setAttributes(new HashMap<>());
                rep.getAttributes().put(accessTokenAlgKey, "RS512");
            });
        } catch (ClientPolicyException rejected) {
            Assert.assertEquals("invalid_request", rejected.getError());
        }
        Assert.assertEquals("ES256", getClientByAdmin(explicitAlgId).getAttributes().get(accessTokenAlgKey));

        // Update to PS384 is accepted and stored.
        updateClientByAdmin(explicitAlgId, rep -> {
            rep.setAttributes(new HashMap<>());
            rep.getAttributes().put(accessTokenAlgKey, "PS384");
        });
        Assert.assertEquals("PS384", getClientByAdmin(explicitAlgId).getAttributes().get(accessTokenAlgKey));

        // Executor configured with ES256: removing the algorithms is expected to yield ES256.
        updateProfiles(new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "Den Forsta Profilen")
                        .addExecutor("secure-signature-algorithm", ClientPoliciesUtil.createSecureSigningAlgorithmEnforceExecutorConfig("ES256"))
                        .toRepresentation())
                .toString());
        updateClientByAdmin(defaultedAlgId, rep -> {
            for (String key : adminAlgKeys) {
                rep.getAttributes().remove(key);
            }
        });
        ClientRepresentation redefaultedByAdmin = getClientByAdmin(defaultedAlgId);
        for (String key : adminAlgKeys) {
            Assert.assertEquals("ES256", redefaultedByAdmin.getAttributes().get(key));
        }

        // Executor configured with RS512: RS384 is still refused at admin registration.
        updateProfiles(new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "Den Forsta Profilen")
                        .addExecutor("secure-signature-algorithm", ClientPoliciesUtil.createSecureSigningAlgorithmEnforceExecutorConfig("RS512"))
                        .toRepresentation())
                .toString());
        try {
            createClientByAdmin(generateSuffixedName("App-in-Dynamic"), rep -> {
                rep.setSecret("secret");
                rep.setAttributes(new HashMap<>());
                rep.getAttributes().put(userInfoAlgKey, "RS384");
            });
            Assert.fail();
        } catch (ClientPolicyException expected) {
            Assert.assertEquals("invalid_request", expected.getMessage());
        }

        // Dynamic registration with ES256/PS256 is accepted and produces a CLIENT_REGISTER event.
        String dynamicClientId = createClientDynamically(generateSuffixedName("App-in-Dynamic"), oidcRep -> {
            oidcRep.setUserinfoSignedResponseAlg("ES256");
            oidcRep.setRequestObjectSigningAlg("ES256");
            oidcRep.setIdTokenSignedResponseAlg("PS256");
            oidcRep.setTokenEndpointAuthSigningAlg("PS256");
        });
        this.events.expect(EventType.CLIENT_REGISTER)
                .client(dynamicClientId)
                .user(Matchers.isEmptyOrNullString())
                .assertEvent();

        // Dynamic update to RS256 is refused and the stored PS256 is kept.
        try {
            updateClientDynamically(dynamicClientId, oidcRep -> oidcRep.setIdTokenSignedResponseAlg("RS256"));
            Assert.fail();
        } catch (ClientRegistrationException expected) {
            Assert.assertEquals("Failed to send request", expected.getMessage());
        }
        Assert.assertEquals("PS256", getClientDynamically(dynamicClientId).getIdTokenSignedResponseAlg());

        // Dynamic update to ES384 is accepted.
        updateClientDynamically(dynamicClientId, oidcRep -> oidcRep.setIdTokenSignedResponseAlg("ES384"));
        Assert.assertEquals("ES384", getClientDynamically(dynamicClientId).getIdTokenSignedResponseAlg());

        // Dynamic registration with no algorithm: all four values are expected to be PS256.
        restartAuthenticatedClientRegistrationSetting();
        String defaultedDynamicId = createClientDynamically(generateSuffixedName("App-in-Dynamic"), oidcRep -> {
        });
        OIDCClientRepresentation defaultedDynamic = getClientDynamically(defaultedDynamicId);
        Assert.assertEquals("PS256", defaultedDynamic.getUserinfoSignedResponseAlg());
        Assert.assertEquals("PS256", defaultedDynamic.getRequestObjectSigningAlg());
        Assert.assertEquals("PS256", defaultedDynamic.getIdTokenSignedResponseAlg());
        Assert.assertEquals("PS256", defaultedDynamic.getTokenEndpointAuthSigningAlg());

        // Executor configured with ES256: clearing the algorithms is expected to yield ES256.
        updateProfiles(new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "Den Forsta Profilen")
                        .addExecutor("secure-signature-algorithm", ClientPoliciesUtil.createSecureSigningAlgorithmEnforceExecutorConfig("ES256"))
                        .toRepresentation())
                .toString());
        updateClientDynamically(defaultedDynamicId, oidcRep -> {
            oidcRep.setUserinfoSignedResponseAlg((String) null);
            oidcRep.setRequestObjectSigningAlg((String) null);
            oidcRep.setIdTokenSignedResponseAlg((String) null);
            oidcRep.setTokenEndpointAuthSigningAlg((String) null);
        });
        OIDCClientRepresentation redefaultedDynamic = getClientDynamically(defaultedDynamicId);
        Assert.assertEquals("ES256", redefaultedDynamic.getUserinfoSignedResponseAlg());
        Assert.assertEquals("ES256", redefaultedDynamic.getRequestObjectSigningAlg());
        Assert.assertEquals("ES256", redefaultedDynamic.getIdTokenSignedResponseAlg());
        Assert.assertEquals("ES256", redefaultedDynamic.getTokenEndpointAuthSigningAlg());
    }

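    /**
     * Checks the {@code secure-client-uris} executor on client registration and update.
     *
     * <p>The test first expects one update that sets only {@code https} URIs without wildcards on
     * every checked field to be accepted. It then expects each field to be rejected on its own
     * with {@code invalid_client_metadata} when it carries a plain {@code http} URI, a wildcard,
     * or a malformed or non-https scheme. Dynamic registration and dynamic update with a
     * non-conforming redirect URI are expected to fail as well.
     *
     * <p>Setup steps that must succeed rethrow as {@link AssertionError} with the original
     * exception attached, so the reason is visible in the test report.
     */
    @Test
    public void testSecureClientRegisteringUriEnforceExecutor() throws Exception {
        updateProfiles(new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "Ensimmainen Profiili")
                        .addExecutor("secure-client-uris", null)
                        .toRepresentation())
                .toString());
        updatePolicies(new ClientPoliciesUtil.ClientPoliciesBuilder()
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy", "Ensimmainen Politiikka", Boolean.TRUE)
                        .addCondition("client-updater-context", ClientPoliciesUtil.createClientUpdateContextConditionConfig(
                                Arrays.asList("ByAuthenticatedUser", "ByInitialAccessToken", "ByRegistrationAccessToken")))
                        .addProfile("MyProfile")
                        .toRepresentation())
                .toString());

        // Dynamic registration with a plain-http redirect URI is refused.
        try {
            createClientDynamically(generateSuffixedName(CLIENT_NAME), oidcRep ->
                    oidcRep.setRedirectUris(Collections.singletonList("http://newredirect")));
            Assert.fail();
        } catch (ClientRegistrationException expected) {
            Assert.assertEquals("Failed to send request", expected.getMessage());
        }

        // A service-account client without any redirect URI must be accepted.
        String clientId = generateSuffixedName(CLIENT_NAME);
        String internalId;
        try {
            internalId = createClientByAdmin(clientId, rep -> {
                rep.setServiceAccountsEnabled(Boolean.TRUE);
                rep.setRedirectUris((List<String>) null);
            });
        } catch (Exception e) {
            // Keep the cause: a bare Assert.fail() would hide why the registration was refused.
            throw new AssertionError("registering a service-account client without redirect URIs failed", e);
        }

        updateClientByAdmin(internalId, rep -> {
            rep.setRedirectUris((List<String>) null);
            rep.setServiceAccountsEnabled(Boolean.FALSE);
        });
        Assert.assertEquals(false, getClientByAdmin(internalId).isServiceAccountsEnabled());

        // Same policy, now without "ByInitialAccessToken" in the updater-context condition.
        updatePolicies(new ClientPoliciesUtil.ClientPoliciesBuilder()
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy", "Paivitetyn Ensimmaisen Politiikka", Boolean.TRUE)
                        .addCondition("client-updater-context", ClientPoliciesUtil.createClientUpdateContextConditionConfig(
                                Arrays.asList("ByAuthenticatedUser", "ByRegistrationAccessToken")))
                        .addProfile("MyProfile")
                        .toRepresentation())
                .toString());

        // Dynamic update with a wildcard redirect URI is refused.
        try {
            updateClientDynamically(clientId, oidcRep ->
                    oidcRep.setRedirectUris(Collections.singletonList("https://newredirect/*")));
            Assert.fail();
        } catch (ClientRegistrationException expected) {
            Assert.assertEquals("Failed to send request", expected.getMessage());
        }

        // Baseline: every checked field set to an https URI without wildcards must be accepted.
        try {
            updateClientByAdmin(internalId, rep -> {
                rep.setRootUrl("https://client.example.com/");
                rep.setAdminUrl("https://client.example.com/admin/");
                rep.setBaseUrl("https://client.example.com/base/");
                rep.setWebOrigins(Arrays.asList("https://valid.other.client.example.com/", "https://valid.another.client.example.com/"));
                Map<String, String> attrs = Optional.ofNullable(rep.getAttributes()).orElse(new HashMap<>());
                attrs.put("backchannel.logout.url", "https://client.example.com/logout/");
                rep.setAttributes(attrs);
                rep.setRedirectUris(Arrays.asList("https://client.example.com/redirect/", "https://client.example.com/callback/"));
                attrs.put("jwks.url", "https://client.example.com/jwks/");
                rep.setAttributes(attrs);
                // The attribute map has to be attached before this call: the helper writes
                // through rep.getAttributes().
                setAttributeMultivalued(rep, "request.uris", Arrays.asList("https://client.example.com/request/", "https://client.example.com/reqobj/"));
                attrs.put("ciba.backchannel.client.notification.endpoint", "https://client.example.com/client-notification/");
                rep.setAttributes(attrs);
            });
        } catch (Exception e) {
            // Keep the cause so the report names the field the executor objected to.
            throw new AssertionError("updating the client with https-only URIs failed", e);
        }

        // rootUrl: plain http plus wildcard.
        try {
            updateClientByAdmin(internalId, rep -> rep.setRootUrl("http://client.example.com/*/"));
            Assert.fail();
        } catch (ClientPolicyException expected) {
            Assert.assertEquals("invalid_client_metadata", expected.getError());
            Assert.assertEquals("Invalid rootUrl", expected.getErrorDetail());
        }

        // adminUrl: plain http.
        try {
            updateClientByAdmin(internalId, rep -> rep.setAdminUrl("http://client.example.com/admin/"));
            Assert.fail();
        } catch (ClientPolicyException expected) {
            Assert.assertEquals("invalid_client_metadata", expected.getError());
            Assert.assertEquals("Invalid adminUrl", expected.getErrorDetail());
        }

        // baseUrl: https but with a wildcard.
        try {
            updateClientByAdmin(internalId, rep -> rep.setBaseUrl("https://client.example.com/base/*"));
            Assert.fail();
        } catch (ClientPolicyException expected) {
            Assert.assertEquals("invalid_client_metadata", expected.getError());
            Assert.assertEquals("Invalid baseUrl", expected.getErrorDetail());
        }

        // webOrigins: plain http.
        try {
            updateClientByAdmin(internalId, rep ->
                    rep.setWebOrigins(Arrays.asList("http://valid.another.client.example.com/")));
            Assert.fail();
        } catch (ClientPolicyException expected) {
            Assert.assertEquals("invalid_client_metadata", expected.getError());
            Assert.assertEquals("Invalid webOrigins", expected.getErrorDetail());
        }

        // backchannel logout URL: misspelled scheme ("httpss").
        try {
            updateClientByAdmin(internalId, rep -> {
                Map<String, String> attrs = Optional.ofNullable(rep.getAttributes()).orElse(new HashMap<>());
                attrs.put("backchannel.logout.url", "httpss://client.example.com/logout/");
                rep.setAttributes(attrs);
            });
            Assert.fail();
        } catch (ClientPolicyException expected) {
            Assert.assertEquals("invalid_client_metadata", expected.getError());
            Assert.assertEquals("Invalid logoutUrl", expected.getErrorDetail());
        }

        // redirectUris: one valid entry does not excuse a second entry with the ftp scheme.
        try {
            updateClientByAdmin(internalId, rep ->
                    rep.setRedirectUris(Arrays.asList("https://client.example.com/redirect/", "ftp://client.example.com/callback/")));
            Assert.fail();
        } catch (ClientPolicyException expected) {
            Assert.assertEquals("invalid_client_metadata", expected.getError());
            Assert.assertEquals("Invalid redirectUris", expected.getErrorDetail());
        }

        // jwks.url: scheme containing a space.
        try {
            updateClientByAdmin(internalId, rep -> {
                Map<String, String> attrs = Optional.ofNullable(rep.getAttributes()).orElse(new HashMap<>());
                attrs.put("jwks.url", "http s://client.example.com/jwks/");
                rep.setAttributes(attrs);
            });
            Assert.fail();
        } catch (ClientPolicyException expected) {
            Assert.assertEquals("invalid_client_metadata", expected.getError());
            Assert.assertEquals("Invalid jwksUri", expected.getErrorDetail());
        }

        // request.uris: wildcard in one of the entries.
        try {
            updateClientByAdmin(internalId, rep ->
                    setAttributeMultivalued(rep, "request.uris", Arrays.asList("https://client.example.com/request/*", "https://client.example.com/reqobj/")));
            Assert.fail();
        } catch (ClientPolicyException expected) {
            Assert.assertEquals("invalid_client_metadata", expected.getError());
            Assert.assertEquals("Invalid requestUris", expected.getErrorDetail());
        }

        // CIBA client notification endpoint: plain http.
        try {
            updateClientByAdmin(internalId, rep -> {
                Map<String, String> attrs = Optional.ofNullable(rep.getAttributes()).orElse(new HashMap<>());
                attrs.put("ciba.backchannel.client.notification.endpoint", "http://client.example.com/client-notification/");
                rep.setAttributes(attrs);
            });
            Assert.fail();
        } catch (ClientPolicyException expected) {
            Assert.assertEquals("invalid_client_metadata", expected.getError());
            Assert.assertEquals("Invalid cibaClientNotificationEndpoint", expected.getErrorDetail());
        }
    }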

    /**
     * Checks that client policies are evaluated for a client-credentials (service account) token
     * request.
     *
     * <p>A profile with the {@code test-raise-exception} executor is bound to every client through
     * the {@code any-client} condition. The token request is then expected to come back as a 400
     * whose error equals {@code ClientPolicyEvent.SERVICE_ACCOUNT_TOKEN_REQUEST} and whose
     * description is the executor's message. The client id previously selected on
     * {@code this.oauth} is restored afterwards, whether or not the assertions pass.
     */
    @Test
    public void testClientPolicyTriggeredForServiceAccountRequest() throws Exception {
        final String appSecret = "app-secret";
        // Confidential client with only the service-account flow enabled.
        createClientByAdmin("service-account-app", rep -> {
            rep.setSecret(appSecret);
            rep.setStandardFlowEnabled(Boolean.FALSE);
            rep.setImplicitFlowEnabled(Boolean.FALSE);
            rep.setServiceAccountsEnabled(Boolean.TRUE);
            rep.setPublicClient(Boolean.FALSE);
            rep.setBearerOnly(Boolean.FALSE);
        });

        updateProfiles(new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "Den Forste Profilen")
                        .addExecutor("test-raise-exception", null)
                        .toRepresentation())
                .toString());
        updatePolicies(new ClientPoliciesUtil.ClientPoliciesBuilder()
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy", "La Premiere Politique", Boolean.TRUE)
                        .addCondition("any-client", ClientPoliciesUtil.createAnyClientConditionConfig())
                        .addProfile("MyProfile")
                        .toRepresentation())
                .toString());

        String previousClientId = this.oauth.getClientId();
        this.oauth.clientId("service-account-app");
        try {
            OAuthClient.AccessTokenResponse tokenResponse = this.oauth.doClientCredentialsGrantAccessTokenRequest("app-secret");
            Assert.assertEquals(400L, tokenResponse.getStatusCode());
            Assert.assertEquals(ClientPolicyEvent.SERVICE_ACCOUNT_TOKEN_REQUEST.toString(), tokenResponse.getError());
            Assert.assertEquals("Exception thrown intentionally", tokenResponse.getErrorDescription());
        } finally {
            // this.oauth is shared state; put the original client id back on every path.
            this.oauth.clientId(previousClientId);
        }
    }

    /**
     * Reads a client attribute that stores several values in one string and splits it with
     * {@code Constants.CFG_DELIMITER_PATTERN}.
     *
     * @param clientRepresentation client whose attributes are read; a {@code null} attribute map
     *     is treated as empty
     * @param str attribute key
     * @return the split values, or an empty list when the attribute is absent
     */
    private List<String> getAttributeMultivalued(ClientRepresentation clientRepresentation, String str) {
        Map<String, String> attributes = clientRepresentation.getAttributes();
        if (attributes == null) {
            attributes = Collections.emptyMap();
        }
        String joinedValue = attributes.get(str);
        if (joinedValue == null) {
            return Collections.emptyList();
        }
        return Arrays.asList(Constants.CFG_DELIMITER_PATTERN.split(joinedValue));
    }

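    /**
     * Stores several values under one client attribute by joining them with
     * {@code Constants.CFG_DELIMITER}, the delimiter that {@code getAttributeMultivalued} splits
     * on.
     *
     * <p>A client representation without an attribute map gets a fresh one, mirroring the
     * null-tolerant behavior of {@code getAttributeMultivalued}; previously this case threw a
     * {@link NullPointerException}.
     *
     * @param clientRepresentation client whose attributes are written
     * @param str attribute key
     * @param list values to join and store
     */
    private void setAttributeMultivalued(ClientRepresentation clientRepresentation, String str, List<String> list) {
        Map<String, String> attributes = clientRepresentation.getAttributes();
        if (attributes == null) {
            attributes = new HashMap<>();
            clientRepresentation.setAttributes(attributes);
        }
        attributes.put(str, String.join(Constants.CFG_DELIMITER, list));
    }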

    /**
     * Checks that a {@code client-jwt} client whose assertions are signed with ES256 can use the
     * token, refresh, introspection, revocation and logout endpoints while the
     * {@code secure-signature-algorithm-signed-jwt} executor is active.
     *
     * <p>The policy condition names {@code sample-client-role-alpha} and
     * {@code sample-client-role-zeta}; the client under test carries the alpha role.
     */
    @Test
    public void testSecureSigningAlgorithmForSignedJwtEnforceExecutorWithSecureAlg() throws Exception {
        final String signingAlg = "ES256";

        updateProfiles(new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "Ensimmainen Profiili")
                        .addExecutor("secure-signature-algorithm-signed-jwt", ClientPoliciesUtil.createSecureSigningAlgorithmForSignedJwtEnforceExecutorConfig(Boolean.TRUE))
                        .toRepresentation())
                .toString());
        updatePolicies(new ClientPoliciesUtil.ClientPoliciesBuilder()
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy", "Den Forste Politikken", Boolean.TRUE)
                        .addCondition("client-roles", ClientPoliciesUtil.createClientRolesConditionConfig(Arrays.asList("sample-client-role-alpha", "sample-client-role-zeta")))
                        .addProfile("MyProfile")
                        .toRepresentation())
                .toString());

        String clientId = generateSuffixedName(CLIENT_NAME);
        String internalId = createClientByAdmin(clientId, rep -> {
            rep.setSecret("secret");
            rep.setClientAuthenticatorType("client-jwt");
            rep.setAttributes(new HashMap<>());
            rep.getAttributes().put("token.endpoint.auth.signing.alg", "ES256");
        });
        this.adminClient.realm("test").clients().get(internalId).roles()
                .create(RoleBuilder.create().name("sample-client-role-alpha").build());
        this.adminClient.realm("test").clients().get(internalId).roles()
                .create(RoleBuilder.create().name("sample-client-role-common").build());

        // Register an ES256 key pair for the client and prepare the first client assertion.
        ClientResource clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), clientId);
        KeyPair clientKeys = setupJwks(signingAlg, clientResource.toRepresentation(), clientResource);
        PublicKey verificationKey = clientKeys.getPublic();
        PrivateKey signingKey = clientKeys.getPrivate();
        String codeExchangeAssertion = createSignedRequestToken(clientId, signingKey, verificationKey, signingAlg);

        this.oauth.clientId(clientId);
        this.oauth.doLogin("test-user@localhost", "password");
        EventRepresentation loginEvent = this.events.expectLogin().client(clientId).assertEvent();
        String sessionId = loginEvent.getSessionId();

        // Authorization code -> tokens.
        OAuthClient.AccessTokenResponse codeResponse = doAccessTokenRequestWithSignedJWT(
                (String) this.oauth.getCurrentQuery().get("code"), codeExchangeAssertion);
        Assert.assertEquals(200L, codeResponse.getStatusCode());
        this.oauth.verifyToken(codeResponse.getAccessToken());
        RefreshToken issuedRefreshToken = this.oauth.parseRefreshToken(codeResponse.getRefreshToken());
        Assert.assertEquals(sessionId, issuedRefreshToken.getSessionState());
        // NOTE(review): same assertion as the line above; one of the two was possibly meant to
        // check the access token returned by verifyToken() - confirm.
        Assert.assertEquals(sessionId, issuedRefreshToken.getSessionState());
        this.events.expectCodeToToken((String) loginEvent.getDetails().get("code_id"), loginEvent.getSessionId())
                .client(clientId)
                .detail("client_auth_method", "client-jwt")
                .assertEvent();

        // Refresh; each request below gets a newly created client assertion.
        OAuthClient.AccessTokenResponse refreshResponse = doRefreshTokenRequestWithSignedJWT(
                codeResponse.getRefreshToken(),
                createSignedRequestToken(clientId, signingKey, verificationKey, signingAlg));
        Assert.assertEquals(200L, refreshResponse.getStatusCode());

        // Introspection of the refreshed access token.
        Assert.assertEquals(200L, doTokenIntrospectionWithSignedJWT(
                "access_token",
                refreshResponse.getAccessToken(),
                createSignedRequestToken(clientId, signingKey, verificationKey, signingAlg)).getStatusLine().getStatusCode());

        // Revocation of the refreshed refresh token.
        // NOTE(review): "refresh_toke" looks like a typo of "refresh_token"; kept as-is because
        // it changes what is sent to the revocation endpoint - confirm the intent.
        Assert.assertEquals(200L, doTokenRevokeWithSignedJWT(
                "refresh_toke",
                refreshResponse.getRefreshToken(),
                createSignedRequestToken(clientId, signingKey, verificationKey, signingAlg)).getStatusLine().getStatusCode());

        // The revoked refresh token can no longer be exchanged.
        OAuthClient.AccessTokenResponse afterRevocation = doRefreshTokenRequestWithSignedJWT(
                refreshResponse.getRefreshToken(),
                createSignedRequestToken(clientId, signingKey, verificationKey, signingAlg));
        Assert.assertEquals(400L, afterRevocation.getStatusCode());
        Assert.assertEquals("invalid_grant", afterRevocation.getError());

        // Logout with the same refresh token is still answered with 204.
        Assert.assertEquals(204L, doLogoutWithSignedJWT(
                refreshResponse.getRefreshToken(),
                createSignedRequestToken(clientId, signingKey, verificationKey, signingAlg)).getStatusLine().getStatusCode());
    }

    /**
     * Checks that a {@code client-jwt} client whose assertion is signed with RS256 is refused at
     * the token endpoint while the {@code secure-signature-algorithm-signed-jwt} executor is
     * active.
     *
     * <p>The expected response is a 400 {@code invalid_grant} with the description
     * {@code "not allowed signature algorithm."}.
     */
    @Test
    public void testSecureSigningAlgorithmForSignedJwtEnforceExecutorWithNotSecureAlg() throws Exception {
        final String signingAlg = "RS256";

        // NOTE(review): the executor config flag is FALSE here and TRUE in the ES256 variant of
        // this test; its meaning is not visible in this file - confirm against ClientPoliciesUtil.
        updateProfiles(new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "Ensimmainen Profiili")
                        .addExecutor("secure-signature-algorithm-signed-jwt", ClientPoliciesUtil.createSecureSigningAlgorithmForSignedJwtEnforceExecutorConfig(Boolean.FALSE))
                        .toRepresentation())
                .toString());
        updatePolicies(new ClientPoliciesUtil.ClientPoliciesBuilder()
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy", "Den Forste Politikken", Boolean.TRUE)
                        .addCondition("client-roles", ClientPoliciesUtil.createClientRolesConditionConfig(Arrays.asList("sample-client-role-alpha", "sample-client-role-zeta")))
                        .addProfile("MyProfile")
                        .toRepresentation())
                .toString());

        String clientId = generateSuffixedName(CLIENT_NAME);
        String internalId = createClientByAdmin(clientId, rep -> {
            rep.setSecret("secret");
            rep.setClientAuthenticatorType("client-jwt");
            rep.setAttributes(new HashMap<>());
            rep.getAttributes().put("token.endpoint.auth.signing.alg", "RS256");
        });
        this.adminClient.realm("test").clients().get(internalId).roles()
                .create(RoleBuilder.create().name("sample-client-role-alpha").build());
        this.adminClient.realm("test").clients().get(internalId).roles()
                .create(RoleBuilder.create().name("sample-client-role-common").build());

        // Register an RS256 key pair for the client and sign the client assertion with it.
        ClientResource clientResource = ApiUtil.findClientByClientId(this.adminClient.realm("test"), clientId);
        KeyPair clientKeys = setupJwks(signingAlg, clientResource.toRepresentation(), clientResource);
        String clientAssertion = createSignedRequestToken(clientId, clientKeys.getPrivate(), clientKeys.getPublic(), signingAlg);

        this.oauth.clientId(clientId);
        this.oauth.doLogin("test-user@localhost", "password");
        // Login itself is expected to succeed; the session id is read but not used afterwards.
        this.events.expectLogin().client(clientId).assertEvent().getSessionId();

        // The code exchange authenticated with the RS256 assertion is refused.
        OAuthClient.AccessTokenResponse codeResponse = doAccessTokenRequestWithSignedJWT(
                (String) this.oauth.getCurrentQuery().get("code"), clientAssertion);
        Assert.assertEquals(400L, codeResponse.getStatusCode());
        Assert.assertEquals("invalid_grant", codeResponse.getError());
        Assert.assertEquals("not allowed signature algorithm.", codeResponse.getErrorDescription());
    }

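    /**
     * Runs the mutual-TLS token flow against the default test client while the
     * {@code holder-of-key-enforcer} executor applies to every client.
     *
     * <p>The test is skipped unless the auth server requires TLS. The checks themselves live in
     * {@code checkMtlsFlow()}, which drives the token endpoints with mutual-TLS HTTP clients and
     * expects requests made with a different key store, or with none, to be rejected.
     *
     * @throws Exception if a setup step or request fails unexpectedly
     */
    @Test
    public void testHolderOfKeyEnforceExecutor() throws Exception {
        Assume.assumeTrue("This test must be executed with enabled TLS.", ServerURLs.AUTH_SERVER_SSL_REQUIRED);

        // NOTE(review): the Boolean arguments of both executor configs are defined in ClientPoliciesUtil — confirm their meaning there.
        String profilesJson = new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "Az Elso Profil")
                        .addExecutor("holder-of-key-enforcer",
                                ClientPoliciesUtil.createHolderOfKeyEnforceExecutorConfig(Boolean.TRUE))
                        .addExecutor("secure-signature-algorithm-signed-jwt",
                                ClientPoliciesUtil.createSecureSigningAlgorithmForSignedJwtEnforceExecutorConfig(Boolean.FALSE))
                        .toRepresentation())
                .toString();
        updateProfiles(profilesJson);

        String policiesJson = new ClientPoliciesUtil.ClientPoliciesBuilder()
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy", "Az Elso Politika", Boolean.TRUE)
                        .addCondition("any-client", ClientPoliciesUtil.createAnyClientConditionConfig())
                        .addProfile("MyProfile")
                        .toRepresentation())
                .toString();
        updatePolicies(policiesJson);

        // try-with-resources replaces the hand-expanded close/addSuppressed scaffolding: the
        // updater is closed on success and on failure, and a failure of close() is attached as a
        // suppressed exception instead of replacing the original one.
        try (ClientAttributeUpdater forClient = ClientAttributeUpdater.forClient(this.adminClient, "test", AssertEvents.DEFAULT_CLIENT_ID)) {
            ClientRepresentation representation = ((ClientResource) forClient.getResource()).toRepresentation();
            Assert.assertNotNull(representation);
            // NOTE(review): the flag is set on a representation fetched here; whether
            // forClient.update() sends this object or the updater's own copy is decided inside
            // ClientAttributeUpdater — confirm the flag actually reaches the server.
            OIDCAdvancedConfigWrapper.fromClientRepresentation(representation).setUseMtlsHoKToken(true);
            forClient.update();
            checkMtlsFlow();
        }
    }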

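    /**
     * Checks that the Boolean passed to the {@code any-client} condition config switches whether
     * the {@code secure-session} profile is enforced for a client.
     *
     * <p>Sequence asserted by the test: with the default condition config a login without the
     * secure-session parameters fails with {@code "Missing parameter: nonce"}; after the policy is
     * rewritten with {@code createAnyClientConditionConfig(Boolean.TRUE)} the same client logs in
     * and out successfully; after rewriting it with {@code Boolean.FALSE} the login fails again.
     *
     * @throws Exception if profile, policy or client setup fails
     */
    @Test
    public void testNegativeLogicCondition() throws Exception {
        String profilesJson = new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "Den Forste Profilen")
                        .addExecutor("secure-session", null)
                        .toRepresentation())
                .toString();
        updateProfiles(profilesJson);

        String policiesJson = new ClientPoliciesUtil.ClientPoliciesBuilder()
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy", "La Premiere Politique", Boolean.TRUE)
                        .addCondition("any-client", ClientPoliciesUtil.createAnyClientConditionConfig())
                        .addProfile("MyProfile")
                        .toRepresentation())
                .toString();
        updatePolicies(policiesJson);

        String clientId = generateSuffixedName(CLIENT_NAME);
        String clientSecret = "secretBeta";
        createClientByAdmin(clientId, clientRepresentation -> {
            clientRepresentation.setSecret(clientSecret);
        });

        try {
            // Policy applies: the login must be refused because no nonce is sent.
            failLoginWithoutSecureSessionParameter(clientId, "Missing parameter: nonce");

            // Presumably TRUE turns on negative logic for the condition (inferred from the test
            // name); the test expects the profile to stop applying.
            updatePolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                    .createPolicy("MyPolicy", "La Premiere Politique", Boolean.TRUE)
                    .addCondition("any-client", ClientPoliciesUtil.createAnyClientConditionConfig(Boolean.TRUE))
                    .addProfile("MyProfile")
                    .toRepresentation());
            successfulLoginAndLogout(clientId, clientSecret);

            // Back to FALSE: enforcement is expected to return.
            updatePolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                    .createPolicy("MyPolicy", "La Premiere Politique", Boolean.TRUE)
                    .addCondition("any-client", ClientPoliciesUtil.createAnyClientConditionConfig(Boolean.FALSE))
                    .addProfile("MyProfile")
                    .toRepresentation());
            failLoginWithoutSecureSessionParameter(clientId, "Missing parameter: nonce");
        } catch (Exception e) {
            // Still a test failure, but with the cause attached; a bare Assert.fail() dropped the
            // exception and left no hint which step broke.
            throw new AssertionError("negative-logic condition scenario failed unexpectedly", e);
        }
    }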

    /**
     * Exercises the {@code test-raise-exception} executor on admin-driven register, update and
     * delete of a client.
     *
     * <p>Each operation is expected to throw a {@link ClientPolicyException} whose error equals
     * the matching {@link ClientPolicyEvent} name ({@code REGISTERED}, {@code UPDATED},
     * {@code UNREGISTER}). The assertions in between show that the register and the update had
     * nevertheless been applied: the client can be looked up by name, and it reads back as
     * disabled after the update that threw.
     *
     * @throws Exception if a setup step fails unexpectedly
     */
    @Test
    public void testExtendedClientPolicyIntefacesForClientRegistrationPolicyMigration() throws Exception {
        String profilesJson = new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "Den Forste Profilen")
                        .addExecutor("test-raise-exception", null)
                        .toRepresentation())
                .toString();
        updateProfiles(profilesJson);

        String policiesJson = new ClientPoliciesUtil.ClientPoliciesBuilder()
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy", "La Premiere Politique", Boolean.TRUE)
                        .addCondition("any-client", ClientPoliciesUtil.createAnyClientConditionConfig())
                        .addProfile("MyProfile")
                        .toRepresentation())
                .toString();
        updatePolicies(policiesJson);

        String clientName = "ByAdmin-App" + KeycloakModelUtils.generateId().substring(0, 7);

        // Register: the call must throw, reporting the REGISTERED event.
        try {
            createClientByAdmin(clientName, rep -> {
            });
            Assert.fail();
        } catch (ClientPolicyException onRegister) {
            Assert.assertEquals(ClientPolicyEvent.REGISTERED.toString(), onRegister.getError());
        }

        // The client exists and is enabled although the registration call threw.
        String clientUuid = getClientByAdminWithName(clientName).getId();
        Assert.assertEquals(Boolean.TRUE, getClientByAdmin(clientUuid).isEnabled());

        // Update: must throw with UPDATED, yet the change is visible afterwards.
        try {
            updateClientByAdmin(clientUuid, rep -> {
                rep.setEnabled(false);
            });
            Assert.fail();
        } catch (ClientPolicyException onUpdate) {
            Assert.assertEquals(ClientPolicyEvent.UPDATED.toString(), onUpdate.getError());
        }
        Assert.assertEquals(Boolean.FALSE, getClientByAdmin(clientUuid).isEnabled());

        // Delete: must throw with UNREGISTER.
        // NOTE(review): nothing here checks whether the client is actually gone afterwards.
        try {
            deleteClientByAdmin(clientUuid);
            Assert.fail();
        } catch (ClientPolicyException onDelete) {
            Assert.assertEquals(ClientPolicyEvent.UNREGISTER.toString(), onDelete.getError());
        }
    }

    /**
     * Checks that submitting a client policy whose name is {@code null} is refused: the update
     * must throw a {@link ClientPolicyException} with the error {@code "update policies failed"}.
     *
     * @throws Exception if the update fails in an unexpected way
     */
    @Test
    public void testUpdatePolicyWithoutNameNotAllowed() throws Exception {
        try {
            // The policy is built with a null name; everything else is a regular any-client policy.
            String namelessPolicyJson = new ClientPoliciesUtil.ClientPoliciesBuilder()
                    .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                            .createPolicy(null, "La Premiere Politique", Boolean.TRUE)
                            .addCondition("any-client", ClientPoliciesUtil.createAnyClientConditionConfig())
                            .addProfile("MyProfile")
                            .toRepresentation())
                    .toString();
            updatePolicies(namelessPolicyJson);
            Assert.fail();
        } catch (ClientPolicyException rejected) {
            Assert.assertEquals("update policies failed", rejected.getError());
        }
    }

    /**
     * Checks the {@code confidential-client} executor: a confidential client holding the
     * conditioned role can log in and out, while a public client holding the same role is turned
     * away when the login form is opened, with {@code error=invalid_client} and
     * {@code error_description="invalid client access type"} in the redirect query.
     *
     * @throws Exception if a setup step or request fails unexpectedly
     */
    @Test
    public void testConfidentialClientAcceptExecutorExecutor() throws Exception {
        String profilesJson = new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "Erstes Profil")
                        .addExecutor("confidential-client", null)
                        .toRepresentation())
                .toString();
        updateProfiles(profilesJson);

        // The policy only applies to clients that own the client role "sample-client-role".
        String policiesJson = new ClientPoliciesUtil.ClientPoliciesBuilder()
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy", "Erstes Politik", Boolean.TRUE)
                        .addCondition("client-roles",
                                ClientPoliciesUtil.createClientRolesConditionConfig(Arrays.asList("sample-client-role")))
                        .addProfile("MyProfile")
                        .toRepresentation())
                .toString();
        updatePolicies(policiesJson);

        String sharedSecret = "app-secret";

        // Confidential client: expected to pass the executor.
        String confidentialClientId = generateSuffixedName("confidential-app");
        String confidentialUuid = createClientByAdmin(confidentialClientId, rep -> {
            rep.setSecret(sharedSecret);
            rep.setStandardFlowEnabled(Boolean.TRUE);
            rep.setImplicitFlowEnabled(Boolean.TRUE);
            rep.setPublicClient(Boolean.FALSE);
            rep.setBearerOnly(Boolean.FALSE);
        });
        this.adminClient.realm("test").clients().get(confidentialUuid).roles()
                .create(RoleBuilder.create().name("sample-client-role").build());
        successfulLoginAndLogout(confidentialClientId, sharedSecret);

        // Public client with the same role: expected to be refused.
        String publicClientId = generateSuffixedName("public-app");
        String publicUuid = createClientByAdmin(publicClientId, rep -> {
            rep.setSecret(sharedSecret);
            rep.setStandardFlowEnabled(Boolean.TRUE);
            rep.setImplicitFlowEnabled(Boolean.TRUE);
            rep.setPublicClient(Boolean.TRUE);
            rep.setBearerOnly(Boolean.FALSE);
        });
        this.adminClient.realm("test").clients().get(publicUuid).roles()
                .create(RoleBuilder.create().name("sample-client-role").build());

        this.oauth.clientId(publicClientId);
        this.oauth.openLoginForm();
        Assert.assertEquals("invalid_client", this.oauth.getCurrentQuery().get("error"));
        Assert.assertEquals("invalid client access type", this.oauth.getCurrentQuery().get("error_description"));
    }

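    /**
     * Checks the {@code consent-required} executor on admin-driven client changes.
     *
     * <p>Asserted behaviour: a client registered with {@code consentRequired=false} reads back
     * with consent required; an update that tries to switch consent off is rejected with
     * {@code invalid_registration} and leaves the setting on; an update that does not touch
     * consent (enabling the implicit flow) is accepted.
     *
     * @throws Exception if a setup step or request fails unexpectedly
     */
    @Test
    public void testConsentRequiredExecutorExecutor() throws Exception {
        String profilesJson = new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "Test Profile")
                        .addExecutor("consent-required", null)
                        .toRepresentation())
                .toString();
        updateProfiles(profilesJson);

        String policiesJson = new ClientPoliciesUtil.ClientPoliciesBuilder()
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy", "Test Policy", Boolean.TRUE)
                        .addCondition("any-client", ClientPoliciesUtil.createAnyClientConditionConfig())
                        .addProfile("MyProfile")
                        .toRepresentation())
                .toString();
        updatePolicies(policiesJson);

        // Registration asks for consentRequired=false; the stored client must still require consent.
        String clientUuid = createClientByAdmin(generateSuffixedName("aaa-app"), clientRepresentation -> {
            clientRepresentation.setImplicitFlowEnabled(Boolean.FALSE);
            clientRepresentation.setConsentRequired(Boolean.FALSE);
        });
        Assert.assertEquals(Boolean.TRUE, getClientByAdmin(clientUuid).isConsentRequired());

        // Switching consent off afterwards must be refused.
        try {
            updateClientByAdmin(clientUuid, clientRepresentation2 -> {
                clientRepresentation2.setConsentRequired(Boolean.FALSE);
            });
            Assert.fail();
        } catch (ClientPolicyException e) {
            Assert.assertEquals("invalid_registration", e.getError());
        }
        Assert.assertEquals(Boolean.TRUE, getClientByAdmin(clientUuid).isConsentRequired());

        // An update that leaves consent alone must go through.
        try {
            updateClientByAdmin(clientUuid, clientRepresentation3 -> {
                clientRepresentation3.setImplicitFlowEnabled(Boolean.TRUE);
            });
            Assert.assertEquals(Boolean.TRUE, getClientByAdmin(clientUuid).isImplicitFlowEnabled());
        } catch (ClientPolicyException e2) {
            // Fail with the policy error and cause attached instead of a bare Assert.fail().
            throw new AssertionError("update not touching consent was rejected: " + e2.getError(), e2);
        }
    }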

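    /**
     * Checks the {@code full-scope-disabled} executor in both of its configurations.
     *
     * <p>With {@code createFullScopeDisabledExecutorConfig(true)} a client that asks for
     * {@code fullScopeAllowed=true}, on registration or on update, is accepted but reads back
     * with full scope disabled. After the profile is replaced by one built with {@code false},
     * the same requests are rejected with {@code invalid_registration}, the stored value stays
     * disabled, and an update that does not touch full scope is accepted.
     *
     * @throws Exception if a setup step or request fails unexpectedly
     */
    @Test
    public void testFullScopeDisabledExecutor() throws Exception {
        // NOTE(review): the boolean presumably selects auto-configuration; it is defined in ClientPoliciesUtil — confirm.
        String correctingProfilesJson = new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "Test Profile")
                        .addExecutor("full-scope-disabled", ClientPoliciesUtil.createFullScopeDisabledExecutorConfig(true))
                        .toRepresentation())
                .toString();
        updateProfiles(correctingProfilesJson);

        String policiesJson = new ClientPoliciesUtil.ClientPoliciesBuilder()
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy("MyPolicy", "Test Policy", Boolean.TRUE)
                        .addCondition("any-client", ClientPoliciesUtil.createAnyClientConditionConfig())
                        .addProfile("MyProfile")
                        .toRepresentation())
                .toString();
        updatePolicies(policiesJson);

        // Phase 1: requests for full scope are accepted but the stored value is forced to false.
        String clientName = generateSuffixedName("aaa-app");
        String clientUuid = createClientByAdmin(clientName, clientRepresentation -> {
            clientRepresentation.setImplicitFlowEnabled(Boolean.FALSE);
            clientRepresentation.setFullScopeAllowed(Boolean.TRUE);
        });
        Assert.assertEquals(Boolean.FALSE, getClientByAdmin(clientUuid).isFullScopeAllowed());

        updateClientByAdmin(clientUuid, clientRepresentation2 -> {
            clientRepresentation2.setFullScopeAllowed(Boolean.TRUE);
        });
        Assert.assertEquals(Boolean.FALSE, getClientByAdmin(clientUuid).isFullScopeAllowed());

        // Phase 2: same executor built with false; requests for full scope must now be rejected.
        String rejectingProfilesJson = new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "Test Profile")
                        .addExecutor("full-scope-disabled", ClientPoliciesUtil.createFullScopeDisabledExecutorConfig(false))
                        .toRepresentation())
                .toString();
        updateProfiles(rejectingProfilesJson);

        // NOTE(review): this registration reuses the name of the client created above; the
        // assertion relies on the policy rejection being reported rather than a duplicate-name
        // conflict — confirm that ordering.
        try {
            createClientByAdmin(clientName, clientRepresentation3 -> {
                clientRepresentation3.setFullScopeAllowed(Boolean.TRUE);
            });
            Assert.fail();
        } catch (ClientPolicyException e) {
            Assert.assertEquals("invalid_registration", e.getError());
        }

        try {
            updateClientByAdmin(clientUuid, clientRepresentation4 -> {
                clientRepresentation4.setFullScopeAllowed(Boolean.TRUE);
            });
            Assert.fail();
        } catch (ClientPolicyException e2) {
            Assert.assertEquals("invalid_registration", e2.getError());
        }
        Assert.assertEquals(Boolean.FALSE, getClientByAdmin(clientUuid).isFullScopeAllowed());

        // An update that leaves full scope alone must be accepted and must not re-enable it.
        try {
            updateClientByAdmin(clientUuid, clientRepresentation5 -> {
                clientRepresentation5.setImplicitFlowEnabled(Boolean.TRUE);
            });
            ClientRepresentation stored = getClientByAdmin(clientUuid);
            Assert.assertEquals(Boolean.TRUE, stored.isImplicitFlowEnabled());
            Assert.assertEquals(Boolean.FALSE, stored.isFullScopeAllowed());
        } catch (ClientPolicyException e3) {
            // Fail with the policy error and cause attached instead of a bare Assert.fail().
            throw new AssertionError("update not touching full scope was rejected: " + e3.getError(), e3);
        }
    }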

    private void checkMtlsFlow() throws IOException {
        OAuthClient.AccessTokenResponse doAccessTokenRequest;
        String str;
        Assert.assertNull(this.oauth.doLogin("test-user@localhost", "password").getError());
        String str2 = (String) this.oauth.getCurrentQuery().get("code");
        try {
            CloseableHttpClient newCloseableHttpClientWithDefaultKeyStoreAndTrustStore = MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore();
            Throwable th = null;
            try {
                try {
                    doAccessTokenRequest = this.oauth.doAccessTokenRequest(str2, "password", newCloseableHttpClientWithDefaultKeyStoreAndTrustStore);
                    if (newCloseableHttpClientWithDefaultKeyStoreAndTrustStore != null) {
                        if (0 != 0) {
                            try {
                                newCloseableHttpClientWithDefaultKeyStoreAndTrustStore.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            newCloseableHttpClientWithDefaultKeyStoreAndTrustStore.close();
                        }
                    }
                    Assert.assertEquals(200L, doAccessTokenRequest.getStatusCode());
                } finally {
                }
                try {
                    CloseableHttpClient newCloseableHttpClientWithDefaultKeyStoreAndTrustStore2 = MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore();
                    Throwable th3 = null;
                    try {
                        OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(doAccessTokenRequest.getRefreshToken(), "password", newCloseableHttpClientWithDefaultKeyStoreAndTrustStore2);
                        if (newCloseableHttpClientWithDefaultKeyStoreAndTrustStore2 != null) {
                            if (0 != 0) {
                                try {
                                    newCloseableHttpClientWithDefaultKeyStoreAndTrustStore2.close();
                                } catch (Throwable th4) {
                                    th3.addSuppressed(th4);
                                }
                            } else {
                                newCloseableHttpClientWithDefaultKeyStoreAndTrustStore2.close();
                            }
                        }
                        Assert.assertEquals(200L, doRefreshTokenRequest.getStatusCode());
                        try {
                            newCloseableHttpClientWithDefaultKeyStoreAndTrustStore = MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore();
                            Throwable th5 = null;
                            try {
                                try {
                                    String introspectTokenWithClientCredential = this.oauth.introspectTokenWithClientCredential(AssertEvents.DEFAULT_CLIENT_ID, "password", "access_token", doAccessTokenRequest.getAccessToken(), newCloseableHttpClientWithDefaultKeyStoreAndTrustStore);
                                    if (newCloseableHttpClientWithDefaultKeyStoreAndTrustStore != null) {
                                        if (0 != 0) {
                                            try {
                                                newCloseableHttpClientWithDefaultKeyStoreAndTrustStore.close();
                                            } catch (Throwable th6) {
                                                th5.addSuppressed(th6);
                                            }
                                        } else {
                                            newCloseableHttpClientWithDefaultKeyStoreAndTrustStore.close();
                                        }
                                    }
                                    Assert.assertNotNull(introspectTokenWithClientCredential);
                                    Assert.assertTrue(((TokenMetadataRepresentation) JsonSerialization.readValue(introspectTokenWithClientCredential, TokenMetadataRepresentation.class)).isActive());
                                } finally {
                                }
                                try {
                                    CloseableHttpClient newCloseableHttpClientWithDefaultKeyStoreAndTrustStore3 = MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore();
                                    Throwable th7 = null;
                                    try {
                                        CloseableHttpResponse doTokenRevoke = this.oauth.doTokenRevoke(doAccessTokenRequest.getRefreshToken(), "refresh_token", "password", newCloseableHttpClientWithDefaultKeyStoreAndTrustStore3);
                                        if (newCloseableHttpClientWithDefaultKeyStoreAndTrustStore3 != null) {
                                            if (0 != 0) {
                                                try {
                                                    newCloseableHttpClientWithDefaultKeyStoreAndTrustStore3.close();
                                                } catch (Throwable th8) {
                                                    th7.addSuppressed(th8);
                                                }
                                            } else {
                                                newCloseableHttpClientWithDefaultKeyStoreAndTrustStore3.close();
                                            }
                                        }
                                        Assert.assertEquals(200L, doTokenRevoke.getStatusLine().getStatusCode());
                                        try {
                                            CloseableHttpClient newCloseableHttpClientWithDefaultKeyStoreAndTrustStore4 = MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore();
                                            Throwable th9 = null;
                                            try {
                                                CloseableHttpResponse doLogout = this.oauth.doLogout(doAccessTokenRequest.getRefreshToken(), "password", newCloseableHttpClientWithDefaultKeyStoreAndTrustStore4);
                                                if (newCloseableHttpClientWithDefaultKeyStoreAndTrustStore4 != null) {
                                                    if (0 != 0) {
                                                        try {
                                                            newCloseableHttpClientWithDefaultKeyStoreAndTrustStore4.close();
                                                        } catch (Throwable th10) {
                                                            th9.addSuppressed(th10);
                                                        }
                                                    } else {
                                                        newCloseableHttpClientWithDefaultKeyStoreAndTrustStore4.close();
                                                    }
                                                }
                                                Assert.assertEquals(204L, doLogout.getStatusLine().getStatusCode());
                                                Assert.assertNull(this.oauth.doLogin("test-user@localhost", "password").getError());
                                                String str3 = (String) this.oauth.getCurrentQuery().get("code");
                                                try {
                                                    CloseableHttpClient newCloseableHttpClientWithoutKeyStoreAndTrustStore = MutualTLSUtils.newCloseableHttpClientWithoutKeyStoreAndTrustStore();
                                                    Throwable th11 = null;
                                                    try {
                                                        try {
                                                            OAuthClient.AccessTokenResponse doAccessTokenRequest2 = this.oauth.doAccessTokenRequest(str3, "password", newCloseableHttpClientWithoutKeyStoreAndTrustStore);
                                                            if (newCloseableHttpClientWithoutKeyStoreAndTrustStore != null) {
                                                                if (0 != 0) {
                                                                    try {
                                                                        newCloseableHttpClientWithoutKeyStoreAndTrustStore.close();
                                                                    } catch (Throwable th12) {
                                                                        th11.addSuppressed(th12);
                                                                    }
                                                                } else {
                                                                    newCloseableHttpClientWithoutKeyStoreAndTrustStore.close();
                                                                }
                                                            }
                                                            Assert.assertEquals(400L, doAccessTokenRequest2.getStatusCode());
                                                            Assert.assertEquals("invalid_grant", doAccessTokenRequest2.getError());
                                                            this.oauth.openLogout();
                                                            Assert.assertNull(this.oauth.doLogin("test-user@localhost", "password").getError());
                                                            str = (String) this.oauth.getCurrentQuery().get("code");
                                                        } finally {
                                                        }
                                                        try {
                                                            CloseableHttpClient newCloseableHttpClientWithDefaultKeyStoreAndTrustStore5 = MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore();
                                                            Throwable th13 = null;
                                                            try {
                                                                OAuthClient.AccessTokenResponse doAccessTokenRequest3 = this.oauth.doAccessTokenRequest(str, "password", newCloseableHttpClientWithDefaultKeyStoreAndTrustStore5);
                                                                if (newCloseableHttpClientWithDefaultKeyStoreAndTrustStore5 != null) {
                                                                    if (0 != 0) {
                                                                        try {
                                                                            newCloseableHttpClientWithDefaultKeyStoreAndTrustStore5.close();
                                                                        } catch (Throwable th14) {
                                                                            th13.addSuppressed(th14);
                                                                        }
                                                                    } else {
                                                                        newCloseableHttpClientWithDefaultKeyStoreAndTrustStore5.close();
                                                                    }
                                                                }
                                                                Assert.assertEquals(200L, doAccessTokenRequest3.getStatusCode());
                                                                try {
                                                                    CloseableHttpClient newCloseableHttpClientWithOtherKeyStoreAndTrustStore = MutualTLSUtils.newCloseableHttpClientWithOtherKeyStoreAndTrustStore();
                                                                    Throwable th15 = null;
                                                                    try {
                                                                        OAuthClient.AccessTokenResponse doRefreshTokenRequest2 = this.oauth.doRefreshTokenRequest(doAccessTokenRequest3.getRefreshToken(), "password", newCloseableHttpClientWithOtherKeyStoreAndTrustStore);
                                                                        if (newCloseableHttpClientWithOtherKeyStoreAndTrustStore != null) {
                                                                            if (0 != 0) {
                                                                                try {
                                                                                    newCloseableHttpClientWithOtherKeyStoreAndTrustStore.close();
                                                                                } catch (Throwable th16) {
                                                                                    th15.addSuppressed(th16);
                                                                                }
                                                                            } else {
                                                                                newCloseableHttpClientWithOtherKeyStoreAndTrustStore.close();
                                                                            }
                                                                        }
                                                                        Assert.assertEquals(400L, doRefreshTokenRequest2.getStatusCode());
                                                                        Assert.assertEquals("invalid_grant", doRefreshTokenRequest2.getError());
                                                                        try {
                                                                            CloseableHttpClient newCloseableHttpClientWithOtherKeyStoreAndTrustStore2 = MutualTLSUtils.newCloseableHttpClientWithOtherKeyStoreAndTrustStore();
                                                                            Throwable th17 = null;
                                                                            try {
                                                                                CloseableHttpResponse doTokenRevoke2 = this.oauth.doTokenRevoke(doAccessTokenRequest3.getRefreshToken(), "refresh_token", "password", newCloseableHttpClientWithOtherKeyStoreAndTrustStore2);
                                                                                if (newCloseableHttpClientWithOtherKeyStoreAndTrustStore2 != null) {
                                                                                    if (0 != 0) {
                                                                                        try {
                                                                                            newCloseableHttpClientWithOtherKeyStoreAndTrustStore2.close();
                                                                                        } catch (Throwable th18) {
                                                                                            th17.addSuppressed(th18);
                                                                                        }
                                                                                    } else {
                                                                                        newCloseableHttpClientWithOtherKeyStoreAndTrustStore2.close();
                                                                                    }
                                                                                }
                                                                                Assert.assertEquals(401L, doTokenRevoke2.getStatusLine().getStatusCode());
                                                                                try {
                                                                                    newCloseableHttpClientWithoutKeyStoreAndTrustStore = MutualTLSUtils.newCloseableHttpClientWithoutKeyStoreAndTrustStore();
                                                                                    Throwable th19 = null;
                                                                                    try {
                                                                                        try {
                                                                                            CloseableHttpResponse doLogout2 = this.oauth.doLogout(doAccessTokenRequest3.getRefreshToken(), "password", newCloseableHttpClientWithoutKeyStoreAndTrustStore);
                                                                                            if (newCloseableHttpClientWithoutKeyStoreAndTrustStore != null) {
                                                                                                if (0 != 0) {
                                                                                                    try {
                                                                                                        newCloseableHttpClientWithoutKeyStoreAndTrustStore.close();
                                                                                                    } catch (Throwable th20) {
                                                                                                        th19.addSuppressed(th20);
                                                                                                    }
                                                                                                } else {
                                                                                                    newCloseableHttpClientWithoutKeyStoreAndTrustStore.close();
                                                                                                }
                                                                                            }
                                                                                            Assert.assertEquals(401L, doLogout2.getStatusLine().getStatusCode());
                                                                                        } finally {
                                                                                        }
                                                                                        try {
                                                                                            CloseableHttpClient newCloseableHttpClientWithDefaultKeyStoreAndTrustStore6 = MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore();
                                                                                            Throwable th21 = null;
                                                                                            try {
                                                                                                try {
                                                                                                    this.oauth.doLogout(doAccessTokenRequest3.getRefreshToken(), "password", newCloseableHttpClientWithDefaultKeyStoreAndTrustStore6);
                                                                                                    if (newCloseableHttpClientWithDefaultKeyStoreAndTrustStore6 != null) {
                                                                                                        if (0 != 0) {
                                                                                                            try {
                                                                                                                newCloseableHttpClientWithDefaultKeyStoreAndTrustStore6.close();
                                                                                                            } catch (Throwable th22) {
                                                                                                                th21.addSuppressed(th22);
                                                                                                            }
                                                                                                        } else {
                                                                                                            newCloseableHttpClientWithDefaultKeyStoreAndTrustStore6.close();
                                                                                                        }
                                                                                                    }
                                                                                                } finally {
                                                                                                }
                                                                                            } finally {
                                                                                                if (newCloseableHttpClientWithDefaultKeyStoreAndTrustStore6 != null) {
                                                                                                    if (th21 != null) {
                                                                                                        try {
                                                                                                            newCloseableHttpClientWithDefaultKeyStoreAndTrustStore6.close();
                                                                                                        } catch (Throwable th23) {
                                                                                                            th21.addSuppressed(th23);
                                                                                                        }
                                                                                                    } else {
                                                                                                        newCloseableHttpClientWithDefaultKeyStoreAndTrustStore6.close();
                                                                                                    }
                                                                                                }
                                                                                            }
                                                                                        } catch (IOException e) {
                                                                                            throw new RuntimeException(e);
                                                                                        }
                                                                                    } finally {
                                                                                        if (newCloseableHttpClientWithoutKeyStoreAndTrustStore != null) {
                                                                                            if (th19 != null) {
                                                                                                try {
                                                                                                    newCloseableHttpClientWithoutKeyStoreAndTrustStore.close();
                                                                                                } catch (Throwable th24) {
                                                                                                    th19.addSuppressed(th24);
                                                                                                }
                                                                                            } else {
                                                                                                newCloseableHttpClientWithoutKeyStoreAndTrustStore.close();
                                                                                            }
                                                                                        }
                                                                                    }
                                                                                } catch (IOException e2) {
                                                                                    throw new RuntimeException(e2);
                                                                                }
                                                                            } finally {
                                                                            }
                                                                        } catch (IOException e3) {
                                                                            throw new RuntimeException(e3);
                                                                        }
                                                                    } finally {
                                                                    }
                                                                } catch (IOException e4) {
                                                                    throw new RuntimeException(e4);
                                                                }
                                                            } finally {
                                                            }
                                                        } catch (IOException e5) {
                                                            throw new RuntimeException(e5);
                                                        }
                                                    } finally {
                                                    }
                                                } catch (IOException e6) {
                                                    throw new RuntimeException(e6);
                                                }
                                            } finally {
                                            }
                                        } catch (IOException e7) {
                                            throw new RuntimeException(e7);
                                        }
                                    } finally {
                                    }
                                } catch (IOException e8) {
                                    throw new RuntimeException(e8);
                                }
                            } finally {
                                if (newCloseableHttpClientWithDefaultKeyStoreAndTrustStore != null) {
                                    if (th5 != null) {
                                        try {
                                            newCloseableHttpClientWithDefaultKeyStoreAndTrustStore.close();
                                        } catch (Throwable th25) {
                                            th5.addSuppressed(th25);
                                        }
                                    } else {
                                        newCloseableHttpClientWithDefaultKeyStoreAndTrustStore.close();
                                    }
                                }
                            }
                        } catch (IOException e9) {
                            throw new RuntimeException(e9);
                        }
                    } finally {
                    }
                } catch (IOException e10) {
                    throw new RuntimeException(e10);
                }
            } finally {
            }
        } catch (IOException e11) {
            throw new RuntimeException(e11);
        }
    }

    /**
     * Installs a profile and policy under which plain client-id-and-secret authentication is not
     * among the accepted client authentication methods.
     *
     * <p>The "secure-client-authenticator" executor is configured with {@code client-jwt},
     * {@code client-secret-jwt} and {@code client-x509} only; {@code client-secret} is deliberately
     * absent from that list. The policy applies the profile through a "client-updater-context"
     * condition set to {@code ByAuthenticatedUser}.
     *
     * @param str name of the policy to create
     * @throws Exception propagated from building or applying the profiles and policies
     */
    private void setupPolicyClientIdAndSecretNotAcceptableAuthType(String str) throws Exception {
        List<String> acceptedAuthenticators = Arrays.asList("client-jwt", "client-secret-jwt", "client-x509");
        // NOTE(review): the second config argument is null; presumably this means no default
        // authenticator is configured -- confirm against ClientPoliciesUtil.
        String profilesJson = new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "Primum Profile")
                        .addExecutor("secure-client-authenticator",
                                ClientPoliciesUtil.createSecureClientAuthenticatorExecutorConfig(acceptedAuthenticators, null))
                        .toRepresentation())
                .toString();
        updateProfiles(profilesJson);

        List<String> updaterContexts = Arrays.asList("ByAuthenticatedUser");
        String policiesJson = new ClientPoliciesUtil.ClientPoliciesBuilder()
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy(str, "Primum Consilium", Boolean.TRUE)
                        .addCondition("client-updater-context",
                                ClientPoliciesUtil.createClientUpdateContextConditionConfig(updaterContexts))
                        .addProfile("MyProfile")
                        .toRepresentation())
                .toString();
        updatePolicies(policiesJson);
    }

    /**
     * Installs a profile and policy that combine a client-authenticator restriction with PKCE
     * enforcement, bound by two conditions.
     *
     * <p>Executors: "secure-client-authenticator" accepting {@code client-secret} and
     * {@code client-jwt}, and "pkce-enforcer". Conditions: "client-roles" with
     * {@code sample-client-role}, and "client-updater-context" with {@code ByInitialAccessToken}.
     *
     * @param str name of the policy to create
     * @throws Exception propagated from building or applying the profiles and policies
     */
    private void setupPolicyAuthzCodeFlowUnderMultiPhasePolicy(String str) throws Exception {
        List<String> acceptedAuthenticators = Arrays.asList("client-secret", "client-jwt");
        // NOTE(review): "client-secret" as the second config argument and Boolean.TRUE for the PKCE
        // enforcer presumably select a default authenticator and auto-configuration -- confirm
        // against ClientPoliciesUtil.
        String profilesJson = new ClientPoliciesUtil.ClientProfilesBuilder()
                .addProfile(new ClientPoliciesUtil.ClientProfileBuilder()
                        .createProfile("MyProfile", "Primul Profil")
                        .addExecutor("secure-client-authenticator",
                                ClientPoliciesUtil.createSecureClientAuthenticatorExecutorConfig(acceptedAuthenticators, "client-secret"))
                        .addExecutor("pkce-enforcer", ClientPoliciesUtil.createPKCEEnforceExecutorConfig(Boolean.TRUE))
                        .toRepresentation())
                .toString();
        updateProfiles(profilesJson);

        List<String> matchedRoles = Arrays.asList("sample-client-role");
        List<String> updaterContexts = Arrays.asList("ByInitialAccessToken");
        String policiesJson = new ClientPoliciesUtil.ClientPoliciesBuilder()
                .addPolicy(new ClientPoliciesUtil.ClientPolicyBuilder()
                        .createPolicy(str, "Prima Politica", Boolean.TRUE)
                        .addCondition("client-roles", ClientPoliciesUtil.createClientRolesConditionConfig(matchedRoles))
                        .addCondition("client-updater-context",
                                ClientPoliciesUtil.createClientUpdateContextConditionConfig(updaterContexts))
                        .addProfile("MyProfile")
                        .toRepresentation())
                .toString();
        updatePolicies(policiesJson);
    }

    /**
     * Drives a full authorization-code round trip for one client (login, code-to-token exchange,
     * logout by refresh token) and asserts the matching event after each step.
     *
     * @param str  client id set on the OAuth client and expected on every asserted event
     * @param str2 value passed as the second argument of the token and logout requests
     *             (presumably the client secret -- confirm against OAuthClient)
     */
    private void successfulLoginAndLogout(String str, String str2) {
        this.oauth.clientId(str);
        this.oauth.doLogin("test-user@localhost", "password");

        // The login event supplies the session id and code id that later events must reference.
        EventRepresentation loginEvent = this.events.expectLogin().client(str).assertEvent();
        String sessionId = loginEvent.getSessionId();
        String codeId = (String) loginEvent.getDetails().get("code_id");

        String authorizationCode = (String) this.oauth.getCurrentQuery().get("code");
        OAuthClient.AccessTokenResponse tokenResponse = this.oauth.doAccessTokenRequest(authorizationCode, str2);
        Assert.assertEquals(200L, tokenResponse.getStatusCode());
        this.events.expectCodeToToken(codeId, sessionId).client(str).assertEvent();

        String refreshToken = tokenResponse.getRefreshToken();
        this.oauth.doLogout(refreshToken, str2);
        this.events.expectLogout(sessionId).client(str).clearDetails().assertEvent();
    }

    /**
     * Drives an authorization-code flow with PKCE (S256) and a nonce, then checks the issued and
     * refreshed tokens, introspects the refreshed access token and revokes the refreshed refresh token.
     *
     * <p>Token assertions made here: the access-token subject equals the user's id and differs from
     * the username; access and refresh tokens carry the login session id and are issued for the
     * client; the refreshed tokens keep the same session id and subject.
     *
     * @param str  client id set on the OAuth client and expected in events and token claims
     * @param str2 value passed as the second argument of the token and refresh requests
     *             (presumably the client secret -- confirm against OAuthClient)
     * @param str3 username used to log in and to look up the expected subject
     * @param str4 password used to log in
     * @throws Exception propagated from the helper calls used in this flow
     */
    private void successfulLoginAndLogoutWithPKCE(String str, String str2, String str3, String str4) throws Exception {
        // Fixed verifier and nonce keep the test reproducible; the challenge sent at login is derived
        // from the same verifier that is presented at the token endpoint.
        final String codeVerifier = "1a345A7890123456r8901c3456789012b45K7890l23";

        this.oauth.clientId(str);
        this.oauth.codeChallenge(generateS256CodeChallenge(codeVerifier));
        this.oauth.codeChallengeMethod("S256");
        this.oauth.nonce("bjapewiziIE083d");
        this.oauth.doLogin(str3, str4);

        EventRepresentation loginEvent = this.events.expectLogin().client(str).assertEvent();
        String sessionId = loginEvent.getSessionId();
        String codeId = (String) loginEvent.getDetails().get("code_id");
        String authorizationCode = (String) this.oauth.getCurrentQuery().get("code");

        // Code-to-token exchange, presenting the verifier.
        this.oauth.codeVerifier(codeVerifier);
        OAuthClient.AccessTokenResponse tokenResponse = this.oauth.doAccessTokenRequest(authorizationCode, str2);
        Assert.assertEquals(200L, tokenResponse.getStatusCode());
        this.events.expectCodeToToken(codeId, sessionId).client(str).assertEvent();

        // Claims of the first access token.
        AccessToken accessToken = this.oauth.verifyToken(tokenResponse.getAccessToken());
        String id = ApiUtil.findUserByUsername(this.adminClient.realm("test"), str3).getId();
        Assert.assertEquals(id, accessToken.getSubject());
        Assert.assertNotEquals(str3, accessToken.getSubject());
        Assert.assertEquals(sessionId, accessToken.getSessionState());
        Assert.assertEquals(str, accessToken.getIssuedFor());

        // Claims of the first refresh token.
        String refreshTokenString = tokenResponse.getRefreshToken();
        RefreshToken refreshToken = this.oauth.parseRefreshToken(refreshTokenString);
        Assert.assertEquals(sessionId, refreshToken.getSessionState());
        Assert.assertEquals(str, refreshToken.getIssuedFor());

        // Refresh and confirm that session and subject are preserved.
        OAuthClient.AccessTokenResponse refreshResponse = this.oauth.doRefreshTokenRequest(refreshTokenString, str2);
        Assert.assertEquals(200L, refreshResponse.getStatusCode());
        this.events.expectRefresh(refreshToken.getId(), sessionId).client(str).assertEvent();
        AccessToken refreshedAccessToken = this.oauth.verifyToken(refreshResponse.getAccessToken());
        RefreshToken refreshedRefreshToken = this.oauth.parseRefreshToken(refreshResponse.getRefreshToken());
        Assert.assertEquals(sessionId, refreshedAccessToken.getSessionState());
        Assert.assertEquals(sessionId, refreshedRefreshToken.getSessionState());
        String idAfterRefresh = ApiUtil.findUserByUsername(this.adminClient.realm("test"), str3).getId();
        Assert.assertEquals(idAfterRefresh, refreshedAccessToken.getSubject());

        doIntrospectAccessToken(refreshResponse, str3, str, str2);
        // NOTE(review): meaning of the trailing false is not visible here -- see doTokenRevoke.
        doTokenRevoke(refreshResponse.getRefreshToken(), str, str2, id, false);
    }

    /**
     * Opens the login form for a client without PKCE parameters and asserts that the request is
     * rejected with {@code invalid_request} and a missing {@code code_challenge_method} message.
     *
     * @param str client id set on the OAuth client
     */
    private void failLoginByNotFollowingPKCE(String str) {
        this.oauth.clientId(str);
        this.oauth.openLoginForm();

        // The error is read back from the query parameters after opening the login form.
        Object error = this.oauth.getCurrentQuery().get("error");
        Assert.assertEquals("invalid_request", error);
        Object errorDescription = this.oauth.getCurrentQuery().get("error_description");
        Assert.assertEquals("Missing parameter: code_challenge_method", errorDescription);
    }

    /**
     * Logs in successfully, then asserts that the code-to-token exchange is refused with
     * {@code invalid_grant} because no PKCE code verifier was supplied, and finally logs out.
     *
     * @param str  client id set on the OAuth client and expected on the login and error events
     * @param str2 value passed as the second argument of the token request
     *             (presumably the client secret -- confirm against OAuthClient)
     */
    private void failTokenRequestByNotFollowingPKCE(String str, String str2) {
        this.oauth.clientId(str);
        this.oauth.doLogin("test-user@localhost", "password");

        EventRepresentation loginEvent = this.events.expectLogin().client(str).assertEvent();
        String sessionId = loginEvent.getSessionId();

        // No codeVerifier is set before the exchange, so the token endpoint must reject it.
        String authorizationCode = (String) this.oauth.getCurrentQuery().get("code");
        OAuthClient.AccessTokenResponse tokenResponse = this.oauth.doAccessTokenRequest(authorizationCode, str2);
        Assert.assertEquals("invalid_grant", tokenResponse.getError());
        Assert.assertEquals("PKCE code verifier not specified", tokenResponse.getErrorDescription());
        this.events.expect(EventType.CODE_TO_TOKEN_ERROR)
                .client(str)
                .session(sessionId)
                .clearDetails()
                .error("code_verifier_missing")
                .assertEvent();

        // End the session that the successful login created.
        this.oauth.openLogout();
        this.events.expectLogout(sessionId).clearDetails().assertEvent();
    }

    /**
     * Opens the login form for a client and asserts that the request is rejected with
     * {@code invalid_request} and the given error description.
     *
     * @param str  client id set on the OAuth client
     * @param str2 expected value of the {@code error_description} query parameter
     */
    private void failLoginWithoutSecureSessionParameter(String str, String str2) {
        this.oauth.clientId(str);
        this.oauth.openLoginForm();

        Object error = this.oauth.getCurrentQuery().get("error");
        Assert.assertEquals("invalid_request", error);
        Object errorDescription = this.oauth.getCurrentQuery().get("error_description");
        Assert.assertEquals(str2, errorDescription);
    }

    /**
     * Opens the login form for a client and asserts that the request is rejected with
     * {@code invalid_request} because the {@code nonce} parameter is missing.
     *
     * @param str client id set on the OAuth client
     */
    private void failLoginWithoutNonce(String str) {
        this.oauth.clientId(str);
        this.oauth.openLoginForm();

        Object error = this.oauth.getCurrentQuery().get("error");
        Assert.assertEquals("invalid_request", error);
        Object errorDescription = this.oauth.getCurrentQuery().get("error_description");
        Assert.assertEquals("Missing parameter: nonce", errorDescription);
    }
}
