package org.keycloak.testsuite.x509;

import com.google.common.base.Charsets;
import io.undertow.Undertow;
import io.undertow.server.handlers.BlockingHandler;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Paths;
import java.util.function.Supplier;
import javax.ws.rs.core.Response;
import org.apache.commons.io.IOUtils;
import org.hamcrest.Matchers;
import org.jboss.arquillian.drone.api.annotation.Drone;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.PhantomJSBrowser;
import org.openqa.selenium.WebDriver;

/* loaded from: input_file:org/keycloak/testsuite/x509/X509OCSPResponderTest.class */
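/**
 * Direct-grant X.509 login tests that exercise the OCSP revocation check against a
 * test-controlled OCSP responder: an Undertow listener on {@code localhost:8888} backed by
 * {@link OcspHandler}, started before and stopped after every test.
 *
 * <p>The security-relevant properties pinned here are:
 * <ul>
 *   <li>a certificate the responder reports as revoked is refused with
 *       {@code "Certificate's been revoked."};</li>
 *   <li>an OCSP response whose signer is neither the issuing CA nor an explicitly
 *       configured responder certificate is not trusted
 *       ({@code "Responder's certificate not valid for signing OCSP responses"}) — i.e. a
 *       responder that merely answers "good" is not believed just because it answered;</li>
 *   <li>once that responder certificate is configured explicitly, the same responder is
 *       accepted and login succeeds.</li>
 * </ul>
 *
 * <p>Each test temporarily swaps the suite's HTTP client for one presenting a specific
 * client keystore and always restores the original afterwards so later tests do not
 * inherit that identity.
 */
public class X509OCSPResponderTest extends AbstractX509AuthenticationTest {
    private static final String OCSP_RESPONDER_HOST = "localhost";
    private static final int OCSP_RESPONDER_PORT = 8888;
    /**
     * Responder URL handed to the authenticator. The path segment is spelled {@code /oscp}
     * in the original configuration and is kept verbatim; OcspHandler's routing is not
     * visible from this class, so it may well accept any path.
     */
    private static final String OCSP_RESPONDER_URL =
            "http://" + OCSP_RESPONDER_HOST + ":" + OCSP_RESPONDER_PORT + "/oscp";
    private static final String DIRECT_GRANT_CONFIG_ALIAS = "x509-directgrant-config";
    private static final String RESOURCE_OWNER_CLIENT = "resource-owner";
    private static final String RESOURCE_OWNER_SECRET = "secret";

    private Undertow ocspResponder;

    @Drone
    @PhantomJSBrowser
    private WebDriver phantomJS;

    /** Test body that may throw checked exceptions; used by {@link #withClientKeystore}. */
    @FunctionalInterface
    private interface CheckedAction {
        void run() throws Exception;
    }

    @Before
    public void replaceTheDefaultDriver() {
        replaceDefaultWebDriver(this.phantomJS);
    }

    /**
     * OCSP enabled, no responder URL configured (the authenticator presumably resolves it from
     * the certificate itself — not visible here). The suite's default client certificate is one
     * the responder reports as revoked, so the grant must be refused.
     */
    @Test
    public void loginFailedOnOCSPResponderRevocationCheck() throws Exception {
        configureDirectGrant(ocspConfig(null, null));
        this.oauth.clientId(RESOURCE_OWNER_CLIENT);
        OAuthClient.AccessTokenResponse response = requestToken();
        Assert.assertEquals(Response.Status.UNAUTHORIZED.getStatusCode(), response.getStatusCode());
        Assert.assertEquals("invalid_request", response.getError());
        Assert.assertThat(response.getErrorDescription(), Matchers.containsString("Certificate's been revoked."));
    }

    /**
     * Responder URL configured but no responder certificate. The response the local responder
     * signs must be rejected because its signer is not trusted for OCSP signing; accepting it
     * would let any reachable endpoint vouch for a certificate.
     */
    @Test
    public void loginFailedOnOCSPResponderRevocationCheckWithoutCA() throws Exception {
        configureDirectGrant(ocspConfig(OCSP_RESPONDER_URL, null));
        withClientKeystore("client-ca.jks", () -> {
            OAuthClient.AccessTokenResponse response = requestToken();
            Assert.assertEquals(Response.Status.UNAUTHORIZED.getStatusCode(), response.getStatusCode());
            Assert.assertEquals("invalid_request", response.getError());
            Assert.assertThat(response.getErrorDescription(),
                    Matchers.containsString("Responder's certificate not valid for signing OCSP responses"));
        });
    }

    /**
     * A client certificate issued by an intermediate CA passes the OCSP check against the
     * configured responder (why this chain is accepted while {@code client-ca.jks} is not
     * depends on the fixture keystores, which are not visible here).
     */
    @Test
    public void loginClientCertSignedByIntermediateCA() throws Exception {
        configureDirectGrant(ocspConfig(OCSP_RESPONDER_URL, null));
        withClientKeystore("test-user-cert-intermediary-ca.jks", () ->
                Assert.assertEquals(Response.Status.OK.getStatusCode(), requestToken().getStatusCode()));
    }

    /**
     * Same setup as {@link #loginFailedOnOCSPResponderRevocationCheckWithoutCA()} but with the
     * responder's certificate configured explicitly; the previously untrusted response is now
     * trusted and login succeeds.
     */
    @Test
    public void loginOKOnOCSPResponderRevocationCheckWithoutCA() throws Exception {
        configureDirectGrant(ocspConfig(OCSP_RESPONDER_URL, responderCertificateBase64()));
        withClientKeystore("client-ca.jks", () ->
                Assert.assertEquals(Response.Status.OK.getStatusCode(), requestToken().getStatusCode()));
    }

    /**
     * Starts the fixture responder. It is bound to {@code localhost} (normally the loopback
     * interface), so it is not reachable from other hosts. The port is fixed, so two test JVMs
     * on one machine would collide; the failure then surfaces here rather than in a test body.
     */
    @Before
    public void startOCSPResponder() throws Exception {
        this.ocspResponder = Undertow.builder()
                .addHttpListener(OCSP_RESPONDER_PORT, OCSP_RESPONDER_HOST)
                .setHandler(new BlockingHandler(
                        new OcspHandler(OcspHandler.OCSP_RESPONDER_CERT_PATH, OcspHandler.OCSP_RESPONDER_KEYPAIR_PATH)))
                .build();
        this.ocspResponder.start();
    }

    @After
    public void stopOCSPResponder() {
        // If startOCSPResponder() failed (e.g. port already in use) the field is still null;
        // an NPE here would mask the real failure.
        if (this.ocspResponder != null) {
            this.ocspResponder.stop();
            this.ocspResponder = null;
        }
    }

    /**
     * Builds the authenticator config shared by all tests: OCSP on, identity taken from the
     * subject DN e-mail and mapped to the user's e-mail. Setter order matches the original
     * inline chains.
     *
     * @param responderUrl           explicit OCSP responder URL, or {@code null} to leave unset
     * @param responderCertificate   base64 body of the trusted responder certificate, or {@code null}
     */
    private static X509AuthenticatorConfigModel ocspConfig(String responderUrl, String responderCertificate) {
        X509AuthenticatorConfigModel model = new X509AuthenticatorConfigModel()
                .setOCSPEnabled(true)
                .setMappingSourceType(X509AuthenticatorConfigModel.MappingSourceType.SUBJECTDN_EMAIL);
        if (responderUrl != null) {
            model = model.setOCSPResponder(responderUrl);
        }
        if (responderCertificate != null) {
            model = model.setOCSPResponderCertificate(responderCertificate);
        }
        return model.setUserIdentityMapperType(X509AuthenticatorConfigModel.IdentityMapperType.USERNAME_EMAIL);
    }

    /** Installs {@code model} on the direct-grant execution and fails fast if that did not work. */
    private void configureDirectGrant(X509AuthenticatorConfigModel model) {
        Assert.assertNotNull(createConfig(this.directGrantExecution.getId(),
                newConfig(DIRECT_GRANT_CONFIG_ALIAS, model.getConfig())));
    }

    /** Resource-owner password grant with the client secret and empty username/password. */
    private OAuthClient.AccessTokenResponse requestToken() throws Exception {
        return this.oauth.doGrantAccessTokenRequest(RESOURCE_OWNER_SECRET, "", "", (String) null);
    }

    /**
     * Reads the responder certificate from the classpath and strips the PEM armour, leaving
     * the base64 body the config model expects. The stream is closed after reading.
     */
    private String responderCertificateBase64() throws IOException {
        try (InputStream in = getClass().getResourceAsStream(OcspHandler.OCSP_RESPONDER_CERT_PATH)) {
            Assert.assertNotNull("OCSP responder certificate resource not found: "
                    + OcspHandler.OCSP_RESPONDER_CERT_PATH, in);
            return IOUtils.toString(in, StandardCharsets.UTF_8)
                    .replace("-----BEGIN CERTIFICATE-----", "")
                    .replace("-----END CERTIFICATE-----", "");
        }
    }

    /**
     * Runs {@code action} with the OAuth client presenting the client certificate from
     * {@code keystoreFileName}, a keystore that lives in the same directory as the suite's
     * default {@code client.certificate.keystore}. The previous HTTP client is restored in
     * {@code finally} even when the action fails.
     */
    @SuppressWarnings({"rawtypes", "unchecked"}) // Supplier element type is a third-party HTTP client not imported here
    private void withClientKeystore(String keystoreFileName, CheckedAction action) throws Exception {
        String keystore = Paths.get(System.getProperty("client.certificate.keystore"))
                .getParent().resolve(keystoreFileName).toString();
        String keystorePassphrase = System.getProperty("client.certificate.keystore.passphrase");
        String truststore = System.getProperty("client.truststore");
        String truststorePassphrase = System.getProperty("client.truststore.passphrase");
        Supplier previousHttpClient = this.oauth.getHttpClient();
        try {
            this.oauth.clientId(RESOURCE_OWNER_CLIENT);
            this.oauth.httpClient(() ->
                    OAuthClient.newCloseableHttpClientSSL(keystore, keystorePassphrase, truststore, truststorePassphrase));
            action.run();
        } finally {
            this.oauth.httpClient(previousHttpClient);
        }
    }
}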
