package org.keycloak.testsuite.oauth;

import java.security.MessageDigest;
import java.util.List;
import javax.ws.rs.core.UriBuilder;
import org.hamcrest.Matchers;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.common.util.Base64Url;
import org.keycloak.jose.jws.JWSHeader;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.RefreshToken;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.EventRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.AbstractAdminTest;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.util.ClientManager;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.UserBuilder;

/* loaded from: input_file:org/keycloak/testsuite/oauth/OAuthProofKeyForCodeExchangeTest.class */
public class OAuthProofKeyForCodeExchangeTest extends AbstractKeycloakTest {

    @Rule
    public AssertEvents events = new AssertEvents(this);

    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void beforeAbstractKeycloakTest() throws Exception {
        super.beforeAbstractKeycloakTest();
    }

    @Before
    public void clientConfiguration() {
        ClientManager.realm(this.adminClient.realm("test")).clientId(AssertEvents.DEFAULT_CLIENT_ID).directAccessGrant(true);
        this.oauth.clientId(AssertEvents.DEFAULT_CLIENT_ID);
    }

    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void addTestRealms(List<RealmRepresentation> list) {
        RealmRepresentation realmRepresentation = (RealmRepresentation) AbstractAdminTest.loadJson(getClass().getResourceAsStream("/testrealm.json"), RealmRepresentation.class);
        realmRepresentation.getUsers().add(UserBuilder.create().id(KeycloakModelUtils.generateId()).username("no-permissions").addRoles("user").password("password").build());
        list.add(realmRepresentation);
    }

    @Test
    @AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
    public void accessTokenRequestWithoutPKCE() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        EventRepresentation assertEvent = this.events.expectLogin().assertEvent();
        expectSuccessfulResponseFromTokenEndpoint((String) assertEvent.getDetails().get("code_id"), assertEvent.getSessionId(), (String) this.oauth.getCurrentQuery().get("code"));
    }

    @Test
    public void accessTokenRequestInPKCEValidS256CodeChallengeMethod() throws Exception {
        this.oauth.codeChallenge(generateS256CodeChallenge("1234567890123456789012345678901234567890123"));
        this.oauth.codeChallengeMethod("S256");
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        EventRepresentation assertEvent = this.events.expectLogin().assertEvent();
        String sessionId = assertEvent.getSessionId();
        String str = (String) assertEvent.getDetails().get("code_id");
        String str2 = (String) this.oauth.getCurrentQuery().get("code");
        this.oauth.codeVerifier("1234567890123456789012345678901234567890123");
        expectSuccessfulResponseFromTokenEndpoint(str, sessionId, str2);
    }

    @Test
    public void accessTokenRequestInPKCEUnmatchedCodeVerifierWithS256CodeChallengeMethod() throws Exception {
        this.oauth.codeChallenge("1234567890123456789012345678901234567890123");
        this.oauth.codeChallengeMethod("S256");
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        EventRepresentation assertEvent = this.events.expectLogin().assertEvent();
        String sessionId = assertEvent.getSessionId();
        String str = (String) assertEvent.getDetails().get("code_id");
        String str2 = (String) this.oauth.getCurrentQuery().get("code");
        this.oauth.codeVerifier("1234567890123456789012345678901234567890123");
        OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest(str2, "password");
        Assert.assertEquals(400L, doAccessTokenRequest.getStatusCode());
        Assert.assertEquals("invalid_grant", doAccessTokenRequest.getError());
        Assert.assertEquals("PKCE verification failed", doAccessTokenRequest.getErrorDescription());
        this.events.expectCodeToToken(str, sessionId).error("pkce_verification_failed").clearDetails().assertEvent();
    }

    @Test
    @AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
    public void accessTokenRequestInPKCEValidPlainCodeChallengeMethod() throws Exception {
        this.oauth.codeChallenge(".234567890-234567890~234567890_234567890123");
        this.oauth.codeChallengeMethod("plain");
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        EventRepresentation assertEvent = this.events.expectLogin().assertEvent();
        String sessionId = assertEvent.getSessionId();
        String str = (String) assertEvent.getDetails().get("code_id");
        String str2 = (String) this.oauth.getCurrentQuery().get("code");
        this.oauth.codeVerifier(".234567890-234567890~234567890_234567890123");
        expectSuccessfulResponseFromTokenEndpoint(str, sessionId, str2);
    }

    @Test
    public void accessTokenRequestInPKCEUnmachedCodeVerifierWithPlainCodeChallengeMethod() throws Exception {
        this.oauth.codeChallenge("1234567890123456789012345678901234567890123");
        this.oauth.codeChallengeMethod("plain");
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        EventRepresentation assertEvent = this.events.expectLogin().assertEvent();
        String sessionId = assertEvent.getSessionId();
        String str = (String) assertEvent.getDetails().get("code_id");
        String str2 = (String) this.oauth.getCurrentQuery().get("code");
        this.oauth.codeVerifier("aZ_-.~1234567890123456789012345678901234567890123Za");
        OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest(str2, "password");
        Assert.assertEquals(400L, doAccessTokenRequest.getStatusCode());
        Assert.assertEquals("invalid_grant", doAccessTokenRequest.getError());
        Assert.assertEquals("PKCE verification failed", doAccessTokenRequest.getErrorDescription());
        this.events.expectCodeToToken(str, sessionId).error("pkce_verification_failed").clearDetails().assertEvent();
    }

    @Test
    @AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
    public void accessTokenRequestInPKCEValidDefaultCodeChallengeMethod() throws Exception {
        this.oauth.codeChallenge("1234567890123456789012345678901234567890123");
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        EventRepresentation assertEvent = this.events.expectLogin().assertEvent();
        String sessionId = assertEvent.getSessionId();
        String str = (String) assertEvent.getDetails().get("code_id");
        String str2 = (String) this.oauth.getCurrentQuery().get("code");
        this.oauth.codeVerifier("1234567890123456789012345678901234567890123");
        expectSuccessfulResponseFromTokenEndpoint(str, sessionId, str2);
    }

    @Test
    public void accessTokenRequestInPKCEWithoutCodeChallengeWithValidCodeChallengeMethod() throws Exception {
        this.oauth.codeChallengeMethod("plain");
        this.driver.navigate().to(UriBuilder.fromUri(this.oauth.getLoginFormUrl()).build(new Object[0]).toURL());
        OAuthClient.AuthorizationEndpointResponse authorizationEndpointResponse = new OAuthClient.AuthorizationEndpointResponse(this.oauth);
        Assert.assertTrue(authorizationEndpointResponse.isRedirected());
        Assert.assertEquals(authorizationEndpointResponse.getError(), "invalid_request");
        Assert.assertEquals(authorizationEndpointResponse.getErrorDescription(), "Missing parameter: code_challenge");
        this.events.expectLogin().error("invalid_request").user((String) null).session((String) null).clearDetails().assertEvent();
    }

    @Test
    public void accessTokenRequestInPKCEInvalidUnderCodeChallengeWithS256CodeChallengeMethod() throws Exception {
        this.oauth.codeChallengeMethod("S256");
        this.oauth.codeChallenge("ABCDEFGabcdefg1234567ABCDEFGabcdefg1234567");
        this.driver.navigate().to(UriBuilder.fromUri(this.oauth.getLoginFormUrl()).build(new Object[0]).toURL());
        OAuthClient.AuthorizationEndpointResponse authorizationEndpointResponse = new OAuthClient.AuthorizationEndpointResponse(this.oauth);
        Assert.assertTrue(authorizationEndpointResponse.isRedirected());
        Assert.assertEquals(authorizationEndpointResponse.getError(), "invalid_request");
        Assert.assertEquals(authorizationEndpointResponse.getErrorDescription(), "Invalid parameter: code_challenge");
        this.events.expectLogin().error("invalid_request").user((String) null).session((String) null).clearDetails().assertEvent();
    }

    @Test
    public void accessTokenRequestInPKCEInvalidOverCodeChallengeWithPlainCodeChallengeMethod() throws Exception {
        this.oauth.codeChallengeMethod("plain");
        this.oauth.codeChallenge("3fRc92kac_keic8c7al-3ncbdoaie.DDeizlck3~3fRc92kac_keic8c7al-3ncbdoaie.DDeizlck3~3fRc92kac_keic8c7al-3ncbdoaie.DDeizlck3~123456789");
        this.driver.navigate().to(UriBuilder.fromUri(this.oauth.getLoginFormUrl()).build(new Object[0]).toURL());
        OAuthClient.AuthorizationEndpointResponse authorizationEndpointResponse = new OAuthClient.AuthorizationEndpointResponse(this.oauth);
        Assert.assertTrue(authorizationEndpointResponse.isRedirected());
        Assert.assertEquals(authorizationEndpointResponse.getError(), "invalid_request");
        Assert.assertEquals(authorizationEndpointResponse.getErrorDescription(), "Invalid parameter: code_challenge");
        this.events.expectLogin().error("invalid_request").user((String) null).session((String) null).clearDetails().assertEvent();
    }

    @Test
    public void accessTokenRequestInPKCEInvalidUnderCodeVerifierWithS256CodeChallengeMethod() throws Exception {
        this.oauth.codeChallenge(generateS256CodeChallenge("ABCDEFGabcdefg1234567ABCDEFGabcdefg1234567"));
        this.oauth.codeChallengeMethod("S256");
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        EventRepresentation assertEvent = this.events.expectLogin().assertEvent();
        String sessionId = assertEvent.getSessionId();
        String str = (String) assertEvent.getDetails().get("code_id");
        String str2 = (String) this.oauth.getCurrentQuery().get("code");
        this.oauth.codeVerifier("ABCDEFGabcdefg1234567ABCDEFGabcdefg1234567");
        OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest(str2, "password");
        Assert.assertEquals(400L, doAccessTokenRequest.getStatusCode());
        Assert.assertEquals("invalid_grant", doAccessTokenRequest.getError());
        Assert.assertEquals("PKCE invalid code verifier", doAccessTokenRequest.getErrorDescription());
        this.events.expectCodeToToken(str, sessionId).error("invalid_code_verifier").clearDetails().assertEvent();
    }

    @Test
    public void accessTokenRequestInPKCEInvalidOverCodeVerifierWithS256CodeChallengeMethod() throws Exception {
        this.oauth.codeChallenge(generateS256CodeChallenge("3fRc92kac_keic8c7al-3ncbdoaie.DDeizlck3~3fRc92kac_keic8c7al-3ncbdoaie.DDeizlck3~3fRc92kac_keic8c7al-3ncbdoaie.DDeizlck3~123456789"));
        this.oauth.codeChallengeMethod("S256");
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        EventRepresentation assertEvent = this.events.expectLogin().assertEvent();
        String sessionId = assertEvent.getSessionId();
        String str = (String) assertEvent.getDetails().get("code_id");
        String str2 = (String) this.oauth.getCurrentQuery().get("code");
        this.oauth.codeVerifier("3fRc92kac_keic8c7al-3ncbdoaie.DDeizlck3~3fRc92kac_keic8c7al-3ncbdoaie.DDeizlck3~3fRc92kac_keic8c7al-3ncbdoaie.DDeizlck3~123456789");
        OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest(str2, "password");
        Assert.assertEquals(400L, doAccessTokenRequest.getStatusCode());
        Assert.assertEquals("invalid_grant", doAccessTokenRequest.getError());
        Assert.assertEquals("PKCE invalid code verifier", doAccessTokenRequest.getErrorDescription());
        this.events.expectCodeToToken(str, sessionId).error("invalid_code_verifier").clearDetails().assertEvent();
    }

    @Test
    public void accessTokenRequestInPKCEWIthoutCodeVerifierWithS256CodeChallengeMethod() throws Exception {
        this.oauth.codeChallenge("1234567890123456789012345678901234567890123");
        this.oauth.codeChallengeMethod("S256");
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        EventRepresentation assertEvent = this.events.expectLogin().assertEvent();
        String sessionId = assertEvent.getSessionId();
        String str = (String) assertEvent.getDetails().get("code_id");
        OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password");
        Assert.assertEquals(400L, doAccessTokenRequest.getStatusCode());
        Assert.assertEquals("invalid_grant", doAccessTokenRequest.getError());
        Assert.assertEquals("PKCE code verifier not specified", doAccessTokenRequest.getErrorDescription());
        this.events.expectCodeToToken(str, sessionId).error("code_verifier_missing").clearDetails().assertEvent();
    }

    @Test
    public void accessTokenRequestInPKCEInvalidCodeChallengeWithS256CodeChallengeMethod() throws Exception {
        this.oauth.codeChallenge("1234567890123456789=12345678901234567890123");
        this.oauth.codeChallengeMethod("S256");
        this.driver.navigate().to(UriBuilder.fromUri(this.oauth.getLoginFormUrl()).build(new Object[0]).toURL());
        OAuthClient.AuthorizationEndpointResponse authorizationEndpointResponse = new OAuthClient.AuthorizationEndpointResponse(this.oauth);
        Assert.assertTrue(authorizationEndpointResponse.isRedirected());
        Assert.assertEquals(authorizationEndpointResponse.getError(), "invalid_request");
        Assert.assertEquals(authorizationEndpointResponse.getErrorDescription(), "Invalid parameter: code_challenge");
        this.events.expectLogin().error("invalid_request").user((String) null).session((String) null).clearDetails().assertEvent();
    }

    @Test
    public void accessTokenRequestInPKCEInvalidCodeVerifierWithS256CodeChallengeMethod() throws Exception {
        this.oauth.codeChallenge(generateS256CodeChallenge("123456789.123456789-123456789~1234$6789_123"));
        this.oauth.codeChallengeMethod("S256");
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        EventRepresentation assertEvent = this.events.expectLogin().assertEvent();
        String sessionId = assertEvent.getSessionId();
        String str = (String) assertEvent.getDetails().get("code_id");
        String str2 = (String) this.oauth.getCurrentQuery().get("code");
        this.oauth.codeVerifier("123456789.123456789-123456789~1234$6789_123");
        OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest(str2, "password");
        Assert.assertEquals(400L, doAccessTokenRequest.getStatusCode());
        Assert.assertEquals("invalid_grant", doAccessTokenRequest.getError());
        Assert.assertEquals("PKCE invalid code verifier", doAccessTokenRequest.getErrorDescription());
        this.events.expectCodeToToken(str, sessionId).error("invalid_code_verifier").clearDetails().assertEvent();
    }

    private String generateS256CodeChallenge(String str) throws Exception {
        MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
        messageDigest.update(str.getBytes("ISO_8859_1"));
        return Base64Url.encode(messageDigest.digest());
    }

    private void expectSuccessfulResponseFromTokenEndpoint(String str, String str2, String str3) throws Exception {
        OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest(str3, "password");
        Assert.assertEquals(200L, doAccessTokenRequest.getStatusCode());
        Assert.assertThat(Integer.valueOf(doAccessTokenRequest.getExpiresIn()), Matchers.allOf(Matchers.greaterThanOrEqualTo(250), Matchers.lessThanOrEqualTo(300)));
        Assert.assertThat(Integer.valueOf(doAccessTokenRequest.getRefreshExpiresIn()), Matchers.allOf(Matchers.greaterThanOrEqualTo(1750), Matchers.lessThanOrEqualTo(1800)));
        Assert.assertEquals("Bearer", doAccessTokenRequest.getTokenType());
        String keyId = this.oauth.doCertsRequest("test").getKeys()[0].getKeyId();
        JWSHeader header = new JWSInput(doAccessTokenRequest.getAccessToken()).getHeader();
        Assert.assertEquals("RS256", header.getAlgorithm().name());
        Assert.assertEquals("JWT", header.getType());
        Assert.assertEquals(keyId, header.getKeyId());
        Assert.assertNull(header.getContentType());
        JWSHeader header2 = new JWSInput(doAccessTokenRequest.getIdToken()).getHeader();
        Assert.assertEquals("RS256", header2.getAlgorithm().name());
        Assert.assertEquals("JWT", header2.getType());
        Assert.assertEquals(keyId, header2.getKeyId());
        Assert.assertNull(header2.getContentType());
        JWSHeader header3 = new JWSInput(doAccessTokenRequest.getRefreshToken()).getHeader();
        Assert.assertEquals("HS256", header3.getAlgorithm().name());
        Assert.assertEquals("JWT", header3.getType());
        Assert.assertNull(header3.getContentType());
        AccessToken verifyToken = this.oauth.verifyToken(doAccessTokenRequest.getAccessToken());
        Assert.assertEquals(ApiUtil.findUserByUsername(this.adminClient.realm("test"), AssertEvents.DEFAULT_USERNAME).getId(), verifyToken.getSubject());
        Assert.assertNotEquals(AssertEvents.DEFAULT_USERNAME, verifyToken.getSubject());
        Assert.assertEquals(str2, verifyToken.getSessionState());
        Assert.assertEquals(2L, verifyToken.getRealmAccess().getRoles().size());
        Assert.assertTrue(verifyToken.getRealmAccess().isUserInRole("user"));
        Assert.assertEquals(1L, verifyToken.getResourceAccess(this.oauth.getClientId()).getRoles().size());
        Assert.assertTrue(verifyToken.getResourceAccess(this.oauth.getClientId()).isUserInRole("customer-user"));
        EventRepresentation assertEvent = this.events.expectCodeToToken(str, str2).assertEvent();
        Assert.assertEquals(verifyToken.getId(), assertEvent.getDetails().get("token_id"));
        Assert.assertEquals(this.oauth.parseRefreshToken(doAccessTokenRequest.getRefreshToken()).getId(), assertEvent.getDetails().get("refresh_token_id"));
        Assert.assertEquals(str2, verifyToken.getSessionState());
        String refreshToken = doAccessTokenRequest.getRefreshToken();
        RefreshToken parseRefreshToken = this.oauth.parseRefreshToken(refreshToken);
        Assert.assertNotNull(refreshToken);
        Assert.assertThat(Integer.valueOf(verifyToken.getExpiration() - getCurrentTime()), Matchers.allOf(Matchers.greaterThanOrEqualTo(200), Matchers.lessThanOrEqualTo(350)));
        Assert.assertThat(Integer.valueOf(parseRefreshToken.getExpiration() - getCurrentTime()), Matchers.allOf(Matchers.greaterThanOrEqualTo(1796), Matchers.lessThanOrEqualTo(1803)));
        Assert.assertEquals(str2, parseRefreshToken.getSessionState());
        setTimeOffset(2);
        OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(refreshToken, "password");
        AccessToken verifyToken2 = this.oauth.verifyToken(doRefreshTokenRequest.getAccessToken());
        RefreshToken parseRefreshToken2 = this.oauth.parseRefreshToken(doRefreshTokenRequest.getRefreshToken());
        Assert.assertEquals(200L, doRefreshTokenRequest.getStatusCode());
        Assert.assertEquals(str2, verifyToken2.getSessionState());
        Assert.assertEquals(str2, parseRefreshToken2.getSessionState());
        Assert.assertThat(Integer.valueOf(doRefreshTokenRequest.getExpiresIn()), Matchers.allOf(Matchers.greaterThanOrEqualTo(250), Matchers.lessThanOrEqualTo(300)));
        Assert.assertThat(Integer.valueOf(verifyToken2.getExpiration() - getCurrentTime()), Matchers.allOf(Matchers.greaterThanOrEqualTo(247), Matchers.lessThanOrEqualTo(303)));
        Assert.assertThat(Integer.valueOf(verifyToken2.getExpiration() - verifyToken.getExpiration()), Matchers.allOf(Matchers.greaterThanOrEqualTo(1), Matchers.lessThanOrEqualTo(10)));
        Assert.assertThat(Integer.valueOf(parseRefreshToken2.getExpiration() - parseRefreshToken.getExpiration()), Matchers.allOf(Matchers.greaterThanOrEqualTo(1), Matchers.lessThanOrEqualTo(10)));
        Assert.assertNotEquals(verifyToken.getId(), verifyToken2.getId());
        Assert.assertNotEquals(parseRefreshToken.getId(), parseRefreshToken2.getId());
        Assert.assertEquals("Bearer", doRefreshTokenRequest.getTokenType());
        Assert.assertEquals(ApiUtil.findUserByUsername(this.adminClient.realm("test"), AssertEvents.DEFAULT_USERNAME).getId(), verifyToken2.getSubject());
        Assert.assertNotEquals(AssertEvents.DEFAULT_USERNAME, verifyToken2.getSubject());
        Assert.assertEquals(2L, verifyToken2.getRealmAccess().getRoles().size());
        Assert.assertTrue(verifyToken2.getRealmAccess().isUserInRole("user"));
        Assert.assertEquals(1L, verifyToken2.getResourceAccess(this.oauth.getClientId()).getRoles().size());
        Assert.assertTrue(verifyToken2.getResourceAccess(this.oauth.getClientId()).isUserInRole("customer-user"));
        EventRepresentation assertEvent2 = this.events.expectRefresh((String) assertEvent.getDetails().get("refresh_token_id"), str2).assertEvent();
        Assert.assertNotEquals(assertEvent.getDetails().get("token_id"), assertEvent2.getDetails().get("token_id"));
        Assert.assertNotEquals(assertEvent.getDetails().get("refresh_token_id"), assertEvent2.getDetails().get("updated_refresh_token_id"));
        setTimeOffset(0);
    }

    private void setPkceActivationSettings(String str, String str2) {
        ClientResource findClientByClientId = ApiUtil.findClientByClientId(this.adminClient.realm("test"), str);
        ClientRepresentation representation = findClientByClientId.toRepresentation();
        OIDCAdvancedConfigWrapper.fromClientRepresentation(representation).setPkceCodeChallengeMethod(str2);
        findClientByClientId.update(representation);
    }

    @Test
    public void accessTokenRequestValidS256CodeChallengeMethodPkceEnforced() throws Exception {
        try {
            setPkceActivationSettings(AssertEvents.DEFAULT_CLIENT_ID, "S256");
            this.oauth.codeChallenge(generateS256CodeChallenge("1a345A7890123456r8901c3456789012b45K7890l23"));
            this.oauth.codeChallengeMethod("S256");
            this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            EventRepresentation assertEvent = this.events.expectLogin().assertEvent();
            String sessionId = assertEvent.getSessionId();
            String str = (String) assertEvent.getDetails().get("code_id");
            String str2 = (String) this.oauth.getCurrentQuery().get("code");
            this.oauth.codeVerifier("1a345A7890123456r8901c3456789012b45K7890l23");
            expectSuccessfulResponseFromTokenEndpoint(str, sessionId, str2);
            setPkceActivationSettings(AssertEvents.DEFAULT_CLIENT_ID, null);
        } catch (Throwable th) {
            setPkceActivationSettings(AssertEvents.DEFAULT_CLIENT_ID, null);
            throw th;
        }
    }

    @Test
    @AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
    public void accessTokenRequestValidPlainCodeChallengeMethodPkceEnforced() throws Exception {
        try {
            setPkceActivationSettings(AssertEvents.DEFAULT_CLIENT_ID, "plain");
            this.oauth.codeChallenge("12E45r78901d3456789G12y45G78901234B67v901u3");
            this.oauth.codeChallengeMethod("plain");
            this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            EventRepresentation assertEvent = this.events.expectLogin().assertEvent();
            String sessionId = assertEvent.getSessionId();
            String str = (String) assertEvent.getDetails().get("code_id");
            String str2 = (String) this.oauth.getCurrentQuery().get("code");
            this.oauth.codeVerifier("12E45r78901d3456789G12y45G78901234B67v901u3");
            expectSuccessfulResponseFromTokenEndpoint(str, sessionId, str2);
            setPkceActivationSettings(AssertEvents.DEFAULT_CLIENT_ID, null);
        } catch (Throwable th) {
            setPkceActivationSettings(AssertEvents.DEFAULT_CLIENT_ID, null);
            throw th;
        }
    }

    @Test
    public void accessTokenRequestCodeChallengeMethodMismatchPkceEnforced() throws Exception {
        try {
            setPkceActivationSettings(AssertEvents.DEFAULT_CLIENT_ID, "S256");
            this.oauth.codeChallenge(generateS256CodeChallenge("12345678e01234567890g2345678h012a4567j90123"));
            this.oauth.codeChallengeMethod("plain");
            this.driver.navigate().to(UriBuilder.fromUri(this.oauth.getLoginFormUrl()).build(new Object[0]).toURL());
            OAuthClient.AuthorizationEndpointResponse authorizationEndpointResponse = new OAuthClient.AuthorizationEndpointResponse(this.oauth);
            Assert.assertTrue(authorizationEndpointResponse.isRedirected());
            Assert.assertEquals(authorizationEndpointResponse.getError(), "invalid_request");
            Assert.assertEquals(authorizationEndpointResponse.getErrorDescription(), "Invalid parameter: code challenge method is not configured one");
            this.events.expectLogin().error("invalid_request").user((String) null).session((String) null).clearDetails().assertEvent();
            setPkceActivationSettings(AssertEvents.DEFAULT_CLIENT_ID, null);
        } catch (Throwable th) {
            setPkceActivationSettings(AssertEvents.DEFAULT_CLIENT_ID, null);
            throw th;
        }
    }

    @Test
    public void accessTokenRequestCodeChallengeMethodMissingPkceEnforced() throws Exception {
        try {
            setPkceActivationSettings(AssertEvents.DEFAULT_CLIENT_ID, "S256");
            this.oauth.codeChallenge(generateS256CodeChallenge("1234567890123456789012345678901234567890123"));
            this.driver.navigate().to(UriBuilder.fromUri(this.oauth.getLoginFormUrl()).build(new Object[0]).toURL());
            OAuthClient.AuthorizationEndpointResponse authorizationEndpointResponse = new OAuthClient.AuthorizationEndpointResponse(this.oauth);
            Assert.assertTrue(authorizationEndpointResponse.isRedirected());
            Assert.assertEquals(authorizationEndpointResponse.getError(), "invalid_request");
            Assert.assertEquals(authorizationEndpointResponse.getErrorDescription(), "Missing parameter: code_challenge_method");
            this.events.expectLogin().error("invalid_request").user((String) null).session((String) null).clearDetails().assertEvent();
            setPkceActivationSettings(AssertEvents.DEFAULT_CLIENT_ID, null);
        } catch (Throwable th) {
            setPkceActivationSettings(AssertEvents.DEFAULT_CLIENT_ID, null);
            throw th;
        }
    }

    @Test
    public void accessTokenRequestCodeChallengeMissingPkceEnforced() throws Exception {
        try {
            setPkceActivationSettings(AssertEvents.DEFAULT_CLIENT_ID, "S256");
            this.oauth.codeChallengeMethod("S256");
            this.driver.navigate().to(UriBuilder.fromUri(this.oauth.getLoginFormUrl()).build(new Object[0]).toURL());
            OAuthClient.AuthorizationEndpointResponse authorizationEndpointResponse = new OAuthClient.AuthorizationEndpointResponse(this.oauth);
            Assert.assertTrue(authorizationEndpointResponse.isRedirected());
            Assert.assertEquals(authorizationEndpointResponse.getError(), "invalid_request");
            Assert.assertEquals(authorizationEndpointResponse.getErrorDescription(), "Missing parameter: code_challenge");
            this.events.expectLogin().error("invalid_request").user((String) null).session((String) null).clearDetails().assertEvent();
        } finally {
            setPkceActivationSettings(AssertEvents.DEFAULT_CLIENT_ID, null);
        }
    }

    @Test
    public void accessTokenRequestInvalidCodeChallengePkceEnforced() throws Exception {
        try {
            setPkceActivationSettings(AssertEvents.DEFAULT_CLIENT_ID, "S256");
            this.oauth.codeChallenge("invalid");
            this.oauth.codeChallengeMethod("S256");
            this.driver.navigate().to(UriBuilder.fromUri(this.oauth.getLoginFormUrl()).build(new Object[0]).toURL());
            OAuthClient.AuthorizationEndpointResponse authorizationEndpointResponse = new OAuthClient.AuthorizationEndpointResponse(this.oauth);
            Assert.assertTrue(authorizationEndpointResponse.isRedirected());
            Assert.assertEquals(authorizationEndpointResponse.getError(), "invalid_request");
            Assert.assertEquals(authorizationEndpointResponse.getErrorDescription(), "Invalid parameter: code_challenge");
            this.events.expectLogin().error("invalid_request").user((String) null).session((String) null).clearDetails().assertEvent();
        } finally {
            setPkceActivationSettings(AssertEvents.DEFAULT_CLIENT_ID, null);
        }
    }

    @Test
    public void accessTokenRequestWithoutCodeVerifierPkceEnforced() throws Exception {
        try {
            setPkceActivationSettings(AssertEvents.DEFAULT_CLIENT_ID, "S256");
            this.oauth.codeChallenge(generateS256CodeChallenge("1234567890123456789012345678901234567890123"));
            this.oauth.codeChallengeMethod("S256");
            this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            EventRepresentation assertEvent = this.events.expectLogin().assertEvent();
            String sessionId = assertEvent.getSessionId();
            String str = (String) assertEvent.getDetails().get("code_id");
            OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password");
            Assert.assertEquals(400L, doAccessTokenRequest.getStatusCode());
            Assert.assertEquals("invalid_grant", doAccessTokenRequest.getError());
            Assert.assertEquals("PKCE code verifier not specified", doAccessTokenRequest.getErrorDescription());
            this.events.expectCodeToToken(str, sessionId).error("code_verifier_missing").clearDetails().assertEvent();
            setPkceActivationSettings(AssertEvents.DEFAULT_CLIENT_ID, null);
        } catch (Throwable th) {
            setPkceActivationSettings(AssertEvents.DEFAULT_CLIENT_ID, null);
            throw th;
        }
    }
}
