package org.keycloak.testsuite.authz;

import java.io.IOException;
import java.io.InputStream;
import java.util.Collections;
import java.util.List;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.keycloak.admin.client.resource.AuthorizationResource;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.ClientsResource;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.AuthorizationResponse;
import org.keycloak.representations.idm.authorization.JSPolicyRepresentation;
import org.keycloak.representations.idm.authorization.PermissionRequest;
import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.client.resources.TestApplicationResourceUrls;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.testsuite.util.RoleBuilder;
import org.keycloak.testsuite.util.RolesBuilder;
import org.keycloak.testsuite.util.UserBuilder;
import org.keycloak.util.JsonSerialization;

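/**
 * Integration tests for the Keycloak Authorization Services (UMA 2.0) token flow:
 * a permission ticket is obtained from the Protection API and then exchanged for
 * an RPT (requesting party token) through the authorization endpoint.
 *
 * <p>Two resource servers are exercised, a regular one and one configured with
 * pairwise subject identifiers, each driven by its own {@code keycloak.json}
 * configuration under {@code /authorization-test/}.
 *
 * <p>Every credential in this class ({@code "secret"}, {@code "password"}) and the
 * {@code http://localhost} redirect URIs are throw-away fixtures for the embedded
 * auth server and must never be copied into non-test configuration.
 */
@AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
public class AuthorizationAPITest extends AbstractAuthzTest {
    private static final String RESOURCE_SERVER_TEST = "resource-server-test";
    private static final String TEST_CLIENT = "test-client";
    private static final String AUTHZ_CLIENT_CONFIG = "default-keycloak.json";
    private static final String PAIRWISE_RESOURCE_SERVER_TEST = "pairwise-resource-server-test";
    private static final String PAIRWISE_TEST_CLIENT = "test-client-pairwise";
    private static final String PAIRWISE_AUTHZ_CLIENT_CONFIG = "default-keycloak-pairwise.json";

    /**
     * Registers the {@code authz-test} realm shared by every test in this class.
     *
     * <p>Only {@code marta} holds the realm role {@code uma_authorization}; {@code kolo}
     * has no roles at all. The two resource-server clients additionally get
     * {@code uma_protection} as a default role, which the two plain test clients do
     * not (presumably so that only the resource servers may use the Protection API).
     * All four clients have authorization services and direct access grants enabled;
     * the latter is what {@link #testResourceServerAsAudience} relies on to obtain an
     * access token with the resource owner password grant.
     *
     * @param list realm representations collected by the base class before the
     *             auth server is started; this realm is appended to it
     */
    @Override
    public void addTestRealms(List<RealmRepresentation> list) {
        RealmBuilder realm = RealmBuilder.create()
                .name("authz-test")
                .roles(RolesBuilder.create()
                        .realmRole(RoleBuilder.create().name("uma_authorization").build()))
                .user(UserBuilder.create()
                        .username("marta")
                        .password("password")
                        .addRoles("uma_authorization"))
                .user(UserBuilder.create()
                        .username("kolo")
                        .password("password"))
                .client(resourceServerClient(RESOURCE_SERVER_TEST))
                // Pairwise resource server: subject identifiers are computed per sector
                // identifier, so the sector identifier URI must also be registered.
                .client(resourceServerClient(PAIRWISE_RESOURCE_SERVER_TEST)
                        .pairwise(TestApplicationResourceUrls.pairwiseSectorIdentifierUri()))
                .client(requestingClient(TEST_CLIENT))
                .client(requestingClient(PAIRWISE_TEST_CLIENT));
        list.add(realm.build());

        // The test application serves the sector identifier document; it has to list the
        // redirect URI of the pairwise resource server or pairwise validation fails.
        this.testingClient.testApp().oidcClientEndpoints()
                .setSectorIdentifierRedirectUris(
                        Collections.singletonList("http://localhost/resource-server-test"));
    }

    /**
     * Builds a confidential client acting as a UMA resource server: authorization
     * services on, {@code uma_protection} as default role, password grant enabled.
     * Test-only secret and redirect URI.
     *
     * @param clientId the client id to register
     * @return a builder the caller may keep configuring (e.g. pairwise settings)
     */
    private static ClientBuilder resourceServerClient(String clientId) {
        return ClientBuilder.create()
                .clientId(clientId)
                .secret("secret")
                .authorizationServicesEnabled(true)
                .redirectUris("http://localhost/resource-server-test")
                .defaultRoles("uma_protection")
                .directAccessGrants();
    }

    /**
     * Builds a confidential client that only requests tokens (no {@code uma_protection}
     * role), used to check that an RPT ends up bound to the resource server rather
     * than to the requesting client.
     *
     * @param clientId the client id to register
     * @return a builder the caller may keep configuring
     */
    private static ClientBuilder requestingClient(String clientId) {
        return ClientBuilder.create()
                .clientId(clientId)
                .secret("secret")
                .authorizationServicesEnabled(true)
                .redirectUris("http://localhost/test-client")
                .directAccessGrants();
    }

    /**
     * Seeds both resource servers with the same minimal authorization model before
     * each test.
     *
     * @throws Exception propagated from the admin client
     */
    @Before
    public void configureAuthorization() throws Exception {
        configureAuthorization(RESOURCE_SERVER_TEST);
        configureAuthorization(PAIRWISE_RESOURCE_SERVER_TEST);
    }

    /**
     * Creates, on the given resource server, a resource named {@code Resource A}
     * guarded by a JS policy that unconditionally grants ({@code $evaluation.grant()}),
     * wired together through a resource permission.
     *
     * <p>Because the policy always grants, the tests in this class exercise only the
     * ticket/RPT plumbing and audience binding, never an actual policy decision; a
     * denial path is not covered here.
     *
     * @param resourceServerClientId client id of the resource server to configure
     * @throws Exception propagated from the admin client
     */
    private void configureAuthorization(String resourceServerClientId) throws Exception {
        AuthorizationResource authorization = getClient(getRealm(), resourceServerClientId).authorization();

        ResourceRepresentation resource = new ResourceRepresentation("Resource A");
        // Responses from the admin client hold an HTTP connection until closed.
        authorization.resources().create(resource).close();

        JSPolicyRepresentation grantAll = new JSPolicyRepresentation();
        grantAll.setName("Default Policy");
        grantAll.setCode("$evaluation.grant();");
        authorization.policies().js().create(grantAll).close();

        ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
        permission.setName(resource.getName() + " Permission");
        permission.addResource(resource.getName());
        permission.addPolicy(grantAll.getName());
        authorization.permissions().resource().create(permission).close();
    }

    @Test
    public void testAccessTokenWithUmaAuthorization() {
        testAccessTokenWithUmaAuthorization(AUTHZ_CLIENT_CONFIG);
    }

    @Test
    public void testAccessTokenWithUmaAuthorizationPairwise() {
        testAccessTokenWithUmaAuthorization(PAIRWISE_AUTHZ_CLIENT_CONFIG);
    }

    /**
     * Full UMA round trip for a user with {@code uma_authorization}: the resource
     * server creates a permission ticket for {@code Resource A}, the user exchanges it
     * for an RPT, and the test asserts that an RPT was issued.
     *
     * <p>Not a JUnit test itself (no {@code @Test}); it is driven by the annotated
     * wrappers above with the two client configurations.
     *
     * @param configResource name of the {@code keycloak.json} resource for the resource server
     */
    public void testAccessTokenWithUmaAuthorization(String configResource) {
        AuthzClient authzClient = getAuthzClient(configResource);

        // Protection API call: the resource server registers what it wants to protect.
        String ticket = authzClient.protection()
                .permission()
                .create(new PermissionRequest("Resource A"))
                .getTicket();

        // Authorization API call, authenticating as marta with the password grant.
        AuthorizationResponse response = authzClient.authorization("marta", "password")
                .authorize(new AuthorizationRequest(ticket));

        Assert.assertNotNull(response.getToken());
    }

    @Test
    public void testResourceServerAsAudience() throws Exception {
        testResourceServerAsAudience(TEST_CLIENT, RESOURCE_SERVER_TEST, AUTHZ_CLIENT_CONFIG);
    }

    @Test
    public void testResourceServerAsAudienceWithPairwiseClient() throws Exception {
        testResourceServerAsAudience(PAIRWISE_TEST_CLIENT, RESOURCE_SERVER_TEST, AUTHZ_CLIENT_CONFIG);
    }

    @Test
    public void testPairwiseResourceServerAsAudience() throws Exception {
        testResourceServerAsAudience(TEST_CLIENT, PAIRWISE_RESOURCE_SERVER_TEST, PAIRWISE_AUTHZ_CLIENT_CONFIG);
    }

    @Test
    public void testPairwiseResourceServerAsAudienceWithPairwiseClient() throws Exception {
        testResourceServerAsAudience(PAIRWISE_TEST_CLIENT, PAIRWISE_RESOURCE_SERVER_TEST, PAIRWISE_AUTHZ_CLIENT_CONFIG);
    }

    /**
     * Verifies audience binding of the UMA flow when the token used to request an RPT
     * was issued to a client other than the resource server.
     *
     * <p>Checks, in order: the permission ticket carries no {@code aud} for either the
     * requesting client or the resource server; an RPT is issued; and the RPT's first
     * audience entry is the resource server, not the client that requested it. The
     * audience check is what stops an RPT obtained through one client from being
     * accepted by an unrelated resource server.
     *
     * <p>The ticket is parsed with {@link JWSInput#getContent()}, i.e. its signature is
     * deliberately not verified here: this test only inspects claims, and the server is
     * the party that must validate the ticket when it is presented.
     *
     * @param requestingClientId client used to obtain the access token (password grant)
     * @param resourceServerId   client id expected as the RPT audience
     * @param configResource     {@code keycloak.json} resource for the resource server
     * @throws Exception on ticket parsing or transport failures
     */
    public void testResourceServerAsAudience(String requestingClientId, String resourceServerId,
                                             String configResource) throws Exception {
        AuthzClient authzClient = getAuthzClient(configResource);

        PermissionRequest permissionRequest = new PermissionRequest();
        permissionRequest.setResourceId("Resource A");

        // Access token issued to the *requesting* client, not to the resource server.
        String accessToken = new OAuthClient()
                .realm("authz-test")
                .clientId(requestingClientId)
                .doGrantAccessTokenRequest("secret", "marta", "password")
                .getAccessToken();

        String ticket = authzClient.protection().permission().create(permissionRequest).getTicket();

        // Claims only; no signature verification (see Javadoc).
        JsonWebToken ticketClaims = JsonSerialization.readValue(
                new JWSInput(ticket).getContent(), JsonWebToken.class);
        org.keycloak.testsuite.Assert.assertFalse(ticketClaims.hasAudience(requestingClientId));
        org.keycloak.testsuite.Assert.assertFalse(ticketClaims.hasAudience(resourceServerId));

        AuthorizationResponse response = authzClient.authorization(accessToken)
                .authorize(new AuthorizationRequest(ticket));
        Assert.assertNotNull(response.getToken());

        // NOTE(review): only aud[0] is pinned; whether the RPT may legitimately carry
        // further audiences is not established here, so the array length is not asserted.
        Assert.assertEquals(resourceServerId, toAccessToken(response.getToken()).getAudience()[0]);
    }

    /** Admin-client handle for the {@code authz-test} realm. */
    private RealmResource getRealm() {
        return this.adminClient.realm("authz-test");
    }

    /**
     * Resolves a client by its client id (not its internal UUID) through the admin API.
     *
     * @param realmResource realm to search
     * @param clientId      client id to look up
     * @return the admin resource for the first match
     * @throws RuntimeException if no client with that id exists in the realm
     */
    private ClientResource getClient(RealmResource realmResource, String clientId) {
        ClientsResource clients = realmResource.clients();
        return clients.findByClientId(clientId).stream()
                .map(rep -> clients.get(rep.getId()))
                .findFirst()
                // Report the id actually requested; the message used to be hard-coded
                // to "resource-server-test" regardless of the argument.
                .orElseThrow(() -> new RuntimeException("Expected client [" + clientId + "]"));
    }

    /**
     * Builds an {@link AuthzClient} from a {@code keycloak.json} test resource, after
     * the base class rewrites its URLs for the HTTPS-aware test server.
     *
     * @param configResource file name under {@code /authorization-test/} on the classpath
     * @return a configured authorization client
     * @throws IllegalStateException if the resource is missing from the classpath
     * @throws RuntimeException      wrapping any {@link IOException} while reading it
     */
    private AuthzClient getAuthzClient(String configResource) {
        String path = "/authorization-test/" + configResource;
        InputStream config = getClass().getResourceAsStream(path);
        // getResourceAsStream returns null for a missing resource; fail with the path
        // instead of an opaque NullPointerException further down.
        if (config == null) {
            throw new IllegalStateException("Missing authz client configuration on classpath: " + path);
        }
        try {
            return AuthzClient.create(httpsAwareConfigurationStream(config));
        } catch (IOException e) {
            throw new RuntimeException("Failed to create authz client", e);
        }
    }
}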
