package org.keycloak.testsuite.adapter.servlet;

import java.net.URL;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import javax.ws.rs.client.Client;
import javax.ws.rs.core.UriBuilder;
import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.arquillian.container.test.api.OperateOnDeployment;
import org.jboss.arquillian.graphene.page.Page;
import org.jboss.arquillian.test.api.ArquillianResource;
import org.jboss.resteasy.client.jaxrs.ResteasyClient;
import org.jboss.shrinkwrap.api.spec.WebArchive;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.common.Profile;
import org.keycloak.common.util.Base64Url;
import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.IdentityProviderRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.testsuite.ActionURIUtils;
import org.keycloak.testsuite.adapter.AbstractServletsAdapterTest;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.arquillian.annotation.AppServerContainer;
import org.keycloak.testsuite.arquillian.annotation.AppServerContainers;
import org.keycloak.testsuite.arquillian.annotation.DisableFeature;
import org.keycloak.testsuite.broker.BrokerTestTools;
import org.keycloak.testsuite.oauth.BackchannelLogoutTest;
import org.keycloak.testsuite.page.AbstractPageWithInjectedUrl;
import org.keycloak.testsuite.pages.AccountUpdateProfilePage;
import org.keycloak.testsuite.pages.ErrorPage;
import org.keycloak.testsuite.pages.LoginPage;
import org.keycloak.testsuite.pages.LoginUpdateProfilePage;
import org.keycloak.testsuite.util.AdminClientUtil;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.ServerURLs;
import org.keycloak.testsuite.util.WaitUtils;
import org.keycloak.util.JsonSerialization;

@AppServerContainers({@AppServerContainer("app-server-undertow"), @AppServerContainer("app-server-wildfly"), @AppServerContainer("app-server-wildfly-deprecated"), @AppServerContainer("app-server-eap"), @AppServerContainer("app-server-eap6"), @AppServerContainer("app-server-eap71")})
/* loaded from: input_file:org/keycloak/testsuite/adapter/servlet/ClientInitiatedAccountLinkTest.class */
public class ClientInitiatedAccountLinkTest extends AbstractServletsAdapterTest {
    public static final String CHILD_IDP = "child";
    public static final String PARENT_IDP = "parent-idp";
    public static final String PARENT_USERNAME = "parent";

    @Page
    protected LoginUpdateProfilePage loginUpdateProfilePage;

    @Page
    protected AccountUpdateProfilePage profilePage;

    @Page
    private LoginPage loginPage;

    @Page
    protected ErrorPage errorPage;

    @Page
    private ClientApp appPage;
    private String childUserId = null;

    /* loaded from: input_file:org/keycloak/testsuite/adapter/servlet/ClientInitiatedAccountLinkTest$ClientApp.class */
    public static class ClientApp extends AbstractPageWithInjectedUrl {
        public static final String DEPLOYMENT_NAME = "client-linking";

        @ArquillianResource
        @OperateOnDeployment(DEPLOYMENT_NAME)
        private URL url;

        public URL getInjectedUrl() {
            return this.url;
        }
    }

    @Override // org.keycloak.testsuite.AbstractAuthTest
    public void beforeAuthTest() {
    }

    @Override // org.keycloak.testsuite.adapter.AbstractServletsAdapterTest, org.keycloak.testsuite.adapter.AbstractAdapterTest
    public void addAdapterTestRealms(List<RealmRepresentation> list) {
        RealmRepresentation realmRepresentation = new RealmRepresentation();
        realmRepresentation.setRealm("child");
        realmRepresentation.setEnabled(true);
        ClientRepresentation clientRepresentation = new ClientRepresentation();
        clientRepresentation.setClientId(ClientApp.DEPLOYMENT_NAME);
        clientRepresentation.setProtocol("openid-connect");
        clientRepresentation.setAdminUrl("/client-linking");
        clientRepresentation.setDirectAccessGrantsEnabled(true);
        clientRepresentation.setBaseUrl("/client-linking");
        clientRepresentation.setRedirectUris(new LinkedList());
        clientRepresentation.getRedirectUris().add("/client-linking/*");
        clientRepresentation.setSecret("password");
        clientRepresentation.setFullScopeAllowed(true);
        realmRepresentation.setClients(new LinkedList());
        realmRepresentation.getClients().add(clientRepresentation);
        list.add(realmRepresentation);
        RealmRepresentation realmRepresentation2 = new RealmRepresentation();
        realmRepresentation2.setRealm("parent-idp");
        realmRepresentation2.setEnabled(true);
        list.add(realmRepresentation2);
    }

    @Deployment(name = ClientApp.DEPLOYMENT_NAME)
    protected static WebArchive accountLink() {
        return servletDeployment(ClientApp.DEPLOYMENT_NAME, ClientInitiatedAccountLinkServlet.class, ServletTestUtils.class);
    }

    @Before
    public void addIdpUser() {
        RealmResource realm = this.adminClient.realms().realm("parent-idp");
        UserRepresentation userRepresentation = new UserRepresentation();
        userRepresentation.setUsername("parent");
        userRepresentation.setEnabled(true);
        ApiUtil.createUserAndResetPasswordWithAdminClient(realm, userRepresentation, "password");
    }

    @Before
    public void addChildUser() {
        RealmResource realm = this.adminClient.realms().realm("child");
        UserRepresentation userRepresentation = new UserRepresentation();
        userRepresentation.setUsername("child");
        userRepresentation.setEnabled(true);
        this.childUserId = ApiUtil.createUserAndResetPasswordWithAdminClient(realm, userRepresentation, "password");
        UserRepresentation userRepresentation2 = new UserRepresentation();
        userRepresentation2.setUsername("child2");
        userRepresentation2.setEnabled(true);
        String createUserAndResetPasswordWithAdminClient = ApiUtil.createUserAndResetPasswordWithAdminClient(realm, userRepresentation2, "password");
        realm.roles().create(new RoleRepresentation("user", (String) null, false));
        RoleRepresentation representation = realm.roles().get("user").toRepresentation();
        LinkedList linkedList = new LinkedList();
        linkedList.add(representation);
        realm.users().get(this.childUserId).roles().realmLevel().add(linkedList);
        realm.users().get(createUserAndResetPasswordWithAdminClient).roles().realmLevel().add(linkedList);
        ClientRepresentation clientRepresentation = (ClientRepresentation) realm.clients().findByClientId("broker").get(0);
        RoleRepresentation representation2 = realm.clients().get(clientRepresentation.getId()).roles().get("read-token").toRepresentation();
        linkedList.clear();
        linkedList.add(representation2);
        realm.users().get(this.childUserId).roles().clientLevel(clientRepresentation.getId()).add(linkedList);
        realm.users().get(createUserAndResetPasswordWithAdminClient).roles().clientLevel(clientRepresentation.getId()).add(linkedList);
    }

    @Before
    public void createBroker() {
        createParentChild();
    }

    public void createParentChild() {
        BrokerTestTools.createKcOidcBroker(this.adminClient, "child", "parent-idp");
    }

    @Test
    public void testErrorConditions() throws Exception {
        String aSCIIString = this.appPage.getUriBuilder().clone().path("hello").build(new Object[0]).toASCIIString();
        RealmResource realm = this.adminClient.realms().realm("child");
        Assert.assertTrue(realm.users().get(this.childUserId).getFederatedIdentity().isEmpty());
        ClientRepresentation clientRepresentation = (ClientRepresentation) this.adminClient.realms().realm("child").clients().findByClientId(ClientApp.DEPLOYMENT_NAME).get(0);
        String uri = UriBuilder.fromUri(ServerURLs.getAuthServerContextRoot() + "/auth").path("realms/child/broker/{provider}/link").queryParam("client_id", new Object[]{ClientApp.DEPLOYMENT_NAME}).queryParam("redirect_uri", new Object[]{UriBuilder.fromUri(this.appPage.getInjectedUrl().toString()).path("link").queryParam("response", new Object[]{"true"}).build(new Object[0])}).queryParam("hash", new Object[]{Base64Url.encode("crap".getBytes())}).queryParam("nonce", new Object[]{UUID.randomUUID().toString()}).build(new Object[]{"parent-idp"}).toString();
        navigateTo(uri);
        Assert.assertTrue(this.loginPage.isCurrent("child"));
        this.loginPage.login("child", "password");
        Assert.assertTrue(this.driver.getCurrentUrl().contains("link_error=not_logged_in"));
        logoutAll();
        navigateTo(aSCIIString);
        Assert.assertTrue(this.loginPage.isCurrent("child"));
        this.loginPage.login("child", "password");
        Assert.assertTrue(this.driver.getCurrentUrl().startsWith(aSCIIString));
        Assert.assertTrue(this.driver.getPageSource().contains("Unknown request:"));
        navigateTo(uri);
        Assert.assertTrue(this.driver.getPageSource().contains("We are sorry..."));
        logoutAll();
        String id = ((ClientRepresentation) this.adminClient.realms().realm("child").clients().findByClientId(BackchannelLogoutTest.ACCOUNT_CLIENT_NAME).get(0)).getId();
        RoleRepresentation representation = this.adminClient.realms().realm("child").clients().get(id).roles().get("manage-account").toRepresentation();
        RoleRepresentation representation2 = this.adminClient.realms().realm("child").clients().get(id).roles().get("manage-account-links").toRepresentation();
        RoleRepresentation representation3 = this.adminClient.realms().realm("child").roles().get("user").toRepresentation();
        clientRepresentation.setFullScopeAllowed(false);
        ClientResource clientResource = this.adminClient.realms().realm("child").clients().get(clientRepresentation.getId());
        clientResource.update(clientRepresentation);
        LinkedList linkedList = new LinkedList();
        linkedList.add(representation3);
        clientResource.getScopeMappings().realmLevel().add(linkedList);
        navigateTo(aSCIIString);
        Assert.assertTrue(this.loginPage.isCurrent("child"));
        this.loginPage.login("child", "password");
        Assert.assertTrue(this.driver.getCurrentUrl().startsWith(aSCIIString));
        Assert.assertTrue(this.driver.getPageSource().contains("Unknown request:"));
        UriBuilder path = UriBuilder.fromUri(this.appPage.getInjectedUrl().toString()).path("link");
        String uri2 = path.clone().queryParam("realm", new Object[]{"child"}).queryParam("provider", new Object[]{"parent-idp"}).build(new Object[0]).toString();
        navigateTo(uri2);
        Assert.assertTrue(this.driver.getCurrentUrl().contains("error=not_allowed"));
        logoutAll();
        Assert.assertTrue(realm.users().get(this.childUserId).getFederatedIdentity().isEmpty());
        LinkedList linkedList2 = new LinkedList();
        linkedList2.add(representation2);
        clientResource.getScopeMappings().clientLevel(id).add(linkedList2);
        navigateTo(uri2);
        Assert.assertTrue(this.loginPage.isCurrent("child"));
        this.loginPage.login("child", "password");
        Assert.assertTrue(this.loginPage.isCurrent("parent-idp"));
        this.loginPage.login("parent", "password");
        Assert.assertTrue(this.driver.getCurrentUrl().startsWith(path.toTemplate()));
        Assert.assertTrue(this.driver.getPageSource().contains("Account Linked"));
        Assert.assertFalse(realm.users().get(this.childUserId).getFederatedIdentity().isEmpty());
        realm.users().get(this.childUserId).removeFederatedIdentity("parent-idp");
        Assert.assertTrue(realm.users().get(this.childUserId).getFederatedIdentity().isEmpty());
        clientResource.getScopeMappings().clientLevel(id).remove(linkedList2);
        logoutAll();
        navigateTo(uri2);
        Assert.assertTrue(this.loginPage.isCurrent("child"));
        this.loginPage.login("child", "password");
        Assert.assertTrue(this.driver.getCurrentUrl().contains("link_error=not_allowed"));
        logoutAll();
        Assert.assertTrue(realm.users().get(this.childUserId).getFederatedIdentity().isEmpty());
        LinkedList linkedList3 = new LinkedList();
        linkedList3.add(representation);
        clientResource.getScopeMappings().clientLevel(id).add(linkedList3);
        navigateTo(uri2);
        Assert.assertTrue(this.loginPage.isCurrent("child"));
        this.loginPage.login("child", "password");
        Assert.assertTrue(this.loginPage.isCurrent("parent-idp"));
        this.loginPage.login("parent", "password");
        Assert.assertTrue(this.driver.getCurrentUrl().startsWith(path.toTemplate()));
        Assert.assertTrue(this.driver.getPageSource().contains("Account Linked"));
        Assert.assertFalse(realm.users().get(this.childUserId).getFederatedIdentity().isEmpty());
        realm.users().get(this.childUserId).removeFederatedIdentity("parent-idp");
        Assert.assertTrue(realm.users().get(this.childUserId).getFederatedIdentity().isEmpty());
        clientResource.getScopeMappings().clientLevel(id).remove(linkedList3);
        logoutAll();
        navigateTo(uri2);
        Assert.assertTrue(this.loginPage.isCurrent("child"));
        this.loginPage.login("child", "password");
        Assert.assertTrue(this.driver.getCurrentUrl().contains("link_error=not_allowed"));
        logoutAll();
        ClientRepresentation clientRepresentation2 = (ClientRepresentation) this.adminClient.realms().realm("child").clients().findByClientId(ClientApp.DEPLOYMENT_NAME).get(0);
        clientRepresentation2.setFullScopeAllowed(true);
        clientResource.update(clientRepresentation2);
        Assert.assertTrue(realm.users().get(this.childUserId).getFederatedIdentity().isEmpty());
        logoutAll();
    }

    @Test
    public void testAccountLink() throws Exception {
        RealmResource realm = this.adminClient.realms().realm("child");
        Assert.assertTrue(realm.users().get(this.childUserId).getFederatedIdentity().isEmpty());
        UriBuilder path = UriBuilder.fromUri(this.appPage.getInjectedUrl().toString()).path("link");
        String uri = path.clone().queryParam("realm", new Object[]{"child"}).queryParam("provider", new Object[]{"parent-idp"}).build(new Object[0]).toString();
        System.out.println("linkUrl: " + uri);
        navigateTo(uri);
        Assert.assertTrue(this.loginPage.isCurrent("child"));
        Assert.assertTrue(this.driver.getPageSource().contains("parent-idp"));
        this.loginPage.login("child", "password");
        Assert.assertTrue(this.loginPage.isCurrent("parent-idp"));
        this.loginPage.login("parent", "password");
        System.out.println("After linking: " + this.driver.getCurrentUrl());
        System.out.println(this.driver.getPageSource());
        Assert.assertTrue(this.driver.getCurrentUrl().startsWith(path.toTemplate()));
        Assert.assertTrue(this.driver.getPageSource().contains("Account Linked"));
        OAuthClient.AccessTokenResponse doGrantAccessTokenRequest = this.oauth.doGrantAccessTokenRequest("child", "child", "password", (String) null, ClientApp.DEPLOYMENT_NAME, "password");
        Assert.assertNotNull(doGrantAccessTokenRequest.getAccessToken());
        Assert.assertNull(doGrantAccessTokenRequest.getError());
        ResteasyClient createResteasyClient = AdminClientUtil.createResteasyClient();
        String token = getToken(doGrantAccessTokenRequest, createResteasyClient);
        Assert.assertNotNull(token);
        navigateTo(uri);
        Assert.assertTrue(this.driver.getPageSource().contains("Account Linked"));
        String token2 = getToken(doGrantAccessTokenRequest, createResteasyClient);
        Assert.assertNotNull(token2);
        Assert.assertNotEquals(token, token2);
        Assert.assertFalse(realm.users().get(this.childUserId).getFederatedIdentity().isEmpty());
        realm.users().get(this.childUserId).removeFederatedIdentity("parent-idp");
        Assert.assertTrue(realm.users().get(this.childUserId).getFederatedIdentity().isEmpty());
        logoutAll();
    }

    private String getToken(OAuthClient.AccessTokenResponse accessTokenResponse, Client client) throws Exception {
        return ((AccessTokenResponse) JsonSerialization.readValue((String) client.target(OAuthClient.AUTH_SERVER_ROOT).path("realms").path("child/broker").path("parent-idp").path("token").request().header("Authorization", "Bearer " + accessTokenResponse.getAccessToken()).get(String.class), AccessTokenResponse.class)).getToken();
    }

    public void logoutAll() {
        navigateTo(OIDCLoginProtocolService.logoutUrl(this.authServerPage.createUriBuilder()).build(new Object[]{"child"}).toString());
        navigateTo(OIDCLoginProtocolService.logoutUrl(this.authServerPage.createUriBuilder()).build(new Object[]{"parent-idp"}).toString());
    }

    @Test
    public void testLinkOnlyProvider() throws Exception {
        RealmResource realm = this.adminClient.realms().realm("child");
        IdentityProviderRepresentation representation = realm.identityProviders().get("parent-idp").toRepresentation();
        representation.setLinkOnly(true);
        realm.identityProviders().get("parent-idp").update(representation);
        try {
            Assert.assertTrue(realm.users().get(this.childUserId).getFederatedIdentity().isEmpty());
            UriBuilder path = UriBuilder.fromUri(this.appPage.getInjectedUrl().toString()).path("link");
            String uri = path.clone().queryParam("realm", new Object[]{"child"}).queryParam("provider", new Object[]{"parent-idp"}).build(new Object[0]).toString();
            navigateTo(uri);
            Assert.assertTrue(this.loginPage.isCurrent("child"));
            Assert.assertFalse(this.driver.getPageSource().contains("parent-idp"));
            this.loginPage.login("child", "password");
            Assert.assertTrue(this.loginPage.isCurrent("parent-idp"));
            this.loginPage.login("parent", "password");
            System.out.println("After linking: " + this.driver.getCurrentUrl());
            System.out.println(this.driver.getPageSource());
            Assert.assertTrue(this.driver.getCurrentUrl().startsWith(path.toTemplate()));
            Assert.assertTrue(this.driver.getPageSource().contains("Account Linked"));
            Assert.assertFalse(realm.users().get(this.childUserId).getFederatedIdentity().isEmpty());
            realm.users().get(this.childUserId).removeFederatedIdentity("parent-idp");
            Assert.assertTrue(realm.users().get(this.childUserId).getFederatedIdentity().isEmpty());
            logoutAll();
            System.out.println("testing link-only attack");
            navigateTo(uri);
            Assert.assertTrue(this.loginPage.isCurrent("child"));
            System.out.println("login page uri is: " + this.driver.getCurrentUrl());
            String actionURIFromPageSource = ActionURIUtils.getActionURIFromPageSource(this.driver.getPageSource());
            System.out.println("action uri: " + actionURIFromPageSource);
            Map parseQueryParamsFromActionURI = ActionURIUtils.parseQueryParamsFromActionURI(actionURIFromPageSource);
            System.out.println("query params: " + parseQueryParamsFromActionURI);
            String uri2 = UriBuilder.fromUri(ServerURLs.getAuthServerContextRoot()).path("/auth/realms/child/broker/parent-idp/login").queryParam("session_code", new Object[]{parseQueryParamsFromActionURI.get("session_code")}).queryParam("client_id", new Object[]{parseQueryParamsFromActionURI.get("client_id")}).queryParam("tab_id", new Object[]{parseQueryParamsFromActionURI.get("tab_id")}).build(new Object[0]).toString();
            System.out.println("hack uri: " + uri2);
            navigateTo(uri2);
            Assert.assertTrue(this.driver.getPageSource().contains("Could not send authentication request to identity provider."));
            representation.setLinkOnly(false);
            realm.identityProviders().get("parent-idp").update(representation);
        } catch (Throwable th) {
            representation.setLinkOnly(false);
            realm.identityProviders().get("parent-idp").update(representation);
            throw th;
        }
    }

    @Test
    @DisableFeature(value = Profile.Feature.ACCOUNT2, skipRestart = true)
    public void testAccountNotLinkedAutomatically() throws Exception {
        RealmResource realm = this.adminClient.realms().realm("child");
        Assert.assertTrue(realm.users().get(this.childUserId).getFederatedIdentity().isEmpty());
        this.profilePage.open("child");
        WaitUtils.waitForPageToLoad();
        Assert.assertTrue(this.loginPage.isCurrent("child"));
        this.loginPage.login("child", "password");
        this.profilePage.assertCurrent();
        navigateTo(UriBuilder.fromUri(this.appPage.getInjectedUrl().toString()).path("nosuch").clone().queryParam("prompt", new Object[]{"login"}).build(new Object[0]).toString());
        Assert.assertTrue(this.loginPage.isCurrent("child"));
        this.loginPage.clickSocial("parent-idp");
        Assert.assertTrue(this.loginPage.isCurrent("parent-idp"));
        this.loginPage.login("parent", "password");
        Assert.assertTrue(realm.users().get(this.childUserId).getFederatedIdentity().isEmpty());
        this.loginUpdateProfilePage.assertCurrent();
        this.loginUpdateProfilePage.update("Joe", "Doe", "joe@parent.com");
        this.errorPage.assertCurrent();
        Assert.assertEquals("You are already authenticated as different user 'child' in this session. Please sign out first.", this.errorPage.getError());
        logoutAll();
        getCleanup("child").addUserId(ApiUtil.findUserByUsername(realm, "parent").getId());
    }

    @Test
    @DisableFeature(value = Profile.Feature.ACCOUNT2, skipRestart = true)
    public void testAccountLinkingExpired() throws Exception {
        RealmResource realm = this.adminClient.realms().realm("child");
        Assert.assertTrue(realm.users().get(this.childUserId).getFederatedIdentity().isEmpty());
        this.profilePage.open("child");
        WaitUtils.waitForPageToLoad();
        Assert.assertTrue(this.loginPage.isCurrent("child"));
        this.loginPage.login("child", "password");
        this.profilePage.assertCurrent();
        navigateTo(UriBuilder.fromUri(this.appPage.getInjectedUrl().toString()).path("link").clone().queryParam("realm", new Object[]{"child"}).queryParam("provider", new Object[]{"parent-idp"}).build(new Object[0]).toString());
        Assert.assertTrue(this.loginPage.isCurrent("parent-idp"));
        realm.logoutAll();
        this.loginPage.login("parent", "password");
        Assert.assertTrue(realm.users().get(this.childUserId).getFederatedIdentity().isEmpty());
        this.errorPage.assertCurrent();
        Assert.assertEquals("Requested broker account linking, but current session is no longer valid.", this.errorPage.getError());
        logoutAll();
    }

    private void navigateTo(String str) {
        this.driver.navigate().to(str);
        WaitUtils.waitForPageToLoad();
    }
}
