package org.keycloak.testsuite.broker;

import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.ws.rs.core.Response;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.TrustAllStrategy;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.ssl.SSLContextBuilder;
import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert;
import org.junit.Ignore;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.dom.saml.v2.protocol.ResponseType;
import org.keycloak.events.EventType;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.util.Matchers;
import org.keycloak.testsuite.util.ReverseProxy;
import org.keycloak.testsuite.util.SamlClient;
import org.keycloak.testsuite.util.SamlClientBuilder;

/* loaded from: input_file:org/keycloak/testsuite/broker/KcSamlBrokerFrontendUrlTest.class */
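/**
 * Broker tests for a consumer realm whose {@code frontendUrl} attribute points at a reverse proxy.
 *
 * <p>The consumer realm is created with {@code frontendUrl = proxy.getUrl()}, so every address the
 * broker advertises to the provider (client id, redirect URIs, SAML {@code Destination}) has to use
 * the proxy URL rather than the server's real URL. The tests cover both directions: the frontend
 * URL appears where it is expected, and a SAML response addressed to the real backend URL is
 * rejected as {@code invalid_destination}.
 */
public final class KcSamlBrokerFrontendUrlTest extends AbstractBrokerTest {

    /** Alias of the SAML identity provider configured in the consumer realm. */
    private static final String IDP_ALIAS = "kc-saml-idp";

    /** Reverse proxy standing in for the public frontend; its URL becomes the realm's frontendUrl. */
    @Rule
    public ReverseProxy proxy = new ReverseProxy();

    /** Captures server-side events so tests can assert on, and rule out, emitted error events. */
    @Rule
    public AssertEvents events = new AssertEvents(this);

    /**
     * Standard KC SAML broker configuration with all consumer-facing URLs rewritten to the proxy.
     *
     * @return configuration whose consumer realm carries the {@code frontendUrl} attribute
     */
    @Override // org.keycloak.testsuite.broker.AbstractBaseBrokerTest
    protected BrokerConfiguration getBrokerConfiguration() {
        return new KcSamlBrokerConfiguration() {
            /**
             * Consumer realm with {@code frontendUrl} set to the proxy URL. The attribute map is
             * assigned wholesale, so it replaces whatever the base configuration provided.
             */
            @Override // org.keycloak.testsuite.broker.KcSamlBrokerConfiguration, org.keycloak.testsuite.broker.BrokerConfiguration
            public RealmRepresentation createConsumerRealm() {
                RealmRepresentation consumerRealm = super.createConsumerRealm();
                Map<String, String> attributes = new HashMap<>();
                attributes.put("frontendUrl", KcSamlBrokerFrontendUrlTest.this.proxy.getUrl());
                consumerRealm.setAttributes(attributes);
                return consumerRealm;
            }

            /**
             * Provider-side clients from the base configuration, with the first client's redirect
             * URIs restricted to the consumer's broker endpoint as reachable through the proxy.
             */
            @Override // org.keycloak.testsuite.broker.KcSamlBrokerConfiguration, org.keycloak.testsuite.broker.BrokerConfiguration
            public List<ClientRepresentation> createProviderClients() {
                List<ClientRepresentation> clients = super.createProviderClients();
                List<String> redirectUris = new ArrayList<>();
                redirectUris.add(KcSamlBrokerFrontendUrlTest.this.proxy.getUrl()
                        + "/realms/consumer/broker/" + IDP_ALIAS + "/endpoint/*");
                clients.get(0).setRedirectUris(redirectUris);
                return clients;
            }

            /**
             * Client id under which the consumer realm is registered in the provider realm: the
             * consumer realm URL as seen through the proxy, consistent with the frontendUrl above.
             */
            @Override // org.keycloak.testsuite.broker.KcSamlBrokerConfiguration, org.keycloak.testsuite.broker.BrokerConfiguration
            public String getIDPClientIdInProviderRealm() {
                return KcSamlBrokerFrontendUrlTest.this.proxy.getUrl() + "/realms/" + consumerRealmName();
            }
        };
    }

    /**
     * SAML client builder whose HTTP client accepts any server certificate and skips hostname
     * verification.
     *
     * <p>Both certificate-chain validation ({@link TrustAllStrategy}) and hostname verification
     * ({@link NoopHostnameVerifier}) are switched off, so the TLS connection provides no server
     * authentication at all. That is tolerable only because the peer is the test-local
     * {@link ReverseProxy} (presumably serving a certificate the JVM truststore does not know);
     * this builder is test-only and must not be reused elsewhere.
     *
     * @return builder producing clients that trust every TLS endpoint
     */
    private SamlClientBuilder clientBuilderTrustingAllCertificates() {
        return new SamlClientBuilder() {
            protected SamlClient createSamlClient() {
                return new SamlClient() {
                    protected HttpClientBuilder createHttpClientBuilderInstance() {
                        try {
                            return super.createHttpClientBuilderInstance()
                                    .setSSLContext(new SSLContextBuilder()
                                            .loadTrustMaterial((KeyStore) null, TrustAllStrategy.INSTANCE)
                                            .build())
                                    .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE);
                        } catch (KeyManagementException | KeyStoreException | NoSuchAlgorithmException e) {
                            // Building the SSL context is test setup; a failure here is a test error,
                            // not something to degrade gracefully from.
                            throw new RuntimeException(e);
                        }
                    }
                };
            }
        };
    }

    /**
     * URL-encodes {@code value} as UTF-8.
     *
     * @param value text to encode
     * @return the {@code application/x-www-form-urlencoded} form of {@code value}
     * @throws RuntimeException if the JVM reports UTF-8 as unsupported (cannot happen on a
     *     conforming JVM; wrapped so callers need no checked-exception handling)
     */
    private static String urlEncode(String value) {
        try {
            return URLEncoder.encode(value, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * IdP-initiated SSO endpoint of the consumer realm, addressed through the proxy.
     *
     * @return {@code <proxyUrl>/realms/<consumerRealm>/protocol/saml}
     * @throws URISyntaxException if the proxy URL does not form a valid URI
     */
    private URI consumerSamlEndpoint() throws URISyntaxException {
        return new URI(proxy.getUrl() + "/realms/" + bc.consumerRealmName() + "/protocol/saml");
    }

    /**
     * Browser-driven login through the proxy.
     *
     * <p>The consumer account console is opened via the proxy URL and the IdP link is followed.
     * Before signing in, the provider's login page URL must carry the proxy URL as
     * {@code client_id}, proving the broker identified itself with its frontend address.
     */
    @Override // org.keycloak.testsuite.broker.AbstractBrokerTest
    @Test
    public void testLogInAsUserInIDP() {
        updateExecutions(AbstractBrokerTest::disableUpdateProfileOnFirstLogin);
        createUser(bc.consumerRealmName(), "consumer", "password", "FirstName", "LastName", "consumer@localhost.com");

        driver.navigate().to(proxy.getUrl() + "/realms/consumer/account");
        log.debug("Clicking social " + bc.getIDPAlias());
        loginPage.clickSocial(bc.getIDPAlias());
        BrokerTestTools.waitForPage(driver, "sign in to", true);

        log.debug("Logging in");
        // The provider must see the consumer under its frontend (proxy) URL, not its real address.
        MatcherAssert.assertThat(driver.getCurrentUrl(),
                CoreMatchers.containsString("client_id=" + urlEncode(proxy.getUrl())));
        loginPage.login(bc.getUserLogin(), bc.getUserPassword());
        BrokerTestTools.waitForPage(driver, "account management", true);
        accountUpdateProfilePage.assertCurrent();
    }

    /**
     * IdP-initiated login via the {@code sales-post} client.
     *
     * <p>The SAML response the provider returns to the broker must be a success whose
     * {@code Destination} starts with the proxy URL; after the first-login profile update and one
     * redirect, the response delivered to the client must be a success as well.
     *
     * @throws URISyntaxException if the consumer SAML endpoint cannot be built
     */
    @Test
    public void testFrontendUrlInDestinationExpected() throws URISyntaxException {
        MatcherAssert.assertThat(
                clientBuilderTrustingAllCertificates()
                        .idpInitiatedLogin(consumerSamlEndpoint(), "sales-post").build()
                        .login().idp(IDP_ALIAS).build()
                        .processSamlResponse(SamlClient.Binding.POST).targetAttributeSamlRequest().build()
                        .login().user("testuser", "password").build()
                        .processSamlResponse(SamlClient.Binding.POST)
                            .transformObject(brokerResponse -> {
                                MatcherAssert.assertThat(brokerResponse,
                                        Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
                                // Destination must be the advertised frontend URL, not the backend one.
                                MatcherAssert.assertThat(((ResponseType) brokerResponse).getDestination(),
                                        CoreMatchers.startsWith(proxy.getUrl()));
                                return brokerResponse;
                            }).build()
                        .updateProfile().username("testuser").email("user@localhost.com")
                                .firstName("Firstname").lastName("Lastname").build()
                        .followOneRedirect()
                        .getSamlResponse(SamlClient.Binding.POST)
                        .getSamlObject(),
                Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
    }

    /**
     * A SAML response addressed to the server's real URL must be rejected once frontendUrl is set.
     *
     * <p>The provider's response to the broker is intercepted: its proxy-based {@code Destination}
     * is verified and then rewritten to the consumer's real backend root. The broker endpoint has
     * to answer 400 and emit exactly one {@code IDENTITY_PROVIDER_RESPONSE_ERROR} event with
     * error {@code invalid_saml_response} and reason {@code invalid_destination}; no further
     * events may be recorded.
     *
     * @throws URISyntaxException if the consumer SAML endpoint cannot be built
     */
    @Test
    public void testKeycloakRejectsRealUrlWhenFrontendUrlConfigured() throws URISyntaxException {
        clientBuilderTrustingAllCertificates()
                .idpInitiatedLogin(consumerSamlEndpoint(), "sales-post").build()
                .login().idp(IDP_ALIAS).build()
                .processSamlResponse(SamlClient.Binding.POST).targetAttributeSamlRequest().build()
                .login().user("testuser", "password").build()
                .processSamlResponse(SamlClient.Binding.POST)
                    .transformObject(brokerResponse -> {
                        MatcherAssert.assertThat(brokerResponse,
                                Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
                        ResponseType samlResponse = (ResponseType) brokerResponse;
                        MatcherAssert.assertThat(samlResponse.getDestination(),
                                CoreMatchers.startsWith(proxy.getUrl()));
                        // Re-address the response to the real backend instead of the advertised frontend.
                        samlResponse.setDestination(BrokerTestTools.getConsumerRoot()
                                + "/auth/realms/consumer/broker/" + IDP_ALIAS + "/endpoint");
                        return brokerResponse;
                    }).build()
                .execute(brokerReply -> {
                    MatcherAssert.assertThat(brokerReply, Matchers.statusCodeIsHC(Response.Status.BAD_REQUEST));
                    String consumerRealmId = realmsResouce().realm(bc.consumerRealmName()).toRepresentation().getId();
                    events.expect(EventType.IDENTITY_PROVIDER_RESPONSE_ERROR)
                            .clearDetails()
                            .session((String) null)
                            .realm(consumerRealmId)
                            .user((String) null)
                            .client((String) null)
                            .error("invalid_saml_response")
                            .detail("reason", "invalid_destination")
                            .assertEvent();
                    // The rejected response must not have produced any other event.
                    events.assertEmpty();
                });
    }

    /**
     * Inherited scenario deliberately disabled for this configuration; the override exists only
     * to carry the {@link Ignore}.
     */
    @Override // org.keycloak.testsuite.broker.AbstractBrokerTest
    @Test
    @Ignore
    public void loginWithExistingUser() {
    }
}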
