package org.keycloak.testsuite.authz;

import com.google.common.base.Charsets;
import java.util.Arrays;
import java.util.Collection;
import java.util.LinkedList;
import java.util.Map;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.Entity;
import javax.ws.rs.client.WebTarget;
import javax.ws.rs.core.Form;
import javax.ws.rs.core.UriBuilder;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.message.BasicNameValuePair;
import org.hamcrest.Matchers;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.keycloak.admin.client.resource.AuthorizationResource;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.authorization.client.AuthorizationDeniedException;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.representation.TokenIntrospectionResponse;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.representations.idm.authorization.AuthorizationResponse;
import org.keycloak.representations.idm.authorization.JSPolicyRepresentation;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.representations.idm.authorization.PermissionRequest;
import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.ScopePermissionRepresentation;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.util.AdminClientUtil;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.UserBuilder;
import org.keycloak.util.BasicAuthHelper;
import org.keycloak.util.JsonSerialization;

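/**
 * Integration tests for the UMA grant type ({@code urn:ietf:params:oauth:grant-type:uma-ticket}): obtaining a
 * requesting party token (RPT), upgrading an existing RPT with additional permissions, enforcement of a deny
 * policy during an upgrade, RPT refresh and introspection, and the CORS headers returned on a failed token request.
 *
 * <p>The realm, the resource-server client and the helpers {@code authorize}, {@code addResource},
 * {@code assertPermissions} and {@code toAccessToken} come from {@link AbstractResourceServerTest}. Every test
 * asserts that the permission collection is empty after {@code assertPermissions} has matched the expected
 * entries, so an RPT that carries a permission the test did not ask for fails the test as well.
 */
@AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
public class UmaGrantTypeTest extends AbstractResourceServerTest {

    private static final String REALM = "authz-test";
    private static final String RESOURCE_SERVER_CLIENT_ID = "resource-server-test";
    private static final String RESOURCE_SERVER_SECRET = "secret";
    private static final String USER = "marta";
    private static final String PASSWORD = "password";
    private static final String RESOURCE_A = "Resource A";
    private static final String DEFAULT_POLICY = "Default Policy";
    private static final String DENY_POLICY = "Deny Policy";
    private static final String UMA_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:uma-ticket";
    private static final String REFRESH_TOKENS_ATTRIBUTE = "use.refresh.tokens";

    // Created by configureAuthorization(); every requester is granted it through DEFAULT_POLICY.
    private ResourceRepresentation resourceA;

    /**
     * Creates the fixtures shared by all tests: an always-grant JS policy, {@code Resource A} (scopes A, B, C)
     * protected by that policy, and an always-deny JS policy that individual tests attach to resources which
     * must be refused.
     */
    @Before
    public void configureAuthorization() throws Exception {
        AuthorizationResource authorization = getClient(getRealm()).authorization();

        JSPolicyRepresentation grantAll = new JSPolicyRepresentation();
        grantAll.setName(DEFAULT_POLICY);
        grantAll.setCode("$evaluation.grant();");
        authorization.policies().js().create(grantAll).close();

        this.resourceA = addResource(RESOURCE_A, "ScopeA", "ScopeB", "ScopeC");
        createResourcePermission(authorization, this.resourceA.getName() + " Permission",
                this.resourceA.getName(), grantAll.getName());

        JSPolicyRepresentation denyAll = new JSPolicyRepresentation();
        denyAll.setName(DENY_POLICY);
        denyAll.setCode("$evaluation.deny();");
        authorization.policies().js().create(denyAll).close();
    }

    /**
     * Requests ScopeA and ScopeB and passes ScopeC as the additional scope set; the RPT must carry all three.
     */
    @Test
    public void testObtainRptWithClientAdditionalScopes() throws Exception {
        AuthorizationResponse response = authorize(USER, PASSWORD, RESOURCE_A,
                new String[] {"ScopeA", "ScopeB"}, new String[] {"ScopeC"});

        Collection<Permission> permissions = permissionsOf(response.getToken());
        assertPermissions(permissions, RESOURCE_A, "ScopeA", "ScopeB", "ScopeC");
        Assert.assertTrue(permissions.isEmpty());
    }

    /**
     * Obtains an RPT for ScopeA/ScopeB, then presents it while asking for ScopeC: the response must be flagged
     * as an upgrade and the new RPT must hold the union of the old and the newly requested scopes.
     */
    @Test
    public void testObtainRptWithUpgrade() throws Exception {
        String rpt = authorize(USER, PASSWORD, RESOURCE_A, new String[] {"ScopeA", "ScopeB"}).getToken();

        Collection<Permission> permissions = permissionsOf(rpt);
        assertPermissions(permissions, RESOURCE_A, "ScopeA", "ScopeB");
        Assert.assertTrue(permissions.isEmpty());

        AuthorizationResponse upgraded = authorize(USER, PASSWORD, RESOURCE_A, new String[] {"ScopeC"}, rpt);
        Assert.assertTrue(upgraded.isUpgraded());

        Collection<Permission> upgradedPermissions = permissionsOf(upgraded.getToken());
        assertPermissions(upgradedPermissions, RESOURCE_A, "ScopeA", "ScopeB", "ScopeC");
        Assert.assertTrue(upgradedPermissions.isEmpty());
    }

    /**
     * Same as {@link #testObtainRptWithUpgrade()} but the first request names no resource, only scopes; the
     * server resolves them to {@code Resource A} and the later upgrade behaves the same way.
     */
    @Test
    public void testObtainRptWithUpgradeOnlyScopes() throws Exception {
        AuthorizationResponse response = authorize(USER, PASSWORD, (String) null, new String[] {"ScopeA", "ScopeB"});
        String rpt = response.getToken();
        Assert.assertFalse(response.isUpgraded());

        Collection<Permission> permissions = permissionsOf(rpt);
        assertPermissions(permissions, RESOURCE_A, "ScopeA", "ScopeB");
        Assert.assertTrue(permissions.isEmpty());

        AuthorizationResponse upgraded = authorize(USER, PASSWORD, RESOURCE_A, new String[] {"ScopeC"}, rpt);
        Assert.assertTrue(upgraded.isUpgraded());

        Collection<Permission> upgradedPermissions = permissionsOf(upgraded.getToken());
        assertPermissions(upgradedPermissions, RESOURCE_A, "ScopeA", "ScopeB", "ScopeC");
        Assert.assertTrue(upgradedPermissions.isEmpty());
    }

    /**
     * An RPT upgrade must not be able to add a resource whose permission evaluates to deny: the request for
     * {@code Resource B} (protected by the deny policy) has to be rejected outright even though the presented
     * RPT is valid.
     */
    @Test
    public void testObtainRptWithUpgradeWithUnauthorizedResource() throws Exception {
        AuthorizationResponse response = authorize(USER, PASSWORD, RESOURCE_A, new String[] {"ScopeA", "ScopeB"});
        String rpt = response.getToken();
        Assert.assertFalse(response.isUpgraded());

        Collection<Permission> permissions = permissionsOf(rpt);
        assertPermissions(permissions, RESOURCE_A, "ScopeA", "ScopeB");
        Assert.assertTrue(permissions.isEmpty());

        ResourceRepresentation resourceB = addResource("Resource B", "ScopeA", "ScopeB", "ScopeC");
        createResourcePermission(getClient(getRealm()).authorization(), resourceB.getName() + " Permission",
                resourceB.getName(), DENY_POLICY);

        try {
            authorize(USER, PASSWORD, "Resource B", new String[] {"ScopeC"}, rpt);
            Assert.fail("Should be denied, resource b not granted");
        } catch (AuthorizationDeniedException expected) {
            // the denied resource must never make it into an upgraded RPT
        }
    }

    /**
     * Permissions carried over from a presented RPT are re-evaluated: after the policy of the second resource
     * is switched to deny, a further request yields an RPT without that resource (and no upgrade flag), while
     * the still-granted resource keeps its scopes.
     */
    @Test
    public void testObtainRptWithUpgradeWithUnauthorizedResourceFromRpt() throws Exception {
        AuthorizationResource authorization = getClient(getRealm()).authorization();

        ResourceRepresentation first = addResource(KeycloakModelUtils.generateId(), "ScopeA", "ScopeB", "ScopeC");
        createResourcePermission(authorization, first.getName() + " Permission", first.getName(), DEFAULT_POLICY);

        AuthorizationResponse response = authorize(USER, PASSWORD, first.getId(), new String[] {"ScopeA", "ScopeB"});
        String rpt = response.getToken();
        Assert.assertFalse(response.isUpgraded());

        Collection<Permission> permissions = permissionsOf(rpt);
        assertPermissions(permissions, first.getName(), "ScopeA", "ScopeB");
        Assert.assertTrue(permissions.isEmpty());

        ResourceRepresentation second = addResource(KeycloakModelUtils.generateId(), "ScopeA", "ScopeB", "ScopeC");
        String secondPermissionName = second.getName() + " Permission";
        createResourcePermission(authorization, secondPermissionName, second.getName(), DEFAULT_POLICY);

        AuthorizationResponse upgraded = authorize(USER, PASSWORD, second.getId(), new String[] {"ScopeC"}, rpt);
        String upgradedRpt = upgraded.getToken();
        Assert.assertTrue(upgraded.isUpgraded());

        Collection<Permission> upgradedPermissions = permissionsOf(upgradedRpt);
        assertPermissions(upgradedPermissions, first.getName(), "ScopeA", "ScopeB");
        assertPermissions(upgradedPermissions, second.getName(), "ScopeC");
        Assert.assertTrue(upgradedPermissions.isEmpty());

        // Flip the second resource's permission from grant to deny.
        ResourcePermissionRepresentation secondPermission = authorization.permissions().resource().findByName(secondPermissionName);
        secondPermission.removePolicy(DEFAULT_POLICY);
        secondPermission.addPolicy(DENY_POLICY);
        authorization.permissions().resource().findById(secondPermission.getId()).update(secondPermission);

        AuthorizationResponse reevaluated = authorize(USER, PASSWORD, first.getId(), new String[] {"ScopeC"}, upgradedRpt);
        Assert.assertFalse(reevaluated.isUpgraded());

        Collection<Permission> reevaluatedPermissions = permissionsOf(reevaluated.getToken());
        assertPermissions(reevaluatedPermissions, first.getName(), "ScopeA", "ScopeB", "ScopeC");
        Assert.assertTrue(reevaluatedPermissions.isEmpty());
    }

    /**
     * With READ granted and WRITE denied by scope permissions, the RPT only ever contains READ, both when
     * READ alone and when READ and WRITE are requested together.
     */
    @Test
    public void testObtainRptOnlyAuthorizedScopes() throws Exception {
        ResourceRepresentation resource = addResource(KeycloakModelUtils.generateId(), "READ", "WRITE");
        AuthorizationResource authorization = getClient(getRealm()).authorization();

        createScopePermission(authorization, "READ", DEFAULT_POLICY);
        createScopePermission(authorization, "WRITE", DENY_POLICY);

        AuthorizationResponse readOnly = authorize(USER, PASSWORD, resource.getName(), new String[] {"READ"});
        Assert.assertFalse(readOnly.isUpgraded());
        Collection<Permission> readOnlyPermissions = permissionsOf(readOnly.getToken());
        assertPermissions(readOnlyPermissions, resource.getName(), "READ");
        Assert.assertTrue(readOnlyPermissions.isEmpty());

        AuthorizationResponse readWrite = authorize(USER, PASSWORD, resource.getName(), new String[] {"READ", "WRITE"});
        Assert.assertFalse(readWrite.isUpgraded());
        Collection<Permission> readWritePermissions = permissionsOf(readWrite.getToken());
        assertPermissions(readWritePermissions, resource.getName(), "READ");
        Assert.assertTrue(readWritePermissions.isEmpty());
    }

    /**
     * A single request for two resources, one of them owner-managed by the requesting user, produces an RPT
     * with exactly the requested scopes for each resource. Each resource gets its own permission object.
     */
    @Test
    public void testObtainRptWithOwnerManagedResource() throws Exception {
        AuthorizationResource authorization = getClient(getRealm()).authorization();

        ResourceRepresentation resourceMarta = addResource("Resource Marta", USER, true, "ScopeA", "ScopeB", "ScopeC");
        createResourcePermission(authorization, resourceMarta.getName() + " Permission", resourceMarta.getId(), DEFAULT_POLICY);

        ResourceRepresentation resourceB = addResource("Resource B", USER, "ScopeA", "ScopeB", "ScopeC");
        createResourcePermission(authorization, resourceB.getName() + " Permission", resourceB.getId(), DEFAULT_POLICY);

        AuthorizationResponse response = authorize(USER, PASSWORD,
                new PermissionRequest(resourceMarta.getName(), "ScopeA", "ScopeB"),
                new PermissionRequest(resourceB.getName(), "ScopeC"));

        Collection<Permission> permissions = permissionsOf(response.getToken());
        assertPermissions(permissions, resourceMarta.getName(), "ScopeA", "ScopeB");
        assertPermissions(permissions, resourceB.getName(), "ScopeC");
        Assert.assertTrue(permissions.isEmpty());
    }

    /**
     * The resource server itself (client credentials, no user) can obtain an RPT for {@code Resource A}.
     */
    @Test
    public void testObtainRptWithClientCredentials() throws Exception {
        AuthorizationResponse response = authorize(RESOURCE_A, new String[] {"ScopeA", "ScopeB"});
        String rpt = response.getToken();
        Assert.assertNotNull(rpt);
        Assert.assertFalse(response.isUpgraded());

        Collection<Permission> permissions = permissionsOf(rpt);
        assertPermissions(permissions, RESOURCE_A, "ScopeA", "ScopeB");
        Assert.assertTrue(permissions.isEmpty());
    }

    /**
     * An RPT can be obtained by presenting a previously issued user access token instead of user credentials.
     */
    @Test
    public void testObtainRptUsingAccessToken() throws Exception {
        AuthorizationResponse response = authorizeWithUserAccessToken();
        String rpt = response.getToken();
        Assert.assertNotNull(rpt);
        Assert.assertFalse(response.isUpgraded());

        Collection<Permission> permissions = permissionsOf(rpt);
        assertPermissions(permissions, RESOURCE_A, "ScopeA", "ScopeB");
        Assert.assertTrue(permissions.isEmpty());
    }

    /**
     * A UMA token request made with a cross-origin {@code Origin} header on behalf of a user that has been
     * disabled in the meantime must fail with 401, and the failure response must still carry the CORS
     * {@code Access-Control-Allow-Origin} header so browser clients can read the error.
     */
    @Test
    public void testCORSHeadersInFailedRptRequest() throws Exception {
        AccessTokenResponse accessToken = getAuthzClient().obtainAccessToken(USER, PASSWORD);

        UserRepresentation user = (UserRepresentation) getRealm().users().search(USER).get(0);
        getRealm().users().get(user.getId()).update(UserBuilder.edit(user).enabled(false).build());

        String ticket = getAuthzClient().protection().permission()
                .create(Arrays.asList(new PermissionRequest(RESOURCE_A, "ScopeA", "ScopeB")))
                .getTicket();

        HttpPost post = new HttpPost(getAuthzClient().getServerConfiguration().getTokenEndpoint());
        post.addHeader("Origin", "http://localhost");
        post.addHeader("Authorization", "Bearer " + accessToken.getToken());
        post.setEntity(new UrlEncodedFormEntity(Arrays.asList(
                new BasicNameValuePair("grant_type", UMA_GRANT_TYPE),
                new BasicNameValuePair("ticket", ticket)), Charsets.UTF_8));

        CloseableHttpClient httpClient = (CloseableHttpClient) this.oauth.getHttpClient().get();
        // Close the response so the pooled connection is released even when an assertion fails.
        try (CloseableHttpResponse response = httpClient.execute(post)) {
            Assert.assertEquals(401, response.getStatusLine().getStatusCode());
            Assert.assertEquals("http://localhost", response.getFirstHeader("Access-Control-Allow-Origin").getValue());
        }
    }

    /**
     * An RPT comes with a refresh token that carries the authorization claim; refreshing it (twice, with the
     * same refresh token) through the token endpoint yields new token pairs whose refresh tokens still carry
     * the claim.
     */
    @Test
    public void testRefreshRpt() {
        AuthorizationResponse response = authorizeWithUserAccessToken();
        String rpt = response.getToken();
        Assert.assertNotNull(rpt);

        Collection<Permission> permissions = permissionsOf(rpt);
        assertPermissions(permissions, RESOURCE_A, "ScopeA", "ScopeB");
        Assert.assertTrue(permissions.isEmpty());

        String refreshToken = response.getRefreshToken();
        Assert.assertNotNull(refreshToken);
        Assert.assertNotNull(toAccessToken(refreshToken).getAuthorization());

        Client client = AdminClientUtil.createResteasyClient();
        try {
            WebTarget tokenEndpoint = client.target(
                    OIDCLoginProtocolService.tokenUrl(UriBuilder.fromUri(OAuthClient.AUTH_SERVER_ROOT)).build(REALM));
            Form form = new Form();
            form.param("grant_type", "refresh_token");
            form.param("refresh_token", refreshToken);

            for (int round = 0; round < 2; round++) {
                AccessTokenResponse refreshed = tokenEndpoint.request()
                        .header("Authorization", BasicAuthHelper.createHeader(RESOURCE_SERVER_CLIENT_ID, RESOURCE_SERVER_SECRET))
                        .post(Entity.form(form))
                        .readEntity(AccessTokenResponse.class);
                Assert.assertNotNull(refreshed.getToken());
                Assert.assertNotNull(toAccessToken(refreshed.getRefreshToken()).getAuthorization());

                // NOTE(review): this re-checks the permissions of the initial RPT, not of refreshed.getToken();
                // the refreshed access token's own permission claims are not asserted by this test.
                Collection<Permission> afterRefresh = permissionsOf(rpt);
                assertPermissions(afterRefresh, RESOURCE_A, "ScopeA", "ScopeB");
                Assert.assertTrue(afterRefresh.isEmpty());
            }
        } finally {
            client.close();
        }
    }

    /**
     * An ID token obtained through the browser login flow can be presented as the claim token of a UMA
     * request issued with the resource server's credentials.
     */
    @Test
    public void testObtainRptWithIDToken() throws Exception {
        AuthorizationResponse response = authorize(RESOURCE_A, new String[] {"ScopeA", "ScopeB"},
                getIdToken(USER, PASSWORD), "http://openid.net/specs/openid-connect-core-1_0.html#IDToken");
        String rpt = response.getToken();
        Assert.assertNotNull(rpt);
        Assert.assertFalse(response.isUpgraded());

        Collection<Permission> permissions = permissionsOf(rpt);
        assertPermissions(permissions, RESOURCE_A, "ScopeA", "ScopeB");
        Assert.assertTrue(permissions.isEmpty());
    }

    /**
     * Introspecting an RPT, both through the authz client and through the raw {@code requesting_party_token}
     * type hint, reports it active and exposes exactly one permission entry for {@code Resource A} with the
     * expected keys, resource id and scopes.
     */
    @Test
    public void testTokenIntrospect() throws Exception {
        AuthzClient authzClient = getAuthzClient();
        AuthorizationResponse response = authorize(null, null, null, null,
                authzClient.obtainAccessToken(USER, PASSWORD).getToken(), null, null,
                new PermissionRequest(RESOURCE_A, "ScopeA", "ScopeB"));
        String rpt = response.getToken();
        Assert.assertNotNull(rpt);
        Assert.assertFalse(response.isUpgraded());

        Collection<Permission> permissions = permissionsOf(rpt);
        assertPermissions(permissions, RESOURCE_A, "ScopeA", "ScopeB");
        Assert.assertTrue(permissions.isEmpty());

        TokenIntrospectionResponse introspection = authzClient.protection().introspectRequestingPartyToken(rpt);
        Assert.assertNotNull(introspection);
        Assert.assertNotNull(introspection.getPermissions());

        this.oauth.realm(REALM);
        // The raw introspection JSON is inspected as untyped maps; the raw types are kept deliberately so the
        // hamcrest matchers below apply without further casts.
        Map introspected = (Map) JsonSerialization.readValue(
                this.oauth.introspectTokenWithClientCredential(RESOURCE_SERVER_CLIENT_ID, RESOURCE_SERVER_SECRET,
                        "requesting_party_token", rpt), Map.class);
        Assert.assertEquals(true, introspected.get("active"));

        Collection introspectedPermissions = (Collection) introspected.get("permissions");
        Assert.assertNotNull(introspectedPermissions);
        Assert.assertEquals(1, introspectedPermissions.size());

        Map permission = (Map) introspectedPermissions.iterator().next();
        Assert.assertThat(permission.keySet(), Matchers.containsInAnyOrder("resource_id", "rsname", "resource_scopes", "scopes", "rsid"));
        Assert.assertThat(permission.get("rsname"), Matchers.equalTo(RESOURCE_A));

        ResourceRepresentation resource = authzClient.protection().resource().findByName(RESOURCE_A);
        Assert.assertThat(permission.get("rsid"), Matchers.equalTo(resource.getId()));
        Assert.assertThat(permission.get("resource_id"), Matchers.equalTo(resource.getId()));
        Assert.assertThat((Collection) permission.get("resource_scopes"), Matchers.containsInAnyOrder("ScopeA", "ScopeB"));
        Assert.assertThat((Collection) permission.get("scopes"), Matchers.containsInAnyOrder("ScopeA", "ScopeB"));
    }

    /**
     * When the client has refresh tokens turned off, an RPT is still issued but without a refresh token.
     * The client attribute is restored in a {@code finally} block so a failing assertion cannot leave the
     * shared client configuration changed for later tests.
     */
    @Test
    public void testNoRefreshToken() {
        ClientResource client = getClient(getRealm());
        ClientRepresentation representation = client.toRepresentation();
        representation.getAttributes().put(REFRESH_TOKENS_ATTRIBUTE, "false");
        client.update(representation);
        try {
            AuthorizationResponse response = authorizeWithUserAccessToken();
            Assert.assertNotNull(response.getToken());
            Assert.assertNull(response.getRefreshToken());
        } finally {
            representation.getAttributes().put(REFRESH_TOKENS_ATTRIBUTE, "true");
            client.update(representation);
        }
    }

    /**
     * Requests an RPT for {@code Resource A} (ScopeA, ScopeB) by presenting a freshly obtained user access
     * token rather than user credentials; all other {@code authorize} parameters are left unset.
     */
    private AuthorizationResponse authorizeWithUserAccessToken() {
        return authorize(null, null, null, null,
                getAuthzClient().obtainAccessToken(USER, PASSWORD).getToken(), null, null,
                new PermissionRequest(RESOURCE_A, "ScopeA", "ScopeB"));
    }

    /**
     * Decodes a token and returns its permission claims, failing the test if the authorization claim or the
     * permission collection is absent.
     *
     * @param token RPT (or refresh token) to decode
     * @return the permission collection of the token's authorization claim, never {@code null}
     */
    private Collection<Permission> permissionsOf(String token) {
        AccessToken.Authorization authorization = toAccessToken(token).getAuthorization();
        Assert.assertNotNull(authorization);
        Collection<Permission> permissions = authorization.getPermissions();
        Assert.assertNotNull(permissions);
        return permissions;
    }

    /**
     * Creates a resource-based permission that applies one policy to one resource.
     *
     * @param authorization authorization API of the resource-server client
     * @param name          permission name
     * @param resourceRef   resource name or resource id, whichever form the calling test uses
     * @param policyName    name of an existing policy
     */
    private void createResourcePermission(AuthorizationResource authorization, String name, String resourceRef, String policyName) {
        ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
        permission.setName(name);
        permission.addResource(resourceRef);
        permission.addPolicy(policyName);
        authorization.permissions().resource().create(permission).close();
    }

    /**
     * Creates a scope-based permission with a generated name that applies one policy to one scope.
     *
     * @param authorization authorization API of the resource-server client
     * @param scope         scope name
     * @param policyName    name of an existing policy
     */
    private void createScopePermission(AuthorizationResource authorization, String scope, String policyName) {
        ScopePermissionRepresentation permission = new ScopePermissionRepresentation();
        permission.setName(KeycloakModelUtils.generateId());
        permission.addScope(scope);
        permission.addPolicy(policyName);
        authorization.permissions().scope().create(permission).close();
    }

    /**
     * Logs the user in through the browser flow of the default test client and returns the ID token from the
     * resulting authorization-code exchange.
     *
     * @param username user to log in
     * @param password the user's password; it is also passed as the second argument of
     *                 {@code doAccessTokenRequest} (NOTE(review): that parameter is presumably the client
     *                 secret of the default test client, which appears to coincide with the password here)
     */
    private String getIdToken(String username, String password) {
        this.oauth.realm(REALM);
        this.oauth.clientId(AssertEvents.DEFAULT_CLIENT_ID);
        this.oauth.openLoginForm();
        return this.oauth.doAccessTokenRequest(this.oauth.doLogin(username, password).getCode(), password).getIdToken();
    }
}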
