package org.keycloak.testsuite.admin;

import java.io.IOException;
import java.lang.invoke.SerializedLambda;
import java.net.URL;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import javax.ws.rs.ClientErrorException;
import javax.ws.rs.core.Response;
import org.apache.http.client.methods.RequestBuilder;
import org.apache.http.impl.client.BasicCookieStore;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.util.EntityUtils;
import org.hamcrest.Matchers;
import org.jboss.arquillian.graphene.page.Page;
import org.jboss.resteasy.client.jaxrs.ResteasyClient;
import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
import org.junit.Assert;
import org.junit.Assume;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.Config;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.UserResource;
import org.keycloak.events.EventType;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.ImpersonationConstants;
import org.keycloak.models.ImpersonationSessionNote;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.EventRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.pages.AppPage;
import org.keycloak.testsuite.pages.LoginPage;
import org.keycloak.testsuite.util.AdminClientUtil;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.ClientManager;
import org.keycloak.testsuite.util.CredentialBuilder;
import org.keycloak.testsuite.util.DroneUtils;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.testsuite.util.ServerURLs;
import org.keycloak.testsuite.util.UserBuilder;
import org.openqa.selenium.Cookie;

@AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
/* loaded from: input_file:org/keycloak/testsuite/admin/ImpersonationTest.class */
public class ImpersonationTest extends AbstractKeycloakTest {

    @Rule
    public AssertEvents events = new AssertEvents(this);

    @Page
    protected AppPage appPage;

    @Page
    protected LoginPage loginPage;
    private String impersonatedUserId;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/keycloak/testsuite/admin/ImpersonationTest$UserSessionNotesHolder.class */
    public static class UserSessionNotesHolder {
        private Map<String, String> notes;

        public UserSessionNotesHolder() {
            this.notes = new HashMap();
        }

        public UserSessionNotesHolder(Map<String, String> map) {
            this.notes = new HashMap();
            this.notes = map;
        }

        public void setNotes(Map<String, String> map) {
            this.notes = map;
        }

        public Map<String, String> getNotes() {
            return this.notes;
        }
    }

    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void addTestRealms(List<RealmRepresentation> list) {
        RealmBuilder testEventListener = RealmBuilder.create().name("test").testEventListener();
        testEventListener.client(ClientBuilder.create().clientId("myclient").publicClient().directAccessGrants());
        this.impersonatedUserId = KeycloakModelUtils.generateId();
        testEventListener.user(UserBuilder.create().id(this.impersonatedUserId).username(AssertEvents.DEFAULT_USERNAME));
        testEventListener.user(UserBuilder.create().username("realm-admin").password("password").role("realm-management", AdminRoles.REALM_ADMIN));
        testEventListener.user(UserBuilder.create().username("impersonator").password("password").role("realm-management", ImpersonationConstants.IMPERSONATION_ROLE).role("realm-management", AdminRoles.VIEW_USERS));
        testEventListener.user(UserBuilder.create().username("bad-impersonator").password("password").role("realm-management", AdminRoles.MANAGE_USERS));
        list.add(testEventListener.build());
    }

    @BeforeClass
    public static void enabled() {
        Assume.assumeFalse("impersonation".equals(System.getProperty("feature.name")) && "disabled".equals(System.getProperty("feature.value")));
    }

    @Before
    public void beforeTest() {
        this.impersonatedUserId = ApiUtil.findUserByUsername(this.adminClient.realm("test"), AssertEvents.DEFAULT_USERNAME).getId();
    }

    @Test
    public void testImpersonateByMasterAdmin() {
        testSuccessfulImpersonation("admin", Config.getAdminRealm());
    }

    @Test
    public void testImpersonateByMasterImpersonator() {
        Response create = this.adminClient.realm("master").users().create(UserBuilder.create().username("master-impersonator").build());
        Throwable th = null;
        try {
            try {
                String createdId = ApiUtil.getCreatedId(create);
                if (create != null) {
                    if (0 != 0) {
                        try {
                            create.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        create.close();
                    }
                }
                UserResource userResource = this.adminClient.realm("master").users().get(createdId);
                userResource.resetPassword(CredentialBuilder.create().password("password").build());
                ClientResource findClientResourceByClientId = ApiUtil.findClientResourceByClientId(this.adminClient.realm("master"), "test-realm");
                LinkedList linkedList = new LinkedList();
                linkedList.add(ApiUtil.findClientRoleByName(findClientResourceByClientId, AdminRoles.VIEW_USERS).toRepresentation());
                linkedList.add(ApiUtil.findClientRoleByName(findClientResourceByClientId, ImpersonationConstants.IMPERSONATION_ROLE).toRepresentation());
                userResource.roles().clientLevel(findClientResourceByClientId.toRepresentation().getId()).add(linkedList);
                testSuccessfulImpersonation("master-impersonator", Config.getAdminRealm());
                this.adminClient.realm("master").users().get(createdId).remove();
            } finally {
            }
        } catch (Throwable th3) {
            if (create != null) {
                if (th != null) {
                    try {
                        create.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    create.close();
                }
            }
            throw th3;
        }
    }

    @Test
    public void testImpersonateByTestImpersonator() {
        testSuccessfulImpersonation("impersonator", "test");
    }

    @Test
    public void testImpersonateByTestAdmin() {
        testSuccessfulImpersonation("realm-admin", "test");
    }

    @Test
    public void testImpersonateByTestBadImpersonator() {
        testForbiddenImpersonation("bad-impersonator", "test");
    }

    @Test
    public void testImpersonateByMastertBadImpersonator() {
        Response create = this.adminClient.realm("master").users().create(UserBuilder.create().username("master-bad-impersonator").build());
        Throwable th = null;
        try {
            try {
                String createdId = ApiUtil.getCreatedId(create);
                if (create != null) {
                    if (0 != 0) {
                        try {
                            create.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        create.close();
                    }
                }
                this.adminClient.realm("master").users().get(createdId).resetPassword(CredentialBuilder.create().password("password").build());
                testForbiddenImpersonation("master-bad-impersonator", Config.getAdminRealm());
                this.adminClient.realm("master").users().get(createdId).remove();
            } finally {
            }
        } catch (Throwable th3) {
            if (create != null) {
                if (th != null) {
                    try {
                        create.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    create.close();
                }
            }
            throw th3;
        }
    }

    @Test
    public void testImpersonationWorksWhenAuthenticationSessionExists() throws Exception {
        RealmResource realm = this.adminClient.realms().realm("test");
        realm.clients().create(ClientBuilder.create().clientId(AssertEvents.DEFAULT_CLIENT_ID).addRedirectUri(OAuthClient.APP_ROOT + "/*").build()).close();
        String loginFormUrl = this.oauth.getLoginFormUrl();
        this.driver.navigate().to(loginFormUrl);
        this.loginPage.assertCurrent();
        Iterator<Cookie> it = testSuccessfulImpersonation("realm-admin", "test").iterator();
        while (it.hasNext()) {
            this.driver.manage().addCookie(it.next());
        }
        this.driver.navigate().to(loginFormUrl);
        this.appPage.assertCurrent();
        Assert.assertEquals("/auth/realms/master/app/auth", new URL(DroneUtils.getCurrentDriver().getCurrentUrl()).getPath());
        ApiUtil.findClientByClientId(realm, AssertEvents.DEFAULT_CLIENT_ID).remove();
    }

    @Test
    public void testImpersonationBySameRealmServiceAccount() throws Exception {
        RealmResource realm = this.adminClient.realms().realm("test");
        ClientRepresentation build = ClientBuilder.create().id(KeycloakModelUtils.generateId()).clientId("service-account-cl").secret("password").serviceAccountsEnabled(true).build();
        build.setServiceAccountsEnabled(true);
        realm.clients().create(build);
        UserRepresentation serviceAccountUser = ClientManager.realm(this.adminClient.realm("test")).clientId("service-account-cl").getServiceAccountUser();
        serviceAccountUser.setServiceAccountClientId("service-account-cl");
        ApiUtil.assignClientRoles(realm, serviceAccountUser.getId(), "realm-management", new String[]{ImpersonationConstants.IMPERSONATION_ROLE});
        testSuccessfulServiceAccountImpersonation(serviceAccountUser, "test");
        ApiUtil.findClientByClientId(realm, "service-account-cl").remove();
    }

    @Test
    public void testImpersonationByMasterRealmServiceAccount() throws Exception {
        RealmResource realm = this.adminClient.realms().realm("master");
        ClientRepresentation build = ClientBuilder.create().id(KeycloakModelUtils.generateId()).clientId("service-account-cl").secret("password").serviceAccountsEnabled(true).build();
        build.setServiceAccountsEnabled(true);
        realm.clients().create(build);
        UserRepresentation serviceAccountUser = ClientManager.realm(this.adminClient.realm("master")).clientId("service-account-cl").getServiceAccountUser();
        serviceAccountUser.setServiceAccountClientId("service-account-cl");
        ApiUtil.assignRealmRoles(realm, serviceAccountUser.getId(), new String[]{"admin"});
        testSuccessfulServiceAccountImpersonation(serviceAccountUser, "master");
        ApiUtil.findClientByClientId(realm, "service-account-cl").remove();
    }

    protected Set<Cookie> testSuccessfulImpersonation(String str, String str2) {
        ResteasyClientBuilder resteasyClientBuilder = new ResteasyClientBuilder();
        resteasyClientBuilder.connectionPoolSize(10);
        resteasyClientBuilder.httpEngine(AdminClientUtil.getCustomClientHttpEngine(resteasyClientBuilder, 10, (Boolean) null));
        Keycloak login = login(str, str2, resteasyClientBuilder.build());
        Throwable th = null;
        try {
            try {
                Set<Cookie> impersonate = impersonate(login, str, str2);
                if (login != null) {
                    if (0 != 0) {
                        try {
                            login.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        login.close();
                    }
                }
                return impersonate;
            } finally {
            }
        } catch (Throwable th3) {
            if (login != null) {
                if (th != null) {
                    try {
                        login.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    login.close();
                }
            }
            throw th3;
        }
    }

    private Set<Cookie> impersonate(Keycloak keycloak, String str, String str2) {
        BasicCookieStore basicCookieStore = new BasicCookieStore();
        try {
            CloseableHttpClient build = HttpClientBuilder.create().setDefaultCookieStore(basicCookieStore).build();
            Throwable th = null;
            try {
                try {
                    String entityUtils = EntityUtils.toString(build.execute(RequestBuilder.post().setUri(OAuthClient.AUTH_SERVER_ROOT + "/admin/realms/test/users/" + this.impersonatedUserId + "/impersonation").addHeader("Authorization", "Bearer " + keycloak.tokenManager().getAccessTokenString()).build()).getEntity());
                    Assert.assertNotNull(entityUtils);
                    Assert.assertTrue(entityUtils.contains("redirect"));
                    this.events.expect(EventType.IMPERSONATE).session(AssertEvents.isUUID()).user(this.impersonatedUserId).detail("impersonator", str).detail("impersonator_realm", str2).client((String) null).assertEvent();
                    String str3 = this.impersonatedUserId;
                    Map<String, String> notes = ((UserSessionNotesHolder) this.testingClient.server("test").fetch(keycloakSession -> {
                        RealmModel realmByName = keycloakSession.realms().getRealmByName("test");
                        return new UserSessionNotesHolder(((UserSessionModel) keycloakSession.sessions().getUserSessionsStream(realmByName, keycloakSession.users().getUserById(realmByName, str3)).findFirst().get()).getNotes());
                    }, UserSessionNotesHolder.class)).getNotes();
                    Assert.assertNotNull(notes.get(ImpersonationSessionNote.IMPERSONATOR_ID.toString()));
                    Assert.assertEquals(str, notes.get(ImpersonationSessionNote.IMPERSONATOR_USERNAME.toString()));
                    Set<Cookie> set = (Set) basicCookieStore.getCookies().stream().filter(cookie -> {
                        return cookie.getName().startsWith("KEYCLOAK_IDENTITY");
                    }).map(cookie2 -> {
                        return new Cookie(cookie2.getName(), cookie2.getValue(), cookie2.getDomain(), cookie2.getPath(), cookie2.getExpiryDate(), cookie2.isSecure(), true);
                    }).collect(Collectors.toSet());
                    Assert.assertNotNull(set);
                    Assert.assertThat(set, Matchers.is(Matchers.not(Matchers.empty())));
                    if (build != null) {
                        if (0 != 0) {
                            try {
                                build.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            build.close();
                        }
                    }
                    return set;
                } finally {
                }
            } finally {
            }
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    protected void testForbiddenImpersonation(String str, String str2) {
        try {
            Keycloak createAdminClient = createAdminClient(str2, establishClientId(str2), str);
            Throwable th = null;
            try {
                try {
                    createAdminClient.realms().realm("test").users().get(this.impersonatedUserId).impersonate();
                    Assert.fail("Expected ClientErrorException wasn't thrown.");
                    if (createAdminClient != null) {
                        if (0 != 0) {
                            try {
                                createAdminClient.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            createAdminClient.close();
                        }
                    }
                } finally {
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (ClientErrorException e) {
            Assert.assertThat(e.getMessage(), Matchers.containsString("403 Forbidden"));
        }
    }

    Keycloak createAdminClient(String str, String str2, String str3) {
        return createAdminClient(str, str2, str3, null, null);
    }

    String establishClientId(String str) {
        return str.equals("master") ? "admin-cli" : "myclient";
    }

    Keycloak createAdminClient(String str, String str2, String str3, String str4, ResteasyClient resteasyClient) {
        if (str4 == null) {
            str4 = str3.equals("admin") ? "admin" : "password";
        }
        return KeycloakBuilder.builder().serverUrl(ServerURLs.getAuthServerContextRoot() + "/auth").realm(str).username(str3).password(str4).clientId(str2).resteasyClient(resteasyClient).build();
    }

    private Keycloak login(String str, String str2, ResteasyClient resteasyClient) {
        String establishClientId = establishClientId(str2);
        Keycloak createAdminClient = createAdminClient(str2, establishClientId, str, null, resteasyClient);
        createAdminClient.tokenManager().grantToken();
        if (!"master".equals(str2)) {
            EventRepresentation poll = this.events.poll();
            Assert.assertEquals("Event type", EventType.LOGIN.toString(), poll.getType());
            Assert.assertEquals("Client ID", establishClientId, poll.getClientId());
            Assert.assertEquals("Username", str, poll.getDetails().get("username"));
        }
        return createAdminClient;
    }

    protected Set<Cookie> testSuccessfulServiceAccountImpersonation(UserRepresentation userRepresentation, String str) {
        ResteasyClientBuilder resteasyClientBuilder = new ResteasyClientBuilder();
        resteasyClientBuilder.connectionPoolSize(10);
        resteasyClientBuilder.httpEngine(AdminClientUtil.getCustomClientHttpEngine(resteasyClientBuilder, 10, (Boolean) null));
        Keycloak loginServiceAccount = loginServiceAccount(userRepresentation, str, resteasyClientBuilder.build());
        Throwable th = null;
        try {
            try {
                Set<Cookie> impersonateServiceAccount = impersonateServiceAccount(loginServiceAccount);
                if (loginServiceAccount != null) {
                    if (0 != 0) {
                        try {
                            loginServiceAccount.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        loginServiceAccount.close();
                    }
                }
                return impersonateServiceAccount;
            } finally {
            }
        } catch (Throwable th3) {
            if (loginServiceAccount != null) {
                if (th != null) {
                    try {
                        loginServiceAccount.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    loginServiceAccount.close();
                }
            }
            throw th3;
        }
    }

    private Keycloak loginServiceAccount(UserRepresentation userRepresentation, String str, ResteasyClient resteasyClient) {
        Keycloak createServiceAccountClient = createServiceAccountClient(str, userRepresentation, resteasyClient);
        createServiceAccountClient.tokenManager().getAccessToken();
        return createServiceAccountClient;
    }

    Keycloak createServiceAccountClient(String str, UserRepresentation userRepresentation, ResteasyClient resteasyClient) {
        return KeycloakBuilder.builder().serverUrl(ServerURLs.getAuthServerContextRoot() + "/auth").realm(str).clientId(userRepresentation.getServiceAccountClientId()).clientSecret("password").grantType("client_credentials").resteasyClient(resteasyClient).build();
    }

    private Set<Cookie> impersonateServiceAccount(Keycloak keycloak) {
        BasicCookieStore basicCookieStore = new BasicCookieStore();
        try {
            CloseableHttpClient build = HttpClientBuilder.create().setDefaultCookieStore(basicCookieStore).build();
            Throwable th = null;
            try {
                String entityUtils = EntityUtils.toString(build.execute(RequestBuilder.post().setUri(OAuthClient.AUTH_SERVER_ROOT + "/admin/realms/test/users/" + this.impersonatedUserId + "/impersonation").addHeader("Authorization", "Bearer " + keycloak.tokenManager().getAccessTokenString()).build()).getEntity());
                Assert.assertNotNull(entityUtils);
                Assert.assertTrue(entityUtils.contains("redirect"));
                Set<Cookie> set = (Set) basicCookieStore.getCookies().stream().filter(cookie -> {
                    return cookie.getName().startsWith("KEYCLOAK_IDENTITY");
                }).map(cookie2 -> {
                    return new Cookie(cookie2.getName(), cookie2.getValue(), cookie2.getDomain(), cookie2.getPath(), cookie2.getExpiryDate(), cookie2.isSecure(), true);
                }).collect(Collectors.toSet());
                Assert.assertNotNull(set);
                Assert.assertThat(set, Matchers.is(Matchers.not(Matchers.empty())));
                if (build != null) {
                    if (0 != 0) {
                        try {
                            build.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        build.close();
                    }
                }
                return set;
            } finally {
            }
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    private static /* synthetic */ Object $deserializeLambda$(SerializedLambda serializedLambda) {
        String implMethodName = serializedLambda.getImplMethodName();
        boolean z = -1;
        switch (implMethodName.hashCode()) {
            case -1686965212:
                if (implMethodName.equals("lambda$impersonate$c95a986d$1")) {
                    z = false;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                if (serializedLambda.getImplMethodKind() == 6 && serializedLambda.getFunctionalInterfaceClass().equals("org/keycloak/testsuite/runonserver/FetchOnServer") && serializedLambda.getFunctionalInterfaceMethodName().equals("run") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("(Lorg/keycloak/models/KeycloakSession;)Ljava/lang/Object;") && serializedLambda.getImplClass().equals("org/keycloak/testsuite/admin/ImpersonationTest") && serializedLambda.getImplMethodSignature().equals("(Ljava/lang/String;Lorg/keycloak/models/KeycloakSession;)Ljava/lang/Object;")) {
                    String str = (String) serializedLambda.getCapturedArg(0);
                    return keycloakSession -> {
                        RealmModel realmByName = keycloakSession.realms().getRealmByName("test");
                        return new UserSessionNotesHolder(((UserSessionModel) keycloakSession.sessions().getUserSessionsStream(realmByName, keycloakSession.users().getUserById(realmByName, str)).findFirst().get()).getNotes());
                    };
                }
                break;
        }
        throw new IllegalArgumentException("Invalid lambda deserialization");
    }
}
