package org.keycloak.testsuite.adapter.servlet;

import java.io.IOException;
import java.net.URI;
import java.util.List;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Consumer;
import javax.ws.rs.core.Response;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.arquillian.graphene.page.Page;
import org.jboss.shrinkwrap.api.spec.WebArchive;
import org.junit.Assert;
import org.junit.Test;
import org.keycloak.dom.saml.v2.SAML2Object;
import org.keycloak.dom.saml.v2.assertion.AssertionType;
import org.keycloak.dom.saml.v2.assertion.AuthnStatementType;
import org.keycloak.dom.saml.v2.assertion.NameIDType;
import org.keycloak.dom.saml.v2.protocol.LogoutRequestType;
import org.keycloak.dom.saml.v2.protocol.ResponseType;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder;
import org.keycloak.testsuite.adapter.AbstractServletsAdapterTest;
import org.keycloak.testsuite.adapter.page.EmployeeServlet;
import org.keycloak.testsuite.adapter.page.SalesPostServlet;
import org.keycloak.testsuite.arquillian.annotation.AppServerContainer;
import org.keycloak.testsuite.arquillian.annotation.AppServerContainers;
import org.keycloak.testsuite.saml.AbstractSamlTest;
import org.keycloak.testsuite.util.Matchers;
import org.keycloak.testsuite.util.SamlClient;
import org.keycloak.testsuite.util.SamlClientBuilder;
import org.keycloak.testsuite.util.saml.CreateLogoutRequestStepBuilder;
import org.keycloak.testsuite.utils.io.IOUtil;

@AppServerContainers({@AppServerContainer("app-server-undertow"), @AppServerContainer("app-server-wildfly"), @AppServerContainer("app-server-wildfly-deprecated"), @AppServerContainer("app-server-eap"), @AppServerContainer("app-server-eap6"), @AppServerContainer("app-server-eap71"), @AppServerContainer("app-server-tomcat7"), @AppServerContainer("app-server-tomcat8"), @AppServerContainer("app-server-tomcat9")})
/* loaded from: input_file:org/keycloak/testsuite/adapter/servlet/SAMLLogoutAdapterTest.class */
public class SAMLLogoutAdapterTest extends AbstractServletsAdapterTest {
    private static final String SP_PROVIDED_ID = "spProvidedId";
    private static final String SP_NAME_QUALIFIER = "spNameQualifier";
    private static final String NAME_QUALIFIER = "nameQualifier";

    @Page
    private EmployeeServlet employeeServletPage;

    @Page
    private SalesPostServlet salesPostServlet;
    private final AtomicReference<NameIDType> nameIdRef = new AtomicReference<>();
    private final AtomicReference<String> sessionIndexRef = new AtomicReference<>();

    @Deployment(name = "employee")
    protected static WebArchive employee() {
        return samlServletDeployment("employee", SendUsernameServlet.class);
    }

    @Deployment(name = "sales-post")
    protected static WebArchive sales() {
        return samlServletDeployment("sales-post", SendUsernameServlet.class);
    }

    @Override // org.keycloak.testsuite.adapter.AbstractServletsAdapterTest, org.keycloak.testsuite.adapter.AbstractAdapterTest
    public void addAdapterTestRealms(List<RealmRepresentation> list) {
        list.add(IOUtil.loadRealm("/adapter-test/keycloak-saml/testsaml.json"));
    }

    @Override // org.keycloak.testsuite.adapter.AbstractAdapterTest, org.keycloak.testsuite.AbstractKeycloakTest
    protected boolean isImportAfterEachMethod() {
        return false;
    }

    private SAML2Object extractNameId(SAML2Object sAML2Object) {
        Assert.assertThat(sAML2Object, Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
        AssertionType assertion = ((ResponseType.RTChoiceType) ((ResponseType) sAML2Object).getAssertions().get(0)).getAssertion();
        Assert.assertThat(assertion, org.hamcrest.Matchers.notNullValue());
        Assert.assertThat(assertion.getSubject().getSubType().getBaseID(), org.hamcrest.Matchers.instanceOf(NameIDType.class));
        NameIDType baseID = assertion.getSubject().getSubType().getBaseID();
        AuthnStatementType authnStatementType = (AuthnStatementType) assertion.getStatements().iterator().next();
        this.nameIdRef.set(baseID);
        this.sessionIndexRef.set(authnStatementType.getSessionIndex());
        return sAML2Object;
    }

    @Test
    public void employeeGlobalLogoutTest() {
        SAMLDocumentHolder samlResponse = new SamlClientBuilder().navigateTo(this.employeeServletPage).processSamlResponse(SamlClient.Binding.POST).build().login().user(this.bburkeUser).build().processSamlResponse(SamlClient.Binding.POST).targetAttributeSamlResponse().transformObject(this::extractNameId).transformObject(sAML2Object -> {
            Assert.assertThat(sAML2Object, Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
            NameIDType baseID = ((ResponseType.RTChoiceType) ((ResponseType) sAML2Object).getAssertions().get(0)).getAssertion().getSubject().getSubType().getBaseID();
            baseID.setNameQualifier(NAME_QUALIFIER);
            baseID.setSPNameQualifier(SP_NAME_QUALIFIER);
            baseID.setSPProvidedID(SP_PROVIDED_ID);
        }).build().navigateTo(this.employeeServletPage.getUriBuilder().clone().queryParam("GLO", new Object[]{"true"}).build(new Object[0])).getSamlResponse(SamlClient.Binding.POST);
        Assert.assertThat(samlResponse.getSamlObject(), org.hamcrest.Matchers.instanceOf(LogoutRequestType.class));
        NameIDType nameID = samlResponse.getSamlObject().getNameID();
        Assert.assertThat(nameID.getFormat(), org.hamcrest.Matchers.is(this.nameIdRef.get().getFormat()));
        Assert.assertThat(nameID.getValue(), org.hamcrest.Matchers.is(this.nameIdRef.get().getValue()));
        Assert.assertThat(nameID.getNameQualifier(), org.hamcrest.Matchers.is(NAME_QUALIFIER));
        Assert.assertThat(nameID.getSPProvidedID(), org.hamcrest.Matchers.is(SP_PROVIDED_ID));
        Assert.assertThat(nameID.getSPNameQualifier(), org.hamcrest.Matchers.is(SP_NAME_QUALIFIER));
    }

    @Test
    public void testLogoutDestinationOptionalIfUnsignedRedirect() throws IOException {
        testLogoutDestination(SamlClient.Binding.REDIRECT, createLogoutRequestStepBuilder -> {
            createLogoutRequestStepBuilder.transformObject(logoutRequestType -> {
                logoutRequestType.setDestination((URI) null);
            });
        }, SAMLLogoutAdapterTest::assertSamlLogoutResponse);
    }

    @Test
    public void testLogoutMandatoryDestinationUnsetRedirect() throws IOException {
        testLogoutDestination(SamlClient.Binding.REDIRECT, createLogoutRequestStepBuilder -> {
            createLogoutRequestStepBuilder.transformObject(logoutRequestType -> {
                logoutRequestType.setDestination((URI) null);
            }).signWith(AbstractSamlTest.SAML_CLIENT_SALES_POST_SIG_PRIVATE_KEY, AbstractSamlTest.SAML_CLIENT_SALES_POST_SIG_PUBLIC_KEY);
        }, (v0) -> {
            assertBadRequest(v0);
        });
    }

    @Test
    public void testLogoutMandatoryDestinationSetRedirect() throws IOException {
        testLogoutDestination(SamlClient.Binding.REDIRECT, createLogoutRequestStepBuilder -> {
            createLogoutRequestStepBuilder.signWith(AbstractSamlTest.SAML_CLIENT_SALES_POST_SIG_PRIVATE_KEY, AbstractSamlTest.SAML_CLIENT_SALES_POST_SIG_PUBLIC_KEY);
        }, SAMLLogoutAdapterTest::assertSamlLogoutResponse);
    }

    @Test
    public void testLogoutDestinationOptionalIfUnsignedPost() throws IOException {
        testLogoutDestination(SamlClient.Binding.POST, createLogoutRequestStepBuilder -> {
            createLogoutRequestStepBuilder.transformObject(logoutRequestType -> {
                logoutRequestType.setDestination((URI) null);
            });
        }, SAMLLogoutAdapterTest::assertSamlLogoutResponse);
    }

    @Test
    public void testLogoutMandatoryDestinationUnsetPost() throws IOException {
        testLogoutDestination(SamlClient.Binding.POST, createLogoutRequestStepBuilder -> {
            createLogoutRequestStepBuilder.transformObject(logoutRequestType -> {
                logoutRequestType.setDestination((URI) null);
            }).signWith(AbstractSamlTest.SAML_CLIENT_SALES_POST_SIG_PRIVATE_KEY, AbstractSamlTest.SAML_CLIENT_SALES_POST_SIG_PUBLIC_KEY);
        }, (v0) -> {
            assertBadRequest(v0);
        });
    }

    @Test
    public void testLogoutMandatoryDestinationSetPost() throws IOException {
        testLogoutDestination(SamlClient.Binding.POST, createLogoutRequestStepBuilder -> {
            createLogoutRequestStepBuilder.signWith(AbstractSamlTest.SAML_CLIENT_SALES_POST_SIG_PRIVATE_KEY, AbstractSamlTest.SAML_CLIENT_SALES_POST_SIG_PUBLIC_KEY);
        }, SAMLLogoutAdapterTest::assertSamlLogoutResponse);
    }

    private void testLogoutDestination(SamlClient.Binding binding, Consumer<CreateLogoutRequestStepBuilder> consumer, Consumer<? super CloseableHttpResponse> consumer2) throws IOException {
        CreateLogoutRequestStepBuilder logoutRequest = new SamlClientBuilder().navigateTo(this.salesPostServlet).processSamlResponse(SamlClient.Binding.POST).build().login().user(this.bburkeUser).build().processSamlResponse(SamlClient.Binding.POST).targetAttributeSamlResponse().transformObject(this::extractNameId).build().logoutRequest(this.salesPostServlet.getUriBuilder().clone().path("saml").build(new Object[0]), "http://no.one.cares/", binding);
        AtomicReference<NameIDType> atomicReference = this.nameIdRef;
        atomicReference.getClass();
        CreateLogoutRequestStepBuilder nameId = logoutRequest.nameId(atomicReference::get);
        AtomicReference<String> atomicReference2 = this.sessionIndexRef;
        atomicReference2.getClass();
        nameId.sessionIndex(atomicReference2::get).apply(consumer).build().doNotFollowRedirects().assertResponse(consumer2).execute();
    }

    public static void assertSamlLogoutResponse(CloseableHttpResponse closeableHttpResponse) {
        try {
            Assert.assertThat(SamlClient.Binding.POST.extractResponse(closeableHttpResponse).getSamlObject(), Matchers.isSamlStatusResponse(new JBossSAMLURIConstants[]{JBossSAMLURIConstants.STATUS_SUCCESS}));
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    public static void assertBadRequest(HttpResponse httpResponse) {
        Assert.assertThat(httpResponse, org.hamcrest.Matchers.anyOf(Matchers.statusCodeIsHC(Response.Status.BAD_REQUEST), Matchers.statusCodeIsHC(Response.Status.FORBIDDEN), Matchers.bodyHC(org.hamcrest.Matchers.anyOf(org.hamcrest.Matchers.containsString("Forbidden"), org.hamcrest.Matchers.containsString(SAMLServletAdapterTest.FORBIDDEN_TEXT), org.hamcrest.Matchers.containsString(SAMLServletAdapterTest.WEBSPHERE_FORBIDDEN_TEXT)))));
    }
}
