package org.keycloak.testsuite.x509;

import java.lang.reflect.Field;
import java.net.URI;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import javax.ws.rs.core.Response;
import org.hamcrest.Matchers;
import org.jboss.arquillian.graphene.page.Page;
import org.jboss.logging.Logger;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.Assume;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Rule;
import org.keycloak.admin.client.resource.AuthenticationManagementResource;
import org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel;
import org.keycloak.common.util.Encode;
import org.keycloak.events.admin.OperationType;
import org.keycloak.events.admin.ResourceType;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.idm.AuthenticationExecutionInfoRepresentation;
import org.keycloak.representations.idm.AuthenticationExecutionRepresentation;
import org.keycloak.representations.idm.AuthenticationFlowRepresentation;
import org.keycloak.representations.idm.AuthenticatorConfigRepresentation;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.testsuite.AbstractTestRealmKeycloakTest;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.pages.AbstractPage;
import org.keycloak.testsuite.pages.AppPage;
import org.keycloak.testsuite.pages.LoginPage;
import org.keycloak.testsuite.pages.x509.X509IdentityConfirmationPage;
import org.keycloak.testsuite.updaters.SetSystemProperty;
import org.keycloak.testsuite.util.AdminEventPaths;
import org.keycloak.testsuite.util.AssertAdminEvents;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.DroneUtils;
import org.keycloak.testsuite.util.PhantomJSBrowser;
import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.testsuite.util.ServerURLs;
import org.keycloak.testsuite.util.UserBuilder;
import org.openqa.selenium.WebDriver;

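/**
 * Base class for the X.509 client-certificate authentication tests.
 *
 * <p>Before every test method it copies the realm's browser flow and creates a new direct-grant
 * flow, adds the X.509 authenticators to them and makes both the realm's active flows
 * ({@link #configureFlows()}). Once per test class it points PhantomJS at the client certificate
 * and key shipped with the auth server ({@link #onBeforeTestClass()}), so the browser presents that
 * certificate on the TLS handshake.
 *
 * <p>Every test in the hierarchy is skipped unless the auth server runs with SSL required
 * ({@link ServerURLs#AUTH_SERVER_SSL_REQUIRED}); certificate login needs an HTTPS auth server.
 *
 * <p>All realm operations target the realm named {@value #REALM_NAME}.
 */
@AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE})
public abstract class AbstractX509AuthenticationTest extends AbstractTestRealmKeycloakTest {
    // CRL file names used by the revocation tests in subclasses; how they are resolved is up to the subclass.
    public static final String EMPTY_CRL_PATH = "empty.crl";
    public static final String INTERMEDIATE_CA_CRL_PATH = "intermediate-ca.crl";
    public static final String INTERMEDIATE_CA_INVALID_SIGNATURE_CRL_PATH = "intermediate-ca-invalid-signature.crl";
    public static final String INTERMEDIATE_CA_3_CRL_PATH = "intermediate-ca-3.crl";
    // Execution requirement values accepted by AuthenticationExecutionRepresentation#setRequirement.
    static final String REQUIRED = "REQUIRED";
    static final String OPTIONAL = "OPTIONAL";
    static final String DISABLED = "DISABLED";
    static final String ALTERNATIVE = "ALTERNATIVE";
    public static final String REALM_NAME = "test";
    /** Id of the default test user ({@link AssertEvents#DEFAULT_USERNAME}), set in {@link #configureFlows()}. */
    protected String userId;
    /** Id of the second user created in {@link #configureTestRealm(RealmRepresentation)}. */
    protected String userId2;
    protected AuthenticationManagementResource authMgmtResource;
    /** The X.509 execution added to the copied browser flow. */
    protected AuthenticationExecutionInfoRepresentation browserExecution;
    /** The X.509 execution added to the new direct-grant flow. */
    protected AuthenticationExecutionInfoRepresentation directGrantExecution;
    /** System-property override for the PhantomJS command line; {@code null} when none was installed. */
    private static SetSystemProperty phantomjsCliArgs;

    @Page
    @PhantomJSBrowser
    protected AppPage appPage;

    @Page
    @PhantomJSBrowser
    protected X509IdentityConfirmationPage loginConfirmationPage;

    @Page
    @PhantomJSBrowser
    protected LoginPage loginPage;
    protected final Logger log = Logger.getLogger(getClass());

    @Rule
    public AssertEvents events = new AssertEvents(this);

    @Rule
    public AssertAdminEvents assertAdminEvents = new AssertAdminEvents(this);

    @Override
    protected boolean isImportAfterEachMethod() {
        // Re-import the realm after every method, presumably so the flow and user edits made in
        // configureFlows() do not leak into the next test.
        return true;
    }

    /** Skips the test unless the auth server was started with SSL required. */
    @Before
    public void validateConfiguration() {
        Assume.assumeTrue(ServerURLs.AUTH_SERVER_SSL_REQUIRED);
    }

    /** Installs the PhantomJS TLS client-certificate arguments for the default test certificate. */
    @BeforeClass
    public static void onBeforeTestClass() {
        configurePhantomJS("/ca.crt", "/client.crt", "/client.key", "password");
    }

    /** Restores the PhantomJS command-line property, if {@link #configurePhantomJS} installed an override. */
    @AfterClass
    public static void onAfterTestClass() {
        // configurePhantomJS() returns early without installing the override when the auth server
        // home or the SSL flag is unset; reverting unconditionally would then throw an NPE.
        if (phantomjsCliArgs != null) {
            phantomjsCliArgs.revert();
            phantomjsCliArgs = null;
        }
    }

    /**
     * Points PhantomJS at a CA certificate, client certificate and client key located under the auth
     * server home, via the {@code keycloak.phantomjs.cli.args} system property.
     *
     * <p>Nothing is done when the auth server home or the {@code auth.server.ssl.required} system
     * property is unset. {@link #onBeforeTestClass()} calls this with the default test certificate;
     * subclasses may call it again with a different one.
     *
     * <p>The key passphrase becomes part of a command-line argument and is therefore readable by
     * anything that can inspect the PhantomJS process arguments; this is only acceptable because the
     * key is a throwaway test fixture.
     *
     * @param caCertPath          path passed to {@code --ssl-certificates-path}, relative to the auth server home
     * @param clientCertPath      path of the client certificate, relative to the auth server home
     * @param clientKeyPath       path of the client private key, relative to the auth server home
     * @param clientKeyPassphrase passphrase protecting the client key
     */
    public static void configurePhantomJS(String caCertPath, String clientCertPath, String clientKeyPath, String clientKeyPassphrase) {
        String authServerHome = getAuthServerHome();
        if (authServerHome == null || System.getProperty("auth.server.ssl.required") == null) {
            return;
        }
        // Every argument is followed by a space, including the last one, matching the original value.
        String cliArgs = "--ignore-ssl-errors=true "
                + "--web-security=false "
                + "--ssl-certificates-path=" + authServerHome + caCertPath + " "
                + "--ssl-client-certificate-file=" + authServerHome + clientCertPath + " "
                + "--ssl-client-key-file=" + authServerHome + clientKeyPath + " "
                + "--ssl-client-key-passphrase=" + clientKeyPassphrase + " ";
        phantomjsCliArgs = new SetSystemProperty("keycloak.phantomjs.cli.args", cliArgs);
    }

    /** Whether the auth server under test is a JBoss-based server ({@code auth.server.jboss=true}). */
    private static boolean isAuthServerJBoss() {
        return Boolean.parseBoolean(System.getProperty("auth.server.jboss"));
    }

    /**
     * Returns the directory holding the auth server's certificate files, or {@code null} when the
     * {@code auth.server.home} system property is unset. For a JBoss-based auth server the files are
     * expected under {@code standalone/configuration} below the home.
     */
    public static String getAuthServerHome() {
        String home = System.getProperty("auth.server.home");
        if (home == null) {
            return null;
        }
        return isAuthServerJBoss() ? home + "/standalone/configuration" : home;
    }

    /**
     * Creates the per-test authentication flows: a copy of the realm's browser flow with the X.509
     * browser authenticator added as {@code ALTERNATIVE}, and a fresh direct-grant flow with the X.509
     * direct-grant authenticator as {@code REQUIRED}. Both become the realm's active flows, and the
     * default test user gets the attributes the identity mappers in the subclasses look up.
     */
    @Before
    public void configureFlows() {
        authMgmtResource = adminClient.realms().realm(REALM_NAME).flows();

        AuthenticationFlowRepresentation browserFlow = copyBrowserFlow();
        Assert.assertNotNull(browserFlow);
        AuthenticationFlowRepresentation directGrantFlow = createDirectGrantFlow();
        Assert.assertNotNull(directGrantFlow);

        setBrowserFlow(browserFlow);
        Assert.assertEquals(testRealm().toRepresentation().getBrowserFlow(), browserFlow.getAlias());
        setDirectGrantFlow(directGrantFlow);
        Assert.assertEquals(testRealm().toRepresentation().getDirectGrantFlow(), directGrantFlow.getAlias());

        // The direct-grant flow is created from scratch: it starts empty and ends with exactly one execution.
        Assert.assertEquals(0, directGrantFlow.getAuthenticationExecutions().size());
        directGrantExecution = addAssertExecution(directGrantFlow, "direct-grant-auth-x509-username", REQUIRED);
        Assert.assertNotNull(directGrantExecution);
        AuthenticationFlowRepresentation refreshedDirectGrantFlow = authMgmtResource.getFlow(directGrantFlow.getId());
        Assert.assertNotNull(refreshedDirectGrantFlow.getAuthenticationExecutions());
        Assert.assertEquals(1, refreshedDirectGrantFlow.getAuthenticationExecutions().size());

        browserExecution = addAssertExecution(browserFlow, "auth-x509-client-username-form", ALTERNATIVE);
        Assert.assertNotNull(browserExecution);
        // Move the X.509 form up within the copied browser flow.
        authMgmtResource.raisePriority(browserExecution.getId());

        UserRepresentation user = findUser(AssertEvents.DEFAULT_USERNAME);
        userId = user.getId();
        user.singleAttribute("x509_certificate_identity", "-");
        user.singleAttribute("alternative_email", "test-user-altmail@localhost");
        user.singleAttribute("upn", "test_upn_name@localhost");
        updateUser(user);
    }

    /**
     * Adds an execution of the given authenticator to a flow and returns it as listed by the server.
     *
     * @param flow          flow to extend
     * @param authenticator provider id of the authenticator
     * @param requirement   one of {@link #REQUIRED}, {@link #OPTIONAL}, {@link #DISABLED}, {@link #ALTERNATIVE}
     * @return the execution with that provider id, or {@code null} if the server does not list it
     */
    private AuthenticationExecutionInfoRepresentation addAssertExecution(AuthenticationFlowRepresentation flow, String authenticator, String requirement) {
        AuthenticationExecutionRepresentation execution = new AuthenticationExecutionRepresentation();
        execution.setPriority(10);
        execution.setAuthenticator(authenticator);
        execution.setRequirement(requirement);
        execution.setParentFlow(flow.getId());
        try (Response response = authMgmtResource.addExecution(execution)) {
            Assert.assertEquals("added execution", 201, response.getStatus());
        }
        return findExecution(authenticator, authMgmtResource.getExecutions(flow.getAlias()));
    }

    /**
     * Finds the execution whose provider id equals {@code providerId}.
     *
     * @return the first matching execution, or {@code null} if none matches
     */
    AuthenticationExecutionInfoRepresentation findExecution(String providerId, List<AuthenticationExecutionInfoRepresentation> executions) {
        return executions.stream()
                .filter(execution -> providerId.equals(execution.getProviderId()))
                .findFirst()
                .orElse(null);
    }

    /**
     * Extends the imported test realm with what the X.509 tests rely on: a confidential client
     * {@code resource-owner} with direct access grants, a second user whose
     * {@code x509_issuer_identity} attribute names the test intermediate CA, an HTTPS variant of the
     * test app's first redirect URI, and brute-force protection with a failure factor of 2.
     */
    @Override
    public void configureTestRealm(RealmRepresentation realm) {
        ClientRepresentation resourceOwnerClient = ClientBuilder.create()
                .id(KeycloakModelUtils.generateId())
                .clientId("resource-owner")
                .directAccessGrants()
                .secret("secret")
                .build();
        UserRepresentation issuerMappedUser = UserBuilder.create()
                .id(KeycloakModelUtils.generateId())
                .username("Keycloak")
                .email("localhost@localhost")
                .enabled(true)
                .password("password")
                .addAttribute("x509_issuer_identity", "Keycloak Intermediate CA")
                .build();
        userId2 = issuerMappedUser.getId();

        // Mirror the test app's first redirect path on the HTTPS port so a login over TLS can redirect back.
        ClientRepresentation testApp = findTestApp(realm);
        String httpsPort = System.getProperty("auth.server.https.port", "8543");
        String redirectPath = URI.create(testApp.getRedirectUris().get(0)).getRawPath();
        testApp.getRedirectUris().add(URI.create("https://localhost:" + httpsPort + redirectPath).toString());

        realm.setBruteForceProtected(true);
        realm.setFailureFactor(2);
        RealmBuilder.edit(realm).user(issuerMappedUser).client(resourceOwnerClient);
    }

    /**
     * Creates a flow on the server, asserts the corresponding admin event and returns the flow as
     * the server lists it.
     *
     * @return the created flow (matched by alias, case-insensitively), or {@code null} if not listed
     */
    AuthenticationFlowRepresentation createFlow(AuthenticationFlowRepresentation flow) {
        try (Response response = authMgmtResource.createFlow(flow)) {
            Assert.assertEquals(201, response.getStatus());
            assertAdminEvents.assertEvent(REALM_NAME, OperationType.CREATE,
                    AssertAdminEvents.isExpectedPrefixFollowedByUuid(AdminEventPaths.authFlowsPath()), flow, ResourceType.AUTH_FLOW);
        }
        return findFlowByAlias(flow.getAlias());
    }

    /**
     * Copies an existing flow under a new alias and returns the copy as the server lists it.
     *
     * @param existingFlowAlias alias of the flow to copy
     * @param newFlowAlias      alias for the copy
     * @return the copied flow (matched by alias, case-insensitively), or {@code null} if not listed
     */
    AuthenticationFlowRepresentation copyFlow(String existingFlowAlias, String newFlowAlias) {
        Map<String, String> params = new HashMap<>();
        params.put("newName", newFlowAlias);
        // The admin-event assertion runs inside the try so the response is closed even when it fails.
        try (Response response = authMgmtResource.copy(existingFlowAlias, params)) {
            assertAdminEvents.assertEvent(REALM_NAME, OperationType.CREATE,
                    Encode.decode(AdminEventPaths.authCopyFlowPath(existingFlowAlias)), params, ResourceType.AUTH_FLOW);
            Assert.assertEquals("Copy flow", 201, response.getStatus());
        }
        return findFlowByAlias(newFlowAlias);
    }

    /** Returns the flow the server lists under {@code alias} (compared case-insensitively), or {@code null}. */
    private AuthenticationFlowRepresentation findFlowByAlias(String alias) {
        return authMgmtResource.getFlows().stream()
                .filter(flow -> flow.getAlias().equalsIgnoreCase(alias))
                .findFirst()
                .orElse(null);
    }

    /** Creates the top-level, non-built-in direct-grant flow {@code Copy-of-direct-grant}. */
    AuthenticationFlowRepresentation createDirectGrantFlow() {
        return createFlow(newFlow("Copy-of-direct-grant", "desc", "basic-flow", true, false));
    }

    /**
     * Builds a flow representation without sending it to the server.
     *
     * @param alias       flow alias
     * @param description human-readable description
     * @param providerId  flow provider id, e.g. {@code basic-flow}
     * @param topLevel    whether the flow is a top-level flow
     * @param builtIn     whether the flow is marked built-in
     */
    AuthenticationFlowRepresentation newFlow(String alias, String description, String providerId, boolean topLevel, boolean builtIn) {
        AuthenticationFlowRepresentation flow = new AuthenticationFlowRepresentation();
        flow.setAlias(alias);
        flow.setDescription(description);
        flow.setProviderId(providerId);
        flow.setTopLevel(topLevel);
        flow.setBuiltIn(builtIn);
        return flow;
    }

    /** Copies the realm's current browser flow to {@code Copy-of-browser}. */
    AuthenticationFlowRepresentation copyBrowserFlow() {
        return copyFlow(testRealm().toRepresentation().getBrowserFlow(), "Copy-of-browser");
    }

    /** Makes {@code flow} the realm's browser flow. */
    void setBrowserFlow(AuthenticationFlowRepresentation flow) {
        RealmRepresentation realm = testRealm().toRepresentation();
        realm.setBrowserFlow(flow.getAlias());
        testRealm().update(realm);
    }

    /** Makes {@code flow} the realm's direct-grant flow. */
    void setDirectGrantFlow(AuthenticationFlowRepresentation flow) {
        RealmRepresentation realm = testRealm().toRepresentation();
        realm.setDirectGrantFlow(flow.getAlias());
        testRealm().update(realm);
    }

    /** Builds an authenticator config representation with the given alias and config map. */
    public static AuthenticatorConfigRepresentation newConfig(String alias, Map<String, String> config) {
        AuthenticatorConfigRepresentation representation = new AuthenticatorConfigRepresentation();
        representation.setAlias(alias);
        representation.setConfig(config);
        return representation;
    }

    /**
     * Attaches an authenticator config to an execution and returns the id the server assigned.
     *
     * @param executionId id of the execution the config belongs to
     * @param config      the config to create
     * @return the created config's id
     */
    public String createConfig(String executionId, AuthenticatorConfigRepresentation config) {
        try (Response response = authMgmtResource.newExecutionConfig(executionId, config)) {
            Assert.assertEquals(201, response.getStatus());
            return ApiUtil.getCreatedId(response);
        }
    }

    /** Config mapping the e-mail in the subject DN to a user by username or e-mail, with the confirmation page enabled. */
    public static X509AuthenticatorConfigModel createLoginSubjectEmail2UsernameOrEmailConfig() {
        return new X509AuthenticatorConfigModel()
                .setConfirmationPageAllowed(true)
                .setMappingSourceType(X509AuthenticatorConfigModel.MappingSourceType.SUBJECTDN_EMAIL)
                .setUserIdentityMapperType(X509AuthenticatorConfigModel.IdentityMapperType.USERNAME_EMAIL);
    }

    /** Config mapping the subject-alternative-name e-mail to the user attribute {@code alternative_email}. */
    public static X509AuthenticatorConfigModel createLoginSubjectAltNameEmail2UserAttributeConfig() {
        return new X509AuthenticatorConfigModel()
                .setConfirmationPageAllowed(true)
                .setMappingSourceType(X509AuthenticatorConfigModel.MappingSourceType.SUBJECTALTNAME_EMAIL)
                .setUserIdentityMapperType(X509AuthenticatorConfigModel.IdentityMapperType.USER_ATTRIBUTE)
                .setCustomAttributeName("alternative_email");
    }

    /** Config mapping the subject-alternative-name otherName to the user attribute {@code upn}. */
    public static X509AuthenticatorConfigModel createLoginSubjectAltNameOtherName2UserAttributeConfig() {
        return new X509AuthenticatorConfigModel()
                .setConfirmationPageAllowed(true)
                .setMappingSourceType(X509AuthenticatorConfigModel.MappingSourceType.SUBJECTALTNAME_OTHERNAME)
                .setUserIdentityMapperType(X509AuthenticatorConfigModel.IdentityMapperType.USER_ATTRIBUTE)
                .setCustomAttributeName("upn");
    }

    /** {@link #createLoginSubjectEmail2UsernameOrEmailConfig()} plus a required key-usage bit set. */
    public static X509AuthenticatorConfigModel createLoginSubjectEmailWithKeyUsage(String keyUsage) {
        return createLoginSubjectEmail2UsernameOrEmailConfig().setKeyUsage(keyUsage);
    }

    /** {@link #createLoginSubjectEmail2UsernameOrEmailConfig()} plus a required extended-key-usage value. */
    public static X509AuthenticatorConfigModel createLoginSubjectEmailWithExtendedKeyUsage(String extendedKeyUsage) {
        return createLoginSubjectEmail2UsernameOrEmailConfig().setExtendedKeyUsage(extendedKeyUsage);
    }

    /** Config mapping the subject DN's CN to a user by username or e-mail. */
    public static X509AuthenticatorConfigModel createLoginSubjectCN2UsernameOrEmailConfig() {
        return new X509AuthenticatorConfigModel()
                .setConfirmationPageAllowed(true)
                .setMappingSourceType(X509AuthenticatorConfigModel.MappingSourceType.SUBJECTDN_CN)
                .setUserIdentityMapperType(X509AuthenticatorConfigModel.IdentityMapperType.USERNAME_EMAIL);
    }

    /**
     * Config mapping an arbitrary certificate source to a custom user attribute.
     *
     * @param mappingSourceType which part of the certificate supplies the identity
     * @param attributeName     user attribute that must hold the extracted value
     */
    public static X509AuthenticatorConfigModel createLoginWithSpecifiedSourceTypeToCustomAttributeConfig(X509AuthenticatorConfigModel.MappingSourceType mappingSourceType, String attributeName) {
        return new X509AuthenticatorConfigModel()
                .setConfirmationPageAllowed(true)
                .setMappingSourceType(mappingSourceType)
                .setUserIdentityMapperType(X509AuthenticatorConfigModel.IdentityMapperType.USER_ATTRIBUTE)
                .setCustomAttributeName(attributeName);
    }

    /** Config extracting the issuer DN's {@code O=} value and matching it against {@code x509_certificate_identity}. */
    public static X509AuthenticatorConfigModel createLoginIssuerDN_OU2CustomAttributeConfig() {
        return new X509AuthenticatorConfigModel()
                .setConfirmationPageAllowed(true)
                .setMappingSourceType(X509AuthenticatorConfigModel.MappingSourceType.ISSUERDN)
                .setRegularExpression("O=(.*?)(?:,|$)")
                .setUserIdentityMapperType(X509AuthenticatorConfigModel.IdentityMapperType.USER_ATTRIBUTE)
                .setCustomAttributeName("x509_certificate_identity");
    }

    /**
     * Config matching the whole subject DN against the user attribute {@code x509_certificate_identity}.
     *
     * @param canonicalDn whether the DN is canonicalized before matching
     */
    public static X509AuthenticatorConfigModel createLoginSubjectDNToCustomAttributeConfig(boolean canonicalDn) {
        return new X509AuthenticatorConfigModel()
                .setConfirmationPageAllowed(true)
                .setCanonicalDnEnabled(canonicalDn)
                .setMappingSourceType(X509AuthenticatorConfigModel.MappingSourceType.SUBJECTDN)
                .setRegularExpression("(.*?)(?:$)")
                .setUserIdentityMapperType(X509AuthenticatorConfigModel.IdentityMapperType.USER_ATTRIBUTE)
                .setCustomAttributeName("x509_certificate_identity");
    }

    /**
     * Config matching the whole issuer DN against the user attribute {@code x509_certificate_identity}.
     *
     * @param canonicalDn whether the DN is canonicalized before matching
     */
    public static X509AuthenticatorConfigModel createLoginIssuerDNToCustomAttributeConfig(boolean canonicalDn) {
        return new X509AuthenticatorConfigModel()
                .setConfirmationPageAllowed(true)
                .setCanonicalDnEnabled(canonicalDn)
                .setMappingSourceType(X509AuthenticatorConfigModel.MappingSourceType.ISSUERDN)
                .setRegularExpression("(.*?)(?:$)")
                .setUserIdentityMapperType(X509AuthenticatorConfigModel.IdentityMapperType.USER_ATTRIBUTE)
                .setCustomAttributeName("x509_certificate_identity");
    }

    /**
     * Enables or disables the user with the given username.
     *
     * @throws AssertionError if no such user exists
     */
    public void setUserEnabled(String username, boolean enabled) {
        UserRepresentation user = findUser(username);
        Assert.assertNotNull(user);
        user.setEnabled(Boolean.valueOf(enabled));
        updateUser(user);
    }

    /**
     * Replaces the test's default WebDriver and re-points every {@link Page}-annotated field declared
     * between the concrete test class and {@link AbstractX509AuthenticationTest} at the new driver.
     *
     * @param webDriver the driver to use from now on
     * @throws IllegalStateException if a page field cannot be read reflectively
     */
    public void replaceDefaultWebDriver(WebDriver webDriver) {
        Objects.requireNonNull(webDriver, "webDriver");
        driver = webDriver;
        DroneUtils.addWebDriver(webDriver);

        // Walk from the concrete class up to AbstractX509AuthenticationTest; the set drops fields
        // that getDeclaredFields() and getFields() both report.
        Set<Field> fields = new LinkedHashSet<>();
        for (Class<?> type = getClass(); AbstractX509AuthenticationTest.class.isAssignableFrom(type); type = type.getSuperclass()) {
            fields.addAll(Arrays.asList(type.getDeclaredFields()));
            fields.addAll(Arrays.asList(type.getFields()));
        }
        for (Field field : fields) {
            if (field.getAnnotation(Page.class) == null) {
                continue;
            }
            try {
                // @Page fields are assumed to be injected by the time this runs; a null field NPEs here.
                ((AbstractPage) field.get(this)).setDriver(webDriver);
            } catch (IllegalAccessException e) {
                throw new IllegalStateException("Could not replace the driver in " + field, e);
            }
        }
    }

    /**
     * Runs a browser login with the client certificate PhantomJS presents, confirms the identity on
     * the confirmation page and asserts the resulting login event.
     *
     * @param config                 X.509 authenticator config to install on the browser execution
     * @param expectedUserId         id of the user the login event must be attributed to
     * @param expectedUsernameText   username the identity-confirmation page must display
     * @param expectedUsernameDetail value expected in the login event's {@code username} detail
     */
    public void x509BrowserLogin(X509AuthenticatorConfigModel config, String expectedUserId, String expectedUsernameText, String expectedUsernameDetail) {
        Assert.assertNotNull(createConfig(browserExecution.getId(), newConfig("x509-browser-config", config.getConfig())));

        loginConfirmationPage.open();
        Assert.assertTrue(loginConfirmationPage.getSubjectDistinguishedNameText().startsWith("EMAILADDRESS=test-user@localhost"));
        Assert.assertEquals(expectedUsernameText, loginConfirmationPage.getUsernameText());
        loginConfirmationPage.confirm();

        Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
        Assert.assertNotNull(oauth.getCurrentQuery().get("code"));

        addX509CertificateDetails(events.expectLogin()
                .user(expectedUserId)
                .detail("username", expectedUsernameDetail)
                .removeDetail("redirect_uri"))
                .assertEvent();
    }

    /**
     * Adds the certificate details an X.509 login event carries: a non-empty serial number and the
     * subject and issuer DNs of the test client certificate.
     */
    public AssertEvents.ExpectedEvent addX509CertificateDetails(AssertEvents.ExpectedEvent expectedEvent) {
        return expectedEvent
                .detail("x509_cert_serial_number", Matchers.not(Matchers.isEmptyOrNullString()))
                .detail("x509_cert_subject_distinguished_name", Matchers.startsWith("EMAILADDRESS=test-user@localhost"))
                .detail("x509_cert_issuer_distinguished_name", Matchers.startsWith("EMAILADDRESS=contact@keycloak.org"));
    }
}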
