package org.keycloak.testsuite.script;

import java.io.IOException;
import java.util.List;
import javax.ws.rs.core.Response;
import org.jboss.arquillian.container.test.api.Deployer;
import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.arquillian.container.test.api.TargetsContainer;
import org.jboss.arquillian.test.api.ArquillianResource;
import org.jboss.shrinkwrap.api.ShrinkWrap;
import org.jboss.shrinkwrap.api.asset.StringAsset;
import org.jboss.shrinkwrap.api.spec.JavaArchive;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.keycloak.admin.client.resource.AuthorizationResource;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.ClientsResource;
import org.keycloak.admin.client.resource.PermissionsResource;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.common.Profile;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.authorization.DecisionEffect;
import org.keycloak.representations.idm.authorization.DecisionStrategy;
import org.keycloak.representations.idm.authorization.JSPolicyRepresentation;
import org.keycloak.representations.idm.authorization.PolicyEvaluationRequest;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.provider.ScriptProviderDescriptor;
import org.keycloak.testsuite.arquillian.annotation.DisableFeature;
import org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected;
import org.keycloak.testsuite.authz.AbstractAuthzTest;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.ContainerAssume;
import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.testsuite.util.RoleBuilder;
import org.keycloak.testsuite.util.RolesBuilder;
import org.keycloak.testsuite.util.UserBuilder;
import org.keycloak.util.JsonSerialization;

/* loaded from: input_file:org/keycloak/testsuite/script/DeployedScriptPolicyTest.class */
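/**
 * Exercises JavaScript authorization policies that reach the server as a deployed
 * archive ({@code scripts.jar} with a {@code keycloak-scripts.json} descriptor)
 * rather than through the admin REST API.
 *
 * <p>Two tests run with {@link Profile.Feature#UPLOAD_SCRIPTS} disabled and check that
 * script code cannot be submitted through the API in that configuration: the generic
 * {@code js} provider is not listed and creating a {@link JSPolicyRepresentation} fails.
 * The third test checks that the deployed scripts are usable as policy types and that
 * permission evaluation follows the configured decision strategy.
 */
public class DeployedScriptPolicyTest extends AbstractAuthzTest {
    private static final String SCRIPT_DEPLOYMENT_NAME = "scripts.jar";

    @ArquillianResource
    private Deployer deployer;

    /**
     * Builds the script archive: a descriptor naming two policies plus the two script
     * files, one that always grants and one that always denies.
     *
     * <p>The deployment is unmanaged ({@code managed = false}), so it is only installed
     * when {@link #onBefore()} asks the deployer for it.
     *
     * @return the archive handed to Arquillian
     * @throws IOException if the descriptor cannot be serialized to JSON
     */
    @Deployment(name = SCRIPT_DEPLOYMENT_NAME, managed = false, testable = false)
    @TargetsContainer("auth-server-current")
    public static JavaArchive deploy() throws IOException {
        ScriptProviderDescriptor descriptor = new ScriptProviderDescriptor();
        descriptor.addPolicy("Grant Policy", "policy-grant.js");
        descriptor.addPolicy("Deny Policy", "policy-deny.js");

        String descriptorJson = JsonSerialization.writeValueAsPrettyString(descriptor);
        return ShrinkWrap.create(JavaArchive.class, SCRIPT_DEPLOYMENT_NAME)
                .addAsManifestResource(new StringAsset(descriptorJson), "keycloak-scripts.json")
                .addAsResource(new StringAsset("$evaluation.grant();"), "policy-grant.js")
                .addAsResource(new StringAsset("$evaluation.deny();"), "policy-deny.js");
    }

    /**
     * Applies the two container assumptions before any test runs.
     * NOTE(review): presumably these skip the class on Undertow and Quarkus auth
     * servers; confirm against {@link ContainerAssume}.
     */
    @BeforeClass
    public static void verifyEnvironment() {
        ContainerAssume.assumeNotAuthServerUndertow();
        ContainerAssume.assumeNotAuthServerQuarkus();
    }

    /**
     * Registers the {@code authz-test} realm: one realm role, two users and a
     * confidential {@code resource-server} client with authorization services enabled.
     *
     * @param list realm list collected by the base test class; the new realm is appended
     */
    @Override
    public void addTestRealms(List<RealmRepresentation> list) {
        // The password and client secret below are fixture values for this test realm only.
        list.add(RealmBuilder.create()
                .name("authz-test")
                .roles(RolesBuilder.create()
                        .realmRole(RoleBuilder.create().name("uma_authorization").build()))
                .user(UserBuilder.create()
                        .username("marta")
                        .password("password")
                        .addRoles("uma_authorization"))
                .user(UserBuilder.create()
                        .username("kolo")
                        .password("password"))
                .client(ClientBuilder.create()
                        .clientId("resource-server")
                        .secret("secret")
                        .authorizationServicesEnabled(true)
                        .redirectUris("http://localhost/resource-server-test")
                        .defaultRoles("uma_protection")
                        .directAccessGrants())
                .build());
    }

    /** Deploys the script archive and creates the resource the permission test protects. */
    @Before
    public void onBefore() {
        this.deployer.deploy(SCRIPT_DEPLOYMENT_NAME);
        // The status is deliberately not asserted (this runs before every test against the
        // same realm), but the response is closed so the client connection is released.
        getAuthorizationResource().resources()
                .create(new ResourceRepresentation("Default Resource", new String[0]))
                .close();
    }

    /** Removes the script archive again so each test starts from a fresh deployment. */
    @After
    public void onAfter() {
        this.deployer.undeploy(SCRIPT_DEPLOYMENT_NAME);
    }

    /**
     * With script upload disabled, the generic {@code js} policy provider must not be
     * offered by the authorization admin API.
     */
    @Test
    @DisableFeature(value = Profile.Feature.UPLOAD_SCRIPTS, skipRestart = true)
    public void testJSPolicyProviderNotAvailable() {
        Assert.assertFalse(getAuthorizationResource().policies().policyProviders().stream()
                .anyMatch(provider -> "js".equals(provider.getType())));
    }

    /**
     * With script upload disabled, posting a JS policy that carries inline code must be
     * rejected. The test pins the status the server currently answers with (500) and is
     * annotated with {@link UncaughtServerErrorExpected} accordingly.
     */
    @Test
    @UncaughtServerErrorExpected
    @DisableFeature(value = Profile.Feature.UPLOAD_SCRIPTS, skipRestart = true)
    public void failCreateJSPolicy() {
        JSPolicyRepresentation policy = new JSPolicyRepresentation();
        policy.setName("JS Policy");
        policy.setType("js");
        policy.setCode("$evaluation.grant();");

        // try-with-resources closes the response whether or not the assertion passes.
        try (Response response = getAuthorizationResource().policies().js().create(policy)) {
            Assert.assertEquals(500, response.getStatus());
        }
    }

    /**
     * Creates policies backed by the deployed scripts, attaches them to a resource
     * permission and checks the evaluation result after each change.
     */
    @Test
    public void testCreatePermission() {
        AuthorizationResource authorization = getAuthorizationResource();

        // Deployed scripts are addressed by policy type "script-<file name>".
        PolicyRepresentation grantPolicy = new PolicyRepresentation();
        grantPolicy.setName("Grant Policy");
        grantPolicy.setType("script-policy-grant.js");
        authorization.policies().create(grantPolicy).close();

        PolicyRepresentation denyPolicy = new PolicyRepresentation();
        denyPolicy.setName("Deny Policy");
        denyPolicy.setType("script-policy-deny.js");
        authorization.policies().create(denyPolicy).close();

        PermissionsResource permissions = authorization.permissions();
        ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
        permission.setName("Test Deployed JS Permission");
        permission.addResource("Default Resource");
        permission.addPolicy(grantPolicy.getName());
        permissions.resource().create(permission).close();

        PolicyEvaluationRequest request = new PolicyEvaluationRequest();
        request.setUserId("marta");
        request.addResource("Default Resource", new String[0]);

        // Only the grant policy is attached: access is permitted.
        Assert.assertEquals(DecisionEffect.PERMIT, authorization.policies().evaluate(request).getStatus());

        // Adding the deny policy flips the result under the permission's initial decision
        // strategy (not set by this test; presumably UNANIMOUS, confirm).
        ResourcePermissionRepresentation stored = permissions.resource().findByName(permission.getName());
        stored.addPolicy(denyPolicy.getName());
        permissions.resource().findById(stored.getId()).update(stored);
        Assert.assertEquals(DecisionEffect.DENY, authorization.policies().evaluate(request).getStatus());

        // Adding the grant policy once more does not outweigh the deny.
        stored.addPolicy(grantPolicy.getName());
        permissions.resource().findById(stored.getId()).update(stored);
        Assert.assertEquals(DecisionEffect.DENY, authorization.policies().evaluate(request).getStatus());

        // AFFIRMATIVE: the same set of policies now permits.
        stored.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
        permissions.resource().findById(stored.getId()).update(stored);
        Assert.assertEquals(DecisionEffect.PERMIT, authorization.policies().evaluate(request).getStatus());
    }

    /** Returns the authorization admin resource of the {@code resource-server} client. */
    private AuthorizationResource getAuthorizationResource() {
        return getClient(realmsResouce().realm("authz-test"), "resource-server").authorization();
    }

    /**
     * Looks up a client by its client id within the given realm.
     *
     * @param realmResource realm to search
     * @param clientId client id to look for
     * @return the admin resource of the first matching client
     * @throws RuntimeException if the realm has no client with that id
     */
    private ClientResource getClient(RealmResource realmResource, String clientId) {
        ClientsResource clients = realmResource.clients();
        return clients.findByClientId(clientId).stream()
                .map(representation -> clients.get(representation.getId()))
                .findFirst()
                // Report the id that was actually requested; the previous message named a
                // fixed "resource-server-test", which is not a client id used by this test.
                .orElseThrow(() -> new RuntimeException("Expected client [" + clientId + "]"));
    }
}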
