package org.keycloak.testsuite.keys;

import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.security.KeyPair;
import java.util.List;
import java.util.Map;
import javax.ws.rs.core.Response;
import org.jboss.arquillian.graphene.page.Page;
import org.junit.Assert;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.client.registration.Auth;
import org.keycloak.client.registration.ClientRegistration;
import org.keycloak.client.registration.ClientRegistrationException;
import org.keycloak.common.util.KeyUtils;
import org.keycloak.common.util.MultivaluedHashMap;
import org.keycloak.common.util.PemUtils;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.keys.KeyProvider;
import org.keycloak.representations.idm.ClientInitialAccessCreatePresentation;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.ComponentRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.AbstractAdminTest;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.pages.AppPage;
import org.keycloak.testsuite.pages.LoginPage;
import org.keycloak.testsuite.util.AdminClientUtil;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.KeycloakModelUtils;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.UserInfoClientUtil;

/* loaded from: input_file:org/keycloak/testsuite/keys/KeyRotationTest.class */
public class KeyRotationTest extends AbstractKeycloakTest {

    @Rule
    public AssertEvents events = new AssertEvents(this);

    @Page
    protected AppPage appPage;

    @Page
    protected LoginPage loginPage;

    /* loaded from: input_file:org/keycloak/testsuite/keys/KeyRotationTest$ActiveKeys.class */
    private class ActiveKeys {
        private String rsaKid;
        private String hsKid;

        private ActiveKeys() {
        }
    }

    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void addTestRealms(List<RealmRepresentation> list) {
        RealmRepresentation realmRepresentation = (RealmRepresentation) AbstractAdminTest.loadJson(getClass().getResourceAsStream("/testrealm.json"), RealmRepresentation.class);
        list.add(realmRepresentation);
        ClientRepresentation createClient = KeycloakModelUtils.createClient(realmRepresentation, "confidential-cli");
        createClient.setSecret("secret1");
        createClient.setServiceAccountsEnabled(Boolean.TRUE);
    }

    @Test
    public void testIdentityCookie() throws Exception {
        createKeys1();
        this.loginPage.open();
        this.loginPage.login(AssertEvents.DEFAULT_USERNAME, "password");
        Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, this.appPage.getRequestType());
        createKeys2();
        this.appPage.open();
        this.oauth.openLoginForm();
        Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, this.appPage.getRequestType());
        dropKeys1();
        this.appPage.open();
        this.oauth.openLoginForm();
        Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, this.appPage.getRequestType());
        dropKeys2();
        this.appPage.open();
        this.oauth.openLoginForm();
        Assert.assertTrue(this.loginPage.isCurrent());
    }

    @Test
    public void testTokens() throws Exception {
        Map<String, String> createKeys1 = createKeys1();
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password");
        Assert.assertEquals(200L, doAccessTokenRequest.getStatusCode());
        assertTokenKid(createKeys1.get("RS256"), doAccessTokenRequest.getAccessToken());
        assertTokenKid(createKeys1.get("HS256"), doAccessTokenRequest.getRefreshToken());
        ClientInitialAccessCreatePresentation clientInitialAccessCreatePresentation = new ClientInitialAccessCreatePresentation();
        clientInitialAccessCreatePresentation.setCount(100);
        clientInitialAccessCreatePresentation.setExpiration(0);
        String token = this.adminClient.realm("test").clientInitialAccess().create(clientInitialAccessCreatePresentation).getToken();
        ClientRegistration build = ClientRegistration.create().url(this.suiteContext.getAuthServerInfo().getContextRoot() + "/auth", "test").build();
        build.auth(Auth.token(token));
        ClientRepresentation create = build.create(ClientBuilder.create().clientId("test").build());
        assertUserInfo(doAccessTokenRequest.getAccessToken(), 200);
        assertTokenIntrospection(doAccessTokenRequest.getAccessToken(), true);
        ClientRepresentation clientRepresentation = build.auth(Auth.token(create.getRegistrationAccessToken())).get("test");
        Assert.assertEquals(create.getRegistrationAccessToken(), clientRepresentation.getRegistrationAccessToken());
        Map<String, String> createKeys2 = createKeys2();
        Assert.assertNotEquals(createKeys1.get("RS256"), createKeys2.get("RS256"));
        Assert.assertNotEquals(createKeys1.get("HS256"), createKeys2.get("HS512"));
        OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(doAccessTokenRequest.getRefreshToken(), "password");
        Assert.assertEquals(200L, doRefreshTokenRequest.getStatusCode());
        assertTokenKid(createKeys2.get("RS256"), doRefreshTokenRequest.getAccessToken());
        assertTokenKid(createKeys2.get("HS256"), doRefreshTokenRequest.getRefreshToken());
        assertUserInfo(doRefreshTokenRequest.getAccessToken(), 200);
        assertTokenIntrospection(doRefreshTokenRequest.getAccessToken(), true);
        ClientRepresentation clientRepresentation2 = build.auth(Auth.token(create.getRegistrationAccessToken())).get("test");
        Assert.assertNotEquals(create.getRegistrationAccessToken(), clientRepresentation2.getRegistrationAccessToken());
        dropKeys1();
        OAuthClient.AccessTokenResponse doRefreshTokenRequest2 = this.oauth.doRefreshTokenRequest(doRefreshTokenRequest.getRefreshToken(), "password");
        assertTokenKid(createKeys2.get("RS256"), doRefreshTokenRequest2.getAccessToken());
        assertTokenKid(createKeys2.get("HS256"), doRefreshTokenRequest2.getRefreshToken());
        assertUserInfo(doRefreshTokenRequest2.getAccessToken(), 200);
        assertTokenIntrospection(doRefreshTokenRequest2.getAccessToken(), true);
        try {
            build.auth(Auth.token(create.getRegistrationAccessToken())).get("test");
            Assert.fail("Expected to fail");
        } catch (ClientRegistrationException e) {
        }
        Assert.assertNotEquals(clientRepresentation.getRegistrationAccessToken(), build.auth(Auth.token(clientRepresentation2.getRegistrationAccessToken())).get("test").getRegistrationAccessToken());
        dropKeys2();
        assertUserInfo(doRefreshTokenRequest2.getAccessToken(), 401);
        assertTokenIntrospection(doRefreshTokenRequest2.getAccessToken(), false);
        OAuthClient.AccessTokenResponse doRefreshTokenRequest3 = this.oauth.doRefreshTokenRequest(doRefreshTokenRequest2.getRefreshToken(), "password");
        Assert.assertEquals(400L, doRefreshTokenRequest3.getStatusCode());
        Assert.assertEquals("Invalid refresh token", doRefreshTokenRequest3.getErrorDescription());
    }

    @Test
    public void providerOrder() throws Exception {
        Map<String, String> createKeys1 = createKeys1();
        Map<String, String> createKeys2 = createKeys2();
        Assert.assertNotEquals(createKeys1.get("RS256"), createKeys2.get("RS256"));
        Assert.assertNotEquals(createKeys1.get("HS256"), createKeys2.get("HS512"));
        dropKeys1();
        dropKeys2();
    }

    @Test
    public void rotateKeys() throws InterruptedException {
        for (int i = 0; i < 10; i++) {
            String str = (String) this.adminClient.realm("test").keys().getKeyMetadata().getActive().get("RS256");
            String id = this.adminClient.realm("test").toRepresentation().getId();
            ComponentRepresentation componentRepresentation = new ComponentRepresentation();
            componentRepresentation.setName("generated" + i);
            componentRepresentation.setProviderType(KeyProvider.class.getName());
            componentRepresentation.setProviderId("rsa-generated");
            componentRepresentation.setParentId(id);
            componentRepresentation.setConfig(new MultivaluedHashMap());
            componentRepresentation.getConfig().putSingle("priority", "1000" + i);
            Response add = this.adminClient.realm("test").components().add(componentRepresentation);
            Assert.assertEquals(201L, add.getStatus());
            getCleanup().addComponentId(ApiUtil.getCreatedId(add));
            add.close();
            Assert.assertNotEquals(str, (String) this.adminClient.realm("test").keys().getKeyMetadata().getActive().get("RS256"));
        }
    }

    private void assertTokenKid(String str, String str2) throws JWSInputException {
        Assert.assertEquals(str, new JWSInput(str2).getHeader().getKeyId());
    }

    private Map<String, String> createKeys1() throws Exception {
        return createKeys("1000");
    }

    private Map<String, String> createKeys2() throws Exception {
        return createKeys("2000");
    }

    private Map<String, String> createKeys(String str) throws Exception {
        KeyPair generateRsaKeyPair = KeyUtils.generateRsaKeyPair(1024);
        String encodeKey = PemUtils.encodeKey(generateRsaKeyPair.getPrivate());
        generateRsaKeyPair.getPublic();
        ComponentRepresentation componentRepresentation = new ComponentRepresentation();
        componentRepresentation.setName("mycomponent");
        componentRepresentation.setParentId("test");
        componentRepresentation.setProviderId("rsa");
        componentRepresentation.setProviderType(KeyProvider.class.getName());
        MultivaluedHashMap multivaluedHashMap = new MultivaluedHashMap();
        multivaluedHashMap.addFirst("priority", str);
        multivaluedHashMap.addFirst("privateKey", encodeKey);
        componentRepresentation.setConfig(multivaluedHashMap);
        this.adminClient.realm("test").components().add(componentRepresentation).close();
        ComponentRepresentation componentRepresentation2 = new ComponentRepresentation();
        componentRepresentation2.setName("mycomponent2");
        componentRepresentation2.setParentId("test");
        componentRepresentation2.setProviderId("hmac-generated");
        componentRepresentation2.setProviderType(KeyProvider.class.getName());
        MultivaluedHashMap multivaluedHashMap2 = new MultivaluedHashMap();
        multivaluedHashMap2.addFirst("priority", str);
        componentRepresentation2.setConfig(multivaluedHashMap2);
        this.adminClient.realm("test").components().add(componentRepresentation2).close();
        return realmsResouce().realm("test").keys().getKeyMetadata().getActive();
    }

    private void dropKeys1() {
        dropKeys("1000");
    }

    private void dropKeys2() {
        dropKeys("2000");
    }

    private void dropKeys(String str) {
        int i = 0;
        for (ComponentRepresentation componentRepresentation : this.adminClient.realm("test").components().query("test", KeyProvider.class.getName())) {
            if (((String) componentRepresentation.getConfig().getFirst("priority")).equals(str)) {
                this.adminClient.realm("test").components().component(componentRepresentation.getId()).remove();
                i++;
            }
        }
        if (i != 2) {
            throw new RuntimeException("Failed to find keys1");
        }
    }

    private void assertUserInfo(String str, int i) {
        Response executeUserInfoRequest_getMethod = UserInfoClientUtil.executeUserInfoRequest_getMethod(AdminClientUtil.createResteasyClient(), str);
        Throwable th = null;
        try {
            Assert.assertEquals(i, executeUserInfoRequest_getMethod.getStatus());
            if (executeUserInfoRequest_getMethod != null) {
                if (0 == 0) {
                    executeUserInfoRequest_getMethod.close();
                    return;
                }
                try {
                    executeUserInfoRequest_getMethod.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
        } catch (Throwable th3) {
            if (executeUserInfoRequest_getMethod != null) {
                if (0 != 0) {
                    try {
                        executeUserInfoRequest_getMethod.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    executeUserInfoRequest_getMethod.close();
                }
            }
            throw th3;
        }
    }

    private void assertTokenIntrospection(String str, boolean z) {
        try {
            Assert.assertEquals(Boolean.valueOf(z), Boolean.valueOf(new ObjectMapper().readTree(this.oauth.introspectAccessTokenWithClientCredential("confidential-cli", "secret1", str)).get("active").asBoolean()));
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }
}
