package org.keycloak.testsuite.broker;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import org.jetbrains.annotations.NotNull;
import org.junit.Test;
import org.keycloak.admin.client.resource.IdentityProviderResource;
import org.keycloak.models.IdentityProviderMapperSyncMode;
import org.keycloak.representations.idm.IdentityProviderMapperRepresentation;
import org.keycloak.representations.idm.IdentityProviderRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

/* loaded from: input_file:org/keycloak/testsuite/broker/OidcClaimToRoleMapperTest.class */
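/**
 * Broker tests for the OIDC claim-to-role identity-provider mapper
 * ({@code oidc-role-idp-mapper}).
 *
 * <p>Every test sets the {@link #CLAIM} attribute on the user in the provider realm, drives one or
 * two logins through inherited helpers, and then asserts whether the mapped role is present on the
 * user found in the consumer realm.
 *
 * <p>The mismatch cases matter for authorization: they check that a role granted from a claim is
 * no longer present once the claim stops matching, for the given
 * {@link IdentityProviderMapperSyncMode}.
 */
public class OidcClaimToRoleMapperTest extends AbstractRoleMapperTest {
    /** Name of the user attribute / claim the mapper is configured to inspect. */
    protected static final String CLAIM = "user-attribute";
    /** Claim value the mapper is configured to match in the positive cases. */
    protected static final String CLAIM_VALUE = "value 1";
    /** Value written to {@link #CLAIM} by {@link #updateUser()}. */
    private String claimOnSecondLogin = "";

    /** Runs these tests against the Keycloak-to-Keycloak OIDC broker configuration. */
    @Override
    protected BrokerConfiguration getBrokerConfiguration() {
        return new KcOidcBrokerConfiguration();
    }

    /** A mapper configured with {@link #CLAIM_VALUE} and a user carrying that value: role expected. */
    @Test
    public void allClaimValuesMatch() {
        createClaimToRoleMapper(CLAIM_VALUE);
        // ImmutableMap.of / ImmutableList.of take their type arguments from the parameter type;
        // a bare ImmutableMap.builder() chain would be typed <Object, Object>.
        createUserInProviderRealm(ImmutableMap.of(CLAIM, ImmutableList.of(CLAIM_VALUE)));
        logInAsUserInIDPForFirstTime();
        UserRepresentation user = findUser(bc.consumerRealmName(), bc.getUserLogin(), bc.getUserEmail());
        assertThatRoleHasBeenAssignedInConsumerRealmTo(user);
    }

    /** A mapper configured with a different value than the user carries: role must not be granted. */
    @Test
    public void claimValuesMismatch() {
        createClaimToRoleMapper("other value");
        createUserInProviderRealm(ImmutableMap.of(CLAIM, ImmutableList.of(CLAIM_VALUE)));
        logInAsUserInIDPForFirstTime();
        UserRepresentation user = findUser(bc.consumerRealmName(), bc.getUserLogin(), bc.getUserEmail());
        assertThatRoleHasNotBeenAssignedInConsumerRealmTo(user);
    }

    /** FORCE mode: after the claim changes to a non-matching value the role must be absent. */
    @Test
    public void updateBrokeredUserMismatchDeletesRoleInForceMode() {
        UserRepresentation user =
                loginWithClaimThenChangeClaimToValue("value mismatch", IdentityProviderMapperSyncMode.FORCE, false);
        assertThatRoleHasNotBeenAssignedInConsumerRealmTo(user);
    }

    /** LEGACY mode: after the claim changes to a non-matching value the role must be absent. */
    @Test
    public void updateBrokeredUserMismatchDeletesRoleInLegacyMode() {
        UserRepresentation user = createMapperThenLoginWithStandardClaimThenChangeClaimToValue(
                "value mismatch", IdentityProviderMapperSyncMode.LEGACY);
        assertThatRoleHasNotBeenAssignedInConsumerRealmTo(user);
    }

    /** FORCE mode: a mapper added after the first login grants the role on the next login. */
    @Test
    public void updateBrokeredUserNewMatchGrantsRoleAfterFirstLoginInForceMode() {
        UserRepresentation user =
                loginWithStandardClaimThenAddMapperAndLoginAgain(IdentityProviderMapperSyncMode.FORCE);
        assertThatRoleHasBeenAssignedInConsumerRealmTo(user);
    }

    /** LEGACY mode: a mapper added after the first login must not grant the role. */
    @Test
    public void updateBrokeredUserNewMatchDoesNotGrantRoleAfterFirstLoginInLegacyMode() {
        UserRepresentation user =
                loginWithStandardClaimThenAddMapperAndLoginAgain(IdentityProviderMapperSyncMode.LEGACY);
        assertThatRoleHasNotBeenAssignedInConsumerRealmTo(user);
    }

    /** FORCE mode: the role stays assigned when the claim on the second login still matches. */
    @Test
    public void updateBrokeredUserDoesNotDeleteRoleIfClaimStillMatches() {
        UserRepresentation user = createMapperThenLoginWithStandardClaimThenChangeClaimToValue(
                CLAIM_VALUE, IdentityProviderMapperSyncMode.FORCE);
        assertThatRoleHasBeenAssignedInConsumerRealmTo(user);
    }

    /** Two-login scenario that keeps {@link #CLAIM_VALUE} and passes {@code true} for the mapper flag. */
    private UserRepresentation loginWithStandardClaimThenAddMapperAndLoginAgain(IdentityProviderMapperSyncMode syncMode) {
        return loginWithClaimThenChangeClaimToValue(CLAIM_VALUE, syncMode, true);
    }

    /** Two-login scenario that changes the claim to {@code claimOnSecondLogin} and passes {@code false} for the mapper flag. */
    private UserRepresentation createMapperThenLoginWithStandardClaimThenChangeClaimToValue(
            String claimOnSecondLogin, IdentityProviderMapperSyncMode syncMode) {
        return loginWithClaimThenChangeClaimToValue(claimOnSecondLogin, syncMode, false);
    }

    /**
     * Records the claim value for {@link #updateUser()} and runs the inherited two-login scenario
     * with a user that initially carries {@link #CLAIM_VALUE}.
     *
     * @param claimOnSecondLogin value stored for {@link #updateUser()} to write to {@link #CLAIM}
     * @param syncMode sync mode forwarded to {@code loginAsUserTwiceWithMapper}
     * @param addMapperAfterFirstLogin forwarded unchanged; judging by the wrapper names above,
     *     {@code true} means the mapper is added only after the first login (confirm against
     *     {@code loginAsUserTwiceWithMapper} in the parent class)
     * @return the user representation returned by {@code loginAsUserTwiceWithMapper}
     */
    @NotNull
    private UserRepresentation loginWithClaimThenChangeClaimToValue(
            String claimOnSecondLogin, IdentityProviderMapperSyncMode syncMode, boolean addMapperAfterFirstLogin) {
        this.claimOnSecondLogin = claimOnSecondLogin;
        return loginAsUserTwiceWithMapper(
                syncMode, addMapperAfterFirstLogin, ImmutableMap.of(CLAIM, ImmutableList.of(CLAIM_VALUE)));
    }

    /** Sets up the identity provider and adds an IMPORT-mode mapper matching {@code claimValue}. */
    private void createClaimToRoleMapper(String claimValue) {
        IdentityProviderRepresentation idp = setupIdentityProvider();
        createClaimToRoleMapper(idp, claimValue, IdentityProviderMapperSyncMode.IMPORT);
    }

    /** Adds the mapper matching {@link #CLAIM_VALUE} to the given identity provider. */
    @Override
    protected void createMapperInIdp(IdentityProviderRepresentation identityProviderRepresentation, IdentityProviderMapperSyncMode identityProviderMapperSyncMode) {
        createClaimToRoleMapper(identityProviderRepresentation, CLAIM_VALUE, identityProviderMapperSyncMode);
    }

    /** Overwrites the provider-realm user's attributes so {@link #CLAIM} holds the recorded value. */
    @Override
    protected void updateUser() {
        UserRepresentation providerUser = findUser(bc.providerRealmName(), bc.getUserLogin(), bc.getUserEmail());
        // setAttributes replaces the whole attribute map, not just the CLAIM entry.
        providerUser.setAttributes(ImmutableMap.of(CLAIM, ImmutableList.of(claimOnSecondLogin)));
        adminClient.realm(bc.providerRealmName()).users().get(providerUser.getId()).update(providerUser);
    }

    /**
     * Registers a {@code claim-to-role-mapper} of type {@code oidc-role-idp-mapper} that maps
     * {@link #CLAIM} with the given value to {@code CLIENT_ROLE_MAPPER_REPRESENTATION}.
     *
     * @param identityProviderRepresentation identity provider whose alias selects the admin resource
     * @param claimValue value written to the mapper's {@code claim.value} setting
     * @param identityProviderMapperSyncMode sync mode written to the mapper's {@code syncMode} setting
     */
    protected void createClaimToRoleMapper(IdentityProviderRepresentation identityProviderRepresentation, String claimValue, IdentityProviderMapperSyncMode identityProviderMapperSyncMode) {
        IdentityProviderMapperRepresentation mapper = new IdentityProviderMapperRepresentation();
        mapper.setName("claim-to-role-mapper");
        mapper.setIdentityProviderMapper("oidc-role-idp-mapper");
        mapper.setConfig(ImmutableMap.of(
                "syncMode", identityProviderMapperSyncMode.toString(),
                "claim", CLAIM,
                "claim.value", claimValue,
                "role", AbstractRoleMapperTest.CLIENT_ROLE_MAPPER_REPRESENTATION));
        IdentityProviderResource idpResource = realm.identityProviders().get(identityProviderRepresentation.getAlias());
        // NOTE(review): the resource is looked up by the representation's alias while the mapper
        // carries bc.getIDPAlias(); presumably these are the same alias - confirm.
        mapper.setIdentityProviderAlias(bc.getIDPAlias());
        // NOTE(review): the response is closed without inspecting its status. If mapper creation
        // were rejected, the "role has not been assigned" tests could pass without exercising
        // the mapper; consider asserting the status before closing.
        idpResource.addMapper(mapper).close();
    }
}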
