package org.keycloak.testsuite.saml;

import java.io.IOException;
import java.net.URI;
import java.util.Arrays;
import java.util.List;
import java.util.UUID;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Consumer;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilderException;
import javax.xml.transform.dom.DOMSource;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.dom.saml.v2.SAML2Object;
import org.keycloak.dom.saml.v2.assertion.NameIDType;
import org.keycloak.dom.saml.v2.protocol.AuthnRequestType;
import org.keycloak.dom.saml.v2.protocol.LogoutRequestType;
import org.keycloak.dom.saml.v2.protocol.ResponseType;
import org.keycloak.events.EventType;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.EventRepresentation;
import org.keycloak.representations.idm.IdentityProviderRepresentation;
import org.keycloak.saml.SAML2LoginResponseBuilder;
import org.keycloak.saml.SAML2LogoutResponseBuilder;
import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
import org.keycloak.saml.common.exceptions.ConfigurationException;
import org.keycloak.saml.common.exceptions.ProcessingException;
import org.keycloak.saml.processing.core.parsers.saml.SAMLParser;
import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder;
import org.keycloak.testsuite.updaters.ClientAttributeUpdater;
import org.keycloak.testsuite.updaters.IdentityProviderCreator;
import org.keycloak.testsuite.updaters.ServerResourceUpdater;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.IdentityProviderBuilder;
import org.keycloak.testsuite.util.Matchers;
import org.keycloak.testsuite.util.SamlClient;
import org.keycloak.testsuite.util.SamlClientBuilder;
import org.keycloak.testsuite.util.saml.CreateLogoutRequestStepBuilder;

/* loaded from: input_file:org/keycloak/testsuite/saml/LogoutTest.class */
public class LogoutTest extends AbstractSamlTest {
    private static final String SP_PROVIDED_ID = "spProvidedId";
    private static final String SP_NAME_QUALIFIER = "spNameQualifier";
    private static final String NAME_QUALIFIER = "nameQualifier";
    private static final String BROKER_SIGN_ON_SERVICE_URL = "https://saml.idp/saml";
    private static final String BROKER_LOGOUT_SERVICE_URL = "https://saml.idp/SLO/saml";
    private static final String BROKER_SERVICE_ID = "https://saml.idp/saml";
    private ClientRepresentation salesRep;
    private ClientRepresentation sales2Rep;

    @Before
    public void setup() {
        this.salesRep = (ClientRepresentation) this.adminClient.realm(AbstractSamlTest.REALM_NAME).clients().findByClientId(AbstractSamlTest.SAML_CLIENT_ID_SALES_POST).get(0);
        this.sales2Rep = (ClientRepresentation) this.adminClient.realm(AbstractSamlTest.REALM_NAME).clients().findByClientId(AbstractSamlTest.SAML_CLIENT_ID_SALES_POST2).get(0);
        this.adminClient.realm(AbstractSamlTest.REALM_NAME).clients().get(this.salesRep.getId()).update(ClientBuilder.edit(this.salesRep).frontchannelLogout(true).attribute("saml_single_logout_service_url_post", "http://url").build());
        this.nameIdRef.set(null);
        this.sessionIndexRef.set(null);
        this.adminClient.realm(AbstractSamlTest.REALM_NAME).clearEvents();
    }

    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    protected boolean isImportAfterEachMethod() {
        return true;
    }

    private SamlClientBuilder logIntoUnsignedSalesAppViaIdp() throws IllegalArgumentException, UriBuilderException {
        return new SamlClientBuilder().authnRequest(getAuthServerSamlEndpoint(AbstractSamlTest.REALM_NAME), AbstractSamlTest.SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, SamlClient.Binding.POST).build().login().idp(AbstractSamlTest.SAML_BROKER_ALIAS).build().processSamlResponse(SamlClient.Binding.REDIRECT).transformObject(this::createAuthnResponse).targetAttributeSamlResponse().targetUri(getSamlBrokerUrl(AbstractSamlTest.REALM_NAME)).build().updateProfile().username("a").email("a@b.c").firstName("A").lastName("B").build().followOneRedirect().processSamlResponse(SamlClient.Binding.POST).transformObject(this::extractNameIdAndSessionIndexAndTerminate).build();
    }

    private SamlClientBuilder prepareLogIntoTwoApps() {
        return new SamlClientBuilder().authnRequest(getAuthServerSamlEndpoint(AbstractSamlTest.REALM_NAME), AbstractSamlTest.SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, SamlClient.Binding.POST).build().login().user(this.bburkeUser).build().processSamlResponse(SamlClient.Binding.POST).transformObject(this::extractNameIdAndSessionIndexAndTerminate).build().authnRequest(getAuthServerSamlEndpoint(AbstractSamlTest.REALM_NAME), AbstractSamlTest.SAML_CLIENT_ID_SALES_POST2, SAML_ASSERTION_CONSUMER_URL_SALES_POST2, SamlClient.Binding.POST).build().login().sso(true).build().processSamlResponse(SamlClient.Binding.POST).transformObject(sAML2Object -> {
            Assert.assertThat(sAML2Object, Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
            return null;
        }).build();
    }

    @Test
    public void testLogoutDifferentBrowser() {
        this.adminClient.realm(AbstractSamlTest.REALM_NAME).clients().get(this.sales2Rep.getId()).update(ClientBuilder.edit(this.sales2Rep).frontchannelLogout(false).attribute("saml_single_logout_service_url_post", "").removeAttribute("saml_single_logout_service_url_redirect").build());
        CreateLogoutRequestStepBuilder logoutRequest = prepareLogIntoTwoApps().clearCookies().logoutRequest(getAuthServerSamlEndpoint(AbstractSamlTest.REALM_NAME), AbstractSamlTest.SAML_CLIENT_ID_SALES_POST, SamlClient.Binding.POST);
        AtomicReference<NameIDType> atomicReference = this.nameIdRef;
        atomicReference.getClass();
        CreateLogoutRequestStepBuilder nameId = logoutRequest.nameId(atomicReference::get);
        AtomicReference<String> atomicReference2 = this.sessionIndexRef;
        atomicReference2.getClass();
        Assert.assertThat(nameId.sessionIndex(atomicReference2::get).build().getSamlResponse(SamlClient.Binding.POST).getSamlObject(), Matchers.isSamlStatusResponse(new JBossSAMLURIConstants[]{JBossSAMLURIConstants.STATUS_SUCCESS}));
    }

    @Test
    public void testFrontchannelLogoutInSameBrowser() {
        this.adminClient.realm(AbstractSamlTest.REALM_NAME).clients().get(this.sales2Rep.getId()).update(ClientBuilder.edit(this.sales2Rep).frontchannelLogout(true).attribute("saml_single_logout_service_url_post", "").build());
        CreateLogoutRequestStepBuilder logoutRequest = prepareLogIntoTwoApps().logoutRequest(getAuthServerSamlEndpoint(AbstractSamlTest.REALM_NAME), AbstractSamlTest.SAML_CLIENT_ID_SALES_POST, SamlClient.Binding.POST);
        AtomicReference<NameIDType> atomicReference = this.nameIdRef;
        atomicReference.getClass();
        CreateLogoutRequestStepBuilder nameId = logoutRequest.nameId(atomicReference::get);
        AtomicReference<String> atomicReference2 = this.sessionIndexRef;
        atomicReference2.getClass();
        Assert.assertThat(nameId.sessionIndex(atomicReference2::get).build().getSamlResponse(SamlClient.Binding.POST).getSamlObject(), Matchers.isSamlStatusResponse(new JBossSAMLURIConstants[]{JBossSAMLURIConstants.STATUS_SUCCESS}));
        assertLogoutEvent(AbstractSamlTest.SAML_CLIENT_ID_SALES_POST);
    }

    @Test
    public void testFrontchannelLogoutNoLogoutServiceUrlSetInSameBrowser() {
        this.adminClient.realm(AbstractSamlTest.REALM_NAME).clients().get(this.sales2Rep.getId()).update(ClientBuilder.edit(this.sales2Rep).frontchannelLogout(true).attribute("saml_single_logout_service_url_post", "").attribute("saml_single_logout_service_url_redirect", "").build());
        CreateLogoutRequestStepBuilder logoutRequest = prepareLogIntoTwoApps().logoutRequest(getAuthServerSamlEndpoint(AbstractSamlTest.REALM_NAME), AbstractSamlTest.SAML_CLIENT_ID_SALES_POST, SamlClient.Binding.POST);
        AtomicReference<NameIDType> atomicReference = this.nameIdRef;
        atomicReference.getClass();
        CreateLogoutRequestStepBuilder nameId = logoutRequest.nameId(atomicReference::get);
        AtomicReference<String> atomicReference2 = this.sessionIndexRef;
        atomicReference2.getClass();
        Assert.assertThat(nameId.sessionIndex(atomicReference2::get).build().getSamlResponse(SamlClient.Binding.POST).getSamlObject(), Matchers.isSamlStatusResponse(new JBossSAMLURIConstants[]{JBossSAMLURIConstants.STATUS_SUCCESS}));
    }

    @Test
    public void testFrontchannelLogoutDifferentBrowser() {
        this.adminClient.realm(AbstractSamlTest.REALM_NAME).clients().get(this.sales2Rep.getId()).update(ClientBuilder.edit(this.sales2Rep).frontchannelLogout(true).attribute("saml_single_logout_service_url_post", "").build());
        CreateLogoutRequestStepBuilder logoutRequest = prepareLogIntoTwoApps().clearCookies().logoutRequest(getAuthServerSamlEndpoint(AbstractSamlTest.REALM_NAME), AbstractSamlTest.SAML_CLIENT_ID_SALES_POST, SamlClient.Binding.POST);
        AtomicReference<NameIDType> atomicReference = this.nameIdRef;
        atomicReference.getClass();
        CreateLogoutRequestStepBuilder nameId = logoutRequest.nameId(atomicReference::get);
        AtomicReference<String> atomicReference2 = this.sessionIndexRef;
        atomicReference2.getClass();
        Assert.assertThat(nameId.sessionIndex(atomicReference2::get).build().getSamlResponse(SamlClient.Binding.POST).getSamlObject(), Matchers.isSamlStatusResponse(new JBossSAMLURIConstants[]{JBossSAMLURIConstants.STATUS_SUCCESS}));
    }

    @Test
    public void testFrontchannelLogoutWithRedirectUrlDifferentBrowser() {
        this.adminClient.realm(AbstractSamlTest.REALM_NAME).clients().get(this.salesRep.getId()).update(ClientBuilder.edit(this.salesRep).frontchannelLogout(true).attribute("saml_single_logout_service_url_post", "").attribute("saml_single_logout_service_url_redirect", "http://url").build());
        this.adminClient.realm(AbstractSamlTest.REALM_NAME).clients().get(this.sales2Rep.getId()).update(ClientBuilder.edit(this.sales2Rep).frontchannelLogout(true).attribute("saml_single_logout_service_url_post", "").attribute("saml_single_logout_service_url_redirect", "").build());
        CreateLogoutRequestStepBuilder logoutRequest = prepareLogIntoTwoApps().clearCookies().logoutRequest(getAuthServerSamlEndpoint(AbstractSamlTest.REALM_NAME), AbstractSamlTest.SAML_CLIENT_ID_SALES_POST, SamlClient.Binding.REDIRECT);
        AtomicReference<NameIDType> atomicReference = this.nameIdRef;
        atomicReference.getClass();
        CreateLogoutRequestStepBuilder nameId = logoutRequest.nameId(atomicReference::get);
        AtomicReference<String> atomicReference2 = this.sessionIndexRef;
        atomicReference2.getClass();
        Assert.assertThat(nameId.sessionIndex(atomicReference2::get).build().getSamlResponse(SamlClient.Binding.REDIRECT).getSamlObject(), Matchers.isSamlStatusResponse(new JBossSAMLURIConstants[]{JBossSAMLURIConstants.STATUS_SUCCESS}));
    }

    @Test
    public void testLogoutWithPostBindingUnsetRedirectBindingSet() {
        this.adminClient.realm(AbstractSamlTest.REALM_NAME).clients().get(this.sales2Rep.getId()).update(ClientBuilder.edit(this.sales2Rep).frontchannelLogout(true).attribute("saml_single_logout_service_url_post", "").attribute("saml_single_logout_service_url_redirect", "http://url-to-sales-2").build());
        CreateLogoutRequestStepBuilder logoutRequest = prepareLogIntoTwoApps().logoutRequest(getAuthServerSamlEndpoint(AbstractSamlTest.REALM_NAME), AbstractSamlTest.SAML_CLIENT_ID_SALES_POST, SamlClient.Binding.POST);
        AtomicReference<NameIDType> atomicReference = this.nameIdRef;
        atomicReference.getClass();
        CreateLogoutRequestStepBuilder nameId = logoutRequest.nameId(atomicReference::get);
        AtomicReference<String> atomicReference2 = this.sessionIndexRef;
        atomicReference2.getClass();
        SAMLDocumentHolder samlResponse = nameId.sessionIndex(atomicReference2::get).build().processSamlResponse(SamlClient.Binding.REDIRECT).transformDocument(document -> {
            LogoutRequestType logoutRequestType = (SAML2Object) SAMLParser.getInstance().parse(new DOMSource(document));
            Assert.assertThat(logoutRequestType, Matchers.isSamlLogoutRequest("http://url-to-sales-2"));
            return new SAML2LogoutResponseBuilder().destination(getAuthServerSamlEndpoint(AbstractSamlTest.REALM_NAME).toString()).issuer(AbstractSamlTest.SAML_CLIENT_ID_SALES_POST2).logoutRequestID(logoutRequestType.getID()).buildDocument();
        }).targetAttributeSamlResponse().targetUri(getAuthServerSamlEndpoint(AbstractSamlTest.REALM_NAME)).build().getSamlResponse(SamlClient.Binding.POST);
        Assert.assertThat(samlResponse.getSamlObject(), Matchers.isSamlStatusResponse(new JBossSAMLURIConstants[]{JBossSAMLURIConstants.STATUS_SUCCESS}));
        Assert.assertThat(samlResponse.getSamlObject().getDestination(), org.hamcrest.Matchers.is("http://url"));
        assertLogoutEvent(AbstractSamlTest.SAML_CLIENT_ID_SALES_POST2);
    }

    private void assertLogoutEvent(String str) {
        List events = this.adminClient.realm(AbstractSamlTest.REALM_NAME).getEvents(Arrays.asList(EventType.LOGOUT.name()), str, (String) null, (String) null, (String) null, (String) null, (Integer) null, (Integer) null);
        Assert.assertFalse(events.isEmpty());
        Assert.assertEquals(1L, events.size());
        EventRepresentation eventRepresentation = (EventRepresentation) events.get(0);
        Assert.assertEquals("http://url", eventRepresentation.getDetails().get("redirect_uri"));
        Assert.assertEquals(this.bburkeUser.getUsername(), eventRepresentation.getDetails().get("username"));
        Assert.assertEquals("post", eventRepresentation.getDetails().get("response_mode"));
        Assert.assertEquals("saml", eventRepresentation.getDetails().get("auth_method"));
        Assert.assertNotNull(eventRepresentation.getDetails().get("SAML_LOGOUT_REQUEST_ID"));
    }

    private IdentityProviderRepresentation addIdentityProvider() {
        return IdentityProviderBuilder.create().providerId("saml").alias(AbstractSamlTest.SAML_BROKER_ALIAS).displayName("SAML").setAttribute("singleSignOnServiceUrl", "https://saml.idp/saml").setAttribute("singleLogoutServiceUrl", BROKER_LOGOUT_SERVICE_URL).setAttribute("nameIDPolicyFormat", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress").setAttribute("postBindingResponse", "false").setAttribute("postBindingAuthnRequest", "false").setAttribute("backchannelSupported", "false").build();
    }

    private SAML2Object createAuthnResponse(SAML2Object sAML2Object) {
        AuthnRequestType authnRequestType = (AuthnRequestType) sAML2Object;
        try {
            ResponseType buildModel = new SAML2LoginResponseBuilder().requestID(authnRequestType.getID()).destination(authnRequestType.getAssertionConsumerServiceURL().toString()).issuer("https://saml.idp/saml").assertionExpiration(1000000).subjectExpiration(1000000).requestIssuer(getAuthServerRealmBase(AbstractSamlTest.REALM_NAME).toString()).nameIdentifier(JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.get(), "a@b.c").authMethod(JBossSAMLURIConstants.AC_UNSPECIFIED.get()).sessionIndex("idp:" + UUID.randomUUID()).buildModel();
            NameIDType baseID = ((ResponseType.RTChoiceType) buildModel.getAssertions().get(0)).getAssertion().getSubject().getSubType().getBaseID();
            baseID.setNameQualifier(NAME_QUALIFIER);
            baseID.setSPNameQualifier(SP_NAME_QUALIFIER);
            baseID.setSPProvidedID(SP_PROVIDED_ID);
            return buildModel;
        } catch (ConfigurationException | ProcessingException e) {
            throw new RuntimeException((Throwable) e);
        }
    }

    private SAML2Object createIdPLogoutResponse(SAML2Object sAML2Object) {
        try {
            return new SAML2LogoutResponseBuilder().logoutRequestID(((LogoutRequestType) sAML2Object).getID()).destination(getSamlBrokerUrl(AbstractSamlTest.REALM_NAME).toString()).issuer("https://saml.idp/saml").buildModel();
        } catch (ConfigurationException e) {
            throw new RuntimeException((Throwable) e);
        }
    }

    @Test
    public void testLogoutPropagatesToSamlIdentityProvider() throws IOException {
        RealmResource realm = this.adminClient.realm(AbstractSamlTest.REALM_NAME);
        ServerResourceUpdater update = ClientAttributeUpdater.forClient(this.adminClient, AbstractSamlTest.REALM_NAME, AbstractSamlTest.SAML_CLIENT_ID_SALES_POST).setFrontchannelLogout(true).removeAttribute("saml_single_logout_service_url_post").setAttribute("saml_single_logout_service_url_redirect", "http://url").update();
        Throwable th = null;
        try {
            IdentityProviderCreator identityProviderCreator = new IdentityProviderCreator(realm, addIdentityProvider());
            Throwable th2 = null;
            try {
                try {
                    CreateLogoutRequestStepBuilder logoutRequest = logIntoUnsignedSalesAppViaIdp().logoutRequest(getAuthServerSamlEndpoint(AbstractSamlTest.REALM_NAME), AbstractSamlTest.SAML_CLIENT_ID_SALES_POST, SamlClient.Binding.REDIRECT);
                    AtomicReference<NameIDType> atomicReference = this.nameIdRef;
                    atomicReference.getClass();
                    CreateLogoutRequestStepBuilder nameId = logoutRequest.nameId(atomicReference::get);
                    AtomicReference<String> atomicReference2 = this.sessionIndexRef;
                    atomicReference2.getClass();
                    Assert.assertThat(nameId.sessionIndex(atomicReference2::get).build().processSamlResponse(SamlClient.Binding.REDIRECT).transformObject(this::createIdPLogoutResponse).targetAttributeSamlResponse().targetUri(getSamlBrokerUrl(AbstractSamlTest.REALM_NAME)).build().getSamlResponse(SamlClient.Binding.REDIRECT).getSamlObject(), Matchers.isSamlStatusResponse(new JBossSAMLURIConstants[]{JBossSAMLURIConstants.STATUS_SUCCESS}));
                    if (identityProviderCreator != null) {
                        if (0 != 0) {
                            try {
                                identityProviderCreator.close();
                            } catch (Throwable th3) {
                                th2.addSuppressed(th3);
                            }
                        } else {
                            identityProviderCreator.close();
                        }
                    }
                    if (update != null) {
                        if (0 == 0) {
                            update.close();
                            return;
                        }
                        try {
                            update.close();
                        } catch (Throwable th4) {
                            th.addSuppressed(th4);
                        }
                    }
                } catch (Throwable th5) {
                    th2 = th5;
                    throw th5;
                }
            } catch (Throwable th6) {
                if (identityProviderCreator != null) {
                    if (th2 != null) {
                        try {
                            identityProviderCreator.close();
                        } catch (Throwable th7) {
                            th2.addSuppressed(th7);
                        }
                    } else {
                        identityProviderCreator.close();
                    }
                }
                throw th6;
            }
        } catch (Throwable th8) {
            if (update != null) {
                if (0 != 0) {
                    try {
                        update.close();
                    } catch (Throwable th9) {
                        th.addSuppressed(th9);
                    }
                } else {
                    update.close();
                }
            }
            throw th8;
        }
    }

    @Test
    public void testLogoutPropagatesToSamlIdentityProviderNameIdPreserved() throws IOException {
        RealmResource realm = this.adminClient.realm(AbstractSamlTest.REALM_NAME);
        ServerResourceUpdater update = ClientAttributeUpdater.forClient(this.adminClient, AbstractSamlTest.REALM_NAME, AbstractSamlTest.SAML_CLIENT_ID_SALES_POST).setFrontchannelLogout(true).removeAttribute("saml_single_logout_service_url_post").setAttribute("saml_single_logout_service_url_redirect", "http://url").update();
        Throwable th = null;
        try {
            IdentityProviderCreator identityProviderCreator = new IdentityProviderCreator(realm, addIdentityProvider());
            Throwable th2 = null;
            try {
                try {
                    CreateLogoutRequestStepBuilder logoutRequest = logIntoUnsignedSalesAppViaIdp().logoutRequest(getAuthServerSamlEndpoint(AbstractSamlTest.REALM_NAME), AbstractSamlTest.SAML_CLIENT_ID_SALES_POST, SamlClient.Binding.REDIRECT);
                    AtomicReference<NameIDType> atomicReference = this.nameIdRef;
                    atomicReference.getClass();
                    CreateLogoutRequestStepBuilder nameId = logoutRequest.nameId(atomicReference::get);
                    AtomicReference<String> atomicReference2 = this.sessionIndexRef;
                    atomicReference2.getClass();
                    SAMLDocumentHolder samlResponse = nameId.sessionIndex(atomicReference2::get).build().getSamlResponse(SamlClient.Binding.REDIRECT);
                    Assert.assertThat(samlResponse.getSamlObject(), Matchers.isSamlLogoutRequest(BROKER_LOGOUT_SERVICE_URL));
                    NameIDType nameID = samlResponse.getSamlObject().getNameID();
                    Assert.assertThat(nameID.getFormat(), org.hamcrest.Matchers.is(JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.getUri()));
                    Assert.assertThat(nameID.getValue(), org.hamcrest.Matchers.is("a@b.c"));
                    Assert.assertThat(nameID.getNameQualifier(), org.hamcrest.Matchers.is(NAME_QUALIFIER));
                    Assert.assertThat(nameID.getSPProvidedID(), org.hamcrest.Matchers.is(SP_PROVIDED_ID));
                    Assert.assertThat(nameID.getSPNameQualifier(), org.hamcrest.Matchers.is(SP_NAME_QUALIFIER));
                    if (identityProviderCreator != null) {
                        if (0 != 0) {
                            try {
                                identityProviderCreator.close();
                            } catch (Throwable th3) {
                                th2.addSuppressed(th3);
                            }
                        } else {
                            identityProviderCreator.close();
                        }
                    }
                    if (update != null) {
                        if (0 == 0) {
                            update.close();
                            return;
                        }
                        try {
                            update.close();
                        } catch (Throwable th4) {
                            th.addSuppressed(th4);
                        }
                    }
                } catch (Throwable th5) {
                    th2 = th5;
                    throw th5;
                }
            } catch (Throwable th6) {
                if (identityProviderCreator != null) {
                    if (th2 != null) {
                        try {
                            identityProviderCreator.close();
                        } catch (Throwable th7) {
                            th2.addSuppressed(th7);
                        }
                    } else {
                        identityProviderCreator.close();
                    }
                }
                throw th6;
            }
        } catch (Throwable th8) {
            if (update != null) {
                if (0 != 0) {
                    try {
                        update.close();
                    } catch (Throwable th9) {
                        th.addSuppressed(th9);
                    }
                } else {
                    update.close();
                }
            }
            throw th8;
        }
    }

    @Test
    public void testLogoutDestinationOptionalIfUnsignedRedirect() throws IOException {
        testLogoutDestination(SamlClient.Binding.REDIRECT, createLogoutRequestStepBuilder -> {
            createLogoutRequestStepBuilder.transformObject(logoutRequestType -> {
                logoutRequestType.setDestination((URI) null);
            });
        }, LogoutTest::assertSamlLogoutRequest);
    }

    @Test
    public void testLogoutMandatoryDestinationUnsetRedirect() throws IOException {
        testLogoutDestination(SamlClient.Binding.REDIRECT, createLogoutRequestStepBuilder -> {
            createLogoutRequestStepBuilder.transformObject(logoutRequestType -> {
                logoutRequestType.setDestination((URI) null);
            }).signWith(AbstractSamlTest.SAML_CLIENT_SALES_POST_SIG_PRIVATE_KEY, AbstractSamlTest.SAML_CLIENT_SALES_POST_SIG_PUBLIC_KEY);
        }, (v0) -> {
            assertBadRequest(v0);
        });
    }

    @Test
    public void testLogoutMandatoryDestinationSetRedirect() throws IOException {
        testLogoutDestination(SamlClient.Binding.REDIRECT, createLogoutRequestStepBuilder -> {
            createLogoutRequestStepBuilder.signWith(AbstractSamlTest.SAML_CLIENT_SALES_POST_SIG_PRIVATE_KEY, AbstractSamlTest.SAML_CLIENT_SALES_POST_SIG_PUBLIC_KEY);
        }, LogoutTest::assertSamlLogoutRequest);
    }

    @Test
    public void testLogoutDestinationOptionalIfUnsignedPost() throws IOException {
        testLogoutDestination(SamlClient.Binding.POST, createLogoutRequestStepBuilder -> {
            createLogoutRequestStepBuilder.transformObject(logoutRequestType -> {
                logoutRequestType.setDestination((URI) null);
            });
        }, LogoutTest::assertSamlLogoutRequest);
    }

    @Test
    public void testLogoutMandatoryDestinationUnsetPost() throws IOException {
        testLogoutDestination(SamlClient.Binding.POST, createLogoutRequestStepBuilder -> {
            createLogoutRequestStepBuilder.transformObject(logoutRequestType -> {
                logoutRequestType.setDestination((URI) null);
            }).signWith(AbstractSamlTest.SAML_CLIENT_SALES_POST_SIG_PRIVATE_KEY, AbstractSamlTest.SAML_CLIENT_SALES_POST_SIG_PUBLIC_KEY);
        }, (v0) -> {
            assertBadRequest(v0);
        });
    }

    @Test
    public void testLogoutMandatoryDestinationSetPost() throws IOException {
        testLogoutDestination(SamlClient.Binding.POST, createLogoutRequestStepBuilder -> {
            createLogoutRequestStepBuilder.signWith(AbstractSamlTest.SAML_CLIENT_SALES_POST_SIG_PRIVATE_KEY, AbstractSamlTest.SAML_CLIENT_SALES_POST_SIG_PUBLIC_KEY);
        }, LogoutTest::assertSamlLogoutRequest);
    }

    private void testLogoutDestination(SamlClient.Binding binding, Consumer<CreateLogoutRequestStepBuilder> consumer, Consumer<? super CloseableHttpResponse> consumer2) throws IOException {
        RealmResource realm = this.adminClient.realm(AbstractSamlTest.REALM_NAME);
        ServerResourceUpdater update = ClientAttributeUpdater.forClient(this.adminClient, AbstractSamlTest.REALM_NAME, AbstractSamlTest.SAML_CLIENT_ID_SALES_POST).setFrontchannelLogout(true).removeAttribute("saml_single_logout_service_url_post").setAttribute("saml_single_logout_service_url_redirect", "http://url").update();
        Throwable th = null;
        try {
            IdentityProviderCreator identityProviderCreator = new IdentityProviderCreator(realm, addIdentityProvider());
            Throwable th2 = null;
            try {
                try {
                    CreateLogoutRequestStepBuilder logoutRequest = logIntoUnsignedSalesAppViaIdp().logoutRequest(getAuthServerSamlEndpoint(AbstractSamlTest.REALM_NAME), AbstractSamlTest.SAML_CLIENT_ID_SALES_POST, binding);
                    AtomicReference<NameIDType> atomicReference = this.nameIdRef;
                    atomicReference.getClass();
                    CreateLogoutRequestStepBuilder nameId = logoutRequest.nameId(atomicReference::get);
                    AtomicReference<String> atomicReference2 = this.sessionIndexRef;
                    atomicReference2.getClass();
                    nameId.sessionIndex(atomicReference2::get).apply(consumer).build().doNotFollowRedirects().assertResponse(consumer2).execute();
                    if (identityProviderCreator != null) {
                        if (0 != 0) {
                            try {
                                identityProviderCreator.close();
                            } catch (Throwable th3) {
                                th2.addSuppressed(th3);
                            }
                        } else {
                            identityProviderCreator.close();
                        }
                    }
                    if (update != null) {
                        if (0 == 0) {
                            update.close();
                            return;
                        }
                        try {
                            update.close();
                        } catch (Throwable th4) {
                            th.addSuppressed(th4);
                        }
                    }
                } catch (Throwable th5) {
                    th2 = th5;
                    throw th5;
                }
            } catch (Throwable th6) {
                if (identityProviderCreator != null) {
                    if (th2 != null) {
                        try {
                            identityProviderCreator.close();
                        } catch (Throwable th7) {
                            th2.addSuppressed(th7);
                        }
                    } else {
                        identityProviderCreator.close();
                    }
                }
                throw th6;
            }
        } catch (Throwable th8) {
            if (update != null) {
                if (0 != 0) {
                    try {
                        update.close();
                    } catch (Throwable th9) {
                        th.addSuppressed(th9);
                    }
                } else {
                    update.close();
                }
            }
            throw th8;
        }
    }

    public static void assertSamlLogoutRequest(CloseableHttpResponse closeableHttpResponse) {
        try {
            Assert.assertThat(SamlClient.Binding.REDIRECT.extractResponse(closeableHttpResponse).getSamlObject(), Matchers.isSamlLogoutRequest(BROKER_LOGOUT_SERVICE_URL));
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    public static void assertBadRequest(HttpResponse httpResponse) {
        Assert.assertThat(httpResponse, Matchers.statusCodeIsHC(Response.Status.BAD_REQUEST));
    }
}
