package org.keycloak.testsuite.oauth;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.lang.invoke.SerializedLambda;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.ws.rs.NotFoundException;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.hamcrest.Matchers;
import org.jboss.arquillian.graphene.page.Page;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.RoleResource;
import org.keycloak.admin.client.resource.UserResource;
import org.keycloak.common.Profile;
import org.keycloak.jose.jws.JWSHeader;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.RefreshToken;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.ClientScopeRepresentation;
import org.keycloak.representations.idm.EventRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.AbstractAdminTest;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.arquillian.annotation.DisableFeature;
import org.keycloak.testsuite.pages.AccountApplicationsPage;
import org.keycloak.testsuite.pages.LoginPage;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.ClientManager;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.testsuite.util.RealmManager;
import org.keycloak.testsuite.util.RoleBuilder;
import org.keycloak.testsuite.util.ServerURLs;
import org.keycloak.testsuite.util.TokenSignatureUtil;
import org.keycloak.testsuite.util.UserBuilder;
import org.keycloak.testsuite.utils.tls.TLSUtils;

/* loaded from: input_file:org/keycloak/testsuite/oauth/OfflineTokenTest.class */
public class OfflineTokenTest extends AbstractKeycloakTest {
    private static String userId;
    private static String offlineClientAppUri;
    private static String serviceAccountUserId;

    @Page
    protected LoginPage loginPage;

    @Page
    protected AccountApplicationsPage applicationsPage;

    @Rule
    public AssertEvents events = new AssertEvents(this);

    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void beforeAbstractKeycloakTest() throws Exception {
        super.beforeAbstractKeycloakTest();
    }

    @Before
    public void clientConfiguration() {
        userId = ApiUtil.findUserByUsername(this.adminClient.realm("test"), AssertEvents.DEFAULT_USERNAME).getId();
        this.oauth.clientId(AssertEvents.DEFAULT_CLIENT_ID);
    }

    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void addTestRealms(List<RealmRepresentation> list) {
        RealmBuilder testEventListener = RealmBuilder.edit((RealmRepresentation) AbstractAdminTest.loadJson(getClass().getResourceAsStream("/testrealm.json"), RealmRepresentation.class)).accessTokenLifespan(10).ssoSessionIdleTimeout(30).testEventListener();
        offlineClientAppUri = OAuthClient.APP_ROOT + "/offline-client";
        ClientRepresentation build = ClientBuilder.create().clientId("offline-client").id(KeycloakModelUtils.generateId()).adminUrl(offlineClientAppUri).redirectUris(offlineClientAppUri).directAccessGrants().serviceAccountsEnabled(true).attribute("client_credentials.use_refresh_token", "true").secret("secret1").build();
        testEventListener.client(build);
        serviceAccountUserId = KeycloakModelUtils.generateId();
        testEventListener.user(UserBuilder.create().id(serviceAccountUserId).addRoles("user", "offline_access").role(AssertEvents.DEFAULT_CLIENT_ID, "customer-user").username("service-account-" + build.getClientId()).serviceAccountId(build.getClientId()).build());
        list.add(testEventListener.build());
    }

    @Test
    public void offlineTokenDisabledForClient() throws Exception {
        ClientScopeRepresentation clientScopeRepresentation = (ClientScopeRepresentation) this.adminClient.realm("test").clientScopes().findAll().stream().filter(clientScopeRepresentation2 -> {
            return "offline_access".equals(clientScopeRepresentation2.getName());
        }).findFirst().get();
        ClientManager.realm(this.adminClient.realm("test")).clientId("offline-client").fullScopeAllowed(false).removeClientScope(clientScopeRepresentation.getId(), false);
        this.oauth.scope("offline_access");
        this.oauth.clientId("offline-client");
        this.oauth.redirectUri(offlineClientAppUri);
        this.oauth.openLoginForm();
        Assert.assertTrue(this.driver.getCurrentUrl().contains("error_description=Invalid+scopes"));
        ClientManager.realm(this.adminClient.realm("test")).clientId("offline-client").fullScopeAllowed(true).addClientScope(clientScopeRepresentation.getId(), false);
    }

    @Test
    public void offlineTokenUserNotAllowed() throws Exception {
        String id = ApiUtil.findUserByUsername(this.adminClient.realm("test"), "keycloak-user@localhost").getId();
        this.oauth.scope("offline_access");
        this.oauth.clientId("offline-client");
        this.oauth.redirectUri(offlineClientAppUri);
        this.oauth.doLogin("keycloak-user@localhost", "password");
        EventRepresentation assertEvent = this.events.expectLogin().client("offline-client").user(id).detail("redirect_uri", offlineClientAppUri).assertEvent();
        String sessionId = assertEvent.getSessionId();
        String str = (String) assertEvent.getDetails().get("code_id");
        OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "secret1");
        Assert.assertEquals(400L, doAccessTokenRequest.getStatusCode());
        Assert.assertEquals("not_allowed", doAccessTokenRequest.getError());
        this.events.expectCodeToToken(str, sessionId).client("offline-client").user(id).error("not_allowed").clearDetails().assertEvent();
    }

    @Test
    public void offlineTokenBrowserFlow() throws Exception {
        this.oauth.scope("offline_access");
        this.oauth.clientId("offline-client");
        this.oauth.redirectUri(offlineClientAppUri);
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        EventRepresentation assertEvent = this.events.expectLogin().client("offline-client").detail("redirect_uri", offlineClientAppUri).assertEvent();
        String sessionId = assertEvent.getSessionId();
        String str = (String) assertEvent.getDetails().get("code_id");
        OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "secret1");
        AccessToken verifyToken = this.oauth.verifyToken(doAccessTokenRequest.getAccessToken());
        String refreshToken = doAccessTokenRequest.getRefreshToken();
        RefreshToken parseRefreshToken = this.oauth.parseRefreshToken(refreshToken);
        this.events.expectCodeToToken(str, sessionId).client("offline-client").detail("refresh_token_type", "Offline").assertEvent();
        Assert.assertEquals("Offline", parseRefreshToken.getType());
        Assert.assertEquals(0L, parseRefreshToken.getExpiration());
        Assert.assertTrue(doAccessTokenRequest.getScope().contains("offline_access"));
        String testRefreshWithOfflineToken = testRefreshWithOfflineToken(verifyToken, parseRefreshToken, refreshToken, sessionId, userId);
        setTimeOffset(3000000);
        OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(testRefreshWithOfflineToken, "secret1");
        RefreshToken parseRefreshToken2 = this.oauth.parseRefreshToken(testRefreshWithOfflineToken);
        Assert.assertEquals(400L, doRefreshTokenRequest.getStatusCode());
        Assert.assertEquals("invalid_grant", doRefreshTokenRequest.getError());
        this.events.expectRefresh(parseRefreshToken.getId(), parseRefreshToken2.getSessionState()).client("offline-client").error("invalid_token").user(userId).clearDetails().assertEvent();
        setTimeOffset(0);
    }

    private String testRefreshWithOfflineToken(AccessToken accessToken, RefreshToken refreshToken, String str, String str2, String str3) {
        setTimeOffset(99999);
        Assert.assertFalse(accessToken.isActive());
        Assert.assertTrue(refreshToken.isActive());
        this.testingClient.testing().removeExpired("test");
        try {
            this.testingClient.testing().removeUserSession("test", str2);
        } catch (NotFoundException e) {
        }
        OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(str, "secret1");
        AccessToken verifyToken = this.oauth.verifyToken(doRefreshTokenRequest.getAccessToken());
        Assert.assertEquals(200L, doRefreshTokenRequest.getStatusCode());
        String refreshToken2 = doRefreshTokenRequest.getRefreshToken();
        Assert.assertNotNull(refreshToken2);
        Assert.assertNotEquals(accessToken.getId(), verifyToken.getId());
        Assert.assertTrue(doRefreshTokenRequest.getScope().contains("offline_access"));
        Assert.assertEquals(str3, verifyToken.getSubject());
        Assert.assertTrue(verifyToken.getRealmAccess().isUserInRole("user"));
        Assert.assertTrue(verifyToken.getRealmAccess().isUserInRole("offline_access"));
        Assert.assertEquals(1L, verifyToken.getResourceAccess(AssertEvents.DEFAULT_CLIENT_ID).getRoles().size());
        Assert.assertTrue(verifyToken.getResourceAccess(AssertEvents.DEFAULT_CLIENT_ID).isUserInRole("customer-user"));
        Assert.assertNotEquals(accessToken.getId(), this.events.expectRefresh(refreshToken.getId(), str2).client("offline-client").user(str3).removeDetail("updated_refresh_token_id").detail("refresh_token_type", "Offline").assertEvent().getDetails().get("token_id"));
        setTimeOffset(0);
        return refreshToken2;
    }

    @Test
    public void offlineTokenDirectGrantFlow() throws Exception {
        this.oauth.scope("offline_access");
        this.oauth.clientId("offline-client");
        OAuthClient.AccessTokenResponse doGrantAccessTokenRequest = this.oauth.doGrantAccessTokenRequest("secret1", AssertEvents.DEFAULT_USERNAME, "password");
        Assert.assertNull(doGrantAccessTokenRequest.getErrorDescription());
        AccessToken verifyToken = this.oauth.verifyToken(doGrantAccessTokenRequest.getAccessToken());
        String refreshToken = doGrantAccessTokenRequest.getRefreshToken();
        RefreshToken parseRefreshToken = this.oauth.parseRefreshToken(refreshToken);
        this.events.expectLogin().client("offline-client").user(userId).session(verifyToken.getSessionState()).detail("grant_type", "password").detail("token_id", verifyToken.getId()).detail("refresh_token_id", parseRefreshToken.getId()).detail("refresh_token_type", "Offline").detail("username", AssertEvents.DEFAULT_USERNAME).removeDetail("code_id").removeDetail("redirect_uri").removeDetail("consent").assertEvent();
        Assert.assertEquals("Offline", parseRefreshToken.getType());
        Assert.assertEquals(0L, parseRefreshToken.getExpiration());
        testRefreshWithOfflineToken(verifyToken, parseRefreshToken, refreshToken, verifyToken.getSessionState(), userId);
        testRefreshWithOfflineToken(verifyToken, parseRefreshToken, refreshToken, verifyToken.getSessionState(), userId);
    }

    @Test
    public void offlineTokenDirectGrantFlowWithRefreshTokensRevoked() throws Exception {
        RealmManager.realm(this.adminClient.realm("test")).revokeRefreshToken(true);
        this.oauth.scope("offline_access");
        this.oauth.clientId("offline-client");
        OAuthClient.AccessTokenResponse doGrantAccessTokenRequest = this.oauth.doGrantAccessTokenRequest("secret1", AssertEvents.DEFAULT_USERNAME, "password");
        AccessToken verifyToken = this.oauth.verifyToken(doGrantAccessTokenRequest.getAccessToken());
        String refreshToken = doGrantAccessTokenRequest.getRefreshToken();
        RefreshToken parseRefreshToken = this.oauth.parseRefreshToken(refreshToken);
        this.events.expectLogin().client("offline-client").user(userId).session(verifyToken.getSessionState()).detail("grant_type", "password").detail("token_id", verifyToken.getId()).detail("refresh_token_id", parseRefreshToken.getId()).detail("refresh_token_type", "Offline").detail("username", AssertEvents.DEFAULT_USERNAME).removeDetail("code_id").removeDetail("redirect_uri").removeDetail("consent").assertEvent();
        Assert.assertEquals("Offline", parseRefreshToken.getType());
        Assert.assertEquals(0L, parseRefreshToken.getExpiration());
        RefreshToken parseRefreshToken2 = this.oauth.parseRefreshToken(testRefreshWithOfflineToken(verifyToken, parseRefreshToken, refreshToken, verifyToken.getSessionState(), userId));
        Assert.assertEquals(400L, this.oauth.doRefreshTokenRequest(refreshToken, "secret1").getStatusCode());
        this.events.expectRefresh(parseRefreshToken.getId(), verifyToken.getSessionState()).client("offline-client").error("invalid_token").user(userId).clearDetails().assertEvent();
        Assert.assertEquals(400L, this.oauth.doRefreshTokenRequest(r0, "secret1").getStatusCode());
        this.events.expectRefresh(parseRefreshToken2.getId(), parseRefreshToken2.getSessionState()).client("offline-client").error("invalid_token").user(userId).clearDetails().assertEvent();
        RealmManager.realm(this.adminClient.realm("test")).revokeRefreshToken(false);
    }

    @Test
    public void offlineTokenServiceAccountFlow() throws Exception {
        this.oauth.scope("offline_access");
        this.oauth.clientId("offline-client");
        OAuthClient.AccessTokenResponse doClientCredentialsGrantAccessTokenRequest = this.oauth.doClientCredentialsGrantAccessTokenRequest("secret1");
        AccessToken verifyToken = this.oauth.verifyToken(doClientCredentialsGrantAccessTokenRequest.getAccessToken());
        String refreshToken = doClientCredentialsGrantAccessTokenRequest.getRefreshToken();
        RefreshToken parseRefreshToken = this.oauth.parseRefreshToken(refreshToken);
        this.events.expectClientLogin().client("offline-client").user(serviceAccountUserId).session(verifyToken.getSessionState()).detail("token_id", verifyToken.getId()).detail("refresh_token_id", parseRefreshToken.getId()).detail("refresh_token_type", "Offline").detail("username", "service-account-offline-client").assertEvent();
        Assert.assertEquals("Offline", parseRefreshToken.getType());
        Assert.assertEquals(0L, parseRefreshToken.getExpiration());
        testRefreshWithOfflineToken(verifyToken, parseRefreshToken, refreshToken, verifyToken.getSessionState(), serviceAccountUserId);
        OAuthClient.AccessTokenResponse doClientCredentialsGrantAccessTokenRequest2 = this.oauth.doClientCredentialsGrantAccessTokenRequest("secret1");
        AccessToken verifyToken2 = this.oauth.verifyToken(doClientCredentialsGrantAccessTokenRequest2.getAccessToken());
        String refreshToken2 = doClientCredentialsGrantAccessTokenRequest2.getRefreshToken();
        RefreshToken parseRefreshToken2 = this.oauth.parseRefreshToken(refreshToken2);
        this.events.expectClientLogin().client("offline-client").user(serviceAccountUserId).session(verifyToken2.getSessionState()).detail("token_id", verifyToken2.getId()).detail("refresh_token_id", parseRefreshToken2.getId()).detail("refresh_token_type", "Offline").detail("username", "service-account-offline-client").assertEvent();
        testRefreshWithOfflineToken(verifyToken, parseRefreshToken, refreshToken, verifyToken.getSessionState(), serviceAccountUserId);
        testRefreshWithOfflineToken(verifyToken2, parseRefreshToken2, refreshToken2, verifyToken2.getSessionState(), serviceAccountUserId);
    }

    @Test
    public void offlineTokenAllowedWithCompositeRole() throws Exception {
        RealmResource realm = this.adminClient.realm("test");
        UserResource findUserByUsernameId = ApiUtil.findUserByUsernameId(realm, AssertEvents.DEFAULT_USERNAME);
        RoleRepresentation representation = ApiUtil.findRealmRoleByName(this.adminClient.realm("test"), "offline_access").toRepresentation();
        realm.roles().create(RoleBuilder.create().name("composite").build());
        RoleResource roleResource = realm.roles().get("composite");
        roleResource.addComposites(Collections.singletonList(representation));
        findUserByUsernameId.roles().realmLevel().remove(Collections.singletonList(representation));
        findUserByUsernameId.roles().realmLevel().add(Collections.singletonList(roleResource.toRepresentation()));
        offlineTokenDirectGrantFlow();
        findUserByUsernameId.roles().realmLevel().remove(Collections.singletonList(realm.roles().get("composite").toRepresentation()));
        realm.roles().get("composite").remove();
        findUserByUsernameId.roles().realmLevel().add(Collections.singletonList(representation));
    }

    @Test
    public void offlineTokenAdminRESTAccess() throws Exception {
        RealmResource realm = this.adminClient.realm("test");
        ClientResource findClientByClientId = ApiUtil.findClientByClientId(realm, "realm-management");
        ApiUtil.findUserByUsernameId(realm, AssertEvents.DEFAULT_USERNAME).roles().clientLevel(findClientByClientId.toRepresentation().getId()).add(Collections.singletonList(findClientByClientId.roles().get(AdminRoles.VIEW_REALM).toRepresentation()));
        this.oauth.scope("offline_access");
        this.oauth.clientId("offline-client");
        OAuthClient.AccessTokenResponse doGrantAccessTokenRequest = this.oauth.doGrantAccessTokenRequest("secret1", AssertEvents.DEFAULT_USERNAME, "password");
        this.events.clear();
        setTimeOffset(86400);
        this.testingClient.testing().removeUserSessions(realm.toRepresentation().getId());
        Keycloak keycloak = Keycloak.getInstance(ServerURLs.getAuthServerContextRoot() + "/auth", "master", "admin-cli", this.oauth.doRefreshTokenRequest(doGrantAccessTokenRequest.getRefreshToken(), "secret1").getAccessToken(), TLSUtils.initializeTLS());
        Throwable th = null;
        try {
            try {
                Assert.assertNotNull(keycloak.realm("test").toRepresentation());
                if (keycloak != null) {
                    if (0 == 0) {
                        keycloak.close();
                        return;
                    }
                    try {
                        keycloak.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Throwable th4) {
            if (keycloak != null) {
                if (th != null) {
                    try {
                        keycloak.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    keycloak.close();
                }
            }
            throw th4;
        }
    }

    @Test
    @DisableFeature(value = Profile.Feature.ACCOUNT2, skipRestart = true)
    public void offlineTokenRemoveClientWithTokens() throws Exception {
        RealmResource realm = this.adminClient.realm("test");
        realm.clients().create(ClientBuilder.create().clientId("offline-client-2").id(KeycloakModelUtils.generateId()).directAccessGrants().secret("secret1").build());
        this.oauth.scope("offline_access");
        this.oauth.clientId("offline-client-2");
        OAuthClient.AccessTokenResponse doGrantAccessTokenRequest = this.oauth.doGrantAccessTokenRequest("secret1", AssertEvents.DEFAULT_USERNAME, "password");
        Assert.assertNull(doGrantAccessTokenRequest.getErrorDescription());
        AccessToken verifyToken = this.oauth.verifyToken(doGrantAccessTokenRequest.getAccessToken());
        this.events.expectLogin().client("offline-client-2").user(userId).session(verifyToken.getSessionState()).detail("grant_type", "password").detail("token_id", verifyToken.getId()).detail("refresh_token_id", this.oauth.parseRefreshToken(doGrantAccessTokenRequest.getRefreshToken()).getId()).detail("refresh_token_type", "Offline").detail("username", AssertEvents.DEFAULT_USERNAME).removeDetail("code_id").removeDetail("redirect_uri").removeDetail("consent").assertEvent();
        this.applicationsPage.open();
        this.loginPage.login(AssertEvents.DEFAULT_USERNAME, "password");
        this.events.expectLogin().client(BackchannelLogoutTest.ACCOUNT_CLIENT_NAME).detail("redirect_uri", getAccountRedirectUrl() + "?path=applications").assertEvent();
        Assert.assertTrue(this.applicationsPage.isCurrent());
        Map applications = this.applicationsPage.getApplications();
        Assert.assertTrue(applications.containsKey("offline-client-2"));
        Assert.assertEquals("Offline Token", ((AccountApplicationsPage.AppEntry) applications.get("offline-client-2")).getAdditionalGrants().get(0));
        ApiUtil.findClientByClientId(realm, "offline-client-2").remove();
        this.applicationsPage.open();
        Assert.assertFalse(this.applicationsPage.getApplications().containsKey("offline-client-2"));
        Iterator it = ApiUtil.findUserByUsernameId(realm, AssertEvents.DEFAULT_USERNAME).getConsents().iterator();
        while (it.hasNext()) {
            Assert.assertNotEquals(((Map) it.next()).get("clientId"), "offline-client-2");
        }
    }

    @Test
    public void offlineTokenLogout() throws Exception {
        this.oauth.scope("offline_access");
        this.oauth.clientId("offline-client");
        OAuthClient.AccessTokenResponse doGrantAccessTokenRequest = this.oauth.doGrantAccessTokenRequest("secret1", AssertEvents.DEFAULT_USERNAME, "password");
        Assert.assertEquals(200L, doGrantAccessTokenRequest.getStatusCode());
        OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(doGrantAccessTokenRequest.getRefreshToken(), "secret1");
        Assert.assertEquals(200L, doRefreshTokenRequest.getStatusCode());
        Assert.assertEquals(204L, this.oauth.doLogout(doRefreshTokenRequest.getRefreshToken(), "secret1").getStatusLine().getStatusCode());
        Assert.assertEquals(400L, this.oauth.doRefreshTokenRequest(doRefreshTokenRequest.getRefreshToken(), "secret1").getStatusCode());
    }

    @Test
    public void onlineOfflineTokenLogout() throws Exception {
        this.oauth.clientId("offline-client");
        OAuthClient.AccessTokenResponse doGrantAccessTokenRequest = this.oauth.doGrantAccessTokenRequest("secret1", AssertEvents.DEFAULT_USERNAME, "password");
        Assert.assertEquals(200L, doGrantAccessTokenRequest.getStatusCode());
        OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(doGrantAccessTokenRequest.getRefreshToken(), "secret1");
        Assert.assertEquals(200L, doRefreshTokenRequest.getStatusCode());
        this.oauth.scope("offline_access");
        OAuthClient.AccessTokenResponse doGrantAccessTokenRequest2 = this.oauth.doGrantAccessTokenRequest("secret1", AssertEvents.DEFAULT_USERNAME, "password");
        Assert.assertEquals(200L, doGrantAccessTokenRequest2.getStatusCode());
        Assert.assertEquals(200L, this.oauth.doRefreshTokenRequest(doGrantAccessTokenRequest2.getRefreshToken(), "secret1").getStatusCode());
        Assert.assertEquals(204L, this.oauth.scope("").doLogout(doRefreshTokenRequest.getRefreshToken(), "secret1").getStatusLine().getStatusCode());
        Assert.assertEquals(400L, this.oauth.doRefreshTokenRequest(doRefreshTokenRequest.getRefreshToken(), "secret1").getStatusCode());
        Assert.assertEquals(200L, this.oauth.doRefreshTokenRequest(doGrantAccessTokenRequest2.getRefreshToken(), "secret1").getStatusCode());
    }

    @Test
    public void browserOfflineTokenLogoutFollowedByLoginSameSession() throws Exception {
        this.oauth.scope("offline_access");
        this.oauth.clientId("offline-client");
        this.oauth.redirectUri(offlineClientAppUri);
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        EventRepresentation assertEvent = this.events.expectLogin().client("offline-client").detail("redirect_uri", offlineClientAppUri).assertEvent();
        String sessionId = assertEvent.getSessionId();
        String str = (String) assertEvent.getDetails().get("code_id");
        OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "secret1");
        this.oauth.verifyToken(doAccessTokenRequest.getAccessToken());
        String refreshToken = doAccessTokenRequest.getRefreshToken();
        RefreshToken parseRefreshToken = this.oauth.parseRefreshToken(refreshToken);
        this.events.expectCodeToToken(str, sessionId).client("offline-client").detail("refresh_token_type", "Offline").assertEvent();
        Assert.assertEquals("Offline", parseRefreshToken.getType());
        Assert.assertEquals(0L, parseRefreshToken.getExpiration());
        String str2 = (String) this.testingClient.server().fetch(keycloakSession -> {
            return keycloakSession.sessions().getOfflineUserSession(keycloakSession.realms().getRealmByName("test"), parseRefreshToken.getSessionState()).getId();
        }, String.class);
        CloseableHttpResponse doLogout = this.oauth.doLogout(refreshToken, "secret1");
        Throwable th = null;
        try {
            Assert.assertEquals(204L, doLogout.getStatusLine().getStatusCode());
            if (doLogout != null) {
                if (0 != 0) {
                    try {
                        doLogout.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                } else {
                    doLogout.close();
                }
            }
            this.events.expectLogout(str2).client("offline-client").removeDetail("redirect_uri").assertEvent();
            this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            OAuthClient.AccessTokenResponse doAccessTokenRequest2 = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "secret1");
            Assert.assertEquals(200L, doAccessTokenRequest2.getStatusCode());
            this.oauth.verifyToken(doAccessTokenRequest2.getAccessToken());
            RefreshToken parseRefreshToken2 = this.oauth.parseRefreshToken(doAccessTokenRequest2.getRefreshToken());
            this.events.expectCodeToToken((String) this.events.expectLogin().client("offline-client").detail("redirect_uri", offlineClientAppUri).assertEvent().getDetails().get("code_id"), parseRefreshToken2.getSessionState()).client("offline-client").detail("refresh_token_type", "Offline").assertEvent();
            Assert.assertEquals("Offline", parseRefreshToken2.getType());
            Assert.assertEquals(0L, parseRefreshToken2.getExpiration());
            Assert.assertNotEquals(parseRefreshToken.getSessionState(), parseRefreshToken2.getSessionState());
        } catch (Throwable th3) {
            if (doLogout != null) {
                if (0 != 0) {
                    try {
                        doLogout.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    doLogout.close();
                }
            }
            throw th3;
        }
    }

    private int[] changeOfflineSessionSettings(boolean z, int i, int i2) {
        RealmRepresentation representation = this.adminClient.realm("test").toRepresentation();
        int[] iArr = {representation.getOfflineSessionMaxLifespan().intValue(), representation.getOfflineSessionIdleTimeout().intValue()};
        RealmBuilder create = RealmBuilder.create();
        create.offlineSessionMaxLifespanEnabled(z).offlineSessionMaxLifespan(i).offlineSessionIdleTimeout(i2);
        this.adminClient.realm("test").update(create.build());
        return iArr;
    }

    private int[] changeSessionSettings(int i, int i2) {
        RealmRepresentation representation = this.adminClient.realm("test").toRepresentation();
        int[] iArr = {representation.getOfflineSessionMaxLifespan().intValue(), representation.getOfflineSessionIdleTimeout().intValue()};
        RealmBuilder create = RealmBuilder.create();
        create.ssoSessionIdleTimeout(i).accessTokenLifespan(i2);
        this.adminClient.realm("test").update(create.build());
        return iArr;
    }

    @Test
    public void offlineTokenBrowserFlowMaxLifespanExpired() throws Exception {
        testOfflineSessionExpiration(6000, 3600, 3660);
    }

    @Test
    public void offlineTokenBrowserFlowIdleTimeExpired() throws Exception {
        testOfflineSessionExpiration(600, 3000, 780);
    }

    @Test
    public void offlineTokenRequest_ClientES256_RealmPS256() throws Exception {
        conductOfflineTokenRequest("HS256", "ES256", "PS256");
    }

    @Test
    public void offlineTokenRequest_ClientPS256_RealmES256() throws Exception {
        conductOfflineTokenRequest("HS256", "PS256", "ES256");
    }

    private void conductOfflineTokenRequest(String str, String str2, String str3) throws Exception {
        try {
            TokenSignatureUtil.changeRealmTokenSignatureProvider(this.adminClient, str3);
            TokenSignatureUtil.changeClientAccessTokenSignatureProvider(ApiUtil.findClientByClientId(this.adminClient.realm("test"), "offline-client"), str2);
            offlineTokenRequest(str, str2, str3);
            TokenSignatureUtil.changeRealmTokenSignatureProvider(this.adminClient, "RS256");
            TokenSignatureUtil.changeClientAccessTokenSignatureProvider(ApiUtil.findClientByClientId(this.adminClient.realm("test"), "offline-client"), "RS256");
        } catch (Throwable th) {
            TokenSignatureUtil.changeRealmTokenSignatureProvider(this.adminClient, "RS256");
            TokenSignatureUtil.changeClientAccessTokenSignatureProvider(ApiUtil.findClientByClientId(this.adminClient.realm("test"), "offline-client"), "RS256");
            throw th;
        }
    }

    private void testOfflineSessionExpiration(int i, int i2, int i3) {
        int[] iArr = null;
        try {
            iArr = changeOfflineSessionSettings(true, i2, i);
            this.oauth.scope("offline_access");
            this.oauth.clientId("offline-client");
            this.oauth.redirectUri(offlineClientAppUri);
            this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            String sessionId = this.events.expectLogin().client("offline-client").detail("redirect_uri", offlineClientAppUri).assertEvent().getSessionId();
            String refreshToken = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "secret1").getRefreshToken();
            Assert.assertEquals("Offline", this.oauth.parseRefreshToken(refreshToken).getType());
            OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(refreshToken, "secret1");
            this.oauth.verifyToken(doRefreshTokenRequest.getAccessToken());
            String refreshToken2 = doRefreshTokenRequest.getRefreshToken();
            this.oauth.parseRefreshToken(refreshToken2);
            Assert.assertEquals(200L, doRefreshTokenRequest.getStatusCode());
            setTimeOffset(i3);
            OAuthClient.AccessTokenResponse doRefreshTokenRequest2 = this.oauth.doRefreshTokenRequest(refreshToken2, "secret1");
            Assert.assertEquals(400L, doRefreshTokenRequest2.getStatusCode());
            Assert.assertEquals("invalid_grant", doRefreshTokenRequest2.getError());
            this.testingClient.testing().removeExpired("test");
            try {
                this.testingClient.testing().removeUserSession("test", sessionId);
            } catch (NotFoundException e) {
            }
            setTimeOffset(0);
            changeOfflineSessionSettings(false, iArr[0], iArr[1]);
        } catch (Throwable th) {
            changeOfflineSessionSettings(false, iArr[0], iArr[1]);
            throw th;
        }
    }

    private void offlineTokenRequest(String str, String str2, String str3) throws Exception {
        this.oauth.scope("offline_access");
        this.oauth.clientId("offline-client");
        OAuthClient.AccessTokenResponse doClientCredentialsGrantAccessTokenRequest = this.oauth.doClientCredentialsGrantAccessTokenRequest("secret1");
        String idToken = doClientCredentialsGrantAccessTokenRequest.getIdToken();
        String accessToken = doClientCredentialsGrantAccessTokenRequest.getAccessToken();
        String refreshToken = doClientCredentialsGrantAccessTokenRequest.getRefreshToken();
        if (idToken != null) {
            JWSHeader header = new JWSInput(idToken).getHeader();
            Assert.assertEquals(str3, header.getAlgorithm().name());
            Assert.assertEquals("JWT", header.getType());
            Assert.assertNull(header.getContentType());
        }
        if (accessToken != null) {
            JWSHeader header2 = new JWSInput(accessToken).getHeader();
            Assert.assertEquals(str2, header2.getAlgorithm().name());
            Assert.assertEquals("JWT", header2.getType());
            Assert.assertNull(header2.getContentType());
        }
        if (refreshToken != null) {
            JWSHeader header3 = new JWSInput(refreshToken).getHeader();
            Assert.assertEquals(str, header3.getAlgorithm().name());
            Assert.assertEquals("JWT", header3.getType());
            Assert.assertNull(header3.getContentType());
        }
        AccessToken verifyToken = this.oauth.verifyToken(doClientCredentialsGrantAccessTokenRequest.getAccessToken());
        String refreshToken2 = doClientCredentialsGrantAccessTokenRequest.getRefreshToken();
        RefreshToken parseRefreshToken = this.oauth.parseRefreshToken(refreshToken2);
        this.events.expectClientLogin().client("offline-client").user(serviceAccountUserId).session(verifyToken.getSessionState()).detail("token_id", verifyToken.getId()).detail("refresh_token_id", parseRefreshToken.getId()).detail("refresh_token_type", "Offline").detail("username", "service-account-offline-client").assertEvent();
        Assert.assertEquals("Offline", parseRefreshToken.getType());
        Assert.assertEquals(0L, parseRefreshToken.getExpiration());
        testRefreshWithOfflineToken(verifyToken, parseRefreshToken, refreshToken2, verifyToken.getSessionState(), serviceAccountUserId);
        OAuthClient.AccessTokenResponse doClientCredentialsGrantAccessTokenRequest2 = this.oauth.doClientCredentialsGrantAccessTokenRequest("secret1");
        AccessToken verifyToken2 = this.oauth.verifyToken(doClientCredentialsGrantAccessTokenRequest2.getAccessToken());
        String refreshToken3 = doClientCredentialsGrantAccessTokenRequest2.getRefreshToken();
        RefreshToken parseRefreshToken2 = this.oauth.parseRefreshToken(refreshToken3);
        this.events.expectClientLogin().client("offline-client").user(serviceAccountUserId).session(verifyToken2.getSessionState()).detail("token_id", verifyToken2.getId()).detail("refresh_token_id", parseRefreshToken2.getId()).detail("refresh_token_type", "Offline").detail("username", "service-account-offline-client").assertEvent();
        testRefreshWithOfflineToken(verifyToken, parseRefreshToken, refreshToken2, verifyToken.getSessionState(), serviceAccountUserId);
        testRefreshWithOfflineToken(verifyToken2, parseRefreshToken2, refreshToken3, verifyToken2.getSessionState(), serviceAccountUserId);
    }

    @Test
    public void testShortOfflineSessionMax() throws Exception {
        int[] iArr = null;
        int[] iArr2 = null;
        try {
            iArr = changeOfflineSessionSettings(true, 60, 30);
            iArr2 = changeSessionSettings(1800, 300);
            this.oauth.scope("offline_access");
            this.oauth.clientId("offline-client");
            this.oauth.redirectUri(offlineClientAppUri);
            this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            this.events.expectLogin().client("offline-client").detail("redirect_uri", offlineClientAppUri).assertEvent();
            OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "secret1");
            RefreshToken parseRefreshToken = this.oauth.parseRefreshToken(doAccessTokenRequest.getRefreshToken());
            Assert.assertThat(Integer.valueOf(doAccessTokenRequest.getExpiresIn()), Matchers.allOf(Matchers.greaterThanOrEqualTo(59), Matchers.lessThanOrEqualTo(60)));
            Assert.assertThat(Integer.valueOf(doAccessTokenRequest.getRefreshExpiresIn()), Matchers.allOf(Matchers.greaterThanOrEqualTo(29), Matchers.lessThanOrEqualTo(30)));
            Assert.assertEquals("Offline", parseRefreshToken.getType());
            JsonNode readTree = new ObjectMapper().readTree(this.oauth.introspectAccessTokenWithClientCredential(AssertEvents.DEFAULT_CLIENT_ID, "password", doAccessTokenRequest.getAccessToken()));
            Assert.assertEquals(true, Boolean.valueOf(readTree.get("active").asBoolean()));
            Assert.assertEquals(AssertEvents.DEFAULT_USERNAME, readTree.get("email").asText());
            Assert.assertThat(Integer.valueOf(readTree.get("exp").asInt() - getCurrentTime()), Matchers.allOf(Matchers.greaterThanOrEqualTo(59), Matchers.lessThanOrEqualTo(60)));
            changeOfflineSessionSettings(false, iArr[0], iArr[1]);
            changeSessionSettings(iArr2[0], iArr2[1]);
        } catch (Throwable th) {
            changeOfflineSessionSettings(false, iArr[0], iArr[1]);
            changeSessionSettings(iArr2[0], iArr2[1]);
            throw th;
        }
    }

    @Test
    public void testClientOfflineSessionMaxLifespan() throws Exception {
        ClientResource findClientByClientId = ApiUtil.findClientByClientId(this.adminClient.realm("test"), "offline-client");
        ClientRepresentation representation = findClientByClientId.toRepresentation();
        RealmResource realm = this.adminClient.realm("test");
        RealmRepresentation representation2 = realm.toRepresentation();
        Boolean offlineSessionMaxLifespanEnabled = representation2.getOfflineSessionMaxLifespanEnabled();
        Integer offlineSessionMaxLifespan = representation2.getOfflineSessionMaxLifespan();
        int intValue = representation2.getOfflineSessionIdleTimeout().intValue() - 100;
        Integer clientOfflineSessionMaxLifespan = representation2.getClientOfflineSessionMaxLifespan();
        try {
            representation2.setOfflineSessionMaxLifespanEnabled(true);
            representation2.setOfflineSessionMaxLifespan(Integer.valueOf(intValue));
            realm.update(representation2);
            this.oauth.scope("offline_access");
            this.oauth.clientId("offline-client");
            this.oauth.redirectUri(offlineClientAppUri);
            this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "secret1");
            Assert.assertEquals(200L, doAccessTokenRequest.getStatusCode());
            org.keycloak.testsuite.Assert.assertExpiration(doAccessTokenRequest.getRefreshExpiresIn(), intValue);
            representation2.setClientOfflineSessionMaxLifespan(Integer.valueOf(intValue - 100));
            realm.update(representation2);
            OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(doAccessTokenRequest.getRefreshToken(), "secret1");
            Assert.assertEquals(200L, doRefreshTokenRequest.getStatusCode());
            org.keycloak.testsuite.Assert.assertExpiration(doRefreshTokenRequest.getRefreshExpiresIn(), intValue - 100);
            representation.getAttributes().put("client.offline.session.max.lifespan", Integer.toString(intValue - 200));
            findClientByClientId.update(representation);
            OAuthClient.AccessTokenResponse doRefreshTokenRequest2 = this.oauth.doRefreshTokenRequest(doRefreshTokenRequest.getRefreshToken(), "secret1");
            Assert.assertEquals(200L, doRefreshTokenRequest2.getStatusCode());
            org.keycloak.testsuite.Assert.assertExpiration(doRefreshTokenRequest2.getRefreshExpiresIn(), intValue - 200);
            representation2.setOfflineSessionMaxLifespanEnabled(offlineSessionMaxLifespanEnabled);
            representation2.setOfflineSessionMaxLifespan(offlineSessionMaxLifespan);
            representation2.setClientOfflineSessionMaxLifespan(clientOfflineSessionMaxLifespan);
            realm.update(representation2);
            representation.getAttributes().put("client.offline.session.max.lifespan", null);
            findClientByClientId.update(representation);
        } catch (Throwable th) {
            representation2.setOfflineSessionMaxLifespanEnabled(offlineSessionMaxLifespanEnabled);
            representation2.setOfflineSessionMaxLifespan(offlineSessionMaxLifespan);
            representation2.setClientOfflineSessionMaxLifespan(clientOfflineSessionMaxLifespan);
            realm.update(representation2);
            representation.getAttributes().put("client.offline.session.max.lifespan", null);
            findClientByClientId.update(representation);
            throw th;
        }
    }

    @Test
    public void testClientOfflineSessionIdleTimeout() throws Exception {
        ClientResource findClientByClientId = ApiUtil.findClientByClientId(this.adminClient.realm("test"), "offline-client");
        ClientRepresentation representation = findClientByClientId.toRepresentation();
        RealmResource realm = this.adminClient.realm("test");
        RealmRepresentation representation2 = realm.toRepresentation();
        Boolean offlineSessionMaxLifespanEnabled = representation2.getOfflineSessionMaxLifespanEnabled();
        int intValue = representation2.getOfflineSessionIdleTimeout().intValue();
        Integer clientOfflineSessionIdleTimeout = representation2.getClientOfflineSessionIdleTimeout();
        try {
            representation2.setOfflineSessionMaxLifespanEnabled(true);
            realm.update(representation2);
            this.oauth.scope("offline_access");
            this.oauth.clientId("offline-client");
            this.oauth.redirectUri(offlineClientAppUri);
            this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "secret1");
            Assert.assertEquals(200L, doAccessTokenRequest.getStatusCode());
            org.keycloak.testsuite.Assert.assertExpiration(doAccessTokenRequest.getRefreshExpiresIn(), intValue);
            representation2.setClientOfflineSessionIdleTimeout(Integer.valueOf(intValue - 100));
            realm.update(representation2);
            OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(doAccessTokenRequest.getRefreshToken(), "secret1");
            Assert.assertEquals(200L, doRefreshTokenRequest.getStatusCode());
            org.keycloak.testsuite.Assert.assertExpiration(doRefreshTokenRequest.getRefreshExpiresIn(), intValue - 100);
            representation.getAttributes().put("client.offline.session.idle.timeout", Integer.toString(intValue - 200));
            findClientByClientId.update(representation);
            OAuthClient.AccessTokenResponse doRefreshTokenRequest2 = this.oauth.doRefreshTokenRequest(doRefreshTokenRequest.getRefreshToken(), "secret1");
            Assert.assertEquals(200L, doRefreshTokenRequest2.getStatusCode());
            org.keycloak.testsuite.Assert.assertExpiration(doRefreshTokenRequest2.getRefreshExpiresIn(), intValue - 200);
            representation2.setOfflineSessionMaxLifespanEnabled(offlineSessionMaxLifespanEnabled);
            representation2.setClientOfflineSessionIdleTimeout(clientOfflineSessionIdleTimeout);
            realm.update(representation2);
            representation.getAttributes().put("client.offline.session.idle.timeout", null);
            findClientByClientId.update(representation);
        } catch (Throwable th) {
            representation2.setOfflineSessionMaxLifespanEnabled(offlineSessionMaxLifespanEnabled);
            representation2.setClientOfflineSessionIdleTimeout(clientOfflineSessionIdleTimeout);
            realm.update(representation2);
            representation.getAttributes().put("client.offline.session.idle.timeout", null);
            findClientByClientId.update(representation);
            throw th;
        }
    }

    private static /* synthetic */ Object $deserializeLambda$(SerializedLambda serializedLambda) {
        String implMethodName = serializedLambda.getImplMethodName();
        boolean z = -1;
        switch (implMethodName.hashCode()) {
            case 448712859:
                if (implMethodName.equals("lambda$browserOfflineTokenLogoutFollowedByLoginSameSession$cb043bc4$1")) {
                    z = false;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                if (serializedLambda.getImplMethodKind() == 6 && serializedLambda.getFunctionalInterfaceClass().equals("org/keycloak/testsuite/runonserver/FetchOnServer") && serializedLambda.getFunctionalInterfaceMethodName().equals("run") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("(Lorg/keycloak/models/KeycloakSession;)Ljava/lang/Object;") && serializedLambda.getImplClass().equals("org/keycloak/testsuite/oauth/OfflineTokenTest") && serializedLambda.getImplMethodSignature().equals("(Lorg/keycloak/representations/RefreshToken;Lorg/keycloak/models/KeycloakSession;)Ljava/lang/Object;")) {
                    RefreshToken refreshToken = (RefreshToken) serializedLambda.getCapturedArg(0);
                    return keycloakSession -> {
                        return keycloakSession.sessions().getOfflineUserSession(keycloakSession.realms().getRealmByName("test"), refreshToken.getSessionState()).getId();
                    };
                }
                break;
        }
        throw new IllegalArgumentException("Invalid lambda deserialization");
    }
}
