package org.keycloak.testsuite.url;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.jboss.arquillian.container.test.api.ContainerController;
import org.jboss.arquillian.test.api.ArquillianResource;
import org.junit.Assert;
import org.junit.Test;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.client.registration.Auth;
import org.keycloak.client.registration.ClientRegistration;
import org.keycloak.client.registration.ClientRegistrationException;
import org.keycloak.common.util.UriUtils;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.models.BrowserSecurityHeaders;
import org.keycloak.protocol.oidc.representations.OIDCConfigurationRepresentation;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.representations.idm.ClientInitialAccessCreatePresentation;
import org.keycloak.representations.idm.ClientInitialAccessPresentation;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
import org.keycloak.testsuite.saml.ConcurrentAuthnRequestTest;
import org.keycloak.testsuite.util.AdminClientUtil;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.testsuite.util.ServerURLs;
import org.keycloak.testsuite.util.UserBuilder;

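/**
 * Checks which base URL the server advertises once a fixed frontend URL (and optionally a
 * separate admin URL) is configured, globally or through a realm's {@code frontendUrl} attribute.
 *
 * <p>Every request in these tests is sent to {@link OAuthClient#AUTH_SERVER_ROOT} (or, in one
 * helper, to a plain-HTTP URL built from the frontend host name), while the expected issuer,
 * endpoint URLs and admin-console values are the configured ones. The assertions therefore pin
 * that tokens, discovery metadata and the console's Content-Security-Policy follow configuration
 * rather than the address the request happened to arrive on.
 *
 * <p>{@code configureDefault(...)} and {@code reset()} are defined outside this file; their
 * arguments are presumably (frontend URL, force-backend-to-frontend flag, admin URL) — confirm
 * against {@code AbstractHostnameTest}.
 */
@AuthServerContainerExclude({AuthServerContainerExclude.AuthServer.REMOTE, AuthServerContainerExclude.AuthServer.QUARKUS})
public class DefaultHostnameTest extends AbstractHostnameTest {

    @ArquillianResource
    protected ContainerController controller;

    // Base URL expected for the back-channel endpoints (token, userinfo, certs, client
    // registration) in assertWellKnown; each test sets it before asserting.
    private String expectedBackendUrl;

    // Frontend URL applied server-wide through configureDefault(...).
    private final String globalFrontEndUrl = "https://keycloak.127.0.0.1.nip.io/custom";

    // Frontend URL stored as the "frontendUrl" attribute of the realm named "frontendUrl".
    private final String realmFrontEndUrl = "https://my-realm.127.0.0.1.nip.io";

    /**
     * Registers two realms, "test" and "frontendUrl", each with a confidential "direct-grant"
     * client and one user. The second realm additionally carries the realm-level
     * {@code frontendUrl} attribute.
     *
     * <p>The client secret and user password are fixed test fixtures.
     *
     * @param list collection the realm representations are appended to
     */
    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void addTestRealms(List<RealmRepresentation> list) {
        list.add(RealmBuilder.create()
                .name("test")
                .client(ClientBuilder.create()
                        .name("direct-grant")
                        .clientId("direct-grant")
                        .enabled(true)
                        .secret("password")
                        .directAccessGrants())
                .user(UserBuilder.create().username(AssertEvents.DEFAULT_USERNAME).password("password"))
                .build());
        list.add(RealmBuilder.create()
                .name("frontendUrl")
                .client(ClientBuilder.create()
                        .name("direct-grant")
                        .clientId("direct-grant")
                        .enabled(true)
                        .secret("password")
                        .directAccessGrants())
                .user(UserBuilder.create().username(AssertEvents.DEFAULT_USERNAME).password("password"))
                .attribute("frontendUrl", realmFrontEndUrl)
                .build());
    }

    /**
     * With a global frontend URL configured (backend not forced), front-channel URLs, token
     * issuers, the welcome page and the admin console must use the frontend URL, and the
     * realm-level {@code frontendUrl} attribute must take precedence for its realm.
     */
    @Test
    public void fixedFrontendUrl() throws Exception {
        expectedBackendUrl = OAuthClient.AUTH_SERVER_ROOT;
        oauth.clientId("direct-grant");

        // try-with-resources closes the admin client even when an assertion fails; the client is
        // closed before reset() runs in the finally block.
        try (Keycloak adminClient = AdminClientUtil.createAdminClient(
                suiteContext.isAdapterCompatTesting(), ServerURLs.getAuthServerContextRoot())) {
            // Baseline before any hostname configuration is applied.
            assertWellKnown("test", expectedBackendUrl);

            configureDefault(globalFrontEndUrl, false, null);

            assertWellKnown("test", globalFrontEndUrl);
            assertTokenIssuer("test", globalFrontEndUrl);
            assertInitialAccessTokenFromMasterRealm(adminClient, "test", globalFrontEndUrl);
            assertBackendForcedToFrontendWithMatchingHostname("test", globalFrontEndUrl);
            assertWelcomePage(globalFrontEndUrl);
            assertAdminPage("master", globalFrontEndUrl, globalFrontEndUrl);

            assertWellKnown("frontendUrl", realmFrontEndUrl);
            assertTokenIssuer("frontendUrl", realmFrontEndUrl);
            assertInitialAccessTokenFromMasterRealm(adminClient, "frontendUrl", realmFrontEndUrl);
            assertBackendForcedToFrontendWithMatchingHostname("frontendUrl", realmFrontEndUrl);
            assertAdminPage("frontendUrl", realmFrontEndUrl, realmFrontEndUrl);
        } finally {
            reset();
        }
    }

    /**
     * An empty realm-level {@code frontendUrl} attribute must behave like an unset one: discovery
     * metadata falls back to {@link OAuthClient#AUTH_SERVER_ROOT}.
     */
    @Test
    public void emptyRealmFrontendUrl() throws URISyntaxException {
        expectedBackendUrl = OAuthClient.AUTH_SERVER_ROOT;
        oauth.clientId("direct-grant");

        RealmResource realmResource = realmsResouce().realm("frontendUrl");
        RealmRepresentation realmRep = realmResource.toRepresentation();
        try {
            realmRep.getAttributes().put("frontendUrl", "");
            realmResource.update(realmRep);

            assertWellKnown("frontendUrl", OAuthClient.AUTH_SERVER_ROOT);
        } finally {
            // Restore the attribute so the other tests still see the realm-level frontend URL.
            realmRep.getAttributes().put("frontendUrl", realmFrontEndUrl);
            realmResource.update(realmRep);
        }
    }

    /**
     * With a separate admin URL configured, the welcome page link and the admin console must use
     * the admin URL, while {@code authServerUrl} stays on the respective frontend URL.
     */
    @Test
    public void fixedAdminUrl() throws Exception {
        final String adminUrl = "https://admin.127.0.0.1.nip.io/custom-admin";

        expectedBackendUrl = OAuthClient.AUTH_SERVER_ROOT;
        oauth.clientId("direct-grant");
        try {
            assertWellKnown("test", expectedBackendUrl);

            configureDefault(globalFrontEndUrl, false, adminUrl);

            assertWelcomePage(adminUrl);
            assertAdminPage("master", globalFrontEndUrl, adminUrl);
            assertAdminPage("frontendUrl", realmFrontEndUrl, adminUrl);
        } finally {
            reset();
        }
    }

    /**
     * With the backend forced to the frontend URL, back-channel endpoints must be advertised on
     * the frontend URL as well, for both the global and the realm-level setting.
     */
    @Test
    public void forceBackendUrlToFrontendUrl() throws Exception {
        expectedBackendUrl = OAuthClient.AUTH_SERVER_ROOT;
        oauth.clientId("direct-grant");

        // try-with-resources closes the admin client even when an assertion fails.
        try (Keycloak adminClient = AdminClientUtil.createAdminClient(
                suiteContext.isAdapterCompatTesting(), ServerURLs.getAuthServerContextRoot())) {
            assertWellKnown("test", expectedBackendUrl);

            configureDefault(globalFrontEndUrl, true, null);

            expectedBackendUrl = globalFrontEndUrl;
            assertWellKnown("test", globalFrontEndUrl);
            assertTokenIssuer("test", globalFrontEndUrl);
            assertInitialAccessTokenFromMasterRealm(adminClient, "test", globalFrontEndUrl);

            expectedBackendUrl = realmFrontEndUrl;
            assertWellKnown("frontendUrl", realmFrontEndUrl);
            assertTokenIssuer("frontendUrl", realmFrontEndUrl);
            assertInitialAccessTokenFromMasterRealm(adminClient, "frontendUrl", realmFrontEndUrl);
        } finally {
            reset();
        }
    }

    /**
     * Creates an initial access token through the admin client, registers a client with it, and
     * asserts that both the initial access token and the resulting registration access token
     * carry the expected issuer.
     *
     * <p>The admin client and the registration client both talk to the non-frontend server
     * address, so a matching issuer shows it is derived from the configured frontend URL.
     *
     * @param adminClient admin client used to create the initial access token
     * @param realm realm the tokens are created in
     * @param expectedFrontendUrl base URL the issuer must start with
     */
    private void assertInitialAccessTokenFromMasterRealm(Keycloak adminClient, String realm, String expectedFrontendUrl)
            throws JWSInputException, ClientRegistrationException {
        String expectedIssuer = expectedFrontendUrl + "/realms/" + realm;

        ClientInitialAccessCreatePresentation request = new ClientInitialAccessCreatePresentation();
        request.setCount(1);
        // NOTE(review): the expiration reuses a constant from an unrelated SAML test class; this
        // looks like a constant substituted when the class was reconstructed — confirm the value.
        request.setExpiration(Integer.valueOf(ConcurrentAuthnRequestTest.ITERATIONS));

        ClientInitialAccessPresentation initialAccess = adminClient.realm(realm).clientInitialAccess().create(request);
        JsonWebToken initialToken = new JWSInput(initialAccess.getToken()).readJsonContent(JsonWebToken.class);
        Assert.assertEquals(expectedIssuer, initialToken.getIssuer());

        ClientRegistration registration = ClientRegistration.create().url(OAuthClient.AUTH_SERVER_ROOT, realm).build();
        registration.auth(Auth.token(initialAccess.getToken()));

        ClientRepresentation newClient = new ClientRepresentation();
        newClient.setEnabled(true);

        String registrationAccessToken = registration.create(newClient).getRegistrationAccessToken();
        JsonWebToken registrationToken = new JWSInput(registrationAccessToken).readJsonContent(JsonWebToken.class);
        Assert.assertEquals(expectedIssuer, registrationToken.getIssuer());
    }

    /**
     * Obtains an access token with the password grant and asserts the expected issuer both in the
     * token itself and in the introspection response, which must also report the token as active.
     *
     * @param realm realm to authenticate against
     * @param expectedFrontendUrl base URL the issuer must start with
     */
    private void assertTokenIssuer(String realm, String expectedFrontendUrl) throws Exception {
        String expectedIssuer = expectedFrontendUrl + "/realms/" + realm;

        oauth.realm(realm);
        OAuthClient.AccessTokenResponse tokenResponse =
                oauth.doGrantAccessTokenRequest("password", AssertEvents.DEFAULT_USERNAME, "password");

        AccessToken accessToken = new JWSInput(tokenResponse.getAccessToken()).readJsonContent(AccessToken.class);
        Assert.assertEquals(expectedIssuer, accessToken.getIssuer());

        String introspectionJson = oauth.introspectAccessTokenWithClientCredential(
                oauth.getClientId(), "password", tokenResponse.getAccessToken());
        JsonNode introspection = new ObjectMapper().readTree(introspectionJson);
        Assert.assertTrue(introspection.get("active").asBoolean());
        Assert.assertEquals(expectedIssuer, introspection.get("iss").asText());
    }

    /**
     * Asserts the OIDC discovery document of a realm: issuer, authorization, logout and
     * check-session URLs must use the frontend URL; token, userinfo, certs and client
     * registration URLs must use {@link #expectedBackendUrl}.
     *
     * @param realm realm whose discovery document is requested
     * @param expectedFrontendUrl base URL expected for the front-channel endpoints
     */
    private void assertWellKnown(String realm, String expectedFrontendUrl) throws URISyntaxException {
        String frontendRealm = expectedFrontendUrl + "/realms/" + realm;
        String backendRealm = expectedBackendUrl + "/realms/" + realm;

        OIDCConfigurationRepresentation config = oauth.doWellKnownRequest(realm);

        Assert.assertEquals(frontendRealm, config.getIssuer());
        Assert.assertEquals(frontendRealm + "/protocol/openid-connect/auth", config.getAuthorizationEndpoint());
        Assert.assertEquals(backendRealm + "/protocol/openid-connect/token", config.getTokenEndpoint());
        Assert.assertEquals(backendRealm + "/protocol/openid-connect/userinfo", config.getUserinfoEndpoint());
        Assert.assertEquals(frontendRealm + "/protocol/openid-connect/logout", config.getLogoutEndpoint());
        Assert.assertEquals(backendRealm + "/protocol/openid-connect/certs", config.getJwksUri());
        Assert.assertEquals(frontendRealm + "/protocol/openid-connect/login-status-iframe.html", config.getCheckSessionIframe());
        Assert.assertEquals(backendRealm + "/clients-registrations/openid-connect", config.getRegistrationEndpoint());
    }

    /**
     * Requests the discovery document through a plain-HTTP URL whose host equals the frontend
     * URL's host and asserts that every advertised endpoint, back-channel ones included, uses
     * the frontend URL.
     *
     * <p>The OAuth client's base URL is restored in a {@code finally} block so that a failing
     * assertion does not leave later requests pointed at the temporary address.
     *
     * @param realm realm whose discovery document is requested
     * @param expectedFrontendUrl base URL expected for all endpoints
     */
    private void assertBackendForcedToFrontendWithMatchingHostname(String realm, String expectedFrontendUrl)
            throws URISyntaxException {
        String frontendHost = new URI(expectedFrontendUrl).getHost();
        String frontendRealm = expectedFrontendUrl + "/realms/" + realm;

        oauth.baseUrl("http://" + frontendHost + ":" + System.getProperty("auth.server.http.port") + "/auth");
        try {
            OIDCConfigurationRepresentation config = oauth.doWellKnownRequest(realm);

            Assert.assertEquals(frontendRealm, config.getIssuer());
            Assert.assertEquals(frontendRealm + "/protocol/openid-connect/auth", config.getAuthorizationEndpoint());
            Assert.assertEquals(frontendRealm + "/protocol/openid-connect/token", config.getTokenEndpoint());
            Assert.assertEquals(frontendRealm + "/protocol/openid-connect/userinfo", config.getUserinfoEndpoint());
            Assert.assertEquals(frontendRealm + "/protocol/openid-connect/logout", config.getLogoutEndpoint());
            Assert.assertEquals(frontendRealm + "/protocol/openid-connect/certs", config.getJwksUri());
            Assert.assertEquals(frontendRealm + "/protocol/openid-connect/login-status-iframe.html", config.getCheckSessionIframe());
            Assert.assertEquals(frontendRealm + "/clients-registrations/openid-connect", config.getRegistrationEndpoint());
        } finally {
            oauth.baseUrl(OAuthClient.AUTH_SERVER_ROOT);
        }
    }

    /**
     * Fetches the welcome page and asserts that its admin-console link points at the given URL.
     *
     * @param expectedAdminUrl base URL the {@code /admin/} link must start with
     */
    private void assertWelcomePage(String expectedAdminUrl) throws IOException {
        try (CloseableHttpClient httpClient = HttpClientBuilder.create().build()) {
            String welcomePage = SimpleHttp.doGet(OAuthClient.AUTH_SERVER_ROOT + "/", httpClient).asString();
            Assert.assertTrue(welcomePage.contains("<a href=\"" + expectedAdminUrl + "/admin/\">"));
        }
    }

    /**
     * Fetches a realm's admin console page and asserts the URLs embedded in it and the exact
     * Content-Security-Policy header.
     *
     * <p>The CSP is compared for equality, not containment: {@code frame-src} may be
     * {@code 'self'} only when the frontend and admin URLs match (ignoring case) and otherwise
     * must be exactly the origin of the frontend URL, so any widening of the policy fails here.
     *
     * @param realm realm whose admin console is requested
     * @param expectedFrontendUrl value expected for {@code authServerUrl}
     * @param expectedAdminUrl value expected for {@code authUrl}; its path prefixes the console
     *     and resource URLs
     */
    private void assertAdminPage(String realm, String expectedFrontendUrl, String expectedAdminUrl)
            throws IOException, URISyntaxException {
        try (CloseableHttpClient httpClient = HttpClientBuilder.create().build()) {
            SimpleHttp.Response response =
                    SimpleHttp.doGet(OAuthClient.AUTH_SERVER_ROOT + "/admin/" + realm + "/console/", httpClient).asResponse();
            String consolePage = response.asString();

            Assert.assertTrue(consolePage.contains("authServerUrl = '" + expectedFrontendUrl + "'"));
            Assert.assertTrue(consolePage.contains("authUrl = '" + expectedAdminUrl + "'"));
            Assert.assertTrue(consolePage.contains(
                    "consoleBaseUrl = '" + new URI(expectedAdminUrl).getPath() + "/admin/" + realm + "/console/'"));
            Assert.assertTrue(consolePage.contains(
                    "resourceUrl = '" + new URI(expectedAdminUrl).getPath() + "/resources/"));

            String csp = response.getFirstHeader(BrowserSecurityHeaders.CONTENT_SECURITY_POLICY.getHeaderName());
            if (expectedFrontendUrl.equalsIgnoreCase(expectedAdminUrl)) {
                Assert.assertEquals("frame-src 'self'; frame-ancestors 'self'; object-src 'none';", csp);
            } else {
                Assert.assertEquals(
                        "frame-src " + UriUtils.getOrigin(expectedFrontendUrl) + "; frame-ancestors 'self'; object-src 'none';",
                        csp);
            }
        }
    }
}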
