package org.keycloak.testsuite.x509;

import org.hamcrest.Matchers;
import org.jboss.arquillian.drone.api.annotation.Drone;
import org.junit.Assert;
import org.junit.Before;
import org.junit.ClassRule;
import org.junit.Test;
import org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.pages.AppPage;
import org.keycloak.testsuite.util.ContainerAssume;
import org.keycloak.testsuite.util.PhantomJSBrowser;
import org.openqa.selenium.WebDriver;

/* loaded from: input_file:org/keycloak/testsuite/x509/X509BrowserCRLTest.class */
/**
 * Browser-flow tests for X.509 client-certificate login with certificate revocation list (CRL)
 * checking switched on in the authenticator configuration.
 *
 * <p>The cases cover a CRL read from a file path, a CRL fetched from an HTTP URL, several CRL
 * sources in one setting, a CRL whose signature does not verify, and CRL locations taken from
 * distribution points instead of a configured path.
 *
 * <p>Security-relevant behaviour pinned here:
 * <ul>
 *   <li>A failed certificate check does not end the flow. The login form is shown with the X.509
 *       error and every "failed" case then completes a username/password login (see
 *       {@link #assertLoginFailedWithExpectedX509Error(String)}). The tests therefore assert that
 *       the revoked certificate is rejected as a credential, not that the account is locked out.
 *   <li>The HTTP CRL locations are plain {@code http://}, so the transport does not protect the
 *       list. {@link #loginFailedWithInvalidSignatureCRL()} checks that a CRL with a bad signature
 *       is reported as a validation failure rather than accepted.
 * </ul>
 */
public class X509BrowserCRLTest extends AbstractX509AuthenticationTest {

    // Class-level rule; presumably provides the responder behind the localhost:8889 CRL URLs
    // used below -- confirm in CRLRule.
    @ClassRule
    public static CRLRule crlRule = new CRLRule();

    // CRL locations fetched over HTTP by the authenticator under test.
    private static final String HTTP_EMPTY_CRL = "http://localhost:8889/empty.crl";
    private static final String HTTP_INTERMEDIATE_CA_CRL = "http://localhost:8889/intermediate-ca.crl";
    private static final String HTTP_INVALID_SIGNATURE_CRL = "http://localhost:8889/intermediate-ca-invalid-signature.crl";
    private static final String HTTP_INTERMEDIATE_CA_3_CRL = "http://localhost:8889/intermediate-ca-3.crl";
    // Two CRL locations in a single setting, joined with "##".
    private static final String HTTP_EMPTY_THEN_INTERMEDIATE_CRL = "http://localhost:8889/empty.crl##http://localhost:8889/intermediate-ca.crl";

    @Drone
    @PhantomJSBrowser
    private WebDriver phantomJS;

    /** Swaps the suite's default web driver for the injected PhantomJS driver before each test. */
    @Before
    public void replaceTheDefaultDriver() {
        replaceDefaultWebDriver(this.phantomJS);
    }

    /** An empty CRL read from a file path must not block certificate login. */
    @Test
    public void loginSuccessWithEmptyRevocationListFromFile() {
        // File-based CRL cases are not run when the auth server is Undertow.
        ContainerAssume.assumeNotAuthServerUndertow();
        x509BrowserLogin(
                crlModelForPath(AbstractX509AuthenticationTest.EMPTY_CRL_PATH),
                this.userId,
                AssertEvents.DEFAULT_USERNAME,
                AssertEvents.DEFAULT_USERNAME);
    }

    /** A file-based CRL that lists the client certificate must produce the "revoked" error. */
    @Test
    public void loginFailedWithIntermediateRevocationListFromFile() {
        // File-based CRL cases are not run when the auth server is Undertow.
        ContainerAssume.assumeNotAuthServerUndertow();
        installBrowserConfig(crlModelForPath(AbstractX509AuthenticationTest.INTERMEDIATE_CA_CRL_PATH));
        assertLoginFailedDueRevokedCertificate();
    }

    /** An empty CRL fetched over HTTP must not block certificate login. */
    @Test
    public void loginSuccessWithEmptyRevocationListFromHttp() {
        x509BrowserLogin(
                crlModelForPath(HTTP_EMPTY_CRL),
                this.userId,
                AssertEvents.DEFAULT_USERNAME,
                AssertEvents.DEFAULT_USERNAME);
    }

    /** A CRL fetched over HTTP that lists the client certificate must produce the "revoked" error. */
    @Test
    public void loginFailedWithIntermediateRevocationListFromHttp() {
        installBrowserConfig(crlModelForPath(HTTP_INTERMEDIATE_CA_CRL));
        assertLoginFailedDueRevokedCertificate();
    }

    /**
     * A CRL whose signature does not verify must surface as a certificate validation failure.
     * This is the integrity check that matters when the list is retrieved over plain HTTP.
     */
    @Test
    public void loginFailedWithInvalidSignatureCRL() {
        installBrowserConfig(crlModelForPath(HTTP_INVALID_SIGNATURE_CRL));
        assertLoginFailedWithExpectedX509Error("Certificate validation's failed.\nSignature length not correct");
    }

    /**
     * Certificate login succeeds against the intermediate-ca-3 CRL. Going by the test name, that
     * CRL is signed by an intermediate CA found in the truststore -- confirm against the fixtures.
     */
    @Test
    public void loginSuccessWithCRLSignedWithIntermediateCA3FromTruststore() {
        X509AuthenticatorConfigModel model = crlModelForPath(HTTP_INTERMEDIATE_CA_3_CRL);
        installBrowserConfig(model);
        x509BrowserLogin(model, this.userId, AssertEvents.DEFAULT_USERNAME, AssertEvents.DEFAULT_USERNAME);
    }

    /**
     * With two CRL locations configured, the empty list first and the revoking list second, the
     * login must still fail as revoked: the empty first list does not settle the outcome.
     */
    @Test
    public void loginWithMultipleRevocationLists() {
        installBrowserConfig(crlModelForPath(HTTP_EMPTY_THEN_INTERMEDIATE_CRL));
        assertLoginFailedDueRevokedCertificate();
    }

    /**
     * No CRL path is configured here; CRL distribution point lookup is enabled instead, and the
     * login must fail as revoked. Presumably the location comes from the client certificate's
     * distribution-point extension -- confirm against the test certificate.
     */
    @Test
    public void loginFailedWithRevocationListFromDistributionPoints() {
        installBrowserConfig(
                withEmailMapping(
                        new X509AuthenticatorConfigModel()
                                .setCRLEnabled(true)
                                .setCRLDistributionPointEnabled(true)));
        assertLoginFailedDueRevokedCertificate();
    }

    /** Builds the authenticator model used by most cases: CRL checking on, CRL read from {@code crlPath}. */
    private static X509AuthenticatorConfigModel crlModelForPath(String crlPath) {
        return withEmailMapping(
                new X509AuthenticatorConfigModel()
                        .setCRLEnabled(true)
                        .setCRLRelativePath(crlPath));
    }

    /**
     * Applies the settings every case shares: confirmation page allowed, identity taken from the
     * subject DN e-mail, and mapped to a user by username or e-mail.
     */
    private static X509AuthenticatorConfigModel withEmailMapping(X509AuthenticatorConfigModel model) {
        return model
                .setConfirmationPageAllowed(true)
                .setMappingSourceType(X509AuthenticatorConfigModel.MappingSourceType.SUBJECTDN_EMAIL)
                .setUserIdentityMapperType(X509AuthenticatorConfigModel.IdentityMapperType.USERNAME_EMAIL);
    }

    /** Registers {@code model} as "x509-browser-config" on the browser execution and checks a result came back. */
    private void installBrowserConfig(X509AuthenticatorConfigModel model) {
        Assert.assertNotNull(
                createConfig(
                        this.browserExecution.getId(),
                        newConfig("x509-browser-config", model.getConfig())));
    }

    /** Expects the login page to report that the client certificate has been revoked. */
    private void assertLoginFailedDueRevokedCertificate() {
        assertLoginFailedWithExpectedX509Error("Certificate validation's failed.\nCertificate has been revoked, certificate's subject:");
    }

    /**
     * Checks that certificate login was refused with the given error, then that the same user can
     * still sign in with username and password.
     *
     * @param expectedError text the error shown on the login page must contain
     */
    private void assertLoginFailedWithExpectedX509Error(String expectedError) {
        // The certificate check runs when the flow is opened; on failure the form is shown.
        this.loginConfirmationPage.open();
        this.loginPage.assertCurrent();

        Assert.assertNotNull(this.loginPage.getError());
        Assert.assertThat(this.loginPage.getError(), Matchers.containsString(expectedError));

        // Fallback: password login completes and yields an authorization code.
        this.loginPage.login(AssertEvents.DEFAULT_USERNAME, "password");
        Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, this.appPage.getRequestType());
        Assert.assertNotNull(this.oauth.getCurrentQuery().get("code"));

        this.events
                .expectLogin()
                .user(this.userId)
                .detail("username", AssertEvents.DEFAULT_USERNAME)
                .removeDetail("redirect_uri")
                .assertEvent();
    }
}
