package org.keycloak.testsuite.oauth;

import java.util.List;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.Entity;
import javax.ws.rs.client.WebTarget;
import javax.ws.rs.core.Form;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import org.hamcrest.Matchers;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.common.enums.SslRequired;
import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.RefreshToken;
import org.keycloak.representations.idm.EventRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.AbstractAdminTest;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.util.ClientManager;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.testsuite.util.RealmManager;
import org.keycloak.util.BasicAuthHelper;

/* loaded from: input_file:org/keycloak/testsuite/oauth/RefreshTokenTest.class */
public class RefreshTokenTest extends AbstractKeycloakTest {

    @Rule
    public AssertEvents events = new AssertEvents(this);
    String privateKey;
    String publicKey;

    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void beforeAbstractKeycloakTest() throws Exception {
        super.beforeAbstractKeycloakTest();
    }

    @Before
    public void clientConfiguration() {
        ClientManager.realm(this.adminClient.realm("test")).clientId(AssertEvents.DEFAULT_CLIENT_ID).directAccessGrant(true);
    }

    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void addTestRealms(List<RealmRepresentation> list) {
        list.add(RealmBuilder.edit((RealmRepresentation) AbstractAdminTest.loadJson(getClass().getResourceAsStream("/testrealm.json"), RealmRepresentation.class)).testEventListener().build());
    }

    @Test
    public void nullRefreshToken() throws Exception {
        Response post = ClientBuilder.newClient().target(OIDCLoginProtocolService.tokenUrl(UriBuilder.fromUri(OAuthClient.AUTH_SERVER_ROOT)).build(new Object[]{"test"})).request().header("Authorization", BasicAuthHelper.createHeader(AssertEvents.DEFAULT_CLIENT_ID, "password")).post(Entity.form(new Form()));
        Assert.assertEquals(400L, post.getStatus());
        post.close();
        this.events.clear();
    }

    @Test
    public void invalidRefreshToken() throws Exception {
        OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest("invalid", "password");
        Assert.assertEquals(400L, doRefreshTokenRequest.getStatusCode());
        Assert.assertEquals("invalid_grant", doRefreshTokenRequest.getError());
        this.events.clear();
    }

    @Test
    public void refreshTokenRequest() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        EventRepresentation assertEvent = this.events.expectLogin().assertEvent();
        String sessionId = assertEvent.getSessionId();
        String str = (String) assertEvent.getDetails().get("code_id");
        OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password");
        AccessToken verifyToken = this.oauth.verifyToken(doAccessTokenRequest.getAccessToken());
        String refreshToken = doAccessTokenRequest.getRefreshToken();
        RefreshToken verifyRefreshToken = this.oauth.verifyRefreshToken(refreshToken);
        EventRepresentation assertEvent2 = this.events.expectCodeToToken(str, sessionId).assertEvent();
        Assert.assertNotNull(refreshToken);
        Assert.assertEquals("bearer", doAccessTokenRequest.getTokenType());
        Assert.assertThat(Integer.valueOf(verifyToken.getExpiration() - getCurrentTime()), Matchers.allOf(Matchers.greaterThanOrEqualTo(200), Matchers.lessThanOrEqualTo(350)));
        Assert.assertThat(Integer.valueOf(verifyRefreshToken.getExpiration() - getCurrentTime()), Matchers.allOf(Matchers.greaterThanOrEqualTo(1799), Matchers.lessThanOrEqualTo(1800)));
        Assert.assertEquals(sessionId, verifyRefreshToken.getSessionState());
        setTimeOffset(2);
        OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(refreshToken, "password");
        AccessToken verifyToken2 = this.oauth.verifyToken(doRefreshTokenRequest.getAccessToken());
        RefreshToken verifyRefreshToken2 = this.oauth.verifyRefreshToken(doRefreshTokenRequest.getRefreshToken());
        Assert.assertEquals(200L, doRefreshTokenRequest.getStatusCode());
        Assert.assertEquals(sessionId, verifyToken2.getSessionState());
        Assert.assertEquals(sessionId, verifyRefreshToken2.getSessionState());
        Assert.assertThat(Integer.valueOf(doRefreshTokenRequest.getExpiresIn()), Matchers.allOf(Matchers.greaterThanOrEqualTo(250), Matchers.lessThanOrEqualTo(300)));
        Assert.assertThat(Integer.valueOf(verifyToken2.getExpiration() - getCurrentTime()), Matchers.allOf(Matchers.greaterThanOrEqualTo(250), Matchers.lessThanOrEqualTo(300)));
        Assert.assertThat(Integer.valueOf(verifyToken2.getExpiration() - verifyToken.getExpiration()), Matchers.allOf(Matchers.greaterThanOrEqualTo(1), Matchers.lessThanOrEqualTo(10)));
        Assert.assertThat(Integer.valueOf(verifyRefreshToken2.getExpiration() - verifyRefreshToken.getExpiration()), Matchers.allOf(Matchers.greaterThanOrEqualTo(1), Matchers.lessThanOrEqualTo(10)));
        Assert.assertNotEquals(verifyToken.getId(), verifyToken2.getId());
        Assert.assertNotEquals(verifyRefreshToken.getId(), verifyRefreshToken2.getId());
        Assert.assertEquals("bearer", doRefreshTokenRequest.getTokenType());
        Assert.assertEquals(ApiUtil.findUserByUsername(this.adminClient.realm("test"), AssertEvents.DEFAULT_USERNAME).getId(), verifyToken2.getSubject());
        Assert.assertNotEquals(AssertEvents.DEFAULT_USERNAME, verifyToken2.getSubject());
        Assert.assertEquals(1L, verifyToken2.getRealmAccess().getRoles().size());
        Assert.assertTrue(verifyToken2.getRealmAccess().isUserInRole("user"));
        Assert.assertEquals(1L, verifyToken2.getResourceAccess(this.oauth.getClientId()).getRoles().size());
        Assert.assertTrue(verifyToken2.getResourceAccess(this.oauth.getClientId()).isUserInRole("customer-user"));
        EventRepresentation assertEvent3 = this.events.expectRefresh((String) assertEvent2.getDetails().get("refresh_token_id"), sessionId).assertEvent();
        Assert.assertNotEquals(assertEvent2.getDetails().get("token_id"), assertEvent3.getDetails().get("token_id"));
        Assert.assertNotEquals(assertEvent2.getDetails().get("refresh_token_id"), assertEvent3.getDetails().get("updated_refresh_token_id"));
        setTimeOffset(0);
    }

    @Test
    public void refreshTokenReuseTokenWithoutRefreshTokensRevoked() throws Exception {
        try {
            this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            EventRepresentation assertEvent = this.events.expectLogin().assertEvent();
            String sessionId = assertEvent.getSessionId();
            String str = (String) assertEvent.getDetails().get("code_id");
            RefreshToken verifyRefreshToken = this.oauth.verifyRefreshToken(this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password").getRefreshToken());
            this.events.expectCodeToToken(str, sessionId).assertEvent();
            setTimeOffset(2);
            Assert.assertEquals(200L, this.oauth.doRefreshTokenRequest(r0.getRefreshToken(), "password").getStatusCode());
            this.events.expectRefresh(verifyRefreshToken.getId(), sessionId).assertEvent();
            Assert.assertEquals(200L, this.oauth.doRefreshTokenRequest(r0.getRefreshToken(), "password").getStatusCode());
            this.events.expectRefresh(verifyRefreshToken.getId(), sessionId).assertEvent();
            setTimeOffset(0);
        } catch (Throwable th) {
            setTimeOffset(0);
            throw th;
        }
    }

    @Test
    public void refreshTokenReuseTokenWithRefreshTokensRevoked() throws Exception {
        try {
            RealmManager.realm(this.adminClient.realm("test")).revokeRefreshToken(true);
            this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
            EventRepresentation assertEvent = this.events.expectLogin().assertEvent();
            String sessionId = assertEvent.getSessionId();
            String str = (String) assertEvent.getDetails().get("code_id");
            OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password");
            RefreshToken verifyRefreshToken = this.oauth.verifyRefreshToken(doAccessTokenRequest.getRefreshToken());
            this.events.expectCodeToToken(str, sessionId).assertEvent();
            setTimeOffset(2);
            OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(doAccessTokenRequest.getRefreshToken(), "password");
            RefreshToken verifyRefreshToken2 = this.oauth.verifyRefreshToken(doRefreshTokenRequest.getRefreshToken());
            Assert.assertEquals(200L, doRefreshTokenRequest.getStatusCode());
            this.events.expectRefresh(verifyRefreshToken.getId(), sessionId).assertEvent();
            Assert.assertEquals(400L, this.oauth.doRefreshTokenRequest(doAccessTokenRequest.getRefreshToken(), "password").getStatusCode());
            this.events.expectRefresh(verifyRefreshToken.getId(), sessionId).removeDetail("token_id").removeDetail("updated_refresh_token_id").error("invalid_token").assertEvent();
            this.oauth.doRefreshTokenRequest(doRefreshTokenRequest.getRefreshToken(), "password");
            this.events.expectRefresh(verifyRefreshToken2.getId(), sessionId).assertEvent();
            setTimeOffset(0);
            RealmManager.realm(this.adminClient.realm("test")).revokeRefreshToken(false);
        } catch (Throwable th) {
            setTimeOffset(0);
            RealmManager.realm(this.adminClient.realm("test")).revokeRefreshToken(false);
            throw th;
        }
    }

    @Test
    public void refreshTokenRealmKeysChanged() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        EventRepresentation assertEvent = this.events.expectLogin().assertEvent();
        String sessionId = assertEvent.getSessionId();
        String str = (String) assertEvent.getDetails().get("code_id");
        String refreshToken = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password").getRefreshToken();
        RefreshToken verifyRefreshToken = this.oauth.verifyRefreshToken(refreshToken);
        this.events.expectCodeToToken(str, sessionId).assertEvent();
        try {
            RealmManager.realm(this.adminClient.realm("test")).generateKeys();
            OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(refreshToken, "password");
            Assert.assertEquals(400L, doRefreshTokenRequest.getStatusCode());
            Assert.assertEquals("invalid_grant", doRefreshTokenRequest.getError());
            this.events.expectRefresh(verifyRefreshToken.getId(), sessionId).user((String) null).session((String) null).clearDetails().error("invalid_token").assertEvent();
            RealmManager.realm(this.adminClient.realm("test")).keyPair(this.privateKey, this.publicKey);
        } catch (Throwable th) {
            RealmManager.realm(this.adminClient.realm("test")).keyPair(this.privateKey, this.publicKey);
            throw th;
        }
    }

    @Test
    public void refreshTokenClientDisabled() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        EventRepresentation assertEvent = this.events.expectLogin().assertEvent();
        String sessionId = assertEvent.getSessionId();
        String str = (String) assertEvent.getDetails().get("code_id");
        String refreshToken = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password").getRefreshToken();
        RefreshToken verifyRefreshToken = this.oauth.verifyRefreshToken(refreshToken);
        this.events.expectCodeToToken(str, sessionId).assertEvent();
        try {
            ClientManager.realm(this.adminClient.realm("test")).clientId(this.oauth.getClientId()).enabled(false);
            OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(refreshToken, "password");
            Assert.assertEquals(400L, doRefreshTokenRequest.getStatusCode());
            Assert.assertEquals("invalid_client", doRefreshTokenRequest.getError());
            this.events.expectRefresh(verifyRefreshToken.getId(), sessionId).user((String) null).session((String) null).clearDetails().error("client_disabled").assertEvent();
            ClientManager.realm(this.adminClient.realm("test")).clientId(this.oauth.getClientId()).enabled(true);
        } catch (Throwable th) {
            ClientManager.realm(this.adminClient.realm("test")).clientId(this.oauth.getClientId()).enabled(true);
            throw th;
        }
    }

    @Test
    public void refreshTokenUserSessionExpired() {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        String sessionId = this.events.expectLogin().assertEvent().getSessionId();
        OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password");
        this.events.poll();
        String id = this.oauth.verifyRefreshToken(doAccessTokenRequest.getRefreshToken()).getId();
        this.testingClient.testing().removeUserSession("test", sessionId);
        OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(doAccessTokenRequest.getRefreshToken(), "password");
        Assert.assertEquals(400L, doRefreshTokenRequest.getStatusCode());
        Assert.assertNull(doRefreshTokenRequest.getAccessToken());
        Assert.assertNull(doRefreshTokenRequest.getRefreshToken());
        this.events.expectRefresh(id, sessionId).error("invalid_token");
        this.events.clear();
    }

    @Test
    public void testUserSessionRefreshAndIdle() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        String sessionId = this.events.expectLogin().assertEvent().getSessionId();
        OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password");
        this.events.poll();
        String id = this.oauth.verifyRefreshToken(doAccessTokenRequest.getRefreshToken()).getId();
        int intValue = this.testingClient.testing().getLastSessionRefresh("test", sessionId).intValue();
        setTimeOffset(2);
        OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(doAccessTokenRequest.getRefreshToken(), "password");
        this.oauth.verifyToken(doRefreshTokenRequest.getAccessToken());
        this.oauth.verifyRefreshToken(doRefreshTokenRequest.getRefreshToken());
        Assert.assertEquals(200L, doRefreshTokenRequest.getStatusCode());
        Assert.assertNotEquals(intValue, this.testingClient.testing().getLastSessionRefresh("test", sessionId).intValue());
        RealmResource realm = this.adminClient.realm("test");
        int intValue2 = realm.toRepresentation().getAccessTokenLifespan().intValue();
        RealmManager.realm(realm).accessTokenLifespan(100000);
        setTimeOffset(4);
        OAuthClient.AccessTokenResponse doRefreshTokenRequest2 = this.oauth.doRefreshTokenRequest(doRefreshTokenRequest.getRefreshToken(), "password");
        Assert.assertThat(Integer.valueOf(this.testingClient.testing().getLastSessionRefresh("test", sessionId).intValue()), Matchers.allOf(Matchers.greaterThan(Integer.valueOf(intValue)), Matchers.lessThan(Integer.valueOf(intValue + 50))));
        int intValue3 = realm.toRepresentation().getSsoSessionIdleTimeout().intValue();
        RealmManager.realm(realm).ssoSessionIdleTimeout(1);
        this.events.clear();
        setTimeOffset(6);
        OAuthClient.AccessTokenResponse doRefreshTokenRequest3 = this.oauth.doRefreshTokenRequest(doRefreshTokenRequest2.getRefreshToken(), "password");
        Assert.assertEquals(400L, doRefreshTokenRequest3.getStatusCode());
        Assert.assertNull(doRefreshTokenRequest3.getAccessToken());
        Assert.assertNull(doRefreshTokenRequest3.getRefreshToken());
        this.events.expectRefresh(id, sessionId).error("invalid_token");
        RealmManager.realm(realm).ssoSessionIdleTimeout(intValue3).accessTokenLifespan(intValue2);
        this.events.clear();
        setTimeOffset(0);
    }

    @Test
    public void refreshTokenUserSessionMaxLifespan() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        String sessionId = this.events.expectLogin().assertEvent().getSessionId();
        OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password");
        this.events.poll();
        String id = this.oauth.verifyRefreshToken(doAccessTokenRequest.getRefreshToken()).getId();
        RealmResource realm = this.adminClient.realm("test");
        Integer ssoSessionMaxLifespan = realm.toRepresentation().getSsoSessionMaxLifespan();
        RealmManager.realm(realm).ssoSessionMaxLifespan(1);
        setTimeOffset(1);
        OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(doAccessTokenRequest.getRefreshToken(), "password");
        Assert.assertEquals(400L, doRefreshTokenRequest.getStatusCode());
        Assert.assertNull(doRefreshTokenRequest.getAccessToken());
        Assert.assertNull(doRefreshTokenRequest.getRefreshToken());
        RealmManager.realm(realm).ssoSessionMaxLifespan(ssoSessionMaxLifespan.intValue());
        this.events.expectRefresh(id, sessionId).error("invalid_token");
        this.events.clear();
        setTimeOffset(0);
    }

    @Test
    public void testCheckSsl() throws Exception {
        Client newClient = ClientBuilder.newClient();
        WebTarget target = newClient.target(OIDCLoginProtocolService.tokenUrl(UriBuilder.fromUri(OAuthClient.AUTH_SERVER_ROOT)).build(new Object[]{"test"}));
        WebTarget target2 = newClient.target(OIDCLoginProtocolService.tokenUrl(UriBuilder.fromUri(OAuthClient.AUTH_SERVER_ROOT)).build(new Object[]{"test"}));
        Response executeGrantAccessTokenRequest = executeGrantAccessTokenRequest(target);
        Assert.assertEquals(200L, executeGrantAccessTokenRequest.getStatus());
        String refreshToken = ((AccessTokenResponse) executeGrantAccessTokenRequest.readEntity(AccessTokenResponse.class)).getRefreshToken();
        executeGrantAccessTokenRequest.close();
        Response executeRefreshToken = executeRefreshToken(target2, refreshToken);
        Assert.assertEquals(200L, executeRefreshToken.getStatus());
        String refreshToken2 = ((AccessTokenResponse) executeRefreshToken.readEntity(AccessTokenResponse.class)).getRefreshToken();
        executeRefreshToken.close();
        RealmResource realm = this.adminClient.realm("test");
        RealmManager.realm(realm).sslRequired(SslRequired.ALL.toString());
        Response executeRefreshToken2 = executeRefreshToken(target2, refreshToken2);
        Assert.assertEquals(403L, executeRefreshToken2.getStatus());
        executeRefreshToken2.close();
        RealmManager.realm(realm).sslRequired(SslRequired.EXTERNAL.toString());
        Response executeRefreshToken3 = executeRefreshToken(target2, refreshToken2);
        Assert.assertEquals(200L, executeRefreshToken3.getStatus());
        ((AccessTokenResponse) executeRefreshToken3.readEntity(AccessTokenResponse.class)).getRefreshToken();
        executeRefreshToken3.close();
        newClient.close();
        this.events.clear();
    }

    protected Response executeRefreshToken(WebTarget webTarget, String str) {
        String createHeader = BasicAuthHelper.createHeader(AssertEvents.DEFAULT_CLIENT_ID, "password");
        Form form = new Form();
        form.param("grant_type", "refresh_token");
        form.param("refresh_token", str);
        return webTarget.request().header("Authorization", createHeader).post(Entity.form(form));
    }

    protected Response executeGrantAccessTokenRequest(WebTarget webTarget) {
        String createHeader = BasicAuthHelper.createHeader(AssertEvents.DEFAULT_CLIENT_ID, "password");
        Form form = new Form();
        form.param("grant_type", "password").param("username", AssertEvents.DEFAULT_USERNAME).param("password", "password");
        return webTarget.request().header("Authorization", createHeader).post(Entity.form(form));
    }
}
