package org.keycloak.testsuite.oauth;

import java.util.Collections;
import java.util.List;
import java.util.Map;
import org.jboss.arquillian.graphene.page.Page;
import org.junit.Assert;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.UserResource;
import org.keycloak.events.EventType;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.idm.EventRepresentation;
import org.keycloak.representations.idm.ProtocolMapperRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.AbstractAdminTest;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.pages.AccountApplicationsPage;
import org.keycloak.testsuite.pages.AppPage;
import org.keycloak.testsuite.pages.OAuthGrantPage;
import org.keycloak.testsuite.util.ClientManager;
import org.keycloak.testsuite.util.ProtocolMapperUtil;
import org.keycloak.testsuite.util.RoleBuilder;
import org.openqa.selenium.By;

/* loaded from: input_file:org/keycloak/testsuite/oauth/OAuthGrantTest.class */
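/**
 * Browser-driven tests for the OAuth consent ("grant") screen shown when the
 * {@code third-party} client asks a user of the {@code test} realm for access.
 *
 * <p>The tests cover the consent life cycle: the screen lists what is requested, accepting yields
 * an authorization code and a token, cancelling yields {@code access_denied}, an existing grant
 * suppresses the screen, newly added roles or mappers trigger a fresh prompt, and revoking the
 * grant brings the prompt back.
 *
 * <p>Realm fixtures created through the admin client are removed in {@code finally} blocks so a
 * failed assertion does not leave extra roles or mappers behind. NOTE(review): whether the realm
 * is re-imported between test methods is decided by {@link AbstractKeycloakTest} and is not
 * visible in this file.
 */
public class OAuthGrantTest extends AbstractKeycloakTest {
    public static final String THIRD_PARTY_APP = "third-party";
    public static final String REALM_NAME = "test";

    // Texts the consent screen is expected to show for the two roles requested by the client.
    private static final String ROLE_USER = "Have User privileges";
    private static final String ROLE_CUSTOMER = "Have Customer User privileges";

    // Fixtures created and removed by individual tests.
    private static final String NEW_ROLE = "new-role";
    private static final String FOO_ROLE = "foo-role";
    private static final String BAR_ROLE = "bar-role";
    private static final String GSS_MAPPER = "gss delegation credential";

    // Element id of the revoke control for the third-party client on the account applications page.
    private static final String REVOKE_ELEMENT_ID = "revoke-" + THIRD_PARTY_APP;

    @Rule
    public AssertEvents events = new AssertEvents(this);

    @Page
    protected OAuthGrantPage grantPage;

    @Page
    protected AccountApplicationsPage accountAppsPage;

    @Page
    protected AppPage appPage;

    /** Delegates to the superclass setup unchanged. */
    @Override
    public void beforeAbstractKeycloakTest() throws Exception {
        super.beforeAbstractKeycloakTest();
    }

    /**
     * Registers the realm loaded from the {@code /testrealm.json} classpath resource.
     *
     * @param list realms to be set up for this test class; the loaded realm is appended to it
     */
    @Override
    public void addTestRealms(List<RealmRepresentation> list) {
        list.add((RealmRepresentation) AbstractAdminTest.loadJson(getClass().getResourceAsStream("/testrealm.json"), RealmRepresentation.class));
    }

    /**
     * Accepting consent must produce an authorization code, a token bound to the login session,
     * and a grant that the user can revoke again from the account applications page.
     */
    @Test
    public void oauthGrantAcceptTest() {
        loginToConsentScreen();
        assertConsentScreenListsRequestedRoles();

        this.grantPage.accept();
        Assert.assertTrue(this.oauth.getCurrentQuery().containsKey("code"));
        EventRepresentation loginEvent = expectConsentGrantedLogin();
        String codeId = (String) loginEvent.getDetails().get("code_id");
        String sessionId = loginEvent.getSessionId();

        String accessToken = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "password").getAccessToken();
        Assert.assertNotNull(accessToken);
        AccessToken token = this.oauth.verifyToken(accessToken);
        Assert.assertEquals(sessionId, token.getSessionState());

        // The exact-size checks pin the token to one realm role and one client role, so a token
        // carrying more than that fails the test. Presumably these are the two roles listed on
        // the consent screen; confirm against testrealm.json.
        AccessToken.Access realmAccess = token.getRealmAccess();
        Assert.assertEquals(1L, realmAccess.getRoles().size());
        Assert.assertTrue(realmAccess.isUserInRole("user"));
        Map<String, AccessToken.Access> resourceAccess = token.getResourceAccess();
        Assert.assertEquals(1L, resourceAccess.size());
        AccessToken.Access defaultClientAccess = resourceAccess.get(AssertEvents.DEFAULT_CLIENT_ID);
        Assert.assertEquals(1L, defaultClientAccess.getRoles().size());
        Assert.assertTrue(defaultClientAccess.isUserInRole("customer-user"));

        this.events.expectCodeToToken(codeId, loginEvent.getSessionId()).client(THIRD_PARTY_APP).assertEvent();

        // The grant is listed with a revoke control, and the control disappears once revoked.
        this.accountAppsPage.open();
        Assert.assertEquals(1L, this.driver.findElements(By.id(REVOKE_ELEMENT_ID)).size());
        revokeThirdPartyGrant();
        Assert.assertEquals(0L, this.driver.findElements(By.id(REVOKE_ELEMENT_ID)).size());
    }

    /**
     * Cancelling consent must redirect back with {@code error=access_denied}, must not hand out
     * an authorization code, and must be recorded as a login error.
     */
    @Test
    public void oauthGrantCancelTest() {
        loginToConsentScreen();
        assertConsentScreenListsRequestedRoles();

        this.grantPage.cancel();
        Assert.assertTrue(this.oauth.getCurrentQuery().containsKey("error"));
        Assert.assertEquals("access_denied", this.oauth.getCurrentQuery().get("error"));
        // A denied request must never carry a code the client could redeem.
        Assert.assertFalse(this.oauth.getCurrentQuery().containsKey("code"));
        this.events.expectLogin().client(THIRD_PARTY_APP).error("rejected_by_user").removeDetail("consent").assertEvent();
    }

    /**
     * Once consent is stored, a second login goes straight to the application; after the grant is
     * revoked the consent screen must be shown again.
     */
    @Test
    public void oauthGrantNotShownWhenAlreadyGranted() {
        loginToConsentScreen();
        this.grantPage.accept();
        expectConsentGrantedLogin();

        // The account page must list what was consented to.
        this.accountAppsPage.open();
        AccountApplicationsPage.AppEntry granted = (AccountApplicationsPage.AppEntry) this.accountAppsPage.getApplications().get(THIRD_PARTY_APP);
        Assert.assertTrue(granted.getRolesGranted().contains(ROLE_USER));
        Assert.assertTrue(granted.getRolesGranted().contains("Have Customer User privileges in test-app"));
        Assert.assertTrue(granted.getProtocolMappersGranted().contains("Full name"));
        Assert.assertTrue(granted.getProtocolMappersGranted().contains("Email"));

        // Second login: no prompt, and the event records that stored consent was used.
        this.oauth.openLoginForm();
        this.appPage.assertCurrent();
        this.events.expectLogin().detail("auth_method", "openid-connect").detail("consent", "persistent_consent").removeDetail("username").client(THIRD_PARTY_APP).assertEvent();

        // After revocation the stored consent must no longer apply.
        this.accountAppsPage.open();
        revokeThirdPartyGrant();
        this.oauth.openLoginForm();
        this.grantPage.assertCurrent();
        assertConsentScreenListsRequestedRoles();
    }

    /**
     * A role and a protocol mapper added to the client after consent was requested must not be
     * covered by the existing grant: the user is prompted again, and only for the new items.
     */
    @Test
    public void oauthGrantAddAnotherRoleAndMapper() {
        this.oauth.clientId(THIRD_PARTY_APP);
        this.oauth.doLoginGrant(AssertEvents.DEFAULT_USERNAME, "password");
        // NOTE(review): the scope is set after the first login request was made, so it presumably
        // affects only the later openLoginForm() call; confirm why "grant_type" is used here.
        this.oauth.scope("grant_type");

        ProtocolMapperRepresentation gssMapper = ProtocolMapperUtil.createClaimMapper(GSS_MAPPER, "gss_delegation_credential", "gss_delegation_credential", "String", true, GSS_MAPPER, true, false);
        RealmResource realm = this.adminClient.realm(REALM_NAME);
        realm.roles().create(RoleBuilder.create().name(NEW_ROLE).build());
        RoleRepresentation newRole = realm.roles().get(NEW_ROLE).toRepresentation();
        try {
            ClientManager.realm(realm).clientId(THIRD_PARTY_APP).addProtocolMapper(gssMapper).addScopeMapping(newRole);
            try {
                ApiUtil.findUserByUsernameId(realm, AssertEvents.DEFAULT_USERNAME).roles().realmLevel().add(Collections.singletonList(newRole));

                // Accept the consent screen that was opened before the additions.
                this.grantPage.assertCurrent();
                this.grantPage.accept();
                expectConsentGrantedLogin();

                // The stored grant must not silently include the items added afterwards.
                this.accountAppsPage.open();
                AccountApplicationsPage.AppEntry firstGrant = (AccountApplicationsPage.AppEntry) this.accountAppsPage.getApplications().get(THIRD_PARTY_APP);
                Assert.assertFalse(firstGrant.getRolesGranted().contains(NEW_ROLE));
                Assert.assertFalse(firstGrant.getProtocolMappersGranted().contains(GSS_MAPPER));

                // The next login prompts again and lists only what has not been consented to yet.
                // These are substring checks over the whole page source.
                this.oauth.openLoginForm();
                this.grantPage.assertCurrent();
                Assert.assertFalse(this.driver.getPageSource().contains(ROLE_USER));
                Assert.assertFalse(this.driver.getPageSource().contains("Full name"));
                Assert.assertTrue(this.driver.getPageSource().contains(NEW_ROLE));
                Assert.assertTrue(this.driver.getPageSource().contains(GSS_MAPPER));
                this.grantPage.accept();
                expectConsentGrantedLogin();

                // After the second consent the grant covers the new role and mapper.
                this.accountAppsPage.open();
                AccountApplicationsPage.AppEntry secondGrant = (AccountApplicationsPage.AppEntry) this.accountAppsPage.getApplications().get(THIRD_PARTY_APP);
                Assert.assertTrue(secondGrant.getRolesGranted().contains(NEW_ROLE));
                Assert.assertTrue(secondGrant.getProtocolMappersGranted().contains(GSS_MAPPER));
                revokeThirdPartyGrant();
            } finally {
                ClientManager.realm(realm).clientId(THIRD_PARTY_APP).removeProtocolMapper(GSS_MAPPER).removeScopeMapping(newRole);
            }
        } finally {
            // Runs even when the mapper cleanup above throws.
            realm.roles().deleteRole(NEW_ROLE);
        }
    }

    /**
     * Roles created with {@code scopeParamRequired(true)} must stay off the consent screen unless
     * the request names them in the {@code scope} parameter.
     */
    @Test
    public void oauthGrantScopeParamRequired() throws Exception {
        RealmResource realm = this.adminClient.realm(REALM_NAME);
        ClientResource thirdParty = ApiUtil.findClientByClientId(realm, THIRD_PARTY_APP);

        thirdParty.roles().create(RoleBuilder.create().id(BAR_ROLE).name(BAR_ROLE).scopeParamRequired(true).build());
        try {
            RoleRepresentation barRole = thirdParty.roles().get(BAR_ROLE).toRepresentation();
            realm.roles().create(RoleBuilder.create().id(FOO_ROLE).name(FOO_ROLE).scopeParamRequired(true).build());
            try {
                RoleRepresentation fooRole = realm.roles().get(FOO_ROLE).toRepresentation();
                ClientManager.realm(realm).clientId(THIRD_PARTY_APP).addScopeMapping(fooRole);
                UserResource user = ApiUtil.findUserByUsernameId(realm, AssertEvents.DEFAULT_USERNAME);
                user.roles().clientLevel(thirdParty.toRepresentation().getId()).add(Collections.singletonList(barRole));
                user.roles().realmLevel().add(Collections.singletonList(fooRole));

                // Without the scope parameter neither role may be offered for consent.
                loginToConsentScreen();
                Assert.assertFalse(this.driver.getPageSource().contains(FOO_ROLE));
                Assert.assertFalse(this.driver.getPageSource().contains(BAR_ROLE));
                this.grantPage.cancel();
                this.events.expectLogin().client(THIRD_PARTY_APP).error("rejected_by_user").removeDetail("consent").assertEvent();

                // Naming both roles in the scope parameter makes them appear.
                this.oauth.scope(FOO_ROLE + " " + THIRD_PARTY_APP + "/" + BAR_ROLE);
                this.oauth.doLoginGrant(AssertEvents.DEFAULT_USERNAME, "password");
                this.grantPage.assertCurrent();
                Assert.assertTrue(this.driver.getPageSource().contains(FOO_ROLE));
                Assert.assertTrue(this.driver.getPageSource().contains(BAR_ROLE));
                this.grantPage.accept();
                expectConsentGrantedLogin();

                this.accountAppsPage.open();
                revokeThirdPartyGrant();
            } finally {
                realm.roles().deleteRole(FOO_ROLE);
            }
        } finally {
            thirdParty.roles().deleteRole(BAR_ROLE);
        }
    }

    /** Logs the default test user in through the third-party client and expects the consent screen. */
    private void loginToConsentScreen() {
        this.oauth.clientId(THIRD_PARTY_APP);
        this.oauth.doLoginGrant(AssertEvents.DEFAULT_USERNAME, "password");
        this.grantPage.assertCurrent();
    }

    /** Asserts that the current page source contains the texts for both requested roles. */
    private void assertConsentScreenListsRequestedRoles() {
        Assert.assertTrue(this.driver.getPageSource().contains(ROLE_USER));
        Assert.assertTrue(this.driver.getPageSource().contains(ROLE_CUSTOMER));
    }

    /** Asserts the login event that records consent as granted for the third-party client. */
    private EventRepresentation expectConsentGrantedLogin() {
        return this.events.expectLogin().client(THIRD_PARTY_APP).detail("consent", "consent_granted").assertEvent();
    }

    /**
     * Revokes the third-party grant on the already opened account applications page and asserts
     * the matching {@code REVOKE_GRANT} event.
     */
    private void revokeThirdPartyGrant() {
        this.accountAppsPage.revokeGrant(THIRD_PARTY_APP);
        this.events.expect(EventType.REVOKE_GRANT).client("account").detail("revoked_client", THIRD_PARTY_APP).assertEvent();
    }
}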
