package org.keycloak.testsuite.admin;

import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import javax.ws.rs.ClientErrorException;
import javax.ws.rs.core.Response;
import org.junit.Assert;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.Config;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.UserResource;
import org.keycloak.events.EventType;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.ImpersonationConstants;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.idm.EventRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.arquillian.AuthServerTestEnricher;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.CredentialBuilder;
import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.testsuite.util.UserBuilder;

/* loaded from: input_file:org/keycloak/testsuite/admin/ImpersonationTest.class */
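/**
 * Authorization tests for the admin "impersonate user" endpoint.
 *
 * <p>Every test tries to impersonate one fixed user of the {@code test} realm, acting as admin
 * accounts that hold different role sets. The positive cases expect a redirect in the response
 * and an {@code IMPERSONATE} event that records who the impersonator was. The negative cases
 * expect the server to answer 403.
 *
 * <p>Accounts and the literal password {@code "password"} are test fixtures only.
 */
public class ImpersonationTest extends AbstractKeycloakTest {

    @Rule
    public AssertEvents events = new AssertEvents(this);

    // Id of the user every test attempts to impersonate; generated in addTestRealms.
    private String impersonatedUserId;

    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void beforeAbstractKeycloakTest() throws Exception {
        super.beforeAbstractKeycloakTest();
    }

    /**
     * Builds the {@code test} realm used by all cases.
     *
     * <p>Role assignments are the point of the fixture:
     * <ul>
     *   <li>{@code realm-admin}: realm-admin role, expected to be allowed;</li>
     *   <li>{@code impersonator}: impersonation + view-users, expected to be allowed;</li>
     *   <li>{@code bad-impersonator}: manage-users only, expected to be refused. This checks
     *       that user-management rights alone do not grant impersonation.</li>
     * </ul>
     *
     * @param list collection the realm representation is appended to
     */
    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void addTestRealms(List<RealmRepresentation> list) {
        RealmBuilder realm = RealmBuilder.create().name("test").testEventListener();
        realm.client(ClientBuilder.create().clientId("myclient").publicClient().directAccessGrants());

        this.impersonatedUserId = KeycloakModelUtils.generateId();
        realm.user(UserBuilder.create().id(this.impersonatedUserId).username(AssertEvents.DEFAULT_USERNAME));

        realm.user(UserBuilder.create().username("realm-admin").password("password")
                .role("realm-management", AdminRoles.REALM_ADMIN));
        realm.user(UserBuilder.create().username("impersonator").password("password")
                .role("realm-management", ImpersonationConstants.IMPERSONATION_ROLE)
                .role("realm-management", AdminRoles.VIEW_USERS));
        realm.user(UserBuilder.create().username("bad-impersonator").password("password")
                .role("realm-management", AdminRoles.MANAGE_USERS));

        list.add(realm.build());
    }

    @Test
    public void testImpersonateByMasterAdmin() {
        testSuccessfulImpersonation("admin", Config.getAdminRealm());
    }

    /**
     * A master-realm user holding only view-users and impersonation on the {@code test-realm}
     * client may impersonate users of the {@code test} realm.
     */
    @Test
    public void testImpersonateByMasterImpersonator() {
        String userId = createMasterUser("master-impersonator");
        try {
            UserResource user = this.adminClient.realm("master").users().get(userId);
            ClientResource testRealmClient =
                    ApiUtil.findClientResourceByClientId(this.adminClient.realm("master"), "test-realm");

            // Raw list kept on purpose: the role representation type is not imported in this file.
            LinkedList roles = new LinkedList();
            roles.add(ApiUtil.findClientRoleByName(testRealmClient, AdminRoles.VIEW_USERS).toRepresentation());
            roles.add(ApiUtil.findClientRoleByName(testRealmClient, ImpersonationConstants.IMPERSONATION_ROLE).toRepresentation());
            user.roles().clientLevel(testRealmClient.toRepresentation().getId()).add(roles);

            testSuccessfulImpersonation("master-impersonator", Config.getAdminRealm());
        } finally {
            // Remove the privileged account even when the assertions fail, so it cannot
            // leak into later tests that share the master realm.
            this.adminClient.realm("master").users().get(userId).remove();
        }
    }

    @Test
    public void testImpersonateByTestImpersonator() {
        testSuccessfulImpersonation("impersonator", "test");
    }

    @Test
    public void testImpersonateByTestAdmin() {
        testSuccessfulImpersonation("realm-admin", "test");
    }

    @Test
    public void testImpersonateByTestBadImpersonator() {
        testForbiddenImpersonation("bad-impersonator", "test");
    }

    /**
     * A master-realm user with no roles on the {@code test-realm} client must be refused.
     */
    @Test
    public void testImpersonateByMastertBadImpersonator() {
        String userId = createMasterUser("master-bad-impersonator");
        try {
            testForbiddenImpersonation("master-bad-impersonator", Config.getAdminRealm());
        } finally {
            this.adminClient.realm("master").users().get(userId).remove();
        }
    }

    /**
     * Logs in as the given admin and asserts that impersonating the fixture user succeeds.
     *
     * <p>Success means a non-null response carrying a {@code redirect} entry, plus an
     * {@code IMPERSONATE} event whose details name the impersonator and the realm they
     * authenticated in.
     *
     * @param username admin account performing the impersonation
     * @param realm realm that account authenticates against
     */
    protected void testSuccessfulImpersonation(String username, String realm) {
        Keycloak client = login(username, realm);
        try {
            Map<?, ?> result = client.realms().realm("test").users().get(this.impersonatedUserId).impersonate();
            Assert.assertNotNull(result);
            Assert.assertNotNull(result.get("redirect"));
            this.events.expect(EventType.IMPERSONATE)
                    .session(AssertEvents.isUUID())
                    .user(this.impersonatedUserId)
                    .detail("impersonator", username)
                    .detail("impersonator_realm", realm)
                    .client((String) null)
                    .assertEvent();
        } finally {
            client.close();
        }
    }

    /**
     * Asserts that the given admin is refused when trying to impersonate the fixture user.
     *
     * <p>The test fails when the call returns normally: an authorization check that stopped
     * rejecting the request must not pass unnoticed. The refusal is checked against the HTTP
     * status of the response rather than the exception message text.
     *
     * @param username admin account attempting the impersonation
     * @param realm realm that account authenticates against
     */
    protected void testForbiddenImpersonation(String username, String realm) {
        Keycloak client = createAdminClient(realm, establishClientId(realm), username);
        try {
            client.realms().realm("test").users().get(this.impersonatedUserId).impersonate();
            // AssertionError is not a ClientErrorException, so it propagates past the catch below.
            Assert.fail("Impersonation by '" + username + "' was expected to be forbidden but succeeded");
        } catch (ClientErrorException e) {
            Assert.assertEquals("HTTP status of refused impersonation",
                    Response.Status.FORBIDDEN.getStatusCode(), e.getResponse().getStatus());
        } finally {
            client.close();
        }
    }

    /**
     * Creates an admin client using the default fixture password for the account.
     *
     * @param str realm to authenticate against
     * @param str2 client id used for the grant
     * @param str3 username
     * @return a new admin client; the caller closes it
     */
    Keycloak createAdminClient(String str, String str2, String str3) {
        return createAdminClient(str, str2, str3, null);
    }

    /**
     * Picks the client id used for the password grant.
     *
     * @param str realm name
     * @return {@code admin-cli} for the master realm, otherwise the fixture client {@code myclient}
     */
    String establishClientId(String str) {
        return str.equals("master") ? "admin-cli" : "myclient";
    }

    /**
     * Creates an admin client against the test auth server.
     *
     * @param str realm to authenticate against
     * @param str2 client id used for the grant
     * @param str3 username
     * @param str4 password, or {@code null} to use the fixture default ({@code admin} for the
     *     {@code admin} user, {@code password} for every other account)
     * @return a new admin client; the caller closes it
     */
    Keycloak createAdminClient(String str, String str2, String str3, String str4) {
        String password = str4;
        if (password == null) {
            password = str3.equals("admin") ? "admin" : "password";
        }
        return Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth", str, str3, password, str2);
    }

    /**
     * Creates a password-enabled user in the master realm and returns its id.
     * The create response is always closed.
     */
    private String createMasterUser(String username) {
        Response response = this.adminClient.realm("master").users().create(UserBuilder.create().username(username).build());
        String userId;
        try {
            userId = ApiUtil.getCreatedId(response);
        } finally {
            response.close();
        }
        this.adminClient.realm("master").users().get(userId)
                .resetPassword(CredentialBuilder.create().password("password").build());
        return userId;
    }

    /**
     * Obtains a token for the given account and, outside the master realm, consumes and checks
     * the resulting LOGIN event so it does not interfere with later event assertions.
     * The client is closed if the login or its checks fail.
     */
    private Keycloak login(String username, String realm) {
        String clientId = establishClientId(realm);
        Keycloak client = createAdminClient(realm, clientId, username);
        try {
            client.tokenManager().grantToken();
            if (!"master".equals(realm)) {
                EventRepresentation loginEvent = this.events.poll();
                Assert.assertEquals("Event type", EventType.LOGIN.toString(), loginEvent.getType());
                Assert.assertEquals("Client ID", clientId, loginEvent.getClientId());
                Assert.assertEquals("Username", username, loginEvent.getDetails().get("username"));
            }
        } catch (RuntimeException | Error e) {
            client.close();
            throw e;
        }
        return client;
    }
}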
