package org.keycloak.testsuite.oauth;

import java.util.List;
import org.junit.Assert;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.RefreshToken;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.realm.RealmTest;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.ClientManager;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.testsuite.util.UserBuilder;

/* loaded from: input_file:org/keycloak/testsuite/oauth/ServiceAccountTest.class */
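/**
 * Integration tests for the OAuth2 client-credentials grant against clients that use
 * Keycloak service accounts.
 *
 * <p>The cases cover the checks a token endpoint must enforce for this grant:
 * <ul>
 *   <li>a client with service accounts enabled and the correct secret receives tokens bound to one
 *       session, and can refresh them;</li>
 *   <li>after logout the previously issued refresh token is rejected;</li>
 *   <li>a wrong client secret is rejected and produces an error event;</li>
 *   <li>a client without service accounts enabled cannot use the grant at all;</li>
 *   <li>renaming the client is reflected in the {@code clientId} claim.</li>
 * </ul>
 *
 * <p>All secrets and client ids in this class are fixtures for the throwaway {@code test} realm.
 */
public class ServiceAccountTest extends AbstractKeycloakTest {
    private static final String REALM_NAME = "test";
    private static final String SERVICE_ACCOUNT_CLIENT = "service-account-cl";
    private static final String DISABLED_CLIENT = "service-account-disabled";
    private static final String RENAMED_CLIENT = "updated-client";
    private static final String CLIENT_SECRET = "secret1";
    private static final String WRONG_CLIENT_SECRET = "secret2";
    private static final String SERVICE_ACCOUNT_USERNAME = "service-account-service-account-cl";

    // Id of the service-account user created in addTestRealms(); event assertions compare against it.
    private static String userId;

    @Rule
    public AssertEvents events = new AssertEvents(this);

    /** Delegates to the base-class setup unchanged. */
    @Override
    public void beforeAbstractKeycloakTest() throws Exception {
        super.beforeAbstractKeycloakTest();
    }

    /**
     * Registers the {@code test} realm with two confidential clients (one with service accounts
     * enabled, one without), the default user, and the service-account user linked to the enabled
     * client.
     *
     * @param list realm representations collected by the base class; the built realm is appended
     */
    @Override
    public void addTestRealms(List<RealmRepresentation> list) {
        RealmBuilder realm = RealmBuilder.create()
                .name(REALM_NAME)
                .privateKey(RealmTest.PRIVATE_KEY)
                .publicKey(RealmTest.PUBLIC_KEY)
                .testEventListener();

        ClientRepresentation enabledClient = ClientBuilder.create()
                .id(KeycloakModelUtils.generateId())
                .clientId(SERVICE_ACCOUNT_CLIENT)
                .secret(CLIENT_SECRET)
                .serviceAccountsEnabled(true)
                .build();
        realm.client(enabledClient);

        // Same secret, but serviceAccountsEnabled is never set: used for the negative case.
        realm.client(ClientBuilder.create()
                .id(KeycloakModelUtils.generateId())
                .clientId(DISABLED_CLIENT)
                .secret(CLIENT_SECRET)
                .build());

        realm.user(UserBuilder.create()
                .id(KeycloakModelUtils.generateId())
                .username(AssertEvents.DEFAULT_USERNAME));

        userId = KeycloakModelUtils.generateId();
        realm.user(UserBuilder.create()
                .id(userId)
                .username("service-account-" + enabledClient.getClientId())
                .serviceAccountId(enabledClient.getClientId()));

        list.add(realm.build());
    }

    /**
     * A valid client-credentials request yields access and refresh tokens that share one session,
     * carry the client claims, and can be refreshed without changing the session.
     */
    @Test
    public void clientCredentialsAuthSuccess() throws Exception {
        this.oauth.clientId(SERVICE_ACCOUNT_CLIENT);
        OAuthClient.AccessTokenResponse grantResponse =
                this.oauth.doClientCredentialsGrantAccessTokenRequest(CLIENT_SECRET);
        Assert.assertEquals(200L, grantResponse.getStatusCode());

        AccessToken accessToken = this.oauth.verifyToken(grantResponse.getAccessToken());
        RefreshToken refreshToken = this.oauth.verifyRefreshToken(grantResponse.getRefreshToken());

        this.events.expectClientLogin()
                .client(SERVICE_ACCOUNT_CLIENT)
                .user(userId)
                .session(accessToken.getSessionState())
                .detail("token_id", accessToken.getId())
                .detail("refresh_token_id", refreshToken.getId())
                .detail("username", SERVICE_ACCOUNT_USERNAME)
                .assertEvent();

        Assert.assertEquals(accessToken.getSessionState(), refreshToken.getSessionState());
        System.out.println("Access token other claims: " + accessToken.getOtherClaims());
        Assert.assertEquals(SERVICE_ACCOUNT_CLIENT, accessToken.getOtherClaims().get("clientId"));
        Assert.assertTrue(accessToken.getOtherClaims().containsKey("clientAddress"));
        Assert.assertTrue(accessToken.getOtherClaims().containsKey("clientHost"));

        OAuthClient.AccessTokenResponse refreshResponse =
                this.oauth.doRefreshTokenRequest(grantResponse.getRefreshToken(), CLIENT_SECRET);
        // Fail with a readable status mismatch instead of a token-parsing error if the refresh is refused.
        Assert.assertEquals(200L, refreshResponse.getStatusCode());

        AccessToken refreshedAccessToken = this.oauth.verifyToken(refreshResponse.getAccessToken());
        RefreshToken refreshedRefreshToken = this.oauth.verifyRefreshToken(refreshResponse.getRefreshToken());
        Assert.assertEquals(accessToken.getSessionState(), refreshedAccessToken.getSessionState());
        Assert.assertEquals(accessToken.getSessionState(), refreshedRefreshToken.getSessionState());

        this.events.expectRefresh(refreshToken.getId(), refreshToken.getSessionState())
                .user(userId)
                .client(SERVICE_ACCOUNT_CLIENT)
                .assertEvent();
    }

    /**
     * After logout, the refresh token issued before it must no longer be usable: the refresh
     * request is expected to fail with {@code invalid_grant} and an {@code invalid_token} event.
     */
    @Test
    public void clientCredentialsLogout() throws Exception {
        this.oauth.clientId(SERVICE_ACCOUNT_CLIENT);
        OAuthClient.AccessTokenResponse grantResponse =
                this.oauth.doClientCredentialsGrantAccessTokenRequest(CLIENT_SECRET);
        Assert.assertEquals(200L, grantResponse.getStatusCode());

        AccessToken accessToken = this.oauth.verifyToken(grantResponse.getAccessToken());
        RefreshToken refreshToken = this.oauth.verifyRefreshToken(grantResponse.getRefreshToken());

        this.events.expectClientLogin()
                .client(SERVICE_ACCOUNT_CLIENT)
                .user(userId)
                .session(accessToken.getSessionState())
                .detail("token_id", accessToken.getId())
                .detail("refresh_token_id", refreshToken.getId())
                .detail("username", SERVICE_ACCOUNT_USERNAME)
                .detail("client_auth_method", "client-secret")
                .assertEvent();

        Assert.assertEquals(
                204L,
                this.oauth.doLogout(grantResponse.getRefreshToken(), CLIENT_SECRET)
                        .getStatusLine()
                        .getStatusCode());
        this.events.expectLogout(accessToken.getSessionState())
                .client(SERVICE_ACCOUNT_CLIENT)
                .user(userId)
                .removeDetail("redirect_uri")
                .assertEvent();

        // Replay the pre-logout refresh token; the server must refuse it.
        OAuthClient.AccessTokenResponse refreshResponse =
                this.oauth.doRefreshTokenRequest(grantResponse.getRefreshToken(), CLIENT_SECRET);
        Assert.assertEquals(400L, refreshResponse.getStatusCode());
        Assert.assertEquals("invalid_grant", refreshResponse.getError());

        this.events.expectRefresh(refreshToken.getId(), refreshToken.getSessionState())
                .client(SERVICE_ACCOUNT_CLIENT)
                .user(userId)
                .removeDetail("token_id")
                .removeDetail("updated_refresh_token_id")
                .error("invalid_token")
                .assertEvent();
    }

    /**
     * A request with the wrong client secret is rejected with {@code unauthorized_client} and
     * recorded as an {@code invalid_client_credentials} event with no user or session attached.
     */
    @Test
    public void clientCredentialsInvalidClientCredentials() throws Exception {
        this.oauth.clientId(SERVICE_ACCOUNT_CLIENT);
        OAuthClient.AccessTokenResponse grantResponse =
                this.oauth.doClientCredentialsGrantAccessTokenRequest(WRONG_CLIENT_SECRET);
        Assert.assertEquals(400L, grantResponse.getStatusCode());
        Assert.assertEquals("unauthorized_client", grantResponse.getError());

        this.events.expectClientLogin()
                .client(SERVICE_ACCOUNT_CLIENT)
                .session((String) null)
                .clearDetails()
                .error("invalid_client_credentials")
                .user((String) null)
                .assertEvent();
    }

    /**
     * A client that authenticates correctly but does not have service accounts enabled must not
     * obtain tokens through the client-credentials grant.
     */
    @Test
    public void clientCredentialsDisabledServiceAccount() throws Exception {
        this.oauth.clientId(DISABLED_CLIENT);
        OAuthClient.AccessTokenResponse grantResponse =
                this.oauth.doClientCredentialsGrantAccessTokenRequest(CLIENT_SECRET);
        Assert.assertEquals(401L, grantResponse.getStatusCode());
        Assert.assertEquals("unauthorized_client", grantResponse.getError());

        this.events.expectClientLogin()
                .client(DISABLED_CLIENT)
                .user((String) null)
                .session((String) null)
                .removeDetail("username")
                .removeDetail("response_type")
                .error("invalid_client")
                .assertEvent();
    }

    /**
     * After the client is renamed, tokens carry the new {@code clientId} claim while the login
     * event still reports the service-account username created for the original client id.
     */
    @Test
    public void changeClientIdTest() throws Exception {
        ClientManager.realm(this.adminClient.realm(REALM_NAME))
                .clientId(SERVICE_ACCOUNT_CLIENT)
                .renameTo(RENAMED_CLIENT);
        try {
            this.oauth.clientId(RENAMED_CLIENT);
            OAuthClient.AccessTokenResponse grantResponse =
                    this.oauth.doClientCredentialsGrantAccessTokenRequest(CLIENT_SECRET);
            Assert.assertEquals(200L, grantResponse.getStatusCode());

            AccessToken accessToken = this.oauth.verifyToken(grantResponse.getAccessToken());
            RefreshToken refreshToken = this.oauth.verifyRefreshToken(grantResponse.getRefreshToken());
            Assert.assertEquals(RENAMED_CLIENT, accessToken.getOtherClaims().get("clientId"));

            this.events.expectClientLogin()
                    .client(RENAMED_CLIENT)
                    .user(userId)
                    .session(accessToken.getSessionState())
                    .detail("token_id", accessToken.getId())
                    .detail("refresh_token_id", refreshToken.getId())
                    .detail("username", SERVICE_ACCOUNT_USERNAME)
                    .assertEvent();
        } finally {
            // Restore the original client id even when an assertion above fails; otherwise every
            // other test in this class would run against a realm that no longer has the client.
            ClientManager.realm(this.adminClient.realm(REALM_NAME))
                    .clientId(RENAMED_CLIENT)
                    .renameTo(SERVICE_ACCOUNT_CLIENT);
        }
    }
}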
