package org.keycloak.testsuite.oauth;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.ArrayList;
import org.junit.Assert;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.EventRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.representations.oidc.TokenMetadataRepresentation;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.TestRealmKeycloakTest;
import org.keycloak.testsuite.util.KeycloakModelUtils;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.util.JsonSerialization;

/* loaded from: input_file:org/keycloak/testsuite/oauth/TokenIntrospectionTest.class */
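/**
 * Integration tests for the OAuth 2.0 token introspection endpoint.
 *
 * <p>The tests cover three security properties of the endpoint:
 * <ul>
 *   <li>only an authenticated confidential client gets an introspection result
 *       (a wrong secret and a public client are both rejected);</li>
 *   <li>an active token is reported with its standard claims;</li>
 *   <li>a token that is no longer valid (unknown/stale token, logged-out session,
 *       disabled user, elapsed lifespan) is reported as {@code active=false} with
 *       no username, client id or subject, so the caller learns nothing else
 *       about it (RFC 7662 section 2.2 recommends exactly this).</li>
 * </ul>
 *
 * <p>{@code oauth} and {@code adminClient} are not declared here; they are inherited
 * from the test base classes. The client secret and password below are fixtures
 * for the throwaway test realm only.
 */
public class TokenIntrospectionTest extends TestRealmKeycloakTest {

    /** Confidential client created by {@link #configureTestRealm} and used to call introspection. */
    private static final String CONFIDENTIAL_CLIENT_ID = "confidential-cli";

    /** Secret registered for {@link #CONFIDENTIAL_CLIENT_ID} in the test realm. */
    private static final String CONFIDENTIAL_CLIENT_SECRET = "secret1";

    /** Public client created by {@link #configureTestRealm}; it must not be allowed to introspect. */
    private static final String PUBLIC_CLIENT_ID = "public-cli";

    /** Password used for the test users and passed to the token and logout requests. */
    private static final String USER_PASSWORD = "password";

    /**
     * Pre-recorded RS256 JWT that the test realm did not issue. Its payload decodes to
     * {@code exp=1452281000} (January 2016), {@code iss=http://localhost:8080/auth/realms/example}
     * and {@code aud=js-console}. Which of these makes the server treat it as inactive
     * (expiry, foreign issuer, signature) is not visible from this test.
     */
    private static final String STALE_ACCESS_TOKEN = "eyJhbGciOiJSUzI1NiJ9.eyJub25jZSI6IjczMGZjNjQ1LTBlMDQtNDE3Yi04MDY0LTkyYWIyY2RjM2QwZSIsImp0aSI6ImU5ZGU1NjU2LWUzMjctNDkxNC1hNjBmLTI1MzJlYjBiNDk4OCIsImV4cCI6MTQ1MjI4MTAwMCwibmJmIjowLCJpYXQiOjE0NTIyODA3MDAsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9hdXRoL3JlYWxtcy9leGFtcGxlIiwiYXVkIjoianMtY29uc29sZSIsInN1YiI6IjFkNzQ0MDY5LWYyOTgtNGU3Yy1hNzNiLTU1YzlhZjgzYTY4NyIsInR5cCI6IkJlYXJlciIsImF6cCI6ImpzLWNvbnNvbGUiLCJzZXNzaW9uX3N0YXRlIjoiNzc2YTA0OTktODNjNC00MDhkLWE5YjctYTZiYzQ5YmQ3MThjIiwiY2xpZW50X3Nlc3Npb24iOiJjN2Y5ODczOC05MDhlLTQxOWYtYTdkNC1kODYxYjRhYTI3NjkiLCJhbGxvd2VkLW9yaWdpbnMiOltdLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsidXNlciJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJ2aWV3LXByb2ZpbGUiXX19LCJuYW1lIjoiU2FtcGxlIFVzZXIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ1c2VyIiwiZ2l2ZW5fbmFtZSI6IlNhbXBsZSIsImZhbWlseV9uYW1lIjoiVXNlciIsImVtYWlsIjoic2FtcGxlLXVzZXJAZXhhbXBsZSJ9.YyPV74j9CqOG2Jmq692ZZpqycjNpUgtYVRfQJccS_FU84tGVXoKKsXKYeY2UJ1Y_bPiYG1I1J6JSXC8XqgQijCG7Nh7oK0yN74JbRN58HG75fvg6K9BjR6hgJ8mHT8qPrCux2svFucIMIZ180eoBoRvRstkidOhl_mtjT_i31fU";

    /** Captures realm events so tests can read the login event (session id, user id). */
    @Rule
    public AssertEvents events = new AssertEvents(this);

    /**
     * Adds the fixtures these tests need to the test realm: a confidential client with
     * service accounts enabled, a public client, and an enabled user {@code no-permissions}
     * holding only the {@code user} realm role.
     *
     * @param realmRepresentation realm definition to extend before it is imported
     */
    @Override
    public void configureTestRealm(RealmRepresentation realmRepresentation) {
        ClientRepresentation confidentialClient = KeycloakModelUtils.createClient(realmRepresentation, CONFIDENTIAL_CLIENT_ID);
        confidentialClient.setSecret(CONFIDENTIAL_CLIENT_SECRET);
        confidentialClient.setServiceAccountsEnabled(Boolean.TRUE);

        KeycloakModelUtils.createClient(realmRepresentation, PUBLIC_CLIENT_ID).setPublicClient(Boolean.TRUE);

        CredentialRepresentation password = new CredentialRepresentation();
        password.setType("password");
        password.setValue(USER_PASSWORD);
        ArrayList<CredentialRepresentation> credentials = new ArrayList<>();
        credentials.add(password);

        ArrayList<String> realmRoles = new ArrayList<>();
        realmRoles.add("user");

        UserRepresentation user = new UserRepresentation();
        user.setUsername("no-permissions");
        user.setCredentials(credentials);
        user.setEnabled(Boolean.TRUE);
        user.setRealmRoles(realmRoles);
        realmRepresentation.getUsers().add(user);
    }

    /** Returns the authorization code from the query string of the current redirect. */
    private String currentAuthorizationCode() {
        return (String) this.oauth.getCurrentQuery().get("code");
    }

    /** Introspects {@code token} as the confidential client and returns the raw response body. */
    private String introspectAsConfidentialClient(String token) throws Exception {
        return this.oauth.introspectAccessTokenWithClientCredential(CONFIDENTIAL_CLIENT_ID, CONFIDENTIAL_CLIENT_SECRET, token);
    }

    /**
     * Asserts that an introspection result is inactive and exposes no username,
     * client id or subject.
     */
    private static void assertInactiveWithoutClaims(TokenMetadataRepresentation metadata) {
        Assert.assertFalse(metadata.isActive());
        Assert.assertNull(metadata.getUserName());
        Assert.assertNull(metadata.getClientId());
        Assert.assertNull(metadata.getSubject());
    }

    /**
     * A valid access token introspected with correct client credentials is active, and
     * the raw JSON agrees field by field with its {@link TokenMetadataRepresentation} mapping.
     */
    @Test
    public void testConfidentialClientCredentialsBasicAuthentication() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, USER_PASSWORD);
        String accessToken = this.oauth.doAccessTokenRequest(currentAuthorizationCode(), USER_PASSWORD).getAccessToken();
        String responseBody = introspectAsConfidentialClient(accessToken);

        ObjectMapper mapper = new ObjectMapper();
        JsonNode json = mapper.readTree(responseBody);
        Assert.assertTrue(json.get("active").asBoolean());
        Assert.assertEquals(AssertEvents.DEFAULT_USERNAME, json.get("username").asText());
        Assert.assertEquals(AssertEvents.DEFAULT_CLIENT_ID, json.get("client_id").asText());
        Assert.assertTrue(json.has("exp"));
        Assert.assertTrue(json.has("iat"));
        Assert.assertTrue(json.has("nbf"));
        Assert.assertTrue(json.has("sub"));
        Assert.assertTrue(json.has("aud"));
        Assert.assertTrue(json.has("iss"));
        Assert.assertTrue(json.has("jti"));

        TokenMetadataRepresentation metadata = mapper.readValue(responseBody, TokenMetadataRepresentation.class);
        Assert.assertTrue(metadata.isActive());
        Assert.assertEquals(AssertEvents.DEFAULT_USERNAME, metadata.getUserName());
        Assert.assertEquals(AssertEvents.DEFAULT_CLIENT_ID, metadata.getClientId());
        Assert.assertEquals(json.get("exp").asInt(), metadata.getExpiration());
        Assert.assertEquals(json.get("iat").asInt(), metadata.getIssuedAt());
        Assert.assertEquals(json.get("nbf").asInt(), metadata.getNotBefore());
        Assert.assertEquals(json.get("sub").asText(), metadata.getSubject());
        Assert.assertEquals(json.get("aud").asText(), metadata.getAudience()[0]);
        Assert.assertEquals(json.get("iss").asText(), metadata.getIssuer());
        Assert.assertEquals(json.get("jti").asText(), metadata.getId());
    }

    /**
     * A wrong client secret must be rejected even when the token itself is valid.
     */
    @Test
    public void testInvalidClientCredentials() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, USER_PASSWORD);
        String accessToken = this.oauth.doAccessTokenRequest(currentAuthorizationCode(), USER_PASSWORD).getAccessToken();
        String responseBody = this.oauth.introspectAccessTokenWithClientCredential(CONFIDENTIAL_CLIENT_ID, "bad_credential", accessToken);
        // The exact body is compared, so member order and wording are pinned as well.
        // NOTE(review): only the body is visible through this helper; the HTTP status is not
        // asserted. RFC 7662 section 2.3 expects 401 for failed client authentication - confirm
        // at the helper level.
        Assert.assertEquals("{\"error_description\":\"Authentication failed.\",\"error\":\"invalid_request\"}", responseBody);
    }

    /**
     * Introspection through the refresh-token helper returns an active result bound to
     * the login session.
     */
    @Test
    public void testIntrospectRefreshToken() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, USER_PASSWORD);
        String code = currentAuthorizationCode();
        String sessionId = this.events.expectLogin().assertEvent().getSessionId();
        // NOTE(review): the token passed here is the ACCESS token, not getRefreshToken(), so
        // despite its name this test does not show that a refresh token is introspected.
        // Left unchanged because the assertions below were written against this input;
        // confirm the intent before switching to the refresh token.
        String tokenUnderTest = this.oauth.doAccessTokenRequest(code, USER_PASSWORD).getAccessToken();
        String responseBody = this.oauth.introspectRefreshTokenWithClientCredential(CONFIDENTIAL_CLIENT_ID, CONFIDENTIAL_CLIENT_SECRET, tokenUnderTest);

        ObjectMapper mapper = new ObjectMapper();
        JsonNode json = mapper.readTree(responseBody);
        Assert.assertTrue(json.get("active").asBoolean());
        Assert.assertEquals(sessionId, json.get("session_state").asText());
        Assert.assertEquals(AssertEvents.DEFAULT_CLIENT_ID, json.get("client_id").asText());
        Assert.assertTrue(json.has("exp"));
        Assert.assertTrue(json.has("iat"));
        Assert.assertTrue(json.has("nbf"));
        Assert.assertTrue(json.has("sub"));
        Assert.assertTrue(json.has("aud"));
        Assert.assertTrue(json.has("iss"));
        Assert.assertTrue(json.has("jti"));

        TokenMetadataRepresentation metadata = mapper.readValue(responseBody, TokenMetadataRepresentation.class);
        Assert.assertTrue(metadata.isActive());
        Assert.assertEquals(AssertEvents.DEFAULT_CLIENT_ID, metadata.getClientId());
        Assert.assertEquals(json.get("session_state").asText(), metadata.getSessionState());
        Assert.assertEquals(json.get("exp").asInt(), metadata.getExpiration());
        Assert.assertEquals(json.get("iat").asInt(), metadata.getIssuedAt());
        Assert.assertEquals(json.get("nbf").asInt(), metadata.getNotBefore());
        Assert.assertEquals(json.get("iss").asText(), metadata.getIssuer());
        Assert.assertEquals(json.get("jti").asText(), metadata.getId());
    }

    /**
     * A public client has no secret to authenticate with, so it must not be able to
     * introspect tokens regardless of the secret value it sends.
     */
    @Test
    public void testPublicClientCredentialsNotAllowed() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, USER_PASSWORD);
        String accessToken = this.oauth.doAccessTokenRequest(currentAuthorizationCode(), USER_PASSWORD).getAccessToken();
        String responseBody = this.oauth.introspectAccessTokenWithClientCredential(PUBLIC_CLIENT_ID, "it_doesnt_matter", accessToken);
        Assert.assertEquals("{\"error_description\":\"Client not allowed.\",\"error\":\"invalid_request\"}", responseBody);
    }

    /**
     * A token the realm did not issue is reported as inactive, and none of the claims
     * embedded in it are echoed back to the caller.
     */
    @Test
    public void testInactiveAccessToken() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, USER_PASSWORD);
        String responseBody = introspectAsConfidentialClient(STALE_ACCESS_TOKEN);

        ObjectMapper mapper = new ObjectMapper();
        Assert.assertFalse(mapper.readTree(responseBody).get("active").asBoolean());
        assertInactiveWithoutClaims(mapper.readValue(responseBody, TokenMetadataRepresentation.class));
    }

    /**
     * A freshly issued access token is active and its subject is the user id recorded
     * in the login event.
     */
    @Test
    public void testIntrospectAccessToken() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, USER_PASSWORD);
        String code = currentAuthorizationCode();
        EventRepresentation loginEvent = this.events.expectLogin().assertEvent();
        String accessToken = this.oauth.doAccessTokenRequest(code, USER_PASSWORD).getAccessToken();

        TokenMetadataRepresentation metadata = JsonSerialization.readValue(introspectAsConfidentialClient(accessToken), TokenMetadataRepresentation.class);
        Assert.assertTrue(metadata.isActive());
        Assert.assertEquals(AssertEvents.DEFAULT_USERNAME, metadata.getUserName());
        Assert.assertEquals(AssertEvents.DEFAULT_CLIENT_ID, metadata.getClientId());
        Assert.assertEquals(loginEvent.getUserId(), metadata.getSubject());
    }

    /**
     * After logout the access token issued for that session must introspect as inactive,
     * even though the token has not reached its own expiry.
     */
    @Test
    public void testIntrospectAccessTokenSessionInvalid() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, USER_PASSWORD);
        OAuthClient.AccessTokenResponse tokens = this.oauth.doAccessTokenRequest(currentAuthorizationCode(), USER_PASSWORD);
        this.oauth.doLogout(tokens.getRefreshToken(), USER_PASSWORD);

        TokenMetadataRepresentation metadata = JsonSerialization.readValue(introspectAsConfidentialClient(tokens.getAccessToken()), TokenMetadataRepresentation.class);
        assertInactiveWithoutClaims(metadata);
    }

    /**
     * Disabling the user must make an already issued access token introspect as inactive.
     * The user is re-enabled in {@code finally} so a failed assertion cannot leave the
     * shared test user disabled for the tests that follow.
     */
    @Test
    public void testIntrospectAccessTokenUserDisabled() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, USER_PASSWORD);
        OAuthClient.AccessTokenResponse tokens = this.oauth.doAccessTokenRequest(currentAuthorizationCode(), USER_PASSWORD);
        EventRepresentation loginEvent = this.events.expectLogin().assertEvent();

        // Only the enabled flag is set on this representation; it is sent as a partial update.
        UserRepresentation enabledFlag = new UserRepresentation();
        try {
            enabledFlag.setEnabled(false);
            this.adminClient.realm(this.oauth.getRealm()).users().get(loginEvent.getUserId()).update(enabledFlag);

            TokenMetadataRepresentation metadata = JsonSerialization.readValue(introspectAsConfidentialClient(tokens.getAccessToken()), TokenMetadataRepresentation.class);
            assertInactiveWithoutClaims(metadata);
        } finally {
            enabledFlag.setEnabled(true);
            this.adminClient.realm(this.oauth.getRealm()).users().get(loginEvent.getUserId()).update(enabledFlag);
        }
    }

    /**
     * Once the realm's access token lifespan has elapsed the token must introspect as
     * inactive. Time is advanced with {@code setTimeOffset} rather than by waiting.
     */
    @Test
    public void testIntrospectAccessTokenExpired() throws Exception {
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, USER_PASSWORD);
        OAuthClient.AccessTokenResponse tokens = this.oauth.doAccessTokenRequest(currentAuthorizationCode(), USER_PASSWORD);

        // One second past the configured lifespan.
        // NOTE(review): the offset is not reset in this method; presumably the base class
        // restores it between tests - confirm, otherwise later tests run with shifted time.
        setTimeOffset(this.adminClient.realm(this.oauth.getRealm()).toRepresentation().getAccessTokenLifespan().intValue() + 1);

        TokenMetadataRepresentation metadata = JsonSerialization.readValue(introspectAsConfidentialClient(tokens.getAccessToken()), TokenMetadataRepresentation.class);
        assertInactiveWithoutClaims(metadata);
    }
}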
