package org.keycloak.testsuite.oauth;

import java.util.Collections;
import java.util.List;
import org.jboss.arquillian.graphene.page.Page;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.RoleResource;
import org.keycloak.admin.client.resource.UserResource;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.RefreshToken;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.EventRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.AbstractAdminTest;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.pages.LoginPage;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.ClientManager;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.testsuite.util.RealmManager;
import org.keycloak.testsuite.util.RoleBuilder;
import org.keycloak.testsuite.util.UserBuilder;

/* loaded from: input_file:org/keycloak/testsuite/oauth/OfflineTokenTest.class */
public class OfflineTokenTest extends AbstractKeycloakTest {
    private static String userId;
    private static String offlineClientAppUri;
    private static String serviceAccountUserId;

    @Page
    protected LoginPage loginPage;

    @Rule
    public AssertEvents events = new AssertEvents(this);

    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void beforeAbstractKeycloakTest() throws Exception {
        super.beforeAbstractKeycloakTest();
    }

    @Before
    public void clientConfiguration() {
        userId = ApiUtil.findUserByUsername(this.adminClient.realm("test"), AssertEvents.DEFAULT_USERNAME).getId();
        this.oauth.clientId(AssertEvents.DEFAULT_CLIENT_ID);
    }

    @Override // org.keycloak.testsuite.AbstractKeycloakTest
    public void addTestRealms(List<RealmRepresentation> list) {
        RealmBuilder testEventListener = RealmBuilder.edit((RealmRepresentation) AbstractAdminTest.loadJson(getClass().getResourceAsStream("/testrealm.json"), RealmRepresentation.class)).accessTokenLifespan(10).ssoSessionIdleTimeout(30).testEventListener();
        offlineClientAppUri = OAuthClient.APP_ROOT + "/offline-client";
        ClientRepresentation build = ClientBuilder.create().clientId("offline-client").id(KeycloakModelUtils.generateId()).adminUrl(offlineClientAppUri).redirectUris(offlineClientAppUri).directAccessGrants().serviceAccountsEnabled(true).secret("secret1").build();
        testEventListener.client(build);
        serviceAccountUserId = KeycloakModelUtils.generateId();
        testEventListener.user(UserBuilder.create().id(serviceAccountUserId).addRoles("user", "offline_access").role(AssertEvents.DEFAULT_CLIENT_ID, "customer-user").username("service-account-" + build.getClientId()).serviceAccountId(build.getClientId()).build());
        list.add(testEventListener.build());
    }

    @Test
    public void offlineTokenDisabledForClient() throws Exception {
        ClientManager.realm(this.adminClient.realm("test")).clientId("offline-client").fullScopeAllowed(false);
        this.oauth.scope("offline_access");
        this.oauth.clientId("offline-client");
        this.oauth.redirectUri(offlineClientAppUri);
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        EventRepresentation assertEvent = this.events.expectLogin().client("offline-client").detail("redirect_uri", offlineClientAppUri).assertEvent();
        String sessionId = assertEvent.getSessionId();
        String str = (String) assertEvent.getDetails().get("code_id");
        OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "secret1");
        Assert.assertEquals(400L, doAccessTokenRequest.getStatusCode());
        Assert.assertEquals("not_allowed", doAccessTokenRequest.getError());
        this.events.expectCodeToToken(str, sessionId).client("offline-client").error("not_allowed").clearDetails().assertEvent();
        ClientManager.realm(this.adminClient.realm("test")).clientId("offline-client").fullScopeAllowed(true);
    }

    @Test
    public void offlineTokenUserNotAllowed() throws Exception {
        String id = ApiUtil.findUserByUsername(this.adminClient.realm("test"), "keycloak-user@localhost").getId();
        this.oauth.scope("offline_access");
        this.oauth.clientId("offline-client");
        this.oauth.redirectUri(offlineClientAppUri);
        this.oauth.doLogin("keycloak-user@localhost", "password");
        EventRepresentation assertEvent = this.events.expectLogin().client("offline-client").user(id).detail("redirect_uri", offlineClientAppUri).assertEvent();
        String sessionId = assertEvent.getSessionId();
        String str = (String) assertEvent.getDetails().get("code_id");
        OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "secret1");
        Assert.assertEquals(400L, doAccessTokenRequest.getStatusCode());
        Assert.assertEquals("not_allowed", doAccessTokenRequest.getError());
        this.events.expectCodeToToken(str, sessionId).client("offline-client").user(id).error("not_allowed").clearDetails().assertEvent();
    }

    @Test
    public void offlineTokenBrowserFlow() throws Exception {
        this.oauth.scope("offline_access");
        this.oauth.clientId("offline-client");
        this.oauth.redirectUri(offlineClientAppUri);
        this.oauth.doLogin(AssertEvents.DEFAULT_USERNAME, "password");
        EventRepresentation assertEvent = this.events.expectLogin().client("offline-client").detail("redirect_uri", offlineClientAppUri).assertEvent();
        String sessionId = assertEvent.getSessionId();
        String str = (String) assertEvent.getDetails().get("code_id");
        OAuthClient.AccessTokenResponse doAccessTokenRequest = this.oauth.doAccessTokenRequest((String) this.oauth.getCurrentQuery().get("code"), "secret1");
        AccessToken verifyToken = this.oauth.verifyToken(doAccessTokenRequest.getAccessToken());
        String refreshToken = doAccessTokenRequest.getRefreshToken();
        RefreshToken verifyRefreshToken = this.oauth.verifyRefreshToken(refreshToken);
        this.events.expectCodeToToken(str, sessionId).client("offline-client").detail("refresh_token_type", "Offline").assertEvent();
        Assert.assertEquals("Offline", verifyRefreshToken.getType());
        Assert.assertEquals(0L, verifyRefreshToken.getExpiration());
        String testRefreshWithOfflineToken = testRefreshWithOfflineToken(verifyToken, verifyRefreshToken, refreshToken, sessionId, userId);
        setTimeOffset(3000000);
        OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(testRefreshWithOfflineToken, "secret1");
        Assert.assertEquals(400L, doRefreshTokenRequest.getStatusCode());
        Assert.assertEquals("invalid_grant", doRefreshTokenRequest.getError());
        this.events.expectRefresh(verifyRefreshToken.getId(), sessionId).client("offline-client").error("invalid_token").user(userId).clearDetails().assertEvent();
        setTimeOffset(0);
    }

    private String testRefreshWithOfflineToken(AccessToken accessToken, RefreshToken refreshToken, String str, String str2, String str3) {
        setTimeOffset(99999);
        Assert.assertFalse(accessToken.isActive());
        Assert.assertTrue(refreshToken.isActive());
        this.testingClient.testing().removeExpired("test");
        this.testingClient.testing().removeUserSession("test", str2);
        OAuthClient.AccessTokenResponse doRefreshTokenRequest = this.oauth.doRefreshTokenRequest(str, "secret1");
        AccessToken verifyToken = this.oauth.verifyToken(doRefreshTokenRequest.getAccessToken());
        Assert.assertEquals(200L, doRefreshTokenRequest.getStatusCode());
        Assert.assertEquals(str2, verifyToken.getSessionState());
        String refreshToken2 = doRefreshTokenRequest.getRefreshToken();
        Assert.assertNotNull(refreshToken2);
        Assert.assertNotEquals(accessToken.getId(), verifyToken.getId());
        Assert.assertEquals(str3, verifyToken.getSubject());
        Assert.assertTrue(verifyToken.getRealmAccess().isUserInRole("user"));
        Assert.assertTrue(verifyToken.getRealmAccess().isUserInRole("offline_access"));
        Assert.assertEquals(1L, verifyToken.getResourceAccess(AssertEvents.DEFAULT_CLIENT_ID).getRoles().size());
        Assert.assertTrue(verifyToken.getResourceAccess(AssertEvents.DEFAULT_CLIENT_ID).isUserInRole("customer-user"));
        Assert.assertNotEquals(accessToken.getId(), this.events.expectRefresh(refreshToken.getId(), str2).client("offline-client").user(str3).removeDetail("updated_refresh_token_id").detail("refresh_token_type", "Offline").assertEvent().getDetails().get("token_id"));
        setTimeOffset(0);
        return refreshToken2;
    }

    @Test
    public void offlineTokenDirectGrantFlow() throws Exception {
        this.oauth.scope("offline_access");
        this.oauth.clientId("offline-client");
        OAuthClient.AccessTokenResponse doGrantAccessTokenRequest = this.oauth.doGrantAccessTokenRequest("secret1", AssertEvents.DEFAULT_USERNAME, "password");
        doGrantAccessTokenRequest.getErrorDescription();
        AccessToken verifyToken = this.oauth.verifyToken(doGrantAccessTokenRequest.getAccessToken());
        String refreshToken = doGrantAccessTokenRequest.getRefreshToken();
        RefreshToken verifyRefreshToken = this.oauth.verifyRefreshToken(refreshToken);
        this.events.expectLogin().client("offline-client").user(userId).session(verifyToken.getSessionState()).detail("grant_type", "password").detail("token_id", verifyToken.getId()).detail("refresh_token_id", verifyRefreshToken.getId()).detail("refresh_token_type", "Offline").detail("username", AssertEvents.DEFAULT_USERNAME).removeDetail("code_id").removeDetail("redirect_uri").removeDetail("consent").assertEvent();
        Assert.assertEquals("Offline", verifyRefreshToken.getType());
        Assert.assertEquals(0L, verifyRefreshToken.getExpiration());
        testRefreshWithOfflineToken(verifyToken, verifyRefreshToken, refreshToken, verifyToken.getSessionState(), userId);
        testRefreshWithOfflineToken(verifyToken, verifyRefreshToken, refreshToken, verifyToken.getSessionState(), userId);
    }

    @Test
    public void offlineTokenDirectGrantFlowWithRefreshTokensRevoked() throws Exception {
        RealmManager.realm(this.adminClient.realm("test")).revokeRefreshToken(true);
        this.oauth.scope("offline_access");
        this.oauth.clientId("offline-client");
        OAuthClient.AccessTokenResponse doGrantAccessTokenRequest = this.oauth.doGrantAccessTokenRequest("secret1", AssertEvents.DEFAULT_USERNAME, "password");
        AccessToken verifyToken = this.oauth.verifyToken(doGrantAccessTokenRequest.getAccessToken());
        String refreshToken = doGrantAccessTokenRequest.getRefreshToken();
        RefreshToken verifyRefreshToken = this.oauth.verifyRefreshToken(refreshToken);
        this.events.expectLogin().client("offline-client").user(userId).session(verifyToken.getSessionState()).detail("grant_type", "password").detail("token_id", verifyToken.getId()).detail("refresh_token_id", verifyRefreshToken.getId()).detail("refresh_token_type", "Offline").detail("username", AssertEvents.DEFAULT_USERNAME).removeDetail("code_id").removeDetail("redirect_uri").removeDetail("consent").assertEvent();
        Assert.assertEquals("Offline", verifyRefreshToken.getType());
        Assert.assertEquals(0L, verifyRefreshToken.getExpiration());
        String testRefreshWithOfflineToken = testRefreshWithOfflineToken(verifyToken, verifyRefreshToken, refreshToken, verifyToken.getSessionState(), userId);
        RefreshToken verifyRefreshToken2 = this.oauth.verifyRefreshToken(testRefreshWithOfflineToken);
        Assert.assertEquals(400L, this.oauth.doRefreshTokenRequest(refreshToken, "secret1").getStatusCode());
        this.events.expectRefresh(verifyRefreshToken.getId(), verifyToken.getSessionState()).client("offline-client").error("invalid_token").user(userId).clearDetails().assertEvent();
        testRefreshWithOfflineToken(verifyToken, verifyRefreshToken2, testRefreshWithOfflineToken, verifyToken.getSessionState(), userId);
        RealmManager.realm(this.adminClient.realm("test")).revokeRefreshToken(false);
    }

    @Test
    public void offlineTokenServiceAccountFlow() throws Exception {
        this.oauth.scope("offline_access");
        this.oauth.clientId("offline-client");
        OAuthClient.AccessTokenResponse doClientCredentialsGrantAccessTokenRequest = this.oauth.doClientCredentialsGrantAccessTokenRequest("secret1");
        AccessToken verifyToken = this.oauth.verifyToken(doClientCredentialsGrantAccessTokenRequest.getAccessToken());
        String refreshToken = doClientCredentialsGrantAccessTokenRequest.getRefreshToken();
        RefreshToken verifyRefreshToken = this.oauth.verifyRefreshToken(refreshToken);
        this.events.expectClientLogin().client("offline-client").user(serviceAccountUserId).session(verifyToken.getSessionState()).detail("token_id", verifyToken.getId()).detail("refresh_token_id", verifyRefreshToken.getId()).detail("refresh_token_type", "Offline").detail("username", "service-account-offline-client").assertEvent();
        Assert.assertEquals("Offline", verifyRefreshToken.getType());
        Assert.assertEquals(0L, verifyRefreshToken.getExpiration());
        testRefreshWithOfflineToken(verifyToken, verifyRefreshToken, refreshToken, verifyToken.getSessionState(), serviceAccountUserId);
        OAuthClient.AccessTokenResponse doClientCredentialsGrantAccessTokenRequest2 = this.oauth.doClientCredentialsGrantAccessTokenRequest("secret1");
        AccessToken verifyToken2 = this.oauth.verifyToken(doClientCredentialsGrantAccessTokenRequest2.getAccessToken());
        String refreshToken2 = doClientCredentialsGrantAccessTokenRequest2.getRefreshToken();
        RefreshToken verifyRefreshToken2 = this.oauth.verifyRefreshToken(refreshToken2);
        this.events.expectClientLogin().client("offline-client").user(serviceAccountUserId).session(verifyToken2.getSessionState()).detail("token_id", verifyToken2.getId()).detail("refresh_token_id", verifyRefreshToken2.getId()).detail("refresh_token_type", "Offline").detail("username", "service-account-offline-client").assertEvent();
        testRefreshWithOfflineToken(verifyToken, verifyRefreshToken, refreshToken, verifyToken.getSessionState(), serviceAccountUserId);
        testRefreshWithOfflineToken(verifyToken2, verifyRefreshToken2, refreshToken2, verifyToken2.getSessionState(), serviceAccountUserId);
    }

    @Test
    public void offlineTokenAllowedWithCompositeRole() throws Exception {
        RealmResource realm = this.adminClient.realm("test");
        UserResource findUserByUsernameId = ApiUtil.findUserByUsernameId(realm, AssertEvents.DEFAULT_USERNAME);
        RoleRepresentation representation = ApiUtil.findRealmRoleByName(this.adminClient.realm("test"), "offline_access").toRepresentation();
        realm.roles().create(RoleBuilder.create().name("composite").build());
        RoleResource roleResource = realm.roles().get("composite");
        roleResource.addComposites(Collections.singletonList(representation));
        findUserByUsernameId.roles().realmLevel().remove(Collections.singletonList(representation));
        findUserByUsernameId.roles().realmLevel().add(Collections.singletonList(roleResource.toRepresentation()));
        offlineTokenDirectGrantFlow();
        findUserByUsernameId.roles().realmLevel().remove(Collections.singletonList(realm.roles().get("composite").toRepresentation()));
        realm.roles().get("composite").remove();
        findUserByUsernameId.roles().realmLevel().add(Collections.singletonList(representation));
    }
}
