package org.keycloak.testsuite.saml;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.util.Iterator;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.core.UriBuilder;
import org.apache.commons.io.IOUtils;
import org.junit.Assert;
import org.junit.ClassRule;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.RuleChain;
import org.junit.rules.TestRule;
import org.junit.runner.Description;
import org.junit.runners.model.Statement;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.common.util.Environment;
import org.keycloak.dom.saml.v2.assertion.AttributeStatementType;
import org.keycloak.dom.saml.v2.assertion.AttributeType;
import org.keycloak.dom.saml.v2.protocol.ResponseType;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RealmModel;
import org.keycloak.protocol.saml.mappers.HardcodedAttributeMapper;
import org.keycloak.protocol.saml.mappers.HardcodedRole;
import org.keycloak.protocol.saml.mappers.RoleNameMapper;
import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
import org.keycloak.saml.processing.api.saml.v2.response.SAML2Response;
import org.keycloak.saml.processing.core.saml.v2.constants.X500SAMLProfileConstants;
import org.keycloak.saml.processing.web.util.PostBindingUtil;
import org.keycloak.services.managers.RealmManager;
import org.keycloak.testsuite.pages.AppPage;
import org.keycloak.testsuite.pages.LoginPage;
import org.keycloak.testsuite.rule.KeycloakRule;
import org.keycloak.testsuite.rule.WebResource;
import org.keycloak.testsuite.rule.WebRule;
import org.openqa.selenium.WebDriver;

/* loaded from: input_file:org/keycloak/testsuite/saml/SamlPicketlinkSPTest.class */
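/**
 * Browser-driven integration tests for SAML-secured service-provider WARs that
 * authenticate against the {@code demo} realm of a Keycloak server on
 * {@code http://localhost:8081}.
 *
 * <p>The suite covers POST and redirect bindings, signed and encrypted
 * exchanges, the different NameID formats, global logout ({@code ?GLO=true}),
 * attribute/role mappers, and two negative cases in which a signature is not
 * trusted by the receiving side.
 *
 * <p>All credentials and URLs in this class are fixtures for the local test
 * realm loaded from {@code /saml/testsaml.json}.
 */
public class SamlPicketlinkSPTest {
    /**
     * Rule that does not run the wrapped statement on an IBM JDK and only logs the fact.
     *
     * <p>NOTE(review): the statement returns normally, so a test bypassed this way
     * is reported as passed, not as ignored.
     */
    public static TestRule ignoreIBMJDK = new TestRule() {
        @Override
        public Statement apply(final Statement statement, final Description description) {
            return new Statement() {
                @Override
                public void evaluate() throws Throwable {
                    if (Environment.IS_IBM_JAVA) {
                        System.err.println("Ignore " + description.getDisplayName() + " because executing on IBM JDK");
                    } else {
                        statement.evaluate();
                    }
                }
            };
        }
    };

    /**
     * Server rule that deploys every SAML-secured WAR used by the tests.
     *
     * <p>The arguments of {@code initializeSamlSecuredWar} look like
     * (resource directory, context path, WAR name, class loader) - confirm
     * against {@code SamlKeycloakRule}.
     */
    public static SamlKeycloakRule keycloakRule = new SamlKeycloakRule() {
        @Override
        public void initWars() {
            ClassLoader classLoader = SamlPicketlinkSPTest.class.getClassLoader();
            initializeSamlSecuredWar("/saml/simple-post", "/sales-post", "post.war", classLoader);
            initializeSamlSecuredWar("/saml/signed-post", "/sales-post-sig", "post-sig.war", classLoader);
            initializeSamlSecuredWar("/saml/signed-post-email", "/sales-post-sig-email", "post-sig-email.war", classLoader);
            initializeSamlSecuredWar("/saml/signed-post-transient", "/sales-post-sig-transient", "post-sig-transient.war", classLoader);
            initializeSamlSecuredWar("/saml/signed-post-persistent", "/sales-post-sig-persistent", "post-sig-persistent.war", classLoader);
            initializeSamlSecuredWar("/saml/signed-metadata", "/sales-metadata", "post-metadata.war", classLoader);
            initializeSamlSecuredWar("/saml/signed-get", "/employee-sig", "employee-sig.war", classLoader);
            initializeSamlSecuredWar("/saml/signed-front-get", "/employee-sig-front", "employee-sig-front.war", classLoader);
            // Negative fixtures: deployments whose signing material is expected not to be trusted.
            initializeSamlSecuredWar("/saml/bad-client-signed-post", "/bad-client-sales-post-sig", "bad-client-post-sig.war", classLoader);
            initializeSamlSecuredWar("/saml/bad-realm-signed-post", "/bad-realm-sales-post-sig", "bad-realm-post-sig.war", classLoader);
            initializeSamlSecuredWar("/saml/encrypted-post", "/sales-post-enc", "post-enc.war", classLoader);
            // Register the client described by /saml/sp-metadata.xml before its servlet is deployed.
            SamlPicketlinkSPTest.uploadSP();
            this.server.getServer().deploy(createDeploymentInfo("employee.war", "/employee", SamlSPFacade.class));
        }

        @Override
        public String getRealmJson() {
            return "/saml/testsaml.json";
        }
    };

    @ClassRule
    public static TestRule chain = RuleChain.outerRule(ignoreIBMJDK).around(keycloakRule);

    @Rule
    public WebRule webRule = new WebRule(this);

    @WebResource
    protected WebDriver driver;

    @WebResource
    protected LoginPage loginPage;

    /**
     * Minimal stand-in for a SAML service provider, deployed at {@code /employee}.
     *
     * <p>A request without parameters is redirected to the realm's SAML endpoint
     * with a fixed, pre-encoded {@code SAMLRequest} and {@link #RELAY_STATE}. A
     * request with parameters is treated as the IdP's answer: its
     * {@code SAMLResponse} and {@code RelayState} are stored in static fields for
     * the tests to inspect.
     *
     * <p>The servlet performs no signature, issuer, audience or time-window
     * checks on the response it stores; it is a capture fixture, not an SP
     * implementation. The static fields are shared by every test in the JVM, so
     * each test resets what it reads.
     */
    public static class SamlSPFacade extends HttpServlet {
        public static String samlResponse;
        public static String RELAY_STATE = "http://test.com/foo/bar";
        public static String sentRelayState;

        @Override
        protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
            handler(httpServletRequest, httpServletResponse);
        }

        @Override
        protected void doPost(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
            handler(httpServletRequest, httpServletResponse);
        }

        /**
         * Either captures the IdP response or starts a login by redirecting to the IdP.
         *
         * @param httpServletRequest  incoming request; any parameter at all marks it as a response
         * @param httpServletResponse response used to issue the 302 redirect
         */
        private void handler(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
            System.out.println("********* HERE ******");
            if (!httpServletRequest.getParameterMap().isEmpty()) {
                System.out.println("received response");
                // Stored verbatim and unverified; the tests decode it themselves.
                samlResponse = httpServletRequest.getParameter("SAMLResponse");
                sentRelayState = httpServletRequest.getParameter("RelayState");
            } else {
                System.out.println("redirecting");
                httpServletResponse.setStatus(302);
                // The SAMLRequest value is a fixed, already URL-encoded fixture.
                UriBuilder fromUri = UriBuilder.fromUri("http://localhost:8081/auth/realms/demo/protocol/saml?SAMLRequest=jVJbT8IwFP4rS99HuwluNIwEIUYSLwugD76Y2h2kSdfOng7l31uGRn0ATfrQ9HznfJfTEYpaN3zS%2Bo1ZwGsL6KP3WhvkXaEgrTPcClTIjagBuZd8Obm55mmP8cZZb6XV5NByGiwQwXllDYkmX9epNdjW4JbgtkrC%2FeK6IBvvG06ptlLojUXPc5YnFOpG2x0AJdEsaFRG7PuPoUWwQx0IXSOtoLb0SynduyLRpXUSOs8FWQuNQKL5rCDz2VO%2FymEgIY2zlJ3H%2FSx9jkU%2BzOK0ys8yNmSSsUEAYxnsqC18tyO2MDfohfEFSVkyiNlZzM5XacrDSbJePug%2Fkqj8FHKhTKXMy%2BnIng8g5FerVRmXd8sViR7AYec8AMh4tPfDO3L3Y2%2F%2F3cT4j7BH9Mf8A1nDb8PA%2Bay0WsldNNHavk1D1D5k4V0LXbi18MclJL2ke1FVvO6gvDXYgFRrBRWh4wPp7z85%2FgA%3D");
                // RelayState is added through the builder so that it is the builder that encodes it.
                fromUri.queryParam("RelayState", new Object[]{RELAY_STATE});
                httpServletResponse.setHeader("Location", fromUri.build(new Object[0]).toString());
            }
        }
    }

    /**
     * Verifies that a logout completed and that the session is really gone.
     *
     * <p>The current page must be the logout page; afterwards the protected
     * application is requested again and must lead to the IdP login page instead
     * of being served from a surviving session.
     *
     * @param str URL of the protected application to revisit after logout
     * @param z   {@code true} if the application uses the POST binding,
     *            {@code false} for the redirect binding
     */
    protected void checkLoggedOut(String str, boolean z) {
        String pageSource = this.driver.getPageSource();
        System.out.println("*** logout pagesouce ***");
        System.out.println(pageSource);
        System.out.println("driver url: " + this.driver.getCurrentUrl());
        Assert.assertTrue(pageSource.contains("request-path: /logout.jsp"));
        this.driver.navigate().to(str);
        checkAtLoginPage(z);
    }

    /**
     * Asserts that the browser is at the IdP login page for the given binding.
     *
     * @param z {@code true} for the POST binding, {@code false} for the redirect binding
     */
    protected void checkAtLoginPage(boolean z) {
        if (z) {
            assertAtLoginPagePostBinding();
        } else {
            assertAtLoginPageRedirectBinding();
        }
    }

    /** Asserts that the current URL starts with the realm's SAML protocol endpoint. */
    protected void assertAtLoginPageRedirectBinding() {
        Assert.assertTrue(this.driver.getCurrentUrl().startsWith("http://localhost:8081/auth/realms/demo/protocol/saml"));
    }

    /** Asserts that the current URL starts with the realm's login-actions authenticate endpoint. */
    protected void assertAtLoginPagePostBinding() {
        Assert.assertTrue(this.driver.getCurrentUrl().startsWith("http://localhost:8081/auth/realms/demo/login-actions/authenticate"));
    }

    /**
     * Manual helper, not a test (no {@code @Test}): keeps the JVM and the deployed
     * server alive for 100,000,000 ms so the applications can be explored by hand.
     */
    public void ideTesting() throws Exception {
        Thread.sleep(100000000L);
    }

    /** Unsigned POST binding: login, page shows the user name, global logout ends the session. */
    @Test
    public void testPostSimpleLoginLogout() {
        this.driver.navigate().to("http://localhost:8081/sales-post/");
        assertAtLoginPagePostBinding();
        this.loginPage.login("bburke", "password");
        Assert.assertEquals("http://localhost:8081/sales-post/", this.driver.getCurrentUrl());
        System.out.println(this.driver.getPageSource());
        Assert.assertTrue(this.driver.getPageSource().contains("bburke"));
        this.driver.navigate().to("http://localhost:8081/sales-post?GLO=true");
        checkLoggedOut("http://localhost:8081/sales-post/", true);
    }

    /** Same flow as the simple POST test, but started from the realm's {@code clients/sales-post} URL. */
    @Test
    public void testPostSimpleLoginLogoutIdpInitiated() {
        this.driver.navigate().to("http://localhost:8081/auth/realms/demo/protocol/saml/clients/sales-post");
        this.loginPage.login("bburke", "password");
        Assert.assertEquals("http://localhost:8081/sales-post/", this.driver.getCurrentUrl());
        System.out.println(this.driver.getPageSource());
        Assert.assertTrue(this.driver.getPageSource().contains("bburke"));
        this.driver.navigate().to("http://localhost:8081/sales-post?GLO=true");
        checkLoggedOut("http://localhost:8081/sales-post/", true);
    }

    /** Signed POST binding: login, page shows the user name, global logout ends the session. */
    @Test
    public void testPostSignedLoginLogout() {
        this.driver.navigate().to("http://localhost:8081/sales-post-sig/");
        assertAtLoginPagePostBinding();
        this.loginPage.login("bburke", "password");
        Assert.assertEquals("http://localhost:8081/sales-post-sig/", this.driver.getCurrentUrl());
        Assert.assertTrue(this.driver.getPageSource().contains("bburke"));
        this.driver.navigate().to("http://localhost:8081/sales-post-sig?GLO=true");
        checkLoggedOut("http://localhost:8081/sales-post-sig/", true);
    }

    /**
     * Transient NameID: the principal shown by the application must be a generated
     * {@code G-...} identifier and the page must not contain the login name.
     */
    @Test
    public void testPostSignedLoginLogoutTransientNameID() {
        this.driver.navigate().to("http://localhost:8081/sales-post-sig-transient/");
        assertAtLoginPagePostBinding();
        this.loginPage.login("bburke", "password");
        Assert.assertEquals("http://localhost:8081/sales-post-sig-transient/", this.driver.getCurrentUrl());
        System.out.println(this.driver.getPageSource());
        Assert.assertFalse(this.driver.getPageSource().contains("bburke"));
        Assert.assertTrue(this.driver.getPageSource().contains("principal=G-"));
        this.driver.navigate().to("http://localhost:8081/sales-post-sig-transient?GLO=true");
        checkLoggedOut("http://localhost:8081/sales-post-sig-transient/", true);
    }

    /**
     * Persistent NameID: the principal shown by the application must be a generated
     * {@code G-...} identifier and the page must not contain the login name.
     */
    @Test
    public void testPostSignedLoginLogoutPersistentNameID() {
        this.driver.navigate().to("http://localhost:8081/sales-post-sig-persistent/");
        assertAtLoginPagePostBinding();
        this.loginPage.login("bburke", "password");
        Assert.assertEquals("http://localhost:8081/sales-post-sig-persistent/", this.driver.getCurrentUrl());
        System.out.println(this.driver.getPageSource());
        Assert.assertFalse(this.driver.getPageSource().contains("bburke"));
        Assert.assertTrue(this.driver.getPageSource().contains("principal=G-"));
        this.driver.navigate().to("http://localhost:8081/sales-post-sig-persistent?GLO=true");
        checkLoggedOut("http://localhost:8081/sales-post-sig-persistent/", true);
    }

    /** Email NameID: the principal shown by the application must be the user's e-mail address. */
    @Test
    public void testPostSignedLoginLogoutEmailNameID() {
        this.driver.navigate().to("http://localhost:8081/sales-post-sig-email/");
        assertAtLoginPagePostBinding();
        this.loginPage.login("bburke", "password");
        Assert.assertEquals("http://localhost:8081/sales-post-sig-email/", this.driver.getCurrentUrl());
        System.out.println(this.driver.getPageSource());
        Assert.assertTrue(this.driver.getPageSource().contains("principal=bburke@redhat.com"));
        this.driver.navigate().to("http://localhost:8081/sales-post-sig-email?GLO=true");
        checkLoggedOut("http://localhost:8081/sales-post-sig-email/", true);
    }

    /**
     * Checks that the RelayState sent by {@link SamlSPFacade} comes back from the
     * IdP unchanged after its trip through URL encoding.
     */
    @Test
    public void testRelayStateEncoding() throws Exception {
        // Clear both captured values so the assertions cannot be satisfied by an earlier test.
        SamlSPFacade.samlResponse = null;
        SamlSPFacade.sentRelayState = null;
        this.driver.navigate().to("http://localhost:8081/employee/");
        assertAtLoginPageRedirectBinding();
        System.out.println(this.driver.getCurrentUrl());
        this.loginPage.login("bburke", "password");
        Assert.assertEquals("http://localhost:8081/employee/", this.driver.getCurrentUrl());
        Assert.assertEquals(SamlSPFacade.RELAY_STATE, SamlSPFacade.sentRelayState);
        Assert.assertNotNull(SamlSPFacade.samlResponse);
    }

    /**
     * Checks the attributes and roles carried by the assertion, first with the
     * realm's default mappers and then after the client's mappers were changed
     * (single {@code memberOf} role attribute, hard-coded attribute and role,
     * two renamed roles).
     *
     * <p>The captured response is only Base64-decoded and parsed here; its
     * signature is not verified, so these checks say nothing about whether the
     * response would be accepted by a validating SP.
     */
    @Test
    public void testAttributes() throws Exception {
        SamlSPFacade.samlResponse = null;
        this.driver.navigate().to("http://localhost:8081/employee/");
        assertAtLoginPageRedirectBinding();
        System.out.println(this.driver.getCurrentUrl());
        this.loginPage.login("bburke", "password");
        Assert.assertEquals("http://localhost:8081/employee/", this.driver.getCurrentUrl());
        Assert.assertNotNull(SamlSPFacade.samlResponse);
        ResponseType responseType = new SAML2Response().getResponseType(new ByteArrayInputStream(PostBindingUtil.base64Decode(SamlSPFacade.samlResponse)));
        Assert.assertEquals(1, responseType.getAssertions().size());
        boolean emailFound = false;
        boolean phoneFound = false;
        boolean userRoleFound = false;
        boolean managerRoleFound = false;
        Iterator<?> statements = ((ResponseType.RTChoiceType) responseType.getAssertions().get(0)).getAssertion().getAttributeStatements().iterator();
        while (statements.hasNext()) {
            Iterator<?> choices = ((AttributeStatementType) statements.next()).getAttributes().iterator();
            while (choices.hasNext()) {
                AttributeType attribute = ((AttributeStatementType.ASTChoiceType) choices.next()).getAttribute();
                if (X500SAMLProfileConstants.EMAIL.getFriendlyName().equals(attribute.getFriendlyName())) {
                    Assert.assertEquals(X500SAMLProfileConstants.EMAIL.get(), attribute.getName());
                    Assert.assertEquals(JBossSAMLURIConstants.ATTRIBUTE_FORMAT_URI.get(), attribute.getNameFormat());
                    Assert.assertEquals("bburke@redhat.com", attribute.getAttributeValue().get(0));
                    emailFound = true;
                } else if ("phone".equals(attribute.getName())) {
                    Assert.assertEquals(JBossSAMLURIConstants.ATTRIBUTE_FORMAT_BASIC.get(), attribute.getNameFormat());
                    Assert.assertEquals("617", attribute.getAttributeValue().get(0));
                    phoneFound = true;
                } else if ("Role".equals(attribute.getName())) {
                    // With the default mapper each role arrives in its own "Role" attribute.
                    if ("manager".equals(attribute.getAttributeValue().get(0))) {
                        managerRoleFound = true;
                    }
                    if ("user".equals(attribute.getAttributeValue().get(0))) {
                        userRoleFound = true;
                    }
                }
            }
        }
        Assert.assertTrue(emailFound);
        Assert.assertTrue(phoneFound);
        Assert.assertTrue(userRoleFound);
        Assert.assertTrue(managerRoleFound);
        keycloakRule.update(new KeycloakRule.KeycloakSetup() {
            @Override
            public void config(RealmManager realmManager, RealmModel realmModel, RealmModel realmModel2) {
                ClientModel clientByClientId = realmModel2.getClientByClientId("http://localhost:8081/employee/");
                // NOTE(review): mappers are removed and added while the result of
                // getProtocolMappers() is being iterated; this relies on that call
                // returning a copy - confirm.
                for (ProtocolMapperModel protocolMapperModel : clientByClientId.getProtocolMappers()) {
                    if (protocolMapperModel.getName().equals("role-list")) {
                        clientByClientId.removeProtocolMapper(protocolMapperModel);
                        protocolMapperModel.setId((String) null);
                        protocolMapperModel.getConfig().put("single", "true");
                        protocolMapperModel.getConfig().put("attribute.name", "memberOf");
                        clientByClientId.addProtocolMapper(protocolMapperModel);
                    }
                }
                clientByClientId.addProtocolMapper(HardcodedAttributeMapper.create("hardcoded-attribute", "hardcoded-attribute", "Basic", (String) null, "hard", false, (String) null));
                clientByClientId.addProtocolMapper(HardcodedRole.create("hardcoded-role", "hardcoded-role"));
                clientByClientId.addProtocolMapper(RoleNameMapper.create("renamed-role", "manager", "el-jefe"));
                clientByClientId.addProtocolMapper(RoleNameMapper.create("renamed-employee-role", "http://localhost:8081/employee/.employee", "pee-on"));
            }
        }, "demo");
        System.out.println(">>>>>>>>>> single role attribute <<<<<<<<");
        SamlSPFacade.samlResponse = null;
        // The browser still holds the SSO session, so no second login is needed.
        this.driver.navigate().to("http://localhost:8081/employee/");
        System.out.println(this.driver.getCurrentUrl());
        Assert.assertEquals("http://localhost:8081/employee/", this.driver.getCurrentUrl());
        Assert.assertNotNull(SamlSPFacade.samlResponse);
        ResponseType responseType2 = new SAML2Response().getResponseType(new ByteArrayInputStream(PostBindingUtil.base64Decode(SamlSPFacade.samlResponse)));
        Assert.assertEquals(1, responseType2.getAssertions().size());
        boolean userRoleInList = false;
        boolean renamedManagerInList = false;
        boolean memberOfFound = false;
        boolean hardcodedRoleInList = false;
        boolean hardcodedAttributeFound = false;
        boolean renamedEmployeeInList = false;
        Iterator<?> statements2 = ((ResponseType.RTChoiceType) responseType2.getAssertions().get(0)).getAssertion().getAttributeStatements().iterator();
        while (statements2.hasNext()) {
            Iterator<?> choices2 = ((AttributeStatementType) statements2.next()).getAttributes().iterator();
            while (choices2.hasNext()) {
                AttributeType attribute2 = ((AttributeStatementType.ASTChoiceType) choices2.next()).getAttribute();
                if ("memberOf".equals(attribute2.getName())) {
                    // "single" = true must collapse all roles into exactly one attribute.
                    if (memberOfFound) {
                        Assert.fail("too many role attributes");
                    }
                    memberOfFound = true;
                    for (Object obj : attribute2.getAttributeValue()) {
                        if (obj.equals("el-jefe")) {
                            renamedManagerInList = true;
                        }
                        if (obj.equals("user")) {
                            userRoleInList = true;
                        }
                        if (obj.equals("hardcoded-role")) {
                            hardcodedRoleInList = true;
                        }
                        if (obj.equals("pee-on")) {
                            renamedEmployeeInList = true;
                        }
                    }
                } else if ("hardcoded-attribute".equals(attribute2.getName())) {
                    hardcodedAttributeFound = true;
                    Assert.assertEquals("hard", attribute2.getAttributeValue().get(0));
                }
            }
        }
        Assert.assertTrue(memberOfFound);
        Assert.assertTrue(hardcodedAttributeFound);
        Assert.assertTrue(hardcodedRoleInList);
        Assert.assertTrue(renamedEmployeeInList);
        Assert.assertTrue(userRoleInList);
        Assert.assertTrue(renamedManagerInList);
    }

    /** Signed redirect binding: login, page shows the user name, global logout ends the session. */
    @Test
    public void testRedirectSignedLoginLogout() {
        this.driver.navigate().to("http://localhost:8081/employee-sig/");
        assertAtLoginPageRedirectBinding();
        this.loginPage.login("bburke", "password");
        Assert.assertEquals("http://localhost:8081/employee-sig/", this.driver.getCurrentUrl());
        Assert.assertTrue(this.driver.getPageSource().contains("bburke"));
        this.driver.navigate().to("http://localhost:8081/employee-sig?GLO=true");
        checkLoggedOut("http://localhost:8081/employee-sig/", false);
    }

    /** Login and global logout for the {@code employee-sig-front} application alone, with no other application visited. */
    @Test
    public void testRedirectSignedLoginLogoutFrontNoSSO() {
        this.driver.navigate().to("http://localhost:8081/employee-sig-front/");
        assertAtLoginPageRedirectBinding();
        this.loginPage.login("bburke", "password");
        Assert.assertEquals("http://localhost:8081/employee-sig-front/", this.driver.getCurrentUrl());
        Assert.assertTrue(this.driver.getPageSource().contains("bburke"));
        this.driver.navigate().to("http://localhost:8081/employee-sig-front?GLO=true");
        checkLoggedOut("http://localhost:8081/employee-sig-front/", false);
    }

    /**
     * Single sign-on across three applications followed by one global logout.
     *
     * <p>After the logout triggered from the first application, the other two
     * must also send the browser back to the IdP login page; a session that
     * survived in any of them would fail the last two assertions.
     */
    @Test
    public void testRedirectSignedLoginLogoutFront() {
        System.out.println("visit 1st app ");
        this.driver.navigate().to("http://localhost:8081/employee-sig/");
        assertAtLoginPageRedirectBinding();
        System.out.println("login to form");
        this.loginPage.login("bburke", "password");
        Assert.assertEquals("http://localhost:8081/employee-sig/", this.driver.getCurrentUrl());
        Assert.assertTrue(this.driver.getPageSource().contains("bburke"));
        System.out.println("visit 2nd app ");
        this.driver.navigate().to("http://localhost:8081/employee-sig-front/");
        Assert.assertEquals("http://localhost:8081/employee-sig-front/", this.driver.getCurrentUrl());
        Assert.assertTrue(this.driver.getPageSource().contains("bburke"));
        System.out.println("visit 3rd app ");
        this.driver.navigate().to("http://localhost:8081/sales-post-sig/");
        Assert.assertEquals("http://localhost:8081/sales-post-sig/", this.driver.getCurrentUrl());
        Assert.assertTrue(this.driver.getPageSource().contains("bburke"));
        System.out.println("GLO");
        this.driver.navigate().to("http://localhost:8081/employee-sig?GLO=true");
        checkLoggedOut("http://localhost:8081/employee-sig/", false);
        this.driver.navigate().to("http://localhost:8081/employee-sig-front/");
        assertAtLoginPageRedirectBinding();
        this.driver.navigate().to("http://localhost:8081/sales-post-sig/");
        assertAtLoginPagePostBinding();
    }

    /** Encrypted POST binding: login, page shows the user name, global logout ends the session. */
    @Test
    public void testPostEncryptedLoginLogout() {
        this.driver.navigate().to("http://localhost:8081/sales-post-enc/");
        assertAtLoginPagePostBinding();
        this.loginPage.login("bburke", "password");
        Assert.assertEquals("http://localhost:8081/sales-post-enc/", this.driver.getCurrentUrl());
        Assert.assertTrue(this.driver.getPageSource().contains("bburke"));
        this.driver.navigate().to("http://localhost:8081/sales-post-enc?GLO=true");
        checkLoggedOut("http://localhost:8081/sales-post-enc/", true);
    }

    /**
     * Negative test: a request from the {@code bad-client} deployment must stop at
     * the realm's SAML endpoint on the error page, without a login form being offered.
     *
     * <p>Judging by the fixture name, the request is signed with a key the realm
     * does not associate with the client - confirm against the WAR's configuration.
     */
    @Test
    public void testPostBadClientSignature() {
        this.driver.navigate().to("http://localhost:8081/bad-client-sales-post-sig/");
        Assert.assertEquals("http://localhost:8081/auth/realms/demo/protocol/saml", this.driver.getCurrentUrl());
        Assert.assertEquals("We're sorry...", this.driver.getTitle());
    }

    /**
     * Negative test: after a successful login at the IdP, the {@code bad-realm}
     * deployment must not establish an authenticated principal.
     *
     * <p>Judging by the fixture name, the SP is configured with a realm key that
     * does not match the one that signed the response - confirm against the WAR's
     * configuration.
     *
     * <p>NOTE(review): {@code contains("null")} is a weak oracle; any page that
     * happens to contain the text "null" passes. Asserting that the user name is
     * absent, or matching the exact principal line, would pin the rejection down.
     */
    @Test
    public void testPostBadRealmSignature() {
        this.driver.navigate().to("http://localhost:8081/bad-realm-sales-post-sig/");
        assertAtLoginPagePostBinding();
        this.loginPage.login("bburke", "password");
        Assert.assertEquals("http://localhost:8081/bad-realm-sales-post-sig/", this.driver.getCurrentUrl());
        Assert.assertTrue(this.driver.getPageSource().contains("null"));
    }

    /**
     * Placeholder with no body: it always passes and verifies nothing about
     * passive-mode behaviour.
     */
    @Test
    public void testPassiveMode() {
    }

    /** Signed POST binding for the {@code sales-metadata} deployment: login, user name shown, global logout. */
    @Test
    public void testMetadataPostSignedLoginLogout() throws Exception {
        this.driver.navigate().to("http://localhost:8081/sales-metadata/");
        assertAtLoginPagePostBinding();
        this.loginPage.login("bburke", "password");
        Assert.assertEquals("http://localhost:8081/sales-metadata/", this.driver.getCurrentUrl());
        Assert.assertTrue(this.driver.getPageSource().contains("bburke"));
        this.driver.navigate().to("http://localhost:8081/sales-metadata?GLO=true");
        checkLoggedOut("http://localhost:8081/sales-metadata/", true);
    }

    /**
     * Registers a client in the {@code demo} realm from the SP metadata document
     * at {@code /saml/sp-metadata.xml} and asserts that the server answers 201.
     *
     * <p>The admin client logs in to the {@code master} realm with the test
     * server's fixture credentials. It is closed in a {@code finally} block so a
     * failed assertion or conversion does not leave it open.
     *
     * @throws RuntimeException if the metadata resource cannot be read
     */
    public static void uploadSP() {
        Keycloak keycloak = Keycloak.getInstance(AppPage.AUTH_SERVER_URL, "master", "admin", "admin", "admin-cli", (String) null);
        try {
            // Fails early if the demo realm is not reachable with these credentials.
            keycloak.realm("demo").toRepresentation();
            // NOTE(review): read with the platform default charset, as before.
            String spMetadata = IOUtils.toString(SamlPicketlinkSPTest.class.getResourceAsStream("/saml/sp-metadata.xml"));
            // The decompiled source referenced an undeclared local `r0` here; it is
            // taken to be the demo realm resource obtained above - confirm against
            // the original source.
            Assert.assertEquals(201L, keycloak.realm("demo").clients().create(keycloak.realm("demo").convertClientDescription(spMetadata)).getStatus());
        } catch (IOException e) {
            throw new RuntimeException(e);
        } finally {
            keycloak.close();
        }
    }
}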
