package io.vertx.ext.auth.test.oauth2;

import io.vertx.core.Future;
import io.vertx.core.Promise;
import io.vertx.ext.auth.JWTOptions;
import io.vertx.ext.auth.User;
import io.vertx.ext.auth.authentication.TokenCredentials;
import io.vertx.ext.auth.authorization.RoleBasedAuthorization;
import io.vertx.ext.auth.jwt.authorization.MicroProfileAuthorization;
import io.vertx.ext.auth.oauth2.OAuth2Auth;
import io.vertx.ext.auth.oauth2.OAuth2FlowType;
import io.vertx.ext.auth.oauth2.OAuth2Options;
import io.vertx.ext.auth.oauth2.Oauth2Credentials;
import io.vertx.ext.auth.oauth2.authorization.KeycloakAuthorization;
import io.vertx.ext.auth.oauth2.providers.KeycloakAuth;
import io.vertx.ext.unit.Async;
import io.vertx.ext.unit.TestContext;
import io.vertx.ext.unit.junit.RunTestOnContext;
import io.vertx.ext.unit.junit.VertxUnitRunnerWithParametersFactory;
import java.util.Arrays;
import java.util.List;
import org.junit.Before;
import org.junit.ClassRule;
import org.junit.Rule;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;
import org.testcontainers.containers.BindMode;
import org.testcontainers.containers.GenericContainer;
import org.testcontainers.containers.wait.strategy.Wait;

@Parameterized.UseParametersRunnerFactory(VertxUnitRunnerWithParametersFactory.class)
@RunWith(Parameterized.class)
/* loaded from: input_file:io/vertx/ext/auth/test/oauth2/OAuth2Keycloak14IT.class */
public class OAuth2Keycloak14IT {

    @ClassRule
    public static GenericContainer<?> container = new GenericContainer("jboss/keycloak:14.0.0").withEnv("KEYCLOAK_USER", "admin").withEnv("KEYCLOAK_PASSWORD", "secret").withEnv("DB_VENDOR", "H2").withExposedPorts(new Integer[]{8080, 8443}).withClasspathResourceMapping("vertx-it-realm.json", "/tmp/fixtures.json", BindMode.READ_ONLY).withCommand(new String[]{"-b", "0.0.0.0", "-Dkeycloak.migration.action=import", "-Dkeycloak.migration.provider=singleFile", "-Dkeycloak.migration.file=/tmp/fixtures.json", "-Dkeycloak.migration.strategy=OVERWRITE_EXISTING"}).waitingFor(Wait.forLogMessage(".*Keycloak.*started.*", 1));

    @Rule
    public RunTestOnContext rule = new RunTestOnContext();
    private final String proto;
    private String site;

    @Parameterized.Parameters
    public static List<String> sites() {
        return Arrays.asList("http", "https");
    }

    public OAuth2Keycloak14IT(String str) {
        this.proto = str;
    }

    @Before
    public void setUp() {
        String str = this.proto;
        boolean z = -1;
        switch (str.hashCode()) {
            case 3213448:
                if (str.equals("http")) {
                    z = false;
                    break;
                }
                break;
            case 99617003:
                if (str.equals("https")) {
                    z = true;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                this.site = this.proto + "://" + container.getContainerIpAddress() + ":" + container.getMappedPort(8080);
                return;
            case true:
                this.site = this.proto + "://" + container.getContainerIpAddress() + ":" + container.getMappedPort(8443);
                return;
            default:
                throw new IllegalArgumentException("Invalid proto: " + this.proto);
        }
    }

    @Test
    public void discoverPublic(TestContext testContext) {
        Async async = testContext.async();
        OAuth2Options jWTOptions = new OAuth2Options().setFlow(OAuth2FlowType.PASSWORD).setClientId("public").setTenant("vertx-it").setSite(this.site + "/auth/realms/{tenant}").setJWTOptions(new JWTOptions().addAudience("account"));
        jWTOptions.getHttpClientOptions().setTrustAll(true);
        Future discover = KeycloakAuth.discover(this.rule.vertx(), jWTOptions);
        testContext.getClass();
        discover.onFailure(testContext::fail).onSuccess(oAuth2Auth -> {
            loginAs(oAuth2Auth, testContext, "alice", "account", Arrays.asList("openid")).onSuccess(user -> {
                testContext.assertNotNull(user.attributes().getJsonObject("idToken"));
                testContext.assertEquals(jWTOptions.getClientId(), user.attributes().getJsonObject("idToken").getString("aud"));
                Future authorizations = KeycloakAuthorization.create().getAuthorizations(user);
                testContext.getClass();
                authorizations.onFailure(testContext::fail).onSuccess(r12 -> {
                    testContext.assertTrue(RoleBasedAuthorization.create("offline_access").match(user));
                    testContext.assertTrue(RoleBasedAuthorization.create("default-roles-vertx-it").match(user));
                    testContext.assertTrue(RoleBasedAuthorization.create("view-profile").setResource("account").match(user));
                    loginAs(oAuth2Auth, testContext, "bob", "account", (List<String>) null).onSuccess(user -> {
                        async.complete();
                    });
                });
            });
        });
    }

    @Test
    public void discoverConfidential(TestContext testContext) {
        Async async = testContext.async();
        OAuth2Options jWTOptions = new OAuth2Options().setFlow(OAuth2FlowType.PASSWORD).setClientId("confidential").setClientSecret("51321e70-b1f3-45bf-aec2-d6bfbb9327e3").setTenant("vertx-it").setSite(this.site + "/auth/realms/{tenant}").setJWTOptions(new JWTOptions().addAudience("account"));
        jWTOptions.getHttpClientOptions().setTrustAll(true);
        Future discover = KeycloakAuth.discover(this.rule.vertx(), jWTOptions);
        testContext.getClass();
        discover.onFailure(testContext::fail).onSuccess(oAuth2Auth -> {
            loginAs(oAuth2Auth, testContext, "alice", "account", Arrays.asList("openid")).onSuccess(user -> {
                testContext.assertNotNull(user.attributes().getJsonObject("idToken"));
                testContext.assertEquals(jWTOptions.getClientId(), user.attributes().getJsonObject("idToken").getString("aud"));
                Future authorizations = KeycloakAuthorization.create().getAuthorizations(user);
                testContext.getClass();
                authorizations.onFailure(testContext::fail).onSuccess(r12 -> {
                    testContext.assertTrue(RoleBasedAuthorization.create("offline_access").match(user));
                    testContext.assertTrue(RoleBasedAuthorization.create("default-roles-vertx-it").match(user));
                    testContext.assertTrue(RoleBasedAuthorization.create("view-profile").setResource("account").match(user));
                    loginAs(oAuth2Auth, testContext, "bob", "account", (List<String>) null).onSuccess(user -> {
                        async.complete();
                    });
                });
            });
        });
    }

    @Test
    public void discoverOwnAudience(TestContext testContext) {
        Async async = testContext.async();
        OAuth2Options site = new OAuth2Options().setFlow(OAuth2FlowType.PASSWORD).setClientId("own-audience").setTenant("vertx-it").setSite(this.site + "/auth/realms/{tenant}");
        site.getHttpClientOptions().setTrustAll(true);
        Future discover = KeycloakAuth.discover(this.rule.vertx(), site);
        testContext.getClass();
        discover.onFailure(testContext::fail).onSuccess(oAuth2Auth -> {
            loginAs(oAuth2Auth, testContext, "alice", site.getClientId(), Arrays.asList("openid")).onSuccess(user -> {
                testContext.assertNotNull(user.attributes().getJsonObject("idToken"));
                testContext.assertEquals(site.getClientId(), user.attributes().getJsonObject("idToken").getString("aud"));
                loginAs(oAuth2Auth, testContext, "bob", site.getClientId(), (List<String>) null).onSuccess(user -> {
                    async.complete();
                });
            });
        });
    }

    @Test
    public void discoverMultipleAudienceDefault(TestContext testContext) {
        Async async = testContext.async();
        OAuth2Options site = new OAuth2Options().setFlow(OAuth2FlowType.PASSWORD).setClientId("multiple-audience").setTenant("vertx-it").setSite(this.site + "/auth/realms/{tenant}");
        site.getHttpClientOptions().setTrustAll(true);
        Future discover = KeycloakAuth.discover(this.rule.vertx(), site);
        testContext.getClass();
        discover.onFailure(testContext::fail).onSuccess(oAuth2Auth -> {
            loginAs(oAuth2Auth, testContext, "alice", Arrays.asList(site.getClientId(), "account"), Arrays.asList("openid")).onSuccess(user -> {
                testContext.assertNotNull(user.attributes().getJsonObject("idToken"));
                testContext.assertEquals(site.getClientId(), user.attributes().getJsonObject("idToken").getString("aud"));
                loginAs(oAuth2Auth, testContext, "bob", Arrays.asList(site.getClientId(), "account"), (List<String>) null).onSuccess(user -> {
                    async.complete();
                });
            });
        });
    }

    @Test
    public void discoverMultipleAudienceWithAudiencesInConfig(TestContext testContext) {
        Async async = testContext.async();
        OAuth2Options jWTOptions = new OAuth2Options().setFlow(OAuth2FlowType.PASSWORD).setClientId("multiple-audience").setTenant("vertx-it").setSite(this.site + "/auth/realms/{tenant}").setJWTOptions(new JWTOptions().addAudience("multiple-audience").addAudience("account"));
        jWTOptions.getHttpClientOptions().setTrustAll(true);
        Future discover = KeycloakAuth.discover(this.rule.vertx(), jWTOptions);
        testContext.getClass();
        discover.onFailure(testContext::fail).onSuccess(oAuth2Auth -> {
            loginAs(oAuth2Auth, testContext, "alice", jWTOptions.getJWTOptions().getAudience(), Arrays.asList("openid")).onSuccess(user -> {
                testContext.assertNotNull(user.attributes().getJsonObject("idToken"));
                testContext.assertEquals(jWTOptions.getClientId(), user.attributes().getJsonObject("idToken").getString("aud"));
                loginAs(oAuth2Auth, testContext, "bob", jWTOptions.getJWTOptions().getAudience(), (List<String>) null).onSuccess(user -> {
                    async.complete();
                });
            });
        });
    }

    @Test
    public void discoverPublicMicroprofile(TestContext testContext) {
        Async async = testContext.async();
        OAuth2Options jWTOptions = new OAuth2Options().setFlow(OAuth2FlowType.PASSWORD).setClientId("public").setTenant("vertx-it").setSite(this.site + "/auth/realms/{tenant}").setJWTOptions(new JWTOptions().addAudience("account"));
        jWTOptions.getHttpClientOptions().setTrustAll(true);
        Future discover = KeycloakAuth.discover(this.rule.vertx(), jWTOptions);
        testContext.getClass();
        discover.onFailure(testContext::fail).onSuccess(oAuth2Auth -> {
            loginAs(oAuth2Auth, testContext, "alice", "account", Arrays.asList("openid", "microprofile-jwt")).onSuccess(user -> {
                testContext.assertNotNull(user.attributes().getJsonObject("idToken"));
                testContext.assertEquals(jWTOptions.getClientId(), user.attributes().getJsonObject("idToken").getString("aud"));
                Future authorizations = MicroProfileAuthorization.create().getAuthorizations(user);
                testContext.getClass();
                authorizations.onFailure(testContext::fail).onSuccess(r12 -> {
                    testContext.assertTrue(RoleBasedAuthorization.create("offline_access").match(user));
                    testContext.assertTrue(RoleBasedAuthorization.create("default-roles-vertx-it").match(user));
                    loginAs(oAuth2Auth, testContext, "bob", "account", (List<String>) null).onSuccess(user -> {
                        async.complete();
                    });
                });
            });
        });
    }

    @Test
    public void discoverGetTokenFromFrontEndPerformAuthWithBackend(TestContext testContext) {
        Async async = testContext.async();
        OAuth2Options site = new OAuth2Options().setFlow(OAuth2FlowType.PASSWORD).setClientId("frontend").setTenant("vertx-it").setSite(this.site + "/auth/realms/{tenant}");
        site.getHttpClientOptions().setTrustAll(true);
        Future discover = KeycloakAuth.discover(this.rule.vertx(), site);
        testContext.getClass();
        discover.onFailure(testContext::fail).onSuccess(oAuth2Auth -> {
            Future authenticate = oAuth2Auth.authenticate(new Oauth2Credentials().setUsername("alice").setPassword("password").addScope("backend"));
            testContext.getClass();
            authenticate.onFailure(testContext::fail).onSuccess(user -> {
                testContext.assertNotNull(user);
                testContext.assertNull(user.attributes().getJsonObject("accessToken"));
                OAuth2Options site2 = new OAuth2Options().setClientId("backend").setTenant("vertx-it").setSite(this.site + "/auth/realms/{tenant}");
                site2.getHttpClientOptions().setTrustAll(true);
                Future discover2 = KeycloakAuth.discover(this.rule.vertx(), site2);
                testContext.getClass();
                discover2.onFailure(testContext::fail).onSuccess(oAuth2Auth -> {
                    Future authenticate2 = oAuth2Auth.authenticate(new TokenCredentials(user.principal().getString("access_token")));
                    testContext.getClass();
                    authenticate2.onFailure(testContext::fail).onSuccess(user -> {
                        testContext.assertNotNull(user);
                        testContext.assertNotNull(user.attributes().getJsonObject("accessToken"));
                        testContext.assertTrue(user.attributes().getJsonObject("accessToken").getJsonArray("aud").contains("backend"));
                        async.complete();
                    });
                });
            });
        });
    }

    @Test
    public void discoverGetTokenFromFrontEndPerformAuthWithBorkendWillFail(TestContext testContext) {
        Async async = testContext.async();
        OAuth2Options site = new OAuth2Options().setFlow(OAuth2FlowType.PASSWORD).setClientId("frontend").setTenant("vertx-it").setSite(this.site + "/auth/realms/{tenant}");
        site.getHttpClientOptions().setTrustAll(true);
        Future discover = KeycloakAuth.discover(this.rule.vertx(), site);
        testContext.getClass();
        discover.onFailure(testContext::fail).onSuccess(oAuth2Auth -> {
            Future authenticate = oAuth2Auth.authenticate(new Oauth2Credentials().setUsername("alice").setPassword("password").addScope("backend"));
            testContext.getClass();
            authenticate.onFailure(testContext::fail).onSuccess(user -> {
                testContext.assertNotNull(user);
                testContext.assertNull(user.attributes().getJsonObject("accessToken"));
                OAuth2Options site2 = new OAuth2Options().setClientId("borkend").setTenant("vertx-it").setSite(this.site + "/auth/realms/{tenant}");
                site2.getHttpClientOptions().setTrustAll(true);
                Future discover2 = KeycloakAuth.discover(this.rule.vertx(), site2);
                testContext.getClass();
                discover2.onFailure(testContext::fail).onSuccess(oAuth2Auth -> {
                    oAuth2Auth.authenticate(new TokenCredentials(user.principal().getString("access_token"))).onFailure(th -> {
                        async.complete();
                    }).onSuccess(user -> {
                        testContext.fail("We are on the wrong audience for a bearer client");
                    });
                });
            });
        });
    }

    private Future<User> loginAs(OAuth2Auth oAuth2Auth, TestContext testContext, String str, String str2, List<String> list) {
        Promise promise = Promise.promise();
        Future authenticate = oAuth2Auth.authenticate(new Oauth2Credentials().setUsername(str).setPassword("password").setScopes(list));
        testContext.getClass();
        authenticate.onFailure(testContext::fail).onSuccess(user -> {
            testContext.assertNotNull(user);
            testContext.assertNotNull(user.attributes().getJsonObject("accessToken"));
            testContext.assertEquals(str2, user.attributes().getJsonObject("accessToken").getString("aud"));
            promise.complete(user);
        });
        return promise.future();
    }

    private Future<User> loginAs(OAuth2Auth oAuth2Auth, TestContext testContext, String str, List<String> list, List<String> list2) {
        Promise promise = Promise.promise();
        Future authenticate = oAuth2Auth.authenticate(new Oauth2Credentials().setUsername(str).setPassword("password").setScopes(list2));
        testContext.getClass();
        authenticate.onFailure(testContext::fail).onSuccess(user -> {
            testContext.assertNotNull(user);
            testContext.assertNotNull(user.attributes().getJsonObject("accessToken"));
            testContext.assertEquals(list, user.attributes().getJsonObject("accessToken").getJsonArray("aud").getList());
            promise.complete(user);
        });
        return promise.future();
    }
}
