package io.vertx.ext.auth.test.oauth2;

import io.vertx.core.json.JsonArray;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.JWTOptions;
import io.vertx.ext.auth.User;
import io.vertx.ext.auth.authorization.PermissionBasedAuthorization;
import io.vertx.ext.auth.authorization.RoleBasedAuthorization;
import io.vertx.ext.auth.oauth2.OAuth2Auth;
import io.vertx.ext.auth.oauth2.OAuth2FlowType;
import io.vertx.ext.auth.oauth2.OAuth2Options;
import io.vertx.ext.auth.oauth2.authorization.KeycloakAuthorization;
import io.vertx.ext.auth.oauth2.authorization.ScopeAuthorization;
import io.vertx.ext.auth.oauth2.providers.KeycloakAuth;
import io.vertx.ext.unit.Async;
import io.vertx.ext.unit.TestContext;
import io.vertx.ext.unit.junit.RunTestOnContext;
import io.vertx.ext.unit.junit.VertxUnitRunnerWithParametersFactory;
import java.util.Arrays;
import java.util.List;
import org.junit.Before;
import org.junit.ClassRule;
import org.junit.Rule;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;
import org.testcontainers.containers.BindMode;
import org.testcontainers.containers.GenericContainer;
import org.testcontainers.containers.wait.strategy.Wait;

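/**
 * Integration tests for the OAuth2 provider against a disposable Keycloak container.
 *
 * <p>Every test runs twice, once per entry returned by {@link #sites()}: over plain HTTP
 * (container port 8080) and over HTTPS (container port 8443).
 *
 * <p>Security notes for anyone copying from this fixture:
 * <ul>
 *   <li>{@code setTrustAll(true)} switches off TLS certificate verification. It is used here
 *       only because the peer is a local throwaway container; a client configured this way
 *       accepts any certificate and must never talk to a real identity provider.</li>
 *   <li>The client secret, user password and Keycloak admin credentials are fixture values for
 *       the imported test realm and must not be reused outside it.</li>
 *   <li>The resource-owner password grant is used because it lets a test obtain tokens without
 *       a browser; the OAuth 2.0 Security BCP advises against it for real clients.</li>
 * </ul>
 */
@Parameterized.UseParametersRunnerFactory(VertxUnitRunnerWithParametersFactory.class)
@RunWith(Parameterized.class)
public class OAuth2KeycloakIT {

    // Fixture values; presumably they match the client defined in vertx-test-realm.json.
    private static final String CLIENT_ID = "confidential-client";
    private static final String CLIENT_SECRET = "62b8de48-672e-4287-bb1e-6af39aec045e";
    private static final String TENANT = "vertx-test";

    private static final int HTTP_PORT = 8080;
    private static final int HTTPS_PORT = 8443;

    /** Keycloak with an in-memory H2 database; the test realm is imported at start-up. */
    @ClassRule
    public static final GenericContainer<?> container = new GenericContainer<>("jboss/keycloak:6.0.0")
        .withEnv("KEYCLOAK_USER", "user")
        .withEnv("KEYCLOAK_PASSWORD", "password")
        .withEnv("DB_VENDOR", "H2")
        .withExposedPorts(HTTP_PORT, HTTPS_PORT)
        .withClasspathResourceMapping("vertx-test-realm.json", "/tmp/vertx-test-realm.json", BindMode.READ_ONLY)
        .withCommand(
            "-b", "0.0.0.0",
            "-Dkeycloak.migration.action=import",
            "-Dkeycloak.migration.provider=singleFile",
            "-Dkeycloak.migration.file=/tmp/vertx-test-realm.json",
            "-Dkeycloak.migration.strategy=OVERWRITE_EXISTING")
        .waitingFor(Wait.forLogMessage(".*Keycloak.*started.*", 1));

    @Rule
    public final RunTestOnContext rule = new RunTestOnContext();

    private final String proto;
    private OAuth2Auth keycloak;
    private String site;

    /** URL schemes the whole suite is repeated for. */
    @Parameterized.Parameters
    public static List<String> sites() {
        return Arrays.asList("http", "https");
    }

    /**
     * @param proto URL scheme for this run, {@code "http"} or {@code "https"}
     */
    public OAuth2KeycloakIT(String proto) {
        this.proto = proto;
    }

    /**
     * Builds the options shared by every client in this suite: client id, client secret,
     * tenant and the realm URL under the current {@link #site}.
     *
     * @param realmPath path appended to the site, including the tenant placeholder
     * @return options with certificate verification disabled (test container only)
     */
    private OAuth2Options clientOptions(String realmPath) {
        OAuth2Options options = new OAuth2Options()
            .setClientId(CLIENT_ID)
            .setClientSecret(CLIENT_SECRET)
            .setTenant(TENANT)
            .setSite(site + realmPath);
        // Test-only: accepts any TLS certificate. Never carry this into production configuration.
        options.getHttpClientOptions().setTrustAll(true);
        return options;
    }

    /** Username/password credentials of the fixture user. */
    private static JsonObject testUserCredentials() {
        return new JsonObject().put("username", "test-user").put("password", "tiger");
    }

    /**
     * Resolves the mapped container port for the current scheme and discovers the provider
     * configuration, storing the resulting client in {@link #keycloak}.
     *
     * @throws IllegalArgumentException if the scheme is neither {@code http} nor {@code https}
     */
    @Before
    public void setUp(TestContext ctx) {
        Async ready = ctx.async();

        final int containerPort;
        switch (proto) {
            case "http":
                containerPort = HTTP_PORT;
                break;
            case "https":
                containerPort = HTTPS_PORT;
                break;
            default:
                throw new IllegalArgumentException("Invalid proto: " + proto);
        }
        site = proto + "://" + container.getContainerIpAddress() + ":" + container.getMappedPort(containerPort);

        OAuth2Options options = clientOptions("/auth/realms/{tenant}")
            .setFlow(OAuth2FlowType.PASSWORD)
            .setJWTOptions(new JWTOptions().addAudience("account"));

        KeycloakAuth.discover(rule.vertx(), options, discovery -> {
            ctx.assertTrue(discovery.succeeded());
            keycloak = discovery.result();
            ready.complete();
        });
    }

    /** A password login succeeds and yields a user carrying a decoded access token. */
    @Test
    public void shouldLoginWithUsernamePassword(TestContext ctx) {
        Async done = ctx.async();
        keycloak.authenticate(testUserCredentials(), login -> {
            ctx.assertTrue(login.succeeded());
            ctx.assertNotNull(login.result());
            ctx.assertNotNull(login.result().attributes().getJsonObject("accessToken"));
            done.complete();
        });
    }

    /** Requesting the {@code openid} scope additionally yields a decoded id token. */
    @Test
    public void shouldLoginWithUsernamePasswordAndGetIdToken(TestContext ctx) {
        Async done = ctx.async();
        JsonObject credentials = testUserCredentials().put("scopes", new JsonArray().add("openid"));
        keycloak.authenticate(credentials, login -> {
            ctx.assertTrue(login.succeeded());
            ctx.assertNotNull(login.result());
            ctx.assertNotNull(login.result().attributes().getJsonObject("accessToken"));
            ctx.assertNotNull(login.result().attributes().getJsonObject("idToken"));
            done.complete();
        });
    }

    /** An access token issued by a password login is accepted as a bearer credential. */
    @Test
    public void shouldLoginWithAccessToken(TestContext ctx) {
        Async done = ctx.async();
        keycloak.authenticate(testUserCredentials(), login -> {
            ctx.assertTrue(login.succeeded());
            ctx.assertNotNull(login.result());

            JsonObject bearer = new JsonObject()
                .put("access_token", login.result().principal().getString("access_token"))
                .put("token_type", "Bearer");
            keycloak.authenticate(bearer, tokenLogin -> {
                ctx.assertTrue(tokenLogin.succeeded());
                ctx.assertNotNull(tokenLogin.result());
                done.complete();
            });
        });
    }

    /** Negative case: a string that is not a token must be rejected with a cause. */
    @Test
    public void shouldFailLoginWithInvalidToken(TestContext ctx) {
        Async done = ctx.async();
        JsonObject bogus = new JsonObject()
            .put("access_token", "aaaaaaaaaaaaaaaaaa")
            .put("token_type", "Bearer");
        keycloak.authenticate(bogus, login -> {
            ctx.assertTrue(login.failed());
            ctx.assertNotNull(login.cause());
            done.complete();
        });
    }

    /**
     * A token presented five seconds after it was issued is rejected as "Inactive Token" by a
     * second client that is configured without JWT options.
     */
    @Test
    public void shouldIntrospectAccessTokenInactive(TestContext ctx) {
        Async done = ctx.async();
        keycloak.authenticate(testUserCredentials(), login -> {
            ctx.assertTrue(login.succeeded());
            ctx.assertNotNull(login.result());
            User user = login.result();

            OAuth2Options options = clientOptions("/auth/realms/{realm}").setFlow(OAuth2FlowType.PASSWORD);
            KeycloakAuth.discover(rule.vertx(), options, discovery -> {
                ctx.assertTrue(discovery.succeeded());
                OAuth2Auth introspector = discovery.result();

                // Wait on a timer rather than sleeping: this callback runs on the Vert.x context,
                // and a blocking sleep would stall it and silently drop any interrupt.
                // NOTE(review): the expected failure suggests the imported realm issues access
                // tokens that live less than five seconds; confirm against vertx-test-realm.json.
                rule.vertx().setTimer(5000L, timerId ->
                    introspector.authenticate(user.principal(), introspection -> {
                        ctx.assertTrue(introspection.failed());
                        ctx.assertEquals("Inactive Token", introspection.cause().getMessage());
                        done.complete();
                    }));
            });
        });
    }

    /** A freshly issued token is accepted by a second client configured without JWT options. */
    @Test
    public void shouldIntrospectAccessToken(TestContext ctx) {
        Async done = ctx.async();
        keycloak.authenticate(testUserCredentials(), login -> {
            ctx.assertTrue(login.succeeded());
            ctx.assertNotNull(login.result());
            User user = login.result();

            OAuth2Options options = clientOptions("/auth/realms/{realm}").setFlow(OAuth2FlowType.PASSWORD);
            KeycloakAuth.discover(rule.vertx(), options, discovery -> {
                ctx.assertTrue(discovery.succeeded());
                discovery.result().authenticate(user.principal(), introspection -> {
                    ctx.assertTrue(introspection.succeeded());
                    done.complete();
                });
            });
        });
    }

    /**
     * Scopes and Keycloak roles carried by the token are loaded onto the user.
     *
     * <p>Checked authorities: scopes {@code profile} and {@code email}; realm roles
     * {@code offline_access} and {@code user}; client roles {@code confidential-client:test},
     * {@code account:manage-account}, {@code account:manage-account-links} and
     * {@code account:view-profile}.
     */
    @Test
    public void shouldGetPermissionsFromToken(TestContext ctx) {
        Async done = ctx.async();
        keycloak.authenticate(testUserCredentials(), login -> {
            ctx.assertTrue(login.succeeded());
            ctx.assertNotNull(login.result());
            User user = login.result();

            ScopeAuthorization.create(" ").getAuthorizations(user, scopes -> {
                ctx.assertTrue(scopes.succeeded());
                ctx.assertTrue(PermissionBasedAuthorization.create("profile").match(user));
                ctx.assertTrue(PermissionBasedAuthorization.create("email").match(user));

                KeycloakAuthorization.create().getAuthorizations(user, roles -> {
                    ctx.assertTrue(roles.succeeded());
                    ctx.assertTrue(RoleBasedAuthorization.create("offline_access").match(user));
                    ctx.assertTrue(RoleBasedAuthorization.create("user").match(user));
                    ctx.assertTrue(RoleBasedAuthorization.create("test").setResource("confidential-client").match(user));
                    ctx.assertTrue(RoleBasedAuthorization.create("manage-account").setResource("account").match(user));
                    ctx.assertTrue(RoleBasedAuthorization.create("manage-account-links").setResource("account").match(user));
                    ctx.assertTrue(RoleBasedAuthorization.create("view-profile").setResource("account").match(user));
                    done.complete();
                });
            });
        });
    }

    /** Negative case: an authority the token does not carry ({@code sudo}) must not match. */
    @Test
    public void shouldGetPermissionsFromTokenButPermissionIsNotAllowed(TestContext ctx) {
        Async done = ctx.async();
        keycloak.authenticate(testUserCredentials(), login -> {
            ctx.assertTrue(login.succeeded());
            ctx.assertNotNull(login.result());
            User user = login.result();

            KeycloakAuthorization.create().getAuthorizations(user, roles -> {
                ctx.assertTrue(roles.succeeded());
                ctx.assertFalse(PermissionBasedAuthorization.create("sudo").match(user));
                done.complete();
            });
        });
    }

    /** The user-info lookup returns the profile of the authenticated user. */
    @Test
    public void shouldLoadTheUserInfo(TestContext ctx) {
        Async done = ctx.async();
        keycloak.authenticate(testUserCredentials(), login -> {
            ctx.assertTrue(login.succeeded());
            ctx.assertNotNull(login.result());

            keycloak.userInfo(login.result(), userInfo -> {
                ctx.assertTrue(userInfo.succeeded());
                ctx.assertNotNull(userInfo.result());
                ctx.assertEquals("test-user", userInfo.result().getString("preferred_username"));
                done.complete();
            });
        });
    }

    /** Refreshing yields an access token different from the one originally issued. */
    @Test
    public void shouldRefreshAToken(TestContext ctx) {
        Async done = ctx.async();
        keycloak.authenticate(testUserCredentials(), login -> {
            ctx.assertTrue(login.succeeded());
            ctx.assertNotNull(login.result());
            User user = login.result();
            String originalToken = user.principal().getString("access_token");

            keycloak.refresh(user, refreshed -> {
                ctx.assertTrue(refreshed.succeeded());
                ctx.assertNotEquals(originalToken, refreshed.result().principal().getString("access_token"));
                done.complete();
            });
        });
    }

    /** Logging in still works after the JWK set has been reloaded. */
    @Test
    public void shouldReloadJWK(TestContext ctx) {
        Async done = ctx.async();
        keycloak.jWKSet(reload -> {
            ctx.assertTrue(reload.succeeded());

            keycloak.authenticate(testUserCredentials(), login -> {
                ctx.assertTrue(login.succeeded());
                ctx.assertNotNull(login.result());
                ctx.assertNotNull(login.result().attributes().getJsonObject("accessToken"));
                done.complete();
            });
        });
    }

    /** With no flow configured on the client, a flow named in the credentials is honoured. */
    @Test
    public void shouldDiscoverGrant(TestContext ctx) {
        Async done = ctx.async();
        OAuth2Options options = clientOptions("/auth/realms/{tenant}")
            .setJWTOptions(new JWTOptions().addAudience("account"));

        KeycloakAuth.discover(rule.vertx(), options, discovery -> {
            ctx.assertTrue(discovery.succeeded());

            JsonObject credentials = testUserCredentials().put("flow", OAuth2FlowType.PASSWORD.getGrantType());
            discovery.result().authenticate(credentials, login -> {
                ctx.assertTrue(login.succeeded());
                done.complete();
            });
        });
    }

    /** Negative case: the AAD on-behalf-of flow is refused with a fixed error message. */
    @Test
    public void unsupportedGrant(TestContext ctx) {
        Async done = ctx.async();
        OAuth2Options options = clientOptions("/auth/realms/{tenant}")
            .setJWTOptions(new JWTOptions().addAudience("account"));

        KeycloakAuth.discover(rule.vertx(), options, discovery -> {
            ctx.assertTrue(discovery.succeeded());

            JsonObject credentials = testUserCredentials().put("flow", OAuth2FlowType.AAD_OBO.getGrantType());
            discovery.result().authenticate(credentials, login -> {
                ctx.assertTrue(login.failed());
                ctx.assertEquals("Provided flow is not supported by provider", login.cause().getMessage());
                done.complete();
            });
        });
    }
}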
