package org.keycloak.services.clientpolicy.executor;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.node.ArrayNode;
import com.fasterxml.jackson.databind.node.BooleanNode;
import com.fasterxml.jackson.databind.node.ObjectNode;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.Objects;
import java.util.stream.Stream;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.keycloak.models.KeycloakSession;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.executor.SecureRedirectUrisEnforcerExecutor;
import org.keycloak.util.JsonSerialization;

/* loaded from: input_file:org/keycloak/services/clientpolicy/executor/SecureRedirectUrisEnforcerExecutorTest.class */
public class SecureRedirectUrisEnforcerExecutorTest {
    private static SecureRedirectUrisEnforcerExecutor executor;
    private ObjectNode configuration;

    @BeforeClass
    public static void setupAll() {
        executor = new SecureRedirectUrisEnforcerExecutor((KeycloakSession) null);
    }

    @Before
    public void setup() {
        this.configuration = JsonSerialization.createObjectNode();
    }

    @Test
    public void defaultConfiguration() {
        setupConfiguration(this.configuration);
        SecureRedirectUrisEnforcerExecutor.Configuration configuration = executor.getConfiguration();
        Assert.assertFalse(configuration.isAllowIPv4LoopbackAddress());
        Assert.assertFalse(configuration.isAllowIPv6LoopbackAddress());
        Assert.assertFalse(configuration.isAllowPrivateUseUriScheme());
        Assert.assertFalse(configuration.isAllowHttpScheme());
        Assert.assertFalse(configuration.isAllowWildcardContextPath());
        Assert.assertFalse(configuration.isOAuth2_1Compliant());
        Assert.assertFalse(configuration.isAllowOpenRedirect());
        Assert.assertTrue(configuration.getAllowPermittedDomains().isEmpty());
    }

    @Test
    public void failUriSyntax() {
        checkFail("https://keycloak.org\n", false, "Invalid Redirect Uri: invalid uri");
        checkFail("Collins'&1=1;--", false, "Invalid Redirect Uri: invalid uri");
    }

    @Test
    public void failValidatePrivateUseUriScheme() {
        checkFail("myapp:/oauth.redirect", false, "Invalid Redirect Uri: invalid private use scheme");
        enable("allow-private-use-uri-scheme");
        checkFail("myapp.example.com:/*", false, "Invalid Redirect Uri: invalid private use scheme");
        enable("allow-wildcard-context-path");
        checkFail("myapp.example.com:/*/abc/*/efg", false, "Invalid Redirect Uri: invalid private use scheme");
        enable("oauth-2-1-compliant");
        Stream.of((Object[]) new String[]{"myapp:/oauth.redirect#pinpoint", "myapp.example.com:/oauth.redirect/*", "myapp:/oauth.redirect"}).forEach(str -> {
            checkFail(str, false, "Invalid Redirect Uri: invalid private use scheme");
        });
    }

    @Test
    public void successValidatePrivateUseUriScheme() {
        enable("allow-private-use-uri-scheme");
        Stream.of((Object[]) new String[]{"com.example.app:/oauth2redirect/example-provider", "com.example.app:51004/oauth2redirect/example-provider"}).forEach(str -> {
            checkSuccess(str, false);
        });
        enable("allow-wildcard-context-path");
        checkSuccess("myapp.example.com:/*", false);
        enable("oauth-2-1-compliant");
        checkSuccess("com.example.app:/oauth2redirect/example-provider", false);
    }

    @Test
    public void failValidateIPv4LoopbackAddress() {
        checkFail("https://127.0.0.1/auth/admin", false, "Invalid Redirect Uri: invalid loopback address");
        enable("allow-ipv4-loopback-address");
        Stream.of((Object[]) new String[]{"http://127.0.0.1:8080/auth/admin", "https://127.0.0.1:8080/*"}).forEach(str -> {
            checkFail(str, false, "Invalid Redirect Uri: invalid loopback address");
        });
        enable("allow-wildcard-context-path");
        checkFail("https://127.0.0.1:8080/*/efg/*/abc", false, "Invalid Redirect Uri: invalid loopback address");
        enable("allow-http-scheme");
        enable("oauth-2-1-compliant");
        Stream.of((Object[]) new String[]{"http://127.0.0.1:8080/auth/admin", "http://127.0.0.1/*", "http://127.0.0.1/auth/admin#fragment"}).forEach(str2 -> {
            checkFail(str2, false, "Invalid Redirect Uri: invalid loopback address");
        });
        Stream.of((Object[]) new String[]{"http://127.0.0.1:123456/oauth2redirect/example-provider", "http://127.0.0.1/oauth2redirect/example-provider"}).forEach(str3 -> {
            checkFail(str3, true, "Invalid Redirect Uri: invalid loopback address");
        });
    }

    @Test
    public void successValiIPv4LoopbackAddress() {
        enable("allow-ipv4-loopback-address");
        Stream.of((Object[]) new String[]{"https://127.0.0.1:8443", "https://localhost/auth/admin"}).forEach(str -> {
            checkSuccess(str, false);
        });
        enable("allow-wildcard-context-path");
        checkSuccess("https://localhost/*", false);
        enable("allow-http-scheme");
        checkSuccess("http://127.0.0.1:8080/oauth2redirect", false);
        enable("oauth-2-1-compliant");
        checkSuccess("http://127.0.0.1/oauth2redirect/example-provider", false);
        checkSuccess("http://127.0.0.1:43321/oauth2redirect/example-provider", true);
    }

    @Test
    public void failValidateIPv6LoopbackAddress() {
        checkFail("https://[::1]:9999/oauth2redirect/example-provider", false, "Invalid Redirect Uri: invalid loopback address");
        enable("allow-ipv6-loopback-address");
        checkFail("http://[::1]:9999/oauth2redirect/example-provider", false, "Invalid Redirect Uri: invalid loopback address");
        checkFail("https://[::1]:9999/*", false, "Invalid Redirect Uri: invalid loopback address");
        enable("allow-wildcard-context-path");
        checkFail("https://[::1]/*/efg/*/abc", false, "Invalid Redirect Uri: invalid loopback address");
        enable("allow-http-scheme");
        enable("oauth-2-1-compliant");
        Stream.of((Object[]) new String[]{"http://[::1]:8080/auth/admin", "http://[::1]/*", "http://[::1]/auth/admin#fragment", "https://[0:0:0:0:0:0:0:1]:8080"}).forEach(str -> {
            checkFail(str, false, "Invalid Redirect Uri: invalid loopback address");
        });
        Stream.of((Object[]) new String[]{"http://[::1]:123456/oauth2redirect/example-provider", "http://[::1]/oauth2redirect/example-provider"}).forEach(str2 -> {
            checkFail(str2, true, "Invalid Redirect Uri: invalid loopback address");
        });
    }

    @Test
    public void successValiIPv6LoopbackAddress() {
        enable("allow-ipv6-loopback-address");
        Iterator it = Arrays.asList("https://[::1]/oauth2redirect/example-provider", "https://[::1]:8443").iterator();
        while (it.hasNext()) {
            checkSuccess((String) it.next(), false);
        }
        enable("allow-wildcard-context-path");
        checkSuccess("https://[::1]/*", false);
        enable("allow-http-scheme");
        checkSuccess("http://[::1]:8080/oauth2redirect", false);
        enable("oauth-2-1-compliant");
        checkSuccess("http://[::1]/oauth2redirect/example-provider", false);
        checkSuccess("http://[::1]:43321/oauth2redirect/example-provider", true);
    }

    @Test
    public void failNormalUri() {
        checkFail("http://192.168.1.211:9088/oauth2redirect/example-provider/test", false, "Invalid Redirect Uri: invalid uri");
        enable("allow-wildcard-context-path");
        checkFail("https://192.168.1.211/*/efg/*/abc", false, "Invalid Redirect Uri: invalid uri");
        enable("allow-http-scheme");
        permittedDomains("oauth.redirect", "((dev|test)-)*example.org");
        checkFail("http://192.168.1.211/oauth2redirect/example-provider/test", false, "Invalid Redirect Uri: invalid uri");
        enable("oauth-2-1-compliant");
        Stream.of((Object[]) new String[]{"http://dev-example.com/auth/callback", "https://test-example.com:8443/*", "https://oauth.redirect:8443/auth/callback#fragment"}).forEach(str -> {
            checkFail(str, true, "Invalid Redirect Uri: invalid uri");
        });
    }

    @Test
    public void successNormalUri() {
        Stream.of((Object[]) new String[]{"https://example.org/realms/master", "https://192.168.1.211:9088/oauth2redirect/example-provider/test", "https://192.168.1.211/"}).forEach(str -> {
            checkSuccess(str, false);
        });
        enable("allow-wildcard-context-path");
        checkSuccess("https://example.org/*", false);
        enable("allow-http-scheme");
        permittedDomains("oauth.redirect", "((dev|test)-)*example.org");
        checkSuccess("http://test-example.org:8080/*", false);
        enable("oauth-2-1-compliant");
        checkSuccess("https://dev-example.org:8080/redirect", false);
    }

    @Test
    public void successDefaultConfiguration() {
        Stream.of((Object[]) new String[]{"https://example.org/realms/master", "https://192.168.1.211:9088/oauth2redirect/example-provider/test", "https://192.168.1.211/"}).forEach(str -> {
            checkSuccess(str, false);
        });
    }

    @Test
    public void successAllConfigurationEnabled() {
        enable("allow-wildcard-context-path", "allow-ipv4-loopback-address", "allow-ipv6-loopback-address", "allow-http-scheme", "allow-private-use-uri-scheme");
        permittedDomains("oauth.redirect", "((dev|test)-)*example.org");
        Stream.of((Object[]) new String[]{"http://127.0.0.1/*/realms/master", "http://[::1]/*/realms/master", "myapp.example.com://oauth.redirect", "https://test-example.org/*/auth/admin"}).forEach(str -> {
            checkSuccess(str, false);
        });
    }

    @Test
    public void successAllConfigurationDisabled() {
        disable("allow-wildcard-context-path", "allow-ipv4-loopback-address", "allow-ipv6-loopback-address", "allow-http-scheme", "allow-private-use-uri-scheme", "allow-open-redirect");
        Stream.of((Object[]) new String[]{"https://keycloak.org/sso/silent-callback.html", "https://example.org/auth/realms/master/broker/oidc/endpoint", "https://192.168.8.1:12345/auth/realms/master/broker/oidc/endpoint"}).forEach(str -> {
            checkSuccess(str, false);
        });
    }

    private void permittedDomains(String... strArr) {
        ArrayNode createArrayNode = JsonSerialization.mapper.createArrayNode();
        Stream stream = Arrays.stream(strArr);
        Objects.requireNonNull(createArrayNode);
        stream.forEach(createArrayNode::add);
        this.configuration.set("allow-permitted-domains", createArrayNode);
    }

    private void disable(String... strArr) {
        Arrays.stream(strArr).forEach(str -> {
            this.configuration.set(str, BooleanNode.getFalse());
        });
    }

    private void enable(String... strArr) {
        Arrays.stream(strArr).forEach(str -> {
            this.configuration.set(str, BooleanNode.getTrue());
        });
    }

    private void setupConfiguration(JsonNode jsonNode) {
        executor.setupConfiguration((SecureRedirectUrisEnforcerExecutor.Configuration) JsonSerialization.mapper.convertValue(jsonNode, executor.getExecutorConfigurationClass()));
    }

    private void checkFail(String str, boolean z, String str2) {
        try {
            doValidate(str, z);
            Assert.fail();
        } catch (ClientPolicyException e) {
            Assert.assertEquals("invalid_request", e.getMessage());
            Assert.assertEquals(str2, e.getErrorDetail());
        }
    }

    private void checkSuccess(String str, boolean z) {
        try {
            doValidate(str, z);
        } catch (ClientPolicyException e) {
            Assert.assertNull(e.getErrorDetail(), e);
        }
    }

    private void doValidate(String str, boolean z) throws ClientPolicyException {
        setupConfiguration(this.configuration);
        executor.verifyRedirectUri(str, z);
    }

    @Test
    public void matchDomains() throws URISyntaxException {
        SecureRedirectUrisEnforcerExecutor.Configuration configuration = new SecureRedirectUrisEnforcerExecutor.Configuration();
        SecureRedirectUrisEnforcerExecutor.UriValidation uriValidation = new SecureRedirectUrisEnforcerExecutor.UriValidation("http://localhost:8080/auth/realms/master/account", false, configuration);
        Assert.assertFalse(uriValidation.matchDomains(Collections.emptyList()));
        Assert.assertFalse(uriValidation.matchDomains(Collections.singletonList("local-\\w+")));
        Assert.assertTrue(uriValidation.matchDomains(Collections.singletonList("localhost")));
        Assert.assertTrue(uriValidation.matchDomains(Collections.singletonList("local\\w+")));
        Assert.assertFalse(uriValidation.matchDomains(Arrays.asList("local-\\w+", "localhost2")));
        Assert.assertTrue(uriValidation.matchDomains(Arrays.asList("local\\w+", "localhost")));
        for (String str : new String[]{"https://dev-example.org", "https://test-example.org", "https://example.org"}) {
            Assert.assertTrue(str, new SecureRedirectUrisEnforcerExecutor.UriValidation(str, false, configuration).matchDomain("((dev|test)-)*example.org"));
        }
        for (String str2 : new String[]{"https://prod-example.org", "https://testexample.org"}) {
            Assert.assertFalse(str2, new SecureRedirectUrisEnforcerExecutor.UriValidation(str2, false, configuration).matchDomain("((dev|test)-)*example.org"));
        }
    }
}
