package org.keycloak.authentication.authenticators.broker;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.AuthenticationFlowException;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.authenticators.broker.util.ExistingUserInfo;
import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.events.Errors;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.messages.Messages;

/* loaded from: input_file:wildfly-10.1.0.Final/modules/system/add-ons/keycloak/org/keycloak/keycloak-services/main/keycloak-services-2.1.0.Final.jar:org/keycloak/authentication/authenticators/broker/AbstractIdpAuthenticator.class */
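/**
 * Base class for authenticators that run inside the identity-brokering ("first broker login")
 * flow.
 *
 * <p>The brokered identity, as received from the external identity provider, is expected to be
 * stored as a serialized note on the client session under {@link #BROKERED_CONTEXT_NOTE}. Both
 * {@link #authenticate} and {@link #action} read and deserialize that note, refuse to continue
 * when the identity provider the context came from is disabled, and only then delegate to the
 * subclass-specific {@link #authenticateImpl} / {@link #actionImpl}.
 */
public abstract class AbstractIdpAuthenticator implements Authenticator {
    /** Client-session note holding the serialized {@link SerializedBrokeredIdentityContext}. */
    public static final String BROKERED_CONTEXT_NOTE = "BROKERED_CONTEXT";
    /** Client-session note holding a serialized {@link ExistingUserInfo} (see {@link #getExistingUser}). */
    public static final String EXISTING_USER_INFO = "EXISTING_USER_INFO";
    public static final String UPDATE_PROFILE_EMAIL_CHANGED = "UPDATE_PROFILE_EMAIL_CHANGED";
    public static final String IS_DIFFERENT_BROWSER = "IS_DIFFERENT_BROWSER";
    public static final String ENFORCE_UPDATE_PROFILE = "ENFORCE_UPDATE_PROFILE";
    public static final String BROKER_REGISTERED_NEW_USER = "BROKER_REGISTERED_NEW_USER";

    /**
     * Entry point of the authenticator step.
     *
     * @param context the current authentication flow context
     * @throws AuthenticationFlowException if no serialized brokered context is present on the
     *     client session
     */
    @Override // org.keycloak.authentication.Authenticator
    public void authenticate(AuthenticationFlowContext context) {
        ClientSessionModel clientSession = context.getClientSession();
        SerializedBrokeredIdentityContext serializedCtx = requireSerializedContext(clientSession);
        BrokeredIdentityContext brokerContext = serializedCtx.deserialize(context.getSession(), clientSession);
        if (!brokerContext.getIdpConfig().isEnabled()) {
            sendFailureChallenge(context, Errors.IDENTITY_PROVIDER_ERROR, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR, AuthenticationFlowError.IDENTITY_PROVIDER_ERROR);
            // Stop here: running the subclass step after a failure challenge would let it
            // overwrite the flow status (e.g. with a success) for a disabled identity provider.
            return;
        }
        authenticateImpl(context, serializedCtx, brokerContext);
    }

    /**
     * Entry point for the form-submission (action) phase of the step. Performs the same context
     * lookup and identity-provider checks as {@link #authenticate} before delegating.
     *
     * @param context the current authentication flow context
     * @throws AuthenticationFlowException if no serialized brokered context is present on the
     *     client session
     */
    @Override // org.keycloak.authentication.Authenticator
    public void action(AuthenticationFlowContext context) {
        ClientSessionModel clientSession = context.getClientSession();
        SerializedBrokeredIdentityContext serializedCtx = requireSerializedContext(clientSession);
        BrokeredIdentityContext brokerContext = serializedCtx.deserialize(context.getSession(), clientSession);
        if (!brokerContext.getIdpConfig().isEnabled()) {
            sendFailureChallenge(context, Errors.IDENTITY_PROVIDER_ERROR, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR, AuthenticationFlowError.IDENTITY_PROVIDER_ERROR);
            // Same guard as in authenticate(): never run the action against a disabled IdP.
            return;
        }
        actionImpl(context, serializedCtx, brokerContext);
    }

    /**
     * Reads the serialized brokered context note from the client session.
     *
     * @param clientSession the client session to read from
     * @return the serialized context stored under {@link #BROKERED_CONTEXT_NOTE}
     * @throws AuthenticationFlowException if the note is absent (the broker flow was entered
     *     without a preceding identity-provider login)
     */
    private static SerializedBrokeredIdentityContext requireSerializedContext(ClientSessionModel clientSession) {
        SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromClientSession(clientSession, BROKERED_CONTEXT_NOTE);
        if (serializedCtx == null) {
            throw new AuthenticationFlowException("Not found serialized context in clientSession", AuthenticationFlowError.IDENTITY_PROVIDER_ERROR);
        }
        return serializedCtx;
    }

    /**
     * Subclass-specific behaviour for {@link #authenticate}, invoked only after the brokered
     * context has been loaded and the identity provider verified as enabled.
     *
     * @param context the current authentication flow context
     * @param serializedCtx the serialized brokered context read from the client session
     * @param brokerContext the deserialized brokered identity context
     */
    protected abstract void authenticateImpl(AuthenticationFlowContext context, SerializedBrokeredIdentityContext serializedCtx, BrokeredIdentityContext brokerContext);

    /**
     * Subclass-specific behaviour for {@link #action}, invoked only after the brokered context
     * has been loaded and the identity provider verified as enabled.
     *
     * @param context the current authentication flow context
     * @param serializedCtx the serialized brokered context read from the client session
     * @param brokerContext the deserialized brokered identity context
     */
    protected abstract void actionImpl(AuthenticationFlowContext context, SerializedBrokeredIdentityContext serializedCtx, BrokeredIdentityContext brokerContext);

    /**
     * Records an error event and fails the flow with an error page.
     *
     * @param context the current authentication flow context
     * @param eventError the event error code (see {@link Errors}) attached to the event
     * @param formMessage the message key (see {@link Messages}) rendered on the error page
     * @param flowError the flow error reported through {@code failureChallenge}
     */
    protected void sendFailureChallenge(AuthenticationFlowContext context, String eventError, String formMessage, AuthenticationFlowError flowError) {
        context.getEvent().user(context.getUser()).error(eventError);
        context.failureChallenge(flowError, context.form().setError(formMessage, new Object[0]).createErrorPage());
    }

    /** No required actions are added by default; subclasses may override. */
    @Override // org.keycloak.authentication.Authenticator
    public void setRequiredActions(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
    }

    /** Nothing to release. */
    @Override // org.keycloak.provider.Provider
    public void close() {
    }

    /**
     * Resolves the already-existing user that an earlier broker step recorded on the client
     * session (under {@link #EXISTING_USER_INFO}) as a duplicate of the brokered identity.
     *
     * @param keycloakSession the current session, used to look the user up
     * @param realmModel the realm the user belongs to
     * @param clientSessionModel the client session carrying the {@link #EXISTING_USER_INFO} note
     * @return the existing, enabled user
     * @throws AuthenticationFlowException with {@code INTERNAL_ERROR} if the note is absent,
     *     {@code INVALID_USER} if the referenced user no longer exists, or {@code USER_DISABLED}
     *     if the user is disabled
     */
    public static UserModel getExistingUser(KeycloakSession keycloakSession, RealmModel realmModel, ClientSessionModel clientSessionModel) {
        String note = clientSessionModel.getNote(EXISTING_USER_INFO);
        if (note == null) {
            throw new AuthenticationFlowException("Unexpected state. There is no existing duplicated user identified in ClientSession", AuthenticationFlowError.INTERNAL_ERROR);
        }
        // Report the user id, not the whole serialized note, in the messages below.
        String existingUserId = ExistingUserInfo.deserialize(note).getExistingUserId();
        UserModel existingUser = keycloakSession.users().getUserById(existingUserId, realmModel);
        if (existingUser == null) {
            throw new AuthenticationFlowException("User with ID '" + existingUserId + "' not found.", AuthenticationFlowError.INVALID_USER);
        }
        if (!existingUser.isEnabled()) {
            throw new AuthenticationFlowException("User with ID '" + existingUserId + "', username '" + existingUser.getUsername() + "' disabled.", AuthenticationFlowError.USER_DISABLED);
        }
        return existingUser;
    }
}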
