package org.keycloak.services.resources;

import java.util.Iterator;
import java.util.LinkedList;
import java.util.concurrent.TimeUnit;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import javax.ws.rs.ext.Providers;
import org.jboss.logging.Logger;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.ClientConnection;
import org.keycloak.OAuth2Constants;
import org.keycloak.email.EmailException;
import org.keycloak.email.EmailProvider;
import org.keycloak.events.Details;
import org.keycloak.events.Errors;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.login.LoginFormsProvider;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RequiredCredentialModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.models.utils.TimeBasedOTP;
import org.keycloak.protocol.LoginProtocol;
import org.keycloak.protocol.oidc.OpenIDConnectService;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.protocol.saml.SamlProtocol;
import org.keycloak.representations.PasswordToken;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.ClientSessionCode;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.flows.Flows;
import org.keycloak.services.resources.flows.Urls;
import org.keycloak.services.validation.Validation;

/* loaded from: input_file:WEB-INF/lib/keycloak-services-1.1.0.Final.jar:org/keycloak/services/resources/LoginActionsService.class */
public class LoginActionsService {
    protected static final Logger logger = Logger.getLogger((Class<?>) LoginActionsService.class);
    private RealmModel realm;

    @Context
    private HttpRequest request;

    @Context
    protected HttpHeaders headers;

    @Context
    private UriInfo uriInfo;

    @Context
    private ClientConnection clientConnection;

    @Context
    protected Providers providers;

    @Context
    protected KeycloakSession session;
    private AuthenticationManager authManager;
    private EventBuilder event;

    /* loaded from: input_file:WEB-INF/lib/keycloak-services-1.1.0.Final.jar:org/keycloak/services/resources/LoginActionsService$Checks.class */
    private class Checks {
        ClientSessionCode clientCode;
        Response response;

        private Checks() {
        }

        boolean check(String str, ClientSessionModel.Action action) {
            if (!check(str)) {
                return false;
            }
            if (this.clientCode.isValid(action)) {
                return true;
            }
            LoginActionsService.this.event.error(Errors.INVALID_CODE);
            this.response = Flows.forwardToSecurityFailurePage(LoginActionsService.this.session, LoginActionsService.this.realm, LoginActionsService.this.uriInfo, "Invalid code, please login again through your application.");
            return false;
        }

        public boolean check(String str) {
            if (!LoginActionsService.this.checkSsl()) {
                LoginActionsService.this.event.error(Errors.SSL_REQUIRED);
                this.response = Flows.forwardToSecurityFailurePage(LoginActionsService.this.session, LoginActionsService.this.realm, LoginActionsService.this.uriInfo, "HTTPS required");
                return false;
            }
            if (!LoginActionsService.this.realm.isEnabled()) {
                LoginActionsService.this.event.error(Errors.REALM_DISABLED);
                this.response = Flows.forwardToSecurityFailurePage(LoginActionsService.this.session, LoginActionsService.this.realm, LoginActionsService.this.uriInfo, "Realm not enabled.");
                return false;
            }
            this.clientCode = ClientSessionCode.parse(str, LoginActionsService.this.session, LoginActionsService.this.realm);
            if (this.clientCode != null) {
                return true;
            }
            LoginActionsService.this.event.error(Errors.INVALID_CODE);
            this.response = Flows.forwardToSecurityFailurePage(LoginActionsService.this.session, LoginActionsService.this.realm, LoginActionsService.this.uriInfo, "Unknown code, please login again through your application.");
            return false;
        }
    }

    public static UriBuilder loginActionsBaseUrl(UriInfo uriInfo) {
        return loginActionsBaseUrl(uriInfo.getBaseUriBuilder());
    }

    public static UriBuilder loginActionsBaseUrl(UriBuilder uriBuilder) {
        return uriBuilder.path(RealmsResource.class).path(RealmsResource.class, "getLoginActionsService");
    }

    public static UriBuilder processLoginUrl(UriInfo uriInfo) {
        return processLoginUrl(uriInfo.getBaseUriBuilder());
    }

    public static UriBuilder processLoginUrl(UriBuilder uriBuilder) {
        return loginActionsBaseUrl(uriBuilder).path(OpenIDConnectService.class, "processLogin");
    }

    public static UriBuilder processOAuthUrl(UriInfo uriInfo) {
        return processOAuthUrl(uriInfo.getBaseUriBuilder());
    }

    public static UriBuilder processOAuthUrl(UriBuilder uriBuilder) {
        return loginActionsBaseUrl(uriBuilder).path(OpenIDConnectService.class, "processOAuth");
    }

    public LoginActionsService(RealmModel realmModel, AuthenticationManager authenticationManager, EventBuilder eventBuilder) {
        this.realm = realmModel;
        this.authManager = authenticationManager;
        this.event = eventBuilder;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public boolean checkSsl() {
        return this.uriInfo.getBaseUri().getScheme().equals("https") || !this.realm.getSslRequired().isRequired(this.clientConnection);
    }

    @GET
    @Path("login")
    public Response loginPage(@QueryParam("code") String str) {
        this.event.event(EventType.LOGIN);
        Checks checks = new Checks();
        if (!checks.check(str)) {
            return checks.response;
        }
        this.event.detail(Details.CODE_ID, str);
        ClientSessionCode clientSessionCode = checks.clientCode;
        ClientSessionModel clientSession = clientSessionCode.getClientSession();
        if (clientSession.getAction().equals(ClientSessionModel.Action.RECOVER_PASSWORD)) {
            TokenManager.dettachClientSession(this.session.sessions(), this.realm, clientSession);
            clientSession.setAction(ClientSessionModel.Action.AUTHENTICATE);
        }
        return Flows.forms(this.session, this.realm, clientSession.getClient(), this.uriInfo).setClientSessionCode(clientSessionCode.getCode()).createLogin();
    }

    @GET
    @Path("registration")
    public Response registerPage(@QueryParam("code") String str) {
        this.event.event(EventType.REGISTER);
        if (!this.realm.isRegistrationAllowed()) {
            this.event.error(Errors.REGISTRATION_DISABLED);
            return Flows.forwardToSecurityFailurePage(this.session, this.realm, this.uriInfo, "Registration not allowed");
        }
        Checks checks = new Checks();
        if (!checks.check(str)) {
            return checks.response;
        }
        this.event.detail(Details.CODE_ID, str);
        ClientSessionCode clientSessionCode = checks.clientCode;
        ClientSessionModel clientSession = clientSessionCode.getClientSession();
        AuthenticationManager authenticationManager = this.authManager;
        AuthenticationManager.expireIdentityCookie(this.realm, this.uriInfo, this.clientConnection);
        return Flows.forms(this.session, this.realm, clientSession.getClient(), this.uriInfo).setClientSessionCode(clientSessionCode.getCode()).createRegistration();
    }

    @POST
    @Path("request/login")
    @Consumes({"application/x-www-form-urlencoded"})
    public Response processLogin(@QueryParam("code") String str, MultivaluedMap<String, String> multivaluedMap) {
        this.event.event(EventType.LOGIN);
        if (!checkSsl()) {
            this.event.error(Errors.SSL_REQUIRED);
            return Flows.forwardToSecurityFailurePage(this.session, this.realm, this.uriInfo, "HTTPS required");
        }
        if (!this.realm.isEnabled()) {
            this.event.error(Errors.REALM_DISABLED);
            return Flows.forwardToSecurityFailurePage(this.session, this.realm, this.uriInfo, "Realm not enabled.");
        }
        ClientSessionCode parse = ClientSessionCode.parse(str, this.session, this.realm);
        if (parse == null) {
            this.event.error(Errors.INVALID_CODE);
            return Flows.forwardToSecurityFailurePage(this.session, this.realm, this.uriInfo, "Unknown code, please login again through your application.");
        }
        ClientSessionModel clientSession = parse.getClientSession();
        if (!parse.isValid(ClientSessionModel.Action.AUTHENTICATE) || clientSession.getUserSession() != null) {
            parse.setAction(ClientSessionModel.Action.AUTHENTICATE);
            this.event.client(clientSession.getClient()).error(Errors.INVALID_CODE);
            return Flows.forms(this.session, this.realm, clientSession.getClient(), this.uriInfo).setError(Messages.INVALID_USER).setClientSessionCode(parse.getCode()).createLogin();
        }
        String str2 = (String) multivaluedMap.getFirst("username");
        String str3 = (String) multivaluedMap.getFirst("rememberMe");
        boolean z = str3 != null && str3.equalsIgnoreCase("on");
        this.event.client(clientSession.getClient().getClientId()).detail("redirect_uri", clientSession.getRedirectUri()).detail("response_type", OAuth2Constants.CODE).detail(Details.AUTH_METHOD, "form").detail("username", str2);
        if (z) {
            this.event.detail(Details.REMEMBER_ME, SamlProtocol.ATTRIBUTE_TRUE_VALUE);
        }
        ClientModel client = clientSession.getClient();
        if (client == null) {
            this.event.error(Errors.CLIENT_NOT_FOUND);
            return Flows.forwardToSecurityFailurePage(this.session, this.realm, this.uriInfo, "Unknown login requester.");
        }
        if (!client.isEnabled()) {
            this.event.error(Errors.CLIENT_NOT_FOUND);
            return Flows.forwardToSecurityFailurePage(this.session, this.realm, this.uriInfo, "Login requester not enabled.");
        }
        if (multivaluedMap.containsKey("cancel")) {
            this.event.error(Errors.REJECTED_BY_USER);
            LoginProtocol loginProtocol = (LoginProtocol) this.session.getProvider(LoginProtocol.class, clientSession.getAuthMethod());
            loginProtocol.setRealm(this.realm).setUriInfo(this.uriInfo);
            return loginProtocol.cancelLogin(clientSession);
        }
        AuthenticationManager.AuthenticationStatus authenticateForm = this.authManager.authenticateForm(this.session, this.clientConnection, this.realm, multivaluedMap);
        if (z) {
            AuthenticationManager authenticationManager = this.authManager;
            AuthenticationManager.createRememberMeCookie(this.realm, str2, this.uriInfo, this.clientConnection);
        } else {
            AuthenticationManager authenticationManager2 = this.authManager;
            AuthenticationManager.expireRememberMeCookie(this.realm, this.uriInfo, this.clientConnection);
        }
        UserModel findUserByNameOrEmail = KeycloakModelUtils.findUserByNameOrEmail(this.session, this.realm, str2);
        if (findUserByNameOrEmail != null) {
            this.event.user(findUserByNameOrEmail);
        }
        switch (authenticateForm) {
            case SUCCESS:
            case ACTIONS_REQUIRED:
                UserSessionModel createUserSession = this.session.sessions().createUserSession(this.realm, findUserByNameOrEmail, str2, this.clientConnection.getRemoteAddr(), "form", z);
                TokenManager.attachClientSession(createUserSession, clientSession);
                this.event.session(createUserSession);
                AuthenticationManager authenticationManager3 = this.authManager;
                return AuthenticationManager.nextActionAfterAuthentication(this.session, createUserSession, clientSession, this.clientConnection, this.request, this.uriInfo, this.event);
            case ACCOUNT_TEMPORARILY_DISABLED:
                this.event.error(Errors.USER_TEMPORARILY_DISABLED);
                return Flows.forms(this.session, this.realm, client, this.uriInfo).setError(Messages.ACCOUNT_TEMPORARILY_DISABLED).setFormData(multivaluedMap).setClientSessionCode(parse.getCode()).createLogin();
            case ACCOUNT_DISABLED:
                this.event.error(Errors.USER_DISABLED);
                return Flows.forms(this.session, this.realm, client, this.uriInfo).setError(Messages.ACCOUNT_DISABLED).setClientSessionCode(parse.getCode()).setFormData(multivaluedMap).createLogin();
            case MISSING_TOTP:
                multivaluedMap.remove("password");
                multivaluedMap.add("password-token", new JWSBuilder().jsonContent(new PasswordToken(this.realm.getName(), findUserByNameOrEmail.getId())).rsa256(this.realm.getPrivateKey()));
                return Flows.forms(this.session, this.realm, client, this.uriInfo).setFormData(multivaluedMap).setClientSessionCode(parse.getCode()).createLoginTotp();
            case INVALID_USER:
                this.event.error(Errors.USER_NOT_FOUND);
                return Flows.forms(this.session, this.realm, client, this.uriInfo).setError(Messages.INVALID_USER).setFormData(multivaluedMap).setClientSessionCode(parse.getCode()).createLogin();
            default:
                this.event.error(Errors.INVALID_USER_CREDENTIALS);
                return Flows.forms(this.session, this.realm, client, this.uriInfo).setError(Messages.INVALID_USER).setFormData(multivaluedMap).setClientSessionCode(parse.getCode()).createLogin();
        }
    }

    @POST
    @Path("request/registration")
    @Consumes({"application/x-www-form-urlencoded"})
    public Response processRegister(@QueryParam("code") String str, MultivaluedMap<String, String> multivaluedMap) {
        boolean z;
        this.event.event(EventType.REGISTER);
        if (!checkSsl()) {
            this.event.error(Errors.SSL_REQUIRED);
            return Flows.forwardToSecurityFailurePage(this.session, this.realm, this.uriInfo, "HTTPS required");
        }
        if (!this.realm.isEnabled()) {
            this.event.error(Errors.REALM_DISABLED);
            return Flows.forwardToSecurityFailurePage(this.session, this.realm, this.uriInfo, "Realm not enabled.");
        }
        if (!this.realm.isRegistrationAllowed()) {
            this.event.error(Errors.REGISTRATION_DISABLED);
            return Flows.forwardToSecurityFailurePage(this.session, this.realm, this.uriInfo, "Registration not allowed");
        }
        ClientSessionCode parse = ClientSessionCode.parse(str, this.session, this.realm);
        if (parse == null) {
            this.event.error(Errors.INVALID_CODE);
            return Flows.forwardToSecurityFailurePage(this.session, this.realm, this.uriInfo, "Unknown code, please login again through your application.");
        }
        if (!parse.isValid(ClientSessionModel.Action.AUTHENTICATE)) {
            this.event.error(Errors.INVALID_CODE);
            return Flows.forwardToSecurityFailurePage(this.session, this.realm, this.uriInfo, "Invalid code, please login again through your application.");
        }
        String str2 = (String) multivaluedMap.getFirst("username");
        String str3 = (String) multivaluedMap.getFirst("email");
        ClientSessionModel clientSession = parse.getClientSession();
        this.event.client(clientSession.getClient()).detail("redirect_uri", clientSession.getRedirectUri()).detail("response_type", OAuth2Constants.CODE).detail("username", str2).detail("email", str3).detail(Details.REGISTER_METHOD, "form");
        if (!this.realm.isEnabled()) {
            this.event.error(Errors.REALM_DISABLED);
            return Flows.forwardToSecurityFailurePage(this.session, this.realm, this.uriInfo, "Realm not enabled");
        }
        ClientModel client = clientSession.getClient();
        if (client == null) {
            this.event.error(Errors.CLIENT_NOT_FOUND);
            return Flows.forwardToSecurityFailurePage(this.session, this.realm, this.uriInfo, "Unknown login requester.");
        }
        if (!client.isEnabled()) {
            this.event.error(Errors.CLIENT_DISABLED);
            return Flows.forwardToSecurityFailurePage(this.session, this.realm, this.uriInfo, "Login requester not enabled.");
        }
        LinkedList linkedList = new LinkedList();
        Iterator<RequiredCredentialModel> it = this.realm.getRequiredCredentials().iterator();
        while (it.hasNext()) {
            linkedList.add(it.next().getType());
        }
        String validateRegistrationForm = Validation.validateRegistrationForm(multivaluedMap, linkedList);
        if (validateRegistrationForm == null) {
            validateRegistrationForm = Validation.validatePassword(multivaluedMap, this.realm.getPasswordPolicy());
        }
        if (validateRegistrationForm != null) {
            this.event.error(Errors.INVALID_REGISTRATION);
            return Flows.forms(this.session, this.realm, client, this.uriInfo).setError(validateRegistrationForm).setFormData(multivaluedMap).setClientSessionCode(parse.getCode()).createRegistration();
        }
        if (this.session.users().getUserByUsername(str2, this.realm) != null) {
            this.event.error(Errors.USERNAME_IN_USE);
            return Flows.forms(this.session, this.realm, client, this.uriInfo).setError(Messages.USERNAME_EXISTS).setFormData(multivaluedMap).setClientSessionCode(parse.getCode()).createRegistration();
        }
        if (this.session.users().getUserByEmail(str3, this.realm) != null) {
            this.event.error(Errors.EMAIL_IN_USE);
            return Flows.forms(this.session, this.realm, client, this.uriInfo).setError(Messages.EMAIL_EXISTS).setFormData(multivaluedMap).setClientSessionCode(parse.getCode()).createRegistration();
        }
        UserModel addUser = this.session.users().addUser(this.realm, str2);
        addUser.setEnabled(true);
        addUser.setFirstName((String) multivaluedMap.getFirst("firstName"));
        addUser.setLastName((String) multivaluedMap.getFirst("lastName"));
        addUser.setEmail(str3);
        if (linkedList.contains("password")) {
            UserCredentialModel userCredentialModel = new UserCredentialModel();
            userCredentialModel.setType("password");
            userCredentialModel.setValue((String) multivaluedMap.getFirst("password"));
            String str4 = null;
            try {
                this.session.users().updateCredential(this.realm, addUser, UserCredentialModel.password((String) multivaluedMap.getFirst("password")));
                z = true;
            } catch (Exception e) {
                z = false;
                str4 = e.getMessage();
            }
            if (!z) {
                addUser.addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
                return Flows.forms(this.session, this.realm, client, this.uriInfo).setError(str4).setClientSessionCode(parse.getCode()).createResponse(UserModel.RequiredAction.UPDATE_PASSWORD);
            }
        }
        this.event.user(addUser).success();
        this.event.reset();
        return processLogin(str, multivaluedMap);
    }

    @POST
    @Path("consent")
    @Consumes({"application/x-www-form-urlencoded"})
    public Response processConsent(MultivaluedMap<String, String> multivaluedMap) {
        this.event.event(EventType.LOGIN).detail("response_type", OAuth2Constants.CODE);
        if (!checkSsl()) {
            return Flows.forwardToSecurityFailurePage(this.session, this.realm, this.uriInfo, "HTTPS required");
        }
        ClientSessionCode parse = ClientSessionCode.parse((String) multivaluedMap.getFirst(OAuth2Constants.CODE), this.session, this.realm);
        if (parse == null || !parse.isValid(ClientSessionModel.Action.OAUTH_GRANT)) {
            this.event.error(Errors.INVALID_CODE);
            return Flows.forwardToSecurityFailurePage(this.session, this.realm, this.uriInfo, "Invalid access code.");
        }
        ClientSessionModel clientSession = parse.getClientSession();
        this.event.detail(Details.CODE_ID, clientSession.getId());
        this.event.client(clientSession.getClient()).user(clientSession.getUserSession().getUser()).detail("response_type", OAuth2Constants.CODE).detail("redirect_uri", clientSession.getRedirectUri());
        UserSessionModel userSession = clientSession.getUserSession();
        if (userSession != null) {
            this.event.detail(Details.AUTH_METHOD, userSession.getAuthMethod());
            this.event.detail("username", userSession.getLoginUsername());
            if (userSession.isRememberMe()) {
                this.event.detail(Details.REMEMBER_ME, SamlProtocol.ATTRIBUTE_TRUE_VALUE);
            }
        }
        if (!AuthenticationManager.isSessionValid(this.realm, userSession)) {
            AuthenticationManager.logout(this.session, this.realm, userSession, this.uriInfo, this.clientConnection);
            this.event.error(Errors.INVALID_CODE);
            return Flows.forwardToSecurityFailurePage(this.session, this.realm, this.uriInfo, "Session not active");
        }
        this.event.session(userSession);
        LoginProtocol loginProtocol = (LoginProtocol) this.session.getProvider(LoginProtocol.class, clientSession.getAuthMethod());
        loginProtocol.setRealm(this.realm).setUriInfo(this.uriInfo);
        if (multivaluedMap.containsKey("cancel")) {
            this.event.error(Errors.REJECTED_BY_USER);
            return loginProtocol.consentDenied(clientSession);
        }
        this.event.success();
        AuthenticationManager authenticationManager = this.authManager;
        return AuthenticationManager.redirectAfterSuccessfulFlow(this.session, this.realm, userSession, clientSession, this.request, this.uriInfo, this.clientConnection);
    }

    @POST
    @Path("profile")
    @Consumes({"application/x-www-form-urlencoded"})
    public Response updateProfile(@QueryParam("code") String str, MultivaluedMap<String, String> multivaluedMap) {
        this.event.event(EventType.UPDATE_PROFILE);
        Checks checks = new Checks();
        if (!checks.check(str, ClientSessionModel.Action.UPDATE_PROFILE)) {
            return checks.response;
        }
        ClientSessionCode clientSessionCode = checks.clientCode;
        ClientSessionModel clientSession = clientSessionCode.getClientSession();
        UserSessionModel userSession = clientSession.getUserSession();
        UserModel user = userSession.getUser();
        initEvent(clientSession);
        String validateUpdateProfileForm = Validation.validateUpdateProfileForm(multivaluedMap);
        if (validateUpdateProfileForm != null) {
            return Flows.forms(this.session, this.realm, null, this.uriInfo).setUser(user).setError(validateUpdateProfileForm).setClientSessionCode(clientSessionCode.getCode()).createResponse(UserModel.RequiredAction.UPDATE_PROFILE);
        }
        user.setFirstName((String) multivaluedMap.getFirst("firstName"));
        user.setLastName((String) multivaluedMap.getFirst("lastName"));
        String str2 = (String) multivaluedMap.getFirst("email");
        String email = user.getEmail();
        boolean z = email != null ? !email.equals(str2) : str2 != null;
        if (z) {
            UserModel userByEmail = this.session.users().getUserByEmail(str2, this.realm);
            if (userByEmail != null && !userByEmail.getId().equals(user.getId())) {
                return Flows.forms(this.session, this.realm, null, this.uriInfo).setUser(user).setError(Messages.EMAIL_EXISTS).setClientSessionCode(clientSessionCode.getCode()).createResponse(UserModel.RequiredAction.UPDATE_PROFILE);
            }
            user.setEmail(str2);
            user.setEmailVerified(false);
        }
        user.removeRequiredAction(UserModel.RequiredAction.UPDATE_PROFILE);
        this.event.m806clone().event(EventType.UPDATE_PROFILE).success();
        if (z) {
            this.event.m806clone().event(EventType.UPDATE_EMAIL).detail(Details.PREVIOUS_EMAIL, email).detail(Details.UPDATED_EMAIL, str2).success();
        }
        return redirectOauth(user, clientSessionCode, clientSession, userSession);
    }

    @POST
    @Path("totp")
    @Consumes({"application/x-www-form-urlencoded"})
    public Response updateTotp(@QueryParam("code") String str, MultivaluedMap<String, String> multivaluedMap) {
        this.event.event(EventType.UPDATE_TOTP);
        Checks checks = new Checks();
        if (!checks.check(str, ClientSessionModel.Action.CONFIGURE_TOTP)) {
            return checks.response;
        }
        ClientSessionCode clientSessionCode = checks.clientCode;
        ClientSessionModel clientSession = clientSessionCode.getClientSession();
        UserSessionModel userSession = clientSession.getUserSession();
        UserModel user = userSession.getUser();
        initEvent(clientSession);
        String str2 = (String) multivaluedMap.getFirst("totp");
        String str3 = (String) multivaluedMap.getFirst("totpSecret");
        LoginFormsProvider user2 = Flows.forms(this.session, this.realm, null, this.uriInfo).setUser(user);
        if (Validation.isEmpty(str2)) {
            return user2.setError(Messages.MISSING_TOTP).setClientSessionCode(clientSessionCode.getCode()).createResponse(UserModel.RequiredAction.CONFIGURE_TOTP);
        }
        if (!new TimeBasedOTP().validate(str2, str3.getBytes())) {
            return user2.setError(Messages.INVALID_TOTP).setClientSessionCode(clientSessionCode.getCode()).createResponse(UserModel.RequiredAction.CONFIGURE_TOTP);
        }
        UserCredentialModel userCredentialModel = new UserCredentialModel();
        userCredentialModel.setType("totp");
        userCredentialModel.setValue(str3);
        this.session.users().updateCredential(this.realm, user, userCredentialModel);
        user.setTotp(true);
        user.removeRequiredAction(UserModel.RequiredAction.CONFIGURE_TOTP);
        this.event.m806clone().event(EventType.UPDATE_TOTP).success();
        return redirectOauth(user, clientSessionCode, clientSession, userSession);
    }

    @POST
    @Path("password")
    @Consumes({"application/x-www-form-urlencoded"})
    public Response updatePassword(@QueryParam("code") String str, MultivaluedMap<String, String> multivaluedMap) {
        this.event.event(EventType.UPDATE_PASSWORD);
        Checks checks = new Checks();
        if (!checks.check(str, ClientSessionModel.Action.UPDATE_PASSWORD)) {
            return checks.response;
        }
        ClientSessionCode clientSessionCode = checks.clientCode;
        ClientSessionModel clientSession = clientSessionCode.getClientSession();
        UserSessionModel userSession = clientSession.getUserSession();
        UserModel user = userSession.getUser();
        initEvent(clientSession);
        String str2 = (String) multivaluedMap.getFirst("password-new");
        String str3 = (String) multivaluedMap.getFirst("password-confirm");
        LoginFormsProvider user2 = Flows.forms(this.session, this.realm, null, this.uriInfo).setUser(user);
        if (Validation.isEmpty(str2)) {
            return user2.setError(Messages.MISSING_PASSWORD).setClientSessionCode(clientSessionCode.getCode()).createResponse(UserModel.RequiredAction.UPDATE_PASSWORD);
        }
        if (!str2.equals(str3)) {
            return user2.setError(Messages.NOTMATCH_PASSWORD).setClientSessionCode(clientSessionCode.getCode()).createResponse(UserModel.RequiredAction.UPDATE_PASSWORD);
        }
        try {
            this.session.users().updateCredential(this.realm, user, UserCredentialModel.password(str2));
            user.removeRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
            this.event.m806clone().event(EventType.UPDATE_PASSWORD).success();
            return redirectOauth(user, clientSessionCode, clientSession, userSession);
        } catch (Exception e) {
            return user2.setError(e.getMessage()).setClientSessionCode(clientSessionCode.getCode()).createResponse(UserModel.RequiredAction.UPDATE_PASSWORD);
        }
    }

    @GET
    @Path("email-verification")
    public Response emailVerification(@QueryParam("code") String str, @QueryParam("key") String str2) {
        this.event.event(EventType.VERIFY_EMAIL);
        if (str2 == null) {
            Checks checks = new Checks();
            if (!checks.check(str, ClientSessionModel.Action.VERIFY_EMAIL)) {
                return checks.response;
            }
            ClientSessionCode clientSessionCode = checks.clientCode;
            ClientSessionModel clientSession = clientSessionCode.getClientSession();
            UserSessionModel userSession = clientSession.getUserSession();
            initEvent(clientSession);
            return Flows.forms(this.session, this.realm, null, this.uriInfo).setClientSessionCode(clientSessionCode.getCode()).setUser(userSession.getUser()).createResponse(UserModel.RequiredAction.VERIFY_EMAIL);
        }
        Checks checks2 = new Checks();
        if (!checks2.check(str2, ClientSessionModel.Action.VERIFY_EMAIL)) {
            return checks2.response;
        }
        ClientSessionCode clientSessionCode2 = checks2.clientCode;
        ClientSessionModel clientSession2 = clientSessionCode2.getClientSession();
        UserSessionModel userSession2 = clientSession2.getUserSession();
        UserModel user = userSession2.getUser();
        initEvent(clientSession2);
        user.setEmailVerified(true);
        user.removeRequiredAction(UserModel.RequiredAction.VERIFY_EMAIL);
        this.event.m806clone().event(EventType.VERIFY_EMAIL).detail("email", user.getEmail()).success();
        return redirectOauth(user, clientSessionCode2, clientSession2, userSession2);
    }

    @GET
    @Path("password-reset")
    public Response passwordReset(@QueryParam("code") String str, @QueryParam("key") String str2) {
        this.event.event(EventType.RESET_PASSWORD);
        if (str2 == null) {
            return Flows.forms(this.session, this.realm, null, this.uriInfo).setClientSessionCode(str).createPasswordReset();
        }
        Checks checks = new Checks();
        if (!checks.check(str2, ClientSessionModel.Action.RECOVER_PASSWORD)) {
            return checks.response;
        }
        ClientSessionCode clientSessionCode = checks.clientCode;
        clientSessionCode.setRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
        return Flows.forms(this.session, this.realm, null, this.uriInfo).setClientSessionCode(clientSessionCode.getCode()).createResponse(UserModel.RequiredAction.UPDATE_PASSWORD);
    }

    @POST
    @Path("password-reset")
    @Consumes({"application/x-www-form-urlencoded"})
    public Response sendPasswordReset(@QueryParam("code") String str, MultivaluedMap<String, String> multivaluedMap) {
        this.event.event(EventType.SEND_RESET_PASSWORD);
        if (!checkSsl()) {
            return Flows.forwardToSecurityFailurePage(this.session, this.realm, this.uriInfo, "HTTPS required");
        }
        if (!this.realm.isEnabled()) {
            this.event.error(Errors.REALM_DISABLED);
            return Flows.forwardToSecurityFailurePage(this.session, this.realm, this.uriInfo, "Realm not enabled.");
        }
        ClientSessionCode parse = ClientSessionCode.parse(str, this.session, this.realm);
        if (parse == null) {
            this.event.error(Errors.INVALID_CODE);
            return Flows.forwardToSecurityFailurePage(this.session, this.realm, this.uriInfo, "Unknown code, please login again through your application.");
        }
        ClientSessionModel clientSession = parse.getClientSession();
        String str2 = (String) multivaluedMap.getFirst("username");
        ClientModel client = clientSession.getClient();
        if (client == null) {
            return Flows.forwardToSecurityFailurePage(this.session, this.realm, this.uriInfo, "Unknown login requester.");
        }
        if (!client.isEnabled()) {
            return Flows.forwardToSecurityFailurePage(this.session, this.realm, this.uriInfo, "Login requester not enabled.");
        }
        this.event.client(client.getClientId()).detail("redirect_uri", clientSession.getRedirectUri()).detail("response_type", OAuth2Constants.CODE).detail(Details.AUTH_METHOD, "form").detail("username", str2);
        UserModel userByUsername = this.session.users().getUserByUsername(str2, this.realm);
        if (userByUsername == null && str2.contains("@")) {
            userByUsername = this.session.users().getUserByEmail(str2, this.realm);
        }
        if (userByUsername == null) {
            this.event.error(Errors.USER_NOT_FOUND);
        } else if (!userByUsername.isEnabled()) {
            this.event.user(userByUsername).error(Errors.USER_DISABLED);
        } else if (userByUsername.getEmail() == null || userByUsername.getEmail().trim().length() == 0) {
            this.event.user(userByUsername).error(Errors.INVALID_EMAIL);
        } else {
            this.event.user(userByUsername);
            UserSessionModel createUserSession = this.session.sessions().createUserSession(this.realm, userByUsername, str2, this.clientConnection.getRemoteAddr(), "form", false);
            this.event.session(createUserSession);
            TokenManager.attachClientSession(createUserSession, clientSession);
            parse.setAction(ClientSessionModel.Action.RECOVER_PASSWORD);
            try {
                UriBuilder loginPasswordResetBuilder = Urls.loginPasswordResetBuilder(this.uriInfo.getBaseUri());
                loginPasswordResetBuilder.queryParam("key", new Object[]{parse.getCode()});
                ((EmailProvider) this.session.getProvider(EmailProvider.class)).setRealm(this.realm).setUser(userByUsername).sendPasswordReset(loginPasswordResetBuilder.build(new Object[]{this.realm.getName()}).toString(), TimeUnit.SECONDS.toMinutes(this.realm.getAccessCodeLifespanUserAction()));
                this.event.detail("email", userByUsername.getEmail()).detail(Details.CODE_ID, clientSession.getId()).success();
            } catch (EmailException e) {
                this.event.error(Errors.EMAIL_SEND_FAILED);
                logger.error("Failed to send password reset email", e);
                return Flows.forms(this.session, this.realm, client, this.uriInfo).setError("emailSendError").setClientSessionCode(parse.getCode()).createErrorPage();
            }
        }
        return Flows.forms(this.session, this.realm, client, this.uriInfo).setSuccess("emailSent").setClientSessionCode(parse.getCode()).createPasswordReset();
    }

    private Response redirectOauth(UserModel userModel, ClientSessionCode clientSessionCode, ClientSessionModel clientSessionModel, UserSessionModel userSessionModel) {
        return AuthenticationManager.nextActionAfterAuthentication(this.session, userSessionModel, clientSessionModel, this.clientConnection, this.request, this.uriInfo, this.event);
    }

    private void initEvent(ClientSessionModel clientSessionModel) {
        this.event.event(EventType.LOGIN).client(clientSessionModel.getClient()).user(clientSessionModel.getUserSession().getUser()).session(clientSessionModel.getUserSession().getId()).detail(Details.CODE_ID, clientSessionModel.getId()).detail("redirect_uri", clientSessionModel.getRedirectUri()).detail("response_type", OAuth2Constants.CODE);
        UserSessionModel userSession = clientSessionModel.getUserSession();
        if (userSession != null) {
            this.event.detail(Details.AUTH_METHOD, userSession.getAuthMethod());
            this.event.detail("username", userSession.getLoginUsername());
            if (userSession.isRememberMe()) {
                this.event.detail(Details.REMEMBER_ME, SamlProtocol.ATTRIBUTE_TRUE_VALUE);
            }
        }
    }
}
