package org.keycloak.protocol.oidc;

import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import org.jboss.logging.Logger;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.ClientConnection;
import org.keycloak.events.EventBuilder;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.UserSessionProvider;
import org.keycloak.protocol.oidc.utils.AuthorizeClientUtil;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.Urls;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.ClientManager;
import org.keycloak.services.managers.RealmManager;
import org.keycloak.services.resources.Cors;

/* loaded from: input_file:org/keycloak/protocol/oidc/ServiceAccountManager.class */
public class ServiceAccountManager {
    protected static final Logger logger = Logger.getLogger(ServiceAccountManager.class);
    private TokenManager tokenManager;
    private AuthenticationManager authManager;
    private EventBuilder event;
    private HttpRequest request;
    private MultivaluedMap<String, String> formParams;
    private KeycloakSession session;
    private RealmModel realm;
    private HttpHeaders headers;
    private UriInfo uriInfo;
    private ClientConnection clientConnection;
    private ClientModel client;
    private UserModel clientUser;

    public ServiceAccountManager(TokenManager tokenManager, AuthenticationManager authenticationManager, EventBuilder eventBuilder, HttpRequest httpRequest, MultivaluedMap<String, String> multivaluedMap, KeycloakSession keycloakSession) {
        this.tokenManager = tokenManager;
        this.authManager = authenticationManager;
        this.event = eventBuilder;
        this.request = httpRequest;
        this.formParams = multivaluedMap;
        this.session = keycloakSession;
        this.realm = keycloakSession.getContext().getRealm();
        this.headers = keycloakSession.getContext().getRequestHeaders();
        this.uriInfo = keycloakSession.getContext().getUri();
        this.clientConnection = keycloakSession.getContext().getConnection();
    }

    public Response buildClientCredentialsGrant() {
        authenticateClient();
        checkClient();
        return finishClientAuthorization();
    }

    protected void authenticateClient() {
        this.client = AuthorizeClientUtil.authorizeClient((String) this.headers.getRequestHeaders().getFirst(Cors.AUTHORIZATION_HEADER), this.formParams, this.event, this.realm);
        this.event.detail("client_auth_method", "client_credentials");
    }

    protected void checkClient() {
        if (this.client.isBearerOnly()) {
            this.event.error("invalid_client");
            throw new ErrorResponseException("unauthorized_client", "Bearer-only client not allowed to retrieve service account", Response.Status.UNAUTHORIZED);
        }
        if (this.client.isPublicClient()) {
            this.event.error("invalid_client");
            throw new ErrorResponseException("unauthorized_client", "Public client not allowed to retrieve service account", Response.Status.UNAUTHORIZED);
        }
        if (this.client.isServiceAccountsEnabled()) {
            return;
        }
        this.event.error("invalid_client");
        throw new ErrorResponseException("unauthorized_client", "Client not enabled to retrieve service account", Response.Status.UNAUTHORIZED);
    }

    protected Response finishClientAuthorization() {
        this.event.detail(OIDCLoginProtocol.RESPONSE_TYPE_PARAM, "client_auth");
        this.clientUser = this.session.users().getUserByServiceAccountClient(this.client);
        if (this.clientUser == null || this.client.getProtocolMapperByName(OIDCLoginProtocol.LOGIN_PROTOCOL, "Client ID") == null) {
            logger.infof("Service account user for client '%s' not found or default protocol mapper for service account not found. Creating now", this.client.getClientId());
            new ClientManager(new RealmManager(this.session)).enableServiceAccount(this.client);
            this.clientUser = this.session.users().getUserByServiceAccountClient(this.client);
        }
        String username = this.clientUser.getUsername();
        this.event.detail("username", username);
        this.event.user(this.clientUser);
        if (!this.clientUser.isEnabled()) {
            this.event.error("user_disabled");
            throw new ErrorResponseException("invalid_request", "User '" + username + "' disabled", Response.Status.UNAUTHORIZED);
        }
        String str = (String) this.formParams.getFirst(OIDCLoginProtocol.SCOPE_PARAM);
        UserSessionProvider sessions = this.session.sessions();
        ClientSessionModel createClientSession = sessions.createClientSession(this.realm, this.client);
        createClientSession.setAuthMethod(OIDCLoginProtocol.LOGIN_PROTOCOL);
        createClientSession.setNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(this.uriInfo.getBaseUri(), this.realm.getName()));
        UserSessionModel createUserSession = sessions.createUserSession(this.realm, this.clientUser, username, this.clientConnection.getRemoteAddr(), "client_auth", false, (String) null, (String) null);
        this.event.session(createUserSession);
        TokenManager.attachClientSession(createUserSession, createClientSession);
        createUserSession.setNote("clientId", this.client.getClientId());
        createUserSession.setNote("clientHost", this.clientConnection.getRemoteHost());
        createUserSession.setNote("clientAddress", this.clientConnection.getRemoteAddr());
        AccessTokenResponse build = this.tokenManager.responseBuilder(this.realm, this.client, this.event, this.session, createUserSession, createClientSession).generateAccessToken(this.session, str, this.client, this.clientUser, createUserSession, createClientSession).generateRefreshToken().generateIDToken().build();
        this.event.success();
        return Cors.add(this.request, Response.ok(build, MediaType.APPLICATION_JSON_TYPE)).auth().allowedOrigins(this.client).allowedMethods("POST").exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build();
    }
}
