package org.keycloak.services.resources;

import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Set;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.NewCookie;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import org.jboss.logging.Logger;
import org.jboss.resteasy.spi.BadRequestException;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.AbstractOAuthClient;
import org.keycloak.common.ClientConnection;
import org.keycloak.common.util.KeycloakUriBuilder;
import org.keycloak.common.util.UriUtils;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
import org.keycloak.services.ForbiddenException;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.Auth;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.util.CookieHelper;
import org.keycloak.util.TokenUtil;

/* loaded from: input_file:org/keycloak/services/resources/AbstractSecuredLocalService.class */
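/**
 * Base class for JAX-RS resources that are protected by the browser identity cookie
 * (see {@link #authenticateBrowser()}) and by a CSRF "state checker" that is issued as a
 * cookie and must be echoed back in the {@code stateChecker} request parameter
 * (see {@link #updateCsrfChecks()} and the {@code csrfCheck} overloads).
 *
 * <p>Subclasses supply the set of paths a post-login redirect may land on
 * ({@link #getValidPaths()}) and the base URI those redirects are built from
 * ({@link #getBaseRedirectUri()}).
 *
 * <p>Not thread-safe: a request-scoped instance is expected, since {@link #auth} and
 * {@link #stateChecker} are populated per request.
 */
public abstract class AbstractSecuredLocalService {
    private static final Logger logger = Logger.getLogger(AbstractSecuredLocalService.class);

    /** Name of the cookie carrying the CSRF state checker; its value must be echoed in the {@code stateChecker} request parameter. */
    private static final String KEYCLOAK_STATE_CHECKER = "KEYCLOAK_STATE_CHECKER";

    protected final ClientModel client;
    protected RealmModel realm;

    @Context
    protected UriInfo uriInfo;

    @Context
    protected HttpHeaders headers;

    @Context
    protected ClientConnection clientConnection;

    /** CSRF token for the current request; set by {@link #updateCsrfChecks()}, {@code null} before that. */
    protected String stateChecker;

    @Context
    protected KeycloakSession session;

    @Context
    protected HttpRequest request;

    /** Result of the identity-cookie authentication; set by {@link #authenticateBrowser()}, {@code null} before that. */
    protected Auth auth;

    /**
     * Minimal OAuth client used only to build the authorization-code redirect and to issue the
     * accompanying state cookie. Originally package-private (decompiler widened it to public).
     */
    public static class OAuthRedirect extends AbstractOAuthClient {
        OAuthRedirect() {
        }

        public void stop() {
        }

        /**
         * Builds a 302 response to the configured authorization endpoint and sets the state cookie.
         *
         * @param uriInfo used to derive the cookie path when none was configured explicitly
         * @param str     the {@code redirect_uri} the authorization server should send the browser back to
         * @return a 302 response whose Location is the authorization request and which carries the
         *         HttpOnly state cookie (Secure when {@code isSecure} is set)
         */
        public Response redirect(UriInfo uriInfo, String str) {
            String state = getStateCode();
            URI authorizationRequest = UriBuilder.fromUri(this.authUrl)
                    .queryParam("client_id", this.clientId)
                    .queryParam("redirect_uri", str)
                    .queryParam("state", state)
                    .queryParam("response_type", "code")
                    .queryParam("scope", TokenUtil.attachOIDCScope(this.scope))
                    .build();
            // HttpOnly always; Secure only when the request itself is considered secure.
            NewCookie stateCookie = new NewCookie(getStateCookieName(), state, getStateCookiePath(uriInfo),
                    null, null, -1, this.isSecure, true);
            if (AbstractSecuredLocalService.logger.isDebugEnabled()) {
                // The state value is the CSRF secret for this login round-trip, so log the cookie's
                // name/path and the endpoint (without its query string) rather than the full values.
                AbstractSecuredLocalService.logger.debug("State cookie " + stateCookie.getName()
                        + " set for path " + stateCookie.getPath());
                AbstractSecuredLocalService.logger.debug("OAuth redirect to authorization endpoint: " + this.authUrl);
            }
            return Response.status(302).location(authorizationRequest).cookie(stateCookie).build();
        }

        /** Explicit cookie path if configured, otherwise the raw base path of the current request. */
        private String getStateCookiePath(UriInfo uriInfo) {
            if (this.stateCookiePath != null) {
                return this.stateCookiePath;
            }
            return uriInfo.getBaseUri().getRawPath();
        }
    }

    /**
     * @param realmModel  realm the resource belongs to
     * @param clientModel client (e.g. the account application) the resource acts on behalf of
     */
    public AbstractSecuredLocalService(RealmModel realmModel, ClientModel clientModel) {
        this.realm = realmModel;
        this.client = clientModel;
    }

    /**
     * Landing endpoint of the authorization-code round trip started by {@link #login(String)}.
     * It validates the request and bounces the browser back to the base redirect URI plus an
     * allow-listed sub-path; the authorization code itself is not exchanged here.
     *
     * <p>NOTE(review): only the presence of {@code state} is checked; the value is not compared
     * with the state cookie issued by {@link OAuthRedirect#redirect}. Confirm whether another
     * layer performs that comparison before relying on it.
     *
     * @param str         the {@code code} query parameter; required to be present but otherwise unused
     * @param str2        the {@code state} query parameter; required to be present
     * @param str3        the {@code error} query parameter; any value aborts with 403
     * @param str4        optional {@code path}; must be one of {@link #getValidPaths()} when given
     * @param str5        optional {@code referrer}; forwarded verbatim as a query parameter of the
     *                    redirect (it never changes the redirect target, which is always derived
     *                    from {@link #getBaseRedirectUri()})
     * @param httpHeaders injected request headers (currently unused)
     * @return a 302 response to the base redirect URI, optionally extended with the path and referrer
     * @throws ForbiddenException  when the provider reported an error, or the realm or client is disabled
     * @throws BadRequestException when the path is not allow-listed, or code/state are missing
     */
    @GET
    @Path("login-redirect")
    public Response loginRedirect(@QueryParam("code") String str, @QueryParam("state") String str2,
            @QueryParam("error") String str3, @QueryParam("path") String str4,
            @QueryParam("referrer") String str5, @Context HttpHeaders httpHeaders) {
        if (str3 != null) {
            logger.debug("error from oauth");
            throw new ForbiddenException("error");
        }
        // The path becomes part of the Location we redirect to, so it must come from the allow-list.
        if (str4 != null && !getValidPaths().contains(str4)) {
            throw new BadRequestException("Invalid path");
        }
        if (!this.realm.isEnabled()) {
            logger.debug("realm not enabled");
            throw new ForbiddenException();
        }
        if (!this.client.isEnabled()) {
            logger.debug("account management app not enabled");
            throw new ForbiddenException();
        }
        if (str == null) {
            logger.debug("code not specified");
            throw new BadRequestException("code not specified");
        }
        if (str2 == null) {
            logger.debug("state not specified");
            throw new BadRequestException("state not specified");
        }
        KeycloakUriBuilder target = KeycloakUriBuilder.fromUri(getBaseRedirectUri());
        if (str4 != null) {
            target.path(str4);
        }
        if (str5 != null) {
            target.queryParam("referrer", str5);
        }
        return Response.status(302).location(target.build()).build();
    }

    /**
     * Loads the CSRF state checker from the request cookie, or mints a new secret and sets the
     * cookie when it is absent. Originally {@code protected} (decompiler widened it to public).
     * The cookie is HttpOnly and Secure whenever the realm's SSL policy requires it for this connection.
     */
    public void updateCsrfChecks() {
        Cookie existing = this.headers.getCookies().get(KEYCLOAK_STATE_CHECKER);
        if (existing != null) {
            this.stateChecker = existing.getValue();
            return;
        }
        this.stateChecker = KeycloakModelUtils.generateSecret();
        CookieHelper.addCookie(KEYCLOAK_STATE_CHECKER, this.stateChecker,
                AuthenticationManager.getRealmCookiePath(this.realm, this.uriInfo),
                null, null, -1, this.realm.getSslRequired().isRequired(this.clientConnection), true);
    }

    /** Sub-paths of {@link #getBaseRedirectUri()} that {@link #loginRedirect} may redirect to. */
    protected abstract Set<String> getValidPaths();

    /**
     * Compares two CSRF tokens without short-circuiting on the first differing byte, so the time
     * taken does not reveal how long a matching prefix was. {@code MessageDigest.isEqual} still
     * returns early when the lengths differ, which only reveals the token length.
     * A {@code null} on either side never matches.
     */
    private static boolean constantTimeEquals(String expected, String actual) {
        if (expected == null || actual == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                actual.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Rejects a cookie-authenticated request whose {@code stateChecker} form/query value does not
     * match the state checker cookie. Requests that are not cookie-authenticated are not checked.
     * Originally {@code protected} (decompiler widened it to public).
     *
     * @param multivaluedMap the request parameters; the first {@code stateChecker} value is used
     * @throws ForbiddenException when the token is missing or does not match (also when
     *                            {@link #updateCsrfChecks()} has not populated {@link #stateChecker})
     */
    public void csrfCheck(MultivaluedMap<String, String> multivaluedMap) {
        if (!this.auth.isCookieAuthenticated()) {
            return;
        }
        if (!constantTimeEquals(this.stateChecker, multivaluedMap.getFirst("stateChecker"))) {
            throw new ForbiddenException();
        }
    }

    /**
     * Same check as {@link #csrfCheck(MultivaluedMap)} for an already-extracted token, but only
     * enforced when the authentication also carries a user session. Originally {@code protected}.
     *
     * @param str the submitted state checker value (may be {@code null}, which never matches)
     * @throws ForbiddenException when the request is cookie-authenticated with a session and the token does not match
     */
    public void csrfCheck(String str) {
        if (this.auth.isCookieAuthenticated() && this.auth.getSession() != null
                && !constantTimeEquals(this.stateChecker, str)) {
            throw new ForbiddenException();
        }
    }

    /** Base URI that {@link #loginRedirect} and {@link #login(String)} build their redirects from. */
    protected abstract URI getBaseRedirectUri();

    /**
     * Starts the browser login: redirects to the realm's OIDC authorization endpoint with a
     * {@code redirect_uri} pointing back at {@link #loginRedirect}. The {@code referrer} and
     * {@code referrer_uri} query parameters of the current request are carried over so they survive
     * the round trip. Originally {@code protected} (decompiler widened it to public).
     *
     * @param str optional allow-listed sub-path to land on after login, passed as the {@code path} parameter
     * @return a 302 response to the authorization endpoint carrying the state cookie
     */
    public Response login(String str) {
        OAuthRedirect oauth = new OAuthRedirect();
        oauth.setAuthUrl(OIDCLoginProtocolService.authUrl(this.uriInfo).build(this.realm.getName()).toString());
        oauth.setClientId(this.client.getClientId());
        oauth.setSecure(this.realm.getSslRequired().isRequired(this.clientConnection));

        UriBuilder callback = UriBuilder.fromUri(getBaseRedirectUri()).path("login-redirect");
        if (str != null) {
            callback.queryParam("path", str);
        }
        MultivaluedMap<String, String> query = this.uriInfo.getQueryParameters();
        String referrer = query.getFirst("referrer");
        if (referrer != null) {
            callback.queryParam("referrer", referrer);
        }
        String referrerUri = query.getFirst("referrer_uri");
        if (referrerUri != null) {
            callback.queryParam("referrer_uri", referrerUri);
        }
        URI redirectUri = callback.build(this.realm.getName());
        // Scope the state cookie to the callback path so it is only sent back on the return trip.
        oauth.setStateCookiePath(redirectUri.getRawPath());
        return oauth.redirect(this.uriInfo, redirectUri.toString());
    }

    /**
     * Authenticates the browser via the identity cookie and, on success, applies the
     * cross-origin checks and loads the CSRF state checker.
     *
     * <p>Checks applied once the cookie is valid: an {@code Origin} header, if present, must equal
     * this deployment's origin; for non-GET requests a {@code Referer} header, if present, must have
     * the same origin as well.
     *
     * @return a redirect to the login flow when there is no valid identity cookie, otherwise
     *         {@code null} with {@link #auth} and {@link #stateChecker} populated
     * @throws ForbiddenException when the Origin or (on non-GET) Referer origin does not match
     */
    protected Response authenticateBrowser() {
        AuthenticationManager.AuthResult authResult = new AppAuthManager().authenticateIdentityCookie(this.session, this.realm);
        if (authResult == null) {
            return login(null);
        }
        this.auth = new Auth(this.realm, authResult.getToken(), authResult.getUser(), this.client, authResult.getSession(), true);

        String expectedOrigin = UriUtils.getOrigin(this.uriInfo.getBaseUri());
        String requestOrigin = this.headers.getRequestHeaders().getFirst(Cors.ORIGIN_HEADER);
        if (requestOrigin != null && !expectedOrigin.equals(requestOrigin)) {
            throw new ForbiddenException();
        }
        // A null or unexpected method is treated like a non-GET and gets the Referer check.
        if (!"GET".equals(this.request.getHttpMethod())) {
            String referer = this.headers.getRequestHeaders().getFirst("Referer");
            // NOTE(review): UriUtils.getOrigin's behaviour on a malformed Referer is not visible here —
            // confirm it fails closed rather than propagating an unexpected exception.
            if (referer != null && !expectedOrigin.equals(UriUtils.getOrigin(referer))) {
                throw new ForbiddenException();
            }
        }
        updateCsrfChecks();
        return null;
    }
}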
