package org.keycloak.services.managers;

import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.NewCookie;
import javax.ws.rs.core.UriInfo;
import org.jboss.resteasy.logging.Logger;
import org.jboss.resteasy.spi.HttpResponse;
import org.jboss.resteasy.spi.ResteasyProviderFactory;
import org.keycloak.RSATokenVerifier;
import org.keycloak.VerificationException;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.models.ClientModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RequiredCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.resources.RealmsResource;

/* loaded from: input_file:org/keycloak/services/managers/AuthenticationManager.class */
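/**
 * Issues, verifies and expires the realm SSO identity cookie and validates
 * form-based logins (password, password+TOTP, or a bare "secret" credential).
 *
 * <p>The identity cookie holds an RS256-signed {@link AccessToken} whose subject is
 * the user id and whose audience is the realm name. Verification re-checks the
 * signature with the realm public key and, when asked to, the token's liveness and
 * the realm / user {@code notBefore} revocation timestamps.
 */
public class AuthenticationManager {
    protected static Logger logger = Logger.getLogger(AuthenticationManager.class);
    public static final String FORM_USERNAME = "username";
    public static final String KEYCLOAK_IDENTITY_COOKIE = "KEYCLOAK_IDENTITY";
    public static final String KEYCLOAK_REMEMBER_ME = "KEYCLOAK_REMEMBER_ME";

    /** Outcome of {@link #authenticateForm}. */
    public enum AuthenticationStatus {
        SUCCESS,
        ACCOUNT_DISABLED,
        ACTIONS_REQUIRED,
        INVALID_USER,
        INVALID_CREDENTIALS,
        MISSING_PASSWORD,
        MISSING_TOTP,
        FAILED
    }

    /**
     * Builds the (not yet signed) token carried by the identity cookie.
     *
     * <p>The token gets a fresh random id, the current issue time, the user id as subject
     * and the realm name as audience. An {@code exp} claim is set only when the realm's
     * central login lifespan is positive; otherwise the token carries no expiration and is
     * bounded solely by the realm and user {@code notBefore} checks performed on
     * verification.
     *
     * @param realmModel realm the user is logging in to
     * @param userModel  authenticated user
     * @return unsigned identity token
     */
    public AccessToken createIdentityToken(RealmModel realmModel, UserModel userModel) {
        logger.info("createIdentityToken");
        AccessToken token = new AccessToken();
        token.id(KeycloakModelUtils.generateId());
        token.issuedNow();
        token.subject(userModel.getId());
        token.audience(realmModel.getName());
        int lifespan = realmModel.getCentralLoginLifespan();
        if (lifespan > 0) {
            // exp is in seconds since the epoch, like iat.
            token.expiration((System.currentTimeMillis() / 1000) + lifespan);
        }
        return token;
    }

    /**
     * Creates the realm-wide {@value #KEYCLOAK_IDENTITY_COOKIE} cookie for the user,
     * scoped to the realm base path and not bound to any client.
     *
     * @param realmModel realm the cookie is issued for
     * @param userModel  authenticated user
     * @param uriInfo    request URI, used to compute the realm base path
     * @param persistent when {@code true} the cookie gets the realm's central login
     *                   lifespan as max-age; otherwise it is a session cookie
     * @return cookie ready to be added to the response
     */
    public NewCookie createLoginCookie(RealmModel realmModel, UserModel userModel, UriInfo uriInfo, boolean persistent) {
        logger.info("createLoginCookie");
        return createLoginCookie(realmModel, userModel, null, KEYCLOAK_IDENTITY_COOKIE,
                getIdentityCookiePath(realmModel, uriInfo), persistent);
    }

    /**
     * Creates a signed identity cookie with an explicit name and path.
     *
     * <p>The cookie is marked {@code HttpOnly} unconditionally and {@code Secure} unless
     * the realm declares that SSL is not required.
     *
     * @param realmModel  realm whose private key signs the token
     * @param userModel   authenticated user
     * @param clientModel optional client recorded as the token's {@code issuedFor}; may be
     *                    {@code null}
     * @param cookieName  cookie name
     * @param cookiePath  cookie path
     * @param persistent  when {@code true} the max-age is the realm's central login lifespan,
     *                    otherwise {@code -1} (session cookie)
     * @return the new cookie
     */
    public NewCookie createLoginCookie(RealmModel realmModel, UserModel userModel, ClientModel clientModel,
                                       String cookieName, String cookiePath, boolean persistent) {
        AccessToken identityToken = createIdentityToken(realmModel, userModel);
        if (clientModel != null) {
            identityToken.issuedFor(clientModel.getClientId());
        }
        String signedToken = encodeToken(realmModel, identityToken);
        boolean secure = !realmModel.isSslNotRequired();
        logger.debug("creatingLoginCookie - name: {0} path: {1}", cookieName, cookiePath);
        int maxAge = -1;
        if (persistent) {
            maxAge = realmModel.getCentralLoginLifespan();
            logger.info("createLoginCookie maxAge: " + maxAge);
        }
        // 8-arg ctor: name, value, path, domain, comment, maxAge, secure, httpOnly
        return new NewCookie(cookieName, signedToken, cookiePath, null, null, maxAge, secure, true);
    }

    /**
     * Creates the {@value #KEYCLOAK_REMEMBER_ME} marker cookie (value {@code "true"}) on the
     * realm base path, living for the realm's central login lifespan. Flags mirror the
     * identity cookie: {@code HttpOnly}, and {@code Secure} unless SSL is not required.
     *
     * @param realmModel realm the cookie is issued for
     * @param uriInfo    request URI, used to compute the realm base path
     * @return the new cookie
     */
    public NewCookie createRememberMeCookie(RealmModel realmModel, UriInfo uriInfo) {
        boolean secure = !realmModel.isSslNotRequired();
        return new NewCookie(KEYCLOAK_REMEMBER_ME, "true", getIdentityCookiePath(realmModel, uriInfo),
                null, null, realmModel.getCentralLoginLifespan(), secure, true);
    }

    /**
     * Serialises {@code payload} as JSON and signs it as an RS256 JWS with the realm's
     * private key.
     *
     * @param realmModel realm whose private key is used
     * @param payload    object to serialise
     * @return compact JWS string
     */
    protected String encodeToken(RealmModel realmModel, Object payload) {
        return new JWSBuilder().jsonContent(payload).rsa256(realmModel.getPrivateKey());
    }

    /** Expires the realm identity cookie on the current response. */
    public void expireIdentityCookie(RealmModel realmModel, UriInfo uriInfo) {
        logger.debug("Expiring identity cookie");
        expireCookie(KEYCLOAK_IDENTITY_COOKIE, getIdentityCookiePath(realmModel, uriInfo));
    }

    /** Expires the remember-me cookie on the current response. */
    public void expireRememberMeCookie(RealmModel realmModel, UriInfo uriInfo) {
        logger.debug("Expiring remember me cookie");
        expireCookie(KEYCLOAK_REMEMBER_ME, getIdentityCookiePath(realmModel, uriInfo));
    }

    /**
     * Path the identity and remember-me cookies are scoped to: the raw path of the realm
     * base URL for this request.
     */
    protected String getIdentityCookiePath(RealmModel realmModel, UriInfo uriInfo) {
        return RealmsResource.realmBaseUrl(uriInfo).build(realmModel.getName()).getRawPath();
    }

    /**
     * Adds a max-age-0 cookie with the given name and path to the current RESTEasy response,
     * which makes the browser drop the cookie. Does nothing (apart from a debug log) when no
     * {@link HttpResponse} is bound to the current request context.
     *
     * <p>Note: the expiry cookie carries neither the {@code Secure} nor the {@code HttpOnly}
     * flag (this 7-arg constructor has no httpOnly parameter). For a deletion this is
     * harmless, but mirroring the login cookie's flags would be tidier.
     *
     * @param cookieName name of the cookie to expire
     * @param cookiePath path the cookie was set with; must match for the browser to drop it
     */
    public void expireCookie(String cookieName, String cookiePath) {
        HttpResponse response = ResteasyProviderFactory.getContextData(HttpResponse.class);
        if (response == null) {
            logger.debug("can't expire identity cookie, no HttpResponse");
            return;
        }
        logger.debug("Expiring cookie: {0} path: {1}", cookieName, cookiePath);
        response.addNewCookie(new NewCookie(cookieName, "", cookiePath, null, "Expiring cookie", 0, false));
    }

    /**
     * Authenticates the request from the realm identity cookie, enforcing expiration and
     * {@code notBefore} checks.
     *
     * @return the cookie's user, or {@code null} when there is no valid cookie
     */
    public UserModel authenticateIdentityCookie(RealmModel realmModel, UriInfo uriInfo, HttpHeaders httpHeaders) {
        return authenticateIdentityCookie(realmModel, uriInfo, httpHeaders, true);
    }

    /**
     * Authenticates the request from the realm identity cookie.
     *
     * @param checkActive when {@code true}, also reject tokens that are no longer active or
     *                    were issued before the realm's {@code notBefore}; the same flag is
     *                    handed to {@link RSATokenVerifier#verifyToken}
     * @return the cookie's user, or {@code null} when there is no valid cookie
     */
    public UserModel authenticateIdentityCookie(RealmModel realmModel, UriInfo uriInfo, HttpHeaders httpHeaders, boolean checkActive) {
        logger.info("authenticateIdentityCookie");
        return authenticateIdentityCookie(realmModel, uriInfo, httpHeaders, KEYCLOAK_IDENTITY_COOKIE, checkActive);
    }

    /**
     * Authenticates the request from a named identity cookie.
     *
     * <p>Steps: read the cookie; verify the JWS signature with the realm public key and the
     * audience against the realm name; optionally check liveness and the realm
     * {@code notBefore}; load the subject user and require it to exist and be enabled;
     * finally require the token to have been issued at or after the user's {@code notBefore}.
     * Every rejection expires the offending cookie on the response and returns {@code null}.
     *
     * @param realmModel  realm whose public key verifies the token
     * @param uriInfo     request URI, used to compute the cookie path on expiry
     * @param httpHeaders request headers carrying the cookie
     * @param cookieName  cookie to read
     * @param checkActive see {@link #authenticateIdentityCookie(RealmModel, UriInfo, HttpHeaders, boolean)}
     * @return the cookie's user, or {@code null} when there is no valid cookie
     */
    protected UserModel authenticateIdentityCookie(RealmModel realmModel, UriInfo uriInfo, HttpHeaders httpHeaders,
                                                   String cookieName, boolean checkActive) {
        logger.info("authenticateIdentityCookie");
        Cookie cookie = httpHeaders.getCookies().get(cookieName);
        if (cookie == null) {
            logger.info("authenticateCookie could not find cookie: {0}", cookieName);
            return null;
        }
        try {
            AccessToken token = RSATokenVerifier.verifyToken(cookie.getValue(), realmModel.getPublicKey(),
                    realmModel.getName(), checkActive);
            logger.info("identity token verified");
            if (checkActive) {
                logger.info("Checking if identity token is active");
                // Logged before the decision so the diagnostics are present on rejection too.
                logger.info("token.isActive() : " + token.isActive());
                logger.info("token.issuedAt: " + token.getIssuedAt());
                logger.info("real.notbefore: " + realmModel.getNotBefore());
                // Realm-wide notBefore revokes every token issued before it (e.g. after a
                // "log out all sessions" / key rotation).
                if (!token.isActive() || token.getIssuedAt() < realmModel.getNotBefore()) {
                    logger.info("identity cookie expired");
                    expireIdentityCookie(realmModel, uriInfo);
                    return null;
                }
            }
            UserModel user = realmModel.getUserById(token.getSubject());
            if (user == null || !user.isEnabled()) {
                logger.info("Unknown or disabled user in identity cookie");
                expireIdentityCookie(realmModel, uriInfo);
                return null;
            }
            // Per-user notBefore revokes this user's earlier tokens only.
            if (token.getIssuedAt() < user.getNotBefore()) {
                logger.info("Stale cookie");
                expireIdentityCookie(realmModel, uriInfo);
                return null;
            }
            return user;
        } catch (VerificationException e) {
            logger.info("Failed to verify identity cookie", e);
            // Browsers do not echo the Path attribute in the Cookie request header, so
            // cookie.getPath() is normally null here, and an expiry with a null path does
            // not match the cookie that was set on the realm path - the unverifiable cookie
            // would survive. Fall back to the path login cookies are created with.
            String path = cookie.getPath();
            if (path == null) {
                path = getIdentityCookiePath(realmModel, uriInfo);
            }
            expireCookie(cookieName, path);
            return null;
        }
    }

    /**
     * Validates a login form submission against the realm's required credentials.
     *
     * <ul>
     *   <li>{@code userModel == null} -&gt; {@link AuthenticationStatus#INVALID_USER}</li>
     *   <li>disabled user -&gt; {@link AuthenticationStatus#ACCOUNT_DISABLED}</li>
     *   <li>realm requires "password": validates the {@code password} field, or
     *       {@code password} + {@code totp} via the realm when the user has TOTP configured</li>
     *   <li>realm requires only "secret": see the security note in the body</li>
     *   <li>neither required -&gt; {@link AuthenticationStatus#FAILED}</li>
     * </ul>
     * A successful credential check yields {@link AuthenticationStatus#ACTIONS_REQUIRED} when
     * the user has pending required actions, otherwise {@link AuthenticationStatus#SUCCESS}.
     *
     * @param realmModel realm whose required-credential types and validators are used
     * @param userModel  user resolved from the submitted username; may be {@code null}
     * @param formData   submitted form fields (untrusted input)
     * @return outcome of the attempt
     */
    public AuthenticationStatus authenticateForm(RealmModel realmModel, UserModel userModel,
                                                 MultivaluedMap<String, String> formData) {
        if (userModel == null) {
            logger.debug("Not Authenticated! Incorrect user name");
            return AuthenticationStatus.INVALID_USER;
        }
        if (!userModel.isEnabled()) {
            logger.debug("Account is disabled, contact admin. " + userModel.getLoginName());
            return AuthenticationStatus.ACCOUNT_DISABLED;
        }

        Set<String> requiredTypes = requiredCredentialTypes(realmModel);

        if (!requiredTypes.contains("password")) {
            if (!requiredTypes.contains("secret")) {
                logger.warn("Do not know how to authenticate user");
                return AuthenticationStatus.FAILED;
            }
            String secret = formData.getFirst("secret");
            if (secret == null) {
                logger.warn("Secret not provided");
                return AuthenticationStatus.MISSING_PASSWORD;
            }
            // SECURITY NOTE(review): the submitted "secret" is only checked for presence; it is
            // never compared against a stored credential, so any value (even "") authenticates
            // a realm whose sole required credential is "secret". Behaviour is kept as-is here
            // because RealmModel exposes no secret-validation call visible in this file; one
            // must be added and invoked here before "secret" is safe as a stand-alone credential.
            return successOrActionsRequired(userModel);
        }

        String password = formData.getFirst("password");
        if (password == null) {
            logger.warn("Password not provided");
            return AuthenticationStatus.MISSING_PASSWORD;
        }
        if (userModel.isTotp()) {
            String totp = formData.getFirst("totp");
            if (totp == null) {
                logger.warn("TOTP token not provided");
                return AuthenticationStatus.MISSING_TOTP;
            }
            logger.debug("validating TOTP");
            // Realm is handed both factors; presumably it validates password and TOTP together.
            if (!realmModel.validateTOTP(userModel, password, totp)) {
                return AuthenticationStatus.INVALID_CREDENTIALS;
            }
        } else {
            logger.debug("validating password for user: " + userModel.getLoginName());
            if (!realmModel.validatePassword(userModel, password)) {
                logger.debug("invalid password for user: " + userModel.getLoginName());
                return AuthenticationStatus.INVALID_CREDENTIALS;
            }
        }
        return successOrActionsRequired(userModel);
    }

    /** Collects the credential type names the realm requires for login. */
    private static Set<String> requiredCredentialTypes(RealmModel realmModel) {
        Set<String> types = new HashSet<String>();
        Iterator<?> it = realmModel.getRequiredCredentials().iterator();
        while (it.hasNext()) {
            types.add(((RequiredCredentialModel) it.next()).getType());
        }
        return types;
    }

    /** Post-credential outcome: pending required actions win over plain success. */
    private static AuthenticationStatus successOrActionsRequired(UserModel userModel) {
        return userModel.getRequiredActions().isEmpty()
                ? AuthenticationStatus.SUCCESS
                : AuthenticationStatus.ACTIONS_REQUIRED;
    }
}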
