package org.keycloak.protocol.oidc.endpoints;

import java.util.regex.Pattern;
import javax.ws.rs.GET;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.jboss.logging.Logger;
import org.keycloak.authentication.AuthenticationProcessor;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.ClientModel;
import org.keycloak.models.RealmModel;
import org.keycloak.protocol.AuthorizationEndpointBase;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.endpoints.request.AuthorizationEndpointRequest;
import org.keycloak.protocol.oidc.endpoints.request.AuthorizationEndpointRequestParserProcessor;
import org.keycloak.protocol.oidc.utils.OIDCRedirectUriBuilder;
import org.keycloak.protocol.oidc.utils.OIDCResponseMode;
import org.keycloak.protocol.oidc.utils.OIDCResponseType;
import org.keycloak.protocol.oidc.utils.RedirectUtils;
import org.keycloak.services.ErrorPageException;
import org.keycloak.services.ServicesLogger;
import org.keycloak.services.Urls;
import org.keycloak.services.clientregistration.ErrorCodes;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.LoginActionsService;
import org.keycloak.services.util.CacheControlUtil;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.sessions.CommonClientSessionModel;
import org.keycloak.util.TokenUtil;

/* loaded from: input_file:org/keycloak/protocol/oidc/endpoints/AuthorizationEndpoint.class */
public class AuthorizationEndpoint extends AuthorizationEndpointBase {
    public static final String CODE_AUTH_TYPE = "code";
    public static final String LOGIN_SESSION_NOTE_ADDITIONAL_REQ_PARAMS_PREFIX = "client_request_param_";
    private ClientModel client;
    private AuthenticationSessionModel authenticationSession;
    private Action action;
    private OIDCResponseType parsedResponseType;
    private OIDCResponseMode parsedResponseMode;
    private AuthorizationEndpointRequest request;
    private String redirectUri;
    private static final Logger logger = Logger.getLogger(AuthorizationEndpoint.class);
    private static final Pattern VALID_CODE_CHALLENGE_PATTERN = Pattern.compile("^[0-9a-zA-Z\\-\\.~_]+$");

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/keycloak/protocol/oidc/endpoints/AuthorizationEndpoint$Action.class */
    public enum Action {
        REGISTER,
        CODE,
        FORGOT_CREDENTIALS
    }

    public AuthorizationEndpoint(RealmModel realmModel, EventBuilder eventBuilder) {
        super(realmModel, eventBuilder);
        eventBuilder.event(EventType.LOGIN);
    }

    @GET
    public Response build() {
        MultivaluedMap queryParameters = this.uriInfo.getQueryParameters();
        this.uriInfo.getRequestUri().toString();
        String str = (String) queryParameters.getFirst("client_id");
        checkSsl();
        checkRealm();
        checkClient(str);
        this.request = AuthorizationEndpointRequestParserProcessor.parseRequest(this.event, this.session, this.client, queryParameters);
        checkRedirectUri();
        Response checkResponseType = checkResponseType();
        if (checkResponseType != null) {
            return checkResponseType;
        }
        if (!TokenUtil.isOIDCRequest(this.request.getScope())) {
            ServicesLogger.LOGGER.oidcScopeMissing();
        }
        Response checkOIDCParams = checkOIDCParams();
        if (checkOIDCParams != null) {
            return checkOIDCParams;
        }
        Response checkPKCEParams = checkPKCEParams();
        if (checkPKCEParams != null) {
            return checkPKCEParams;
        }
        this.authenticationSession = createAuthenticationSession(this.client, this.request.getState());
        updateAuthenticationSession();
        CacheControlUtil.noBackButtonCacheControlHeader();
        switch (this.action) {
            case REGISTER:
                return buildRegister();
            case FORGOT_CREDENTIALS:
                return buildForgotCredential();
            case CODE:
                return buildAuthorizationCodeAuthorizationResponse();
            default:
                throw new RuntimeException("Unknown action " + this.action);
        }
    }

    public AuthorizationEndpoint register() {
        this.event.event(EventType.REGISTER);
        this.action = Action.REGISTER;
        if (this.realm.isRegistrationAllowed()) {
            return this;
        }
        throw new ErrorPageException(this.session, this.authenticationSession, Response.Status.BAD_REQUEST, Messages.REGISTRATION_NOT_ALLOWED, new Object[0]);
    }

    public AuthorizationEndpoint forgotCredentials() {
        this.event.event(EventType.RESET_PASSWORD);
        this.action = Action.FORGOT_CREDENTIALS;
        if (this.realm.isResetPasswordAllowed()) {
            return this;
        }
        throw new ErrorPageException(this.session, this.authenticationSession, Response.Status.BAD_REQUEST, Messages.RESET_CREDENTIAL_NOT_ALLOWED, new Object[0]);
    }

    private void checkClient(String str) {
        if (str == null) {
            this.event.error("invalid_request");
            throw new ErrorPageException(this.session, this.authenticationSession, Response.Status.BAD_REQUEST, Messages.MISSING_PARAMETER, "client_id");
        }
        this.event.client(str);
        this.client = this.realm.getClientByClientId(str);
        if (this.client == null) {
            this.event.error("client_not_found");
            throw new ErrorPageException(this.session, this.authenticationSession, Response.Status.BAD_REQUEST, Messages.CLIENT_NOT_FOUND, new Object[0]);
        }
        if (!this.client.isEnabled()) {
            this.event.error("client_disabled");
            throw new ErrorPageException(this.session, this.authenticationSession, Response.Status.BAD_REQUEST, Messages.CLIENT_DISABLED, new Object[0]);
        }
        if (this.client.isBearerOnly()) {
            this.event.error("not_allowed");
            throw new ErrorPageException(this.session, this.authenticationSession, Response.Status.FORBIDDEN, Messages.BEARER_ONLY, new Object[0]);
        }
        this.session.getContext().setClient(this.client);
    }

    private Response checkResponseType() {
        String responseType = this.request.getResponseType();
        if (responseType == null) {
            ServicesLogger.LOGGER.missingParameter("response_type");
            this.event.error("invalid_request");
            return redirectErrorToClient(OIDCResponseMode.QUERY, "invalid_request", "Missing parameter: response_type");
        }
        this.event.detail("response_type", responseType);
        try {
            this.parsedResponseType = OIDCResponseType.parse(responseType);
            if (this.action == null) {
                this.action = Action.CODE;
            }
            try {
                OIDCResponseMode parse = OIDCResponseMode.parse(this.request.getResponseMode(), this.parsedResponseType);
                this.event.detail(OIDCLoginProtocol.RESPONSE_MODE_PARAM, parse.toString().toLowerCase());
                if (this.parsedResponseType.isImplicitOrHybridFlow() && parse == OIDCResponseMode.QUERY) {
                    ServicesLogger.LOGGER.responseModeQueryNotAllowed();
                    this.event.error("invalid_request");
                    return redirectErrorToClient(OIDCResponseMode.QUERY, "invalid_request", "Response_mode 'query' not allowed for implicit or hybrid flow");
                }
                if ((this.parsedResponseType.hasResponseType("code") || this.parsedResponseType.hasResponseType("none")) && !this.client.isStandardFlowEnabled()) {
                    ServicesLogger.LOGGER.flowNotAllowed("Standard");
                    this.event.error("not_allowed");
                    return redirectErrorToClient(parse, "unsupported_response_type", "Client is not allowed to initiate browser login with given response_type. Standard flow is disabled for the client.");
                }
                if (!this.parsedResponseType.isImplicitOrHybridFlow() || this.client.isImplicitFlowEnabled()) {
                    this.parsedResponseMode = parse;
                    return null;
                }
                ServicesLogger.LOGGER.flowNotAllowed("Implicit");
                this.event.error("not_allowed");
                return redirectErrorToClient(parse, "unsupported_response_type", "Client is not allowed to initiate browser login with given response_type. Implicit flow is disabled for the client.");
            } catch (IllegalArgumentException e) {
                ServicesLogger.LOGGER.invalidParameter(OIDCLoginProtocol.RESPONSE_MODE_PARAM);
                this.event.error("invalid_request");
                return redirectErrorToClient(OIDCResponseMode.QUERY, "invalid_request", "Invalid parameter: response_mode");
            }
        } catch (IllegalArgumentException e2) {
            logger.error(e2.getMessage());
            this.event.error("invalid_request");
            return redirectErrorToClient(OIDCResponseMode.QUERY, "unsupported_response_type", null);
        }
    }

    private Response checkOIDCParams() {
        if ((!TokenUtil.isOIDCRequest(this.request.getScope()) && this.parsedResponseType.toString().equals(OIDCResponseType.TOKEN)) || !this.parsedResponseType.isImplicitOrHybridFlow() || this.request.getNonce() != null) {
            return null;
        }
        ServicesLogger.LOGGER.missingParameter("nonce");
        this.event.error("invalid_request");
        return redirectErrorToClient(this.parsedResponseMode, "invalid_request", "Missing parameter: nonce");
    }

    private Response checkPKCEParams() {
        String codeChallenge = this.request.getCodeChallenge();
        String codeChallengeMethod = this.request.getCodeChallengeMethod();
        if (this.parsedResponseType.isImplicitFlow()) {
            return null;
        }
        if (codeChallenge == null && codeChallengeMethod != null) {
            logger.info("PKCE supporting Client without code challenge");
            this.event.error("invalid_request");
            return redirectErrorToClient(this.parsedResponseMode, "invalid_request", "Missing parameter: code_challenge");
        }
        if (codeChallenge == null) {
            logger.debug("PKCE non-supporting Client");
            return null;
        }
        if (codeChallengeMethod != null && !codeChallengeMethod.equals(OIDCLoginProtocol.PKCE_METHOD_S256) && !codeChallengeMethod.equals(OIDCLoginProtocol.PKCE_METHOD_PLAIN)) {
            logger.infof("PKCE supporting Client with invalid code challenge method not specified in PKCE, codeChallengeMethod = %s", codeChallengeMethod);
            this.event.error("invalid_request");
            return redirectErrorToClient(this.parsedResponseMode, "invalid_request", "Invalid parameter: code_challenge_method");
        }
        if (isValidPkceCodeChallenge(codeChallenge)) {
            return null;
        }
        logger.infof("PKCE supporting Client with invalid code challenge specified in PKCE, codeChallenge = %s", codeChallenge);
        this.event.error("invalid_request");
        return redirectErrorToClient(this.parsedResponseMode, "invalid_request", "Invalid parameter: code_challenge");
    }

    private boolean isValidPkceCodeChallenge(String str) {
        if (str.length() < 43) {
            logger.debugf("PKCE codeChallenge length under lower limit , codeChallenge = %s", str);
            return false;
        }
        if (str.length() <= 128) {
            return VALID_CODE_CHALLENGE_PATTERN.matcher(str).matches();
        }
        logger.debugf("PKCE codeChallenge length over upper limit , codeChallenge = %s", str);
        return false;
    }

    private Response redirectErrorToClient(OIDCResponseMode oIDCResponseMode, String str, String str2) {
        OIDCRedirectUriBuilder addParam = OIDCRedirectUriBuilder.fromUri(this.redirectUri, oIDCResponseMode).addParam("error", str);
        if (str2 != null) {
            addParam.addParam("error_description", str2);
        }
        if (this.request.getState() != null) {
            addParam.addParam("state", this.request.getState());
        }
        return addParam.build();
    }

    private void checkRedirectUri() {
        String redirectUriParam = this.request.getRedirectUriParam();
        boolean isOIDCRequest = TokenUtil.isOIDCRequest(this.request.getScope());
        this.event.detail("redirect_uri", redirectUriParam);
        this.redirectUri = RedirectUtils.verifyRedirectUri(this.uriInfo, redirectUriParam, this.realm, this.client, isOIDCRequest);
        if (this.redirectUri == null) {
            this.event.error(ErrorCodes.INVALID_REDIRECT_URI);
            throw new ErrorPageException(this.session, this.authenticationSession, Response.Status.BAD_REQUEST, Messages.INVALID_PARAMETER, "redirect_uri");
        }
    }

    private void updateAuthenticationSession() {
        this.authenticationSession.setProtocol("openid-connect");
        this.authenticationSession.setRedirectUri(this.redirectUri);
        this.authenticationSession.setAction(CommonClientSessionModel.Action.AUTHENTICATE.name());
        this.authenticationSession.setClientNote("response_type", this.request.getResponseType());
        this.authenticationSession.setClientNote("redirect_uri", this.request.getRedirectUriParam());
        this.authenticationSession.setClientNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(this.uriInfo.getBaseUri(), this.realm.getName()));
        if (this.request.getState() != null) {
            this.authenticationSession.setClientNote("state", this.request.getState());
        }
        if (this.request.getNonce() != null) {
            this.authenticationSession.setClientNote("nonce", this.request.getNonce());
        }
        if (this.request.getMaxAge() != null) {
            this.authenticationSession.setClientNote(OIDCLoginProtocol.MAX_AGE_PARAM, String.valueOf(this.request.getMaxAge()));
        }
        if (this.request.getScope() != null) {
            this.authenticationSession.setClientNote("scope", this.request.getScope());
        }
        if (this.request.getLoginHint() != null) {
            this.authenticationSession.setClientNote(OIDCLoginProtocol.LOGIN_HINT_PARAM, this.request.getLoginHint());
        }
        if (this.request.getPrompt() != null) {
            this.authenticationSession.setClientNote(OIDCLoginProtocol.PROMPT_PARAM, this.request.getPrompt());
        }
        if (this.request.getIdpHint() != null) {
            this.authenticationSession.setClientNote("kc_idp_hint", this.request.getIdpHint());
        }
        if (this.request.getResponseMode() != null) {
            this.authenticationSession.setClientNote(OIDCLoginProtocol.RESPONSE_MODE_PARAM, this.request.getResponseMode());
        }
        if (this.request.getClaims() != null) {
            this.authenticationSession.setClientNote(OIDCLoginProtocol.CLAIMS_PARAM, this.request.getClaims());
        }
        if (this.request.getAcr() != null) {
            this.authenticationSession.setClientNote(OIDCLoginProtocol.ACR_PARAM, this.request.getAcr());
        }
        if (this.request.getCodeChallenge() != null) {
            this.authenticationSession.setClientNote(OIDCLoginProtocol.CODE_CHALLENGE_PARAM, this.request.getCodeChallenge());
        }
        if (this.request.getCodeChallengeMethod() != null) {
            this.authenticationSession.setClientNote(OIDCLoginProtocol.CODE_CHALLENGE_METHOD_PARAM, this.request.getCodeChallengeMethod());
        } else {
            this.authenticationSession.setClientNote(OIDCLoginProtocol.CODE_CHALLENGE_METHOD_PARAM, OIDCLoginProtocol.PKCE_METHOD_PLAIN);
        }
        if (this.request.getAdditionalReqParams() != null) {
            for (String str : this.request.getAdditionalReqParams().keySet()) {
                this.authenticationSession.setClientNote(LOGIN_SESSION_NOTE_ADDITIONAL_REQ_PARAMS_PREFIX + str, this.request.getAdditionalReqParams().get(str));
            }
        }
    }

    private Response buildAuthorizationCodeAuthorizationResponse() {
        this.event.event(EventType.LOGIN);
        this.authenticationSession.setAuthNote("auth_type", "code");
        return handleBrowserAuthenticationRequest(this.authenticationSession, new OIDCLoginProtocol(this.session, this.realm, this.uriInfo, this.headers, this.event), TokenUtil.hasPrompt(this.request.getPrompt(), "none"), false);
    }

    private Response buildRegister() {
        AuthenticationManager authenticationManager = this.authManager;
        AuthenticationManager.expireIdentityCookie(this.realm, this.uriInfo, this.clientConnection);
        AuthenticationProcessor createProcessor = createProcessor(this.authenticationSession, this.realm.getRegistrationFlow().getId(), LoginActionsService.REGISTRATION_PATH);
        this.authenticationSession.setClientNote(AuthorizationEndpointBase.APP_INITIATED_FLOW, LoginActionsService.REGISTRATION_PATH);
        return createProcessor.authenticate();
    }

    private Response buildForgotCredential() {
        AuthenticationManager authenticationManager = this.authManager;
        AuthenticationManager.expireIdentityCookie(this.realm, this.uriInfo, this.clientConnection);
        AuthenticationProcessor createProcessor = createProcessor(this.authenticationSession, this.realm.getResetCredentialsFlow().getId(), "reset-credentials");
        this.authenticationSession.setClientNote(AuthorizationEndpointBase.APP_INITIATED_FLOW, "reset-credentials");
        return createProcessor.authenticate();
    }
}
