package org.keycloak.services.resources;

import java.net.URI;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.OPTIONS;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import javax.ws.rs.core.Variant;
import org.jboss.logging.Logger;
import org.jboss.resteasy.spi.BadRequestException;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.ClientConnection;
import org.keycloak.account.AccountPages;
import org.keycloak.account.AccountProvider;
import org.keycloak.events.Event;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventStoreProvider;
import org.keycloak.events.EventType;
import org.keycloak.models.ApplicationModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelReadOnlyException;
import org.keycloak.models.RealmModel;
import org.keycloak.models.SocialLinkModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserCredentialValueModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.models.utils.TimeBasedOTP;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.services.ForbiddenException;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.Auth;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.flows.Flows;
import org.keycloak.services.resources.flows.OAuthRedirect;
import org.keycloak.services.resources.flows.Urls;
import org.keycloak.services.util.ResolveRelative;
import org.keycloak.services.validation.Validation;
import org.keycloak.social.SocialLoader;
import org.keycloak.social.SocialProvider;
import org.keycloak.social.SocialProviderException;

/* loaded from: input_file:org/keycloak/services/resources/AccountService.class */
public class AccountService {
    private static final Logger logger = Logger.getLogger(AccountService.class);
    private static final EventType[] LOG_EVENTS = {EventType.LOGIN, EventType.LOGOUT, EventType.REGISTER, EventType.REMOVE_SOCIAL_LINK, EventType.REMOVE_TOTP, EventType.SEND_RESET_PASSWORD, EventType.SEND_VERIFY_EMAIL, EventType.SOCIAL_LINK, EventType.UPDATE_EMAIL, EventType.UPDATE_PASSWORD, EventType.UPDATE_PROFILE, EventType.UPDATE_TOTP, EventType.VERIFY_EMAIL};
    private static final Set<String> LOG_DETAILS = new HashSet();
    private RealmModel realm;

    @Context
    private HttpRequest request;

    @Context
    protected HttpHeaders headers;

    @Context
    private UriInfo uriInfo;

    @Context
    private ClientConnection clientConnection;

    @Context
    private KeycloakSession session;
    private final AppAuthManager authManager = new AppAuthManager();
    private final ApplicationModel application;
    private EventBuilder event;
    private AccountProvider account;
    private Auth auth;
    private EventStoreProvider eventStore;

    /* loaded from: input_file:org/keycloak/services/resources/AccountService$AccountSocialAction.class */
    public enum AccountSocialAction {
        ADD,
        REMOVE;

        public static AccountSocialAction getAction(String str) {
            if ("add".equalsIgnoreCase(str)) {
                return ADD;
            }
            if ("remove".equalsIgnoreCase(str)) {
                return REMOVE;
            }
            return null;
        }
    }

    public AccountService(RealmModel realmModel, ApplicationModel applicationModel, EventBuilder eventBuilder) {
        this.realm = realmModel;
        this.application = applicationModel;
        this.event = eventBuilder;
    }

    public void init() {
        this.eventStore = this.session.getProvider(EventStoreProvider.class);
        this.account = this.session.getProvider(AccountProvider.class).setRealm(this.realm).setUriInfo(this.uriInfo);
        AuthenticationManager.AuthResult authenticateIdentityCookie = this.authManager.authenticateIdentityCookie(this.session, this.realm, this.uriInfo, this.clientConnection, this.headers);
        if (authenticateIdentityCookie != null) {
            this.auth = new Auth(this.realm, authenticateIdentityCookie.getToken(), authenticateIdentityCookie.getUser(), this.application, true);
        } else {
            authenticateIdentityCookie = this.authManager.authenticateBearerToken(this.session, this.realm, this.uriInfo, this.clientConnection, this.headers);
            if (authenticateIdentityCookie != null) {
                this.auth = new Auth(this.realm, authenticateIdentityCookie.getToken(), authenticateIdentityCookie.getUser(), this.application, false);
            }
        }
        if (authenticateIdentityCookie != null) {
            UserSessionModel session = authenticateIdentityCookie.getSession();
            if (session != null) {
                boolean z = false;
                Iterator it = session.getClientSessions().iterator();
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    } else if (((ClientSessionModel) it.next()).getClient().equals(this.application)) {
                        z = true;
                        break;
                    }
                }
                if (!z) {
                    this.session.sessions().createClientSession(this.realm, this.application, session, (String) null, (String) null, (Set) null);
                }
            }
            this.account.setUser(this.auth.getUser());
        }
        this.account.setFeatures(this.realm.isSocial(), this.eventStore != null && this.realm.isEventsEnabled(), true);
    }

    public static UriBuilder accountServiceBaseUrl(UriInfo uriInfo) {
        return uriInfo.getBaseUriBuilder().path(RealmsResource.class).path(RealmsResource.class, "getAccountService");
    }

    public static UriBuilder accountServiceBaseUrl(UriBuilder uriBuilder) {
        return uriBuilder.path(RealmsResource.class).path(RealmsResource.class, "getAccountService");
    }

    private Response forwardToPage(String str, AccountPages accountPages) {
        if (this.auth == null) {
            return login(str);
        }
        try {
            require("manage-account");
            setReferrerOnPage();
            return this.account.createResponse(accountPages);
        } catch (ForbiddenException e) {
            return Flows.forms(this.session, this.realm, null, this.uriInfo).setError("No access").createErrorPage();
        }
    }

    protected void setReferrerOnPage() {
        String[] referrer = getReferrer();
        if (referrer != null) {
            this.account.setReferrer(referrer);
        }
    }

    @Path("/")
    @OPTIONS
    public Response accountPreflight() {
        return Cors.add(this.request, Response.ok()).auth().preflight().build();
    }

    @GET
    @Path("/")
    public Response accountPage() {
        List acceptableMediaTypes = this.headers.getAcceptableMediaTypes();
        if (acceptableMediaTypes.contains(MediaType.WILDCARD_TYPE) || acceptableMediaTypes.contains(MediaType.TEXT_HTML_TYPE)) {
            return forwardToPage(null, AccountPages.ACCOUNT);
        }
        if (!acceptableMediaTypes.contains(MediaType.APPLICATION_JSON_TYPE)) {
            return Response.notAcceptable(Variant.VariantListBuilder.newInstance().mediaTypes(new MediaType[]{MediaType.TEXT_HTML_TYPE, MediaType.APPLICATION_JSON_TYPE}).build()).build();
        }
        requireOneOf("manage-account", "view-profile");
        UserRepresentation representation = ModelToRepresentation.toRepresentation(this.auth.getUser());
        if (representation.getAttributes() != null) {
            Iterator it = representation.getAttributes().keySet().iterator();
            while (it.hasNext()) {
                if (((String) it.next()).startsWith("keycloak.")) {
                    it.remove();
                }
            }
        }
        return Cors.add(this.request, Response.ok(representation)).auth().allowedOrigins(this.auth.getToken()).build();
    }

    public static UriBuilder totpUrl(UriBuilder uriBuilder) {
        return RealmsResource.accountUrl(uriBuilder).path(AccountService.class, "totpPage");
    }

    @GET
    @Path("totp")
    public Response totpPage() {
        return forwardToPage("totp", AccountPages.TOTP);
    }

    public static UriBuilder passwordUrl(UriBuilder uriBuilder) {
        return RealmsResource.accountUrl(uriBuilder).path(AccountService.class, "passwordPage");
    }

    @GET
    @Path("password")
    public Response passwordPage() {
        if (this.auth != null) {
            this.account.setPasswordSet(isPasswordSet(this.auth.getUser()));
        }
        return forwardToPage("password", AccountPages.PASSWORD);
    }

    public static UriBuilder socialUrl(UriBuilder uriBuilder) {
        return RealmsResource.accountUrl(uriBuilder).path(AccountService.class, "socialPage");
    }

    @GET
    @Path("social")
    public Response socialPage() {
        return forwardToPage("social", AccountPages.SOCIAL);
    }

    @GET
    @Path("log")
    public Response logPage() {
        if (this.auth != null) {
            List<Event> resultList = this.eventStore.createQuery().type(LOG_EVENTS).user(this.auth.getUser().getId()).maxResults(30).getResultList();
            for (Event event : resultList) {
                if (event.getDetails() != null) {
                    Iterator it = event.getDetails().entrySet().iterator();
                    while (it.hasNext()) {
                        if (!LOG_DETAILS.contains(((Map.Entry) it.next()).getKey())) {
                            it.remove();
                        }
                    }
                }
            }
            this.account.setEvents(resultList);
        }
        return forwardToPage("log", AccountPages.LOG);
    }

    @GET
    @Path("sessions")
    public Response sessionsPage() {
        if (this.auth != null) {
            this.account.setSessions(this.session.sessions().getUserSessions(this.realm, this.auth.getUser()));
        }
        return forwardToPage("sessions", AccountPages.SESSIONS);
    }

    @POST
    @Path("/")
    @Consumes({"application/x-www-form-urlencoded"})
    public Response processAccountUpdate(MultivaluedMap<String, String> multivaluedMap) {
        if (this.auth == null) {
            return login(null);
        }
        require("manage-account");
        String str = (String) multivaluedMap.getFirst("submitAction");
        if (str != null && str.equals("Cancel")) {
            setReferrerOnPage();
            return this.account.createResponse(AccountPages.ACCOUNT);
        }
        UserModel user = this.auth.getUser();
        String validateUpdateProfileForm = Validation.validateUpdateProfileForm(multivaluedMap);
        if (validateUpdateProfileForm != null) {
            setReferrerOnPage();
            return this.account.setError(validateUpdateProfileForm).createResponse(AccountPages.ACCOUNT);
        }
        try {
            user.setFirstName((String) multivaluedMap.getFirst("firstName"));
            user.setLastName((String) multivaluedMap.getFirst("lastName"));
            String str2 = (String) multivaluedMap.getFirst("email");
            String email = user.getEmail();
            boolean z = email != null ? !email.equals(str2) : str2 != null;
            user.setEmail((String) multivaluedMap.getFirst("email"));
            this.event.event(EventType.UPDATE_PROFILE).client(this.auth.getClient()).user(this.auth.getUser()).success();
            if (z) {
                user.setEmailVerified(false);
                this.event.clone().event(EventType.UPDATE_EMAIL).detail("previous_email", email).detail("updated_email", str2).success();
            }
            setReferrerOnPage();
            return this.account.setSuccess("accountUpdated").createResponse(AccountPages.ACCOUNT);
        } catch (ModelReadOnlyException e) {
            setReferrerOnPage();
            return this.account.setError(Messages.READ_ONLY_USER).createResponse(AccountPages.ACCOUNT);
        }
    }

    @GET
    @Path("totp-remove")
    public Response processTotpRemove() {
        if (this.auth == null) {
            return login("totp");
        }
        require("manage-account");
        this.auth.getUser().setTotp(false);
        this.event.event(EventType.REMOVE_TOTP).client(this.auth.getClient()).user(this.auth.getUser()).success();
        setReferrerOnPage();
        return this.account.setSuccess("successTotpRemoved").createResponse(AccountPages.TOTP);
    }

    @GET
    @Path("sessions-logout")
    public Response processSessionsLogout() {
        if (this.auth == null) {
            return login("sessions");
        }
        require("manage-account");
        this.session.sessions().removeUserSessions(this.realm, this.auth.getUser());
        UriBuilder path = Urls.accountBase(this.uriInfo.getBaseUri()).path(AccountService.class, "sessionsPage");
        String str = (String) this.uriInfo.getQueryParameters().getFirst("referrer");
        if (str != null) {
            path.queryParam("referrer", new Object[]{str});
        }
        return Response.seeOther(path.build(new Object[]{this.realm.getName()})).build();
    }

    @POST
    @Path("totp")
    @Consumes({"application/x-www-form-urlencoded"})
    public Response processTotpUpdate(MultivaluedMap<String, String> multivaluedMap) {
        if (this.auth == null) {
            return login("totp");
        }
        require("manage-account");
        String str = (String) multivaluedMap.getFirst("submitAction");
        if (str != null && str.equals("Cancel")) {
            setReferrerOnPage();
            return this.account.createResponse(AccountPages.TOTP);
        }
        UserModel user = this.auth.getUser();
        String str2 = (String) multivaluedMap.getFirst("totp");
        String str3 = (String) multivaluedMap.getFirst("totpSecret");
        if (Validation.isEmpty(str2)) {
            setReferrerOnPage();
            return this.account.setError(Messages.MISSING_TOTP).createResponse(AccountPages.TOTP);
        }
        if (!new TimeBasedOTP().validate(str2, str3.getBytes())) {
            setReferrerOnPage();
            return this.account.setError(Messages.INVALID_TOTP).createResponse(AccountPages.TOTP);
        }
        UserCredentialModel userCredentialModel = new UserCredentialModel();
        userCredentialModel.setType("totp");
        userCredentialModel.setValue(str3);
        this.session.users().updateCredential(this.realm, user, userCredentialModel);
        user.setTotp(true);
        this.event.event(EventType.UPDATE_TOTP).client(this.auth.getClient()).user(this.auth.getUser()).success();
        setReferrerOnPage();
        return this.account.setSuccess("successTotp").createResponse(AccountPages.TOTP);
    }

    @POST
    @Path("password")
    @Consumes({"application/x-www-form-urlencoded"})
    public Response processPasswordUpdate(MultivaluedMap<String, String> multivaluedMap) {
        if (this.auth == null) {
            return login("password");
        }
        require("manage-account");
        String str = (String) multivaluedMap.getFirst("submitAction");
        if (str != null && str.equals("Cancel")) {
            setReferrerOnPage();
            return this.account.createResponse(AccountPages.PASSWORD);
        }
        UserModel user = this.auth.getUser();
        boolean isPasswordSet = isPasswordSet(user);
        this.account.setPasswordSet(isPasswordSet);
        String str2 = (String) multivaluedMap.getFirst("password");
        String str3 = (String) multivaluedMap.getFirst("password-new");
        String str4 = (String) multivaluedMap.getFirst("password-confirm");
        if (isPasswordSet) {
            if (Validation.isEmpty(str2)) {
                setReferrerOnPage();
                return this.account.setError(Messages.MISSING_PASSWORD).createResponse(AccountPages.PASSWORD);
            }
            if (!this.session.users().validCredentials(this.realm, user, new UserCredentialModel[]{UserCredentialModel.password(str2)})) {
                setReferrerOnPage();
                return this.account.setError(Messages.INVALID_PASSWORD_EXISTING).createResponse(AccountPages.PASSWORD);
            }
        }
        if (Validation.isEmpty(str3)) {
            setReferrerOnPage();
            return this.account.setError(Messages.MISSING_PASSWORD).createResponse(AccountPages.PASSWORD);
        }
        if (!str3.equals(str4)) {
            setReferrerOnPage();
            return this.account.setError(Messages.INVALID_PASSWORD_CONFIRM).createResponse(AccountPages.PASSWORD);
        }
        try {
            this.session.users().updateCredential(this.realm, user, UserCredentialModel.password(str3));
            this.event.event(EventType.UPDATE_PASSWORD).client(this.auth.getClient()).user(this.auth.getUser()).success();
            setReferrerOnPage();
            return this.account.setPasswordSet(true).setSuccess("accountPasswordUpdated").createResponse(AccountPages.PASSWORD);
        } catch (ModelReadOnlyException e) {
            setReferrerOnPage();
            return this.account.setError(Messages.READ_ONLY_PASSWORD).createResponse(AccountPages.PASSWORD);
        } catch (Exception e2) {
            logger.error("Failed to update password", e2);
            setReferrerOnPage();
            return this.account.setError(e2.getMessage()).createResponse(AccountPages.PASSWORD);
        }
    }

    @GET
    @Path("social-update")
    public Response processSocialUpdate(@QueryParam("action") String str, @QueryParam("provider_id") String str2) {
        if (this.auth == null) {
            return login("social");
        }
        require("manage-account");
        UserModel user = this.auth.getUser();
        if (Validation.isEmpty(str2)) {
            setReferrerOnPage();
            return this.account.setError(Messages.MISSING_SOCIAL_PROVIDER).createResponse(AccountPages.SOCIAL);
        }
        AccountSocialAction action = AccountSocialAction.getAction(str);
        if (action == null) {
            setReferrerOnPage();
            return this.account.setError(Messages.INVALID_SOCIAL_ACTION).createResponse(AccountPages.SOCIAL);
        }
        SocialProvider load = SocialLoader.load(str2);
        if (load == null) {
            setReferrerOnPage();
            return this.account.setError(Messages.SOCIAL_PROVIDER_NOT_FOUND).createResponse(AccountPages.SOCIAL);
        }
        if (!user.isEnabled()) {
            setReferrerOnPage();
            return this.account.setError(Messages.ACCOUNT_DISABLED).createResponse(AccountPages.SOCIAL);
        }
        switch (action) {
            case ADD:
                try {
                    return Flows.social(this.realm, this.uriInfo, this.clientConnection, load).user(user).putClientAttribute("client_id", "account").putClientAttribute("state", UUID.randomUUID().toString()).putClientAttribute("redirect_uri", UriBuilder.fromUri(Urls.accountSocialPage(this.uriInfo.getBaseUri(), this.realm.getName())).build(new Object[0]).toString()).redirectToSocialProvider();
                } catch (SocialProviderException e) {
                    setReferrerOnPage();
                    return this.account.setError(Messages.SOCIAL_REDIRECT_ERROR).createResponse(AccountPages.SOCIAL);
                }
            case REMOVE:
                SocialLinkModel socialLink = this.session.users().getSocialLink(user, str2, this.realm);
                if (socialLink == null) {
                    setReferrerOnPage();
                    return this.account.setError(Messages.SOCIAL_LINK_NOT_ACTIVE).createResponse(AccountPages.SOCIAL);
                }
                if (this.session.users().getSocialLinks(user, this.realm).size() <= 1 && user.getFederationLink() == null && !isPasswordSet(user)) {
                    setReferrerOnPage();
                    return this.account.setError(Messages.SOCIAL_REMOVING_LAST_PROVIDER).createResponse(AccountPages.SOCIAL);
                }
                this.session.users().removeSocialLink(this.realm, user, str2);
                logger.debugv("Social provider {0} removed successfully from user {1}", str2, user.getUsername());
                this.event.event(EventType.REMOVE_SOCIAL_LINK).client(this.auth.getClient()).user(this.auth.getUser()).detail(AuthenticationManager.FORM_USERNAME, socialLink.getSocialUserId() + "@" + socialLink.getSocialProvider()).success();
                setReferrerOnPage();
                return this.account.setSuccess(Messages.SOCIAL_PROVIDER_REMOVED).createResponse(AccountPages.SOCIAL);
            default:
                throw new IllegalArgumentException();
        }
    }

    public static UriBuilder loginRedirectUrl(UriBuilder uriBuilder) {
        return RealmsResource.accountUrl(uriBuilder).path(AccountService.class, "loginRedirect");
    }

    @GET
    @Path("login-redirect")
    public Response loginRedirect(@QueryParam("code") String str, @QueryParam("state") String str2, @QueryParam("error") String str3, @QueryParam("path") String str4, @QueryParam("referrer") String str5, @Context HttpHeaders httpHeaders) {
        if (str3 != null) {
            logger.debug("error from oauth");
            throw new ForbiddenException(Messages.ERROR);
        }
        if (!this.realm.isEnabled()) {
            logger.debug("realm not enabled");
            throw new ForbiddenException();
        }
        if (!this.application.isEnabled()) {
            logger.debug("account management app not enabled");
            throw new ForbiddenException();
        }
        if (str == null) {
            logger.debug("code not specified");
            throw new BadRequestException("code not specified");
        }
        if (str2 == null) {
            logger.debug("state not specified");
            throw new BadRequestException("state not specified");
        }
        URI build = Urls.accountBase(this.uriInfo.getBaseUri()).path("/").build(new Object[]{this.realm.getName()});
        URI resolve = str4 != null ? build.resolve(str4) : build;
        if (str5 != null) {
            resolve = resolve.resolve("?referrer=" + str5);
        }
        return Response.status(302).location(resolve).build();
    }

    private Response login(String str) {
        OAuthRedirect oAuthRedirect = new OAuthRedirect();
        oAuthRedirect.setAuthUrl(Urls.realmLoginPage(this.uriInfo.getBaseUri(), this.realm.getName()).toString());
        oAuthRedirect.setClientId("account");
        UriBuilder path = Urls.accountPageBuilder(this.uriInfo.getBaseUri()).path(AccountService.class, "loginRedirect");
        if (str != null) {
            path.queryParam("path", new Object[]{str});
        }
        String str2 = (String) this.uriInfo.getQueryParameters().getFirst("referrer");
        if (str2 != null) {
            path.queryParam("referrer", new Object[]{str2});
        }
        String str3 = (String) this.uriInfo.getQueryParameters().getFirst("referrer_uri");
        if (str3 != null) {
            path.queryParam("referrer_uri", new Object[]{str3});
        }
        URI build = path.build(new Object[]{this.realm.getName()});
        oAuthRedirect.setStateCookiePath(build.getRawPath());
        return oAuthRedirect.redirect(this.uriInfo, build.toString());
    }

    public static boolean isPasswordSet(UserModel userModel) {
        boolean z = false;
        if (userModel.getFederationLink() != null) {
            z = true;
        }
        Iterator it = userModel.getCredentialsDirectly().iterator();
        while (it.hasNext()) {
            if (((UserCredentialValueModel) it.next()).getType().equals("password")) {
                z = true;
            }
        }
        return z;
    }

    private String[] getReferrer() {
        String verifyRedirectUri;
        String str = (String) this.uriInfo.getQueryParameters().getFirst("referrer");
        if (str == null) {
            return null;
        }
        String str2 = (String) this.uriInfo.getQueryParameters().getFirst("referrer_uri");
        ApplicationModel applicationByName = this.realm.getApplicationByName(str);
        if (applicationByName != null) {
            String verifyRedirectUri2 = str2 != null ? TokenService.verifyRedirectUri(this.uriInfo, str2, this.realm, (ClientModel) applicationByName) : ResolveRelative.resolveRelativeUri(this.uriInfo.getRequestUri(), applicationByName.getBaseUrl());
            if (verifyRedirectUri2 != null) {
                return new String[]{str, verifyRedirectUri2};
            }
            return null;
        }
        if (str2 == null || this.realm.getOAuthClient(str) == null || (verifyRedirectUri = TokenService.verifyRedirectUri(this.uriInfo, str2, this.realm, (ClientModel) applicationByName)) == null) {
            return null;
        }
        return new String[]{str, verifyRedirectUri};
    }

    public void require(String str) {
        if (this.auth == null) {
            throw new ForbiddenException();
        }
        if (!this.auth.hasAppRole(this.application, str)) {
            throw new ForbiddenException();
        }
    }

    public void requireOneOf(String... strArr) {
        if (this.auth == null) {
            throw new ForbiddenException();
        }
        if (!this.auth.hasOneOfAppRole(this.application, strArr)) {
            throw new ForbiddenException();
        }
    }

    static {
        LOG_DETAILS.add("updated_email");
        LOG_DETAILS.add("email");
        LOG_DETAILS.add("previous_email");
        LOG_DETAILS.add(AuthenticationManager.FORM_USERNAME);
        LOG_DETAILS.add("remember_me");
        LOG_DETAILS.add("register_method");
        LOG_DETAILS.add("auth_method");
    }
}
