package org.keycloak.services.resources.flows;

import java.util.HashSet;
import java.util.Set;
import javax.ws.rs.core.NewCookie;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import org.jboss.resteasy.logging.Logger;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.models.Constants;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.managers.AccessCodeEntry;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.TokenManager;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.TokenService;

/* loaded from: input_file:WEB-INF/lib/keycloak-services-1.0-alpha-1-12062013.jar:org/keycloak/services/resources/flows/OAuthFlows.class */
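/**
 * Builds the HTTP responses used by the OAuth authorization-code flow of a single realm:
 * redirects back to the client (with an access code or an error), the OAuth grant page,
 * required-action forms and the security-failure page.
 *
 * <p>This source is decompiler output, so parameter names such as {@code str} and
 * {@code userModel2} are synthetic. The Javadoc on each method states the role each
 * parameter plays as far as the code in this class shows it.
 *
 * <p>Security note: nothing in this class validates the redirect URI it is handed. The
 * access code (and, when cookie login is allowed, a login cookie) is sent with a redirect
 * to whatever URI the caller supplies, so the caller must already have matched that URI
 * against the client's registered redirect URIs. NOTE(review): confirm every call site
 * performs that check before reaching this class.
 */
public class OAuthFlows {
    private static final Logger log = Logger.getLogger(OAuthFlows.class);

    // Collaborators are assigned once in the constructor and never reassigned in this class.
    private final RealmModel realm;
    private final HttpRequest request;
    private final UriInfo uriInfo;
    private final AuthenticationManager authManager;
    private final TokenManager tokenManager;

    /**
     * Creates the flow helper for one request.
     *
     * <p>The decompiler reports that this constructor was package-private in the original
     * class file ("Access modifiers changed from: package-private"); it is kept public here
     * to match the decompiled source.
     *
     * @param realmModel realm the flow runs in
     * @param httpRequest current request; used to pass attributes to the forwarded pages
     * @param uriInfo URI information of the current request
     * @param authenticationManager creates the login cookie set on successful redirects
     * @param tokenManager creates access codes
     */
    public OAuthFlows(RealmModel realmModel, HttpRequest httpRequest, UriInfo uriInfo, AuthenticationManager authenticationManager, TokenManager tokenManager) {
        this.realm = realmModel;
        this.request = httpRequest;
        this.uriInfo = uriInfo;
        this.authManager = authenticationManager;
        this.tokenManager = tokenManager;
    }

    /**
     * Redirects the user agent (HTTP 302) to the redirect URI with the access code attached.
     *
     * <p>The code is added as the {@link FormFlows#CODE} query parameter and {@code state}
     * is echoed back when present. When the realm allows cookie login, the login cookie
     * produced by {@code authManager.createLoginCookie} is attached to the same response.
     *
     * <p>Security note: {@code str2} is used as the redirect target without any check in
     * this method. Both the access code and the login cookie travel with this response, so
     * the URI must have been validated by the caller. The cookie's attributes (Secure,
     * HttpOnly, path) are decided inside {@code createLoginCookie} and are not visible here.
     *
     * @param accessCodeEntry access code to hand to the client
     * @param str OAuth {@code state} value supplied by the client; may be {@code null}
     * @param str2 redirect URI the user agent is sent to
     * @return the 302 response
     */
    public Response redirectAccessCode(AccessCodeEntry accessCodeEntry, String str, String str2) {
        UriBuilder target = UriBuilder.fromUri(str2).queryParam(FormFlows.CODE, accessCodeEntry.getCode());
        // state is request-supplied text and is written to the debug log verbatim.
        log.debug("redirectAccessCode: state: {0}", str);
        if (str != null) {
            target.queryParam("state", str);
        }
        Response.ResponseBuilder redirect = Response.status(302).location(target.build());
        if (this.realm.isCookieLoginAllowed()) {
            redirect.cookie(this.authManager.createLoginCookie(this.realm, accessCodeEntry.getUser(), this.uriInfo));
        }
        return redirect.build();
    }

    /**
     * Redirects the user agent (HTTP 302) to the redirect URI with an error attached.
     *
     * <p>The error is added as the {@link Messages#ERROR} query parameter and {@code state}
     * is echoed back when present. As in {@link #redirectAccessCode}, the redirect URI is
     * not validated here and must have been checked by the caller.
     *
     * @param userModel not used by this method
     * @param str error value to report to the client
     * @param str2 OAuth {@code state} value supplied by the client; may be {@code null}
     * @param str3 redirect URI the user agent is sent to
     * @return the 302 response
     */
    public Response redirectError(UserModel userModel, String str, String str2, String str3) {
        UriBuilder target = UriBuilder.fromUri(str3).queryParam(Messages.ERROR, str);
        if (str2 != null) {
            target.queryParam("state", str2);
        }
        return Response.status(302).location(target.build()).build();
    }

    /**
     * Creates an access code for an authenticated user and picks the next step of the flow.
     *
     * <p>Steps, in order:
     * <ol>
     *   <li>The requesting client must hold {@link Constants#APPLICATION_ROLE} or
     *       {@link Constants#IDENTITY_REQUESTER_ROLE} in the realm; otherwise the security
     *       failure page is returned and no access code is created.</li>
     *   <li>If the user has pending required actions, they are copied onto the access code,
     *       its expiration is set to now plus the realm's user-action lifespan, and the
     *       request is forwarded to the first required action.</li>
     *   <li>If the client does not hold the application role and the access code requests
     *       any realm or resource roles, the expiration is set the same way and the OAuth
     *       grant page is shown.</li>
     *   <li>Otherwise, if a redirect URI was given, the user agent is redirected with the
     *       code.</li>
     * </ol>
     *
     * <p>NOTE(review): how {@code realm.hasRole} behaves when {@code realm.getRole} returns
     * {@code null} for either role is not visible here; confirm it fails closed.
     *
     * @param str first argument passed through to {@code tokenManager.createAccessCode};
     *     presumably the requested scope (not verifiable from this class)
     * @param str2 OAuth {@code state} value; passed on to {@link #redirectAccessCode}
     * @param str3 redirect URI; not validated here, may be {@code null}
     * @param userModel the client requesting the login
     * @param userModel2 the user who authenticated
     * @return the response for the next step, or {@code null} when {@code str3} is
     *     {@code null} and neither a required action nor the grant page applies. The access
     *     code has already been created at that point, so callers must handle {@code null}.
     */
    public Response processAccessCode(String str, String str2, String str3, UserModel userModel, UserModel userModel2) {
        RoleModel applicationRole = this.realm.getRole(Constants.APPLICATION_ROLE);
        RoleModel identityRequesterRole = this.realm.getRole(Constants.IDENTITY_REQUESTER_ROLE);
        boolean isResource = this.realm.hasRole(userModel, applicationRole);
        if (!isResource && !this.realm.hasRole(userModel, identityRequesterRole)) {
            return forwardToSecurityFailure("Login requester not allowed to request login.");
        }

        AccessCodeEntry accessCode = this.tokenManager.createAccessCode(str, str2, str3, this.realm, userModel, userModel2);
        log.debug("processAccessCode: isResource: {0}", Boolean.valueOf(isResource));

        // Evaluated once and reused for both the log line and the branch below; nothing
        // between the two uses changes the requested roles on a path that reaches the branch.
        boolean needsGrantPage = !isResource
                && (accessCode.getRealmRolesRequested().size() > 0 || accessCode.getResourceRolesRequested().size() > 0);
        log.debug("processAccessCode: go to oauth page?: {0}", Boolean.valueOf(needsGrantPage));

        Set<UserModel.RequiredAction> requiredActions = userModel2.getRequiredActions();
        if (!requiredActions.isEmpty()) {
            // Copy so the access code does not share the user's live set.
            accessCode.setRequiredActions(new HashSet<UserModel.RequiredAction>(requiredActions));
            // Expiration is in seconds since the epoch; user interaction gets its own lifespan.
            accessCode.setExpiration((System.currentTimeMillis() / 1000) + this.realm.getAccessCodeLifespanUserAction());
            return Flows.forms(this.realm, this.request, this.uriInfo)
                    .setAccessCode(accessCode)
                    .setUser(userModel2)
                    .forwardToAction(userModel2.getRequiredActions().iterator().next());
        }

        if (needsGrantPage) {
            accessCode.setExpiration((System.currentTimeMillis() / 1000) + this.realm.getAccessCodeLifespanUserAction());
            return oauthGrantPage(accessCode, userModel);
        }

        if (str3 != null) {
            return redirectAccessCode(accessCode, str2, str3);
        }
        return null;
    }

    /**
     * Forwards to the OAuth grant page where the user approves the requested roles.
     *
     * <p>The requested realm and resource roles, the client, the form action URL and the
     * access code are exposed to the page as request attributes. The access code value is
     * therefore available to the rendered page; how the template emits it is not visible
     * in this class.
     *
     * @param accessCodeEntry access code awaiting the user's approval
     * @param userModel the client requesting access; exposed as the {@code client} attribute
     * @return the response produced by the grant form
     */
    public Response oauthGrantPage(AccessCodeEntry accessCodeEntry, UserModel userModel) {
        String actionUrl = TokenService.processOAuthUrl(this.uriInfo).build(this.realm.getId()).toString();
        this.request.setAttribute("realmRolesRequested", accessCodeEntry.getRealmRolesRequested());
        this.request.setAttribute("resourceRolesRequested", accessCodeEntry.getResourceRolesRequested());
        this.request.setAttribute("client", userModel);
        this.request.setAttribute("action", actionUrl);
        this.request.setAttribute(FormFlows.CODE, accessCodeEntry.getCode());
        return Flows.forms(this.realm, this.request, this.uriInfo).setAccessCode(accessCodeEntry).forwardToOAuthGrant();
    }

    /**
     * Forwards to the error page with the given message.
     *
     * @param str error message set on the form before forwarding
     * @return the response produced by the error page
     */
    public Response forwardToSecurityFailure(String str) {
        return Flows.forms(this.realm, this.request, this.uriInfo).setError(str).forwardToErrorPage();
    }
}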
