package org.keycloak.services.managers;

import java.net.URI;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.NewCookie;
import javax.ws.rs.core.UriInfo;
import org.jboss.resteasy.jose.jws.JWSBuilder;
import org.jboss.resteasy.jwt.JsonSerialization;
import org.jboss.resteasy.logging.Logger;
import org.jboss.resteasy.spi.HttpResponse;
import org.jboss.resteasy.spi.ResteasyProviderFactory;
import org.keycloak.RSATokenVerifier;
import org.keycloak.VerificationException;
import org.keycloak.models.Constants;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RequiredCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.representations.SkeletonKeyToken;
import org.keycloak.services.resources.AccountService;
import org.keycloak.services.resources.RealmsResource;
import org.keycloak.services.resources.SaasService;

/* loaded from: input_file:WEB-INF/lib/keycloak-services-1.0-alpha-1-12062013.jar:org/keycloak/services/managers/AuthenticationManager.class */
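/**
 * Issues, verifies and expires the signed identity tokens used for browser sessions
 * (identity cookies) and API access (bearer tokens), and performs the form-based
 * credential check.
 *
 * <p>Identity tokens are {@link SkeletonKeyToken}s serialised to JSON and signed RS256
 * with the realm's private key. They are verified with the realm's public key, using the
 * realm id as the expected audience, and are only accepted while still active and while
 * the principal (and the {@code issuedFor} client, when present) still resolves to an
 * enabled user of the realm.</p>
 *
 * <p>Cookie-based authentication fails softly (returns {@code null} and expires the realm
 * identity cookie); bearer-token authentication fails hard with a
 * {@link NotAuthorizedException} carrying a {@code Bearer} challenge or an error code.</p>
 */
public class AuthenticationManager {
    protected Logger logger = Logger.getLogger(AuthenticationManager.class);
    /** Login-form field carrying the user name. */
    public static final String FORM_USERNAME = "username";
    /** Name of the realm-scoped identity cookie. */
    public static final String KEYCLOAK_IDENTITY_COOKIE = "KEYCLOAK_IDENTITY";

    /**
     * Outcome of a successful token verification: the verified token, the user it names
     * as principal and, when the token carries an {@code issuedFor} claim, the client
     * user it was issued for.
     *
     * <p>The user/client setters are package-private so only this package can populate
     * a verified identity.</p>
     */
    public static class Auth {
        private final SkeletonKeyToken token;
        private UserModel user;
        private UserModel client;

        /** @param skeletonKeyToken the already-verified token this identity is based on */
        public Auth(SkeletonKeyToken skeletonKeyToken) {
            this.token = skeletonKeyToken;
        }

        /** @return the verified token */
        public SkeletonKeyToken getToken() {
            return this.token;
        }

        /** @return the enabled user named by the token's principal claim */
        public UserModel getUser() {
            return this.user;
        }

        /** @return the client the token was issued for, or {@code null} when the token has no {@code issuedFor} claim */
        public UserModel getClient() {
            return this.client;
        }

        void setUser(UserModel userModel) {
            this.user = userModel;
        }

        void setClient(UserModel userModel) {
            this.client = userModel;
        }
    }

    /** Result of {@link #authenticateForm}. */
    public enum AuthenticationStatus {
        /** Credentials valid and the user has no pending required actions. */
        SUCCESS,
        /** User exists but is disabled. */
        ACCOUNT_DISABLED,
        /** Credentials valid but the user has required actions to complete first. */
        ACTIONS_REQUIRED,
        /** No user was resolved for the submitted user name. */
        INVALID_USER,
        /** Password (or password + TOTP) rejected by the realm. */
        INVALID_CREDENTIALS,
        /** Form did not carry a password. */
        MISSING_PASSWORD,
        /** User has TOTP configured but the form did not carry a TOTP code. */
        MISSING_TOTP,
        /** The realm's required credential types do not include a password, so nothing can be checked. */
        FAILED
    }

    /**
     * Builds an unsigned identity token for the given principal scoped to the realm.
     *
     * @param realmModel realm the token is issued for; its id becomes the audience
     * @param str        principal (login name) the token identifies
     * @return token with a generated id, issued now and, when the realm configures a
     *         positive token lifespan, an expiration of now + lifespan in seconds since
     *         the epoch (no expiration claim otherwise)
     */
    public SkeletonKeyToken createIdentityToken(RealmModel realmModel, String str) {
        SkeletonKeyToken token = new SkeletonKeyToken();
        token.m260id(RealmManager.generateId());
        token.issuedNow();
        token.m254principal(str);
        token.m255audience(realmModel.getId());
        long lifespan = realmModel.getTokenLifespan();
        if (lifespan > 0) {
            // Expiration is expressed in seconds since the epoch.
            token.m259expiration((System.currentTimeMillis() / 1000) + lifespan);
        }
        return token;
    }

    /**
     * Creates the realm identity cookie for {@code userModel}, scoped to the realm's
     * base URL path.
     */
    public NewCookie createLoginCookie(RealmModel realmModel, UserModel userModel, UriInfo uriInfo) {
        return createLoginCookie(realmModel, userModel, null, KEYCLOAK_IDENTITY_COOKIE, realmCookiePath(realmModel, uriInfo));
    }

    /**
     * Creates the SaaS identity cookie for {@code userModel}, scoped to the SaaS cookie
     * path.
     */
    public NewCookie createSaasIdentityCookie(RealmModel realmModel, UserModel userModel, UriInfo uriInfo) {
        return createLoginCookie(realmModel, userModel, null, SaasService.SAAS_IDENTITY_COOKIE, saasCookiePath(uriInfo));
    }

    /**
     * Creates the account identity cookie for {@code userModel}, issued for the client
     * {@code userModel2}, scoped to the path of {@code uri}.
     */
    public NewCookie createAccountIdentityCookie(RealmModel realmModel, UserModel userModel, UserModel userModel2, URI uri) {
        return createLoginCookie(realmModel, userModel, userModel2, AccountService.ACCOUNT_IDENTITY_COOKIE, uri.getPath());
    }

    /**
     * Mints a signed identity token for {@code userModel} and wraps it in a cookie.
     *
     * <p>The cookie is HttpOnly unconditionally; the Secure flag follows the realm's SSL
     * policy ({@code !isSslNotRequired()}). Max-age is -1, i.e. a session cookie; no
     * domain or comment is set.</p>
     *
     * @param realmModel realm whose private key signs the token
     * @param userModel  user whose login name becomes the token principal
     * @param userModel2 client the token is issued for, or {@code null} for none; when set,
     *                   verification later requires that client to exist and be enabled
     * @param str        cookie name
     * @param str2       cookie path
     */
    protected NewCookie createLoginCookie(RealmModel realmModel, UserModel userModel, UserModel userModel2, String str, String str2) {
        SkeletonKeyToken token = createIdentityToken(realmModel, userModel.getLoginName());
        if (userModel2 != null) {
            token.issuedFor(userModel2.getLoginName());
        }
        String signedToken = encodeToken(realmModel, token);
        boolean secure = !realmModel.isSslNotRequired();
        // Only the cookie name and path are logged, never the token value.
        this.logger.debug("creatingLoginCookie - name: {0} path: {1}", str, str2);
        return new NewCookie(str, signedToken, str2, (String) null, (String) null, -1, secure, true);
    }

    /**
     * Serialises {@code obj} to JSON and signs it RS256 with the realm's private key.
     *
     * @return the compact JWS string
     * @throws RuntimeException wrapping any serialisation or signing failure (cause preserved)
     */
    protected String encodeToken(RealmModel realmModel, Object obj) {
        try {
            byte[] payload = JsonSerialization.toByteArray(obj, false);
            return new JWSBuilder().content(payload).rsa256(realmModel.getPrivateKey());
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /** Expires the realm identity cookie on the current response. */
    public void expireIdentityCookie(RealmModel realmModel, UriInfo uriInfo) {
        this.logger.debug("Expiring identity cookie");
        expireCookie(KEYCLOAK_IDENTITY_COOKIE, realmCookiePath(realmModel, uriInfo));
    }

    /** Expires the SaaS identity cookie on the current response. */
    public void expireSaasIdentityCookie(UriInfo uriInfo) {
        expireCookie(SaasService.SAAS_IDENTITY_COOKIE, saasCookiePath(uriInfo));
    }

    /** Expires the account identity cookie (scoped to the path of {@code uri}) on the current response. */
    public void expireAccountIdentityCookie(URI uri) {
        expireCookie(AccountService.ACCOUNT_IDENTITY_COOKIE, uri.getPath());
    }

    /**
     * Adds an empty, max-age 0 cookie named {@code str} at path {@code str2} to the
     * current RESTEasy {@link HttpResponse}, which instructs the browser to drop it.
     * Does nothing (apart from a debug log) when no response is bound to the current
     * thread.
     */
    public void expireCookie(String str, String str2) {
        HttpResponse response = ResteasyProviderFactory.getContextData(HttpResponse.class);
        if (response == null) {
            this.logger.debug("can't expire identity cookie, no HttpResponse");
            return;
        }
        this.logger.debug("Expiring cookie: {0} path: {1}", str, str2);
        response.addNewCookie(new NewCookie(str, "", str2, (String) null, "Expiring cookie", 0, false));
    }

    /**
     * Authenticates the request via the realm identity cookie.
     *
     * @return the enabled user named by a valid cookie, or {@code null} when the cookie
     *         is absent, invalid, expired or names an unknown/disabled user
     */
    public UserModel authenticateIdentityCookie(RealmModel realmModel, UriInfo uriInfo, HttpHeaders httpHeaders) {
        return userOf(authenticateIdentityCookie(realmModel, uriInfo, httpHeaders, KEYCLOAK_IDENTITY_COOKIE));
    }

    /**
     * Authenticates the request via the SaaS identity cookie.
     *
     * @return the enabled user named by a valid cookie, or {@code null} on any failure
     */
    public UserModel authenticateSaasIdentityCookie(RealmModel realmModel, UriInfo uriInfo, HttpHeaders httpHeaders) {
        return userOf(authenticateIdentityCookie(realmModel, uriInfo, httpHeaders, SaasService.SAAS_IDENTITY_COOKIE));
    }

    /**
     * Authenticates the request via the account identity cookie.
     *
     * @return the verified identity (user plus issued-for client), or {@code null} on any failure
     */
    public Auth authenticateAccountIdentityCookie(RealmModel realmModel, UriInfo uriInfo, HttpHeaders httpHeaders) {
        return authenticateIdentityCookie(realmModel, uriInfo, httpHeaders, AccountService.ACCOUNT_IDENTITY_COOKIE);
    }

    /**
     * Authenticates a SaaS request: the SaaS identity cookie first, then a bearer token.
     *
     * @return the authenticated user, or {@code null} when neither a valid cookie nor an
     *         Authorization header is present
     * @throws NotAuthorizedException when an Authorization header is present but rejected
     */
    public UserModel authenticateSaasIdentity(RealmModel realmModel, UriInfo uriInfo, HttpHeaders httpHeaders) {
        UserModel cookieUser = authenticateSaasIdentityCookie(realmModel, uriInfo, httpHeaders);
        if (cookieUser != null) {
            return cookieUser;
        }
        return userOf(authenticateBearerToken(realmModel, httpHeaders));
    }

    /**
     * Authenticates an account request: the account identity cookie first, then a
     * bearer token.
     *
     * @return the verified identity, or {@code null} when neither a valid cookie nor an
     *         Authorization header is present
     * @throws NotAuthorizedException when an Authorization header is present but rejected
     */
    public Auth authenticateAccountIdentity(RealmModel realmModel, UriInfo uriInfo, HttpHeaders httpHeaders) {
        Auth cookieAuth = authenticateAccountIdentityCookie(realmModel, uriInfo, httpHeaders);
        if (cookieAuth != null) {
            return cookieAuth;
        }
        return authenticateBearerToken(realmModel, httpHeaders);
    }

    /**
     * Verifies the identity cookie named {@code str} against the realm.
     *
     * <p>Failure never throws: an absent cookie yields {@code null}; a cookie that fails
     * signature/audience verification, is no longer active, or names an unknown or
     * disabled principal or {@code issuedFor} client yields {@code null} after expiring
     * the realm identity cookie.</p>
     *
     * <p>NOTE(review): every failure path calls {@link #expireIdentityCookie}, which
     * expires {@link #KEYCLOAK_IDENTITY_COOKIE} at the realm path regardless of which
     * cookie {@code str} named. When {@code str} is the SaaS or account cookie, the
     * rejected cookie itself is therefore left in the browser and will be re-sent; clearing
     * it here would need the caller to supply that cookie's path.</p>
     *
     * @param str cookie name to look up
     * @return the verified identity, or {@code null}
     */
    protected Auth authenticateIdentityCookie(RealmModel realmModel, UriInfo uriInfo, HttpHeaders httpHeaders, String str) {
        Cookie cookie = httpHeaders.getCookies().get(str);
        if (cookie == null) {
            this.logger.debug("authenticateCookie could not find cookie: {0}", str);
            return null;
        }
        try {
            SkeletonKeyToken token = RSATokenVerifier.verifyToken(cookie.getValue(), realmModel.getPublicKey(), realmModel.getId());
            if (!token.isActive()) {
                this.logger.debug("identity cookie expired");
                expireIdentityCookie(realmModel, uriInfo);
                return null;
            }
            UserModel user = realmModel.getUser(token.getPrincipal());
            if (user == null || !user.isEnabled()) {
                this.logger.debug("Unknown user in identity cookie");
                expireIdentityCookie(realmModel, uriInfo);
                return null;
            }
            Auth auth = new Auth(token);
            auth.setUser(user);
            if (token.getIssuedFor() != null) {
                // A token bound to a client is only honoured while that client is still an enabled user.
                UserModel client = realmModel.getUser(token.getIssuedFor());
                if (client == null || !client.isEnabled()) {
                    this.logger.debug("Unknown client in identity cookie");
                    expireIdentityCookie(realmModel, uriInfo);
                    return null;
                }
                auth.setClient(client);
            }
            return auth;
        } catch (VerificationException e) {
            this.logger.debug("Failed to verify identity cookie", e);
            expireIdentityCookie(realmModel, uriInfo);
            return null;
        }
    }

    /**
     * Authenticates the request via an {@code Authorization: Bearer <token>} header.
     *
     * <p>Unlike the cookie path this fails hard: any present but unusable header is
     * rejected with a {@link NotAuthorizedException}.</p>
     *
     * @return the verified identity, or {@code null} when no Authorization header is present
     * @throws NotAuthorizedException with challenge {@code Bearer} when the header is not
     *         exactly two whitespace-separated parts starting with {@code Bearer};
     *         {@code invalid_token} when signature/audience verification fails;
     *         {@code token_expired} when the token is no longer active;
     *         {@code invalid_user} when the principal or issued-for client is unknown or disabled
     */
    public Auth authenticateBearerToken(RealmModel realmModel, HttpHeaders httpHeaders) {
        String authorization = httpHeaders.getHeaderString("Authorization");
        if (authorization == null) {
            return null;
        }
        // String.split never returns null, so only the shape of the header needs checking.
        String[] parts = authorization.trim().split("\\s+");
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Bearer")) {
            throw new NotAuthorizedException("Bearer");
        }
        try {
            SkeletonKeyToken token = RSATokenVerifier.verifyToken(parts[1], realmModel.getPublicKey(), realmModel.getId());
            if (!token.isActive()) {
                throw new NotAuthorizedException("token_expired");
            }
            UserModel user = realmModel.getUser(token.getPrincipal());
            if (user == null || !user.isEnabled()) {
                throw new NotAuthorizedException("invalid_user");
            }
            Auth auth = new Auth(token);
            auth.setUser(user);
            if (token.getIssuedFor() != null) {
                UserModel client = realmModel.getUser(token.getIssuedFor());
                if (client == null || !client.isEnabled()) {
                    throw new NotAuthorizedException("invalid_user");
                }
                auth.setClient(client);
            }
            return auth;
        } catch (VerificationException e) {
            // NOTE(review): this is reachable by any unauthenticated client sending a garbage
            // token and is logged at ERROR with a stack trace, whereas the identical condition
            // on the cookie path is logged at DEBUG; consider aligning the levels.
            this.logger.error("Failed to verify token", e);
            throw new NotAuthorizedException("invalid_token");
        }
    }

    /**
     * Checks the credentials submitted in a login form against {@code userModel}.
     *
     * <p>The set of required credential types is chosen by the user's role: users with
     * {@code APPLICATION_ROLE} use the realm's required application credentials, users
     * with {@code IDENTITY_REQUESTER_ROLE} the required OAuth-client credentials, all
     * others the realm's default required credentials. Only the {@code password} type is
     * handled here. When the user has TOTP configured both the password and the
     * {@code totp} form field are handed to the realm's TOTP validation; otherwise only
     * the password is validated.</p>
     *
     * @param realmModel     realm performing the validation
     * @param userModel      user resolved from the form's user name, or {@code null} if none
     * @param multivaluedMap submitted form fields ({@code password}, optionally {@code totp})
     * @return the outcome; see {@link AuthenticationStatus}
     */
    public AuthenticationStatus authenticateForm(RealmModel realmModel, UserModel userModel, MultivaluedMap<String, String> multivaluedMap) {
        if (userModel == null) {
            this.logger.debug("Not Authenticated! Incorrect user name");
            return AuthenticationStatus.INVALID_USER;
        }
        if (!userModel.isEnabled()) {
            this.logger.debug("Account is disabled, contact admin.");
            return AuthenticationStatus.ACCOUNT_DISABLED;
        }
        Set<String> credentialTypes = new HashSet<String>();
        for (RequiredCredentialModel credential : requiredCredentialsFor(realmModel, userModel)) {
            credentialTypes.add(credential.getType());
        }
        if (!credentialTypes.contains("password")) {
            this.logger.warn("Do not know how to authenticate user");
            return AuthenticationStatus.FAILED;
        }
        String password = multivaluedMap.getFirst("password");
        if (password == null) {
            this.logger.warn("Password not provided");
            return AuthenticationStatus.MISSING_PASSWORD;
        }
        if (userModel.isTotp()) {
            String totp = multivaluedMap.getFirst("totp");
            if (totp == null) {
                this.logger.warn("TOTP token not provided");
                return AuthenticationStatus.MISSING_TOTP;
            }
            this.logger.debug("validating TOTP");
            if (!realmModel.validateTOTP(userModel, password, totp)) {
                return AuthenticationStatus.INVALID_CREDENTIALS;
            }
        } else {
            // Only the login name is logged; the password never is.
            this.logger.debug("validating password for user: " + userModel.getLoginName());
            if (!realmModel.validatePassword(userModel, password)) {
                return AuthenticationStatus.INVALID_CREDENTIALS;
            }
        }
        if (!userModel.getRequiredActions().isEmpty()) {
            return AuthenticationStatus.ACTIONS_REQUIRED;
        }
        return AuthenticationStatus.SUCCESS;
    }

    /** Required credential set for {@code userModel}, chosen by role (application, then identity requester, then default). */
    private static Iterable<RequiredCredentialModel> requiredCredentialsFor(RealmModel realmModel, UserModel userModel) {
        if (realmModel.hasRole(userModel, Constants.APPLICATION_ROLE)) {
            return realmModel.getRequiredApplicationCredentials();
        }
        if (realmModel.hasRole(userModel, Constants.IDENTITY_REQUESTER_ROLE)) {
            return realmModel.getRequiredOAuthClientCredentials();
        }
        return realmModel.getRequiredCredentials();
    }

    /** Path the realm identity cookie is scoped to: the realm's base URL path. */
    private static String realmCookiePath(RealmModel realmModel, UriInfo uriInfo) {
        return RealmsResource.realmBaseUrl(uriInfo).build(realmModel.getId()).getPath();
    }

    /** Path the SaaS identity cookie is scoped to. */
    private static String saasCookiePath(UriInfo uriInfo) {
        return SaasService.saasCookiePath(uriInfo).build().getPath();
    }

    /** @return the user of {@code auth}, or {@code null} when {@code auth} is {@code null} */
    private static UserModel userOf(Auth auth) {
        return auth != null ? auth.getUser() : null;
    }
}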
