package org.keycloak.authentication;

import java.util.List;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import org.jboss.logging.Logger;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.ClientConnection;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.AuthenticatorModel;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.services.ErrorPage;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.BruteForceProtector;
import org.keycloak.services.messages.Messages;

/* loaded from: input_file:org/keycloak/authentication/AuthenticationProcessor.class */
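/**
 * Drives a realm's authentication flow for one {@link ClientSessionModel}.
 * <p>
 * {@link #processFlow(String)} walks the executions of a flow in order, instantiates
 * each {@link Authenticator} through the session's provider factory, runs it against a
 * {@link Result} context and records the outcome per execution on the client session
 * ({@link ClientSessionModel#setAuthenticatorStatus}). A non-null {@link Response} from
 * the flow is a challenge (or error page) that must be sent back to the browser; a null
 * result means the flow finished and the caller may create/attach the user session.
 * <p>
 * Failures are signalled with {@link AuthException}; {@link #handleBrowserException}
 * converts them into an audit event plus an error page.
 * <p>
 * Review fixes applied relative to the decompiled original:
 * <ul>
 *   <li>{@link #validateUser} no longer dereferences a null user when brute-force
 *       protection is enabled (it is called before any user is known).</li>
 *   <li>{@link #authenticateOnly} throws {@code UNKNOWN_USER} instead of NPE when the
 *       flow finished without a user, matching {@link #authenticate}.</li>
 *   <li>An execution whose credential is not configured for the user
 *       (SETUP_REQUIRED / SKIPPED) is no longer executed anyway, which used to
 *       overwrite that status with the authenticator's own result.</li>
 *   <li>A flow referencing a missing authenticator model or provider raises
 *       {@code INTERNAL_ERROR} instead of NPE, and {@code INTERNAL_ERROR} is reported as
 *       an unexpected error rather than as "invalid user".</li>
 * </ul>
 */
public class AuthenticationProcessor {
    protected static Logger logger = Logger.getLogger(AuthenticationProcessor.class);
    protected RealmModel realm;
    /** Set by {@link Result#attachUserSession} or created by this processor once the flow succeeds. */
    protected UserSessionModel userSession;
    protected ClientSessionModel clientSession;
    protected ClientConnection connection;
    protected UriInfo uriInfo;
    protected KeycloakSession session;
    protected BruteForceProtector protector;
    protected EventBuilder event;
    protected HttpRequest request;
    /** Id of the top-level flow handed to {@link #processFlow(String)}. */
    protected String flowId;
    protected String action;
    protected String forwardedErrorMessage;
    /** True only when {@link #authenticateOnly} created the user session itself. */
    protected boolean userSessionCreated;

    /**
     * Unchecked exception carrying an {@link Error} code; thrown by the processor and
     * by authenticators via {@link Result#setUser}.
     */
    public static class AuthException extends RuntimeException {
        private final Error error;

        public AuthException(Error error) {
            this.error = error;
        }

        public AuthException(String str, Error error) {
            super(str);
            this.error = error;
        }

        public AuthException(String str, Throwable th, Error error) {
            super(str, th);
            this.error = error;
        }

        public AuthException(Throwable th, Error error) {
            super(th);
            this.error = error;
        }

        public AuthException(String str, Throwable th, boolean z, boolean z2, Error error) {
            super(str, th, z, z2);
            this.error = error;
        }

        /** @return the error code this exception was created with (may be null if the caller passed null) */
        public Error getError() {
            return this.error;
        }
    }

    /** Reason an authentication attempt was rejected; mapped to pages/events in {@link #handleBrowserException}. */
    public enum Error {
        INVALID_CLIENT_SESSION,
        INVALID_USER,
        INVALID_CREDENTIALS,
        CREDENTIAL_SETUP_REQUIRED,
        USER_DISABLED,
        USER_CONFLICT,
        USER_TEMPORARILY_DISABLED,
        INTERNAL_ERROR,
        UNKNOWN_USER
    }

    /**
     * Per-execution context handed to an {@link Authenticator}. Deliberately a non-static
     * inner class: it reads and writes the enclosing processor's state (user session,
     * action, event, ...). The decompiled original reports this was {@code private};
     * it is kept {@code public} here so the visible interface is unchanged.
     */
    public class Result implements AuthenticatorContext {
        AuthenticatorModel model;
        AuthenticationExecutionModel execution;
        Authenticator authenticator;
        Status status;
        Response challenge;
        Error error;

        private Result(AuthenticationExecutionModel authenticationExecutionModel, AuthenticatorModel authenticatorModel, Authenticator authenticator) {
            this.execution = authenticationExecutionModel;
            this.model = authenticatorModel;
            this.authenticator = authenticator;
        }

        @Override // org.keycloak.authentication.AuthenticatorContext
        public AuthenticationExecutionModel getExecution() {
            return this.execution;
        }

        @Override // org.keycloak.authentication.AuthenticatorContext
        public void setExecution(AuthenticationExecutionModel authenticationExecutionModel) {
            this.execution = authenticationExecutionModel;
        }

        @Override // org.keycloak.authentication.AuthenticatorContext
        public AuthenticatorModel getAuthenticatorModel() {
            return this.model;
        }

        @Override // org.keycloak.authentication.AuthenticatorContext
        public void setAuthenticatorModel(AuthenticatorModel authenticatorModel) {
            this.model = authenticatorModel;
        }

        @Override // org.keycloak.authentication.AuthenticatorContext
        public String getAction() {
            return AuthenticationProcessor.this.action;
        }

        @Override // org.keycloak.authentication.AuthenticatorContext
        public Authenticator getAuthenticator() {
            return this.authenticator;
        }

        @Override // org.keycloak.authentication.AuthenticatorContext
        public void setAuthenticator(Authenticator authenticator) {
            this.authenticator = authenticator;
        }

        @Override // org.keycloak.authentication.AuthenticatorContext
        public Status getStatus() {
            return this.status;
        }

        /** Marks the execution as passed. */
        @Override // org.keycloak.authentication.AuthenticatorContext
        public void success() {
            this.status = Status.SUCCESS;
        }

        /** Marks the execution as failed with no page to show; {@link #processFlow} will throw {@code error}. */
        @Override // org.keycloak.authentication.AuthenticatorContext
        public void failure(Error error) {
            this.status = Status.FAILED;
            this.error = error;
        }

        /** A challenge that may be deferred if the execution is ALTERNATIVE (see {@link #processFlow}). */
        @Override // org.keycloak.authentication.AuthenticatorContext
        public void challenge(Response response) {
            this.status = Status.CHALLENGE;
            this.challenge = response;
        }

        /** A challenge that is always returned to the browser, whatever the execution's requirement. */
        @Override // org.keycloak.authentication.AuthenticatorContext
        public void forceChallenge(Response response) {
            this.status = Status.FORCE_CHALLENGE;
            this.challenge = response;
        }

        /** A failed attempt that re-renders a page (e.g. the form with an error) instead of aborting. */
        @Override // org.keycloak.authentication.AuthenticatorContext
        public void failureChallenge(Error error, Response response) {
            this.error = error;
            this.status = Status.FAILURE_CHALLENGE;
            this.challenge = response;
        }

        /** Marks the execution as failed; {@code response} is returned to the browser instead of throwing. */
        @Override // org.keycloak.authentication.AuthenticatorContext
        public void failure(Error error, Response response) {
            this.error = error;
            this.status = Status.FAILED;
            this.challenge = response;
        }

        /** The authenticator ran but neither passed nor failed (allowed only for non-REQUIRED executions). */
        @Override // org.keycloak.authentication.AuthenticatorContext
        public void attempted() {
            this.status = Status.ATTEMPTED;
        }

        @Override // org.keycloak.authentication.AuthenticatorContext
        public UserModel getUser() {
            return getClientSession().getAuthenticatedUser();
        }

        /**
         * Binds the user the authenticator identified to the client session.
         *
         * @throws AuthException {@code USER_CONFLICT} if a different user was already bound,
         *         or whatever {@link AuthenticationProcessor#validateUser} raises
         *         (disabled / temporarily locked out)
         */
        @Override // org.keycloak.authentication.AuthenticatorContext
        public void setUser(UserModel userModel) {
            UserModel current = getUser();
            // Two executions in one flow must not silently swap the identity being authenticated.
            if (current != null && !userModel.getId().equals(current.getId())) {
                throw new AuthException(Error.USER_CONFLICT);
            }
            AuthenticationProcessor.this.validateUser(userModel);
            getClientSession().setAuthenticatedUser(userModel);
        }

        @Override // org.keycloak.authentication.AuthenticatorContext
        public RealmModel getRealm() {
            return AuthenticationProcessor.this.getRealm();
        }

        @Override // org.keycloak.authentication.AuthenticatorContext
        public ClientSessionModel getClientSession() {
            return AuthenticationProcessor.this.getClientSession();
        }

        @Override // org.keycloak.authentication.AuthenticatorContext
        public ClientConnection getConnection() {
            return AuthenticationProcessor.this.getConnection();
        }

        @Override // org.keycloak.authentication.AuthenticatorContext
        public UriInfo getUriInfo() {
            return AuthenticationProcessor.this.getUriInfo();
        }

        @Override // org.keycloak.authentication.AuthenticatorContext
        public KeycloakSession getSession() {
            return AuthenticationProcessor.this.getSession();
        }

        @Override // org.keycloak.authentication.AuthenticatorContext
        public HttpRequest getHttpRequest() {
            return AuthenticationProcessor.this.request;
        }

        /** Lets an authenticator (e.g. cookie/SSO) reuse an existing user session instead of creating one. */
        @Override // org.keycloak.authentication.AuthenticatorContext
        public void attachUserSession(UserSessionModel userSessionModel) {
            AuthenticationProcessor.this.userSession = userSessionModel;
        }

        @Override // org.keycloak.authentication.AuthenticatorContext
        public BruteForceProtector getProtector() {
            return AuthenticationProcessor.this.protector;
        }

        @Override // org.keycloak.authentication.AuthenticatorContext
        public EventBuilder getEvent() {
            return AuthenticationProcessor.this.event;
        }

        @Override // org.keycloak.authentication.AuthenticatorContext
        public String getForwardedErrorMessage() {
            return AuthenticationProcessor.this.forwardedErrorMessage;
        }
    }

    /** Outcome an authenticator reports through {@link Result}. */
    public enum Status {
        SUCCESS,
        CHALLENGE,
        FORCE_CHALLENGE,
        FAILURE_CHALLENGE,
        FAILED,
        ATTEMPTED
    }

    public RealmModel getRealm() {
        return this.realm;
    }

    public ClientSessionModel getClientSession() {
        return this.clientSession;
    }

    public ClientConnection getConnection() {
        return this.connection;
    }

    public UriInfo getUriInfo() {
        return this.uriInfo;
    }

    public KeycloakSession getSession() {
        return this.session;
    }

    public UserSessionModel getUserSession() {
        return this.userSession;
    }

    public boolean isUserSessionCreated() {
        return this.userSessionCreated;
    }

    public AuthenticationProcessor setRealm(RealmModel realmModel) {
        this.realm = realmModel;
        return this;
    }

    public AuthenticationProcessor setClientSession(ClientSessionModel clientSessionModel) {
        this.clientSession = clientSessionModel;
        return this;
    }

    public AuthenticationProcessor setConnection(ClientConnection clientConnection) {
        this.connection = clientConnection;
        return this;
    }

    public AuthenticationProcessor setUriInfo(UriInfo uriInfo) {
        this.uriInfo = uriInfo;
        return this;
    }

    public AuthenticationProcessor setSession(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
        return this;
    }

    public AuthenticationProcessor setProtector(BruteForceProtector bruteForceProtector) {
        this.protector = bruteForceProtector;
        return this;
    }

    public AuthenticationProcessor setEventBuilder(EventBuilder eventBuilder) {
        this.event = eventBuilder;
        return this;
    }

    public AuthenticationProcessor setRequest(HttpRequest httpRequest) {
        this.request = httpRequest;
        return this;
    }

    public AuthenticationProcessor setFlowId(String str) {
        this.flowId = str;
        return this;
    }

    public AuthenticationProcessor setAction(String str) {
        this.action = str;
        return this;
    }

    public AuthenticationProcessor setForwardedErrorMessage(String str) {
        this.forwardedErrorMessage = str;
        return this;
    }

    /**
     * Hook invoked on every FAILED / FAILURE_CHALLENGE result. Intentionally a no-op
     * here; subclasses may override (e.g. to feed the brute-force protector).
     */
    public void logUserFailure() {
    }

    /**
     * Whether this execution needs no further work in the current flow run: it is
     * disabled, or the client session already records it as SUCCESS, SKIPPED,
     * ATTEMPTED or SETUP_REQUIRED. CHALLENGED and FAILED executions are re-run.
     */
    protected boolean isProcessed(AuthenticationExecutionModel authenticationExecutionModel) {
        if (authenticationExecutionModel.isDisabled()) {
            return true;
        }
        UserSessionModel.AuthenticatorStatus status =
                (UserSessionModel.AuthenticatorStatus) this.clientSession.getAuthenticators().get(authenticationExecutionModel.getId());
        if (status == null) {
            return false;
        }
        switch (status) {
            case SUCCESS:
            case SKIPPED:
            case ATTEMPTED:
            case SETUP_REQUIRED:
                return true;
            default:
                return false;
        }
    }

    /** True only when the client session records this execution as SUCCESS. */
    public boolean isSuccessful(AuthenticationExecutionModel authenticationExecutionModel) {
        UserSessionModel.AuthenticatorStatus status =
                (UserSessionModel.AuthenticatorStatus) this.clientSession.getAuthenticators().get(authenticationExecutionModel.getId());
        return status == UserSessionModel.AuthenticatorStatus.SUCCESS;
    }

    /**
     * Turns an exception raised during the flow into an audit event and an error page.
     * <p>
     * NOTE(review): INVALID_USER, USER_DISABLED and USER_TEMPORARILY_DISABLED each render a
     * distinct page, so an unauthenticated caller can tell "no such account" from
     * "account disabled" from "account locked out" — confirm that disclosure is acceptable
     * for the realm. Every failure is also logged at ERROR with a stack trace, which is
     * noisy under a credential-stuffing run; consider lowering that level.
     *
     * @param exc the exception caught by the caller; {@link AuthException} is mapped by
     *            its {@link Error}, anything else is reported as an unexpected error
     * @return the error page to send back to the browser
     */
    public Response handleBrowserException(Exception exc) {
        if (!(exc instanceof AuthException)) {
            logger.error("failed authentication", exc);
            this.event.error("invalid_user_credentials");
            return ErrorPage.error(this.session, Messages.UNEXPECTED_ERROR_HANDLING_REQUEST, new Object[0]);
        }
        AuthException authException = (AuthException) exc;
        Error error = authException.getError();
        logger.error("failed authentication: " + error, authException);
        if (error != null) {
            switch (error) {
                case INVALID_USER:
                    this.event.error("user_not_found");
                    return ErrorPage.error(this.session, Messages.INVALID_USER, new Object[0]);
                case USER_DISABLED:
                    this.event.error("user_disabled");
                    return ErrorPage.error(this.session, Messages.ACCOUNT_DISABLED, new Object[0]);
                case USER_TEMPORARILY_DISABLED:
                    this.event.error("user_temporarily_disabled");
                    return ErrorPage.error(this.session, Messages.ACCOUNT_TEMPORARILY_DISABLED, new Object[0]);
                case INVALID_CLIENT_SESSION:
                    this.event.error("invalid_code");
                    return ErrorPage.error(this.session, Messages.INVALID_CODE, new Object[0]);
                case INTERNAL_ERROR:
                    // Misconfigured flow / missing provider: a server fault, not a bad login.
                    // Report it like the generic-exception path above instead of "invalid user".
                    this.event.error("invalid_user_credentials");
                    return ErrorPage.error(this.session, Messages.UNEXPECTED_ERROR_HANDLING_REQUEST, new Object[0]);
                default:
                    break;
            }
        }
        // INVALID_CREDENTIALS, CREDENTIAL_SETUP_REQUIRED, USER_CONFLICT, UNKNOWN_USER (and a
        // null code) all collapse to the generic invalid-user page.
        this.event.error("invalid_user_credentials");
        return ErrorPage.error(this.session, Messages.INVALID_USER, new Object[0]);
    }

    /**
     * Runs the configured flow and, when it completes, creates/attaches the user session
     * and moves on to required actions (see {@link #authenticationComplete()}).
     *
     * @return a challenge/error page if the flow needs input from the browser, otherwise
     *         the response of {@code AuthenticationManager.nextActionAfterAuthentication}
     * @throws AuthException {@code INVALID_CLIENT_SESSION} if the client session is not in
     *         the AUTHENTICATE action, {@code UNKNOWN_USER} if the flow finished without
     *         binding a user, or any error raised by the flow itself
     */
    public Response authenticate() throws AuthException {
        requireAuthenticateAction();
        logger.debug("AUTHENTICATE");
        beginLoginEvent();
        validateUser(this.clientSession.getAuthenticatedUser());
        Response challenge = processFlow(this.flowId);
        if (challenge != null) {
            return challenge;
        }
        if (this.clientSession.getAuthenticatedUser() == null) {
            throw new AuthException(Error.UNKNOWN_USER);
        }
        return authenticationComplete();
    }

    /**
     * Like {@link #authenticate()} but always creates the user session with auth method
     * {@code "form"} and remember-me off, flags {@link #isUserSessionCreated()}, and hands
     * off to {@code AuthenticationManager.actionRequired} instead of the normal post-login
     * redirect.
     *
     * @throws AuthException as {@link #authenticate()}; {@code UNKNOWN_USER} replaces the
     *         NullPointerException the original raised when no user was bound
     */
    public Response authenticateOnly() throws AuthException {
        requireAuthenticateAction();
        beginLoginEvent();
        validateUser(this.clientSession.getAuthenticatedUser());
        Response challenge = processFlow(this.flowId);
        if (challenge != null) {
            return challenge;
        }
        UserModel user = this.clientSession.getAuthenticatedUser();
        if (user == null) {
            // Same guard as authenticate(): a flow made only of non-required executions
            // can finish without identifying anyone.
            throw new AuthException(Error.UNKNOWN_USER);
        }
        String username = user.getUsername();
        if (this.userSession == null) {
            this.userSession = this.session.sessions().createUserSession(this.realm, user, username,
                    this.connection.getRemoteAddr(), "form", false, (String) null, (String) null);
            this.userSession.setState(UserSessionModel.State.LOGGING_IN);
            this.userSessionCreated = true;
        }
        TokenManager.attachClientSession(this.userSession, this.clientSession);
        this.event.user(this.userSession.getUser()).detail("username", username).session(this.userSession);
        return AuthenticationManager.actionRequired(this.session, this.userSession, this.clientSession,
                this.connection, this.request, this.uriInfo, this.event);
    }

    /** Records the success event and performs the post-login redirect for the current sessions. */
    public Response finishAuthentication() {
        this.event.success();
        return AuthenticationManager.redirectAfterSuccessfulFlow(this.session, this.clientSession.getRealm(),
                this.userSession, this.clientSession, this.request, this.uriInfo, this.connection);
    }

    /**
     * Executes the flow with the given id (recursively for sub-flows).
     * <p>
     * Requirement handling, as implemented below:
     * <ul>
     *   <li>Already-processed executions (see {@link #isProcessed}) are skipped; a
     *       successful ALTERNATIVE one marks its siblings as satisfied.</li>
     *   <li>Once one ALTERNATIVE execution succeeded, later ALTERNATIVE ones are SKIPPED.</li>
     *   <li>A CHALLENGE from an ALTERNATIVE execution is held back and only returned if a
     *       later execution needs a user that nobody has identified yet.</li>
     *   <li>A REQUIRED execution that is not configured for the user either adds the
     *       authenticator's required action (user setup allowed) or aborts with
     *       CREDENTIAL_SETUP_REQUIRED.</li>
     * </ul>
     *
     * @param str id of the flow to run
     * @return a response to send to the browser, or null when every execution is done
     * @throws AuthException {@code INTERNAL_ERROR} for an unknown flow, a missing
     *         authenticator model/provider, or an unrecognised result status;
     *         {@code UNKNOWN_USER}, {@code CREDENTIAL_SETUP_REQUIRED},
     *         {@code INVALID_CREDENTIALS} or an authenticator's own failure code otherwise
     */
    public Response processFlow(String str) {
        if (this.realm.getAuthenticationFlowById(str) == null) {
            logger.error("Unknown flow to execute with");
            throw new AuthException(Error.INTERNAL_ERROR);
        }
        List<AuthenticationExecutionModel> executions = this.realm.getAuthenticationExecutions(str);
        if (executions == null) {
            return null;
        }
        // Challenge produced by an ALTERNATIVE execution, kept until we know whether it is needed.
        Response deferredChallenge = null;
        AuthenticationExecutionModel deferredExecution = null;
        boolean alternativeSatisfied = false;

        for (AuthenticationExecutionModel execution : executions) {
            if (isProcessed(execution)) {
                logger.debug("execution is processed");
                if (!alternativeSatisfied && execution.isAlternative() && isSuccessful(execution)) {
                    alternativeSatisfied = true;
                }
                continue;
            }
            if (execution.isAlternative() && alternativeSatisfied) {
                this.clientSession.setAuthenticatorStatus(execution.getId(), UserSessionModel.AuthenticatorStatus.SKIPPED);
                continue;
            }
            if (execution.isAutheticatorFlow()) {
                // For a sub-flow the "authenticator" field holds the nested flow id.
                Response nested = processFlow(execution.getAuthenticator());
                if (nested != null) {
                    return nested;
                }
                this.clientSession.setAuthenticatorStatus(execution.getId(), UserSessionModel.AuthenticatorStatus.SUCCESS);
                if (execution.isAlternative()) {
                    alternativeSatisfied = true;
                }
                continue;
            }

            AuthenticatorModel authenticatorModel = this.realm.getAuthenticatorById(execution.getAuthenticator());
            if (authenticatorModel == null) {
                // Dangling reference in the flow definition; surface it as a server fault, not an NPE.
                logger.errorv("Unknown authenticator {0} referenced by execution {1}", execution.getAuthenticator(), execution.getId());
                throw new AuthException(Error.INTERNAL_ERROR);
            }
            AuthenticatorFactory factory = (AuthenticatorFactory) this.session.getKeycloakSessionFactory()
                    .getProviderFactory(Authenticator.class, authenticatorModel.getProviderId());
            if (factory == null) {
                logger.errorv("No authenticator provider registered for {0}", authenticatorModel.getProviderId());
                throw new AuthException(Error.INTERNAL_ERROR);
            }
            Authenticator authenticator = factory.create(authenticatorModel);
            logger.debugv("authenticator: {0}", authenticatorModel.getProviderId());

            UserModel authenticatedUser = this.clientSession.getAuthenticatedUser();
            if (authenticator.requiresUser() && authenticatedUser == null) {
                if (deferredChallenge == null) {
                    throw new AuthException("authenticator: " + authenticatorModel.getProviderId(), Error.UNKNOWN_USER);
                }
                // Nobody identified the user yet: fall back to the alternative's held-back challenge.
                this.clientSession.setAuthenticatorStatus(deferredExecution.getId(), UserSessionModel.AuthenticatorStatus.CHALLENGED);
                return deferredChallenge;
            }

            boolean configuredForUser = false;
            if (authenticator.requiresUser() && authenticatedUser != null) {
                configuredForUser = authenticator.configuredFor(this.session, this.realm, authenticatedUser);
                if (!configuredForUser) {
                    if (execution.isRequired()) {
                        if (!execution.isUserSetupAllowed()) {
                            throw new AuthException(Error.CREDENTIAL_SETUP_REQUIRED);
                        }
                        logger.debugv("authenticator SETUP_REQUIRED: {0}", authenticatorModel.getProviderId());
                        this.clientSession.setAuthenticatorStatus(execution.getId(), UserSessionModel.AuthenticatorStatus.SETUP_REQUIRED);
                        String requiredAction = authenticator.getRequiredAction();
                        if (!authenticatedUser.getRequiredActions().contains(requiredAction)) {
                            authenticatedUser.addRequiredAction(requiredAction);
                        }
                        // Do not run an authenticator the user cannot satisfy; the original fell
                        // through here and the authenticator's result overwrote SETUP_REQUIRED.
                        continue;
                    }
                    if (execution.isOptional()) {
                        this.clientSession.setAuthenticatorStatus(execution.getId(), UserSessionModel.AuthenticatorStatus.SKIPPED);
                        continue;
                    }
                    // ALTERNATIVE and not configured: still executed, as in the original.
                }
            }

            Result result = new Result(execution, authenticatorModel, authenticator);
            authenticator.authenticate(result);
            Status status = result.getStatus();
            if (status == null) {
                logger.debugv("authenticator INTERNAL_ERROR: {0}", authenticatorModel.getProviderId());
                logger.error("Unknown result status");
                throw new AuthException(Error.INTERNAL_ERROR);
            }
            switch (status) {
                case SUCCESS:
                    logger.debugv("authenticator SUCCESS: {0}", authenticatorModel.getProviderId());
                    this.clientSession.setAuthenticatorStatus(execution.getId(), UserSessionModel.AuthenticatorStatus.SUCCESS);
                    if (execution.isAlternative()) {
                        alternativeSatisfied = true;
                    }
                    break;
                case FAILED:
                    logger.debugv("authenticator FAILED: {0}", authenticatorModel.getProviderId());
                    logUserFailure();
                    this.clientSession.setAuthenticatorStatus(execution.getId(), UserSessionModel.AuthenticatorStatus.FAILED);
                    if (result.challenge != null) {
                        return result.challenge;
                    }
                    throw new AuthException(result.error);
                case FORCE_CHALLENGE:
                    this.clientSession.setAuthenticatorStatus(execution.getId(), UserSessionModel.AuthenticatorStatus.CHALLENGED);
                    return result.challenge;
                case CHALLENGE:
                    logger.debugv("authenticator CHALLENGE: {0}", authenticatorModel.getProviderId());
                    if (execution.isRequired() || (execution.isOptional() && configuredForUser)) {
                        this.clientSession.setAuthenticatorStatus(execution.getId(), UserSessionModel.AuthenticatorStatus.CHALLENGED);
                        return result.challenge;
                    }
                    if (execution.isAlternative()) {
                        // Hold the challenge; a later execution may still identify the user another way.
                        deferredChallenge = result.challenge;
                        deferredExecution = execution;
                    } else {
                        this.clientSession.setAuthenticatorStatus(execution.getId(), UserSessionModel.AuthenticatorStatus.SKIPPED);
                    }
                    break;
                case FAILURE_CHALLENGE:
                    logger.debugv("authenticator FAILURE_CHALLENGE: {0}", authenticatorModel.getProviderId());
                    logUserFailure();
                    this.clientSession.setAuthenticatorStatus(execution.getId(), UserSessionModel.AuthenticatorStatus.CHALLENGED);
                    return result.challenge;
                case ATTEMPTED:
                    logger.debugv("authenticator ATTEMPTED: {0}", authenticatorModel.getProviderId());
                    if (execution.getRequirement() == AuthenticationExecutionModel.Requirement.REQUIRED) {
                        throw new AuthException(Error.INVALID_CREDENTIALS);
                    }
                    this.clientSession.setAuthenticatorStatus(execution.getId(), UserSessionModel.AuthenticatorStatus.ATTEMPTED);
                    break;
                default:
                    logger.debugv("authenticator INTERNAL_ERROR: {0}", authenticatorModel.getProviderId());
                    logger.error("Unknown result status");
                    throw new AuthException(Error.INTERNAL_ERROR);
            }
        }
        return null;
    }

    /**
     * Rejects a user that must not log in. A null user is accepted: this is called at the
     * start of the flow before any authenticator has identified anyone.
     *
     * @throws AuthException {@code USER_DISABLED} if the account is disabled;
     *         {@code USER_TEMPORARILY_DISABLED} if the realm has brute-force protection
     *         and the protector reports the username as locked out
     */
    public void validateUser(UserModel userModel) {
        if (userModel == null) {
            return;
        }
        if (!userModel.isEnabled()) {
            throw new AuthException(Error.USER_DISABLED);
        }
        // The original dereferenced userModel here without the null guard above, so a
        // brute-force-protected realm hit an NPE on the first (user-less) call.
        if (this.realm.isBruteForceProtected()
                && this.protector.isTemporarilyDisabled(this.session, this.realm, userModel.getUsername())) {
            throw new AuthException(Error.USER_TEMPORARILY_DISABLED);
        }
    }

    /**
     * Creates the user session (unless an authenticator already attached one), links the
     * client session to it and hands off to the required-actions step.
     * <p>
     * NOTE(review): unlike {@link #authenticateOnly}, this path does not set
     * {@code userSessionCreated} when it creates the session — confirm whether that is
     * intended before relying on {@link #isUserSessionCreated()} here.
     */
    protected Response authenticationComplete() {
        String username = this.clientSession.getAuthenticatedUser().getUsername();
        String rememberMeNote = this.clientSession.getNote("remember_me");
        boolean rememberMe = rememberMeNote != null && rememberMeNote.equalsIgnoreCase("true");
        if (this.userSession == null) {
            this.userSession = this.session.sessions().createUserSession(this.realm, this.clientSession.getAuthenticatedUser(),
                    username, this.connection.getRemoteAddr(), this.clientSession.getAuthMethod(), rememberMe,
                    (String) null, (String) null);
            this.userSession.setState(UserSessionModel.State.LOGGING_IN);
        }
        if (rememberMe) {
            this.event.detail("remember_me", "true");
        }
        TokenManager.attachClientSession(this.userSession, this.clientSession);
        this.event.user(this.userSession.getUser()).detail("username", username).session(this.userSession);
        return AuthenticationManager.nextActionAfterAuthentication(this.session, this.userSession, this.clientSession,
                this.connection, this.request, this.uriInfo, this.event);
    }

    /** Refuses to run the flow unless the client session is in the AUTHENTICATE action. */
    private void requireAuthenticateAction() {
        if (!ClientSessionModel.Action.AUTHENTICATE.name().equals(this.clientSession.getAction())) {
            throw new AuthException(Error.INVALID_CLIENT_SESSION);
        }
    }

    /** Starts the LOGIN event with the client, redirect URI and auth method/type details. */
    private void beginLoginEvent() {
        this.event.event(EventType.LOGIN);
        this.event.client(this.clientSession.getClient().getClientId())
                .detail(OIDCLoginProtocol.REDIRECT_URI_PARAM, this.clientSession.getRedirectUri())
                .detail("auth_method", this.clientSession.getAuthMethod());
        String authType = this.clientSession.getNote("auth_type");
        if (authType != null) {
            this.event.detail("auth_type", authType);
        }
    }
}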
