package org.keycloak.services.managers;

import java.io.IOException;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.ws.rs.core.UriInfo;
import org.jboss.logging.Logger;
import org.keycloak.ClientConnection;
import org.keycloak.OAuthErrorException;
import org.keycloak.events.Details;
import org.keycloak.events.EventBuilder;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.crypto.RSAProvider;
import org.keycloak.models.ApplicationModel;
import org.keycloak.models.ClaimMask;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.IDToken;
import org.keycloak.representations.RefreshToken;
import org.keycloak.util.Time;

/* loaded from: input_file:WEB-INF/lib/keycloak-services-1.0-final.jar:org/keycloak/services/managers/TokenManager.class */
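public class TokenManager {
    protected static final Logger logger = Logger.getLogger(TokenManager.class);

    /* loaded from: input_file:WEB-INF/lib/keycloak-services-1.0-final.jar:org/keycloak/services/managers/TokenManager$AccessTokenResponseBuilder.class */
    /**
     * Assembles the token-endpoint response for one realm/client pair: an access
     * token, an optional refresh token and an optional ID token, each signed with
     * the realm's private key (RS256). Token ids are recorded on the audit
     * {@link EventBuilder} when the response is built.
     *
     * <p>This is a non-static inner class on purpose: {@link #generateAccessToken}
     * needs the enclosing {@link TokenManager} to compute the granted roles.
     */
    public class AccessTokenResponseBuilder {
        RealmModel realm;
        ClientModel client;
        AccessToken accessToken;
        RefreshToken refreshToken;
        IDToken idToken;
        EventBuilder event;

        /**
         * @param realmModel   realm whose keys sign the tokens and whose policies bound them
         * @param clientModel  client the response is issued to (used for the not-before policy)
         * @param eventBuilder audit event the token ids are attached to in {@link #build()}
         */
        public AccessTokenResponseBuilder(RealmModel realmModel, ClientModel clientModel, EventBuilder eventBuilder) {
            this.realm = realmModel;
            this.client = clientModel;
            this.event = eventBuilder;
        }

        /** Uses an already-built access token instead of generating one. */
        public AccessTokenResponseBuilder accessToken(AccessToken accessToken) {
            this.accessToken = accessToken;
            return this;
        }

        /** Uses an already-built refresh token instead of generating one. */
        public AccessTokenResponseBuilder refreshToken(RefreshToken refreshToken) {
            this.refreshToken = refreshToken;
            return this;
        }

        /**
         * Generates the access token for {@code userModel} at {@code clientModel},
         * limited to the roles {@link TokenManager#getAccess} grants for that client.
         *
         * @param str              requested scope (see {@link TokenManager#getAccess})
         * @param clientModel      client the token is issued for
         * @param userModel        subject of the token
         * @param userSessionModel user session the token is bound to; may be {@code null}
         */
        public AccessTokenResponseBuilder generateAccessToken(String str, ClientModel clientModel, UserModel userModel, UserSessionModel userSessionModel) {
            Set<RoleModel> granted = TokenManager.this.getAccess(str, clientModel, userModel);
            this.accessToken = TokenManager.this.createClientAccessToken(granted, this.realm, clientModel, userModel, userSessionModel);
            return this;
        }

        /**
         * Derives a refresh token from the access token. Its lifetime is the realm's
         * SSO session idle timeout, not the access-token lifespan.
         *
         * @throws IllegalStateException if no access token has been set or generated yet
         */
        public AccessTokenResponseBuilder generateRefreshToken() {
            if (this.accessToken == null) {
                throw new IllegalStateException("accessToken not set");
            }
            // RefreshToken's copy constructor decides which access-token fields carry over.
            RefreshToken token = new RefreshToken(this.accessToken);
            token.id(KeycloakModelUtils.generateId());
            token.issuedNow();
            token.expiration(Time.currentTime() + this.realm.getSsoSessionIdleTimeout());
            this.refreshToken = token;
            return this;
        }

        /**
         * Derives an OpenID Connect ID token from the access token: same subject,
         * issuer, issued-for and profile claims, a fresh id, and an expiration only
         * when the realm configures a positive access-token lifespan.
         *
         * @throws IllegalStateException if no access token has been set or generated yet
         */
        public AccessTokenResponseBuilder generateIDToken() {
            if (this.accessToken == null) {
                throw new IllegalStateException("accessToken not set");
            }
            IDToken token = new IDToken();
            token.id(KeycloakModelUtils.generateId());
            token.subject(this.accessToken.getSubject());
            token.audience(this.realm.getName());
            token.issuedNow();
            token.issuedFor(this.accessToken.getIssuedFor());
            token.issuer(this.accessToken.getIssuer());
            if (this.realm.getAccessTokenLifespan() > 0) {
                token.expiration(Time.currentTime() + this.realm.getAccessTokenLifespan());
            }
            copyProfileClaims(this.accessToken, token);
            this.idToken = token;
            return this;
        }

        /** Copies every standard OIDC profile/address/phone claim from {@code source} to {@code target}. */
        private void copyProfileClaims(IDToken source, IDToken target) {
            target.setPreferredUsername(source.getPreferredUsername());
            target.setGivenName(source.getGivenName());
            target.setMiddleName(source.getMiddleName());
            target.setFamilyName(source.getFamilyName());
            target.setName(source.getName());
            target.setNickName(source.getNickName());
            target.setGender(source.getGender());
            target.setPicture(source.getPicture());
            target.setProfile(source.getProfile());
            target.setWebsite(source.getWebsite());
            target.setBirthdate(source.getBirthdate());
            target.setEmail(source.getEmail());
            target.setEmailVerified(source.getEmailVerified());
            target.setLocale(source.getLocale());
            target.setFormattedAddress(source.getFormattedAddress());
            target.setAddress(source.getAddress());
            target.setStreetAddress(source.getStreetAddress());
            target.setLocality(source.getLocality());
            target.setRegion(source.getRegion());
            target.setPostalCode(source.getPostalCode());
            target.setCountry(source.getCountry());
            target.setPhoneNumber(source.getPhoneNumber());
            target.setPhoneNumberVerified(source.getPhoneNumberVerified());
            target.setZoneinfo(source.getZoneinfo());
        }

        /**
         * Signs whichever tokens are present and builds the response.
         *
         * <p>Audit: the access-token id goes into {@code TOKEN_ID}; the refresh-token id
         * goes into {@code UPDATED_REFRESH_TOKEN_ID} when the event already carries a
         * {@code REFRESH_TOKEN_ID} (i.e. this is a refresh-grant response, see
         * {@link TokenManager#refreshAccessToken}), otherwise into {@code REFRESH_TOKEN_ID}.
         *
         * <p>The not-before policy returned to the client is the stricter of the realm
         * and client not-before values.
         */
        public AccessTokenResponse build() {
            if (this.accessToken != null) {
                this.event.detail(Details.TOKEN_ID, this.accessToken.getId());
            }
            if (this.refreshToken != null) {
                boolean refreshGrant = this.event.getEvent().getDetails().containsKey(Details.REFRESH_TOKEN_ID);
                String detail = refreshGrant ? Details.UPDATED_REFRESH_TOKEN_ID : Details.REFRESH_TOKEN_ID;
                this.event.detail(detail, this.refreshToken.getId());
            }

            AccessTokenResponse response = new AccessTokenResponse();
            if (this.idToken != null) {
                response.setIdToken(TokenManager.this.encodeToken(this.realm, this.idToken));
            }
            if (this.accessToken != null) {
                response.setToken(TokenManager.this.encodeToken(this.realm, this.accessToken));
                response.setTokenType("bearer");
                response.setSessionState(this.accessToken.getSessionState());
                // expiration == 0 means "no expiration" (see initToken); expires_in is then left unset.
                if (this.accessToken.getExpiration() != 0) {
                    response.setExpiresIn(this.accessToken.getExpiration() - Time.currentTime());
                }
            }
            if (this.refreshToken != null) {
                response.setRefreshToken(TokenManager.this.encodeToken(this.realm, this.refreshToken));
            }

            int notBefore = Math.max(this.realm.getNotBefore(), this.client.getNotBefore());
            response.setNotBeforePolicy(notBefore);
            return response;
        }
    }

    /**
     * Intersects one scope role with the roles a user actually holds.
     *
     * <p>If {@code roleModel} (a role the user has) implies {@code roleModel2}
     * (a role in the client's scope), {@code roleModel2} is added to {@code set2};
     * otherwise, if {@code roleModel2} is composite, its components are tried
     * recursively. {@code set} records the scope roles already visited so that
     * cyclic composites terminate.
     *
     * @param roleModel  a role held by the user
     * @param roleModel2 a role from the client's scope to test
     * @param set        visited set, mutated
     * @param set2       result set of granted roles, mutated
     */
    public static void applyScope(RoleModel roleModel, RoleModel roleModel2, Set<RoleModel> set, Set<RoleModel> set2) {
        if (!set.add(roleModel2)) {
            return; // already visited
        }
        if (roleModel.hasRole(roleModel2)) {
            set2.add(roleModel2);
            return;
        }
        if (roleModel2.isComposite()) {
            for (RoleModel component : roleModel2.getComposites()) {
                applyScope(roleModel, component, set, set2);
            }
        }
    }

    /**
     * Creates a client session holding the ids of the roles granted to the user
     * for this client, and wraps it in an {@link AccessCode}.
     *
     * @param str              requested scope (see {@link #getAccess})
     * @param str2             forwarded as the fifth argument of
     *                         {@code createClientSession} — presumably the OAuth state; confirm against KeycloakSession
     * @param str3             forwarded as the fourth argument of
     *                         {@code createClientSession} — presumably the redirect URI; confirm against KeycloakSession
     * @param keycloakSession  session used to create the client session
     * @param realmModel       realm
     * @param clientModel      client the code is issued for
     * @param userModel        authenticated user
     * @param userSessionModel user session the client session is attached to
     */
    public AccessCode createAccessCode(String str, String str2, String str3, KeycloakSession keycloakSession, RealmModel realmModel, ClientModel clientModel, UserModel userModel, UserSessionModel userSessionModel) {
        Set<String> roleIds = new HashSet<String>();
        for (RoleModel role : getAccess(str, clientModel, userModel)) {
            roleIds.add(role.getId());
        }
        return new AccessCode(realmModel, keycloakSession.sessions().createClientSession(realmModel, clientModel, userSessionModel, str3, str2, roleIds));
    }

    /**
     * Validates a refresh token and mints a new access token carrying the same
     * realm/resource access.
     *
     * <p>Checks, in order: signature, expiration and realm not-before
     * ({@link #verifyRefreshToken}); user still exists and is enabled; user session
     * still valid (an invalid session is logged out); token was issued for this
     * client; token not older than the client's not-before; every role in the
     * token is still held by the user and still in the client's scope
     * ({@link #verifyAccess}). On success the user session's last-refresh time is
     * bumped.
     *
     * @param str refresh token in JWS compact serialization
     * @return the new access token, unsigned (see {@link #encodeToken})
     * @throws OAuthErrorException with error {@code invalid_grant} when any check fails
     */
    public AccessToken refreshAccessToken(KeycloakSession keycloakSession, UriInfo uriInfo, ClientConnection clientConnection, RealmModel realmModel, ClientModel clientModel, String str, EventBuilder eventBuilder) throws OAuthErrorException {
        RefreshToken refreshToken = verifyRefreshToken(realmModel, str);
        eventBuilder.user(refreshToken.getSubject())
                .session(refreshToken.getSessionState())
                .detail(Details.REFRESH_TOKEN_ID, refreshToken.getId());

        UserModel user = keycloakSession.users().getUserById(refreshToken.getSubject(), realmModel);
        if (user == null) {
            throw new OAuthErrorException("invalid_grant", "Invalid refresh token", "Unknown user");
        }
        if (!user.isEnabled()) {
            throw new OAuthErrorException("invalid_grant", "User disabled", "User disabled");
        }

        UserSessionModel userSession = keycloakSession.sessions().getUserSession(realmModel, refreshToken.getSessionState());
        int currentTime = Time.currentTime();
        // NOTE(review): userSession may be null if the session was removed; this relies on
        // AuthenticationManager.isSessionValid/logout tolerating null — confirm, since
        // userSession is dereferenced below.
        if (!AuthenticationManager.isSessionValid(realmModel, userSession)) {
            AuthenticationManager.logout(keycloakSession, realmModel, userSession, uriInfo, clientConnection);
            throw new OAuthErrorException("invalid_grant", "Session not active", "Session not active");
        }
        if (!clientModel.getClientId().equals(refreshToken.getIssuedFor())) {
            throw new OAuthErrorException("invalid_grant", "Unmatching clients", "Unmatching clients");
        }
        // Realm-level not-before is enforced in verifyRefreshToken; this is the per-client revocation.
        if (refreshToken.getIssuedAt() < clientModel.getNotBefore()) {
            throw new OAuthErrorException("invalid_grant", "Stale refresh token");
        }
        verifyAccess(refreshToken, realmModel, clientModel, user);

        AccessToken newToken = initToken(realmModel, clientModel, user, userSession);
        newToken.setRealmAccess(refreshToken.getRealmAccess());
        newToken.setResourceAccess(refreshToken.getResourceAccess());
        userSession.setLastSessionRefresh(currentTime);
        return newToken;
    }

    /**
     * Verifies a refresh token's signature against the realm's public key, then
     * parses it and rejects it if expired or issued before the realm's not-before.
     *
     * <p>The signature is checked before the payload is parsed, so unsigned or
     * tampered content is never deserialized.
     *
     * @param str refresh token in JWS compact serialization
     * @throws OAuthErrorException with error {@code invalid_grant} on bad signature,
     *         unparseable content, expiry, or realm not-before violation
     */
    public RefreshToken verifyRefreshToken(RealmModel realmModel, String str) throws OAuthErrorException {
        // NOTE(review): JWSInput's constructor runs outside the try; confirm how it reports
        // a malformed wire string.
        JWSInput input = new JWSInput(str);
        try {
            // Was a bare RuntimeException, which surfaced as a server error rather than
            // the invalid_grant response every other rejection here produces.
            if (!RSAProvider.verify(input, realmModel.getPublicKey())) {
                throw new OAuthErrorException("invalid_grant", "Invalid refresh token");
            }
            RefreshToken refreshToken = (RefreshToken) input.readJsonContent(RefreshToken.class);
            if (refreshToken.isExpired()) {
                throw new OAuthErrorException("invalid_grant", "Refresh token expired");
            }
            if (refreshToken.getIssuedAt() < realmModel.getNotBefore()) {
                throw new OAuthErrorException("invalid_grant", "Stale refresh token");
            }
            return refreshToken;
        } catch (IOException e) {
            throw new OAuthErrorException("invalid_grant", "Invalid refresh token", e);
        }
    }

    /**
     * Builds an access token for {@code userModel} at {@code clientModel} whose
     * realm/resource access is the closure of {@code set} over composite roles.
     *
     * @param set roles to grant (each expanded via {@link #addComposites})
     */
    public AccessToken createClientAccessToken(Set<RoleModel> set, RealmModel realmModel, ClientModel clientModel, UserModel userModel, UserSessionModel userSessionModel) {
        AccessToken token = initToken(realmModel, clientModel, userModel, userSessionModel);
        for (RoleModel role : set) {
            addComposites(token, role);
        }
        return token;
    }

    /**
     * Computes the roles a user may carry in a token for a client.
     *
     * <p>If the client allows full scope, all of the user's role mappings are
     * returned (the model's own collection, not a copy). Otherwise the client's
     * scope mappings — plus, for an application, its own roles — are intersected
     * with the user's roles via {@link #applyScope}.
     *
     * @param str requested scope; not consulted by this implementation
     */
    public Set<RoleModel> getAccess(String str, ClientModel clientModel, UserModel userModel) {
        Set<RoleModel> userRoles = userModel.getRoleMappings();
        if (clientModel.isFullScopeAllowed()) {
            return userRoles;
        }
        // Copy before adding application roles: the original mutated the set returned
        // by getScopeMappings() in place, which corrupts the client's scope if that
        // set is live and fails if it is unmodifiable.
        Set<RoleModel> scope = new HashSet<RoleModel>(clientModel.getScopeMappings());
        if (clientModel instanceof ApplicationModel) {
            scope.addAll(((ApplicationModel) clientModel).getRoles());
        }
        Set<RoleModel> granted = new HashSet<RoleModel>();
        for (RoleModel userRole : userRoles) {
            for (RoleModel scopeRole : scope) {
                applyScope(userRole, scopeRole, new HashSet<RoleModel>(), granted);
            }
        }
        return granted;
    }

    /**
     * Re-checks every role claimed in a token against current state: the role must
     * still exist, the user must still hold it, and the client must still have it
     * in scope. Used on refresh so revoked roles do not survive into a new token.
     *
     * <p>For application roles the scope check is skipped when the token's client is
     * the application that owns the role.
     *
     * @throws OAuthErrorException with error {@code invalid_grant} on the first violation
     */
    public void verifyAccess(AccessToken accessToken, RealmModel realmModel, ClientModel clientModel, UserModel userModel) throws OAuthErrorException {
        ApplicationModel clientApp = clientModel instanceof ApplicationModel ? (ApplicationModel) clientModel : null;

        if (accessToken.getRealmAccess() != null) {
            for (String roleName : accessToken.getRealmAccess().getRoles()) {
                RoleModel role = realmModel.getRole(roleName);
                if (role == null) {
                    throw new OAuthErrorException("invalid_grant", "Invalid realm role " + roleName);
                }
                if (!userModel.hasRole(role)) {
                    throw new OAuthErrorException("invalid_grant", "User no long has permission for realm role: " + roleName);
                }
                if (!clientModel.hasScope(role)) {
                    throw new OAuthErrorException("invalid_grant", "Client no longer has realm scope: " + roleName);
                }
            }
        }

        if (accessToken.getResourceAccess() != null) {
            for (Map.Entry<String, AccessToken.Access> entry : accessToken.getResourceAccess().entrySet()) {
                String appName = entry.getKey();
                ApplicationModel app = realmModel.getApplicationByName(appName);
                if (app == null) {
                    // Was app.getName() on a null app, i.e. an NPE instead of the intended error.
                    throw new OAuthErrorException("invalid_grant", "Application no longer exists", "Application no longer exists: " + appName);
                }
                for (String roleName : entry.getValue().getRoles()) {
                    RoleModel role = app.getRole(roleName);
                    if (role == null) {
                        throw new OAuthErrorException("invalid_grant", "Invalid refresh token", "Unknown application role: " + roleName);
                    }
                    if (!userModel.hasRole(role)) {
                        throw new OAuthErrorException("invalid_grant", "User no long has permission for application role " + roleName);
                    }
                    boolean ownRole = clientApp != null && clientApp.equals(app);
                    if (clientApp != null && !ownRole && !clientModel.hasScope(role)) {
                        throw new OAuthErrorException("invalid_grant", "Client no longer has application scope" + roleName);
                    }
                }
            }
        }
    }

    /**
     * Populates profile claims on a token, each gated by the client's allowed-claims
     * mask so a client only receives the user attributes it is permitted to see.
     */
    public void initClaims(IDToken iDToken, ClientModel clientModel, UserModel userModel) {
        long mask = clientModel.getAllowedClaimsMask();
        if (ClaimMask.hasUsername(mask)) {
            iDToken.setPreferredUsername(userModel.getUsername());
        }
        if (ClaimMask.hasEmail(mask)) {
            iDToken.setEmail(userModel.getEmail());
            iDToken.setEmailVerified(Boolean.valueOf(userModel.isEmailVerified()));
        }
        if (ClaimMask.hasName(mask)) {
            String first = userModel.getFirstName();
            String last = userModel.getLastName();
            iDToken.setFamilyName(last);
            iDToken.setGivenName(first);
            // Full name is "first last"; a trailing space remains when only the first name is set.
            StringBuilder fullName = new StringBuilder();
            if (first != null) {
                fullName.append(first).append(" ");
            }
            if (last != null) {
                fullName.append(last);
            }
            iDToken.setName(fullName.toString());
        }
    }

    /**
     * Creates an ID token whose subject is {@code userModel2}.
     *
     * <p>Note the asymmetry: {@code issuedFor} is set to {@code userModel}'s
     * username, while subject and claims come from {@code userModel2} — presumably
     * the acting user vs. the target user; confirm against callers.
     */
    protected IDToken initIDToken(RealmModel realmModel, ClientModel clientModel, UserModel userModel, UserModel userModel2) {
        IDToken token = new IDToken();
        token.id(KeycloakModelUtils.generateId());
        token.subject(userModel2.getId());
        token.audience(realmModel.getName());
        token.issuedNow();
        token.issuedFor(userModel.getUsername());
        token.issuer(realmModel.getName());
        if (realmModel.getAccessTokenLifespan() > 0) {
            token.expiration(Time.currentTime() + realmModel.getAccessTokenLifespan());
        }
        initClaims(token, clientModel, userModel2);
        return token;
    }

    /**
     * Creates an access token with the standard header claims but no roles:
     * fresh id, subject = user id, audience = issuer = realm name, issued-for =
     * client id, session state when a session is given, expiration only when the
     * realm's access-token lifespan is positive, and the client's web origins as
     * allowed origins when configured.
     */
    protected AccessToken initToken(RealmModel realmModel, ClientModel clientModel, UserModel userModel, UserSessionModel userSessionModel) {
        AccessToken token = new AccessToken();
        token.id(KeycloakModelUtils.generateId());
        token.subject(userModel.getId());
        token.audience(realmModel.getName());
        token.issuedNow();
        token.issuedFor(clientModel.getClientId());
        token.issuer(realmModel.getName());
        if (userSessionModel != null) {
            token.setSessionState(userSessionModel.getId());
        }
        // A non-positive lifespan leaves expiration at 0, which build() treats as "never".
        if (realmModel.getAccessTokenLifespan() > 0) {
            token.expiration(Time.currentTime() + realmModel.getAccessTokenLifespan());
        }
        Set<String> webOrigins = clientModel.getWebOrigins();
        if (webOrigins != null) {
            token.setAllowedOrigins(webOrigins);
        }
        initClaims(token, clientModel, userModel);
        return token;
    }

    /**
     * Adds a role, and transitively its composite members, to the token's realm
     * access or to the resource access of the application owning the role.
     *
     * <p>Returns early when the role is already present, which also bounds recursion
     * over cyclic composites. A new resource-access entry for an application that
     * requires surrogate auth is flagged with {@code verifyCaller(true)}.
     */
    protected void addComposites(AccessToken accessToken, RoleModel roleModel) {
        String roleName = roleModel.getName();
        Object container = roleModel.getContainer();
        AccessToken.Access access;

        if (container instanceof RealmModel) {
            access = accessToken.getRealmAccess();
            if (access == null) {
                access = new AccessToken.Access();
                accessToken.setRealmAccess(access);
            } else if (access.getRoles() != null && access.isUserInRole(roleName)) {
                return;
            }
        } else {
            ApplicationModel app = (ApplicationModel) container;
            access = accessToken.getResourceAccess(app.getName());
            if (access == null) {
                access = accessToken.addAccess(app.getName());
                if (app.isSurrogateAuthRequired()) {
                    access.verifyCaller(true);
                }
            } else if (access.isUserInRole(roleName)) {
                return;
            }
        }

        access.addRole(roleName);
        if (roleModel.isComposite()) {
            for (RoleModel component : roleModel.getComposites()) {
                addComposites(accessToken, component);
            }
        }
    }

    /**
     * Serializes {@code obj} as JSON and signs it with the realm's private key (RS256),
     * returning the JWS compact serialization.
     */
    public String encodeToken(RealmModel realmModel, Object obj) {
        return new JWSBuilder().jsonContent(obj).rsa256(realmModel.getPrivateKey());
    }

    /** Starts a token-endpoint response for the given realm, client and audit event. */
    public AccessTokenResponseBuilder responseBuilder(RealmModel realmModel, ClientModel clientModel, EventBuilder eventBuilder) {
        return new AccessTokenResponseBuilder(realmModel, clientModel, eventBuilder);
    }
}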
