package org.keycloak.services.resources;

import java.util.Set;
import java.util.concurrent.TimeUnit;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import javax.ws.rs.ext.Providers;
import org.jboss.logging.Logger;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.ClientConnection;
import org.keycloak.OAuth2Constants;
import org.keycloak.email.EmailException;
import org.keycloak.email.EmailProvider;
import org.keycloak.events.Details;
import org.keycloak.events.Errors;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.login.LoginFormsProvider;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.TimeBasedOTP;
import org.keycloak.services.managers.AccessCode;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.TokenManager;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.flows.Flows;
import org.keycloak.services.resources.flows.Urls;
import org.keycloak.services.validation.Validation;

/* loaded from: input_file:WEB-INF/lib/keycloak-services-1.0.4.Final.jar:org/keycloak/services/resources/RequiredActionsService.class */
public class RequiredActionsService {
    protected static final Logger logger = Logger.getLogger(RequiredActionsService.class);
    private RealmModel realm;

    @Context
    private HttpRequest request;

    @Context
    protected HttpHeaders headers;

    @Context
    private UriInfo uriInfo;

    @Context
    private ClientConnection clientConnection;

    @Context
    protected Providers providers;

    @Context
    protected KeycloakSession session;
    private TokenManager tokenManager;
    private EventBuilder event;

    public RequiredActionsService(RealmModel realmModel, TokenManager tokenManager, EventBuilder eventBuilder) {
        this.realm = realmModel;
        this.tokenManager = tokenManager;
        this.event = eventBuilder;
    }

    @POST
    @Path("profile")
    @Consumes({"application/x-www-form-urlencoded"})
    public Response updateProfile(MultivaluedMap<String, String> multivaluedMap) {
        AccessCode accessCodeEntry = getAccessCodeEntry(UserModel.RequiredAction.UPDATE_PROFILE);
        if (accessCodeEntry == null) {
            return unauthorized();
        }
        UserModel user = getUser(accessCodeEntry);
        initEvent(accessCodeEntry);
        String validateUpdateProfileForm = Validation.validateUpdateProfileForm(multivaluedMap);
        if (validateUpdateProfileForm != null) {
            return Flows.forms(this.session, this.realm, null, this.uriInfo).setUser(user).setError(validateUpdateProfileForm).createResponse(UserModel.RequiredAction.UPDATE_PROFILE);
        }
        user.setFirstName((String) multivaluedMap.getFirst("firstName"));
        user.setLastName((String) multivaluedMap.getFirst("lastName"));
        String str = (String) multivaluedMap.getFirst("email");
        String email = user.getEmail();
        boolean z = email != null ? !email.equals(str) : str != null;
        user.setEmail(str);
        user.removeRequiredAction(UserModel.RequiredAction.UPDATE_PROFILE);
        this.event.m386clone().event(EventType.UPDATE_PROFILE).success();
        if (z) {
            user.setEmailVerified(false);
            this.event.m386clone().event(EventType.UPDATE_EMAIL).detail(Details.PREVIOUS_EMAIL, email).detail(Details.UPDATED_EMAIL, str).success();
        }
        return redirectOauth(user, accessCodeEntry);
    }

    @POST
    @Path("totp")
    @Consumes({"application/x-www-form-urlencoded"})
    public Response updateTotp(MultivaluedMap<String, String> multivaluedMap) {
        AccessCode accessCodeEntry = getAccessCodeEntry(UserModel.RequiredAction.CONFIGURE_TOTP);
        if (accessCodeEntry == null) {
            return unauthorized();
        }
        UserModel user = getUser(accessCodeEntry);
        initEvent(accessCodeEntry);
        String str = (String) multivaluedMap.getFirst("totp");
        String str2 = (String) multivaluedMap.getFirst("totpSecret");
        LoginFormsProvider user2 = Flows.forms(this.session, this.realm, null, this.uriInfo).setUser(user);
        if (Validation.isEmpty(str)) {
            return user2.setError(Messages.MISSING_TOTP).createResponse(UserModel.RequiredAction.CONFIGURE_TOTP);
        }
        if (!new TimeBasedOTP().validate(str, str2.getBytes())) {
            return user2.setError(Messages.INVALID_TOTP).createResponse(UserModel.RequiredAction.CONFIGURE_TOTP);
        }
        UserCredentialModel userCredentialModel = new UserCredentialModel();
        userCredentialModel.setType("totp");
        userCredentialModel.setValue(str2);
        this.session.users().updateCredential(this.realm, user, userCredentialModel);
        user.setTotp(true);
        user.removeRequiredAction(UserModel.RequiredAction.CONFIGURE_TOTP);
        this.event.m386clone().event(EventType.UPDATE_TOTP).success();
        return redirectOauth(user, accessCodeEntry);
    }

    @POST
    @Path("password")
    @Consumes({"application/x-www-form-urlencoded"})
    public Response updatePassword(MultivaluedMap<String, String> multivaluedMap) {
        AccessCode accessCodeEntry = getAccessCodeEntry(UserModel.RequiredAction.UPDATE_PASSWORD);
        if (accessCodeEntry == null) {
            return unauthorized();
        }
        UserModel user = getUser(accessCodeEntry);
        initEvent(accessCodeEntry);
        String str = (String) multivaluedMap.getFirst("password-new");
        String str2 = (String) multivaluedMap.getFirst("password-confirm");
        LoginFormsProvider user2 = Flows.forms(this.session, this.realm, null, this.uriInfo).setUser(user);
        if (Validation.isEmpty(str)) {
            return user2.setError(Messages.MISSING_PASSWORD).createResponse(UserModel.RequiredAction.UPDATE_PASSWORD);
        }
        if (!str.equals(str2)) {
            return user2.setError(Messages.NOTMATCH_PASSWORD).createResponse(UserModel.RequiredAction.UPDATE_PASSWORD);
        }
        try {
            this.session.users().updateCredential(this.realm, user, UserCredentialModel.password(str));
            user.removeRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
            this.event.m386clone().event(EventType.UPDATE_PASSWORD).success();
            return accessCodeEntry.getSessionState() == null ? Response.seeOther(Urls.accountPage(this.uriInfo.getBaseUri(), this.realm.getId())).build() : redirectOauth(user, accessCodeEntry);
        } catch (Exception e) {
            return user2.setError(e.getMessage()).createResponse(UserModel.RequiredAction.UPDATE_PASSWORD);
        }
    }

    @GET
    @Path("email-verification")
    public Response emailVerification() {
        if (!this.uriInfo.getQueryParameters().containsKey("key")) {
            AccessCode accessCodeEntry = getAccessCodeEntry(UserModel.RequiredAction.VERIFY_EMAIL);
            if (accessCodeEntry == null) {
                return unauthorized();
            }
            initEvent(accessCodeEntry);
            return Flows.forms(this.session, this.realm, null, this.uriInfo).setAccessCode(accessCodeEntry.getCode()).setUser(accessCodeEntry.getUser()).createResponse(UserModel.RequiredAction.VERIFY_EMAIL);
        }
        AccessCode parse = AccessCode.parse((String) this.uriInfo.getQueryParameters().getFirst("key"), this.session, this.realm);
        if (parse == null || !parse.isValid(UserModel.RequiredAction.VERIFY_EMAIL)) {
            return unauthorized();
        }
        UserModel user = getUser(parse);
        initEvent(parse);
        user.setEmailVerified(true);
        user.removeRequiredAction(UserModel.RequiredAction.VERIFY_EMAIL);
        this.event.m386clone().event(EventType.VERIFY_EMAIL).detail("email", parse.getUser().getEmail()).success();
        return redirectOauth(user, parse);
    }

    @GET
    @Path("password-reset")
    public Response passwordReset() {
        if (!this.uriInfo.getQueryParameters().containsKey("key")) {
            return Flows.forms(this.session, this.realm, null, this.uriInfo).createPasswordReset();
        }
        AccessCode parse = AccessCode.parse((String) this.uriInfo.getQueryParameters().getFirst("key"), this.session, this.realm);
        return (parse == null || !parse.isValid(UserModel.RequiredAction.UPDATE_PASSWORD)) ? unauthorized() : Flows.forms(this.session, this.realm, null, this.uriInfo).setAccessCode(parse.getCode()).createResponse(UserModel.RequiredAction.UPDATE_PASSWORD);
    }

    @POST
    @Path("password-reset")
    @Consumes({"application/x-www-form-urlencoded"})
    public Response sendPasswordReset(MultivaluedMap<String, String> multivaluedMap) {
        String str = (String) multivaluedMap.getFirst("username");
        String str2 = (String) this.uriInfo.getQueryParameters().getFirst(OAuth2Constants.SCOPE);
        String str3 = (String) this.uriInfo.getQueryParameters().getFirst(OAuth2Constants.STATE);
        String str4 = (String) this.uriInfo.getQueryParameters().getFirst("redirect_uri");
        String str5 = (String) this.uriInfo.getQueryParameters().getFirst(OAuth2Constants.CLIENT_ID);
        AuthenticationManager authenticationManager = new AuthenticationManager();
        ClientModel findClient = this.realm.findClient(str5);
        if (findClient == null) {
            return Flows.oauth(this.session, this.realm, this.request, this.uriInfo, this.clientConnection, authenticationManager, this.tokenManager).forwardToSecurityFailure("Unknown login requester.");
        }
        if (!findClient.isEnabled()) {
            return Flows.oauth(this.session, this.realm, this.request, this.uriInfo, this.clientConnection, authenticationManager, this.tokenManager).forwardToSecurityFailure("Login requester not enabled.");
        }
        this.event.event(EventType.SEND_RESET_PASSWORD).client(str5).detail("redirect_uri", str4).detail("response_type", OAuth2Constants.CODE).detail(Details.AUTH_METHOD, "form").detail("username", str);
        UserModel userByUsername = this.session.users().getUserByUsername(str, this.realm);
        if (userByUsername == null && str.contains("@")) {
            userByUsername = this.session.users().getUserByEmail(str, this.realm);
        }
        if (userByUsername == null) {
            this.event.error(Errors.USER_NOT_FOUND);
        } else {
            UserSessionModel createUserSession = this.session.sessions().createUserSession(this.realm, userByUsername, str, this.clientConnection.getRemoteAddr(), "form", false);
            this.event.session(createUserSession);
            AccessCode createAccessCode = this.tokenManager.createAccessCode(str2, str3, str4, this.session, this.realm, findClient, userByUsername, createUserSession);
            createAccessCode.setRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
            try {
                UriBuilder loginPasswordResetBuilder = Urls.loginPasswordResetBuilder(this.uriInfo.getBaseUri());
                loginPasswordResetBuilder.queryParam("key", new Object[]{createAccessCode.getCode()});
                ((EmailProvider) this.session.getProvider(EmailProvider.class)).setRealm(this.realm).setUser(userByUsername).sendPasswordReset(loginPasswordResetBuilder.build(new Object[]{this.realm.getName()}).toString(), TimeUnit.SECONDS.toMinutes(this.realm.getAccessCodeLifespanUserAction()));
                this.event.user(userByUsername).detail("email", userByUsername.getEmail()).detail(Details.CODE_ID, createAccessCode.getCodeId()).success();
            } catch (EmailException e) {
                logger.error("Failed to send password reset email", e);
                return Flows.forms(this.session, this.realm, findClient, this.uriInfo).setError("emailSendError").createErrorPage();
            }
        }
        return Flows.forms(this.session, this.realm, findClient, this.uriInfo).setSuccess("emailSent").createPasswordReset();
    }

    private AccessCode getAccessCodeEntry(UserModel.RequiredAction requiredAction) {
        String str = (String) this.uriInfo.getQueryParameters().getFirst(OAuth2Constants.CODE);
        if (str == null) {
            logger.debug("Code query param not found");
            return null;
        }
        AccessCode parse = AccessCode.parse(str, this.session, this.realm);
        if (parse == null) {
            logger.debug("Access code not found");
            return null;
        }
        if (parse.isValid(requiredAction)) {
            return parse;
        }
        logger.debugv("Invalid access code", new Object[0]);
        return null;
    }

    private UserModel getUser(AccessCode accessCode) {
        return this.session.users().getUserByUsername(accessCode.getUser().getUsername(), this.realm);
    }

    private Response redirectOauth(UserModel userModel, AccessCode accessCode) {
        if (accessCode == null) {
            return null;
        }
        Set<UserModel.RequiredAction> requiredActions = userModel.getRequiredActions();
        if (!requiredActions.isEmpty()) {
            accessCode.setRequiredAction(requiredActions.iterator().next());
            return Flows.forms(this.session, this.realm, null, this.uriInfo).setAccessCode(accessCode.getCode()).setUser(userModel).createResponse(requiredActions.iterator().next());
        }
        logger.debugv("Redirecting to: {0}", accessCode.getRedirectUri());
        accessCode.setAction(ClientSessionModel.Action.CODE_TO_TOKEN);
        AuthenticationManager authenticationManager = new AuthenticationManager();
        UserSessionModel userSession = this.session.sessions().getUserSession(this.realm, accessCode.getSessionState());
        if (!AuthenticationManager.isSessionValid(this.realm, userSession)) {
            AuthenticationManager.logout(this.session, this.realm, userSession, this.uriInfo, this.clientConnection);
            return Flows.oauth(this.session, this.realm, this.request, this.uriInfo, this.clientConnection, authenticationManager, this.tokenManager).redirectError(accessCode.getClient(), "access_denied", accessCode.getState(), accessCode.getRedirectUri());
        }
        this.event.session(userSession);
        this.event.success();
        return Flows.oauth(this.session, this.realm, this.request, this.uriInfo, this.clientConnection, authenticationManager, this.tokenManager).redirectAccessCode(accessCode, userSession, accessCode.getState(), accessCode.getRedirectUri());
    }

    private void initEvent(AccessCode accessCode) {
        this.event.event(EventType.LOGIN).client(accessCode.getClient()).user(accessCode.getUser()).session(accessCode.getSessionState()).detail(Details.CODE_ID, accessCode.getCodeId()).detail("redirect_uri", accessCode.getRedirectUri()).detail("response_type", OAuth2Constants.CODE);
        UserSessionModel userSession = accessCode.getSessionState() != null ? this.session.sessions().getUserSession(this.realm, accessCode.getSessionState()) : null;
        if (userSession != null) {
            this.event.detail(Details.AUTH_METHOD, userSession.getAuthMethod());
            this.event.detail("username", userSession.getLoginUsername());
            if (userSession.isRememberMe()) {
                this.event.detail(Details.REMEMBER_ME, "true");
            }
        }
    }

    private Response unauthorized() {
        return Flows.forms(this.session, this.realm, null, this.uriInfo).setError("Unauthorized request").createErrorPage();
    }
}
