package org.keycloak.services.managers;

import java.nio.ByteBuffer;
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.Signature;
import java.util.HashSet;
import java.util.Set;
import org.keycloak.jose.jws.Algorithm;
import org.keycloak.jose.jws.crypto.RSAProvider;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.util.Base64Url;
import org.keycloak.util.Time;

/* loaded from: input_file:WEB-INF/lib/keycloak-services-1.0.4.Final.jar:org/keycloak/services/managers/AccessCode.class */
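/**
 * Wraps a {@link ClientSessionModel} and turns it into (or recovers it from) the opaque
 * code string handed to the browser.
 *
 * <p>The code has the form {@code <hash>.<base64url(clientSessionId)>}. The hash is derived
 * from server-side session state with the realm's private key, so a presented code is
 * accepted only when the hash recomputed from the stored session matches.
 *
 * <p>{@link #parse} authenticates the code only. It does not check the expected action or
 * the lifetime; callers must still call {@link #isValid(ClientSessionModel.Action)}.
 */
public class AccessCode {
    /**
     * Explicit charset for every String/byte conversion, so the produced code does not
     * depend on the platform default charset of the node that generates or verifies it.
     */
    private static final Charset UTF_8 = Charset.forName("UTF-8");

    private final RealmModel realm;
    private final ClientSessionModel clientSession;

    /**
     * @param realmModel realm whose key and lifespan settings apply to the code
     * @param clientSessionModel client session the code refers to
     */
    public AccessCode(RealmModel realmModel, ClientSessionModel clientSessionModel) {
        this.realm = realmModel;
        this.clientSession = clientSessionModel;
    }

    /**
     * Recovers the {@code AccessCode} for a code string received from a client.
     *
     * <p>The input is untrusted. Any malformed input, unknown session or hash mismatch
     * yields {@code null}; the reason is deliberately not distinguished to the caller.
     *
     * @param str code string as produced by {@link #getCode()}, may be {@code null}
     * @param keycloakSession session used to look up the client session
     * @param realmModel realm the code is expected to belong to
     * @return the matching access code, or {@code null} if the code is not accepted
     */
    public static AccessCode parse(String str, KeycloakSession keycloakSession, RealmModel realmModel) {
        if (str == null) {
            return null;
        }
        try {
            String[] parts = str.split("\\.");
            if (parts.length < 2) {
                return null;
            }
            String clientSessionId = new String(Base64Url.decode(parts[1]), UTF_8);
            ClientSessionModel clientSession = keycloakSession.sessions().getClientSession(realmModel, clientSessionId);
            if (clientSession == null) {
                return null;
            }
            // Compare with MessageDigest.isEqual rather than String.equals: equals() returns at
            // the first differing character, which lets response timing reveal how much of a
            // guessed hash is correct.
            byte[] expected = createSignatureHash(realmModel, clientSession).getBytes(UTF_8);
            byte[] presented = parts[0].getBytes(UTF_8);
            if (MessageDigest.isEqual(expected, presented)) {
                return new AccessCode(realmModel, clientSession);
            }
            return null;
        } catch (RuntimeException e) {
            // Decoding, lookup and signing failures all end here and are reported as "no such
            // code". NOTE(review): a signing failure (wrapped by createSignatureHash) is also
            // hidden this way; consider logging it so a broken realm key is not silent.
            return null;
        }
    }

    /** @return the id of the underlying client session */
    public String getCodeId() {
        return this.clientSession.getId();
    }

    /** @return the user of the user session attached to the client session */
    public UserModel getUser() {
        return this.clientSession.getUserSession().getUser();
    }

    /** @return the id of the user session attached to the client session */
    public String getSessionState() {
        return this.clientSession.getUserSession().getId();
    }

    /**
     * Checks validity for the client-session action that corresponds to a required action.
     *
     * @throws IllegalArgumentException if the required action has no corresponding action
     */
    public boolean isValid(UserModel.RequiredAction requiredAction) {
        return isValid(convertToAction(requiredAction));
    }

    /**
     * Checks that the session is currently in the expected action and has not expired.
     *
     * @param action the action the caller expects the session to be in
     * @return {@code true} only if the stored action equals {@code action} and the stored
     *     timestamp plus the applicable realm lifespan is still later than the current time
     */
    public boolean isValid(ClientSessionModel.Action action) {
        ClientSessionModel.Action current = this.clientSession.getAction();
        if (current == null || !current.equals(action)) {
            return false;
        }
        // CODE_TO_TOKEN uses the access-code lifespan; every other action uses the
        // user-action lifespan.
        long lifespan = current.equals(ClientSessionModel.Action.CODE_TO_TOKEN)
                ? this.realm.getAccessCodeLifespan()
                : this.realm.getAccessCodeLifespanUserAction();
        // Widen to long so a large timestamp or lifespan cannot wrap negative and make an
        // expired code look valid (or the reverse).
        return (long) this.clientSession.getTimestamp() + lifespan > Time.currentTime();
    }

    /**
     * Resolves the role ids stored on the client session against the realm.
     *
     * @return the roles that still exist in the realm; ids that no longer resolve are skipped
     */
    public Set<RoleModel> getRequestedRoles() {
        Set<RoleModel> requested = new HashSet<RoleModel>();
        Set<String> roleIds = this.clientSession.getRoles();
        if (roleIds == null) {
            return requested;
        }
        for (String roleId : roleIds) {
            // Look the role up once; the role may have been removed since the session was created.
            RoleModel role = this.realm.getRoleById(roleId);
            if (role != null) {
                requested.add(role);
            }
        }
        return requested;
    }

    /** @return the client the session belongs to */
    public ClientModel getClient() {
        return this.clientSession.getClient();
    }

    /** @return the state value stored on the client session */
    public String getState() {
        return this.clientSession.getState();
    }

    /** @return the redirect URI stored on the client session */
    public String getRedirectUri() {
        return this.clientSession.getRedirectUri();
    }

    /** @return the action currently stored on the client session, possibly {@code null} */
    public ClientSessionModel.Action getAction() {
        return this.clientSession.getAction();
    }

    /**
     * Stores a new action and resets the session timestamp to the current time, which
     * restarts the lifetime checked by {@link #isValid(ClientSessionModel.Action)}.
     */
    public void setAction(ClientSessionModel.Action action) {
        this.clientSession.setAction(action);
        this.clientSession.setTimestamp(Time.currentTime());
    }

    /**
     * Stores the action corresponding to a required action; see {@link #setAction}.
     *
     * @throws IllegalArgumentException if the required action has no corresponding action
     */
    public void setRequiredAction(UserModel.RequiredAction requiredAction) {
        setAction(convertToAction(requiredAction));
    }

    /** Maps a user required action onto the client-session action of the same name. */
    private ClientSessionModel.Action convertToAction(UserModel.RequiredAction requiredAction) {
        switch (requiredAction) {
            case CONFIGURE_TOTP:
                return ClientSessionModel.Action.CONFIGURE_TOTP;
            case UPDATE_PASSWORD:
                return ClientSessionModel.Action.UPDATE_PASSWORD;
            case UPDATE_PROFILE:
                return ClientSessionModel.Action.UPDATE_PROFILE;
            case VERIFY_EMAIL:
                return ClientSessionModel.Action.VERIFY_EMAIL;
            default:
                throw new IllegalArgumentException("Unknown required action " + requiredAction);
        }
    }

    /**
     * Builds the code string for the current session state.
     *
     * @return {@code <hash>.<base64url(clientSessionId)>}
     */
    public String getCode() {
        String encodedId = Base64Url.encode(this.clientSession.getId().getBytes(UTF_8));
        return createSignatureHash(this.realm, this.clientSession) + "." + encodedId;
    }

    /**
     * Derives the hash part of the code: an RS256 signature over session state, made with
     * the realm private key, then shortened with a digest and base64url-encoded.
     *
     * @throws RuntimeException wrapping any failure of the signature or digest provider
     */
    private static String createSignatureHash(RealmModel realmModel, ClientSessionModel clientSessionModel) {
        try {
            Signature signature = Signature.getInstance(RSAProvider.getJavaAlgorithm(Algorithm.RS256));
            signature.initSign(realmModel.getPrivateKey());
            signature.update(clientSessionModel.getId().getBytes(UTF_8));
            // NOTE(review): after putInt() the buffer's position equals its limit, and
            // Signature.update(ByteBuffer) consumes only remaining() bytes, so this call feeds
            // zero bytes: the timestamp is NOT covered by the hash, only the id and the action
            // are. Adding flip() would bind it, but changes every code value; that must be
            // rolled out to all nodes together and checked against callers that refresh the
            // timestamp after issuing a code. Left unchanged here for that reason.
            signature.update(ByteBuffer.allocate(4).putInt(clientSessionModel.getTimestamp()));
            if (clientSessionModel.getAction() != null) {
                signature.update(clientSessionModel.getAction().toString().getBytes(UTF_8));
            }
            byte[] signed = signature.sign();
            // NOTE(review): SHA-1 is used only to shorten the signature, but it is a deprecated
            // digest; moving to SHA-256 changes the code length and format, so it is flagged
            // rather than changed.
            MessageDigest messageDigest = MessageDigest.getInstance("sha-1");
            messageDigest.update(signed);
            return Base64Url.encode(messageDigest.digest());
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }
}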
