package org.keycloak.protocol.oidc;

import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.OPTIONS;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.CacheControl;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import javax.ws.rs.ext.Providers;
import org.jboss.logging.Logger;
import org.jboss.resteasy.annotations.cache.NoCache;
import org.jboss.resteasy.specimpl.MultivaluedMapImpl;
import org.jboss.resteasy.spi.BadRequestException;
import org.jboss.resteasy.spi.HttpRequest;
import org.jboss.resteasy.spi.HttpResponse;
import org.jboss.resteasy.spi.NotAcceptableException;
import org.jboss.resteasy.spi.NotFoundException;
import org.jboss.resteasy.spi.UnauthorizedException;
import org.keycloak.ClientConnection;
import org.keycloak.Config;
import org.keycloak.OAuth2Constants;
import org.keycloak.OAuthErrorException;
import org.keycloak.RSATokenVerifier;
import org.keycloak.constants.AdapterConstants;
import org.keycloak.events.Details;
import org.keycloak.events.Errors;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.login.LoginFormsProvider;
import org.keycloak.models.ApplicationModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.OAuthClientModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.UserSessionProvider;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.services.ForbiddenException;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.ClientSessionCode;
import org.keycloak.services.resources.Cors;
import org.keycloak.services.resources.RealmsResource;
import org.keycloak.services.resources.flows.Flows;
import org.keycloak.services.resources.flows.Urls;
import org.keycloak.util.BasicAuthHelper;
import org.keycloak.util.StreamUtil;
import org.keycloak.util.UriUtils;

/* loaded from: input_file:WEB-INF/lib/keycloak-services-1.1.0.Final.jar:org/keycloak/protocol/oidc/OpenIDConnectService.class */
public class OpenIDConnectService {
    protected static final Logger logger = Logger.getLogger((Class<?>) OpenIDConnectService.class);
    protected RealmModel realm;
    protected TokenManager tokenManager = new TokenManager();
    private EventBuilder event;
    protected AuthenticationManager authManager;

    @Context
    protected Providers providers;

    @Context
    protected SecurityContext securityContext;

    @Context
    protected UriInfo uriInfo;

    @Context
    protected HttpHeaders headers;

    @Context
    protected HttpRequest request;

    @Context
    protected HttpResponse response;

    @Context
    protected KeycloakSession session;

    @Context
    protected ClientConnection clientConnection;

    /* loaded from: input_file:WEB-INF/lib/keycloak-services-1.1.0.Final.jar:org/keycloak/protocol/oidc/OpenIDConnectService$FrontPageInitializer.class */
    private class FrontPageInitializer {
        protected String clientId;
        protected String redirect;
        protected String state;
        protected String scopeParam;
        protected String responseType;
        protected String loginHint;
        protected String prompt;
        protected ClientSessionModel clientSession;

        private FrontPageInitializer() {
        }

        public Response processInput() {
            OpenIDConnectService.this.event.client(this.clientId).detail("redirect_uri", this.redirect).detail("response_type", OAuth2Constants.CODE);
            if (!OpenIDConnectService.this.checkSsl()) {
                OpenIDConnectService.this.event.error(Errors.SSL_REQUIRED);
                return Flows.forwardToSecurityFailurePage(OpenIDConnectService.this.session, OpenIDConnectService.this.realm, OpenIDConnectService.this.uriInfo, "HTTPS required");
            }
            if (!OpenIDConnectService.this.realm.isEnabled()) {
                OpenIDConnectService.this.event.error(Errors.REALM_DISABLED);
                return Flows.forwardToSecurityFailurePage(OpenIDConnectService.this.session, OpenIDConnectService.this.realm, OpenIDConnectService.this.uriInfo, "Realm not enabled");
            }
            this.clientSession = null;
            ClientModel findClient = OpenIDConnectService.this.realm.findClient(this.clientId);
            if (findClient == null) {
                OpenIDConnectService.this.event.error(Errors.CLIENT_NOT_FOUND);
                return Flows.forwardToSecurityFailurePage(OpenIDConnectService.this.session, OpenIDConnectService.this.realm, OpenIDConnectService.this.uriInfo, "Unknown login requester.");
            }
            if (!findClient.isEnabled()) {
                OpenIDConnectService.this.event.error(Errors.CLIENT_DISABLED);
                return Flows.forwardToSecurityFailurePage(OpenIDConnectService.this.session, OpenIDConnectService.this.realm, OpenIDConnectService.this.uriInfo, "Login requester not enabled.");
            }
            if ((findClient instanceof ApplicationModel) && ((ApplicationModel) findClient).isBearerOnly()) {
                OpenIDConnectService.this.event.error(Errors.NOT_ALLOWED);
                return Flows.forwardToSecurityFailurePage(OpenIDConnectService.this.session, OpenIDConnectService.this.realm, OpenIDConnectService.this.uriInfo, "Bearer-only applications are not allowed to initiate browser login");
            }
            if (findClient.isDirectGrantsOnly()) {
                OpenIDConnectService.this.event.error(Errors.NOT_ALLOWED);
                return Flows.forwardToSecurityFailurePage(OpenIDConnectService.this.session, OpenIDConnectService.this.realm, OpenIDConnectService.this.uriInfo, "direct-grants-only clients are not allowed to initiate browser login");
            }
            String str = this.redirect;
            this.redirect = OpenIDConnectService.verifyRedirectUri(OpenIDConnectService.this.uriInfo, this.redirect, OpenIDConnectService.this.realm, findClient);
            if (this.redirect == null) {
                OpenIDConnectService.this.event.error(Errors.INVALID_REDIRECT_URI);
                return Flows.forwardToSecurityFailurePage(OpenIDConnectService.this.session, OpenIDConnectService.this.realm, OpenIDConnectService.this.uriInfo, "Invalid redirect_uri.");
            }
            this.clientSession = OpenIDConnectService.this.session.sessions().createClientSession(OpenIDConnectService.this.realm, findClient);
            this.clientSession.setAuthMethod(OpenIDConnect.LOGIN_PROTOCOL);
            this.clientSession.setRedirectUri(this.redirect);
            this.clientSession.setAction(ClientSessionModel.Action.AUTHENTICATE);
            this.clientSession.setNote(ClientSessionCode.ACTION_KEY, KeycloakModelUtils.generateCodeSecret());
            this.clientSession.setNote("state", this.state);
            this.clientSession.setNote("redirect_uri", str);
            if (this.scopeParam != null) {
                this.clientSession.setNote("scope", this.scopeParam);
            }
            if (this.responseType != null) {
                this.clientSession.setNote("response_type", this.responseType);
            }
            if (this.loginHint != null) {
                this.clientSession.setNote(OpenIDConnect.LOGIN_HINT_PARAM, this.loginHint);
            }
            if (this.prompt == null) {
                return null;
            }
            this.clientSession.setNote(OpenIDConnect.PROMPT_PARAM, this.prompt);
            return null;
        }
    }

    public OpenIDConnectService(RealmModel realmModel, EventBuilder eventBuilder, AuthenticationManager authenticationManager) {
        this.realm = realmModel;
        this.event = eventBuilder;
        this.authManager = authenticationManager;
    }

    public static UriBuilder tokenServiceBaseUrl(UriInfo uriInfo) {
        return tokenServiceBaseUrl(uriInfo.getBaseUriBuilder());
    }

    public static UriBuilder tokenServiceBaseUrl(UriBuilder uriBuilder) {
        return uriBuilder.path(RealmsResource.class).path("{realm}/protocol/openid-connect");
    }

    public static UriBuilder accessCodeToTokenUrl(UriInfo uriInfo) {
        return accessCodeToTokenUrl(uriInfo.getBaseUriBuilder());
    }

    public static UriBuilder accessCodeToTokenUrl(UriBuilder uriBuilder) {
        return tokenServiceBaseUrl(uriBuilder).path(OpenIDConnectService.class, "accessCodeToToken");
    }

    public static UriBuilder validateAccessTokenUrl(UriBuilder uriBuilder) {
        return tokenServiceBaseUrl(uriBuilder).path(OpenIDConnectService.class, "validateAccessToken");
    }

    public static UriBuilder grantAccessTokenUrl(UriInfo uriInfo) {
        return grantAccessTokenUrl(uriInfo.getBaseUriBuilder());
    }

    public static UriBuilder grantAccessTokenUrl(UriBuilder uriBuilder) {
        return tokenServiceBaseUrl(uriBuilder).path(OpenIDConnectService.class, "grantAccessToken");
    }

    public static UriBuilder loginPageUrl(UriInfo uriInfo) {
        return loginPageUrl(uriInfo.getBaseUriBuilder());
    }

    public static UriBuilder loginPageUrl(UriBuilder uriBuilder) {
        return tokenServiceBaseUrl(uriBuilder).path(OpenIDConnectService.class, "loginPage");
    }

    public static UriBuilder logoutUrl(UriInfo uriInfo) {
        return logoutUrl(uriInfo.getBaseUriBuilder());
    }

    public static UriBuilder logoutUrl(UriBuilder uriBuilder) {
        return tokenServiceBaseUrl(uriBuilder).path(OpenIDConnectService.class, "logout");
    }

    public static UriBuilder refreshUrl(UriBuilder uriBuilder) {
        return tokenServiceBaseUrl(uriBuilder).path(OpenIDConnectService.class, "refreshAccessToken");
    }

    @GET
    @Produces({"text/html"})
    @Path("login-status-iframe.html")
    public Response getLoginStatusIframe(@QueryParam("client_id") String str, @QueryParam("origin") String str2) {
        if (!UriUtils.isOrigin(str2)) {
            throw new BadRequestException("Invalid origin");
        }
        ClientModel findClient = this.realm.findClient(str);
        if (findClient == null) {
            throw new NotFoundException("could not find client: " + str);
        }
        InputStream resourceAsStream = getClass().getClassLoader().getResourceAsStream("login-status-iframe.html");
        if (resourceAsStream == null) {
            throw new NotFoundException("Could not find login-status-iframe.html ");
        }
        boolean z = false;
        for (String str3 : findClient.getWebOrigins()) {
            if (str3.equals(Cors.ACCESS_CONTROL_ALLOW_ORIGIN_WILDCARD) || str3.equals(str2)) {
                z = true;
                break;
            }
        }
        Iterator<String> it = resolveValidRedirects(this.uriInfo, findClient.getRedirectUris()).iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            String next = it.next();
            int indexOf = next.indexOf(47, 8);
            if (indexOf != -1) {
                next = next.substring(0, indexOf);
            }
            if (next.equals(str2)) {
                z = true;
                break;
            }
        }
        if (!z) {
            throw new BadRequestException("Invalid origin");
        }
        try {
            String replace = StreamUtil.readString(resourceAsStream).replace("ORIGIN", str2);
            CacheControl cacheControl = new CacheControl();
            cacheControl.setNoTransform(false);
            cacheControl.setMaxAge(Config.scope("theme").getInt("staticMaxAge", -1).intValue());
            return Response.ok(replace).cacheControl(cacheControl).build();
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    @Path("grants/access")
    @Consumes({"application/x-www-form-urlencoded"})
    @POST
    @Produces({"application/json"})
    public Response grantAccessToken(@HeaderParam("Authorization") String str, MultivaluedMap<String, String> multivaluedMap) {
        if (!checkSsl()) {
            return createError("https_required", "HTTPS required", Response.Status.FORBIDDEN);
        }
        if (!this.realm.isPasswordCredentialGrantAllowed()) {
            return createError("not_enabled", "Direct Grant REST API not enabled", Response.Status.FORBIDDEN);
        }
        this.event.event(EventType.LOGIN).detail(Details.AUTH_METHOD, "oauth_credentials").detail("response_type", "token");
        String str2 = (String) multivaluedMap.getFirst("username");
        if (str2 == null) {
            this.event.error(Errors.USERNAME_MISSING);
            throw new UnauthorizedException("No username");
        }
        this.event.detail("username", str2);
        UserModel findUserByNameOrEmail = KeycloakModelUtils.findUserByNameOrEmail(this.session, this.realm, str2);
        if (findUserByNameOrEmail != null) {
            this.event.user(findUserByNameOrEmail);
        }
        ClientModel authorizeClient = authorizeClient(str, multivaluedMap, this.event);
        if (!this.realm.isEnabled()) {
            this.event.error(Errors.REALM_DISABLED);
            return createError(Errors.REALM_DISABLED, "Realm is disabled", Response.Status.UNAUTHORIZED);
        }
        switch (this.authManager.authenticateForm(this.session, this.clientConnection, this.realm, multivaluedMap)) {
            case SUCCESS:
                String str3 = (String) multivaluedMap.getFirst("scope");
                UserSessionProvider sessions = this.session.sessions();
                UserSessionModel createUserSession = sessions.createUserSession(this.realm, findUserByNameOrEmail, str2, this.clientConnection.getRemoteAddr(), "oauth_credentials", false);
                this.event.session(createUserSession);
                ClientSessionModel createClientSession = sessions.createClientSession(this.realm, authorizeClient);
                createClientSession.setAuthMethod(OpenIDConnect.LOGIN_PROTOCOL);
                TokenManager.attachClientSession(createUserSession, createClientSession);
                AccessTokenResponse build = this.tokenManager.responseBuilder(this.realm, authorizeClient, this.event).generateAccessToken(str3, authorizeClient, findUserByNameOrEmail, createUserSession).generateRefreshToken().generateIDToken().build();
                this.event.success();
                return Response.ok(build, MediaType.APPLICATION_JSON_TYPE).build();
            case ACCOUNT_TEMPORARILY_DISABLED:
            case ACTIONS_REQUIRED:
                HashMap hashMap = new HashMap();
                hashMap.put("error", "invalid_grant");
                hashMap.put(OAuth2Constants.ERROR_DESCRIPTION, "AccountProvider temporarily disabled");
                this.event.error(Errors.USER_TEMPORARILY_DISABLED);
                return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(hashMap).build();
            case ACCOUNT_DISABLED:
                HashMap hashMap2 = new HashMap();
                hashMap2.put("error", "invalid_grant");
                hashMap2.put(OAuth2Constants.ERROR_DESCRIPTION, "AccountProvider disabled");
                this.event.error(Errors.USER_DISABLED);
                return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(hashMap2).build();
            default:
                HashMap hashMap3 = new HashMap();
                hashMap3.put("error", "invalid_grant");
                hashMap3.put(OAuth2Constants.ERROR_DESCRIPTION, "Invalid user credentials");
                this.event.error(Errors.INVALID_USER_CREDENTIALS);
                return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(hashMap3).build();
        }
    }

    @GET
    @Path("validate")
    @NoCache
    @Produces({"application/json"})
    public Response validateAccessToken(@QueryParam("access_token") String str) {
        if (!checkSsl()) {
            return createError("https_required", "HTTPS required", Response.Status.FORBIDDEN);
        }
        this.event.event(EventType.VALIDATE_ACCESS_TOKEN);
        try {
            AccessToken verifyToken = RSATokenVerifier.verifyToken(str, this.realm.getPublicKey(), this.realm.getName());
            this.event.user(verifyToken.getSubject()).session(verifyToken.getSessionState()).detail(Details.VALIDATE_ACCESS_TOKEN, verifyToken.getId());
            if (verifyToken.isExpired() || verifyToken.getIssuedAt() < this.realm.getNotBefore()) {
                HashMap hashMap = new HashMap();
                hashMap.put("error", "invalid_grant");
                hashMap.put(OAuth2Constants.ERROR_DESCRIPTION, "Token expired");
                this.event.error(Errors.INVALID_TOKEN);
                return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(hashMap).build();
            }
            UserModel userById = this.session.users().getUserById(verifyToken.getSubject(), this.realm);
            if (userById == null) {
                HashMap hashMap2 = new HashMap();
                hashMap2.put("error", "invalid_grant");
                hashMap2.put(OAuth2Constants.ERROR_DESCRIPTION, "User does not exist");
                this.event.error(Errors.USER_NOT_FOUND);
                return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(hashMap2).build();
            }
            if (!userById.isEnabled()) {
                HashMap hashMap3 = new HashMap();
                hashMap3.put("error", "invalid_grant");
                hashMap3.put(OAuth2Constants.ERROR_DESCRIPTION, "User disabled");
                this.event.error(Errors.USER_DISABLED);
                return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(hashMap3).build();
            }
            if (!AuthenticationManager.isSessionValid(this.realm, this.session.sessions().getUserSession(this.realm, verifyToken.getSessionState()))) {
                HashMap hashMap4 = new HashMap();
                hashMap4.put("error", "invalid_grant");
                hashMap4.put(OAuth2Constants.ERROR_DESCRIPTION, "Expired session");
                this.event.error(Errors.USER_SESSION_NOT_FOUND);
                return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(hashMap4).build();
            }
            ClientModel findClient = this.realm.findClient(verifyToken.getIssuedFor());
            if (findClient == null) {
                HashMap hashMap5 = new HashMap();
                hashMap5.put("error", "invalid_client");
                hashMap5.put(OAuth2Constants.ERROR_DESCRIPTION, "Issued for client no longer exists");
                this.event.error(Errors.CLIENT_NOT_FOUND);
                return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(hashMap5).build();
            }
            if (verifyToken.getIssuedAt() < findClient.getNotBefore()) {
                HashMap hashMap6 = new HashMap();
                hashMap6.put("error", "invalid_client");
                hashMap6.put(OAuth2Constants.ERROR_DESCRIPTION, "Issued for client no longer exists");
                this.event.error(Errors.INVALID_TOKEN);
                return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(hashMap6).build();
            }
            try {
                this.tokenManager.verifyAccess(verifyToken, this.realm, findClient, userById);
                this.event.success();
                return Response.ok(verifyToken, MediaType.APPLICATION_JSON_TYPE).build();
            } catch (OAuthErrorException e) {
                HashMap hashMap7 = new HashMap();
                hashMap7.put("error", "invalid_grant");
                hashMap7.put(OAuth2Constants.ERROR_DESCRIPTION, "Role mappings have changed");
                this.event.error(Errors.INVALID_TOKEN);
                return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(hashMap7).build();
            }
        } catch (Exception e2) {
            HashMap hashMap8 = new HashMap();
            hashMap8.put("error", "invalid_grant");
            hashMap8.put(OAuth2Constants.ERROR_DESCRIPTION, "Token invalid");
            this.event.error(Errors.INVALID_TOKEN);
            return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(hashMap8).build();
        }
    }

    @Produces({"application/json"})
    @Path("refresh")
    @OPTIONS
    public Response refreshAccessTokenPreflight() {
        if (logger.isDebugEnabled()) {
            logger.debugv("cors request from: {0}", this.request.getHttpHeaders().getRequestHeaders().getFirst(Cors.ORIGIN_HEADER));
        }
        return Cors.add(this.request, Response.ok()).auth().preflight().build();
    }

    @Path("refresh")
    @Consumes({"application/x-www-form-urlencoded"})
    @POST
    @Produces({"application/json"})
    public Response refreshAccessToken(@HeaderParam("Authorization") String str, MultivaluedMap<String, String> multivaluedMap) {
        if (!checkSsl()) {
            return createError("https_required", "HTTPS required", Response.Status.FORBIDDEN);
        }
        this.event.event(EventType.REFRESH_TOKEN);
        ClientModel authorizeClient = authorizeClient(str, multivaluedMap, this.event);
        String str2 = (String) multivaluedMap.getFirst(OAuth2Constants.REFRESH_TOKEN);
        if (str2 == null) {
            HashMap hashMap = new HashMap();
            hashMap.put("error", OAuthErrorException.INVALID_REQUEST);
            hashMap.put(OAuth2Constants.ERROR_DESCRIPTION, "No refresh token");
            this.event.error(Errors.INVALID_TOKEN);
            return Response.status(Response.Status.BAD_REQUEST).entity(hashMap).type("application/json").build();
        }
        try {
            AccessTokenResponse build = this.tokenManager.responseBuilder(this.realm, authorizeClient, this.event).accessToken(this.tokenManager.refreshAccessToken(this.session, this.uriInfo, this.clientConnection, this.realm, authorizeClient, str2, this.event)).generateIDToken().generateRefreshToken().build();
            this.event.success();
            return Cors.add(this.request, Response.ok(build, MediaType.APPLICATION_JSON_TYPE)).auth().allowedOrigins(authorizeClient).allowedMethods("POST").exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build();
        } catch (OAuthErrorException e) {
            HashMap hashMap2 = new HashMap();
            hashMap2.put("error", e.getError());
            if (e.getDescription() != null) {
                hashMap2.put(OAuth2Constants.ERROR_DESCRIPTION, e.getDescription());
            }
            this.event.error(Errors.INVALID_TOKEN);
            return Response.status(Response.Status.BAD_REQUEST).entity(hashMap2).type("application/json").build();
        }
    }

    @Produces({"application/json"})
    @Path("access/codes")
    @OPTIONS
    public Response accessCodeToTokenPreflight() {
        if (logger.isDebugEnabled()) {
            logger.debugv("cors request from: {0}", this.request.getHttpHeaders().getRequestHeaders().getFirst(Cors.ORIGIN_HEADER));
        }
        return Cors.add(this.request, Response.ok()).auth().preflight().build();
    }

    @POST
    @Produces({"application/json"})
    @Path("access/codes")
    public Response accessCodeToToken(@HeaderParam("Authorization") String str, MultivaluedMap<String, String> multivaluedMap) {
        if (!checkSsl()) {
            throw new ForbiddenException("HTTPS required");
        }
        this.event.event(EventType.CODE_TO_TOKEN);
        if (!this.realm.isEnabled()) {
            this.event.error(Errors.REALM_DISABLED);
            throw new UnauthorizedException("Realm not enabled");
        }
        String str2 = (String) multivaluedMap.getFirst(OAuth2Constants.CODE);
        if (str2 == null) {
            HashMap hashMap = new HashMap();
            hashMap.put("error", OAuthErrorException.INVALID_REQUEST);
            hashMap.put(OAuth2Constants.ERROR_DESCRIPTION, "code not specified");
            this.event.error(Errors.INVALID_CODE);
            throw new BadRequestException("Code not specified", Response.status(Response.Status.BAD_REQUEST).entity(hashMap).type("application/json").build());
        }
        ClientSessionCode parse = ClientSessionCode.parse(str2, this.session, this.realm);
        if (parse == null) {
            String[] split = str2.split("\\.");
            if (split.length == 2) {
                try {
                    this.event.detail(Details.CODE_ID, new String(split[1]));
                } catch (Throwable th) {
                }
            }
            HashMap hashMap2 = new HashMap();
            hashMap2.put("error", "invalid_grant");
            hashMap2.put(OAuth2Constants.ERROR_DESCRIPTION, "Code not found");
            this.event.error(Errors.INVALID_CODE);
            return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(hashMap2).build();
        }
        ClientSessionModel clientSession = parse.getClientSession();
        this.event.detail(Details.CODE_ID, clientSession.getId());
        if (!parse.isValid(ClientSessionModel.Action.CODE_TO_TOKEN)) {
            HashMap hashMap3 = new HashMap();
            hashMap3.put("error", "invalid_grant");
            hashMap3.put(OAuth2Constants.ERROR_DESCRIPTION, "Code is expired");
            this.event.error(Errors.INVALID_CODE);
            return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(hashMap3).build();
        }
        parse.setAction(null);
        UserSessionModel userSession = clientSession.getUserSession();
        this.event.user(userSession.getUser());
        this.event.session(userSession.getId());
        ClientModel authorizeClient = authorizeClient(str, multivaluedMap, this.event);
        String note = clientSession.getNote("redirect_uri");
        if (note != null && !note.equals(multivaluedMap.getFirst("redirect_uri"))) {
            HashMap hashMap4 = new HashMap();
            hashMap4.put("error", "invalid_grant");
            hashMap4.put(OAuth2Constants.ERROR_DESCRIPTION, "Incorrect redirect_uri");
            this.event.error(Errors.INVALID_CODE);
            return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(hashMap4).build();
        }
        if (!authorizeClient.getClientId().equals(clientSession.getClient().getClientId())) {
            HashMap hashMap5 = new HashMap();
            hashMap5.put("error", "invalid_grant");
            hashMap5.put(OAuth2Constants.ERROR_DESCRIPTION, "Auth error");
            this.event.error(Errors.INVALID_CODE);
            return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(hashMap5).build();
        }
        UserModel userById = this.session.users().getUserById(userSession.getUser().getId(), this.realm);
        if (userById == null) {
            HashMap hashMap6 = new HashMap();
            hashMap6.put("error", "invalid_grant");
            hashMap6.put(OAuth2Constants.ERROR_DESCRIPTION, "User not found");
            this.event.error(Errors.INVALID_CODE);
            return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(hashMap6).build();
        }
        if (!userById.isEnabled()) {
            HashMap hashMap7 = new HashMap();
            hashMap7.put("error", "invalid_grant");
            hashMap7.put(OAuth2Constants.ERROR_DESCRIPTION, "User disabled");
            this.event.error(Errors.INVALID_CODE);
            return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(hashMap7).build();
        }
        if (!AuthenticationManager.isSessionValid(this.realm, userSession)) {
            AuthenticationManager.logout(this.session, this.realm, userSession, this.uriInfo, this.clientConnection);
            HashMap hashMap8 = new HashMap();
            hashMap8.put("error", "invalid_grant");
            hashMap8.put(OAuth2Constants.ERROR_DESCRIPTION, "Session not active");
            this.event.error(Errors.INVALID_CODE);
            return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(hashMap8).build();
        }
        String str3 = (String) multivaluedMap.getFirst(AdapterConstants.APPLICATION_SESSION_STATE);
        if (str3 != null) {
            String str4 = (String) multivaluedMap.getFirst(AdapterConstants.APPLICATION_SESSION_HOST);
            logger.debugf("Adapter Session '%s' saved in ClientSession for client '%s'. Host is '%s'", str3, authorizeClient.getClientId(), str4);
            this.event.detail(AdapterConstants.APPLICATION_SESSION_STATE, str3);
            clientSession.setNote(AdapterConstants.APPLICATION_SESSION_STATE, str3);
            this.event.detail(AdapterConstants.APPLICATION_SESSION_HOST, str4);
            clientSession.setNote(AdapterConstants.APPLICATION_SESSION_HOST, str4);
        }
        AccessToken createClientAccessToken = this.tokenManager.createClientAccessToken(parse.getRequestedRoles(), this.realm, authorizeClient, userById, userSession);
        try {
            this.tokenManager.verifyAccess(createClientAccessToken, this.realm, authorizeClient, userById);
            AccessTokenResponse build = this.tokenManager.responseBuilder(this.realm, authorizeClient, this.event).accessToken(createClientAccessToken).generateIDToken().generateRefreshToken().build();
            this.event.success();
            return Cors.add(this.request, Response.ok(build)).auth().allowedOrigins(authorizeClient).allowedMethods("POST").exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build();
        } catch (OAuthErrorException e) {
            HashMap hashMap9 = new HashMap();
            hashMap9.put("error", e.getError());
            if (e.getDescription() != null) {
                hashMap9.put(OAuth2Constants.ERROR_DESCRIPTION, e.getDescription());
            }
            this.event.error(Errors.INVALID_CODE);
            return Response.status(Response.Status.BAD_REQUEST).entity(hashMap9).type("application/json").build();
        }
    }

    protected ClientModel authorizeClient(String str, MultivaluedMap<String, String> multivaluedMap, EventBuilder eventBuilder) {
        ClientModel authorizeClientBase = authorizeClientBase(str, multivaluedMap, eventBuilder, this.realm);
        if (!(authorizeClientBase instanceof ApplicationModel) || !((ApplicationModel) authorizeClientBase).isBearerOnly()) {
            return authorizeClientBase;
        }
        HashMap hashMap = new HashMap();
        hashMap.put("error", "invalid_client");
        hashMap.put(OAuth2Constants.ERROR_DESCRIPTION, "Bearer-only not allowed");
        eventBuilder.error("invalid_client");
        throw new BadRequestException("Bearer-only not allowed", Response.status(Response.Status.BAD_REQUEST).entity(hashMap).type("application/json").build());
    }

    public static ClientModel authorizeClientBase(String str, MultivaluedMap<String, String> multivaluedMap, EventBuilder eventBuilder, RealmModel realmModel) {
        String str2;
        String str3;
        if (str != null) {
            String[] parseHeader = BasicAuthHelper.parseHeader(str);
            if (parseHeader == null) {
                throw new UnauthorizedException("Bad Authorization header", Response.status(401).header("WWW-Authenticate", "Basic realm=\"" + realmModel.getName() + "\"").build());
            }
            str2 = parseHeader[0];
            str3 = parseHeader[1];
        } else {
            str2 = (String) multivaluedMap.getFirst("client_id");
            str3 = (String) multivaluedMap.getFirst("client_secret");
        }
        if (str2 == null) {
            HashMap hashMap = new HashMap();
            hashMap.put("error", "invalid_client");
            hashMap.put(OAuth2Constants.ERROR_DESCRIPTION, "Could not find client");
            throw new BadRequestException("Could not find client", Response.status(Response.Status.BAD_REQUEST).entity(hashMap).type("application/json").build());
        }
        eventBuilder.client(str2);
        ClientModel findClient = realmModel.findClient(str2);
        if (findClient == null) {
            HashMap hashMap2 = new HashMap();
            hashMap2.put("error", "invalid_client");
            hashMap2.put(OAuth2Constants.ERROR_DESCRIPTION, "Could not find client");
            eventBuilder.error(Errors.CLIENT_NOT_FOUND);
            throw new BadRequestException("Could not find client", Response.status(Response.Status.BAD_REQUEST).entity(hashMap2).type("application/json").build());
        }
        if (!findClient.isEnabled()) {
            HashMap hashMap3 = new HashMap();
            hashMap3.put("error", "invalid_client");
            hashMap3.put(OAuth2Constants.ERROR_DESCRIPTION, "Client is not enabled");
            eventBuilder.error(Errors.CLIENT_DISABLED);
            throw new BadRequestException("Client is not enabled", Response.status(Response.Status.BAD_REQUEST).entity(hashMap3).type("application/json").build());
        }
        if (findClient.isPublicClient() || (str3 != null && findClient.validateSecret(str3))) {
            return findClient;
        }
        HashMap hashMap4 = new HashMap();
        hashMap4.put("error", OAuthErrorException.UNAUTHORIZED_CLIENT);
        eventBuilder.error(Errors.INVALID_CLIENT_CREDENTIALS);
        throw new BadRequestException("Unauthorized Client", Response.status(Response.Status.BAD_REQUEST).entity(hashMap4).type("application/json").build());
    }

    @GET
    @Path("login")
    public Response loginPage(@QueryParam("response_type") String str, @QueryParam("redirect_uri") String str2, @QueryParam("client_id") String str3, @QueryParam("scope") String str4, @QueryParam("state") String str5, @QueryParam("prompt") String str6, @QueryParam("login_hint") String str7) {
        this.event.event(EventType.LOGIN);
        FrontPageInitializer frontPageInitializer = new FrontPageInitializer();
        frontPageInitializer.responseType = str;
        frontPageInitializer.redirect = str2;
        frontPageInitializer.clientId = str3;
        frontPageInitializer.scopeParam = str4;
        frontPageInitializer.state = str5;
        frontPageInitializer.prompt = str6;
        frontPageInitializer.loginHint = str7;
        Response processInput = frontPageInitializer.processInput();
        if (processInput != null) {
            return processInput;
        }
        ClientSessionModel clientSessionModel = frontPageInitializer.clientSession;
        Response checkNonFormAuthentication = this.authManager.checkNonFormAuthentication(this.session, clientSessionModel, this.realm, this.uriInfo, this.request, this.clientConnection, this.headers, this.event);
        if (checkNonFormAuthentication != null) {
            return checkNonFormAuthentication;
        }
        if (str6 != null && str6.equals("none")) {
            return new OpenIDConnect(this.session, this.realm, this.uriInfo).cancelLogin(clientSessionModel);
        }
        LoginFormsProvider clientSessionCode = Flows.forms(this.session, this.realm, clientSessionModel.getClient(), this.uriInfo).setClientSessionCode(new ClientSessionCode(this.realm, clientSessionModel).getCode());
        String rememberMeUsername = AuthenticationManager.getRememberMeUsername(this.realm, this.headers);
        if (str7 != null || rememberMeUsername != null) {
            MultivaluedMapImpl multivaluedMapImpl = new MultivaluedMapImpl();
            if (str7 != null) {
                multivaluedMapImpl.add("username", str7);
            } else {
                multivaluedMapImpl.add("username", rememberMeUsername);
                multivaluedMapImpl.add("rememberMe", "on");
            }
            clientSessionCode.setFormData(multivaluedMapImpl);
        }
        return clientSessionCode.createLogin();
    }

    @GET
    @Path("registrations")
    public Response registerPage(@QueryParam("response_type") String str, @QueryParam("redirect_uri") String str2, @QueryParam("client_id") String str3, @QueryParam("scope") String str4, @QueryParam("state") String str5) {
        this.event.event(EventType.REGISTER);
        if (!this.realm.isRegistrationAllowed()) {
            this.event.error(Errors.REGISTRATION_DISABLED);
            return Flows.forwardToSecurityFailurePage(this.session, this.realm, this.uriInfo, "Registration not allowed");
        }
        FrontPageInitializer frontPageInitializer = new FrontPageInitializer();
        frontPageInitializer.responseType = str;
        frontPageInitializer.redirect = str2;
        frontPageInitializer.clientId = str3;
        frontPageInitializer.scopeParam = str4;
        frontPageInitializer.state = str5;
        Response processInput = frontPageInitializer.processInput();
        if (processInput != null) {
            return processInput;
        }
        ClientSessionModel clientSessionModel = frontPageInitializer.clientSession;
        AuthenticationManager authenticationManager = this.authManager;
        AuthenticationManager.expireIdentityCookie(this.realm, this.uriInfo, this.clientConnection);
        return Flows.forms(this.session, this.realm, clientSessionModel.getClient(), this.uriInfo).setClientSessionCode(new ClientSessionCode(this.realm, clientSessionModel).getCode()).createRegistration();
    }

    @GET
    @Path("logout")
    @NoCache
    public Response logout(@QueryParam("redirect_uri") String str) {
        this.event.event(EventType.LOGOUT);
        if (str != null) {
            this.event.detail("redirect_uri", str);
        }
        AuthenticationManager.AuthResult authenticateIdentityCookie = this.authManager.authenticateIdentityCookie(this.session, this.realm, this.uriInfo, this.clientConnection, this.headers, false);
        if (authenticateIdentityCookie != null) {
            logout(authenticateIdentityCookie.getSession());
        }
        if (str == null) {
            return Response.ok().build();
        }
        String verifyRealmRedirectUri = verifyRealmRedirectUri(this.uriInfo, str, this.realm);
        return verifyRealmRedirectUri == null ? Flows.forwardToSecurityFailurePage(this.session, this.realm, this.uriInfo, "Invalid redirect uri.") : Response.status(302).location(UriBuilder.fromUri(verifyRealmRedirectUri).build(new Object[0])).build();
    }

    @POST
    @Path("logout")
    @Consumes({"application/x-www-form-urlencoded"})
    public Response logoutToken(@HeaderParam("Authorization") String str, MultivaluedMap<String, String> multivaluedMap) {
        if (!checkSsl()) {
            throw new NotAcceptableException("HTTPS required");
        }
        this.event.event(EventType.LOGOUT);
        ClientModel authorizeClient = authorizeClient(str, multivaluedMap, this.event);
        String str2 = (String) multivaluedMap.getFirst(OAuth2Constants.REFRESH_TOKEN);
        if (str2 == null) {
            HashMap hashMap = new HashMap();
            hashMap.put("error", OAuthErrorException.INVALID_REQUEST);
            hashMap.put(OAuth2Constants.ERROR_DESCRIPTION, "No refresh token");
            this.event.error(Errors.INVALID_TOKEN);
            return Response.status(Response.Status.BAD_REQUEST).entity(hashMap).type("application/json").build();
        }
        try {
            UserSessionModel userSession = this.session.sessions().getUserSession(this.realm, this.tokenManager.verifyRefreshToken(this.realm, str2).getSessionState());
            if (userSession != null) {
                logout(userSession);
            }
            return Cors.add(this.request, Response.noContent()).auth().allowedOrigins(authorizeClient).allowedMethods("POST").exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build();
        } catch (OAuthErrorException e) {
            HashMap hashMap2 = new HashMap();
            hashMap2.put("error", e.getError());
            if (e.getDescription() != null) {
                hashMap2.put(OAuth2Constants.ERROR_DESCRIPTION, e.getDescription());
            }
            this.event.error(Errors.INVALID_TOKEN);
            return Response.status(Response.Status.BAD_REQUEST).entity(hashMap2).type("application/json").build();
        }
    }

    private void logout(UserSessionModel userSessionModel) {
        AuthenticationManager authenticationManager = this.authManager;
        AuthenticationManager.logout(this.session, this.realm, userSessionModel, this.uriInfo, this.clientConnection);
        this.event.user(userSessionModel.getUser()).session(userSessionModel).success();
    }

    @GET
    @Path("oauth/oob")
    public Response installedAppUrnCallback(@QueryParam("code") String str, @QueryParam("error") String str2, @QueryParam("error_description") String str3) {
        LoginFormsProvider forms = Flows.forms(this.session, this.realm, null, this.uriInfo);
        return str != null ? forms.setClientSessionCode(str).createCode() : forms.setError(str2).createCode();
    }

    public static boolean matchesRedirects(Set<String> set, String str) {
        for (String str2 : set) {
            if (str2.endsWith(Cors.ACCESS_CONTROL_ALLOW_ORIGIN_WILDCARD)) {
                int length = str2.length() - 1;
                String substring = str2.substring(0, length);
                if (str.startsWith(substring)) {
                    return true;
                }
                if (length - 1 > 0 && substring.charAt(length - 1) == '/') {
                    length--;
                }
                if (substring.substring(0, length).equals(str)) {
                    return true;
                }
            } else if (str2.equals(str)) {
                return true;
            }
        }
        return false;
    }

    public static Set<String> getValidateRedirectUris(RealmModel realmModel) {
        HashSet hashSet = new HashSet();
        Iterator<ApplicationModel> it = realmModel.getApplications().iterator();
        while (it.hasNext()) {
            Iterator<String> it2 = it.next().getRedirectUris().iterator();
            while (it2.hasNext()) {
                hashSet.add(it2.next());
            }
        }
        Iterator<OAuthClientModel> it3 = realmModel.getOAuthClients().iterator();
        while (it3.hasNext()) {
            Iterator<String> it4 = it3.next().getRedirectUris().iterator();
            while (it4.hasNext()) {
                hashSet.add(it4.next());
            }
        }
        return hashSet;
    }

    public static String verifyRealmRedirectUri(UriInfo uriInfo, String str, RealmModel realmModel) {
        return verifyRedirectUri(uriInfo, str, realmModel, getValidateRedirectUris(realmModel));
    }

    public static String verifyRedirectUri(UriInfo uriInfo, String str, RealmModel realmModel, ClientModel clientModel) {
        return verifyRedirectUri(uriInfo, str, realmModel, clientModel.getRedirectUris());
    }

    public static String verifyRedirectUri(UriInfo uriInfo, String str, RealmModel realmModel, Set<String> set) {
        String str2;
        if (str == null) {
            if (set.size() != 1) {
                return null;
            }
            String next = set.iterator().next();
            int indexOf = next.indexOf("/*");
            if (indexOf > -1) {
                next = next.substring(0, indexOf);
            }
            str2 = next;
        } else if (set.isEmpty()) {
            logger.debug("No Redirect URIs supplied");
            str2 = null;
        } else {
            String substring = str.indexOf(63) != -1 ? str.substring(0, str.indexOf(63)) : str;
            Set<String> resolveValidRedirects = resolveValidRedirects(uriInfo, set);
            boolean matchesRedirects = matchesRedirects(resolveValidRedirects, substring);
            if (!matchesRedirects && substring.startsWith(Constants.INSTALLED_APP_URL) && substring.indexOf(58, Constants.INSTALLED_APP_URL.length()) >= 0) {
                int indexOf2 = substring.indexOf(58, Constants.INSTALLED_APP_URL.length());
                StringBuilder sb = new StringBuilder();
                sb.append(substring.substring(0, indexOf2));
                int indexOf3 = substring.indexOf(47, indexOf2);
                if (indexOf3 >= 0) {
                    sb.append(substring.substring(indexOf3));
                }
                matchesRedirects = matchesRedirects(resolveValidRedirects, sb.toString());
            }
            if (matchesRedirects && str.startsWith("/")) {
                str = relativeToAbsoluteURI(uriInfo, str);
            }
            str2 = matchesRedirects ? str : null;
        }
        return Constants.INSTALLED_APP_URN.equals(str2) ? Urls.realmInstalledAppUrnCallback(uriInfo.getBaseUri(), realmModel.getName()).toString() : str2;
    }

    public static Set<String> resolveValidRedirects(UriInfo uriInfo, Set<String> set) {
        HashSet hashSet = new HashSet();
        for (String str : set) {
            hashSet.add(str);
            if (str.startsWith("/")) {
                String relativeToAbsoluteURI = relativeToAbsoluteURI(uriInfo, str);
                logger.debugv("replacing relative valid redirect with: {0}", relativeToAbsoluteURI);
                hashSet.add(relativeToAbsoluteURI);
            }
        }
        return hashSet;
    }

    public static String relativeToAbsoluteURI(UriInfo uriInfo, String str) {
        URI baseUri = uriInfo.getBaseUri();
        String str2 = baseUri.getScheme() + "://" + baseUri.getHost();
        if (baseUri.getPort() != -1) {
            str2 = str2 + ":" + baseUri.getPort();
        }
        return str2 + str;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public boolean checkSsl() {
        return this.uriInfo.getBaseUri().getScheme().equals("https") || !this.realm.getSslRequired().isRequired(this.clientConnection);
    }

    private Response createError(String str, String str2, Response.Status status) {
        HashMap hashMap = new HashMap();
        hashMap.put("error", str);
        if (str2 != null) {
            hashMap.put(OAuth2Constants.ERROR_DESCRIPTION, str2);
        }
        return Response.status(status).entity(hashMap).type("application/json").build();
    }
}
