package org.keycloak.protocol.oidc.endpoints;

import java.util.List;
import javax.ws.rs.GET;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import org.jboss.logging.Logger;
import org.jboss.resteasy.specimpl.MultivaluedMapImpl;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.ClientConnection;
import org.keycloak.constants.AdapterConstants;
import org.keycloak.events.Errors;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.login.LoginFormsProvider;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.utils.RedirectUtils;
import org.keycloak.services.ErrorPageException;
import org.keycloak.services.Urls;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.ClientSessionCode;
import org.keycloak.services.managers.HttpAuthenticationManager;
import org.keycloak.services.messages.Messages;

/* loaded from: input_file:WEB-INF/lib/keycloak-services-1.2.0.Final.jar:org/keycloak/protocol/oidc/endpoints/AuthorizationEndpoint.class */
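/**
 * OIDC authorization endpoint for the authorization-code flow.
 *
 * <p>Decompiled from {@code keycloak-services-1.2.0.Final.jar}. A request is handled in a fixed
 * order: the query parameters are read into fields, the request is validated (TLS, realm, client,
 * {@code response_type}, {@code redirect_uri}) with every failure both recorded on the
 * {@link EventBuilder} and surfaced as an {@link ErrorPageException}, then a client session is
 * created and the response for the selected {@link Action} is built.
 *
 * <p>The instance is request-scoped and mutable: the parsed parameters live in fields, so one
 * instance must never be shared between requests.
 */
public class AuthorizationEndpoint {
    private static final Logger logger = Logger.getLogger(AuthorizationEndpoint.class);

    // Injected by the JAX-RS runtime.
    @Context
    private KeycloakSession session;

    @Context
    private HttpRequest request;

    @Context
    private HttpHeaders headers;

    @Context
    private UriInfo uriInfo;

    @Context
    private ClientConnection clientConnection;

    // Supplied by the constructor.
    private final AuthenticationManager authManager;
    private final RealmModel realm;
    private final EventBuilder event;

    // Per-request state, filled in by build() and the check*() methods.
    private ClientModel client;
    private ClientSessionModel clientSession;
    private Action action;
    private String clientId;
    private String redirectUri;       // value accepted by RedirectUtils.verifyRedirectUri
    private String redirectUriParam;  // raw redirect_uri query parameter, as sent
    private String responseType;
    private String state;
    private String scope;
    private String loginHint;
    private String prompt;
    private String idpHint;
    private String legacyResponseType;

    /**
     * What the request asks the endpoint to render. The decompiler reports this enum was
     * {@code private} in the original source; it is kept public here so the decompiled
     * interface is unchanged.
     */
    public enum Action {
        REGISTER,
        CODE
    }

    /**
     * Creates the endpoint and tags the event as a {@link EventType#LOGIN}; {@link #register()}
     * re-tags it as a registration.
     *
     * @param authenticationManager used to detect an existing (cookie-based) session
     * @param realmModel the realm the request is made against
     * @param eventBuilder receives the outcome of every check performed on the request
     */
    public AuthorizationEndpoint(AuthenticationManager authenticationManager, RealmModel realmModel, EventBuilder eventBuilder) {
        this.authManager = authenticationManager;
        this.realm = realmModel;
        this.event = eventBuilder;
        eventBuilder.event(EventType.LOGIN);
    }

    /**
     * Handles {@code GET} on the authorization endpoint.
     *
     * <p>Only {@code response_type=code} is accepted (see {@link #checkResponseType()}), so
     * implicit and hybrid requests are rejected before any session state is created.
     *
     * @return the login page, the registration page, a redirect to an identity provider, or an
     *     error page, depending on the validated request
     * @throws ErrorPageException when a check fails; the reason has already been recorded on the
     *     event by the time it is thrown
     */
    @GET
    public Response build() {
        MultivaluedMap<String, String> params = this.uriInfo.getQueryParameters();
        this.clientId = params.getFirst("client_id");
        this.responseType = params.getFirst("response_type");
        this.redirectUriParam = params.getFirst("redirect_uri");
        this.state = params.getFirst("state");
        this.scope = params.getFirst("scope");
        this.loginHint = params.getFirst(OIDCLoginProtocol.LOGIN_HINT_PARAM);
        this.prompt = params.getFirst(OIDCLoginProtocol.PROMPT_PARAM);
        this.idpHint = params.getFirst(AdapterConstants.KC_IDP_HINT);

        // Order matters: the client must be resolved before redirect_uri can be checked against
        // its registered URIs, and checkResponseType() fixes the default action.
        checkSsl();
        checkRealm();
        checkClient();
        checkResponseType();
        checkRedirectUri();
        createClientSession();

        // action is non-null here: register() sets it, otherwise checkResponseType() defaults it.
        switch (this.action) {
            case REGISTER:
                return buildRegister();
            case CODE:
                return buildAuthorizationCodeAuthorizationResponse();
            default:
                // Unreachable for the current enum constants. IllegalStateException is a
                // RuntimeException, so existing catch clauses keep working.
                throw new IllegalStateException("Unknown action " + this.action);
        }
    }

    /**
     * Marks the request as arriving through a deprecated path whose {@code response_type} is
     * implied by the path instead of a query parameter.
     *
     * @param responseType the response type implied by the legacy path; consulted only when the
     *     request carries no {@code response_type} parameter
     * @return this endpoint, for chaining
     */
    public AuthorizationEndpoint legacy(String responseType) {
        logger.warnv("Invoking deprecated endpoint {0}", this.uriInfo.getRequestUri());
        this.legacyResponseType = responseType;
        return this;
    }

    /**
     * Switches the request to the self-registration flow.
     *
     * @return this endpoint, for chaining
     * @throws ErrorPageException if the realm does not allow self-registration
     */
    public AuthorizationEndpoint register() {
        this.event.event(EventType.REGISTER);
        this.action = Action.REGISTER;
        if (!this.realm.isRegistrationAllowed()) {
            throw new ErrorPageException(this.session, Messages.REGISTRATION_NOT_ALLOWED);
        }
        return this;
    }

    /**
     * Enforces the realm's SSL policy for this connection.
     *
     * <p>The scheme is read from the request base URI. NOTE(review): behind a TLS-terminating
     * proxy this only works if the container is configured to trust the forwarded scheme;
     * confirm that in deployments where the realm requires SSL.
     *
     * @throws ErrorPageException if the request is plain HTTP and the policy requires HTTPS
     */
    private void checkSsl() {
        boolean isHttps = "https".equals(this.uriInfo.getBaseUri().getScheme());
        if (isHttps || !this.realm.getSslRequired().isRequired(this.clientConnection)) {
            return;
        }
        this.event.error(Errors.SSL_REQUIRED);
        throw new ErrorPageException(this.session, Messages.HTTPS_REQUIRED);
    }

    /**
     * Rejects requests against a disabled realm.
     *
     * @throws ErrorPageException if the realm is not enabled
     */
    private void checkRealm() {
        if (this.realm.isEnabled()) {
            return;
        }
        this.event.error(Errors.REALM_DISABLED);
        throw new ErrorPageException(this.session, Messages.REALM_NOT_ENABLED);
    }

    /**
     * Resolves {@code client_id} to a client of this realm and refuses clients that are not
     * allowed to use the browser flow (bearer-only and direct-grants-only clients).
     *
     * <p>On success the client is also published on the session context.
     *
     * @throws ErrorPageException if the parameter is missing, unknown, or the client may not use
     *     this endpoint
     */
    private void checkClient() {
        if (this.clientId == null) {
            this.event.error("invalid_request");
            throw new ErrorPageException(this.session, Messages.MISSING_PARAMETER, "client_id");
        }
        this.event.client(this.clientId);
        this.client = this.realm.getClientByClientId(this.clientId);
        if (this.client == null) {
            this.event.error(Errors.CLIENT_NOT_FOUND);
            throw new ErrorPageException(this.session, Messages.CLIENT_NOT_FOUND);
        }
        if (this.client.isBearerOnly()) {
            this.event.error(Errors.NOT_ALLOWED);
            throw new ErrorPageException(this.session, Messages.BEARER_ONLY);
        }
        if (this.client.isDirectGrantsOnly()) {
            this.event.error(Errors.NOT_ALLOWED);
            throw new ErrorPageException(this.session, Messages.DIRECT_GRANTS_ONLY);
        }
        this.session.getContext().setClient(this.client);
    }

    /**
     * Validates {@code response_type}, falling back to the value set by {@link #legacy(String)}
     * when the parameter is absent. Only {@code code} is accepted; if no action was chosen yet
     * (i.e. {@link #register()} was not called) the action defaults to {@link Action#CODE}.
     *
     * @throws ErrorPageException if the response type is missing or not {@code code}
     */
    private void checkResponseType() {
        if (this.responseType == null) {
            if (this.legacyResponseType == null) {
                this.event.error("invalid_request");
                throw new ErrorPageException(this.session, Messages.MISSING_PARAMETER, "response_type");
            }
            this.responseType = this.legacyResponseType;
        }
        // Recorded before validation so a rejected value still shows up in the event.
        this.event.detail("response_type", this.responseType);
        if (!"code".equals(this.responseType)) {
            this.event.error("invalid_request");
            throw new ErrorPageException(this.session, Messages.INVALID_PARAMETER, "response_type");
        }
        if (this.action == null) {
            this.action = Action.CODE;
        }
    }

    /**
     * Validates {@code redirect_uri} against the client's registered redirect URIs via
     * {@link RedirectUtils#verifyRedirectUri}. Rejecting unregistered values here is what keeps
     * the authorization code from being delivered to a URI chosen by the requester; the
     * accepted value (not the raw parameter) becomes the client session's redirect target.
     *
     * @throws ErrorPageException if the parameter is not accepted for this client
     */
    private void checkRedirectUri() {
        this.event.detail("redirect_uri", this.redirectUriParam);
        this.redirectUri = RedirectUtils.verifyRedirectUri(this.uriInfo, this.redirectUriParam, this.realm, this.client);
        if (this.redirectUri == null) {
            this.event.error(Errors.INVALID_REDIRECT_URI);
            throw new ErrorPageException(this.session, Messages.INVALID_PARAMETER, "redirect_uri");
        }
    }

    /**
     * Creates the client session that carries the validated request through the login steps.
     *
     * <p>The session records the verified redirect URI as its target and keeps the raw
     * {@code redirect_uri} parameter as a separate note; {@code state} is kept so it can be
     * echoed back to the client, and the {@link ClientSessionCode#ACTION_KEY} note receives a
     * freshly generated secret (presumably bound into the authorization code by
     * {@link ClientSessionCode} — not visible here). Optional parameters are stored only when
     * present.
     */
    private void createClientSession() {
        this.clientSession = this.session.sessions().createClientSession(this.realm, this.client);
        this.clientSession.setAuthMethod(OIDCLoginProtocol.LOGIN_PROTOCOL);
        this.clientSession.setRedirectUri(this.redirectUri);
        this.clientSession.setAction(ClientSessionModel.Action.AUTHENTICATE);
        this.clientSession.setNote(ClientSessionCode.ACTION_KEY, KeycloakModelUtils.generateCodeSecret());
        this.clientSession.setNote("response_type", this.responseType);
        this.clientSession.setNote("redirect_uri", this.redirectUriParam);
        this.clientSession.setNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(this.uriInfo.getBaseUri(), this.realm.getName()));
        setNoteIfPresent("state", this.state);
        setNoteIfPresent("scope", this.scope);
        setNoteIfPresent(OIDCLoginProtocol.LOGIN_HINT_PARAM, this.loginHint);
        setNoteIfPresent(OIDCLoginProtocol.PROMPT_PARAM, this.prompt);
        setNoteIfPresent(AdapterConstants.KC_IDP_HINT, this.idpHint);
    }

    /** Stores {@code value} under {@code key} on the client session unless it is {@code null}. */
    private void setNoteIfPresent(String key, String value) {
        if (value != null) {
            this.clientSession.setNote(key, value);
        }
    }

    /**
     * Builds the response for {@link Action#CODE}.
     *
     * <p>Decision order, which is significant: an explicit {@code kc_idp_hint} is honoured first
     * (before any existing session is looked for), then an existing cookie-based session, then
     * a SPNEGO answer, then {@code prompt=none} (which cancels instead of showing a form), then
     * an identity provider flagged "authenticate by default", then — for realms with no
     * credentials of their own — a lone identity provider, and finally the login form.
     *
     * @return a redirect, a cancelled-login response, a login page, or an error page
     */
    private Response buildAuthorizationCodeAuthorizationResponse() {
        String code = new ClientSessionCode(this.realm, this.clientSession).getCode();

        if (this.idpHint != null && !this.idpHint.isEmpty()) {
            if (this.realm.getIdentityProviderByAlias(this.idpHint) == null) {
                // idpHint is untrusted request input; the template is responsible for escaping it.
                return errorPage(Messages.IDENTITY_PROVIDER_NOT_FOUND, this.idpHint);
            }
            return buildRedirectToIdentityProvider(this.idpHint, code);
        }

        Response existingSession = this.authManager.checkNonFormAuthentication(
                this.session, this.clientSession, this.realm, this.uriInfo, this.request,
                this.clientConnection, this.headers, this.event);
        if (existingSession != null) {
            return existingSession;
        }

        HttpAuthenticationManager.HttpAuthOutput spnego = new HttpAuthenticationManager(
                this.session, this.clientSession, this.realm, this.uriInfo, this.request,
                this.clientConnection, this.event).spnegoAuthenticate(this.headers);
        if (spnego.getResponse() != null) {
            return spnego.getResponse();
        }

        // No session could be established without user interaction, so prompt=none must fail.
        if ("none".equals(this.prompt)) {
            return new OIDCLoginProtocol(this.session, this.realm, this.uriInfo, this.headers, this.event)
                    .cancelLogin(this.clientSession);
        }

        List<IdentityProviderModel> identityProviders = this.realm.getIdentityProviders();
        for (IdentityProviderModel provider : identityProviders) {
            if (provider.isAuthenticateByDefault()) {
                return buildRedirectToIdentityProvider(provider.getAlias(), code);
            }
        }

        if (this.realm.getRequiredCredentials().isEmpty()) {
            return redirectToSoleIdentityProvider(identityProviders, code);
        }

        LoginFormsProvider loginForm = loginForms().setClientSessionCode(code);
        if (spnego.getChallenge() != null) {
            spnego.getChallenge().sendChallenge(loginForm);
        }
        prefillUsername(loginForm);
        return loginForm.createLogin();
    }

    /**
     * Chooses where to send a user when the realm has no credentials of its own: the only
     * identity provider if there is exactly one, otherwise an error page.
     */
    private Response redirectToSoleIdentityProvider(List<IdentityProviderModel> identityProviders, String code) {
        if (identityProviders.isEmpty()) {
            return errorPage(Messages.REALM_SUPPORTS_NO_CREDENTIALS, this.realm.getName());
        }
        if (identityProviders.size() == 1) {
            return buildRedirectToIdentityProvider(identityProviders.get(0).getAlias(), code);
        }
        return errorPage(Messages.IDENTITY_PROVIDER_NOT_UNIQUE, this.realm.getName());
    }

    /**
     * Pre-fills the username field from {@code login_hint}, or else from the remember-me cookie
     * (which also ticks the remember-me box). Both values are request-controlled input and are
     * left to the login template to escape.
     */
    private void prefillUsername(LoginFormsProvider loginForm) {
        String rememberMeUsername = AuthenticationManager.getRememberMeUsername(this.realm, this.headers);
        if (this.loginHint == null && rememberMeUsername == null) {
            return;
        }
        MultivaluedMapImpl formData = new MultivaluedMapImpl();
        if (this.loginHint != null) {
            formData.add("username", this.loginHint);
        } else {
            formData.add("username", rememberMeUsername);
            formData.add("rememberMe", "on");
        }
        loginForm.setFormData(formData);
    }

    /** Renders an error page for {@code message}, formatted with the single {@code parameter}. */
    private Response errorPage(String message, String parameter) {
        return loginForms().setError(message, parameter).createErrorPage();
    }

    /** Obtains the login-form provider for the current session. */
    private LoginFormsProvider loginForms() {
        return this.session.getProvider(LoginFormsProvider.class);
    }

    /**
     * Builds the response for {@link Action#REGISTER}: any existing identity cookie is expired
     * first so the registration does not run inside a stale session.
     *
     * @return the registration page bound to this client session
     */
    private Response buildRegister() {
        AuthenticationManager.expireIdentityCookie(this.realm, this.uriInfo, this.clientConnection);
        String code = new ClientSessionCode(this.realm, this.clientSession).getCode();
        return loginForms().setClientSessionCode(code).createRegistration();
    }

    /**
     * Redirects the browser to the broker endpoint for the given identity provider.
     *
     * @param providerAlias alias of a provider configured on this realm
     * @param code the client session code to carry through the brokered login
     * @return a 307 redirect to the provider's authentication request URL
     */
    private Response buildRedirectToIdentityProvider(String providerAlias, String code) {
        logger.debug("Automatically redirect to identity provider: " + providerAlias);
        return Response.temporaryRedirect(
                Urls.identityProviderAuthnRequest(this.uriInfo.getBaseUri(), providerAlias, this.realm.getName(), code))
                .build();
    }
}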
