package org.keycloak.services.resources;

import java.io.IOException;
import java.net.URISyntaxException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import org.jboss.logging.Logger;
import org.jboss.resteasy.specimpl.MultivaluedMapImpl;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.ClientConnection;
import org.keycloak.events.Details;
import org.keycloak.events.Errors;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.AccountRoles;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelDuplicateException;
import org.keycloak.models.RealmModel;
import org.keycloak.models.SocialLinkModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.ClientSessionCode;
import org.keycloak.services.managers.EventsManager;
import org.keycloak.services.managers.RealmManager;
import org.keycloak.services.resources.flows.Flows;
import org.keycloak.services.resources.flows.Urls;
import org.keycloak.social.AuthCallback;
import org.keycloak.social.SocialAccessDeniedException;
import org.keycloak.social.SocialLoader;
import org.keycloak.social.SocialProvider;
import org.keycloak.social.SocialProviderConfig;
import org.keycloak.social.SocialProviderException;
import org.keycloak.social.SocialUser;
import twitter4j.internal.http.HttpResponseCode;

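/**
 * JAX-RS resource for social (third-party identity provider) login.
 *
 * <p>Two endpoints are exposed under {@code /social}:
 * <ul>
 *   <li>{@code GET /social/{realm}/login} starts the flow and redirects the browser to the
 *       selected social provider;</li>
 *   <li>{@code GET /social/callback} receives the provider's response, then either links the
 *       social identity to the user already attached to the client session, or logs in
 *       (creating on first use) the user mapped to that social identity.</li>
 * </ul>
 *
 * <p>Both endpoints take a client-session code from the query string ({@code code} and
 * {@code state} respectively) and refuse to continue unless it parses and is valid for the
 * action expected at that step.
 */
@Path("/social")
/* loaded from: input_file:WEB-INF/lib/keycloak-services-1.1.0.Beta2.jar:org/keycloak/services/resources/SocialResource.class */
public class SocialResource {
    protected static Logger logger = Logger.getLogger((Class<?>) SocialResource.class);

    @Context
    protected UriInfo uriInfo;

    @Context
    protected HttpHeaders headers;

    @Context
    private HttpRequest request;

    @Context
    protected KeycloakSession session;

    @Context
    protected ClientConnection clientConnection;

    /**
     * Pre-flight checks run before the browser is sent to a social provider.
     *
     * <p>On failure {@link #response} holds the error page to return; on success
     * {@link #clientCode} holds the parsed client-session code.
     */
    /* loaded from: input_file:WEB-INF/lib/keycloak-services-1.1.0.Beta2.jar:org/keycloak/services/resources/SocialResource$Checks.class */
    private class Checks {
        // Parsed client-session code; set once the realm checks have passed.
        ClientSessionCode clientCode;
        // Error response for the caller to return when check() reports failure.
        Response response;

        private Checks() {
        }

        /**
         * Returns true when the request's base URI uses https, or when the realm's SSL policy
         * does not require it for this client connection.
         */
        private boolean checkSsl(RealmModel realmModel) {
            // NOTE(review): the decision rests on the scheme of the base URI as seen by this
            // server; behind a TLS-terminating proxy that depends on deployment config - confirm.
            return SocialResource.this.uriInfo.getBaseUri().getScheme().equals("https") || !realmModel.getSslRequired().isRequired(SocialResource.this.clientConnection);
        }

        /**
         * Validates transport, realm state and the client-session code.
         *
         * @param eventBuilder event that receives the error type on failure
         * @param realmModel   realm the request is addressed to
         * @param str          client-session code taken from the request
         * @param action       action the code must currently be valid for
         * @return {@code true} only when every check passed; otherwise {@code false}, with
         *         {@link #response} set to the failure page
         */
        boolean check(EventBuilder eventBuilder, RealmModel realmModel, String str, ClientSessionModel.Action action) {
            if (!checkSsl(realmModel)) {
                eventBuilder.error(Errors.SSL_REQUIRED);
                this.response = Flows.forwardToSecurityFailurePage(SocialResource.this.session, realmModel, SocialResource.this.uriInfo, "HTTPS required");
                return false;
            }
            if (!realmModel.isEnabled()) {
                eventBuilder.error(Errors.REALM_DISABLED);
                this.response = Flows.forwardToSecurityFailurePage(SocialResource.this.session, realmModel, SocialResource.this.uriInfo, "Realm not enabled.");
                return false;
            }
            this.clientCode = ClientSessionCode.parse(str, SocialResource.this.session, realmModel);
            if (this.clientCode == null) {
                eventBuilder.error(Errors.INVALID_CODE);
                this.response = Flows.forwardToSecurityFailurePage(SocialResource.this.session, realmModel, SocialResource.this.uriInfo, "Unknown code, please login again through your application.");
                return false;
            }
            if (!this.clientCode.isValid(action)) {
                eventBuilder.error(Errors.INVALID_CODE);
                this.response = Flows.forwardToSecurityFailurePage(SocialResource.this.session, realmModel, SocialResource.this.uriInfo, "Invalid code, please login again through your application.");
                // Fail closed: a code that is not valid for the expected action must stop the
                // flow. Reporting success here would make the caller discard the failure page
                // and continue with the rejected code.
                return false;
            }
            return true;
        }
    }

    /**
     * Handles the redirect back from the social provider.
     *
     * <p>The {@code state} parameter is parsed as a client-session code and must be valid for
     * {@code SOCIAL_CALLBACK}; the provider is taken from the client session's
     * {@code social_provider} note, not from the request. After the provider has processed
     * the callback:
     * <ul>
     *   <li>if the client session already carries a user session, the social identity is linked
     *       to that user (refused when the identity is already linked, the user is disabled, or
     *       the user lacks the account-management {@code MANAGE_ACCOUNT} role);</li>
     *   <li>otherwise the user mapped to the social identity is logged in, and created first if
     *       no such mapping exists.</li>
     * </ul>
     *
     * @param str value of the {@code state} query parameter
     * @return a redirect, a login/error form or a security-failure page; any unexpected
     *         {@link Throwable} is logged and turned into a generic "Unexpected callback" page
     */
    @GET
    @Path("callback")
    public Response callback(@QueryParam("state") String str) throws URISyntaxException, IOException {
        try {
            ClientSessionCode clientCode = ClientSessionCode.parse(str, this.session);
            if (clientCode == null) {
                return Flows.forms(this.session, null, null, this.uriInfo).setError("Unexpected callback").createErrorPage();
            }
            ClientSessionModel clientSession = clientCode.getClientSession();
            if (!clientCode.isValid(ClientSessionModel.Action.SOCIAL_CALLBACK)) {
                return Flows.forwardToSecurityFailurePage(this.session, clientSession.getRealm(), this.uriInfo, "Invalid code, please login again through your application.");
            }
            // A missing or unknown note makes load() return null (see redirectToProviderAuth);
            // the resulting NullPointerException is handled by the outer catch below.
            SocialProvider provider = SocialLoader.load(clientSession.getNote("social_provider"));
            String authMethod = "social@" + provider.getId();
            RealmModel realm = clientSession.getRealm();
            EventBuilder event = new EventsManager(realm, this.session, this.clientConnection).createEventBuilder().event(EventType.LOGIN).client(clientSession.getClient()).detail("redirect_uri", clientSession.getRedirectUri()).detail(Details.AUTH_METHOD, authMethod);
            if (!realm.isEnabled()) {
                event.error(Errors.REALM_DISABLED);
                return Flows.forwardToSecurityFailurePage(this.session, realm, this.uriInfo, "Realm not enabled.");
            }
            try {
                // Provider key and secret come from the realm's social config; the secret must
                // never be logged or copied into event details.
                SocialProviderConfig providerConfig = new SocialProviderConfig(realm.getSocialConfig().get(provider.getId() + ".key"), realm.getSocialConfig().get(provider.getId() + ".secret"), Urls.socialCallback(this.uriInfo.getBaseUri()).toString());
                SocialUser socialUser = provider.processCallback(clientSession, providerConfig, new AuthCallback(getQueryParams()));
                event.detail("username", socialUser.getId() + "@" + provider.getId());
                try {
                    SocialLinkModel socialLink = new SocialLinkModel(provider.getId(), socialUser.getId(), socialUser.getUsername());
                    UserModel linkedUser = this.session.users().getUserBySocialLink(socialLink, realm);
                    if (clientSession.getUserSession() != null) {
                        // Account-linking branch: attach the social identity to the user that
                        // is already bound to this client session.
                        UserModel sessionUser = clientSession.getUserSession().getUser();
                        event.event(EventType.SOCIAL_LINK).user(sessionUser.getId());
                        if (linkedUser != null) {
                            // One social identity maps to at most one local account.
                            event.error(Errors.SOCIAL_ID_IN_USE);
                            return Flows.forwardToSecurityFailurePage(this.session, realm, this.uriInfo, "This social account is already linked to other user");
                        }
                        if (!sessionUser.isEnabled()) {
                            event.error(Errors.USER_DISABLED);
                            return Flows.forwardToSecurityFailurePage(this.session, realm, this.uriInfo, "User is disabled");
                        }
                        if (!sessionUser.hasRole(realm.getApplicationByName(Constants.ACCOUNT_MANAGEMENT_APP).getRole(AccountRoles.MANAGE_ACCOUNT))) {
                            event.error(Errors.NOT_ALLOWED);
                            return Flows.forwardToSecurityFailurePage(this.session, realm, this.uriInfo, "Insufficient permissions to link social account");
                        }
                        this.session.users().addSocialLink(realm, sessionUser, socialLink);
                        logger.debugv("Social provider {0} linked with user {1}", provider.getId(), sessionUser.getUsername());
                        event.success();
                        // NOTE(review): the redirect target is the client session's stored
                        // redirect URI; presumably validated when the client session was
                        // created - confirm, since nothing here re-checks it.
                        return Response.status(HttpResponseCode.FOUND).location(UriBuilder.fromUri(clientSession.getRedirectUri()).build(new Object[0])).build();
                    }
                    if (linkedUser == null) {
                        // First login with this social identity: provision a local user from
                        // the provider-supplied profile.
                        // NOTE(review): the e-mail is stored as reported by the provider; no
                        // verification step is visible in this method - confirm whether one
                        // is enforced elsewhere.
                        linkedUser = this.session.users().addUser(realm, KeycloakModelUtils.generateId());
                        linkedUser.setEnabled(true);
                        linkedUser.setFirstName(socialUser.getFirstName());
                        linkedUser.setLastName(socialUser.getLastName());
                        linkedUser.setEmail(socialUser.getEmail());
                        if (realm.isUpdateProfileOnInitialSocialLogin()) {
                            linkedUser.addRequiredAction(UserModel.RequiredAction.UPDATE_PROFILE);
                        }
                        this.session.users().addSocialLink(realm, linkedUser, socialLink);
                        // NOTE(review): m806clone looks like a decompiler-renamed clone() -
                        // confirm against the original source.
                        event.m806clone().user(linkedUser).event(EventType.REGISTER).detail(Details.REGISTER_METHOD, "social@" + provider.getId()).detail("email", socialUser.getEmail()).removeDetail(Details.AUTH_METHOD).success();
                    }
                    event.user(linkedUser);
                    if (!linkedUser.isEnabled()) {
                        event.error(Errors.USER_DISABLED);
                        return Flows.forwardToSecurityFailurePage(this.session, realm, this.uriInfo, "Your account is not enabled.");
                    }
                    UserSessionModel userSession = this.session.sessions().createUserSession(realm, linkedUser, socialLink.getSocialUserId() + "@" + socialLink.getSocialProvider(), this.clientConnection.getRemoteAddr(), authMethod, false);
                    event.session(userSession);
                    TokenManager.attachClientSession(userSession, clientSession);
                    // Instance is unused; kept as found in case the constructor matters.
                    new AuthenticationManager();
                    Response next = AuthenticationManager.nextActionAfterAuthentication(this.session, userSession, clientSession, this.clientConnection, this.request, this.uriInfo, event);
                    if (this.session.getTransaction().isActive()) {
                        this.session.getTransaction().commit();
                    }
                    return next;
                } catch (ModelDuplicateException e) {
                    // Presumably raised when the provider-supplied profile collides with an
                    // existing user; the flow returns to the login form instead of merging
                    // accounts. No event error is recorded on this path.
                    return Flows.forms(this.session, realm, clientSession.getClient(), this.uriInfo).setClientSessionCode(clientCode.getCode()).setError("socialEmailExists").createLogin();
                }
            } catch (SocialAccessDeniedException e2) {
                // The client session goes back to AUTHENTICATE so the login form can be used
                // again with the same code.
                event.error(Errors.REJECTED_BY_USER);
                clientSession.setAction(ClientSessionModel.Action.AUTHENTICATE);
                return Flows.forms(this.session, realm, clientSession.getClient(), this.uriInfo).setClientSessionCode(clientCode.getCode()).setWarning("Access denied").createLogin();
            } catch (SocialProviderException e3) {
                logger.error("Failed to process social callback", e3);
                return Flows.forwardToSecurityFailurePage(this.session, realm, this.uriInfo, "Failed to process social callback");
            }
        } catch (Throwable th) {
            // Details go to the server log only; the browser gets a generic page.
            logger.error("Invalid social callback", th);
            return Flows.forms(this.session, null, null, this.uriInfo).setError("Unexpected callback").createErrorPage();
        }
    }

    /**
     * Starts a social login by redirecting the browser to the chosen provider.
     *
     * @param str  realm name from the path
     * @param str2 social provider id ({@code provider_id} query parameter)
     * @param str3 client-session code ({@code code} query parameter); must be valid for
     *             {@code AUTHENTICATE}
     * @return the redirect to the provider, or an error / security-failure page
     */
    @GET
    @Path("{realm}/login")
    public Response redirectToProviderAuth(@PathParam("realm") String str, @QueryParam("provider_id") String str2, @QueryParam("code") String str3) {
        // NOTE(review): no null check on the realm lookup is visible here; an unknown realm
        // name presumably fails further down - confirm and consider an explicit error page.
        RealmModel realmByName = new RealmManager(this.session).getRealmByName(str);
        // The request-supplied provider id is recorded in the event before it is validated.
        EventBuilder event = new EventsManager(realmByName, this.session, this.clientConnection).createEventBuilder().event(EventType.LOGIN).detail(Details.AUTH_METHOD, "social@" + str2);
        SocialProvider provider = SocialLoader.load(str2);
        if (provider == null) {
            event.error(Errors.SOCIAL_PROVIDER_NOT_FOUND);
            return Flows.forms(this.session, realmByName, null, this.uriInfo).setError("Social provider not found").createErrorPage();
        }
        Checks checks = new Checks();
        if (!checks.check(event, realmByName, str3, ClientSessionModel.Action.AUTHENTICATE)) {
            return checks.response;
        }
        try {
            return Flows.social(realmByName, this.uriInfo, this.clientConnection, provider).redirectToSocialProvider(checks.clientCode);
        } catch (Throwable th) {
            logger.error("Failed to redirect to social auth", th);
            return Flows.forms(this.session, realmByName, null, this.uriInfo).setError("Failed to redirect to social auth").createErrorPage();
        }
    }

    /**
     * Builds the login form for the given realm and client, carrying over the supplied query
     * parameters and showing {@code str} as the error.
     */
    private Response returnToLogin(RealmModel realmModel, ClientModel clientModel, Map<String, String> map, String str) {
        MultivaluedMap<String, String> queryParams = new MultivaluedMapImpl<>();
        for (Map.Entry<String, String> entry : map.entrySet()) {
            queryParams.add(entry.getKey(), entry.getValue());
        }
        return Flows.forms(this.session, realmModel, clientModel, this.uriInfo).setQueryParams(queryParams).setError(str).createLogin();
    }

    /**
     * Copies the request's query parameters into a map of name to value array, the form handed
     * to {@link AuthCallback}.
     */
    private Map<String, String[]> getQueryParams() {
        Map<String, String[]> params = new HashMap<>();
        for (Map.Entry<String, List<String>> entry : this.uriInfo.getQueryParameters().entrySet()) {
            List<String> values = entry.getValue();
            params.put(entry.getKey(), values.toArray(new String[values.size()]));
        }
        return params;
    }
}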
