package org.keycloak.services.resources;

import java.net.URI;
import java.util.List;
import javax.ws.rs.BadRequestException;
import javax.ws.rs.Consumes;
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.GET;
import javax.ws.rs.OPTIONS;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.NewCookie;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import javax.ws.rs.core.Variant;
import javax.ws.rs.ext.Providers;
import org.jboss.resteasy.jose.jws.JWSInput;
import org.jboss.resteasy.jose.jws.crypto.RSAProvider;
import org.jboss.resteasy.logging.Logger;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.jaxrs.JaxrsOAuthClient;
import org.keycloak.models.ApplicationModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.TimeBasedOTP;
import org.keycloak.representations.SkeletonKeyToken;
import org.keycloak.services.managers.AccessCodeEntry;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.RealmManager;
import org.keycloak.services.managers.TokenManager;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.flows.Flows;
import org.keycloak.services.resources.flows.FormFlows;
import org.keycloak.services.resources.flows.Pages;
import org.keycloak.services.resources.flows.Urls;
import org.keycloak.services.validation.Validation;

/* loaded from: input_file:org/keycloak/services/resources/AccountService.class */
public class AccountService {
    private static final Logger logger = Logger.getLogger(AccountService.class);
    public static final String ACCOUNT_IDENTITY_COOKIE = "KEYCLOAK_ACCOUNT_IDENTITY";
    private RealmModel realm;

    @Context
    private HttpRequest request;

    @Context
    protected HttpHeaders headers;

    @Context
    private UriInfo uriInfo;

    @Context
    private Providers providers;
    private AuthenticationManager authManager = new AuthenticationManager();
    private ApplicationModel application;
    private TokenManager tokenManager;

    public AccountService(RealmModel realmModel, ApplicationModel applicationModel, TokenManager tokenManager) {
        this.realm = realmModel;
        this.application = applicationModel;
        this.tokenManager = tokenManager;
    }

    private Response forwardToPage(String str, String str2) {
        AuthenticationManager.Auth auth = getAuth(false);
        if (auth == null) {
            return login(str);
        }
        if (!hasAccess(auth)) {
            return noAccess();
        }
        FormFlows user = Flows.forms(this.realm, this.request, this.uriInfo).setUser(auth.getUser());
        String referrer = getReferrer();
        if (referrer != null) {
            user.setQueryParam("referrer", referrer);
        }
        return user.forwardToForm(str2);
    }

    private Response noAccess() {
        return Flows.forms(this.realm, this.request, this.uriInfo).setError("No access").forwardToErrorPage();
    }

    @Path("/")
    @OPTIONS
    public Response accountPreflight() {
        return Cors.add(this.request, Response.ok()).auth().preflight().build();
    }

    @GET
    @Path("/")
    public Response accountPage() {
        List acceptableMediaTypes = this.headers.getAcceptableMediaTypes();
        if (acceptableMediaTypes.contains(MediaType.WILDCARD_TYPE) || acceptableMediaTypes.contains(MediaType.TEXT_HTML_TYPE)) {
            return forwardToPage(null, Pages.ACCOUNT);
        }
        if (!acceptableMediaTypes.contains(MediaType.APPLICATION_JSON_TYPE)) {
            return Response.notAcceptable(Variant.VariantListBuilder.newInstance().mediaTypes(new MediaType[]{MediaType.TEXT_HTML_TYPE, MediaType.APPLICATION_JSON_TYPE}).build()).build();
        }
        AuthenticationManager.Auth auth = getAuth(true);
        return !hasAccess(auth, "view-profile") ? Response.status(Response.Status.FORBIDDEN).build() : Cors.add(this.request, Response.ok(RealmManager.toRepresentation(auth.getUser()))).auth().allowedOrigins(auth.getClient()).build();
    }

    @GET
    @Path("social")
    public Response socialPage() {
        return forwardToPage("social", Pages.SOCIAL);
    }

    @GET
    @Path("totp")
    public Response totpPage() {
        return forwardToPage("totp", Pages.TOTP);
    }

    @GET
    @Path("password")
    public Response passwordPage() {
        return forwardToPage("password", Pages.PASSWORD);
    }

    @GET
    @Path("access")
    public Response accessPage() {
        return forwardToPage("access", Pages.ACCESS);
    }

    @POST
    @Path("/")
    @Consumes({"application/x-www-form-urlencoded"})
    public Response processAccountUpdate(MultivaluedMap<String, String> multivaluedMap) {
        AuthenticationManager.Auth auth = getAuth(true);
        if (!hasAccess(auth)) {
            return noAccess();
        }
        UserModel user = auth.getUser();
        String validateUpdateProfileForm = Validation.validateUpdateProfileForm(multivaluedMap);
        if (validateUpdateProfileForm != null) {
            return Flows.forms(this.realm, this.request, this.uriInfo).setUser(user).setError(validateUpdateProfileForm).forwardToAccount();
        }
        user.setFirstName((String) multivaluedMap.getFirst("firstName"));
        user.setLastName((String) multivaluedMap.getFirst("lastName"));
        user.setEmail((String) multivaluedMap.getFirst("email"));
        return Flows.forms(this.realm, this.request, this.uriInfo).setUser(user).setError("accountUpdated").setErrorType(FormFlows.MessageType.SUCCESS).forwardToAccount();
    }

    @GET
    @Path("totp-remove")
    public Response processTotpRemove() {
        AuthenticationManager.Auth auth = getAuth(true);
        if (!hasAccess(auth)) {
            return noAccess();
        }
        UserModel user = auth.getUser();
        user.setTotp(false);
        return Flows.forms(this.realm, this.request, this.uriInfo).setError("successTotpRemoved").setErrorType(FormFlows.MessageType.SUCCESS).setUser(user).forwardToTotp();
    }

    @POST
    @Path("totp")
    @Consumes({"application/x-www-form-urlencoded"})
    public Response processTotpUpdate(MultivaluedMap<String, String> multivaluedMap) {
        AuthenticationManager.Auth auth = getAuth(true);
        if (!hasAccess(auth)) {
            return noAccess();
        }
        UserModel user = auth.getUser();
        String str = (String) multivaluedMap.getFirst("totp");
        String str2 = (String) multivaluedMap.getFirst("totpSecret");
        FormFlows user2 = Flows.forms(this.realm, this.request, this.uriInfo).setUser(user);
        if (Validation.isEmpty(str)) {
            return user2.setError(Messages.MISSING_TOTP).forwardToTotp();
        }
        if (!new TimeBasedOTP().validate(str, str2.getBytes())) {
            return user2.setError(Messages.INVALID_TOTP).forwardToTotp();
        }
        UserCredentialModel userCredentialModel = new UserCredentialModel();
        userCredentialModel.setType("totp");
        userCredentialModel.setValue(str2);
        this.realm.updateCredential(user, userCredentialModel);
        user.setTotp(true);
        return Flows.forms(this.realm, this.request, this.uriInfo).setError("successTotp").setErrorType(FormFlows.MessageType.SUCCESS).setUser(user).forwardToTotp();
    }

    @POST
    @Path("password")
    @Consumes({"application/x-www-form-urlencoded"})
    public Response processPasswordUpdate(MultivaluedMap<String, String> multivaluedMap) {
        AuthenticationManager.Auth auth = getAuth(true);
        if (!hasAccess(auth)) {
            return noAccess();
        }
        UserModel user = auth.getUser();
        FormFlows user2 = Flows.forms(this.realm, this.request, this.uriInfo).setUser(user);
        String str = (String) multivaluedMap.getFirst("password");
        String str2 = (String) multivaluedMap.getFirst("password-new");
        String str3 = (String) multivaluedMap.getFirst("password-confirm");
        if (Validation.isEmpty(str2)) {
            return user2.setError(Messages.MISSING_PASSWORD).forwardToPassword();
        }
        if (!str2.equals(str3)) {
            return user2.setError(Messages.INVALID_PASSWORD_CONFIRM).forwardToPassword();
        }
        if (Validation.isEmpty(str)) {
            return user2.setError(Messages.MISSING_PASSWORD).forwardToPassword();
        }
        if (!this.realm.validatePassword(user, str)) {
            return user2.setError(Messages.INVALID_PASSWORD_EXISTING).forwardToPassword();
        }
        String validatePassword = Validation.validatePassword(multivaluedMap, this.realm.getPasswordPolicy());
        if (validatePassword != null) {
            return user2.setError(validatePassword).forwardToPassword();
        }
        UserCredentialModel userCredentialModel = new UserCredentialModel();
        userCredentialModel.setType("password");
        userCredentialModel.setValue(str2);
        this.realm.updateCredential(user, userCredentialModel);
        return Flows.forms(this.realm, this.request, this.uriInfo).setUser(user).setError("accountPasswordUpdated").setErrorType(FormFlows.MessageType.SUCCESS).forwardToPassword();
    }

    @GET
    @Path("login-redirect")
    public Response loginRedirect(@QueryParam("code") String str, @QueryParam("state") String str2, @QueryParam("error") String str3, @Context HttpHeaders httpHeaders) {
        try {
            if (str3 != null) {
                logger.debug("error from oauth");
                throw new ForbiddenException(Messages.ERROR);
            }
            if (!this.realm.isEnabled()) {
                logger.debug("realm not enabled");
                throw new ForbiddenException();
            }
            UserModel applicationUser = this.application.getApplicationUser();
            if (!applicationUser.isEnabled() || !this.application.isEnabled()) {
                logger.debug("account management app not enabled");
                throw new ForbiddenException();
            }
            if (str == null) {
                logger.debug("code not specified");
                throw new BadRequestException();
            }
            if (str2 == null) {
                logger.debug("state not specified");
                throw new BadRequestException();
            }
            String checkStateCookie = new JaxrsOAuthClient().checkStateCookie(this.uriInfo, httpHeaders);
            JWSInput jWSInput = new JWSInput(str, this.providers);
            boolean z = false;
            try {
                z = RSAProvider.verify(jWSInput, this.realm.getPublicKey());
            } catch (Exception e) {
                logger.debug("Failed to verify signature", e);
            }
            if (!z) {
                logger.debug("unverified access code");
                throw new BadRequestException();
            }
            AccessCodeEntry pullAccessCode = this.tokenManager.pullAccessCode((String) jWSInput.readContent(String.class));
            if (pullAccessCode == null) {
                logger.debug("bad access code");
                throw new BadRequestException();
            }
            if (pullAccessCode.isExpired()) {
                logger.debug("access code expired");
                throw new BadRequestException();
            }
            if (!pullAccessCode.getToken().isActive()) {
                logger.debug("access token expired");
                throw new BadRequestException();
            }
            if (!pullAccessCode.getRealm().getId().equals(this.realm.getId())) {
                logger.debug("bad realm");
                throw new BadRequestException();
            }
            if (!applicationUser.getLoginName().equals(pullAccessCode.getClient().getLoginName())) {
                logger.debug("bad client");
                throw new BadRequestException();
            }
            URI build = Urls.accountBase(this.uriInfo.getBaseUri()).path("/").build(new Object[]{this.realm.getId()});
            Response build2 = Response.status(302).cookie(new NewCookie[]{this.authManager.createAccountIdentityCookie(this.realm, pullAccessCode.getUser(), applicationUser, Urls.accountBase(this.uriInfo.getBaseUri()).build(new Object[]{this.realm.getId()}))}).location(checkStateCookie != null ? build.resolve(checkStateCookie) : build).build();
            this.authManager.expireCookie("OAuth_Token_Request_State", this.uriInfo.getAbsolutePath().getPath());
            return build2;
        } catch (Throwable th) {
            this.authManager.expireCookie("OAuth_Token_Request_State", this.uriInfo.getAbsolutePath().getPath());
            throw th;
        }
    }

    @GET
    @Path("logout")
    public Response logout() {
        URI build = Urls.accountBase(this.uriInfo.getBaseUri()).build(new Object[]{this.realm.getId()});
        this.authManager.expireIdentityCookie(this.realm, this.uriInfo);
        this.authManager.expireAccountIdentityCookie(build);
        return Response.status(302).location(build).build();
    }

    private Response login(String str) {
        JaxrsOAuthClient jaxrsOAuthClient = new JaxrsOAuthClient();
        jaxrsOAuthClient.setAuthUrl(Urls.realmLoginPage(this.uriInfo.getBaseUri(), this.realm.getId()).toString());
        jaxrsOAuthClient.setClientId("Account");
        URI build = Urls.accountPageBuilder(this.uriInfo.getBaseUri()).path(AccountService.class, "loginRedirect").build(new Object[]{this.realm.getId()});
        String referrer = getReferrer();
        if (referrer != null) {
            str = (str != null ? str : "") + "?referrer=" + referrer;
        }
        jaxrsOAuthClient.setStateCookiePath(build.getPath());
        return jaxrsOAuthClient.redirect(this.uriInfo, build.toString(), str);
    }

    private AuthenticationManager.Auth getAuth(boolean z) {
        AuthenticationManager.Auth authenticateAccountIdentity = this.authManager.authenticateAccountIdentity(this.realm, this.uriInfo, this.headers);
        if (authenticateAccountIdentity == null && z) {
            throw new ForbiddenException();
        }
        return authenticateAccountIdentity;
    }

    private boolean hasAccess(AuthenticationManager.Auth auth) {
        return hasAccess(auth, null);
    }

    private boolean hasAccess(AuthenticationManager.Auth auth, String str) {
        if (this.realm.hasRole(auth.getClient(), "KEYCLOAK__APPLICATION")) {
            UserModel user = auth.getUser();
            if (hasRole(user, "manage-account")) {
                return true;
            }
            if (str != null && hasRole(user, str)) {
                return true;
            }
        }
        SkeletonKeyToken.Access resourceAccess = auth.getToken().getResourceAccess(this.application.getName());
        if (resourceAccess == null) {
            return false;
        }
        if (resourceAccess.isUserInRole("manage-account")) {
            return true;
        }
        return str != null && resourceAccess.isUserInRole(str);
    }

    private boolean hasRole(UserModel userModel, String str) {
        return this.application.hasRole(userModel, str);
    }

    private String getReferrer() {
        String str = (String) this.uriInfo.getQueryParameters().getFirst("referrer");
        if (str != null) {
            return str;
        }
        String headerString = this.headers.getHeaderString("Referer");
        if (headerString == null) {
            return null;
        }
        for (ApplicationModel applicationModel : this.realm.getApplications()) {
            if (applicationModel.getBaseUrl() != null && headerString.startsWith(applicationModel.getBaseUrl())) {
                return applicationModel.getName();
            }
        }
        return null;
    }
}
