package org.keycloak.authentication.authenticators.broker;

import java.util.concurrent.TimeUnit;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import org.jboss.logging.Logger;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext;
import org.keycloak.authentication.requiredactions.VerifyEmail;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.email.EmailException;
import org.keycloak.email.EmailTemplateProvider;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.LoginActionsService;

/* loaded from: input_file:org/keycloak/authentication/authenticators/broker/IdpEmailVerificationAuthenticator.class */
/**
 * Broker-flow authenticator that asks the owner of an existing account to confirm, through a
 * link sent by email, that a brokered identity may be linked to that account.
 *
 * <p>{@code authenticateImpl} issues the key and sends the mail; {@code actionImpl} handles the
 * request that presents the key back.
 */
public class IdpEmailVerificationAuthenticator extends AbstractIdpAuthenticator {
    protected static Logger logger = Logger.getLogger(IdpEmailVerificationAuthenticator.class);

    /**
     * Sends the "confirm identity broker link" email to the existing user and shows the
     * "link email sent" page.
     *
     * <p>When the realm has no SMTP settings the method only signals {@code attempted()} and
     * returns: no key is issued and no ownership check takes place in this authenticator. What
     * the flow does next is decided outside this class.
     *
     * @param authenticationFlowContext flow context supplying realm, sessions, event and forms
     * @param serializedBrokeredIdentityContext not read by this method
     * @param brokeredIdentityContext brokered identity, exposed to the email and page templates
     */
    @Override
    protected void authenticateImpl(AuthenticationFlowContext authenticationFlowContext, SerializedBrokeredIdentityContext serializedBrokeredIdentityContext, BrokeredIdentityContext brokeredIdentityContext) {
        KeycloakSession keycloakSession = authenticationFlowContext.getSession();
        RealmModel currentRealm = authenticationFlowContext.getRealm();
        ClientSessionModel loginSession = authenticationFlowContext.getClientSession();

        boolean smtpMissing = currentRealm.getSmtpConfig().isEmpty();
        if (smtpMissing) {
            logger.warnf("Smtp is not configured for the realm. Ignoring email verification authenticator");
            authenticationFlowContext.attempted();
            return;
        }

        // The action cookie carries the client session id; actionImpl compares it later to tell
        // whether the emailed link was opened in the browser that started the flow.
        LoginActionsService.createActionCookie(
                authenticationFlowContext.getRealm(),
                authenticationFlowContext.getUriInfo(),
                authenticationFlowContext.getConnection(),
                authenticationFlowContext.getClientSession().getId());

        // Presumably this is what stores the VERIFY_EMAIL_KEY note read just below - confirm in VerifyEmail.
        VerifyEmail.setupKey(loginSession);
        UserModel existingUser = getExistingUser(keycloakSession, currentRealm, loginSession);

        // The key travels as a query parameter, so it is visible wherever the full URL is recorded
        // (mail content, access logs, browser history).
        UriBuilder linkBuilder = UriBuilder.fromUri(authenticationFlowContext.getActionUrl());
        linkBuilder = linkBuilder.queryParam("key", loginSession.getNote("VERIFY_EMAIL_KEY"));
        String confirmationLink = linkBuilder.build().toString();

        // Work on a clone so the details added here do not end up on the flow's own event.
        EventBuilder linkEvent = authenticationFlowContext.getEvent().clone()
                .event(EventType.SEND_IDENTITY_PROVIDER_LINK)
                .user(existingUser)
                .detail("username", existingUser.getUsername())
                .detail("email", existingUser.getEmail())
                .detail("code_id", loginSession.getId())
                .removeDetail("auth_method")
                .removeDetail("auth_type");

        try {
            EmailTemplateProvider mailer = authenticationFlowContext.getSession().getProvider(EmailTemplateProvider.class)
                    .setRealm(currentRealm)
                    .setUser(existingUser)
                    .setAttribute("identityProviderBrokerCtx", brokeredIdentityContext);
            // The realm value is converted from seconds to whole minutes before it is handed to the mailer.
            long lifespanMinutes = TimeUnit.SECONDS.toMinutes(authenticationFlowContext.getRealm().getAccessCodeLifespanUserAction());
            mailer.sendConfirmIdentityBrokerLink(confirmationLink, lifespanMinutes);
            linkEvent.success();

            Response linkSentPage = authenticationFlowContext.form()
                    .setStatus(Response.Status.OK)
                    .setAttribute("identityProviderBrokerCtx", brokeredIdentityContext)
                    .createIdpLinkEmailPage();
            authenticationFlowContext.forceChallenge(linkSentPage);
        } catch (EmailException e) {
            linkEvent.error("email_send_failed");
            logger.error("Failed to send email to confirm identity broker linking", e);

            Response sendFailedPage = authenticationFlowContext.form()
                    .setError(Messages.EMAIL_SENT_ERROR)
                    .createErrorPage();
            authenticationFlowContext.failure(AuthenticationFlowError.INTERNAL_ERROR, sendFailedPage);
        }
    }

    /**
     * Validates the {@code key} query parameter against the key stored on the client session
     * and, on a match, sets the existing user on the context and signals success.
     *
     * <p>The stored key is removed before it is compared, so each issued key is checked at most
     * once by this method; a wrong value invalidates it.
     *
     * @param authenticationFlowContext flow context supplying realm, sessions and forms
     * @param serializedBrokeredIdentityContext not read by this method
     * @param brokeredIdentityContext brokered identity, used here only for the debug log line
     */
    @Override
    protected void actionImpl(AuthenticationFlowContext authenticationFlowContext, SerializedBrokeredIdentityContext serializedBrokeredIdentityContext, BrokeredIdentityContext brokeredIdentityContext) {
        String presentedKey = authenticationFlowContext.getSession().getContext().getUri().getQueryParameters().getFirst("key");
        ClientSessionModel loginSession = authenticationFlowContext.getClientSession();
        RealmModel currentRealm = authenticationFlowContext.getRealm();
        KeycloakSession keycloakSession = authenticationFlowContext.getSession();

        if (presentedKey == null) {
            Response missingKeyPage = authenticationFlowContext.form()
                    .setError(Messages.MISSING_PARAMETER, "key")
                    .createErrorPage();
            authenticationFlowContext.failureChallenge(AuthenticationFlowError.IDENTITY_PROVIDER_ERROR, missingKeyPage);
            return;
        }

        // Consume the stored key first: whatever the outcome below, it cannot be presented again.
        String expectedKey = loginSession.getNote("VERIFY_EMAIL_KEY");
        loginSession.removeNote("VERIFY_EMAIL_KEY");

        // equals() also yields false when no key is stored (expectedKey == null). It is not a
        // constant-time comparison, but the key it is compared against is already gone.
        boolean keyMatches = presentedKey.equals(expectedKey);
        if (!keyMatches) {
            logger.error("Key parameter don't match with the expected value from client session");
            Response invalidKeyPage = authenticationFlowContext.form()
                    .setError(Messages.INVALID_ACCESS_CODE)
                    .createErrorPage();
            authenticationFlowContext.failureChallenge(AuthenticationFlowError.IDENTITY_PROVIDER_ERROR, invalidKeyPage);
            return;
        }

        UserModel existingUser = getExistingUser(keycloakSession, currentRealm, loginSession);
        logger.debugf("User '%s' confirmed that wants to link with identity provider '%s' . Identity provider username is '%s' ",
                existingUser.getUsername(),
                brokeredIdentityContext.getIdpConfig().getAlias(),
                brokeredIdentityContext.getUsername());

        // A missing or non-matching action cookie only sets a flag; the user is still set and
        // success is still signalled below. How IS_DIFFERENT_BROWSER is acted on is not visible
        // in this class.
        String actionCookie = LoginActionsService.getActionCookie(
                keycloakSession.getContext().getRequestHeaders(),
                currentRealm,
                keycloakSession.getContext().getUri(),
                authenticationFlowContext.getConnection());
        boolean sameBrowser = actionCookie != null && actionCookie.equals(loginSession.getId());
        if (!sameBrowser) {
            loginSession.setNote(AbstractIdpAuthenticator.IS_DIFFERENT_BROWSER, "true");
        }

        authenticationFlowContext.setUser(existingUser);
        authenticationFlowContext.success();
    }

    /**
     * Reports whether a user must already be set on the flow before this authenticator runs.
     *
     * @return always {@code false}
     */
    @Override
    public boolean requiresUser() {
        return false;
    }

    /**
     * Reports whether this authenticator is configured for the given user.
     *
     * @param keycloakSession not read
     * @param realmModel not read
     * @param userModel not read
     * @return always {@code false}
     */
    @Override
    public boolean configuredFor(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
        return false;
    }
}
