package org.keycloak.services.resources;

import java.net.URI;
import java.util.Iterator;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.QueryParam;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import javax.ws.rs.ext.Providers;
import org.jboss.logging.Logger;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.authentication.AuthenticationProcessor;
import org.keycloak.authentication.RequiredActionContext;
import org.keycloak.authentication.RequiredActionContextResult;
import org.keycloak.authentication.RequiredActionFactory;
import org.keycloak.authentication.RequiredActionProvider;
import org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator;
import org.keycloak.authentication.authenticators.broker.util.PostBrokerLoginConstants;
import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext;
import org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator;
import org.keycloak.authentication.requiredactions.VerifyEmail;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.common.ClientConnection;
import org.keycloak.common.util.Time;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.login.LoginFormsProvider;
import org.keycloak.models.AuthenticationFlowModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserConsentModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.FormMessage;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.LoginProtocol;
import org.keycloak.protocol.RestartLoginCookie;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.utils.OIDCResponseMode;
import org.keycloak.protocol.oidc.utils.OIDCResponseType;
import org.keycloak.services.ErrorPage;
import org.keycloak.services.Urls;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.ClientSessionCode;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.util.CookieHelper;

/* loaded from: input_file:org/keycloak/services/resources/LoginActionsService.class */
public class LoginActionsService {
    protected static final Logger logger = Logger.getLogger(LoginActionsService.class);
    public static final String ACTION_COOKIE = "KEYCLOAK_ACTION";
    public static final String AUTHENTICATE_PATH = "authenticate";
    public static final String REGISTRATION_PATH = "registration";
    public static final String RESET_CREDENTIALS_PATH = "reset-credentials";
    public static final String REQUIRED_ACTION = "required-action";
    public static final String FIRST_BROKER_LOGIN_PATH = "first-broker-login";
    public static final String POST_BROKER_LOGIN_PATH = "post-broker-login";
    private RealmModel realm;

    @Context
    private HttpRequest request;

    @Context
    protected HttpHeaders headers;

    @Context
    private UriInfo uriInfo;

    @Context
    private ClientConnection clientConnection;

    @Context
    protected Providers providers;

    @Context
    protected KeycloakSession session;
    private AuthenticationManager authManager;
    private EventBuilder event;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/keycloak/services/resources/LoginActionsService$Checks.class */
    public class Checks {
        ClientSessionCode clientCode;
        Response response;

        private Checks() {
        }

        boolean verifyCode(String str, String str2, ClientSessionCode.ActionType actionType) {
            return verifyCode(str) && verifyAction(str2, actionType);
        }

        public boolean verifyAction(String str, ClientSessionCode.ActionType actionType) {
            if (!this.clientCode.isValidAction(str)) {
                LoginActionsService.this.event.client(this.clientCode.getClientSession().getClient());
                LoginActionsService.this.event.error("invalid_code");
                this.response = ErrorPage.error(LoginActionsService.this.session, Messages.INVALID_CODE, new Object[0]);
                return false;
            }
            if (this.clientCode.isActionActive(actionType)) {
                return true;
            }
            LoginActionsService.this.event.client(this.clientCode.getClientSession().getClient());
            LoginActionsService.this.event.clone().error("expired_code");
            if (!this.clientCode.getClientSession().getAction().equals(ClientSessionModel.Action.AUTHENTICATE.name())) {
                this.response = ErrorPage.error(LoginActionsService.this.session, Messages.EXPIRED_CODE, new Object[0]);
                return false;
            }
            AuthenticationProcessor.resetFlow(this.clientCode.getClientSession());
            this.response = LoginActionsService.this.processAuthentication(null, this.clientCode.getClientSession(), Messages.LOGIN_TIMEOUT);
            return false;
        }

        public boolean verifyCode(String str) {
            if (!LoginActionsService.this.checkSsl()) {
                LoginActionsService.this.event.error("ssl_required");
                this.response = ErrorPage.error(LoginActionsService.this.session, Messages.HTTPS_REQUIRED, new Object[0]);
                return false;
            }
            if (!LoginActionsService.this.realm.isEnabled()) {
                LoginActionsService.this.event.error("realm_disabled");
                this.response = ErrorPage.error(LoginActionsService.this.session, Messages.REALM_NOT_ENABLED, new Object[0]);
                return false;
            }
            ClientSessionCode.ParseResult parseResult = ClientSessionCode.parseResult(str, LoginActionsService.this.session, LoginActionsService.this.realm);
            this.clientCode = parseResult.getCode();
            if (this.clientCode == null) {
                if (parseResult.isClientSessionNotFound()) {
                    try {
                        ClientSessionModel restartSession = RestartLoginCookie.restartSession(LoginActionsService.this.session, LoginActionsService.this.realm, str);
                        if (restartSession != null) {
                            LoginActionsService.this.event.clone().detail("restart_after_timeout", "true").error("expired_code");
                            this.response = LoginActionsService.this.processFlow(null, restartSession, LoginActionsService.AUTHENTICATE_PATH, LoginActionsService.this.realm.getBrowserFlow(), Messages.LOGIN_TIMEOUT, new AuthenticationProcessor());
                            return false;
                        }
                    } catch (Exception e) {
                        LoginActionsService.logger.error("failed to parse RestartLoginCookie", e);
                    }
                }
                LoginActionsService.this.event.error("invalid_code");
                this.response = ErrorPage.error(LoginActionsService.this.session, Messages.INVALID_CODE, new Object[0]);
                return false;
            }
            ClientSessionModel clientSession = this.clientCode.getClientSession();
            if (clientSession == null) {
                LoginActionsService.this.event.error("invalid_code");
                this.response = ErrorPage.error(LoginActionsService.this.session, Messages.INVALID_CODE, new Object[0]);
                return false;
            }
            LoginActionsService.this.event.detail("code_id", clientSession.getId());
            ClientModel client = clientSession.getClient();
            if (client == null) {
                LoginActionsService.this.event.error("client_not_found");
                this.response = ErrorPage.error(LoginActionsService.this.session, Messages.UNKNOWN_LOGIN_REQUESTER, new Object[0]);
                LoginActionsService.this.session.sessions().removeClientSession(LoginActionsService.this.realm, clientSession);
                return false;
            }
            if (client.isEnabled()) {
                LoginActionsService.this.session.getContext().setClient(client);
                return true;
            }
            LoginActionsService.this.event.error("client_not_found");
            this.response = ErrorPage.error(LoginActionsService.this.session, Messages.LOGIN_REQUESTER_NOT_ENABLED, new Object[0]);
            LoginActionsService.this.session.sessions().removeClientSession(LoginActionsService.this.realm, clientSession);
            return false;
        }
    }

    public static UriBuilder loginActionsBaseUrl(UriInfo uriInfo) {
        return loginActionsBaseUrl(uriInfo.getBaseUriBuilder());
    }

    public static UriBuilder authenticationFormProcessor(UriInfo uriInfo) {
        return loginActionsBaseUrl(uriInfo).path(LoginActionsService.class, "authenticateForm");
    }

    public static UriBuilder requiredActionProcessor(UriInfo uriInfo) {
        return loginActionsBaseUrl(uriInfo).path(LoginActionsService.class, "requiredActionPOST");
    }

    public static UriBuilder registrationFormProcessor(UriInfo uriInfo) {
        return loginActionsBaseUrl(uriInfo).path(LoginActionsService.class, "processRegister");
    }

    public static UriBuilder firstBrokerLoginProcessor(UriInfo uriInfo) {
        return loginActionsBaseUrl(uriInfo).path(LoginActionsService.class, "firstBrokerLoginGet");
    }

    public static UriBuilder postBrokerLoginProcessor(UriInfo uriInfo) {
        return loginActionsBaseUrl(uriInfo).path(LoginActionsService.class, "postBrokerLoginGet");
    }

    public static UriBuilder loginActionsBaseUrl(UriBuilder uriBuilder) {
        return uriBuilder.path(RealmsResource.class).path(RealmsResource.class, "getLoginActionsService");
    }

    public LoginActionsService(RealmModel realmModel, AuthenticationManager authenticationManager, EventBuilder eventBuilder) {
        this.realm = realmModel;
        this.authManager = authenticationManager;
        this.event = eventBuilder;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public boolean checkSsl() {
        return this.uriInfo.getBaseUri().getScheme().equals("https") || !this.realm.getSslRequired().isRequired(this.clientConnection);
    }

    @GET
    @Path(AUTHENTICATE_PATH)
    public Response authenticate(@QueryParam("code") String str, @QueryParam("execution") String str2) {
        this.event.event(EventType.LOGIN);
        Checks checks = new Checks();
        if (!checks.verifyCode(str, ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) {
            return checks.response;
        }
        this.event.detail("code_id", str);
        return processAuthentication(str2, checks.clientCode.getClientSession(), null);
    }

    protected Response processAuthentication(String str, ClientSessionModel clientSessionModel, String str2) {
        return processFlow(str, clientSessionModel, AUTHENTICATE_PATH, this.realm.getBrowserFlow(), str2, new AuthenticationProcessor());
    }

    protected Response processFlow(String str, ClientSessionModel clientSessionModel, String str2, AuthenticationFlowModel authenticationFlowModel, String str3, AuthenticationProcessor authenticationProcessor) {
        authenticationProcessor.setClientSession(clientSessionModel).setFlowPath(str2).setBrowserFlow(true).setFlowId(authenticationFlowModel.getId()).setConnection(this.clientConnection).setEventBuilder(this.event).setProtector(this.authManager.getProtector()).setRealm(this.realm).setSession(this.session).setUriInfo(this.uriInfo).setRequest(this.request);
        if (str3 != null) {
            authenticationProcessor.setForwardedErrorMessage(new FormMessage((String) null, str3));
        }
        try {
            return str != null ? authenticationProcessor.authenticationAction(str) : authenticationProcessor.authenticate();
        } catch (Exception e) {
            return authenticationProcessor.handleBrowserException(e);
        }
    }

    @POST
    @Path(AUTHENTICATE_PATH)
    public Response authenticateForm(@QueryParam("code") String str, @QueryParam("execution") String str2) {
        this.event.event(EventType.LOGIN);
        Checks checks = new Checks();
        return !checks.verifyCode(str, ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN) ? checks.response : processAuthentication(str2, checks.clientCode.getClientSession(), null);
    }

    @POST
    @Path(RESET_CREDENTIALS_PATH)
    public Response resetCredentialsPOST(@QueryParam("code") String str, @QueryParam("execution") String str2) {
        return resetCredentials(str, str2);
    }

    @GET
    @Path(RESET_CREDENTIALS_PATH)
    public Response resetCredentialsGET(@QueryParam("code") String str, @QueryParam("execution") String str2) {
        if (str != null) {
            return resetCredentials(str, str2);
        }
        if (!this.realm.isResetPasswordAllowed()) {
            this.event.event(EventType.RESET_PASSWORD);
            this.event.error("not_allowed");
            return ErrorPage.error(this.session, Messages.RESET_CREDENTIAL_NOT_ALLOWED, new Object[0]);
        }
        ClientSessionModel createClientSession = this.session.sessions().createClientSession(this.realm, this.realm.getClientByClientId("account"));
        createClientSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name());
        createClientSession.setNote(ClientSessionCode.ACTION_KEY, KeycloakModelUtils.generateCodeSecret());
        createClientSession.setAuthMethod("openid-connect");
        String uri = Urls.accountBase(this.uriInfo.getBaseUri()).path("/").build(new Object[]{this.realm.getName()}).toString();
        createClientSession.setRedirectUri(uri);
        createClientSession.setAction(ClientSessionModel.Action.AUTHENTICATE.name());
        createClientSession.setNote(ClientSessionCode.ACTION_KEY, KeycloakModelUtils.generateCodeSecret());
        createClientSession.setNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM, "code");
        createClientSession.setNote(OIDCLoginProtocol.REDIRECT_URI_PARAM, uri);
        createClientSession.setNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(this.uriInfo.getBaseUri(), this.realm.getName()));
        return processResetCredentials(null, createClientSession, null);
    }

    protected Response resetCredentials(String str, String str2) {
        this.event.event(EventType.RESET_PASSWORD);
        Checks checks = new Checks();
        if (!checks.verifyCode(str, ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.USER)) {
            return checks.response;
        }
        ClientSessionCode clientSessionCode = checks.clientCode;
        ClientSessionModel clientSession = clientSessionCode.getClientSession();
        if (this.realm.isResetPasswordAllowed()) {
            return processResetCredentials(str2, clientSession, null);
        }
        this.event.client(clientSessionCode.getClientSession().getClient());
        this.event.error("not_allowed");
        return ErrorPage.error(this.session, Messages.RESET_CREDENTIAL_NOT_ALLOWED, new Object[0]);
    }

    protected Response processResetCredentials(String str, ClientSessionModel clientSessionModel, String str2) {
        return processFlow(str, clientSessionModel, RESET_CREDENTIALS_PATH, this.realm.getResetCredentialsFlow(), str2, new AuthenticationProcessor() { // from class: org.keycloak.services.resources.LoginActionsService.1
            /* JADX INFO: Access modifiers changed from: protected */
            @Override // org.keycloak.authentication.AuthenticationProcessor
            public Response authenticationComplete() {
                if (!(this.clientSession.getNote(AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE) != null)) {
                    return super.authenticationComplete();
                }
                UserModel existingUser = AbstractIdpAuthenticator.getExistingUser(this.session, this.realm, this.clientSession);
                if (!existingUser.getId().equals(this.clientSession.getAuthenticatedUser().getId())) {
                    return ErrorPage.error(this.session, Messages.IDENTITY_PROVIDER_DIFFERENT_USER_MESSAGE, this.clientSession.getAuthenticatedUser().getUsername(), existingUser.getUsername());
                }
                logger.debugf("Forget-password flow finished when authenticated user '%s' after first broker login.", existingUser.getUsername());
                return LoginActionsService.this.redirectToAfterBrokerLoginEndpoint(this.clientSession, true);
            }
        });
    }

    protected Response processRegistration(String str, ClientSessionModel clientSessionModel, String str2) {
        return processFlow(str, clientSessionModel, REGISTRATION_PATH, this.realm.getRegistrationFlow(), str2, new AuthenticationProcessor());
    }

    @GET
    @Path(REGISTRATION_PATH)
    public Response registerPage(@QueryParam("code") String str, @QueryParam("execution") String str2) {
        this.event.event(EventType.REGISTER);
        if (!this.realm.isRegistrationAllowed()) {
            this.event.error("registration_disabled");
            return ErrorPage.error(this.session, Messages.REGISTRATION_NOT_ALLOWED, new Object[0]);
        }
        Checks checks = new Checks();
        if (!checks.verifyCode(str, ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) {
            return checks.response;
        }
        this.event.detail("code_id", str);
        ClientSessionModel clientSession = checks.clientCode.getClientSession();
        AuthenticationManager authenticationManager = this.authManager;
        AuthenticationManager.expireIdentityCookie(this.realm, this.uriInfo, this.clientConnection);
        return processRegistration(str2, clientSession, null);
    }

    @POST
    @Path(REGISTRATION_PATH)
    public Response processRegister(@QueryParam("code") String str, @QueryParam("execution") String str2) {
        this.event.event(EventType.REGISTER);
        if (this.realm.isRegistrationAllowed()) {
            Checks checks = new Checks();
            return !checks.verifyCode(str, ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN) ? checks.response : processRegistration(str2, checks.clientCode.getClientSession(), null);
        }
        this.event.error("registration_disabled");
        return ErrorPage.error(this.session, Messages.REGISTRATION_NOT_ALLOWED, new Object[0]);
    }

    @GET
    @Path(FIRST_BROKER_LOGIN_PATH)
    public Response firstBrokerLoginGet(@QueryParam("code") String str, @QueryParam("execution") String str2) {
        return brokerLoginFlow(str, str2, true);
    }

    @POST
    @Path(FIRST_BROKER_LOGIN_PATH)
    public Response firstBrokerLoginPost(@QueryParam("code") String str, @QueryParam("execution") String str2) {
        return brokerLoginFlow(str, str2, true);
    }

    @GET
    @Path(POST_BROKER_LOGIN_PATH)
    public Response postBrokerLoginGet(@QueryParam("code") String str, @QueryParam("execution") String str2) {
        return brokerLoginFlow(str, str2, false);
    }

    @POST
    @Path(POST_BROKER_LOGIN_PATH)
    public Response postBrokerLoginPost(@QueryParam("code") String str, @QueryParam("execution") String str2) {
        return brokerLoginFlow(str, str2, false);
    }

    protected Response brokerLoginFlow(String str, String str2, final boolean z) {
        this.event.event(z ? EventType.IDENTITY_PROVIDER_FIRST_LOGIN : EventType.IDENTITY_PROVIDER_POST_LOGIN);
        Checks checks = new Checks();
        if (!checks.verifyCode(str, ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) {
            return checks.response;
        }
        this.event.detail("code_id", str);
        final ClientSessionModel clientSession = checks.clientCode.getClientSession();
        String str3 = z ? AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE : PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT;
        SerializedBrokeredIdentityContext readFromClientSession = SerializedBrokeredIdentityContext.readFromClientSession(clientSession, str3);
        if (readFromClientSession == null) {
            logger.errorf("Not found serialized context in clientSession under note '%s'", str3);
            throw new WebApplicationException(ErrorPage.error(this.session, "Not found serialized context in clientSession.", new Object[0]));
        }
        BrokeredIdentityContext deserialize = readFromClientSession.deserialize(this.session, clientSession);
        final String alias = deserialize.getIdpConfig().getAlias();
        String firstBrokerLoginFlowId = z ? deserialize.getIdpConfig().getFirstBrokerLoginFlowId() : deserialize.getIdpConfig().getPostBrokerLoginFlowId();
        if (firstBrokerLoginFlowId == null) {
            logger.errorf("Flow not configured for identity provider '%s'", alias);
            throw new WebApplicationException(ErrorPage.error(this.session, "Flow not configured for identity provider", new Object[0]));
        }
        AuthenticationFlowModel authenticationFlowById = this.realm.getAuthenticationFlowById(firstBrokerLoginFlowId);
        if (authenticationFlowById == null) {
            logger.errorf("Not found configured flow with ID '%s' for identity provider '%s'", firstBrokerLoginFlowId, alias);
            throw new WebApplicationException(ErrorPage.error(this.session, "Flow not found for identity provider", new Object[0]));
        }
        this.event.detail("identity_provider", alias).detail("identity_provider_identity", deserialize.getUsername());
        return processFlow(str2, clientSession, z ? FIRST_BROKER_LOGIN_PATH : POST_BROKER_LOGIN_PATH, authenticationFlowById, null, new AuthenticationProcessor() { // from class: org.keycloak.services.resources.LoginActionsService.2
            /* JADX INFO: Access modifiers changed from: protected */
            @Override // org.keycloak.authentication.AuthenticationProcessor
            public Response authenticationComplete() {
                if (!z) {
                    clientSession.setNote(PostBrokerLoginConstants.PBL_AUTH_STATE_PREFIX + alias, "true");
                }
                return LoginActionsService.this.redirectToAfterBrokerLoginEndpoint(this.clientSession, z);
            }
        });
    }

    /* JADX INFO: Access modifiers changed from: private */
    public Response redirectToAfterBrokerLoginEndpoint(ClientSessionModel clientSessionModel, boolean z) {
        ClientSessionCode clientSessionCode = new ClientSessionCode(this.realm, clientSessionModel);
        clientSessionModel.setTimestamp(Time.currentTime());
        URI identityProviderAfterFirstBrokerLogin = z ? Urls.identityProviderAfterFirstBrokerLogin(this.uriInfo.getBaseUri(), this.realm.getName(), clientSessionCode.getCode()) : Urls.identityProviderAfterPostBrokerLogin(this.uriInfo.getBaseUri(), this.realm.getName(), clientSessionCode.getCode());
        logger.debugf("Redirecting to '%s' ", identityProviderAfterFirstBrokerLogin);
        return Response.status(302).location(identityProviderAfterFirstBrokerLogin).build();
    }

    @POST
    @Path("consent")
    @Consumes({"application/x-www-form-urlencoded"})
    public Response processConsent(MultivaluedMap<String, String> multivaluedMap) {
        this.event.event(EventType.LOGIN);
        if (!checkSsl()) {
            return ErrorPage.error(this.session, Messages.HTTPS_REQUIRED, new Object[0]);
        }
        ClientSessionCode parse = ClientSessionCode.parse((String) multivaluedMap.getFirst("code"), this.session, this.realm);
        if (parse == null || !parse.isValid(ClientSessionModel.Action.OAUTH_GRANT.name(), ClientSessionCode.ActionType.LOGIN)) {
            this.event.error("invalid_code");
            return ErrorPage.error(this.session, Messages.INVALID_ACCESS_CODE, new Object[0]);
        }
        ClientSessionModel clientSession = parse.getClientSession();
        initEvent(clientSession);
        UserSessionModel userSession = clientSession.getUserSession();
        UserModel user = userSession.getUser();
        ClientModel client = clientSession.getClient();
        if (!AuthenticationManager.isSessionValid(this.realm, userSession)) {
            AuthenticationManager.backchannelLogout(this.session, this.realm, userSession, this.uriInfo, this.clientConnection, this.headers, true);
            this.event.error("invalid_code");
            return ErrorPage.error(this.session, Messages.SESSION_NOT_ACTIVE, new Object[0]);
        }
        if (multivaluedMap.containsKey("cancel")) {
            LoginProtocol loginProtocol = (LoginProtocol) this.session.getProvider(LoginProtocol.class, clientSession.getAuthMethod());
            loginProtocol.setRealm(this.realm).setHttpHeaders(this.headers).setUriInfo(this.uriInfo).setEventBuilder(this.event);
            Response sendError = loginProtocol.sendError(clientSession, LoginProtocol.Error.CONSENT_DENIED);
            this.event.error("rejected_by_user");
            return sendError;
        }
        UserConsentModel consentByClient = user.getConsentByClient(client.getId());
        if (consentByClient == null) {
            consentByClient = new UserConsentModel(client);
            user.addConsent(consentByClient);
        }
        Iterator<RoleModel> it = parse.getRequestedRoles().iterator();
        while (it.hasNext()) {
            consentByClient.addGrantedRole(it.next());
        }
        for (ProtocolMapperModel protocolMapperModel : parse.getRequestedProtocolMappers()) {
            if (protocolMapperModel.isConsentRequired() && protocolMapperModel.getConsentText() != null) {
                consentByClient.addGrantedProtocolMapper(protocolMapperModel);
            }
        }
        user.updateConsent(consentByClient);
        this.event.detail("consent", "consent_granted");
        this.event.success();
        AuthenticationManager authenticationManager = this.authManager;
        return AuthenticationManager.redirectAfterSuccessfulFlow(this.session, this.realm, userSession, clientSession, this.request, this.uriInfo, this.clientConnection, this.event);
    }

    @GET
    @Path("email-verification")
    public Response emailVerification(@QueryParam("code") String str, @QueryParam("key") String str2) {
        this.event.event(EventType.VERIFY_EMAIL);
        if (str2 == null) {
            Checks checks = new Checks();
            if (!checks.verifyCode(str, ClientSessionModel.Action.REQUIRED_ACTIONS.name(), ClientSessionCode.ActionType.USER)) {
                return checks.response;
            }
            ClientSessionCode clientSessionCode = checks.clientCode;
            ClientSessionModel clientSession = clientSessionCode.getClientSession();
            UserSessionModel userSession = clientSession.getUserSession();
            initEvent(clientSession);
            createActionCookie(this.realm, this.uriInfo, this.clientConnection, userSession.getId());
            VerifyEmail.setupKey(clientSession);
            return this.session.getProvider(LoginFormsProvider.class).setClientSessionCode(clientSessionCode.getCode()).setClientSession(clientSession).setUser(userSession.getUser()).createResponse(UserModel.RequiredAction.VERIFY_EMAIL);
        }
        Checks checks2 = new Checks();
        if (!checks2.verifyCode(str, ClientSessionModel.Action.REQUIRED_ACTIONS.name(), ClientSessionCode.ActionType.USER)) {
            return checks2.response;
        }
        ClientSessionModel clientSession2 = checks2.clientCode.getClientSession();
        if (!ClientSessionModel.Action.VERIFY_EMAIL.name().equals(clientSession2.getNote(AuthenticationManager.CURRENT_REQUIRED_ACTION))) {
            logger.error("required action doesn't match current required action");
            this.event.error("invalid_code");
            throw new WebApplicationException(ErrorPage.error(this.session, Messages.INVALID_CODE, new Object[0]));
        }
        UserSessionModel userSession2 = clientSession2.getUserSession();
        UserModel user = userSession2.getUser();
        initEvent(clientSession2);
        this.event.event(EventType.VERIFY_EMAIL).detail("email", user.getEmail());
        String note = clientSession2.getNote("VERIFY_EMAIL_KEY");
        clientSession2.removeNote("VERIFY_EMAIL_KEY");
        if (!str2.equals(note)) {
            logger.error("Invalid key for email verification");
            this.event.error("invalid_user_credentials");
            throw new WebApplicationException(ErrorPage.error(this.session, Messages.INVALID_CODE, new Object[0]));
        }
        user.setEmailVerified(true);
        user.removeRequiredAction(UserModel.RequiredAction.VERIFY_EMAIL);
        this.event.success();
        String actionCookie = getActionCookie();
        if (actionCookie == null || !actionCookie.equals(userSession2.getId())) {
            this.session.sessions().removeClientSession(this.realm, clientSession2);
            return this.session.getProvider(LoginFormsProvider.class).setSuccess(Messages.EMAIL_VERIFIED, new Object[0]).createInfoPage();
        }
        this.event = this.event.clone().removeDetail("email").event(EventType.LOGIN);
        return AuthenticationProcessor.createRequiredActionRedirect(this.realm, clientSession2, this.uriInfo);
    }

    @GET
    @Path("execute-actions")
    public Response executeActions(@QueryParam("key") String str) {
        this.event.event(EventType.EXECUTE_ACTIONS);
        if (str == null) {
            this.event.error("invalid_code");
            return ErrorPage.error(this.session, Messages.INVALID_CODE, new Object[0]);
        }
        Checks checks = new Checks();
        if (!checks.verifyCode(str, ClientSessionModel.Action.EXECUTE_ACTIONS.name(), ClientSessionCode.ActionType.USER)) {
            return checks.response;
        }
        ClientSessionModel clientSession = checks.clientCode.getClientSession();
        clientSession.getUserSession().getUser().setEmailVerified(true);
        clientSession.setNote(AuthenticationManager.END_AFTER_REQUIRED_ACTIONS, "true");
        clientSession.setNote(ClientSessionModel.Action.EXECUTE_ACTIONS.name(), "true");
        return AuthenticationProcessor.createRequiredActionRedirect(this.realm, clientSession, this.uriInfo);
    }

    private String getActionCookie() {
        return getActionCookie(this.headers, this.realm, this.uriInfo, this.clientConnection);
    }

    public static String getActionCookie(HttpHeaders httpHeaders, RealmModel realmModel, UriInfo uriInfo, ClientConnection clientConnection) {
        Cookie cookie = (Cookie) httpHeaders.getCookies().get(ACTION_COOKIE);
        AuthenticationManager.expireCookie(realmModel, ACTION_COOKIE, AuthenticationManager.getRealmCookiePath(realmModel, uriInfo), realmModel.getSslRequired().isRequired(clientConnection), clientConnection);
        if (cookie != null) {
            return cookie.getValue();
        }
        return null;
    }

    public static void createActionCookie(RealmModel realmModel, UriInfo uriInfo, ClientConnection clientConnection, String str) {
        CookieHelper.addCookie(ACTION_COOKIE, str, AuthenticationManager.getRealmCookiePath(realmModel, uriInfo), null, null, -1, realmModel.getSslRequired().isRequired(clientConnection), true);
    }

    private void initEvent(ClientSessionModel clientSessionModel) {
        UserSessionModel userSession = clientSessionModel.getUserSession();
        String note = clientSessionModel.getNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM);
        if (note == null) {
            note = "code";
        }
        this.event.event(EventType.LOGIN).client(clientSessionModel.getClient()).user(userSession.getUser()).session(userSession.getId()).detail("code_id", clientSessionModel.getId()).detail(OIDCLoginProtocol.REDIRECT_URI_PARAM, clientSessionModel.getRedirectUri()).detail("username", clientSessionModel.getNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME)).detail("auth_method", userSession.getAuthMethod()).detail("username", userSession.getLoginUsername()).detail(OIDCLoginProtocol.RESPONSE_TYPE_PARAM, note).detail(OIDCLoginProtocol.RESPONSE_MODE_PARAM, OIDCResponseMode.parse(clientSessionModel.getNote(OIDCLoginProtocol.RESPONSE_MODE_PARAM), OIDCResponseType.parse(note)).toString().toLowerCase());
        if (userSession.isRememberMe()) {
            this.event.detail("remember_me", "true");
        }
    }

    @POST
    @Path(REQUIRED_ACTION)
    public Response requiredActionPOST(@QueryParam("code") String str, @QueryParam("action") String str2) {
        return processRequireAction(str, str2);
    }

    @GET
    @Path(REQUIRED_ACTION)
    public Response requiredActionGET(@QueryParam("code") String str, @QueryParam("action") String str2) {
        return processRequireAction(str, str2);
    }

    public Response processRequireAction(String str, String str2) {
        this.event.event(EventType.CUSTOM_REQUIRED_ACTION);
        this.event.detail("custom_required_action", str2);
        Checks checks = new Checks();
        if (!checks.verifyCode(str, ClientSessionModel.Action.REQUIRED_ACTIONS.name(), ClientSessionCode.ActionType.USER)) {
            return checks.response;
        }
        ClientSessionModel clientSession = checks.clientCode.getClientSession();
        if (clientSession.getUserSession() == null) {
            logger.error("user session was null");
            this.event.error("user_session_not_found");
            throw new WebApplicationException(ErrorPage.error(this.session, Messages.SESSION_NOT_ACTIVE, new Object[0]));
        }
        if (str2 == null && clientSession.getUserSession() != null) {
            initEvent(clientSession);
            this.event.event(EventType.LOGIN);
            return AuthenticationManager.nextActionAfterAuthentication(this.session, clientSession.getUserSession(), clientSession, this.clientConnection, this.request, this.uriInfo, this.event);
        }
        if (!str2.equals(clientSession.getNote(AuthenticationManager.CURRENT_REQUIRED_ACTION))) {
            logger.error("required action doesn't match current required action");
            this.event.error("invalid_code");
            throw new WebApplicationException(ErrorPage.error(this.session, Messages.INVALID_CODE, new Object[0]));
        }
        RequiredActionFactory requiredActionFactory = (RequiredActionFactory) this.session.getKeycloakSessionFactory().getProviderFactory(RequiredActionProvider.class, str2);
        if (requiredActionFactory == null) {
            logger.error("required action provider was null");
            this.event.error("invalid_code");
            throw new WebApplicationException(ErrorPage.error(this.session, Messages.INVALID_CODE, new Object[0]));
        }
        RequiredActionProvider requiredActionProvider = (RequiredActionProvider) requiredActionFactory.create(this.session);
        initEvent(clientSession);
        this.event.event(EventType.CUSTOM_REQUIRED_ACTION);
        RequiredActionContextResult requiredActionContextResult = new RequiredActionContextResult(clientSession.getUserSession(), clientSession, this.realm, this.event, this.session, this.request, clientSession.getUserSession().getUser(), requiredActionFactory) { // from class: org.keycloak.services.resources.LoginActionsService.3
            @Override // org.keycloak.authentication.RequiredActionContextResult, org.keycloak.authentication.RequiredActionContext
            public void ignore() {
                throw new RuntimeException("Cannot call ignore within processAction()");
            }
        };
        requiredActionProvider.processAction(requiredActionContextResult);
        if (requiredActionContextResult.getStatus() == RequiredActionContext.Status.SUCCESS) {
            this.event.success();
            clientSession.removeRequiredAction(requiredActionFactory.getId());
            clientSession.getUserSession().getUser().removeRequiredAction(requiredActionFactory.getId());
            return Response.status(302).location(loginActionsBaseUrl(this.uriInfo).path(REQUIRED_ACTION).queryParam("code", new Object[]{str}).build(new Object[]{this.realm.getName()})).build();
        }
        if (requiredActionContextResult.getStatus() == RequiredActionContext.Status.CHALLENGE) {
            return requiredActionContextResult.getChallenge();
        }
        if (requiredActionContextResult.getStatus() != RequiredActionContext.Status.FAILURE) {
            throw new RuntimeException("Unreachable");
        }
        LoginProtocol loginProtocol = (LoginProtocol) requiredActionContextResult.getSession().getProvider(LoginProtocol.class, requiredActionContextResult.getClientSession().getAuthMethod());
        loginProtocol.setRealm(requiredActionContextResult.getRealm()).setHttpHeaders(requiredActionContextResult.getHttpRequest().getHttpHeaders()).setUriInfo(requiredActionContextResult.getUriInfo()).setEventBuilder(this.event);
        this.event.detail("custom_required_action", str2);
        Response sendError = loginProtocol.sendError(requiredActionContextResult.getClientSession(), LoginProtocol.Error.CONSENT_DENIED);
        this.event.error("rejected_by_user");
        return sendError;
    }
}
