package org.keycloak.authentication;

import java.net.URI;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import org.jboss.logging.Logger;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator;
import org.keycloak.authentication.authenticators.client.ClientAuthUtil;
import org.keycloak.common.ClientConnection;
import org.keycloak.common.util.Time;
import org.keycloak.events.EventBuilder;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.AuthenticationFlowModel;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.FormMessage;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.LoginProtocol;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.protocol.saml.SamlProtocol;
import org.keycloak.services.ErrorPage;
import org.keycloak.services.ErrorPageException;
import org.keycloak.services.ServicesLogger;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.AuthenticationSessionManager;
import org.keycloak.services.managers.BruteForceProtector;
import org.keycloak.services.managers.ClientSessionCode;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.LoginActionsService;
import org.keycloak.services.util.AuthenticationFlowURLHelper;
import org.keycloak.services.util.CacheControlUtil;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.sessions.CommonClientSessionModel;

/* loaded from: input_file:org/keycloak/authentication/AuthenticationProcessor.class */
public class AuthenticationProcessor {
    // Auth-note key. authenticationAction() compares the execution id submitted with the
    // request against the value stored under this key and shows "page expired" on mismatch.
    public static final String CURRENT_AUTHENTICATION_EXECUTION = "current.authentication.execution";
    // Auth-note key name; its use is not visible in this part of the class.
    public static final String LAST_PROCESSED_EXECUTION = "last.processed.execution";
    // Auth-note key under which the static resetFlow() stores the flow path after clearing notes.
    public static final String CURRENT_FLOW_PATH = "current.flow.path";
    // Auth-note key under which clone() records the id of the session a fork was created from.
    public static final String FORKED_FROM = "forked.from";
    // Auth-note keys read by the static attachSession() and passed on when the user session
    // is created or restarted.
    public static final String BROKER_SESSION_ID = "broker.session.id";
    public static final String BROKER_USER_ID = "broker.user.id";
    protected static final Logger logger = Logger.getLogger(AuthenticationProcessor.class);
    // Collaborators are injected through the fluent setters below; none is validated here.
    protected RealmModel realm;
    protected UserSessionModel userSession;
    // The in-progress authentication session: holds the authenticated user, auth notes and
    // per-execution status that the methods of this class read and mutate.
    protected AuthenticationSessionModel authenticationSession;
    protected ClientConnection connection;
    protected UriInfo uriInfo;
    protected KeycloakSession session;
    protected EventBuilder event;
    protected HttpRequest request;
    // Id of the flow handed to createFlowExecution().
    protected String flowId;
    // Path segment appended to the login-actions base URL when action URLs are built.
    protected String flowPath;
    protected boolean browserFlow;
    // Resolved lazily by getBruteForceProtector().
    protected BruteForceProtector protector;
    // Run by resetFlow() after the session has been reset; set through Result.resetFlow(Runnable).
    protected Runnable afterResetListener;
    // Messages carried over from a forked flow; Result.form() adds them to the login form.
    protected FormMessage forwardedErrorMessage;
    protected FormMessage forwardedSuccessMessage;
    protected ClientModel client;
    // NOTE(review): raw HashMap (decompiler output); `new HashMap<>()` would keep the declared
    // type parameters and avoid the unchecked warning.
    protected Map<String, String> clientAuthAttributes = new HashMap();

    /* loaded from: input_file:org/keycloak/authentication/AuthenticationProcessor$Result.class */
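    /**
     * Per-execution context passed to an {@link Authenticator} or {@link ClientAuthenticator}.
     *
     * <p>The authenticator reports its outcome by calling one of the status methods
     * ({@link #success()}, {@link #failure(AuthenticationFlowError)}, {@link #challenge(Response)},
     * ...); the outcome is only recorded here and is read back through {@link #getStatus()},
     * {@link #getChallenge()} and {@link #getError()}. Everything else delegates to the enclosing
     * {@link AuthenticationProcessor}, so state such as the authenticated user lives in the
     * authentication session and not in this object.
     */
    public class Result implements AuthenticationFlowContext, ClientAuthenticationFlowContext {
        // Cached by getAuthenticatorConfig() after the first realm lookup.
        AuthenticatorConfigModel authenticatorConfig;
        AuthenticationExecutionModel execution;
        // Exactly one of authenticator / clientAuthenticator is set, depending on the constructor used.
        Authenticator authenticator;
        FlowStatus status;
        ClientAuthenticator clientAuthenticator;
        Response challenge;
        AuthenticationFlowError error;
        List<AuthenticationExecutionModel> currentExecutions;
        FormMessage errorMessage;
        FormMessage successMessage;

        /** Creates the context for a user-facing authenticator execution. */
        private Result(AuthenticationExecutionModel authenticationExecutionModel, Authenticator authenticator, List<AuthenticationExecutionModel> list) {
            this.execution = authenticationExecutionModel;
            this.authenticator = authenticator;
            this.currentExecutions = list;
        }

        /** Creates the context for a client-authenticator execution. */
        private Result(AuthenticationExecutionModel authenticationExecutionModel, ClientAuthenticator clientAuthenticator, List<AuthenticationExecutionModel> list) {
            this.execution = authenticationExecutionModel;
            this.clientAuthenticator = clientAuthenticator;
            this.currentExecutions = list;
        }

        /** Replaces the processor's event builder with a fresh one and returns it. */
        public EventBuilder newEvent() {
            return AuthenticationProcessor.this.newEvent();
        }

        /**
         * Finds the first execution in this execution's parent flow whose authenticator factory
         * declares the given reference category.
         *
         * @param str reference category to look for
         * @return that execution's requirement, or {@code null} when no execution matches
         */
        public AuthenticationExecutionModel.Requirement getCategoryRequirementFromCurrentFlow(String str) {
            for (AuthenticationExecutionModel candidate : AuthenticationProcessor.this.realm.getAuthenticationExecutions(execution.getParentFlow())) {
                AuthenticatorFactory factory = (AuthenticatorFactory) getSession().getKeycloakSessionFactory().getProviderFactory(Authenticator.class, candidate.getAuthenticator());
                if (factory == null) {
                    continue;
                }
                // A factory may not declare a reference category; treat that as "no match"
                // instead of failing the whole flow with a NullPointerException.
                String category = factory.getReferenceCategory();
                if (category != null && category.equals(str)) {
                    return candidate.getRequirement();
                }
            }
            return null;
        }

        /** Returns the execution this context was created for. */
        public AuthenticationExecutionModel getExecution() {
            return execution;
        }

        /**
         * Returns the configuration attached to the execution, looking it up in the realm on
         * first use and caching it afterwards.
         *
         * @return the configuration, or {@code null} when the execution references none
         */
        public AuthenticatorConfigModel getAuthenticatorConfig() {
            if (execution.getAuthenticatorConfig() == null) {
                return null;
            }
            if (authenticatorConfig == null) {
                authenticatorConfig = AuthenticationProcessor.this.realm.getAuthenticatorConfigById(execution.getAuthenticatorConfig());
            }
            return authenticatorConfig;
        }

        /** Returns the user-facing authenticator, or {@code null} for a client-authenticator context. */
        public Authenticator getAuthenticator() {
            return authenticator;
        }

        /** Returns the outcome recorded by the authenticator, or {@code null} if none was set yet. */
        public FlowStatus getStatus() {
            return status;
        }

        /** Returns the client authenticator, or {@code null} for a user-facing context. */
        public ClientAuthenticator getClientAuthenticator() {
            return clientAuthenticator;
        }

        /** Records that the execution succeeded. */
        public void success() {
            status = FlowStatus.SUCCESS;
        }

        /** Records a failure with the given error and no response to send. */
        public void failure(AuthenticationFlowError authenticationFlowError) {
            status = FlowStatus.FAILED;
            error = authenticationFlowError;
        }

        /** Records that the given response must be sent to the client as a challenge. */
        public void challenge(Response response) {
            status = FlowStatus.CHALLENGE;
            challenge = response;
        }

        /** Records a challenge with status {@code FORCE_CHALLENGE}. */
        public void forceChallenge(Response response) {
            status = FlowStatus.FORCE_CHALLENGE;
            challenge = response;
        }

        /** Records a failed attempt together with the response to show for it. */
        public void failureChallenge(AuthenticationFlowError authenticationFlowError, Response response) {
            error = authenticationFlowError;
            status = FlowStatus.FAILURE_CHALLENGE;
            challenge = response;
        }

        /** Records a failure with the given error and the response to send. */
        public void failure(AuthenticationFlowError authenticationFlowError, Response response) {
            error = authenticationFlowError;
            status = FlowStatus.FAILED;
            challenge = response;
        }

        /** Records that the authenticator ran but could not decide. */
        public void attempted() {
            status = FlowStatus.ATTEMPTED;
        }

        /** Returns the user currently bound to the authentication session, or {@code null}. */
        public UserModel getUser() {
            return getAuthenticationSession().getAuthenticatedUser();
        }

        /**
         * Binds the user to the authentication session through
         * {@link AuthenticationProcessor#setAutheticatedUser(UserModel)}, which rejects a user
         * that differs from one already bound.
         */
        public void setUser(UserModel userModel) {
            AuthenticationProcessor.this.setAutheticatedUser(userModel);
        }

        /** Removes the user from the authentication session. */
        public void clearUser() {
            AuthenticationProcessor.this.clearAuthenticatedUser();
        }

        public RealmModel getRealm() {
            return AuthenticationProcessor.this.getRealm();
        }

        public ClientModel getClient() {
            return AuthenticationProcessor.this.getClient();
        }

        /** Stores the client on the enclosing processor. */
        public void setClient(ClientModel clientModel) {
            AuthenticationProcessor.this.setClient(clientModel);
        }

        /** Returns the processor's client-auth attribute map itself, not a copy. */
        public Map<String, String> getClientAuthAttributes() {
            return AuthenticationProcessor.this.getClientAuthAttributes();
        }

        public AuthenticationSessionModel getAuthenticationSession() {
            return AuthenticationProcessor.this.getAuthenticationSession();
        }

        public ClientConnection getConnection() {
            return AuthenticationProcessor.this.getConnection();
        }

        public UriInfo getUriInfo() {
            return AuthenticationProcessor.this.getUriInfo();
        }

        public KeycloakSession getSession() {
            return AuthenticationProcessor.this.getSession();
        }

        public HttpRequest getHttpRequest() {
            return AuthenticationProcessor.this.request;
        }

        /** Makes the processor use the given user session from now on. */
        public void attachUserSession(UserSessionModel userSessionModel) {
            AuthenticationProcessor.this.userSession = userSessionModel;
        }

        public BruteForceProtector getProtector() {
            return AuthenticationProcessor.this.getBruteForceProtector();
        }

        public EventBuilder getEvent() {
            return AuthenticationProcessor.this.event;
        }

        public FormMessage getForwardedErrorMessage() {
            return AuthenticationProcessor.this.forwardedErrorMessage;
        }

        /** Returns the session code for this authentication session; see {@link AuthenticationProcessor#generateCode()}. */
        public String generateAccessCode() {
            return AuthenticationProcessor.this.generateCode();
        }

        public Response getChallenge() {
            return challenge;
        }

        public AuthenticationFlowError getError() {
            return error;
        }

        /**
         * Builds a login-forms provider pre-populated for this execution: session, user, action
         * URL, execution id, the submitted form parameters and the session code.
         *
         * <p>A forwarded error message takes precedence over a forwarded success message; only
         * one of the two is added.
         */
        public LoginFormsProvider form() {
            String code = generateAccessCode();
            LoginFormsProvider forms = getSession().getProvider(LoginFormsProvider.class)
                    .setAuthenticationSession(getAuthenticationSession())
                    .setUser(getUser())
                    .setActionUri(getActionUrl(code))
                    .setExecution(getExecution().getId())
                    .setFormData(AuthenticationProcessor.this.request.getDecodedFormParameters())
                    .setClientSessionCode(code);
            FormMessage forwardedError = getForwardedErrorMessage();
            if (forwardedError != null) {
                forms.addError(forwardedError);
            } else if (getForwardedSuccessMessage() != null) {
                forms.addSuccess(getForwardedSuccessMessage());
            }
            return forms;
        }

        /**
         * Builds the URL a form posts back to for this execution.
         *
         * <p>The session code is carried in the {@code code} query parameter, so it is part of
         * the URL wherever that URL is recorded (access logs, browser history).
         *
         * @param str the session code to embed
         */
        public URI getActionUrl(String str) {
            return LoginActionsService.loginActionsBaseUrl(getUriInfo())
                    .path(AuthenticationProcessor.this.flowPath)
                    .queryParam("code", str)
                    .queryParam("execution", getExecution().getId())
                    .queryParam("client_id", getAuthenticationSession().getClient().getClientId())
                    .build(getRealm().getName());
        }

        /**
         * Builds the action-token URL for this execution.
         *
         * @param str the token, sent as the {@code key} query parameter
         */
        public URI getActionTokenUrl(String str) {
            return LoginActionsService.actionTokenProcessor(getUriInfo())
                    .queryParam("key", str)
                    .queryParam("execution", getExecution().getId())
                    .queryParam("client_id", getAuthenticationSession().getClient().getClientId())
                    .build(getRealm().getName());
        }

        /** Builds the URL that re-enters this execution; unlike the action URL it carries no code. */
        public URI getRefreshExecutionUrl() {
            return LoginActionsService.loginActionsBaseUrl(getUriInfo())
                    .path(AuthenticationProcessor.this.flowPath)
                    .queryParam("execution", getExecution().getId())
                    .queryParam("client_id", getAuthenticationSession().getClient().getClientId())
                    .build(getRealm().getName());
        }

        /**
         * Records a {@code rejected_by_user} error event and force-challenges with the
         * protocol's "cancelled by user" error response.
         */
        public void cancelLogin() {
            getEvent().error("rejected_by_user");
            LoginProtocol protocol = getSession().getProvider(LoginProtocol.class, getAuthenticationSession().getProtocol());
            protocol.setRealm(getRealm())
                    .setHttpHeaders(getHttpRequest().getHttpHeaders())
                    .setUriInfo(getUriInfo())
                    .setEventBuilder(AuthenticationProcessor.this.event);
            forceChallenge(protocol.sendError(getAuthenticationSession(), LoginProtocol.Error.CANCELLED_BY_USER));
        }

        /** Requests that the flow be reset. */
        public void resetFlow() {
            status = FlowStatus.FLOW_RESET;
        }

        /**
         * Requests that the flow be reset and registers a listener on the processor, which
         * {@link AuthenticationProcessor#resetFlow()} runs after resetting the session.
         */
        public void resetFlow(Runnable runnable) {
            status = FlowStatus.FLOW_RESET;
            AuthenticationProcessor.this.afterResetListener = runnable;
        }

        /** Requests a fork of the flow. */
        public void fork() {
            status = FlowStatus.FORK;
        }

        /** Requests a fork and keeps a success message for the forked flow. */
        public void forkWithSuccessMessage(FormMessage formMessage) {
            status = FlowStatus.FORK;
            successMessage = formMessage;
        }

        /** Requests a fork and keeps an error message for the forked flow. */
        public void forkWithErrorMessage(FormMessage formMessage) {
            status = FlowStatus.FORK;
            errorMessage = formMessage;
        }

        public FormMessage getForwardedSuccessMessage() {
            return AuthenticationProcessor.this.forwardedSuccessMessage;
        }

        /** Returns the message set by {@link #forkWithErrorMessage(FormMessage)}, if any. */
        public FormMessage getErrorMessage() {
            return errorMessage;
        }

        /** Returns the message set by {@link #forkWithSuccessMessage(FormMessage)}, if any. */
        public FormMessage getSuccessMessage() {
            return successMessage;
        }
    }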

    /** Returns the flag set through {@link #setBrowserFlow(boolean)}. */
    public boolean isBrowserFlow() {
        return browserFlow;
    }

    /**
     * Marks this processor as running (or not running) a browser flow.
     *
     * @return this processor, for chaining
     */
    public AuthenticationProcessor setBrowserFlow(boolean z) {
        browserFlow = z;
        return this;
    }

    /** Returns the brute-force protector, resolving it from the Keycloak session on first use. */
    public BruteForceProtector getBruteForceProtector() {
        if (protector != null) {
            return protector;
        }
        protector = session.getProvider(BruteForceProtector.class);
        return protector;
    }

    /** Returns the realm this processor authenticates against. */
    public RealmModel getRealm() {
        return realm;
    }

    /** Returns the client stored through {@link #setClient(ClientModel)}, or {@code null}. */
    public ClientModel getClient() {
        return client;
    }

    /** Stores the client on this processor. */
    public void setClient(ClientModel clientModel) {
        client = clientModel;
    }

    /** Returns the live client-auth attribute map (not a copy), so callers can add entries to it. */
    public Map<String, String> getClientAuthAttributes() {
        return clientAuthAttributes;
    }

    /** Returns the authentication session currently being processed. */
    public AuthenticationSessionModel getAuthenticationSession() {
        return authenticationSession;
    }

    /** Returns the client connection of the current request. */
    public ClientConnection getConnection() {
        return connection;
    }

    /** Returns the URI info used to build action and redirect URLs. */
    public UriInfo getUriInfo() {
        return uriInfo;
    }

    /** Returns the Keycloak session used for provider lookups. */
    public KeycloakSession getSession() {
        return session;
    }

    /** Returns the user session attached so far, or {@code null} when none has been attached. */
    public UserSessionModel getUserSession() {
        return userSession;
    }

    /**
     * Sets the realm.
     *
     * @return this processor, for chaining
     */
    public AuthenticationProcessor setRealm(RealmModel realmModel) {
        realm = realmModel;
        return this;
    }

    /**
     * Sets the authentication session to process.
     *
     * @return this processor, for chaining
     */
    public AuthenticationProcessor setAuthenticationSession(AuthenticationSessionModel authenticationSessionModel) {
        authenticationSession = authenticationSessionModel;
        return this;
    }

    /**
     * Sets the client connection of the current request.
     *
     * @return this processor, for chaining
     */
    public AuthenticationProcessor setConnection(ClientConnection clientConnection) {
        connection = clientConnection;
        return this;
    }

    /**
     * Sets the URI info used to build action and redirect URLs.
     *
     * @return this processor, for chaining
     */
    public AuthenticationProcessor setUriInfo(UriInfo uriInfo) {
        // Parameter shadows the field, so the qualifier is required here.
        this.uriInfo = uriInfo;
        return this;
    }

    /**
     * Sets the Keycloak session.
     *
     * @return this processor, for chaining
     */
    public AuthenticationProcessor setSession(KeycloakSession keycloakSession) {
        session = keycloakSession;
        return this;
    }

    /**
     * Sets the event builder that receives the error and detail entries recorded by this class.
     *
     * @return this processor, for chaining
     */
    public AuthenticationProcessor setEventBuilder(EventBuilder eventBuilder) {
        event = eventBuilder;
        return this;
    }

    /**
     * Sets the HTTP request being handled.
     *
     * @return this processor, for chaining
     */
    public AuthenticationProcessor setRequest(HttpRequest httpRequest) {
        request = httpRequest;
        return this;
    }

    /**
     * Sets the id of the authentication flow that {@link #createFlowExecution} is asked to run.
     *
     * @return this processor, for chaining
     */
    public AuthenticationProcessor setFlowId(String str) {
        flowId = str;
        return this;
    }

    /**
     * Sets the path segment that is appended to the login-actions base URL when action URLs
     * are built, and that {@link #resetFlow()} stores in the session.
     *
     * @return this processor, for chaining
     */
    public AuthenticationProcessor setFlowPath(String str) {
        flowPath = str;
        return this;
    }

    /**
     * Sets an error message to show on the next login form.
     *
     * @return this processor, for chaining
     */
    public AuthenticationProcessor setForwardedErrorMessage(FormMessage formMessage) {
        forwardedErrorMessage = formMessage;
        return this;
    }

    /**
     * Sets a success message to show on the next login form (used only when no forwarded
     * error message is present).
     *
     * @return this processor, for chaining
     */
    public AuthenticationProcessor setForwardedSuccessMessage(FormMessage formMessage) {
        forwardedSuccessMessage = formMessage;
        return this;
    }

    /**
     * Returns the session code for the current authentication session, generating one if the
     * session does not have one yet.
     *
     * <p>Side effect: the session timestamp is set to the current time before the code is
     * fetched.
     */
    public String generateCode() {
        ClientSessionCode sessionCode = new ClientSessionCode(session, getRealm(), getAuthenticationSession());
        authenticationSession.setTimestamp(Time.currentTime());
        return sessionCode.getOrGenerateCode();
    }

    /**
     * Replaces the current event builder with a fresh one for this realm, session and
     * connection; details recorded on the previous builder are not carried over by this method.
     */
    public EventBuilder newEvent() {
        EventBuilder fresh = new EventBuilder(realm, session, connection);
        event = fresh;
        return fresh;
    }

    /** Returns the event builder currently in use. */
    public EventBuilder getEvent() {
        return event;
    }

    /** Returns the HTTP request being handled. */
    public HttpRequest getRequest() {
        return request;
    }

    /**
     * Binds a user to the authentication session.
     *
     * <p>Once a user is bound, a later call with a different user id is rejected, so an
     * authenticator further down the flow cannot switch the identity being authenticated.
     * The user is passed to {@code validateUser} before it is stored.
     *
     * @throws AuthenticationFlowException with {@code USER_CONFLICT} when another user is
     *         already bound to the session
     */
    public void setAutheticatedUser(UserModel userModel) {
        UserModel alreadyBound = getAuthenticationSession().getAuthenticatedUser();
        // NOTE(review): userModel is dereferenced when a user is already bound, so passing
        // null in that state ends in a NullPointerException; clearAuthenticatedUser() is the
        // method that unbinds.
        boolean conflictingUser = alreadyBound != null && !userModel.getId().equals(alreadyBound.getId());
        if (conflictingUser) {
            throw new AuthenticationFlowException(AuthenticationFlowError.USER_CONFLICT);
        }
        validateUser(userModel);
        getAuthenticationSession().setAuthenticatedUser(userModel);
    }

    /** Unbinds the user from the authentication session. */
    public void clearAuthenticatedUser() {
        AuthenticationSessionModel current = getAuthenticationSession();
        current.setAuthenticatedUser((UserModel) null);
    }

    /**
     * Reports a failed login to the brute-force protector.
     *
     * <p>Nothing is reported when the realm has brute-force protection off, when no attempted
     * username was noted on the session, or when that username does not resolve to a user.
     */
    public void logFailure() {
        if (!realm.isBruteForceProtected()) {
            return;
        }
        String attemptedUsername = authenticationSession.getAuthNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME);
        if (attemptedUsername == null) {
            return;
        }
        UserModel attemptedUser = KeycloakModelUtils.findUserByNameOrEmail(session, realm, attemptedUsername);
        if (attemptedUser == null) {
            return;
        }
        getBruteForceProtector().failedLogin(realm, attemptedUser, connection);
    }

    /**
     * Reports a successful login to the brute-force protector.
     *
     * <p>The user is resolved from the attempted username noted on the session, not from the
     * session's authenticated user; nothing is reported when the realm has brute-force
     * protection off, no username was noted, or the username does not resolve to a user.
     */
    protected void logSuccess() {
        if (!realm.isBruteForceProtected()) {
            return;
        }
        String attemptedUsername = authenticationSession.getAuthNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME);
        if (attemptedUsername == null) {
            return;
        }
        UserModel attemptedUser = KeycloakModelUtils.findUserByNameOrEmail(session, realm, attemptedUsername);
        if (attemptedUser == null) {
            return;
        }
        getBruteForceProtector().successfulLogin(realm, attemptedUser, connection);
    }

    /**
     * Tells whether the session has recorded {@code SUCCESS} for the given execution.
     *
     * @return {@code false} when no status is recorded for the execution or it is anything
     *         other than {@code SUCCESS}
     */
    public boolean isSuccessful(AuthenticationExecutionModel authenticationExecutionModel) {
        String executionId = authenticationExecutionModel.getId();
        // A missing entry yields null, which is simply not equal to SUCCESS.
        return authenticationSession.getExecutionStatus().get(executionId) == CommonClientSessionModel.ExecutionStatus.SUCCESS;
    }

    /**
     * Turns an exception raised while running a browser flow into a response.
     *
     * <p>A {@code FORK_FLOW} error restarts authentication on a forked session. Every other
     * case is logged, recorded as an error event and answered with an error page. The event
     * name is specific to the cause, while the message key shown to the user is
     * {@code INVALID_USER} for a temporarily disabled user and for unlisted errors, the same
     * key as for an unknown user; a permanently disabled user gets {@code ACCOUNT_DISABLED}.
     *
     * @param exc the exception thrown by the flow
     * @return the error page, or the response of the forked flow
     */
    public Response handleBrowserException(Exception exc) {
        if (!(exc instanceof AuthenticationFlowException)) {
            ServicesLogger.LOGGER.failedAuthentication(exc);
            event.error("invalid_user_credentials");
            return ErrorPage.error(session, authenticationSession, Messages.UNEXPECTED_ERROR_HANDLING_REQUEST, new Object[0]);
        }
        AuthenticationFlowException flowFailure = (AuthenticationFlowException) exc;
        AuthenticationFlowError reason = flowFailure.getError();

        if (reason == AuthenticationFlowError.FORK_FLOW) {
            ForkFlowException forkRequest = (ForkFlowException) flowFailure;
            AuthenticationSessionModel forked = clone(session, authenticationSession);
            forked.setAction(CommonClientSessionModel.Action.AUTHENTICATE.name());
            // This processor switches to the forked session as well.
            setAuthenticationSession(forked);
            AuthenticationProcessor forkProcessor = new AuthenticationProcessor();
            forkProcessor.setAuthenticationSession(forked)
                    .setFlowPath(LoginActionsService.AUTHENTICATE_PATH)
                    .setFlowId(realm.getBrowserFlow().getId())
                    .setForwardedErrorMessage(forkRequest.getErrorMessage())
                    .setForwardedSuccessMessage(forkRequest.getSuccessMessage())
                    .setConnection(connection)
                    .setEventBuilder(event)
                    .setRealm(realm)
                    .setBrowserFlow(isBrowserFlow())
                    .setSession(session)
                    .setUriInfo(uriInfo)
                    .setRequest(request);
            CacheControlUtil.noBackButtonCacheControlHeader();
            return forkProcessor.authenticate();
        }

        ServicesLogger.LOGGER.failedAuthentication(flowFailure);
        String eventError;
        String messageKey;
        if (reason == AuthenticationFlowError.INVALID_USER) {
            eventError = "user_not_found";
            messageKey = Messages.INVALID_USER;
        } else if (reason == AuthenticationFlowError.USER_DISABLED) {
            eventError = "user_disabled";
            messageKey = Messages.ACCOUNT_DISABLED;
        } else if (reason == AuthenticationFlowError.USER_TEMPORARILY_DISABLED) {
            eventError = "user_temporarily_disabled";
            messageKey = Messages.INVALID_USER;
        } else if (reason == AuthenticationFlowError.INVALID_CLIENT_SESSION) {
            eventError = "invalid_code";
            messageKey = Messages.INVALID_CODE;
        } else if (reason == AuthenticationFlowError.EXPIRED_CODE) {
            eventError = "expired_code";
            messageKey = Messages.EXPIRED_CODE;
        } else {
            eventError = "invalid_user_credentials";
            messageKey = Messages.INVALID_USER;
        }
        event.error(eventError);
        return ErrorPage.error(session, authenticationSession, messageKey, new Object[0]);
    }

    /**
     * Turns an exception raised during client authentication into an error response.
     *
     * <p>Every case answers with HTTP 400, records an error event, and logs the exception.
     *
     * <p>NOTE(review): three of the branches copy {@code getMessage()} of the exception into
     * the response body (the unexpected-exception branch, the credentials-setup branch and the
     * fallback). The caller has not authenticated at this point, so whatever those messages
     * contain is disclosed to it; a fixed description in the response, with the detail kept in
     * the server log, would avoid that.
     *
     * @param exc the exception thrown by the client flow
     * @return the error response to send
     */
    public Response handleClientAuthException(Exception exc) {
        final int badRequest = Response.Status.BAD_REQUEST.getStatusCode();

        if (exc instanceof AuthenticationFlowException) {
            AuthenticationFlowException flowFailure = (AuthenticationFlowException) exc;
            ServicesLogger.LOGGER.failedClientAuthentication(flowFailure);
            AuthenticationFlowError reason = flowFailure.getError();

            if (reason == AuthenticationFlowError.CLIENT_NOT_FOUND) {
                event.error("client_not_found");
                return ClientAuthUtil.errorResponse(badRequest, "invalid_client", "Could not find client");
            }
            if (reason == AuthenticationFlowError.CLIENT_DISABLED) {
                event.error("client_disabled");
                return ClientAuthUtil.errorResponse(badRequest, "invalid_client", "Client is not enabled");
            }
            if (reason == AuthenticationFlowError.CLIENT_CREDENTIALS_SETUP_REQUIRED) {
                event.error("invalid_client_credentials");
                return ClientAuthUtil.errorResponse(badRequest, "unauthorized_client", flowFailure.getMessage());
            }
            event.error("invalid_client_credentials");
            return ClientAuthUtil.errorResponse(badRequest, "unauthorized_client", reason.toString() + ": " + flowFailure.getMessage());
        }

        ServicesLogger.LOGGER.errorAuthenticatingClient(exc);
        event.error("invalid_client_credentials");
        return ClientAuthUtil.errorResponse(badRequest, "unauthorized_client", "Unexpected error when authenticating client: " + exc.getMessage());
    }

    /**
     * Creates the flow implementation for the flow with the given id, chosen by the flow's
     * provider id. A flow without a provider id is treated as a basic flow.
     *
     * @param str id of the flow to look up in the realm
     * @param authenticationExecutionModel execution handed to a form flow; unused for the
     *        other flow types
     * @throws AuthenticationFlowException with {@code INTERNAL_ERROR} when the flow does not
     *         exist or its provider id is not one of the three known types
     */
    public AuthenticationFlow createFlowExecution(String str, AuthenticationExecutionModel authenticationExecutionModel) {
        AuthenticationFlowModel flow = realm.getAuthenticationFlowById(str);
        if (flow == null) {
            logger.error("Unknown flow to execute with");
            throw new AuthenticationFlowException(AuthenticationFlowError.INTERNAL_ERROR);
        }
        String providerId = flow.getProviderId();
        if (providerId == null || "basic-flow".equals(providerId)) {
            return new DefaultAuthenticationFlow(this, flow);
        }
        if ("form-flow".equals(providerId)) {
            return new FormAuthenticationFlow(this, authenticationExecutionModel);
        }
        if ("client-flow".equals(providerId)) {
            return new ClientAuthenticationFlow(this, flow);
        }
        throw new AuthenticationFlowException("Unknown flow provider type", AuthenticationFlowError.INTERNAL_ERROR);
    }

    /**
     * Runs the flow and, when it finishes without a response to send, completes authentication.
     *
     * @return the flow's response if it produced one, otherwise the result of
     *         {@code authenticationComplete()}
     */
    public Response authenticate() throws AuthenticationFlowException {
        logger.debug("AUTHENTICATE");
        Response pending = authenticateOnly();
        if (pending != null) {
            return pending;
        }
        return authenticationComplete();
    }

    /**
     * Runs the client-authentication flow. Any exception it throws is converted into an error
     * response by {@link #handleClientAuthException(Exception)} instead of propagating.
     */
    public Response authenticateClient() throws AuthenticationFlowException {
        logger.debug("AUTHENTICATE CLIENT");
        try {
            AuthenticationFlow clientFlow = createFlowExecution(flowId, null);
            return clientFlow.processFlow();
        } catch (Exception e) {
            return handleClientAuthException(e);
        }
    }

    /** Answers with a 302 redirect to the URL of the last execution of the current session. */
    public Response redirectToFlow() {
        AuthenticationFlowURLHelper urlHelper = new AuthenticationFlowURLHelper(session, realm, uriInfo);
        URI target = urlHelper.getLastExecutionUrl(authenticationSession);
        logger.debug("Redirecting to URL: " + target.toString());
        return Response.status(302).location(target).build();
    }

    /**
     * Resets the current authentication session for this processor's flow path and then runs
     * the after-reset listener, if one was registered.
     */
    public void resetFlow() {
        resetFlow(authenticationSession, flowPath);
        if (afterResetListener == null) {
            return;
        }
        afterResetListener.run();
    }

    /**
     * Returns an authentication session to its starting state: the authenticated user,
     * execution statuses, user-session notes and auth notes are all dropped, the action is
     * set back to AUTHENTICATE and the timestamp is refreshed.
     *
     * @param authenticationSessionModel the session to reset
     * @param str flow path to store in the session under {@link #CURRENT_FLOW_PATH}
     */
    public static void resetFlow(AuthenticationSessionModel authenticationSessionModel, String str) {
        logger.debug("RESET FLOW");
        authenticationSessionModel.setTimestamp(Time.currentTime());
        // Unbind the user so nothing established before the reset carries into the new run.
        authenticationSessionModel.setAuthenticatedUser((UserModel) null);
        authenticationSessionModel.clearExecutionStatus();
        authenticationSessionModel.clearUserSessionNotes();
        authenticationSessionModel.clearAuthNotes();
        authenticationSessionModel.setAction(CommonClientSessionModel.Action.AUTHENTICATE.name());
        // Must come after clearAuthNotes(), which would otherwise remove it again.
        authenticationSessionModel.setAuthNote(CURRENT_FLOW_PATH, str);
    }

    /**
     * Creates a new authentication session for the same realm and client as the given one.
     *
     * <p>Only the client notes, redirect URI and protocol are copied here; the authenticated
     * user, execution statuses and auth notes of the original are not transferred by this
     * method. The new session records the id of the original under {@link #FORKED_FROM}.
     *
     * @param keycloakSession session used to create the new authentication session
     * @param authenticationSessionModel the session to fork from
     * @return the newly created session
     */
    public static AuthenticationSessionModel clone(KeycloakSession keycloakSession, AuthenticationSessionModel authenticationSessionModel) {
        AuthenticationSessionManager sessionManager = new AuthenticationSessionManager(keycloakSession);
        AuthenticationSessionModel forked = sessionManager.createAuthenticationSession(authenticationSessionModel.getRealm(), authenticationSessionModel.getClient(), true);

        for (Map.Entry<String, String> note : authenticationSessionModel.getClientNotes().entrySet()) {
            forked.setClientNote(note.getKey(), note.getValue());
        }
        forked.setRedirectUri(authenticationSessionModel.getRedirectUri());
        forked.setProtocol(authenticationSessionModel.getProtocol());
        forked.setTimestamp(Time.currentTime());
        forked.setAuthNote(FORKED_FROM, authenticationSessionModel.getId());

        logger.debugf("Forked authSession %s from authSession %s", forked.getId(), authenticationSessionModel.getId());
        return forked;
    }

    /**
     * Processes a form submission (or other action) aimed at one execution of the flow.
     *
     * <p>The submitted execution id must equal the id the session recorded as its current
     * execution; a request for any other step, or one without an id, is answered with the
     * "page expired" response instead of being processed. The session code's action and
     * expiry are checked before that.
     *
     * @param str execution id taken from the request
     * @return the response produced by the execution, or the result of
     *         {@code authenticationComplete()} when the flow finished
     * @throws AuthenticationFlowException with {@code UNKNOWN_USER} when the flow finished
     *         without a user bound to the session, or from the session checks
     */
    public Response authenticationAction(String str) {
        logger.debug("authenticationAction");
        checkClientSession(true);

        String expectedExecution = authenticationSession.getAuthNote(CURRENT_AUTHENTICATION_EXECUTION);
        boolean matchesCurrentStep = str != null && str.equals(expectedExecution);
        if (!matchesCurrentStep) {
            logger.debug("Current execution does not equal executed execution.  Might be a page refresh");
            return new AuthenticationFlowURLHelper(session, realm, uriInfo).showPageExpired(authenticationSession);
        }

        validateUser(authenticationSession.getAuthenticatedUser());

        AuthenticationExecutionModel targetExecution = realm.getAuthenticationExecutionById(str);
        if (targetExecution == null) {
            // The id matched the session's note but no longer exists in the realm:
            // count it as a failure and start the flow over.
            logger.debug("Cannot find execution, reseting flow");
            logFailure();
            resetFlow();
            return authenticate();
        }

        event.client(authenticationSession.getClient().getClientId())
                .detail("redirect_uri", authenticationSession.getRedirectUri())
                .detail("auth_method", authenticationSession.getProtocol());
        String authType = authenticationSession.getAuthNote("auth_type");
        if (authType != null) {
            event.detail("auth_type", authType);
        }

        Response actionResponse = createFlowExecution(flowId, targetExecution).processAction(str);
        if (actionResponse != null) {
            return actionResponse;
        }
        // The flow reported completion; refuse to finish without an identified user.
        if (authenticationSession.getAuthenticatedUser() == null) {
            throw new AuthenticationFlowException(AuthenticationFlowError.UNKNOWN_USER);
        }
        return authenticationComplete();
    }

    /**
     * Verifies that the authentication session may still be used for login and refreshes its
     * timestamp.
     *
     * @param z when {@code true}, the session's action must also be AUTHENTICATE;
     *        {@code authenticateOnly()} passes {@code false} and skips that check
     * @throws AuthenticationFlowException with {@code INVALID_CLIENT_SESSION} when the action
     *         check fails, or {@code EXPIRED_CODE} when the login action is no longer active
     */
    private void checkClientSession(boolean z) {
        ClientSessionCode sessionCode = new ClientSessionCode(session, realm, authenticationSession);
        if (z) {
            boolean authenticateAction = sessionCode.isValidAction(CommonClientSessionModel.Action.AUTHENTICATE.name());
            if (!authenticateAction) {
                throw new AuthenticationFlowException(AuthenticationFlowError.INVALID_CLIENT_SESSION);
            }
        }
        if (!sessionCode.isActionActive(ClientSessionCode.ActionType.LOGIN)) {
            throw new AuthenticationFlowException(AuthenticationFlowError.EXPIRED_CODE);
        }
        // Only reached when the checks passed.
        authenticationSession.setTimestamp(Time.currentTime());
    }

    /**
     * Runs the flow from the start without completing authentication.
     *
     * <p>Only the expiry of the session code is checked here, not its action. Event details
     * (client id, redirect URI, protocol and, when noted, auth type) are recorded before the
     * flow runs.
     *
     * @return the response the flow wants sent, or {@code null} when the flow finished
     * @throws AuthenticationFlowException with {@code UNKNOWN_USER} when the flow finished
     *         without a user bound to the session
     */
    public Response authenticateOnly() throws AuthenticationFlowException {
        logger.debug("AUTHENTICATE ONLY");
        checkClientSession(false);

        event.client(authenticationSession.getClient().getClientId())
                .detail("redirect_uri", authenticationSession.getRedirectUri())
                .detail("auth_method", authenticationSession.getProtocol());
        String authType = authenticationSession.getAuthNote("auth_type");
        if (authType != null) {
            event.detail("auth_type", authType);
        }

        validateUser(authenticationSession.getAuthenticatedUser());

        Response flowResponse = createFlowExecution(flowId, null).processFlow();
        boolean finished = flowResponse == null;
        // A finished flow must have identified somebody.
        if (finished && authenticationSession.getAuthenticatedUser() == null) {
            throw new AuthenticationFlowException(AuthenticationFlowError.UNKNOWN_USER);
        }
        return flowResponse;
    }

    /**
     * Attaches the authentication session to a user session using this processor's state, and
     * remembers the resulting user session if the processor did not have one yet.
     *
     * @return the client session produced by the static {@code attachSession}
     */
    public AuthenticatedClientSessionModel attachSession() {
        AuthenticatedClientSessionModel clientSession = attachSession(authenticationSession, userSession, session, realm, connection, event);
        if (userSession == null) {
            userSession = clientSession.getUserSession();
        }
        return clientSession;
    }

    /**
     * Binds an authentication session to a user session and returns the attached client session.
     *
     * <p>When {@code userSessionModel} is {@code null}, a user session is looked up by the
     * authentication session id. If none exists one is created; if the one found has no user or
     * fails {@code AuthenticationManager.isSessionValid}, it is restarted for the authenticated
     * user; otherwise it is reused only if it belongs to the same user. In all three cases the
     * session state is then set to {@code LOGGED_IN}.
     *
     * <p>When a non-null {@code userSessionModel} is passed in, this method performs no
     * user-equality or validity check on it and does not change its state.
     * NOTE(review): presumably callers validate a supplied user session themselves; confirm.
     *
     * @param authenticationSessionModel authentication session whose authenticated user and auth
     *        notes (attempted username, {@code remember_me}, broker ids) are read
     * @param userSessionModel existing user session to attach to, or {@code null} to look one up
     * @param keycloakSession session used to reach the user-session provider
     * @param realmModel realm the sessions belong to
     * @param clientConnection connection whose remote address is stored on a new/restarted session
     * @param eventBuilder event that receives the user, username, session and error details
     * @return the client session produced by {@code TokenManager.attachAuthenticationSession}
     * @throws ErrorPageException when an existing valid user session belongs to a different user
     */
    public static AuthenticatedClientSessionModel attachSession(AuthenticationSessionModel authenticationSessionModel, UserSessionModel userSessionModel, KeycloakSession keycloakSession, RealmModel realmModel, ClientConnection clientConnection, EventBuilder eventBuilder) {
        final String accountUsername = authenticationSessionModel.getAuthenticatedUser().getUsername();
        final String attemptedUsername = authenticationSessionModel.getAuthNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME);
        // The attempted username, when recorded, takes precedence over the account's username for
        // the login-username field and the "username" event detail.
        final String username = attemptedUsername != null ? attemptedUsername : accountUsername;

        final String rememberMeNote = authenticationSessionModel.getAuthNote("remember_me");
        final boolean rememberMe = rememberMeNote != null && rememberMeNote.equalsIgnoreCase(SamlProtocol.ATTRIBUTE_TRUE_VALUE);
        final String brokerSessionId = authenticationSessionModel.getAuthNote(BROKER_SESSION_ID);
        final String brokerUserId = authenticationSessionModel.getAuthNote(BROKER_USER_ID);

        UserSessionModel userSession = userSessionModel;
        if (userSession == null) {
            userSession = keycloakSession.sessions().getUserSession(realmModel, authenticationSessionModel.getId());
            if (userSession == null) {
                userSession = keycloakSession.sessions().createUserSession(authenticationSessionModel.getId(), realmModel, authenticationSessionModel.getAuthenticatedUser(), username, clientConnection.getRemoteAddr(), authenticationSessionModel.getProtocol(), rememberMe, brokerSessionId, brokerUserId);
            } else if (userSession.getUser() == null || !AuthenticationManager.isSessionValid(realmModel, userSession)) {
                // Found session is unusable as-is: re-initialise it for the authenticated user.
                userSession.restartSession(realmModel, authenticationSessionModel.getAuthenticatedUser(), username, clientConnection.getRemoteAddr(), authenticationSessionModel.getProtocol(), rememberMe, brokerSessionId, brokerUserId);
            } else {
                logger.debugf("No SSO login, but found existing userSession with ID '%s' after finished authentication.", userSession.getId());
                // Refuse to attach one user's login to a still-valid session owned by another user.
                if (!authenticationSessionModel.getAuthenticatedUser().equals(userSession.getUser())) {
                    eventBuilder.detail("previous_user", userSession.getUser().getId());
                    eventBuilder.error("different_user_authenticated");
                    throw new ErrorPageException(keycloakSession, authenticationSessionModel, Messages.DIFFERENT_USER_AUTHENTICATED, userSession.getUser().getUsername());
                }
            }
            userSession.setState(UserSessionModel.State.LOGGED_IN);
        }

        if (rememberMe) {
            eventBuilder.detail("remember_me", SamlProtocol.ATTRIBUTE_TRUE_VALUE);
        }
        final AuthenticatedClientSessionModel clientSession = TokenManager.attachAuthenticationSession(keycloakSession, userSession, authenticationSessionModel);
        eventBuilder.user(userSession.getUser()).detail("username", username).session(userSession);
        return clientSession;
    }

    /**
     * Delegates to {@code AuthenticationManager.evaluateRequiredActionTriggers} for the user
     * currently authenticated on the authentication session.
     */
    public void evaluateRequiredActionTriggers() {
        AuthenticationManager.evaluateRequiredActionTriggers(
                this.session,
                this.authenticationSession,
                this.connection,
                this.request,
                this.uriInfo,
                this.event,
                this.realm,
                this.authenticationSession.getAuthenticatedUser());
    }

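    /**
     * Marks the login event as successful, attaches the authentication session to a user session
     * and redirects according to the given login protocol.
     *
     * @param loginProtocol protocol handed to
     *        {@code AuthenticationManager.redirectAfterSuccessfulFlow}
     * @return the response returned by {@code AuthenticationManager.redirectAfterSuccessfulFlow}
     */
    public Response finishAuthentication(LoginProtocol loginProtocol) {
        this.event.success();
        final RealmModel sessionRealm = this.authenticationSession.getRealm();
        // attachSession() may populate this.userSession when it was null. Java evaluates call
        // arguments left to right, so it must run BEFORE this.userSession is read; calling it
        // inline as a later argument would pass the stale (possibly null) user session.
        final AuthenticatedClientSessionModel clientSession = attachSession();
        return AuthenticationManager.redirectAfterSuccessfulFlow(this.session, sessionRealm, this.userSession, clientSession, this.request, this.uriInfo, this.connection, this.event, loginProtocol);
    }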

    /**
     * Checks whether the given user may continue through the flow.
     *
     * <p>A {@code null} user is accepted silently. A disabled user is rejected. A user that brute
     * force protection reports as temporarily disabled (realm protected, lockout not permanent) is
     * only recorded: the event is marked with {@code reset_credential_disabled} and the condition
     * is logged, but no exception is thrown from this method.
     * NOTE(review): the temporary-lockout branch does not block the flow here; confirm that the
     * lockout is enforced elsewhere (e.g. by the individual authenticators) for every flow that
     * relies on this check.
     *
     * @param userModel user to validate, may be {@code null}
     * @throws AuthenticationFlowException with {@code USER_DISABLED} when the user is not enabled
     */
    public void validateUser(UserModel userModel) {
        if (userModel != null) {
            if (!userModel.isEnabled()) {
                throw new AuthenticationFlowException(AuthenticationFlowError.USER_DISABLED);
            }
            if (this.realm.isBruteForceProtected() && !this.realm.isPermanentLockout()) {
                if (getBruteForceProtector().isTemporarilyDisabled(this.session, this.realm, userModel)) {
                    // Recorded and logged only; the exception object is built for the log call, not thrown.
                    getEvent().error("reset_credential_disabled");
                    ServicesLogger.LOGGER.passwordResetFailed(new AuthenticationFlowException(AuthenticationFlowError.USER_TEMPORARILY_DISABLED));
                }
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Finalises a completed authentication: sets roles and mappers on the authentication session,
     * then either redirects to the next pending required action or, when none is pending, logs
     * success and hands over to {@code AuthenticationManager.finishedRequiredActions}.
     *
     * @return the redirect to the required action, or the response of
     *         {@code AuthenticationManager.finishedRequiredActions}
     */
    public Response authenticationComplete() {
        AuthenticationManager.setRolesAndMappersInSession(this.authenticationSession);
        final String pendingAction = nextRequiredAction();
        if (pendingAction == null) {
            this.event.detail("code_id", this.authenticationSession.getId());
            logSuccess();
            return AuthenticationManager.finishedRequiredActions(this.session, this.authenticationSession, this.userSession, this.connection, this.request, this.uriInfo, this.event);
        }
        // A required action is still outstanding; the login is not finished until it is handled.
        return AuthenticationManager.redirectToRequiredActions(this.session, this.realm, this.authenticationSession, this.uriInfo, pendingAction);
    }

    /**
     * Asks {@code AuthenticationManager.nextRequiredAction} which required action, if any, is next
     * for the current authentication session.
     *
     * @return the value returned by {@code AuthenticationManager.nextRequiredAction}; callers in
     *         this class treat {@code null} as "no action pending"
     */
    public String nextRequiredAction() {
        final String pendingAction = AuthenticationManager.nextRequiredAction(
                this.session,
                this.authenticationSession,
                this.connection,
                this.request,
                this.uriInfo,
                this.event);
        return pendingAction;
    }

    /**
     * Creates the {@code Result} context object handed to a user-facing authenticator.
     *
     * @param authenticationExecutionModel execution the authenticator is running for
     * @param authenticator authenticator that will receive the context
     * @param list executions passed through to the {@code Result} constructor
     * @return a new {@code Result} built from the three arguments
     */
    public Result createAuthenticatorContext(AuthenticationExecutionModel authenticationExecutionModel, Authenticator authenticator, List<AuthenticationExecutionModel> list) {
        final Result context = new Result(authenticationExecutionModel, authenticator, list);
        return context;
    }

    /**
     * Creates the {@code Result} context object handed to a client authenticator.
     *
     * @param authenticationExecutionModel execution the client authenticator is running for
     * @param clientAuthenticator client authenticator that will receive the context
     * @param list executions passed through to the {@code Result} constructor
     * @return a new {@code Result} built from the three arguments
     */
    public Result createClientAuthenticatorContext(AuthenticationExecutionModel authenticationExecutionModel, ClientAuthenticator clientAuthenticator, List<AuthenticationExecutionModel> list) {
        final Result context = new Result(authenticationExecutionModel, clientAuthenticator, list);
        return context;
    }
}
