package org.keycloak.authentication.actiontoken.idpverifyemail;

import java.util.Collections;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import org.keycloak.TokenVerifier;
import org.keycloak.authentication.AuthenticationProcessor;
import org.keycloak.authentication.actiontoken.AbstractActionTokenHander;
import org.keycloak.authentication.actiontoken.ActionTokenContext;
import org.keycloak.authentication.actiontoken.TokenUtils;
import org.keycloak.authentication.authenticators.broker.IdpEmailVerificationAuthenticator;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.services.Urls;
import org.keycloak.services.managers.AuthenticationSessionManager;
import org.keycloak.services.messages.Messages;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.sessions.AuthenticationSessionProvider;

/* loaded from: input_file:org/keycloak/authentication/actiontoken/idpverifyemail/IdpVerifyAccountLinkActionTokenHandler.class */
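/**
 * Action-token handler for {@link IdpVerifyAccountLinkActionToken}, the token used to confirm
 * that an identity-provider (brokered) login may be linked to an existing account.
 *
 * <p>Handling is two-step when the link is opened without the original authentication session
 * (a "fresh" session): the first request only renders a confirmation page carrying a re-issued
 * token, and the account is touched on the second request.
 *
 * <p>Security-relevant points visible in this class:
 * <ul>
 *   <li>{@link #getVerifiers} contributes no checks of its own, so every guarantee about the
 *       token (signature, expiry, binding to a session or user) must come from code outside
 *       this class.</li>
 *   <li>{@link #handleToken} marks the authenticated user's e-mail as verified and records the
 *       IdP username as an auth note; both rely solely on that external validation.</li>
 * </ul>
 */
public class IdpVerifyAccountLinkActionTokenHandler extends AbstractActionTokenHander<IdpVerifyAccountLinkActionToken> {

    /**
     * Registers the handler with its token type and class plus three defaults passed to the
     * superclass. NOTE(review): presumably these are the default error message, event type and
     * event error, in that order; the superclass constructor is not shown here.
     */
    public IdpVerifyAccountLinkActionTokenHandler() {
        super(
                IdpVerifyAccountLinkActionToken.TOKEN_TYPE,
                IdpVerifyAccountLinkActionToken.class,
                Messages.STALE_CODE,
                EventType.IDENTITY_PROVIDER_LINK_ACCOUNT,
                "invalid_token");
    }

    /**
     * Returns the handler-specific token checks, of which there are none: an empty predicate
     * array is handed to {@link TokenUtils#predicates}.
     *
     * <p>NOTE(review): nothing in this class compares the token's IdP alias, IdP username or
     * e-mail with the authenticated user or the authentication session. Confirm that the caller
     * of this method enforces whatever binding the flow requires before {@link #handleToken}
     * runs.
     *
     * @param actionTokenContext context of the current action-token request (unused here)
     * @return the predicates produced from an empty input array
     */
    @Override
    public TokenVerifier.Predicate<? super IdpVerifyAccountLinkActionToken>[] getVerifiers(ActionTokenContext<IdpVerifyAccountLinkActionToken> actionTokenContext) {
        return TokenUtils.predicates(new TokenVerifier.Predicate[0]);
    }

    /**
     * Processes an account-link confirmation token.
     *
     * <p>javac generates the erased bridge overload
     * {@code handleToken(JsonWebToken, ActionTokenContext)} for this method, so it is not
     * declared by hand.
     *
     * @param idpVerifyAccountLinkActionToken the token being handled; mutated and re-serialized
     *        in the fresh-session case
     * @param actionTokenContext request context supplying session, realm, event and URI info
     * @return a confirmation page (fresh session), the resumed broker flow (same session), or a
     *         "link success" info page (after a confirmation round-trip)
     */
    @Override
    public Response handleToken(IdpVerifyAccountLinkActionToken idpVerifyAccountLinkActionToken, ActionTokenContext<IdpVerifyAccountLinkActionToken> actionTokenContext) {
        AuthenticationSessionModel authenticationSession = actionTokenContext.getAuthenticationSession();
        UserModel authenticatedUser = authenticationSession.getAuthenticatedUser();
        EventBuilder event = actionTokenContext.getEvent();
        UriInfo uriInfo = actionTokenContext.getUriInfo();
        RealmModel realm = actionTokenContext.getRealm();
        KeycloakSession session = actionTokenContext.getSession();

        String idpAlias = idpVerifyAccountLinkActionToken.getIdentityProviderAlias();
        String idpUsername = idpVerifyAccountLinkActionToken.getIdentityProviderUsername();

        // NOTE(review): the success event is recorded before the fresh-session check below, so
        // it is also emitted when this request only renders the confirmation page. Anyone
        // alerting on IDENTITY_PROVIDER_LINK_ACCOUNT should expect it ahead of (and possibly
        // without) the actual confirmation.
        event.event(EventType.IDENTITY_PROVIDER_LINK_ACCOUNT)
                .detail("email", authenticatedUser.getEmail())
                .detail("identity_provider", idpAlias)
                .detail("identity_provider_identity", idpUsername)
                .success();

        if (actionTokenContext.isAuthenticationSessionFresh()) {
            // Step 1 of the round-trip: remember the session the token was issued for, rebind
            // the token to the current session, and ask the user to confirm via a link that
            // carries the re-serialized token. No account state is changed on this path.
            idpVerifyAccountLinkActionToken.setOriginalAuthenticationSessionId(idpVerifyAccountLinkActionToken.getAuthenticationSessionId());
            idpVerifyAccountLinkActionToken.setAuthenticationSessionId(authenticationSession.getId());
            String confirmUri = Urls.actionTokenBuilder(uriInfo.getBaseUri(), idpVerifyAccountLinkActionToken.serialize(session, realm, uriInfo))
                    .build(new Object[]{realm.getName()})
                    .toString();
            return session.getProvider(LoginFormsProvider.class)
                    .setAuthenticationSession(authenticationSession)
                    .setSuccess(Messages.CONFIRM_ACCOUNT_LINKING, new Object[]{idpUsername, idpAlias})
                    .setAttribute("actionUri", confirmUri)
                    .createInfoPage();
        }

        // From here on the token is acted upon: the e-mail is trusted because the token reached
        // this point, not because of any check made in this method.
        authenticatedUser.setEmailVerified(true);

        String originalSessionId = idpVerifyAccountLinkActionToken.getOriginalAuthenticationSessionId();
        if (originalSessionId == null) {
            // Token used in the session it was issued for: note the verified IdP username and
            // resume the broker flow at the path stored in the session.
            authenticationSession.setAuthNote(IdpEmailVerificationAuthenticator.VERIFY_ACCOUNT_IDP_USERNAME, idpUsername);
            return actionTokenContext.brokerFlow(null, authenticationSession.getAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH));
        }

        // Step 2 of the round-trip: the interim session has served its purpose; drop it and
        // deliver the note to the session the token was originally issued for.
        new AuthenticationSessionManager(session).removeAuthenticationSession(realm, authenticationSession, true);
        AuthenticationSessionProvider authenticationSessions = session.authenticationSessions();
        AuthenticationSessionModel originalSession = authenticationSessions.getAuthenticationSession(realm, originalSessionId);
        if (originalSession != null) {
            originalSession.setAuthNote(IdpEmailVerificationAuthenticator.VERIFY_ACCOUNT_IDP_USERNAME, idpUsername);
        } else {
            // Fix: target the original session id, matching the local branch above. The previous
            // argument, getAuthenticationSessionId(), was rebound in step 1 to the interim
            // session, so the note would not have reached the session that is waiting for it.
            authenticationSessions.updateNonlocalSessionAuthNotes(
                    originalSessionId,
                    Collections.singletonMap(IdpEmailVerificationAuthenticator.VERIFY_ACCOUNT_IDP_USERNAME, idpUsername));
        }

        // originalSession may be null here (non-local case); it is passed through unchanged.
        return session.getProvider(LoginFormsProvider.class)
                .setAuthenticationSession(originalSession)
                .setSuccess(Messages.IDENTITY_PROVIDER_LINK_SUCCESS, new Object[]{idpAlias, idpUsername})
                .setAttribute("skipLink", true)
                .createInfoPage();
    }
}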
