package org.keycloak.services.managers;

import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.UriInfo;
import org.jboss.logging.Logger;
import org.keycloak.ClientConnection;
import org.keycloak.RSATokenVerifier;
import org.keycloak.VerificationException;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RequiredCredentialModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.resources.RealmsResource;
import org.keycloak.services.util.CookieHelper;
import org.keycloak.util.Time;
import org.picketlink.idm.model.basic.Group;

/* loaded from: input_file:WEB-INF/lib/keycloak-services-1.0-final.jar:org/keycloak/services/managers/AuthenticationManager.class */
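/**
 * Authenticates users of a realm and manages the browser cookies behind SSO.
 *
 * <p>Two entry points exist: {@link #authenticateIdentityCookie} validates the RSA-signed
 * {@link AccessToken} carried in the {@value #KEYCLOAK_IDENTITY_COOKIE} cookie, and
 * {@link #authenticateForm} validates a submitted login form (password / password-token /
 * TOTP, or a shared secret), reporting the outcome to the {@link BruteForceProtector}
 * when the realm has brute-force protection enabled.
 *
 * <p>Every cookie is scoped to the realm's base path (see {@link #getRealmCookiePath}).
 * A cookie that fails verification is expired immediately so a stale token is not
 * presented again; an invalid session found during verification is logged out.
 *
 * <p>This listing was recovered from a decompiled jar: parameter names such as {@code z}
 * and {@code str} are decompiler placeholders, kept for signature stability; their meaning
 * is documented on each method.
 */
public class AuthenticationManager {
    protected static Logger logger = Logger.getLogger((Class<?>) AuthenticationManager.class);

    /** Login-form field holding the username (or e-mail; see {@link #authenticateInternal}). */
    public static final String FORM_USERNAME = "username";
    /** Cookie carrying the RSA-signed identity token; created with the httpOnly flag set. */
    public static final String KEYCLOAK_IDENTITY_COOKIE = "KEYCLOAK_IDENTITY";
    /** Cookie carrying {@code realm/userId[/sessionId]}; created without the httpOnly flag. */
    public static final String KEYCLOAK_SESSION_COOKIE = "KEYCLOAK_SESSION";
    /** Marker cookie for a "remember me" login. */
    public static final String KEYCLOAK_REMEMBER_ME = "KEYCLOAK_REMEMBER_ME";

    /**
     * Consulted only when {@code RealmModel.isBruteForceProtected()} is true. When it is
     * null and the realm is protected, {@link #authenticateForm} fails with a
     * {@link NullPointerException} rather than silently skipping protection.
     */
    protected BruteForceProtector protector;

    /**
     * Outcome of a successful cookie authentication: the user, the validated user session
     * and the verified token. Kept as a (non-static) inner class so existing callers that
     * construct it keep working.
     */
    public class AuthResult {
        private final UserModel user;
        private final UserSessionModel session;
        private final AccessToken token;

        /**
         * @param userModel        the authenticated user
         * @param userSessionModel the session the token belongs to (already validated)
         * @param accessToken      the verified identity token
         */
        public AuthResult(UserModel userModel, UserSessionModel userSessionModel, AccessToken accessToken) {
            this.user = userModel;
            this.session = userSessionModel;
            this.token = accessToken;
        }

        /** @return the validated user session */
        public UserSessionModel getSession() {
            return this.session;
        }

        /** @return the authenticated user */
        public UserModel getUser() {
            return this.user;
        }

        /** @return the verified identity token */
        public AccessToken getToken() {
            return this.token;
        }
    }

    /** Result of a form login; see {@link #authenticateForm} for how each value feeds brute-force protection. */
    public enum AuthenticationStatus {
        /** Credentials valid and no required actions pending. */
        SUCCESS,
        /** Brute-force protector has the account temporarily locked. */
        ACCOUNT_TEMPORARILY_DISABLED,
        /** User exists but is disabled. */
        ACCOUNT_DISABLED,
        /** Credentials valid but the user has required actions to complete. */
        ACTIONS_REQUIRED,
        /** Username missing or no matching user. */
        INVALID_USER,
        /** Supplied credentials did not validate. */
        INVALID_CREDENTIALS,
        /** Neither password nor password-token (or secret) was supplied. */
        MISSING_PASSWORD,
        /** Password valid but the user has TOTP configured and none was supplied. */
        MISSING_TOTP,
        /** Realm requires a credential type this manager cannot handle. */
        FAILED
    }

    /** Creates a manager without a brute-force protector (see {@link #protector}). */
    public AuthenticationManager() {
    }

    /**
     * Creates a manager that reports form-login outcomes to the given protector.
     *
     * @param bruteForceProtector protector used for brute-force protected realms
     */
    public AuthenticationManager(BruteForceProtector bruteForceProtector) {
        this.protector = bruteForceProtector;
    }

    /**
     * Checks that a user session is within both the realm's SSO idle timeout and its
     * maximum lifespan. Timestamps are the int values of {@link Time#currentTime()}
     * (presumably seconds; the sums are plain int additions).
     *
     * @param realmModel       realm whose timeouts apply
     * @param userSessionModel session to check; {@code null} is reported as invalid
     * @return {@code true} if the session exists and neither bound has been passed
     */
    public static boolean isSessionValid(RealmModel realmModel, UserSessionModel userSessionModel) {
        if (userSessionModel == null) {
            logger.debug("No user session");
            return false;
        }
        int now = Time.currentTime();
        boolean withinIdleTimeout = userSessionModel.getLastSessionRefresh() + realmModel.getSsoSessionIdleTimeout() > now;
        // Short-circuit mirrors the original: the lifespan bound is only evaluated when the idle bound holds.
        return withinIdleTimeout && userSessionModel.getStarted() + realmModel.getSsoSessionMaxLifespan() > now;
    }

    /**
     * Terminates a user session: removes it from the session store, expires the identity,
     * session and remember-me cookies for the realm, and notifies the realm's applications
     * via {@link ResourceAdminManager#logoutUser}. A {@code null} session is a no-op.
     *
     * @param keycloakSession  current Keycloak session (provides the session store)
     * @param realmModel       realm the session belongs to
     * @param userSessionModel session to terminate; may be {@code null}
     * @param uriInfo          request URI info, used for the cookie path and the admin callback
     * @param clientConnection client connection, used to decide whether cookies are secure-only
     */
    public static void logout(KeycloakSession keycloakSession, RealmModel realmModel, UserSessionModel userSessionModel, UriInfo uriInfo, ClientConnection clientConnection) {
        if (userSessionModel == null) {
            return;
        }
        UserModel user = userSessionModel.getUser();
        logger.debugv("Logging out: {0} ({1})", user.getUsername(), userSessionModel.getId());
        keycloakSession.sessions().removeUserSession(realmModel, userSessionModel);
        expireIdentityCookie(realmModel, uriInfo, clientConnection);
        expireRememberMeCookie(realmModel, uriInfo, clientConnection);
        new ResourceAdminManager().logoutUser(uriInfo.getRequestUri(), realmModel, user.getId(), userSessionModel.getId());
    }

    /**
     * Builds the (unsigned) identity token for a user: fresh id, issued-now, subject = user id,
     * audience = realm name. The session state is set only when a session is given, and an
     * expiration is set only when the realm's SSO idle timeout is positive.
     *
     * @param realmModel       realm issuing the token
     * @param userModel        token subject
     * @param userSessionModel session to bind the token to; may be {@code null}
     * @return the populated token (not yet signed; see {@link #encodeToken})
     */
    public AccessToken createIdentityToken(RealmModel realmModel, UserModel userModel, UserSessionModel userSessionModel) {
        AccessToken token = new AccessToken();
        token.id(KeycloakModelUtils.generateId());
        token.issuedNow();
        token.subject(userModel.getId());
        token.audience(realmModel.getName());
        if (userSessionModel != null) {
            token.setSessionState(userSessionModel.getId());
        }
        int idleTimeout = realmModel.getSsoSessionIdleTimeout();
        if (idleTimeout > 0) {
            token.expiration(Time.currentTime() + idleTimeout);
        }
        return token;
    }

    /**
     * Sets the identity and session cookies for a freshly authenticated user.
     *
     * <p>The identity cookie holds the signed token and is a browser-session cookie
     * (max-age -1) unless the session is "remember me", in which case its max-age is the
     * realm's SSO idle timeout. The session cookie holds {@code realm/userId[/sessionId]}
     * and lives for the realm's SSO max lifespan. Both are marked secure when the realm's
     * SSL policy requires it for this connection; only the identity cookie is httpOnly.
     *
     * @param realmModel       realm the user logged in to
     * @param userModel        authenticated user
     * @param userSessionModel the new user session; tolerated as {@code null} (no session
     *                         state in the token or the session cookie, never remember-me)
     * @param uriInfo          request URI info, used for the cookie path
     * @param clientConnection client connection, used for the secure flag
     */
    public void createLoginCookie(RealmModel realmModel, UserModel userModel, UserSessionModel userSessionModel, UriInfo uriInfo, ClientConnection clientConnection) {
        String cookiePath = getIdentityCookiePath(realmModel, uriInfo);
        String signedToken = encodeToken(realmModel, createIdentityToken(realmModel, userModel, userSessionModel));
        boolean secure = realmModel.getSslRequired().isRequired(clientConnection);
        // Guard the dereference: the session-cookie branch below already tolerates a null session.
        boolean rememberMe = userSessionModel != null && userSessionModel.isRememberMe();
        int maxAge = rememberMe ? realmModel.getSsoSessionIdleTimeout() : -1;
        logger.debugv("Create login cookie - name: {0}, path: {1}, max-age: {2}", KEYCLOAK_IDENTITY_COOKIE, cookiePath, maxAge);
        CookieHelper.addCookie(KEYCLOAK_IDENTITY_COOKIE, signedToken, cookiePath, null, null, maxAge, secure, true);
        // Separator constant comes from picketlink's Group as in the original build.
        String sessionCookieValue = realmModel.getName() + Group.PATH_SEPARATOR + userModel.getId();
        if (userSessionModel != null) {
            sessionCookieValue = sessionCookieValue + Group.PATH_SEPARATOR + userSessionModel.getId();
        }
        CookieHelper.addCookie(KEYCLOAK_SESSION_COOKIE, sessionCookieValue, cookiePath, null, null, realmModel.getSsoSessionMaxLifespan(), secure, false);
    }

    /**
     * Sets the remember-me marker cookie (value {@code "true"}, httpOnly) with the realm's
     * SSO idle timeout as max-age.
     *
     * @param realmModel       realm the cookie is scoped to
     * @param uriInfo          request URI info, used for the cookie path
     * @param clientConnection client connection, used for the secure flag
     */
    public void createRememberMeCookie(RealmModel realmModel, UriInfo uriInfo, ClientConnection clientConnection) {
        String cookiePath = getIdentityCookiePath(realmModel, uriInfo);
        boolean secure = realmModel.getSslRequired().isRequired(clientConnection);
        CookieHelper.addCookie(KEYCLOAK_REMEMBER_ME, "true", cookiePath, null, null, realmModel.getSsoSessionIdleTimeout(), secure, true);
    }

    /**
     * Serialises {@code obj} as JSON and signs it as a JWS with RS256 using the realm's
     * private key.
     *
     * @param realmModel realm whose private key signs the token
     * @param obj        payload (normally an {@link AccessToken})
     * @return the compact signed token string
     */
    protected String encodeToken(RealmModel realmModel, Object obj) {
        return new JWSBuilder().jsonContent(obj).rsa256(realmModel.getPrivateKey());
    }

    /**
     * Expires the identity cookie, the session cookie and the remember-me cookie for the realm.
     *
     * @param realmModel       realm the cookies are scoped to
     * @param uriInfo          request URI info, used for the cookie path
     * @param clientConnection client connection, used for the secure flag
     */
    public static void expireIdentityCookie(RealmModel realmModel, UriInfo uriInfo, ClientConnection clientConnection) {
        logger.debug("Expiring identity cookie");
        String cookiePath = getIdentityCookiePath(realmModel, uriInfo);
        // httpOnly flags mirror how createLoginCookie sets each cookie.
        expireCookie(realmModel, KEYCLOAK_IDENTITY_COOKIE, cookiePath, true, clientConnection);
        expireCookie(realmModel, KEYCLOAK_SESSION_COOKIE, cookiePath, false, clientConnection);
        expireRememberMeCookie(realmModel, uriInfo, clientConnection);
    }

    /**
     * Expires the remember-me marker cookie for the realm.
     *
     * @param realmModel       realm the cookie is scoped to
     * @param uriInfo          request URI info, used for the cookie path
     * @param clientConnection client connection, used for the secure flag
     */
    public static void expireRememberMeCookie(RealmModel realmModel, UriInfo uriInfo, ClientConnection clientConnection) {
        logger.debug("Expiring remember me cookie");
        expireCookie(realmModel, KEYCLOAK_REMEMBER_ME, getIdentityCookiePath(realmModel, uriInfo), true, clientConnection);
    }

    /**
     * Path the identity, session and remember-me cookies are scoped to; currently the realm
     * cookie path.
     *
     * @param realmModel realm the cookies belong to
     * @param uriInfo    request URI info used to build the realm base URL
     * @return raw cookie path
     */
    protected static String getIdentityCookiePath(RealmModel realmModel, UriInfo uriInfo) {
        return getRealmCookiePath(realmModel, uriInfo);
    }

    /**
     * Raw path of the realm's base URL, used to scope cookies to a single realm.
     *
     * @param realmModel realm whose name fills the base URL template
     * @param uriInfo    request URI info used to build the realm base URL
     * @return the raw path component of the realm base URL
     */
    public static String getRealmCookiePath(RealmModel realmModel, UriInfo uriInfo) {
        return RealmsResource.realmBaseUrl(uriInfo).build(realmModel.getName()).getRawPath();
    }

    /**
     * Expires a cookie by re-setting it with an empty value and max-age 0.
     *
     * @param realmModel       realm whose SSL policy decides the secure flag
     * @param str              cookie name
     * @param str2             cookie path
     * @param z                httpOnly flag, forwarded as the last argument of
     *                         {@link CookieHelper#addCookie}
     * @param clientConnection client connection, used for the secure flag
     */
    public static void expireCookie(RealmModel realmModel, String str, String str2, boolean z, ClientConnection clientConnection) {
        logger.debugv("Expiring cookie: {0} path: {1}", str, str2);
        boolean secure = realmModel.getSslRequired().isRequired(clientConnection);
        CookieHelper.addCookie(str, "", str2, null, "Expiring cookie", 0, secure, z);
    }

    /**
     * Authenticates the request from its identity cookie, enforcing token activity
     * (equivalent to {@link #authenticateIdentityCookie(KeycloakSession, RealmModel, UriInfo, ClientConnection, HttpHeaders, boolean)}
     * with {@code true}).
     *
     * @return the authentication result, or {@code null} if there is no valid identity cookie
     */
    public AuthResult authenticateIdentityCookie(KeycloakSession keycloakSession, RealmModel realmModel, UriInfo uriInfo, ClientConnection clientConnection, HttpHeaders httpHeaders) {
        return authenticateIdentityCookie(keycloakSession, realmModel, uriInfo, clientConnection, httpHeaders, true);
    }

    /**
     * Authenticates the request from its {@value #KEYCLOAK_IDENTITY_COOKIE} cookie.
     *
     * <p>A missing or empty cookie yields {@code null} without side effects. A cookie that
     * fails {@link #verifyIdentityToken} is expired (together with the session and
     * remember-me cookies) and {@code null} is returned. On success the user session's
     * last-refresh time is bumped to now, which extends the SSO idle window.
     *
     * @param keycloakSession  current Keycloak session
     * @param realmModel       realm whose key verifies the token
     * @param uriInfo          request URI info, used for cookie paths on expiry/logout
     * @param clientConnection client connection, used for the secure flag on expiry/logout
     * @param httpHeaders      request headers carrying the cookies
     * @param z                whether to enforce token activity (see {@link #verifyIdentityToken})
     * @return the authentication result, or {@code null} if there is no valid identity cookie
     */
    public AuthResult authenticateIdentityCookie(KeycloakSession keycloakSession, RealmModel realmModel, UriInfo uriInfo, ClientConnection clientConnection, HttpHeaders httpHeaders, boolean z) {
        Cookie identityCookie = httpHeaders.getCookies().get(KEYCLOAK_IDENTITY_COOKIE);
        if (identityCookie == null || "".equals(identityCookie.getValue())) {
            logger.debugv("Could not find cookie: {0}", KEYCLOAK_IDENTITY_COOKIE);
            return null;
        }
        AuthResult result = verifyIdentityToken(keycloakSession, realmModel, uriInfo, clientConnection, z, identityCookie.getValue());
        if (result == null) {
            // Fail closed: drop the bad cookie so the browser stops presenting it.
            expireIdentityCookie(realmModel, uriInfo, clientConnection);
            return null;
        }
        // getSession() is non-null here: verifyIdentityToken only returns a result for a valid session.
        result.getSession().setLastSessionRefresh(Time.currentTime());
        return result;
    }

    /**
     * Verifies a signed identity token and resolves it to a user and a live session.
     *
     * <p>Rejected (returns {@code null}) when: the signature/audience check fails
     * ({@link VerificationException}); {@code z} is set and the token is inactive or was
     * issued before the realm's not-before time; the subject is unknown or disabled; or the
     * session is missing/expired — in that last case an existing-but-invalid session is
     * logged out via {@link #logout}. Reasons are logged at debug level only.
     *
     * <p>The decompiler reports the original access modifier as {@code protected}.
     *
     * @param keycloakSession  current Keycloak session
     * @param realmModel       realm whose public key verifies the token
     * @param uriInfo          request URI info, passed to {@link #logout}
     * @param clientConnection client connection, passed to {@link #logout}
     * @param z                enforce token activity (expiry and realm not-before)
     * @param str              the compact signed token string
     * @return the authentication result, or {@code null} if the token is not acceptable
     */
    public AuthResult verifyIdentityToken(KeycloakSession keycloakSession, RealmModel realmModel, UriInfo uriInfo, ClientConnection clientConnection, boolean z, String str) {
        try {
            AccessToken token = RSATokenVerifier.verifyToken(str, realmModel.getPublicKey(), realmModel.getName(), z);
            if (z) {
                if (!token.isActive() || token.getIssuedAt() < realmModel.getNotBefore()) {
                    logger.debug("identity cookie expired");
                    return null;
                }
                // Reached only for an active token; the original message said "not active" here.
                logger.debugv("token active - active: {0}, issued-at: {1}, not-before: {2}", token.isActive(), token.getIssuedAt(), realmModel.getNotBefore());
            }
            UserModel user = keycloakSession.users().getUserById(token.getSubject(), realmModel);
            if (user == null || !user.isEnabled()) {
                logger.debug("Unknown user in identity token");
                return null;
            }
            UserSessionModel userSession = keycloakSession.sessions().getUserSession(realmModel, token.getSessionState());
            if (isSessionValid(realmModel, userSession)) {
                return new AuthResult(user, userSession, token);
            }
            if (userSession != null) {
                // Expired but still stored: clean it up and its cookies.
                logout(keycloakSession, realmModel, userSession, uriInfo, clientConnection);
            }
            logger.debug("User session not active");
            return null;
        } catch (VerificationException e) {
            logger.debug("Failed to verify identity token", e);
            return null;
        }
    }

    /**
     * Authenticates a submitted login form.
     *
     * <p>Order of checks: a missing username is {@link AuthenticationStatus#INVALID_USER}
     * without consulting the protector; for brute-force protected realms a temporarily
     * disabled account is rejected before any credential is validated; otherwise the
     * result of {@link #authenticateInternal} is returned and, for protected realms,
     * reported to the protector (success, failed/missing/invalid credentials, or
     * invalid user). {@link AuthenticationStatus#ACCOUNT_DISABLED} and
     * {@link AuthenticationStatus#ACTIONS_REQUIRED} are not reported.
     *
     * @param keycloakSession  current Keycloak session
     * @param clientConnection client connection, passed to the protector
     * @param realmModel       realm to authenticate against
     * @param multivaluedMap   submitted form fields
     * @return the authentication status
     * @throws NullPointerException if the realm is brute-force protected and no protector was set
     */
    public AuthenticationStatus authenticateForm(KeycloakSession keycloakSession, ClientConnection clientConnection, RealmModel realmModel, MultivaluedMap<String, String> multivaluedMap) {
        String username = multivaluedMap.getFirst(FORM_USERNAME);
        if (username == null) {
            logger.debug("Username not provided");
            return AuthenticationStatus.INVALID_USER;
        }
        boolean bruteForceProtected = realmModel.isBruteForceProtected();
        if (bruteForceProtected && this.protector.isTemporarilyDisabled(keycloakSession, realmModel, username)) {
            return AuthenticationStatus.ACCOUNT_TEMPORARILY_DISABLED;
        }
        AuthenticationStatus status = authenticateInternal(keycloakSession, realmModel, multivaluedMap, username);
        if (bruteForceProtected) {
            switch (status) {
                case SUCCESS:
                    this.protector.successfulLogin(realmModel, username, clientConnection);
                    break;
                case FAILED:
                case MISSING_TOTP:
                case MISSING_PASSWORD:
                case INVALID_CREDENTIALS:
                    this.protector.failedLogin(realmModel, username, clientConnection);
                    break;
                case INVALID_USER:
                    this.protector.invalidUser(realmModel, username, clientConnection);
                    break;
                default:
                    // ACCOUNT_DISABLED, ACCOUNT_TEMPORARILY_DISABLED, ACTIONS_REQUIRED: not reported.
                    break;
            }
        }
        return status;
    }

    /**
     * Validates the form credentials for the user identified by {@code str}.
     *
     * <p>The user is looked up by username or e-mail. The realm's required credential
     * types select the flow: {@code "password"} (password or password-token, plus TOTP
     * when the user has it configured) takes precedence over {@code "secret"}; a realm
     * requiring neither yields {@link AuthenticationStatus#FAILED}.
     *
     * @param keycloakSession current Keycloak session
     * @param realmModel      realm to authenticate against
     * @param multivaluedMap  submitted form fields
     * @param str             username or e-mail from the form
     * @return the authentication status
     */
    protected AuthenticationStatus authenticateInternal(KeycloakSession keycloakSession, RealmModel realmModel, MultivaluedMap<String, String> multivaluedMap, String str) {
        UserModel user = KeycloakModelUtils.findUserByNameOrEmail(keycloakSession, realmModel, str);
        if (user == null) {
            logger.debugv("User {0} not found", str);
            return AuthenticationStatus.INVALID_USER;
        }
        if (!user.isEnabled()) {
            return AuthenticationStatus.ACCOUNT_DISABLED;
        }
        Set<String> requiredTypes = new HashSet<String>();
        for (RequiredCredentialModel required : realmModel.getRequiredCredentials()) {
            requiredTypes.add(required.getType());
        }
        if (requiredTypes.contains("password")) {
            return authenticateWithPassword(keycloakSession, realmModel, multivaluedMap, user, str);
        }
        if (requiredTypes.contains("secret")) {
            return authenticateWithSecret(keycloakSession, realmModel, multivaluedMap, user);
        }
        logger.warn("Do not know how to authenticate user");
        return AuthenticationStatus.FAILED;
    }

    /**
     * Password flow: validates password and/or password-token (and TOTP when supplied)
     * together, then requires a TOTP if the user has one configured but sent none.
     *
     * @return the authentication status for the password flow
     */
    private AuthenticationStatus authenticateWithPassword(KeycloakSession keycloakSession, RealmModel realmModel, MultivaluedMap<String, String> form, UserModel user, String username) {
        List<UserCredentialModel> credentials = new LinkedList<UserCredentialModel>();
        String password = form.getFirst("password");
        if (password != null) {
            credentials.add(UserCredentialModel.password(password));
        }
        String passwordToken = form.getFirst("password-token");
        if (passwordToken != null) {
            credentials.add(UserCredentialModel.passwordToken(passwordToken));
        }
        String totp = form.getFirst("totp");
        if (totp != null) {
            credentials.add(UserCredentialModel.totp(totp));
        }
        if (password == null && passwordToken == null) {
            logger.debug("Password not provided");
            return AuthenticationStatus.MISSING_PASSWORD;
        }
        logger.debugv("validating password for user: {0}", username);
        if (!keycloakSession.users().validCredentials(realmModel, user, credentials)) {
            return AuthenticationStatus.INVALID_CREDENTIALS;
        }
        // TOTP is only demanded after the password validated, matching the original ordering.
        if (user.isTotp() && totp == null) {
            return AuthenticationStatus.MISSING_TOTP;
        }
        return user.getRequiredActions().isEmpty() ? AuthenticationStatus.SUCCESS : AuthenticationStatus.ACTIONS_REQUIRED;
    }

    /**
     * Shared-secret flow: validates the {@code "secret"} form field as a secret credential.
     * A missing secret is reported as {@link AuthenticationStatus#MISSING_PASSWORD}.
     *
     * @return the authentication status for the secret flow
     */
    private AuthenticationStatus authenticateWithSecret(KeycloakSession keycloakSession, RealmModel realmModel, MultivaluedMap<String, String> form, UserModel user) {
        String secret = form.getFirst("secret");
        if (secret == null) {
            logger.debug("Secret not provided");
            return AuthenticationStatus.MISSING_PASSWORD;
        }
        if (!keycloakSession.users().validCredentials(realmModel, user, UserCredentialModel.secret(secret))) {
            return AuthenticationStatus.INVALID_CREDENTIALS;
        }
        return user.getRequiredActions().isEmpty() ? AuthenticationStatus.SUCCESS : AuthenticationStatus.ACTIONS_REQUIRED;
    }
}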
