package org.keycloak.services.managers;

import java.security.PublicKey;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import javax.crypto.SecretKey;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import org.jboss.logging.Logger;
import org.jboss.resteasy.specimpl.MultivaluedMapImpl;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.TokenVerifier;
import org.keycloak.authentication.RequiredActionContext;
import org.keycloak.authentication.RequiredActionContextResult;
import org.keycloak.authentication.RequiredActionFactory;
import org.keycloak.authentication.RequiredActionProvider;
import org.keycloak.common.ClientConnection;
import org.keycloak.common.VerificationException;
import org.keycloak.common.util.Time;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.jose.jws.AlgorithmType;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeyManager;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RequiredActionProviderModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserConsentModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.LoginProtocol;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.ServicesLogger;
import org.keycloak.services.Urls;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.IdentityBrokerService;
import org.keycloak.services.resources.RealmsResource;
import org.keycloak.services.util.CookieHelper;
import org.keycloak.services.util.P3PHelper;
import org.keycloak.social.stackoverflow.StackoverflowIdentityProvider;

/* loaded from: input_file:org/keycloak/services/managers/AuthenticationManager.class */
public class AuthenticationManager {
    // Client-session note: when set, the info page shown after required actions carries the client's redirect URI (see finishedRequiredActions).
    public static final String SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS = "SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS";
    // Client-session note: when set, the flow ends on an info page and the user session is removed instead of redirecting to the client (see finishedRequiredActions).
    public static final String END_AFTER_REQUIRED_ACTIONS = "END_AFTER_REQUIRED_ACTIONS";
    // User-session note holding Time.currentTime() of the last non-SSO authentication (written in redirectAfterSuccessfulFlow).
    public static final String AUTH_TIME = "AUTH_TIME";
    // Client-session note parsed with Boolean.parseBoolean; marks that the client session was established through SSO (see isSSOAuthentication).
    public static final String SSO_AUTH = "SSO_AUTH";
    protected static final Logger logger = Logger.getLogger(AuthenticationManager.class);
    // Not referenced in the visible part of this class.
    public static final String FORM_USERNAME = "username";
    // Cookie carrying the HMAC-signed identity token (written in createLoginCookie, checked in authenticateIdentityCookie).
    public static final String KEYCLOAK_IDENTITY_COOKIE = "KEYCLOAK_IDENTITY";
    // Cookie carrying "realm/userId/sessionId" in clear text, not httpOnly; only used to find a stale session on re-login (see redirectAfterSuccessfulFlow).
    public static final String KEYCLOAK_SESSION_COOKIE = "KEYCLOAK_SESSION";
    // Cookie carrying "username:<name>" in clear text and unsigned (see createRememberMeCookie / getRememberMeUsername).
    public static final String KEYCLOAK_REMEMBER_ME = "KEYCLOAK_REMEMBER_ME";
    // User-session note naming the LoginProtocol provider that finishes a browser logout (see finishBrowserLogout).
    public static final String KEYCLOAK_LOGOUT_PROTOCOL = "KEYCLOAK_LOGOUT_PROTOCOL";
    // Client-session note recording which required action (provider id, or OAUTH_GRANT) is currently challenging the user.
    public static final String CURRENT_REQUIRED_ACTION = "CURRENT_REQUIRED_ACTION";

    /* loaded from: input_file:org/keycloak/services/managers/AuthenticationManager$AuthResult.class */
    /**
     * Result of a successful identity-token verification: the resolved user, the user
     * session the token refers to and the verified token itself. Instances are immutable.
     */
    public static class AuthResult {
        private final UserModel user;
        private final UserSessionModel session;
        private final AccessToken token;

        /**
         * @param user    the authenticated user
         * @param session the user session the token is bound to
         * @param token   the token that was verified
         */
        public AuthResult(UserModel user, UserSessionModel session, AccessToken token) {
            this.user = user;
            this.session = session;
            this.token = token;
        }

        /** @return the user session the token is bound to */
        public UserSessionModel getSession() {
            return session;
        }

        /** @return the authenticated user */
        public UserModel getUser() {
            return user;
        }

        /** @return the verified token */
        public AccessToken getToken() {
            return token;
        }
    }

    /* loaded from: input_file:org/keycloak/services/managers/AuthenticationManager$AuthenticationStatus.class */
    /**
     * Outcome codes of an authentication attempt. None of the constants is referenced in
     * the visible part of this class; their exact meaning is defined by the callers.
     */
    public enum AuthenticationStatus {
        SUCCESS,
        ACCOUNT_TEMPORARILY_DISABLED,
        ACCOUNT_DISABLED,
        ACTIONS_REQUIRED,
        INVALID_USER,
        INVALID_CREDENTIALS,
        MISSING_PASSWORD,
        MISSING_TOTP,
        FAILED
    }

    /**
     * Tells whether a user session is still usable under the realm's SSO limits: it must
     * not have exceeded the idle timeout since its last refresh, nor the maximum lifespan
     * since it was started. Both limits are in seconds, compared against {@link Time#currentTime()}.
     *
     * @param realmModel       realm supplying the idle timeout and max lifespan
     * @param userSessionModel session to check; {@code null} is reported as invalid
     * @return {@code true} only if both limits are still satisfied
     */
    public static boolean isSessionValid(RealmModel realmModel, UserSessionModel userSessionModel) {
        if (userSessionModel == null) {
            logger.debug("No user session");
            return false;
        }
        int now = Time.currentTime();
        int idleExpiry = userSessionModel.getLastSessionRefresh() + realmModel.getSsoSessionIdleTimeout();
        if (idleExpiry <= now) {
            return false;
        }
        int lifespanExpiry = userSessionModel.getStarted() + realmModel.getSsoSessionMaxLifespan();
        return lifespanExpiry > now;
    }

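    /**
     * Expires the browser's identity cookie, but only when that cookie really belongs to
     * {@code userSessionModel}: the cookie's token must verify against the realm HMAC key
     * named by its {@code kid}, and its session state must match the session being logged
     * out. A cookie that refers to some other session is left untouched.
     * <p>
     * Best effort: any failure (missing or malformed cookie, unknown key, failed
     * verification, lookup error) is logged at debug level and otherwise ignored.
     *
     * @param keycloakSession  current session, used for key and session lookups
     * @param userSessionModel the session being logged out
     * @param realmModel       realm whose issuer URL and HMAC keys are used
     * @param uriInfo          request URI info, for the issuer and cookie path
     * @param httpHeaders      request headers carrying the cookies
     * @param clientConnection connection, used to decide on the secure cookie flag
     */
    public static void expireUserSessionCookie(KeycloakSession keycloakSession, UserSessionModel userSessionModel, RealmModel realmModel, UriInfo uriInfo, HttpHeaders httpHeaders, ClientConnection clientConnection) {
        try {
            Cookie cookie = httpHeaders.getCookies().get(KEYCLOAK_IDENTITY_COOKIE);
            if (cookie == null) {
                return;
            }
            // Active/type checks are disabled on purpose: an already-expired token must still
            // be matched so that its cookie can be cleared.
            TokenVerifier verifier = TokenVerifier.create(cookie.getValue())
                    .realmUrl(Urls.realmIssuer(uriInfo.getBaseUri(), realmModel.getName()))
                    .checkActive(false)
                    .checkTokenType(false);
            String kid = verifier.getHeader().getKeyId();
            SecretKey secretKey = keycloakSession.keys().getHmacSecretKey(realmModel, kid);
            // verify() checks the HMAC signature before the session state is trusted.
            String cookieSessionId = verifier.secretKey(secretKey).verify().getToken().getSessionState();
            UserSessionModel cookieSession = keycloakSession.sessions().getUserSession(realmModel, cookieSessionId);
            if (cookieSession == null || !cookieSession.getId().equals(userSessionModel.getId())) {
                return;
            }
            expireIdentityCookie(realmModel, uriInfo, clientConnection);
        } catch (Exception e) {
            // Was swallowed silently; the best-effort contract stays, but leave a trace for troubleshooting.
            logger.debug("Could not expire identity cookie for the session being logged out", e);
        }
    }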

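    /**
     * Logs a user session out without a browser round trip: marks it LOGGING_OUT, clears the
     * matching identity cookie, performs a backchannel logout for every client session,
     * optionally notifies the brokering identity provider, then marks the session LOGGED_OUT
     * and removes it.
     *
     * @param keycloakSession  current session
     * @param realmModel       realm the user session belongs to
     * @param userSessionModel session to log out; {@code null} is a no-op
     * @param uriInfo          request URI info
     * @param clientConnection current connection
     * @param httpHeaders      request headers (cookies)
     * @param z                whether to also send a backchannel logout to the identity
     *                         provider recorded in the session's {@code identity_provider} note
     */
    public static void backchannelLogout(KeycloakSession keycloakSession, RealmModel realmModel, UserSessionModel userSessionModel, UriInfo uriInfo, ClientConnection clientConnection, HttpHeaders httpHeaders, boolean z) {
        if (userSessionModel == null) {
            return;
        }
        UserModel user = userSessionModel.getUser();
        userSessionModel.setState(UserSessionModel.State.LOGGING_OUT);
        logger.debugv("Logging out: {0} ({1})", user.getUsername(), userSessionModel.getId());
        expireUserSessionCookie(keycloakSession, userSessionModel, realmModel, uriInfo, httpHeaders, clientConnection);
        for (ClientSessionModel clientSession : userSessionModel.getClientSessions()) {
            backchannelLogoutClientSession(keycloakSession, realmModel, clientSession, userSessionModel, uriInfo, httpHeaders);
        }
        if (z) {
            String brokerAlias = userSessionModel.getNote("identity_provider");
            if (brokerAlias != null) {
                try {
                    IdentityBrokerService.getIdentityProvider(keycloakSession, realmModel, brokerAlias).backchannelLogout(keycloakSession, userSessionModel, uriInfo, realmModel);
                } catch (Exception e) {
                    // Broker failures must not block the local logout, but were previously invisible.
                    logger.debugv(e, "Backchannel logout to identity provider {0} failed", brokerAlias);
                }
            }
        }
        userSessionModel.setState(UserSessionModel.State.LOGGED_OUT);
        keycloakSession.sessions().removeUserSession(realmModel, userSessionModel);
    }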

    /**
     * Performs a backchannel logout of one client session through its login protocol and
     * marks the client session LOGGED_OUT. Skipped when the client is missing, uses
     * frontchannel logout, is already logged out, or has no auth method recorded.
     *
     * @param keycloakSession    current session, used to resolve the {@link LoginProtocol}
     * @param realmModel         realm of the session
     * @param clientSessionModel client session to log out
     * @param userSessionModel   owning user session
     * @param uriInfo            request URI info passed to the protocol
     * @param httpHeaders        request headers passed to the protocol
     */
    public static void backchannelLogoutClientSession(KeycloakSession keycloakSession, RealmModel realmModel, ClientSessionModel clientSessionModel, UserSessionModel userSessionModel, UriInfo uriInfo, HttpHeaders httpHeaders) {
        ClientModel client = clientSessionModel.getClient();
        if (client == null) {
            return;
        }
        if (client.isFrontchannelLogout()) {
            return;
        }
        if (ClientSessionModel.Action.LOGGED_OUT.name().equals(clientSessionModel.getAction())) {
            return;
        }
        String authMethod = clientSessionModel.getAuthMethod();
        if (authMethod == null) {
            return;
        }
        LoginProtocol protocol = keycloakSession.getProvider(LoginProtocol.class, authMethod);
        protocol.setRealm(realmModel).setHttpHeaders(httpHeaders).setUriInfo(uriInfo);
        protocol.backchannelLogout(userSessionModel, clientSessionModel);
        clientSessionModel.setAction(ClientSessionModel.Action.LOGGED_OUT.name());
    }

    /**
     * Logs a user out of one client only: for every user session of {@code userModel},
     * each client session belonging to {@code clientModel} gets a backchannel logout and is
     * then detached from its user session.
     *
     * @param keycloakSession current session
     * @param realmModel      realm of the user
     * @param userModel       user whose sessions are scanned
     * @param clientModel     client to log the user out of
     * @param uriInfo         request URI info
     * @param httpHeaders     request headers
     */
    public static void backchannelUserFromClient(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel, ClientModel clientModel, UriInfo uriInfo, HttpHeaders httpHeaders) {
        String targetClientId = clientModel.getId();
        for (UserSessionModel userSession : keycloakSession.sessions().getUserSessions(realmModel, userModel)) {
            for (ClientSessionModel clientSession : userSession.getClientSessions()) {
                boolean sameClient = clientSession.getClient().getId().equals(targetClientId);
                if (!sameClient) {
                    continue;
                }
                backchannelLogoutClientSession(keycloakSession, realmModel, clientSession, userSession, uriInfo, httpHeaders);
                TokenManager.dettachClientSession(keycloakSession.sessions(), realmModel, clientSession);
            }
        }
    }

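    /**
     * Browser-initiated logout. Backchannel clients are logged out immediately; clients that
     * use frontchannel logout are asked in turn, and the first non-null {@link Response}
     * (a redirect to that client) is returned so the browser can carry the logout over —
     * the caller re-enters this flow afterwards. When no client needs the browser, the
     * brokering identity provider (if any) may return a response; otherwise the logout is
     * finished locally via {@link #finishBrowserLogout}.
     * <p>
     * Fixes the decompiled form, where the frontchannel response was tested outside the
     * {@code try} it was assigned in (not definitely assigned when the protocol throws).
     *
     * @param keycloakSession  current session
     * @param realmModel       realm of the user session
     * @param userSessionModel session to log out; {@code null} yields {@code null}
     * @param uriInfo          request URI info
     * @param clientConnection current connection
     * @param httpHeaders      request headers
     * @return a response to send to the browser, or {@code null} when there is no session
     */
    public static Response browserLogout(KeycloakSession keycloakSession, RealmModel realmModel, UserSessionModel userSessionModel, UriInfo uriInfo, ClientConnection clientConnection, HttpHeaders httpHeaders) {
        if (userSessionModel == null) {
            return null;
        }
        logger.debugv("Logging out: {0} ({1})", userSessionModel.getUser().getUsername(), userSessionModel.getId());
        if (userSessionModel.getState() != UserSessionModel.State.LOGGING_OUT) {
            userSessionModel.setState(UserSessionModel.State.LOGGING_OUT);
        }
        List<ClientSessionModel> redirectClients = new ArrayList<ClientSessionModel>();
        for (ClientSessionModel clientSession : userSessionModel.getClientSessions()) {
            if (ClientSessionModel.Action.LOGGED_OUT.name().equals(clientSession.getAction())) {
                continue;
            }
            String authMethod = clientSession.getAuthMethod();
            if (authMethod == null) {
                // No protocol recorded: nothing to log out of, for either channel.
                continue;
            }
            ClientModel client = clientSession.getClient();
            if (client.isFrontchannelLogout()) {
                redirectClients.add(clientSession);
                continue;
            }
            LoginProtocol protocol = keycloakSession.getProvider(LoginProtocol.class, authMethod);
            protocol.setRealm(realmModel).setHttpHeaders(httpHeaders).setUriInfo(uriInfo);
            try {
                logger.debugv("backchannel logout to: {0}", client.getClientId());
                protocol.backchannelLogout(userSessionModel, clientSession);
                clientSession.setAction(ClientSessionModel.Action.LOGGED_OUT.name());
            } catch (Exception e) {
                ServicesLogger.LOGGER.failedToLogoutClient(e);
            }
        }
        for (ClientSessionModel redirectClient : redirectClients) {
            LoginProtocol protocol = keycloakSession.getProvider(LoginProtocol.class, redirectClient.getAuthMethod());
            protocol.setRealm(realmModel).setHttpHeaders(httpHeaders).setUriInfo(uriInfo);
            // Marked before the attempt: the protocol cannot confirm whether the client actually logged out.
            redirectClient.setAction(ClientSessionModel.Action.LOGGED_OUT.name());
            try {
                logger.debugv("frontchannel logout to: {0}", redirectClient.getClient().getClientId());
                Response redirect = protocol.frontchannelLogout(userSessionModel, redirectClient);
                if (redirect != null) {
                    logger.debug("returning frontchannel logout request to client");
                    return redirect;
                }
            } catch (Exception e) {
                ServicesLogger.LOGGER.failedToLogoutClient(e);
            }
        }
        String brokerAlias = userSessionModel.getNote("identity_provider");
        if (brokerAlias != null) {
            Response brokerResponse = IdentityBrokerService.getIdentityProvider(keycloakSession, realmModel, brokerAlias).keycloakInitiatedBrowserLogout(keycloakSession, userSessionModel, uriInfo, realmModel);
            if (brokerResponse != null) {
                return brokerResponse;
            }
        }
        return finishBrowserLogout(keycloakSession, realmModel, userSessionModel, uriInfo, clientConnection, httpHeaders);
    }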

    /**
     * Final step of a browser logout: clears the identity, session and remember-me cookies,
     * marks the session LOGGED_OUT, lets the protocol named by the
     * {@link #KEYCLOAK_LOGOUT_PROTOCOL} session note build the response, and removes the
     * user session.
     *
     * @param keycloakSession  current session
     * @param realmModel       realm of the session
     * @param userSessionModel session being logged out (must not be {@code null})
     * @param uriInfo          request URI info
     * @param clientConnection current connection
     * @param httpHeaders      request headers
     * @return the protocol's logout response
     */
    public static Response finishBrowserLogout(KeycloakSession keycloakSession, RealmModel realmModel, UserSessionModel userSessionModel, UriInfo uriInfo, ClientConnection clientConnection, HttpHeaders httpHeaders) {
        expireIdentityCookie(realmModel, uriInfo, clientConnection);
        expireRememberMeCookie(realmModel, uriInfo, clientConnection);
        userSessionModel.setState(UserSessionModel.State.LOGGED_OUT);
        String logoutProtocolId = userSessionModel.getNote(KEYCLOAK_LOGOUT_PROTOCOL);
        EventBuilder event = new EventBuilder(realmModel, keycloakSession, clientConnection);
        LoginProtocol protocol = keycloakSession.getProvider(LoginProtocol.class, logoutProtocolId);
        protocol.setRealm(realmModel)
                .setHttpHeaders(httpHeaders)
                .setUriInfo(uriInfo)
                .setEventBuilder(event);
        Response logoutResponse = protocol.finishLogout(userSessionModel);
        keycloakSession.sessions().removeUserSession(realmModel, userSessionModel);
        return logoutResponse;
    }

    /**
     * Builds the (unsigned) identity token stored in the identity cookie: fresh id, issued
     * now, subject = user id, the given issuer, the session id when a session exists, and an
     * expiration of now + SSO max lifespan when that lifespan is positive (otherwise none).
     *
     * @param realmModel       realm providing the SSO max lifespan
     * @param userModel        token subject
     * @param userSessionModel session to bind the token to, or {@code null}
     * @param str              issuer URL
     * @return the populated token; signing happens in {@link #encodeToken}
     */
    public static AccessToken createIdentityToken(RealmModel realmModel, UserModel userModel, UserSessionModel userSessionModel, String str) {
        AccessToken token = new AccessToken();
        token.id(KeycloakModelUtils.generateId());
        token.issuedNow();
        token.subject(userModel.getId());
        token.issuer(str);
        boolean hasSession = userSessionModel != null;
        if (hasSession) {
            token.setSessionState(userSessionModel.getId());
        }
        int maxLifespan = realmModel.getSsoSessionMaxLifespan();
        if (maxLifespan > 0) {
            token.expiration(Time.currentTime() + maxLifespan);
        }
        return token;
    }

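    /**
     * Sets the two login cookies: the HMAC-signed identity token cookie (httpOnly) and the
     * clear-text session cookie {@code realm/userId[/sessionId]} (not httpOnly), both on the
     * realm cookie path and with the secure flag whenever the realm requires SSL for this
     * connection. The identity cookie is a session cookie (max-age -1) unless the user
     * session is a remember-me session, in which case it lives for the SSO max lifespan.
     * <p>
     * {@code userSessionModel} is treated as optional consistently: the original read
     * {@code isRememberMe()} before its own {@code null} check.
     *
     * @param keycloakSession  current session (keys, P3P header)
     * @param realmModel       realm whose name, keys and SSL policy are used
     * @param userModel        user being logged in
     * @param userSessionModel user session, or {@code null}
     * @param uriInfo          request URI info (issuer, cookie path)
     * @param clientConnection current connection (secure-flag decision)
     */
    public static void createLoginCookie(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel, UserSessionModel userSessionModel, UriInfo uriInfo, ClientConnection clientConnection) {
        String cookiePath = getIdentityCookiePath(realmModel, uriInfo);
        String issuer = Urls.realmIssuer(uriInfo.getBaseUri(), realmModel.getName());
        AccessToken identityToken = createIdentityToken(realmModel, userModel, userSessionModel, issuer);
        String encodedToken = encodeToken(keycloakSession, realmModel, identityToken);
        boolean secureOnly = realmModel.getSslRequired().isRequired(clientConnection);
        int maxAge = -1;
        if (userSessionModel != null && userSessionModel.isRememberMe()) {
            maxAge = realmModel.getSsoSessionMaxLifespan();
        }
        logger.debugv("Create login cookie - name: {0}, path: {1}, max-age: {2}", KEYCLOAK_IDENTITY_COOKIE, cookiePath, Integer.valueOf(maxAge));
        // httpOnly: the signed token must not be readable from page scripts.
        CookieHelper.addCookie(KEYCLOAK_IDENTITY_COOKIE, encodedToken, cookiePath, null, null, maxAge, secureOnly, true);
        String sessionCookieValue = realmModel.getName() + "/" + userModel.getId();
        if (userSessionModel != null) {
            sessionCookieValue = sessionCookieValue + "/" + userSessionModel.getId();
        }
        // Deliberately not httpOnly (script-readable); it carries no secret, only identifiers.
        CookieHelper.addCookie(KEYCLOAK_SESSION_COOKIE, sessionCookieValue, cookiePath, null, null, realmModel.getSsoSessionMaxLifespan(), secureOnly, false);
        P3PHelper.addP3PHeader(keycloakSession);
    }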

    /**
     * Sets the remember-me cookie with value {@code "username:" + str}, valid for one year,
     * httpOnly, on the realm cookie path, secure when the realm requires SSL for this
     * connection. The value is clear text and carries no signature, so a reader can only
     * treat it as a hint (see {@link #getRememberMeUsername}).
     *
     * @param realmModel       realm providing the cookie path and SSL policy
     * @param str              username to remember
     * @param uriInfo          request URI info for the cookie path
     * @param clientConnection current connection
     */
    public static void createRememberMeCookie(RealmModel realmModel, String str, UriInfo uriInfo, ClientConnection clientConnection) {
        // 365 * 24 * 60 * 60 seconds.
        int oneYearSeconds = 31536000;
        String cookiePath = getIdentityCookiePath(realmModel, uriInfo);
        boolean secureOnly = realmModel.getSslRequired().isRequired(clientConnection);
        String value = "username:" + str;
        CookieHelper.addCookie(KEYCLOAK_REMEMBER_ME, value, cookiePath, null, null, oneYearSeconds, secureOnly, true);
    }

    /**
     * Reads the username from the remember-me cookie, if the realm has remember-me enabled
     * and the cookie value has exactly the shape {@code username:<name>}.
     * The cookie is client-supplied and unsigned, so the returned value is a hint only and
     * must not be treated as an authenticated identity.
     *
     * @param realmModel  realm; {@code null} is returned when remember-me is disabled
     * @param httpHeaders request headers carrying the cookies
     * @return the remembered username, or {@code null} when absent or malformed
     */
    public static String getRememberMeUsername(RealmModel realmModel, HttpHeaders httpHeaders) {
        if (!realmModel.isRememberMe()) {
            return null;
        }
        Cookie rememberMe = httpHeaders.getCookies().get(KEYCLOAK_REMEMBER_ME);
        if (rememberMe == null) {
            return null;
        }
        String[] parts = rememberMe.getValue().split(":");
        // parts[0] always exists (split of "" yields [""]), so the prefix check is safe before the length check.
        boolean wellFormed = parts[0].equals("username") && parts.length == 2;
        return wellFormed ? parts[1] : null;
    }

    /**
     * Serialises {@code obj} as JSON and signs it with HMAC-SHA256 using the realm's active
     * HMAC key; the key id is written into the JWS header so verifiers can pick the same key.
     *
     * @param keycloakSession current session, used to look up the active key
     * @param realmModel      realm whose key is used
     * @param obj             payload to encode
     * @return the compact JWS string
     */
    protected static String encodeToken(KeycloakSession keycloakSession, RealmModel realmModel, Object obj) {
        KeyManager.ActiveHmacKey hmacKey = keycloakSession.keys().getActiveHmacKey(realmModel);
        String kid = hmacKey.getKid();
        logger.tracef("Encoding token with kid '%s'", kid);
        JWSBuilder builder = new JWSBuilder().kid(kid);
        return builder.jsonContent(obj).hmac256(hmacKey.getSecretKey());
    }

    /**
     * Expires both login cookies on the realm cookie path: the identity cookie (httpOnly)
     * and the session cookie (not httpOnly), matching the flags they were created with.
     *
     * @param realmModel       realm providing the cookie path and SSL policy
     * @param uriInfo          request URI info for the cookie path
     * @param clientConnection current connection
     */
    public static void expireIdentityCookie(RealmModel realmModel, UriInfo uriInfo, ClientConnection clientConnection) {
        logger.debug("Expiring identity cookie");
        String cookiePath = getIdentityCookiePath(realmModel, uriInfo);
        boolean httpOnly = true;
        expireCookie(realmModel, KEYCLOAK_IDENTITY_COOKIE, cookiePath, httpOnly, clientConnection);
        expireCookie(realmModel, KEYCLOAK_SESSION_COOKIE, cookiePath, !httpOnly, clientConnection);
    }

    /**
     * Expires the remember-me cookie (httpOnly) on the realm cookie path.
     *
     * @param realmModel       realm providing the cookie path and SSL policy
     * @param uriInfo          request URI info for the cookie path
     * @param clientConnection current connection
     */
    public static void expireRememberMeCookie(RealmModel realmModel, UriInfo uriInfo, ClientConnection clientConnection) {
        logger.debug("Expiring remember me cookie");
        String cookiePath = getIdentityCookiePath(realmModel, uriInfo);
        expireCookie(realmModel, KEYCLOAK_REMEMBER_ME, cookiePath, true, clientConnection);
    }

    /**
     * Path used for the identity, session and remember-me cookies; currently identical to
     * the realm cookie path.
     *
     * @param realmModel realm the path is scoped to
     * @param uriInfo    request URI info
     * @return the raw cookie path
     */
    protected static String getIdentityCookiePath(RealmModel realmModel, UriInfo uriInfo) {
        String realmPath = getRealmCookiePath(realmModel, uriInfo);
        return realmPath;
    }

    /**
     * Raw path of the realm's base URL, used to scope cookies to this realm.
     *
     * @param realmModel realm whose name fills the URL template
     * @param uriInfo    request URI info the template is built from
     * @return the raw (still percent-encoded) path
     */
    public static String getRealmCookiePath(RealmModel realmModel, UriInfo uriInfo) {
        String realmName = realmModel.getName();
        return RealmsResource.realmBaseUrl(uriInfo).build(realmName).getRawPath();
    }

    /**
     * Expires a cookie by re-sending it with max-age 0 on the given path, with the secure
     * flag when the realm requires SSL for this connection.
     *
     * @param realmModel       realm providing the SSL policy
     * @param str              cookie name
     * @param str2             cookie path
     * @param z                httpOnly flag to send with the expiring cookie
     * @param clientConnection current connection
     */
    public static void expireCookie(RealmModel realmModel, String str, String str2, boolean z, ClientConnection clientConnection) {
        logger.debugv("Expiring cookie: {0} path: {1}", str, str2);
        boolean secureOnly = realmModel.getSslRequired().isRequired(clientConnection);
        // NOTE(review): DEFAULT_SCOPE is borrowed from an unrelated social provider purely for its
        // string value (presumably the empty string, a decompiler inlining artefact) — confirm and
        // replace with a literal so this class stops depending on that provider.
        String expiredValue = StackoverflowIdentityProvider.DEFAULT_SCOPE;
        CookieHelper.addCookie(str, expiredValue, str2, null, "Expiring cookie", 0, secureOnly, z);
    }

    /**
     * Instance-style shortcut for {@link #authenticateIdentityCookie(KeycloakSession, RealmModel, boolean)}
     * with the boolean flag set to {@code true}.
     *
     * @param keycloakSession current session (request context, cookies)
     * @param realmModel      realm to authenticate against
     * @return the verified result, or {@code null} when there is no valid identity cookie
     */
    public AuthResult authenticateIdentityCookie(KeycloakSession keycloakSession, RealmModel realmModel) {
        boolean flag = true;
        return authenticateIdentityCookie(keycloakSession, realmModel, flag);
    }

    /**
     * Authenticates the request from the identity cookie: the cookie's token is verified by
     * {@code verifyIdentityToken} (defined outside the visible part of this file); on success
     * the session's last-refresh time is bumped, on failure the identity cookies are expired
     * so the browser stops presenting a bad token.
     *
     * @param keycloakSession current session (request headers, URI, connection)
     * @param realmModel      realm to authenticate against
     * @param z               passed through to {@code verifyIdentityToken}; presumably
     *                        whether session liveness is checked — confirm against that method
     * @return the verified result, or {@code null} when the cookie is missing, empty or invalid
     */
    public static AuthResult authenticateIdentityCookie(KeycloakSession keycloakSession, RealmModel realmModel, boolean z) {
        Cookie identityCookie = keycloakSession.getContext().getRequestHeaders().getCookies().get(KEYCLOAK_IDENTITY_COOKIE);
        boolean missing = identityCookie == null || StackoverflowIdentityProvider.DEFAULT_SCOPE.equals(identityCookie.getValue());
        if (missing) {
            logger.debugv("Could not find cookie: {0}", KEYCLOAK_IDENTITY_COOKIE);
            return null;
        }
        UriInfo uriInfo = keycloakSession.getContext().getUri();
        ClientConnection connection = keycloakSession.getContext().getConnection();
        AuthResult result = verifyIdentityToken(keycloakSession, realmModel, uriInfo, connection, z, false, identityCookie.getValue(), keycloakSession.getContext().getRequestHeaders());
        if (result == null) {
            // Invalid token: clear the cookies so the browser does not keep sending them.
            expireIdentityCookie(realmModel, keycloakSession.getContext().getUri(), keycloakSession.getContext().getConnection());
            return null;
        }
        result.getSession().setLastSessionRefresh(Time.currentTime());
        return result;
    }

    /**
     * Resolves the {@link LoginProtocol} from the client session's auth method, wires the
     * request context into it and delegates to the nine-argument overload.
     *
     * @param keycloakSession    current session
     * @param realmModel         realm of the session
     * @param userSessionModel   authenticated user session
     * @param clientSessionModel client session being completed
     * @param httpRequest        current request (headers)
     * @param uriInfo            request URI info
     * @param clientConnection   current connection
     * @param eventBuilder       event being recorded for this login
     * @return the protocol's success response
     */
    public static Response redirectAfterSuccessfulFlow(KeycloakSession keycloakSession, RealmModel realmModel, UserSessionModel userSessionModel, ClientSessionModel clientSessionModel, HttpRequest httpRequest, UriInfo uriInfo, ClientConnection clientConnection, EventBuilder eventBuilder) {
        String authMethod = clientSessionModel.getAuthMethod();
        LoginProtocol protocol = keycloakSession.getProvider(LoginProtocol.class, authMethod);
        protocol.setRealm(realmModel)
                .setHttpHeaders(httpRequest.getHttpHeaders())
                .setUriInfo(uriInfo)
                .setEventBuilder(eventBuilder);
        return redirectAfterSuccessfulFlow(keycloakSession, realmModel, userSessionModel, clientSessionModel, httpRequest, uriInfo, clientConnection, eventBuilder, protocol);
    }

    /**
     * Completes a successful login: removes the stale session named in the old session
     * cookie (if it differs from the new one and still exists in this realm), resolves the
     * locale, writes the login cookies, marks the session LOGGED_IN, sets or clears the
     * remember-me cookie, records {@link #AUTH_TIME} for non-SSO logins, and hands over to
     * the protocol with a fresh {@link ClientSessionCode}.
     * <p>
     * The old session id is taken from the clear-text, unsigned session cookie, i.e. it is
     * client-supplied; its only effect here is removal of an existing session of this realm.
     *
     * @param keycloakSession    current session
     * @param realmModel         realm of the session
     * @param userSessionModel   authenticated user session
     * @param clientSessionModel client session being completed
     * @param httpRequest        current request (cookies)
     * @param uriInfo            request URI info
     * @param clientConnection   current connection
     * @param eventBuilder       event being recorded for this login
     * @param loginProtocol      protocol that produces the final response
     * @return the protocol's success response
     */
    public static Response redirectAfterSuccessfulFlow(KeycloakSession keycloakSession, RealmModel realmModel, UserSessionModel userSessionModel, ClientSessionModel clientSessionModel, HttpRequest httpRequest, UriInfo uriInfo, ClientConnection clientConnection, EventBuilder eventBuilder, LoginProtocol loginProtocol) {
        Cookie sessionCookie = httpRequest.getHttpHeaders().getCookies().get(KEYCLOAK_SESSION_COOKIE);
        if (sessionCookie != null) {
            // Layout written by createLoginCookie: realm/userId/sessionId.
            String[] parts = sessionCookie.getValue().split("/");
            if (parts.length >= 3) {
                String previousSessionId = parts[2];
                boolean differentSession = !previousSessionId.equals(userSessionModel.getId());
                if (differentSession) {
                    UserSessionModel previousSession = keycloakSession.sessions().getUserSession(realmModel, previousSessionId);
                    if (previousSession != null) {
                        logger.debugv("Removing old user session: session: {0}", previousSessionId);
                        keycloakSession.sessions().removeUserSession(realmModel, previousSession);
                    }
                }
            }
        }
        UserModel user = userSessionModel.getUser();
        keycloakSession.getContext().resolveLocale(user);
        createLoginCookie(keycloakSession, realmModel, user, userSessionModel, uriInfo, clientConnection);
        if (userSessionModel.getState() != UserSessionModel.State.LOGGED_IN) {
            userSessionModel.setState(UserSessionModel.State.LOGGED_IN);
        }
        if (userSessionModel.isRememberMe()) {
            createRememberMeCookie(realmModel, userSessionModel.getLoginUsername(), uriInfo, clientConnection);
        } else {
            expireRememberMeCookie(realmModel, uriInfo, clientConnection);
        }
        boolean freshLogin = !isSSOAuthentication(clientSessionModel);
        if (freshLogin) {
            userSessionModel.setNote(AUTH_TIME, String.valueOf(Time.currentTime()));
        }
        ClientSessionCode code = new ClientSessionCode(keycloakSession, realmModel, clientSessionModel);
        return loginProtocol.authenticated(userSessionModel, code);
    }

    /**
     * Whether the client session was established through SSO, as recorded in its
     * {@link #SSO_AUTH} note; a missing note (or anything other than {@code "true"}) counts as
     * a fresh login.
     *
     * @param clientSessionModel client session to inspect
     * @return {@code true} iff the note parses as {@code true}
     */
    public static boolean isSSOAuthentication(ClientSessionModel clientSessionModel) {
        String ssoNote = clientSessionModel.getNote(SSO_AUTH);
        return Boolean.parseBoolean(ssoNote);
    }

    /**
     * Continues the flow after credentials were accepted: if a required action or consent
     * screen is pending its challenge is returned, otherwise the flow is finished.
     *
     * @param keycloakSession    current session
     * @param userSessionModel   authenticated user session
     * @param clientSessionModel client session being completed
     * @param clientConnection   current connection
     * @param httpRequest        current request
     * @param uriInfo            request URI info
     * @param eventBuilder       event being recorded for this login
     * @return the pending challenge, or the final response
     */
    public static Response nextActionAfterAuthentication(KeycloakSession keycloakSession, UserSessionModel userSessionModel, ClientSessionModel clientSessionModel, ClientConnection clientConnection, HttpRequest httpRequest, UriInfo uriInfo, EventBuilder eventBuilder) {
        Response challenge = actionRequired(keycloakSession, userSessionModel, clientSessionModel, clientConnection, httpRequest, uriInfo, eventBuilder);
        if (challenge != null) {
            return challenge;
        }
        return finishedRequiredActions(keycloakSession, userSessionModel, clientSessionModel, clientConnection, httpRequest, uriInfo, eventBuilder);
    }

    /**
     * Ends the flow once all required actions are done. Normally the login event is marked
     * successful and the user is redirected back to the client. When the client session
     * carries the {@link #END_AFTER_REQUIRED_ACTIONS} note an "account updated" info page is
     * shown instead (with the client's redirect URI when
     * {@link #SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS} is set, else with the link skipped)
     * and the user session is removed.
     *
     * @param keycloakSession    current session
     * @param userSessionModel   user session
     * @param clientSessionModel client session being completed
     * @param clientConnection   current connection
     * @param httpRequest        current request
     * @param uriInfo            request URI info
     * @param eventBuilder       event being recorded for this login
     * @return the redirect or the info page
     */
    public static Response finishedRequiredActions(KeycloakSession keycloakSession, UserSessionModel userSessionModel, ClientSessionModel clientSessionModel, ClientConnection clientConnection, HttpRequest httpRequest, UriInfo uriInfo, EventBuilder eventBuilder) {
        boolean endOnInfoPage = clientSessionModel.getNote(END_AFTER_REQUIRED_ACTIONS) != null;
        if (!endOnInfoPage) {
            eventBuilder.success();
            return redirectAfterSuccessfulFlow(keycloakSession, clientSessionModel.getRealm(), userSessionModel, clientSessionModel, httpRequest, uriInfo, clientConnection, eventBuilder);
        }
        LoginFormsProvider infoPage = keycloakSession.getProvider(LoginFormsProvider.class).setSuccess(Messages.ACCOUNT_UPDATED, new Object[0]);
        boolean wantsRedirectUri = clientSessionModel.getNote(SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS) != null;
        if (!wantsRedirectUri) {
            infoPage.setAttribute("skipLink", true);
        } else {
            String redirectUri = clientSessionModel.getRedirectUri();
            if (redirectUri != null) {
                infoPage.setAttribute("pageRedirectUri", redirectUri);
            }
        }
        Response response = infoPage.createInfoPage();
        keycloakSession.sessions().removeUserSession(keycloakSession.getContext().getRealm(), userSessionModel);
        return response;
    }

    /**
     * Read-only twin of {@link #actionRequired}: evaluates the required-action triggers and
     * reports whether the user would be stopped by a required action or a consent screen,
     * without producing a response. Consent is needed when the client requires it and at
     * least one requested role, or one consent-requiring mapper with consent text, has not
     * been granted in the user's persisted consent for this client.
     *
     * @param keycloakSession    current session
     * @param userSessionModel   user session
     * @param clientSessionModel client session under evaluation
     * @param clientConnection   current connection
     * @param httpRequest        current request
     * @param uriInfo            request URI info
     * @param eventBuilder       event that receives a {@code consent} detail when no consent is needed
     * @return {@code true} when the user still has to act
     */
    public static boolean isActionRequired(KeycloakSession keycloakSession, UserSessionModel userSessionModel, ClientSessionModel clientSessionModel, ClientConnection clientConnection, HttpRequest httpRequest, UriInfo uriInfo, EventBuilder eventBuilder) {
        RealmModel realm = clientSessionModel.getRealm();
        UserModel user = userSessionModel.getUser();
        ClientModel client = clientSessionModel.getClient();
        evaluateRequiredActionTriggers(keycloakSession, userSessionModel, clientSessionModel, clientConnection, httpRequest, uriInfo, eventBuilder, realm, user);
        if (!user.getRequiredActions().isEmpty()) {
            return true;
        }
        if (!clientSessionModel.getRequiredActions().isEmpty()) {
            return true;
        }
        if (!client.isConsentRequired()) {
            eventBuilder.detail(OIDCLoginProtocol.PROMPT_VALUE_CONSENT, "no_consent_required");
            return false;
        }
        UserConsentModel consent = keycloakSession.users().getConsentByClient(realm, user.getId(), client.getId());
        boolean hasConsent = consent != null;
        ClientSessionCode code = new ClientSessionCode(keycloakSession, realm, clientSessionModel);
        for (RoleModel role : code.getRequestedRoles()) {
            boolean roleGranted = hasConsent && consent.isRoleGranted(role);
            if (!roleGranted) {
                return true;
            }
        }
        for (ProtocolMapperModel mapper : code.getRequestedProtocolMappers()) {
            boolean needsConsent = mapper.isConsentRequired() && mapper.getConsentText() != null;
            if (!needsConsent) {
                continue;
            }
            boolean mapperGranted = hasConsent && consent.isProtocolMapperGranted(mapper);
            if (!mapperGranted) {
                return true;
            }
        }
        eventBuilder.detail(OIDCLoginProtocol.PROMPT_VALUE_CONSENT, hasConsent ? "persistent_consent" : "no_consent_required");
        return false;
    }

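    /**
     * Produces the next screen the user must pass before the flow can finish: first any
     * user-level required action, then any client-session required action, then — for
     * clients with consent required — the OAuth grant page listing the realm roles, client
     * roles (grouped by client id) and consent-requiring mappers not yet covered by the
     * user's persisted consent. Returns {@code null} when nothing is pending, recording why
     * in the event's {@code consent} detail.
     * <p>
     * Uses parameterised collections instead of the raw {@code LinkedList}/{@code MultivaluedMapImpl}
     * the decompiler emitted, and restores the {@link ClientModel} cast the decompiler lost on
     * the role container.
     *
     * @param keycloakSession    current session
     * @param userSessionModel   user session
     * @param clientSessionModel client session being completed
     * @param clientConnection   current connection
     * @param httpRequest        current request
     * @param uriInfo            request URI info
     * @param eventBuilder       event being recorded for this login
     * @return the challenge or grant page to show, or {@code null} when nothing is pending
     */
    public static Response actionRequired(KeycloakSession keycloakSession, UserSessionModel userSessionModel, ClientSessionModel clientSessionModel, ClientConnection clientConnection, HttpRequest httpRequest, UriInfo uriInfo, EventBuilder eventBuilder) {
        RealmModel realm = clientSessionModel.getRealm();
        UserModel user = userSessionModel.getUser();
        ClientModel client = clientSessionModel.getClient();
        evaluateRequiredActionTriggers(keycloakSession, userSessionModel, clientSessionModel, clientConnection, httpRequest, uriInfo, eventBuilder, realm, user);
        logger.debugv("processAccessCode: go to oauth page?: {0}", Boolean.valueOf(client.isConsentRequired()));
        eventBuilder.detail("code_id", clientSessionModel.getId());
        Response userActionChallenge = executionActions(keycloakSession, userSessionModel, clientSessionModel, httpRequest, eventBuilder, realm, user, user.getRequiredActions());
        if (userActionChallenge != null) {
            return userActionChallenge;
        }
        Response clientSessionActionChallenge = executionActions(keycloakSession, userSessionModel, clientSessionModel, httpRequest, eventBuilder, realm, user, clientSessionModel.getRequiredActions());
        if (clientSessionActionChallenge != null) {
            return clientSessionActionChallenge;
        }
        if (!client.isConsentRequired()) {
            eventBuilder.detail(OIDCLoginProtocol.PROMPT_VALUE_CONSENT, "no_consent_required");
            return null;
        }
        UserConsentModel consent = keycloakSession.users().getConsentByClient(realm, user.getId(), client.getId());
        List<RoleModel> realmRolesRequested = new ArrayList<RoleModel>();
        MultivaluedMapImpl<String, RoleModel> clientRolesRequested = new MultivaluedMapImpl<String, RoleModel>();
        ClientSessionCode code = new ClientSessionCode(keycloakSession, realm, clientSessionModel);
        for (RoleModel role : code.getRequestedRoles()) {
            if (consent != null && consent.isRoleGranted(role)) {
                continue;
            }
            if (role.getContainer() instanceof RealmModel) {
                realmRolesRequested.add(role);
            } else {
                // A role container that is not the realm is the owning client.
                clientRolesRequested.add(((ClientModel) role.getContainer()).getClientId(), role);
            }
        }
        List<ProtocolMapperModel> mappersRequested = new ArrayList<ProtocolMapperModel>();
        for (ProtocolMapperModel mapper : code.getRequestedProtocolMappers()) {
            boolean needsConsent = mapper.isConsentRequired() && mapper.getConsentText() != null;
            if (needsConsent && (consent == null || !consent.isProtocolMapperGranted(mapper))) {
                mappersRequested.add(mapper);
            }
        }
        if (realmRolesRequested.isEmpty() && clientRolesRequested.isEmpty() && mappersRequested.isEmpty()) {
            eventBuilder.detail(OIDCLoginProtocol.PROMPT_VALUE_CONSENT, consent != null ? "persistent_consent" : "no_consent_required");
            return null;
        }
        code.setAction(ClientSessionModel.Action.REQUIRED_ACTIONS.name());
        clientSessionModel.setNote(CURRENT_REQUIRED_ACTION, ClientSessionModel.Action.OAUTH_GRANT.name());
        return keycloakSession.getProvider(LoginFormsProvider.class)
                .setClientSessionCode(code.getCode())
                .setAccessRequest(realmRolesRequested, clientRolesRequested, mappersRequested)
                .createOAuthGrant(clientSessionModel);
    }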

    /**
     * Runs the required-action providers named in {@code set}, in iteration order, until one
     * produces a response. An alias without realm configuration is logged and skipped; a
     * disabled one is skipped silently; a configured provider whose factory is not
     * registered is a deployment error and raises {@link RuntimeException}.
     * <p>
     * Per action: {@code FAILURE} sends the protocol's CONSENT_DENIED error and records
     * {@code rejected_by_user}; {@code CHALLENGE} records the provider id in
     * {@link #CURRENT_REQUIRED_ACTION} and returns the challenge; {@code SUCCESS} logs a
     * {@code CUSTOM_REQUIRED_ACTION} event and clears the action from the user and the client
     * session; any other status moves on to the next action.
     *
     * @param keycloakSession    current session
     * @param userSessionModel   user session
     * @param clientSessionModel client session being completed
     * @param httpRequest        current request
     * @param eventBuilder       event being recorded for this login
     * @param realmModel         realm providing the required-action configuration
     * @param userModel          user the actions apply to
     * @param set                required-action aliases to run
     * @return the first error or challenge response, or {@code null} when all actions passed
     */
    protected static Response executionActions(KeycloakSession keycloakSession, UserSessionModel userSessionModel, ClientSessionModel clientSessionModel, HttpRequest httpRequest, EventBuilder eventBuilder, RealmModel realmModel, UserModel userModel, Set<String> set) {
        for (String alias : set) {
            RequiredActionProviderModel actionConfig = realmModel.getRequiredActionProviderByAlias(alias);
            if (actionConfig == null) {
                logger.warnv("Could not find configuration for Required Action {0}, did you forget to register it?", alias);
                continue;
            }
            if (!actionConfig.isEnabled()) {
                continue;
            }
            String providerId = actionConfig.getProviderId();
            RequiredActionFactory factory = keycloakSession.getKeycloakSessionFactory().getProviderFactory(RequiredActionProvider.class, providerId);
            if (factory == null) {
                throw new RuntimeException("Unable to find factory for Required Action: " + providerId + " did you forget to declare it in a META-INF/services file?");
            }
            RequiredActionProvider action = factory.create(keycloakSession);
            RequiredActionContextResult context = new RequiredActionContextResult(userSessionModel, clientSessionModel, realmModel, eventBuilder, keycloakSession, httpRequest, userModel, factory);
            action.requiredActionChallenge(context);
            switch (context.getStatus()) {
                case FAILURE: {
                    LoginProtocol protocol = context.getSession().getProvider(LoginProtocol.class, context.getClientSession().getAuthMethod());
                    protocol.setRealm(context.getRealm())
                            .setHttpHeaders(context.getHttpRequest().getHttpHeaders())
                            .setUriInfo(context.getUriInfo())
                            .setEventBuilder(eventBuilder);
                    Response errorResponse = protocol.sendError(context.getClientSession(), LoginProtocol.Error.CONSENT_DENIED);
                    eventBuilder.error("rejected_by_user");
                    return errorResponse;
                }
                case CHALLENGE: {
                    clientSessionModel.setNote(CURRENT_REQUIRED_ACTION, providerId);
                    return context.getChallenge();
                }
                case SUCCESS: {
                    eventBuilder.clone().event(EventType.CUSTOM_REQUIRED_ACTION).detail("custom_required_action", factory.getId()).success();
                    clientSessionModel.getUserSession().getUser().removeRequiredAction(factory.getId());
                    clientSessionModel.removeRequiredAction(factory.getId());
                    break;
                }
                default:
                    // Any other status: nothing to show, carry on with the next action.
                    break;
            }
        }
        return null;
    }

    /**
     * Gives every enabled required-action provider of the realm a chance to evaluate its
     * triggers for the current login.
     *
     * <p>The context handed to the providers deliberately forbids the outcome callbacks
     * ({@code challenge}, {@code failure}, {@code success}, {@code ignore}): this pass only
     * evaluates triggers, it does not execute actions, so any provider calling one of them
     * here is a programming error and fails loudly.
     *
     * @param keycloakSession     current session, used to look up provider factories
     * @param userSessionModel    user session of the login being evaluated
     * @param clientSessionModel  client session of the login being evaluated
     * @param clientConnection    not used by this method; kept for signature compatibility
     * @param httpRequest         request passed through to the provider context
     * @param uriInfo             not used by this method; kept for signature compatibility
     * @param eventBuilder        event builder passed through to the provider context
     * @param realmModel          realm whose required-action providers are evaluated
     * @param userModel           user the triggers are evaluated for
     * @throws RuntimeException if an enabled required action has no registered factory
     */
    public static void evaluateRequiredActionTriggers(KeycloakSession keycloakSession, UserSessionModel userSessionModel, ClientSessionModel clientSessionModel, ClientConnection clientConnection, HttpRequest httpRequest, UriInfo uriInfo, EventBuilder eventBuilder, RealmModel realmModel, UserModel userModel) {
        for (RequiredActionProviderModel actionModel : realmModel.getRequiredActionProviders()) {
            if (!actionModel.isEnabled()) {
                continue;
            }
            String providerId = actionModel.getProviderId();
            RequiredActionFactory factory = keycloakSession.getKeycloakSessionFactory().getProviderFactory(RequiredActionProvider.class, providerId);
            if (factory == null) {
                // A realm config referencing a provider with no factory is a deployment error, not a login error.
                throw new RuntimeException("Unable to find factory for Required Action: " + providerId + " did you forget to declare it in a META-INF/services file?");
            }
            RequiredActionProvider provider = factory.create(keycloakSession);
            // Trigger evaluation must not produce an outcome; every outcome callback is rejected.
            RequiredActionContextResult triggerContext = new RequiredActionContextResult(userSessionModel, clientSessionModel, realmModel, eventBuilder, keycloakSession, httpRequest, userModel, factory) {
                @Override
                public void challenge(Response response) {
                    throw new RuntimeException("Not allowed to call challenge() within evaluateTriggers()");
                }

                @Override
                public void failure() {
                    throw new RuntimeException("Not allowed to call failure() within evaluateTriggers()");
                }

                @Override
                public void success() {
                    throw new RuntimeException("Not allowed to call success() within evaluateTriggers()");
                }

                @Override
                public void ignore() {
                    throw new RuntimeException("Not allowed to call ignore() within evaluateTriggers()");
                }
            };
            provider.evaluateTriggers(triggerContext);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
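    /**
     * Verifies an identity token (the value carried by the identity cookie) and resolves it to
     * an authenticated user and user session.
     *
     * <p>Verification steps, in order: the issuer must match this realm's issuer URL; the
     * signing key is looked up in the realm's {@link KeyManager} by the {@code kid} from the
     * token header (so a caller-supplied {@code kid} can only ever select one of the realm's
     * own keys); the signature is checked; when {@code z} is set the token must be active and
     * must not have been issued before the realm's not-before time (pushed revocation); the
     * subject must be an existing, enabled user; and the referenced user session must be
     * valid. An inactive user session is cleaned up via back-channel logout before the
     * token is rejected.
     *
     * <p>Every failure is reported as {@code null} and logged at debug level only, so callers
     * see "not authenticated" rather than an error.
     *
     * @param keycloakSession  current session, used for key, user and session lookups
     * @param realmModel       realm the token must belong to
     * @param uriInfo          request URI, used to build the expected issuer
     * @param clientConnection passed through to back-channel logout of a stale session
     * @param z                whether to enforce expiry / realm not-before
     * @param z2               whether to enforce the token type check of {@link TokenVerifier}
     * @param str              the raw identity token string
     * @param httpHeaders      passed through to back-channel logout of a stale session
     * @return the authenticated user, session and token, or {@code null} if the token is not
     *         acceptable for any reason
     */
    public static AuthResult verifyIdentityToken(KeycloakSession keycloakSession, RealmModel realmModel, UriInfo uriInfo, ClientConnection clientConnection, boolean z, boolean z2, String str, HttpHeaders httpHeaders) {
        try {
            TokenVerifier verifier = TokenVerifier.create(str)
                    .realmUrl(Urls.realmIssuer(uriInfo.getBaseUri(), realmModel.getName()))
                    .checkActive(z)
                    .checkTokenType(z2);
            String keyId = verifier.getHeader().getKeyId();
            // A missing/unrecognised "alg" header must not surface as a NullPointerException;
            // treat it like any other unsupported algorithm below.
            AlgorithmType type = verifier.getHeader().getAlgorithm() == null
                    ? null
                    : verifier.getHeader().getAlgorithm().getType();
            if (AlgorithmType.RSA.equals(type)) {
                PublicKey rsaPublicKey = keycloakSession.keys().getRsaPublicKey(realmModel, keyId);
                if (rsaPublicKey == null) {
                    logger.debugf("Identity cookie signed with unknown kid '%s'", keyId);
                    return null;
                }
                verifier.publicKey(rsaPublicKey);
            } else if (AlgorithmType.HMAC.equals(type)) {
                SecretKey hmacSecretKey = keycloakSession.keys().getHmacSecretKey(realmModel, keyId);
                if (hmacSecretKey == null) {
                    logger.debugf("Identity cookie signed with unknown kid '%s'", keyId);
                    return null;
                }
                verifier.secretKey(hmacSecretKey);
            } else {
                // No verification key can be configured for any other algorithm type, so never
                // hand an unkeyed verifier to verify(); reject the token explicitly here.
                logger.debugf("Identity cookie signed with unsupported algorithm type '%s'", type);
                return null;
            }
            AccessToken token = verifier.verify().getToken();
            // Realm not-before lets an admin invalidate every token issued before a point in time.
            if (z && (!token.isActive() || token.getIssuedAt() < realmModel.getNotBefore())) {
                logger.debug("Identity cookie expired");
                return null;
            }
            UserModel userById = keycloakSession.users().getUserById(token.getSubject(), realmModel);
            if (userById == null || !userById.isEnabled()) {
                logger.debug("Unknown user in identity token");
                return null;
            }
            UserSessionModel userSession = keycloakSession.sessions().getUserSession(realmModel, token.getSessionState());
            if (isSessionValid(realmModel, userSession)) {
                return new AuthResult(userById, userSession, token);
            }
            if (userSession != null) {
                // Session exists but is no longer valid: tear it down on the clients as well.
                backchannelLogout(keycloakSession, realmModel, userSession, uriInfo, clientConnection, httpHeaders, true);
            }
            logger.debug("User session not active");
            return null;
        } catch (VerificationException e) {
            // Covers parse, issuer, signature, active and token-type failures from TokenVerifier.
            logger.debugf("Failed to verify identity token: %s", e.getMessage());
            return null;
        }
    }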
}
