package org.keycloak.protocol.oidc.grants.ciba.endpoints;

import com.fasterxml.jackson.databind.node.ObjectNode;
import java.util.Collections;
import java.util.Optional;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.jboss.resteasy.annotations.cache.NoCache;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.common.util.Time;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.CibaConfig;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.OAuth2DeviceCodeModel;
import org.keycloak.models.OAuth2DeviceTokenStoreProvider;
import org.keycloak.models.OAuth2DeviceUserCodeModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.grants.ciba.CibaGrantType;
import org.keycloak.protocol.oidc.grants.ciba.channel.AuthenticationChannelProvider;
import org.keycloak.protocol.oidc.grants.ciba.channel.CIBAAuthenticationRequest;
import org.keycloak.protocol.oidc.grants.ciba.resolvers.CIBALoginUserResolver;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.util.JsonSerialization;
import org.keycloak.utils.MediaType;

/* loaded from: input_file:org/keycloak/protocol/oidc/grants/ciba/endpoints/BackchannelAuthenticationEndpoint.class */
public class BackchannelAuthenticationEndpoint extends AbstractCibaEndpoint {
    private final RealmModel realm;

    public BackchannelAuthenticationEndpoint(KeycloakSession keycloakSession, EventBuilder eventBuilder) {
        super(keycloakSession, eventBuilder);
        this.realm = keycloakSession.getContext().getRealm();
        eventBuilder.event(EventType.LOGIN);
    }

    @NoCache
    @Consumes({MediaType.APPLICATION_FORM_URLENCODED})
    @POST
    @Produces({MediaType.APPLICATION_JSON})
    public Response processGrantRequest(@Context HttpRequest httpRequest) {
        CIBAAuthenticationRequest authorizeClient = authorizeClient(httpRequest.getDecodedFormParameters());
        try {
            String serialize = authorizeClient.serialize(this.session);
            AuthenticationChannelProvider authenticationChannelProvider = (AuthenticationChannelProvider) this.session.getProvider(AuthenticationChannelProvider.class);
            if (authenticationChannelProvider == null) {
                throw new RuntimeException("Authentication Channel Provider not found.");
            }
            CIBALoginUserResolver cIBALoginUserResolver = (CIBALoginUserResolver) this.session.getProvider(CIBALoginUserResolver.class);
            if (cIBALoginUserResolver == null) {
                throw new RuntimeException("CIBA Login User Resolver not setup properly.");
            }
            if (!authenticationChannelProvider.requestAuthentication(authorizeClient, cIBALoginUserResolver.getInfoUsedByAuthentication(authorizeClient.getUser()))) {
                throw new ErrorResponseException("server_error", "Unexpected response from authentication device", Response.Status.SERVICE_UNAVAILABLE);
            }
            CibaConfig cibaPolicy = this.realm.getCibaPolicy();
            int poolingInterval = cibaPolicy.getPoolingInterval();
            storeAuthenticationRequest(authorizeClient, cibaPolicy);
            ObjectNode createObjectNode = JsonSerialization.createObjectNode();
            createObjectNode.put(CibaGrantType.AUTH_REQ_ID, serialize).put("expires_in", cibaPolicy.getExpiresIn());
            if (poolingInterval > 0) {
                createObjectNode.put("interval", poolingInterval);
            }
            return Response.ok(JsonSerialization.writeValueAsBytes(createObjectNode)).build();
        } catch (Exception e) {
            throw new ErrorResponseException("server_error", "Failed to send authentication request", Response.Status.SERVICE_UNAVAILABLE);
        }
    }

    private void storeAuthenticationRequest(CIBAAuthenticationRequest cIBAAuthenticationRequest, CibaConfig cibaConfig) {
        ClientModel client = cIBAAuthenticationRequest.getClient();
        int expiresIn = cibaConfig.getExpiresIn();
        int poolingInterval = cibaConfig.getPoolingInterval();
        OAuth2DeviceCodeModel create = OAuth2DeviceCodeModel.create(this.realm, client, cIBAAuthenticationRequest.getId(), cIBAAuthenticationRequest.getScope(), (String) null, expiresIn, poolingInterval, Collections.emptyMap());
        this.session.getProvider(OAuth2DeviceTokenStoreProvider.class).put(create, new OAuth2DeviceUserCodeModel(this.realm, create.getDeviceCode(), cIBAAuthenticationRequest.getAuthResultId()), expiresIn + poolingInterval + 10);
    }

    private CIBAAuthenticationRequest authorizeClient(MultivaluedMap<String, String> multivaluedMap) {
        ClientModel authenticateClient = authenticateClient();
        CIBAAuthenticationRequest cIBAAuthenticationRequest = new CIBAAuthenticationRequest(this.session, resolveUser(multivaluedMap, this.realm.getCibaPolicy().getAuthRequestedUserHint()), authenticateClient);
        cIBAAuthenticationRequest.setClient(authenticateClient);
        String str = (String) multivaluedMap.getFirst("scope");
        if (str == null) {
            throw new ErrorResponseException("invalid_request", "missing parameter : scope", Response.Status.BAD_REQUEST);
        }
        cIBAAuthenticationRequest.setScope(str);
        if (multivaluedMap.getFirst(CibaGrantType.BINDING_MESSAGE) != null) {
            cIBAAuthenticationRequest.setBindingMessage((String) multivaluedMap.getFirst(CibaGrantType.BINDING_MESSAGE));
        }
        if (multivaluedMap.getFirst(OIDCLoginProtocol.ACR_PARAM) != null) {
            cIBAAuthenticationRequest.setAcrValues((String) multivaluedMap.getFirst(OIDCLoginProtocol.ACR_PARAM));
        }
        Integer valueOf = Integer.valueOf(this.realm.getCibaPolicy().getExpiresIn());
        String str2 = (String) multivaluedMap.getFirst(CibaGrantType.REQUESTED_EXPIRY);
        if (str2 != null) {
            valueOf = Integer.valueOf(str2);
        }
        cIBAAuthenticationRequest.exp(Long.valueOf(Time.currentTime() + valueOf.longValue()));
        StringBuilder sb = new StringBuilder((String) Optional.ofNullable(cIBAAuthenticationRequest.getScope()).orElse(""));
        authenticateClient.getClientScopes(true).forEach((str3, clientScopeModel) -> {
            if (clientScopeModel.isDisplayOnConsentScreen()) {
                sb.append(" ").append(clientScopeModel.getName());
            }
        });
        cIBAAuthenticationRequest.setScope(sb.toString());
        if (((String) multivaluedMap.getFirst(CibaGrantType.CLIENT_NOTIFICATION_TOKEN)) != null) {
            throw new ErrorResponseException("invalid_request", "Ping and push modes not supported. Use poll mode instead.", Response.Status.BAD_REQUEST);
        }
        if (((String) multivaluedMap.getFirst("user_code")) != null) {
            throw new ErrorResponseException("invalid_request", "User code not supported", Response.Status.BAD_REQUEST);
        }
        return cIBAAuthenticationRequest;
    }

    private UserModel resolveUser(MultivaluedMap<String, String> multivaluedMap, String str) {
        UserModel userFromLoginHintToken;
        CIBALoginUserResolver cIBALoginUserResolver = (CIBALoginUserResolver) this.session.getProvider(CIBALoginUserResolver.class);
        if (cIBALoginUserResolver == null) {
            throw new RuntimeException("CIBA Login User Resolver not setup properly.");
        }
        if (str.equals("login_hint")) {
            String str2 = (String) multivaluedMap.getFirst("login_hint");
            if (str2 == null) {
                throw new ErrorResponseException("invalid_request", "missing parameter : login_hint", Response.Status.BAD_REQUEST);
            }
            userFromLoginHintToken = cIBALoginUserResolver.getUserFromLoginHint(str2);
        } else if (str.equals(OIDCLoginProtocol.ID_TOKEN_HINT)) {
            String str3 = (String) multivaluedMap.getFirst(OIDCLoginProtocol.ID_TOKEN_HINT);
            if (str3 == null) {
                throw new ErrorResponseException("invalid_request", "missing parameter : id_token_hint", Response.Status.BAD_REQUEST);
            }
            userFromLoginHintToken = cIBALoginUserResolver.getUserFromIdTokenHint(str3);
        } else {
            if (!str.equals(CibaGrantType.LOGIN_HINT_TOKEN)) {
                throw new ErrorResponseException("invalid_request", "invalid user hint", Response.Status.BAD_REQUEST);
            }
            String str4 = (String) multivaluedMap.getFirst(CibaGrantType.LOGIN_HINT_TOKEN);
            if (str4 == null) {
                throw new ErrorResponseException("invalid_request", "missing parameter : login_hint_token", Response.Status.BAD_REQUEST);
            }
            userFromLoginHintToken = cIBALoginUserResolver.getUserFromLoginHintToken(str4);
        }
        if (userFromLoginHintToken == null || !userFromLoginHintToken.isEnabled()) {
            throw new ErrorResponseException("invalid_request", "invalid user", Response.Status.BAD_REQUEST);
        }
        return userFromLoginHintToken;
    }
}
