package org.keycloak.services.resources;

import java.net.URI;
import java.util.Iterator;
import java.util.Map;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.QueryParam;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriBuilderException;
import javax.ws.rs.core.UriInfo;
import javax.ws.rs.ext.Providers;
import org.jboss.logging.Logger;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.TokenVerifier;
import org.keycloak.authentication.AuthenticationProcessor;
import org.keycloak.authentication.RequiredActionContext;
import org.keycloak.authentication.RequiredActionContextResult;
import org.keycloak.authentication.RequiredActionFactory;
import org.keycloak.authentication.RequiredActionProvider;
import org.keycloak.authentication.actiontoken.ActionTokenContext;
import org.keycloak.authentication.actiontoken.ActionTokenHandler;
import org.keycloak.authentication.actiontoken.DefaultActionToken;
import org.keycloak.authentication.actiontoken.DefaultActionTokenKey;
import org.keycloak.authentication.actiontoken.ExplainedTokenVerificationException;
import org.keycloak.authentication.actiontoken.resetcred.ResetCredentialsActionTokenHandler;
import org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator;
import org.keycloak.authentication.authenticators.broker.util.PostBrokerLoginConstants;
import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext;
import org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.common.ClientConnection;
import org.keycloak.common.VerificationException;
import org.keycloak.common.util.Time;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.exceptions.TokenNotActiveException;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.AuthenticationFlowModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserConsentModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.FormMessage;
import org.keycloak.protocol.AuthorizationEndpointBase;
import org.keycloak.protocol.LoginProtocol;
import org.keycloak.protocol.docker.DockerAuthV2Protocol;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.utils.OIDCResponseMode;
import org.keycloak.protocol.oidc.utils.OIDCResponseType;
import org.keycloak.protocol.saml.SamlProtocol;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.services.ErrorPage;
import org.keycloak.services.ServicesLogger;
import org.keycloak.services.Urls;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.AuthenticationSessionManager;
import org.keycloak.services.managers.ClientSessionCode;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.util.AuthenticationFlowURLHelper;
import org.keycloak.services.util.BrowserHistoryHelper;
import org.keycloak.services.util.CacheControlUtil;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.sessions.CommonClientSessionModel;
import org.keycloak.utils.MediaType;

/* loaded from: input_file:org/keycloak/services/resources/LoginActionsService.class */
public class LoginActionsService {
    private static final Logger logger = Logger.getLogger(LoginActionsService.class);
    // URL path segments under the login-actions base. They serve as @Path values on the endpoint
    // methods below and as the "flow path" handed to SessionCodeChecks and AuthenticationProcessor
    // (REQUIRED_ACTION is used only as a flow path in the visible code).
    public static final String AUTHENTICATE_PATH = "authenticate";
    public static final String REGISTRATION_PATH = "registration";
    public static final String RESET_CREDENTIALS_PATH = "reset-credentials";
    public static final String REQUIRED_ACTION = "required-action";
    public static final String FIRST_BROKER_LOGIN_PATH = "first-broker-login";
    public static final String POST_BROKER_LOGIN_PATH = "post-broker-login";
    public static final String RESTART_PATH = "restart";
    // Auth-session note carrying an error message to surface on the next rendered form.
    // processFlow removes the note as soon as it has read it, so the message is shown once.
    public static final String FORWARDED_ERROR_MESSAGE_NOTE = "forwardedErrorMessage";
    // Realm this resource instance serves; assigned by the constructor.
    private RealmModel realm;

    // Request-scoped collaborators injected by JAX-RS through @Context.
    @Context
    private HttpRequest request;

    @Context
    protected HttpHeaders headers;

    @Context
    private UriInfo uriInfo;

    @Context
    private ClientConnection clientConnection;

    @Context
    protected Providers providers;

    @Context
    protected KeycloakSession session;
    // Audit event builder for the current request. Assigned by the constructor; handleActionToken
    // replaces it with the event taken from the ActionTokenContext once a token has been processed.
    private EventBuilder event;

    /**
     * Builds the login-actions base {@link UriBuilder} from the current request's base URI.
     *
     * @param uriInfo the JAX-RS URI context of the current request
     * @return a builder positioned at this resource's base path
     */
    public static UriBuilder loginActionsBaseUrl(UriInfo uriInfo) {
        UriBuilder base = uriInfo.getBaseUriBuilder();
        return loginActionsBaseUrl(base);
    }

    /**
     * Builds the URL of the {@code authenticateForm} endpoint (the POST side of the authenticate path).
     *
     * @param uriInfo the JAX-RS URI context of the current request
     * @return a builder pointing at the authentication form processor
     */
    public static UriBuilder authenticationFormProcessor(UriInfo uriInfo) {
        UriBuilder base = loginActionsBaseUrl(uriInfo);
        return base.path(LoginActionsService.class, "authenticateForm");
    }

    /**
     * Builds the URL of the {@code requiredActionPOST} endpoint (declared outside this excerpt).
     *
     * @param uriInfo the JAX-RS URI context of the current request
     * @return a builder pointing at the required-action processor
     */
    public static UriBuilder requiredActionProcessor(UriInfo uriInfo) {
        UriBuilder base = loginActionsBaseUrl(uriInfo);
        return base.path(LoginActionsService.class, "requiredActionPOST");
    }

    /**
     * Builds the URL of the {@code executeActionToken} endpoint ({@code action-token}).
     *
     * @param uriInfo the JAX-RS URI context of the current request
     * @return a builder pointing at the action-token processor
     */
    public static UriBuilder actionTokenProcessor(UriInfo uriInfo) {
        UriBuilder base = loginActionsBaseUrl(uriInfo);
        return base.path(LoginActionsService.class, "executeActionToken");
    }

    /**
     * Builds the URL of the {@code processRegister} endpoint (the POST side of the registration path).
     *
     * @param uriInfo the JAX-RS URI context of the current request
     * @return a builder pointing at the registration form processor
     */
    public static UriBuilder registrationFormProcessor(UriInfo uriInfo) {
        UriBuilder base = loginActionsBaseUrl(uriInfo);
        return base.path(LoginActionsService.class, "processRegister");
    }

    /**
     * Builds the URL of the {@code firstBrokerLoginGet} endpoint.
     *
     * @param uriInfo the JAX-RS URI context of the current request
     * @return a builder pointing at the first-broker-login processor
     */
    public static UriBuilder firstBrokerLoginProcessor(UriInfo uriInfo) {
        UriBuilder base = loginActionsBaseUrl(uriInfo);
        return base.path(LoginActionsService.class, "firstBrokerLoginGet");
    }

    /**
     * Builds the URL of the {@code postBrokerLoginGet} endpoint.
     *
     * @param uriInfo the JAX-RS URI context of the current request
     * @return a builder pointing at the post-broker-login processor
     */
    public static UriBuilder postBrokerLoginProcessor(UriInfo uriInfo) {
        UriBuilder base = loginActionsBaseUrl(uriInfo);
        return base.path(LoginActionsService.class, "postBrokerLoginGet");
    }

    /**
     * Appends the realms resource path and the {@code getLoginActionsService} sub-resource path.
     *
     * @param uriBuilder builder already positioned at the server base URI
     * @return the same builder, now positioned at the login-actions base path
     */
    public static UriBuilder loginActionsBaseUrl(UriBuilder uriBuilder) {
        UriBuilder realmsBase = uriBuilder.path(RealmsResource.class);
        return realmsBase.path(RealmsResource.class, "getLoginActionsService");
    }

    /**
     * Creates the login-actions resource for one realm.
     *
     * @param realmModel   the realm whose flows and settings govern this request
     * @param eventBuilder the audit event builder for this request
     */
    public LoginActionsService(RealmModel realmModel, EventBuilder eventBuilder) {
        this.realm = realmModel;
        this.event = eventBuilder;
        // Sets cache-control headers on the response; judging by the helper's name this is meant to
        // keep login pages from being re-shown via the browser back button (see CacheControlUtil).
        CacheControlUtil.noBackButtonCacheControlHeader();
    }

    /**
     * Tells whether the transport of this request satisfies the realm's SSL policy.
     *
     * @return {@code true} when the base URI is {@code https}, or when the realm does not require
     *         SSL for this client connection
     */
    private boolean checkSsl() {
        String scheme = this.uriInfo.getBaseUri().getScheme();
        if (scheme.equals("https")) {
            return true;
        }
        // Plain HTTP is tolerated only when the realm's SSL-required setting exempts this connection.
        return !this.realm.getSslRequired().isRequired(this.clientConnection);
    }

    /**
     * Creates the session-code checker for a request and runs its initial verification.
     *
     * @param code      the {@code code} query parameter (may be {@code null})
     * @param execution the {@code execution} query parameter (may be {@code null})
     * @param clientId  the {@code client_id} query parameter (may be {@code null})
     * @param flowPath  the login-actions path the request belongs to
     * @return the initialised checker; callers inspect its verification results and response
     */
    private SessionCodeChecks checksForCode(String code, String execution, String clientId, String flowPath) {
        SessionCodeChecks checks = new SessionCodeChecks(this.realm, this.uriInfo, this.clientConnection, this.session, this.event, code, execution, clientId, flowPath);
        checks.initialVerify();
        return checks;
    }

    /**
     * Resolves the URL of the last execution of a flow via {@link AuthenticationFlowURLHelper}.
     *
     * @param str  the flow path
     * @param str2 the execution id, or {@code null}
     * @param str3 the client id
     * @return the URL to redirect the browser to
     */
    protected URI getLastExecutionUrl(String str, String str2, String str3) {
        AuthenticationFlowURLHelper helper = new AuthenticationFlowURLHelper(this.session, this.realm, this.uriInfo);
        return helper.getLastExecutionUrl(str, str2, str3);
    }

    /**
     * Restarts the authentication flow of the current authentication session.
     * The flow is reset to the app-initiated flow recorded on the session, or to the
     * plain authenticate flow when none is recorded, and the browser is redirected to it.
     *
     * @param str the {@code client_id} query parameter
     * @return a 302 redirect to the restarted flow, or the checker's error response when no
     *         authentication session could be verified
     */
    @GET
    @Path(RESTART_PATH)
    public Response restartSession(@QueryParam("client_id") String str) {
        this.event.event(EventType.RESTART_AUTHENTICATION);
        SessionCodeChecks checks = new SessionCodeChecks(this.realm, this.uriInfo, this.clientConnection, this.session, this.event, null, null, str, null);
        AuthenticationSessionModel authSession = checks.initialVerifyAuthSession();
        if (authSession == null) {
            return checks.getResponse();
        }
        String appFlow = authSession.getClientNote(AuthorizationEndpointBase.APP_INITIATED_FLOW);
        String flowPath = appFlow != null ? appFlow : AUTHENTICATE_PATH;
        AuthenticationProcessor.resetFlow(authSession, flowPath);
        URI target = getLastExecutionUrl(flowPath, null, authSession.getClient().getClientId());
        logger.debugf("Flow restart requested. Redirecting to %s", target);
        return Response.status(Response.Status.FOUND).location(target).build();
    }

    /**
     * GET entry point of the browser authentication flow.
     *
     * @param str  the {@code code} query parameter
     * @param str2 the {@code execution} query parameter
     * @param str3 the {@code client_id} query parameter
     * @return the next page of the flow, or the checker's error response when the code or action
     *         is not valid for a login
     */
    @GET
    @Path(AUTHENTICATE_PATH)
    public Response authenticate(@QueryParam("code") String str, @QueryParam("execution") String str2, @QueryParam("client_id") String str3) {
        this.event.event(EventType.LOGIN);
        SessionCodeChecks checks = checksForCode(str, str2, str3, AUTHENTICATE_PATH);
        boolean valid = checks.verifyActiveAndValidAction(CommonClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN);
        if (!valid) {
            return checks.getResponse();
        }
        return processAuthentication(checks.isActionRequest(), str2, checks.getAuthenticationSession(), null);
    }

    /**
     * Runs the realm's browser flow for an authentication session.
     *
     * @param z                          {@code true} for a form submission (action), {@code false} to render/continue
     * @param str                        the execution id, or {@code null}
     * @param authenticationSessionModel the authentication session being processed
     * @param str2                       an error message to forward to the form, or {@code null}
     * @return the response produced by the flow
     */
    protected Response processAuthentication(boolean z, String str, AuthenticationSessionModel authenticationSessionModel, String str2) {
        AuthenticationFlowModel browserFlow = this.realm.getBrowserFlow();
        AuthenticationProcessor processor = new AuthenticationProcessor();
        return processFlow(z, str, authenticationSessionModel, AUTHENTICATE_PATH, browserFlow, str2, processor);
    }

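    /**
     * Configures an {@link AuthenticationProcessor} for the given flow and runs it.
     * <p>
     * An error message may reach the form in two ways: the explicit {@code str3} argument, or the
     * {@link #FORWARDED_ERROR_MESSAGE_NOTE} auth note left by a previous request. The note is
     * removed once read and, when both are present, it is set last and therefore wins.
     *
     * @param z                          {@code true} when this request is a form submission for the current
     *                                   execution, {@code false} to render or continue the flow
     * @param str                        the execution id, or {@code null}
     * @param authenticationSessionModel the authentication session being processed
     * @param str2                       the login-actions flow path used when building URLs
     * @param authenticationFlowModel    the flow to run
     * @param str3                       an error message to forward to the form, or {@code null}
     * @param authenticationProcessor    the processor instance to configure and run
     * @return the flow's response, saved for browser-history handling
     */
    protected Response processFlow(boolean z, String str, AuthenticationSessionModel authenticationSessionModel, String str2, AuthenticationFlowModel authenticationFlowModel, String str3, AuthenticationProcessor authenticationProcessor) {
        authenticationProcessor.setAuthenticationSession(authenticationSessionModel)
                .setFlowPath(str2)
                .setBrowserFlow(true)
                .setFlowId(authenticationFlowModel.getId())
                .setConnection(this.clientConnection)
                .setEventBuilder(this.event)
                .setRealm(this.realm)
                .setSession(this.session)
                .setUriInfo(this.uriInfo)
                .setRequest(this.request);
        if (str3 != null) {
            authenticationProcessor.setForwardedErrorMessage(new FormMessage((String) null, str3));
        }
        // A forwarded message is consumed exactly once: read, removed from the session, displayed.
        String forwarded = authenticationSessionModel.getAuthNote(FORWARDED_ERROR_MESSAGE_NOTE);
        if (forwarded != null) {
            authenticationSessionModel.removeAuthNote(FORWARDED_ERROR_MESSAGE_NOTE);
            authenticationProcessor.setForwardedErrorMessage(new FormMessage((String) null, forwarded));
        }
        Response response;
        try {
            response = z ? authenticationProcessor.authenticationAction(str) : authenticationProcessor.authenticate();
        } catch (WebApplicationException e) {
            // Must be caught before the generic Exception handler (it is a subclass of Exception);
            // it already carries the response to return.
            response = e.getResponse();
            authenticationSessionModel = authenticationProcessor.getAuthenticationSession();
        } catch (Exception e) {
            response = authenticationProcessor.handleBrowserException(e);
            // The processor may have switched authentication sessions while handling the error.
            authenticationSessionModel = authenticationProcessor.getAuthenticationSession();
        }
        return BrowserHistoryHelper.getInstance().saveResponseAndRedirect(this.session, authenticationSessionModel, response, z);
    }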

    /**
     * POST entry point of the browser authentication flow; same handling as the GET variant.
     *
     * @param str  the {@code code} query parameter
     * @param str2 the {@code execution} query parameter
     * @param str3 the {@code client_id} query parameter
     * @return the response of {@link #authenticate(String, String, String)}
     */
    @POST
    @Path(AUTHENTICATE_PATH)
    public Response authenticateForm(@QueryParam("code") String str, @QueryParam("execution") String str2, @QueryParam("client_id") String str3) {
        Response result = authenticate(str, str2, str3);
        return result;
    }

    /**
     * POST entry point of the reset-credentials flow. When a {@code key} (action token) is present
     * the request is processed as an action token; otherwise as a regular flow step.
     *
     * @param str  the {@code code} query parameter
     * @param str2 the {@code execution} query parameter
     * @param str3 the {@code client_id} query parameter
     * @param str4 the {@code key} query parameter holding a serialized action token, or {@code null}
     * @return the next response of the flow or the action-token handling result
     */
    @POST
    @Path("reset-credentials")
    public Response resetCredentialsPOST(@QueryParam("code") String str, @QueryParam("execution") String str2, @QueryParam("client_id") String str3, @QueryParam("key") String str4) {
        if (str4 == null) {
            this.event.event(EventType.RESET_PASSWORD);
            return resetCredentials(str, str2, str3);
        }
        return handleActionToken(str4, str2, str3);
    }

    /**
     * GET entry point of the reset-credentials flow.
     * With an authentication session in progress or a {@code code}, the request continues that flow.
     * Otherwise a fresh authentication session for the account client is created, provided the realm
     * allows password reset; if it does not, an error page is returned.
     *
     * @param str  the {@code code} query parameter, or {@code null}
     * @param str2 the {@code execution} query parameter
     * @param str3 the {@code client_id} query parameter
     * @return the next page of the flow or an error page
     */
    @GET
    @Path("reset-credentials")
    public Response resetCredentialsGET(@QueryParam("code") String str, @QueryParam("execution") String str2, @QueryParam("client_id") String str3) {
        AuthenticationSessionModel current = new AuthenticationSessionManager(this.session).getCurrentAuthenticationSession(this.realm);
        if (current != null || str != null) {
            this.event.event(EventType.RESET_PASSWORD);
            return resetCredentials(str, str2, str3);
        }
        if (!this.realm.isResetPasswordAllowed()) {
            this.event.event(EventType.RESET_PASSWORD);
            this.event.error("not_allowed");
            return ErrorPage.error(this.session, Messages.RESET_CREDENTIAL_NOT_ALLOWED, new Object[0]);
        }
        // Neither a code nor a session in progress: bootstrap a flow bound to the account client.
        return processResetCredentials(false, null, createAuthenticationSessionForClient());
    }

    /**
     * Creates a new browser authentication session for the client identified by
     * {@link DockerAuthV2Protocol#ACCOUNT_PARAM}, set up as an {@code openid-connect} code-flow
     * login that redirects to the realm's account base URL.
     *
     * @return the newly created authentication session
     * @throws UriBuilderException      if the redirect URI cannot be built
     * @throws IllegalArgumentException if the redirect URI template cannot be resolved
     */
    AuthenticationSessionModel createAuthenticationSessionForClient() throws UriBuilderException, IllegalArgumentException {
        ClientModel accountClient = this.realm.getClientByClientId(DockerAuthV2Protocol.ACCOUNT_PARAM);
        AuthenticationSessionModel authSession = new AuthenticationSessionManager(this.session).createAuthenticationSession(this.realm, accountClient, true);
        authSession.setAction(CommonClientSessionModel.Action.AUTHENTICATE.name());
        authSession.setProtocol("openid-connect");
        String accountUrl = Urls.accountBase(this.uriInfo.getBaseUri()).path("/").build(new Object[]{this.realm.getName()}).toString();
        authSession.setRedirectUri(accountUrl);
        authSession.setClientNote("response_type", "code");
        authSession.setClientNote("redirect_uri", accountUrl);
        authSession.setClientNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(this.uriInfo.getBaseUri(), this.realm.getName()));
        return authSession;
    }

    /**
     * Verifies the session code for the reset-credentials path and runs the next step of the flow.
     *
     * @param str  the {@code code} query parameter
     * @param str2 the {@code execution} query parameter
     * @param str3 the {@code client_id} query parameter
     * @return the next page of the flow, the checker's error response, or an error page when the
     *         realm does not allow password reset
     */
    protected Response resetCredentials(String str, String str2, String str3) {
        SessionCodeChecks checks = checksForCode(str, str2, str3, "reset-credentials");
        boolean valid = checks.verifyActiveAndValidAction(CommonClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.USER);
        if (!valid) {
            return checks.getResponse();
        }
        AuthenticationSessionModel authSession = checks.getAuthenticationSession();
        if (!this.realm.isResetPasswordAllowed()) {
            this.event.error("not_allowed");
            return ErrorPage.error(this.session, Messages.RESET_CREDENTIAL_NOT_ALLOWED, new Object[0]);
        }
        return processResetCredentials(checks.isActionRequest(), str2, authSession);
    }

    /**
     * Endpoint that executes a serialized action token passed in the {@code key} query parameter.
     *
     * @param str  the serialized action token
     * @param str2 the {@code execution} query parameter
     * @param str3 the {@code client_id} query parameter
     * @return the result of {@link #handleActionToken(String, String, String)}
     */
    @GET
    @Path("action-token")
    public Response executeActionToken(@QueryParam("key") String str, @QueryParam("execution") String str2, @QueryParam("client_id") String str3) {
        Response result = handleActionToken(str, str2, str3);
        return result;
    }

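    /**
     * Executes an action token: resolves the handler for the token's action, verifies the token's
     * signature and basic claims against the realm, reconciles it with any authentication session
     * already in progress, runs the handler's own verifiers, and finally delegates to the handler.
     * <p>
     * Verification failures are turned into error pages (and the authentication session created for
     * the token, if any, is removed). An expired token while an authentication session exists restarts
     * that session's flow with a login-timeout message instead.
     *
     * @param str  the serialized action token ({@code key} query parameter); {@code null} is rejected
     * @param str2 the {@code execution} query parameter, passed through to the action-token context
     * @param str3 the {@code client_id} query parameter; when it names an existing client that client
     *             is set on the session context before the token is processed (it is later replaced
     *             by the authentication session's client)
     * @return the handler's response, an error page, or a restarted login flow
     */
    protected <T extends DefaultActionToken> Response handleActionToken(String str, String str2, String str3) {
        AuthenticationSessionModel authSession = new AuthenticationSessionManager(this.session).getCurrentAuthenticationSession(this.realm);
        this.event.event(EventType.EXECUTE_ACTION_TOKEN);
        ClientModel clientModel = null;
        if (str3 != null) {
            clientModel = this.realm.getClientByClientId(str3);
        }
        if (clientModel != null) {
            this.session.getContext().setClient(clientModel);
        }
        try {
            if (str == null) {
                throw new ExplainedTokenVerificationException((JsonWebToken) null, "not_allowed", Messages.INVALID_REQUEST);
            }
            // Parsed but NOT yet verified: these claims only select the handler and annotate the event.
            // The signature is checked below before anything acts on the token.
            TokenVerifier verifier = TokenVerifier.create(str, DefaultActionToken.class);
            DefaultActionToken keyToken = (DefaultActionToken) verifier.getToken();
            this.event.detail("token_id", keyToken.getId()).detail("action", keyToken.getActionId()).user(keyToken.getUserId());
            ActionTokenHandler handler = resolveActionTokenHandler(keyToken.getActionId());
            String defaultEventError = handler.getDefaultEventError();
            String defaultErrorMessage = handler.getDefaultErrorMessage();
            if (!this.realm.isEnabled()) {
                throw new ExplainedTokenVerificationException(keyToken, "realm_disabled", Messages.REALM_NOT_ENABLED);
            }
            if (!checkSsl()) {
                throw new ExplainedTokenVerificationException(keyToken, "ssl_required", Messages.HTTPS_REQUIRED);
            }
            // Signature (realm's active HMAC key), activity, issuer and basic claim checks.
            verifier.withChecks(new TokenVerifier.Predicate[]{TokenVerifier.IS_ACTIVE, new TokenVerifier.RealmUrlCheck(Urls.realmIssuer(this.uriInfo.getBaseUri(), this.realm.getName())), DefaultActionToken.ACTION_TOKEN_BASIC_CHECKS}).secretKey(this.session.keys().getActiveHmacKey(this.realm).getSecretKey()).verify();
            // Re-parse the same (now verified) string into the handler's concrete token class.
            DefaultActionToken token = (DefaultActionToken) TokenVerifier.create(str, handler.getTokenClass()).getToken();
            ActionTokenContext<?> tokenContext = new ActionTokenContext<>(this.session, this.realm, this.uriInfo, this.clientConnection, this.request, this.event, handler, str2, this::processFlow, this::brokerLoginFlow);
            try {
                String tokenAuthSessionId = handler.getAuthenticationSessionIdFromToken(token);
                if (tokenAuthSessionId != null) {
                    LoginActionsServiceChecks.checkNotLoggedInYet(tokenContext, tokenAuthSessionId);
                }
                if (authSession == null) {
                    authSession = handler.startFreshAuthenticationSession(token, tokenContext);
                    tokenContext.setAuthenticationSession(authSession, true);
                } else if (tokenAuthSessionId == null || !LoginActionsServiceChecks.doesAuthenticationSessionFromCookieMatchOneFromToken(tokenContext, tokenAuthSessionId)) {
                    // The session from the cookie does not belong to this token: discard it and start over.
                    logger.debugf("Authentication session in progress but no authentication session ID was found in action token %s, restarting.", token.getId());
                    new AuthenticationSessionManager(this.session).removeAuthenticationSession(this.realm, authSession, false);
                    authSession = handler.startFreshAuthenticationSession(token, tokenContext);
                    tokenContext.setAuthenticationSession(authSession, true);
                }
                initLoginEvent(authSession);
                this.event.event(handler.eventType());
                LoginActionsServiceChecks.checkIsUserValid(token, tokenContext);
                LoginActionsServiceChecks.checkIsClientValid(token, (ActionTokenContext<DefaultActionToken>) tokenContext);
                this.session.getContext().setClient(authSession.getClient());
                // Handler-specific verifiers run on the already signature-checked token.
                TokenVerifier.create(token).withChecks(handler.getVerifiers(tokenContext)).verify();
                AuthenticationSessionModel contextAuthSession = tokenContext.getAuthenticationSession();
                this.event = tokenContext.getEvent();
                this.event.event(handler.eventType());
                if (!handler.canUseTokenRepeatedly(token, tokenContext)) {
                    // Single-use tokens: refuse a replay and mark the key for invalidation on completion.
                    LoginActionsServiceChecks.checkTokenWasNotUsedYet(token, tokenContext);
                    contextAuthSession.setAuthNote(AuthenticationManager.INVALIDATE_ACTION_TOKEN, token.serializeKey());
                }
                contextAuthSession.setAuthNote(DefaultActionTokenKey.ACTION_TOKEN_USER_ID, token.getUserId());
                return handler.handleToken(token, tokenContext);
            } catch (ExplainedTokenVerificationException e) {
                return handleActionTokenVerificationException(tokenContext, e, e.getErrorEvent(), e.getMessage());
            } catch (LoginActionsServiceException e2) {
                Response response = e2.getResponse();
                return response == null ? handleActionTokenVerificationException(tokenContext, e2, defaultEventError, defaultErrorMessage) : response;
            } catch (VerificationException e3) {
                return handleActionTokenVerificationException(tokenContext, e3, defaultEventError, defaultErrorMessage);
            }
        } catch (TokenNotActiveException e4) {
            if (authSession == null) {
                return handleActionTokenVerificationException(null, e4, "expired_code", null);
            }
            // Expired token but a login is in progress: restart that flow and tell the user why.
            this.event.clone().error("expired_code");
            String appFlow = authSession.getClientNote(AuthorizationEndpointBase.APP_INITIATED_FLOW);
            if (appFlow == null) {
                appFlow = AUTHENTICATE_PATH;
            }
            AuthenticationProcessor.resetFlow(authSession, appFlow);
            return processAuthentication(false, null, authSession, Messages.LOGIN_TIMEOUT);
        } catch (ExplainedTokenVerificationException e6) {
            // A subclass of VerificationException: it must be caught before the generic handler below,
            // otherwise its explicit error event and message would be replaced by the generic ones.
            return handleActionTokenVerificationException(null, e6, e6.getErrorEvent(), e6.getMessage());
        } catch (VerificationException e5) {
            return handleActionTokenVerificationException(null, e5, null, null);
        }
    }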

    /**
     * Looks up the {@link ActionTokenHandler} provider registered under the token's action id.
     *
     * @param actionId the action id claimed by the token; may be {@code null}
     * @return the handler provider for that action
     * @throws VerificationException if the action id is missing or no handler is registered for it
     */
    private <T extends DefaultActionToken> ActionTokenHandler<T> resolveActionTokenHandler(String actionId) throws VerificationException {
        if (actionId == null) {
            throw new VerificationException("Action token operation not set");
        }
        // Unchecked: the provider lookup is keyed by the action id only, not by the token type.
        ActionTokenHandler<T> handler = (ActionTokenHandler) this.session.getProvider(ActionTokenHandler.class, actionId);
        if (handler != null) {
            return handler;
        }
        throw new VerificationException("Invalid action token operation");
    }

    /**
     * Turns an action-token verification failure into an error page, removing the authentication
     * session held by the token context (if any) and recording the failure on the event.
     *
     * @param ctx        the token context, or {@code null} when the failure happened before one existed
     * @param cause      the verification failure; its message is recorded as the event's {@code reason}
     * @param eventError the event error code, or {@code null} to record {@code invalid_code}
     * @param messageKey the message to show, or {@code null} to show {@link Messages#INVALID_CODE}
     * @return the rendered error page
     */
    private Response handleActionTokenVerificationException(ActionTokenContext<?> ctx, VerificationException cause, String eventError, String messageKey) {
        if (ctx != null && ctx.getAuthenticationSession() != null) {
            new AuthenticationSessionManager(this.session).removeAuthenticationSession(this.realm, ctx.getAuthenticationSession(), true);
        }
        String reason = cause == null ? "<unknown>" : cause.getMessage();
        String errorCode = eventError == null ? "invalid_code" : eventError;
        this.event.detail("reason", reason).error(errorCode);
        String displayMessage = messageKey == null ? Messages.INVALID_CODE : messageKey;
        return ErrorPage.error(this.session, displayMessage, new Object[0]);
    }

    /**
     * Runs the realm's reset-credentials flow with the reset-credentials processor.
     *
     * @param z                          {@code true} for a form submission (action), {@code false} to render/continue
     * @param str                        the execution id, or {@code null}
     * @param authenticationSessionModel the authentication session being processed
     * @return the response produced by the flow
     */
    protected Response processResetCredentials(boolean z, String str, AuthenticationSessionModel authenticationSessionModel) {
        AuthenticationFlowModel resetFlow = this.realm.getResetCredentialsFlow();
        AuthenticationProcessor processor = new ResetCredentialsActionTokenHandler.ResetCredsAuthenticationProcessor();
        return processFlow(z, str, authenticationSessionModel, "reset-credentials", resetFlow, null, processor);
    }

    /**
     * Runs the realm's registration flow.
     *
     * @param z                          {@code true} for a form submission (action), {@code false} to render/continue
     * @param str                        the execution id, or {@code null}
     * @param authenticationSessionModel the authentication session being processed
     * @param str2                       an error message to forward to the form, or {@code null}
     * @return the response produced by the flow
     */
    protected Response processRegistration(boolean z, String str, AuthenticationSessionModel authenticationSessionModel, String str2) {
        AuthenticationFlowModel registrationFlow = this.realm.getRegistrationFlow();
        AuthenticationProcessor processor = new AuthenticationProcessor();
        return processFlow(z, str, authenticationSessionModel, REGISTRATION_PATH, registrationFlow, str2, processor);
    }

    /**
     * GET entry point of the registration flow (renders the form).
     *
     * @param str  the {@code code} query parameter
     * @param str2 the {@code execution} query parameter
     * @param str3 the {@code client_id} query parameter
     * @return the registration page or an error response
     */
    @GET
    @Path(REGISTRATION_PATH)
    public Response registerPage(@QueryParam("code") String str, @QueryParam("execution") String str2, @QueryParam("client_id") String str3) {
        final boolean isAction = false;
        return registerRequest(str, str2, str3, isAction);
    }

    /**
     * POST entry point of the registration flow (processes the submitted form).
     *
     * @param str  the {@code code} query parameter
     * @param str2 the {@code execution} query parameter
     * @param str3 the {@code client_id} query parameter
     * @return the next page of the flow or an error response
     */
    @POST
    @Path(REGISTRATION_PATH)
    public Response processRegister(@QueryParam("code") String str, @QueryParam("execution") String str2, @QueryParam("client_id") String str3) {
        final boolean isAction = true;
        return registerRequest(str, str2, str3, isAction);
    }

    /**
     * Shared handling of registration GET and POST: checks that registration is enabled, verifies
     * the session code, expires the identity cookie and runs the registration flow.
     *
     * @param code      the {@code code} query parameter
     * @param execution the {@code execution} query parameter
     * @param clientId  the {@code client_id} query parameter
     * @param isAction  {@code true} for the POST (form submission), {@code false} for the GET
     * @return the next page of the flow, the checker's error response, or an error page when the
     *         realm has registration disabled
     */
    private Response registerRequest(String code, String execution, String clientId, boolean isAction) {
        this.event.event(EventType.REGISTER);
        if (!this.realm.isRegistrationAllowed()) {
            this.event.error("registration_disabled");
            return ErrorPage.error(this.session, Messages.REGISTRATION_NOT_ALLOWED, new Object[0]);
        }
        SessionCodeChecks checks = checksForCode(code, execution, clientId, REGISTRATION_PATH);
        boolean valid = checks.verifyActiveAndValidAction(CommonClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN);
        if (!valid) {
            return checks.getResponse();
        }
        AuthenticationSessionModel authSession = checks.getAuthenticationSession();
        // Any existing SSO identity cookie is expired before the registration flow runs.
        AuthenticationManager.expireIdentityCookie(this.realm, this.uriInfo, this.clientConnection);
        return processRegistration(checks.isActionRequest(), execution, authSession, null);
    }

    /**
     * GET entry point of the first-broker-login flow.
     *
     * @param str  the {@code code} query parameter
     * @param str2 the {@code execution} query parameter
     * @param str3 the {@code client_id} query parameter
     * @return the response of the broker login flow
     */
    @GET
    @Path(FIRST_BROKER_LOGIN_PATH)
    public Response firstBrokerLoginGet(@QueryParam("code") String str, @QueryParam("execution") String str2, @QueryParam("client_id") String str3) {
        Response result = brokerLoginFlow(str, str2, str3, FIRST_BROKER_LOGIN_PATH);
        return result;
    }

    /**
     * POST entry point of the first-broker-login flow.
     *
     * @param str  the {@code code} query parameter
     * @param str2 the {@code execution} query parameter
     * @param str3 the {@code client_id} query parameter
     * @return the response of the broker login flow
     */
    @POST
    @Path(FIRST_BROKER_LOGIN_PATH)
    public Response firstBrokerLoginPost(@QueryParam("code") String str, @QueryParam("execution") String str2, @QueryParam("client_id") String str3) {
        Response result = brokerLoginFlow(str, str2, str3, FIRST_BROKER_LOGIN_PATH);
        return result;
    }

    /**
     * GET entry point of the post-broker-login flow.
     *
     * @param str  the {@code code} query parameter
     * @param str2 the {@code execution} query parameter
     * @param str3 the {@code client_id} query parameter
     * @return the response of the broker login flow
     */
    @GET
    @Path(POST_BROKER_LOGIN_PATH)
    public Response postBrokerLoginGet(@QueryParam("code") String str, @QueryParam("execution") String str2, @QueryParam("client_id") String str3) {
        Response result = brokerLoginFlow(str, str2, str3, POST_BROKER_LOGIN_PATH);
        return result;
    }

    /**
     * POST entry point of the post-broker-login flow.
     *
     * @param str  the {@code code} query parameter
     * @param str2 the {@code execution} query parameter
     * @param str3 the {@code client_id} query parameter
     * @return the response of the broker login flow
     */
    @POST
    @Path(POST_BROKER_LOGIN_PATH)
    public Response postBrokerLoginPost(@QueryParam("code") String str, @QueryParam("execution") String str2, @QueryParam("client_id") String str3) {
        Response result = brokerLoginFlow(str, str2, str3, POST_BROKER_LOGIN_PATH);
        return result;
    }

    /**
     * Runs the identity provider's first-broker-login or post-broker-login flow for the brokered
     * identity context stored on the authentication session.
     * <p>
     * The flow id comes from the identity provider configuration referenced by the serialized
     * context. When the flow finishes, the outcome is noted on the authentication session and the
     * browser is redirected to the corresponding after-broker-login endpoint.
     *
     * @param str  the {@code code} query parameter
     * @param str2 the {@code execution} query parameter
     * @param str3 the {@code client_id} query parameter
     * @param str4 {@link #FIRST_BROKER_LOGIN_PATH} or {@link #POST_BROKER_LOGIN_PATH}
     * @return the next response of the flow, or the checker's error response
     * @throws WebApplicationException wrapping an error page when the serialized context is missing,
     *                                 the identity provider has no flow configured, or the configured
     *                                 flow does not exist
     */
    protected Response brokerLoginFlow(String str, String str2, String str3, String str4) {
        final boolean firstLogin = str4.equals(FIRST_BROKER_LOGIN_PATH);
        this.event.event(firstLogin ? EventType.IDENTITY_PROVIDER_FIRST_LOGIN : EventType.IDENTITY_PROVIDER_POST_LOGIN);
        SessionCodeChecks checks = checksForCode(str, str2, str3, str4);
        if (!checks.verifyActiveAndValidAction(CommonClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) {
            return checks.getResponse();
        }
        this.event.detail("code_id", str);
        final AuthenticationSessionModel authSession = checks.getAuthenticationSession();
        String contextNote;
        if (firstLogin) {
            contextNote = AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE;
        } else {
            contextNote = PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT;
        }
        SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(authSession, contextNote);
        if (serializedCtx == null) {
            ServicesLogger.LOGGER.notFoundSerializedCtxInClientSession(contextNote);
            throw new WebApplicationException(ErrorPage.error(this.session, "Not found serialized context in authenticationSession.", new Object[0]));
        }
        BrokeredIdentityContext brokerCtx = serializedCtx.deserialize(this.session, authSession);
        final String idpAlias = brokerCtx.getIdpConfig().getAlias();
        String flowId;
        if (firstLogin) {
            flowId = brokerCtx.getIdpConfig().getFirstBrokerLoginFlowId();
        } else {
            flowId = brokerCtx.getIdpConfig().getPostBrokerLoginFlowId();
        }
        if (flowId == null) {
            ServicesLogger.LOGGER.flowNotConfigForIDP(idpAlias);
            throw new WebApplicationException(ErrorPage.error(this.session, "Flow not configured for identity provider", new Object[0]));
        }
        AuthenticationFlowModel flow = this.realm.getAuthenticationFlowById(flowId);
        if (flow == null) {
            ServicesLogger.LOGGER.flowNotFoundForIDP(flowId, idpAlias);
            throw new WebApplicationException(ErrorPage.error(this.session, "Flow not found for identity provider", new Object[0]));
        }
        this.event.detail("identity_provider", idpAlias).detail("identity_provider_identity", brokerCtx.getUsername());
        AuthenticationProcessor processor = new AuthenticationProcessor() {
            @Override
            public Response authenticationComplete() {
                // Mark the broker login result on the auth session, then hand off to the broker endpoint.
                if (firstLogin) {
                    authSession.setAuthNote(AbstractIdpAuthenticator.FIRST_BROKER_LOGIN_SUCCESS, idpAlias);
                } else {
                    authSession.setAuthNote(PostBrokerLoginConstants.PBL_AUTH_STATE_PREFIX + idpAlias, SamlProtocol.ATTRIBUTE_TRUE_VALUE);
                }
                return LoginActionsService.this.redirectToAfterBrokerLoginEndpoint(authSession, firstLogin);
            }
        };
        return processFlow(checks.isActionRequest(), str2, authSession, str4, flow, null, processor);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Instance convenience for the static
     * {@link #redirectToAfterBrokerLoginEndpoint(KeycloakSession, RealmModel, UriInfo, AuthenticationSessionModel, boolean)}
     * using this request's session, realm and URI context.
     *
     * @param authenticationSessionModel the authentication session that completed the broker flow
     * @param z                          {@code true} for first-broker-login, {@code false} for post-broker-login
     * @return a 302 redirect to the matching after-broker-login endpoint
     */
    public Response redirectToAfterBrokerLoginEndpoint(AuthenticationSessionModel authenticationSessionModel, boolean z) {
        KeycloakSession currentSession = this.session;
        RealmModel currentRealm = this.realm;
        return redirectToAfterBrokerLoginEndpoint(currentSession, currentRealm, this.uriInfo, authenticationSessionModel, z);
    }

    /**
     * Refreshes the authentication session's timestamp and redirects (302) to the identity-provider
     * after-first-broker-login or after-post-broker-login endpoint, passing a fresh client session code.
     *
     * @param keycloakSession            the current Keycloak session
     * @param realmModel                 the realm of the authentication session
     * @param uriInfo                    the JAX-RS URI context used to build the target URL
     * @param authenticationSessionModel the authentication session that completed the broker flow
     * @param z                          {@code true} for first-broker-login, {@code false} for post-broker-login
     * @return the redirect response
     */
    public static Response redirectToAfterBrokerLoginEndpoint(KeycloakSession keycloakSession, RealmModel realmModel, UriInfo uriInfo, AuthenticationSessionModel authenticationSessionModel, boolean z) {
        ClientSessionCode sessionCode = new ClientSessionCode(keycloakSession, realmModel, authenticationSessionModel);
        authenticationSessionModel.setTimestamp(Time.currentTime());
        String clientId = authenticationSessionModel.getClient().getClientId();
        URI target;
        if (z) {
            target = Urls.identityProviderAfterFirstBrokerLogin(uriInfo.getBaseUri(), realmModel.getName(), sessionCode.getCode(), clientId);
        } else {
            target = Urls.identityProviderAfterPostBrokerLogin(uriInfo.getBaseUri(), realmModel.getName(), sessionCode.getCode(), clientId);
        }
        // Debug-level only; note the logged URL embeds the client session code.
        logger.debugf("Redirecting to '%s' ", target);
        return Response.status(302).location(target).build();
    }

    /**
     * Processes the submitted consent form.
     * <p>
     * A form containing {@code cancel} is answered with the protocol's {@code CONSENT_DENIED} error
     * and the event error {@code rejected_by_user}. Otherwise the requested roles and the requested
     * protocol mappers that require consent (and have consent text) are granted on the user's consent
     * record for the client, the session is attached and the browser is redirected onward.
     *
     * @param multivaluedMap the form parameters; {@code code} is read from it, {@code client_id}
     *                       from the query string
     * @return the post-consent redirect, the protocol error response, or the checker's error response
     */
    @POST
    @Path(OIDCLoginProtocol.PROMPT_VALUE_CONSENT)
    @Consumes({MediaType.APPLICATION_FORM_URLENCODED})
    public Response processConsent(MultivaluedMap<String, String> multivaluedMap) {
        this.event.event(EventType.LOGIN);
        String code = multivaluedMap.getFirst("code");
        String clientId = this.uriInfo.getQueryParameters().getFirst("client_id");
        SessionCodeChecks checks = checksForCode(code, null, clientId, REQUIRED_ACTION);
        if (!checks.verifyRequiredAction(CommonClientSessionModel.Action.OAUTH_GRANT.name())) {
            return checks.getResponse();
        }
        AuthenticationSessionModel authSession = checks.getAuthenticationSession();
        initLoginEvent(authSession);
        UserModel user = authSession.getAuthenticatedUser();
        ClientModel client = authSession.getClient();
        if (multivaluedMap.containsKey("cancel")) {
            LoginProtocol protocol = this.session.getProvider(LoginProtocol.class, authSession.getProtocol());
            protocol.setRealm(this.realm).setHttpHeaders(this.headers).setUriInfo(this.uriInfo).setEventBuilder(this.event);
            Response denied = protocol.sendError(authSession, LoginProtocol.Error.CONSENT_DENIED);
            this.event.error("rejected_by_user");
            return denied;
        }
        UserConsentModel consent = this.session.users().getConsentByClient(this.realm, user.getId(), client.getId());
        if (consent == null) {
            consent = new UserConsentModel(client);
            this.session.users().addConsent(this.realm, user.getId(), consent);
        }
        for (Iterator<RoleModel> roles = ClientSessionCode.getRequestedRoles(authSession, this.realm).iterator(); roles.hasNext(); ) {
            consent.addGrantedRole(roles.next());
        }
        for (ProtocolMapperModel mapper : ClientSessionCode.getRequestedProtocolMappers(authSession.getProtocolMappers(), client)) {
            // Only mappers that require consent and define consent text are recorded as granted.
            boolean needsConsent = mapper.isConsentRequired() && mapper.getConsentText() != null;
            if (needsConsent) {
                consent.addGrantedProtocolMapper(mapper);
            }
        }
        this.session.users().updateConsent(this.realm, user.getId(), consent);
        this.event.detail(OIDCLoginProtocol.PROMPT_VALUE_CONSENT, "consent_granted");
        this.event.success();
        AuthenticatedClientSessionModel clientSession = AuthenticationProcessor.attachSession(authSession, null, this.session, this.realm, this.clientConnection, this.event);
        return AuthenticationManager.redirectAfterSuccessfulFlow(this.session, this.realm, clientSession.getUserSession(), clientSession, this.request, this.uriInfo, this.clientConnection, this.event, authSession.getProtocol());
    }

    /**
     * Populates the shared {@code event} builder with the standard LOGIN details taken from an
     * authentication session: client, code id, redirect URI, protocol, response type/mode,
     * the user (when already authenticated) or the attempted username, the remember-me flag,
     * and the identity-provider notes when a broker was involved.
     *
     * @param authenticationSessionModel the session whose notes feed the event details
     */
    private void initLoginEvent(AuthenticationSessionModel authenticationSessionModel) {
        // OIDC defaults to the "code" response type when the client did not specify one.
        final String responseType = authenticationSessionModel.getClientNote("response_type") != null
                ? authenticationSessionModel.getClientNote("response_type")
                : "code";
        final String responseMode = OIDCResponseMode.parse(
                        authenticationSessionModel.getClientNote(OIDCLoginProtocol.RESPONSE_MODE_PARAM),
                        OIDCResponseType.parse(responseType))
                .toString()
                .toLowerCase();

        this.event.event(EventType.LOGIN)
                .client(authenticationSessionModel.getClient())
                .detail("code_id", authenticationSessionModel.getId())
                .detail("redirect_uri", authenticationSessionModel.getRedirectUri())
                .detail("auth_method", authenticationSessionModel.getProtocol())
                .detail("response_type", responseType)
                .detail(OIDCLoginProtocol.RESPONSE_MODE_PARAM, responseMode);

        final UserModel user = authenticationSessionModel.getAuthenticatedUser();
        if (user != null) {
            this.event.user(user).detail("username", user.getUsername());
        }
        // A recorded login attempt overrides the username detail even when no user is attached.
        final String attemptedUsername = authenticationSessionModel.getAuthNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME);
        if (attemptedUsername != null) {
            this.event.detail("username", attemptedUsername);
        }

        final String rememberMeNote = authenticationSessionModel.getAuthNote("remember_me");
        final boolean rememberMe = rememberMeNote != null && rememberMeNote.equalsIgnoreCase(SamlProtocol.ATTRIBUTE_TRUE_VALUE);
        this.event.detail("remember_me", rememberMe ? rememberMeNote : SamlProtocol.ATTRIBUTE_FALSE_VALUE);

        final Map userSessionNotes = authenticationSessionModel.getUserSessionNotes();
        final String identityProvider = (String) userSessionNotes.get("identity_provider");
        if (identityProvider != null) {
            this.event.detail("identity_provider", identityProvider)
                    .detail("identity_provider_identity", (String) userSessionNotes.get("identity_provider_identity"));
        }
    }

    /**
     * POST entry point for a required action; delegates to {@link #processRequireAction}.
     *
     * @param str  the {@code code} query parameter (session code)
     * @param str2 the {@code execution} query parameter (required-action id)
     * @param str3 the {@code client_id} query parameter
     * @return the response produced by the required-action flow
     */
    @POST
    @Path(REQUIRED_ACTION)
    public Response requiredActionPOST(@QueryParam("code") String str, @QueryParam("execution") String str2, @QueryParam("client_id") String str3) {
        final Response response = processRequireAction(str, str2, str3);
        return response;
    }

    /**
     * GET entry point for a required action; same handling as the POST variant, via
     * {@link #processRequireAction}.
     *
     * @param str  the {@code code} query parameter (session code)
     * @param str2 the {@code execution} query parameter (required-action id)
     * @param str3 the {@code client_id} query parameter
     * @return the response produced by the required-action flow
     */
    @GET
    @Path(REQUIRED_ACTION)
    public Response requiredActionGET(@QueryParam("code") String str, @QueryParam("execution") String str2, @QueryParam("client_id") String str3) {
        final Response response = processRequireAction(str, str2, str3);
        return response;
    }

    /**
     * Runs one required action for the authentication session identified by {@code code}.
     *
     * <p>The session code, execution and client id are first validated by {@code checksForCode}.
     * A plain (non-action) request only re-enters the flow via
     * {@code AuthenticationManager.nextActionAfterAuthentication}. An action request looks up the
     * {@link RequiredActionProvider} factory named by {@code execution}; an unknown id is logged,
     * recorded as {@code invalid_code} and answered with the INVALID_CODE error page. The provider's
     * outcome then decides the response: SUCCESS clears the action from session and user and
     * continues the flow, CHALLENGE returns the provider's challenge, FAILURE is reported as
     * CONSENT_DENIED through the session's protocol.
     *
     * @param code      the session code
     * @param execution the required-action id, also used as the provider factory id
     * @param clientId  the client id the session must belong to
     * @return the next response of the flow, wrapped by {@code BrowserHistoryHelper}
     * @throws WebApplicationException when no provider factory exists for {@code execution}
     */
    private Response processRequireAction(String code, String execution, String clientId) {
        this.event.event(EventType.CUSTOM_REQUIRED_ACTION);
        final SessionCodeChecks checks = checksForCode(code, execution, clientId, REQUIRED_ACTION);
        if (!checks.verifyRequiredAction(execution)) {
            return checks.getResponse();
        }
        final AuthenticationSessionModel authSession = checks.getAuthenticationSession();

        if (!checks.isActionRequest()) {
            initLoginEvent(authSession);
            this.event.event(EventType.CUSTOM_REQUIRED_ACTION);
            return AuthenticationManager.nextActionAfterAuthentication(
                    this.session, authSession, this.clientConnection, this.request, this.uriInfo, this.event);
        }

        initLoginEvent(authSession);
        this.event.event(EventType.CUSTOM_REQUIRED_ACTION);
        this.event.detail("custom_required_action", execution);

        // The execution id names the provider; reject ids that do not resolve to a factory.
        final RequiredActionFactory factory = this.session.getKeycloakSessionFactory()
                .getProviderFactory(RequiredActionProvider.class, execution);
        if (factory == null) {
            ServicesLogger.LOGGER.actionProviderNull();
            this.event.error("invalid_code");
            throw new WebApplicationException(ErrorPage.error(this.session, Messages.INVALID_CODE, new Object[0]));
        }

        final RequiredActionProvider provider = factory.create(this.session);
        final RequiredActionContextResult context = new RequiredActionContextResult(
                authSession, this.realm, this.event, this.session, this.request,
                authSession.getAuthenticatedUser(), factory) {
            @Override
            public void ignore() {
                // Skipping is not a valid outcome while an action is being processed.
                throw new RuntimeException("Cannot call ignore within processAction()");
            }
        };
        provider.processAction(context);

        if (execution != null) {
            authSession.setAuthNote(AuthenticationProcessor.LAST_PROCESSED_EXECUTION, execution);
        }

        final RequiredActionContext.Status status = context.getStatus();
        final Response response;
        if (status == RequiredActionContext.Status.SUCCESS) {
            // Record the action success on a copy so the main event can be re-initialised as LOGIN.
            this.event.clone().success();
            initLoginEvent(authSession);
            this.event.event(EventType.LOGIN);
            authSession.removeRequiredAction(factory.getId());
            authSession.getAuthenticatedUser().removeRequiredAction(factory.getId());
            authSession.removeAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION);
            response = AuthenticationManager.nextActionAfterAuthentication(
                    this.session, authSession, this.clientConnection, this.request, this.uriInfo, this.event);
        } else if (status == RequiredActionContext.Status.CHALLENGE) {
            response = context.getChallenge();
        } else if (status == RequiredActionContext.Status.FAILURE) {
            final LoginProtocol protocol = context.getSession()
                    .getProvider(LoginProtocol.class, authSession.getProtocol());
            protocol.setRealm(context.getRealm())
                    .setHttpHeaders(context.getHttpRequest().getHttpHeaders())
                    .setUriInfo(context.getUriInfo())
                    .setEventBuilder(this.event);
            this.event.detail("custom_required_action", execution);
            response = protocol.sendError(authSession, LoginProtocol.Error.CONSENT_DENIED);
            this.event.error("rejected_by_user");
        } else {
            throw new RuntimeException("Unreachable");
        }

        return BrowserHistoryHelper.getInstance().saveResponseAndRedirect(this.session, authSession, response, true);
    }
}
