package org.keycloak.services.resources.flows;

import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import org.jboss.logging.Logger;
import org.jboss.resteasy.specimpl.MultivaluedMapImpl;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.ClientConnection;
import org.keycloak.audit.Audit;
import org.keycloak.audit.EventType;
import org.keycloak.models.ApplicationModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RequiredCredentialModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.services.managers.AccessCode;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.TokenManager;
import org.keycloak.services.messages.Messages;

/* loaded from: input_file:org/keycloak/services/resources/flows/OAuthFlows.class */
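/**
 * Builds the HTTP responses for the authorization-code leg of the OAuth flow:
 * the code redirect back to the client, the error redirect, the required-action
 * and consent ("OAuth grant") pages, and the generic security-failure page.
 * <p>
 * None of the methods here validate the redirect URI they are handed; the
 * caller is expected to have matched it against the client's registered
 * redirect URIs before invoking this class.
 */
public class OAuthFlows {
    private static final Logger log = Logger.getLogger(OAuthFlows.class);
    private final KeycloakSession session;
    private final RealmModel realm;
    private final HttpRequest request;
    private final UriInfo uriInfo;
    private final ClientConnection clientConnection;
    private final AuthenticationManager authManager;
    private final TokenManager tokenManager;

    /**
     * Creates a flow helper bound to one request.
     * (Decompiler note: the original access modifier was package-private.)
     *
     * @param keycloakSession       session used for user-session lookup/removal
     * @param realmModel            realm the request is scoped to
     * @param httpRequest           request whose cookies are inspected
     * @param uriInfo               URI context passed on to form and cookie builders
     * @param clientConnection      client connection passed on to cookie builders
     * @param authenticationManager creates the login and remember-me cookies
     * @param tokenManager          issues the access code
     */
    public OAuthFlows(KeycloakSession keycloakSession, RealmModel realmModel, HttpRequest httpRequest, UriInfo uriInfo, ClientConnection clientConnection, AuthenticationManager authenticationManager, TokenManager tokenManager) {
        this.session = keycloakSession;
        this.realm = realmModel;
        this.request = httpRequest;
        this.uriInfo = uriInfo;
        this.clientConnection = clientConnection;
        this.authManager = authenticationManager;
        this.tokenManager = tokenManager;
    }

    /**
     * Issues the 302 that hands the authorization code to the client and
     * establishes the browser-side session cookies for {@code userSessionModel}.
     * <p>
     * {@code str2} is used verbatim as the redirect target; no validation of it
     * happens here. Before the new login cookie is written, a user session named
     * by an already-present session cookie is removed if it is a different
     * session (so a superseded session does not linger server-side).
     *
     * @param accessCode       the issued code; only {@code getCode()} and {@code getUser()} are read
     * @param userSessionModel the user session the login cookie will reference
     * @param str              OAuth {@code state} to echo back, or {@code null} to omit it
     * @param str2             redirect URI the {@code code} (and {@code state}) query parameters are appended to
     * @return a 302 response whose {@code Location} is the redirect URI with the code attached
     */
    public Response redirectAccessCode(AccessCode accessCode, UserSessionModel userSessionModel, String str, String str2) {
        UriBuilder target = UriBuilder.fromUri(str2).queryParam("code", accessCode.getCode());
        log.debugv("redirectAccessCode: state: {0}", str);
        if (str != null) {
            target.queryParam("state", str);
        }
        Response.ResponseBuilder redirect = Response.status(302).location(target.build());

        removeSupersededSession(userSessionModel);

        this.authManager.createLoginCookie(this.realm, accessCode.getUser(), userSessionModel, this.uriInfo, this.clientConnection);
        if (userSessionModel.isRememberMe()) {
            this.authManager.createRememberMeCookie(this.realm, this.uriInfo, this.clientConnection);
        }
        return redirect.build();
    }

    /**
     * Removes the user session referenced by an existing KEYCLOAK_SESSION cookie
     * when it is not {@code current}. The cookie value is read as slash-separated
     * segments with the session id in the third position; malformed or absent
     * cookies are ignored.
     * <p>
     * NOTE(review): the session id is taken from a client-supplied cookie. The
     * lookup is scoped to this realm and nothing happens when no such session
     * exists, but confirm that removing a session by a client-chosen id is the
     * intended contract.
     *
     * @param current the session being established; never removed here
     */
    private void removeSupersededSession(UserSessionModel current) {
        Cookie sessionCookie = this.request.getHttpHeaders().getCookies().get(AuthenticationManager.KEYCLOAK_SESSION_COOKIE);
        if (sessionCookie == null) {
            return;
        }
        String[] segments = sessionCookie.getValue().split("/");
        if (segments.length < 3) {
            return;
        }
        String previousSessionId = segments[2];
        if (previousSessionId.equals(current.getId())) {
            return;
        }
        UserSessionModel previous = this.session.sessions().getUserSession(this.realm, previousSessionId);
        if (previous != null) {
            log.debugv("Removing old user session: session: {0}", previousSessionId);
            this.session.sessions().removeUserSession(this.realm, previous);
        }
    }

    /**
     * Issues the 302 that reports an OAuth error to the client.
     * {@code str3} is used verbatim as the redirect target; no validation of it
     * happens here.
     *
     * @param clientModel the client the error is for; currently unused by this method
     * @param str         error value placed in the {@link Messages#ERROR} query parameter
     * @param str2        OAuth {@code state} to echo back, or {@code null} to omit it
     * @param str3        redirect URI the error parameters are appended to
     * @return a 302 response pointing at {@code str3} with the error attached
     */
    public Response redirectError(ClientModel clientModel, String str, String str2, String str3) {
        UriBuilder target = UriBuilder.fromUri(str3).queryParam(Messages.ERROR, str);
        if (str2 != null) {
            target.queryParam("state", str2);
        }
        return Response.status(302).location(target.build()).build();
    }

    /**
     * Creates the access code for an authenticated user and decides what the
     * browser sees next, in this order:
     * <ol>
     *   <li>if the user has any required action (after the realm's TOTP and
     *       email-verification requirements have been applied), the page for the
     *       first such action;</li>
     *   <li>otherwise, for an {@link ApplicationModel} client, a redirect carrying
     *       the code — or {@code null} when {@code str3} is {@code null};</li>
     *   <li>otherwise the OAuth consent page listing the requested realm roles and
     *       the requested application roles grouped by application name.</li>
     * </ol>
     *
     * @param str              first argument forwarded to
     *                         {@link TokenManager#createAccessCode}; presumably the requested scope — confirm against the caller
     * @param str2             OAuth {@code state}, echoed on the code redirect
     * @param str3             redirect URI for the code redirect; {@code null} yields a {@code null} response for application clients
     * @param clientModel      the requesting client
     * @param userModel        the authenticated user; may gain required actions as a side effect
     * @param userSessionModel the user session being established
     * @param audit            audit sink; receives the {@code code_id} detail and, on a code redirect, {@code success()}
     * @return the next response, or {@code null} in the application-client case described above
     */
    public Response processAccessCode(String str, String str2, String str3, ClientModel clientModel, UserModel userModel, UserSessionModel userSessionModel, Audit audit) {
        isTotpConfigurationRequired(userModel);
        isEmailVerificationRequired(userModel);
        boolean isResource = clientModel instanceof ApplicationModel;
        AccessCode accessCode = this.tokenManager.createAccessCode(str, str2, str3, this.session, this.realm, clientModel, userModel, userSessionModel);
        log.debugv("processAccessCode: isResource: {0}", Boolean.valueOf(isResource));
        log.debugv("processAccessCode: go to oauth page?: {0}", Boolean.valueOf(!isResource));
        audit.detail("code_id", accessCode.getCodeId());

        if (!userModel.getRequiredActions().isEmpty()) {
            // Only the first pending action is handled per round trip; the code remembers it.
            UserModel.RequiredAction requiredAction = userModel.getRequiredActions().iterator().next();
            accessCode.setRequiredAction(requiredAction);
            if (requiredAction.equals(UserModel.RequiredAction.VERIFY_EMAIL)) {
                audit.clone().event(EventType.SEND_VERIFY_EMAIL).detail("email", accessCode.getUser().getEmail()).success();
            }
            return Flows.forms(this.session, this.realm, clientModel, this.uriInfo).setAccessCode(accessCode.getCode()).setUser(userModel).createResponse(requiredAction);
        }

        if (isResource) {
            if (str3 == null) {
                return null;
            }
            audit.success();
            accessCode.setAction(ClientSessionModel.Action.CODE_TO_TOKEN);
            return redirectAccessCode(accessCode, userSessionModel, str2, str3);
        }

        accessCode.setAction(ClientSessionModel.Action.OAUTH_GRANT);
        List<RoleModel> realmRoles = new LinkedList<RoleModel>();
        MultivaluedMapImpl<String, RoleModel> applicationRoles = new MultivaluedMapImpl<String, RoleModel>();
        for (RoleModel role : accessCode.getRequestedRoles()) {
            if (role.getContainer() instanceof RealmModel) {
                realmRoles.add(role);
            } else {
                applicationRoles.add(role.getContainer().getName(), role);
            }
        }
        return Flows.forms(this.session, this.realm, clientModel, this.uriInfo).setAccessCode(accessCode.getCode()).setAccessRequest(realmRoles, applicationRoles).setClient(clientModel).createOAuthGrant();
    }

    /**
     * Renders the generic error page with the given message (no client context).
     *
     * @param str error message shown on the page
     * @return the error page response
     */
    public Response forwardToSecurityFailure(String str) {
        return Flows.forms(this.session, this.realm, null, this.uriInfo).setError(str).createErrorPage();
    }

    /**
     * Adds {@link UserModel.RequiredAction#CONFIGURE_TOTP} to the user when the
     * realm lists a {@code "totp"} required credential and the user has no TOTP
     * configured. Despite the name this method has no return value.
     *
     * @param userModel the user to update
     */
    private void isTotpConfigurationRequired(UserModel userModel) {
        for (RequiredCredentialModel credential : this.realm.getRequiredCredentials()) {
            // Constant on the left so a credential with a null type cannot throw here.
            if ("totp".equals(credential.getType()) && !userModel.isTotp()) {
                userModel.addRequiredAction(UserModel.RequiredAction.CONFIGURE_TOTP);
                log.debug("User is required to configure totp");
            }
        }
    }

    /**
     * Adds {@link UserModel.RequiredAction#VERIFY_EMAIL} to the user when the
     * realm requires verified emails and the user's email is not yet verified.
     * Despite the name this method has no return value.
     *
     * @param userModel the user to update
     */
    private void isEmailVerificationRequired(UserModel userModel) {
        if (!this.realm.isVerifyEmail() || userModel.isEmailVerified()) {
            return;
        }
        userModel.addRequiredAction(UserModel.RequiredAction.VERIFY_EMAIL);
        log.debug("User is required to verify email");
    }
}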
