package org.keycloak.services.resources;

import java.io.IOException;
import java.net.URISyntaxException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import org.jboss.logging.Logger;
import org.jboss.resteasy.specimpl.MultivaluedMapImpl;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.ClientConnection;
import org.keycloak.audit.Audit;
import org.keycloak.audit.EventType;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelDuplicateException;
import org.keycloak.models.RealmModel;
import org.keycloak.models.SocialLinkModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.services.managers.AuditManager;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.RealmManager;
import org.keycloak.services.managers.TokenManager;
import org.keycloak.services.resources.flows.Flows;
import org.keycloak.services.resources.flows.OAuthFlows;
import org.keycloak.services.resources.flows.Urls;
import org.keycloak.social.AuthCallback;
import org.keycloak.social.SocialAccessDeniedException;
import org.keycloak.social.SocialLoader;
import org.keycloak.social.SocialProvider;
import org.keycloak.social.SocialProviderConfig;
import org.keycloak.social.SocialProviderException;
import org.keycloak.social.SocialUser;

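/**
 * JAX-RS resource mounted at {@code /social} that drives the social (third-party
 * identity provider) login flow: {@link #redirectToProviderAuth} starts it and
 * {@link #callback} completes it, either logging a user in or linking a social
 * identity to an existing account.
 *
 * <p>NOTE(review): this listing appears to be decompiler output; original local
 * names and comments are not available.
 */
@Path("/social")
public class SocialResource {
    protected static Logger logger = Logger.getLogger(SocialResource.class);

    @Context
    protected UriInfo uriInfo;

    @Context
    protected HttpHeaders headers;

    @Context
    private HttpRequest request;

    @Context
    protected KeycloakSession session;

    @Context
    protected ClientConnection clientConnection;
    private TokenManager tokenManager;

    /**
     * JSON payload that {@link SocialResource#callback} decodes from the {@code state}
     * query parameter. It names the realm and provider, optionally the id of the local
     * user to link (set only on the account-linking path), and carries the client
     * attributes that {@code callback} reads back ({@code client_id},
     * {@code redirect_uri}, {@code scope}, {@code state}, {@code response_type}).
     */
    public static class State {
        private String realm;
        private String provider;
        // Local user id; callback treats a non-null value as "link this social account".
        private String user;
        private Map<String, String> attributes = new HashMap<String, String>();

        public String getRealm() {
            return this.realm;
        }

        public void setRealm(String str) {
            this.realm = str;
        }

        public String getProvider() {
            return this.provider;
        }

        public void setProvider(String str) {
            this.provider = str;
        }

        public String getUser() {
            return this.user;
        }

        public void setUser(String str) {
            this.user = str;
        }

        /** Returns the live attribute map (not a copy). */
        public Map<String, String> getAttributes() {
            return this.attributes;
        }

        /** Returns the attribute stored under {@code str}, or {@code null} if absent. */
        public String get(String str) {
            return this.attributes.get(str);
        }

        /** Stores attribute {@code str2} under key {@code str}. */
        public void set(String str, String str2) {
            this.attributes.put(str, str2);
        }
    }

    public SocialResource(TokenManager tokenManager) {
        this.tokenManager = tokenManager;
    }

    /**
     * Completes the social flow after the provider redirects the browser back.
     *
     * <p>Decodes {@code state}, resolves provider, realm and client from it, lets the
     * provider process the callback, then either links the social identity to the user
     * named in {@code state} (when {@code state.getUser()} is non-null) or logs in /
     * registers the user bound to that social identity and issues an access code.
     *
     * <p>NOTE(review): every security decision below (realm, provider, client, redirect
     * target and, on the linking path, which local user receives the social link) is
     * taken from the decoded {@code state} value. No signature verification of that
     * value, and no check that the browser presenting it holds an authenticated session
     * for {@code state.getUser()}, is visible in this method. Confirm both are enforced
     * elsewhere; if they are not, verify the JWS against the realm key, bind the flow to
     * the initiating browser session, and derive the linking user from that session
     * instead of from {@code state}.
     *
     * @param str the encoded {@code state} query parameter returned by the provider
     * @return a redirect, login form or error page depending on the outcome
     */
    @GET
    @Path("callback")
    public Response callback(@QueryParam("state") String str) throws URISyntaxException, IOException {
        try {
            // Only parsing is visible here; see the NOTE(review) in the method Javadoc.
            State state = (State) new JWSInput(str).readJsonContent(State.class);
            SocialProvider provider = SocialLoader.load(state.getProvider());
            String realmName = state.getRealm();
            // A null provider or realm surfaces as an exception handled by the outer catch.
            String authMethod = "social@" + provider.getId();
            RealmModel realm = new RealmManager(this.session).getRealmByName(realmName);
            Audit audit = new AuditManager(realm, this.session, this.clientConnection)
                    .createAudit()
                    .event(EventType.LOGIN)
                    .detail("response_type", state.get("response_type"))
                    .detail("auth_method", authMethod);
            OAuthFlows oauth = Flows.oauth(this.session, realm, this.request, this.uriInfo, this.clientConnection, new AuthenticationManager(), this.tokenManager);
            if (!realm.isEnabled()) {
                audit.error("realm_disabled");
                return oauth.forwardToSecurityFailure("Realm not enabled.");
            }
            String clientId = state.get("client_id");
            // Not re-validated against the client here: only null-checked on the linking
            // path. Its integrity therefore depends on the state being tamper-proof.
            String redirectUri = state.get("redirect_uri");
            String scope = state.get("scope");
            String clientState = state.get("state");
            String responseType = state.get("response_type");
            audit.client(clientId).detail("redirect_uri", redirectUri);
            ClientModel client = realm.findClient(clientId);
            if (client == null) {
                audit.error("client_not_found");
                return oauth.forwardToSecurityFailure("Unknown login requester.");
            }
            if (!client.isEnabled()) {
                audit.error("client_disabled");
                return oauth.forwardToSecurityFailure("Login requester not enabled.");
            }
            try {
                String providerKey = (String) realm.getSocialConfig().get(provider.getId() + ".key");
                String providerSecret = (String) realm.getSocialConfig().get(provider.getId() + ".secret");
                SocialProviderConfig providerConfig = new SocialProviderConfig(providerKey, providerSecret, Urls.socialCallback(this.uriInfo.getBaseUri()).toString());
                SocialUser socialUser = provider.processCallback(providerConfig, new AuthCallback(getQueryParams(), getAttributes()));
                audit.detail(AuthenticationManager.FORM_USERNAME, socialUser.getId() + "@" + provider.getId());
                try {
                    SocialLinkModel socialLink = new SocialLinkModel(provider.getId(), socialUser.getId(), socialUser.getUsername());
                    UserModel linkedUser = this.session.users().getUserBySocialLink(socialLink, realm);
                    String linkTargetId = state.getUser();
                    if (linkTargetId != null) {
                        // Account-linking path: attach the social identity to an existing user.
                        UserModel linkTarget = this.session.users().getUserById(linkTargetId, realm);
                        audit.event(EventType.SOCIAL_LINK).user(linkTargetId);
                        if (linkedUser != null) {
                            audit.error("social_id_in_use");
                            return oauth.forwardToSecurityFailure("This social account is already linked to other user");
                        }
                        if (linkTarget == null) {
                            // Fail closed with an audited error instead of dereferencing null
                            // and falling through to the generic "Unexpected callback" page.
                            audit.error("user_not_found");
                            return oauth.forwardToSecurityFailure("User not found");
                        }
                        if (!linkTarget.isEnabled()) {
                            audit.error("user_disabled");
                            return oauth.forwardToSecurityFailure("User is disabled");
                        }
                        if (!linkTarget.hasRole(realm.getApplicationByName("account").getRole("manage-account"))) {
                            audit.error("not_allowed");
                            return oauth.forwardToSecurityFailure("Insufficient permissions to link social account");
                        }
                        if (redirectUri == null) {
                            audit.error("invalid_redirect_uri");
                            return oauth.forwardToSecurityFailure("Unknown redirectUri");
                        }
                        this.session.users().addSocialLink(realm, linkTarget, socialLink);
                        logger.debug("Social provider " + provider.getId() + " linked with user " + linkTarget.getUsername());
                        audit.success();
                        return Response.status(302).location(UriBuilder.fromUri(redirectUri).build()).build();
                    }
                    if (linkedUser == null) {
                        // First login with this social identity: register a local user from
                        // the profile data returned by the provider.
                        linkedUser = this.session.users().addUser(realm, KeycloakModelUtils.generateId());
                        linkedUser.setEnabled(true);
                        linkedUser.setFirstName(socialUser.getFirstName());
                        linkedUser.setLastName(socialUser.getLastName());
                        linkedUser.setEmail(socialUser.getEmail());
                        if (realm.isUpdateProfileOnInitialSocialLogin()) {
                            linkedUser.addRequiredAction(UserModel.RequiredAction.UPDATE_PROFILE);
                        }
                        this.session.users().addSocialLink(realm, linkedUser, socialLink);
                        audit.clone()
                                .user(linkedUser)
                                .event(EventType.REGISTER)
                                .detail("register_method", "social@" + provider.getId())
                                .detail("email", socialUser.getEmail())
                                .removeDetail("auth_method")
                                .success();
                    }
                    audit.user(linkedUser);
                    if (!linkedUser.isEnabled()) {
                        audit.error("user_disabled");
                        return oauth.forwardToSecurityFailure("Your account is not enabled.");
                    }
                    UserSessionModel userSession = this.session.sessions().createUserSession(realm, linkedUser, socialLink.getSocialUserId() + "@" + socialLink.getSocialProvider(), this.clientConnection.getRemoteAddr(), authMethod, false);
                    audit.session(userSession);
                    Response accessCodeResponse = oauth.processAccessCode(scope, clientState, redirectUri, client, linkedUser, userSession, audit);
                    if (this.session.getTransaction().isActive()) {
                        this.session.getTransaction().commit();
                    }
                    return accessCodeResponse;
                } catch (ModelDuplicateException e) {
                    // Sends the browser back to the login form; no audit error is recorded
                    // for this outcome.
                    return returnToLogin(realm, client, state.getAttributes(), "socialEmailExists");
                }
            } catch (SocialAccessDeniedException e2) {
                // The user declined at the provider: rebuild the original login request.
                MultivaluedMapImpl<String, String> loginParams = new MultivaluedMapImpl<String, String>();
                loginParams.putSingle("client_id", clientId);
                loginParams.putSingle("state", clientState);
                loginParams.putSingle("scope", scope);
                loginParams.putSingle("redirect_uri", redirectUri);
                loginParams.putSingle("response_type", responseType);
                audit.error("rejected_by_user");
                return Flows.forms(this.session, realm, client, this.uriInfo).setQueryParams(loginParams).setWarning("Access denied").createLogin();
            } catch (SocialProviderException e3) {
                logger.error("Failed to process social callback", e3);
                return oauth.forwardToSecurityFailure("Failed to process social callback");
            }
        } catch (Throwable th) {
            // Catch-all: an unparsable state, unknown provider or unknown realm ends here
            // with a generic error page and no audit record.
            logger.warn("Invalid social callback", th);
            return Flows.forms(this.session, null, null, this.uriInfo).setError("Unexpected callback").createErrorPage();
        }
    }

    /**
     * Starts the social flow: validates realm, provider, client and redirect URI, then
     * redirects the browser to the social provider with the client attributes attached.
     *
     * <p>The redirect URI is checked with {@code TokenService.verifyRedirectUri} and only
     * the verified value is forwarded. The audit detail {@code response_type} is
     * hard-coded to {@code "code"} while the requested {@code str7} is what gets
     * forwarded as a client attribute.
     *
     * @param str  realm name from the path
     * @param str2 {@code provider_id}: id of the social provider to load
     * @param str3 {@code client_id} of the requesting client
     * @param str4 {@code scope} requested by the client
     * @param str5 {@code state} value supplied by the client
     * @param str6 {@code redirect_uri} requested by the client (untrusted until verified)
     * @param str7 {@code response_type} requested by the client
     * @return a redirect to the provider, or an error page when validation fails
     */
    @GET
    @Path("{realm}/login")
    public Response redirectToProviderAuth(@PathParam("realm") String str, @QueryParam("provider_id") String str2, @QueryParam("client_id") String str3, @QueryParam("scope") String str4, @QueryParam("state") String str5, @QueryParam("redirect_uri") String str6, @QueryParam("response_type") String str7) {
        RealmModel realm = new RealmManager(this.session).getRealmByName(str);
        if (realm == null) {
            // Presumably returned for an unknown realm name; answer with an error page
            // rather than failing on the dereferences below.
            logger.warn("Social login requested for unknown realm");
            return Flows.forms(this.session, null, null, this.uriInfo).setError("Realm not found").createErrorPage();
        }
        Audit audit = new AuditManager(realm, this.session, this.clientConnection)
                .createAudit()
                .event(EventType.LOGIN)
                .client(str3)
                .detail("redirect_uri", str6)
                .detail("response_type", "code")
                .detail("auth_method", "social@" + str2);
        SocialProvider provider = SocialLoader.load(str2);
        if (provider == null) {
            audit.error("social_provider_not_found");
            return Flows.forms(this.session, realm, null, this.uriInfo).setError("Social provider not found").createErrorPage();
        }
        ClientModel client = realm.findClient(str3);
        if (client == null) {
            audit.error("client_not_found");
            // client_id is request-controlled: neutralise line breaks before logging it.
            logger.warn("Unknown login requester: " + String.valueOf(str3).replaceAll("[\\r\\n]", "_"));
            return Flows.forms(this.session, realm, null, this.uriInfo).setError("Unknown login requester.").createErrorPage();
        }
        if (!client.isEnabled()) {
            audit.error("client_disabled");
            logger.warn("Login requester not enabled.");
            return Flows.forms(this.session, realm, null, this.uriInfo).setError("Login requester not enabled.").createErrorPage();
        }
        String verifiedRedirectUri = TokenService.verifyRedirectUri(this.uriInfo, str6, realm, client);
        if (verifiedRedirectUri == null) {
            audit.error("invalid_redirect_uri");
            return Flows.forms(this.session, realm, null, this.uriInfo).setError("Invalid redirect_uri.").createErrorPage();
        }
        try {
            return Flows.social(realm, this.uriInfo, this.clientConnection, provider)
                    .putClientAttribute("client_id", str3)
                    .putClientAttribute("scope", str4)
                    .putClientAttribute("state", str5)
                    .putClientAttribute("redirect_uri", verifiedRedirectUri)
                    .putClientAttribute("response_type", str7)
                    .redirectToSocialProvider();
        } catch (Throwable th) {
            logger.error("Failed to redirect to social auth", th);
            return Flows.forms(this.session, realm, null, this.uriInfo).setError("Failed to redirect to social auth").createErrorPage();
        }
    }

    /**
     * Renders the login form again with the given attributes as query parameters and
     * {@code str} as the error to display.
     */
    private Response returnToLogin(RealmModel realmModel, ClientModel clientModel, Map<String, String> map, String str) {
        MultivaluedMapImpl<String, String> queryParams = new MultivaluedMapImpl<String, String>();
        for (Map.Entry<String, String> entry : map.entrySet()) {
            queryParams.add(entry.getKey(), entry.getValue());
        }
        return Flows.forms(this.session, realmModel, clientModel, this.uriInfo).setQueryParams(queryParams).setError(str).createLogin();
    }

    /** Copies the request's query parameters into a name-to-values-array map. */
    private Map<String, String[]> getQueryParams() {
        Map<String, String[]> params = new HashMap<String, String[]>();
        for (Map.Entry<String, List<String>> entry : this.uriInfo.getQueryParameters().entrySet()) {
            List<String> values = entry.getValue();
            params.put(entry.getKey(), values.toArray(new String[values.size()]));
        }
        return params;
    }

    /**
     * Decodes the {@code KEYCLOAK_SOCIAL} cookie into an attribute map that is handed to
     * the provider via {@code AuthCallback}.
     *
     * <p>NOTE(review): the cookie is only parsed here; no signature verification is
     * visible, so treat the returned values as request-controlled unless verification is
     * confirmed elsewhere.
     *
     * @return the decoded attributes, or {@code null} when the cookie is absent
     */
    @SuppressWarnings("unchecked")
    private Map<String, String> getAttributes() throws IOException {
        Cookie cookie = this.headers.getCookies().get("KEYCLOAK_SOCIAL");
        if (cookie != null) {
            return (HashMap) new JWSInput(cookie.getValue()).readJsonContent(HashMap.class);
        }
        return null;
    }
}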
