package org.keycloak.services.resources;

import java.util.Objects;
import java.util.function.Consumer;
import org.jboss.logging.Logger;
import org.keycloak.TokenVerifier;
import org.keycloak.authentication.AuthenticationProcessor;
import org.keycloak.authentication.ExplainedVerificationException;
import org.keycloak.authentication.actiontoken.ActionTokenContext;
import org.keycloak.authentication.actiontoken.ExplainedTokenVerificationException;
import org.keycloak.common.VerificationException;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.models.ActionTokenKeyModel;
import org.keycloak.models.ActionTokenStoreProvider;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.protocol.oidc.utils.RedirectUtils;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.services.clientregistration.ErrorCodes;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.messages.Messages;
import org.keycloak.sessions.AuthenticationSessionCompoundId;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.sessions.CommonClientSessionModel;

/* loaded from: input_file:org/keycloak/services/resources/LoginActionsServiceChecks.class */
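/**
 * Verification predicates and static checks that the login-actions endpoints apply to action tokens.
 *
 * <p>Every check signals rejection by throwing rather than returning {@code false}: either an
 * {@link ExplainedTokenVerificationException} / {@link ExplainedVerificationException} carrying an internal
 * error code plus a user-facing {@link Messages} key, or a {@link LoginActionsServiceException} carrying the
 * response the endpoint should return instead of continuing. Callers are expected to let these propagate.
 *
 * <p>The nested predicates hold only the {@link ActionTokenContext} they were constructed with. Where noted,
 * a successful check also attaches the verified user or authentication session to that context.
 */
public class LoginActionsServiceChecks {
    private static final Logger LOG = Logger.getLogger(LoginActionsServiceChecks.class.getName());

    /**
     * Accepts a token only when its {@code sub} claim equals the id of the user already authenticated in the
     * context's authentication session.
     *
     * <p>Rejected with {@link Messages#INVALID_USER} when there is no authentication session, when the session
     * has no authenticated user yet, or when the ids differ, so a token cannot be completed inside a session
     * that belongs to another user.
     */
    public static class AuthenticationSessionUserIdMatchesOneFromToken implements TokenVerifier.Predicate<JsonWebToken> {
        private final ActionTokenContext<?> context;

        /**
         * @param actionTokenContext context whose authentication session supplies the expected user
         */
        public AuthenticationSessionUserIdMatchesOneFromToken(ActionTokenContext<?> actionTokenContext) {
            this.context = actionTokenContext;
        }

        /**
         * @param jsonWebToken the token under verification
         * @return {@code true} when the token subject matches the session's authenticated user
         * @throws ExplainedTokenVerificationException when the session or its user is missing, or the ids differ
         */
        @Override
        public boolean test(JsonWebToken jsonWebToken) throws VerificationException {
            AuthenticationSessionModel authSession = this.context.getAuthenticationSession();
            UserModel authenticatedUser = authSession == null ? null : authSession.getAuthenticatedUser();
            boolean subjectMatches = authenticatedUser != null
                    && Objects.equals(jsonWebToken.getSubject(), authenticatedUser.getId());
            if (!subjectMatches) {
                throw new ExplainedTokenVerificationException(jsonWebToken, "invalid_token", Messages.INVALID_USER);
            }
            return true;
        }
    }

    /**
     * Ensures the authentication session is at the {@link CommonClientSessionModel.Action} the token expects.
     *
     * <p>Passes when there is no authentication session, or when its action equals the expected one. If the
     * session has already advanced to {@link CommonClientSessionModel.Action#REQUIRED_ACTIONS}, the caller
     * receives (wrapped in {@link LoginActionsServiceException}) the response computed by
     * {@link AuthenticationManager#nextActionAfterAuthentication} rather than an error. Any other action is
     * rejected with {@link Messages#INVALID_CODE}.
     */
    public static class IsActionRequired implements TokenVerifier.Predicate<JsonWebToken> {
        private final ActionTokenContext<?> context;
        private final CommonClientSessionModel.Action expectedAction;

        /**
         * @param actionTokenContext context whose authentication session is inspected
         * @param action the action the session must currently be at
         */
        public IsActionRequired(ActionTokenContext<?> actionTokenContext, CommonClientSessionModel.Action action) {
            this.context = actionTokenContext;
            this.expectedAction = action;
        }

        /**
         * @param jsonWebToken the token under verification
         * @return {@code true} when there is no session or it is at the expected action
         * @throws LoginActionsServiceException when the session is already at {@code REQUIRED_ACTIONS}
         * @throws ExplainedTokenVerificationException when the session is at any other unexpected action
         */
        @Override
        public boolean test(JsonWebToken jsonWebToken) throws VerificationException {
            AuthenticationSessionModel authSession = this.context.getAuthenticationSession();
            if (authSession == null) {
                return true;
            }
            String currentAction = authSession.getAction();
            if (Objects.equals(currentAction, this.expectedAction.name())) {
                return true;
            }
            if (Objects.equals(CommonClientSessionModel.Action.REQUIRED_ACTIONS.name(), currentAction)) {
                // Session is already past the expected step: hand back the next-required-action response instead of an error.
                throw new LoginActionsServiceException(AuthenticationManager.nextActionAfterAuthentication(
                        this.context.getSession(), authSession, this.context.getClientConnection(),
                        this.context.getRequest(), this.context.getUriInfo(), this.context.getEvent()));
            }
            throw new ExplainedTokenVerificationException(jsonWebToken, "invalid_token", Messages.INVALID_CODE);
        }
    }

    /**
     * Validates the redirect URI carried with the token against the client of the current authentication session.
     *
     * <p>A {@code null} redirect URI passes (nothing to redirect to). Otherwise the URI must be accepted by
     * {@link RedirectUtils#verifyRedirectUri} for that client, or the token is rejected with
     * {@link Messages#INVALID_REDIRECT_URI}; this is what stops a token from steering the browser to an
     * unregistered location.
     */
    public static class IsRedirectValid implements TokenVerifier.Predicate<JsonWebToken> {
        private final ActionTokenContext<?> context;
        private final String redirectUri;

        /**
         * @param actionTokenContext context supplying realm, URI info and the authentication session's client
         * @param redirectUri the redirect URI to validate; {@code null} disables the check
         */
        public IsRedirectValid(ActionTokenContext<?> actionTokenContext, String redirectUri) {
            this.context = actionTokenContext;
            this.redirectUri = redirectUri;
        }

        /**
         * @param jsonWebToken the token under verification
         * @return {@code true} when there is no redirect URI or it is valid for the session's client
         * @throws ExplainedTokenVerificationException when the redirect URI is not accepted for the client
         */
        @Override
        public boolean test(JsonWebToken jsonWebToken) throws VerificationException {
            if (this.redirectUri == null) {
                return true;
            }
            // NOTE(review): assumes an authentication session is already attached to the context; a null one would NPE here.
            ClientModel client = this.context.getAuthenticationSession().getClient();
            if (RedirectUtils.verifyRedirectUri(this.context.getUriInfo(), this.redirectUri, this.context.getRealm(), client) == null) {
                throw new ExplainedTokenVerificationException(jsonWebToken, ErrorCodes.INVALID_REDIRECT_URI, Messages.INVALID_REDIRECT_URI);
            }
            return true;
        }
    }

    /**
     * Stops the action when a user session with the given id already exists in the realm, rendering an
     * "already logged in" info page instead.
     *
     * @param actionTokenContext context of the token being processed
     * @param userSessionId id of an existing user session to look up; {@code null} means none and the check passes
     * @param <T> token type
     * @throws LoginActionsServiceException carrying the info page when such a user session exists
     */
    public static <T extends JsonWebToken> void checkNotLoggedInYet(ActionTokenContext<T> actionTokenContext, String userSessionId) throws VerificationException {
        if (userSessionId == null) {
            return;
        }
        KeycloakSession session = actionTokenContext.getSession();
        if (session.sessions().getUserSession(actionTokenContext.getRealm(), userSessionId) == null) {
            return;
        }
        LoginFormsProvider infoPage = session.getProvider(LoginFormsProvider.class)
                .setAuthenticationSession(actionTokenContext.getAuthenticationSession())
                .setSuccess(Messages.ALREADY_LOGGED_IN);
        if (session.getContext().getClient() == null) {
            // No client in the request context; presumably the template's back link would have no target.
            infoPage.setAttribute("skipLink", true);
        }
        throw new LoginActionsServiceException(infoPage.createInfoPage());
    }

    /**
     * Resolves the user by id and requires it to exist and be enabled.
     *
     * @param keycloakSession session used to look the user up
     * @param realmModel realm the user must belong to
     * @param userId id of the user; {@code null} is treated as not found
     * @param onValidUser callback invoked with the user once validated; may be {@code null}
     * @throws ExplainedVerificationException with code {@code user_not_found} or {@code user_disabled}
     */
    public static void checkIsUserValid(KeycloakSession keycloakSession, RealmModel realmModel, String userId, Consumer<UserModel> onValidUser) throws VerificationException {
        UserModel user = userId == null ? null : keycloakSession.users().getUserById(userId, realmModel);
        if (user == null) {
            throw new ExplainedVerificationException("user_not_found", Messages.INVALID_USER);
        }
        if (!user.isEnabled()) {
            // Same user-facing message as the not-found case; only the internal error code distinguishes them.
            throw new ExplainedVerificationException("user_disabled", Messages.INVALID_USER);
        }
        if (onValidUser != null) {
            onValidUser.accept(user);
        }
    }

    /**
     * Token-level variant of {@link #checkIsUserValid(KeycloakSession, RealmModel, String, Consumer)}: validates
     * the user named by the token and, on success, sets it as the authenticated user of the context's
     * authentication session.
     *
     * @param token token carrying the user id
     * @param actionTokenContext context supplying session, realm and authentication session
     * @param <T> token type that also exposes {@link ActionTokenKeyModel#getUserId()}
     * @throws ExplainedTokenVerificationException wrapping the underlying user validation failure
     * @throws NullPointerException when the context has no authentication session
     */
    public static <T extends JsonWebToken & ActionTokenKeyModel> void checkIsUserValid(T token, ActionTokenContext<T> actionTokenContext) throws VerificationException {
        try {
            KeycloakSession session = actionTokenContext.getSession();
            RealmModel realm = actionTokenContext.getRealm();
            String userId = token.getUserId();
            AuthenticationSessionModel authSession = Objects.requireNonNull(
                    actionTokenContext.getAuthenticationSession(), "authenticationSession");
            checkIsUserValid(session, realm, userId, authSession::setAuthenticatedUser);
        } catch (ExplainedVerificationException e) {
            // Re-wrap so the failure is attributed to this token.
            throw new ExplainedTokenVerificationException(token, e);
        }
    }

    /**
     * Requires the client to exist and be enabled.
     *
     * @param keycloakSession current session (unused by the check itself; kept for the caller's convenience)
     * @param clientModel client to validate; {@code null} is treated as not found
     * @throws ExplainedVerificationException with code {@code client_not_found} in both cases, but a different
     *         user-facing message for a disabled client
     */
    public static void checkIsClientValid(KeycloakSession keycloakSession, ClientModel clientModel) throws VerificationException {
        if (clientModel == null) {
            throw new ExplainedVerificationException("client_not_found", Messages.UNKNOWN_LOGIN_REQUESTER);
        }
        if (!clientModel.isEnabled()) {
            throw new ExplainedVerificationException("client_not_found", Messages.LOGIN_REQUESTER_NOT_ENABLED);
        }
    }

    /**
     * Token-level variant of {@link #checkIsClientValid(KeycloakSession, ClientModel)}: the authentication
     * session's client must be valid and, when the token carries an {@code azp} (issued-for) claim, must be the
     * client named there. This binds the token to the client that requested it.
     *
     * @param token token whose {@code azp} is compared against the session's client id
     * @param actionTokenContext context supplying the session and authentication session
     * @param <T> token type
     * @throws ExplainedTokenVerificationException when the client is missing, disabled, or not the one in {@code azp}
     */
    public static <T extends JsonWebToken> void checkIsClientValid(T token, ActionTokenContext<T> actionTokenContext) throws VerificationException {
        String issuedFor = token.getIssuedFor();
        AuthenticationSessionModel authSession = actionTokenContext.getAuthenticationSession();
        ClientModel client = authSession == null ? null : authSession.getClient();
        try {
            checkIsClientValid(actionTokenContext.getSession(), client);
            // client is non-null past this point; an azp naming a different client is rejected as unknown.
            if (issuedFor != null && !Objects.equals(client.getClientId(), issuedFor)) {
                throw new ExplainedTokenVerificationException(token, "client_not_found", Messages.UNKNOWN_LOGIN_REQUESTER);
            }
        } catch (ExplainedVerificationException e) {
            throw new ExplainedTokenVerificationException(token, e);
        }
    }

    /**
     * Tries to bind the authentication session identified by the browser cookie to the one the token refers to.
     *
     * <p>If the cookie session's encoded compound id equals the id from the token, that session is attached to
     * the context. Otherwise, if the cookie session records a {@link AuthenticationProcessor#FORKED_FROM} tab,
     * the original tab is looked up in the same root session for the same client and attached instead, together
     * with its {@link AuthenticationProcessor#LAST_PROCESSED_EXECUTION} as the context's execution id.
     *
     * @param actionTokenContext context to attach the matched session to
     * @param authSessionFromCookie authentication session resolved from the browser
     * @param authSessionIdFromToken encoded compound id from the token; {@code null} means no match is possible
     * @param <T> token type
     * @return {@code true} when a session was matched and attached, {@code false} otherwise
     */
    public static <T extends JsonWebToken> boolean doesAuthenticationSessionFromCookieMatchOneFromToken(ActionTokenContext<T> actionTokenContext, AuthenticationSessionModel authSessionFromCookie, String authSessionIdFromToken) throws VerificationException {
        if (authSessionIdFromToken == null) {
            return false;
        }
        String cookieSessionId = AuthenticationSessionCompoundId.fromAuthSession(authSessionFromCookie).getEncodedId();
        if (Objects.equals(cookieSessionId, authSessionIdFromToken)) {
            actionTokenContext.setAuthenticationSession(authSessionFromCookie, false);
            return true;
        }
        // The cookie's tab may have been forked from another tab; fall back to that one within the same root session.
        String forkedFromTabId = authSessionFromCookie.getAuthNote(AuthenticationProcessor.FORKED_FROM);
        if (forkedFromTabId == null) {
            return false;
        }
        AuthenticationSessionModel forkedFrom = authSessionFromCookie.getParentSession()
                .getAuthenticationSession(authSessionFromCookie.getClient(), forkedFromTabId);
        if (forkedFrom == null) {
            return false;
        }
        LOG.debugf("Switched to forked tab: %s from: %s . Root session: %s",
                forkedFrom.getTabId(), authSessionFromCookie.getTabId(), authSessionFromCookie.getParentSession().getId());
        actionTokenContext.setAuthenticationSession(forkedFrom, false);
        actionTokenContext.setExecutionId(forkedFrom.getAuthNote(AuthenticationProcessor.LAST_PROCESSED_EXECUTION));
        return true;
    }

    /**
     * Rejects a token that is already present in the {@link ActionTokenStoreProvider}.
     *
     * <p>Presumably the store records tokens that have been consumed, making this the replay guard for
     * single-use action tokens; such a token is reported as {@link Messages#EXPIRED_ACTION}.
     *
     * @param token token to look up in the store
     * @param actionTokenContext context supplying the session
     * @param <T> token type usable as a store key
     * @throws ExplainedTokenVerificationException with code {@code expired_code} when the token is already stored
     */
    public static <T extends JsonWebToken & ActionTokenKeyModel> void checkTokenWasNotUsedYet(T token, ActionTokenContext<T> actionTokenContext) throws VerificationException {
        if (actionTokenContext.getSession().getProvider(ActionTokenStoreProvider.class).get(token) != null) {
            throw new ExplainedTokenVerificationException(token, "expired_code", Messages.EXPIRED_ACTION);
        }
    }
}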
