package org.keycloak.services.resources;

import java.io.IOException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.ws.rs.GET;
import javax.ws.rs.OPTIONS;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import org.jboss.logging.Logger;
import org.jboss.resteasy.spi.HttpRequest;
import org.jboss.resteasy.spi.ResteasyProviderFactory;
import org.keycloak.authentication.AuthenticationProcessor;
import org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator;
import org.keycloak.authentication.authenticators.broker.util.PostBrokerLoginConstants;
import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext;
import org.keycloak.broker.provider.AuthenticationRequest;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.broker.provider.IdentityProvider;
import org.keycloak.broker.provider.IdentityProviderFactory;
import org.keycloak.broker.provider.IdentityProviderMapper;
import org.keycloak.common.ClientConnection;
import org.keycloak.common.util.ObjectUtil;
import org.keycloak.common.util.Time;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.login.LoginFormsProvider;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.FederatedIdentityModel;
import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.FormMessage;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.ErrorPage;
import org.keycloak.services.ErrorResponse;
import org.keycloak.services.Urls;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.BruteForceProtector;
import org.keycloak.services.managers.ClientSessionCode;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.validation.Validation;
import org.keycloak.social.SocialIdentityProvider;
import org.keycloak.util.JsonSerialization;

/* loaded from: input_file:org/keycloak/services/resources/IdentityBrokerService.class */
public class IdentityBrokerService implements IdentityProvider.AuthenticationCallback {
    private static final Logger LOGGER = Logger.getLogger(IdentityBrokerService.class);
    private final RealmModel realmModel;

    @Context
    private UriInfo uriInfo;

    @Context
    private KeycloakSession session;

    @Context
    private ClientConnection clientConnection;

    @Context
    private HttpRequest request;

    @Context
    private HttpHeaders headers;
    private EventBuilder event;
    private BruteForceProtector protector;

    public IdentityBrokerService(RealmModel realmModel, BruteForceProtector bruteForceProtector) {
        if (realmModel == null) {
            throw new IllegalArgumentException("Realm can not be null.");
        }
        this.protector = bruteForceProtector;
        this.realmModel = realmModel;
    }

    public void init() {
        this.event = new EventBuilder(this.realmModel, this.session, this.clientConnection).event(EventType.IDENTITY_PROVIDER_LOGIN);
    }

    @POST
    @Path("/{provider_id}/login")
    public Response performPostLogin(@PathParam("provider_id") String str, @QueryParam("code") String str2) {
        return performLogin(str, str2);
    }

    @GET
    @Path("/{provider_id}/login")
    public Response performLogin(@PathParam("provider_id") String str, @QueryParam("code") String str2) {
        this.event.detail("identity_provider", str);
        if (isDebugEnabled()) {
            LOGGER.debugf("Sending authentication request to identity provider [%s].", str);
        }
        try {
            ClientSessionCode parseClientSessionCode = parseClientSessionCode(str2);
            IdentityProvider identityProvider = getIdentityProvider(this.session, this.realmModel, str);
            Response performLogin = identityProvider.performLogin(createAuthenticationRequest(str, parseClientSessionCode));
            if (performLogin == null) {
                return redirectToErrorPage(Messages.COULD_NOT_PROCEED_WITH_AUTHENTICATION_REQUEST, new Object[0]);
            }
            if (isDebugEnabled()) {
                LOGGER.debugf("Identity provider [%s] is going to send a request [%s].", identityProvider, performLogin);
            }
            return performLogin;
        } catch (Exception e) {
            return redirectToErrorPage(Messages.UNEXPECTED_ERROR_HANDLING_REQUEST, e, str);
        } catch (IdentityBrokerException e2) {
            return redirectToErrorPage(Messages.COULD_NOT_SEND_AUTHENTICATION_REQUEST, e2, str);
        }
    }

    @Path("{provider_id}/endpoint")
    public Object getEndpoint(@PathParam("provider_id") String str) {
        Object callback = getIdentityProvider(this.session, this.realmModel, str).callback(this.realmModel, this, this.event);
        ResteasyProviderFactory.getInstance().injectProperties(callback);
        return callback;
    }

    @Path("{provider_id}/token")
    @OPTIONS
    public Response retrieveTokenPreflight() {
        return Cors.add(this.request, Response.ok()).auth().preflight().build();
    }

    @GET
    @Path("{provider_id}/token")
    public Response retrieveToken(@PathParam("provider_id") String str) {
        return getToken(str, false);
    }

    private Response getToken(String str, boolean z) {
        this.event.event(EventType.IDENTITY_PROVIDER_RETRIEVE_TOKEN);
        try {
            AuthenticationManager.AuthResult authenticateBearerToken = new AppAuthManager().authenticateBearerToken(this.session, this.realmModel, this.uriInfo, this.clientConnection, this.request.getHttpHeaders());
            if (authenticateBearerToken == null) {
                return badRequest("Invalid token.");
            }
            AccessToken token = authenticateBearerToken.getToken();
            ClientModel clientByClientId = this.realmModel.getClientByClientId(token.getAudience()[0]);
            if (clientByClientId == null) {
                return badRequest("Invalid client.");
            }
            this.session.getContext().setClient(clientByClientId);
            if (this.realmModel.getClientByClientId("broker") == null) {
                return corsResponse(forbidden("Realm has not migrated to support the broker token exchange service"), clientByClientId);
            }
            Map resourceAccess = token.getResourceAccess();
            AccessToken.Access access = resourceAccess == null ? null : (AccessToken.Access) resourceAccess.get("broker");
            if (access == null || !access.isUserInRole("read-token")) {
                return corsResponse(forbidden("Client [" + clientByClientId.getClientId() + "] not authorized to retrieve tokens from identity provider [" + str + "]."), clientByClientId);
            }
            IdentityProvider identityProvider = getIdentityProvider(this.session, this.realmModel, str);
            if (!getIdentityProviderConfig(str).isStoreToken()) {
                return corsResponse(badRequest("Identity Provider [" + str + "] does not support this operation."), clientByClientId);
            }
            FederatedIdentityModel federatedIdentity = this.session.users().getFederatedIdentity(authenticateBearerToken.getUser(), str, this.realmModel);
            if (federatedIdentity == null) {
                return corsResponse(badRequest("User [" + authenticateBearerToken.getUser().getId() + "] is not associated with identity provider [" + str + "]."), clientByClientId);
            }
            this.event.success();
            return corsResponse(identityProvider.retrieveToken(federatedIdentity), clientByClientId);
        } catch (Exception e) {
            return redirectToErrorPage(Messages.UNEXPECTED_ERROR_RETRIEVING_TOKEN, e, str);
        } catch (IdentityBrokerException e2) {
            return redirectToErrorPage(Messages.COULD_NOT_OBTAIN_TOKEN, e2, str);
        }
    }

    public Response authenticated(BrokeredIdentityContext brokeredIdentityContext) {
        IdentityProviderModel idpConfig = brokeredIdentityContext.getIdpConfig();
        try {
            ClientSessionCode parseClientSessionCode = parseClientSessionCode(brokeredIdentityContext.getCode());
            String alias = idpConfig.getAlias();
            if (!idpConfig.isStoreToken()) {
                if (isDebugEnabled()) {
                    LOGGER.debugf("Token will not be stored for identity provider [%s].", alias);
                }
                brokeredIdentityContext.setToken((String) null);
            }
            ClientSessionModel clientSession = parseClientSessionCode.getClientSession();
            brokeredIdentityContext.setClientSession(clientSession);
            this.session.getContext().setClient(clientSession.getClient());
            brokeredIdentityContext.getIdp().preprocessFederatedIdentity(this.session, this.realmModel, brokeredIdentityContext);
            Set<IdentityProviderMapperModel> identityProviderMappersByAlias = this.realmModel.getIdentityProviderMappersByAlias(brokeredIdentityContext.getIdpConfig().getAlias());
            if (identityProviderMappersByAlias != null) {
                KeycloakSessionFactory keycloakSessionFactory = this.session.getKeycloakSessionFactory();
                for (IdentityProviderMapperModel identityProviderMapperModel : identityProviderMappersByAlias) {
                    keycloakSessionFactory.getProviderFactory(IdentityProviderMapper.class, identityProviderMapperModel.getIdentityProviderMapper()).preprocessFederatedIdentity(this.session, this.realmModel, identityProviderMapperModel, brokeredIdentityContext);
                }
            }
            FederatedIdentityModel federatedIdentityModel = new FederatedIdentityModel(alias, brokeredIdentityContext.getId(), brokeredIdentityContext.getUsername(), brokeredIdentityContext.getToken());
            this.event.event(EventType.IDENTITY_PROVIDER_LOGIN).detail(OIDCLoginProtocol.REDIRECT_URI_PARAM, clientSession.getRedirectUri()).detail("identity_provider_identity", brokeredIdentityContext.getUsername());
            UserModel userByFederatedIdentity = this.session.users().getUserByFederatedIdentity(federatedIdentityModel, this.realmModel);
            if (clientSession.getUserSession() != null) {
                return performAccountLinking(clientSession, brokeredIdentityContext, federatedIdentityModel, userByFederatedIdentity);
            }
            if (userByFederatedIdentity != null) {
                updateFederatedIdentity(brokeredIdentityContext, userByFederatedIdentity);
                clientSession.setAuthenticatedUser(userByFederatedIdentity);
                return finishOrRedirectToPostBrokerLogin(clientSession, brokeredIdentityContext, false);
            }
            LOGGER.debugf("Federated user not found for provider '%s' and broker username '%s' . Redirecting to flow for firstBrokerLogin", alias, brokeredIdentityContext.getUsername());
            String modelUsername = brokeredIdentityContext.getModelUsername();
            if (modelUsername == null) {
                modelUsername = (!this.realmModel.isRegistrationEmailAsUsername() || Validation.isBlank(brokeredIdentityContext.getEmail())) ? brokeredIdentityContext.getUsername() == null ? brokeredIdentityContext.getIdpConfig().getAlias() + "." + brokeredIdentityContext.getId() : brokeredIdentityContext.getIdpConfig().getAlias() + "." + brokeredIdentityContext.getUsername() : brokeredIdentityContext.getEmail();
            }
            brokeredIdentityContext.setModelUsername(modelUsername.trim());
            clientSession.setTimestamp(Time.currentTime());
            SerializedBrokeredIdentityContext.serialize(brokeredIdentityContext).saveToClientSession(clientSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE);
            return Response.status(302).location(LoginActionsService.firstBrokerLoginProcessor(this.uriInfo).queryParam("code", new Object[]{brokeredIdentityContext.getCode()}).build(new Object[]{this.realmModel.getName()})).build();
        } catch (Exception e) {
            return redirectToErrorPage(Messages.IDENTITY_PROVIDER_AUTHENTICATION_FAILED, e, idpConfig.getProviderId());
        }
    }

    @GET
    @Path("/after-first-broker-login")
    public Response afterFirstBrokerLogin(@QueryParam("code") String str) {
        ClientSessionModel clientSession = parseClientSessionCode(str).getClientSession();
        try {
            this.event.detail("code_id", clientSession.getId()).removeDetail("auth_method");
            SerializedBrokeredIdentityContext readFromClientSession = SerializedBrokeredIdentityContext.readFromClientSession(clientSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE);
            if (readFromClientSession == null) {
                throw new IdentityBrokerException("Not found serialized context in clientSession");
            }
            BrokeredIdentityContext deserialize = readFromClientSession.deserialize(this.session, clientSession);
            String alias = deserialize.getIdpConfig().getAlias();
            this.event.detail("identity_provider", alias);
            this.event.detail("identity_provider_identity", deserialize.getUsername());
            clientSession.removeNote(AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE);
            UserModel authenticatedUser = clientSession.getAuthenticatedUser();
            if (authenticatedUser == null) {
                throw new IdentityBrokerException("Couldn't found authenticated federatedUser in clientSession");
            }
            this.event.user(authenticatedUser);
            this.event.detail("username", authenticatedUser.getUsername());
            if (deserialize.getIdpConfig().isAddReadTokenRoleOnCreate()) {
                ClientModel clientByClientId = this.realmModel.getClientByClientId("broker");
                if (clientByClientId == null) {
                    throw new IdentityBrokerException("Client 'broker' not available. Maybe realm has not migrated to support the broker token exchange service");
                }
                authenticatedUser.grantRole(clientByClientId.getRole("read-token"));
            }
            this.session.users().addFederatedIdentity(this.realmModel, authenticatedUser, new FederatedIdentityModel(deserialize.getIdpConfig().getAlias(), deserialize.getId(), deserialize.getUsername(), deserialize.getToken()));
            if (Boolean.parseBoolean(clientSession.getNote(AbstractIdpAuthenticator.BROKER_REGISTERED_NEW_USER))) {
                LOGGER.debugf("Registered new user '%s' after first login with identity provider '%s'. Identity provider username is '%s' . ", authenticatedUser.getUsername(), alias, deserialize.getUsername());
                deserialize.getIdp().importNewUser(this.session, this.realmModel, authenticatedUser, deserialize);
                Set<IdentityProviderMapperModel> identityProviderMappersByAlias = this.realmModel.getIdentityProviderMappersByAlias(alias);
                if (identityProviderMappersByAlias != null) {
                    KeycloakSessionFactory keycloakSessionFactory = this.session.getKeycloakSessionFactory();
                    for (IdentityProviderMapperModel identityProviderMapperModel : identityProviderMappersByAlias) {
                        keycloakSessionFactory.getProviderFactory(IdentityProviderMapper.class, identityProviderMapperModel.getIdentityProviderMapper()).importNewUser(this.session, this.realmModel, authenticatedUser, identityProviderMapperModel, deserialize);
                    }
                }
                if (deserialize.getIdpConfig().isTrustEmail() && !Validation.isBlank(authenticatedUser.getEmail()) && !Boolean.parseBoolean(clientSession.getNote(AbstractIdpAuthenticator.UPDATE_PROFILE_EMAIL_CHANGED))) {
                    LOGGER.debugf("Email verified automatically after registration of user '%s' through Identity provider '%s' ", authenticatedUser.getUsername(), deserialize.getIdpConfig().getAlias());
                    authenticatedUser.setEmailVerified(true);
                }
                this.event.event(EventType.REGISTER).detail("register_method", "broker").detail("email", authenticatedUser.getEmail()).success();
            } else {
                LOGGER.debugf("Linked existing keycloak user '%s' with identity provider '%s' . Identity provider username is '%s' .", authenticatedUser.getUsername(), alias, deserialize.getUsername());
                this.event.event(EventType.FEDERATED_IDENTITY_LINK).success();
                updateFederatedIdentity(deserialize, authenticatedUser);
            }
            return finishOrRedirectToPostBrokerLogin(clientSession, deserialize, true);
        } catch (Exception e) {
            return redirectToErrorPage(Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR, e, new Object[0]);
        }
    }

    private Response finishOrRedirectToPostBrokerLogin(ClientSessionModel clientSessionModel, BrokeredIdentityContext brokeredIdentityContext, boolean z) {
        if (brokeredIdentityContext.getIdpConfig().getPostBrokerLoginFlowId() == null) {
            LOGGER.debugf("Skip redirect to postBrokerLogin flow. PostBrokerLogin flow not set for identityProvider '%s'.", brokeredIdentityContext.getIdpConfig().getAlias());
            return afterPostBrokerLoginFlowSuccess(clientSessionModel, brokeredIdentityContext, z);
        }
        LOGGER.debugf("Redirect to postBrokerLogin flow after authentication with identityProvider '%s'.", brokeredIdentityContext.getIdpConfig().getAlias());
        clientSessionModel.setTimestamp(Time.currentTime());
        SerializedBrokeredIdentityContext.serialize(brokeredIdentityContext).saveToClientSession(clientSessionModel, PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT);
        clientSessionModel.setNote(PostBrokerLoginConstants.PBL_AFTER_FIRST_BROKER_LOGIN, String.valueOf(z));
        return Response.status(302).location(LoginActionsService.postBrokerLoginProcessor(this.uriInfo).queryParam("code", new Object[]{brokeredIdentityContext.getCode()}).build(new Object[]{this.realmModel.getName()})).build();
    }

    @GET
    @Path("/after-post-broker-login")
    public Response afterPostBrokerLoginFlow(@QueryParam("code") String str) {
        ClientSessionModel clientSession = parseClientSessionCode(str).getClientSession();
        try {
            SerializedBrokeredIdentityContext readFromClientSession = SerializedBrokeredIdentityContext.readFromClientSession(clientSession, PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT);
            if (readFromClientSession == null) {
                throw new IdentityBrokerException("Not found serialized context in clientSession. Note PBL_BROKERED_IDENTITY_CONTEXT was null");
            }
            BrokeredIdentityContext deserialize = readFromClientSession.deserialize(this.session, clientSession);
            boolean parseBoolean = Boolean.parseBoolean(clientSession.getNote(PostBrokerLoginConstants.PBL_AFTER_FIRST_BROKER_LOGIN));
            if (!Boolean.parseBoolean(clientSession.getNote(PostBrokerLoginConstants.PBL_AUTH_STATE_PREFIX + deserialize.getIdpConfig().getAlias()))) {
                throw new IdentityBrokerException("Invalid request. Not found the flag that post-broker-login flow was finished");
            }
            clientSession.removeNote(PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT);
            clientSession.removeNote(PostBrokerLoginConstants.PBL_AFTER_FIRST_BROKER_LOGIN);
            return afterPostBrokerLoginFlowSuccess(clientSession, deserialize, parseBoolean);
        } catch (IdentityBrokerException e) {
            return redirectToErrorPage(Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR, e, new Object[0]);
        }
    }

    private Response afterPostBrokerLoginFlowSuccess(ClientSessionModel clientSessionModel, BrokeredIdentityContext brokeredIdentityContext, boolean z) {
        String alias = brokeredIdentityContext.getIdpConfig().getAlias();
        UserModel authenticatedUser = clientSessionModel.getAuthenticatedUser();
        if (z) {
            if (!Boolean.parseBoolean(clientSessionModel.getNote(AbstractIdpAuthenticator.IS_DIFFERENT_BROWSER))) {
                return finishBrokerAuthentication(brokeredIdentityContext, authenticatedUser, clientSessionModel, alias);
            }
            this.session.sessions().removeClientSession(this.realmModel, clientSessionModel);
            return this.session.getProvider(LoginFormsProvider.class).setSuccess(Messages.IDENTITY_PROVIDER_LINK_SUCCESS, new Object[]{brokeredIdentityContext.getIdpConfig().getAlias(), brokeredIdentityContext.getUsername()}).createInfoPage();
        }
        if (!(clientSessionModel.getNote(AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE) != null)) {
            return finishBrokerAuthentication(brokeredIdentityContext, authenticatedUser, clientSessionModel, alias);
        }
        LOGGER.debugf("Reauthenticated with broker '%s' when linking user '%s' with other broker", brokeredIdentityContext.getIdpConfig().getAlias(), authenticatedUser.getUsername());
        UserModel existingUser = AbstractIdpAuthenticator.getExistingUser(this.session, this.realmModel, clientSessionModel);
        return !existingUser.getId().equals(authenticatedUser.getId()) ? redirectToErrorPage(Messages.IDENTITY_PROVIDER_DIFFERENT_USER_MESSAGE, authenticatedUser.getUsername(), existingUser.getUsername()) : afterFirstBrokerLogin(brokeredIdentityContext.getCode());
    }

    private Response finishBrokerAuthentication(BrokeredIdentityContext brokeredIdentityContext, UserModel userModel, ClientSessionModel clientSessionModel, String str) {
        UserSessionModel createUserSession = this.session.sessions().createUserSession(this.realmModel, userModel, userModel.getUsername(), this.clientConnection.getRemoteAddr(), "broker", false, brokeredIdentityContext.getBrokerSessionId(), brokeredIdentityContext.getBrokerUserId());
        this.event.user(userModel);
        this.event.session(createUserSession);
        TokenManager.attachClientSession(createUserSession, clientSessionModel);
        brokeredIdentityContext.getIdp().attachUserSession(createUserSession, clientSessionModel, brokeredIdentityContext);
        createUserSession.setNote("identity_provider", str);
        createUserSession.setNote("identity_provider_identity", brokeredIdentityContext.getUsername());
        if (isDebugEnabled()) {
            LOGGER.debugf("Performing local authentication for user [%s].", userModel);
        }
        return AuthenticationProcessor.createRequiredActionRedirect(this.realmModel, clientSessionModel, this.uriInfo);
    }

    public Response cancelled(String str) {
        ClientSessionCode parse = ClientSessionCode.parse(str, this.session, this.realmModel);
        return (parse.getClientSession() == null || !parse.isValid(ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) ? redirectToErrorPage(Messages.INVALID_CODE, new Object[0]) : browserAuthentication(parse.getClientSession(), null);
    }

    public Response error(String str, String str2) {
        ClientSessionCode parse = ClientSessionCode.parse(str, this.session, this.realmModel);
        return (parse.getClientSession() == null || !parse.isValid(ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) ? redirectToErrorPage(Messages.INVALID_CODE, new Object[0]) : browserAuthentication(parse.getClientSession(), str2);
    }

    private Response performAccountLinking(ClientSessionModel clientSessionModel, BrokeredIdentityContext brokeredIdentityContext, FederatedIdentityModel federatedIdentityModel, UserModel userModel) {
        this.event.event(EventType.FEDERATED_IDENTITY_LINK);
        if (userModel != null) {
            return redirectToAccountErrorPage(clientSessionModel, Messages.IDENTITY_PROVIDER_ALREADY_LINKED, brokeredIdentityContext.getIdpConfig().getAlias());
        }
        UserModel user = clientSessionModel.getUserSession().getUser();
        if (isDebugEnabled()) {
            LOGGER.debugf("Linking account [%s] from identity provider [%s] to user [%s].", federatedIdentityModel, brokeredIdentityContext.getIdpConfig().getAlias(), user);
        }
        if (!user.isEnabled()) {
            return redirectToAccountErrorPage(clientSessionModel, Messages.ACCOUNT_DISABLED, new Object[0]);
        }
        if (!user.hasRole(this.realmModel.getClientByClientId("account").getRole("manage-account"))) {
            return redirectToErrorPage(Messages.INSUFFICIENT_PERMISSION, new Object[0]);
        }
        this.session.users().addFederatedIdentity(this.realmModel, user, federatedIdentityModel);
        brokeredIdentityContext.getIdp().attachUserSession(clientSessionModel.getUserSession(), clientSessionModel, brokeredIdentityContext);
        this.event.user(user).detail("username", user.getUsername()).detail("identity_provider", federatedIdentityModel.getIdentityProvider()).detail("identity_provider_identity", federatedIdentityModel.getUserName()).success();
        return Response.status(302).location(UriBuilder.fromUri(clientSessionModel.getRedirectUri()).build(new Object[0])).build();
    }

    private void updateFederatedIdentity(BrokeredIdentityContext brokeredIdentityContext, UserModel userModel) {
        FederatedIdentityModel federatedIdentity = this.session.users().getFederatedIdentity(userModel, brokeredIdentityContext.getIdpConfig().getAlias(), this.realmModel);
        if (brokeredIdentityContext.getIdpConfig().isStoreToken() && !ObjectUtil.isEqualOrBothNull(brokeredIdentityContext.getToken(), federatedIdentity.getToken())) {
            federatedIdentity.setToken(brokeredIdentityContext.getToken());
            this.session.users().updateFederatedIdentity(this.realmModel, userModel, federatedIdentity);
            if (isDebugEnabled()) {
                LOGGER.debugf("Identity [%s] update with response from identity provider [%s].", userModel, brokeredIdentityContext.getIdpConfig().getAlias());
            }
        }
        brokeredIdentityContext.getIdp().updateBrokeredUser(this.session, this.realmModel, userModel, brokeredIdentityContext);
        Set<IdentityProviderMapperModel> identityProviderMappersByAlias = this.realmModel.getIdentityProviderMappersByAlias(brokeredIdentityContext.getIdpConfig().getAlias());
        if (identityProviderMappersByAlias != null) {
            KeycloakSessionFactory keycloakSessionFactory = this.session.getKeycloakSessionFactory();
            for (IdentityProviderMapperModel identityProviderMapperModel : identityProviderMappersByAlias) {
                keycloakSessionFactory.getProviderFactory(IdentityProviderMapper.class, identityProviderMapperModel.getIdentityProviderMapper()).updateBrokeredUser(this.session, this.realmModel, userModel, identityProviderMapperModel, brokeredIdentityContext);
            }
        }
    }

    private ClientSessionCode parseClientSessionCode(String str) {
        ClientSessionCode parse = ClientSessionCode.parse(str, this.session, this.realmModel);
        if (parse == null || !parse.isValid(ClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) {
            throw new IdentityBrokerException("Invalid code, please login again through your client.");
        }
        ClientSessionModel clientSession = parse.getClientSession();
        if (clientSession != null) {
            ClientModel client = clientSession.getClient();
            if (client == null) {
                throw new IdentityBrokerException("Invalid client");
            }
            LOGGER.debugf("Got authorization code from client [%s].", client.getClientId());
            this.event.client(client);
            this.session.getContext().setClient(client);
            if (clientSession.getUserSession() != null) {
                this.event.session(clientSession.getUserSession());
            }
        }
        if (isDebugEnabled()) {
            LOGGER.debugf("Authorization code is valid.", new Object[0]);
        }
        return parse;
    }

    private AuthenticationRequest createAuthenticationRequest(String str, ClientSessionCode clientSessionCode) {
        ClientSessionModel clientSessionModel = null;
        String str2 = null;
        if (clientSessionCode != null) {
            clientSessionModel = clientSessionCode.getClientSession();
            str2 = clientSessionCode.getCode();
        }
        return new AuthenticationRequest(this.session, this.realmModel, clientSessionModel, this.request, this.uriInfo, str2, getRedirectUri(str));
    }

    private String getRedirectUri(String str) {
        return Urls.identityProviderAuthnResponse(this.uriInfo.getBaseUri(), str, this.realmModel.getName()).toString();
    }

    private Response redirectToErrorPage(String str, Object... objArr) {
        return redirectToErrorPage(str, null, objArr);
    }

    private Response redirectToErrorPage(String str, Throwable th, Object... objArr) {
        if (str == null) {
            str = Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR;
        }
        fireErrorEvent(str, th);
        return ErrorPage.error(this.session, str, objArr);
    }

    private Response redirectToAccountErrorPage(ClientSessionModel clientSessionModel, String str, Object... objArr) {
        fireErrorEvent(str);
        try {
            clientSessionModel.setNote(AccountService.ACCOUNT_MGMT_FORWARDED_ERROR_NOTE, JsonSerialization.writeValueAsString(new FormMessage(str, objArr)));
            return Response.status(302).location(UriBuilder.fromUri(clientSessionModel.getRedirectUri()).build(new Object[0])).build();
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    private Response redirectToLoginPage(Throwable th, ClientSessionCode clientSessionCode) {
        String message = th.getMessage();
        if (message == null) {
            message = Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR;
        }
        fireErrorEvent(message);
        return browserAuthentication(clientSessionCode.getClientSession(), message);
    }

    protected Response browserAuthentication(ClientSessionModel clientSessionModel, String str) {
        this.event.event(EventType.LOGIN);
        String id = this.realmModel.getBrowserFlow().getId();
        AuthenticationProcessor authenticationProcessor = new AuthenticationProcessor();
        authenticationProcessor.setClientSession(clientSessionModel).setFlowPath(LoginActionsService.AUTHENTICATE_PATH).setFlowId(id).setConnection(this.clientConnection).setEventBuilder(this.event).setProtector(this.protector).setRealm(this.realmModel).setSession(this.session).setUriInfo(this.uriInfo).setRequest(this.request);
        if (str != null) {
            authenticationProcessor.setForwardedErrorMessage(new FormMessage((String) null, str));
        }
        try {
            return authenticationProcessor.authenticate();
        } catch (Exception e) {
            return authenticationProcessor.handleBrowserException(e);
        }
    }

    private Response badRequest(String str) {
        fireErrorEvent(str);
        return ErrorResponse.error(str, Response.Status.BAD_REQUEST);
    }

    private Response forbidden(String str) {
        fireErrorEvent(str);
        return ErrorResponse.error(str, Response.Status.FORBIDDEN);
    }

    public static IdentityProvider getIdentityProvider(KeycloakSession keycloakSession, RealmModel realmModel, String str) {
        IdentityProviderModel identityProviderByAlias = realmModel.getIdentityProviderByAlias(str);
        if (identityProviderByAlias == null) {
            throw new IdentityBrokerException("Identity Provider [" + str + "] not found.");
        }
        IdentityProviderFactory identityProviderFactory = getIdentityProviderFactory(keycloakSession, identityProviderByAlias);
        if (identityProviderFactory == null) {
            throw new IdentityBrokerException("Could not find factory for identity provider [" + str + "].");
        }
        return identityProviderFactory.create(identityProviderByAlias);
    }

    private static IdentityProviderFactory getIdentityProviderFactory(KeycloakSession keycloakSession, IdentityProviderModel identityProviderModel) {
        HashMap hashMap = new HashMap();
        ArrayList<IdentityProviderFactory> arrayList = new ArrayList();
        arrayList.addAll(keycloakSession.getKeycloakSessionFactory().getProviderFactories(IdentityProvider.class));
        arrayList.addAll(keycloakSession.getKeycloakSessionFactory().getProviderFactories(SocialIdentityProvider.class));
        for (IdentityProviderFactory identityProviderFactory : arrayList) {
            hashMap.put(identityProviderFactory.getId(), identityProviderFactory);
        }
        return (IdentityProviderFactory) hashMap.get(identityProviderModel.getProviderId());
    }

    private IdentityProviderModel getIdentityProviderConfig(String str) {
        IdentityProviderModel identityProviderByAlias = this.realmModel.getIdentityProviderByAlias(str);
        if (identityProviderByAlias == null) {
            throw new IdentityBrokerException("Configuration for identity provider [" + str + "] not found.");
        }
        return identityProviderByAlias;
    }

    private Response corsResponse(Response response, ClientModel clientModel) {
        return Cors.add(this.request, Response.fromResponse(response)).auth().allowedOrigins(clientModel).build();
    }

    private void fireErrorEvent(String str, Throwable th) {
        if (!this.event.getEvent().getType().toString().endsWith("_ERROR")) {
            boolean z = !this.session.getTransaction().isActive();
            if (z) {
                try {
                    this.session.getTransaction().begin();
                } catch (Exception e) {
                    LOGGER.error("Could not fire event.", e);
                    rollback();
                }
            }
            this.event.error(str);
            if (z) {
                this.session.getTransaction().commit();
            }
        }
        if (th != null) {
            LOGGER.error(str, th);
        } else {
            LOGGER.error(str);
        }
    }

    private void fireErrorEvent(String str) {
        fireErrorEvent(str, null);
    }

    private boolean isDebugEnabled() {
        return LOGGER.isDebugEnabled();
    }

    private void rollback() {
        if (this.session.getTransaction().isActive()) {
            this.session.getTransaction().rollback();
        }
    }
}
