package org.keycloak.protocol.docker;

import javax.ws.rs.GET;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.jboss.logging.Logger;
import org.keycloak.common.Profile;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.AuthenticationFlowModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.AuthorizationEndpointBase;
import org.keycloak.protocol.oidc.endpoints.request.AuthorizationEndpointRequestParserProcessor;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.Urls;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.util.CacheControlUtil;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.sessions.CommonClientSessionModel;
import org.keycloak.utils.ProfileHelper;

/* loaded from: input_file:org/keycloak/protocol/docker/DockerEndpoint.class */
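/**
 * JAX-RS resource that accepts the GET request of a Docker registry client and starts an
 * authentication session for the {@link DockerAuthV2Protocol} login protocol.
 *
 * <p>The {@code account}, {@code service} and {@code scope} query parameters are supplied by the
 * caller before any authentication has taken place, so everything read from them is untrusted.
 * The only validation done here is that {@code service} resolves to a client of the realm.
 *
 * <p>NOTE(review): the request-scoped fields below are overwritten on every {@link #build()} call,
 * so an instance is only safe for one request at a time. Presumably the resource is created per
 * request; confirm against the code that instantiates it.
 */
public class DockerEndpoint extends AuthorizationEndpointBase {
    protected static final Logger logger = Logger.getLogger(DockerEndpoint.class);

    /** Event type recorded for the login attempt; handed to the protocol's event builder. */
    private final EventType login;

    // Request-scoped state, filled in by build(). All three strings come straight from the
    // query string and are never normalised or length-checked in this class.
    private String account;
    private String service;
    private String scope;
    private ClientModel client;
    private AuthenticationSessionModel authenticationSession;

    /**
     * @param keycloakSession session passed to the base endpoint
     * @param eventBuilder event builder passed to the base endpoint
     * @param eventType event type used when the login event is emitted in {@link #build()}
     */
    public DockerEndpoint(KeycloakSession keycloakSession, EventBuilder eventBuilder, EventType eventType) {
        super(keycloakSession, eventBuilder);
        this.login = eventType;
    }

    /**
     * Validates the request, creates the authentication session and delegates to the browser
     * authentication handling of the base class.
     *
     * @return the response produced by {@code handleBrowserAuthenticationRequest}
     * @throws ErrorResponseException with status 400 when {@code service} is missing or does not
     *     name a client of the realm; the inherited checks may throw their own errors
     */
    @GET
    public Response build() {
        ProfileHelper.requireFeature(Profile.Feature.DOCKER);

        // Run the inherited gates before touching any caller-supplied parameter. They cannot
        // depend on the private fields of this class, and running them first means a request
        // they reject never triggers a client lookup, never learns whether a client id exists
        // and never writes a caller-controlled value to the log.
        // NOTE(review): presumably these enforce the realm's TLS requirement and that the realm
        // is enabled; both are defined in AuthorizationEndpointBase, which is not visible here.
        checkSsl();
        checkRealm();

        final MultivaluedMap<String, String> queryParameters =
                this.session.getContext().getUri().getQueryParameters();

        this.account = queryParameters.getFirst("account");
        if (this.account == null) {
            logger.debug("Account parameter not provided by docker auth.  This is techincally required, but not actually used since username is provided by Basic auth header.");
        }

        this.service = queryParameters.getFirst(DockerAuthV2Protocol.SERVICE_PARAM);
        if (this.service == null) {
            throw new ErrorResponseException("invalid_request", "service parameter must be provided", Response.Status.BAD_REQUEST);
        }

        this.client = this.realm.getClientByClientId(this.service);
        if (this.client == null) {
            // 'service' is attacker-controlled, so control characters are replaced before it is
            // logged to keep a crafted value from forging additional log lines.
            // NOTE(review): any unauthenticated caller can produce this error-level entry, and
            // the distinct invalid_client response tells the caller which client ids exist.
            logger.errorv("Failed to lookup client given by service={0} parameter for realm: {1}.", sanitizeForLog(this.service), this.realm.getName());
            throw new ErrorResponseException("invalid_client", "Client specified by 'service' parameter does not exist", Response.Status.BAD_REQUEST);
        }

        this.scope = queryParameters.getFirst("scope");

        this.authenticationSession = createAuthenticationSession(
                this.client,
                AuthorizationEndpointRequestParserProcessor.parseRequest(
                        this.event,
                        this.session,
                        this.client,
                        queryParameters,
                        AuthorizationEndpointRequestParserProcessor.EndpointType.DOCKER_ENDPOINT)
                        .getState());
        updateAuthenticationSession();

        CacheControlUtil.noBackButtonCacheControlHeader(this.session);

        // The meaning of the two trailing boolean flags is defined by the base class.
        return handleBrowserAuthenticationRequest(
                this.authenticationSession,
                new DockerAuthV2Protocol(this.session, this.realm, this.session.getContext().getUri(), this.headers, this.event.event(this.login)),
                false,
                false);
    }

    /**
     * Replaces ISO control characters (including CR and LF) with {@code '_'} so that a
     * caller-supplied value cannot break out of its log line.
     *
     * @param value non-null text taken from the request
     * @return {@code value} with every control character replaced
     */
    private static String sanitizeForLog(String value) {
        final StringBuilder cleaned = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            final char c = value.charAt(i);
            cleaned.append(Character.isISOControl(c) ? '_' : c);
        }
        return cleaned.toString();
    }

    /**
     * Stamps the freshly created authentication session with the protocol, the action and the
     * client notes that the rest of the Docker flow reads.
     */
    private void updateAuthenticationSession() {
        this.authenticationSession.setProtocol(DockerAuthV2Protocol.LOGIN_PROTOCOL);
        this.authenticationSession.setAction(CommonClientSessionModel.Action.AUTHENTICATE.name());
        // NOTE(review): TRANSIENT presumably means no persistent user session is kept for
        // registry logins; confirm against UserSessionModel.SessionPersistenceState.
        this.authenticationSession.setClientNote(AuthenticationManager.USER_SESSION_PERSISTENT_STATE, UserSessionModel.SessionPersistenceState.TRANSIENT.toString());
        // 'account' and 'scope' are stored exactly as received and may be null; whatever reads
        // these notes later has to treat them as unvalidated caller input.
        this.authenticationSession.setClientNote("account", this.account);
        this.authenticationSession.setClientNote(DockerAuthV2Protocol.SERVICE_PARAM, this.service);
        this.authenticationSession.setClientNote("scope", this.scope);
        // NOTE(review): the issuer is built from the base URI of the current request. If that
        // URI can follow a caller-supplied Host header, so does the issuer; confirm that the
        // deployment pins the public hostname.
        this.authenticationSession.setClientNote(DockerAuthV2Protocol.ISSUER, Urls.realmIssuer(this.session.getContext().getUri().getBaseUri(), this.realm.getName()));
    }

    /**
     * Selects the realm's dedicated Docker authentication flow; the session argument is unused.
     *
     * @param authenticationSessionModel the session being authenticated (ignored)
     * @return the flow returned by {@code realm.getDockerAuthenticationFlow()}
     */
    @Override
    protected AuthenticationFlowModel getAuthenticationFlow(AuthenticationSessionModel authenticationSessionModel) {
        return this.realm.getDockerAuthenticationFlow();
    }
}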
