package org.keycloak.protocol.oidc.endpoints;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.util.List;
import java.util.Map;
import javax.ws.rs.GET;
import javax.ws.rs.OPTIONS;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.jboss.resteasy.annotations.cache.NoCache;
import org.keycloak.TokenCategory;
import org.keycloak.TokenVerifier;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.broker.oidc.OIDCIdentityProvider;
import org.keycloak.common.ClientConnection;
import org.keycloak.common.VerificationException;
import org.keycloak.crypto.CekManagementProvider;
import org.keycloak.crypto.ContentEncryptionProvider;
import org.keycloak.crypto.KeyWrapper;
import org.keycloak.crypto.SignatureProvider;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.http.HttpRequest;
import org.keycloak.jose.jwe.JWEException;
import org.keycloak.jose.jwe.alg.JWEAlgorithmProvider;
import org.keycloak.jose.jwe.enc.JWEEncryptionProvider;
import org.keycloak.jose.jwk.JWK;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.keys.loader.PublicKeyStorageManager;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.protocol.saml.SamlProtocol;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.Urls;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.context.UserInfoRequestContext;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.UserSessionCrossDCManager;
import org.keycloak.services.resources.Cors;
import org.keycloak.services.util.DefaultClientSessionContext;
import org.keycloak.services.util.MtlsHoKTokenUtil;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.util.JsonSerialization;
import org.keycloak.util.TokenUtil;
import org.keycloak.utils.MediaType;
import org.keycloak.utils.OAuth2Error;

/* loaded from: input_file:org/keycloak/protocol/oidc/endpoints/UserInfoEndpoint.class */
public class UserInfoEndpoint {
    private final HttpRequest request;
    private final KeycloakSession session;
    private final ClientConnection clientConnection;
    private final TokenManager tokenManager;
    private final AppAuthManager appAuthManager = new AppAuthManager();
    private final RealmModel realm;
    private final OAuth2Error error;
    private Cors cors;
    private String authorization;

    public UserInfoEndpoint(KeycloakSession keycloakSession, TokenManager tokenManager) {
        this.session = keycloakSession;
        this.clientConnection = keycloakSession.getContext().getConnection();
        this.realm = keycloakSession.getContext().getRealm();
        this.tokenManager = tokenManager;
        this.error = new OAuth2Error().json(false).realm(this.realm);
        this.request = keycloakSession.getContext().getHttpRequest();
    }

    @Path("/")
    @OPTIONS
    public Response issueUserInfoPreflight() {
        return Cors.add(this.request, Response.ok()).auth().preflight().build();
    }

    @GET
    @Path("/")
    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    public Response issueUserInfoGet() {
        setupCors();
        AppAuthManager appAuthManager = this.appAuthManager;
        authorization(AppAuthManager.extractAuthorizationHeaderTokenOrReturnNull(this.session.getContext().getRequestHeaders()));
        return issueUserInfo();
    }

    @Path("/")
    @NoCache
    @POST
    @Produces({MediaType.APPLICATION_JSON})
    public Response issueUserInfoPost() {
        setupCors();
        HttpHeaders httpHeaders = this.request.getHttpHeaders();
        AppAuthManager appAuthManager = this.appAuthManager;
        authorization(AppAuthManager.extractAuthorizationHeaderTokenOrReturnNull(httpHeaders));
        try {
            if (MediaType.APPLICATION_FORM_URLENCODED.equalsIgnoreCase(httpHeaders.getHeaderString("Content-Type"))) {
                MultivaluedMap<String, String> decodedFormParameters = this.request.getDecodedFormParameters();
                checkAccessTokenDuplicated(decodedFormParameters);
                authorization((String) decodedFormParameters.getFirst("access_token"));
            }
        } catch (IllegalArgumentException e) {
        }
        return issueUserInfo();
    }

    private Response issueUserInfo() {
        Response.ResponseBuilder header;
        this.cors.allowAllOrigins();
        try {
            this.session.clientPolicy().triggerOnEvent(new UserInfoRequestContext(this.authorization));
            EventBuilder detail = new EventBuilder(this.realm, this.session, this.clientConnection).event(EventType.USER_INFO_REQUEST).detail("auth_method", "validate_access_token");
            if (this.authorization == null) {
                detail.error("invalid_token");
                throw this.error.unauthorized();
            }
            try {
                TokenVerifier realmUrl = TokenVerifier.create(this.authorization, AccessToken.class).withDefaultChecks().realmUrl(Urls.realmIssuer(this.session.getContext().getUri().getBaseUri(), this.realm.getName()));
                realmUrl.verifierContext(this.session.getProvider(SignatureProvider.class, realmUrl.getHeader().getAlgorithm().name()).verifier(realmUrl.getHeader().getKeyId()));
                AccessToken accessToken = (AccessToken) realmUrl.verify().getToken();
                if (!TokenUtil.hasScope(accessToken.getScope(), OIDCIdentityProvider.SCOPE_OPENID)) {
                    detail.error(AbstractOAuth2IdentityProvider.ACCESS_DENIED);
                    throw this.error.insufficientScope("Missing openid scope");
                }
                ClientModel clientByClientId = this.realm.getClientByClientId(accessToken.getIssuedFor());
                if (clientByClientId == null) {
                    detail.error("client_not_found");
                    throw this.error.invalidToken("Client not found");
                }
                this.cors.allowedOrigins(this.session, clientByClientId);
                TokenVerifier.createWithoutSignature(accessToken).withChecks(new TokenVerifier.Predicate[]{TokenManager.NotBeforeCheck.forModel(clientByClientId), new TokenManager.TokenRevocationCheck(this.session)}).verify();
                if (!clientByClientId.getProtocol().equals("openid-connect")) {
                    detail.error("invalid_client");
                    throw this.error.invalidToken("Wrong client protocol");
                }
                this.session.getContext().setClient(clientByClientId);
                detail.client(clientByClientId);
                if (!clientByClientId.isEnabled()) {
                    detail.error("client_disabled");
                    throw this.error.invalidToken("Client disabled");
                }
                UserSessionModel findValidSession = findValidSession(accessToken, detail, clientByClientId);
                UserModel user = findValidSession.getUser();
                if (user == null) {
                    detail.error("user_not_found");
                    throw this.error.invalidToken("User not found");
                }
                detail.user(user).detail("username", user.getUsername());
                if (!user.isEnabled()) {
                    detail.error("user_disabled");
                    throw this.error.invalidToken("User disabled");
                }
                if (OIDCAdvancedConfigWrapper.fromClientModel(clientByClientId).isUseMtlsHokToken() && !MtlsHoKTokenUtil.verifyTokenBindingWithClientCertificate(accessToken, this.request, this.session)) {
                    detail.error("not_allowed");
                    throw this.error.invalidToken(MtlsHoKTokenUtil.CERT_VERIFY_ERROR_DESC);
                }
                DefaultClientSessionContext fromClientSessionScopeParameter = DefaultClientSessionContext.fromClientSessionScopeParameter(findValidSession.getAuthenticatedClientSessionByClient(clientByClientId.getId()), this.session);
                AccessToken accessToken2 = new AccessToken();
                this.tokenManager.transformUserInfoAccessToken(this.session, accessToken2, findValidSession, fromClientSessionScopeParameter);
                Map<String, Object> generateUserInfoClaims = this.tokenManager.generateUserInfoClaims(accessToken2, user);
                OIDCAdvancedConfigWrapper fromClientModel = OIDCAdvancedConfigWrapper.fromClientModel(clientByClientId);
                if (fromClientModel.isUserInfoSignatureRequired()) {
                    String realmIssuer = Urls.realmIssuer(this.session.getContext().getUri().getBaseUri(), this.realm.getName());
                    String clientId = clientByClientId.getClientId();
                    generateUserInfoClaims.put(OIDCLoginProtocol.ISSUER, realmIssuer);
                    generateUserInfoClaims.put("aud", clientId);
                    String sign = new JWSBuilder().type("JWT").jsonContent(generateUserInfoClaims).sign(this.session.getProvider(SignatureProvider.class, this.session.tokens().signatureAlgorithm(TokenCategory.USERINFO)).signer());
                    try {
                        header = Response.ok(fromClientModel.isUserInfoEncryptionRequired() ? jweFromContent(sign, "JWT") : sign).header("Content-Type", MediaType.APPLICATION_JWT);
                        detail.detail("signature_required", "true");
                        detail.detail("signature_algorithm", fromClientModel.getUserInfoSignedResponseAlg());
                    } catch (RuntimeException e) {
                        throw this.error.status(Response.Status.INTERNAL_SERVER_ERROR).build();
                    }
                } else if (fromClientModel.isUserInfoEncryptionRequired()) {
                    try {
                        header = Response.ok(jweFromContent(JsonSerialization.writeValueAsString(generateUserInfoClaims), null)).header("Content-Type", MediaType.APPLICATION_JWT);
                        detail.detail("signature_required", SamlProtocol.ATTRIBUTE_FALSE_VALUE);
                    } catch (IOException | RuntimeException e2) {
                        throw this.error.status(Response.Status.INTERNAL_SERVER_ERROR).build();
                    }
                } else {
                    header = Response.ok(generateUserInfoClaims).header("Content-Type", MediaType.APPLICATION_JSON);
                    detail.detail("signature_required", SamlProtocol.ATTRIBUTE_FALSE_VALUE);
                }
                detail.success();
                return this.cors.builder(header).build();
            } catch (VerificationException e3) {
                if (0 == 0) {
                    this.cors.allowAllOrigins();
                }
                detail.error("invalid_token");
                throw this.error.invalidToken("Token verification failed");
            }
        } catch (ClientPolicyException e4) {
            throw this.error.error(e4.getError()).errorDescription(e4.getErrorDetail()).status(e4.getErrorStatus()).build();
        }
    }

    private String jweFromContent(String str, String str2) {
        String cekManagementAlgorithm = this.session.tokens().cekManagementAlgorithm(TokenCategory.USERINFO);
        String encryptAlgorithm = this.session.tokens().encryptAlgorithm(TokenCategory.USERINFO);
        JWEAlgorithmProvider jweAlgorithmProvider = this.session.getProvider(CekManagementProvider.class, cekManagementAlgorithm).jweAlgorithmProvider();
        JWEEncryptionProvider jweEncryptionProvider = this.session.getProvider(ContentEncryptionProvider.class, encryptAlgorithm).jweEncryptionProvider();
        KeyWrapper clientPublicKeyWrapper = PublicKeyStorageManager.getClientPublicKeyWrapper(this.session, this.session.getContext().getClient(), JWK.Use.ENCRYPTION, cekManagementAlgorithm);
        if (clientPublicKeyWrapper == null) {
            throw new RuntimeException("can not get encryption KEK");
        }
        try {
            return TokenUtil.jweKeyEncryptionEncode(clientPublicKeyWrapper.getPublicKey(), str.getBytes("UTF-8"), cekManagementAlgorithm, encryptAlgorithm, clientPublicKeyWrapper.getKid(), jweAlgorithmProvider, jweEncryptionProvider, str2);
        } catch (JWEException | UnsupportedEncodingException e) {
            throw new RuntimeException((Throwable) e);
        }
    }

    private UserSessionModel createTransientSessionForClient(AccessToken accessToken, ClientModel clientModel) {
        UserModel lookupUserFromStatelessToken = TokenManager.lookupUserFromStatelessToken(this.session, this.realm, accessToken);
        if (lookupUserFromStatelessToken == null) {
            throw this.error.invalidToken("User not found");
        }
        UserSessionModel createUserSession = this.session.sessions().createUserSession(KeycloakModelUtils.generateId(), this.realm, lookupUserFromStatelessToken, lookupUserFromStatelessToken.getUsername(), this.clientConnection.getRemoteAddr(), "client_auth", false, (String) null, (String) null, UserSessionModel.SessionPersistenceState.TRANSIENT);
        AuthenticationSessionModel createAuthenticationSession = this.session.authenticationSessions().createRootAuthenticationSession(this.realm).createAuthenticationSession(clientModel);
        createAuthenticationSession.setAuthenticatedUser(createUserSession.getUser());
        createAuthenticationSession.setProtocol("openid-connect");
        createAuthenticationSession.setClientNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(this.session.getContext().getUri().getBaseUri(), this.realm.getName()));
        AuthenticationManager.setClientScopesInSession(createAuthenticationSession);
        TokenManager.attachAuthenticationSession(this.session, createUserSession, createAuthenticationSession);
        return createUserSession;
    }

    private UserSessionModel findValidSession(AccessToken accessToken, EventBuilder eventBuilder, ClientModel clientModel) {
        if (accessToken.getSessionState() == null) {
            return createTransientSessionForClient(accessToken, clientModel);
        }
        UserSessionModel userSessionWithClient = new UserSessionCrossDCManager(this.session).getUserSessionWithClient(this.realm, accessToken.getSessionState(), false, clientModel.getId());
        if (AuthenticationManager.isSessionValid(this.realm, userSessionWithClient)) {
            checkTokenIssuedAt(accessToken, userSessionWithClient, eventBuilder, clientModel);
            eventBuilder.session(userSessionWithClient);
            return userSessionWithClient;
        }
        UserSessionModel userSessionWithClient2 = new UserSessionCrossDCManager(this.session).getUserSessionWithClient(this.realm, accessToken.getSessionState(), true, clientModel.getId());
        if (AuthenticationManager.isOfflineSessionValid(this.realm, userSessionWithClient2)) {
            checkTokenIssuedAt(accessToken, userSessionWithClient2, eventBuilder, clientModel);
            eventBuilder.session(userSessionWithClient2);
            return userSessionWithClient2;
        }
        if (userSessionWithClient == null && userSessionWithClient2 == null) {
            eventBuilder.error("user_session_not_found");
            throw this.error.invalidToken("User session not found or doesn't have client attached on it");
        }
        if (userSessionWithClient != null) {
            eventBuilder.session(userSessionWithClient);
        } else {
            eventBuilder.session(userSessionWithClient2);
        }
        eventBuilder.error("session_expired");
        throw this.error.invalidToken("Session expired");
    }

    private void checkTokenIssuedAt(AccessToken accessToken, UserSessionModel userSessionModel, EventBuilder eventBuilder, ClientModel clientModel) {
        if (accessToken.isIssuedBeforeSessionStart(userSessionModel.getStarted())) {
            eventBuilder.error("invalid_token");
            throw this.error.invalidToken("Stale token");
        }
        if (accessToken.isIssuedBeforeSessionStart(userSessionModel.getAuthenticatedClientSessionByClient(clientModel.getId()).getStarted())) {
            eventBuilder.error("invalid_token");
            throw this.error.invalidToken("Stale token");
        }
    }

    private void checkAccessTokenDuplicated(MultivaluedMap<String, String> multivaluedMap) {
        if (multivaluedMap.containsKey("access_token") && ((List) multivaluedMap.get("access_token")).size() != 1) {
            throw this.error.invalidRequest("Duplicate parameter");
        }
    }

    private void setupCors() {
        this.cors = Cors.add(this.request).auth().allowedMethods(this.request.getHttpMethod()).auth().exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS);
        this.error.cors(this.cors);
    }

    private void authorization(String str) {
        if (str != null) {
            if (this.authorization != null) {
                throw this.error.cors(this.cors.allowAllOrigins()).invalidRequest("More than one method used for including an access token");
            }
            this.authorization = str;
        }
    }
}
