package org.keycloak.authentication.authenticators.sessionlimits;

import java.util.Collections;
import java.util.Comparator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.jboss.logging.Logger;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.representations.idm.OAuth2ErrorRepresentation;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.userprofile.DeclarativeUserProfileProvider;
import org.keycloak.utils.LockObjectsForModification;
import org.keycloak.utils.StringUtil;

/* loaded from: input_file:org/keycloak/authentication/authenticators/sessionlimits/UserSessionLimitsAuthenticator.class */
public class UserSessionLimitsAuthenticator implements Authenticator {
    public static final String SESSION_LIMIT_EXCEEDED = "sessionLimitExceeded";
    protected KeycloakSession session;
    String behavior;
    private static Logger logger = Logger.getLogger(UserSessionLimitsAuthenticator.class);
    private static String realmEventDetailsTemplate = "Realm session limit exceeded. Realm: %s, Realm limit: %s. Session count: %s, User id: %s";
    private static String clientEventDetailsTemplate = "Client session limit exceeded. Realm: %s, Client limit: %s. Session count: %s, User id: %s";

    public UserSessionLimitsAuthenticator(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
    }

    public void authenticate(AuthenticationFlowContext authenticationFlowContext) {
        Map<String, String> config = authenticationFlowContext.getAuthenticatorConfig().getConfig();
        this.behavior = config.get(UserSessionLimitsAuthenticatorFactory.BEHAVIOR);
        int intConfigProperty = getIntConfigProperty(UserSessionLimitsAuthenticatorFactory.USER_REALM_LIMIT, config);
        int intConfigProperty2 = getIntConfigProperty(UserSessionLimitsAuthenticatorFactory.USER_CLIENT_LIMIT, config);
        if (authenticationFlowContext.getRealm() == null || authenticationFlowContext.getUser() == null) {
            authenticationFlowContext.success();
            return;
        }
        List<UserSessionModel> list = (List) LockObjectsForModification.lockUserSessionsForModification(this.session, () -> {
            return (List) this.session.sessions().getUserSessionsStream(authenticationFlowContext.getRealm(), authenticationFlowContext.getUser()).collect(Collectors.toList());
        });
        int size = list.size();
        ClientModel client = authenticationFlowContext.getAuthenticationSession().getClient();
        logger.debugf("session-limiter's current keycloak clientId: %s", client.getClientId());
        List<UserSessionModel> userSessionsForClientIfEnabled = getUserSessionsForClientIfEnabled(list, client, intConfigProperty2);
        int size2 = userSessionsForClientIfEnabled.size();
        logger.debugf("session-limiter's configured realm session limit: %s", intConfigProperty);
        logger.debugf("session-limiter's configured client session limit: %s", intConfigProperty2);
        logger.debugf("session-limiter's count of total user sessions for the entire realm (could be apps other than web apps): %s", size);
        logger.debugf("session-limiter's count of total user sessions for this keycloak client: %s", size2);
        if (exceedsLimit(size, intConfigProperty)) {
            logger.infof("Too many session in this realm for the current user. Session count: %s", Integer.valueOf(size));
            handleLimitExceeded(authenticationFlowContext, list, String.format(realmEventDetailsTemplate, authenticationFlowContext.getRealm().getName(), Integer.valueOf(intConfigProperty), Integer.valueOf(size), authenticationFlowContext.getUser().getId()), intConfigProperty);
        } else if (!exceedsLimit(size2, intConfigProperty2)) {
            authenticationFlowContext.success();
        } else {
            logger.infof("Too many sessions related to the current client for this user. Session count: %s", Integer.valueOf(size));
            handleLimitExceeded(authenticationFlowContext, userSessionsForClientIfEnabled, String.format(clientEventDetailsTemplate, authenticationFlowContext.getRealm().getName(), Integer.valueOf(intConfigProperty2), Integer.valueOf(size2), authenticationFlowContext.getUser().getId()), intConfigProperty2);
        }
    }

    private boolean exceedsLimit(long j, long j2) {
        return j2 > 0 && getNumberOfSessionsThatNeedToBeLoggedOut(j, j2) > 0;
    }

    private long getNumberOfSessionsThatNeedToBeLoggedOut(long j, long j2) {
        return j - (j2 - 1);
    }

    private int getIntConfigProperty(String str, Map<String, String> map) {
        String str2 = map.get(str);
        if (StringUtil.isBlank(str2)) {
            return -1;
        }
        return Integer.parseInt(str2);
    }

    private List<UserSessionModel> getUserSessionsForClientIfEnabled(List<UserSessionModel> list, ClientModel clientModel, int i) {
        if (i <= 0) {
            return Collections.EMPTY_LIST;
        }
        logger.debugf("total user sessions for this keycloak client will not be counted. Will be logged as 0 (zero)", new Object[0]);
        return (List) list.stream().filter(userSessionModel -> {
            return userSessionModel.getAuthenticatedClientSessionByClient(clientModel.getId()) != null;
        }).collect(Collectors.toList());
    }

    public void action(AuthenticationFlowContext authenticationFlowContext) {
    }

    public boolean requiresUser() {
        return false;
    }

    public boolean configuredFor(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
        return true;
    }

    public void setRequiredActions(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
    }

    public void close() {
    }

    private void handleLimitExceeded(AuthenticationFlowContext authenticationFlowContext, List<UserSessionModel> list, String str, long j) {
        Response createErrorPage;
        String str2 = this.behavior;
        boolean z = -1;
        switch (str2.hashCode()) {
            case -1978104524:
                if (str2.equals(UserSessionLimitsAuthenticatorFactory.TERMINATE_OLDEST_SESSION)) {
                    z = true;
                    break;
                }
                break;
            case -683449310:
                if (str2.equals(UserSessionLimitsAuthenticatorFactory.DENY_NEW_SESSION)) {
                    z = false;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                logger.info("Denying new session");
                String str3 = (String) Optional.ofNullable(authenticationFlowContext.getAuthenticatorConfig()).map((v0) -> {
                    return v0.getConfig();
                }).map(map -> {
                    return (String) map.get(UserSessionLimitsAuthenticatorFactory.ERROR_MESSAGE);
                }).orElse(SESSION_LIMIT_EXCEEDED);
                authenticationFlowContext.getEvent().error("generic_authentication_error");
                if (authenticationFlowContext.getFlowPath() == null) {
                    createErrorPage = Response.status(Response.Status.UNAUTHORIZED.getStatusCode()).entity(new OAuth2ErrorRepresentation("generic_authentication_error", str3)).type(MediaType.APPLICATION_JSON_TYPE).build();
                } else {
                    createErrorPage = authenticationFlowContext.form().setError(str3, new Object[0]).createErrorPage(Response.Status.FORBIDDEN);
                }
                authenticationFlowContext.failure(AuthenticationFlowError.GENERIC_AUTHENTICATION_ERROR, createErrorPage, str, str3);
                return;
            case DeclarativeUserProfileProvider.PROVIDER_PRIORITY /* 1 */:
                logger.info("Terminating oldest session");
                logoutOldestSessions(list, j);
                authenticationFlowContext.success();
                return;
            default:
                return;
        }
    }

    private void logoutOldestSessions(List<UserSessionModel> list, long j) {
        long numberOfSessionsThatNeedToBeLoggedOut = getNumberOfSessionsThatNeedToBeLoggedOut(list.size(), j);
        if (numberOfSessionsThatNeedToBeLoggedOut == 1) {
            logger.info("Logging out oldest session");
        } else {
            logger.infof("Logging out oldest %s sessions", Long.valueOf(numberOfSessionsThatNeedToBeLoggedOut));
        }
        list.stream().sorted(Comparator.comparingInt((v0) -> {
            return v0.getLastSessionRefresh();
        })).limit(numberOfSessionsThatNeedToBeLoggedOut).forEach(userSessionModel -> {
            AuthenticationManager.backchannelLogout(this.session, userSessionModel, true);
        });
    }
}
