package org.keycloak.services.resources;

import jakarta.ws.rs.GET;
import jakarta.ws.rs.NotFoundException;
import jakarta.ws.rs.OPTIONS;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;
import jakarta.ws.rs.QueryParam;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.UriBuilder;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.jboss.logging.Logger;
import org.jboss.resteasy.annotations.cache.NoCache;
import org.keycloak.authentication.AuthenticationProcessor;
import org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator;
import org.keycloak.authentication.authenticators.broker.util.PostBrokerLoginConstants;
import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext;
import org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator;
import org.keycloak.broker.provider.AuthenticationRequest;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.broker.provider.IdentityProvider;
import org.keycloak.broker.provider.IdentityProviderFactory;
import org.keycloak.broker.provider.IdentityProviderMapper;
import org.keycloak.broker.provider.IdentityProviderMapperSyncModeDelegate;
import org.keycloak.broker.provider.util.IdentityBrokerState;
import org.keycloak.broker.saml.SAMLEndpoint;
import org.keycloak.broker.social.SocialIdentityProvider;
import org.keycloak.common.ClientConnection;
import org.keycloak.common.util.Base64Url;
import org.keycloak.common.util.ObjectUtil;
import org.keycloak.common.util.Time;
import org.keycloak.crypto.SHA256HashProviderFactory;
import org.keycloak.dom.saml.v2.protocol.StatusResponseType;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.http.HttpRequest;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.FederatedIdentityModel;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.IdentityProviderSyncMode;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.AuthenticationFlowResolver;
import org.keycloak.models.utils.FormMessage;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.LoginProtocol;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.protocol.oidc.utils.RedirectUtils;
import org.keycloak.protocol.saml.SamlSessionUtils;
import org.keycloak.protocol.saml.preprocessor.SamlAuthenticationPreprocessor;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.ErrorPage;
import org.keycloak.services.ErrorPageException;
import org.keycloak.services.ErrorResponse;
import org.keycloak.services.ServicesLogger;
import org.keycloak.services.Urls;
import org.keycloak.services.clientregistration.ErrorCodes;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.AuthenticationSessionManager;
import org.keycloak.services.managers.BruteForceProtector;
import org.keycloak.services.managers.ClientSessionCode;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.account.AccountConsole;
import org.keycloak.services.util.AuthenticationFlowURLHelper;
import org.keycloak.services.util.BrowserHistoryHelper;
import org.keycloak.services.util.CacheControlUtil;
import org.keycloak.services.util.DefaultClientSessionContext;
import org.keycloak.services.validation.Validation;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.sessions.CommonClientSessionModel;
import org.keycloak.sessions.RootAuthenticationSessionModel;
import org.keycloak.util.JsonSerialization;

/* loaded from: input_file:org/keycloak/services/resources/IdentityBrokerService.class */
public class IdentityBrokerService implements IdentityProvider.AuthenticationCallback {
    private static final String LINKING_IDENTITY_PROVIDER = "LINKING_IDENTITY_PROVIDER";
    private static final Logger logger = Logger.getLogger(IdentityBrokerService.class);
    private final RealmModel realmModel;
    private final KeycloakSession session;
    private final ClientConnection clientConnection;
    private final HttpRequest request;
    private final HttpHeaders headers;
    private EventBuilder event;

    public IdentityBrokerService(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
        this.clientConnection = keycloakSession.getContext().getConnection();
        this.realmModel = keycloakSession.getContext().getRealm();
        if (this.realmModel == null) {
            throw new IllegalArgumentException("Realm can not be null.");
        }
        this.request = keycloakSession.getContext().getHttpRequest();
        this.headers = keycloakSession.getContext().getRequestHeaders();
    }

    public void init() {
        this.event = new EventBuilder(this.realmModel, this.session, this.clientConnection).event(EventType.IDENTITY_PROVIDER_LOGIN);
    }

    private void checkRealm() {
        if (this.realmModel.isEnabled()) {
            return;
        }
        this.event.error("realm_disabled");
        throw new ErrorPageException(this.session, Response.Status.BAD_REQUEST, Messages.REALM_NOT_ENABLED, new Object[0]);
    }

    private ClientModel checkClient(String str) {
        if (str == null) {
            this.event.error("invalid_request");
            throw new ErrorPageException(this.session, Response.Status.BAD_REQUEST, Messages.MISSING_PARAMETER, "client_id");
        }
        this.event.client(str);
        ClientModel clientByClientId = this.realmModel.getClientByClientId(str);
        if (clientByClientId == null) {
            this.event.error("client_not_found");
            throw new ErrorPageException(this.session, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST, new Object[0]);
        }
        if (clientByClientId.isEnabled()) {
            return clientByClientId;
        }
        this.event.error("client_disabled");
        throw new ErrorPageException(this.session, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST, new Object[0]);
    }

    @Path("/{provider_id}/link")
    @OPTIONS
    public Response clientIntiatedAccountLinkingPreflight(@PathParam("provider_id") String str) {
        return Response.status(403).build();
    }

    @NoCache
    @GET
    @Path("/{provider_id}/link")
    public Response clientInitiatedAccountLinking(@PathParam("provider_id") String str, @QueryParam("redirect_uri") String str2, @QueryParam("client_id") String str3, @QueryParam("nonce") String str4, @QueryParam("hash") String str5) {
        this.event.event(EventType.CLIENT_INITIATED_ACCOUNT_LINKING);
        checkRealm();
        ClientModel checkClient = checkClient(str3);
        String verifyRedirectUri = RedirectUtils.verifyRedirectUri(this.session, str2, checkClient);
        if (verifyRedirectUri == null) {
            this.event.error(ErrorCodes.INVALID_REDIRECT_URI);
            throw new ErrorPageException(this.session, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST, new Object[0]);
        }
        this.event.detail("redirect_uri", verifyRedirectUri);
        if (str4 == null || str5 == null) {
            this.event.error(ErrorCodes.INVALID_REDIRECT_URI);
            throw new ErrorPageException(this.session, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST, new Object[0]);
        }
        AuthenticationManager.AuthResult authenticateIdentityCookie = AuthenticationManager.authenticateIdentityCookie(this.session, this.realmModel, true);
        if (authenticateIdentityCookie == null) {
            this.event.error("not_logged_in");
            return Response.status(302).location(UriBuilder.fromUri(verifyRedirectUri).queryParam("link_error", new Object[]{"not_logged_in"}).queryParam(OIDCLoginProtocol.NONCE_PARAM, new Object[]{str4}).build(new Object[0])).build();
        }
        authenticateIdentityCookie.getSession();
        this.event.session(authenticateIdentityCookie.getSession());
        this.event.user(authenticateIdentityCookie.getUser());
        this.event.detail("username", authenticateIdentityCookie.getUser().getUsername());
        AuthenticatedClientSessionModel authenticatedClientSessionModel = null;
        Iterator it = authenticateIdentityCookie.getSession().getAuthenticatedClientSessions().values().iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            AuthenticatedClientSessionModel authenticatedClientSessionModel2 = (AuthenticatedClientSessionModel) it.next();
            if (authenticatedClientSessionModel2.getClient().getClientId().equals(str3)) {
                try {
                    if (MessageDigest.isEqual(Base64Url.decode(str5), MessageDigest.getInstance(SHA256HashProviderFactory.ID).digest((str4 + authenticateIdentityCookie.getSession().getId() + str3 + str).getBytes(StandardCharsets.UTF_8)))) {
                        authenticatedClientSessionModel = authenticatedClientSessionModel2;
                        break;
                    }
                } catch (NoSuchAlgorithmException e) {
                    throw new ErrorPageException(this.session, Response.Status.INTERNAL_SERVER_ERROR, Messages.UNEXPECTED_ERROR_HANDLING_REQUEST, new Object[0]);
                }
            }
        }
        if (authenticatedClientSessionModel == null) {
            this.event.error("invalid_token");
            throw new ErrorPageException(this.session, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST, new Object[0]);
        }
        this.event.detail("identity_provider", str);
        ClientModel clientByClientId = this.realmModel.getClientByClientId("account");
        if (!clientByClientId.getId().equals(checkClient.getId())) {
            RoleModel role = clientByClientId.getRole("manage-account");
            Set set = (Set) DefaultClientSessionContext.fromClientSessionScopeParameter(authenticatedClientSessionModel, this.session).getRolesStream().collect(Collectors.toSet());
            if (!set.contains(role) && !set.contains(clientByClientId.getRole("manage-account-links"))) {
                this.event.error("not_allowed");
                return Response.status(302).location(UriBuilder.fromUri(verifyRedirectUri).queryParam("link_error", new Object[]{"not_allowed"}).queryParam(OIDCLoginProtocol.NONCE_PARAM, new Object[]{str4}).build(new Object[0])).build();
            }
        }
        if (this.realmModel.getIdentityProviderByAlias(str) == null) {
            this.event.error("unknown_identity_provider");
            return Response.status(302).location(UriBuilder.fromUri(verifyRedirectUri).queryParam("link_error", new Object[]{"unknown_identity_provider"}).queryParam(OIDCLoginProtocol.NONCE_PARAM, new Object[]{str4}).build(new Object[0])).build();
        }
        UserSessionModel session = authenticateIdentityCookie.getSession();
        RootAuthenticationSessionModel rootAuthenticationSession = this.session.authenticationSessions().getRootAuthenticationSession(this.realmModel, session.getId());
        if (rootAuthenticationSession == null) {
            rootAuthenticationSession = this.session.authenticationSessions().createRootAuthenticationSession(this.realmModel, session.getId());
        }
        AuthenticationSessionModel createAuthenticationSession = rootAuthenticationSession.createAuthenticationSession(checkClient);
        new AuthenticationSessionManager(this.session).setAuthSessionCookie(session.getId(), this.realmModel);
        ClientSessionCode<AuthenticationSessionModel> clientSessionCode = new ClientSessionCode<>(this.session, this.realmModel, createAuthenticationSession);
        clientSessionCode.setAction(CommonClientSessionModel.Action.AUTHENTICATE.name());
        clientSessionCode.getOrGenerateCode();
        createAuthenticationSession.setProtocol(checkClient.getProtocol());
        createAuthenticationSession.setRedirectUri(verifyRedirectUri);
        createAuthenticationSession.setClientNote("state", UUID.randomUUID().toString());
        createAuthenticationSession.setAuthNote(LINKING_IDENTITY_PROVIDER, authenticateIdentityCookie.getSession().getId() + str3 + str);
        this.event.detail("code_id", session.getId());
        this.event.success();
        try {
            IdentityProvider identityProvider = getIdentityProvider(this.session, this.realmModel, str);
            Response performLogin = identityProvider.performLogin(createAuthenticationRequest(str, clientSessionCode));
            if (performLogin == null) {
                return redirectToErrorPage(createAuthenticationSession, Response.Status.INTERNAL_SERVER_ERROR, Messages.COULD_NOT_PROCEED_WITH_AUTHENTICATION_REQUEST, new Object[0]);
            }
            if (isDebugEnabled()) {
                logger.debugf("Identity provider [%s] is going to send a request [%s].", identityProvider, performLogin);
            }
            return performLogin;
        } catch (IdentityBrokerException e2) {
            return redirectToErrorPage(createAuthenticationSession, Response.Status.INTERNAL_SERVER_ERROR, Messages.COULD_NOT_SEND_AUTHENTICATION_REQUEST, e2, str);
        } catch (Exception e3) {
            return redirectToErrorPage(createAuthenticationSession, Response.Status.INTERNAL_SERVER_ERROR, Messages.UNEXPECTED_ERROR_HANDLING_REQUEST, e3, str);
        }
    }

    @POST
    @Path("/{provider_id}/login")
    public Response performPostLogin(@PathParam("provider_id") String str, @QueryParam("session_code") String str2, @QueryParam("client_id") String str3, @QueryParam("tab_id") String str4, @QueryParam("login_hint") String str5) {
        return performLogin(str, str2, str3, str4, str5);
    }

    @NoCache
    @GET
    @Path("/{provider_id}/login")
    public Response performLogin(@PathParam("provider_id") String str, @QueryParam("session_code") String str2, @QueryParam("client_id") String str3, @QueryParam("tab_id") String str4, @QueryParam("login_hint") String str5) {
        this.event.detail("identity_provider", str);
        if (isDebugEnabled()) {
            logger.debugf("Sending authentication request to identity provider [%s].", str);
        }
        try {
            ClientSessionCode<AuthenticationSessionModel> clientSessionCode = new ClientSessionCode<>(this.session, this.realmModel, parseSessionCode(str2, str3, str4));
            clientSessionCode.setAction(CommonClientSessionModel.Action.AUTHENTICATE.name());
            IdentityProviderModel identityProviderByAlias = this.realmModel.getIdentityProviderByAlias(str);
            if (identityProviderByAlias == null) {
                throw new IdentityBrokerException("Identity Provider [" + str + "] not found.");
            }
            if (identityProviderByAlias.isLinkOnly()) {
                throw new IdentityBrokerException("Identity Provider [" + str + "] is not allowed to perform a login.");
            }
            if (clientSessionCode != null && clientSessionCode.getClientSession() != null && str5 != null) {
                clientSessionCode.getClientSession().setClientNote("login_hint", str5);
            }
            IdentityProvider create = getIdentityProviderFactory(this.session, identityProviderByAlias).create(this.session, identityProviderByAlias);
            Response performLogin = create.performLogin(createAuthenticationRequest(str, clientSessionCode));
            if (performLogin == null) {
                return redirectToErrorPage(Response.Status.INTERNAL_SERVER_ERROR, Messages.COULD_NOT_PROCEED_WITH_AUTHENTICATION_REQUEST, new Object[0]);
            }
            if (isDebugEnabled()) {
                logger.debugf("Identity provider [%s] is going to send a request [%s].", create, performLogin);
            }
            return performLogin;
        } catch (IdentityBrokerException e) {
            return redirectToErrorPage(Response.Status.BAD_GATEWAY, Messages.COULD_NOT_SEND_AUTHENTICATION_REQUEST, (Throwable) e, str);
        } catch (Exception e2) {
            return redirectToErrorPage(Response.Status.INTERNAL_SERVER_ERROR, Messages.UNEXPECTED_ERROR_HANDLING_REQUEST, e2, str);
        }
    }

    @Path("{provider_id}/endpoint")
    public Object getEndpoint(@PathParam("provider_id") String str) {
        try {
            return getIdentityProvider(this.session, this.realmModel, str).callback(this.realmModel, this, this.event);
        } catch (IdentityBrokerException e) {
            throw new NotFoundException(e.getMessage());
        }
    }

    @Path("{provider_id}/token")
    @OPTIONS
    public Response retrieveTokenPreflight() {
        return Cors.add(this.request, Response.ok()).auth().preflight().build();
    }

    @NoCache
    @GET
    @Path("{provider_id}/token")
    public Response retrieveToken(@PathParam("provider_id") String str) {
        return getToken(str, false);
    }

    private boolean canReadBrokerToken(AccessToken accessToken) {
        Map resourceAccess = accessToken.getResourceAccess();
        AccessToken.Access access = resourceAccess == null ? null : (AccessToken.Access) resourceAccess.get("broker");
        return access != null && access.isUserInRole("read-token");
    }

    private Response getToken(String str, boolean z) {
        this.event.event(EventType.IDENTITY_PROVIDER_RETRIEVE_TOKEN);
        try {
            AuthenticationManager.AuthResult authenticate = new AppAuthManager.BearerTokenAuthenticator(this.session).setRealm(this.realmModel).setConnection(this.clientConnection).setHeaders(this.request.getHttpHeaders()).authenticate();
            if (authenticate == null) {
                return badRequest("Invalid token.");
            }
            AccessToken token = authenticate.getToken();
            ClientModel client = authenticate.getClient();
            this.session.getContext().setClient(client);
            if (this.realmModel.getClientByClientId("broker") == null) {
                return corsResponse(forbidden("Realm has not migrated to support the broker token exchange service"), client);
            }
            if (!canReadBrokerToken(token)) {
                return corsResponse(forbidden("Client [" + client.getClientId() + "] not authorized to retrieve tokens from identity provider [" + str + "]."), client);
            }
            IdentityProvider identityProvider = getIdentityProvider(this.session, this.realmModel, str);
            if (!getIdentityProviderConfig(str).isStoreToken()) {
                return corsResponse(badRequest("Identity Provider [" + str + "] does not support this operation."), client);
            }
            FederatedIdentityModel federatedIdentity = this.session.users().getFederatedIdentity(this.realmModel, authenticate.getUser(), str);
            if (federatedIdentity == null) {
                return corsResponse(badRequest("User [" + authenticate.getUser().getId() + "] is not associated with identity provider [" + str + "]."), client);
            }
            if (federatedIdentity.getToken() == null) {
                return corsResponse(notFound("No token stored for user [" + authenticate.getUser().getId() + "] with associated identity provider [" + str + "]."), client);
            }
            this.event.success();
            return corsResponse(identityProvider.retrieveToken(this.session, federatedIdentity), client);
        } catch (IdentityBrokerException e) {
            return redirectToErrorPage(Response.Status.BAD_GATEWAY, Messages.COULD_NOT_OBTAIN_TOKEN, (Throwable) e, str);
        } catch (Exception e2) {
            return redirectToErrorPage(Response.Status.BAD_GATEWAY, Messages.UNEXPECTED_ERROR_RETRIEVING_TOKEN, e2, str);
        }
    }

    public Response authenticated(BrokeredIdentityContext brokeredIdentityContext) {
        IdentityProviderModel idpConfig = brokeredIdentityContext.getIdpConfig();
        AuthenticationSessionModel authenticationSession = brokeredIdentityContext.getAuthenticationSession();
        String alias = idpConfig.getAlias();
        if (!idpConfig.isStoreToken()) {
            if (isDebugEnabled()) {
                logger.debugf("Token will not be stored for identity provider [%s].", alias);
            }
            brokeredIdentityContext.setToken((String) null);
        }
        StatusResponseType statusResponseType = (StatusResponseType) brokeredIdentityContext.getContextData().get(SAMLEndpoint.SAML_LOGIN_RESPONSE);
        if (statusResponseType != null) {
            Iterator<SamlAuthenticationPreprocessor> samlAuthenticationPreprocessorIterator = SamlSessionUtils.getSamlAuthenticationPreprocessorIterator(this.session);
            while (samlAuthenticationPreprocessorIterator.hasNext()) {
                statusResponseType = samlAuthenticationPreprocessorIterator.next().beforeProcessingLoginResponse(statusResponseType, authenticationSession);
            }
        }
        this.session.getContext().setClient(authenticationSession.getClient());
        brokeredIdentityContext.getIdp().preprocessFederatedIdentity(this.session, this.realmModel, brokeredIdentityContext);
        KeycloakSessionFactory keycloakSessionFactory = this.session.getKeycloakSessionFactory();
        this.realmModel.getIdentityProviderMappersByAliasStream(brokeredIdentityContext.getIdpConfig().getAlias()).forEach(identityProviderMapperModel -> {
            keycloakSessionFactory.getProviderFactory(IdentityProviderMapper.class, identityProviderMapperModel.getIdentityProviderMapper()).preprocessFederatedIdentity(this.session, this.realmModel, identityProviderMapperModel, brokeredIdentityContext);
        });
        FederatedIdentityModel federatedIdentityModel = new FederatedIdentityModel(alias, brokeredIdentityContext.getId(), brokeredIdentityContext.getUsername(), brokeredIdentityContext.getToken());
        this.event.event(EventType.IDENTITY_PROVIDER_LOGIN).detail("redirect_uri", authenticationSession.getRedirectUri()).detail("identity_provider", alias).detail("identity_provider_identity", brokeredIdentityContext.getUsername());
        UserModel userByFederatedIdentity = this.session.users().getUserByFederatedIdentity(this.realmModel, federatedIdentityModel);
        boolean z = false;
        if (userByFederatedIdentity == null && brokeredIdentityContext.getLegacyId() != null) {
            federatedIdentityModel = new FederatedIdentityModel(federatedIdentityModel, brokeredIdentityContext.getLegacyId());
            userByFederatedIdentity = this.session.users().getUserByFederatedIdentity(this.realmModel, federatedIdentityModel);
            z = true;
        }
        UserSessionModel userSession = new AuthenticationSessionManager(this.session).getUserSession(authenticationSession);
        if (shouldPerformAccountLinking(authenticationSession, userSession, alias)) {
            return performAccountLinking(authenticationSession, userSession, brokeredIdentityContext, federatedIdentityModel, userByFederatedIdentity);
        }
        if (userByFederatedIdentity != null) {
            authenticationSession.setAuthNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME, userByFederatedIdentity.getUsername());
            Response validateUser = validateUser(authenticationSession, userByFederatedIdentity, this.realmModel);
            if (validateUser != null) {
                return validateUser;
            }
            updateFederatedIdentity(brokeredIdentityContext, userByFederatedIdentity);
            if (z) {
                migrateFederatedIdentityId(brokeredIdentityContext, userByFederatedIdentity);
            }
            authenticationSession.setAuthenticatedUser(userByFederatedIdentity);
            return finishOrRedirectToPostBrokerLogin(authenticationSession, brokeredIdentityContext, false);
        }
        logger.debugf("Federated user not found for provider '%s' and broker username '%s'", alias, brokeredIdentityContext.getUsername());
        authenticationSession.setAuthNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME, brokeredIdentityContext.getUsername());
        String modelUsername = brokeredIdentityContext.getModelUsername();
        if (modelUsername == null) {
            modelUsername = (!this.realmModel.isRegistrationEmailAsUsername() || Validation.isBlank(brokeredIdentityContext.getEmail())) ? brokeredIdentityContext.getUsername() == null ? brokeredIdentityContext.getIdpConfig().getAlias() + "." + brokeredIdentityContext.getId() : brokeredIdentityContext.getUsername() : brokeredIdentityContext.getEmail();
        }
        brokeredIdentityContext.setModelUsername(modelUsername.trim());
        SerializedBrokeredIdentityContext readFromAuthenticationSession = SerializedBrokeredIdentityContext.readFromAuthenticationSession(authenticationSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE);
        if (readFromAuthenticationSession != null) {
            SerializedBrokeredIdentityContext serialize = SerializedBrokeredIdentityContext.serialize(brokeredIdentityContext);
            serialize.saveToAuthenticationSession(authenticationSession, AbstractIdpAuthenticator.NESTED_FIRST_BROKER_CONTEXT);
            logger.warnv("Nested first broker flow detected: {0} -> {1}", readFromAuthenticationSession.getIdentityProviderId(), serialize.getIdentityProviderId());
            logger.debug("Resuming last execution");
            return Response.status(Response.Status.FOUND).location(new AuthenticationFlowURLHelper(this.session, this.realmModel, this.session.getContext().getUri()).getLastExecutionUrl(authenticationSession)).build();
        }
        logger.debug("Redirecting to flow for firstBrokerLogin");
        boolean equals = "true".equals(authenticationSession.getAuthNote(AuthenticationProcessor.FORWARDED_PASSIVE_LOGIN));
        Map<String, String> extractAuthNotesFromSession = extractAuthNotesFromSession(authenticationSession);
        AuthenticationProcessor.resetFlow(authenticationSession, LoginActionsService.FIRST_BROKER_LOGIN_PATH);
        Objects.requireNonNull(authenticationSession);
        extractAuthNotesFromSession.forEach(authenticationSession::setAuthNote);
        if (equals) {
            authenticationSession.setAuthNote(AuthenticationProcessor.FORWARDED_PASSIVE_LOGIN, "true");
        }
        SerializedBrokeredIdentityContext.serialize(brokeredIdentityContext).saveToAuthenticationSession(authenticationSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE);
        return Response.status(302).location(LoginActionsService.firstBrokerLoginProcessor(this.session.getContext().getUri()).queryParam("client_id", new Object[]{authenticationSession.getClient().getClientId()}).queryParam("tab_id", new Object[]{authenticationSession.getTabId()}).build(new Object[]{this.realmModel.getName()})).build();
    }

    private Map<String, String> extractAuthNotesFromSession(AuthenticationSessionModel authenticationSessionModel) {
        Stream filter = Stream.of((Object[]) new String[]{"locale_user_requested", "locale_client_requested"}).filter(str -> {
            return authenticationSessionModel.getAuthNote(str) != null;
        });
        Function identity = Function.identity();
        Objects.requireNonNull(authenticationSessionModel);
        return (Map) filter.collect(Collectors.toMap(identity, authenticationSessionModel::getAuthNote));
    }

    public Response validateUser(AuthenticationSessionModel authenticationSessionModel, UserModel userModel, RealmModel realmModel) {
        if (!userModel.isEnabled()) {
            this.event.error("user_disabled");
            return ErrorPage.error(this.session, authenticationSessionModel, Response.Status.BAD_REQUEST, Messages.ACCOUNT_DISABLED, new Object[0]);
        }
        if (!realmModel.isBruteForceProtected() || !this.session.getProvider(BruteForceProtector.class).isTemporarilyDisabled(this.session, realmModel, userModel)) {
            return null;
        }
        this.event.error("user_temporarily_disabled");
        return ErrorPage.error(this.session, authenticationSessionModel, Response.Status.BAD_REQUEST, Messages.ACCOUNT_DISABLED, new Object[0]);
    }

    @NoCache
    @GET
    @Path("/after-first-broker-login")
    public Response afterFirstBrokerLogin(@QueryParam("session_code") String str, @QueryParam("client_id") String str2, @QueryParam("tab_id") String str3) {
        return afterFirstBrokerLogin(parseSessionCode(str, str2, str3));
    }

    private Response afterFirstBrokerLogin(AuthenticationSessionModel authenticationSessionModel) {
        try {
            this.event.detail("code_id", authenticationSessionModel.getParentSession().getId()).removeDetail("auth_method");
            SerializedBrokeredIdentityContext readFromAuthenticationSession = SerializedBrokeredIdentityContext.readFromAuthenticationSession(authenticationSessionModel, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE);
            if (readFromAuthenticationSession == null) {
                throw new IdentityBrokerException("Not found serialized context in clientSession");
            }
            BrokeredIdentityContext deserialize = readFromAuthenticationSession.deserialize(this.session, authenticationSessionModel);
            String alias = deserialize.getIdpConfig().getAlias();
            this.event.detail("identity_provider", alias);
            this.event.detail("identity_provider_identity", deserialize.getUsername());
            String authNote = authenticationSessionModel.getAuthNote(AbstractIdpAuthenticator.FIRST_BROKER_LOGIN_SUCCESS);
            if (authNote == null || !authNote.equals(alias)) {
                throw new IdentityBrokerException("Invalid request. Not found the flag that first-broker-login flow was finished");
            }
            authenticationSessionModel.removeAuthNote(AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE);
            UserModel authenticatedUser = authenticationSessionModel.getAuthenticatedUser();
            if (authenticatedUser == null) {
                throw new IdentityBrokerException("Couldn't found authenticated federatedUser in authentication session");
            }
            this.event.user(authenticatedUser);
            this.event.detail("username", authenticatedUser.getUsername());
            if (deserialize.getIdpConfig().isAddReadTokenRoleOnCreate()) {
                ClientModel clientByClientId = this.realmModel.getClientByClientId("broker");
                if (clientByClientId == null) {
                    throw new IdentityBrokerException("Client 'broker' not available. Maybe realm has not migrated to support the broker token exchange service");
                }
                authenticatedUser.grantRole(clientByClientId.getRole("read-token"));
            }
            this.session.users().addFederatedIdentity(this.realmModel, authenticatedUser, new FederatedIdentityModel(deserialize.getIdpConfig().getAlias(), deserialize.getId(), deserialize.getUsername(), deserialize.getToken()));
            if (Boolean.parseBoolean(authenticationSessionModel.getAuthNote(AbstractIdpAuthenticator.BROKER_REGISTERED_NEW_USER))) {
                logger.debugf("Registered new user '%s' after first login with identity provider '%s'. Identity provider username is '%s' . ", authenticatedUser.getUsername(), alias, deserialize.getUsername());
                deserialize.getIdp().importNewUser(this.session, this.realmModel, authenticatedUser, deserialize);
                KeycloakSessionFactory keycloakSessionFactory = this.session.getKeycloakSessionFactory();
                this.realmModel.getIdentityProviderMappersByAliasStream(alias).forEach(identityProviderMapperModel -> {
                    keycloakSessionFactory.getProviderFactory(IdentityProviderMapper.class, identityProviderMapperModel.getIdentityProviderMapper()).importNewUser(this.session, this.realmModel, authenticatedUser, identityProviderMapperModel, deserialize);
                });
                if (deserialize.getIdpConfig().isTrustEmail() && !Validation.isBlank(authenticatedUser.getEmail()) && !Boolean.parseBoolean(authenticationSessionModel.getAuthNote(AbstractIdpAuthenticator.UPDATE_PROFILE_EMAIL_CHANGED))) {
                    logger.debugf("Email verified automatically after registration of user '%s' through Identity provider '%s' ", authenticatedUser.getUsername(), deserialize.getIdpConfig().getAlias());
                    authenticatedUser.setEmailVerified(true);
                }
                this.event.clone().event(EventType.REGISTER).detail("register_method", "broker").detail("email", authenticatedUser.getEmail()).success();
            } else {
                logger.debugf("Linked existing keycloak user '%s' with identity provider '%s' . Identity provider username is '%s' .", authenticatedUser.getUsername(), alias, deserialize.getUsername());
                this.event.event(EventType.FEDERATED_IDENTITY_LINK).success();
                updateFederatedIdentity(deserialize, authenticatedUser);
            }
            return finishOrRedirectToPostBrokerLogin(authenticationSessionModel, deserialize, true);
        } catch (Exception e) {
            return redirectToErrorPage(authenticationSessionModel, Response.Status.INTERNAL_SERVER_ERROR, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR, e, new Object[0]);
        }
    }

    private Response finishOrRedirectToPostBrokerLogin(AuthenticationSessionModel authenticationSessionModel, BrokeredIdentityContext brokeredIdentityContext, boolean z) {
        if (brokeredIdentityContext.getIdpConfig().getPostBrokerLoginFlowId() == null) {
            logger.debugf("Skip redirect to postBrokerLogin flow. PostBrokerLogin flow not set for identityProvider '%s'.", brokeredIdentityContext.getIdpConfig().getAlias());
            return afterPostBrokerLoginFlowSuccess(authenticationSessionModel, brokeredIdentityContext, z);
        }
        logger.debugf("Redirect to postBrokerLogin flow after authentication with identityProvider '%s'.", brokeredIdentityContext.getIdpConfig().getAlias());
        authenticationSessionModel.getParentSession().setTimestamp(Time.currentTime());
        SerializedBrokeredIdentityContext.serialize(brokeredIdentityContext).saveToAuthenticationSession(authenticationSessionModel, PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT);
        authenticationSessionModel.setAuthNote(PostBrokerLoginConstants.PBL_AFTER_FIRST_BROKER_LOGIN, String.valueOf(z));
        return Response.status(302).location(LoginActionsService.postBrokerLoginProcessor(this.session.getContext().getUri()).queryParam("client_id", new Object[]{authenticationSessionModel.getClient().getClientId()}).queryParam("tab_id", new Object[]{authenticationSessionModel.getTabId()}).build(new Object[]{this.realmModel.getName()})).build();
    }

    @NoCache
    @GET
    @Path("/after-post-broker-login")
    public Response afterPostBrokerLoginFlow(@QueryParam("session_code") String str, @QueryParam("client_id") String str2, @QueryParam("tab_id") String str3) {
        AuthenticationSessionModel parseSessionCode = parseSessionCode(str, str2, str3);
        try {
            SerializedBrokeredIdentityContext readFromAuthenticationSession = SerializedBrokeredIdentityContext.readFromAuthenticationSession(parseSessionCode, PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT);
            if (readFromAuthenticationSession == null) {
                throw new IdentityBrokerException("Not found serialized context in clientSession. Note PBL_BROKERED_IDENTITY_CONTEXT was null");
            }
            BrokeredIdentityContext deserialize = readFromAuthenticationSession.deserialize(this.session, parseSessionCode);
            boolean parseBoolean = Boolean.parseBoolean(parseSessionCode.getAuthNote(PostBrokerLoginConstants.PBL_AFTER_FIRST_BROKER_LOGIN));
            if (!Boolean.parseBoolean(parseSessionCode.getAuthNote(PostBrokerLoginConstants.PBL_AUTH_STATE_PREFIX + deserialize.getIdpConfig().getAlias()))) {
                throw new IdentityBrokerException("Invalid request. Not found the flag that post-broker-login flow was finished");
            }
            parseSessionCode.removeAuthNote(PostBrokerLoginConstants.PBL_BROKERED_IDENTITY_CONTEXT);
            parseSessionCode.removeAuthNote(PostBrokerLoginConstants.PBL_AFTER_FIRST_BROKER_LOGIN);
            return afterPostBrokerLoginFlowSuccess(parseSessionCode, deserialize, parseBoolean);
        } catch (IdentityBrokerException e) {
            return redirectToErrorPage(parseSessionCode, Response.Status.INTERNAL_SERVER_ERROR, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR, e, new Object[0]);
        }
    }

    private Response afterPostBrokerLoginFlowSuccess(AuthenticationSessionModel authenticationSessionModel, BrokeredIdentityContext brokeredIdentityContext, boolean z) {
        String alias = brokeredIdentityContext.getIdpConfig().getAlias();
        UserModel authenticatedUser = authenticationSessionModel.getAuthenticatedUser();
        if (z) {
            return finishBrokerAuthentication(brokeredIdentityContext, authenticatedUser, authenticationSessionModel, alias);
        }
        if (!(authenticationSessionModel.getAuthNote(AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE) != null)) {
            return finishBrokerAuthentication(brokeredIdentityContext, authenticatedUser, authenticationSessionModel, alias);
        }
        logger.debugf("Reauthenticated with broker '%s' when linking user '%s' with other broker", brokeredIdentityContext.getIdpConfig().getAlias(), authenticatedUser.getUsername());
        authenticationSessionModel.setAuthNote(AbstractIdpAuthenticator.FIRST_BROKER_LOGIN_SUCCESS, SerializedBrokeredIdentityContext.readFromAuthenticationSession(authenticationSessionModel, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE).getIdentityProviderId());
        return afterFirstBrokerLogin(authenticationSessionModel);
    }

    private Response finishBrokerAuthentication(BrokeredIdentityContext brokeredIdentityContext, UserModel userModel, AuthenticationSessionModel authenticationSessionModel, String str) {
        authenticationSessionModel.setAuthNote(AuthenticationProcessor.BROKER_SESSION_ID, brokeredIdentityContext.getBrokerSessionId());
        authenticationSessionModel.setAuthNote(AuthenticationProcessor.BROKER_USER_ID, brokeredIdentityContext.getBrokerUserId());
        this.event.user(userModel);
        brokeredIdentityContext.getIdp().authenticationFinished(authenticationSessionModel, brokeredIdentityContext);
        authenticationSessionModel.setUserSessionNote("identity_provider", str);
        authenticationSessionModel.setUserSessionNote("identity_provider_identity", brokeredIdentityContext.getUsername());
        this.event.detail("identity_provider", str).detail("identity_provider_identity", brokeredIdentityContext.getUsername());
        if (isDebugEnabled()) {
            logger.debugf("Performing local authentication for user [%s].", userModel);
        }
        AuthenticationManager.setClientScopesInSession(authenticationSessionModel);
        String nextRequiredAction = AuthenticationManager.nextRequiredAction(this.session, authenticationSessionModel, this.request, this.event);
        if (nextRequiredAction == null) {
            this.event.detail("code_id", authenticationSessionModel.getParentSession().getId());
            return AuthenticationManager.finishedRequiredActions(this.session, authenticationSessionModel, null, this.clientConnection, this.request, this.session.getContext().getUri(), this.event);
        }
        if (!"true".equals(authenticationSessionModel.getAuthNote(AuthenticationProcessor.FORWARDED_PASSIVE_LOGIN))) {
            return AuthenticationManager.redirectToRequiredActions(this.session, this.realmModel, authenticationSessionModel, this.session.getContext().getUri(), nextRequiredAction);
        }
        logger.errorf("Required action %s found. Auth requests using prompt=none are incompatible with required actions", nextRequiredAction);
        return checkPassiveLoginError(authenticationSessionModel, "interaction_required");
    }

    public Response cancelled(IdentityProviderModel identityProviderModel) {
        AuthenticationSessionModel authenticationSession = this.session.getContext().getAuthenticationSession();
        String identityProviderDisplayName = KeycloakModelUtils.getIdentityProviderDisplayName(this.session, identityProviderModel);
        Response checkAccountManagementFailedLinking = checkAccountManagementFailedLinking(authenticationSession, Messages.ACCESS_DENIED_WHEN_IDP_AUTH, identityProviderDisplayName);
        return checkAccountManagementFailedLinking != null ? checkAccountManagementFailedLinking : browserAuthentication(authenticationSession, Messages.ACCESS_DENIED_WHEN_IDP_AUTH, identityProviderDisplayName);
    }

    public Response error(String str) {
        AuthenticationSessionModel authenticationSession = this.session.getContext().getAuthenticationSession();
        Response checkAccountManagementFailedLinking = checkAccountManagementFailedLinking(authenticationSession, str, new Object[0]);
        if (checkAccountManagementFailedLinking != null) {
            return checkAccountManagementFailedLinking;
        }
        Response checkPassiveLoginError = checkPassiveLoginError(authenticationSession, str);
        return checkPassiveLoginError != null ? checkPassiveLoginError : browserAuthentication(authenticationSession, str, new Object[0]);
    }

    private boolean shouldPerformAccountLinking(AuthenticationSessionModel authenticationSessionModel, UserSessionModel userSessionModel, String str) {
        String authNote = authenticationSessionModel.getAuthNote(LINKING_IDENTITY_PROVIDER);
        if (authNote == null) {
            return false;
        }
        if (!(userSessionModel == null ? false : (userSessionModel.getId() + authenticationSessionModel.getClient().getClientId() + str).equals(authNote))) {
            throw new ErrorPageException(this.session, Response.Status.BAD_REQUEST, Messages.BROKER_LINKING_SESSION_EXPIRED, new Object[0]);
        }
        authenticationSessionModel.removeAuthNote(LINKING_IDENTITY_PROVIDER);
        return true;
    }

    private Response performAccountLinking(AuthenticationSessionModel authenticationSessionModel, UserSessionModel userSessionModel, BrokeredIdentityContext brokeredIdentityContext, FederatedIdentityModel federatedIdentityModel, UserModel userModel) {
        logger.debugf("Will try to link identity provider [%s] to user [%s]", brokeredIdentityContext.getIdpConfig().getAlias(), userSessionModel.getUser().getUsername());
        this.event.event(EventType.FEDERATED_IDENTITY_LINK);
        UserModel user = userSessionModel.getUser();
        authenticationSessionModel.setAuthenticatedUser(user);
        if (userModel != null && !user.getId().equals(userModel.getId())) {
            return redirectToErrorWhenLinkingFailed(authenticationSessionModel, Messages.IDENTITY_PROVIDER_ALREADY_LINKED, brokeredIdentityContext.getIdpConfig().getAlias());
        }
        if (!user.hasRole(this.realmModel.getClientByClientId("account").getRole("manage-account"))) {
            return redirectToErrorPage(authenticationSessionModel, Response.Status.FORBIDDEN, Messages.INSUFFICIENT_PERMISSION, new Object[0]);
        }
        if (!user.isEnabled()) {
            return redirectToErrorWhenLinkingFailed(authenticationSessionModel, Messages.ACCOUNT_DISABLED, new Object[0]);
        }
        if (userModel == null) {
            this.session.users().addFederatedIdentity(this.realmModel, user, federatedIdentityModel);
            userModel = user;
        } else if (brokeredIdentityContext.getIdpConfig().isStoreToken() && !ObjectUtil.isEqualOrBothNull(brokeredIdentityContext.getToken(), this.session.users().getFederatedIdentity(this.realmModel, userModel, brokeredIdentityContext.getIdpConfig().getAlias()).getToken())) {
            this.session.users().updateFederatedIdentity(this.realmModel, userModel, federatedIdentityModel);
            if (isDebugEnabled()) {
                logger.debugf("Identity [%s] update with response from identity provider [%s].", userModel, brokeredIdentityContext.getIdpConfig().getAlias());
            }
        }
        updateFederatedIdentity(brokeredIdentityContext, userModel);
        brokeredIdentityContext.getIdp().authenticationFinished(authenticationSessionModel, brokeredIdentityContext);
        AuthenticationManager.setClientScopesInSession(authenticationSessionModel);
        TokenManager.attachAuthenticationSession(this.session, userSessionModel, authenticationSessionModel);
        if (isDebugEnabled()) {
            logger.debugf("Linking account [%s] from identity provider [%s] to user [%s].", federatedIdentityModel, brokeredIdentityContext.getIdpConfig().getAlias(), user);
        }
        this.event.user(user).detail("username", user.getUsername()).detail("identity_provider", federatedIdentityModel.getIdentityProvider()).detail("identity_provider_identity", federatedIdentityModel.getUserName()).success();
        if (userSessionModel.getNote("identity_provider") == null) {
            userSessionModel.setNote("identity_provider", brokeredIdentityContext.getIdpConfig().getAlias());
            userSessionModel.setNote("identity_provider_identity", brokeredIdentityContext.getUsername());
        }
        return Response.status(302).location(UriBuilder.fromUri(authenticationSessionModel.getRedirectUri()).build(new Object[0])).build();
    }

    private Response redirectToErrorWhenLinkingFailed(AuthenticationSessionModel authenticationSessionModel, String str, Object... objArr) {
        return (authenticationSessionModel.getClient() == null || !authenticationSessionModel.getClient().getClientId().equals("account")) ? redirectToErrorPage(authenticationSessionModel, Response.Status.BAD_REQUEST, str, objArr) : redirectToAccountErrorPage(authenticationSessionModel, str, objArr);
    }

    private void updateFederatedIdentity(BrokeredIdentityContext brokeredIdentityContext, UserModel userModel) {
        FederatedIdentityModel federatedIdentity = this.session.users().getFederatedIdentity(this.realmModel, userModel, brokeredIdentityContext.getIdpConfig().getAlias());
        if (brokeredIdentityContext.getIdpConfig().getSyncMode() == IdentityProviderSyncMode.FORCE) {
            setBasicUserAttributes(brokeredIdentityContext, userModel);
            if (!Objects.equals(brokeredIdentityContext.getUsername(), federatedIdentity.getUserName())) {
                federatedIdentity = new FederatedIdentityModel(federatedIdentity.getIdentityProvider(), federatedIdentity.getUserId(), brokeredIdentityContext.getUsername(), federatedIdentity.getToken());
                this.session.users().updateFederatedIdentity(this.realmModel, userModel, federatedIdentity);
            }
        }
        updateToken(brokeredIdentityContext, userModel, federatedIdentity);
        brokeredIdentityContext.getIdp().updateBrokeredUser(this.session, this.realmModel, userModel, brokeredIdentityContext);
        KeycloakSessionFactory keycloakSessionFactory = this.session.getKeycloakSessionFactory();
        this.realmModel.getIdentityProviderMappersByAliasStream(brokeredIdentityContext.getIdpConfig().getAlias()).forEach(identityProviderMapperModel -> {
            IdentityProviderMapperSyncModeDelegate.delegateUpdateBrokeredUser(this.session, this.realmModel, userModel, identityProviderMapperModel, brokeredIdentityContext, keycloakSessionFactory.getProviderFactory(IdentityProviderMapper.class, identityProviderMapperModel.getIdentityProviderMapper()));
        });
    }

    private void setBasicUserAttributes(BrokeredIdentityContext brokeredIdentityContext, UserModel userModel) {
        setDiffAttrToConsumer(userModel.getEmail(), brokeredIdentityContext.getEmail(), str -> {
            setEmail(brokeredIdentityContext, userModel, str);
        });
        String firstName = userModel.getFirstName();
        String firstName2 = brokeredIdentityContext.getFirstName();
        Objects.requireNonNull(userModel);
        setDiffAttrToConsumer(firstName, firstName2, userModel::setFirstName);
        String lastName = userModel.getLastName();
        String lastName2 = brokeredIdentityContext.getLastName();
        Objects.requireNonNull(userModel);
        setDiffAttrToConsumer(lastName, lastName2, userModel::setLastName);
    }

    private void setDiffAttrToConsumer(String str, String str2, Consumer<String> consumer) {
        String str3 = (String) Optional.ofNullable(str).orElse("");
        if (str2 == null || str2.equals(str3)) {
            return;
        }
        consumer.accept(str2);
    }

    private void setEmail(BrokeredIdentityContext brokeredIdentityContext, UserModel userModel, String str) {
        userModel.setEmail(str);
        if (!brokeredIdentityContext.getIdpConfig().isTrustEmail() || Boolean.parseBoolean(brokeredIdentityContext.getAuthenticationSession().getAuthNote(AbstractIdpAuthenticator.UPDATE_PROFILE_EMAIL_CHANGED))) {
            logger.tracef("Email verified reset to false after updating user '%s' through Identity provider '%s' ", userModel.getUsername(), brokeredIdentityContext.getIdpConfig().getAlias());
            userModel.setEmailVerified(false);
        } else {
            logger.tracef("Email verified automatically after updating user '%s' through Identity provider '%s' ", userModel.getUsername(), brokeredIdentityContext.getIdpConfig().getAlias());
            userModel.setEmailVerified(true);
        }
    }

    private void migrateFederatedIdentityId(BrokeredIdentityContext brokeredIdentityContext, UserModel userModel) {
        FederatedIdentityModel federatedIdentity = this.session.users().getFederatedIdentity(this.realmModel, userModel, brokeredIdentityContext.getIdpConfig().getAlias());
        FederatedIdentityModel federatedIdentityModel = new FederatedIdentityModel(federatedIdentity, brokeredIdentityContext.getId());
        this.session.users().removeFederatedIdentity(this.realmModel, userModel, federatedIdentity.getIdentityProvider());
        this.session.users().addFederatedIdentity(this.realmModel, userModel, federatedIdentityModel);
        logger.debugf("Federated user ID was migrated from %s to %s", federatedIdentity.getUserId(), federatedIdentityModel.getUserId());
    }

    private void updateToken(BrokeredIdentityContext brokeredIdentityContext, UserModel userModel, FederatedIdentityModel federatedIdentityModel) {
        if (!brokeredIdentityContext.getIdpConfig().isStoreToken() || ObjectUtil.isEqualOrBothNull(brokeredIdentityContext.getToken(), federatedIdentityModel.getToken())) {
            return;
        }
        federatedIdentityModel.setToken(brokeredIdentityContext.getToken());
        this.session.users().updateFederatedIdentity(this.realmModel, userModel, federatedIdentityModel);
        if (isDebugEnabled()) {
            logger.debugf("Identity [%s] update with response from identity provider [%s].", userModel, brokeredIdentityContext.getIdpConfig().getAlias());
        }
    }

    public AuthenticationSessionModel getAndVerifyAuthenticationSession(String str) {
        IdentityBrokerState encoded = IdentityBrokerState.encoded(str, this.realmModel);
        return parseSessionCode(encoded.getDecodedState(), encoded.getClientId(), encoded.getTabId());
    }

    private AuthenticationSessionModel parseSessionCode(String str, String str2, String str3) {
        if (str == null || str2 == null || str3 == null) {
            logger.debugf("Invalid request. Authorization code, clientId or tabId was null. Code=%s, clientId=%s, tabID=%s", str, str2, str3);
            throw new WebApplicationException(redirectToErrorPage(Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST, new Object[0]));
        }
        SessionCodeChecks sessionCodeChecks = new SessionCodeChecks(this.realmModel, this.session.getContext().getUri(), this.request, this.clientConnection, this.session, this.event, null, str, null, str2, str3, LoginActionsService.AUTHENTICATE_PATH);
        sessionCodeChecks.initialVerify();
        if (sessionCodeChecks.verifyActiveAndValidAction(CommonClientSessionModel.Action.AUTHENTICATE.name(), ClientSessionCode.ActionType.LOGIN)) {
            if (isDebugEnabled()) {
                logger.debugf("Authorization code is valid.", new Object[0]);
            }
            return sessionCodeChecks.getClientCode().getClientSession();
        }
        AuthenticationSessionModel authenticationSession = sessionCodeChecks.getAuthenticationSession();
        if (authenticationSession == null) {
            throw new WebApplicationException(sessionCodeChecks.getResponse());
        }
        Response checkAccountManagementFailedLinking = checkAccountManagementFailedLinking(authenticationSession, Messages.STALE_CODE_ACCOUNT, new Object[0]);
        if (checkAccountManagementFailedLinking != null) {
            throw new WebApplicationException(checkAccountManagementFailedLinking);
        }
        throw new WebApplicationException(BrowserHistoryHelper.getInstance().saveResponseAndRedirect(this.session, authenticationSession, sessionCodeChecks.getResponse(), true, this.request));
    }

    private Response checkAccountManagementFailedLinking(AuthenticationSessionModel authenticationSessionModel, String str, Object... objArr) {
        UserSessionModel userSession = new AuthenticationSessionManager(this.session).getUserSession(authenticationSessionModel);
        if (userSession == null || authenticationSessionModel.getClient() == null || !authenticationSessionModel.getClient().getClientId().equals("account")) {
            return null;
        }
        this.event.event(EventType.FEDERATED_IDENTITY_LINK);
        UserModel user = userSession.getUser();
        this.event.user(user);
        this.event.detail("username", user.getUsername());
        return redirectToAccountErrorPage(authenticationSessionModel, str, objArr);
    }

    private Response checkPassiveLoginError(AuthenticationSessionModel authenticationSessionModel, String str) {
        LoginProtocol.Error error = "login_required".equals(str) ? LoginProtocol.Error.PASSIVE_LOGIN_REQUIRED : "interaction_required".equals(str) ? LoginProtocol.Error.PASSIVE_INTERACTION_REQUIRED : null;
        if (error == null) {
            return null;
        }
        LoginProtocol provider = this.session.getProvider(LoginProtocol.class, authenticationSessionModel.getProtocol());
        provider.setRealm(this.realmModel).setHttpHeaders(this.headers).setUriInfo(this.session.getContext().getUri()).setEventBuilder(this.event);
        return provider.sendError(authenticationSessionModel, error);
    }

    private AuthenticationRequest createAuthenticationRequest(String str, ClientSessionCode<AuthenticationSessionModel> clientSessionCode) {
        AuthenticationSessionModel authenticationSessionModel = null;
        IdentityBrokerState identityBrokerState = null;
        if (clientSessionCode != null) {
            authenticationSessionModel = clientSessionCode.getClientSession();
            identityBrokerState = IdentityBrokerState.decoded(clientSessionCode.getOrGenerateCode(), authenticationSessionModel.getClient().getId(), authenticationSessionModel.getClient().getClientId(), authenticationSessionModel.getTabId());
        }
        return new AuthenticationRequest(this.session, this.realmModel, authenticationSessionModel, this.request, this.session.getContext().getUri(), identityBrokerState, getRedirectUri(str));
    }

    private String getRedirectUri(String str) {
        return Urls.identityProviderAuthnResponse(this.session.getContext().getUri().getBaseUri(), str, this.realmModel.getName()).toString();
    }

    private Response redirectToErrorPage(AuthenticationSessionModel authenticationSessionModel, Response.Status status, String str, Object... objArr) {
        return redirectToErrorPage(authenticationSessionModel, status, str, null, objArr);
    }

    private Response redirectToErrorPage(Response.Status status, String str, Object... objArr) {
        return redirectToErrorPage(null, status, str, null, objArr);
    }

    private Response redirectToErrorPage(Response.Status status, String str, Throwable th, Object... objArr) {
        return redirectToErrorPage(null, status, str, th, objArr);
    }

    private Response redirectToErrorPage(AuthenticationSessionModel authenticationSessionModel, Response.Status status, String str, Throwable th, Object... objArr) {
        if (str == null) {
            str = Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR;
        }
        fireErrorEvent(str, th);
        if (th == null || !(th instanceof WebApplicationException)) {
            throw new ErrorPageException(this.session, authenticationSessionModel, status, str, objArr);
        }
        return ((WebApplicationException) th).getResponse();
    }

    private Response redirectToAccountErrorPage(AuthenticationSessionModel authenticationSessionModel, String str, Object... objArr) {
        fireErrorEvent(str);
        try {
            authenticationSessionModel.setAuthNote(AccountConsole.ACCOUNT_MGMT_FORWARDED_ERROR_NOTE, JsonSerialization.writeValueAsString(new FormMessage(str, objArr)));
            return Response.status(302).location(UriBuilder.fromUri(authenticationSessionModel.getRedirectUri()).queryParam("tab_id", new Object[]{authenticationSessionModel.getTabId()}).build(new Object[0])).build();
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    protected Response browserAuthentication(AuthenticationSessionModel authenticationSessionModel, String str, Object... objArr) {
        this.event.event(EventType.LOGIN);
        String id = AuthenticationFlowResolver.resolveBrowserFlow(authenticationSessionModel).getId();
        AuthenticationProcessor authenticationProcessor = new AuthenticationProcessor();
        authenticationProcessor.setAuthenticationSession(authenticationSessionModel).setFlowPath(LoginActionsService.AUTHENTICATE_PATH).setFlowId(id).setBrowserFlow(true).setConnection(this.clientConnection).setEventBuilder(this.event).setRealm(this.realmModel).setSession(this.session).setUriInfo(this.session.getContext().getUri()).setRequest(this.request);
        if (str != null) {
            authenticationProcessor.setForwardedErrorMessage(new FormMessage((String) null, str, objArr));
        }
        try {
            CacheControlUtil.noBackButtonCacheControlHeader(this.session);
            return authenticationProcessor.authenticate();
        } catch (Exception e) {
            return authenticationProcessor.handleBrowserException(e);
        }
    }

    private Response badRequest(String str) {
        fireErrorEvent(str);
        throw ErrorResponse.error(str, Response.Status.BAD_REQUEST);
    }

    private Response forbidden(String str) {
        fireErrorEvent(str);
        throw ErrorResponse.error(str, Response.Status.FORBIDDEN);
    }

    private Response notFound(String str) {
        fireErrorEvent(str);
        throw ErrorResponse.error(str, Response.Status.NOT_FOUND);
    }

    public static IdentityProvider getIdentityProvider(KeycloakSession keycloakSession, RealmModel realmModel, String str) {
        IdentityProviderModel identityProviderByAlias = realmModel.getIdentityProviderByAlias(str);
        if (identityProviderByAlias == null) {
            throw new IdentityBrokerException("Identity Provider [" + str + "] not found.");
        }
        IdentityProviderFactory identityProviderFactory = getIdentityProviderFactory(keycloakSession, identityProviderByAlias);
        if (identityProviderFactory == null) {
            throw new IdentityBrokerException("Could not find factory for identity provider [" + str + "].");
        }
        return identityProviderFactory.create(keycloakSession, identityProviderByAlias);
    }

    public static IdentityProviderFactory getIdentityProviderFactory(KeycloakSession keycloakSession, IdentityProviderModel identityProviderModel) {
        Stream filter = Stream.concat(keycloakSession.getKeycloakSessionFactory().getProviderFactoriesStream(IdentityProvider.class), keycloakSession.getKeycloakSessionFactory().getProviderFactoriesStream(SocialIdentityProvider.class)).filter(providerFactory -> {
            return Objects.equals(providerFactory.getId(), identityProviderModel.getProviderId());
        });
        Class<IdentityProviderFactory> cls = IdentityProviderFactory.class;
        Objects.requireNonNull(IdentityProviderFactory.class);
        return (IdentityProviderFactory) filter.map((v1) -> {
            return r1.cast(v1);
        }).findFirst().orElse(null);
    }

    private IdentityProviderModel getIdentityProviderConfig(String str) {
        IdentityProviderModel identityProviderByAlias = this.realmModel.getIdentityProviderByAlias(str);
        if (identityProviderByAlias == null) {
            throw new IdentityBrokerException("Configuration for identity provider [" + str + "] not found.");
        }
        return identityProviderByAlias;
    }

    private Response corsResponse(Response response, ClientModel clientModel) {
        return Cors.add(this.request, Response.fromResponse(response)).auth().allowedOrigins(this.session, clientModel).build();
    }

    private void fireErrorEvent(String str, Throwable th) {
        if (!this.event.getEvent().getType().toString().endsWith("_ERROR")) {
            boolean z = !this.session.getTransactionManager().isActive();
            if (z) {
                try {
                    this.session.getTransactionManager().begin();
                } catch (Exception e) {
                    ServicesLogger.LOGGER.couldNotFireEvent(e);
                    rollback();
                }
            }
            this.event.error(str);
            if (z) {
                this.session.getTransactionManager().commit();
            }
        }
        if (th != null) {
            logger.error(str, th);
        } else {
            logger.error(str);
        }
    }

    private void fireErrorEvent(String str) {
        fireErrorEvent(str, null);
    }

    private boolean isDebugEnabled() {
        return logger.isDebugEnabled();
    }

    private void rollback() {
        if (this.session.getTransactionManager().isActive()) {
            this.session.getTransactionManager().rollback();
        }
    }
}
