package org.keycloak.organization.authentication.authenticators.browser;

import java.util.List;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.authenticators.browser.IdentityProviderAuthenticator;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.forms.login.freemarker.model.AuthenticationContextBean;
import org.keycloak.forms.login.freemarker.model.IdentityProviderBean;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.OrganizationModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.FormMessage;
import org.keycloak.organization.OrganizationProvider;
import org.keycloak.organization.forms.login.freemarker.model.OrganizationAwareAuthenticationContextBean;
import org.keycloak.organization.forms.login.freemarker.model.OrganizationAwareIdentityProviderBean;
import org.keycloak.organization.forms.login.freemarker.model.OrganizationAwareRealmBean;
import org.keycloak.organization.utils.Organizations;
import org.keycloak.services.messages.Messages;

/* loaded from: input_file:org/keycloak/organization/authentication/authenticators/browser/OrganizationAuthenticator.class */
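public class OrganizationAuthenticator extends IdentityProviderAuthenticator {

    /** Login-form field whose value is routed on; treated as an e-mail address if it contains '@'. */
    private static final String USERNAME_FIELD = "username";

    /** Broker config key read by {@link #hasPublicBrokers(List)}; its value is parsed as a boolean. */
    private static final String BROKER_PUBLIC_CONFIG = "kc.org.broker.public";

    /** Broker config key holding the e-mail domain an {@code EMAIL_MATCH} broker is bound to. */
    private static final String BROKER_DOMAIN_CONFIG = "kc.org.domain";

    private final KeycloakSession session;

    public OrganizationAuthenticator(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
    }

    /**
     * First leg of the execution: when organizations are enabled and at least one exists, render the
     * organization-aware username form; otherwise mark the execution as attempted so the flow moves on.
     */
    @Override
    public void authenticate(AuthenticationFlowContext context) {
        if (Organizations.isEnabledAndOrganizationsPresent(getOrganizationProvider())) {
            challenge(context);
        } else {
            context.attempted();
        }
    }

    /**
     * Second leg: the submitted username is read as an e-mail address and its domain decides whether
     * the login is routed to an organization broker.
     *
     * <p>Every exit from this method sets a flow status ({@code attempted}, {@code failure}, or a
     * challenge issued directly or via {@code redirect}); the flow engine presumably has nothing to
     * act on otherwise.
     *
     * <p>SECURITY NOTE(review): the username is unauthenticated input, and the outcome differs by case:
     * "attempted" when the domain maps to nothing, an INVALID_USER failure for a disabled account, a
     * generic error when the domain maps to an organization without public brokers, and an error that
     * names the organization when it has public brokers. An unauthenticated caller can therefore probe
     * which e-mail domains belong to organizations and which accounts are disabled. That is inherent to
     * domain-based routing; keep it in mind before making any of these responses more specific.
     */
    @Override
    public void action(AuthenticationFlowContext context) {
        String username = (String) context.getHttpRequest().getDecodedFormParameters().getFirst(USERNAME_FIELD);
        String domain = getEmailDomain(username);
        if (domain == null) {
            // No '@' (or no username at all): nothing to route on, let the next execution handle it.
            context.attempted();
            return;
        }

        RealmModel realm = context.getRealm();
        // NOTE(review): if the realm permits duplicate e-mails this lookup may not be unique — confirm
        // how the user provider behaves in that configuration.
        UserModel existing = session.users().getUserByEmail(realm, username);
        if (existing != null) {
            routeExistingUser(context, existing);
            return;
        }

        OrganizationModel organization = getOrganizationProvider().getByDomainName(domain);
        if (organization == null || !organization.isEnabled()) {
            // Unknown or disabled organization: behave exactly as if no organization matched.
            context.attempted();
            return;
        }

        List<IdentityProviderModel> brokers = organization.getIdentityProviders().toList();
        if (redirect(context, brokers, username, domain)) {
            return;
        }
        if (!hasPublicBrokers(brokers)) {
            // Organization matched but offers nothing the user can pick: re-render with a generic error.
            challenge(username, context);
            return;
        }
        challengeUnknownMember(context, realm, organization);
    }

    /**
     * Routing for a username that already resolves to a local account: disabled accounts fail the
     * flow, a member bound to exactly one broker is redirected to it, everything else moves on.
     */
    private void routeExistingUser(AuthenticationFlowContext context, UserModel user) {
        if (!user.isEnabled()) {
            context.failure(AuthenticationFlowError.INVALID_USER);
            return;
        }
        List<IdentityProviderModel> brokers = Organizations.resolveBroker(session, user);
        if (brokers.size() == 1) {
            // Exactly one broker bound to this member: send them straight to it with their e-mail as hint.
            redirect(context, brokers.get(0).getAlias(), user.getEmail());
            return;
        }
        // FIX: the original returned without setting any status when more than one broker resolved,
        // leaving the flow engine with nothing to act on. The ambiguous case is now handled like the
        // no-broker case: hand over to the next execution.
        // NOTE(review): offering the user a choice between the resolved brokers instead is a product
        // decision not visible here.
        context.attempted();
    }

    /**
     * Renders the username form for a caller whose e-mail domain matches an enabled organization that
     * exposes at least one public broker, telling them no account exists yet.
     */
    private void challengeUnknownMember(AuthenticationFlowContext context, RealmModel realm, OrganizationModel organization) {
        LoginFormsProvider form = context.form().setAttributeMapper(attributes -> {
            attributes.computeIfPresent("social", (key, bean) ->
                    new OrganizationAwareIdentityProviderBean((IdentityProviderBean) bean, session, true));
            attributes.computeIfPresent("auth", (key, bean) ->
                    new OrganizationAwareAuthenticationContextBean((AuthenticationContextBean) bean, false));
            attributes.computeIfPresent("realm", (key, bean) -> new OrganizationAwareRealmBean(realm));
            return attributes;
        });
        // NOTE(review): unlike the other error this text is not localized through Messages, and it
        // echoes the organization's display name to an unauthenticated caller.
        form.addError(new FormMessage("Your email domain matches the " + organization.getName() + " organization but you don't have an account yet.", new Object[0]));
        context.challenge(form.createLoginUsername());
    }

    /** True when at least one broker's {@code kc.org.broker.public} config value parses as {@code true}. */
    private static boolean hasPublicBrokers(List<IdentityProviderModel> brokers) {
        return brokers.stream()
                .map(broker -> broker.getConfig().getOrDefault(BROKER_PUBLIC_CONFIG, Boolean.FALSE.toString()))
                .anyMatch(value -> Boolean.parseBoolean((String) value));
    }

    private OrganizationProvider getOrganizationProvider() {
        return session.getProvider(OrganizationProvider.class);
    }

    /** Renders the organization-aware username form with no error attached. */
    private void challenge(AuthenticationFlowContext context) {
        challenge(null, context);
    }

    /**
     * Renders the organization-aware username form. When {@code username} is non-null a generic
     * {@code INVALID_USER} error is attached to the username field; the message is deliberately
     * non-specific about whether the account or the organization is the problem.
     */
    private void challenge(String username, AuthenticationFlowContext context) {
        LoginFormsProvider form = context.form().setAttributeMapper(attributes -> {
            attributes.computeIfPresent("social", (key, bean) ->
                    new OrganizationAwareIdentityProviderBean((IdentityProviderBean) bean, session, false, true));
            attributes.computeIfPresent("auth", (key, bean) ->
                    new OrganizationAwareAuthenticationContextBean((AuthenticationContextBean) bean, false));
            return attributes;
        });
        if (username != null) {
            form.addError(new FormMessage(USERNAME_FIELD, Messages.INVALID_USER));
        }
        context.challenge(form.createLoginUsername());
    }

    /**
     * Returns the text after the first '@' in {@code username}, or {@code null} when the value is
     * null or has no '@'. A trailing '@' yields the empty string, not {@code null}. Case is preserved:
     * whether the downstream domain lookup and the {@code EMAIL_MATCH} comparison are case-sensitive
     * is decided there, not here.
     */
    private static String getEmailDomain(String username) {
        if (username == null) {
            return null;
        }
        int at = username.indexOf('@');
        return at == -1 ? null : username.substring(at + 1);
    }

    @Override
    public boolean configuredFor(KeycloakSession keycloakSession, RealmModel realm, UserModel user) {
        return realm.isOrganizationsEnabled();
    }

    /**
     * Redirects to the first broker in {@code brokers} that has {@code EMAIL_MATCH} redirect mode set
     * and whose bound domain equals {@code domain} exactly (no case folding), passing {@code username}
     * as the login hint.
     *
     * @return {@code true} if a redirect was issued, {@code false} if no broker matched
     */
    protected boolean redirect(AuthenticationFlowContext context, List<IdentityProviderModel> brokers, String username, String domain) {
        for (IdentityProviderModel broker : brokers) {
            if (!OrganizationModel.IdentityProviderRedirectMode.EMAIL_MATCH.isSet(broker)) {
                continue;
            }
            if (domain.equals((String) broker.getConfig().get(BROKER_DOMAIN_CONFIG))) {
                redirect(context, broker.getAlias(), username);
                return true;
            }
        }
        return false;
    }
}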
