package org.keycloak.services.resources;

import java.net.URI;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import org.jboss.logging.Logger;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.authentication.AuthenticationProcessor;
import org.keycloak.common.ClientConnection;
import org.keycloak.common.util.ObjectUtil;
import org.keycloak.events.EventBuilder;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.protocol.AuthorizationEndpointBase;
import org.keycloak.protocol.RestartLoginCookie;
import org.keycloak.services.ErrorPage;
import org.keycloak.services.ServicesLogger;
import org.keycloak.services.managers.AuthenticationSessionManager;
import org.keycloak.services.managers.ClientSessionCode;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.util.AuthenticationFlowURLHelper;
import org.keycloak.services.util.BrowserHistoryHelper;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.sessions.CommonClientSessionModel;
import org.keycloak.sessions.RootAuthenticationSessionModel;

/* loaded from: input_file:org/keycloak/services/resources/SessionCodeChecks.class */
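/**
 * Validates the state carried by a login-actions request -- the {@code session_code},
 * {@code execution}, {@code client_id}, {@code tab_id} query parameters, the
 * authentication-session id and the browser cookies -- against the server-side
 * authentication session.
 * <p>
 * Usage: call {@link #initialVerify()} first. When it returns {@code false}, send
 * {@link #getResponse()} to the browser. When it returns {@code true},
 * {@link #getAuthenticationSession()} and {@link #getClientCode()} are populated and the
 * {@code verify*} methods can be used for the action-specific checks. Every failed check
 * records an error on the {@link EventBuilder} (where the original code did so) and stores
 * the response to return; a non-null {@link #response} is what marks the instance as failed.
 * <p>
 * Holds per-request mutable state ({@link #authSession}, {@link #clientCode},
 * {@link #response}, {@link #actionRequest}) with no synchronization; use one instance per
 * request.
 */
public class SessionCodeChecks {
    private static final Logger logger = Logger.getLogger(SessionCodeChecks.class);

    /** Resolved by {@link #initialVerifyAuthSession()}; null until then or on failure. */
    private AuthenticationSessionModel authSession;
    /** Resolved by {@link #initialVerify()} once the client is known; null until then. */
    private ClientSessionCode<AuthenticationSessionModel> clientCode;
    /** Error page or redirect to return to the browser; non-null means a check failed. */
    private Response response;
    /** True when the request carried a valid action code (a form POST), false for a plain GET. */
    private boolean actionRequest;

    private final RealmModel realm;
    private final UriInfo uriInfo;
    private final HttpRequest request;
    private final ClientConnection clientConnection;
    private final KeycloakSession session;
    private final EventBuilder event;
    /** The {@code session_code} request parameter (action code), may be null. */
    private final String code;
    /** The {@code execution} request parameter, may be null. */
    private final String execution;
    /** The {@code client_id} request parameter, may be null. */
    private final String clientId;
    /** The {@code tab_id} request parameter. */
    private final String tabId;
    /** Path of the flow the current endpoint serves (e.g. the authenticate path). */
    private final String flowPath;
    /** The authentication-session id from the request, may be null. */
    private final String authSessionId;

    /**
     * Captures the request context and the raw request parameters. No validation happens
     * here; call {@link #initialVerify()} next.
     *
     * @param realmModel       realm the request targets
     * @param uriInfo          request URI info (used for the SSL check and for building redirects)
     * @param httpRequest      the request (used to flag browser-history updates)
     * @param clientConnection connection details passed to the realm's SSL policy
     * @param keycloakSession  current session
     * @param eventBuilder     event builder that receives error/detail records
     * @param authSessionId    authentication-session id from the request, may be null
     * @param code             {@code session_code} parameter, may be null
     * @param execution        {@code execution} parameter, may be null
     * @param clientId         {@code client_id} parameter, may be null
     * @param tabId            {@code tab_id} parameter
     * @param flowPath         flow path served by the calling endpoint
     */
    public SessionCodeChecks(RealmModel realmModel, UriInfo uriInfo, HttpRequest httpRequest, ClientConnection clientConnection, KeycloakSession keycloakSession, EventBuilder eventBuilder, String authSessionId, String code, String execution, String clientId, String tabId, String flowPath) {
        this.realm = realmModel;
        this.uriInfo = uriInfo;
        this.request = httpRequest;
        this.clientConnection = clientConnection;
        this.session = keycloakSession;
        this.event = eventBuilder;
        this.code = code;
        this.execution = execution;
        this.clientId = clientId;
        this.tabId = tabId;
        this.flowPath = flowPath;
        this.authSessionId = authSessionId;
    }

    /** @return the authentication session resolved by {@link #initialVerify()}, or null. */
    public AuthenticationSessionModel getAuthenticationSession() {
        return this.authSession;
    }

    /** A check has failed once a response to send back has been recorded. */
    private boolean failed() {
        return this.response != null;
    }

    /** @return the error page or redirect produced by a failed check, or null if none failed. */
    public Response getResponse() {
        return this.response;
    }

    /** @return the client session code resolved by {@link #initialVerify()}, or null. */
    public ClientSessionCode<AuthenticationSessionModel> getClientCode() {
        return this.clientCode;
    }

    /** @return true when the request carried a valid action code (see {@link #initialVerify()}). */
    public boolean isActionRequest() {
        return this.actionRequest;
    }

    /**
     * SSL policy check: passes when the request base URI is https, or when the realm's
     * SSL-required setting does not apply to this client connection (that decision is
     * delegated to {@code realm.getSslRequired().isRequired(clientConnection)}).
     */
    private boolean checkSsl() {
        return this.uriInfo.getBaseUri().getScheme().equals("https") || !this.realm.getSslRequired().isRequired(this.clientConnection);
    }

    /**
     * Resolves the authentication session for this request and runs the realm-level checks
     * that do not depend on a client.
     * <p>
     * Order of checks: SSL policy, realm enabled, then session lookup. The session is looked
     * up by id/client/tab when an id was supplied, and independently from the browser cookie
     * ("current" session). When both exist they must belong to the same root authentication
     * session; otherwise the request is rejected with {@code invalid_code} so a request
     * cannot act on a session the browser does not hold. When neither exists, the method
     * either shows an "already logged in" page (a user session exists for the auth cookie)
     * or attempts a restart from the restart-login cookie.
     *
     * @return the authentication session to use, or null when {@link #response} has been set
     */
    public AuthenticationSessionModel initialVerifyAuthSession() {
        if (!checkSsl()) {
            this.event.error("ssl_required");
            this.response = ErrorPage.error(this.session, null, Response.Status.BAD_REQUEST, Messages.HTTPS_REQUIRED, new Object[0]);
            return null;
        }
        if (!this.realm.isEnabled()) {
            this.event.error("realm_disabled");
            this.response = ErrorPage.error(this.session, null, Response.Status.BAD_REQUEST, Messages.REALM_NOT_ENABLED, new Object[0]);
            return null;
        }
        logger.debugf("Will use client '%s' in back-to-application link", this.clientId);
        // The client_id parameter is only used to select the client; an unknown id is not an
        // error at this stage (the client is null and the info page hides the back link).
        ClientModel clientModel = null;
        if (this.clientId != null) {
            clientModel = this.realm.getClientByClientId(this.clientId);
        }
        if (clientModel != null) {
            this.session.getContext().setClient(clientModel);
        }
        AuthenticationSessionManager authenticationSessionManager = new AuthenticationSessionManager(this.session);
        // Session named by the request (auth session id + client + tab), if any.
        AuthenticationSessionModel authenticationSessionModel = null;
        if (this.authSessionId != null) {
            authenticationSessionModel = authenticationSessionManager.getAuthenticationSessionByIdAndClient(this.realm, this.authSessionId, clientModel, this.tabId);
        }
        // Session the browser cookie points at, if any.
        AuthenticationSessionModel currentAuthenticationSession = authenticationSessionManager.getCurrentAuthenticationSession(this.realm, clientModel, this.tabId);
        // Security check: a request-supplied session id must match the browser's cookie-bound
        // root session; a mismatch is treated as an invalid code rather than trusting either.
        if (authenticationSessionModel != null && currentAuthenticationSession != null && !authenticationSessionModel.getParentSession().getId().equals(currentAuthenticationSession.getParentSession().getId())) {
            this.event.detail("reason", "cookie does not match auth_session query parameter");
            this.event.error("invalid_code");
            this.response = ErrorPage.error(this.session, null, Response.Status.BAD_REQUEST, Messages.INVALID_CODE, new Object[0]);
            return null;
        }
        if (authenticationSessionModel != null) {
            this.session.getProvider(LoginFormsProvider.class).setAuthenticationSession(authenticationSessionModel);
            return authenticationSessionModel;
        }
        if (currentAuthenticationSession != null) {
            this.session.getProvider(LoginFormsProvider.class).setAuthenticationSession(currentAuthenticationSession);
            return currentAuthenticationSession;
        }
        // No authentication session at all. If there is no user session behind the auth
        // cookie either, try to restart the login from the restart-login cookie.
        if (authenticationSessionManager.getUserSessionFromAuthCookie(this.realm) == null) {
            this.response = restartAuthenticationSessionFromCookie(authenticationSessionManager.getCurrentRootAuthenticationSession(this.realm));
            return null;
        }
        // The user is already logged in: show an info page. authenticationSessionModel is
        // always null on this path (both non-null cases returned above).
        LoginFormsProvider success = this.session.getProvider(LoginFormsProvider.class).setAuthenticationSession(authenticationSessionModel).setSuccess(Messages.ALREADY_LOGGED_IN, new Object[0]);
        if (clientModel == null) {
            success.setAttribute("skipLink", true);
        }
        this.response = success.createInfoPage();
        return null;
    }

    /**
     * Full initial verification: resolves the authentication session, replays any saved
     * browser-history response, checks the session's client exists and is enabled, and then
     * validates the action code ({@code session_code}) and {@code execution} parameter
     * against the session's current execution.
     * <p>
     * Outcomes on success: {@link #clientCode} is set; {@link #actionRequest} is true only
     * when a valid action code was supplied. A supplied but invalid code whose
     * {@code execution} still matches the session's current execution is redirected back to
     * the current execution URL with an "expired action" message instead of failing hard.
     * Without a code, a transition to a different flow path is only accepted while the
     * session action is {@code AUTHENTICATE}; an {@code execution} that does not match the
     * session's current execution yields the page-expired response.
     *
     * @return true when all checks passed, false when {@link #response} has been set
     */
    public boolean initialVerify() {
        this.authSession = initialVerifyAuthSession();
        if (this.authSession == null) {
            return false;
        }
        this.response = BrowserHistoryHelper.getInstance().loadSavedResponse(this.session, this.authSession);
        if (this.response != null) {
            return false;
        }
        this.event.detail("code_id", this.authSession.getParentSession().getId());
        ClientModel client = this.authSession.getClient();
        if (client == null) {
            this.event.error("client_not_found");
            this.response = ErrorPage.error(this.session, this.authSession, Response.Status.BAD_REQUEST, Messages.UNKNOWN_LOGIN_REQUESTER, new Object[0]);
            // clientCode is not assigned until later in this method, so it is null here on a
            // fresh instance; the original dereferenced it unconditionally and would throw an
            // NPE instead of returning the error page above.
            removeExpiredClientSessionIfPresent();
            return false;
        }
        this.event.client(client);
        this.session.getContext().setClient(client);
        if (!client.isEnabled()) {
            this.event.error("client_disabled");
            this.response = ErrorPage.error(this.session, this.authSession, Response.Status.BAD_REQUEST, Messages.LOGIN_REQUESTER_NOT_ENABLED, new Object[0]);
            // Same null-safety concern as above.
            removeExpiredClientSessionIfPresent();
            return false;
        }
        if (this.code != null) {
            // Action (form-submit) request: the code must parse and verify against the session.
            this.clientCode = ClientSessionCode.parseResult(this.code, this.tabId, this.session, this.realm, client, this.event, this.authSession).getCode();
            if (this.clientCode != null) {
                this.actionRequest = true;
                if (this.execution == null) {
                    return true;
                }
                this.authSession.setAuthNote(AuthenticationProcessor.LAST_PROCESSED_EXECUTION, this.execution);
                return true;
            }
            // Invalid code. If the execution no longer matches the session, the page is stale.
            if (!ObjectUtil.isEqualOrBothNull(this.execution, this.authSession.getAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION))) {
                this.response = showPageExpired(this.authSession);
                return false;
            }
            // Execution still matches: redirect back to it with an "expired action" message.
            URI lastExecutionUrl = getLastExecutionUrl(this.authSession.getAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH), this.execution, this.tabId);
            logger.debugf("Invalid action code, but execution matches. So just redirecting to %s", lastExecutionUrl);
            this.authSession.setAuthNote(LoginActionsService.FORWARDED_ERROR_MESSAGE_NOTE, Messages.EXPIRED_ACTION);
            this.response = Response.status(Response.Status.FOUND).location(lastExecutionUrl).build();
            return false;
        }
        // Non-action (GET) request.
        String authNote = this.authSession.getAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION);
        String authNote2 = this.authSession.getAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH);
        if (this.execution == null && !this.flowPath.equals(authNote2)) {
            logger.debugf("Transition between flows! Current flow: %s, Previous flow: %s", this.flowPath, authNote2);
            // A flow switch is only honoured while still authenticating; it resets the
            // current execution so the new flow starts from its beginning.
            if (CommonClientSessionModel.Action.AUTHENTICATE.name().equals(this.authSession.getAction())) {
                this.authSession.setAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH, this.flowPath);
                this.authSession.removeAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION);
                authNote = null;
            }
        }
        if (this.execution != null && !this.execution.equals(authNote)) {
            this.response = showPageExpired(this.authSession);
            return false;
        }
        this.clientCode = new ClientSessionCode<>(this.session, this.realm, this.authSession);
        this.actionRequest = false;
        if (this.execution != null || authNote == null) {
            return true;
        }
        logger.debugf("Parameter 'execution' is not in the request, but flow wasn't changed. Will update browser history", new Object[0]);
        this.request.setAttribute(BrowserHistoryHelper.SHOULD_UPDATE_BROWSER_HISTORY, true);
        return true;
    }

    /**
     * Calls {@code removeExpiredClientSession()} on the client code only when one has been
     * resolved. In {@link #initialVerify()} the client checks run before the code is
     * assigned, so without this guard those error paths dereference null.
     */
    private void removeExpiredClientSessionIfPresent() {
        if (this.clientCode != null) {
            this.clientCode.removeExpiredClientSession();
        }
    }

    /**
     * Checks that no earlier check failed, that the action of the given type is still active
     * (not timed out, see {@link #isActionActive}) and that the session is in the expected
     * action state.
     *
     * @param str        expected session action name
     * @param actionType action type used for the timeout check
     * @return true when the action is active and matches; false with {@link #response} set otherwise
     */
    public boolean verifyActiveAndValidAction(String str, ClientSessionCode.ActionType actionType) {
        if (failed() || !isActionActive(actionType)) {
            return false;
        }
        if (this.clientCode.isValidAction(str)) {
            return true;
        }
        AuthenticationSessionModel authenticationSession = getAuthenticationSession();
        // Already past authentication (in required actions): a stale page, not an error.
        if (CommonClientSessionModel.Action.REQUIRED_ACTIONS.name().equals(authenticationSession.getAction())) {
            logger.debugf("Incorrect action '%s' . User authenticated already.", authenticationSession.getAction());
            this.response = showPageExpired(authenticationSession);
            return false;
        }
        logger.errorf("Bad action. Expected action '%s', current action '%s'", str, authenticationSession.getAction());
        this.response = ErrorPage.error(this.session, authenticationSession, Response.Status.BAD_REQUEST, Messages.EXPIRED_CODE, new Object[0]);
        return false;
    }

    /**
     * Timeout check. When the action is no longer active, records {@code expired_code},
     * resets the flow to the authenticate path with a login-timeout message and sets a
     * redirect to the restarted flow as the response.
     *
     * @return true when the action is still active
     */
    private boolean isActionActive(ClientSessionCode.ActionType actionType) {
        if (this.clientCode.isActionActive(actionType)) {
            return true;
        }
        this.event.clone().error("expired_code");
        AuthenticationProcessor.resetFlow(this.authSession, LoginActionsService.AUTHENTICATE_PATH);
        this.authSession.setAuthNote(LoginActionsService.FORWARDED_ERROR_MESSAGE_NOTE, Messages.LOGIN_TIMEOUT);
        URI lastExecutionUrl = getLastExecutionUrl(LoginActionsService.AUTHENTICATE_PATH, null, this.tabId);
        logger.debugf("Flow restart after timeout. Redirecting to %s", lastExecutionUrl);
        this.response = Response.status(Response.Status.FOUND).location(lastExecutionUrl).build();
        return false;
    }

    /**
     * Checks for a required-action request: the session must be in the
     * {@code REQUIRED_ACTIONS} state and the user action must still be active. For action
     * (form-submit) requests the requested required action must also be the session's
     * current execution; otherwise the browser is redirected to the current one.
     *
     * @param str required-action id from the request, may be null
     * @return true when the request may proceed; false with {@link #response} set otherwise
     */
    public boolean verifyRequiredAction(String str) {
        if (failed()) {
            return false;
        }
        if (!this.clientCode.isValidAction(CommonClientSessionModel.Action.REQUIRED_ACTIONS.name())) {
            logger.debugf("Expected required action, but session action is '%s' . Showing expired page now.", this.authSession.getAction());
            this.event.error("invalid_code");
            this.response = showPageExpired(this.authSession);
            return false;
        }
        if (!isActionActive(ClientSessionCode.ActionType.USER)) {
            return false;
        }
        if (!this.actionRequest) {
            return true;
        }
        String authNote = this.authSession.getAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION);
        if (str != null && str.equals(authNote)) {
            return true;
        }
        logger.debug("required action doesn't match current required action");
        this.response = redirectToRequiredActions(authNote);
        return false;
    }

    /**
     * Attempts to rebuild an authentication session from the restart-login cookie when none
     * could be found. On success the flow restarts (with a login-timeout message) at the
     * app-initiated flow recorded on the session, or at the authenticate path; on failure an
     * {@code invalid_code} error page is returned.
     *
     * @param rootAuthenticationSessionModel current root session from the cookie, may be null
     * @return redirect to the restarted flow, or an error page
     */
    private Response restartAuthenticationSessionFromCookie(RootAuthenticationSessionModel rootAuthenticationSessionModel) {
        logger.debug("Authentication session not found. Trying to restart from cookie.");
        AuthenticationSessionModel authenticationSessionModel = null;
        try {
            authenticationSessionModel = RestartLoginCookie.restartSession(this.session, this.realm, rootAuthenticationSessionModel, this.clientId);
        } catch (Exception e) {
            // A malformed/untrusted cookie is logged and treated as "no session" below.
            ServicesLogger.LOGGER.failedToParseRestartLoginCookie(e);
        }
        if (authenticationSessionModel == null) {
            this.event.error("invalid_code");
            return ErrorPage.error(this.session, authenticationSessionModel, Response.Status.BAD_REQUEST, Messages.INVALID_CODE, new Object[0]);
        }
        // NOTE(review): the clone() result is discarded here, unlike in isActionActive();
        // kept as in the original.
        this.event.clone();
        this.event.detail("restart_after_timeout", "true");
        this.event.error("expired_code");
        authenticationSessionModel.setAuthNote(LoginActionsService.FORWARDED_ERROR_MESSAGE_NOTE, Messages.LOGIN_TIMEOUT);
        String clientNote = authenticationSessionModel.getClientNote(AuthorizationEndpointBase.APP_INITIATED_FLOW);
        if (clientNote == null) {
            clientNote = LoginActionsService.AUTHENTICATE_PATH;
        }
        URI lastExecutionUrl = getLastExecutionUrl(clientNote, null, authenticationSessionModel.getTabId());
        logger.debugf("Authentication session restart from cookie succeeded. Redirecting to %s", lastExecutionUrl);
        return Response.status(Response.Status.FOUND).location(lastExecutionUrl).build();
    }

    /**
     * Builds a redirect to the required-actions endpoint for the session's client and tab,
     * carrying the given execution when non-null. Query values are added via
     * {@link UriBuilder#queryParam}, which encodes them.
     *
     * @param str execution (required action) to redirect to, may be null
     */
    private Response redirectToRequiredActions(String str) {
        UriBuilder path = LoginActionsService.loginActionsBaseUrl(this.uriInfo).path(LoginActionsService.REQUIRED_ACTION);
        if (str != null) {
            path.queryParam("execution", new Object[]{str});
        }
        path.queryParam("client_id", new Object[]{this.authSession.getClient().getClientId()});
        path.queryParam("tab_id", new Object[]{this.authSession.getTabId()});
        return Response.status(Response.Status.FOUND).location(path.build(new Object[]{this.realm.getName()})).build();
    }

    /** URL of the last execution of the given flow for this request's client. */
    private URI getLastExecutionUrl(String str, String str2, String str3) {
        return new AuthenticationFlowURLHelper(this.session, this.realm, this.uriInfo).getLastExecutionUrl(str, str2, this.clientId, str3);
    }

    /** The "page expired" response for the given authentication session. */
    private Response showPageExpired(AuthenticationSessionModel authenticationSessionModel) {
        return new AuthenticationFlowURLHelper(this.session, this.realm, this.uriInfo).showPageExpired(authenticationSessionModel);
    }
}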
