package org.keycloak.services.resources;

import java.net.URISyntaxException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.QueryParam;
import javax.ws.rs.container.ResourceContext;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MultivaluedHashMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import org.jboss.resteasy.logging.Logger;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.SocialLinkModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.RealmManager;
import org.keycloak.services.managers.SocialRequestManager;
import org.keycloak.services.managers.TokenManager;
import org.keycloak.services.resources.flows.Flows;
import org.keycloak.services.resources.flows.OAuthFlows;
import org.keycloak.services.resources.flows.Urls;
import org.keycloak.social.AuthCallback;
import org.keycloak.social.RequestDetails;
import org.keycloak.social.SocialAccessDeniedException;
import org.keycloak.social.SocialLoader;
import org.keycloak.social.SocialProvider;
import org.keycloak.social.SocialProviderConfig;
import org.keycloak.social.SocialProviderException;
import org.keycloak.social.SocialUser;

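/**
 * JAX-RS resource mounted at {@code /social}. It starts a login at an external social provider
 * ({@code {realm}/login}) and completes it when the provider redirects back ({@code callback}).
 *
 * <p>The login step stores the client attributes (realm, clientId, scope, state, redirectUri,
 * responseType) through {@code Flows.social(...)}; the callback reads them back from the
 * {@link RequestDetails} found under the request id that arrives in the {@code state},
 * {@code oauth_token} or {@code denied} query parameter. Both endpoints are reachable without
 * prior authentication, so every value taken from the query string is treated as untrusted.
 */
@Path("/social")
public class SocialResource {
    protected static Logger logger = Logger.getLogger(SocialResource.class);

    @Context
    protected UriInfo uriInfo;

    @Context
    protected HttpHeaders headers;

    @Context
    private HttpRequest request;

    @Context
    ResourceContext resourceContext;

    @Context
    protected KeycloakSession session;
    private SocialRequestManager socialRequestManager;
    private TokenManager tokenManager;
    private AuthenticationManager authManager = new AuthenticationManager();

    /**
     * @param tokenManager         passed on to the OAuth flow built in {@link #callback()}
     * @param socialRequestManager stores and retrieves the per-login request data
     */
    public SocialResource(TokenManager tokenManager, SocialRequestManager socialRequestManager) {
        this.tokenManager = tokenManager;
        this.socialRequestManager = socialRequestManager;
    }

    /**
     * Handles the redirect back from the social provider.
     *
     * <p>The stored request is looked up first; a callback that carries no known request id, or
     * whose stored realm no longer exists, is answered with {@code 400 Bad Request} instead of
     * failing with a {@code NullPointerException}. After the realm and client checks the provider
     * processes the callback, and the resulting social identity is either linked to an existing
     * user (when the stored request carries a {@code userId}) or used to log in, creating the
     * user on first login if the realm allows registration.
     *
     * @return a redirect or error page describing the outcome
     * @throws URISyntaxException declared for interface compatibility
     */
    @GET
    @Path("callback")
    public Response callback() throws URISyntaxException {
        Map<String, String[]> queryParams = getQueryParams();
        RequestDetails requestDetails = getRequestDetails(queryParams);
        if (requestDetails == null) {
            // No realm is known yet, so there is nothing to render an error page with.
            logger.warn("Social callback without a known request id");
            return Response.status(Response.Status.BAD_REQUEST).build();
        }
        SocialProvider provider = SocialLoader.load(requestDetails.getProviderId());
        RealmModel realm = new RealmManager(this.session).getRealmByName(requestDetails.getClientAttribute("realm"));
        if (realm == null) {
            logger.warn("Social callback for a realm that does not exist");
            return Response.status(Response.Status.BAD_REQUEST).build();
        }
        OAuthFlows oauth = Flows.oauth(realm, this.request, this.uriInfo, this.authManager, this.tokenManager);
        if (!realm.isEnabled()) {
            return oauth.forwardToSecurityFailure("Realm not enabled.");
        }
        ClientModel client = realm.findClient((String) requestDetails.getClientAttributes().get("clientId"));
        if (client == null) {
            return oauth.forwardToSecurityFailure("Unknown login requester.");
        }
        if (!client.isEnabled()) {
            return oauth.forwardToSecurityFailure("Login requester not enabled.");
        }
        if (provider == null) {
            // redirectToProviderAuth shows that SocialLoader.load can return null.
            return oauth.forwardToSecurityFailure("Social provider not found");
        }
        try {
            String providerId = requestDetails.getProviderId();
            SocialProviderConfig providerConfig = new SocialProviderConfig(
                    (String) realm.getSocialConfig().get(providerId + ".key"),
                    (String) realm.getSocialConfig().get(providerId + ".secret"),
                    Urls.socialCallback(this.uriInfo.getBaseUri()).toString());
            SocialUser socialUser = provider.processCallback(
                    providerConfig, new AuthCallback(requestDetails.getSocialAttributes(), queryParams));
            SocialLinkModel socialLink =
                    new SocialLinkModel(provider.getId(), socialUser.getId(), socialUser.getUsername());
            UserModel user = realm.getUserBySocialLink(socialLink);

            String linkUserId = requestDetails.getClientAttribute("userId");
            if (linkUserId != null) {
                // Account-linking flow: attach the social identity to the user named in the stored request.
                UserModel linkTarget = realm.getUserById(linkUserId);
                if (user != null) {
                    return oauth.forwardToSecurityFailure("This social account is already linked to other user");
                }
                if (linkTarget == null) {
                    // The user may have been removed between the start of the flow and the callback.
                    return oauth.forwardToSecurityFailure("Unknown user");
                }
                if (!linkTarget.isEnabled()) {
                    return oauth.forwardToSecurityFailure("User is disabled");
                }
                if (!realm.hasRole(linkTarget, realm.getApplicationByName("account").getRole("manage-account"))) {
                    return oauth.forwardToSecurityFailure("Insufficient permissions to link social account");
                }
                realm.addSocialLink(linkTarget, socialLink);
                logger.debug("Social provider " + provider.getId() + " linked with user " + linkTarget.getLoginName());
                // NOTE(review): this redirect target comes from the stored request; the code that stores it
                // for the linking flow is not in this class - confirm it is validated there.
                String redirectUri = (String) requestDetails.getClientAttributes().get("redirectUri");
                if (redirectUri == null) {
                    return oauth.forwardToSecurityFailure("Unknown redirectUri");
                }
                return Response.status(Response.Status.FOUND).location(UriBuilder.fromUri(redirectUri).build()).build();
            }

            if (user == null) {
                if (!realm.isRegistrationAllowed()) {
                    return oauth.forwardToSecurityFailure("Registration not allowed");
                }
                // First login with this social identity: create an enabled user from the provider's profile.
                // NOTE(review): nothing here checks whether the provider verified the e-mail address -
                // confirm before other code relies on it for account matching or recovery.
                user = realm.addUser(KeycloakModelUtils.generateId());
                user.setEnabled(true);
                user.setFirstName(socialUser.getFirstName());
                user.setLastName(socialUser.getLastName());
                user.setEmail(socialUser.getEmail());
                if (realm.isUpdateProfileOnInitialSocialLogin()) {
                    user.addRequiredAction(UserModel.RequiredAction.UPDATE_PROFILE);
                }
                realm.addSocialLink(user, socialLink);
            }
            if (!user.isEnabled()) {
                return oauth.forwardToSecurityFailure("Your account is not enabled.");
            }
            return oauth.processAccessCode(
                    (String) requestDetails.getClientAttributes().get("scope"),
                    (String) requestDetails.getClientAttributes().get("state"),
                    (String) requestDetails.getClientAttributes().get("redirectUri"),
                    client,
                    user);
        } catch (SocialProviderException e) {
            logger.warn("Failed to process social callback", e);
            return oauth.forwardToSecurityFailure("Failed to process social callback");
        } catch (SocialAccessDeniedException e2) {
            // The user declined at the provider: show the login form again with the original parameters.
            MultivaluedHashMap<String, String> loginParams = new MultivaluedHashMap<String, String>();
            loginParams.putSingle("client_id", requestDetails.getClientAttribute("clientId"));
            loginParams.putSingle("state", requestDetails.getClientAttribute("state"));
            loginParams.putSingle("scope", requestDetails.getClientAttribute("scope"));
            loginParams.putSingle("redirect_uri", requestDetails.getClientAttribute("redirectUri"));
            loginParams.putSingle("response_type", requestDetails.getClientAttribute("responseType"));
            return Flows.forms(realm, this.request, this.uriInfo).setQueryParams(loginParams).setWarning("Access denied").createLogin();
        }
    }

    /**
     * Validates the login request and redirects the browser to the social provider.
     *
     * <p>An unknown realm is answered with {@code 404 Not Found} instead of failing with a
     * {@code NullPointerException}. The redirect URI is checked against the client by
     * {@code TokenService.verifyRedirectUri} and only the verified value is stored for the
     * callback.
     *
     * @param str  realm name from the path
     * @param str2 {@code provider_id}: id of the social provider to use
     * @param str3 {@code client_id}: the client requesting the login
     * @param str4 {@code scope}
     * @param str5 {@code state}
     * @param str6 {@code redirect_uri}: verified against the client before use
     * @param str7 {@code response_type}
     * @return the redirect to the provider, or an error page
     */
    @GET
    @Path("{realm}/login")
    public Response redirectToProviderAuth(@PathParam("realm") String str, @QueryParam("provider_id") String str2, @QueryParam("client_id") String str3, @QueryParam("scope") String str4, @QueryParam("state") String str5, @QueryParam("redirect_uri") String str6, @QueryParam("response_type") String str7) {
        RealmModel realm = new RealmManager(this.session).getRealmByName(str);
        if (realm == null) {
            // The realm name is attacker-controlled, so it is deliberately left out of the log line.
            logger.warn("Social login requested for a realm that does not exist");
            return Response.status(Response.Status.NOT_FOUND).build();
        }
        // NOTE(review): unlike callback(), realm.isEnabled() is not checked here; callback() rejects
        // a disabled realm later - confirm that is the intended place for the check.
        SocialProvider provider = SocialLoader.load(str2);
        if (provider == null) {
            return errorPage(realm, "Social provider not found");
        }
        ClientModel client = realm.findClient(str3);
        if (client == null) {
            // client_id is untrusted: strip line breaks so it cannot forge additional log entries.
            logger.warn("Unknown login requester: " + sanitizeForLog(str3));
            return errorPage(realm, "Unknown login requester.");
        }
        if (!client.isEnabled()) {
            logger.warn("Login requester not enabled.");
            return errorPage(realm, "Login requester not enabled.");
        }
        String verifiedRedirectUri = TokenService.verifyRedirectUri(str6, client);
        if (verifiedRedirectUri == null) {
            return errorPage(realm, "Invalid redirect_uri.");
        }
        try {
            return Flows.social(this.socialRequestManager, realm, this.uriInfo, provider)
                    .putClientAttribute("realm", str)
                    .putClientAttribute("clientId", str3)
                    .putClientAttribute("scope", str4)
                    .putClientAttribute("state", str5)
                    .putClientAttribute("redirectUri", verifiedRedirectUri)
                    .putClientAttribute("responseType", str7)
                    .redirectToSocialProvider();
        } catch (Throwable th) {
            // Record the cause; the error page itself stays generic.
            logger.warn("Failed to redirect to social auth", th);
            return errorPage(realm, "Failed to redirect to social auth");
        }
    }

    /** Renders the realm's error page with the given message. */
    private Response errorPage(RealmModel realm, String message) {
        return Flows.forms(realm, this.request, this.uriInfo).setError(message).createErrorPage();
    }

    /** Replaces CR and LF in a request-supplied value before it is written to the log. */
    private static String sanitizeForLog(String value) {
        return value == null ? null : value.replaceAll("[\\r\\n]", "_");
    }

    /** Returns the first value of a query parameter, or {@code null} when it has none. */
    private static String firstValue(Map<String, String[]> params, String name) {
        String[] values = params.get(name);
        return (values == null || values.length == 0) ? null : values[0];
    }

    /**
     * Finds the stored request for this callback. The request id is taken from the first of
     * {@code state}, {@code oauth_token} and {@code denied} that is present.
     *
     * @param map query parameters of the callback request
     * @return the stored request data, or {@code null} when no known request id was sent
     */
    private RequestDetails getRequestDetails(Map<String, String[]> map) {
        String requestId = null;
        if (map.containsKey("state")) {
            requestId = firstValue(map, "state");
        } else if (map.containsKey("oauth_token")) {
            requestId = firstValue(map, "oauth_token");
        } else if (map.containsKey("denied")) {
            requestId = firstValue(map, "denied");
        }
        if (requestId == null || !this.socialRequestManager.isRequestId(requestId)) {
            return null;
        }
        // NOTE(review): whether retrieveData invalidates the id after use is not visible here -
        // confirm, so that a callback URL cannot be replayed.
        return this.socialRequestManager.retrieveData(requestId);
    }

    /** Copies the request's query parameters into a map of name to value array. */
    private Map<String, String[]> getQueryParams() {
        Map<String, String[]> params = new HashMap<String, String[]>();
        for (Map.Entry<String, List<String>> entry : this.uriInfo.getQueryParameters().entrySet()) {
            List<String> values = entry.getValue();
            params.put(entry.getKey(), values.toArray(new String[values.size()]));
        }
        return params;
    }
}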
