package org.keycloak.services.resources.flows;

import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.NewCookie;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import org.jboss.resteasy.logging.Logger;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.models.ApplicationModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RequiredCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.managers.AccessCodeEntry;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.TokenManager;
import org.keycloak.services.messages.Messages;

/* loaded from: input_file:org/keycloak/services/resources/flows/OAuthFlows.class */
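/**
 * Builds the HTTP responses that end an OAuth authorization request: the 302 redirect (or the
 * out-of-band page) that hands the access code back to the client, the matching error redirect,
 * and the interstitial pages (required user actions, OAuth grant page, security failure) that may
 * have to be shown before the code is released.
 *
 * <p>Instances are request-scoped: they hold the realm, the current request and its
 * {@link UriInfo}, plus the managers that mint access codes and login cookies. They are not
 * intended to be shared between requests.
 */
public class OAuthFlows {
    private static final Logger log = Logger.getLogger(OAuthFlows.class);

    /** OAuth 2.0 "out-of-band" redirect URI: show the code on a page instead of redirecting. */
    private static final String OOB_REDIRECT_URI = "urn:ietf:wg:oauth:2.0:oob";
    private static final String CODE_PARAM = "code";
    private static final String STATE_PARAM = "state";
    private static final String TOTP_CREDENTIAL_TYPE = "totp";
    private static final int HTTP_FOUND = 302;

    private final RealmModel realm;
    private final HttpRequest request;
    private final UriInfo uriInfo;
    private final AuthenticationManager authManager;
    private final TokenManager tokenManager;

    /**
     * Creates a flow helper bound to one request.
     *
     * <p>The decompiler notes the original constructor was package-private (it is created by the
     * {@code Flows} factory); the widened modifier is kept so existing callers keep compiling.
     *
     * @param realmModel realm the request belongs to
     * @param httpRequest current request (used for cookies and form rendering)
     * @param uriInfo URI context of the current request
     * @param authenticationManager creates the login cookie attached to successful redirects
     * @param tokenManager mints access codes
     */
    public OAuthFlows(RealmModel realmModel, HttpRequest httpRequest, UriInfo uriInfo, AuthenticationManager authenticationManager, TokenManager tokenManager) {
        this.realm = realmModel;
        this.request = httpRequest;
        this.uriInfo = uriInfo;
        this.authManager = authenticationManager;
        this.tokenManager = tokenManager;
    }

    /**
     * Same as {@link #redirectAccessCode(AccessCodeEntry, String, String, boolean)} with
     * {@code rememberMe = false}; the login cookie is still persistent when the request already
     * carries the remember-me cookie.
     *
     * @param accessCodeEntry the minted access code
     * @param state the client's {@code state} value, echoed back when non-null
     * @param redirectUri where to send the code, or the out-of-band URI
     * @return the redirect (or out-of-band code page) response
     */
    public Response redirectAccessCode(AccessCodeEntry accessCodeEntry, String state, String redirectUri) {
        return redirectAccessCode(accessCodeEntry, state, redirectUri, false);
    }

    /**
     * Hands the access code back to the client.
     *
     * <p>For the out-of-band URI the code is rendered on a page; otherwise a 302 to
     * {@code redirectUri?code=...[&state=...]} is returned together with the login cookie. The
     * cookie is persistent when {@code rememberMe} is set or when the request already carries the
     * remember-me cookie.
     *
     * <p>NOTE(review): {@code redirectUri} is used as given here; it must already have been checked
     * against the client's registered redirect URIs by the caller — confirm at the call sites.
     *
     * @param accessCodeEntry the minted access code
     * @param state the client's {@code state} value, echoed back when non-null
     * @param redirectUri where to send the code, or the out-of-band URI
     * @param rememberMe whether the login cookie should be persistent regardless of the request
     * @return the redirect (or out-of-band code page) response
     */
    public Response redirectAccessCode(AccessCodeEntry accessCodeEntry, String state, String redirectUri, boolean rememberMe) {
        String code = accessCodeEntry.getCode();
        if (OOB_REDIRECT_URI.equals(redirectUri)) {
            return Flows.forms(this.realm, this.request, this.uriInfo)
                    .setAccessCode(accessCodeEntry.getId(), code)
                    .createCode();
        }
        UriBuilder target = UriBuilder.fromUri(redirectUri).queryParam(CODE_PARAM, code);
        // Only the client's state is logged; the access code itself is deliberately kept out of the log.
        log.debug("redirectAccessCode: state: {0}", state);
        if (state != null) {
            target.queryParam(STATE_PARAM, state);
        }
        Response.ResponseBuilder response = Response.status(HTTP_FOUND).location(target.build());
        boolean persistentLogin = rememberMe || hasRememberMeCookie();
        response.cookie(this.authManager.createLoginCookie(this.realm, accessCodeEntry.getUser(), this.uriInfo, persistentLogin));
        return response.build();
    }

    /**
     * Sends an OAuth error back to the client, either on the out-of-band page or as a 302 to
     * {@code redirectUri?error=...[&state=...]}.
     *
     * @param clientModel the requesting client (currently unused, kept for the existing signature)
     * @param error error message/code placed in the {@code error} query parameter
     * @param state the client's {@code state} value, echoed back when non-null
     * @param redirectUri where to send the error, or the out-of-band URI
     * @return the redirect (or out-of-band error page) response
     */
    public Response redirectError(ClientModel clientModel, String error, String state, String redirectUri) {
        if (OOB_REDIRECT_URI.equals(redirectUri)) {
            return Flows.forms(this.realm, this.request, this.uriInfo).setError(error).createCode();
        }
        UriBuilder target = UriBuilder.fromUri(redirectUri).queryParam(Messages.ERROR, error);
        if (state != null) {
            target.queryParam(STATE_PARAM, state);
        }
        return Response.status(HTTP_FOUND).location(target.build()).build();
    }

    /**
     * Same as {@link #processAccessCode(String, String, String, ClientModel, UserModel, boolean)}
     * with {@code rememberMe = false}.
     */
    public Response processAccessCode(String scopeParam, String state, String redirectUri, ClientModel clientModel, UserModel userModel) {
        return processAccessCode(scopeParam, state, redirectUri, clientModel, userModel, false);
    }

    /**
     * Mints an access code for an authenticated user and decides what the user sees next.
     *
     * <p>Order of precedence:
     * <ol>
     *   <li>the user has pending required actions (TOTP setup and e-mail verification are added
     *       here when the realm demands them) — the first one is rendered;</li>
     *   <li>the client is not an application and requested realm or resource roles — the OAuth
     *       grant (consent) page is rendered;</li>
     *   <li>a redirect URI was supplied — the code is redirected to the client.</li>
     * </ol>
     * In the first two cases the code's expiration is shortened to the realm's user-action
     * lifespan, so a code parked on an interstitial page is not valid for longer than the realm
     * allows.
     *
     * @param scopeParam first argument forwarded unchanged to {@code TokenManager.createAccessCode}
     *        (NOTE(review): looks like the OAuth scope parameter — confirm in TokenManager)
     * @param state the client's {@code state} value
     * @param redirectUri where to send the code; may be {@code null}
     * @param clientModel the requesting client; an {@link ApplicationModel} is treated as a resource
     * @param userModel the authenticated user
     * @param rememberMe whether the login cookie should be persistent
     * @return the next response for the user, or {@code null} when no interstitial page is needed
     *         and no redirect URI was given — callers must handle the {@code null}
     */
    public Response processAccessCode(String scopeParam, String state, String redirectUri, ClientModel clientModel, UserModel userModel, boolean rememberMe) {
        addTotpRequiredActionIfNeeded(userModel);
        addEmailVerificationRequiredActionIfNeeded(userModel);
        boolean isResource = clientModel instanceof ApplicationModel;
        AccessCodeEntry accessCode = this.tokenManager.createAccessCode(scopeParam, state, redirectUri, this.realm, clientModel, userModel);
        // Computed once so the logged decision and the branch below cannot diverge.
        boolean needsGrantPage = !isResource
                && (!accessCode.getRealmRolesRequested().isEmpty() || !accessCode.getResourceRolesRequested().isEmpty());
        log.debug("processAccessCode: isResource: {0}", isResource);
        log.debug("processAccessCode: go to oauth page?: {0}", needsGrantPage);

        Set<UserModel.RequiredAction> requiredActions = userModel.getRequiredActions();
        if (!requiredActions.isEmpty()) {
            accessCode.setRequiredActions(new HashSet<>(requiredActions));
            accessCode.setExpiration(userActionExpiration());
            return Flows.forms(this.realm, this.request, this.uriInfo)
                    .setAccessCode(accessCode.getId(), accessCode.getCode())
                    .setUser(userModel)
                    .createResponse(requiredActions.iterator().next());
        }
        if (needsGrantPage) {
            accessCode.setExpiration(userActionExpiration());
            return Flows.forms(this.realm, this.request, this.uriInfo)
                    .setAccessCode(accessCode.getId(), accessCode.getCode())
                    .setAccessRequest(accessCode.getRealmRolesRequested(), accessCode.getResourceRolesRequested())
                    .setClient(clientModel)
                    .createOAuthGrant();
        }
        if (redirectUri != null) {
            return redirectAccessCode(accessCode, state, redirectUri, rememberMe);
        }
        return null;
    }

    /**
     * Renders the generic error page with the given message.
     *
     * @param error message shown on the page
     * @return the error page response
     */
    public Response forwardToSecurityFailure(String error) {
        return Flows.forms(this.realm, this.request, this.uriInfo).setError(error).createErrorPage();
    }

    /** Expiration (seconds since the epoch) for a code that is waiting on a user action page. */
    private long userActionExpiration() {
        return (System.currentTimeMillis() / 1000) + this.realm.getAccessCodeLifespanUserAction();
    }

    /** True when the current request already carries the remember-me cookie from an earlier login. */
    private boolean hasRememberMeCookie() {
        return this.request.getHttpHeaders().getCookies().get(AuthenticationManager.KEYCLOAK_REMEMBER_ME) != null;
    }

    /**
     * Adds {@code CONFIGURE_TOTP} to the user's required actions when the realm lists a
     * {@code totp} required credential and the user has no TOTP configured. The action is added
     * once per matching credential, as in the original loop.
     */
    private void addTotpRequiredActionIfNeeded(UserModel userModel) {
        for (RequiredCredentialModel credential : this.realm.getRequiredCredentials()) {
            if (TOTP_CREDENTIAL_TYPE.equals(credential.getType()) && !userModel.isTotp()) {
                userModel.addRequiredAction(UserModel.RequiredAction.CONFIGURE_TOTP);
                log.debug("User is required to configure totp");
            }
        }
    }

    /**
     * Adds {@code VERIFY_EMAIL} to the user's required actions when the realm requires verified
     * e-mail addresses and the user's address is not yet verified.
     */
    private void addEmailVerificationRequiredActionIfNeeded(UserModel userModel) {
        if (!this.realm.isVerifyEmail() || userModel.isEmailVerified()) {
            return;
        }
        userModel.addRequiredAction(UserModel.RequiredAction.VERIFY_EMAIL);
        log.debug("User is required to verify email");
    }
}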
