package org.keycloak.protocol.oidc.grants.ciba;

import java.util.Iterator;
import java.util.Map;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import org.jboss.logging.Logger;
import org.keycloak.authentication.AuthenticationProcessor;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.common.Profile;
import org.keycloak.common.util.Time;
import org.keycloak.events.EventBuilder;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientScopeModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.OAuth2DeviceCodeModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserConsentModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.protocol.oidc.endpoints.TokenEndpoint;
import org.keycloak.protocol.oidc.grants.ciba.channel.CIBAAuthenticationRequest;
import org.keycloak.protocol.oidc.grants.ciba.clientpolicy.context.BackchannelTokenRequestContext;
import org.keycloak.protocol.oidc.grants.ciba.endpoints.CibaRootEndpoint;
import org.keycloak.protocol.oidc.grants.device.DeviceGrantType;
import org.keycloak.services.CorsErrorResponseException;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.Urls;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.resources.Cors;
import org.keycloak.services.resources.LoginActionsService;
import org.keycloak.services.util.DefaultClientSessionContext;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.sessions.CommonClientSessionModel;
import org.keycloak.utils.ProfileHelper;

/* loaded from: input_file:org/keycloak/protocol/oidc/grants/ciba/CibaGrantType.class */
public class CibaGrantType {
    private static final Logger logger = Logger.getLogger(CibaGrantType.class);
    public static final String IS_CONSENT_REQUIRED = "is_consent_required";
    public static final String LOGIN_HINT = "login_hint";
    public static final String LOGIN_HINT_TOKEN = "login_hint_token";
    public static final String BINDING_MESSAGE = "binding_message";
    public static final String AUTH_REQ_ID = "auth_req_id";
    public static final String CLIENT_NOTIFICATION_TOKEN = "client_notification_token";
    public static final String REQUESTED_EXPIRY = "requested_expiry";
    public static final String USER_CODE = "user_code";
    public static final String REQUEST = "request";
    public static final String REQUEST_URI = "request_uri";
    public static final String ADDITIONAL_CALLBACK_PARAMS_PREFIX = "ciba_callback_response_param_";
    public static final String ADDITIONAL_BACKCHANNEL_REQ_PARAMS_PREFIX = "ciba_backchannel_request_param_";
    private final MultivaluedMap<String, String> formParams;
    private final ClientModel client;
    private final KeycloakSession session;
    private final TokenEndpoint tokenEndpoint;
    private final RealmModel realm;
    private final EventBuilder event;
    private final Cors cors;

    public static UriBuilder authorizationUrl(UriBuilder uriBuilder) {
        return OIDCLoginProtocolService.tokenServiceBaseUrl(uriBuilder).path(OIDCLoginProtocolService.class, "resolveExtension").resolveTemplate("extension", CibaRootEndpoint.PROVIDER_ID, false).path(CibaRootEndpoint.class, "authorize");
    }

    public static UriBuilder authenticationUrl(UriBuilder uriBuilder) {
        return OIDCLoginProtocolService.tokenServiceBaseUrl(uriBuilder).path(OIDCLoginProtocolService.class, "resolveExtension").resolveTemplate("extension", CibaRootEndpoint.PROVIDER_ID, false).path(CibaRootEndpoint.class, LoginActionsService.AUTHENTICATE_PATH);
    }

    public CibaGrantType(MultivaluedMap<String, String> multivaluedMap, ClientModel clientModel, KeycloakSession keycloakSession, TokenEndpoint tokenEndpoint, RealmModel realmModel, EventBuilder eventBuilder, Cors cors) {
        this.formParams = multivaluedMap;
        this.client = clientModel;
        this.session = keycloakSession;
        this.tokenEndpoint = tokenEndpoint;
        this.realm = realmModel;
        this.event = eventBuilder;
        this.cors = cors;
    }

    public Response cibaGrant() {
        ProfileHelper.requireFeature(Profile.Feature.CIBA);
        if (!this.realm.getCibaPolicy().isOIDCCIBAGrantEnabled(this.client)) {
            this.event.error("not_allowed");
            throw new CorsErrorResponseException(this.cors, "invalid_grant", "Client not allowed OIDC CIBA Grant", Response.Status.BAD_REQUEST);
        }
        String str = (String) this.formParams.getFirst(AUTH_REQ_ID);
        if (str == null) {
            this.event.error("invalid_code");
            throw new CorsErrorResponseException(this.cors, "invalid_request", "Missing parameter: auth_req_id", Response.Status.BAD_REQUEST);
        }
        logger.tracev("CIBA Grant :: authReqId = {0}", str);
        try {
            CIBAAuthenticationRequest deserialize = CIBAAuthenticationRequest.deserialize(this.session, str);
            deserialize.setClient(this.client);
            try {
                this.session.clientPolicy().triggerOnEvent(new BackchannelTokenRequestContext(deserialize, this.formParams));
                OAuth2DeviceCodeModel deviceByDeviceCode = DeviceGrantType.getDeviceByDeviceCode(this.session, this.realm, deserialize.getId());
                if (deviceByDeviceCode == null) {
                    throw new CorsErrorResponseException(this.cors, "invalid_grant", "Invalid auth_req_id", Response.Status.BAD_REQUEST);
                }
                if (!deserialize.getIssuedFor().equals(this.client.getClientId())) {
                    logDebug("invalid client.", deserialize);
                    throw new CorsErrorResponseException(this.cors, "invalid_grant", "unauthorized client", Response.Status.BAD_REQUEST);
                }
                if (deviceByDeviceCode.isExpired()) {
                    logDebug("expired.", deserialize);
                    throw new CorsErrorResponseException(this.cors, "expired_token", "authentication timed out", Response.Status.BAD_REQUEST);
                }
                if (!DeviceGrantType.isPollingAllowed(this.session, deviceByDeviceCode)) {
                    logDebug("polling.", deserialize);
                    throw new CorsErrorResponseException(this.cors, "slow_down", "too early to access", Response.Status.BAD_REQUEST);
                }
                if (deviceByDeviceCode.isDenied()) {
                    logDebug("denied.", deserialize);
                    throw new CorsErrorResponseException(this.cors, AbstractOAuth2IdentityProvider.ACCESS_DENIED, "not authorized", Response.Status.BAD_REQUEST);
                }
                if (deviceByDeviceCode.isPending()) {
                    logDebug("not yet authenticated by Authentication Device or auth_req_id has already been used to get tokens.", deserialize);
                    throw new CorsErrorResponseException(this.cors, "authorization_pending", "The authorization request is still pending as the end-user hasn't yet been authenticated.", Response.Status.BAD_REQUEST);
                }
                UserSessionModel createUserSession = createUserSession(deserialize, deviceByDeviceCode.getAdditionalParams());
                UserModel user = createUserSession.getUser();
                DeviceGrantType.removeDeviceByDeviceCode(this.session, deserialize.getId());
                String scope = deserialize.getScope();
                if (!TokenManager.verifyConsentStillAvailable(this.session, user, this.client, TokenManager.getRequestedClientScopes(scope, this.client))) {
                    this.event.error("not_allowed");
                    throw new CorsErrorResponseException(this.cors, "invalid_scope", "Client no longer has requested consent from user", Response.Status.BAD_REQUEST);
                }
                DefaultClientSessionContext fromClientSessionAndScopeParameter = DefaultClientSessionContext.fromClientSessionAndScopeParameter(createUserSession.getAuthenticatedClientSessionByClient(this.client.getId()), scope, this.session);
                createUserSession.setNote(AuthenticationManager.AUTH_TIME, String.valueOf(Time.currentTime()));
                return this.tokenEndpoint.createTokenResponse(user, createUserSession, fromClientSessionAndScopeParameter, scope, true);
            } catch (ClientPolicyException e) {
                this.event.error(e.getError());
                throw new CorsErrorResponseException(this.cors, "invalid_grant", e.getErrorDetail(), Response.Status.BAD_REQUEST);
            }
        } catch (Exception e2) {
            logger.warnf("illegal format of auth_req_id : e.getMessage() = %s", e2.getMessage());
            throw new CorsErrorResponseException(this.cors, "invalid_grant", "Invalid Auth Req ID", Response.Status.BAD_REQUEST);
        }
    }

    private UserSessionModel createUserSession(CIBAAuthenticationRequest cIBAAuthenticationRequest, Map<String, String> map) {
        AuthenticationSessionModel createAuthenticationSession = this.session.authenticationSessions().createRootAuthenticationSession(this.realm).createAuthenticationSession(this.client);
        createAuthenticationSession.setProtocol("openid-connect");
        createAuthenticationSession.setAction(CommonClientSessionModel.Action.AUTHENTICATE.name());
        createAuthenticationSession.setClientNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(this.session.getContext().getUri().getBaseUri(), this.realm.getName()));
        createAuthenticationSession.setClientNote("scope", cIBAAuthenticationRequest.getScope());
        if (map != null) {
            for (String str : map.keySet()) {
                createAuthenticationSession.setClientNote(ADDITIONAL_CALLBACK_PARAMS_PREFIX + str, map.get(str));
            }
        }
        if (cIBAAuthenticationRequest.getOtherClaims() != null) {
            for (String str2 : cIBAAuthenticationRequest.getOtherClaims().keySet()) {
                createAuthenticationSession.setClientNote(ADDITIONAL_BACKCHANNEL_REQ_PARAMS_PREFIX + str2, cIBAAuthenticationRequest.getOtherClaims().get(str2).toString());
            }
        }
        UserModel userById = this.session.users().getUserById(this.realm, cIBAAuthenticationRequest.getSubject());
        if (userById == null) {
            this.event.error("username_missing");
            throw new ErrorResponseException("invalid_grant", "Could not identify user", Response.Status.BAD_REQUEST);
        }
        if (!userById.isEnabled()) {
            this.event.error("user_disabled");
            throw new CorsErrorResponseException(this.cors, "invalid_grant", "User disabled", Response.Status.BAD_REQUEST);
        }
        logger.debugf("CIBA Grant :: user model found. user.getId() = %s, user.getEmail() = %s, user.getUsername() = %s.", userById.getId(), userById.getEmail(), userById.getUsername());
        createAuthenticationSession.setAuthenticatedUser(userById);
        if (userById.getRequiredActionsStream().count() > 0) {
            this.event.error("resolve_required_actions");
            throw new ErrorResponseException("invalid_grant", "Account is not fully set up", Response.Status.BAD_REQUEST);
        }
        AuthenticationManager.setClientScopesInSession(createAuthenticationSession);
        UserSessionModel userSession = AuthenticationProcessor.attachSession(createAuthenticationSession, null, this.session, this.realm, this.session.getContext().getConnection(), this.event).getClientSession().getUserSession();
        if (userSession == null) {
            this.event.error("user_session_not_found");
            throw new ErrorResponseException("invalid_grant", "User session is not found", Response.Status.BAD_REQUEST);
        }
        UserConsentModel consentByClient = this.session.users().getConsentByClient(this.realm, userById.getId(), this.client.getId());
        if (consentByClient == null) {
            consentByClient = new UserConsentModel(this.client);
            this.session.users().addConsent(this.realm, userById.getId(), consentByClient);
            if (logger.isTraceEnabled()) {
                consentByClient.getGrantedClientScopes().forEach(clientScopeModel -> {
                    logger.tracef("CIBA Grant :: Consent granted. %s", clientScopeModel.getName());
                });
            }
        }
        boolean z = false;
        Iterator it = createAuthenticationSession.getClientScopes().iterator();
        while (it.hasNext()) {
            ClientScopeModel findClientScopeById = KeycloakModelUtils.findClientScopeById(this.realm, this.client, (String) it.next());
            if (findClientScopeById != null && !consentByClient.isClientScopeGranted(findClientScopeById) && findClientScopeById.isDisplayOnConsentScreen()) {
                consentByClient.addGrantedClientScope(findClientScopeById);
                z = true;
            }
        }
        if (z) {
            this.session.users().updateConsent(this.realm, userById.getId(), consentByClient);
            if (logger.isTraceEnabled()) {
                consentByClient.getGrantedClientScopes().forEach(clientScopeModel2 -> {
                    logger.tracef("CIBA Grant :: Consent updated. %s", clientScopeModel2.getName());
                });
            }
        }
        this.event.detail(OIDCLoginProtocol.PROMPT_VALUE_CONSENT, "consent_granted");
        this.event.detail("code_id", userSession.getId());
        this.event.session(userSession.getId());
        this.event.user(userById);
        logger.debugf("Successfully verified Authe Req Id '%s'. User session: '%s', client: '%s'", cIBAAuthenticationRequest, userSession.getId(), this.client.getId());
        return userSession;
    }

    private static void logDebug(String str, CIBAAuthenticationRequest cIBAAuthenticationRequest) {
        logger.debugf("CIBA Grant :: authentication channel %s clientId = %s, authResultId = %s", str, cIBAAuthenticationRequest.getIssuedFor(), cIBAAuthenticationRequest.getAuthResultId());
    }
}
