package org.keycloak.protocol.oidc.grants.ciba.endpoints;

import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.core.Response;
import java.io.IOException;
import java.util.Map;
import org.jboss.logging.Logger;
import org.jboss.resteasy.reactive.NoCache;
import org.keycloak.TokenVerifier;
import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.http.HttpRequest;
import org.keycloak.models.CibaConfig;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.OAuth2DeviceCodeModel;
import org.keycloak.protocol.oidc.grants.ciba.channel.AuthenticationChannelResponse;
import org.keycloak.protocol.oidc.grants.device.DeviceGrantType;
import org.keycloak.protocol.oidc.grants.device.endpoints.DeviceEndpoint;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.Urls;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationSessionManager;
import org.keycloak.services.util.DPoPUtil;
import org.keycloak.userprofile.DeclarativeUserProfileProvider;
import org.keycloak.utils.MediaType;

/* loaded from: input_file:org/keycloak/protocol/oidc/grants/ciba/endpoints/BackchannelAuthenticationCallbackEndpoint.class */
public class BackchannelAuthenticationCallbackEndpoint extends AbstractCibaEndpoint {
    private static final Logger logger = Logger.getLogger(BackchannelAuthenticationCallbackEndpoint.class);
    private final HttpRequest httpRequest;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.keycloak.protocol.oidc.grants.ciba.endpoints.BackchannelAuthenticationCallbackEndpoint$1, reason: invalid class name */
    /* loaded from: input_file:org/keycloak/protocol/oidc/grants/ciba/endpoints/BackchannelAuthenticationCallbackEndpoint$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$keycloak$protocol$oidc$grants$ciba$channel$AuthenticationChannelResponse$Status = new int[AuthenticationChannelResponse.Status.values().length];

        static {
            try {
                $SwitchMap$org$keycloak$protocol$oidc$grants$ciba$channel$AuthenticationChannelResponse$Status[AuthenticationChannelResponse.Status.SUCCEED.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$keycloak$protocol$oidc$grants$ciba$channel$AuthenticationChannelResponse$Status[AuthenticationChannelResponse.Status.CANCELLED.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$keycloak$protocol$oidc$grants$ciba$channel$AuthenticationChannelResponse$Status[AuthenticationChannelResponse.Status.UNAUTHORIZED.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/keycloak/protocol/oidc/grants/ciba/endpoints/BackchannelAuthenticationCallbackEndpoint$BackchannelAuthCallbackContext.class */
    public class BackchannelAuthCallbackContext {
        private final AccessToken bearerToken;
        private final OAuth2DeviceCodeModel deviceModel;

        private BackchannelAuthCallbackContext(AccessToken accessToken, OAuth2DeviceCodeModel oAuth2DeviceCodeModel) {
            this.bearerToken = accessToken;
            this.deviceModel = oAuth2DeviceCodeModel;
        }

        /* synthetic */ BackchannelAuthCallbackContext(BackchannelAuthenticationCallbackEndpoint backchannelAuthenticationCallbackEndpoint, AccessToken accessToken, OAuth2DeviceCodeModel oAuth2DeviceCodeModel, AnonymousClass1 anonymousClass1) {
            this(accessToken, oAuth2DeviceCodeModel);
        }
    }

    public BackchannelAuthenticationCallbackEndpoint(KeycloakSession keycloakSession, EventBuilder eventBuilder) {
        super(keycloakSession, eventBuilder);
        this.httpRequest = keycloakSession.getContext().getHttpRequest();
    }

    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    @POST
    @Path("/")
    @Consumes({MediaType.APPLICATION_JSON})
    public Response processAuthenticationChannelResult(AuthenticationChannelResponse authenticationChannelResponse) {
        this.event.event(EventType.LOGIN);
        BackchannelAuthCallbackContext verifyAuthenticationRequest = verifyAuthenticationRequest(this.httpRequest.getHttpHeaders());
        AccessToken accessToken = verifyAuthenticationRequest.bearerToken;
        OAuth2DeviceCodeModel oAuth2DeviceCodeModel = verifyAuthenticationRequest.deviceModel;
        AuthenticationChannelResponse.Status status = authenticationChannelResponse.getStatus();
        if (status == null) {
            this.event.error("invalid_request");
            throw new ErrorResponseException("invalid_request", "Invalid authentication status", Response.Status.BAD_REQUEST);
        }
        switch (AnonymousClass1.$SwitchMap$org$keycloak$protocol$oidc$grants$ciba$channel$AuthenticationChannelResponse$Status[status.ordinal()]) {
            case DeclarativeUserProfileProvider.PROVIDER_PRIORITY /* 1 */:
                approveRequest(accessToken, authenticationChannelResponse.getAdditionalParams());
                break;
            case DPoPUtil.DEFAULT_ALLOWED_CLOCK_SKEW /* 2 */:
            case AuthenticationSessionManager.AUTH_SESSION_COOKIE_LIMIT /* 3 */:
                denyRequest(accessToken, status);
                break;
        }
        ClientModel client = this.session.getContext().getClient();
        CibaConfig cibaPolicy = this.realm.getCibaPolicy();
        if (cibaPolicy.getBackchannelTokenDeliveryMode(client).equals("ping")) {
            sendClientNotificationRequest(client, cibaPolicy, oAuth2DeviceCodeModel);
        }
        return Response.ok(jakarta.ws.rs.core.MediaType.APPLICATION_JSON_TYPE).build();
    }

    private BackchannelAuthCallbackContext verifyAuthenticationRequest(HttpHeaders httpHeaders) {
        String extractAuthorizationHeaderTokenOrReturnNull = AppAuthManager.extractAuthorizationHeaderTokenOrReturnNull(httpHeaders);
        if (extractAuthorizationHeaderTokenOrReturnNull == null) {
            throw new ErrorResponseException("invalid_token", "Invalid token", Response.Status.UNAUTHORIZED);
        }
        try {
            AccessToken token = TokenVerifier.createWithoutSignature(this.session.tokens().decode(extractAuthorizationHeaderTokenOrReturnNull, AccessToken.class)).withDefaultChecks().realmUrl(Urls.realmIssuer(this.session.getContext().getUri().getBaseUri(), this.realm.getName())).checkActive(true).audience(new String[]{Urls.realmIssuer(this.session.getContext().getUri().getBaseUri(), this.realm.getName())}).verify().getToken();
            OAuth2DeviceCodeModel deviceByUserCode = DeviceEndpoint.getDeviceByUserCode(this.session, this.realm, token.getId());
            if (deviceByUserCode == null) {
                throw new ErrorResponseException("invalid_token", "Invalid token", Response.Status.FORBIDDEN);
            }
            if (!deviceByUserCode.isPending()) {
                cancelRequest(token.getId());
                throw new ErrorResponseException("invalid_token", "Invalid token", Response.Status.FORBIDDEN);
            }
            ClientModel clientByClientId = this.realm.getClientByClientId(token.getIssuedFor());
            if (clientByClientId == null || !clientByClientId.isEnabled()) {
                throw new ErrorResponseException("invalid_request", "Invalid token recipient", Response.Status.BAD_REQUEST);
            }
            if (!deviceByUserCode.getClientId().equals(clientByClientId.getClientId())) {
                throw new ErrorResponseException("invalid_request", "Token recipient mismatch", Response.Status.BAD_REQUEST);
            }
            this.session.getContext().setClient(clientByClientId);
            this.event.client(clientByClientId);
            return new BackchannelAuthCallbackContext(this, token, deviceByUserCode, null);
        } catch (Exception e) {
            this.event.error("invalid_token");
            throw new ErrorResponseException("invalid_token", "Invalid token", Response.Status.FORBIDDEN);
        }
    }

    private void cancelRequest(String str) {
        DeviceGrantType.removeDeviceByDeviceCode(this.session, DeviceEndpoint.getDeviceByUserCode(this.session, this.realm, str).getDeviceCode());
        DeviceGrantType.removeDeviceByUserCode(this.session, this.realm, str);
    }

    private void approveRequest(AccessToken accessToken, Map<String, String> map) {
        DeviceGrantType.approveUserCode(this.session, this.realm, accessToken.getId(), "fake", map);
    }

    private void denyRequest(AccessToken accessToken, AuthenticationChannelResponse.Status status) {
        if (AuthenticationChannelResponse.Status.CANCELLED.equals(status)) {
            this.event.error("not_allowed");
        } else {
            this.event.error("consent_denied");
        }
        DeviceGrantType.denyUserCode(this.session, this.realm, accessToken.getId());
    }

    protected void sendClientNotificationRequest(ClientModel clientModel, CibaConfig cibaConfig, OAuth2DeviceCodeModel oAuth2DeviceCodeModel) {
        String backchannelClientNotificationEndpoint = cibaConfig.getBackchannelClientNotificationEndpoint(clientModel);
        if (backchannelClientNotificationEndpoint == null) {
            this.event.error("invalid_request");
            throw new ErrorResponseException("invalid_request", "Client notification endpoint not set for the client with the ping mode", Response.Status.BAD_REQUEST);
        }
        logger.debugf("Sending request to client notification endpoint '%s' for the client '%s'", backchannelClientNotificationEndpoint, clientModel.getClientId());
        ClientNotificationEndpointRequest clientNotificationEndpointRequest = new ClientNotificationEndpointRequest();
        clientNotificationEndpointRequest.setAuthReqId(oAuth2DeviceCodeModel.getAuthReqId());
        try {
            int asStatus = SimpleHttp.doPost(backchannelClientNotificationEndpoint, this.session).header("Content-Type", MediaType.APPLICATION_JSON).json(clientNotificationEndpointRequest).auth(oAuth2DeviceCodeModel.getClientNotificationToken()).asStatus();
            logger.tracef("Received status '%d' from request to client notification endpoint '%s' for the client '%s'", asStatus, backchannelClientNotificationEndpoint, clientModel.getClientId());
            if (asStatus == 200 || asStatus == 204) {
                return;
            }
            logger.warnf("Invalid status returned from client notification endpoint '%s' of client '%s'", backchannelClientNotificationEndpoint, clientModel.getClientId());
            this.event.error("invalid_request");
            throw new ErrorResponseException("invalid_request", "Failed to send request to client notification endpoint", Response.Status.BAD_REQUEST);
        } catch (IOException e) {
            logger.errorf(e, "Failed to send request to client notification endpoint '%s' of client '%s'", backchannelClientNotificationEndpoint, clientModel.getClientId());
            this.event.error("invalid_request");
            throw new ErrorResponseException("invalid_request", "Failed to send request to client notification endpoint", Response.Status.BAD_REQUEST);
        }
    }
}
