package org.keycloak.protocol.oidc.grants.device.endpoints;

import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.OPTIONS;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.QueryParam;
import jakarta.ws.rs.core.Response;
import java.util.Map;
import org.jboss.logging.Logger;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.common.util.Base64Url;
import org.keycloak.common.util.SecretGenerator;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.http.HttpRequest;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.OAuth2DeviceCodeModel;
import org.keycloak.models.OAuth2DeviceUserCodeModel;
import org.keycloak.models.OAuth2DeviceUserCodeProvider;
import org.keycloak.models.RealmModel;
import org.keycloak.models.SingleUseObjectProvider;
import org.keycloak.protocol.AuthorizationEndpointBase;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.endpoints.AuthorizationEndpointChecker;
import org.keycloak.protocol.oidc.endpoints.request.AuthorizationEndpointRequest;
import org.keycloak.protocol.oidc.endpoints.request.AuthorizationEndpointRequestParserProcessor;
import org.keycloak.protocol.oidc.grants.device.DeviceGrantType;
import org.keycloak.protocol.oidc.grants.device.clientpolicy.context.DeviceAuthorizationRequestContext;
import org.keycloak.protocol.oidc.utils.AuthorizeClientUtil;
import org.keycloak.representations.OAuth2DeviceAuthorizationResponse;
import org.keycloak.saml.common.util.StringUtil;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.ServicesLogger;
import org.keycloak.services.Urls;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.cors.Cors;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.resource.RealmResourceProvider;
import org.keycloak.services.util.CacheControlUtil;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.sessions.CommonClientSessionModel;
import org.keycloak.userprofile.DeclarativeUserProfileProviderFactory;
import org.keycloak.util.JsonSerialization;
import org.keycloak.util.TokenUtil;
import org.keycloak.utils.MediaType;

/* loaded from: input_file:org/keycloak/protocol/oidc/grants/device/endpoints/DeviceEndpoint.class */
public class DeviceEndpoint extends AuthorizationEndpointBase implements RealmResourceProvider {
    protected static final Logger logger = Logger.getLogger(DeviceEndpoint.class);
    public static final String SHORT_VERIFICATION_URI = "shortVerificationUri";
    private final HttpRequest request;
    private Cors cors;

    public DeviceEndpoint(KeycloakSession keycloakSession, EventBuilder eventBuilder) {
        super(keycloakSession, eventBuilder);
        this.request = keycloakSession.getContext().getHttpRequest();
    }

    @Produces({MediaType.APPLICATION_JSON})
    @POST
    @Path("")
    @Consumes({MediaType.APPLICATION_FORM_URLENCODED})
    public Response handleDeviceRequest() {
        this.cors = Cors.add(this.request).auth().allowedMethods(new String[]{"POST"}).auth().exposedHeaders(new String[]{"Access-Control-Allow-Methods"});
        logger.trace("Processing @POST request");
        this.event.event(EventType.OAUTH2_DEVICE_AUTH);
        checkSsl();
        checkRealm();
        ClientModel authenticateClient = authenticateClient();
        AuthorizationEndpointRequest parseRequest = AuthorizationEndpointRequestParserProcessor.parseRequest(this.event, this.session, authenticateClient, this.httpRequest.getDecodedFormParameters(), AuthorizationEndpointRequestParserProcessor.EndpointType.OAUTH2_DEVICE_ENDPOINT);
        if (parseRequest.getInvalidRequestMessage() != null) {
            this.event.error("invalid_request");
            throw new ErrorResponseException("invalid_grant", parseRequest.getInvalidRequestMessage(), Response.Status.BAD_REQUEST);
        }
        if (!TokenUtil.isOIDCRequest(parseRequest.getScope())) {
            ServicesLogger.LOGGER.oidcScopeMissing();
        }
        CacheControlUtil.noBackButtonCacheControlHeader(this.session);
        if (!this.realm.getOAuth2DeviceConfig().isOAuth2DeviceAuthorizationGrantEnabled(authenticateClient)) {
            this.event.error("not_allowed");
            throw new ErrorResponseException("invalid_grant", "Client not allowed for OAuth 2.0 Device Authorization Grant", Response.Status.BAD_REQUEST);
        }
        try {
            new AuthorizationEndpointChecker().event(this.event).client(authenticateClient).request(parseRequest).checkPKCEParams();
            try {
                this.session.clientPolicy().triggerOnEvent(new DeviceAuthorizationRequestContext(parseRequest, this.httpRequest.getDecodedFormParameters()));
                int lifespan = this.realm.getOAuth2DeviceConfig().getLifespan(authenticateClient);
                int poolingInterval = this.realm.getOAuth2DeviceConfig().getPoolingInterval(authenticateClient);
                OAuth2DeviceCodeModel create = OAuth2DeviceCodeModel.create(this.realm, authenticateClient, Base64Url.encode(SecretGenerator.getInstance().randomBytes()), parseRequest.getScope(), parseRequest.getNonce(), lifespan, poolingInterval, (String) null, (String) null, parseRequest.getAdditionalReqParams(), parseRequest.getCodeChallenge(), parseRequest.getCodeChallengeMethod());
                OAuth2DeviceUserCodeProvider provider = this.session.getProvider(OAuth2DeviceUserCodeProvider.class);
                String generate = provider.generate();
                OAuth2DeviceUserCodeModel oAuth2DeviceUserCodeModel = new OAuth2DeviceUserCodeModel(this.realm, create.getDeviceCode(), generate);
                int i = lifespan + poolingInterval + 10;
                SingleUseObjectProvider singleUseObjects = this.session.singleUseObjects();
                singleUseObjects.put(create.serializeKey(), i, create.toMap());
                singleUseObjects.put(oAuth2DeviceUserCodeModel.serializeKey(), i, oAuth2DeviceUserCodeModel.serializeValue());
                try {
                    String attribute = this.realm.getAttribute(SHORT_VERIFICATION_URI);
                    if (attribute == null || attribute.isEmpty()) {
                        attribute = DeviceGrantType.oauth2DeviceVerificationUrl(this.session.getContext().getUri()).build(new Object[]{this.realm.getName()}).toString();
                    }
                    OAuth2DeviceAuthorizationResponse oAuth2DeviceAuthorizationResponse = new OAuth2DeviceAuthorizationResponse();
                    oAuth2DeviceAuthorizationResponse.setDeviceCode(create.getDeviceCode());
                    oAuth2DeviceAuthorizationResponse.setUserCode(provider.display(generate));
                    oAuth2DeviceAuthorizationResponse.setExpiresIn(lifespan);
                    oAuth2DeviceAuthorizationResponse.setInterval(poolingInterval);
                    oAuth2DeviceAuthorizationResponse.setVerificationUri(attribute);
                    oAuth2DeviceAuthorizationResponse.setVerificationUriComplete(attribute + "?user_code=" + oAuth2DeviceAuthorizationResponse.getUserCode());
                    return this.cors.builder(Response.ok(JsonSerialization.writeValueAsBytes(oAuth2DeviceAuthorizationResponse)).type(jakarta.ws.rs.core.MediaType.APPLICATION_JSON_TYPE)).build();
                } catch (Exception e) {
                    throw new RuntimeException("Error creating OAuth 2.0 Device Authorization Response.", e);
                }
            } catch (ClientPolicyException e2) {
                throw new ErrorResponseException(e2.getError(), e2.getErrorDetail(), Response.Status.BAD_REQUEST);
            }
        } catch (AuthorizationEndpointChecker.AuthorizationCheckException e3) {
            throw new ErrorResponseException(e3.getError(), e3.getErrorDescription(), Response.Status.BAD_REQUEST);
        }
    }

    @OPTIONS
    public Response preflight() {
        if (logger.isDebugEnabled()) {
            logger.debugv("CORS preflight from: {0}", this.headers.getRequestHeaders().getFirst("Origin"));
        }
        return Cors.add(this.request, Response.ok()).auth().preflight().allowedMethods(new String[]{"POST", "OPTIONS"}).build();
    }

    @GET
    public Response verifyUserCode(@QueryParam("user_code") String str) {
        this.event.event(EventType.OAUTH2_DEVICE_VERIFY_USER_CODE);
        checkSsl();
        checkRealm();
        CacheControlUtil.noBackButtonCacheControlHeader(this.session);
        if (StringUtil.isNullOrEmpty(str)) {
            return createVerificationPage(null);
        }
        String format = this.session.getProvider(OAuth2DeviceUserCodeProvider.class).format(str);
        OAuth2DeviceCodeModel deviceByUserCode = getDeviceByUserCode(this.session, this.realm, format);
        if (deviceByUserCode == null) {
            return invalidUserCodeResponse(Messages.OAUTH2_DEVICE_INVALID_USER_CODE, "device code not found (it may already have been used)");
        }
        if (deviceByUserCode.isPending()) {
            return deviceByUserCode.isDenied() ? invalidUserCodeResponse(Messages.OAUTH2_DEVICE_INVALID_USER_CODE, "device code denied") : deviceByUserCode.isExpired() ? invalidUserCodeResponse(Messages.OAUTH2_DEVICE_EXPIRED_USER_CODE, "device code expired") : processVerification(deviceByUserCode, format);
        }
        this.event.detail("device_code_user_session_id", deviceByUserCode.getUserSessionId());
        return invalidUserCodeResponse(Messages.OAUTH2_DEVICE_INVALID_USER_CODE, "device code already used and not yet deleted");
    }

    @POST
    @Path("/")
    @Consumes({MediaType.APPLICATION_FORM_URLENCODED})
    public Response verifyUserCode() {
        return verifyUserCode((String) this.httpRequest.getDecodedFormParameters().getFirst(DeviceGrantType.OAUTH2_DEVICE_USER_CODE));
    }

    @Path("status")
    @GET
    public Response status(@QueryParam("error") String str) {
        String str2;
        if (StringUtil.isNullOrEmpty(str)) {
            LoginFormsProvider provider = this.session.getProvider(LoginFormsProvider.class);
            return provider.setAttribute("messageHeader", provider.getMessage(Messages.OAUTH2_DEVICE_VERIFICATION_COMPLETE_HEADER)).setAttribute("skipLink", true).setSuccess(Messages.OAUTH2_DEVICE_VERIFICATION_COMPLETE, new Object[0]).createInfoPage();
        }
        boolean z = -1;
        switch (str.hashCode()) {
            case -444618026:
                if (str.equals(AbstractOAuth2IdentityProvider.ACCESS_DENIED)) {
                    z = false;
                    break;
                }
                break;
            case 1612125279:
                if (str.equals("expired_token")) {
                    z = true;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                str2 = Messages.OAUTH2_DEVICE_CONSENT_DENIED;
                break;
            case DeclarativeUserProfileProviderFactory.PROVIDER_PRIORITY /* 1 */:
                str2 = Messages.OAUTH2_DEVICE_EXPIRED_USER_CODE;
                break;
            default:
                str2 = Messages.OAUTH2_DEVICE_VERIFICATION_FAILED;
                break;
        }
        LoginFormsProvider provider2 = this.session.getProvider(LoginFormsProvider.class);
        return provider2.setAttribute("messageHeader", provider2.getMessage(Messages.OAUTH2_DEVICE_VERIFICATION_FAILED_HEADER)).setAttribute("actionUri", DeviceGrantType.oauth2DeviceVerificationUrl(this.session.getContext().getUri()).build(new Object[]{this.realm.getName()}).toString()).setError(str2, new Object[0]).createInfoPage();
    }

    public static OAuth2DeviceCodeModel getDeviceByUserCode(KeycloakSession keycloakSession, RealmModel realmModel, String str) {
        SingleUseObjectProvider singleUseObjects = keycloakSession.singleUseObjects();
        Map map = singleUseObjects.get(OAuth2DeviceUserCodeModel.createKey(realmModel, str));
        if (map == null) {
            return null;
        }
        String deviceCode = OAuth2DeviceUserCodeModel.fromCache(realmModel, str, map).getDeviceCode();
        Map map2 = singleUseObjects.get(OAuth2DeviceCodeModel.createKey(deviceCode));
        if (map2 != null) {
            return OAuth2DeviceCodeModel.fromCache(realmModel, deviceCode, map2);
        }
        return null;
    }

    private Response invalidUserCodeResponse(String str, String str2) {
        this.event.error("invalid_oauth2_user_code");
        this.event.detail("reason", str2);
        logger.debugf("invalid user code: %s", str2);
        return createVerificationPage(str);
    }

    private Response createVerificationPage(String str) {
        LoginFormsProvider execution = this.session.getProvider(LoginFormsProvider.class).setExecution(CommonClientSessionModel.Action.USER_CODE_VERIFICATION.name());
        if (str != null) {
            execution = execution.setError(str, new Object[0]);
        }
        return execution.createOAuth2DeviceVerifyUserCodePage();
    }

    private Response processVerification(OAuth2DeviceCodeModel oAuth2DeviceCodeModel, String str) {
        AuthenticationSessionModel createAuthenticationSession = createAuthenticationSession(this.realm.getClientByClientId(oAuth2DeviceCodeModel.getClientId()), oAuth2DeviceCodeModel.getScope());
        createAuthenticationSession.setClientNote(DeviceGrantType.OAUTH2_DEVICE_VERIFIED_USER_CODE, str);
        this.event.client(oAuth2DeviceCodeModel.getClientId()).detail("scope", oAuth2DeviceCodeModel.getScope()).success();
        return handleBrowserAuthenticationRequest(createAuthenticationSession, new OIDCLoginProtocol(this.session, this.realm, this.session.getContext().getUri(), this.headers, this.event), false, true);
    }

    public Object getResource() {
        return this;
    }

    public void close() {
    }

    private ClientModel authenticateClient() {
        ClientModel client = AuthorizeClientUtil.authorizeClient(this.session, this.event, this.cors).getClient();
        if (client == null) {
            this.event.error("invalid_request");
            throw new ErrorResponseException("invalid_request", "Missing parameters:client_id", Response.Status.BAD_REQUEST);
        }
        checkClient(client.getClientId());
        return client;
    }

    private ClientModel checkClient(String str) {
        if (str == null) {
            this.event.error("invalid_request");
            throw new ErrorResponseException("invalid_request", "Missing parameters:client_id", Response.Status.BAD_REQUEST);
        }
        this.event.client(str);
        ClientModel clientByClientId = this.realm.getClientByClientId(str);
        if (clientByClientId == null) {
            this.event.error("client_not_found");
            throw new ErrorResponseException("invalid_client", "Client not found.", Response.Status.BAD_REQUEST);
        }
        if (!clientByClientId.isEnabled()) {
            this.event.error("client_disabled");
            throw new ErrorResponseException("invalid_client", "Client disabled.", Response.Status.BAD_REQUEST);
        }
        if (!this.realm.getOAuth2DeviceConfig().isOAuth2DeviceAuthorizationGrantEnabled(clientByClientId)) {
            this.event.error("not_allowed");
            throw new ErrorResponseException("unauthorized_client", "Client is not allowed to initiate OAuth 2.0 Device Authorization Grant. The flow is disabled for the client.", Response.Status.BAD_REQUEST);
        }
        if (clientByClientId.isBearerOnly()) {
            this.event.error("not_allowed");
            throw new ErrorResponseException("unauthorized_client", "Bearer-only applications are not allowed to initiate browser login.", Response.Status.FORBIDDEN);
        }
        String protocol = clientByClientId.getProtocol();
        if (protocol == null) {
            logger.warnf("Client '%s' doesn't have protocol set. Fallback to openid-connect. Please fix client configuration", str);
            protocol = "openid-connect";
        }
        if (protocol.equals("openid-connect")) {
            this.session.getContext().setClient(clientByClientId);
            return clientByClientId;
        }
        this.event.error("invalid_client");
        throw new ErrorResponseException("unauthorized_client", "Wrong client protocol.", Response.Status.BAD_REQUEST);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.keycloak.protocol.AuthorizationEndpointBase
    public AuthenticationSessionModel createAuthenticationSession(ClientModel clientModel, String str) {
        AuthenticationSessionModel createAuthenticationSession = super.createAuthenticationSession(clientModel, null);
        createAuthenticationSession.setProtocol("openid-connect");
        createAuthenticationSession.setAction(CommonClientSessionModel.Action.AUTHENTICATE.name());
        createAuthenticationSession.setClientNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(this.session.getContext().getUri().getBaseUri(), this.realm.getName()));
        if (str != null) {
            createAuthenticationSession.setClientNote("scope", str);
        }
        return createAuthenticationSession;
    }
}
