package org.keycloak.services.resources.account;

import jakarta.ws.rs.DELETE;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.QueryParam;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.UriBuilder;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.UUID;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.jboss.logging.Logger;
import org.keycloak.broker.social.SocialIdentityProvider;
import org.keycloak.common.Profile;
import org.keycloak.common.util.Base64Url;
import org.keycloak.crypto.SHA256HashProviderFactory;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.http.HttpRequest;
import org.keycloak.keys.Attributes;
import org.keycloak.models.FederatedIdentityModel;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.organization.utils.Organizations;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.representations.account.AccountLinkUriRepresentation;
import org.keycloak.representations.account.LinkedAccountRepresentation;
import org.keycloak.services.ErrorResponse;
import org.keycloak.services.Urls;
import org.keycloak.services.cors.Cors;
import org.keycloak.services.managers.Auth;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.validation.Validation;
import org.keycloak.theme.Theme;
import org.keycloak.utils.MediaType;
import org.keycloak.utils.StreamsUtil;

/* loaded from: input_file:org/keycloak/services/resources/account/LinkedAccountsResource.class */
public class LinkedAccountsResource {
    private static final Logger logger = Logger.getLogger(LinkedAccountsResource.class);
    private final KeycloakSession session;
    private final HttpRequest request;
    private final EventBuilder event;
    private final UserModel user;
    private final RealmModel realm;
    private final Auth auth;
    private final Set<String> socialIds;

    public LinkedAccountsResource(KeycloakSession keycloakSession, HttpRequest httpRequest, Auth auth, EventBuilder eventBuilder, UserModel userModel) {
        this.session = keycloakSession;
        this.request = httpRequest;
        this.auth = auth;
        this.event = eventBuilder;
        this.user = userModel;
        this.realm = keycloakSession.getContext().getRealm();
        this.socialIds = (Set) keycloakSession.getKeycloakSessionFactory().getProviderFactoriesStream(SocialIdentityProvider.class).map((v0) -> {
            return v0.getId();
        }).collect(Collectors.toSet());
    }

    @Produces({MediaType.APPLICATION_JSON})
    @GET
    @Path("/")
    public Response linkedAccounts(@QueryParam("linked") Boolean bool, @QueryParam("search") String str, @QueryParam("first") Integer num, @QueryParam("max") Integer num2) {
        List list;
        this.auth.requireOneOf("manage-account", "view-profile");
        if (bool == null) {
            return Cors.builder().auth().allowedOrigins(this.auth.getToken()).add(Response.ok(getLinkedAccounts(this.session, this.realm, this.user)));
        }
        if (bool.booleanValue()) {
            list = StreamsUtil.paginatedStream(this.session.users().getFederatedIdentitiesStream(this.realm, this.user).map(federatedIdentityModel -> {
                return toLinkedAccount(this.session.identityProviders().getByAlias(federatedIdentityModel.getIdentityProvider()), federatedIdentityModel.getUserName());
            }).filter(linkedAccountRepresentation -> {
                return linkedAccountRepresentation != null && matchesLinkedProvider(linkedAccountRepresentation, str);
            }).sorted(), num, num2).toList();
        } else {
            list = this.session.identityProviders().getAllStream(Map.of(Attributes.ENABLED_KEY, "true", "organizationId", "", "search", str == null ? "" : str, "aliasNotIn", (String) this.session.users().getFederatedIdentitiesStream(this.realm, this.user).map((v0) -> {
                return v0.getIdentityProvider();
            }).collect(Collectors.joining(","))), num, num2).map(identityProviderModel -> {
                return toLinkedAccount(identityProviderModel, null);
            }).toList();
        }
        return Cors.builder().auth().allowedOrigins(this.auth.getToken()).add(Response.ok(list));
    }

    private LinkedAccountRepresentation toLinkedAccount(IdentityProviderModel identityProviderModel, String str) {
        if (identityProviderModel == null || !identityProviderModel.isEnabled()) {
            return null;
        }
        LinkedAccountRepresentation linkedAccountRepresentation = new LinkedAccountRepresentation();
        linkedAccountRepresentation.setConnected(str != null);
        linkedAccountRepresentation.setSocial(this.socialIds.contains(identityProviderModel.getProviderId()));
        linkedAccountRepresentation.setProviderAlias(identityProviderModel.getAlias());
        linkedAccountRepresentation.setDisplayName(KeycloakModelUtils.getIdentityProviderDisplayName(this.session, identityProviderModel));
        linkedAccountRepresentation.setGuiOrder(identityProviderModel.getConfig() != null ? (String) identityProviderModel.getConfig().get("guiOrder") : null);
        linkedAccountRepresentation.setProviderName(identityProviderModel.getAlias());
        linkedAccountRepresentation.setLinkedUsername(str);
        return linkedAccountRepresentation;
    }

    private boolean matchesLinkedProvider(LinkedAccountRepresentation linkedAccountRepresentation, String str) {
        if (str == null) {
            return true;
        }
        if (str.startsWith("\"") && str.endsWith("\"")) {
            String substring = str.substring(1, str.length() - 1);
            return linkedAccountRepresentation.getProviderAlias().equals(substring) || linkedAccountRepresentation.getDisplayName().equals(substring);
        }
        if (str.startsWith("*") && str.endsWith("*")) {
            String substring2 = str.substring(1, str.length() - 1);
            return linkedAccountRepresentation.getProviderAlias().contains(substring2) || linkedAccountRepresentation.getDisplayName().contains(substring2);
        }
        if (!str.endsWith("*")) {
            return linkedAccountRepresentation.getProviderAlias().startsWith(str) || linkedAccountRepresentation.getDisplayName().startsWith(str);
        }
        String substring3 = str.substring(0, str.length() - 1);
        return linkedAccountRepresentation.getProviderAlias().startsWith(substring3) || linkedAccountRepresentation.getDisplayName().startsWith(substring3);
    }

    @Deprecated
    public List<LinkedAccountRepresentation> getLinkedAccounts(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
        return keycloakSession.identityProviders().getAllStream(Map.of(Attributes.ENABLED_KEY, "true"), (Integer) null, (Integer) null).map(identityProviderModel -> {
            return toLinkedAccountRepresentation(identityProviderModel, keycloakSession.users().getFederatedIdentitiesStream(realmModel, userModel));
        }).filter((v0) -> {
            return Objects.nonNull(v0);
        }).sorted().toList();
    }

    @Deprecated
    private LinkedAccountRepresentation toLinkedAccountRepresentation(IdentityProviderModel identityProviderModel, Stream<FederatedIdentityModel> stream) {
        String alias = identityProviderModel.getAlias();
        FederatedIdentityModel identity = getIdentity(stream, alias);
        if (identity == null && identityProviderModel.getOrganizationId() != null) {
            return null;
        }
        String identityProviderDisplayName = KeycloakModelUtils.getIdentityProviderDisplayName(this.session, identityProviderModel);
        String str = identityProviderModel.getConfig() != null ? (String) identityProviderModel.getConfig().get("guiOrder") : null;
        LinkedAccountRepresentation linkedAccountRepresentation = new LinkedAccountRepresentation();
        linkedAccountRepresentation.setConnected(identity != null);
        linkedAccountRepresentation.setSocial(this.socialIds.contains(identityProviderModel.getProviderId()));
        linkedAccountRepresentation.setProviderAlias(alias);
        linkedAccountRepresentation.setDisplayName(identityProviderDisplayName);
        linkedAccountRepresentation.setGuiOrder(str);
        linkedAccountRepresentation.setProviderName(identityProviderModel.getAlias());
        if (identity != null) {
            linkedAccountRepresentation.setLinkedUsername(identity.getUserName());
        }
        return linkedAccountRepresentation;
    }

    @Deprecated
    private FederatedIdentityModel getIdentity(Stream<FederatedIdentityModel> stream, String str) {
        return stream.filter(federatedIdentityModel -> {
            return Objects.equals(federatedIdentityModel.getIdentityProvider(), str);
        }).findFirst().orElse(null);
    }

    @Produces({MediaType.APPLICATION_JSON})
    @Deprecated
    @GET
    @Path("/{providerAlias}")
    public Response buildLinkedAccountURI(@PathParam("providerAlias") String str, @QueryParam("redirectUri") String str2) {
        this.auth.require("manage-account");
        if (str2 == null) {
            ErrorResponse.error(Messages.INVALID_REDIRECT_URI, Response.Status.BAD_REQUEST);
        }
        String checkCommonPreconditions = checkCommonPreconditions(str);
        if (checkCommonPreconditions != null) {
            throw ErrorResponse.error(checkCommonPreconditions, Response.Status.BAD_REQUEST);
        }
        if (this.auth.getSession() == null) {
            throw ErrorResponse.error(Messages.SESSION_NOT_ACTIVE, Response.Status.BAD_REQUEST);
        }
        try {
            String uuid = UUID.randomUUID().toString();
            String encode = Base64Url.encode(MessageDigest.getInstance(SHA256HashProviderFactory.ID).digest((uuid + this.auth.getSession().getId() + "account-console" + str).getBytes(StandardCharsets.UTF_8)));
            URI build = UriBuilder.fromUri(Urls.identityProviderLinkRequest(this.session.getContext().getUri().getBaseUri(), str, this.realm.getName())).queryParam(OIDCLoginProtocol.NONCE_PARAM, new Object[]{uuid}).queryParam("hash", new Object[]{encode}).queryParam("client_id", new Object[]{"account-console"}).queryParam("redirect_uri", new Object[]{str2}).build(new Object[0]);
            AccountLinkUriRepresentation accountLinkUriRepresentation = new AccountLinkUriRepresentation();
            accountLinkUriRepresentation.setAccountLinkUri(build);
            accountLinkUriRepresentation.setHash(encode);
            accountLinkUriRepresentation.setNonce(uuid);
            return Cors.builder().auth().allowedOrigins(this.auth.getToken()).add(Response.ok(accountLinkUriRepresentation));
        } catch (Exception e) {
            e.printStackTrace();
            throw ErrorResponse.error(Messages.FAILED_TO_PROCESS_RESPONSE, Response.Status.INTERNAL_SERVER_ERROR);
        }
    }

    @Produces({MediaType.APPLICATION_JSON})
    @DELETE
    @Path("/{providerAlias}")
    public Response removeLinkedAccount(@PathParam("providerAlias") String str) {
        this.auth.require("manage-account");
        String checkCommonPreconditions = checkCommonPreconditions(str);
        if (checkCommonPreconditions != null) {
            throw ErrorResponse.error(checkCommonPreconditions, Response.Status.BAD_REQUEST);
        }
        FederatedIdentityModel federatedIdentity = this.session.users().getFederatedIdentity(this.realm, this.user, str);
        if (federatedIdentity == null) {
            throw ErrorResponse.error(translateErrorMessage(Messages.FEDERATED_IDENTITY_NOT_ACTIVE), Response.Status.BAD_REQUEST);
        }
        if (Profile.isFeatureEnabled(Profile.Feature.ORGANIZATION)) {
            Stream<R> map = Organizations.resolveHomeBroker(this.session, this.user).stream().map((v0) -> {
                return v0.getAlias();
            });
            Objects.requireNonNull(str);
            if (map.anyMatch((v1) -> {
                return r1.equals(v1);
            })) {
                throw ErrorResponse.error(translateErrorMessage(Messages.FEDERATED_IDENTITY_BOUND_ORGANIZATION), Response.Status.BAD_REQUEST);
            }
        }
        if (this.session.users().getFederatedIdentitiesStream(this.realm, this.user).count() <= 1 && this.user.getFederationLink() == null && !isPasswordSet()) {
            throw ErrorResponse.error(translateErrorMessage(Messages.FEDERATED_IDENTITY_REMOVING_LAST_PROVIDER), Response.Status.BAD_REQUEST);
        }
        this.session.users().removeFederatedIdentity(this.realm, this.user, str);
        logger.debugv("Social provider {0} removed successfully from user {1}", str, this.user.getUsername());
        this.event.event(EventType.REMOVE_FEDERATED_IDENTITY).client(this.auth.getClient()).user(this.auth.getUser()).detail("username", this.auth.getUser().getUsername()).detail("identity_provider", federatedIdentity.getIdentityProvider()).detail("identity_provider_identity", federatedIdentity.getUserName()).success();
        return Cors.builder().auth().allowedOrigins(this.auth.getToken()).add(Response.noContent());
    }

    private String checkCommonPreconditions(String str) {
        this.auth.require("manage-account");
        if (Validation.isEmpty(str)) {
            return Messages.MISSING_IDENTITY_PROVIDER;
        }
        if (!isValidProvider(str)) {
            return Messages.IDENTITY_PROVIDER_NOT_FOUND;
        }
        if (this.user.isEnabled()) {
            return null;
        }
        return Messages.ACCOUNT_DISABLED;
    }

    private String translateErrorMessage(String str) {
        try {
            return this.session.theme().getTheme(Theme.Type.ACCOUNT).getMessages(this.session.getContext().resolveLocale(this.user)).getProperty(str);
        } catch (IOException e) {
            return str;
        }
    }

    private boolean isPasswordSet() {
        return this.user.credentialManager().isConfiguredFor("password");
    }

    private boolean isValidProvider(String str) {
        return this.session.identityProviders().getByAlias(str) != null;
    }
}
