package org.keycloak.protocol.oidc;

import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import org.jboss.logging.Logger;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.common.util.Time;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.LoginProtocol;
import org.keycloak.protocol.RestartLoginCookie;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.protocol.oidc.utils.OIDCRedirectUriBuilder;
import org.keycloak.protocol.oidc.utils.OIDCResponseMode;
import org.keycloak.protocol.oidc.utils.OIDCResponseType;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.services.ServicesLogger;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.ClientSessionCode;
import org.keycloak.services.managers.ResourceAdminManager;
import org.keycloak.util.TokenUtil;

/* loaded from: input_file:org/keycloak/protocol/oidc/OIDCLoginProtocol.class */
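/**
 * OpenID Connect implementation of {@link LoginProtocol}.
 *
 * <p>Builds the three redirects the OIDC front channel needs: the successful authorization
 * response ({@link #authenticated}), the error response ({@link #sendError}) and the
 * post-logout redirect ({@link #finishLogout}); it also decides whether an existing SSO
 * session must be re-authenticated because of {@code prompt=login} or {@code max_age}
 * ({@link #requireReauthentication}).
 *
 * <p>Every redirect target used here (client-session redirect URI, user-session
 * OIDC_LOGOUT_REDIRECT_URI note) is consumed as stored; nothing in this class validates
 * it. NOTE(review): the endpoints that store those notes are not visible in this listing —
 * confirm they check the URI against the client's registered redirect URIs before storing it.
 *
 * <p>This is a decompiled listing: the {@code m18xsetXxx} names are the decompiler's renames of
 * the fluent setters and are kept unchanged so nothing that links against this class breaks.
 */
public class OIDCLoginProtocol implements LoginProtocol {
    public static final String LOGIN_PROTOCOL = "openid-connect";
    public static final String STATE_PARAM = "state";
    public static final String LOGOUT_STATE_PARAM = "OIDC_LOGOUT_STATE_PARAM";
    public static final String SCOPE_PARAM = "scope";
    public static final String CODE_PARAM = "code";
    public static final String RESPONSE_TYPE_PARAM = "response_type";
    public static final String GRANT_TYPE_PARAM = "grant_type";
    public static final String REDIRECT_URI_PARAM = "redirect_uri";
    public static final String CLIENT_ID_PARAM = "client_id";
    public static final String NONCE_PARAM = "nonce";
    public static final String MAX_AGE_PARAM = "max_age";
    public static final String PROMPT_PARAM = "prompt";
    public static final String LOGIN_HINT_PARAM = "login_hint";
    public static final String REQUEST_PARAM = "request";
    public static final String REQUEST_URI_PARAM = "request_uri";
    public static final String UI_LOCALES_PARAM = "ui_locales";
    public static final String CLAIMS_PARAM = "claims";
    public static final String LOGOUT_REDIRECT_URI = "OIDC_LOGOUT_REDIRECT_URI";
    public static final String ISSUER = "iss";
    public static final String RESPONSE_MODE_PARAM = "response_mode";
    public static final String PROMPT_VALUE_NONE = "none";
    public static final String PROMPT_VALUE_LOGIN = "login";
    public static final String PROMPT_VALUE_CONSENT = "consent";
    public static final String PROMPT_VALUE_SELECT_ACCOUNT = "select_account";
    public static final String CLIENT_SECRET_BASIC = "client_secret_basic";
    public static final String CLIENT_SECRET_POST = "client_secret_post";
    public static final String CLIENT_SECRET_JWT = "client_secret_jwt";
    public static final String PRIVATE_KEY_JWT = "private_key_jwt";
    public static final String CODE_CHALLENGE_PARAM = "code_challenge";
    public static final String CODE_CHALLENGE_METHOD_PARAM = "code_challenge_method";
    /** PKCE length bounds (RFC 7636 section 4.1/4.2); enforced elsewhere, only declared here. */
    public static final int PKCE_CODE_CHALLENGE_MIN_LENGTH = 43;
    public static final int PKCE_CODE_CHALLENGE_MAX_LENGTH = 128;
    public static final int PKCE_CODE_VERIFIER_MIN_LENGTH = 43;
    public static final int PKCE_CODE_VERIFIER_MAX_LENGTH = 128;
    public static final String PKCE_METHOD_PLAIN = "plain";
    public static final String PKCE_METHOD_S256 = "S256";
    private static final Logger logger = Logger.getLogger(OIDCLoginProtocol.class);

    // Per-request collaborators; populated either by the full constructor or by the fluent setters.
    protected KeycloakSession session;
    protected RealmModel realm;
    protected UriInfo uriInfo;
    protected HttpHeaders headers;
    protected EventBuilder event;
    // Derived from the client session's response_type / response_mode notes by setupResponseTypeAndMode.
    protected OIDCResponseType responseType;
    protected OIDCResponseMode responseMode;

    /**
     * Fully-initialised instance.
     *
     * @param keycloakSession current Keycloak session
     * @param realmModel      realm the login belongs to
     * @param uriInfo         request URI information (used for the restart cookie and back-channel logout)
     * @param httpHeaders     request headers
     * @param eventBuilder    event sink for response-type / logout audit details
     */
    public OIDCLoginProtocol(KeycloakSession keycloakSession, RealmModel realmModel, UriInfo uriInfo, HttpHeaders httpHeaders, EventBuilder eventBuilder) {
        this.session = keycloakSession;
        this.realm = realmModel;
        this.uriInfo = uriInfo;
        this.headers = httpHeaders;
        this.event = eventBuilder;
    }

    /** No-arg form for the provider factory; the fluent setters below must be called before use. */
    public OIDCLoginProtocol() {
    }

    /**
     * Reads the response_type and response_mode notes recorded on the client session at the
     * authorization request and caches the parsed values on this instance. The response mode
     * (query vs. fragment vs. form_post) is resolved relative to the response type, since the
     * default mode depends on the flow. Both values are also attached to the audit event.
     */
    private void setupResponseTypeAndMode(ClientSessionModel clientSessionModel) {
        String responseTypeNote = clientSessionModel.getNote("response_type");
        String responseModeNote = clientSessionModel.getNote(RESPONSE_MODE_PARAM);
        this.responseType = OIDCResponseType.parse(responseTypeNote);
        this.responseMode = OIDCResponseMode.parse(responseModeNote, this.responseType);
        this.event.detail("response_type", responseTypeNote);
        this.event.detail(RESPONSE_MODE_PARAM, this.responseMode.toString().toLowerCase());
    }

    /* renamed from: setSession, reason: merged with bridge method [inline-methods] */
    public OIDCLoginProtocol m184setSession(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
        return this;
    }

    /* renamed from: setRealm, reason: merged with bridge method [inline-methods] */
    public OIDCLoginProtocol m183setRealm(RealmModel realmModel) {
        this.realm = realmModel;
        return this;
    }

    /* renamed from: setUriInfo, reason: merged with bridge method [inline-methods] */
    public OIDCLoginProtocol m182setUriInfo(UriInfo uriInfo) {
        this.uriInfo = uriInfo;
        return this;
    }

    /* renamed from: setHttpHeaders, reason: merged with bridge method [inline-methods] */
    public OIDCLoginProtocol m181setHttpHeaders(HttpHeaders httpHeaders) {
        this.headers = httpHeaders;
        return this;
    }

    /* renamed from: setEventBuilder, reason: merged with bridge method [inline-methods] */
    public OIDCLoginProtocol m180setEventBuilder(EventBuilder eventBuilder) {
        this.event = eventBuilder;
        return this;
    }

    /**
     * Builds the successful authorization response for the flow recorded on the client session.
     *
     * <p>{@code state} is echoed whenever present. If response_type contains {@code code}, the client
     * session is advanced to CODE_TO_TOKEN and the one-time code is added. For implicit and hybrid
     * flows an access token is issued immediately; an ID token is added when {@code id_token} was
     * requested, carrying at_hash when {@code token} is also present and c_hash when {@code code}
     * is also present. Whether those parameters land in the query string or the fragment is decided
     * by {@code responseMode} inside {@link OIDCRedirectUriBuilder}.
     *
     * <p>The redirect URI is whatever the client session stored and is used without further checks —
     * NOTE(review): it is assumed to have been validated against the client's registered redirect
     * URIs when the client session was created. Only {@code state} is written to the debug log; the
     * code and tokens are not, and should stay that way.
     *
     * @param userSessionModel  the authenticated SSO session
     * @param clientSessionCode client-session handle that also mints the authorization code
     * @return the redirect response carrying code and/or tokens
     */
    public Response authenticated(UserSessionModel userSessionModel, ClientSessionCode clientSessionCode) {
        ClientSessionModel clientSession = clientSessionCode.getClientSession();
        setupResponseTypeAndMode(clientSession);
        OIDCRedirectUriBuilder redirect = OIDCRedirectUriBuilder.fromUri(clientSession.getRedirectUri(), this.responseMode);

        String state = clientSession.getNote("state");
        logger.debugv("redirectAccessCode: state: {0}", state);
        if (state != null) {
            redirect.addParam("state", state);
        }

        if (this.responseType.hasResponseType("code")) {
            clientSessionCode.setAction(ClientSessionModel.Action.CODE_TO_TOKEN.name());
            redirect.addParam("code", clientSessionCode.getCode());
        }

        if (this.responseType.isImplicitOrHybridFlow()) {
            TokenManager.AccessTokenResponseBuilder tokenBuilder = new TokenManager()
                    .responseBuilder(this.realm, clientSession.getClient(), this.event, this.session, userSessionModel, clientSession)
                    .generateAccessToken();
            boolean wantsIdToken = this.responseType.hasResponseType(OIDCResponseType.ID_TOKEN);
            boolean wantsToken = this.responseType.hasResponseType(OIDCResponseType.TOKEN);
            if (wantsIdToken) {
                tokenBuilder.generateIDToken();
                // at_hash / c_hash let the client bind the ID token to the access token / code it received.
                if (wantsToken) {
                    tokenBuilder.generateAccessTokenHash();
                }
                if (this.responseType.hasResponseType("code")) {
                    tokenBuilder.generateCodeHash(clientSessionCode.getCode());
                }
            }
            AccessTokenResponse tokens = tokenBuilder.build();
            if (wantsIdToken) {
                redirect.addParam(OIDCResponseType.ID_TOKEN, tokens.getIdToken());
            }
            if (wantsToken) {
                redirect.addParam("access_token", tokens.getToken());
                redirect.addParam("token_type", tokens.getTokenType());
                redirect.addParam("session_state", tokens.getSessionState());
                redirect.addParam("expires_in", String.valueOf(tokens.getExpiresIn()));
            }
            redirect.addParam("not-before-policy", String.valueOf(tokens.getNotBeforePolicy()));
        }
        return redirect.build();
    }

    /**
     * Sends an OAuth2 error back to the client's redirect URI (with the original {@code state}),
     * then removes the client session and expires the restart-login cookie — presumably so the
     * failed attempt cannot be resumed from the browser. The error value is the generic code from
     * {@link #translateError}; no internal detail is placed in the redirect.
     *
     * @param clientSessionModel the client session being aborted
     * @param error              protocol-neutral error to translate
     * @return redirect response carrying {@code error} (and {@code state})
     */
    public Response sendError(ClientSessionModel clientSessionModel, LoginProtocol.Error error) {
        setupResponseTypeAndMode(clientSessionModel);
        String redirectUri = clientSessionModel.getRedirectUri();
        String state = clientSessionModel.getNote("state");
        OIDCRedirectUriBuilder redirect = OIDCRedirectUriBuilder.fromUri(redirectUri, this.responseMode)
                .addParam("error", translateError(error));
        if (state != null) {
            redirect.addParam("state", state);
        }
        this.session.sessions().removeClientSession(this.realm, clientSessionModel);
        RestartLoginCookie.expireRestartCookie(this.realm, this.session.getContext().getConnection(), this.uriInfo);
        return redirect.build();
    }

    /**
     * Maps a {@link LoginProtocol.Error} to the OAuth2 / OIDC error code put in the redirect.
     * Unknown values are logged via {@link ServicesLogger} (the enum name is not returned to the
     * client) and reported as {@code server_error}. Written as a direct enum switch instead of the
     * decompiler's synthetic {@code $SwitchMap} table; the mapping is unchanged.
     */
    private String translateError(LoginProtocol.Error error) {
        switch (error) {
            case CANCELLED_BY_USER:
            case CONSENT_DENIED:
                return AbstractOAuth2IdentityProvider.ACCESS_DENIED;
            case PASSIVE_INTERACTION_REQUIRED:
                return "interaction_required";
            case PASSIVE_LOGIN_REQUIRED:
                return "login_required";
            default:
                ServicesLogger.LOGGER.untranslatedProtocol(error.name());
                return "server_error";
        }
    }

    /** Back-channel logout of one client session via the admin URL, delegated to {@link ResourceAdminManager}. */
    public void backchannelLogout(UserSessionModel userSessionModel, ClientSessionModel clientSessionModel) {
        new ResourceAdminManager(this.session).logoutClientSession(this.uriInfo.getRequestUri(), this.realm, clientSessionModel.getClient(), clientSessionModel);
    }

    /** Front-channel logout is not supported by this protocol implementation. */
    public Response frontchannelLogout(UserSessionModel userSessionModel, ClientSessionModel clientSessionModel) {
        throw new RuntimeException("NOT IMPLEMENTED");
    }

    /**
     * Completes a logout: records the LOGOUT event and either answers 200 (no post-logout redirect
     * was stored) or 302 to the OIDC_LOGOUT_REDIRECT_URI note, echoing OIDC_LOGOUT_STATE_PARAM as
     * {@code state}. The redirect target is taken from the user session verbatim and is not validated
     * here — NOTE(review): whatever stored the note (the logout endpoint, not visible in this listing)
     * must have checked it against the client's registered redirect URIs, otherwise this is an open
     * redirect.
     *
     * @param userSessionModel the session that has been logged out
     * @return 200 with no body, or a 302 to the post-logout URI
     */
    public Response finishLogout(UserSessionModel userSessionModel) {
        String logoutRedirect = userSessionModel.getNote(LOGOUT_REDIRECT_URI);
        String logoutState = userSessionModel.getNote(LOGOUT_STATE_PARAM);

        this.event.event(EventType.LOGOUT);
        if (logoutRedirect != null) {
            this.event.detail("redirect_uri", logoutRedirect);
        }
        this.event.user(userSessionModel.getUser()).session(userSessionModel).success();

        if (logoutRedirect == null) {
            return Response.ok().build();
        }
        UriBuilder target = UriBuilder.fromUri(logoutRedirect);
        if (logoutState != null) {
            target.queryParam("state", new Object[]{logoutState});
        }
        return Response.status(302).location(target.build(new Object[0])).build();
    }

    /**
     * True when the existing SSO session must not be reused: the client asked for
     * {@code prompt=login}, or its {@code max_age} is older than the session's authentication time.
     */
    public boolean requireReauthentication(UserSessionModel userSessionModel, ClientSessionModel clientSessionModel) {
        return isPromptLogin(clientSessionModel) || isAuthTimeExpired(userSessionModel, clientSessionModel);
    }

    /** Whether the client session's {@code prompt} note contains the {@code login} value. */
    protected boolean isPromptLogin(ClientSessionModel clientSessionModel) {
        return TokenUtil.hasPrompt(clientSessionModel.getNote("prompt"), PROMPT_VALUE_LOGIN);
    }

    /**
     * Whether the user session's authentication time plus the client's requested {@code max_age}
     * lies in the past.
     *
     * <p>A missing AUTH_TIME note counts as time 0, so any realistic max_age then forces
     * re-authentication (fail-safe). The sum is computed in {@code long}: with {@code int} arithmetic a
     * large max_age overflowed, went negative, compared below {@code Time.currentTime()} and forced
     * re-authentication regardless of the real authentication age — the opposite of what a large
     * max_age requests. A negative max_age still forces re-authentication.
     *
     * <p>Both notes are parsed with {@code Integer.parseInt} and a malformed value throws
     * NumberFormatException — NOTE(review): confirm the authorization endpoint validates max_age as
     * an integer before storing the note.
     *
     * @return true when re-authentication is required because of max_age; false when no max_age
     *         was requested or the authentication is still recent enough
     */
    protected boolean isAuthTimeExpired(UserSessionModel userSessionModel, ClientSessionModel clientSessionModel) {
        String authTimeNote = userSessionModel.getNote(AuthenticationManager.AUTH_TIME);
        String maxAgeNote = clientSessionModel.getNote(MAX_AGE_PARAM);
        if (maxAgeNote == null) {
            return false; // no max_age constraint requested
        }
        int authTime = authTimeNote == null ? 0 : Integer.parseInt(authTimeNote);
        int maxAge = Integer.parseInt(maxAgeNote);
        long validUntil = (long) authTime + maxAge; // long: authTime + maxAge must not wrap
        if (validUntil >= Time.currentTime()) {
            return false;
        }
        logger.debugf("Authentication time is expired, needs to reauthenticate. userSession=%s, clientId=%s, maxAge=%d, authTime=%d", new Object[]{userSessionModel.getId(), clientSessionModel.getClient().getId(), Integer.valueOf(maxAge), Integer.valueOf(authTime)});
        return true;
    }

    /** Nothing to release; collaborators are owned by the request. */
    public void close() {
    }
}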
