package io.phasetwo.keycloak.magic;

import com.google.common.base.Strings;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.Maps;
import io.phasetwo.keycloak.magic.auth.token.MagicLinkActionToken;
import jakarta.ws.rs.core.UriBuilder;
import java.net.URI;
import java.util.HashMap;
import java.util.List;
import java.util.OptionalInt;
import java.util.function.Consumer;
import java.util.stream.Collectors;
import org.jboss.logging.Logger;
import org.keycloak.Config;
import org.keycloak.authentication.Authenticator;
import org.keycloak.common.util.Time;
import org.keycloak.email.EmailException;
import org.keycloak.email.EmailTemplateProvider;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.AuthenticationFlowModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.KeycloakSessionTask;
import org.keycloak.models.KeycloakUriInfo;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.oidc.utils.RedirectUtils;
import org.keycloak.services.Urls;
import org.keycloak.services.resources.LoginActionsService;
import org.keycloak.services.resources.RealmsResource;
import org.keycloak.sessions.AuthenticationSessionModel;

/* loaded from: input_file:io/phasetwo/keycloak/magic/MagicLink.class */
public class MagicLink {
    private static final Logger log = Logger.getLogger(MagicLink.class);
    public static final String MAGIC_LINK_AUTH_FLOW_ALIAS = "magic link";
    public static final String COOKIE_PROVIDER_ID = "auth-cookie";
    public static final String IDP_REDIRECTOR_PROVIDER_ID = "identity-provider-redirector";
    public static final String MAGIC_LINK_PROVIDER_ID = "ext-magic-form";

    public static Consumer<UserModel> registerEvent(final EventBuilder eventBuilder) {
        return new Consumer<UserModel>() { // from class: io.phasetwo.keycloak.magic.MagicLink.1
            @Override // java.util.function.Consumer
            public void accept(UserModel userModel) {
                eventBuilder.event(EventType.REGISTER).detail("register_method", "magic").detail("username", userModel.getUsername()).detail("email", userModel.getEmail()).user(userModel).success();
            }
        };
    }

    public static UserModel getOrCreate(KeycloakSession keycloakSession, RealmModel realmModel, String str, boolean z, boolean z2, boolean z3) {
        return getOrCreate(keycloakSession, realmModel, str, z, z2, z3, null);
    }

    public static UserModel getOrCreate(KeycloakSession keycloakSession, RealmModel realmModel, String str, boolean z, boolean z2, boolean z3, Consumer<UserModel> consumer) {
        UserModel findUserByNameOrEmail = KeycloakModelUtils.findUserByNameOrEmail(keycloakSession, realmModel, str);
        if (findUserByNameOrEmail == null && z) {
            findUserByNameOrEmail = keycloakSession.users().addUser(realmModel, str);
            findUserByNameOrEmail.setEnabled(true);
            findUserByNameOrEmail.setEmail(str);
            if (consumer != null) {
                consumer.accept(findUserByNameOrEmail);
            }
            if (z3) {
                findUserByNameOrEmail.addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
            }
            if (z2) {
                findUserByNameOrEmail.addRequiredAction(UserModel.RequiredAction.UPDATE_PROFILE);
            }
        }
        return findUserByNameOrEmail;
    }

    public static MagicLinkActionToken createActionToken(UserModel userModel, String str, OptionalInt optionalInt, Boolean bool, AuthenticationSessionModel authenticationSessionModel) {
        return createActionToken(userModel, str, optionalInt, bool, authenticationSessionModel, true);
    }

    public static MagicLinkActionToken createActionToken(UserModel userModel, String str, OptionalInt optionalInt, Boolean bool, AuthenticationSessionModel authenticationSessionModel, Boolean bool2) {
        String redirectUri = authenticationSessionModel.getRedirectUri();
        String clientNote = authenticationSessionModel.getClientNote("scope");
        String clientNote2 = authenticationSessionModel.getClientNote("state");
        String clientNote3 = authenticationSessionModel.getClientNote("nonce");
        log.infof("Attempting MagicLinkAuthenticator for %s, %s, %s", userModel.getEmail(), str, redirectUri);
        log.infof("MagicLinkAuthenticator extra vars %s %s %s %b", new Object[]{clientNote, clientNote2, clientNote3, bool});
        return createActionToken(userModel, str, redirectUri, optionalInt, clientNote, clientNote3, clientNote2, bool, bool2);
    }

    public static MagicLinkActionToken createActionToken(UserModel userModel, String str, String str2, OptionalInt optionalInt, String str3, String str4, String str5, Boolean bool) {
        return createActionToken(userModel, str, str2, optionalInt, str3, str4, str5, bool, true);
    }

    public static MagicLinkActionToken createActionToken(UserModel userModel, String str, String str2, OptionalInt optionalInt, String str3, String str4, String str5, Boolean bool, Boolean bool2) {
        return new MagicLinkActionToken(userModel.getId(), Time.currentTime() + optionalInt.orElse(86400), str, str2, str3, str4, str5, bool, bool2);
    }

    public static MagicLinkActionToken createActionToken(UserModel userModel, String str, String str2, OptionalInt optionalInt) {
        return createActionToken(userModel, str, str2, optionalInt, null, null, null, false, true);
    }

    public static String linkFromActionToken(KeycloakSession keycloakSession, RealmModel realmModel, MagicLinkActionToken magicLinkActionToken) {
        KeycloakUriInfo uri = keycloakSession.getContext().getUri();
        RealmModel realm = keycloakSession.getContext().getRealm();
        log.debugf("realm %s session.context.realm %s", realmModel.getName(), realm.getName());
        if (Config.getAdminRealm().equals(realmModel.getName())) {
            throw new IllegalStateException(String.format("Magic links not allowed for %s realm", Config.getAdminRealm()));
        }
        keycloakSession.getContext().setRealm(realmModel);
        UriBuilder actionTokenBuilder = actionTokenBuilder(uri.getBaseUri(), magicLinkActionToken.serialize(keycloakSession, realmModel, uri), magicLinkActionToken.getIssuedFor());
        keycloakSession.getContext().setRealm(realm);
        return actionTokenBuilder.build(new Object[]{realmModel.getName()}).toString();
    }

    public static boolean validateRedirectUri(KeycloakSession keycloakSession, String str, ClientModel clientModel) {
        String verifyRedirectUri = RedirectUtils.verifyRedirectUri(keycloakSession, str, clientModel);
        log.debugf("Redirect after verify %s -> %s", str, verifyRedirectUri);
        return str.equals(verifyRedirectUri);
    }

    private static UriBuilder actionTokenBuilder(URI uri, String str, String str2) {
        log.debugf("baseUri: %s, tokenString: %s, clientId: %s", uri, str, str2);
        return Urls.realmBase(uri).path(RealmsResource.class, "getLoginActionsService").path(LoginActionsService.class, "executeActionToken").queryParam("key", new Object[]{str}).queryParam("client_id", new Object[]{str2});
    }

    public static boolean sendMagicLinkEmail(KeycloakSession keycloakSession, UserModel userModel, String str) {
        RealmModel realm = keycloakSession.getContext().getRealm();
        try {
            EmailTemplateProvider provider = keycloakSession.getProvider(EmailTemplateProvider.class);
            String realmName = getRealmName(realm);
            ImmutableList of = ImmutableList.of(realmName);
            HashMap newHashMap = Maps.newHashMap();
            newHashMap.put("realmName", realmName);
            newHashMap.put("magicLink", str);
            provider.setRealm(realm).setUser(userModel).setAttribute("realmName", realmName).send("magicLinkSubject", of, "magic-link-email.ftl", newHashMap);
            return true;
        } catch (EmailException e) {
            log.error("Failed to send magic link email", e);
            return false;
        }
    }

    public static boolean sendOtpEmail(KeycloakSession keycloakSession, UserModel userModel, String str) {
        RealmModel realm = keycloakSession.getContext().getRealm();
        try {
            EmailTemplateProvider provider = keycloakSession.getProvider(EmailTemplateProvider.class);
            String realmName = getRealmName(realm);
            ImmutableList of = ImmutableList.of(realmName);
            HashMap newHashMap = Maps.newHashMap();
            newHashMap.put("code", str);
            provider.setRealm(realm).setUser(userModel).setAttribute("realmName", realmName).send("otpSubject", of, "otp-email.ftl", newHashMap);
            return true;
        } catch (EmailException e) {
            log.error("Failed to send otp mail", e);
            return false;
        }
    }

    public static String getRealmName(RealmModel realmModel) {
        return Strings.isNullOrEmpty(realmModel.getDisplayName()) ? realmModel.getName() : realmModel.getDisplayName();
    }

    public static void realmPostCreate(KeycloakSessionFactory keycloakSessionFactory, RealmModel.RealmPostCreateEvent realmPostCreateEvent) {
        setupDefaultFlow(realmPostCreateEvent.getKeycloakSession(), realmPostCreateEvent.getCreatedRealm());
    }

    public static void realmPostCreateInTransaction(KeycloakSessionFactory keycloakSessionFactory, RealmModel.RealmPostCreateEvent realmPostCreateEvent) {
        final String name = realmPostCreateEvent.getCreatedRealm().getName();
        KeycloakModelUtils.runJobInTransaction(keycloakSessionFactory, new KeycloakSessionTask() { // from class: io.phasetwo.keycloak.magic.MagicLink.2
            public void run(KeycloakSession keycloakSession) {
                try {
                    MagicLink.setupDefaultFlow(keycloakSession, keycloakSession.realms().getRealmByName(name));
                } catch (Exception e) {
                    MagicLink.log.warn("Error setting up default magic link flow", e);
                }
            }
        });
    }

    public static void setupDefaultFlow(KeycloakSession keycloakSession, RealmModel realmModel) {
        if (realmModel.getFlowByAlias(MAGIC_LINK_AUTH_FLOW_ALIAS) != null) {
            log.infof("%s flow exists. Skipping.", MAGIC_LINK_AUTH_FLOW_ALIAS);
            return;
        }
        log.infof("creating built-in auth flow for %s", MAGIC_LINK_AUTH_FLOW_ALIAS);
        AuthenticationFlowModel authenticationFlowModel = new AuthenticationFlowModel();
        authenticationFlowModel.setAlias(MAGIC_LINK_AUTH_FLOW_ALIAS);
        authenticationFlowModel.setBuiltIn(true);
        authenticationFlowModel.setProviderId("basic-flow");
        authenticationFlowModel.setDescription("Simple magic link authentication flow.");
        authenticationFlowModel.setTopLevel(true);
        AuthenticationFlowModel addAuthenticationFlow = realmModel.addAuthenticationFlow(authenticationFlowModel);
        addExecutionToFlow(keycloakSession, realmModel, addAuthenticationFlow, COOKIE_PROVIDER_ID, AuthenticationExecutionModel.Requirement.ALTERNATIVE);
        addExecutionToFlow(keycloakSession, realmModel, addAuthenticationFlow, IDP_REDIRECTOR_PROVIDER_ID, AuthenticationExecutionModel.Requirement.ALTERNATIVE);
        AuthenticationFlowModel authenticationFlowModel2 = new AuthenticationFlowModel();
        authenticationFlowModel2.setAlias(String.format("%s %s", MAGIC_LINK_AUTH_FLOW_ALIAS, "forms"));
        authenticationFlowModel2.setProviderId("basic-flow");
        authenticationFlowModel2.setDescription("Forms for simple magic link authentication flow.");
        authenticationFlowModel2.setTopLevel(false);
        AuthenticationFlowModel addAuthenticationFlow2 = realmModel.addAuthenticationFlow(authenticationFlowModel2);
        AuthenticationExecutionModel authenticationExecutionModel = new AuthenticationExecutionModel();
        authenticationExecutionModel.setParentFlow(addAuthenticationFlow.getId());
        authenticationExecutionModel.setFlowId(addAuthenticationFlow2.getId());
        authenticationExecutionModel.setRequirement(AuthenticationExecutionModel.Requirement.ALTERNATIVE);
        authenticationExecutionModel.setAuthenticatorFlow(true);
        authenticationExecutionModel.setPriority(getNextPriority(realmModel, addAuthenticationFlow));
        realmModel.addAuthenticatorExecution(authenticationExecutionModel);
        addExecutionToFlow(keycloakSession, realmModel, addAuthenticationFlow2, "ext-magic-form", AuthenticationExecutionModel.Requirement.REQUIRED);
    }

    private static int getNextPriority(RealmModel realmModel, AuthenticationFlowModel authenticationFlowModel) {
        List list = (List) realmModel.getAuthenticationExecutionsStream(authenticationFlowModel.getId()).collect(Collectors.toList());
        if (list.isEmpty()) {
            return 0;
        }
        return ((AuthenticationExecutionModel) list.get(list.size() - 1)).getPriority() + 1;
    }

    private static void addExecutionToFlow(KeycloakSession keycloakSession, RealmModel realmModel, AuthenticationFlowModel authenticationFlowModel, String str, AuthenticationExecutionModel.Requirement requirement) {
        if (realmModel.getAuthenticationExecutionsStream(authenticationFlowModel.getId()).filter(authenticationExecutionModel -> {
            return str.equals(authenticationExecutionModel.getAuthenticator());
        }).count() > 0) {
            return;
        }
        log.infof("adding execution %s for auth flow for %s", str, authenticationFlowModel.getAlias());
        keycloakSession.getKeycloakSessionFactory().getProviderFactory(Authenticator.class, str);
        AuthenticationExecutionModel authenticationExecutionModel2 = new AuthenticationExecutionModel();
        authenticationExecutionModel2.setParentFlow(authenticationFlowModel.getId());
        authenticationExecutionModel2.setRequirement(requirement);
        authenticationExecutionModel2.setAuthenticatorFlow(false);
        authenticationExecutionModel2.setAuthenticator(str);
        realmModel.addAuthenticatorExecution(authenticationExecutionModel2);
    }
}
