package org.keycloak.authentication.actiontoken.execactions;

import java.util.Objects;
import java.util.stream.Stream;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import org.keycloak.TokenVerifier;
import org.keycloak.authentication.RequiredActionProvider;
import org.keycloak.authentication.actiontoken.AbstractActionTokenHander;
import org.keycloak.authentication.actiontoken.ActionTokenContext;
import org.keycloak.authentication.actiontoken.TokenUtils;
import org.keycloak.events.EventType;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.protocol.oidc.utils.RedirectUtils;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.services.Urls;
import org.keycloak.services.clientregistration.ErrorCodes;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.messages.Messages;
import org.keycloak.sessions.AuthenticationSessionCompoundId;
import org.keycloak.sessions.AuthenticationSessionModel;

/* loaded from: input_file:org/keycloak/authentication/actiontoken/execactions/ExecuteActionsActionTokenHandler.class */
/**
 * Action-token handler for {@link ExecuteActionsActionToken}: checks the redirect URI carried in
 * the token, asks the user for confirmation when the authentication session is fresh, and then
 * queues the token's required actions on the authentication session.
 *
 * <p>This listing is decompiler output (note the explicit bridge methods at the end of the
 * class), so local names and statement layout are not the original authors'.
 */
public class ExecuteActionsActionTokenHandler extends AbstractActionTokenHander<ExecuteActionsActionToken> {
    /**
     * Registers the handler for {@link ExecuteActionsActionToken#TOKEN_TYPE}, with
     * {@link Messages#INVALID_CODE}, {@link EventType#EXECUTE_ACTIONS} and the literal
     * {@code "not_allowed"} passed to the superclass constructor.
     */
    public ExecuteActionsActionTokenHandler() {
        super(
                ExecuteActionsActionToken.TOKEN_TYPE,
                ExecuteActionsActionToken.class,
                Messages.INVALID_CODE,
                EventType.EXECUTE_ACTIONS,
                "not_allowed");
    }

    /**
     * Builds the verifier list for this token type: a single redirect-URI check.
     *
     * <p>A token without a redirect URI passes. A token with one passes only when
     * {@link RedirectUtils#verifyRedirectUri} returns non-null for the client of the current
     * authentication session; otherwise the check is reported with
     * {@link ErrorCodes#INVALID_REDIRECT_URI} / {@link Messages#INVALID_REDIRECT_URI}.
     *
     * @param actionTokenContext context supplying the session and the authentication session
     * @return the predicates produced by {@link TokenUtils#predicates}
     */
    @Override // org.keycloak.authentication.actiontoken.ActionTokenHandler
    public TokenVerifier.Predicate<? super ExecuteActionsActionToken>[] getVerifiers(ActionTokenContext<ExecuteActionsActionToken> actionTokenContext) {
        // The session, client and redirect URI are read inside the lambda, i.e. when the predicate
        // runs, not when this method returns.
        // NOTE(review): presumably verifyRedirectUri matches the URI against the client's
        // registered redirect URIs; that logic lives in RedirectUtils and is not visible here.
        return TokenUtils.predicates(
                TokenUtils.checkThat(
                        token -> token.getRedirectUri() == null
                                || RedirectUtils.verifyRedirectUri(
                                        actionTokenContext.getSession(),
                                        token.getRedirectUri(),
                                        actionTokenContext.getAuthenticationSession().getClient()) != null,
                        ErrorCodes.INVALID_REDIRECT_URI,
                        Messages.INVALID_REDIRECT_URI));
    }

    /**
     * Handles a verified execute-actions token.
     *
     * <p>With a fresh authentication session the method does not run any action: it stores the
     * compound authentication session id in the token, re-serializes it, and returns an info page
     * whose {@code actionUri} attribute carries the new token link. Otherwise it records the
     * verified redirect URI (if any), adds every required action from the token to the
     * authentication session, marks the user's email as verified and redirects to the next
     * required action.
     *
     * @param executeActionsActionToken the token being handled
     * @param actionTokenContext context for the current request
     * @return the confirmation info page, or the redirect to the required actions
     */
    public Response handleToken(ExecuteActionsActionToken executeActionsActionToken, ActionTokenContext<ExecuteActionsActionToken> actionTokenContext) {
        AuthenticationSessionModel authSession = actionTokenContext.getAuthenticationSession();
        UriInfo requestUriInfo = actionTokenContext.getUriInfo();
        RealmModel currentRealm = actionTokenContext.getRealm();
        KeycloakSession keycloakSession = actionTokenContext.getSession();

        if (actionTokenContext.isAuthenticationSessionFresh()) {
            // Tie the re-issued token to this authentication session before serializing it.
            executeActionsActionToken.setCompoundAuthenticationSessionId(
                    AuthenticationSessionCompoundId.fromAuthSession(authSession).getEncodedId());

            // The form is prepared first and the token serialized afterwards, in the same order
            // as the single chained expression this was split from.
            LoginFormsProvider confirmationForm = keycloakSession.getProvider(LoginFormsProvider.class)
                    .setAuthenticationSession(authSession)
                    .setSuccess(Messages.CONFIRM_EXECUTION_OF_ACTIONS, new Object[0]);
            String actionUri = Urls.actionTokenBuilder(
                            requestUriInfo.getBaseUri(),
                            executeActionsActionToken.serialize(keycloakSession, currentRealm, requestUriInfo),
                            authSession.getClient().getClientId(),
                            authSession.getTabId())
                    .build(new Object[]{currentRealm.getName()})
                    .toString();
            return confirmationForm
                    .setAttribute("actionUri", actionUri)
                    .setAttribute("requiredActions", executeActionsActionToken.getRequiredActions())
                    .createInfoPage();
        }

        // The redirect URI is verified again here, and only the value returned by
        // verifyRedirectUri is stored, never the raw value from the token. A null result (which
        // includes whatever verifyRedirectUri returns for a token with no redirect URI) leaves
        // the authentication session's redirect settings untouched.
        String verifiedRedirectUri = RedirectUtils.verifyRedirectUri(
                actionTokenContext.getSession(),
                executeActionsActionToken.getRedirectUri(),
                authSession.getClient());
        if (verifiedRedirectUri != null) {
            authSession.setAuthNote(AuthenticationManager.SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS, "true");
            authSession.setRedirectUri(verifiedRedirectUri);
            authSession.setClientNote("redirect_uri", verifiedRedirectUri);
        }

        // The bound method reference performs the same null check on authSession that the
        // decompiler rendered as a bare getClass() call.
        executeActionsActionToken.getRequiredActions().stream().forEach(authSession::addRequiredAction);

        // NOTE(review): the email is marked verified for every token handled here, whatever
        // required actions it lists. This presumably relies on the token having reached the user
        // through their mailbox; confirm that holds for every way these tokens are issued.
        actionTokenContext.getAuthenticationSession().getAuthenticatedUser().setEmailVerified(true);

        return AuthenticationManager.redirectToRequiredActions(
                actionTokenContext.getSession(),
                actionTokenContext.getRealm(),
                authSession,
                actionTokenContext.getUriInfo(),
                AuthenticationManager.nextRequiredAction(
                        actionTokenContext.getSession(),
                        authSession,
                        actionTokenContext.getClientConnection(),
                        actionTokenContext.getRequest(),
                        actionTokenContext.getUriInfo(),
                        actionTokenContext.getEvent()));
    }

    /**
     * Decides whether the token may be used more than once.
     *
     * <p>Each required-action alias in the token is resolved through the realm; aliases that do
     * not resolve, disabled actions, and provider ids with no factory are skipped. The token is
     * reusable when none of the remaining factories reports a one-time action. A token whose
     * actions are all skipped is therefore reported as reusable.
     *
     * @param executeActionsActionToken the token whose required actions are inspected
     * @param actionTokenContext context supplying the realm and the session factory
     * @return {@code true} if no enabled, resolvable required action is one-time
     */
    public boolean canUseTokenRepeatedly(ExecuteActionsActionToken executeActionsActionToken, ActionTokenContext<ExecuteActionsActionToken> actionTokenContext) {
        RealmModel currentRealm = actionTokenContext.getRealm();
        KeycloakSessionFactory sessionFactory = actionTokenContext.getSession().getKeycloakSessionFactory();
        // NOTE(review): isOneTimeAction() is invoked directly on the getProviderFactory result;
        // a cast may have been lost in decompilation. Compare with the upstream source.
        return executeActionsActionToken.getRequiredActions().stream()
                .map(alias -> currentRealm.getRequiredActionProviderByAlias(alias))
                .filter(Objects::nonNull)
                .filter(actionModel -> actionModel.isEnabled())
                .map(actionModel -> actionModel.getProviderId())
                .map(providerId -> sessionFactory.getProviderFactory(RequiredActionProvider.class, providerId))
                .filter(Objects::nonNull)
                .noneMatch(actionFactory -> actionFactory.isOneTimeAction());
    }

    /**
     * Bridge overload, as emitted by the decompiler: casts the arguments and delegates to
     * {@link #canUseTokenRepeatedly(ExecuteActionsActionToken, ActionTokenContext)}.
     */
    @Override // org.keycloak.authentication.actiontoken.AbstractActionTokenHander, org.keycloak.authentication.actiontoken.ActionTokenHandler
    public /* bridge */ /* synthetic */ boolean canUseTokenRepeatedly(JsonWebToken jsonWebToken, ActionTokenContext actionTokenContext) {
        return canUseTokenRepeatedly(
                (ExecuteActionsActionToken) jsonWebToken,
                (ActionTokenContext<ExecuteActionsActionToken>) actionTokenContext);
    }

    /**
     * Bridge overload, as emitted by the decompiler: casts the arguments and delegates to
     * {@link #handleToken(ExecuteActionsActionToken, ActionTokenContext)}.
     */
    @Override // org.keycloak.authentication.actiontoken.ActionTokenHandler
    public /* bridge */ /* synthetic */ Response handleToken(JsonWebToken jsonWebToken, ActionTokenContext actionTokenContext) {
        return handleToken(
                (ExecuteActionsActionToken) jsonWebToken,
                (ActionTokenContext<ExecuteActionsActionToken>) actionTokenContext);
    }
}
