package org.keycloak.services.resources.admin;

import java.net.URI;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.NotFoundException;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.container.ResourceContext;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.NewCookie;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import javax.ws.rs.ext.Providers;
import org.jboss.resteasy.annotations.cache.NoCache;
import org.jboss.resteasy.logging.Logger;
import org.jboss.resteasy.spi.HttpRequest;
import org.jboss.resteasy.spi.HttpResponse;
import org.jboss.resteasy.spi.NotImplementedYetException;
import org.keycloak.jaxrs.JaxrsOAuthClient;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.crypto.RSAProvider;
import org.keycloak.models.ApplicationModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.managers.AccessCodeEntry;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.RealmManager;
import org.keycloak.services.managers.TokenManager;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.TokenService;
import org.keycloak.services.resources.flows.Flows;
import org.keycloak.services.resources.flows.OAuthFlows;

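/**
 * JAX-RS root resource ({@code /admin}) behind the Keycloak admin console.
 *
 * <p>Every endpoint starts from the "administration realm" resolved through
 * {@link #getAdminstrationRealm(RealmManager)}. Identity is carried in the SaaS
 * identity cookie ({@link #SAAS_IDENTITY_COOKIE}) and checked through
 * {@link AuthenticationManager}; {@link #loginRedirect} is the OAuth callback that
 * turns a signed access code into that cookie, and {@link #getRealmsAdmin} is the
 * gate in front of the realm-administration sub-resource.
 *
 * <p>Instances are per request (the {@code @Context} fields are container-injected);
 * only the logger and the constants are shared between requests.
 */
@Path("/admin")
public class AdminService {
    protected static final Logger logger = Logger.getLogger(AdminService.class);
    public static final String REALM_CREATOR_ROLE = "realm-creator";
    public static final String SAAS_IDENTITY_COOKIE = "KEYCLOAK_SAAS_IDENTITY";

    /** Application in the administration realm that represents the console itself. */
    protected static final String ADMIN_CONSOLE_APP = "admin-console";
    /** Role on {@link #ADMIN_CONSOLE_APP} that an identity must hold to reach the admin API. */
    protected static final String ADMIN_ROLE = "admin";
    /**
     * Value substituted into the {@link TokenService} login/logout URL templates
     * (presumably the administration realm's name -- confirm against TokenService).
     */
    protected static final String ADMIN_REALM_TEMPLATE_VALUE = "keycloak-admin";
    /**
     * Cookie carrying the OAuth {@code state} between {@link #loginPage} and
     * {@link #loginRedirect}; it is expired on every exit path of the redirect.
     */
    protected static final String OAUTH_STATE_COOKIE = "OAuth_Token_Request_State";
    /** Error text shared by all access-code rejections; the specific reason is only logged at debug level. */
    protected static final String INVALID_LOGIN_DATA = "invalid login data";

    @Context
    protected UriInfo uriInfo;

    @Context
    protected HttpRequest request;

    @Context
    protected HttpResponse response;

    @Context
    protected KeycloakSession session;

    @Context
    protected ResourceContext resourceContext;

    @Context
    protected Providers providers;
    /** Path (below {@link #contextRoot}) of the console landing page users are sent to after login. */
    protected String adminPath = "/admin/index.html";
    protected AuthenticationManager authManager = new AuthenticationManager();
    protected TokenManager tokenManager;

    /**
     * JSON payload of {@link #whoAmI}: the caller's user id and display name.
     * {@link #whoAmI} currently fills both fields with the login name.
     */
    public static class WhoAmI {
        protected String userId;
        protected String displayName;

        public WhoAmI() {
        }

        public WhoAmI(String userId, String displayName) {
            this.userId = userId;
            this.displayName = displayName;
        }

        public String getUserId() {
            return this.userId;
        }

        public void setUserId(String userId) {
            this.userId = userId;
        }

        public String getDisplayName() {
            return this.displayName;
        }

        public void setDisplayName(String displayName) {
            this.displayName = displayName;
        }
    }

    /**
     * @param tokenManager manager used to redeem access codes in {@link #loginRedirect}
     *                     and to drive the OAuth flow in {@link #processLogin}
     */
    public AdminService(TokenManager tokenManager) {
        this.tokenManager = tokenManager;
    }

    /**
     * Re-issues the SaaS identity cookie for an authenticated console session.
     *
     * @return 204 with a fresh identity cookie, or 401 when the cookie does not authenticate
     * @throws NotFoundException when there is no administration realm
     */
    @GET
    @Path("keepalive")
    @NoCache
    public Response keepalive(@Context HttpHeaders httpHeaders) {
        logger.debug("keepalive");
        RealmModel adminRealm = requireAdminstrationRealm();
        UserModel user = this.authManager.authenticateSaasIdentityCookie(adminRealm, this.uriInfo, httpHeaders);
        if (user == null) {
            return Response.status(401).build();
        }
        // A freshly created cookie is returned; presumably this is what extends the session -- see AuthenticationManager.
        NewCookie refreshed = this.authManager.createSaasIdentityCookie(adminRealm, user, this.uriInfo);
        return Response.noContent().cookie(refreshed).build();
    }

    /**
     * Reports the identity behind the SaaS identity cookie.
     *
     * @return 200 with a {@link WhoAmI} (login name in both fields), or 401 when the cookie does not authenticate
     * @throws NotFoundException when there is no administration realm
     */
    @GET
    @Path("whoami")
    @NoCache
    @Produces({"application/json"})
    public Response whoAmI(@Context HttpHeaders httpHeaders) {
        RealmModel adminRealm = requireAdminstrationRealm();
        UserModel user = this.authManager.authenticateSaasIdentityCookie(adminRealm, this.uriInfo, httpHeaders);
        if (user == null) {
            return Response.status(401).build();
        }
        String loginName = user.getLoginName();
        return Response.ok(new WhoAmI(loginName, loginName)).build();
    }

    /**
     * Serves a one-line script declaring {@code keycloakCookieLoggedIn}, true only when the
     * administration realm exists and the SaaS identity cookie authenticates.
     */
    @GET
    @Path("isLoggedIn.js")
    @NoCache
    @Produces({"application/javascript"})
    public String isLoggedIn(@Context HttpHeaders httpHeaders) {
        logger.debug("WHOAMI Javascript start.");
        RealmModel adminRealm = getAdminstrationRealm(new RealmManager(this.session));
        if (adminRealm == null) {
            return "var keycloakCookieLoggedIn = false;";
        }
        UserModel user = this.authManager.authenticateSaasIdentityCookie(adminRealm, this.uriInfo, httpHeaders);
        if (user == null) {
            return "var keycloakCookieLoggedIn = false;";
        }
        logger.debug("WHOAMI: " + user.getLoginName());
        return "var keycloakCookieLoggedIn = true;";
    }

    /** Builder for the application context root: the request's base URI with its path replaced by {@code /auth}. */
    public static UriBuilder contextRoot(UriInfo uriInfo) {
        return UriBuilder.fromUri(uriInfo.getBaseUri()).replacePath("/auth");
    }

    /** Builder for the path the SaaS identity cookie is scoped to: {@code <contextRoot>/rest/admin}. */
    public static UriBuilder saasCookiePath(UriInfo uriInfo) {
        return contextRoot(uriInfo).path("rest").path(AdminService.class);
    }

    /**
     * Gate in front of the realm-administration sub-resource.
     *
     * <p>The caller must authenticate through {@link AuthenticationManager#authenticateSaasIdentity}
     * and hold the {@link #ADMIN_ROLE} role of the console application; otherwise a 401 with a
     * {@code Bearer} challenge is raised.
     *
     * @throws NotFoundException      when the administration realm or the console application is missing
     * @throws NotAuthorizedException when the caller is unauthenticated or lacks the admin role
     */
    @Path("realms")
    public RealmsAdminResource getRealmsAdmin(@Context HttpHeaders httpHeaders) {
        RealmModel adminRealm = requireAdminstrationRealm();
        UserModel admin = this.authManager.authenticateSaasIdentity(adminRealm, this.uriInfo, httpHeaders);
        if (admin == null) {
            throw new NotAuthorizedException("Bearer");
        }
        ApplicationModel consoleApp = getAdminConsoleApplication(adminRealm);
        if (consoleApp == null) {
            throw new NotFoundException();
        }
        if (!consoleApp.hasRole(admin, consoleApp.getRole(ADMIN_ROLE))) {
            logger.warn("not a Realm admin");
            throw new NotAuthorizedException("Bearer");
        }
        RealmsAdminResource realmsAdmin = new RealmsAdminResource(admin);
        this.resourceContext.initResource(realmsAdmin);
        return realmsAdmin;
    }

    /**
     * Starts the console login: expires any SaaS identity cookie and redirects the browser to the
     * realm login page with {@link #loginRedirect} as the OAuth redirect URI.
     *
     * @param path console path to return to after login; travels in the OAuth state cookie and is
     *             only ever appended as a URL fragment by {@link #loginRedirect}
     */
    @GET
    @Path("login")
    @NoCache
    public Response loginPage(@QueryParam("path") String path) {
        logger.debug("loginPage ********************** <---");
        // Result intentionally unused here (kept from the original flow); the realm is re-resolved on redirect.
        getAdminstrationRealm(new RealmManager(this.session));
        this.authManager.expireSaasIdentityCookie(this.uriInfo);
        JaxrsOAuthClient oauthClient = new JaxrsOAuthClient();
        String authUrl = TokenService.loginPageUrl(this.uriInfo).build(ADMIN_REALM_TEMPLATE_VALUE).toString();
        logger.debug("authUrl: {0}", authUrl);
        oauthClient.setAuthUrl(authUrl);
        oauthClient.setClientId(ADMIN_CONSOLE_APP);
        URI redirectUri = this.uriInfo.getBaseUriBuilder()
                .path(AdminService.class)
                .path(AdminService.class, "loginRedirect")
                .build();
        logger.debug("redirectUri: {0}", redirectUri.toString());
        // Scope the state cookie to the redirect endpoint so it is not sent to unrelated paths.
        oauthClient.setStateCookiePath(redirectUri.getRawPath());
        return oauthClient.redirect(this.uriInfo, redirectUri.toString(), path);
    }

    /**
     * Renders the error page for a failed console login.
     *
     * @param error message to display; it arrives straight from the query string, so the forms
     *              layer is relied on to escape it when rendering -- NOTE(review): confirm
     */
    @GET
    @Path("login-error")
    @NoCache
    public Response errorOnLoginRedirect(@QueryParam("error") String error) {
        RealmModel adminRealm = getAdminstrationRealm(new RealmManager(this.session));
        return Flows.forms(adminRealm, this.request, this.uriInfo).setError(error).forwardToErrorPage();
    }

    /**
     * Builds a 302 to the realm logout URL whose {@code redirect_uri} brings the browser back to
     * {@link #errorOnLoginRedirect} with {@code error} set to the given message.
     */
    protected Response redirectOnLoginError(String error) {
        String errorPage = this.uriInfo.getBaseUriBuilder()
                .path(AdminService.class)
                .path(AdminService.class, "errorOnLoginRedirect")
                .queryParam(Messages.ERROR, error)
                .build()
                .toString();
        URI logout = TokenService.logoutUrl(this.uriInfo)
                .queryParam("redirect_uri", errorPage)
                .build(ADMIN_REALM_TEMPLATE_VALUE);
        return Response.status(302).location(logout).build();
    }

    /**
     * OAuth redirect endpoint: exchanges a signed access code for a SaaS identity cookie.
     *
     * <p>Order of checks: an {@code error} from the authorization server is reported first; then
     * the administration realm, the console application and its application user must be enabled;
     * {@code code} and {@code state} must be present; the code's signature must verify against the
     * realm public key before it is redeemed; and the redeemed entry must be unexpired, carry an
     * active token, belong to this realm, be issued to the console client and to a user holding
     * {@link #ADMIN_ROLE}. Any failure becomes a {@link #redirectOnLoginError} redirect.
     *
     * <p>The OAuth state cookie is expired on every exit, including exceptions (the compiled form
     * expressed this as catch-all plus rethrow; it is a plain {@code finally} here).
     *
     * @param code  signed access code issued by the login page
     * @param state OAuth state echoed by the login page; its presence is checked here, its value
     *              is matched against the state cookie by {@link JaxrsOAuthClient#checkStateCookie}
     * @param error error reported by the login page, if any
     * @return 302 to the console (with the return path, if any, as URL fragment) and the identity
     *         cookie on success; otherwise a redirect to the error page
     * @throws NotFoundException when the administration realm or the console application is missing
     */
    @GET
    @Path("login-redirect")
    @NoCache
    public Response loginRedirect(@QueryParam("code") String code,
                                  @QueryParam("state") String state,
                                  @QueryParam("error") String error,
                                  @Context HttpHeaders httpHeaders) {
        try {
            logger.info("loginRedirect ********************** <---");
            if (error != null) {
                logger.debug("error from oauth");
                return redirectOnLoginError(error);
            }
            RealmModel adminRealm = getAdminstrationRealm(new RealmManager(this.session));
            if (adminRealm == null) {
                throw new NotFoundException();
            }
            if (!adminRealm.isEnabled()) {
                logger.debug("realm not enabled");
                return redirectOnLoginError("realm not enabled");
            }
            ApplicationModel consoleApp = getAdminConsoleApplication(adminRealm);
            if (consoleApp == null) {
                throw new NotFoundException();
            }
            UserModel consoleUser = consoleApp.getApplicationUser();
            if (!consoleApp.isEnabled() || !consoleUser.isEnabled()) {
                logger.debug("admin app not enabled");
                return redirectOnLoginError("admin app not enabled");
            }
            if (code == null) {
                logger.debug("code not specified");
                return redirectOnLoginError(INVALID_LOGIN_DATA);
            }
            if (state == null) {
                logger.debug("state not specified");
                return redirectOnLoginError(INVALID_LOGIN_DATA);
            }
            // Return path stored by loginPage; the client also validates the state cookie here.
            String returnPath = new JaxrsOAuthClient().checkStateCookie(this.uriInfo, httpHeaders);
            JWSInput signedCode = new JWSInput(code);
            // Verify before redeeming so an unsigned/forged code never reaches the token manager.
            if (!isSignedByRealm(signedCode, adminRealm)) {
                logger.debug("unverified access code");
                return redirectOnLoginError(INVALID_LOGIN_DATA);
            }
            AccessCodeEntry accessCode = this.tokenManager.pullAccessCode(signedCode.readContentAsString());
            String rejection = checkAccessCode(accessCode, adminRealm, consoleApp, consoleUser);
            if (rejection != null) {
                return redirectOnLoginError(rejection);
            }
            logger.debug("loginRedirect SUCCESS");
            NewCookie identity = this.authManager.createSaasIdentityCookie(adminRealm, accessCode.getUser(), this.uriInfo);
            URI target = consoleUri();
            if (returnPath != null) {
                // Fragment-only reference: resolve() keeps the console URL and only appends "#<path>".
                target = target.resolve("#" + UriBuilder.fromPath(returnPath).build().toString());
            }
            return Response.status(302).cookie(identity).location(target).build();
        } finally {
            expireStateCookie();
        }
    }

    /**
     * Verifies the access code's signature with the realm public key.
     * Any exception from the verifier (malformed input, key problems) counts as "not verified"
     * and is logged at debug level rather than surfacing as a server error.
     */
    private static boolean isSignedByRealm(JWSInput signedCode, RealmModel realm) {
        try {
            return RSAProvider.verify(signedCode, realm.getPublicKey());
        } catch (Exception e) {
            logger.debug("Failed to verify signature", e);
            return false;
        }
    }

    /**
     * Applies the post-redemption checks of {@link #loginRedirect}.
     *
     * @return the user-facing error message when the entry must be rejected, or {@code null}
     *         when the code is acceptable; the precise reason is only logged at debug level
     */
    private static String checkAccessCode(AccessCodeEntry accessCode, RealmModel adminRealm,
                                          ApplicationModel consoleApp, UserModel consoleUser) {
        if (accessCode == null) {
            logger.debug("bad access code");
            return INVALID_LOGIN_DATA;
        }
        if (accessCode.isExpired()) {
            logger.debug("access code expired");
            return INVALID_LOGIN_DATA;
        }
        if (!accessCode.getToken().isActive()) {
            logger.debug("access token expired");
            return INVALID_LOGIN_DATA;
        }
        // Bind the code to this realm and to the console client before trusting its user.
        if (!accessCode.getRealm().getId().equals(adminRealm.getId())) {
            logger.debug("bad realm");
            return INVALID_LOGIN_DATA;
        }
        if (!consoleUser.getLoginName().equals(accessCode.getClient().getLoginName())) {
            logger.debug("bad client");
            return INVALID_LOGIN_DATA;
        }
        if (!consoleApp.hasRole(accessCode.getUser(), ADMIN_ROLE)) {
            logger.debug("not allowed");
            return "No permission to access console";
        }
        return null;
    }

    /**
     * Expires both the SaaS identity cookie and the realm identity cookie, then sends the
     * browser to {@link #loginPage}. A missing administration realm is passed through to
     * {@link AuthenticationManager#expireIdentityCookie} unchanged.
     */
    @GET
    @Path("logout")
    @NoCache
    public Response logout() {
        RealmModel adminRealm = getAdminstrationRealm(new RealmManager(this.session));
        this.authManager.expireSaasIdentityCookie(this.uriInfo);
        this.authManager.expireIdentityCookie(adminRealm, this.uriInfo);
        URI loginPage = this.uriInfo.getBaseUriBuilder()
                .path(AdminService.class)
                .path(AdminService.class, "loginPage")
                .build();
        return Response.status(302).location(loginPage).build();
    }

    /** Expires only the SaaS identity cookie; no body and no redirect. */
    @GET
    @Path("logout-cookie")
    @NoCache
    public void logoutCookie() {
        logger.debug("*** logoutCookie");
        this.authManager.expireSaasIdentityCookie(this.uriInfo);
    }

    /**
     * Handles the console's own username/password form.
     *
     * <p>On success the browser is sent to the console with a SaaS identity cookie; a disabled
     * account or an invalid user re-renders the login form with the matching message; a user with
     * required actions is handed to the OAuth flow so those actions run first.
     *
     * @param formData posted form fields; the username is read from {@link AuthenticationManager#FORM_USERNAME}
     * @throws NotFoundException          when the administration realm or the console application is missing
     * @throws NotImplementedYetException when the administration realm is disabled
     */
    @POST
    @Path("login")
    @Consumes({"application/x-www-form-urlencoded"})
    public Response processLogin(MultivaluedMap<String, String> formData) {
        logger.debug("processLogin start");
        RealmModel adminRealm = requireAdminstrationRealm();
        ApplicationModel consoleApp = getAdminConsoleApplication(adminRealm);
        if (consoleApp == null) {
            throw new NotFoundException();
        }
        UserModel consoleUser = consoleApp.getApplicationUser();
        if (!adminRealm.isEnabled()) {
            throw new NotImplementedYetException();
        }
        // May be null for an unknown username; authenticateForm is relied on to turn that into a failure status.
        UserModel user = adminRealm.getUser(formData.getFirst(AuthenticationManager.FORM_USERNAME));
        AuthenticationManager.AuthenticationStatus status = this.authManager.authenticateForm(adminRealm, user, formData);
        OAuthFlows oauth = Flows.oauth(adminRealm, this.request, this.uriInfo, this.authManager, this.tokenManager);
        switch (status) {
            case SUCCESS:
                NewCookie identity = this.authManager.createSaasIdentityCookie(adminRealm, user, this.uriInfo);
                return Response.status(302).cookie(identity).location(consoleUri()).build();
            case ACCOUNT_DISABLED:
                return Flows.forms(adminRealm, this.request, this.uriInfo)
                        .setError(Messages.ACCOUNT_DISABLED)
                        .setFormData(formData)
                        .forwardToLogin();
            case ACTIONS_REQUIRED:
                return oauth.processAccessCode(null, "n", consoleUri().toString(), consoleUser, user);
            default:
                return Flows.forms(adminRealm, this.request, this.uriInfo)
                        .setError(Messages.INVALID_USER)
                        .setFormData(formData)
                        .forwardToLogin();
        }
    }

    /** Resolves the administration realm through the given manager; {@code null} when it does not exist. */
    protected RealmModel getAdminstrationRealm(RealmManager realmManager) {
        return realmManager.getKeycloakAdminstrationRealm();
    }

    /**
     * Resolves the administration realm for this request.
     *
     * @throws NotFoundException when there is no administration realm
     */
    protected RealmModel requireAdminstrationRealm() {
        RealmModel adminRealm = getAdminstrationRealm(new RealmManager(this.session));
        if (adminRealm == null) {
            throw new NotFoundException();
        }
        return adminRealm;
    }

    /** Looks up the console application ({@link #ADMIN_CONSOLE_APP}) in the realm; {@code null} when absent. */
    protected ApplicationModel getAdminConsoleApplication(RealmModel realm) {
        return (ApplicationModel) realm.getApplicationNameMap().get(ADMIN_CONSOLE_APP);
    }

    /** Absolute URI of the console landing page ({@link #adminPath} below {@link #contextRoot}). */
    protected URI consoleUri() {
        return contextRoot(this.uriInfo).path(this.adminPath).build();
    }

    /** Expires the OAuth state cookie for the current request path. */
    protected void expireStateCookie() {
        this.authManager.expireCookie(OAUTH_STATE_COOKIE, this.uriInfo.getAbsolutePath().getPath());
    }
}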
