package org.keycloak.services.resources;

import java.io.IOException;
import java.lang.reflect.Method;
import java.net.URI;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.OPTIONS;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import javax.ws.rs.core.Variant;
import org.keycloak.authentication.authenticators.browser.OTPFormAuthenticator;
import org.keycloak.common.util.UriUtils;
import org.keycloak.events.Event;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventStoreProvider;
import org.keycloak.events.EventType;
import org.keycloak.forms.account.AccountPages;
import org.keycloak.forms.account.AccountProvider;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.FederatedIdentityModel;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelDuplicateException;
import org.keycloak.models.ModelException;
import org.keycloak.models.ModelReadOnlyException;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserCredentialValueModel;
import org.keycloak.models.UserFederationProvider;
import org.keycloak.models.UserFederationProviderModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.CredentialValidation;
import org.keycloak.models.utils.FormMessage;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.protocol.oidc.utils.RedirectUtils;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.services.ForbiddenException;
import org.keycloak.services.ServicesLogger;
import org.keycloak.services.Urls;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.Auth;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.ClientSessionCode;
import org.keycloak.services.managers.UserSessionManager;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.util.ResolveRelative;
import org.keycloak.services.validation.Validation;
import org.keycloak.util.JsonSerialization;

/* loaded from: input_file:org/keycloak/services/resources/AccountService.class */
public class AccountService extends AbstractSecuredLocalService {
    private static final ServicesLogger logger = ServicesLogger.ROOT_LOGGER;
    private static Set<String> VALID_PATHS = new HashSet();
    private static final EventType[] LOG_EVENTS;
    private static final Set<String> LOG_DETAILS;
    public static final String ACCOUNT_MGMT_FORWARDED_ERROR_NOTE = "ACCOUNT_MGMT_FORWARDED_ERROR";
    private final AppAuthManager authManager;
    private EventBuilder event;
    private AccountProvider account;
    private EventStoreProvider eventStore;

    /* loaded from: input_file:org/keycloak/services/resources/AccountService$AccountSocialAction.class */
    /** Operation requested on the federated-identity page: link a provider or unlink it. */
    public enum AccountSocialAction {
        ADD,
        REMOVE;

        /**
         * Maps the raw {@code action} request value to a constant, ignoring case.
         *
         * @param str value taken from the request; may be {@code null}
         * @return the matching constant, or {@code null} when the value is not a known action
         */
        public static AccountSocialAction getAction(String str) {
            AccountSocialAction resolved = null;
            if ("add".equalsIgnoreCase(str)) {
                resolved = ADD;
            } else if ("remove".equalsIgnoreCase(str)) {
                resolved = REMOVE;
            }
            return resolved;
        }
    }

    /**
     * Creates the account resource for one realm/client pair.
     *
     * @param realmModel   realm the account pages belong to
     * @param clientModel  client this resource runs as
     * @param eventBuilder builder used to emit audit events for account changes
     */
    public AccountService(RealmModel realmModel, ClientModel clientModel, EventBuilder eventBuilder) {
        super(realmModel, clientModel);
        this.authManager = new AppAuthManager();
        this.event = eventBuilder;
    }

    /**
     * Resolves the caller's identity for this request and configures the account provider.
     *
     * <p>A bearer token is tried first, then the identity cookie. Cookie-authenticated requests
     * additionally get the CSRF state checker and an Origin/Referer same-origin check.
     *
     * @throws ForbiddenException when a cookie-authenticated request carries an Origin header, or
     *     (for non-GET requests) a Referer header, whose origin differs from this server's origin
     */
    public void init() {
        String str;
        this.eventStore = this.session.getProvider(EventStoreProvider.class);
        this.account = this.session.getProvider(AccountProvider.class).setRealm(this.realm).setUriInfo(this.uriInfo).setHttpHeaders(this.headers);
        AuthenticationManager.AuthResult authenticateBearerToken = this.authManager.authenticateBearerToken(this.session, this.realm, this.uriInfo, this.clientConnection, this.headers);
        if (authenticateBearerToken != null) {
            // Bearer-token caller: last Auth argument is false (presumably the "cookie authenticated" flag read below - confirm).
            this.auth = new Auth(this.realm, authenticateBearerToken.getToken(), authenticateBearerToken.getUser(), this.client, authenticateBearerToken.getSession(), false);
        } else {
            authenticateBearerToken = this.authManager.authenticateIdentityCookie(this.session, this.realm);
            if (authenticateBearerToken != null) {
                // Browser caller: only this path sets up the state checker that csrfCheck(...) relies on.
                this.auth = new Auth(this.realm, authenticateBearerToken.getToken(), authenticateBearerToken.getUser(), this.client, authenticateBearerToken.getSession(), true);
                updateCsrfChecks();
                this.account.setStateChecker(this.stateChecker);
            }
        }
        String origin = UriUtils.getOrigin(this.uriInfo.getBaseUri());
        if (this.auth != null && this.auth.isCookieAuthenticated()) {
            // Same-origin check. Both headers are only compared when present: a request that sends
            // neither Origin nor Referer passes here, so state-changing handlers must still call csrfCheck.
            String str2 = (String) this.headers.getRequestHeaders().getFirst(Cors.ORIGIN_HEADER);
            if (str2 != null && !origin.equals(str2)) {
                throw new ForbiddenException();
            }
            // Referer is checked for every method except GET.
            if (!this.request.getHttpMethod().equals("GET") && (str = (String) this.headers.getRequestHeaders().getFirst("Referer")) != null && !origin.equals(UriUtils.getOrigin(str))) {
                throw new ForbiddenException();
            }
        }
        if (authenticateBearerToken != null) {
            UserSessionModel session = authenticateBearerToken.getSession();
            if (session != null) {
                // Reuse the user session's existing client session for this client, if there is one.
                boolean z = false;
                Iterator it = session.getClientSessions().iterator();
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    ClientSessionModel clientSessionModel = (ClientSessionModel) it.next();
                    if (clientSessionModel.getClient().equals(this.client)) {
                        this.auth.setClientSession(clientSessionModel);
                        z = true;
                        break;
                    }
                }
                if (!z) {
                    // None found: create a client session and attach it to the user session.
                    ClientSessionModel createClientSession = this.session.sessions().createClientSession(this.realm, this.client);
                    createClientSession.setUserSession(session);
                    this.auth.setClientSession(createClientSession);
                }
            }
            this.account.setUser(this.auth.getUser());
        }
        // The second flag is true only when an event store provider exists and the realm has events enabled.
        this.account.setFeatures(this.realm.isIdentityFederationEnabled(), this.eventStore != null && this.realm.isEventsEnabled(), true);
    }

    /**
     * Builds the account service base URL template from the request's base URI.
     *
     * @param uriInfo request URI information supplying the base URI
     * @return builder pointing at the {@code getAccountService} sub-resource of {@link RealmsResource}
     */
    public static UriBuilder accountServiceBaseUrl(UriInfo uriInfo) {
        UriBuilder realmsRoot = uriInfo.getBaseUriBuilder().path(RealmsResource.class);
        return realmsRoot.path(RealmsResource.class, "getAccountService");
    }

    /**
     * Builds the URL template of the "applications" account page.
     *
     * @param uriInfo request URI information supplying the base URI
     * @return builder for the path of {@code applicationsPage} under the account service base URL
     */
    public static UriBuilder accountServiceApplicationPage(UriInfo uriInfo) {
        UriBuilder accountBase = accountServiceBaseUrl(uriInfo);
        return accountBase.path(AccountService.class, "applicationsPage");
    }

    /**
     * Appends the account service path to an existing builder.
     *
     * @param uriBuilder builder to extend
     * @return builder pointing at the {@code getAccountService} sub-resource of {@link RealmsResource}
     */
    public static UriBuilder accountServiceBaseUrl(UriBuilder uriBuilder) {
        UriBuilder realmsRoot = uriBuilder.path(RealmsResource.class);
        return realmsRoot.path(RealmsResource.class, "getAccountService");
    }

    /**
     * Returns the {@code @Path} values collected from this class's public methods by the static
     * initializer.
     *
     * <p>The returned set is the shared static instance, not a copy.
     */
    @Override // org.keycloak.services.resources.AbstractSecuredLocalService
    protected Set<String> getValidPaths() {
        return VALID_PATHS;
    }

    /**
     * Renders one account page for the authenticated user, or starts a login when there is none.
     *
     * <p>If the client session carries a forwarded error note, it is parsed as a JSON
     * {@link FormMessage}, shown on the page and then removed from the session.
     *
     * @param str          path passed to {@code login(...)} when the caller is not authenticated
     * @param accountPages page to render
     * @return the rendered page, the login response, or a "no access" error page when the caller
     *     lacks the {@code manage-account} role
     */
    private Response forwardToPage(String str, AccountPages accountPages) {
        if (this.auth == null) {
            return login(str);
        }
        try {
            require("manage-account");
            setReferrerOnPage();
            String forwardedError = this.auth.getClientSession().getNote(ACCOUNT_MGMT_FORWARDED_ERROR_NOTE);
            if (forwardedError == null) {
                return this.account.createResponse(accountPages);
            }
            try {
                FormMessage parsed = (FormMessage) JsonSerialization.readValue(forwardedError, FormMessage.class);
                this.account.setError(parsed.getMessage(), parsed.getParameters());
                // One-shot note: drop it once it has been handed to the page.
                this.auth.getClientSession().removeNote(ACCOUNT_MGMT_FORWARDED_ERROR_NOTE);
            } catch (IOException parseFailure) {
                throw new RuntimeException(parseFailure);
            }
            return this.account.createResponse(accountPages);
        } catch (ForbiddenException denied) {
            // Authenticated but not authorised: show an error page instead of propagating the exception.
            return this.session.getProvider(LoginFormsProvider.class).setError(Messages.NO_ACCESS, new Object[0]).createErrorPage();
        }
    }

    /**
     * Passes the validated referrer (client id and URL) to the account provider, when the request
     * carries one that {@code getReferrer()} accepts.
     */
    protected void setReferrerOnPage() {
        String[] validated = getReferrer();
        if (validated == null) {
            return;
        }
        this.account.setReferrer(validated);
    }

    /**
     * Answers the CORS preflight request for the account root.
     *
     * @return an OK response decorated by {@code Cors} with {@code auth()} and {@code preflight()}
     */
    @Path("/")
    @OPTIONS
    public Response accountPreflight() {
        Response.ResponseBuilder ok = Response.ok();
        return Cors.add(this.request, ok).auth().preflight().build();
    }

    /**
     * Serves the account root either as an HTML page or as a JSON user representation, depending
     * on the request's Accept header.
     *
     * <p>The JSON form requires the {@code manage-account} or {@code view-profile} role and never
     * includes attributes whose name starts with {@code keycloak.}.
     *
     * @return the HTML page, the JSON representation with CORS headers, or 406 when neither media
     *     type is acceptable
     */
    @GET
    @Path("/")
    public Response accountPage() {
        List<MediaType> accepted = this.headers.getAcceptableMediaTypes();
        boolean wantsHtml = accepted.contains(MediaType.WILDCARD_TYPE) || accepted.contains(MediaType.TEXT_HTML_TYPE);
        if (wantsHtml) {
            return forwardToPage(null, AccountPages.ACCOUNT);
        }
        if (accepted.contains(MediaType.APPLICATION_JSON_TYPE)) {
            requireOneOf("manage-account", "view-profile");
            UserRepresentation profile = ModelToRepresentation.toRepresentation(this.auth.getUser());
            if (profile.getAttributes() != null) {
                // Strip internal attributes before the representation leaves the server.
                for (Iterator<?> names = profile.getAttributes().keySet().iterator(); names.hasNext(); ) {
                    if (((String) names.next()).startsWith("keycloak.")) {
                        names.remove();
                    }
                }
            }
            return Cors.add(this.request, Response.ok(profile)).auth().allowedOrigins(this.auth.getToken()).build();
        }
        return Response.notAcceptable(Variant.VariantListBuilder.newInstance().mediaTypes(MediaType.TEXT_HTML_TYPE, MediaType.APPLICATION_JSON_TYPE).build()).build();
    }

    /**
     * Builds the URL template of the TOTP account page.
     *
     * @param uriBuilder base builder
     * @return builder for the path of {@code totpPage} under the account URL
     */
    public static UriBuilder totpUrl(UriBuilder uriBuilder) {
        UriBuilder accountUrl = RealmsResource.accountUrl(uriBuilder);
        return accountUrl.path(AccountService.class, "totpPage");
    }

    /**
     * Shows the TOTP configuration page (or the login when the caller is not authenticated).
     *
     * @return response produced by {@code forwardToPage} for {@code AccountPages.TOTP}
     */
    @GET
    @Path(OTPFormAuthenticator.TOTP_FORM_ACTION)
    public Response totpPage() {
        return forwardToPage(OTPFormAuthenticator.TOTP_FORM_ACTION, AccountPages.TOTP);
    }

    /**
     * Builds the URL template of the password account page.
     *
     * @param uriBuilder base builder
     * @return builder for the path of {@code passwordPage} under the account URL
     */
    public static UriBuilder passwordUrl(UriBuilder uriBuilder) {
        UriBuilder accountUrl = RealmsResource.accountUrl(uriBuilder);
        return accountUrl.path(AccountService.class, "passwordPage");
    }

    /**
     * Shows the change-password page.
     *
     * <p>For an authenticated caller the page is told whether a password already exists, as
     * reported by {@code isPasswordSet}.
     *
     * @return response produced by {@code forwardToPage} for {@code AccountPages.PASSWORD}
     */
    @GET
    @Path("password")
    public Response passwordPage() {
        if (this.auth != null) {
            boolean hasPassword = isPasswordSet(this.session, this.realm, this.auth.getUser());
            this.account.setPasswordSet(hasPassword);
        }
        return forwardToPage("password", AccountPages.PASSWORD);
    }

    /**
     * Shows the federated-identity page (or the login when the caller is not authenticated).
     *
     * @return response produced by {@code forwardToPage} for {@code AccountPages.FEDERATED_IDENTITY}
     */
    @GET
    @Path("identity")
    public Response federatedIdentityPage() {
        return forwardToPage("identity", AccountPages.FEDERATED_IDENTITY);
    }

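    /**
     * Shows the account activity log: up to 30 events of the types in {@code LOG_EVENTS} for the
     * authenticated user.
     *
     * <p>Event details are reduced to the keys listed in {@code LOG_DETAILS} before they reach the
     * page, so other recorded details are not exposed to the user.
     *
     * <p>{@code init()} allows the event store provider to be absent; in that case no events are
     * queried instead of failing with a {@code NullPointerException}.
     *
     * @return response produced by {@code forwardToPage} for {@code AccountPages.LOG}
     */
    @GET
    @Path("log")
    public Response logPage() {
        if (this.auth != null && this.eventStore != null) {
            List<Event> recent = this.eventStore.createQuery().type(LOG_EVENTS).user(this.auth.getUser().getId()).maxResults(30).getResultList();
            for (Event entry : recent) {
                Map<?, ?> details = entry.getDetails();
                if (details == null) {
                    continue;
                }
                // Allow-list filter: drop every detail key that is not explicitly approved for display.
                for (Iterator<?> keys = details.keySet().iterator(); keys.hasNext(); ) {
                    if (!LOG_DETAILS.contains(keys.next())) {
                        keys.remove();
                    }
                }
            }
            this.account.setEvents(recent);
        }
        return forwardToPage("log", AccountPages.LOG);
    }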

    /**
     * Shows the sessions page, listing the authenticated user's sessions in this realm.
     *
     * @return response produced by {@code forwardToPage} for {@code AccountPages.SESSIONS}
     */
    @GET
    @Path("sessions")
    public Response sessionsPage() {
        if (this.auth != null) {
            List<UserSessionModel> ownSessions = this.session.sessions().getUserSessions(this.realm, this.auth.getUser());
            this.account.setSessions(ownSessions);
        }
        return forwardToPage("sessions", AccountPages.SESSIONS);
    }

    /**
     * Shows the applications page (or the login when the caller is not authenticated).
     *
     * @return response produced by {@code forwardToPage} for {@code AccountPages.APPLICATIONS}
     */
    @GET
    @Path("applications")
    public Response applicationsPage() {
        return forwardToPage("applications", AccountPages.APPLICATIONS);
    }

    /**
     * Handles the profile form: updates username (when the realm allows it), first/last name,
     * e-mail and custom attributes of the authenticated user.
     *
     * <p>Requires the {@code manage-account} role and a valid CSRF state checker. Changing the
     * e-mail address resets the "e-mail verified" flag and emits an UPDATE_EMAIL event.
     *
     * @param multivaluedMap submitted form fields
     * @return the account page with a success or error message, or the login response when the
     *     caller is not authenticated
     */
    @POST
    @Path("/")
    @Consumes({org.keycloak.utils.MediaType.APPLICATION_FORM_URLENCODED})
    public Response processAccountUpdate(MultivaluedMap<String, String> multivaluedMap) {
        UserModel userByEmail;
        if (this.auth == null) {
            return login(null);
        }
        require("manage-account");
        // "Cancel" only re-renders the page and changes nothing, so it is handled before the CSRF check.
        String str = (String) multivaluedMap.getFirst("submitAction");
        if (str != null && str.equals("Cancel")) {
            setReferrerOnPage();
            return this.account.createResponse(AccountPages.ACCOUNT);
        }
        csrfCheck(multivaluedMap);
        UserModel user = this.auth.getUser();
        List<FormMessage> validateUpdateProfileForm = Validation.validateUpdateProfileForm(this.realm.isEditUsernameAllowed(), multivaluedMap);
        if (validateUpdateProfileForm != null && !validateUpdateProfileForm.isEmpty()) {
            setReferrerOnPage();
            return this.account.setErrors(validateUpdateProfileForm).setProfileFormData(multivaluedMap).createResponse(AccountPages.ACCOUNT);
        }
        try {
            if (this.realm.isEditUsernameAllowed()) {
                // Reject a username that already belongs to a different user.
                String str2 = (String) multivaluedMap.getFirst("username");
                UserModel userByUsername = this.session.users().getUserByUsername(str2, this.realm);
                if (userByUsername != null && !userByUsername.getId().equals(user.getId())) {
                    throw new ModelDuplicateException(Messages.USERNAME_EXISTS);
                }
                user.setUsername(str2);
            }
            user.setFirstName((String) multivaluedMap.getFirst("firstName"));
            user.setLastName((String) multivaluedMap.getFirst("lastName"));
            String str3 = (String) multivaluedMap.getFirst("email");
            String email = user.getEmail();
            // z is true when the submitted e-mail differs from the stored one (null-safe comparison).
            boolean z = email != null ? !email.equals(str3) : str3 != null;
            // NOTE(review): username and names are already set on the model when this duplicate check throws;
            // whether those writes are rolled back depends on transaction handling outside this method - confirm.
            if (z && (userByEmail = this.session.users().getUserByEmail(str3, this.realm)) != null && !userByEmail.getId().equals(user.getId())) {
                throw new ModelDuplicateException(Messages.EMAIL_EXISTS);
            }
            user.setEmail(str3);
            AttributeFormDataProcessor.process(multivaluedMap, this.realm, user);
            this.event.event(EventType.UPDATE_PROFILE).client(this.auth.getClient()).user(this.auth.getUser()).success();
            if (z) {
                // A changed address has not been proven to belong to the user yet.
                user.setEmailVerified(false);
                this.event.clone().event(EventType.UPDATE_EMAIL).detail("previous_email", email).detail("updated_email", str3).success();
            }
            setReferrerOnPage();
            return this.account.setSuccess(Messages.ACCOUNT_UPDATED, new Object[0]).createResponse(AccountPages.ACCOUNT);
        } catch (ModelReadOnlyException e) {
            setReferrerOnPage();
            return this.account.setError(Messages.READ_ONLY_USER, new Object[0]).setProfileFormData(multivaluedMap).createResponse(AccountPages.ACCOUNT);
        } catch (ModelDuplicateException e2) {
            // The exception message is one of the Messages.* keys thrown above.
            setReferrerOnPage();
            return this.account.setError(e2.getMessage(), new Object[0]).setProfileFormData(multivaluedMap).createResponse(AccountPages.ACCOUNT);
        }
    }

    /**
     * Disables OTP for the authenticated user and records a REMOVE_TOTP event.
     *
     * <p>Requires the {@code manage-account} role and a valid CSRF state checker.
     * NOTE(review): this state change is mapped to GET with the state checker in the query
     * string, where it can end up in access logs, browser history and Referer headers.
     *
     * @param str CSRF state checker from the {@code stateChecker} query parameter
     * @return the TOTP page with a success message, or the login response when not authenticated
     */
    @GET
    @Path("totp-remove")
    public Response processTotpRemove(@QueryParam("stateChecker") String str) {
        if (this.auth == null) {
            return login(OTPFormAuthenticator.TOTP_FORM_ACTION);
        }
        require("manage-account");
        csrfCheck(str);
        UserModel owner = this.auth.getUser();
        owner.setOtpEnabled(false);
        EventBuilder removal = this.event.event(EventType.REMOVE_TOTP).client(this.auth.getClient());
        removal.user(this.auth.getUser()).success();
        setReferrerOnPage();
        return this.account.setSuccess(Messages.SUCCESS_TOTP_REMOVED, new Object[0]).createResponse(AccountPages.TOTP);
    }

    /**
     * Logs out every session of the authenticated user, then redirects to the sessions page.
     *
     * <p>Requires the {@code manage-account} role and a valid CSRF state checker.
     * NOTE(review): this state change is mapped to GET with the state checker in the query
     * string, where it can end up in access logs, browser history and Referer headers.
     *
     * @param str CSRF state checker from the {@code stateChecker} query parameter
     * @return a 303 redirect to the sessions page (keeping the {@code referrer} parameter), or the
     *     login response when not authenticated
     */
    @GET
    @Path("sessions-logout")
    public Response processSessionsLogout(@QueryParam("stateChecker") String str) {
        if (this.auth == null) {
            return login("sessions");
        }
        require("manage-account");
        csrfCheck(str);
        for (UserSessionModel active : this.session.sessions().getUserSessions(this.realm, this.auth.getUser())) {
            AuthenticationManager.backchannelLogout(this.session, this.realm, active, this.uriInfo, this.clientConnection, this.headers, true);
        }
        UriBuilder target = Urls.accountBase(this.uriInfo.getBaseUri()).path(AccountService.class, "sessionsPage");
        String referrer = (String) this.uriInfo.getQueryParameters().getFirst("referrer");
        if (referrer != null) {
            // Carried over as a query parameter only; it is validated when the page is rendered.
            target.queryParam("referrer", referrer);
        }
        URI location = target.build(this.realm.getName());
        return Response.seeOther(location).build();
    }

    /**
     * Revokes the authenticated user's grant for one client: consent, offline token and the
     * user's sessions with that client, then redirects to the applications page.
     *
     * <p>Requires the {@code manage-account} role and a valid CSRF state checker.
     *
     * @param multivaluedMap submitted form fields; {@code clientId} identifies the client
     * @return a 303 redirect to the applications page, the applications page with a
     *     "client not found" error, or the login response when not authenticated
     */
    @POST
    @Path("revoke-grant")
    public Response processRevokeGrant(MultivaluedMap<String, String> multivaluedMap) {
        if (this.auth == null) {
            return login("applications");
        }
        require("manage-account");
        csrfCheck(multivaluedMap);
        String requestedId = (String) multivaluedMap.getFirst("clientId");
        ClientModel target = requestedId == null ? null : this.realm.getClientById(requestedId);
        if (target == null) {
            return this.account.setError(Messages.CLIENT_NOT_FOUND, new Object[0]).createResponse(AccountPages.APPLICATIONS);
        }
        UserModel owner = this.auth.getUser();
        // Remove every form of standing access: consent, offline token, then live sessions.
        this.session.users().revokeConsentForClient(this.realm, owner, target.getId());
        new UserSessionManager(this.session).revokeOfflineToken(owner, target);
        AuthenticationManager.backchannelUserFromClient(this.session, this.realm, owner, target, this.uriInfo, this.headers);
        this.event.event(EventType.REVOKE_GRANT).client(this.auth.getClient()).user(this.auth.getUser()).detail("revoked_client", target.getClientId()).success();
        setReferrerOnPage();
        UriBuilder redirect = Urls.accountBase(this.uriInfo.getBaseUri()).path(AccountService.class, "applicationsPage");
        String referrer = (String) this.uriInfo.getQueryParameters().getFirst("referrer");
        if (referrer != null) {
            redirect.queryParam("referrer", referrer);
        }
        URI location = redirect.build(this.realm.getName());
        return Response.seeOther(location).build();
    }

    /**
     * Enrols an OTP credential for the authenticated user.
     *
     * <p>Requires the {@code manage-account} role and a valid CSRF state checker. The submitted
     * one-time code must validate against the submitted secret before the secret is stored.
     *
     * @param multivaluedMap submitted form fields (one-time code and {@code totpSecret})
     * @return the TOTP page with a success or error message, or the login response when the
     *     caller is not authenticated
     */
    @POST
    @Path(OTPFormAuthenticator.TOTP_FORM_ACTION)
    @Consumes({org.keycloak.utils.MediaType.APPLICATION_FORM_URLENCODED})
    public Response processTotpUpdate(MultivaluedMap<String, String> multivaluedMap) {
        if (this.auth == null) {
            return login(OTPFormAuthenticator.TOTP_FORM_ACTION);
        }
        require("manage-account");
        // "Cancel" only re-renders the page and changes nothing, so it is handled before the CSRF check.
        String str = (String) multivaluedMap.getFirst("submitAction");
        if (str != null && str.equals("Cancel")) {
            setReferrerOnPage();
            return this.account.createResponse(AccountPages.TOTP);
        }
        csrfCheck(multivaluedMap);
        UserModel user = this.auth.getUser();
        // str2 = one-time code typed by the user; str3 = the secret being enrolled.
        // Both come from the submitted form, i.e. the secret is whatever the client sends back.
        String str2 = (String) multivaluedMap.getFirst(OTPFormAuthenticator.TOTP_FORM_ACTION);
        String str3 = (String) multivaluedMap.getFirst("totpSecret");
        if (Validation.isBlank(str2)) {
            setReferrerOnPage();
            return this.account.setError(Messages.MISSING_TOTP, new Object[0]).createResponse(AccountPages.TOTP);
        }
        // Proof of possession: the code must match the secret before anything is stored.
        if (!CredentialValidation.validOTP(this.realm, str2, str3)) {
            setReferrerOnPage();
            return this.account.setError(Messages.INVALID_TOTP, new Object[0]).createResponse(AccountPages.TOTP);
        }
        UserCredentialModel userCredentialModel = new UserCredentialModel();
        userCredentialModel.setType(this.realm.getOTPPolicy().getType());
        userCredentialModel.setValue(str3);
        this.session.users().updateCredential(this.realm, user, userCredentialModel);
        user.setOtpEnabled(true);
        // The code is validated once more against the stored credential and the result is discarded
        // (presumably so the provider records the code/counter as used - confirm).
        UserCredentialModel userCredentialModel2 = new UserCredentialModel();
        userCredentialModel2.setType(this.realm.getOTPPolicy().getType());
        userCredentialModel2.setValue(str2);
        this.session.users().validCredentials(this.session, this.realm, user, new UserCredentialModel[]{userCredentialModel2});
        this.event.event(EventType.UPDATE_TOTP).client(this.auth.getClient()).user(this.auth.getUser()).success();
        setReferrerOnPage();
        return this.account.setSuccess(Messages.SUCCESS_TOTP, new Object[0]).createResponse(AccountPages.TOTP);
    }

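    /**
     * Changes the authenticated user's password.
     *
     * <p>Requires the {@code manage-account} role and a valid CSRF state checker. When a password
     * is already set, the current password must be supplied and must validate. After a successful
     * change every other session of the user is logged out; the current session is kept.
     *
     * <p>The exception handlers are ordered from most to least specific. With the broad
     * {@code Exception} handler listed first, the read-only and model-specific handlers could
     * never run.
     *
     * @param multivaluedMap submitted form fields: {@code password}, {@code password-new},
     *     {@code password-confirm}
     * @return the password page with a success or error message, or the login response when the
     *     caller is not authenticated
     */
    @POST
    @Path("password")
    @Consumes({org.keycloak.utils.MediaType.APPLICATION_FORM_URLENCODED})
    public Response processPasswordUpdate(MultivaluedMap<String, String> multivaluedMap) {
        if (this.auth == null) {
            return login("password");
        }
        require("manage-account");
        csrfCheck(multivaluedMap);
        UserModel user = this.auth.getUser();
        boolean isPasswordSet = isPasswordSet(this.session, this.realm, user);
        this.account.setPasswordSet(isPasswordSet);
        String currentPassword = (String) multivaluedMap.getFirst("password");
        String newPassword = (String) multivaluedMap.getFirst("password-new");
        String confirmation = (String) multivaluedMap.getFirst("password-confirm");
        // Pre-built failure event; each rejection below only adds its error code.
        EventBuilder errorEvent = this.event.clone().event(EventType.UPDATE_PASSWORD_ERROR).client(this.auth.getClient()).user(this.auth.getClientSession().getUserSession().getUser());
        if (isPasswordSet) {
            // Re-authentication: an existing password must be proven before it can be replaced.
            if (Validation.isBlank(currentPassword)) {
                setReferrerOnPage();
                errorEvent.error("password_missing");
                return this.account.setError(Messages.MISSING_PASSWORD, new Object[0]).createResponse(AccountPages.PASSWORD);
            }
            if (!this.session.users().validCredentials(this.session, this.realm, user, new UserCredentialModel[]{UserCredentialModel.password(currentPassword)})) {
                setReferrerOnPage();
                errorEvent.error("invalid_user_credentials");
                return this.account.setError(Messages.INVALID_PASSWORD_EXISTING, new Object[0]).createResponse(AccountPages.PASSWORD);
            }
        }
        if (Validation.isBlank(newPassword)) {
            setReferrerOnPage();
            errorEvent.error("password_missing");
            return this.account.setError(Messages.MISSING_PASSWORD, new Object[0]).createResponse(AccountPages.PASSWORD);
        }
        if (!newPassword.equals(confirmation)) {
            setReferrerOnPage();
            errorEvent.error("password_confirm_error");
            return this.account.setError(Messages.INVALID_PASSWORD_CONFIRM, new Object[0]).createResponse(AccountPages.PASSWORD);
        }
        try {
            this.session.users().updateCredential(this.realm, user, UserCredentialModel.password(newPassword));
            // Invalidate every other session so a previously compromised login does not survive the change.
            for (UserSessionModel userSessionModel : this.session.sessions().getUserSessions(this.realm, user)) {
                if (!userSessionModel.getId().equals(this.auth.getSession().getId())) {
                    AuthenticationManager.backchannelLogout(this.session, this.realm, userSessionModel, this.uriInfo, this.clientConnection, this.headers, true);
                }
            }
            this.event.event(EventType.UPDATE_PASSWORD).client(this.auth.getClient()).user(this.auth.getUser()).success();
            setReferrerOnPage();
            return this.account.setPasswordSet(true).setSuccess(Messages.ACCOUNT_PASSWORD_UPDATED, new Object[0]).createResponse(AccountPages.PASSWORD);
        } catch (ModelReadOnlyException readOnly) {
            setReferrerOnPage();
            errorEvent.error("not_allowed");
            return this.account.setError(Messages.READ_ONLY_PASSWORD, new Object[0]).createResponse(AccountPages.PASSWORD);
        } catch (ModelException rejected) {
            logger.failedToUpdatePassword(rejected);
            setReferrerOnPage();
            errorEvent.detail("reason", rejected.getMessage()).error("password_rejected");
            return this.account.setError(rejected.getMessage(), rejected.getParameters()).createResponse(AccountPages.PASSWORD);
        } catch (Exception unexpected) {
            logger.failedToUpdatePassword(unexpected);
            setReferrerOnPage();
            // NOTE(review): the raw message of an arbitrary exception is stored in the event and rendered
            // on the page; consider a fixed message key here so internal details are not shown to the user.
            errorEvent.detail("reason", unexpected.getMessage()).error("password_rejected");
            return this.account.setError(unexpected.getMessage(), new Object[0]).createResponse(AccountPages.PASSWORD);
        }
    }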

    /**
     * Links an identity provider to, or unlinks it from, the authenticated user.
     *
     * <p>Requires the {@code manage-account} role and a valid CSRF state checker.
     * NOTE(review): this state change is mapped to GET with the state checker in the query
     * string, where it can end up in access logs, browser history and Referer headers.
     *
     * @param str  requested action, resolved through {@code AccountSocialAction.getAction}
     * @param str2 alias of the identity provider
     * @param str3 CSRF state checker
     * @return a redirect to the identity provider (ADD), the federated-identity page with a
     *     success or error message, or the login response when the caller is not authenticated
     */
    @GET
    @Path("federated-identity-update")
    public Response processFederatedIdentityUpdate(@QueryParam("action") String str, @QueryParam("provider_id") String str2, @QueryParam("stateChecker") String str3) {
        if (this.auth == null) {
            return login("identity");
        }
        require("manage-account");
        csrfCheck(str3);
        UserModel user = this.auth.getUser();
        if (Validation.isEmpty(str2)) {
            setReferrerOnPage();
            return this.account.setError(Messages.MISSING_IDENTITY_PROVIDER, new Object[0]).createResponse(AccountPages.FEDERATED_IDENTITY);
        }
        AccountSocialAction action = AccountSocialAction.getAction(str);
        if (action == null) {
            setReferrerOnPage();
            return this.account.setError(Messages.INVALID_FEDERATED_IDENTITY_ACTION, new Object[0]).createResponse(AccountPages.FEDERATED_IDENTITY);
        }
        // The alias must name an identity provider configured for this realm.
        boolean z = false;
        Iterator it = this.realm.getIdentityProviders().iterator();
        while (it.hasNext()) {
            if (((IdentityProviderModel) it.next()).getAlias().equals(str2)) {
                z = true;
            }
        }
        if (!z) {
            setReferrerOnPage();
            return this.account.setError(Messages.IDENTITY_PROVIDER_NOT_FOUND, new Object[0]).createResponse(AccountPages.FEDERATED_IDENTITY);
        }
        if (!user.isEnabled()) {
            setReferrerOnPage();
            return this.account.setError(Messages.ACCOUNT_DISABLED, new Object[0]).createResponse(AccountPages.FEDERATED_IDENTITY);
        }
        switch (action) {
            case ADD:
                // The post-linking redirect target is built from this server's own base URI, not from request input.
                String uri = UriBuilder.fromUri(Urls.accountFederatedIdentityPage(this.uriInfo.getBaseUri(), this.realm.getName())).build(new Object[0]).toString();
                try {
                    ClientSessionModel clientSession = this.auth.getClientSession();
                    ClientSessionCode clientSessionCode = new ClientSessionCode(this.realm, clientSession);
                    clientSessionCode.setAction(ClientSessionModel.Action.AUTHENTICATE.name());
                    clientSession.setRedirectUri(uri);
                    // A fresh random "state" note is stored on the client session for this linking attempt.
                    clientSession.setNote("state", UUID.randomUUID().toString());
                    return Response.temporaryRedirect(Urls.identityProviderAuthnRequest(this.uriInfo.getBaseUri(), str2, this.realm.getName(), clientSessionCode.getCode())).build();
                } catch (Exception e) {
                    // NOTE(review): the cause is dropped without being logged, which makes a failed redirect hard to diagnose.
                    setReferrerOnPage();
                    return this.account.setError(Messages.IDENTITY_PROVIDER_REDIRECT_ERROR, new Object[0]).createResponse(AccountPages.FEDERATED_IDENTITY);
                }
            case REMOVE:
                FederatedIdentityModel federatedIdentity = this.session.users().getFederatedIdentity(user, str2, this.realm);
                if (federatedIdentity == null) {
                    setReferrerOnPage();
                    return this.account.setError(Messages.FEDERATED_IDENTITY_NOT_ACTIVE, new Object[0]).createResponse(AccountPages.FEDERATED_IDENTITY);
                }
                // Lock-out guard: refuse to remove the last link when the user has no federation link and no password.
                if (this.session.users().getFederatedIdentities(user, this.realm).size() <= 1 && user.getFederationLink() == null && !isPasswordSet(this.session, this.realm, user)) {
                    setReferrerOnPage();
                    return this.account.setError(Messages.FEDERATED_IDENTITY_REMOVING_LAST_PROVIDER, new Object[0]).createResponse(AccountPages.FEDERATED_IDENTITY);
                }
                this.session.users().removeFederatedIdentity(this.realm, user, str2);
                logger.debugv("Social provider {0} removed successfully from user {1}", str2, user.getUsername());
                this.event.event(EventType.REMOVE_FEDERATED_IDENTITY).client(this.auth.getClient()).user(this.auth.getUser()).detail("username", this.auth.getUser().getUsername()).detail("identity_provider", federatedIdentity.getIdentityProvider()).detail("identity_provider_identity", federatedIdentity.getUserName()).success();
                setReferrerOnPage();
                return this.account.setSuccess(Messages.IDENTITY_PROVIDER_REMOVED, new Object[0]).createResponse(AccountPages.FEDERATED_IDENTITY);
            default:
                throw new IllegalArgumentException();
        }
    }

    /**
     * Builds the URL template of the account login-redirect endpoint.
     *
     * @param uriBuilder base builder
     * @return builder for the path of {@code loginRedirect} under the account URL
     */
    public static UriBuilder loginRedirectUrl(UriBuilder uriBuilder) {
        UriBuilder accountUrl = RealmsResource.accountUrl(uriBuilder);
        return accountUrl.path(AccountService.class, "loginRedirect");
    }

    /**
     * Returns the account root URI of the current realm, built from the request's base URI.
     *
     * @return account base URI with a trailing path segment {@code /}
     */
    @Override // org.keycloak.services.resources.AbstractSecuredLocalService
    protected URI getBaseRedirectUri() {
        UriBuilder accountRoot = Urls.accountBase(this.uriInfo.getBaseUri()).path("/");
        return accountRoot.build(this.realm.getName());
    }

    /**
     * Tells whether the user can authenticate with a password.
     *
     * <p>That is the case when the user's federation provider lists {@code "password"} among its
     * supported credential types, or when the user has a directly stored credential of type
     * {@code "password"}.
     *
     * @param keycloakSession session used to instantiate the federation provider
     * @param realmModel      realm whose federation providers are searched
     * @param userModel       user to inspect
     * @return {@code true} when either source reports a password
     */
    public static boolean isPasswordSet(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
        boolean viaFederation = false;
        if (userModel.getFederationLink() != null) {
            UserFederationProvider linkedProvider = null;
            for (UserFederationProviderModel candidate : realmModel.getUserFederationProviders()) {
                if (candidate.getId().equals(userModel.getFederationLink())) {
                    linkedProvider = KeycloakModelUtils.getFederationProviderInstance(keycloakSession, candidate);
                }
            }
            viaFederation = linkedProvider != null && linkedProvider.getSupportedCredentialTypes(userModel).contains("password");
        }
        boolean storedLocally = false;
        for (UserCredentialValueModel stored : userModel.getCredentialsDirectly()) {
            if (stored.getType().equals("password")) {
                storedLocally = true;
            }
        }
        return viaFederation || storedLocally;
    }

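    /**
     * Resolves the "back to application" link requested through the {@code referrer} (client id)
     * and {@code referrer_uri} query parameters.
     *
     * <p>A caller-supplied {@code referrer_uri} is only returned after
     * {@code RedirectUtils.verifyRedirectUri} has accepted it for the referrer client. When the
     * referrer client cannot be resolved there is nothing to validate the URI against, so no
     * referrer is returned. Previously that case handed a {@code null} client to the verifier,
     * guarded only by a check on {@code this.client}.
     *
     * @return {@code {clientId, url}}, or {@code null} when no referrer was requested or it could
     *     not be validated
     */
    private String[] getReferrer() {
        String referrer = (String) this.uriInfo.getQueryParameters().getFirst("referrer");
        if (referrer == null) {
            return null;
        }
        String referrerUri = (String) this.uriInfo.getQueryParameters().getFirst("referrer_uri");
        ClientModel referrerClient = this.realm.getClientByClientId(referrer);
        if (referrerClient != null) {
            String resolved;
            if (referrerUri != null) {
                resolved = RedirectUtils.verifyRedirectUri(this.uriInfo, referrerUri, this.realm, referrerClient);
            } else {
                // NOTE(review): the referrer client's base URL is resolved against this.client's root URL,
                // not the referrer client's own root URL - confirm that this is intended.
                resolved = ResolveRelative.resolveRelativeUri(this.uriInfo.getRequestUri(), this.client.getRootUrl(), referrerClient.getBaseUrl());
            }
            return resolved != null ? new String[]{referrer, resolved} : null;
        }
        if (referrerUri == null) {
            return null;
        }
        ClientModel retriedClient = this.realm.getClientByClientId(referrer);
        if (this.client == null || retriedClient == null) {
            // Unknown referrer client: never pass a null client to the redirect-URI verifier.
            return null;
        }
        String verified = RedirectUtils.verifyRedirectUri(this.uriInfo, referrerUri, this.realm, retriedClient);
        return verified != null ? new String[]{referrer, verified} : null;
    }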

    /**
     * Enforces that the caller is authenticated and holds the given role on this client.
     *
     * @param str name of the required client role
     * @throws ForbiddenException when there is no authenticated caller or the role is missing
     */
    public void require(String str) {
        boolean allowed = this.auth != null && this.auth.hasClientRole(this.client, str);
        if (!allowed) {
            throw new ForbiddenException();
        }
    }

    /**
     * Enforces that the caller is authenticated and holds at least one of the given roles on this
     * client.
     *
     * @param strArr names of the acceptable client roles
     * @throws ForbiddenException when there is no authenticated caller or none of the roles is held
     */
    public void requireOneOf(String... strArr) {
        boolean allowed = this.auth != null && this.auth.hasOneOfAppRole(this.client, strArr);
        if (!allowed) {
            throw new ForbiddenException();
        }
    }

    static {
        // Collect the @Path value of every public method; getValidPaths() exposes this set.
        for (Method candidate : AccountService.class.getMethods()) {
            Path declared = candidate.getAnnotation(Path.class);
            if (declared == null) {
                continue;
            }
            VALID_PATHS.add(declared.value());
        }
        // Event types shown on the account log page.
        LOG_EVENTS = new EventType[]{
            EventType.LOGIN,
            EventType.LOGOUT,
            EventType.REGISTER,
            EventType.REMOVE_FEDERATED_IDENTITY,
            EventType.REMOVE_TOTP,
            EventType.SEND_RESET_PASSWORD,
            EventType.SEND_VERIFY_EMAIL,
            EventType.FEDERATED_IDENTITY_LINK,
            EventType.UPDATE_EMAIL,
            EventType.UPDATE_PASSWORD,
            EventType.UPDATE_PROFILE,
            EventType.UPDATE_TOTP,
            EventType.VERIFY_EMAIL
        };
        // Allow-list of event detail keys that logPage() leaves visible to the user.
        Set<String> visibleDetails = new HashSet<String>();
        String[] detailKeys = {"updated_email", "email", "previous_email", "username", "remember_me", "register_method", "auth_method"};
        for (String key : detailKeys) {
            visibleDetails.add(key);
        }
        LOG_DETAILS = visibleDetails;
    }
}
