package org.keycloak.services.util;

import java.util.Objects;
import org.jboss.logging.Logger;
import org.keycloak.events.EventBuilder;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ImpersonationSessionNote;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.UserSessionProvider;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.Urls;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.UserSessionManager;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.utils.OAuth2Error;

/* loaded from: input_file:org/keycloak/services/util/UserSessionUtil.class */
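/**
 * Resolves the {@link UserSessionModel} that an {@link AccessToken} belongs to and verifies that
 * the token was not issued before that session (or the client session inside it) started.
 *
 * <p>Every failure path first records an error code on the supplied {@link EventBuilder} and then
 * throws the exception built by {@link OAuth2Error#invalidToken(String)}, so callers get both an
 * audit event and an OAuth2 "invalid token" response. The detail messages passed to
 * {@code invalidToken} are deliberately generic; the more specific reason only goes to the
 * debug log and the event.
 */
public class UserSessionUtil {
    private static final Logger logger = Logger.getLogger(UserSessionUtil.class);

    /**
     * Convenience overload of
     * {@link #findValidSession(KeycloakSession, RealmModel, AccessToken, EventBuilder, ClientModel, OAuth2Error)}
     * that reports failures through a non-JSON {@link OAuth2Error} bound to {@code realmModel}.
     */
    public static UserSessionModel findValidSession(KeycloakSession keycloakSession, RealmModel realmModel, AccessToken accessToken, EventBuilder eventBuilder, ClientModel clientModel) {
        OAuth2Error error = new OAuth2Error().json(false).realm(realmModel);
        return findValidSession(keycloakSession, realmModel, accessToken, eventBuilder, clientModel, error);
    }

    /**
     * Finds the user session referenced by {@code accessToken.getSessionId()} that has
     * {@code clientModel} attached and is still valid according to
     * {@link AuthenticationManager#isSessionValid(RealmModel, UserSessionModel)}.
     *
     * <p>Lookup order: the online session with the client attached, then an online session whose
     * impersonator-client note names this client (see {@link #getUserSessionWithImpersonatorClient}),
     * then the offline session with the client attached. The first valid candidate is checked with
     * {@link #checkTokenIssuedAt} so that a token minted before the session started is rejected,
     * is attached to the event, and is returned.
     *
     * <p>A token without a session id is treated as a stateless token: no lookup happens and a
     * new transient session is created for it instead.
     *
     * <p>Throws the exception built by {@code oAuth2Error.invalidToken(...)} after recording
     * {@code user_session_not_found} when no candidate session exists at all, or
     * {@code session_expired} when a candidate exists but none is valid.
     *
     * @param oAuth2Error builder for the error response thrown on failure
     * @return the valid session; never {@code null}
     */
    public static UserSessionModel findValidSession(KeycloakSession keycloakSession, RealmModel realmModel, AccessToken accessToken, EventBuilder eventBuilder, ClientModel clientModel, OAuth2Error oAuth2Error) {
        String sessionId = accessToken.getSessionId();
        if (sessionId == null) {
            return createTransientSessionForClient(keycloakSession, realmModel, accessToken, clientModel, eventBuilder);
        }

        String clientId = clientModel.getId();
        UserSessionProvider sessions = keycloakSession.sessions();

        // Online session first; fall back to a session that was created by impersonation through this client.
        UserSessionModel onlineSession = sessions.getUserSessionIfClientExists(realmModel, sessionId, false, clientId);
        if (onlineSession == null) {
            onlineSession = getUserSessionWithImpersonatorClient(keycloakSession, realmModel, sessionId, false, clientId);
        }
        if (AuthenticationManager.isSessionValid(realmModel, onlineSession)) {
            checkTokenIssuedAt(realmModel, accessToken, onlineSession, eventBuilder, clientModel);
            eventBuilder.session(onlineSession);
            return onlineSession;
        }

        // Offline session as the last candidate.
        UserSessionModel offlineSession = sessions.getUserSessionIfClientExists(realmModel, sessionId, true, clientId);
        if (AuthenticationManager.isSessionValid(realmModel, offlineSession)) {
            checkTokenIssuedAt(realmModel, accessToken, offlineSession, eventBuilder, clientModel);
            eventBuilder.session(offlineSession);
            return offlineSession;
        }

        if (onlineSession == null && offlineSession == null) {
            logger.debug("User session not found or doesn't have client attached on it");
            eventBuilder.error("user_session_not_found");
            throw oAuth2Error.invalidToken("User session not found or doesn't have client attached on it");
        }

        // At least one candidate was found but none passed isSessionValid: report it as expired,
        // attaching whichever session exists (online preferred) to the event for auditing.
        eventBuilder.session(Objects.requireNonNullElse(onlineSession, offlineSession));
        logger.debug("Session expired");
        eventBuilder.error("session_expired");
        throw oAuth2Error.invalidToken("Session expired");
    }

    /**
     * Creates a TRANSIENT user session for a stateless token (one without a session id).
     *
     * <p>The user is resolved with {@link TokenManager#lookupUserFromStatelessToken}; if that
     * fails, {@code user_not_found} is recorded on the event and an invalid-token error is thrown.
     * Otherwise a transient user session is created for the caller's remote address with auth
     * method {@code client_auth}, and a root/child authentication session for {@code clientModel}
     * (protocol {@code openid-connect}, issuer note set to this realm's issuer URL, client scopes
     * applied) is attached to it.
     *
     * @return the newly created transient session
     */
    private static UserSessionModel createTransientSessionForClient(KeycloakSession keycloakSession, RealmModel realmModel, AccessToken accessToken, ClientModel clientModel, EventBuilder eventBuilder) {
        OAuth2Error error = new OAuth2Error().json(false).realm(realmModel);
        UserModel user = TokenManager.lookupUserFromStatelessToken(keycloakSession, realmModel, accessToken);
        if (user == null) {
            logger.debug("Transient User not found");
            eventBuilder.error("user_not_found");
            throw error.invalidToken("User not found");
        }

        String remoteAddr = keycloakSession.getContext().getConnection().getRemoteAddr();
        UserSessionModel userSession = new UserSessionManager(keycloakSession).createUserSession(
                KeycloakModelUtils.generateId(), realmModel, user, user.getUsername(), remoteAddr,
                "client_auth", false, null, null, UserSessionModel.SessionPersistenceState.TRANSIENT);

        AuthenticationSessionModel authSession = keycloakSession.authenticationSessions()
                .createRootAuthenticationSession(realmModel)
                .createAuthenticationSession(clientModel);
        authSession.setAuthenticatedUser(userSession.getUser());
        authSession.setProtocol("openid-connect");
        String issuer = Urls.realmIssuer(keycloakSession.getContext().getUri().getBaseUri(), realmModel.getName());
        authSession.setClientNote(OIDCLoginProtocol.ISSUER, issuer);
        AuthenticationManager.setClientScopesInSession(keycloakSession, authSession);
        TokenManager.attachAuthenticationSession(keycloakSession, userSession, authSession);
        return userSession;
    }

    /**
     * Rejects a token that was issued before the user session started, or before the client
     * session for {@code clientModel} inside that user session started. This is what stops a
     * token from an earlier login being replayed against a session that was re-established later.
     *
     * <p>On failure {@code invalid_token} is recorded on the event and the exception built by
     * {@link OAuth2Error#invalidToken(String)} is thrown with the generic detail "Stale token".
     * A missing client session for the client is not an error here; only a present-but-newer
     * client session rejects the token.
     */
    public static void checkTokenIssuedAt(RealmModel realmModel, AccessToken accessToken, UserSessionModel userSessionModel, EventBuilder eventBuilder, ClientModel clientModel) {
        OAuth2Error error = new OAuth2Error().json(false).realm(realmModel);
        if (accessToken.isIssuedBeforeSessionStart(userSessionModel.getStarted())) {
            logger.debug("Stale token for user session");
            eventBuilder.error("invalid_token");
            throw error.invalidToken("Stale token");
        }

        var clientSession = userSessionModel.getAuthenticatedClientSessionByClient(clientModel.getId());
        if (clientSession != null && accessToken.isIssuedBeforeSessionStart(clientSession.getStarted())) {
            logger.debug("Stale token for client session");
            eventBuilder.error("invalid_token");
            throw error.invalidToken("Stale token");
        }
    }

    /**
     * Looks up the session {@code sessionId} (online or offline per {@code offline}) only if its
     * {@link ImpersonationSessionNote#IMPERSONATOR_CLIENT} note equals {@code clientId}, i.e. the
     * session records that client as the impersonating client.
     *
     * @param sessionId id of the user session to look up
     * @param offline   whether to search offline sessions instead of online ones
     * @param clientId  internal client id that must match the impersonator-client note
     * @return the matching session, or {@code null} if none
     */
    public static UserSessionModel getUserSessionWithImpersonatorClient(KeycloakSession keycloakSession, RealmModel realmModel, String sessionId, boolean offline, String clientId) {
        String impersonatorNote = ImpersonationSessionNote.IMPERSONATOR_CLIENT.toString();
        return keycloakSession.sessions().getUserSessionWithPredicate(realmModel, sessionId, offline,
                session -> Objects.equals(clientId, session.getNote(impersonatorNote)));
    }
}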
