package org.keycloak.protocol.oidc.grants.ciba.endpoints;

import com.fasterxml.jackson.databind.node.ObjectNode;
import java.util.Collections;
import java.util.Optional;
import java.util.regex.Pattern;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.jboss.resteasy.annotations.cache.NoCache;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.CibaConfig;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.OAuth2DeviceCodeModel;
import org.keycloak.models.OAuth2DeviceTokenStoreProvider;
import org.keycloak.models.OAuth2DeviceUserCodeModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.grants.ciba.CibaGrantType;
import org.keycloak.protocol.oidc.grants.ciba.channel.AuthenticationChannelProvider;
import org.keycloak.protocol.oidc.grants.ciba.channel.CIBAAuthenticationRequest;
import org.keycloak.protocol.oidc.grants.ciba.clientpolicy.context.BackchannelAuthenticationRequestContext;
import org.keycloak.protocol.oidc.grants.ciba.endpoints.request.BackchannelAuthenticationEndpointRequest;
import org.keycloak.protocol.oidc.grants.ciba.endpoints.request.BackchannelAuthenticationEndpointRequestParserProcessor;
import org.keycloak.protocol.oidc.grants.ciba.resolvers.CIBALoginUserResolver;
import org.keycloak.representations.idm.OAuth2ErrorRepresentation;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.util.JsonSerialization;
import org.keycloak.utils.MediaType;

/* loaded from: input_file:org/keycloak/protocol/oidc/grants/ciba/endpoints/BackchannelAuthenticationEndpoint.class */
public class BackchannelAuthenticationEndpoint extends AbstractCibaEndpoint {
    private final RealmModel realm;
    private static final Pattern BINDING_MESSAGE_VALIDATION = Pattern.compile("^[a-zA-Z0-9-._+/!?#]{1,50}$");

    public BackchannelAuthenticationEndpoint(KeycloakSession keycloakSession, EventBuilder eventBuilder) {
        super(keycloakSession, eventBuilder);
        this.realm = keycloakSession.getContext().getRealm();
        eventBuilder.event(EventType.LOGIN);
    }

    @NoCache
    @Consumes({MediaType.APPLICATION_FORM_URLENCODED})
    @POST
    @Produces({MediaType.APPLICATION_JSON})
    public Response processGrantRequest(@Context HttpRequest httpRequest) {
        CIBAAuthenticationRequest authorizeClient = authorizeClient(httpRequest.getDecodedFormParameters());
        try {
            String serialize = authorizeClient.serialize(this.session);
            AuthenticationChannelProvider authenticationChannelProvider = (AuthenticationChannelProvider) this.session.getProvider(AuthenticationChannelProvider.class);
            if (authenticationChannelProvider == null) {
                throw new RuntimeException("Authentication Channel Provider not found.");
            }
            CIBALoginUserResolver cIBALoginUserResolver = (CIBALoginUserResolver) this.session.getProvider(CIBALoginUserResolver.class);
            if (cIBALoginUserResolver == null) {
                throw new RuntimeException("CIBA Login User Resolver not setup properly.");
            }
            if (!authenticationChannelProvider.requestAuthentication(authorizeClient, cIBALoginUserResolver.getInfoUsedByAuthentication(authorizeClient.getUser()))) {
                throw new ErrorResponseException("server_error", "Unexpected response from authentication device", Response.Status.SERVICE_UNAVAILABLE);
            }
            CibaConfig cibaPolicy = this.realm.getCibaPolicy();
            int poolingInterval = cibaPolicy.getPoolingInterval();
            storeAuthenticationRequest(authorizeClient, cibaPolicy, serialize);
            ObjectNode createObjectNode = JsonSerialization.createObjectNode();
            createObjectNode.put(CibaGrantType.AUTH_REQ_ID, serialize).put("expires_in", cibaPolicy.getExpiresIn());
            if (poolingInterval > 0) {
                createObjectNode.put("interval", poolingInterval);
            }
            return Response.ok(JsonSerialization.writeValueAsBytes(createObjectNode)).build();
        } catch (Exception e) {
            throw new ErrorResponseException("server_error", "Failed to send authentication request", Response.Status.SERVICE_UNAVAILABLE);
        }
    }

    private void storeAuthenticationRequest(CIBAAuthenticationRequest cIBAAuthenticationRequest, CibaConfig cibaConfig, String str) {
        ClientModel client = cIBAAuthenticationRequest.getClient();
        int expiresIn = cibaConfig.getExpiresIn();
        int poolingInterval = cibaConfig.getPoolingInterval();
        if (!"ping".equals(cibaConfig.getBackchannelTokenDeliveryMode(client))) {
            str = null;
        }
        OAuth2DeviceCodeModel create = OAuth2DeviceCodeModel.create(this.realm, client, cIBAAuthenticationRequest.getId(), cIBAAuthenticationRequest.getScope(), (String) null, expiresIn, poolingInterval, cIBAAuthenticationRequest.getClientNotificationToken(), str, Collections.emptyMap(), (String) null, (String) null);
        this.session.getProvider(OAuth2DeviceTokenStoreProvider.class).put(create, new OAuth2DeviceUserCodeModel(this.realm, create.getDeviceCode(), cIBAAuthenticationRequest.getAuthResultId()), expiresIn + poolingInterval + 10);
    }

    private CIBAAuthenticationRequest authorizeClient(MultivaluedMap<String, String> multivaluedMap) {
        try {
            ClientModel authenticateClient = authenticateClient();
            BackchannelAuthenticationEndpointRequest parseRequest = BackchannelAuthenticationEndpointRequestParserProcessor.parseRequest(this.event, this.session, authenticateClient, multivaluedMap, this.realm.getCibaPolicy());
            CIBAAuthenticationRequest cIBAAuthenticationRequest = new CIBAAuthenticationRequest(this.session, resolveUser(parseRequest, this.realm.getCibaPolicy().getAuthRequestedUserHint()), authenticateClient);
            cIBAAuthenticationRequest.setClient(authenticateClient);
            String scope = parseRequest.getScope();
            if (scope == null) {
                throw new ErrorResponseException("invalid_request", "missing parameter : scope", Response.Status.BAD_REQUEST);
            }
            cIBAAuthenticationRequest.setScope(scope);
            if (parseRequest.getBindingMessage() != null) {
                validateBindingMessage(parseRequest.getBindingMessage());
                cIBAAuthenticationRequest.setBindingMessage(parseRequest.getBindingMessage());
            }
            if (parseRequest.getAcr() != null) {
                cIBAAuthenticationRequest.setAcrValues(parseRequest.getAcr());
            }
            CibaConfig cibaPolicy = this.realm.getCibaPolicy();
            cIBAAuthenticationRequest.exp(Long.valueOf(cIBAAuthenticationRequest.getIat().longValue() + ((Integer) Optional.ofNullable(parseRequest.getRequestedExpiry()).orElse(Integer.valueOf(cibaPolicy.getExpiresIn()))).longValue()));
            StringBuilder sb = new StringBuilder((String) Optional.ofNullable(cIBAAuthenticationRequest.getScope()).orElse(""));
            authenticateClient.getClientScopes(true).forEach((str, clientScopeModel) -> {
                if (clientScopeModel.isDisplayOnConsentScreen()) {
                    sb.append(" ").append(clientScopeModel.getName());
                }
            });
            cIBAAuthenticationRequest.setScope(sb.toString());
            if (parseRequest.getClientNotificationToken() != null) {
                if (!cibaPolicy.getBackchannelTokenDeliveryMode(authenticateClient).equals("ping")) {
                    throw new ErrorResponseException("invalid_request", "Client Notification token supported only for the ping mode", Response.Status.BAD_REQUEST);
                }
                if (parseRequest.getClientNotificationToken().length() > 1024) {
                    throw new ErrorResponseException("invalid_request", "Client Notification token length is limited to 1024 characters", Response.Status.BAD_REQUEST);
                }
                cIBAAuthenticationRequest.setClientNotificationToken(parseRequest.getClientNotificationToken());
            }
            if (parseRequest.getClientNotificationToken() == null && cibaPolicy.getBackchannelTokenDeliveryMode(authenticateClient).equals("ping")) {
                throw new ErrorResponseException("invalid_request", "Client Notification token needs to be provided with the ping mode", Response.Status.BAD_REQUEST);
            }
            if (parseRequest.getUserCode() != null) {
                throw new ErrorResponseException("invalid_request", "User code not supported", Response.Status.BAD_REQUEST);
            }
            extractAdditionalParams(parseRequest, cIBAAuthenticationRequest);
            try {
                this.session.clientPolicy().triggerOnEvent(new BackchannelAuthenticationRequestContext(parseRequest, cIBAAuthenticationRequest, multivaluedMap));
                return cIBAAuthenticationRequest;
            } catch (ClientPolicyException e) {
                throw new ErrorResponseException(e.getError(), e.getErrorDetail(), Response.Status.BAD_REQUEST);
            }
        } catch (WebApplicationException e2) {
            OAuth2ErrorRepresentation oAuth2ErrorRepresentation = (OAuth2ErrorRepresentation) e2.getResponse().getEntity();
            throw new ErrorResponseException(oAuth2ErrorRepresentation.getError(), oAuth2ErrorRepresentation.getErrorDescription(), Response.Status.UNAUTHORIZED);
        }
    }

    protected void extractAdditionalParams(BackchannelAuthenticationEndpointRequest backchannelAuthenticationEndpointRequest, CIBAAuthenticationRequest cIBAAuthenticationRequest) {
        for (String str : backchannelAuthenticationEndpointRequest.getAdditionalReqParams().keySet()) {
            cIBAAuthenticationRequest.setOtherClaims(str, backchannelAuthenticationEndpointRequest.getAdditionalReqParams().get(str));
        }
    }

    protected void validateBindingMessage(String str) {
        if (!BINDING_MESSAGE_VALIDATION.matcher(str).matches()) {
            throw new ErrorResponseException("invalid_binding_message", "the binding_message value has to be max 50 characters in length and must contain only basic plain-text characters without spaces", Response.Status.BAD_REQUEST);
        }
    }

    private UserModel resolveUser(BackchannelAuthenticationEndpointRequest backchannelAuthenticationEndpointRequest, String str) {
        UserModel userFromLoginHintToken;
        CIBALoginUserResolver cIBALoginUserResolver = (CIBALoginUserResolver) this.session.getProvider(CIBALoginUserResolver.class);
        if (cIBALoginUserResolver == null) {
            throw new RuntimeException("CIBA Login User Resolver not setup properly.");
        }
        if (str.equals("login_hint")) {
            String loginHint = backchannelAuthenticationEndpointRequest.getLoginHint();
            if (loginHint == null) {
                throw new ErrorResponseException("invalid_request", "missing parameter : login_hint", Response.Status.BAD_REQUEST);
            }
            userFromLoginHintToken = cIBALoginUserResolver.getUserFromLoginHint(loginHint);
        } else if (str.equals(OIDCLoginProtocol.ID_TOKEN_HINT)) {
            String idTokenHint = backchannelAuthenticationEndpointRequest.getIdTokenHint();
            if (idTokenHint == null) {
                throw new ErrorResponseException("invalid_request", "missing parameter : id_token_hint", Response.Status.BAD_REQUEST);
            }
            userFromLoginHintToken = cIBALoginUserResolver.getUserFromIdTokenHint(idTokenHint);
        } else {
            if (!str.equals(CibaGrantType.LOGIN_HINT_TOKEN)) {
                throw new ErrorResponseException("invalid_request", "invalid user hint", Response.Status.BAD_REQUEST);
            }
            String loginHintToken = backchannelAuthenticationEndpointRequest.getLoginHintToken();
            if (loginHintToken == null) {
                throw new ErrorResponseException("invalid_request", "missing parameter : login_hint_token", Response.Status.BAD_REQUEST);
            }
            userFromLoginHintToken = cIBALoginUserResolver.getUserFromLoginHintToken(loginHintToken);
        }
        if (userFromLoginHintToken == null || !userFromLoginHintToken.isEnabled()) {
            throw new ErrorResponseException("invalid_request", "invalid user", Response.Status.BAD_REQUEST);
        }
        return userFromLoginHintToken;
    }
}
