package org.keycloak.authentication.requiredactions;

import java.util.Objects;
import org.jboss.logging.Logger;
import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationProcessor;
import org.keycloak.authentication.InitiatedActionSupport;
import org.keycloak.authentication.RequiredActionContext;
import org.keycloak.authentication.RequiredActionFactory;
import org.keycloak.authentication.RequiredActionProvider;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserManager;
import org.keycloak.models.UserModel;
import org.keycloak.services.ForbiddenException;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.messages.Messages;

/* loaded from: input_file:org/keycloak/authentication/requiredactions/DeleteAccount.class */
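/**
 * Required action that lets the currently authenticated user delete their own account.
 *
 * <p>The action is only offered, and only executed, when the user holds the
 * {@code delete-account} role of the {@code account} client. The role check is
 * performed again in {@link #processAction} so that submitting the form directly
 * cannot bypass the decision made when the challenge page was rendered.
 *
 * <p>Every outcome (success, failure to remove, missing privilege, unexpected error)
 * is recorded through the {@link EventBuilder} of the request.
 */
public class DeleteAccount implements RequiredActionProvider, RequiredActionFactory {
    public static final String PROVIDER_ID = "delete_account";
    private static final String TRIGGERED_FROM_AIA = "triggered_from_aia";
    private static final Logger logger = Logger.getLogger(DeleteAccount.class);

    // Client and role that gate this action; both are resolved per request from the realm.
    private static final String ACCOUNT_CLIENT_ID = "account";
    private static final String DELETE_ACCOUNT_ROLE = "delete-account";
    // Client note carrying the application-initiated action (AIA) id.
    private static final String KC_ACTION_NOTE = "kc_action";
    private static final String CONFIRM_FORM = "delete-account-confirm.ftl";
    private static final String DELETE_ERROR_CODE = "user_delete_error";

    /** {@return the label shown for this action in the admin console} */
    @Override
    public String getDisplayText() {
        return "Delete Account";
    }

    /** Intentionally empty: this action is never enrolled automatically on login. */
    @Override
    public void evaluateTriggers(RequiredActionContext requiredActionContext) {
    }

    /**
     * Renders the confirmation page, or an error page when the user lacks the
     * {@code delete-account} role.
     *
     * @param requiredActionContext the context of the pending required action
     */
    @Override
    public void requiredActionChallenge(RequiredActionContext requiredActionContext) {
        if (!clientHasDeleteAccountRole(requiredActionContext)) {
            requiredActionContext.challenge(requiredActionContext.form()
                    .setError(Messages.DELETE_ACCOUNT_LACK_PRIVILEDGES)
                    .createForm("error.ftl"));
            return;
        }
        requiredActionContext.challenge(requiredActionContext.form()
                .setAttribute(TRIGGERED_FROM_AIA, isCurrentActionTriggeredFromAIA(requiredActionContext))
                .createForm(CONFIRM_FORM));
    }

    /**
     * Handles the confirmation submit: re-checks the role, removes the user and reports
     * the result on the page and in the event log.
     *
     * <p>{@link ForbiddenException} must be caught before the generic {@link Exception}
     * handler; the reverse order is a compile error and would also swallow the
     * privilege failure into the generic error path.
     *
     * @param requiredActionContext the context of the pending required action
     */
    @Override
    public void processAction(RequiredActionContext requiredActionContext) {
        KeycloakSession session = requiredActionContext.getSession();
        EventBuilder event = requiredActionContext.getEvent();
        KeycloakContext context = session.getContext();
        RealmModel realm = context.getRealm();
        UserModel authenticatedUser = context.getAuthenticationSession().getAuthenticatedUser();
        try {
            // The challenge page is not a trust boundary; decide again on submit.
            if (!clientHasDeleteAccountRole(requiredActionContext)) {
                throw new ForbiddenException();
            }
            boolean removed = new UserManager(session).removeUser(realm, authenticatedUser);
            EventBuilder deleteEvent = event.event(EventType.DELETE_ACCOUNT)
                    .client(context.getClient())
                    .user(authenticatedUser)
                    .detail("username", authenticatedUser.getUsername());
            if (removed) {
                deleteEvent.success();
                cleanSession(requiredActionContext, RequiredActionContext.KcActionStatus.SUCCESS);
                requiredActionContext.challenge(requiredActionContext.form()
                        .setAttribute("messageHeader", "")
                        .setInfo("userDeletedSuccessfully")
                        .createForm("info.ftl"));
            } else {
                deleteEvent.error("User could not be deleted");
                cleanSession(requiredActionContext, RequiredActionContext.KcActionStatus.ERROR);
                requiredActionContext.failure();
            }
        } catch (ForbiddenException e) {
            logger.error("account client does not have the required roles for user deletion");
            recordDeletionError(event, context, "does not have the required roles for user deletion");
            requiredActionContext.challenge(requiredActionContext.form()
                    .setAttribute(TRIGGERED_FROM_AIA, isCurrentActionTriggeredFromAIA(requiredActionContext))
                    .setError(Messages.DELETE_ACCOUNT_LACK_PRIVILEDGES)
                    .createForm(CONFIRM_FORM));
        } catch (Exception e) {
            logger.error("unexpected error happened during account deletion", e);
            // The exception message goes to the audit event only, never to the user-facing page.
            recordDeletionError(event, context, e.getMessage());
            requiredActionContext.challenge(requiredActionContext.form()
                    .setError(Messages.DELETE_ACCOUNT_ERROR)
                    .createForm(CONFIRM_FORM));
        }
    }

    /** Records a failed deletion attempt as a {@code DELETE_ACCOUNT_ERROR} event with the given reason. */
    private static void recordDeletionError(EventBuilder event, KeycloakContext context, String reason) {
        event.event(EventType.DELETE_ACCOUNT_ERROR)
                .client(context.getClient())
                .user(context.getAuthenticationSession().getAuthenticatedUser())
                .detail("reason", reason)
                .error(DELETE_ERROR_CODE);
    }

    /**
     * Removes this action from the authentication session and publishes its final status.
     *
     * @param requiredActionContext the context whose authentication session is cleaned
     * @param kcActionStatus        the status reported back for an application-initiated action
     */
    private void cleanSession(RequiredActionContext requiredActionContext, RequiredActionContext.KcActionStatus kcActionStatus) {
        requiredActionContext.getAuthenticationSession().removeRequiredAction(PROVIDER_ID);
        requiredActionContext.getAuthenticationSession().removeAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION);
        AuthenticationManager.setKcActionStatus(PROVIDER_ID, kcActionStatus, requiredActionContext.getAuthenticationSession());
    }

    /**
     * Authorization check for this action: the user must hold the {@code delete-account}
     * role of the realm's {@code account} client. Fails closed when the client or the
     * role does not exist in the realm.
     *
     * @param requiredActionContext the context supplying realm and user
     * @return {@code true} only when the role exists and the user has it
     */
    private boolean clientHasDeleteAccountRole(RequiredActionContext requiredActionContext) {
        ClientModel accountClient = requiredActionContext.getRealm().getClientByClientId(ACCOUNT_CLIENT_ID);
        if (accountClient == null) {
            // A realm without the account client cannot grant the role; deny rather than NPE.
            return false;
        }
        RoleModel deleteRole = accountClient.getRole(DELETE_ACCOUNT_ROLE);
        return deleteRole != null && requiredActionContext.getUser().hasRole(deleteRole);
    }

    /**
     * @return {@code true} when the {@code kc_action} client note names this provider, i.e.
     *         the action was requested by the application rather than assigned to the user
     */
    private boolean isCurrentActionTriggeredFromAIA(RequiredActionContext requiredActionContext) {
        String requestedAction = requiredActionContext.getAuthenticationSession().getClientNote(KC_ACTION_NOTE);
        return Objects.equals(requestedAction, PROVIDER_ID);
    }

    /**
     * The factory is its own (stateless) provider. The decompiled listing carried this
     * method as {@code m135create} ("renamed from: create"); the {@code ProviderFactory}
     * method name is restored here.
     */
    @Override
    public RequiredActionProvider create(KeycloakSession keycloakSession) {
        return this;
    }

    /** No configuration is read. */
    @Override
    public void init(Config.Scope scope) {
    }

    /** Nothing to wire after the session factory is ready. */
    @Override
    public void postInit(KeycloakSessionFactory keycloakSessionFactory) {
    }

    /** No resources are held. */
    @Override
    public void close() {
    }

    @Override
    public String getId() {
        return PROVIDER_ID;
    }

    /** Applications may request this action through {@code kc_action}. */
    @Override
    public InitiatedActionSupport initiatedActionSupport() {
        return InitiatedActionSupport.SUPPORTED;
    }

    /** The action is removed from the user once it has completed. */
    @Override
    public boolean isOneTimeAction() {
        return true;
    }

    /**
     * Maximum accepted age of the authentication for an initiated delete.
     * Returns 0, which presumably forces a fresh authentication before the
     * account can be deleted — confirm against the {@code RequiredActionProvider} contract.
     */
    @Override
    public int getMaxAuthAge() {
        return 0;
    }
}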
