package io.phasetwo.service.auth;

import io.phasetwo.service.Orgs;
import io.phasetwo.service.model.OrganizationModel;
import io.phasetwo.service.model.OrganizationProvider;
import jakarta.ws.rs.core.Response;
import java.util.Collections;
import java.util.List;
import org.jboss.logging.Logger;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/* loaded from: input_file:io/phasetwo/service/auth/ActiveOrganizationAuthenticator.class */
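/**
 * Keycloak {@link Authenticator} that records which organization a user is acting in for this
 * login by writing the {@link Orgs#ACTIVE_ORGANIZATION} user attribute.
 *
 * <p>Three paths lead to a decision in {@link #authenticate}:
 * <ul>
 *   <li>an {@code account_hint} (browser client note or direct-grant query parameter) names the
 *       organization to activate;</li>
 *   <li>a {@code prompt} containing the {@code select_account} value triggers a selection form when
 *       the user belongs to more than one organization (the form posts back to {@link #action});</li>
 *   <li>otherwise the authenticator succeeds without touching the user.</li>
 * </ul>
 *
 * <p>Both the hint and the {@code organizationId} form field are caller-controlled. Every path that
 * writes the active-organization attribute first passes {@link #hasMembership}; that check is the
 * only thing preventing a user from activating an organization they do not belong to, so it must
 * stay in front of every write.
 */
public class ActiveOrganizationAuthenticator implements Authenticator {
    private static final Logger log = Logger.getLogger(ActiveOrganizationAuthenticator.class);
    /** Client note Keycloak stores for the {@code account_hint} request parameter on browser flows. */
    private static final String BROWSER_ACCOUNT_HINT_PARAM = "client_request_param_account_hint";
    /** Query parameter carrying the hint on direct-grant requests. */
    private static final String DIRECT_ACCOUNT_HINT = "account_hint";
    private static final String ERROR_FORM = "error.ftl";
    private static final String SELECT_ORGANIZATION_FORM = "select-organization.ftl";
    /** Form field posted by the organization selection template. */
    private static final String ORGANIZATION_ID_FORM_PARAM = "organizationId";
    private static final String PROMPT_CLIENT_NOTE = "prompt";
    private static final String SELECT_ACCOUNT_PROMPT = "select_account";
    private final OrganizationProvider provider;

    /**
     * @param keycloakSession session used to look up the {@link OrganizationProvider}
     */
    public ActiveOrganizationAuthenticator(KeycloakSession keycloakSession) {
        this.provider = keycloakSession.getProvider(OrganizationProvider.class);
    }

    /**
     * Entry point of the authenticator: resolves the active organization from an account hint,
     * challenges for a selection, or succeeds untouched.
     */
    @Override
    public void authenticate(AuthenticationFlowContext authenticationFlowContext) {
        if (requestHasAccountHintParam(authenticationFlowContext)) {
            evaluateAuthenticationWithAccountHint(authenticationFlowContext);
        } else if (shouldChallengeForOrganizationSelection(authenticationFlowContext)) {
            tryOrganizationSelectionChallenge(authenticationFlowContext);
        } else {
            authenticationFlowContext.success();
        }
    }

    /** @return whether either the browser or the direct-grant form of the hint is present. */
    private boolean requestHasAccountHintParam(AuthenticationFlowContext context) {
        return getAccountHintValueFromBrowserRequest(context) != null
                || getAccountHintValueFromDirectGrantRequest(context) != null;
    }

    /** @return the hint recorded as a client note on the authentication session, or {@code null}. */
    private String getAccountHintValueFromBrowserRequest(AuthenticationFlowContext context) {
        return context.getAuthenticationSession().getClientNote(BROWSER_ACCOUNT_HINT_PARAM);
    }

    /** @return the first {@code account_hint} query parameter of the current request, or {@code null}. */
    private String getAccountHintValueFromDirectGrantRequest(AuthenticationFlowContext context) {
        return context.getHttpRequest().getUri().getQueryParameters().getFirst(DIRECT_ACCOUNT_HINT);
    }

    private void evaluateAuthenticationWithAccountHint(AuthenticationFlowContext context) {
        evaluateAuthenticationChallenge(context, getOrganizationIdFromAccountHint(context));
    }

    /** Browser client note wins over the direct-grant query parameter when both are present. */
    private String getOrganizationIdFromAccountHint(AuthenticationFlowContext context) {
        String browserHint = getAccountHintValueFromBrowserRequest(context);
        return browserHint != null ? browserHint : getAccountHintValueFromDirectGrantRequest(context);
    }

    /**
     * Authorization gate for a caller-supplied organization id: only a verified member gets the
     * attribute written; anyone else receives a generic failure.
     *
     * @param organizationId id taken from an account hint or the selection form (untrusted)
     */
    private void evaluateAuthenticationChallenge(AuthenticationFlowContext context, String organizationId) {
        if (hasMembership(context, organizationId)) {
            updateActiveOrganizationAttributeAndSucceedChallenge(context, organizationId);
        } else {
            failChallenge(context, "invalidOrganizationError");
        }
    }

    /**
     * @return {@code true} when one of the user's organizations has exactly {@code organizationId}
     */
    private boolean hasMembership(AuthenticationFlowContext context, String organizationId) {
        boolean member = this.provider
                .getUserOrganizationsStream(context.getRealm(), context.getUser())
                .anyMatch(organization -> organization.getId().equals(organizationId));
        if (!member) {
            log.error("User isn't a member of this organization");
        }
        return member;
    }

    /** Replaces any previous active-organization value with {@code organizationId} and succeeds. */
    private void updateActiveOrganizationAttributeAndSucceedChallenge(AuthenticationFlowContext context, String organizationId) {
        log.debug("Authentication Challenge Success");
        context.getUser().setAttribute(Orgs.ACTIVE_ORGANIZATION, Collections.singletonList(organizationId));
        context.success();
    }

    /**
     * Fails the flow with a rendered error page; if the template cannot be rendered the failure is
     * still delivered as a bare 401 so the flow never succeeds by accident.
     *
     * @param errorKey message key passed to the error template
     */
    private void failChallenge(AuthenticationFlowContext context, String errorKey) {
        log.debug("Authentication Challenge Failure");
        Response response;
        try {
            response = context.form().setError(errorKey).createForm(ERROR_FORM);
        } catch (Exception e) {
            // Rendering is best-effort; keep the cause in the log instead of dropping it silently.
            log.warn("Failed to render " + ERROR_FORM + ", falling back to a plain 401 response", e);
            response = Response.status(Response.Status.UNAUTHORIZED).build();
        }
        context.failureChallenge(AuthenticationFlowError.GENERIC_AUTHENTICATION_ERROR, response);
    }

    /**
     * @return whether the request's {@code prompt} contains the {@code select_account} value.
     *     {@code prompt} is a space-delimited list, so a whole token is matched rather than a
     *     substring.
     */
    private boolean shouldChallengeForOrganizationSelection(AuthenticationFlowContext context) {
        String prompt = context.getAuthenticationSession().getClientNote(PROMPT_CLIENT_NOTE);
        if (prompt == null) {
            return false;
        }
        return List.of(prompt.trim().split("\\s+")).contains(SELECT_ACCOUNT_PROMPT);
    }

    /**
     * Issues the selection form, or short-circuits when there is nothing to choose from: no
     * organizations fails the flow, a single organization is activated directly.
     */
    private void tryOrganizationSelectionChallenge(AuthenticationFlowContext context) {
        List<OrganizationModel> organizations = this.provider
                .getUserOrganizationsStream(context.getRealm(), context.getUser())
                .toList();
        if (organizations.isEmpty()) {
            log.warn("Select organization challenge couldn't be performed because the user has no organization.");
            failChallenge(context, "noOrganizationError");
        } else if (organizations.size() == 1) {
            log.info("User has 1 organization, skip organization selection challenge.");
            updateActiveOrganizationAttributeAndSucceedChallenge(context, organizations.get(0).getId());
        } else {
            LoginFormsProvider form = context.form();
            form.setAttribute("organizations", organizations);
            context.challenge(form.createForm(SELECT_ORGANIZATION_FORM));
        }
    }

    /**
     * Handles the selection form post. The submitted id is untrusted and goes through the same
     * membership gate as an account hint.
     */
    @Override
    public void action(AuthenticationFlowContext authenticationFlowContext) {
        String organizationId = authenticationFlowContext
                .getHttpRequest()
                .getDecodedFormParameters()
                .getFirst(ORGANIZATION_ID_FORM_PARAM);
        if (organizationId == null || organizationId.isBlank()) {
            log.error("No selected organization");
            failChallenge(authenticationFlowContext, "invalidOrganizationError");
        } else {
            evaluateAuthenticationChallenge(authenticationFlowContext, organizationId);
        }
    }

    /** The user must already be identified: membership is checked against {@code context.getUser()}. */
    @Override
    public boolean requiresUser() {
        return true;
    }

    /** Applies to every user; there is no per-user configuration. */
    @Override
    public boolean configuredFor(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
        return true;
    }

    /** No required actions are registered by this authenticator. */
    @Override
    public void setRequiredActions(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
    }

    /** Nothing to release; the provider is owned by the session. */
    @Override
    public void close() {
    }
}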
