package org.keycloak.protocol.oidc.grants.device;

import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.UriBuilder;
import jakarta.ws.rs.core.UriInfo;
import java.net.URI;
import java.util.Map;
import org.keycloak.WebAuthnConstants;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.OAuth2DeviceCodeModel;
import org.keycloak.models.OAuth2DeviceUserCodeModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.SingleUseObjectProvider;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.LoginProtocol;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint;
import org.keycloak.protocol.oidc.grants.OAuth2GrantType;
import org.keycloak.protocol.oidc.grants.OAuth2GrantTypeBase;
import org.keycloak.protocol.oidc.grants.device.clientpolicy.context.DeviceTokenRequestContext;
import org.keycloak.protocol.oidc.grants.device.clientpolicy.context.DeviceTokenResponseContext;
import org.keycloak.protocol.oidc.grants.device.endpoints.DeviceEndpoint;
import org.keycloak.protocol.oidc.utils.PkceUtils;
import org.keycloak.services.CorsErrorResponseException;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.UserSessionCrossDCManager;
import org.keycloak.services.resources.RealmsResource;
import org.keycloak.services.util.DefaultClientSessionContext;
import org.keycloak.sessions.AuthenticationSessionModel;

/* loaded from: input_file:org/keycloak/protocol/oidc/grants/device/DeviceGrantType.class */
public class DeviceGrantType extends OAuth2GrantTypeBase {
    public static final String OAUTH2_DEVICE_VERIFIED_USER_CODE = "OAUTH2_DEVICE_VERIFIED_USER_CODE";
    public static final String OAUTH2_DEVICE_USER_CODE = "device_user_code";
    public static final String OAUTH2_USER_CODE_VERIFY = "device/verify";

    public static UriBuilder oauth2DeviceVerificationUrl(UriInfo uriInfo) {
        return uriInfo.getBaseUriBuilder().path(RealmsResource.class).path("{realm}").path("device");
    }

    public static URI realmOAuth2DeviceVerificationAction(URI uri, String str) {
        return UriBuilder.fromUri(uri).path(RealmsResource.class).path("{realm}").path("device").build(new Object[]{str});
    }

    public static UriBuilder oauth2DeviceAuthUrl(UriBuilder uriBuilder) {
        return OIDCLoginProtocolService.tokenServiceBaseUrl(uriBuilder).path(OIDCLoginProtocolService.class, "auth").path(AuthorizationEndpoint.class, "authorizeDevice").path(DeviceEndpoint.class, "handleDeviceRequest");
    }

    public static UriBuilder oauth2DeviceVerificationCompletedUrl(UriInfo uriInfo) {
        return uriInfo.getBaseUriBuilder().path(RealmsResource.class).path("{realm}").path("device").path("status");
    }

    public static Response denyOAuth2DeviceAuthorization(AuthenticationSessionModel authenticationSessionModel, LoginProtocol.Error error, KeycloakSession keycloakSession) {
        KeycloakContext context = keycloakSession.getContext();
        RealmModel realm = context.getRealm();
        return Response.status(302).location(oauth2DeviceVerificationCompletedUrl(context.getUri()).queryParam(WebAuthnConstants.ERROR, new Object[]{error == LoginProtocol.Error.CONSENT_DENIED ? !denyUserCode(keycloakSession, realm, authenticationSessionModel.getClientNote(OAUTH2_DEVICE_VERIFIED_USER_CODE)) ? "expired_token" : AbstractOAuth2IdentityProvider.ACCESS_DENIED : "server_error"}).build(new Object[]{realm.getName()})).build();
    }

    public static Response approveOAuth2DeviceAuthorization(AuthenticationSessionModel authenticationSessionModel, AuthenticatedClientSessionModel authenticatedClientSessionModel, KeycloakSession keycloakSession) {
        KeycloakContext context = keycloakSession.getContext();
        RealmModel realm = context.getRealm();
        UriBuilder oauth2DeviceVerificationCompletedUrl = oauth2DeviceVerificationCompletedUrl(context.getUri());
        String clientNote = authenticationSessionModel.getClientNote(OAUTH2_DEVICE_VERIFIED_USER_CODE);
        if (!approveUserCode(keycloakSession, realm, clientNote, authenticatedClientSessionModel.getUserSession().getId(), null)) {
            return Response.status(302).location(oauth2DeviceVerificationCompletedUrl.queryParam(WebAuthnConstants.ERROR, new Object[]{"expired_token"}).build(new Object[]{realm.getName()})).build();
        }
        removeDeviceByUserCode(keycloakSession, realm, clientNote);
        return Response.status(302).location(oauth2DeviceVerificationCompletedUrl.build(new Object[]{realm.getName()})).build();
    }

    public static boolean isOAuth2DeviceVerificationFlow(AuthenticationSessionModel authenticationSessionModel) {
        return authenticationSessionModel.getClientNote(OAUTH2_DEVICE_VERIFIED_USER_CODE) != null;
    }

    public static OAuth2DeviceCodeModel getDeviceByDeviceCode(KeycloakSession keycloakSession, RealmModel realmModel, ClientModel clientModel, EventBuilder eventBuilder, String str) {
        Map map = keycloakSession.singleUseObjects().get(OAuth2DeviceCodeModel.createKey(str));
        OAuth2DeviceCodeModel fromCache = map != null ? OAuth2DeviceCodeModel.fromCache(realmModel, str, map) : null;
        if (fromCache == null || clientModel.getClientId().equals(fromCache.getClientId())) {
            return fromCache;
        }
        eventBuilder.error("invalid_oauth2_device_code");
        throw new ErrorResponseException("invalid_grant", "unauthorized client", Response.Status.BAD_REQUEST);
    }

    public static void removeDeviceByDeviceCode(KeycloakSession keycloakSession, String str) {
        keycloakSession.singleUseObjects().remove(OAuth2DeviceCodeModel.createKey(str));
    }

    public static void removeDeviceByUserCode(KeycloakSession keycloakSession, RealmModel realmModel, String str) {
        keycloakSession.singleUseObjects().remove(OAuth2DeviceUserCodeModel.createKey(realmModel, str));
    }

    public static boolean isPollingAllowed(KeycloakSession keycloakSession, OAuth2DeviceCodeModel oAuth2DeviceCodeModel) {
        return keycloakSession.singleUseObjects().putIfAbsent(oAuth2DeviceCodeModel.serializePollingKey(), oAuth2DeviceCodeModel.getPollingInterval());
    }

    public static boolean approveUserCode(KeycloakSession keycloakSession, RealmModel realmModel, String str, String str2, Map<String, String> map) {
        SingleUseObjectProvider singleUseObjects = keycloakSession.singleUseObjects();
        OAuth2DeviceCodeModel deviceByUserCode = DeviceEndpoint.getDeviceByUserCode(keycloakSession, realmModel, str);
        if (deviceByUserCode == null) {
            return false;
        }
        OAuth2DeviceCodeModel approve = deviceByUserCode.approve(str2, map);
        return singleUseObjects.replace(approve.serializeKey(), approve.toMap());
    }

    public static boolean denyUserCode(KeycloakSession keycloakSession, RealmModel realmModel, String str) {
        SingleUseObjectProvider singleUseObjects = keycloakSession.singleUseObjects();
        OAuth2DeviceCodeModel deviceByUserCode = DeviceEndpoint.getDeviceByUserCode(keycloakSession, realmModel, str);
        if (deviceByUserCode == null) {
            return false;
        }
        OAuth2DeviceCodeModel deny = deviceByUserCode.deny();
        return singleUseObjects.replace(deny.serializeKey(), deny.toMap());
    }

    public Response process(OAuth2GrantType.Context context) {
        setContext(context);
        if (!this.realm.getOAuth2DeviceConfig().isOAuth2DeviceAuthorizationGrantEnabled(this.client)) {
            this.event.error("not_allowed");
            throw new CorsErrorResponseException(this.cors, "invalid_grant", "Client not allowed OAuth 2.0 Device Authorization Grant", Response.Status.BAD_REQUEST);
        }
        String str = (String) this.formParams.getFirst("device_code");
        if (str == null) {
            this.event.error("invalid_oauth2_device_code");
            throw new CorsErrorResponseException(this.cors, "invalid_request", "Missing parameter: device_code", Response.Status.BAD_REQUEST);
        }
        OAuth2DeviceCodeModel deviceByDeviceCode = getDeviceByDeviceCode(this.session, this.realm, this.client, this.event, str);
        if (deviceByDeviceCode == null) {
            this.event.error("invalid_oauth2_device_code");
            throw new CorsErrorResponseException(this.cors, "invalid_grant", "Device code not valid", Response.Status.BAD_REQUEST);
        }
        if (deviceByDeviceCode.isExpired()) {
            this.event.error("expired_oauth2_device_code");
            throw new CorsErrorResponseException(this.cors, "expired_token", "Device code is expired", Response.Status.BAD_REQUEST);
        }
        if (!isPollingAllowed(this.session, deviceByDeviceCode)) {
            this.event.error("slow_down");
            throw new CorsErrorResponseException(this.cors, "slow_down", "Slow down", Response.Status.BAD_REQUEST);
        }
        if (deviceByDeviceCode.isDenied()) {
            this.event.error(AbstractOAuth2IdentityProvider.ACCESS_DENIED);
            throw new CorsErrorResponseException(this.cors, AbstractOAuth2IdentityProvider.ACCESS_DENIED, "The end user denied the authorization request", Response.Status.BAD_REQUEST);
        }
        if (deviceByDeviceCode.isPending()) {
            throw new CorsErrorResponseException(this.cors, "authorization_pending", "The authorization request is still pending", Response.Status.BAD_REQUEST);
        }
        String str2 = (String) this.formParams.getFirst("code_verifier");
        String codeChallenge = deviceByDeviceCode.getCodeChallenge();
        String codeChallengeMethod = deviceByDeviceCode.getCodeChallengeMethod();
        if (codeChallengeMethod == null || codeChallengeMethod.isEmpty()) {
            PkceUtils.checkParamsForPkceNotEnforcedClient(str2, codeChallenge, codeChallengeMethod, null, null, this.event, this.cors);
        } else {
            PkceUtils.checkParamsForPkceEnforcedClient(str2, codeChallenge, codeChallengeMethod, null, null, this.event, this.cors);
        }
        String userSessionId = deviceByDeviceCode.getUserSessionId();
        this.event.detail("code_id", userSessionId);
        this.event.session(userSessionId);
        UserSessionModel userSessionWithClient = new UserSessionCrossDCManager(this.session).getUserSessionWithClient(this.realm, userSessionId, this.client.getId());
        if (userSessionWithClient == null) {
            userSessionWithClient = this.session.sessions().getUserSession(this.realm, userSessionId);
            if (userSessionWithClient == null) {
                throw new CorsErrorResponseException(this.cors, "authorization_pending", "The authorization request is verified but can not lookup the user session yet", Response.Status.BAD_REQUEST);
            }
        }
        removeDeviceByDeviceCode(this.session, str);
        UserModel user = userSessionWithClient.getUser();
        if (user == null) {
            this.event.error("user_not_found");
            throw new CorsErrorResponseException(this.cors, "invalid_grant", "User not found", Response.Status.BAD_REQUEST);
        }
        this.event.user(userSessionWithClient.getUser());
        if (!user.isEnabled()) {
            this.event.error("user_disabled");
            throw new CorsErrorResponseException(this.cors, "invalid_grant", "User disabled", Response.Status.BAD_REQUEST);
        }
        AuthenticatedClientSessionModel authenticatedClientSessionByClient = userSessionWithClient.getAuthenticatedClientSessionByClient(this.client.getId());
        if (!this.client.getClientId().equals(authenticatedClientSessionByClient.getClient().getClientId())) {
            this.event.error("invalid_code");
            throw new CorsErrorResponseException(this.cors, "invalid_grant", "Auth error", Response.Status.BAD_REQUEST);
        }
        if (!AuthenticationManager.isSessionValid(this.realm, userSessionWithClient)) {
            this.event.error("user_session_not_found");
            throw new CorsErrorResponseException(this.cors, "invalid_grant", "Session not active", Response.Status.BAD_REQUEST);
        }
        try {
            this.session.clientPolicy().triggerOnEvent(new DeviceTokenRequestContext(deviceByDeviceCode, this.formParams));
            String scope = deviceByDeviceCode.getScope();
            if (!TokenManager.verifyConsentStillAvailable(this.session, user, this.client, TokenManager.getRequestedClientScopes(scope, this.client))) {
                this.event.error("not_allowed");
                throw new CorsErrorResponseException(this.cors, "invalid_scope", "Client no longer has requested consent from user", Response.Status.BAD_REQUEST);
            }
            DefaultClientSessionContext fromClientSessionAndScopeParameter = DefaultClientSessionContext.fromClientSessionAndScopeParameter(authenticatedClientSessionByClient, scope, this.session);
            fromClientSessionAndScopeParameter.setAttribute(OIDCLoginProtocol.NONCE_PARAM, deviceByDeviceCode.getNonce());
            return createTokenResponse(user, userSessionWithClient, fromClientSessionAndScopeParameter, scope, false, accessTokenResponseBuilder -> {
                return new DeviceTokenResponseContext(deviceByDeviceCode, this.formParams, authenticatedClientSessionByClient, accessTokenResponseBuilder);
            });
        } catch (ClientPolicyException e) {
            this.event.error(e.getError());
            throw new CorsErrorResponseException(this.cors, "invalid_grant", e.getErrorDetail(), Response.Status.BAD_REQUEST);
        }
    }

    public EventType getEventType() {
        return EventType.OAUTH2_DEVICE_CODE_TO_TOKEN;
    }
}
