package org.keycloak.protocol.oidc.endpoints;

import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.OPTIONS;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.MultivaluedHashMap;
import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Response;
import java.io.IOException;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.xml.namespace.QName;
import org.jboss.logging.Logger;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.common.ClientConnection;
import org.keycloak.events.EventBuilder;
import org.keycloak.http.HttpRequest;
import org.keycloak.http.HttpResponse;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.protocol.oidc.grants.OAuth2GrantType;
import org.keycloak.protocol.oidc.utils.AuthorizeClientUtil;
import org.keycloak.protocol.saml.JaxrsSAML2BindingBuilder;
import org.keycloak.protocol.saml.SamlClient;
import org.keycloak.protocol.saml.SamlProtocol;
import org.keycloak.representations.dpop.DPoP;
import org.keycloak.saml.common.constants.JBossSAMLConstants;
import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
import org.keycloak.saml.common.exceptions.ConfigurationException;
import org.keycloak.saml.common.exceptions.ProcessingException;
import org.keycloak.saml.common.util.DocumentUtil;
import org.keycloak.services.CorsErrorResponseException;
import org.keycloak.services.cors.Cors;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:org/keycloak/protocol/oidc/endpoints/TokenEndpoint.class */
public class TokenEndpoint {
    private static final Logger logger = Logger.getLogger(TokenEndpoint.class);
    private MultivaluedMap<String, String> formParams;
    private ClientModel client;
    private Map<String, String> clientAuthAttributes;
    private OIDCAdvancedConfigWrapper clientConfig;
    private DPoP dPoP;
    private final KeycloakSession session;
    private final HttpRequest request;
    private final HttpResponse httpResponse;
    private final HttpHeaders headers;
    private final ClientConnection clientConnection;
    private final TokenManager tokenManager;
    private final RealmModel realm;
    private final EventBuilder event;
    private String grantType;
    private OAuth2GrantType grant;
    private Cors cors;

    /* loaded from: input_file:org/keycloak/protocol/oidc/endpoints/TokenEndpoint$TokenExchangeSamlProtocol.class */
    public static class TokenExchangeSamlProtocol extends SamlProtocol {
        final SamlClient samlClient;

        public TokenExchangeSamlProtocol(SamlClient samlClient) {
            this.samlClient = samlClient;
        }

        @Override // org.keycloak.protocol.saml.SamlProtocol
        protected Response buildAuthenticatedResponse(AuthenticatedClientSessionModel authenticatedClientSessionModel, String str, Document document, JaxrsSAML2BindingBuilder jaxrsSAML2BindingBuilder) throws ConfigurationException, ProcessingException, IOException {
            JaxrsSAML2BindingBuilder.PostBindingBuilder m450postBinding = jaxrsSAML2BindingBuilder.m450postBinding(document);
            Element element = this.samlClient.requiresEncryption() ? DocumentUtil.getElement(m450postBinding.getDocument(), new QName(JBossSAMLURIConstants.ASSERTION_NSURI.get(), JBossSAMLConstants.ENCRYPTED_ASSERTION.get())) : DocumentUtil.getElement(m450postBinding.getDocument(), new QName(JBossSAMLURIConstants.ASSERTION_NSURI.get(), JBossSAMLConstants.ASSERTION.get()));
            return element == null ? Response.status(Response.Status.BAD_REQUEST).build() : Response.ok(DocumentUtil.getNodeAsString(element), MediaType.APPLICATION_XML_TYPE).build();
        }

        @Override // org.keycloak.protocol.saml.SamlProtocol
        protected Response buildErrorResponse(boolean z, String str, JaxrsSAML2BindingBuilder jaxrsSAML2BindingBuilder, Document document) throws ConfigurationException, ProcessingException, IOException {
            return Response.status(Response.Status.BAD_REQUEST).build();
        }
    }

    public TokenEndpoint(KeycloakSession keycloakSession, TokenManager tokenManager, EventBuilder eventBuilder) {
        this.session = keycloakSession;
        this.clientConnection = keycloakSession.getContext().getConnection();
        this.tokenManager = tokenManager;
        this.realm = keycloakSession.getContext().getRealm();
        this.event = eventBuilder;
        this.request = keycloakSession.getContext().getHttpRequest();
        this.httpResponse = keycloakSession.getContext().getHttpResponse();
        this.headers = keycloakSession.getContext().getRequestHeaders();
    }

    @POST
    @Consumes({org.keycloak.utils.MediaType.APPLICATION_FORM_URLENCODED})
    public Response processGrantRequest() {
        this.cors = Cors.add(this.request).auth().allowedMethods(new String[]{"POST"}).auth().exposedHeaders(new String[]{"Access-Control-Allow-Methods"});
        MultivaluedHashMap decodedFormParameters = this.request.getDecodedFormParameters();
        if (decodedFormParameters == null) {
            decodedFormParameters = new MultivaluedHashMap();
        }
        this.formParams = decodedFormParameters;
        this.grantType = (String) this.formParams.getFirst("grant_type");
        this.httpResponse.setHeader("Cache-Control", "no-store");
        this.httpResponse.setHeader("Pragma", "no-cache");
        checkSsl();
        checkRealm();
        checkGrantType();
        if (!this.grantType.equals("urn:ietf:params:oauth:grant-type:uma-ticket")) {
            checkClient();
            checkParameterDuplicated();
        }
        return this.grant.process(new OAuth2GrantType.Context(this.session, this.clientConfig, this.clientAuthAttributes, this.formParams, this.event, this.cors, this.tokenManager, this.dPoP));
    }

    @Path("introspect")
    public Object introspect() {
        return new TokenIntrospectionEndpoint(this.session, this.event);
    }

    @OPTIONS
    public Response preflight() {
        if (logger.isDebugEnabled()) {
            logger.debugv("CORS preflight from: {0}", this.headers.getRequestHeaders().getFirst("Origin"));
        }
        return Cors.add(this.request, Response.ok()).auth().preflight().allowedMethods(new String[]{"POST", "OPTIONS"}).build();
    }

    private void checkSsl() {
        if (!this.session.getContext().getUri().getBaseUri().getScheme().equals("https") && this.realm.getSslRequired().isRequired(this.clientConnection)) {
            throw new CorsErrorResponseException(this.cors.allowAllOrigins(), "invalid_request", "HTTPS required", Response.Status.FORBIDDEN);
        }
    }

    private void checkRealm() {
        if (!this.realm.isEnabled()) {
            throw new CorsErrorResponseException(this.cors.allowAllOrigins(), AbstractOAuth2IdentityProvider.ACCESS_DENIED, "Realm not enabled", Response.Status.FORBIDDEN);
        }
    }

    private void checkClient() {
        AuthorizeClientUtil.ClientAuthResult authorizeClient = AuthorizeClientUtil.authorizeClient(this.session, this.event, this.cors);
        this.client = authorizeClient.getClient();
        this.clientAuthAttributes = authorizeClient.getClientAuthAttributes();
        this.clientConfig = OIDCAdvancedConfigWrapper.fromClientModel(this.client);
        this.cors.allowedOrigins(this.session, this.client);
        if (this.client.isBearerOnly()) {
            throw new CorsErrorResponseException(this.cors, "invalid_client", "Bearer-only not allowed", Response.Status.BAD_REQUEST);
        }
    }

    private void checkGrantType() {
        if (this.grantType == null) {
            throw new CorsErrorResponseException(this.cors, "invalid_request", "Missing form parameter: grant_type", Response.Status.BAD_REQUEST);
        }
        this.grant = this.session.getProvider(OAuth2GrantType.class, this.grantType);
        if (this.grant == null) {
            throw newUnsupportedGrantTypeException();
        }
        this.event.event(this.grant.getEventType());
        this.event.detail("grant_type", this.grantType);
    }

    private CorsErrorResponseException newUnsupportedGrantTypeException() {
        return new CorsErrorResponseException(this.cors, "unsupported_grant_type", "Unsupported grant_type", Response.Status.BAD_REQUEST);
    }

    private void checkParameterDuplicated() {
        Iterator it = this.formParams.keySet().iterator();
        while (it.hasNext()) {
            if (((List) this.formParams.get((String) it.next())).size() != 1) {
                throw new CorsErrorResponseException(this.cors, "invalid_request", "duplicated parameter", Response.Status.BAD_REQUEST);
            }
        }
    }
}
