package org.keycloak.protocol.oidc.grants;

import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Response;
import java.util.Map;
import java.util.Objects;
import java.util.function.Function;
import org.jboss.logging.Logger;
import org.keycloak.common.ClientConnection;
import org.keycloak.common.Profile;
import org.keycloak.common.VerificationException;
import org.keycloak.events.EventBuilder;
import org.keycloak.http.HttpRequest;
import org.keycloak.http.HttpResponse;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.protocol.oidc.grants.OAuth2GrantType;
import org.keycloak.protocol.oidc.utils.AuthorizeClientUtil;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.dpop.DPoP;
import org.keycloak.services.CorsErrorResponseException;
import org.keycloak.services.ServicesLogger;
import org.keycloak.services.clientpolicy.ClientPolicyContext;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.cors.Cors;
import org.keycloak.services.util.AuthorizationContextUtil;
import org.keycloak.services.util.DPoPUtil;
import org.keycloak.services.util.MtlsHoKTokenUtil;
import org.keycloak.util.TokenUtil;

/* loaded from: input_file:org/keycloak/protocol/oidc/grants/OAuth2GrantTypeBase.class */
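/**
 * Shared state and helpers for the OAuth2 grant-type handlers of the token endpoint.
 *
 * <p>A handler receives its request-scoped collaborators through {@link #setContext} and then
 * uses the helpers below to authenticate the client, validate scopes, retrieve a DPoP proof,
 * sender-constrain the issued tokens and finally build the JSON token response. Every error path
 * records an {@code event.error(...)} before throwing a {@link CorsErrorResponseException} so the
 * rejection is visible in the audit log as well as to the client.
 *
 * <p>Note: this listing is decompiler output; the {@code JADX} markers in the original indicate
 * the helper methods were declared {@code protected} in the source. They are kept {@code public}
 * here so existing callers of this form still compile.
 */
public abstract class OAuth2GrantTypeBase implements OAuth2GrantType {
    private static final Logger logger = Logger.getLogger(OAuth2GrantTypeBase.class);

    /**
     * Message the response builder uses when the client's encryption KEK cannot be resolved.
     * The builder only signals this through the exception text, so it is matched by string.
     */
    private static final String ENCRYPTION_KEK_ERROR = "can not get encryption KEK";

    /** Token type set on the access token and in the response when the tokens are DPoP-bound. */
    private static final String DPOP_TOKEN_TYPE = "DPoP";

    protected OAuth2GrantType.Context context;
    protected KeycloakSession session;
    protected RealmModel realm;
    protected ClientModel client;
    protected OIDCAdvancedConfigWrapper clientConfig;
    protected ClientConnection clientConnection;
    protected Map<String, String> clientAuthAttributes;
    protected MultivaluedMap<String, String> formParams;
    protected EventBuilder event;
    protected Cors cors;
    protected TokenManager tokenManager;
    // Validated DPoP proof of the current request; null until checkAndRetrieveDPoPProof stores one.
    protected DPoP dPoP;
    protected HttpRequest request;
    protected HttpResponse response;
    protected HttpHeaders headers;

    /**
     * Copies the request-scoped collaborators out of the grant context into the handler's fields.
     *
     * <p>{@code clientConfig} and {@code tokenManager} are untyped in the context and are cast to
     * the OIDC implementations this base class works with.
     *
     * @param context the context assembled by the token endpoint for the current request
     */
    public void setContext(OAuth2GrantType.Context context) {
        this.context = context;
        this.session = context.session;
        this.realm = context.realm;
        this.client = context.client;
        this.clientConfig = (OIDCAdvancedConfigWrapper) context.clientConfig;
        this.clientConnection = context.clientConnection;
        this.clientAuthAttributes = context.clientAuthAttributes;
        this.request = context.request;
        this.response = context.response;
        this.headers = context.headers;
        this.formParams = context.formParams;
        this.event = context.event;
        this.cors = context.cors;
        this.tokenManager = (TokenManager) context.tokenManager;
        this.dPoP = context.dPoP;
    }

    /**
     * Builds the token endpoint response for an authenticated user session.
     *
     * <p>Order matters: the refresh token is generated first, then both tokens are
     * sender-constrained (mTLS and/or DPoP), then the ID token and its {@code at_hash} are added,
     * then client policies get a chance to veto or adjust the builder, and only then are the
     * tokens serialized.
     *
     * @param userModel the authenticated user
     * @param userSessionModel the user's session the tokens are issued for
     * @param clientSessionContext the client session (and its scopes) the tokens are issued for
     * @param str the requested scope string; an ID token is generated only when it marks an OIDC request
     * @param z when {@code true} a missing encryption KEK is reported to the client as
     *          {@code invalid_request}; otherwise that failure propagates unchanged
     * @param function optional factory turning the response builder into a client-policy context;
     *                 when non-null the policy event is triggered before the tokens are built
     * @return the JSON token response with CORS headers applied
     * @throws CorsErrorResponseException when a client policy rejects the request or, with
     *         {@code z} set, when the client's encryption KEK cannot be resolved
     */
    public Response createTokenResponse(UserModel userModel, UserSessionModel userSessionModel, ClientSessionContext clientSessionContext, String str, boolean z, Function<TokenManager.AccessTokenResponseBuilder, ClientPolicyContext> function) {
        TokenManager.AccessTokenResponseBuilder responseBuilder = this.tokenManager
                .responseBuilder(this.realm, this.client, this.event, this.session, userSessionModel, clientSessionContext)
                .accessToken(this.tokenManager.createClientAccessToken(this.session, this.realm, this.client, userModel, userSessionModel, clientSessionContext));

        boolean useRefreshToken = this.clientConfig.isUseRefreshToken();
        if (useRefreshToken) {
            responseBuilder.generateRefreshToken();
        }

        // Sender-constrain the tokens before serialization. The refresh token is only DPoP-bound
        // for public clients; confidential clients already authenticate on refresh.
        checkAndBindMtlsHoKToken(responseBuilder, useRefreshToken);
        checkAndBindDPoPToken(responseBuilder, useRefreshToken && this.client.isPublicClient(), Profile.isFeatureEnabled(Profile.Feature.DPOP));

        if (TokenUtil.isOIDCRequest(str)) {
            responseBuilder.generateIDToken().generateAccessTokenHash();
        }

        if (function != null) {
            try {
                this.session.clientPolicy().triggerOnEvent(function.apply(responseBuilder));
            } catch (ClientPolicyException e) {
                this.event.error(e.getError());
                throw new CorsErrorResponseException(this.cors, e.getError(), e.getErrorDetail(), e.getErrorStatus());
            }
        }

        AccessTokenResponse tokenResponse;
        try {
            tokenResponse = responseBuilder.build();
        } catch (RuntimeException e) {
            // Only the KEK failure is translated into a client-visible error, and only when the
            // caller asked for it; every other failure is an unexpected server-side error.
            if (z && ENCRYPTION_KEK_ERROR.equals(e.getMessage())) {
                throw new CorsErrorResponseException(this.cors, "invalid_request", ENCRYPTION_KEK_ERROR, Response.Status.BAD_REQUEST);
            }
            throw e;
        }

        this.event.success();
        return this.cors.builder(Response.ok(tokenResponse).type(MediaType.APPLICATION_JSON_TYPE)).build();
    }

    /**
     * Binds the issued tokens to the client's TLS certificate (mTLS holder-of-key) when the client
     * is configured for it.
     *
     * @param accessTokenResponseBuilder builder holding the tokens to constrain
     * @param z whether a refresh token was generated and must be bound as well
     * @throws CorsErrorResponseException when the client is configured for HoK tokens but no client
     *         certificate is present on the request
     */
    public void checkAndBindMtlsHoKToken(TokenManager.AccessTokenResponseBuilder accessTokenResponseBuilder, boolean z) {
        if (!this.clientConfig.isUseMtlsHokToken()) {
            return;
        }
        AccessToken.Confirmation confirmation = MtlsHoKTokenUtil.bindTokenWithClientCertificate(this.request, this.session);
        if (confirmation == null) {
            // A HoK-configured client without a certificate must not get a bearer-usable token.
            this.event.error("invalid_request");
            throw new CorsErrorResponseException(this.cors, "invalid_request", "Client Certification missing for MTLS HoK Token Binding", Response.Status.BAD_REQUEST);
        }
        accessTokenResponseBuilder.getAccessToken().setConfirmation(confirmation);
        if (z) {
            accessTokenResponseBuilder.getRefreshToken().setConfirmation(confirmation);
        }
    }

    /**
     * Binds the issued tokens to the DPoP proof of the current request and marks them as
     * {@code DPoP} tokens.
     *
     * <p>Binding happens when the client requires DPoP or when a proof was presented on this
     * request. NOTE(review): when {@code isUseDPoP()} holds this relies on
     * {@link #checkAndRetrieveDPoPProof} having stored a validated proof in {@code dPoP} earlier
     * in the grant — confirm that ordering in each subclass.
     *
     * @param accessTokenResponseBuilder builder holding the tokens to constrain
     * @param z whether the refresh token must be bound as well
     * @param z2 whether the DPoP feature is enabled; nothing happens when it is not
     */
    public void checkAndBindDPoPToken(TokenManager.AccessTokenResponseBuilder accessTokenResponseBuilder, boolean z, boolean z2) {
        if (!z2) {
            return;
        }
        if (!this.clientConfig.isUseDPoP() && this.dPoP == null) {
            return;
        }
        AccessToken accessToken = accessTokenResponseBuilder.getAccessToken();
        DPoPUtil.bindToken(accessToken, this.dPoP);
        accessToken.type(DPOP_TOKEN_TYPE);
        accessTokenResponseBuilder.responseTokenType(DPOP_TOKEN_TYPE);
        if (z) {
            DPoPUtil.bindToken(accessTokenResponseBuilder.getRefreshToken(), this.dPoP);
        }
    }

    /**
     * Stores the adapter's session id and host (sent as form parameters) as notes on the client
     * session, rewriting a note only when its value changed.
     *
     * @param authenticatedClientSessionModel the client session to update; a null session is
     *        logged and otherwise ignored
     */
    public void updateClientSession(AuthenticatedClientSessionModel authenticatedClientSessionModel) {
        if (authenticatedClientSessionModel == null) {
            ServicesLogger.LOGGER.clientSessionNull();
            return;
        }
        String adapterSessionId = this.formParams.getFirst("client_session_state");
        if (adapterSessionId == null) {
            return;
        }
        String adapterSessionHost = this.formParams.getFirst("client_session_host");
        // Both values are taken verbatim from the request; they are only logged at debug level.
        logger.debugf("Adapter Session '%s' saved in ClientSession for client '%s'. Host is '%s'", adapterSessionId, this.client.getClientId(), adapterSessionHost);
        if (!adapterSessionId.equals(authenticatedClientSessionModel.getNote("client_session_state"))) {
            authenticatedClientSessionModel.setNote("client_session_state", adapterSessionId);
        }
        // The host may legitimately be absent, hence the null-safe comparison.
        if (!Objects.equals(adapterSessionHost, authenticatedClientSessionModel.getNote("client_session_host"))) {
            authenticatedClientSessionModel.setNote("client_session_host", adapterSessionHost);
        }
    }

    /**
     * Copies the attributes produced by client authentication onto the user session as notes.
     *
     * @param userSessionModel the session receiving the notes
     */
    public void updateUserSessionFromClientAuth(UserSessionModel userSessionModel) {
        for (Map.Entry<String, String> attribute : this.clientAuthAttributes.entrySet()) {
            userSessionModel.setNote(attribute.getKey(), attribute.getValue());
        }
    }

    /**
     * Validates the {@code DPoP} proof header of the current request and stores the result in
     * {@link #dPoP} and as the {@code dpop} session attribute.
     *
     * <p>Validation runs when the client requires DPoP (a missing proof is then rejected by the
     * validator) or when a {@code DPoP} header is present on the request.
     *
     * @param z whether the DPoP feature is enabled; nothing happens when it is not
     * @throws CorsErrorResponseException with {@code invalid_dpop_proof} when the proof fails validation
     */
    public void checkAndRetrieveDPoPProof(boolean z) {
        if (!z) {
            return;
        }
        boolean proofPresented = this.request.getHttpHeaders().getHeaderString("DPoP") != null;
        if (!this.clientConfig.isUseDPoP() && !proofPresented) {
            return;
        }
        try {
            this.dPoP = new DPoPUtil.Validator(this.session)
                    .request(this.request)
                    .uriInfo(this.session.getContext().getUri())
                    .validate();
            this.session.setAttribute("dpop", this.dPoP);
        } catch (VerificationException e) {
            this.event.error("invalid_dpop_proof");
            throw new CorsErrorResponseException(this.cors, "invalid_dpop_proof", e.getMessage(), Response.Status.BAD_REQUEST);
        }
    }

    /**
     * Reads the {@code scope} form parameter and checks it against the client's allowed scopes.
     *
     * <p>With dynamic scopes enabled the check also resolves the scope string into an
     * authorization request context. NOTE(review): the audit event records
     * {@code invalid_request} while the client receives {@code invalid_scope}; kept as found.
     *
     * @return the requested scope string (may be null when no scope was sent and that is valid)
     * @throws CorsErrorResponseException with {@code invalid_scope} when the scopes are not valid
     *         for this client
     */
    public String getRequestedScopes() {
        String scopeParam = this.formParams.getFirst("scope");
        boolean validScopes;
        if (Profile.isFeatureEnabled(Profile.Feature.DYNAMIC_SCOPES)) {
            validScopes = TokenManager.isValidScope(scopeParam, AuthorizationContextUtil.getAuthorizationRequestContextFromScopes(this.session, scopeParam), this.client);
        } else {
            validScopes = TokenManager.isValidScope(scopeParam, this.client);
        }
        if (validScopes) {
            return scopeParam;
        }
        this.event.error("invalid_request");
        throw new CorsErrorResponseException(this.cors, "invalid_scope", "Invalid scopes: " + scopeParam, Response.Status.BAD_REQUEST);
    }

    /**
     * Authenticates the requesting client and initialises the client-dependent fields
     * ({@link #client}, {@link #clientAuthAttributes}, {@link #clientConfig}) and the CORS origins.
     *
     * <p>Bearer-only clients cannot obtain tokens from the token endpoint and are rejected.
     * The rejection is recorded on the event, matching the other error paths in this class.
     *
     * @throws CorsErrorResponseException with {@code invalid_client} for a bearer-only client
     *         (client authentication failures are raised by {@link AuthorizeClientUtil})
     */
    public void checkClient() {
        AuthorizeClientUtil.ClientAuthResult clientAuth = AuthorizeClientUtil.authorizeClient(this.session, this.event, this.cors);
        this.client = clientAuth.getClient();
        this.clientAuthAttributes = clientAuth.getClientAuthAttributes();
        this.clientConfig = OIDCAdvancedConfigWrapper.fromClientModel(this.client);
        // Allowed origins are only known once the client is authenticated; errors raised before
        // this point are sent without client-specific CORS headers.
        this.cors.allowedOrigins(this.session, this.client);
        if (this.client.isBearerOnly()) {
            this.event.error("invalid_client");
            throw new CorsErrorResponseException(this.cors, "invalid_client", "Bearer-only not allowed", Response.Status.BAD_REQUEST);
        }
    }

    /** No resources are held by the base handler; nothing to release. */
    public void close() {
    }
}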
