package org.keycloak.services.resources.account;

import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;
import java.util.UUID;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import org.jboss.logging.Logger;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.broker.social.SocialIdentityProvider;
import org.keycloak.common.util.Base64Url;
import org.keycloak.events.Details;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.AccountRoles;
import org.keycloak.models.ClientModel;
import org.keycloak.models.FederatedIdentityModel;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.provider.ProviderFactory;
import org.keycloak.representations.account.AccountLinkUriRepresentation;
import org.keycloak.representations.account.LinkedAccountRepresentation;
import org.keycloak.services.ErrorResponse;
import org.keycloak.services.Urls;
import org.keycloak.services.managers.Auth;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.Cors;
import org.keycloak.services.validation.Validation;

/* loaded from: input_file:BOOT-INF/lib/keycloak-services-8.0.0.jar:org/keycloak/services/resources/account/LinkedAccountsResource.class */
public class LinkedAccountsResource {
    private static final Logger logger = Logger.getLogger((Class<?>) LinkedAccountsResource.class);
    private final KeycloakSession session;
    private final HttpRequest request;
    private final ClientModel client;
    private final EventBuilder event;
    private final UserModel user;
    private final RealmModel realm;
    private final Auth auth;

    public LinkedAccountsResource(KeycloakSession keycloakSession, HttpRequest httpRequest, ClientModel clientModel, Auth auth, EventBuilder eventBuilder, UserModel userModel) {
        this.session = keycloakSession;
        this.request = httpRequest;
        this.client = clientModel;
        this.auth = auth;
        this.event = eventBuilder;
        this.user = userModel;
        this.realm = keycloakSession.getContext().getRealm();
    }

    @GET
    @Produces({"application/json"})
    @Path("/")
    public Response linkedAccounts() {
        this.auth.requireOneOf(AccountRoles.MANAGE_ACCOUNT, AccountRoles.VIEW_PROFILE);
        return Cors.add(this.request, Response.ok(getLinkedAccounts(this.session, this.realm, this.user))).auth().allowedOrigins(this.auth.getToken()).build();
    }

    private Set<String> findSocialIds() {
        HashSet hashSet = new HashSet();
        Iterator<ProviderFactory> it = this.session.getKeycloakSessionFactory().getProviderFactories(SocialIdentityProvider.class).iterator();
        while (it.hasNext()) {
            hashSet.add(it.next().getId());
        }
        return hashSet;
    }

    public SortedSet<LinkedAccountRepresentation> getLinkedAccounts(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
        List<IdentityProviderModel> identityProviders = realmModel.getIdentityProviders();
        TreeSet treeSet = new TreeSet();
        if (identityProviders == null || identityProviders.isEmpty()) {
            return treeSet;
        }
        Set<String> findSocialIds = findSocialIds();
        Set<FederatedIdentityModel> federatedIdentities = keycloakSession.users().getFederatedIdentities(userModel, realmModel);
        for (IdentityProviderModel identityProviderModel : identityProviders) {
            if (identityProviderModel.isEnabled()) {
                String alias = identityProviderModel.getAlias();
                FederatedIdentityModel identity = getIdentity(federatedIdentities, alias);
                String identityProviderDisplayName = KeycloakModelUtils.getIdentityProviderDisplayName(keycloakSession, identityProviderModel);
                String str = identityProviderModel.getConfig() != null ? identityProviderModel.getConfig().get("guiOrder") : null;
                LinkedAccountRepresentation linkedAccountRepresentation = new LinkedAccountRepresentation();
                linkedAccountRepresentation.setConnected(identity != null);
                linkedAccountRepresentation.setSocial(findSocialIds.contains(identityProviderModel.getProviderId()));
                linkedAccountRepresentation.setProviderAlias(alias);
                linkedAccountRepresentation.setDisplayName(identityProviderDisplayName);
                linkedAccountRepresentation.setGuiOrder(str);
                linkedAccountRepresentation.setProviderName(identityProviderModel.getAlias());
                if (identity != null) {
                    linkedAccountRepresentation.setLinkedUsername(identity.getUserName());
                }
                treeSet.add(linkedAccountRepresentation);
            }
        }
        return treeSet;
    }

    private FederatedIdentityModel getIdentity(Set<FederatedIdentityModel> set, String str) {
        for (FederatedIdentityModel federatedIdentityModel : set) {
            if (str.equals(federatedIdentityModel.getIdentityProvider())) {
                return federatedIdentityModel;
            }
        }
        return null;
    }

    @GET
    @Path("/{providerId}")
    @Deprecated
    @Produces({"application/json"})
    public Response buildLinkedAccountURI(@PathParam("providerId") String str, @QueryParam("redirectUri") String str2) {
        this.auth.require(AccountRoles.MANAGE_ACCOUNT);
        if (str2 == null) {
            ErrorResponse.error(Messages.INVALID_REDIRECT_URI, Response.Status.BAD_REQUEST);
        }
        String checkCommonPreconditions = checkCommonPreconditions(str);
        if (checkCommonPreconditions != null) {
            return ErrorResponse.error(checkCommonPreconditions, Response.Status.BAD_REQUEST);
        }
        try {
            String uuid = UUID.randomUUID().toString();
            String encode = Base64Url.encode(MessageDigest.getInstance("SHA-256").digest((uuid + this.auth.getSession().getId() + this.client.getClientId() + str).getBytes(StandardCharsets.UTF_8)));
            URI build = UriBuilder.fromUri(Urls.identityProviderLinkRequest(this.session.getContext().getUri().getBaseUri(), str, this.realm.getName())).queryParam("nonce", uuid).queryParam("hash", encode).queryParam("client_id", this.client.getClientId()).queryParam("redirect_uri", str2).build(new Object[0]);
            AccountLinkUriRepresentation accountLinkUriRepresentation = new AccountLinkUriRepresentation();
            accountLinkUriRepresentation.setAccountLinkUri(build);
            accountLinkUriRepresentation.setHash(encode);
            accountLinkUriRepresentation.setNonce(uuid);
            return Cors.add(this.request, Response.ok(accountLinkUriRepresentation)).auth().allowedOrigins(this.auth.getToken()).build();
        } catch (Exception e) {
            e.printStackTrace();
            return ErrorResponse.error(Messages.FAILED_TO_PROCESS_RESPONSE, Response.Status.INTERNAL_SERVER_ERROR);
        }
    }

    @Produces({"application/json"})
    @Path("/{providerId}")
    @DELETE
    public Response removeLinkedAccount(@PathParam("providerId") String str) {
        this.auth.require(AccountRoles.MANAGE_ACCOUNT);
        String checkCommonPreconditions = checkCommonPreconditions(str);
        if (checkCommonPreconditions != null) {
            return ErrorResponse.error(checkCommonPreconditions, Response.Status.BAD_REQUEST);
        }
        FederatedIdentityModel federatedIdentity = this.session.users().getFederatedIdentity(this.user, str, this.realm);
        if (federatedIdentity == null) {
            return ErrorResponse.error(Messages.FEDERATED_IDENTITY_NOT_ACTIVE, Response.Status.BAD_REQUEST);
        }
        if (this.session.users().getFederatedIdentities(this.user, this.realm).size() <= 1 && this.user.getFederationLink() == null && !isPasswordSet()) {
            return ErrorResponse.error(Messages.FEDERATED_IDENTITY_REMOVING_LAST_PROVIDER, Response.Status.BAD_REQUEST);
        }
        this.session.users().removeFederatedIdentity(this.realm, this.user, str);
        logger.debugv("Social provider {0} removed successfully from user {1}", str, this.user.getUsername());
        this.event.event(EventType.REMOVE_FEDERATED_IDENTITY).client(this.auth.getClient()).user(this.auth.getUser()).detail("username", this.auth.getUser().getUsername()).detail("identity_provider", federatedIdentity.getIdentityProvider()).detail(Details.IDENTITY_PROVIDER_USERNAME, federatedIdentity.getUserName()).success();
        return Cors.add(this.request, Response.ok()).auth().allowedOrigins(this.auth.getToken()).build();
    }

    private String checkCommonPreconditions(String str) {
        this.auth.require(AccountRoles.MANAGE_ACCOUNT);
        if (Validation.isEmpty(str)) {
            return Messages.MISSING_IDENTITY_PROVIDER;
        }
        if (!isValidProvider(str)) {
            return Messages.IDENTITY_PROVIDER_NOT_FOUND;
        }
        if (this.user.isEnabled()) {
            return null;
        }
        return Messages.ACCOUNT_DISABLED;
    }

    private boolean isPasswordSet() {
        return this.session.userCredentialManager().isConfiguredFor(this.realm, this.user, "password");
    }

    private boolean isValidProvider(String str) {
        Iterator<IdentityProviderModel> it = this.realm.getIdentityProviders().iterator();
        while (it.hasNext()) {
            if (it.next().getAlias().equals(str)) {
                return true;
            }
        }
        return false;
    }
}
