package org.keycloak.authentication.authenticators.broker;

import java.util.Objects;
import java.util.concurrent.TimeUnit;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilderException;
import org.jboss.logging.Logger;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.actiontoken.idpverifyemail.IdpVerifyAccountLinkActionToken;
import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.common.util.Time;
import org.keycloak.email.EmailException;
import org.keycloak.email.EmailTemplateProvider;
import org.keycloak.events.Details;
import org.keycloak.events.Errors;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakUriInfo;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.ServicesLogger;
import org.keycloak.services.Urls;
import org.keycloak.services.messages.Messages;
import org.keycloak.sessions.AuthenticationSessionCompoundId;
import org.keycloak.sessions.AuthenticationSessionModel;

/* loaded from: input_file:BOOT-INF/lib/keycloak-services-8.0.0.jar:org/keycloak/authentication/authenticators/broker/IdpEmailVerificationAuthenticator.class */
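/**
 * Broker-login authenticator that lets the owner of an existing account confirm, through a
 * link sent to that account's e-mail address, that an external (identity-provider) identity may
 * be linked to it.
 *
 * <p>Flow as implemented here:
 * <ul>
 *   <li>If the realm has no SMTP configuration the step is marked {@code attempted} and nothing
 *       is sent.</li>
 *   <li>If the auth note {@link #VERIFY_ACCOUNT_IDP_USERNAME} equals the brokered username, the
 *       link is treated as confirmed: the existing user becomes the flow's user and the step
 *       succeeds. This note is expected to be written when the emailed
 *       {@link IdpVerifyAccountLinkActionToken} is redeemed (the handler is not visible in this
 *       file).</li>
 *   <li>Otherwise an action-token link is e-mailed to the existing user, and the address it was
 *       sent to is remembered in {@link Constants#VERIFY_EMAIL_KEY} so that re-entering this
 *       authenticator shows the "e-mail sent" page instead of sending again. The page's
 *       "resend" action clears that marker and sends a fresh link.</li>
 * </ul>
 */
public class IdpEmailVerificationAuthenticator extends AbstractIdpAuthenticator {

    private static final Logger logger = Logger.getLogger(IdpEmailVerificationAuthenticator.class);

    /** Auth note carrying the identity-provider username whose link the user has confirmed. */
    public static final String VERIFY_ACCOUNT_IDP_USERNAME = "VERIFY_ACCOUNT_IDP_USERNAME";

    /** Template attribute under which the brokered identity context is exposed to e-mail and page templates. */
    private static final String BROKER_CTX_ATTRIBUTE = "identityProviderBrokerCtx";

    /**
     * Either completes the step (link already confirmed) or makes sure exactly one confirmation
     * e-mail is pending for the existing user's address.
     *
     * @param authenticationFlowContext the running flow
     * @param serializedBrokeredIdentityContext serialized broker context (unused here)
     * @param brokeredIdentityContext identity received from the external provider
     */
    @Override // org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator
    protected void authenticateImpl(AuthenticationFlowContext authenticationFlowContext,
                                    SerializedBrokeredIdentityContext serializedBrokeredIdentityContext,
                                    BrokeredIdentityContext brokeredIdentityContext) {
        KeycloakSession session = authenticationFlowContext.getSession();
        RealmModel realm = authenticationFlowContext.getRealm();
        AuthenticationSessionModel authSession = authenticationFlowContext.getAuthenticationSession();

        // Without SMTP the confirmation e-mail cannot be sent; report "attempted" so the flow can
        // continue with an alternative execution instead of failing outright.
        if (realm.getSmtpConfig().isEmpty()) {
            ServicesLogger.LOGGER.smtpNotConfigured();
            authenticationFlowContext.attempted();
            return;
        }

        // Both remaining branches need the account the external identity is to be linked with.
        UserModel existingUser = getExistingUser(session, realm, authSession);

        // A matching note is the only evidence this authenticator has that the emailed link was
        // used; equality with the brokered username is what makes the step succeed.
        // NOTE(review): Objects.equals also holds when the note is absent and the brokered
        // username is null — this relies on an earlier step always providing a username; confirm.
        String confirmedIdpUsername = authSession.getAuthNote(VERIFY_ACCOUNT_IDP_USERNAME);
        if (Objects.equals(confirmedIdpUsername, brokeredIdentityContext.getUsername())) {
            logger.debugf("User '%s' confirmed that wants to link with identity provider '%s' . Identity provider username is '%s' ",
                    existingUser.getUsername(),
                    brokeredIdentityContext.getIdpConfig().getAlias(),
                    brokeredIdentityContext.getUsername());
            authenticationFlowContext.setUser(existingUser);
            authenticationFlowContext.success();
            return;
        }

        // VERIFY_EMAIL_KEY records the address a link was already sent to for this auth session;
        // while it still matches the user's current e-mail, only re-show the page.
        String pendingEmail = authSession.getAuthNote(Constants.VERIFY_EMAIL_KEY);
        if (Objects.equals(pendingEmail, existingUser.getEmail())) {
            showEmailSentPage(authenticationFlowContext, brokeredIdentityContext);
        } else {
            authSession.setAuthNote(Constants.VERIFY_EMAIL_KEY, existingUser.getEmail());
            sendVerifyEmail(session, authenticationFlowContext, existingUser, brokeredIdentityContext);
        }
    }

    /**
     * Handles the "resend e-mail" action of the sent page: drops the pending-address marker so
     * that {@link #authenticateImpl} sends a new link (unless the confirmation note already
     * matches, in which case it succeeds instead).
     *
     * <p>NOTE(review): no throttling of resends is visible here beyond the marker this method
     * clears; any rate limiting would have to come from elsewhere — confirm.
     */
    @Override // org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator
    protected void actionImpl(AuthenticationFlowContext authenticationFlowContext,
                              SerializedBrokeredIdentityContext serializedBrokeredIdentityContext,
                              BrokeredIdentityContext brokeredIdentityContext) {
        logger.debugf("Re-sending email requested for user, details follow");
        authenticationFlowContext.getAuthenticationSession().removeAuthNote(Constants.VERIFY_EMAIL_KEY);
        authenticateImpl(authenticationFlowContext, serializedBrokeredIdentityContext, brokeredIdentityContext);
    }

    /** The flow may run this step before a user is attached to the context. */
    @Override // org.keycloak.authentication.Authenticator
    public boolean requiresUser() {
        return false;
    }

    /** Never reports itself as configured for a given user. */
    @Override // org.keycloak.authentication.Authenticator
    public boolean configuredFor(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
        return false;
    }

    /**
     * Builds and e-mails the confirmation link, then shows the "e-mail sent" page; on a send
     * failure records the error event and fails the flow with an internal-error page.
     *
     * @param keycloakSession session whose context supplies realm and URI info
     * @param authenticationFlowContext the running flow
     * @param userModel existing account the link is mailed to
     * @param brokeredIdentityContext identity to be linked; passed to the e-mail template
     */
    private void sendVerifyEmail(KeycloakSession keycloakSession,
                                 AuthenticationFlowContext authenticationFlowContext,
                                 UserModel userModel,
                                 BrokeredIdentityContext brokeredIdentityContext) {
        RealmModel realm = keycloakSession.getContext().getRealm();
        KeycloakUriInfo uriInfo = keycloakSession.getContext().getUri();
        AuthenticationSessionModel authSession = authenticationFlowContext.getAuthenticationSession();

        // Link validity is the realm's lifespan for this token type, in seconds; the e-mail
        // template receives the same value in minutes.
        int validityInSecs = realm.getActionTokenGeneratedByUserLifespan(IdpVerifyAccountLinkActionToken.TOKEN_TYPE);
        int absoluteExpirationInSecs = Time.currentTime() + validityInSecs;

        // Separate audit event for the send; auth-method/type details of the parent event do not
        // describe this e-mail and are dropped. (The decompiled listing rendered clone() with a
        // synthetic name; EventBuilder's copy method is clone().)
        EventBuilder event = authenticationFlowContext.getEvent().clone()
                .event(EventType.SEND_IDENTITY_PROVIDER_LINK)
                .user(userModel)
                .detail("username", userModel.getUsername())
                .detail("email", userModel.getEmail())
                .detail(Details.CODE_ID, authSession.getParentSession().getId())
                .removeDetail(Details.AUTH_METHOD)
                .removeDetail(Details.AUTH_TYPE);

        try {
            EmailTemplateProvider emailProvider = authenticationFlowContext.getSession()
                    .getProvider(EmailTemplateProvider.class)
                    .setRealm(realm)
                    .setAuthenticationSession(authSession)
                    .setUser(userModel)
                    .setAttribute(BROKER_CTX_ATTRIBUTE, brokeredIdentityContext);

            String link = buildConfirmationLink(keycloakSession, authenticationFlowContext, realm, uriInfo,
                    authSession, userModel, brokeredIdentityContext, absoluteExpirationInSecs);

            emailProvider.sendConfirmIdentityBrokerLink(link, TimeUnit.SECONDS.toMinutes(validityInSecs));
            event.success();
            showEmailSentPage(authenticationFlowContext, brokeredIdentityContext);
        } catch (EmailException e) {
            event.error(Errors.EMAIL_SEND_FAILED);
            ServicesLogger.LOGGER.confirmBrokerEmailFailed(e);
            authenticationFlowContext.failure(AuthenticationFlowError.INTERNAL_ERROR,
                    authenticationFlowContext.form()
                            .setError(Messages.EMAIL_SENT_ERROR)
                            .createErrorPage(Response.Status.INTERNAL_SERVER_ERROR));
        }
    }

    /**
     * Builds the absolute URL the user must open to confirm the link. The action token is bound
     * to the user id, the compound auth-session id, the brokered username and provider alias, the
     * client id and an absolute expiry, and is serialized for the realm before being placed in
     * the URL together with the client id, tab id and this execution's id.
     *
     * @return the confirmation URL as a string
     */
    private static String buildConfirmationLink(KeycloakSession keycloakSession,
                                                AuthenticationFlowContext authenticationFlowContext,
                                                RealmModel realm,
                                                KeycloakUriInfo uriInfo,
                                                AuthenticationSessionModel authSession,
                                                UserModel userModel,
                                                BrokeredIdentityContext brokeredIdentityContext,
                                                int absoluteExpirationInSecs) {
        String clientId = authSession.getClient().getClientId();
        IdpVerifyAccountLinkActionToken token = new IdpVerifyAccountLinkActionToken(
                userModel.getId(),
                absoluteExpirationInSecs,
                AuthenticationSessionCompoundId.fromAuthSession(authSession).getEncodedId(),
                brokeredIdentityContext.getUsername(),
                brokeredIdentityContext.getIdpConfig().getAlias(),
                clientId);
        return Urls.actionTokenBuilder(uriInfo.getBaseUri(),
                        token.serialize(keycloakSession, realm, uriInfo),
                        clientId,
                        authSession.getTabId())
                .queryParam(Constants.EXECUTION, authenticationFlowContext.getExecution().getId())
                .build(realm.getName())
                .toString();
    }

    /**
     * Renders the "confirmation e-mail sent" page as a challenge. Its action URI (built from a
     * fresh access code) leads back to {@link #actionImpl}, i.e. the resend action.
     *
     * @param authenticationFlowContext the running flow
     * @param brokeredIdentityContext identity to be linked; exposed to the page template
     */
    protected void showEmailSentPage(AuthenticationFlowContext authenticationFlowContext,
                                     BrokeredIdentityContext brokeredIdentityContext) {
        Response page = authenticationFlowContext.form()
                .setStatus(Response.Status.OK)
                .setAttribute(BROKER_CTX_ATTRIBUTE, brokeredIdentityContext)
                .setActionUri(authenticationFlowContext.getActionUrl(authenticationFlowContext.generateAccessCode()))
                .setExecution(authenticationFlowContext.getExecution().getId())
                .createIdpLinkEmailPage();
        authenticationFlowContext.forceChallenge(page);
    }
}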
