package org.keycloak.protocol.oidc.endpoints;

import java.util.Collections;
import java.util.HashMap;
import javax.ws.rs.GET;
import javax.ws.rs.OPTIONS;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import org.jboss.resteasy.annotations.cache.NoCache;
import org.jboss.resteasy.spi.HttpRequest;
import org.jboss.resteasy.spi.HttpResponse;
import org.keycloak.OAuth2Constants;
import org.keycloak.OAuthErrorException;
import org.keycloak.TokenCategory;
import org.keycloak.TokenVerifier;
import org.keycloak.common.ClientConnection;
import org.keycloak.common.VerificationException;
import org.keycloak.crypto.SignatureProvider;
import org.keycloak.events.Details;
import org.keycloak.events.Errors;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.Urls;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.UserInfoRequestContext;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.UserSessionCrossDCManager;
import org.keycloak.services.resources.Cors;
import org.keycloak.services.util.DefaultClientSessionContext;
import org.keycloak.services.util.MtlsHoKTokenUtil;
import org.keycloak.utils.MediaType;

/* loaded from: input_file:BOOT-INF/lib/keycloak-services-11.0.2.jar:org/keycloak/protocol/oidc/endpoints/UserInfoEndpoint.class */
public class UserInfoEndpoint {

    @Context
    private HttpRequest request;

    @Context
    private HttpResponse response;

    @Context
    private KeycloakSession session;

    @Context
    private ClientConnection clientConnection;
    private final TokenManager tokenManager;
    private final AppAuthManager appAuthManager = new AppAuthManager();
    private final RealmModel realm;

    public UserInfoEndpoint(TokenManager tokenManager, RealmModel realmModel) {
        this.realm = realmModel;
        this.tokenManager = tokenManager;
    }

    @Path("/")
    @OPTIONS
    public Response issueUserInfoPreflight() {
        return Cors.add(this.request, Response.ok()).auth().preflight().build();
    }

    @GET
    @Path("/")
    @NoCache
    public Response issueUserInfoGet(@Context HttpHeaders httpHeaders) {
        return issueUserInfo(this.appAuthManager.extractAuthorizationHeaderTokenOrReturnNull(httpHeaders));
    }

    @POST
    @Path("/")
    @NoCache
    public Response issueUserInfoPost() {
        String extractAuthorizationHeaderTokenOrReturnNull = this.appAuthManager.extractAuthorizationHeaderTokenOrReturnNull(this.request.getHttpHeaders());
        if (extractAuthorizationHeaderTokenOrReturnNull == null) {
            extractAuthorizationHeaderTokenOrReturnNull = this.request.getDecodedFormParameters().getFirst("access_token");
        }
        return issueUserInfo(extractAuthorizationHeaderTokenOrReturnNull);
    }

    private ErrorResponseException newUnauthorizedErrorResponseException(String str, String str2) {
        this.response.getOutputHeaders().put("WWW-Authenticate", Collections.singletonList(String.format("Bearer realm=\"%s\", error=\"%s\", error_description=\"%s\"", this.realm.getName(), str, str2)));
        return new ErrorResponseException(str, str2, Response.Status.UNAUTHORIZED);
    }

    private Response issueUserInfo(String str) {
        Response.ResponseBuilder header;
        try {
            this.session.clientPolicy().triggerOnEvent(new UserInfoRequestContext(str));
            EventBuilder detail = new EventBuilder(this.realm, this.session, this.clientConnection).event(EventType.USER_INFO_REQUEST).detail(Details.AUTH_METHOD, Details.VALIDATE_ACCESS_TOKEN);
            if (str == null) {
                detail.error("invalid_token");
                throw new ErrorResponseException("invalid_request", "Token not provided", Response.Status.BAD_REQUEST);
            }
            try {
                TokenVerifier realmUrl = TokenVerifier.create(str, AccessToken.class).withDefaultChecks().realmUrl(Urls.realmIssuer(this.session.getContext().getUri().getBaseUri(), this.realm.getName()));
                realmUrl.verifierContext(((SignatureProvider) this.session.getProvider(SignatureProvider.class, realmUrl.getHeader().getAlgorithm().name())).verifier(realmUrl.getHeader().getKeyId()));
                AccessToken accessToken = (AccessToken) realmUrl.verify().getToken();
                ClientModel clientByClientId = this.realm.getClientByClientId(accessToken.getIssuedFor());
                if (clientByClientId == null) {
                    detail.error(Errors.CLIENT_NOT_FOUND);
                    throw new ErrorResponseException("invalid_request", "Client not found", Response.Status.BAD_REQUEST);
                }
                TokenVerifier.createWithoutSignature(accessToken).withChecks(TokenManager.NotBeforeCheck.forModel(clientByClientId)).verify();
                if (!clientByClientId.getProtocol().equals("openid-connect")) {
                    detail.error("invalid_client");
                    throw new ErrorResponseException("invalid_client", "Wrong client protocol.", Response.Status.BAD_REQUEST);
                }
                this.session.getContext().setClient(clientByClientId);
                detail.client(clientByClientId);
                if (!clientByClientId.isEnabled()) {
                    detail.error(Errors.CLIENT_DISABLED);
                    throw new ErrorResponseException("invalid_request", "Client disabled", Response.Status.BAD_REQUEST);
                }
                UserSessionModel findValidSession = findValidSession(accessToken, detail, clientByClientId);
                UserModel user = findValidSession.getUser();
                if (user == null) {
                    detail.error(Errors.USER_NOT_FOUND);
                    throw new ErrorResponseException("invalid_request", "User not found", Response.Status.BAD_REQUEST);
                }
                detail.user(user).detail("username", user.getUsername());
                if (OIDCAdvancedConfigWrapper.fromClientModel(clientByClientId).isUseMtlsHokToken() && !MtlsHoKTokenUtil.verifyTokenBindingWithClientCertificate(accessToken, this.request, this.session)) {
                    detail.error(Errors.NOT_ALLOWED);
                    throw newUnauthorizedErrorResponseException(OAuthErrorException.UNAUTHORIZED_CLIENT, MtlsHoKTokenUtil.CERT_VERIFY_ERROR_DESC);
                }
                DefaultClientSessionContext fromClientSessionScopeParameter = DefaultClientSessionContext.fromClientSessionScopeParameter(findValidSession.getAuthenticatedClientSessionByClient(clientByClientId.getId()), this.session);
                AccessToken accessToken2 = new AccessToken();
                accessToken2.subject(user.getId());
                this.tokenManager.transformUserInfoAccessToken(this.session, accessToken2, findValidSession, fromClientSessionScopeParameter);
                HashMap hashMap = new HashMap();
                hashMap.putAll(accessToken2.getOtherClaims());
                hashMap.put("sub", accessToken2.getSubject());
                OIDCAdvancedConfigWrapper fromClientModel = OIDCAdvancedConfigWrapper.fromClientModel(clientByClientId);
                if (fromClientModel.isUserInfoSignatureRequired()) {
                    String realmIssuer = Urls.realmIssuer(this.session.getContext().getUri().getBaseUri(), this.realm.getName());
                    String clientId = clientByClientId.getClientId();
                    hashMap.put(OIDCLoginProtocol.ISSUER, realmIssuer);
                    hashMap.put("aud", clientId);
                    header = Response.ok(new JWSBuilder().type(OAuth2Constants.JWT).jsonContent(hashMap).sign(((SignatureProvider) this.session.getProvider(SignatureProvider.class, this.session.tokens().signatureAlgorithm(TokenCategory.USERINFO))).signer())).header("Content-Type", MediaType.APPLICATION_JWT);
                    detail.detail(Details.SIGNATURE_REQUIRED, "true");
                    detail.detail(Details.SIGNATURE_ALGORITHM, fromClientModel.getUserInfoSignedResponseAlg().toString());
                } else {
                    header = Response.ok(hashMap).header("Content-Type", "application/json");
                    detail.detail(Details.SIGNATURE_REQUIRED, "false");
                }
                detail.success();
                return Cors.add(this.request, header).auth().allowedOrigins(this.session, clientByClientId).build();
            } catch (VerificationException e) {
                detail.error("invalid_token");
                throw newUnauthorizedErrorResponseException("invalid_token", "Token verification failed");
            }
        } catch (ClientPolicyException e2) {
            throw new ErrorResponseException("invalid_request", e2.getErrorDetail(), Response.Status.BAD_REQUEST);
        }
    }

    private UserSessionModel findValidSession(AccessToken accessToken, EventBuilder eventBuilder, ClientModel clientModel) {
        UserSessionModel userSessionWithClient = new UserSessionCrossDCManager(this.session).getUserSessionWithClient(this.realm, accessToken.getSessionState(), false, clientModel.getId());
        if (AuthenticationManager.isSessionValid(this.realm, userSessionWithClient)) {
            checkTokenIssuedAt(accessToken, userSessionWithClient, eventBuilder);
            eventBuilder.session(userSessionWithClient);
            return userSessionWithClient;
        }
        UserSessionModel userSessionWithClient2 = new UserSessionCrossDCManager(this.session).getUserSessionWithClient(this.realm, accessToken.getSessionState(), true, clientModel.getId());
        if (AuthenticationManager.isOfflineSessionValid(this.realm, userSessionWithClient2)) {
            checkTokenIssuedAt(accessToken, userSessionWithClient2, eventBuilder);
            eventBuilder.session(userSessionWithClient2);
            return userSessionWithClient2;
        }
        if (userSessionWithClient == null && userSessionWithClient2 == null) {
            eventBuilder.error(Errors.USER_SESSION_NOT_FOUND);
            throw newUnauthorizedErrorResponseException("invalid_request", "User session not found or doesn't have client attached on it");
        }
        if (userSessionWithClient != null) {
            eventBuilder.session(userSessionWithClient);
        } else {
            eventBuilder.session(userSessionWithClient2);
        }
        eventBuilder.error(Errors.SESSION_EXPIRED);
        throw newUnauthorizedErrorResponseException("invalid_token", "Session expired");
    }

    private void checkTokenIssuedAt(AccessToken accessToken, UserSessionModel userSessionModel, EventBuilder eventBuilder) throws ErrorResponseException {
        if (accessToken.getIssuedAt() + 1 < userSessionModel.getStarted()) {
            eventBuilder.error("invalid_token");
            throw newUnauthorizedErrorResponseException("invalid_token", "Stale token");
        }
    }
}
