package org.keycloak.services.resources.account;

import ch.qos.logback.core.joran.util.beans.BeanUtil;
import java.io.IOException;
import java.lang.reflect.Method;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import javax.ws.rs.Consumes;
import javax.ws.rs.FormParam;
import javax.ws.rs.GET;
import javax.ws.rs.NotFoundException;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import org.hibernate.event.internal.EntityCopyAllowedLoggedObserver;
import org.jboss.logging.Logger;
import org.keycloak.authentication.requiredactions.ConsoleUpdatePassword;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.PermissionTicket;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.store.PermissionTicketStore;
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.common.constants.ServiceAccountConstants;
import org.keycloak.common.util.Base64Url;
import org.keycloak.common.util.Time;
import org.keycloak.common.util.UriUtils;
import org.keycloak.connections.infinispan.InfinispanConnectionProvider;
import org.keycloak.events.Details;
import org.keycloak.events.Errors;
import org.keycloak.events.Event;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventStoreProvider;
import org.keycloak.events.EventType;
import org.keycloak.forms.account.AccountPages;
import org.keycloak.forms.account.AccountProvider;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.locale.LocaleSelectorProvider;
import org.keycloak.locale.LocaleUpdaterProvider;
import org.keycloak.models.AccountRoles;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.FederatedIdentityModel;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelDuplicateException;
import org.keycloak.models.ModelException;
import org.keycloak.models.OTPPolicy;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.credential.OTPCredentialModel;
import org.keycloak.models.utils.CredentialValidation;
import org.keycloak.models.utils.FormMessage;
import org.keycloak.protocol.oidc.utils.RedirectUtils;
import org.keycloak.services.ErrorResponse;
import org.keycloak.services.ForbiddenException;
import org.keycloak.services.ServicesLogger;
import org.keycloak.services.Urls;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.Auth;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.AuthenticationSessionManager;
import org.keycloak.services.managers.UserSessionManager;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.AbstractSecuredLocalService;
import org.keycloak.services.resources.AttributeFormDataProcessor;
import org.keycloak.services.resources.RealmsResource;
import org.keycloak.services.util.ResolveRelative;
import org.keycloak.services.validation.Validation;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.storage.ReadOnlyException;
import org.keycloak.util.JsonSerialization;
import org.keycloak.utils.CredentialHelper;

/* loaded from: input_file:BOOT-INF/lib/keycloak-services-11.0.2.jar:org/keycloak/services/resources/account/AccountFormService.class */
public class AccountFormService extends AbstractSecuredLocalService {
    private static final Logger logger = Logger.getLogger((Class<?>) AccountFormService.class);
    private static Set<String> VALID_PATHS = new HashSet();
    public static final String ACCOUNT_MGMT_FORWARDED_ERROR_NOTE = "ACCOUNT_MGMT_FORWARDED_ERROR";
    private final AppAuthManager authManager;
    private EventBuilder event;
    private AccountProvider account;
    private EventStoreProvider eventStore;

    /* loaded from: input_file:BOOT-INF/lib/keycloak-services-11.0.2.jar:org/keycloak/services/resources/account/AccountFormService$AccountSocialAction.class */
    private enum AccountSocialAction {
        ADD,
        REMOVE;

        public static AccountSocialAction getAction(String str) {
            if (BeanUtil.PREFIX_ADDER.equalsIgnoreCase(str)) {
                return ADD;
            }
            if ("remove".equalsIgnoreCase(str)) {
                return REMOVE;
            }
            return null;
        }
    }

    public AccountFormService(RealmModel realmModel, ClientModel clientModel, EventBuilder eventBuilder) {
        super(realmModel, clientModel);
        this.event = eventBuilder;
        this.authManager = new AppAuthManager();
    }

    public void init() {
        String first;
        this.eventStore = (EventStoreProvider) this.session.getProvider(EventStoreProvider.class);
        this.account = ((AccountProvider) this.session.getProvider(AccountProvider.class)).setRealm(this.realm).setUriInfo(this.session.getContext().getUri()).setHttpHeaders(this.headers);
        AuthenticationManager.AuthResult authenticateIdentityCookie = this.authManager.authenticateIdentityCookie(this.session, this.realm);
        if (authenticateIdentityCookie != null) {
            this.stateChecker = (String) this.session.getAttribute("state_checker");
            this.auth = new Auth(this.realm, authenticateIdentityCookie.getToken(), authenticateIdentityCookie.getUser(), this.client, authenticateIdentityCookie.getSession(), true);
            this.account.setStateChecker(this.stateChecker);
        }
        String origin = UriUtils.getOrigin(this.session.getContext().getUri().getBaseUri());
        String first2 = this.headers.getRequestHeaders().getFirst("Origin");
        if (first2 != null && !first2.equals("null") && !origin.equals(first2)) {
            throw new ForbiddenException();
        }
        if (!this.request.getHttpMethod().equals("GET") && (first = this.headers.getRequestHeaders().getFirst("Referer")) != null && !origin.equals(UriUtils.getOrigin(first))) {
            throw new ForbiddenException();
        }
        if (authenticateIdentityCookie != null) {
            UserSessionModel session = authenticateIdentityCookie.getSession();
            if (session != null) {
                AuthenticatedClientSessionModel authenticatedClientSessionByClient = session.getAuthenticatedClientSessionByClient(this.client.getId());
                if (authenticatedClientSessionByClient == null) {
                    authenticatedClientSessionByClient = this.session.sessions().createClientSession(session.getRealm(), this.client, session);
                }
                this.auth.setClientSession(authenticatedClientSessionByClient);
            }
            this.account.setUser(this.auth.getUser());
        }
        this.account.setFeatures(this.realm.isIdentityFederationEnabled(), this.eventStore != null && this.realm.isEventsEnabled(), true, true);
    }

    public static UriBuilder accountServiceBaseUrl(UriInfo uriInfo) {
        return uriInfo.getBaseUriBuilder().path(RealmsResource.class).path(RealmsResource.class, "getAccountService");
    }

    public static UriBuilder accountServiceApplicationPage(UriInfo uriInfo) {
        return accountServiceBaseUrl(uriInfo).path(AccountFormService.class, "applicationsPage");
    }

    @Override // org.keycloak.services.resources.AbstractSecuredLocalService
    protected Set<String> getValidPaths() {
        return VALID_PATHS;
    }

    private Response forwardToPage(String str, AccountPages accountPages) {
        AuthenticationSessionModel authenticationSessionByIdAndClient;
        String authNote;
        if (this.auth == null) {
            return login(str);
        }
        try {
            this.auth.require(AccountRoles.MANAGE_ACCOUNT);
            setReferrerOnPage();
            UserSessionModel session = this.auth.getSession();
            String first = this.session.getContext().getUri().getQueryParameters().getFirst(org.keycloak.models.Constants.TAB_ID);
            if (first != null && (authenticationSessionByIdAndClient = new AuthenticationSessionManager(this.session).getAuthenticationSessionByIdAndClient(this.realm, session.getId(), this.client, first)) != null && (authNote = authenticationSessionByIdAndClient.getAuthNote(ACCOUNT_MGMT_FORWARDED_ERROR_NOTE)) != null) {
                try {
                    FormMessage formMessage = (FormMessage) JsonSerialization.readValue(authNote, FormMessage.class);
                    this.account.setError(Response.Status.INTERNAL_SERVER_ERROR, formMessage.getMessage(), formMessage.getParameters());
                    authenticationSessionByIdAndClient.removeAuthNote(ACCOUNT_MGMT_FORWARDED_ERROR_NOTE);
                } catch (IOException e) {
                    throw new RuntimeException(e);
                }
            }
            String first2 = this.session.getContext().getUri().getQueryParameters().getFirst(LocaleSelectorProvider.KC_LOCALE_PARAM);
            if (first2 != null) {
                ((LocaleUpdaterProvider) this.session.getProvider(LocaleUpdaterProvider.class)).updateUsersLocale(this.auth.getUser(), first2);
            }
            return this.account.createResponse(accountPages);
        } catch (ForbiddenException e2) {
            return ((LoginFormsProvider) this.session.getProvider(LoginFormsProvider.class)).setError(Messages.NO_ACCESS, new Object[0]).createErrorPage(Response.Status.FORBIDDEN);
        }
    }

    private void setReferrerOnPage() {
        String[] referrer = getReferrer();
        if (referrer != null) {
            this.account.setReferrer(referrer);
        }
    }

    @GET
    @Produces({"text/html"})
    @Path("/")
    public Response accountPage() {
        return forwardToPage(null, AccountPages.ACCOUNT);
    }

    public static UriBuilder totpUrl(UriBuilder uriBuilder) {
        return RealmsResource.accountUrl(uriBuilder).path(AccountFormService.class, "totpPage");
    }

    @GET
    @Path("totp")
    public Response totpPage() {
        this.account.setAttribute("mode", this.session.getContext().getUri().getQueryParameters().getFirst("mode"));
        return forwardToPage("totp", AccountPages.TOTP);
    }

    public static UriBuilder passwordUrl(UriBuilder uriBuilder) {
        return RealmsResource.accountUrl(uriBuilder).path(AccountFormService.class, "passwordPage");
    }

    @GET
    @Path("password")
    public Response passwordPage() {
        if (this.auth != null) {
            this.account.setPasswordSet(isPasswordSet(this.session, this.realm, this.auth.getUser()));
        }
        return forwardToPage("password", AccountPages.PASSWORD);
    }

    @GET
    @Path("identity")
    public Response federatedIdentityPage() {
        return forwardToPage("identity", AccountPages.FEDERATED_IDENTITY);
    }

    @GET
    @Path(EntityCopyAllowedLoggedObserver.SHORT_NAME)
    public Response logPage() {
        if (!this.realm.isEventsEnabled()) {
            throw new NotFoundException();
        }
        if (this.auth != null) {
            List<Event> resultList = this.eventStore.createQuery().type(Constants.EXPOSED_LOG_EVENTS).realm(this.auth.getRealm().getId()).user(this.auth.getUser().getId()).maxResults(30).getResultList();
            for (Event event : resultList) {
                if (event.getDetails() != null) {
                    Iterator<Map.Entry<String, String>> it = event.getDetails().entrySet().iterator();
                    while (it.hasNext()) {
                        if (!Constants.EXPOSED_LOG_DETAILS.contains(it.next().getKey())) {
                            it.remove();
                        }
                    }
                }
            }
            this.account.setEvents(resultList);
        }
        return forwardToPage(EntityCopyAllowedLoggedObserver.SHORT_NAME, AccountPages.LOG);
    }

    @GET
    @Path(InfinispanConnectionProvider.USER_SESSION_CACHE_NAME)
    public Response sessionsPage() {
        if (this.auth != null) {
            this.account.setSessions(this.session.sessions().getUserSessions(this.realm, this.auth.getUser()));
        }
        return forwardToPage(InfinispanConnectionProvider.USER_SESSION_CACHE_NAME, AccountPages.SESSIONS);
    }

    @GET
    @Path("applications")
    public Response applicationsPage() {
        return forwardToPage("applications", AccountPages.APPLICATIONS);
    }

    @POST
    @Path("/")
    @Consumes({"application/x-www-form-urlencoded"})
    public Response processAccountUpdate(MultivaluedMap<String, String> multivaluedMap) {
        if (this.auth == null) {
            return login(null);
        }
        this.auth.require(AccountRoles.MANAGE_ACCOUNT);
        String first = multivaluedMap.getFirst("submitAction");
        if (first != null && first.equals("Cancel")) {
            setReferrerOnPage();
            return this.account.createResponse(AccountPages.ACCOUNT);
        }
        csrfCheck(multivaluedMap);
        UserModel user = this.auth.getUser();
        this.event.event(EventType.UPDATE_PROFILE).client(this.auth.getClient()).user(this.auth.getUser());
        List<FormMessage> validateUpdateProfileForm = Validation.validateUpdateProfileForm(this.realm, multivaluedMap);
        if (validateUpdateProfileForm != null && !validateUpdateProfileForm.isEmpty()) {
            setReferrerOnPage();
            return this.account.setErrors(Response.Status.OK, validateUpdateProfileForm).setProfileFormData(multivaluedMap).createResponse(AccountPages.ACCOUNT);
        }
        try {
            updateUsername(multivaluedMap.getFirst("username"), user, this.session);
            updateEmail(multivaluedMap.getFirst("email"), user, this.session, this.event);
            user.setFirstName(multivaluedMap.getFirst("firstName"));
            user.setLastName(multivaluedMap.getFirst("lastName"));
            AttributeFormDataProcessor.process(multivaluedMap, this.realm, user);
            this.event.success();
            setReferrerOnPage();
            return this.account.setSuccess(Messages.ACCOUNT_UPDATED, new Object[0]).createResponse(AccountPages.ACCOUNT);
        } catch (ModelDuplicateException e) {
            setReferrerOnPage();
            return this.account.setError(Response.Status.CONFLICT, e.getMessage(), new Object[0]).setProfileFormData(multivaluedMap).createResponse(AccountPages.ACCOUNT);
        } catch (ReadOnlyException e2) {
            setReferrerOnPage();
            return this.account.setError(Response.Status.BAD_REQUEST, Messages.READ_ONLY_USER, new Object[0]).setProfileFormData(multivaluedMap).createResponse(AccountPages.ACCOUNT);
        }
    }

    @POST
    @Path(InfinispanConnectionProvider.USER_SESSION_CACHE_NAME)
    public Response processSessionsLogout(MultivaluedMap<String, String> multivaluedMap) {
        if (this.auth == null) {
            return login(InfinispanConnectionProvider.USER_SESSION_CACHE_NAME);
        }
        this.auth.require(AccountRoles.MANAGE_ACCOUNT);
        csrfCheck(multivaluedMap);
        UserModel user = this.auth.getUser();
        this.session.users().setNotBeforeForUser(this.realm, user, Time.currentTime() - 1);
        Iterator<UserSessionModel> it = this.session.sessions().getUserSessions(this.realm, user).iterator();
        while (it.hasNext()) {
            AuthenticationManager.backchannelLogout(this.session, this.realm, it.next(), this.session.getContext().getUri(), this.clientConnection, this.headers, true);
        }
        UriBuilder path = Urls.accountBase(this.session.getContext().getUri().getBaseUri()).path(AccountFormService.class, "sessionsPage");
        String first = this.session.getContext().getUri().getQueryParameters().getFirst("referrer");
        if (first != null) {
            path.queryParam("referrer", first);
        }
        return Response.seeOther(path.build(this.realm.getName())).build();
    }

    @POST
    @Path("applications")
    @Consumes({"application/x-www-form-urlencoded"})
    public Response processRevokeGrant(MultivaluedMap<String, String> multivaluedMap) {
        if (this.auth == null) {
            return login("applications");
        }
        this.auth.require(AccountRoles.MANAGE_ACCOUNT);
        csrfCheck(multivaluedMap);
        String first = multivaluedMap.getFirst(ServiceAccountConstants.CLIENT_ID);
        if (first == null) {
            setReferrerOnPage();
            return this.account.setError(Response.Status.BAD_REQUEST, Messages.CLIENT_NOT_FOUND, new Object[0]).createResponse(AccountPages.APPLICATIONS);
        }
        ClientModel clientById = this.realm.getClientById(first);
        if (clientById == null) {
            setReferrerOnPage();
            return this.account.setError(Response.Status.BAD_REQUEST, Messages.CLIENT_NOT_FOUND, new Object[0]).createResponse(AccountPages.APPLICATIONS);
        }
        UserModel user = this.auth.getUser();
        this.session.users().revokeConsentForClient(this.realm, user.getId(), clientById.getId());
        new UserSessionManager(this.session).revokeOfflineToken(user, clientById);
        AuthenticationManager.backchannelLogoutUserFromClient(this.session, this.realm, user, clientById, this.session.getContext().getUri(), this.headers);
        this.event.event(EventType.REVOKE_GRANT).client(this.auth.getClient()).user(this.auth.getUser()).detail(Details.REVOKED_CLIENT, clientById.getClientId()).success();
        setReferrerOnPage();
        UriBuilder path = Urls.accountBase(this.session.getContext().getUri().getBaseUri()).path(AccountFormService.class, "applicationsPage");
        String first2 = this.session.getContext().getUri().getQueryParameters().getFirst("referrer");
        if (first2 != null) {
            path.queryParam("referrer", first2);
        }
        return Response.seeOther(path.build(this.realm.getName())).build();
    }

    @POST
    @Path("totp")
    @Consumes({"application/x-www-form-urlencoded"})
    public Response processTotpUpdate(MultivaluedMap<String, String> multivaluedMap) {
        if (this.auth == null) {
            return login("totp");
        }
        this.auth.require(AccountRoles.MANAGE_ACCOUNT);
        this.account.setAttribute("mode", this.session.getContext().getUri().getQueryParameters().getFirst("mode"));
        String first = multivaluedMap.getFirst("submitAction");
        if (first != null && first.equals("Cancel")) {
            setReferrerOnPage();
            return this.account.createResponse(AccountPages.TOTP);
        }
        csrfCheck(multivaluedMap);
        UserModel user = this.auth.getUser();
        if (first != null && first.equals("Delete")) {
            String first2 = multivaluedMap.getFirst("credentialId");
            if (first2 == null) {
                setReferrerOnPage();
                return this.account.setError(Response.Status.OK, Messages.UNEXPECTED_ERROR_HANDLING_REQUEST, new Object[0]).createResponse(AccountPages.TOTP);
            }
            CredentialHelper.deleteOTPCredential(this.session, this.realm, user, first2);
            this.event.event(EventType.REMOVE_TOTP).client(this.auth.getClient()).user(this.auth.getUser()).success();
            setReferrerOnPage();
            return this.account.setSuccess(Messages.SUCCESS_TOTP_REMOVED, new Object[0]).createResponse(AccountPages.TOTP);
        }
        String first3 = multivaluedMap.getFirst("totp");
        String first4 = multivaluedMap.getFirst("totpSecret");
        String first5 = multivaluedMap.getFirst("userLabel");
        OTPPolicy oTPPolicy = this.realm.getOTPPolicy();
        OTPCredentialModel createFromPolicy = OTPCredentialModel.createFromPolicy(this.realm, first4, first5);
        if (Validation.isBlank(first3)) {
            setReferrerOnPage();
            return this.account.setError(Response.Status.OK, Messages.MISSING_TOTP, new Object[0]).createResponse(AccountPages.TOTP);
        }
        if (!CredentialValidation.validOTP(first3, createFromPolicy, oTPPolicy.getLookAheadWindow())) {
            setReferrerOnPage();
            return this.account.setError(Response.Status.OK, Messages.INVALID_TOTP, new Object[0]).createResponse(AccountPages.TOTP);
        }
        if (!CredentialHelper.createOTPCredential(this.session, this.realm, user, first3, createFromPolicy)) {
            setReferrerOnPage();
            return this.account.setError(Response.Status.OK, Messages.INVALID_TOTP, new Object[0]).createResponse(AccountPages.TOTP);
        }
        this.event.event(EventType.UPDATE_TOTP).client(this.auth.getClient()).user(this.auth.getUser()).success();
        setReferrerOnPage();
        return this.account.setSuccess(Messages.SUCCESS_TOTP, new Object[0]).createResponse(AccountPages.TOTP);
    }

    @POST
    @Path("password")
    @Consumes({"application/x-www-form-urlencoded"})
    public Response processPasswordUpdate(MultivaluedMap<String, String> multivaluedMap) {
        if (this.auth == null) {
            return login("password");
        }
        this.auth.require(AccountRoles.MANAGE_ACCOUNT);
        csrfCheck(multivaluedMap);
        UserModel user = this.auth.getUser();
        boolean isPasswordSet = isPasswordSet(this.session, this.realm, user);
        this.account.setPasswordSet(isPasswordSet);
        String first = multivaluedMap.getFirst("password");
        String first2 = multivaluedMap.getFirst(ConsoleUpdatePassword.PASSWORD_NEW);
        String first3 = multivaluedMap.getFirst("password-confirm");
        EventBuilder user2 = this.event.m8662clone().event(EventType.UPDATE_PASSWORD_ERROR).client(this.auth.getClient()).user(this.auth.getSession().getUser());
        if (isPasswordSet) {
            if (Validation.isBlank(first)) {
                setReferrerOnPage();
                user2.error(Errors.PASSWORD_MISSING);
                return this.account.setError(Response.Status.OK, Messages.MISSING_PASSWORD, new Object[0]).createResponse(AccountPages.PASSWORD);
            }
            if (!this.session.userCredentialManager().isValid(this.realm, user, UserCredentialModel.password(first))) {
                setReferrerOnPage();
                user2.error(Errors.INVALID_USER_CREDENTIALS);
                return this.account.setError(Response.Status.OK, Messages.INVALID_PASSWORD_EXISTING, new Object[0]).createResponse(AccountPages.PASSWORD);
            }
        }
        if (Validation.isBlank(first2)) {
            setReferrerOnPage();
            user2.error(Errors.PASSWORD_MISSING);
            return this.account.setError(Response.Status.OK, Messages.MISSING_PASSWORD, new Object[0]).createResponse(AccountPages.PASSWORD);
        }
        if (!first2.equals(first3)) {
            setReferrerOnPage();
            user2.error(Errors.PASSWORD_CONFIRM_ERROR);
            return this.account.setError(Response.Status.OK, Messages.INVALID_PASSWORD_CONFIRM, new Object[0]).createResponse(AccountPages.PASSWORD);
        }
        try {
            this.session.userCredentialManager().updateCredential(this.realm, user, UserCredentialModel.password(first2, false));
            for (UserSessionModel userSessionModel : this.session.sessions().getUserSessions(this.realm, user)) {
                if (!userSessionModel.getId().equals(this.auth.getSession().getId())) {
                    AuthenticationManager.backchannelLogout(this.session, this.realm, userSessionModel, this.session.getContext().getUri(), this.clientConnection, this.headers, true);
                }
            }
            this.event.event(EventType.UPDATE_PASSWORD).client(this.auth.getClient()).user(this.auth.getUser()).success();
            setReferrerOnPage();
            return this.account.setPasswordSet(true).setSuccess(Messages.ACCOUNT_PASSWORD_UPDATED, new Object[0]).createResponse(AccountPages.PASSWORD);
        } catch (ModelException e) {
            ServicesLogger.LOGGER.failedToUpdatePassword(e);
            setReferrerOnPage();
            user2.detail("reason", e.getMessage()).error(Errors.PASSWORD_REJECTED);
            return this.account.setError(Response.Status.NOT_ACCEPTABLE, e.getMessage(), e.getParameters()).createResponse(AccountPages.PASSWORD);
        } catch (ReadOnlyException e2) {
            setReferrerOnPage();
            user2.error(Errors.NOT_ALLOWED);
            return this.account.setError(Response.Status.BAD_REQUEST, Messages.READ_ONLY_PASSWORD, new Object[0]).createResponse(AccountPages.PASSWORD);
        } catch (Exception e3) {
            ServicesLogger.LOGGER.failedToUpdatePassword(e3);
            setReferrerOnPage();
            user2.detail("reason", e3.getMessage()).error(Errors.PASSWORD_REJECTED);
            return this.account.setError(Response.Status.INTERNAL_SERVER_ERROR, e3.getMessage(), new Object[0]).createResponse(AccountPages.PASSWORD);
        }
    }

    @POST
    @Path("identity")
    @Consumes({"application/x-www-form-urlencoded"})
    public Response processFederatedIdentityUpdate(MultivaluedMap<String, String> multivaluedMap) {
        if (this.auth == null) {
            return login("identity");
        }
        this.auth.require(AccountRoles.MANAGE_ACCOUNT);
        csrfCheck(multivaluedMap);
        UserModel user = this.auth.getUser();
        String first = multivaluedMap.getFirst(Details.ACTION);
        String first2 = multivaluedMap.getFirst("providerId");
        if (Validation.isEmpty(first2)) {
            setReferrerOnPage();
            return this.account.setError(Response.Status.OK, Messages.MISSING_IDENTITY_PROVIDER, new Object[0]).createResponse(AccountPages.FEDERATED_IDENTITY);
        }
        AccountSocialAction action = AccountSocialAction.getAction(first);
        if (action == null) {
            setReferrerOnPage();
            return this.account.setError(Response.Status.OK, Messages.INVALID_FEDERATED_IDENTITY_ACTION, new Object[0]).createResponse(AccountPages.FEDERATED_IDENTITY);
        }
        boolean z = false;
        Iterator<IdentityProviderModel> it = this.realm.getIdentityProviders().iterator();
        while (it.hasNext()) {
            if (it.next().getAlias().equals(first2)) {
                z = true;
            }
        }
        if (!z) {
            setReferrerOnPage();
            return this.account.setError(Response.Status.OK, Messages.IDENTITY_PROVIDER_NOT_FOUND, new Object[0]).createResponse(AccountPages.FEDERATED_IDENTITY);
        }
        if (!user.isEnabled()) {
            setReferrerOnPage();
            return this.account.setError(Response.Status.OK, Messages.ACCOUNT_DISABLED, new Object[0]).createResponse(AccountPages.FEDERATED_IDENTITY);
        }
        switch (action) {
            case ADD:
                String uri = UriBuilder.fromUri(Urls.accountFederatedIdentityPage(this.session.getContext().getUri().getBaseUri(), this.realm.getName())).build(new Object[0]).toString();
                try {
                    String uuid = UUID.randomUUID().toString();
                    return Response.seeOther(UriBuilder.fromUri(Urls.identityProviderLinkRequest(this.session.getContext().getUri().getBaseUri(), first2, this.realm.getName())).queryParam("nonce", uuid).queryParam("hash", Base64Url.encode(MessageDigest.getInstance("SHA-256").digest((uuid + this.auth.getSession().getId() + this.client.getClientId() + first2).getBytes(StandardCharsets.UTF_8)))).queryParam("client_id", this.client.getClientId()).queryParam("redirect_uri", uri).build(new Object[0])).build();
                } catch (Exception e) {
                    setReferrerOnPage();
                    return this.account.setError(Response.Status.INTERNAL_SERVER_ERROR, Messages.IDENTITY_PROVIDER_REDIRECT_ERROR, new Object[0]).createResponse(AccountPages.FEDERATED_IDENTITY);
                }
            case REMOVE:
                FederatedIdentityModel federatedIdentity = this.session.users().getFederatedIdentity(user, first2, this.realm);
                if (federatedIdentity == null) {
                    setReferrerOnPage();
                    return this.account.setError(Response.Status.OK, Messages.FEDERATED_IDENTITY_NOT_ACTIVE, new Object[0]).createResponse(AccountPages.FEDERATED_IDENTITY);
                }
                if (this.session.users().getFederatedIdentities(user, this.realm).size() <= 1 && user.getFederationLink() == null && !isPasswordSet(this.session, this.realm, user)) {
                    setReferrerOnPage();
                    return this.account.setError(Response.Status.OK, Messages.FEDERATED_IDENTITY_REMOVING_LAST_PROVIDER, new Object[0]).createResponse(AccountPages.FEDERATED_IDENTITY);
                }
                this.session.users().removeFederatedIdentity(this.realm, user, first2);
                logger.debugv("Social provider {0} removed successfully from user {1}", first2, user.getUsername());
                this.event.event(EventType.REMOVE_FEDERATED_IDENTITY).client(this.auth.getClient()).user(this.auth.getUser()).detail("username", this.auth.getUser().getUsername()).detail("identity_provider", federatedIdentity.getIdentityProvider()).detail(Details.IDENTITY_PROVIDER_USERNAME, federatedIdentity.getUserName()).success();
                setReferrerOnPage();
                return this.account.setSuccess(Messages.IDENTITY_PROVIDER_REMOVED, new Object[0]).createResponse(AccountPages.FEDERATED_IDENTITY);
            default:
                throw new IllegalArgumentException();
        }
    }

    @GET
    @Path("resource")
    public Response resourcesPage(@QueryParam("resource_id") String str) {
        return forwardToPage("resource", AccountPages.RESOURCES);
    }

    @GET
    @Path("resource/{resource_id}")
    public Response resourceDetailPage(@PathParam("resource_id") String str) {
        return forwardToPage("resource", AccountPages.RESOURCE_DETAIL);
    }

    @GET
    @Path("resource/{resource_id}/grant")
    public Response resourceDetailPageAfterGrant(@PathParam("resource_id") String str) {
        return resourceDetailPage(str);
    }

    @POST
    @Path("resource/{resource_id}/grant")
    public Response grantPermission(@PathParam("resource_id") String str, @FormParam("action") String str2, @FormParam("permission_id") String[] strArr, @FormParam("requester") String str3, MultivaluedMap<String, String> multivaluedMap) {
        if (this.auth == null) {
            return login("resource");
        }
        this.auth.require(AccountRoles.MANAGE_ACCOUNT);
        csrfCheck(multivaluedMap);
        AuthorizationProvider authorizationProvider = (AuthorizationProvider) this.session.getProvider(AuthorizationProvider.class);
        PermissionTicketStore permissionTicketStore = authorizationProvider.getStoreFactory().getPermissionTicketStore();
        Resource findById = authorizationProvider.getStoreFactory().getResourceStore().findById(str, null);
        if (findById == null) {
            return ErrorResponse.error("Invalid resource", Response.Status.BAD_REQUEST);
        }
        if (str2 == null) {
            return ErrorResponse.error("Invalid action", Response.Status.BAD_REQUEST);
        }
        boolean equals = "grant".equals(str2);
        boolean equals2 = "deny".equals(str2);
        boolean equals3 = "revoke".equals(str2);
        boolean equals4 = "revokePolicy".equals(str2);
        boolean equals5 = "revokePolicyAll".equals(str2);
        if (equals4 || equals5) {
            ArrayList arrayList = new ArrayList(Arrays.asList(strArr));
            Iterator it = arrayList.iterator();
            PolicyStore policyStore = authorizationProvider.getStoreFactory().getPolicyStore();
            Policy policy = null;
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                String str4 = (String) it.next();
                if (!str4.contains(":")) {
                    policy = policyStore.findById(str4, this.client.getId());
                    it.remove();
                    break;
                }
            }
            HashSet hashSet = new HashSet();
            if (equals5) {
                Iterator<Scope> it2 = policy.getScopes().iterator();
                while (it2.hasNext()) {
                    policy.removeScope(it2.next());
                }
            } else {
                Iterator it3 = arrayList.iterator();
                while (it3.hasNext()) {
                    hashSet.add(authorizationProvider.getStoreFactory().getScopeStore().findById(((String) it3.next()).split(":")[1], this.client.getId()));
                }
                for (Scope scope : policy.getScopes()) {
                    if (!hashSet.contains(scope)) {
                        policy.removeScope(scope);
                    }
                }
            }
            if (policy.getScopes().isEmpty()) {
                Iterator<Policy> it4 = policy.getAssociatedPolicies().iterator();
                while (it4.hasNext()) {
                    policyStore.delete(it4.next().getId());
                }
                policyStore.delete(policy.getId());
            }
        } else {
            HashMap hashMap = new HashMap();
            hashMap.put(PermissionTicket.RESOURCE, findById.getId());
            hashMap.put(PermissionTicket.REQUESTER, this.session.users().getUserByUsername(str3, this.realm).getId());
            if (equals3) {
                hashMap.put(PermissionTicket.GRANTED, Boolean.TRUE.toString());
            } else {
                hashMap.put(PermissionTicket.GRANTED, Boolean.FALSE.toString());
            }
            List<PermissionTicket> find = permissionTicketStore.find(hashMap, findById.getResourceServer(), -1, -1);
            Iterator<PermissionTicket> it5 = find.iterator();
            while (it5.hasNext()) {
                PermissionTicket next = it5.next();
                if (!equals || strArr == null || strArr.length <= 0 || Arrays.asList(strArr).contains(next.getId())) {
                    if (equals && !next.isGranted()) {
                        next.setGrantedTimestamp(Long.valueOf(System.currentTimeMillis()));
                        it5.remove();
                    } else if (equals2 || equals3) {
                        if (strArr != null && strArr.length > 0 && Arrays.asList(strArr).contains(next.getId())) {
                            it5.remove();
                        }
                    }
                }
            }
            Iterator<PermissionTicket> it6 = find.iterator();
            while (it6.hasNext()) {
                permissionTicketStore.delete(it6.next().getId());
            }
        }
        return (equals3 || equals4 || equals5) ? forwardToPage("resource", AccountPages.RESOURCE_DETAIL) : forwardToPage("resource", AccountPages.RESOURCES);
    }

    @GET
    @Path("resource/{resource_id}/share")
    public Response resourceDetailPageAfterShare(@PathParam("resource_id") String str) {
        return resourceDetailPage(str);
    }

    @POST
    @Path("resource/{resource_id}/share")
    public Response shareResource(@PathParam("resource_id") String str, @FormParam("user_id") String[] strArr, @FormParam("scope_id") String[] strArr2, MultivaluedMap<String, String> multivaluedMap) {
        if (this.auth == null) {
            return login("resource");
        }
        this.auth.require(AccountRoles.MANAGE_ACCOUNT);
        csrfCheck(multivaluedMap);
        AuthorizationProvider authorizationProvider = (AuthorizationProvider) this.session.getProvider(AuthorizationProvider.class);
        PermissionTicketStore permissionTicketStore = authorizationProvider.getStoreFactory().getPermissionTicketStore();
        Resource findById = authorizationProvider.getStoreFactory().getResourceStore().findById(str, null);
        ResourceServer findById2 = authorizationProvider.getStoreFactory().getResourceServerStore().findById(findById.getResourceServer());
        if (findById == null) {
            return ErrorResponse.error("Invalid resource", Response.Status.BAD_REQUEST);
        }
        if (strArr == null || strArr.length == 0) {
            setReferrerOnPage();
            return this.account.setError(Response.Status.BAD_REQUEST, Messages.MISSING_PASSWORD, new Object[0]).createResponse(AccountPages.PASSWORD);
        }
        for (String str2 : strArr) {
            UserModel userById = this.session.users().getUserById(str2, this.realm);
            if (userById == null) {
                userById = this.session.users().getUserByUsername(str2, this.realm);
            }
            if (userById == null) {
                userById = this.session.users().getUserByEmail(str2, this.realm);
            }
            if (userById == null) {
                setReferrerOnPage();
                return this.account.setError(Response.Status.BAD_REQUEST, Messages.INVALID_USER, new Object[0]).createResponse(AccountPages.RESOURCE_DETAIL);
            }
            HashMap hashMap = new HashMap();
            hashMap.put(PermissionTicket.RESOURCE, findById.getId());
            hashMap.put(PermissionTicket.OWNER, this.auth.getUser().getId());
            hashMap.put(PermissionTicket.REQUESTER, userById.getId());
            List<PermissionTicket> find = permissionTicketStore.find(hashMap, findById.getResourceServer(), -1, -1);
            if (find.isEmpty()) {
                if (strArr2 != null && strArr2.length > 0) {
                    for (String str3 : strArr2) {
                        permissionTicketStore.create(str, str3, userById.getId(), findById2).setGrantedTimestamp(Long.valueOf(System.currentTimeMillis()));
                    }
                } else if (findById.getScopes().isEmpty()) {
                    permissionTicketStore.create(str, null, userById.getId(), findById2).setGrantedTimestamp(Long.valueOf(System.currentTimeMillis()));
                } else {
                    Iterator<Scope> it = findById.getScopes().iterator();
                    while (it.hasNext()) {
                        permissionTicketStore.create(str, it.next().getId(), userById.getId(), findById2).setGrantedTimestamp(Long.valueOf(System.currentTimeMillis()));
                    }
                }
            } else if (strArr2 != null && strArr2.length > 0) {
                ArrayList arrayList = new ArrayList(Arrays.asList(strArr2));
                Iterator<PermissionTicket> it2 = find.iterator();
                while (it2.hasNext()) {
                    Scope scope = it2.next().getScope();
                    if (scope != null) {
                        arrayList.remove(scope.getId());
                    }
                }
                Iterator it3 = arrayList.iterator();
                while (it3.hasNext()) {
                    permissionTicketStore.create(str, (String) it3.next(), userById.getId(), findById2).setGrantedTimestamp(Long.valueOf(System.currentTimeMillis()));
                }
            }
        }
        return forwardToPage("resource", AccountPages.RESOURCE_DETAIL);
    }

    @POST
    @Path("resource")
    public Response processResourceActions(@FormParam("resource_id") String[] strArr, @FormParam("action") String str, MultivaluedMap<String, String> multivaluedMap) {
        if (this.auth == null) {
            return login("resource");
        }
        this.auth.require(AccountRoles.MANAGE_ACCOUNT);
        csrfCheck(multivaluedMap);
        AuthorizationProvider authorizationProvider = (AuthorizationProvider) this.session.getProvider(AuthorizationProvider.class);
        PermissionTicketStore permissionTicketStore = authorizationProvider.getStoreFactory().getPermissionTicketStore();
        if (str == null) {
            return ErrorResponse.error("Invalid action", Response.Status.BAD_REQUEST);
        }
        for (String str2 : strArr) {
            Resource findById = authorizationProvider.getStoreFactory().getResourceStore().findById(str2, null);
            if (findById == null) {
                return ErrorResponse.error("Invalid resource", Response.Status.BAD_REQUEST);
            }
            HashMap hashMap = new HashMap();
            hashMap.put(PermissionTicket.REQUESTER, this.auth.getUser().getId());
            hashMap.put(PermissionTicket.RESOURCE, findById.getId());
            if ("cancel".equals(str)) {
                hashMap.put(PermissionTicket.GRANTED, Boolean.TRUE.toString());
            } else if ("cancelRequest".equals(str)) {
                hashMap.put(PermissionTicket.GRANTED, Boolean.FALSE.toString());
            }
            Iterator<PermissionTicket> it = permissionTicketStore.find(hashMap, findById.getResourceServer(), -1, -1).iterator();
            while (it.hasNext()) {
                permissionTicketStore.delete(it.next().getId());
            }
        }
        return forwardToPage("authorization", AccountPages.RESOURCES);
    }

    public static UriBuilder loginRedirectUrl(UriBuilder uriBuilder) {
        return RealmsResource.accountUrl(uriBuilder).path(AccountFormService.class, "loginRedirect");
    }

    @Override // org.keycloak.services.resources.AbstractSecuredLocalService
    protected URI getBaseRedirectUri() {
        return Urls.accountBase(this.session.getContext().getUri().getBaseUri()).path("/").build(this.realm.getName());
    }

    public static boolean isPasswordSet(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
        return keycloakSession.userCredentialManager().isConfiguredFor(realmModel, userModel, "password");
    }

    private String[] getReferrer() {
        String verifyRedirectUri;
        String first = this.session.getContext().getUri().getQueryParameters().getFirst("referrer");
        if (first == null) {
            return null;
        }
        String first2 = this.session.getContext().getUri().getQueryParameters().getFirst("referrer_uri");
        ClientModel clientByClientId = this.realm.getClientByClientId(first);
        if (clientByClientId == null) {
            if (first2 == null || this.client == null || (verifyRedirectUri = RedirectUtils.verifyRedirectUri(this.session, first2, this.client)) == null) {
                return null;
            }
            return new String[]{first, verifyRedirectUri};
        }
        String verifyRedirectUri2 = first2 != null ? RedirectUtils.verifyRedirectUri(this.session, first2, clientByClientId) : ResolveRelative.resolveRelativeUri(this.session, clientByClientId.getRootUrl(), clientByClientId.getBaseUrl());
        if (verifyRedirectUri2 == null) {
            return null;
        }
        String name = clientByClientId.getName();
        if (Validation.isBlank(name)) {
            name = first;
        }
        return new String[]{name, verifyRedirectUri2};
    }

    private void updateUsername(String str, UserModel userModel, KeycloakSession keycloakSession) {
        RealmModel realm = keycloakSession.getContext().getRealm();
        boolean z = str == null || !userModel.getUsername().equals(str);
        if (!realm.isEditUsernameAllowed() || realm.isRegistrationEmailAsUsername()) {
            if (z) {
            }
            return;
        }
        if (z) {
            UserModel userByUsername = keycloakSession.users().getUserByUsername(str, realm);
            if (userByUsername != null && !userByUsername.getId().equals(userModel.getId())) {
                throw new ModelDuplicateException(Messages.USERNAME_EXISTS);
            }
            userModel.setUsername(str);
        }
    }

    private void updateEmail(String str, UserModel userModel, KeycloakSession keycloakSession, EventBuilder eventBuilder) {
        UserModel userByEmail;
        UserModel userByEmail2;
        RealmModel realm = keycloakSession.getContext().getRealm();
        String email = userModel.getEmail();
        boolean z = email != null ? !email.equals(str) : str != null;
        if (z && !realm.isDuplicateEmailsAllowed() && (userByEmail2 = keycloakSession.users().getUserByEmail(str, realm)) != null && !userByEmail2.getId().equals(userModel.getId())) {
            throw new ModelDuplicateException(Messages.EMAIL_EXISTS);
        }
        userModel.setEmail(str);
        if (z) {
            userModel.setEmailVerified(false);
            eventBuilder.m8662clone().event(EventType.UPDATE_EMAIL).detail(Details.PREVIOUS_EMAIL, email).detail(Details.UPDATED_EMAIL, str).success();
        }
        if (realm.isRegistrationEmailAsUsername()) {
            if (!realm.isDuplicateEmailsAllowed() && (userByEmail = keycloakSession.users().getUserByEmail(str, realm)) != null && !userByEmail.getId().equals(userModel.getId())) {
                throw new ModelDuplicateException(Messages.USERNAME_EXISTS);
            }
            userModel.setUsername(str);
        }
    }

    private void csrfCheck(MultivaluedMap<String, String> multivaluedMap) {
        String first = multivaluedMap.getFirst("stateChecker");
        if (first == null || !first.equals(this.stateChecker)) {
            throw new ForbiddenException();
        }
    }

    static {
        for (Method method : AccountFormService.class.getMethods()) {
            Path path = (Path) method.getAnnotation(Path.class);
            if (path != null) {
                VALID_PATHS.add(path.value());
            }
        }
    }
}
