package org.keycloak.authentication.authenticators.broker;

import java.util.List;
import javax.ws.rs.core.MultivaluedMap;
import org.jboss.logging.Logger;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.common.util.ObjectUtil;
import org.keycloak.events.Details;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.FormMessage;
import org.keycloak.representations.idm.IdentityProviderRepresentation;
import org.keycloak.services.resources.AttributeFormDataProcessor;
import org.keycloak.services.validation.Validation;

/* loaded from: input_file:BOOT-INF/lib/keycloak-services-11.0.2.jar:org/keycloak/authentication/authenticators/broker/IdpReviewProfileAuthenticator.class */
/**
 * Broker-login authenticator that lets the user review and edit the profile data received from an
 * external identity provider before the flow continues.
 *
 * <p>{@link #authenticateImpl} decides whether the update-profile page is shown. {@link #actionImpl}
 * handles the submitted form, copies the values into the {@link SerializedBrokeredIdentityContext}
 * and stores that context back in the authentication session.
 *
 * <p>Security note: every value handled by {@link #actionImpl} is read from the HTTP form, so it is
 * chosen by the user and not asserted by the identity provider.
 */
public class IdpReviewProfileAuthenticator extends AbstractIdpAuthenticator {
    private static final Logger logger = Logger.getLogger(IdpReviewProfileAuthenticator.class);

    /**
     * Reports that this authenticator does not need an already-identified user.
     *
     * @return always {@code false}
     */
    @Override // org.keycloak.authentication.Authenticator
    public boolean requiresUser() {
        return false;
    }

    /**
     * Completes the step immediately when no review is needed, otherwise challenges with the
     * update-profile page.
     *
     * @param authenticationFlowContext flow context used to report success or issue the challenge
     * @param serializedBrokeredIdentityContext brokered user data exposed to the form
     * @param brokeredIdentityContext brokered identity, used here only for the provider alias
     */
    @Override // org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator
    protected void authenticateImpl(AuthenticationFlowContext authenticationFlowContext, SerializedBrokeredIdentityContext serializedBrokeredIdentityContext, BrokeredIdentityContext brokeredIdentityContext) {
        IdentityProviderModel idpConfig = brokeredIdentityContext.getIdpConfig();

        boolean reviewNeeded = requiresUpdateProfilePage(authenticationFlowContext, serializedBrokeredIdentityContext, brokeredIdentityContext);
        if (!reviewNeeded) {
            authenticationFlowContext.success();
            return;
        }

        String idpAlias = idpConfig.getAlias();
        String brokerUsername = serializedBrokeredIdentityContext.getUsername();
        logger.debugf("Identity provider '%s' requires update profile action for broker user '%s'.", idpAlias, brokerUsername);

        // First display of the page: no previously submitted form data to echo back.
        LoginFormsProvider reviewForm = authenticationFlowContext.form()
                .setAttribute(LoginFormsProvider.UPDATE_PROFILE_CONTEXT_ATTR, serializedBrokeredIdentityContext)
                .setFormData(null);
        authenticationFlowContext.challenge(reviewForm.createUpdateProfilePage());
    }

    /**
     * Decides whether the update-profile page has to be shown.
     *
     * <p>The page is required when the {@code ENFORCE_UPDATE_PROFILE} auth note parses as
     * {@code true}, when the configured mode is {@code "on"}, or when the mode equals
     * {@link IdentityProviderRepresentation#UPFLM_MISSING} and the mandatory-field validation
     * fails. Any other configured mode skips the page.
     *
     * @param authenticationFlowContext source of the auth note, authenticator config and realm
     * @param serializedBrokeredIdentityContext brokered user data checked for mandatory fields
     * @param brokeredIdentityContext not read by this implementation
     * @return {@code true} if the update-profile page must be displayed
     */
    protected boolean requiresUpdateProfilePage(AuthenticationFlowContext authenticationFlowContext, SerializedBrokeredIdentityContext serializedBrokeredIdentityContext, BrokeredIdentityContext brokeredIdentityContext) {
        // actionImpl sets this note after a successful submit, so the session-level flag wins
        // over the authenticator configuration.
        String enforceNote = authenticationFlowContext.getAuthenticationSession().getAuthNote(AbstractIdpAuthenticator.ENFORCE_UPDATE_PROFILE);
        if (Boolean.parseBoolean(enforceNote)) {
            return true;
        }

        // No config, or no explicit setting, falls back to the "missing" mode.
        String updateProfileMode = IdentityProviderRepresentation.UPFLM_MISSING;
        AuthenticatorConfigModel authenticatorConfig = authenticationFlowContext.getAuthenticatorConfig();
        if (authenticatorConfig != null && authenticatorConfig.getConfig().containsKey(IdpReviewProfileAuthenticatorFactory.UPDATE_PROFILE_ON_FIRST_LOGIN)) {
            updateProfileMode = authenticatorConfig.getConfig().get(IdpReviewProfileAuthenticatorFactory.UPDATE_PROFILE_ON_FIRST_LOGIN);
        }

        if ("on".equals(updateProfileMode)) {
            return true;
        }
        if (!IdentityProviderRepresentation.UPFLM_MISSING.equals(updateProfileMode)) {
            return false;
        }
        return !Validation.validateUserMandatoryFields(authenticationFlowContext.getRealm(), serializedBrokeredIdentityContext);
    }

    /**
     * Processes the submitted update-profile form.
     *
     * <p>On validation errors the page is shown again with the errors and the submitted data.
     * Otherwise username, first name, last name, email and the remaining attributes are copied
     * from the form into the brokered context, the context is saved to the authentication
     * session, and the step succeeds.
     *
     * @param authenticationFlowContext flow context giving access to the request, realm, event
     *     and authentication session
     * @param serializedBrokeredIdentityContext brokered user data that receives the form values
     * @param brokeredIdentityContext brokered identity, used here only for the provider alias
     */
    @Override // org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator
    protected void actionImpl(AuthenticationFlowContext authenticationFlowContext, SerializedBrokeredIdentityContext serializedBrokeredIdentityContext, BrokeredIdentityContext brokeredIdentityContext) {
        EventBuilder profileEvent = authenticationFlowContext.getEvent();
        profileEvent.event(EventType.UPDATE_PROFILE);

        // Untrusted input: everything below is read from the user's form post.
        MultivaluedMap<String, String> formData = authenticationFlowContext.getHttpRequest().getDecodedFormParameters();
        RealmModel realm = authenticationFlowContext.getRealm();

        List<FormMessage> errors = Validation.validateUpdateProfileForm(realm, formData, serializedBrokeredIdentityContext.isEditUsernameAllowed());
        boolean formIsValid = errors == null || errors.isEmpty();
        if (!formIsValid) {
            LoginFormsProvider retryForm = authenticationFlowContext.form()
                    .setErrors(errors)
                    .setAttribute(LoginFormsProvider.UPDATE_PROFILE_CONTEXT_ATTR, serializedBrokeredIdentityContext)
                    .setFormData(formData);
            authenticationFlowContext.challenge(retryForm.createUpdateProfilePage());
            return;
        }

        // The username comes from the email field when the realm uses email as username.
        String usernameField;
        if (realm.isRegistrationEmailAsUsername()) {
            usernameField = "email";
        } else {
            usernameField = "username";
        }
        serializedBrokeredIdentityContext.setUsername(formData.getFirst(usernameField));
        serializedBrokeredIdentityContext.setFirstName(formData.getFirst("firstName"));
        serializedBrokeredIdentityContext.setLastName(formData.getFirst("lastName"));

        String submittedEmail = formData.getFirst("email");
        boolean emailChanged = !ObjectUtil.isEqualOrBothNull(submittedEmail, serializedBrokeredIdentityContext.getEmail());
        if (emailChanged) {
            // NOTE(review): at TRACE level this writes a user-supplied email address to the log;
            // treat it as PII and as unsanitised input when the log is forwarded.
            if (logger.isTraceEnabled()) {
                logger.tracef("Email updated on updateProfile page to '%s' ", submittedEmail);
            }
            serializedBrokeredIdentityContext.setEmail(submittedEmail);
            // Marks that the email no longer matches what the context held before the form.
            // NOTE(review): presumably read by a later email-verification step; confirm that
            // the flow does not treat the edited address as provider-verified.
            authenticationFlowContext.getAuthenticationSession().setAuthNote(AbstractIdpAuthenticator.UPDATE_PROFILE_EMAIL_CHANGED, "true");
        }

        AttributeFormDataProcessor.process(formData, realm, serializedBrokeredIdentityContext);
        serializedBrokeredIdentityContext.saveToAuthenticationSession(authenticationFlowContext.getAuthenticationSession(), AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE);

        String idpAlias = brokeredIdentityContext.getIdpConfig().getAlias();
        String brokerUsername = serializedBrokeredIdentityContext.getUsername();
        logger.debugf("Profile updated successfully after first authentication with identity provider '%s' for broker user '%s'.", idpAlias, brokerUsername);

        // Recorded on every successful submit, including when the email was left unchanged, so
        // this detail alone does not indicate an email change.
        profileEvent.detail(Details.UPDATED_EMAIL, submittedEmail);

        // Makes requiresUpdateProfilePage return true on any later pass in this session.
        authenticationFlowContext.getAuthenticationSession().setAuthNote(AbstractIdpAuthenticator.ENFORCE_UPDATE_PROFILE, "true");
        authenticationFlowContext.success();
    }

    /**
     * Reports this authenticator as configured for every user.
     *
     * @param keycloakSession not read
     * @param realmModel not read
     * @param userModel not read
     * @return always {@code true}
     */
    @Override // org.keycloak.authentication.Authenticator
    public boolean configuredFor(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
        return true;
    }
}
