package org.keycloak.authentication.authenticators.broker;

import javax.ws.rs.core.Response;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.AuthenticationFlowException;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.authenticators.broker.util.ExistingUserInfo;
import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.events.Errors;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.messages.Messages;
import org.keycloak.sessions.AuthenticationSessionModel;

/* loaded from: input_file:BOOT-INF/lib/keycloak-services-11.0.2.jar:org/keycloak/authentication/authenticators/broker/AbstractIdpAuthenticator.class */
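/**
 * Base class for authenticators that run on top of a brokered identity (an external IdP login).
 *
 * <p>Both flow entry points ({@link #authenticate} and {@link #action}) require that a
 * {@link SerializedBrokeredIdentityContext} has been stored in the authentication session under
 * {@link #BROKERED_CONTEXT_NOTE}; it is deserialized and handed to the subclass hooks
 * {@link #authenticateImpl} and {@link #actionImpl}. If the identity provider that produced the
 * context is disabled, a failure challenge is sent and the subclass hook is <b>not</b> invoked
 * (the previous implementation fell through to the hook after the challenge, which allowed the
 * subclass to overwrite the recorded failure).
 */
public abstract class AbstractIdpAuthenticator implements Authenticator {
    /** Auth-session note holding the serialized brokered identity context (read by this class). */
    public static final String BROKERED_CONTEXT_NOTE = "BROKERED_CONTEXT";
    /** Auth-session note holding a serialized {@link ExistingUserInfo} (read by {@link #getExistingUser}). */
    public static final String EXISTING_USER_INFO = "EXISTING_USER_INFO";
    // The following note keys are declared here for use by other flow code; this class does not read them.
    public static final String UPDATE_PROFILE_EMAIL_CHANGED = "UPDATE_PROFILE_EMAIL_CHANGED";
    public static final String ENFORCE_UPDATE_PROFILE = "ENFORCE_UPDATE_PROFILE";
    public static final String BROKER_REGISTERED_NEW_USER = "BROKER_REGISTERED_NEW_USER";
    public static final String FIRST_BROKER_LOGIN_SUCCESS = "FIRST_BROKER_LOGIN_SUCCESS";
    public static final String NESTED_FIRST_BROKER_CONTEXT = "NESTED_FIRST_BROKER_CONTEXT";

    /**
     * Loads the brokered context from the authentication session and delegates to {@link #authenticateImpl}.
     *
     * @param context the current flow context
     * @throws AuthenticationFlowException with {@code IDENTITY_PROVIDER_ERROR} when no serialized
     *         context is present in the authentication session
     */
    @Override // org.keycloak.authentication.Authenticator
    public void authenticate(AuthenticationFlowContext context) {
        AuthenticationSessionModel authSession = context.getAuthenticationSession();
        SerializedBrokeredIdentityContext serializedCtx = requireSerializedContext(authSession);
        BrokeredIdentityContext brokerContext = serializedCtx.deserialize(context.getSession(), authSession);
        if (!brokerContext.getIdpConfig().isEnabled()) {
            // Stop here: running the subclass hook after recording a failure would let it
            // replace the failure status (e.g. via context.success()).
            rejectDisabledIdp(context);
            return;
        }
        authenticateImpl(context, serializedCtx, brokerContext);
    }

    /**
     * Loads the brokered context from the authentication session and delegates to {@link #actionImpl}.
     *
     * @param context the current flow context
     * @throws AuthenticationFlowException with {@code IDENTITY_PROVIDER_ERROR} when no serialized
     *         context is present in the authentication session
     */
    @Override // org.keycloak.authentication.Authenticator
    public void action(AuthenticationFlowContext context) {
        AuthenticationSessionModel authSession = context.getAuthenticationSession();
        SerializedBrokeredIdentityContext serializedCtx = requireSerializedContext(authSession);
        BrokeredIdentityContext brokerContext = serializedCtx.deserialize(context.getSession(), authSession);
        if (!brokerContext.getIdpConfig().isEnabled()) {
            // Same guard as in authenticate(): do not run the subclass hook for a disabled IdP.
            rejectDisabledIdp(context);
            return;
        }
        actionImpl(context, serializedCtx, brokerContext);
    }

    /**
     * Reads the serialized brokered context stored under {@link #BROKERED_CONTEXT_NOTE}.
     *
     * @param authSession the authentication session to read from
     * @return the stored context, never {@code null}
     * @throws AuthenticationFlowException when the note is absent
     */
    private static SerializedBrokeredIdentityContext requireSerializedContext(AuthenticationSessionModel authSession) {
        SerializedBrokeredIdentityContext serializedCtx =
                SerializedBrokeredIdentityContext.readFromAuthenticationSession(authSession, BROKERED_CONTEXT_NOTE);
        if (serializedCtx == null) {
            throw new AuthenticationFlowException("Not found serialized context in clientSession", AuthenticationFlowError.IDENTITY_PROVIDER_ERROR);
        }
        return serializedCtx;
    }

    /** Records an IdP error event and answers with a 400 error page for a disabled identity provider. */
    private void rejectDisabledIdp(AuthenticationFlowContext context) {
        sendFailureChallenge(context, Response.Status.BAD_REQUEST, Errors.IDENTITY_PROVIDER_ERROR,
                Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR, AuthenticationFlowError.IDENTITY_PROVIDER_ERROR);
    }

    /**
     * Subclass hook invoked by {@link #authenticate} once the brokered context has been loaded
     * and the identity provider is known to be enabled.
     */
    protected abstract void authenticateImpl(AuthenticationFlowContext authenticationFlowContext, SerializedBrokeredIdentityContext serializedBrokeredIdentityContext, BrokeredIdentityContext brokeredIdentityContext);

    /**
     * Subclass hook invoked by {@link #action} once the brokered context has been loaded
     * and the identity provider is known to be enabled.
     */
    protected abstract void actionImpl(AuthenticationFlowContext authenticationFlowContext, SerializedBrokeredIdentityContext serializedBrokeredIdentityContext, BrokeredIdentityContext brokeredIdentityContext);

    /**
     * Records an error on the flow's event (attributed to the flow's current user, if any) and
     * fails the flow with an error page.
     *
     * @param context the current flow context
     * @param status HTTP status of the rendered error page
     * @param eventError error code written to the authentication event
     * @param errorMessage message key rendered on the error page
     * @param flowError the flow error reported to the authentication processor
     */
    protected void sendFailureChallenge(AuthenticationFlowContext context, Response.Status status, String eventError, String errorMessage, AuthenticationFlowError flowError) {
        context.getEvent().user(context.getUser()).error(eventError);
        Response challenge = context.form().setError(errorMessage, new Object[0]).createErrorPage(status);
        context.failureChallenge(flowError, challenge);
    }

    /** No required actions are set by this base class. */
    @Override // org.keycloak.authentication.Authenticator
    public void setRequiredActions(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
    }

    /** Nothing to release. */
    @Override // org.keycloak.provider.Provider
    public void close() {
    }

    /**
     * Resolves the already-existing user recorded under {@link #EXISTING_USER_INFO} in the
     * authentication session.
     *
     * @param session current Keycloak session
     * @param realm realm the user is looked up in
     * @param authSession authentication session carrying the serialized {@link ExistingUserInfo}
     * @return the existing, enabled user
     * @throws AuthenticationFlowException {@code INTERNAL_ERROR} when no existing-user note is set,
     *         {@code INVALID_USER} when the recorded id does not resolve to a user,
     *         {@code USER_DISABLED} when the resolved user is disabled
     */
    public static UserModel getExistingUser(KeycloakSession session, RealmModel realm, AuthenticationSessionModel authSession) {
        String serializedInfo = authSession.getAuthNote(EXISTING_USER_INFO);
        if (serializedInfo == null) {
            throw new AuthenticationFlowException("Unexpected state. There is no existing duplicated user identified in ClientSession", AuthenticationFlowError.INTERNAL_ERROR);
        }
        // Report the user id rather than the whole serialized note in the messages below.
        String existingUserId = ExistingUserInfo.deserialize(serializedInfo).getExistingUserId();
        UserModel existingUser = session.users().getUserById(existingUserId, realm);
        if (existingUser == null) {
            throw new AuthenticationFlowException("User with ID '" + existingUserId + "' not found.", AuthenticationFlowError.INVALID_USER);
        }
        if (!existingUser.isEnabled()) {
            throw new AuthenticationFlowException("User with ID '" + existingUserId + "', username '" + existingUser.getUsername() + "' disabled.", AuthenticationFlowError.USER_DISABLED);
        }
        return existingUser;
    }
}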
