package org.keycloak.services.resources.account;

import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Objects;
import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;
import java.util.UUID;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import org.jboss.logging.Logger;
import org.keycloak.broker.social.SocialIdentityProvider;
import org.keycloak.common.util.Base64Url;
import org.keycloak.crypto.SHA256HashProviderFactory;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.http.HttpRequest;
import org.keycloak.models.FederatedIdentityModel;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.representations.account.AccountLinkUriRepresentation;
import org.keycloak.representations.account.LinkedAccountRepresentation;
import org.keycloak.services.ErrorResponse;
import org.keycloak.services.Urls;
import org.keycloak.services.managers.Auth;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.Cors;
import org.keycloak.services.validation.Validation;
import org.keycloak.utils.MediaType;

/* loaded from: input_file:org/keycloak/services/resources/account/LinkedAccountsResource.class */
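/**
 * Account REST resource for the identity providers linked to the authenticated user.
 *
 * <p>Exposes three operations: listing the realm's enabled identity providers with their link
 * state, building the URI that starts a client-initiated account link, and removing an existing
 * link. Every endpoint checks an account role through {@link Auth} before touching user data.
 */
public class LinkedAccountsResource {
    private static final Logger logger = Logger.getLogger(LinkedAccountsResource.class);
    private final KeycloakSession session;
    private final HttpRequest request;
    private final EventBuilder event;
    private final UserModel user;
    private final RealmModel realm;
    private final Auth auth;

    /**
     * Creates the resource for one request.
     *
     * @param keycloakSession session used for provider, user and realm lookups; the realm is
     *     taken from its context
     * @param httpRequest the incoming request, used when adding CORS headers
     * @param auth the caller's authentication, used for role checks and CORS origins
     * @param eventBuilder builder used to record the unlink event
     * @param userModel the user whose linked accounts are managed
     */
    public LinkedAccountsResource(KeycloakSession keycloakSession, HttpRequest httpRequest, Auth auth, EventBuilder eventBuilder, UserModel userModel) {
        this.session = keycloakSession;
        this.request = httpRequest;
        this.auth = auth;
        this.event = eventBuilder;
        this.user = userModel;
        this.realm = keycloakSession.getContext().getRealm();
    }

    /**
     * Lists the realm's enabled identity providers together with the user's link state.
     *
     * <p>Requires either the {@code manage-account} or the {@code view-profile} role.
     *
     * @return a 200 response carrying the sorted linked-account representations
     */
    @GET
    @Produces({MediaType.APPLICATION_JSON})
    @Path("/")
    public Response linkedAccounts() {
        this.auth.requireOneOf("manage-account", "view-profile");
        SortedSet<LinkedAccountRepresentation> accounts = getLinkedAccounts(this.session, this.realm, this.user);
        return Cors.add(this.request, Response.ok(accounts)).auth().allowedOrigins(this.auth.getToken()).build();
    }

    /** Collects the ids of all registered {@link SocialIdentityProvider} factories. */
    private Set<String> findSocialIds() {
        return this.session.getKeycloakSessionFactory()
                .getProviderFactoriesStream(SocialIdentityProvider.class)
                .map(factory -> factory.getId())
                .collect(Collectors.toSet());
    }

    /**
     * Builds one representation per enabled identity provider of the realm.
     *
     * <p>This method performs no authorization check itself; callers are expected to have
     * checked the caller's role, as {@link #linkedAccounts()} does.
     *
     * @param keycloakSession session used to read the user's federated identities
     * @param realmModel realm whose identity providers are listed
     * @param userModel user whose federated identities are matched against the providers
     * @return the representations, ordered by {@link LinkedAccountRepresentation}'s natural order
     */
    public SortedSet<LinkedAccountRepresentation> getLinkedAccounts(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
        Set<String> socialProviderIds = findSocialIds();
        return realmModel.getIdentityProvidersStream()
                .filter(IdentityProviderModel::isEnabled)
                // A stream can be consumed only once, so a fresh federated-identity stream is
                // requested for every provider.
                .map(provider -> toLinkedAccountRepresentation(
                        provider,
                        socialProviderIds,
                        keycloakSession.users().getFederatedIdentitiesStream(realmModel, userModel)))
                .collect(Collectors.toCollection(TreeSet::new));
    }

    /**
     * Maps one identity provider to its representation for the current user.
     *
     * @param provider the identity provider to describe
     * @param socialProviderIds provider ids that count as social providers
     * @param identities the user's federated identities; consumed by this call
     * @return the populated representation; the linked username is set only when a link exists
     */
    private LinkedAccountRepresentation toLinkedAccountRepresentation(IdentityProviderModel provider, Set<String> socialProviderIds, Stream<FederatedIdentityModel> identities) {
        String alias = provider.getAlias();
        FederatedIdentityModel identity = getIdentity(identities, alias);
        String displayName = KeycloakModelUtils.getIdentityProviderDisplayName(this.session, provider);
        String guiOrder = provider.getConfig() != null ? (String) provider.getConfig().get("guiOrder") : null;

        LinkedAccountRepresentation representation = new LinkedAccountRepresentation();
        representation.setConnected(identity != null);
        representation.setSocial(socialProviderIds.contains(provider.getProviderId()));
        representation.setProviderAlias(alias);
        representation.setDisplayName(displayName);
        representation.setGuiOrder(guiOrder);
        representation.setProviderName(alias);
        if (identity != null) {
            representation.setLinkedUsername(identity.getUserName());
        }
        return representation;
    }

    /** Returns the first federated identity issued by {@code providerAlias}, or {@code null}. */
    private FederatedIdentityModel getIdentity(Stream<FederatedIdentityModel> identities, String providerAlias) {
        return identities
                .filter(identity -> Objects.equals(identity.getIdentityProvider(), providerAlias))
                .findFirst()
                .orElse(null);
    }

    /**
     * Builds the URI that starts linking the current user to an identity provider.
     *
     * <p>Requires the {@code manage-account} role and an active user session. The returned
     * {@code hash} is the Base64Url-encoded SHA-256 digest of the random nonce, the user session
     * id, the {@code account-console} client id and the provider alias, so it is tied to the
     * caller's session.
     *
     * @param str alias of the identity provider to link ({@code providerId} path parameter)
     * @param str2 where to send the user after linking ({@code redirectUri} query parameter)
     * @return a 200 response carrying the link URI, nonce and hash
     * @throws javax.ws.rs.WebApplicationException 400 when the redirect URI is missing, the
     *     provider is missing or unknown, the account is disabled or no session is active;
     *     500 when the URI cannot be built
     */
    @GET
    @Path("/{providerId}")
    @Deprecated
    @Produces({MediaType.APPLICATION_JSON})
    public Response buildLinkedAccountURI(@PathParam("providerId") String str, @QueryParam("redirectUri") String str2) {
        this.auth.require("manage-account");
        if (str2 == null) {
            // The error must be thrown: without 'throw' the request continued with a null
            // redirect URI and only failed later inside the catch-all below, as a 500.
            throw ErrorResponse.error(Messages.INVALID_REDIRECT_URI, Response.Status.BAD_REQUEST);
        }
        String preconditionError = checkCommonPreconditions(str);
        if (preconditionError != null) {
            throw ErrorResponse.error(preconditionError, Response.Status.BAD_REQUEST);
        }
        if (this.auth.getSession() == null) {
            throw ErrorResponse.error(Messages.SESSION_NOT_ACTIVE, Response.Status.BAD_REQUEST);
        }
        try {
            String nonce = UUID.randomUUID().toString();
            String hashInput = nonce + this.auth.getSession().getId() + "account-console" + str;
            byte[] digest = MessageDigest.getInstance(SHA256HashProviderFactory.ID).digest(hashInput.getBytes(StandardCharsets.UTF_8));
            String hash = Base64Url.encode(digest);

            // NOTE(review): the redirect URI is forwarded as received. Validation against the
            // client's registered redirect URIs is assumed to happen at the identity-provider
            // link endpoint; confirm before relying on it.
            URI linkUri = UriBuilder.fromUri(Urls.identityProviderLinkRequest(this.session.getContext().getUri().getBaseUri(), str, this.realm.getName()))
                    .queryParam(OIDCLoginProtocol.NONCE_PARAM, nonce)
                    .queryParam("hash", hash)
                    .queryParam("client_id", "account-console")
                    .queryParam("redirect_uri", str2)
                    .build();

            AccountLinkUriRepresentation representation = new AccountLinkUriRepresentation();
            representation.setAccountLinkUri(linkUri);
            representation.setHash(hash);
            representation.setNonce(nonce);
            return Cors.add(this.request, Response.ok(representation)).auth().allowedOrigins(this.auth.getToken()).build();
        } catch (Exception e) {
            // Log through the server logger rather than printStackTrace() so the failure is
            // recorded in the server log; the client only sees a generic error.
            logger.error("Failed to build the account link URI", e);
            throw ErrorResponse.error(Messages.FAILED_TO_PROCESS_RESPONSE, Response.Status.INTERNAL_SERVER_ERROR);
        }
    }

    /**
     * Removes the link between the current user and an identity provider.
     *
     * <p>Requires the {@code manage-account} role. On success a
     * {@code REMOVE_FEDERATED_IDENTITY} event is recorded.
     *
     * @param str alias of the identity provider to unlink ({@code providerId} path parameter)
     * @return a 204 response on success
     * @throws javax.ws.rs.WebApplicationException 400 when the provider is missing or unknown,
     *     the account is disabled, no such link exists, or the removal is refused by the
     *     last-provider guard
     */
    @Produces({MediaType.APPLICATION_JSON})
    @Path("/{providerId}")
    @DELETE
    public Response removeLinkedAccount(@PathParam("providerId") String str) {
        this.auth.require("manage-account");
        String preconditionError = checkCommonPreconditions(str);
        if (preconditionError != null) {
            throw ErrorResponse.error(preconditionError, Response.Status.BAD_REQUEST);
        }
        FederatedIdentityModel link = this.session.users().getFederatedIdentity(this.realm, this.user, str);
        if (link == null) {
            throw ErrorResponse.error(Messages.FEDERATED_IDENTITY_NOT_ACTIVE, Response.Status.BAD_REQUEST);
        }

        // Guard against removing the last way to sign in: refuse when this is the only
        // federated identity, the user has no federation link and no password is configured.
        boolean isOnlyLink = this.session.users().getFederatedIdentitiesStream(this.realm, this.user).count() <= 1;
        if (isOnlyLink && this.user.getFederationLink() == null && !isPasswordSet()) {
            throw ErrorResponse.error(Messages.FEDERATED_IDENTITY_REMOVING_LAST_PROVIDER, Response.Status.BAD_REQUEST);
        }

        this.session.users().removeFederatedIdentity(this.realm, this.user, str);
        logger.debugv("Social provider {0} removed successfully from user {1}", str, this.user.getUsername());
        this.event.event(EventType.REMOVE_FEDERATED_IDENTITY)
                .client(this.auth.getClient())
                .user(this.auth.getUser())
                .detail("username", this.auth.getUser().getUsername())
                .detail("identity_provider", link.getIdentityProvider())
                .detail("identity_provider_identity", link.getUserName())
                .success();
        return Cors.add(this.request, Response.noContent()).auth().allowedOrigins(this.auth.getToken()).build();
    }

    /**
     * Runs the checks shared by the link and unlink endpoints.
     *
     * @param providerAlias alias of the identity provider named in the request
     * @return the message key of the first failed check, or {@code null} when all checks pass
     */
    private String checkCommonPreconditions(String providerAlias) {
        this.auth.require("manage-account");
        if (Validation.isEmpty(providerAlias)) {
            return Messages.MISSING_IDENTITY_PROVIDER;
        }
        if (!isValidProvider(providerAlias)) {
            return Messages.IDENTITY_PROVIDER_NOT_FOUND;
        }
        if (!this.user.isEnabled()) {
            return Messages.ACCOUNT_DISABLED;
        }
        return null;
    }

    /** Reports whether the user has a {@code password} credential configured. */
    private boolean isPasswordSet() {
        return this.user.credentialManager().isConfiguredFor("password");
    }

    /** Reports whether the realm has an identity provider with the given alias. */
    private boolean isValidProvider(String providerAlias) {
        return this.realm.getIdentityProvidersStream()
                .anyMatch(provider -> Objects.equals(provider.getAlias(), providerAlias));
    }
}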
