package org.keycloak.services.resources;

import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.core.Context;
import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Response;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Properties;
import java.util.concurrent.atomic.AtomicBoolean;
import org.jboss.logging.Logger;
import org.keycloak.authentication.authenticators.sessionlimits.UserSessionLimitsAuthenticatorFactory;
import org.keycloak.common.ClientConnection;
import org.keycloak.common.Profile;
import org.keycloak.common.Version;
import org.keycloak.common.util.Base64Url;
import org.keycloak.common.util.MimeTypeUtil;
import org.keycloak.common.util.SecretGenerator;
import org.keycloak.cookie.CookieProvider;
import org.keycloak.cookie.CookieType;
import org.keycloak.models.KeycloakSession;
import org.keycloak.protocol.saml.SamlProtocol;
import org.keycloak.services.ForbiddenException;
import org.keycloak.services.ServicesLogger;
import org.keycloak.services.managers.ApplianceBootstrap;
import org.keycloak.services.util.CacheControlUtil;
import org.keycloak.theme.Theme;
import org.keycloak.theme.freemarker.FreeMarkerProvider;
import org.keycloak.urls.UrlType;
import org.keycloak.utils.MediaType;

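/**
 * Serves the server welcome page at {@code /}, the static resources of the welcome theme,
 * and the one-time creation of the initial master-realm admin user while none exists.
 *
 * <p>Initial-user creation is accepted only when (a) the master realm still has no user,
 * (b) both the remote and the local address of the connection are loopback / any-local and
 * no {@code X-Forwarded-For} header is present, and (c) the submitted {@code stateChecker}
 * form field matches the {@link CookieType#WELCOME_CSRF} cookie that was issued together
 * with the form. Failures of (b) are logged and answered with 400, failures of (c) with 403.
 */
@Path("/")
public class WelcomeResource {
    protected static final Logger logger = Logger.getLogger(WelcomeResource.class);

    // Not referenced anywhere in this class; kept for source compatibility.
    private static final String KEYCLOAK_STATE_CHECKER = "WELCOME_STATE_CHECKER";

    // Form field names of the bootstrap form rendered by index.ftl.
    private static final String FIELD_USERNAME = "username";
    private static final String FIELD_PASSWORD = "password";
    private static final String FIELD_PASSWORD_CONFIRMATION = "passwordConfirmation";
    private static final String FIELD_STATE_CHECKER = "stateChecker";

    // Header whose mere presence marks the request as proxied and therefore non-local.
    private static final String X_FORWARDED_FOR = "X-Forwarded-For";

    // Lazily computed "master realm has no user yet" flag. Declared volatile because
    // shouldBootstrap() initialises it with double-checked locking; without volatile the
    // unsynchronised first read is not guaranteed to observe a fully constructed object.
    private volatile AtomicBoolean shouldBootstrap;

    @Context
    KeycloakSession session;

    /**
     * Renders the welcome page, first redirecting to the trailing-slash form of the URL so
     * that relative resource links in the template resolve correctly.
     *
     * @return a 303 redirect when the request URI lacks a trailing slash, otherwise the page
     * @throws URISyntaxException if the redirect target cannot be built from the request URI
     */
    @Produces({MediaType.TEXT_HTML_UTF_8})
    @GET
    public Response getWelcomePage() throws URISyntaxException {
        String requestUri = this.session.getContext().getUri().getRequestUri().toString();
        if (!requestUri.endsWith("/")) {
            return Response.seeOther(new URI(requestUri + "/")).build();
        }
        return createWelcomePage(null, null);
    }

    /**
     * Handles the bootstrap form: creates the initial master-realm admin user.
     *
     * <p>When bootstrapping is no longer needed the plain welcome page is returned and the
     * form is ignored. Non-local callers are logged and rejected with 400 before the CSRF
     * check runs; a CSRF mismatch yields 403. Validation errors are rendered back into the
     * page with status 400.
     *
     * @return the welcome page, with a success or error message where applicable
     * @throws WebApplicationException with 400 for non-local callers
     * @throws ForbiddenException when the CSRF state checker does not match the cookie
     */
    @POST
    @Produces({MediaType.TEXT_HTML_UTF_8})
    @Consumes({MediaType.APPLICATION_FORM_URLENCODED})
    public Response createUser() {
        MultivaluedMap<String, String> form = this.session.getContext().getHttpRequest().getDecodedFormParameters();
        if (!shouldBootstrap()) {
            return createWelcomePage(null, null);
        }
        if (!isLocal()) {
            ServicesLogger.LOGGER.rejectedNonLocalAttemptToCreateInitialUser(this.session.getContext().getConnection().getRemoteAddr());
            throw new WebApplicationException(Response.Status.BAD_REQUEST);
        }
        csrfCheck(form);

        String username = form.getFirst(FIELD_USERNAME);
        String password = form.getFirst(FIELD_PASSWORD);
        String passwordConfirmation = form.getFirst(FIELD_PASSWORD_CONFIRMATION);
        if (username != null) {
            username = username.trim();
        }
        if (username == null || username.isEmpty()) {
            return createWelcomePage(null, "Username is missing");
        }
        if (password == null || password.isEmpty()) {
            return createWelcomePage(null, "Password is missing");
        }
        // The password is deliberately not trimmed: whitespace is significant in a secret.
        if (!password.equals(passwordConfirmation)) {
            return createWelcomePage(null, "Password and confirmation doesn't match");
        }

        // The one-time token is consumed before the user is created so a replay of the
        // same form cannot reach this point again.
        expireCsrfCookie();
        new ApplianceBootstrap(this.session).createMasterRealmUser(username, password);
        this.shouldBootstrap.set(false);
        ServicesLogger.LOGGER.createdInitialAdminUser(username);
        return createWelcomePage("User created", null);
    }

    /**
     * Serves a static resource of the welcome theme.
     *
     * @param path the theme-relative resource path taken from the URL
     * @return the resource stream with a content type derived from the path and the default
     *         cache-control, or 404 when the theme has no such resource
     * @throws WebApplicationException with 500 when the theme resource cannot be read
     */
    @Produces({MediaType.TEXT_HTML_UTF_8})
    @GET
    @Path("/welcome-content/{path}")
    public Response getResource(@PathParam("path") String path) {
        try {
            InputStream resource = getTheme().getResourceAsStream(path);
            if (resource == null) {
                return Response.status(Response.Status.NOT_FOUND).build();
            }
            return Response.ok(resource)
                    .type(MimeTypeUtil.getContentType(path))
                    .cacheControl(CacheControlUtil.getDefaultCacheControl())
                    .build();
        } catch (IOException e) {
            throw new WebApplicationException(e, Response.Status.INTERNAL_SERVER_ERROR);
        }
    }

    /**
     * Renders {@code index.ftl} of the welcome theme, or redirects to the admin console when
     * the theme asks for it and there is nothing left to bootstrap.
     *
     * @param successMessage message shown on success, or {@code null}
     * @param errorMessage   message shown on error, or {@code null}; when present the page is
     *                       returned with status 400 instead of 200
     * @return the rendered page (never cached), a 302 to the admin console, or 400 when the
     *         welcome theme is not configured
     * @throws WebApplicationException with 500 on any failure while building or rendering
     */
    private Response createWelcomePage(String successMessage, String errorMessage) {
        try {
            Theme theme = getTheme();
            if (theme == null) {
                logger.error("Theme is null please check the \"--spi-theme-default\" parameter");
                return Response.status(Response.Status.BAD_REQUEST)
                        .entity("The theme is null")
                        .cacheControl(CacheControlUtil.noCache())
                        .build();
            }

            boolean bootstrap = shouldBootstrap();
            boolean adminConsoleEnabled = isAdminConsoleEnabled();
            Properties properties = theme.getProperties();
            boolean redirectToAdmin = Boolean.parseBoolean(
                    properties.getProperty("redirectToAdmin", SamlProtocol.ATTRIBUTE_FALSE_VALUE));
            URI adminUrl = this.session.getContext().getUri(UrlType.ADMIN).getBaseUriBuilder()
                    .path("/admin/")
                    .build(new Object[0]);

            // A successful bootstrap (successMessage != null) is always shown, never redirected.
            if (redirectToAdmin && !bootstrap && adminConsoleEnabled && successMessage == null) {
                return Response.status(302).location(adminUrl).build();
            }

            Map<String, Object> model = new HashMap<>();
            String commonPath = properties.getProperty("common", "common/keycloak");
            model.put("bootstrap", bootstrap);
            model.put("adminConsoleEnabled", adminConsoleEnabled);
            model.put("properties", properties);
            model.put("adminUrl", adminUrl);
            model.put("baseUrl", this.session.getContext().getUri(UrlType.FRONTEND).getBaseUri());
            model.put("productName", "Keycloak");
            model.put("resourcesPath", "resources/" + Version.RESOURCES_VERSION + "/"
                    + theme.getType().toString().toLowerCase() + "/" + theme.getName());
            model.put("resourcesCommonPath", "resources/" + Version.RESOURCES_VERSION + "/" + commonPath);

            boolean local = isLocal();
            model.put("localUser", local);
            if (bootstrap) {
                String localAdminUrl = this.session.getContext().getUri(UrlType.LOCAL_ADMIN).getBaseUri().toString();
                model.put("localAdminUrl", localAdminUrl);
                model.put("adminUserCreationMessage", getAdminCreationMessage());
                // Only a local caller may submit the form, so only a local caller gets a token.
                if (local) {
                    model.put("stateChecker", setCsrfCookie());
                }
            }
            if (successMessage != null) {
                model.put("successMessage", successMessage);
            }
            if (errorMessage != null) {
                model.put(UserSessionLimitsAuthenticatorFactory.ERROR_MESSAGE, errorMessage);
            }

            Response.Status status = errorMessage == null ? Response.Status.OK : Response.Status.BAD_REQUEST;
            String html = this.session.getProvider(FreeMarkerProvider.class).processTemplate(model, "index.ftl", theme);
            return Response.status(status)
                    .entity(html)
                    .cacheControl(CacheControlUtil.noCache())
                    .build();
        } catch (Exception e) {
            // Template rendering can fail in several ways (I/O, template errors); all of them
            // are surfaced as 500 rather than leaking details to the caller.
            throw new WebApplicationException(e, Response.Status.INTERNAL_SERVER_ERROR);
        }
    }

    /** @return whether the new admin console feature is enabled in the active profile */
    private static boolean isAdminConsoleEnabled() {
        return Profile.isFeatureEnabled(Profile.Feature.ADMIN2);
    }

    /**
     * Looks up the welcome theme.
     *
     * @return the configured welcome theme (callers treat {@code null} as "not configured")
     * @throws WebApplicationException with 500 when the theme cannot be loaded
     */
    private Theme getTheme() {
        try {
            return this.session.theme().getTheme(Theme.Type.WELCOME);
        } catch (IOException e) {
            throw new WebApplicationException(e, Response.Status.INTERNAL_SERVER_ERROR);
        }
    }

    /** @return the hint shown next to the bootstrap form about the alternative env-var setup */
    protected String getAdminCreationMessage() {
        return "or set the environment variables KEYCLOAK_ADMIN and KEYCLOAK_ADMIN_PASSWORD before starting the server";
    }

    /**
     * Reports whether the master realm still lacks a user, computing the answer once per
     * resource instance and caching it.
     *
     * @return {@code true} while the initial admin user still has to be created
     */
    private boolean shouldBootstrap() {
        AtomicBoolean flag = this.shouldBootstrap;
        if (flag == null) {
            synchronized (this) {
                flag = this.shouldBootstrap;
                if (flag == null) {
                    flag = new AtomicBoolean(new ApplianceBootstrap(this.session).isNoMasterUser());
                    this.shouldBootstrap = flag;
                }
            }
        }
        return flag.get();
    }

    /**
     * Decides whether the current request comes from the local machine.
     *
     * <p>Both the remote and the local address must be loopback or any-local, and the
     * request must not carry an {@code X-Forwarded-For} header — its presence means a proxy
     * is in the path and the loopback remote address is the proxy's, not the user's.
     *
     * @return {@code true} only for an unproxied local connection
     * @throws WebApplicationException with 500 when an address cannot be resolved
     */
    private boolean isLocal() {
        try {
            ClientConnection connection = this.session.getContext().getConnection();
            InetAddress remoteAddress = InetAddress.getByName(connection.getRemoteAddr());
            InetAddress localAddress = InetAddress.getByName(connection.getLocalAddr());
            String forwardedFor = this.session.getContext().getHttpRequest().getHttpHeaders().getHeaderString(X_FORWARDED_FOR);
            logger.debugf("Checking WelcomePage. Remote address: %s, Local address: %s, X-Forwarded-For header: %s",
                    remoteAddress.toString(), localAddress.toString(), forwardedFor);
            return isLocalAddress(remoteAddress) && isLocalAddress(localAddress) && forwardedFor == null;
        } catch (UnknownHostException e) {
            throw new WebApplicationException(e, Response.Status.INTERNAL_SERVER_ERROR);
        }
    }

    /** @return whether {@code inetAddress} is the wildcard address or a loopback address */
    private boolean isLocalAddress(InetAddress inetAddress) {
        return inetAddress.isAnyLocalAddress() || inetAddress.isLoopbackAddress();
    }

    /**
     * Issues a fresh random CSRF token, stores it in the {@link CookieType#WELCOME_CSRF}
     * cookie and returns it for embedding in the form.
     *
     * @return the token value placed in the cookie
     */
    private String setCsrfCookie() {
        String token = Base64Url.encode(SecretGenerator.getInstance().randomBytes());
        this.session.getProvider(CookieProvider.class).set(CookieType.WELCOME_CSRF, token);
        return token;
    }

    /** Invalidates the CSRF cookie so the issued token cannot be reused. */
    private void expireCsrfCookie() {
        this.session.getProvider(CookieProvider.class).expire(CookieType.WELCOME_CSRF);
    }

    /**
     * Verifies that the submitted {@code stateChecker} field equals the CSRF cookie.
     *
     * <p>The comparison uses {@link MessageDigest#isEqual} so that its duration does not
     * depend on how many leading bytes of a guessed token happen to be right.
     *
     * @param form the decoded form parameters of the request
     * @throws ForbiddenException when the cookie is absent, the field is absent, or they differ
     */
    private void csrfCheck(MultivaluedMap<String, String> form) {
        String submitted = form.getFirst(FIELD_STATE_CHECKER);
        String expected = this.session.getProvider(CookieProvider.class).get(CookieType.WELCOME_CSRF);
        if (expected == null || submitted == null) {
            throw new ForbiddenException();
        }
        byte[] expectedBytes = expected.getBytes(StandardCharsets.UTF_8);
        byte[] submittedBytes = submitted.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expectedBytes, submittedBytes)) {
            throw new ForbiddenException();
        }
    }
}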
