package org.keycloak.protocol.oidc.grants;

import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import org.jboss.logging.Logger;
import org.keycloak.authentication.AuthenticationProcessor;
import org.keycloak.events.EventType;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.AuthenticationFlowResolver;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.protocol.oidc.grants.OAuth2GrantType;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.services.CorsErrorResponseException;
import org.keycloak.services.Urls;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.context.ResourceOwnerPasswordCredentialsContext;
import org.keycloak.services.clientpolicy.context.ResourceOwnerPasswordCredentialsResponseContext;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.AuthenticationSessionManager;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.sessions.CommonClientSessionModel;
import org.keycloak.util.TokenUtil;

/* loaded from: input_file:org/keycloak/protocol/oidc/grants/ResourceOwnerPasswordCredentialsGrantType.class */
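/**
 * Handles the OAuth 2.0 Resource Owner Password Credentials grant (RFC 6749 §4.3), called a
 * "direct access grant" in Keycloak: the client posts the user's credentials straight to the token
 * endpoint and, on success, receives tokens without any browser-based login.
 *
 * <p>{@link #process(OAuth2GrantType.Context)} runs, in order: client capability checks, the
 * request-side client-policy hook, a throw-away authentication session driven through the realm's
 * direct-grant authentication flow, a required-actions gate, token issuance, and the response-side
 * client-policy hook. Every rejection is recorded on the event builder before the error is thrown.
 */
public class ResourceOwnerPasswordCredentialsGrantType extends OAuth2GrantTypeBase {
    private static final Logger logger = Logger.getLogger(ResourceOwnerPasswordCredentialsGrantType.class);

    /**
     * Executes the password grant for the given token request.
     *
     * @param context the token-endpoint request context (form parameters, client, event builder, ...)
     * @return a {@code 200} JSON {@link AccessTokenResponse} on success, or the authentication
     *         processor's own (non-success) response when credential verification did not complete
     * @throws CorsErrorResponseException when the client may not use this grant, the account still
     *         has required actions pending, or a client policy rejects the request or the response
     */
    public Response process(OAuth2GrantType.Context context) {
        setContext(context);
        this.event.detail("auth_method", "oauth_credentials");
        requireDirectGrantCapableClient();
        try {
            // Client policies get a chance to veto the request before any credential is examined.
            this.session.clientPolicy().triggerOnEvent(new ResourceOwnerPasswordCredentialsContext(this.formParams));

            String requestedScopes = getRequestedScopes();
            AuthenticationSessionModel authSession = createDirectGrantAuthSession(requestedScopes);
            String flowId = AuthenticationFlowResolver.resolveDirectGrantFlow(authSession).getId();

            AuthenticationProcessor processor = new AuthenticationProcessor();
            processor.setAuthenticationSession(authSession)
                    .setFlowId(flowId)
                    .setFlowPath("token")
                    .setConnection(this.clientConnection)
                    .setEventBuilder(this.event)
                    .setRealm(this.realm)
                    .setSession(this.session)
                    .setUriInfo(this.session.getContext().getUri())
                    .setRequest(this.request);

            // A non-null response means the flow did not end with a fully authenticated user
            // (failed credentials, a challenge, ...). Return it unchanged and drop the session.
            Response challenge = processor.authenticateOnly();
            if (challenge != null) {
                discardAuthSession(authSession);
                this.cors.add();
                return challenge;
            }

            // This grant has no UI in which a required action (password update, OTP setup, ...)
            // could be completed, so an account with anything pending must not receive tokens.
            processor.evaluateRequiredActionTriggers();
            if (hasPendingRequiredActions(authSession)) {
                discardAuthSession(authSession);
                this.event.detail("reason", "Account is not fully set up");
                this.event.error("resolve_required_actions");
                throw new CorsErrorResponseException(this.cors, "invalid_grant", "Account is not fully set up", Response.Status.BAD_REQUEST);
            }

            AuthenticationManager.setClientScopesInSession(authSession);
            ClientSessionContext clientSessionCtx = processor.attachSession();
            UserSessionModel userSession = processor.getUserSession();
            updateUserSessionFromClientAuth(userSession);

            TokenManager.AccessTokenResponseBuilder responseBuilder = this.tokenManager
                    .responseBuilder(this.realm, this.client, this.event, this.session, userSession, clientSessionCtx)
                    .generateAccessToken();
            // Refresh tokens are opt-in per client; the same flag drives the HoK binding below.
            boolean useRefreshToken = this.clientConfig.isUseRefreshToken();
            if (useRefreshToken) {
                responseBuilder.generateRefreshToken();
            }
            // ID token (plus at_hash) only when TokenUtil classifies the granted scope as an OIDC request.
            if (TokenUtil.isOIDCRequest(clientSessionCtx.getClientSession().getNote("scope"))) {
                responseBuilder.generateIDToken().generateAccessTokenHash();
            }
            // Holder-of-key (mTLS) binding of the issued tokens, when applicable — implemented in the base class.
            checkAndBindMtlsHoKToken(responseBuilder, useRefreshToken);

            // Response-side client-policy hook. A ClientPolicyException raised here is reported
            // exactly like one from the request-side hook, so the single catch below serves both.
            this.session.clientPolicy().triggerOnEvent(new ResourceOwnerPasswordCredentialsResponseContext(this.formParams, clientSessionCtx, responseBuilder));
            AccessTokenResponse tokenResponse = responseBuilder.build();
            this.event.success();
            AuthenticationManager.logSuccess(this.session, authSession);
            return this.cors.add(Response.ok(tokenResponse, MediaType.APPLICATION_JSON_TYPE));
        } catch (ClientPolicyException e) {
            this.event.detail("reason", e.getErrorDetail());
            this.event.error(e.getError());
            throw new CorsErrorResponseException(this.cors, e.getError(), e.getErrorDetail(), e.getErrorStatus());
        }
    }

    /**
     * Rejects clients that are not allowed to use this grant: direct access grants must be enabled
     * on the client, and the client must not require user consent (there is no consent screen in
     * this flow).
     *
     * @throws CorsErrorResponseException with {@code unauthorized_client} or {@code invalid_client}
     */
    private void requireDirectGrantCapableClient() {
        if (!this.client.isDirectAccessGrantsEnabled()) {
            this.event.detail("reason", "Client not allowed for direct access grants");
            this.event.error("not_allowed");
            throw new CorsErrorResponseException(this.cors, "unauthorized_client", "Client not allowed for direct access grants", Response.Status.BAD_REQUEST);
        }
        if (this.client.isConsentRequired()) {
            this.event.detail("reason", "Client requires user consent");
            this.event.error("consent_denied");
            throw new CorsErrorResponseException(this.cors, "invalid_client", "Client requires user consent", Response.Status.BAD_REQUEST);
        }
    }

    /**
     * Creates the short-lived authentication session the direct-grant flow runs in.
     *
     * @param requestedScopes the scope value to record on the session as the {@code scope} client note
     * @return a new authentication session for the current client, in the AUTHENTICATE state
     */
    private AuthenticationSessionModel createDirectGrantAuthSession(String requestedScopes) {
        // NOTE(review): the `false` argument presumably suppresses browser-cookie handling — there is
        // no browser in this grant; confirm against AuthenticationSessionManager.
        AuthenticationSessionModel authSession = new AuthenticationSessionManager(this.session)
                .createAuthenticationSession(this.realm, false)
                .createAuthenticationSession(this.client);
        authSession.setProtocol("openid-connect");
        authSession.setAction(CommonClientSessionModel.Action.AUTHENTICATE.name());
        authSession.setClientNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(this.session.getContext().getUri().getBaseUri(), this.realm.getName()));
        authSession.setClientNote("scope", requestedScopes);
        return authSession;
    }

    /**
     * Removes a direct-grant authentication session that will not be turned into a user session.
     *
     * @param authSession the session to discard
     */
    private void discardAuthSession(AuthenticationSessionModel authSession) {
        new AuthenticationSessionManager(this.session).removeAuthenticationSession(this.realm, authSession, false);
    }

    /**
     * Whether the authenticated user or the authentication session itself still has required
     * actions pending. Stops at the first pending user action rather than counting them all.
     *
     * @param authSession a session whose authenticated user has been set by the flow
     * @return {@code true} if any required action is outstanding
     */
    private static boolean hasPendingRequiredActions(AuthenticationSessionModel authSession) {
        return authSession.getAuthenticatedUser().getRequiredActionsStream().findAny().isPresent()
                || !authSession.getRequiredActions().isEmpty();
    }

    /**
     * Event type recorded for this grant.
     *
     * @return {@link EventType#LOGIN}, since a successful password grant is a user login
     */
    public EventType getEventType() {
        return EventType.LOGIN;
    }
}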
