package org.keycloak.services.util;

import java.util.Objects;
import java.util.function.Consumer;
import org.jboss.logging.Logger;
import org.keycloak.common.Profile;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ImpersonationSessionNote;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.UserSessionProvider;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.models.utils.UserSessionModelDelegate;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.protocol.oidc.encode.AccessTokenContext;
import org.keycloak.protocol.oidc.encode.TokenContextEncoderProvider;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.RefreshToken;
import org.keycloak.services.Urls;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.UserSessionManager;
import org.keycloak.sessions.AuthenticationSessionModel;

/* loaded from: input_file:org/keycloak/services/util/UserSessionUtil.class */
public class UserSessionUtil {
    private static final Logger logger = Logger.getLogger(UserSessionUtil.class);

    /* loaded from: input_file:org/keycloak/services/util/UserSessionUtil$UserSessionValidationResult.class */
    public static class UserSessionValidationResult {
        private final UserSessionModel userSession;
        private final String error;

        private static UserSessionValidationResult validSession(KeycloakSession keycloakSession, UserSessionModel userSessionModel) {
            keycloakSession.getContext().setUserSession(userSessionModel);
            return new UserSessionValidationResult(userSessionModel, null);
        }

        private static UserSessionValidationResult error(String str) {
            return new UserSessionValidationResult(null, str);
        }

        private static UserSessionValidationResult error(String str, UserSessionModel userSessionModel, Consumer<UserSessionModel> consumer) {
            consumer.accept(userSessionModel);
            return new UserSessionValidationResult(null, str);
        }

        private UserSessionValidationResult(UserSessionModel userSessionModel, String str) {
            this.userSession = userSessionModel;
            this.error = str;
        }

        public UserSessionModel getUserSession() {
            return this.userSession;
        }

        public String getError() {
            return this.error;
        }
    }

    public static UserSessionValidationResult findValidSessionForIdentityCookie(KeycloakSession keycloakSession, RealmModel realmModel, AccessToken accessToken, Consumer<UserSessionModel> consumer) {
        return findValidSession(keycloakSession, realmModel, accessToken, null, AccessTokenContext.SessionType.ONLINE, false, true, consumer);
    }

    public static UserSessionValidationResult findValidSessionForRefreshToken(KeycloakSession keycloakSession, RealmModel realmModel, RefreshToken refreshToken, ClientModel clientModel, Consumer<UserSessionModel> consumer) {
        AccessTokenContext.SessionType sessionType;
        if ("Offline".equals(refreshToken.getType())) {
            sessionType = AccessTokenContext.SessionType.OFFLINE;
        } else {
            if (!"Refresh".equals(refreshToken.getType())) {
                return UserSessionValidationResult.error("invalid_token_type");
            }
            sessionType = AccessTokenContext.SessionType.ONLINE;
        }
        return findValidSession(keycloakSession, realmModel, refreshToken, clientModel, sessionType, Profile.isFeatureEnabled(Profile.Feature.TOKEN_EXCHANGE), false, consumer);
    }

    public static UserSessionValidationResult findValidSessionForAccessToken(KeycloakSession keycloakSession, RealmModel realmModel, AccessToken accessToken, ClientModel clientModel, Consumer<UserSessionModel> consumer) {
        return findValidSession(keycloakSession, realmModel, accessToken, clientModel, ((TokenContextEncoderProvider) keycloakSession.getProvider(TokenContextEncoderProvider.class)).getTokenContextFromTokenId(accessToken.getId()).getSessionType(), Profile.isFeatureEnabled(Profile.Feature.TOKEN_EXCHANGE), false, consumer);
    }

    private static UserSessionValidationResult findValidSession(KeycloakSession keycloakSession, RealmModel realmModel, AccessToken accessToken, ClientModel clientModel, AccessTokenContext.SessionType sessionType, boolean z, boolean z2, Consumer<UserSessionModel> consumer) {
        logger.tracef("Lookup user session with the sessionType '%s'. Token session id: %s", sessionType, accessToken.getSessionId());
        if (accessToken.getSessionId() == null) {
            return sessionType.isAllowTransientUserSession() ? createTransientSessionForClient(keycloakSession, realmModel, accessToken, clientModel) : UserSessionValidationResult.error("user_session_not_found");
        }
        UserSessionProvider sessions = keycloakSession.sessions();
        UserSessionModel userSessionModel = null;
        if (sessionType.isAllowLookupOnlineUserSession()) {
            if (z2 || sessionType.isAllowTransientClientSession()) {
                userSessionModel = sessions.getUserSession(realmModel, accessToken.getSessionId());
            } else {
                userSessionModel = sessions.getUserSessionIfClientExists(realmModel, accessToken.getSessionId(), false, clientModel.getId());
                if (userSessionModel != null && !checkTokenIssuedAt(accessToken, userSessionModel.getAuthenticatedClientSessionByClient(clientModel.getId()))) {
                    return UserSessionValidationResult.error("invalid_token", userSessionModel, consumer);
                }
                if (userSessionModel == null && z) {
                    userSessionModel = getUserSessionWithImpersonatorClient(keycloakSession, realmModel, accessToken.getSessionId(), false, clientModel.getId());
                }
            }
            if (AuthenticationManager.isSessionValid(realmModel, userSessionModel)) {
                return !checkTokenIssuedAt(accessToken, userSessionModel) ? UserSessionValidationResult.error("invalid_token", userSessionModel, consumer) : sessionType.isAllowTransientClientSession() ? UserSessionValidationResult.validSession(keycloakSession, createTransientSessionForClient(keycloakSession, userSessionModel, clientModel)) : UserSessionValidationResult.validSession(keycloakSession, userSessionModel);
            }
        }
        UserSessionModel userSessionModel2 = null;
        if (sessionType.isAllowLookupOfflineUserSession()) {
            if (sessionType.isAllowTransientClientSession()) {
                userSessionModel2 = sessions.getOfflineUserSession(realmModel, accessToken.getSessionId());
            } else {
                userSessionModel2 = sessions.getUserSessionIfClientExists(realmModel, accessToken.getSessionId(), true, clientModel.getId());
                if (userSessionModel2 != null && !checkTokenIssuedAt(accessToken, userSessionModel2.getAuthenticatedClientSessionByClient(clientModel.getId()))) {
                    return UserSessionValidationResult.error("invalid_token", userSessionModel2, consumer);
                }
            }
            if (AuthenticationManager.isSessionValid(realmModel, userSessionModel2)) {
                return !checkTokenIssuedAt(accessToken, userSessionModel2) ? UserSessionValidationResult.error("invalid_token", userSessionModel2, consumer) : sessionType.isAllowTransientClientSession() ? UserSessionValidationResult.validSession(keycloakSession, createTransientSessionForClient(keycloakSession, userSessionModel2, clientModel)) : UserSessionValidationResult.validSession(keycloakSession, userSessionModel2);
            }
        }
        if (userSessionModel == null && userSessionModel2 == null) {
            logger.debugf("User session '%s' not found or doesn't have client attached on it", accessToken.getSessionId());
            return UserSessionValidationResult.error("user_session_not_found");
        }
        logger.debugf("Session '%s' expired", accessToken.getSessionId());
        return UserSessionValidationResult.error("session_expired", userSessionModel != null ? userSessionModel : userSessionModel2, consumer);
    }

    public static UserSessionModel createTransientUserSession(KeycloakSession keycloakSession, final UserSessionModel userSessionModel) {
        if (userSessionModel.getPersistenceState() == UserSessionModel.SessionPersistenceState.TRANSIENT) {
            throw new IllegalArgumentException("Not expected to invoke this method with the transient session");
        }
        UserSessionModel createUserSession = new UserSessionManager(keycloakSession).createUserSession(userSessionModel.getId(), userSessionModel.getRealm(), userSessionModel.getUser(), userSessionModel.getLoginUsername(), userSessionModel.getIpAddress(), userSessionModel.getAuthMethod(), userSessionModel.isRememberMe(), userSessionModel.getBrokerSessionId(), userSessionModel.getBrokerUserId(), UserSessionModel.SessionPersistenceState.TRANSIENT);
        userSessionModel.getNotes().entrySet().forEach(entry -> {
            createUserSession.setNote((String) entry.getKey(), (String) entry.getValue());
        });
        createUserSession.setNote("created_from_persistent", userSessionModel.isOffline() ? "offline" : "online");
        return new UserSessionModelDelegate(createUserSession) { // from class: org.keycloak.services.util.UserSessionUtil.1
            public int getStarted() {
                return userSessionModel.getStarted();
            }
        };
    }

    private static void attachAuthenticationSession(KeycloakSession keycloakSession, UserSessionModel userSessionModel, ClientModel clientModel) {
        AuthenticationSessionModel createAuthenticationSession = keycloakSession.authenticationSessions().createRootAuthenticationSession(userSessionModel.getRealm()).createAuthenticationSession(clientModel);
        createAuthenticationSession.setAuthenticatedUser(userSessionModel.getUser());
        createAuthenticationSession.setProtocol("openid-connect");
        createAuthenticationSession.setClientNote("iss", Urls.realmIssuer(keycloakSession.getContext().getUri().getBaseUri(), userSessionModel.getRealm().getName()));
        AuthenticationManager.setClientScopesInSession(keycloakSession, createAuthenticationSession);
        TokenManager.attachAuthenticationSession(keycloakSession, userSessionModel, createAuthenticationSession);
    }

    private static UserSessionModel createTransientSessionForClient(KeycloakSession keycloakSession, UserSessionModel userSessionModel, ClientModel clientModel) {
        UserSessionModel createTransientUserSession = createTransientUserSession(keycloakSession, userSessionModel);
        attachAuthenticationSession(keycloakSession, createTransientUserSession, clientModel);
        return createTransientUserSession;
    }

    private static UserSessionValidationResult createTransientSessionForClient(KeycloakSession keycloakSession, RealmModel realmModel, AccessToken accessToken, ClientModel clientModel) {
        UserModel lookupUserFromStatelessToken = TokenManager.lookupUserFromStatelessToken(keycloakSession, realmModel, accessToken);
        if (lookupUserFromStatelessToken == null) {
            logger.debug("Transient User not found");
            return UserSessionValidationResult.error("user_not_found");
        }
        if (!lookupUserFromStatelessToken.isEnabled()) {
            logger.debugf("User '%s' disabled", lookupUserFromStatelessToken.getUsername());
            return UserSessionValidationResult.error("user_disabled");
        }
        UserSessionModel createUserSession = new UserSessionManager(keycloakSession).createUserSession(KeycloakModelUtils.generateId(), realmModel, lookupUserFromStatelessToken, lookupUserFromStatelessToken.getUsername(), keycloakSession.getContext().getConnection().getRemoteHost(), "client_auth", false, null, null, UserSessionModel.SessionPersistenceState.TRANSIENT);
        attachAuthenticationSession(keycloakSession, createUserSession, clientModel);
        return UserSessionValidationResult.validSession(keycloakSession, createUserSession);
    }

    private static boolean checkTokenIssuedAt(AccessToken accessToken, UserSessionModel userSessionModel) {
        if (!accessToken.isIssuedBeforeSessionStart(userSessionModel.getStarted())) {
            return true;
        }
        logger.debug("Stale token for user session");
        return false;
    }

    private static boolean checkTokenIssuedAt(AccessToken accessToken, AuthenticatedClientSessionModel authenticatedClientSessionModel) {
        if (!accessToken.isIssuedBeforeSessionStart(authenticatedClientSessionModel.getStarted())) {
            return true;
        }
        logger.debug("Stale token for client session");
        return false;
    }

    public static UserSessionModel getUserSessionWithImpersonatorClient(KeycloakSession keycloakSession, RealmModel realmModel, String str, boolean z, String str2) {
        return keycloakSession.sessions().getUserSessionWithPredicate(realmModel, str, z, userSessionModel -> {
            return Objects.equals(str2, userSessionModel.getNote(ImpersonationSessionNote.IMPERSONATOR_CLIENT.toString()));
        });
    }
}
