package org.keycloak.organization.authentication.authenticators.browser;

import jakarta.ws.rs.core.MultivaluedHashMap;
import jakarta.ws.rs.core.Response;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.function.Function;
import java.util.function.Predicate;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.AuthenticatorUtil;
import org.keycloak.authentication.authenticators.browser.IdentityProviderAuthenticator;
import org.keycloak.credential.PasswordCredentialProviderFactory;
import org.keycloak.email.freemarker.beans.ProfileBean;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.forms.login.freemarker.model.AuthenticationContextBean;
import org.keycloak.forms.login.freemarker.model.IdentityProviderBean;
import org.keycloak.http.HttpRequest;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.OrganizationModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserProvider;
import org.keycloak.models.utils.FormMessage;
import org.keycloak.organization.OrganizationProvider;
import org.keycloak.organization.forms.login.freemarker.model.OrganizationAwareAuthenticationContextBean;
import org.keycloak.organization.forms.login.freemarker.model.OrganizationAwareIdentityProviderBean;
import org.keycloak.organization.forms.login.freemarker.model.OrganizationAwareRealmBean;
import org.keycloak.organization.protocol.mappers.oidc.OrganizationScope;
import org.keycloak.organization.utils.Organizations;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.userprofile.config.UPConfigUtils;

/* loaded from: input_file:org/keycloak/organization/authentication/authenticators/browser/OrganizationAuthenticator.class */
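/**
 * Browser-flow authenticator that resolves the organization a login belongs to and, depending on the
 * outcome, either challenges the user (username form, organization picker), redirects to the
 * organization's identity provider, fails the flow (membership required but missing) or lets the
 * flow continue.
 *
 * <p>Inputs read from the request are the {@code username} form field and an optional {@code kc.org}
 * form field (an organization alias). Both are untrusted; the alias is only ever used as a lookup
 * key against the organization provider. The resolved organization id is carried through the flow
 * as the {@code kc.org} auth note and client note.
 */
public class OrganizationAuthenticator extends IdentityProviderAuthenticator {

    /** Key used for the auth note, the client note and the form parameter carrying the organization. */
    private static final String ORGANIZATION_NOTE = "kc.org";
    /** Identity-provider config key holding the email domain an {@code EMAIL_MATCH} broker is bound to. */
    private static final String ORGANIZATION_DOMAIN_CONFIG = "kc.org.domain";
    /** Login form field carrying the value the user typed (username or email). */
    private static final String USERNAME_FORM_PARAM = "username";
    /** Client note a client may set to pre-fill the username field. */
    private static final String LOGIN_HINT_NOTE = "login_hint";
    /** Template rendered when a user belonging to several organizations has to pick one. */
    private static final String SELECT_ORGANIZATION_FORM = "select-organization.ftl";
    /** Login form attribute holding the authentication-context bean. */
    private static final String AUTH_ATTRIBUTE = "auth";
    /** Login form attribute holding the identity-provider (social) bean. */
    private static final String SOCIAL_ATTRIBUTE = "social";

    private final KeycloakSession session;

    /**
     * @param keycloakSession the session this authenticator executes in; used for context, users and providers
     */
    public OrganizationAuthenticator(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
    }

    /**
     * Entry point of the step. Skips the step when organizations are disabled or absent, shows the
     * initial challenge when no organization can be resolved from the current context, and otherwise
     * records the organization and proceeds straight to {@link #action(AuthenticationFlowContext)}.
     *
     * @param authenticationFlowContext the current flow context
     */
    @Override
    public void authenticate(AuthenticationFlowContext authenticationFlowContext) {
        // Nothing to do when the feature is off or the realm has no organizations: let the flow move on.
        if (!Organizations.isEnabledAndOrganizationsPresent(getOrganizationProvider())) {
            authenticationFlowContext.attempted();
            return;
        }
        OrganizationModel organization = Organizations.resolveOrganization(session);
        if (organization == null) {
            initialChallenge(authenticationFlowContext);
            return;
        }
        // The organization is already known from the context; record it and behave as if the form was submitted.
        authenticationFlowContext.getAuthenticationSession().setAuthNote(ORGANIZATION_NOTE, organization.getId());
        action(authenticationFlowContext);
    }

    /**
     * Handles the submitted username form. Resolves the user and the organization, enforces the
     * membership requirement, tries a broker redirect, and finally challenges unknown users or
     * marks the step as attempted/successful for known ones.
     *
     * @param authenticationFlowContext the current flow context
     */
    @Override
    public void action(AuthenticationFlowContext authenticationFlowContext) {
        String username = authenticationFlowContext.getHttpRequest().getDecodedFormParameters().getFirst(USERNAME_FORM_PARAM);
        RealmModel realm = authenticationFlowContext.getRealm();
        UserModel user = resolveUser(authenticationFlowContext, username);
        String emailDomain = Organizations.getEmailDomain(username);
        OrganizationModel organization = resolveOrganization(user, emailDomain);

        if (organization == null) {
            // Either a multi-organization member must pick one, or membership is mandatory and none
            // could be resolved; both helpers have already produced the challenge/failure when they return true.
            if (shouldUserSelectOrganization(authenticationFlowContext, user)
                    || isMembershipRequired(authenticationFlowContext, null, user)) {
                return;
            }
            clearAuthenticationSession(authenticationFlowContext);
            authenticationFlowContext.attempted();
            return;
        }

        AuthenticationSessionModel authSession = authenticationFlowContext.getAuthenticationSession();
        authSession.setAuthNote(ORGANIZATION_NOTE, organization.getId());
        session.getContext().setOrganization(organization);

        // A membership failure or a broker redirect ends this step.
        if (isMembershipRequired(authenticationFlowContext, organization, user)
                || tryRedirectBroker(authenticationFlowContext, organization, user, username, emailDomain)) {
            return;
        }
        if (user == null) {
            unknownUserChallenge(authenticationFlowContext, organization, realm, emailDomain != null);
            return;
        }
        if (!user.isEnabled()) {
            authenticationFlowContext.failure(AuthenticationFlowError.INVALID_USER);
        } else if (AuthenticatorUtil.isSSOAuthentication(authSession)) {
            authenticationFlowContext.success();
        } else {
            authenticationFlowContext.attempted();
        }
    }

    /**
     * The step is applicable whenever organizations are enabled for the realm; the user is not consulted.
     */
    @Override
    public boolean configuredFor(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
        return realmModel.isOrganizationsEnabled();
    }

    /**
     * Resolves the organization for this login. An explicit {@code kc.org} alias submitted with the
     * form wins; otherwise the organization is derived from the user and/or email domain. When an
     * organization is found its id is stored as a client note.
     *
     * @param user        the resolved user, may be {@code null}
     * @param emailDomain the domain part of the submitted value, may be {@code null}
     * @return the organization, or {@code null} when none matches (including an unknown alias)
     */
    private OrganizationModel resolveOrganization(UserModel user, String emailDomain) {
        KeycloakContext context = session.getContext();
        AuthenticationSessionModel authSession = context.getAuthenticationSession();
        List<String> requestedAliases = context.getHttpRequest().getDecodedFormParameters()
                .getOrDefault(ORGANIZATION_NOTE, List.of());

        OrganizationModel organization;
        if (requestedAliases.isEmpty()) {
            organization = Organizations.resolveOrganization(session, user, emailDomain);
        } else {
            // The alias is untrusted form input; it is only used as a lookup key and an unknown alias yields null.
            organization = getOrganizationProvider().getByAlias(requestedAliases.get(0));
        }
        if (organization != null) {
            authSession.setClientNote(ORGANIZATION_NOTE, organization.getId());
        }
        return organization;
    }

    /**
     * Challenges a user who belongs to more than one organization to pick one, but only under the
     * {@code ANY} organization scope and when no organization was chosen yet.
     *
     * @return {@code true} when the selection form was issued as the challenge
     */
    private boolean shouldUserSelectOrganization(AuthenticationFlowContext context, UserModel user) {
        AuthenticationSessionModel authSession = context.getAuthenticationSession();
        boolean anyOrganizationScope = OrganizationScope.ANY.equals(OrganizationScope.valueOfScope(session));
        if (!anyOrganizationScope || user == null || authSession.getClientNote(ORGANIZATION_NOTE) != null) {
            return false;
        }
        // Only a member of more than one organization has a choice to make.
        if (getOrganizationProvider().getByMember(user).count() <= 1) {
            return false;
        }
        LoginFormsProvider form = context.form();
        form.setAttribute(UPConfigUtils.ROLE_USER, new ProfileBean(user, session));
        form.setAttributeMapper(attributes -> {
            attributes.computeIfPresent(AUTH_ATTRIBUTE,
                    (key, bean) -> new OrganizationAwareAuthenticationContextBean((AuthenticationContextBean) bean, false));
            return attributes;
        });
        clearAuthenticationSession(context);
        context.challenge(form.createForm(SELECT_ORGANIZATION_FORM));
        return true;
    }

    /**
     * Redirects to an identity provider when the user has no local credentials: the user's single
     * home broker if there is exactly one, else an organization broker whose configured domain
     * matches the submitted email domain.
     *
     * @return {@code true} when a redirect was issued
     */
    private boolean tryRedirectBroker(AuthenticationFlowContext context, OrganizationModel organization,
            UserModel user, String username, String emailDomain) {
        // A user who already holds stored credentials authenticates locally; no broker redirect.
        if (user != null && user.credentialManager().getStoredCredentialsStream().findAny().isPresent()) {
            return false;
        }
        List<IdentityProviderModel> homeBrokers = Organizations.resolveHomeBroker(session, user);
        if (homeBrokers.size() == 1) {
            // NOTE(review): assumes resolveHomeBroker returns an empty list for a null user,
            // otherwise user.getEmail() would throw here — confirm against Organizations.
            redirect(context, homeBrokers.get(0).getAlias(), user.getEmail());
            return true;
        }
        return redirect(context, organization, username, emailDomain);
    }

    /**
     * Redirects to the first organization broker that has {@code EMAIL_MATCH} enabled and whose
     * configured domain equals {@code emailDomain}.
     *
     * @return {@code true} when a redirect was issued; {@code false} when no domain or no matching broker
     */
    private boolean redirect(AuthenticationFlowContext context, OrganizationModel organization,
            String username, String emailDomain) {
        if (emailDomain == null) {
            return false;
        }
        for (IdentityProviderModel broker : organization.getIdentityProviders().toList()) {
            boolean emailMatchEnabled = OrganizationModel.IdentityProviderRedirectMode.EMAIL_MATCH.isSet(broker);
            if (emailMatchEnabled && emailDomain.equals(broker.getConfig().get(ORGANIZATION_DOMAIN_CONFIG))) {
                redirect(context, broker.getAlias(), username);
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the user already attached to the flow, or looks the submitted value up by email and
     * then by username, attaching the result (possibly {@code null}) to the flow.
     */
    private UserModel resolveUser(AuthenticationFlowContext context, String username) {
        UserModel current = context.getUser();
        if (current != null) {
            return current;
        }
        if (username == null) {
            return null;
        }
        UserProvider users = session.users();
        RealmModel realm = session.getContext().getRealm();
        // Email lookup takes precedence; fall back to a username lookup.
        UserModel user = Optional.ofNullable(users.getUserByEmail(realm, username))
                .orElseGet(() -> users.getUserByUsername(realm, username));
        clearAuthenticationSession(context);
        context.setUser(user); // may be null; action() handles the unknown-user case
        return user;
    }

    /**
     * Re-issues the username form for a value that matched an organization but no user, showing the
     * organization's public brokers when it has any.
     *
     * @param domainMatched whether the submitted value carried an email domain; adds an explanatory error when true
     */
    private void unknownUserChallenge(AuthenticationFlowContext context, OrganizationModel organization,
            RealmModel realm, boolean domainMatched) {
        LoginFormsProvider form = context.form().setAttributeMapper(attributes -> {
            if (hasPublicBrokers(organization)) {
                attributes.computeIfPresent(SOCIAL_ATTRIBUTE,
                        (key, bean) -> new OrganizationAwareIdentityProviderBean((IdentityProviderBean) bean, true));
                attributes.computeIfPresent(PasswordCredentialProviderFactory.METER_REALM_TAG,
                        (key, bean) -> new OrganizationAwareRealmBean(realm));
            } else {
                attributes.computeIfPresent(SOCIAL_ATTRIBUTE,
                        (key, bean) -> new OrganizationAwareIdentityProviderBean((IdentityProviderBean) bean, false, true));
            }
            attributes.computeIfPresent(AUTH_ATTRIBUTE,
                    (key, bean) -> new OrganizationAwareAuthenticationContextBean((AuthenticationContextBean) bean, false));
            return attributes;
        });
        if (domainMatched) {
            // NOTE(review): this message discloses that the address has no account; presumably intended
            // as onboarding guidance for organization domains — confirm it matches the realm's policy.
            form.addError(new FormMessage("Your email domain matches the " + organization.getName()
                    + " organization but you don't have an account yet."));
        }
        context.challenge(form.createLoginUsername());
    }

    /**
     * First challenge of the step. Anonymous users get the username form (pre-filled from
     * {@code login_hint} when present); an SSO-authenticated user either picks an organization or
     * passes, and any other authenticated user marks the step as attempted.
     */
    private void initialChallenge(AuthenticationFlowContext context) {
        AuthenticationSessionModel authSession = context.getAuthenticationSession();
        UserModel user = context.getUser();
        if (user == null) {
            LoginFormsProvider form = context.form().setAttributeMapper(attributes -> {
                attributes.computeIfPresent(SOCIAL_ATTRIBUTE,
                        (key, bean) -> new OrganizationAwareIdentityProviderBean((IdentityProviderBean) bean, false, true));
                attributes.computeIfPresent(AUTH_ATTRIBUTE,
                        (key, bean) -> new OrganizationAwareAuthenticationContextBean((AuthenticationContextBean) bean, false));
                return attributes;
            });
            String loginHint = authSession.getClientNote(LOGIN_HINT_NOTE);
            if (loginHint != null) {
                // Pre-fill the username field with the hint the client supplied.
                form.setFormData(new MultivaluedHashMap<String, String>(Map.of(USERNAME_FORM_PARAM, loginHint)));
            }
            context.challenge(form.createLoginUsername());
            return;
        }
        if (!AuthenticatorUtil.isSSOAuthentication(authSession)) {
            context.attempted();
            return;
        }
        if (!shouldUserSelectOrganization(context, user)) {
            context.success();
        }
    }

    /** Whether the organization has at least one identity provider that is not hidden on the login page. */
    private boolean hasPublicBrokers(OrganizationModel organization) {
        return organization.getIdentityProviders().anyMatch(Predicate.not(IdentityProviderModel::isHideOnLogin));
    }

    private OrganizationProvider getOrganizationProvider() {
        return session.getProvider(OrganizationProvider.class);
    }

    /** Reads the "requires user membership" option of this execution; defaults to {@code false}. */
    private boolean isRequiresMembership(AuthenticationFlowContext context) {
        String configured = getConfig(context)
                .getOrDefault(OrganizationAuthenticatorFactory.REQUIRES_USER_MEMBERSHIP, Boolean.FALSE.toString());
        return Boolean.parseBoolean(configured);
    }

    /** The execution's config map, or an empty map when the execution has no config attached. */
    private Map<String, String> getConfig(AuthenticationFlowContext context) {
        return Optional.ofNullable(context.getAuthenticatorConfig())
                .map(config -> config.getConfig())
                .orElse(Map.of());
    }

    /** Drops the organization auth note so a stale organization does not leak into the next attempt. */
    private void clearAuthenticationSession(AuthenticationFlowContext context) {
        context.getAuthenticationSession().removeAuthNote(ORGANIZATION_NOTE);
    }

    /**
     * Enforces the membership requirement. When it is enabled and the user is not a member of the
     * given organization (or, under the {@code SINGLE} scope, of the scope's organization), the
     * flow is failed with a FORBIDDEN error page.
     *
     * @param organization the resolved organization, may be {@code null}
     * @return {@code true} when the flow was failed here
     */
    private boolean isMembershipRequired(AuthenticationFlowContext context, OrganizationModel organization, UserModel user) {
        if (user == null || !isRequiresMembership(context)) {
            return false;
        }
        OrganizationModel target = organization;
        if (target == null) {
            // Under a single-organization scope the organization is implied by the scope itself.
            OrganizationScope scope = OrganizationScope.valueOfScope(session);
            if (OrganizationScope.SINGLE.equals(scope)) {
                target = scope.resolveOrganizations(session).findAny().orElse(null);
            }
        }
        if (target != null && target.isMember(user)) {
            return false;
        }
        // Presumably so the error page offers no alternative credential choice — confirm.
        context.setAuthenticationSelections(List.of());
        LoginFormsProvider form = context.form();
        String errorKey;
        String eventDetail;
        if (target == null) {
            errorKey = "notMemberOfAnyOrganization";
            eventDetail = "User " + user.getUsername() + " not a member of any organization";
            form.setError(errorKey);
        } else {
            errorKey = "notMemberOfOrganization";
            eventDetail = "User " + user.getUsername() + " not a member of organization " + target.getAlias();
            form.setError(errorKey, target.getName());
        }
        context.failure(AuthenticationFlowError.GENERIC_AUTHENTICATION_ERROR,
                form.createErrorPage(Response.Status.FORBIDDEN), eventDetail, errorKey);
        return true;
    }
}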
