package org.keycloak.protocol.oidc.tokenexchange;

import jakarta.ws.rs.core.Response;
import org.keycloak.TokenVerifier;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.common.ClientConnection;
import org.keycloak.events.EventBuilder;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ImpersonationSessionNote;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.TokenExchangeContext;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.CorsErrorResponseException;
import org.keycloak.services.cors.Cors;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.UserSessionManager;
import org.keycloak.services.resources.admin.AdminAuth;
import org.keycloak.services.resources.admin.permissions.AdminPermissions;

/* loaded from: input_file:org/keycloak/protocol/oidc/tokenexchange/V1TokenExchangeProvider.class */
public class V1TokenExchangeProvider extends AbstractTokenExchangeProvider {
    public boolean supports(TokenExchangeContext tokenExchangeContext) {
        return true;
    }

    @Override // org.keycloak.protocol.oidc.tokenexchange.AbstractTokenExchangeProvider
    protected Response tokenExchange() {
        KeycloakSession session = this.context.getSession();
        RealmModel realm = this.context.getRealm();
        ClientConnection clientConnection = this.context.getClientConnection();
        Cors cors = this.context.getCors();
        ClientModel client = this.context.getClient();
        EventBuilder event = this.context.getEvent();
        UserModel userModel = null;
        UserSessionModel userSessionModel = null;
        AccessToken accessToken = null;
        String subjectToken = this.context.getParams().getSubjectToken();
        if (subjectToken != null) {
            String subjectTokenType = this.context.getParams().getSubjectTokenType();
            if (isExternalInternalTokenExchangeRequest(this.context)) {
                return exchangeExternalToken(getSubjectIssuer(this.context, subjectToken, subjectTokenType), subjectToken);
            }
            if (subjectTokenType != null && !subjectTokenType.equals("urn:ietf:params:oauth:token-type:access_token")) {
                event.detail("reason", "subject_token supports access tokens only");
                event.error("invalid_token");
                throw new CorsErrorResponseException(cors, "invalid_request", "Invalid token type, must be access token", Response.Status.BAD_REQUEST);
            }
            AuthenticationManager.AuthResult verifyIdentityToken = AuthenticationManager.verifyIdentityToken(session, realm, session.getContext().getUri(), clientConnection, true, true, null, false, subjectToken, this.context.getHeaders(), new TokenVerifier.Predicate[0]);
            if (verifyIdentityToken == null) {
                event.detail("reason", "subject_token validation failure");
                event.error("invalid_token");
                throw new CorsErrorResponseException(cors, "invalid_request", "Invalid token", Response.Status.BAD_REQUEST);
            }
            userModel = verifyIdentityToken.getUser();
            userSessionModel = verifyIdentityToken.getSession();
            accessToken = verifyIdentityToken.getToken();
        }
        String str = (String) this.context.getFormParams().getFirst("requested_subject");
        boolean z = true;
        if (str != null) {
            event.detail("requested_subject", str);
            UserModel userByUsername = session.users().getUserByUsername(realm, str);
            if (userByUsername == null) {
                userByUsername = session.users().getUserById(realm, str);
            }
            if (userByUsername == null) {
                event.detail("reason", "requested_subject not found");
                event.error("not_allowed");
                throw new CorsErrorResponseException(cors, AbstractOAuth2IdentityProvider.ACCESS_DENIED, "Client not allowed to exchange", Response.Status.FORBIDDEN);
            }
            if (accessToken != null) {
                event.detail("impersonator", userModel.getUsername());
                if (!AdminPermissions.evaluator(session, realm, new AdminAuth(realm, accessToken, userModel, client)).users().canImpersonate(userByUsername, client)) {
                    event.detail("reason", "subject not allowed to impersonate");
                    event.error("not_allowed");
                    throw new CorsErrorResponseException(cors, AbstractOAuth2IdentityProvider.ACCESS_DENIED, "Client not allowed to exchange", Response.Status.FORBIDDEN);
                }
            } else {
                if (client.isPublicClient()) {
                    event.detail("reason", "public clients not allowed");
                    event.error("not_allowed");
                    throw new CorsErrorResponseException(cors, AbstractOAuth2IdentityProvider.ACCESS_DENIED, "Client not allowed to exchange", Response.Status.FORBIDDEN);
                }
                if (!AdminPermissions.management(session, realm).users().canClientImpersonate(client, userByUsername)) {
                    event.detail("reason", "client not allowed to impersonate");
                    event.error("not_allowed");
                    throw new CorsErrorResponseException(cors, AbstractOAuth2IdentityProvider.ACCESS_DENIED, "Client not allowed to exchange", Response.Status.FORBIDDEN);
                }
                z = false;
            }
            userSessionModel = new UserSessionManager(session).createUserSession(realm, userByUsername, userByUsername.getUsername(), clientConnection.getRemoteHost(), "impersonate", false, null, null);
            if (userModel != null) {
                userSessionModel.setNote(ImpersonationSessionNote.IMPERSONATOR_ID.toString(), userModel.getId());
                userSessionModel.setNote(ImpersonationSessionNote.IMPERSONATOR_USERNAME.toString(), userModel.getUsername());
            }
            userModel = userByUsername;
        }
        String str2 = (String) this.context.getFormParams().getFirst("requested_issuer");
        if (str2 == null) {
            return exchangeClientToClient(userModel, userSessionModel, accessToken, z);
        }
        try {
            Response exchangeToIdentityProvider = exchangeToIdentityProvider(userModel, userSessionModel, str2);
            if (subjectToken == null) {
                try {
                    session.sessions().removeUserSession(realm, userSessionModel);
                } catch (Exception e) {
                }
            }
            return exchangeToIdentityProvider;
        } catch (Throwable th) {
            if (subjectToken == null) {
                try {
                    session.sessions().removeUserSession(realm, userSessionModel);
                } catch (Exception e2) {
                }
            }
            throw th;
        }
    }
}
