package org.keycloak.protocol.oidc.grants;

import jakarta.ws.rs.core.Response;
import java.util.function.Supplier;
import java.util.stream.Stream;
import org.jboss.logging.Logger;
import org.keycloak.common.util.KeycloakUriBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.protocol.oidc.grants.OAuth2GrantType;
import org.keycloak.protocol.oidc.grants.ciba.channel.CIBAAuthenticationRequest;
import org.keycloak.protocol.oidc.utils.OAuth2Code;
import org.keycloak.protocol.oidc.utils.OAuth2CodeParser;
import org.keycloak.protocol.oidc.utils.PkceUtils;
import org.keycloak.services.CorsErrorResponseException;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.context.TokenRequestContext;
import org.keycloak.services.clientpolicy.context.TokenResponseContext;
import org.keycloak.services.clientregistration.ErrorCodes;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.util.DPoPUtil;
import org.keycloak.services.util.DefaultClientSessionContext;

/* loaded from: input_file:org/keycloak/protocol/oidc/grants/AuthorizationCodeGrantType.class */
public class AuthorizationCodeGrantType extends OAuth2GrantTypeBase {
    private static final Logger logger = Logger.getLogger(AuthorizationCodeGrantType.class);

    public Response process(OAuth2GrantType.Context context) {
        setContext(context);
        String str = (String) this.formParams.getFirst("code");
        if (str == null) {
            this.event.detail("reason", "Missing parameter: code");
            this.event.error("invalid_code");
            throw new CorsErrorResponseException(this.cors, "invalid_request", "Missing parameter: code", Response.Status.BAD_REQUEST);
        }
        OAuth2CodeParser.ParseResult parseCode = OAuth2CodeParser.parseCode(this.session, str, this.realm, this.event);
        if (parseCode.isIllegalCode()) {
            AuthenticatedClientSessionModel clientSession = parseCode.getClientSession();
            if (clientSession != null) {
                clientSession.detachFromUserSession();
            }
            this.event.error("invalid_code");
            throw new CorsErrorResponseException(this.cors, "invalid_grant", "Code not valid", Response.Status.BAD_REQUEST);
        }
        AuthenticatedClientSessionModel clientSession2 = parseCode.getClientSession();
        if (parseCode.isExpiredCode()) {
            this.event.error("expired_code");
            throw new CorsErrorResponseException(this.cors, "invalid_grant", "Code is expired", Response.Status.BAD_REQUEST);
        }
        UserSessionModel userSessionModel = null;
        if (clientSession2 != null) {
            userSessionModel = clientSession2.getUserSession();
        }
        if (userSessionModel == null) {
            this.event.error("user_session_not_found");
            throw new CorsErrorResponseException(this.cors, "invalid_grant", "User session not found", Response.Status.BAD_REQUEST);
        }
        UserModel user = userSessionModel.getUser();
        if (user == null) {
            this.event.error("user_not_found");
            throw new CorsErrorResponseException(this.cors, "invalid_grant", "User not found", Response.Status.BAD_REQUEST);
        }
        this.event.user(userSessionModel.getUser());
        if (!user.isEnabled()) {
            this.event.error("user_disabled");
            throw new CorsErrorResponseException(this.cors, "invalid_grant", "User disabled", Response.Status.BAD_REQUEST);
        }
        OAuth2Code codeData = parseCode.getCodeData();
        String redirectUriParam = codeData.getRedirectUriParam();
        String str2 = (String) this.formParams.getFirst("redirect_uri");
        if (str2 != null && str2.contains("session_state=") && !redirectUriParam.contains("session_state=")) {
            str2 = KeycloakUriBuilder.fromUri(str2).replaceQueryParam(CIBAAuthenticationRequest.SESSION_STATE, (Object[]) null).build(new Object[0]).toString();
        }
        if (redirectUriParam != null && !redirectUriParam.equals(str2)) {
            this.event.detail("reason", String.format("Parameter 'redirect_uri' did not match originally saved redirect URI used in initial OIDC request. Saved redirectUri: %s, redirectUri parameter: %s", redirectUriParam, str2));
            this.event.error(ErrorCodes.INVALID_REDIRECT_URI);
            logger.tracef("Parameter 'redirect_uri' did not match originally saved redirect URI used in initial OIDC request. Saved redirectUri: %s, redirectUri parameter: %s", redirectUriParam, str2);
            throw new CorsErrorResponseException(this.cors, "invalid_grant", "Incorrect redirect_uri", Response.Status.BAD_REQUEST);
        }
        if (!this.client.getClientId().equals(clientSession2.getClient().getClientId())) {
            this.event.detail("reason", "Auth error: Found different client_id in clientSession");
            this.event.error("invalid_client");
            throw new CorsErrorResponseException(this.cors, "invalid_grant", "Auth error: Found different client_id in clientSession", Response.Status.BAD_REQUEST);
        }
        if (!this.client.isStandardFlowEnabled()) {
            this.event.detail("reason", "Client not allowed to exchange code");
            this.event.error("not_allowed");
            throw new CorsErrorResponseException(this.cors, "invalid_grant", "Client not allowed to exchange code", Response.Status.BAD_REQUEST);
        }
        if (!AuthenticationManager.isSessionValid(this.realm, userSessionModel)) {
            this.event.detail("reason", "Session not active");
            this.event.error("user_session_not_found");
            throw new CorsErrorResponseException(this.cors, "invalid_grant", "Session not active", Response.Status.BAD_REQUEST);
        }
        String str3 = (String) this.formParams.getFirst("code_verifier");
        String codeChallenge = codeData.getCodeChallenge();
        String codeChallengeMethod = codeData.getCodeChallengeMethod();
        String id = user.getId();
        String username = user.getUsername();
        if (id == null) {
            id = "unknown";
        }
        if (username == null) {
            username = "unknown";
        }
        if (codeChallengeMethod == null || codeChallengeMethod.isEmpty()) {
            PkceUtils.checkParamsForPkceNotEnforcedClient(str3, codeChallenge, codeChallengeMethod, id, username, this.event, this.cors);
        } else {
            PkceUtils.checkParamsForPkceEnforcedClient(str3, codeChallenge, codeChallengeMethod, id, username, this.event, this.cors);
        }
        DPoPUtil.validateDPoPJkt(codeData.getDpopJkt(), this.session, this.event, this.cors);
        try {
            this.session.clientPolicy().triggerOnEvent(new TokenRequestContext(this.formParams, parseCode));
            updateClientSession(clientSession2);
            updateUserSessionFromClientAuth(userSessionModel);
            String scope = codeData.getScope();
            Supplier supplier = () -> {
                return TokenManager.getRequestedClientScopes(this.session, scope, this.client, user);
            };
            if (TokenManager.verifyConsentStillAvailable(this.session, user, this.client, (Stream) supplier.get())) {
                DefaultClientSessionContext fromClientSessionAndScopeParameter = DefaultClientSessionContext.fromClientSessionAndScopeParameter(clientSession2, scope, this.session);
                fromClientSessionAndScopeParameter.setAttribute(OIDCLoginProtocol.NONCE_PARAM, codeData.getNonce());
                return createTokenResponse(user, userSessionModel, fromClientSessionAndScopeParameter, scope, true, accessTokenResponseBuilder -> {
                    return new TokenResponseContext(this.formParams, parseCode, fromClientSessionAndScopeParameter, accessTokenResponseBuilder);
                });
            }
            this.event.detail("reason", "Client no longer has requested consent from user");
            this.event.error("not_allowed");
            throw new CorsErrorResponseException(this.cors, "invalid_scope", "Client no longer has requested consent from user", Response.Status.BAD_REQUEST);
        } catch (ClientPolicyException e) {
            this.event.detail("reason", "client_policy_error");
            this.event.detail("client_policy_error", e.getError());
            this.event.detail("client_policy_error_detail", e.getErrorDetail());
            this.event.error(e.getError());
            throw new CorsErrorResponseException(this.cors, "invalid_grant", e.getErrorDetail(), Response.Status.BAD_REQUEST);
        }
    }

    public EventType getEventType() {
        return EventType.CODE_TO_TOKEN;
    }
}
