package org.keycloak.authentication.actiontoken.inviteorg;

import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.UriInfo;
import java.net.URI;
import java.util.Objects;
import org.keycloak.TokenVerifier;
import org.keycloak.authentication.AuthenticationProcessor;
import org.keycloak.authentication.actiontoken.AbstractActionTokenHandler;
import org.keycloak.authentication.actiontoken.ActionTokenContext;
import org.keycloak.authentication.actiontoken.TokenUtils;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.OrganizationModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.organization.OrganizationProvider;
import org.keycloak.protocol.oidc.utils.RedirectUtils;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.services.Urls;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.messages.Messages;
import org.keycloak.sessions.AuthenticationSessionCompoundId;
import org.keycloak.sessions.AuthenticationSessionModel;

/* loaded from: input_file:org/keycloak/authentication/actiontoken/inviteorg/InviteOrgActionTokenHandler.class */
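/**
 * Action-token handler for organization invitation links
 * ({@link InviteOrgActionToken}).
 *
 * <p>The handler checks that the invitation was issued for the email of the
 * user authenticated in the current authentication session and, once the
 * request is not running in a fresh authentication session, adds that user to
 * the organization named in the token.
 */
public class InviteOrgActionTokenHandler extends AbstractActionTokenHandler<InviteOrgActionToken> {
    /**
     * Registers the handler for {@link InviteOrgActionToken#TOKEN_TYPE} with
     * the {@link EventType#INVITE_ORG} event type.
     */
    public InviteOrgActionTokenHandler() {
        // NOTE(review): the third and fifth arguments look like the default error
        // message and default event error; confirm against AbstractActionTokenHandler.
        super(InviteOrgActionToken.TOKEN_TYPE, InviteOrgActionToken.class, Messages.STALE_INVITE_ORG_LINK, EventType.INVITE_ORG, "invalid_token");
    }

    /**
     * Returns the extra checks applied to an invitation token.
     *
     * <p>The single check binds the token to its recipient: the email stored in
     * the token must equal the email of the user authenticated in the current
     * authentication session. The comparison is an exact, case-sensitive
     * {@link Objects#equals(Object, Object)}.
     *
     * @param actionTokenContext context giving access to the authentication session
     * @return the predicates to evaluate; a failed check is reported as {@code invalid_email}
     */
    @Override // org.keycloak.authentication.actiontoken.ActionTokenHandler
    public TokenVerifier.Predicate<? super InviteOrgActionToken>[] getVerifiers(ActionTokenContext<InviteOrgActionToken> actionTokenContext) {
        return TokenUtils.predicates(TokenUtils.checkThat(token -> {
            UserModel user = actionTokenContext.getAuthenticationSession().getAuthenticatedUser();
            // Fail closed: without an authenticated user there is nothing to bind the
            // invitation to, so reject the token instead of dereferencing null.
            // NOTE(review): Objects.equals treats two nulls as equal, so a token without
            // an email would match a user without an email - confirm that invitation
            // tokens are always issued with an email.
            return user != null && Objects.equals(token.getEmail(), user.getEmail());
        }, "invalid_email", getDefaultErrorMessage()));
    }

    /**
     * Processes an invitation token for the authenticated user.
     *
     * <p>Outcomes, in order:
     * <ul>
     *   <li>organization not found: event error {@code org_not_found} and an info page;</li>
     *   <li>user already a member: event error {@code user_org_member_already} and an info page;</li>
     *   <li>fresh authentication session: a confirmation page whose action link carries
     *       the token re-serialized with this session's compound id; no membership is
     *       added on this request;</li>
     *   <li>otherwise: the user is added to the organization and the flow continues
     *       with required actions or a redirect.</li>
     * </ul>
     *
     * <p>NOTE(review): the authenticated user is dereferenced without a null check;
     * this presumably relies on the caller having run {@link #getVerifiers} first - confirm.
     *
     * @param inviteOrgActionToken the invitation token being handled
     * @param actionTokenContext request context (session, realm, events, authentication session)
     * @return the page or redirect to send to the browser
     */
    public Response handleToken(InviteOrgActionToken inviteOrgActionToken, ActionTokenContext<InviteOrgActionToken> actionTokenContext) {
        AuthenticationSessionModel authSession = actionTokenContext.getAuthenticationSession();
        UserModel user = authSession.getAuthenticatedUser();
        KeycloakSession session = actionTokenContext.getSession();
        OrganizationProvider orgProvider = session.getProvider(OrganizationProvider.class);
        EventBuilder event = actionTokenContext.getEvent();
        event.event(EventType.INVITE_ORG).detail("username", user.getUsername());

        OrganizationModel organization = orgProvider.getById(inviteOrgActionToken.getOrgId());
        if (organization == null) {
            event.user(user).error("org_not_found");
            // The organization id taken from the token is passed as the message parameter.
            return session.getProvider(LoginFormsProvider.class)
                    .setAuthenticationSession(authSession)
                    .setInfo(Messages.ORG_NOT_FOUND, inviteOrgActionToken.getOrgId())
                    .createInfoPage();
        }
        if (organization.isMember(user)) {
            event.user(user).error("user_org_member_already");
            return session.getProvider(LoginFormsProvider.class)
                    .setAuthenticationSession(authSession)
                    .setInfo(Messages.ORG_MEMBER_ALREADY, user.getUsername())
                    .createInfoPage();
        }

        UriInfo uriInfo = actionTokenContext.getUriInfo();
        RealmModel realm = actionTokenContext.getRealm();
        if (actionTokenContext.isAuthenticationSessionFresh()) {
            // In a fresh authentication session the membership is not granted on this
            // request. The token is tied to this session's compound id and handed back
            // as the action link of a confirmation page.
            inviteOrgActionToken.setCompoundAuthenticationSessionId(AuthenticationSessionCompoundId.fromAuthSession(authSession).getEncodedId());
            String actionUri = Urls.actionTokenBuilder(
                            uriInfo.getBaseUri(),
                            inviteOrgActionToken.serialize(session, realm, uriInfo),
                            authSession.getClient().getClientId(),
                            authSession.getTabId(),
                            AuthenticationProcessor.getClientData(session, authSession))
                    .build(realm.getName())
                    .toString();
            return session.getProvider(LoginFormsProvider.class)
                    .setAuthenticationSession(authSession)
                    .setSuccess(Messages.CONFIRM_ORGANIZATION_MEMBERSHIP, organization.getName())
                    .setAttribute("messageHeader", Messages.CONFIRM_ORGANIZATION_MEMBERSHIP_TITLE)
                    .setAttribute("actionUri", actionUri)
                    .setAttribute("kc.org.name", organization.getName())
                    .createInfoPage();
        }

        // Reuse the organization that was just looked up and null-checked instead of
        // fetching it a second time and passing an unchecked result to addMember.
        orgProvider.addMember(organization, user);

        // The redirect URI carried by the token is only honoured when
        // RedirectUtils.verifyRedirectUri returns a non-null value for this client;
        // otherwise the session's existing redirect settings are left untouched.
        String redirectUri = RedirectUtils.verifyRedirectUri(actionTokenContext.getSession(), inviteOrgActionToken.getRedirectUri(), authSession.getClient());
        boolean hasRedirect = redirectUri != null;
        if (hasRedirect) {
            authSession.setAuthNote(AuthenticationManager.SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS, "true");
            authSession.setRedirectUri(redirectUri);
            authSession.setClientNote("redirect_uri", redirectUri);
        }

        event.success();
        // Continue as a LOGIN event built from a copy of this one, without the "email" detail.
        actionTokenContext.setEvent(event.clone().removeDetail("email").event(EventType.LOGIN));

        String nextRequiredAction = AuthenticationManager.nextRequiredAction(session, authSession, actionTokenContext.getRequest(), event);
        if (nextRequiredAction == null) {
            authSession.removeAuthNote(AuthenticationManager.END_AFTER_REQUIRED_ACTIONS);
            if (hasRedirect) {
                // Nothing left to do: send the browser straight to the verified redirect URI.
                return Response.status(Response.Status.FOUND).location(URI.create(redirectUri)).build();
            }
        }
        return AuthenticationManager.redirectToRequiredActions(session, realm, authSession, uriInfo, nextRequiredAction);
    }

    /**
     * Type-erased entry point that casts its arguments and delegates to
     * {@link #handleToken(InviteOrgActionToken, ActionTokenContext)}.
     *
     * <p>Marked bridge/synthetic by the decompiler, i.e. this is the
     * compiler-generated bridge method rather than hand-written code.
     */
    @Override // org.keycloak.authentication.actiontoken.ActionTokenHandler
    public /* bridge */ /* synthetic */ Response handleToken(JsonWebToken jsonWebToken, ActionTokenContext actionTokenContext) {
        return handleToken((InviteOrgActionToken) jsonWebToken, (ActionTokenContext<InviteOrgActionToken>) actionTokenContext);
    }
}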
