package org.keycloak.protocol.oidc.grants;

import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import org.jboss.logging.Logger;
import org.keycloak.events.EventType;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oid4vc.issuance.mappers.OID4VCTargetRoleMapper;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.protocol.oidc.grants.OAuth2GrantType;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.services.CorsErrorResponseException;
import org.keycloak.services.Urls;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.context.ServiceAccountTokenRequestContext;
import org.keycloak.services.clientpolicy.context.ServiceAccountTokenResponseContext;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.AuthenticationSessionManager;
import org.keycloak.services.managers.UserSessionManager;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.util.TokenUtil;

/* loaded from: input_file:org/keycloak/protocol/oidc/grants/ClientCredentialsGrantType.class */
public class ClientCredentialsGrantType extends OAuth2GrantTypeBase {
    private static final Logger logger = Logger.getLogger(ClientCredentialsGrantType.class);

    public Response process(OAuth2GrantType.Context context) {
        setContext(context);
        if (this.client.isBearerOnly()) {
            this.event.detail("reason", "Bearer-only client not allowed to retrieve service account");
            this.event.error("invalid_client");
            throw new CorsErrorResponseException(this.cors, "unauthorized_client", "Bearer-only client not allowed to retrieve service account", Response.Status.UNAUTHORIZED);
        }
        if (this.client.isPublicClient()) {
            this.event.detail("reason", "Public client not allowed to retrieve service account");
            this.event.error("invalid_client");
            throw new CorsErrorResponseException(this.cors, "unauthorized_client", "Public client not allowed to retrieve service account", Response.Status.UNAUTHORIZED);
        }
        if (!this.client.isServiceAccountsEnabled()) {
            this.event.detail("reason", "Client not enabled to retrieve service account");
            this.event.error("invalid_client");
            throw new CorsErrorResponseException(this.cors, "unauthorized_client", "Client not enabled to retrieve service account", Response.Status.UNAUTHORIZED);
        }
        UserModel serviceAccount = this.session.users().getServiceAccount(this.client);
        if (serviceAccount == null) {
            this.event.detail("reason", "The associated service account for the client does not exist");
            this.event.error("user_not_found");
            throw new CorsErrorResponseException(this.cors, "invalid_request", "The associated service account for the client does not exist", Response.Status.UNAUTHORIZED);
        }
        String username = serviceAccount.getUsername();
        this.event.detail("username", username);
        this.event.user(serviceAccount);
        if (!serviceAccount.isEnabled()) {
            this.event.detail("reason", "User '" + username + "' disabled");
            this.event.error("user_disabled");
            throw new CorsErrorResponseException(this.cors, "invalid_request", "User '" + username + "' disabled", Response.Status.UNAUTHORIZED);
        }
        String requestedScopes = getRequestedScopes();
        AuthenticationSessionModel createAuthenticationSession = new AuthenticationSessionManager(this.session).createAuthenticationSession(this.realm, false).createAuthenticationSession(this.client);
        createAuthenticationSession.setAuthenticatedUser(serviceAccount);
        createAuthenticationSession.setProtocol("openid-connect");
        createAuthenticationSession.setClientNote("iss", Urls.realmIssuer(this.session.getContext().getUri().getBaseUri(), this.realm.getName()));
        createAuthenticationSession.setClientNote("scope", requestedScopes);
        setAuthorizationDetailsNoteIfIncluded(createAuthenticationSession);
        UserSessionModel.SessionPersistenceState sessionPersistenceState = UserSessionModel.SessionPersistenceState.PERSISTENT;
        boolean isUseRefreshTokenForClientCredentialsGrant = this.clientConfig.isUseRefreshTokenForClientCredentialsGrant();
        if (!isUseRefreshTokenForClientCredentialsGrant) {
            sessionPersistenceState = UserSessionModel.SessionPersistenceState.TRANSIENT;
        }
        UserSessionModel createUserSession = new UserSessionManager(this.session).createUserSession(createAuthenticationSession.getParentSession().getId(), this.realm, serviceAccount, username, this.clientConnection.getRemoteAddr(), "client_auth", false, null, null, sessionPersistenceState);
        this.event.session(createUserSession);
        AuthenticationManager.setClientScopesInSession(this.session, createAuthenticationSession);
        ClientSessionContext attachAuthenticationSession = TokenManager.attachAuthenticationSession(this.session, createUserSession, createAuthenticationSession);
        createUserSession.setNote(OID4VCTargetRoleMapper.CLIENT_CONFIG_KEY, this.client.getClientId());
        createUserSession.setNote("client_id", this.client.getClientId());
        createUserSession.setNote("clientHost", this.clientConnection.getRemoteHost());
        createUserSession.setNote("clientAddress", this.clientConnection.getRemoteAddr());
        try {
            this.session.clientPolicy().triggerOnEvent(new ServiceAccountTokenRequestContext(this.formParams, attachAuthenticationSession.getClientSession()));
            updateUserSessionFromClientAuth(createUserSession);
            TokenManager.AccessTokenResponseBuilder generateAccessToken = this.tokenManager.responseBuilder(this.realm, this.client, this.event, this.session, createUserSession, attachAuthenticationSession).generateAccessToken();
            if (isUseRefreshTokenForClientCredentialsGrant) {
                generateAccessToken = generateAccessToken.generateRefreshToken();
                if ("Offline".equals(generateAccessToken.getRefreshToken().getType())) {
                    this.session.sessions().removeUserSession(this.realm, createUserSession);
                }
            } else {
                generateAccessToken.getAccessToken().setSessionId((String) null);
            }
            checkAndBindMtlsHoKToken(generateAccessToken, isUseRefreshTokenForClientCredentialsGrant);
            if (TokenUtil.isOIDCRequest(attachAuthenticationSession.getClientSession().getNote("scope"))) {
                generateAccessToken.generateIDToken().generateAccessTokenHash();
            }
            try {
                this.session.clientPolicy().triggerOnEvent(new ServiceAccountTokenResponseContext(this.formParams, attachAuthenticationSession.getClientSession(), generateAccessToken));
                try {
                    AccessTokenResponse build = generateAccessToken.build();
                    this.event.success();
                    return this.cors.add(Response.ok(build, MediaType.APPLICATION_JSON_TYPE));
                } catch (RuntimeException e) {
                    this.event.detail("reason", e.getMessage());
                    this.event.error("invalid_request");
                    if ("can not get encryption KEK".equals(e.getMessage())) {
                        throw new CorsErrorResponseException(this.cors, "invalid_request", "can not get encryption KEK", Response.Status.BAD_REQUEST);
                    }
                    throw e;
                }
            } catch (ClientPolicyException e2) {
                this.event.detail("reason", e2.getErrorDetail());
                this.event.error(e2.getError());
                throw new CorsErrorResponseException(this.cors, e2.getError(), e2.getErrorDetail(), Response.Status.BAD_REQUEST);
            }
        } catch (ClientPolicyException e3) {
            this.event.detail("reason", e3.getErrorDetail());
            this.event.error(e3.getError());
            throw new CorsErrorResponseException(this.cors, e3.getError(), e3.getErrorDetail(), Response.Status.BAD_REQUEST);
        }
    }

    public EventType getEventType() {
        return EventType.CLIENT_LOGIN;
    }

    private void setAuthorizationDetailsNoteIfIncluded(AuthenticationSessionModel authenticationSessionModel) {
        String str = (String) this.formParams.getFirst(OIDCLoginProtocol.AUTHORIZATION_DETAILS_PARAM);
        if (str != null) {
            authenticationSessionModel.setClientNote(OIDCLoginProtocol.AUTHORIZATION_DETAILS_PARAM, str);
        }
    }
}
