package org.keycloak.services.managers;

import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Objects;
import org.jboss.logging.Logger;
import org.keycloak.common.util.Base64Url;
import org.keycloak.common.util.Time;
import org.keycloak.cookie.CookieProvider;
import org.keycloak.cookie.CookieType;
import org.keycloak.crypto.SHA256HashProviderFactory;
import org.keycloak.crypto.SignatureProvider;
import org.keycloak.crypto.SignatureSignerContext;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.jose.jws.crypto.HashUtils;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.UserSessionProvider;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.models.utils.SessionExpiration;
import org.keycloak.protocol.RestartLoginCookie;
import org.keycloak.protocol.oid4vc.model.SupportedCredentialConfiguration;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.sessions.RootAuthenticationSessionModel;
import org.keycloak.sessions.StickySessionEncoderProvider;

/* loaded from: input_file:org/keycloak/services/managers/AuthenticationSessionManager.class */
public class AuthenticationSessionManager {
    private static final Logger log = Logger.getLogger(AuthenticationSessionManager.class);
    private final KeycloakSession session;

    public AuthenticationSessionManager(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
    }

    public RootAuthenticationSessionModel createAuthenticationSession(RealmModel realmModel, boolean z) {
        RootAuthenticationSessionModel createRootAuthenticationSession = this.session.authenticationSessions().createRootAuthenticationSession(realmModel);
        if (z) {
            setAuthSessionCookie(createRootAuthenticationSession.getId());
            setAuthSessionIdHashCookie(createRootAuthenticationSession.getId());
        }
        return createRootAuthenticationSession;
    }

    public RootAuthenticationSessionModel getCurrentRootAuthenticationSession(RealmModel realmModel) {
        String authSessionCookies = getAuthSessionCookies(realmModel);
        if (authSessionCookies == null) {
            return null;
        }
        AuthSessionId decodeAuthSessionId = decodeAuthSessionId(authSessionCookies);
        RootAuthenticationSessionModel rootAuthenticationSession = this.session.authenticationSessions().getRootAuthenticationSession(realmModel, decodeAuthSessionId.getDecodedId());
        if (rootAuthenticationSession == null) {
            return null;
        }
        reencodeAuthSessionCookie(authSessionCookies, decodeAuthSessionId, realmModel);
        return rootAuthenticationSession;
    }

    public AuthenticationSessionModel getCurrentAuthenticationSession(RealmModel realmModel, ClientModel clientModel, String str) {
        String authSessionCookies = getAuthSessionCookies(realmModel);
        if (authSessionCookies == null) {
            return null;
        }
        AuthSessionId decodeAuthSessionId = decodeAuthSessionId(authSessionCookies);
        AuthenticationSessionModel authenticationSessionByIdAndClient = getAuthenticationSessionByIdAndClient(realmModel, decodeAuthSessionId.getDecodedId(), clientModel, str);
        if (authenticationSessionByIdAndClient == null) {
            return null;
        }
        reencodeAuthSessionCookie(authSessionCookies, decodeAuthSessionId, realmModel);
        return authenticationSessionByIdAndClient;
    }

    public void setAuthSessionCookie(String str) {
        String encodeSessionId = this.session.getProvider(StickySessionEncoderProvider.class).encodeSessionId(signAndEncodeToBase64AuthSessionId(str));
        this.session.getProvider(CookieProvider.class).set(CookieType.AUTH_SESSION_ID, encodeSessionId);
        log.debugf("Set AUTH_SESSION_ID cookie with value %s", encodeSessionId);
    }

    public void setAuthSessionIdHashCookie(String str) {
        String encodeToString = Base64.getEncoder().withoutPadding().encodeToString(HashUtils.hash(SHA256HashProviderFactory.ID, str.getBytes(StandardCharsets.UTF_8)));
        this.session.getProvider(CookieProvider.class).set(CookieType.AUTH_SESSION_ID_HASH, encodeToString);
        log.debugf("Set KC_AUTH_SESSION_HASH cookie with value %s", encodeToString);
    }

    AuthSessionId decodeAuthSessionId(String str) {
        log.debugf("Found AUTH_SESSION_ID cookie with value %s", str);
        StickySessionEncoderProvider provider = this.session.getProvider(StickySessionEncoderProvider.class);
        String decodeSessionId = provider.decodeSessionId(str);
        String encodeSessionId = provider.encodeSessionId(decodeSessionId);
        if (!KeycloakModelUtils.isValidUUID(decodeSessionId)) {
            decodeSessionId = decodeBase64AndValidateSignature(decodeSessionId, false);
        }
        return new AuthSessionId(decodeSessionId, encodeSessionId);
    }

    void reencodeAuthSessionCookie(String str, AuthSessionId authSessionId, RealmModel realmModel) {
        if (str.equals(authSessionId.getEncodedId())) {
            return;
        }
        log.debugf("Route changed. Will update authentication session cookie. Old: '%s', New: '%s'", str, authSessionId.getEncodedId());
        setAuthSessionCookie(authSessionId.getDecodedId());
    }

    public String decodeBase64AndValidateSignature(String str, boolean z) {
        try {
            String str2 = new String(Base64Url.decode(str), StandardCharsets.UTF_8);
            if (str2.lastIndexOf(SupportedCredentialConfiguration.DOT_SEPARATOR) == -1) {
                return null;
            }
            String substring = str2.substring(0, str2.indexOf(SupportedCredentialConfiguration.DOT_SEPARATOR));
            return z ? validateAuthSessionIdSignature(substring, str2.substring(str2.indexOf(SupportedCredentialConfiguration.DOT_SEPARATOR) + 1)) : substring;
        } catch (Exception e) {
            log.errorf("Error decoding auth session id with value: %s", str, e);
            return null;
        }
    }

    private String validateAuthSessionIdSignature(String str, String str2) {
        if (str2.equals(this.session.getAttribute(str))) {
            return str;
        }
        SignatureProvider provider = this.session.getProvider(SignatureProvider.class, "HS512");
        try {
            if (!provider.verifier(provider.signer().getKid()).verify(str.getBytes(StandardCharsets.UTF_8), Base64Url.decode(str2))) {
                return null;
            }
            this.session.setAttribute(str, str2);
            return str;
        } catch (Exception e) {
            log.errorf("Signature validation failed for auth session id: %s", str, e);
            return null;
        }
    }

    private String signAndEncodeToBase64AuthSessionId(String str) {
        SignatureSignerContext signer = this.session.getProvider(SignatureProvider.class, "HS512").signer();
        StringBuilder sb = new StringBuilder();
        byte[] sign = signer.sign(str.getBytes(StandardCharsets.UTF_8));
        sb.append(str);
        if (sign != null) {
            sb.append('.');
            sb.append(Base64Url.encode(sign));
        }
        return Base64Url.encode(sb.toString().getBytes(StandardCharsets.UTF_8));
    }

    String getAuthSessionCookies(RealmModel realmModel) {
        String decodeBase64AndValidateSignature;
        String str = this.session.getProvider(CookieProvider.class).get(CookieType.AUTH_SESSION_ID);
        if (str == null || str.isEmpty() || (decodeBase64AndValidateSignature = decodeBase64AndValidateSignature(this.session.getProvider(StickySessionEncoderProvider.class).decodeSessionId(str), true)) == null || this.session.authenticationSessions().getRootAuthenticationSession(realmModel, decodeBase64AndValidateSignature) == null) {
            return null;
        }
        return str;
    }

    public void removeAuthenticationSession(RealmModel realmModel, AuthenticationSessionModel authenticationSessionModel, boolean z) {
        RootAuthenticationSessionModel parentSession = authenticationSessionModel.getParentSession();
        log.debugf("Removing root authSession '%s'. Expire restart cookie: %b", parentSession.getId(), Boolean.valueOf(z));
        this.session.authenticationSessions().removeRootAuthenticationSession(realmModel, parentSession);
        if (z) {
            RestartLoginCookie.expireRestartCookie(this.session);
            this.session.getProvider(LoginFormsProvider.class).setDetachedAuthSession();
        }
    }

    public boolean removeTabIdInAuthenticationSession(RealmModel realmModel, AuthenticationSessionModel authenticationSessionModel) {
        RootAuthenticationSessionModel parentSession = authenticationSessionModel.getParentSession();
        parentSession.removeAuthenticationSessionByTabId(authenticationSessionModel.getTabId());
        if (!parentSession.getAuthenticationSessions().isEmpty()) {
            return false;
        }
        removeAuthenticationSession(realmModel, authenticationSessionModel, true);
        return true;
    }

    public void updateAuthenticationSessionAfterSuccessfulAuthentication(RealmModel realmModel, AuthenticationSessionModel authenticationSessionModel) {
        if (removeTabIdInAuthenticationSession(realmModel, authenticationSessionModel)) {
            return;
        }
        if (realmModel.getSsoSessionIdleTimeout() < SessionExpiration.getAuthSessionLifespan(realmModel) && realmModel.getSsoSessionMaxLifespan() < SessionExpiration.getAuthSessionLifespan(realmModel)) {
            removeAuthenticationSession(realmModel, authenticationSessionModel, true);
            return;
        }
        RootAuthenticationSessionModel parentSession = authenticationSessionModel.getParentSession();
        int accessCodeLifespan = realmModel.getAccessCodeLifespan();
        parentSession.setTimestamp((Time.currentTime() - SessionExpiration.getAuthSessionLifespan(realmModel)) + accessCodeLifespan);
        log.tracef("Removed authentication session of root session '%s' with tabId '%s'. But there are remaining tabs in the root session. Root authentication session will expire in %d seconds", parentSession.getId(), authenticationSessionModel.getTabId(), Integer.valueOf(accessCodeLifespan));
    }

    public UserSessionModel getUserSession(AuthenticationSessionModel authenticationSessionModel) {
        return getUserSessionProvider().getUserSession(authenticationSessionModel.getRealm(), authenticationSessionModel.getParentSession().getId());
    }

    public AuthenticationSessionModel getAuthenticationSessionByIdAndClient(RealmModel realmModel, String str, ClientModel clientModel, String str2) {
        RootAuthenticationSessionModel rootAuthenticationSession = this.session.authenticationSessions().getRootAuthenticationSession(realmModel, str);
        if (rootAuthenticationSession == null) {
            return null;
        }
        return rootAuthenticationSession.getAuthenticationSession(clientModel, str2);
    }

    public AuthenticationSessionModel getAuthenticationSessionByEncodedIdAndClient(RealmModel realmModel, String str, ClientModel clientModel, String str2) {
        return getAuthenticationSessionByIdAndClient(realmModel, decodeBase64AndValidateSignature(str, true), clientModel, str2);
    }

    public UserSessionModel getUserSessionFromAuthenticationCookie(RealmModel realmModel) {
        String authSessionCookies = getAuthSessionCookies(realmModel);
        if (authSessionCookies == null) {
            AuthenticationManager.AuthResult authenticateIdentityCookie = AuthenticationManager.authenticateIdentityCookie(this.session, realmModel, true);
            if (authenticateIdentityCookie == null || authenticateIdentityCookie.getSession() == null) {
                return null;
            }
            authSessionCookies = authenticateIdentityCookie.getSession().getId();
        }
        AuthSessionId decodeAuthSessionId = decodeAuthSessionId(authSessionCookies);
        String decodedId = decodeAuthSessionId.getDecodedId();
        UserSessionProvider userSessionProvider = getUserSessionProvider();
        userSessionProvider.getUserSessionWithPredicate(realmModel, decodedId, false, (v0) -> {
            return Objects.isNull(v0);
        });
        UserSessionModel userSession = userSessionProvider.getUserSession(realmModel, decodedId);
        if (userSession == null) {
            return null;
        }
        reencodeAuthSessionCookie(authSessionCookies, decodeAuthSessionId, realmModel);
        return userSession;
    }

    private UserSessionProvider getUserSessionProvider() {
        return this.session.sessions();
    }
}
