package org.keycloak.authentication.requiredactions;

import com.webauthn4j.WebAuthnRegistrationManager;
import com.webauthn4j.converter.util.ObjectConverter;
import com.webauthn4j.data.RegistrationData;
import com.webauthn4j.data.RegistrationParameters;
import com.webauthn4j.data.RegistrationRequest;
import com.webauthn4j.data.attestation.authenticator.AttestedCredentialData;
import com.webauthn4j.data.attestation.statement.AttestationStatement;
import com.webauthn4j.data.attestation.statement.COSEAlgorithmIdentifier;
import com.webauthn4j.data.client.Origin;
import com.webauthn4j.data.client.challenge.DefaultChallenge;
import com.webauthn4j.server.ServerProperty;
import com.webauthn4j.util.exception.WebAuthnException;
import com.webauthn4j.validator.attestation.statement.androidkey.AndroidKeyAttestationStatementValidator;
import com.webauthn4j.validator.attestation.statement.androidsafetynet.AndroidSafetyNetAttestationStatementValidator;
import com.webauthn4j.validator.attestation.statement.none.NoneAttestationStatementValidator;
import com.webauthn4j.validator.attestation.statement.packed.PackedAttestationStatementValidator;
import com.webauthn4j.validator.attestation.statement.tpm.TPMAttestationStatementValidator;
import com.webauthn4j.validator.attestation.statement.u2f.FIDOU2FAttestationStatementValidator;
import com.webauthn4j.validator.attestation.trustworthiness.certpath.CertPathTrustworthinessValidator;
import com.webauthn4j.validator.attestation.trustworthiness.self.DefaultSelfAttestationTrustworthinessValidator;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import org.jboss.logging.Logger;
import org.keycloak.WebAuthnConstants;
import org.keycloak.authentication.CredentialRegistrator;
import org.keycloak.authentication.InitiatedActionSupport;
import org.keycloak.authentication.RequiredActionContext;
import org.keycloak.authentication.RequiredActionProvider;
import org.keycloak.common.util.Base64Url;
import org.keycloak.common.util.CollectionUtil;
import org.keycloak.common.util.UriUtils;
import org.keycloak.credential.CredentialProvider;
import org.keycloak.credential.WebAuthnCredentialModelInput;
import org.keycloak.credential.WebAuthnCredentialProvider;
import org.keycloak.credential.WebAuthnCredentialProviderFactory;
import org.keycloak.http.HttpRequest;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.UserModel;
import org.keycloak.models.WebAuthnPolicy;
import org.keycloak.models.credential.WebAuthnCredentialModel;
import org.keycloak.services.managers.AuthenticationSessionManager;
import org.keycloak.services.messages.Messages;
import org.keycloak.userprofile.DeclarativeUserProfileProvider;
import org.keycloak.utils.StringUtil;

/* loaded from: input_file:org/keycloak/authentication/requiredactions/WebAuthnRegister.class */
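/**
 * Required action that registers a WebAuthn (FIDO2) credential for the current user.
 *
 * <p>The ceremony has two halves: {@link #requiredActionChallenge} issues a fresh challenge,
 * stores it on the authentication session and renders the registration form; {@link #processAction}
 * takes the browser's {@code navigator.credentials.create()} response back, verifies it with
 * webauthn4j against server-side expectations (origin, RP ID, challenge, user verification) and
 * the realm {@link WebAuthnPolicy}, and persists the resulting credential.
 *
 * <p>Every security-relevant expectation (origin, RP ID, challenge, user-verification requirement,
 * acceptable AAGUIDs) is taken from this deployment's own configuration or authentication session,
 * never from the submitted form.
 */
public class WebAuthnRegister implements RequiredActionProvider, CredentialRegistrator {
    private static final String WEB_AUTHN_TITLE_ATTR = "webAuthnTitle";
    private static final Logger logger = Logger.getLogger(WebAuthnRegister.class);

    private final KeycloakSession session;
    /**
     * Decides whether an attestation certificate chain is trusted. Supplied by the factory; which
     * authenticators it accepts depends on the realm's attestation configuration, not on this class.
     */
    private final CertPathTrustworthinessValidator certPathTrustValidator;

    /**
     * @param keycloakSession                  the current session, used to look up the credential provider
     * @param certPathTrustworthinessValidator trust validator handed to webauthn4j for attestation chains
     */
    public WebAuthnRegister(KeycloakSession keycloakSession, CertPathTrustworthinessValidator certPathTrustworthinessValidator) {
        this.session = keycloakSession;
        this.certPathTrustValidator = certPathTrustworthinessValidator;
    }

    /** This action can be started by the application (e.g. via {@code kc_action}), not only forced by the realm. */
    @Override
    public InitiatedActionSupport initiatedActionSupport() {
        return InitiatedActionSupport.SUPPORTED;
    }

    /**
     * Issues a new registration challenge and renders {@code webauthn-register.ftl}.
     *
     * <p>The challenge is generated server-side, stored as an auth note on the authentication session
     * and handed to the page, so the later attestation response can be bound to this exact request.
     * All {@code PublicKeyCredentialCreationOptions} inputs are derived from the realm policy.
     *
     * @param requiredActionContext the required-action context for the current login flow
     */
    @Override
    public void requiredActionChallenge(RequiredActionContext requiredActionContext) {
        UserModel user = requiredActionContext.getUser();
        // The browser echoes this back as PublicKeyCredentialUserEntity.id: base64url of the UTF-8 user id bytes.
        String userIdBase64Url = Base64Url.encode(user.getId().getBytes(StandardCharsets.UTF_8));
        String username = user.getUsername();

        // One fresh challenge per ceremony; a stale or missing note makes processAction reject the response.
        String challengeBase64Url = Base64Url.encode(new DefaultChallenge().getValue());
        requiredActionContext.getAuthenticationSession().setAuthNote(WebAuthnConstants.AUTH_CHALLENGE_NOTE, challengeBase64Url);

        WebAuthnPolicy policy = getWebAuthnPolicy(requiredActionContext);
        String signatureAlgorithms = stringifySignatureAlgorithms(policy.getSignatureAlgorithm());
        String rpEntityName = policy.getRpEntityName();
        String rpId = resolveRpId(policy, requiredActionContext);
        String attestationConveyancePreference = policy.getAttestationConveyancePreference();
        String authenticatorAttachment = policy.getAuthenticatorAttachment();
        String requireResidentKey = policy.getRequireResidentKey();
        String userVerificationRequirement = policy.getUserVerificationRequirement();
        long createTimeout = policy.getCreateTimeout();

        // excludeCredentials: when the policy forbids re-registering the same authenticator, list the
        // user's existing credential ids (base64url, comma separated) so the browser refuses duplicates.
        String excludeCredentialIds = policy.isAvoidSameAuthenticatorRegister()
                ? user.credentialManager().getStoredCredentialsByTypeStream(getCredentialType())
                        .map(credentialModel -> Base64Url.encodeBase64ToBase64Url(
                                WebAuthnCredentialModel.createFromCredentialModel(credentialModel)
                                        .getWebAuthnCredentialData().getCredentialId()))
                        .collect(Collectors.joining(","))
                : "";

        // The form may be rendered on a request without a form body (presumably the initial GET),
        // so only read the retry flag when the request is actually form-encoded.
        String isSetRetry = null;
        if (isFormDataRequest(requiredActionContext.getHttpRequest())) {
            isSetRetry = requiredActionContext.getHttpRequest().getDecodedFormParameters().getFirst(WebAuthnConstants.IS_SET_RETRY);
        }

        requiredActionContext.challenge(requiredActionContext.form()
                .setAttribute(WebAuthnConstants.CHALLENGE, challengeBase64Url)
                .setAttribute(WebAuthnConstants.USER_ID, userIdBase64Url)
                .setAttribute("username", username)
                .setAttribute(WebAuthnConstants.RP_ENTITY_NAME, rpEntityName)
                .setAttribute(WebAuthnConstants.SIGNATURE_ALGORITHMS, signatureAlgorithms)
                .setAttribute(WebAuthnConstants.RP_ID, rpId)
                .setAttribute(WebAuthnConstants.ATTESTATION_CONVEYANCE_PREFERENCE, attestationConveyancePreference)
                .setAttribute(WebAuthnConstants.AUTHENTICATOR_ATTACHMENT, authenticatorAttachment)
                .setAttribute(WebAuthnConstants.REQUIRE_RESIDENT_KEY, requireResidentKey)
                .setAttribute(WebAuthnConstants.USER_VERIFICATION_REQUIREMENT, userVerificationRequirement)
                .setAttribute(WebAuthnConstants.CREATE_TIMEOUT, Long.valueOf(createTimeout))
                .setAttribute(WebAuthnConstants.EXCLUDE_CREDENTIAL_IDS, excludeCredentialIds)
                .setAttribute(WebAuthnConstants.IS_SET_RETRY, isSetRetry)
                .createForm("webauthn-register.ftl"));
    }

    /** The realm's WebAuthn policy; subclasses (e.g. a passwordless variant) override to pick a different one. */
    protected WebAuthnPolicy getWebAuthnPolicy(RequiredActionContext requiredActionContext) {
        return requiredActionContext.getRealm().getWebAuthnPolicy();
    }

    /** Credential type stored for registrations made by this action. */
    protected String getCredentialType() {
        return "webauthn";
    }

    /** Id of the {@link CredentialProvider} that persists credentials of {@link #getCredentialType()}. */
    protected String getCredentialProviderId() {
        return WebAuthnCredentialProviderFactory.PROVIDER_ID;
    }

    /**
     * Verifies the browser's attestation response and, on success, stores the new credential.
     *
     * <p>Flow: a "retry" submit restarts the ceremony; a client-reported error is surfaced as a
     * verification failure; otherwise the form fields are decoded, validated by webauthn4j against
     * the server-side {@link ServerProperty} and the realm policy, and persisted. Every failure —
     * verifier rejection, missing or malformed form field, unacceptable AAGUID — lands on the
     * WebAuthn error page rather than escaping as an uncaught exception.
     *
     * @param requiredActionContext the required-action context carrying the POSTed form
     */
    @Override
    public void processAction(RequiredActionContext requiredActionContext) {
        MultivaluedMap<String, String> params = requiredActionContext.getHttpRequest().getDecodedFormParameters();

        // "Try again" from the error page: issue a brand-new challenge instead of validating anything.
        String isSetRetry = params.getFirst(WebAuthnConstants.IS_SET_RETRY);
        if (isSetRetry != null && !isSetRetry.isEmpty()) {
            requiredActionChallenge(requiredActionContext);
            return;
        }

        requiredActionContext.getEvent().detail("credential_type", getCredentialType());

        // The page reports navigator.credentials.create() failures through this field.
        String clientError = params.getFirst(WebAuthnConstants.ERROR);
        if (clientError != null && !clientError.isEmpty()) {
            setErrorResponse(requiredActionContext, Messages.WEBAUTHN_ERROR_REGISTER_VERIFICATION, clientError);
            return;
        }

        WebAuthnPolicy policy = getWebAuthnPolicy(requiredActionContext);
        String rpId = resolveRpId(policy, requiredActionContext);
        String label = params.getFirst(WebAuthnConstants.AUTHENTICATOR_LABEL);
        String publicKeyCredentialId = params.getFirst(WebAuthnConstants.PUBLIC_KEY_CREDENTIAL_ID);

        // webauthn4j only insists on the UV flag when the policy says "required"; "preferred"/"discouraged"
        // leave it to the authenticator. Constant-first equals tolerates an unset policy value.
        boolean userVerificationRequired = WebAuthnConstants.OPTION_REQUIRED.equals(policy.getUserVerificationRequirement());

        WebAuthnRegistrationManager registrationManager = createWebAuthnRegistrationManager();
        try {
            // The expected challenge is the one this server issued in requiredActionChallenge. Without it
            // there is nothing to bind the attestation to, so refuse rather than let the verifier NPE.
            String challengeNote = requiredActionContext.getAuthenticationSession().getAuthNote(WebAuthnConstants.AUTH_CHALLENGE_NOTE);
            if (challengeNote == null || challengeNote.isEmpty()) {
                throw new WebAuthnException("no registration challenge found in the authentication session");
            }
            // NOTE(review): the note is not cleared after a successful registration; whether a second POST
            // within the same authentication session should be refused is a policy question — confirm.

            // Origin and RP ID come from this deployment's base URI / policy, never from the request.
            // Token binding id is not used.
            ServerProperty serverProperty = new ServerProperty(
                    new Origin(UriUtils.getOrigin(requiredActionContext.getUriInfo().getBaseUri())),
                    rpId,
                    new DefaultChallenge(challengeNote),
                    (byte[]) null);

            RegistrationRequest registrationRequest = buildRegistrationRequest(params);
            RegistrationParameters registrationParameters = new RegistrationParameters(serverProperty, userVerificationRequired);

            RegistrationData registrationData = registrationManager.parse(registrationRequest);
            registrationManager.validate(registrationData, registrationParameters);
            showInfoAfterWebAuthnApiCreate(registrationData);
            checkAcceptedAuthenticator(registrationData, policy);

            WebAuthnCredentialModelInput credentialInput = new WebAuthnCredentialModelInput(getCredentialType());
            credentialInput.setAttestedCredentialData(registrationData.getAttestationObject().getAuthenticatorData().getAttestedCredentialData());
            // Initial signature counter; later authentications compare against it to detect cloned authenticators.
            credentialInput.setCount(registrationData.getAttestationObject().getAuthenticatorData().getSignCount());
            credentialInput.setAttestationStatementFormat(registrationData.getAttestationObject().getFormat());
            credentialInput.setTransports(registrationData.getTransports());

            WebAuthnCredentialProvider provider = (WebAuthnCredentialProvider) this.session.getProvider(CredentialProvider.class, getCredentialProviderId());
            WebAuthnCredentialModel credentialModel = provider.getCredentialModelFromCredentialInput(credentialInput, label);
            provider.createCredential(requiredActionContext.getRealm(), requiredActionContext.getUser(), credentialModel);

            String aaguid = credentialModel.getWebAuthnCredentialData().getAaguid();
            logger.debugv("WebAuthn credential registration success for user {0}. credentialType = {1}, publicKeyCredentialId = {2}, publicKeyCredentialLabel = {3}, publicKeyCredentialAAGUID = {4}",
                    requiredActionContext.getUser().getUsername(), getCredentialType(), publicKeyCredentialId, label, aaguid);
            provider.dumpCredentialModel(credentialModel, credentialInput);

            requiredActionContext.getEvent()
                    .detail(WebAuthnConstants.PUBKEY_CRED_ID_ATTR, publicKeyCredentialId)
                    .detail(WebAuthnConstants.PUBKEY_CRED_LABEL_ATTR, label)
                    .detail(WebAuthnConstants.PUBKEY_CRED_AAGUID_ATTR, aaguid);
            requiredActionContext.success();
        } catch (Exception e) {
            // WebAuthnException is unchecked and was handled identically to any other exception, so one
            // catch covers verifier failures as well as malformed input (bad base64url, missing fields).
            // Ordering a catch (Exception) before catch (WebAuthnException) would not even compile.
            if (logger.isDebugEnabled()) {
                logger.debug(e.getMessage(), e);
            }
            setErrorResponse(requiredActionContext, Messages.WEBAUTHN_ERROR_REGISTRATION, e.getMessage());
        }
    }

    /** RP ID from the policy, falling back to the host of this server's base URI when the policy leaves it blank. */
    private static String resolveRpId(WebAuthnPolicy policy, RequiredActionContext requiredActionContext) {
        String rpId = policy.getRpId();
        if (rpId == null || rpId.isEmpty()) {
            rpId = requiredActionContext.getUriInfo().getBaseUri().getHost();
        }
        return rpId;
    }

    /**
     * Decodes the attestation response fields from the submitted form into a webauthn4j request.
     *
     * <p>Missing fields are rejected explicitly instead of being passed to the base64url decoder,
     * which would otherwise throw a NullPointerException outside any error handling.
     *
     * @throws WebAuthnException        when clientDataJSON or attestationObject is absent
     * @throws IllegalArgumentException when either field is not valid base64url (from {@link Base64.Decoder})
     */
    private static RegistrationRequest buildRegistrationRequest(MultivaluedMap<String, String> params) {
        String clientDataJson = params.getFirst(WebAuthnConstants.CLIENT_DATA_JSON);
        String attestationObject = params.getFirst(WebAuthnConstants.ATTESTATION_OBJECT);
        if (clientDataJson == null || attestationObject == null) {
            throw new WebAuthnException("clientDataJSON or attestationObject missing from the registration response");
        }
        byte[] clientDataJsonBytes = Base64.getUrlDecoder().decode(clientDataJson);
        byte[] attestationObjectBytes = Base64.getUrlDecoder().decode(attestationObject);

        // Transports are optional hints from the browser (comma separated); they are stored, not verified.
        String transports = params.getFirst(WebAuthnConstants.TRANSPORTS);
        if (StringUtil.isNotBlank(transports)) {
            Set<String> transportSet = new HashSet<>(Arrays.asList(transports.split(",")));
            return new RegistrationRequest(attestationObjectBytes, clientDataJsonBytes, transportSet);
        }
        return new RegistrationRequest(attestationObjectBytes, clientDataJsonBytes);
    }

    /**
     * Builds the webauthn4j verifier for this registration.
     *
     * <p>Accepted attestation formats: none, packed, tpm, android-key, android-safetynet, fido-u2f.
     * Because "none" is accepted, an attestation is only as strong as the realm's conveyance preference
     * and the injected cert-path trust validator make it. No custom registration validators are added.
     */
    private WebAuthnRegistrationManager createWebAuthnRegistrationManager() {
        return new WebAuthnRegistrationManager(
                Arrays.asList(
                        new NoneAttestationStatementValidator(),
                        new PackedAttestationStatementValidator(),
                        new TPMAttestationStatementValidator(),
                        new AndroidKeyAttestationStatementValidator(),
                        new AndroidSafetyNetAttestationStatementValidator(),
                        new FIDOU2FAttestationStatementValidator()),
                this.certPathTrustValidator,
                new DefaultSelfAttestationTrustworthinessValidator(),
                Collections.emptyList(),
                new ObjectConverter());
    }

    /**
     * Converts the policy's algorithm names into the comma-separated list of COSE identifiers the page
     * puts into {@code pubKeyCredParams}. Order is preserved; names the policy model does not know
     * are dropped silently.
     *
     * @param list algorithm names from {@link WebAuthnPolicy#getSignatureAlgorithm()}, may be null
     * @return e.g. {@code "-7,-257"}, or {@code ""} when nothing is configured
     */
    private String stringifySignatureAlgorithms(List<String> list) {
        if (list == null || list.isEmpty()) {
            return "";
        }
        StringBuilder sb = new StringBuilder();
        for (String name : list) {
            COSEAlgorithmIdentifier alg = toCoseAlgorithm(name);
            if (alg == null) {
                continue;
            }
            if (sb.length() > 0) {
                sb.append(',');
            }
            sb.append(alg.getValue());
        }
        return sb.toString();
    }

    /**
     * Maps a policy algorithm name to its COSE identifier, or null when unknown.
     * RS1 (RSASSA-PKCS1-v1_5 with SHA-1) is only offered when the realm policy explicitly lists it.
     */
    private static COSEAlgorithmIdentifier toCoseAlgorithm(String name) {
        if (name == null) {
            return null;
        }
        switch (name) {
            case "ES256":
                return COSEAlgorithmIdentifier.ES256;
            case "RS256":
                return COSEAlgorithmIdentifier.RS256;
            case "ES384":
                return COSEAlgorithmIdentifier.ES384;
            case "RS384":
                return COSEAlgorithmIdentifier.RS384;
            case "ES512":
                return COSEAlgorithmIdentifier.ES512;
            case "RS512":
                return COSEAlgorithmIdentifier.RS512;
            case "RS1":
                return COSEAlgorithmIdentifier.RS1;
            default:
                return null;
        }
    }

    /** Debug-logs the key algorithm, AAGUID, attestation format and transports of a parsed response. */
    private void showInfoAfterWebAuthnApiCreate(RegistrationData registrationData) {
        AttestedCredentialData attestedCredentialData = registrationData.getAttestationObject().getAuthenticatorData().getAttestedCredentialData();
        AttestationStatement attestationStatement = registrationData.getAttestationObject().getAttestationStatement();
        Set transports = registrationData.getTransports();
        logger.debugv("createad key's algorithm = {0}", String.valueOf(attestedCredentialData.getCOSEKey().getAlgorithm().getValue()));
        logger.debugv("aaguid = {0}", attestedCredentialData.getAaguid().toString());
        logger.debugv("attestation format = {0}", attestationStatement.getFormat());
        if (CollectionUtil.isNotEmpty(transports)) {
            logger.debugv("transports = [{0}]", transports.stream().map((v0) -> {
                return v0.getValue();
            }).collect(Collectors.joining(",")));
        }
    }

    /**
     * Enforces the policy's acceptable-AAGUID allowlist; an empty list accepts every authenticator.
     *
     * <p>NOTE(review): the AAGUID is only as trustworthy as the attestation that carried it. With the
     * "none" format (accepted by {@link #createWebAuthnRegistrationManager()}) it is whatever the client
     * sent, so this list is a policy filter rather than a security boundary unless attestation is required.
     *
     * @throws WebAuthnException when the list is non-empty and does not contain the credential's AAGUID
     */
    private void checkAcceptedAuthenticator(RegistrationData registrationData, WebAuthnPolicy webAuthnPolicy) {
        String aaguid = registrationData.getAttestationObject().getAuthenticatorData().getAttestedCredentialData().getAaguid().toString();
        List<String> acceptableAaguids = webAuthnPolicy.getAcceptableAaguids();
        if (acceptableAaguids == null || acceptableAaguids.isEmpty()) {
            return;
        }
        if (!acceptableAaguids.contains(aaguid)) {
            throw new WebAuthnException("not acceptable aaguid = " + aaguid);
        }
    }

    @Override
    public void close() {
    }

    /** Registration is never triggered automatically; the realm or the application has to request it. */
    @Override
    public void evaluateTriggers(RequiredActionContext requiredActionContext) {
    }

    /**
     * Records the failure on the event and renders the WebAuthn error page.
     *
     * @param requiredActionContext current context
     * @param errorCase             one of {@link Messages#WEBAUTHN_ERROR_REGISTER_VERIFICATION} (the browser
     *                              reported an error) or {@link Messages#WEBAUTHN_ERROR_REGISTRATION} (server-side
     *                              verification failed); anything else is ignored
     * @param errorMessage          detail shown on the page — may be client-supplied or an exception message;
     *                              presumably escaped by the FreeMarker template, confirm before relying on it
     */
    private void setErrorResponse(RequiredActionContext requiredActionContext, String errorCase, String errorMessage) {
        if (Messages.WEBAUTHN_ERROR_REGISTER_VERIFICATION.equals(errorCase)) {
            logger.warnv("WebAuthn API .create() response validation failure. {0}", errorMessage);
            requiredActionContext.getEvent()
                    .detail(WebAuthnConstants.REG_ERR_LABEL, errorCase)
                    .detail(WebAuthnConstants.REG_ERR_DETAIL_LABEL, errorMessage)
                    .error("invalid_user_credentials");
        } else if (Messages.WEBAUTHN_ERROR_REGISTRATION.equals(errorCase)) {
            logger.warn(errorCase);
            requiredActionContext.getEvent()
                    .detail(WebAuthnConstants.REG_ERR_LABEL, errorCase)
                    .detail(WebAuthnConstants.REG_ERR_DETAIL_LABEL, errorMessage)
                    .error("invalid_registration");
        } else {
            return;
        }
        requiredActionContext.challenge(requiredActionContext.form()
                .setError(errorCase, errorMessage)
                .setAttribute(WEB_AUTHN_TITLE_ATTR, Messages.WEBAUTHN_REGISTER_TITLE)
                .createWebAuthnErrorPage());
    }

    /** True when the request body is {@code application/x-www-form-urlencoded} (or compatible). */
    private boolean isFormDataRequest(HttpRequest httpRequest) {
        MediaType mediaType = httpRequest.getHttpHeaders().getMediaType();
        return mediaType != null && mediaType.isCompatible(MediaType.APPLICATION_FORM_URLENCODED_TYPE);
    }
}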
