package org.keycloak.authentication.authenticators.browser;

import java.util.Optional;
import javax.ws.rs.core.Response;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.authenticators.util.AuthenticatorUtils;
import org.keycloak.common.util.ObjectUtil;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialModel;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.credential.RecoveryAuthnCodesCredentialModel;
import org.keycloak.models.utils.FormMessage;
import org.keycloak.services.messages.Messages;

/* loaded from: input_file:org/keycloak/authentication/authenticators/browser/RecoveryAuthnCodesFormAuthenticator.class */
/**
 * Browser-flow authenticator that challenges an already identified user for one of
 * their recovery authentication codes (credential type {@code recovery-authn-codes}).
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The brute-force lockout check runs before the submitted code is handed to the
 *       credential manager.</li>
 *   <li>A wrong code is reported through {@code failureChallenge} with
 *       {@link AuthenticationFlowError#INVALID_CREDENTIALS}; a blank submission and a
 *       locked-out user are answered with {@code forceChallenge} instead.</li>
 *   <li>When the stored credential reports that all codes are used, it is removed and
 *       the user is required to configure a new set.</li>
 * </ul>
 */
public class RecoveryAuthnCodesFormAuthenticator implements Authenticator {
    /** Credential type string used for event details and credential-manager lookups. */
    private static final String CREDENTIAL_TYPE = "recovery-authn-codes";

    /** Name of the form parameter (and form field) that carries the submitted code. */
    private static final String RECOVERY_CODE_FIELD = "recoveryCodeInput";

    /** Message key shown for both a blank and a wrong recovery code. */
    private static final String INVALID_CODE_MESSAGE = "recovery-codes-error-invalid";

    /**
     * Creates the authenticator. The session argument is accepted but not stored or used.
     *
     * @param keycloakSession ignored by this constructor
     */
    public RecoveryAuthnCodesFormAuthenticator(KeycloakSession keycloakSession) {
    }

    /**
     * Presents the recovery-code form without any error message.
     *
     * @param authenticationFlowContext flow context that receives the challenge
     */
    public void authenticate(AuthenticationFlowContext authenticationFlowContext) {
        Response initialForm = createLoginForm(authenticationFlowContext, false, null, null);
        authenticationFlowContext.challenge(initialForm);
    }

    /**
     * Handles the submitted form: records the credential type on the event and marks the
     * execution successful only when the submitted code validates.
     *
     * <p>Nothing further is done on failure here because every failing path inside
     * {@link #isRecoveryAuthnCodeInputValid} has already set a challenge on the context.
     *
     * @param authenticationFlowContext flow context of the current execution
     */
    public void action(AuthenticationFlowContext authenticationFlowContext) {
        authenticationFlowContext.getEvent().detail("credential_type", CREDENTIAL_TYPE);
        if (!isRecoveryAuthnCodeInputValid(authenticationFlowContext)) {
            return;
        }
        authenticationFlowContext.success();
    }

    /**
     * Validates the recovery code posted in the {@code recoveryCodeInput} form parameter.
     *
     * @param flowContext flow context of the current execution
     * @return {@code true} only when the user is not locked out and the credential manager
     *         accepts the code; {@code false} after a challenge has been set otherwise
     */
    private boolean isRecoveryAuthnCodeInputValid(AuthenticationFlowContext flowContext) {
        String submittedCode = (String) flowContext.getHttpRequest().getDecodedFormParameters().getFirst(RECOVERY_CODE_FIELD);
        if (ObjectUtil.isBlank(submittedCode)) {
            // A blank submission is answered with forceChallenge, not failureChallenge.
            // NOTE(review): presumably this keeps empty posts out of the failed-login
            // accounting while still logging an event error - confirm against the flow processor.
            flowContext.forceChallenge(createLoginForm(flowContext, true, INVALID_CODE_MESSAGE, RECOVERY_CODE_FIELD));
            return false;
        }

        // The realm is fetched but its value is not used; the call is kept as in the original.
        flowContext.getRealm();
        UserModel user = flowContext.getUser();

        // The lockout check comes first so a locked-out user never reaches credential validation.
        if (isDisabledByBruteForce(flowContext, user)) {
            return false;
        }

        // Hyphens are stripped, so codes typed with or without separators compare the same.
        String normalizedCode = submittedCode.replace("-", "");
        boolean accepted = user.credentialManager().isValid(new CredentialInput[]{UserCredentialModel.buildFromBackupAuthnCode(normalizedCode)});
        if (!accepted) {
            flowContext.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, createLoginForm(flowContext, true, INVALID_CODE_MESSAGE, RECOVERY_CODE_FIELD));
            return false;
        }

        retireExhaustedCodes(user);
        return true;
    }

    /**
     * After a successful validation, removes the stored recovery-codes credential once it
     * reports that all codes are used, and requires the user to configure new codes when
     * the credential is exhausted or cannot be found.
     *
     * <p>NOTE(review): the stored credential is re-read after validation, presumably
     * because a successful {@code isValid} marks the code as used - confirm in the
     * credential provider.
     *
     * @param user the user whose recovery-codes credential was just accepted
     */
    private void retireExhaustedCodes(UserModel user) {
        Optional<?> stored = user.credentialManager().getStoredCredentialsByTypeStream(CREDENTIAL_TYPE).findFirst();
        if (!stored.isPresent()) {
            user.addRequiredAction(UserModel.RequiredAction.CONFIGURE_RECOVERY_AUTHN_CODES);
            return;
        }

        RecoveryAuthnCodesCredentialModel codes = RecoveryAuthnCodesCredentialModel.createFromCredentialModel((CredentialModel) stored.get());
        if (codes.allCodesUsed()) {
            user.credentialManager().removeStoredCredentialById(codes.getId());
        }
        // Queried a second time, after the possible removal, to keep the original call sequence.
        if (codes.allCodesUsed()) {
            user.addRequiredAction(UserModel.RequiredAction.CONFIGURE_RECOVERY_AUTHN_CODES);
        }
    }

    /**
     * Checks whether the user is currently locked out by brute-force protection and, if so,
     * records the error on the event and re-issues the form.
     *
     * <p>The lockout response uses {@link Messages#INVALID_USER} on the {@code username}
     * field rather than a lockout-specific message.
     * NOTE(review): presumably so the response does not disclose the lock state - confirm.
     *
     * @param authenticationFlowContext flow context of the current execution
     * @param userModel the user being authenticated
     * @return {@code true} when a lockout error was reported and a challenge was set
     */
    protected boolean isDisabledByBruteForce(AuthenticationFlowContext authenticationFlowContext, UserModel userModel) {
        String lockoutError = getDisabledByBruteForceEventError(authenticationFlowContext, userModel);
        boolean lockedOut = lockoutError != null;
        if (lockedOut) {
            authenticationFlowContext.getEvent().user(userModel);
            authenticationFlowContext.getEvent().error(lockoutError);
            authenticationFlowContext.forceChallenge(createLoginForm(authenticationFlowContext, false, Messages.INVALID_USER, "username"));
        }
        return lockedOut;
    }

    /**
     * Delegates to {@link AuthenticatorUtils#getDisabledByBruteForceEventError}; kept as a
     * separate protected method so subclasses can replace the lookup.
     *
     * @param authenticationFlowContext flow context of the current execution
     * @param userModel the user being authenticated
     * @return the event error to report, or {@code null} when the caller should proceed
     */
    protected String getDisabledByBruteForceEventError(AuthenticationFlowContext authenticationFlowContext, UserModel userModel) {
        String eventError = AuthenticatorUtils.getDisabledByBruteForceEventError(authenticationFlowContext, userModel);
        return eventError;
    }

    /**
     * Builds the recovery-code login form, optionally with an error attached.
     *
     * @param flowContext flow context used to obtain the form provider and the event
     * @param reportInvalidCredentials when {@code true}, the event is tagged with the user
     *        and the {@code invalid_user_credentials} error, and the field error is always added
     * @param messageKey message key of the error, or {@code null} for none (only honoured
     *        as optional when {@code reportInvalidCredentials} is {@code false})
     * @param fieldName form field the error belongs to, or {@code null} for a global error
     * @return the rendered recovery-code form response
     */
    private Response createLoginForm(AuthenticationFlowContext flowContext, boolean reportInvalidCredentials, String messageKey, String fieldName) {
        if (reportInvalidCredentials) {
            LoginFormsProvider errorForm = flowContext.form();
            flowContext.getEvent().user(flowContext.getUser());
            flowContext.getEvent().error("invalid_user_credentials");
            errorForm.addError(new FormMessage(fieldName, messageKey));
            return errorForm.createLoginRecoveryAuthnCode();
        }

        LoginFormsProvider form = flowContext.form().setExecution(flowContext.getExecution().getId());
        if (messageKey != null && fieldName != null) {
            form.addError(new FormMessage(fieldName, messageKey));
        } else if (messageKey != null) {
            form.setError(messageKey, new Object[0]);
        }
        return form.createLoginRecoveryAuthnCode();
    }

    /**
     * Reports that this authenticator needs a user to be present in the flow.
     *
     * @return always {@code true}
     */
    public boolean requiresUser() {
        return true;
    }

    /**
     * Tells whether the user has the recovery-codes credential type configured.
     *
     * @param keycloakSession unused
     * @param realmModel unused
     * @param userModel the user whose credential manager is queried
     * @return the credential manager's answer for {@code recovery-authn-codes}
     */
    public boolean configuredFor(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
        boolean configured = userModel.credentialManager().isConfiguredFor(CREDENTIAL_TYPE);
        return configured;
    }

    /**
     * Adds the "configure recovery codes" required action to the current authentication session.
     *
     * @param keycloakSession session whose context supplies the authentication session
     * @param realmModel unused
     * @param userModel unused
     */
    public void setRequiredActions(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
        String requiredAction = UserModel.RequiredAction.CONFIGURE_RECOVERY_AUTHN_CODES.name();
        keycloakSession.getContext().getAuthenticationSession().addRequiredAction(requiredAction);
    }

    /** Nothing to release; this authenticator holds no resources. */
    public void close() {
    }
}
