package org.keycloak.authentication.authenticators.resetcred;

import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.CredentialValidator;
import org.keycloak.credential.CredentialProvider;
import org.keycloak.credential.OTPCredentialProvider;
import org.keycloak.credential.OTPCredentialProviderFactory;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.provider.ProviderConfigurationBuilder;
import org.keycloak.services.messages.Messages;

/* loaded from: input_file:org/keycloak/authentication/authenticators/resetcred/ResetOTP.class */
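/**
 * Reset-credentials authenticator ({@code reset-otp}) that optionally removes the user's existing
 * OTP credentials and then adds the {@code CONFIGURE_TOTP} required action.
 *
 * <p>The behaviour is selected by the {@code action_on_otp_reset_flag} config entry:
 * "Remove none" keeps every stored OTP credential, "Remove one" asks the user to pick one
 * credential to delete, and "Remove all" deletes all of them. With no config present the
 * authenticator behaves like "Remove none".
 *
 * <p>Security note: the credential id submitted from the "Remove one" form is request data. It is
 * only honoured when it names one of the current user's stored OTP credentials, so this step
 * cannot be used to delete a credential of another type.
 */
public class ResetOTP extends AbstractSetRequiredActionAuthenticator implements CredentialValidator<OTPCredentialProvider> {
    public static final String PROVIDER_ID = "reset-otp";
    private static final String ACTION_ON_OTP_RESET_FLAG = "action_on_otp_reset_flag";
    private static final String REMOVE_NONE = "Remove none";
    private static final String REMOVE_ONE = "Remove one";
    private static final String REMOVE_ALL = "Remove all";
    // Credential type used for every stored-credential lookup in this class.
    private static final String OTP_CREDENTIAL_TYPE = "otp";
    // Form attribute and form parameter names shared by authenticate() and action().
    private static final String CONFIGURED_OTP_CREDENTIALS = "configuredOtpCredentials";
    private static final String SELECTED_CREDENTIAL_ID = "selectedCredentialId";

    /**
     * Applies the configured reset mode and, unless a selection form has to be shown, adds the
     * {@code CONFIGURE_TOTP} required action and marks the execution successful.
     *
     * @param authenticationFlowContext the running flow context; its user is the reset target
     */
    public void authenticate(AuthenticationFlowContext authenticationFlowContext) {
        AuthenticatorConfigModel authenticatorConfig = authenticationFlowContext.getAuthenticatorConfig();
        Map<String, String> config = authenticatorConfig == null ? null : authenticatorConfig.getConfig();
        if (config != null) {
            String mode = config.get(ACTION_ON_OTP_RESET_FLAG);
            UserModel user = authenticationFlowContext.getUser();
            if (REMOVE_ALL.equals(mode)) {
                // Snapshot the ids first so credentials are not removed while the stream is open.
                List<String> otpIds = user.credentialManager()
                        .getStoredCredentialsByTypeStream(OTP_CREDENTIAL_TYPE)
                        .map(credential -> credential.getId())
                        .collect(Collectors.toList());
                otpIds.forEach(id -> user.credentialManager().removeStoredCredentialById(id));
            } else if (REMOVE_ONE.equals(mode)) {
                List<?> otpCredentials = user.credentialManager()
                        .getStoredCredentialsByTypeStream(OTP_CREDENTIAL_TYPE)
                        .collect(Collectors.toList());
                if (!otpCredentials.isEmpty()) {
                    // Let the user choose which credential to drop; action() handles the answer.
                    authenticationFlowContext.challenge(authenticationFlowContext.form()
                            .setAttribute(CONFIGURED_OTP_CREDENTIALS, otpCredentials)
                            .createOtpReset());
                    return;
                }
            }
        }
        authenticationFlowContext.getAuthenticationSession().addRequiredAction(UserModel.RequiredAction.CONFIGURE_TOTP);
        authenticationFlowContext.success();
    }

    /**
     * Handles the submitted selection form: removes the chosen OTP credential and continues the
     * flow, or shows the form again when the submitted id is missing or is not one of the user's
     * OTP credentials.
     *
     * @param authenticationFlowContext the running flow context carrying the form submission
     */
    @Override // org.keycloak.authentication.authenticators.resetcred.AbstractSetRequiredActionAuthenticator
    public void action(AuthenticationFlowContext authenticationFlowContext) {
        UserModel user = authenticationFlowContext.getUser();
        String selectedId = authenticationFlowContext.getHttpRequest().getDecodedFormParameters().getFirst(SELECTED_CREDENTIAL_ID);

        // The id comes from the request, so match it against the user's OTP credentials before
        // deleting anything. removeStoredCredentialById() itself is not restricted to a type here.
        boolean selectsOwnOtp = selectedId != null
                && !selectedId.isEmpty()
                && user.credentialManager()
                        .getStoredCredentialsByTypeStream(OTP_CREDENTIAL_TYPE)
                        .anyMatch(credential -> selectedId.equals(credential.getId()));
        if (!selectsOwnOtp) {
            List<?> otpCredentials = user.credentialManager()
                    .getStoredCredentialsByTypeStream(OTP_CREDENTIAL_TYPE)
                    .collect(Collectors.toList());
            authenticationFlowContext.challenge(authenticationFlowContext.form()
                    .setAttribute(CONFIGURED_OTP_CREDENTIALS, otpCredentials)
                    .setError(Messages.RESET_OTP_MISSING_ID_ERROR)
                    .createOtpReset());
            return;
        }

        user.credentialManager().removeStoredCredentialById(selectedId);
        authenticationFlowContext.getAuthenticationSession().addRequiredAction(UserModel.RequiredAction.CONFIGURE_TOTP);
        authenticationFlowContext.success();
    }

    /** @return {@code true}; the reset mode is chosen through the authenticator config */
    @Override // org.keycloak.authentication.authenticators.resetcred.AbstractSetRequiredActionAuthenticator
    public boolean isConfigurable() {
        return true;
    }

    /**
     * Describes the single config property, a list with the three reset modes that defaults to
     * "Remove none".
     *
     * @return the config property definitions for this authenticator
     */
    @Override // org.keycloak.authentication.authenticators.resetcred.AbstractSetRequiredActionAuthenticator
    public List<ProviderConfigProperty> getConfigProperties() {
        return ProviderConfigurationBuilder.create()
                .property(ACTION_ON_OTP_RESET_FLAG, "Action on OTP reset.", " If 'Remove none' is chosen, the user will keep all existing OTP configurations (legacy behavior). If 'Remove one' is chosen, the user will be prompted to choose one OTP configuration which will then be removed. If 'Remove all' is chosen, all existing OTP configurations of the user will be removed. The user will always be prompted to configure a new OTP no matter which option is selected.", "List", REMOVE_NONE, Arrays.asList(REMOVE_NONE, REMOVE_ONE, REMOVE_ALL))
                .build();
    }

    /* renamed from: getCredentialProvider, reason: merged with bridge method [inline-methods] */
    /**
     * Looks up the OTP credential provider registered under
     * {@link OTPCredentialProviderFactory#PROVIDER_ID}.
     *
     * <p>The {@code m85} prefix is a decompiler artefact (see the note above); the name is kept
     * because {@link #configuredFor} in this listing calls it.
     *
     * @param keycloakSession the session used for the provider lookup
     * @return the OTP credential provider
     */
    public OTPCredentialProvider m85getCredentialProvider(KeycloakSession keycloakSession) {
        // getProvider() is typed by the CredentialProvider class token, so narrow it explicitly.
        return (OTPCredentialProvider) keycloakSession.getProvider(CredentialProvider.class, OTPCredentialProviderFactory.PROVIDER_ID);
    }

    /**
     * Reports whether the OTP credential provider considers the user configured.
     *
     * @param keycloakSession the session used to obtain the provider
     * @param realmModel the realm passed to the provider check
     * @param userModel the user passed to the provider check
     * @return the provider's {@code isConfiguredFor} result
     */
    @Override // org.keycloak.authentication.authenticators.resetcred.AbstractSetRequiredActionAuthenticator
    public boolean configuredFor(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
        return m85getCredentialProvider(keycloakSession).isConfiguredFor(realmModel, userModel);
    }

    /** @return the display name of this authenticator */
    public String getDisplayType() {
        return "Reset OTP";
    }

    /** @return the help text for this authenticator */
    public String getHelpText() {
        return "Removes existing OTP configurations (if chosen) and sets the 'Configure OTP' required action.";
    }

    /** @return {@link #PROVIDER_ID} */
    public String getId() {
        return PROVIDER_ID;
    }
}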
