package org.keycloak.authentication.requiredactions.util;

import jakarta.ws.rs.BadRequestException;
import jakarta.ws.rs.ForbiddenException;
import jakarta.ws.rs.NotFoundException;
import java.util.function.Supplier;
import org.jboss.logging.Logger;
import org.keycloak.authentication.AuthenticatorUtil;
import org.keycloak.authentication.authenticators.util.LoAUtil;
import org.keycloak.credential.CredentialModel;
import org.keycloak.credential.CredentialProvider;
import org.keycloak.credential.CredentialTypeMetadataContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/* loaded from: input_file:org/keycloak/authentication/requiredactions/util/CredentialDeleteHelper.class */
/**
 * Static helpers for removing a user's credential after verifying that the
 * credential type may be removed and that the current level of authentication
 * (LoA) is high enough.
 *
 * <p>Every removal path calls {@code checkIfCanBeRemoved} before it touches the
 * credential manager, so a failed check leaves the stored credentials unchanged.
 */
public class CredentialDeleteHelper {
    private static final Logger logger = Logger.getLogger(CredentialDeleteHelper.class);

    /** Suffix which marks an id as "credential type + suffix" rather than a stored credential id. */
    private static final String TYPE_ID_SUFFIX = "-id";

    /**
     * Removes the stored credential with the given id or, when no such credential
     * exists and the id ends with {@code "-id"}, disables the credential type named
     * by the rest of the id.
     *
     * @param keycloakSession session used to look up credential providers and the realm
     * @param userModel user that owns the credential
     * @param str id of the stored credential, or {@code <type>-id}
     * @param supplier supplies the current level of authentication; must not yield
     *     {@code null}, because the value is unboxed during the LoA comparison
     * @return the removed stored credential, or {@code null} when a credential type
     *     was disabled instead
     * @throws NotFoundException if neither a stored credential nor a {@code -id}
     *     suffixed id is given, or if no credential provider handles the type
     * @throws BadRequestException if the credential type is not removable
     * @throws ForbiddenException if the supplied LoA is lower than the LoA requested
     *     for the credential type
     */
    public static CredentialModel removeCredential(KeycloakSession keycloakSession, UserModel userModel, String str, Supplier<Integer> supplier) {
        CredentialModel stored = userModel.credentialManager().getStoredCredentialById(str);
        if (stored == null) {
            if (str.endsWith(TYPE_ID_SUFFIX)) {
                // No stored credential: the id is interpreted as "<credential type>-id".
                String credentialType = str.substring(0, str.length() - TYPE_ID_SUFFIX.length());
                checkIfCanBeRemoved(keycloakSession, userModel, credentialType, supplier);
                userModel.credentialManager().disableCredentialType(credentialType);
                return null;
            }
            throw new NotFoundException("Credential not found");
        }

        // Authorisation checks first; the credential is deleted only if none of them throws.
        checkIfCanBeRemoved(keycloakSession, userModel, stored.getType(), supplier);
        userModel.credentialManager().removeStoredCredentialById(str);
        return stored;
    }

    /**
     * Verifies that a credential of the given type may be removed for this user.
     *
     * <p>Fails with {@link NotFoundException} when no credential provider reports
     * this type, with {@link BadRequestException} when the provider's metadata says
     * the type is not removable, and otherwise delegates to the LoA check.
     */
    private static void checkIfCanBeRemoved(KeycloakSession session, UserModel user, String credentialType, Supplier<Integer> currentLoa) {
        CredentialProvider provider = AuthenticatorUtil.getCredentialProviders(session)
                .filter(candidate -> credentialType.equals(candidate.getType()))
                .findAny()
                .orElse(null);
        if (provider == null) {
            // On the "-id" path credentialType is cut directly out of the id passed to removeCredential.
            // NOTE(review): if that id can come from a request, confirm the log output neutralises line breaks.
            logger.warnf("Credential provider %s not found", credentialType);
            throw new NotFoundException("Credential provider not found");
        }

        CredentialTypeMetadataContext metadataContext = CredentialTypeMetadataContext.builder().user(user).build(session);
        boolean removable = provider.getCredentialTypeMetadata(metadataContext).isRemoveable();
        if (!removable) {
            logger.warnf("Credential type %s cannot be removed", credentialType);
            throw new BadRequestException("Credential type cannot be removed");
        }

        checkAuthenticatedLoASufficientForCredentialRemove(session, credentialType, currentLoa);
    }

    /**
     * Throws {@link ForbiddenException} when the supplied level of authentication is
     * lower than the level requested for the credential type in the session's realm.
     */
    private static void checkAuthenticatedLoASufficientForCredentialRemove(KeycloakSession session, String credentialType, Supplier<Integer> currentLoa) {
        // Unboxing: a supplier that yields null raises NullPointerException here.
        int currentLevel = currentLoa.get().intValue();
        RealmModel realm = session.getContext().getRealm();
        int requiredLevel = getRequestedLoaForCredential(session, realm, credentialType);
        if (currentLevel >= requiredLevel) {
            return;
        }
        // credentialType has already matched a registered provider's type when this is reached.
        throw new ForbiddenException("Insufficient level of authentication for removing credential of type '" + credentialType + "'.");
    }

    /**
     * Looks up the level of authentication mapped to the credential type in the
     * realm's browser flow.
     *
     * @return the mapped level, or {@code -1} when the type has no entry in the map
     */
    private static int getRequestedLoaForCredential(KeycloakSession session, RealmModel realm, String credentialType) {
        // Only the browser flow is consulted. With the -1 default the caller's comparison
        // rejects only current levels below -1.
        // NOTE(review): presumably -1 means no step-up is configured for this type; confirm.
        Integer requested = LoAUtil.getCredentialTypesToLoAMap(session, realm, realm.getBrowserFlow()).getOrDefault(credentialType, -1);
        return requested.intValue();
    }
}
