package org.keycloak.authentication.authenticators.browser;

import java.util.LinkedList;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.jboss.logging.Logger;
import org.keycloak.authentication.AbstractFormAuthenticator;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.credential.hash.PasswordHashProvider;
import org.keycloak.models.ModelDuplicateException;
import org.keycloak.models.PasswordPolicy;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.saml.SamlProtocol;
import org.keycloak.services.ServicesLogger;
import org.keycloak.services.messages.Messages;

/* loaded from: input_file:org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator.class */
/**
 * Base class with the username/password checks shared by browser login form authenticators.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Unknown user, wrong password and temporary lockout all render the login form with
 *       {@code Messages.INVALID_USER}, so the page text does not say which check failed.</li>
 *   <li>{@code Messages.ACCOUNT_DISABLED} is only rendered by {@link #enabledUser}, which
 *       {@link #validateUserAndPassword} calls after the password has been accepted.</li>
 *   <li>When the username resolves to no user, a throwaway password hash is computed
 *       ({@link #dummyHash}) before the failure is reported.</li>
 * </ul>
 */
public abstract class AbstractUsernameFormAuthenticator extends AbstractFormAuthenticator {
    private static final Logger logger = Logger.getLogger(AbstractUsernameFormAuthenticator.class);
    public static final String REGISTRATION_FORM_ACTION = "registration_form";
    public static final String ATTEMPTED_USERNAME = "ATTEMPTED_USERNAME";

    /** Intentionally empty; this class performs no work in the action step. */
    public void action(AuthenticationFlowContext authenticationFlowContext) {
    }

    /**
     * Builds the login page carrying a single error message with no message parameters.
     *
     * @param context    current authentication flow
     * @param messageKey message key handed to the form's {@code setError}
     * @return the rendered login form response
     */
    private Response loginFormWithError(AuthenticationFlowContext context, String messageKey) {
        return context.form().setError(messageKey, new Object[0]).createLogin();
    }

    /** @return login form showing {@code Messages.INVALID_USER}. */
    protected Response invalidUser(AuthenticationFlowContext authenticationFlowContext) {
        return loginFormWithError(authenticationFlowContext, Messages.INVALID_USER);
    }

    /** @return login form showing {@code Messages.ACCOUNT_DISABLED}. */
    protected Response disabledUser(AuthenticationFlowContext authenticationFlowContext) {
        return loginFormWithError(authenticationFlowContext, Messages.ACCOUNT_DISABLED);
    }

    /**
     * @return login form showing {@code Messages.INVALID_USER}; a locked-out account gets the
     *     same text as an unknown user or a wrong password.
     */
    protected Response temporarilyDisabledUser(AuthenticationFlowContext authenticationFlowContext) {
        return loginFormWithError(authenticationFlowContext, Messages.INVALID_USER);
    }

    /**
     * @return login form showing {@code Messages.INVALID_USER}; a wrong password gets the same
     *     text as an unknown user.
     */
    protected Response invalidCredentials(AuthenticationFlowContext authenticationFlowContext) {
        return loginFormWithError(authenticationFlowContext, Messages.INVALID_USER);
    }

    /**
     * Records an event error, renders the login form with the given message and registers it
     * as the failure challenge.
     *
     * @param str                     event error code
     * @param str2                    message key shown on the login form
     * @param authenticationFlowError flow error passed to {@code failureChallenge}
     * @return the challenge response that was registered
     */
    protected Response setDuplicateUserChallenge(AuthenticationFlowContext authenticationFlowContext, String str, String str2, AuthenticationFlowError authenticationFlowError) {
        authenticationFlowContext.getEvent().error(str);
        Response challenge = loginFormWithError(authenticationFlowContext, str2);
        authenticationFlowContext.failureChallenge(authenticationFlowError, challenge);
        return challenge;
    }

    /**
     * Hashes a fixed string with the {@code pbkdf2-sha256} provider at 27500 iterations and
     * discards the result.
     *
     * <p>NOTE(review): the provider lookup result is dereferenced without a null check, unlike
     * the lookup in {@link #dummyHash}; confirm this provider is always registered.
     */
    protected void runDefaultDummyHash(AuthenticationFlowContext authenticationFlowContext) {
        PasswordHashProvider fallbackHasher =
                authenticationFlowContext.getSession().getProvider(PasswordHashProvider.class, "pbkdf2-sha256");
        fallbackHasher.encode("dummypassword", 27500);
    }

    /**
     * Computes and discards a password hash using the realm's password policy (algorithm and
     * iteration count), falling back to {@link #runDefaultDummyHash} when the realm has no
     * policy or no provider is found for the policy's algorithm.
     *
     * <p>Called on the user-not-found path; presumably this keeps that path from answering
     * noticeably faster than a real password check. Confirm against measured timings.
     */
    protected void dummyHash(AuthenticationFlowContext authenticationFlowContext) {
        PasswordPolicy policy = authenticationFlowContext.getRealm().getPasswordPolicy();
        PasswordHashProvider policyHasher = policy == null
                ? null
                : authenticationFlowContext.getSession().getProvider(PasswordHashProvider.class, policy.getHashAlgorithm());
        if (policyHasher == null) {
            runDefaultDummyHash(authenticationFlowContext);
            return;
        }
        policyHasher.encode("dummypassword", policy.getHashIterations());
    }

    /**
     * Fails the flow when no user was found.
     *
     * @param userModel lookup result, may be {@code null}
     * @return {@code true} when {@code userModel} is {@code null}; in that case a dummy hash has
     *     been run, a {@code user_not_found} event error recorded and the
     *     {@code INVALID_USER} challenge set
     */
    public boolean invalidUser(AuthenticationFlowContext authenticationFlowContext, UserModel userModel) {
        if (userModel == null) {
            // Spend hashing time before reporting the failure (see dummyHash).
            dummyHash(authenticationFlowContext);
            authenticationFlowContext.getEvent().error("user_not_found");
            Response challenge = invalidUser(authenticationFlowContext);
            authenticationFlowContext.failureChallenge(AuthenticationFlowError.INVALID_USER, challenge);
            return true;
        }
        return false;
    }

    /**
     * Checks that the account is enabled and, when the realm has brute-force protection on,
     * that the protector does not report it as temporarily disabled.
     *
     * @param userModel the resolved user; dereferenced without a null check
     * @return {@code true} when login may proceed; otherwise {@code false} with the matching
     *     event error and failure challenge already set
     */
    public boolean enabledUser(AuthenticationFlowContext authenticationFlowContext, UserModel userModel) {
        if (!userModel.isEnabled()) {
            authenticationFlowContext.getEvent().user(userModel);
            authenticationFlowContext.getEvent().error("user_disabled");
            Response disabledChallenge = disabledUser(authenticationFlowContext);
            authenticationFlowContext.failureChallenge(AuthenticationFlowError.USER_DISABLED, disabledChallenge);
            return false;
        }
        // The protector is consulted only when the realm has brute-force protection enabled.
        boolean lockedOut = authenticationFlowContext.getRealm().isBruteForceProtected()
                && authenticationFlowContext.getProtector().isTemporarilyDisabled(authenticationFlowContext.getSession(), authenticationFlowContext.getRealm(), userModel);
        if (lockedOut) {
            authenticationFlowContext.getEvent().user(userModel);
            authenticationFlowContext.getEvent().error("user_temporarily_disabled");
            Response lockoutChallenge = temporarilyDisabledUser(authenticationFlowContext);
            authenticationFlowContext.failureChallenge(AuthenticationFlowError.USER_TEMPORARILY_DISABLED, lockoutChallenge);
            return false;
        }
        return true;
    }

    /**
     * Validates the submitted {@code username} and {@code password} form fields and, on
     * success, sets the user on the flow context.
     *
     * <p>Checks run in this order and stop at the first failure: user exists, password is
     * valid, account is enabled and not locked out. The trimmed username is written to the
     * event details and to the {@code ATTEMPTED_USERNAME} auth note before any check; it is
     * client-supplied text, so anything that later displays it should treat it as untrusted.
     *
     * <p>NOTE(review): the password is verified before the lockout state is consulted. Both
     * outcomes render the same message here, but confirm that nothing else observable by the
     * client (timing, status, redirects) separates "wrong password" from "correct password,
     * account locked".
     *
     * <p>NOTE(review): the duplicate-user path shows {@code USERNAME_EXISTS} or
     * {@code EMAIL_EXISTS} instead of {@code INVALID_USER}; confirm that disclosing this on
     * the login form is acceptable.
     *
     * @param multivaluedMap submitted form parameters
     * @return {@code true} when all checks pass; {@code false} otherwise, with the failure
     *     challenge already set
     */
    public boolean validateUserAndPassword(AuthenticationFlowContext authenticationFlowContext, MultivaluedMap<String, String> multivaluedMap) {
        String submittedUsername = multivaluedMap.getFirst("username");
        if (submittedUsername == null) {
            // No username field at all: reported as user_not_found, without a dummy hash.
            authenticationFlowContext.getEvent().error("user_not_found");
            Response challenge = invalidUser(authenticationFlowContext);
            authenticationFlowContext.failureChallenge(AuthenticationFlowError.INVALID_USER, challenge);
            return false;
        }

        String username = submittedUsername.trim();
        authenticationFlowContext.getEvent().detail("username", username);
        authenticationFlowContext.getAuthenticationSession().setAuthNote(ATTEMPTED_USERNAME, username);

        try {
            UserModel user = KeycloakModelUtils.findUserByNameOrEmail(authenticationFlowContext.getSession(), authenticationFlowContext.getRealm(), username);
            if (invalidUser(authenticationFlowContext, user)) {
                return false;
            }
            if (!validatePassword(authenticationFlowContext, user, multivaluedMap)) {
                return false;
            }
            if (!enabledUser(authenticationFlowContext, user)) {
                return false;
            }

            String rememberMe = multivaluedMap.getFirst("rememberMe");
            if ("on".equalsIgnoreCase(rememberMe)) {
                authenticationFlowContext.getAuthenticationSession().setAuthNote("remember_me", SamlProtocol.ATTRIBUTE_TRUE_VALUE);
                authenticationFlowContext.getEvent().detail("remember_me", SamlProtocol.ATTRIBUTE_TRUE_VALUE);
            } else {
                authenticationFlowContext.getAuthenticationSession().removeAuthNote("remember_me");
            }
            authenticationFlowContext.setUser(user);
            return true;
        } catch (ModelDuplicateException e) {
            ServicesLogger.LOGGER.modelDuplicateException(e);
            // Anything other than an "email" clash (including no field name) is reported as a username clash.
            boolean emailClash = "email".equals(e.getDuplicateFieldName());
            if (emailClash) {
                setDuplicateUserChallenge(authenticationFlowContext, "email_in_use", Messages.EMAIL_EXISTS, AuthenticationFlowError.INVALID_USER);
            } else {
                setDuplicateUserChallenge(authenticationFlowContext, "username_in_use", Messages.USERNAME_EXISTS, AuthenticationFlowError.INVALID_USER);
            }
            return false;
        }
    }

    /**
     * Verifies the submitted {@code password} field for the given user through the session's
     * credential manager.
     *
     * <p>A missing or empty password is rejected without calling the credential manager. On
     * rejection the user is attached to the event, {@code invalid_user_credentials} is
     * recorded, the {@code INVALID_CREDENTIALS} challenge is set and the user is cleared from
     * the flow context.
     *
     * @param userModel      user whose credentials are checked
     * @param multivaluedMap submitted form parameters
     * @return {@code true} when the password is accepted
     */
    public boolean validatePassword(AuthenticationFlowContext authenticationFlowContext, UserModel userModel, MultivaluedMap<String, String> multivaluedMap) {
        // Raw list, as in the original; parameterizing it needs a type this file does not import.
        LinkedList credentialInputs = new LinkedList();
        String password = multivaluedMap.getFirst("password");
        credentialInputs.add(UserCredentialModel.password(password));

        boolean accepted = password != null
                && !password.isEmpty()
                && authenticationFlowContext.getSession().userCredentialManager().isValid(authenticationFlowContext.getRealm(), userModel, credentialInputs);
        if (!accepted) {
            authenticationFlowContext.getEvent().user(userModel);
            authenticationFlowContext.getEvent().error("invalid_user_credentials");
            Response challenge = invalidCredentials(authenticationFlowContext);
            authenticationFlowContext.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challenge);
            authenticationFlowContext.clearUser();
            return false;
        }
        return true;
    }
}
