package org.keycloak.protocol.saml.profile.ecp.authenticator;

import java.io.IOException;
import java.util.List;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator;
import org.keycloak.common.util.Base64;
import org.keycloak.credential.CredentialInput;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.resources.Cors;

/* loaded from: input_file:org/keycloak/protocol/saml/profile/ecp/authenticator/HttpBasicAuthenticator.class */
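/**
 * Authenticator that reads a username and password from an HTTP
 * {@code Authorization: Basic ...} request header and checks them against the
 * realm's credential store.
 *
 * <p>The header is supplied by the client and is treated as untrusted: a value
 * that does not yield both a username and a password is handled as "no
 * credentials offered" rather than being passed further into the flow.
 */
public class HttpBasicAuthenticator implements Authenticator {
    private static final String BASIC = "Basic";
    private static final String BASIC_PREFIX = "Basic ";

    /**
     * Marks the execution as attempted and, when usable Basic credentials are
     * present, resolves the user, validates the password and reports success
     * or failure on the flow context.
     *
     * @param authenticationFlowContext the flow context for the current request
     */
    public void authenticate(AuthenticationFlowContext authenticationFlowContext) {
        String[] usernameAndPassword = getUsernameAndPassword(authenticationFlowContext.getHttpRequest().getHttpHeaders());
        authenticationFlowContext.attempted();
        if (usernameAndPassword == null) {
            // No usable Basic credentials: leave the execution in the attempted state.
            return;
        }

        RealmModel realm = authenticationFlowContext.getRealm();
        String username = usernameAndPassword[0];
        String password = usernameAndPassword[1];
        UserModel user = authenticationFlowContext.getSession().users().getUserByUsername(realm, username);

        // Record the attempted username before any outcome is decided so that both
        // successful and failed attempts carry it in the event and the auth session.
        authenticationFlowContext.getEvent().detail("username", username);
        authenticationFlowContext.getAuthenticationSession().setAuthNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME, username);

        if (user == null) {
            nullUserAction(authenticationFlowContext, realm, username);
            return;
        }

        // NOTE(review): the password is verified before the brute-force lockout is
        // consulted. Both outcomes answer with the same 401 challenge here, but confirm
        // that checking the lockout only after a successful verification is intended.
        boolean passwordValid = authenticationFlowContext.getSession().userCredentialManager()
                .isValid(realm, user, new CredentialInput[]{UserCredentialModel.password(password)});
        if (!passwordValid) {
            notValidCredentialsAction(authenticationFlowContext, realm, user);
            return;
        }

        if (isTemporarilyDisabledByBruteForce(authenticationFlowContext, user)) {
            userDisabledAction(authenticationFlowContext, realm, user, "user_temporarily_disabled");
        } else if (user.isEnabled()) {
            userSuccessAction(authenticationFlowContext, user);
        } else {
            userDisabledAction(authenticationFlowContext, realm, user, "user_disabled");
        }
    }

    /**
     * Binds the authenticated user to the authentication session and marks the
     * execution as successful.
     */
    protected void userSuccessAction(AuthenticationFlowContext authenticationFlowContext, UserModel userModel) {
        authenticationFlowContext.getAuthenticationSession().setAuthenticatedUser(userModel);
        authenticationFlowContext.success();
    }

    /**
     * Records the given error against the user and fails the flow with a 401
     * Basic challenge.
     *
     * @param str the event error code to record
     */
    protected void userDisabledAction(AuthenticationFlowContext authenticationFlowContext, RealmModel realmModel, UserModel userModel, String str) {
        authenticationFlowContext.getEvent().user(userModel);
        authenticationFlowContext.getEvent().error(str);
        authenticationFlowContext.failure(AuthenticationFlowError.INVALID_USER, basicChallenge(realmModel));
    }

    /**
     * Hook invoked when no user matches the supplied username. It does nothing
     * in this class, so the execution stays in the attempted state set by
     * {@link #authenticate}.
     *
     * <p>NOTE(review): an unknown username therefore ends differently from a
     * wrong password (which fails with a 401); confirm the surrounding flow
     * does not expose that difference to the client.
     *
     * @param str the username that was not found
     */
    protected void nullUserAction(AuthenticationFlowContext authenticationFlowContext, RealmModel realmModel, String str) {
    }

    /**
     * Records an {@code invalid_user_credentials} error against the user and
     * fails the flow with a 401 Basic challenge.
     */
    protected void notValidCredentialsAction(AuthenticationFlowContext authenticationFlowContext, RealmModel realmModel, UserModel userModel) {
        authenticationFlowContext.getEvent().user(userModel);
        authenticationFlowContext.getEvent().error("invalid_user_credentials");
        authenticationFlowContext.failure(AuthenticationFlowError.INVALID_USER, basicChallenge(realmModel));
    }

    /** Builds the 401 response carrying the {@code WWW-Authenticate: Basic} challenge for the realm. */
    private static Response basicChallenge(RealmModel realmModel) {
        return Response.status(Response.Status.UNAUTHORIZED)
                .header("WWW-Authenticate", "Basic realm=\"" + realmModel.getName() + "\"")
                .build();
    }

    /**
     * Returns true when the realm has brute-force protection switched on and
     * the protector reports the user as temporarily disabled.
     */
    private boolean isTemporarilyDisabledByBruteForce(AuthenticationFlowContext authenticationFlowContext, UserModel userModel) {
        RealmModel realm = authenticationFlowContext.getRealm();
        return realm.isBruteForceProtected()
                && authenticationFlowContext.getProtector().isTemporarilyDisabled(authenticationFlowContext.getSession(), realm, userModel);
    }

    /**
     * Extracts the username and password from the request's Basic
     * {@code Authorization} header.
     *
     * @param httpHeaders the request headers
     * @return a two-element array {@code {username, password}}, or {@code null}
     *         when there is no Authorization header, none of its values uses
     *         the Basic scheme, the value is not exactly scheme plus token, or
     *         the decoded token has no {@code ':'} separator
     * @throws RuntimeException if the token cannot be Base64-decoded
     */
    private String[] getUsernameAndPassword(HttpHeaders httpHeaders) {
        List<String> requestHeader = httpHeaders.getRequestHeader(Cors.AUTHORIZATION_HEADER);
        if (requestHeader == null || requestHeader.isEmpty()) {
            return null;
        }

        // When several Basic values are present, the last one is used.
        String encoded = null;
        for (String headerValue : requestHeader) {
            if (headerValue.startsWith(BASIC_PREFIX)) {
                String[] parts = headerValue.trim().split("\\s+");
                if (parts.length != 2) {
                    return null;
                }
                encoded = parts[1];
            }
        }
        if (encoded == null) {
            // An Authorization header with another scheme only: there is nothing to
            // decode, so do not hand a null to the decoder.
            return null;
        }

        try {
            // NOTE(review): decoding uses the platform default charset; confirm which
            // charset clients are expected to use for non-ASCII credentials.
            String decoded = new String(Base64.decode(encoded));
            int separator = decoded.indexOf(':');
            if (separator == -1) {
                // Without a separator there is no password part; the caller reads both
                // elements, so report "no credentials" instead of a one-element array.
                return null;
            }
            return new String[]{decoded.substring(0, separator), decoded.substring(separator + 1)};
        } catch (IOException e) {
            throw new RuntimeException("Failed to parse credentials.", e);
        }
    }

    /** No form action is handled by this authenticator. */
    public void action(AuthenticationFlowContext authenticationFlowContext) {
    }

    /** Returns false: the user is resolved by this authenticator from the request header. */
    public boolean requiresUser() {
        return false;
    }

    /** Always returns false. */
    public boolean configuredFor(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
        return false;
    }

    /** Sets no required actions. */
    public void setRequiredActions(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
    }

    /** Holds no resources, so there is nothing to release. */
    public void close() {
    }
}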
