package org.keycloak.credential;

import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.jboss.logging.Logger;
import org.keycloak.common.util.Time;
import org.keycloak.credential.CredentialTypeMetadata;
import org.keycloak.credential.hash.PasswordHashProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelException;
import org.keycloak.models.PasswordPolicy;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.credential.PasswordCredentialModel;
import org.keycloak.policy.PasswordPolicyManagerProvider;
import org.keycloak.policy.PolicyError;

/* loaded from: input_file:org/keycloak/credential/PasswordCredentialProvider.class */
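/**
 * Credential provider for the {@code "password"} credential type: stores, rotates and verifies
 * hashed user passwords for a realm.
 *
 * <p>This listing is decompiler output. Raw {@code List} casts and a mistyped local have been
 * replaced with the element type the code already casts to ({@link CredentialModel}), and the
 * bridge-merged {@code getCredentialFromModel} method has been restored under its original name.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Plaintext passwords are only passed to the policy validator and the
 *       {@link PasswordHashProvider}; they are never logged here.</li>
 *   <li>{@link #isValid} fails closed: any exception during verification yields {@code false}.</li>
 *   <li>{@link #isValid} re-hashes a stored password on successful login when it no longer
 *       satisfies the realm's current hashing policy.</li>
 *   <li>{@link #getHashProvider} falls back to {@code "pbkdf2-sha256"} when the configured
 *       algorithm is not registered, logging a warning.</li>
 * </ul>
 */
public class PasswordCredentialProvider implements CredentialProvider<PasswordCredentialModel>, CredentialInputUpdater, CredentialInputValidator {
    private static final Logger logger = Logger.getLogger(PasswordCredentialProvider.class);
    protected final KeycloakSession session;

    /**
     * @param keycloakSession session used to look up policy and hash providers
     */
    public PasswordCredentialProvider(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
    }

    /**
     * Returns the user's currently stored password credential.
     *
     * @return the first stored credential of type {@link #getType()}, or {@code null} if the user
     *     has none
     */
    public PasswordCredentialModel getPassword(RealmModel realmModel, UserModel userModel) {
        List<CredentialModel> stored = userModel.credentialManager()
                .getStoredCredentialsByTypeStream(getType())
                .collect(Collectors.toList());
        if (stored.isEmpty()) {
            return null;
        }
        return PasswordCredentialModel.createFromCredentialModel(stored.get(0));
    }

    /**
     * Validates a plaintext password against the realm policy, hashes it and stores it.
     *
     * @param str the plaintext password
     * @return {@code true} once the credential is stored; {@code false} if no hash provider is
     *     available (nothing is stored in that case)
     * @throws ModelException if the password violates the realm policy, or if hashing/storing
     *     fails for any reason (the original failure is kept as the cause)
     */
    public boolean createCredential(RealmModel realmModel, UserModel userModel, String str) {
        PasswordPolicy passwordPolicy = realmModel.getPasswordPolicy();
        // Policy check happens before any hashing, so a rejected password is never stored.
        PolicyError policyError = this.session.getProvider(PasswordPolicyManagerProvider.class).validate(realmModel, userModel, str);
        if (policyError != null) {
            throw new ModelException(policyError.getMessage(), policyError.getParameters());
        }
        PasswordHashProvider hashProvider = getHashProvider(passwordPolicy);
        if (hashProvider == null) {
            return false;
        }
        try {
            PasswordCredentialModel encoded = hashProvider.encodedCredential(str, passwordPolicy.getHashIterations());
            encoded.setCreatedDate(Long.valueOf(Time.currentTimeMillis()));
            createCredential(realmModel, userModel, encoded);
            return true;
        } catch (Throwable th) {
            // Everything, including a ModelException from the nested call, is rewrapped; the
            // underlying message is passed through to the caller unchanged.
            throw new ModelException(th.getMessage(), th);
        }
    }

    /**
     * Stores an already-hashed password, replacing the current one and maintaining password
     * history according to the realm's {@code expiredPasswords} policy value.
     *
     * <p>With a policy value of {@code N}, at most {@code N - 1} history entries are retained
     * alongside the current password; with {@code N <= 1} all history entries are removed.
     *
     * @param passwordCredentialModel the hashed credential; its created date is set to now if
     *     absent, and its id is overwritten with the existing password's id when one exists
     * @return the stored credential
     */
    public CredentialModel createCredential(RealmModel realmModel, UserModel userModel, PasswordCredentialModel passwordCredentialModel) {
        int expiredPasswords = realmModel.getPasswordPolicy().getExpiredPasswords();
        PasswordCredentialModel previous = getPassword(realmModel, userModel);
        if (passwordCredentialModel.getCreatedDate() == null) {
            passwordCredentialModel.setCreatedDate(Long.valueOf(Time.currentTimeMillis()));
        }

        CredentialModel result;
        if (previous == null) {
            result = userModel.credentialManager().createStoredCredential(passwordCredentialModel);
        } else {
            // Reuse the existing id so the current password is updated in place.
            passwordCredentialModel.setId(previous.getId());
            userModel.credentialManager().updateStoredCredential(passwordCredentialModel);
            result = passwordCredentialModel;
            if (expiredPasswords > 1) {
                // Re-insert the old hash as a new "password-history" record (id cleared first).
                previous.setId(null);
                previous.setType("password-history");
                userModel.credentialManager().createStoredCredential(previous);
            }
        }

        // Trim history beyond the retained window. Sorted with comparingByStartDateDesc
        // (presumably newest first, per its name). The entries are collected before removal so
        // deletion does not run while the credential stream is still being consumed.
        List<CredentialModel> surplusHistory = userModel.credentialManager()
                .getStoredCredentialsByTypeStream("password-history")
                .sorted(CredentialModel.comparingByStartDateDesc())
                .skip(Math.max(0, expiredPasswords - 1))
                .collect(Collectors.toList());
        for (CredentialModel entry : surplusHistory) {
            userModel.credentialManager().removeStoredCredentialById(entry.getId());
        }
        return result;
    }

    /**
     * Removes the stored credential with the given id.
     *
     * <p>NOTE(review): no check is made here that {@code str} refers to a password credential of
     * this user; that is left to the credential manager and the caller — confirm.
     *
     * @param str the credential id
     * @return the credential manager's result for the removal
     */
    public boolean deleteCredential(RealmModel realmModel, UserModel userModel, String str) {
        return userModel.credentialManager().removeStoredCredentialById(str);
    }

    /**
     * Converts a generic stored credential into a {@link PasswordCredentialModel}.
     *
     * <p>Restores the method name the decompiler replaced when it merged the generic bridge
     * method.
     */
    public PasswordCredentialModel getCredentialFromModel(CredentialModel credentialModel) {
        return PasswordCredentialModel.createFromCredentialModel(credentialModel);
    }

    /**
     * Decompiler-assigned alias of {@link #getCredentialFromModel(CredentialModel)}, kept so
     * existing references to the generated name continue to resolve.
     */
    /* renamed from: getCredentialFromModel, reason: merged with bridge method [inline-methods] */
    public PasswordCredentialModel m196getCredentialFromModel(CredentialModel credentialModel) {
        return getCredentialFromModel(credentialModel);
    }

    /**
     * Resolves the hash provider named by the password policy.
     *
     * <p>If the configured algorithm has no registered provider, a warning is logged and the
     * {@code "pbkdf2-sha256"} provider is used instead. New credentials are then hashed with the
     * fallback rather than the algorithm the realm asked for, so this warning is worth alerting
     * on in deployments that mandate a specific algorithm.
     *
     * @return the configured provider, the fallback provider, or {@code null} if neither is
     *     registered
     */
    protected PasswordHashProvider getHashProvider(PasswordPolicy passwordPolicy) {
        PasswordHashProvider configured = this.session.getProvider(PasswordHashProvider.class, passwordPolicy.getHashAlgorithm());
        if (configured != null) {
            return configured;
        }
        logger.warnv("Realm PasswordPolicy PasswordHashProvider {0} not found", passwordPolicy.getHashAlgorithm());
        return this.session.getProvider(PasswordHashProvider.class, "pbkdf2-sha256");
    }

    /**
     * @param str a credential type name; may be {@code null}
     * @return {@code true} only if {@code str} equals {@link #getType()}
     */
    public boolean supportsCredentialType(String str) {
        // Compare from the constant side so a null type yields false instead of an NPE.
        return getType().equals(str);
    }

    /**
     * Sets the user's password from the input's challenge response (the plaintext password).
     *
     * <p>NOTE(review): the input's declared type is not checked here; callers are presumably
     * expected to have consulted {@link #supportsCredentialType(String)} first — confirm.
     *
     * @throws ModelException as for {@link #createCredential(RealmModel, UserModel, String)}
     */
    public boolean updateCredential(RealmModel realmModel, UserModel userModel, CredentialInput credentialInput) {
        return createCredential(realmModel, userModel, credentialInput.getChallengeResponse());
    }

    /** No-op: this provider does not disable credential types. */
    public void disableCredentialType(RealmModel realmModel, UserModel userModel, String str) {
    }

    /** @return always an empty stream; this provider reports no disableable types */
    public Stream<String> getDisableableCredentialTypesStream(RealmModel realmModel, UserModel userModel) {
        return Stream.empty();
    }

    /**
     * @param str ignored; only the presence of a stored password is checked
     * @return {@code true} if the user has a stored password
     */
    public boolean isConfiguredFor(RealmModel realmModel, UserModel userModel, String str) {
        return getPassword(realmModel, userModel) != null;
    }

    /**
     * Verifies a submitted password against the user's stored hash.
     *
     * <p>Returns {@code false} (never throws) when the input is not a {@link UserCredentialModel},
     * the submitted password is {@code null}, the user has no stored password, the stored
     * credential's algorithm has no registered provider, verification fails, or any exception
     * occurs. Debug messages name the user and algorithm only, not the submitted password.
     *
     * <p>On successful verification, if the stored credential does not pass the current policy's
     * {@code policyCheck}, the submitted password is re-encoded with the current hash provider
     * and iteration count and written back under the same id, created date and label. A failure
     * during that write-back is caught by the same handler, so the login is rejected.
     *
     * <p>NOTE(review): the early-return paths perform no hashing, so they complete faster than a
     * real verification. Whether that difference is observable to a client depends on callers
     * outside this class — confirm that the calling flow equalises it.
     *
     * @return {@code true} if the submitted password matches the stored credential
     */
    public boolean isValid(RealmModel realmModel, UserModel userModel, CredentialInput credentialInput) {
        if (!(credentialInput instanceof UserCredentialModel)) {
            logger.debug("Expected instance of UserCredentialModel for CredentialInput");
            return false;
        }
        if (credentialInput.getChallengeResponse() == null) {
            logger.debugv("Input password was null for user {0} ", userModel.getUsername());
            return false;
        }
        PasswordCredentialModel stored = getPassword(realmModel, userModel);
        if (stored == null) {
            logger.debugv("No password stored for user {0} ", userModel.getUsername());
            return false;
        }
        // Verification uses the algorithm recorded with the stored hash, not the realm's current
        // policy, so passwords hashed under an older policy can still be checked.
        PasswordHashProvider verifier = this.session.getProvider(PasswordHashProvider.class, stored.getPasswordCredentialData().getAlgorithm());
        if (verifier == null) {
            logger.debugv("PasswordHashProvider {0} not found for user {1} ", stored.getPasswordCredentialData().getAlgorithm(), userModel.getUsername());
            return false;
        }
        try {
            if (!verifier.verify(credentialInput.getChallengeResponse(), stored)) {
                logger.debugv("Failed password validation for user {0} ", userModel.getUsername());
                return false;
            }

            PasswordPolicy passwordPolicy = realmModel.getPasswordPolicy();
            if (passwordPolicy == null) {
                return true;
            }
            PasswordHashProvider current = getHashProvider(passwordPolicy);
            if (current == null || current.policyCheck(passwordPolicy, stored)) {
                return true;
            }

            // Stored hash is out of policy: upgrade it now, while the plaintext is available.
            PasswordCredentialModel upgraded = current.encodedCredential(credentialInput.getChallengeResponse(), passwordPolicy.getHashIterations());
            upgraded.setId(stored.getId());
            upgraded.setCreatedDate(stored.getCreatedDate());
            upgraded.setUserLabel(stored.getUserLabel());
            userModel.credentialManager().updateStoredCredential(upgraded);
            return true;
        } catch (Throwable th) {
            // Fail closed: an error anywhere in verification or re-hash rejects the login.
            logger.warn("Error when validating user password", th);
            return false;
        }
    }

    /** @return the credential type handled by this provider, {@code "password"} */
    public String getType() {
        return "password";
    }

    /**
     * Builds the display metadata for the password credential type.
     *
     * <p>Offers a create action (UPDATE_PASSWORD) when the context has no user or the user has no
     * password configured, otherwise an update action. The credential is marked non-removable.
     */
    public CredentialTypeMetadata getCredentialTypeMetadata(CredentialTypeMetadataContext credentialTypeMetadataContext) {
        CredentialTypeMetadata.CredentialTypeMetadataBuilder builder = CredentialTypeMetadata.builder()
                .type(getType())
                .category(CredentialTypeMetadata.Category.BASIC_AUTHENTICATION)
                .displayName("password-display-name")
                .helpText("password-help-text")
                .iconCssClass("kcAuthenticatorPasswordClass");
        UserModel user = credentialTypeMetadataContext.getUser();
        boolean hasPassword = user != null && user.credentialManager().isConfiguredFor(getType());
        if (hasPassword) {
            builder.updateAction(UserModel.RequiredAction.UPDATE_PASSWORD.toString());
        } else {
            builder.createAction(UserModel.RequiredAction.UPDATE_PASSWORD.toString());
        }
        return builder.removeable(false).build(this.session);
    }
}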
