package org.keycloak.models.utils;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Iterator;
import java.util.List;
import org.keycloak.common.util.Time;
import org.keycloak.hash.PasswordHashManager;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.jose.jws.crypto.RSAProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.OTPPolicy;
import org.keycloak.models.PasswordPolicy;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserCredentialValueModel;
import org.keycloak.models.UserModel;
import org.keycloak.representations.PasswordToken;

/* loaded from: input_file:wildfly-10.1.0.Final/modules/system/add-ons/keycloak/org/keycloak/keycloak-server-spi/main/keycloak-server-spi-2.1.0.Final.jar:org/keycloak/models/utils/FederatedCredentialValidation.class */
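/**
 * Static helpers that check a presented credential (password, password token, TOTP, HOTP or
 * shared secret) against the values stored for a federated user.
 *
 * <p>Every method answers with a plain boolean; a {@code false} result never says which part of
 * the check failed.
 */
public class FederatedCredentialValidation {
    /**
     * Reads the hash iteration count from the realm's password policy.
     *
     * @return the configured iteration count, or {@code -1} when the realm has no password policy
     */
    private static int hashIterations(RealmModel realmModel) {
        PasswordPolicy passwordPolicy = realmModel.getPasswordPolicy();
        return passwordPolicy == null ? -1 : passwordPolicy.getHashIterations();
    }

    /**
     * Checks a plain-text password against a stored hashed credential.
     *
     * <p>Delegates to {@link #validateHashedCredential}.
     */
    public static boolean validPassword(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel, String str, UserCredentialValueModel userCredentialValueModel) {
        return validateHashedCredential(keycloakSession, realmModel, userModel, str, userCredentialValueModel);
    }

    /**
     * Verifies {@code str} against the stored hash and, on success, re-encodes the credential when
     * the realm policy's iteration count differs from the one recorded on the stored value.
     *
     * @param str the presented password; {@code null} or empty is rejected without hashing
     * @return {@code true} only when {@code PasswordHashManager.verify} accepts the password
     */
    public static boolean validateHashedCredential(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel, String str, UserCredentialValueModel userCredentialValueModel) {
        if (str == null || str.isEmpty()) {
            return false;
        }
        if (!PasswordHashManager.verify(keycloakSession, realmModel, str, userCredentialValueModel)) {
            return false;
        }
        // The plain-text password is only available at login time, so this is the one place where
        // a stored hash can be brought in line with a changed iteration policy.
        int policyIterations = hashIterations(realmModel);
        if (policyIterations > -1 && policyIterations != userCredentialValueModel.getHashIterations()) {
            keycloakSession.userFederatedStorage().updateCredential(realmModel, userModel, PasswordHashManager.encode(keycloakSession, realmModel, str));
        }
        return true;
    }

    /**
     * Validates a signed password token: the signature must verify against the realm's public key,
     * the realm and user claims must match, and the token must be no older than the realm's
     * user-action access-code lifespan.
     *
     * @param str the serialized JWS
     * @return {@code false} for an unparsable token, a bad signature, missing or mismatching
     *     claims, or an expired token
     */
    public static boolean validPasswordToken(RealmModel realmModel, UserModel userModel, String str) {
        try {
            JWSInput jWSInput = new JWSInput(str);
            if (!RSAProvider.verify(jWSInput, realmModel.getPublicKey())) {
                return false;
            }
            PasswordToken passwordToken = (PasswordToken) jWSInput.readJsonContent(PasswordToken.class);
            if (passwordToken == null) {
                return false;
            }
            // A token that lacks the realm or user claim is rejected instead of raising a
            // NullPointerException in the middle of an authentication check.
            String tokenRealm = passwordToken.getRealm();
            String tokenUser = passwordToken.getUser();
            if (tokenRealm == null || tokenUser == null) {
                return false;
            }
            if (!tokenRealm.equals(realmModel.getName()) || !tokenUser.equals(userModel.getId())) {
                return false;
            }
            // NOTE(review): a timestamp ahead of the local clock gives a negative age and passes
            // this check; the token is signature-verified above, so this relies on the issuer
            // stamping tokens correctly - confirm that is acceptable.
            return Time.currentTime() - passwordToken.getTimestamp() <= realmModel.getAccessCodeLifespanUserAction();
        } catch (JWSInputException e) {
            return false;
        }
    }

    /**
     * Validates a counter-based OTP against the first stored value of type {@code "hotp"} and, on
     * success, stores the counter returned by the validator.
     *
     * @return {@code true} when the first HOTP value accepts the code; {@code false} when it
     *     rejects the code or no HOTP value is stored
     */
    public static boolean validHOTP(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel, String str, List<UserCredentialValueModel> list) {
        OTPPolicy oTPPolicy = realmModel.getOTPPolicy();
        HmacOTP hmacOTP = new HmacOTP(oTPPolicy.getDigits(), oTPPolicy.getAlgorithm(), oTPPolicy.getLookAheadWindow());
        for (UserCredentialValueModel stored : list) {
            // Constant-first comparison: a stored value without a type is skipped, not an NPE.
            if (!"hotp".equals(stored.getType())) {
                continue;
            }
            int counter = hmacOTP.validateHOTP(str, stored.getValue(), stored.getCounter());
            if (counter < 0) {
                // Only the first HOTP value is ever consulted; later ones are not tried.
                return false;
            }
            // Persist the validator's counter; presumably this is what keeps an accepted code from
            // being accepted again - TODO confirm against HmacOTP.validateHOTP.
            stored.setCounter(counter);
            keycloakSession.userFederatedStorage().updateCredential(realmModel, userModel, stored);
            return true;
        }
        return false;
    }

    /**
     * Validates a time-based OTP against every stored value in {@code list}.
     *
     * @return {@code true} as soon as one stored value accepts the code
     */
    public static boolean validTOTP(RealmModel realmModel, UserModel userModel, String str, List<UserCredentialValueModel> list) {
        OTPPolicy oTPPolicy = realmModel.getOTPPolicy();
        TimeBasedOTP timeBasedOTP = new TimeBasedOTP(oTPPolicy.getAlgorithm(), oTPPolicy.getDigits(), oTPPolicy.getPeriod(), oTPPolicy.getLookAheadWindow());
        // NOTE(review): unlike validHOTP, stored values are not filtered by type here - confirm
        // that callers only pass TOTP values.
        // NOTE(review): nothing in this method records an accepted code, so reuse of a code within
        // its validity window is not prevented here - confirm whether that is handled elsewhere.
        for (UserCredentialValueModel stored : list) {
            // getBytes() uses the platform default charset. It is left unchanged because the
            // enrolment side is not visible from this class and both sides must agree.
            if (timeBasedOTP.validateTOTP(str, stored.getValue().getBytes())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Compares a presented shared secret with the stored one.
     *
     * <p>The comparison goes through {@link MessageDigest#isEqual} instead of
     * {@link String#equals}, so its duration does not depend on how many leading characters of
     * the guess are correct.
     *
     * @return {@code true} when both values are present and equal
     */
    public static boolean validSecret(RealmModel realmModel, UserModel userModel, String str, UserCredentialValueModel userCredentialValueModel) {
        String stored = userCredentialValueModel.getValue();
        if (stored == null || str == null) {
            return false;
        }
        return MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8), str.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Dispatches on the presented credential's type to the matching validator.
     *
     * <p>Recognised types are {@code "password"}, {@code "password-token"}, {@code "totp"},
     * {@code "hotp"} and {@code "secret"}. A missing or unknown type is rejected, and
     * {@code "password"} / {@code "secret"} are rejected when no stored value is available
     * to compare against.
     *
     * @param list the stored credential values for the user; only the first entry is used for
     *     {@code "password"} and {@code "secret"}
     */
    public static boolean validCredential(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel, UserCredentialModel userCredentialModel, List<UserCredentialValueModel> list) {
        String type = userCredentialModel.getType();
        if (type == null) {
            return false;
        }
        // Fail closed when there is nothing stored, rather than letting list.get(0) throw.
        UserCredentialValueModel first = (list == null || list.isEmpty()) ? null : list.get(0);
        switch (type) {
            case "password":
                return first != null && validPassword(keycloakSession, realmModel, userModel, userCredentialModel.getValue(), first);
            case "password-token":
                return validPasswordToken(realmModel, userModel, userCredentialModel.getValue());
            case "totp":
                return validTOTP(realmModel, userModel, userCredentialModel.getValue(), list);
            case "hotp":
                return validHOTP(keycloakSession, realmModel, userModel, userCredentialModel.getValue(), list);
            case "secret":
                return first != null && validSecret(realmModel, userModel, userCredentialModel.getValue(), first);
            default:
                return false;
        }
    }
}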
