package org.keycloak.credential;

import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.jboss.logging.Logger;
import org.keycloak.common.util.Time;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.OTPPolicy;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.cache.CachedUserModel;
import org.keycloak.models.cache.OnUserCache;
import org.keycloak.models.cache.UserCache;
import org.keycloak.models.utils.HmacOTP;
import org.keycloak.models.utils.TimeBasedOTP;

/* loaded from: input_file:wildfly-10.1.0.Final/modules/system/add-ons/keycloak/org/keycloak/keycloak-services/main/keycloak-services-2.5.5.Final.jar:org/keycloak/credential/OTPCredentialProvider.class */
public class OTPCredentialProvider implements CredentialProvider, CredentialInputValidator, CredentialInputUpdater, OnUserCache {
    private static final Logger logger = Logger.getLogger((Class<?>) OTPCredentialProvider.class);
    protected KeycloakSession session;

    protected List<CredentialModel> getCachedCredentials(UserModel userModel, String str) {
        if (!(userModel instanceof CachedUserModel)) {
            return null;
        }
        CachedUserModel cachedUserModel = (CachedUserModel) userModel;
        if (cachedUserModel.isMarkedForEviction()) {
            return null;
        }
        List<CredentialModel> list = (List) cachedUserModel.getCachedWith().get(OTPCredentialProvider.class.getName() + "." + str);
        return list == null ? Collections.EMPTY_LIST : list;
    }

    protected UserCredentialStore getCredentialStore() {
        return this.session.userCredentialManager();
    }

    @Override // org.keycloak.models.cache.OnUserCache
    public void onCache(RealmModel realmModel, CachedUserModel cachedUserModel, UserModel userModel) {
        cachedUserModel.getCachedWith().put(OTPCredentialProvider.class.getName() + ".totp", getCredentialStore().getStoredCredentialsByType(realmModel, cachedUserModel, "totp"));
    }

    public OTPCredentialProvider(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
    }

    @Override // org.keycloak.credential.CredentialInputUpdater
    public boolean updateCredential(RealmModel realmModel, UserModel userModel, CredentialInput credentialInput) {
        if (!supportsCredentialType(credentialInput.getType())) {
            return false;
        }
        if (!(credentialInput instanceof UserCredentialModel)) {
            logger.debug("Expected instance of UserCredentialModel for CredentialInput");
            return false;
        }
        UserCredentialModel userCredentialModel = (UserCredentialModel) credentialInput;
        CredentialModel credentialModel = null;
        if (userCredentialModel.getDevice() != null) {
            credentialModel = getCredentialStore().getStoredCredentialByNameAndType(realmModel, userModel, userCredentialModel.getDevice(), "totp");
            if (credentialModel == null) {
                credentialModel = getCredentialStore().getStoredCredentialByNameAndType(realmModel, userModel, userCredentialModel.getDevice(), "hotp");
            }
        }
        if (credentialModel == null) {
            disableCredentialType(realmModel, userModel, CredentialModel.OTP);
            credentialModel = new CredentialModel();
        }
        OTPPolicy oTPPolicy = realmModel.getOTPPolicy();
        credentialModel.setDigits(oTPPolicy.getDigits());
        credentialModel.setCounter(oTPPolicy.getInitialCounter());
        credentialModel.setAlgorithm(oTPPolicy.getAlgorithm());
        credentialModel.setType(credentialInput.getType());
        credentialModel.setValue(userCredentialModel.getValue());
        credentialModel.setDevice(userCredentialModel.getDevice());
        credentialModel.setPeriod(oTPPolicy.getPeriod());
        credentialModel.setCreatedDate(Long.valueOf(Time.currentTimeMillis()));
        if (credentialModel.getId() == null) {
            getCredentialStore().createCredential(realmModel, userModel, credentialModel);
        } else {
            getCredentialStore().updateCredential(realmModel, userModel, credentialModel);
        }
        UserCache userCache = this.session.userCache();
        if (userCache == null) {
            return true;
        }
        userCache.evict(realmModel, userModel);
        return true;
    }

    @Override // org.keycloak.credential.CredentialInputUpdater
    public void disableCredentialType(RealmModel realmModel, UserModel userModel, String str) {
        UserCache userCache;
        boolean z = false;
        boolean z2 = false;
        if (CredentialModel.OTP.equals(str)) {
            z = true;
            z2 = true;
        } else if ("hotp".equals(str)) {
            z2 = true;
        } else if ("totp".equals(str)) {
            z = true;
        }
        if (z2) {
            Iterator<CredentialModel> it = getCredentialStore().getStoredCredentialsByType(realmModel, userModel, "hotp").iterator();
            while (it.hasNext()) {
                getCredentialStore().removeStoredCredential(realmModel, userModel, it.next().getId());
            }
        }
        if (z) {
            List<CredentialModel> storedCredentialsByType = getCredentialStore().getStoredCredentialsByType(realmModel, userModel, "totp");
            if (!storedCredentialsByType.isEmpty()) {
                Iterator<CredentialModel> it2 = storedCredentialsByType.iterator();
                while (it2.hasNext()) {
                    getCredentialStore().removeStoredCredential(realmModel, userModel, it2.next().getId());
                }
            }
        }
        if ((z || z2) && (userCache = this.session.userCache()) != null) {
            userCache.evict(realmModel, userModel);
        }
    }

    @Override // org.keycloak.credential.CredentialInputUpdater
    public Set<String> getDisableableCredentialTypes(RealmModel realmModel, UserModel userModel) {
        if (getCredentialStore().getStoredCredentialsByType(realmModel, userModel, "hotp").isEmpty() && getCredentialStore().getStoredCredentialsByType(realmModel, userModel, "totp").isEmpty()) {
            return Collections.EMPTY_SET;
        }
        HashSet hashSet = new HashSet();
        hashSet.add(CredentialModel.OTP);
        return hashSet;
    }

    @Override // org.keycloak.credential.CredentialInputValidator, org.keycloak.credential.CredentialInputUpdater
    public boolean supportsCredentialType(String str) {
        return CredentialModel.OTP.equals(str) || "hotp".equals(str) || "totp".equals(str);
    }

    @Override // org.keycloak.credential.CredentialInputValidator
    public boolean isConfiguredFor(RealmModel realmModel, UserModel userModel, String str) {
        if (!supportsCredentialType(str)) {
            return false;
        }
        if (CredentialModel.OTP.equals(str)) {
            return realmModel.getOTPPolicy().getType().equals("hotp") ? configuredForHOTP(realmModel, userModel) : configuredForTOTP(realmModel, userModel);
        }
        if ("hotp".equals(str)) {
            return configuredForHOTP(realmModel, userModel);
        }
        if ("totp".equals(str)) {
            return configuredForTOTP(realmModel, userModel);
        }
        return false;
    }

    protected boolean configuredForHOTP(RealmModel realmModel, UserModel userModel) {
        return !getCredentialStore().getStoredCredentialsByType(realmModel, userModel, "hotp").isEmpty();
    }

    protected boolean configuredForTOTP(RealmModel realmModel, UserModel userModel) {
        List<CredentialModel> cachedCredentials = getCachedCredentials(userModel, "totp");
        return cachedCredentials == null ? !getCredentialStore().getStoredCredentialsByType(realmModel, userModel, "totp").isEmpty() : !cachedCredentials.isEmpty();
    }

    public static boolean validOTP(RealmModel realmModel, String str, String str2) {
        OTPPolicy oTPPolicy = realmModel.getOTPPolicy();
        return oTPPolicy.getType().equals("totp") ? new TimeBasedOTP(oTPPolicy.getAlgorithm(), oTPPolicy.getDigits(), oTPPolicy.getPeriod(), oTPPolicy.getLookAheadWindow()).validateTOTP(str, str2.getBytes()) : new HmacOTP(oTPPolicy.getDigits(), oTPPolicy.getAlgorithm(), oTPPolicy.getLookAheadWindow()).validateHOTP(str, str2, oTPPolicy.getInitialCounter()) > -1;
    }

    @Override // org.keycloak.credential.CredentialInputValidator
    public boolean isValid(RealmModel realmModel, UserModel userModel, CredentialInput credentialInput) {
        if (!(credentialInput instanceof UserCredentialModel)) {
            logger.debug("Expected instance of UserCredentialModel for CredentialInput");
            return false;
        }
        String value = ((UserCredentialModel) credentialInput).getValue();
        if (value == null) {
            return false;
        }
        OTPPolicy oTPPolicy = realmModel.getOTPPolicy();
        if (realmModel.getOTPPolicy().getType().equals("hotp")) {
            HmacOTP hmacOTP = new HmacOTP(oTPPolicy.getDigits(), oTPPolicy.getAlgorithm(), oTPPolicy.getLookAheadWindow());
            for (CredentialModel credentialModel : getCredentialStore().getStoredCredentialsByType(realmModel, userModel, "hotp")) {
                int validateHOTP = hmacOTP.validateHOTP(value, credentialModel.getValue(), credentialModel.getCounter());
                if (validateHOTP >= 0) {
                    credentialModel.setCounter(validateHOTP);
                    getCredentialStore().updateCredential(realmModel, userModel, credentialModel);
                    return true;
                }
            }
            return false;
        }
        TimeBasedOTP timeBasedOTP = new TimeBasedOTP(oTPPolicy.getAlgorithm(), oTPPolicy.getDigits(), oTPPolicy.getPeriod(), oTPPolicy.getLookAheadWindow());
        List<CredentialModel> cachedCredentials = getCachedCredentials(userModel, "totp");
        if (cachedCredentials == null) {
            cachedCredentials = getCredentialStore().getStoredCredentialsByType(realmModel, userModel, "totp");
        } else {
            logger.debugv("Cache hit for TOTP for user {0}", userModel.getUsername());
        }
        Iterator<CredentialModel> it = cachedCredentials.iterator();
        while (it.hasNext()) {
            if (timeBasedOTP.validateTOTP(value, it.next().getValue().getBytes())) {
                return true;
            }
        }
        return false;
    }
}
