package org.keycloak.authentication.authenticators.directgrant;

import java.util.LinkedList;
import java.util.List;
import javax.ws.rs.core.Response;
import org.keycloak.OAuthErrorException;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.events.Errors;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

/* loaded from: input_file:wildfly-10.1.0.Final/modules/system/add-ons/keycloak/org/keycloak/keycloak-services/main/keycloak-services-2.5.5.Final.jar:org/keycloak/authentication/authenticators/directgrant/ValidateOTP.class */
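/**
 * Direct-grant authenticator that validates a one-time password supplied as the
 * {@code totp} form parameter of the request (see {@link #getHelpText()}).
 *
 * <p>Behaviour of {@link #authenticate(AuthenticationFlowContext)}:
 * <ul>
 *   <li>If the user has no OTP credential of the realm's configured OTP type, the
 *       outcome depends on the execution requirement: OPTIONAL marks the execution as
 *       attempted, REQUIRED fails the flow, anything else records nothing.</li>
 *   <li>If the {@code totp} parameter is absent, or the supplied value is rejected by
 *       the session's credential manager, the flow fails.</li>
 * </ul>
 *
 * <p>Every failure path emits the same {@code INVALID_USER_CREDENTIALS} event, the same
 * {@code INVALID_USER} flow error and the same generic {@code invalid_grant} /
 * "Invalid user credentials" response, so the caller cannot tell from the response
 * whether OTP is configured for the account, missing from the request or wrong.
 * Keep the three paths identical when editing this class.
 *
 * <p>The OTP value itself is never compared here; validation is delegated to
 * {@code userCredentialManager().isValid(...)} with the realm's OTP policy type.
 */
public class ValidateOTP extends AbstractDirectGrantAuthenticator {
    public static final String PROVIDER_ID = "direct-grant-validate-otp";
    public static final AuthenticationExecutionModel.Requirement[] REQUIREMENT_CHOICES = {AuthenticationExecutionModel.Requirement.REQUIRED, AuthenticationExecutionModel.Requirement.OPTIONAL, AuthenticationExecutionModel.Requirement.DISABLED};

    /** Form parameter read by {@link #retrieveOTP(AuthenticationFlowContext)}. */
    private static final String OTP_FORM_PARAMETER = "totp";

    /** Deliberately generic message shared by all failure paths (no credential-state leakage). */
    private static final String INVALID_CREDENTIALS_MESSAGE = "Invalid user credentials";

    /**
     * Validates the OTP for the user already resolved on the context.
     *
     * @param context the current authentication flow context; {@link #requiresUser()}
     *                is {@code true}, so the flow is expected to have set a user
     */
    @Override // org.keycloak.authentication.Authenticator
    public void authenticate(AuthenticationFlowContext context) {
        KeycloakSession session = context.getSession();
        RealmModel realm = context.getRealm();
        UserModel user = context.getUser();

        if (!isConfigured(session, realm, user)) {
            AuthenticationExecutionModel execution = context.getExecution();
            if (execution.isOptional()) {
                context.attempted();
            } else if (execution.isRequired()) {
                // Required OTP but none enrolled: fail without attaching the user to the event
                // (matches the historical behaviour of this path).
                failWithInvalidCredentials(context);
            }
            // Any other requirement (e.g. DISABLED): record neither success nor failure.
            return;
        }

        String otp = retrieveOTP(context);
        if (otp == null) {
            // Parameter missing entirely; attach the user to the event when one is present.
            if (user != null) {
                context.getEvent().user(user);
            }
            failWithInvalidCredentials(context);
            return;
        }

        // Policy type (e.g. totp/hotp) comes from the realm; the credential manager
        // performs the actual comparison against the user's stored OTP credential.
        UserCredentialModel credential = UserCredentialModel.otp(realm.getOTPPolicy().getType(), otp);
        if (session.userCredentialManager().isValid(realm, user, credential)) {
            context.success();
            return;
        }

        context.getEvent().user(user);
        failWithInvalidCredentials(context);
    }

    /**
     * Records an {@code INVALID_USER_CREDENTIALS} event and fails the flow with the
     * generic unauthorized {@code invalid_grant} response used by every failure path.
     * Callers attach the user to the event beforehand where the original path did so.
     *
     * @param context the current authentication flow context
     */
    private void failWithInvalidCredentials(AuthenticationFlowContext context) {
        context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);
        context.failure(AuthenticationFlowError.INVALID_USER,
                errorResponse(Response.Status.UNAUTHORIZED.getStatusCode(), OAuthErrorException.INVALID_GRANT, INVALID_CREDENTIALS_MESSAGE));
    }

    /** @return {@code true}: a user must already be resolved before this authenticator runs */
    @Override // org.keycloak.authentication.Authenticator
    public boolean requiresUser() {
        return true;
    }

    /**
     * Always reports the authenticator as applicable; the actual "has an OTP credential"
     * check is done per request in {@link #authenticate(AuthenticationFlowContext)} via
     * {@link #isConfigured(KeycloakSession, RealmModel, UserModel)}.
     */
    @Override // org.keycloak.authentication.Authenticator
    public boolean configuredFor(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
        return true;
    }

    /**
     * @return whether the user has a credential of the realm's configured OTP policy type
     */
    private boolean isConfigured(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
        return keycloakSession.userCredentialManager().isConfiguredFor(realmModel, userModel, realmModel.getOTPPolicy().getType());
    }

    /** No required actions are set: this authenticator validates only and never enrolls OTP. */
    @Override // org.keycloak.authentication.Authenticator
    public void setRequiredActions(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
    }

    /** @return {@code false}: users cannot set up OTP from within a direct grant */
    @Override // org.keycloak.authentication.ConfigurableAuthenticatorFactory
    public boolean isUserSetupAllowed() {
        return false;
    }

    @Override // org.keycloak.authentication.ConfigurableAuthenticatorFactory
    public String getDisplayType() {
        return "OTP";
    }

    @Override // org.keycloak.authentication.ConfigurableAuthenticatorFactory
    public String getReferenceCategory() {
        return null;
    }

    /** @return {@code false}: this authenticator exposes no configuration properties */
    @Override // org.keycloak.authentication.ConfigurableAuthenticatorFactory
    public boolean isConfigurable() {
        return false;
    }

    /**
     * @return the shared {@link #REQUIREMENT_CHOICES} array; callers are expected not to mutate it
     */
    @Override // org.keycloak.authentication.ConfigurableAuthenticatorFactory
    public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
        return REQUIREMENT_CHOICES;
    }

    @Override // org.keycloak.provider.ConfiguredProvider
    public String getHelpText() {
        return "Validates the one time password supplied as a 'totp' form parameter in direct grant request";
    }

    /** @return a fresh, empty, mutable list (the authenticator is not configurable) */
    @Override // org.keycloak.provider.ConfiguredProvider
    public List<ProviderConfigProperty> getConfigProperties() {
        return new LinkedList<>();
    }

    @Override // org.keycloak.provider.ProviderFactory
    public String getId() {
        return PROVIDER_ID;
    }

    /**
     * Reads the one-time password from the decoded form parameters of the request.
     *
     * @param authenticationFlowContext the current authentication flow context
     * @return the first {@code totp} form value, or {@code null} when the parameter is absent
     */
    protected String retrieveOTP(AuthenticationFlowContext authenticationFlowContext) {
        return authenticationFlowContext.getHttpRequest().getDecodedFormParameters().getFirst(OTP_FORM_PARAMETER);
    }
}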
