package org.keycloak.authentication.authenticators.browser;

import com.webauthn4j.data.AuthenticationParameters;
import com.webauthn4j.data.AuthenticationRequest;
import com.webauthn4j.data.client.Origin;
import com.webauthn4j.data.client.challenge.DefaultChallenge;
import com.webauthn4j.server.ServerProperty;
import com.webauthn4j.util.exception.WebAuthnException;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.List;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.jboss.logging.Logger;
import org.keycloak.WebAuthnConstants;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.CredentialValidator;
import org.keycloak.authentication.RequiredActionFactory;
import org.keycloak.authentication.RequiredActionProvider;
import org.keycloak.authentication.requiredactions.WebAuthnRegisterFactory;
import org.keycloak.common.util.Base64Url;
import org.keycloak.common.util.UriUtils;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialProvider;
import org.keycloak.credential.WebAuthnCredentialModelInput;
import org.keycloak.credential.WebAuthnCredentialProvider;
import org.keycloak.credential.WebAuthnCredentialProviderFactory;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.forms.login.freemarker.model.WebAuthnAuthenticatorsBean;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.WebAuthnPolicy;
import org.keycloak.services.managers.AuthenticationSessionManager;
import org.keycloak.services.messages.Messages;

/* loaded from: input_file:org/keycloak/authentication/authenticators/browser/WebAuthnAuthenticator.class */
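/**
 * Browser-flow authenticator for the WebAuthn assertion ceremony.
 *
 * <p>{@link #authenticate} issues a fresh random challenge, stores it in the authentication
 * session and renders the login page that drives {@code navigator.credentials.get()}.
 * {@link #action} receives the assertion (credential id, clientDataJSON, authenticatorData,
 * signature, optional user handle), binds it to the stored challenge / request origin / RP ID
 * and validates it against the user's registered WebAuthn credentials.
 *
 * <p>Security-relevant properties enforced here:
 * <ul>
 *   <li>the client-supplied user handle can never override a user already identified earlier
 *       in the flow (reported as {@code WEBAUTHN_ERROR_DIFFERENT_USER});</li>
 *   <li>an assertion is only accepted when this session actually issued a challenge;</li>
 *   <li>the verifier's detailed failure reason goes to the event/log only, the browser gets
 *       the generic message key.</li>
 * </ul>
 *
 * <p>NOTE(review): the challenge note is not cleared after it is consumed, so a second POST in
 * the same authentication session is checked against the same challenge. The webauthn4j
 * signature-counter check limits replay, but only for authenticators that maintain a counter.
 */
public class WebAuthnAuthenticator implements Authenticator, CredentialValidator<WebAuthnCredentialProvider> {

    private static final Logger logger = Logger.getLogger(WebAuthnAuthenticator.class);

    /** Event detail key carrying the error message id. */
    private static final String ERR_LABEL = "web_authn_authentication_error";
    /** Event detail key carrying the free-form detail (browser- or verifier-supplied). */
    private static final String ERR_DETAIL_LABEL = "web_authn_authentication_error_detail";

    private final KeycloakSession session;

    /**
     * @param keycloakSession the session used to look up users and validate credentials
     */
    public WebAuthnAuthenticator(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
    }

    /**
     * Starts the ceremony: generates a random challenge, remembers it in the authentication
     * session and renders the WebAuthn login form.
     *
     * <p>When a user is already identified and has no WebAuthn credential registered, the
     * method returns without challenging or failing (original behaviour, kept as-is); the
     * flow engine decides what to do with an authenticator that produced no response.
     *
     * @param context the current authentication flow context
     */
    @Override
    public void authenticate(AuthenticationFlowContext context) {
        LoginFormsProvider form = context.form();

        // One fresh random challenge per login attempt; action() later verifies that the
        // assertion's clientDataJSON carries exactly this value.
        String challenge = Base64Url.encode(new DefaultChallenge().getValue());
        context.getAuthenticationSession().setAuthNote(WebAuthnConstants.AUTH_CHALLENGE_NOTE, challenge);
        form.setAttribute(WebAuthnConstants.CHALLENGE, challenge);

        WebAuthnPolicy policy = getWebAuthnPolicy(context);
        form.setAttribute(WebAuthnConstants.RP_ID, getRpID(context));

        UserModel user = context.getUser();
        boolean userIdentified = false;
        if (user != null) {
            WebAuthnAuthenticatorsBean registered = new WebAuthnAuthenticatorsBean(
                    context.getSession(), context.getRealm(), user, getCredentialType());
            if (registered.getAuthenticators().isEmpty()) {
                // Nothing to authenticate with for this user: no challenge, no failure.
                return;
            }
            userIdentified = true;
            // Restricts the browser's allowCredentials list to this user's registered keys.
            form.setAttribute(WebAuthnConstants.ALLOWED_AUTHENTICATORS, registered);
        }
        form.setAttribute(WebAuthnConstants.IS_USER_IDENTIFIED, Boolean.toString(userIdentified));
        form.setAttribute(WebAuthnConstants.USER_VERIFICATION, policy.getUserVerificationRequirement());
        context.challenge(form.createLoginWebAuthn());
    }

    /**
     * Returns the realm's WebAuthn policy. Overridable so a subclass can use a different
     * policy (e.g. a passwordless one) without re-implementing the ceremony.
     */
    protected WebAuthnPolicy getWebAuthnPolicy(AuthenticationFlowContext context) {
        return context.getRealm().getWebAuthnPolicy();
    }

    /**
     * Returns the relying-party ID: the configured policy value, or, when that is unset, the
     * host of the request base URI. Behind a reverse proxy the base URI must therefore reflect
     * the public host, otherwise registered credentials will not match.
     */
    protected String getRpID(AuthenticationFlowContext context) {
        String rpId = getWebAuthnPolicy(context).getRpId();
        if (rpId == null || rpId.isEmpty()) {
            rpId = context.getUriInfo().getBaseUri().getHost();
        }
        return rpId;
    }

    /** Credential type this authenticator validates; subclasses may return another type. */
    protected String getCredentialType() {
        return "webauthn";
    }

    /**
     * Finishes the ceremony: validates the posted assertion and either marks the flow
     * successful or records a failure.
     *
     * <p>Checks, in order: browser-reported {@code navigator.credentials.get()} error; a
     * challenge actually issued by this session; all four assertion fields present; the
     * user handle (if any) agrees with the already identified user; the resolved user exists;
     * finally signature/origin/RP ID/challenge/user-verification via the credential manager.
     *
     * @param context the current authentication flow context
     */
    @Override
    public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> params = context.getHttpRequest().getDecodedFormParameters();
        context.getEvent().detail("credential_type", getCredentialType());

        // The login page reports navigator.credentials.get() failures through this field.
        String browserError = params.getFirst(WebAuthnConstants.ERROR);
        if (browserError != null && !browserError.isEmpty()) {
            setErrorResponse(context, Messages.WEBAUTHN_ERROR_API_GET, browserError);
            return;
        }

        // Without a challenge issued by authenticate() there is nothing to bind the assertion
        // to (direct POST, restarted or expired session): reject instead of NPE-ing on it.
        String challenge = context.getAuthenticationSession().getAuthNote(WebAuthnConstants.AUTH_CHALLENGE_NOTE);
        if (challenge == null || challenge.isEmpty()) {
            setErrorResponse(context, Messages.WEBAUTHN_ERROR_AUTH_VERIFICATION, "missing challenge in authentication session");
            return;
        }

        byte[] credentialId = decodeParam(params, WebAuthnConstants.CREDENTIAL_ID);
        byte[] clientDataJson = decodeParam(params, WebAuthnConstants.CLIENT_DATA_JSON);
        byte[] authenticatorData = decodeParam(params, WebAuthnConstants.AUTHENTICATOR_DATA);
        byte[] signature = decodeParam(params, WebAuthnConstants.SIGNATURE);
        if (credentialId == null || clientDataJson == null || authenticatorData == null || signature == null) {
            setErrorResponse(context, Messages.WEBAUTHN_ERROR_AUTH_VERIFICATION, "incomplete assertion response");
            return;
        }

        // Expected origin and RP ID come from the request base URI; behind a proxy the
        // forwarded scheme/host must be configured or every assertion fails validation.
        ServerProperty serverProperty = new ServerProperty(
                new Origin(UriUtils.getOrigin(context.getUriInfo().getBaseUri())),
                getRpID(context),
                new DefaultChallenge(challenge),
                (byte[]) null);

        String userId = resolveUserId(context, params.getFirst(WebAuthnConstants.USER_HANDLE));
        if (userId == null) {
            // resolveUserId has already recorded the failure.
            return;
        }

        boolean userVerificationRequired = WebAuthnConstants.OPTION_REQUIRED.equals(
                getWebAuthnPolicy(context).getUserVerificationRequirement());

        UserModel user = session.users().getUserById(userId, context.getRealm());
        if (user == null) {
            // userId may come straight from the client-supplied user handle; fail cleanly
            // rather than handing a null user to the credential manager.
            context.getEvent().detail("web_authn_authenticated_user_id", userId);
            setErrorResponse(context, Messages.WEBAUTHN_ERROR_USER_NOT_FOUND, null);
            return;
        }

        AuthenticationRequest authenticationRequest =
                new AuthenticationRequest(credentialId, authenticatorData, clientDataJson, signature);
        AuthenticationParameters authenticationParameters = new AuthenticationParameters(
                serverProperty, (com.webauthn4j.authenticator.Authenticator) null, userVerificationRequired);

        WebAuthnCredentialModelInput input = new WebAuthnCredentialModelInput(getCredentialType());
        input.setAuthenticationRequest(authenticationRequest);
        input.setAuthenticationParameters(authenticationParameters);

        String encodedCredentialId = Base64Url.encode(credentialId);
        try {
            boolean valid = session.userCredentialManager().isValid(context.getRealm(), user, input);
            if (!valid) {
                context.getEvent()
                        .detail("web_authn_authenticated_user_id", userId)
                        .detail(WebAuthnConstants.PUBKEY_CRED_ID_ATTR, encodedCredentialId);
                setErrorResponse(context, Messages.WEBAUTHN_ERROR_USER_NOT_FOUND, null);
                context.cancelLogin();
                return;
            }
            String uvChecked = Boolean.toString(userVerificationRequired);
            logger.debugv("WebAuthn Authentication successed. isUserVerificationChecked = {0}, PublicKeyCredentialID = {1}",
                    uvChecked, encodedCredentialId);
            context.setUser(user);
            context.getEvent()
                    .detail("web_authn_authenticator_user_verification_checked", uvChecked)
                    .detail(WebAuthnConstants.PUBKEY_CRED_ID_ATTR, encodedCredentialId);
            context.success();
        } catch (WebAuthnException e) {
            // Verifier detail (which of signature/origin/rpId/challenge/counter failed) is
            // recorded in the event and log only; the page receives the generic message key.
            setErrorResponse(context, Messages.WEBAUTHN_ERROR_AUTH_VERIFICATION, e.getMessage());
        }
    }

    /**
     * Decodes a base64url form field.
     *
     * @return the decoded bytes, or {@code null} when the field is absent or blank
     */
    private static byte[] decodeParam(MultivaluedMap<String, String> params, String name) {
        String value = params.getFirst(name);
        if (value == null || value.isEmpty()) {
            return null;
        }
        return Base64Url.decode(value);
    }

    /**
     * Determines which user the assertion claims to be for.
     *
     * <p>Without a user handle the user identified earlier in the flow is used. With a user
     * handle (base64url of the user id) the handle is used, but it must agree with any user
     * already identified in the flow: the handle is attacker-controlled input and must not be
     * able to switch the account mid-flow.
     *
     * @return the user id to validate against, or {@code null} after recording a failure
     */
    private String resolveUserId(AuthenticationFlowContext context, String userHandle) {
        UserModel flowUser = context.getUser();
        if (userHandle == null || userHandle.isEmpty()) {
            if (flowUser == null) {
                // Neither the assertion nor the flow identifies a user.
                setErrorResponse(context, Messages.WEBAUTHN_ERROR_USER_NOT_FOUND, null);
                return null;
            }
            return flowUser.getId();
        }

        String claimedUserId = new String(Base64Url.decode(userHandle), StandardCharsets.UTF_8);
        if (flowUser != null) {
            String flowUserId = flowUser.getId();
            if (flowUserId != null && !flowUserId.equals(claimedUserId)) {
                context.getEvent()
                        .detail("first_authenticated_user_id", flowUserId)
                        .detail("web_authn_authenticator_authenticated_user_id", claimedUserId);
                setErrorResponse(context, Messages.WEBAUTHN_ERROR_DIFFERENT_USER, null);
                return null;
            }
        }
        return claimedUserId;
    }

    /**
     * This authenticator expects the user to be identified before it runs; subclasses may
     * relax this for user-handle based (passwordless) flows.
     */
    @Override
    public boolean requiresUser() {
        return true;
    }

    /** True when the user has at least one credential of {@link #getCredentialType()}. */
    @Override
    public boolean configuredFor(KeycloakSession keycloakSession, RealmModel realm, UserModel user) {
        return keycloakSession.userCredentialManager().isConfiguredFor(realm, user, getCredentialType());
    }

    /** Adds the WebAuthn registration required action unless the user already has it. */
    @Override
    public void setRequiredActions(KeycloakSession keycloakSession, RealmModel realm, UserModel user) {
        if (!user.getRequiredActions().contains(WebAuthnRegisterFactory.PROVIDER_ID)) {
            user.addRequiredAction(WebAuthnRegisterFactory.PROVIDER_ID);
        }
    }

    /** The single required action a user without a credential must complete: WebAuthn registration. */
    @Override
    public List<RequiredActionFactory> getRequiredActions(KeycloakSession keycloakSession) {
        RequiredActionFactory register = (RequiredActionFactory) keycloakSession.getKeycloakSessionFactory()
                .getProviderFactory(RequiredActionProvider.class, WebAuthnRegisterFactory.PROVIDER_ID);
        return Collections.singletonList(register);
    }

    /** Nothing to release; the session is owned by the caller. */
    @Override
    public void close() {
    }

    /**
     * Credential provider used to validate assertions. (The decompiled listing showed this
     * under a synthetic bridge name; the interface method name is restored here.)
     */
    @Override
    public WebAuthnCredentialProvider getCredentialProvider(KeycloakSession keycloakSession) {
        return keycloakSession.getProvider(CredentialProvider.class, WebAuthnCredentialProviderFactory.PROVIDER_ID);
    }

    /**
     * Records the failure in the event log and sets the flow status, mapping each message key
     * to its event error code and {@link AuthenticationFlowError}.
     *
     * @param context     the flow context to fail
     * @param errorCase   one of the {@code Messages.WEBAUTHN_ERROR_*} keys
     * @param errorDetail optional free-form detail; logged and put in the event, never shown
     */
    private void setErrorResponse(AuthenticationFlowContext context, String errorCase, String errorDetail) {
        switch (errorCase) {
            case Messages.WEBAUTHN_ERROR_REGISTRATION:
                logger.warn(errorCase);
                context.getEvent().detail(ERR_LABEL, errorCase).error("invalid_user_credentials");
                context.failure(AuthenticationFlowError.INVALID_CREDENTIALS, createErrorResponse(context, errorCase));
                break;
            case Messages.WEBAUTHN_ERROR_API_GET:
                logger.warnv("error returned from navigator.credentials.get(). {0}", errorDetail);
                context.getEvent().detail(ERR_LABEL, errorCase).detail(ERR_DETAIL_LABEL, errorDetail).error("not_allowed");
                context.failure(AuthenticationFlowError.INVALID_USER, createErrorResponse(context, errorCase));
                break;
            case Messages.WEBAUTHN_ERROR_DIFFERENT_USER:
                logger.warn(errorCase);
                context.getEvent().detail(ERR_LABEL, errorCase).error("different_user_authenticated");
                context.failure(AuthenticationFlowError.USER_CONFLICT, createErrorResponse(context, errorCase));
                break;
            case Messages.WEBAUTHN_ERROR_AUTH_VERIFICATION:
                logger.warnv("WebAuthn API .get() response validation failure. {0}", errorDetail);
                context.getEvent().detail(ERR_LABEL, errorCase).detail(ERR_DETAIL_LABEL, errorDetail).error("invalid_user_credentials");
                context.failure(AuthenticationFlowError.INVALID_USER, createErrorResponse(context, errorCase));
                break;
            case Messages.WEBAUTHN_ERROR_USER_NOT_FOUND:
                logger.warn(errorCase);
                context.getEvent().detail(ERR_LABEL, errorCase).error("user_not_found");
                context.failure(AuthenticationFlowError.UNKNOWN_USER, createErrorResponse(context, errorCase));
                break;
            default:
                // Unreachable for the keys used in this class; left without a flow status
                // (original behaviour) but made visible in the log.
                logger.warnv("unhandled WebAuthn error key {0}", errorCase);
                break;
        }
    }

    /**
     * Renders the WebAuthn error page for the given message key, re-attaching the identified
     * user's registered authenticators so the page can offer a retry.
     */
    private Response createErrorResponse(AuthenticationFlowContext context, String errorCase) {
        LoginFormsProvider errorForm = context.form().setError(errorCase, new Object[0]);
        UserModel user = context.getUser();
        if (user != null) {
            WebAuthnAuthenticatorsBean registered = new WebAuthnAuthenticatorsBean(
                    context.getSession(), context.getRealm(), user, getCredentialType());
            if (registered.getAuthenticators() != null) {
                errorForm.setAttribute(WebAuthnConstants.ALLOWED_AUTHENTICATORS, registered);
            }
        }
        return errorForm.createWebAuthnErrorPage();
    }
}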
