package org.keycloak.credential;

import java.nio.charset.StandardCharsets;
import org.jboss.logging.Logger;
import org.keycloak.common.util.ObjectUtil;
import org.keycloak.common.util.Time;
import org.keycloak.credential.CredentialTypeMetadata;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.OTPPolicy;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.credential.OTPCredentialModel;
import org.keycloak.models.credential.dto.OTPCredentialData;
import org.keycloak.models.credential.dto.OTPSecretData;
import org.keycloak.models.utils.HmacOTP;
import org.keycloak.models.utils.TimeBasedOTP;

/* loaded from: input_file:org/keycloak/credential/OTPCredentialProvider.class */
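/**
 * Credential provider for one-time-password (OTP) second factors.
 *
 * <p>Stores, removes and looks up OTP credentials through the session's
 * {@link UserCredentialStore}, and validates a submitted code against a stored
 * credential using either the counter-based ("hotp") or the time-based ("totp")
 * algorithm, depending on the credential's sub type.
 */
public class OTPCredentialProvider implements CredentialProvider<OTPCredentialModel>, CredentialInputValidator {
    private static final Logger logger = Logger.getLogger(OTPCredentialProvider.class);
    protected KeycloakSession session;

    /** Returns the credential store of the current session; every persistence call goes through it. */
    private UserCredentialStore getCredentialStore() {
        return this.session.userCredentialManager();
    }

    /**
     * Creates a provider bound to the given session.
     *
     * @param keycloakSession session used to reach the credential store and to build metadata
     */
    public OTPCredentialProvider(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
    }

    /**
     * Persists a new OTP credential for the user.
     *
     * <p>If the model carries no creation date, the current time is stamped on it before it is stored.
     *
     * @param realmModel realm the user belongs to
     * @param userModel owner of the credential
     * @param oTPCredentialModel credential to store; its created date may be set as a side effect
     * @return the credential as returned by the store
     */
    public CredentialModel createCredential(RealmModel realmModel, UserModel userModel, OTPCredentialModel oTPCredentialModel) {
        if (oTPCredentialModel.getCreatedDate() == null) {
            oTPCredentialModel.setCreatedDate(Long.valueOf(Time.currentTimeMillis()));
        }
        return getCredentialStore().createCredential(realmModel, userModel, oTPCredentialModel);
    }

    /**
     * Removes the stored credential with the given id.
     *
     * @param realmModel realm the user belongs to
     * @param userModel owner of the credential
     * @param str id of the credential to remove
     * @return the result reported by the store's {@code removeStoredCredential}
     */
    public boolean deleteCredential(RealmModel realmModel, UserModel userModel, String str) {
        return getCredentialStore().removeStoredCredential(realmModel, userModel, str);
    }

    /* renamed from: getCredentialFromModel, reason: merged with bridge method [inline-methods] */
    /**
     * Converts a generic stored credential into its OTP-specific representation.
     *
     * @param credentialModel generic credential as read from the store
     * @return the OTP view produced by {@code OTPCredentialModel.createFromCredentialModel}
     */
    public OTPCredentialModel m170getCredentialFromModel(CredentialModel credentialModel) {
        return OTPCredentialModel.createFromCredentialModel(credentialModel);
    }

    /**
     * Tells whether this provider handles the given credential type.
     *
     * @param str credential type to test; {@code null} yields {@code false}
     * @return {@code true} only when the type equals {@link #getType()}
     */
    public boolean supportsCredentialType(String str) {
        return getType().equals(str);
    }

    /**
     * Tells whether the user has at least one stored credential of the given type.
     *
     * @param realmModel realm the user belongs to
     * @param userModel user to inspect
     * @param str credential type to look for
     * @return {@code true} when the type is supported and the store returns a non-empty list for it
     */
    public boolean isConfiguredFor(RealmModel realmModel, UserModel userModel, String str) {
        return supportsCredentialType(str) && !getCredentialStore().getStoredCredentialsByType(realmModel, userModel, str).isEmpty();
    }

    /**
     * Tells whether the user has at least one stored credential of this provider's own type.
     *
     * @param realmModel realm the user belongs to
     * @param userModel user to inspect
     * @return same as {@link #isConfiguredFor(RealmModel, UserModel, String)} with {@link #getType()}
     */
    public boolean isConfiguredFor(RealmModel realmModel, UserModel userModel) {
        return isConfiguredFor(realmModel, userModel, getType());
    }

    /**
     * Validates a submitted OTP code against one stored credential of the user.
     *
     * <p>Validation fails closed: any missing piece (wrong input class, no code, blank credential
     * id, no stored credential for that id, unknown sub type) returns {@code false}.
     *
     * <p>For "hotp" credentials a successful validation writes the value returned by
     * {@code validateHOTP} back to the credential as its counter and persists it. For "totp"
     * credentials nothing is persisted by this method.
     *
     * @param realmModel realm whose OTP policy supplies the look-ahead window
     * @param userModel user whose credential is checked
     * @param credentialInput submitted input; must be a {@link UserCredentialModel} carrying the
     *     code as challenge response and the id of the credential to check
     * @return {@code true} only when the code validates against the referenced credential
     */
    public boolean isValid(RealmModel realmModel, UserModel userModel, CredentialInput credentialInput) {
        if (!(credentialInput instanceof UserCredentialModel)) {
            logger.debug("Expected instance of UserCredentialModel for CredentialInput");
            return false;
        }
        String challengeResponse = credentialInput.getChallengeResponse();
        if (challengeResponse == null) {
            return false;
        }
        if (ObjectUtil.isBlank(credentialInput.getCredentialId())) {
            logger.debugf("CredentialId is null when validating credential of user %s", userModel.getUsername());
            return false;
        }
        // The credential id arrives with the input, so it may name a credential that does not
        // exist (or no longer exists) for this user. Reject that case explicitly instead of
        // handing a null model to createFromCredentialModel. The supplied id is deliberately
        // not written to the log.
        CredentialModel storedCredential = getCredentialStore().getStoredCredentialById(realmModel, userModel, credentialInput.getCredentialId());
        if (storedCredential == null) {
            logger.debugf("No stored credential matched the supplied id for user %s", userModel.getUsername());
            return false;
        }
        // NOTE(review): the stored credential's type is not checked before it is parsed as an
        // OTP credential - confirm the store only returns credentials owned by this user and
        // that a non-OTP id cannot reach this point.
        OTPCredentialModel otpCredential = OTPCredentialModel.createFromCredentialModel(storedCredential);
        OTPSecretData secretData = otpCredential.getOTPSecretData();
        OTPCredentialData credentialData = otpCredential.getOTPCredentialData();
        OTPPolicy policy = realmModel.getOTPPolicy();
        String subType = credentialData.getSubType();

        if ("hotp".equals(subType)) {
            int validateHOTP = new HmacOTP(credentialData.getDigits(), credentialData.getAlgorithm(), policy.getLookAheadWindow()).validateHOTP(challengeResponse, secretData.getValue(), credentialData.getCounter());
            if (validateHOTP < 0) {
                return false;
            }
            // Persist the returned counter so the stored state moves past the accepted code.
            // NOTE(review): read, validate and update are separate steps here; whether two
            // concurrent requests can both pass against the same counter depends on the
            // store - confirm.
            otpCredential.updateCounter(validateHOTP);
            getCredentialStore().updateCredential(realmModel, userModel, otpCredential);
            return true;
        }
        if ("totp".equals(subType)) {
            // NOTE(review): nothing in this method records an accepted TOTP code, so whether a
            // code can be accepted more than once inside its validity window depends on
            // TimeBasedOTP or the caller - confirm.
            return new TimeBasedOTP(credentialData.getAlgorithm(), credentialData.getDigits(), credentialData.getPeriod(), policy.getLookAheadWindow()).validateTOTP(challengeResponse, secretData.getValue().getBytes(StandardCharsets.UTF_8));
        }
        // Unknown sub type: fail closed.
        return false;
    }

    /**
     * Returns the credential type handled by this provider.
     *
     * @return the literal {@code "otp"}
     */
    public String getType() {
        return "otp";
    }

    /**
     * Builds the metadata describing this credential type.
     *
     * <p>The credential is declared as a two-factor, removable credential whose create action is
     * {@code CONFIGURE_TOTP}; display name, help text and icon are given as the keys and CSS class
     * passed to the builder.
     *
     * @param credentialTypeMetadataContext context supplied by the caller; not read by this method
     * @return metadata built against the provider's session
     */
    public CredentialTypeMetadata getCredentialTypeMetadata(CredentialTypeMetadataContext credentialTypeMetadataContext) {
        return CredentialTypeMetadata.builder().type(getType()).category(CredentialTypeMetadata.Category.TWO_FACTOR).displayName("otp-display-name").helpText("otp-help-text").iconCssClass("kcAuthenticatorOTPClass").createAction(UserModel.RequiredAction.CONFIGURE_TOTP.toString()).removeable(true).build(this.session);
    }
}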
