package org.keycloak.models.utils;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Iterator;
import java.util.List;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.crypto.RSAProvider;
import org.keycloak.models.PasswordPolicy;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserCredentialValueModel;
import org.keycloak.models.UserModel;
import org.keycloak.representations.PasswordToken;
import org.keycloak.util.Time;

/* loaded from: input_file:WEB-INF/lib/keycloak-model-api-1.0.1.Final.jar:org/keycloak/models/utils/CredentialValidation.class */
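/**
 * Static helpers that check a presented credential (password, password token,
 * TOTP code or shared secret) against the credentials stored for a user.
 *
 * <p>Every method returns {@code true} only when the presented value is accepted;
 * an unknown or missing credential type is rejected.
 */
public class CredentialValidation {
    /**
     * Returns the hash iteration count required by the realm's password policy.
     *
     * @param realmModel realm whose password policy is consulted
     * @return the policy's iteration count, or {@code -1} when the realm has no password policy
     */
    private static int hashIterations(RealmModel realmModel) {
        PasswordPolicy policy = realmModel.getPasswordPolicy();
        return policy != null ? policy.getHashIterations() : -1;
    }

    /**
     * Verifies a plain-text password against the user's stored password credential and,
     * on success, re-hashes it when the realm policy asks for a different iteration count.
     *
     * @param realmModel realm supplying the password policy
     * @param userModel  user whose stored credentials are checked
     * @param str        password presented by the caller
     * @return {@code true} if the password matches the stored hash
     */
    public static boolean validPassword(RealmModel realmModel, UserModel userModel, String str) {
        boolean matched = false;
        UserCredentialValueModel stored = null;
        // Every stored credential is visited; if more than one has type "password",
        // the result of the last one decides the outcome (same as before).
        for (UserCredentialValueModel candidate : userModel.getCredentialsDirectly()) {
            // Literal-first equals: a credential without a type is skipped instead of
            // aborting the check with a NullPointerException.
            if ("password".equals(candidate.getType())) {
                // NOTE(review): whether the hash comparison is constant-time depends on
                // Pbkdf2PasswordEncoder.verify, which is not visible here - confirm.
                matched = new Pbkdf2PasswordEncoder(candidate.getSalt())
                        .verify(str, candidate.getValue(), candidate.getHashIterations());
                stored = candidate;
            }
        }
        if (!matched) {
            return false;
        }

        // Transparent upgrade: the plain password is only available at login time, so
        // this is the one place where the hash can be recomputed with the policy's count.
        int policyIterations = hashIterations(realmModel);
        if (policyIterations > -1 && policyIterations != stored.getHashIterations()) {
            UserCredentialValueModel upgraded = new UserCredentialValueModel();
            upgraded.setType(stored.getType());
            upgraded.setDevice(stored.getDevice());
            // The existing salt is carried over; only the iteration count and hash change.
            upgraded.setSalt(stored.getSalt());
            upgraded.setHashIterations(policyIterations);
            upgraded.setValue(new Pbkdf2PasswordEncoder(upgraded.getSalt()).encode(str, policyIterations));
            userModel.updateCredentialDirectly(upgraded);
        }
        return true;
    }

    /**
     * Validates a signed password token: the signature must verify against the realm's
     * public key, the realm and user claims must match, and the token must not be older
     * than the realm's user-action lifespan.
     *
     * @param realmModel realm whose public key, name and lifespan are used
     * @param userModel  user the token must have been issued for
     * @param str        serialized JWS token
     * @return {@code true} if the token is accepted
     */
    public static boolean validPasswordToken(RealmModel realmModel, UserModel userModel, String str) {
        // NOTE(review): the JWSInput is built outside the try block below; if its
        // constructor can throw on malformed input, that exception reaches the caller
        // instead of being reported as "invalid" - confirm and handle at the call site.
        JWSInput jws = new JWSInput(str);
        // Signature first: no claim is read from a token that is not signed by this realm.
        if (!RSAProvider.verify(jws, realmModel.getPublicKey())) {
            return false;
        }
        try {
            PasswordToken token = (PasswordToken) jws.readJsonContent(PasswordToken.class);
            boolean sameRealm = token.getRealm().equals(realmModel.getName());
            if (!sameRealm || !token.getUser().equals(userModel.getId())) {
                return false;
            }
            // Only an upper bound on the age is enforced: a timestamp ahead of the
            // current time gives a negative age and passes this comparison.
            return Time.currentTime() - token.getTimestamp() <= realmModel.getAccessCodeLifespanUserAction();
        } catch (IOException e) {
            // Unreadable token content is treated as an invalid token.
            return false;
        }
    }

    /**
     * Checks a one-time code against every stored credential of type "totp".
     *
     * @param realmModel unused by this method
     * @param userModel  user whose stored TOTP secrets are checked
     * @param str        one-time code presented by the caller
     * @return {@code true} if any stored TOTP secret accepts the code
     */
    public static boolean validTOTP(RealmModel realmModel, UserModel userModel, String str) {
        for (UserCredentialValueModel candidate : userModel.getCredentialsDirectly()) {
            if (!"totp".equals(candidate.getType())) {
                continue;
            }
            // Explicit charset so the key bytes do not depend on the JVM's default
            // encoding; identical to the previous result for ASCII secrets.
            // NOTE(review): confirm enrolment encodes the secret the same way.
            byte[] key = candidate.getValue().getBytes(StandardCharsets.UTF_8);
            if (new TimeBasedOTP().validate(str, key)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks a shared secret against every stored credential of type "secret".
     *
     * <p>The stored value is compared with the presented string as-is; this class does
     * not hash this credential type.
     *
     * @param realmModel unused by this method
     * @param userModel  user whose stored secrets are checked
     * @param str        secret presented by the caller; {@code null} is never valid
     * @return {@code true} if any stored secret equals the presented one
     */
    public static boolean validSecret(RealmModel realmModel, UserModel userModel, String str) {
        if (str == null) {
            return false;
        }
        byte[] presented = str.getBytes(StandardCharsets.UTF_8);
        for (UserCredentialValueModel candidate : userModel.getCredentialsDirectly()) {
            if (!"secret".equals(candidate.getType())) {
                continue;
            }
            String storedValue = candidate.getValue();
            if (storedValue == null) {
                continue;
            }
            // String.equals stops at the first differing character, so its running time
            // reveals how much of a guess was correct. MessageDigest.isEqual is the JDK's
            // time-constant comparison and is used here for that reason.
            if (MessageDigest.isEqual(storedValue.getBytes(StandardCharsets.UTF_8), presented)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Validates a list of credentials; all of them must be valid.
     *
     * @param realmModel realm the credentials are validated for
     * @param userModel  user the credentials are validated against
     * @param list       credentials to check; an empty list yields {@code true}
     * @return {@code false} as soon as one credential is rejected, otherwise {@code true}
     */
    public static boolean validCredentials(RealmModel realmModel, UserModel userModel, List<UserCredentialModel> list) {
        for (UserCredentialModel credential : list) {
            if (!validCredential(realmModel, userModel, credential)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Validates the given credentials; all of them must be valid.
     *
     * @param realmModel             realm the credentials are validated for
     * @param userModel              user the credentials are validated against
     * @param userCredentialModelArr credentials to check; none given yields {@code true}
     * @return {@code false} as soon as one credential is rejected, otherwise {@code true}
     */
    public static boolean validCredentials(RealmModel realmModel, UserModel userModel, UserCredentialModel... userCredentialModelArr) {
        for (UserCredentialModel credential : userCredentialModelArr) {
            if (!validCredential(realmModel, userModel, credential)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Dispatches one credential to the validator for its type.
     *
     * @return the validator's result; {@code false} for a missing or unrecognised type
     */
    private static boolean validCredential(RealmModel realmModel, UserModel userModel, UserCredentialModel userCredentialModel) {
        // Literal-first comparisons keep a credential without a type on the
        // "rejected" path rather than failing with a NullPointerException.
        if ("password".equals(userCredentialModel.getType())) {
            return validPassword(realmModel, userModel, userCredentialModel.getValue());
        }
        if ("password-token".equals(userCredentialModel.getType())) {
            return validPasswordToken(realmModel, userModel, userCredentialModel.getValue());
        }
        if ("totp".equals(userCredentialModel.getType())) {
            return validTOTP(realmModel, userModel, userCredentialModel.getValue());
        }
        if ("secret".equals(userCredentialModel.getType())) {
            return validSecret(realmModel, userModel, userCredentialModel.getValue());
        }
        return false;
    }
}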
