package org.keycloak.authentication.authenticators;

import java.util.LinkedList;
import java.util.List;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.keycloak.authentication.AuthenticationProcessor;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorContext;
import org.keycloak.login.LoginFormsProvider;
import org.keycloak.models.AuthenticatorModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.managers.ClientSessionCode;
import org.keycloak.services.messages.Messages;

/* loaded from: input_file:org/keycloak/authentication/authenticators/OTPFormAuthenticator.class */
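/**
 * Second-factor form authenticator for time-based one-time passwords.
 *
 * <p>Renders the TOTP login form and, when the form is posted back with the
 * {@value #TOTP_FORM_ACTION} action, validates the submitted code against the
 * credentials stored for the user already resolved on the
 * {@link AuthenticatorContext} ({@link #requiresUser()} is {@code true}, so a
 * first factor must have identified the user before this runs).
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The submitted code is passed straight to
 *       {@code UserProvider.validCredentials(...)} and is never logged or
 *       echoed back into the rendered form or the event.</li>
 *   <li>This class applies no throttling or lockout of its own. A failed
 *       attempt only emits an {@code invalid_user_credentials} event and
 *       re-renders the form; any brute-force protection for OTP guesses has to
 *       come from an event consumer / protector elsewhere in the flow
 *       (NOTE(review): confirm one is wired in for this realm).</li>
 *   <li>The OTP error message is specific ({@link Messages#INVALID_TOTP}), which
 *       is acceptable here because the user identity is already established
 *       by an earlier step; it does not leak whether an account exists.</li>
 * </ul>
 */
public class OTPFormAuthenticator extends AbstractFormAuthenticator implements Authenticator {
    /**
     * Form action name and the name of the posted form field that carries the
     * one-time code. Also used as the credential-type key in {@link #configuredFor}.
     */
    public static final String TOTP_FORM_ACTION = "totp";

    /** Configuration model this authenticator instance was created from. */
    protected AuthenticatorModel model;

    /**
     * @param authenticatorModel configuration model for this authenticator instance
     */
    public OTPFormAuthenticator(AuthenticatorModel authenticatorModel) {
        this.model = authenticatorModel;
    }

    /**
     * Entry point of the authenticator: validates the code if the request is a
     * post-back of the TOTP form, otherwise issues the form as a challenge.
     *
     * @param authenticatorContext current authentication context (user already resolved)
     */
    @Override // org.keycloak.authentication.Authenticator
    public void authenticate(AuthenticatorContext authenticatorContext) {
        if (!isAction(authenticatorContext, TOTP_FORM_ACTION)) {
            authenticatorContext.challenge(challenge(authenticatorContext, null));
            return;
        }
        validateOTP(authenticatorContext);
    }

    /**
     * Reads the submitted code from the decoded form parameters and checks it
     * against the user's stored TOTP credential.
     *
     * <p>Outcomes:
     * <ul>
     *   <li>field absent &rarr; the form is simply re-rendered (no error, no event);</li>
     *   <li>code valid &rarr; {@link AuthenticatorContext#success()};</li>
     *   <li>code invalid (including an empty string) &rarr; an
     *       {@code invalid_user_credentials} event is recorded for the user and a
     *       failure challenge with {@link Messages#INVALID_TOTP} is returned.</li>
     * </ul>
     *
     * @param authenticatorContext current authentication context (user already resolved)
     */
    public void validateOTP(AuthenticatorContext authenticatorContext) {
        MultivaluedMap<String, String> formParams =
                authenticatorContext.getHttpRequest().getDecodedFormParameters();
        // Only the first value is honoured if the field was submitted more than once.
        String submittedOtp = formParams.getFirst(TOTP_FORM_ACTION);
        if (submittedOtp == null) {
            // Post-back without the field: redisplay the form without an error.
            authenticatorContext.challenge(challenge(authenticatorContext, null));
            return;
        }

        // Do not log or otherwise retain submittedOtp: it is a live second factor.
        List<UserCredentialModel> credentials = new LinkedList<UserCredentialModel>();
        credentials.add(UserCredentialModel.totp(submittedOtp));

        RealmModel realm = authenticatorContext.getRealm();
        UserModel user = authenticatorContext.getUser();
        if (authenticatorContext.getSession().users().validCredentials(realm, user, credentials)) {
            authenticatorContext.success();
            return;
        }

        // Record the failure against the user so event listeners (e.g. a brute-force
        // protector) can count it; the form itself is re-rendered with a generic OTP error.
        authenticatorContext.getEvent().user(user).error("invalid_user_credentials");
        authenticatorContext.failureChallenge(
                AuthenticationProcessor.Error.INVALID_CREDENTIALS,
                challenge(authenticatorContext, Messages.INVALID_TOTP));
    }

    /**
     * This is a second factor: a user must already be attached to the context.
     *
     * @return always {@code true}
     */
    @Override // org.keycloak.authentication.Authenticator
    public boolean requiresUser() {
        return true;
    }

    /**
     * Builds the TOTP login form response, bound to a fresh client-session code so
     * that the post-back can be tied to this client session.
     *
     * @param authenticatorContext current authentication context
     * @param errorMessage message key to show on the form, or {@code null} for none
     * @return the rendered TOTP form
     */
    protected Response challenge(AuthenticatorContext authenticatorContext, String errorMessage) {
        ClientSessionCode sessionCode =
                new ClientSessionCode(authenticatorContext.getRealm(), authenticatorContext.getClientSession());
        String actionUrl = AbstractFormAuthenticator.getActionUrl(authenticatorContext, sessionCode, TOTP_FORM_ACTION);

        LoginFormsProvider form = authenticatorContext.getSession().getProvider(LoginFormsProvider.class)
                .setActionUri(actionUrl)
                .setClientSessionCode(sessionCode.getCode());
        if (errorMessage != null) {
            form.setError(errorMessage, new Object[0]);
        }
        return form.createLoginTotp();
    }

    /**
     * Reports whether this authenticator can run for the given user: the user
     * store must have a {@value #TOTP_FORM_ACTION} credential configured and the
     * user's TOTP flag must be set.
     *
     * @param keycloakSession current session
     * @param realmModel realm the user belongs to
     * @param userModel user being authenticated
     * @return {@code true} when both conditions hold
     */
    @Override // org.keycloak.authentication.Authenticator
    public boolean configuredFor(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
        boolean hasTotpCredential =
                keycloakSession.users().configuredForCredentialType(TOTP_FORM_ACTION, realmModel, userModel);
        return hasTotpCredential && userModel.isTotp();
    }

    /**
     * Required action to enrol a user who is not yet configured for this authenticator.
     *
     * @return the name of {@link UserModel.RequiredAction#CONFIGURE_TOTP}
     */
    @Override // org.keycloak.authentication.Authenticator
    public String getRequiredAction() {
        return UserModel.RequiredAction.CONFIGURE_TOTP.name();
    }

    /** Nothing to release. */
    public void close() {
    }
}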
