package org.keycloak.policy;

import java.util.stream.Stream;
import org.jboss.logging.Logger;
import org.keycloak.credential.CredentialModel;
import org.keycloak.credential.hash.PasswordHashProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.PasswordPolicy;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.credential.PasswordCredentialModel;

/* loaded from: input_file:BOOT-INF/lib/keycloak-server-spi-private-21.1.2.jar:org/keycloak/policy/HistoryPasswordPolicyProvider.class */
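/**
 * Password policy that rejects a new password when it matches the user's current password
 * or one of the most recent entries in the user's stored password history.
 *
 * <p>Candidate passwords are never compared as plaintext: every comparison is delegated to the
 * {@link PasswordHashProvider} registered for the algorithm recorded on the stored credential.
 */
public class HistoryPasswordPolicyProvider implements PasswordPolicyProvider {
    private static final Logger logger = Logger.getLogger(HistoryPasswordPolicyProvider.class);
    private static final String ERROR_MESSAGE = "invalidPasswordHistoryMessage";
    private final KeycloakSession session;

    /**
     * @param keycloakSession session used to look up the realm's password policy and the hash providers
     */
    public HistoryPasswordPolicyProvider(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
    }

    /**
     * Overload without a {@link UserModel}. It always reports no error, so the history policy is
     * not enforced on this code path; stored credentials are only reachable through the
     * three-argument overload.
     *
     * @return always {@code null}
     */
    @Override // org.keycloak.policy.PasswordPolicyProvider
    public PolicyError validate(String str, String str2) {
        return null;
    }

    /**
     * Checks the candidate password against the user's current password and recent history.
     *
     * <p>With a configured value {@code n}: {@code -1} disables the check; otherwise the current
     * password is always checked, and for {@code n > 0} the {@code n - 1} most recent
     * {@code password-history} entries are checked as well.
     *
     * @param realm    not read here; the policy is taken from the realm of the session context
     * @param user     user whose stored credentials are inspected
     * @param password candidate password in plaintext; it is only handed to the hash provider
     * @return a {@link PolicyError} carrying the configured history size when the password was
     *         used before, otherwise {@code null}
     */
    @Override // org.keycloak.policy.PasswordPolicyProvider
    public PolicyError validate(RealmModel realm, UserModel user, String password) {
        Integer configured = this.session.getContext().getRealm().getPasswordPolicy()
                .getPolicyConfig(PasswordPolicy.PASSWORD_HISTORY_ID);
        int historySize = configured.intValue();
        if (historySize == -1) {
            return null;
        }

        boolean matchesCurrent = user.credentialManager()
                .getStoredCredentialsByTypeStream(PasswordCredentialModel.TYPE)
                .map(PasswordCredentialModel::createFromCredentialModel)
                .anyMatch(stored -> matchesStoredHash(password, stored));
        if (matchesCurrent) {
            return new PolicyError(ERROR_MESSAGE, Integer.valueOf(historySize));
        }

        if (historySize <= 0) {
            return null;
        }

        // The current password already counts as one entry, hence historySize - 1.
        boolean matchesHistory = getRecent(
                        user.credentialManager()
                                .getStoredCredentialsByTypeStream(PasswordCredentialModel.PASSWORD_HISTORY),
                        historySize - 1)
                .map(PasswordCredentialModel::createFromCredentialModel)
                .anyMatch(stored -> matchesStoredHash(password, stored));
        return matchesHistory ? new PolicyError(ERROR_MESSAGE, Integer.valueOf(historySize)) : null;
    }

    /**
     * Verifies the candidate password against one stored credential using the hash provider named
     * by that credential's algorithm.
     *
     * <p>The history branch used to dereference the provider without a null check, so a history
     * entry hashed with an algorithm that is no longer registered aborted validation with a
     * {@link NullPointerException}. Both branches now treat such an entry as "no match".
     * Operational caveat: an entry that cannot be verified is effectively excluded from the
     * history check, so the condition is logged for operators to notice.
     */
    private boolean matchesStoredHash(String password, PasswordCredentialModel stored) {
        String algorithm = stored.getPasswordCredentialData().getAlgorithm();
        PasswordHashProvider hashProvider = this.session.getProvider(PasswordHashProvider.class, algorithm);
        if (hashProvider == null) {
            // Only the algorithm id is logged; never the password or the stored hash.
            logger.warnf("No PasswordHashProvider for algorithm '%s'; stored credential skipped by password history check", algorithm);
            return false;
        }
        return hashProvider.verify(password, stored);
    }

    /** Returns at most {@code i} credentials, ordered by {@code CredentialModel.comparingByStartDateDesc()}. */
    private Stream<CredentialModel> getRecent(Stream<CredentialModel> stream, int i) {
        return stream.sorted(CredentialModel.comparingByStartDateDesc()).limit(i);
    }

    /**
     * Parses the configured history size, using the factory's default value as the fallback
     * passed to {@code parseInteger}.
     */
    @Override // org.keycloak.policy.PasswordPolicyProvider
    public Object parseConfig(String value) {
        return parseInteger(value, HistoryPasswordPolicyProviderFactory.DEFAULT_VALUE);
    }

    /** Nothing to release; the session is owned by the caller. */
    @Override // org.keycloak.provider.Provider
    public void close() {
    }
}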
