package org.keycloak.authentication.authenticators.browser;

import java.util.LinkedList;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.events.Errors;
import org.keycloak.login.LoginFormsProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.messages.Messages;

/* loaded from: input_file:WEB-INF/lib/keycloak-services-1.7.0.Final.jar:org/keycloak/authentication/authenticators/browser/OTPFormAuthenticator.class */
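/**
 * Browser-flow authenticator that renders the one-time-password form and verifies the
 * code the user submits against the realm's OTP policy.
 *
 * <p>The submitted code is request data and is treated as untrusted: it is only wrapped in a
 * {@link UserCredentialModel} and handed to the user provider for validation. This class
 * performs no attempt counting or lockout itself.
 * NOTE(review): throttling of repeated wrong codes must come from code outside this file
 * (for example whatever consumes the error event recorded in {@link #validateOTP}) - confirm
 * that it is enabled for realms using this authenticator.
 */
public class OTPFormAuthenticator extends AbstractUsernameFormAuthenticator implements Authenticator {
    public static final String TOTP_FORM_ACTION = "totp";

    /** Form parameter whose presence means the user cancelled the login. */
    private static final String FORM_PARAM_CANCEL = "cancel";

    /** Form parameter carrying the submitted one-time code. */
    private static final String FORM_PARAM_OTP = "totp";

    /**
     * Handles the form post by delegating to {@link #validateOTP}.
     *
     * @param authenticationFlowContext the current authentication flow context
     */
    @Override
    public void action(AuthenticationFlowContext authenticationFlowContext) {
        validateOTP(authenticationFlowContext);
    }

    /**
     * Starts this step by presenting the OTP form without an error message.
     *
     * @param authenticationFlowContext the current authentication flow context
     */
    @Override
    public void authenticate(AuthenticationFlowContext authenticationFlowContext) {
        authenticationFlowContext.challenge(challenge(authenticationFlowContext, null));
    }

    /**
     * Validates the one-time code posted with the form.
     *
     * <ul>
     *   <li>If the form contains the cancel parameter, the flow is reset.</li>
     *   <li>If no code parameter is present, the form is shown again. No event is recorded on
     *       this path, so it does not show up in failure-based monitoring.</li>
     *   <li>If the user provider accepts the code, the step succeeds.</li>
     *   <li>Otherwise an {@code INVALID_USER_CREDENTIALS} error event is recorded for the user
     *       and the form is re-issued as a failure challenge.</li>
     * </ul>
     *
     * <p>Only the user and the error code are attached to the event; the submitted code itself
     * is not.
     *
     * @param authenticationFlowContext the current authentication flow context
     */
    public void validateOTP(AuthenticationFlowContext authenticationFlowContext) {
        MultivaluedMap<String, String> formParameters =
                authenticationFlowContext.getHttpRequest().getDecodedFormParameters();
        if (formParameters.containsKey(FORM_PARAM_CANCEL)) {
            authenticationFlowContext.resetFlow();
            return;
        }

        String submittedCode = formParameters.getFirst(FORM_PARAM_OTP);
        if (submittedCode == null) {
            authenticationFlowContext.challenge(challenge(authenticationFlowContext, null));
            return;
        }

        // An empty (but present) code is deliberately passed on to validation so that it is
        // handled, and recorded, like any other wrong code.
        LinkedList<UserCredentialModel> credentials = new LinkedList<>();
        credentials.add(UserCredentialModel.otp(
                authenticationFlowContext.getRealm().getOTPPolicy().getType(), submittedCode));

        // NOTE(review): getUser() is not null-checked; requiresUser() returns true, so the flow
        // is presumably expected to have identified the user already - confirm.
        boolean valid = authenticationFlowContext.getSession().users().validCredentials(
                authenticationFlowContext.getRealm(), authenticationFlowContext.getUser(), credentials);
        if (valid) {
            authenticationFlowContext.success();
            return;
        }

        authenticationFlowContext.getEvent()
                .user(authenticationFlowContext.getUser())
                .error(Errors.INVALID_USER_CREDENTIALS);
        authenticationFlowContext.failureChallenge(
                AuthenticationFlowError.INVALID_CREDENTIALS,
                challenge(authenticationFlowContext, Messages.INVALID_TOTP));
    }

    /**
     * Reports that this authenticator needs a user on the flow context.
     *
     * @return always {@code true}
     */
    @Override
    public boolean requiresUser() {
        return true;
    }

    /**
     * Builds the OTP login form response, optionally with an error message.
     *
     * @param authenticationFlowContext the current authentication flow context
     * @param str message key to set as the form error, or {@code null} for no error
     * @return the response produced by the login forms provider for the OTP page
     */
    protected Response challenge(AuthenticationFlowContext authenticationFlowContext, String str) {
        LoginFormsProvider form = authenticationFlowContext.form();
        if (str != null) {
            form.setError(str, new Object[0]);
        }
        return form.createLoginTotp();
    }

    /**
     * Checks whether the user has a credential of the realm's OTP policy type configured.
     *
     * @param keycloakSession session used to reach the user provider
     * @param realmModel realm whose OTP policy determines the credential type
     * @param userModel user to check
     * @return the user provider's answer for that credential type
     */
    @Override
    public boolean configuredFor(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
        return keycloakSession.users().configuredForCredentialType(
                realmModel.getOTPPolicy().getType(), realmModel, userModel);
    }

    /**
     * Adds the {@code CONFIGURE_TOTP} required action to the user unless it is already present.
     *
     * @param keycloakSession unused here
     * @param realmModel unused here
     * @param userModel user that should be asked to configure OTP
     */
    @Override
    public void setRequiredActions(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
        String configureTotp = UserModel.RequiredAction.CONFIGURE_TOTP.name();
        if (!userModel.getRequiredActions().contains(configureTotp)) {
            userModel.addRequiredAction(configureTotp);
        }
    }

    /** No resources are held by this authenticator, so there is nothing to release. */
    @Override
    public void close() {
    }
}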
