package org.keycloak.models.utils;

import java.util.Iterator;
import java.util.List;
import org.keycloak.common.util.Time;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.jose.jws.crypto.RSAProvider;
import org.keycloak.models.OTPPolicy;
import org.keycloak.models.PasswordPolicy;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserCredentialValueModel;
import org.keycloak.models.UserModel;
import org.keycloak.representations.PasswordToken;

/* loaded from: input_file:WEB-INF/lib/keycloak-model-api-1.7.0.Final.jar:org/keycloak/models/utils/CredentialValidation.class */
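/**
 * Static checks that compare a credential presented at login with the credentials stored for a
 * user: hashed password, signed password token, HOTP, TOTP and shared secret.
 *
 * <p>Every method answers with a plain boolean. None of them throttles or counts failed attempts,
 * so limiting repeated guesses has to be handled by the caller.
 */
public class CredentialValidation {
    /**
     * Reads the hash iteration count required by the realm's password policy.
     *
     * @param realmModel realm whose password policy is consulted
     * @return the policy's iteration count, or {@code -1} when the realm has no password policy
     */
    private static int hashIterations(RealmModel realmModel) {
        PasswordPolicy passwordPolicy = realmModel.getPasswordPolicy();
        return passwordPolicy != null ? passwordPolicy.getHashIterations() : -1;
    }

    /**
     * Compares two strings without stopping at the first differing character.
     *
     * <p>{@link String#equals(Object)} returns as soon as it finds a mismatch, so its running time
     * depends on how much of a stored secret the presented value gets right. This helper always
     * walks the whole presented value and folds every difference into one accumulator. The result
     * is the same as {@code expected.equals(presented)} for non-null arguments.
     *
     * @param expected stored value; {@code null} never matches
     * @param presented value supplied by the client; {@code null} never matches
     * @return {@code true} only when both strings have the same length and the same characters
     */
    private static boolean constantTimeEquals(String expected, String presented) {
        if (expected == null || presented == null) {
            return false;
        }
        int expectedLength = expected.length();
        int presentedLength = presented.length();
        // A length mismatch is recorded up front but the loop still runs over the presented value.
        int difference = expectedLength ^ presentedLength;
        for (int i = 0; i < presentedLength; i++) {
            char expectedChar = expectedLength == 0 ? '\0' : expected.charAt(i % expectedLength);
            difference |= expectedChar ^ presented.charAt(i);
        }
        return difference == 0;
    }

    /**
     * Validates a plain-text password against the user's stored password credential.
     *
     * <p>When the user has several credentials of type {@code "password"}, the last one returned by
     * {@code getCredentialsDirectly()} is the one that is checked.
     *
     * @param realmModel realm the user belongs to
     * @param userModel user whose stored credential is checked
     * @param str password as typed by the user
     * @return {@code true} when a password credential exists and the password verifies against it
     */
    public static boolean validPassword(RealmModel realmModel, UserModel userModel, String str) {
        UserCredentialValueModel storedPassword = null;
        for (UserCredentialValueModel candidate : userModel.getCredentialsDirectly()) {
            // Constant-first comparison: a stored credential without a type is skipped, not an NPE.
            if ("password".equals(candidate.getType())) {
                storedPassword = candidate;
            }
        }
        if (storedPassword == null) {
            return false;
        }
        return validateHashedCredential(realmModel, userModel, str, storedPassword);
    }

    /**
     * Verifies a password against a stored hashed credential and, on success, re-hashes it when the
     * realm policy asks for a different iteration count than the one stored.
     *
     * <p>The re-hash happens only after a successful verification, because that is the only moment
     * the plain-text password is available. The existing salt is reused for the new hash.
     *
     * @param realmModel realm whose password policy supplies the target iteration count
     * @param userModel user whose credential is updated when the iteration count changed
     * @param str password as typed by the user; {@code null} is rejected
     * @param userCredentialValueModel stored credential holding salt, hash and iteration count
     * @return {@code true} when the password verifies
     */
    public static boolean validateHashedCredential(RealmModel realmModel, UserModel userModel, String str, UserCredentialValueModel userCredentialValueModel) {
        if (str == null) {
            return false;
        }
        boolean verified = new Pbkdf2PasswordEncoder(userCredentialValueModel.getSalt())
                .verify(str, userCredentialValueModel.getValue(), userCredentialValueModel.getHashIterations());
        if (!verified) {
            return false;
        }
        int policyIterations = hashIterations(realmModel);
        // -1 means the realm has no password policy, so there is no target to migrate to.
        if (policyIterations > -1 && policyIterations != userCredentialValueModel.getHashIterations()) {
            UserCredentialValueModel rehashed = new UserCredentialValueModel();
            rehashed.setType(userCredentialValueModel.getType());
            rehashed.setDevice(userCredentialValueModel.getDevice());
            rehashed.setSalt(userCredentialValueModel.getSalt());
            rehashed.setHashIterations(policyIterations);
            rehashed.setValue(new Pbkdf2PasswordEncoder(rehashed.getSalt()).encode(str, policyIterations));
            userModel.updateCredentialDirectly(rehashed);
        }
        return true;
    }

    /**
     * Validates a signed password token: the signature must verify with the realm's public key, the
     * token must name this realm and this user, and it must not be older than the realm's
     * user-action access code lifespan.
     *
     * @param realmModel realm whose public key, name and lifespan are used
     * @param userModel user the token must have been issued for
     * @param str encoded JWS token
     * @return {@code true} when all checks pass; {@code false} when the token cannot be parsed, is
     *     not correctly signed, lacks a realm or user, names another realm or user, or is too old
     */
    public static boolean validPasswordToken(RealmModel realmModel, UserModel userModel, String str) {
        try {
            JWSInput jws = new JWSInput(str);
            // The signature is checked before any claim is read, so unsigned content is never trusted.
            if (!RSAProvider.verify(jws, realmModel.getPublicKey())) {
                return false;
            }
            PasswordToken passwordToken = (PasswordToken) jws.readJsonContent(PasswordToken.class);
            if (passwordToken == null) {
                return false;
            }
            String tokenRealm = passwordToken.getRealm();
            String tokenUser = passwordToken.getUser();
            // A token without realm or user is rejected instead of failing with an NPE.
            if (tokenRealm == null || tokenUser == null) {
                return false;
            }
            if (!tokenRealm.equals(realmModel.getName()) || !tokenUser.equals(userModel.getId())) {
                return false;
            }
            // NOTE(review): only the upper age bound is checked; a timestamp later than the current
            // time also passes. Confirm that is acceptable for tokens signed by this realm.
            return Time.currentTime() - passwordToken.getTimestamp() <= realmModel.getAccessCodeLifespanUserAction();
        } catch (JWSInputException e) {
            return false;
        }
    }

    /**
     * Validates an HOTP code against the user's first stored {@code "hotp"} credential and, on
     * success, stores the counter returned by the validator so the same code is not accepted from
     * the old counter position again.
     *
     * @param realmModel realm whose OTP policy supplies digits, algorithm and look-ahead window
     * @param userModel user whose HOTP credential is checked and updated
     * @param str code typed by the user
     * @return {@code true} when the code is accepted; {@code false} when it is rejected or the user
     *     has no HOTP credential
     */
    public static boolean validHOTP(RealmModel realmModel, UserModel userModel, String str) {
        OTPPolicy policy = realmModel.getOTPPolicy();
        HmacOTP hotp = new HmacOTP(policy.getDigits(), policy.getAlgorithm(), policy.getLookAheadWindow());
        for (UserCredentialValueModel stored : userModel.getCredentialsDirectly()) {
            if (!"hotp".equals(stored.getType())) {
                continue;
            }
            // Only the first HOTP credential is consulted; the method returns either way.
            int newCounter = hotp.validateHOTP(str, stored.getValue(), stored.getCounter());
            if (newCounter < 0) {
                return false;
            }
            stored.setCounter(newCounter);
            userModel.updateCredentialDirectly(stored);
            return true;
        }
        return false;
    }

    /**
     * Validates a code against a secret passed in directly, using TOTP or HOTP according to the
     * realm's OTP policy type. No stored credential is read or updated.
     *
     * @param realmModel realm whose OTP policy selects the OTP type and its parameters
     * @param str code typed by the user
     * @param str2 OTP secret to validate against
     * @return {@code true} when the code is accepted for the given secret
     */
    public static boolean validOTP(RealmModel realmModel, String str, String str2) {
        OTPPolicy policy = realmModel.getOTPPolicy();
        if (policy.getType().equals("totp")) {
            // NOTE(review): getBytes() uses the platform default charset, so the derived key
            // depends on the JVM's configuration when the secret contains non-ASCII characters.
            return new TimeBasedOTP(policy.getAlgorithm(), policy.getDigits(), policy.getPeriod(), policy.getLookAheadWindow())
                    .validateTOTP(str, str2.getBytes());
        }
        // The HOTP check always starts from the policy's initial counter.
        return new HmacOTP(policy.getDigits(), policy.getAlgorithm(), policy.getLookAheadWindow())
                .validateHOTP(str, str2, policy.getInitialCounter()) > -1;
    }

    /**
     * Validates a TOTP code against each of the user's stored {@code "totp"} credentials.
     *
     * <p>NOTE(review): unlike {@link #validHOTP}, nothing is persisted after a successful check, so
     * this method on its own does not stop a code from being accepted again while it is still
     * inside its validity window. Confirm that reuse is handled elsewhere.
     *
     * @param realmModel realm whose OTP policy supplies algorithm, digits, period and window
     * @param userModel user whose TOTP credentials are checked
     * @param str code typed by the user
     * @return {@code true} when any stored TOTP credential accepts the code
     */
    public static boolean validTOTP(RealmModel realmModel, UserModel userModel, String str) {
        OTPPolicy policy = realmModel.getOTPPolicy();
        TimeBasedOTP totp = new TimeBasedOTP(policy.getAlgorithm(), policy.getDigits(), policy.getPeriod(), policy.getLookAheadWindow());
        for (UserCredentialValueModel stored : userModel.getCredentialsDirectly()) {
            // NOTE(review): getBytes() uses the platform default charset; see validOTP.
            if ("totp".equals(stored.getType()) && totp.validateTOTP(str, stored.getValue().getBytes())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Validates a shared secret against the user's stored {@code "secret"} credentials.
     *
     * <p>The stored value is compared as plain text (no hashing is applied here), and the
     * comparison does not exit on the first mismatching character, so response time does not
     * reveal how long a matching prefix was.
     *
     * @param realmModel realm the user belongs to (not used by this check)
     * @param userModel user whose secret credentials are checked
     * @param str secret presented by the client; {@code null} never matches
     * @return {@code true} when any stored secret equals the presented one
     */
    public static boolean validSecret(RealmModel realmModel, UserModel userModel, String str) {
        for (UserCredentialValueModel stored : userModel.getCredentialsDirectly()) {
            if ("secret".equals(stored.getType()) && constantTimeEquals(stored.getValue(), str)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Validates every credential in the list; all of them must be valid.
     *
     * <p>An empty list yields {@code true} because there is nothing to reject. Callers must make
     * sure at least one credential was supplied before treating the result as a successful
     * authentication.
     *
     * @param realmModel realm the user belongs to
     * @param userModel user being authenticated
     * @param list credentials presented by the client
     * @return {@code false} as soon as one credential fails, otherwise {@code true}
     */
    public static boolean validCredentials(RealmModel realmModel, UserModel userModel, List<UserCredentialModel> list) {
        for (UserCredentialModel presented : list) {
            if (!validCredential(realmModel, userModel, presented)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Varargs form of {@link #validCredentials(RealmModel, UserModel, List)}; all credentials must
     * be valid.
     *
     * <p>Calling it with no credentials yields {@code true}; callers must require at least one.
     *
     * @param realmModel realm the user belongs to
     * @param userModel user being authenticated
     * @param userCredentialModelArr credentials presented by the client
     * @return {@code false} as soon as one credential fails, otherwise {@code true}
     */
    public static boolean validCredentials(RealmModel realmModel, UserModel userModel, UserCredentialModel... userCredentialModelArr) {
        for (UserCredentialModel presented : userCredentialModelArr) {
            if (!validCredential(realmModel, userModel, presented)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Dispatches one presented credential to the check that matches its type.
     *
     * @param realmModel realm the user belongs to
     * @param userModel user being authenticated
     * @param userCredentialModel credential presented by the client
     * @return the result of the matching check; {@code false} for a missing or unknown type, so an
     *     unrecognised credential type can never authenticate
     */
    private static boolean validCredential(RealmModel realmModel, UserModel userModel, UserCredentialModel userCredentialModel) {
        String type = userCredentialModel.getType();
        String value = userCredentialModel.getValue();
        if ("password".equals(type)) {
            return validPassword(realmModel, userModel, value);
        }
        if ("password-token".equals(type)) {
            return validPasswordToken(realmModel, userModel, value);
        }
        if ("totp".equals(type)) {
            return validTOTP(realmModel, userModel, value);
        }
        if ("hotp".equals(type)) {
            return validHOTP(realmModel, userModel, value);
        }
        if ("secret".equals(type)) {
            return validSecret(realmModel, userModel, value);
        }
        return false;
    }
}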
