package org.keycloak.authentication.authenticators.browser;

import java.util.Collections;
import java.util.List;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.CredentialValidator;
import org.keycloak.authentication.RequiredActionFactory;
import org.keycloak.authentication.RequiredActionProvider;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialProvider;
import org.keycloak.credential.OTPCredentialProvider;
import org.keycloak.credential.OTPCredentialProviderFactory;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.credential.OTPCredentialModel;
import org.keycloak.services.messages.Messages;

/* loaded from: input_file:org/keycloak/authentication/authenticators/browser/OTPFormAuthenticator.class */
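/**
 * Browser-flow authenticator that validates a one-time password submitted through the login form.
 *
 * <p>The submitted code is not verified in this class. {@link #validateOTP} wraps it in a
 * {@link UserCredentialModel} and passes it to the session's credential manager, together with
 * the realm and user taken from the flow context.
 *
 * <p>NOTE(review): this listing is decompiler output. The casts dropped by the decompiler are
 * restored below; the {@code m37getCredentialProvider} name is a decompiler artefact (see that
 * method).
 */
public class OTPFormAuthenticator extends AbstractUsernameFormAuthenticator implements Authenticator, CredentialValidator<OTPCredentialProvider> {
    /** Form attribute that carries the id of the OTP credential the submitted code is checked against. */
    public static final String SELECTED_OTP_CREDENTIAL_ID = "selectedOtpCredentialId";
    /** Not referenced within this class. */
    public static final String UNNAMED = "unnamed";

    /**
     * Handles the form post for this step by validating the submitted OTP.
     *
     * @param authenticationFlowContext the running authentication flow
     */
    @Override // org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator
    public void action(AuthenticationFlowContext authenticationFlowContext) {
        validateOTP(authenticationFlowContext);
    }

    /**
     * Presents the OTP form without an error message.
     *
     * @param authenticationFlowContext the running authentication flow
     */
    public void authenticate(AuthenticationFlowContext authenticationFlowContext) {
        authenticationFlowContext.challenge(challenge(authenticationFlowContext, null));
    }

    /**
     * Reads {@code otp} and {@code selectedCredentialId} from the posted form and decides the
     * outcome of this step.
     *
     * <ul>
     *   <li>If {@code enabledUser} returns false, nothing further is done here.</li>
     *   <li>If the {@code otp} parameter is absent, the form is shown again; no error event is
     *       recorded and the flow does not advance.</li>
     *   <li>If the credential manager accepts the code, the step succeeds.</li>
     *   <li>Otherwise an {@code invalid_user_credentials} error event is recorded for the user and
     *       the form is re-displayed with {@link Messages#INVALID_TOTP}.</li>
     * </ul>
     *
     * <p>Security note: {@code selectedCredentialId} is request-controlled. It is written to the
     * event detail and to the form attribute before any validation takes place, and this method
     * does not itself check that the id belongs to the flow's user.
     * NOTE(review): that ownership check presumably happens inside {@code isValid}, which receives
     * the realm and user from the flow context. Confirm against the credential manager.
     *
     * @param authenticationFlowContext the running authentication flow
     */
    public void validateOTP(AuthenticationFlowContext authenticationFlowContext) {
        // Typed map instead of the decompiler's raw type, so no per-value casts are needed.
        MultivaluedMap<String, String> formParams = authenticationFlowContext.getHttpRequest().getDecodedFormParameters();
        String otp = formParams.getFirst("otp");
        String credentialId = formParams.getFirst("selectedCredentialId");

        // No explicit selection: fall back to the user's default OTP credential, or "" if none exists.
        if (credentialId == null || credentialId.isEmpty()) {
            OTPCredentialModel defaultCredential = m37getCredentialProvider(authenticationFlowContext.getSession())
                    .getDefaultCredential(authenticationFlowContext.getSession(), authenticationFlowContext.getRealm(), authenticationFlowContext.getUser());
            credentialId = defaultCredential == null ? "" : defaultCredential.getId();
        }
        authenticationFlowContext.getEvent().detail("selected_credential_id", credentialId);
        authenticationFlowContext.form().setAttribute(SELECTED_OTP_CREDENTIAL_ID, credentialId);

        UserModel user = authenticationFlowContext.getUser();
        if (!enabledUser(authenticationFlowContext, user)) {
            // NOTE(review): enabledUser is inherited; presumably it sets the error/challenge on the
            // context itself when it returns false. Confirm in AbstractUsernameFormAuthenticator.
            return;
        }

        if (otp == null) {
            authenticationFlowContext.challenge(challenge(authenticationFlowContext, null));
            return;
        }

        boolean valid = authenticationFlowContext.getSession().userCredentialManager().isValid(
                authenticationFlowContext.getRealm(),
                authenticationFlowContext.getUser(),
                new UserCredentialModel(credentialId, m37getCredentialProvider(authenticationFlowContext.getSession()).getType(), otp));
        if (valid) {
            authenticationFlowContext.success();
            return;
        }

        authenticationFlowContext.getEvent().user(user).error("invalid_user_credentials");
        authenticationFlowContext.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challenge(authenticationFlowContext, Messages.INVALID_TOTP));
    }

    /**
     * @return {@code true}; this step always needs an already identified user
     */
    public boolean requiresUser() {
        return true;
    }

    /**
     * Returns the same message key that {@link #validateOTP} uses for a rejected code.
     *
     * <p>NOTE(review): presumably the superclass shows this when the account is temporarily
     * disabled, so that state would look the same as a wrong code. Confirm in
     * AbstractUsernameFormAuthenticator.
     *
     * @return {@link Messages#INVALID_TOTP}
     */
    @Override // org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator
    protected String tempDisabledError() {
        return Messages.INVALID_TOTP;
    }

    /**
     * Builds the OTP entry form.
     *
     * @param loginFormsProvider form builder supplied by the caller
     * @return the response produced by {@code createLoginTotp()}
     */
    @Override // org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator
    protected Response createLoginForm(LoginFormsProvider loginFormsProvider) {
        return loginFormsProvider.createLoginTotp();
    }

    /**
     * Asks the credential manager whether the user has a credential of the OTP provider's type.
     *
     * @param keycloakSession current session
     * @param realmModel realm the user belongs to
     * @param userModel user being authenticated
     * @return the credential manager's {@code isConfiguredFor} result
     */
    public boolean configuredFor(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
        String otpType = m37getCredentialProvider(keycloakSession).getType();
        return keycloakSession.userCredentialManager().isConfiguredFor(realmModel, userModel, otpType);
    }

    /**
     * Adds the {@code CONFIGURE_TOTP} required action to the user unless it is already present.
     *
     * @param keycloakSession current session (unused here)
     * @param realmModel realm the user belongs to (unused here)
     * @param userModel user that must set up OTP
     */
    public void setRequiredActions(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
        String configureTotp = UserModel.RequiredAction.CONFIGURE_TOTP.name();
        if (!userModel.getRequiredActions().contains(configureTotp)) {
            userModel.addRequiredAction(UserModel.RequiredAction.CONFIGURE_TOTP.name());
        }
    }

    /**
     * Looks up the factory of the {@code CONFIGURE_TOTP} required action.
     *
     * @param keycloakSession current session
     * @return a single-element list holding that factory
     */
    public List<RequiredActionFactory> getRequiredActions(KeycloakSession keycloakSession) {
        // The decompiler dropped this cast; the lookup is typed by RequiredActionProvider.class,
        // so the result has to be narrowed to fit List<RequiredActionFactory>.
        RequiredActionFactory factory = (RequiredActionFactory) keycloakSession.getKeycloakSessionFactory()
                .getProviderFactory(RequiredActionProvider.class, UserModel.RequiredAction.CONFIGURE_TOTP.name());
        return Collections.singletonList(factory);
    }

    /** No resources are held by this authenticator, so there is nothing to release. */
    @Override // org.keycloak.authentication.AbstractFormAuthenticator
    public void close() {
    }

    /**
     * Resolves the OTP credential provider from the session.
     *
     * <p>NOTE(review): the decompiler renamed this from {@code getCredentialProvider} ("merged with
     * bridge method"). To recompile against {@code CredentialValidator} the method would most
     * likely need its original name back; the name is kept here so existing references still resolve.
     *
     * @param keycloakSession current session
     * @return the provider registered under {@link OTPCredentialProviderFactory#PROVIDER_ID}
     */
    /* renamed from: getCredentialProvider, reason: merged with bridge method [inline-methods] */
    public OTPCredentialProvider m37getCredentialProvider(KeycloakSession keycloakSession) {
        // Lookup is keyed by the CredentialProvider base type; narrow explicitly (cast lost in decompilation).
        return (OTPCredentialProvider) keycloakSession.getProvider(CredentialProvider.class, OTPCredentialProviderFactory.PROVIDER_ID);
    }
}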
