package org.keycloak.services.managers;

import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.core.MultivaluedHashMap;
import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.NewCookie;
import jakarta.ws.rs.core.UriInfo;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.time.LocalDateTime;
import java.time.ZoneId;
import java.util.concurrent.ExecutorService;
import org.jboss.logging.Logger;
import org.keycloak.common.ClientConnection;
import org.keycloak.common.util.Time;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.executors.ExecutorsProvider;
import org.keycloak.http.FormPartValue;
import org.keycloak.http.HttpRequest;
import org.keycloak.http.HttpResponse;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserLoginFailureModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.storage.ReadOnlyException;

/* loaded from: input_file:org/keycloak/services/managers/DefaultBruteForceProtector.class */
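/**
 * Default {@link BruteForceProtector}: records failed logins per user in a
 * {@link UserLoginFailureModel} and derives temporary or permanent lockouts from the realm's
 * brute-force settings.
 *
 * <p>Login outcomes are not processed on the calling thread. {@link #processLogin} hands the work
 * to the executor named {@code "bruteforce"}, and each job runs in its own transaction.
 *
 * <p>NOTE(review): because the counters are updated by that executor, a check such as
 * {@link #isTemporarilyDisabled} made while a job is still queued reads the previous state. Parallel
 * attempts against one account may therefore be evaluated before earlier failures are counted;
 * confirm how the executor is configured before relying on an exact attempt limit.
 */
public class DefaultBruteForceProtector implements BruteForceProtector {
    private static final Logger logger = Logger.getLogger(DefaultBruteForceProtector.class);
    // Not read anywhere in this class; failure() uses realmModel.getMaxDeltaTimeSeconds() instead.
    protected int maxDeltaTimeSeconds = 43200;
    protected KeycloakSessionFactory factory;

    /**
     * Placeholder request installed on the background session's context. Only the URI is real;
     * every other accessor returns an empty or {@code null} value.
     *
     * <p>Decompiler note: this nested class was private in the compiled class.
     */
    public static class BruteForceHttpRequest implements HttpRequest {
        private final UriInfo uriInfo;

        BruteForceHttpRequest(UriInfo uriInfo) {
            this.uriInfo = uriInfo;
        }

        public String getHttpMethod() {
            return "";
        }

        public MultivaluedMap<String, String> getDecodedFormParameters() {
            return new MultivaluedHashMap<>();
        }

        public MultivaluedMap<String, FormPartValue> getMultiPartFormParameters() {
            return new MultivaluedHashMap<>();
        }

        /** Always {@code null}: code running in the background session must not assume headers exist. */
        public HttpHeaders getHttpHeaders() {
            return null;
        }

        /** Always {@code null}: no client certificate is carried over to the background job. */
        public X509Certificate[] getClientCertificateChain() {
            return null;
        }

        public UriInfo getUri() {
            return this.uriInfo;
        }
    }

    /**
     * Placeholder response installed on the background session's context. All mutators are no-ops
     * and the status is always {@code -1}.
     *
     * <p>Decompiler note: this nested class was private in the compiled class.
     */
    public static class BruteForceHttpResponse implements HttpResponse {
        private BruteForceHttpResponse() {
        }

        public int getStatus() {
            return -1;
        }

        public void setStatus(int i) {
        }

        public void addHeader(String str, String str2) {
        }

        public void setHeader(String str, String str2) {
        }

        public void setCookieIfAbsent(NewCookie newCookie) {
        }
    }

    public DefaultBruteForceProtector(KeycloakSessionFactory keycloakSessionFactory) {
        this.factory = keycloakSessionFactory;
    }

    /**
     * Records one failed login and applies the realm's lockout policy.
     *
     * <p>Steps, in order: store the source address and timestamp, reset the counter if the previous
     * failure is older than the realm's max delta time, increment the counter, compute the wait
     * time, apply the quick-login minimum wait, set {@code failedLoginNotBefore} for a temporary
     * lockout, and finally disable the user when the permanent-lockout condition is met.
     *
     * <p>Decompiler note: this method was protected in the compiled class.
     *
     * @param keycloakSession session used to load and store the failure record and the user
     * @param realmModel realm whose brute-force settings are applied
     * @param str id of the user the failed attempt was made against
     * @param str2 remote address of the failed attempt, stored as the last failure IP
     * @param j time of the failure in epoch milliseconds
     */
    public void failure(KeycloakSession keycloakSession, RealmModel realmModel, String str, String str2, long j) {
        logger.debug("failure");
        UserLoginFailureModel userFailureModel = getUserFailureModel(keycloakSession, realmModel, str);
        if (userFailureModel == null) {
            userFailureModel = keycloakSession.loginFailures().addUserLoginFailure(realmModel, str);
        }
        userFailureModel.setLastIPFailure(str2);
        long lastFailure = userFailureModel.getLastFailure();
        long deltaTime = 0;
        if (lastFailure > 0) {
            deltaTime = j - lastFailure;
        }
        userFailureModel.setLastFailure(j);
        // The multiplication is done in long arithmetic. With an int operand (as the decompiled
        // expression suggests) a reset window above roughly 24.8 days would wrap negative, making
        // this test always true and clearing the counter on every failure.
        if ((!realmModel.isPermanentLockout() || realmModel.getMaxTemporaryLockouts() != 0) && deltaTime > 0 && deltaTime > realmModel.getMaxDeltaTimeSeconds() * 1000L) {
            userFailureModel.clearFailures();
        }
        userFailureModel.incrementFailures();
        logger.debugv("new num failures: {0}", Integer.valueOf(userFailureModel.getNumFailures()));
        int waitSeconds = 0;
        if (!realmModel.isPermanentLockout() || realmModel.getMaxTemporaryLockouts() != 0) {
            // NOTE(review): the MULTIPLE branch divides by getFailureFactor(); a realm stored with
            // failureFactor == 0 would throw ArithmeticException here - confirm it is validated
            // before it reaches this point.
            waitSeconds = RealmRepresentation.BruteForceStrategy.MULTIPLE.equals(realmModel.getBruteForceStrategy()) ? realmModel.getWaitIncrementSeconds() * (userFailureModel.getNumFailures() / realmModel.getFailureFactor()) : realmModel.getWaitIncrementSeconds() * ((1 + userFailureModel.getNumFailures()) - realmModel.getFailureFactor());
        }
        logger.debugv("waitSeconds: {0}", Integer.valueOf(waitSeconds));
        logger.debugv("deltaTime: {0}", Long.valueOf(deltaTime));
        boolean quickLogin = false;
        // Failures arriving faster than the quick-login threshold get the minimum wait even when
        // the failure count alone would not yet trigger one.
        if (waitSeconds <= 0 && lastFailure > 0 && deltaTime < realmModel.getQuickLoginCheckMilliSeconds()) {
            logger.debugv("quick login, set min wait seconds", new Object[0]);
            waitSeconds = realmModel.getMinimumQuickLoginWaitSeconds();
            quickLogin = true;
        }
        if (waitSeconds > 0) {
            if (!realmModel.isPermanentLockout() || realmModel.getMaxTemporaryLockouts() > 0) {
                waitSeconds = Math.min(realmModel.getMaxFailureWaitSeconds(), waitSeconds);
            }
            // Quick-login waits do not count towards the temporary-lockout total.
            if (!quickLogin) {
                userFailureModel.incrementTemporaryLockouts();
            }
            if (quickLogin || !realmModel.isPermanentLockout() || userFailureModel.getNumTemporaryLockouts() <= realmModel.getMaxTemporaryLockouts()) {
                // notBefore is kept as int epoch seconds because setFailedLoginNotBefore takes an int.
                int notBefore = ((int) (j / 1000)) + waitSeconds;
                logger.debugv("set notBefore: {0}", Integer.valueOf(notBefore));
                userFailureModel.setFailedLoginNotBefore(notBefore);
                sendEvent(keycloakSession, realmModel, userFailureModel, EventType.USER_DISABLED_BY_TEMPORARY_LOCKOUT);
            }
        }
        if (realmModel.isPermanentLockout()) {
            boolean limitExceeded = userFailureModel.getNumTemporaryLockouts() > realmModel.getMaxTemporaryLockouts()
                    || (realmModel.getMaxTemporaryLockouts() == 0 && userFailureModel.getNumFailures() >= realmModel.getFailureFactor());
            if (limitExceeded) {
                UserModel user = keycloakSession.users().getUserById(realmModel, str);
                if (user != null) {
                    logger.debugv("user {0} locked permanently due to too many login attempts", user.getUsername());
                    user.setEnabled(false);
                    try {
                        // Marker read back by isPermanentlyLockedOut and cleanUpPermanentLockout.
                        user.setSingleAttribute("disabledReason", "permanentLockout");
                    } catch (ReadOnlyException e) {
                        // Best effort: the user is still disabled above, only the marker is missing.
                        logger.debug("Cannot set disabled reason on read only user");
                    }
                    sendEvent(keycloakSession, realmModel, userFailureModel, EventType.USER_DISABLED_BY_PERMANENT_LOCKOUT);
                }
            }
        }
    }

    /**
     * Looks up the stored failure record for a user.
     *
     * @param str id of the user
     * @return the record, or {@code null} when {@code realmModel} is {@code null} or the lookup
     *     returns nothing
     */
    protected UserLoginFailureModel getUserFailureModel(KeycloakSession keycloakSession, RealmModel realmModel, String str) {
        if (realmModel == null) {
            return null;
        }
        return keycloakSession.loginFailures().getUserLoginFailure(realmModel, str);
    }

    /**
     * Emits a lockout event carrying the last failure IP, the failure count and the user id.
     *
     * <p>For temporary lockouts a {@code not_before} detail is added. It is rendered as a
     * {@link LocalDateTime} in the JVM's default time zone, so the string carries no offset; event
     * consumers that correlate across hosts need to know the zone of the emitting node.
     */
    protected void sendEvent(KeycloakSession keycloakSession, RealmModel realmModel, UserLoginFailureModel userLoginFailureModel, EventType eventType) {
        EventBuilder event = new EventBuilder(realmModel, keycloakSession)
                .ipAddress(userLoginFailureModel.getLastIPFailure())
                .event(eventType)
                .detail("reason", "brute_force_attack detected")
                .detail("num_failures", String.valueOf(userLoginFailureModel.getNumFailures()))
                .user(userLoginFailureModel.getUserId());
        if (eventType == EventType.USER_DISABLED_BY_TEMPORARY_LOCKOUT) {
            event.detail("not_before", LocalDateTime.ofInstant(Instant.ofEpochSecond(userLoginFailureModel.getFailedLoginNotBefore()), ZoneId.systemDefault()).toString());
        }
        event.success();
    }

    /** No-op: this class holds nothing that needs to be released. */
    public void shutdown() {
    }

    /**
     * Clears the stored failures for a user after a successful login. Does nothing when no failure
     * record exists.
     *
     * <p>Decompiler note: this method was protected in the compiled class.
     *
     * @param str id of the user that logged in
     */
    public void success(KeycloakSession keycloakSession, RealmModel realmModel, String str) {
        UserLoginFailureModel userFailureModel = getUserFailureModel(keycloakSession, realmModel, str);
        if (userFailureModel == null) {
            return;
        }
        if (logger.isDebugEnabled()) {
            // getUserById may return null (failure() checks for it too). Without this guard,
            // enabling debug logging could throw before the failures are cleared.
            UserModel user = keycloakSession.users().getUserById(realmModel, str);
            logger.debugv("user {0} successfully logged in, clearing all failures", user != null ? user.getUsername() : str);
        }
        userFailureModel.clearFailures();
    }

    /** Queues a failed login for processing; see {@link #processLogin}. */
    public void failedLogin(RealmModel realmModel, UserModel userModel, ClientConnection clientConnection, UriInfo uriInfo) {
        processLogin(realmModel, userModel, clientConnection, uriInfo, false);
        logger.trace("sent failure event");
    }

    /** Queues a successful login for processing; see {@link #processLogin}. */
    public void successfulLogin(RealmModel realmModel, UserModel userModel, ClientConnection clientConnection, UriInfo uriInfo) {
        processLogin(realmModel, userModel, clientConnection, uriInfo, true);
        logger.trace("sent success event");
    }

    /**
     * Submits the login outcome to the {@code "bruteforce"} executor, where it is handled in a new
     * transaction with placeholder HTTP request and response objects on the session context.
     *
     * <p>The failure timestamp and the remote address are read inside the job, so they reflect the
     * moment the job runs, not the moment this method was called.
     *
     * <p>NOTE(review): {@code realmModel}, {@code userModel} and {@code clientConnection} belong to
     * the caller and are dereferenced later on the executor thread. {@code failure}/{@code success}
     * also receive the caller's {@code realmModel}, not the realm loaded into the job's context.
     * Confirm these objects remain valid once the originating request has finished.
     *
     * <p>Decompiler note: this method was protected in the compiled class.
     *
     * @param z {@code true} for a successful login, {@code false} for a failed one
     */
    public void processLogin(RealmModel realmModel, UserModel userModel, ClientConnection clientConnection, UriInfo uriInfo, boolean z) {
        ExecutorService executorService = (ExecutorService) KeycloakModelUtils.runJobInTransactionWithResult(this.factory, keycloakSession -> {
            return keycloakSession.getProvider(ExecutorsProvider.class).getExecutor("bruteforce");
        });
        BruteForceHttpRequest bruteForceHttpRequest = new BruteForceHttpRequest(uriInfo);
        BruteForceHttpResponse bruteForceHttpResponse = new BruteForceHttpResponse();
        executorService.execute(() -> {
            KeycloakModelUtils.runJobInTransaction(this.factory, keycloakSession2 -> {
                keycloakSession2.getContext().setRealm(keycloakSession2.realms().getRealm(realmModel.getId()));
                keycloakSession2.getContext().setHttpRequest(bruteForceHttpRequest);
                keycloakSession2.getContext().setHttpResponse(bruteForceHttpResponse);
                if (z) {
                    success(keycloakSession2, realmModel, userModel.getId());
                } else {
                    failure(keycloakSession2, realmModel, userModel.getId(), clientConnection.getRemoteAddr(), Time.currentTimeMillis());
                }
            });
        });
    }

    /**
     * Reports whether the user is inside a temporary lockout window.
     *
     * @return {@code true} when a failure record exists and the current time in epoch seconds is
     *     still below its {@code failedLoginNotBefore}; {@code false} otherwise
     */
    public boolean isTemporarilyDisabled(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
        UserLoginFailureModel userFailureModel = getUserFailureModel(keycloakSession, realmModel, userModel.getId());
        if (userFailureModel == null) {
            return false;
        }
        // Both values are int epoch seconds, matching the int stored by setFailedLoginNotBefore.
        int currentTime = (int) (Time.currentTimeMillis() / 1000);
        int failedLoginNotBefore = userFailureModel.getFailedLoginNotBefore();
        if (currentTime >= failedLoginNotBefore) {
            return false;
        }
        logger.debugv("Current: {0} notBefore: {1}", Integer.valueOf(currentTime), Integer.valueOf(failedLoginNotBefore));
        return true;
    }

    /**
     * Reports whether the user is permanently locked out.
     *
     * @return {@code true} when the user is disabled and carries the {@code disabledReason} value
     *     {@code permanentLockout}, or when the realm uses permanent lockout and the user's
     *     temporary-lockout count exceeds the realm maximum
     */
    public boolean isPermanentlyLockedOut(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
        if (!userModel.isEnabled() && "permanentLockout".equals(userModel.getFirstAttribute("disabledReason"))) {
            return true;
        }
        if (!realmModel.isPermanentLockout()) {
            return false;
        }
        UserLoginFailureModel userFailureModel = getUserFailureModel(keycloakSession, realmModel, userModel.getId());
        return userFailureModel != null && userFailureModel.getNumTemporaryLockouts() > realmModel.getMaxTemporaryLockouts();
    }

    /**
     * Removes the {@code disabledReason} attribute when it marks a permanent lockout. The user's
     * enabled flag is not touched here.
     */
    public void cleanUpPermanentLockout(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
        if ("permanentLockout".equals(userModel.getFirstAttribute("disabledReason"))) {
            userModel.removeAttribute("disabledReason");
        }
    }

    /** No-op: this class holds nothing that needs to be released. */
    public void close() {
    }
}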
