package org.keycloak.authentication.authenticators.browser;

import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import javax.ws.rs.core.MultivaluedMap;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.models.utils.RoleUtils;

/* loaded from: input_file:org/keycloak/authentication/authenticators/browser/ConditionalOtpFormAuthenticator.class */
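/**
 * OTP form authenticator that decides per login whether the OTP form is shown or skipped.
 *
 * <p>{@link #authenticate} consults four sources in a fixed order: a user attribute, the user's
 * roles, the request headers, and a configured default outcome. The first source that does not
 * abstain decides. If every source abstains, the OTP form is shown.
 *
 * <p>Review notes on the skip paths, since each one removes a second factor:
 * <ul>
 *   <li>The user-attribute vote is evaluated first, so a {@code skip} value there wins over a
 *       force role or force header pattern. The attribute must not be writable by the user it
 *       applies to (depends on realm configuration; confirm).</li>
 *   <li>Within the role vote and the header vote, the skip setting is checked before the force
 *       setting, so a user or request matching both is skipped.</li>
 *   <li>Header values come from the client unless a trusted proxy sets or strips them. A skip
 *       pattern is only as trustworthy as the header it matches.</li>
 * </ul>
 */
public class ConditionalOtpFormAuthenticator extends OTPFormAuthenticator {
    /** Outcome value (attribute or default) meaning "do not ask for OTP". */
    public static final String SKIP = "skip";
    /** Outcome value (attribute or default) meaning "ask for OTP". */
    public static final String FORCE = "force";
    /** Config key: name of the user attribute whose first value is read as an outcome. */
    public static final String OTP_CONTROL_USER_ATTRIBUTE = "otpControlAttribute";
    /** Config key: role whose holders skip OTP. */
    public static final String SKIP_OTP_ROLE = "skipOtpRole";
    /** Config key: role whose holders are asked for OTP. */
    public static final String FORCE_OTP_ROLE = "forceOtpRole";
    /** Config key: regex matched against {@code "Name: value"} of each request header to skip OTP. */
    public static final String SKIP_OTP_FOR_HTTP_HEADER = "noOtpRequiredForHeaderPattern";
    /** Config key: regex matched against {@code "Name: value"} of each request header to force OTP. */
    public static final String FORCE_OTP_FOR_HTTP_HEADER = "forceOtpForHeaderPattern";
    /** Config key: outcome used when attribute, role and header votes all abstain. */
    public static final String DEFAULT_OTP_OUTCOME = "defaultOtpOutcome";

    /**
     * Result of a single decision source.
     *
     * <p>The decompiler reports that this enum was package-private in the original class file; it
     * is kept {@code public} here to match the listing.
     */
    public enum OtpDecision {
        /** Complete the step without asking for OTP. */
        SKIP_OTP,
        /** Present the OTP form. */
        SHOW_OTP,
        /** This source has no opinion; ask the next one. */
        ABSTAIN
    }

    /**
     * Runs the decision chain and either shows the OTP form or marks the step successful.
     *
     * <p>A missing authenticator configuration fails closed and shows the OTP form. Without this
     * guard, an unconfigured execution would throw a {@link NullPointerException} here.
     *
     * @param authenticationFlowContext the running authentication flow
     */
    @Override
    public void authenticate(AuthenticationFlowContext authenticationFlowContext) {
        AuthenticatorConfigModel configModel = authenticationFlowContext.getAuthenticatorConfig();
        Map<String, String> config = configModel == null ? null : configModel.getConfig();
        if (config == null) {
            // Nothing to evaluate: require the second factor rather than crash or skip.
            showOtpForm(authenticationFlowContext);
            return;
        }

        // Order matters: the first non-abstaining source concludes the step.
        if (tryConcludeBasedOn(
                voteForUserOtpControlAttribute(authenticationFlowContext.getUser(), config),
                authenticationFlowContext)) {
            return;
        }
        if (tryConcludeBasedOn(
                voteForUserRole(authenticationFlowContext.getRealm(), authenticationFlowContext.getUser(), config),
                authenticationFlowContext)) {
            return;
        }
        if (tryConcludeBasedOn(
                voteForHttpHeaderMatchesPattern(
                        authenticationFlowContext.getHttpRequest().getHttpHeaders().getRequestHeaders(), config),
                authenticationFlowContext)) {
            return;
        }
        if (tryConcludeBasedOn(voteForDefaultFallback(config), authenticationFlowContext)) {
            return;
        }

        // Every source abstained: fail closed.
        showOtpForm(authenticationFlowContext);
    }

    /**
     * Maps a configured outcome string to a decision.
     *
     * @param outcome {@link #SKIP}, {@link #FORCE}, anything else, or {@code null}
     * @return {@code SKIP_OTP} for "skip", {@code SHOW_OTP} for "force", otherwise {@code ABSTAIN}
     */
    private static OtpDecision decisionForOutcome(String outcome) {
        if (outcome == null) {
            return OtpDecision.ABSTAIN;
        }
        // The listing showed the decompiler's expansion of a string switch (hashCode + equals with
        // an int selector typed as boolean), which does not compile. This is the plain form.
        switch (outcome) {
            case SKIP:
                return OtpDecision.SKIP_OTP;
            case FORCE:
                return OtpDecision.SHOW_OTP;
            default:
                return OtpDecision.ABSTAIN;
        }
    }

    /**
     * Votes according to {@link #DEFAULT_OTP_OUTCOME}.
     *
     * <p>The value is compared as-is, without trimming. An unrecognised or {@code null} value
     * abstains.
     */
    private OtpDecision voteForDefaultFallback(Map<String, String> map) {
        if (!map.containsKey(DEFAULT_OTP_OUTCOME)) {
            return OtpDecision.ABSTAIN;
        }
        return decisionForOutcome(map.get(DEFAULT_OTP_OUTCOME));
    }

    /**
     * Applies a decision to the flow.
     *
     * @return {@code true} if the decision concluded the step (form shown or step succeeded),
     *         {@code false} if the source abstained
     */
    private boolean tryConcludeBasedOn(OtpDecision otpDecision, AuthenticationFlowContext authenticationFlowContext) {
        switch (otpDecision) {
            case SHOW_OTP:
                showOtpForm(authenticationFlowContext);
                return true;
            case SKIP_OTP:
                // Marks this execution successful without any OTP check.
                authenticationFlowContext.success();
                return true;
            default:
                return false;
        }
    }

    /**
     * Flow-less variant used by {@link #isOTPRequired}.
     *
     * @return {@code true} only for {@code SHOW_OTP}; both {@code SKIP_OTP} and {@code ABSTAIN}
     *         yield {@code false}
     */
    private boolean tryConcludeBasedOn(OtpDecision otpDecision) {
        return otpDecision == OtpDecision.SHOW_OTP;
    }

    /** Delegates to the parent authenticator, which presents the OTP form. */
    private void showOtpForm(AuthenticationFlowContext authenticationFlowContext) {
        super.authenticate(authenticationFlowContext);
    }

    /**
     * Votes according to the first value of the user attribute named by
     * {@link #OTP_CONTROL_USER_ATTRIBUTE}.
     *
     * <p>The value is trimmed before comparison. A missing attribute name, a missing, empty or
     * {@code null} attribute value, or an unrecognised value abstains.
     */
    private OtpDecision voteForUserOtpControlAttribute(UserModel userModel, Map<String, String> map) {
        String attributeName = map.get(OTP_CONTROL_USER_ATTRIBUTE);
        if (attributeName == null) {
            return OtpDecision.ABSTAIN;
        }
        List<String> values = userModel.getAttribute(attributeName);
        if (values == null || values.isEmpty()) {
            return OtpDecision.ABSTAIN;
        }
        String first = values.get(0);
        if (first == null) {
            return OtpDecision.ABSTAIN;
        }
        return decisionForOutcome(first.trim());
    }

    /**
     * Votes according to the skip and force header patterns.
     *
     * <p>The skip pattern is tested first, so a request matching both patterns skips OTP.
     */
    private OtpDecision voteForHttpHeaderMatchesPattern(MultivaluedMap<String, String> multivaluedMap, Map<String, String> map) {
        if (!map.containsKey(FORCE_OTP_FOR_HTTP_HEADER) && !map.containsKey(SKIP_OTP_FOR_HTTP_HEADER)) {
            return OtpDecision.ABSTAIN;
        }
        if (containsMatchingRequestHeader(multivaluedMap, map.get(SKIP_OTP_FOR_HTTP_HEADER))) {
            return OtpDecision.SKIP_OTP;
        }
        if (containsMatchingRequestHeader(multivaluedMap, map.get(FORCE_OTP_FOR_HTTP_HEADER))) {
            return OtpDecision.SHOW_OTP;
        }
        return OtpDecision.ABSTAIN;
    }

    /**
     * Tests whether any request header, rendered as {@code "Name: value"} with both parts
     * trimmed, matches the pattern in full.
     *
     * <p>The pattern comes from configuration and is compiled with {@link Pattern#DOTALL} on
     * every call. An invalid pattern propagates the unchecked exception from
     * {@link Pattern#compile(String, int)}. The matched text is request-supplied, so the
     * configured expression should stay simple to avoid heavy backtracking.
     *
     * @param multivaluedMap request headers
     * @param str regex, or {@code null} when the setting is absent
     * @return {@code true} if at least one header line matches
     */
    private boolean containsMatchingRequestHeader(MultivaluedMap<String, String> multivaluedMap, String str) {
        if (str == null) {
            return false;
        }
        Pattern headerPattern = Pattern.compile(str, Pattern.DOTALL);
        for (Map.Entry<String, List<String>> header : multivaluedMap.entrySet()) {
            String name = header.getKey();
            List<String> values = header.getValue();
            if (name == null || values == null) {
                continue;
            }
            String trimmedName = name.trim();
            for (String value : values) {
                if (value == null) {
                    continue;
                }
                if (headerPattern.matcher(trimmedName + ": " + value.trim()).matches()) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Votes according to the skip and force roles.
     *
     * <p>The skip role is tested first, so a user holding both roles skips OTP.
     */
    private OtpDecision voteForUserRole(RealmModel realmModel, UserModel userModel, Map<String, String> map) {
        if (!map.containsKey(SKIP_OTP_ROLE) && !map.containsKey(FORCE_OTP_ROLE)) {
            return OtpDecision.ABSTAIN;
        }
        if (userHasRole(realmModel, userModel, map.get(SKIP_OTP_ROLE))) {
            return OtpDecision.SKIP_OTP;
        }
        if (userHasRole(realmModel, userModel, map.get(FORCE_OTP_ROLE))) {
            return OtpDecision.SHOW_OTP;
        }
        return OtpDecision.ABSTAIN;
    }

    /**
     * Checks the user's role mappings for the named role.
     *
     * @param str role name as configured, or {@code null} when the setting is absent
     */
    private boolean userHasRole(RealmModel realmModel, UserModel userModel, String str) {
        if (str == null) {
            return false;
        }
        // NOTE(review): confirm how RoleUtils.hasRole treats a name that getRoleFromString
        // cannot resolve (for example a mistyped skip role).
        return RoleUtils.hasRole(userModel.getRoleMappings(), KeycloakModelUtils.getRoleFromString(realmModel, str));
    }

    /**
     * Decides whether the user should be made to configure OTP.
     *
     * <p>This walks every authenticator config in the realm, not only the one attached to the
     * current execution. It uses different precedence from {@link #authenticate}: any
     * {@code SHOW_OTP} vote from the attribute, role or header source in any config returns
     * {@code true}, even if an earlier source in the same config voted {@code SKIP_OTP}.
     *
     * @return {@code true} if some config forces OTP, or if some conditional config leaves all
     *         three sources abstaining and its default is not {@code skip}
     */
    private boolean isOTPRequired(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
        MultivaluedMap<String, String> requestHeaders = keycloakSession.getContext().getRequestHeaders().getRequestHeaders();
        for (AuthenticatorConfigModel authenticatorConfigModel : realmModel.getAuthenticatorConfigs()) {
            Map<String, String> config = authenticatorConfigModel.getConfig();
            if (config == null) {
                // Nothing configured on this entry; it cannot express an OTP requirement.
                continue;
            }

            OtpDecision attributeVote = voteForUserOtpControlAttribute(userModel, config);
            if (tryConcludeBasedOn(attributeVote)) {
                return true;
            }
            OtpDecision roleVote = voteForUserRole(realmModel, userModel, config);
            if (tryConcludeBasedOn(roleVote)) {
                return true;
            }
            OtpDecision headerVote = voteForHttpHeaderMatchesPattern(requestHeaders, config);
            if (tryConcludeBasedOn(headerVote)) {
                return true;
            }

            // A config whose only entry is defaultOtpOutcome=force.
            if (FORCE.equals(config.get(DEFAULT_OTP_OUTCOME)) && config.size() <= 1) {
                return true;
            }

            boolean allAbstain = attributeVote == OtpDecision.ABSTAIN
                    && roleVote == OtpDecision.ABSTAIN
                    && headerVote == OtpDecision.ABSTAIN;
            // With no source deciding, only an explicit default of "skip" avoids the requirement.
            if (containsConditionalOtpConfig(config)
                    && allAbstain
                    && voteForDefaultFallback(config) != OtpDecision.SKIP_OTP) {
                return true;
            }
        }
        return false;
    }

    /** Returns {@code true} if the config carries at least one conditional-OTP setting. */
    private boolean containsConditionalOtpConfig(Map<String, String> map) {
        return map.containsKey(OTP_CONTROL_USER_ATTRIBUTE)
                || map.containsKey(SKIP_OTP_ROLE)
                || map.containsKey(FORCE_OTP_ROLE)
                || map.containsKey(SKIP_OTP_FOR_HTTP_HEADER)
                || map.containsKey(FORCE_OTP_FOR_HTTP_HEADER)
                || map.containsKey(DEFAULT_OTP_OUTCOME);
    }

    /**
     * Adds or removes the {@code CONFIGURE_TOTP} required action to match {@link #isOTPRequired}.
     *
     * <p>When OTP is not required, the action is removed from the user unconditionally. The code
     * does not distinguish an action this authenticator added from one set by other means.
     */
    @Override
    public void setRequiredActions(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
        if (!isOTPRequired(keycloakSession, realmModel, userModel)) {
            userModel.removeRequiredAction(UserModel.RequiredAction.CONFIGURE_TOTP);
            return;
        }
        String configureTotp = UserModel.RequiredAction.CONFIGURE_TOTP.name();
        if (!userModel.getRequiredActions().contains(configureTotp)) {
            userModel.addRequiredAction(configureTotp);
        }
    }
}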
