package org.keycloak.credential;

import io.micrometer.core.instrument.Counter;
import io.micrometer.core.instrument.Meter;
import io.micrometer.core.instrument.Tag;
import java.time.Duration;
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.jboss.logging.Logger;
import org.keycloak.common.util.Time;
import org.keycloak.credential.CredentialTypeMetadata;
import org.keycloak.credential.hash.PasswordHashProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelException;
import org.keycloak.models.PasswordPolicy;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.credential.PasswordCredentialModel;
import org.keycloak.policy.PasswordPolicyManagerProvider;
import org.keycloak.policy.PolicyError;

/* loaded from: input_file:org/keycloak/credential/PasswordCredentialProvider.class */
public class PasswordCredentialProvider implements CredentialProvider<PasswordCredentialModel>, CredentialInputUpdater, CredentialInputValidator {
    private static final Logger logger = Logger.getLogger(PasswordCredentialProvider.class);
    private static final String METER_VALIDATION_OUTCOME_VALID_TAG_VALUE = "valid";
    private static final String METER_VALIDATION_OUTCOME_INVALID_TAG_VALUE = "invalid";
    private static final String METER_VALIDATION_OUTCOME_ERROR_TAG_VALUE = "error";
    protected final KeycloakSession session;
    private final Meter.MeterProvider<Counter> meterProvider;
    private final boolean withAlgorithmInMetric;
    private final boolean metricsEnabled;
    private final boolean withRealmInMetric;
    private final boolean withHashingStrengthInMetric;
    private final boolean withOutcomeInMetric;

    public PasswordCredentialProvider(KeycloakSession keycloakSession, Meter.MeterProvider<Counter> meterProvider, boolean z, boolean z2, boolean z3, boolean z4, boolean z5) {
        this.session = keycloakSession;
        this.meterProvider = meterProvider;
        this.metricsEnabled = z;
        this.withRealmInMetric = z2;
        this.withAlgorithmInMetric = z3;
        this.withHashingStrengthInMetric = z4;
        this.withOutcomeInMetric = z5;
    }

    public PasswordCredentialModel getPassword(RealmModel realmModel, UserModel userModel) {
        List list = (List) userModel.credentialManager().getStoredCredentialsByTypeStream(getType()).collect(Collectors.toList());
        if (list.isEmpty()) {
            return null;
        }
        return PasswordCredentialModel.createFromCredentialModel((CredentialModel) list.get(0));
    }

    public boolean createCredential(RealmModel realmModel, UserModel userModel, String str) {
        PasswordPolicy passwordPolicy = realmModel.getPasswordPolicy();
        PolicyError validate = this.session.getProvider(PasswordPolicyManagerProvider.class).validate(realmModel, userModel, str);
        if (validate != null) {
            throw new ModelException(validate.getMessage(), validate.getParameters());
        }
        PasswordHashProvider hashProvider = getHashProvider(passwordPolicy);
        if (hashProvider == null) {
            return false;
        }
        try {
            PasswordCredentialModel encodedCredential = hashProvider.encodedCredential(str, passwordPolicy.getHashIterations());
            encodedCredential.setCreatedDate(Long.valueOf(Time.currentTimeMillis()));
            createCredential(realmModel, userModel, encodedCredential);
            return true;
        } catch (Throwable th) {
            throw new ModelException(th.getMessage(), th);
        }
    }

    public CredentialModel createCredential(RealmModel realmModel, UserModel userModel, PasswordCredentialModel passwordCredentialModel) {
        PasswordCredentialModel passwordCredentialModel2;
        PasswordPolicy passwordPolicy = realmModel.getPasswordPolicy();
        int expiredPasswords = passwordPolicy.getExpiredPasswords();
        int max = Math.max(0, passwordPolicy.getPasswordAgeInDays());
        CredentialModel password = getPassword(realmModel, userModel);
        if (passwordCredentialModel.getCreatedDate() == null) {
            passwordCredentialModel.setCreatedDate(Long.valueOf(Time.currentTimeMillis()));
        }
        if (password == null) {
            passwordCredentialModel2 = userModel.credentialManager().createStoredCredential(passwordCredentialModel);
        } else {
            passwordCredentialModel.setId(password.getId());
            userModel.credentialManager().updateStoredCredential(passwordCredentialModel);
            passwordCredentialModel2 = passwordCredentialModel;
            if (expiredPasswords > 1 || max > 0) {
                password.setId((String) null);
                password.setType("password-history");
                password = userModel.credentialManager().createStoredCredential(password);
            }
        }
        int max2 = Math.max(0, expiredPasswords - 1);
        long currentTimeMillis = Time.currentTimeMillis() - Duration.ofDays(max).toMillis();
        CredentialModel credentialModel = password;
        ((List) userModel.credentialManager().getStoredCredentialsByTypeStream("password-history").sorted(CredentialModel.comparingByStartDateDesc()).skip(max2).filter(credentialModel2 -> {
            return !credentialModel2.getId().equals(credentialModel.getId());
        }).filter(credentialModel3 -> {
            return passwordAgePredicate(credentialModel3, currentTimeMillis);
        }).collect(Collectors.toList())).forEach(credentialModel4 -> {
            userModel.credentialManager().removeStoredCredentialById(credentialModel4.getId());
        });
        return passwordCredentialModel2;
    }

    private boolean passwordAgePredicate(CredentialModel credentialModel, long j) {
        return (credentialModel.getCreatedDate() == null ? Long.MIN_VALUE : credentialModel.getCreatedDate().longValue()) < j;
    }

    public boolean deleteCredential(RealmModel realmModel, UserModel userModel, String str) {
        return userModel.credentialManager().removeStoredCredentialById(str);
    }

    /* renamed from: getCredentialFromModel, reason: merged with bridge method [inline-methods] */
    public PasswordCredentialModel m201getCredentialFromModel(CredentialModel credentialModel) {
        return PasswordCredentialModel.createFromCredentialModel(credentialModel);
    }

    protected PasswordHashProvider getHashProvider(PasswordPolicy passwordPolicy) {
        if (passwordPolicy != null && passwordPolicy.getHashAlgorithm() != null) {
            PasswordHashProvider provider = this.session.getProvider(PasswordHashProvider.class, passwordPolicy.getHashAlgorithm());
            if (provider != null) {
                return provider;
            }
            logger.warnv("Realm PasswordPolicy PasswordHashProvider {0} not found", passwordPolicy.getHashAlgorithm());
        }
        return this.session.getProvider(PasswordHashProvider.class);
    }

    public boolean supportsCredentialType(String str) {
        return str.equals(getType());
    }

    public boolean updateCredential(RealmModel realmModel, UserModel userModel, CredentialInput credentialInput) {
        return createCredential(realmModel, userModel, credentialInput.getChallengeResponse());
    }

    public void disableCredentialType(RealmModel realmModel, UserModel userModel, String str) {
    }

    public Stream<String> getDisableableCredentialTypesStream(RealmModel realmModel, UserModel userModel) {
        return Stream.empty();
    }

    public boolean isConfiguredFor(RealmModel realmModel, UserModel userModel, String str) {
        return getPassword(realmModel, userModel) != null;
    }

    public boolean isValid(RealmModel realmModel, UserModel userModel, CredentialInput credentialInput) {
        if (!(credentialInput instanceof UserCredentialModel)) {
            logger.debug("Expected instance of UserCredentialModel for CredentialInput");
            return false;
        }
        if (credentialInput.getChallengeResponse() == null) {
            logger.debugv("Input password was null for user {0} ", userModel.getUsername());
            return false;
        }
        PasswordCredentialModel password = getPassword(realmModel, userModel);
        if (password == null) {
            logger.debugv("No password stored for user {0} ", userModel.getUsername());
            return false;
        }
        String algorithm = password.getPasswordCredentialData().getAlgorithm();
        PasswordHashProvider provider = this.session.getProvider(PasswordHashProvider.class, algorithm);
        if (provider == null) {
            logger.debugv("PasswordHashProvider {0} not found for user {1} ", algorithm, userModel.getUsername());
            return false;
        }
        try {
            if (provider.verify(credentialInput.getChallengeResponse(), password)) {
                rehashPasswordIfRequired(this.session, realmModel, userModel, credentialInput, password);
                publishMetricIfEnabled(realmModel, algorithm, provider.credentialHashingStrength(password), METER_VALIDATION_OUTCOME_VALID_TAG_VALUE);
                return true;
            }
            logger.debugv("Failed password validation for user {0} ", userModel.getUsername());
            publishMetricIfEnabled(realmModel, algorithm, provider.credentialHashingStrength(password), METER_VALIDATION_OUTCOME_INVALID_TAG_VALUE);
            return false;
        } catch (Throwable th) {
            logger.warn("Error when validating user password", th);
            publishMetricIfEnabled(realmModel, algorithm, provider.credentialHashingStrength(password), "error");
            return false;
        }
    }

    private void publishMetricIfEnabled(RealmModel realmModel, String str, String str2, String str3) {
        if (this.metricsEnabled) {
            ArrayList arrayList = new ArrayList(5);
            if (this.withAlgorithmInMetric) {
                arrayList.add(Tag.of("algorithm", nullToEmpty(str)));
            }
            if (this.withHashingStrengthInMetric) {
                arrayList.add(Tag.of(PasswordCredentialProviderFactory.METER_HASHING_STRENGTH_TAG, nullToEmpty(str2)));
            }
            if (this.withRealmInMetric) {
                arrayList.add(Tag.of(PasswordCredentialProviderFactory.METER_REALM_TAG, nullToEmpty(realmModel.getName())));
            }
            if (this.withOutcomeInMetric) {
                arrayList.add(Tag.of(PasswordCredentialProviderFactory.METER_VALIDATION_OUTCOME_TAG, nullToEmpty(str3)));
            }
            this.meterProvider.withTags(arrayList).increment();
        }
    }

    private String nullToEmpty(String str) {
        return str == null ? "" : str;
    }

    private void rehashPasswordIfRequired(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel, CredentialInput credentialInput, PasswordCredentialModel passwordCredentialModel) {
        PasswordPolicy passwordPolicy = realmModel.getPasswordPolicy();
        PasswordHashProvider provider = (passwordPolicy == null || passwordPolicy.getHashAlgorithm() == null) ? keycloakSession.getProvider(PasswordHashProvider.class) : (PasswordHashProvider) keycloakSession.getProvider(PasswordHashProvider.class, passwordPolicy.getHashAlgorithm());
        if (provider.policyCheck(passwordPolicy, passwordCredentialModel)) {
            return;
        }
        PasswordCredentialModel encodedCredential = provider.encodedCredential(credentialInput.getChallengeResponse(), passwordPolicy != null ? passwordPolicy.getHashIterations() : -1);
        encodedCredential.setId(passwordCredentialModel.getId());
        encodedCredential.setCreatedDate(passwordCredentialModel.getCreatedDate());
        encodedCredential.setUserLabel(passwordCredentialModel.getUserLabel());
        userModel.credentialManager().updateStoredCredential(encodedCredential);
    }

    public String getType() {
        return "password";
    }

    public CredentialTypeMetadata getCredentialTypeMetadata(CredentialTypeMetadataContext credentialTypeMetadataContext) {
        CredentialTypeMetadata.CredentialTypeMetadataBuilder iconCssClass = CredentialTypeMetadata.builder().type(getType()).category(CredentialTypeMetadata.Category.BASIC_AUTHENTICATION).displayName("password-display-name").helpText("password-help-text").iconCssClass("kcAuthenticatorPasswordClass");
        UserModel user = credentialTypeMetadataContext.getUser();
        if (user == null || !user.credentialManager().isConfiguredFor(getType())) {
            iconCssClass.createAction(UserModel.RequiredAction.UPDATE_PASSWORD.toString());
        } else {
            iconCssClass.updateAction(UserModel.RequiredAction.UPDATE_PASSWORD.toString());
        }
        return iconCssClass.removeable(false).build(this.session);
    }
}
