package org.keycloak.authentication.authenticators.browser;

import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Response;
import org.jboss.logging.Logger;
import org.keycloak.authentication.AbstractFormAuthenticator;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.authenticators.util.AuthenticatorUtils;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.hash.PasswordHashProvider;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.models.ModelDuplicateException;
import org.keycloak.models.PasswordPolicy;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.FormMessage;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.services.ServicesLogger;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.messages.Messages;

/* loaded from: input_file:org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator.class */
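public abstract class AbstractUsernameFormAuthenticator extends AbstractFormAuthenticator {
    private static final Logger logger = Logger.getLogger(AbstractUsernameFormAuthenticator.class);
    public static final String REGISTRATION_FORM_ACTION = "registration_form";
    /** Auth-session note holding the trimmed username the user submitted on the form. */
    public static final String ATTEMPTED_USERNAME = "ATTEMPTED_USERNAME";
    public static final String SESSION_INVALID = "SESSION_INVALID";
    /**
     * Auth-session note; when it parses as {@code true}, the user was already resolved by an
     * earlier step of the flow and only the password is collected here.
     */
    protected static final String USER_SET_BEFORE_USERNAME_PASSWORD_AUTH = "USER_SET_BEFORE_USERNAME_PASSWORD_AUTH";

    // Submitted form field names (also reused as the "field" of field-scoped error messages).
    private static final String FORM_USERNAME = "username";
    private static final String FORM_PASSWORD = "password";
    private static final String FORM_REMEMBER_ME = "rememberMe";
    // Auth-session note / event detail recorded when "remember me" was requested.
    private static final String NOTE_REMEMBER_ME = "remember_me";
    // Event error ids emitted by this class.
    private static final String ERROR_USER_NOT_FOUND = "user_not_found";
    private static final String ERROR_USER_DISABLED = "user_disabled";
    private static final String ERROR_INVALID_USER_CREDENTIALS = "invalid_user_credentials";
    // Fixed input hashed when no real password check takes place (see dummyHash).
    private static final String DUMMY_PASSWORD = "SlightlyLongerDummyPassword";
    // Fallback hash settings used when the realm policy does not yield a usable provider.
    private static final String DEFAULT_DUMMY_HASH_ALGORITHM = "pbkdf2-sha512";
    private static final int DEFAULT_DUMMY_HASH_ITERATIONS = 210000;

    /**
     * No-op in this base class; it does not process form submissions itself.
     *
     * @param authenticationFlowContext current flow context (unused)
     */
    public void action(AuthenticationFlowContext authenticationFlowContext) {
        // intentionally empty
    }

    /**
     * Renders the login form, optionally with a form-wide error message.
     *
     * @param authenticationFlowContext current flow context
     * @param str error message key, or {@code null} for no error
     * @return the login form response
     */
    public Response challenge(AuthenticationFlowContext authenticationFlowContext, String str) {
        return challenge(authenticationFlowContext, str, null);
    }

    /**
     * Renders the login form bound to the current execution, optionally with an error.
     *
     * @param authenticationFlowContext current flow context
     * @param str error message key, or {@code null} for no error
     * @param str2 form field the error belongs to; {@code null} makes {@code str} a form-wide error
     * @return the login form response produced by {@link #createLoginForm(LoginFormsProvider)}
     */
    public Response challenge(AuthenticationFlowContext authenticationFlowContext, String str, String str2) {
        LoginFormsProvider form = authenticationFlowContext.form()
                .setExecution(authenticationFlowContext.getExecution().getId());
        if (str != null) {
            if (str2 != null) {
                // Field-scoped error: attached to the named form field rather than the whole form.
                form.addError(new FormMessage(str2, str));
            } else {
                form.setError(str);
            }
        }
        return createLoginForm(form);
    }

    /**
     * Creates the actual form response; the default is the combined username/password page.
     *
     * @param loginFormsProvider provider already configured by {@link #challenge}
     * @return the username/password login form
     */
    public Response createLoginForm(LoginFormsProvider loginFormsProvider) {
        return loginFormsProvider.createLoginUsernamePassword();
    }

    /**
     * Message key shown when the account is temporarily or permanently locked by brute-force
     * protection. Deliberately the same generic message as for an unknown user.
     *
     * @return message key for the brute-force challenge
     */
    protected String disabledByBruteForceError() {
        return Messages.INVALID_USER;
    }

    /**
     * Form field the brute-force error is attached to.
     *
     * @return the username field name
     */
    protected String disabledByBruteForceFieldError() {
        return FORM_USERNAME;
    }

    /**
     * Records an event error and fails the flow with a login form carrying the given message.
     *
     * @param authenticationFlowContext current flow context
     * @param str event error id
     * @param str2 form-wide error message key
     * @param authenticationFlowError flow error reported to the failure challenge
     * @return the form response passed to the failure challenge
     */
    protected Response setDuplicateUserChallenge(AuthenticationFlowContext authenticationFlowContext, String str, String str2, AuthenticationFlowError authenticationFlowError) {
        authenticationFlowContext.getEvent().error(str);
        Response form = authenticationFlowContext.form().setError(str2).createLoginUsernamePassword();
        authenticationFlowContext.failureChallenge(authenticationFlowError, form);
        return form;
    }

    /**
     * Hashes the fixed dummy password with the built-in fallback algorithm and iteration count.
     *
     * @param authenticationFlowContext current flow context, used to look up the hash provider
     */
    protected void runDefaultDummyHash(AuthenticationFlowContext authenticationFlowContext) {
        authenticationFlowContext.getSession()
                .getProvider(PasswordHashProvider.class, DEFAULT_DUMMY_HASH_ALGORITHM)
                .encode(DUMMY_PASSWORD, DEFAULT_DUMMY_HASH_ITERATIONS);
    }

    /**
     * Performs a throw-away password hash using the realm's configured algorithm and iteration
     * count, falling back to {@link #runDefaultDummyHash} when the realm has no password policy
     * or no provider exists for its algorithm. Called when no user was found, presumably so an
     * unknown-user attempt costs about as much as a real password check.
     *
     * @param authenticationFlowContext current flow context
     */
    protected void dummyHash(AuthenticationFlowContext authenticationFlowContext) {
        PasswordPolicy policy = authenticationFlowContext.getRealm().getPasswordPolicy();
        if (policy == null) {
            runDefaultDummyHash(authenticationFlowContext);
            return;
        }
        PasswordHashProvider hashProvider = authenticationFlowContext.getSession()
                .getProvider(PasswordHashProvider.class, policy.getHashAlgorithm());
        if (hashProvider == null) {
            runDefaultDummyHash(authenticationFlowContext);
        } else {
            hashProvider.encode(DUMMY_PASSWORD, policy.getHashIterations());
        }
    }

    /**
     * Fails the flow with a generic error when no user was resolved. Does nothing when
     * {@code userModel} is non-null.
     *
     * @param authenticationFlowContext current flow context
     * @param userModel the resolved user, or {@code null} if lookup failed
     */
    public void testInvalidUser(AuthenticationFlowContext authenticationFlowContext, UserModel userModel) {
        if (userModel == null) {
            dummyHash(authenticationFlowContext);
            authenticationFlowContext.getEvent().error(ERROR_USER_NOT_FOUND);
            authenticationFlowContext.failureChallenge(AuthenticationFlowError.INVALID_USER,
                    challenge(authenticationFlowContext, getDefaultChallengeMessage(authenticationFlowContext), FORM_USERNAME));
        }
    }

    /**
     * Checks that the user may log in: not locked by brute-force protection and enabled.
     * On failure the appropriate challenge has already been set on the context.
     *
     * @param authenticationFlowContext current flow context
     * @param userModel user to check (must be non-null)
     * @return {@code true} if the user may proceed
     */
    public boolean enabledUser(AuthenticationFlowContext authenticationFlowContext, UserModel userModel) {
        // Brute-force lock is checked first so a locked account is reported as such.
        if (isDisabledByBruteForce(authenticationFlowContext, userModel)) {
            return false;
        }
        if (userModel.isEnabled()) {
            return true;
        }
        authenticationFlowContext.getEvent().user(userModel);
        authenticationFlowContext.getEvent().error(ERROR_USER_DISABLED);
        authenticationFlowContext.forceChallenge(challenge(authenticationFlowContext, Messages.ACCOUNT_DISABLED));
        return false;
    }

    /**
     * Resolves the user, verifies the submitted password, then checks account state and
     * "remember me". Each step sets its own challenge on failure.
     *
     * @param authenticationFlowContext current flow context
     * @param multivaluedMap submitted form data
     * @return {@code true} if the user and password are both valid and the user was set on the context
     */
    public boolean validateUserAndPassword(AuthenticationFlowContext authenticationFlowContext, MultivaluedMap<String, String> multivaluedMap) {
        UserModel user = getUser(authenticationFlowContext, multivaluedMap);
        if (user == null) {
            return false;
        }
        // The user is only cleared on a bad password when it was resolved from this form,
        // not when an earlier step already fixed it.
        boolean clearUserOnFailure = !isUserAlreadySetBeforeUsernamePasswordAuth(authenticationFlowContext);
        return validatePassword(authenticationFlowContext, user, multivaluedMap, clearUserOnFailure)
                && validateUser(authenticationFlowContext, user, multivaluedMap);
    }

    /**
     * Resolves the user and checks account state and "remember me", without a password check.
     *
     * @param authenticationFlowContext current flow context
     * @param multivaluedMap submitted form data
     * @return {@code true} if the user was resolved, is allowed to log in and was set on the context
     */
    public boolean validateUser(AuthenticationFlowContext authenticationFlowContext, MultivaluedMap<String, String> multivaluedMap) {
        UserModel user = getUser(authenticationFlowContext, multivaluedMap);
        return user != null && validateUser(authenticationFlowContext, user, multivaluedMap);
    }

    /**
     * Returns the user fixed by an earlier step when the auth note says so, otherwise clears
     * any user on the context and looks the user up from the form.
     *
     * @return the user, or {@code null} after a failure challenge has been set
     */
    private UserModel getUser(AuthenticationFlowContext authenticationFlowContext, MultivaluedMap<String, String> multivaluedMap) {
        if (!isUserAlreadySetBeforeUsernamePasswordAuth(authenticationFlowContext)) {
            authenticationFlowContext.clearUser();
            return getUserFromForm(authenticationFlowContext, multivaluedMap);
        }
        UserModel presetUser = authenticationFlowContext.getUser();
        testInvalidUser(authenticationFlowContext, presetUser);
        return presetUser;
    }

    /**
     * Looks the user up by the submitted username (or email). Records the trimmed username
     * as an event detail and as the {@link #ATTEMPTED_USERNAME} auth note. A duplicate match
     * is reported as a username/email-in-use failure.
     *
     * @return the user, or {@code null} after a failure challenge has been set
     */
    private UserModel getUserFromForm(AuthenticationFlowContext authenticationFlowContext, MultivaluedMap<String, String> multivaluedMap) {
        String submitted = multivaluedMap.getFirst(FORM_USERNAME);
        if (submitted == null || submitted.isEmpty()) {
            authenticationFlowContext.getEvent().error(ERROR_USER_NOT_FOUND);
            authenticationFlowContext.failureChallenge(AuthenticationFlowError.INVALID_USER,
                    challenge(authenticationFlowContext, getDefaultChallengeMessage(authenticationFlowContext), FORM_USERNAME));
            return null;
        }
        String username = submitted.trim();
        authenticationFlowContext.getEvent().detail(FORM_USERNAME, username);
        authenticationFlowContext.getAuthenticationSession().setAuthNote(ATTEMPTED_USERNAME, username);
        UserModel found = null;
        try {
            found = KeycloakModelUtils.findUserByNameOrEmail(authenticationFlowContext.getSession(),
                    authenticationFlowContext.getRealm(), username);
            testInvalidUser(authenticationFlowContext, found);
            return found;
        } catch (ModelDuplicateException e) {
            ServicesLogger.LOGGER.modelDuplicateException(e);
            if ("email".equals(e.getDuplicateFieldName())) {
                setDuplicateUserChallenge(authenticationFlowContext, "email_in_use", Messages.EMAIL_EXISTS, AuthenticationFlowError.INVALID_USER);
            } else {
                setDuplicateUserChallenge(authenticationFlowContext, "username_in_use", Messages.USERNAME_EXISTS, AuthenticationFlowError.INVALID_USER);
            }
            return found;
        }
    }

    /**
     * Checks account state, records or clears the "remember me" note, and sets the user on
     * the context.
     *
     * @return {@code true} if the user may log in
     */
    private boolean validateUser(AuthenticationFlowContext authenticationFlowContext, UserModel userModel, MultivaluedMap<String, String> multivaluedMap) {
        if (!enabledUser(authenticationFlowContext, userModel)) {
            return false;
        }
        String rememberMe = multivaluedMap.getFirst(FORM_REMEMBER_ME);
        // "remember me" is honoured only when the realm allows it and the checkbox was sent as "on".
        boolean rememberMeRequested = authenticationFlowContext.getRealm().isRememberMe()
                && rememberMe != null && rememberMe.equalsIgnoreCase("on");
        if (rememberMeRequested) {
            authenticationFlowContext.getAuthenticationSession().setAuthNote(NOTE_REMEMBER_ME, "true");
            authenticationFlowContext.getEvent().detail(NOTE_REMEMBER_ME, "true");
        } else {
            authenticationFlowContext.getAuthenticationSession().removeAuthNote(NOTE_REMEMBER_ME);
        }
        authenticationFlowContext.setUser(userModel);
        return true;
    }

    /**
     * Verifies the submitted password against the user's credentials.
     * An empty password is rejected before the brute-force check and does not count as a
     * failed attempt (a forced challenge instead of a failure challenge); a wrong password
     * is only evaluated when the account is not locked.
     *
     * @param authenticationFlowContext current flow context
     * @param userModel user whose credentials are checked (must be non-null)
     * @param multivaluedMap submitted form data
     * @param z whether to clear the user from the context when the password is rejected
     * @return {@code true} if the password is valid; the {@code PASSWORD_VALIDATED} note is then set
     */
    public boolean validatePassword(AuthenticationFlowContext authenticationFlowContext, UserModel userModel, MultivaluedMap<String, String> multivaluedMap, boolean z) {
        String password = multivaluedMap.getFirst(FORM_PASSWORD);
        if (password == null || password.isEmpty()) {
            return badPasswordHandler(authenticationFlowContext, userModel, z, true);
        }
        if (isDisabledByBruteForce(authenticationFlowContext, userModel)) {
            return false;
        }
        // password is known to be non-empty here; the earlier duplicate null/empty check was dead code.
        if (!userModel.credentialManager().isValid(UserCredentialModel.password(password))) {
            return badPasswordHandler(authenticationFlowContext, userModel, z, false);
        }
        authenticationFlowContext.getAuthenticationSession().setAuthNote(AuthenticationManager.PASSWORD_VALIDATED, "true");
        return true;
    }

    /**
     * Reports an invalid-credentials event and re-renders the form with a password error.
     *
     * @param z whether to clear the user from the context afterwards
     * @param z2 {@code true} for an empty password (forced challenge, no flow failure),
     *           {@code false} for a wrong password (failure challenge with INVALID_CREDENTIALS)
     * @return always {@code false}
     */
    private boolean badPasswordHandler(AuthenticationFlowContext authenticationFlowContext, UserModel userModel, boolean z, boolean z2) {
        authenticationFlowContext.getEvent().user(userModel);
        authenticationFlowContext.getEvent().error(ERROR_INVALID_USER_CREDENTIALS);
        if (isUserAlreadySetBeforeUsernamePasswordAuth(authenticationFlowContext)) {
            // The user is fixed by an earlier step: only the password field is shown.
            LoginFormsProvider form = authenticationFlowContext.form();
            form.setAttribute("usernameHidden", true);
            form.setAttribute("registrationDisabled", true);
        }
        Response response = challenge(authenticationFlowContext, getDefaultChallengeMessage(authenticationFlowContext), FORM_PASSWORD);
        if (z2) {
            authenticationFlowContext.forceChallenge(response);
        } else {
            authenticationFlowContext.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, response);
        }
        if (z) {
            authenticationFlowContext.clearUser();
        }
        return false;
    }

    /**
     * Checks brute-force protection for the user and, if locked, records the event error and
     * forces a challenge with the generic brute-force message.
     *
     * @param authenticationFlowContext current flow context
     * @param userModel user to check
     * @return {@code true} if the user is currently locked
     */
    protected boolean isDisabledByBruteForce(AuthenticationFlowContext authenticationFlowContext, UserModel userModel) {
        String bruteForceError = AuthenticatorUtils.getDisabledByBruteForceEventError(authenticationFlowContext, userModel);
        if (bruteForceError == null) {
            return false;
        }
        authenticationFlowContext.getEvent().user(userModel);
        authenticationFlowContext.getEvent().error(bruteForceError);
        authenticationFlowContext.forceChallenge(
                challenge(authenticationFlowContext, disabledByBruteForceError(), disabledByBruteForceFieldError()));
        return true;
    }

    /**
     * Generic error message for a failed attempt: "invalid password" when the user was fixed
     * by an earlier step (the username is already known), otherwise "invalid user" so that a
     * wrong password and an unknown user look the same.
     *
     * @param authenticationFlowContext current flow context
     * @return the message key
     */
    protected String getDefaultChallengeMessage(AuthenticationFlowContext authenticationFlowContext) {
        return isUserAlreadySetBeforeUsernamePasswordAuth(authenticationFlowContext)
                ? Messages.INVALID_PASSWORD
                : Messages.INVALID_USER;
    }

    /**
     * Reads the {@link #USER_SET_BEFORE_USERNAME_PASSWORD_AUTH} auth note.
     *
     * @param authenticationFlowContext current flow context
     * @return {@code true} only when the note parses as {@code true}; a missing note is {@code false}
     */
    protected boolean isUserAlreadySetBeforeUsernamePasswordAuth(AuthenticationFlowContext authenticationFlowContext) {
        String note = authenticationFlowContext.getAuthenticationSession().getAuthNote(USER_SET_BEFORE_USERNAME_PASSWORD_AUTH);
        return Boolean.parseBoolean(note);
    }
}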
