package org.keycloak.authentication.authenticators.challenge;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.CredentialValidator;
import org.keycloak.credential.CredentialModel;
import org.keycloak.credential.CredentialProvider;
import org.keycloak.credential.OTPCredentialProvider;
import org.keycloak.credential.OTPCredentialProviderFactory;
import org.keycloak.events.Errors;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.messages.Messages;

/* loaded from: input_file:BOOT-INF/lib/keycloak-services-11.0.2.jar:org/keycloak/authentication/authenticators/challenge/BasicAuthOTPAuthenticator.class */
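/**
 * Basic-auth authenticator whose password field carries the account password immediately
 * followed by the one-time password (OTP).
 *
 * <p>The split point comes from the realm OTP policy: the last {@code getDigits()} characters of
 * the submitted secret are taken as the OTP and everything before them as the password. The
 * password is checked first, and the OTP is only evaluated when that check succeeds.
 *
 * <p>This listing is JADX decompiler output. Parameter names such as {@code strArr} and the
 * {@code getCredentialProvider2} method name are decompiler artifacts and are kept so the class
 * still lines up with the rest of the decompiled tree.
 */
public class BasicAuthOTPAuthenticator extends BasicAuthAuthenticator implements Authenticator, CredentialValidator<OTPCredentialProvider> {
    /**
     * Splits the submitted secret into password and OTP and validates both.
     *
     * @param authenticationFlowContext current flow context; supplies the realm OTP policy
     * @param strArr parsed credentials: index 0 is passed on as the username, index 1 is the
     *     password with the OTP appended. The array is parsed outside this class and is assumed
     *     to hold at least two non-null entries (confirm against the caller).
     * @return {@code true} only when both the password check and the OTP check succeed
     */
    @Override // org.keycloak.authentication.authenticators.challenge.BasicAuthAuthenticator
    protected boolean onAuthenticate(AuthenticationFlowContext authenticationFlowContext, String[] strArr) {
        String str = strArr[0];
        String str2 = strArr[1];
        int digits = authenticationFlowContext.getRealm().getOTPPolicy().getDigits();
        // Too short to contain an OTP at all.
        // NOTE(review): this branch returns without recording an event or setting an outcome on
        // the flow context; confirm the caller handles a bare false.
        if (str2.length() < digits) {
            return false;
        }
        // Everything before the trailing OTP digits is the password.
        int otpStart = str2.length() - digits;
        String substring = str2.substring(0, otpStart);
        // Short-circuit on purpose: the OTP is never evaluated for a wrong password.
        return checkUsernameAndPassword(authenticationFlowContext, str, substring)
                && checkOtp(authenticationFlowContext, str2.substring(otpStart));
    }

    /**
     * Validates the OTP against the user's default OTP credential.
     *
     * <p>On failure the login event is marked {@code Errors.INVALID_USER_CREDENTIALS}; a
     * non-required execution is then reported as attempted, while a required one gets a failure
     * challenge carrying {@code Messages.INVALID_TOTP}. A user without a default OTP credential
     * takes the same failure path instead of triggering a {@code NullPointerException}.
     *
     * @param authenticationFlowContext current flow context (session, realm, user, event, execution)
     * @param str the OTP characters cut from the end of the submitted secret
     * @return {@code true} if the credential provider accepts the OTP
     */
    private boolean checkOtp(AuthenticationFlowContext authenticationFlowContext, String str) {
        KeycloakSession session = authenticationFlowContext.getSession();
        RealmModel realm = authenticationFlowContext.getRealm();
        UserModel user = authenticationFlowContext.getUser();
        // Resolve the provider once instead of once per use.
        OTPCredentialProvider provider = getCredentialProvider2(session);

        // NOTE(review): getDefaultCredential's contract is not visible in this file. The guard
        // assumes it yields null when the user has no stored OTP credential; in that case the
        // check fails closed and is audited like any other bad OTP.
        CredentialModel defaultCredential = provider.getDefaultCredential(session, realm, user);
        if (defaultCredential != null
                && provider.isValid(realm, user, new UserCredentialModel(defaultCredential.getId(), provider.getType(), str))) {
            return true;
        }

        authenticationFlowContext.getEvent().user(user).error(Errors.INVALID_USER_CREDENTIALS);
        if (!authenticationFlowContext.getExecution().isRequired()) {
            // Non-required execution: report the attempt and let the flow decide what runs next.
            authenticationFlowContext.attempted();
            return false;
        }
        authenticationFlowContext.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challenge(authenticationFlowContext, Messages.INVALID_TOTP));
        return false;
    }

    /**
     * Reports whether the user has this authenticator's credential type set up, by delegating to
     * the OTP credential provider's {@code isConfiguredFor}.
     *
     * @param keycloakSession session used to look up the OTP credential provider
     * @param realmModel realm the user belongs to
     * @param userModel user to inspect
     * @return the provider's answer for this realm and user
     */
    @Override // org.keycloak.authentication.authenticators.challenge.BasicAuthAuthenticator, org.keycloak.authentication.Authenticator
    public boolean configuredFor(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
        return getCredentialProvider2(keycloakSession).isConfiguredFor(realmModel, userModel);
    }

    /**
     * Looks up the OTP credential provider registered under
     * {@code OTPCredentialProviderFactory.PROVIDER_ID} in the given session.
     *
     * @param keycloakSession session to resolve the provider from
     * @return the session's provider, cast to {@code OTPCredentialProvider}
     */
    /* JADX WARN: Can't rename method to resolve collision */
    @Override // org.keycloak.authentication.CredentialValidator
    /* renamed from: getCredentialProvider */
    public OTPCredentialProvider getCredentialProvider2(KeycloakSession keycloakSession) {
        return (OTPCredentialProvider) keycloakSession.getProvider(CredentialProvider.class, OTPCredentialProviderFactory.PROVIDER_ID);
    }
}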
