package de.governikus.autent.eudiwallet.keycloak.provider.authflow;

import de.governikus.autent.eudiwallet.keycloak.constants.Constants;
import de.governikus.autent.eudiwallet.keycloak.constants.StaticContext;
import de.governikus.autent.eudiwallet.keycloak.constants.UtilityMethods;
import de.governikus.autent.eudiwallet.keycloak.database.RetryCounterEntity;
import de.governikus.autent.eudiwallet.keycloak.database.RetryCounterRepository;
import de.governikus.autent.eudiwallet.keycloak.endpoints.credentialendpoints.AbstractCredentialEndpoint;
import de.governikus.autent.eudiwallet.keycloak.models.ProofOfPossessionDetails;
import de.governikus.autent.eudiwallet.keycloak.provider.credentialbuilder.OpenId4VciCredentialBuilderProvider;
import jakarta.ws.rs.BadRequestException;
import jakarta.ws.rs.core.MultivaluedMap;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Optional;
import java.util.function.Function;
import org.apache.commons.lang3.StringUtils;
import org.keycloak.Config;
import org.keycloak.TokenVerifier;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.common.VerificationException;
import org.keycloak.jose.jwk.JWK;
import org.keycloak.jose.jws.crypto.HashUtils;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/governikus/autent/eudiwallet/keycloak/provider/authflow/CredentialAuthenticator.class */
public class CredentialAuthenticator implements Authenticator, AuthenticatorFactory {
    private static final Logger log = LoggerFactory.getLogger(CredentialAuthenticator.class);
    public static final String PROVIDER_ID = "credential-authentication-flow";

    public void authenticate(AuthenticationFlowContext authenticationFlowContext) {
        log.debug("Trying to authenticate wallet by credential");
        KeycloakSession session = authenticationFlowContext.getSession();
        JWK verifyRequestParams = verifyRequestParams(authenticationFlowContext.getSession());
        MultivaluedMap decodedFormParameters = authenticationFlowContext.getHttpRequest().getDecodedFormParameters();
        String str = (String) Optional.ofNullable((String) decodedFormParameters.getFirst("seed_credential")).orElse((String) decodedFormParameters.getFirst(Constants.ProtocolAttributes.CREDENTIAL_PARAM_NAME));
        Optional<RetryCounterEntity> retryCounter = RetryCounterRepository.getRetryCounter(session, HashUtils.encodeHashToOIDC(HashUtils.hash(Constants.RETRY_COUNTER_MESSAGE_DIGEST_ALGORITHM, str.getBytes(StandardCharsets.UTF_8)), true));
        if (retryCounter.isEmpty()) {
            log.info("Unknown credential. Not registered within the database.");
            authenticationFlowContext.failure(AuthenticationFlowError.INVALID_CREDENTIALS);
            return;
        }
        RetryCounterEntity retryCounterEntity = retryCounter.get();
        log.debug("Credential is unknown and cannot be verified");
        if (retryCounterEntity.getRetryCounter() >= 3) {
            log.info("Maximum number of retries exceeded. Credential is disabled");
            authenticationFlowContext.failure(AuthenticationFlowError.USER_DISABLED);
            return;
        }
        if (!StringUtils.equals(HashUtils.encodeHashToOIDC(HashUtils.hash(Constants.RETRY_COUNTER_MESSAGE_DIGEST_ALGORITHM, UtilityMethods.getPublicKeyFromJwk(verifyRequestParams).getEncoded()), true), retryCounterEntity.getPinDerivedEphPublicDigest())) {
            log.info("Invalid Pin detected. Increasing retry counter by 1.");
            retryCounterEntity.increaseByOne();
            authenticationFlowContext.failure(AuthenticationFlowError.INVALID_CREDENTIALS);
            return;
        }
        UserModel parseCredential = OpenId4VciCredentialBuilderProvider.parseCredential(session, str);
        if (parseCredential == null) {
            log.info("Credential could not be parsed.");
            authenticationFlowContext.failure(AuthenticationFlowError.UNKNOWN_USER);
        } else {
            retryCounterEntity.resetRetryCounter();
            authenticationFlowContext.setUser(parseCredential);
            authenticationFlowContext.success();
        }
    }

    private JWK verifyRequestParams(KeycloakSession keycloakSession) {
        MultivaluedMap<String, String> decodedFormParameters = keycloakSession.getContext().getHttpRequest().getDecodedFormParameters();
        ProofOfPossessionDetails validateProofOfPossession = validateProofOfPossession(keycloakSession, decodedFormParameters, "pin_derived_eph_key_pop", Constants.ProtocolAttributes.DEVICE_KEY_PUB);
        validateProofOfPossession.isCrossProofOfPossessionKeyRefEquals(validateProofOfPossession(keycloakSession, decodedFormParameters, Constants.ProtocolAttributes.DEV_KEY_POP, Constants.ProtocolAttributes.PIN_DERIVED_EPH_PUB));
        return validateProofOfPossession.getHeaderKey();
    }

    private ProofOfPossessionDetails validateProofOfPossession(KeycloakSession keycloakSession, MultivaluedMap<String, String> multivaluedMap, String str, String str2) {
        String str3 = (String) multivaluedMap.getFirst(str);
        if (StringUtils.isBlank(str3)) {
            throw new BadRequestException(String.format("Missing required parameter '%s'", str));
        }
        try {
            ProofOfPossessionDetails parseAndVerify = ProofOfPossessionDetails.parseAndVerify(keycloakSession, str3, new TokenVerifier.Predicate[]{new TokenVerifier.AudienceCheck(StaticContext.getIssuer(keycloakSession)), new AbstractCredentialEndpoint.ProofOfPossessionLifetimeVerifier(), new AbstractCredentialEndpoint.ProofOfPossessionComparisonVerifier(Constants.ProtocolAttributes.SESSION_ID, (Function<String, Boolean>) str4 -> {
                return Boolean.valueOf(keycloakSession.singleUseObjects().get(str4) != null);
            }), new AbstractCredentialEndpoint.ProofOfPossessionBodyKeyPresentVerifier(str2)});
            parseAndVerify.extractBodyKey(str2);
            return parseAndVerify;
        } catch (VerificationException e) {
            throw new BadRequestException(e.getMessage());
        }
    }

    public void action(AuthenticationFlowContext authenticationFlowContext) {
    }

    public boolean requiresUser() {
        return false;
    }

    public boolean configuredFor(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
        return true;
    }

    public void setRequiredActions(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
    }

    public String getDisplayType() {
        return "Seed Credential Authenticator";
    }

    public String getReferenceCategory() {
        return null;
    }

    public boolean isConfigurable() {
        return false;
    }

    public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
        return new AuthenticationExecutionModel.Requirement[]{AuthenticationExecutionModel.Requirement.REQUIRED};
    }

    public boolean isUserSetupAllowed() {
        return false;
    }

    public String getHelpText() {
        return String.format("Used as authentication for the grant_type '%s'.", "urn:ietf:params:oauth:grant-type:seed_credential");
    }

    public List<ProviderConfigProperty> getConfigProperties() {
        return null;
    }

    /* renamed from: create, reason: merged with bridge method [inline-methods] */
    public Authenticator m107create(KeycloakSession keycloakSession) {
        return new CredentialAuthenticator();
    }

    public void init(Config.Scope scope) {
    }

    public void postInit(KeycloakSessionFactory keycloakSessionFactory) {
    }

    public void close() {
    }

    public String getId() {
        return "credential-authentication-flow";
    }
}
