package org.keycloak.policy;

import java.time.Duration;
import org.jboss.logging.Logger;
import org.keycloak.common.util.Time;
import org.keycloak.credential.hash.PasswordHashProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.credential.PasswordCredentialModel;

/* loaded from: input_file:org/keycloak/policy/AgePasswordPolicyProvider.class */
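/**
 * Password policy that rejects a new password when it matches the user's current password or a
 * password-history entry created within the configured number of days.
 *
 * <p>Candidate passwords are only ever compared through a {@link PasswordHashProvider}; the
 * plaintext candidate is never logged or stored by this class.
 */
public class AgePasswordPolicyProvider implements PasswordPolicyProvider {
    private static final String ERROR_MESSAGE = "invalidPasswordGenericMessage";
    private static final String POLICY_ID = "passwordAge";
    private static final String CURRENT_PASSWORD_TYPE = "password";
    private static final String PASSWORD_HISTORY_TYPE = "password-history";
    public static final Logger logger = Logger.getLogger(AgePasswordPolicyProvider.class);
    private final KeycloakSession session;

    /**
     * @param keycloakSession session used to resolve the realm, the user store and hash providers
     */
    public AgePasswordPolicyProvider(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
    }

    /**
     * Looks the user up by username in the session's current realm and delegates to
     * {@link #validate(RealmModel, UserModel, String)}.
     *
     * @param str username to look up
     * @param str2 candidate password
     * @return a {@link PolicyError} when the candidate violates the policy, otherwise {@code null}
     */
    public PolicyError validate(String str, String str2) {
        RealmModel realm = this.session.getContext().getRealm();
        UserModel user = this.session.users().getUserByUsername(realm, str);
        return validate(realm, user, str2);
    }

    /**
     * Checks the candidate password against the user's current password and, when the configured
     * age is positive, against password-history entries newer than that many days.
     *
     * @param realmModel realm supplied by the caller
     * @param userModel user whose stored credentials are checked; may be {@code null}
     * @param str candidate password
     * @return a {@link PolicyError} when the candidate matches a stored credential covered by the
     *     policy, otherwise {@code null}
     */
    public PolicyError validate(RealmModel realmModel, UserModel userModel, String str) {
        // NOTE(review): the policy is read from the session's context realm, not from realmModel;
        // confirm the two are always the same realm.
        int maxAgeDays = ((Integer) this.session.getContext().getRealm().getPasswordPolicy().getPolicyConfig(POLICY_ID)).intValue();
        if (maxAgeDays == -1) {
            return null;
        }
        if (userModel == null) {
            // The username overload passes the lookup result straight through. An unknown user has
            // no stored credentials to compare against, so there is nothing to reject.
            return null;
        }

        // Reusing the current password is rejected for every configured age, including 0.
        boolean matchesCurrent = userModel.credentialManager()
                .getStoredCredentialsByTypeStream(CURRENT_PASSWORD_TYPE)
                .map(PasswordCredentialModel::createFromCredentialModel)
                .anyMatch(stored -> matchesStoredPassword(str, stored));
        if (matchesCurrent) {
            return new PolicyError(ERROR_MESSAGE, new Object[]{maxAgeDays});
        }

        if (maxAgeDays <= 0) {
            return null;
        }

        // History entries created after this instant are still inside the policy window.
        final long cutoffMillis = Time.currentTimeMillis() - Duration.ofDays(maxAgeDays).toMillis();
        // NOTE(review): getCreatedDate() is unboxed below; confirm history entries always carry
        // a creation date.
        boolean matchesRecentHistory = userModel.credentialManager()
                .getStoredCredentialsByTypeStream(PASSWORD_HISTORY_TYPE)
                .filter(entry -> entry.getCreatedDate().longValue() > cutoffMillis)
                .map(PasswordCredentialModel::createFromCredentialModel)
                .anyMatch(stored -> matchesStoredPassword(str, stored));
        if (matchesRecentHistory) {
            return new PolicyError(ERROR_MESSAGE, new Object[]{maxAgeDays});
        }
        return null;
    }

    /**
     * Verifies the candidate against one stored credential using the hash provider named by that
     * credential.
     *
     * <p>A credential whose hash provider is not available cannot be verified and is treated as a
     * non-match. That case is logged because it means the reuse check did not cover the entry.
     */
    private boolean matchesStoredPassword(String candidate, PasswordCredentialModel stored) {
        String algorithm = stored.getPasswordCredentialData().getAlgorithm();
        PasswordHashProvider hashProvider = this.session.getProvider(PasswordHashProvider.class, algorithm);
        if (hashProvider == null) {
            logger.warnf("No PasswordHashProvider available for algorithm '%s'; stored credential skipped by password age check", algorithm);
            return false;
        }
        return hashProvider.verify(candidate, stored);
    }

    /**
     * Parses the policy's configured value as an integer number of days, falling back to
     * {@code AgePasswordPolicyProviderFactory.DEFAULT_AGE_DAYS}.
     *
     * @param str raw configuration value
     * @return the result of {@code parseInteger} for the given value and default
     */
    public Object parseConfig(String str) {
        return parseInteger(str, AgePasswordPolicyProviderFactory.DEFAULT_AGE_DAYS);
    }

    /** Releases nothing; this provider holds no resources of its own. */
    public void close() {
    }
}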
