package org.keycloak.credential;

import com.webauthn4j.WebAuthnAuthenticationManager;
import com.webauthn4j.authenticator.AuthenticatorImpl;
import com.webauthn4j.converter.util.ObjectConverter;
import com.webauthn4j.data.AuthenticationData;
import com.webauthn4j.data.AuthenticationParameters;
import com.webauthn4j.data.attestation.authenticator.AAGUID;
import com.webauthn4j.data.attestation.authenticator.AttestedCredentialData;
import com.webauthn4j.data.client.CollectedClientData;
import com.webauthn4j.data.client.Origin;
import com.webauthn4j.server.ServerProperty;
import com.webauthn4j.util.AssertUtil;
import com.webauthn4j.util.exception.WebAuthnException;
import com.webauthn4j.validator.OriginValidatorImpl;
import com.webauthn4j.validator.exception.BadOriginException;
import jakarta.annotation.Nonnull;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import org.jboss.logging.Logger;
import org.keycloak.authentication.requiredactions.WebAuthnRegisterFactory;
import org.keycloak.common.util.Base64;
import org.keycloak.common.util.Time;
import org.keycloak.credential.CredentialTypeMetadata;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.WebAuthnPolicy;
import org.keycloak.models.credential.WebAuthnCredentialModel;
import org.keycloak.models.credential.dto.WebAuthnCredentialData;

/* loaded from: input_file:org/keycloak/credential/WebAuthnCredentialProvider.class */
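/**
 * Credential provider and input validator for WebAuthn credentials (security keys / passkeys).
 *
 * <p>Persisted credentials live in a {@link WebAuthnCredentialModel}; for signature verification
 * they are converted into a {@link WebAuthnCredentialModelInput}, the shape the webauthn4j
 * {@link WebAuthnAuthenticationManager} works with. {@link #isValid} matches an incoming
 * assertion against every stored WebAuthn credential of the user by credential id and lets
 * webauthn4j verify signature, challenge, origin, rpId, user verification and signature counter.
 */
public class WebAuthnCredentialProvider implements CredentialProvider<WebAuthnCredentialModel>, CredentialInputValidator {
    private static final Logger logger = Logger.getLogger(WebAuthnCredentialProvider.class);
    private final KeycloakSession session;
    private final CredentialPublicKeyConverter credentialPublicKeyConverter;
    // Not referenced by any method of this class; kept so the field layout stays as before.
    private final AttestationStatementConverter attestationStatementConverter;

    /**
     * @param keycloakSession current session; also used to resolve the realm's {@link WebAuthnPolicy}
     * @param objectConverter webauthn4j converter shared by both attribute converters
     */
    public WebAuthnCredentialProvider(KeycloakSession keycloakSession, ObjectConverter objectConverter) {
        this.session = keycloakSession;
        // The fields were always null at this point, so the former null-guards were dead code.
        this.credentialPublicKeyConverter = new CredentialPublicKeyConverter(objectConverter);
        this.attestationStatementConverter = new AttestationStatementConverter(objectConverter);
    }

    /**
     * Stores a new WebAuthn credential for the user, stamping the creation time if the caller
     * did not set one.
     *
     * @return the stored credential as returned by the user's credential manager
     */
    @Override
    public CredentialModel createCredential(RealmModel realmModel, UserModel userModel, WebAuthnCredentialModel webAuthnCredentialModel) {
        if (webAuthnCredentialModel.getCreatedDate() == null) {
            webAuthnCredentialModel.setCreatedDate(Time.currentTimeMillis());
        }
        return userModel.credentialManager().createStoredCredential(webAuthnCredentialModel);
    }

    /**
     * Removes the stored credential with the given database id.
     *
     * @param str database id of the credential to remove
     * @return whether the credential manager reported a removal
     */
    @Override
    public boolean deleteCredential(RealmModel realmModel, UserModel userModel, String str) {
        logger.debugv("Delete WebAuthn credential. username = {0}, credentialId = {1}", userModel.getUsername(), str);
        return userModel.credentialManager().removeStoredCredentialById(str);
    }

    /** Wraps a generic stored credential as a typed WebAuthn credential model. */
    @Override
    public WebAuthnCredentialModel getCredentialFromModel(CredentialModel credentialModel) {
        return WebAuthnCredentialModel.createFromCredentialModel(credentialModel);
    }

    /**
     * Decompiler-renamed alias of {@link #getCredentialFromModel(CredentialModel)}, retained so
     * any caller compiled against that name keeps working.
     */
    public WebAuthnCredentialModel m205getCredentialFromModel(CredentialModel credentialModel) {
        return getCredentialFromModel(credentialModel);
    }

    /**
     * Builds the persisted form of a freshly registered credential.
     *
     * @param credentialInput registration data; must be a {@link WebAuthnCredentialModelInput}
     * @param str user-visible label for the credential
     * @return the model to store, or {@code null} if the input is not of this provider's type
     */
    public WebAuthnCredentialModel getCredentialModelFromCredentialInput(CredentialInput credentialInput, String str) {
        if (!supportsCredentialType(credentialInput.getType())) {
            return null;
        }
        WebAuthnCredentialModelInput input = (WebAuthnCredentialModelInput) credentialInput;
        AttestedCredentialData attested = input.getAttestedCredentialData();
        Set<String> transports = input.getTransports().stream()
                .map(transport -> transport.getValue())
                .collect(Collectors.toSet());
        WebAuthnCredentialModel model = WebAuthnCredentialModel.create(
                getType(),
                str,
                attested.getAaguid().toString(),
                Base64.encodeBytes(attested.getCredentialId()),
                (String) null,
                this.credentialPublicKeyConverter.convertToDatabaseColumn(attested.getCOSEKey()),
                input.getCount(),
                input.getAttestationStatementFormat(),
                transports);
        model.setId(input.getCredentialDBId());
        return model;
    }

    /**
     * Converts a stored credential into the webauthn4j-facing form used for verification.
     *
     * <p>If the stored credential id is not valid Base64 the entry is kept with a {@code null}
     * credential id (it can then never match an assertion) rather than failing the whole
     * lookup, so one corrupt row does not lock the user out of their other credentials.
     */
    private WebAuthnCredentialModelInput getCredentialInputFromCredentialModel(CredentialModel credentialModel) {
        WebAuthnCredentialData data = getCredentialFromModel(credentialModel).getWebAuthnCredentialData();
        WebAuthnCredentialModelInput input = new WebAuthnCredentialModelInput(getType());
        byte[] credentialId = null;
        try {
            credentialId = Base64.decode(data.getCredentialId());
        } catch (IOException e) {
            // Previously swallowed silently; a corrupt row is worth an operator-visible warning.
            logger.warnv(e, "Stored WebAuthn credential id is not valid Base64; credential will never match. credentialDBId = {0}", credentialModel.getId());
        }
        input.setAttestedCredentialData(new AttestedCredentialData(
                new AAGUID(data.getAaguid()),
                credentialId,
                this.credentialPublicKeyConverter.convertToEntityAttribute(data.getCredentialPublicKey())));
        input.setCount(data.getCounter());
        input.setCredentialDBId(credentialModel.getId());
        input.setAttestationStatementFormat(data.getAttestationStatementFormat());
        return input;
    }

    @Override
    public boolean supportsCredentialType(String str) {
        return getType().equals(str);
    }

    /** True when the type is WebAuthn and the user has at least one stored WebAuthn credential. */
    @Override
    public boolean isConfiguredFor(RealmModel realmModel, UserModel userModel, String str) {
        return supportsCredentialType(str)
                && userModel.credentialManager().getStoredCredentialsByTypeStream(str).findAny().isPresent();
    }

    /**
     * Verifies a WebAuthn assertion against the user's stored credentials.
     *
     * <p>The assertion's credential id selects the stored credential; webauthn4j then verifies the
     * assertion with the stored public key, the server properties carried in the input and the
     * stored signature counter. On success the stored counter is advanced and {@code true} is
     * returned. If no stored credential has the requested id, {@code false} is returned.
     *
     * @throws WebAuthnException when the matching credential fails verification (signature,
     *         challenge, origin, rpId, user verification or signature counter); the exception is
     *         logged at debug level and rethrown for the caller to turn into an auth failure
     */
    @Override
    public boolean isValid(RealmModel realmModel, UserModel userModel, CredentialInput credentialInput) {
        if (!(credentialInput instanceof WebAuthnCredentialModelInput)) {
            return false;
        }
        WebAuthnCredentialModelInput context = (WebAuthnCredentialModelInput) credentialInput;
        List<WebAuthnCredentialModelInput> storedCredentials = getWebAuthnCredentialModelList(realmModel, userModel);
        WebAuthnAuthenticationManager manager = getWebAuthnAuthenticationManager();
        try {
            for (WebAuthnCredentialModelInput stored : storedCredentials) {
                if (!Arrays.equals(stored.getAttestedCredentialData().getCredentialId(), context.getAuthenticationRequest().getCredentialId())) {
                    continue;
                }
                AuthenticatorImpl authenticator = new AuthenticatorImpl(
                        stored.getAttestedCredentialData(),
                        stored.getAttestationStatement(),
                        stored.getCount());
                AuthenticationData authenticationData = manager.parse(context.getAuthenticationRequest());
                AuthenticationParameters parameters = new AuthenticationParameters(
                        context.getAuthenticationParameters().getServerProperty(),
                        authenticator,
                        context.getAuthenticationParameters().isUserVerificationRequired());
                // Throws a WebAuthnException subtype on any verification failure.
                manager.validate(authenticationData, parameters);
                logger.debugv("response.getAuthenticatorData().getFlags() = {0}", Byte.valueOf(authenticationData.getAuthenticatorData().getFlags()));

                WebAuthnCredentialModel credential = getCredentialFromModel(
                        userModel.credentialManager().getStoredCredentialById(stored.getCredentialDBId()));
                long storedCount = stored.getCount();
                long signCount = authenticationData.getAuthenticatorData().getSignCount();
                // Persist the authenticator's reported signCount (WebAuthn "verifying an assertion",
                // signature counter step) rather than storedCount + 1: the stored value is the floor the
                // next assertion is checked against, so keeping it at the real counter is what lets a
                // cloned authenticator replaying a lower count be detected. webauthn4j's validator is
                // assumed to have already rejected signCount <= storedCount when either is non-zero
                // (MaliciousCounterValueException) — verify against the webauthn4j version in use; the
                // remaining no-update case is an authenticator that reports 0 because it does not count.
                if (signCount > storedCount) {
                    credential.updateCounter(signCount);
                    userModel.credentialManager().updateStoredCredential(credential);
                }
                logger.debugf("Successfully validated WebAuthn credential for user %s", userModel.getUsername());
                dumpCredentialModel(credential, stored);
                return true;
            }
            return false;
        } catch (WebAuthnException e) {
            // Replaces printStackTrace(): keep the cause in the application log and let the caller decide.
            logger.debugv(e, "WebAuthn assertion verification failed for user {0}", userModel.getUsername());
            throw e;
        }
    }

    /**
     * Creates an authentication manager whose origin check accepts the server's own origins plus the
     * realm policy's configured extra origins (exact match on each, no wildcards).
     */
    protected WebAuthnAuthenticationManager getWebAuthnAuthenticationManager() {
        Set<Origin> extraOrigins = getWebAuthnPolicy().getExtraOrigins().stream()
                .map(Origin::new)
                .collect(Collectors.toSet());
        WebAuthnAuthenticationManager manager = new WebAuthnAuthenticationManager();
        manager.getAuthenticationDataValidator().setOriginValidator(new OriginValidatorImpl() {
            @Override
            protected void validate(@Nonnull CollectedClientData collectedClientData, @Nonnull ServerProperty serverProperty) {
                AssertUtil.notNull(collectedClientData, "collectedClientData must not be null");
                AssertUtil.notNull(serverProperty, "serverProperty must not be null");
                Origin origin = collectedClientData.getOrigin();
                boolean allowed = serverProperty.getOrigins().contains(origin) || extraOrigins.contains(origin);
                if (!allowed) {
                    throw new BadOriginException("The collectedClientData '" + origin + "' origin doesn't match any of the preconfigured origins.");
                }
            }
        });
        return manager;
    }

    /** WebAuthn policy of the realm in the current session context. */
    protected WebAuthnPolicy getWebAuthnPolicy() {
        return this.session.getContext().getRealm().getWebAuthnPolicy();
    }

    @Override
    public String getType() {
        return "webauthn";
    }

    /** All stored WebAuthn credentials of the user, converted to the verification form. */
    private List<WebAuthnCredentialModelInput> getWebAuthnCredentialModelList(RealmModel realmModel, UserModel userModel) {
        return userModel.credentialManager()
                .getStoredCredentialsByTypeStream(getType())
                .map(this::getCredentialInputFromCredentialModel)
                .collect(Collectors.toList());
    }

    /** Logs the persisted and the in-context credential at debug level. */
    public void dumpCredentialModel(WebAuthnCredentialModel webAuthnCredentialModel, WebAuthnCredentialModelInput webAuthnCredentialModelInput) {
        if (logger.isDebugEnabled()) {
            logger.debug("  Persisted Credential Info::");
            logger.debug(webAuthnCredentialModel);
            logger.debug("  Context Credential Info::");
            logger.debug(webAuthnCredentialModelInput);
        }
    }

    /** Describes this credential type for the account console (second-factor category, removable). */
    @Override
    public CredentialTypeMetadata getCredentialTypeMetadata(CredentialTypeMetadataContext credentialTypeMetadataContext) {
        return CredentialTypeMetadata.builder()
                .type(getType())
                .category(CredentialTypeMetadata.Category.TWO_FACTOR)
                .displayName("webauthn-display-name")
                .helpText("webauthn-help-text")
                .iconCssClass("kcAuthenticatorWebAuthnClass")
                .createAction(WebAuthnRegisterFactory.PROVIDER_ID)
                .removeable(true)
                .build(this.session);
    }

    /** Session this provider was created with. Declared protected in the original source per the decompiler. */
    public KeycloakSession getKeycloakSession() {
        return this.session;
    }
}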
