package org.keycloak.authentication.user.authenticators;

import java.time.Instant;
import java.util.Date;
import net.interus.keycloak.phone.authenticators.BaseDirectGrantAuthenticator;
import org.jboss.logging.Logger;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.user.UserRegisteredAttributes;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialProvider;
import org.keycloak.credential.PasswordCredentialProvider;
import org.keycloak.events.EventType;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.credential.PasswordCredentialModel;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.UserSessionManager;
import org.keycloak.services.validation.Validation;

/* loaded from: input_file:org/keycloak/authentication/user/authenticators/SimplePasswordDeregistration.class */
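/**
 * Direct-grant authenticator that de-registers (retires) the authenticated user's account once
 * the caller has proven knowledge of the user's current password.
 *
 * <p>On success the stored password credential is deleted, the username is suffixed with a
 * de-registration marker, the registration and phone attributes are removed, the account is
 * disabled, and the user's online and offline sessions are ended.
 *
 * <p>NOTE(review): the provider description calls this a six digit password, so the secret has a
 * small keyspace and is the only proof required for an irreversible account change. Whether the
 * inherited {@code invalidUserCredentials} helper feeds failed attempts into the realm's
 * brute-force protection is not visible in this file; confirm it does.
 */
public class SimplePasswordDeregistration extends BaseDirectGrantAuthenticator {
    public static final String PROVIDER_ID = "simple-password-deregister";
    private static final Logger logger = Logger.getLogger(SimplePasswordDeregistration.class);

    /** Registers the authenticator under {@link #PROVIDER_ID} with its display name and help text. */
    public SimplePasswordDeregistration() {
        super(PROVIDER_ID, "[Dozn] Simple password de-registration", "Deregister the six digit password supplied as a 'password' form parameter in direct grant request");
    }

    /**
     * Validates the submitted password and, if it matches, retires the account.
     *
     * <p>Every rejection path switches the event type to {@code DELETE_ACCOUNT_ERROR} and then
     * delegates to one of the inherited {@code invalid*} helpers; the flow is marked successful
     * only after the credential has been deleted and the account has been disabled.
     *
     * @param authenticationFlowContext the current direct-grant flow context
     */
    public void authenticate(AuthenticationFlowContext authenticationFlowContext) {
        authenticationFlowContext.getEvent().event(EventType.DELETE_ACCOUNT).detail("identity_provider", PROVIDER_ID).detail(UserCredentialValidation.CONF_CREDENTIAL_TYPE, PasswordFormKeys.FORM_PASSWORD);

        // NOTE(review): retrieve() is inherited and its return type is not visible here. If it is
        // an Optional, get() throws on an absent parameter before the blank check below can
        // answer with "Missing parameter: password" - confirm and handle the empty case.
        String submittedPassword = retrieve(authenticationFlowContext, PasswordFormKeys.FORM_PASSWORD).get();
        if (Validation.isBlank(submittedPassword)) {
            flagFailure(authenticationFlowContext);
            invalidRequest(authenticationFlowContext, "Missing parameter: password");
            return;
        }

        UserModel user = authenticationFlowContext.getUser();
        if (user == null) {
            flagFailure(authenticationFlowContext);
            invalidNotFoundUser(authenticationFlowContext);
            return;
        }

        KeycloakSession session = authenticationFlowContext.getSession();
        PasswordCredentialProvider credentialProvider = getCredentialProvider(session);
        PasswordCredentialModel storedPassword = credentialProvider.getPassword(authenticationFlowContext.getRealm(), user);
        if (storedPassword == null) {
            // A user without a stored password is reported exactly like a wrong password.
            flagFailure(authenticationFlowContext);
            invalidUserCredentials(authenticationFlowContext, user);
            return;
        }

        CredentialInput[] suppliedCredential = {UserCredentialModel.password(submittedPassword)};
        if (!user.credentialManager().isValid(suppliedCredential)) {
            // Message kept as-is; it carries neither the submitted value nor a user identifier.
            logger.info("Password de registration is not valid");
            flagFailure(authenticationFlowContext);
            invalidUserCredentials(authenticationFlowContext, user);
            return;
        }

        if (!credentialProvider.deleteCredential(authenticationFlowContext.getRealm(), user, storedPassword.getId())) {
            flagFailure(authenticationFlowContext);
            invalidUserCredentials(authenticationFlowContext, user);
            return;
        }

        retireAccount(user);
        endAllSessions(authenticationFlowContext, session, user);
        authenticationFlowContext.success();
    }

    /** Switches the flow's event to the error variant of the account-deletion event. */
    private void flagFailure(AuthenticationFlowContext authenticationFlowContext) {
        authenticationFlowContext.getEvent().event(EventType.DELETE_ACCOUNT_ERROR);
    }

    /** Renames the account, stamps the de-registration date, drops its attributes and disables it. */
    private void retireAccount(UserModel user) {
        Instant now = Instant.now();
        // The epoch-second suffix changes the retired account's username.
        user.setUsername(user.getUsername() + "-deregistered_" + now.getEpochSecond());
        // Date.toString() renders in the JVM's default time zone; the stored text is not ISO-8601.
        user.setSingleAttribute(UserRegisteredAttributes.USER_ATTRIBUTES_DEREGISTERED_DATE, Date.from(now).toString());
        user.removeAttribute(UserRegisteredAttributes.USER_ATTRIBUTES_REGISTERED);
        user.removeAttribute("phoneNumber");
        user.removeAttribute("phoneNumberVerified");
        user.setEnabled(false);
    }

    /** Removes the user's online sessions, then performs a backchannel logout of each offline session. */
    private void endAllSessions(AuthenticationFlowContext authenticationFlowContext, KeycloakSession session, UserModel user) {
        session.sessions().removeUserSessions(authenticationFlowContext.getRealm(), user);
        new UserSessionManager(session)
                .findOfflineSessionsStream(authenticationFlowContext.getRealm(), user)
                .forEach(offlineSession -> AuthenticationManager.backchannelLogout(session, offlineSession, true));
    }

    /**
     * Reports that this authenticator needs an already-resolved user.
     *
     * @return always {@code true}
     */
    public boolean requiresUser() {
        return true;
    }

    /**
     * Looks up the password credential provider registered under the id {@code keycloak-password}.
     *
     * @param keycloakSession session used for the provider lookup
     * @return the provider returned by the lookup, cast to {@link PasswordCredentialProvider}
     */
    public PasswordCredentialProvider getCredentialProvider(KeycloakSession keycloakSession) {
        // The lookup is typed by CredentialProvider.class, so the result must be narrowed
        // explicitly; without the cast the return statement does not type-check.
        return (PasswordCredentialProvider) keycloakSession.getProvider(CredentialProvider.class, "keycloak-password");
    }
}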
