package org.keycloak.models.utils;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.jboss.logging.Logger;
import org.keycloak.common.util.Base64;
import org.keycloak.common.util.SecretGenerator;
import org.keycloak.credential.CredentialModel;
import org.keycloak.jose.jws.crypto.HashUtils;
import org.keycloak.models.UserModel;
import org.keycloak.models.credential.RecoveryAuthnCodesCredentialModel;

/* loaded from: input_file:org/keycloak/models/utils/RecoveryAuthnCodesUtils.class */
public class RecoveryAuthnCodesUtils {
    public static final int QUANTITY_OF_CODES_TO_GENERATE = 12;
    private static final int CODE_LENGTH = 12;
    public static final String NOM_ALGORITHM_TO_HASH = "SHA-512";
    public static final String RECOVERY_AUTHN_CODES_INPUT_DEFAULT_ERROR_MESSAGE = "recovery-codes-error-invalid";
    public static final String FIELD_RECOVERY_CODE_IN_BROWSER_FLOW = "recoveryCodeInput";
    private static final Logger logger = Logger.getLogger(RecoveryAuthnCodesUtils.class);
    public static final char[] UPPERNUM = "ABCDEFGHIJKLMNPQRSTUVWXYZ123456789".toCharArray();
    private static final SecretGenerator SECRET_GENERATOR = SecretGenerator.getInstance();

    public static byte[] hashRawCode(String str) {
        Objects.requireNonNull(str, "rawGeneratedCode cannot be null");
        return HashUtils.hash(NOM_ALGORITHM_TO_HASH, str.getBytes(StandardCharsets.UTF_8));
    }

    public static boolean verifyRecoveryCodeInput(String str, String str2) {
        try {
            return MessageDigest.isEqual(hashRawCode(str), Base64.decode(str2));
        } catch (IOException e) {
            logger.warnf("Error when decoding saved recovery code", e);
            return false;
        }
    }

    public static List<String> generateRawCodes() {
        return (List) Stream.generate(() -> {
            return SECRET_GENERATOR.randomString(12, UPPERNUM);
        }).limit(12L).collect(Collectors.toList());
    }

    public static Optional<CredentialModel> getCredential(UserModel userModel) {
        return userModel.credentialManager().getFederatedCredentialsStream().filter(credentialModel -> {
            return RecoveryAuthnCodesCredentialModel.TYPE.equals(credentialModel.getType());
        }).findFirst().or(() -> {
            return userModel.credentialManager().getStoredCredentialsByTypeStream(RecoveryAuthnCodesCredentialModel.TYPE).findFirst();
        });
    }
}
