package org.keycloak.services.resources.admin;

import jakarta.ws.rs.DELETE;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.core.UriInfo;
import java.util.HashMap;
import java.util.Map;
import org.eclipse.microprofile.openapi.annotations.Operation;
import org.eclipse.microprofile.openapi.annotations.extensions.Extension;
import org.eclipse.microprofile.openapi.annotations.tags.Tag;
import org.jboss.logging.Logger;
import org.jboss.resteasy.reactive.NoCache;
import org.keycloak.common.ClientConnection;
import org.keycloak.common.util.Time;
import org.keycloak.events.admin.OperationType;
import org.keycloak.events.admin.ResourceType;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserLoginFailureModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.managers.BruteForceProtector;
import org.keycloak.services.resources.KeycloakOpenAPI;
import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;
import org.keycloak.utils.MediaType;

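/**
 * Admin REST resource exposing the realm's brute-force detection state: the login-failure
 * record of a single user can be read or cleared, and all records of the realm can be cleared.
 *
 * <p>Every endpoint calls the {@link AdminPermissionEvaluator} before it touches the
 * login-failure store. The read endpoint returns the IP address of the last failed login and
 * the clear endpoints lift lockouts, so these permission checks are the only gate in this class
 * between a caller and that data.
 *
 * <p>The realm, client connection and request headers are captured from the session context
 * once, in the constructor.
 */
@Extension(name = KeycloakOpenAPI.Profiles.ADMIN, value = "")
/* loaded from: input_file:org/keycloak/services/resources/admin/AttackDetectionResource.class */
public class AttackDetectionResource {
    protected static final Logger logger = Logger.getLogger(AttackDetectionResource.class);
    protected final AdminPermissionEvaluator auth;
    protected final RealmModel realm;
    private final AdminEventBuilder adminEvent;
    protected final KeycloakSession session;
    protected final ClientConnection connection;
    protected final HttpHeaders headers;

    /**
     * Binds the resource to the realm of the current request.
     *
     * @param keycloakSession session whose context supplies the realm, connection and headers
     * @param adminPermissionEvaluator evaluator used for every permission check in this resource
     * @param adminEventBuilder builder that is scoped here to this realm and to
     *     {@link ResourceType#USER_LOGIN_FAILURE}
     */
    public AttackDetectionResource(KeycloakSession keycloakSession, AdminPermissionEvaluator adminPermissionEvaluator, AdminEventBuilder adminEventBuilder) {
        this.session = keycloakSession;
        this.auth = adminPermissionEvaluator;
        this.realm = keycloakSession.getContext().getRealm();
        this.connection = keycloakSession.getContext().getConnection();
        this.adminEvent = adminEventBuilder.realm(this.realm).resource(ResourceType.USER_LOGIN_FAILURE);
        this.headers = keycloakSession.getContext().getRequestHeaders();
    }

    /**
     * Reports the brute-force detection status recorded for a user id.
     *
     * <p>The result always contains the keys {@code disabled}, {@code numFailures},
     * {@code numTemporaryLockouts}, {@code lastFailure}, {@code lastIPFailure} and
     * {@code failedLoginNotBefore}. They keep their neutral defaults when the realm has no
     * brute-force protection or no failure record exists for the id.
     *
     * <p>{@code lastIPFailure} is the address stored with the last failed login; treat the
     * response as sensitive.
     *
     * @param str the user id taken from the request path
     * @return a mutable map with the status fields listed above
     */
    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.ATTACK_DETECTION)
    @Operation(summary = "Get status of a username in brute force detection")
    @GET
    @Path("brute-force/users/{userId}")
    public Map<String, Object> bruteForceUserStatus(@PathParam("userId") String str) {
        UserModel userById = this.session.users().getUserById(this.realm, str);
        // Authorize before reading any failure data. An id that resolves to no user falls back
        // to the check that is not scoped to one user (presumably realm-wide; confirm against
        // AdminPermissionEvaluator), so a per-user grant alone does not cover unknown ids.
        if (userById == null) {
            this.auth.users().requireView();
        } else {
            this.auth.users().requireView(userById);
        }

        Map<String, Object> status = new HashMap<>();
        status.put("disabled", false);
        status.put("numFailures", 0);
        status.put("numTemporaryLockouts", 0);
        status.put("lastFailure", 0);
        status.put("lastIPFailure", "n/a");
        status.put("failedLoginNotBefore", 0);

        if (!this.realm.isBruteForceProtected()) {
            return status;
        }
        UserLoginFailureModel failure = this.session.loginFailures().getUserLoginFailure(this.realm, str);
        if (failure == null) {
            return status;
        }

        if (isUserDisabled(failure, userById)) {
            status.put("disabled", true);
            // For an unknown user the lockout decision above was taken from the failure record's
            // own timestamp, so that timestamp is reported directly. The provider is only asked
            // when a user object exists; it is never handed a null user.
            boolean temporary = userById == null
                    || this.session.getProvider(BruteForceProtector.class).isTemporarilyDisabled(this.session, this.realm, userById);
            if (temporary) {
                status.put("failedLoginNotBefore", failure.getFailedLoginNotBefore());
            } else {
                // Locked, but not temporarily: reported as a lockout with no end time.
                status.put("failedLoginNotBefore", Long.MAX_VALUE);
            }
        }
        status.put("numFailures", failure.getNumFailures());
        status.put("numTemporaryLockouts", failure.getNumTemporaryLockouts());
        status.put("lastFailure", failure.getLastFailure());
        status.put("lastIPFailure", failure.getLastIPFailure());
        return status;
    }

    /**
     * Decides whether the failure record represents an active lockout.
     *
     * @param userLoginFailureModel the stored failure record
     * @param userModel the resolved user, or {@code null} when the id matched no user
     * @return for a {@code null} user, whether the current time is still before the record's
     *     {@code failedLoginNotBefore}; otherwise the brute-force provider's verdict
     */
    private boolean isUserDisabled(UserLoginFailureModel userLoginFailureModel, UserModel userModel) {
        if (userModel == null) {
            return Time.currentTime() < userLoginFailureModel.getFailedLoginNotBefore();
        }
        return isUserDisabledOrLockedByBruteForce(this.session, this.realm, userModel);
    }

    /**
     * Asks the {@link BruteForceProtector} provider whether the user is permanently locked out or
     * temporarily disabled.
     *
     * @return {@code true} when either provider check reports a lockout
     */
    private boolean isUserDisabledOrLockedByBruteForce(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
        BruteForceProtector protector = keycloakSession.getProvider(BruteForceProtector.class);
        return protector.isPermanentlyLockedOut(keycloakSession, realmModel, userModel)
                || protector.isTemporarilyDisabled(keycloakSession, realmModel, userModel);
    }

    /**
     * Removes the login-failure record stored for a user id, if one exists.
     *
     * <p>An admin event with {@link OperationType#DELETE} is recorded only when a record was
     * actually removed.
     *
     * @param str the user id taken from the request path
     */
    @Tag(name = KeycloakOpenAPI.Admin.Tags.ATTACK_DETECTION)
    @Operation(summary = "Clear any user login failures for the user This can release temporary disabled user")
    @Path("brute-force/users/{userId}")
    @DELETE
    public void clearBruteForceForUser(@PathParam("userId") String str) {
        UserModel userById = this.session.users().getUserById(this.realm, str);
        // Clearing a record lifts a lockout, so manage permission is required. Unknown ids need
        // the check that is not scoped to one user.
        if (userById == null) {
            this.auth.users().requireManage();
        } else {
            this.auth.users().requireManage(userById);
        }
        // NOTE(review): a clear request that finds no record leaves no admin event; if the audit
        // trail should also show no-op unlock attempts, that has to be added deliberately.
        if (this.session.loginFailures().getUserLoginFailure(this.realm, str) != null) {
            this.session.loginFailures().removeUserLoginFailure(this.realm, str);
            this.adminEvent.operation(OperationType.DELETE).resourcePath((UriInfo) this.session.getContext().getUri()).success();
        }
    }

    /**
     * Removes every login-failure record of the realm.
     *
     * <p>This resets the failure counters of all users at once, including accounts that are
     * currently locked. An admin event with {@link OperationType#DELETE} is recorded on every
     * call, whether or not any record existed.
     */
    @Tag(name = KeycloakOpenAPI.Admin.Tags.ATTACK_DETECTION)
    @Operation(summary = "Clear any user login failures for all users This can release temporary disabled users")
    @Path("brute-force/users")
    @DELETE
    public void clearAllBruteForce() {
        this.auth.users().requireManage();
        this.session.loginFailures().removeAllUserLoginFailures(this.realm);
        this.adminEvent.operation(OperationType.DELETE).resourcePath((UriInfo) this.session.getContext().getUri()).success();
    }
}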
