package io.imunity.otp.ldap;

import com.unboundid.ldap.sdk.LDAPException;
import eu.unicore.util.configuration.ConfigurationException;
import io.imunity.otp.HashFunction;
import io.imunity.otp.OTPCredentialReset;
import io.imunity.otp.OTPExchange;
import io.imunity.otp.OTPGenerationParams;
import io.imunity.otp.TOTPCodeVerificator;
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.net.URISyntaxException;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Properties;
import java.util.stream.Collectors;
import org.apache.http.client.utils.URIBuilder;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.ObjectFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.PKIManagement;
import pl.edu.icm.unity.engine.api.authn.AbstractCredentialVerificatorFactory;
import pl.edu.icm.unity.engine.api.authn.AbstractVerificator;
import pl.edu.icm.unity.engine.api.authn.AuthenticatedEntity;
import pl.edu.icm.unity.engine.api.authn.AuthenticationException;
import pl.edu.icm.unity.engine.api.authn.AuthenticationResult;
import pl.edu.icm.unity.engine.api.authn.AuthenticationSubject;
import pl.edu.icm.unity.engine.api.authn.CredentialVerificator;
import pl.edu.icm.unity.engine.api.authn.LocalAuthenticationResult;
import pl.edu.icm.unity.engine.api.utils.PrototypeComponent;
import pl.edu.icm.unity.exceptions.InternalException;
import pl.edu.icm.unity.ldap.client.LdapAuthenticationException;
import pl.edu.icm.unity.ldap.client.LdapClient;
import pl.edu.icm.unity.ldap.client.config.LdapClientConfiguration;
import pl.edu.icm.unity.types.basic.Identity;

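/**
 * TOTP credential verificator whose per-user parameters are stored in LDAP.
 *
 * <p>For each authentication the user's LDAP entry is searched for the attribute named by
 * {@link OTPWithLDAPConfiguration#getSecretAttribute()}. Its value is expected to be an
 * otpauth-style URI: the {@code secret} query parameter (base32) is mandatory, while
 * {@code algorithm}, {@code period} and {@code digits} are optional and fall back to the
 * verificator's configured defaults. Credential reset is disabled because the secret is owned
 * by the directory, not by this service.
 *
 * <p>Security notes:
 * <ul>
 *   <li>The raw LDAP attribute value contains the TOTP secret. No part of that value is ever
 *       placed in a log message or in an exception message produced by this class; failures are
 *       reported with the user name and a fixed description only. In particular the URI is not
 *       parsed through {@code Collectors.toMap} (whose duplicate-key exception embeds the
 *       colliding values) and a {@link URISyntaxException} (whose message embeds the whole
 *       input) is never logged as-is.</li>
 *   <li>Per-user {@code period}/{@code digits} values are rejected unless positive, so a
 *       malformed directory entry fails closed instead of reaching the TOTP engine.</li>
 *   <li>{@link TOTPCodeVerificator#verifyCode} is called without any last-used-counter state,
 *       so a code valid within the configured drift window can be accepted more than once by
 *       this verificator. Replay protection, if required, has to be provided elsewhere
 *       (e.g. by the authentication flow) -- confirm before relying on it.</li>
 * </ul>
 */
@PrototypeComponent
class OTPWithLDAPVerificator extends AbstractVerificator implements OTPExchange {
    private static final Logger log = Log.getLogger("unity.server.otp", OTPWithLDAPVerificator.class);
    public static final String NAME = "otp-ldap";
    public static final String DESC = "One-time password with ldap";
    private final PKIManagement pkiManagement;
    private OTPWithLDAPProperties otpWithLDAPProperties;
    private LdapClientConfiguration ldapClientConfiguration;
    private OTPWithLDAPConfiguration otpLdapConfiguration;
    private LdapClient ldapClient;

    /** Spring factory registering this verificator under {@link #NAME}. */
    @Component
    public static class Factory extends AbstractCredentialVerificatorFactory {
        @Autowired
        public Factory(ObjectFactory<OTPWithLDAPVerificator> objectFactory) {
            super(OTPWithLDAPVerificator.NAME, OTPWithLDAPVerificator.DESC, objectFactory);
        }
    }

    /**
     * Immutable bundle of the TOTP parameters resolved for one user: values taken from the
     * LDAP URI where present, otherwise the configured defaults.
     */
    private static final class OTPURIParams {
        final HashFunction hashFunction;
        final int timeStepSeconds;
        final int codeLength;
        final String base32Secret;

        OTPURIParams(HashFunction hashFunction, int timeStepSeconds, int codeLength, String base32Secret) {
            this.hashFunction = hashFunction;
            this.timeStepSeconds = timeStepSeconds;
            this.codeLength = codeLength;
            this.base32Secret = base32Secret;
        }
    }

    /**
     * @param pKIManagement used to build the LDAP client configuration (TLS trust) when the
     *                      serialized configuration is applied
     */
    OTPWithLDAPVerificator(PKIManagement pKIManagement) {
        super(NAME, DESC, "otp-exchange");
        this.pkiManagement = pKIManagement;
        this.ldapClient = new LdapClient();
    }

    /** Mixed: the OTP code is checked locally, the secret comes from a remote directory. */
    public CredentialVerificator.VerificatorType getType() {
        return CredentialVerificator.VerificatorType.Mixed;
    }

    /**
     * Serializes the current properties in {@link Properties#store} format.
     *
     * <p>NOTE(review): the properties are the full OTP-LDAP configuration and presumably
     * include LDAP connection settings; treat the returned string as sensitive -- confirm
     * against {@code OTPWithLDAPProperties}.
     *
     * @throws InternalException if the in-memory writer fails (should not happen in practice)
     */
    public String getSerializedConfiguration() {
        StringWriter out = new StringWriter();
        try {
            this.otpWithLDAPProperties.getProperties().store(out, "");
        } catch (IOException e) {
            throw new InternalException("Can't serialize OTP-LDAP verificator configuration", e);
        }
        return out.toString();
    }

    /**
     * Parses a {@link Properties}-format configuration and (re)builds the OTP defaults and the
     * LDAP client configuration from it.
     *
     * @throws InternalException on malformed properties or an invalid configuration
     */
    public void setSerializedConfiguration(String str) {
        try {
            Properties properties = new Properties();
            properties.load(new StringReader(str));
            this.otpWithLDAPProperties = new OTPWithLDAPProperties(properties);
            this.otpLdapConfiguration = new OTPWithLDAPConfiguration();
            this.otpLdapConfiguration.fromProperties(this.otpWithLDAPProperties);
            this.ldapClientConfiguration = new LdapClientConfiguration(
                    this.otpWithLDAPProperties.toFullLDAPProperties(), this.pkiManagement);
        } catch (ConfigurationException e) {
            throw new InternalException("Invalid configuration of the OTP-LDAP verificator", e);
        } catch (IOException e) {
            throw new InternalException("Invalid configuration of the OTP-LDAP verificator(?)", e);
        }
    }

    /** Default code length; a user's LDAP URI may override it via {@code digits}. */
    public int getCodeLength() {
        return this.otpLdapConfiguration.getCodeLength();
    }

    /** Credential reset is not supported: the secret lives in LDAP. */
    public OTPCredentialReset getCredentialResetBackend() {
        return OTPCredentialReset.createDisabled();
    }

    /**
     * Verifies a TOTP code for the given subject.
     *
     * <p>The subject is resolved to a {@code userName} identity, the user's TOTP parameters are
     * fetched from LDAP and the code is checked with the configured time-drift tolerance. Every
     * failure path -- unknown user, missing/unparsable secret, LDAP error, wrong code -- is
     * reported to the caller as the same {@code OTPRetrieval.wrongCode} error so that an
     * attacker cannot distinguish "no such user" from "wrong code"; the distinction is kept in
     * the logs only.
     *
     * <p>No replay protection is applied here (see the class comment).
     *
     * @param code    the code entered by the user
     * @param subject the authenticating subject
     * @return a successful result bound to the resolved entity, or a failed result
     */
    public AuthenticationResult verifyCode(String code, AuthenticationSubject subject) {
        Identity identity;
        try {
            identity = this.identityResolver.resolveSubject(subject, "userName");
        } catch (Exception e) {
            log.info("The user for OTP authN can not be found: " + subject, e);
            return LocalAuthenticationResult.failed(
                    new AuthenticationResult.ResolvableError("OTPRetrieval.wrongCode", new Object[0]), e);
        }
        try {
            OTPURIParams params = getOTPURIParamsFromLdapFallbackToDefaults(identity.getValue());
            OTPGenerationParams generationParams =
                    new OTPGenerationParams(params.codeLength, params.hashFunction, params.timeStepSeconds);
            boolean valid = TOTPCodeVerificator.verifyCode(code, params.base32Secret, generationParams,
                    this.otpLdapConfiguration.getAllowedTimeDriftSteps());
            if (valid) {
                return LocalAuthenticationResult.successful(
                        new AuthenticatedEntity(Long.valueOf(identity.getEntityId()), subject, (String) null));
            }
            log.info("Code provided by {} is invalid", subject);
            return LocalAuthenticationResult.failed(
                    new AuthenticationResult.ResolvableError("OTPRetrieval.wrongCode", new Object[0]));
        } catch (Exception e) {
            // Exceptions reaching this point carry no secret material: the URI parsing below
            // converts every secret-bearing failure into an AuthenticationException with a
            // fixed message before it can get here.
            log.warn("Error during TOTP verification for " + subject, e);
            return LocalAuthenticationResult.failed(
                    new AuthenticationResult.ResolvableError("OTPRetrieval.wrongCode", new Object[0]), e);
        }
    }

    /**
     * Looks up the user's otpauth-style URI in LDAP and resolves the TOTP parameters from it,
     * using the configured defaults for {@code algorithm}, {@code period} and {@code digits}
     * when they are absent.
     *
     * <p>Fails closed (with a message that does not contain the attribute value) when the
     * attribute is missing, the URI is unparsable, a query parameter is repeated, the
     * {@code secret} is missing/empty, a parameter is malformed, or {@code period}/{@code digits}
     * are not positive.
     *
     * @param user the user name used for the LDAP search and in log messages
     * @throws AuthenticationException for every "secret not usable" condition listed above
     */
    private OTPURIParams getOTPURIParamsFromLdapFallbackToDefaults(String user) throws AuthenticationException,
            KeyManagementException, LDAPException, NoSuchAlgorithmException, LdapAuthenticationException {
        Optional secretUri = this.ldapClient.searchAttribute(user,
                this.otpLdapConfiguration.getSecretAttribute(), this.ldapClientConfiguration);
        if (!secretUri.isPresent()) {
            log.error("OTP secret URI is not available for user " + user);
            throw new AuthenticationException("OTP secret is not available for user " + user);
        }

        // Group every occurrence of a parameter so repeated keys can be detected explicitly.
        // Collectors.toMap is deliberately avoided: its duplicate-key IllegalStateException
        // embeds the colliding values (i.e. the secret) in its message.
        Map<String, List<String>> query;
        try {
            query = new URIBuilder((String) secretUri.get()).getQueryParams().stream()
                    .collect(Collectors.groupingBy(p -> p.getName(),
                            Collectors.mapping(p -> p.getValue(), Collectors.toList())));
        } catch (URISyntaxException e) {
            // URISyntaxException.getMessage() contains the whole input (the secret);
            // log only the reason and offset.
            log.error("Can not parse secret URI from LDAP for user " + user + ": " + e.getReason()
                    + " at index " + e.getIndex());
            throw new AuthenticationException("OTP secret is not available for user " + user);
        }

        String secret = singleQueryParam(query, "secret", user);
        if (secret == null || secret.isEmpty()) {
            log.error("OTP secret is not available for user " + user);
            throw new AuthenticationException("OTP secret is not available for user " + user);
        }
        String algorithm = singleQueryParam(query, "algorithm", user);
        String period = singleQueryParam(query, "period", user);
        String digits = singleQueryParam(query, "digits", user);

        HashFunction hashFunction;
        int timeStepSeconds;
        int codeLength;
        try {
            hashFunction = algorithm == null
                    ? this.otpLdapConfiguration.getHashFunction()
                    : HashFunction.valueOf(algorithm);
            timeStepSeconds = period == null
                    ? this.otpLdapConfiguration.getTimeStepSeconds()
                    : Integer.parseInt(period);
            codeLength = digits == null
                    ? this.otpLdapConfiguration.getCodeLength()
                    : Integer.parseInt(digits);
        } catch (IllegalArgumentException e) {
            // NumberFormatException and the enum lookup failure both land here; their messages
            // carry only the offending algorithm/period/digits token, never the secret.
            log.error("Malformed OTP parameters in secret URI of user " + user + ": " + e.getMessage());
            throw new AuthenticationException("OTP secret is not available for user " + user);
        }

        // A non-positive time step or code length is a broken directory entry; do not hand it
        // to the TOTP engine.
        if (timeStepSeconds <= 0 || codeLength <= 0) {
            log.error("Rejecting OTP parameters of user " + user + ": period=" + timeStepSeconds
                    + ", digits=" + codeLength);
            throw new AuthenticationException("OTP secret is not available for user " + user);
        }
        return new OTPURIParams(hashFunction, timeStepSeconds, codeLength, secret);
    }

    /**
     * Returns the single value of query parameter {@code name}, or {@code null} when absent.
     *
     * <p>A parameter that occurs more than once is rejected rather than resolved by
     * "first/last wins": for {@code secret} that would let an ambiguous entry pick which secret
     * is verified. The parameter value is never logged.
     *
     * @throws AuthenticationException if the parameter is repeated
     */
    private static String singleQueryParam(Map<String, List<String>> query, String name, String user)
            throws AuthenticationException {
        List<String> values = query.get(name);
        if (values == null || values.isEmpty()) {
            return null;
        }
        if (values.size() > 1) {
            log.error("Parameter '" + name + "' occurs " + values.size()
                    + " times in the OTP secret URI of user " + user);
            throw new AuthenticationException("OTP secret is not available for user " + user);
        }
        return values.get(0);
    }
}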
