package io.imunity.otp;

import com.google.common.base.Strings;
import java.util.Date;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.ObjectFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.JsonUtil;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.authn.AuthenticatedEntity;
import pl.edu.icm.unity.engine.api.authn.AuthenticationResult;
import pl.edu.icm.unity.engine.api.authn.AuthenticationSubject;
import pl.edu.icm.unity.engine.api.authn.EntityWithCredential;
import pl.edu.icm.unity.engine.api.authn.local.AbstractLocalCredentialVerificatorFactory;
import pl.edu.icm.unity.engine.api.authn.local.AbstractLocalVerificator;
import pl.edu.icm.unity.engine.api.authn.local.CredentialHelper;
import pl.edu.icm.unity.engine.api.authn.local.LocalSandboxAuthnContext;
import pl.edu.icm.unity.engine.api.authn.remote.SandboxAuthnResultCallback;
import pl.edu.icm.unity.engine.api.notification.NotificationProducer;
import pl.edu.icm.unity.engine.api.utils.PrototypeComponent;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.exceptions.IllegalCredentialException;
import pl.edu.icm.unity.exceptions.InternalException;
import pl.edu.icm.unity.types.authn.CredentialPublicInformation;
import pl.edu.icm.unity.types.authn.LocalCredentialState;
import pl.edu.icm.unity.types.basic.EntityParam;

@PrototypeComponent
/**
 * Local credential verificator for time-based one-time passwords.
 *
 * <p>The stored credential is a JSON-serialized {@link OTPCredentialDBState}
 * (secret, OTP parameters, set-up time, outdated flag). Verification resolves
 * the subject by user name or e-mail, parses that state and delegates the
 * actual code check to {@link TOTPCodeVerificator}, allowing the clock drift
 * configured in the credential definition.
 *
 * <p>Security notes (review): every failure path in {@link #checkCode} — unknown
 * subject, unparsable state, verification error, wrong code — collapses to a
 * plain deny result, and only the subject (never the submitted code or the
 * secret) is written to the log. Brute-force throttling is not done in this
 * class; it is presumably handled by the surrounding authentication flow.
 */
class OTPVerificator extends AbstractLocalVerificator implements OTPExchange {
    public static final String DESC = "One-time password";
    /** Identity types the subject may be resolved through. */
    public static final String[] IDENTITY_TYPES = {"userName", "email"};
    private static final Logger log = Log.getLogger("unity.server.otp", OTPVerificator.class);

    private final CredentialHelper credentialHelper;
    private final NotificationProducer notificationProducer;
    /** Current credential definition; populated by {@link #setSerializedConfiguration}. */
    private OTPCredentialDefinition credentialConfig;

    /**
     * Spring factory registering this verificator under the {@code "otp"} type.
     */
    @Component
    public static class Factory extends AbstractLocalCredentialVerificatorFactory {
        @Autowired
        public Factory(ObjectFactory<OTPVerificator> objectFactory) {
            super("otp", OTPVerificator.DESC, true, objectFactory);
        }
    }

    @Autowired
    OTPVerificator(CredentialHelper credentialHelper, NotificationProducer notificationProducer) {
        super("otp", DESC, OTPExchange.ID, true);
        this.credentialHelper = credentialHelper;
        this.notificationProducer = notificationProducer;
    }

    public String getExchangeId() {
        return OTPExchange.ID;
    }

    /**
     * Verifies a submitted OTP code for the given subject.
     *
     * @param str submitted one-time code
     * @param authenticationSubject subject to authenticate
     * @param sandboxAuthnResultCallback optional sandbox callback; when non-null it is
     *        informed of the outcome regardless of success or denial
     * @return success with the authenticated entity, or a deny result
     */
    @Override
    public AuthenticationResult verifyCode(String str, AuthenticationSubject authenticationSubject, SandboxAuthnResultCallback sandboxAuthnResultCallback) {
        AuthenticationResult outcome = checkCode(authenticationSubject, str);
        if (sandboxAuthnResultCallback == null) {
            return outcome;
        }
        sandboxAuthnResultCallback.sandboxedAuthenticationDone(new LocalSandboxAuthnContext(outcome));
        return outcome;
    }

    /** Builds the uniform deny result used on every failure path. */
    private static AuthenticationResult deny() {
        return new AuthenticationResult(AuthenticationResult.Status.deny, (AuthenticatedEntity) null);
    }

    /**
     * Resolves the subject and checks the code against its stored OTP state.
     * Resolution failures are logged at debug level (with the subject only) and
     * denied; the remaining steps are handled by {@link #verifyAgainstStoredState}.
     */
    private AuthenticationResult checkCode(AuthenticationSubject subject, String code) {
        EntityWithCredential entity;
        try {
            entity = this.identityResolver.resolveSubject(subject, IDENTITY_TYPES, this.credentialName);
        } catch (Exception e) {
            log.debug("The user for OTP authN can not be found: " + subject, e);
            return deny();
        }
        return verifyAgainstStoredState(subject, code, entity);
    }

    /**
     * Parses the stored credential state and runs the TOTP check.
     * Any exception (corrupt state, missing configuration, verificator error)
     * is treated as a denial rather than propagated to the caller.
     */
    private AuthenticationResult verifyAgainstStoredState(AuthenticationSubject subject, String code, EntityWithCredential entity) {
        try {
            OTPCredentialDBState stored = (OTPCredentialDBState) JsonUtil.parse(entity.getCredentialValue(), OTPCredentialDBState.class);
            // OTP parameters come from the stored credential; the drift window from the definition.
            boolean accepted = TOTPCodeVerificator.verifyCode(code, stored.secret, stored.otpParams, this.credentialConfig.allowedTimeDriftSteps);
            if (!accepted) {
                log.debug("Code provided by {} is invalid", subject);
                return deny();
            }
            // An outdated credential still authenticates, but the entity carries its name so the
            // caller can force an update.
            String outdatedCredential = stored.outdated ? entity.getCredentialName() : null;
            AuthenticatedEntity authenticated = new AuthenticatedEntity(Long.valueOf(entity.getEntityId()), subject, outdatedCredential);
            return new AuthenticationResult(AuthenticationResult.Status.success, authenticated);
        } catch (Exception e) {
            log.debug("Error during TOTP verification for " + subject, e);
            return deny();
        }
    }

    @Override
    public OTPCredentialReset getCredentialResetBackend() {
        return new OTPCredentialReset(this.notificationProducer, this.identityResolver, this, this.credentialHelper,
                this.credentialName, JsonUtil.toJsonNode(this.credentialConfig), this.credentialConfig.resetSettings);
    }

    /**
     * Converts a freshly enrolled {@link OTPCredential} into the DB representation,
     * stamping the current time and clearing the outdated flag.
     *
     * <p>NOTE(review): {@code str2} (current credential) and {@code z} (verify flag)
     * are ignored, and the submitted {@code otpParams} are stored as-is without being
     * compared to {@code credentialConfig.otpParams} — confirm the caller enforces the
     * configured parameters before they reach this method.
     *
     * @param str JSON-serialized {@link OTPCredential}
     * @param str2 unused
     * @param z unused
     * @return JSON-serialized {@link OTPCredentialDBState}
     */
    public String prepareCredential(String str, String str2, boolean z) throws IllegalCredentialException, InternalException {
        OTPCredential enrolled = (OTPCredential) JsonUtil.parse(str, OTPCredential.class);
        OTPCredentialDBState fresh = new OTPCredentialDBState(enrolled.secret, enrolled.otpParams, new Date(), false, null);
        return JsonUtil.toJsonString(fresh);
    }

    /**
     * Reports the public state of a stored credential. Only the set-up timestamp is
     * exposed as extra info; the secret and parameters are not included.
     */
    public CredentialPublicInformation checkCredentialState(String str) throws InternalException {
        if (Strings.isNullOrEmpty(str)) {
            return new CredentialPublicInformation(LocalCredentialState.notSet, "");
        }
        OTPCredentialDBState stored = (OTPCredentialDBState) JsonUtil.parse(str, OTPCredentialDBState.class);
        LocalCredentialState state = stored.outdated ? LocalCredentialState.outdated : LocalCredentialState.correct;
        String extraInfo = JsonUtil.toJsonString(new OTPExtraInfo(stored.time));
        return new CredentialPublicInformation(state, extraInfo);
    }

    /**
     * Marks a stored credential as outdated. The secret, parameters and set-up time
     * are retained, so the credential keeps working until it is replaced.
     */
    public String invalidate(String str) {
        OTPCredentialDBState stored = (OTPCredentialDBState) JsonUtil.parse(str, OTPCredentialDBState.class);
        OTPCredentialDBState flagged = new OTPCredentialDBState(stored.secret, stored.otpParams, stored.time, true, null);
        return JsonUtil.toJsonString(flagged);
    }

    public boolean isCredentialSet(EntityParam entityParam) throws EngineException {
        return this.credentialHelper.isCredentialSet(entityParam, this.credentialName);
    }

    /**
     * A definition change outdates existing credentials exactly when its OTP
     * parameters differ from the currently configured ones.
     */
    public boolean isCredentialDefinitionChagneOutdatingCredentials(String str) {
        OTPCredentialDefinition proposed = (OTPCredentialDefinition) JsonUtil.parse(str, OTPCredentialDefinition.class);
        boolean sameParams = proposed.otpParams.equals(this.credentialConfig.otpParams);
        return !sameParams;
    }

    public String getSerializedConfiguration() {
        return JsonUtil.toJsonString(this.credentialConfig);
    }

    public void setSerializedConfiguration(String str) {
        this.credentialConfig = (OTPCredentialDefinition) JsonUtil.parse(str, OTPCredentialDefinition.class);
    }

    @Override
    public int getCodeLength() {
        return this.credentialConfig.otpParams.codeLength;
    }
}
