package org.gluu.oxauth.fido2.service.mds;

import com.fasterxml.jackson.databind.JsonNode;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.annotation.PostConstruct;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.ws.rs.core.Response;
import org.apache.commons.codec.binary.Hex;
import org.gluu.oxauth.fido2.exception.Fido2RPRuntimeException;
import org.gluu.oxauth.fido2.service.Base64Service;
import org.gluu.oxauth.fido2.service.DataMapperService;
import org.gluu.oxauth.fido2.service.processors.impl.ResteasyClientFactory;
import org.gluu.oxauth.fido2.service.verifier.CommonVerifiers;
import org.gluu.oxauth.model.configuration.AppConfiguration;
import org.gluu.oxauth.model.configuration.Fido2Configuration;
import org.gluu.util.StringHelper;
import org.slf4j.Logger;

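@ApplicationScoped
/* loaded from: input_file:org/gluu/oxauth/fido2/service/mds/MdsService.class */
/**
 * Resolves FIDO MDS metadata statements by AAGUID.
 *
 * <p>On a cache miss the AAGUID is looked up in the TOC held by {@link MdsTocService}, the TOC
 * entry's status reports are checked for compromise states, the statement is downloaded from the
 * entry's {@code url} using the configured MDS access token, its digest is compared against the
 * TOC entry's {@code hash}, and only then is the parsed statement cached.
 *
 * <p>Security notes:
 * <ul>
 *   <li>The MDS access token is sent as a URL query parameter (required by the MDS API). It must
 *       never reach the logs, so only the token-free TOC URL is logged here.</li>
 *   <li>Cached entries are never expired by this class and are returned without re-checking the
 *       TOC status; call {@link #clear()} whenever the TOC is refreshed so that newly revoked
 *       authenticators are not served from cache.</li>
 *   <li>Whether the TOC itself was signature-verified is the responsibility of
 *       {@link MdsTocService}; this class trusts the {@code url} and {@code hash} it hands back.</li>
 * </ul>
 */
public class MdsService {

    /**
     * Status values that make an authenticator unacceptable. Any status report carrying one of these
     * (not only the most recent one) rejects the authenticator.
     * NOTE(review): the original list named ATTESTATION_KEY_COMPROMISE twice; it is listed once here.
     * Whether the project's AuthenticatorStatus enum defines further revocation values that should be
     * included cannot be told from this file — confirm against the enum.
     */
    private static final List<AuthenticatorStatus> UNACCEPTABLE_STATUSES = Collections.unmodifiableList(Arrays.asList(
            AuthenticatorStatus.USER_VERIFICATION_BYPASS,
            AuthenticatorStatus.ATTESTATION_KEY_COMPROMISE,
            AuthenticatorStatus.USER_KEY_REMOTE_COMPROMISE,
            AuthenticatorStatus.USER_KEY_PHYSICAL_COMPROMISE));

    @Inject
    private Logger log;

    @Inject
    private CommonVerifiers commonVerifiers;

    @Inject
    private MdsTocService mdsTocService;

    @Inject
    private DataMapperService dataMapperService;

    @Inject
    private Base64Service base64Service;

    @Inject
    private ResteasyClientFactory resteasyClientFactory;

    @Inject
    private AppConfiguration appConfiguration;

    /** Verified metadata statements keyed by dashed AAGUID string; populated only after hash verification. */
    private Map<String, JsonNode> mdsEntries;

    /** Initialises the (thread-safe) metadata cache. */
    @PostConstruct
    public void create() {
        this.mdsEntries = Collections.synchronizedMap(new HashMap<>());
    }

    /**
     * Returns the metadata statement for the authenticator with the given AAGUID, fetching and
     * verifying it on first use.
     *
     * @param bArr raw AAGUID bytes (16 bytes expected); formatted as a dashed hex string for lookup
     * @return the parsed metadata statement
     * @throws Fido2RPRuntimeException if the AAGUID is not in the TOC, the MDS configuration or access
     *         token is missing, the TOC entry has an unacceptable status, the TOC url is absent or
     *         malformed, the download fails, the payload hash does not match the TOC, or the payload
     *         cannot be parsed
     */
    public JsonNode fetchMetadata(byte[] bArr) {
        String aaguid = deconvert(bArr);
        JsonNode cached = this.mdsEntries.get(aaguid);
        if (cached != null) {
            this.log.debug("Get MDS by aaguid {} from cache", aaguid);
            return cached;
        }

        JsonNode tocEntry = this.mdsTocService.getAuthenticatorsMetadata(aaguid);
        if (tocEntry == null) {
            throw new Fido2RPRuntimeException("Authenticator not in TOC aaguid " + aaguid);
        }
        String mdsAccessToken = requireMdsAccessToken();

        JsonNode urlNode = tocEntry.get("url");
        if (urlNode == null || urlNode.isNull()) {
            throw new Fido2RPRuntimeException("Invalid URI in TOC aaguid " + aaguid);
        }
        String metadataUrl = urlNode.asText();
        URI uri;
        try {
            uri = new URI(String.format("%s/?token=%s", metadataUrl, mdsAccessToken));
        } catch (URISyntaxException e) {
            // Deliberately not chained as cause: URISyntaxException.getMessage() echoes the full input,
            // which includes the access token, and would end up in any logged stack trace.
            throw new Fido2RPRuntimeException("Invalid URI in TOC aaguid " + aaguid);
        }
        // Log the token-free TOC url, never the request URI that carries ?token=.
        this.log.info("Authenticator AAGUID {} metadata url {}", aaguid, metadataUrl);

        verifyTocEntryStatus(aaguid, tocEntry);
        String expectedHashB64 = this.commonVerifiers.verifyThatString(tocEntry, "hash");

        String payload = downloadMetadata(uri, metadataUrl, aaguid);

        // The TOC hash is computed over the base64url-encoded payload exactly as served, so digest the
        // raw body before decoding it. The digest algorithm comes from MdsTocService (presumably the
        // TOC's declared hash algorithm — confirm there).
        byte[] actualHash = this.mdsTocService.getDigester().digest(payload.getBytes(StandardCharsets.UTF_8));
        byte[] expectedHash = this.base64Service.urlDecode(expectedHashB64);
        if (!MessageDigest.isEqual(actualHash, expectedHash)) {
            throw new Fido2RPRuntimeException("Unable to verify metadata hash for aaguid " + aaguid);
        }

        try {
            JsonNode metadata = this.dataMapperService.readTree(this.base64Service.urlDecode(payload));
            this.mdsEntries.put(aaguid, metadata);
            return metadata;
        } catch (IOException e) {
            this.log.warn("Can't parse payload from the server ", e);
            throw new Fido2RPRuntimeException("Unable to parse payload from server for aaguid " + aaguid);
        }
    }

    /**
     * Returns the configured MDS access token.
     *
     * @throws Fido2RPRuntimeException if the FIDO2 configuration or the token is missing
     */
    private String requireMdsAccessToken() {
        Fido2Configuration fido2Configuration = this.appConfiguration.getFido2Configuration();
        if (fido2Configuration == null) {
            throw new Fido2RPRuntimeException("Fido2 configuration not exists");
        }
        String mdsAccessToken = fido2Configuration.getMdsAccessToken();
        if (StringHelper.isEmpty(mdsAccessToken)) {
            throw new Fido2RPRuntimeException("Fido2 MDS access token should be set");
        }
        return mdsAccessToken;
    }

    /**
     * Performs the HTTP GET against the MDS and returns the raw (still base64url-encoded) body.
     *
     * @param uri         full request URI including the access token (not logged)
     * @param metadataUrl token-free TOC url, used for logging only
     * @param aaguid      dashed AAGUID for error messages
     * @throws Fido2RPRuntimeException on any non-2xx response
     */
    private String downloadMetadata(URI uri, String metadataUrl, String aaguid) {
        this.log.info("Reaching MDS at {}", metadataUrl);
        Response response = this.resteasyClientFactory.buildResteasyClient().target(uri).request().header("Content-Type", "application/json").get();
        try {
            // Read the body before inspecting the status so the connection is fully consumed either way.
            String body = response.readEntity(String.class);
            Response.StatusType statusInfo = response.getStatusInfo();
            this.log.info("Response from resource server {}", statusInfo);
            if (statusInfo.getFamily() != Response.Status.Family.SUCCESSFUL) {
                throw new Fido2RPRuntimeException("Unable to retrieve metadata for aaguid " + aaguid + " status " + statusInfo);
            }
            return body;
        } finally {
            // JAX-RS responses hold the underlying connection until closed.
            response.close();
        }
    }

    /**
     * Rejects the authenticator if any of its TOC status reports carries an unacceptable status.
     * Fails closed on a TOC entry without {@code statusReports}, a report without {@code status},
     * or a status value the {@link AuthenticatorStatus} enum does not know.
     *
     * @param aaguid   dashed AAGUID for log and error messages
     * @param tocEntry the authenticator's TOC entry
     * @throws Fido2RPRuntimeException if the entry cannot be shown to be acceptable
     */
    private void verifyTocEntryStatus(String aaguid, JsonNode tocEntry) {
        JsonNode statusReports = tocEntry.get("statusReports");
        if (statusReports == null) {
            throw new Fido2RPRuntimeException("Authenticator " + aaguid + " has no statusReports in TOC");
        }
        Iterator<JsonNode> reports = statusReports.elements();
        while (reports.hasNext()) {
            JsonNode report = reports.next();
            JsonNode statusNode = report.get("status");
            if (statusNode == null) {
                throw new Fido2RPRuntimeException("Authenticator " + aaguid + " status report without status");
            }
            AuthenticatorStatus status;
            try {
                status = AuthenticatorStatus.valueOf(statusNode.asText());
            } catch (IllegalArgumentException e) {
                // Unknown status: do not guess, treat as unacceptable.
                throw new Fido2RPRuntimeException("Authenticator " + aaguid + " unknown status " + statusNode.asText());
            }
            JsonNode effectiveDateNode = report.get("effectiveDate");
            String effectiveDate = effectiveDateNode == null ? null : effectiveDateNode.asText();
            this.log.info("Authenticator AAGUI {} status {} effective date {}", new Object[]{aaguid, status, effectiveDate});
            verifyStatusAcceptable(aaguid, status);
        }
    }

    /**
     * Formats raw AAGUID bytes as lowercase hex with dashes after the 8th, 12th, 16th and 20th hex
     * digits (8-4-4-4-rest). Input shorter than 21 hex digits does not match the pattern and is
     * returned as plain hex.
     *
     * @param bArr raw AAGUID bytes
     * @return dashed hex string used as the TOC and cache key
     */
    private String deconvert(byte[] bArr) {
        return Hex.encodeHexString(bArr).replaceFirst("([0-9a-fA-F]{8})([0-9a-fA-F]{4})([0-9a-fA-F]{4})([0-9a-fA-F]{4})([0-9a-fA-F]+)", "$1-$2-$3-$4-$5");
    }

    /**
     * Throws if the status is one of {@link #UNACCEPTABLE_STATUSES}.
     *
     * @param str                 dashed AAGUID for the error message
     * @param authenticatorStatus status taken from a TOC status report
     * @throws Fido2RPRuntimeException if the status marks the authenticator as compromised
     */
    private void verifyStatusAcceptable(String str, AuthenticatorStatus authenticatorStatus) {
        if (UNACCEPTABLE_STATUSES.contains(authenticatorStatus)) {
            throw new Fido2RPRuntimeException("Authenticator " + str + " status undesirable " + authenticatorStatus);
        }
    }

    /**
     * Drops every cached metadata statement. Must be called after a TOC refresh, otherwise an
     * authenticator revoked in the new TOC keeps being served from cache.
     */
    public void clear() {
        this.mdsEntries.clear();
    }
}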
