package org.gluu.oxauth.fido2.ws.rs.service;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.node.ObjectNode;
import java.io.IOException;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.List;
import java.util.stream.Collectors;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import org.gluu.oxauth.fido2.ctap.AttestationConveyancePreference;
import org.gluu.oxauth.fido2.ctap.UserVerification;
import org.gluu.oxauth.fido2.exception.Fido2RPRuntimeException;
import org.gluu.oxauth.fido2.model.auth.CredAndCounterData;
import org.gluu.oxauth.fido2.model.cert.PublicKeyCredentialDescriptor;
import org.gluu.oxauth.fido2.model.entry.Fido2RegistrationData;
import org.gluu.oxauth.fido2.model.entry.Fido2RegistrationEntry;
import org.gluu.oxauth.fido2.model.entry.Fido2RegistrationStatus;
import org.gluu.oxauth.fido2.persist.AuthenticationPersistenceService;
import org.gluu.oxauth.fido2.persist.RegistrationPersistenceService;
import org.gluu.oxauth.fido2.service.Base64Service;
import org.gluu.oxauth.fido2.service.ChallengeGenerator;
import org.gluu.oxauth.fido2.service.DataMapperService;
import org.gluu.oxauth.fido2.service.verifier.AuthenticatorAttestationVerifier;
import org.gluu.oxauth.fido2.service.verifier.ChallengeVerifier;
import org.gluu.oxauth.fido2.service.verifier.CommonVerifiers;
import org.gluu.oxauth.fido2.service.verifier.DomainVerifier;
import org.gluu.oxauth.model.configuration.AppConfiguration;
import org.gluu.service.net.NetworkService;
import org.slf4j.Logger;

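/**
 * Relying-party side of the FIDO2/WebAuthn registration (attestation) ceremony.
 *
 * <p>{@link #options(JsonNode)} builds the credential-creation options handed to the client and
 * persists a {@code pending} registration keyed by the freshly generated challenge.
 * {@link #verify(JsonNode)} takes the client's attestation response, locates that pending
 * registration through the challenge echoed in {@code clientDataJSON}, delegates origin and
 * attestation checks to the injected verifiers, and marks the registration {@code registered}.
 *
 * <p>All request payloads are untrusted client input; every structural check is performed before
 * any field is read, and a failed check surfaces as a {@link Fido2RPRuntimeException}.
 */
@ApplicationScoped
public class AttestationService {

    /** COSE algorithm identifier advertised in {@code pubKeyCredParams} (-7 is ES256). */
    private static final int COSE_ALG_ES256 = -7;

    /** Length in bytes of the opaque user handle placed in {@code user.id}. */
    private static final int USER_HANDLE_LENGTH = 32;

    /**
     * Shared CSPRNG for user handles. {@link SecureRandom} is documented as safe for concurrent
     * use, so one instance per application avoids re-seeding on every request.
     */
    private static final SecureRandom RANDOM = new SecureRandom();

    @Inject
    private Logger log;

    @Inject
    private AuthenticationPersistenceService authenticationsRepository;

    @Inject
    private RegistrationPersistenceService registrationsRepository;

    @Inject
    private AuthenticatorAttestationVerifier authenticatorAttestationVerifier;

    @Inject
    private ChallengeVerifier challengeVerifier;

    @Inject
    private DomainVerifier domainVerifier;

    @Inject
    private ChallengeGenerator challengeGenerator;

    @Inject
    private CommonVerifiers commonVerifiers;

    @Inject
    private DataMapperService dataMapperService;

    @Inject
    private Base64Service base64Service;

    @Inject
    private NetworkService networkService;

    @Inject
    private AppConfiguration appConfiguration;

    /**
     * Produces the {@code PublicKeyCredentialCreationOptions} for a new registration.
     *
     * @param jsonNode the client's options request (at least {@code username} and
     *     {@code displayName}; optionally {@code documentDomain}, {@code credentialType},
     *     {@code authenticatorSelection}, {@code extensions})
     * @return the creation options, including {@code status} and {@code errorMessage} fields
     * @throws Fido2RPRuntimeException if the request fails {@code CommonVerifiers#verifyOptions}
     */
    public JsonNode options(JsonNode jsonNode) {
        this.log.info("options {}", jsonNode);
        return createNewRegistration(jsonNode);
    }

    /**
     * Verifies the client's attestation response and completes the pending registration.
     *
     * @param jsonNode the {@code PublicKeyCredential} returned by the client; must carry
     *     {@code id}, {@code type} and a {@code response} object with {@code clientDataJSON}
     * @return the input node with {@code status} and {@code errorMessage} added
     * @throws Fido2RPRuntimeException if the payload is malformed, {@code clientDataJSON} cannot be
     *     parsed, no pending registration matches the challenge, or any verifier rejects the data
     */
    public JsonNode verify(JsonNode jsonNode) {
        this.log.info("registerResponse {}", jsonNode);
        this.commonVerifiers.verifyBasicPayload(jsonNode);
        this.commonVerifiers.verifyBase64UrlString(jsonNode, "type");
        JsonNode response = jsonNode.get("response");
        // A missing "response" object previously surfaced as a NullPointerException; report it
        // the same way as a missing clientDataJSON so callers get a single exception type.
        if (response == null || !response.hasNonNull("clientDataJSON")) {
            throw new Fido2RPRuntimeException("Client data JSON is missing");
        }
        try {
            byte[] clientDataBytes = this.base64Service.urlDecode(response.get("clientDataJSON").asText());
            JsonNode clientData = this.dataMapperService.readTree(new String(clientDataBytes, StandardCharsets.UTF_8));
            if (clientData == null) {
                throw new Fido2RPRuntimeException("Client data JSON is empty");
            }
            this.commonVerifiers.verifyClientJSON(clientData);
            this.commonVerifiers.verifyClientJSONTypeIsCreate(clientData);
            String credentialId = this.commonVerifiers.verifyBase64UrlString(jsonNode, "id");
            // Re-encode without padding so the lookup key matches the form the challenge was stored in.
            String challenge = this.base64Service.urlEncodeToStringWithoutPadding(
                    this.base64Service.urlDecode(clientData.get("challenge").asText()));
            this.log.info("Challenge {}", challenge);
            // Only a registration that is still pending may consume this challenge; an entry that
            // is already registered keeps the same challenge, and matching it again would let a
            // replayed response overwrite the stored credential.
            Fido2RegistrationEntry entry = this.registrationsRepository.findAllByChallenge(challenge).stream()
                    .filter(candidate -> Fido2RegistrationStatus.pending.equals(candidate.getRegistrationData().getStatus()))
                    .findFirst()
                    .orElseThrow(() -> new Fido2RPRuntimeException(
                            String.format("Can't find request with matching challenge '%s' and domain", challenge)));
            Fido2RegistrationData registrationData = entry.getRegistrationData();
            this.domainVerifier.verifyDomain(registrationData.getDomain(), clientData.get("origin").asText());
            CredAndCounterData attestation =
                    this.authenticatorAttestationVerifier.verifyAuthenticatorAttestationResponse(response, registrationData);
            registrationData.setUncompressedECPoint(attestation.getUncompressedEcPoint());
            registrationData.setW3cAuthenticatorAttenstationResponse(response.toString());
            registrationData.setSignatureAlgorithm(attestation.getSignatureAlgorithm());
            registrationData.setCounter(attestation.getCounters());
            // Prefer the credential id recovered from the attestation object; fall back to the
            // id the client reported at the top level.
            String credId = attestation.getCredId();
            registrationData.setPublicKeyId(credId != null ? credId : credentialId);
            registrationData.setType("public-key");
            registrationData.setStatus(Fido2RegistrationStatus.registered);
            this.registrationsRepository.update(entry);
            ObjectNode result = (ObjectNode) jsonNode;
            result.put("errorMessage", "");
            result.put("status", "ok");
            return result;
        } catch (IOException e) {
            // Keep the parse failure in the log; the exception type thrown to the caller is
            // unchanged, but the cause was previously dropped entirely.
            this.log.error("Can't parse message", e);
            throw new Fido2RPRuntimeException("Can't parse message");
        }
    }

    /**
     * Builds the creation options for {@code jsonNode} and stores the matching pending
     * registration (username, user handle, challenge, domain, serialized options).
     *
     * @param jsonNode the validated options request
     * @return the creation options sent back to the client
     */
    private JsonNode createNewRegistration(JsonNode jsonNode) {
        this.commonVerifiers.verifyOptions(jsonNode);
        String username = jsonNode.get("username").asText();
        String displayName = jsonNode.get("displayName").asText();
        // The RP id is derived from the caller-supplied documentDomain when present, otherwise
        // from the configured issuer.
        String domainSource = jsonNode.hasNonNull("documentDomain")
                ? jsonNode.get("documentDomain").asText()
                : this.appConfiguration.getIssuer();
        String host = this.networkService.getHost(domainSource);
        this.log.info("Options {} {} {}", username, displayName, host);
        AttestationConveyancePreference conveyance = this.commonVerifiers.verifyAttestationConveyanceType(jsonNode);
        String credentialType = jsonNode.hasNonNull("credentialType")
                ? jsonNode.get("credentialType").asText("public-key")
                : "public-key";
        JsonNode authenticatorSelection = jsonNode.hasNonNull("authenticatorSelection")
                ? jsonNode.get("authenticatorSelection")
                : defaultAuthenticatorSelection();
        String challenge = this.challengeGenerator.getChallenge();
        this.log.info("Challenge {}", challenge);
        String userHandle = this.base64Service.urlEncodeToString(newUserHandle());

        // Field order is preserved from the original implementation because the serialized
        // options are stored verbatim on the registration record.
        ObjectNode options = this.dataMapperService.createObjectNode();
        options.put("challenge", challenge);
        ObjectNode rp = options.putObject("rp");
        rp.put("name", "oxAuth RP");
        rp.put("id", host);
        ObjectNode user = options.putObject("user");
        user.put("id", userHandle);
        user.put("name", username);
        user.put("displayName", displayName);
        options.put("attestation", conveyance.toString());
        ObjectNode pubKeyCredParam = options.putArray("pubKeyCredParams").addObject();
        // An unrecognised credentialType leaves an empty entry, as before; a stricter rejection
        // would change the response contract and is left to the verifier.
        if ("public-key".equals(credentialType) || "FIDO".equals(credentialType)) {
            pubKeyCredParam.put("type", credentialType);
            pubKeyCredParam.put("alg", COSE_ALG_ES256);
        }
        options.set("authenticatorSelection", authenticatorSelection);
        options.putArray("excludeCredentials").addAll(registeredCredentialDescriptors(username));
        if (jsonNode.hasNonNull("extensions")) {
            options.set("extensions", jsonNode.get("extensions"));
        }
        options.put("status", "ok");
        options.put("errorMessage", "");

        Fido2RegistrationData registrationData = new Fido2RegistrationData();
        registrationData.setUsername(username);
        registrationData.setUserId(userHandle);
        registrationData.setChallenge(challenge);
        registrationData.setDomain(host);
        registrationData.setW3cCredentialCreationOptions(options.toString());
        registrationData.setAttestationConveyancePreferenceType(conveyance);
        registrationData.setStatus(Fido2RegistrationStatus.pending);
        this.registrationsRepository.save(registrationData);
        return options;
    }

    /** Default {@code authenticatorSelection}: no resident key, user verification preferred. */
    private ObjectNode defaultAuthenticatorSelection() {
        ObjectNode selection = this.dataMapperService.createObjectNode();
        selection.put("requireResidentKey", false);
        selection.put("userVerification", UserVerification.preferred.toString());
        return selection;
    }

    /** Generates a fresh random user handle of {@link #USER_HANDLE_LENGTH} bytes. */
    private static byte[] newUserHandle() {
        byte[] handle = new byte[USER_HANDLE_LENGTH];
        RANDOM.nextBytes(handle);
        return handle;
    }

    /**
     * Descriptors of the user's already registered credentials, used as {@code excludeCredentials}
     * so the authenticator does not create a duplicate for the same account.
     *
     * @param username the account whose registered entries are collected
     * @return one {@link PublicKeyCredentialDescriptor} node per entry in {@code registered} state
     */
    private List<JsonNode> registeredCredentialDescriptors(String username) {
        return this.registrationsRepository.findAllByUsername(username).stream()
                .filter(entry -> Fido2RegistrationStatus.registered.equals(entry.getRegistrationData().getStatus()))
                .map(entry -> (JsonNode) this.dataMapperService.convertValue(
                        new PublicKeyCredentialDescriptor(
                                entry.getRegistrationData().getType(),
                                entry.getRegistrationData().getPublicKeyId()),
                        JsonNode.class))
                .collect(Collectors.toList());
    }
}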
