package org.gluu.oxauth.service.fido.u2f;

import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Date;
import java.util.GregorianCalendar;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.TimeZone;
import java.util.UUID;
import javax.ejb.Stateless;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.inject.Produces;
import javax.inject.Inject;
import javax.inject.Named;
import org.apache.commons.codec.binary.Hex;
import org.gluu.oxauth.crypto.random.ChallengeGenerator;
import org.gluu.oxauth.crypto.signature.SHA256withECDSASignatureVerification;
import org.gluu.oxauth.exception.fido.u2f.DeviceCompromisedException;
import org.gluu.oxauth.exception.fido.u2f.InvalidKeyHandleDeviceException;
import org.gluu.oxauth.exception.fido.u2f.NoEligableDevicesException;
import org.gluu.oxauth.model.config.StaticConfiguration;
import org.gluu.oxauth.model.fido.u2f.AuthenticateRequestMessageLdap;
import org.gluu.oxauth.model.fido.u2f.DeviceRegistration;
import org.gluu.oxauth.model.fido.u2f.DeviceRegistrationResult;
import org.gluu.oxauth.model.fido.u2f.exception.BadInputException;
import org.gluu.oxauth.model.fido.u2f.message.RawAuthenticateResponse;
import org.gluu.oxauth.model.fido.u2f.protocol.AuthenticateRequest;
import org.gluu.oxauth.model.fido.u2f.protocol.AuthenticateRequestMessage;
import org.gluu.oxauth.model.fido.u2f.protocol.AuthenticateResponse;
import org.gluu.oxauth.model.fido.u2f.protocol.ClientData;
import org.gluu.oxauth.model.util.Base64Util;
import org.gluu.oxauth.service.common.UserService;
import org.gluu.persist.PersistenceEntryManager;
import org.gluu.search.filter.Filter;
import org.gluu.util.StringHelper;
import org.slf4j.Logger;

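/**
 * FIDO U2F authentication ceremony service.
 *
 * <p>Builds the challenge message for a user's registered (non-compromised) devices,
 * verifies the signed authenticate response (request/response binding, client data,
 * signature against the registered public key, user presence, counter) and stores,
 * looks up and removes the pending request messages in the persistence layer.
 *
 * <p>Parameter names are those of the decompiled original; the Javadoc of each method
 * says what the positional values are used for.
 */
@Stateless
@Named("u2fAuthenticationService")
/* loaded from: input_file:org/gluu/oxauth/service/fido/u2f/AuthenticationService.class */
public class AuthenticationService extends RequestService {

    @Inject
    private Logger log;

    // Persistence entry manager; the DN layout is produced by getDnForAuthenticateRequestMessage().
    @Inject
    private PersistenceEntryManager ldapEntryManager;

    @Inject
    private ApplicationService applicationService;

    @Inject
    private RawAuthenticationService rawAuthenticationService;

    @Inject
    private ClientDataValidationService clientDataValidationService;

    @Inject
    private DeviceRegistrationService deviceRegistrationService;

    @Inject
    private UserService userService;

    // Source of the per-message challenge bytes (the "randomChallengeGenerator" bean).
    @Inject
    @Named("randomChallengeGenerator")
    private ChallengeGenerator challengeGenerator;

    @Inject
    private StaticConfiguration staticConfiguration;

    /**
     * CDI producer for the SHA-256/ECDSA signature verifier used by the raw U2F checks.
     *
     * @return a new {@link SHA256withECDSASignatureVerification} (application scoped by CDI)
     */
    @ApplicationScoped
    @Produces
    @Named("sha256withECDSASignatureVerification")
    public SHA256withECDSASignatureVerification getBouncyCastleSignatureVerification() {
        return new SHA256withECDSASignatureVerification();
    }

    /**
     * Builds an {@link AuthenticateRequestMessage} holding one {@link AuthenticateRequest} per
     * device the user has registered for the application and that is not marked compromised.
     * All per-device requests share one freshly generated challenge.
     *
     * @param str  the application id; validated through {@link ApplicationService} when
     *             application validation is enabled
     * @param str2 the user identifier whose device registrations are looked up
     * @return a message with one request per eligible device (never empty)
     * @throws BadInputException          propagated from application validation (when enabled)
     * @throws NoEligableDevicesException if the user has no registered devices, or every
     *                                    registered device is marked compromised
     */
    public AuthenticateRequestMessage buildAuthenticateRequestMessage(String str, String str2) throws BadInputException, NoEligableDevicesException {
        if (this.applicationService.isValidateApplication()) {
            this.applicationService.checkIsValid(str);
        }
        // A single challenge for the whole message: every per-device request embeds the same bytes.
        byte[] challenge = this.challengeGenerator.generateChallenge();
        List<DeviceRegistration> registrations = this.deviceRegistrationService.findUserDeviceRegistrations(str2, str, new String[0]);
        List<AuthenticateRequest> requests = new ArrayList<>(registrations.size());
        for (DeviceRegistration registration : registrations) {
            if (registration.isCompromised()) {
                continue;
            }
            try {
                requests.add(startAuthentication(str, registration, challenge));
            } catch (DeviceCompromisedException e) {
                // Not reachable after the isCompromised() guard above; kept as a logged safety net.
                this.log.error("Faield to authenticate device", e);
            }
        }
        if (!requests.isEmpty()) {
            return new AuthenticateRequestMessage(requests);
        }
        if (registrations.isEmpty()) {
            throw new NoEligableDevicesException(registrations, "No devices registrered");
        }
        throw new NoEligableDevicesException(registrations, "All devices compromised");
    }

    /**
     * Starts authentication for a single device with a freshly generated challenge.
     *
     * @param str                the application id placed into the request
     * @param deviceRegistration the device to authenticate with
     * @return the authenticate request for that device
     * @throws DeviceCompromisedException if the device is marked compromised
     */
    public AuthenticateRequest startAuthentication(String str, DeviceRegistration deviceRegistration) throws DeviceCompromisedException {
        return startAuthentication(str, deviceRegistration, this.challengeGenerator.generateChallenge());
    }

    /**
     * Starts authentication for a single device using the given challenge bytes.
     *
     * @param str                the application id placed into the request
     * @param deviceRegistration the device to authenticate with; supplies the key handle
     * @param bArr               raw challenge bytes, base64url-encoded into the request
     * @return the authenticate request for that device
     * @throws DeviceCompromisedException if the device is marked compromised
     */
    public AuthenticateRequest startAuthentication(String str, DeviceRegistration deviceRegistration, byte[] bArr) throws DeviceCompromisedException {
        if (deviceRegistration.isCompromised()) {
            throw new DeviceCompromisedException(deviceRegistration, "Device has been marked as compromised, cannot authenticate");
        }
        return new AuthenticateRequest(Base64Util.base64urlencode(bArr), str, deviceRegistration.getKeyHandle());
    }

    /**
     * Verifies an authenticate response without a facet allow-list
     * (see {@link #finishAuthentication(AuthenticateRequestMessage, AuthenticateResponse, String, Set)}).
     *
     * @param authenticateRequestMessage the message the response answers
     * @param authenticateResponse       the token's response
     * @param str                        the user identifier the device must be registered for
     * @return the verification result
     * @throws BadInputException          if the response does not match the request or registration
     * @throws DeviceCompromisedException if the matched device is marked compromised
     */
    public DeviceRegistrationResult finishAuthentication(AuthenticateRequestMessage authenticateRequestMessage, AuthenticateResponse authenticateResponse, String str) throws BadInputException, DeviceCompromisedException {
        return finishAuthentication(authenticateRequestMessage, authenticateResponse, str, null);
    }

    /**
     * Verifies an authenticate response and updates the matched device registration.
     *
     * <p>Check order: the response is bound to its request (request id and key handle), the key
     * handle is resolved among the devices registered for {@code str} and the message's appId
     * (so a response for another user's device is rejected), the device must not be compromised,
     * the client data is validated against the supported types, the request challenge and the
     * facet set, the signature is checked against the registered public key, user presence is
     * required, and finally the counter is checked and updated.
     *
     * <p>The counter and last-access time are persisted before the status is derived, so a
     * response whose client-data type is not the "get" type still advances the stored counter
     * and yields {@code CANCELED}.
     *
     * @param authenticateRequestMessage the message the response answers
     * @param authenticateResponse       the token's response
     * @param str                        the user identifier the device must be registered for
     * @param set                        allowed facets passed to client-data validation; may be {@code null}
     * @return the result with the updated registration and {@code APPROVED} or {@code CANCELED}
     * @throws BadInputException          if the response does not match the request, no registered
     *                                    device has the response's key handle, or validation fails
     * @throws DeviceCompromisedException if the matched device is marked compromised
     */
    public DeviceRegistrationResult finishAuthentication(AuthenticateRequestMessage authenticateRequestMessage, AuthenticateResponse authenticateResponse, String str, Set<String> set) throws BadInputException, DeviceCompromisedException {
        List<DeviceRegistration> registrations = this.deviceRegistrationService.findUserDeviceRegistrations(str, authenticateRequestMessage.getAppId(), new String[0]);
        AuthenticateRequest authenticateRequest = getAuthenticateRequest(authenticateRequestMessage, authenticateResponse);
        DeviceRegistration deviceRegistration = findByKeyHandle(registrations, authenticateRequest.getKeyHandle());
        if (deviceRegistration == null) {
            throw new BadInputException("Failed to find DeviceRegistration for the given AuthenticateRequest");
        }
        if (deviceRegistration.isCompromised()) {
            throw new DeviceCompromisedException(deviceRegistration, "The device is marked as possibly compromised, and cannot be authenticated");
        }
        ClientData clientData = authenticateResponse.getClientData();
        // Explicit charset: the hex dumps must not depend on the platform default encoding.
        this.log.debug("Client data HEX '{}'", Hex.encodeHexString(authenticateResponse.getClientDataRaw().getBytes(StandardCharsets.UTF_8)));
        this.log.debug("Signature data HEX '{}'", Hex.encodeHexString(authenticateResponse.getSignatureData().getBytes(StandardCharsets.UTF_8)));
        this.clientDataValidationService.checkContent(clientData, RawAuthenticationService.SUPPORTED_AUTHENTICATE_TYPES, authenticateRequest.getChallenge(), set);
        RawAuthenticateResponse rawResponse = this.rawAuthenticationService.parseRawAuthenticateResponse(authenticateResponse.getSignatureData());
        // Signature is verified against the public key stored at registration time, never one sent by the client.
        this.rawAuthenticationService.checkSignature(authenticateRequest.getAppId(), clientData, rawResponse, Base64Util.base64urldecode(deviceRegistration.getDeviceRegistrationConfiguration().getPublicKey()));
        rawResponse.checkUserPresence();
        this.log.debug("Counter in finish authentication request'{}', countr in database '{}'", rawResponse.getCounter(), deviceRegistration.getCounter());
        // Presumably rejects a counter that did not advance (cloned-token signal) — see DeviceRegistration.
        deviceRegistration.checkAndUpdateCounter(rawResponse.getCounter());
        deviceRegistration.setLastAccessTime(new Date());
        this.deviceRegistrationService.updateDeviceRegistration(str, deviceRegistration);
        DeviceRegistrationResult.Status status = DeviceRegistrationResult.Status.APPROVED;
        if (!StringHelper.equals(RawAuthenticationService.AUTHENTICATE_GET_TYPE, clientData.getTyp())) {
            status = DeviceRegistrationResult.Status.CANCELED;
            this.log.debug("Authentication request with keyHandle '{}' was canceled", authenticateResponse.getKeyHandle());
        }
        return new DeviceRegistrationResult(deviceRegistration, status);
    }

    /**
     * Returns the first registration whose key handle equals {@code keyHandle}, or {@code null}.
     *
     * @param registrations the candidate registrations
     * @param keyHandle     the key handle to match (compared with {@link StringHelper#equals})
     * @return the matching registration, or {@code null} if none matches
     */
    private static DeviceRegistration findByKeyHandle(List<DeviceRegistration> registrations, String keyHandle) {
        for (DeviceRegistration candidate : registrations) {
            if (StringHelper.equals(keyHandle, candidate.getKeyHandle())) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Resolves the request inside {@code authenticateRequestMessage} that the response answers.
     *
     * @param authenticateRequestMessage the issued message
     * @param authenticateResponse       the token's response
     * @return the contained request whose key handle equals the response's key handle
     * @throws BadInputException if the request ids differ, or no contained request has the
     *                           response's key handle
     */
    public AuthenticateRequest getAuthenticateRequest(AuthenticateRequestMessage authenticateRequestMessage, AuthenticateResponse authenticateResponse) throws BadInputException {
        if (!StringHelper.equals(authenticateRequestMessage.getRequestId(), authenticateResponse.getRequestId())) {
            throw new BadInputException("Wrong request for response data");
        }
        for (AuthenticateRequest authenticateRequest : authenticateRequestMessage.getAuthenticateRequests()) {
            if (StringHelper.equals(authenticateRequest.getKeyHandle(), authenticateResponse.getKeyHandle())) {
                return authenticateRequest;
            }
        }
        throw new BadInputException("Responses keyHandle does not match any contained request");
    }

    /**
     * Persists a pending request message under a freshly generated random id.
     *
     * @param authenticateRequestMessage the message to store
     * @param str                        stored as the fifth constructor argument of
     *                                   {@link AuthenticateRequestMessageLdap}; presumably the user — confirm
     * @param str2                       stored as the fourth constructor argument; presumably the
     *                                   session/state value — confirm
     */
    public void storeAuthenticationRequestMessage(AuthenticateRequestMessage authenticateRequestMessage, String str, String str2) {
        // A Date is an instant; the former UTC GregorianCalendar detour produced the same value.
        Date creationTime = new Date();
        String id = UUID.randomUUID().toString();
        this.ldapEntryManager.persist(new AuthenticateRequestMessageLdap(getDnForAuthenticateRequestMessage(id), id, creationTime, str2, str, authenticateRequestMessage));
    }

    /**
     * Loads the pending request message stored under {@code str}.
     *
     * @param str the id the message was stored under; it is formatted into the entry DN, so
     *            callers must pass only a server-issued id
     * @return the stored message, or {@code null} if no entry exists
     */
    public AuthenticateRequestMessage getAuthenticationRequestMessage(String str) {
        AuthenticateRequestMessageLdap entry = this.ldapEntryManager.find(AuthenticateRequestMessageLdap.class, getDnForAuthenticateRequestMessage(str));
        if (entry == null) {
            return null;
        }
        return entry.getAuthenticateRequestMessage();
    }

    /**
     * Finds the stored request message entry whose {@code oxRequestId} attribute equals {@code str}.
     *
     * @param str the request id to search for (passed as a filter value, not concatenated)
     * @return the first matching entry, or {@code null} if none is found
     */
    public AuthenticateRequestMessageLdap getAuthenticationRequestMessageByRequestId(String str) {
        List<AuthenticateRequestMessageLdap> entries = this.ldapEntryManager.findEntries(getDnForAuthenticateRequestMessage(null), AuthenticateRequestMessageLdap.class, Filter.createEqualityFilter("oxRequestId", str));
        if (entries == null || entries.isEmpty()) {
            return null;
        }
        return entries.get(0);
    }

    /**
     * Removes a stored request message entry (delegates to the inherited {@code removeRequestMessage}).
     *
     * @param authenticateRequestMessageLdap the entry to remove
     */
    public void removeAuthenticationRequestMessage(AuthenticateRequestMessageLdap authenticateRequestMessageLdap) {
        removeRequestMessage(authenticateRequestMessageLdap);
    }

    /**
     * Resolves the inum of the user owning the device registered with {@code str2}.
     *
     * @param str  first argument to {@code findDeviceRegistrationsByKeyHandle}; presumably the
     *             application id — confirm
     * @param str2 the key handle
     * @return the user inum, or {@code null} if either argument is empty
     * @throws InvalidKeyHandleDeviceException if no device has that key handle
     * @throws BadInputException               if more than one device has that key handle
     *                                         (not declared in the original, so presumably unchecked)
     */
    public String getUserInumByKeyHandle(String str, String str2) throws InvalidKeyHandleDeviceException {
        if (StringHelper.isEmpty(str) || StringHelper.isEmpty(str2)) {
            return null;
        }
        List<DeviceRegistration> devices = this.deviceRegistrationService.findDeviceRegistrationsByKeyHandle(str, str2, "oxId");
        if (devices.isEmpty()) {
            throw new InvalidKeyHandleDeviceException(String.format("Failed to find device by keyHandle '%s' in LDAP", str2));
        }
        // A key handle must identify exactly one device; ambiguity is treated as bad input.
        if (devices.size() != 1) {
            throw new BadInputException(String.format("There are '%d' devices with keyHandle '%s' in LDAP", Integer.valueOf(devices.size()), str2));
        }
        return this.userService.getUserInumByDn(devices.get(0).getDn());
    }

    /**
     * Builds the DN of the authentication-requests container, or of one entry inside it.
     *
     * <p>NOTE(review): {@code str} is interpolated into the DN without escaping; it is intended
     * for ids this service generates itself (see {@link #storeAuthenticationRequestMessage}).
     * Callers that take the id from a request should validate it before calling — confirm.
     *
     * @param str the entry id, or empty/{@code null} for the container DN
     * @return {@code ou=authentication_requests,<u2fBase>} or {@code oxid=<str>,ou=authentication_requests,<u2fBase>}
     */
    public String getDnForAuthenticateRequestMessage(String str) {
        String u2fBase = this.staticConfiguration.getBaseDn().getU2fBase();
        if (StringHelper.isEmpty(str)) {
            return String.format("ou=authentication_requests,%s", u2fBase);
        }
        return String.format("oxid=%s,ou=authentication_requests,%s", str, u2fBase);
    }
}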
