package org.gluu.oxauth.ws.rs.fido.u2f;

import javax.inject.Inject;
import javax.ws.rs.FormParam;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import org.gluu.oxauth.exception.fido.u2f.DeviceCompromisedException;
import org.gluu.oxauth.exception.fido.u2f.InvalidKeyHandleDeviceException;
import org.gluu.oxauth.exception.fido.u2f.NoEligableDevicesException;
import org.gluu.oxauth.model.config.Constants;
import org.gluu.oxauth.model.configuration.AppConfiguration;
import org.gluu.oxauth.model.error.ErrorResponseFactory;
import org.gluu.oxauth.model.fido.u2f.AuthenticateRequestMessageLdap;
import org.gluu.oxauth.model.fido.u2f.DeviceRegistration;
import org.gluu.oxauth.model.fido.u2f.DeviceRegistrationResult;
import org.gluu.oxauth.model.fido.u2f.U2fErrorResponseType;
import org.gluu.oxauth.model.fido.u2f.exception.BadInputException;
import org.gluu.oxauth.model.fido.u2f.protocol.AuthenticateRequestMessage;
import org.gluu.oxauth.model.fido.u2f.protocol.AuthenticateResponse;
import org.gluu.oxauth.model.fido.u2f.protocol.AuthenticateStatus;
import org.gluu.oxauth.model.util.Base64Util;
import org.gluu.oxauth.service.common.UserService;
import org.gluu.oxauth.service.fido.u2f.AuthenticationService;
import org.gluu.oxauth.service.fido.u2f.DeviceRegistrationService;
import org.gluu.oxauth.service.fido.u2f.UserSessionIdService;
import org.gluu.oxauth.service.fido.u2f.ValidationService;
import org.gluu.oxauth.util.ServerUtil;
import org.gluu.util.StringHelper;
import org.slf4j.Logger;

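@Path("/fido/u2f/authentication")
/**
 * JAX-RS endpoint implementing the two-step FIDO U2F sign (authentication) ceremony.
 *
 * <p>{@link #startAuthentication} issues a challenge for a user identified either by username
 * (bound to an in-progress login session) or by a registered key handle, and persists the
 * challenge keyed by its request id. {@link #finishAuthentication} consumes that stored challenge
 * exactly once, verifies the authenticator's response against it, and, when the ceremony was tied
 * to a login session, records the outcome on that session.
 *
 * <p>Both endpoints are hard-disabled (HTTP 403) when {@code AppConfiguration.disableU2fEndpoint}
 * is set. All failures are surfaced as {@link WebApplicationException} carrying one of the
 * {@link U2fErrorResponseType} bodies; the detailed reason is only logged, never returned.
 */
public class U2fAuthenticationWS {

    @Inject
    private Logger log;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private UserService userService;

    @Inject
    private AuthenticationService u2fAuthenticationService;

    @Inject
    private DeviceRegistrationService deviceRegistrationService;

    @Inject
    private UserSessionIdService userSessionIdService;

    @Inject
    private ValidationService u2fValidationService;

    /**
     * Step 1 of the sign ceremony: build and persist an authenticate request (challenge) for the
     * target user and return it to the client as JSON.
     *
     * @param username  account to authenticate; when present, {@code sessionId} must be a valid
     *                  in-progress login session for this user or the request is rejected
     * @param keyHandle base64url key handle of a registered device; used to resolve the user only
     *                  when {@code username} is empty. Note that this path performs no session check.
     * @param appId     U2F application id (facet) the challenge is scoped to
     * @param sessionId login session the ceremony is attached to; stored with the challenge and
     *                  updated by {@link #finishAuthentication}
     * @return 200 with the serialized {@link AuthenticateRequestMessage}; 403 if the endpoint is disabled
     * @throws WebApplicationException 404 {@code NO_ELIGABLE_DEVICES} when the user has no usable
     *         device or the key handle is unknown; 500 {@code SERVER_ERROR} for every other failure,
     *         including malformed input (the detailed {@link BadInputException} message is logged only)
     */
    @GET
    @Produces({"application/json"})
    public Response startAuthentication(@QueryParam("username") String username, @QueryParam("keyhandle") String keyHandle,
            @QueryParam("application") String appId, @QueryParam("session_id") String sessionId) {
        try {
            if (appConfiguration.getDisableU2fEndpoint().booleanValue()) {
                return Response.status(Response.Status.FORBIDDEN).build();
            }
            // NOTE(review): session_id is a credential for the pending login and key handles identify a
            // user's device; consider redacting both from debug logs.
            log.debug("Startig authentication with username '{}', keyhandle '{}' for appId '{}' and session_id '{}'",
                    new Object[]{username, keyHandle, appId, sessionId});

            if (StringHelper.isEmpty(username) && StringHelper.isEmpty(keyHandle)) {
                throw new BadInputException("The request should contains either username or keyhandle");
            }

            String userInum = resolveUserInum(username, keyHandle, appId, sessionId);
            if (StringHelper.isEmpty(userInum)) {
                // Message names the looked-up identifiers, but it is only logged: the client receives the
                // generic SERVER_ERROR body, so this does not leak account existence to the caller.
                throw new BadInputException(String.format("Failed to find user by userName '%s' or keyHandle '%s' in LDAP", username, keyHandle));
            }

            AuthenticateRequestMessage requestMessage = u2fAuthenticationService.buildAuthenticateRequestMessage(appId, userInum);
            // NOTE(review): in the key-handle path sessionId reaches storage unvalidated and is later passed
            // to updateUserSessionIdOnFinishRequest; confirm that service re-checks session ownership.
            u2fAuthenticationService.storeAuthenticationRequestMessage(requestMessage, userInum, sessionId);

            return Response.status(Response.Status.OK)
                    .entity(ServerUtil.asJson(requestMessage))
                    .cacheControl(ServerUtil.cacheControl(true))
                    .build();
        } catch (Exception e) {
            log.error("Exception happened", e);
            if (e instanceof WebApplicationException) {
                throw (WebApplicationException) e;
            }
            if ((e instanceof NoEligableDevicesException) || (e instanceof InvalidKeyHandleDeviceException)) {
                throw new WebApplicationException(Response.status(Response.Status.NOT_FOUND)
                        .entity(errorResponseFactory.getErrorResponse(U2fErrorResponseType.NO_ELIGABLE_DEVICES)).build());
            }
            throw new WebApplicationException(Response.status(Response.Status.INTERNAL_SERVER_ERROR)
                    .entity(errorResponseFactory.getJsonErrorResponse(U2fErrorResponseType.SERVER_ERROR)).build());
        }
    }

    /**
     * Resolve the user inum for a start request.
     *
     * <p>Username takes precedence. That path requires {@code sessionId} to be a valid in-progress
     * session for the user, so an unauthenticated caller cannot mint challenges for arbitrary
     * accounts. The key-handle path does not consult the session at all; the key handle is
     * decoded and re-encoded, presumably to canonicalize base64url variants before lookup.
     *
     * @return the inum, or an empty/null value when no matching user exists
     * @throws BadInputException when the username path is used with an invalid session id
     */
    private String resolveUserInum(String username, String keyHandle, String appId, String sessionId) {
        if (StringHelper.isNotEmpty(username)) {
            if (!u2fValidationService.isValidSessionId(username, sessionId)) {
                throw new BadInputException(String.format("session_id '%s' is invalid", sessionId));
            }
            return userService.getUserInum(username);
        }
        String canonicalKeyHandle = Base64Util.base64urlencode(Base64Util.base64urldecode(keyHandle));
        return u2fAuthenticationService.getUserInumByKeyHandle(appId, canonicalKeyHandle);
    }

    /**
     * Step 2 of the sign ceremony: verify the authenticator's response against the stored challenge.
     *
     * <p>The stored challenge is deleted <em>before</em> verification, so a given request id can be
     * attempted only once regardless of outcome. The identity being asserted is the user inum bound
     * to the stored challenge, not the {@code username} form field; that field only feeds a boolean
     * flag into {@code updateUserSessionIdOnFinishRequest} whose meaning is not visible here.
     *
     * <p>On any failure after the challenge was located, the attached login session (if any) is
     * marked as declined so it cannot remain in a half-finished state. A response that proves the
     * device was cloned ({@link DeviceCompromisedException}) additionally disables that device.
     *
     * @param username      optional account name; see note above on how it is used
     * @param tokenResponse JSON (wrap-root) serialization of {@link AuthenticateResponse} from the client
     * @return 200 with an {@link AuthenticateStatus} of {@code RESULT_SUCCESS}; 403 if the endpoint is disabled
     * @throws WebApplicationException 403 {@code SESSION_EXPIRED} if no challenge exists for the
     *         response's request id; 403 {@code INVALID_REQUEST} on {@link BadInputException};
     *         403 {@code DEVICE_COMPROMISED} on {@link DeviceCompromisedException}; 500 otherwise
     */
    @POST
    @Produces({"application/json"})
    public Response finishAuthentication(@FormParam("username") String username, @FormParam("tokenResponse") String tokenResponse) {
        // Declared outside the try so the error path can still mark the login session as declined.
        // (Previously this value was unreachable in the catch block, so sessions were never declined.)
        String sessionId = null;
        try {
            if (appConfiguration.getDisableU2fEndpoint().booleanValue()) {
                return Response.status(Response.Status.FORBIDDEN).build();
            }
            // NOTE(review): the raw authenticator response is logged verbatim at debug level.
            log.debug("Finishing authentication for username '{}' with response '{}'", username, tokenResponse);

            AuthenticateResponse authenticateResponse = ServerUtil.jsonMapperWithWrapRoot().readValue(tokenResponse, AuthenticateResponse.class);
            String requestId = authenticateResponse.getRequestId();

            AuthenticateRequestMessageLdap storedRequest = u2fAuthenticationService.getAuthenticationRequestMessageByRequestId(requestId);
            if (storedRequest == null) {
                throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN)
                        .entity(errorResponseFactory.getJsonErrorResponse(U2fErrorResponseType.SESSION_EXPIRED)).build());
            }
            sessionId = storedRequest.getSessionId();

            // Single-use challenge: remove it before verifying so the same response cannot be replayed.
            u2fAuthenticationService.removeAuthenticationRequestMessage(storedRequest);

            AuthenticateRequestMessage challenge = storedRequest.getAuthenticateRequestMessage();
            String userInum = storedRequest.getUserInum();
            DeviceRegistrationResult result = u2fAuthenticationService.finishAuthentication(challenge, authenticateResponse, userInum);

            if (StringHelper.isNotEmpty(sessionId)) {
                log.debug("There is session id. Setting session id attributes");
                userSessionIdService.updateUserSessionIdOnFinishRequest(sessionId, userInum, result, false, StringHelper.isEmpty(username));
            }

            return Response.status(Response.Status.OK)
                    .entity(ServerUtil.asJson(new AuthenticateStatus(Constants.RESULT_SUCCESS, requestId)))
                    .cacheControl(ServerUtil.cacheControl(true))
                    .build();
        } catch (Exception e) {
            log.error("Exception happened", e);
            if (e instanceof WebApplicationException) {
                throw (WebApplicationException) e;
            }

            markSessionDeclined(sessionId);

            if (e instanceof BadInputException) {
                throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN)
                        .entity(errorResponseFactory.getErrorResponse(U2fErrorResponseType.INVALID_REQUEST)).build());
            }
            if (e instanceof DeviceCompromisedException) {
                disableCompromisedDevice(((DeviceCompromisedException) e).getDeviceRegistration());
                throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN)
                        .entity(errorResponseFactory.getErrorResponse(U2fErrorResponseType.DEVICE_COMPROMISED)).build());
            }
            throw new WebApplicationException(Response.status(Response.Status.INTERNAL_SERVER_ERROR)
                    .entity(errorResponseFactory.getJsonErrorResponse(U2fErrorResponseType.SERVER_ERROR)).build());
        }
    }

    /**
     * Best-effort: mark the login session attached to a failed ceremony as declined.
     * A null/empty session id means the ceremony was not tied to a session and nothing is done.
     * Failures are logged and swallowed so the original error response is still returned.
     */
    private void markSessionDeclined(String sessionId) {
        if (StringHelper.isEmpty(sessionId)) {
            return;
        }
        try {
            log.debug("There is session id. Setting session id status to 'declined'");
            userSessionIdService.updateUserSessionIdOnError(sessionId);
        } catch (Exception e) {
            log.error("Failed to update session id status", e);
        }
    }

    /**
     * Best-effort: disable a device whose response indicated it has been cloned/compromised.
     * Failures are logged and swallowed; the caller still answers DEVICE_COMPROMISED.
     */
    private void disableCompromisedDevice(DeviceRegistration device) {
        if (device == null) {
            return;
        }
        try {
            deviceRegistrationService.disableUserDeviceRegistration(device);
        } catch (Exception e) {
            // Throwable goes last so SLF4J binds the id to the placeholder and still prints the stack trace.
            log.error("Failed to mark device '{}' as compomised", device.getId(), e);
        }
    }
}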
