package org.gluu.radius.server.filter;

import java.util.Iterator;
import org.apache.log4j.Logger;
import org.gluu.oxauth.client.supergluu.SuperGluuAuthClient;
import org.gluu.oxauth.client.supergluu.SuperGluuAuthClientConfig;
import org.gluu.oxauth.client.supergluu.SuperGluuAuthScheme;
import org.gluu.oxauth.client.supergluu.SuperGluuAuthStatus;
import org.gluu.oxauth.client.supergluu.impl.IHttpClientFactory;
import org.gluu.oxauth.client.supergluu.impl.http.PoolingConnectionHttpClientFactory;
import org.gluu.radius.exception.GluuRadiusException;
import org.gluu.radius.server.AccessRequestContext;
import org.gluu.radius.server.AccessRequestFilter;
import org.gluu.radius.service.CryptoService;

/* loaded from: input_file:org/gluu/radius/server/filter/SuperGluuAccessRequestFilter.class */
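/**
 * RADIUS access-request filter that authenticates a user through
 * {@link SuperGluuAuthClient}, using either the one-step or the two-step scheme selected in
 * {@link SuperGluuAccessRequestFilterConfig}.
 *
 * <p>Every path fails closed: a {@code null} or {@code false} result from the client, a status
 * other than {@code AUTHENTICATED}, a timeout, an interrupt, or any exception denies the request.
 *
 * <p>The username comes from the access request and is therefore untrusted; it is passed through
 * {@link #forLog(String)} before being written to the log. The password is never logged.
 *
 * <p>NOTE(review): every outcome, including failures, is logged at DEBUG only. If failed
 * authentications need to be visible to monitoring at the production log level, confirm they are
 * recorded elsewhere.
 */
public class SuperGluuAccessRequestFilter implements AccessRequestFilter {
    private static final Logger log = Logger.getLogger(SuperGluuAccessRequestFilter.class);

    /** Pause between two-step status polls, in milliseconds (passed to {@link Thread#sleep}). */
    private static final long statusCheckInterval = 50;

    private final IHttpClientFactory httpClientFactory = new PoolingConnectionHttpClientFactory();
    private final SuperGluuAccessRequestFilterConfig filterConfig;

    /**
     * Creates a filter bound to the given configuration.
     *
     * @param superGluuAccessRequestFilterConfig configuration read on every request
     */
    public SuperGluuAccessRequestFilter(SuperGluuAccessRequestFilterConfig superGluuAccessRequestFilterConfig) {
        this.filterConfig = superGluuAccessRequestFilterConfig;
    }

    /**
     * Authenticates one access request with the configured scheme.
     *
     * @param accessRequestContext the request carrying username, password and client IP address
     * @return {@code true} only when the selected scheme reports success; {@code false} when it
     *     fails or when the configuration selects neither scheme
     */
    @Override // org.gluu.radius.server.AccessRequestFilter
    public boolean processAccessRequest(AccessRequestContext accessRequestContext) {
        CryptoService cryptoService = this.filterConfig.getCryptoService();
        try {
            // NOTE(review): beginReadOpts() sits inside the try, so endReadOpts() also runs when
            // beginReadOpts() itself throws - confirm CryptoService tolerates that.
            cryptoService.beginReadOpts();
            if (this.filterConfig.isOneStepAuth()) {
                return performOneStepAuth(accessRequestContext);
            }
            if (this.filterConfig.isTwoStepAuth()) {
                return performTwoStepAuth(accessRequestContext);
            }
            // No scheme configured: deny rather than guess.
            log.debug("Authentication scheme is neither one-step nor two-step");
            return false;
        } finally {
            cryptoService.endReadOpts();
        }
    }

    /**
     * Runs the one-step scheme: a single {@code initiateAuthentication} call decides the outcome.
     *
     * @return {@code true} only when the client returns {@code Boolean.TRUE}
     */
    private boolean performOneStepAuth(AccessRequestContext accessRequestContext) {
        try {
            SuperGluuAuthClient authClient = createAuthClient();
            authClient.setAuthScheme(SuperGluuAuthScheme.ONE_STEP);
            String clientIpAddress = accessRequestContext.getClientIpAddress();
            String username = accessRequestContext.getUsername();
            String password = accessRequestContext.getPassword();
            String loggedUser = forLog(username);
            log.debug(String.format("Performing one-step authentication for user {%s}", loggedUser));
            Boolean initiated = authClient.initiateAuthentication(username, password, clientIpAddress);
            // A null result is treated like an explicit failure.
            if (!Boolean.TRUE.equals(initiated)) {
                log.debug(String.format("Authentication failed for user {%s}", loggedUser));
                return false;
            }
            log.debug(String.format("Authentication success for user {%s}", loggedUser));
            return true;
        } catch (GluuRadiusException e) {
            return denyOnError(accessRequestContext, e);
        } catch (Exception e) {
            return denyOnError(accessRequestContext, e);
        }
    }

    /**
     * Runs the two-step scheme: initiate, poll the session status until it is
     * {@code AUTHENTICATED} or the configured timeout elapses, then run the additional
     * {@code verifyAuthentication} check.
     *
     * @return {@code true} only when all three stages succeed
     */
    private boolean performTwoStepAuth(AccessRequestContext accessRequestContext) {
        try {
            SuperGluuAuthClient authClient = createAuthClient();
            authClient.setAuthScheme(SuperGluuAuthScheme.TWO_STEP);
            String clientIpAddress = accessRequestContext.getClientIpAddress();
            String username = accessRequestContext.getUsername();
            String password = accessRequestContext.getPassword();
            String loggedUser = forLog(username);
            log.debug(String.format("Performing two-step authentication for user {%s}", loggedUser));
            // The timeout window opens before step one, and is measured with the monotonic clock
            // so a wall-clock adjustment cannot stretch or shrink it.
            long startNanos = System.nanoTime();
            Boolean initiated = authClient.initiateAuthentication(username, password, clientIpAddress);
            if (!Boolean.TRUE.equals(initiated)) {
                log.debug(String.format("Authentication failed for user {%s}.", loggedUser));
                return false;
            }
            log.debug(String.format("User {%s} step one auth success. Checking step-two auth result", loggedUser));
            // The timeout is compared against elapsed milliseconds.
            long timeoutMillis = this.filterConfig.getAuthenticationTimeout().longValue();
            SuperGluuAuthStatus status = SuperGluuAuthStatus.UNAUTHENTICATED;
            while ((System.nanoTime() - startNanos) / 1000000L < timeoutMillis) {
                status = authClient.checkAuthenticationStatus();
                if (status == SuperGluuAuthStatus.AUTHENTICATED) {
                    break;
                }
                try {
                    Thread.sleep(statusCheckInterval);
                } catch (InterruptedException e) {
                    // Keep the interrupt visible to the caller and stop polling; an interrupted
                    // request is denied rather than left waiting out the timeout.
                    Thread.currentThread().interrupt();
                    log.debug(String.format("Authentication interrupted for user {%s}", loggedUser));
                    return false;
                }
            }
            // Anything other than AUTHENTICATED (including a null status) is a denial, so an
            // unexpected status can never reach the verification step.
            if (status != SuperGluuAuthStatus.AUTHENTICATED) {
                log.debug(String.format("Authentication timeout for user {%s}", loggedUser));
                return false;
            }
            log.debug(String.format("Performing additional two-step verification for user {%s}", loggedUser));
            Boolean verified = authClient.verifyAuthentication(username, password);
            if (!Boolean.TRUE.equals(verified)) {
                log.debug(String.format("Two-step additional verification failed for user {%s}", loggedUser));
                return false;
            }
            log.debug(String.format("Authentication success for user {%s}", loggedUser));
            return true;
        } catch (GluuRadiusException e) {
            return denyOnError(accessRequestContext, e);
        } catch (Exception e) {
            return denyOnError(accessRequestContext, e);
        }
    }

    /**
     * Logs an authentication error together with its cause and denies the request.
     *
     * @return always {@code false}
     */
    private boolean denyOnError(AccessRequestContext accessRequestContext, Exception cause) {
        log.debug(String.format("Authentication failed for user {%s}", forLog(accessRequestContext.getUsername())), cause);
        return false;
    }

    /**
     * Replaces ISO control characters (CR, LF, ...) with {@code '_'} so a request-supplied value
     * cannot start a new line in the log output.
     *
     * @param value the raw value, possibly {@code null}
     * @return the value with control characters replaced, or {@code null} if {@code value} is null
     */
    private static String forLog(String value) {
        if (value == null) {
            return null;
        }
        StringBuilder cleaned = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            cleaned.append(Character.isISOControl(c) ? '_' : c);
        }
        return cleaned.toString();
    }

    /** Builds a fresh auth client for one request from the current filter configuration. */
    private SuperGluuAuthClient createAuthClient() {
        return new SuperGluuAuthClient(
                createAuthClientConfig(),
                this.httpClientFactory,
                this.filterConfig.getCryptoProviderFactory(),
                this.filterConfig.getServerKeyset());
    }

    /** Copies key id, signing algorithm, endpoints, client id, ACR value and scopes into a client config. */
    private SuperGluuAuthClientConfig createAuthClientConfig() {
        SuperGluuAuthClientConfig clientConfig = new SuperGluuAuthClientConfig(
                this.filterConfig.getJwtAuthKeyId(),
                this.filterConfig.getJwtAuthSignAlgo(),
                this.filterConfig.getTokenEndpointUrl());
        clientConfig.setClientId(this.filterConfig.getOpenidUsername());
        // The token endpoint URL is also passed to the constructor above; the setter call is kept
        // because the constructor's handling of it is not visible here.
        clientConfig.setTokenEndpointUrl(this.filterConfig.getTokenEndpointUrl());
        clientConfig.setSessionStatusUrl(this.filterConfig.getSessionStatusUrl());
        clientConfig.setAcrValue(this.filterConfig.getAcrValue());
        for (String scope : this.filterConfig.getScopes()) {
            clientConfig.addScope(scope);
        }
        return clientConfig;
    }
}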
