package org.xdi.oxauth.service.fido.u2f;

import com.unboundid.ldap.sdk.Filter;
import java.util.ArrayList;
import java.util.Date;
import java.util.GregorianCalendar;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.TimeZone;
import java.util.UUID;
import org.gluu.site.ldap.persistence.LdapEntryManager;
import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.AutoCreate;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.log.Log;
import org.xdi.oxauth.crypto.random.ChallengeGenerator;
import org.xdi.oxauth.exception.fido.u2f.DeviceCompromisedException;
import org.xdi.oxauth.exception.fido.u2f.NoEligableDevicesException;
import org.xdi.oxauth.model.config.ConfigurationFactory;
import org.xdi.oxauth.model.fido.u2f.AuthenticateRequestMessageLdap;
import org.xdi.oxauth.model.fido.u2f.DeviceRegistration;
import org.xdi.oxauth.model.fido.u2f.exception.BadInputException;
import org.xdi.oxauth.model.fido.u2f.message.RawAuthenticateResponse;
import org.xdi.oxauth.model.fido.u2f.protocol.AuthenticateRequest;
import org.xdi.oxauth.model.fido.u2f.protocol.AuthenticateRequestMessage;
import org.xdi.oxauth.model.fido.u2f.protocol.AuthenticateResponse;
import org.xdi.oxauth.model.fido.u2f.protocol.ClientData;
import org.xdi.oxauth.model.util.Base64Util;
import org.xdi.oxauth.service.UserService;
import org.xdi.util.StringHelper;

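/**
 * Server-side half of the FIDO U2F authentication (sign) ceremony.
 *
 * <p>{@link #buildAuthenticateRequestMessage} issues one {@link AuthenticateRequest} per
 * non-compromised device the user has registered for an application, all sharing a single
 * challenge from the injected {@code randomChallengeGenerator}. {@link #finishAuthentication}
 * matches the token's response to the issued request and the stored registration, hands the
 * client data, signature and counter to the collaborating services for verification, and persists
 * the updated registration. The remaining methods store, look up and remove pending request
 * messages in LDAP.
 *
 * <p>Seam stateless component: it keeps no per-request state beyond the injected collaborators.
 */
@Name("u2fAuthenticationService")
@AutoCreate
@Scope(ScopeType.STATELESS)
public class AuthenticationService extends RequestService {

    @Logger
    private Log log;

    @In
    private LdapEntryManager ldapEntryManager;

    @In
    private ApplicationService applicationService;

    @In
    private RawAuthenticationService rawAuthenticationService;

    @In
    private ClientDataValidationService clientDataValidationService;

    @In
    private DeviceRegistrationService deviceRegistrationService;

    @In
    private UserService userService;

    // Source of the per-ceremony challenge; bound to the "randomChallengeGenerator" component.
    @In("randomChallengeGenerator")
    private ChallengeGenerator challengeGenerator;

    /**
     * Builds the sign request message for every eligible device the user has registered for
     * {@code appId}.
     *
     * @param appId    U2F application id; checked through {@code applicationService} when
     *                 {@code isValidateApplication()} is set
     * @param userName user identifier resolved to an inum through {@code userService}
     * @return a message holding one request per non-compromised device, all sharing one challenge
     * @throws BadInputException          if the application id is rejected or the user is not found
     * @throws NoEligableDevicesException if the user has no registrations, or every registration is
     *                                    flagged as compromised
     */
    public AuthenticateRequestMessage buildAuthenticateRequestMessage(String appId, String userName) throws BadInputException, NoEligableDevicesException {
        if (this.applicationService.isValidateApplication()) {
            this.applicationService.checkIsValid(appId);
        }
        String userInum = resolveUserInum(userName);

        // A single challenge is shared by all per-device requests in this message; the token
        // answers the request whose key handle it recognises.
        byte[] challenge = this.challengeGenerator.generateChallenge();
        List<DeviceRegistration> registrations = this.deviceRegistrationService.findUserDeviceRegistrations(userInum, appId, new String[0]);

        List<AuthenticateRequest> requests = new ArrayList<AuthenticateRequest>(registrations.size());
        for (DeviceRegistration registration : registrations) {
            if (registration.isCompromised()) {
                continue;
            }
            try {
                requests.add(startAuthentication(appId, registration, challenge));
            } catch (DeviceCompromisedException e) {
                // startAuthentication only throws when isCompromised() is true, which the guard
                // above has just ruled out; kept defensively so the other devices still get a request.
                this.log.error("Faield to authenticate device", e, new Object[0]);
            }
        }

        if (!requests.isEmpty()) {
            return new AuthenticateRequestMessage(requests);
        }
        if (registrations.isEmpty()) {
            throw new NoEligableDevicesException(registrations, "No devices registrered");
        }
        throw new NoEligableDevicesException(registrations, "All devices compromised");
    }

    /**
     * Starts authentication for a single device with a freshly generated challenge.
     *
     * @param appId              application id echoed into the request
     * @param deviceRegistration registration whose key handle identifies the token
     * @return the request for this device
     * @throws DeviceCompromisedException if the registration is flagged as compromised
     */
    public AuthenticateRequest startAuthentication(String appId, DeviceRegistration deviceRegistration) throws DeviceCompromisedException {
        return startAuthentication(appId, deviceRegistration, this.challengeGenerator.generateChallenge());
    }

    /**
     * Builds the sign request for one device using the supplied challenge.
     *
     * @param appId              application id echoed into the request
     * @param deviceRegistration registration whose key handle identifies the token
     * @param challenge          raw challenge bytes; base64url-encoded into the request
     * @return the request for this device
     * @throws DeviceCompromisedException if the registration is flagged as compromised
     */
    public AuthenticateRequest startAuthentication(String appId, DeviceRegistration deviceRegistration, byte[] challenge) throws DeviceCompromisedException {
        if (deviceRegistration.isCompromised()) {
            throw new DeviceCompromisedException(deviceRegistration, "Device has been marked as compromised, cannot authenticate");
        }
        String keyHandle = deviceRegistration.getDeviceRegistrationConfiguration().getKeyHandle();
        return new AuthenticateRequest(Base64Util.base64urlencode(challenge), appId, keyHandle);
    }

    /**
     * Completes authentication without supplying a facet set.
     *
     * <p>Same as {@link #finishAuthentication(AuthenticateRequestMessage, AuthenticateResponse, String, Set)}
     * with a {@code null} facet set; how a {@code null} set is treated is decided by
     * {@code clientDataValidationService.checkContent}, not here.
     *
     * @param authenticateRequestMessage the message previously issued to the client
     * @param authenticateResponse       the token's response
     * @param userName                   user identifier resolved to an inum through {@code userService}
     * @return the registration that authenticated, with its counter already updated
     * @throws BadInputException          see the four-argument overload
     * @throws DeviceCompromisedException see the four-argument overload
     */
    public DeviceRegistration finishAuthentication(AuthenticateRequestMessage authenticateRequestMessage, AuthenticateResponse authenticateResponse, String userName) throws BadInputException, DeviceCompromisedException {
        return finishAuthentication(authenticateRequestMessage, authenticateResponse, userName, null);
    }

    /**
     * Verifies a token's sign response and records the successful authentication.
     *
     * <p>Steps, in order: the response is matched to one of the message's requests (request id and
     * key handle); that key handle is matched to one of the user's registrations for the message's
     * appId; the registration must not be compromised; the client data is handed to
     * {@code clientDataValidationService} together with the expected type, the issued challenge and
     * {@code facets}; the signature data is parsed and checked against the registered public key;
     * user presence and the counter are checked; finally the registration is persisted.
     *
     * @param authenticateRequestMessage the message previously issued to the client
     * @param authenticateResponse       the token's response
     * @param userName                   user identifier resolved to an inum through {@code userService}
     * @param facets                     facets passed to client-data validation; may be {@code null}
     * @return the registration that authenticated, with its counter already updated
     * @throws BadInputException          if the user is unknown, the response does not belong to the
     *                                    message, or no registration has the response's key handle
     * @throws DeviceCompromisedException if the matched registration is flagged as compromised
     */
    public DeviceRegistration finishAuthentication(AuthenticateRequestMessage authenticateRequestMessage, AuthenticateResponse authenticateResponse, String userName, Set<String> facets) throws BadInputException, DeviceCompromisedException {
        String userInum = resolveUserInum(userName);
        List<DeviceRegistration> registrations = this.deviceRegistrationService.findUserDeviceRegistrations(userInum, authenticateRequestMessage.getAppId(), new String[0]);

        AuthenticateRequest authenticateRequest = getAuthenticateRequest(authenticateRequestMessage, authenticateResponse);
        DeviceRegistration deviceRegistration = findByKeyHandle(registrations, authenticateRequest.getKeyHandle());
        if (deviceRegistration == null) {
            throw new BadInputException("Failed to find DeviceRegistration for the given AuthenticateRequest");
        }
        if (deviceRegistration.isCompromised()) {
            throw new DeviceCompromisedException(deviceRegistration, "The device is marked as possibly compromised, and cannot be authenticated");
        }

        // Ties the response to this ceremony: expected type, the challenge we issued, allowed facets.
        ClientData clientData = authenticateResponse.getClientData();
        this.clientDataValidationService.checkContent(clientData, RawAuthenticationService.AUTHENTICATE_TYPE, authenticateRequest.getChallenge(), facets);

        RawAuthenticateResponse rawResponse = this.rawAuthenticationService.parseRawAuthenticateResponse(authenticateResponse.getSignatureData());
        byte[] publicKey = Base64Util.base64urldecode(deviceRegistration.getDeviceRegistrationConfiguration().getPublicKey());
        this.rawAuthenticationService.checkSignature(authenticateRequest.getAppId(), clientData, rawResponse, publicKey);
        rawResponse.checkUserPresence();

        // NOTE(review): updateDeviceRegistration is only reached when checkAndUpdateCounter returns
        // normally. If that call flags the registration as compromised and throws, the flag is not
        // persisted by this method — confirm the caller (or checkAndUpdateCounter itself) does so.
        deviceRegistration.checkAndUpdateCounter(rawResponse.getCounter());
        this.deviceRegistrationService.updateDeviceRegistration(userInum, deviceRegistration);
        return deviceRegistration;
    }

    /**
     * Selects the request in {@code authenticateRequestMessage} that the response answers.
     *
     * @param authenticateRequestMessage the issued message
     * @param authenticateResponse       the token's response
     * @return the contained request whose key handle equals the response's key handle
     * @throws BadInputException if the request ids differ, or no contained request carries the
     *                           response's key handle
     */
    public AuthenticateRequest getAuthenticateRequest(AuthenticateRequestMessage authenticateRequestMessage, AuthenticateResponse authenticateResponse) throws BadInputException {
        if (!StringHelper.equals(authenticateRequestMessage.getRequestId(), authenticateResponse.getRequestId())) {
            throw new BadInputException("Wrong request for response data");
        }
        String responseKeyHandle = authenticateResponse.getKeyHandle();
        for (AuthenticateRequest authenticateRequest : authenticateRequestMessage.getAuthenticateRequests()) {
            if (StringHelper.equals(authenticateRequest.getKeyHandle(), responseKeyHandle)) {
                return authenticateRequest;
            }
        }
        throw new BadInputException("Responses keyHandle does not match any contained request");
    }

    /**
     * Persists a pending request message under a fresh random id so it can be retrieved when the
     * response arrives.
     *
     * <p>The creation date is recorded but not enforced in this class; expiry of pending
     * messages, if any, is handled elsewhere.
     *
     * @param authenticateRequestMessage the message to store
     */
    public void storeAuthenticationRequestMessage(AuthenticateRequestMessage authenticateRequestMessage) {
        // java.util.Date carries no time zone; the current instant is all that gets stored.
        Date creationDate = new Date();
        String id = UUID.randomUUID().toString();

        AuthenticateRequestMessageLdap entry = new AuthenticateRequestMessageLdap(authenticateRequestMessage);
        entry.setCreationDate(creationDate);
        entry.setId(id);
        entry.setDn(getDnForAuthenticateRequestMessage(id));
        this.ldapEntryManager.persist(entry);
    }

    /**
     * Loads a stored request message by the id assigned in
     * {@link #storeAuthenticationRequestMessage}.
     *
     * @param id the stored entry's id (its {@code oxid} RDN value)
     * @return the message, or {@code null} when no entry exists under that DN
     */
    public AuthenticateRequestMessage getAuthenticationRequestMessage(String id) {
        AuthenticateRequestMessageLdap entry = (AuthenticateRequestMessageLdap) this.ldapEntryManager.find(AuthenticateRequestMessageLdap.class, getDnForAuthenticateRequestMessage(id));
        if (entry == null) {
            return null;
        }
        return entry.getAuthenticateRequestMessage();
    }

    /**
     * Looks up a stored request message by its request id (the {@code oxRequestId} attribute).
     *
     * @param requestId request id carried by the message
     * @return the first matching entry, or {@code null} when the search returns nothing
     */
    public AuthenticateRequestMessageLdap getAuthenticationRequestMessageByRequestId(String requestId) {
        // Structured equality filter: the assertion value is passed as data rather than spliced
        // into filter text, so requestId needs no manual escaping here.
        Filter filter = Filter.createEqualityFilter("oxRequestId", requestId);
        List<AuthenticateRequestMessageLdap> entries = this.ldapEntryManager.findEntries(getDnForAuthenticateRequestMessage(null), AuthenticateRequestMessageLdap.class, filter);
        if (entries == null || entries.isEmpty()) {
            return null;
        }
        return entries.get(0);
    }

    /**
     * Removes a stored request message; delegates to {@code RequestService.removeRequestMessage}.
     *
     * @param authenticateRequestMessageLdap the entry to remove
     */
    public void removeAuthenticationRequestMessage(AuthenticateRequestMessageLdap authenticateRequestMessageLdap) {
        removeRequestMessage(authenticateRequestMessageLdap);
    }

    /**
     * Builds the DN of a stored request message, or of the container when no id is given.
     *
     * @param id the entry id, or {@code null}/empty for the {@code ou=authentication_requests} container
     * @return the DN under the configured U2F base
     */
    public String getDnForAuthenticateRequestMessage(String id) {
        String u2fBase = ConfigurationFactory.getBaseDn().getU2fBase();
        if (StringHelper.isEmpty(id)) {
            return String.format("ou=authentication_requests,%s", u2fBase);
        }
        return String.format("oxid=%s,ou=authentication_requests,%s", id, u2fBase);
    }

    /**
     * Resolves a user name to its inum, failing the same way for every entry point.
     *
     * @throws BadInputException if {@code userService} returns no inum
     */
    private String resolveUserInum(String userName) throws BadInputException {
        String userInum = this.userService.getUserInum(userName);
        if (StringHelper.isEmpty(userInum)) {
            throw new BadInputException(String.format("Failed to find user '%s' in LDAP", userName));
        }
        return userInum;
    }

    /** Returns the first registration whose key handle equals {@code keyHandle}, or {@code null}. */
    private static DeviceRegistration findByKeyHandle(List<DeviceRegistration> registrations, String keyHandle) {
        for (DeviceRegistration registration : registrations) {
            if (StringHelper.equals(keyHandle, registration.getDeviceRegistrationConfiguration().getKeyHandle())) {
                return registration;
            }
        }
        return null;
    }
}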
