package org.xdi.oxauth.ws.rs.fido.u2f;

import com.wordnik.swagger.annotations.Api;
import javax.inject.Inject;
import javax.ws.rs.FormParam;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import org.slf4j.Logger;
import org.xdi.model.custom.script.conf.CustomScriptConfiguration;
import org.xdi.oxauth.model.common.SessionId;
import org.xdi.oxauth.model.common.User;
import org.xdi.oxauth.model.config.Constants;
import org.xdi.oxauth.model.error.ErrorResponseFactory;
import org.xdi.oxauth.model.fido.u2f.DeviceRegistrationResult;
import org.xdi.oxauth.model.fido.u2f.RegisterRequestMessageLdap;
import org.xdi.oxauth.model.fido.u2f.U2fErrorResponseType;
import org.xdi.oxauth.model.fido.u2f.exception.BadInputException;
import org.xdi.oxauth.model.fido.u2f.exception.RegistrationNotAllowed;
import org.xdi.oxauth.model.fido.u2f.protocol.RegisterRequestMessage;
import org.xdi.oxauth.model.fido.u2f.protocol.RegisterResponse;
import org.xdi.oxauth.model.fido.u2f.protocol.RegisterStatus;
import org.xdi.oxauth.service.SessionIdService;
import org.xdi.oxauth.service.UserService;
import org.xdi.oxauth.service.external.ExternalAuthenticationService;
import org.xdi.oxauth.service.fido.u2f.DeviceRegistrationService;
import org.xdi.oxauth.service.fido.u2f.RegistrationService;
import org.xdi.oxauth.service.fido.u2f.UserSessionIdService;
import org.xdi.oxauth.service.fido.u2f.ValidationService;
import org.xdi.oxauth.util.ServerUtil;
import org.xdi.util.StringHelper;

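/**
 * JAX-RS endpoint implementing the two-step FIDO U2F device registration flow:
 * {@code GET} issues a registration challenge (the register request message) and
 * {@code POST} verifies the token's answer and records the device.
 * <p>
 * When a username is supplied, the {@code GET} step must be authorised either by a
 * valid {@code session_id} of an already authenticated user or by a one-time
 * {@code enrollment_code}; presenting neither is rejected. The request message is
 * stored server-side under its request id and removed by the first {@code POST}
 * that references it, before the response is verified, so a request id cannot be
 * answered twice.
 */
@Path("/fido/u2f/registration")
@Api(value = "/fido/u2f/registration", description = "The endpoint at which the U2F device start registration process.")
public class U2fRegistrationWS {

    /** User attribute holding the one-time enrollment code; cleared once the code is accepted. */
    private static final String ENROLLMENT_CODE_ATTRIBUTE = "oxEnrollmentCode";

    /** Name of the custom authentication script whose level defines "U2F-strength" authentication. */
    private static final String U2F_SCRIPT_NAME = "u2f";

    @Inject
    private Logger log;

    @Inject
    private UserService userService;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private RegistrationService u2fRegistrationService;

    @Inject
    private DeviceRegistrationService deviceRegistrationService;

    @Inject
    private SessionIdService sessionIdService;

    @Inject
    private UserSessionIdService userSessionIdService;

    @Inject
    private ValidationService u2fValidationService;

    @Inject
    private ExternalAuthenticationService service;

    /**
     * Starts registration: checks that the caller is authorised to enrol a device for
     * {@code username}, builds the register request message (challenge) and stores it
     * keyed by request id for {@link #finishRegistration(String, String)}.
     *
     * @param userName       username of the user enrolling the device; when empty no
     *                       authorisation check is made and the request is built without a
     *                       user inum (pre-existing behaviour, kept as is)
     * @param appId          U2F application id the device is registered for
     * @param sessionId      id of an existing authenticated session, or null/empty
     * @param enrollmentCode one-time enrollment code; consulted only when no session id is
     *                       given and cleared from the user entry once accepted
     * @return 200 with the register request message as JSON
     * @throws WebApplicationException 403 {@code INVALID_REQUEST} for an invalid session id
     *         or enrollment code, for a missing one, or for an unknown user;
     *         406 {@code REGISTRATION_NOT_ALLOWED} when the user already has a device and
     *         the session was not authenticated at the U2F level; 500 {@code SERVER_ERROR}
     *         for any other failure
     */
    @GET
    @Produces({"application/json"})
    public Response startRegistration(@QueryParam("username") String userName, @QueryParam("application") String appId,
            @QueryParam("session_id") String sessionId, @QueryParam("enrollment_code") String enrollmentCode) {
        try {
            // NOTE(review): the session id and enrollment code are written to the debug log here
            // and are echoed into the exception messages below, which reach the error log.
            // Treat those logs as credential-bearing.
            this.log.debug("Startig registration with username '{}' for appId '{}'. session_id '{}', enrollment_code '{}'",
                    new Object[] { userName, appId, sessionId, enrollmentCode });

            String userInum = null;
            boolean authorisedBySession = false;
            if (StringHelper.isNotEmpty(userName)) {
                boolean authorisedByEnrollmentCode = false;
                if (StringHelper.isNotEmpty(sessionId)) {
                    if (!this.u2fValidationService.isValidSessionId(userName, sessionId)) {
                        throw new BadInputException(String.format("session_id '%s' is invalid", sessionId));
                    }
                    authorisedBySession = true;
                } else {
                    if (!StringHelper.isNotEmpty(enrollmentCode)) {
                        throw new BadInputException("session_id or enrollment_code is mandatory");
                    }
                    if (!this.u2fValidationService.isValidEnrollmentCode(userName, enrollmentCode)) {
                        throw new BadInputException(String.format("enrollment_code '%s' is invalid", enrollmentCode));
                    }
                    authorisedByEnrollmentCode = true;
                }

                User user = this.userService.getUser(userName, new String[0]);
                userInum = this.userService.getUserInum(user);
                if (StringHelper.isEmpty(userInum)) {
                    throw new BadInputException(String.format("Failed to find user '%s' in LDAP", userName));
                }
                if (authorisedByEnrollmentCode) {
                    // The enrollment code is single-use: clear it as soon as it has been accepted.
                    user.setAttribute(ENROLLMENT_CODE_ATTRIBUTE, (String) null);
                    this.userService.updateUser(user);
                }
            }

            // A session-authorised caller who already has a device may add another one only if
            // the session was authenticated at (at least) the U2F level; otherwise a session
            // obtained by a weaker method could add a device alongside the existing one.
            if (authorisedBySession
                    && !this.deviceRegistrationService.findUserDeviceRegistrations(userInum, appId, new String[0]).isEmpty()
                    && !isCurrentAuthenticationLevelCorrespondsToU2fLevel(sessionId)) {
                throw new RegistrationNotAllowed(String.format(
                        "It's not possible to start registration with user_name and session_id because user '%s' has already enrolled device",
                        userName));
            }

            RegisterRequestMessage registerRequestMessage = this.u2fRegistrationService.builRegisterRequestMessage(appId, userInum);
            this.u2fRegistrationService.storeRegisterRequestMessage(registerRequestMessage, userInum, sessionId);

            return Response.status(Response.Status.OK)
                    .entity(ServerUtil.asJson(registerRequestMessage))
                    .cacheControl(ServerUtil.cacheControl(true))
                    .build();
        } catch (Exception ex) {
            this.log.error("Exception happened", ex);
            if (ex instanceof WebApplicationException) {
                // Cast needed: the try body may throw checked exceptions, so a bare rethrow
                // of the Exception-typed variable would not compile.
                throw (WebApplicationException) ex;
            }
            if (ex instanceof RegistrationNotAllowed) {
                throw new WebApplicationException(Response.status(Response.Status.NOT_ACCEPTABLE)
                        .entity(this.errorResponseFactory.getErrorResponse(U2fErrorResponseType.REGISTRATION_NOT_ALLOWED))
                        .build());
            }
            // Invalid caller input is a client error; map it the same way finishRegistration
            // does rather than reporting it as a server error.
            if (ex instanceof BadInputException) {
                throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN)
                        .entity(this.errorResponseFactory.getErrorResponse(U2fErrorResponseType.INVALID_REQUEST))
                        .build());
            }
            throw new WebApplicationException(Response.status(Response.Status.INTERNAL_SERVER_ERROR)
                    .entity(this.errorResponseFactory.getJsonErrorResponse(U2fErrorResponseType.SERVER_ERROR))
                    .build());
        }
    }

    /**
     * Finishes registration: looks up and consumes the stored request message named by the
     * token response, verifies the response against it, records the device and, when the
     * flow was started from a session, updates that session.
     *
     * @param userName      username the client claims to be enrolling for; only logged here,
     *                      the user binding comes from the stored request message
     * @param tokenResponse JSON-encoded {@link RegisterResponse} produced by the token
     * @return 200 with a JSON {@link RegisterStatus} carrying {@code Constants.RESULT_SUCCESS}
     *         and the request id
     * @throws WebApplicationException 403 {@code SESSION_EXPIRED} when no stored request
     *         matches the response's request id (unknown, expired or already consumed);
     *         403 {@code INVALID_REQUEST} on a {@link BadInputException} from verification;
     *         500 {@code SERVER_ERROR} for any other failure, including an unparsable
     *         {@code tokenResponse}
     */
    @POST
    @Produces({"application/json"})
    public Response finishRegistration(@FormParam("username") String userName, @FormParam("tokenResponse") String tokenResponse) {
        // Declared outside the try so the error path can mark the originating session as
        // declined. The previous version tested a constant null there, so a failed
        // verification never updated the session.
        String sessionId = null;
        try {
            this.log.debug("Finishing registration for username '{}' with response '{}'", userName, tokenResponse);

            RegisterResponse registerResponse = ServerUtil.jsonMapperWithWrapRoot().readValue(tokenResponse, RegisterResponse.class);
            String requestId = registerResponse.getRequestId();

            RegisterRequestMessageLdap storedRequest = this.u2fRegistrationService.getRegisterRequestMessageByRequestId(requestId);
            if (storedRequest == null) {
                throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN)
                        .entity(this.errorResponseFactory.getJsonErrorResponse(U2fErrorResponseType.SESSION_EXPIRED))
                        .build());
            }
            // Consume the stored request before verifying so a request id is answered at most once.
            this.u2fRegistrationService.removeRegisterRequestMessage(storedRequest);

            // Capture the session before verification so that a failed attestation declines it too.
            sessionId = storedRequest.getSessionId();
            String userInum = storedRequest.getUserInum();

            DeviceRegistrationResult registrationResult = this.u2fRegistrationService.finishRegistration(
                    storedRequest.getRegisterRequestMessage(), registerResponse, userInum);

            if (StringHelper.isNotEmpty(sessionId)) {
                this.log.debug("There is session id. Setting session id attributes");
                this.userSessionIdService.updateUserSessionIdOnFinishRequest(sessionId, userInum, registrationResult, true,
                        StringHelper.isEmpty(userInum));
            }

            return Response.status(Response.Status.OK)
                    .entity(ServerUtil.asJson(new RegisterStatus(Constants.RESULT_SUCCESS, requestId)))
                    .cacheControl(ServerUtil.cacheControl(true))
                    .build();
        } catch (Exception ex) {
            this.log.error("Exception happened", ex);
            try {
                if (StringHelper.isNotEmpty(sessionId)) {
                    this.log.debug("There is session id. Setting session id status to 'declined'");
                    this.userSessionIdService.updateUserSessionIdOnError(sessionId);
                }
            } catch (Exception updateEx) {
                // Best effort: the original failure is the one reported to the client.
                this.log.error("Failed to update session id status", updateEx);
            }
            if (ex instanceof WebApplicationException) {
                // Cast needed: readValue() throws checked exceptions, so a bare rethrow of the
                // Exception-typed variable would not compile.
                throw (WebApplicationException) ex;
            }
            if (ex instanceof BadInputException) {
                throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN)
                        .entity(this.errorResponseFactory.getErrorResponse(U2fErrorResponseType.INVALID_REQUEST))
                        .build());
            }
            throw new WebApplicationException(Response.status(Response.Status.INTERNAL_SERVER_ERROR)
                    .entity(this.errorResponseFactory.getJsonErrorResponse(U2fErrorResponseType.SERVER_ERROR))
                    .build());
        }
    }

    /**
     * Tells whether the given session was authenticated at a level at least as strong as
     * the {@code u2f} custom script, judged by the session's ACR values.
     *
     * @param sessionId id of the session to inspect
     * @return true if any space-separated ACR value of the session names a custom script
     *         whose level is not below the {@code u2f} script's level; false when the
     *         session, its ACR or the {@code u2f} script configuration cannot be found
     */
    private boolean isCurrentAuthenticationLevelCorrespondsToU2fLevel(String sessionId) {
        SessionId session = this.sessionIdService.getSessionId(sessionId);
        if (session == null) {
            return false;
        }
        String acr = this.sessionIdService.getAcr(session);
        if (acr == null) {
            return false;
        }
        CustomScriptConfiguration u2fScript = this.service.getCustomScriptConfigurationByName(U2F_SCRIPT_NAME);
        if (u2fScript == null) {
            return false;
        }
        int u2fLevel = u2fScript.getLevel();
        // The ACR may list several methods; any single one of sufficient level qualifies.
        for (String acrValue : acr.split(" ")) {
            CustomScriptConfiguration acrScript = this.service.getCustomScriptConfigurationByName(acrValue);
            if (acrScript != null && acrScript.getLevel() >= u2fLevel) {
                return true;
            }
        }
        return false;
    }
}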
