package io.gravitee.am.policy.enroll.mfa;

import io.gravitee.am.common.factor.FactorType;
import io.gravitee.am.factor.api.FactorProvider;
import io.gravitee.am.factor.utils.SharedSecret;
import io.gravitee.am.gateway.handler.common.factor.FactorManager;
import io.gravitee.am.gateway.handler.common.user.UserService;
import io.gravitee.am.identityprovider.api.DefaultUser;
import io.gravitee.am.model.Factor;
import io.gravitee.am.model.User;
import io.gravitee.am.model.factor.EnrolledFactor;
import io.gravitee.am.model.factor.EnrolledFactorChannel;
import io.gravitee.am.model.factor.EnrolledFactorSecurity;
import io.gravitee.am.model.factor.FactorStatus;
import io.gravitee.am.model.oidc.Client;
import io.gravitee.am.policy.enroll.mfa.configuration.EnrollMfaPolicyConfiguration;
import io.gravitee.gateway.api.ExecutionContext;
import io.gravitee.gateway.api.Request;
import io.gravitee.gateway.api.Response;
import io.gravitee.policy.api.PolicyChain;
import io.gravitee.policy.api.PolicyResult;
import io.gravitee.policy.api.annotations.OnRequest;
import io.reactivex.Single;
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Collections;
import java.util.Date;
import java.util.Map;
import java.util.Optional;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.ObjectUtils;

/* loaded from: input_file:io/gravitee/am/policy/enroll/mfa/EnrollMfaPolicy.class */
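public class EnrollMfaPolicy {
    /** Failure key reported to the policy chain when MFA enrollment cannot be completed. */
    static final String GATEWAY_POLICY_ENROLL_MFA_ERROR_KEY = "GATEWAY_POLICY_ENROLL_MFA_ERROR";
    private static final Logger LOGGER = LoggerFactory.getLogger(EnrollMfaPolicy.class);
    /** Security type recorded on OTP / EMAIL enrollments (the factor's shared secret). */
    private static final String SHARED_SECRET_TYPE = "SHARED_SECRET";
    /** Additional-data key carrying the initial HOTP counter. */
    private static final String MOVING_FACTOR_KEY = "MOVING_FACTOR";
    private static final String VALUE_MISSING_MESSAGE = "Value field is missing";
    private final EnrollMfaPolicyConfiguration configuration;

    /**
     * Creates the policy from its configuration.
     *
     * @param enrollMfaPolicyConfiguration factor id, optional EL value expression and primary flag
     */
    public EnrollMfaPolicy(EnrollMfaPolicyConfiguration enrollMfaPolicyConfiguration) {
        this.configuration = enrollMfaPolicyConfiguration;
    }

    /**
     * Enrolls the configured MFA factor for the user present in the execution context.
     *
     * <p>The chain simply continues when no factor id is configured, when the factor is not
     * active for the client, when no user is in context, or when the factor is already
     * enrolled. A missing value for a factor that needs one, or any error while building or
     * persisting the enrollment, fails the chain with {@link #GATEWAY_POLICY_ENROLL_MFA_ERROR_KEY}.
     *
     * @param request          current request
     * @param response         current response
     * @param executionContext supplies the {@code user} / {@code client} attributes and gateway components
     * @param policyChain      chain to continue or fail
     */
    @OnRequest
    public void onRequest(Request request, Response response, ExecutionContext executionContext, PolicyChain policyChain) {
        LOGGER.debug("Start enroll MFA policy");
        final String factorId = this.configuration.getFactorId();
        final String value = this.configuration.getValue();
        if (ObjectUtils.isEmpty(factorId)) {
            LOGGER.warn("No factor ID configured for the enroll MFA policy");
            policyChain.doNext(request, response);
            return;
        }
        try {
            final UserService userService = executionContext.getComponent(UserService.class);
            final User user = (User) executionContext.getAttribute("user");
            final Client client = (Client) executionContext.getAttribute("client");
            final FactorManager factorManager = executionContext.getComponent(FactorManager.class);
            final Optional<Factor> clientFactor = factorManager.getClientFactor(client, factorId);
            if (clientFactor.isEmpty()) {
                LOGGER.warn("No active MFA factor with ID [{}] found", factorId);
                policyChain.doNext(request, response);
                return;
            }
            if (user == null) {
                LOGGER.warn("No user found in context");
                policyChain.doNext(request, response);
                return;
            }
            if (isAlreadyEnrolled(user, factorId)) {
                LOGGER.debug("MFA factor with ID [{}] already enrolled for the current user", factorId);
                policyChain.doNext(request, response);
                return;
            }
            final Factor factor = clientFactor.get();
            final FactorProvider factorProvider = factorManager.get(factorId);
            if (ObjectUtils.isEmpty(value) && requiresValue(factor.getFactorType())) {
                LOGGER.error(VALUE_MISSING_MESSAGE);
                policyChain.failWith(PolicyResult.failure(GATEWAY_POLICY_ENROLL_MFA_ERROR_KEY, VALUE_MISSING_MESSAGE));
                return;
            }
            buildEnrolledFactor(factor, factorProvider, user, value, executionContext)
                    .flatMap(enrolledFactor -> userService.addFactor(user.getId(), enrolledFactor, new DefaultUser(user)))
                    .subscribe(
                            updatedUser -> {
                                LOGGER.debug("MFA factor with ID [{}] enrolled for user {}", factorId, user.getId());
                                policyChain.doNext(request, response);
                            },
                            th -> {
                                // pass the Throwable itself so SLF4J records the stack trace
                                // (a trailing String argument with no placeholder was dropped before)
                                LOGGER.error("Unable to enroll MFA factor with ID [{}]", factorId, th);
                                policyChain.failWith(PolicyResult.failure(GATEWAY_POLICY_ENROLL_MFA_ERROR_KEY, th.getMessage()));
                            });
        } catch (Exception e) {
            LOGGER.error("An error has occurred for [enroll-mfa] policy", e);
            policyChain.failWith(PolicyResult.failure(GATEWAY_POLICY_ENROLL_MFA_ERROR_KEY, e.getMessage()));
        }
    }

    /**
     * Whether the user already has an enrolled factor with the given id.
     * Null-safe on each enrolled factor's id; {@code factorId} is known to be non-empty here.
     */
    private static boolean isAlreadyEnrolled(User user, String factorId) {
        if (ObjectUtils.isEmpty(user.getFactors())) {
            return false;
        }
        return user.getFactors().stream().anyMatch(enrolled -> factorId.equals(enrolled.getFactorId()));
    }

    /**
     * HTTP and OTP factors can be enrolled without a configured value; every other type needs
     * a target (phone number, e-mail address, ...).
     */
    private static boolean requiresValue(FactorType type) {
        final String name = type.getType();
        return !FactorType.HTTP.getType().equals(name) && !FactorType.OTP.getType().equals(name);
    }

    /**
     * Evaluates the configured EL expression through the context's template engine.
     *
     * @return the resolved value, or {@code null} when no expression is configured
     */
    private static String resolveValue(String expression, ExecutionContext executionContext) {
        if (ObjectUtils.isEmpty(expression)) {
            return null;
        }
        final String resolved = executionContext.getTemplateEngine().getValue(expression, String.class);
        if (ObjectUtils.isEmpty(resolved)) {
            LOGGER.warn("The expression language set up for Enroll MFA has returned nothing");
        }
        return resolved;
    }

    /**
     * Builds the pending enrollment for {@code factor}.
     *
     * <p>OTP factors receive a shared secret (the resolved value when one is configured,
     * otherwise a generated one) plus an initial moving factor when the provider uses variable
     * factor security. EMAIL factors always receive a generated secret with a moving factor and
     * an e-mail channel. SMS, CALL and HTTP factors only receive a channel carrying the value.
     *
     * @param factor           factor to enroll
     * @param factorProvider   provider of that factor
     * @param user             user being enrolled
     * @param valueExpression  optional EL expression for the value (target or secret)
     * @param executionContext context whose template engine evaluates the expression
     * @return a {@link Single} emitting the enrolled factor, or an error for an unsupported
     *         factor type or any failure while building it
     */
    private Single<EnrolledFactor> buildEnrolledFactor(Factor factor, FactorProvider factorProvider, User user, String valueExpression, ExecutionContext executionContext) {
        return Single.defer(() -> {
            try {
                final String resolvedValue = resolveValue(valueExpression, executionContext);
                final EnrolledFactor enrolledFactor = new EnrolledFactor();
                enrolledFactor.setFactorId(factor.getId());
                enrolledFactor.setStatus(FactorStatus.PENDING_ACTIVATION);
                enrolledFactor.setPrimary(this.configuration.isPrimary());
                switch (factor.getFactorType()) {
                    case OTP:
                        // an explicitly configured value overrides the generated shared secret
                        final String secret = resolvedValue != null ? resolvedValue : SharedSecret.generate();
                        final Map<String, Object> additionalData = factorProvider.useVariableFactorSecurity()
                                ? movingFactorData(user)
                                : Collections.emptyMap();
                        enrolledFactor.setSecurity(new EnrolledFactorSecurity(SHARED_SECRET_TYPE, secret, additionalData));
                        break;
                    case SMS:
                        enrolledFactor.setChannel(new EnrolledFactorChannel(EnrolledFactorChannel.Type.SMS, resolvedValue));
                        break;
                    case CALL:
                        enrolledFactor.setChannel(new EnrolledFactorChannel(EnrolledFactorChannel.Type.CALL, resolvedValue));
                        break;
                    case EMAIL:
                        enrolledFactor.setSecurity(new EnrolledFactorSecurity(SHARED_SECRET_TYPE, SharedSecret.generate(), movingFactorData(user)));
                        enrolledFactor.setChannel(new EnrolledFactorChannel(EnrolledFactorChannel.Type.EMAIL, resolvedValue));
                        break;
                    case HTTP:
                        enrolledFactor.setChannel(new EnrolledFactorChannel(EnrolledFactorChannel.Type.HTTP, resolvedValue));
                        break;
                    default:
                        return Single.error(new IllegalStateException("Unexpected value: " + factor.getFactorType().getType()));
                }
                final Date now = new Date();
                enrolledFactor.setCreatedAt(now);
                enrolledFactor.setUpdatedAt(now);
                return Single.just(enrolledFactor);
            } catch (Exception e) {
                LOGGER.error("An error has occurred when building the enrolled factor", e);
                return Single.error(e);
            }
        });
    }

    /** Additional security data carrying the initial HOTP counter for {@code user}. */
    private Map<String, Object> movingFactorData(User user) {
        return Collections.singletonMap(MOVING_FACTOR_KEY, generateInitialMovingFactor(user));
    }

    /**
     * Derives the initial HOTP moving factor (counter, in 1..1000) for a user.
     *
     * <p>The generator is seeded with the user's username, so the result is deterministic for a
     * given username rather than random. NOTE(review): confirm this is intended — the HOTP
     * counter is not a secret, but seeding this way means the value carries no entropy; if a
     * random starting counter was the goal, the {@code setSeed} call should be dropped.
     *
     * @return the derived counter, or {@code 0} if the SHA1PRNG algorithm is unavailable
     */
    private int generateInitialMovingFactor(User user) {
        try {
            final SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG");
            secureRandom.setSeed(user.getUsername().getBytes(StandardCharsets.UTF_8));
            return secureRandom.nextInt(1000) + 1;
        } catch (NoSuchAlgorithmException e) {
            // best-effort fallback kept as before, but no longer silent
            LOGGER.warn("SHA1PRNG is not available; using 0 as the initial moving factor", e);
            return 0;
        }
    }
}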
