package io.gravitee.am.service.impl;

import io.gravitee.am.model.Domain;
import io.gravitee.am.model.ReferenceType;
import io.gravitee.am.model.User;
import io.gravitee.am.model.VerifyAttempt;
import io.gravitee.am.model.account.AccountSettings;
import io.gravitee.am.model.oidc.Client;
import io.gravitee.am.repository.management.api.VerifyAttemptRepository;
import io.gravitee.am.repository.management.api.search.VerifyAttemptCriteria;
import io.gravitee.am.service.AuditService;
import io.gravitee.am.service.EmailService;
import io.gravitee.am.service.VerifyAttemptService;
import io.gravitee.am.service.exception.MFAValidationAttemptException;
import io.gravitee.am.service.reporter.builder.AuditBuilder;
import io.gravitee.am.service.reporter.builder.management.VerifyAttemptAuditBuilder;
import io.reactivex.rxjava3.core.Completable;
import io.reactivex.rxjava3.core.Maybe;
import java.util.Date;
import java.util.Optional;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Lazy;
import org.springframework.stereotype.Component;

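/**
 * Tracks failed MFA verification attempts and enforces the per-account attempt limit.
 *
 * <p>An attempt record is looked up by user id, factor id and client id. Enforcement applies only
 * when {@link AccountSettings#isMfaChallengeAttemptsDetectionEnabled()} is true for the resolved
 * settings; otherwise every method here is a no-op, so a disabled or missing setting means no
 * brute-force limit on MFA codes.
 *
 * <p>NOTE(review): {@link #incrementAttempt} is a read-modify-write on a record supplied by the
 * caller. Nothing in this class serialises concurrent verifications for the same user and factor,
 * so parallel requests may be counted once. Confirm whether the repository or the caller
 * guarantees atomicity.
 */
@Component
public class VerifyAttemptServiceImpl implements VerifyAttemptService {
    private static final Logger LOGGER = LoggerFactory.getLogger(VerifyAttemptServiceImpl.class);

    @Autowired
    AuditService auditService;

    @Autowired
    EmailService emailService;

    @Autowired
    @Lazy
    VerifyAttemptRepository verifyAttemptRepository;

    /**
     * Loads the attempt record for the user, factor and client and rejects the request when the
     * limit is reached.
     *
     * @param user the user performing the MFA verification
     * @param factorId the id of the factor being verified
     * @param client the client the verification is performed for
     * @param domain the domain used, with the client, to resolve the account settings
     * @return the attempt record with its {@code allowRequest} flag recomputed, or an empty
     *     {@link Maybe} when detection is disabled or no record exists; the stream fails with
     *     {@link MFAValidationAttemptException} (after an audit event is reported) when the
     *     record does not allow the request
     */
    @Override
    public Maybe<VerifyAttempt> checkVerifyAttempt(User user, String factorId, Client client, Domain domain) {
        AccountSettings accountSettings = AccountSettings.getInstance(domain, client);
        if (accountSettings == null || !accountSettings.isMfaChallengeAttemptsDetectionEnabled()) {
            LOGGER.debug("MFA brute force detection is disabled, won't check verify attempt.");
            return Maybe.empty();
        }
        VerifyAttemptCriteria criteria = buildCriteria(user.getId(), factorId, client.getId());
        return getVerifyAttemptIfExists(criteria, accountSettings).doOnSuccess(verifyAttempt -> {
            LOGGER.debug("VerifyAttempt value: [{}]", verifyAttempt);
            if (!verifyAttempt.isAllowRequest()) {
                // Report the lockout before failing the stream so the event is recorded even
                // though the caller only sees the exception.
                this.auditService.report(((VerifyAttemptAuditBuilder) AuditBuilder.builder(VerifyAttemptAuditBuilder.class)).type("MFA_VERIFY_LIMIT_EXCEED").verifyAttempt(verifyAttempt).user(user));
                throw new MFAValidationAttemptException("Maximum verification limit exceed");
            }
        });
    }

    /**
     * Records one more failed verification, creating the attempt record when none exists yet.
     *
     * <p>The stored counter is capped at the configured maximum, and {@code allowRequest} is
     * cleared as soon as the counter reaches that maximum.
     *
     * @param userId the id of the user who failed the verification
     * @param factorId the id of the factor that was verified
     * @param client the client the verification was performed for
     * @param domain the domain owning the record; also used to resolve the account settings
     * @param optional the existing attempt record, if one was found beforehand
     * @return a {@link Completable} that completes once the record is created or updated, or
     *     immediately when detection is disabled
     */
    @Override
    public Completable incrementAttempt(String userId, String factorId, Client client, Domain domain, Optional<VerifyAttempt> optional) {
        AccountSettings accountSettings = AccountSettings.getInstance(domain, client);
        if (accountSettings == null || !accountSettings.isMfaChallengeAttemptsDetectionEnabled()) {
            return Completable.complete();
        }
        // NOTE(review): a null max-attempts setting would throw here while detection is enabled;
        // confirm the settings are validated when they are saved.
        final int maxAttempts = accountSettings.getMfaChallengeMaxAttempts().intValue();
        final Date now = new Date();

        if (optional.isPresent()) {
            VerifyAttempt existing = optional.get();
            int incremented = existing.getAttempts() + 1;
            boolean limitReached = incremented >= maxAttempts;
            // Cap the counter at the maximum so it cannot grow without bound while locked out.
            existing.setAttempts(limitReached ? maxAttempts : incremented);
            existing.setAllowRequest(!limitReached);
            existing.setUpdatedAt(now);
            return this.verifyAttemptRepository.update(existing).ignoreElement();
        }

        VerifyAttempt created = new VerifyAttempt();
        created.setUserId(userId);
        created.setFactorId(factorId);
        created.setClient(client.getId());
        created.setReferenceId(domain.getId());
        created.setReferenceType(ReferenceType.DOMAIN);
        created.setAttempts(1);
        // With a maximum of 1 the very first failure already locks the factor.
        created.setAllowRequest(1 < maxAttempts);
        created.setCreatedAt(now);
        created.setUpdatedAt(created.getCreatedAt());
        return this.verifyAttemptRepository.create(created).ignoreElement();
    }

    /**
     * Deletes a single attempt record.
     *
     * @param id the id of the attempt record to delete
     * @return a {@link Completable} that completes when the repository has deleted the record
     */
    @Override
    public Completable delete(String id) {
        LOGGER.debug("delete verify attempt id: {}", id);
        return this.verifyAttemptRepository.delete(id);
    }

    /**
     * Deletes every attempt record of the given user.
     *
     * @param user the user whose attempt records are removed
     * @return a {@link Completable} that completes when the repository has deleted the records
     */
    @Override
    public Completable deleteByUser(User user) {
        String userId = user.getId();
        LOGGER.debug("deleteByUser userID: {}", userId);
        return this.verifyAttemptRepository.deleteByUser(userId);
    }

    /**
     * Deletes every attempt record attached to the given domain.
     *
     * @param domain the domain whose attempt records are removed
     * @param referenceType the reference type passed through to the repository
     * @return a {@link Completable} that completes when the repository has deleted the records
     */
    @Override
    public Completable deleteByDomain(Domain domain, ReferenceType referenceType) {
        String domainId = domain.getId();
        LOGGER.debug("deleteByDomain domainId: {}", domainId);
        return this.verifyAttemptRepository.deleteByDomain(domainId, referenceType);
    }

    /**
     * Tells whether an alert e-mail should be sent when the verification limit is hit.
     *
     * @param client the client used to resolve the account settings
     * @param domain the domain used to resolve the account settings
     * @return the value of the "send verify alert email" setting, or {@code false} when no
     *     account settings can be resolved
     */
    @Override
    public boolean shouldSendEmail(Client client, Domain domain) {
        AccountSettings accountSettings = AccountSettings.getInstance(domain, client);
        // The other entry points treat missing settings as "feature off"; do the same here
        // instead of failing with a NullPointerException.
        return accountSettings != null && accountSettings.isMfaChallengeSendVerifyAlertEmail();
    }

    /**
     * Loads the attempt record matching the criteria and recomputes whether it allows a request.
     *
     * <p>When the reset window (seconds, from the account settings) has elapsed since the last
     * update, the counter is zeroed and the request is allowed. This change is made on the
     * returned object only; nothing is written to the repository here.
     *
     * @param verifyAttemptCriteria the user, factor and client to look up
     * @param accountSettings the settings providing the reset window and the maximum attempts
     * @return the adjusted record, or an empty {@link Maybe} when the repository finds none
     */
    private Maybe<VerifyAttempt> getVerifyAttemptIfExists(VerifyAttemptCriteria verifyAttemptCriteria, AccountSettings accountSettings) {
        return this.verifyAttemptRepository.findByCriteria(verifyAttemptCriteria).flatMap(verifyAttempt -> {
            // Multiply as long: in int arithmetic a reset time above 2,147,483 seconds (about
            // 24.8 days) wraps negative, the window then looks expired at once and the lockout
            // is silently lifted.
            long resetWindowMillis = accountSettings.getMfaChallengeAttemptsResetTime().intValue() * 1000L;
            long windowEnd = verifyAttempt.getUpdatedAt().getTime() + resetWindowMillis;
            if (System.currentTimeMillis() > windowEnd) {
                verifyAttempt.setAttempts(0);
                verifyAttempt.setAllowRequest(true);
            } else {
                verifyAttempt.setAllowRequest(verifyAttempt.getAttempts() < accountSettings.getMfaChallengeMaxAttempts().intValue());
            }
            return Maybe.just(verifyAttempt);
        });
    }

    /**
     * Builds the lookup criteria for one user, factor and client.
     *
     * @param userId the id of the user
     * @param factorId the id of the factor
     * @param clientId the id of the client
     * @return the criteria used to query the attempt repository
     */
    private VerifyAttemptCriteria buildCriteria(String userId, String factorId, String clientId) {
        return new VerifyAttemptCriteria.Builder().userId(userId).factorId(factorId).client(clientId).build();
    }
}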
