package pl.edu.icm.unity.engine.authn;

import com.fasterxml.jackson.core.JsonProcessingException;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.temporal.ChronoUnit;
import java.util.Arrays;
import java.util.Date;
import java.util.Optional;
import java.util.UUID;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.logging.log4j.Logger;
import org.bouncycastle.crypto.digests.SHA256Digest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.base.token.Token;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.EntityManagement;
import pl.edu.icm.unity.engine.api.authn.AuthenticationException;
import pl.edu.icm.unity.engine.api.authn.LoginSession;
import pl.edu.icm.unity.engine.api.authn.RememberMeProcessor;
import pl.edu.icm.unity.engine.api.authn.RememberMeToken;
import pl.edu.icm.unity.engine.api.authn.UnsuccessfulAuthenticationCounter;
import pl.edu.icm.unity.engine.api.session.SessionManagement;
import pl.edu.icm.unity.engine.api.token.TokensManagement;
import pl.edu.icm.unity.engine.api.utils.CookieHelper;
import pl.edu.icm.unity.exceptions.AuthorizationException;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.store.api.TokenDAO;
import pl.edu.icm.unity.types.authn.AuthenticationOptionKey;
import pl.edu.icm.unity.types.authn.AuthenticationRealm;
import pl.edu.icm.unity.types.authn.RememberMePolicy;
import pl.edu.icm.unity.types.basic.EntityParam;

@Component
/* loaded from: input_file:pl/edu/icm/unity/engine/authn/RememberMeProcessorImpl.class */
class RememberMeProcessorImpl implements RememberMeProcessor {
    private static final Logger log = Log.getLogger("unity.server.web", RememberMeProcessorImpl.class);
    public static final String REMEMBER_ME_COOKIE_PFX = "REMEMBERME_";
    private final TokensManagement tokenMan;
    private final SessionManagement sessionMan;
    private final EntityManagement entityMan;

    /* loaded from: input_file:pl/edu/icm/unity/engine/authn/RememberMeProcessorImpl$CookieParseException.class */
    private static class CookieParseException extends RuntimeException {
        private CookieParseException() {
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:pl/edu/icm/unity/engine/authn/RememberMeProcessorImpl$RememberMeCookie.class */
    public static class RememberMeCookie {
        private final String rememberMeSeriesToken;
        private final String rememberMeToken;

        private RememberMeCookie(String str, String str2) {
            this.rememberMeSeriesToken = str;
            this.rememberMeToken = str2;
        }

        static RememberMeCookie parseHttpCookieValue(String str) {
            String[] split = str.split("\\|");
            if (split.length == 2) {
                return new RememberMeCookie(split[0], split[1]);
            }
            throw new CookieParseException();
        }

        String toHttpCookieValue() {
            return this.rememberMeSeriesToken + "|" + this.rememberMeToken;
        }
    }

    @Autowired
    RememberMeProcessorImpl(TokensManagement tokensManagement, SessionManagement sessionManagement, EntityManagement entityManagement) {
        this.tokenMan = tokensManagement;
        this.sessionMan = sessionManagement;
        this.entityMan = entityManagement;
    }

    public Optional<LoginSession> processRememberedWholeAuthn(HttpServletRequest httpServletRequest, ServletResponse servletResponse, String str, AuthenticationRealm authenticationRealm, UnsuccessfulAuthenticationCounter unsuccessfulAuthenticationCounter) {
        return processRememberedFactor(httpServletRequest, servletResponse, str, authenticationRealm, unsuccessfulAuthenticationCounter, RememberMePolicy.allowForWholeAuthn);
    }

    public Optional<LoginSession> processRememberedSecondFactor(HttpServletRequest httpServletRequest, ServletResponse servletResponse, long j, String str, AuthenticationRealm authenticationRealm, UnsuccessfulAuthenticationCounter unsuccessfulAuthenticationCounter) {
        Optional<LoginSession> processRememberedFactor = processRememberedFactor(httpServletRequest, servletResponse, str, authenticationRealm, unsuccessfulAuthenticationCounter, RememberMePolicy.allowFor2ndFactor);
        if (!processRememberedFactor.isPresent() || processRememberedFactor.get().getEntityId() == j) {
            return processRememberedFactor;
        }
        Logger logger = log;
        processRememberedFactor.get().getEntityId();
        logger.warn("Remember me cookie used in second factor authn by entity " + j + " is owned by entity " + logger + ", may signal malicious action");
        unsuccessfulAuthenticationCounter.unsuccessfulAttempt(str);
        return Optional.empty();
    }

    private Optional<LoginSession> processRememberedFactor(HttpServletRequest httpServletRequest, ServletResponse servletResponse, String str, AuthenticationRealm authenticationRealm, UnsuccessfulAuthenticationCounter unsuccessfulAuthenticationCounter, RememberMePolicy rememberMePolicy) {
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        Optional<LoginSession> empty = Optional.empty();
        Optional<RememberMeCookie> empty2 = Optional.empty();
        if (!authenticationRealm.getRememberMePolicy().equals(rememberMePolicy)) {
            return Optional.empty();
        }
        try {
            empty2 = getRememberMeUnityCookie(httpServletRequest, authenticationRealm.getName());
            if (empty2.isPresent()) {
                empty = getLoginSessionFromRememberMeToken(empty2.get(), authenticationRealm, rememberMePolicy.equals(RememberMePolicy.allowForWholeAuthn));
            }
        } catch (AuthenticationException e) {
            log.warn("Remember me cookie is invalid", e);
            unsuccessfulAuthenticationCounter.unsuccessfulAttempt(str);
        } catch (CookieParseException e2) {
            log.warn("Remember me cookie can not be parsed", e2);
            unsuccessfulAuthenticationCounter.unsuccessfulAttempt(str);
        }
        if (empty.isPresent()) {
            updateRememberMeCookieAndUnityToken(empty2.get(), authenticationRealm, httpServletResponse);
            return empty;
        }
        if (empty2.isPresent()) {
            removeRememberMeCookie(authenticationRealm.getName(), httpServletResponse);
            removeRememberMeUnityToken(empty2.get().rememberMeSeriesToken);
        }
        return Optional.empty();
    }

    public void addRememberMeCookieAndUnityToken(HttpServletResponse httpServletResponse, AuthenticationRealm authenticationRealm, RememberMeToken.LoginMachineDetails loginMachineDetails, long j, Date date, AuthenticationOptionKey authenticationOptionKey, AuthenticationOptionKey authenticationOptionKey2) {
        if (authenticationRealm.getRememberMePolicy().equals(RememberMePolicy.disallow)) {
            return;
        }
        UUID randomUUID = UUID.randomUUID();
        UUID randomUUID2 = UUID.randomUUID();
        RememberMeToken createRememberMeUnityToken = createRememberMeUnityToken(j, authenticationRealm, hash(randomUUID2.toString()), date, loginMachineDetails, authenticationOptionKey, authenticationOptionKey2);
        try {
            byte[] serialized = createRememberMeUnityToken.getSerialized();
            Duration absoluteRememberMeCookieTTL = getAbsoluteRememberMeCookieTTL(authenticationRealm);
            try {
                this.tokenMan.addToken("rememberMe", randomUUID.toString(), new EntityParam(Long.valueOf(j)), serialized, createRememberMeUnityToken.getLoginTime(), getExpirationDateAfter(absoluteRememberMeCookieTTL));
                Cookie buildRememberMeHttpCookie = buildRememberMeHttpCookie(authenticationRealm.getName(), new RememberMeCookie(randomUUID.toString(), randomUUID2.toString()).toHttpCookieValue(), absoluteRememberMeCookieTTL);
                log.info("Adding remember me cookie and token for {}", Long.valueOf(j));
                httpServletResponse.addCookie(buildRememberMeHttpCookie);
            } catch (EngineException e) {
                log.warn("Can not add remember me token, skip setting remember me cookie for " + j, e);
            }
        } catch (JsonProcessingException e2) {
            log.warn("Can not serialize remember me token, skip setting remember me cookie", e2);
        }
    }

    private Date getExpirationDateAfter(Duration duration) {
        return new Date(System.currentTimeMillis() + duration.toMillis());
    }

    public void removeRememberMeWithWholeAuthn(String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Optional<RememberMeCookie> empty = Optional.empty();
        try {
            empty = getRememberMeUnityCookie(httpServletRequest, str);
        } catch (CookieParseException e) {
            log.warn("Can not remove remember me token, the cookie content is incorrect", e);
            removeRememberMeCookie(str, httpServletResponse);
        }
        if (empty.isPresent()) {
            Optional<RememberMeToken> rememberMeUnityToken = getRememberMeUnityToken(empty.get());
            if (!rememberMeUnityToken.isPresent()) {
                removeRememberMeCookie(str, httpServletResponse);
            } else if (rememberMeUnityToken.get().getRememberMePolicy().equals(RememberMePolicy.allowForWholeAuthn)) {
                removeRememberMeCookie(str, httpServletResponse);
                removeRememberMeUnityToken(empty.get().rememberMeSeriesToken);
            }
        }
    }

    private void removeRememberMeCookie(String str, HttpServletResponse httpServletResponse) {
        httpServletResponse.addCookie(buildRememberMeHttpCookieCleaner(str));
    }

    private void removeRememberMeUnityToken(String str) {
        try {
            this.tokenMan.removeToken("rememberMe", str);
            log.debug("Remove remember me unity token " + str);
        } catch (Exception e) {
            log.info("Can not remove remember me token {}. The token was removed or expired", str, e);
        }
    }

    private Optional<String> getHttpRememberMeCookieValue(HttpServletRequest httpServletRequest, String str) {
        String cookie = CookieHelper.getCookie(httpServletRequest, getRememberMeCookieName(str));
        return (cookie == null || cookie.isEmpty()) ? Optional.empty() : Optional.ofNullable(cookie);
    }

    private Optional<RememberMeCookie> getRememberMeUnityCookie(HttpServletRequest httpServletRequest, String str) {
        return getHttpRememberMeCookieValue(httpServletRequest, str).map(RememberMeCookie::parseHttpCookieValue);
    }

    private Optional<RememberMeToken> getAndCheckRememberMeUnityToken(RememberMeCookie rememberMeCookie, AuthenticationRealm authenticationRealm) throws AuthenticationException {
        Optional<RememberMeToken> rememberMeUnityToken = getRememberMeUnityToken(rememberMeCookie);
        if (!rememberMeUnityToken.isPresent()) {
            return Optional.empty();
        }
        if (!Arrays.equals(rememberMeUnityToken.get().getRememberMeTokenHash(), hash(rememberMeCookie.rememberMeToken))) {
            throw new AuthenticationException("Someone change remember me cookie contents, may signal malicious action");
        }
        if (authenticationRealm.getRememberMePolicy().equals(rememberMeUnityToken.get().getRememberMePolicy())) {
            return rememberMeUnityToken;
        }
        log.info("The remember me token is invalid, remember me policy was changed");
        return Optional.empty();
    }

    private Optional<LoginSession> getLoginSessionFromRememberMeToken(RememberMeCookie rememberMeCookie, AuthenticationRealm authenticationRealm, boolean z) throws AuthenticationException {
        Optional<RememberMeToken> andCheckRememberMeUnityToken = getAndCheckRememberMeUnityToken(rememberMeCookie, authenticationRealm);
        if (!andCheckRememberMeUnityToken.isPresent()) {
            return Optional.empty();
        }
        AuthenticationOptionKey secondFactorAuthnOptionId = andCheckRememberMeUnityToken.get().getSecondFactorAuthnOptionId();
        long entity = andCheckRememberMeUnityToken.get().getEntity();
        return Optional.of(this.sessionMan.createSession(entity, authenticationRealm, getLabel(entity), (String) null, new LoginSession.RememberMeInfo(z, secondFactorAuthnOptionId != null), andCheckRememberMeUnityToken.get().getFirstFactorAuthnOptionId(), secondFactorAuthnOptionId));
    }

    private String getLabel(long j) {
        try {
            return this.entityMan.getEntityLabel(new EntityParam(Long.valueOf(j)));
        } catch (EngineException e) {
            log.error("Can not get the attribute designated with EntityName", e);
            return "";
        } catch (AuthorizationException e2) {
            log.debug("Not setting entity's label as the client is not authorized to read the attribute", e2);
            return "";
        }
    }

    private Optional<RememberMeToken> getRememberMeUnityToken(RememberMeCookie rememberMeCookie) {
        Token token = null;
        try {
            token = this.tokenMan.getTokenById("rememberMe", rememberMeCookie.rememberMeSeriesToken);
        } catch (TokenDAO.TokenNotFoundException e) {
            log.debug("Can not get rememberMeToken, token was removed or expired");
        }
        if (token != null) {
            try {
                return Optional.ofNullable(RememberMeToken.getInstanceFromJson(token.getContents()));
            } catch (IllegalArgumentException e2) {
                log.warn("Can not parse rememberMe token", e2);
            }
        }
        return Optional.empty();
    }

    private Cookie buildRememberMeHttpCookie(String str, String str2, Duration duration) {
        return CookieHelper.setupHttpCookie(getRememberMeCookieName(str), str2, (int) duration.get(ChronoUnit.SECONDS));
    }

    private Cookie buildRememberMeHttpCookieCleaner(String str) {
        return CookieHelper.setupHttpCookie(getRememberMeCookieName(str), "", 0);
    }

    private RememberMeToken createRememberMeUnityToken(long j, AuthenticationRealm authenticationRealm, byte[] bArr, Date date, RememberMeToken.LoginMachineDetails loginMachineDetails, AuthenticationOptionKey authenticationOptionKey, AuthenticationOptionKey authenticationOptionKey2) {
        return new RememberMeToken(j, loginMachineDetails, date, authenticationOptionKey, authenticationOptionKey2, bArr, authenticationRealm.getRememberMePolicy());
    }

    private byte[] hash(String str) {
        byte[] bytes = str.getBytes(StandardCharsets.UTF_8);
        SHA256Digest sHA256Digest = new SHA256Digest();
        sHA256Digest.update(bytes, 0, bytes.length);
        byte[] bArr = new byte[sHA256Digest.getDigestSize()];
        sHA256Digest.doFinal(bArr, 0);
        return bArr;
    }

    public static String getRememberMeCookieName(String str) {
        return "REMEMBERME_" + str;
    }

    private static Duration getAbsoluteRememberMeCookieTTL(AuthenticationRealm authenticationRealm) {
        return Duration.ofDays(authenticationRealm.getAllowForRememberMeDays());
    }

    private void updateRememberMeCookieAndUnityToken(RememberMeCookie rememberMeCookie, AuthenticationRealm authenticationRealm, HttpServletResponse httpServletResponse) {
        log.debug("Update remember me cookie and token");
        Optional<RememberMeToken> rememberMeUnityToken = getRememberMeUnityToken(rememberMeCookie);
        if (!rememberMeUnityToken.isPresent()) {
            removeRememberMeCookie(authenticationRealm.getName(), httpServletResponse);
            return;
        }
        String uuid = UUID.randomUUID().toString();
        rememberMeUnityToken.get().setRememberMeTokenHash(hash(uuid));
        Duration absoluteRememberMeCookieTTL = getAbsoluteRememberMeCookieTTL(authenticationRealm);
        try {
            this.tokenMan.updateToken("rememberMe", rememberMeCookie.rememberMeSeriesToken, getExpirationDateAfter(absoluteRememberMeCookieTTL), rememberMeUnityToken.get().getSerialized());
            httpServletResponse.addCookie(buildRememberMeHttpCookie(authenticationRealm.getName(), new RememberMeCookie(rememberMeCookie.rememberMeSeriesToken, uuid).toHttpCookieValue(), absoluteRememberMeCookieTTL));
        } catch (JsonProcessingException e) {
            log.warn("Can not set remember me token, skip setting remember me cookie", e);
        }
    }
}
