package pl.edu.icm.unity.engine.session;

import java.util.Iterator;
import java.util.Optional;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.authn.AuthenticationFlow;
import pl.edu.icm.unity.engine.api.authn.AuthenticationProcessor;
import pl.edu.icm.unity.engine.api.authn.AuthenticatorInstance;
import pl.edu.icm.unity.engine.api.authn.InvocationContext;
import pl.edu.icm.unity.engine.api.authn.LoginSession;
import pl.edu.icm.unity.engine.api.config.UnityServerConfiguration;
import pl.edu.icm.unity.engine.api.session.AdditionalAuthenticationRequiredException;
import pl.edu.icm.unity.types.authn.AuthenticationOptionKeyUtils;
import pl.edu.icm.unity.types.authn.AuthenticatorInstanceMetadata;

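/**
 * Decides whether the operation being invoked must be preceded by an additional
 * (repeated) authentication of the entity that owns the current login session.
 *
 * <p>All session and endpoint data is read from {@link InvocationContext#getCurrent()}.
 * An authentication option that was used within the configured grace time (as additional
 * authentication, first factor or second factor of the session) is accepted without asking again.
 *
 * <p>This listing is decompiler (JADX) output of
 * {@code pl/edu/icm/unity/engine/session/AdditionalAuthenticationService.class}.
 * The body of {@link #getOptionToReAuthenticate(Optional)} could not be recovered, so the
 * selection of the re-authentication option is NOT visible here and must be reviewed
 * against the bytecode or the original sources.
 */
@Component
public class AdditionalAuthenticationService {
    private static final Logger log = Log.getLogger("unity.server", AdditionalAuthenticationService.class);

    private final AuthenticationProcessor authnProcessor;

    // Value of the "reAuthenticationPolicy" setting. Not read by any recovered method;
    // presumably consumed by getOptionToReAuthenticate - confirm against the bytecode.
    private final String policyStr;

    // Value of the "reAuthenticationBlockOnNoOption" setting. Not read by any recovered method;
    // presumably consumed by getOptionToReAuthenticate - confirm against the bytecode.
    private final boolean failOnNoMatch;

    // Window, in milliseconds, during which an earlier authentication with the same option is accepted.
    private final long graceTimeMS;

    /**
     * Builds the service from the server configuration.
     *
     * <p>The "reAuthenticationGraceTime" value is multiplied by 1000 to obtain milliseconds
     * (so it is presumably configured in seconds - confirm against the configuration docs).
     *
     * @param unityServerConfiguration source of the three re-authentication settings
     * @param authenticationProcessor used for credential and authenticator lookups
     */
    @Autowired
    public AdditionalAuthenticationService(UnityServerConfiguration unityServerConfiguration, AuthenticationProcessor authenticationProcessor) {
        // 1000L forces long arithmetic. With int arithmetic a configured value above
        // Integer.MAX_VALUE / 1000 (2,147,483) wraps before it is widened, which yields a wrong,
        // possibly negative, grace window for a security-relevant timeout.
        this(authenticationProcessor,
                unityServerConfiguration.getValue("reAuthenticationPolicy"),
                unityServerConfiguration.getBooleanValue("reAuthenticationBlockOnNoOption").booleanValue(),
                unityServerConfiguration.getIntValue("reAuthenticationGraceTime").intValue() * 1000L);
    }

    /**
     * Package-private constructor taking already resolved settings.
     *
     * @param authenticationProcessor used for credential and authenticator lookups
     * @param str the re-authentication policy string
     * @param z whether a missing option should block (stored in {@code failOnNoMatch})
     * @param j grace time in milliseconds
     */
    AdditionalAuthenticationService(AuthenticationProcessor authenticationProcessor, String str, boolean z, long j) {
        this.authnProcessor = authenticationProcessor;
        this.policyStr = str;
        this.failOnNoMatch = z;
        this.graceTimeMS = j;
    }

    /**
     * Same as {@link #checkAdditionalAuthenticationRequirements(String)} with a {@code null} argument.
     */
    public void checkAdditionalAuthenticationRequirements() {
        checkAdditionalAuthenticationRequirements(null);
    }

    /**
     * Throws when the current session has to authenticate again before continuing.
     *
     * <p>NOTE(review): when no option is selected ({@code null}) this method returns normally,
     * i.e. the caller proceeds without additional authentication. Whether {@code failOnNoMatch}
     * turns that case into a rejection cannot be seen in this listing.
     *
     * <p>In this decompiled listing {@link #getOptionToReAuthenticate(Optional)} is a stub, so the
     * call always ends in {@link UnsupportedOperationException}.
     *
     * @param str optional value forwarded to the option selection, may be {@code null}
     * @throws AdditionalAuthenticationRequiredException carrying the option to authenticate with,
     *         when that option was not used within the grace time
     */
    public void checkAdditionalAuthenticationRequirements(String str) {
        String option = getOptionToReAuthenticate(Optional.ofNullable(str));
        if (option == null || !isAdditionalAuthnRequiredForOption(option)) {
            return;
        }
        log.debug("Additional authn is required with option {}", option);
        throw new AdditionalAuthenticationRequiredException(option);
    }

    /**
     * Selects the authentication option to re-authenticate with.
     *
     * <p>NOT RECOVERED: JADX reported "Code decompiled incorrectly" for this method (284 bytecode
     * instructions, several duplicated regions removed) and emitted only the placeholder below.
     * Do not treat this stub as the real logic; re-run the decompiler with
     * {@code --show-bad-code} or consult the original sources before reasoning about the policy.
     *
     * @param requested value supplied by the caller, possibly empty
     * @return never returns in this listing
     * @throws UnsupportedOperationException always, in this listing
     */
    private String getOptionToReAuthenticate(Optional<String> requested) {
        throw new UnsupportedOperationException("Method not decompiled: pl.edu.icm.unity.engine.session.AdditionalAuthenticationService.getOptionToReAuthenticate(java.util.Optional):java.lang.String");
    }

    /**
     * Returns {@code authenticatorId} when the current endpoint has an authenticator with that id
     * which is usable for re-authentication, otherwise {@code null}.
     */
    private String findOnEndpoint(String authenticatorId) {
        return isValidForReauthentication(authenticatorId) ? authenticatorId : null;
    }

    /**
     * Searches all authenticators of the endpoint flows for one whose local credential name equals
     * the given value and which is usable for re-authentication.
     *
     * @return id of the first matching authenticator, or {@code null} when the argument is empty
     *         or nothing matches
     */
    private String getMatchingCredential(Optional<String> optional) {
        if (!optional.isPresent()) {
            return null;
        }
        String credentialName = optional.get();
        for (AuthenticationFlow flow : InvocationContext.getCurrent().getEndpointFlows()) {
            for (AuthenticatorInstance candidate : flow.getAllAuthenticators()) {
                AuthenticatorInstanceMetadata metadata = candidate.getMetadata();
                if (credentialName.equals(metadata.getLocalCredentialName()) && isValidForReauthentication(candidate)) {
                    return metadata.getId();
                }
            }
        }
        return null;
    }

    /** Authenticator of the session's first-factor option, if usable for re-authentication. */
    private String getSession1stF() {
        return getFromSessionFactor(InvocationContext.getCurrent().getLoginSession().getLogin1stFactorOptionId());
    }

    /** Authenticator of the session's second-factor option, if usable for re-authentication. */
    private String getSession2ndF() {
        return getFromSessionFactor(InvocationContext.getCurrent().getLoginSession().getLogin2ndFactorOptionId());
    }

    /**
     * Decodes the authenticator from a session option id and returns it only when it is usable
     * for re-authentication on the current endpoint.
     *
     * @param optionId option id stored in the login session, may be {@code null}
     * @return the decoded authenticator, or {@code null}
     */
    private String getFromSessionFactor(String optionId) {
        if (optionId == null) {
            return null;
        }
        String authenticator = AuthenticationOptionKeyUtils.decodeAuthenticator(optionId);
        return isValidForReauthentication(authenticator) ? authenticator : null;
    }

    /**
     * Returns the id of the first second-factor authenticator, over all endpoint flows, that the
     * authentication processor reports as valid for the session's entity, or {@code null}.
     *
     * <p>NOTE(review): unlike the other lookups this one does not call
     * {@code isValidForReauthentication}; confirm that is intended.
     */
    private String getEndpoint2ndF() {
        long entityId = InvocationContext.getCurrent().getLoginSession().getEntityId();
        for (AuthenticationFlow flow : InvocationContext.getCurrent().getEndpointFlows()) {
            AuthenticatorInstance found = this.authnProcessor.getValidAuthenticatorForEntity(flow.getSecondFactorAuthenticators(), entityId);
            if (found != null) {
                return found.getMetadata().getId();
            }
        }
        return null;
    }

    /** Finds any authenticator of the current endpoint's flows whose metadata id equals the argument. */
    private Optional<AuthenticatorInstance> getEndpointAuthenticator(String authenticatorId) {
        return InvocationContext.getCurrent().getEndpointFlows().stream()
                .flatMap(flow -> flow.getAllAuthenticators().stream())
                .filter(candidate -> authenticatorId.equals(candidate.getMetadata().getId()))
                .findAny();
    }

    /** True when the endpoint has an authenticator with this id and it is usable for re-authentication. */
    private boolean isValidForReauthentication(String authenticatorId) {
        return getEndpointAuthenticator(authenticatorId)
                .filter(candidate -> isValidForReauthentication(candidate))
                .isPresent();
    }

    /**
     * An authenticator is usable for re-authentication only when its retrieval does not require a
     * redirect, it is bound to a local credential, and the session's entity has that credential.
     */
    private boolean isValidForReauthentication(AuthenticatorInstance authenticatorInstance) {
        return !authenticatorInstance.getRetrieval().requiresRedirect()
                && authenticatorInstance.getMetadata().getLocalCredentialName() != null
                && userCanUse(authenticatorInstance.getMetadata());
    }

    /** Asks the authentication processor whether the session's entity has the authenticator's credential. */
    private boolean userCanUse(AuthenticatorInstanceMetadata authenticatorInstanceMetadata) {
        return this.authnProcessor.checkIfUserHasCredential(authenticatorInstanceMetadata, InvocationContext.getCurrent().getLoginSession().getEntityId());
    }

    /**
     * Additional authentication is required unless the option was used within the grace time as
     * the session's additional authentication, first factor or second factor.
     */
    private boolean isAdditionalAuthnRequiredForOption(String option) {
        LoginSession session = InvocationContext.getCurrent().getLoginSession();
        boolean recentlyUsed = checkAuthnInfoInGracePeriod(session.getAdditionalAuthn(), option, this.graceTimeMS)
                || checkAuthnInfoInGracePeriod(session.getLogin1stFactor(), option, this.graceTimeMS)
                || checkAuthnInfoInGracePeriod(session.getLogin2ndFactor(), option, this.graceTimeMS);
        return !recentlyUsed;
    }

    /**
     * Checks whether the recorded authentication was made with the given option and is still
     * inside the grace window.
     *
     * @param authNInfo recorded authentication, may be {@code null}
     * @param option authenticator to compare with the decoded recorded option
     * @param graceMs length of the grace window in milliseconds
     * @return {@code true} only when the record exists, names the same authenticator and the
     *         current time is earlier than the record time plus {@code graceMs}
     */
    private boolean checkAuthnInfoInGracePeriod(LoginSession.AuthNInfo authNInfo, String option, long graceMs) {
        // One clock reading, so the traced timestamp is exactly the one used for the decision.
        long now = System.currentTimeMillis();
        log.trace("Checking if {} contains {} in grace period {} at {}", authNInfo, option, Long.valueOf(graceMs), Long.valueOf(now));
        if (authNInfo == null || authNInfo.optionId == null) {
            return false;
        }
        return AuthenticationOptionKeyUtils.decodeAuthenticator(authNInfo.optionId).equals(option)
                && now < graceMs + authNInfo.time.getTime();
    }
}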
