package pl.edu.icm.unity.engine.authn;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import org.apache.logging.log4j.Logger;
import org.springframework.context.annotation.Primary;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.base.authn.AuthenticationOptionKey;
import pl.edu.icm.unity.base.authn.AuthenticationRealm;
import pl.edu.icm.unity.base.entity.EntityParam;
import pl.edu.icm.unity.base.exceptions.EngineException;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.EntityManagement;
import pl.edu.icm.unity.engine.api.authn.AuthenticatedEntity;
import pl.edu.icm.unity.engine.api.authn.AuthenticationException;
import pl.edu.icm.unity.engine.api.authn.AuthenticationPolicy;
import pl.edu.icm.unity.engine.api.authn.AuthenticationProcessor;
import pl.edu.icm.unity.engine.api.authn.AuthenticationResult;
import pl.edu.icm.unity.engine.api.authn.AuthenticationStepContext;
import pl.edu.icm.unity.engine.api.authn.AuthorizationException;
import pl.edu.icm.unity.engine.api.authn.InteractiveAuthenticationProcessor;
import pl.edu.icm.unity.engine.api.authn.InvocationContext;
import pl.edu.icm.unity.engine.api.authn.LastAuthenticationCookie;
import pl.edu.icm.unity.engine.api.authn.LoginSession;
import pl.edu.icm.unity.engine.api.authn.PartialAuthnState;
import pl.edu.icm.unity.engine.api.authn.RememberMeToken;
import pl.edu.icm.unity.engine.api.authn.RemoteAuthnMetadata;
import pl.edu.icm.unity.engine.api.authn.SessionCookie;
import pl.edu.icm.unity.engine.api.authn.UnsuccessfulAccessCounter;
import pl.edu.icm.unity.engine.api.authn.remote.RemoteSandboxAuthnContext;
import pl.edu.icm.unity.engine.api.authn.remote.RemotelyAuthenticatedInput;
import pl.edu.icm.unity.engine.api.authn.remote.UnknownRemoteUserException;
import pl.edu.icm.unity.engine.api.authn.sandbox.SandboxAuthenticationResult;
import pl.edu.icm.unity.engine.api.authn.sandbox.SandboxAuthnEvent;
import pl.edu.icm.unity.engine.api.authn.sandbox.SandboxAuthnRouter;
import pl.edu.icm.unity.engine.api.session.LoginToHttpSessionBinder;
import pl.edu.icm.unity.engine.api.session.SessionManagement;
import pl.edu.icm.unity.engine.api.session.SessionParticipant;
import pl.edu.icm.unity.engine.api.session.SessionParticipantTypesRegistry;
import pl.edu.icm.unity.engine.api.session.SessionParticipants;

@Primary
@Component
/* loaded from: input_file:pl/edu/icm/unity/engine/authn/InteractiveAuthneticationProcessorImpl.class */
class InteractiveAuthneticationProcessorImpl implements InteractiveAuthenticationProcessor {
    private static final Logger log = Log.getLogger("unity.server.authn", InteractiveAuthneticationProcessorImpl.class);
    private final AuthenticationProcessor basicAuthnProcessor;
    private final EntityManagement entityMan;
    private final SessionManagement sessionMan;
    private final SessionParticipantTypesRegistry participantTypesRegistry;
    private final LoginToHttpSessionBinder sessionBinder;
    private final RememberMeProcessorImpl rememberMeProcessor;

    InteractiveAuthneticationProcessorImpl(AuthenticationProcessor authenticationProcessor, EntityManagement entityManagement, SessionManagement sessionManagement, SessionParticipantTypesRegistry sessionParticipantTypesRegistry, LoginToHttpSessionBinder loginToHttpSessionBinder, RememberMeProcessorImpl rememberMeProcessorImpl) {
        this.basicAuthnProcessor = authenticationProcessor;
        this.entityMan = entityManagement;
        this.sessionMan = sessionManagement;
        this.participantTypesRegistry = sessionParticipantTypesRegistry;
        this.sessionBinder = loginToHttpSessionBinder;
        this.rememberMeProcessor = rememberMeProcessorImpl;
    }

    public InteractiveAuthenticationProcessor.PostAuthenticationStepDecision processFirstFactorResult(AuthenticationResult authenticationResult, AuthenticationStepContext authenticationStepContext, RememberMeToken.LoginMachineDetails loginMachineDetails, boolean z, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, InteractiveAuthenticationProcessor.SessionReinitializer sessionReinitializer) {
        LoginSession loginSessionForEntity;
        try {
            PartialAuthnState processPrimaryAuthnResult = this.basicAuthnProcessor.processPrimaryAuthnResult(authenticationResult, authenticationStepContext.selectedAuthnFlow, authenticationStepContext.authnOptionId);
            assertNotFailed(processPrimaryAuthnResult.getPrimaryResult());
            if (processPrimaryAuthnResult.isSecondaryAuthenticationRequired()) {
                Optional<LoginSession> processRememberedSecondFactor = this.rememberMeProcessor.processRememberedSecondFactor(httpServletRequest, httpServletResponse, authenticationResult.getSuccessResult().authenticatedEntity.getEntityId().longValue(), loginMachineDetails.getIp(), authenticationStepContext.realm, getLoginCounter(httpServletRequest));
                if (!processRememberedSecondFactor.isPresent()) {
                    log.debug("2nd factor authentication required for {} with {}", processPrimaryAuthnResult.getPrimaryResult().getSuccessResult().authenticatedEntity, processPrimaryAuthnResult.getSecondaryAuthenticator().getAuthenticatorId());
                    setLastIdpCookie(httpServletResponse, authenticationStepContext.authnOptionId, authenticationStepContext.endpointPath);
                    return InteractiveAuthenticationProcessor.PostAuthenticationStepDecision.goToSecondFactor(new InteractiveAuthenticationProcessor.PostAuthenticationStepDecision.SecondFactorDetail(processPrimaryAuthnResult));
                }
                loginSessionForEntity = processRememberedSecondFactor.get();
                log.debug("Second factor authn is remembered by entity " + loginSessionForEntity.getEntityId() + ", skipping it");
            } else {
                loginSessionForEntity = getLoginSessionForEntity(getAuthnContext(processPrimaryAuthnResult.getPrimaryResult()), processPrimaryAuthnResult.getPrimaryResult().getSuccessResult().authenticatedEntity, authenticationStepContext.realm, processPrimaryAuthnResult.getFirstFactorOptionId(), null);
            }
            if (loginSessionForEntity == null) {
                throw new IllegalStateException("BUG: code tried to finalize authentication without login session");
            }
            logged(this.basicAuthnProcessor.finalizeAfterPrimaryAuthentication(processPrimaryAuthnResult, loginSessionForEntity.getRememberMeInfo().secondFactorSkipped), loginSessionForEntity, authenticationStepContext.realm, loginMachineDetails, z, AuthenticationProcessor.extractParticipants(new AuthenticationResult[]{authenticationResult}), sessionReinitializer, httpServletResponse);
            setLastIdpCookie(httpServletResponse, authenticationStepContext.authnOptionId, authenticationStepContext.endpointPath);
            return InteractiveAuthenticationProcessor.PostAuthenticationStepDecision.completed();
        } catch (AuthenticationException e) {
            return interpretAuthnException(e, httpServletRequest, loginMachineDetails.getIp());
        }
    }

    private void assertNotFailed(AuthenticationResult authenticationResult) {
        if (authenticationResult.getStatus() == AuthenticationResult.Status.deny) {
            throw new IllegalStateException("Exception should be thrown to signal authN failure");
        }
    }

    public InteractiveAuthenticationProcessor.PostAuthenticationStepDecision processSecondFactorResult(PartialAuthnState partialAuthnState, AuthenticationResult authenticationResult, AuthenticationStepContext authenticationStepContext, RememberMeToken.LoginMachineDetails loginMachineDetails, boolean z, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, InteractiveAuthenticationProcessor.SessionReinitializer sessionReinitializer) {
        try {
            AuthenticatedEntity finalizeAfterSecondaryAuthentication = this.basicAuthnProcessor.finalizeAfterSecondaryAuthentication(partialAuthnState, authenticationResult);
            logged(finalizeAfterSecondaryAuthentication, getLoginSessionForEntity(getAuthnContext(partialAuthnState.getPrimaryResult()), finalizeAfterSecondaryAuthentication, authenticationStepContext.realm, partialAuthnState.getFirstFactorOptionId(), authenticationStepContext.authnOptionId), authenticationStepContext.realm, loginMachineDetails, z, AuthenticationProcessor.extractParticipants(new AuthenticationResult[]{partialAuthnState.getPrimaryResult(), authenticationResult}), sessionReinitializer, httpServletResponse);
            return InteractiveAuthenticationProcessor.PostAuthenticationStepDecision.completed();
        } catch (AuthenticationException e) {
            return interpretAuthnException(e, httpServletRequest, loginMachineDetails.getIp());
        }
    }

    public InteractiveAuthenticationProcessor.PostAuthenticationStepDecision processRemoteRegistrationResult(AuthenticationResult authenticationResult, AuthenticationStepContext authenticationStepContext, RememberMeToken.LoginMachineDetails loginMachineDetails, HttpServletRequest httpServletRequest) {
        log.info("Processing results of remote authentication {}", authenticationResult);
        if (log.isDebugEnabled()) {
            log.debug("Complete remote authn context:\n{}", authenticationResult.toStringFull());
        }
        try {
            this.basicAuthnProcessor.processPrimaryAuthnResult(authenticationResult, authenticationStepContext.selectedAuthnFlow, authenticationStepContext.authnOptionId);
            return InteractiveAuthenticationProcessor.PostAuthenticationStepDecision.completed();
        } catch (AuthenticationException e) {
            return interpretAuthnException(e, httpServletRequest, loginMachineDetails.getIp());
        }
    }

    public void syntheticAuthenticate(RemoteAuthnMetadata remoteAuthnMetadata, AuthenticatedEntity authenticatedEntity, List<SessionParticipant> list, AuthenticationOptionKey authenticationOptionKey, AuthenticationRealm authenticationRealm, RememberMeToken.LoginMachineDetails loginMachineDetails, boolean z, HttpServletResponse httpServletResponse, InteractiveAuthenticationProcessor.SessionReinitializer sessionReinitializer) {
        logged(authenticatedEntity, getLoginSessionForEntity(remoteAuthnMetadata, authenticatedEntity, authenticationRealm, authenticationOptionKey, null), authenticationRealm, loginMachineDetails, z, list, sessionReinitializer, httpServletResponse);
    }

    public InteractiveAuthenticationProcessor.PostAuthenticationStepDecision processFirstFactorSandboxAuthnResult(SandboxAuthenticationResult sandboxAuthenticationResult, AuthenticationStepContext authenticationStepContext, RememberMeToken.LoginMachineDetails loginMachineDetails, HttpServletRequest httpServletRequest, SandboxAuthnRouter sandboxAuthnRouter) {
        try {
            PartialAuthnState processPrimaryAuthnResult = this.basicAuthnProcessor.processPrimaryAuthnResult(sandboxAuthenticationResult, authenticationStepContext.selectedAuthnFlow, (AuthenticationOptionKey) null);
            assertNotFailed(processPrimaryAuthnResult.getPrimaryResult());
            if (processPrimaryAuthnResult.isSecondaryAuthenticationRequired()) {
                return InteractiveAuthenticationProcessor.PostAuthenticationStepDecision.goToSecondFactor(new InteractiveAuthenticationProcessor.PostAuthenticationStepDecision.SecondFactorDetail(processPrimaryAuthnResult));
            }
            sandboxAuthnRouter.fireEvent(new SandboxAuthnEvent(sandboxAuthenticationResult.sandboxAuthnInfo, this.basicAuthnProcessor.finalizeAfterPrimaryAuthentication(processPrimaryAuthnResult, false), httpServletRequest.getSession().getId()));
            return InteractiveAuthenticationProcessor.PostAuthenticationStepDecision.completed();
        } catch (AuthenticationException e) {
            sandboxAuthnRouter.fireEvent(new SandboxAuthnEvent(RemoteSandboxAuthnContext.failedAuthn((Exception) sandboxAuthenticationResult.sandboxAuthnInfo.getAuthnException().orElse(e), sandboxAuthenticationResult.sandboxAuthnInfo.getLogs(), (RemotelyAuthenticatedInput) sandboxAuthenticationResult.sandboxAuthnInfo.getRemotePrincipal().map((v0) -> {
                return v0.getAuthnInput();
            }).orElse(null)), (AuthenticatedEntity) null, httpServletRequest.getSession().getId()));
            return interpretAuthnException(e, httpServletRequest, loginMachineDetails.getIp());
        } catch (UnknownRemoteUserException e2) {
            sandboxAuthnRouter.fireEvent(new SandboxAuthnEvent(sandboxAuthenticationResult.sandboxAuthnInfo, (AuthenticatedEntity) null, httpServletRequest.getSession() != null ? httpServletRequest.getSession().getId() : null));
            return InteractiveAuthenticationProcessor.PostAuthenticationStepDecision.completed();
        }
    }

    public InteractiveAuthenticationProcessor.PostAuthenticationStepDecision processSecondFactorSandboxAuthnResult(PartialAuthnState partialAuthnState, SandboxAuthenticationResult sandboxAuthenticationResult, AuthenticationStepContext authenticationStepContext, RememberMeToken.LoginMachineDetails loginMachineDetails, HttpServletRequest httpServletRequest, SandboxAuthnRouter sandboxAuthnRouter) {
        try {
            sandboxAuthnRouter.fireEvent(new SandboxAuthnEvent(sandboxAuthenticationResult.sandboxAuthnInfo, this.basicAuthnProcessor.finalizeAfterSecondaryAuthentication(partialAuthnState, sandboxAuthenticationResult), httpServletRequest.getSession().getId()));
            return InteractiveAuthenticationProcessor.PostAuthenticationStepDecision.completed();
        } catch (AuthenticationException e) {
            sandboxAuthnRouter.fireEvent(new SandboxAuthnEvent(RemoteSandboxAuthnContext.failedAuthn(e, sandboxAuthenticationResult.sandboxAuthnInfo.getLogs(), (RemotelyAuthenticatedInput) sandboxAuthenticationResult.sandboxAuthnInfo.getRemotePrincipal().map((v0) -> {
                return v0.getAuthnInput();
            }).orElse(null)), (AuthenticatedEntity) null, httpServletRequest.getSession().getId()));
            return interpretAuthnException(e, httpServletRequest, loginMachineDetails.getIp());
        }
    }

    private InteractiveAuthenticationProcessor.PostAuthenticationStepDecision interpretAuthnException(AuthenticationException authenticationException, HttpServletRequest httpServletRequest, String str) {
        UnsuccessfulAccessCounter loginCounter = getLoginCounter(httpServletRequest);
        if (authenticationException instanceof UnknownRemoteUserException) {
            log.info("Unknown remote user for {}", authenticationException.getResult().asRemote().getUnknownRemotePrincipalResult());
            return InteractiveAuthenticationProcessor.PostAuthenticationStepDecision.unknownRemoteUser(new InteractiveAuthenticationProcessor.PostAuthenticationStepDecision.UnknownRemoteUserDetail(authenticationException.getResult().asRemote().getUnknownRemotePrincipalResult()));
        }
        log.info("Authentication failure: {} {}", authenticationException.getMessage(), authenticationException.getResult());
        loginCounter.unsuccessfulAttempt(str);
        return InteractiveAuthenticationProcessor.PostAuthenticationStepDecision.error(new InteractiveAuthenticationProcessor.PostAuthenticationStepDecision.ErrorDetail(new AuthenticationResult.ResolvableError(authenticationException.getMessage(), new Object[0])));
    }

    private LoginSession getLoginSessionForEntity(RemoteAuthnMetadata remoteAuthnMetadata, AuthenticatedEntity authenticatedEntity, AuthenticationRealm authenticationRealm, AuthenticationOptionKey authenticationOptionKey, AuthenticationOptionKey authenticationOptionKey2) {
        long longValue = authenticatedEntity.getEntityId().longValue();
        return this.sessionMan.getCreateSession(longValue, authenticationRealm, getLabel(longValue), authenticatedEntity.getOutdatedCredentialId(), new LoginSession.RememberMeInfo(false, false), authenticationOptionKey, authenticationOptionKey2, remoteAuthnMetadata);
    }

    private RemoteAuthnMetadata getAuthnContext(AuthenticationResult authenticationResult) {
        if (authenticationResult.isRemote()) {
            return authenticationResult.asRemote().getSuccessResult().getRemotelyAuthenticatedPrincipal().getAuthnInput().getRemoteAuthnMetadata();
        }
        return null;
    }

    private void logged(AuthenticatedEntity authenticatedEntity, LoginSession loginSession, AuthenticationRealm authenticationRealm, RememberMeToken.LoginMachineDetails loginMachineDetails, boolean z, List<SessionParticipant> list, InteractiveAuthenticationProcessor.SessionReinitializer sessionReinitializer, HttpServletResponse httpServletResponse) {
        this.sessionMan.updateSessionAttributes(loginSession.getId(), new SessionParticipants.AddParticipantToSessionTask(this.participantTypesRegistry, (SessionParticipant[]) list.toArray(new SessionParticipant[list.size()])));
        HttpSession reinitialize = sessionReinitializer.reinitialize();
        bindReinitializedHttpSession(reinitialize, loginSession, authenticationRealm);
        if (z) {
            this.rememberMeProcessor.addRememberMeCookieAndUnityToken(httpServletResponse, authenticationRealm, loginMachineDetails, loginSession.getEntityId(), loginSession.getStarted(), loginSession.getLogin1stFactorOptionId(), loginSession.getLogin2ndFactorOptionId());
        }
        addSessionCookie(authenticationRealm.getName(), loginSession.getId(), httpServletResponse);
        loginSession.addAuthenticatedIdentities(authenticatedEntity.getAuthenticatedWith());
        loginSession.setRemoteIdP(authenticatedEntity.getRemoteIdP());
        if (loginSession.isUsedOutdatedCredential()) {
            log.info("User {} logged with outdated credential", Long.valueOf(loginSession.getEntityId()));
        }
        AuthenticationPolicy.setPolicy(reinitialize, AuthenticationPolicy.DEFAULT);
        log.info("Logged with session: {}, first factor authn option: {}, second factor authn option: {}, first factor skipped: {}, second factor skipped: {}", loginSession.toString(), loginSession.getLogin1stFactorOptionId(), loginSession.getLogin2ndFactorOptionId(), Boolean.valueOf(loginSession.getRememberMeInfo().firstFactorSkipped), Boolean.valueOf(loginSession.getRememberMeInfo().secondFactorSkipped));
    }

    private void bindReinitializedHttpSession(HttpSession httpSession, LoginSession loginSession, AuthenticationRealm authenticationRealm) {
        LoginSession loginSession2 = (LoginSession) httpSession.getAttribute("pl.edu.icm.unity.web.WebSession");
        boolean z = loginSession2 != null && loginSession2.getId().equals(loginSession.getId());
        boolean equals = authenticationRealm.getName().equals(InvocationContext.safeGetRealm());
        if (z || equals) {
            this.sessionBinder.bindHttpSession(httpSession, loginSession);
        }
    }

    private static UnsuccessfulAccessCounter getLoginCounter(HttpServletRequest httpServletRequest) {
        UnsuccessfulAccessCounter unsuccessfulAccessCounter = (UnsuccessfulAccessCounter) httpServletRequest.getServletContext().getAttribute(UnsuccessfulAccessCounter.class.getName());
        if (unsuccessfulAccessCounter == null) {
            throw new IllegalStateException("No authn failures counter in servlet context");
        }
        return unsuccessfulAccessCounter;
    }

    private String getLabel(long j) {
        try {
            return this.entityMan.getEntityLabel(new EntityParam(Long.valueOf(j)));
        } catch (EngineException e) {
            log.error("Can not get the attribute designated with EntityName", e);
            return null;
        } catch (AuthorizationException e2) {
            log.debug("Not setting entity's label as the client is not authorized to read the attribute", e2);
            return null;
        }
    }

    private void addSessionCookie(String str, String str2, HttpServletResponse httpServletResponse) {
        httpServletResponse.addCookie(new SessionCookie(str, str2).toHttpCookie());
    }

    private void setLastIdpCookie(HttpServletResponse httpServletResponse, AuthenticationOptionKey authenticationOptionKey, String str) {
        if (str == null) {
            return;
        }
        Optional createLastIdpCookie = LastAuthenticationCookie.createLastIdpCookie(str, authenticationOptionKey);
        Objects.requireNonNull(httpServletResponse);
        createLastIdpCookie.ifPresent(httpServletResponse::addCookie);
    }
}
