package io.imunity.fido.service;

import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializationFeature;
import com.fasterxml.jackson.datatype.jdk8.Jdk8Module;
import com.yubico.webauthn.AssertionRequest;
import com.yubico.webauthn.AssertionResult;
import com.yubico.webauthn.FinishAssertionOptions;
import com.yubico.webauthn.RelyingParty;
import com.yubico.webauthn.StartAssertionOptions;
import com.yubico.webauthn.data.AttestationConveyancePreference;
import com.yubico.webauthn.data.ByteArray;
import com.yubico.webauthn.data.PublicKeyCredential;
import com.yubico.webauthn.data.RelyingPartyIdentity;
import com.yubico.webauthn.data.UserVerificationRequirement;
import com.yubico.webauthn.exception.AssertionFailedException;
import io.imunity.fido.FidoExchange;
import io.imunity.fido.credential.FidoCredential;
import io.imunity.fido.credential.FidoCredentialInfo;
import io.imunity.fido.service.UnityFidoRegistrationStorage;
import java.io.IOException;
import java.util.AbstractMap;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.ObjectFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.MessageSource;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.authn.AuthenticatedEntity;
import pl.edu.icm.unity.engine.api.authn.AuthenticationResult;
import pl.edu.icm.unity.engine.api.authn.LocalAuthenticationResult;
import pl.edu.icm.unity.engine.api.authn.local.AbstractLocalCredentialVerificatorFactory;
import pl.edu.icm.unity.engine.api.authn.local.AbstractLocalVerificator;
import pl.edu.icm.unity.engine.api.authn.local.CredentialHelper;
import pl.edu.icm.unity.engine.api.server.AdvertisedAddressProvider;
import pl.edu.icm.unity.engine.api.utils.PrototypeComponent;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.exceptions.IllegalCredentialException;
import pl.edu.icm.unity.types.authn.CredentialPublicInformation;
import pl.edu.icm.unity.types.authn.LocalCredentialState;
import pl.edu.icm.unity.types.basic.EntityParam;

@PrototypeComponent
/* loaded from: input_file:io/imunity/fido/service/FidoCredentialVerificator.class */
public class FidoCredentialVerificator extends AbstractLocalVerificator implements FidoExchange {
    public static final String NAME = "fido";
    public static final String DESC = "Verifies fido credential";
    private final UnityFidoRegistrationStorage.UnityFidoRegistrationStorageCache fidoStorage;
    FidoCredential credential;
    private final ConcurrentHashMap<String, AssertionRequest> authenticationRequests;
    private final MessageSource msg;
    private final FidoEntityHelper entityHelper;
    private final CredentialHelper credentialHelper;
    private final AdvertisedAddressProvider addressProvider;
    private static final Logger log = Log.getLogger("unity.server.fido", FidoCredentialVerificator.class);
    static final ObjectMapper FIDO_MAPPER = new ObjectMapper().configure(SerializationFeature.FAIL_ON_EMPTY_BEANS, false).setSerializationInclusion(JsonInclude.Include.NON_ABSENT).registerModule(new Jdk8Module());

    @Component
    /* loaded from: input_file:io/imunity/fido/service/FidoCredentialVerificator$Factory.class */
    public static class Factory extends AbstractLocalCredentialVerificatorFactory {
        @Autowired
        public Factory(ObjectFactory<FidoCredentialVerificator> objectFactory) {
            super(FidoCredentialVerificator.NAME, FidoCredentialVerificator.DESC, false, objectFactory);
        }
    }

    @Autowired
    public FidoCredentialVerificator(MessageSource messageSource, FidoEntityHelper fidoEntityHelper, CredentialHelper credentialHelper, UnityFidoRegistrationStorage.UnityFidoRegistrationStorageCache unityFidoRegistrationStorageCache, AdvertisedAddressProvider advertisedAddressProvider) {
        super(NAME, DESC, FidoExchange.ID, false);
        this.credential = new FidoCredential();
        this.authenticationRequests = new ConcurrentHashMap<>();
        this.msg = messageSource;
        this.entityHelper = fidoEntityHelper;
        this.credentialHelper = credentialHelper;
        this.fidoStorage = unityFidoRegistrationStorageCache;
        this.addressProvider = advertisedAddressProvider;
    }

    public String getSerializedConfiguration() {
        return this.credential.serialize();
    }

    public void setSerializedConfiguration(String str) {
        this.credential = FidoCredential.deserialize(str);
    }

    public String prepareCredential(String str, String str2, boolean z) throws IllegalCredentialException {
        return str;
    }

    public CredentialPublicInformation checkCredentialState(String str) {
        String str2 = Objects.isNull(str) ? "" : str;
        return new CredentialPublicInformation(str2.isEmpty() ? LocalCredentialState.notSet : LocalCredentialState.correct, str2);
    }

    public String invalidate(String str) {
        throw new IllegalStateException("This credential doesn't support invalidation");
    }

    public boolean isCredentialSet(EntityParam entityParam) throws EngineException {
        return this.credentialHelper.isCredentialSet(entityParam, this.credentialName);
    }

    public boolean isCredentialDefinitionChagneOutdatingCredentials(String str) {
        return false;
    }

    @Override // io.imunity.fido.FidoExchange
    public AbstractMap.SimpleEntry<String, String> getAuthenticationOptions(Long l, String str) throws FidoException {
        String uuid = UUID.randomUUID().toString();
        AssertionRequest startAssertion = getRelyingParty().startAssertion(getAssertionOptions(l, str));
        String str2 = null;
        try {
            str2 = FIDO_MAPPER.writeValueAsString(startAssertion);
            this.authenticationRequests.put(uuid, startAssertion);
            log.info("Fido start authentication for entityId: {}, username: {}, reqId: {}", l, str, uuid);
            return new AbstractMap.SimpleEntry<>(uuid, str2);
        } catch (JsonProcessingException e) {
            log.error("Parsing JSON: {}, exception: ", str2, e);
            throw new FidoException(this.msg.getMessage("FidoExc.internalError", new Object[0]), e);
        }
    }

    private StartAssertionOptions getAssertionOptions(Long l, String str) {
        StartAssertionOptions.StartAssertionOptionsBuilder userVerification = StartAssertionOptions.builder().timeout(60000L).userVerification(UserVerificationRequirement.valueOf(this.credential.getUserVerification()));
        String assertionUsername = getAssertionUsername(l, str);
        if (Objects.nonNull(assertionUsername)) {
            userVerification.username(assertionUsername);
        }
        return userVerification.build();
    }

    private String getAssertionUsername(Long l, String str) {
        Optional<Identities> resolveUsername = this.entityHelper.resolveUsername(l, str);
        if (resolveUsername.isPresent()) {
            return assertFidoCredentialExists(resolveUsername.get());
        }
        if (this.credential.isLoginLessAllowed()) {
            return null;
        }
        throw new NoEntityException(this.msg.getMessage("FidoExc.noEntity", new Object[0]));
    }

    private String assertFidoCredentialExists(Identities identities) {
        List<FidoCredentialInfo> fidoCredentialInfoForUsername = this.fidoStorage.getInstance(getCredentialName()).getFidoCredentialInfoForUsername(identities.getUsername());
        if (fidoCredentialInfoForUsername.isEmpty()) {
            log.warn("No {} credential found for user {}", getCredentialName(), identities.getUsername());
            throw new NoEntityException(this.msg.getMessage("Fido.invalidUsername", new Object[0]));
        }
        this.entityHelper.getOrCreateUserHandle(identities, fidoCredentialInfoForUsername.get(0).getUserHandle());
        return identities.getUsername();
    }

    @Override // io.imunity.fido.FidoExchange
    public AuthenticationResult verifyAuthentication(String str, String str2) throws FidoException {
        log.debug("Fido finalize authentication for reqId: {}", str);
        String str3 = null;
        try {
            PublicKeyCredential parseAssertionResponseJson = PublicKeyCredential.parseAssertionResponseJson(str2);
            AssertionRequest remove = this.authenticationRequests.remove(str);
            if (remove == null) {
                throw new FidoException(this.msg.getMessage("FidoExc.authReqExpired", new Object[0]));
            }
            AssertionResult finishAssertion = getRelyingParty().finishAssertion(FinishAssertionOptions.builder().request(remove).response(parseAssertionResponseJson).build());
            if (finishAssertion.isSuccess()) {
                str3 = finishAssertion.getUsername();
                updateSignatureCount(str3, parseAssertionResponseJson.getId(), parseAssertionResponseJson.getResponse().getParsedAuthenticatorData().getSignatureCounter());
            }
            if (finishAssertion.isSuccess()) {
                return LocalAuthenticationResult.successful(new AuthenticatedEntity(Long.valueOf(this.entityHelper.getEntityId(this.entityHelper.resolveUsername(null, str3).orElseThrow(() -> {
                    return new NoEntityException(this.msg.getMessage("FidoExc.noEntity", new Object[0]));
                }).getEntityParam())), str3, (String) null));
            }
            throw new FidoException(this.msg.getMessage("Fido.authFailed", new Object[0]));
        } catch (AssertionFailedException e) {
            throw new FidoException(this.msg.getMessage("Fido.authFailed", new Object[]{e}));
        } catch (IOException | EngineException e2) {
            log.error("Authentication failed with exception", e2);
            throw new FidoException(this.msg.getMessage("FidoExc.internalError", new Object[0]), e2);
        }
    }

    private void updateSignatureCount(String str, ByteArray byteArray, long j) throws EngineException {
        Identities orElseThrow = this.entityHelper.resolveUsername(null, str).orElseThrow(() -> {
            return new NoEntityException(this.msg.getMessage("FidoExc.noEntity", new Object[0]));
        });
        this.credentialHelper.updateCredential(this.entityHelper.getEntityId(orElseThrow.getEntityParam()), getCredentialName(), FidoCredentialInfo.serializeList((List) this.fidoStorage.getInstance(getCredentialName()).getFidoCredentialInfoForUsername(orElseThrow.getUsername()).stream().map(fidoCredentialInfo -> {
            if (!fidoCredentialInfo.getCredentialId().equals(byteArray)) {
                return fidoCredentialInfo;
            }
            log.debug("SignCount: old={}, new={}", Long.valueOf(fidoCredentialInfo.getSignatureCount()), Long.valueOf(j));
            return fidoCredentialInfo.copyBuilder().signatureCount(j).build();
        }).collect(Collectors.toList())));
    }

    private RelyingParty getRelyingParty() {
        return getRelyingParty(this.addressProvider.get().getHost(), this.fidoStorage.getInstance(this.credentialName), this.credential);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static RelyingParty getRelyingParty(String str, UnityFidoRegistrationStorage unityFidoRegistrationStorage, FidoCredential fidoCredential) {
        return RelyingParty.builder().identity(RelyingPartyIdentity.builder().id(str).name(fidoCredential.getHostName()).build()).credentialRepository(unityFidoRegistrationStorage).attestationConveyancePreference(AttestationConveyancePreference.valueOf(fidoCredential.getAttestationConveyance())).allowUntrustedAttestation(true).allowOriginPort(true).build();
    }
}
