package org.apereo.cas.mfa.accepto;

import com.fasterxml.jackson.databind.ObjectMapper;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Map;
import javax.security.auth.login.AccountExpiredException;
import javax.security.auth.login.AccountLockedException;
import javax.security.auth.login.AccountNotFoundException;
import javax.security.auth.login.FailedLoginException;
import lombok.Generated;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.HttpResponse;
import org.apereo.cas.authentication.AuthenticationHandlerExecutionResult;
import org.apereo.cas.authentication.Credential;
import org.apereo.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.configuration.model.support.mfa.AccepttoMultifactorAuthenticationProperties;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.HttpUtils;
import org.apereo.cas.util.LoggingUtils;
import org.apereo.cas.util.serialization.JacksonObjectMapperFactory;
import org.apereo.cas.web.support.WebUtils;
import org.hjson.JsonValue;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpMethod;

/* loaded from: input_file:org/apereo/cas/mfa/accepto/AccepttoMultifactorAuthenticationHandler.class */
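/**
 * Authentication handler that verifies an Acceptto multifactor channel by calling the
 * Acceptto {@code check} endpoint and mapping the reported status to a handler result.
 *
 * <p>The handler fails closed: any error raised while building the request, calling the API
 * or parsing the response is logged and surfaces to the caller as a generic
 * {@link FailedLoginException}.
 */
public class AccepttoMultifactorAuthenticationHandler extends AbstractPreAndPostProcessingAuthenticationHandler {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(AccepttoMultifactorAuthenticationHandler.class);

    /** JSON mapper with default typing disabled, so response content cannot select the types to instantiate. */
    private static final ObjectMapper MAPPER = JacksonObjectMapperFactory.builder().defaultTypingEnabled(false).build().toObjectMapper();

    private final AccepttoMultifactorAuthenticationProperties accepttoProperties;

    /**
     * Creates the handler, taking its name and order from the Acceptto settings.
     *
     * @param servicesManager the services manager handed to the parent handler
     * @param principalFactory the factory used to build the authenticated principal
     * @param accepttoMultifactorAuthenticationProperties the Acceptto settings (API URL, application id, secret, email attribute)
     */
    public AccepttoMultifactorAuthenticationHandler(ServicesManager servicesManager, PrincipalFactory principalFactory, AccepttoMultifactorAuthenticationProperties accepttoMultifactorAuthenticationProperties) {
        super(accepttoMultifactorAuthenticationProperties.getName(), servicesManager, principalFactory, Integer.valueOf(accepttoMultifactorAuthenticationProperties.getOrder()));
        this.accepttoProperties = accepttoMultifactorAuthenticationProperties;
    }

    /**
     * Asks the Acceptto API whether the channel carried by the credential has been approved.
     *
     * @param credential the credential; must be an {@link AccepttoMultifactorTokenCredential}
     * @return the handler result when Acceptto reports the request as {@code approved}
     * @throws GeneralSecurityException always a {@link FailedLoginException} when the request is
     *         not approved or any step fails
     */
    protected AuthenticationHandlerExecutionResult doAuthentication(Credential credential) throws GeneralSecurityException {
        // Declared outside the try so that the finally block releases the response actually
        // received, on the success path and on every failure path alike.
        HttpResponse response = null;
        try {
            String checkUrl = StringUtils.appendIfMissing(this.accepttoProperties.getApiUrl(), "/") + "check";
            AccepttoMultifactorTokenCredential tokenCredential = (AccepttoMultifactorTokenCredential) credential;
            // NOTE(review): the debug statements in this method record the channel token, the
            // user's email and the full API response; confirm that is acceptable for the log sink.
            LOGGER.debug("Received token [{}]", tokenCredential.getId());

            // The email is read from the principal of the in-progress authentication,
            // not from anything the credential itself carries.
            String email = CollectionUtils.firstElement(
                    WebUtils.getInProgressAuthentication().getPrincipal().getAttributes().get(this.accepttoProperties.getEmailAttribute()))
                .map(Object::toString)
                .orElseThrow(() -> new IllegalArgumentException("Unable to determine email address"));
            LOGGER.debug("Email determined from attribute [{}] is [{}]", this.accepttoProperties.getEmailAttribute(), email);

            // NOTE(review): the application secret travels as a request parameter. Whether
            // HttpUtils places parameters in the query string or in the body is not visible
            // here; if it is the query string, the secret can end up in proxy and access logs.
            response = HttpUtils.execute(HttpUtils.HttpExecutionRequest.builder()
                .method(HttpMethod.POST)
                .url(checkUrl)
                .parameters(CollectionUtils.wrap(
                    "uid", this.accepttoProperties.getApplicationId(),
                    "secret", this.accepttoProperties.getSecret(),
                    "email", email,
                    "channel", tokenCredential.getId()))
                .build());

            if (response != null) {
                int statusCode = response.getStatusLine().getStatusCode();
                if (statusCode == 200) {
                    String body = IOUtils.toString(response.getEntity().getContent(), StandardCharsets.UTF_8);
                    Map<?, ?> results = MAPPER.readValue(JsonValue.readHjson(body).toString(), Map.class);
                    LOGGER.debug("Received results as [{}]", results);

                    // A response without "status" (or, once approved, without "device_id") raises a
                    // NullPointerException here; the catch below turns it into a failed login.
                    String status = results.get("status").toString();
                    if ("expired".equalsIgnoreCase(status)) {
                        throw new AccountExpiredException("Authentication request has expired");
                    }
                    if ("declined".equalsIgnoreCase(status)) {
                        throw new FailedLoginException("Acceptto authentication has been declined");
                    }
                    if ("approved".equalsIgnoreCase(status)) {
                        return createHandlerResult(tokenCredential, this.principalFactory.createPrincipal(email, CollectionUtils.wrap(
                            "accepttoChannel", CollectionUtils.wrapList(tokenCredential.getId()),
                            "accepttoDeviceId", CollectionUtils.wrapList(results.get("device_id").toString()),
                            "accepttoStatus", CollectionUtils.wrapList(status))));
                    }
                }
                if (statusCode == 403) {
                    throw new AccountNotFoundException("Invalid uid and secret combination; application not found");
                }
                if (statusCode == 401) {
                    throw new AccountLockedException("Email address provided is not a valid registered account");
                }
            }
        } catch (Exception e) {
            // NOTE(review): this also catches the specific login exceptions thrown above, so
            // callers only ever see the generic FailedLoginException below; the detail survives
            // in the log only. Confirm that collapsing the failure reason is intended.
            LoggingUtils.error(LOGGER, e);
        } finally {
            HttpUtils.close(response);
        }
        throw new FailedLoginException("Acceptto authentication has failed");
    }

    /**
     * Reports whether this handler accepts credentials of the given class.
     *
     * @param cls the credential class to test
     * @return {@code true} when {@code cls} is {@link AccepttoMultifactorTokenCredential} or a subtype
     */
    public boolean supports(Class<? extends Credential> cls) {
        return AccepttoMultifactorTokenCredential.class.isAssignableFrom(cls);
    }

    /**
     * Reports whether this handler accepts the given credential instance.
     *
     * @param credential the credential to test
     * @return {@code true} when the credential is an {@link AccepttoMultifactorTokenCredential}
     */
    public boolean supports(Credential credential) {
        return AccepttoMultifactorTokenCredential.class.isAssignableFrom(credential.getClass());
    }
}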
