package org.apereo.cas.adaptors.yubikey;

import com.yubico.client.v2.ResponseStatus;
import com.yubico.client.v2.VerificationResponse;
import com.yubico.client.v2.YubicoClient;
import com.yubico.client.v2.exceptions.YubicoValidationFailure;
import com.yubico.client.v2.exceptions.YubicoVerificationException;
import java.security.GeneralSecurityException;
import javax.annotation.PostConstruct;
import javax.security.auth.login.AccountNotFoundException;
import javax.security.auth.login.FailedLoginException;
import org.apereo.cas.authentication.Credential;
import org.apereo.cas.authentication.HandlerResult;
import org.apereo.cas.authentication.PreventedException;
import org.apereo.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler;
import org.apereo.cas.web.support.WebUtils;
import org.apereo.inspektr.aspect.TraceLogAspect;
import org.aspectj.lang.JoinPoint;
import org.aspectj.runtime.internal.AroundClosure;
import org.aspectj.runtime.internal.Conversions;
import org.aspectj.runtime.reflect.Factory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.stereotype.Component;
import org.springframework.webflow.execution.RequestContextHolder;

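/**
 * Authentication handler that validates a YubiKey one-time password (OTP).
 *
 * <p>The handler checks the OTP format, optionally checks that the key's public id is
 * registered for the principal already present in the webflow, and then asks the
 * {@link YubicoClient} to verify the OTP.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The account registry is optional. When none is injected, the device-to-user check
 *       in {@link #doAuthentication(Credential)} is skipped, so any OTP the client verifies
 *       is accepted for the current principal. A warning is logged at startup in that case.</li>
 *   <li>The submitted token is unvalidated user input until the format check passes and is
 *       therefore never written to the log.</li>
 * </ul>
 *
 * <p>This listing is decompiled AspectJ-woven bytecode: the {@code ajc$...} members and the
 * {@code AjcClosureN} classes are weaver plumbing that routes the public methods through
 * {@link TraceLogAspect}; the real method bodies live in the {@code *_aroundBodyN} statics.
 */
@RefreshScope
@Component("yubikeyAuthenticationHandler")
/* loaded from: input_file:org/apereo/cas/adaptors/yubikey/YubiKeyAuthenticationHandler.class */
public class YubiKeyAuthenticationHandler extends AbstractPreAndPostProcessingAuthenticationHandler {
    // Optional registry mapping users to YubiKey public ids; stays null unless setRegistry is called.
    private YubiKeyAccountRegistry registry;
    // Client used to verify OTPs; built once in the constructor.
    private YubicoClient client;
    // Static join point descriptors, one per traced method. They are assigned in
    // ajc$preClinit(), so they cannot be final in source form: the decompiler's
    // "static final ... = null" rendering would not compile against those assignments.
    private static JoinPoint.StaticPart ajc$tjp_0;
    private static JoinPoint.StaticPart ajc$tjp_1;
    private static JoinPoint.StaticPart ajc$tjp_2;
    private static JoinPoint.StaticPart ajc$tjp_3;

    /* loaded from: input_file:org/apereo/cas/adaptors/yubikey/YubiKeyAuthenticationHandler$AjcClosure1.class */
    /** Weaver closure that invokes the body of {@code afterPropertiesSet}. */
    public class AjcClosure1 extends AroundClosure {
        public AjcClosure1(Object[] objArr) {
            super(objArr);
        }

        public Object run(Object[] objArr) {
            // state[0] is the handler, state[1] the join point (see the array built by the caller).
            Object[] objArr2 = ((AroundClosure) this).state;
            YubiKeyAuthenticationHandler.afterPropertiesSet_aroundBody0((YubiKeyAuthenticationHandler) objArr2[0], (JoinPoint) objArr2[1]);
            return null;
        }
    }

    /* loaded from: input_file:org/apereo/cas/adaptors/yubikey/YubiKeyAuthenticationHandler$AjcClosure3.class */
    /** Weaver closure that invokes the body of {@code getRegistry}. */
    public class AjcClosure3 extends AroundClosure {
        public AjcClosure3(Object[] objArr) {
            super(objArr);
        }

        public Object run(Object[] objArr) {
            Object[] objArr2 = ((AroundClosure) this).state;
            return YubiKeyAuthenticationHandler.getRegistry_aroundBody2((YubiKeyAuthenticationHandler) objArr2[0], (JoinPoint) objArr2[1]);
        }
    }

    /* loaded from: input_file:org/apereo/cas/adaptors/yubikey/YubiKeyAuthenticationHandler$AjcClosure5.class */
    /** Weaver closure that invokes the body of {@code getClient}. */
    public class AjcClosure5 extends AroundClosure {
        public AjcClosure5(Object[] objArr) {
            super(objArr);
        }

        public Object run(Object[] objArr) {
            Object[] objArr2 = ((AroundClosure) this).state;
            return YubiKeyAuthenticationHandler.getClient_aroundBody4((YubiKeyAuthenticationHandler) objArr2[0], (JoinPoint) objArr2[1]);
        }
    }

    /* loaded from: input_file:org/apereo/cas/adaptors/yubikey/YubiKeyAuthenticationHandler$AjcClosure7.class */
    /** Weaver closure that invokes the body of {@code supports} and boxes its boolean result. */
    public class AjcClosure7 extends AroundClosure {
        public AjcClosure7(Object[] objArr) {
            super(objArr);
        }

        public Object run(Object[] objArr) {
            // state[0] is the handler, state[1] the credential, state[2] the join point.
            Object[] objArr2 = ((AroundClosure) this).state;
            return Conversions.booleanObject(YubiKeyAuthenticationHandler.supports_aroundBody6((YubiKeyAuthenticationHandler) objArr2[0], (Credential) objArr2[1], (JoinPoint) objArr2[2]));
        }
    }

    /**
     * Builds the handler and its Yubico client.
     *
     * <p>Both values come from the {@code cas.mfa.yubikey.*} properties, each with an empty
     * default. NOTE(review): nothing here rejects an unset client id or secret key; confirm
     * how {@code YubicoClient.getClient} behaves with empty values and keep the secret key in
     * protected configuration.
     *
     * @param num the Yubico API client id
     * @param str the Yubico API secret key
     */
    @Autowired
    public YubiKeyAuthenticationHandler(@Value("${cas.mfa.yubikey.client.id:}") Integer num, @Value("${cas.mfa.yubikey.secret.key:}") String str) {
        this.client = YubicoClient.getClient(num, str);
    }

    /** Logs a warning after construction when no account registry was injected. */
    @PostConstruct
    public void afterPropertiesSet() {
        TraceLogAspect.aspectOf().traceMethod(new AjcClosure1(new Object[]{this, Factory.makeJP(ajc$tjp_0, this, this)}).linkClosureAndJoinPoint(69648));
    }

    /**
     * Validates the OTP carried by the credential and resolves the principal.
     *
     * <p>The principal id is taken from the authentication already stored in the current
     * webflow request context, not from the credential.
     *
     * @param credential the credential to authenticate; cast to {@code YubiKeyCredential}
     * @return the handler result for the principal found in the request context
     * @throws AccountNotFoundException if the OTP format is invalid, or a registry is set and
     *     the key's public id is not registered for the principal
     * @throws FailedLoginException if verification returns a status other than OK, or the
     *     client raises a verification/validation error
     * @throws GeneralSecurityException declared by the handler contract
     * @throws PreventedException declared by the handler contract
     */
    protected HandlerResult doAuthentication(Credential credential) throws GeneralSecurityException, PreventedException {
        YubiKeyCredential yubiKeyCredential = (YubiKeyCredential) credential;
        String token = yubiKeyCredential.getToken();
        if (!YubicoClient.isValidOTPFormat(token)) {
            // The rejected value is arbitrary user input (it failed the OTP format check), so it
            // may be some other secret typed into the wrong field. Keep it out of the logs.
            this.logger.debug("Submitted YubiKey token is not in a valid OTP format");
            throw new AccountNotFoundException("OTP format is invalid");
        }
        // NOTE(review): this chain throws NullPointerException if there is no request context
        // or no authentication in it; confirm the flow always establishes one before this step.
        String id = WebUtils.getAuthentication(RequestContextHolder.getRequestContext()).getPrincipal().getId();
        String publicId = YubicoClient.getPublicId(token);
        // Device-to-user binding. With no registry the check is skipped entirely, so the
        // handler relies on OTP verification alone (see the startup warning).
        if (this.registry != null && !this.registry.isYubiKeyRegisteredFor(id, publicId)) {
            this.logger.debug("YubiKey public id [{}] is not registered for user [{}]", publicId, id);
            throw new AccountNotFoundException("YubiKey id is not recognized in registry");
        }
        try {
            VerificationResponse verify = this.client.verify(token);
            ResponseStatus status = verify.getStatus();
            // Identity comparison fails closed: a missing status is rejected as a failed login
            // rather than surfacing as a NullPointerException from compareTo.
            if (status != ResponseStatus.OK) {
                throw new FailedLoginException("Authentication failed with status: " + status);
            }
            this.logger.debug("YubiKey response status {} at {}", status, verify.getTimestamp());
            return createHandlerResult(yubiKeyCredential, this.principalFactory.createPrincipal(id), null);
        } catch (YubicoVerificationException | YubicoValidationFailure e) {
            this.logger.error(e.getMessage(), e);
            FailedLoginException failure = new FailedLoginException("YubiKey validation failed: " + e.getMessage());
            // FailedLoginException has no cause-taking constructor; attach the cause explicitly
            // so the original stack trace survives for whoever handles the failure.
            failure.initCause(e);
            throw failure;
        }
    }

    /**
     * Injects the optional account registry.
     *
     * @param yubiKeyAccountRegistry the registry bean qualified as {@code yubiKeyAccountRegistry}
     */
    @Autowired(required = false)
    public void setRegistry(@Qualifier("yubiKeyAccountRegistry") YubiKeyAccountRegistry yubiKeyAccountRegistry) {
        this.registry = yubiKeyAccountRegistry;
    }

    /**
     * Returns the configured account registry.
     *
     * @return the registry, or {@code null} when none was injected
     */
    public YubiKeyAccountRegistry getRegistry() {
        return (YubiKeyAccountRegistry) TraceLogAspect.aspectOf().traceMethod(new AjcClosure3(new Object[]{this, Factory.makeJP(ajc$tjp_1, this, this)}).linkClosureAndJoinPoint(69648));
    }

    /**
     * Returns the Yubico client built in the constructor.
     *
     * @return the client used for OTP verification
     */
    public YubicoClient getClient() {
        return (YubicoClient) TraceLogAspect.aspectOf().traceMethod(new AjcClosure5(new Object[]{this, Factory.makeJP(ajc$tjp_2, this, this)}).linkClosureAndJoinPoint(69648));
    }

    /**
     * Reports whether this handler can process the given credential.
     *
     * @param credential the credential to test
     * @return {@code true} only for a non-null {@code YubiKeyCredential} (or subclass)
     */
    public boolean supports(Credential credential) {
        return Conversions.booleanValue(TraceLogAspect.aspectOf().traceMethod(new AjcClosure7(new Object[]{this, credential, Factory.makeJP(ajc$tjp_3, this, this, credential)}).linkClosureAndJoinPoint(69648)));
    }

    static {
        ajc$preClinit();
    }

    /** Body of {@code afterPropertiesSet}: warns when the registry is absent. */
    static final void afterPropertiesSet_aroundBody0(YubiKeyAuthenticationHandler yubiKeyAuthenticationHandler, JoinPoint joinPoint) {
        if (yubiKeyAuthenticationHandler.registry == null) {
            yubiKeyAuthenticationHandler.logger.warn("No YubiKey account registry is defined. All credentials are considered eligible for YubiKey authentication. Consider providing an account registry via [{}]", YubiKeyAccountRegistry.class.getName());
        }
    }

    /** Body of {@code getRegistry}. */
    static final YubiKeyAccountRegistry getRegistry_aroundBody2(YubiKeyAuthenticationHandler yubiKeyAuthenticationHandler, JoinPoint joinPoint) {
        return yubiKeyAuthenticationHandler.registry;
    }

    /** Body of {@code getClient}. */
    static final YubicoClient getClient_aroundBody4(YubiKeyAuthenticationHandler yubiKeyAuthenticationHandler, JoinPoint joinPoint) {
        return yubiKeyAuthenticationHandler.client;
    }

    /** Body of {@code supports}. */
    static final boolean supports_aroundBody6(YubiKeyAuthenticationHandler yubiKeyAuthenticationHandler, Credential credential, JoinPoint joinPoint) {
        // instanceof is false for null, so a missing credential is reported as unsupported
        // instead of throwing from credential.getClass().
        return credential instanceof YubiKeyCredential;
    }

    /**
     * Creates the static join point descriptor for each traced method.
     * The trailing integer in each call is presumably the original source line; not confirmed here.
     */
    private static void ajc$preClinit() {
        Factory factory = new Factory("YubiKeyAuthenticationHandler.java", YubiKeyAuthenticationHandler.class);
        ajc$tjp_0 = factory.makeSJP("method-execution", factory.makeMethodSig("1", "afterPropertiesSet", "org.apereo.cas.adaptors.yubikey.YubiKeyAuthenticationHandler", "", "", "", "void"), 66);
        ajc$tjp_1 = factory.makeSJP("method-execution", factory.makeMethodSig("1", "getRegistry", "org.apereo.cas.adaptors.yubikey.YubiKeyAuthenticationHandler", "", "", "", "org.apereo.cas.adaptors.yubikey.YubiKeyAccountRegistry"), 115);
        ajc$tjp_2 = factory.makeSJP("method-execution", factory.makeMethodSig("1", "getClient", "org.apereo.cas.adaptors.yubikey.YubiKeyAuthenticationHandler", "", "", "", "com.yubico.client.v2.YubicoClient"), 119);
        ajc$tjp_3 = factory.makeSJP("method-execution", factory.makeMethodSig("1", "supports", "org.apereo.cas.adaptors.yubikey.YubiKeyAuthenticationHandler", "org.apereo.cas.authentication.Credential", "credential", "", "boolean"), 125);
    }
}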
