package org.apereo.cas.adaptors.yubikey;

import com.yubico.client.v2.ResponseStatus;
import com.yubico.client.v2.VerificationResponse;
import com.yubico.client.v2.YubicoClient;
import com.yubico.client.v2.exceptions.YubicoValidationFailure;
import com.yubico.client.v2.exceptions.YubicoVerificationException;
import java.security.GeneralSecurityException;
import javax.annotation.PostConstruct;
import javax.security.auth.login.AccountNotFoundException;
import javax.security.auth.login.FailedLoginException;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.Credential;
import org.apereo.cas.authentication.HandlerResult;
import org.apereo.cas.authentication.PreventedException;
import org.apereo.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler;
import org.apereo.cas.web.support.WebUtils;
import org.springframework.webflow.execution.RequestContext;
import org.springframework.webflow.execution.RequestContextHolder;

/* loaded from: input_file:org/apereo/cas/adaptors/yubikey/YubiKeyAuthenticationHandler.class */
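/**
 * Authenticates a {@link YubiKeyCredential} by validating its one-time password (OTP)
 * against the Yubico validation service.
 * <p>
 * Order of checks in {@link #doAuthentication(Credential)}: the OTP format is checked
 * locally, the id of the principal already authenticated in the current web flow is
 * resolved, the YubiKey public id is checked against the {@link YubiKeyAccountRegistry}
 * when one is configured, and finally the OTP is submitted to the validation service.
 * Any status other than {@link ResponseStatus#OK} fails the login.
 * <p>
 * Without a registry every YubiKey is accepted for every user; the registry is what
 * binds a physical device to a principal. The OTP itself is never written to the log.
 */
public class YubiKeyAuthenticationHandler extends AbstractPreAndPostProcessingAuthenticationHandler {
    /** Optional binding of YubiKey public ids to principal ids; {@code null} disables the check. */
    private YubiKeyAccountRegistry registry;
    /** Client for the Yubico validation service, created once per handler instance. */
    private final YubicoClient client;

    /**
     * Creates a handler backed by a new Yubico validation client.
     *
     * @param clientId  the Yubico API client id
     * @param secretKey the Yubico API key used to sign requests and verify responses
     */
    public YubiKeyAuthenticationHandler(final Integer clientId, final String secretKey) {
        this.client = YubicoClient.getClient(clientId, secretKey);
    }

    /**
     * Warns at startup when no registry is configured, since in that mode any
     * YubiKey is accepted for any user.
     */
    @PostConstruct
    public void afterPropertiesSet() {
        if (this.registry == null) {
            this.logger.warn("No YubiKey account registry is defined. All credentials are considered eligible for YubiKey authentication. Consider providing an account registry via [{}]", YubiKeyAccountRegistry.class.getName());
        }
    }

    /**
     * Validates the OTP carried by the credential and, on success, issues a handler
     * result for the principal of the current web flow authentication.
     *
     * @param credential a {@link YubiKeyCredential}; callers are expected to have checked
     *                   {@link #supports(Credential)} first
     * @return the handler result for the resolved principal
     * @throws AccountNotFoundException if the OTP is missing or malformed, or its public id
     *                                  is not registered for the user
     * @throws FailedLoginException     if no authenticated principal is available, or the
     *                                  validation service rejects the OTP or cannot be reached
     * @throws GeneralSecurityException declared by the contract; only the subtypes above are thrown here
     * @throws PreventedException       declared by the contract; not thrown by this implementation
     */
    @Override
    protected HandlerResult doAuthentication(final Credential credential) throws GeneralSecurityException, PreventedException {
        final YubiKeyCredential yubiKeyCredential = (YubiKeyCredential) credential;
        final String token = yubiKeyCredential.getToken();
        // The OTP is a credential: log only its length, never its value, even at debug level.
        if (token == null || !YubicoClient.isValidOTPFormat(token)) {
            this.logger.debug("Invalid OTP format (token length {})", token == null ? 0 : token.length());
            throw new AccountNotFoundException("OTP format is invalid");
        }

        final String uid = resolveAuthenticatedPrincipalId();
        final String publicId = YubicoClient.getPublicId(token);
        if (this.registry != null && !this.registry.isYubiKeyRegisteredFor(uid, publicId)) {
            this.logger.debug("YubiKey public id [{}] is not registered for user [{}]", publicId, uid);
            throw new AccountNotFoundException("YubiKey id is not recognized in registry");
        }

        try {
            final VerificationResponse response = this.client.verify(token);
            final ResponseStatus status = response.getStatus();
            // ResponseStatus is an enum, so identity comparison is exact; a null status fails here too.
            if (status != ResponseStatus.OK) {
                throw new FailedLoginException("Authentication failed with status: " + status);
            }
            this.logger.debug("YubiKey response status {} at {}", status, response.getTimestamp());
            return createHandlerResult(yubiKeyCredential, this.principalFactory.createPrincipal(uid), null);
        } catch (final YubicoVerificationException | YubicoValidationFailure e) {
            this.logger.error(e.getMessage(), e);
            final FailedLoginException failure = new FailedLoginException("YubiKey validation failed: " + e.getMessage());
            // FailedLoginException has no cause-taking constructor; attach the cause so the chain survives.
            failure.initCause(e);
            throw failure;
        }
    }

    /**
     * Resolves the id of the principal already authenticated in the current web flow.
     * The previous inline chain dereferenced the flow, authentication and principal without
     * null checks; a missing one now fails the login cleanly instead of with an NPE.
     *
     * @return the principal id
     * @throws FailedLoginException if there is no request context, no authentication in it,
     *                              or no principal on that authentication (e.g. the handler
     *                              was invoked outside the multifactor flow)
     */
    private String resolveAuthenticatedPrincipalId() throws FailedLoginException {
        final RequestContext context = RequestContextHolder.getRequestContext();
        final Authentication authentication = context == null ? null : WebUtils.getAuthentication(context);
        if (authentication == null || authentication.getPrincipal() == null) {
            throw new FailedLoginException("No authenticated principal is available to bind the YubiKey to");
        }
        return authentication.getPrincipal().getId();
    }

    /**
     * Sets the registry that binds YubiKey public ids to principal ids.
     *
     * @param yubiKeyAccountRegistry the registry, or {@code null} to accept any device for any user
     */
    public void setRegistry(final YubiKeyAccountRegistry yubiKeyAccountRegistry) {
        this.registry = yubiKeyAccountRegistry;
    }

    /**
     * @return the configured registry, or {@code null} if none
     */
    public YubiKeyAccountRegistry getRegistry() {
        return this.registry;
    }

    /**
     * @return the Yubico validation client used by this handler
     */
    public YubicoClient getClient() {
        return this.client;
    }

    /**
     * Accepts only {@link YubiKeyCredential} instances; {@code null} is never supported.
     *
     * @param credential the credential to test
     * @return {@code true} if this handler can authenticate the credential
     */
    @Override
    public boolean supports(final Credential credential) {
        return credential instanceof YubiKeyCredential;
    }
}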
