package org.webswing.server.services.security.extension.onetimeurl;

import com.fasterxml.jackson.core.JsonGenerationException;
import com.fasterxml.jackson.databind.JsonMappingException;
import java.io.IOException;
import java.io.Serializable;
import java.lang.reflect.UndeclaredThrowableException;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.StringUtils;
import org.apache.shiro.realm.text.IniRealm;
import org.freehep.graphicsio.ImageConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.webswing.Constants;
import org.webswing.server.common.util.ConfigUtil;
import org.webswing.server.services.security.api.AbstractWebswingUser;
import org.webswing.server.services.security.api.WebswingAction;
import org.webswing.server.services.security.api.WebswingAuthenticationException;
import org.webswing.server.services.security.extension.api.SecurityModuleExtension;
import org.webswing.server.services.security.modules.AbstractExtendableSecurityModule;
import org.webswing.server.services.security.modules.AbstractSecurityModule;

/* loaded from: input_file:WEB-INF/lib/webswing-server-security-2.5.jar:org/webswing/server/services/security/extension/onetimeurl/OneTimeUrlSecurityExtension.class */
public class OneTimeUrlSecurityExtension extends SecurityModuleExtension<OneTimeUrlSecurityExtensionConfig> {
    private static final String SECURITY_TOKEN = "securityToken";
    private static final Logger log = LoggerFactory.getLogger(OneTimeUrlSecurityExtension.class);

    public OneTimeUrlSecurityExtension(OneTimeUrlSecurityExtensionConfig oneTimeUrlSecurityExtensionConfig) {
        super(oneTimeUrlSecurityExtensionConfig);
    }

    @Override // org.webswing.server.services.security.extension.api.SecurityModuleExtension
    public AbstractWebswingUser doSufficientPreValidation(AbstractExtendableSecurityModule<?> abstractExtendableSecurityModule, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws WebswingAuthenticationException {
        Map<String, Object> loginRequest = abstractExtendableSecurityModule.getLoginRequest(httpServletRequest);
        if (loginRequest == null || !loginRequest.containsKey(SECURITY_TOKEN)) {
            return null;
        }
        return verifyOneTimePassword(httpServletRequest, (String) loginRequest.get(SECURITY_TOKEN));
    }

    @Override // org.webswing.server.services.security.extension.api.SecurityModuleExtension
    public boolean serveAuthenticated(AbstractWebswingUser abstractWebswingUser, String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (!str.equals("/oneTimeUrl") || !abstractWebswingUser.isPermitted(WebswingAction.rest_getOneTimePassword.name())) {
            return false;
        }
        String parameter = httpServletRequest.getParameter("requestorId");
        String parameter2 = httpServletRequest.getParameter(Constants.USER_NAME_SUBSTITUTE);
        String parameter3 = httpServletRequest.getParameter(IniRealm.ROLES_SECTION_NAME);
        String parameter4 = httpServletRequest.getParameter("permissions");
        String[] split = parameter3 != null ? parameter3.split(",") : null;
        String[] split2 = parameter4 != null ? parameter4.split(",") : null;
        ArrayList arrayList = new ArrayList();
        for (String str2 : httpServletRequest.getParameterMap().keySet()) {
            arrayList.add(Arrays.asList(str2, httpServletRequest.getParameter(str2)));
        }
        try {
            httpServletResponse.getWriter().print(generateOneTimePassword(parameter, parameter2, split, split2, arrayList));
            httpServletResponse.flushBuffer();
            httpServletResponse.getWriter().close();
            return true;
        } catch (Exception e) {
            log.error("Failed to generate OneTimeUrl", (Throwable) e);
            try {
                httpServletResponse.sendError(400, e.getMessage());
                return true;
            } catch (IOException e2) {
                return true;
            }
        }
    }

    public AbstractWebswingUser verifyOneTimePassword(HttpServletRequest httpServletRequest, String str) throws WebswingAuthenticationException {
        try {
            OtpTokenData parseOtpTokenString = parseOtpTokenString(str);
            verifyTokenValid(parseOtpTokenString);
            String otpSecret = getOtpSecret(parseOtpTokenString.getRequestorId());
            String otpMessage = getOtpMessage(parseOtpTokenString);
            String otpCrypto = getOtpCrypto(parseOtpTokenString.getRequestorId());
            int otpValidForSec = getOtpValidForSec(parseOtpTokenString.getRequestorId());
            for (int i = -1; i <= 1; i++) {
                if (calculateTotpString(otpCrypto, otpSecret, otpMessage, i, otpValidForSec).equals(parseOtpTokenString.getOneTimePassword())) {
                    return createUser(httpServletRequest, parseOtpTokenString);
                }
            }
            logFailure(httpServletRequest, null, "Invalid or expired OTP. ");
            throw new WebswingAuthenticationException("Invalid or expired OTP. ");
        } catch (Exception e) {
            logFailure(httpServletRequest, null, "Failed to verify OTP. " + e.getMessage());
            throw new WebswingAuthenticationException("Failed to verify OTP. " + e.getMessage(), e);
        }
    }

    public String generateOneTimePassword(String str, String str2, String[] strArr, String[] strArr2, List list) throws WebswingAuthenticationException {
        try {
            OtpTokenDataImpl otpTokenDataImpl = new OtpTokenDataImpl();
            otpTokenDataImpl.setUser(str2);
            otpTokenDataImpl.setRequestorId(str);
            otpTokenDataImpl.setAttributes(list);
            otpTokenDataImpl.setRoles(Arrays.asList(strArr));
            otpTokenDataImpl.setPermissions(Arrays.asList(strArr2));
            verifyTokenValid(otpTokenDataImpl);
            otpTokenDataImpl.setOneTimePassword(calculateTotpString(getOtpCrypto(str), getOtpSecret(str), getOtpMessage(otpTokenDataImpl), 0, getOtpValidForSec(str)));
            return encodeOtpToken(otpTokenDataImpl);
        } catch (Exception e) {
            throw new WebswingAuthenticationException("Failed to generate OTP. " + e.getMessage(), e);
        }
    }

    public void verifyTokenValid(OtpTokenData otpTokenData) throws WebswingAuthenticationException {
        if (StringUtils.isEmpty(otpTokenData.getUser())) {
            throw new WebswingAuthenticationException("User must not be empty.");
        }
        if (StringUtils.isEmpty(otpTokenData.getRequestorId())) {
            throw new WebswingAuthenticationException("Requestor Id must not be empty.");
        }
        if (getConfig().getApiKeys() == null || getConfigForRequestor(getConfig(), otpTokenData.getRequestorId()) == null) {
            throw new WebswingAuthenticationException("RequestorId not configured.");
        }
    }

    public static OtpAccessConfig getConfigForRequestor(OneTimeUrlSecurityExtensionConfig oneTimeUrlSecurityExtensionConfig, String str) {
        if (oneTimeUrlSecurityExtensionConfig == null) {
            return null;
        }
        for (OtpAccessConfig otpAccessConfig : oneTimeUrlSecurityExtensionConfig.getApiKeys()) {
            if (StringUtils.equals(str, otpAccessConfig.getRequestorId())) {
                return otpAccessConfig;
            }
        }
        return null;
    }

    public int getOtpValidForSec(String str) {
        Integer validForSec = getConfigForRequestor(getConfig(), str).getValidForSec();
        if (validForSec == null) {
            return 30;
        }
        return validForSec.intValue();
    }

    public String getOtpCrypto(String str) {
        String hMacAlgo = getConfigForRequestor(getConfig(), str).getHMacAlgo();
        return hMacAlgo == null ? "HmacSHA512" : hMacAlgo;
    }

    public String getOtpSecret(String str) throws WebswingAuthenticationException {
        String secret = getConfigForRequestor(getConfig(), str).getSecret();
        if (secret != null) {
            return secret;
        }
        log.error("Secret not found for requestor '" + str + "'");
        throw new WebswingAuthenticationException("OTP Access not configured.");
    }

    public static String getOtpMessage(OtpTokenData otpTokenData) {
        return "" + otpTokenData.getUser() + listToString(otpTokenData.getAttributes()) + listToString(otpTokenData.getRoles()) + listToString(otpTokenData.getPermissions());
    }

    private static String listToString(List list) {
        String str = "";
        if (list != null) {
            for (Object obj : list) {
                str = obj instanceof List ? str + listToString((List) obj) : str + obj;
            }
        }
        return str;
    }

    public OtpTokenData parseOtpTokenString(String str) throws WebswingAuthenticationException {
        try {
            return (OtpTokenData) ConfigUtil.instantiateConfig((Map) AbstractSecurityModule.getMapper().readValue(Base64.decodeBase64(str), Map.class), OtpTokenData.class, new Object[0]);
        } catch (Exception e) {
            throw new WebswingAuthenticationException("Failed to parse OTP token", e);
        }
    }

    public static String encodeOtpToken(OtpTokenData otpTokenData) throws WebswingAuthenticationException {
        try {
            return Base64.encodeBase64String(AbstractSecurityModule.getMapper().writeValueAsBytes(otpTokenData));
        } catch (Exception e) {
            throw new WebswingAuthenticationException("Failed to encode OTP token", e);
        }
    }

    public static String calculateTotpString(String str, String str2, String str3, int i, int i2) {
        return Base64.encodeBase64String(hmacSha(str, str2.getBytes(), (str3 + (((System.currentTimeMillis() / 1000) / i2) + i)).getBytes()));
    }

    private static byte[] hmacSha(String str, byte[] bArr, byte[] bArr2) {
        try {
            Mac mac = Mac.getInstance(str);
            mac.init(new SecretKeySpec(bArr, ImageConstants.RAW));
            return mac.doFinal(bArr2);
        } catch (GeneralSecurityException e) {
            throw new UndeclaredThrowableException(e);
        }
    }

    public AbstractWebswingUser createUser(HttpServletRequest httpServletRequest, OtpTokenData otpTokenData) throws WebswingAuthenticationException {
        OtpAccessConfig configForRequestor = getConfigForRequestor(getConfig(), otpTokenData.getRequestorId());
        HashMap hashMap = new HashMap();
        HashSet hashSet = new HashSet();
        HashSet hashSet2 = new HashSet();
        if (otpTokenData.getAttributes() != null) {
            for (Object obj : otpTokenData.getAttributes()) {
                if ((obj instanceof List) && ((List) obj).size() == 2) {
                    List list = (List) obj;
                    hashMap.put((String) list.get(0), (Serializable) list.get(1));
                }
            }
        }
        if (otpTokenData.getRoles() != null) {
            hashSet.addAll(otpTokenData.getRoles());
        }
        if (otpTokenData.getPermissions() != null) {
            hashSet2.addAll(otpTokenData.getPermissions());
        }
        if (configForRequestor.getAllowedUsers() != null && configForRequestor.getAllowedUsers().size() > 0 && !configForRequestor.getAllowedUsers().contains(otpTokenData.getUser())) {
            logFailure(httpServletRequest, otpTokenData.getUser(), "User is not allowed to use OTP.");
            throw new WebswingAuthenticationException("User '" + otpTokenData.getUser() + "' is not allowed to use OTP.");
        }
        if (configForRequestor.getAllowedRoles() != null) {
            hashSet.retainAll(configForRequestor.getAllowedRoles());
        }
        if (configForRequestor.getAllowedPermissions() != null) {
            hashSet2.retainAll(configForRequestor.getAllowedPermissions());
        }
        OtpWebswingUser otpWebswingUser = new OtpWebswingUser(otpTokenData.getUser(), hashMap, hashSet, hashSet2);
        logSuccess(httpServletRequest, otpTokenData.getUser());
        return otpWebswingUser;
    }

    public static void main(String[] strArr) throws WebswingAuthenticationException, JsonGenerationException, JsonMappingException, IOException {
        OtpTokenDataImpl otpTokenDataImpl = new OtpTokenDataImpl();
        otpTokenDataImpl.setUser("john");
        otpTokenDataImpl.setRequestorId("myWebPage");
        ArrayList arrayList = new ArrayList();
        arrayList.add(Arrays.asList("attr1", "value1"));
        arrayList.add(Arrays.asList("attr2", "value2"));
        otpTokenDataImpl.setAttributes(arrayList);
        otpTokenDataImpl.setRoles(new ArrayList());
        otpTokenDataImpl.setPermissions(new ArrayList());
        String otpMessage = getOtpMessage(otpTokenDataImpl);
        otpTokenDataImpl.setOneTimePassword(calculateTotpString("HmacSHA512", "5gV4gchlFZEwmXHNLgGj", otpMessage, 0, 30));
        String encodeOtpToken = encodeOtpToken(otpTokenDataImpl);
        System.out.println("message: " + (otpMessage + (((System.currentTimeMillis() / 1000) / 30) + 0)));
        System.out.println("response: " + AbstractSecurityModule.getMapper().writeValueAsString(otpTokenDataImpl));
        System.out.println("http://localhost:8080/swingset3/?securityToken=" + encodeOtpToken);
    }
}
