package org.cloudfoundry.identity.uaa.mfa;

import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.cloudfoundry.identity.uaa.authentication.UaaAuthentication;
import org.cloudfoundry.identity.uaa.authentication.UaaAuthenticationJsonBase;
import org.cloudfoundry.identity.uaa.authentication.event.MfaAuthenticationFailureEvent;
import org.cloudfoundry.identity.uaa.authentication.event.MfaAuthenticationSuccessEvent;
import org.cloudfoundry.identity.uaa.authentication.event.UserAuthenticationFailureEvent;
import org.cloudfoundry.identity.uaa.login.LoginInfoEndpoint;
import org.cloudfoundry.identity.uaa.mfa.exception.InvalidMfaCodeException;
import org.cloudfoundry.identity.uaa.mfa.exception.MissingMfaCodeException;
import org.cloudfoundry.identity.uaa.mfa.exception.UserMfaConfigDoesNotExistException;
import org.cloudfoundry.identity.uaa.user.UaaUser;
import org.cloudfoundry.identity.uaa.user.UaaUserDatabase;
import org.cloudfoundry.identity.uaa.util.JsonUtils;
import org.cloudfoundry.identity.uaa.zone.IdentityZone;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ApplicationEventPublisherAware;
import org.springframework.dao.EmptyResultDataAccessException;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.authentication.ProviderNotFoundException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:org/cloudfoundry/identity/uaa/mfa/StatelessMfaAuthenticationFilter.class */
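/**
 * Enforces a second factor on token requests made with one of the configured grant types.
 *
 * <p>For a request whose {@code grant_type} parameter is in {@link #getSupportedGrantTypes()}
 * and whose identity zone has MFA enabled, the filter verifies the MFA code request parameter
 * ({@link LoginInfoEndpoint#MFA_CODE}) against the user's registered Google-authenticator
 * credentials before the request travels further down the chain. Every outcome is published as
 * an application event ({@link MfaAuthenticationSuccessEvent}, or
 * {@link MfaAuthenticationFailureEvent} plus {@link UserAuthenticationFailureEvent}) so that
 * audit and lockout logic elsewhere can count MFA attempts; rejected requests are answered
 * directly with a small JSON error body instead of continuing the chain.
 *
 * <p>The filter does not authenticate the user itself: it requires an {@link OAuth2Authentication}
 * wrapping a {@link UaaAuthentication} to already be present in the {@link SecurityContextHolder}
 * and only adds the second-factor check, marking the authentication with the {@code otp} and
 * {@code mfa} authentication methods on success.
 */
public class StatelessMfaAuthenticationFilter extends OncePerRequestFilter implements ApplicationEventPublisherAware {
    private final UserGoogleMfaCredentialsProvisioning provisioning;
    // Held by reference, not copied: getSupportedGrantTypes() exposes a read-only view of it.
    private final Set<String> supportedGrantTypes;
    private final MfaProviderProvisioning mfaProvider;
    private final UaaUserDatabase userDb;
    // Set by Spring through ApplicationEventPublisherAware; may stay null outside a container.
    private ApplicationEventPublisher publisher;

    /**
     * Error body written for rejected requests.
     *
     * <p>The {@code error_description} field and its getter deliberately use the snake_case
     * spelling of the OAuth2 error response: the getter names are what
     * {@link JsonUtils#writeValueAsString} turns into JSON property names.
     */
    public static class JsonError {
        private final int status;
        private final String error;
        private final String error_description;

        /**
         * @param status           HTTP status to send
         * @param error            OAuth2-style error code (e.g. {@code invalid_request})
         * @param errorDescription human-readable description placed in {@code error_description}
         */
        private JsonError(int status, String error, String errorDescription) {
            this.status = status;
            this.error = error;
            this.error_description = errorDescription;
        }

        public String getError() {
            return this.error;
        }

        public String getError_description() {
            return this.error_description;
        }

        public int getStatus() {
            return this.status;
        }
    }

    /**
     * @param userGoogleMfaCredentialsProvisioning source of the user's registered MFA credential and code validator
     * @param set                                  grant types for which the MFA check is enforced; kept by reference
     * @param mfaProviderProvisioning              lookup for the zone's configured MFA provider
     * @param uaaUserDatabase                      used to load the {@link UaaUser} carried in the published events
     */
    public StatelessMfaAuthenticationFilter(UserGoogleMfaCredentialsProvisioning userGoogleMfaCredentialsProvisioning, Set<String> set, MfaProviderProvisioning mfaProviderProvisioning, UaaUserDatabase uaaUserDatabase) {
        this.provisioning = userGoogleMfaCredentialsProvisioning;
        this.supportedGrantTypes = set;
        this.mfaProvider = mfaProviderProvisioning;
        this.userDb = uaaUserDatabase;
    }

    /**
     * @param str value of the request's {@code grant_type} parameter (may be {@code null})
     * @return whether this filter enforces MFA for that grant type
     */
    public boolean isGrantTypeSupported(String str) {
        return this.supportedGrantTypes.contains(str);
    }

    /**
     * Runs the MFA check when the grant type is one of the supported ones, then continues the chain.
     *
     * <p>Failure handling:
     * <ul>
     *   <li>{@link InvalidMfaCodeException} (wrong or non-numeric code): failure events are
     *       published and the response is {@code 401 unauthorized} with the fixed description
     *       {@code Bad credentials}, so the caller cannot tell why the code was rejected.</li>
     *   <li>{@link MissingMfaCodeException} / {@link UserMfaConfigDoesNotExistException}: failure
     *       events are published and the response is {@code 400 invalid_request} carrying the
     *       exception message.</li>
     *   <li>{@link InsufficientAuthenticationException} (no usable authentication in the
     *       security context): {@code 400 invalid_request}, no events.</li>
     * </ul>
     * A {@link ProviderNotFoundException} from {@link #checkMfaCode} is not handled here and
     * propagates to the caller of the filter.
     *
     * <p>Note that {@code filterChain.doFilter} runs inside the same {@code try}, so the handlers
     * above would also answer one of these exceptions if it were thrown further down the chain.
     */
    @Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        MfaProvider mfaProvider = null;
        try {
            if (isGrantTypeSupported(httpServletRequest.getParameter("grant_type"))) {
                mfaProvider = checkMfaCode(httpServletRequest);
                // Loaded before the null check so a missing user authentication surfaces
                // (as InsufficientAuthenticationException) even when MFA is disabled for the zone.
                UaaUser uaaUser = getUaaUser();
                // checkMfaCode returns null when MFA is disabled for the zone: nothing to report then.
                if (mfaProvider != null) {
                    publishEvent(new MfaAuthenticationSuccessEvent(uaaUser, getAuthentication(), mfaProvider.getType().toValue()));
                }
            }
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        } catch (InvalidMfaCodeException e) {
            publishMfaFailure(mfaProvider);
            handleException(new JsonError(401, "unauthorized", "Bad credentials"), httpServletResponse);
        } catch (MissingMfaCodeException | UserMfaConfigDoesNotExistException e) {
            publishMfaFailure(mfaProvider);
            handleException(new JsonError(400, "invalid_request", e.getMessage()), httpServletResponse);
        } catch (InsufficientAuthenticationException e) {
            handleException(new JsonError(400, "invalid_request", e.getMessage()), httpServletResponse);
        }
    }

    /**
     * Publishes the two events emitted for every rejected MFA attempt: the MFA-specific failure
     * and the generic user authentication failure.
     *
     * @param mfaProvider the provider that was consulted, or {@code null} if the attempt failed
     *                    before one was resolved; the event then carries
     *                    {@link UaaAuthenticationJsonBase#NULL_STRING} as the provider type
     * @throws InsufficientAuthenticationException if the security context no longer holds a usable authentication
     */
    private void publishMfaFailure(MfaProvider mfaProvider) {
        UaaUser uaaUser = getUaaUser();
        UaaAuthentication authentication = getAuthentication();
        String providerType = mfaProvider != null ? mfaProvider.getType().toValue() : UaaAuthenticationJsonBase.NULL_STRING;
        publishEvent(new MfaAuthenticationFailureEvent(uaaUser, authentication, providerType));
        publishEvent(new UserAuthenticationFailureEvent(uaaUser, authentication));
    }

    /**
     * Writes {@code jsonError} as the response body with the status it carries.
     *
     * <p>Only the status and Content-Type are set; no charset is declared, which is fine for the
     * ASCII messages this filter itself produces.
     */
    protected void handleException(JsonError jsonError, HttpServletResponse httpServletResponse) throws IOException {
        httpServletResponse.setStatus(jsonError.getStatus());
        httpServletResponse.setHeader("Content-Type", "application/json");
        httpServletResponse.getWriter().write(JsonUtils.writeValueAsString(jsonError));
    }

    /**
     * Verifies the request's MFA code against the current user's registered credential.
     *
     * <p>Returns {@code null} without doing anything when MFA is not enabled for the current
     * identity zone. Otherwise the zone's configured provider is resolved, the code is read from
     * the request and checked, and on success {@code otp} and {@code mfa} are added to the
     * authentication's authentication methods (presumably how later stages recognise an
     * MFA-verified login; confirm against the token/claims code).
     *
     * @return the provider the code was verified against, or {@code null} if MFA is disabled
     * @throws ProviderNotFoundException           if a lookup inside the check finds no row; in practice
     *                                             the zone naming a provider that does not exist
     * @throws MissingMfaCodeException             if the code parameter is absent or empty
     * @throws UserMfaConfigDoesNotExistException  if the user has not registered an MFA credential
     * @throws InvalidMfaCodeException             if the code is non-numeric or does not verify
     * @throws InsufficientAuthenticationException if no {@link UaaAuthentication} is in the security context,
     *                                             regardless of whether MFA is enabled
     */
    protected MfaProvider checkMfaCode(HttpServletRequest httpServletRequest) throws ServletException, IOException {
        IdentityZone identityZone = IdentityZoneHolder.get();
        MfaProvider mfaProvider = null;
        // Resolved before the enabled check on purpose: a missing user authentication is an error either way.
        UaaAuthentication authentication = getAuthentication();
        if (isMfaEnabled(identityZone)) {
            try {
                mfaProvider = this.mfaProvider.retrieveByName(identityZone.getConfig().getMfaConfig().getProviderName(), identityZone.getId());
                Integer mfaCode = getMfaCode(httpServletRequest);
                UserGoogleMfaCredentials userGoogleMfaCredentials = this.provisioning.getUserGoogleMfaCredentials(authentication.getPrincipal().getId(), mfaProvider.getId());
                if (userGoogleMfaCredentials == null) {
                    throw new UserMfaConfigDoesNotExistException("User must register a multi-factor authentication token");
                }
                if (!this.provisioning.isValidCode(userGoogleMfaCredentials, mfaCode)) {
                    throw new InvalidMfaCodeException("Invalid multi-factor authentication code");
                }
                Set<String> authenticationMethods = new HashSet<>(authentication.getAuthenticationMethods());
                authenticationMethods.add("otp");
                authenticationMethods.add("mfa");
                authentication.setAuthenticationMethods(authenticationMethods);
            } catch (EmptyResultDataAccessException e) {
                // The catch spans the whole block, so an empty result from any lookup above is reported this way.
                throw new ProviderNotFoundException("Unable to find MFA provider for zone:" + identityZone.getSubdomain());
            }
        }
        return mfaProvider;
    }

    /**
     * Publishes {@code applicationEvent} if a publisher has been injected; silently drops it
     * otherwise (e.g. when the filter is constructed outside a Spring context).
     */
    private void publishEvent(ApplicationEvent applicationEvent) {
        if (this.publisher != null) {
            this.publisher.publishEvent(applicationEvent);
        }
    }

    /**
     * Reads the MFA code parameter from the request.
     *
     * @throws MissingMfaCodeException if the parameter is absent or empty
     * @throws InvalidMfaCodeException if the parameter is not an integer; the message is the same
     *                                 {@code Bad credentials} a wrong code yields, so the response
     *                                 does not reveal that the code was merely malformed
     */
    private Integer getMfaCode(HttpServletRequest httpServletRequest) {
        String parameter = httpServletRequest.getParameter(LoginInfoEndpoint.MFA_CODE);
        if (StringUtils.isEmpty(parameter)) {
            throw new MissingMfaCodeException("A multi-factor authentication code is required to complete the request");
        }
        try {
            return Integer.valueOf(parameter);
        } catch (NumberFormatException e) {
            throw new InvalidMfaCodeException("Bad credentials");
        }
    }

    /** @return whether the zone's MFA configuration is switched on. */
    private boolean isMfaEnabled(IdentityZone identityZone) {
        return identityZone.getConfig().getMfaConfig().isEnabled();
    }

    /**
     * Loads the {@link UaaUser} behind the current authentication's principal id.
     *
     * @throws InsufficientAuthenticationException if there is no usable authentication in the security context
     */
    private UaaUser getUaaUser() {
        return this.userDb.retrieveUserById(getAuthentication().getPrincipal().getId());
    }

    /**
     * Returns the {@link UaaAuthentication} nested inside the {@link OAuth2Authentication} held
     * by the security context.
     *
     * @throws InsufficientAuthenticationException if the context holds no authentication, an
     *         authentication of another type, or an OAuth2 authentication whose user part is not
     *         a {@link UaaAuthentication}; each case carries its own message
     */
    private UaaAuthentication getAuthentication() {
        // Declared as Authentication: the decompiled form assigned the context's authentication
        // straight to OAuth2Authentication, which would not compile and made the instanceof test below moot.
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null) {
            throw new InsufficientAuthenticationException("User authentication missing");
        }
        if (!(authentication instanceof OAuth2Authentication)) {
            throw new InsufficientAuthenticationException("Unrecognizable authentication");
        }
        Authentication userAuthentication = ((OAuth2Authentication) authentication).getUserAuthentication();
        if (userAuthentication instanceof UaaAuthentication) {
            return (UaaAuthentication) userAuthentication;
        }
        throw new InsufficientAuthenticationException("Unrecognizable user authentication");
    }

    /**
     * @return a read-only view (not a copy) of the grant types this filter enforces MFA for
     */
    public Set<String> getSupportedGrantTypes() {
        return Collections.unmodifiableSet(this.supportedGrantTypes);
    }

    @Override
    public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
        this.publisher = applicationEventPublisher;
    }
}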
