package fish.payara.security.identitystores;

import com.yubico.client.v2.ResponseStatus;
import com.yubico.client.v2.YubicoClient;
import com.yubico.client.v2.exceptions.YubicoValidationFailure;
import com.yubico.client.v2.exceptions.YubicoVerificationException;
import fish.payara.notification.requesttracing.EventType;
import fish.payara.notification.requesttracing.RequestTraceSpan;
import fish.payara.nucleus.requesttracing.RequestTracingService;
import fish.payara.security.annotations.YubikeyIdentityStoreDefinition;
import java.util.Arrays;
import java.util.EnumSet;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.enterprise.inject.Typed;
import javax.inject.Inject;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;
import org.glassfish.internal.api.Globals;

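/**
 * Identity store that authenticates a {@link YubikeyCredential} against the Yubico
 * validation service.
 *
 * <p>The one-time password (OTP) carried by the credential is first checked for
 * well-formedness locally and then submitted through {@link YubicoAPI}. Only a response
 * status of {@code OK} produces a valid result; every other status - including a status this
 * class does not recognise, or a missing status - maps to {@code INVALID_RESULT} or
 * {@code NOT_VALIDATED_RESULT}, so the store fails closed rather than open.
 *
 * <p>Request tracing is optional: when the {@link RequestTracingService} cannot be looked up
 * in {@link #init} or tracing is disabled, validation proceeds without emitting a span.
 * Neither the OTP nor the Yubico API key is written to logs or trace spans by this class.
 */
@Typed({YubikeyIdentityStore.class})
/* loaded from: input_file:MICRO-INF/runtime/yubikey-authentication.jar:fish/payara/security/identitystores/YubikeyIdentityStore.class */
public class YubikeyIdentityStore implements IdentityStore {
    private static final Logger LOG = Logger.getLogger(YubikeyIdentityStore.class.getName());

    /** Client for the Yubico validation service; configured by {@link #init}. */
    @Inject
    private YubicoAPI yubicoAPI;
    /** Tracing service; {@code null} when it could not be obtained in {@link #init}. */
    private RequestTracingService requestTracing;
    /** Store priority copied from the definition annotation; {@code 0} until {@link #init} runs. */
    private int priority;

    /**
     * Configures this store from its definition annotation.
     *
     * @param yubikeyIdentityStoreDefinition source of the priority, Yubico API client ID and API key
     * @return this store, for chaining
     */
    public YubikeyIdentityStore init(YubikeyIdentityStoreDefinition yubikeyIdentityStoreDefinition) {
        try {
            this.requestTracing = (RequestTracingService) Globals.get(RequestTracingService.class);
        } catch (NullPointerException e) {
            // Tracing is best-effort: a missing service locator must not stop the store from
            // initialising. beginTrace() treats a null requestTracing as "tracing disabled".
            LOG.log(Level.INFO, "Error retrieving Request Tracing service during initialisation of Yubikey Identity Store - NullPointerException");
        }
        this.priority = yubikeyIdentityStoreDefinition.priority();
        // The API key is a secret: it is handed to the client only and is not logged or traced here.
        this.yubicoAPI.init(yubikeyIdentityStoreDefinition.yubikeyAPIClientID(), yubikeyIdentityStoreDefinition.yubikeyAPIKey());
        return this;
    }

    /**
     * Validates a {@link YubikeyCredential} by submitting its OTP to the Yubico validation service.
     *
     * @param credential the credential to validate; any type other than {@link YubikeyCredential}
     *                   yields {@code NOT_VALIDATED_RESULT}
     * @return a result carrying the Yubikey public ID as caller name when Yubico reports {@code OK};
     *         {@code INVALID_RESULT} when the OTP is malformed or Yubico rejects it;
     *         {@code NOT_VALIDATED_RESULT} when Yubico cannot give a definitive answer, the
     *         verification call fails, or the response status is absent or unknown to this store
     */
    @Override // javax.security.enterprise.identitystore.IdentityStore
    public CredentialValidationResult validate(Credential credential) {
        if (!(credential instanceof YubikeyCredential)) {
            return CredentialValidationResult.NOT_VALIDATED_RESULT;
        }
        YubikeyCredential yubikeyCredential = (YubikeyCredential) credential;
        try {
            String oneTimePasswordString = yubikeyCredential.getOneTimePasswordString();
            // Cheap local syntax check before any network round trip.
            if (!YubicoClient.isValidOTPFormat(oneTimePasswordString)) {
                return CredentialValidationResult.INVALID_RESULT;
            }
            RequestTraceSpan beginTrace = beginTrace(yubikeyCredential);
            ResponseStatus status = this.yubicoAPI.verify(oneTimePasswordString).getStatus();
            doTrace(beginTrace, status);
            if (status == null) {
                // No status at all is treated like an unknown status: never a successful verification.
                LOG.log(Level.SEVERE, "Yubico server returned no response status");
                return CredentialValidationResult.NOT_VALIDATED_RESULT;
            }
            LOG.log(Level.FINE, "Yubico server reported {0}", status.name());
            switch (status) {
                case OK:
                    // The only path that yields a valid result.
                    return new CredentialValidationResult(yubikeyCredential.getPublicID());
                case BAD_OTP:
                case REPLAYED_OTP:
                case BAD_SIGNATURE:
                case NO_SUCH_CLIENT:
                    return CredentialValidationResult.INVALID_RESULT;
                case MISSING_PARAMETER:
                case OPERATION_NOT_ALLOWED:
                case BACKEND_ERROR:
                case NOT_ENOUGH_ANSWERS:
                case REPLAYED_REQUEST:
                    LOG.log(Level.WARNING, "Yubico reported {0}", status.name());
                    return CredentialValidationResult.NOT_VALIDATED_RESULT;
                default:
                    // Fail closed: a status this code does not recognise (e.g. one added in a newer
                    // client library) must not fall through to the success result.
                    LOG.log(Level.SEVERE, "Unknown/new yubico return status");
                    return CredentialValidationResult.NOT_VALIDATED_RESULT;
            }
        } catch (YubicoValidationFailure | YubicoVerificationException e) {
            // Transport or signature problems talking to Yubico: the OTP is neither accepted nor
            // rejected, so let another store decide. The OTP itself is deliberately not logged.
            LOG.log(Level.SEVERE, "Error verifying Yubikey OTP with the Yubico validation service", e);
            return CredentialValidationResult.NOT_VALIDATED_RESULT;
        }
    }

    /**
     * @return the single validation type this store supports: {@code VALIDATE}
     */
    @Override // javax.security.enterprise.identitystore.IdentityStore
    public Set<IdentityStore.ValidationType> validationTypes() {
        return EnumSet.of(IdentityStore.ValidationType.VALIDATE);
    }

    /**
     * @return the priority configured by {@link #init}, or {@code 0} if not yet initialised
     */
    @Override // javax.security.enterprise.identitystore.IdentityStore
    public int priority() {
        return this.priority;
    }

    /**
     * Opens a trace span for the Yubico round trip, tagged with non-secret request metadata.
     *
     * @param yubikeyCredential credential whose public ID is recorded on the span
     * @return the span to pass to {@link #doTrace}, or {@code null} when tracing is unavailable
     *         or disabled
     */
    private RequestTraceSpan beginTrace(YubikeyCredential yubikeyCredential) {
        if (this.requestTracing == null || !this.requestTracing.isRequestTracingEnabled()) {
            return null;
        }
        RequestTraceSpan requestTraceSpan = new RequestTraceSpan(EventType.REQUEST_EVENT, "verifyYubikeyCloudServiceRequest");
        // Only the client ID, the key's public ID and the target URLs are tagged; the OTP and
        // the API key are not.
        requestTraceSpan.addSpanTag("API Client ID", String.valueOf(this.yubicoAPI.getClientId()));
        requestTraceSpan.addSpanTag("Yubikey public ID", yubikeyCredential.getPublicID());
        requestTraceSpan.addSpanTag("Yubico validation URLs", Arrays.toString(this.yubicoAPI.getWsapiUrls()));
        return requestTraceSpan;
    }

    /**
     * Records the Yubico response status on the span and submits it to the tracing service.
     *
     * @param requestTraceSpan span from {@link #beginTrace}; {@code null} means tracing is off
     * @param responseStatus   status reported by Yubico; may be {@code null}
     */
    private void doTrace(RequestTraceSpan requestTraceSpan, ResponseStatus responseStatus) {
        if (requestTraceSpan == null) {
            return;
        }
        requestTraceSpan.addSpanTag("Yubico response status", responseStatus == null ? "null" : responseStatus.name());
        // A non-null span is only ever produced when requestTracing is non-null (see beginTrace).
        this.requestTracing.traceSpan(requestTraceSpan);
    }
}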
