package org.wso2.carbon.identity.application.authenticator.totp;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang.math.NumberUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.owasp.encoder.Encode;
import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.core.util.CryptoException;
import org.wso2.carbon.extension.identity.helper.FederatedAuthenticatorUtil;
import org.wso2.carbon.extension.identity.helper.util.IdentityHelperUtil;
import org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator;
import org.wso2.carbon.identity.application.authentication.framework.AuthenticatorFlowStatus;
import org.wso2.carbon.identity.application.authentication.framework.LocalApplicationAuthenticator;
import org.wso2.carbon.identity.application.authentication.framework.config.model.StepConfig;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException;
import org.wso2.carbon.identity.application.authentication.framework.exception.LogoutFailedException;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.authenticator.totp.TOTPAuthenticatorConstants;
import org.wso2.carbon.identity.application.authenticator.totp.exception.TOTPException;
import org.wso2.carbon.identity.application.authenticator.totp.internal.TOTPDataHolder;
import org.wso2.carbon.identity.application.authenticator.totp.util.TOTPAuthenticatorConfig;
import org.wso2.carbon.identity.application.authenticator.totp.util.TOTPAuthenticatorCredentials;
import org.wso2.carbon.identity.application.authenticator.totp.util.TOTPKeyRepresentation;
import org.wso2.carbon.identity.application.authenticator.totp.util.TOTPUtil;
import org.wso2.carbon.identity.application.common.model.IdentityProvider;
import org.wso2.carbon.identity.application.common.model.JustInTimeProvisioningConfig;
import org.wso2.carbon.identity.application.common.model.Property;
import org.wso2.carbon.identity.core.ServiceURLBuilder;
import org.wso2.carbon.identity.core.URLBuilderException;
import org.wso2.carbon.identity.core.model.IdentityErrorMsgContext;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.idp.mgt.IdentityProviderManagementException;
import org.wso2.carbon.user.api.UserRealm;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.api.UserStoreManager;
import org.wso2.carbon.user.core.util.UserCoreUtil;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/identity/application/authenticator/totp/TOTPAuthenticator.class */
public class TOTPAuthenticator extends AbstractApplicationAuthenticator implements LocalApplicationAuthenticator {
    // Serialization id; the framework base class is Serializable, so authenticator instances
    // may be written out with the authentication context (presumably — base class not visible here).
    private static final long serialVersionUID = 2009231028659744926L;
    private static final Log log = LogFactory.getLog(TOTPAuthenticator.class);

    /**
     * Reports whether this authenticator should process the request.
     * It claims the request whenever any of the TOTP-specific parameters is present:
     * a submitted token, a "send token by email" request, or an "enable TOTP" flag.
     * Only presence is checked here; values are interpreted in {@link #process}.
     */
    public boolean canHandle(HttpServletRequest httpServletRequest) {
        boolean hasToken = httpServletRequest.getParameter(TOTPAuthenticatorConstants.TOKEN) != null;
        boolean hasSendToken = httpServletRequest.getParameter(TOTPAuthenticatorConstants.SEND_TOKEN) != null;
        boolean hasEnableTotp = httpServletRequest.getParameter(TOTPAuthenticatorConstants.ENABLE_TOTP) != null;
        return hasToken || hasSendToken || hasEnableTotp;
    }

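    /**
     * Entry point of the TOTP step.
     * <ul>
     *   <li>Logout requests complete immediately.</li>
     *   <li>A "send token" request mails a one-time code and keeps the step open.</li>
     *   <li>An "enable TOTP" request or a plain page load runs the initiation logic, which either
     *       redirects the user to a TOTP page (step stays INCOMPLETE) or marks the step as skipped.</li>
     *   <li>A submitted token is handed to the framework, which calls
     *       {@link #processAuthenticationResponse} and drives retries.</li>
     * </ul>
     *
     * @return the flow status the framework should act on
     * @throws AuthenticationFailedException if initiation or token verification fails
     * @throws LogoutFailedException propagated from the framework's logout handling
     */
    public AuthenticatorFlowStatus process(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationContext authenticationContext) throws AuthenticationFailedException, LogoutFailedException {
        if (authenticationContext.isLogoutRequest()) {
            return AuthenticatorFlowStatus.SUCCESS_COMPLETED;
        }
        // Side request: a code is mailed and the user stays on this step; a send failure ends the flow.
        if (httpServletRequest.getParameter(TOTPAuthenticatorConstants.SEND_TOKEN) != null) {
            return generateOTPAndSendByEmail(authenticationContext) ? AuthenticatorFlowStatus.INCOMPLETE : AuthenticatorFlowStatus.FAIL_COMPLETED;
        }
        if (StringUtils.isNotEmpty(httpServletRequest.getParameter(TOTPAuthenticatorConstants.ENABLE_TOTP))) {
            return initiateAndResolveStatus(httpServletRequest, httpServletResponse, authenticationContext);
        }
        if (httpServletRequest.getParameter(TOTPAuthenticatorConstants.TOKEN) != null) {
            return super.process(httpServletRequest, httpServletResponse, authenticationContext);
        }
        return initiateAndResolveStatus(httpServletRequest, httpServletResponse, authenticationContext);
    }

    /**
     * Runs {@link #initiateAuthenticationRequest} and maps its outcome to a flow status.
     * Initiation records "totp" in the AUTHENTICATION context property when it redirected the user
     * to a TOTP page, and BASIC/FEDERETOR when the step is skipped; only the former keeps the step open.
     * The constant-first comparison is null-safe, so a missing property is treated as "not TOTP".
     */
    private AuthenticatorFlowStatus initiateAndResolveStatus(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationContext authenticationContext) throws AuthenticationFailedException {
        initiateAuthenticationRequest(httpServletRequest, httpServletResponse, authenticationContext);
        Object authentication = authenticationContext.getProperty(TOTPAuthenticatorConstants.AUTHENTICATION);
        return "totp".equals(authentication) ? AuthenticatorFlowStatus.INCOMPLETE : AuthenticatorFlowStatus.SUCCESS_COMPLETED;
    }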

    /**
     * Decides what the TOTP step shows to the user and redirects accordingly.
     *
     * Outcomes (in priority order, see the if/else chain below):
     *  1. the user already has a secret key and is not enrolling  -> TOTP login page;
     *  2. in-flow enrolment is enabled and the user is not enrolling -> a fresh secret/QR code is
     *     generated, stashed in the context, and the user is sent to the "enable TOTP" page;
     *  3. the request carries enableTOTP=true                        -> TOTP login page with the
     *     enable flag set in the context (the claims are persisted later by checkTotpEnabled);
     *  4. the admin enforces the second step but the user has no key -> TOTP error page;
     *  5. otherwise the step is skipped: the first-step user becomes the subject.
     *
     * The AUTHENTICATION context property is set to "totp" up front and overwritten with
     * BASIC/FEDERETOR only in case 5; process() uses that to choose INCOMPLETE vs SUCCESS_COMPLETED.
     *
     * @throws AuthenticationFailedException when no authenticated user / tenant is available from the
     *         previous step, or when building/sending the redirect fails
     */
    protected void initiateAuthenticationRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationContext authenticationContext) throws AuthenticationFailedException {
        Map parameterMap = getAuthenticatorConfig().getParameterMap();
        // parseBoolean: "show authentication failure reason" is enabled for this authenticator.
        boolean parseBoolean = Boolean.parseBoolean((String) parameterMap.get(TOTPAuthenticatorConstants.CONF_SHOW_AUTH_FAILURE_REASON));
        // z: additionally show that reason on the login page itself (only meaningful if parseBoolean).
        boolean z = false;
        if (parseBoolean) {
            z = Boolean.parseBoolean((String) parameterMap.get(TOTPAuthenticatorConstants.CONF_SHOW_AUTH_FAILURE_REASON_ON_LOGIN_PAGE));
        }
        // TOTP is a second factor: a user authenticated by an earlier step is mandatory.
        AuthenticatedUser authenticatedUser = TOTPUtil.getAuthenticatedUser(authenticationContext);
        if (authenticatedUser == null) {
            throw new AuthenticationFailedException(TOTPAuthenticatorConstants.ErrorMessages.ERROR_CODE_NO_AUTHENTICATED_USER.getCode(), TOTPAuthenticatorConstants.ErrorMessages.ERROR_CODE_NO_AUTHENTICATED_USER.getMessage());
        }
        String tenantDomain = authenticatedUser.getTenantDomain();
        if (StringUtils.isBlank(tenantDomain)) {
            throw new AuthenticationFailedException(TOTPAuthenticatorConstants.ErrorMessages.ERROR_CODE_NO_USER_TENANT.getCode(), TOTPAuthenticatorConstants.ErrorMessages.ERROR_CODE_NO_USER_TENANT.getMessage());
        }
        authenticationContext.setProperty(TOTPAuthenticatorConstants.AUTHENTICATION, "totp");
        // Tenant-specific authenticator configuration lives in the registry for non-super tenants.
        if (!tenantDomain.equals("carbon.super")) {
            IdentityHelperUtil.loadApplicationAuthenticationXMLFromRegistry(authenticationContext, getName(), tenantDomain);
        }
        // isBlank == true means there is no local account mapped to the (presumably federated) user;
        // such users get their secret from the context rather than the user store.
        String mappedLocalUsername = getMappedLocalUsername(authenticatedUser, authenticationContext);
        boolean isBlank = StringUtils.isBlank(mappedLocalUsername);
        try {
            AuthenticatedUser resolveAuthenticatingUser = resolveAuthenticatingUser(authenticationContext, authenticatedUser, mappedLocalUsername, tenantDomain, isBlank);
            String addTenantDomainToEntry = UserCoreUtil.addTenantDomainToEntry(resolveAuthenticatingUser.getUserName(), tenantDomain);
            // processAuthenticationResponse reads the user back from this property.
            authenticationContext.setProperty(TOTPAuthenticatorConstants.AUTHENTICATED_USER, resolveAuthenticatingUser);
            String str = authenticationContext.isRetrying() ? "&authFailure=true&authFailureMsg=login.fail.message" : "";
            // The error context is written by validateAccountLockStatusForLocalUser /
            // handleTotpVerificationFail as "17003:<reason>"; it is consumed (and cleared) here.
            IdentityErrorMsgContext identityErrorMsg = IdentityUtil.getIdentityErrorMsg();
            IdentityUtil.clearIdentityErrorMsg();
            String str2 = "";
            if (parseBoolean && identityErrorMsg != null && identityErrorMsg.getErrorCode() != null) {
                log.debug("Identity error message context is not null.");
                String errorCode = identityErrorMsg.getErrorCode();
                if (errorCode != null) {
                    String str3 = null;
                    if (errorCode.contains(":")) {
                        String[] split = errorCode.split(":", 2);
                        errorCode = split[0];
                        if (split.length > 1) {
                            str3 = split[1];
                        }
                    }
                    // Only the account-locked code (17003) and its reason are surfaced to the page;
                    // any other error code is swallowed.
                    if (errorCode.equals("17003")) {
                        HashMap hashMap = new HashMap();
                        hashMap.put(TOTPAuthenticatorConstants.ERROR_CODE, errorCode);
                        if (StringUtils.isNotBlank(str3)) {
                            hashMap.put(TOTPAuthenticatorConstants.LOCKED_REASON, str3);
                        }
                        str2 = buildErrorParamString(hashMap);
                    }
                }
            }
            // z2: a secret key is already stored for the (local) user.
            boolean z2 = false;
            if (!isBlank) {
                z2 = isSecretKeyExistForUser(UserCoreUtil.addDomainToName(addTenantDomainToEntry, resolveAuthenticatingUser.getUserStoreDomain()));
            }
            if (z2 && log.isDebugEnabled()) {
                log.debug("Secret key exists for the user: " + addTenantDomainToEntry);
            }
            boolean checkSecondStepEnableByAdmin = IdentityHelperUtil.checkSecondStepEnableByAdmin(authenticationContext);
            if (log.isDebugEnabled()) {
                log.debug("TOTP  is enabled by admin: " + checkSecondStepEnableByAdmin);
            }
            String multiOptionURIQueryParam = TOTPUtil.getMultiOptionURIQueryParam(httpServletRequest);
            if (z2 && httpServletRequest.getParameter(TOTPAuthenticatorConstants.ENABLE_TOTP) == null) {
                // Lock reason is only exposed on the login page when explicitly configured.
                if (!z) {
                    str2 = "";
                }
                httpServletResponse.sendRedirect(buildTOTPLoginPageURL(authenticationContext, addTenantDomainToEntry, str, str2, multiOptionURIQueryParam));
            } else if (TOTPUtil.isEnrolUserInAuthenticationFlowEnabled(authenticationContext) && httpServletRequest.getParameter(TOTPAuthenticatorConstants.ENABLE_TOTP) == null) {
                if (log.isDebugEnabled()) {
                    log.debug("User has not enabled TOTP: " + addTenantDomainToEntry);
                }
                // A new secret and QR-code URL are generated; for local users generateClaims(.., false, ..)
                // is used, for unmapped users the federated variant. Both values are kept in the
                // authentication context (not the user store) until the user proves possession of the
                // key — see checkTotpEnabled. Anything that can read the context can read the secret.
                Map<String, String> generateClaimsForFedUser = isBlank ? TOTPKeyGenerator.generateClaimsForFedUser(addTenantDomainToEntry, tenantDomain, authenticationContext) : TOTPKeyGenerator.generateClaims(UserCoreUtil.addDomainToName(addTenantDomainToEntry, resolveAuthenticatingUser.getUserStoreDomain()), false, authenticationContext);
                authenticationContext.setProperty(TOTPAuthenticatorConstants.SECRET_KEY_CLAIM_URL, generateClaimsForFedUser.get(TOTPAuthenticatorConstants.SECRET_KEY_CLAIM_URL));
                authenticationContext.setProperty(TOTPAuthenticatorConstants.QR_CODE_CLAIM_URL, generateClaimsForFedUser.get(TOTPAuthenticatorConstants.QR_CODE_CLAIM_URL));
                TOTPUtil.redirectToEnableTOTPReqPage(httpServletRequest, httpServletResponse, authenticationContext, generateClaimsForFedUser.get(TOTPAuthenticatorConstants.QR_CODE_CLAIM_URL));
            } else if (Boolean.valueOf(httpServletRequest.getParameter(TOTPAuthenticatorConstants.ENABLE_TOTP)).booleanValue()) {
                // User accepted enrolment: remember it so checkTotpEnabled persists the claims
                // once a valid token has been entered.
                authenticationContext.setProperty(TOTPAuthenticatorConstants.ENABLE_TOTP, true);
                // Redundant guard: str2 is only ever non-empty when parseBoolean is true.
                if (!parseBoolean) {
                    str2 = "";
                }
                httpServletResponse.sendRedirect(buildTOTPLoginPageURL(authenticationContext, addTenantDomainToEntry, str, str2, multiOptionURIQueryParam));
            } else if (checkSecondStepEnableByAdmin) {
                // Second factor is mandatory but the user has no key and cannot enrol: fail closed.
                httpServletResponse.sendRedirect(buildTOTPErrorPageURL(authenticationContext, addTenantDomainToEntry, str, str2, multiOptionURIQueryParam));
            } else {
                // TOTP not enforced and not set up: the step is skipped and the previous step's user
                // becomes the subject. The previous step's authenticator type is recorded so callers
                // can tell a basic (local) login from a federated one.
                authenticationContext.setSubject(resolveAuthenticatingUser);
                if (((StepConfig) authenticationContext.getSequenceConfig().getStepMap().get(Integer.valueOf(authenticationContext.getCurrentStep() - 1))).getAuthenticatedAutenticator().getApplicationAuthenticator() instanceof LocalApplicationAuthenticator) {
                    authenticationContext.setProperty(TOTPAuthenticatorConstants.AUTHENTICATION, TOTPAuthenticatorConstants.BASIC);
                } else {
                    authenticationContext.setProperty(TOTPAuthenticatorConstants.AUTHENTICATION, TOTPAuthenticatorConstants.FEDERETOR);
                }
            }
        } catch (URLBuilderException | URISyntaxException e) {
            throw new AuthenticationFailedException("Error while building TOTP page URL.", e);
        } catch (AuthenticationFailedException e2) {
            throw new AuthenticationFailedException("Authentication failed!. Cannot get the username from first step.", e2);
        } catch (IOException e3) {
            // NOTE(review): "((String) null)" is a decompiler artifact — these messages print "null"
            // instead of the username; the original source presumably interpolated a local.
            throw new AuthenticationFailedException("Error when redirecting the TOTP login response, user : " + ((String) null), e3);
        } catch (TOTPException e4) {
            throw new AuthenticationFailedException("Error when checking TOTP enabled for the user : " + ((String) null), e4);
        }
    }

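    /**
     * Builds the redirect URL of the TOTP login page.
     *
     * @param authenticationContext supplies the login tenant, session data key and service provider name
     * @param str                   tenant-qualified username displayed on the page
     * @param str2                  retry parameters ("&amp;authFailure=…" or empty)
     * @param str3                  pre-built error parameters (may be empty)
     * @param str4                  multi-option URI query parameter (may be empty)
     * @return an absolute URL (relative page paths are resolved by {@link #buildAbsoluteURL})
     */
    private String buildTOTPLoginPageURL(AuthenticationContext authenticationContext, String str, String str2, String str3, String str4) throws AuthenticationFailedException, URISyntaxException, URLBuilderException {
        // The username comes from the previous step (possibly a federated IdP) and the tenant from
        // the login request; both are URL-encoded like the service-provider name so neither can
        // smuggle extra query parameters into the redirect.
        String queryParams = "t=" + Encode.forUriComponent(authenticationContext.getLoginTenantDomain())
                + "&sessionDataKey=" + authenticationContext.getContextIdentifier()
                + "&authenticators=" + getName()
                + "&type=totp"
                + str2
                + "&username=" + Encode.forUriComponent(str)
                + "&sp=" + Encode.forUriComponent(authenticationContext.getServiceProviderName())
                + str3
                + str4;
        return buildAbsoluteURL(FrameworkUtils.appendQueryParamsStringToUrl(TOTPUtil.getTOTPLoginPage(authenticationContext), queryParams));
    }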

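    /**
     * Builds the redirect URL of the TOTP error page (shown when the second step is enforced by
     * the admin but the user has no secret key and cannot enrol).
     *
     * @param authenticationContext supplies the login tenant, session data key and service provider name
     * @param str                   tenant-qualified username displayed on the page
     * @param str2                  retry parameters ("&amp;authFailure=…" or empty)
     * @param str3                  pre-built error parameters (may be empty)
     * @param str4                  multi-option URI query parameter (may be empty)
     * @return an absolute URL (relative page paths are resolved by {@link #buildAbsoluteURL})
     */
    private String buildTOTPErrorPageURL(AuthenticationContext authenticationContext, String str, String str2, String str3, String str4) throws AuthenticationFailedException, URISyntaxException, URLBuilderException {
        // Username and tenant are URL-encoded like the service-provider name: the username is not
        // chosen by this authenticator and must not be able to inject query parameters.
        String queryParams = "t=" + Encode.forUriComponent(authenticationContext.getLoginTenantDomain())
                + "&sessionDataKey=" + authenticationContext.getContextIdentifier()
                + "&authenticators=" + getName()
                + "&type=totp_error"
                + str2
                + "&username=" + Encode.forUriComponent(str)
                + "&sp=" + Encode.forUriComponent(authenticationContext.getServiceProviderName())
                + str3
                + str4;
        return buildAbsoluteURL(FrameworkUtils.appendQueryParamsStringToUrl(TOTPUtil.getTOTPErrorPage(authenticationContext), queryParams));
    }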

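    /**
     * Serialises error parameters as a query-string fragment, e.g. "&amp;errorCode=17003&amp;lockedReason=…".
     * Each key and value is URL-encoded; the values (error code, account-lock reason) are read from
     * user claims, so they must not be able to break out of their own parameter. The fragment is
     * appended verbatim to the page URL by the callers.
     *
     * @param map parameters to append; null or empty yields ""
     * @return the encoded fragment, each entry prefixed with "&amp;"
     */
    private String buildErrorParamString(Map<String, String> map) {
        if (map == null || map.isEmpty()) {
            return "";
        }
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> entry : map.entrySet()) {
            sb.append('&').append(encodeQueryComponent(entry.getKey())).append('=').append(encodeQueryComponent(entry.getValue()));
        }
        return sb.toString();
    }

    /** URL-encodes one query-string component (UTF-8); null becomes the empty string. */
    private static String encodeQueryComponent(String value) {
        if (value == null) {
            return "";
        }
        try {
            return URLEncoder.encode(value, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            // UTF-8 is mandated by the JVM spec; reaching this would be a platform defect.
            throw new IllegalStateException("UTF-8 encoding is not supported", e);
        }
    }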

    /**
     * Returns {@code str} unchanged when it is already an absolute URI; otherwise treats it as a
     * path and resolves it against the server's public URL. The input is the configured TOTP
     * page location (plus query string), not request data.
     *
     * @throws URISyntaxException  if {@code str} is not a parseable URI
     * @throws URLBuilderException if the public URL cannot be built
     */
    private String buildAbsoluteURL(String str) throws URISyntaxException, URLBuilderException {
        URI parsed = new URI(str);
        if (parsed.isAbsolute()) {
            return str;
        }
        return ServiceURLBuilder.create().addPath(new String[]{str}).build().getAbsolutePublicURL();
    }

    /**
     * Verifies the submitted TOTP token and, on success, sets the authenticated subject.
     *
     * Order of checks: account-lock state (local users), empty token, numeric token, then either
     * the local-user path (secret from the user store; persists in-flow enrolment first) or the
     * federated path (secret from the context). Failures on the local path are counted towards
     * account locking; failures on the federated path are not.
     *
     * @throws AuthenticationFailedException on any verification failure or lookup error
     */
    protected void processAuthenticationResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationContext authenticationContext) throws AuthenticationFailedException {
        String parameter = httpServletRequest.getParameter(TOTPAuthenticatorConstants.TOKEN);
        // AUTHENTICATED_USER is stored by initiateAuthenticationRequest; a missing value would NPE here.
        String fullQualifiedUsername = ((AuthenticatedUser) authenticationContext.getProperty(TOTPAuthenticatorConstants.AUTHENTICATED_USER)).toFullQualifiedUsername();
        // A locked account is rejected before the token is even looked at.
        validateAccountLockStatusForLocalUser(authenticationContext, fullQualifiedUsername);
        // An empty token counts as a failed attempt.
        if (StringUtils.isBlank(parameter)) {
            handleTotpVerificationFail(authenticationContext);
            throw new AuthenticationFailedException("Empty TOTP in the request. Authentication Failed for user: " + fullQualifiedUsername);
        }
        try {
            // Leading zeros are dropped by parseInt ("012345" -> 12345); non-numeric input is a failed attempt.
            int parseInt = Integer.parseInt(parameter);
            if (!isInitialFederationAttempt(authenticationContext)) {
                // Persist in-flow enrolment (if any) before verifying against the stored secret.
                checkTotpEnabled(authenticationContext, fullQualifiedUsername);
                if (!isValidTokenLocalUser(parseInt, fullQualifiedUsername, authenticationContext)) {
                    handleTotpVerificationFail(authenticationContext);
                    throw new AuthenticationFailedException("Invalid Token. Authentication failed, user :  " + fullQualifiedUsername);
                }
            } else if (!isValidTokenFederatedUser(parseInt, authenticationContext)) {
                // No lock-out bookkeeping for federated users — by design as far as visible here.
                throw new AuthenticationFailedException("Invalid Token. Authentication failed for federated user: " + fullQualifiedUsername);
            }
            // NOTE(review): no reuse/replay check of an already accepted code is visible here; if one
            // exists it must live in TOTPAuthenticatorCredentials.authorize — confirm.
            if (StringUtils.isNotBlank(fullQualifiedUsername)) {
                AuthenticatedUser authenticatedUser = new AuthenticatedUser();
                authenticatedUser.setAuthenticatedSubjectIdentifier(fullQualifiedUsername);
                authenticatedUser.setUserName(UserCoreUtil.removeDomainFromName(MultitenantUtils.getTenantAwareUsername(fullQualifiedUsername)));
                authenticatedUser.setUserStoreDomain(UserCoreUtil.extractDomainFromName(fullQualifiedUsername));
                authenticatedUser.setTenantDomain(MultitenantUtils.getTenantDomain(fullQualifiedUsername));
                authenticationContext.setSubject(authenticatedUser);
            } else {
                // Only reachable with a blank username; kept as in the original.
                authenticationContext.setSubject(AuthenticatedUser.createLocalAuthenticatedUserFromSubjectIdentifier(fullQualifiedUsername));
            }
            // Successful verification clears the failed-attempt counter.
            resetTotpFailedAttempts(authenticationContext);
        } catch (NumberFormatException e) {
            handleTotpVerificationFail(authenticationContext);
            throw new AuthenticationFailedException("TOTP Authentication process failed for user " + fullQualifiedUsername, e);
        } catch (TOTPException e2) {
            throw new AuthenticationFailedException("TOTP Authentication process failed for user " + fullQualifiedUsername, e2);
        }
    }

    /**
     * Persists an enrolment made during this login flow.
     * Returns immediately unless the context's ENABLE_TOTP flag is true. Otherwise the secret
     * key in the context is refreshed from the user store (a stored key takes precedence over
     * the in-flow one), and the secret key, the "TOTP enabled" marker and the QR-code URL are
     * written to the user's claims.
     *
     * @param str fully qualified username of the local user
     * @throws AuthenticationFailedException if the claims cannot be read or written
     */
    private void checkTotpEnabled(AuthenticationContext authenticationContext, String str) throws AuthenticationFailedException {
        Object enableTotp = authenticationContext.getProperty(TOTPAuthenticatorConstants.ENABLE_TOTP);
        if (enableTotp == null || !Boolean.parseBoolean(enableTotp.toString())) {
            return;
        }
        checkForUpdatedSecretKey(authenticationContext, str);
        Map<String, String> claims = new HashMap<String, String>();
        Object secretKey = authenticationContext.getProperty(TOTPAuthenticatorConstants.SECRET_KEY_CLAIM_URL);
        if (secretKey != null) {
            claims.put(TOTPAuthenticatorConstants.SECRET_KEY_CLAIM_URL, secretKey.toString());
            claims.put(TOTPAuthenticatorConstants.TOTP_ENABLED_CLAIM_URI, "true");
        }
        Object qrCodeUrl = authenticationContext.getProperty(TOTPAuthenticatorConstants.QR_CODE_CLAIM_URL);
        if (qrCodeUrl != null) {
            claims.put(TOTPAuthenticatorConstants.QR_CODE_CLAIM_URL, qrCodeUrl.toString());
        }
        try {
            TOTPKeyGenerator.addTOTPClaimsAndRetrievingQRCodeURL(claims, str, authenticationContext);
        } catch (TOTPException e) {
            throw new AuthenticationFailedException("Error while adding TOTP claims to the user : " + str, e);
        }
    }

    /**
     * Copies the secret key stored in the user store into the context, if one exists.
     * A non-empty stored key overrides whatever SECRET_KEY_CLAIM_URL currently holds in the
     * context; an empty/missing stored key leaves the context untouched. No-op when the user's
     * realm cannot be resolved.
     *
     * @param str fully qualified username
     * @throws AuthenticationFailedException if the claim cannot be read
     */
    private void checkForUpdatedSecretKey(AuthenticationContext authenticationContext, String str) throws AuthenticationFailedException {
        try {
            UserRealm userRealm = TOTPUtil.getUserRealm(str);
            if (userRealm == null) {
                return;
            }
            String tenantAwareUsername = MultitenantUtils.getTenantAwareUsername(str);
            Map<String, String> claims = userRealm.getUserStoreManager().getUserClaimValues(tenantAwareUsername, new String[]{TOTPAuthenticatorConstants.SECRET_KEY_CLAIM_URL}, (String) null);
            String storedSecretKey = (String) claims.get(TOTPAuthenticatorConstants.SECRET_KEY_CLAIM_URL);
            if (StringUtils.isNotEmpty(storedSecretKey)) {
                authenticationContext.setProperty(TOTPAuthenticatorConstants.SECRET_KEY_CLAIM_URL, storedSecretKey);
            }
        } catch (UserStoreException e) {
            throw new AuthenticationFailedException("Error while getting TOTP secret key of the user: " + str, e);
        }
    }

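    /**
     * Rejects the attempt when the (local) user's account is locked.
     * Federated users are not checked. When locked, the lock reason is read from the
     * account-locked-reason claim and published as "17003:&lt;reason&gt;" through
     * {@link IdentityUtil#setIdentityErrorMsg} so the login page can display it (subject to the
     * "show failure reason" configuration handled in initiateAuthenticationRequest).
     *
     * @param str fully qualified username
     * @throws AuthenticationFailedException if the account is locked, or the lock reason cannot be read
     */
    private void validateAccountLockStatusForLocalUser(AuthenticationContext authenticationContext, String str) throws AuthenticationFailedException {
        if (!TOTPUtil.isLocalUser(authenticationContext)) {
            return;
        }
        AuthenticatedUser authenticatedUser = (AuthenticatedUser) authenticationContext.getProperty(TOTPAuthenticatorConstants.AUTHENTICATED_USER);
        String tenantDomain = MultitenantUtils.getTenantDomain(str);
        String userStoreDomain = UserCoreUtil.extractDomainFromName(str);
        if (!TOTPUtil.isAccountLocked(authenticatedUser.getUserName(), tenantDomain, userStoreDomain)) {
            return;
        }
        String message = String.format("Authentication failed since authenticated user: %s, account is locked.", getUserStoreAppendedName(str));
        if (log.isDebugEnabled()) {
            log.debug(message);
        }
        String lockedReason;
        try {
            Map<String, String> userClaimValues = TOTPUtil.getUserRealm(str).getUserStoreManager().getUserClaimValues(IdentityUtil.addDomainToName(authenticatedUser.getUserName(), authenticatedUser.getUserStoreDomain()), new String[]{TOTPAuthenticatorConstants.ACCOUNT_LOCKED_REASON_CLAIM_URI}, "default");
            // A missing reason yields "17003:" so no "null" reason leaks into the page parameters.
            lockedReason = userClaimValues != null ? StringUtils.defaultString(userClaimValues.get(TOTPAuthenticatorConstants.ACCOUNT_LOCKED_REASON_CLAIM_URI)) : "";
        } catch (UserStoreException e) {
            // Keep the cause: the original dropped it, which made store failures hard to diagnose.
            throw new AuthenticationFailedException(message + " Could not get the account locked reason.", e);
        }
        IdentityUtil.setIdentityErrorMsg(new IdentityErrorMsgContext("17003:" + lockedReason));
        throw new AuthenticationFailedException(message);
    }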

    /**
     * Tells the framework that a failed token may be retried on the same step (the page is
     * re-shown with the retry parameters built in initiateAuthenticationRequest). Retry count is
     * bounded by the account-lock handling, not by this flag.
     */
    protected boolean retryAuthenticationEnabled() {
        final boolean retryAllowed = true;
        return retryAllowed;
    }

    /**
     * Returns the session data key that identifies the authentication context for this request.
     * The value is taken as-is from the (untrusted) request; the framework resolves it to a
     * context and fails if none matches.
     */
    public String getContextIdentifier(HttpServletRequest httpServletRequest) {
        final String sessionDataKey = httpServletRequest.getParameter("sessionDataKey");
        return sessionDataKey;
    }

    /** Human-readable name shown in the admin UI and on the login options page. */
    public String getFriendlyName() {
        final String friendlyName = "TOTP";
        return friendlyName;
    }

    /**
     * Technical authenticator name used in configuration, the registry lookup and the
     * "authenticators" query parameter of the TOTP pages.
     */
    public String getName() {
        final String name = "totp";
        return name;
    }

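    /**
     * Generates a one-time code for the authenticated user and sends it by email.
     * Refused (with a warning) when the feature is disabled by the admin, and when no
     * authenticated user / subject identifier is present in the context.
     *
     * @return true if the code was generated and handed to the email sender, false otherwise
     */
    private boolean generateOTPAndSendByEmail(AuthenticationContext authenticationContext) {
        // The user may be absent from the context; the original dereferenced it unconditionally.
        AuthenticatedUser authenticatedUser = TOTPUtil.getAuthenticatedUser(authenticationContext);
        String authenticatedSubjectIdentifier = authenticatedUser == null ? null : authenticatedUser.getAuthenticatedSubjectIdentifier();
        if (!TOTPUtil.isSendVerificationCodeByEmailEnabled()) {
            // Logged at WARN: this is a request for a disabled feature, worth noticing in ops logs.
            log.warn(String.format("Sending verification code by email is disabled by admin. An attempt was made to send a verification code by email for user: %s for application: %s of %s tenant using sessionDataKey: %s", authenticatedSubjectIdentifier, authenticationContext.getServiceProviderName(), authenticationContext.getTenantDomain(), authenticationContext.getContextIdentifier()));
            return false;
        }
        if (StringUtils.isBlank(authenticatedSubjectIdentifier)) {
            log.error("No username found in the authentication context.");
            return false;
        }
        try {
            TOTPTokenGenerator.generateTOTPTokenLocal(authenticatedSubjectIdentifier, authenticationContext);
            if (log.isDebugEnabled()) {
                log.debug("TOTP Token is generated");
            }
            return true;
        } catch (TOTPException e) {
            log.error("Error when generating the totp token", e);
            return false;
        }
    }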

    /**
     * Returns the "username" context property as a string, or null when it is not set.
     * Not referenced elsewhere in the visible part of this class.
     */
    private String getUsernameFromContext(AuthenticationContext authenticationContext) {
        Object username = authenticationContext.getProperty("username");
        return username != null ? username.toString() : null;
    }

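    /**
     * Checks whether a (non-blank) TOTP secret key claim is stored for the user.
     *
     * @param str tenant- and domain-qualified username
     * @return true if the secret key claim is present and not blank
     * @throws TOTPException                 if the user realm cannot be found or the claim cannot be read
     * @throws AuthenticationFailedException propagated from the realm lookup
     */
    private boolean isSecretKeyExistForUser(String str) throws TOTPException, AuthenticationFailedException {
        UserRealm userRealm = TOTPUtil.getUserRealm(str);
        if (userRealm == null) {
            throw new TOTPException("Cannot find the user realm for the given tenant domain : " + CarbonContext.getThreadLocalCarbonContext().getTenantDomain());
        }
        String tenantAwareUsername = MultitenantUtils.getTenantAwareUsername(str);
        try {
            Map<String, String> claims = userRealm.getUserStoreManager().getUserClaimValues(tenantAwareUsername, new String[]{TOTPAuthenticatorConstants.SECRET_KEY_CLAIM_URL}, (String) null);
            // A null claim map is treated as "no key" rather than an NPE.
            return claims != null && StringUtils.isNotBlank(claims.get(TOTPAuthenticatorConstants.SECRET_KEY_CLAIM_URL));
        } catch (UserStoreException e) {
            // The decompiled original printed "null" here instead of the username.
            throw new TOTPException("TOTPAccessController failed while trying to access userRealm of the user : " + str, e);
        }
    }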

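    /**
     * Verifies a token for a local user against the secret key stored in the user store.
     * The stored value is decrypted with {@link TOTPUtil#decrypt} before verification; the
     * window size, time step and key encoding come from {@link #getTotpAuthenticator}.
     *
     * @param i   the numeric token entered by the user
     * @param str fully qualified username
     * @return true if the token is accepted for the current time window(s)
     * @throws TOTPException if the realm/claim lookup fails, no secret is stored, decryption fails,
     *                       or the encoding configuration cannot be read
     */
    private boolean isValidTokenLocalUser(int i, String str, AuthenticationContext authenticationContext) throws TOTPException {
        try {
            TOTPAuthenticatorCredentials totpAuthenticator = getTotpAuthenticator(authenticationContext, MultitenantUtils.getTenantDomain(str));
            String tenantAwareUsername = MultitenantUtils.getTenantAwareUsername(str);
            UserRealm userRealm = TOTPUtil.getUserRealm(str);
            if (userRealm == null) {
                throw new TOTPException("Cannot find the user realm for the given tenant domain : " + CarbonContext.getThreadLocalCarbonContext().getTenantDomain());
            }
            Map<String, String> claims = userRealm.getUserStoreManager().getUserClaimValues(tenantAwareUsername, new String[]{TOTPAuthenticatorConstants.SECRET_KEY_CLAIM_URL}, (String) null);
            String encryptedSecret = claims == null ? null : claims.get(TOTPAuthenticatorConstants.SECRET_KEY_CLAIM_URL);
            if (StringUtils.isBlank(encryptedSecret)) {
                // Fail closed: with no stored secret there is nothing to verify against, and
                // handing null to decrypt()/authorize() must not be mistaken for a valid login.
                throw new TOTPException("No TOTP secret key is stored for the user : " + str);
            }
            return totpAuthenticator.authorize(TOTPUtil.decrypt(encryptedSecret), i);
        } catch (CryptoException e) {
            throw new TOTPException("Error while decrypting the key", e);
        } catch (AuthenticationFailedException e2) {
            throw new TOTPException("TOTPTokenVerifier cannot find the property value for encodingMethod", e2);
        } catch (UserStoreException e3) {
            throw new TOTPException("TOTPTokenVerifier failed while trying to access userRealm of the user : " + str, e3);
        }
    }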

    /**
     * Builds the verifier used for token checks. Key representation is BASE64 when the tenant's
     * configured encoding method says so, BASE32 otherwise; window size and time-step size are
     * read from the authenticator configuration (time step in seconds, converted to millis).
     *
     * @param str tenant domain whose encoding configuration applies
     */
    private TOTPAuthenticatorCredentials getTotpAuthenticator(AuthenticationContext authenticationContext, String str) {
        String encodingMethod = TOTPUtil.getEncodingMethod(str, authenticationContext);
        TOTPKeyRepresentation keyRepresentation = TOTPAuthenticatorConstants.BASE64.equals(encodingMethod)
                ? TOTPKeyRepresentation.BASE64
                : TOTPKeyRepresentation.BASE32;
        long timeStepMillis = TimeUnit.SECONDS.toMillis(TOTPUtil.getTimeStepSize(authenticationContext));
        TOTPAuthenticatorConfig config = new TOTPAuthenticatorConfig.TOTPAuthenticatorConfigBuilder()
                .setKeyRepresentation(keyRepresentation)
                .setWindowSize(TOTPUtil.getWindowSize(authenticationContext))
                .setTimeStepSizeInMillis(timeStepMillis)
                .build();
        return new TOTPAuthenticatorCredentials(config);
    }

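    /**
     * Verifies a token for a federated (unmapped) user whose encrypted secret key lives in the
     * authentication context rather than the user store.
     *
     * @param i the numeric token entered by the user
     * @return true if the token is accepted
     * @throws TOTPException if no secret is present in the context or it cannot be decrypted
     */
    private boolean isValidTokenFederatedUser(int i, AuthenticationContext authenticationContext) throws TOTPException {
        Object encryptedSecret = authenticationContext.getProperty(TOTPAuthenticatorConstants.SECRET_KEY_CLAIM_URL);
        if (encryptedSecret == null) {
            // Fail closed instead of passing a null secret to the verifier.
            throw new TOTPException("No TOTP secret key found in the authentication context for the federated user.");
        }
        String secret;
        try {
            secret = TOTPUtil.decrypt(encryptedSecret.toString());
        } catch (CryptoException e) {
            throw new TOTPException("Error while decrypting the secret key", e);
        }
        return getTotpAuthenticator(authenticationContext, authenticationContext.getTenantDomain()).authorize(secret, i);
    }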

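    /**
     * Records a failed TOTP verification for a local user and locks the account once the
     * configured maximum number of failed attempts is reached.
     *
     * Applies only when the user is local, TOTP account locking is enabled, the account is not
     * already locked, and the account-lock connector's "lock on failure" property is true.
     * Below the maximum, only the failed-attempt counter claim is incremented. At the maximum the
     * account is locked: the counter is reset, the lockout count is incremented, the unlock time is
     * set to now + lockTime * ratio^lockoutCount (minutes), the lock reason is recorded, and the
     * failure is published as "17003:MAX_TOTP_ATTEMPTS_EXCEEDED" for the login page.
     *
     * The decompiled original rendered the property switch without breaks (each case fell through
     * to the next); this version reads each property exactly once.
     *
     * @throws AuthenticationFailedException when the account gets locked by this call, or when
     *         updating the user's claims fails
     */
    private void handleTotpVerificationFail(AuthenticationContext authenticationContext) throws AuthenticationFailedException {
        AuthenticatedUser authenticatedUser = (AuthenticatedUser) authenticationContext.getProperty(TOTPAuthenticatorConstants.AUTHENTICATED_USER);
        if (!TOTPUtil.isLocalUser(authenticationContext) || !TOTPUtil.isAccountLockingEnabledForTotp()) {
            return;
        }
        if (TOTPUtil.isAccountLocked(authenticatedUser.getUserName(), authenticatedUser.getTenantDomain(), authenticatedUser.getUserStoreDomain())) {
            return;
        }
        int maxAttempts = 0;
        long lockTimeMinutes = 0;
        double lockTimeRatio = 1.0d;
        for (Property property : TOTPUtil.getAccountLockConnectorConfigs(authenticatedUser.getTenantDomain())) {
            String name = property.getName();
            String value = property.getValue();
            if (TOTPAuthenticatorConstants.PROPERTY_ACCOUNT_LOCK_ON_FAILURE.equals(name)) {
                if (!Boolean.parseBoolean(value)) {
                    return; // lock-on-failure disabled: nothing to count
                }
            } else if (TOTPAuthenticatorConstants.PROPERTY_ACCOUNT_LOCK_ON_FAILURE_MAX.equals(name)) {
                maxAttempts = parseIntOrDefault(value, maxAttempts);
            } else if (TOTPAuthenticatorConstants.PROPERTY_ACCOUNT_LOCK_TIME.equals(name)) {
                lockTimeMinutes = parseIntOrDefault(value, (int) lockTimeMinutes);
            } else if (TOTPAuthenticatorConstants.PROPERTY_LOGIN_FAIL_TIMEOUT_RATIO.equals(name)) {
                double ratio = parseDoubleOrDefault(value, lockTimeRatio);
                if (ratio > 0.0d) {
                    lockTimeRatio = ratio;
                }
            }
        }
        Map<String, String> userClaimValues = getUserClaimValues(authenticatedUser);
        if (userClaimValues == null) {
            userClaimValues = new HashMap<String, String>();
        }
        int failedAttempts = parseIntOrDefault(userClaimValues.get(TOTPAuthenticatorConstants.TOTP_FAILED_ATTEMPTS_CLAIM), 0);
        int lockoutCount = parseIntOrDefault(userClaimValues.get(TOTPAuthenticatorConstants.FAILED_LOGIN_LOCKOUT_COUNT_CLAIM), 0);
        Map<String, String> updatedClaims = new HashMap<String, String>();
        // When no maximum is configured (maxAttempts == 0) the account locks on the first failure;
        // this matches the original behaviour — presumably the connector always supplies the value.
        if (failedAttempts + 1 < maxAttempts) {
            updatedClaims.put(TOTPAuthenticatorConstants.TOTP_FAILED_ATTEMPTS_CLAIM, String.valueOf(failedAttempts + 1));
            setUserClaimValues(authenticatedUser, updatedClaims);
            return;
        }
        // Lock duration grows geometrically with the number of previous lockouts.
        long unlockTimeMillis = System.currentTimeMillis() + (long) (lockTimeMinutes * 1000 * 60 * Math.pow(lockTimeRatio, lockoutCount));
        updatedClaims.put(TOTPAuthenticatorConstants.ACCOUNT_LOCKED_CLAIM, Boolean.TRUE.toString());
        updatedClaims.put(TOTPAuthenticatorConstants.TOTP_FAILED_ATTEMPTS_CLAIM, "0");
        updatedClaims.put(TOTPAuthenticatorConstants.ACCOUNT_UNLOCK_TIME_CLAIM, String.valueOf(unlockTimeMillis));
        updatedClaims.put(TOTPAuthenticatorConstants.FAILED_LOGIN_LOCKOUT_COUNT_CLAIM, String.valueOf(lockoutCount + 1));
        updatedClaims.put(TOTPAuthenticatorConstants.ACCOUNT_LOCKED_REASON_CLAIM_URI, TOTPAuthenticatorConstants.MAX_TOTP_ATTEMPTS_EXCEEDED);
        // Marks this lock as system-initiated for whatever downstream handler inspects the
        // thread-local properties (presumably the account-lock notification logic).
        ((Map) IdentityUtil.threadLocalProperties.get()).put(TOTPAuthenticatorConstants.ADMIN_INITIATED, false);
        setUserClaimValues(authenticatedUser, updatedClaims);
        String message = String.format("User account: %s is locked.", authenticatedUser.getUserName());
        IdentityUtil.setIdentityErrorMsg(new IdentityErrorMsgContext("17003:MAX_TOTP_ATTEMPTS_EXCEEDED"));
        throw new AuthenticationFailedException(message);
    }

    /**
     * Parses {@code value} as an int, returning {@code defaultValue} for null, blank, non-numeric
     * or non-integer text. NumberUtils.isNumber accepts decimals and hex, which Integer.parseInt
     * rejects, so the parse is guarded as well.
     */
    private static int parseIntOrDefault(String value, int defaultValue) {
        if (!NumberUtils.isNumber(value)) {
            return defaultValue;
        }
        try {
            return Integer.parseInt(value.trim());
        } catch (NumberFormatException e) {
            return defaultValue;
        }
    }

    /** Parses {@code value} as a double, returning {@code defaultValue} when it is not a plain number. */
    private static double parseDoubleOrDefault(String value, double defaultValue) {
        if (!NumberUtils.isNumber(value)) {
            return defaultValue;
        }
        try {
            return Double.parseDouble(value.trim());
        } catch (NumberFormatException e) {
            return defaultValue;
        }
    }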

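    /**
     * Clears the TOTP failed-attempt counters of the authenticated local user, so that a
     * later lockout starts counting from zero.
     *
     * <p>Runs only when the user is local and account locking is enabled for TOTP (both
     * checked through {@link TOTPUtil}). If the account-lock connector explicitly disables
     * locking on failure, nothing is touched. The counters are written back only when at
     * least one of them is currently above zero, which avoids a user-store update on every
     * successful verification.
     *
     * @param authenticationContext the current authentication context; the user is read
     *                              from its {@code AUTHENTICATED_USER} property
     * @throws AuthenticationFailedException if the user store cannot be read or updated
     */
    private void resetTotpFailedAttempts(AuthenticationContext authenticationContext) throws AuthenticationFailedException {
        if (!TOTPUtil.isLocalUser(authenticationContext) || !TOTPUtil.isAccountLockingEnabledForTotp()) {
            return;
        }
        AuthenticatedUser authenticatedUser = (AuthenticatedUser) authenticationContext.getProperty(TOTPAuthenticatorConstants.AUTHENTICATED_USER);
        if (isAccountLockOnFailureDisabled(authenticatedUser.getTenantDomain())) {
            return;
        }
        String fullQualifiedUsername = authenticatedUser.toFullQualifiedUsername();
        String[] counterClaims = {TOTPAuthenticatorConstants.TOTP_FAILED_ATTEMPTS_CLAIM,
                TOTPAuthenticatorConstants.FAILED_LOGIN_LOCKOUT_COUNT_CLAIM};
        try {
            String domainQualifiedUsername = IdentityUtil.addDomainToName(authenticatedUser.getUserName(), authenticatedUser.getUserStoreDomain());
            UserStoreManager userStoreManager = TOTPUtil.getUserRealm(fullQualifiedUsername).getUserStoreManager();
            Map<String, String> claimValues = userStoreManager.getUserClaimValues(domainQualifiedUsername, counterClaims, "default");
            int failedAttempts = parseCounter(claimValues.get(TOTPAuthenticatorConstants.TOTP_FAILED_ATTEMPTS_CLAIM));
            int lockoutCount = parseCounter(claimValues.get(TOTPAuthenticatorConstants.FAILED_LOGIN_LOCKOUT_COUNT_CLAIM));
            if (failedAttempts > 0 || lockoutCount > 0) {
                Map<String, String> resetClaims = new HashMap<>();
                resetClaims.put(TOTPAuthenticatorConstants.TOTP_FAILED_ATTEMPTS_CLAIM, "0");
                resetClaims.put(TOTPAuthenticatorConstants.FAILED_LOGIN_LOCKOUT_COUNT_CLAIM, "0");
                userStoreManager.setUserClaimValues(domainQualifiedUsername, resetClaims, "default");
            }
        } catch (UserStoreException e) {
            if (log.isDebugEnabled()) {
                log.debug("Error while resetting failed TOTP attempts count for user: " + fullQualifiedUsername, e);
            }
            throw new AuthenticationFailedException("Failed to reset failed attempts count for user : " + fullQualifiedUsername, e);
        }
    }

    /**
     * Returns {@code true} when the account-lock connector of the tenant explicitly sets
     * {@code PROPERTY_ACCOUNT_LOCK_ON_FAILURE} to a non-true value.
     *
     * @param tenantDomain tenant whose connector configuration is inspected
     * @return {@code true} if locking on failure is switched off for the tenant
     */
    private boolean isAccountLockOnFailureDisabled(String tenantDomain) {
        for (Property property : TOTPUtil.getAccountLockConnectorConfigs(tenantDomain)) {
            if (TOTPAuthenticatorConstants.PROPERTY_ACCOUNT_LOCK_ON_FAILURE.equals(property.getName())) {
                return !Boolean.parseBoolean(property.getValue());
            }
        }
        return false;
    }

    /**
     * Parses a stored counter claim value.
     *
     * <p>The counters are written by this authenticator as plain integers, but the claim
     * is user-store data, so a value that is numeric by {@code NumberUtils.isNumber} yet
     * not a valid {@code int} (a decimal, hex literal or out-of-range value) is treated
     * as zero instead of aborting the login with an unchecked exception.
     *
     * @param value the raw claim value, may be {@code null}
     * @return the parsed counter, or 0 when the value is absent or not an {@code int}
     */
    private static int parseCounter(String value) {
        if (!NumberUtils.isNumber(value)) {
            return 0;
        }
        try {
            return Integer.parseInt(value);
        } catch (NumberFormatException ignored) {
            // Numeric by NumberUtils but not an int; treated as "nothing to reset".
            return 0;
        }
    }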

    /**
     * Reads the TOTP failed-attempts and lockout-count claims of the given user from the
     * "default" profile of the user's user store.
     *
     * @param authenticatedUser the user whose claims are read
     * @return the claim values keyed by claim URI, exactly as returned by the user store manager
     * @throws AuthenticationFailedException if the user store cannot be read; the original
     *                                       {@link UserStoreException} is kept as the cause
     */
    private Map<String, String> getUserClaimValues(AuthenticatedUser authenticatedUser) throws AuthenticationFailedException {
        String[] claimUris = {TOTPAuthenticatorConstants.TOTP_FAILED_ATTEMPTS_CLAIM,
                TOTPAuthenticatorConstants.FAILED_LOGIN_LOCKOUT_COUNT_CLAIM};
        try {
            UserStoreManager userStoreManager = TOTPUtil.getUserRealm(authenticatedUser.toFullQualifiedUsername()).getUserStoreManager();
            String domainQualifiedUsername = IdentityUtil.addDomainToName(authenticatedUser.getUserName(), authenticatedUser.getUserStoreDomain());
            return userStoreManager.getUserClaimValues(domainQualifiedUsername, claimUris, "default");
        } catch (UserStoreException e) {
            if (log.isDebugEnabled()) {
                log.debug("Error while reading user claims of user: " + authenticatedUser.getUserName(), e);
            }
            throw new AuthenticationFailedException("Failed to read user claims for user : " + authenticatedUser.getUserName(), e);
        }
    }

    /**
     * Writes the given claim values to the "default" profile of the user's user store.
     *
     * @param authenticatedUser the user whose claims are updated
     * @param map               claim URI to value pairs to store
     * @throws AuthenticationFailedException if the user store cannot be updated; the original
     *                                       {@link UserStoreException} is kept as the cause
     */
    private void setUserClaimValues(AuthenticatedUser authenticatedUser, Map<String, String> map) throws AuthenticationFailedException {
        try {
            UserStoreManager userStoreManager = TOTPUtil.getUserRealm(authenticatedUser.toFullQualifiedUsername()).getUserStoreManager();
            String domainQualifiedUsername = IdentityUtil.addDomainToName(authenticatedUser.getUserName(), authenticatedUser.getUserStoreDomain());
            userStoreManager.setUserClaimValues(domainQualifiedUsername, map, "default");
        } catch (UserStoreException e) {
            if (log.isDebugEnabled()) {
                log.debug("Error while updating user claims of user: " + authenticatedUser.getUserName(), e);
            }
            throw new AuthenticationFailedException("Failed to update user claims for user : " + authenticatedUser.getUserName(), e);
        }
    }

    /**
     * Tells whether just-in-time provisioning is enabled for the identity provider the
     * user was federated from.
     *
     * @param authenticatedUser federated user; its IdP name selects the provider
     * @param str               tenant domain the provider is looked up in
     * @return {@code true} only if the provider has a JIT configuration and provisioning is
     *         enabled in it; a missing configuration yields {@code false}
     * @throws AuthenticationFailedException if the identity provider cannot be resolved
     */
    private boolean isJitProvisioningEnabled(AuthenticatedUser authenticatedUser, String str) throws AuthenticationFailedException {
        String idpName = authenticatedUser.getFederatedIdPName();
        JustInTimeProvisioningConfig jitConfig = getIdentityProvider(idpName, str).getJustInTimeProvisioningConfig();
        if (jitConfig == null) {
            if (log.isDebugEnabled()) {
                log.debug(String.format("No JIT provisioning configs for idp: %s in tenant: %s", idpName, str));
            }
            return false;
        }
        return jitConfig.isProvisioningEnabled();
    }

    /**
     * Resolves the user store that the identity provider's JIT configuration names as the
     * provisioning user store.
     *
     * @param authenticatedUser federated user; its IdP name selects the provider
     * @param str               tenant domain the provider is looked up in
     * @return the configured provisioning user store, or {@code null} when the provider has
     *         no JIT configuration
     * @throws AuthenticationFailedException if the identity provider cannot be resolved
     */
    private String getFederatedUserStoreDomain(AuthenticatedUser authenticatedUser, String str) throws AuthenticationFailedException {
        String idpName = authenticatedUser.getFederatedIdPName();
        JustInTimeProvisioningConfig jitConfig = getIdentityProvider(idpName, str).getJustInTimeProvisioningConfig();
        boolean debug = log.isDebugEnabled();
        if (jitConfig == null) {
            if (debug) {
                log.debug(String.format("No JIT provisioning configs for idp: %s in tenant: %s", idpName, str));
            }
            return null;
        }
        String userStore = jitConfig.getProvisioningUserStore();
        if (debug) {
            log.debug(String.format("Setting userstore: %s as the provisioning userstore for user: %s in tenant: %s", userStore, authenticatedUser.getUserName(), str));
        }
        return userStore;
    }

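    /**
     * Looks up the identity provider with the given name in the given tenant.
     *
     * <p>A missing provider ({@code null} result) and a failed lookup are both reported as
     * an authentication failure carrying the same message, so a federated user is never
     * authenticated against a provider that cannot be resolved. The management exception
     * is attached as the cause so the underlying failure stays visible in logs.
     *
     * @param str  identity provider name
     * @param str2 tenant domain to resolve the provider in
     * @return the resolved identity provider, never {@code null}
     * @throws AuthenticationFailedException if no provider with that name exists in the
     *                                       tenant or the lookup itself fails
     */
    private IdentityProvider getIdentityProvider(String str, String str2) throws AuthenticationFailedException {
        IdentityProvider identityProvider;
        try {
            identityProvider = TOTPDataHolder.getInstance().getIdpManager().getIdPByName(str, str2);
        } catch (IdentityProviderManagementException e) {
            // Preserve the cause; the original code dropped it.
            throw new AuthenticationFailedException(invalidFederatedAuthenticatorMessage(str, str2), e);
        }
        if (identityProvider == null) {
            throw new AuthenticationFailedException(invalidFederatedAuthenticatorMessage(str, str2));
        }
        return identityProvider;
    }

    /**
     * Formats the "invalid federated authenticator" message for the given provider and tenant.
     *
     * @param idpName      identity provider name
     * @param tenantDomain tenant domain
     * @return the formatted message text
     */
    private static String invalidFederatedAuthenticatorMessage(String idpName, String tenantDomain) {
        return String.format(TOTPAuthenticatorConstants.ErrorMessages.ERROR_CODE_INVALID_FEDERATED_AUTHENTICATOR.getMessage(), idpName, tenantDomain);
    }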

    /**
     * Returns the local username to use for TOTP: the user's own name for a local user, or
     * the local account associated with the federated user otherwise.
     *
     * @param authenticatedUser     the user being authenticated
     * @param authenticationContext context used to look up the federated user and its mapping
     * @return the local username, or {@code null} when the federated user has no associated
     *         local account
     * @throws AuthenticationFailedException if the user is federated but no logged-in
     *                                       federated user is present in the context
     */
    private String getMappedLocalUsername(AuthenticatedUser authenticatedUser, AuthenticationContext authenticationContext) throws AuthenticationFailedException {
        if (!authenticatedUser.isFederatedUser()) {
            return authenticatedUser.getUserName();
        }
        String federatedUsername = FederatedAuthenticatorUtil.getLoggedInFederatedUser(authenticationContext);
        if (StringUtils.isBlank(federatedUsername)) {
            // NOTE(review): the error code comes from ERROR_CODE_NO_AUTHENTICATED_USER while the
            // message comes from ERROR_CODE_NO_FEDERATED_USER - confirm this pairing is intended.
            throw new AuthenticationFailedException(
                    TOTPAuthenticatorConstants.ErrorMessages.ERROR_CODE_NO_AUTHENTICATED_USER.getCode(),
                    TOTPAuthenticatorConstants.ErrorMessages.ERROR_CODE_NO_FEDERATED_USER.getMessage());
        }
        String tenantAwareUsername = MultitenantUtils.getTenantAwareUsername(federatedUsername);
        String mappedLocalUsername = FederatedAuthenticatorUtil.getLocalUsernameAssociatedWithFederatedUser(tenantAwareUsername, authenticationContext);
        return StringUtils.isBlank(mappedLocalUsername) ? null : mappedLocalUsername;
    }

    /**
     * Decides which user object TOTP verification runs against.
     *
     * <p>Local users are returned unchanged. Federated users are only accepted when JIT
     * provisioning is enabled for their identity provider; otherwise the attempt fails. On an
     * initial federated attempt ({@code z} is {@code true}) the context is flagged with
     * {@code IS_INITIAL_FEDERATED_USER_ATTEMPT} and the federated user is returned as-is.
     * Otherwise a copy of the user is returned whose username is {@code str} and whose user
     * store is the provider's provisioning user store.
     *
     * @param authenticationContext the current authentication context
     * @param authenticatedUser     the user produced by the previous step
     * @param str                   username assigned to the resolved local copy of a federated user
     * @param str2                  tenant domain used for the identity provider lookup
     * @param z                     whether this is the initial federated attempt
     * @return the user to verify TOTP against
     * @throws AuthenticationFailedException if the user is federated and JIT provisioning is
     *                                       disabled, or the identity provider cannot be resolved
     */
    private AuthenticatedUser resolveAuthenticatingUser(AuthenticationContext authenticationContext, AuthenticatedUser authenticatedUser, String str, String str2, boolean z) throws AuthenticationFailedException {
        if (!authenticatedUser.isFederatedUser()) {
            return authenticatedUser;
        }
        if (!isJitProvisioningEnabled(authenticatedUser, str2)) {
            throw new AuthenticationFailedException(
                    TOTPAuthenticatorConstants.ErrorMessages.ERROR_CODE_INVALID_FEDERATED_USER_AUTHENTICATION.getCode(),
                    TOTPAuthenticatorConstants.ErrorMessages.ERROR_CODE_INVALID_FEDERATED_USER_AUTHENTICATION.getMessage());
        }
        if (z) {
            authenticationContext.setProperty(TOTPAuthenticatorConstants.IS_INITIAL_FEDERATED_USER_ATTEMPT, true);
            return authenticatedUser;
        }
        AuthenticatedUser localCopy = new AuthenticatedUser(authenticatedUser);
        localCopy.setUserName(str);
        String provisioningUserStore = getFederatedUserStoreDomain(authenticatedUser, str2);
        localCopy.setUserStoreDomain(provisioningUserStore);
        return localCopy;
    }

    /**
     * Reads the {@code IS_INITIAL_FEDERATED_USER_ATTEMPT} flag from the context.
     *
     * @param authenticationContext the current authentication context
     * @return {@code true} if the property is present and its string form parses as
     *         {@code true}; {@code false} when absent
     */
    private boolean isInitialFederationAttempt(AuthenticationContext authenticationContext) {
        Object flag = authenticationContext.getProperty(TOTPAuthenticatorConstants.IS_INITIAL_FEDERATED_USER_ATTEMPT);
        return flag != null && Boolean.parseBoolean(flag.toString());
    }
}
