package org.wso2.carbon.identity.application.authenticator.totp;

import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang.math.NumberUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.owasp.encoder.Encode;
import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.core.util.CryptoException;
import org.wso2.carbon.extension.identity.helper.FederatedAuthenticatorUtil;
import org.wso2.carbon.extension.identity.helper.util.IdentityHelperUtil;
import org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator;
import org.wso2.carbon.identity.application.authentication.framework.AuthenticatorFlowStatus;
import org.wso2.carbon.identity.application.authentication.framework.LocalApplicationAuthenticator;
import org.wso2.carbon.identity.application.authentication.framework.config.model.StepConfig;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException;
import org.wso2.carbon.identity.application.authentication.framework.exception.LogoutFailedException;
import org.wso2.carbon.identity.application.authentication.framework.exception.UserIdNotFoundException;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatorData;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatorMessage;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatorParamMetadata;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.authenticator.totp.TOTPAuthenticatorConstants;
import org.wso2.carbon.identity.application.authenticator.totp.exception.TOTPException;
import org.wso2.carbon.identity.application.authenticator.totp.internal.TOTPDataHolder;
import org.wso2.carbon.identity.application.authenticator.totp.util.TOTPAuthenticatorConfig;
import org.wso2.carbon.identity.application.authenticator.totp.util.TOTPAuthenticatorCredentials;
import org.wso2.carbon.identity.application.authenticator.totp.util.TOTPKeyRepresentation;
import org.wso2.carbon.identity.application.authenticator.totp.util.TOTPUtil;
import org.wso2.carbon.identity.application.common.model.IdentityProvider;
import org.wso2.carbon.identity.application.common.model.JustInTimeProvisioningConfig;
import org.wso2.carbon.identity.application.common.model.Property;
import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils;
import org.wso2.carbon.identity.core.ServiceURLBuilder;
import org.wso2.carbon.identity.core.URLBuilderException;
import org.wso2.carbon.identity.core.model.IdentityErrorMsgContext;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.idp.mgt.IdentityProviderManagementException;
import org.wso2.carbon.user.api.UserRealm;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.api.UserStoreManager;
import org.wso2.carbon.user.core.util.UserCoreUtil;
import org.wso2.carbon.utils.DiagnosticLog;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/identity/application/authenticator/totp/TOTPAuthenticator.class */
public class TOTPAuthenticator extends AbstractApplicationAuthenticator implements LocalApplicationAuthenticator {
    private static final long serialVersionUID = 2009231028659744926L;
    private static final Log log = LogFactory.getLog(TOTPAuthenticator.class);
    // Context property key: when it is set, initiateAuthenticationRequest does not redirect to the enrolment page.
    private static final String IS_API_BASED = "IS_API_BASED";
    // Context property key under which setAuthenticatorMessageToContext stores the AuthenticatorMessage.
    private static final String AUTHENTICATOR_MESSAGE = "authenticatorMessage";
    // Key for the account-locked reason; note the same literal is also used directly below instead of this constant.
    private static final String LOCKED_REASON = "lockedReason";

    /**
     * Reports whether this request belongs to the TOTP step, i.e. whether it carries a token,
     * a "send token" request or an "enable TOTP" request.
     *
     * @param httpServletRequest incoming request
     * @return {@code true} when at least one of the TOTP request parameters is present
     */
    public boolean canHandle(HttpServletRequest httpServletRequest) {
        boolean handled = httpServletRequest.getParameter(TOTPAuthenticatorConstants.TOKEN) != null
                || httpServletRequest.getParameter(TOTPAuthenticatorConstants.SEND_TOKEN) != null
                || httpServletRequest.getParameter(TOTPAuthenticatorConstants.ENABLE_TOTP) != null;
        if (handled && LoggerUtils.isDiagnosticLogsEnabled()) {
            DiagnosticLog.DiagnosticLogBuilder logBuilder = new DiagnosticLog.DiagnosticLogBuilder(
                    TOTPAuthenticatorConstants.LogConstants.TOTP_AUTH_SERVICE, "handle-authentication-step");
            logBuilder.resultMessage("TOTP Authenticator handling the authentication.")
                    .logDetailLevel(DiagnosticLog.LogDetailLevel.INTERNAL_SYSTEM)
                    .resultStatus(DiagnosticLog.ResultStatus.SUCCESS);
            LoggerUtils.triggerDiagnosticLogEvent(logBuilder);
        }
        return handled;
    }

    /**
     * Routes the request to the matching TOTP sub-flow.
     * <p>
     * Logout requests complete immediately. A "send token" request triggers the e-mail OTP path.
     * An "enable TOTP" request, or a request without a token, (re)initiates the step; the step stays
     * incomplete while the context's {@code AUTHENTICATION} property is {@code "totp"}. A request that only
     * carries a token is handed to the framework, which ends up in {@code processAuthenticationResponse}.
     *
     * @param httpServletRequest    incoming request
     * @param httpServletResponse   response used for redirects
     * @param authenticationContext current authentication context
     * @return the resulting flow status
     * @throws AuthenticationFailedException if the step cannot be initiated or the token is rejected
     * @throws LogoutFailedException propagated from the framework
     */
    public AuthenticatorFlowStatus process(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationContext authenticationContext) throws AuthenticationFailedException, LogoutFailedException {
        if (authenticationContext.isLogoutRequest()) {
            return AuthenticatorFlowStatus.SUCCESS_COMPLETED;
        }
        boolean sendTokenRequested = httpServletRequest.getParameter(TOTPAuthenticatorConstants.SEND_TOKEN) != null;
        if (sendTokenRequested) {
            boolean mailSent = generateOTPAndSendByEmail(authenticationContext);
            return mailSent ? AuthenticatorFlowStatus.INCOMPLETE : AuthenticatorFlowStatus.FAIL_COMPLETED;
        }
        boolean enableTotpRequested = StringUtils.isNotEmpty(httpServletRequest.getParameter(TOTPAuthenticatorConstants.ENABLE_TOTP));
        if (!enableTotpRequested && httpServletRequest.getParameter(TOTPAuthenticatorConstants.TOKEN) != null) {
            return super.process(httpServletRequest, httpServletResponse, authenticationContext);
        }
        initiateAuthenticationRequest(httpServletRequest, httpServletResponse, authenticationContext);
        Object authenticationMode = authenticationContext.getProperty(TOTPAuthenticatorConstants.AUTHENTICATION);
        return authenticationMode.equals("totp") ? AuthenticatorFlowStatus.INCOMPLETE : AuthenticatorFlowStatus.SUCCESS_COMPLETED;
    }

    /**
     * Starts the TOTP step for the user authenticated in the previous step.
     * <p>
     * Resolves the authenticating user, picks up any account-lock error context left by the previous
     * attempt, and then either redirects to the TOTP login page, redirects to the enrolment page (when
     * the user has no secret key and in-flow enrolment is enabled), or finishes the step without TOTP by
     * setting the subject. This listing is decompiled, so locals carry synthetic names.
     *
     * @param httpServletRequest    incoming request
     * @param httpServletResponse   response used for the redirect
     * @param authenticationContext current authentication context
     * @throws AuthenticationFailedException when no authenticated user or tenant domain is available, or
     *                                       when redirecting, URL building, decryption, user resolution or
     *                                       the secret-key lookup fails
     */
    protected void initiateAuthenticationRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationContext authenticationContext) throws AuthenticationFailedException {
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(TOTPAuthenticatorConstants.LogConstants.TOTP_AUTH_SERVICE, TOTPAuthenticatorConstants.LogConstants.ActionIDs.INITIATE_TOTP_REQUEST);
            diagnosticLogBuilder.resultMessage("Initiating TOTP authentication request.").logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION).resultStatus(DiagnosticLog.ResultStatus.SUCCESS).inputParam("step", Integer.valueOf(authenticationContext.getCurrentStep())).inputParams(getApplicationDetails(authenticationContext));
            LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
        }
        // Authenticator configuration: whether the failure reason may be exposed at all, and if so
        // whether it may also be shown on the login page (controls the error params appended below).
        Map parameterMap = getAuthenticatorConfig().getParameterMap();
        boolean parseBoolean = Boolean.parseBoolean((String) parameterMap.get(TOTPAuthenticatorConstants.CONF_SHOW_AUTH_FAILURE_REASON));
        boolean z = false;
        if (parseBoolean) {
            z = Boolean.parseBoolean((String) parameterMap.get(TOTPAuthenticatorConstants.CONF_SHOW_AUTH_FAILURE_REASON_ON_LOGIN_PAGE));
        }
        // Message key used on retry when the account is locked; falls back to the generic login failure key.
        String str = (String) parameterMap.get(TOTPAuthenticatorConstants.CONF_ACC_LOCK_AUTH_FAILURE_MSG);
        if (StringUtils.isBlank(str)) {
            str = TOTPAuthenticatorConstants.LOGIN_FAIL_MESSAGE;
        }
        AuthenticatedUser authenticatedUser = TOTPUtil.getAuthenticatedUser(authenticationContext);
        if (authenticatedUser == null) {
            throw new AuthenticationFailedException(TOTPAuthenticatorConstants.ErrorMessages.ERROR_CODE_NO_AUTHENTICATED_USER.getCode(), TOTPAuthenticatorConstants.ErrorMessages.ERROR_CODE_NO_AUTHENTICATED_USER.getMessage());
        }
        String tenantDomain = authenticatedUser.getTenantDomain();
        if (StringUtils.isBlank(tenantDomain)) {
            throw new AuthenticationFailedException(TOTPAuthenticatorConstants.ErrorMessages.ERROR_CODE_NO_USER_TENANT.getCode(), TOTPAuthenticatorConstants.ErrorMessages.ERROR_CODE_NO_USER_TENANT.getMessage());
        }
        // Mark the step as TOTP up front; the "no TOTP" branch at the end overwrites this with BASIC/FEDERETOR.
        authenticationContext.setProperty(TOTPAuthenticatorConstants.AUTHENTICATION, "totp");
        // Tenants other than the super tenant read the authenticator configuration from the registry.
        if (!tenantDomain.equals("carbon.super")) {
            IdentityHelperUtil.loadApplicationAuthenticationXMLFromRegistry(authenticationContext, getName(), tenantDomain);
        }
        // A blank mapped local user name routes the user through the federated branches below.
        String mappedLocalUsername = getMappedLocalUsername(authenticatedUser, authenticationContext);
        boolean isBlank = StringUtils.isBlank(mappedLocalUsername);
        DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder2 = null;
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            diagnosticLogBuilder2 = new DiagnosticLog.DiagnosticLogBuilder(TOTPAuthenticatorConstants.LogConstants.TOTP_AUTH_SERVICE, TOTPAuthenticatorConstants.LogConstants.ActionIDs.INITIATE_TOTP_REQUEST);
            diagnosticLogBuilder2.logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION).resultStatus(DiagnosticLog.ResultStatus.SUCCESS).inputParam("step", Integer.valueOf(authenticationContext.getCurrentStep())).inputParams(getApplicationDetails(authenticationContext));
        }
        try {
            AuthenticatedUser resolveAuthenticatingUser = resolveAuthenticatingUser(authenticationContext, authenticatedUser, mappedLocalUsername, tenantDomain, isBlank);
            String addTenantDomainToEntry = UserCoreUtil.addTenantDomainToEntry(resolveAuthenticatingUser.getUserName(), tenantDomain);
            // Masked copy of the user name for log output only.
            String maskedContent = LoggerUtils.isLogMaskingEnable ? LoggerUtils.getMaskedContent(addTenantDomainToEntry) : addTenantDomainToEntry;
            // processAuthenticationResponse reads this property back as the user to validate the token for.
            authenticationContext.setProperty(TOTPAuthenticatorConstants.AUTHENTICATED_USER, resolveAuthenticatingUser);
            if (LoggerUtils.isDiagnosticLogsEnabled() && diagnosticLogBuilder2 != null) {
                HashMap hashMap = new HashMap();
                hashMap.put("user", maskedContent);
                // NOTE(review): the user id is looked up on the previous-step user, not on resolveAuthenticatingUser.
                getUserId(authenticatedUser).ifPresent(str2 -> {
                    hashMap.put("user id", str2);
                });
                diagnosticLogBuilder2.inputParams(hashMap);
            }
            // Query fragment that tells the login page the previous attempt failed.
            String str3 = authenticationContext.isRetrying() ? "&authFailure=true&authFailureMsg=login.fail.message" : "";
            // Read and clear the error context the previous attempt left (validateAccountLockStatusForLocalUser writes "17003:<reason>").
            IdentityErrorMsgContext identityErrorMsg = IdentityUtil.getIdentityErrorMsg();
            IdentityUtil.clearIdentityErrorMsg();
            String str4 = "";
            if (parseBoolean && identityErrorMsg != null && StringUtils.isNotBlank(identityErrorMsg.getErrorCode())) {
                log.debug("Identity error message context is not null.");
                // The error code may carry a reason suffix in the form "<code>:<reason>".
                String errorCode = identityErrorMsg.getErrorCode();
                String str5 = null;
                if (errorCode.contains(":")) {
                    String[] split = errorCode.split(":", 2);
                    errorCode = split[0];
                    if (split.length > 1) {
                        str5 = split[1];
                    }
                }
                // 17003 is the code this class itself writes for a locked account.
                if ("17003".equals(errorCode)) {
                    if (authenticationContext.isRetrying()) {
                        str3 = "&authFailure=true&authFailureMsg=" + str;
                    }
                    HashMap hashMap2 = new HashMap();
                    hashMap2.put(TOTPAuthenticatorConstants.ERROR_CODE, errorCode);
                    if (StringUtils.isNotBlank(str5)) {
                        hashMap2.put("lockedReason", str5);
                    }
                    // Remaining lock time, rounded to whole minutes; omitted once the unlock time has passed.
                    long unlockTimeInMilliSeconds = getUnlockTimeInMilliSeconds(resolveAuthenticatingUser) - System.currentTimeMillis();
                    if (unlockTimeInMilliSeconds > 0) {
                        hashMap2.put(TOTPAuthenticatorConstants.UNLOCK_TIME, String.valueOf(Math.round((unlockTimeInMilliSeconds / 1000.0d) / 60.0d)));
                    }
                    // NOTE(review): the configured message (str) and the lock reason (str5) end up in the redirect
                    // URL; whether they are URI-encoded depends on buildErrorParamString / buildTOTPLoginPageURL.
                    str4 = buildErrorParamString(hashMap2);
                    setAuthenticatorMessageToContext(getAuthenticatorMessage(String.format("Authentication failed since authenticated user: %s, account is locked.", getUserStoreAppendedName(addTenantDomainToEntry)), getMessageContext("lockedReason", String.valueOf(str5))), authenticationContext);
                }
            }
            // The secret-key lookup is only attempted for users with a mapped local name.
            boolean z2 = false;
            if (!isBlank) {
                z2 = isSecretKeyExistForUser(UserCoreUtil.addDomainToName(addTenantDomainToEntry, resolveAuthenticatingUser.getUserStoreDomain()));
            }
            if (z2 && log.isDebugEnabled()) {
                log.debug("Secret key exists for the user: " + addTenantDomainToEntry);
            }
            boolean checkSecondStepEnableByAdmin = IdentityHelperUtil.checkSecondStepEnableByAdmin(authenticationContext);
            if (log.isDebugEnabled()) {
                log.debug("TOTP  is enabled by admin: " + checkSecondStepEnableByAdmin);
            }
            String multiOptionURIQueryParam = TOTPUtil.getMultiOptionURIQueryParam(httpServletRequest);
            // Enrolled user and not an explicit enable request: go straight to the login page.
            if (z2 && httpServletRequest.getParameter(TOTPAuthenticatorConstants.ENABLE_TOTP) == null) {
                // Error params are only passed to the login page when configured to show the reason there.
                if (!z) {
                    str4 = "";
                }
                httpServletResponse.sendRedirect(buildTOTPLoginPageURL(authenticationContext, addTenantDomainToEntry, str3, str4, multiOptionURIQueryParam));
                if (LoggerUtils.isDiagnosticLogsEnabled() && diagnosticLogBuilder2 != null) {
                    diagnosticLogBuilder2.resultMessage("Redirecting to TOTP login page.");
                    LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder2);
                }
            } else {
                Map runtimeParams = getRuntimeParams(authenticationContext);
                boolean isEnrolUserInAuthenticationFlowEnabled = TOTPUtil.isEnrolUserInAuthenticationFlowEnabled(authenticationContext, runtimeParams);
                if (LoggerUtils.isDiagnosticLogsEnabled() && diagnosticLogBuilder2 != null) {
                    diagnosticLogBuilder2.inputParam("user enrollment enabled", Boolean.valueOf(isEnrolUserInAuthenticationFlowEnabled));
                }
                // Not enrolled, in-flow enrolment allowed, and no explicit enable request yet: offer enrolment.
                if (isEnrolUserInAuthenticationFlowEnabled && httpServletRequest.getParameter(TOTPAuthenticatorConstants.ENABLE_TOTP) == null) {
                    // NOTE(review): API-based flows get no redirect here at all; presumably the API layer serves
                    // the enrolment data itself — confirm.
                    if (authenticationContext.getProperty(IS_API_BASED) == null) {
                        if (log.isDebugEnabled()) {
                            log.debug("User has not enabled TOTP: " + addTenantDomainToEntry);
                        }
                        // Federated users (blank mapped name) get claims generated without a local user store entry.
                        Map<String, String> generateClaimsForFedUser = isBlank ? TOTPKeyGenerator.generateClaimsForFedUser(addTenantDomainToEntry, tenantDomain, authenticationContext) : TOTPKeyGenerator.generateClaims(UserCoreUtil.addDomainToName(addTenantDomainToEntry, resolveAuthenticatingUser.getUserStoreDomain()), false, authenticationContext);
                        // NOTE(review): the key is decrypted only when the claim is NOT flagged ENABLE_ENCRYPTION —
                        // confirm this matches how generateClaims stores the secret; checkTotpEnabled later persists the property.
                        if (TOTPUtil.getClaimProperties(tenantDomain, TOTPAuthenticatorConstants.SECRET_KEY_CLAIM_URL).containsKey(TOTPAuthenticatorConstants.ENABLE_ENCRYPTION)) {
                            authenticationContext.setProperty(TOTPAuthenticatorConstants.SECRET_KEY_CLAIM_URL, generateClaimsForFedUser.get(TOTPAuthenticatorConstants.SECRET_KEY_CLAIM_URL));
                        } else {
                            authenticationContext.setProperty(TOTPAuthenticatorConstants.SECRET_KEY_CLAIM_URL, TOTPUtil.decrypt(generateClaimsForFedUser.get(TOTPAuthenticatorConstants.SECRET_KEY_CLAIM_URL)));
                        }
                        authenticationContext.setProperty(TOTPAuthenticatorConstants.QR_CODE_CLAIM_URL, generateClaimsForFedUser.get(TOTPAuthenticatorConstants.QR_CODE_CLAIM_URL));
                        TOTPUtil.redirectToEnableTOTPReqPage(httpServletRequest, httpServletResponse, authenticationContext, generateClaimsForFedUser.get(TOTPAuthenticatorConstants.QR_CODE_CLAIM_URL), runtimeParams);
                        if (LoggerUtils.isDiagnosticLogsEnabled() && diagnosticLogBuilder2 != null) {
                            diagnosticLogBuilder2.resultMessage("Redirecting user to the TOTP enable page.");
                            LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder2);
                        }
                    }
                // User accepted enrolment (enableTOTP=true) or the admin enforces the second step: login page,
                // with ENABLE_TOTP recorded in the context so checkTotpEnabled persists the pending claims.
                } else if (Boolean.valueOf(httpServletRequest.getParameter(TOTPAuthenticatorConstants.ENABLE_TOTP)).booleanValue() || checkSecondStepEnableByAdmin) {
                    authenticationContext.setProperty(TOTPAuthenticatorConstants.ENABLE_TOTP, true);
                    if (!parseBoolean || checkSecondStepEnableByAdmin) {
                        str4 = "";
                    }
                    httpServletResponse.sendRedirect(buildTOTPLoginPageURL(authenticationContext, addTenantDomainToEntry, str3, str4, multiOptionURIQueryParam));
                    if (LoggerUtils.isDiagnosticLogsEnabled() && diagnosticLogBuilder2 != null) {
                        diagnosticLogBuilder2.resultMessage("Redirecting to TOTP login page.");
                        LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder2);
                    }
                } else {
                    // No TOTP for this user: complete the step with the resolved user as subject and record
                    // whether the previous step was a local or a federated authenticator.
                    authenticationContext.setSubject(resolveAuthenticatingUser);
                    if (((StepConfig) authenticationContext.getSequenceConfig().getStepMap().get(Integer.valueOf(authenticationContext.getCurrentStep() - 1))).getAuthenticatedAutenticator().getApplicationAuthenticator() instanceof LocalApplicationAuthenticator) {
                        authenticationContext.setProperty(TOTPAuthenticatorConstants.AUTHENTICATION, TOTPAuthenticatorConstants.BASIC);
                    } else {
                        authenticationContext.setProperty(TOTPAuthenticatorConstants.AUTHENTICATION, TOTPAuthenticatorConstants.FEDERETOR);
                    }
                    if (LoggerUtils.isDiagnosticLogsEnabled() && diagnosticLogBuilder2 != null) {
                        diagnosticLogBuilder2.resultMessage("TOTP is not enabled for the user.");
                        LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder2);
                    }
                }
            }
        // The "(String) null" below is a decompiler artefact of a user-name variable that is never assigned
        // on this path: these two messages always read "user : null".
        } catch (IOException e) {
            throw new AuthenticationFailedException("Error when redirecting the TOTP login response, user : " + ((String) null), e);
        } catch (URLBuilderException | URISyntaxException e2) {
            throw new AuthenticationFailedException("Error while building TOTP page URL.", e2);
        } catch (CryptoException e3) {
            throw new AuthenticationFailedException("Error while decrypting the secret key.", e3);
        } catch (AuthenticationFailedException e4) {
            throw new AuthenticationFailedException("Authentication failed!. Cannot get the username from first step.", e4);
        } catch (TOTPException e5) {
            throw new AuthenticationFailedException("Error when checking TOTP enabled for the user : " + ((String) null), e5);
        }
    }

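    /**
     * Reads the account-unlock time claim of the user.
     * <p>
     * The caller subtracts {@code System.currentTimeMillis()} from the result to show the remaining
     * lock time, so the value is treated as epoch milliseconds. A missing or non-numeric claim yields
     * {@code 0} instead of failing the step, since the value only feeds a display hint.
     *
     * @param authenticatedUser user whose claim is read
     * @return the claim value, or {@code 0} when it is absent or not a valid long
     * @throws AuthenticationFailedException if the user's claim values cannot be read
     */
    private long getUnlockTimeInMilliSeconds(AuthenticatedUser authenticatedUser) throws AuthenticationFailedException {
        String fullQualifiedUsername = authenticatedUser.toFullQualifiedUsername();
        String claimUri = TOTPAuthenticatorConstants.ACCOUNT_UNLOCK_TIME_CLAIM;
        Map<String, String> userClaimValues = getUserClaimValues(authenticatedUser, new String[]{claimUri});
        String unlockTime = userClaimValues == null ? null : userClaimValues.get(claimUri);
        if (unlockTime == null) {
            if (log.isDebugEnabled()) {
                log.debug(String.format("No value configured for claim: %s, of user: %s", claimUri, fullQualifiedUsername));
            }
            return 0L;
        }
        try {
            return Long.parseLong(unlockTime);
        } catch (NumberFormatException e) {
            // Previously this propagated as an unchecked exception out of initiateAuthenticationRequest.
            if (log.isDebugEnabled()) {
                log.debug(String.format("Non-numeric value for claim: %s, of user: %s", claimUri, fullQualifiedUsername), e);
            }
            return 0L;
        }
    }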

    /**
     * Builds a single-entry, mutable message context map.
     *
     * @param str  entry key
     * @param str2 entry value (may be {@code null})
     * @return a new map holding exactly that entry
     */
    private static Map<String, String> getMessageContext(String str, String str2) {
        Map<String, String> messageContext = new HashMap<>(1);
        messageContext.put(str, str2);
        return messageContext;
    }

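    /**
     * Builds the absolute URL of the TOTP login page with this step's query parameters.
     *
     * @param authenticationContext current context (login tenant, session data key, service provider name)
     * @param str  user name to show on the login page
     * @param str2 retry/failure query fragment, starting with {@code &}, or empty
     * @param str3 error-parameter query fragment from {@link #buildErrorParamString(Map)}, or empty
     * @param str4 multi-option URI query fragment, or empty
     * @return absolute login page URL
     * @throws AuthenticationFailedException if the login page URL cannot be resolved
     * @throws URISyntaxException if the page URL is not a valid URI
     * @throws URLBuilderException if the absolute service URL cannot be built
     */
    private String buildTOTPLoginPageURL(AuthenticationContext authenticationContext, String str, String str2, String str3, String str4) throws AuthenticationFailedException, URISyntaxException, URLBuilderException {
        // The user name comes from the previous step and may contain '&', '#' or '%'; encode it the same
        // way as the service-provider name so it can neither break the query string nor inject parameters.
        String queryString = "t=" + authenticationContext.getLoginTenantDomain()
                + "&sessionDataKey=" + authenticationContext.getContextIdentifier()
                + "&authenticators=" + getName()
                + "&type=totp" + str2
                + "&username=" + Encode.forUriComponent(str)
                + "&sp=" + Encode.forUriComponent(authenticationContext.getServiceProviderName())
                + str3 + str4;
        return buildAbsoluteURL(FrameworkUtils.appendQueryParamsStringToUrl(TOTPUtil.getTOTPLoginPage(authenticationContext), queryString));
    }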

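    /**
     * Builds the absolute URL of the TOTP error page with this step's query parameters.
     *
     * @param authenticationContext current context (login tenant, session data key, service provider name)
     * @param str  user name to show on the error page
     * @param str2 retry/failure query fragment, starting with {@code &}, or empty
     * @param str3 error-parameter query fragment from {@link #buildErrorParamString(Map)}, or empty
     * @param str4 multi-option URI query fragment, or empty
     * @return absolute error page URL
     * @throws AuthenticationFailedException if the error page URL cannot be resolved
     * @throws URISyntaxException if the page URL is not a valid URI
     * @throws URLBuilderException if the absolute service URL cannot be built
     */
    private String buildTOTPErrorPageURL(AuthenticationContext authenticationContext, String str, String str2, String str3, String str4) throws AuthenticationFailedException, URISyntaxException, URLBuilderException {
        // Encode the user name like the service-provider name: it originates from the previous step and
        // must not be able to alter the query string.
        String queryString = "t=" + authenticationContext.getLoginTenantDomain()
                + "&sessionDataKey=" + authenticationContext.getContextIdentifier()
                + "&authenticators=" + getName()
                + "&type=totp_error" + str2
                + "&username=" + Encode.forUriComponent(str)
                + "&sp=" + Encode.forUriComponent(authenticationContext.getServiceProviderName())
                + str3 + str4;
        return buildAbsoluteURL(FrameworkUtils.appendQueryParamsStringToUrl(TOTPUtil.getTOTPErrorPage(authenticationContext), queryString));
    }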

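    /**
     * Serialises error parameters as a query-string suffix, one {@code &key=value} pair per entry.
     * <p>
     * Keys and values are URI-component encoded: the locked-reason value is read from a user-store
     * claim and must not be able to add or alter query parameters of the redirect URL.
     *
     * @param map parameters to append; {@code null} or empty yields an empty string
     * @return the suffix, or an empty string when there is nothing to append
     */
    private String buildErrorParamString(Map<String, String> map) {
        if (map == null || map.isEmpty()) {
            return "";
        }
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> entry : map.entrySet()) {
            sb.append('&').append(Encode.forUriComponent(entry.getKey()))
                    .append('=').append(Encode.forUriComponent(entry.getValue()));
        }
        return sb.toString();
    }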

    /**
     * Returns {@code str} unchanged when it already is an absolute URI; otherwise treats it as a path
     * and resolves it against the public service URL.
     *
     * @param str absolute URL or server-relative path
     * @return an absolute URL
     * @throws URISyntaxException if {@code str} is not a valid URI
     * @throws URLBuilderException if the service URL cannot be built
     */
    private String buildAbsoluteURL(String str) throws URISyntaxException, URLBuilderException {
        URI candidate = new URI(str);
        if (candidate.isAbsolute()) {
            return str;
        }
        return ServiceURLBuilder.create().addPath(new String[]{str}).build().getAbsolutePublicURL();
    }

    /**
     * Validates the submitted TOTP token for the user stored in the context by
     * {@code initiateAuthenticationRequest}.
     * <p>
     * The account-lock check runs before the token is inspected, so a locked local account fails
     * regardless of the token. A blank or non-numeric token, or an invalid token of a local user, is
     * counted as a failed attempt via {@code handleTotpVerificationFail}. On success the subject is set
     * and the failed-attempt counter is reset.
     *
     * @param httpServletRequest    request carrying the token parameter
     * @param httpServletResponse   unused here
     * @param authenticationContext current authentication context
     * @throws AuthenticationFailedException if the token is missing, malformed or invalid, the account is
     *                                       locked, or pending TOTP claims cannot be stored
     */
    protected void processAuthenticationResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationContext authenticationContext) throws AuthenticationFailedException {
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder(TOTPAuthenticatorConstants.LogConstants.TOTP_AUTH_SERVICE, TOTPAuthenticatorConstants.LogConstants.ActionIDs.PROCESS_AUTHENTICATION_RESPONSE);
            diagnosticLogBuilder.resultMessage("Processing TOTP authentication response.").logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION).resultStatus(DiagnosticLog.ResultStatus.SUCCESS).inputParam("step", Integer.valueOf(authenticationContext.getCurrentStep())).inputParams(getApplicationDetails(authenticationContext));
            LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
        }
        String parameter = httpServletRequest.getParameter(TOTPAuthenticatorConstants.TOKEN);
        // NOTE(review): the AUTHENTICATED_USER property is set by initiateAuthenticationRequest; if it is
        // absent this cast dereferences null rather than failing with an AuthenticationFailedException.
        String fullQualifiedUsername = ((AuthenticatedUser) authenticationContext.getProperty(TOTPAuthenticatorConstants.AUTHENTICATED_USER)).toFullQualifiedUsername();
        // Masked copy of the user name for log and exception messages only.
        String maskedContent = LoggerUtils.isLogMaskingEnable ? LoggerUtils.getMaskedContent(fullQualifiedUsername) : fullQualifiedUsername;
        validateAccountLockStatusForLocalUser(authenticationContext, fullQualifiedUsername);
        if (StringUtils.isBlank(parameter)) {
            handleTotpVerificationFail(authenticationContext);
            throw new AuthenticationFailedException("Empty TOTP in the request. Authentication Failed for user: " + maskedContent);
        }
        try {
            // A non-numeric token raises NumberFormatException, handled below as a failed attempt.
            int parseInt = Integer.parseInt(parameter);
            if (!isInitialFederationAttempt(authenticationContext)) {
                // Persists the pending enrolment claims (if ENABLE_TOTP was set) before validating.
                checkTotpEnabled(authenticationContext, fullQualifiedUsername);
                if (!isValidTokenLocalUser(parseInt, fullQualifiedUsername, authenticationContext)) {
                    handleTotpVerificationFail(authenticationContext);
                    throw new AuthenticationFailedException("Invalid Token. Authentication failed, user :  " + maskedContent);
                }
            // NOTE(review): an invalid token on the initial federation attempt is not reported to
            // handleTotpVerificationFail, unlike the local-user path — confirm this is intended.
            } else if (!isValidTokenFederatedUser(parseInt, authenticationContext)) {
                throw new AuthenticationFailedException("Invalid Token. Authentication failed for federated user: " + maskedContent);
            }
            // Rebuild the subject from the fully-qualified name (user, user-store domain, tenant).
            if (StringUtils.isNotBlank(fullQualifiedUsername)) {
                AuthenticatedUser authenticatedUser = new AuthenticatedUser();
                authenticatedUser.setAuthenticatedSubjectIdentifier(fullQualifiedUsername);
                authenticatedUser.setUserName(UserCoreUtil.removeDomainFromName(MultitenantUtils.getTenantAwareUsername(fullQualifiedUsername)));
                authenticatedUser.setUserStoreDomain(UserCoreUtil.extractDomainFromName(fullQualifiedUsername));
                authenticatedUser.setTenantDomain(MultitenantUtils.getTenantDomain(fullQualifiedUsername));
                authenticationContext.setSubject(authenticatedUser);
            } else {
                // Only reached with a blank name; the subject is then created from that blank identifier.
                authenticationContext.setSubject(AuthenticatedUser.createLocalAuthenticatedUserFromSubjectIdentifier(fullQualifiedUsername));
            }
            resetTotpFailedAttempts(authenticationContext);
            if (LoggerUtils.isDiagnosticLogsEnabled()) {
                DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder2 = new DiagnosticLog.DiagnosticLogBuilder(TOTPAuthenticatorConstants.LogConstants.TOTP_AUTH_SERVICE, TOTPAuthenticatorConstants.LogConstants.ActionIDs.PROCESS_AUTHENTICATION_RESPONSE);
                diagnosticLogBuilder2.resultMessage("Successfully processed TOTP authentication response.").logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION).resultStatus(DiagnosticLog.ResultStatus.SUCCESS).inputParam("step", Integer.valueOf(authenticationContext.getCurrentStep())).inputParam("user", maskedContent).inputParams(getApplicationDetails(authenticationContext));
                getUserId(authenticationContext.getSubject()).ifPresent(str -> {
                    diagnosticLogBuilder2.inputParam("user id", str);
                });
                LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder2);
            }
        } catch (NumberFormatException e) {
            handleTotpVerificationFail(authenticationContext);
            throw new AuthenticationFailedException("TOTP Authentication process failed for user " + maskedContent, e);
        } catch (TOTPException e2) {
            throw new AuthenticationFailedException("TOTP Authentication process failed for user " + maskedContent, e2);
        }
    }

    /**
     * Persists the TOTP claims of a user who enrolled during this flow.
     * <p>
     * Does nothing unless the context's {@code ENABLE_TOTP} property is {@code true}. Otherwise the
     * secret key held in the context is refreshed from the user store first; a secret key is then only
     * written when the user does not already have one, together with the "TOTP enabled" claim, and the
     * QR code URL is written whenever the context holds one.
     *
     * @param authenticationContext context holding the ENABLE_TOTP, secret-key and QR-code properties
     * @param str fully qualified user name
     * @throws AuthenticationFailedException if the claims cannot be stored
     */
    private void checkTotpEnabled(AuthenticationContext authenticationContext, String str) throws AuthenticationFailedException {
        Object enableTotpFlag = authenticationContext.getProperty(TOTPAuthenticatorConstants.ENABLE_TOTP);
        boolean enrolmentRequested = enableTotpFlag != null && Boolean.parseBoolean(enableTotpFlag.toString());
        if (!enrolmentRequested) {
            return;
        }
        try {
            checkForUpdatedSecretKey(authenticationContext, str);
            Map<String, String> claims = new HashMap<>();
            Object secretKey = authenticationContext.getProperty(TOTPAuthenticatorConstants.SECRET_KEY_CLAIM_URL);
            if (secretKey != null && !isSecretKeyExistForUser(str)) {
                claims.put(TOTPAuthenticatorConstants.SECRET_KEY_CLAIM_URL, TOTPUtil.getProcessedClaimValue(TOTPAuthenticatorConstants.SECRET_KEY_CLAIM_URL, secretKey.toString(), authenticationContext.getTenantDomain()));
                claims.put(TOTPAuthenticatorConstants.TOTP_ENABLED_CLAIM_URI, "true");
            }
            Object qrCodeUrl = authenticationContext.getProperty(TOTPAuthenticatorConstants.QR_CODE_CLAIM_URL);
            if (qrCodeUrl != null) {
                claims.put(TOTPAuthenticatorConstants.QR_CODE_CLAIM_URL, qrCodeUrl.toString());
            }
            TOTPKeyGenerator.addTOTPClaimsAndRetrievingQRCodeURL(claims, str, authenticationContext);
        } catch (TOTPException e) {
            String loggableUser = LoggerUtils.isLogMaskingEnable ? LoggerUtils.getMaskedContent(str) : str;
            throw new AuthenticationFailedException("Error while adding TOTP claims to the user : " + loggableUser, e);
        }
    }

    /**
     * Refreshes the secret key held in the context from the user store.
     * <p>
     * When the user already has a stored (encrypted) secret-key claim, its decrypted value replaces the
     * context's {@code SECRET_KEY_CLAIM_URL} property. No realm or no stored claim leaves the context untouched.
     *
     * @param authenticationContext context whose secret-key property may be updated
     * @param str fully qualified user name
     * @throws AuthenticationFailedException if the claim cannot be read or the stored key cannot be decrypted
     */
    private void checkForUpdatedSecretKey(AuthenticationContext authenticationContext, String str) throws AuthenticationFailedException {
        try {
            String tenantAwareUsername = MultitenantUtils.getTenantAwareUsername(str);
            UserRealm userRealm = TOTPUtil.getUserRealm(str);
            if (userRealm == null) {
                return;
            }
            String[] requestedClaims = {TOTPAuthenticatorConstants.SECRET_KEY_CLAIM_URL};
            Map<String, String> storedClaims = userRealm.getUserStoreManager().getUserClaimValues(tenantAwareUsername, requestedClaims, (String) null);
            String storedSecretKey = storedClaims.get(TOTPAuthenticatorConstants.SECRET_KEY_CLAIM_URL);
            if (StringUtils.isEmpty(storedSecretKey)) {
                return;
            }
            authenticationContext.setProperty(TOTPAuthenticatorConstants.SECRET_KEY_CLAIM_URL, TOTPUtil.decrypt(storedSecretKey));
        } catch (CryptoException e) {
            String loggableUser = LoggerUtils.isLogMaskingEnable ? LoggerUtils.getMaskedContent(str) : str;
            throw new AuthenticationFailedException("Error while decrypting the secret key for user : " + loggableUser, e);
        } catch (UserStoreException e2) {
            String loggableUser = LoggerUtils.isLogMaskingEnable ? LoggerUtils.getMaskedContent(str) : str;
            throw new AuthenticationFailedException("Error while getting TOTP secret key of the user: " + loggableUser, e2);
        }
    }

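    /**
     * Fails the step when a local user's account is locked, recording the lock reason for the retry page.
     * <p>
     * For a locked account the lock-reason claim is read and published through
     * {@link IdentityUtil#setIdentityErrorMsg(IdentityErrorMsgContext)} as {@code 17003:<reason>}, which
     * {@code initiateAuthenticationRequest} picks up on the next attempt. Federated users are not checked.
     *
     * @param authenticationContext current context; must hold the authenticated-user property
     * @param str fully qualified user name
     * @throws AuthenticationFailedException if the account is locked, or the lock reason cannot be read
     */
    private void validateAccountLockStatusForLocalUser(AuthenticationContext authenticationContext, String str) throws AuthenticationFailedException {
        if (!TOTPUtil.isLocalUser(authenticationContext)) {
            return;
        }
        AuthenticatedUser authenticatedUser = (AuthenticatedUser) authenticationContext.getProperty(TOTPAuthenticatorConstants.AUTHENTICATED_USER);
        String tenantDomain = MultitenantUtils.getTenantDomain(str);
        String userStoreDomain = UserCoreUtil.extractDomainFromName(str);
        if (!TOTPUtil.isAccountLocked(authenticatedUser.getUserName(), tenantDomain, userStoreDomain)) {
            return;
        }
        String format = String.format("Authentication failed since authenticated user: %s, account is locked.", getUserStoreAppendedName(str));
        if (log.isDebugEnabled()) {
            log.debug(format);
        }
        String lockedReason;
        try {
            UserRealm userRealm = TOTPUtil.getUserRealm(str);
            if (userRealm == null) {
                // Previously a null realm surfaced as a NullPointerException.
                throw new AuthenticationFailedException(format + " Could not get the account locked reason.");
            }
            Map<String, String> claims = userRealm.getUserStoreManager().getUserClaimValues(IdentityUtil.addDomainToName(authenticatedUser.getUserName(), authenticatedUser.getUserStoreDomain()), new String[]{TOTPAuthenticatorConstants.ACCOUNT_LOCKED_REASON_CLAIM_URI}, "default");
            // An absent claim used to produce the literal reason "null"; normalise it to empty.
            lockedReason = claims == null ? "" : StringUtils.defaultString(claims.get(TOTPAuthenticatorConstants.ACCOUNT_LOCKED_REASON_CLAIM_URI));
        } catch (UserStoreException e) {
            // Keep the cause; the message text is unchanged for callers that match on it.
            throw new AuthenticationFailedException(format + " Could not get the account locked reason.", e);
        }
        // 17003 is the code initiateAuthenticationRequest matches on; the reason rides after the colon.
        IdentityUtil.setIdentityErrorMsg(new IdentityErrorMsgContext("17003:" + lockedReason));
        setAuthenticatorMessageToContext(getAuthenticatorMessage(format, null), authenticationContext);
        throw new AuthenticationFailedException(format);
    }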

    /**
     * Stores the authenticator message in the authentication context under {@code AUTHENTICATOR_MESSAGE}.
     * Any previously stored message for that key is overwritten.
     *
     * @param authenticatorMessage  message to expose to the caller (e.g. an account-locked error)
     * @param authenticationContext context that receives the message as a property
     */
    private static void setAuthenticatorMessageToContext(AuthenticatorMessage authenticatorMessage, AuthenticationContext authenticationContext) {
        authenticationContext.setProperty(AUTHENTICATOR_MESSAGE, authenticatorMessage);
    }

    /**
     * Indicates that a failed TOTP verification may be retried by the user.
     * Lockout after repeated failures is enforced separately by the account-lock handling.
     *
     * @return always {@code true}
     */
    protected boolean retryAuthenticationEnabled() {
        return true;
    }

    /**
     * Returns the identifier that ties this request to an authentication context.
     *
     * @param httpServletRequest incoming request
     * @return the {@code sessionDataKey} request parameter, or {@code null} when absent
     */
    public String getContextIdentifier(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getParameter("sessionDataKey");
    }

    /**
     * Returns the display name of this authenticator.
     *
     * @return {@code "TOTP"}
     */
    public String getFriendlyName() {
        return "TOTP";
    }

    /**
     * Returns the internal name of this authenticator, as referenced in step configurations.
     *
     * @return {@code "totp"}
     */
    public String getName() {
        return "totp";
    }

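    /**
     * Describes the input this authenticator expects when driven through the API-based
     * (app-native) authentication flow: a single {@code TOKEN} parameter that the user must supply.
     *
     * @param authenticationContext current authentication context; its external IdP name is
     *                              reported as the IdP of this authenticator
     * @return the authenticator metadata, always present
     */
    public Optional<AuthenticatorData> getAuthInitiationData(AuthenticationContext authenticationContext) {
        AuthenticatorData authenticatorData = new AuthenticatorData();
        authenticatorData.setName(getName());
        authenticatorData.setDisplayName(getFriendlyName());
        authenticatorData.setI18nKey(getI18nKey());
        authenticatorData.setIdp(authenticationContext.getExternalIdP().getIdPName());
        authenticatorData.setPromptType(FrameworkConstants.AuthenticatorPromptType.USER_PROMPT);
        // Typed lists instead of raw ArrayList; the int/boolean arguments look like a parameter
        // order and a confidentiality flag — confirm against AuthenticatorParamMetadata.
        ArrayList<AuthenticatorParamMetadata> authParams = new ArrayList<>();
        authParams.add(new AuthenticatorParamMetadata(TOTPAuthenticatorConstants.TOKEN, TOTPAuthenticatorConstants.DISPLAY_TOKEN, FrameworkConstants.AuthenticatorParamType.STRING, 0, false, TOTPAuthenticatorConstants.TOTP_AUTHENTICATOR));
        authenticatorData.setAuthParams(authParams);
        ArrayList<String> requiredParams = new ArrayList<>();
        requiredParams.add(TOTPAuthenticatorConstants.TOKEN);
        authenticatorData.setRequiredParams(requiredParams);
        return Optional.of(authenticatorData);
    }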

    /**
     * Indicates that this authenticator can be used in the API-based (app-native) authentication flow.
     *
     * @return always {@code true}
     */
    public boolean isAPIBasedAuthenticationSupported() {
        return true;
    }

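    /**
     * Generates a TOTP token for the authenticated user and hands it to the email delivery path.
     * <p>
     * Nothing is sent when the administrator has disabled email delivery of verification codes;
     * in that case the attempt is recorded as a warning so that it can be audited.
     *
     * @param authenticationContext current authentication context
     * @return {@code true} when the token was generated, {@code false} when delivery is disabled,
     *         no subject identifier is available, or token generation failed
     */
    private boolean generateOTPAndSendByEmail(AuthenticationContext authenticationContext) {
        String authenticatedSubjectIdentifier = TOTPUtil.getAuthenticatedUser(authenticationContext).getAuthenticatedSubjectIdentifier();
        if (!TOTPUtil.isSendVerificationCodeByEmailEnabled()) {
            // Mask the username in the same way the rest of this class does, so the audit log
            // does not leak identifiers when log masking is turned on.
            String loggedIdentifier = LoggerUtils.isLogMaskingEnable ? LoggerUtils.getMaskedContent(authenticatedSubjectIdentifier) : authenticatedSubjectIdentifier;
            log.warn(String.format("Sending verification code by email is disabled by admin. An attempt was made to send a verification code by email for user: %s for application: %s of %s tenant using sessionDataKey: %s", loggedIdentifier, authenticationContext.getServiceProviderName(), authenticationContext.getTenantDomain(), authenticationContext.getContextIdentifier()));
            return false;
        }
        if (StringUtils.isBlank(authenticatedSubjectIdentifier)) {
            log.error("No username found in the authentication context.");
            return false;
        }
        try {
            TOTPTokenGenerator.generateTOTPTokenLocal(authenticatedSubjectIdentifier, authenticationContext);
            if (log.isDebugEnabled()) {
                log.debug("TOTP Token is generated");
            }
            return true;
        } catch (TOTPException e) {
            log.error("Error when generating the totp token", e);
            return false;
        }
    }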

    /**
     * Reads the {@code username} property from the authentication context.
     *
     * @param authenticationContext current authentication context
     * @return the property's string form, or {@code null} when the property is not set
     */
    private String getUsernameFromContext(AuthenticationContext authenticationContext) {
        Object username = authenticationContext.getProperty("username");
        return username == null ? null : username.toString();
    }

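    /**
     * Checks whether the user already has a (non-blank) TOTP secret key stored in the secret key claim.
     *
     * @param str fully qualified username
     * @return {@code true} when the secret key claim is present and non-blank
     * @throws TOTPException                 if the user realm cannot be found, or the user store
     *                                       cannot be read
     * @throws AuthenticationFailedException propagated from the user realm lookup
     */
    private boolean isSecretKeyExistForUser(String str) throws TOTPException, AuthenticationFailedException {
        UserRealm userRealm = TOTPUtil.getUserRealm(str);
        if (userRealm == null) {
            throw new TOTPException("Cannot find the user realm for the given tenant domain : " + CarbonContext.getThreadLocalCarbonContext().getTenantDomain());
        }
        String tenantAwareUsername = MultitenantUtils.getTenantAwareUsername(str);
        try {
            Map<String, String> claimValues = userRealm.getUserStoreManager().getUserClaimValues(tenantAwareUsername, new String[]{TOTPAuthenticatorConstants.SECRET_KEY_CLAIM_URL}, (String) null);
            // A null claim map previously caused a NullPointerException; treat it as "no secret key".
            return claimValues != null && StringUtils.isNotBlank(claimValues.get(TOTPAuthenticatorConstants.SECRET_KEY_CLAIM_URL));
        } catch (UserStoreException e) {
            // Report the affected user (masked when log masking is on); the original masked a null.
            String loggedUsername = LoggerUtils.isLogMaskingEnable ? LoggerUtils.getMaskedContent(str) : str;
            throw new TOTPException("TOTPAccessController failed while trying to access userRealm of the user : " + loggedUsername, e);
        }
    }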

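    /**
     * Verifies a TOTP token for a local user against the secret key stored in the user's claims.
     * <p>
     * The stored secret is encrypted; it is decrypted via {@code TOTPUtil.decrypt} before the
     * verifier compares the token within the configured window.
     *
     * @param i                     token entered by the user
     * @param str                   fully qualified username
     * @param authenticationContext current authentication context (supplies encoding, window
     *                              size and time step configuration)
     * @return {@code true} when the token matches
     * @throws TOTPException if the realm or secret key claim is missing, the user store cannot be
     *                       read, the encoding method cannot be resolved, or decryption fails
     */
    private boolean isValidTokenLocalUser(int i, String str, AuthenticationContext authenticationContext) throws TOTPException {
        try {
            TOTPAuthenticatorCredentials totpAuthenticator = getTotpAuthenticator(authenticationContext, MultitenantUtils.getTenantDomain(str));
            String tenantAwareUsername = MultitenantUtils.getTenantAwareUsername(str);
            UserRealm userRealm = TOTPUtil.getUserRealm(str);
            if (userRealm == null) {
                throw new TOTPException("Cannot find the user realm for the given tenant domain : " + CarbonContext.getThreadLocalCarbonContext().getTenantDomain());
            }
            Map<String, String> claimValues = userRealm.getUserStoreManager().getUserClaimValues(tenantAwareUsername, new String[]{TOTPAuthenticatorConstants.SECRET_KEY_CLAIM_URL}, (String) null);
            // A null claim map is treated like a missing claim instead of throwing a NullPointerException.
            String encryptedSecretKey = claimValues != null ? claimValues.get(TOTPAuthenticatorConstants.SECRET_KEY_CLAIM_URL) : null;
            if (encryptedSecretKey == null) {
                throw new TOTPException("Secret key claim is null for the user : " + (LoggerUtils.isLogMaskingEnable ? LoggerUtils.getMaskedContent(tenantAwareUsername) : tenantAwareUsername));
            }
            return totpAuthenticator.authorize(TOTPUtil.decrypt(encryptedSecretKey), i);
        } catch (UserStoreException e) {
            // Report the affected user (masked when log masking is on); the original masked a null.
            String loggedUsername = LoggerUtils.isLogMaskingEnable ? LoggerUtils.getMaskedContent(str) : str;
            throw new TOTPException("TOTPTokenVerifier failed while trying to access userRealm of the user : " + loggedUsername, e);
        } catch (AuthenticationFailedException e2) {
            // Keep the cause so the configuration failure is not lost.
            throw new TOTPException("TOTPTokenVerifier cannot find the property value for encodingMethod", e2);
        } catch (CryptoException e3) {
            throw new TOTPException("Error while decrypting the key", e3);
        }
    }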

    /**
     * Builds the TOTP verifier for the tenant, using the configured key encoding (BASE32 unless the
     * encoding method is {@code BASE64}), window size and time step.
     *
     * @param authenticationContext current authentication context (source of window size and time step)
     * @param str                   tenant domain used to resolve the encoding method
     * @return a configured {@link TOTPAuthenticatorCredentials}
     */
    private TOTPAuthenticatorCredentials getTotpAuthenticator(AuthenticationContext authenticationContext, String str) {
        boolean useBase64 = TOTPAuthenticatorConstants.BASE64.equals(TOTPUtil.getEncodingMethod(str, authenticationContext));
        TOTPKeyRepresentation keyRepresentation = useBase64 ? TOTPKeyRepresentation.BASE64 : TOTPKeyRepresentation.BASE32;
        return new TOTPAuthenticatorCredentials(
                new TOTPAuthenticatorConfig.TOTPAuthenticatorConfigBuilder()
                        .setKeyRepresentation(keyRepresentation)
                        .setWindowSize(TOTPUtil.getWindowSize(authenticationContext))
                        .setTimeStepSizeInMillis(TimeUnit.SECONDS.toMillis(TOTPUtil.getTimeStepSize(authenticationContext)))
                        .build());
    }

    /**
     * Verifies a TOTP token for a federated user, whose secret key is carried in the
     * authentication context (under the secret key claim URL) rather than in a local user store.
     *
     * @param i                     token entered by the user
     * @param authenticationContext current authentication context
     * @return {@code true} when the token matches
     * @throws TOTPException propagated from the verifier
     */
    private boolean isValidTokenFederatedUser(int i, AuthenticationContext authenticationContext) throws TOTPException {
        Object secretKeyProperty = authenticationContext.getProperty(TOTPAuthenticatorConstants.SECRET_KEY_CLAIM_URL);
        // NOTE(review): a missing property is passed on as null; what authorize() does with it is decided by the verifier.
        String secretKey = secretKeyProperty != null ? secretKeyProperty.toString() : null;
        TOTPAuthenticatorCredentials verifier = getTotpAuthenticator(authenticationContext, authenticationContext.getTenantDomain());
        return verifier.authorize(secretKey, i);
    }

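    /**
     * Records a failed TOTP verification for a local user and locks the account once the
     * configured maximum is reached.
     * <p>
     * Nothing happens for federated users, when TOTP account locking is disabled, or when the
     * account is already locked. The account-lock connector configuration supplies whether
     * locking on failure is enabled, the maximum failed attempts, the lock duration (minutes)
     * and the escalation ratio applied per previous lockout. Below the maximum, only the failed
     * attempt counter is incremented. At the maximum, the account is locked until
     * {@code now + lockTime * ratio^lockoutCount}, the counters are updated, and the lock reason
     * is recorded; the attempt then fails with an account-locked message.
     * <p>
     * The property switch was reconstructed from decompiled output that did not compile
     * (boolean switch labels and missing breaks); the mapping follows the decompiler's
     * hash-code cases in order.
     *
     * @param authenticationContext current authentication context
     * @throws AuthenticationFailedException when the account gets locked by this failure, or
     *                                       when user claims cannot be read or written
     */
    private void handleTotpVerificationFail(AuthenticationContext authenticationContext) throws AuthenticationFailedException {
        AuthenticatedUser authenticatedUser = (AuthenticatedUser) authenticationContext.getProperty(TOTPAuthenticatorConstants.AUTHENTICATED_USER);
        if (!TOTPUtil.isLocalUser(authenticationContext)
                || !TOTPUtil.isAccountLockingEnabledForTotp()
                || TOTPUtil.isAccountLocked(authenticatedUser.getUserName(), authenticatedUser.getTenantDomain(), authenticatedUser.getUserStoreDomain())) {
            return;
        }
        int maxFailedAttempts = 0;
        long unlockTimeMinutes = 0;
        double unlockTimeRatio = 1.0d;
        for (Property property : TOTPUtil.getAccountLockConnectorConfigs(authenticatedUser.getTenantDomain())) {
            String value = property.getValue();
            switch (property.getName()) {
                case TOTPAuthenticatorConstants.PROPERTY_ACCOUNT_LOCK_ON_FAILURE:
                    // Locking on failure disabled by the tenant: do not count attempts at all.
                    if (!Boolean.parseBoolean(value)) {
                        return;
                    }
                    break;
                case TOTPAuthenticatorConstants.PROPERTY_ACCOUNT_LOCK_ON_FAILURE_MAX:
                    if (NumberUtils.isNumber(value)) {
                        maxFailedAttempts = Integer.parseInt(value);
                    }
                    break;
                case TOTPAuthenticatorConstants.PROPERTY_ACCOUNT_LOCK_TIME:
                    if (NumberUtils.isNumber(value)) {
                        unlockTimeMinutes = Integer.parseInt(value);
                    }
                    break;
                case TOTPAuthenticatorConstants.PROPERTY_LOGIN_FAIL_TIMEOUT_RATIO:
                    if (NumberUtils.isNumber(value)) {
                        double ratio = Double.parseDouble(value);
                        // Non-positive ratios would shrink or zero the lock time; keep the default instead.
                        if (ratio > 0.0d) {
                            unlockTimeRatio = ratio;
                        }
                    }
                    break;
                default:
                    break;
            }
        }
        Map<String, String> claimValues = getUserClaimValues(authenticatedUser, new String[]{TOTPAuthenticatorConstants.TOTP_FAILED_ATTEMPTS_CLAIM, TOTPAuthenticatorConstants.FAILED_LOGIN_LOCKOUT_COUNT_CLAIM});
        if (claimValues == null) {
            claimValues = new HashMap<>();
        }
        int failedAttempts = parseCounterOrZero(claimValues.get(TOTPAuthenticatorConstants.TOTP_FAILED_ATTEMPTS_CLAIM));
        int lockoutCount = parseCounterOrZero(claimValues.get(TOTPAuthenticatorConstants.FAILED_LOGIN_LOCKOUT_COUNT_CLAIM));
        Map<String, String> updatedClaims = new HashMap<>();
        if (failedAttempts + 1 < maxFailedAttempts) {
            updatedClaims.put(TOTPAuthenticatorConstants.TOTP_FAILED_ATTEMPTS_CLAIM, String.valueOf(failedAttempts + 1));
            setUserClaimValues(authenticatedUser, updatedClaims);
            return;
        }
        // Lock duration escalates with each previous lockout: minutes * ratio^lockoutCount.
        long unlockTimeMillis = System.currentTimeMillis() + (long) (unlockTimeMinutes * 1000 * 60 * Math.pow(unlockTimeRatio, lockoutCount));
        updatedClaims.put(TOTPAuthenticatorConstants.ACCOUNT_LOCKED_CLAIM, Boolean.TRUE.toString());
        updatedClaims.put(TOTPAuthenticatorConstants.TOTP_FAILED_ATTEMPTS_CLAIM, "0");
        updatedClaims.put(TOTPAuthenticatorConstants.ACCOUNT_UNLOCK_TIME_CLAIM, String.valueOf(unlockTimeMillis));
        updatedClaims.put(TOTPAuthenticatorConstants.FAILED_LOGIN_LOCKOUT_COUNT_CLAIM, String.valueOf(lockoutCount + 1));
        updatedClaims.put(TOTPAuthenticatorConstants.ACCOUNT_LOCKED_REASON_CLAIM_URI, TOTPAuthenticatorConstants.MAX_TOTP_ATTEMPTS_EXCEEDED);
        // Presumably marks the lock as system-initiated (not admin-initiated) for downstream handlers — confirm.
        ((Map) IdentityUtil.threadLocalProperties.get()).put(TOTPAuthenticatorConstants.ADMIN_INITIATED, false);
        setUserClaimValues(authenticatedUser, updatedClaims);
        String loggedUsername = LoggerUtils.isLogMaskingEnable ? LoggerUtils.getMaskedContent(authenticatedUser.getUserName()) : authenticatedUser.getUserName();
        String message = String.format("User account: %s is locked.", loggedUsername);
        setAuthenticatorMessageToContext(getAuthenticatorMessage(message, null), authenticationContext);
        IdentityUtil.setIdentityErrorMsg(new IdentityErrorMsgContext("17003:MAX_TOTP_ATTEMPTS_EXCEEDED"));
        throw new AuthenticationFailedException(message);
    }

    /**
     * Parses a claim-held counter, treating a missing or non-numeric value as zero.
     * Mirrors the original {@code NumberUtils.isNumber} guard followed by {@code Integer.parseInt}.
     *
     * @param value claim value, may be {@code null}
     * @return the parsed counter, or 0
     */
    private static int parseCounterOrZero(String value) {
        return NumberUtils.isNumber(value) ? Integer.parseInt(value) : 0;
    }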

    /**
     * Wraps a message into an ERROR-typed authenticator message with code {@code 17003}
     * (the code this class uses for account-locked failures).
     *
     * @param str message text
     * @param map optional additional context for the message, may be {@code null}
     * @return the authenticator message
     */
    private static AuthenticatorMessage getAuthenticatorMessage(String str, Map<String, String> map) {
        return new AuthenticatorMessage(FrameworkConstants.AuthenticatorMessageType.ERROR, "17003", str, map);
    }

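    /**
     * Resets the user's failed TOTP attempt counter to zero after a successful verification.
     * <p>
     * Only applies to local users when TOTP account locking is enabled and the tenant's
     * account-lock connector has locking on failure turned on. The claim is only written when
     * the current counter is a positive number, to avoid a needless user store update.
     *
     * @param authenticationContext current authentication context
     * @throws AuthenticationFailedException if the counter cannot be read or reset
     */
    private void resetTotpFailedAttempts(AuthenticationContext authenticationContext) throws AuthenticationFailedException {
        if (!TOTPUtil.isLocalUser(authenticationContext) || !TOTPUtil.isAccountLockingEnabledForTotp()) {
            return;
        }
        AuthenticatedUser authenticatedUser = (AuthenticatedUser) authenticationContext.getProperty(TOTPAuthenticatorConstants.AUTHENTICATED_USER);
        for (Property property : TOTPUtil.getAccountLockConnectorConfigs(authenticatedUser.getTenantDomain())) {
            if (TOTPAuthenticatorConstants.PROPERTY_ACCOUNT_LOCK_ON_FAILURE.equals(property.getName()) && !Boolean.parseBoolean(property.getValue())) {
                return;
            }
        }
        String fullQualifiedUsername = authenticatedUser.toFullQualifiedUsername();
        String domainQualifiedUsername = IdentityUtil.addDomainToName(authenticatedUser.getUserName(), authenticatedUser.getUserStoreDomain());
        try {
            UserStoreManager userStoreManager = TOTPUtil.getUserRealm(fullQualifiedUsername).getUserStoreManager();
            Map<String, String> claimValues = userStoreManager.getUserClaimValues(domainQualifiedUsername, new String[]{TOTPAuthenticatorConstants.TOTP_FAILED_ATTEMPTS_CLAIM}, "default");
            // A null claim map is treated as "no counter" instead of throwing a NullPointerException.
            String failedAttempts = claimValues != null ? claimValues.get(TOTPAuthenticatorConstants.TOTP_FAILED_ATTEMPTS_CLAIM) : null;
            if (NumberUtils.isNumber(failedAttempts) && Integer.parseInt(failedAttempts) > 0) {
                Map<String, String> resetClaims = new HashMap<>();
                resetClaims.put(TOTPAuthenticatorConstants.TOTP_FAILED_ATTEMPTS_CLAIM, "0");
                userStoreManager.setUserClaimValues(domainQualifiedUsername, resetClaims, "default");
            }
        } catch (UserStoreException e) {
            if (log.isDebugEnabled()) {
                log.debug("Error while resetting failed TOTP attempts count for user: " + fullQualifiedUsername, e);
            }
            throw new AuthenticationFailedException("Failed to reset failed attempts count for user : " + (LoggerUtils.isLogMaskingEnable ? LoggerUtils.getMaskedContent(fullQualifiedUsername) : fullQualifiedUsername), e);
        }
    }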

    /**
     * Reads the requested claims of the user from its user store (profile {@code "default"}).
     *
     * @param authenticatedUser user whose claims are read
     * @param strArr            claim URIs to read
     * @return the claim values keyed by claim URI, as returned by the user store manager
     *         (may be {@code null} — see callers, which null-check the result)
     * @throws AuthenticationFailedException if the user realm cannot be resolved or the store cannot be read
     */
    private Map<String, String> getUserClaimValues(AuthenticatedUser authenticatedUser, String[] strArr) throws AuthenticationFailedException {
        String username = authenticatedUser.getUserName();
        try {
            UserStoreManager userStoreManager = TOTPUtil.getUserRealm(authenticatedUser.toFullQualifiedUsername()).getUserStoreManager();
            String domainQualifiedUsername = IdentityUtil.addDomainToName(username, authenticatedUser.getUserStoreDomain());
            return userStoreManager.getUserClaimValues(domainQualifiedUsername, strArr, "default");
        } catch (UserStoreException e) {
            if (log.isDebugEnabled()) {
                log.debug("Error while reading user claims of user: " + username, e);
            }
            String loggedUsername = LoggerUtils.isLogMaskingEnable ? LoggerUtils.getMaskedContent(username) : username;
            throw new AuthenticationFailedException("Failed to read user claims for user : " + loggedUsername, e);
        }
    }

    /**
     * Writes the given claims for the user to its user store (profile {@code "default"}).
     *
     * @param authenticatedUser user whose claims are updated
     * @param map               claim URI to value mapping to persist
     * @throws AuthenticationFailedException if the user realm cannot be resolved or the store cannot be updated
     */
    private void setUserClaimValues(AuthenticatedUser authenticatedUser, Map<String, String> map) throws AuthenticationFailedException {
        String username = authenticatedUser.getUserName();
        try {
            UserStoreManager userStoreManager = TOTPUtil.getUserRealm(authenticatedUser.toFullQualifiedUsername()).getUserStoreManager();
            String domainQualifiedUsername = IdentityUtil.addDomainToName(username, authenticatedUser.getUserStoreDomain());
            userStoreManager.setUserClaimValues(domainQualifiedUsername, map, "default");
        } catch (UserStoreException e) {
            if (log.isDebugEnabled()) {
                log.debug("Error while updating user claims of user: " + username, e);
            }
            String loggedUsername = LoggerUtils.isLogMaskingEnable ? LoggerUtils.getMaskedContent(username) : username;
            throw new AuthenticationFailedException("Failed to update user claims for user : " + loggedUsername, e);
        }
    }

    /**
     * Tells whether just-in-time provisioning is enabled for the identity provider the user was
     * federated from.
     *
     * @param authenticatedUser federated user; its federated IdP name selects the provider
     * @param str               tenant domain the provider is looked up in
     * @return {@code true} when the provider has a JIT provisioning config with provisioning enabled;
     *         {@code false} when the config is absent or disabled
     * @throws AuthenticationFailedException if the identity provider cannot be resolved
     */
    private boolean isJitProvisioningEnabled(AuthenticatedUser authenticatedUser, String str) throws AuthenticationFailedException {
        String idpName = authenticatedUser.getFederatedIdPName();
        JustInTimeProvisioningConfig jitConfig = getIdentityProvider(idpName, str).getJustInTimeProvisioningConfig();
        if (jitConfig == null) {
            if (log.isDebugEnabled()) {
                log.debug(String.format("No JIT provisioning configs for idp: %s in tenant: %s", idpName, str));
            }
            return false;
        }
        return jitConfig.isProvisioningEnabled();
    }

    /**
     * Resolves the user store the identity provider provisions federated users into.
     *
     * @param authenticatedUser federated user; its federated IdP name selects the provider
     * @param str               tenant domain the provider is looked up in
     * @return the provisioning user store name from the JIT config, or {@code null} when the
     *         provider has no JIT provisioning config
     * @throws AuthenticationFailedException if the identity provider cannot be resolved
     */
    private String getFederatedUserStoreDomain(AuthenticatedUser authenticatedUser, String str) throws AuthenticationFailedException {
        String idpName = authenticatedUser.getFederatedIdPName();
        JustInTimeProvisioningConfig jitConfig = getIdentityProvider(idpName, str).getJustInTimeProvisioningConfig();
        boolean debug = log.isDebugEnabled();
        if (jitConfig == null) {
            if (debug) {
                log.debug(String.format("No JIT provisioning configs for idp: %s in tenant: %s", idpName, str));
            }
            return null;
        }
        String provisioningUserStore = jitConfig.getProvisioningUserStore();
        if (debug) {
            log.debug(String.format("Setting userstore: %s as the provisioning userstore for user: %s in tenant: %s", provisioningUserStore, authenticatedUser.getUserName(), str));
        }
        return provisioningUserStore;
    }

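    /**
     * Looks up an identity provider by name in a tenant.
     *
     * @param str  identity provider name
     * @param str2 tenant domain
     * @return the identity provider, never {@code null}
     * @throws AuthenticationFailedException if no provider with that name exists in the tenant,
     *                                       or the lookup itself fails
     */
    private IdentityProvider getIdentityProvider(String str, String str2) throws AuthenticationFailedException {
        String errorMessage = String.format(TOTPAuthenticatorConstants.ErrorMessages.ERROR_CODE_INVALID_FEDERATED_AUTHENTICATOR.getMessage(), str, str2);
        IdentityProvider identityProvider;
        try {
            identityProvider = TOTPDataHolder.getInstance().getIdpManager().getIdPByName(str, str2);
        } catch (IdentityProviderManagementException e) {
            // Keep the cause: the original dropped it, hiding the management-layer failure from logs.
            throw new AuthenticationFailedException(errorMessage, e);
        }
        if (identityProvider == null) {
            throw new AuthenticationFailedException(errorMessage);
        }
        return identityProvider;
    }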

    /**
     * Resolves the local username to use for TOTP: the user's own name for local users, or the
     * local account associated with the logged-in federated user otherwise.
     *
     * @param authenticatedUser     user from the previous step
     * @param authenticationContext current authentication context
     * @return the local username, or {@code null} when a federated user has no associated local account
     * @throws AuthenticationFailedException if the user is federated but no federated user is logged in
     */
    private String getMappedLocalUsername(AuthenticatedUser authenticatedUser, AuthenticationContext authenticationContext) throws AuthenticationFailedException {
        if (!authenticatedUser.isFederatedUser()) {
            return authenticatedUser.getUserName();
        }
        String federatedUsername = FederatedAuthenticatorUtil.getLoggedInFederatedUser(authenticationContext);
        if (StringUtils.isBlank(federatedUsername)) {
            // NOTE(review): the code is taken from ERROR_CODE_NO_AUTHENTICATED_USER while the message is
            // ERROR_CODE_NO_FEDERATED_USER's; kept as-is, confirm this pairing is intended.
            throw new AuthenticationFailedException(TOTPAuthenticatorConstants.ErrorMessages.ERROR_CODE_NO_AUTHENTICATED_USER.getCode(), TOTPAuthenticatorConstants.ErrorMessages.ERROR_CODE_NO_FEDERATED_USER.getMessage());
        }
        String tenantAwareFederatedUsername = MultitenantUtils.getTenantAwareUsername(federatedUsername);
        String associatedLocalUsername = FederatedAuthenticatorUtil.getLocalUsernameAssociatedWithFederatedUser(tenantAwareFederatedUsername, authenticationContext);
        return StringUtils.isNotBlank(associatedLocalUsername) ? associatedLocalUsername : null;
    }

    /**
     * Decides which user object the TOTP step operates on.
     * <p>
     * Local users are returned unchanged. Federated users are only accepted when JIT
     * provisioning is enabled for their identity provider; on the initial federation attempt
     * the context is flagged ({@code IS_INITIAL_FEDERATED_USER_ATTEMPT}) and the original user
     * is returned, otherwise a copy pointing at the mapped local username and the provisioning
     * user store is returned.
     *
     * @param authenticationContext current authentication context
     * @param authenticatedUser     user from the previous step
     * @param str                   mapped local username to apply to the federated user's copy
     * @param str2                  tenant domain
     * @param z                     whether this is the initial federation attempt (assumed from its use — confirm)
     * @return the user to authenticate
     * @throws AuthenticationFailedException if the user is federated and JIT provisioning is not enabled
     */
    private AuthenticatedUser resolveAuthenticatingUser(AuthenticationContext authenticationContext, AuthenticatedUser authenticatedUser, String str, String str2, boolean z) throws AuthenticationFailedException {
        if (!authenticatedUser.isFederatedUser()) {
            return authenticatedUser;
        }
        if (!isJitProvisioningEnabled(authenticatedUser, str2)) {
            TOTPAuthenticatorConstants.ErrorMessages error = TOTPAuthenticatorConstants.ErrorMessages.ERROR_CODE_INVALID_FEDERATED_USER_AUTHENTICATION;
            throw new AuthenticationFailedException(error.getCode(), error.getMessage());
        }
        if (z) {
            authenticationContext.setProperty(TOTPAuthenticatorConstants.IS_INITIAL_FEDERATED_USER_ATTEMPT, true);
            return authenticatedUser;
        }
        AuthenticatedUser mappedUser = new AuthenticatedUser(authenticatedUser);
        mappedUser.setUserName(str);
        mappedUser.setUserStoreDomain(getFederatedUserStoreDomain(authenticatedUser, str2));
        return mappedUser;
    }

    /**
     * Reads the {@code IS_INITIAL_FEDERATED_USER_ATTEMPT} flag from the context.
     *
     * @param authenticationContext current authentication context
     * @return {@code true} only when the property is set and its string form parses as true
     */
    private boolean isInitialFederationAttempt(AuthenticationContext authenticationContext) {
        Object flag = authenticationContext.getProperty(TOTPAuthenticatorConstants.IS_INITIAL_FEDERATED_USER_ATTEMPT);
        return flag != null && Boolean.parseBoolean(flag.toString());
    }

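    /**
     * Collects application identifiers for diagnostic output.
     *
     * @param authenticationContext current authentication context
     * @return a mutable map with {@code "app id"} and {@code "application name"} entries for
     *         whichever values are available; empty when neither is
     */
    private Map<String, String> getApplicationDetails(AuthenticationContext authenticationContext) {
        // Typed map instead of a raw HashMap.
        Map<String, String> applicationDetails = new HashMap<>();
        FrameworkUtils.getApplicationResourceId(authenticationContext).ifPresent(appId -> applicationDetails.put("app id", appId));
        FrameworkUtils.getApplicationName(authenticationContext).ifPresent(appName -> applicationDetails.put("application name", appName));
        return applicationDetails;
    }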

    /**
     * Returns the user id of the authenticated user when one can be resolved.
     *
     * @param authenticatedUser user, may be {@code null}
     * @return the user id, or empty when the user is {@code null}, has no id, or the id lookup
     *         throws {@link UserIdNotFoundException} (logged at debug level)
     */
    private Optional<String> getUserId(AuthenticatedUser authenticatedUser) {
        if (authenticatedUser == null) {
            return Optional.empty();
        }
        try {
            return Optional.ofNullable(authenticatedUser.getUserId());
        } catch (UserIdNotFoundException e) {
            log.debug("Error while getting the user id from the authenticated user.", e);
            return Optional.empty();
        }
    }

    /**
     * Returns the i18n key used to localise this authenticator's display name.
     *
     * @return {@code TOTPAuthenticatorConstants.AUTHENTICATOR_TOTP}
     */
    public String getI18nKey() {
        return TOTPAuthenticatorConstants.AUTHENTICATOR_TOTP;
    }
}
