package org.wso2.carbon.identity.authenticator.x509Certificate;

import java.io.ByteArrayInputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import org.apache.axiom.om.util.Base64;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.identity.application.authentication.framework.config.builder.FileBasedConfigurationBuilder;
import org.wso2.carbon.identity.application.authentication.framework.config.model.AuthenticatorConfig;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.handler.event.account.lock.exception.AccountLockServiceException;
import org.wso2.carbon.identity.x509Certificate.validation.CertificateValidationException;
import org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl;
import org.wso2.carbon.user.api.UserRealm;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.core.common.AbstractUserStoreManager;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/identity/authenticator/x509Certificate/X509CertificateUtil.class */
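/**
 * Static helpers shared by the X509 certificate authenticator.
 *
 * <p>Covers reading and writing the user's X509 certificate claim, checking the revocation
 * status of a presented certificate, resolving the tenant user realm, resolving the user that
 * a presented certificate belongs to, and querying the account-lock / account-disabled state.
 * The class holds no state of its own; every user-store access goes through the realm
 * resolved from the caller-supplied username.
 */
public class X509CertificateUtil {

    private static final Log log = LogFactory.getLog(X509CertificateUtil.class);

    /** Certificate type handed to {@link CertificateFactory#getInstance(String)}. */
    private static final String CERTIFICATE_TYPE = "X509";

    /**
     * Reads the certificate stored in the user's X509 certificate claim.
     *
     * @param username username as presented to the authenticator (may carry a tenant suffix)
     * @return the decoded certificate, or {@code null} when the claim is absent or empty
     * @throws AuthenticationFailedException when no realm exists for the user's tenant, the
     *         user store cannot be read, or the stored value does not parse as a certificate
     */
    public static X509Certificate getCertificate(String username) throws AuthenticationFailedException {
        UserRealm userRealm = getUserRealm(username);
        if (userRealm == null) {
            if (log.isDebugEnabled()) {
                log.debug("UserRealm is null for username: " + username);
            }
            throw new AuthenticationFailedException("Cannot find the user realm for the given tenant domain : "
                    + CarbonContext.getThreadLocalCarbonContext().getTenantDomain());
        }
        String claimUri = getClaimUri();
        try {
            Map<String, String> claims = userRealm.getUserStoreManager().getUserClaimValues(
                    MultitenantUtils.getTenantAwareUsername(username), new String[]{claimUri}, (String) null);
            // Null-guarded: whether getUserClaimValues can return null is not visible from here.
            String encodedCertificate = claims == null ? null : claims.get(claimUri);
            if (log.isDebugEnabled()) {
                log.debug("The user certificate is " + encodedCertificate);
            }
            if (StringUtils.isEmpty(encodedCertificate)) {
                return null;
            }
            return parseCertificate(Base64.decode(encodedCertificate));
        } catch (UserStoreException e) {
            throw new AuthenticationFailedException("Error while retrieving the user store manager ", e);
        } catch (CertificateException e) {
            throw new AuthenticationFailedException("Error while decoding the certificate ", e);
        }
    }

    /**
     * Stores {@code certificate} in the user's X509 certificate claim, replacing any previous value.
     *
     * @param username    username as presented to the authenticator (may carry a tenant suffix)
     * @param certificate certificate to persist; its encoded form is stored Base64-encoded
     * @return always {@code true}; every failure is reported by exception
     * @throws AuthenticationFailedException when no realm exists for the user's tenant, the claim
     *         cannot be written, or the certificate cannot be encoded
     */
    public static boolean addCertificate(String username, X509Certificate certificate)
            throws AuthenticationFailedException {
        UserRealm userRealm = getUserRealm(username);
        if (userRealm == null) {
            if (log.isDebugEnabled()) {
                log.debug("UserRealm is null for username: " + username);
            }
            throw new AuthenticationFailedException("Cannot find the user realm for the given tenant domain : "
                    + CarbonContext.getThreadLocalCarbonContext().getTenantDomain());
        }
        try {
            Map<String, String> claims = new HashMap<String, String>();
            claims.put(getClaimUri(), Base64.encode(certificate.getEncoded()));
            userRealm.getUserStoreManager().setUserClaimValues(
                    MultitenantUtils.getTenantAwareUsername(username), claims, X509CertificateConstants.DEFAULT);
            if (log.isDebugEnabled()) {
                log.debug("X509 certificate is added for user: " + username);
            }
            return true;
        } catch (UserStoreException e) {
            throw new AuthenticationFailedException("Error while retrieving the user store manager ", e);
        } catch (CertificateException e) {
            throw new AuthenticationFailedException("Error while retrieving certificate of user: " + username, e);
        }
    }

    /**
     * Validates a client certificate presented for {@code username} and, when
     * {@code selfRegistrationEnabled} is set, keeps the user's certificate claim in sync with it.
     *
     * <p>Flow:
     * <ol>
     *   <li>{@code certificateBytes} is parsed as an X.509 certificate.</li>
     *   <li>Self-registration enabled: a certificate already stored in the user's claim must be
     *       equal to the presented one, otherwise {@code false}. No user-existence check is made
     *       in this mode; whether a missing user is rejected then depends on the user store
     *       when the claim is written.</li>
     *   <li>Self-registration disabled: the user must resolve via {@link #isUserExists}; no claim
     *       is ever written in this mode.</li>
     *   <li>The revocation status is checked. A non-revoked certificate is accepted and, with
     *       self-registration enabled and no stored claim, bound to the user. A revoked
     *       certificate is rejected and, with self-registration enabled, the matching stored
     *       claim is removed.</li>
     * </ol>
     *
     * <p>NOTE(review): no chain / trust-anchor validation is performed here — only revocation
     * and equality with the stored claim. Presumably the transport layer has already verified
     * the chain; confirm before relying on this method on its own.
     *
     * @param username                username as presented to the authenticator
     * @param authenticationContext   receives an error-code property when user resolution fails
     * @param certificateBytes        encoded certificate in a form accepted by {@link CertificateFactory}
     * @param selfRegistrationEnabled whether the presented certificate may be bound to the user on
     *                                first use and unbound when revoked
     * @return {@code true} when the certificate is accepted for the user
     * @throws AuthenticationFailedException on parse, user-store or revocation-check errors, on
     *         empty input, and when the user cannot be resolved (see {@link #isUserExists})
     */
    public static boolean validateCertificate(String username, AuthenticationContext authenticationContext,
                                              byte[] certificateBytes, boolean selfRegistrationEnabled)
            throws AuthenticationFailedException {
        // Empty input previously surfaced as an NPE / parser error; report it as the documented type.
        if (certificateBytes == null || certificateBytes.length == 0) {
            throw new AuthenticationFailedException("Error while retrieving certificate ");
        }
        try {
            X509Certificate presented = parseCertificate(certificateBytes);
            // Looked up once; nothing between here and the enrolment step changes the claim.
            boolean claimExists = selfRegistrationEnabled && isCertificateExist(username);
            if (claimExists && !isUserCertificateValid(username, presented)) {
                return false;
            }
            if (!selfRegistrationEnabled && !isUserExists(username, authenticationContext)) {
                return false;
            }
            if (!isCertificateRevoked(presented)) {
                if (selfRegistrationEnabled && !claimExists) {
                    addUserCertificate(username, presented);
                }
                return true;
            }
            if (log.isDebugEnabled()) {
                log.debug("X509 certificate with serial num: " + presented.getSerialNumber() + " is revoked");
            }
            if (selfRegistrationEnabled) {
                deleteUserCertificate(username, presented);
            }
            return false;
        } catch (CertificateException e) {
            throw new AuthenticationFailedException("Error while retrieving certificate ", e);
        } catch (UserStoreException e) {
            throw new AuthenticationFailedException("Cannot find the user realm for the username: " + username, e);
        } catch (CertificateValidationException e) {
            throw new AuthenticationFailedException("Error while validating client certificate with serial num: ", e);
        }
    }

    /**
     * Tells whether the user's X509 certificate claim currently holds a certificate.
     *
     * @param username username as presented to the authenticator
     * @return {@code true} when {@link #getCertificate(String)} yields a certificate
     * @throws AuthenticationFailedException as thrown by {@link #getCertificate(String)}
     */
    public static boolean isCertificateExist(String username) throws AuthenticationFailedException {
        return getCertificate(username) != null;
    }

    /**
     * Returns the authenticator's configured parameters.
     *
     * @return the parameter map of the authenticator config, or an empty map when no config or no
     *         parameter map is provided; never {@code null}
     */
    public static Map<String, String> getX509Parameters() {
        AuthenticatorConfig config = FileBasedConfigurationBuilder.getInstance()
                .getAuthenticatorBean(X509CertificateConstants.AUTHENTICATOR_NAME);
        if (config == null) {
            if (log.isDebugEnabled()) {
                log.debug("AuthenticatorConfig is not provided for x509CertificateAuthenticator");
            }
            return Collections.<String, String>emptyMap();
        }
        Map<String, String> parameters = config.getParameterMap();
        return parameters == null ? Collections.<String, String>emptyMap() : parameters;
    }

    /**
     * Resolves the claim URI under which the user's certificate is stored.
     *
     * @return the configured {@code CLAIM_URI} parameter, or {@code CLAIM_DIALECT_URI} when unset
     */
    public static String getClaimUri() {
        String configured = getX509Parameters().get(X509CertificateConstants.CLAIM_URI);
        String claimUri = configured != null ? configured : X509CertificateConstants.CLAIM_DIALECT_URI;
        if (log.isDebugEnabled()) {
            log.debug("The X509Certificate claimUri is " + claimUri);
        }
        return claimUri;
    }

    /**
     * Resolves the user realm of the tenant encoded in {@code username}.
     *
     * @param username username whose tenant domain is derived via {@link MultitenantUtils}
     * @return the tenant's realm, or {@code null} for an empty username
     * @throws AuthenticationFailedException when the realm cannot be obtained
     */
    public static UserRealm getUserRealm(String username) throws AuthenticationFailedException {
        if (log.isDebugEnabled()) {
            log.debug("Getting userRealm for user: " + username);
        }
        if (StringUtils.isEmpty(username)) {
            return null;
        }
        try {
            String tenantDomain = MultitenantUtils.getTenantDomain(username);
            return X509CertificateRealmServiceComponent.getRealmService()
                    .getTenantUserRealm(IdentityTenantUtil.getTenantId(tenantDomain));
        } catch (UserStoreException e) {
            throw new AuthenticationFailedException("Cannot find the user realm for the username: " + username, e);
        }
    }

    /**
     * Parses a certificate from its encoded bytes using the {@value #CERTIFICATE_TYPE} factory.
     *
     * @param encoded certificate bytes in a form accepted by {@link CertificateFactory}
     * @return the parsed certificate
     * @throws CertificateException when the bytes do not parse as a certificate
     */
    private static X509Certificate parseCertificate(byte[] encoded) throws CertificateException {
        return (X509Certificate) CertificateFactory.getInstance(CERTIFICATE_TYPE)
                .generateCertificate(new ByteArrayInputStream(encoded));
    }

    /**
     * Asks the revocation validation manager whether {@code certificate} is revoked.
     *
     * @return {@code true} when the certificate is reported as revoked
     * @throws CertificateValidationException when the status cannot be determined
     */
    private static boolean isCertificateRevoked(X509Certificate certificate) throws CertificateValidationException {
        return new RevocationValidationManagerImpl().verifyRevocationStatus(certificate);
    }

    /**
     * Removes the user's certificate claim when it holds exactly the (revoked) presented certificate.
     * A claim holding a different certificate is left untouched.
     */
    private static void deleteUserCertificate(String username, X509Certificate certificate)
            throws AuthenticationFailedException {
        if (!isCertificateExist(username) || !isUserCertificateValid(username, certificate)) {
            return;
        }
        if (log.isDebugEnabled()) {
            log.debug("Provided X509 client certificate with serial num: " + certificate.getSerialNumber()
                    + " has been revoked. Removing the x509Certificate claim of the user: " + username);
        }
        deleteCertificate(username);
    }

    /**
     * Deletes the user's X509 certificate claim from the user store.
     *
     * @throws AuthenticationFailedException when no realm exists for the user's tenant or the
     *         claim cannot be deleted
     */
    private static void deleteCertificate(String username) throws AuthenticationFailedException {
        UserRealm userRealm = getUserRealm(username);
        if (userRealm == null) {
            if (log.isDebugEnabled()) {
                log.debug("UserRealm is null for username: " + username);
            }
            throw new AuthenticationFailedException("Cannot find the user realm for the given tenant domain : "
                    + CarbonContext.getThreadLocalCarbonContext().getTenantDomain());
        }
        try {
            userRealm.getUserStoreManager().deleteUserClaimValues(
                    MultitenantUtils.getTenantAwareUsername(username), new String[]{getClaimUri()},
                    X509CertificateConstants.DEFAULT);
            if (log.isDebugEnabled()) {
                log.debug("X509 certificate is deleted for user: " + username);
            }
        } catch (UserStoreException e) {
            throw new AuthenticationFailedException("Error while deleting certificate of user: " + username, e);
        }
    }

    /** Binds {@code certificate} to the user as a claim, with debug logging around the write. */
    private static void addUserCertificate(String username, X509Certificate certificate)
            throws AuthenticationFailedException {
        if (log.isDebugEnabled()) {
            log.debug("X509 Certificate with serial num: " + certificate.getSerialNumber()
                    + " does not exit for user: " + username);
        }
        addCertificate(username, certificate);
        if (log.isDebugEnabled()) {
            log.debug("Adding the X509 certificate with serial num: " + certificate.getSerialNumber()
                    + " as a user claim.");
        }
    }

    /**
     * Compares the presented certificate with the one stored in the user's claim.
     *
     * <p>{@link java.security.cert.Certificate#equals(Object)} compares the encoded forms, so two
     * certificates match only when their encodings are identical.
     *
     * @return {@code true} when a stored certificate exists and equals {@code presented};
     *         {@code false} when no certificate is stored
     */
    private static boolean isUserCertificateValid(String username, X509Certificate presented)
            throws AuthenticationFailedException {
        X509Certificate stored = getCertificate(username);
        // Guard before the debug line: the previous version dereferenced a null stored certificate there.
        if (stored == null) {
            if (log.isDebugEnabled()) {
                log.debug("No X509 certificate is stored in the user claim of user: " + username);
            }
            return false;
        }
        if (log.isDebugEnabled()) {
            log.debug("X509 certificate with serial num: " + presented.getSerialNumber()
                    + " is getting matched with the user certificate with serial num : " + stored.getSerialNumber()
                    + " in the user claim of user: " + username);
        }
        return presented.equals(stored);
    }

    /**
     * Resolves the user that {@code username} denotes, in the tenant's user realm.
     *
     * <p>With {@code SEARCH_ALL_USERSTORES} unset, the tenant-aware username must be an existing
     * user. Otherwise the user store is listed with the tenant-aware username as filter; if that
     * yields nothing, every claim URI in {@code LOGIN_CLAIM_URIS} (comma-separated) is searched
     * with the username as claim value. Exactly one match succeeds; more than one sets
     * {@code USERNAME_CONFLICT} on the context and throws; no match sets {@code USER_NOT_FOUND}
     * and throws.
     *
     * <p>NOTE(review): the first argument of {@code listUsers} is a search filter. If a username
     * derived from the certificate can contain filter wildcard characters, a single match could
     * be a different account than the literal name — confirm the caller canonicalises the
     * username before it reaches here.
     *
     * @return {@code true} when exactly one user matches; never {@code false} — every failure
     *         is thrown
     * @throws UserStoreException            when the user store cannot be queried
     * @throws AuthenticationFailedException when no user or more than one user matches
     */
    private static boolean isUserExists(String username, AuthenticationContext authenticationContext)
            throws UserStoreException, AuthenticationFailedException {
        Map<String, String> parameters = getX509Parameters();
        String tenantAwareUsername = MultitenantUtils.getTenantAwareUsername(username);
        UserRealm userRealm = getUserRealm(username);

        if (!Boolean.parseBoolean(parameters.get(X509CertificateConstants.SEARCH_ALL_USERSTORES))) {
            if (!userRealm.getUserStoreManager().isExistingUser(tenantAwareUsername)) {
                authenticationContext.setProperty(X509CertificateConstants.X509_CERTIFICATE_ERROR_CODE,
                        X509CertificateConstants.USER_NOT_FOUND);
                throw new AuthenticationFailedException(" Unable to find X509 Certificate's user in user store. ");
            }
            if (log.isDebugEnabled()) {
                log.debug("User exists with the user name: " + username);
            }
            return true;
        }

        String[] matchingUsers = userRealm.getUserStoreManager().listUsers(tenantAwareUsername, -1);
        if (matchingUsers.length == 1) {
            if (log.isDebugEnabled()) {
                log.debug("User exists with the user name: " + username);
            }
            return true;
        }
        if (matchingUsers.length > 1) {
            authenticationContext.setProperty(X509CertificateConstants.X509_CERTIFICATE_ERROR_CODE,
                    X509CertificateConstants.USERNAME_CONFLICT);
            throw new AuthenticationFailedException("Conflicting users with user name: " + username);
        }

        String loginClaimUris = parameters.get(X509CertificateConstants.LOGIN_CLAIM_URIS);
        if (loginClaimUris == null) {
            authenticationContext.setProperty(X509CertificateConstants.X509_CERTIFICATE_ERROR_CODE,
                    X509CertificateConstants.USER_NOT_FOUND);
            throw new AuthenticationFailedException("Unable to find X509 Certificate's user in user store. ");
        }
        AbstractUserStoreManager userStoreManager = (AbstractUserStoreManager) userRealm.getUserStoreManager();
        for (String loginClaimUri : loginClaimUris.split(",")) {
            // Trimmed so that "a, b" in the config does not search for the claim " b".
            String[] usersByClaim = userStoreManager.getUserList(loginClaimUri.trim(), tenantAwareUsername, (String) null);
            if (usersByClaim.length == 1) {
                return true;
            }
            if (usersByClaim.length > 1) {
                authenticationContext.setProperty(X509CertificateConstants.X509_CERTIFICATE_ERROR_CODE,
                        X509CertificateConstants.USERNAME_CONFLICT);
                throw new AuthenticationFailedException("Conflicting users with claim value: " + username);
            }
        }
        // Same outcome as the no-login-claims branch above, so report the same error code.
        authenticationContext.setProperty(X509CertificateConstants.X509_CERTIFICATE_ERROR_CODE,
                X509CertificateConstants.USER_NOT_FOUND);
        throw new AuthenticationFailedException("Unable to find X509 Certificate's user in user store. ");
    }

    /**
     * Asks the account lock service whether the given user's account is locked.
     *
     * <p>NOTE(review): a {@code null} user yields {@code false} (not locked); callers must not
     * rely on this method to reject a missing user.
     *
     * @return {@code true} when the service reports the account as locked
     * @throws AccountLockServiceException propagated from the service after debug logging
     */
    public static boolean isAccountLock(AuthenticatedUser authenticatedUser) throws AccountLockServiceException {
        if (authenticatedUser == null) {
            return false;
        }
        try {
            return X509CertificateDataHolder.getInstance().getAccountLockService()
                    .isAccountLocked(authenticatedUser.getUserName(), authenticatedUser.getTenantDomain());
        } catch (AccountLockServiceException e) {
            if (log.isDebugEnabled()) {
                log.debug("Error while calling the account lock service for user "
                        + authenticatedUser.getUserName(), e);
            }
            throw e;
        }
    }

    /**
     * Asks the account lock service whether the account named by {@code username} is locked.
     *
     * <p>The tenant domain is taken from the text after the last {@code '@'}; without one the
     * super tenant {@code "carbon.super"} is assumed. This split is done locally and does not go
     * through {@link MultitenantUtils}, unlike the other methods of this class.
     *
     * @return {@code true} when the service reports the account as locked
     * @throws AccountLockServiceException propagated from the service after debug logging
     */
    public static boolean isAccountLock(String username) throws AccountLockServiceException {
        String tenantAwareUsername = username;
        String tenantDomain = "carbon.super";
        int separator = username.lastIndexOf('@');
        if (separator >= 0) {
            tenantAwareUsername = username.substring(0, separator);
            tenantDomain = username.substring(separator + 1);
        }
        try {
            return X509CertificateDataHolder.getInstance().getAccountLockService()
                    .isAccountLocked(tenantAwareUsername, tenantDomain);
        } catch (AccountLockServiceException e) {
            if (log.isDebugEnabled()) {
                log.debug("Error while calling the account lock service for user " + tenantAwareUsername, e);
            }
            throw e;
        }
    }

    /**
     * Reads the user's {@code ACCOUNT_DISABLED_CLAIM} and interprets it as a boolean.
     *
     * <p>NOTE(review): a {@code null} user yields {@code false} (not disabled); callers must not
     * rely on this method to reject a missing user.
     *
     * @return {@code true} when the claim value parses as {@code true}
     * @throws UserStoreException propagated from the user store after debug logging
     */
    public static boolean isAccountDisabled(AuthenticatedUser authenticatedUser) throws UserStoreException {
        if (authenticatedUser == null) {
            return false;
        }
        try {
            UserRealm userRealm = X509CertificateDataHolder.getInstance().getRealmService()
                    .getTenantUserRealm(IdentityTenantUtil.getTenantId(authenticatedUser.getTenantDomain()));
            String domainQualifiedName = IdentityUtil.addDomainToName(
                    authenticatedUser.getUserName(), authenticatedUser.getUserStoreDomain());
            Map<String, String> claims = userRealm.getUserStoreManager().getUserClaimValues(domainQualifiedName,
                    new String[]{X509CertificateConstants.ACCOUNT_DISABLED_CLAIM}, X509CertificateConstants.DEFAULT);
            return Boolean.parseBoolean(claims.get(X509CertificateConstants.ACCOUNT_DISABLED_CLAIM));
        } catch (UserStoreException e) {
            if (log.isDebugEnabled()) {
                log.debug("Error while checking account disable for user " + authenticatedUser.getUserName(), e);
            }
            throw e;
        }
    }
}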
