package org.wso2.carbon.identity.application.authenticator.basicauth;

import java.io.IOException;
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator;
import org.wso2.carbon.identity.application.authentication.framework.AuthenticatorFlowStatus;
import org.wso2.carbon.identity.application.authentication.framework.LocalApplicationAuthenticator;
import org.wso2.carbon.identity.application.authentication.framework.config.ConfigurationFacade;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException;
import org.wso2.carbon.identity.application.authentication.framework.exception.InvalidCredentialsException;
import org.wso2.carbon.identity.application.authentication.framework.exception.LogoutFailedException;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.authenticator.basicauth.internal.BasicAuthenticatorDataHolder;
import org.wso2.carbon.identity.application.authenticator.basicauth.internal.BasicAuthenticatorServiceComponent;
import org.wso2.carbon.identity.application.common.model.Property;
import org.wso2.carbon.identity.application.common.model.User;
import org.wso2.carbon.identity.base.IdentityRuntimeException;
import org.wso2.carbon.identity.captcha.connector.recaptcha.SSOLoginReCaptchaConfig;
import org.wso2.carbon.identity.core.model.IdentityErrorMsgContext;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.governance.IdentityGovernanceException;
import org.wso2.carbon.user.api.UserRealm;
import org.wso2.carbon.user.core.UserStoreException;
import org.wso2.carbon.user.core.UserStoreManager;
import org.wso2.carbon.user.core.util.UserCoreUtil;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/identity/application/authenticator/basicauth/BasicAuthenticator.class */
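/**
 * Username/password ("basic") local authenticator.
 *
 * <p>The flow has two halves driven by the framework:
 * <ul>
 *   <li>{@link #initiateAuthenticationRequest} redirects the browser to the login page. On a
 *       retry it reads the per-thread {@code IdentityErrorMsgContext} left behind by the failed
 *       user-store call and turns it into query parameters ({@code errorCode}, failed username,
 *       remaining attempts, locked reason ...) so the login page can explain the failure.</li>
 *   <li>{@link #processAuthenticationResponse} takes the submitted credentials, authenticates them
 *       against the user's tenant user store and, on success, sets the context subject.</li>
 * </ul>
 *
 * <p>This listing is decompiled: the local names {@code str}, {@code str2}, ... are the
 * decompiler's, not the author's. The comments below name what each one holds.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The submitted password is stored in the authentication context under
 *       {@link #PASSWORD_PROPERTY} before the user store is consulted and is only removed by
 *       the next call to {@link #initiateAuthenticationRequest} (i.e. on a retry). Nothing in this
 *       class removes it on the success path.</li>
 *   <li>For error code 17007 the stored password is sent back to the browser as the
 *       {@code confirmation} query parameter of a password-reset redirect.</li>
 *   <li>Error code 17001 can be masked as 17002 ({@code maskUserNotExistsErrorCode}) and 17006 as
 *       17002 ({@code maskAdminForcedPasswordResetErrorCode}) so the login page shows the generic
 *       {@code login.fail.message} instead of a more specific one.</li>
 * </ul>
 */
public class BasicAuthenticator extends AbstractApplicationAuthenticator implements LocalApplicationAuthenticator {
    private static final long serialVersionUID = 1819664539416029785L;
    /** Context-property key under which the submitted password is parked between the two phases. */
    private static final String PASSWORD_PROPERTY = "PASSWORD_PROPERTY";
    /** Relative redirect target used for the admin-forced password reset case (error code 17007). */
    private static final String PASSWORD_RESET_ENDPOINT = "accountrecoveryendpoint/confirmrecovery.do?";
    private static final Log log = LogFactory.getLog(BasicAuthenticator.class);
    /**
     * Key in {@code IdentityUtil.threadLocalProperties} where a user-store domain for the failed
     * user may be published; it is only ever read here, so it is a constant (was a mutable static).
     */
    private static final String RE_CAPTCHA_USER_DOMAIN = "user-domain-recaptcha";
    /**
     * Error query parameters to drop from the redirect ({@code errorParamsToOmit} authenticator
     * config). NOTE(review): this is instance state written on every initiate call from shared
     * configuration; the authenticator instance is presumably shared across requests -- confirm
     * the value cannot differ between requests.
     */
    private List<String> omittingErrorParams = null;

    /**
     * This authenticator handles a request only when both a username and a password parameter
     * are present.
     *
     * @param httpServletRequest the incoming request
     * @return {@code true} if both credential parameters are present (possibly empty), else {@code false}
     */
    public boolean canHandle(HttpServletRequest httpServletRequest) {
        return (httpServletRequest.getParameter(BasicAuthenticatorConstants.USER_NAME) == null || httpServletRequest.getParameter(BasicAuthenticatorConstants.PASSWORD) == null) ? false : true;
    }

    /**
     * Logout requests need no work here and complete immediately; everything else is delegated to
     * the framework's default processing, which calls the two protected phase methods below.
     *
     * @throws AuthenticationFailedException propagated from the framework / phase methods
     * @throws LogoutFailedException         propagated from the framework
     */
    public AuthenticatorFlowStatus process(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationContext authenticationContext) throws AuthenticationFailedException, LogoutFailedException {
        return authenticationContext.isLogoutRequest() ? AuthenticatorFlowStatus.SUCCESS_COMPLETED : super.process(httpServletRequest, httpServletResponse, authenticationContext);
    }

    /**
     * Builds the login-page redirect URL and sends it.
     *
     * <p>Decompiled local legend: {@code str2} = {@code showAuthFailureReason} config,
     * {@code str3} = {@code maskUserNotExistsErrorCode}, {@code str4} =
     * {@code maskAdminForcedPasswordResetErrorCode}, {@code str6} = password submitted in the
     * previous (failed) attempt, {@code str9} = generic {@code authFailure} query fragment,
     * {@code str} = the final redirect target.
     *
     * @throws AuthenticationFailedException if the redirect cannot be written (or URL-encoding fails,
     *                                       which surfaces as an {@link IOException})
     */
    protected void initiateAuthenticationRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationContext authenticationContext) throws AuthenticationFailedException {
        String str;
        Map parameterMap = getAuthenticatorConfig().getParameterMap();
        String str2 = null;
        String str3 = null;
        String str4 = null;
        if (parameterMap != null) {
            str2 = (String) parameterMap.get(BasicAuthenticatorConstants.CONF_SHOW_AUTH_FAILURE_REASON);
            if (log.isDebugEnabled()) {
                log.debug("showAuthFailureReason has been set as : " + str2);
            }
            // The masking and omit-list options are only consulted when failure reasons are shown at all.
            if (Boolean.parseBoolean(str2)) {
                str3 = (String) parameterMap.get(BasicAuthenticatorConstants.CONF_MASK_USER_NOT_EXISTS_ERROR_CODE);
                if (log.isDebugEnabled()) {
                    log.debug("maskUserNotExistsErrorCode has been set as : " + str3);
                }
                String str5 = (String) parameterMap.get(BasicAuthenticatorConstants.CONF_ERROR_PARAMS_TO_OMIT);
                if (log.isDebugEnabled()) {
                    log.debug("errorParamsToOmit has been set as : " + str5);
                }
                if (StringUtils.isNotBlank(str5)) {
                    // Comma-separated list; spaces are stripped before splitting.
                    this.omittingErrorParams = new ArrayList(Arrays.asList(str5.replaceAll(" ", "").split(",")));
                }
            }
            str4 = (String) parameterMap.get(BasicAuthenticatorConstants.CONF_MASK_ADMIN_FORCED_PASSWORD_RESET_ERROR_CODE);
            if (log.isDebugEnabled()) {
                log.debug("maskAdminForcedPasswordResetErrorCode has been set as : " + str4);
            }
        }
        String authenticationEndpointURL = ConfigurationFacade.getInstance().getAuthenticationEndpointURL();
        String authenticationEndpointRetryURL = ConfigurationFacade.getInstance().getAuthenticationEndpointRetryURL();
        String contextIdIncludedQueryParams = authenticationContext.getContextIdIncludedQueryParams();
        // Password parked by processAuthenticationResponse on the failed attempt; cleared here so it does
        // not linger in the (cached) context. It is still needed below for the 17007 redirect.
        String str6 = (String) authenticationContext.getProperty(PASSWORD_PROPERTY);
        authenticationContext.getProperties().remove(PASSWORD_PROPERTY);
        Map runtimeParams = getRuntimeParams(authenticationContext);
        if (runtimeParams != null) {
            String str7 = null;
            String str8 = (String) runtimeParams.get(BasicAuthenticatorConstants.USER_NAME);
            // A username supplied by a previous (identifier-first) step is passed to the login page
            // as an endpoint param and flagged with inputType=idf.
            if (str8 != null) {
                str7 = "idf";
            }
            if ("idf".equalsIgnoreCase(str7)) {
                contextIdIncludedQueryParams = contextIdIncludedQueryParams + "&inputType=" + str7;
                authenticationContext.addEndpointParam(BasicAuthenticatorConstants.USER_NAME, str8);
            }
        }
        try {
            String str9 = "";
            if (authenticationContext.isRetrying()) {
                // InvalidEmailUsername is a one-shot flag: read, then reset to false.
                if (authenticationContext.getProperty("InvalidEmailUsername") == null || !((Boolean) authenticationContext.getProperty("InvalidEmailUsername")).booleanValue()) {
                    str9 = "&authFailure=true&authFailureMsg=login.fail.message";
                } else {
                    str9 = "&authFailure=true&authFailureMsg=emailusername.fail.message";
                    authenticationContext.setProperty("InvalidEmailUsername", false);
                }
            }
            // Tenant mismatch overrides whatever str9 held; also a one-shot flag.
            if (authenticationContext.getProperty("UserTenantDomainMismatch") != null && ((Boolean) authenticationContext.getProperty("UserTenantDomainMismatch")).booleanValue()) {
                str9 = "&authFailure=true&authFailureMsg=user.tenant.domain.mismatch.message";
                authenticationContext.setProperty("UserTenantDomainMismatch", false);
            }
            // The error context is thread-local and is consumed (cleared) as soon as it is read.
            IdentityErrorMsgContext identityErrorMsg = IdentityUtil.getIdentityErrorMsg();
            IdentityUtil.clearIdentityErrorMsg();
            if (identityErrorMsg == null || identityErrorMsg.getErrorCode() == null) {
                if (log.isDebugEnabled()) {
                    log.debug("Identity error message context is null");
                }
                str = authenticationEndpointURL + "?" + contextIdIncludedQueryParams + BasicAuthenticatorConstants.AUTHENTICATORS + getName() + ":" + BasicAuthenticatorConstants.LOCAL + str9;
            } else {
                if (log.isDebugEnabled()) {
                    log.debug("Identity error message context is not null");
                }
                String errorCode = identityErrorMsg.getErrorCode();
                // 17005: account confirmation pending. The failed username may be prefixed with a
                // user-store domain published in the thread-local map.
                if (errorCode.equals("17005")) {
                    String parameter = httpServletRequest.getParameter(BasicAuthenticatorConstants.USER_NAME);
                    Object obj = ((Map) IdentityUtil.threadLocalProperties.get()).get(RE_CAPTCHA_USER_DOMAIN);
                    if (obj != null) {
                        parameter = IdentityUtil.addDomainToName(parameter, obj.toString());
                    }
                    str = authenticationEndpointURL + "?" + contextIdIncludedQueryParams + BasicAuthenticatorConstants.FAILED_USERNAME + URLEncoder.encode(parameter, BasicAuthenticatorConstants.UTF_8) + BasicAuthenticatorConstants.ERROR_CODE + errorCode + BasicAuthenticatorConstants.AUTHENTICATORS + getName() + ":" + BasicAuthenticatorConstants.LOCAL + "&authFailure=true&authFailureMsg=account.confirmation.pending";
                } else if (errorCode.equals("17006")) {
                    // 17006: password reset pending. Optionally masked as a plain 17002 failure so the
                    // page cannot distinguish this state from a wrong password.
                    String str10 = "&authFailure=true&authFailureMsg=password.reset.pending";
                    if (Boolean.parseBoolean(str4)) {
                        errorCode = "17002";
                        if (log.isDebugEnabled()) {
                            log.debug("Masking password reset pending error code: 17006 with error code: " + errorCode);
                        }
                        str10 = "&authFailure=true&authFailureMsg=login.fail.message";
                    }
                    str = authenticationEndpointURL + "?" + contextIdIncludedQueryParams + BasicAuthenticatorConstants.FAILED_USERNAME + URLEncoder.encode(httpServletRequest.getParameter(BasicAuthenticatorConstants.USER_NAME), BasicAuthenticatorConstants.UTF_8) + BasicAuthenticatorConstants.ERROR_CODE + errorCode + BasicAuthenticatorConstants.AUTHENTICATORS + getName() + ":" + BasicAuthenticatorConstants.LOCAL + str10;
                } else if (errorCode.equals("17007")) {
                    // 17007: redirect to the account-recovery endpoint. The password the user just
                    // submitted (str6) is passed as the confirmation code in the query string.
                    // NOTE(review): that value therefore lands in browser history and any proxy/access
                    // logs; presumably acceptable only because it is a one-time temporary password.
                    String parameter2 = httpServletRequest.getParameter(BasicAuthenticatorConstants.USER_NAME);
                    str = PASSWORD_RESET_ENDPOINT + contextIdIncludedQueryParams + BasicAuthenticatorConstants.USER_NAME_PARAM + URLEncoder.encode(parameter2, BasicAuthenticatorConstants.UTF_8) + BasicAuthenticatorConstants.TENANT_DOMAIN_PARAM + URLEncoder.encode(MultitenantUtils.getTenantDomain(parameter2), BasicAuthenticatorConstants.UTF_8) + BasicAuthenticatorConstants.CONFIRMATION_PARAM + URLEncoder.encode(str6, BasicAuthenticatorConstants.UTF_8);
                } else if ("true".equals(str2)) {
                    // Detailed failure reasons are enabled. 17001 is optionally rewritten to 17002 (the
                    // config name suggests this is to hide whether the user exists).
                    if (Boolean.parseBoolean(str3) && StringUtils.contains(errorCode, "17001")) {
                        errorCode = "17002";
                        if (log.isDebugEnabled()) {
                            log.debug("Masking user not found error code: 17001 with error code: " + errorCode);
                        }
                    }
                    // Codes may carry a suffix ("CODE:reason"); str11 receives the reason part.
                    String str11 = null;
                    if (errorCode.contains(":")) {
                        String[] split = errorCode.split(":");
                        errorCode = split[0];
                        if (split.length > 1) {
                            str11 = split[1];
                        }
                    }
                    int maximumLoginAttempts = identityErrorMsg.getMaximumLoginAttempts() - identityErrorMsg.getFailedLoginAttempts();
                    if (log.isDebugEnabled()) {
                        log.debug("errorCode : " + errorCode);
                        log.debug("username : " + httpServletRequest.getParameter(BasicAuthenticatorConstants.USER_NAME));
                        log.debug("remainingAttempts : " + maximumLoginAttempts);
                    }
                    if (errorCode.equals("17002")) {
                        // Bad credentials: tell the page how many attempts remain.
                        HashMap hashMap = new HashMap();
                        hashMap.put(BasicAuthenticatorConstants.ERROR_CODE, errorCode);
                        hashMap.put(BasicAuthenticatorConstants.FAILED_USERNAME, URLEncoder.encode(httpServletRequest.getParameter(BasicAuthenticatorConstants.USER_NAME), BasicAuthenticatorConstants.UTF_8));
                        hashMap.put(BasicAuthenticatorConstants.REMAINING_ATTEMPTS, String.valueOf(maximumLoginAttempts));
                        str = authenticationEndpointURL + "?" + contextIdIncludedQueryParams + BasicAuthenticatorConstants.AUTHENTICATORS + getName() + ":" + BasicAuthenticatorConstants.LOCAL + (str9 + buildErrorParamString(hashMap));
                    } else if (errorCode.equals("17003")) {
                        // 17003 carries a LOCKED_REASON, so it appears to be the account-locked case; it goes
                        // to the retry page, not the login page. Note str11 is appended without URL-encoding.
                        HashMap hashMap2 = new HashMap();
                        hashMap2.put(BasicAuthenticatorConstants.ERROR_CODE, errorCode);
                        hashMap2.put(BasicAuthenticatorConstants.FAILED_USERNAME, URLEncoder.encode(httpServletRequest.getParameter(BasicAuthenticatorConstants.USER_NAME), BasicAuthenticatorConstants.UTF_8));
                        if (StringUtils.isNotBlank(str11)) {
                            hashMap2.put(BasicAuthenticatorConstants.LOCKED_REASON, str11);
                        }
                        if (maximumLoginAttempts == 0) {
                            hashMap2.put(BasicAuthenticatorConstants.REMAINING_ATTEMPTS, "0");
                        }
                        str = httpServletResponse.encodeRedirectURL(authenticationEndpointRetryURL + "?" + contextIdIncludedQueryParams) + buildErrorParamString(hashMap2);
                    } else if (errorCode.equals("17008")) {
                        HashMap hashMap3 = new HashMap();
                        hashMap3.put(BasicAuthenticatorConstants.ERROR_CODE, errorCode);
                        hashMap3.put(BasicAuthenticatorConstants.FAILED_USERNAME, URLEncoder.encode(httpServletRequest.getParameter(BasicAuthenticatorConstants.USER_NAME), BasicAuthenticatorConstants.UTF_8));
                        str = authenticationEndpointURL + "?" + contextIdIncludedQueryParams + buildErrorParamString(hashMap3) + BasicAuthenticatorConstants.AUTHENTICATORS + getName() + ":" + BasicAuthenticatorConstants.LOCAL + "&authFailure=true&authFailureMsg=login.fail.message";
                    } else {
                        // Any other code: pass it through with the failed username.
                        HashMap hashMap4 = new HashMap();
                        hashMap4.put(BasicAuthenticatorConstants.ERROR_CODE, errorCode);
                        hashMap4.put(BasicAuthenticatorConstants.FAILED_USERNAME, URLEncoder.encode(httpServletRequest.getParameter(BasicAuthenticatorConstants.USER_NAME), BasicAuthenticatorConstants.UTF_8));
                        str = authenticationEndpointURL + "?" + contextIdIncludedQueryParams + BasicAuthenticatorConstants.AUTHENTICATORS + getName() + ":" + BasicAuthenticatorConstants.LOCAL + (str9 + buildErrorParamString(hashMap4));
                    }
                } else {
                    // Failure reasons disabled: only the generic fragment in str9 is exposed.
                    if (log.isDebugEnabled()) {
                        log.debug("Unknown identity error code.");
                    }
                    str = authenticationEndpointURL + "?" + contextIdIncludedQueryParams + BasicAuthenticatorConstants.AUTHENTICATORS + getName() + ":" + BasicAuthenticatorConstants.LOCAL + str9;
                }
            }
            httpServletResponse.sendRedirect(str + getCaptchaParams(authenticationContext.getTenantDomain()));
        } catch (IOException e) {
            throw new AuthenticationFailedException(e.getMessage(), User.getUserFromUserName(httpServletRequest.getParameter(BasicAuthenticatorConstants.USER_NAME)), e);
        }
    }

    /**
     * Authenticates the submitted username/password against the user's tenant user store and, on
     * success, sets the authenticated subject on the context.
     *
     * <p>Order matters here: the password is parked in the context under {@link #PASSWORD_PROPERTY}
     * <em>before</em> the user store is called so that a subsequent
     * {@link #initiateAuthenticationRequest} can use it for the 17007 redirect. Nothing in this
     * method removes it afterwards. NOTE(review): on the success path the plaintext password
     * therefore remains in the context properties until something else clears it -- confirm the
     * framework does so.
     *
     * @throws InvalidCredentialsException   when the identifier-first username does not match the
     *                                       submitted one, or the user store rejects the credentials
     * @throws AuthenticationFailedException when the tenant realm cannot be resolved or the user
     *                                       store call itself fails
     */
    protected void processAuthenticationResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationContext authenticationContext) throws AuthenticationFailedException {
        String str;
        FrameworkUtils.validateUsername(httpServletRequest.getParameter(BasicAuthenticatorConstants.USER_NAME), authenticationContext);
        String preprocessUsername = FrameworkUtils.preprocessUsername(httpServletRequest.getParameter(BasicAuthenticatorConstants.USER_NAME), authenticationContext);
        String parameter = httpServletRequest.getParameter(BasicAuthenticatorConstants.PASSWORD);
        Map properties = authenticationContext.getProperties();
        if (properties == null) {
            properties = new HashMap();
            authenticationContext.setProperties(properties);
        }
        Map runtimeParams = getRuntimeParams(authenticationContext);
        // If an earlier identifier-first step fixed the username, the login form must not be able
        // to swap in a different one.
        if (runtimeParams != null && (str = (String) runtimeParams.get(BasicAuthenticatorConstants.USER_NAME)) != null && !str.equals(preprocessUsername)) {
            if (log.isDebugEnabled()) {
                log.debug("Username set for identifier first login: " + str + " and username submitted from login page" + preprocessUsername + " does not match.");
            }
            throw new InvalidCredentialsException("Credential mismatch.");
        }
        properties.put(PASSWORD_PROPERTY, parameter);
        // Start from a clean slate so a stale domain from a previous request on this thread is not reused.
        ((Map) IdentityUtil.threadLocalProperties.get()).remove(RE_CAPTCHA_USER_DOMAIN);
        try {
            int tenantIdOfUser = IdentityTenantUtil.getTenantIdOfUser(preprocessUsername);
            UserRealm tenantUserRealm = BasicAuthenticatorServiceComponent.getRealmService().getTenantUserRealm(tenantIdOfUser);
            if (tenantUserRealm == null) {
                throw new AuthenticationFailedException("Cannot find the user realm for the given tenant: " + tenantIdOfUser, User.getUserFromUserName(preprocessUsername));
            }
            UserStoreManager userStoreManager = tenantUserRealm.getUserStoreManager();
            if (!userStoreManager.authenticate(MultitenantUtils.getTenantAwareUsername(preprocessUsername), parameter)) {
                if (log.isDebugEnabled()) {
                    log.debug("User authentication failed due to invalid credentials");
                }
                // The user store may have published the domain it tried; attach it to the reported user
                // and clear the thread-local entry again.
                if (((Map) IdentityUtil.threadLocalProperties.get()).get(RE_CAPTCHA_USER_DOMAIN) != null) {
                    preprocessUsername = IdentityUtil.addDomainToName(preprocessUsername, ((Map) IdentityUtil.threadLocalProperties.get()).get(RE_CAPTCHA_USER_DOMAIN).toString());
                }
                ((Map) IdentityUtil.threadLocalProperties.get()).remove(RE_CAPTCHA_USER_DOMAIN);
                throw new InvalidCredentialsException("User authentication failed due to invalid credentials", User.getUserFromUserName(preprocessUsername));
            }
            properties.put("user-tenant-domain", MultitenantUtils.getTenantDomain(preprocessUsername));
            String prependUserStoreDomainToName = FrameworkUtils.prependUserStoreDomainToName(preprocessUsername);
            if (getAuthenticatorConfig().getParameterMap() != null) {
                // Optional: replace the subject identifier with the value of a configured claim, but only
                // when the (domain-specific) user store has MultipleAttributeEnable set.
                String str2 = (String) getAuthenticatorConfig().getParameterMap().get("UserNameAttributeClaimUri");
                if (StringUtils.isNotBlank(str2)) {
                    String domainFromThreadLocal = UserCoreUtil.getDomainFromThreadLocal();
                    if (StringUtils.isNotBlank(domainFromThreadLocal) ? Boolean.parseBoolean(userStoreManager.getSecondaryUserStoreManager(domainFromThreadLocal).getRealmConfiguration().getUserStoreProperty("MultipleAttributeEnable")) : Boolean.parseBoolean(userStoreManager.getRealmConfiguration().getUserStoreProperty("MultipleAttributeEnable"))) {
                        try {
                            if (log.isDebugEnabled()) {
                                log.debug("Searching for UserNameAttribute value for user " + prependUserStoreDomainToName + " for claim uri : " + str2);
                            }
                            String userClaimValue = userStoreManager.getUserClaimValue(MultitenantUtils.getTenantAwareUsername(prependUserStoreDomainToName), str2, (String) null);
                            if (StringUtils.isNotBlank(userClaimValue)) {
                                prependUserStoreDomainToName = FrameworkUtils.prependUserStoreDomainToName(userClaimValue) + "@" + MultitenantUtils.getTenantDomain(prependUserStoreDomainToName);
                                if (log.isDebugEnabled()) {
                                    log.debug("UserNameAttribute is found for user. Value is :  " + prependUserStoreDomainToName);
                                }
                            }
                        } catch (UserStoreException e) {
                            // Best effort: a claim lookup failure falls back to the plain username subject.
                            if (log.isDebugEnabled()) {
                                log.debug("Error while retrieving UserNameAttribute for user : " + prependUserStoreDomainToName, e);
                            }
                        }
                    } else if (log.isDebugEnabled()) {
                        log.debug("MultipleAttribute is not enabled for user store domain : " + domainFromThreadLocal + " Therefore UserNameAttribute is not retrieved");
                    }
                }
            }
            authenticationContext.setSubject(AuthenticatedUser.createLocalAuthenticatedUserFromSubjectIdentifier(prependUserStoreDomainToName));
            // Remember-me is driven purely by the checkbox value submitted with the form.
            if ("on".equals(httpServletRequest.getParameter("chkRemember"))) {
                authenticationContext.setRememberMe(true);
            }
        } catch (IdentityRuntimeException e2) {
            if (log.isDebugEnabled()) {
                log.debug("BasicAuthentication failed while trying to get the tenant ID of the user " + preprocessUsername, e2);
            }
            throw new AuthenticationFailedException(e2.getMessage(), e2);
        } catch (org.wso2.carbon.user.api.UserStoreException e3) {
            if (log.isDebugEnabled()) {
                log.debug("BasicAuthentication failed while trying to authenticate the user " + preprocessUsername, e3);
            }
            throw new AuthenticationFailedException(e3.getMessage(), e3);
        }
    }

    /** Always {@code true}: a failed attempt is presumably re-prompted by the framework rather than ending the flow. */
    protected boolean retryAuthenticationEnabled() {
        return true;
    }

    /**
     * The flow is correlated by the {@code sessionDataKey} request parameter.
     *
     * @return the parameter value, or {@code null} when absent
     */
    public String getContextIdentifier(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getParameter("sessionDataKey");
    }

    /** @return the display name from {@link BasicAuthenticatorConstants#AUTHENTICATOR_FRIENDLY_NAME} */
    public String getFriendlyName() {
        return BasicAuthenticatorConstants.AUTHENTICATOR_FRIENDLY_NAME;
    }

    /** @return the identifier from {@link BasicAuthenticatorConstants#AUTHENTICATOR_NAME} */
    public String getName() {
        return BasicAuthenticatorConstants.AUTHENTICATOR_NAME;
    }

    /**
     * Concatenates the error parameters into a query-string fragment, skipping any the deployment
     * has configured to omit. Iteration order follows the {@code HashMap}s built by the caller.
     *
     * @param map parameter-prefix (e.g. the {@code ERROR_CODE} constant) to value
     * @return the concatenated fragment, possibly empty
     */
    private String buildErrorParamString(Map<String, String> map) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> entry : map.entrySet()) {
            sb.append(filterAndAddParam(entry.getKey(), entry.getValue()));
        }
        return sb.toString();
    }

    /**
     * Returns {@code str + str2} unless the parameter name (the key with any {@code &} and
     * {@code =} stripped) is in {@link #omittingErrorParams}, in which case an empty string is
     * returned so the parameter never reaches the redirect URL.
     *
     * @param str  the parameter prefix, including its separator characters
     * @param str2 the (already encoded where required) value
     */
    private String filterAndAddParam(String str, String str2) {
        String replaceAll = str.replaceAll("&", "").replaceAll("=", "");
        if (!CollectionUtils.isNotEmpty(this.omittingErrorParams) || !this.omittingErrorParams.contains(replaceAll)) {
            return str + str2;
        }
        // Omitted: the two branches below differ only in whether the debug line is emitted.
        if (!log.isDebugEnabled()) {
            return "";
        }
        log.debug("omitting param " + replaceAll + " in the error response.");
        return "";
    }

    /**
     * Builds the reCAPTCHA query fragment when the tenant has "enable always" turned on for SSO
     * login and the captcha configuration is complete; otherwise an empty string.
     *
     * <p>Only the site key and API URL are placed in the URL; the secret key is checked for
     * presence in {@link #getCaptchaConfigs()} but never exposed.
     *
     * @param str tenant domain used to look up the governance configuration
     */
    private String getCaptchaParams(String str) {
        String str2 = "";
        try {
            Property[] configuration = BasicAuthenticatorDataHolder.getInstance().getIdentityGovernanceService().getConfiguration(new String[]{new SSOLoginReCaptchaConfig().getName() + ".enable.always"}, str);
            if (!ArrayUtils.isEmpty(configuration) && Boolean.valueOf(configuration[0].getValue()).booleanValue()) {
                Properties captchaConfigs = getCaptchaConfigs();
                if (captchaConfigs != null && !captchaConfigs.isEmpty() && Boolean.valueOf(captchaConfigs.getProperty("recaptcha.enabled")).booleanValue()) {
                    str2 = "&reCaptcha=true&reCaptchaKey=" + captchaConfigs.getProperty("recaptcha.site.key") + BasicAuthenticatorConstants.RECAPTCHA_API_PARAM + captchaConfigs.getProperty("recaptcha.api.url");
                } else if (log.isDebugEnabled()) {
                    log.debug("Recaptcha is not enabled.");
                }
            } else if (log.isDebugEnabled()) {
                log.debug("Enforcing recaptcha always for the basic authentication is not enabled.");
            }
        } catch (IdentityGovernanceException e) {
            // Deliberately fail open: a governance lookup error logs and continues without captcha.
            log.error("Error occurred while verifying the captcha configs. Proceeding the authentication request without enabling recaptcha.", e);
        }
        return str2;
    }

    /**
     * Returns the shared reCAPTCHA properties, or the same object emptied when captcha is enabled
     * but any of site key, API URL, secret key or verify URL is blank (an incomplete configuration is
     * treated as "not configured").
     *
     * <p>Note this {@code clear()} mutates the shared properties object held by the data holder.
     */
    private Properties getCaptchaConfigs() {
        Properties recaptchaConfigs = BasicAuthenticatorDataHolder.getInstance().getRecaptchaConfigs();
        if (recaptchaConfigs != null && !recaptchaConfigs.isEmpty() && Boolean.valueOf(recaptchaConfigs.getProperty("recaptcha.enabled")).booleanValue() && (StringUtils.isBlank(recaptchaConfigs.getProperty("recaptcha.site.key")) || StringUtils.isBlank(recaptchaConfigs.getProperty("recaptcha.api.url")) || StringUtils.isBlank(recaptchaConfigs.getProperty("recaptcha.secret.key")) || StringUtils.isBlank(recaptchaConfigs.getProperty("recaptcha.verify.url")))) {
            if (log.isDebugEnabled()) {
                log.debug("Empty values found for the captcha properties in the file captcha-config.properties.");
            }
            recaptchaConfigs.clear();
        }
        return recaptchaConfigs;
    }
}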
