package org.wso2.carbon.identity.application.authenticator.basicauth;

import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang.exception.ExceptionUtils;
import org.apache.commons.lang.math.NumberUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.json.simple.JSONObject;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator;
import org.wso2.carbon.identity.application.authentication.framework.AuthenticatorFlowStatus;
import org.wso2.carbon.identity.application.authentication.framework.LocalApplicationAuthenticator;
import org.wso2.carbon.identity.application.authentication.framework.config.ConfigurationFacade;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException;
import org.wso2.carbon.identity.application.authentication.framework.exception.InvalidCredentialsException;
import org.wso2.carbon.identity.application.authentication.framework.exception.LogoutFailedException;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticationFrameworkWrapper;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.authenticator.basicauth.internal.BasicAuthenticatorDataHolder;
import org.wso2.carbon.identity.application.authenticator.basicauth.internal.BasicAuthenticatorServiceComponent;
import org.wso2.carbon.identity.application.authenticator.basicauth.util.AutoLoginConstant;
import org.wso2.carbon.identity.application.authenticator.basicauth.util.AutoLoginUtilities;
import org.wso2.carbon.identity.application.authenticator.basicauth.util.BasicAuthErrorConstants;
import org.wso2.carbon.identity.application.common.model.Property;
import org.wso2.carbon.identity.application.common.model.User;
import org.wso2.carbon.identity.base.IdentityRuntimeException;
import org.wso2.carbon.identity.captcha.connector.recaptcha.SSOLoginReCaptchaConfig;
import org.wso2.carbon.identity.configuration.mgt.core.constant.ConfigurationConstants;
import org.wso2.carbon.identity.configuration.mgt.core.exception.ConfigurationManagementException;
import org.wso2.carbon.identity.core.ServiceURLBuilder;
import org.wso2.carbon.identity.core.URLBuilderException;
import org.wso2.carbon.identity.core.model.IdentityErrorMsgContext;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.governance.IdentityGovernanceException;
import org.wso2.carbon.identity.multi.attribute.login.mgt.ResolvedUserResult;
import org.wso2.carbon.identity.recovery.RecoveryScenarios;
import org.wso2.carbon.user.api.UserRealm;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.core.UserStoreClientException;
import org.wso2.carbon.user.core.common.AbstractUserStoreManager;
import org.wso2.carbon.user.core.common.AuthenticationResult;
import org.wso2.carbon.user.core.util.UserCoreUtil;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/identity/application/authenticator/basicauth/BasicAuthenticator.class */
public class BasicAuthenticator extends AbstractApplicationAuthenticator implements LocalApplicationAuthenticator {
    private static final long serialVersionUID = 1819664539416029785L;
    // Context-property key under which processAuthenticationResponse stashes the submitted password;
    // initiateAuthenticationRequest reads it back and removes it from the context.
    private static final String PASSWORD_PROPERTY = "PASSWORD_PROPERTY";
    // Relative path of the account-recovery confirmation page (the 17007 branch of
    // initiateAuthenticationRequest uses the same literal inline).
    private static final String PASSWORD_RESET_ENDPOINT = "accountrecoveryendpoint/confirmrecovery.do?";
    private static final Log log = LogFactory.getLog(BasicAuthenticator.class);
    // Not referenced in the visible portion of this class.
    private static final String RESEND_CONFIRMATION_RECAPTCHA_ENABLE = "SelfRegistration.ResendConfirmationReCaptcha";
    // Runtime-parameter keys read in processAuthenticationResponse; a "true" value appends the user
    // tenant domain / the application tenant domain to the submitted username.
    private static final String APPEND_USER_TENANT_TO_USERNAME = "appendUserTenantToUsername";
    private static final String APPEND_APP_TENANT_TO_USERNAME = "appendAppTenantToUsername";
    // Key in the IdentityUtil.threadLocalProperties map; when present, its value is the user-store
    // domain that gets prepended to the username in failure handling and redirect URLs.
    private static final String RE_CAPTCHA_USER_DOMAIN = "user-domain-recaptcha";
    // Runtime-parameter key whose value is appended verbatim to the login-page query string.
    public static final String ADDITIONAL_QUERY_PARAMS = "additionalParams";
    // Not referenced in the visible portion of this class (presumably used by setUserExistThreadLocal).
    private static final String USER_EXIST_THREAD_LOCAL_PROPERTY = "userExistThreadLocalProperty";

    /**
     * Reports whether this authenticator can process the request.
     * <p>
     * True when the login form posted both a {@code username} and a password parameter, or when an
     * auto-login cookie is present on the request.
     *
     * @param httpServletRequest the incoming request
     * @return {@code true} if credentials or an auto-login cookie are present
     */
    public boolean canHandle(HttpServletRequest httpServletRequest) {
        boolean credentialsPosted = httpServletRequest.getParameter("username") != null
                && httpServletRequest.getParameter(BasicAuthenticatorConstants.PASSWORD) != null;
        if (credentialsPosted) {
            return true;
        }
        // No form credentials: only an auto-login cookie can still make this request ours.
        return AutoLoginUtilities.getAutoLoginCookie(httpServletRequest.getCookies()) != null;
    }

    /**
     * Entry point for a request routed to this authenticator.
     * <p>
     * Order of checks: requests carrying sensitive data in the URL are answered with
     * {@code INCOMPLETE}; logout requests complete immediately; then, if an auto-login cookie is
     * present and the context has not yet recorded the auto-login flow as handled, the cookie-based
     * flow is attempted. Every path that enters the auto-login flow removes the cookie from the
     * response (success, retry redirect, or rethrow). Otherwise the request falls through to the
     * standard username/password handling in the superclass.
     *
     * @param httpServletRequest    current request
     * @param httpServletResponse   current response (receives the cookie removal / redirect)
     * @param authenticationContext framework authentication context
     * @return the resulting flow status
     * @throws AuthenticationFailedException when auto-login fails and a retry on this authenticator is
     *                                       not allowed, or when propagated from the superclass
     * @throws LogoutFailedException         propagated from the superclass
     */
    public AuthenticatorFlowStatus process(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationContext authenticationContext) throws AuthenticationFailedException, LogoutFailedException {
        if (isURLContainSensitiveData(httpServletRequest, httpServletResponse, authenticationContext)) {
            return AuthenticatorFlowStatus.INCOMPLETE;
        }
        Cookie loginCookie = AutoLoginUtilities.getAutoLoginCookie(httpServletRequest.getCookies());
        if (authenticationContext.isLogoutRequest()) {
            return AuthenticatorFlowStatus.SUCCESS_COMPLETED;
        }
        if (loginCookie != null && !Boolean.TRUE.equals(authenticationContext.getProperty(AutoLoginConstant.BASIC_AUTH_AUTO_LOGIN_FLOW_HANDLED))) {
            try {
                if (AutoLoginUtilities.isEnableAutoLoginEnabled(authenticationContext, loginCookie)) {
                    try {
                        // Flag the flow as handled before executing it; the check above keeps a
                        // re-entry on the same context from attempting the cookie login twice.
                        authenticationContext.setProperty(AutoLoginConstant.BASIC_AUTH_AUTO_LOGIN_FLOW_HANDLED, true);
                        AuthenticatorFlowStatus outcome = executeAutoLoginFlow(httpServletRequest, httpServletResponse, authenticationContext, loginCookie);
                        AutoLoginUtilities.removeAutoLoginCookieInResponse(httpServletResponse, loginCookie);
                        return outcome;
                    } catch (AuthenticationFailedException failure) {
                        // Request attribute read by the framework; presumably marks the request as already handled here.
                        httpServletRequest.setAttribute("commonAuthHandled", true);
                        boolean sendToMultiOptionPage = isStepHasMultiOption(authenticationContext) && isRedirectToMultiOptionPageOnFailure();
                        boolean retryHere = retryAuthenticationEnabled(authenticationContext) && !sendToMultiOptionPage;
                        if (!retryHere) {
                            // Retry disabled (or the multi-option page takes over): record the failure and propagate it.
                            authenticationContext.setProperty("LastFailedAuthenticator", getName());
                            if (log.isDebugEnabled()) {
                                log.debug("Error occurred while executing the Auto Login from Cookie flow: " + failure);
                            }
                            throw failure;
                        }
                        // Retry allowed: show this authenticator's login page instead of failing the step.
                        authenticationContext.setCurrentAuthenticator(getName());
                        initiateAuthenticationRequest(httpServletRequest, httpServletResponse, authenticationContext);
                        AutoLoginUtilities.removeAutoLoginCookieInResponse(httpServletResponse, loginCookie);
                        return AuthenticatorFlowStatus.INCOMPLETE;
                    }
                }
            } catch (Throwable th) {
                // Anything escaping the auto-login attempt (including the rethrow above) still clears the cookie.
                AutoLoginUtilities.removeAutoLoginCookieInResponse(httpServletResponse, loginCookie);
                throw th;
            }
        }
        return super.process(httpServletRequest, httpServletResponse, authenticationContext);
    }

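    /**
     * Completes the auto-login flow from a signed auto-login cookie.
     * <p>
     * The cookie value is Base64 text wrapping a JSON envelope with a signature member and a content
     * member; the content is itself a JSON document carrying the {@code username}. The signature is
     * checked with {@link AutoLoginUtilities#validateAutoLoginCookie} over the raw content string
     * before that content is parsed, so nothing from an unsigned or tampered payload is interpreted,
     * and only then is the username used to set the subject.
     *
     * @param httpServletRequest    current request (not read here; available to overriding subclasses)
     * @param httpServletResponse   current response (not read here; available to overriding subclasses)
     * @param authenticationContext context whose subject is set on success
     * @param cookie                the auto-login cookie found on the request
     * @return {@link AuthenticatorFlowStatus#SUCCESS_COMPLETED} once the subject has been set
     * @throws AuthenticationFailedException if the cookie fails validation
     */
    protected AuthenticatorFlowStatus executeAutoLoginFlow(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationContext authenticationContext, Cookie cookie) throws AuthenticationFailedException {
        // Decode explicitly as UTF-8: the charset-less String constructor uses the platform default on
        // pre-18 JVMs, so a non-ASCII username could decode differently across hosts. Assumes the cookie
        // writer emits UTF-8 (the JDK default since 18) — TODO confirm against the cookie-issuing code.
        String cookiePayload = new String(Base64.getDecoder().decode(cookie.getValue()), StandardCharsets.UTF_8);
        JSONObject envelope = AutoLoginUtilities.transformToJSON(cookiePayload);
        String signature = (String) envelope.get(AutoLoginConstant.SIGNATURE);
        String content = (String) envelope.get(AutoLoginConstant.CONTENT);
        // Verify before parse: the signature covers the raw content string, so the content is only
        // interpreted once it is known to be authentic.
        AutoLoginUtilities.validateAutoLoginCookie(authenticationContext, getAuthenticatorConfig(), content, signature);
        JSONObject signedContent = AutoLoginUtilities.transformToJSON(content);
        if (log.isDebugEnabled()) {
            log.debug("Started executing Auto Login from Cookie flow.");
        }
        String username = (String) signedContent.get("username");
        // Publish the user-store domain of the cookie's username for downstream lookups on this thread.
        UserCoreUtil.setDomainInThreadLocal(UserCoreUtil.extractDomainFromName(username));
        authenticationContext.setSubject(AuthenticatedUser.createLocalAuthenticatedUserFromSubjectIdentifier(FrameworkUtils.prependUserStoreDomainToName(username)));
        return AuthenticatorFlowStatus.SUCCESS_COMPLETED;
    }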

    /**
     * Redirects the browser to the login page (or, for an admin-forced password reset, to the account
     * recovery confirmation page), attaching failure details as query parameters.
     * <p>
     * The redirect target is chosen from the {@link IdentityErrorMsgContext} left on the thread by the
     * previous authentication attempt: a few error codes get dedicated failure messages; when the
     * authenticator parameter {@code showAuthFailureReason} is {@code "true"} the remaining codes are
     * surfaced (optionally masked) as error-code / failed-username / remaining-attempts parameters,
     * minus any names listed in {@code errorParamsToOmit}. The thread-local error context is cleared
     * as soon as it has been read, and the password stashed under {@code PASSWORD_PROPERTY} is removed
     * from the context.
     *
     * @param httpServletRequest    current request; its {@code username} parameter is echoed into the redirect
     * @param httpServletResponse   response that receives the redirect
     * @param authenticationContext current context (context-id query params, retry state, stashed password)
     * @throws AuthenticationFailedException if sending the redirect fails with an {@link IOException}
     */
    protected void initiateAuthenticationRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationContext authenticationContext) throws AuthenticationFailedException {
        String str;
        // Authenticator configuration parameters; every one of them is optional.
        Map parameterMap = getAuthenticatorConfig().getParameterMap();
        // str2: showAuthFailureReason, str3: showAuthFailureReasonOnLoginPage,
        // str4: maskUserNotExistsErrorCode, str5: maskAdminForcedPasswordResetErrorCode,
        // arrayList: errorParamsToOmit (parsed only when showAuthFailureReason is enabled).
        String str2 = null;
        String str3 = null;
        String str4 = null;
        String str5 = null;
        ArrayList arrayList = null;
        if (parameterMap != null) {
            str2 = (String) parameterMap.get(BasicAuthenticatorConstants.CONF_SHOW_AUTH_FAILURE_REASON);
            if (log.isDebugEnabled()) {
                log.debug("showAuthFailureReason has been set as : " + str2);
            }
            if (Boolean.parseBoolean(str2)) {
                str4 = (String) parameterMap.get(BasicAuthenticatorConstants.CONF_MASK_USER_NOT_EXISTS_ERROR_CODE);
                if (log.isDebugEnabled()) {
                    log.debug("maskUserNotExistsErrorCode has been set as : " + str4);
                }
                str3 = (String) parameterMap.get(BasicAuthenticatorConstants.CONF_SHOW_AUTH_FAILURE_REASON_ON_LOGIN_PAGE);
                if (log.isDebugEnabled()) {
                    log.debug("showAuthFailureReasonOnLoginPage has been set as : " + str3);
                }
                String str6 = (String) parameterMap.get(BasicAuthenticatorConstants.CONF_ERROR_PARAMS_TO_OMIT);
                if (log.isDebugEnabled()) {
                    log.debug("errorParamsToOmit has been set as : " + str6);
                }
                // Comma-separated list of parameter names; spaces are stripped before splitting.
                if (StringUtils.isNotBlank(str6)) {
                    arrayList = new ArrayList(Arrays.asList(str6.replaceAll(" ", "").split(",")));
                }
            }
            str5 = (String) parameterMap.get(BasicAuthenticatorConstants.CONF_MASK_ADMIN_FORCED_PASSWORD_RESET_ERROR_CODE);
            if (log.isDebugEnabled()) {
                log.debug("maskAdminForcedPasswordResetErrorCode has been set as : " + str5);
            }
        }
        String authenticationEndpointURL = ConfigurationFacade.getInstance().getAuthenticationEndpointURL();
        String authenticationEndpointRetryURL = ConfigurationFacade.getInstance().getAuthenticationEndpointRetryURL();
        String contextIdIncludedQueryParams = authenticationContext.getContextIdIncludedQueryParams();
        // The password-field value stashed by processAuthenticationResponse is taken out of the context
        // here; it is only needed further down for the 17007 (forced reset via OTP) redirect.
        String str7 = (String) authenticationContext.getProperty(PASSWORD_PROPERTY);
        authenticationContext.getProperties().remove(PASSWORD_PROPERTY);
        Map runtimeParams = getRuntimeParams(authenticationContext);
        if (runtimeParams != null) {
            // A username supplied as a runtime param (identifier-first flow) is passed to the login
            // page as an endpoint param and flagged with inputType=idf.
            String str8 = null;
            String str9 = (String) runtimeParams.get("username");
            if (str9 != null) {
                str8 = "idf";
            }
            if ("idf".equalsIgnoreCase(str8)) {
                contextIdIncludedQueryParams = contextIdIncludedQueryParams + "&inputType=" + str8;
                authenticationContext.addEndpointParam("username", str9);
            }
            // Extra query parameters are appended verbatim.
            String str10 = (String) runtimeParams.get(ADDITIONAL_QUERY_PARAMS);
            if (StringUtils.isNotBlank(str10)) {
                contextIdIncludedQueryParams = contextIdIncludedQueryParams + "&" + str10;
            }
        }
        try {
            // str11: "&authFailure=true&authFailureMsg=..." suffix describing why the previous attempt failed.
            String str11 = "";
            if (authenticationContext.isRetrying()) {
                if (authenticationContext.getProperty("InvalidEmailUsername") == null || !((Boolean) authenticationContext.getProperty("InvalidEmailUsername")).booleanValue()) {
                    str11 = "&authFailure=true&authFailureMsg=login.fail.message";
                } else {
                    str11 = "&authFailure=true&authFailureMsg=emailusername.fail.message";
                    authenticationContext.setProperty("InvalidEmailUsername", false);
                }
            }
            if (authenticationContext.getProperty("UserTenantDomainMismatch") != null && ((Boolean) authenticationContext.getProperty("UserTenantDomainMismatch")).booleanValue()) {
                str11 = "&authFailure=true&authFailureMsg=user.tenant.domain.mismatch.message";
                authenticationContext.setProperty("UserTenantDomainMismatch", false);
            }
            // Read-and-clear the thread-local error context so it cannot leak into a later request on this thread.
            IdentityErrorMsgContext identityErrorMsg = IdentityUtil.getIdentityErrorMsg();
            IdentityUtil.clearIdentityErrorMsg();
            if (identityErrorMsg == null || identityErrorMsg.getErrorCode() == null) {
                if (log.isDebugEnabled()) {
                    log.debug("Identity error message context is null");
                }
                // No error context: plain login page, plus any generic failure suffix.
                str = authenticationEndpointURL + "?" + contextIdIncludedQueryParams + BasicAuthenticatorConstants.AUTHENTICATORS + getName() + ":" + BasicAuthenticatorConstants.LOCAL + str11;
            } else {
                if (log.isDebugEnabled()) {
                    log.debug("Identity error message context is not null");
                }
                String errorCode = identityErrorMsg.getErrorCode();
                if (errorCode.equals("17005")) {
                    // Account confirmation pending. The username is re-qualified with the user-store domain
                    // left in the thread-local map, if any.
                    // NOTE(review): URLEncoder.encode(parameter, ...) throws NullPointerException when the
                    // request has no username parameter; the default branch below guards for that case.
                    String parameter = httpServletRequest.getParameter("username");
                    Object obj = ((Map) IdentityUtil.threadLocalProperties.get()).get(RE_CAPTCHA_USER_DOMAIN);
                    if (obj != null) {
                        parameter = IdentityUtil.addDomainToName(parameter, obj.toString());
                    }
                    str = authenticationEndpointURL + "?" + contextIdIncludedQueryParams + BasicAuthenticatorConstants.FAILED_USERNAME + URLEncoder.encode(parameter, BasicAuthenticatorConstants.UTF_8) + BasicAuthenticatorConstants.ERROR_CODE + errorCode + BasicAuthenticatorConstants.AUTHENTICATORS + getName() + ":" + BasicAuthenticatorConstants.LOCAL + "&authFailure=true&authFailureMsg=account.confirmation.pending";
                } else if (errorCode.equals("17006")) {
                    // Password reset pending. With maskAdminForcedPasswordResetErrorCode the code shown to
                    // the browser is replaced by the generic 17002 and the generic failure message.
                    String str12 = "&authFailure=true&authFailureMsg=password.reset.pending";
                    if (Boolean.parseBoolean(str5)) {
                        errorCode = "17002";
                        if (log.isDebugEnabled()) {
                            log.debug("Masking password reset pending error code: 17006 with error code: " + errorCode);
                        }
                        str12 = "&authFailure=true&authFailureMsg=login.fail.message";
                    }
                    str = authenticationEndpointURL + "?" + contextIdIncludedQueryParams + BasicAuthenticatorConstants.FAILED_USERNAME + URLEncoder.encode(httpServletRequest.getParameter("username"), BasicAuthenticatorConstants.UTF_8) + BasicAuthenticatorConstants.ERROR_CODE + errorCode + BasicAuthenticatorConstants.AUTHENTICATORS + getName() + ":" + BasicAuthenticatorConstants.LOCAL + str12;
                } else if (errorCode.equals("17007")) {
                    // Admin-forced password reset via OTP: hand over to the account-recovery confirmation page,
                    // with the login page (context id included) as the callback.
                    // NOTE(review): the value submitted in the password field (str7) is embedded in the redirect
                    // query string as the confirmation parameter; presumably the OTP in this scenario. Query
                    // strings are commonly captured in access logs and Referer headers — confirm this is intended.
                    String parameter2 = httpServletRequest.getParameter("username");
                    try {
                        str = "accountrecoveryendpoint/confirmrecovery.do?username=" + URLEncoder.encode(parameter2, BasicAuthenticatorConstants.UTF_8) + BasicAuthenticatorConstants.TENANT_DOMAIN_PARAM + URLEncoder.encode(getTenantDomainFromUserName(authenticationContext, parameter2), BasicAuthenticatorConstants.UTF_8) + BasicAuthenticatorConstants.CONFIRMATION_PARAM + URLEncoder.encode(str7, BasicAuthenticatorConstants.UTF_8) + BasicAuthenticatorConstants.CALLBACK_PARAM + URLEncoder.encode(ServiceURLBuilder.create().addPath(new String[]{authenticationEndpointURL}).build().getAbsolutePublicURL() + "?" + contextIdIncludedQueryParams + BasicAuthenticatorConstants.AUTHENTICATORS + getName() + ":" + BasicAuthenticatorConstants.LOCAL, BasicAuthenticatorConstants.UTF_8) + BasicAuthenticatorConstants.REASON_PARAM + URLEncoder.encode(RecoveryScenarios.ADMIN_FORCED_PASSWORD_RESET_VIA_OTP.name(), BasicAuthenticatorConstants.UTF_8);
                    } catch (URLBuilderException e) {
                        throw new IdentityRuntimeException("Error while building callback url for context: " + authenticationEndpointURL, e);
                    }
                } else if (errorCode.equals("17009")) {
                    // Account pending approval.
                    str = authenticationEndpointURL + "?" + contextIdIncludedQueryParams + BasicAuthenticatorConstants.FAILED_USERNAME + URLEncoder.encode(httpServletRequest.getParameter("username"), BasicAuthenticatorConstants.UTF_8) + BasicAuthenticatorConstants.ERROR_CODE + errorCode + BasicAuthenticatorConstants.AUTHENTICATORS + getName() + ":" + BasicAuthenticatorConstants.LOCAL + "&authFailure=true&authFailureMsg=account.pending.approval";
                } else if ("true".equals(str2)) {
                    // Detailed failure reasons are only exposed when showAuthFailureReason is exactly "true".
                    // NOTE(review): this check is case-sensitive, whereas the mask/omit parameters above were
                    // parsed with Boolean.parseBoolean (case-insensitive); a value such as "True" reads those
                    // parameters but never reaches this branch.
                    if (Boolean.parseBoolean(str4) && StringUtils.contains(errorCode, "17001")) {
                        // User-not-found is masked to the generic 17002 so the response does not reveal account existence.
                        errorCode = "17002";
                        if (log.isDebugEnabled()) {
                            log.debug("Masking user not found error code: 17001 with error code: " + errorCode);
                        }
                    }
                    // Error codes may arrive as "code:reason"; str13 receives the reason part.
                    String str13 = null;
                    if (errorCode.contains(":")) {
                        String[] split = errorCode.split(":", 2);
                        errorCode = split[0];
                        if (split.length > 1) {
                            str13 = split[1];
                        }
                    }
                    int maximumLoginAttempts = identityErrorMsg.getMaximumLoginAttempts() - identityErrorMsg.getFailedLoginAttempts();
                    if (log.isDebugEnabled()) {
                        log.debug("errorCode : " + errorCode);
                        log.debug("username : " + httpServletRequest.getParameter("username"));
                        log.debug("remainingAttempts : " + maximumLoginAttempts);
                    }
                    if (errorCode.equals("17002")) {
                        // Generic failure: error code, failed username and remaining attempts go back to the login page.
                        HashMap hashMap = new HashMap();
                        hashMap.put(BasicAuthenticatorConstants.ERROR_CODE, errorCode);
                        hashMap.put(BasicAuthenticatorConstants.FAILED_USERNAME, URLEncoder.encode(httpServletRequest.getParameter("username"), BasicAuthenticatorConstants.UTF_8));
                        hashMap.put(BasicAuthenticatorConstants.REMAINING_ATTEMPTS, String.valueOf(maximumLoginAttempts));
                        str = authenticationEndpointURL + "?" + contextIdIncludedQueryParams + BasicAuthenticatorConstants.AUTHENTICATORS + getName() + ":" + BasicAuthenticatorConstants.LOCAL + (str11 + buildErrorParamString(hashMap, arrayList));
                    } else if (errorCode.equals("17003")) {
                        // Carries a LOCKED_REASON parameter when the code had a reason part. Shown on the login
                        // page when showAuthFailureReasonOnLoginPage is set, otherwise on the retry page.
                        HashMap hashMap2 = new HashMap();
                        hashMap2.put(BasicAuthenticatorConstants.ERROR_CODE, errorCode);
                        hashMap2.put(BasicAuthenticatorConstants.FAILED_USERNAME, URLEncoder.encode(httpServletRequest.getParameter("username"), BasicAuthenticatorConstants.UTF_8));
                        if (StringUtils.isNotBlank(str13)) {
                            hashMap2.put(BasicAuthenticatorConstants.LOCKED_REASON, str13);
                        }
                        if (maximumLoginAttempts == 0) {
                            hashMap2.put(BasicAuthenticatorConstants.REMAINING_ATTEMPTS, "0");
                        }
                        str = Boolean.parseBoolean(str3) ? authenticationEndpointURL + "?" + contextIdIncludedQueryParams + BasicAuthenticatorConstants.AUTHENTICATORS + getName() + ":" + BasicAuthenticatorConstants.LOCAL + buildErrorParamString(hashMap2, arrayList) : httpServletResponse.encodeRedirectURL(authenticationEndpointRetryURL + "?" + contextIdIncludedQueryParams) + buildErrorParamString(hashMap2, arrayList);
                    } else if (errorCode.equals("17008")) {
                        HashMap hashMap3 = new HashMap();
                        hashMap3.put(BasicAuthenticatorConstants.ERROR_CODE, errorCode);
                        hashMap3.put(BasicAuthenticatorConstants.FAILED_USERNAME, URLEncoder.encode(httpServletRequest.getParameter("username"), BasicAuthenticatorConstants.UTF_8));
                        str = authenticationEndpointURL + "?" + contextIdIncludedQueryParams + buildErrorParamString(hashMap3, arrayList) + BasicAuthenticatorConstants.AUTHENTICATORS + getName() + ":" + BasicAuthenticatorConstants.LOCAL + "&authFailure=true&authFailureMsg=login.fail.message";
                    } else {
                        // Any other code: the reason part (if present) replaces the generic failure message;
                        // the failed username is included only when the request actually carried one.
                        HashMap hashMap4 = new HashMap();
                        hashMap4.put(BasicAuthenticatorConstants.ERROR_CODE, errorCode);
                        if (httpServletRequest.getParameter("username") != null) {
                            hashMap4.put(BasicAuthenticatorConstants.FAILED_USERNAME, URLEncoder.encode(httpServletRequest.getParameter("username"), BasicAuthenticatorConstants.UTF_8));
                        }
                        if (StringUtils.isNotBlank(str13)) {
                            str11 = "&authFailure=true&authFailureMsg=" + URLEncoder.encode(str13, BasicAuthenticatorConstants.UTF_8);
                        }
                        str = authenticationEndpointURL + "?" + contextIdIncludedQueryParams + BasicAuthenticatorConstants.AUTHENTICATORS + getName() + ":" + BasicAuthenticatorConstants.LOCAL + (str11 + buildErrorParamString(hashMap4, arrayList));
                    }
                } else {
                    // Reason display disabled (or unhandled code): only the generic failure suffix is sent.
                    if (log.isDebugEnabled()) {
                        log.debug("Unknown identity error code.");
                    }
                    str = authenticationEndpointURL + "?" + contextIdIncludedQueryParams + BasicAuthenticatorConstants.AUTHENTICATORS + getName() + ":" + BasicAuthenticatorConstants.LOCAL + str11;
                }
            }
            // reCAPTCHA parameters are keyed off the failed-attempt count from the error context (0 when absent).
            httpServletResponse.sendRedirect(str + getCaptchaParams(authenticationContext.getLoginTenantDomain(), identityErrorMsg == null ? 0 : identityErrorMsg.getFailedLoginAttempts()));
        } catch (IOException e2) {
            throw new AuthenticationFailedException(BasicAuthErrorConstants.ErrorMessages.SYSTEM_ERROR_WHILE_AUTHENTICATING.getCode(), e2.getMessage(), User.getUserFromUserName(httpServletRequest.getParameter("username")), e2);
        }
    }

    protected void processAuthenticationResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationContext authenticationContext) throws AuthenticationFailedException {
        String str;
        String captchaParams = getCaptchaParams(authenticationContext.getLoginTenantDomain(), 0);
        if (StringUtils.isNotBlank(captchaParams)) {
            authenticationContext.setProperty("captchaParams", captchaParams);
        }
        String parameter = httpServletRequest.getParameter("username");
        if (StringUtils.isBlank(parameter)) {
            throw new InvalidCredentialsException(BasicAuthErrorConstants.ErrorMessages.EMPTY_USERNAME.getCode(), BasicAuthErrorConstants.ErrorMessages.EMPTY_USERNAME.getMessage());
        }
        Map runtimeParams = getRuntimeParams(authenticationContext);
        if (runtimeParams != null) {
            if (Boolean.parseBoolean((String) runtimeParams.get(APPEND_USER_TENANT_TO_USERNAME))) {
                parameter = parameter + "@" + authenticationContext.getUserTenantDomain();
            }
            if (Boolean.parseBoolean((String) runtimeParams.get(APPEND_APP_TENANT_TO_USERNAME))) {
                parameter = parameter + "@" + authenticationContext.getTenantDomain();
            }
        }
        String str2 = parameter;
        if (!IdentityUtil.isEmailUsernameValidationDisabled()) {
            FrameworkUtils.validateUsername(parameter, authenticationContext);
            str2 = FrameworkUtils.preprocessUsername(parameter, authenticationContext);
        }
        String tenantDomain = MultitenantUtils.getTenantDomain(str2);
        String tenantAwareUsername = MultitenantUtils.getTenantAwareUsername(str2);
        String str3 = null;
        if (BasicAuthenticatorDataHolder.getInstance().getMultiAttributeLogin().isEnabled(tenantDomain)) {
            ResolvedUserResult resolveUser = BasicAuthenticatorDataHolder.getInstance().getMultiAttributeLogin().resolveUser(tenantAwareUsername, tenantDomain);
            if (resolveUser == null || !ResolvedUserResult.UserResolvedStatus.SUCCESS.equals(resolveUser.getResolvedStatus())) {
                throw new InvalidCredentialsException(BasicAuthErrorConstants.ErrorMessages.USER_DOES_NOT_EXISTS.getCode(), BasicAuthErrorConstants.ErrorMessages.USER_DOES_NOT_EXISTS.getMessage(), User.getUserFromUserName(str2));
            }
            tenantAwareUsername = resolveUser.getUser().getUsername();
            str2 = UserCoreUtil.addTenantDomainToEntry(tenantAwareUsername, tenantDomain);
            str3 = resolveUser.getUser().getUserID();
        }
        String parameter2 = httpServletRequest.getParameter(BasicAuthenticatorConstants.PASSWORD);
        if (StringUtils.isBlank(parameter2)) {
            throw new InvalidCredentialsException(BasicAuthErrorConstants.ErrorMessages.EMPTY_PASSWORD.getCode(), BasicAuthErrorConstants.ErrorMessages.EMPTY_PASSWORD.getMessage());
        }
        Map properties = authenticationContext.getProperties();
        if (properties == null) {
            properties = new HashMap();
            authenticationContext.setProperties(properties);
        }
        if (runtimeParams != null && (str = (String) runtimeParams.get("username")) != null && !str.equals(httpServletRequest.getParameter("username"))) {
            if (log.isDebugEnabled()) {
                log.debug("Username set for identifier first login: " + str + " and username submitted from login page" + str2 + " does not match.");
            }
            throw new InvalidCredentialsException(BasicAuthErrorConstants.ErrorMessages.CREDENTIAL_MISMATCH.getCode(), BasicAuthErrorConstants.ErrorMessages.CREDENTIAL_MISMATCH.getMessage());
        }
        properties.put(PASSWORD_PROPERTY, parameter2);
        boolean z = false;
        AbstractUserStoreManager userStoreManager = getUserStoreManager(str2, tenantDomain);
        ((Map) IdentityUtil.threadLocalProperties.get()).remove(RE_CAPTCHA_USER_DOMAIN);
        try {
            try {
                setUserExistThreadLocal();
                AuthenticationResult authenticateWithID = str3 != null ? userStoreManager.authenticateWithID(str3, parameter2) : userStoreManager.authenticateWithID("http://wso2.org/claims/username", tenantAwareUsername, parameter2, "default");
                if (AuthenticationResult.AuthenticationStatus.SUCCESS == authenticateWithID.getAuthenticationStatus() && authenticateWithID.getAuthenticatedUser().isPresent()) {
                    z = true;
                    authenticationContext.removeProperty("captchaParams");
                }
                if (isAuthPolicyAccountExistCheck()) {
                    checkUserExistence();
                }
                if (z) {
                    properties.put("user-tenant-domain", tenantDomain);
                    AuthenticatedUser authenticatedUser = new AuthenticatedUser((org.wso2.carbon.user.core.common.User) authenticateWithID.getAuthenticatedUser().get());
                    updateMultiAttributeUsername(authenticatedUser, userStoreManager);
                    authenticatedUser.setAuthenticatedSubjectIdentifier(authenticatedUser.getUsernameAsSubjectIdentifier(true, true));
                    authenticationContext.setSubject(authenticatedUser);
                    if ("on".equals(httpServletRequest.getParameter("chkRemember"))) {
                        authenticationContext.setRememberMe(true);
                        return;
                    }
                    return;
                }
                if (log.isDebugEnabled()) {
                    log.debug("User authentication failed due to invalid credentials");
                }
                if (((Map) IdentityUtil.threadLocalProperties.get()).get(RE_CAPTCHA_USER_DOMAIN) != null) {
                    str2 = IdentityUtil.addDomainToName(str2, ((Map) IdentityUtil.threadLocalProperties.get()).get(RE_CAPTCHA_USER_DOMAIN).toString());
                }
                ((Map) IdentityUtil.threadLocalProperties.get()).remove(RE_CAPTCHA_USER_DOMAIN);
                IdentityErrorMsgContext identityErrorMsg = IdentityUtil.getIdentityErrorMsg();
                String captchaParams2 = getCaptchaParams(authenticationContext.getLoginTenantDomain(), identityErrorMsg == null ? 0 : identityErrorMsg.getFailedLoginAttempts());
                if (StringUtils.isNotBlank(captchaParams2)) {
                    authenticationContext.setProperty("captchaParams", captchaParams2);
                }
                throw new InvalidCredentialsException(BasicAuthErrorConstants.ErrorMessages.INVALID_CREDENTIALS.getCode(), BasicAuthErrorConstants.ErrorMessages.INVALID_CREDENTIALS.getMessage(), User.getUserFromUserName(str2));
            } catch (UserStoreClientException e) {
                if (log.isDebugEnabled()) {
                    log.debug("BasicAuthentication failed while trying to authenticate the user " + str2, e);
                }
                IdentityUtil.setIdentityErrorMsg(new IdentityErrorMsgContext(e.getErrorCode() + ":" + e.getMessage()));
                throw new AuthenticationFailedException(BasicAuthErrorConstants.ErrorMessages.USER_STORE_EXCEPTION_WHILE_TRYING_TO_AUTHENTICATE.getCode(), e.getMessage(), User.getUserFromUserName(str2), e);
            } catch (UserStoreException e2) {
                if (log.isDebugEnabled()) {
                    log.debug("BasicAuthentication failed while trying to authenticate the user " + str2, e2);
                }
                UserStoreClientException rootCause = ExceptionUtils.getRootCause(e2);
                if (rootCause instanceof UserStoreClientException) {
                    IdentityUtil.setIdentityErrorMsg(new IdentityErrorMsgContext(rootCause.getErrorCode() + ":" + rootCause.getMessage()));
                }
                boolean showPendingUserInformationDefaultConfig = showPendingUserInformationDefaultConfig();
                try {
                    try {
                        PrivilegedCarbonContext.startTenantFlow();
                        PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantId(IdentityTenantUtil.getTenantId(tenantDomain));
                        PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(tenantDomain);
                        String value = BasicAuthenticatorDataHolder.getInstance().getConfigurationManager().getAttribute(BasicAuthenticatorConstants.RESOURCE_TYPE_NAME_CONFIG, BasicAuthenticatorConstants.RESOURCE_NAME_CONFIG, BasicAuthenticatorConstants.PENDING_USER_INFORMATION_ATTRIBUTE_NAME_CONFIG).getValue();
                        if (StringUtils.isNotBlank(value)) {
                            showPendingUserInformationDefaultConfig = Boolean.parseBoolean(value);
                        }
                        PrivilegedCarbonContext.endTenantFlow();
                    } catch (Throwable th) {
                        PrivilegedCarbonContext.endTenantFlow();
                        throw th;
                    }
                } catch (ConfigurationManagementException e3) {
                    if (ConfigurationConstants.ErrorMessages.ERROR_CODE_FEATURE_NOT_ENABLED.getCode().equals(e3.getErrorCode())) {
                        if (log.isDebugEnabled()) {
                            log.debug(String.format("%s Therefore using the default configuration value: %s for the attribute: %s", ConfigurationConstants.ErrorMessages.ERROR_CODE_FEATURE_NOT_ENABLED.getMessage(), Boolean.valueOf(showPendingUserInformationDefaultConfig), BasicAuthenticatorConstants.PENDING_USER_INFORMATION_ATTRIBUTE_NAME_CONFIG));
                        }
                    } else if (ConfigurationConstants.ErrorMessages.ERROR_CODE_ATTRIBUTE_DOES_NOT_EXISTS.getCode().equals(e3.getErrorCode())) {
                        if (log.isDebugEnabled()) {
                            log.debug(String.format("%s attribute doesn't exist for the tenant: %s. Therefore using the default configuration value: %s for the attribute: %s", BasicAuthenticatorConstants.PENDING_USER_INFORMATION_ATTRIBUTE_NAME_CONFIG, tenantDomain, Boolean.valueOf(showPendingUserInformationDefaultConfig), BasicAuthenticatorConstants.PENDING_USER_INFORMATION_ATTRIBUTE_NAME_CONFIG));
                        }
                    } else if (ConfigurationConstants.ErrorMessages.ERROR_CODE_RESOURCE_TYPE_DOES_NOT_EXISTS.getCode().equals(e3.getErrorCode())) {
                        if (log.isDebugEnabled()) {
                            log.debug(String.format("%s resource type doesn't exist for the tenant: %s. Therefore using the default configuration value: %s for the attribute: %s", BasicAuthenticatorConstants.RESOURCE_TYPE_NAME_CONFIG, tenantDomain, Boolean.valueOf(showPendingUserInformationDefaultConfig), BasicAuthenticatorConstants.PENDING_USER_INFORMATION_ATTRIBUTE_NAME_CONFIG));
                        }
                    } else {
                        if (!ConfigurationConstants.ErrorMessages.ERROR_CODE_RESOURCE_DOES_NOT_EXISTS.getCode().equals(e3.getErrorCode())) {
                            throw new AuthenticationFailedException(String.format("Error in retrieving %s configuration for the tenant %s", BasicAuthenticatorConstants.PENDING_USER_INFORMATION_ATTRIBUTE_NAME_CONFIG, tenantDomain, e2));
                        }
                        if (log.isDebugEnabled()) {
                            log.debug(String.format("%s resource doesn't exist for the tenant: %s. Therefore using the default configuration value: %s for the attribute: %s", BasicAuthenticatorConstants.RESOURCE_NAME_CONFIG, tenantDomain, Boolean.valueOf(showPendingUserInformationDefaultConfig), BasicAuthenticatorConstants.PENDING_USER_INFORMATION_ATTRIBUTE_NAME_CONFIG));
                        }
                    }
                    PrivilegedCarbonContext.endTenantFlow();
                }
                if (!showPendingUserInformationDefaultConfig) {
                    throw new AuthenticationFailedException(BasicAuthErrorConstants.ErrorMessages.USER_STORE_EXCEPTION_WHILE_TRYING_TO_AUTHENTICATE.getCode(), e2.getMessage(), e2);
                }
                throw new AuthenticationFailedException(BasicAuthErrorConstants.ErrorMessages.USER_STORE_EXCEPTION_WHILE_TRYING_TO_AUTHENTICATE.getCode(), e2.getMessage(), User.getUserFromUserName(str2), e2);
            }
        } finally {
            clearUserExistThreadLocal();
        }
    }

    /**
     * Tells the framework that a failed attempt with this authenticator may be retried.
     *
     * @return always {@code true}; the login page is re-shown after a failure instead of
     *         terminating the flow (lockout / captcha enforcement happens elsewhere).
     */
    protected boolean retryAuthenticationEnabled() {
        final boolean retryAllowed = true;
        return retryAllowed;
    }

    /**
     * Extracts the authentication-context identifier the framework uses to correlate this request
     * with an in-flight login flow.
     *
     * @param httpServletRequest the incoming request.
     * @return the {@code sessionDataKey} request parameter, or {@code null} when it is absent.
     */
    public String getContextIdentifier(HttpServletRequest httpServletRequest) {
        final String sessionDataKeyParam = "sessionDataKey";
        // Not validated here; the framework resolves it against its own context cache.
        return httpServletRequest.getParameter(sessionDataKeyParam);
    }

    /**
     * Human-readable name shown for this authenticator in the UI / configuration.
     *
     * @return {@link BasicAuthenticatorConstants#AUTHENTICATOR_FRIENDLY_NAME}.
     */
    public String getFriendlyName() {
        String friendlyName = BasicAuthenticatorConstants.AUTHENTICATOR_FRIENDLY_NAME;
        return friendlyName;
    }

    /**
     * Technical identifier of this authenticator (used in the {@code authenticators=} query
     * parameter built for redirects, see the redirect in this class).
     *
     * @return {@link BasicAuthenticatorConstants#AUTHENTICATOR_NAME}.
     */
    public String getName() {
        String authenticatorName = BasicAuthenticatorConstants.AUTHENTICATOR_NAME;
        return authenticatorName;
    }

    /**
     * Concatenates error query parameters, dropping any whose name appears in the omit list.
     *
     * @param map  parameter fragments keyed by name; each key/value pair is handed to
     *             {@link #filterAndAddParam(String, String, List)} unchanged.
     * @param list parameter names that must not appear in the error response (may be empty or null).
     * @return the concatenation of all fragments that were not omitted; empty string when nothing remains.
     */
    private String buildErrorParamString(Map<String, String> map, List<String> list) {
        StringBuilder errorParams = new StringBuilder();
        map.forEach((paramName, paramValue) ->
                errorParams.append(filterAndAddParam(paramName, paramValue, list)));
        return errorParams.toString();
    }

    /**
     * Returns {@code str + str2} unless the parameter name (with {@code &} and {@code =} stripped
     * from {@code str}) is in the omit list, in which case an empty string is returned.
     * <p>
     * NOTE(review): the value is appended as-is; nothing in this method URL-encodes it. It is
     * presumably already encoded by the caller — confirm before passing untrusted values through.
     *
     * @param str  the parameter key fragment (e.g. {@code "&name="}); only used for name matching
     *             after stripping separators, and concatenated verbatim otherwise.
     * @param str2 the parameter value fragment.
     * @param list names to omit; a null or empty list omits nothing.
     * @return the fragment, or {@code ""} when omitted.
     */
    private String filterAndAddParam(String str, String str2, List<String> list) {
        String paramName = str.replaceAll("&", "").replaceAll("=", "");
        boolean omitted = CollectionUtils.isNotEmpty(list) && list.contains(paramName);
        if (!omitted) {
            return str + str2;
        }
        if (log.isDebugEnabled()) {
            log.debug("omitting param " + paramName + " in the error response.");
        }
        return "";
    }

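    /**
     * Builds the reCaptcha query-parameter fragment to append to the login-page redirect.
     * <p>
     * The fragment contains {@code &reCaptcha=true} when captcha is enforced for SSO login
     * (always-on, forced for all tenants, or the failed-attempt threshold has been exceeded) and
     * {@code &reCaptchaResend=true} when it is enforced for resend-confirmation. The original
     * implementation assigned/appended to the result inside the property loop, so the output
     * depended on the order in which the governance service returned properties (an
     * {@code enable.always} entry processed after the resend entry overwrote it, and the
     * always-on and threshold branches could both append {@code &reCaptcha=true}). Decisions are
     * now collected as flags and rendered once, in a fixed order, with no duplicates.
     * <p>
     * NOTE(review): on {@link IdentityGovernanceException} the method logs and returns whatever
     * was decided so far, i.e. it fails open (no captcha) — this matches the original behaviour.
     *
     * @param str the second argument passed to the governance service's {@code getConfiguration};
     *            presumably the tenant domain — confirm against the caller.
     * @param i   the current number of failed login attempts, compared against the configured
     *            {@code on.max.failed.attempts} threshold.
     * @return the parameter fragment, possibly empty.
     */
    private String getCaptchaParams(String str, int i) {
        Properties captchaConfigs = getCaptchaConfigs();
        boolean captchaEnabled = captchaConfigs != null && !captchaConfigs.isEmpty()
                && Boolean.parseBoolean(captchaConfigs.getProperty("recaptcha.enabled"));
        if (!captchaEnabled) {
            if (log.isDebugEnabled()) {
                log.debug("Recaptcha is not enabled.");
            }
            return "";
        }

        SSOLoginReCaptchaConfig ssoLoginReCaptchaConfig = new SSOLoginReCaptchaConfig();
        String enableAlwaysKey = ssoLoginReCaptchaConfig.getName() + ".enable.always";
        String maxFailedAttemptsKey = ssoLoginReCaptchaConfig.getName() + ".on.max.failed.attempts";
        String enableKey = ssoLoginReCaptchaConfig.getName() + ".enable";
        boolean forcedForAllTenants = Boolean.parseBoolean(
                captchaConfigs.getProperty("recaptcha.forcefullyEnabledForAllTenants"));

        boolean enforceLoginCaptcha = false;
        boolean enforceResendCaptcha = false;
        try {
            Property[] properties = BasicAuthenticatorDataHolder.getInstance().getIdentityGovernanceService()
                    .getConfiguration(new String[]{enableAlwaysKey, RESEND_CONFIRMATION_RECAPTCHA_ENABLE, enableKey}, str);
            if (properties == null) {
                properties = new Property[0];
            }
            for (Property property : properties) {
                String name = property.getName();
                boolean enabled = Boolean.parseBoolean(property.getValue());
                if (enableAlwaysKey.equals(name)) {
                    if (enabled || forcedForAllTenants) {
                        enforceLoginCaptcha = true;
                    } else if (log.isDebugEnabled()) {
                        log.debug("Enforcing recaptcha for SSO Login is not enabled.");
                    }
                } else if (RESEND_CONFIRMATION_RECAPTCHA_ENABLE.equals(name)) {
                    if (enabled || forcedForAllTenants) {
                        enforceResendCaptcha = true;
                    } else if (log.isDebugEnabled()) {
                        log.debug("Enforcing recaptcha for resend confirmation is not enabled.");
                    }
                } else if (enableKey.equals(name)) {
                    if (!enabled) {
                        if (log.isDebugEnabled()) {
                            log.debug("Enforcing recaptcha for exceeding max failed login is not enabled.");
                        }
                        continue;
                    }
                    // Threshold is read separately; a missing/non-numeric value falls back to 3.
                    if (maxFailedAttemptsExceeded(maxFailedAttemptsKey, str, i)) {
                        enforceLoginCaptcha = true;
                    }
                }
            }
        } catch (IdentityGovernanceException e) {
            log.error("Error occurred while verifying the captcha configs. Proceeding the authentication request without enabling recaptcha.", e);
        }

        StringBuilder params = new StringBuilder();
        if (enforceLoginCaptcha) {
            params.append("&reCaptcha=true");
        }
        if (enforceResendCaptcha) {
            params.append("&reCaptchaResend=true");
        }
        return params.toString();
    }

    /**
     * Reads the {@code on.max.failed.attempts} threshold and reports whether the given failed
     * attempt count is strictly above it (same {@code threshold < attempts} test as before).
     *
     * @param maxFailedAttemptsKey governance property name holding the threshold.
     * @param str                  passed through to {@code getConfiguration} (see caller).
     * @param failedAttempts       current failed-attempt count.
     * @return {@code true} when captcha should be enforced because of failed attempts.
     * @throws IdentityGovernanceException propagated from the governance service.
     */
    private boolean maxFailedAttemptsExceeded(String maxFailedAttemptsKey, String str, int failedAttempts)
            throws IdentityGovernanceException {
        final int defaultThreshold = 3;
        Property[] thresholdProperties = BasicAuthenticatorDataHolder.getInstance().getIdentityGovernanceService()
                .getConfiguration(new String[]{maxFailedAttemptsKey}, str);
        String thresholdValue = null;
        if (thresholdProperties != null && thresholdProperties.length > 0 && thresholdProperties[0] != null) {
            thresholdValue = thresholdProperties[0].getValue();
        }
        int threshold;
        if (NumberUtils.isNumber(thresholdValue)) {
            threshold = Integer.parseInt(thresholdValue);
        } else {
            if (log.isDebugEnabled()) {
                log.debug(String.format("Invalid value for Max failed attempts for reCaptcha: %s. Default value will be used.", thresholdValue));
            }
            threshold = defaultThreshold;
        }
        if (threshold < failedAttempts) {
            if (log.isDebugEnabled()) {
                log.debug("Number of failed attempts is higher than max failed loginattempts before reCaptcha. Recaptcha will be enforced.");
            }
            return true;
        }
        if (log.isDebugEnabled()) {
            log.debug("Number of failed attempts is less than or equal to max failed login attempts before reCaptcha. Recaptcha will not be enforced.");
        }
        return false;
    }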

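    /**
     * Returns the reCaptcha properties from the data holder, or an empty set when captcha is
     * enabled but any of the site key, API URL, secret key or verify URL is blank.
     * <p>
     * The original implementation called {@code clear()} on the holder's shared {@link Properties}
     * instance in the incomplete case, silently wiping the captcha configuration for every other
     * consumer of {@code getRecaptchaConfigs()} for the rest of the process lifetime. This version
     * leaves the shared instance untouched and returns a fresh empty {@link Properties} instead;
     * callers that test {@code isEmpty()} see the same result as before.
     *
     * @return the holder's properties (possibly {@code null}), or a new empty instance when the
     *         enabled configuration is incomplete.
     */
    private Properties getCaptchaConfigs() {
        Properties recaptchaConfigs = BasicAuthenticatorDataHolder.getInstance().getRecaptchaConfigs();
        if (recaptchaConfigs == null || recaptchaConfigs.isEmpty()) {
            return recaptchaConfigs;
        }
        if (!Boolean.parseBoolean(recaptchaConfigs.getProperty("recaptcha.enabled"))) {
            return recaptchaConfigs;
        }
        boolean incomplete = StringUtils.isBlank(recaptchaConfigs.getProperty("recaptcha.site.key"))
                || StringUtils.isBlank(recaptchaConfigs.getProperty("recaptcha.api.url"))
                || StringUtils.isBlank(recaptchaConfigs.getProperty("recaptcha.secret.key"))
                || StringUtils.isBlank(recaptchaConfigs.getProperty("recaptcha.verify.url"));
        if (incomplete) {
            if (log.isDebugEnabled()) {
                log.debug("Empty values found for the captcha properties in the file captcha-config.properties.");
            }
            // Do not mutate the shared holder instance; an empty copy disables captcha for this call only.
            return new Properties();
        }
        return recaptchaConfigs;
    }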

    /**
     * When the authenticator is configured with a {@code UserNameAttributeClaimUri} and the user's
     * user-store domain has {@code MultipleAttributeEnable} set, replaces the authenticated user's
     * username with the value of that claim. Does nothing otherwise; user-store errors are logged at
     * debug level and swallowed.
     * <p>
     * NOTE(review): the success-path debug message prints the resolved username value itself,
     * whereas other messages in this class use {@code getLoggableUserId()} — consider whether that
     * value should appear in logs.
     *
     * @param authenticatedUser        the user to update in place.
     * @param abstractUserStoreManager user-store manager used to look up the claim.
     */
    private void updateMultiAttributeUsername(AuthenticatedUser authenticatedUser, AbstractUserStoreManager abstractUserStoreManager) {
        Map<?, ?> parameterMap = getAuthenticatorConfig().getParameterMap();
        if (parameterMap == null) {
            return;
        }
        String claimUri = (String) parameterMap.get("UserNameAttributeClaimUri");
        if (StringUtils.isBlank(claimUri)) {
            return;
        }
        String userStoreDomain = UserCoreUtil.getDomainFromThreadLocal();
        if (!isMultipleAttributeEnable(abstractUserStoreManager, userStoreDomain)) {
            if (log.isDebugEnabled()) {
                log.debug("MultipleAttribute is not enabled for user store domain : " + userStoreDomain + " Therefore UserNameAttribute is not retrieved");
            }
            return;
        }
        try {
            if (log.isDebugEnabled()) {
                log.debug("Searching for UserNameAttribute value for user " + authenticatedUser.getLoggableUserId() + " for claim uri : " + claimUri);
            }
            String resolvedUsername = getMultiAttributeUsername(authenticatedUser, abstractUserStoreManager, claimUri);
            if (StringUtils.isBlank(resolvedUsername)) {
                return;
            }
            authenticatedUser.setUserName(resolvedUsername);
            if (log.isDebugEnabled()) {
                log.debug("UserNameAttribute is found for user + " + authenticatedUser.getLoggableUserId() + ". Value is: " + resolvedUsername);
            }
        } catch (org.wso2.carbon.user.core.UserStoreException e) {
            // Best-effort: a lookup failure leaves the original username in place.
            if (log.isDebugEnabled()) {
                log.debug("Error while retrieving UserNameAttribute for user : " + authenticatedUser.getLoggableUserId(), e);
            }
        }
    }

    /**
     * Reads the given claim for the authenticated user from the appropriate user store: the
     * manager itself for a {@code null} or {@code PRIMARY} domain, otherwise the secondary
     * user-store manager for the user's domain.
     *
     * @param authenticatedUser        whose username and user-store domain select the store.
     * @param abstractUserStoreManager primary user-store manager.
     * @param str                      claim URI to read.
     * @return the claim value (may be null/blank when the claim is not set).
     * @throws org.wso2.carbon.user.core.UserStoreException on user-store failure.
     */
    private String getMultiAttributeUsername(AuthenticatedUser authenticatedUser, AbstractUserStoreManager abstractUserStoreManager, String str) throws org.wso2.carbon.user.core.UserStoreException {
        String userStoreDomain = authenticatedUser.getUserStoreDomain();
        String userName = authenticatedUser.getUserName();
        boolean primaryDomain = userStoreDomain == null || "PRIMARY".equals(userStoreDomain);
        if (primaryDomain) {
            return abstractUserStoreManager.getUserClaimValue(userName, str, (String) null);
        }
        return abstractUserStoreManager.getSecondaryUserStoreManager(userStoreDomain)
                .getUserClaimValue(userName, str, (String) null);
    }

    /**
     * Reports whether the {@code MultipleAttributeEnable} realm property is set for the given
     * user-store domain (or for the primary manager's realm when the domain is blank).
     *
     * @param abstractUserStoreManager primary user-store manager.
     * @param str                      user-store domain name; blank selects the primary realm.
     * @return {@code true} when the property parses as {@code true}; {@code false} when unset.
     */
    private boolean isMultipleAttributeEnable(AbstractUserStoreManager abstractUserStoreManager, String str) {
        final String propertyName = "MultipleAttributeEnable";
        String propertyValue;
        if (StringUtils.isNotBlank(str)) {
            propertyValue = abstractUserStoreManager.getSecondaryUserStoreManager(str)
                    .getRealmConfiguration().getUserStoreProperty(propertyName);
        } else {
            propertyValue = abstractUserStoreManager.getRealmConfiguration().getUserStoreProperty(propertyName);
        }
        return Boolean.parseBoolean(propertyValue);
    }

    /**
     * Resolves the user-store manager for a tenant.
     * <p>
     * NOTE(review): the {@link UserStoreException} message is propagated verbatim as the
     * {@link AuthenticationFailedException} message; check whether that text can reach an
     * end-user-facing error page before relying on it.
     *
     * @param str  the username, only used for the user attached to the failure exception and for
     *             the debug log.
     * @param str2 the tenant domain to resolve.
     * @return the tenant realm's user-store manager.
     * @throws AuthenticationFailedException when the tenant realm cannot be found or the realm
     *                                       service fails.
     */
    private AbstractUserStoreManager getUserStoreManager(String str, String str2) throws AuthenticationFailedException {
        try {
            int tenantId = BasicAuthenticatorServiceComponent.getRealmService().getTenantManager().getTenantId(str2);
            UserRealm tenantUserRealm = BasicAuthenticatorServiceComponent.getRealmService().getTenantUserRealm(tenantId);
            if (tenantUserRealm == null) {
                throw new AuthenticationFailedException("Cannot find the user realm for the given tenant: " + tenantId, User.getUserFromUserName(str));
            }
            return tenantUserRealm.getUserStoreManager();
        } catch (UserStoreException e) {
            if (log.isDebugEnabled()) {
                log.debug("Can't find the UserStoreManager for the user: " + str, e);
            }
            throw new AuthenticationFailedException(e.getMessage(), e);
        }
    }

    /**
     * Reads the server-level authentication-policy flag that controls whether account-existence
     * checks are performed.
     *
     * @return {@code true} when {@link BasicAuthenticatorConstants#AUTHENTICATION_POLICY_CONFIG}
     *         parses as {@code true}; {@code false} when unset.
     */
    private boolean isAuthPolicyAccountExistCheck() {
        String configured = IdentityUtil.getProperty(BasicAuthenticatorConstants.AUTHENTICATION_POLICY_CONFIG);
        return Boolean.parseBoolean(configured);
    }

    /**
     * Sets the identity error context to code {@code 17001} when the thread-local "user exists"
     * flag is not {@code true}. No-op when the user was found.
     */
    private void checkUserExistence() {
        boolean userExists = isUserExist();
        if (!userExists) {
            IdentityUtil.setIdentityErrorMsg(new IdentityErrorMsgContext("17001"));
        }
    }

    /**
     * Reads the thread-local "user exists" flag.
     *
     * @return {@code true} only when the thread-local map holds a non-null {@code true} under
     *         {@code USER_EXIST_THREAD_LOCAL_PROPERTY}; {@code false} when absent or false.
     */
    private Boolean isUserExist() {
        Map<?, ?> threadLocalMap = (Map<?, ?>) IdentityUtil.threadLocalProperties.get();
        Object flag = threadLocalMap.get(USER_EXIST_THREAD_LOCAL_PROPERTY);
        return flag != null && ((Boolean) flag).booleanValue();
    }

    /**
     * Initialises the thread-local "user exists" flag to {@code false} before authentication;
     * it is cleared again in the finally block of the authentication method.
     */
    private void setUserExistThreadLocal() {
        Map threadLocalMap = (Map) IdentityUtil.threadLocalProperties.get();
        threadLocalMap.put(USER_EXIST_THREAD_LOCAL_PROPERTY, Boolean.FALSE);
        if (log.isDebugEnabled()) {
            log.debug("userExistThreadLocalProperty is added as false to thread local.");
        }
    }

    /**
     * Removes the "user exists" flag from the thread-local map so it cannot leak into the next
     * request handled by this thread.
     */
    private void clearUserExistThreadLocal() {
        Map threadLocalMap = (Map) IdentityUtil.threadLocalProperties.get();
        threadLocalMap.remove(USER_EXIST_THREAD_LOCAL_PROPERTY);
    }

    /**
     * Chooses the tenant domain for the login: the one carried in the username, unless
     * tenant-qualified URLs are enabled and the application is not a SaaS app, in which case the
     * tenant is taken from the request context (so a user cannot pick a tenant via the username).
     *
     * @param authenticationContext current authentication context.
     * @param str                   the submitted username (possibly tenant-qualified).
     * @return the resolved tenant domain.
     */
    private String getTenantDomainFromUserName(AuthenticationContext authenticationContext, String str) {
        boolean tenantQualifiedUrls = IdentityTenantUtil.isTenantQualifiedUrlsEnabled();
        boolean saasApp = authenticationContext.getSequenceConfig().getApplicationConfig().isSaaSApp();
        if (tenantQualifiedUrls && !saasApp) {
            return IdentityTenantUtil.getTenantDomainFromContext();
        }
        return MultitenantUtils.getTenantDomain(str);
    }

    /**
     * Rejects login requests that carry the username or password in the URL query string
     * (credentials in URLs end up in access logs, browser history and Referer headers). When
     * detected, redirects back to the login page with
     * {@code authFailureMsg=query.params.contains.user.credentials} and returns {@code true}.
     * <p>
     * NOTE(review): this is a plain substring match on the raw (undecoded) query string for
     * {@code USER_NAME_PARAM} and {@code "password="}; a percent-encoded parameter name would
     * presumably not match while the container would still decode it — verify whether that
     * matters for this deployment.
     *
     * @param httpServletRequest    the request; unwrapped when it is an {@link AuthenticationFrameworkWrapper}.
     * @param httpServletResponse   used to send the redirect.
     * @param authenticationContext supplies the context-id query parameters for the redirect.
     * @return {@code true} when credentials were found in the query string and a redirect was sent.
     * @throws AuthenticationFailedException when the redirect cannot be written.
     */
    private boolean isURLContainSensitiveData(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationContext authenticationContext) throws AuthenticationFailedException {
        String queryString;
        if (httpServletRequest instanceof AuthenticationFrameworkWrapper) {
            queryString = ((AuthenticationFrameworkWrapper) httpServletRequest).getRequest().getQueryString();
        } else {
            queryString = httpServletRequest.getQueryString();
        }
        boolean hasUserName = StringUtils.contains(queryString, BasicAuthenticatorConstants.USER_NAME_PARAM);
        boolean hasPassword = StringUtils.contains(queryString, "password=");
        if (!hasUserName && !hasPassword) {
            return false;
        }
        String redirectUrl = ConfigurationFacade.getInstance().getAuthenticationEndpointURL()
                + "?" + authenticationContext.getContextIdIncludedQueryParams()
                + BasicAuthenticatorConstants.AUTHENTICATORS + getName() + ":" + BasicAuthenticatorConstants.LOCAL
                + BasicAuthenticatorConstants.AUTH_FAILURE_PARAM + "true"
                + BasicAuthenticatorConstants.AUTH_FAILURE_MSG_PARAM + "query.params.contains.user.credentials";
        try {
            httpServletResponse.sendRedirect(redirectUrl);
        } catch (IOException e) {
            throw new AuthenticationFailedException(BasicAuthErrorConstants.ErrorMessages.SYSTEM_ERROR_WHILE_AUTHENTICATING.getCode(), e.getMessage(), User.getUserFromUserName(httpServletRequest.getParameter("username")), e);
        }
        return true;
    }

    /**
     * Server-level default for whether pending-user information may be disclosed on a user-store
     * failure. Defaults to {@code true} when the property is absent; a present value is parsed
     * with {@link Boolean#parseBoolean(String)} (anything other than {@code "true"} disables it).
     *
     * @return the configured default.
     */
    private boolean showPendingUserInformationDefaultConfig() {
        String configured = IdentityUtil.getProperty(BasicAuthenticatorConstants.SHOW_PENDING_USER_INFORMATION_CONFIG);
        // Absent property means "show"; this is the permissive default, so tenants that must not
        // disclose pending-user state need to set it explicitly.
        return configured == null || Boolean.parseBoolean(configured);
    }
}
