package org.cloudfoundry.identity.uaa.login;

import com.google.zxing.WriterException;
import com.warrenstrange.googleauth.GoogleAuthenticatorException;
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.cloudfoundry.identity.uaa.authentication.UaaAuthentication;
import org.cloudfoundry.identity.uaa.authentication.UaaPrincipal;
import org.cloudfoundry.identity.uaa.authentication.event.MfaAuthenticationFailureEvent;
import org.cloudfoundry.identity.uaa.authentication.event.MfaAuthenticationSuccessEvent;
import org.cloudfoundry.identity.uaa.mfa.GoogleAuthenticatorAdapter;
import org.cloudfoundry.identity.uaa.mfa.MfaProvider;
import org.cloudfoundry.identity.uaa.mfa.MfaProviderProvisioning;
import org.cloudfoundry.identity.uaa.mfa.UserGoogleMfaCredentialsProvisioning;
import org.cloudfoundry.identity.uaa.user.UaaUser;
import org.cloudfoundry.identity.uaa.user.UaaUserDatabase;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ApplicationEventPublisherAware;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.view.RedirectView;

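@Controller
/**
 * Web endpoints for the TOTP second factor of the UAA login flow: enrolment
 * (QR code or manual secret entry) and verification of the submitted code.
 *
 * <p>Every handler requires a {@link UaaAuthentication} with a non-null
 * principal in the {@link SecurityContextHolder}; otherwise
 * {@link UaaPrincipalIsNotInSession} is thrown and
 * {@link #handleUaaPrincipalIsNotInSession()} redirects to {@code /login}.
 *
 * <p>NOTE(review): this listing looks like decompiler output (the
 * {@code loaded from} markers, the {@code m16getPrincipal} accessor name);
 * the original {@code validateCode} most likely wrapped the code check in the
 * try/catch that the decompiler rendered as an empty try block. That wrapping
 * is restored here so a non-numeric code yields the "incorrect code" page
 * instead of an uncaught {@link NumberFormatException}.
 */
public class TotpMfaEndpoint implements ApplicationEventPublisherAware {
    private static final Log LOGGER = LogFactory.getLog(TotpMfaEndpoint.class);

    /** Error text shown on the enter-code page after any rejected attempt. */
    private static final String INCORRECT_CODE_MESSAGE = "Incorrect code, please try again.";

    private UserGoogleMfaCredentialsProvisioning userGoogleMfaCredentialsProvisioning;
    private MfaProviderProvisioning mfaProviderProvisioning;
    private GoogleAuthenticatorAdapter googleAuthenticatorService;
    private ApplicationEventPublisher eventPublisher;
    private UaaUserDatabase userDatabase;
    // Context-relative redirect target after a successful code check; overridable via setter.
    private String mfaCompleteUrl = "/login/mfa/completed";

    /**
     * Signals that no {@link UaaAuthentication} with a principal is present in the
     * security context. Static nested: it carries no state from the enclosing endpoint.
     */
    public static class UaaPrincipalIsNotInSession extends Exception {
        public UaaPrincipalIsNotInSession() {
        }
    }

    /**
     * Overrides the URL the user is redirected to once the code has been verified.
     *
     * @param str context-relative URL (see {@code RedirectView(url, true)} in {@link #validateCode})
     */
    public void setMfaCompleteUrl(String str) {
        this.mfaCompleteUrl = str;
    }

    /**
     * Renders the QR-code enrolment page, or redirects to verification when the
     * user already has an active credential for the zone's MFA provider.
     *
     * @param model receives {@code qrurl} and {@code identity_zone}
     * @return view name {@code mfa/qr_code}, or a redirect to {@code /login/mfa/verify}
     * @throws UaaPrincipalIsNotInSession when no authenticated UAA principal is in the session
     */
    @RequestMapping(value = {"/login/mfa/register"}, method = {RequestMethod.GET})
    public String generateQrUrl(Model model) throws NoSuchAlgorithmException, WriterException, IOException, UaaPrincipalIsNotInSession {
        UaaPrincipal principal = getSessionAuthPrincipal();
        MfaProvider mfaProvider = getMfaProvider();
        if (isAlreadyEnrolled(principal, mfaProvider)) {
            return "redirect:/login/mfa/verify";
        }
        String issuer = mfaProvider.getConfig().getIssuer();
        model.addAttribute("qrurl", this.googleAuthenticatorService.getOtpAuthURL(issuer, principal.getId(), principal.getName()));
        model.addAttribute("identity_zone", IdentityZoneHolder.get().getName());
        return "mfa/qr_code";
    }

    /**
     * Renders the manual enrolment page (issuer, username and the raw OTP secret),
     * or redirects to verification when the user is already enrolled.
     *
     * <p>The page exposes the shared secret in the response body, so it is only
     * reachable for a user who is not yet enrolled.
     *
     * @param model receives {@code issuer}, {@code username}, {@code mfa_secret}, {@code identity_zone}
     * @return view name {@code mfa/manual_registration}, or a redirect to {@code /login/mfa/verify}
     * @throws UaaPrincipalIsNotInSession when no authenticated UAA principal is in the session
     */
    @RequestMapping(value = {"/login/mfa/manual"}, method = {RequestMethod.GET})
    public String manualRegistration(Model model) throws UaaPrincipalIsNotInSession {
        UaaPrincipal principal = getSessionAuthPrincipal();
        MfaProvider mfaProvider = getMfaProvider();
        if (isAlreadyEnrolled(principal, mfaProvider)) {
            return "redirect:/login/mfa/verify";
        }
        model.addAttribute("issuer", mfaProvider.getConfig().getIssuer());
        model.addAttribute("username", principal.getName());
        model.addAttribute("mfa_secret", this.googleAuthenticatorService.getOtpSecret(principal.getId()));
        model.addAttribute("identity_zone", IdentityZoneHolder.get().getName());
        return "mfa/manual_registration";
    }

    /**
     * Renders the enter-code page for the current principal.
     *
     * @throws UaaPrincipalIsNotInSession when no authenticated UAA principal is in the session
     */
    @RequestMapping(value = {"/login/mfa/verify"}, method = {RequestMethod.GET})
    public ModelAndView totpAuthorize(Model model) throws UaaPrincipalIsNotInSession {
        return renderEnterCodePage(model, getSessionAuthPrincipal());
    }

    /**
     * Verifies the submitted TOTP code. On success the pending credentials are
     * persisted, {@code otp} and {@code mfa} are added to the authentication's
     * methods, a success event is published and the user is redirected to the
     * MFA-complete URL. Any failure (wrong code, non-numeric input, adapter error)
     * publishes a failure event and re-renders the enter-code page.
     *
     * <p>Lockout or rate limiting of failed attempts is not applied in this class;
     * listeners of {@link MfaAuthenticationFailureEvent} are the hook for that.
     *
     * @param model view model; receives {@code error} on failure
     * @param code  the six-digit code as submitted (request parameter {@code code})
     * @return redirect to the MFA-complete URL, or the enter-code page on failure
     * @throws UaaPrincipalIsNotInSession when no authenticated UAA principal is in the session
     */
    @RequestMapping(value = {"/login/mfa/verify.do"}, method = {RequestMethod.POST})
    public ModelAndView validateCode(Model model, @RequestParam("code") String code) throws UaaPrincipalIsNotInSession {
        UaaAuthentication uaaAuthentication = getUaaAuthentication();
        UaaPrincipal principal = getSessionAuthPrincipal();

        boolean codeIsValid;
        try {
            // Integer.valueOf rejects non-numeric input with NumberFormatException; the
            // adapter may raise GoogleAuthenticatorException. Both count as a failed attempt.
            codeIsValid = this.googleAuthenticatorService.isValidCode(principal.getId(), Integer.valueOf(code));
        } catch (NumberFormatException | GoogleAuthenticatorException e) {
            // Log the exception type only: NumberFormatException's message echoes the
            // submitted value, which must not end up in the log.
            LOGGER.debug("Error validating the code for user: " + principal.getId() + ". Error: " + e.getClass().getSimpleName());
            return rejectCode(model, principal, uaaAuthentication);
        }
        if (!codeIsValid) {
            LOGGER.debug("Code authorization failed for user: " + principal.getId());
            return rejectCode(model, principal, uaaAuthentication);
        }

        // First successful check after enrolment activates the credential.
        this.userGoogleMfaCredentialsProvisioning.persistCredentials();
        Set<String> methods = new HashSet<>(uaaAuthentication.getAuthenticationMethods());
        methods.addAll(Arrays.asList("otp", "mfa"));
        uaaAuthentication.setAuthenticationMethods(methods);
        publish(new MfaAuthenticationSuccessEvent(getUaaUser(principal), uaaAuthentication, getMfaProvider().getType().toValue()));
        // Second argument: the URL is relative to the servlet context.
        return new ModelAndView(new RedirectView(this.mfaCompleteUrl, true));
    }

    public void setUserGoogleMfaCredentialsProvisioning(UserGoogleMfaCredentialsProvisioning userGoogleMfaCredentialsProvisioning) {
        this.userGoogleMfaCredentialsProvisioning = userGoogleMfaCredentialsProvisioning;
    }

    public void setMfaProviderProvisioning(MfaProviderProvisioning mfaProviderProvisioning) {
        this.mfaProviderProvisioning = mfaProviderProvisioning;
    }

    public void setGoogleAuthenticatorService(GoogleAuthenticatorAdapter googleAuthenticatorAdapter) {
        this.googleAuthenticatorService = googleAuthenticatorAdapter;
    }

    public void setUserDatabase(UaaUserDatabase uaaUserDatabase) {
        this.userDatabase = uaaUserDatabase;
    }

    @Override
    public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
        this.eventPublisher = applicationEventPublisher;
    }

    /** Sends the user back to the login page when no UAA principal is in the session. */
    @ExceptionHandler({UaaPrincipalIsNotInSession.class})
    public ModelAndView handleUaaPrincipalIsNotInSession() {
        return new ModelAndView("redirect:/login", Collections.emptyMap());
    }

    /** True when the user already holds an activated credential for the given provider. */
    private boolean isAlreadyEnrolled(UaaPrincipal principal, MfaProvider mfaProvider) {
        return this.userGoogleMfaCredentialsProvisioning.activeUserCredentialExists(principal.getId(), mfaProvider.getId());
    }

    /**
     * Common failure path of {@link #validateCode}: publishes a failure event,
     * sets the error message and re-renders the enter-code page.
     */
    private ModelAndView rejectCode(Model model, UaaPrincipal principal, UaaAuthentication uaaAuthentication) {
        publish(new MfaAuthenticationFailureEvent(getUaaUser(principal), uaaAuthentication, getMfaProvider().getType().toValue()));
        model.addAttribute("error", INCORRECT_CODE_MESSAGE);
        return renderEnterCodePage(model, principal);
    }

    /** Builds the enter-code view, flagging whether this is the user's first MFA use. */
    private ModelAndView renderEnterCodePage(Model model, UaaPrincipal uaaPrincipal) {
        model.addAttribute("is_first_time_user", this.userGoogleMfaCredentialsProvisioning.isFirstTimeMFAUser(uaaPrincipal));
        model.addAttribute("identity_zone", IdentityZoneHolder.get().getName());
        return new ModelAndView("mfa/enter_code", model.asMap());
    }

    /**
     * Returns the principal of the current {@link UaaAuthentication}.
     *
     * @throws UaaPrincipalIsNotInSession when the context holds no UaaAuthentication or its principal is null
     */
    private UaaPrincipal getSessionAuthPrincipal() throws UaaPrincipalIsNotInSession {
        UaaAuthentication uaaAuthentication = getUaaAuthentication();
        if (uaaAuthentication == null) {
            throw new UaaPrincipalIsNotInSession();
        }
        // m16getPrincipal: presumably the decompiler's name for the covariant principal accessor — confirm against source.
        UaaPrincipal principal = uaaAuthentication.m16getPrincipal();
        if (principal == null) {
            throw new UaaPrincipalIsNotInSession();
        }
        return principal;
    }

    /** The context's authentication when it is a {@link UaaAuthentication}, else {@code null}. */
    private UaaAuthentication getUaaAuthentication() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        return authentication instanceof UaaAuthentication ? (UaaAuthentication) authentication : null;
    }

    /** Looks up the MFA provider configured for the current identity zone. */
    private MfaProvider getMfaProvider() {
        // Read the zone once so both the provider name and the zone id come from the same zone.
        org.cloudfoundry.identity.uaa.zone.IdentityZone zone = IdentityZoneHolder.get();
        return this.mfaProviderProvisioning.retrieveByName(zone.getConfig().getMfaConfig().getProviderName(), zone.getId());
    }

    /** Publishes the event if a publisher has been injected; otherwise drops it silently. */
    private void publish(ApplicationEvent applicationEvent) {
        if (this.eventPublisher != null) {
            this.eventPublisher.publishEvent(applicationEvent);
        }
    }

    /**
     * Resolves the principal to its {@link UaaUser} by name and origin.
     *
     * @return the user, or {@code null} when the database has no such user
     *         (either returned null or threw {@link UsernameNotFoundException});
     *         callers pass that result straight into the MFA events
     */
    private UaaUser getUaaUser(UaaPrincipal uaaPrincipal) {
        try {
            return this.userDatabase.retrieveUserByName(uaaPrincipal.getName(), uaaPrincipal.getOrigin());
        } catch (UsernameNotFoundException ignored) {
            // Best effort: an unknown user is reported to the events as null rather than failing the request.
            return null;
        }
    }
}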
