package org.wso2.carbon.identity.captcha.connector.recaptcha;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.application.authentication.framework.AuthenticationFlowHandler;
import org.wso2.carbon.identity.application.authentication.framework.config.model.AuthenticatorConfig;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedIdPData;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.common.model.Property;
import org.wso2.carbon.identity.captcha.connector.CaptchaPostValidationResponse;
import org.wso2.carbon.identity.captcha.connector.CaptchaPreValidationResponse;
import org.wso2.carbon.identity.captcha.exception.CaptchaException;
import org.wso2.carbon.identity.captcha.internal.CaptchaDataHolder;
import org.wso2.carbon.identity.captcha.util.CaptchaConstants;
import org.wso2.carbon.identity.captcha.util.CaptchaUtil;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.governance.IdentityGovernanceException;
import org.wso2.carbon.identity.governance.IdentityGovernanceService;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/identity/captcha/connector/recaptcha/EmailOTPCaptchaConnector.class */
/**
 * reCAPTCHA connector for the email OTP authenticator.
 *
 * <p>The connector applies to OTP submissions sent to {@code /commonauth} while
 * {@code email-otp-authenticator} is the current authenticator of the cached
 * authentication context. Whether a CAPTCHA is demanded is decided from the
 * tenant's governance configuration, the global "forcefully enabled" switch in
 * {@link CaptchaDataHolder}, and the failed-attempt claim
 * {@code http://wso2.org/claims/identity/failedEmailOtpAttempts}.
 *
 * <p>Several inputs to that decision ({@code sessionDataKey}, {@code OTPCode},
 * {@code resendCode}) are request parameters, i.e. supplied by the client.
 */
public class EmailOTPCaptchaConnector extends AbstractReCaptchaConnector {
    private static final Log log = LogFactory.getLog(EmailOTPCaptchaConnector.class);
    private static final String SECURED_DESTINATIONS = "/commonauth";
    public static final String EMAIL_OTP_AUTHENTICATOR_NAME = "email-otp-authenticator";
    public static final String IS_REDIRECT_TO_EMAIL_OTP = "isRedirectToEmailOTP";
    public static final String RESEND_CODE = "resendCode";
    private static final String ON_FAIL_REDIRECT_URL = "/authenticationendpoint/login.do";
    private static final String EMAIL_OTP_LOGIN_ATTEMPT_FAIL_CLAIM = "http://wso2.org/claims/identity/failedEmailOtpAttempts";
    private static final String RECAPTCHA_PARAM = "reCaptcha";
    private static final String AUTH_FAILURE = "authFailure";
    private static final String AUTH_FAILURE_MSG = "authFailureMsg";
    private static final String RECAPTCHA_FAIL_MSG = "recaptcha.fail.message";
    private static final String OTP_CODE_PARAM = "OTPCode";
    // Request parameter carrying the key of the cached authentication context.
    private static final String SESSION_DATA_KEY_PARAM = "sessionDataKey";
    // Governance property names read by this connector.
    private static final String CONFIG_ENABLE_ALWAYS = "sso.login.recaptcha.enable.always";
    private static final String CONFIG_ENABLE = "sso.login.recaptcha.enable";
    private static final String CONFIG_ON_MAX_FAILED_ATTEMPTS = "sso.login.recaptcha.on.max.failed.attempts";
    private IdentityGovernanceService identityGovernanceService;

    /**
     * Stores the governance service used later to read per-tenant configuration.
     *
     * @param identityGovernanceService service queried by {@link #preValidate} and
     *                                  {@link #isEmailRecaptchaEnabled}
     */
    @Override
    public void init(IdentityGovernanceService identityGovernanceService) {
        this.identityGovernanceService = identityGovernanceService;
    }

    /**
     * Returns this connector's fixed priority value.
     *
     * @return always {@code 30}
     */
    @Override
    public int getPriority() {
        return 30;
    }

    /**
     * Decides whether this connector is responsible for the request.
     *
     * <p>All of the following must hold: the request URI matches {@code /commonauth};
     * a {@code sessionDataKey} parameter resolves to a cached authentication context;
     * that context's current authenticator is the email OTP authenticator and its
     * {@code isRedirectToEmailOTP} property parses to {@code true}; an {@code OTPCode}
     * parameter is present; the context is at step 1; the previously authenticated
     * IdPs are not exclusively flow handlers; the request is not flagged as a resend;
     * and {@link #isEmailRecaptchaEnabled} returns {@code true}.
     *
     * @param servletRequest  incoming request; cast to {@link HttpServletRequest}
     * @param servletResponse unused here
     * @return {@code true} when the request should go through CAPTCHA handling
     * @throws CaptchaException propagated from {@link #isEmailRecaptchaEnabled}
     */
    @Override
    public boolean canHandle(ServletRequest servletRequest, ServletResponse servletResponse) throws CaptchaException {
        String uri = ((HttpServletRequest) servletRequest).getRequestURI();
        if (StringUtils.isBlank(uri) || !CaptchaUtil.isPathAvailable(uri, SECURED_DESTINATIONS)) {
            return false;
        }

        String sessionDataKey = servletRequest.getParameter(SESSION_DATA_KEY_PARAM);
        if (sessionDataKey == null) {
            return false;
        }

        AuthenticationContext context = FrameworkUtils.getAuthenticationContextFromCache(sessionDataKey);
        if (context == null || !EMAIL_OTP_AUTHENTICATOR_NAME.equals(context.getCurrentAuthenticator())) {
            return false;
        }

        // The authenticator name has just been confirmed, so only the redirect flag is left to test.
        // The cast throws ClassCastException if the property was stored as a non-String value.
        if (!Boolean.parseBoolean((String) context.getProperty(IS_REDIRECT_TO_EMAIL_OTP))) {
            return false;
        }
        if (servletRequest.getParameter(OTP_CODE_PARAM) == null) {
            return false;
        }
        if (context.getCurrentStep() != 1) {
            return false;
        }
        if (isPreviousIdPAuthenticationFlowHandler(context)) {
            return false;
        }
        // NOTE(review): a request carrying resendCode=true is never CAPTCHA-gated by this
        // connector, and the flag is read straight from the request. Confirm that OTP resend
        // is rate-limited elsewhere.
        if (Boolean.parseBoolean(servletRequest.getParameter(RESEND_CODE))) {
            return false;
        }
        return isEmailRecaptchaEnabled(servletRequest);
    }

    /**
     * Builds the pre-validation response that says whether a CAPTCHA answer must be
     * verified for this request.
     *
     * <p>CAPTCHA validation is required when reCAPTCHA is forcefully enabled for all
     * tenants or the tenant's {@code sso.login.recaptcha.enable.always} property is
     * {@code true}; failing that, when the user has reached the maximum number of
     * failed attempts. Post-validation is requested on every path.
     *
     * <p>The cached context and its last authenticated user are dereferenced without
     * null checks, so this method relies on the caller having obtained {@code true}
     * from {@link #canHandle} for the same request.
     * NOTE(review): when reCAPTCHA is forcefully enabled, {@link #isEmailRecaptchaEnabled}
     * returns before checking that a last authenticated user exists, so a
     * {@link NullPointerException} looks possible here on that path. Confirm against the
     * framework's guarantees for step 1.
     *
     * @param servletRequest  request carrying the {@code sessionDataKey} parameter
     * @param servletResponse unused here
     * @return the populated pre-validation response
     * @throws CaptchaException propagated from the failed-attempt lookup
     */
    @Override
    public CaptchaPreValidationResponse preValidate(ServletRequest servletRequest, ServletResponse servletResponse) throws CaptchaException {
        CaptchaPreValidationResponse response = new CaptchaPreValidationResponse();
        AuthenticationContext context =
                FrameworkUtils.getAuthenticationContextFromCache(servletRequest.getParameter(SESSION_DATA_KEY_PARAM));
        String username = context.getLastAuthenticatedUser().getUserName();
        String tenantDomain = getTenant(context, username);

        Property[] enableAlwaysConfig = null;
        try {
            enableAlwaysConfig =
                    this.identityGovernanceService.getConfiguration(new String[]{CONFIG_ENABLE_ALWAYS}, tenantDomain);
        } catch (IdentityGovernanceException e) {
            // Processing continues with no configuration: the "always" branch is then taken only
            // via the global switch, otherwise the failed-attempt check below decides.
            log.error("Unable to load connector configuration.", e);
        }

        // Kept as one short-circuit expression so the property is not read when the global switch is on.
        boolean captchaAlwaysRequired = CaptchaDataHolder.getInstance().isForcefullyEnabledRecaptchaForAllTenants()
                || (enableAlwaysConfig != null
                        && enableAlwaysConfig.length != 0
                        && Boolean.parseBoolean(enableAlwaysConfig[0].getValue()));

        if (captchaAlwaysRequired) {
            response.setCaptchaAttributes(buildFailureAttributes(false));
            response.setOnCaptchaFailRedirectUrls(getFailedUrlList());
            response.setCaptchaValidationRequired(true);
        } else if (CaptchaUtil.isMaximumFailedLoginAttemptsReached(
                MultitenantUtils.getTenantAwareUsername(username), tenantDomain, EMAIL_OTP_LOGIN_ATTEMPT_FAIL_CLAIM)) {
            response.setCaptchaValidationRequired(true);
            response.setMaxFailedLimitReached(true);
            response.setOnCaptchaFailRedirectUrls(getFailedUrlList());
            response.setCaptchaAttributes(buildFailureAttributes(true));
        }

        // NOTE(review): the flag below is set on every path, including when the failed-attempt
        // limit was not reached. Confirm this is intended as "always post-validate".
        response.setMaxFailedLimitReached(true);
        response.setPostValidationRequired(true);
        return response;
    }

    /**
     * Creates the attribute map attached to a response when CAPTCHA validation fails.
     *
     * @param includeReCaptchaFlag whether to add {@code reCaptcha=true} to the map
     * @return a new mutable map with the failure flag and failure message key
     */
    private Map<String, String> buildFailureAttributes(boolean includeReCaptchaFlag) {
        Map<String, String> attributes = new HashMap<>();
        if (includeReCaptchaFlag) {
            attributes.put(RECAPTCHA_PARAM, Boolean.TRUE.toString());
        }
        attributes.put(AUTH_FAILURE, Boolean.TRUE.toString());
        attributes.put(AUTH_FAILURE_MSG, RECAPTCHA_FAIL_MSG);
        return attributes;
    }

    /**
     * Lists the URLs a client may be redirected to when CAPTCHA validation fails.
     *
     * <p>Configured URLs come from {@link CaptchaDataHolder} as a comma-separated string and
     * are used exactly as split (no trimming, no validation); the default login page is
     * always appended last.
     *
     * @return a new mutable list ending with {@code /authenticationendpoint/login.do}
     */
    private List<String> getFailedUrlList() {
        List<String> redirectUrls = new ArrayList<>();
        String configuredUrls = CaptchaDataHolder.getInstance().getReCaptchaErrorRedirectUrls();
        if (StringUtils.isNotBlank(configuredUrls)) {
            redirectUrls.addAll(Arrays.asList(configuredUrls.split(",")));
        }
        redirectUrls.add(ON_FAIL_REDIRECT_URL);
        return redirectUrls;
    }

    /**
     * Produces the post-validation response for a request.
     *
     * <p>Nothing is reported when {@code CaptchaConstants.getEnableSecurityMechanism()} is
     * blank. Otherwise that value is cleared and the attempt is reported as unsuccessful
     * with {@code reCaptcha=true}, so the CAPTCHA is shown on the response path.
     * NOTE(review): where the security-mechanism value is set, and its scope, is not visible
     * in this class.
     *
     * @param servletRequest  unused here
     * @param servletResponse unused here
     * @return the response, or {@code null} when no security mechanism is flagged
     * @throws CaptchaException declared by the interface; not thrown by this body
     */
    @Override
    public CaptchaPostValidationResponse postValidate(ServletRequest servletRequest, ServletResponse servletResponse) throws CaptchaException {
        if (StringUtils.isBlank(CaptchaConstants.getEnableSecurityMechanism())) {
            return null;
        }
        CaptchaConstants.removeEnabledSecurityMechanism();

        Map<String, String> attributes = new HashMap<>();
        attributes.put(RECAPTCHA_PARAM, Boolean.TRUE.toString());

        CaptchaPostValidationResponse response = new CaptchaPostValidationResponse();
        response.setSuccessfulAttempt(false);
        response.setEnableCaptchaResponsePath(true);
        response.setCaptchaAttributes(attributes);
        return response;
    }

    /**
     * Tells whether reCAPTCHA applies to the user behind this request.
     *
     * <p>Returns {@code true} immediately when reCAPTCHA is forcefully enabled for all
     * tenants. Otherwise the user is resolved from the cached authentication context and
     * the tenant configuration is consulted: with "enable always" the result is the global
     * reCAPTCHA-enabled flag; with plain "enable" the same flag is returned only once the
     * maximum failed attempts are reached; in every other case the result is {@code false}.
     *
     * <p>This check fails open: if the configuration cannot be loaded, the method returns
     * {@code false} and the failure is logged at debug level only.
     *
     * @param servletRequest request carrying the {@code sessionDataKey} parameter
     * @return {@code true} when CAPTCHA handling should apply
     * @throws CaptchaException propagated from the failed-attempt lookup
     */
    public boolean isEmailRecaptchaEnabled(ServletRequest servletRequest) throws CaptchaException {
        if (CaptchaDataHolder.getInstance().isForcefullyEnabledRecaptchaForAllTenants()) {
            return true;
        }

        String sessionDataKey = servletRequest.getParameter(SESSION_DATA_KEY_PARAM);
        if (sessionDataKey == null) {
            return false;
        }
        AuthenticationContext context = FrameworkUtils.getAuthenticationContextFromCache(sessionDataKey);
        if (context == null || context.getLastAuthenticatedUser() == null) {
            return false;
        }
        String username = context.getLastAuthenticatedUser().getUserName();
        if (StringUtils.isBlank(username)) {
            return false;
        }

        String tenantDomain = getTenant(context, username);
        try {
            Property[] configs = this.identityGovernanceService.getConfiguration(
                    new String[]{CONFIG_ENABLE_ALWAYS, CONFIG_ENABLE, CONFIG_ON_MAX_FAILED_ATTEMPTS}, tenantDomain);
            // Three properties are requested and exactly three must come back; the value of the
            // third one is not consulted below.
            if (ArrayUtils.isEmpty(configs) || configs.length != 3) {
                return false;
            }

            if (Boolean.parseBoolean(configs[0].getValue())) {
                // "Enable always": only the global reCAPTCHA switch can still turn it off.
                return CaptchaDataHolder.getInstance().isReCaptchaEnabled();
            }
            if (!Boolean.parseBoolean(configs[1].getValue())) {
                return false;
            }

            // NOTE(review): preValidate passes the tenant-aware username to this same lookup,
            // while the raw username is used here. Confirm which form CaptchaUtil expects.
            if (CaptchaUtil.isMaximumFailedLoginAttemptsReached(username, tenantDomain, EMAIL_OTP_LOGIN_ATTEMPT_FAIL_CLAIM)) {
                return CaptchaDataHolder.getInstance().isReCaptchaEnabled();
            }
            return false;
        } catch (IdentityGovernanceException e) {
            // NOTE(review): CAPTCHA is skipped for this request and operators only see it with
            // debug logging on. Consider whether this failure deserves a higher log level.
            if (log.isDebugEnabled()) {
                log.debug("Unable to load connector configuration.", e);
            }
            return false;
        }
    }

    /**
     * Resolves the tenant domain used for configuration and claim lookups.
     *
     * @param authenticationContext context supplying the user tenant domain
     * @param str                   username from which the domain is derived otherwise
     * @return the context's user tenant domain when tenanted sessions or tenant-qualified
     *         URLs are enabled, else the domain extracted from the username
     */
    private String getTenant(AuthenticationContext authenticationContext, String str) {
        if (IdentityTenantUtil.isTenantedSessionsEnabled() || IdentityTenantUtil.isTenantQualifiedUrlsEnabled()) {
            return authenticationContext.getUserTenantDomain();
        }
        return MultitenantUtils.getTenantDomain(str);
    }

    /**
     * Checks whether every authenticator of the already authenticated IdPs is an
     * {@link AuthenticationFlowHandler}.
     *
     * @param authenticationContext context whose authenticated IdPs are inspected
     * @return {@code true} only if at least one authenticator was seen and all of them are
     *         flow handlers; {@code false} when there are none or any one is not
     */
    private boolean isPreviousIdPAuthenticationFlowHandler(AuthenticationContext authenticationContext) {
        Map<?, ?> authenticatedIdPs = authenticationContext.getCurrentAuthenticatedIdPs();
        if (authenticatedIdPs == null || authenticatedIdPs.isEmpty()) {
            return false;
        }

        boolean sawAuthenticator = false;
        for (Object value : authenticatedIdPs.values()) {
            AuthenticatedIdPData idpData = (AuthenticatedIdPData) value;
            if (idpData == null) {
                continue;
            }
            List<?> authenticators = idpData.getAuthenticators();
            if (authenticators == null) {
                continue;
            }
            for (Object authenticator : authenticators) {
                sawAuthenticator = true;
                AuthenticatorConfig config = (AuthenticatorConfig) authenticator;
                if (!(config.getApplicationAuthenticator() instanceof AuthenticationFlowHandler)) {
                    // A single regular authenticator is enough to answer "no".
                    return false;
                }
            }
        }
        return sawAuthenticator;
    }
}
