package org.wso2.carbon.identity.rest.api.user.totp.v1.core;

import java.util.HashMap;
import java.util.Map;
import javax.ws.rs.core.Response;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.core.util.CryptoException;
import org.wso2.carbon.identity.api.user.common.ContextLoader;
import org.wso2.carbon.identity.api.user.common.error.APIError;
import org.wso2.carbon.identity.api.user.common.error.ErrorResponse;
import org.wso2.carbon.identity.api.user.totp.common.TOTPConstants;
import org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException;
import org.wso2.carbon.identity.application.authenticator.totp.TOTPKeyGenerator;
import org.wso2.carbon.identity.application.authenticator.totp.exception.TOTPException;
import org.wso2.carbon.identity.application.authenticator.totp.util.TOTPAuthenticatorConfig;
import org.wso2.carbon.identity.application.authenticator.totp.util.TOTPAuthenticatorCredentials;
import org.wso2.carbon.identity.application.authenticator.totp.util.TOTPKeyRepresentation;
import org.wso2.carbon.identity.application.authenticator.totp.util.TOTPUtil;
import org.wso2.carbon.identity.application.common.model.User;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.rest.api.user.totp.v1.dto.TOTPResponseDTO;
import org.wso2.carbon.identity.rest.api.user.totp.v1.dto.TOTPSecretResponseDTO;
import org.wso2.carbon.user.api.UserRealm;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:WEB-INF/lib/org.wso2.carbon.identity.rest.api.user.totp.v1-1.3.34.jar:org/wso2/carbon/identity/rest/api/user/totp/v1/core/TOTPService.class */
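public class TOTPService {

    private static final Log log = LogFactory.getLog(TOTPService.class);

    // Claim URIs read/written by this service (kept byte-identical to the wire values).
    private static final String SECRET_KEY_CLAIM = "http://wso2.org/claims/identity/secretkey";
    private static final String VERIFY_SECRET_KEY_CLAIM = "http://wso2.org/claims/identity/verifySecretkey";
    private static final String ENCODING_CLAIM = "http://wso2.org/claims/identity/encoding";
    private static final String QR_CODE_URL_CLAIM = "http://wso2.org/claims/identity/qrcodeurl";
    // Thread-local request property set by the authentication layer when basic auth was used.
    private static final String BASIC_AUTH_PROPERTY = "AuthenticatedWithBasicAuth";
    private static final String BASE64_ENCODING = "Base64";

    /**
     * Returns the caller's TOTP secret in plaintext (for manual enrolment in an authenticator app).
     * <p>
     * Resolution order: the confirmed secret claim, then the pending ("verify") secret claim; if
     * neither exists a fresh key is generated, stored encrypted as the pending secret together with
     * the tenant's encoding method, and returned. If no user realm can be resolved the response
     * carries a {@code null} secret (pre-existing behaviour, kept; see note below).
     * <p>
     * Security: the returned value is the raw shared secret. It must never be logged, cached or
     * echoed anywhere other than this response body.
     *
     * @return DTO carrying the plaintext secret (possibly {@code null}).
     * @throws APIError 403 for basic-auth callers, 401 if the user cannot be authenticated, 500 on
     *                  user-store, crypto or TOTP failures.
     */
    public TOTPSecretResponseDTO getSecretKey() {
        rejectBasicAuth();
        User user = getUser();
        String fullyQualifiedUsername = user.toFullQualifiedUsername();
        TOTPSecretResponseDTO response = new TOTPSecretResponseDTO();
        String secret = null;
        try {
            UserRealm userRealm = TOTPUtil.getUserRealm(fullyQualifiedUsername);
            String tenantAwareUsername = MultitenantUtils.getTenantAwareUsername(fullyQualifiedUsername);
            if (userRealm != null) {
                Map<String, String> claims = userRealm.getUserStoreManager().getUserClaimValues(
                        tenantAwareUsername, new String[]{SECRET_KEY_CLAIM, VERIFY_SECRET_KEY_CLAIM}, (String) null);
                String storedSecret = claims.get(SECRET_KEY_CLAIM);
                String pendingSecret = claims.get(VERIFY_SECRET_KEY_CLAIM);
                if (StringUtils.isNotEmpty(storedSecret)) {
                    secret = TOTPUtil.decrypt(storedSecret);
                } else if (StringUtils.isNotEmpty(pendingSecret)) {
                    secret = TOTPUtil.decrypt(pendingSecret);
                } else {
                    // No secret at all yet: generate one and persist it (encrypted) as the pending
                    // secret; it is promoted to the confirmed claim only after a successful validateTOTP.
                    secret = TOTPKeyGenerator.generateKey(user.getTenantDomain()).getKey();
                    Map<String, String> newClaims = new HashMap<>();
                    newClaims.put(VERIFY_SECRET_KEY_CLAIM, TOTPUtil.encrypt(secret));
                    newClaims.put(ENCODING_CLAIM, TOTPUtil.getEncodingMethod(user.getTenantDomain()));
                    // The QR URL this returns is intentionally discarded; only the claim write matters here.
                    TOTPKeyGenerator.addTOTPClaimsAndRetrievingQRCodeURL(newClaims, fullyQualifiedUsername);
                }
            }
            // NOTE(review): a null realm yields HTTP 200 with a null secret rather than an error;
            // confirm callers expect that rather than a 404/500.
            response.setSecret(secret);
            return response;
        } catch (CryptoException e) {
            throw handleException(e, TOTPConstants.ErrorMessage.SERVER_ERROR_DECRYPTING_SECRET);
        } catch (TOTPException e) {
            throw handleException(e, TOTPConstants.ErrorMessage.SERVER_ERROR_GENERAL);
        } catch (UserStoreException e) {
            throw handleException(e, TOTPConstants.ErrorMessage.SERVER_ERROR_RETRIEVING_USERSTORE_MANAGER);
        } catch (AuthenticationFailedException e) {
            throw handleException(e, TOTPConstants.ErrorMessage.USER_ERROR_UNAUTHORIZED_USER);
        }
    }

    /**
     * Starts TOTP enrolment: generates claims with a pending (unverified) secret, stores them and
     * returns the QR-code URL the user scans.
     *
     * @return DTO carrying the QR-code URL.
     * @throws APIError 403 for basic-auth callers, 500 on TOTP failures.
     */
    public TOTPResponseDTO initTOTP() {
        rejectBasicAuth();
        String username = getUser().toFullQualifiedUsername();
        try {
            Map<String, String> claims = TOTPKeyGenerator.generateClaimsWithVerifySecretKey(username, false);
            return toQrCodeResponse(TOTPKeyGenerator.addTOTPClaimsAndRetrievingQRCodeURL(claims, username));
        } catch (TOTPException e) {
            throw handleException(e, TOTPConstants.ErrorMessage.SERVER_ERROR_GENERAL);
        }
    }

    /**
     * Returns the QR-code URL for the caller's current TOTP claims, (re)storing the claims in the
     * process. Unlike {@link #initTOTP()} this uses the confirmed-secret claim set.
     *
     * @return DTO carrying the QR-code URL.
     * @throws APIError 403 for basic-auth callers, 500 on TOTP failures.
     */
    public TOTPResponseDTO viewTOTP() {
        rejectBasicAuth();
        String username = getUser().toFullQualifiedUsername();
        try {
            Map<String, String> claims = TOTPKeyGenerator.generateClaims(username, false);
            return toQrCodeResponse(TOTPKeyGenerator.addTOTPClaimsAndRetrievingQRCodeURL(claims, username));
        } catch (TOTPException e) {
            throw handleException(e, TOTPConstants.ErrorMessage.SERVER_ERROR_GENERAL);
        }
    }

    /**
     * Returns the QR-code URL from the caller's generated claims without storing anything.
     *
     * @return DTO carrying the QR-code URL.
     * @throws APIError 403 for basic-auth callers, 404 when the claims carry no QR-code URL,
     *                  500 on TOTP failures.
     */
    public TOTPResponseDTO getQRUrlCode() {
        rejectBasicAuth();
        try {
            Map<String, String> claims = TOTPKeyGenerator.generateClaims(getUser().toFullQualifiedUsername(), false);
            // containsKey (not a null check) is deliberate: a present-but-null value is still "found".
            if (!claims.containsKey(QR_CODE_URL_CLAIM)) {
                throw handleError(Response.Status.NOT_FOUND, TOTPConstants.ErrorMessage.USER_ERROR_QR_CODE_URL_NOT_EXIST);
            }
            return toQrCodeResponse(claims.get(QR_CODE_URL_CLAIM));
        } catch (TOTPException e) {
            throw handleException(e, TOTPConstants.ErrorMessage.SERVER_ERROR_GENERAL);
        }
    }

    /**
     * Removes the caller's local TOTP enrolment.
     * <p>
     * Security: the caller is trusted purely from the request context; any step-up or
     * re-authentication requirement for disabling a second factor must be enforced upstream,
     * nothing here asks for it.
     *
     * @throws APIError 403 for basic-auth callers, 401 if the user cannot be authenticated,
     *                  500 on TOTP failures.
     */
    public void resetTOTP() {
        rejectBasicAuth();
        try {
            TOTPKeyGenerator.resetLocal(getUser().toFullQualifiedUsername());
        } catch (AuthenticationFailedException e) {
            throw handleException(e, TOTPConstants.ErrorMessage.USER_ERROR_UNAUTHORIZED_USER);
        } catch (TOTPException e) {
            throw handleException(e, TOTPConstants.ErrorMessage.SERVER_ERROR_RETRIEVING_REALM_FOR_USER);
        }
    }

    /**
     * Rotates the caller's secret: generates a new pending secret (refresh flag set), stores the
     * claims and returns the new QR-code URL.
     *
     * @return DTO carrying the QR-code URL.
     * @throws APIError 403 for basic-auth callers, 500 on TOTP failures.
     */
    public TOTPResponseDTO refreshSecretKey() {
        rejectBasicAuth();
        String username = getUser().toFullQualifiedUsername();
        try {
            Map<String, String> claims = TOTPKeyGenerator.generateClaimsWithVerifySecretKey(username, true);
            return toQrCodeResponse(TOTPKeyGenerator.addTOTPClaimsAndRetrievingQRCodeURL(claims, username));
        } catch (TOTPException e) {
            throw handleException(e, TOTPConstants.ErrorMessage.SERVER_ERROR_GENERAL);
        }
    }

    /**
     * Verifies a TOTP code against the caller's pending/stored secret and, on success, lets the
     * authenticator promote the pending secret to the confirmed one.
     * <p>
     * NOTE(review): unlike every other operation in this class, validation is NOT gated by
     * {@link #isValidAuthenticationType()}, so it is reachable over basic auth — confirm that is
     * intended. No attempt throttling is visible at this layer either; a 6-digit code is
     * brute-forceable unless {@code authorizeAndStoreSecret} or an upstream filter limits attempts.
     *
     * @param verificationCode the code entered by the user.
     * @return DTO whose {@code isValid} flag reports the verification result.
     * @throws APIError 401 if the user cannot be authenticated.
     */
    public TOTPResponseDTO validateTOTP(int verificationCode) {
        // Kept as toString() to preserve behaviour; presumably equal to toFullQualifiedUsername(),
        // which the other methods use — verify before unifying.
        String username = getUser().toString();
        try {
            TOTPKeyRepresentation keyRepresentation = TOTPKeyRepresentation.BASE32;
            if (BASE64_ENCODING.equals(TOTPUtil.getEncodingMethod(MultitenantUtils.getTenantDomain(username)))) {
                keyRepresentation = TOTPKeyRepresentation.BASE64;
            }
            TOTPAuthenticatorConfig config = new TOTPAuthenticatorConfig.TOTPAuthenticatorConfigBuilder()
                    .setKeyRepresentation(keyRepresentation)
                    .build();
            TOTPAuthenticatorCredentials credentials = new TOTPAuthenticatorCredentials(config);
            if (log.isDebugEnabled()) {
                // Only the username is logged; never log the code or the secret.
                log.debug("Validating TOTP verification code for the user: " + username);
            }
            TOTPResponseDTO response = new TOTPResponseDTO();
            response.setIsValid(Boolean.valueOf(credentials.authorizeAndStoreSecret(verificationCode, username)));
            return response;
        } catch (AuthenticationFailedException e) {
            throw handleException(e, TOTPConstants.ErrorMessage.USER_ERROR_UNAUTHORIZED_USER);
        }
    }

    /**
     * Resolves the authenticated user from the request context.
     *
     * @return the current user.
     */
    public static User getUser() {
        return ContextLoader.getUserFromContext();
    }

    /**
     * Builds a client-error response for invalid input.
     * <p>
     * Fix: the previous implementation answered with 505 (HTTP Version Not Supported), which is a
     * protocol-level server status and wrong for a malformed request; invalid input is 400.
     * When {@code data} is supplied it is formatted into the description.
     *
     * @param errorMessage the error constant to report.
     * @param data         optional values substituted into the description's format specifiers.
     * @return a 400 {@link APIError}.
     */
    public APIError handleInvalidInput(TOTPConstants.ErrorMessage errorMessage, String... data) {
        ErrorResponse.Builder builder = getErrorBuilder(errorMessage);
        if (data != null && data.length > 0) {
            builder.withDescription(String.format(errorMessage.getDescription(), (Object[]) data));
        }
        return new APIError(Response.Status.BAD_REQUEST, builder.build());
    }

    /**
     * Maps a caught exception to an {@link APIError} with the appropriate HTTP status.
     * <p>
     * Status mapping: {@link AuthenticationFailedException} → 401 (generic unauthorized body),
     * {@link UserStoreException}/{@link CryptoException}/{@link TOTPException} → 500,
     * anything else → 400.
     * <p>
     * The description is formatted only when {@code data} actually carries values; formatting an
     * unparameterised description with an empty argument array would throw if it ever contained
     * a {@code %s}. The exception itself is handed to the response builder together with the log,
     * which is where the internal detail is expected to be recorded.
     * <p>
     * Security fix: the internal {@code TOTPException} message is no longer copied into the 500
     * response body (CWE-209). Internal messages can carry usernames, claim names or store detail;
     * the client receives the generic description while the exception stays server-side.
     *
     * @param exc          the caught exception.
     * @param errorMessage the error constant to report.
     * @param data         optional values substituted into the description.
     * @return the error to throw.
     */
    private APIError handleException(Exception exc, TOTPConstants.ErrorMessage errorMessage, String... data) {
        String description = (data != null && data.length > 0)
                ? String.format(errorMessage.getDescription(), (Object[]) data)
                : errorMessage.getDescription();
        ErrorResponse errorResponse = getErrorBuilder(errorMessage).build(log, exc, description);
        if (exc instanceof AuthenticationFailedException) {
            return handleError(Response.Status.UNAUTHORIZED, TOTPConstants.ErrorMessage.USER_ERROR_UNAUTHORIZED_USER);
        }
        if (exc instanceof UserStoreException || exc instanceof CryptoException || exc instanceof TOTPException) {
            return new APIError(Response.Status.INTERNAL_SERVER_ERROR, errorResponse);
        }
        return new APIError(Response.Status.BAD_REQUEST, errorResponse);
    }

    /**
     * Builds an {@link APIError} from a status and an error constant, without logging.
     *
     * @param status       HTTP status to return.
     * @param errorMessage the error constant to report.
     * @return the error to throw.
     */
    private APIError handleError(Response.Status status, TOTPConstants.ErrorMessage errorMessage) {
        return new APIError(status, getErrorBuilder(errorMessage).build());
    }

    /**
     * Pre-populates an error-response builder with the constant's code, message and description.
     *
     * @param errorMessage the error constant.
     * @return a builder ready for further customisation.
     */
    private ErrorResponse.Builder getErrorBuilder(TOTPConstants.ErrorMessage errorMessage) {
        return new ErrorResponse.Builder()
                .withCode(errorMessage.getCode())
                .withMessage(errorMessage.getMessage())
                .withDescription(errorMessage.getDescription());
    }

    /**
     * Reports whether the current request may use the TOTP management operations.
     * <p>
     * Requests authenticated with basic auth are refused: managing a second factor with only the
     * first factor present would defeat the point of the second factor. The decision is read from
     * the {@code AuthenticatedWithBasicAuth} thread-local request property.
     * <p>
     * Fail-closed: if the thread-local property map is absent (the original would have thrown a
     * NullPointerException here) the request is refused rather than allowed.
     *
     * @return {@code true} when the request was not authenticated with basic auth.
     */
    private boolean isValidAuthenticationType() {
        Map<?, ?> requestProperties = (Map<?, ?>) IdentityUtil.threadLocalProperties.get();
        if (requestProperties == null) {
            if (log.isDebugEnabled()) {
                log.debug("No request properties available to determine the authentication method; refusing.");
            }
            return false;
        }
        // String.valueOf tolerates both a String and a Boolean value; null parses as false.
        boolean authenticatedWithBasicAuth =
                Boolean.parseBoolean(String.valueOf(requestProperties.get(BASIC_AUTH_PROPERTY)));
        if (authenticatedWithBasicAuth && log.isDebugEnabled()) {
            log.debug("Not a valid authentication method. This method is blocked for the requests with basic authentication.");
        }
        return !authenticatedWithBasicAuth;
    }

    /**
     * Throws the 403 basic-auth-denied error unless {@link #isValidAuthenticationType()} passes.
     * Shared guard for every management operation so the check cannot drift between them.
     */
    private void rejectBasicAuth() {
        if (!isValidAuthenticationType()) {
            throw handleError(Response.Status.FORBIDDEN, TOTPConstants.ErrorMessage.USER_ERROR_ACCESS_DENIED_FOR_BASIC_AUTH);
        }
    }

    /**
     * Wraps a QR-code URL in the response DTO.
     *
     * @param qrCodeUrl the URL to return (may be {@code null}).
     * @return the populated DTO.
     */
    private static TOTPResponseDTO toQrCodeResponse(String qrCodeUrl) {
        TOTPResponseDTO response = new TOTPResponseDTO();
        response.setQrCodeUrl(qrCodeUrl);
        return response;
    }
}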
