package com.liferay.multi.factor.authentication.fido2.web.internal.checker;

import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializationFeature;
import com.fasterxml.jackson.datatype.jdk8.Jdk8Module;
import com.liferay.multi.factor.authentication.fido2.credential.model.MFAFIDO2CredentialEntry;
import com.liferay.multi.factor.authentication.fido2.credential.service.MFAFIDO2CredentialEntryLocalService;
import com.liferay.multi.factor.authentication.fido2.web.internal.audit.MFAFIDO2AuditMessageBuilder;
import com.liferay.multi.factor.authentication.fido2.web.internal.configuration.MFAFIDO2Configuration;
import com.liferay.multi.factor.authentication.fido2.web.internal.constants.MFAFIDO2WebKeys;
import com.liferay.multi.factor.authentication.fido2.web.internal.util.ConvertUtil;
import com.liferay.multi.factor.authentication.fido2.web.internal.yubico.webauthn.MFAFIDO2CredentialRepository;
import com.liferay.multi.factor.authentication.spi.checker.browser.BrowserMFAChecker;
import com.liferay.multi.factor.authentication.spi.checker.setup.SetupMFAChecker;
import com.liferay.petra.string.StringBundler;
import com.liferay.portal.configuration.metatype.bnd.util.ConfigurableUtil;
import com.liferay.portal.kernel.audit.AuditMessage;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.model.User;
import com.liferay.portal.kernel.security.auth.CompanyThreadLocal;
import com.liferay.portal.kernel.service.UserLocalService;
import com.liferay.portal.kernel.util.GetterUtil;
import com.liferay.portal.kernel.util.HashMapDictionary;
import com.liferay.portal.kernel.util.ParamUtil;
import com.liferay.portal.kernel.util.Portal;
import com.liferay.portal.kernel.util.SetUtil;
import com.liferay.portal.util.PropsValues;
import com.yubico.webauthn.AssertionRequest;
import com.yubico.webauthn.AssertionResult;
import com.yubico.webauthn.FinishAssertionOptions;
import com.yubico.webauthn.FinishRegistrationOptions;
import com.yubico.webauthn.RegistrationResult;
import com.yubico.webauthn.RelyingParty;
import com.yubico.webauthn.StartAssertionOptions;
import com.yubico.webauthn.StartRegistrationOptions;
import com.yubico.webauthn.data.AuthenticatorAssertionResponse;
import com.yubico.webauthn.data.AuthenticatorAttestationResponse;
import com.yubico.webauthn.data.ByteArray;
import com.yubico.webauthn.data.ClientAssertionExtensionOutputs;
import com.yubico.webauthn.data.ClientRegistrationExtensionOutputs;
import com.yubico.webauthn.data.PublicKeyCredential;
import com.yubico.webauthn.data.PublicKeyCredentialCreationOptions;
import com.yubico.webauthn.data.RelyingPartyIdentity;
import com.yubico.webauthn.data.UserIdentity;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceRegistration;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;

@Component(configurationPid = {"com.liferay.multi.factor.authentication.fido2.web.internal.configuration.MFAFIDO2Configuration.scoped"}, configurationPolicy = ConfigurationPolicy.REQUIRE, immediate = true, service = {})
/* loaded from: input_file:com/liferay/multi/factor/authentication/fido2/web/internal/checker/FIDO2BrowserSetupMFAChecker.class */
public class FIDO2BrowserSetupMFAChecker implements BrowserMFAChecker, SetupMFAChecker {
    private static final Log _log = LogFactoryUtil.getLog(FIDO2BrowserSetupMFAChecker.class);

    @Reference(cardinality = ReferenceCardinality.OPTIONAL)
    private MFAFIDO2AuditMessageBuilder _mfaFIDO2AuditMessageBuilder;
    private MFAFIDO2Configuration _mfaFIDO2Configuration;

    @Reference
    private MFAFIDO2CredentialEntryLocalService _mfaFIDO2CredentialEntryLocalService;
    private ObjectMapper _objectMapper;

    @Reference
    private Portal _portal;
    private RelyingParty _relyingParty;
    private ServiceRegistration<?> _serviceRegistration;

    @Reference(target = "(osgi.web.symbolicname=com.liferay.multi.factor.authentication.fido2.web)")
    private ServletContext _servletContext;

    @Reference
    private UserLocalService _userLocalService;

    public void includeBrowserVerification(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, long j) throws Exception {
        String writeValueAsString = this._objectMapper.writeValueAsString(_getAssertionRequest(j));
        httpServletRequest.setAttribute(MFAFIDO2WebKeys.MFA_FIDO2_ASSERTION_REQUEST, writeValueAsString);
        this._servletContext.getRequestDispatcher("/mfa_fido2_checker/verify_browser.jsp").include(httpServletRequest, httpServletResponse);
        this._portal.getOriginalServletRequest(httpServletRequest).getSession().setAttribute(MFAFIDO2WebKeys.MFA_FIDO2_ASSERTION_REQUEST, writeValueAsString);
    }

    public void includeSetup(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, long j) throws Exception {
        if (this._mfaFIDO2CredentialEntryLocalService.getMFAFIDO2CredentialEntriesByUserId(j).size() < this._mfaFIDO2Configuration.allowedCredentialsPerUser()) {
            String writeValueAsString = this._objectMapper.writeValueAsString(_getPublicKeyCredentialCreationOptions(j));
            httpServletRequest.setAttribute(MFAFIDO2WebKeys.MFA_FIDO2_PKCC_OPTIONS, writeValueAsString);
            this._portal.getOriginalServletRequest(httpServletRequest).getSession().setAttribute(MFAFIDO2WebKeys.MFA_FIDO2_PKCC_OPTIONS, writeValueAsString);
        }
        this._servletContext.getRequestDispatcher("/mfa_fido2_checker/setup.jsp").include(httpServletRequest, httpServletResponse);
    }

    public boolean isAvailable(long j) {
        return !this._mfaFIDO2CredentialEntryLocalService.getMFAFIDO2CredentialEntriesByUserId(j).isEmpty();
    }

    public boolean isBrowserVerified(HttpServletRequest httpServletRequest, long j) {
        return _isVerified(this._portal.getOriginalServletRequest(httpServletRequest).getSession(false), j);
    }

    public void removeExistingSetup(long j) {
        for (MFAFIDO2CredentialEntry mFAFIDO2CredentialEntry : this._mfaFIDO2CredentialEntryLocalService.getMFAFIDO2CredentialEntriesByUserId(j)) {
            if (mFAFIDO2CredentialEntry != null) {
                this._mfaFIDO2CredentialEntryLocalService.deleteMFAFIDO2CredentialEntry(mFAFIDO2CredentialEntry);
            }
        }
    }

    public boolean setUp(HttpServletRequest httpServletRequest, long j) {
        try {
            RegistrationResult _getRegistrationResult = _getRegistrationResult(httpServletRequest);
            this._mfaFIDO2CredentialEntryLocalService.addMFAFIDO2CredentialEntry(j, _getRegistrationResult.getKeyId().getId().getBase64(), 0, _getRegistrationResult.getPublicKeyCose().getBase64());
            return true;
        } catch (Exception e) {
            _log.error(StringBundler.concat(new Object[]{"Unable to setup FIDO2 for user ", Long.valueOf(j), ": ", e.getMessage()}), e);
            return false;
        }
    }

    public boolean verifyBrowserRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, long j) throws Exception {
        User fetchUser = this._userLocalService.fetchUser(j);
        if (fetchUser == null) {
            if (_log.isWarnEnabled()) {
                _log.warn("Requested FIDO2 verification for nonexistent user " + j);
            }
            _routeAuditMessage(this._mfaFIDO2AuditMessageBuilder.buildNonexistentUserVerificationFailureAuditMessage(CompanyThreadLocal.getCompanyId().longValue(), j, _getClassName()));
            return false;
        }
        if (!isAvailable(fetchUser.getUserId())) {
            if (_log.isWarnEnabled()) {
                _log.warn("Requested FIDO2 verification for user " + j + " with incomplete configuration");
            }
            _routeAuditMessage(this._mfaFIDO2AuditMessageBuilder.buildUnconfiguredUserVerificationFailureAuditMessage(CompanyThreadLocal.getCompanyId().longValue(), fetchUser, _getClassName()));
            return false;
        }
        try {
            AssertionResult _getAssertionResult = _getAssertionResult(httpServletRequest);
            ByteArray credentialId = _getAssertionResult.getCredentialId();
            if (!_getAssertionResult.isSuccess()) {
                this._mfaFIDO2CredentialEntryLocalService.updateAttempts(j, credentialId.getBase64(), 0L);
                _routeAuditMessage(this._mfaFIDO2AuditMessageBuilder.buildVerificationFailureAuditMessage(fetchUser, _getClassName(), "Incorrect FIDO2 verification"));
                return false;
            }
            this._mfaFIDO2CredentialEntryLocalService.updateAttempts(j, credentialId.getBase64(), _getAssertionResult.getSignatureCount());
            HttpSession session = this._portal.getOriginalServletRequest(httpServletRequest).getSession();
            session.setAttribute(MFAFIDO2WebKeys.MFA_FIDO2_VALIDATED_AT_TIME, Long.valueOf(System.currentTimeMillis()));
            session.setAttribute(MFAFIDO2WebKeys.MFA_FIDO2_VALIDATED_USER_ID, Long.valueOf(j));
            _routeAuditMessage(this._mfaFIDO2AuditMessageBuilder.buildVerifiedAuditMessage(fetchUser, _getClassName()));
            return true;
        } catch (Exception e) {
            if (!_log.isDebugEnabled()) {
                return false;
            }
            _log.debug(e);
            return false;
        }
    }

    @Activate
    protected void activate(BundleContext bundleContext, Map<String, Object> map) {
        this._mfaFIDO2Configuration = (MFAFIDO2Configuration) ConfigurableUtil.createConfigurable(MFAFIDO2Configuration.class, map);
        this._objectMapper = new ObjectMapper();
        this._objectMapper = this._objectMapper.configure(SerializationFeature.FAIL_ON_EMPTY_BEANS, false);
        this._objectMapper = this._objectMapper.registerModule(new Jdk8Module());
        this._objectMapper = this._objectMapper.setSerializationInclusion(JsonInclude.Include.NON_ABSENT);
        this._relyingParty = RelyingParty.builder().identity(RelyingPartyIdentity.builder().id(this._mfaFIDO2Configuration.relyingPartyId()).name(this._mfaFIDO2Configuration.relyingPartyName()).build()).credentialRepository(new MFAFIDO2CredentialRepository(this._mfaFIDO2CredentialEntryLocalService, this._userLocalService)).origins(SetUtil.fromArray(this._mfaFIDO2Configuration.origins())).allowOriginPort(this._mfaFIDO2Configuration.allowOriginPort()).allowOriginSubdomain(this._mfaFIDO2Configuration.allowOriginSubdomain()).build();
        if (PropsValues.SESSION_ENABLE_PHISHING_PROTECTION) {
            ArrayList arrayList = new ArrayList(Arrays.asList(PropsValues.SESSION_PHISHING_PROTECTED_ATTRIBUTES));
            arrayList.add(MFAFIDO2WebKeys.MFA_FIDO2_VALIDATED_AT_TIME);
            arrayList.add(MFAFIDO2WebKeys.MFA_FIDO2_VALIDATED_USER_ID);
            PropsValues.SESSION_PHISHING_PROTECTED_ATTRIBUTES = (String[]) arrayList.toArray(new String[0]);
        }
        this._serviceRegistration = bundleContext.registerService(new String[]{BrowserMFAChecker.class.getName(), SetupMFAChecker.class.getName()}, this, new HashMapDictionary(map));
    }

    @Deactivate
    protected void deactivate() {
        if (this._serviceRegistration == null) {
            return;
        }
        this._serviceRegistration.unregister();
        if (PropsValues.SESSION_ENABLE_PHISHING_PROTECTION) {
            ArrayList arrayList = new ArrayList(Arrays.asList(PropsValues.SESSION_PHISHING_PROTECTED_ATTRIBUTES));
            arrayList.remove(MFAFIDO2WebKeys.MFA_FIDO2_VALIDATED_AT_TIME);
            arrayList.remove(MFAFIDO2WebKeys.MFA_FIDO2_VALIDATED_USER_ID);
            PropsValues.SESSION_PHISHING_PROTECTED_ATTRIBUTES = (String[]) arrayList.toArray(new String[0]);
        }
    }

    private AssertionRequest _getAssertionRequest(long j) throws Exception {
        return this._relyingParty.startAssertion(StartAssertionOptions.builder().username(Optional.of(this._userLocalService.getUserById(j).getScreenName())).build());
    }

    private AssertionResult _getAssertionResult(HttpServletRequest httpServletRequest) throws Exception {
        return this._relyingParty.finishAssertion(FinishAssertionOptions.builder().request((AssertionRequest) this._objectMapper.readValue(GetterUtil.getString(this._portal.getOriginalServletRequest(httpServletRequest).getSession().getAttribute(MFAFIDO2WebKeys.MFA_FIDO2_ASSERTION_REQUEST)), AssertionRequest.class)).response((PublicKeyCredential) this._objectMapper.readValue(ParamUtil.getString(httpServletRequest, "responseJSON"), new TypeReference<PublicKeyCredential<AuthenticatorAssertionResponse, ClientAssertionExtensionOutputs>>() { // from class: com.liferay.multi.factor.authentication.fido2.web.internal.checker.FIDO2BrowserSetupMFAChecker.1
        })).build());
    }

    private String _getClassName() {
        return getClass().getName();
    }

    private PublicKeyCredentialCreationOptions _getPublicKeyCredentialCreationOptions(long j) {
        User fetchUserById = this._userLocalService.fetchUserById(j);
        return this._relyingParty.startRegistration(StartRegistrationOptions.builder().user(UserIdentity.builder().name(fetchUserById.getScreenName()).displayName(fetchUserById.getFullName()).id(ConvertUtil.toByteArray(j)).build()).build());
    }

    private RegistrationResult _getRegistrationResult(HttpServletRequest httpServletRequest) throws Exception {
        return this._relyingParty.finishRegistration(FinishRegistrationOptions.builder().request((PublicKeyCredentialCreationOptions) this._objectMapper.readValue(GetterUtil.getString(this._portal.getOriginalServletRequest(httpServletRequest).getSession().getAttribute(MFAFIDO2WebKeys.MFA_FIDO2_PKCC_OPTIONS)), PublicKeyCredentialCreationOptions.class)).response((PublicKeyCredential) this._objectMapper.readValue(ParamUtil.getString(httpServletRequest, "responseJSON"), new TypeReference<PublicKeyCredential<AuthenticatorAttestationResponse, ClientRegistrationExtensionOutputs>>() { // from class: com.liferay.multi.factor.authentication.fido2.web.internal.checker.FIDO2BrowserSetupMFAChecker.2
        })).build());
    }

    private boolean _isVerified(HttpSession httpSession, long j) {
        User fetchUser = this._userLocalService.fetchUser(j);
        if (fetchUser == null) {
            if (_log.isWarnEnabled()) {
                _log.warn("Requested FIDO2 verification for nonexistent user " + j);
            }
            _routeAuditMessage(this._mfaFIDO2AuditMessageBuilder.buildNonexistentUserVerificationFailureAuditMessage(CompanyThreadLocal.getCompanyId().longValue(), j, _getClassName()));
            return false;
        }
        if (httpSession != null) {
            return Objects.equals(httpSession.getAttribute(MFAFIDO2WebKeys.MFA_FIDO2_VALIDATED_USER_ID), Long.valueOf(j));
        }
        _routeAuditMessage(this._mfaFIDO2AuditMessageBuilder.buildNotVerifiedAuditMessage(fetchUser, _getClassName(), "Empty session"));
        return false;
    }

    private void _routeAuditMessage(AuditMessage auditMessage) {
        if (this._mfaFIDO2AuditMessageBuilder != null) {
            this._mfaFIDO2AuditMessageBuilder.routeAuditMessage(auditMessage);
        }
    }
}
