package com.liferay.multi.factor.authentication.email.otp.web.internal.checker;

import com.liferay.multi.factor.authentication.email.otp.configuration.MFAEmailOTPConfiguration;
import com.liferay.multi.factor.authentication.email.otp.model.MFAEmailOTPEntry;
import com.liferay.multi.factor.authentication.email.otp.service.MFAEmailOTPEntryLocalService;
import com.liferay.multi.factor.authentication.email.otp.web.internal.audit.MFAEmailOTPAuditMessageBuilder;
import com.liferay.multi.factor.authentication.email.otp.web.internal.constants.MFAEmailOTPWebKeys;
import com.liferay.multi.factor.authentication.spi.checker.browser.BrowserMFAChecker;
import com.liferay.portal.configuration.metatype.bnd.util.ConfigurableUtil;
import com.liferay.portal.kernel.audit.AuditMessage;
import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.model.User;
import com.liferay.portal.kernel.security.auth.CompanyThreadLocal;
import com.liferay.portal.kernel.service.UserLocalService;
import com.liferay.portal.kernel.util.GetterUtil;
import com.liferay.portal.kernel.util.ParamUtil;
import com.liferay.portal.kernel.util.Portal;
import com.liferay.portal.util.PropsValues;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.function.Function;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;

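@Component(configurationPid = {"com.liferay.multi.factor.authentication.email.otp.configuration.MFAEmailOTPConfiguration.scoped"}, configurationPolicy = ConfigurationPolicy.OPTIONAL, service = {BrowserMFAChecker.class})
/**
 * Browser-side MFA checker for the email one-time-password (OTP) factor.
 *
 * <p>Responsibilities visible in this class:
 * <ul>
 * <li>{@link #includeBrowserVerification} renders the OTP entry page and marks
 * the session as being in the "verify" phase for the given user;</li>
 * <li>{@link #verifyBrowserRequest} compares the submitted {@code otp} request
 * parameter against the OTP stored in the session, records success/failure on
 * the user's {@code MFAEmailOTPEntry}, and stamps the session as validated;</li>
 * <li>{@link #isBrowserVerified} / {@link #isVerified} answer whether the
 * session has already been validated for the given user.</li>
 * </ul>
 *
 * <p>Security notes (review):
 * <ul>
 * <li>The OTP comparison is done in constant time via
 * {@link MessageDigest#isEqual} so that response timing does not leak how many
 * leading characters of a guess were correct.</li>
 * <li>The audit-message builder is an OPTIONAL OSGi reference and may be
 * {@code null}; every audit call goes through {@link #_audit} so that a missing
 * builder never turns a verification failure into a NullPointerException
 * (which, depending on the caller, could be mistaken for an error rather than a
 * deliberate "not verified").</li>
 * <li>Lockout is enforced server-side in {@link #_isMaximumAllowedAttemptsReached}
 * before the OTP is even compared, so a locked-out user cannot burn further
 * guesses.</li>
 * <li>This class does not check the OTP's age; if the configuration exposes an
 * expiration it is presumably enforced where the OTP is generated — TODO confirm.</li>
 * </ul>
 */
public class EmailOTPBrowserMFAChecker implements BrowserMFAChecker {

    private static final Log _log = LogFactoryUtil.getLog(EmailOTPBrowserMFAChecker.class);

    private static final String _VERIFY_JSP = "/mfa_email_otp_checker/verify_browser.jsp";

    // OPTIONAL: may be null when no audit implementation is deployed. Never
    // dereference it directly; use _audit(...).
    @Reference(cardinality = ReferenceCardinality.OPTIONAL)
    private MFAEmailOTPAuditMessageBuilder _mfaEmailOTPAuditMessageBuilder;

    private MFAEmailOTPConfiguration _mfaEmailOTPConfiguration;

    @Reference
    private MFAEmailOTPEntryLocalService _mfaEmailOTPEntryLocalService;

    @Reference
    private Portal _portal;

    @Reference(target = "(osgi.web.symbolicname=com.liferay.multi.factor.authentication.email.otp.web)")
    private ServletContext _servletContext;

    @Reference
    private UserLocalService _userLocalService;

    /**
     * Renders the OTP entry page for {@code userId} and moves the session into
     * the "verify" phase.
     *
     * <p>Side effects on the (original, un-wrapped) session: sets
     * {@code MFA_EMAIL_OTP_PHASE} to {@code "verify"} and
     * {@code MFA_EMAIL_OTP_USER_ID} to {@code userId}. Note that
     * {@link #_isMaximumAllowedAttemptsReached} may also reset the user's failed
     * attempt counter when the retry window has elapsed.
     *
     * @param httpServletRequest the current (possibly wrapped) request
     * @param httpServletResponse the response the JSP is included into
     * @param userId the user being challenged
     * @throws IOException if the JSP include fails
     * @throws ServletException if the JSP include fails
     */
    public void includeBrowserVerification(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, long userId) throws IOException, ServletException {
        User user = _userLocalService.fetchUser(userId);

        if (user == null) {
            _warnNonexistentUser(userId);

            return;
        }

        if (_isMaximumAllowedAttemptsReached(user.getUserId())) {
            // Let the JSP tell the user how long the lockout lasts.
            httpServletRequest.setAttribute(MFAEmailOTPWebKeys.MFA_EMAIL_OTP_FAILED_ATTEMPTS_RETRY_TIMEOUT, Long.valueOf(_mfaEmailOTPConfiguration.retryTimeout()));
        }

        HttpSession session = _portal.getOriginalServletRequest(httpServletRequest).getSession();

        // Only an obfuscated address reaches the page; the full address is not
        // exposed to a browser that has not yet completed MFA.
        httpServletRequest.setAttribute(MFAEmailOTPWebKeys.MFA_EMAIL_OTP_SEND_TO_ADDRESS_OBFUSCATED, obfuscateEmailAddress(user.getEmailAddress()));

        long otpSetAtTime = GetterUtil.getLong(session.getAttribute(MFAEmailOTPWebKeys.MFA_EMAIL_OTP_SET_AT_TIME), Long.MIN_VALUE);

        httpServletRequest.setAttribute(MFAEmailOTPWebKeys.MFA_EMAIL_OTP_SET_AT_TIME, Long.valueOf(otpSetAtTime));

        _servletContext.getRequestDispatcher(_VERIFY_JSP).include(httpServletRequest, httpServletResponse);

        session.setAttribute(MFAEmailOTPWebKeys.MFA_EMAIL_OTP_PHASE, "verify");
        session.setAttribute(MFAEmailOTPWebKeys.MFA_EMAIL_OTP_USER_ID, Long.valueOf(userId));
    }

    /**
     * Returns whether the browser's existing session has already been
     * validated for {@code userId}. Does not create a session.
     *
     * @param httpServletRequest the current (possibly wrapped) request
     * @param userId the user to check
     * @return {@code true} only if the session holds a validated user ID equal to {@code userId}
     */
    public boolean isBrowserVerified(HttpServletRequest httpServletRequest, long userId) {
        HttpServletRequest originalRequest = _portal.getOriginalServletRequest(httpServletRequest);

        return isVerified(originalRequest.getSession(false), userId);
    }

    /**
     * Verifies the {@code otp} request parameter against the OTP held in the
     * session and records the outcome.
     *
     * <p>Order matters: the lockout check runs before the OTP is compared so a
     * locked-out user cannot spend additional guesses, and the failure counter
     * is only incremented for a real mismatch.
     *
     * @param httpServletRequest the current (possibly wrapped) request
     * @param httpServletResponse unused here; part of the SPI signature
     * @param userId the user being verified
     * @return {@code true} if the OTP matched and the session is now validated
     * @throws Exception propagated from the entry service
     */
    public boolean verifyBrowserRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, long userId) throws Exception {
        User user = _userLocalService.fetchUser(userId);

        if (user == null) {
            _warnNonexistentUser(userId);

            long companyId = CompanyThreadLocal.getCompanyId().longValue();

            _audit(builder -> builder.buildNonexistentUserVerificationFailureAuditMessage(companyId, userId, _getClassName()));

            return false;
        }

        // Make sure an entry exists so that attempt bookkeeping below has a row
        // to update.
        if (_mfaEmailOTPEntryLocalService.fetchMFAEmailOTPEntryByUserId(userId) == null) {
            _mfaEmailOTPEntryLocalService.addMFAEmailOTPEntry(userId);
        }

        if (_isMaximumAllowedAttemptsReached(userId)) {
            _audit(builder -> builder.buildVerificationFailureAuditMessage(user, _getClassName(), "Reached maximum allowed attempts"));

            return false;
        }

        HttpServletRequest originalRequest = _portal.getOriginalServletRequest(httpServletRequest);
        HttpSession session = originalRequest.getSession();

        // NOTE(review): getRemoteAddr() is the immediate peer; behind a reverse
        // proxy this is the proxy's address unless the container rewrites it.
        String remoteAddr = originalRequest.getRemoteAddr();

        String submittedOTP = ParamUtil.getString(httpServletRequest, "otp");

        if (!_verify(session, submittedOTP)) {
            _audit(builder -> builder.buildVerificationFailureAuditMessage(user, _getClassName(), "Incorrect email one-time password"));

            _mfaEmailOTPEntryLocalService.updateAttempts(userId, remoteAddr, false);

            return false;
        }

        session.setAttribute(MFAEmailOTPWebKeys.MFA_EMAIL_OTP_VALIDATED_AT_TIME, Long.valueOf(System.currentTimeMillis()));
        session.setAttribute(MFAEmailOTPWebKeys.MFA_EMAIL_OTP_VALIDATED_USER_ID, Long.valueOf(userId));

        _mfaEmailOTPEntryLocalService.updateAttempts(userId, remoteAddr, true);

        _audit(builder -> builder.buildVerificationSuccessAuditMessage(user, _getClassName()));

        return true;
    }

    /**
     * Masks the middle of the local part of an email address with {@code '*'}.
     *
     * <p>For a local part of length {@code n}, {@code max(ceil(n/2), min(3, n))}
     * characters are masked, centred in the local part. The domain is left
     * untouched. An address without {@code '@'} is treated as all local part
     * (the original would have thrown {@code StringIndexOutOfBoundsException});
     * {@code null} and empty input are returned unchanged.
     *
     * @param emailAddress the address to obfuscate
     * @return the masked address
     */
    protected static String obfuscateEmailAddress(String emailAddress) {
        if ((emailAddress == null) || emailAddress.isEmpty()) {
            return emailAddress;
        }

        int atIndex = emailAddress.indexOf('@');

        // No '@': mask the whole string as if it were the local part rather
        // than throwing on substring(0, -1).
        int localPartLength = (atIndex < 0) ? emailAddress.length() : atIndex;

        int maskedLength = Math.max((int)Math.ceil(localPartLength / 2.0d), Math.min(3, localPartLength));
        int maskStart = (int)Math.ceil((localPartLength - maskedLength) / 2.0d);
        int maskEnd = maskStart + maskedLength;

        char[] chars = emailAddress.toCharArray();

        for (int i = maskStart; i < maskEnd; i++) {
            chars[i] = '*';
        }

        return new String(chars);
    }

    /**
     * Binds the configuration and registers the two "validated" session
     * attributes as phishing-protected so they survive the session ID rotation
     * Liferay performs when that protection is enabled.
     *
     * <p>NOTE(review): this is a non-atomic read-modify-write of a static
     * array shared by every component that registers protected attributes;
     * concurrent (de)activation of such components could lose an update.
     */
    @Activate
    protected void activate(Map<String, Object> properties) {
        _mfaEmailOTPConfiguration = ConfigurableUtil.createConfigurable(MFAEmailOTPConfiguration.class, properties);

        if (!PropsValues.SESSION_ENABLE_PHISHING_PROTECTION) {
            return;
        }

        List<String> protectedAttributes = new ArrayList<>(Arrays.asList(PropsValues.SESSION_PHISHING_PROTECTED_ATTRIBUTES));

        protectedAttributes.add(MFAEmailOTPWebKeys.MFA_EMAIL_OTP_VALIDATED_AT_TIME);
        protectedAttributes.add(MFAEmailOTPWebKeys.MFA_EMAIL_OTP_VALIDATED_USER_ID);

        PropsValues.SESSION_PHISHING_PROTECTED_ATTRIBUTES = protectedAttributes.toArray(new String[0]);
    }

    /**
     * Undoes {@link #activate}'s registration of the protected attributes
     * (first occurrence only, via {@link List#remove(Object)}).
     */
    @Deactivate
    protected void deactivate() {
        if (!PropsValues.SESSION_ENABLE_PHISHING_PROTECTION) {
            return;
        }

        List<String> protectedAttributes = new ArrayList<>(Arrays.asList(PropsValues.SESSION_PHISHING_PROTECTED_ATTRIBUTES));

        protectedAttributes.remove(MFAEmailOTPWebKeys.MFA_EMAIL_OTP_VALIDATED_AT_TIME);
        protectedAttributes.remove(MFAEmailOTPWebKeys.MFA_EMAIL_OTP_VALIDATED_USER_ID);

        PropsValues.SESSION_PHISHING_PROTECTED_ATTRIBUTES = protectedAttributes.toArray(new String[0]);
    }

    /**
     * Returns whether {@code httpSession} has been validated for
     * {@code userId}, auditing the reason when it has not.
     *
     * @param httpSession the session, or {@code null} if none exists
     * @param userId the user to check
     * @return {@code true} only if {@code MFA_EMAIL_OTP_VALIDATED_USER_ID} equals {@code userId}
     */
    protected boolean isVerified(HttpSession httpSession, long userId) {
        User user = _userLocalService.fetchUser(userId);

        if (user == null) {
            _warnNonexistentUser(userId);

            long companyId = CompanyThreadLocal.getCompanyId().longValue();

            _audit(builder -> builder.buildNonexistentUserVerificationFailureAuditMessage(companyId, userId, _getClassName()));

            return false;
        }

        if (httpSession == null) {
            _audit(builder -> builder.buildNotVerifiedAuditMessage(user, _getClassName(), "Empty session"));

            return false;
        }

        Object validatedUserId = httpSession.getAttribute(MFAEmailOTPWebKeys.MFA_EMAIL_OTP_VALIDATED_USER_ID);

        if (validatedUserId == null) {
            _audit(builder -> builder.buildNotVerifiedAuditMessage(user, _getClassName(), "Not verified yet"));

            return false;
        }

        // Objects.equals on a boxed Long: a session validated for a different
        // user must not satisfy this user's check.
        if (Objects.equals(validatedUserId, Long.valueOf(userId))) {
            return true;
        }

        _audit(builder -> builder.buildNotVerifiedAuditMessage(user, _getClassName(), "Not the same user"));

        return false;
    }

    /**
     * Builds and routes an audit message only when an audit builder is bound.
     * The builder is an OPTIONAL reference; callers must not construct the
     * message eagerly, which is why a factory is taken instead of a message.
     */
    private void _audit(Function<MFAEmailOTPAuditMessageBuilder, AuditMessage> messageFactory) {
        MFAEmailOTPAuditMessageBuilder builder = _mfaEmailOTPAuditMessageBuilder;

        if (builder == null) {
            return;
        }

        builder.routeAuditMessage(messageFactory.apply(builder));
    }

    /**
     * Constant-time equality of two strings (UTF-8 bytes). Lengths are not
     * hidden, which is acceptable here because OTPs have a fixed length.
     */
    private static boolean _constantTimeEquals(String expected, String actual) {
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), actual.getBytes(StandardCharsets.UTF_8));
    }

    private String _getClassName() {
        Class<?> clazz = getClass();

        return clazz.getName();
    }

    /**
     * Returns whether {@code userId} is currently locked out.
     *
     * <p>Not locked out when: no entry exists, {@code failedAttemptsAllowed} or
     * {@code retryTimeout} is negative (feature disabled), or the failed count
     * is still below the allowed number. Otherwise locked out while
     * {@code lastFailDate + retryTimeout} seconds is still in the future; once
     * the window has elapsed the failed counter is reset as a side effect.
     * A missing {@code lastFailDate} is treated as "no failure recorded".
     */
    private boolean _isMaximumAllowedAttemptsReached(long userId) {
        try {
            MFAEmailOTPEntry entry = _mfaEmailOTPEntryLocalService.fetchMFAEmailOTPEntryByUserId(userId);

            if (entry == null) {
                return false;
            }

            int failedAttemptsAllowed = _mfaEmailOTPConfiguration.failedAttemptsAllowed();
            long retryTimeout = _mfaEmailOTPConfiguration.retryTimeout();

            if ((failedAttemptsAllowed < 0) || (retryTimeout < 0)) {
                return false;
            }

            if (failedAttemptsAllowed > entry.getFailedAttempts()) {
                return false;
            }

            Date lastFailDate = entry.getLastFailDate();

            if (lastFailDate == null) {
                return false;
            }

            long lockoutEndsAt = lastFailDate.getTime() + (retryTimeout * 1000);

            if (lockoutEndsAt > System.currentTimeMillis()) {
                return true;
            }

            _mfaEmailOTPEntryLocalService.resetFailedAttempts(userId);

            return false;
        }
        catch (PortalException portalException) {
            _log.error(portalException, portalException);

            return false;
        }
    }

    /**
     * Compares {@code submittedOTP} with the OTP stored in the session in
     * constant time. On success the OTP and the transient "send" state are
     * removed so the code is single-use; on failure the session is untouched.
     *
     * <p>NOTE(review): the stored OTP is not checked against
     * {@code MFA_EMAIL_OTP_USER_ID} here; callers pass the user ID separately.
     * Whether the OTP can ever belong to a different user than the one being
     * verified depends on the send flow — confirm before relying on it.
     */
    private boolean _verify(HttpSession httpSession, String submittedOTP) {
        String expectedOTP = (String)httpSession.getAttribute(MFAEmailOTPWebKeys.MFA_EMAIL_OTP);

        if ((expectedOTP == null) || (submittedOTP == null)) {
            return false;
        }

        if (!_constantTimeEquals(expectedOTP, submittedOTP)) {
            return false;
        }

        httpSession.removeAttribute(MFAEmailOTPWebKeys.MFA_EMAIL_OTP);
        httpSession.removeAttribute(MFAEmailOTPWebKeys.MFA_EMAIL_OTP_PHASE);
        httpSession.removeAttribute(MFAEmailOTPWebKeys.MFA_EMAIL_OTP_SET_AT_TIME);
        httpSession.removeAttribute(MFAEmailOTPWebKeys.MFA_EMAIL_OTP_USER_ID);

        return true;
    }

    private static void _warnNonexistentUser(long userId) {
        if (_log.isWarnEnabled()) {
            _log.warn("Requested one-time password email verification for nonexistent user " + userId);
        }
    }

}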
