package tv.hd3g.authkit.mod.service;

import com.google.zxing.BarcodeFormat;
import com.google.zxing.WriterException;
import com.google.zxing.client.j2se.MatrixToImageWriter;
import com.google.zxing.common.BitMatrix;
import com.google.zxing.qrcode.QRCodeWriter;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.GeneralSecurityException;
import java.util.Base64;
import java.util.Collection;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Base32;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.tomcat.jni.Time;
import org.owasp.encoder.Encode;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
import tv.hd3g.authkit.mod.dto.SetupTOTPTokenDto;
import tv.hd3g.authkit.mod.dto.validated.ValidationSetupTOTPDto;
import tv.hd3g.authkit.mod.dto.validated.ValidationTOTPDto;
import tv.hd3g.authkit.mod.entity.Credential;
import tv.hd3g.authkit.mod.entity.Totpbackupcode;
import tv.hd3g.authkit.mod.entity.User;
import tv.hd3g.authkit.mod.exception.AuthKitException;
import tv.hd3g.authkit.mod.exception.NotAcceptableSecuredTokenException;
import tv.hd3g.authkit.mod.exception.UserCantLoginException;
import tv.hd3g.authkit.mod.repository.CredentialRepository;
import tv.hd3g.authkit.mod.repository.TotpbackupcodeRepository;
import tv.hd3g.authkit.mod.service.AuditReportService;
import tv.hd3g.commons.authkit.CipherService;

@Service
/* loaded from: input_file:BOOT-INF/classes/tv/hd3g/authkit/mod/service/TOTPServiceImpl.class */
public class TOTPServiceImpl implements TOTPService {
    private static Logger log = LogManager.getLogger();
    public static final Base32 base32 = new Base32(false);

    @Autowired
    private CipherService cipherService;

    @Autowired
    private CredentialRepository credentialRepository;

    @Autowired
    private TotpbackupcodeRepository totpbackupcodeRepository;

    @Autowired
    private AuthenticationService authenticationService;

    @Autowired
    private SecuredTokenService securedTokenService;

    @Value("${authkit.backupCodeQuantity:6}")
    private int backupCodeQuantity;

    @Value("${authkit.totpTimeStepSeconds:30}")
    private int timeStepSeconds;

    @Value("${authkit.totpWindowMillis:5000}")
    private long windowMillis;

    @Override // tv.hd3g.authkit.mod.service.TOTPService
    public String makeSecret() {
        byte[] bArr = new byte[64];
        this.cipherService.getSecureRandom().nextBytes(bArr);
        return base32.encodeAsString(bArr);
    }

    @Override // tv.hd3g.authkit.mod.service.TOTPService
    public URI makeURI(String str, User user, String str2) {
        Credential credential = user.getCredential();
        Objects.requireNonNull(credential, "Can't found Credential for user " + user.getUuid());
        try {
            return new URI("otpauth://totp/" + credential.getLogin() + "@" + Encode.forJavaScript(str2) + "?secret=" + str);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("Invalid URI parameters", e);
        }
    }

    @Override // tv.hd3g.authkit.mod.service.TOTPService
    public String makeQRCode(URI uri) {
        try {
            BitMatrix encode = new QRCodeWriter().encode(uri.toString(), BarcodeFormat.QR_CODE, 400, 400);
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(4095);
            MatrixToImageWriter.writeToStream(encode, "png", byteArrayOutputStream);
            return Base64.getEncoder().encodeToString(byteArrayOutputStream.toByteArray());
        } catch (WriterException | IOException e) {
            throw new IllegalArgumentException("Problem with QRcode generation", e);
        }
    }

    @Override // tv.hd3g.authkit.mod.service.TOTPService
    public List<String> makeBackupCodes() {
        return (List) this.cipherService.getSecureRandom().ints(this.backupCodeQuantity, 0, 1000000).mapToObj(i -> {
            return StringUtils.leftPad(String.valueOf(i), 6, "0");
        }).collect(Collectors.toUnmodifiableList());
    }

    @Override // tv.hd3g.authkit.mod.service.TOTPService
    @Transactional(readOnly = false)
    public void setupTOTP(String str, Collection<String> collection, String str2) {
        byte[] decode = base32.decode(str);
        Credential byUserUUID = this.credentialRepository.getByUserUUID(str2);
        byUserUUID.getTotpBackupCodes().clear();
        byUserUUID.getTotpBackupCodes().addAll((Set) collection.stream().map(str3 -> {
            return new Totpbackupcode(byUserUUID, str3);
        }).collect(Collectors.toUnmodifiableSet()));
        byUserUUID.setTotpkey(this.cipherService.cipherFromData(decode));
    }

    @Override // tv.hd3g.authkit.mod.service.TOTPService
    @Transactional(readOnly = false)
    public void setupTOTPWithChecks(ValidationSetupTOTPDto validationSetupTOTPDto, String str) {
        try {
            SetupTOTPTokenDto setupTOTPTokenDto = this.securedTokenService.setupTOTPExtractToken(validationSetupTOTPDto.getControlToken());
            if (!str.equalsIgnoreCase(setupTOTPTokenDto.getUserUUID())) {
                throw new AuthKitException("You can't use this token for this user");
            }
            if (!isCodeIsValid(base32.decode(setupTOTPTokenDto.getSecret()), validationSetupTOTPDto.getTwoauthcode())) {
                throw new AuthKitException("Invalid code");
            }
            Optional<AuditReportService.RejectLoginCause> checkPassword = this.authenticationService.checkPassword(validationSetupTOTPDto.getCurrentpassword(), this.credentialRepository.getByUserUUID(str));
            if (checkPassword.isPresent()) {
                throw new AuthKitException(401, "Can't accept demand, bad password ; " + checkPassword.get().toString());
            }
            setupTOTP(setupTOTPTokenDto.getSecret(), setupTOTPTokenDto.getBackupCodes(), str);
        } catch (NotAcceptableSecuredTokenException e) {
            log.error("Invalid token", (Throwable) e);
            throw new AuthKitException("You can't use this token");
        }
    }

    private boolean isCodeIsValid(byte[] bArr, String str) {
        try {
            long currentTimeMillis = System.currentTimeMillis();
            if (makeCodeAtTime(bArr, currentTimeMillis, this.timeStepSeconds).equals(str) || makeCodeAtTime(bArr, currentTimeMillis - this.windowMillis, this.timeStepSeconds).equals(str)) {
                return true;
            }
            return makeCodeAtTime(bArr, currentTimeMillis + this.windowMillis, this.timeStepSeconds).equals(str);
        } catch (GeneralSecurityException e) {
            throw new AuthKitException(500, "Can't manage cipher tools");
        }
    }

    @Override // tv.hd3g.authkit.mod.service.TOTPService
    @Transactional(readOnly = true)
    public void checkCodeAndPassword(Credential credential, ValidationTOTPDto validationTOTPDto) {
        Optional<AuditReportService.RejectLoginCause> checkPassword = this.authenticationService.checkPassword(validationTOTPDto.getCurrentpassword(), credential);
        if (checkPassword.isPresent()) {
            throw new AuthKitException(401, "Invalid password: " + checkPassword.get());
        }
        try {
            checkCode(credential, validationTOTPDto.getTwoauthcode());
        } catch (UserCantLoginException.BadTOTPCodeCantLoginException e) {
            throw new AuthKitException(401, "Invalid 2auth code");
        }
    }

    @Override // tv.hd3g.authkit.mod.service.TOTPService
    @Transactional(readOnly = false)
    public void checkCode(Credential credential, String str) throws UserCantLoginException.BadTOTPCodeCantLoginException {
        if (isCodeIsValid(this.cipherService.unCipherToData(credential.getTotpkey()), str)) {
            return;
        }
        this.totpbackupcodeRepository.delete(this.totpbackupcodeRepository.getByCredential(credential).stream().filter(totpbackupcode -> {
            return totpbackupcode.getCode().equals(str);
        }).findFirst().orElseThrow(UserCantLoginException.BadTOTPCodeCantLoginException::new));
    }

    @Override // tv.hd3g.authkit.mod.service.TOTPService
    @Transactional(readOnly = false)
    public void removeTOTP(Credential credential) {
        credential.setTotpkey(null);
        this.credentialRepository.save(credential);
        this.totpbackupcodeRepository.getByCredential(credential).forEach(totpbackupcode -> {
            this.totpbackupcodeRepository.delete(totpbackupcode);
        });
    }

    public static String makeCodeAtTime(byte[] bArr, long j, int i) throws GeneralSecurityException {
        byte[] bArr2 = new byte[8];
        long j2 = (j / 1000) / i;
        int i2 = 7;
        while (j2 > 0) {
            bArr2[i2] = (byte) (j2 & 255);
            j2 >>= 8;
            i2--;
        }
        SecretKeySpec secretKeySpec = new SecretKeySpec(bArr, "HmacSHA1");
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(secretKeySpec);
        byte[] doFinal = mac.doFinal(bArr2);
        int i3 = doFinal[doFinal.length - 1] & 15;
        long j3 = 0;
        for (int i4 = i3; i4 < i3 + 4; i4++) {
            j3 = (j3 << 8) | (doFinal[i4] & 255);
        }
        return StringUtils.leftPad(String.valueOf((int) ((j3 & 2147483647L) % Time.APR_USEC_PER_SEC)), 6, "0");
    }
}
