package org.ametys.plugins.core.authentication;

import dev.samstevens.totp.code.DefaultCodeGenerator;
import dev.samstevens.totp.code.DefaultCodeVerifier;
import dev.samstevens.totp.exceptions.CodeGenerationException;
import dev.samstevens.totp.qr.QrData;
import dev.samstevens.totp.secret.DefaultSecretGenerator;
import dev.samstevens.totp.time.SystemTimeProvider;
import jakarta.mail.MessagingException;
import java.io.IOException;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.time.ZonedDateTime;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Stream;
import org.ametys.core.authentication.CredentialProvider;
import org.ametys.core.datasource.ConnectionHelper;
import org.ametys.core.datasource.dbtype.SQLDatabaseTypeExtensionPoint;
import org.ametys.core.ui.Callable;
import org.ametys.core.ui.mail.StandardMailBodyHelper;
import org.ametys.core.user.CurrentUserProvider;
import org.ametys.core.user.User;
import org.ametys.core.user.UserIdentity;
import org.ametys.core.user.UserManager;
import org.ametys.core.user.population.UserPopulation;
import org.ametys.core.util.CryptoHelper;
import org.ametys.core.util.I18nUtils;
import org.ametys.core.util.mail.SendMailHelper;
import org.ametys.plugins.core.impl.authentication.FormCredentialProvider;
import org.ametys.runtime.config.Config;
import org.ametys.runtime.i18n.I18nizableText;
import org.ametys.runtime.plugin.component.AbstractLogEnabled;
import org.apache.avalon.framework.activity.Disposable;
import org.apache.avalon.framework.activity.Initializable;
import org.apache.avalon.framework.component.Component;
import org.apache.avalon.framework.configuration.Configuration;
import org.apache.avalon.framework.configuration.DefaultConfiguration;
import org.apache.avalon.framework.context.Context;
import org.apache.avalon.framework.context.ContextException;
import org.apache.avalon.framework.context.Contextualizable;
import org.apache.avalon.framework.service.ServiceException;
import org.apache.avalon.framework.service.ServiceManager;
import org.apache.avalon.framework.service.Serviceable;
import org.apache.cocoon.components.LifecycleHelper;
import org.apache.cocoon.environment.Request;
import org.apache.cocoon.util.log.SLF4JLoggerAdapter;
import org.apache.commons.lang3.StringUtils;

/* loaded from: input_file:org/ametys/plugins/core/authentication/MultifactorAuthenticationManager.class */
public class MultifactorAuthenticationManager extends AbstractLogEnabled implements Component, Serviceable, Initializable, Contextualizable, Disposable {
    public static final String ROLE = MultifactorAuthenticationManager.class.getName();
    private static final String __SQL_TABLE_NAME = "Authentication_MFA";
    private static final String __QRCODE_ISSUER_KEY = "APPLICATION_PRODUCT_LABEL";
    private static final String __QRCODE_ISSUER_CATALOG = "application";
    private static final String __SEND_CODE_MAIL_SUBJECT_DEFAULT_PREFIX_KEY = "PLUGINS_CORE_MULTIFACTOR_AUTHENTICATION_MAIL_SUBJECT_DEFAULT_PREFIX";
    private static final String __SEND_CODE_MAIL_SUBJECT_KEY = "PLUGINS_CORE_MULTIFACTOR_AUTHENTICATION_MAIL_SUBJECT";
    private static final String __SEND_CODE_MAIL_BODY_TITLE_KEY = "PLUGINS_CORE_MULTIFACTOR_AUTHENTICATION_MAIL_BODY_TITLE";
    private static final String __SEND_CODE_MAIL_BODY_KEY = "PLUGINS_CORE_MULTIFACTOR_AUTHENTICATION_MAIL_BODY";
    private static final int __BUCKET_PERIOD_IN_SECONDS = 30;
    private static final int __ALLOWED_EMAIL_TIME_PERIOD_DISCREPANCY = 10;
    protected ServiceManager _serviceManager;
    protected Context _context;
    protected I18nUtils _i18nUtils;
    protected UserManager _userManager;
    protected SQLDatabaseTypeExtensionPoint _sqlDatabaseTypeExtensionPoint;
    protected CurrentUserProvider _currentUserProvider;
    protected Map<String, MultifactorAuthenticationCryptoHelper> _cryptoHelpers = new HashMap();
    protected String _datasourceId;

    /* loaded from: input_file:org/ametys/plugins/core/authentication/MultifactorAuthenticationManager$MultifactorAuthenticationCode.class */
    public static final class MultifactorAuthenticationCode extends Record {
        private final String code;
        private final ZonedDateTime expirationDate;

        public MultifactorAuthenticationCode(String str, ZonedDateTime zonedDateTime) {
            this.code = str;
            this.expirationDate = zonedDateTime;
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, MultifactorAuthenticationCode.class), MultifactorAuthenticationCode.class, "code;expirationDate", "FIELD:Lorg/ametys/plugins/core/authentication/MultifactorAuthenticationManager$MultifactorAuthenticationCode;->code:Ljava/lang/String;", "FIELD:Lorg/ametys/plugins/core/authentication/MultifactorAuthenticationManager$MultifactorAuthenticationCode;->expirationDate:Ljava/time/ZonedDateTime;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, MultifactorAuthenticationCode.class), MultifactorAuthenticationCode.class, "code;expirationDate", "FIELD:Lorg/ametys/plugins/core/authentication/MultifactorAuthenticationManager$MultifactorAuthenticationCode;->code:Ljava/lang/String;", "FIELD:Lorg/ametys/plugins/core/authentication/MultifactorAuthenticationManager$MultifactorAuthenticationCode;->expirationDate:Ljava/time/ZonedDateTime;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, MultifactorAuthenticationCode.class, Object.class), MultifactorAuthenticationCode.class, "code;expirationDate", "FIELD:Lorg/ametys/plugins/core/authentication/MultifactorAuthenticationManager$MultifactorAuthenticationCode;->code:Ljava/lang/String;", "FIELD:Lorg/ametys/plugins/core/authentication/MultifactorAuthenticationManager$MultifactorAuthenticationCode;->expirationDate:Ljava/time/ZonedDateTime;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public String code() {
            return this.code;
        }

        public ZonedDateTime expirationDate() {
            return this.expirationDate;
        }
    }

    public void service(ServiceManager serviceManager) throws ServiceException {
        this._serviceManager = serviceManager;
        this._i18nUtils = (I18nUtils) serviceManager.lookup(I18nUtils.ROLE);
        this._userManager = (UserManager) serviceManager.lookup(UserManager.ROLE);
        this._sqlDatabaseTypeExtensionPoint = (SQLDatabaseTypeExtensionPoint) serviceManager.lookup(SQLDatabaseTypeExtensionPoint.ROLE);
        this._currentUserProvider = (CurrentUserProvider) serviceManager.lookup(CurrentUserProvider.ROLE);
    }

    public void initialize() throws Exception {
        this._datasourceId = Config.getInstance() != null ? (String) Config.getInstance().getValue("runtime.assignments.multifactorauthentication") : "";
    }

    public void contextualize(Context context) throws ContextException {
        this._context = context;
    }

    public void dispose() {
        this._cryptoHelpers.clear();
    }

    public int getEmailCodeDuration() {
        return 300;
    }

    public void initializeMFACryptoComponent(UserPopulation userPopulation) throws IllegalStateException {
        if (this._cryptoHelpers.containsKey(userPopulation.getId())) {
            return;
        }
        try {
            Stream<CredentialProvider> stream = userPopulation.getCredentialProviders().stream();
            Class<FormCredentialProvider> cls = FormCredentialProvider.class;
            Objects.requireNonNull(FormCredentialProvider.class);
            Stream<CredentialProvider> filter = stream.filter((v1) -> {
                return r1.isInstance(v1);
            });
            Class<FormCredentialProvider> cls2 = FormCredentialProvider.class;
            Objects.requireNonNull(FormCredentialProvider.class);
            if (filter.map((v1) -> {
                return r1.cast(v1);
            }).anyMatch((v0) -> {
                return v0.useMultifactorAuthentication();
            })) {
                Configuration _getCryptoHelperConfiguration = _getCryptoHelperConfiguration(userPopulation);
                MultifactorAuthenticationCryptoHelper multifactorAuthenticationCryptoHelper = new MultifactorAuthenticationCryptoHelper();
                LifecycleHelper.setupComponent(multifactorAuthenticationCryptoHelper, new SLF4JLoggerAdapter(getLogger()), this._context, this._serviceManager, _getCryptoHelperConfiguration);
                this._cryptoHelpers.put(userPopulation.getId(), multifactorAuthenticationCryptoHelper);
            }
        } catch (Exception e) {
            throw new IllegalStateException("An error occured during the initialization of the multifactor authentication crypto component for UserPopulation '" + userPopulation.getId() + "'.", e);
        }
    }

    private Configuration _getCryptoHelperConfiguration(UserPopulation userPopulation) {
        DefaultConfiguration defaultConfiguration = new DefaultConfiguration("mfaCryptoHelper");
        DefaultConfiguration defaultConfiguration2 = new DefaultConfiguration("userPopulationId");
        defaultConfiguration2.setValue(userPopulation.getId());
        defaultConfiguration.addChild(defaultConfiguration2);
        return defaultConfiguration;
    }

    public MultifactorAuthenticationCode generateMultifactorAuthenticationCode(UserIdentity userIdentity) throws RuntimeException {
        if (StringUtils.isEmpty(this._datasourceId)) {
            return null;
        }
        String _getUserSecret = _getUserSecret(userIdentity);
        try {
            ZonedDateTime now = ZonedDateTime.now();
            return new MultifactorAuthenticationCode(new DefaultCodeGenerator().generate(_getUserSecret, Math.floorDiv(now.toEpochSecond(), __BUCKET_PERIOD_IN_SECONDS)), now.plusSeconds(getEmailCodeDuration()));
        } catch (CodeGenerationException e) {
            throw new RuntimeException("Unable to generate the multifactor authentication code for user " + UserIdentity.userIdentityToString(userIdentity) + ".", e);
        }
    }

    @Callable(rights = {""})
    public Map<String, Object> getUserSecretForCurrentUser() {
        UserIdentity user = this._currentUserProvider.getUser();
        return Map.of("active", Boolean.valueOf(isAuthenticationApplicationActivated(user)), "secret", _getUserSecret(user));
    }

    @Callable(rights = {""})
    public String renewSecretForCurrentUser() {
        return renewSecret(this._currentUserProvider.getUser());
    }

    public boolean isAuthenticationApplicationActivated(UserIdentity userIdentity) {
        try {
            try {
                Connection connection = ConnectionHelper.getConnection(this._datasourceId);
                PreparedStatement _getSelectUseApplicationStatement = _getSelectUseApplicationStatement(connection, userIdentity);
                try {
                    ResultSet executeQuery = _getSelectUseApplicationStatement.executeQuery();
                    try {
                        if (!executeQuery.next()) {
                            if (executeQuery != null) {
                                executeQuery.close();
                            }
                            if (_getSelectUseApplicationStatement != null) {
                                _getSelectUseApplicationStatement.close();
                            }
                            ConnectionHelper.cleanup(connection);
                            return false;
                        }
                        boolean z = executeQuery.getBoolean("use_application");
                        if (executeQuery != null) {
                            executeQuery.close();
                        }
                        if (_getSelectUseApplicationStatement != null) {
                            _getSelectUseApplicationStatement.close();
                        }
                        ConnectionHelper.cleanup(connection);
                        return z;
                    } catch (Throwable th) {
                        if (executeQuery != null) {
                            try {
                                executeQuery.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        }
                        throw th;
                    }
                } catch (Throwable th3) {
                    if (_getSelectUseApplicationStatement != null) {
                        try {
                            _getSelectUseApplicationStatement.close();
                        } catch (Throwable th4) {
                            th3.addSuppressed(th4);
                        }
                    }
                    throw th3;
                }
            } catch (SQLException e) {
                throw new RuntimeException("Communication error with the database. Unable to retrieve the multifactor authentication state for user " + UserIdentity.userIdentityToString(userIdentity) + ".", e);
            }
        } catch (Throwable th5) {
            ConnectionHelper.cleanup((Connection) null);
            throw th5;
        }
    }

    private PreparedStatement _getSelectUseApplicationStatement(Connection connection, UserIdentity userIdentity) throws SQLException {
        PreparedStatement prepareStatement = connection.prepareStatement("SELECT use_application FROM " + this._sqlDatabaseTypeExtensionPoint.languageEscapeTableName(ConnectionHelper.getDatabaseType(connection), __SQL_TABLE_NAME) + " WHERE login=? AND population_id=?");
        prepareStatement.setString(1, userIdentity.getLogin());
        prepareStatement.setString(2, userIdentity.getPopulationId());
        return prepareStatement;
    }

    @Callable(rights = {""})
    public void authenticationApplicationForCurrentUser(boolean z) {
        _storeAuthenticationActivationInDataSource(this._currentUserProvider.getUser(), z);
    }

    private void _storeAuthenticationActivationInDataSource(UserIdentity userIdentity, boolean z) throws RuntimeException {
        Connection connection = null;
        try {
            try {
                connection = ConnectionHelper.getConnection(this._datasourceId);
                PreparedStatement prepareStatement = connection.prepareStatement("UPDATE " + this._sqlDatabaseTypeExtensionPoint.languageEscapeTableName(ConnectionHelper.getDatabaseType(connection), __SQL_TABLE_NAME) + " SET use_application=? WHERE login=? AND population_id=?");
                prepareStatement.setBoolean(1, z);
                prepareStatement.setString(2, userIdentity.getLogin());
                prepareStatement.setString(3, userIdentity.getPopulationId());
                prepareStatement.executeUpdate();
                ConnectionHelper.cleanup(connection);
            } catch (SQLException e) {
                throw new RuntimeException("Communication error with the database. Unable to store the generated secret for multifactor authentication for user " + UserIdentity.userIdentityToString(userIdentity) + ".", e);
            }
        } catch (Throwable th) {
            ConnectionHelper.cleanup(connection);
            throw th;
        }
    }

    public QrData getCurrentUserQrData() {
        UserIdentity user = this._currentUserProvider.getUser();
        String _getUserSecret = _getUserSecret(user);
        return new QrData.Builder().secret(_getUserSecret).label(user.getLogin()).issuer(this._i18nUtils.translate(new I18nizableText("application", __QRCODE_ISSUER_KEY))).period(__BUCKET_PERIOD_IN_SECONDS).build();
    }

    private String _getUserSecret(UserIdentity userIdentity) {
        return _getSecretFromDatasourceIfExists(userIdentity).orElseGet(() -> {
            return _generateSecret(userIdentity);
        });
    }

    public boolean isValidMultifactorAuthenticationCode(UserIdentity userIdentity, String str) throws RuntimeException {
        Optional<String> _getSecretFromDatasourceIfExists = _getSecretFromDatasourceIfExists(userIdentity);
        if (!_getSecretFromDatasourceIfExists.isPresent()) {
            return false;
        }
        DefaultCodeVerifier defaultCodeVerifier = new DefaultCodeVerifier(new DefaultCodeGenerator(), new SystemTimeProvider());
        defaultCodeVerifier.setTimePeriod(__BUCKET_PERIOD_IN_SECONDS);
        defaultCodeVerifier.setAllowedTimePeriodDiscrepancy(__ALLOWED_EMAIL_TIME_PERIOD_DISCREPANCY);
        return defaultCodeVerifier.isValidCode(_getSecretFromDatasourceIfExists.get(), str);
    }

    private Optional<String> _getSecretFromDatasourceIfExists(UserIdentity userIdentity) throws RuntimeException {
        try {
            try {
                try {
                    Connection connection = ConnectionHelper.getConnection(this._datasourceId);
                    PreparedStatement _getSelectSecretStatement = _getSelectSecretStatement(connection, userIdentity);
                    try {
                        ResultSet executeQuery = _getSelectSecretStatement.executeQuery();
                        try {
                            if (!executeQuery.next()) {
                                if (executeQuery != null) {
                                    executeQuery.close();
                                }
                                if (_getSelectSecretStatement != null) {
                                    _getSelectSecretStatement.close();
                                }
                                Optional<String> empty = Optional.empty();
                                ConnectionHelper.cleanup(connection);
                                return empty;
                            }
                            Optional<String> of = Optional.of(this._cryptoHelpers.get(userIdentity.getPopulationId()).decrypt(executeQuery.getString("secret")));
                            if (executeQuery != null) {
                                executeQuery.close();
                            }
                            if (_getSelectSecretStatement != null) {
                                _getSelectSecretStatement.close();
                            }
                            ConnectionHelper.cleanup(connection);
                            return of;
                        } catch (Throwable th) {
                            if (executeQuery != null) {
                                try {
                                    executeQuery.close();
                                } catch (Throwable th2) {
                                    th.addSuppressed(th2);
                                }
                            }
                            throw th;
                        }
                    } catch (Throwable th3) {
                        if (_getSelectSecretStatement != null) {
                            try {
                                _getSelectSecretStatement.close();
                            } catch (Throwable th4) {
                                th3.addSuppressed(th4);
                            }
                        }
                        throw th3;
                    }
                } catch (Throwable th5) {
                    ConnectionHelper.cleanup((Connection) null);
                    throw th5;
                }
            } catch (SQLException e) {
                throw new RuntimeException("Communication error with the database. Unable to retrieve the multifactor authentication secret for user " + UserIdentity.userIdentityToString(userIdentity) + ".", e);
            }
        } catch (CryptoHelper.WrongKeyException e2) {
            throw new RuntimeException("Secret of user " + UserIdentity.userIdentityToString(userIdentity) + " cannot be decrypted. Unable to retrieve the multifactor authentication secret.", e2);
        }
    }

    public String renewSecret(UserIdentity userIdentity) {
        try {
            try {
                Connection connection = ConnectionHelper.getConnection(this._datasourceId);
                String generate = new DefaultSecretGenerator().generate();
                PreparedStatement _getUpdateSecretStatement = _getUpdateSecretStatement(connection, userIdentity, generate);
                try {
                    if (_getUpdateSecretStatement.executeUpdate() != 1) {
                        if (_getUpdateSecretStatement != null) {
                            _getUpdateSecretStatement.close();
                        }
                        throw new RuntimeException("Secret of user " + UserIdentity.userIdentityToString(userIdentity) + " cannot be updated");
                    }
                    if (_getUpdateSecretStatement != null) {
                        _getUpdateSecretStatement.close();
                    }
                    ConnectionHelper.cleanup(connection);
                    return generate;
                } catch (Throwable th) {
                    if (_getUpdateSecretStatement != null) {
                        try {
                            _getUpdateSecretStatement.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } catch (SQLException e) {
                throw new RuntimeException("Communication error with the database. Unable to retrieve the multifactor authentication secret for user " + UserIdentity.userIdentityToString(userIdentity) + ".", e);
            }
        } catch (Throwable th3) {
            ConnectionHelper.cleanup((Connection) null);
            throw th3;
        }
    }

    private PreparedStatement _getUpdateSecretStatement(Connection connection, UserIdentity userIdentity, String str) throws SQLException {
        String str2 = "UPDATE " + this._sqlDatabaseTypeExtensionPoint.languageEscapeTableName(ConnectionHelper.getDatabaseType(connection), __SQL_TABLE_NAME) + " SET secret=? WHERE login=? AND population_id=?";
        String encrypt = this._cryptoHelpers.get(userIdentity.getPopulationId()).encrypt(str);
        PreparedStatement prepareStatement = connection.prepareStatement(str2);
        prepareStatement.setString(1, encrypt);
        prepareStatement.setString(2, userIdentity.getLogin());
        prepareStatement.setString(3, userIdentity.getPopulationId());
        return prepareStatement;
    }

    private PreparedStatement _getSelectSecretStatement(Connection connection, UserIdentity userIdentity) throws SQLException {
        PreparedStatement prepareStatement = connection.prepareStatement("SELECT secret FROM " + this._sqlDatabaseTypeExtensionPoint.languageEscapeTableName(ConnectionHelper.getDatabaseType(connection), __SQL_TABLE_NAME) + " WHERE login=? AND population_id=?");
        prepareStatement.setString(1, userIdentity.getLogin());
        prepareStatement.setString(2, userIdentity.getPopulationId());
        return prepareStatement;
    }

    private String _generateSecret(UserIdentity userIdentity) throws RuntimeException {
        String generate = new DefaultSecretGenerator().generate();
        _storeSecretInDataSource(userIdentity, generate);
        return generate;
    }

    private void _storeSecretInDataSource(UserIdentity userIdentity, String str) throws RuntimeException {
        Connection connection = null;
        try {
            try {
                connection = ConnectionHelper.getConnection(this._datasourceId);
                PreparedStatement prepareStatement = connection.prepareStatement("INSERT INTO " + this._sqlDatabaseTypeExtensionPoint.languageEscapeTableName(ConnectionHelper.getDatabaseType(connection), __SQL_TABLE_NAME) + " (login, population_id, secret) VALUES (?, ?, ?)");
                prepareStatement.setString(1, userIdentity.getLogin());
                prepareStatement.setString(2, userIdentity.getPopulationId());
                prepareStatement.setString(3, this._cryptoHelpers.get(userIdentity.getPopulationId()).encrypt(str));
                prepareStatement.executeUpdate();
                ConnectionHelper.cleanup(connection);
            } catch (SQLException e) {
                throw new RuntimeException("Communication error with the database. Unable to store the generated secret for multifactor authentication for user " + UserIdentity.userIdentityToString(userIdentity) + ".", e);
            }
        } catch (Throwable th) {
            ConnectionHelper.cleanup(connection);
            throw th;
        }
    }

    public void sendMultifactorAuthenticationCodeByMail(Request request, UserIdentity userIdentity, String str) throws RuntimeException {
        try {
            User user = this._userManager.getUser(userIdentity);
            String email = user.getEmail();
            if (StringUtils.isEmpty(email)) {
                throw new RuntimeException("Unable to send the multifactor authentication code to user " + UserIdentity.userIdentityToString(userIdentity) + ". This user has no email address");
            }
            String language = user.getLanguage();
            List of = List.of(this._i18nUtils.translate(_getMailSubjectPrefix(request), language), str, String.valueOf(getEmailCodeDuration() / 60));
            String translate = this._i18nUtils.translate(new I18nizableText("plugin.core-impl", __SEND_CODE_MAIL_SUBJECT_KEY, (List<String>) of), language);
            SendMailHelper.newMail().withSubject(translate).withHTMLBody(StandardMailBodyHelper.newHTMLBody().withTitle(new I18nizableText("plugin.core-impl", __SEND_CODE_MAIL_BODY_TITLE_KEY)).withMessage(new I18nizableText("plugin.core-impl", __SEND_CODE_MAIL_BODY_KEY, (List<String>) of)).withFooterBottomText(StandardMailBodyHelper.AUTOGENERATED_DO_NOT_ANSWER_TEXT).withLanguage(language).build()).withRecipient(email).sendMail();
        } catch (MessagingException | IOException e) {
            throw new RuntimeException("Unable to send the multifactor authentication code to user " + UserIdentity.userIdentityToString(userIdentity) + ".", e);
        }
    }

    protected I18nizableText _getMailSubjectPrefix(Request request) {
        return new I18nizableText("plugin.core-impl", __SEND_CODE_MAIL_SUBJECT_DEFAULT_PREFIX_KEY);
    }
}
