package io.gravitee.am.gateway.handler.common.vertx.web.handler.impl.internal.mfa;

import io.gravitee.am.gateway.handler.common.factor.FactorManager;
import io.gravitee.am.gateway.handler.common.ruleengine.RuleEngine;
import io.gravitee.am.gateway.handler.common.vertx.web.handler.impl.internal.AuthenticationFlowChain;
import io.gravitee.am.gateway.handler.common.vertx.web.handler.impl.internal.mfa.utils.MfaUtils;
import io.gravitee.am.model.MfaChallengeType;
import io.gravitee.am.model.oidc.Client;
import io.vertx.core.Handler;
import io.vertx.rxjava3.ext.web.RoutingContext;

/* loaded from: input_file:io/gravitee/am/gateway/handler/common/vertx/web/handler/impl/internal/mfa/MFAChallengeStep.class */
public class MFAChallengeStep extends MFAStep {
    private final FactorManager factorManager;

    /* renamed from: io.gravitee.am.gateway.handler.common.vertx.web.handler.impl.internal.mfa.MFAChallengeStep$1, reason: invalid class name */
    /* loaded from: input_file:io/gravitee/am/gateway/handler/common/vertx/web/handler/impl/internal/mfa/MFAChallengeStep$1.class */
    static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$io$gravitee$am$model$MfaChallengeType = new int[MfaChallengeType.values().length];

        static {
            try {
                $SwitchMap$io$gravitee$am$model$MfaChallengeType[MfaChallengeType.REQUIRED.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$io$gravitee$am$model$MfaChallengeType[MfaChallengeType.CONDITIONAL.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$io$gravitee$am$model$MfaChallengeType[MfaChallengeType.RISK_BASED.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
        }
    }

    public MFAChallengeStep(Handler<RoutingContext> handler, RuleEngine ruleEngine, FactorManager factorManager) {
        super(handler, ruleEngine);
        this.factorManager = factorManager;
    }

    @Override // io.gravitee.am.gateway.handler.common.vertx.web.handler.impl.internal.AuthenticationFlowStep
    public void execute(RoutingContext routingContext, AuthenticationFlowChain authenticationFlowChain) {
        Client client = (Client) routingContext.get("client");
        MfaFilterContext mfaFilterContext = new MfaFilterContext(routingContext, client, this.factorManager, this.ruleEngine);
        if (mfaFilterContext.isUserSilentAuth()) {
            MfaUtils.stopMfaFlow(mfaFilterContext, authenticationFlowChain);
            return;
        }
        if (MfaUtils.isMfaFlowStopped(mfaFilterContext)) {
            continueFlow(mfaFilterContext, authenticationFlowChain);
            return;
        }
        if (mfaFilterContext.isUserSelectedEnrollFactor()) {
            challenge(mfaFilterContext, authenticationFlowChain);
            return;
        }
        if (!mfaFilterContext.isChallengeCompleted() && MfaUtils.stepUpRequired(mfaFilterContext, client, this.ruleEngine)) {
            challenge(mfaFilterContext, authenticationFlowChain);
            return;
        }
        if (!MfaUtils.isChallengeActive(client)) {
            continueFlow(mfaFilterContext, authenticationFlowChain);
            return;
        }
        switch (AnonymousClass1.$SwitchMap$io$gravitee$am$model$MfaChallengeType[MfaUtils.getChallengeSettings(client).getType().ordinal()]) {
            case 1:
                required(mfaFilterContext, authenticationFlowChain);
                return;
            case 2:
                conditional(mfaFilterContext, authenticationFlowChain, client);
                return;
            case 3:
                riskBased(mfaFilterContext, authenticationFlowChain, client);
                return;
            default:
                return;
        }
    }

    private void required(MfaFilterContext mfaFilterContext, AuthenticationFlowChain authenticationFlowChain) {
        if (mfaFilterContext.isUserStronglyAuth() || isRememberDevice(mfaFilterContext)) {
            continueFlow(mfaFilterContext, authenticationFlowChain);
        } else {
            challenge(mfaFilterContext, authenticationFlowChain);
        }
    }

    private void conditional(MfaFilterContext mfaFilterContext, AuthenticationFlowChain authenticationFlowChain, Client client) {
        if (MfaUtils.challengeConditionSatisfied(client, mfaFilterContext, this.ruleEngine)) {
            continueFlow(mfaFilterContext, authenticationFlowChain);
            return;
        }
        if (mfaFilterContext.getRememberDeviceSettings().isSkipChallengeWhenRememberDevice()) {
            required(mfaFilterContext, authenticationFlowChain);
        } else if (mfaFilterContext.isUserStronglyAuth()) {
            continueFlow(mfaFilterContext, authenticationFlowChain);
        } else {
            challenge(mfaFilterContext, authenticationFlowChain);
        }
    }

    private void riskBased(MfaFilterContext mfaFilterContext, AuthenticationFlowChain authenticationFlowChain, Client client) {
        if (mfaFilterContext.isUserStronglyAuth() || isSafe(mfaFilterContext, client)) {
            continueFlow(mfaFilterContext, authenticationFlowChain);
        } else {
            challenge(mfaFilterContext, authenticationFlowChain);
        }
    }

    private void challenge(MfaFilterContext mfaFilterContext, AuthenticationFlowChain authenticationFlowChain) {
        MfaUtils.executeFlowStep(mfaFilterContext, authenticationFlowChain, this);
    }

    private boolean isSafe(MfaFilterContext mfaFilterContext, Client client) {
        return MfaUtils.evaluateRule(MfaUtils.getAdaptiveMfaStepUpRule(client), mfaFilterContext, this.ruleEngine);
    }

    private boolean isRememberDevice(MfaFilterContext mfaFilterContext) {
        return !mfaFilterContext.isDeviceRiskAssessmentEnabled() && mfaFilterContext.getRememberDeviceSettings().isActive() && mfaFilterContext.deviceAlreadyExists();
    }

    private static void continueFlow(MfaFilterContext mfaFilterContext, AuthenticationFlowChain authenticationFlowChain) {
        MfaUtils.continueMfaFlow(mfaFilterContext, authenticationFlowChain);
    }
}
