package io.gravitee.am.gateway.handler.common.vertx.web.handler.impl.internal.mfa;

import io.gravitee.am.gateway.handler.common.factor.FactorManager;
import io.gravitee.am.gateway.handler.common.ruleengine.RuleEngine;
import io.gravitee.am.gateway.handler.common.vertx.web.handler.impl.internal.AuthenticationFlowChain;
import io.gravitee.am.gateway.handler.common.vertx.web.handler.impl.internal.mfa.utils.MfaUtils;
import io.gravitee.am.model.EnrollSettings;
import io.gravitee.am.model.MfaChallengeType;
import io.gravitee.am.model.MfaEnrollType;
import io.gravitee.am.model.oidc.Client;
import io.vertx.core.Handler;
import io.vertx.rxjava3.ext.web.RoutingContext;
import java.util.Optional;

/* loaded from: input_file:io/gravitee/am/gateway/handler/common/vertx/web/handler/impl/internal/mfa/MFAEnrollStep.class */
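/**
 * Authentication-flow step that decides whether the user has to enroll an MFA factor.
 *
 * <p>Each decision ends in one of three private helpers, all thin delegates to {@code MfaUtils}:
 * <ul>
 *   <li>{@code stop} calls {@code MfaUtils.stopMfaFlow};</li>
 *   <li>{@code continueFlow} calls {@code MfaUtils.continueMfaFlow};</li>
 *   <li>{@code enrollment} calls {@code MfaUtils.executeFlowStep} with this step.</li>
 * </ul>
 * The bodies of those {@code MfaUtils} methods are not part of this class. Presumably
 * {@code stop} lets the login proceed without enrollment and {@code enrollment} sends the user
 * to the enrollment page; confirm against {@code MfaUtils} before relying on that reading.
 *
 * <p>Security note: every {@code stop} branch is a place where enrollment is not enforced, so
 * each one is commented with the exact condition that leads to it.
 */
public class MFAEnrollStep extends MFAStep {
    private final FactorManager factorManager;

    /**
     * Creates the step.
     *
     * @param handler handler passed to the {@code MFAStep} constructor
     * @param ruleEngine rule engine passed to the {@code MFAStep} constructor and used here to
     *     evaluate step-up, enrollment and skip rules
     * @param factorManager used to build the {@code MfaFilterContext} and to check whether the
     *     client has factors
     */
    public MFAEnrollStep(Handler<RoutingContext> handler, RuleEngine ruleEngine, FactorManager factorManager) {
        super(handler, ruleEngine);
        this.factorManager = factorManager;
    }

    /**
     * Runs the enrollment decision for the current request.
     *
     * <p>Checks are evaluated in this order; the first match wins:
     * <ol>
     *   <li>silent authentication: {@code stop};</li>
     *   <li>the client has no factors: {@code stop};</li>
     *   <li>a factor is selected but {@code checkSelectedFactor()} is false: {@code enrollment};</li>
     *   <li>the user has no factor and step-up is required: {@code enrollment};</li>
     *   <li>enrollment settings are active: dispatch on the configured {@code MfaEnrollType};</li>
     *   <li>otherwise: step-up required gives {@code continueFlow}, an active challenge defers to
     *       {@link #enrollIfChallengeRequires}, anything else gives {@code stop}.</li>
     * </ol>
     *
     * @param routingContext current request context; the client is read from key {@code "client"}
     * @param authenticationFlowChain chain handed to the {@code MfaUtils} flow helpers
     */
    @Override
    public void execute(RoutingContext routingContext, AuthenticationFlowChain authenticationFlowChain) {
        Client client = (Client) routingContext.get("client");
        MfaFilterContext context = new MfaFilterContext(routingContext, client, this.factorManager, this.ruleEngine);

        // Enrollment is not enforced for silent authentication or for a client without factors.
        if (context.isUserSilentAuth() || !MfaUtils.hasFactors(client, this.factorManager)) {
            stop(context, authenticationFlowChain);
            return;
        }

        // A selected factor that does not pass checkSelectedFactor() sends the user to enrollment.
        if (context.isFactorSelected() && !context.checkSelectedFactor()) {
            enrollment(context, authenticationFlowChain);
            return;
        }

        // Step-up with no usable factor: enrollment takes precedence over the enroll settings.
        if (!userHasFactor(context) && MfaUtils.stepUpRequired(context, client, this.ruleEngine)) {
            enrollment(context, authenticationFlowChain);
            return;
        }

        if (isEnrollActive(client)) {
            // NOTE(review): a null type throws NullPointerException at the switch; confirm that
            // getType() cannot return null for an active enrollment configuration.
            MfaEnrollType enrollType = MfaUtils.getEnrollSettings(client).getType();
            switch (enrollType) {
                case OPTIONAL:
                    optional(authenticationFlowChain, context);
                    return;
                case REQUIRED:
                    required(authenticationFlowChain, context);
                    return;
                case CONDITIONAL:
                    conditional(authenticationFlowChain, client, context);
                    return;
                default:
                    // Fail closed: a type this class does not know must not end the step with no
                    // stop/continue/enrollment call at all, so it is handled as REQUIRED, the
                    // strictest of the known policies.
                    required(authenticationFlowChain, context);
                    return;
            }
        }

        if (MfaUtils.stepUpRequired(context, client, this.ruleEngine)) {
            continueFlow(context, authenticationFlowChain);
        } else if (MfaUtils.isChallengeActive(client)) {
            enrollIfChallengeRequires(authenticationFlowChain, client, context);
        } else {
            // Enrollment inactive, no step-up, no active challenge: enrollment is not enforced.
            stop(context, authenticationFlowChain);
        }
    }

    /** REQUIRED policy: a user with a factor continues, any other user is sent to enrollment. */
    private void required(AuthenticationFlowChain authenticationFlowChain, MfaFilterContext mfaFilterContext) {
        if (userHasFactor(mfaFilterContext)) {
            continueFlow(mfaFilterContext, authenticationFlowChain);
            return;
        }
        enrollment(mfaFilterContext, authenticationFlowChain);
    }

    /**
     * CONDITIONAL policy.
     *
     * <p>When the enrollment rule evaluates to true the step stops without enrollment. Otherwise a
     * user with a factor continues, and a user who may not skip is sent to enrollment. A user who
     * may skip gets the session flag {@code mfaEnrollmentCanBeSkippedConditionally} set to true
     * and is then stopped only if {@code isEnrollSkipped()} reports true; if not, the user is
     * still sent to enrollment.
     */
    private void conditional(AuthenticationFlowChain authenticationFlowChain, Client client, MfaFilterContext mfaFilterContext) {
        if (enrollConditionSatisfied(client, mfaFilterContext)) {
            // Enrollment rule evaluated to true: enrollment is not enforced on this request.
            stop(mfaFilterContext, authenticationFlowChain);
            return;
        }
        if (userHasFactor(mfaFilterContext)) {
            continueFlow(mfaFilterContext, authenticationFlowChain);
            return;
        }
        if (!canUserSkip(client, mfaFilterContext)) {
            enrollment(mfaFilterContext, authenticationFlowChain);
            return;
        }

        // The flag is written before the skip state is read, and it is written on both outcomes.
        mfaFilterContext.session().put("mfaEnrollmentCanBeSkippedConditionally", true);
        if (mfaFilterContext.isEnrollSkipped()) {
            stop(mfaFilterContext, authenticationFlowChain);
        } else {
            enrollment(mfaFilterContext, authenticationFlowChain);
        }
    }

    /**
     * OPTIONAL policy: a skipped enrollment stops the step, a user with a factor continues, and
     * any other user is sent to enrollment. The skip check comes first, so it wins even when the
     * user already has a factor.
     */
    private void optional(AuthenticationFlowChain authenticationFlowChain, MfaFilterContext mfaFilterContext) {
        if (mfaFilterContext.isEnrollSkipped()) {
            stop(mfaFilterContext, authenticationFlowChain);
            return;
        }
        if (userHasFactor(mfaFilterContext)) {
            continueFlow(mfaFilterContext, authenticationFlowChain);
            return;
        }
        enrollment(mfaFilterContext, authenticationFlowChain);
    }

    /**
     * Used when enrollment settings are inactive but a challenge is active. Only a CONDITIONAL
     * challenge whose condition is satisfied stops the step; every other case applies the
     * REQUIRED policy. The challenge condition is evaluated only for a CONDITIONAL challenge.
     */
    private void enrollIfChallengeRequires(AuthenticationFlowChain authenticationFlowChain, Client client, MfaFilterContext mfaFilterContext) {
        boolean conditionalChallenge = MfaChallengeType.CONDITIONAL.equals(MfaUtils.getChallengeSettings(client).getType());
        if (conditionalChallenge && MfaUtils.challengeConditionSatisfied(client, mfaFilterContext, this.ruleEngine)) {
            stop(mfaFilterContext, authenticationFlowChain);
        } else {
            required(authenticationFlowChain, mfaFilterContext);
        }
    }

    /** Hands this step to {@code MfaUtils.executeFlowStep}. */
    private void enrollment(MfaFilterContext mfaFilterContext, AuthenticationFlowChain authenticationFlowChain) {
        MfaUtils.executeFlowStep(mfaFilterContext, authenticationFlowChain, this);
    }

    /** Evaluates the client's enrollment rule with the rule engine. */
    private boolean enrollConditionSatisfied(Client client, MfaFilterContext mfaFilterContext) {
        String enrollmentRule = MfaUtils.getEnrollSettings(client).getEnrollmentRule();
        return MfaUtils.evaluateRule(enrollmentRule, mfaFilterContext, this.ruleEngine);
    }

    /** Returns true only when MFA settings and enroll settings exist and report active. */
    private boolean isEnrollActive(Client client) {
        return Optional.ofNullable(client.getMfaSettings())
                .map(settings -> settings.getEnroll())
                .map(enroll -> enroll.isActive())
                .orElse(false);
    }

    /** True when the user selected an enroll factor or has matching activated factors. */
    private boolean userHasFactor(MfaFilterContext mfaFilterContext) {
        if (mfaFilterContext.isUserSelectedEnrollFactor()) {
            return true;
        }
        return mfaFilterContext.userHasMatchingActivatedFactors();
    }

    /** Delegates to {@code MfaUtils.continueMfaFlow}. */
    private static void continueFlow(MfaFilterContext mfaFilterContext, AuthenticationFlowChain authenticationFlowChain) {
        MfaUtils.continueMfaFlow(mfaFilterContext, authenticationFlowChain);
    }

    /** Delegates to {@code MfaUtils.stopMfaFlow}. */
    private static void stop(MfaFilterContext mfaFilterContext, AuthenticationFlowChain authenticationFlowChain) {
        MfaUtils.stopMfaFlow(mfaFilterContext, authenticationFlowChain);
    }

    /**
     * Tells whether the user is allowed to skip enrollment.
     *
     * <p>Both conditions must hold: skipping is active in the enroll settings and the skip rule
     * evaluates to true. When the client has no MFA or enroll settings, a default
     * {@code EnrollSettings} instance is consulted instead.
     *
     * @param client client whose MFA settings are read
     * @param mfaFilterContext context passed to the rule evaluation
     * @return true when enrollment may be skipped
     */
    public boolean canUserSkip(Client client, MfaFilterContext mfaFilterContext) {
        EnrollSettings enrollSettings = Optional.ofNullable(client.getMfaSettings())
                .map(settings -> settings.getEnroll())
                .orElseGet(EnrollSettings::new);
        if (!enrollSettings.isEnrollmentSkipActive()) {
            return false;
        }
        return MfaUtils.evaluateRule(enrollSettings.getEnrollmentSkipRule(), mfaFilterContext, this.ruleEngine);
    }
}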
