package org.forgerock.openam.authentication.modules.push;

import com.amazonaws.services.sns.model.InvalidParameterException;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.iplanet.dpro.session.SessionException;
import com.iplanet.sso.SSOException;
import com.sun.identity.authentication.spi.AuthLoginException;
import com.sun.identity.authentication.spi.InvalidPasswordException;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.IdRepoException;
import com.sun.identity.idm.IdUtils;
import com.sun.identity.shared.configuration.SystemPropertiesManager;
import com.sun.identity.shared.datastruct.CollectionHelper;
import com.sun.identity.shared.debug.Debug;
import com.sun.identity.shared.encode.Base64;
import com.sun.identity.sm.DNMapper;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ExecutionException;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.ConfirmationCallback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.login.LoginException;
import org.forgerock.json.JsonValue;
import org.forgerock.json.jose.builders.JwtClaimsSetBuilder;
import org.forgerock.json.jose.builders.SignedJwtBuilderImpl;
import org.forgerock.json.jose.common.JwtReconstruction;
import org.forgerock.json.jose.jws.JwsAlgorithm;
import org.forgerock.json.jose.jws.SigningManager;
import org.forgerock.json.jose.jwt.Jwt;
import org.forgerock.json.resource.NotFoundException;
import org.forgerock.openam.authentication.callbacks.PollingWaitCallback;
import org.forgerock.openam.authentication.callbacks.helpers.PollingWaitAssistant;
import org.forgerock.openam.core.rest.devices.push.PushDeviceSettings;
import org.forgerock.openam.cts.exceptions.CoreTokenException;
import org.forgerock.openam.services.push.PushMessage;
import org.forgerock.openam.services.push.PushNotificationException;
import org.forgerock.openam.services.push.dispatch.MessagePromise;
import org.forgerock.openam.services.push.dispatch.PushMessageChallengeResponsePredicate;
import org.forgerock.openam.services.push.dispatch.SignedJwtVerificationPredicate;
import org.forgerock.openam.utils.StringUtils;
import org.forgerock.openam.utils.Time;
import org.forgerock.util.Reject;

/* loaded from: input_file:org/forgerock/openam/authentication/modules/push/AuthenticatorPush.class */
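/**
 * Authentication module that challenges the user's registered push device and waits for the
 * device's signed reply.
 *
 * <p>Flow, in terms of the state values returned from {@link #process}: the username is taken from
 * shared state or collected with a {@link NameCallback}; a signed {@link PushMessage} carrying a
 * random challenge is sent to the user's {@link PushDeviceSettings}; the module then polls for the
 * reply (via the core token service, falling back to the local message dispatcher) until it
 * completes, times out, or the user presses the emergency button and submits one of the device's
 * single-use recovery codes.
 *
 * <p>One instance serves one login and holds per-login mutable state; it is not thread-safe.
 */
public class AuthenticatorPush extends AbstractPushModule {
    private static final Debug DEBUG = Debug.getInstance("amAuthPush");

    /** State values exchanged with the authentication framework through {@link #process}. */
    private static final int STATE_LOGIN_SUCCEEDED = -1;
    private static final int STATE_BEGIN = 1;
    private static final int STATE_USERNAME = 2;
    private static final int STATE_WAIT = 3;
    private static final int STATE_EMERGENCY = 4;
    private static final int STATE_EMERGENCY_USED = 5;

    /** Position of the {@link PollingWaitCallback} in the wait state's callback array. */
    private static final int POLLING_CALLBACK_INDEX = 0;
    /** Position of the emergency {@link ConfirmationCallback} in the wait state's callback array. */
    private static final int EMERGENCY_CALLBACK_INDEX = 1;
    /** Position of the recovery-code {@link NameCallback} in the emergency state's callback array. */
    private static final int RECOVERY_CODE_CALLBACK_INDEX = 0;
    /** Position of the username {@link NameCallback} in the username state's callback array. */
    private static final int USERNAME_CALLBACK_INDEX = 0;
    /** Size, in bytes, of the random challenge placed in the push message. */
    private static final int CHALLENGE_LENGTH = 32;
    /** Option index of the emergency button; {@link #emergencyPressed} tests for it. */
    private static final int EMERGENCY_BUTTON_INDEX = 0;
    /**
     * Selected index preset on the emergency button; presumably out of range of its option list so
     * the button reads as "not pressed" until the user clicks it -- confirm against the callback
     * rendering code.
     */
    private static final int EMERGENCY_BUTTON_UNSELECTED = 100;

    private Map<String, String> sharedState;
    private String realm;
    private String username;
    private Principal principal;
    // Load-balancer cookie value, forwarded to the device in the "l" claim so its reply reaches
    // the server holding this login; null if it could not be determined in init().
    private String lbCookieValue;
    // Milliseconds the module waits for the device's reply.
    private long timeout;
    private String messageId;
    private MessagePromise messagePromise;
    private PushDeviceSettings device;
    private PollingWaitAssistant pollingWaitAssistant;
    // Absolute wall-clock time (ms) after which the pending challenge is no longer accepted.
    private long expireTime;
    // Message template; "{{user}}" and "{{issuer}}" are substituted when the message is sent.
    private String pushMessage;

    /**
     * Reads module options and prepares the push service, load-balancer cookie and polling helper.
     *
     * @param subject     the login subject (unused here)
     * @param sharedState state shared with other modules in the chain; may supply the username
     * @param options     module configuration attributes
     */
    @Override
    public void init(Subject subject, Map sharedState, Map options) {
        this.sharedState = sharedState;
        // A missing or non-numeric timeout fails init loudly (NumberFormatException) rather than
        // silently accepting an unbounded wait.
        this.timeout = Long.parseLong(
                CollectionHelper.getMapAttr(options, "forgerock-am-auth-push-message-response-timeout"));
        this.realm = DNMapper.orgNameToRealmName(getRequestOrg());
        try {
            this.pushService.init(this.realm);
        } catch (PushNotificationException e) {
            DEBUG.error("AuthenticatorPush :: init() : Unable to init Push system.", e);
        }
        try {
            this.lbCookieValue = this.sessionCookies.getLBCookie(getSessionId());
        } catch (SessionException e) {
            // Left null; sendMessage() refuses to build a challenge without it.
            DEBUG.warning("AuthenticatorPush :: init() : Unable to determine loadbalancer cookie value", e);
        }
        if (Boolean.parseBoolean(SystemPropertiesManager.get("com.forgerock.openam.authentication.push.nearinstant"))) {
            // Near-instant mode: presumably tightens the polling intervals to one second each -- confirm
            // against PollingWaitAssistant's constructor.
            this.pollingWaitAssistant = new PollingWaitAssistant(this.timeout, 1000L, 1000L, 1000L);
        } else {
            this.pollingWaitAssistant = new PollingWaitAssistant(this.timeout);
        }
        this.pushMessage = CollectionHelper.getMapAttr(options, "forgerock-am-auth-push-message");
        String authLevel = CollectionHelper.getMapAttr(options, "forgerock-am-auth-push-auth-level");
        if (authLevel != null) {
            try {
                setAuthLevel(Integer.parseInt(authLevel));
            } catch (Exception e) {
                DEBUG.error("AuthenticatorPush :: init() : Unable to set auth level {}", new Object[]{authLevel, e});
            }
        }
    }

    /**
     * Dispatches on the framework-supplied state.
     *
     * @param callbacks callbacks submitted for the current state
     * @param state     current login state
     * @return the next state, or {@link #STATE_LOGIN_SUCCEEDED}
     * @throws LoginException if the request is missing, the state is unknown, or the step fails
     */
    @Override
    public int process(Callback[] callbacks, int state) throws LoginException {
        if (getHttpServletRequest() == null) {
            DEBUG.error("AuthenticatorPush :: process() : Request was null.");
            throw failedAsLoginException();
        }
        switch (state) {
            case STATE_BEGIN:
                return loginStart();
            case STATE_USERNAME:
                return usernameState(callbacks);
            case STATE_WAIT:
                return stateWait(callbacks);
            case STATE_EMERGENCY:
                return emergencyState(callbacks, this.username, this.realm);
            case STATE_EMERGENCY_USED:
                storeUsername(this.username);
                return STATE_LOGIN_SUCCEEDED;
            default:
                DEBUG.error("AuthenticatorPush :: process() : Invalid state.");
                throw failedAsLoginException();
        }
    }

    /**
     * One polling round in the wait state: rejects an expired challenge, honours the emergency
     * button, otherwise checks for a device reply.
     *
     * @throws AuthLoginException if no device is registered, the challenge expired, or polling fails
     */
    private int stateWait(Callback[] callbacks) throws AuthLoginException {
        checkDeviceExists();
        if (this.expireTime < Time.currentTimeMillis()) {
            throw failedAsPasswordException();
        }
        if (emergencyPressed(callbacks)) {
            return STATE_EMERGENCY;
        }
        return pollForResponse();
    }

    /** True when the wait-state confirmation callback reports the emergency button as selected. */
    private boolean emergencyPressed(Callback[] callbacks) {
        ConfirmationCallback button = (ConfirmationCallback) callbacks[EMERGENCY_CALLBACK_INDEX];
        return button.getSelectedIndex() == EMERGENCY_BUTTON_INDEX;
    }

    /**
     * Fails the login if no push device was resolved for the user.
     *
     * @throws AuthLoginException when {@link #device} is null
     */
    private void checkDeviceExists() throws AuthLoginException {
        if (this.device == null) {
            throw new AuthLoginException(Constants.AM_AUTH_AUTHENTICATOR_PUSH, "authFailed", (Object[]) null);
        }
    }

    /**
     * Validates a submitted recovery code and consumes it.
     *
     * <p>The matching code is removed from the device profile and the profile is saved, so each
     * code is usable once.
     *
     * @param callbacks callbacks for the emergency state; index 0 holds the code
     * @param user      the authenticating user
     * @param realmName the user's realm
     * @return {@link #STATE_EMERGENCY_USED}
     * @throws AuthLoginException if no device exists, the device has no codes, or the code is unknown
     */
    private int emergencyState(Callback[] callbacks, String user, String realmName) throws AuthLoginException {
        // State 4 is normally reached via stateWait(), which already checked the device, but the
        // framework controls state transitions so guard again rather than dereference null.
        checkDeviceExists();
        String submittedCode = ((NameCallback) callbacks[RECOVERY_CODE_CALLBACK_INDEX]).getName();
        String[] storedCodes = this.device.getRecoveryCodes();
        if (storedCodes == null) {
            throw failedAsPasswordException();
        }
        List<String> remaining = new ArrayList<>(Arrays.asList(storedCodes));
        // remove() returns false when the code is not present; that is the rejection path.
        if (!remaining.remove(submittedCode)) {
            throw failedAsPasswordException();
        }
        this.device.setRecoveryCodes(remaining.toArray(new String[0]));
        this.userPushDeviceProfileManager.saveDeviceProfile(user, realmName, this.device);
        return STATE_EMERGENCY_USED;
    }

    /**
     * Acts on the polling helper's current state.
     *
     * @return the next login state
     * @throws AuthLoginException on timeout, excessive polling, or an unrecognised state
     */
    private int pollForResponse() throws AuthLoginException {
        PollingWaitAssistant.PollingWaitState waitState = this.pollingWaitAssistant.getPollingWaitState();
        switch (waitState) {
            case TOO_EARLY:
                // Client polled before the advertised wait elapsed; re-present the wait state unchanged.
                setEmergencyButton();
                return STATE_WAIT;
            case NOT_STARTED:
            case WAITING:
                return waitingChecks();
            case COMPLETE:
                return completeChecks();
            case TIMEOUT:
                DEBUG.warning("AuthenticatorPush :: timeout value exceeded while waiting for response.");
                throw new AuthLoginException(Constants.AM_AUTH_AUTHENTICATOR_PUSH, "authFailed", (Object[]) null);
            case SPAMMED:
                DEBUG.warning("AuthenticatorPush :: too many requests sent to Auth module.  Client should obey wait time.");
                throw new AuthLoginException(Constants.AM_AUTH_AUTHENTICATOR_PUSH, "authFailed", (Object[]) null);
            default:
                throw new AuthLoginException(Constants.AM_AUTH_AUTHENTICATOR_PUSH, "authFailed", (Object[]) null);
        }
    }

    /**
     * Handles a completed promise: reads the device's JWT reply and succeeds unless it carries a
     * truthy "deny" claim.
     *
     * <p>The reply reaching the promise is expected to have already satisfied the signature and
     * challenge predicates registered in {@link #sendMessage}; this method only inspects the
     * "deny" claim. The pending message is always removed from the core token service first.
     *
     * @throws AuthLoginException if the user denied, the CTS delete failed, or the reply could not
     *                            be read
     */
    private int completeChecks() throws AuthLoginException {
        try {
            JsonValue reply = (JsonValue) this.messagePromise.getPromise().get();
            Jwt jwt = new JwtReconstruction().reconstructJwt(reply.get("jwt").asString(), Jwt.class);
            Boolean denied = (Boolean) jwt.getClaimsSet().getClaim("deny");
            this.coreTokenService.deleteAsync(this.messageId);
            if (denied != null && denied.booleanValue()) {
                throw failedAsPasswordException();
            }
            storeUsername(this.username);
            return STATE_LOGIN_SUCCEEDED;
        } catch (CoreTokenException e) {
            DEBUG.warning("Removing token from CTS failed.", e);
            throw failedAsLoginException();
        } catch (InterruptedException e) {
            // Preserve the interrupt for the framework thread that owns it.
            Thread.currentThread().interrupt();
            DEBUG.error("Unable to verify JWT claims did or did not contain a DENY value.", e);
            throw failedAsLoginException();
        } catch (ExecutionException e) {
            DEBUG.error("Unable to verify JWT claims did or did not contain a DENY value.", e);
            throw failedAsLoginException();
        }
    }

    /**
     * Checks the core token service for a reply to the outstanding message.
     *
     * <p>A {@code null} outcome (no reply yet, or the CTS lookup failed) re-presents the wait
     * state with the next poll interval; a non-null outcome ends the login with success or
     * failure and releases the message from the dispatcher and the CTS.
     *
     * @throws AuthLoginException if the dispatcher is missing or the device rejected the login
     */
    private int waitingChecks() throws AuthLoginException {
        // Must start null: a CoreTokenException below leaves it unassigned on purpose so the
        // module keeps polling via the local MessageDispatcher instead of failing the login.
        Boolean ctsOutcome = null;
        try {
            ctsOutcome = checkCTSAuth(this.messageId);
        } catch (CoreTokenException e) {
            DEBUG.warning("CTS threw exception, falling back to local MessageDispatcher.", e);
        } catch (NotFoundException e) {
            DEBUG.error("Could not find local MessageDispatcher for realm.", e);
            throw failedAsLoginException();
        }
        if (ctsOutcome == null) {
            setPollbackTimePeriod(this.pollingWaitAssistant.getWaitPeriod());
            this.pollingWaitAssistant.resetWait();
            setEmergencyButton();
            return STATE_WAIT;
        }
        this.pushService.getMessageDispatcher(this.realm).forget(this.messageId);
        this.coreTokenService.deleteAsync(this.messageId);
        if (!ctsOutcome.booleanValue()) {
            throw failedAsPasswordException();
        }
        storeUsername(this.username);
        return STATE_LOGIN_SUCCEEDED;
    }

    /**
     * First step: resolves the username (from shared state if available), looks up the user's push
     * device and sends the challenge.
     *
     * @return {@link #STATE_USERNAME} when the username must be collected, else {@link #STATE_WAIT}
     * @throws AuthLoginException if the user has no device or the message could not be sent
     */
    private int loginStart() throws AuthLoginException {
        if (this.username == null && this.sharedState != null) {
            this.username = this.sharedState.get(getUserKey());
        }
        if (this.username == null) {
            return STATE_USERNAME;
        }
        this.device = getDevice(this.username, this.realm);
        // Fail closed with a proper login failure instead of a NullPointerException from sendMessage().
        checkDeviceExists();
        if (!sendMessage(this.device)) {
            DEBUG.warning("AuthenticatorPush :: sendState() : Failed to send message.");
            throw failedAsLoginException();
        }
        this.expireTime = Time.currentTimeMillis() + this.timeout;
        setEmergencyButton();
        return STATE_WAIT;
    }

    /**
     * Reads the submitted username and verifies the identity exists and is active in the realm.
     *
     * @return {@link #STATE_BEGIN} so the challenge is sent on the next round
     * @throws AuthLoginException if the username is blank or the identity is missing/inactive
     */
    private int usernameState(Callback[] callbacks) throws AuthLoginException {
        Reject.ifNull(callbacks);
        this.username = ((NameCallback) callbacks[USERNAME_CALLBACK_INDEX]).getName();
        if (StringUtils.isBlank(this.username)) {
            DEBUG.warning("AuthenticatorPush :: usernameState() : Username was blank.");
            throw failedAsLoginException();
        }
        AMIdentity identity = IdUtils.getIdentity(this.username, this.realm);
        if (identity != null) {
            try {
                if (identity.isExists() && identity.isActive()) {
                    this.principal = new AuthenticatorPushPrincipal(this.username);
                    return STATE_BEGIN;
                }
            } catch (IdRepoException | SSOException e) {
                DEBUG.warning("AuthenticatorPush :: Failed to locate user {} ", new Object[]{this.username, e});
            }
        }
        throw failedAsLoginException();
    }

    /**
     * Builds the HMAC-signed challenge JWT, sends it to the device and registers the reply
     * predicates with the dispatcher and the core token service.
     *
     * <p>Claims: {@code u} device mechanism UID, {@code l} base64 load-balancer cookie,
     * {@code c} random challenge, {@code t} timeout in seconds. The reply must pass a signature
     * check and a challenge-response check keyed on the device's shared secret.
     *
     * @param deviceSettings the user's registered push device
     * @return true if the message was sent (even if CTS persistence failed); false if it could
     *         not be built or transmitted
     */
    private boolean sendMessage(PushDeviceSettings deviceSettings) {
        if (this.lbCookieValue == null) {
            DEBUG.error("AuthenticatorPush :: sendMessage() : Load balancer cookie value unavailable; cannot build challenge.");
            return false;
        }
        byte[] sharedSecret = Base64.decode(deviceSettings.getSharedSecret());
        String challenge = this.userPushDeviceProfileManager.createRandomBytes(CHALLENGE_LENGTH);
        String challengeJwt = new SignedJwtBuilderImpl(new SigningManager().newHmacSigningHandler(sharedSecret))
                .claims(new JwtClaimsSetBuilder()
                        .claim("u", deviceSettings.getDeviceMechanismUID())
                        .claim("l", Base64.encode(this.lbCookieValue.getBytes(StandardCharsets.UTF_8)))
                        .claim("c", challenge)
                        .claim("t", String.valueOf(this.timeout / 1000))
                        .build())
                .headers().alg(JwsAlgorithm.HS256).done()
                .build();
        // String.replace() substitutes literally. replaceAll() would interpret '$' and '\' in the
        // user-supplied username (or the issuer) as regex group references and could throw.
        this.pushMessage = this.pushMessage.replace("{{user}}", this.username);
        this.pushMessage = this.pushMessage.replace("{{issuer}}", deviceSettings.getIssuer());
        PushMessage message = new PushMessage(deviceSettings.getCommunicationId(), challengeJwt, this.pushMessage);
        this.messageId = message.getMessageId();
        // Raw type retained: the predicate element type expected by expect()/storeInCTS() is not
        // visible in this file.
        HashSet predicates = new HashSet();
        predicates.add(new SignedJwtVerificationPredicate(sharedSecret, "jwt"));
        predicates.add(new PushMessageChallengeResponsePredicate(sharedSecret, challenge, "jwt"));
        try {
            this.messagePromise = this.pushService.getMessageDispatcher(this.realm).expect(this.messageId, predicates);
            this.pushService.send(message, this.realm);
            this.pollingWaitAssistant.start(this.messagePromise.getPromise());
            predicates.addAll(this.pushService.getAuthenticationMessagePredicatesFor(this.realm));
            storeInCTS(this.messageId, predicates, this.timeout);
            return true;
        } catch (JsonProcessingException | CoreTokenException e) {
            // Best effort: the message is already sent and the local dispatcher holds the
            // expectation, which waitingChecks() falls back to.
            DEBUG.warning("Unable to persist token in core token service.", e);
            return true;
        } catch (NotFoundException | PushNotificationException e) {
            DEBUG.error("AuthenticatorPush :: sendMessage() : Failed to transmit message through PushService.");
            return false;
        }
    }

    /** @return the principal set in {@link #usernameState}, or null if not yet established */
    @Override
    public Principal getPrincipal() {
        return this.principal;
    }

    /** Records the failing user and builds the wrong-credential failure (device denied, bad code, expired). */
    private InvalidPasswordException failedAsPasswordException() {
        setFailureID(this.username);
        return new InvalidPasswordException(Constants.AM_AUTH_AUTHENTICATOR_PUSH, "authFailed", (Object[]) null);
    }

    /** Records the failing user and builds the generic login failure. */
    private AuthLoginException failedAsLoginException() throws AuthLoginException {
        setFailureID(this.username);
        return new AuthLoginException(Constants.AM_AUTH_AUTHENTICATOR_PUSH, "authFailed", (Object[]) null);
    }

    /**
     * Tells the client how long to wait before polling again by rewriting the wait state's
     * {@link PollingWaitCallback}.
     *
     * @param waitPeriod the period from {@link PollingWaitAssistant#getWaitPeriod()}; presumably
     *                   milliseconds -- confirm against the callback contract
     */
    private void setPollbackTimePeriod(long waitPeriod) throws AuthLoginException {
        Callback current = getCallback(STATE_WAIT)[POLLING_CALLBACK_INDEX];
        replaceCallback(STATE_WAIT, POLLING_CALLBACK_INDEX,
                PollingWaitCallback.makeCallback().asCopyOf(current).withWaitTime(String.valueOf(waitPeriod)).build());
    }

    /** (Re)installs an unselected emergency-code button in the wait state's callbacks. */
    private void setEmergencyButton() throws AuthLoginException {
        ConfirmationCallback button = new ConfirmationCallback(
                ConfirmationCallback.INFORMATION, Constants.USE_EMERGENCY_CODE, EMERGENCY_BUTTON_INDEX);
        button.setSelectedIndex(EMERGENCY_BUTTON_UNSELECTED);
        replaceCallback(STATE_WAIT, EMERGENCY_CALLBACK_INDEX, button);
    }
}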
