package org.apereo.cas.mfa.accepto;

import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import javax.servlet.http.HttpServletRequest;
import lombok.Generated;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.BooleanUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.HttpResponse;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.configuration.model.support.mfa.AccepttoMultifactorAuthenticationProperties;
import org.apereo.cas.mfa.accepto.web.flow.AccepttoWebflowUtils;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.EncodingUtils;
import org.apereo.cas.util.HttpUtils;
import org.apereo.cas.util.LoggingUtils;
import org.apereo.cas.util.serialization.JacksonObjectMapperFactory;
import org.apereo.cas.web.support.CookieUtils;
import org.apereo.cas.web.support.WebUtils;
import org.apereo.inspektr.common.web.ClientInfoHolder;
import org.hjson.JsonValue;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.keys.AesKey;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpMethod;
import org.springframework.webflow.execution.RequestContext;

/* loaded from: input_file:org/apereo/cas/mfa/accepto/AccepttoApiUtils.class */
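/**
 * Static helpers that talk to the Acceptto MFA HTTP API on behalf of the CAS webflow.
 *
 * <p>Every network-facing method returns an empty map instead of throwing when the call or the
 * response validation fails, so callers have to treat an empty map as "no usable answer".
 */
public final class AccepttoApiUtils {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(AccepttoApiUtils.class);

    // Default (polymorphic) typing is switched off, so JSON received from the API or decoded from a
    // client-supplied token is only ever bound to plain maps.
    private static final ObjectMapper MAPPER = JacksonObjectMapperFactory.builder().defaultTypingEnabled(false).build().toObjectMapper();

    /**
     * Reads the user's email address from the principal attribute named by
     * {@code getEmailAttribute()}.
     *
     * @param authentication the current authentication whose principal attributes are consulted
     * @param accepttoMultifactorAuthenticationProperties settings naming the email attribute
     * @return the first value of the attribute as a string, or {@code null} when there is none
     */
    public static String getUserEmail(Authentication authentication, AccepttoMultifactorAuthenticationProperties accepttoMultifactorAuthenticationProperties) {
        Map<?, ?> attributes = authentication.getPrincipal().getAttributes();
        // NOTE(review): this writes the complete attribute map to the debug log; confirm no
        // sensitive attributes are released to this principal before enabling DEBUG here.
        LOGGER.debug("Current principal attributes are [{}]", attributes);
        return CollectionUtils.firstElement(attributes.get(accepttoMultifactorAuthenticationProperties.getEmailAttribute()))
            .map(Object::toString)
            .orElse(null);
    }

    /**
     * Reads the user's groups from the principal attribute named by {@code getGroupAttribute()}.
     *
     * @param authentication the current authentication whose principal attributes are consulted
     * @param accepttoMultifactorAuthenticationProperties settings naming the group attribute
     * @return the attribute values, or an empty list when the attribute name is blank or the
     *     principal does not carry it
     */
    public static List<String> getUserGroup(Authentication authentication, AccepttoMultifactorAuthenticationProperties accepttoMultifactorAuthenticationProperties) {
        Map<?, ?> attributes = authentication.getPrincipal().getAttributes();
        LOGGER.debug("Current principal attributes are [{}]", attributes);
        String groupAttribute = accepttoMultifactorAuthenticationProperties.getGroupAttribute();
        if (StringUtils.isBlank(groupAttribute) || !attributes.containsKey(groupAttribute)) {
            return new ArrayList<>(0);
        }
        // The element type is not checked here; the values are whatever the attribute holds.
        @SuppressWarnings("unchecked")
        List<String> groups = CollectionUtils.toCollection(attributes.get(groupAttribute), ArrayList.class);
        return groups;
    }

    /**
     * Calls the {@code is_user_valid} endpoint for the user's email address.
     *
     * @param authentication the current authentication, used to resolve the email address
     * @param accepttoMultifactorAuthenticationProperties API URL, application id and secret
     * @return the parsed response body on HTTP 200; an empty map when the email address cannot be
     *     determined, no response arrives, the status is not 200, or an exception occurs
     */
    public static Map isUserValid(Authentication authentication, AccepttoMultifactorAuthenticationProperties accepttoMultifactorAuthenticationProperties) {
        String url = StringUtils.appendIfMissing(accepttoMultifactorAuthenticationProperties.getApiUrl(), "/") + "is_user_valid";
        String email = getUserEmail(authentication, accepttoMultifactorAuthenticationProperties);
        if (StringUtils.isBlank(email)) {
            LOGGER.error("Unable to determine email address under attribute [{}]", accepttoMultifactorAuthenticationProperties.getEmailAttribute());
            return new HashMap<>(0);
        }
        LOGGER.debug("Principal email address determined from attribute [{}] is [{}]", accepttoMultifactorAuthenticationProperties.getEmailAttribute(), email);

        // Declared outside the try so the finally block releases the real response on every path,
        // including when reading or parsing the body throws.
        HttpResponse response = null;
        try {
            // NOTE(review): the application secret travels as a request parameter; confirm that
            // HttpUtils sends POST parameters in the body and not in the URL query string, where
            // they would end up in proxy and access logs.
            response = HttpUtils.execute(HttpUtils.HttpExecutionRequest.builder()
                .method(HttpMethod.POST)
                .url(url)
                .parameters(CollectionUtils.wrap(
                    "uid", accepttoMultifactorAuthenticationProperties.getApplicationId(),
                    "secret", accepttoMultifactorAuthenticationProperties.getSecret(),
                    "email", email))
                .build());
            if (response != null) {
                int status = response.getStatusLine().getStatusCode();
                LOGGER.debug("Response status code is [{}]", status);
                if (status == 200) {
                    try (InputStream content = response.getEntity().getContent()) {
                        String body = IOUtils.toString(content, StandardCharsets.UTF_8);
                        LOGGER.debug("Received API response as [{}]", body);
                        // Hjson is normalised to strict JSON before Jackson binds it to a map.
                        return MAPPER.readValue(JsonValue.readHjson(body).toString(), Map.class);
                    }
                }
            }
        } catch (Exception e) {
            LoggingUtils.error(LOGGER, e);
        } finally {
            HttpUtils.close(response);
        }
        return new HashMap<>(0);
    }

    /**
     * Submits an authentication request to the registration API and returns the response payload
     * only after its JWS signature has been verified with {@code publicKey}.
     *
     * <p>The outer response must contain a {@code content} entry holding the signed payload. An
     * empty map is returned when no response arrives, the entry is missing, the signature does not
     * verify, or any exception occurs, so an empty map must never be read as a successful answer.
     *
     * @param authentication the current authentication, used to resolve email and groups
     * @param accepttoMultifactorAuthenticationProperties API settings and credentials
     * @param requestContext the webflow context supplying the HTTP request and credential
     * @param publicKey the key used to verify the signed {@code content} of the response
     * @return the verified payload as a map, or an empty map on any failure
     */
    public static Map authenticate(Authentication authentication, AccepttoMultifactorAuthenticationProperties accepttoMultifactorAuthenticationProperties, RequestContext requestContext, PublicKey publicKey) {
        String url = accepttoMultifactorAuthenticationProperties.getRegistrationApiUrl();
        String email = getUserEmail(authentication, accepttoMultifactorAuthenticationProperties);
        String sessionId = UUID.randomUUID().toString();
        HttpServletRequest request = WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext);
        LOGGER.debug("Principal email address determined from attribute [{}] is [{}]", accepttoMultifactorAuthenticationProperties.getEmailAttribute(), email);

        Map<String, Object> parameters = CollectionUtils.wrap(
            "application_uid", accepttoMultifactorAuthenticationProperties.getApplicationId(),
            "type", "Login",
            "ip_address", ClientInfoHolder.getClientInfo().getClientIpAddress(),
            "remote_ip_address", request.getRemoteAddr(),
            "message", accepttoMultifactorAuthenticationProperties.getMessage(),
            "session_id", sessionId,
            "timeout", String.valueOf(accepttoMultifactorAuthenticationProperties.getTimeout()),
            "email", email);
        // The "jwt" cookie value comes straight from the browser and is forwarded as received.
        CookieUtils.getCookieFromRequest("jwt", request)
            .ifPresent(cookie -> parameters.put("jwt", cookie.getValue()));
        List<String> groups = getUserGroup(authentication, accepttoMultifactorAuthenticationProperties);
        if (!groups.isEmpty()) {
            // Only the first group is sent.
            parameters.put("groups", groups.get(0));
        }
        AccepttoWebflowUtils.getEGuardianUserId(requestContext)
            .ifPresent(id -> parameters.put("eguardian_user_id", id));
        if (WebUtils.getCredential(requestContext) instanceof AccepttoEmailCredential) {
            parameters.put("auth_type", "1");
        }
        // Names only: the values include the forwarded "jwt" cookie, which must not reach the logs.
        LOGGER.debug("Authentication API parameter names are [{}]", parameters.keySet());

        HttpResponse response = null;
        try {
            response = HttpUtils.execute(HttpUtils.HttpExecutionRequest.builder()
                .method(HttpMethod.POST)
                .url(url)
                .parameters(parameters)
                .headers(CollectionUtils.wrap("Authorization", "Bearer " + buildAuthorizationHeaderPayloadForAuthentication(accepttoMultifactorAuthenticationProperties)))
                .build());
            if (response == null) {
                LOGGER.error("No response received from authentication API");
                return new HashMap<>(0);
            }
            LOGGER.debug("Authentication response status code is [{}]", response.getStatusLine().getStatusCode());
            try (InputStream content = response.getEntity().getContent()) {
                Map<?, ?> envelope = MAPPER.readValue(JsonValue.readHjson(IOUtils.toString(content, StandardCharsets.UTF_8)).toString(), Map.class);
                LOGGER.trace("Received API response as [{}]", envelope);
                if (!envelope.containsKey("content")) {
                    throw new IllegalArgumentException("Unable to locate content in API response");
                }
                String signedContent = envelope.get("content").toString();
                LOGGER.trace("Validating response signature for [{}] using [{}]", signedContent, publicKey);
                // Nothing from the response is trusted until the signature check has passed.
                byte[] verified = EncodingUtils.verifyJwsSignature(publicKey, signedContent);
                if (verified == null) {
                    LOGGER.error("Unable to verify API content using public key [{}]", publicKey);
                    return new HashMap<>(0);
                }
                String json = JsonValue.readHjson(new String(verified, StandardCharsets.UTF_8)).toString();
                LOGGER.debug("Received final API response as [{}]", json);
                return MAPPER.readValue(json, Map.class);
            }
        } catch (Exception e) {
            LoggingUtils.error(LOGGER, e);
            return new HashMap<>(0);
        } finally {
            // Release the real response on every path, including the failure paths above.
            HttpUtils.close(response);
        }
    }

    /**
     * Builds the bearer token for the registration API: a JWS signed with HMAC-SHA256 using the
     * organization secret, carrying the organization id as {@code uid} and expiring one minute
     * from now.
     *
     * @param accepttoMultifactorAuthenticationProperties source of organization id and secret
     * @return the compact signed token
     */
    private static String buildAuthorizationHeaderPayloadForAuthentication(AccepttoMultifactorAuthenticationProperties accepttoMultifactorAuthenticationProperties) {
        JwtClaims claims = new JwtClaims();
        claims.setClaim("uid", accepttoMultifactorAuthenticationProperties.getOrganizationId());
        claims.setExpirationTimeMinutesInTheFuture(1.0f);
        String json = claims.toJson();
        LOGGER.trace("Authorization payload is [{}]", json);
        AesKey signingKey = new AesKey(accepttoMultifactorAuthenticationProperties.getOrganizationSecret().getBytes(StandardCharsets.UTF_8));
        LOGGER.trace("Signing authorization payload...");
        String token = new String(EncodingUtils.signJwsHMACSha256(signingKey, json.getBytes(StandardCharsets.UTF_8), Map.of()), StandardCharsets.UTF_8);
        // The signed token is a usable bearer credential until it expires, so it is not logged.
        LOGGER.trace("Authorization payload has been signed");
        return token;
    }

    /**
     * Reports whether the {@code is_user_valid} response marks the user's device as paired.
     *
     * @param authentication the current authentication
     * @param accepttoMultifactorAuthenticationProperties API settings and credentials
     * @return {@code true} only when {@code device_paired} is present, non-null and reads as true
     */
    public static boolean isUserDevicePaired(Authentication authentication, AccepttoMultifactorAuthenticationProperties accepttoMultifactorAuthenticationProperties) {
        Map<?, ?> result = isUserValid(authentication, accepttoMultifactorAuthenticationProperties);
        if (result == null) {
            return false;
        }
        // A JSON null is treated like a missing key rather than raising NullPointerException.
        Object paired = result.get("device_paired");
        return paired != null && BooleanUtils.toBoolean(paired.toString());
    }

    /**
     * Packs the invitation token and the user's email address into a base64-encoded JSON object.
     *
     * <p>Despite the name this is an encoding, not a hash: anyone holding the value can decode it
     * and read both fields.
     *
     * @param authentication the current authentication, used to resolve the email address
     * @param accepttoMultifactorAuthenticationProperties settings naming the email attribute
     * @param str the invitation token to embed
     * @return base64 of {@code {"invitation_token": ..., "email_address": ...}}
     * @throws Exception if the JSON cannot be produced
     */
    public static String generateQRCodeHash(Authentication authentication, AccepttoMultifactorAuthenticationProperties accepttoMultifactorAuthenticationProperties, String str) throws Exception {
        Map<String, Object> payload = CollectionUtils.wrap(
            "invitation_token", str,
            "email_address", getUserEmail(authentication, accepttoMultifactorAuthenticationProperties));
        return EncodingUtils.encodeBase64(MAPPER.writeValueAsString(payload));
    }

    /**
     * Extracts the invitation token from a base64-encoded JSON object.
     *
     * <p>The input carries no signature, so the returned token is exactly as trustworthy as the
     * place {@code str} came from.
     *
     * @param str the base64-encoded JSON value
     * @return the {@code invitation_token} entry as a string
     * @throws IllegalArgumentException if the decoded object has no {@code invitation_token}
     * @throws Exception if the value cannot be decoded or parsed
     */
    public static String decodeInvitationToken(String str) throws Exception {
        Map<?, ?> decoded = MAPPER.readValue(EncodingUtils.decodeBase64(str), Map.class);
        Object token = decoded == null ? null : decoded.get("invitation_token");
        if (token == null) {
            throw new IllegalArgumentException("Unable to locate invitation token in decoded payload");
        }
        return token.toString();
    }

    @Generated
    private AccepttoApiUtils() {
        throw new UnsupportedOperationException("This is a utility class and cannot be instantiated");
    }
}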
