package org.apereo.cas.gauth;

import com.warrenstrange.googleauth.IGoogleAuthenticator;
import java.security.GeneralSecurityException;
import javax.security.auth.login.AccountExpiredException;
import javax.security.auth.login.AccountNotFoundException;
import javax.security.auth.login.FailedLoginException;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.AuthenticationHandlerExecutionResult;
import org.apereo.cas.authentication.Credential;
import org.apereo.cas.authentication.OneTimeTokenAccount;
import org.apereo.cas.authentication.PreventedException;
import org.apereo.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.gauth.credential.GoogleAuthenticatorTokenCredential;
import org.apereo.cas.gauth.token.GoogleAuthenticatorToken;
import org.apereo.cas.otp.repository.credentials.OneTimeTokenCredentialRepository;
import org.apereo.cas.otp.repository.token.OneTimeTokenRepository;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.web.support.WebUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/gauth/GoogleAuthenticatorAuthenticationHandler.class */
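public class GoogleAuthenticatorAuthenticationHandler extends AbstractPreAndPostProcessingAuthenticationHandler {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(GoogleAuthenticatorAuthenticationHandler.class);

    /** Verifier that checks a submitted code against an account's secret key. */
    private final IGoogleAuthenticator googleAuthenticatorInstance;

    /** Repository of already-consumed tokens; consulted to refuse reuse and written to on success. */
    private final OneTimeTokenRepository tokenRepository;

    /** Repository of registered accounts (secret key and scratch codes), looked up by principal id. */
    private final OneTimeTokenCredentialRepository credentialRepository;

    /**
     * Creates the handler.
     *
     * @param str                              handler name, forwarded to the superclass
     * @param servicesManager                  services manager, forwarded to the superclass
     * @param principalFactory                 factory used to build the authenticated principal
     * @param iGoogleAuthenticator             verifier for submitted codes
     * @param oneTimeTokenRepository           repository of consumed tokens
     * @param oneTimeTokenCredentialRepository repository of registered accounts
     * @param num                              handler order, forwarded to the superclass
     */
    public GoogleAuthenticatorAuthenticationHandler(String str, ServicesManager servicesManager, PrincipalFactory principalFactory, IGoogleAuthenticator iGoogleAuthenticator, OneTimeTokenRepository oneTimeTokenRepository, OneTimeTokenCredentialRepository oneTimeTokenCredentialRepository, Integer num) {
        super(str, servicesManager, principalFactory, num);
        this.googleAuthenticatorInstance = iGoogleAuthenticator;
        this.tokenRepository = oneTimeTokenRepository;
        this.credentialRepository = oneTimeTokenCredentialRepository;
    }

    /**
     * Validates a one-time token for the principal of the in-progress authentication.
     * <p>
     * The submitted value must be numeric and fit in an {@code int}; the principal must have a
     * registered account with a secret key; the token must not already be in the token repository.
     * A token that the verifier rejects is still accepted when it matches one of the account's
     * scratch codes, in which case that scratch code is removed and the account is updated.
     * A successfully validated token is stored in the token repository so it cannot be replayed.
     *
     * @param credential the credential; must be a {@link GoogleAuthenticatorTokenCredential}
     * @return the handler result carrying a principal built from the in-progress authentication's id
     * @throws PreventedException       if the token is not numeric or does not fit in an {@code int}
     * @throws AccountNotFoundException if no account with a secret key is registered for the principal
     * @throws AccountExpiredException  if the token is already present in the token repository
     * @throws FailedLoginException     if the token is neither accepted by the verifier nor an unused scratch code
     */
    protected AuthenticationHandlerExecutionResult doAuthentication(Credential credential) throws GeneralSecurityException, PreventedException {
        GoogleAuthenticatorTokenCredential googleAuthenticatorTokenCredential = (GoogleAuthenticatorTokenCredential) credential;
        String token = googleAuthenticatorTokenCredential.getToken();
        // isNumeric() rejects null, empty and anything that is not all digits.
        if (!StringUtils.isNumeric(token)) {
            throw new PreventedException("Invalid non-numeric OTP format specified.", new IllegalArgumentException("Invalid token " + token));
        }
        int parseInt;
        try {
            parseInt = Integer.parseInt(token);
        } catch (NumberFormatException e) {
            // isNumeric() accepts digit strings of any length, so a value too large for an int
            // would otherwise escape this handler as an unchecked exception instead of a
            // PreventedException like every other malformed token.
            throw new PreventedException("Invalid OTP format specified: value is out of range.", e);
        }
        LOGGER.trace("Received OTP [{}]", Integer.valueOf(parseInt));
        // NOTE(review): assumes an authentication is in progress for the current request;
        // if getInProgressAuthentication() returns null this line throws NPE — confirm with callers.
        String id = WebUtils.getInProgressAuthentication().getPrincipal().getId();
        LOGGER.trace("Received principal id [{}]. Attempting to locate account in credential repository...", id);
        OneTimeTokenAccount oneTimeTokenAccount = this.credentialRepository.get(id);
        if (oneTimeTokenAccount == null || StringUtils.isBlank(oneTimeTokenAccount.getSecretKey())) {
            throw new AccountNotFoundException(id + " cannot be found in the registry");
        }
        LOGGER.trace("Attempting to locate OTP token [{}] in token repository for [{}]...", Integer.valueOf(parseInt), id);
        // Replay protection: a token that was already consumed for this principal is refused.
        if (this.tokenRepository.exists(id, Integer.valueOf(parseInt))) {
            throw new AccountExpiredException(id + " cannot reuse OTP " + parseInt + " as it may be expired/invalid");
        }
        LOGGER.debug("Attempting to authorize OTP token [{}]...", Integer.valueOf(parseInt));
        boolean authorize = this.googleAuthenticatorInstance.authorize(oneTimeTokenAccount.getSecretKey(), parseInt);
        if (!authorize && oneTimeTokenAccount.getScratchCodes().contains(Integer.valueOf(parseInt))) {
            LOGGER.warn("Using scratch code [{}] to authenticate user [{}]. Scratch code will be removed", Integer.valueOf(parseInt), id);
            // Scratch codes are single-use: drop the matched code and persist the account.
            oneTimeTokenAccount.getScratchCodes().removeIf(num -> num.intValue() == parseInt);
            this.credentialRepository.update(oneTimeTokenAccount);
            authorize = true;
        }
        if (!authorize) {
            // NOTE(review): the rejected code is written to the log at WARN; whether log output is an
            // acceptable sink for submitted OTP values is a deployment decision — confirm.
            LOGGER.warn("Authorization of OTP token [{}] has failed", Integer.valueOf(parseInt));
            throw new FailedLoginException("Failed to authenticate code " + parseInt);
        }
        LOGGER.debug("Validated OTP token [{}] successfully for [{}]", Integer.valueOf(parseInt), id);
        // Record the consumed token so the exists() check above refuses it next time.
        this.tokenRepository.store(new GoogleAuthenticatorToken(Integer.valueOf(parseInt), id));
        LOGGER.debug("Creating authentication result and building principal for [{}]", id);
        return createHandlerResult(googleAuthenticatorTokenCredential, this.principalFactory.createPrincipal(id));
    }

    /**
     * Reports whether this handler accepts credentials of the given class.
     *
     * @param cls the credential class
     * @return {@code true} if {@code cls} is {@link GoogleAuthenticatorTokenCredential} or a subtype
     */
    public boolean supports(Class<? extends Credential> cls) {
        return GoogleAuthenticatorTokenCredential.class.isAssignableFrom(cls);
    }

    /**
     * Reports whether this handler accepts the given credential instance.
     *
     * @param credential the credential; must not be null
     * @return {@code true} if the credential is a {@link GoogleAuthenticatorTokenCredential}
     */
    public boolean supports(Credential credential) {
        return GoogleAuthenticatorTokenCredential.class.isAssignableFrom(credential.getClass());
    }

    /** @return the verifier used to check submitted codes */
    @Generated
    public IGoogleAuthenticator getGoogleAuthenticatorInstance() {
        return this.googleAuthenticatorInstance;
    }

    /** @return the repository of consumed tokens */
    @Generated
    public OneTimeTokenRepository getTokenRepository() {
        return this.tokenRepository;
    }

    /** @return the repository of registered accounts */
    @Generated
    public OneTimeTokenCredentialRepository getCredentialRepository() {
        return this.credentialRepository;
    }
}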
