package org.apereo.cas.gauth.credential;

import com.google.errorprone.annotations.CanIgnoreReturnValue;
import com.warrenstrange.googleauth.IGoogleAuthenticator;
import java.security.GeneralSecurityException;
import java.util.Collection;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.security.auth.login.AccountExpiredException;
import javax.security.auth.login.AccountNotFoundException;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.OneTimeTokenAccount;
import org.apereo.cas.authentication.PreventedException;
import org.apereo.cas.gauth.token.GoogleAuthenticatorToken;
import org.apereo.cas.otp.repository.credentials.OneTimeTokenCredentialRepository;
import org.apereo.cas.otp.repository.credentials.OneTimeTokenCredentialValidator;
import org.apereo.cas.otp.repository.token.OneTimeTokenRepository;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/gauth/credential/GoogleAuthenticatorOneTimeTokenCredentialValidator.class */
public class GoogleAuthenticatorOneTimeTokenCredentialValidator implements OneTimeTokenCredentialValidator<GoogleAuthenticatorTokenCredential, GoogleAuthenticatorToken> {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(GoogleAuthenticatorOneTimeTokenCredentialValidator.class);
    private final IGoogleAuthenticator googleAuthenticatorInstance;
    private final OneTimeTokenRepository tokenRepository;
    private final OneTimeTokenCredentialRepository credentialRepository;

    private static boolean isCredentialAssignedToAccount(GoogleAuthenticatorTokenCredential googleAuthenticatorTokenCredential, OneTimeTokenAccount oneTimeTokenAccount) {
        return googleAuthenticatorTokenCredential.getAccountId() == null || googleAuthenticatorTokenCredential.getAccountId().longValue() == oneTimeTokenAccount.getId();
    }

    public GoogleAuthenticatorToken validate(Authentication authentication, GoogleAuthenticatorTokenCredential googleAuthenticatorTokenCredential) throws GeneralSecurityException, PreventedException {
        if (!StringUtils.isNumeric(googleAuthenticatorTokenCredential.getToken())) {
            throw new PreventedException("Invalid non-numeric OTP format specified.");
        }
        String id = authentication.getPrincipal().getId();
        int parseInt = Integer.parseInt(googleAuthenticatorTokenCredential.getToken());
        LOGGER.trace("Received OTP [{}] assigned to account [{}]", Integer.valueOf(parseInt), googleAuthenticatorTokenCredential.getAccountId());
        LOGGER.trace("Received principal id [{}]. Attempting to locate account in credential repository...", id);
        Collection<? extends OneTimeTokenAccount> collection = this.credentialRepository.get(id);
        if (collection == null || collection.isEmpty()) {
            throw new AccountNotFoundException(id + " cannot be found in the registry");
        }
        if (collection.size() > 1 && googleAuthenticatorTokenCredential.getAccountId() == null) {
            throw new PreventedException("Account identifier must be specified if multiple accounts are registered for " + id);
        }
        LOGGER.trace("Attempting to locate OTP token [{}] in token repository for [{}]...", Integer.valueOf(parseInt), id);
        if (this.tokenRepository.exists(id, Integer.valueOf(parseInt))) {
            throw new AccountExpiredException(id + " cannot reuse OTP " + parseInt + " as it may be expired/invalid");
        }
        LOGGER.debug("Attempting to authorize OTP token [{}]...", Integer.valueOf(parseInt));
        return (GoogleAuthenticatorToken) getAuthorizedAccountForToken(googleAuthenticatorTokenCredential, collection).or(() -> {
            return getAuthorizedScratchCodeForToken(googleAuthenticatorTokenCredential, authentication, collection);
        }).map(googleAuthenticatorAccount -> {
            return new GoogleAuthenticatorToken(Integer.valueOf(parseInt), id);
        }).orElse(null);
    }

    @CanIgnoreReturnValue
    public OneTimeTokenCredentialValidator<GoogleAuthenticatorTokenCredential, GoogleAuthenticatorToken> store(GoogleAuthenticatorToken googleAuthenticatorToken) {
        this.tokenRepository.store(googleAuthenticatorToken);
        return this;
    }

    public boolean isTokenAuthorizedFor(int i, OneTimeTokenAccount oneTimeTokenAccount) {
        return this.googleAuthenticatorInstance.authorize(oneTimeTokenAccount.getSecretKey(), i);
    }

    protected Optional<GoogleAuthenticatorAccount> getAuthorizedScratchCodeForToken(GoogleAuthenticatorTokenCredential googleAuthenticatorTokenCredential, Authentication authentication, Collection<? extends OneTimeTokenAccount> collection) {
        String id = authentication.getPrincipal().getId();
        int parseInt = Integer.parseInt(googleAuthenticatorTokenCredential.getToken());
        Stream<? extends OneTimeTokenAccount> filter = collection.stream().filter(oneTimeTokenAccount -> {
            return isCredentialAssignedToAccount(googleAuthenticatorTokenCredential, oneTimeTokenAccount) && ((List) oneTimeTokenAccount.getScratchCodes().stream().map((v0) -> {
                return v0.intValue();
            }).collect(Collectors.toList())).contains(Integer.valueOf(parseInt));
        });
        Class<GoogleAuthenticatorAccount> cls = GoogleAuthenticatorAccount.class;
        Objects.requireNonNull(GoogleAuthenticatorAccount.class);
        return filter.map((v1) -> {
            return r1.cast(v1);
        }).peek(googleAuthenticatorAccount -> {
            LOGGER.info("Using scratch code [{}] to authenticate user [{}]. Scratch code will be removed", Integer.valueOf(parseInt), id);
            googleAuthenticatorAccount.getScratchCodes().removeIf(number -> {
                return number.intValue() == parseInt;
            });
            this.credentialRepository.update(googleAuthenticatorAccount);
        }).findFirst();
    }

    protected Optional<GoogleAuthenticatorAccount> getAuthorizedAccountForToken(GoogleAuthenticatorTokenCredential googleAuthenticatorTokenCredential, Collection<? extends OneTimeTokenAccount> collection) {
        int parseInt = Integer.parseInt(googleAuthenticatorTokenCredential.getToken());
        Stream<? extends OneTimeTokenAccount> filter = collection.stream().filter(oneTimeTokenAccount -> {
            return isCredentialAssignedToAccount(googleAuthenticatorTokenCredential, oneTimeTokenAccount) && isTokenAuthorizedFor(parseInt, oneTimeTokenAccount);
        });
        Class<GoogleAuthenticatorAccount> cls = GoogleAuthenticatorAccount.class;
        Objects.requireNonNull(GoogleAuthenticatorAccount.class);
        return filter.map((v1) -> {
            return r1.cast(v1);
        }).findFirst();
    }

    @Generated
    public GoogleAuthenticatorOneTimeTokenCredentialValidator(IGoogleAuthenticator iGoogleAuthenticator, OneTimeTokenRepository oneTimeTokenRepository, OneTimeTokenCredentialRepository oneTimeTokenCredentialRepository) {
        this.googleAuthenticatorInstance = iGoogleAuthenticator;
        this.tokenRepository = oneTimeTokenRepository;
        this.credentialRepository = oneTimeTokenCredentialRepository;
    }

    @Generated
    public IGoogleAuthenticator getGoogleAuthenticatorInstance() {
        return this.googleAuthenticatorInstance;
    }

    @Generated
    public OneTimeTokenRepository getTokenRepository() {
        return this.tokenRepository;
    }

    @Generated
    public OneTimeTokenCredentialRepository getCredentialRepository() {
        return this.credentialRepository;
    }
}
