package org.apereo.cas.adaptors.yubikey;

import com.yubico.client.v2.ResponseStatus;
import com.yubico.client.v2.VerificationResponse;
import com.yubico.client.v2.YubicoClient;
import com.yubico.client.v2.exceptions.YubicoValidationFailure;
import com.yubico.client.v2.exceptions.YubicoVerificationException;
import java.security.GeneralSecurityException;
import javax.security.auth.login.AccountNotFoundException;
import javax.security.auth.login.FailedLoginException;
import lombok.Generated;
import org.apereo.cas.adaptors.yubikey.registry.OpenYubiKeyAccountRegistry;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.AuthenticationHandlerExecutionResult;
import org.apereo.cas.authentication.Credential;
import org.apereo.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.web.support.WebUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/adaptors/yubikey/YubiKeyAuthenticationHandler.class */
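/**
 * CAS authentication handler that validates a YubiKey one-time password (OTP).
 *
 * <p>The handler does not identify the user itself. It takes the principal from the
 * authentication already in progress, checks that the token's public id is registered
 * for that principal in the {@link YubiKeyAccountRegistry}, and only then asks the
 * {@link YubicoClient} to verify the OTP. Every failure path throws, so a credential is
 * accepted only when the validation response status is {@code ResponseStatus.OK}.
 */
public class YubiKeyAuthenticationHandler extends AbstractPreAndPostProcessingAuthenticationHandler {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(YubiKeyAuthenticationHandler.class);
    private final YubiKeyAccountRegistry registry;
    private final YubicoClient client;

    /**
     * Creates a handler backed by an explicit device registry.
     *
     * @param str handler name, passed to the superclass
     * @param servicesManager services manager, passed to the superclass
     * @param principalFactory factory used to build the authenticated principal
     * @param yubicoClient client used to verify OTPs
     * @param yubiKeyAccountRegistry registry consulted for the user-to-device binding
     */
    public YubiKeyAuthenticationHandler(String str, ServicesManager servicesManager, PrincipalFactory principalFactory, YubicoClient yubicoClient, YubiKeyAccountRegistry yubiKeyAccountRegistry) {
        super(str, servicesManager, principalFactory, (Integer) null);
        this.registry = yubiKeyAccountRegistry;
        this.client = yubicoClient;
    }

    /**
     * Creates a handler with an {@link OpenYubiKeyAccountRegistry} wrapped around an
     * {@code AcceptAllYubiKeyAccountValidator}.
     *
     * <p>NOTE(review): judging by their names, this registry/validator pair does not bind a
     * device to a user, so any OTP the validation service accepts would pass for any
     * principal. Confirm against those classes before using this constructor outside tests.
     *
     * <p>NOTE(review): the services manager and principal factory are passed as {@code null},
     * while {@link #doAuthentication(Credential)} dereferences {@code this.principalFactory}.
     * Whether the superclass substitutes a default is not visible here.
     *
     * @param yubicoClient client used to verify OTPs
     */
    public YubiKeyAuthenticationHandler(YubicoClient yubicoClient) {
        this("", null, null, yubicoClient, new OpenYubiKeyAccountRegistry(new AcceptAllYubiKeyAccountValidator()));
    }

    /**
     * Validates the submitted OTP for the principal of the in-progress authentication.
     *
     * @param credential the credential to check; cast to {@code YubiKeyCredential}, so callers
     *                   are expected to have consulted {@link #supports(Credential)} first
     * @return the handler result for the principal of the in-progress authentication
     * @throws AccountNotFoundException if the token is not a well-formed OTP or its public id
     *                                  is not registered for the principal
     * @throws FailedLoginException if the validation response is anything other than OK, or
     *                              the validation call itself fails
     * @throws IllegalArgumentException if there is no in-progress authentication
     * @throws GeneralSecurityException declared by the overridden contract
     */
    @Override
    protected AuthenticationHandlerExecutionResult doAuthentication(Credential credential) throws GeneralSecurityException {
        YubiKeyCredential yubiKeyCredential = (YubiKeyCredential) credential;
        String token = yubiKeyCredential.getToken();
        if (!YubicoClient.isValidOTPFormat(token)) {
            // The submitted value is deliberately kept out of the log: a string that fails the
            // format check may be something else the user typed into the field (a password,
            // for example), and a well-formed OTP is credential material in its own right.
            LOGGER.debug("Submitted YubiKey token does not have a valid OTP format");
            throw new AccountNotFoundException("OTP format is invalid");
        }
        // The user is whoever the earlier factor authenticated; the OTP never names the user.
        Authentication inProgressAuthentication = WebUtils.getInProgressAuthentication();
        if (inProgressAuthentication == null) {
            throw new IllegalArgumentException("CAS has no reference to an authentication event to locate a principal");
        }
        String id = inProgressAuthentication.getPrincipal().getId();
        String tokenPublicId = this.registry.getAccountValidator().getTokenPublicId(token);
        // The device-to-user binding is checked before the validation service is contacted,
        // so an OTP from a key that is not registered for this user is rejected here.
        if (!this.registry.isYubiKeyRegisteredFor(id, tokenPublicId)) {
            LOGGER.debug("YubiKey public id [{}] is not registered for user [{}]", tokenPublicId, id);
            throw new AccountNotFoundException("YubiKey id is not recognized in registry");
        }
        try {
            VerificationResponse verify = this.client.verify(token);
            ResponseStatus status = verify.getStatus();
            // Identity comparison also treats a missing (null) status as a failed login
            // instead of letting a NullPointerException escape from compareTo.
            if (status != ResponseStatus.OK) {
                throw new FailedLoginException("Authentication failed with status: " + status);
            }
            LOGGER.debug("YubiKey response status [{}] at [{}]", status, verify.getTimestamp());
            return createHandlerResult(yubiKeyCredential, this.principalFactory.createPrincipal(id));
        } catch (YubicoVerificationException | YubicoValidationFailure e) {
            LOGGER.error(e.getMessage(), e);
            FailedLoginException failure = new FailedLoginException("YubiKey validation failed: " + e.getMessage());
            // FailedLoginException has no cause-taking constructor; attach the cause explicitly
            // so the original stack trace is still available to whoever handles the failure.
            failure.initCause(e);
            throw failure;
        }
    }

    /**
     * Returns the registry consulted for the user-to-device binding.
     *
     * @return the account registry given at construction
     */
    public YubiKeyAccountRegistry getRegistry() {
        return this.registry;
    }

    /**
     * Returns the client used to verify OTPs.
     *
     * @return the Yubico client given at construction
     */
    public YubicoClient getClient() {
        return this.client;
    }

    /**
     * Tells whether this handler can process the given credential.
     *
     * @param credential the credential to test; may be {@code null}
     * @return {@code true} only for a non-null {@code YubiKeyCredential} (or subclass)
     */
    @Override
    public boolean supports(Credential credential) {
        // instanceof matches isAssignableFrom(credential.getClass()) for every non-null
        // argument and answers false for null instead of throwing.
        return credential instanceof YubiKeyCredential;
    }
}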
