package pl.edu.icm.unity.engine.authn;

import java.util.Collection;
import java.util.Iterator;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.authn.AuthenticatedEntity;
import pl.edu.icm.unity.engine.api.authn.AuthenticationException;
import pl.edu.icm.unity.engine.api.authn.AuthenticationFlow;
import pl.edu.icm.unity.engine.api.authn.AuthenticationProcessor;
import pl.edu.icm.unity.engine.api.authn.AuthenticationResult;
import pl.edu.icm.unity.engine.api.authn.AuthenticatorInstance;
import pl.edu.icm.unity.engine.api.authn.PartialAuthnState;
import pl.edu.icm.unity.engine.api.authn.local.LocalCredentialsRegistry;
import pl.edu.icm.unity.engine.api.authn.remote.UnknownRemoteUserException;
import pl.edu.icm.unity.engine.api.endpoint.BindingAuthn;
import pl.edu.icm.unity.engine.credential.CredentialRepository;
import pl.edu.icm.unity.engine.identity.SecondFactorOptInService;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.exceptions.IllegalCredentialException;
import pl.edu.icm.unity.types.authn.AuthenticationFlowDefinition;
import pl.edu.icm.unity.types.authn.AuthenticationOptionKey;
import pl.edu.icm.unity.types.authn.AuthenticatorInstanceMetadata;
import pl.edu.icm.unity.types.basic.EntityParam;

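/**
 * Drives the multi-factor authentication decision: evaluates the first factor
 * result against the flow policy, picks a second factor authenticator the
 * entity can actually use, and merges the two results once the second factor
 * completes. The class keeps no mutable state of its own beyond injected
 * collaborators, so one instance serves all requests.
 */
@Component
/* loaded from: input_file:pl/edu/icm/unity/engine/authn/AuthenticationProcessorImpl.class */
class AuthenticationProcessorImpl implements AuthenticationProcessor {
    private static final Logger log = Log.getLogger("unity.server.authn", AuthenticationProcessorImpl.class);
    private final SecondFactorOptInService secondFactorOptInService;
    private final LocalCredentialsRegistry localCred;
    private final CredentialRepository credRepo;

    @Autowired
    AuthenticationProcessorImpl(SecondFactorOptInService secondFactorOptInService, LocalCredentialsRegistry localCredentialsRegistry, CredentialRepository credentialRepository) {
        this.secondFactorOptInService = secondFactorOptInService;
        this.localCred = localCredentialsRegistry;
        this.credRepo = credentialRepository;
    }

    /**
     * Evaluates the outcome of the first authentication factor.
     *
     * @param authenticationResult result of the primary authenticator
     * @param authenticationFlow flow whose policy decides whether a second factor is needed
     * @param authenticationOptionKey option under which the primary authentication happened
     * @return a partial state that either is complete (no second factor) or names
     *         the second factor authenticator to run next
     * @throws UnknownRemoteUserException when the remote principal is not mapped to a local entity
     * @throws AuthenticationException when the primary result is not a success, or the policy
     *         demands a second factor and no usable second factor authenticator exists
     */
    public PartialAuthnState processPrimaryAuthnResult(AuthenticationResult authenticationResult, AuthenticationFlow authenticationFlow, AuthenticationOptionKey authenticationOptionKey) throws AuthenticationException {
        AuthenticationResult.Status status = authenticationResult.getStatus();
        if (status != AuthenticationResult.Status.success) {
            if (status == AuthenticationResult.Status.unknownRemotePrincipal) {
                throw new UnknownRemoteUserException("AuthenticationProcessorImpl.authnFailed", authenticationResult.asRemote());
            }
            throw new AuthenticationException("AuthenticationProcessorImpl.authnFailed");
        }
        AuthenticationFlowDefinition.Policy policy = authenticationFlow.getPolicy();
        if (policy.equals(AuthenticationFlowDefinition.Policy.REQUIRE)) {
            return requireSecondFactor(authenticationFlow, authenticationResult, authenticationOptionKey);
        }
        // USER_OPTIN: the second factor is enforced only for entities that opted in.
        // The opt-in lookup is evaluated only for that policy (short-circuit), as before.
        if (policy.equals(AuthenticationFlowDefinition.Policy.USER_OPTIN)
                && getUserOptInAttribute(authenticationResult.getSuccessResult().authenticatedEntity.getEntityId().longValue())) {
            return requireSecondFactor(authenticationFlow, authenticationResult, authenticationOptionKey);
        }
        // NEVER (or opted-out user): single factor is sufficient.
        return new PartialAuthnState(authenticationOptionKey, (BindingAuthn) null, authenticationResult, authenticationFlow);
    }

    /**
     * Resolves the second factor step or fails authentication when none is available.
     *
     * @throws AuthenticationException when no second factor authenticator is usable for the entity
     */
    private PartialAuthnState requireSecondFactor(AuthenticationFlow flow, AuthenticationResult primaryResult, AuthenticationOptionKey optionKey) throws AuthenticationException {
        PartialAuthnState secondFactorStep = getSecondFactorAuthn(flow, primaryResult, optionKey);
        if (secondFactorStep == null) {
            throw new AuthenticationException("AuthenticationProcessorImpl.secondFactorRequire");
        }
        return secondFactorStep;
    }

    /**
     * Reads the entity's second factor opt-in flag.
     *
     * @param entityId entity whose preference is read
     * @return the stored preference; {@code true} when the lookup fails, so that an
     *         unavailable preference store errs on the side of requiring the second factor
     */
    private boolean getUserOptInAttribute(long entityId) {
        try {
            return this.secondFactorOptInService.getUserOptin(entityId);
        } catch (EngineException e) {
            // Fail closed: treat an unreadable preference as opted in.
            log.debug("Can not get user optin attribute for entity " + entityId, e);
            return true;
        }
    }

    /**
     * Builds the partial state pointing at the first second factor authenticator the
     * authenticated entity can use.
     *
     * @return the partial state, or {@code null} when there is no authenticated entity
     *         or no usable second factor authenticator
     */
    private PartialAuthnState getSecondFactorAuthn(AuthenticationFlow authenticationFlow, AuthenticationResult authenticationResult, AuthenticationOptionKey authenticationOptionKey) {
        AuthenticatedEntity entity = authenticationResult.getSuccessResult().authenticatedEntity;
        if (entity == null) {
            return null;
        }
        AuthenticatorInstance secondFactor = getValidAuthenticatorForEntity(
                authenticationFlow.getSecondFactorAuthenticators(), entity.getEntityId().longValue());
        if (secondFactor == null) {
            return null;
        }
        return new PartialAuthnState(authenticationOptionKey, secondFactor.getRetrieval(), authenticationResult, authenticationFlow);
    }

    /**
     * Returns the first authenticator from the collection that the entity can use as a
     * second factor. Authenticators without metadata are skipped; local authenticators
     * are skipped unless the entity has the corresponding credential set. Remote
     * authenticators cannot be pre-checked here and are accepted as they come.
     *
     * @param collection candidate second factor authenticators, in priority order
     * @param j entity id
     * @return a usable authenticator, or {@code null} when none qualifies
     */
    public AuthenticatorInstance getValidAuthenticatorForEntity(Collection<AuthenticatorInstance> collection, long j) {
        if (collection == null) {
            return null;
        }
        for (AuthenticatorInstance candidate : collection) {
            AuthenticatorInstanceMetadata metadata = candidate.getMetadata();
            if (metadata == null) {
                continue;
            }
            // The credential check is the reason a candidate is rejected; without the
            // explicit continue here the first candidate would always be returned,
            // offering the user a second factor they cannot complete.
            if (metadata.getTypeDescription().isLocal() && !checkIfUserHasCredential(metadata, j)) {
                continue;
            }
            return candidate;
        }
        return null;
    }

    /**
     * Asks the local credential verificator whether the entity has the named credential set.
     *
     * @throws IllegalCredentialException propagated from the verificator
     * @throws EngineException propagated from the credential repository or verificator
     */
    private boolean checkIfUserHasLocalCredential(long entityId, String credentialName) throws IllegalCredentialException, EngineException {
        return this.localCred.createLocalCredentialVerificator(this.credRepo.get(credentialName))
                .isCredentialSet(new EntityParam(Long.valueOf(entityId)));
    }

    /**
     * Checks whether the entity has the local credential backing the given authenticator.
     *
     * @param authenticatorInstanceMetadata metadata naming the local credential
     * @param j entity id
     * @return {@code true} only when the credential is confirmed to be set; any failure
     *         of the check is logged and reported as "not set"
     */
    public boolean checkIfUserHasCredential(AuthenticatorInstanceMetadata authenticatorInstanceMetadata, long j) {
        String credentialName = authenticatorInstanceMetadata.getLocalCredentialName();
        try {
            boolean credentialSet = checkIfUserHasLocalCredential(j, credentialName);
            log.debug("Check if user {} has defined credential {}: {}", Long.valueOf(j), credentialName, Boolean.valueOf(credentialSet));
            return credentialSet;
        } catch (Exception e) {
            // Broad catch kept on purpose: a failed lookup must not abort authentication,
            // it only disqualifies this authenticator as a second factor.
            log.warn("Can not check entity local credential state", e);
            return false;
        }
    }

    /**
     * Completes authentication after the first factor only.
     *
     * @param partialAuthnState state produced by {@link #processPrimaryAuthnResult}
     * @param z whether the caller explicitly skips the second factor
     * @return the authenticated entity of the primary result
     * @throws IllegalStateException when a second factor is required and not skipped
     */
    public AuthenticatedEntity finalizeAfterPrimaryAuthentication(PartialAuthnState partialAuthnState, boolean z) {
        if (partialAuthnState.isSecondaryAuthenticationRequired() && !z) {
            throw new IllegalStateException("BUG: code tried to finalize authentication requiring MFA after first authentication");
        }
        return partialAuthnState.getPrimaryResult().getSuccessResult().authenticatedEntity;
    }

    /**
     * Completes authentication after the second factor, merging both results.
     *
     * @param partialAuthnState state produced by {@link #processPrimaryAuthnResult}
     * @param authenticationResult result of the second factor authenticator
     * @return the second factor's entity, enriched with the first factor's
     *         "authenticated with" list and outdated credential marker
     * @throws IllegalStateException when the state did not call for a second factor
     * @throws AuthenticationException when the second factor failed, or both factors
     *         did not authenticate the same entity
     */
    public AuthenticatedEntity finalizeAfterSecondaryAuthentication(PartialAuthnState partialAuthnState, AuthenticationResult authenticationResult) throws AuthenticationException {
        if (!partialAuthnState.isSecondaryAuthenticationRequired()) {
            throw new IllegalStateException("BUG: code tried to finalize authentication with additional authentication while only one was selected");
        }
        AuthenticationResult.Status status = authenticationResult.getStatus();
        if (status != AuthenticationResult.Status.success) {
            if (status == AuthenticationResult.Status.unknownRemotePrincipal) {
                throw new AuthenticationException("AuthenticationProcessorImpl.authnWrongUsers");
            }
            throw new AuthenticationException("AuthenticationProcessorImpl.authnFailed");
        }
        AuthenticatedEntity primaryEntity = partialAuthnState.getPrimaryResult().getSuccessResult().authenticatedEntity;
        AuthenticatedEntity secondaryEntity = authenticationResult.getSuccessResult().authenticatedEntity;
        // Both factors must bind to the same entity; otherwise the session would be
        // issued for a principal only one of the factors verified.
        Long secondaryEntityId = secondaryEntity.getEntityId();
        if (!secondaryEntityId.equals(primaryEntity.getEntityId())) {
            throw new AuthenticationException("AuthenticationProcessorImpl.authnWrongUsers");
        }
        secondaryEntity.getAuthenticatedWith().addAll(primaryEntity.getAuthenticatedWith());
        if (primaryEntity.getOutdatedCredentialId() != null) {
            secondaryEntity.setOutdatedCredentialId(primaryEntity.getOutdatedCredentialId());
        }
        return secondaryEntity;
    }
}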
