package org.forgerock.openam.authentication.modules.push.registration;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.iplanet.dpro.session.SessionException;
import com.sun.identity.authentication.spi.AuthLoginException;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.IdUtils;
import com.sun.identity.shared.configuration.SystemPropertiesManager;
import com.sun.identity.shared.datastruct.CollectionHelper;
import com.sun.identity.shared.debug.Debug;
import com.sun.identity.sm.DNMapper;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.HashSet;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ExecutionException;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.ConfirmationCallback;
import javax.security.auth.callback.TextOutputCallback;
import javax.security.auth.login.LoginException;
import org.forgerock.guice.core.InjectorHolder;
import org.forgerock.json.JsonValue;
import org.forgerock.json.resource.NotFoundException;
import org.forgerock.openam.authentication.callbacks.PollingWaitCallback;
import org.forgerock.openam.authentication.callbacks.helpers.PollingWaitAssistant;
import org.forgerock.openam.authentication.callbacks.helpers.QRCallbackBuilder;
import org.forgerock.openam.authentication.modules.push.AbstractPushModule;
import org.forgerock.openam.authentication.modules.push.AuthenticatorPushPrincipal;
import org.forgerock.openam.core.rest.devices.push.PushDeviceSettings;
import org.forgerock.openam.cts.exceptions.CoreTokenException;
import org.forgerock.openam.services.baseurl.BaseURLProviderFactory;
import org.forgerock.openam.services.push.PushNotificationException;
import org.forgerock.openam.services.push.dispatch.PushMessageChallengeResponsePredicate;
import org.forgerock.openam.services.push.dispatch.SignedJwtVerificationPredicate;
import org.forgerock.openam.utils.Alphabet;
import org.forgerock.openam.utils.CodeException;
import org.forgerock.openam.utils.RecoveryCodeGenerator;
import org.forgerock.util.encode.Base64;
import org.forgerock.util.encode.Base64url;
import org.forgerock.util.promise.Promise;
import org.forgerock.util.time.TimeService;

/* loaded from: input_file:org/forgerock/openam/authentication/modules/push/registration/AuthenticatorPushRegistration.class */
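/**
 * Authentication module that registers a new push-capable device for the user.
 *
 * <p>Flow, as driven by {@link #process(Callback[], int)}: a confirmation menu (register now, or
 * show the app-store links), then a QR code carrying the registration parameters plus a polling
 * wait callback, and finally the device's signed response is verified and persisted as a
 * {@link PushDeviceSettings} profile with freshly generated recovery codes. A user who already
 * owns a registered push device is passed straight through.
 *
 * <p>Two channels deliver the device response: the in-memory message dispatcher of this server
 * (via {@code deviceResponsePromise}) and, for clustered deployments, the Core Token Service
 * (see {@link #waitingChecks()}). The message id expected on both channels is recorded in
 * {@code messageId}.
 *
 * <p>This listing is decompiler output; generic type arguments were erased and
 * {@code AnonymousClass1} is the synthetic switch map javac generated for the enum switch.
 */
public class AuthenticatorPushRegistration extends AbstractPushModule {
    private static final Debug DEBUG = Debug.getInstance("amAuthPush");

    // Module states returned from process(). The numeric values are those of the original
    // class; the names are this reviewer's reading of what each state displays.
    private static final int STATE_CONFIRMATION = 2; // "register device / get the app" menu
    private static final int STATE_GET_THE_APP = 3;  // app-store links
    private static final int STATE_REGISTER = 4;     // QR code + polling wait callback
    private static final int STATE_DONE = 5;         // device saved
    // presumably ISAuthConstants.LOGIN_SUCCEED — confirm against the framework constants
    private static final int RETURN_LOGIN_SUCCEED = -1;
    // Position of the QR code callback within STATE_REGISTER's callback array.
    private static final int QR_CODE_CALLBACK_INDEX = 1;
    // Length in bytes of the per-registration challenge the device must answer.
    private static final int CHALLENGE_LENGTH = 32;
    // Number of one-time recovery codes issued with the new device.
    private static final int RECOVERY_CODE_COUNT = 10;

    private PollingWaitAssistant pollingWaitAssistant;
    private AMIdentity amIdentityPrincipal;
    private PushDeviceSettings newDeviceRegistrationProfile;
    private Promise<JsonValue, Exception> deviceResponsePromise;
    private String issuer;
    // Registration response timeout, read from the module options; unit is whatever
    // PollingWaitAssistant expects (presumably milliseconds — confirm).
    private long timeout;
    // Correlation id for the outstanding registration message (random UUID + timestamp).
    private String messageId;
    // Hex background colour for the QR code, stored without a leading '#'.
    private String bgColour;
    private String imgUrl;
    private String appleLink;
    private String googleLink;
    // Load-balancer cookie of this session; may stay null if the session could not be read.
    private String lbCookieValue;
    private String realm;
    private final RecoveryCodeGenerator recoveryCodeGenerator = (RecoveryCodeGenerator) InjectorHolder.getInstance(RecoveryCodeGenerator.class);
    private final BaseURLProviderFactory baseUrlProviderFactory = (BaseURLProviderFactory) InjectorHolder.getInstance(BaseURLProviderFactory.class);

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.forgerock.openam.authentication.modules.push.registration.AuthenticatorPushRegistration$1, reason: invalid class name */
    /* loaded from: input_file:org/forgerock/openam/authentication/modules/push/registration/AuthenticatorPushRegistration$1.class */
    /**
     * Synthetic switch map emitted by javac for the {@code PollingWaitState} switch. Kept only so
     * the compiled class shape is unchanged; {@link #awaitState()} now switches on the enum
     * directly and no longer reads it. The empty catch blocks are the compiler's own pattern for
     * tolerating enum constants that disappear at link time.
     */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$forgerock$openam$authentication$callbacks$helpers$PollingWaitAssistant$PollingWaitState = new int[PollingWaitAssistant.PollingWaitState.values().length];

        static {
            try {
                $SwitchMap$org$forgerock$openam$authentication$callbacks$helpers$PollingWaitAssistant$PollingWaitState[PollingWaitAssistant.PollingWaitState.TOO_EARLY.ordinal()] = 1;
            } catch (NoSuchFieldError ignored) {
                // compiler-generated: constant missing at link time
            }
            try {
                $SwitchMap$org$forgerock$openam$authentication$callbacks$helpers$PollingWaitAssistant$PollingWaitState[PollingWaitAssistant.PollingWaitState.NOT_STARTED.ordinal()] = 2;
            } catch (NoSuchFieldError ignored) {
                // compiler-generated: constant missing at link time
            }
            try {
                $SwitchMap$org$forgerock$openam$authentication$callbacks$helpers$PollingWaitAssistant$PollingWaitState[PollingWaitAssistant.PollingWaitState.WAITING.ordinal()] = 3;
            } catch (NoSuchFieldError ignored) {
                // compiler-generated: constant missing at link time
            }
            try {
                $SwitchMap$org$forgerock$openam$authentication$callbacks$helpers$PollingWaitAssistant$PollingWaitState[PollingWaitAssistant.PollingWaitState.COMPLETE.ordinal()] = 4;
            } catch (NoSuchFieldError ignored) {
                // compiler-generated: constant missing at link time
            }
            try {
                $SwitchMap$org$forgerock$openam$authentication$callbacks$helpers$PollingWaitAssistant$PollingWaitState[PollingWaitAssistant.PollingWaitState.TIMEOUT.ordinal()] = 5;
            } catch (NoSuchFieldError ignored) {
                // compiler-generated: constant missing at link time
            }
            try {
                $SwitchMap$org$forgerock$openam$authentication$callbacks$helpers$PollingWaitAssistant$PollingWaitState[PollingWaitAssistant.PollingWaitState.SPAMMED.ordinal()] = 6;
            } catch (NoSuchFieldError ignored) {
                // compiler-generated: constant missing at link time
            }
        }
    }

    /**
     * Reads the module configuration and resolves the pre-authenticated user.
     *
     * @param subject the login subject (unused here)
     * @param map     shared state; must hold the user name under {@code getUserKey()}
     * @param map2    module options keyed by the {@code forgerock-am-auth-*} attribute names
     */
    public void init(Subject subject, Map map, Map map2) {
        DEBUG.message("{}::init", new Object[]{Constants.AM_AUTH_AUTHENTICATOR_PUSH_REGISTRATION});

        String authLevel = CollectionHelper.getMapAttr(map2, "forgerock-am-auth-push-reg-auth-level");
        if (authLevel != null) {
            try {
                setAuthLevel(Integer.parseInt(authLevel));
            } catch (Exception e) {
                // A malformed level is logged and ignored; the module keeps its default auth level.
                DEBUG.error("{} :: init() : Unable to set auth level {}", new Object[]{Constants.AM_AUTH_AUTHENTICATOR_PUSH_REGISTRATION, authLevel, e});
            }
        }

        // No default: a missing or malformed timeout fails init with a NumberFormatException.
        this.timeout = Long.parseLong(CollectionHelper.getMapAttr(map2, "forgerock-am-auth-push-message-registration-response-timeout"));
        this.issuer = CollectionHelper.getMapAttr(map2, "forgerock-am-auth-push-reg-issuer");
        this.imgUrl = CollectionHelper.getMapAttr(map2, "forgerock-am-auth-img-url");
        this.bgColour = CollectionHelper.getMapAttr(map2, "forgerock-am-auth-hex-bgcolour");
        this.appleLink = CollectionHelper.getMapAttr(map2, "forgerock-am-auth-apple-link");
        this.googleLink = CollectionHelper.getMapAttr(map2, "forgerock-am-auth-google-link");

        // The QR URI carries the bare hex digits, so strip a leading '#' from the configured value.
        if (this.bgColour != null && this.bgColour.startsWith("#")) {
            this.bgColour = this.bgColour.substring(1);
        }

        try {
            this.lbCookieValue = this.sessionCookies.getLBCookie(getSessionId());
        } catch (SessionException e) {
            // Best effort: without the LB cookie the device may reach another server, which the
            // CTS lookup in waitingChecks() is there to cover. lbCookieValue stays null.
            DEBUG.warning("{} :: init() : Unable to determine loadbalancer bookie value", new Object[]{Constants.AM_AUTH_AUTHENTICATOR_PUSH_REGISTRATION, e});
        }

        this.amIdentityPrincipal = establishPreauthenticatedUser(map);
        this.pollingWaitAssistant = setUpPollingWaitCallbackAssistant(this.timeout);
        this.realm = DNMapper.orgNameToRealmName(getRequestOrg());

        try {
            this.pushService.init(this.realm);
        } catch (PushNotificationException e) {
            // Logged only; a later process() call will fail when the service is used.
            DEBUG.error("{} :: init() : Unable to initialiseService Push system.", new Object[]{Constants.AM_AUTH_AUTHENTICATOR_PUSH_REGISTRATION, e});
        }
    }

    /**
     * Builds the polling assistant for the given timeout.
     *
     * <p>When the {@code com.forgerock.openam.authentication.push.nearinstant} system property is
     * true (a test/dev aid), all polling intervals are forced to 1000; otherwise the assistant's
     * own defaults apply.
     *
     * @param responseTimeout the registration response timeout
     * @return a new assistant
     */
    private PollingWaitAssistant setUpPollingWaitCallbackAssistant(long responseTimeout) {
        boolean nearInstant = Boolean.parseBoolean(SystemPropertiesManager.get("com.forgerock.openam.authentication.push.nearinstant"));
        if (nearInstant) {
            return new PollingWaitAssistant(responseTimeout, 1000L, 1000L, 1000L);
        }
        return new PollingWaitAssistant(responseTimeout);
    }

    /**
     * Resolves the identity of the user authenticated by an earlier module in the chain.
     *
     * @param sharedState the chain's shared state; the user name is read under {@code getUserKey()}
     * @return the identity in the realm of the current request
     */
    private AMIdentity establishPreauthenticatedUser(Map sharedState) {
        String userName = (String) sharedState.get(getUserKey());
        return IdUtils.getIdentity(userName, DNMapper.orgNameToRealmName(getRequestOrg()));
    }

    /**
     * Advances the registration state machine.
     *
     * @param callbackArr the callbacks submitted for the current state
     * @param i           the current state
     * @return the next state, or {@code -1} (presumably LOGIN_SUCCEED) when registration is
     *     finished or unnecessary
     * @throws LoginException on a missing request, an unknown state, or a datastore failure
     */
    public int process(Callback[] callbackArr, int i) throws LoginException {
        if (getHttpServletRequest() == null) {
            DEBUG.error("{} :: process() : Request was null.", new Object[]{Constants.AM_AUTH_AUTHENTICATOR_PUSH_REGISTRATION});
            throw failedAsLoginException();
        }
        try {
            // A user who already has a registered push device skips registration entirely.
            boolean alreadyRegistered = !this.userPushDeviceProfileManager.getDeviceProfiles(this.amIdentityPrincipal.getName(), this.realm).isEmpty();
            if (alreadyRegistered) {
                return RETURN_LOGIN_SUCCEED;
            }
            switch (i) {
                case 1: // presumably ISAuthConstants.LOGIN_START
                    return STATE_CONFIRMATION;
                case STATE_CONFIRMATION:
                    return navigateOptions(callbackArr);
                case STATE_GET_THE_APP:
                    return startRegistration();
                case STATE_REGISTER:
                    return awaitState();
                case STATE_DONE:
                    return RETURN_LOGIN_SUCCEED;
                default:
                    DEBUG.error("{} :: process() : Invalid state.", new Object[]{Constants.AM_AUTH_AUTHENTICATOR_PUSH_REGISTRATION});
                    throw failedAsLoginException();
            }
        } catch (IOException e) {
            DEBUG.error("{} :: process() : Unable to talk to datastore.", new Object[]{Constants.AM_AUTH_AUTHENTICATOR_PUSH_REGISTRATION, e});
            throw failedAsLoginException();
        }
    }

    /**
     * Handles the confirmation menu: option 0 starts registration, option 1 shows the app links.
     *
     * @param callbacks the submitted callbacks; element 0 must be a {@link ConfirmationCallback}
     * @return the next state
     * @throws AuthLoginException when no callback was submitted or the choice is unknown
     */
    private int navigateOptions(Callback[] callbacks) throws AuthLoginException {
        if (callbacks == null || callbacks.length < 1) {
            throw new AuthLoginException(Constants.AM_AUTH_AUTHENTICATOR_PUSH_REGISTRATION, "authFailed", (Object[]) null);
        }
        int choice = ((ConfirmationCallback) callbacks[0]).getSelectedIndex();
        switch (choice) {
            case 0:
                return startRegistration();
            case 1:
                setAppLinkCallbacks();
                return STATE_GET_THE_APP;
            default:
                throw new AuthLoginException(Constants.AM_AUTH_AUTHENTICATOR_PUSH_REGISTRATION, "authFailed", (Object[]) null);
        }
    }

    /**
     * Creates the pending device profile, renders the QR code and arms both response channels.
     *
     * <p>The device response must satisfy a signed-JWT check against the new shared secret, a
     * challenge-response check against the random challenge, and any realm-level predicates.
     * The expectation is registered with the local dispatcher and, best effort, persisted to the
     * CTS so another server in the cluster can complete the registration.
     *
     * @return {@code STATE_REGISTER}
     * @throws AuthLoginException when the push service addresses cannot be read
     */
    private int startRegistration() throws AuthLoginException {
        this.newDeviceRegistrationProfile = this.userPushDeviceProfileManager.createDeviceProfile();
        this.messageId = UUID.randomUUID().toString() + TimeService.SYSTEM.now();
        String challenge = this.userPushDeviceProfileManager.createRandomBytes(CHALLENGE_LENGTH);

        paintRegisterDeviceCallback(this.amIdentityPrincipal, this.messageId, challenge);

        byte[] sharedSecret = Base64.decode(this.newDeviceRegistrationProfile.getSharedSecret());
        // Element type erased by the decompiler; the dispatcher's predicate interface is meant.
        HashSet predicates = new HashSet();
        predicates.add(new SignedJwtVerificationPredicate(sharedSecret, "jwt"));
        predicates.add(new PushMessageChallengeResponsePredicate(sharedSecret, challenge, "jwt"));

        try {
            predicates.addAll(this.pushService.getRegistrationMessagePredicatesFor(this.realm));
            this.deviceResponsePromise = this.pushService.getMessageDispatcher(this.realm).expect(this.messageId, predicates).getPromise();
            this.pollingWaitAssistant.start(this.deviceResponsePromise);
            try {
                storeInCTS(this.messageId, predicates, this.timeout);
            } catch (JsonProcessingException | CoreTokenException e) {
                // Best effort: without the CTS record only this server can complete the registration.
                DEBUG.warning("Unable to persist token in core token service.", e);
            }
            return STATE_REGISTER;
        } catch (NotFoundException | PushNotificationException e) {
            DEBUG.error("Unable to read service addresses for Push Notification Service.", e);
            throw failedAsLoginException();
        }
    }

    /**
     * Dispatches on the polling assistant's state while the device response is awaited.
     *
     * @return the next state
     * @throws AuthLoginException on timeout, on a client polling too often, or an unknown state
     */
    private int awaitState() throws AuthLoginException {
        PollingWaitAssistant.PollingWaitState waitState = this.pollingWaitAssistant.getPollingWaitState();
        switch (waitState) {
            case TOO_EARLY:
                return STATE_REGISTER;
            case NOT_STARTED:
            case WAITING:
                return waitingChecks();
            case COMPLETE:
                return completeChecks();
            case TIMEOUT:
                DEBUG.warning("{} :: timeout value exceeded while waiting for response.", new Object[]{Constants.AM_AUTH_AUTHENTICATOR_PUSH_REGISTRATION});
                throw new AuthLoginException(Constants.AM_AUTH_AUTHENTICATOR_PUSH_REGISTRATION, "authFailed", (Object[]) null);
            case SPAMMED:
                DEBUG.warning("{} :: too many requests sent to Auth module.  Client should obey wait time.", new Object[]{Constants.AM_AUTH_AUTHENTICATOR_PUSH_REGISTRATION});
                throw new AuthLoginException(Constants.AM_AUTH_AUTHENTICATOR_PUSH_REGISTRATION, "authFailed", (Object[]) null);
            default:
                throw new AuthLoginException(Constants.AM_AUTH_AUTHENTICATOR_PUSH_REGISTRATION, "authFailed", (Object[]) null);
        }
    }

    /**
     * Completes a registration whose response arrived through the local dispatcher.
     *
     * <p>The CTS record is removed first (best effort) so no other server can also complete it.
     *
     * @return {@code STATE_DONE}
     * @throws AuthLoginException when the response promise cannot be read
     */
    private int completeChecks() throws AuthLoginException {
        try {
            this.coreTokenService.deleteAsync(this.messageId);
        } catch (CoreTokenException e) {
            DEBUG.warning("Removing token from CTS failed.", e);
        }
        try {
            JsonValue deviceResponse = (JsonValue) this.deviceResponsePromise.get();
            return finaliseSuccess(deviceResponse);
        } catch (InterruptedException | ExecutionException e) {
            DEBUG.error("{} :: Failed to save device settings.", new Object[]{Constants.AM_AUTH_AUTHENTICATOR_PUSH_REGISTRATION, e});
            throw new AuthLoginException(Constants.AM_AUTH_AUTHENTICATOR_PUSH_REGISTRATION, "authFailed", (Object[]) null);
        }
    }

    /**
     * Records the authenticated user name and persists the device profile.
     *
     * @param deviceResponse the verified response payload from the device
     * @return {@code STATE_DONE}
     * @throws AuthLoginException when the profile cannot be completed or saved
     */
    private int finaliseSuccess(JsonValue deviceResponse) throws AuthLoginException {
        storeUsername(this.amIdentityPrincipal.getName());
        saveDeviceDetailsUnderUserAccount(deviceResponse);
        return STATE_DONE;
    }

    /**
     * Polls the CTS for a response that another server may have received; otherwise refreshes
     * the client's wait period and stays in the registration state.
     *
     * @return {@code STATE_DONE} when a CTS response completed the registration, else
     *     {@code STATE_REGISTER}
     * @throws AuthLoginException when the local dispatcher for the realm is missing, or via
     *     {@link #finaliseSuccess(JsonValue)}
     */
    private int waitingChecks() throws AuthLoginException {
        try {
            JsonValue ctsResponse = checkCTSRegistration(this.messageId);
            if (ctsResponse != null) {
                // Another server already verified the response: drop the local expectation
                // and the CTS record, then finish here.
                this.pushService.getMessageDispatcher(this.realm).forget(this.messageId);
                this.coreTokenService.deleteAsync(this.messageId);
                return finaliseSuccess(ctsResponse);
            }
        } catch (CoreTokenException e) {
            DEBUG.warning("CTS threw exception, falling back to local MessageDispatcher.", e);
        } catch (NotFoundException e) {
            DEBUG.error("Could not find local MessageDispatcher for realm.", e);
            throw failedAsLoginException();
        }
        setPollbackTimePeriod(this.pollingWaitAssistant.getWaitPeriod());
        this.pollingWaitAssistant.resetWait();
        return STATE_REGISTER;
    }

    /**
     * Copies the device identifiers from the response into the pending profile, attaches
     * recovery codes and the issuer, and saves the profile under the user's account.
     *
     * <p>A {@link NullPointerException} raised while copying is treated as "required field
     * absent" — that is the original's blank-value check and is kept as such.
     *
     * @param deviceResponse the verified response payload from the device
     * @throws AuthLoginException when a required field is blank or recovery codes cannot be generated
     */
    private void saveDeviceDetailsUnderUserAccount(JsonValue deviceResponse) throws AuthLoginException {
        this.newDeviceRegistrationProfile.setDeviceName("Push Device");
        try {
            this.newDeviceRegistrationProfile.setCommunicationId(deviceResponse.get("communicationId").asString());
            this.newDeviceRegistrationProfile.setDeviceMechanismUID(deviceResponse.get("mechanismUid").asString());
            this.newDeviceRegistrationProfile.setCommunicationType(deviceResponse.get("communicationType").asString());
            this.newDeviceRegistrationProfile.setDeviceType(deviceResponse.get("deviceType").asString());
            this.newDeviceRegistrationProfile.setDeviceId(deviceResponse.get("deviceId").asString());
            try {
                this.newDeviceRegistrationProfile.setRecoveryCodes(this.recoveryCodeGenerator.generateCodes(RECOVERY_CODE_COUNT, Alphabet.ALPHANUMERIC, false));
                this.newDeviceRegistrationProfile.setIssuer(this.issuer);
                this.userPushDeviceProfileManager.saveDeviceProfile(this.amIdentityPrincipal.getName(), this.realm, this.newDeviceRegistrationProfile);
            } catch (CodeException e) {
                DEBUG.error("Insufficient recovery code generation occurred.", e);
                throw failedAsLoginException();
            }
        } catch (NullPointerException e) {
            // NOTE(review): this logs the whole device response (communicationId, deviceId, ...);
            // check that this identifying data is acceptable in the error log.
            DEBUG.error("Blank value for necessary data from device response, {}", new Object[]{deviceResponse});
            throw failedAsLoginException();
        }
    }

    /**
     * Replaces the QR code callback of the registration state with one built for this attempt.
     *
     * @param identity  the registering user
     * @param messageId correlation id the device must echo
     * @param challenge Base64 challenge the device must answer
     * @throws AuthLoginException via {@link #createQRCodeCallback}
     */
    private void paintRegisterDeviceCallback(AMIdentity identity, String messageId, String challenge) throws AuthLoginException {
        Callback qrCallback = createQRCodeCallback(this.newDeviceRegistrationProfile, identity, messageId, QR_CODE_CALLBACK_INDEX, challenge);
        replaceCallback(STATE_REGISTER, QR_CODE_CALLBACK_INDEX, qrCallback);
    }

    /**
     * Builds the {@code pushauth://push/forgerock:<user>?...} QR callback.
     *
     * <p>Query components: {@code l} load-balancer cookie, {@code issuer}, {@code m} message id,
     * {@code s} shared secret, {@code b} background colour, {@code c} challenge, {@code r} and
     * {@code a} the registration and authentication response URLs, optionally {@code image}.
     * Note that the shared secret and the challenge are carried in the QR code itself, so the
     * rendered code is as sensitive as the secret.
     *
     * @param profile       the pending device profile holding the shared secret
     * @param identity      the registering user
     * @param messageId     correlation id the device must echo
     * @param callbackIndex index of this callback within the state's callback array
     * @param challenge     Base64 challenge the device must answer
     * @return the QR callback
     * @throws AuthLoginException when the push service addresses cannot be read
     */
    private Callback createQRCodeCallback(PushDeviceSettings profile, AMIdentity identity, String messageId, int callbackIndex, String challenge) throws AuthLoginException {
        try {
            QRCallbackBuilder builder = new QRCallbackBuilder()
                    .withUriScheme("pushauth")
                    .withUriHost("push")
                    .withUriPath("forgerock")
                    .withUriPort(identity.getName())
                    .withCallbackIndex(callbackIndex);
            // lbCookieValue is null when init() could not read the session; the original
            // dereferenced it unconditionally and raised a NullPointerException out of process().
            // NOTE(review): omitted rather than failing, relying on the CTS path in waitingChecks()
            // for the cross-server case — confirm the app tolerates a missing "l".
            if (this.lbCookieValue != null) {
                builder.addUriQueryComponent("l", Base64url.encode(this.lbCookieValue.getBytes(StandardCharsets.UTF_8)));
            }
            // Explicit UTF-8, matching getMessageResponseUrl(); the original used the platform charset.
            builder.addUriQueryComponent("issuer", Base64url.encode(this.issuer.getBytes(StandardCharsets.UTF_8)))
                    .addUriQueryComponent("m", messageId)
                    .addUriQueryComponent("s", Base64url.encode(Base64.decode(profile.getSharedSecret())))
                    .addUriQueryComponent("b", this.bgColour)
                    .addUriQueryComponent("c", Base64url.encode(Base64.decode(challenge)))
                    .addUriQueryComponent("r", getMessageResponseUrl(this.pushService.getRegServiceAddress(this.realm)))
                    .addUriQueryComponent("a", getMessageResponseUrl(this.pushService.getAuthServiceAddress(this.realm)));
            if (this.imgUrl != null) {
                builder.addUriQueryComponent("image", Base64url.encode(this.imgUrl.getBytes(StandardCharsets.UTF_8)));
            }
            return builder.build();
        } catch (PushNotificationException e) {
            DEBUG.error("Unable to read service addresses for Push Notification Service.", e);
            throw failedAsLoginException();
        }
    }

    /**
     * Base64url-encodes the absolute URL the device should post its response to.
     *
     * @param servicePath path of the push service endpoint, appended after {@code /json}
     * @return the encoded absolute URL
     */
    private String getMessageResponseUrl(String servicePath) {
        String rootUrl = this.baseUrlProviderFactory.get(getRequestOrg()).getRootURL(getHttpServletRequest());
        String responseUrl = rootUrl + "/json" + servicePath;
        return Base64url.encode(responseUrl.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Records the failing user and throws the module's generic failure.
     *
     * <p>Declared to return the exception so call sites can write {@code throw failedAsLoginException()}
     * and satisfy definite-return analysis; it never actually returns.
     *
     * @return never
     * @throws AuthLoginException always
     */
    private AuthLoginException failedAsLoginException() throws AuthLoginException {
        setFailureID(this.amIdentityPrincipal.getName());
        throw new AuthLoginException(Constants.AM_AUTH_AUTHENTICATOR_PUSH_REGISTRATION, "authFailed", (Object[]) null);
    }

    /**
     * @return a principal for the registering user
     */
    public Principal getPrincipal() {
        return new AuthenticatorPushPrincipal(this.amIdentityPrincipal.getName());
    }

    /**
     * Updates the polling wait callback of the registration state with the next wait period.
     *
     * @param waitPeriod the wait period to advertise to the client
     * @throws AuthLoginException from the callback replacement
     */
    private void setPollbackTimePeriod(long waitPeriod) throws AuthLoginException {
        Callback current = getCallback(STATE_REGISTER)[Constants.POLLING_TIME_OUTPUT_CALLBACK_INDEX];
        Callback updated = PollingWaitCallback.makeCallback().asCopyOf(current).withWaitTime(String.valueOf(waitPeriod)).build();
        replaceCallback(STATE_REGISTER, Constants.POLLING_TIME_OUTPUT_CALLBACK_INDEX, updated);
    }

    /**
     * Fills the "get the app" state with the configured Apple and Google store links.
     *
     * @throws AuthLoginException from the callback replacement
     */
    private void setAppLinkCallbacks() throws AuthLoginException {
        replaceCallback(STATE_GET_THE_APP, 0, new TextOutputCallback(0, this.appleLink));
        replaceCallback(STATE_GET_THE_APP, 1, new TextOutputCallback(0, this.googleLink));
    }
}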
