package com.liferay.multi.factor.authentication.timebased.otp.web.internal.checker;

import com.liferay.mail.kernel.model.MailMessage;
import com.liferay.mail.kernel.service.MailService;
import com.liferay.mail.kernel.template.MailTemplate;
import com.liferay.mail.kernel.template.MailTemplateContext;
import com.liferay.mail.kernel.template.MailTemplateContextBuilder;
import com.liferay.mail.kernel.template.MailTemplateFactoryUtil;
import com.liferay.multi.factor.authentication.spi.checker.browser.BrowserMFAChecker;
import com.liferay.multi.factor.authentication.spi.checker.setup.SetupMFAChecker;
import com.liferay.multi.factor.authentication.timebased.otp.model.MFATimeBasedOTPEntry;
import com.liferay.multi.factor.authentication.timebased.otp.service.MFATimeBasedOTPEntryLocalService;
import com.liferay.multi.factor.authentication.timebased.otp.web.internal.configuration.MFATimeBasedOTPConfiguration;
import com.liferay.multi.factor.authentication.timebased.otp.web.internal.constants.MFATimeBasedOTPEventTypes;
import com.liferay.multi.factor.authentication.timebased.otp.web.internal.constants.MFATimeBasedOTPWebKeys;
import com.liferay.multi.factor.authentication.timebased.otp.web.internal.util.MFATimeBasedOTPUtil;
import com.liferay.petra.string.StringBundler;
import com.liferay.portal.configuration.metatype.bnd.util.ConfigurableUtil;
import com.liferay.portal.configuration.module.configuration.ConfigurationProvider;
import com.liferay.portal.kernel.audit.AuditException;
import com.liferay.portal.kernel.audit.AuditMessage;
import com.liferay.portal.kernel.audit.AuditRouterUtil;
import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.json.JSONObject;
import com.liferay.portal.kernel.json.JSONUtil;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.model.Company;
import com.liferay.portal.kernel.model.User;
import com.liferay.portal.kernel.security.auth.CompanyThreadLocal;
import com.liferay.portal.kernel.service.UserLocalService;
import com.liferay.portal.kernel.util.EscapableObject;
import com.liferay.portal.kernel.util.HashMapDictionary;
import com.liferay.portal.kernel.util.ParamUtil;
import com.liferay.portal.kernel.util.Portal;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.util.PropsValues;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Map;
import java.util.Objects;

import javax.mail.internet.InternetAddress;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceRegistration;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Reference;

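/**
 * Time-based one-time password (TOTP) multi-factor checker for browser
 * logins.
 *
 * <p>The component plays two SPI roles: {@link SetupMFAChecker} (enrolling a
 * shared secret for a user) and {@link BrowserMFAChecker} (verifying a
 * submitted code and remembering the outcome in the portal session). It only
 * registers itself as a service when the scoped configuration reports
 * {@code enabled()}; see {@link #activate}.</p>
 *
 * <p>Security-relevant state handled here:</p>
 * <ul>
 * <li>During enrollment the freshly generated shared secret is kept in the
 * portal (original) session under
 * {@code MFATimeBasedOTPWebKeys.MFA_TIME_BASED_OTP_SHARED_SECRET} until
 * {@link #setUp} has persisted it, after which it is removed from the
 * session.</li>
 * <li>After a successful verification the session carries
 * {@code MFA_TIME_BASED_OTP_VALIDATED_USER_ID} and
 * {@code MFA_TIME_BASED_OTP_VALIDATED_AT_TIME}. Both keys are appended to
 * {@code PropsValues.SESSION_PHISHING_PROTECTED_ATTRIBUTES} while the
 * component is active.</li>
 * <li>The last accepted code is stored per user via
 * {@code updateLastTOTP} and is refused if submitted again (a warning email
 * is sent). Only that single code is tracked; other codes inside the
 * configured clock skew remain acceptable.</li>
 * </ul>
 *
 * <p>Every verification path routes an audit message through
 * {@link MFATimeBasedOTPAuditMessageBuilder}.</p>
 */
@Component(configurationPid = {"com.liferay.multi.factor.authentication.timebased.otp.web.internal.configuration.MFATimeBasedOTPConfiguration.scoped"}, configurationPolicy = ConfigurationPolicy.REQUIRE, service = {})
/* loaded from: input_file:com/liferay/multi/factor/authentication/timebased/otp/web/internal/checker/TimeBasedOTPBrowserSetupMFAChecker.class */
public class TimeBasedOTPBrowserSetupMFAChecker implements BrowserMFAChecker, SetupMFAChecker {

    /** Request parameter carrying the code typed by the user. */
    private static final String _OTP_PARAMETER_NAME = "mfaTimeBasedOTP";

    private static final Log _log = LogFactoryUtil.getLog(TimeBasedOTPBrowserSetupMFAChecker.class);

    @Reference
    private ConfigurationProvider _configurationProvider;

    @Reference
    private MailService _mailService;

    private final MFATimeBasedOTPAuditMessageBuilder _mfaTimeBasedOTPAuditMessageBuilder = new MFATimeBasedOTPAuditMessageBuilder();

    /** Scoped configuration captured in {@link #activate}. */
    private MFATimeBasedOTPConfiguration _mfaTimeBasedOTPConfiguration;

    @Reference
    private MFATimeBasedOTPEntryLocalService _mfaTimeBasedOTPEntryLocalService;

    @Reference
    private Portal _portal;

    /** Non-null only while the checker is registered (configuration enabled). */
    private ServiceRegistration<?> _serviceRegistration;

    @Reference(target = "(osgi.web.symbolicname=com.liferay.multi.factor.authentication.timebased.otp.web)")
    private ServletContext _servletContext;

    @Reference
    private UserLocalService _userLocalService;

    /**
     * Builds and routes the audit messages emitted by this checker.
     *
     * <p>All builders pass the checker's class name as the audit
     * {@code className} column, so the audit trail identifies the TOTP checker
     * as the source. The constructor arguments follow the eight-argument
     * {@code AuditMessage} constructor used consistently below: event type,
     * company id, user id, user name, class name, class primary key, message
     * and additional JSON info.</p>
     *
     * <p>Declared {@code static}: the builder does not touch the enclosing
     * checker's state.</p>
     */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/liferay/multi/factor/authentication/timebased/otp/web/internal/checker/TimeBasedOTPBrowserSetupMFAChecker$MFATimeBasedOTPAuditMessageBuilder.class */
    public static class MFATimeBasedOTPAuditMessageBuilder {

        private final Log _log = LogFactoryUtil.getLog(MFATimeBasedOTPAuditMessageBuilder.class);

        private MFATimeBasedOTPAuditMessageBuilder() {
        }

        /**
         * Failure message for a user id that does not resolve to a user.
         *
         * @param companyId the company the request was made under
         * @param userId the user id that was requested
         * @param className the checker class name recorded as the source
         */
        public AuditMessage buildNonexistentUserVerificationFailureAuditMessage(long companyId, long userId, String className) {
            return new AuditMessage(MFATimeBasedOTPEventTypes.MFA_TIMEBASED_OTP_VERIFICATION_FAILURE, companyId, userId, "Nonexistent", className, String.valueOf(userId), (String) null, JSONUtil.put("reason", "Nonexistent User"));
        }

        /**
         * Message recorded when a browser session is found not (yet) verified.
         *
         * @param user the user being checked
         * @param className the checker class name recorded as the source
         * @param reason short free-text reason stored as additional info
         */
        public AuditMessage buildNotVerifiedAuditMessage(User user, String className, String reason) {
            return new AuditMessage(MFATimeBasedOTPEventTypes.MFA_TIMEBASED_OTP_NOT_VERIFIED, user.getCompanyId(), user.getUserId(), user.getFullName(), className, String.valueOf(user.getPrimaryKey()), (String) null, JSONUtil.put("reason", reason));
        }

        /**
         * Failure message for a user who exists but has no TOTP entry.
         *
         * @param companyId the company the request was made under
         * @param user the (unconfigured) user
         * @param className the checker class name recorded as the source
         */
        public AuditMessage buildUnconfiguredUserVerificationFailureAuditMessage(long companyId, User user, String className) {
            return new AuditMessage(MFATimeBasedOTPEventTypes.MFA_TIMEBASED_OTP_VERIFICATION_FAILURE, companyId, user.getUserId(), "Unconfigured", className, (String) null, (String) null, JSONUtil.put("reason", "Unconfigured for User"));
        }

        /**
         * Failure message for a configured user whose submitted code was
         * rejected.
         *
         * @param user the user whose code was rejected
         * @param className the checker class name recorded as the source
         * @param reason short free-text reason stored as additional info
         */
        public AuditMessage buildVerificationFailureAuditMessage(User user, String className, String reason) {
            return new AuditMessage(MFATimeBasedOTPEventTypes.MFA_TIMEBASED_OTP_VERIFICATION_FAILURE, user.getCompanyId(), user.getUserId(), user.getFullName(), className, String.valueOf(user.getPrimaryKey()), (String) null, JSONUtil.put("reason", reason));
        }

        /** Success message for an accepted code. */
        public AuditMessage buildVerificationSuccessAuditMessage(User user, String className) {
            return new AuditMessage(MFATimeBasedOTPEventTypes.MFA_TIMEBASED_OTP_VERIFICATION_SUCCESS, user.getCompanyId(), user.getUserId(), user.getFullName(), className, String.valueOf(user.getPrimaryKey()), (String) null, (JSONObject) null);
        }

        /** Message recorded when a browser session is found already verified. */
        public AuditMessage buildVerifiedAuditMessage(User user, String className) {
            return new AuditMessage(MFATimeBasedOTPEventTypes.MFA_TIMEBASED_OTP_VERIFIED, user.getCompanyId(), user.getUserId(), user.getFullName(), className, String.valueOf(user.getPrimaryKey()), (String) null, (JSONObject) null);
        }

        /**
         * Hands the message to the audit router. Routing is best effort: an
         * {@link AuditException} is logged at WARN, anything else at DEBUG,
         * and neither is propagated, so audit trouble never changes the
         * outcome of a verification.
         */
        public void routeAuditMessage(AuditMessage auditMessage) {
            try {
                AuditRouterUtil.route(auditMessage);
            } catch (AuditException auditException) {
                if (this._log.isWarnEnabled()) {
                    this._log.warn("Unable to route audit message", auditException);
                }
            } catch (Exception exception) {
                if (this._log.isDebugEnabled()) {
                    this._log.debug(exception);
                }
            }
        }
    }

    /**
     * Renders the code-entry form for an already enrolled user.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the response the JSP is included into
     * @param userId the user being verified (unused by the include itself)
     */
    public void includeBrowserVerification(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, long userId) throws IOException, ServletException {
        this._servletContext.getRequestDispatcher("/mfa_timebased_otp_checker/verify_browser.jsp").include(httpServletRequest, httpServletResponse);
    }

    /**
     * Renders the enrollment page.
     *
     * <p>If the user already has a TOTP entry only a "setup completed" page
     * is shown; no secret is generated or exposed. Otherwise a new shared
     * secret is generated from the configured key size, exposed to
     * {@code setup.jsp} through request attributes (together with the
     * fixed algorithm "SHA1", 6 digits and the utility's time step) and then
     * parked in the portal session so that {@link #setUp} can verify the
     * first code against the very secret the page displayed.</p>
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the response the JSP is included into
     * @param userId the user enrolling
     */
    public void includeSetup(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, long userId) throws Exception {
        if (isAvailable(userId)) {
            // Already enrolled: never show or regenerate a secret for this user.
            this._servletContext.getRequestDispatcher("/mfa_timebased_otp_checker/setup_completed.jsp").include(httpServletRequest, httpServletResponse);

            return;
        }

        Company company = this._portal.getCompany(httpServletRequest);

        String sharedSecret = MFATimeBasedOTPUtil.generateSharedSecret(this._mfaTimeBasedOTPConfiguration.algorithmKeySize());

        // Values the setup page needs to build the provisioning URI / QR code.
        httpServletRequest.setAttribute(MFATimeBasedOTPWebKeys.MFA_TIME_BASED_OTP_ALGORITHM, "SHA1");
        httpServletRequest.setAttribute(MFATimeBasedOTPWebKeys.MFA_TIME_BASED_OTP_COMPANY_NAME, company.getName());
        httpServletRequest.setAttribute(MFATimeBasedOTPWebKeys.MFA_TIME_BASED_OTP_DIGITS, 6);
        httpServletRequest.setAttribute(MFATimeBasedOTPWebKeys.MFA_TIME_BASED_OTP_SHARED_SECRET, sharedSecret);
        httpServletRequest.setAttribute(MFATimeBasedOTPWebKeys.MFA_TIME_BASED_OTP_TIME_COUNTER, Integer.valueOf(MFATimeBasedOTPUtil.MFA_TIMEBASED_OTP_COUNTER));

        this._servletContext.getRequestDispatcher("/mfa_timebased_otp_checker/setup.jsp").include(httpServletRequest, httpServletResponse);

        // Pending-enrollment secret; setUp() reads it from the same (original)
        // session and clears it once the entry has been persisted.
        HttpSession session = this._portal.getOriginalServletRequest(httpServletRequest).getSession();

        session.setAttribute(MFATimeBasedOTPWebKeys.MFA_TIME_BASED_OTP_SHARED_SECRET, sharedSecret);
    }

    /**
     * Returns whether the user has completed enrollment (has a persisted TOTP
     * entry).
     */
    public boolean isAvailable(long userId) {
        return this._mfaTimeBasedOTPEntryLocalService.fetchMFATimeBasedOTPEntryByUserId(userId) != null;
    }

    /**
     * Returns whether the portal session behind this request has already
     * passed TOTP verification for the given user. Never creates a session.
     */
    public boolean isBrowserVerified(HttpServletRequest httpServletRequest, long userId) {
        HttpServletRequest originalServletRequest = this._portal.getOriginalServletRequest(httpServletRequest);

        return _isVerified(originalServletRequest.getSession(false), userId);
    }

    /** Deletes the user's TOTP entry, if any, so the user must enroll again. */
    public void removeExistingSetup(long userId) {
        MFATimeBasedOTPEntry mfaTimeBasedOTPEntry = this._mfaTimeBasedOTPEntryLocalService.fetchMFATimeBasedOTPEntryByUserId(userId);

        if (mfaTimeBasedOTPEntry != null) {
            this._mfaTimeBasedOTPEntryLocalService.deleteMFATimeBasedOTPEntry(mfaTimeBasedOTPEntry);
        }
    }

    /**
     * Completes enrollment: verifies the submitted code against the secret
     * parked in the session by {@link #includeSetup} and, on success,
     * persists that secret for the user and removes it from the session.
     *
     * <p>Without a pending secret in the session (setup page never rendered
     * or session expired) the call fails without consulting the verifier.
     * On a wrong code the pending secret is deliberately left in place so
     * the user can retry against the QR code already shown.</p>
     *
     * @param httpServletRequest the request carrying the
     *        {@code mfaTimeBasedOTP} parameter
     * @param userId the user enrolling
     * @return {@code true} if the code verified and the entry was stored
     */
    public boolean setUp(HttpServletRequest httpServletRequest, long userId) {
        HttpSession session = this._portal.getOriginalServletRequest(httpServletRequest).getSession();

        String sharedSecret = (String) session.getAttribute(MFATimeBasedOTPWebKeys.MFA_TIME_BASED_OTP_SHARED_SECRET);

        if (Validator.isBlank(sharedSecret)) {
            if (_log.isWarnEnabled()) {
                _log.warn("No pending time-based one-time password setup in session for user " + userId);
            }

            return false;
        }

        try {
            String submittedCode = ParamUtil.getString(httpServletRequest, _OTP_PARAMETER_NAME);

            if (!MFATimeBasedOTPUtil.verifyTimeBasedOTP(this._mfaTimeBasedOTPConfiguration.clockSkew(), sharedSecret, submittedCode)) {
                return false;
            }

            if (this._mfaTimeBasedOTPEntryLocalService.addTimeBasedOTPEntry(userId, sharedSecret) == null) {
                return false;
            }

            // The secret now lives in the entry; do not leave a copy in the session.
            session.removeAttribute(MFATimeBasedOTPWebKeys.MFA_TIME_BASED_OTP_SHARED_SECRET);

            return true;
        } catch (PortalException portalException) {
            _log.error(StringBundler.concat(new Object[]{"Unable to set up time-based one-time password for user ", Long.valueOf(userId), ": ", portalException.getMessage()}), portalException);

            return false;
        }
    }

    /**
     * Verifies the code submitted by the browser for the given user.
     *
     * <p>Outcomes, each audited: the user does not exist; the user has no
     * TOTP entry; the submitted code is blank (returns {@code false} without
     * an audit message or attempt update); the code is rejected (failed
     * attempt recorded with the remote address); or the code is accepted, in
     * which case the session is marked verified for this user, the
     * successful attempt and the accepted code are recorded, and
     * {@code true} is returned.</p>
     *
     * @param httpServletRequest the request carrying the
     *        {@code mfaTimeBasedOTP} parameter
     * @param httpServletResponse unused
     * @param userId the user to verify
     * @return whether the browser is now verified for the user
     */
    public boolean verifyBrowserRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, long userId) throws Exception {
        User user = this._userLocalService.fetchUser(userId);

        if (user == null) {
            if (_log.isWarnEnabled()) {
                _log.warn("Requested one-time password time-based verification for nonexistent user " + userId);
            }

            this._mfaTimeBasedOTPAuditMessageBuilder.routeAuditMessage(this._mfaTimeBasedOTPAuditMessageBuilder.buildNonexistentUserVerificationFailureAuditMessage(CompanyThreadLocal.getCompanyId().longValue(), userId, _getClassName()));

            return false;
        }

        if (!isAvailable(user.getUserId())) {
            if (_log.isWarnEnabled()) {
                _log.warn("Requested time-based one time password for user " + userId + " with incomplete configuration");
            }

            this._mfaTimeBasedOTPAuditMessageBuilder.routeAuditMessage(this._mfaTimeBasedOTPAuditMessageBuilder.buildUnconfiguredUserVerificationFailureAuditMessage(CompanyThreadLocal.getCompanyId().longValue(), user, _getClassName()));

            return false;
        }

        String submittedCode = ParamUtil.getString(httpServletRequest, _OTP_PARAMETER_NAME);

        if (Validator.isBlank(submittedCode)) {
            // An empty submission is not treated as an attempt.
            return false;
        }

        HttpServletRequest originalServletRequest = this._portal.getOriginalServletRequest(httpServletRequest);

        String remoteAddr = originalServletRequest.getRemoteAddr();

        if (!_verify(submittedCode, user, httpServletRequest)) {
            this._mfaTimeBasedOTPEntryLocalService.updateAttempts(user.getUserId(), remoteAddr, false);

            this._mfaTimeBasedOTPAuditMessageBuilder.routeAuditMessage(this._mfaTimeBasedOTPAuditMessageBuilder.buildVerificationFailureAuditMessage(user, _getClassName(), "Incorrect time-based one-time password"));

            return false;
        }

        // Mark the portal session as verified for this user; _isVerified() reads
        // VALIDATED_USER_ID back. getSession() creates a session if none exists.
        HttpSession session = originalServletRequest.getSession();

        session.setAttribute(MFATimeBasedOTPWebKeys.MFA_TIME_BASED_OTP_VALIDATED_AT_TIME, Long.valueOf(System.currentTimeMillis()));
        session.setAttribute(MFATimeBasedOTPWebKeys.MFA_TIME_BASED_OTP_VALIDATED_USER_ID, Long.valueOf(userId));

        this._mfaTimeBasedOTPEntryLocalService.updateAttempts(userId, remoteAddr, true);

        // Remember the accepted code so an identical resubmission is refused.
        this._mfaTimeBasedOTPEntryLocalService.updateLastTOTP(userId, submittedCode);

        this._mfaTimeBasedOTPAuditMessageBuilder.routeAuditMessage(this._mfaTimeBasedOTPAuditMessageBuilder.buildVerificationSuccessAuditMessage(user, _getClassName()));

        return true;
    }

    /**
     * Captures the scoped configuration and, only when it is enabled,
     * registers this instance as both checker services and adds the two
     * "validated" session keys to the portal's phishing-protected attribute
     * list (when that protection is switched on).
     *
     * <p>NOTE(review): {@code PropsValues.SESSION_PHISHING_PROTECTED_ATTRIBUTES}
     * is a process-wide array that is replaced here without synchronization;
     * concurrent activations of other components doing the same could lose
     * an entry. Kept as in the original.</p>
     */
    @Activate
    protected void activate(BundleContext bundleContext, Map<String, Object> properties) {
        this._mfaTimeBasedOTPConfiguration = (MFATimeBasedOTPConfiguration) ConfigurableUtil.createConfigurable(MFATimeBasedOTPConfiguration.class, properties);

        if (!this._mfaTimeBasedOTPConfiguration.enabled()) {
            return;
        }

        if (PropsValues.SESSION_ENABLE_PHISHING_PROTECTION) {
            ArrayList<String> protectedAttributes = new ArrayList<>(Arrays.asList(PropsValues.SESSION_PHISHING_PROTECTED_ATTRIBUTES));

            protectedAttributes.add(MFATimeBasedOTPWebKeys.MFA_TIME_BASED_OTP_VALIDATED_AT_TIME);
            protectedAttributes.add(MFATimeBasedOTPWebKeys.MFA_TIME_BASED_OTP_VALIDATED_USER_ID);

            PropsValues.SESSION_PHISHING_PROTECTED_ATTRIBUTES = protectedAttributes.toArray(new String[0]);
        }

        this._serviceRegistration = bundleContext.registerService(new String[]{BrowserMFAChecker.class.getName(), SetupMFAChecker.class.getName()}, this, new HashMapDictionary<>(properties));
    }

    /**
     * Undoes {@link #activate}: unregisters the services and removes the two
     * session keys from the phishing-protected attribute list. A no-op when
     * the component never registered (configuration disabled).
     */
    @Deactivate
    protected void deactivate() {
        if (this._serviceRegistration == null) {
            return;
        }

        this._serviceRegistration.unregister();

        if (PropsValues.SESSION_ENABLE_PHISHING_PROTECTION) {
            ArrayList<String> protectedAttributes = new ArrayList<>(Arrays.asList(PropsValues.SESSION_PHISHING_PROTECTED_ATTRIBUTES));

            protectedAttributes.remove(MFATimeBasedOTPWebKeys.MFA_TIME_BASED_OTP_VALIDATED_AT_TIME);
            protectedAttributes.remove(MFATimeBasedOTPWebKeys.MFA_TIME_BASED_OTP_VALIDATED_USER_ID);

            PropsValues.SESSION_PHISHING_PROTECTED_ATTRIBUTES = protectedAttributes.toArray(new String[0]);
        }
    }

    /** Name recorded as the audit source. */
    private String _getClassName() {
        return getClass().getName();
    }

    /**
     * Compares the submitted code with the last accepted one without
     * short-circuiting on the first differing byte. {@code null} handling
     * mirrors {@code Objects.equals}: two nulls compare equal, one null does
     * not. {@code MessageDigest.isEqual} still returns early on a length
     * mismatch, which is acceptable for fixed-length codes.
     */
    private static boolean _isSameCode(String submittedCode, String lastValidCode) {
        if ((submittedCode == null) || (lastValidCode == null)) {
            return submittedCode == lastValidCode;
        }

        return MessageDigest.isEqual(submittedCode.getBytes(StandardCharsets.UTF_8), lastValidCode.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Checks whether the session is marked as TOTP-verified for the user.
     *
     * <p>Returns {@code false} (with an audit message) when the user does not
     * exist, there is no session, the session holds no validated user id, or
     * it holds a different user's id. Only
     * {@code MFA_TIME_BASED_OTP_VALIDATED_USER_ID} is consulted;
     * {@code MFA_TIME_BASED_OTP_VALIDATED_AT_TIME} is written by
     * {@link #verifyBrowserRequest} but not checked here, so any expiry of a
     * browser verification must be enforced elsewhere — TODO confirm.</p>
     *
     * @param httpSession the portal session, possibly {@code null}
     * @param userId the user being checked
     */
    private boolean _isVerified(HttpSession httpSession, long userId) {
        User user = this._userLocalService.fetchUser(userId);

        if (user == null) {
            if (_log.isWarnEnabled()) {
                _log.warn("Requested time-based one-time password verification for nonexistent user " + userId);
            }

            this._mfaTimeBasedOTPAuditMessageBuilder.routeAuditMessage(this._mfaTimeBasedOTPAuditMessageBuilder.buildNonexistentUserVerificationFailureAuditMessage(CompanyThreadLocal.getCompanyId().longValue(), userId, _getClassName()));

            return false;
        }

        if (httpSession == null) {
            this._mfaTimeBasedOTPAuditMessageBuilder.routeAuditMessage(this._mfaTimeBasedOTPAuditMessageBuilder.buildNotVerifiedAuditMessage(user, _getClassName(), "Empty session"));

            return false;
        }

        Object validatedUserId = httpSession.getAttribute(MFATimeBasedOTPWebKeys.MFA_TIME_BASED_OTP_VALIDATED_USER_ID);

        if (validatedUserId == null) {
            this._mfaTimeBasedOTPAuditMessageBuilder.routeAuditMessage(this._mfaTimeBasedOTPAuditMessageBuilder.buildNotVerifiedAuditMessage(user, _getClassName(), "Not verified yet"));

            return false;
        }

        // The session must have been verified for this exact user id.
        if (!Objects.equals(validatedUserId, Long.valueOf(userId))) {
            this._mfaTimeBasedOTPAuditMessageBuilder.routeAuditMessage(this._mfaTimeBasedOTPAuditMessageBuilder.buildNotVerifiedAuditMessage(user, _getClassName(), "Not the same user"));

            return false;
        }

        return true;
    }

    /**
     * Sends the "code reuse attempt" warning email to the user using the
     * company-scoped templates.
     *
     * <p>The body template is rendered as HTML, so request-derived values
     * are wrapped in {@link EscapableObject}. The remote address is wrapped
     * too for consistency with the remote host, even though a plain IP
     * contains nothing that needs escaping.</p>
     *
     * @param user the recipient user
     * @param emailAddress the recipient address
     * @param httpServletRequest the request that carried the reused code
     */
    private void _sendEmail(User user, String emailAddress, HttpServletRequest httpServletRequest) throws Exception {
        MFATimeBasedOTPConfiguration companyConfiguration = (MFATimeBasedOTPConfiguration) this._configurationProvider.getCompanyConfiguration(MFATimeBasedOTPConfiguration.class, user.getCompanyId());

        String fromAddress = companyConfiguration.emailTOTPReuseAttemptWarningFromAddress();
        String fromName = companyConfiguration.emailTOTPReuseAttemptWarningFromName();

        MailTemplate subjectTemplate = MailTemplateFactoryUtil.createMailTemplate(companyConfiguration.emailTOTPReuseAttemptWarningSubject().get(user.getLocale()), false);
        MailTemplate bodyTemplate = MailTemplateFactoryUtil.createMailTemplate(companyConfiguration.emailTOTPReuseAttemptWarningBody().get(user.getLocale()), true);

        MailTemplateContextBuilder contextBuilder = MailTemplateFactoryUtil.createMailTemplateContextBuilder();

        contextBuilder.put("[$FROM_ADDRESS$]", fromAddress);
        contextBuilder.put("[$FROM_NAME$]", fromName);
        contextBuilder.put("[$PORTAL_URL$]", this._portal.getPortalURL(httpServletRequest));
        contextBuilder.put("[$REMOTE_ADDRESS$]", new EscapableObject(httpServletRequest.getRemoteAddr()));
        contextBuilder.put("[$REMOTE_HOST$]", new EscapableObject(httpServletRequest.getRemoteHost()));
        contextBuilder.put("[$TO_NAME$]", new EscapableObject(user.getFullName()));

        MailTemplateContext mailTemplateContext = contextBuilder.build();

        this._mailService.sendEmail(new MailMessage(new InternetAddress(fromAddress, fromName), new InternetAddress(emailAddress, user.getFullName()), subjectTemplate.renderAsString(user.getLocale(), mailTemplateContext), bodyTemplate.renderAsString(user.getLocale(), mailTemplateContext), true));
    }

    /**
     * Verifies a non-blank submitted code against the user's stored entry.
     *
     * <p>A code identical to the last accepted one is refused as a replay
     * and a warning email is sent; a mail failure is logged and does not
     * change the result, so the replay is still recorded as a failed attempt
     * by the caller. Any other code is handed to
     * {@code MFATimeBasedOTPUtil.verifyTimeBasedOTP} with the configured
     * clock skew and the entry's shared secret.</p>
     *
     * @return {@code true} only if the code is fresh and verifies
     */
    private boolean _verify(String submittedCode, User user, HttpServletRequest httpServletRequest) throws Exception {
        MFATimeBasedOTPEntry mfaTimeBasedOTPEntry = this._mfaTimeBasedOTPEntryLocalService.fetchMFATimeBasedOTPEntryByUserId(user.getUserId());

        if (mfaTimeBasedOTPEntry == null) {
            return false;
        }

        if (_isSameCode(submittedCode, mfaTimeBasedOTPEntry.getLastValidTOTP())) {
            try {
                _sendEmail(user, user.getEmailAddress(), httpServletRequest);
            } catch (Exception exception) {
                if (_log.isWarnEnabled()) {
                    _log.warn("Unable to send time-based one-time password reuse warning email to user " + user.getUserId(), exception);
                }
            }

            return false;
        }

        return MFATimeBasedOTPUtil.verifyTimeBasedOTP(this._mfaTimeBasedOTPConfiguration.clockSkew(), mfaTimeBasedOTPEntry.getSharedSecret(), submittedCode);
    }
}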
