package org.springframework.security.web.webauthn.management;

import com.webauthn4j.WebAuthnManager;
import com.webauthn4j.authenticator.AuthenticatorImpl;
import com.webauthn4j.converter.util.ObjectConverter;
import com.webauthn4j.data.AuthenticationParameters;
import com.webauthn4j.data.AuthenticationRequest;
import com.webauthn4j.data.RegistrationData;
import com.webauthn4j.data.RegistrationParameters;
import com.webauthn4j.data.RegistrationRequest;
import com.webauthn4j.data.attestation.AttestationObject;
import com.webauthn4j.data.attestation.authenticator.AttestedCredentialData;
import com.webauthn4j.data.attestation.authenticator.AuthenticatorData;
import com.webauthn4j.data.attestation.statement.COSEAlgorithmIdentifier;
import com.webauthn4j.data.client.Origin;
import com.webauthn4j.data.client.challenge.DefaultChallenge;
import com.webauthn4j.server.ServerProperty;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.function.Consumer;
import java.util.stream.Collectors;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.webauthn.api.AttestationConveyancePreference;
import org.springframework.security.web.webauthn.api.AuthenticatorAssertionResponse;
import org.springframework.security.web.webauthn.api.AuthenticatorAttestationResponse;
import org.springframework.security.web.webauthn.api.AuthenticatorSelectionCriteria;
import org.springframework.security.web.webauthn.api.AuthenticatorTransport;
import org.springframework.security.web.webauthn.api.Bytes;
import org.springframework.security.web.webauthn.api.CredentialRecord;
import org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientInput;
import org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientInputs;
import org.springframework.security.web.webauthn.api.ImmutableCredentialRecord;
import org.springframework.security.web.webauthn.api.ImmutablePublicKeyCose;
import org.springframework.security.web.webauthn.api.ImmutablePublicKeyCredentialUserEntity;
import org.springframework.security.web.webauthn.api.PublicKeyCredential;
import org.springframework.security.web.webauthn.api.PublicKeyCredentialCreationOptions;
import org.springframework.security.web.webauthn.api.PublicKeyCredentialDescriptor;
import org.springframework.security.web.webauthn.api.PublicKeyCredentialParameters;
import org.springframework.security.web.webauthn.api.PublicKeyCredentialRequestOptions;
import org.springframework.security.web.webauthn.api.PublicKeyCredentialRpEntity;
import org.springframework.security.web.webauthn.api.PublicKeyCredentialType;
import org.springframework.security.web.webauthn.api.PublicKeyCredentialUserEntity;
import org.springframework.security.web.webauthn.api.ResidentKeyRequirement;
import org.springframework.security.web.webauthn.api.UserVerificationRequirement;
import org.springframework.util.Assert;

/* loaded from: input_file:WEB-INF/lib/spring-security-web-6.4.1.jar:org/springframework/security/web/webauthn/management/Webauthn4JRelyingPartyOperations.class */
public class Webauthn4JRelyingPartyOperations implements WebAuthnRelyingPartyOperations {
    private final PublicKeyCredentialUserEntityRepository userEntities;
    private final UserCredentialRepository userCredentials;
    private final Set<String> allowedOrigins;
    private final PublicKeyCredentialRpEntity rp;
    private final ObjectConverter objectConverter = new ObjectConverter();
    private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
    private WebAuthnManager webAuthnManager = WebAuthnManager.createNonStrictWebAuthnManager();
    private Consumer<PublicKeyCredentialCreationOptions.PublicKeyCredentialCreationOptionsBuilder> customizeCreationOptions = publicKeyCredentialCreationOptionsBuilder -> {
    };
    private Consumer<PublicKeyCredentialRequestOptions.PublicKeyCredentialRequestOptionsBuilder> customizeRequestOptions = publicKeyCredentialRequestOptionsBuilder -> {
    };

    public Webauthn4JRelyingPartyOperations(PublicKeyCredentialUserEntityRepository publicKeyCredentialUserEntityRepository, UserCredentialRepository userCredentialRepository, PublicKeyCredentialRpEntity publicKeyCredentialRpEntity, Set<String> set) {
        Assert.notNull(publicKeyCredentialUserEntityRepository, "userEntities cannot be null");
        Assert.notNull(userCredentialRepository, "userCredentials cannot be null");
        Assert.notNull(publicKeyCredentialRpEntity, "rpEntity cannot be null");
        Assert.notNull(set, "allowedOrigins cannot be null");
        this.userEntities = publicKeyCredentialUserEntityRepository;
        this.userCredentials = userCredentialRepository;
        this.rp = publicKeyCredentialRpEntity;
        this.allowedOrigins = set;
    }

    public void setWebAuthnManager(WebAuthnManager webAuthnManager) {
        Assert.notNull(webAuthnManager, "webAuthnManager cannot be null");
        this.webAuthnManager = webAuthnManager;
    }

    public void setCustomizeCreationOptions(Consumer<PublicKeyCredentialCreationOptions.PublicKeyCredentialCreationOptionsBuilder> consumer) {
        Assert.notNull(consumer, "customizeCreationOptions must not be null");
        this.customizeCreationOptions = consumer;
    }

    public void setCustomizeRequestOptions(Consumer<PublicKeyCredentialRequestOptions.PublicKeyCredentialRequestOptionsBuilder> consumer) {
        Assert.notNull(consumer, "customizeRequestOptions cannot be null");
        this.customizeRequestOptions = consumer;
    }

    @Override // org.springframework.security.web.webauthn.management.WebAuthnRelyingPartyOperations
    public PublicKeyCredentialCreationOptions createPublicKeyCredentialCreationOptions(PublicKeyCredentialCreationOptionsRequest publicKeyCredentialCreationOptionsRequest) {
        if (publicKeyCredentialCreationOptionsRequest == null) {
            throw new IllegalArgumentException("request cannot be null");
        }
        Authentication authentication = publicKeyCredentialCreationOptionsRequest.getAuthentication();
        if (!this.trustResolver.isAuthenticated(authentication)) {
            throw new IllegalArgumentException("Authentication must be authenticated");
        }
        AuthenticatorSelectionCriteria build = AuthenticatorSelectionCriteria.builder().userVerification(UserVerificationRequirement.PREFERRED).residentKey(ResidentKeyRequirement.REQUIRED).build();
        ImmutableAuthenticationExtensionsClientInputs immutableAuthenticationExtensionsClientInputs = new ImmutableAuthenticationExtensionsClientInputs(ImmutableAuthenticationExtensionsClientInput.credProps);
        PublicKeyCredentialUserEntity findUserEntityOrCreateAndSave = findUserEntityOrCreateAndSave(authentication.getName());
        return PublicKeyCredentialCreationOptions.builder().attestation(AttestationConveyancePreference.DIRECT).pubKeyCredParams(PublicKeyCredentialParameters.EdDSA, PublicKeyCredentialParameters.ES256, PublicKeyCredentialParameters.RS256).authenticatorSelection(build).challenge(Bytes.random()).extensions(immutableAuthenticationExtensionsClientInputs).timeout(Duration.ofMinutes(5L)).user(findUserEntityOrCreateAndSave).rp(this.rp).excludeCredentials(credentialDescriptors(this.userCredentials.findByUserId(findUserEntityOrCreateAndSave.getId()))).customize(this.customizeCreationOptions).build();
    }

    private static List<PublicKeyCredentialDescriptor> credentialDescriptors(List<CredentialRecord> list) {
        ArrayList arrayList = new ArrayList();
        for (CredentialRecord credentialRecord : list) {
            arrayList.add(PublicKeyCredentialDescriptor.builder().id(Bytes.fromBase64(credentialRecord.getCredentialId().toBase64UrlString())).transports(credentialRecord.getTransports()).build());
        }
        return arrayList;
    }

    private PublicKeyCredentialUserEntity findUserEntityOrCreateAndSave(String str) {
        PublicKeyCredentialUserEntity findByUsername = this.userEntities.findByUsername(str);
        if (findByUsername != null) {
            return findByUsername;
        }
        PublicKeyCredentialUserEntity build = ImmutablePublicKeyCredentialUserEntity.builder().displayName(str).id(Bytes.random()).name(str).build();
        this.userEntities.save(build);
        return build;
    }

    @Override // org.springframework.security.web.webauthn.management.WebAuthnRelyingPartyOperations
    public CredentialRecord registerCredential(RelyingPartyRegistrationRequest relyingPartyRegistrationRequest) {
        Assert.notNull(relyingPartyRegistrationRequest, "rpRegistrationRequest cannot be null");
        Bytes rawId = relyingPartyRegistrationRequest.getPublicKey().getCredential().getRawId();
        if (this.userCredentials.findByCredentialId(rawId) != null) {
            throw new IllegalArgumentException("Credential with id " + rawId + " already exists");
        }
        PublicKeyCredentialCreationOptions creationOptions = relyingPartyRegistrationRequest.getCreationOptions();
        String id = creationOptions.getRp().getId();
        RelyingPartyPublicKey publicKey = relyingPartyRegistrationRequest.getPublicKey();
        PublicKeyCredential<AuthenticatorAttestationResponse> credential = publicKey.getCredential();
        AuthenticatorAttestationResponse response = credential.getResponse();
        Set<Origin> origins = toOrigins();
        byte[] bytes = creationOptions.getChallenge().getBytes();
        byte[] bytes2 = response.getAttestationObject().getBytes();
        byte[] bytes3 = response.getClientDataJSON().getBytes();
        ServerProperty serverProperty = new ServerProperty(origins, id, new DefaultChallenge(bytes), (byte[]) null);
        boolean z = creationOptions.getAuthenticatorSelection().getUserVerification() == UserVerificationRequirement.REQUIRED;
        RegistrationData validate = this.webAuthnManager.validate(new RegistrationRequest(bytes2, bytes3), new RegistrationParameters(serverProperty, convertCredentialParamsToWebauthn4j(creationOptions.getPubKeyCredParams()), z, true));
        AuthenticatorData authenticatorData = validate.getAttestationObject().getAuthenticatorData();
        ImmutableCredentialRecord build = ImmutableCredentialRecord.builder().userEntityUserId(creationOptions.getUser().getId()).credentialType(credential.getType()).credentialId(credential.getRawId()).publicKey(new ImmutablePublicKeyCose(this.objectConverter.getCborConverter().writeValueAsBytes(authenticatorData.getAttestedCredentialData().getCOSEKey()))).signatureCount(authenticatorData.getSignCount()).uvInitialized(authenticatorData.isFlagUV()).transports(convertTransports(validate.getTransports())).backupEligible(authenticatorData.isFlagBE()).backupState(authenticatorData.isFlagBS()).label(publicKey.getLabel()).attestationClientDataJSON(credential.getResponse().getClientDataJSON()).attestationObject(credential.getResponse().getAttestationObject()).build();
        this.userCredentials.save(build);
        return build;
    }

    private List<com.webauthn4j.data.PublicKeyCredentialParameters> convertCredentialParamsToWebauthn4j(List<PublicKeyCredentialParameters> list) {
        return (List) list.stream().map(this::convertParamToWebauthn4j).collect(Collectors.toUnmodifiableList());
    }

    private com.webauthn4j.data.PublicKeyCredentialParameters convertParamToWebauthn4j(PublicKeyCredentialParameters publicKeyCredentialParameters) {
        if (publicKeyCredentialParameters.getType() != PublicKeyCredentialType.PUBLIC_KEY) {
            throw new IllegalArgumentException("Cannot convert unknown credential type " + publicKeyCredentialParameters.getType() + " to webauthn4j");
        }
        return new com.webauthn4j.data.PublicKeyCredentialParameters(com.webauthn4j.data.PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.create(publicKeyCredentialParameters.getAlg().getValue()));
    }

    private Set<Origin> toOrigins() {
        return (Set) this.allowedOrigins.stream().map(Origin::new).collect(Collectors.toSet());
    }

    private static Set<AuthenticatorTransport> convertTransports(Set<com.webauthn4j.data.AuthenticatorTransport> set) {
        return set == null ? Collections.emptySet() : (Set) set.stream().map(authenticatorTransport -> {
            return AuthenticatorTransport.valueOf(authenticatorTransport.getValue());
        }).collect(Collectors.toUnmodifiableSet());
    }

    @Override // org.springframework.security.web.webauthn.management.WebAuthnRelyingPartyOperations
    public PublicKeyCredentialRequestOptions createCredentialRequestOptions(PublicKeyCredentialRequestOptionsRequest publicKeyCredentialRequestOptionsRequest) {
        return PublicKeyCredentialRequestOptions.builder().allowCredentials(credentialDescriptors(this.userCredentials.findByUserId(findUserEntityOrCreateAndSave(publicKeyCredentialRequestOptionsRequest.getAuthentication().getName()).getId()))).challenge(Bytes.random()).rpId(this.rp.getId()).timeout(Duration.ofMinutes(5L)).userVerification(UserVerificationRequirement.PREFERRED).customize(this.customizeRequestOptions).build();
    }

    @Override // org.springframework.security.web.webauthn.management.WebAuthnRelyingPartyOperations
    public PublicKeyCredentialUserEntity authenticate(RelyingPartyAuthenticationRequest relyingPartyAuthenticationRequest) {
        PublicKeyCredentialRequestOptions requestOptions = relyingPartyAuthenticationRequest.getRequestOptions();
        AuthenticatorAssertionResponse response = relyingPartyAuthenticationRequest.getPublicKey().getResponse();
        Bytes rawId = relyingPartyAuthenticationRequest.getPublicKey().getRawId();
        CredentialRecord findByCredentialId = this.userCredentials.findByCredentialId(rawId);
        AttestationObject attestationObject = (AttestationObject) this.objectConverter.getCborConverter().readValue(findByCredentialId.getAttestationObject().getBytes(), AttestationObject.class);
        AuthenticatorData authenticatorData = attestationObject.getAuthenticatorData();
        AuthenticatorImpl authenticatorImpl = new AuthenticatorImpl(new AttestedCredentialData(authenticatorData.getAttestedCredentialData().getAaguid(), rawId.getBytes(), authenticatorData.getAttestedCredentialData().getCOSEKey()), attestationObject.getAttestationStatement(), findByCredentialId.getSignatureCount());
        if (authenticatorImpl == null) {
            throw new IllegalStateException("No authenticator found");
        }
        ServerProperty serverProperty = new ServerProperty(toOrigins(), requestOptions.getRpId(), new DefaultChallenge(requestOptions.getChallenge().getBytes()), (byte[]) null);
        this.userCredentials.save(ImmutableCredentialRecord.fromCredentialRecord(findByCredentialId).lastUsed(Instant.now()).signatureCount(this.webAuthnManager.validate(new AuthenticationRequest(relyingPartyAuthenticationRequest.getPublicKey().getId().getBytes(), response.getAuthenticatorData().getBytes(), response.getClientDataJSON().getBytes(), response.getSignature().getBytes()), new AuthenticationParameters(serverProperty, authenticatorImpl, relyingPartyAuthenticationRequest.getRequestOptions().getUserVerification() == UserVerificationRequirement.REQUIRED)).getAuthenticatorData().getSignCount()).build());
        return this.userEntities.findById(findByCredentialId.getUserEntityUserId());
    }
}
