package org.openbase.bco.authentication.core;

import com.google.protobuf.ByteString;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.Serializable;
import java.security.KeyPair;
import java.util.concurrent.Future;
import org.apache.commons.lang.RandomStringUtils;
import org.openbase.bco.authentication.lib.AbstractProtectedStore;
import org.openbase.bco.authentication.lib.AuthenticatedServiceProcessor;
import org.openbase.bco.authentication.lib.AuthenticationBaseData;
import org.openbase.bco.authentication.lib.AuthenticationServerHandler;
import org.openbase.bco.authentication.lib.AuthenticationService;
import org.openbase.bco.authentication.lib.CredentialStore;
import org.openbase.bco.authentication.lib.EncryptionHelper;
import org.openbase.bco.authentication.lib.ExceptionReporter;
import org.openbase.bco.authentication.lib.exception.SessionExpiredException;
import org.openbase.bco.authentication.lib.jp.JPAuthenticationScope;
import org.openbase.bco.authentication.lib.jp.JPCredentialsDirectory;
import org.openbase.bco.authentication.lib.jp.JPSessionTimeout;
import org.openbase.jps.core.JPService;
import org.openbase.jps.exception.JPNotAvailableException;
import org.openbase.jul.communication.controller.RPCHelper;
import org.openbase.jul.exception.CouldNotPerformException;
import org.openbase.jul.exception.InitializationException;
import org.openbase.jul.exception.NotAvailableException;
import org.openbase.jul.exception.NotSupportedException;
import org.openbase.jul.exception.PermissionDeniedException;
import org.openbase.jul.exception.RejectedException;
import org.openbase.jul.exception.printer.ExceptionPrinter;
import org.openbase.jul.exception.printer.LogLevel;
import org.openbase.jul.extension.rsb.com.NotInitializedRSBLocalServer;
import org.openbase.jul.extension.rsb.com.RSBFactoryImpl;
import org.openbase.jul.extension.rsb.com.RSBSharedConnectionConfig;
import org.openbase.jul.extension.rsb.iface.RSBLocalServer;
import org.openbase.jul.extension.rsb.scope.ScopeTransformer;
import org.openbase.jul.iface.Launchable;
import org.openbase.jul.iface.VoidInitializable;
import org.openbase.jul.schedule.GlobalCachedExecutorService;
import org.openbase.jul.schedule.WatchDog;
import org.openbase.type.communication.ScopeType;
import org.openbase.type.domotic.authentication.AuthenticatedValueType;
import org.openbase.type.domotic.authentication.LoginCredentialsChangeType;
import org.openbase.type.domotic.authentication.LoginCredentialsType;
import org.openbase.type.domotic.authentication.TicketAuthenticatorWrapperType;
import org.openbase.type.domotic.authentication.TicketSessionKeyWrapperType;
import org.openbase.type.domotic.authentication.UserClientPairType;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import rsb.converter.DefaultConverterRepository;
import rsb.converter.ProtocolBufferConverter;

/* loaded from: input_file:org/openbase/bco/authentication/core/AuthenticatorController.class */
public class AuthenticatorController implements AuthenticationService, Launchable<Void>, VoidInitializable {
    private static final Logger LOGGER;
    private static final String STORE_FILENAME = "server_credential_store.json";
    private static final String TICKET_GRANTING_KEY = "ticket_granting_key";
    private static final String SERVICE_SERVER_SECRET_KEY = "service_server_secret_key";
    private RSBLocalServer server;
    private WatchDog serverWatchDog;
    private final CredentialStore credentialStore;
    private static String initialPassword;
    private final long ticketValidityTime;
    private byte[] ticketGrantingServiceSecretKey;
    private byte[] serviceServerSecretKey;

    public AuthenticatorController() throws InitializationException {
        this(new CredentialStore(), EncryptionHelper.generateKey());
    }

    public AuthenticatorController(CredentialStore credentialStore) throws InitializationException {
        this(credentialStore, EncryptionHelper.generateKey());
    }

    public AuthenticatorController(byte[] bArr) throws InitializationException {
        this(new CredentialStore(), bArr);
    }

    public AuthenticatorController(CredentialStore credentialStore, byte[] bArr) throws InitializationException {
        this.ticketGrantingServiceSecretKey = null;
        this.server = new NotInitializedRSBLocalServer();
        this.credentialStore = credentialStore;
        this.serviceServerSecretKey = bArr;
        try {
            this.ticketValidityTime = ((Long) JPService.getProperty(JPSessionTimeout.class).getValue()).longValue();
        } catch (JPNotAvailableException e) {
            throw new InitializationException(AuthenticatorController.class, e);
        }
    }

    public void init() throws InitializationException, InterruptedException {
        try {
            this.server = RSBFactoryImpl.getInstance().createSynchronizedLocalServer(ScopeTransformer.transform((ScopeType.Scope) JPService.getProperty(JPAuthenticationScope.class).getValue()), RSBSharedConnectionConfig.getParticipantConfig());
            RPCHelper.registerInterface(AuthenticationService.class, this, this.server);
            this.serverWatchDog = new WatchDog(this.server, "AuthenticatorWatchDog");
            this.credentialStore.init(STORE_FILENAME);
            if (!this.credentialStore.hasEntry(TICKET_GRANTING_KEY)) {
                this.credentialStore.addCredentials(TICKET_GRANTING_KEY, EncryptionHelper.generateKey(), false, true);
            }
            if (!this.credentialStore.hasEntry(SERVICE_SERVER_SECRET_KEY)) {
                if (this.serviceServerSecretKey != null) {
                    this.credentialStore.addCredentials(SERVICE_SERVER_SECRET_KEY, this.serviceServerSecretKey, false, true);
                } else {
                    this.credentialStore.addCredentials(SERVICE_SERVER_SECRET_KEY, EncryptionHelper.generateKey(), false, true);
                }
            }
            try {
                this.ticketGrantingServiceSecretKey = this.credentialStore.getCredentials(TICKET_GRANTING_KEY).getCredentials().toByteArray();
                this.serviceServerSecretKey = this.credentialStore.getCredentials(SERVICE_SERVER_SECRET_KEY).getCredentials().toByteArray();
            } catch (NotAvailableException e) {
                throw new InitializationException(this, e);
            }
        } catch (JPNotAvailableException | CouldNotPerformException e2) {
            throw new InitializationException(this, e2);
        }
    }

    public void activate() throws CouldNotPerformException, InterruptedException {
        if (!this.credentialStore.hasEntry("serviceServer") || JPService.testMode()) {
            KeyPair generateKeyPair = EncryptionHelper.generateKeyPair();
            this.credentialStore.addCredentials("serviceServer", generateKeyPair.getPublic().getEncoded(), false, false);
            try {
                LoginCredentialsType.LoginCredentials build = ((LoginCredentialsType.LoginCredentials) this.credentialStore.getEntry("serviceServer")).toBuilder().setCredentials(ByteString.copyFrom(generateKeyPair.getPrivate().getEncoded())).build();
                File file = new File((File) JPService.getProperty(JPCredentialsDirectory.class).getValue(), "service_server_private_key");
                FileOutputStream fileOutputStream = new FileOutputStream(file);
                try {
                    fileOutputStream.write(build.toByteArray());
                    fileOutputStream.flush();
                    fileOutputStream.close();
                    AbstractProtectedStore.protectFile(file);
                } finally {
                }
            } catch (JPNotAvailableException e) {
                throw new CouldNotPerformException("Could not load property.", e);
            } catch (IOException e2) {
                throw new CouldNotPerformException("Could not write private key.", e2);
            }
        }
        if (initialPasswordRequired() || JPService.testMode()) {
            initialPassword = RandomStringUtils.randomAlphanumeric(15);
        }
        this.serverWatchDog.activate();
    }

    public void deactivate() throws CouldNotPerformException, InterruptedException {
        if (this.serverWatchDog != null) {
            this.serverWatchDog.deactivate();
        }
        this.credentialStore.shutdown();
    }

    public boolean isActive() {
        if (this.serverWatchDog != null) {
            return this.serverWatchDog.isActive();
        }
        return false;
    }

    public void waitForActivation() throws CouldNotPerformException, InterruptedException {
        try {
            this.serverWatchDog.waitForServiceActivation();
        } catch (CouldNotPerformException e) {
            throw new CouldNotPerformException("Could not wait for activation!", e);
        }
    }

    private boolean initialPasswordRequired() {
        return this.credentialStore.getSize() == 3 && this.credentialStore.hasEntry("serviceServer") && this.credentialStore.hasEntry(TICKET_GRANTING_KEY) && this.credentialStore.hasEntry(SERVICE_SERVER_SECRET_KEY);
    }

    public Future<TicketSessionKeyWrapperType.TicketSessionKeyWrapper> requestTicketGrantingTicket(UserClientPairType.UserClientPair userClientPair) {
        return GlobalCachedExecutorService.submit(() -> {
            try {
                LoginCredentialsType.LoginCredentials loginCredentials = null;
                LoginCredentialsType.LoginCredentials loginCredentials2 = null;
                if (!userClientPair.getUserId().isEmpty()) {
                    loginCredentials = this.credentialStore.getCredentials(userClientPair.getUserId());
                }
                if (!userClientPair.getClientId().isEmpty()) {
                    loginCredentials2 = this.credentialStore.getCredentials(userClientPair.getClientId());
                }
                if (loginCredentials == null || loginCredentials2 == null || loginCredentials.getSymmetric() || loginCredentials2.getSymmetric()) {
                    return AuthenticationServerHandler.handleKDCRequest(userClientPair, loginCredentials, loginCredentials2, this.ticketGrantingServiceSecretKey, this.ticketValidityTime);
                }
                throw new NotSupportedException("Login with two asymmetric keys", AuthenticatorController.class);
            } catch (CouldNotPerformException e) {
                if (e instanceof NotSupportedException) {
                    throw e;
                }
                ExceptionPrinter.printHistory(e, LOGGER, LogLevel.ERROR);
                throw new CouldNotPerformException("Internal server error. Please try again.");
            } catch (NotAvailableException e2) {
                ExceptionPrinter.printHistory(e2, LOGGER, LogLevel.WARN);
                ExceptionReporter.getInstance().report(e2);
                throw new NotAvailableException(e2.getMessage());
            }
        });
    }

    public Future<TicketSessionKeyWrapperType.TicketSessionKeyWrapper> requestClientServerTicket(TicketAuthenticatorWrapperType.TicketAuthenticatorWrapper ticketAuthenticatorWrapper) {
        return GlobalCachedExecutorService.submit(() -> {
            try {
                return AuthenticationServerHandler.handleTGSRequest(this.ticketGrantingServiceSecretKey, this.serviceServerSecretKey, ticketAuthenticatorWrapper, this.ticketValidityTime);
            } catch (CouldNotPerformException e) {
                ExceptionPrinter.printHistory(e, LOGGER, LogLevel.WARN);
                ExceptionReporter.getInstance().report(e);
                throw new RejectedException(e.getMessage());
            }
        });
    }

    public Future<TicketAuthenticatorWrapperType.TicketAuthenticatorWrapper> validateClientServerTicket(TicketAuthenticatorWrapperType.TicketAuthenticatorWrapper ticketAuthenticatorWrapper) {
        return GlobalCachedExecutorService.submit(() -> {
            try {
                AuthenticationBaseData handleSSRequest = AuthenticationServerHandler.handleSSRequest(this.serviceServerSecretKey, ticketAuthenticatorWrapper, this.ticketValidityTime);
                UserClientPairType.UserClientPair userClientPair = handleSSRequest.getUserClientPair();
                if (!userClientPair.getUserId().isEmpty() && !this.credentialStore.hasEntry(userClientPair.getUserId())) {
                    throw new RejectedException("User[" + userClientPair.getUserId() + "] logged in after being removed from authenticator!");
                }
                if (userClientPair.getClientId().isEmpty() || this.credentialStore.hasEntry(userClientPair.getClientId())) {
                    return handleSSRequest.getTicketAuthenticatorWrapper();
                }
                throw new RejectedException("Client[" + userClientPair.getClientId() + "] logged in after being removed from authenticator!");
            } catch (SessionExpiredException e) {
                throw e;
            } catch (CouldNotPerformException e2) {
                ExceptionPrinter.printHistory(e2, LOGGER, LogLevel.WARN);
                ExceptionReporter.getInstance().report(e2);
                throw new RejectedException(e2.getMessage());
            }
        });
    }

    private AuthenticatedServiceProcessor.TicketValidator getTicketValidator() {
        return authenticatedValue -> {
            return AuthenticationServerHandler.handleSSRequest(this.serviceServerSecretKey, authenticatedValue.getTicketAuthenticatorWrapper(), this.ticketValidityTime);
        };
    }

    public Future<AuthenticatedValueType.AuthenticatedValue> changeCredentials(AuthenticatedValueType.AuthenticatedValue authenticatedValue) {
        return GlobalCachedExecutorService.submit(() -> {
            return AuthenticatedServiceProcessor.authenticatedAction(authenticatedValue, LoginCredentialsChangeType.LoginCredentialsChange.class, getTicketValidator(), (loginCredentialsChange, authenticationBaseData) -> {
                UserClientPairType.UserClientPair userClientPair = authenticationBaseData.getUserClientPair();
                boolean isAdmin = this.credentialStore.isAdmin(userClientPair.getUserId());
                if (!isAdmin) {
                    boolean z = userClientPair.getUserId().equals(loginCredentialsChange.getId()) && !userClientPair.getUserId().isEmpty();
                    boolean z2 = userClientPair.getClientId().equals(loginCredentialsChange.getId()) && !userClientPair.getClientId().isEmpty();
                    if (!z && !z2) {
                        throw new RejectedException("UserClientPair[" + userClientPair + "] cannot change password of user or client[" + loginCredentialsChange.getId() + "]");
                    }
                }
                if (!isAdmin && !this.credentialStore.getCredentials(loginCredentialsChange.getId()).getCredentials().equals(loginCredentialsChange.getOldCredentials())) {
                    throw new RejectedException("Old credentials do not match");
                }
                LoginCredentialsType.LoginCredentials.Builder builder = this.credentialStore.getCredentials(loginCredentialsChange.getId()).toBuilder();
                builder.setSymmetric(loginCredentialsChange.getSymmetric());
                builder.setCredentials(loginCredentialsChange.getNewCredentials());
                this.credentialStore.addEntry(builder.getId(), builder.build());
                return loginCredentialsChange;
            });
        });
    }

    public Future<AuthenticatedValueType.AuthenticatedValue> register(AuthenticatedValueType.AuthenticatedValue authenticatedValue) {
        return GlobalCachedExecutorService.submit(() -> {
            return AuthenticatedServiceProcessor.authenticatedAction(authenticatedValue, LoginCredentialsType.LoginCredentials.class, getTicketValidator(), (loginCredentials, authenticationBaseData) -> {
                if (initialPassword == null || !(initialPasswordRequired() || JPService.testMode())) {
                    if (loginCredentials.getAdmin() && !this.credentialStore.isAdmin(authenticationBaseData.getUserClientPair().getUserId())) {
                        throw new PermissionDeniedException("You are not permitted to register an admin.");
                    }
                    if (this.credentialStore.hasEntry(loginCredentials.getId())) {
                        throw new CouldNotPerformException("You cannot register an existing user.");
                    }
                    this.credentialStore.addEntry(loginCredentials.getId(), loginCredentials);
                    return loginCredentials;
                }
                if (!loginCredentials.hasId() || !loginCredentials.hasCredentials()) {
                    throw new RejectedException("Cannot register first user, id and/or new credentials empty");
                }
                LoginCredentialsType.LoginCredentials build = LoginCredentialsType.LoginCredentials.newBuilder().setId(loginCredentials.getId()).setAdmin(true).setSymmetric(loginCredentials.getSymmetric()).setCredentials(ByteString.copyFrom((byte[]) EncryptionHelper.decryptSymmetric(loginCredentials.getCredentials(), EncryptionHelper.hash(initialPassword), byte[].class))).build();
                this.credentialStore.addEntry(loginCredentials.getId(), build);
                initialPassword = null;
                return build;
            });
        });
    }

    public Future<AuthenticatedValueType.AuthenticatedValue> removeUser(AuthenticatedValueType.AuthenticatedValue authenticatedValue) {
        return GlobalCachedExecutorService.submit(() -> {
            return AuthenticatedServiceProcessor.authenticatedAction(authenticatedValue, String.class, getTicketValidator(), (str, authenticationBaseData) -> {
                if (!str.equals(authenticationBaseData.getUserClientPair().getUserId()) && !this.credentialStore.isAdmin(authenticationBaseData.getUserClientPair().getUserId())) {
                    throw new PermissionDeniedException("You are not allowed to perform this action");
                }
                if (this.credentialStore.isAdmin(str) && this.credentialStore.getAdminCount() <= 1) {
                    throw new PermissionDeniedException("The last admin cannot remove itself");
                }
                this.credentialStore.removeEntry(str);
                return str;
            });
        });
    }

    public Future<AuthenticatedValueType.AuthenticatedValue> setAdministrator(AuthenticatedValueType.AuthenticatedValue authenticatedValue) {
        return GlobalCachedExecutorService.submit(() -> {
            return AuthenticatedServiceProcessor.authenticatedAction(authenticatedValue, LoginCredentialsType.LoginCredentials.class, getTicketValidator(), (loginCredentials, authenticationBaseData) -> {
                if (!this.credentialStore.isAdmin(authenticationBaseData.getUserClientPair().getUserId())) {
                    throw new PermissionDeniedException("You are not permitted to perform this action.");
                }
                if (authenticationBaseData.getUserClientPair().getUserId().equals(loginCredentials.getId())) {
                    throw new CouldNotPerformException("Admin status can only be revoked by another admin.");
                }
                this.credentialStore.addEntry(loginCredentials.getId(), this.credentialStore.getCredentials(loginCredentials.getId()).toBuilder().setAdmin(loginCredentials.getAdmin()).build());
                return loginCredentials;
            });
        });
    }

    public Future<AuthenticatedValueType.AuthenticatedValue> requestServiceServerSecretKey(TicketAuthenticatorWrapperType.TicketAuthenticatorWrapper ticketAuthenticatorWrapper) {
        return GlobalCachedExecutorService.submit(() -> {
            try {
                AuthenticationBaseData verifyClientServerTicket = getTicketValidator().verifyClientServerTicket(AuthenticatedValueType.AuthenticatedValue.newBuilder().setTicketAuthenticatorWrapper(ticketAuthenticatorWrapper).build());
                if (!verifyClientServerTicket.getUserClientPair().getClientId().equals("serviceServer")) {
                    throw new RejectedException("Client[" + verifyClientServerTicket.getUserClientPair().getClientId() + "] is not authorized to request the ServiceServerSecretKey");
                }
                AuthenticatedValueType.AuthenticatedValue.Builder newBuilder = AuthenticatedValueType.AuthenticatedValue.newBuilder();
                newBuilder.setTicketAuthenticatorWrapper(verifyClientServerTicket.getTicketAuthenticatorWrapper());
                newBuilder.setValue(EncryptionHelper.encryptSymmetric((Serializable) this.serviceServerSecretKey, verifyClientServerTicket.getSessionKey()));
                return newBuilder.build();
            } catch (CouldNotPerformException e) {
                ExceptionPrinter.printHistory(e, LOGGER, LogLevel.WARN);
                ExceptionReporter.getInstance().report(e);
                throw new RejectedException(e.getMessage());
            }
        });
    }

    public Future<Boolean> isAdmin(String str) {
        return GlobalCachedExecutorService.submit(() -> {
            return Boolean.valueOf(this.credentialStore.isAdmin(str));
        });
    }

    public static String getInitialPassword() {
        return initialPassword;
    }

    public Future<Boolean> hasUser(String str) {
        return GlobalCachedExecutorService.submit(() -> {
            return Boolean.valueOf(this.credentialStore.hasEntry(str));
        });
    }

    static {
        DefaultConverterRepository.getDefaultConverterRepository().addConverter(new ProtocolBufferConverter(TicketSessionKeyWrapperType.TicketSessionKeyWrapper.getDefaultInstance()));
        DefaultConverterRepository.getDefaultConverterRepository().addConverter(new ProtocolBufferConverter(TicketAuthenticatorWrapperType.TicketAuthenticatorWrapper.getDefaultInstance()));
        DefaultConverterRepository.getDefaultConverterRepository().addConverter(new ProtocolBufferConverter(AuthenticatedValueType.AuthenticatedValue.getDefaultInstance()));
        DefaultConverterRepository.getDefaultConverterRepository().addConverter(new ProtocolBufferConverter(UserClientPairType.UserClientPair.getDefaultInstance()));
        LOGGER = LoggerFactory.getLogger(AuthenticatorController.class);
    }
}
