package org.opencms.security.twofactor;

import dev.samstevens.totp.code.CodeGenerator;
import dev.samstevens.totp.code.CodeVerifier;
import dev.samstevens.totp.code.DefaultCodeGenerator;
import dev.samstevens.totp.code.DefaultCodeVerifier;
import dev.samstevens.totp.code.HashingAlgorithm;
import dev.samstevens.totp.exceptions.QrGenerationException;
import dev.samstevens.totp.qr.QrData;
import dev.samstevens.totp.qr.ZxingPngQrGenerator;
import dev.samstevens.totp.secret.DefaultSecretGenerator;
import dev.samstevens.totp.secret.SecretGenerator;
import dev.samstevens.totp.time.SystemTimeProvider;
import dev.samstevens.totp.time.TimeProvider;
import dev.samstevens.totp.util.Utils;
import java.util.Locale;
import org.apache.commons.logging.Log;
import org.opencms.crypto.CmsAESTextEncryption;
import org.opencms.crypto.CmsEncryptionException;
import org.opencms.file.CmsObject;
import org.opencms.file.CmsRequestContext;
import org.opencms.file.CmsUser;
import org.opencms.json.JSONException;
import org.opencms.json.JSONObject;
import org.opencms.main.CmsLog;
import org.opencms.main.OpenCms;
import org.opencms.security.CmsUserLog;
import org.opencms.util.CmsMacroResolver;

/* loaded from: input_file:org/opencms/security/twofactor/CmsTwoFactorAuthenticationHandler.class */
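public class CmsTwoFactorAuthenticationHandler {

    /** Key of the user's additional-info entry that holds the encrypted second-factor data. */
    public static final String ATTR_TWOFACTOR_INFO = "two_factor_auth";

    /** Number of digits of a generated / verified TOTP code. */
    public static final int DIGITS = 6;

    /** JSON key of the shared TOTP secret inside the (decrypted) second-factor data. */
    public static final String KEY_SECRET = "secret";

    /** JSON key of the user name inside the (decrypted) second-factor data. */
    public static final String KEY_USER = "user";

    /** Hash algorithm used for TOTP codes (SHA1 is what common authenticator apps expect). */
    public static final HashingAlgorithm ALGORITHM = HashingAlgorithm.SHA1;

    /** Validity period of one TOTP code in seconds, as advertised to the authenticator app via the QR code. */
    private static final int PERIOD_SECONDS = 30;

    /** Logger for this class. */
    private static final Log LOG = CmsLog.getLog(CmsTwoFactorAuthenticationHandler.class);

    /** CMS context handed to the policy when deciding whether a user needs a second factor. */
    private final CmsObject m_cms;

    /** Two-factor configuration; {@code null} means the feature is disabled. */
    private final CmsTwoFactorAuthenticationConfig m_config;

    /** Cipher protecting the stored second-factor data; {@code null} when no configuration is present. */
    private final CmsAESTextEncryption m_encryption;

    /** Generates TOTP codes for the configured algorithm and digit count. */
    private final CodeGenerator m_codeGenerator = new DefaultCodeGenerator(ALGORITHM, DIGITS);

    /** Generates fresh shared secrets during enrollment. */
    private final SecretGenerator m_secretGenerator = new DefaultSecretGenerator();

    /** Clock used by the verifier (system time). */
    private final TimeProvider m_timeProvider = new SystemTimeProvider();

    /** Verifies user-supplied codes against a secret; depends on the two fields above, so it is declared after them. */
    private final CodeVerifier m_verifier = new DefaultCodeVerifier(m_codeGenerator, m_timeProvider);

    /**
     * Creates a new handler.
     *
     * @param cmsObject the CMS context passed on to the two-factor policy
     * @param cmsTwoFactorAuthenticationConfig the two-factor configuration, or {@code null} if the feature is not configured
     */
    public CmsTwoFactorAuthenticationHandler(CmsObject cmsObject, CmsTwoFactorAuthenticationConfig cmsTwoFactorAuthenticationConfig) {
        m_cms = cmsObject;
        m_config = cmsTwoFactorAuthenticationConfig;
        // Without a configuration the handler is disabled and never touches stored data, so no cipher is needed.
        m_encryption = (cmsTwoFactorAuthenticationConfig == null)
            ? null
            : new CmsAESTextEncryption(cmsTwoFactorAuthenticationConfig.getSecret());
    }

    /**
     * Generates a fresh shared secret and the matching QR code (as a PNG data URI) for enrolling a user.
     *
     * <p>Nothing is stored yet; the secret only becomes active through
     * {@link #setUpAndVerifySecondFactor(CmsUser, CmsSecondFactorInfo)}. Both the plain secret and the QR image
     * contain the shared key, so they are to be shown to the enrolling user only and never logged.
     *
     * @param cmsUser the user to enroll (full name is used as the QR label)
     * @return the setup information (secret plus QR data URI)
     * @throws UnsupportedOperationException if two-factor authentication is disabled
     * @throws RuntimeException if the QR code could not be rendered
     */
    public CmsSecondFactorSetupInfo generateSetupInfo(CmsUser cmsUser) {
        checkEnabled();
        String secret = m_secretGenerator.generate();
        QrData qrData = new QrData.Builder()
            .label(cmsUser.getFullName())
            .secret(secret)
            .issuer(m_config.getIssuer())
            .algorithm(ALGORITHM)
            .digits(DIGITS)
            .period(PERIOD_SECONDS)
            .build();
        try {
            byte[] png = new ZxingPngQrGenerator().generate(qrData);
            return new CmsSecondFactorSetupInfo(secret, Utils.getDataUriForImage(png, "image/png"));
        } catch (QrGenerationException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Returns the configured setup message with workplace macros resolved for the given locale.
     *
     * <p>Requires a configuration to be present; unlike the enrollment methods this does not call
     * {@link #checkEnabled()}.
     *
     * @param locale the locale used to resolve message macros
     * @return the resolved setup message
     */
    public String getSetupMessage(Locale locale) {
        String rawMessage = m_config.getSetupMessage();
        CmsMacroResolver resolver = new CmsMacroResolver();
        resolver.setMessages(OpenCms.getWorkplaceManager().getMessages(locale));
        return resolver.resolveMacros(rawMessage);
    }

    /**
     * Checks whether the user has second-factor data stored (without decrypting or validating it).
     *
     * @param cmsUser the user to check
     * @return {@code true} if the two-factor additional-info entry exists
     */
    public boolean hasSecondFactor(CmsUser cmsUser) {
        return cmsUser.getAdditionalInfo().containsKey(ATTR_TWOFACTOR_INFO);
    }

    /**
     * Checks whether two-factor authentication is configured and enabled.
     *
     * @return {@code true} if a configuration exists and is enabled
     */
    public boolean isEnabled() {
        return (m_config != null) && m_config.isEnabled();
    }

    /**
     * Checks whether the configured policy requires a second factor for the given user.
     *
     * @param cmsUser the user to check
     * @return {@code true} if two-factor authentication is enabled and the policy demands it for this user
     */
    public boolean needsTwoFactorAuthentication(CmsUser cmsUser) {
        if (!isEnabled()) {
            return false;
        }
        return m_config.getPolicy().shouldUseTwoFactorAuthentication(m_cms, cmsUser);
    }

    /**
     * Removes the user's stored second-factor data (in memory; persisting the user is up to the caller).
     *
     * @param cmsUser the user whose second factor is reset
     */
    public void resetTwoFactorAuthentication(CmsUser cmsUser) {
        cmsUser.deleteAdditionalInfo(ATTR_TWOFACTOR_INFO);
    }

    /**
     * Completes enrollment: verifies the code against the supplied secret and, only if it matches, stores the
     * encrypted secret on the user.
     *
     * @param cmsUser the user being enrolled
     * @param cmsSecondFactorInfo secret and code entered by the user
     * @return {@code true} if the code was valid and the secret was stored, {@code false} if the code was invalid
     * @throws CmsSecondFactorSetupException if the secret is missing, the user already has a second factor,
     *     or the data could not be serialized
     * @throws UnsupportedOperationException if two-factor authentication is disabled
     */
    public boolean setUpAndVerifySecondFactor(CmsUser cmsUser, CmsSecondFactorInfo cmsSecondFactorInfo) throws CmsSecondFactorSetupException {
        checkEnabled();
        String secret = cmsSecondFactorInfo.getSecret();
        if (secret == null) {
            throw new CmsSecondFactorSetupException("Secret must not be null.");
        }
        // Refuse to overwrite an existing factor; callers must reset explicitly first.
        if (decodeSecondFactor(cmsUser) != null) {
            throw new CmsSecondFactorSetupException("Two-factor authentication already set up.");
        }
        // Store nothing unless the user proved possession of the secret.
        if (!m_verifier.isValidCode(secret, cmsSecondFactorInfo.getCode())) {
            return false;
        }
        try {
            JSONObject info = new JSONObject();
            info.put(KEY_SECRET, secret);
            info.put(KEY_USER, cmsUser.getName());
            encodeSecondFactor(cmsUser, info);
            return true;
        } catch (JSONException e) {
            throw new CmsSecondFactorSetupException(e);
        }
    }

    /**
     * Writes a user-log entry describing how the second-factor data changed between two versions of a user.
     *
     * <p>Only the encrypted values are compared; nothing from them is logged.
     *
     * @param cmsRequestContext the request context for the log entry
     * @param cmsUser the user before the change (also supplies the logged user name)
     * @param cmsUser2 the user after the change
     */
    public void trackUserChange(CmsRequestContext cmsRequestContext, CmsUser cmsUser, CmsUser cmsUser2) {
        String before = (String) cmsUser.getAdditionalInfo(ATTR_TWOFACTOR_INFO);
        String after = (String) cmsUser2.getAdditionalInfo(ATTR_TWOFACTOR_INFO);
        if (before == null) {
            if (after != null) {
                CmsUserLog.logSecondFactorAdded(cmsRequestContext, cmsUser.getName());
            }
        } else if (after == null) {
            CmsUserLog.logSecondFactorReset(cmsRequestContext, cmsUser.getName());
        } else if (!before.equals(after)) {
            CmsUserLog.logSecondFactorInfoModified(cmsRequestContext, cmsUser.getName());
        }
    }

    /**
     * Verifies a login code against the user's stored second-factor data.
     *
     * <p>Fails closed: missing, undecryptable or foreign (user name mismatch) data yields {@code false} rather than
     * an exception. NOTE(review): the underlying verifier only checks the code against the current time window and
     * does not remember codes it already accepted, so re-use of a code within its validity window is not prevented
     * here — confirm whether a caller handles that.
     *
     * @param cmsUser the user logging in
     * @param cmsSecondFactorInfo the code entered by the user (its secret field is expected to be unset here)
     * @return {@code true} if the code is valid for the stored secret
     */
    public boolean verifySecondFactor(CmsUser cmsUser, CmsSecondFactorInfo cmsSecondFactorInfo) {
        if (cmsSecondFactorInfo == null) {
            return false;
        }
        if (cmsSecondFactorInfo.getSecret() != null) {
            // Stack trace only, to locate the caller; the secret itself is not logged.
            LOG.warn("Secret set in second-factor information for non-setup case", new Exception());
        }
        JSONObject info = decodeSecondFactor(cmsUser);
        if (info == null) {
            // No stored data, or it could not be decrypted / parsed (already logged by decodeSecondFactor).
            LOG.error("No usable two-factor authentication data for user: " + cmsUser.getName());
            return false;
        }
        if (!cmsUser.getName().equals(info.optString(KEY_USER))) {
            LOG.error("User mismatch for two-factor authentication data for user: " + cmsUser.getName());
            return false;
        }
        return m_verifier.isValidCode(info.optString(KEY_SECRET), cmsSecondFactorInfo.getCode());
    }

    /**
     * Verifies a code against the secret carried in the same setup info (enrollment preview, nothing is stored).
     *
     * @param cmsSecondFactorInfo secret and code entered by the user
     * @return {@code true} if the code is valid for the given secret; {@code false} if the info is {@code null}
     */
    public boolean verifySecondFactorSetup(CmsSecondFactorInfo cmsSecondFactorInfo) {
        if (cmsSecondFactorInfo == null) {
            return false;
        }
        return m_verifier.isValidCode(cmsSecondFactorInfo.getSecret(), cmsSecondFactorInfo.getCode());
    }

    /**
     * Guards operations that only make sense with two-factor authentication enabled.
     *
     * @throws UnsupportedOperationException if two-factor authentication is disabled
     */
    private void checkEnabled() {
        if (!isEnabled()) {
            throw new UnsupportedOperationException("Two-factor authentication is disabled");
        }
    }

    /**
     * Decrypts and parses the user's stored second-factor data.
     *
     * @param cmsUser the user whose data is read
     * @return the decrypted JSON data, or {@code null} if none is stored, no cipher is configured, or decryption /
     *     parsing failed (the failure is logged)
     */
    private JSONObject decodeSecondFactor(CmsUser cmsUser) {
        String encrypted = (String) cmsUser.getAdditionalInfo().get(ATTR_TWOFACTOR_INFO);
        if (encrypted == null) {
            return null;
        }
        if (m_encryption == null) {
            LOG.error("Two-factor authentication data present but no two-factor configuration available");
            return null;
        }
        try {
            return new JSONObject(m_encryption.decrypt(encrypted));
        } catch (CmsEncryptionException | JSONException e) {
            LOG.error(e.getLocalizedMessage(), e);
            return null;
        }
    }

    /**
     * Encrypts the second-factor data and stores it on the user (in memory).
     *
     * @param cmsUser the user to store the data on
     * @param jSONObject the data to encrypt
     * @throws RuntimeException if encryption fails
     */
    private void encodeSecondFactor(CmsUser cmsUser, JSONObject jSONObject) {
        try {
            cmsUser.getAdditionalInfo().put(ATTR_TWOFACTOR_INFO, m_encryption.encrypt(jSONObject.toString()));
        } catch (CmsEncryptionException e) {
            throw new RuntimeException(e);
        }
    }
}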
