package org.jahia.modules.mfa.valve;

import javax.jcr.RepositoryException;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.StringUtils;
import org.jahia.api.usermanager.JahiaUserManagerService;
import org.jahia.bin.Login;
import org.jahia.modules.mfa.MFAConstants;
import org.jahia.modules.mfa.service.JahiaMFAService;
import org.jahia.modules.mfa.servlet.MFAServlet;
import org.jahia.params.valves.AuthValveContext;
import org.jahia.params.valves.BaseAuthValve;
import org.jahia.params.valves.LoginUrlProvider;
import org.jahia.params.valves.LogoutUrlProvider;
import org.jahia.pipelines.Pipeline;
import org.jahia.pipelines.PipelineException;
import org.jahia.pipelines.valves.Valve;
import org.jahia.pipelines.valves.ValveContext;
import org.jahia.services.content.JCRNodeWrapper;
import org.jahia.services.content.decorator.JCRUserNode;
import org.jahia.services.usermanager.JahiaUser;
import org.osgi.framework.BundleContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Authentication valve that enforces a second factor for users who have MFA enabled.
 *
 * <p>The component is wired into Jahia's authentication pipeline (the {@code Pipeline}
 * service tagged {@code type=authentication}) at activation, positioned relative to
 * {@code "LoginEngineAuthValve"} (presumably before it, given the argument order of
 * {@code BaseAuthValve.addValve} - confirm against the Jahia version in use).
 *
 * <p>Behaviour, as visible in this file:
 * <ul>
 *   <li>Only login requests that carry both a username and a password parameter are
 *       inspected; everything else is handed to the next valve unchanged.</li>
 *   <li>If the looked-up user has MFA, password and token are verified together. A
 *       failure sets {@code login_valve_result=bad_password} and stops the pipeline, so
 *       no downstream valve can accept the password alone (fail closed).</li>
 *   <li>On success any pre-existing HTTP session is invalidated before the user is bound
 *       to the session factory (presumably session-fixation hardening).</li>
 *   <li>Users without MFA, unknown users, and requests made while the valve is disabled
 *       fall through to the rest of the pipeline - i.e. no MFA is enforced for them.</li>
 * </ul>
 *
 * <p>It also acts as {@link LoginUrlProvider}, pointing the login URL at the MFA servlet.
 *
 * <p>This listing is decompiled from {@code jahia-mfa-core-1.0.1.jar}; local names were
 * chosen for readability and are not the original author's.
 */
@Component(service = {Valve.class, LoginUrlProvider.class, LogoutUrlProvider.class}, immediate = true)
/* loaded from: input_file:jahia-mfa-core-1.0.1.jar:org/jahia/modules/mfa/valve/AuthenticationValve.class */
public final class AuthenticationValve extends BaseAuthValve implements LoginUrlProvider {
    private static final Logger LOGGER = LoggerFactory.getLogger(AuthenticationValve.class);

    /** Number of single-digit form fields ({@code digit-1} .. {@code digit-6}) that make up a token. */
    private static final int TOKEN_LENGTH = 6;

    private Pipeline authPipeline;
    private JahiaUserManagerService jahiaUserManagerService;
    private JahiaMFAService jahiaMFAService;

    /** Injects the authentication pipeline this valve registers itself into. */
    @Reference(service = Pipeline.class, target = "(type=authentication)")
    public void setAuthPipeline(Pipeline pipeline) {
        this.authPipeline = pipeline;
    }

    /** Injects the user lookup service. */
    @Reference
    public void setJahiaUserManagerService(JahiaUserManagerService jahiaUserManagerService) {
        this.jahiaUserManagerService = jahiaUserManagerService;
    }

    /** Injects the MFA service that knows whether a user has MFA and how to verify a token. */
    @Reference
    public void setJahiaMFAService(JahiaMFAService jahiaMFAService) {
        this.jahiaMFAService = jahiaMFAService;
    }

    /**
     * Registers the valve in the authentication pipeline.
     *
     * <p>Any previously registered instance with the same id is removed first, so a
     * re-activation replaces rather than duplicates the valve.
     *
     * @param bundleContext supplied by the DS runtime; not used here
     */
    @Activate
    public void activate(BundleContext bundleContext) {
        setId(MFAConstants.AUTH_VALVE_ID);
        removeValve(this.authPipeline);
        // position -1 / positionAfter null / positionBefore "LoginEngineAuthValve" - the exact
        // placement semantics live in BaseAuthValve.addValve and are not visible here.
        addValve(this.authPipeline, -1, null, "LoginEngineAuthValve");
    }

    /**
     * Removes the valve from the authentication pipeline.
     *
     * <p>NOTE(review): no {@code @Deactivate} annotation is visible on this method, so it
     * is not clear from this file what invokes it on bundle stop. Confirm the valve is
     * really unregistered; otherwise a stale instance stays in the pipeline.
     */
    public void stop() {
        removeValve(this.authPipeline);
    }

    /**
     * Pipeline entry point.
     *
     * @param obj          the {@link AuthValveContext} for the current request
     * @param valveContext used to hand the request to the next valve
     * @throws PipelineException propagated from downstream valves
     */
    public void invoke(Object obj, ValveContext valveContext) throws PipelineException {
        AuthValveContext authContext = (AuthValveContext) obj;
        HttpServletRequest request = authContext.getRequest();
        String username = request.getParameter(MFAConstants.PARAM_USERNAME);
        String submittedPassword = request.getParameter(MFAConstants.PARAM_PASSWORD);
        LOGGER.debug("jahia-mfa-core authentication valve");

        // Not a credential-bearing login attempt (or the valve is switched off): not our concern.
        boolean loginAttempt = isEnabled() && isLoginRequested(request)
                && username != null && submittedPassword != null;
        if (!loginAttempt) {
            valveContext.invokeNext(obj);
            return;
        }

        // The lookup is scoped by the caller-supplied "site" parameter.
        JCRUserNode userNode = this.jahiaUserManagerService.lookupUser(username, request.getParameter("site"));
        if (userNode == null || !this.jahiaMFAService.hasMFA(userNode)) {
            // Unknown user or no MFA configured: regular password login further down the pipeline.
            valveContext.invokeNext(obj);
            return;
        }

        // Two submission shapes are accepted:
        //  - token in the digit-1..digit-6 fields, password field used as is;
        //  - no digit-1 field and a password longer than TOKEN_LENGTH: the trailing six
        //    characters of the password field are taken as the token.
        // A password of TOKEN_LENGTH or fewer characters with no digit fields therefore
        // yields an all-zero token, which simply fails verification below.
        String password;
        String token;
        boolean tokenAppendedToPassword = request.getParameter("digit-1") == null
                && submittedPassword.length() > TOKEN_LENGTH;
        if (tokenAppendedToPassword) {
            int cut = submittedPassword.length() - TOKEN_LENGTH;
            password = submittedPassword.substring(0, cut);
            token = submittedPassword.substring(cut);
        } else {
            password = submittedPassword;
            token = extractTokenFromRequest(request);
        }

        if (!verifyCredentials(userNode, password, token)) {
            // Same result attribute whichever factor failed; only the username is logged.
            LOGGER.warn("Login failed: password and token verification failed for user {}", userNode.getName());
            request.setAttribute("login_valve_result", "bad_password");
            // Deliberately no invokeNext: stop the pipeline so nothing downstream can
            // accept the password alone for an MFA-enabled account.
            return;
        }

        LOGGER.debug("User {} logged in.", userNode);
        JahiaUser jahiaUser = userNode.getJahiaUser();
        // Drop the pre-authentication session before binding the user (presumably to
        // defeat session fixation); a fresh session is created on demand afterwards.
        if (request.getSession(false) != null) {
            request.getSession().invalidate();
        }
        request.setAttribute("login_valve_result", "ok");
        authContext.getSessionFactory().setCurrentUser(jahiaUser);
    }

    /**
     * Verifies password first, then the MFA token.
     *
     * <p>Short-circuits: the provider is not consulted when the password is wrong
     * (presumably so a one-time code is not consumed by a bad password attempt -
     * confirm). Response time therefore differs by which factor failed, although the
     * result reported to the caller does not.
     *
     * @return {@code true} only if both factors verify
     */
    private boolean verifyCredentials(JCRUserNode userNode, String password, String token) {
        if (!userNode.verifyPassword(password)) {
            return false;
        }
        return verifyToken(userNode, token, password);
    }

    /**
     * Delegates token verification to the provider recorded on the user's MFA node.
     *
     * <p>Returns {@code false} (fail closed) when the MFA node is missing, not activated,
     * has no provider, or the repository cannot be read. Note that the password is
     * forwarded to the provider together with the token; why the provider needs it is
     * not visible in this file.
     *
     * @param userNode the user being authenticated
     * @param token    the six-character token candidate
     * @param password the already-verified password
     */
    private boolean verifyToken(JCRUserNode userNode, String token, String password) {
        try {
            if (!userNode.hasNode(MFAConstants.NODE_NAME_MFA)) {
                return false;
            }
            JCRNodeWrapper mfaNode = userNode.getNode(MFAConstants.NODE_NAME_MFA);
            boolean activated = mfaNode.hasProperty(MFAConstants.PROP_ACTIVATED)
                    && mfaNode.getProperty(MFAConstants.PROP_ACTIVATED).getBoolean();
            if (!activated || !mfaNode.hasProperty("provider")) {
                return false;
            }
            String provider = mfaNode.getPropertyAsString("provider");
            return this.jahiaMFAService.verifyToken(userNode, provider, token, password);
        } catch (RepositoryException e) {
            LOGGER.warn(String.format("Unable to read MFA configuration for user: %s", userNode.getName()), e);
            return false;
        }
    }

    /**
     * Whether this request is a login submission.
     *
     * <p>An explicit {@code doLogin} parameter wins ({@code "true"} case-insensitively,
     * or {@code "1"}); otherwise a request to {@code /cms} at the login mapping counts.
     */
    private boolean isLoginRequested(HttpServletRequest request) {
        String doLogin = request.getParameter("doLogin");
        if (doLogin == null) {
            return "/cms".equals(request.getServletPath())
                    && Login.getMapping().equals(request.getPathInfo());
        }
        return "1".equals(doLogin) || Boolean.parseBoolean(doLogin);
    }

    /** Absolute URL of the MFA servlet, used as the site's login page. */
    public String getLoginUrl(HttpServletRequest httpServletRequest) {
        return getContextRequestURL(httpServletRequest) + "/" + MFAServlet.CONTEXT;
    }

    /** Always {@code true}: this valve owns the login URL. */
    public boolean hasCustomLoginUrl() {
        return true;
    }

    /**
     * Concatenates the {@code digit-1} .. {@code digit-6} form fields into one token string.
     *
     * <p>A missing or empty field is padded with {@code "0"}, so a partially filled form
     * yields an ordinary (failing) candidate rather than an error. Fields are appended
     * verbatim - nothing here limits a field to one character.
     */
    private static String extractTokenFromRequest(HttpServletRequest request) {
        StringBuilder token = new StringBuilder(TOKEN_LENGTH);
        for (int i = 1; i <= TOKEN_LENGTH; i++) {
            token.append(StringUtils.defaultIfEmpty(request.getParameter("digit-" + i), "0"));
        }
        return token.toString();
    }

    /**
     * Builds {@code scheme://host[:port]/context}, omitting the port when it is the
     * scheme's default (80 for http, 443 for https).
     *
     * <p>NOTE(review): scheme, server name and port are whatever the servlet container
     * reports, which by default derives from the request's Host header (and from
     * reverse-proxy headers only when the container is configured to trust them). If
     * that is not locked down at deployment, the login URL can be steered to an
     * attacker-chosen host - confirm the container / proxy configuration.
     */
    private static String getContextRequestURL(HttpServletRequest request) {
        String scheme = request.getScheme();
        int port = request.getServerPort();
        boolean defaultPort = ("http".equals(scheme) && port == 80)
                || ("https".equals(scheme) && port == 443);
        String url = scheme + "://" + request.getServerName();
        if (!defaultPort) {
            url += ":" + port;
        }
        return url + request.getContextPath();
    }
}
