package org.jahia.modules.mfa.otp.provider;

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.jcr.RepositoryException;
import org.apache.commons.codec.binary.Base32;
import org.apache.commons.io.Charsets;
import org.jahia.modules.mfa.MFAConstants;
import org.jahia.modules.mfa.provider.JahiaMFAProvider;
import org.jahia.services.content.JCRCallback;
import org.jahia.services.content.JCRNodeWrapper;
import org.jahia.services.content.JCRSessionWrapper;
import org.jahia.services.content.JCRTemplate;
import org.jahia.services.content.decorator.JCRUserNode;
import org.jahia.services.content.rules.AddedNodeFact;
import org.jahia.services.usermanager.JahiaUserManagerService;
import org.jboss.aerogear.security.otp.Totp;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:jahia-mfa-otp-provider-1.0.1.jar:org/jahia/modules/mfa/otp/provider/JahiaMFAOtpProvider.class */
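/**
 * TOTP ("authenticator app") MFA provider.
 * <p>
 * Enrolment ({@link #prepareMFA}) generates a random TOTP secret, encrypts it with AES/GCM under a key
 * derived from caller-supplied key material and an IV derived from the user node identifier, and stores
 * the Base64 ciphertext in {@code Constants.PROP_SECRET_KEY} on the user's {@code MFAConstants.NODE_NAME_MFA}
 * child node, which also receives the {@code Constants.MIXIN_MFA_OTP} mixin. Verification
 * ({@link #verifyToken}) reverses this and checks the submitted code with {@link Totp}.
 * <p>
 * The class holds no mutable state (the shared {@link SecureRandom} is thread-safe), so one instance can be
 * used concurrently.
 */
public class JahiaMFAOtpProvider extends JahiaMFAProvider {
    private static final Logger LOGGER = LoggerFactory.getLogger(JahiaMFAOtpProvider.class);
    /** Algorithm name of the key spec; must agree with {@link #TRANSFORMATION}. */
    private static final String ALGORITHM = "AES";
    /** Provider key this instance is registered under; also passed to the MFA service when deactivating. */
    private static final String KEY = "jahia-mfa-otp-provider";
    private static final String TRANSFORMATION = "AES/GCM/NoPadding";
    /** AES key length in bytes (256-bit key). */
    private static final int KEY_SIZE = 32;
    /** GCM authentication tag length in bits. */
    private static final int TAG_LENGTH_BIT = 128;
    /** Raw TOTP secret length in bytes (160 bits) before Base32 encoding. */
    private static final int TOTP_KEY_BYTE_SIZE = 20;
    /** Shared CSPRNG: SecureRandom is thread-safe, so one instance avoids re-seeding on every enrolment. */
    private static final SecureRandom RANDOM = new SecureRandom();
    // Initialised last so every other static this class relies on is already set up.
    private static final JahiaMFAOtpProvider INSTANCE = new JahiaMFAOtpProvider();

    /** Creates a provider registered under {@link #KEY}; prefer {@link #getInstance()}. */
    public JahiaMFAOtpProvider() {
        super(KEY);
    }

    /**
     * Returns the shared provider instance.
     *
     * @return the singleton provider
     */
    public static JahiaMFAOtpProvider getInstance() {
        return INSTANCE;
    }

    /**
     * Verifies a TOTP code against the encrypted secret stored on the user's MFA node.
     * <p>
     * The stored secret is decrypted with a key derived from {@code str2} and an IV derived from the user node
     * identifier (see {@link #getCipher}). If decryption fails (wrong key material, tampered ciphertext, changed
     * node identity) OTP MFA is <em>deactivated</em> for the user and {@code false} is returned: this pre-existing
     * design fails open rather than closed, so a {@code false} result must not be read as "MFA is still enforced
     * for this user". The deactivation is logged at ERROR so it can be alerted on.
     *
     * @param jCRUserNode the user whose MFA node holds the encrypted TOTP secret
     * @param str         the one-time code submitted by the user; must parse as a {@code long}
     * @param str2        the key material the secret was encrypted with at enrolment time
     * @return {@code true} only when the code is numeric and valid for the decrypted secret
     */
    @Override // org.jahia.modules.mfa.provider.JahiaMFAProvider
    public boolean verifyToken(final JCRUserNode jCRUserNode, final String str, final String str2) {
        // Reject malformed codes before opening a system session or touching the cipher at all.
        if (!isValidLong(str)) {
            return false;
        }
        try {
            return JCRTemplate.getInstance().doExecuteWithSystemSession(new JCRCallback<Boolean>() {
                @Override
                public Boolean doInJCR(JCRSessionWrapper session) throws RepositoryException {
                    JCRNodeWrapper userNode = session.getNode(jCRUserNode.getPath());
                    String encryptedSecret = userNode.getNode(MFAConstants.NODE_NAME_MFA)
                            .getPropertyAsString(Constants.PROP_SECRET_KEY);
                    String totpSecret = decryptTotpSecretKey(encryptedSecret, str2, userNode.getIdentifier());
                    return new Totp(totpSecret).verify(str);
                }
            });
        } catch (RepositoryException e) {
            LOGGER.error("Impossible to verify OTP code for user {}", jCRUserNode.getUserKey(), e);
            return false;
        } catch (IllegalStateException e) {
            // Raised by decryptTotpSecretKey for any decryption failure (see class Javadoc on fail-open).
            LOGGER.error("Impossible to decrypt secret key for user {}, something has changed. Deactivating MFA for this user.",
                    jCRUserNode.getUserKey(), e);
            getJahiaMFAService().deactivateMFA(jCRUserNode, KEY);
            return false;
        }
    }

    /**
     * Enrols the user: generates a fresh random TOTP secret, encrypts it and stores it on the MFA node.
     * <p>
     * The ciphertext is bound to {@code str} (key material) and to the user node identifier (IV), so changing
     * either afterwards makes the stored secret undecryptable — see {@link #verifyToken} for the consequence.
     *
     * @param jCRUserNode the user to enrol
     * @param str         key material used to encrypt the TOTP secret
     * @return {@code true} when the secret was stored, {@code false} on repository or cipher failure
     */
    @Override // org.jahia.modules.mfa.provider.JahiaMFAProvider
    public boolean prepareMFA(final JCRUserNode jCRUserNode, final String str) {
        try {
            return JCRTemplate.getInstance().doExecuteWithSystemSession(new JCRCallback<Boolean>() {
                @Override
                public Boolean doInJCR(JCRSessionWrapper session) throws RepositoryException {
                    JCRNodeWrapper userNode = session.getNode(jCRUserNode.getPath());
                    JCRNodeWrapper mfaNode = userNode.getNode(MFAConstants.NODE_NAME_MFA);
                    mfaNode.addMixin(Constants.MIXIN_MFA_OTP);
                    mfaNode.setProperty(Constants.PROP_SECRET_KEY,
                            encryptTotpSecretKey(generateTotpSecret(), str, userNode.getIdentifier()));
                    session.save();
                    return Boolean.TRUE;
                }
            });
        } catch (RepositoryException | IllegalStateException e) {
            LOGGER.error("Impossible to activate MFA OTP for user {}", jCRUserNode.getUserKey(), e);
            return false;
        }
    }

    /**
     * Nothing to do: the secret and mixin were already written by {@link #prepareMFA}.
     *
     * @param jCRUserNode the user being activated (unused)
     * @return always {@code true}
     */
    @Override // org.jahia.modules.mfa.provider.JahiaMFAProvider
    public boolean activateMFA(JCRUserNode jCRUserNode) {
        return true;
    }

    /**
     * Removes the stored secret and the OTP mixin from the user's MFA node.
     *
     * @param jCRUserNode the user to un-enrol
     * @return {@code true} when the node was cleaned up, {@code false} when OTP was not active or the
     *         repository operation failed
     */
    @Override // org.jahia.modules.mfa.provider.JahiaMFAProvider
    public boolean deactivateMFA(final JCRUserNode jCRUserNode) {
        try {
            if (!isActivated(jCRUserNode)) {
                return false;
            }
            return JCRTemplate.getInstance().doExecuteWithSystemSession(new JCRCallback<Boolean>() {
                @Override
                public Boolean doInJCR(JCRSessionWrapper session) throws RepositoryException {
                    JCRNodeWrapper mfaNode = session.getNode(jCRUserNode.getPath())
                            .getNode(MFAConstants.NODE_NAME_MFA);
                    if (mfaNode.hasProperty(Constants.PROP_SECRET_KEY)) {
                        mfaNode.getProperty(Constants.PROP_SECRET_KEY).remove();
                    }
                    if (mfaNode.isNodeType(Constants.MIXIN_MFA_OTP)) {
                        mfaNode.removeMixin(Constants.MIXIN_MFA_OTP);
                    }
                    session.save();
                    return Boolean.TRUE;
                }
            });
        } catch (RepositoryException e) {
            LOGGER.error("Impossible to deactivate MFA OTP for user {}", jCRUserNode.getUserKey(), e);
            return false;
        }
    }

    /**
     * Tells whether OTP MFA is enrolled for the user, i.e. the MFA child node exists and carries the OTP mixin.
     *
     * @param jCRUserNode the user to inspect; {@code null} is treated as "not activated"
     * @return {@code true} when the OTP mixin is present on the user's MFA node
     * @throws RepositoryException on repository access failure
     */
    public static boolean isActivated(JCRUserNode jCRUserNode) throws RepositoryException {
        if (jCRUserNode == null || !jCRUserNode.hasNode(MFAConstants.NODE_NAME_MFA)) {
            return false;
        }
        return jCRUserNode.getNode(MFAConstants.NODE_NAME_MFA).isNodeType(Constants.MIXIN_MFA_OTP);
    }

    /**
     * Deactivates OTP MFA for the user found at the fact's path, if enrolled. Takes a rule fact, so it is
     * presumably invoked from content rules. Deactivation is delegated to the MFA service under {@link #KEY},
     * as in {@link #verifyToken}.
     *
     * @param addedNodeFact rule fact whose path is expected to point at a user node
     */
    public void deactivateMFA(AddedNodeFact addedNodeFact) {
        try {
            JCRUserNode user = JahiaUserManagerService.getInstance().lookupUserByPath(addedNodeFact.getPath());
            if (user == null) {
                // Defensive: a lookup miss used to surface as a NullPointerException out of the rule.
                LOGGER.warn("No user found at {}, skipping MFA OTP deactivation", addedNodeFact.getPath());
                return;
            }
            if (isActivated(user)) {
                getJahiaMFAService().deactivateMFA(user, KEY);
            }
        } catch (RepositoryException e) {
            LOGGER.error("Impossible to deactivate MFA OTP", e);
        }
    }

    /**
     * Decrypts a Base64 ciphertext produced by {@link #encryptTotpSecretKey}.
     *
     * @param str  Base64-encoded AES/GCM ciphertext (authentication tag appended)
     * @param str2 key material the secret was encrypted with
     * @param str3 user node identifier used as the GCM IV
     * @return the plaintext TOTP secret
     * @throws IllegalStateException on any failure, including an authentication-tag mismatch; callers rely on
     *         this single exception type as the "cannot decrypt" signal, so unchecked failures (bad Base64,
     *         null input, unusable key material) are wrapped as well
     */
    public static String decryptTotpSecretKey(String str, String str2, String str3) {
        try {
            byte[] plaintext = getCipher(false, str2, str3).doFinal(Base64.getDecoder().decode(str));
            return new String(plaintext, StandardCharsets.UTF_8);
        } catch (GeneralSecurityException | RuntimeException e) {
            throw new IllegalStateException("Impossible to decrypt secret key", e);
        }
    }

    /**
     * Encrypts a TOTP secret for storage.
     *
     * @param str  plaintext TOTP secret
     * @param str2 key material to derive the AES key from
     * @param str3 user node identifier used as the GCM IV
     * @return Base64-encoded AES/GCM ciphertext (authentication tag appended)
     * @throws IllegalStateException on any failure (see {@link #decryptTotpSecretKey})
     */
    public static String encryptTotpSecretKey(String str, String str2, String str3) {
        try {
            byte[] ciphertext = getCipher(true, str2, str3).doFinal(str.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(ciphertext);
        } catch (GeneralSecurityException | RuntimeException e) {
            throw new IllegalStateException("Impossible to encrypt secret key", e);
        }
    }

    /**
     * Builds an AES/GCM cipher for a single encrypt or decrypt operation.
     * <p>
     * NOTE(review): both cipher inputs are deterministic — the key is derived from {@code str} by repetition
     * ({@link #generateSecretKey}, no salt, no stretching) and the IV is the UTF-8 bytes of {@code str2}, the
     * user node identifier — so every encryption for a given user reuses the same (key, IV) pair. GCM's
     * security guarantees do not hold once a (key, IV) pair is reused, which happens whenever
     * {@link #prepareMFA} runs more than once for the same user. A random IV stored with the ciphertext and a
     * proper password-based KDF would fix this, but they change the stored format, so existing secrets would
     * need migrating; deliberately not changed here.
     *
     * @param z    {@code true} for encryption, {@code false} for decryption
     * @param str  key material
     * @param str2 IV source (user node identifier)
     * @return an initialised cipher
     * @throws IllegalStateException when the cipher cannot be initialised
     */
    private static Cipher getCipher(boolean z, String str, String str2) {
        try {
            Key secretKey = generateSecretKey(str);
            Cipher cipher = Cipher.getInstance(TRANSFORMATION);
            GCMParameterSpec spec = new GCMParameterSpec(TAG_LENGTH_BIT, str2.getBytes(StandardCharsets.UTF_8));
            cipher.init(z ? Cipher.ENCRYPT_MODE : Cipher.DECRYPT_MODE, secretKey, spec);
            return cipher;
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException
                | NoSuchPaddingException e) {
            throw new IllegalStateException("Impossible to initialize cipher", e);
        }
    }

    /**
     * Derives the AES key from {@code str}: the string is repeated to {@link #KEY_SIZE} characters and the
     * first {@link #KEY_SIZE} UTF-8 bytes are used. For ASCII-only input this is byte-identical to the
     * previous behaviour; input containing non-ASCII characters used to produce more than 32 bytes and fail at
     * cipher initialisation, so truncating at the byte level only makes previously unusable input work.
     *
     * @param str key material; must be non-empty
     * @return a 256-bit AES key
     * @throws IllegalArgumentException when {@code str} is null or empty
     */
    private static Key generateSecretKey(String str) {
        byte[] material = generateKey(str).getBytes(StandardCharsets.UTF_8);
        return new SecretKeySpec(Arrays.copyOf(material, KEY_SIZE), ALGORITHM);
    }

    /**
     * Repeats {@code str} until it is at least {@link #KEY_SIZE} characters long and truncates to exactly that.
     *
     * @param str key material; must be non-empty
     * @return a {@link #KEY_SIZE}-character string
     * @throws IllegalArgumentException when {@code str} is null or empty
     */
    private static String generateKey(String str) {
        if (str == null || str.isEmpty()) {
            // An empty string would make the loop below spin forever (denial of service on the request
            // thread); null would silently become the literal "null" and thus a guessable key.
            throw new IllegalArgumentException("Key material must not be null or empty");
        }
        StringBuilder sb = new StringBuilder(KEY_SIZE + str.length());
        while (sb.length() < KEY_SIZE) {
            sb.append(str);
        }
        return sb.substring(0, KEY_SIZE);
    }

    /**
     * Generates a fresh random TOTP secret of {@link #TOTP_KEY_BYTE_SIZE} bytes, Base32-encoded as
     * authenticator apps expect.
     *
     * @return the Base32-encoded secret
     */
    private static String generateTotpSecret() {
        byte[] secret = new byte[TOTP_KEY_BYTE_SIZE];
        RANDOM.nextBytes(secret);
        return new Base32().encodeToString(secret);
    }

    /**
     * Tells whether {@code str} parses as a {@code long}, i.e. looks like a numeric OTP code. Reads no instance
     * state; kept as an instance method for compatibility.
     *
     * @param str candidate code; {@code null} yields {@code false}
     * @return {@code true} when {@link Long#parseLong} accepts the string
     */
    public boolean isValidLong(String str) {
        try {
            Long.parseLong(str);
            return true;
        } catch (NumberFormatException e) {
            return false;
        }
    }

    /**
     * Decompiler artifact (synthetic accessor for {@link #generateTotpSecret}) kept so the package-level surface
     * is unchanged; new code calls {@link #generateTotpSecret()} directly.
     */
    static String access$100() {
        return generateTotpSecret();
    }
}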
