package org.molgenis.security.twofactor.service;

import java.text.MessageFormat;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Objects;
import java.util.stream.Stream;
import org.molgenis.data.DataService;
import org.molgenis.data.populate.IdGenerator;
import org.molgenis.data.security.auth.User;
import org.molgenis.data.security.user.UserService;
import org.molgenis.security.core.runas.RunAsSystemAspect;
import org.molgenis.security.core.utils.SecurityUtils;
import org.molgenis.security.twofactor.exceptions.InvalidVerificationCodeException;
import org.molgenis.security.twofactor.exceptions.TooManyLoginAttemptsException;
import org.molgenis.security.twofactor.model.UserSecret;
import org.molgenis.security.twofactor.model.UserSecretFactory;
import org.molgenis.security.twofactor.model.UserSecretMetaData;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import org.springframework.util.StringUtils;

@Service
/* loaded from: input_file:org/molgenis/security/twofactor/service/TwoFactorAuthenticationServiceImpl.class */
public class TwoFactorAuthenticationServiceImpl implements TwoFactorAuthenticationService {
    private static final Logger LOG = LoggerFactory.getLogger(TwoFactorAuthenticationService.class);
    private static final int MAX_FAILED_LOGIN_ATTEMPTS = 3;
    private static final int FAILED_LOGIN_ATTEMPT_ITERATION = 1;
    private static final int BLOCKED_USER_INTERVAL = 30;
    private final OtpService otpService;
    private final DataService dataService;
    private final UserService userService;
    private final IdGenerator idGenerator;
    private final UserSecretFactory userSecretFactory;

    public TwoFactorAuthenticationServiceImpl(OtpService otpService, DataService dataService, UserService userService, IdGenerator idGenerator, UserSecretFactory userSecretFactory) {
        this.otpService = (OtpService) Objects.requireNonNull(otpService);
        this.dataService = (DataService) Objects.requireNonNull(dataService);
        this.userService = (UserService) Objects.requireNonNull(userService);
        this.idGenerator = (IdGenerator) Objects.requireNonNull(idGenerator);
        this.userSecretFactory = (UserSecretFactory) Objects.requireNonNull(userSecretFactory);
    }

    @Override // org.molgenis.security.twofactor.service.TwoFactorAuthenticationService
    public boolean isVerificationCodeValidForUser(String str) {
        boolean z = false;
        UserSecret secret = getSecret();
        if (!userIsBlocked()) {
            try {
                if (this.otpService.tryVerificationCode(str, secret.getSecret())) {
                    z = FAILED_LOGIN_ATTEMPT_ITERATION;
                    updateFailedLoginAttempts(0);
                }
            } catch (InvalidVerificationCodeException e) {
                updateFailedLoginAttempts(secret.getFailedLoginAttempts() + FAILED_LOGIN_ATTEMPT_ITERATION);
                if (!userIsBlocked()) {
                    throw e;
                }
            }
        }
        return z;
    }

    @Override // org.molgenis.security.twofactor.service.TwoFactorAuthenticationService
    public boolean userIsBlocked() {
        UserSecret secret = getSecret();
        if (secret.getFailedLoginAttempts() < MAX_FAILED_LOGIN_ATTEMPTS || secret.getLastFailedAuthentication() == null || Instant.now().toEpochMilli() >= secret.getLastFailedAuthentication().plus((TemporalAmount) Duration.ofSeconds(30L)).toEpochMilli()) {
            return false;
        }
        throw new TooManyLoginAttemptsException(MessageFormat.format("You entered the wrong verification code {0} times, please wait for {1} seconds before you try again", Integer.valueOf(MAX_FAILED_LOGIN_ATTEMPTS), Integer.valueOf(BLOCKED_USER_INTERVAL)));
    }

    @Override // org.molgenis.security.twofactor.service.TwoFactorAuthenticationService
    public void saveSecretForUser(String str) {
        if (str == null) {
            throw new InternalAuthenticationServiceException("No secretKey found");
        }
        User user = getUser();
        UserSecret create = this.userSecretFactory.create();
        create.setUserId(user.getId());
        create.setSecret(str);
        RunAsSystemAspect.runAsSystem(() -> {
            this.dataService.add(UserSecretMetaData.USER_SECRET, create);
        });
    }

    @Override // org.molgenis.security.twofactor.service.TwoFactorAuthenticationService
    public void resetSecretForUser() {
        User user = getUser();
        Stream stream = (Stream) RunAsSystemAspect.runAsSystem(() -> {
            return this.dataService.query(UserSecretMetaData.USER_SECRET, UserSecret.class).eq("userId", user.getId()).findAll();
        });
        RunAsSystemAspect.runAsSystem(() -> {
            this.dataService.delete(UserSecretMetaData.USER_SECRET, stream);
        });
    }

    @Override // org.molgenis.security.twofactor.service.TwoFactorAuthenticationService
    public void enableForUser() {
        User user = getUser();
        user.setTwoFactorAuthentication(true);
        this.userService.update(user);
    }

    @Override // org.molgenis.security.twofactor.service.TwoFactorAuthenticationService
    public void disableForUser() {
        User user = getUser();
        user.setTwoFactorAuthentication(false);
        this.userService.update(user);
        UserSecret secret = getSecret();
        RunAsSystemAspect.runAsSystem(() -> {
            this.dataService.delete(UserSecretMetaData.USER_SECRET, secret);
        });
    }

    @Override // org.molgenis.security.twofactor.service.TwoFactorAuthenticationService
    public String generateSecretKey() {
        return this.idGenerator.generateId(IdGenerator.Strategy.SECURE_RANDOM);
    }

    @Override // org.molgenis.security.twofactor.service.TwoFactorAuthenticationService
    public boolean isConfiguredForUser() {
        boolean z = false;
        try {
            if (StringUtils.hasText(getSecret().getSecret())) {
                z = FAILED_LOGIN_ATTEMPT_ITERATION;
            }
        } catch (InternalAuthenticationServiceException e) {
            LOG.warn(e.getMessage());
        }
        return z;
    }

    private void updateFailedLoginAttempts(int i) {
        UserSecret secret = getSecret();
        secret.setFailedLoginAttempts(i);
        if (secret.getFailedLoginAttempts() < MAX_FAILED_LOGIN_ATTEMPTS) {
            secret.setLastFailedAuthentication(Instant.now());
        } else if (secret.getLastFailedAuthentication() == null || Instant.now().toEpochMilli() >= secret.getLastFailedAuthentication().plus((TemporalAmount) Duration.ofSeconds(30L)).toEpochMilli()) {
            secret.setFailedLoginAttempts(FAILED_LOGIN_ATTEMPT_ITERATION);
        }
        RunAsSystemAspect.runAsSystem(() -> {
            this.dataService.update(UserSecretMetaData.USER_SECRET, secret);
        });
    }

    private UserSecret getSecret() {
        User user = getUser();
        UserSecret userSecret = (UserSecret) RunAsSystemAspect.runAsSystem(() -> {
            return this.dataService.query(UserSecretMetaData.USER_SECRET, UserSecret.class).eq("userId", user.getId()).findOne();
        });
        if (userSecret != null) {
            return userSecret;
        }
        throw new InternalAuthenticationServiceException(MessageFormat.format("Secret not found, user: [{0}] is not configured for two factor authentication", user.getUsername()));
    }

    private User getUser() {
        User user = this.userService.getUser(SecurityUtils.getCurrentUsername());
        if (user != null) {
            return user;
        }
        throw new UsernameNotFoundException(MessageFormat.format("Can not find user: [{0}]", SecurityUtils.getCurrentUsername()));
    }
}
