package cc.alcina.framework.servlet.authentication;

import cc.alcina.framework.common.client.WrappedRuntimeException;
import cc.alcina.framework.common.client.csobjects.LoginBean;
import cc.alcina.framework.common.client.csobjects.LoginResponse;
import cc.alcina.framework.common.client.domain.Domain;
import cc.alcina.framework.common.client.logic.domain.Entity;
import cc.alcina.framework.common.client.logic.domaintransform.AuthenticationSession;
import cc.alcina.framework.common.client.logic.domaintransform.ClientInstance;
import cc.alcina.framework.common.client.logic.domaintransform.PersistentImpl;
import cc.alcina.framework.common.client.logic.permissions.IUser;
import cc.alcina.framework.common.client.logic.permissions.UserWith2FA;
import cc.alcina.framework.common.client.logic.permissions.UserlandProvider;
import cc.alcina.framework.common.client.logic.reflection.Permission;
import cc.alcina.framework.common.client.logic.reflection.Registration;
import cc.alcina.framework.common.client.logic.reflection.registry.Registry;
import cc.alcina.framework.common.client.util.Ax;
import cc.alcina.framework.common.client.util.LooseContext;
import cc.alcina.framework.entity.Configuration;
import cc.alcina.framework.entity.logic.EntityLayerUtils;
import cc.alcina.framework.entity.persistence.AppPersistenceBase;
import cc.alcina.framework.entity.persistence.mvcc.Transaction;
import cc.alcina.framework.gwt.client.logic.AlcinaDebugIds;
import cc.alcina.framework.gwt.client.util.Base64Utils;
import cc.alcina.framework.servlet.module.login.LoginAttempts;
import cc.alcina.framework.servlet.module.login.LoginModel;
import cc.alcina.framework.servlet.module.login.LoginRequestHandler;
import cc.alcina.framework.servlet.module.login.TwoFactorAuthentication;
import com.lambdaworks.crypto.SCrypt;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Date;
import java.util.concurrent.TimeUnit;
import org.apache.derby.iapi.reference.Attribute;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

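/**
 * Base class for username/password (and optional TOTP) authentication.
 *
 * <p>The concrete implementation is looked up through the {@link Registry};
 * subclasses must supply {@link #validateAccount(LoginResponse, String)} and
 * may override the no-op hooks at the bottom of the class.
 *
 * <p>NOTE(review): {@link #loginModel} is per-login state held in an instance
 * field. If {@code Registry.impl} hands out a shared instance, concurrent
 * logins would overwrite each other's model - confirm the registry scope.
 *
 * @param <U> the persistent user type
 */
@Registration({Authenticator.class})
public abstract class Authenticator<U extends Entity & IUser> {
    /**
     * {@link LooseContext} key which, when set, makes
     * {@link #validatePassword(LoginModel)} succeed without comparing the
     * password. Code that sets it takes over responsibility for having
     * authenticated the user by other means; it must never be derived from
     * request data.
     */
    public static final String CONTEXT_BYPASS_PASSWORD_CHECK = Authenticator.class.getName() + ".CONTEXT_BYPASS_PASSWORD_CHECK";
    protected LoginModel loginModel;
    protected Logger logger = LoggerFactory.getLogger(getClass());

    /** Strategy for deriving and verifying stored password hashes. */
    public interface PasswordEncryptionSupport {
        /** Returns the registered implementation. */
        static PasswordEncryptionSupport get() {
            return (PasswordEncryptionSupport) Registry.impl(PasswordEncryptionSupport.class);
        }

        /**
         * Verifies a candidate password against a stored hash.
         *
         * <p>The comparison uses {@link MessageDigest#isEqual(byte[], byte[])}
         * rather than {@code String.equals}, so that the time taken does not
         * depend on how many leading characters of the two hashes match.
         *
         * @param str the candidate password
         * @param str2 the salt stored for the user
         * @param str3 the stored password hash; {@code null} never matches
         * @return {@code true} only if the derived hash equals {@code str3}
         */
        default boolean check(String str, String str2, String str3) {
            // Derive first, even when there is no stored hash, so that the
            // amount of work does not reveal whether a hash is present.
            String derived = encryptPassword(str, str2);
            if (str3 == null) {
                return false;
            }
            return MessageDigest.isEqual(derived.getBytes(StandardCharsets.UTF_8), str3.getBytes(StandardCharsets.UTF_8));
        }

        /**
         * Derives the storable hash for a password.
         *
         * @param str the plaintext password
         * @param str2 the salt
         * @return the encoded hash
         */
        String encryptPassword(String str, String str2);

        /**
         * Hook for upgrading a stored hash; the default returns {@code str2}
         * unchanged.
         */
        default String maybeReencrypt(String str, String str2) throws Exception {
            return str2;
        }
    }

    /**
     * scrypt-based {@link PasswordEncryptionSupport}. The output is the
     * Base64 encoding of the raw derived key; the cost parameters are not
     * stored with the hash, so changing them invalidates every existing hash
     * unless a migration is provided (see
     * {@link PasswordEncryptionSupport#maybeReencrypt(String, String)}).
     */
    @Registration({PasswordEncryptionSupport.class})
    public static class ScryptSupport implements PasswordEncryptionSupport {
        // NOTE(review): N = 2^14 is lower than what current guidance such as
        // the OWASP Password Storage Cheat Sheet recommends for scrypt; plan
        // a re-hash-on-login migration before raising it.
        private static final int N = 16384;
        private static final int r = 8;
        private static final int p = 1;
        private static final int dkLen = 64;

        /**
         * Derives a 64-byte scrypt key from the password and salt and returns
         * it Base64-encoded.
         *
         * @throws WrappedRuntimeException if key derivation fails
         */
        @Override
        public String encryptPassword(String str, String str2) {
            try {
                byte[] passwordBytes = str.getBytes(StandardCharsets.UTF_8);
                byte[] saltBytes = str2.getBytes(StandardCharsets.UTF_8);
                return Base64Utils.toBase64(SCrypt.scrypt(passwordBytes, saltBytes, N, r, p, dkLen));
            } catch (Exception e) {
                throw new WrappedRuntimeException(e);
            }
        }
    }

    /** Returns the registered authenticator implementation. */
    public static Authenticator get() {
        return (Authenticator) Registry.impl(Authenticator.class);
    }

    /**
     * Runs username, password and account validation for a login bean.
     *
     * @return a response whose {@code ok} flag starts as {@code false}; it is
     *         only changed by the validation steps
     */
    public LoginResponse authenticate(LoginBean loginBean) throws AuthenticationException {
        LoginResponse loginResponse = new LoginResponse();
        loginResponse.setOk(false);
        this.loginModel = new LoginModel();
        this.loginModel.loginBean = loginBean;
        this.loginModel.loginResponse = loginResponse;
        authenticate(loginBean, this.loginModel);
        return loginResponse;
    }

    /**
     * Validates the username, then the password, then the account, stopping
     * at the first failure.
     *
     * <p>NOTE(review): {@link #validateLoginAttempt(LoginModel)} (lockout) is
     * not called on this path - presumably the caller does so; verify.
     */
    public void authenticate(LoginBean loginBean, LoginModel loginModel) throws AuthenticationException {
        if (validateUsername(loginModel) && validatePassword(loginModel)) {
            validateAccount(loginModel.loginResponse, loginBean.getUserName());
        }
    }

    /** Hook; no-op by default. */
    public void checkExternalExpiration(AuthenticationSession authenticationSession) {
    }

    /**
     * Creates a user entity with the given name and password.
     *
     * @param str the user name
     * @param str2 the plaintext password, hashed via {@link #setPassword}
     */
    public U createUser(String str, String str2) {
        U user = (U) Domain.create(PersistentImpl.getImplementation(IUser.class));
        user.setUserName(str);
        setPassword(user, str2);
        return user;
    }

    /** Hook; no-op by default. */
    public void invalidateSession(AuthenticationSession authenticationSession) {
    }

    /** Replaces the current session with one for the anonymous user and commits. */
    public void logOut() {
        AuthenticationManager.get().createAuthenticationSession(new Date(), (IUser) UserlandProvider.get().getAnonymousUser(), AlcinaDebugIds.TOP_BUTTON_LOGOUT, false);
        Transaction.commit();
    }

    /**
     * Creates an authenticated session for a user whose credentials the
     * caller has already verified. This method performs account validation
     * only; it does not check a password or a second factor.
     *
     * @param loginResponse the response passed to account validation
     * @param str the user name
     * @param z when {@code false}, the new session is limited to one instance
     */
    public void processValidLogin(LoginResponse loginResponse, String str, boolean z) throws AuthenticationException {
        if (this.loginModel == null) {
            LoginBean loginBean = new LoginBean();
            loginBean.setUserName(str);
            this.loginModel = new LoginModel();
            this.loginModel.loginBean = loginBean;
            this.loginModel.loginResponse = loginResponse;
        }
        U user = validateAccount(loginResponse, str);
        if (!loginResponse.isOk()) {
            return;
        }
        AuthenticationSession session = AuthenticationManager.get().createAuthenticationSession(new Date(), user, Attribute.PASSWORD_ATTR, true);
        if (!z) {
            session.setMaxInstances(1);
        }
        if (user instanceof UserWith2FA) {
            ((UserWith2FA) user).setHasSuccessfullyLoggedIn(true);
        }
        Transaction.commit();
    }

    /**
     * Hashes and stores a new password for the user.
     *
     * @param u the user to update
     * @param str the plaintext password
     */
    public void setPassword(U u, String str) {
        if (Ax.isBlank(u.getSalt())) {
            // NOTE(review): the fallback salt is the user name, which is
            // predictable and the same for that name on every deployment. A
            // random per-user salt (SecureRandom) would be stronger; changing
            // it needs to be checked against existing stored hashes.
            u.setSalt(u.getUserName());
        }
        u.setPassword(PasswordEncryptionSupport.get().encryptPassword(str, u.getSalt()));
    }

    /**
     * Validates the account for the given user name, recording the outcome
     * on the response.
     */
    public abstract U validateAccount(LoginResponse loginResponse, String str) throws AuthenticationException;

    /**
     * Applies the lockout check when the {@code validateLoginAttempts}
     * configuration flag is on; otherwise always passes.
     */
    public boolean validateLoginAttempt(LoginModel<U> loginModel) {
        if (Configuration.is("validateLoginAttempts")) {
            return new LoginAttempts().checkLockedOut(loginModel);
        }
        return true;
    }

    /**
     * Checks the submitted password against the stored hash.
     *
     * <p>Two bypasses exist and should be audited: the
     * {@link #CONTEXT_BYPASS_PASSWORD_CHECK} context flag, and the
     * {@code bypassPasswordCheck} configuration flag, which is honoured only
     * when {@code AppPersistenceBase.isTestServer()} is true.
     *
     * @return {@code true} if the password matches or a bypass applies
     */
    public boolean validatePassword(LoginModel<U> loginModel) {
        U user = loginModel.user;
        if (user.getSalt() == null) {
            user.setSalt(user.getUserName());
        }
        if ((user instanceof UserWith2FA) && ((UserWith2FA) user).getAuthenticationSecret() == null) {
            ((UserWith2FA) user).setAuthenticationSecret(new TwoFactorAuthentication().generateSecret());
        }
        // NOTE(review): the salt backfill and 2FA secret generation above are
        // committed before the password is verified, so a request carrying
        // only a valid user name causes a persistent write.
        Transaction.commit();
        if (LooseContext.is(CONTEXT_BYPASS_PASSWORD_CHECK)) {
            return true;
        }
        boolean testServerBypass = AppPersistenceBase.isTestServer() && Configuration.is("bypassPasswordCheck");
        if (testServerBypass || PasswordEncryptionSupport.get().check(loginModel.loginBean.getPassword(), user.getSalt(), user.getPasswordHash())) {
            return true;
        }
        loginModel.loginResponse.setErrorMsg("Password incorrect");
        return false;
    }

    /**
     * Evaluates the second factor for a login request.
     *
     * <p>When the application uses two-factor authentication, the result
     * keeps {@code requiresTwoFactorAuth == true} unless a submitted code
     * verifies against the user's secret for the current 30-second step. A
     * code that is not a valid number is treated as an invalid code instead
     * of propagating {@link NumberFormatException}.
     *
     * @return the two-factor state for this request
     */
    public LoginRequestHandler.TwoFactorAuthResult validateTwoFactorAuth(LoginModel<U> loginModel) throws Exception {
        LoginRequestHandler.TwoFactorAuthResult result = new LoginRequestHandler.TwoFactorAuthResult();
        result.requiresTwoFactorAuth = false;
        if (!appUsesTwoFactorAuthentication()) {
            return result;
        }
        result.requiresTwoFactorAuth = true;
        UserWith2FA userWith2FA = (UserWith2FA) loginModel.user;
        String submittedCode = loginModel.loginRequest.getTwoFactorAuthenticationCode();
        if (Ax.notBlank(submittedCode)) {
            if (isTwoFactorCodeValid(userWith2FA, submittedCode)) {
                result.requiresTwoFactorAuth = false;
            } else {
                loginModel.loginResponse.setErrorMsg("Invalid authentication code");
            }
        }
        if (result.requiresTwoFactorAuth) {
            if (!((UserWith2FA) loginModel.user).isHasSuccessfullyLoggedIn()) {
                result.requiresTwoFactorQrCode = true;
            }
            // NOTE(review): the QR URL is built from the authentication
            // secret and is populated even for users who have already
            // enrolled (requiresTwoFactorQrCode == false). If this result
            // reaches the client as-is, holding the password alone would be
            // enough to obtain the TOTP secret - confirm what the caller
            // sends, and consider populating qrCode only during enrolment.
            result.qrCode = new TwoFactorAuthentication().getQRBarcodeURL(loginModel.user.getUserName(), EntityLayerUtils.getApplicationHostName(), userWith2FA.getAuthenticationSecret());
        }
        return result;
    }

    /** Parses the submitted code and checks it for the current 30-second time step. */
    private boolean isTwoFactorCodeValid(UserWith2FA user, String submittedCode) throws Exception {
        long code;
        try {
            code = Long.parseLong(submittedCode);
        } catch (NumberFormatException e) {
            // Untrusted input: a malformed code is simply a wrong code.
            return false;
        }
        long timeStep = new Date().getTime() / TimeUnit.SECONDS.toMillis(30L);
        return new TwoFactorAuthentication().checkCode(user.getAuthenticationSecret(), code, timeStep);
    }

    /**
     * Resolves the user named in the login bean and stores it on the model.
     *
     * <p>NOTE(review): the message set here differs from the one set on a
     * wrong password, so the response distinguishes registered from
     * unregistered names. If these messages reach the client, consider a
     * single generic failure message.
     *
     * @return {@code true} if a user with that name exists
     */
    public boolean validateUsername(LoginModel<U> loginModel) {
        loginModel.user = (U) UserlandProvider.get().getUserByName(loginModel.loginBean.getUserName());
        if (loginModel.user == null) {
            loginModel.loginResponse.setErrorMsg("Email address not registered");
        }
        return loginModel.user != null;
    }

    /** Whether the application requires a second factor; {@code false} by default. */
    protected boolean appUsesTwoFactorAuthentication() {
        return false;
    }

    /** Hook; always passes by default. */
    protected boolean validateLoginAttemptFromHistory(LoginModel<U> loginModel) {
        return true;
    }

    /** Hook; no-op by default. */
    public void postCreateAuthenticationSession(AuthenticationSession authenticationSession) {
    }

    /** Hook; returns {@code null} by default. */
    public String getExternalAuthorizationUrl(Permission permission) {
        return null;
    }

    /** Hook; no-op by default. */
    public void postCreateClientInstance(ClientInstance clientInstance) {
    }
}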
