package org.thingsboard.server.service.security.auth.mfa;

import java.beans.ConstructorProperties;
import java.util.Collection;
import java.util.EnumMap;
import java.util.Map;
import java.util.Optional;
import org.apache.commons.lang3.tuple.Pair;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.LockedException;
import org.springframework.stereotype.Service;
import org.thingsboard.server.cache.limits.RateLimitService;
import org.thingsboard.server.common.data.StringUtils;
import org.thingsboard.server.common.data.User;
import org.thingsboard.server.common.data.exception.ThingsboardErrorCode;
import org.thingsboard.server.common.data.exception.ThingsboardException;
import org.thingsboard.server.common.data.id.TenantId;
import org.thingsboard.server.common.data.id.UserId;
import org.thingsboard.server.common.data.limit.LimitedApi;
import org.thingsboard.server.common.data.security.model.mfa.PlatformTwoFaSettings;
import org.thingsboard.server.common.data.security.model.mfa.account.TwoFaAccountConfig;
import org.thingsboard.server.common.data.security.model.mfa.provider.TwoFaProviderConfig;
import org.thingsboard.server.common.data.security.model.mfa.provider.TwoFaProviderType;
import org.thingsboard.server.dao.user.UserService;
import org.thingsboard.server.queue.util.TbCoreComponent;
import org.thingsboard.server.service.security.auth.mfa.config.TwoFaConfigManager;
import org.thingsboard.server.service.security.auth.mfa.provider.TwoFaProvider;
import org.thingsboard.server.service.security.model.SecurityUser;
import org.thingsboard.server.service.security.system.SystemSecurityService;

@TbCoreComponent
@Service
/* loaded from: input_file:org/thingsboard/server/service/security/auth/mfa/DefaultTwoFactorAuthService.class */
public class DefaultTwoFactorAuthService implements TwoFactorAuthService {
    private final TwoFaConfigManager configManager;
    private final SystemSecurityService systemSecurityService;
    private final UserService userService;
    private final RateLimitService rateLimitService;
    private final Map<TwoFaProviderType, TwoFaProvider<TwoFaProviderConfig, TwoFaAccountConfig>> providers = new EnumMap(TwoFaProviderType.class);
    private static final ThingsboardException ACCOUNT_NOT_CONFIGURED_ERROR = new ThingsboardException("2FA is not configured for account", ThingsboardErrorCode.BAD_REQUEST_PARAMS);
    private static final ThingsboardException PROVIDER_NOT_CONFIGURED_ERROR = new ThingsboardException("2FA provider is not configured", ThingsboardErrorCode.BAD_REQUEST_PARAMS);
    private static final ThingsboardException PROVIDER_NOT_AVAILABLE_ERROR = new ThingsboardException("2FA provider is not available", ThingsboardErrorCode.GENERAL);
    private static final ThingsboardException TOO_MANY_REQUESTS_ERROR = new ThingsboardException("Too many requests", ThingsboardErrorCode.TOO_MANY_REQUESTS);

    @Override // org.thingsboard.server.service.security.auth.mfa.TwoFactorAuthService
    public boolean isTwoFaEnabled(TenantId tenantId, UserId userId) {
        return ((Boolean) this.configManager.getAccountTwoFaSettings(tenantId, userId).map(accountTwoFaSettings -> {
            return Boolean.valueOf(!accountTwoFaSettings.getConfigs().isEmpty());
        }).orElse(false)).booleanValue();
    }

    @Override // org.thingsboard.server.service.security.auth.mfa.TwoFactorAuthService
    public void checkProvider(TenantId tenantId, TwoFaProviderType twoFaProviderType) throws ThingsboardException {
        getTwoFaProvider(twoFaProviderType).check(tenantId);
    }

    @Override // org.thingsboard.server.service.security.auth.mfa.TwoFactorAuthService
    public void prepareVerificationCode(SecurityUser securityUser, TwoFaProviderType twoFaProviderType, boolean z) throws Exception {
        prepareVerificationCode(securityUser, this.configManager.getTwoFaAccountConfig(securityUser.getTenantId(), securityUser.getId(), twoFaProviderType).orElseThrow(() -> {
            return ACCOUNT_NOT_CONFIGURED_ERROR;
        }), z);
    }

    @Override // org.thingsboard.server.service.security.auth.mfa.TwoFactorAuthService
    public void prepareVerificationCode(SecurityUser securityUser, TwoFaAccountConfig twoFaAccountConfig, boolean z) throws ThingsboardException {
        PlatformTwoFaSettings orElseThrow = this.configManager.getPlatformTwoFaSettings(securityUser.getTenantId(), true).orElseThrow(() -> {
            return PROVIDER_NOT_CONFIGURED_ERROR;
        });
        if (z) {
            Integer minVerificationCodeSendPeriod = orElseThrow.getMinVerificationCodeSendPeriod();
            String str = null;
            if (minVerificationCodeSendPeriod != null && minVerificationCodeSendPeriod.intValue() > 4) {
                str = "1:" + minVerificationCodeSendPeriod;
            }
            if (!this.rateLimitService.checkRateLimit(LimitedApi.TWO_FA_VERIFICATION_CODE_SEND, Pair.of(securityUser.getId(), twoFaAccountConfig.getProviderType()), str)) {
                throw TOO_MANY_REQUESTS_ERROR;
            }
        }
        getTwoFaProvider(twoFaAccountConfig.getProviderType()).prepareVerificationCode(securityUser, (TwoFaProviderConfig) orElseThrow.getProviderConfig(twoFaAccountConfig.getProviderType()).orElseThrow(() -> {
            return PROVIDER_NOT_CONFIGURED_ERROR;
        }), twoFaAccountConfig);
    }

    @Override // org.thingsboard.server.service.security.auth.mfa.TwoFactorAuthService
    public boolean checkVerificationCode(SecurityUser securityUser, TwoFaProviderType twoFaProviderType, String str, boolean z) throws ThingsboardException {
        return checkVerificationCode(securityUser, str, this.configManager.getTwoFaAccountConfig(securityUser.getTenantId(), securityUser.getId(), twoFaProviderType).orElseThrow(() -> {
            return ACCOUNT_NOT_CONFIGURED_ERROR;
        }), z);
    }

    @Override // org.thingsboard.server.service.security.auth.mfa.TwoFactorAuthService
    public boolean checkVerificationCode(SecurityUser securityUser, String str, TwoFaAccountConfig twoFaAccountConfig, boolean z) throws ThingsboardException {
        if (!this.userService.findUserCredentialsByUserId(securityUser.getTenantId(), securityUser.getId()).isEnabled()) {
            throw new ThingsboardException("User is disabled", ThingsboardErrorCode.AUTHENTICATION);
        }
        PlatformTwoFaSettings orElseThrow = this.configManager.getPlatformTwoFaSettings(securityUser.getTenantId(), true).orElseThrow(() -> {
            return PROVIDER_NOT_CONFIGURED_ERROR;
        });
        if (z && !this.rateLimitService.checkRateLimit(LimitedApi.TWO_FA_VERIFICATION_CODE_CHECK, Pair.of(securityUser.getId(), twoFaAccountConfig.getProviderType()), orElseThrow.getVerificationCodeCheckRateLimit())) {
            throw TOO_MANY_REQUESTS_ERROR;
        }
        TwoFaProviderConfig twoFaProviderConfig = (TwoFaProviderConfig) orElseThrow.getProviderConfig(twoFaAccountConfig.getProviderType()).orElseThrow(() -> {
            return PROVIDER_NOT_CONFIGURED_ERROR;
        });
        boolean z2 = false;
        if (StringUtils.isNotBlank(str) && (StringUtils.isNumeric(str) || twoFaAccountConfig.getProviderType() == TwoFaProviderType.BACKUP_CODE)) {
            z2 = getTwoFaProvider(twoFaAccountConfig.getProviderType()).checkVerificationCode(securityUser, str, twoFaProviderConfig, twoFaAccountConfig);
        }
        if (z) {
            try {
                this.systemSecurityService.validateTwoFaVerification(securityUser, z2, orElseThrow);
                if (z2) {
                    cleanUpRateLimits(securityUser.getId());
                }
            } catch (LockedException e) {
                cleanUpRateLimits(securityUser.getId());
                throw new ThingsboardException(e.getMessage(), ThingsboardErrorCode.AUTHENTICATION);
            }
        }
        return z2;
    }

    @Override // org.thingsboard.server.service.security.auth.mfa.TwoFactorAuthService
    public TwoFaAccountConfig generateNewAccountConfig(User user, TwoFaProviderType twoFaProviderType) throws ThingsboardException {
        return getTwoFaProvider(twoFaProviderType).generateNewAccountConfig(user, getTwoFaProviderConfig(user.getTenantId(), twoFaProviderType));
    }

    private void cleanUpRateLimits(UserId userId) {
        for (TwoFaProviderType twoFaProviderType : TwoFaProviderType.values()) {
            this.rateLimitService.cleanUp(LimitedApi.TWO_FA_VERIFICATION_CODE_SEND, Pair.of(userId, twoFaProviderType));
            this.rateLimitService.cleanUp(LimitedApi.TWO_FA_VERIFICATION_CODE_CHECK, Pair.of(userId, twoFaProviderType));
        }
    }

    private TwoFaProviderConfig getTwoFaProviderConfig(TenantId tenantId, TwoFaProviderType twoFaProviderType) throws ThingsboardException {
        return (TwoFaProviderConfig) this.configManager.getPlatformTwoFaSettings(tenantId, true).flatMap(platformTwoFaSettings -> {
            return platformTwoFaSettings.getProviderConfig(twoFaProviderType);
        }).orElseThrow(() -> {
            return PROVIDER_NOT_CONFIGURED_ERROR;
        });
    }

    private TwoFaProvider<TwoFaProviderConfig, TwoFaAccountConfig> getTwoFaProvider(TwoFaProviderType twoFaProviderType) throws ThingsboardException {
        return (TwoFaProvider) Optional.ofNullable(this.providers.get(twoFaProviderType)).orElseThrow(() -> {
            return PROVIDER_NOT_AVAILABLE_ERROR;
        });
    }

    @Autowired
    private void setProviders(Collection<TwoFaProvider> collection) {
        collection.forEach(twoFaProvider -> {
            this.providers.put(twoFaProvider.getType(), twoFaProvider);
        });
    }

    @ConstructorProperties({"configManager", "systemSecurityService", "userService", "rateLimitService"})
    public DefaultTwoFactorAuthService(TwoFaConfigManager twoFaConfigManager, SystemSecurityService systemSecurityService, UserService userService, RateLimitService rateLimitService) {
        this.configManager = twoFaConfigManager;
        this.systemSecurityService = systemSecurityService;
        this.userService = userService;
        this.rateLimitService = rateLimitService;
    }
}
