package org.thingsboard.server.service.security.auth.mfa.config;

import java.beans.ConstructorProperties;
import java.util.Comparator;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Optional;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Lazy;
import org.springframework.stereotype.Service;
import org.thingsboard.common.util.JacksonUtil;
import org.thingsboard.server.common.data.AdminSettings;
import org.thingsboard.server.common.data.exception.ThingsboardException;
import org.thingsboard.server.common.data.id.TenantId;
import org.thingsboard.server.common.data.id.UserId;
import org.thingsboard.server.common.data.security.UserAuthSettings;
import org.thingsboard.server.common.data.security.model.mfa.PlatformTwoFaSettings;
import org.thingsboard.server.common.data.security.model.mfa.account.AccountTwoFaSettings;
import org.thingsboard.server.common.data.security.model.mfa.account.TwoFaAccountConfig;
import org.thingsboard.server.common.data.security.model.mfa.provider.TwoFaProviderConfig;
import org.thingsboard.server.common.data.security.model.mfa.provider.TwoFaProviderType;
import org.thingsboard.server.dao.service.ConstraintValidator;
import org.thingsboard.server.dao.settings.AdminSettingsDao;
import org.thingsboard.server.dao.settings.AdminSettingsService;
import org.thingsboard.server.dao.user.UserAuthSettingsDao;
import org.thingsboard.server.service.security.auth.mfa.TwoFactorAuthService;

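/**
 * Default {@link TwoFaConfigManager}: stores per-account 2FA settings through
 * {@link UserAuthSettingsDao} and platform-wide 2FA settings as an {@link AdminSettings}
 * entry under the key {@link #TWO_FACTOR_AUTH_SETTINGS_KEY}.
 *
 * <p>None of the methods in this class performs an authorization check; they act on whatever
 * tenant and user ids they are given. NOTE(review): callers are presumably expected to verify
 * that the requester may change the target account's 2FA configuration. Confirm at the call sites.
 */
@Service
public class DefaultTwoFaConfigManager implements TwoFaConfigManager {
    protected static final String TWO_FACTOR_AUTH_SETTINGS_KEY = "twoFaSettings";

    private final UserAuthSettingsDao userAuthSettingsDao;
    private final AdminSettingsService adminSettingsService;
    private final AdminSettingsDao adminSettingsDao;

    // Field-injected and lazy, unlike the constructor-injected collaborators.
    // NOTE(review): presumably this breaks a circular bean dependency. Confirm.
    @Autowired
    @Lazy
    private TwoFactorAuthService twoFactorAuthService;

    @ConstructorProperties({"userAuthSettingsDao", "adminSettingsService", "adminSettingsDao"})
    public DefaultTwoFaConfigManager(UserAuthSettingsDao userAuthSettingsDao, AdminSettingsService adminSettingsService, AdminSettingsDao adminSettingsDao) {
        this.userAuthSettingsDao = userAuthSettingsDao;
        this.adminSettingsService = adminSettingsService;
        this.adminSettingsDao = adminSettingsDao;
    }

    /**
     * Loads the account's 2FA settings and reconciles them with the platform settings.
     *
     * <p>This getter has a write side effect: when reconciliation changes anything, the
     * corrected settings are persisted before being returned. Reconciliation does three things:
     * <ol>
     *   <li>drops account configs whose provider is no longer configured on the platform
     *       (all of them when there are no platform settings);</li>
     *   <li>drops {@code BACKUP_CODE} when it is the only config left, so backup codes never
     *       stand alone as the sole factor;</li>
     *   <li>marks the first non-backup config as default when no config is marked default.</li>
     * </ol>
     *
     * @return the reconciled settings, or empty when the user has no auth settings or no 2FA settings
     */
    @Override
    public Optional<AccountTwoFaSettings> getAccountTwoFaSettings(TenantId tenantId, UserId userId) {
        PlatformTwoFaSettings platformSettings = getPlatformTwoFaSettings(tenantId, true).orElse(null);
        return Optional.ofNullable(this.userAuthSettingsDao.findByUserId(userId)).map(userAuthSettings -> {
            AccountTwoFaSettings twoFaSettings = userAuthSettings.getTwoFaSettings();
            if (twoFaSettings == null) {
                // Optional.map turns a null result into an empty Optional.
                return null;
            }
            LinkedHashMap<TwoFaProviderType, TwoFaAccountConfig> configs = twoFaSettings.getConfigs();
            boolean changed = configs.keySet().removeIf(providerType ->
                    platformSettings == null || platformSettings.getProviderConfig(providerType).isEmpty());
            if (configs.size() == 1 && configs.containsKey(TwoFaProviderType.BACKUP_CODE)) {
                configs.remove(TwoFaProviderType.BACKUP_CODE);
                changed = true;
            }
            if (!configs.isEmpty() && configs.values().stream().noneMatch(TwoFaAccountConfig::isUseByDefault)) {
                configs.values().stream()
                        .filter(config -> config.getProviderType() != TwoFaProviderType.BACKUP_CODE)
                        .findFirst()
                        .ifPresent(config -> config.setUseByDefault(true));
                changed = true;
            }
            if (changed) {
                twoFaSettings = saveAccountTwoFaSettings(tenantId, userId, twoFaSettings);
            }
            return twoFaSettings;
        });
    }

    /**
     * Persists the given account 2FA settings, creating the user's auth-settings record if absent.
     *
     * <p>Hidden fields of each account config are serialized only while the record is being
     * saved. The flag is reset in a {@code finally} block so that a failed save cannot leave the
     * in-memory configs in the "serialize hidden fields" state, where a later serialization of
     * the same objects (for example into an API response or a log line) would include them.
     * NOTE(review): the hidden fields presumably carry secret material. Confirm against
     * {@link TwoFaAccountConfig}.
     *
     * @return the same {@code accountTwoFaSettings} instance that was passed in
     */
    protected AccountTwoFaSettings saveAccountTwoFaSettings(TenantId tenantId, UserId userId, AccountTwoFaSettings accountTwoFaSettings) {
        UserAuthSettings userAuthSettings = Optional.ofNullable(this.userAuthSettingsDao.findByUserId(userId)).orElseGet(() -> {
            UserAuthSettings created = new UserAuthSettings();
            created.setUserId(userId);
            return created;
        });
        userAuthSettings.setTwoFaSettings(accountTwoFaSettings);
        accountTwoFaSettings.getConfigs().values().forEach(config -> config.setSerializeHiddenFields(true));
        try {
            this.userAuthSettingsDao.save(tenantId, userAuthSettings);
        } finally {
            accountTwoFaSettings.getConfigs().values().forEach(config -> config.setSerializeHiddenFields(false));
        }
        return accountTwoFaSettings;
    }

    /**
     * Returns the account's config for one provider type, after the reconciliation done by
     * {@link #getAccountTwoFaSettings(TenantId, UserId)}.
     *
     * @return the config, or empty when the account has no 2FA settings or none for that provider
     */
    @Override
    public Optional<TwoFaAccountConfig> getTwoFaAccountConfig(TenantId tenantId, UserId userId, TwoFaProviderType twoFaProviderType) {
        return getAccountTwoFaSettings(tenantId, userId)
                .map(AccountTwoFaSettings::getConfigs)
                .map(configs -> configs.get(twoFaProviderType));
    }

    /**
     * Adds or replaces the account's config for the config's provider type and persists the result.
     *
     * <p>Exactly one config ends up marked as default: if the new config is the default, the flag
     * is cleared on all others; if none is marked afterwards, the first config in insertion order
     * is marked.
     *
     * <p>NOTE(review): this method stores the config as given and does not itself check that the
     * user has proven possession of the factor. Confirm that verification happens before the call.
     *
     * @throws IllegalArgumentException if the provider is not configured on the platform, or if
     *         backup codes are being added while the account has no other provider
     */
    @Override
    public AccountTwoFaSettings saveTwoFaAccountConfig(TenantId tenantId, UserId userId, TwoFaAccountConfig twoFaAccountConfig) {
        // Called only for its exception: the provider must be configured on the platform.
        getTwoFaProviderConfig(tenantId, twoFaAccountConfig.getProviderType())
                .orElseThrow(() -> new IllegalArgumentException("2FA provider is not configured"));
        AccountTwoFaSettings settings = getAccountTwoFaSettings(tenantId, userId).orElseGet(() -> {
            AccountTwoFaSettings created = new AccountTwoFaSettings();
            created.setConfigs(new LinkedHashMap<>());
            return created;
        });
        LinkedHashMap<TwoFaProviderType, TwoFaAccountConfig> configs = settings.getConfigs();
        if (configs.isEmpty() && twoFaAccountConfig.getProviderType() == TwoFaProviderType.BACKUP_CODE) {
            throw new IllegalArgumentException("To use 2FA backup codes you first need to configure at least one provider");
        }
        if (twoFaAccountConfig.isUseByDefault()) {
            configs.values().forEach(config -> config.setUseByDefault(false));
        }
        configs.put(twoFaAccountConfig.getProviderType(), twoFaAccountConfig);
        if (configs.values().stream().noneMatch(TwoFaAccountConfig::isUseByDefault)) {
            configs.values().stream().findFirst().ifPresent(config -> config.setUseByDefault(true));
        }
        return saveAccountTwoFaSettings(tenantId, userId, settings);
    }

    /**
     * Removes the account's config for one provider type and persists the result.
     *
     * <p>If a single config remains afterwards and it is {@code BACKUP_CODE}, it is removed too,
     * which leaves the account with no 2FA config at all. If configs remain but none is the
     * default, the one with the lowest provider type is marked default.
     *
     * <p>NOTE(review): removing the last provider effectively turns 2FA off for the account, and
     * no platform policy is consulted here. Confirm that callers enforce any "2FA required" rule.
     *
     * @throws IllegalArgumentException if the account has no 2FA settings
     */
    @Override
    public AccountTwoFaSettings deleteTwoFaAccountConfig(TenantId tenantId, UserId userId, TwoFaProviderType twoFaProviderType) {
        AccountTwoFaSettings settings = getAccountTwoFaSettings(tenantId, userId)
                .orElseThrow(() -> new IllegalArgumentException("2FA not configured"));
        LinkedHashMap<TwoFaProviderType, TwoFaAccountConfig> configs = settings.getConfigs();
        configs.remove(twoFaProviderType);
        if (configs.size() == 1) {
            // No-op unless the one remaining config is the backup-code config.
            configs.remove(TwoFaProviderType.BACKUP_CODE);
        }
        if (!configs.isEmpty() && configs.values().stream().noneMatch(TwoFaAccountConfig::isUseByDefault)) {
            configs.values().stream()
                    .min(Comparator.comparing(TwoFaAccountConfig::getProviderType))
                    .ifPresent(config -> config.setUseByDefault(true));
        }
        return saveAccountTwoFaSettings(tenantId, userId, settings);
    }

    /** Returns the platform-level config for a provider type, or empty if it is not configured. */
    private Optional<TwoFaProviderConfig> getTwoFaProviderConfig(TenantId tenantId, TwoFaProviderType twoFaProviderType) {
        return getPlatformTwoFaSettings(tenantId, true)
                .flatMap(platformSettings -> platformSettings.getProviderConfig(twoFaProviderType));
    }

    /**
     * Reads the platform 2FA settings stored under {@link TenantId#SYS_TENANT_ID}.
     *
     * <p>Both parameters are unused in this implementation: the lookup always targets the system
     * tenant. NOTE(review): {@link #savePlatformTwoFaSettings} and
     * {@link #deletePlatformTwoFaSettings} use the caller-supplied tenant id instead, so settings
     * written under any other tenant id would never be returned here. Confirm that callers only
     * pass the system tenant to those methods.
     *
     * @return the deserialized settings, or empty when no admin-settings entry exists
     */
    @Override
    public Optional<PlatformTwoFaSettings> getPlatformTwoFaSettings(TenantId tenantId, boolean z) {
        return Optional.ofNullable(this.adminSettingsService.findAdminSettingsByKey(TenantId.SYS_TENANT_ID, TWO_FACTOR_AUTH_SETTINGS_KEY))
                .map(adminSettings -> JacksonUtil.treeToValue(adminSettings.getJsonValue(), PlatformTwoFaSettings.class));
    }

    /**
     * Validates and stores the platform 2FA settings for the given tenant id.
     *
     * <p>The settings are checked with {@link ConstraintValidator} and every listed provider type
     * is passed to {@code TwoFactorAuthService.checkProvider} before anything is written.
     *
     * @return the same {@code platformTwoFaSettings} instance that was passed in
     * @throws ThingsboardException propagated from the provider check
     */
    @Override
    public PlatformTwoFaSettings savePlatformTwoFaSettings(TenantId tenantId, PlatformTwoFaSettings platformTwoFaSettings) throws ThingsboardException {
        ConstraintValidator.validateFields(platformTwoFaSettings);
        for (TwoFaProviderConfig providerConfig : platformTwoFaSettings.getProviders()) {
            this.twoFactorAuthService.checkProvider(tenantId, providerConfig.getProviderType());
        }
        AdminSettings adminSettings = Optional.ofNullable(this.adminSettingsService.findAdminSettingsByKey(tenantId, TWO_FACTOR_AUTH_SETTINGS_KEY)).orElseGet(() -> {
            AdminSettings created = new AdminSettings();
            created.setKey(TWO_FACTOR_AUTH_SETTINGS_KEY);
            return created;
        });
        adminSettings.setJsonValue(JacksonUtil.valueToTree(platformTwoFaSettings));
        this.adminSettingsService.saveAdminSettings(tenantId, adminSettings);
        return platformTwoFaSettings;
    }

    /**
     * Deletes the platform 2FA settings entry for the given tenant id, if one exists.
     *
     * <p>Account-level configs are not touched here; they are pruned the next time
     * {@link #getAccountTwoFaSettings(TenantId, UserId)} runs for each account.
     */
    @Override
    public void deletePlatformTwoFaSettings(TenantId tenantId) {
        Optional.ofNullable(this.adminSettingsService.findAdminSettingsByKey(tenantId, TWO_FACTOR_AUTH_SETTINGS_KEY))
                .ifPresent(adminSettings -> this.adminSettingsDao.removeById(tenantId, adminSettings.getId().getId()));
    }
}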
