package org.thingsboard.server.service.security.auth.mfa.provider.impl;

import java.net.URISyntaxException;
import java.security.SecureRandom;
import org.apache.commons.lang3.RandomUtils;
import org.apache.http.client.utils.URIBuilder;
import org.jboss.aerogear.security.otp.Totp;
import org.jboss.aerogear.security.otp.api.Base32;
import org.springframework.stereotype.Service;
import org.springframework.web.util.UriComponentsBuilder;
import org.thingsboard.server.common.data.User;
import org.thingsboard.server.common.data.security.model.mfa.account.TotpTwoFaAccountConfig;
import org.thingsboard.server.common.data.security.model.mfa.provider.TotpTwoFaProviderConfig;
import org.thingsboard.server.common.data.security.model.mfa.provider.TwoFaProviderType;
import org.thingsboard.server.controller.QrCodeSettingsController;
import org.thingsboard.server.queue.util.TbCoreComponent;
import org.thingsboard.server.service.security.auth.mfa.provider.TwoFaProvider;
import org.thingsboard.server.service.security.model.SecurityUser;

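/**
 * TOTP (time-based one-time password) implementation of {@link TwoFaProvider}.
 *
 * <p>The shared secret has no dedicated field: it is embedded as a query parameter of the
 * {@code otpauth://} URL stored in {@link TotpTwoFaAccountConfig} and is parsed back out of that
 * URL on every verification. Anything that exposes the auth URL therefore exposes the secret.
 */
@TbCoreComponent
@Service
/* loaded from: input_file:org/thingsboard/server/service/security/auth/mfa/provider/impl/TotpTwoFaProvider.class */
public class TotpTwoFaProvider implements TwoFaProvider<TotpTwoFaProviderConfig, TotpTwoFaAccountConfig> {
    /** Secret length in bytes; 20 bytes = 160 bits, the length RFC 4226 recommends for HOTP/TOTP keys. */
    private static final int SECRET_KEY_BYTES = 20;

    /** Cryptographically strong source for shared secrets; SecureRandom instances are thread-safe. */
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();

    /**
     * Creates a fresh TOTP account configuration for the user, with a newly generated secret
     * embedded in its auth URL.
     *
     * @param user the user being enrolled; the e-mail becomes the account label in the URL
     * @param totpTwoFaProviderConfig provider settings; supplies the issuer name
     * @return a new account config whose auth URL carries the issuer, label and secret
     */
    @Override
    public final TotpTwoFaAccountConfig generateNewAccountConfig(User user, TotpTwoFaProviderConfig totpTwoFaProviderConfig) {
        TotpTwoFaAccountConfig totpTwoFaAccountConfig = new TotpTwoFaAccountConfig();
        totpTwoFaAccountConfig.setAuthUrl(getTotpAuthUrl(user, generateSecretKey(), totpTwoFaProviderConfig));
        return totpTwoFaAccountConfig;
    }

    /**
     * Verifies a submitted one-time code against the secret stored in the account's auth URL.
     *
     * <p>Fails closed: a missing code, a missing auth URL, an auth URL without a secret
     * parameter, or a malformed code all yield {@code false} instead of an unchecked exception.
     * This method keeps no state, so attempt limiting and rejection of an already used code
     * are not done here and have to be enforced by the caller.
     *
     * @param securityUser the authenticating user (not read by this implementation)
     * @param str the verification code submitted by the user
     * @param totpTwoFaProviderConfig provider settings (not read by this implementation)
     * @param totpTwoFaAccountConfig the account config holding the auth URL with the secret
     * @return {@code true} only if the code matches the secret
     */
    @Override
    public final boolean checkVerificationCode(SecurityUser securityUser, String str, TotpTwoFaProviderConfig totpTwoFaProviderConfig, TotpTwoFaAccountConfig totpTwoFaAccountConfig) {
        if (str == null || str.isEmpty()) {
            return false;
        }
        String authUrl = totpTwoFaAccountConfig.getAuthUrl();
        if (authUrl == null) {
            return false;
        }
        String secret = UriComponentsBuilder.fromUriString(authUrl)
                .build()
                .getQueryParams()
                .getFirst(QrCodeSettingsController.SECRET);
        // Without a secret there is nothing to verify against; never treat that as success.
        if (secret == null || secret.isEmpty()) {
            return false;
        }
        try {
            return new Totp(secret).verify(str);
        } catch (NumberFormatException ignored) {
            // NOTE(review): Totp#verify appears to parse the code numerically; a non-numeric
            // code is reported as a failed check so it is handled like any other wrong code.
            return false;
        }
    }

    /**
     * Builds the {@code otpauth://totp/<issuer>:<email>?issuer=...&secret=...} URL.
     *
     * @param user the user whose e-mail forms the account label
     * @param str the Base32-encoded shared secret
     * @param totpTwoFaProviderConfig provider settings; supplies the issuer name
     * @return the ASCII form of the auth URL
     * @throws IllegalStateException if the URL cannot be assembled
     */
    private String getTotpAuthUrl(User user, String str, TotpTwoFaProviderConfig totpTwoFaProviderConfig) {
        String issuerName = totpTwoFaProviderConfig.getIssuerName();
        try {
            return new URIBuilder()
                    .setScheme("otpauth")
                    .setHost("totp")
                    .setParameter("issuer", issuerName)
                    .setPath("/" + issuerName + ":" + user.getEmail())
                    .setParameter(QrCodeSettingsController.SECRET, str)
                    .build()
                    .toASCIIString();
        } catch (URISyntaxException e) {
            // URIBuilder#build declares this checked exception, which the method did not handle.
            // NOTE(review): the cause may echo the URL, which embeds the secret; confirm this
            // exception is not logged verbatim.
            throw new IllegalStateException("Failed to build TOTP auth URL", e);
        }
    }

    /**
     * Generates a new Base32-encoded shared secret.
     *
     * <p>The bytes come from {@link SecureRandom}. commons-lang3 {@code RandomUtils} is a
     * general-purpose helper and, depending on the library version, is backed by a
     * non-cryptographic generator whose output can be predicted; a TOTP secret must not be.
     *
     * @return the Base32 text of {@value #SECRET_KEY_BYTES} random bytes
     */
    private String generateSecretKey() {
        byte[] secret = new byte[SECRET_KEY_BYTES];
        SECURE_RANDOM.nextBytes(secret);
        return Base32.encode(secret);
    }

    /**
     * Identifies this provider.
     *
     * @return {@link TwoFaProviderType#TOTP}
     */
    @Override
    public TwoFaProviderType getType() {
        return TwoFaProviderType.TOTP;
    }
}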
