package io.hops.hopsworks.common.user;

import com.google.common.base.Strings;
import io.hops.hopsworks.common.dao.certificates.CertsFacade;
import io.hops.hopsworks.common.dao.kafka.KafkaConst;
import io.hops.hopsworks.common.dao.project.ProjectFacade;
import io.hops.hopsworks.common.dao.user.BbcGroupFacade;
import io.hops.hopsworks.common.dao.user.UserFacade;
import io.hops.hopsworks.common.dao.user.security.audit.AccountAuditFacade;
import io.hops.hopsworks.common.dao.user.security.ua.UserAccountsEmailMessages;
import io.hops.hopsworks.common.security.CertificatesMgmService;
import io.hops.hopsworks.common.security.utils.Secret;
import io.hops.hopsworks.common.security.utils.SecurityUtils;
import io.hops.hopsworks.common.util.EmailBean;
import io.hops.hopsworks.common.util.HopsUtils;
import io.hops.hopsworks.common.util.HttpUtil;
import io.hops.hopsworks.common.util.Settings;
import io.hops.hopsworks.exceptions.UserException;
import io.hops.hopsworks.persistence.entity.certificates.UserCerts;
import io.hops.hopsworks.persistence.entity.project.Project;
import io.hops.hopsworks.persistence.entity.user.BbcGroup;
import io.hops.hopsworks.persistence.entity.user.Users;
import io.hops.hopsworks.persistence.entity.user.security.ua.UserAccountStatus;
import io.hops.hopsworks.persistence.entity.user.security.ua.UserAccountType;
import io.hops.hopsworks.persistence.entity.user.security.ua.ValidationKeyType;
import io.hops.hopsworks.restutils.RESTCodes;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.sql.Timestamp;
import java.util.Date;
import java.util.Iterator;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.ejb.EJB;
import javax.ejb.EJBException;
import javax.ejb.Stateless;
import javax.ejb.TransactionAttribute;
import javax.ejb.TransactionAttributeType;
import javax.inject.Inject;
import javax.mail.Message;
import javax.mail.MessagingException;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.codec.binary.Base32;

@TransactionAttribute(TransactionAttributeType.NEVER)
@Stateless
/* loaded from: input_file:io/hops/hopsworks/common/user/AuthController.class */
public class AuthController {

    @EJB
    private UserFacade userFacade;

    @EJB
    private BbcGroupFacade bbcGroupFacade;

    @EJB
    private UserStatusValidator userStatusValidator;

    @EJB
    private Settings settings;

    @EJB
    private EmailBean emailBean;

    @EJB
    private CertsFacade userCertsFacade;

    @EJB
    private ProjectFacade projectFacade;

    @EJB
    private CertificatesMgmService certificatesMgmService;

    @EJB
    private SecurityUtils securityUtils;

    @EJB
    private AccountAuditFacade accountAuditFacade;

    @Inject
    private PasswordRecovery passwordRecovery;
    private static final Logger LOGGER = Logger.getLogger(AuthController.class.getName());
    private static final long RESET_LINK_IN_HOURS = TimeUnit.HOURS.toMillis(24);

    /* loaded from: input_file:io/hops/hopsworks/common/user/AuthController$CredentialsResetToken.class */
    public static class CredentialsResetToken {
        private final String token;
        private final long validity;

        public static CredentialsResetToken of(String str, long j) {
            return new CredentialsResetToken(str, j);
        }

        private CredentialsResetToken(String str, long j) {
            this.token = str;
            this.validity = j;
        }

        public String getToken() {
            return this.token;
        }

        public long getValidity() {
            return this.validity;
        }
    }

    private void validateUser(Users users) {
        if (users == null) {
            throw new IllegalArgumentException("User not set.");
        }
        if (!users.getMode().equals(UserAccountType.M_ACCOUNT_TYPE)) {
            throw new IllegalArgumentException("Can not login user with account type: " + users.getMode().toString());
        }
    }

    public String preLoginCheck(Users users, String str, String str2) throws UserException {
        validateUser(users);
        if (isTwoFactorEnabled(users)) {
            if (Strings.isNullOrEmpty(str2)) {
                if (checkPasswordAndStatus(users, str)) {
                    throw new IllegalStateException("Second factor required.");
                }
                throw new UserException(RESTCodes.UserErrorCode.AUTHENTICATION_FAILURE, Level.FINE, "Incorrect username and/or password");
            }
            validateOTP(users, str2);
        }
        return getPasswordPlusSalt(str, users.getSalt());
    }

    public boolean validatePassword(Users users, String str) {
        validateUser(users);
        if (users.getPassword().equals(new Secret(str, users.getSalt()).getSha256HexDigest())) {
            resetFalseLogin(users);
            return true;
        }
        registerFalseLogin(users);
        LOGGER.log(Level.FINEST, "False login attempt by user: {0}", users.getEmail());
        return false;
    }

    public boolean checkPasswordAndStatus(Users users, String str) throws UserException {
        if (users == null) {
            throw new IllegalArgumentException("User not set.");
        }
        this.userStatusValidator.checkStatus(users.getStatus());
        return validatePassword(users, str);
    }

    public boolean checkUserPasswordAndStatus(Users users, String str) throws UserException {
        checkUserStatus(users, false);
        return validatePassword(users, str);
    }

    private Users getUserFromKey(String str) {
        if (str == null) {
            throw new IllegalArgumentException("Validation key not supplied.");
        }
        if (str.length() <= 8) {
            throw new IllegalArgumentException("Unrecognized validation key.");
        }
        return this.userFacade.findByUsername(str.substring(0, 8));
    }

    private void validate(Users users, String str) throws UserException {
        if (!str.substring(8).equals(users.getValidationKey())) {
            registerFalseKeyValidation(users);
            throw new UserException(RESTCodes.UserErrorCode.INCORRECT_VALIDATION_KEY, Level.FINE);
        }
        if (diffMillis(users.getValidationKeyUpdated()) < TimeUnit.SECONDS.toMillis(5L)) {
            resetValidationKey(users);
            throw new UserException(RESTCodes.UserErrorCode.INCORRECT_VALIDATION_KEY, Level.FINE);
        }
        resetFalseLogin(users);
    }

    public void validateEmail(String str) throws UserException {
        Users userFromKey = getUserFromKey(str);
        checkUserStatusAndKey(userFromKey, ValidationKeyType.EMAIL, true);
        validate(userFromKey, str);
        userFromKey.setStatus(UserAccountStatus.VERIFIED_ACCOUNT);
        userFromKey.setActivated(new Timestamp(new Date().getTime()));
        resetValidationKey(userFromKey);
    }

    public void validateOTP(String str, String str2, String str3) throws UserException {
        Users findByEmail = this.userFacade.findByEmail(str);
        if (findByEmail == null) {
            throw new UserException(RESTCodes.UserErrorCode.USER_DOES_NOT_EXIST, Level.FINE);
        }
        if (validatePassword(findByEmail, str2)) {
            validateOTP(findByEmail, str3);
        }
    }

    public void validateOTP(Users users, String str) throws UserException {
        try {
            int parseInt = Integer.parseInt(str);
            if (users == null) {
                throw new UserException(RESTCodes.UserErrorCode.USER_DOES_NOT_EXIST, Level.FINE, "User not found");
            }
            if (!checkCode(users.getSecret(), parseInt)) {
                throw new UserException(RESTCodes.UserErrorCode.INVALID_OTP, Level.FINE);
            }
        } catch (NumberFormatException e) {
            throw new UserException(RESTCodes.UserErrorCode.INVALID_OTP, Level.FINE, "OTP not an integer");
        }
    }

    private boolean checkCode(String str, int i) {
        byte[] decode = new Base32().decode(str);
        long currentTimeMillis = (System.currentTimeMillis() / 1000) / 30;
        for (int i2 = -2; i2 <= 2; i2++) {
            try {
                if (generateTOTP(decode, currentTimeMillis + i2) == i) {
                    return true;
                }
            } catch (InvalidKeyException | NoSuchAlgorithmException e) {
                return false;
            }
        }
        return false;
    }

    private static int generateTOTP(byte[] bArr, long j) throws NoSuchAlgorithmException, InvalidKeyException {
        byte[] bArr2 = new byte[8];
        long j2 = j;
        int i = 8;
        while (true) {
            int i2 = i;
            i--;
            if (i2 <= 0) {
                break;
            }
            bArr2[i] = (byte) j2;
            j2 >>>= 8;
        }
        SecretKeySpec secretKeySpec = new SecretKeySpec(bArr, "HmacSHA1");
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(secretKeySpec);
        int i3 = mac.doFinal(bArr2)[19] & 15;
        long j3 = 0;
        for (int i4 = 0; i4 < 4; i4++) {
            j3 = (j3 << 8) | (r0[i3 + i4] & 255);
        }
        return (int) ((j3 & 2147483647L) % Settings.JOB_LOGS_DISPLAY_SIZE);
    }

    public void checkRecoveryKey(String str) throws UserException {
        Users userFromKey = getUserFromKey(str);
        checkUserStatusAndKey(userFromKey, ValidationKeyType.PASSWORD, false);
        validate(userFromKey, str);
        userFromKey.setValidationKeyType(ValidationKeyType.PASSWORD_RESET);
        this.userFacade.update(userFromKey);
    }

    public Users validateRecoveryKey(String str, ValidationKeyType validationKeyType) throws UserException {
        Users userFromKey = getUserFromKey(str);
        checkUserStatusAndKey(userFromKey, validationKeyType, false);
        validate(userFromKey, str);
        return userFromKey;
    }

    public void resetValidationKey(Users users) {
        users.setValidationKey((String) null);
        users.setValidationKeyUpdated((Date) null);
        users.setValidationKeyType((ValidationKeyType) null);
        this.userFacade.update(users);
    }

    public void setValidationKey(Users users, String str, ValidationKeyType validationKeyType) {
        users.setValidationKey(str);
        users.setValidationKeyUpdated(new Timestamp(new Date().getTime()));
        users.setValidationKeyType(validationKeyType);
        this.userFacade.update(users);
    }

    private void checkUserStatusAndKey(Users users, ValidationKeyType validationKeyType, boolean z) throws UserException {
        checkUserStatus(users, z);
        if (users.getValidationKeyType() == null || !validationKeyType.equals(users.getValidationKeyType())) {
            throw new UserException(RESTCodes.UserErrorCode.INCORRECT_VALIDATION_KEY, Level.FINE);
        }
    }

    public void checkUserStatus(Users users, boolean z) throws UserException {
        if (users == null) {
            throw new UserException(RESTCodes.UserErrorCode.USER_WAS_NOT_FOUND, Level.FINE);
        }
        if (z) {
            this.userStatusValidator.checkNewUserStatus(users.getStatus());
            return;
        }
        try {
            this.userStatusValidator.checkStatus(users.getStatus());
        } catch (UserException e) {
            throw new UserException(RESTCodes.UserErrorCode.ACCOUNT_NOT_ACTIVE, Level.FINE, e.getErrorCode().getMessage());
        }
    }

    public void sendNewRecoveryValidationKey(Users users, String str, boolean z) throws MessagingException, UserException {
        this.passwordRecovery.sendRecoveryNotification(users, str, z, generateResetToken(users, z));
    }

    public CredentialsResetToken generateResetToken(Users users, boolean z) throws UserException {
        if (users == null) {
            throw new IllegalArgumentException("User not set.");
        }
        if (UserAccountType.REMOTE_ACCOUNT_TYPE.equals(users.getMode())) {
            throw new UserException(RESTCodes.UserErrorCode.USER_WAS_NOT_FOUND, Level.FINE);
        }
        if (users.getValidationKey() != null && users.getValidationKeyType() != null && users.getValidationKeyUpdated() != null) {
            if (users.getValidationKeyType().equals(z ? ValidationKeyType.PASSWORD : ValidationKeyType.QR_RESET) && diffMillis(users.getValidationKeyUpdated()) > TimeUnit.MINUTES.toMillis(5L)) {
                return CredentialsResetToken.of(users.getValidationKey(), diffMillis(users.getValidationKeyUpdated()));
            }
        }
        String generateSecureRandomString = this.securityUtils.generateSecureRandomString();
        setValidationKey(users, generateSecureRandomString, z ? ValidationKeyType.PASSWORD : ValidationKeyType.QR_RESET);
        return CredentialsResetToken.of(generateSecureRandomString, RESET_LINK_IN_HOURS);
    }

    public long diffMillis(Date date) {
        if (date == null) {
            return -1L;
        }
        return TimeUnit.HOURS.toMillis(24L) - (new Date().getTime() - date.getTime());
    }

    public void sendNewValidationKey(Users users, String str) throws MessagingException {
        if (users == null) {
            throw new IllegalArgumentException("User not set.");
        }
        String generateSecureRandomString = this.securityUtils.generateSecureRandomString();
        sendEmailValidationKey(users, generateSecureRandomString, str);
        setValidationKey(users, generateSecureRandomString, ValidationKeyType.EMAIL);
    }

    public void sendEmailValidationKey(Users users, String str, String str2) throws MessagingException {
        this.emailBean.sendEmail(users.getEmail(), Message.RecipientType.TO, UserAccountsEmailMessages.ACCOUNT_REQUEST_SUBJECT, UserAccountsEmailMessages.buildMobileRequestMessageRest(str2, users.getUsername() + this.securityUtils.urlEncode(str), diffMillis(users.getValidationKeyUpdated())));
    }

    public boolean isTwoFactorEnabled(Users users) {
        if (!users.getMode().equals(UserAccountType.M_ACCOUNT_TYPE)) {
            return false;
        }
        String twoFactorAuth = this.settings.getTwoFactorAuth();
        String twoFactorExclude = this.settings.getTwoFactorExclude();
        String str = twoFactorAuth != null ? twoFactorAuth : KafkaConst.KAFKA_ENDPOINT_IDENTIFICATION_ALGORITHM;
        String str2 = twoFactorExclude != null ? twoFactorExclude : KafkaConst.KAFKA_ENDPOINT_IDENTIFICATION_ALGORITHM;
        for (String str3 : !str2.isEmpty() ? str2.split(";") : new String[0]) {
            if (isUserInRole(users, str3)) {
                return false;
            }
        }
        if (str.equals(Settings.TwoFactorMode.MANDATORY.getName())) {
            return true;
        }
        return str.equals(Settings.TwoFactorMode.OPTIONAL.getName()) && users.getTwoFactor();
    }

    public boolean isTwoFactorEnabled() {
        String twoFactorAuth = this.settings.getTwoFactorAuth();
        String str = twoFactorAuth != null ? twoFactorAuth : KafkaConst.KAFKA_ENDPOINT_IDENTIFICATION_ALGORITHM;
        return str.equals(Settings.TwoFactorMode.MANDATORY.getName()) || str.equals(Settings.TwoFactorMode.OPTIONAL.getName());
    }

    public boolean isTwoFactorEnabled(boolean z) {
        String twoFactorAuth = this.settings.getTwoFactorAuth();
        String str = twoFactorAuth != null ? twoFactorAuth : KafkaConst.KAFKA_ENDPOINT_IDENTIFICATION_ALGORITHM;
        return str.equals(Settings.TwoFactorMode.MANDATORY.getName()) || (str.equals(Settings.TwoFactorMode.OPTIONAL.getName()) && z);
    }

    @TransactionAttribute(TransactionAttributeType.REQUIRED)
    public void changePassword(Users users, Secret secret) {
        String password = users.getPassword();
        users.setPassword(secret.getSha256HexDigest());
        users.setSalt(secret.getSalt());
        users.setPasswordChanged(new Timestamp(new Date().getTime()));
        this.userFacade.update(users);
        resetProjectCertPassword(users, password);
    }

    @TransactionAttribute(TransactionAttributeType.REQUIRED)
    public void changeUserPasswordAsAdmin(Users users, Secret secret) {
        changePassword(users, secret);
    }

    public String getPasswordPlusSalt(String str, String str2) {
        return str + str2;
    }

    private void resetProjectCertPassword(Users users, String str) {
        try {
            Iterator<Project> it = this.projectFacade.findAllMemberStudies(users).iterator();
            while (it.hasNext()) {
                UserCerts findUserCert = this.userCertsFacade.findUserCert(it.next().getName(), users.getUsername());
                String masterEncryptionPassword = this.certificatesMgmService.getMasterEncryptionPassword();
                findUserCert.setUserKeyPwd(HopsUtils.encrypt(users.getPassword(), HopsUtils.decrypt(str, findUserCert.getUserKeyPwd(), masterEncryptionPassword), masterEncryptionPassword));
                this.userCertsFacade.update(findUserCert);
            }
        } catch (Exception e) {
            LOGGER.log(Level.SEVERE, (String) null, (Throwable) e);
            throw new EJBException(e);
        }
    }

    public void registerFalseLogin(Users users) {
        if (users != null) {
            int falseLogin = users.getFalseLogin() + 1;
            users.setFalseLogin(falseLogin);
            if (falseLogin > (isUserAgent(users) ? 20 : 5)) {
                users.setStatus(UserAccountStatus.BLOCKED_ACCOUNT);
                try {
                    this.emailBean.sendEmail(users.getEmail(), Message.RecipientType.TO, UserAccountsEmailMessages.ACCOUNT_BLOCKED__SUBJECT, UserAccountsEmailMessages.accountBlockedMessage());
                } catch (MessagingException e) {
                    LOGGER.log(Level.SEVERE, "Failed to send email. ", e);
                }
            }
            this.userFacade.update(users);
        }
    }

    private boolean isUserAgent(Users users) {
        return isUserInRole(users, "AGENT");
    }

    public void registerFalseKeyValidation(Users users) {
        if (users != null) {
            int falseLogin = users.getFalseLogin() + 1;
            users.setFalseLogin(falseLogin);
            if (falseLogin > 5) {
                users.setStatus(UserAccountStatus.SPAM_ACCOUNT);
            }
            this.userFacade.update(users);
        }
    }

    public void registerLogin(Users users) {
        resetFalseLogin(users);
        setUserOnlineStatus(users, 1);
        LOGGER.log(Level.FINEST, "Logged in user: {0}. ", users.getEmail());
    }

    public void registerLogin(Users users, HttpServletRequest httpServletRequest) {
        String extractRemoteHostIp = HttpUtil.extractRemoteHostIp(httpServletRequest);
        String extractUserAgent = HttpUtil.extractUserAgent(httpServletRequest);
        registerLogin(users);
        this.accountAuditFacade.registerLoginInfo(users, "LOGIN", "SUCCESS", extractRemoteHostIp, extractUserAgent);
    }

    public void registerLogout(Users users) {
        setUserOnlineStatus(users, 0);
        LOGGER.log(Level.FINEST, "Logged out user: {0}. ", users.getEmail());
    }

    public void registerAuthenticationFailure(Users users) {
        registerFalseLogin(users);
        LOGGER.log(Level.FINEST, "Authentication failure user: {0}. ", users.getEmail());
    }

    public void resetFalseLogin(Users users) {
        if (users != null) {
            users.setFalseLogin(0);
            this.userFacade.update(users);
        }
    }

    private void setUserOnlineStatus(Users users, int i) {
        if (users != null) {
            users.setIsonline(i);
            this.userFacade.update(users);
        }
    }

    private boolean isUserInRole(Users users, String str) {
        BbcGroup findByGroupName;
        if (users == null || str == null || (findByGroupName = this.bbcGroupFacade.findByGroupName(str)) == null) {
            return false;
        }
        return users.getBbcGroupCollection().contains(findByGroupName);
    }
}
