package com.worklight.core.auth.ext;

import com.ibm.json.java.JSONObject;
import com.worklight.common.log.WorklightLogger;
import com.worklight.common.log.WorklightServerLogger;
import com.worklight.common.type.DeploymentData;
import com.worklight.console.application.Services;
import com.worklight.core.auth.impl.AuthenticationContext;
import com.worklight.core.auth.impl.MobileClientData;
import com.worklight.core.auth.impl.SecurityEntry;
import com.worklight.gadgets.GadgetRuntimeException;
import com.worklight.gadgets.api.GadgetAPIRequestCoder;
import com.worklight.gadgets.bean.GadgetApplication;
import com.worklight.gadgets.utils.GadgetUtils;
import com.worklight.server.auth.api.AuthenticationResult;
import com.worklight.server.auth.api.AuthenticationStatus;
import com.worklight.server.auth.api.UserIdentity;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang.StringUtils;
import org.springframework.web.util.WebUtils;

/* loaded from: input_file:com/worklight/core/auth/ext/AuthenticityAuthenticator.class */
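/**
 * Challenge/response authenticator for the application-authenticity check.
 *
 * <p>On a request that carries no challenge response, a fresh challenge is generated, stored in the
 * HTTP session and sent to the client. On a request that carries a response, the response, the
 * stored challenge and the application's shared data are copied into the authentication data map.
 *
 * <p>NOTE(review): this class does not verify the response itself; it returns SUCCESS as soon as a
 * response and a stored challenge are both present. Verification is presumably done by the login
 * module that consumes {@link #getAuthenticationData()}; confirm against the realm configuration.
 *
 * <p>NOTE(review): the instance caches per-client state (origin application, device realm,
 * authentication data), so it must not be shared between sessions; confirm how the framework
 * creates or copies authenticator instances.
 */
public class AuthenticityAuthenticator extends WorklightProtocolAuthenticator {
    private static final WorklightServerLogger logger = new WorklightServerLogger(AuthenticityAuthenticator.class, WorklightLogger.MessagesBundles.CORE);
    // Key under which the challenge is placed in the JSON sent back to the client.
    private static final String CHALLENGE_DATA_HEADER_NAME = "WL-Challenge-Data";
    // Session attribute name and authentication-data key of the server-generated challenge.
    public static final String ATTRIBUTE_CHALLENGE_DATA = "challengeData";
    // Authentication-data key of the client's challenge response.
    public static final String RESPONSE_DATA_KEY = "challengeResponse";
    // Authentication-data key of the application's authenticity shared data.
    public static final String PUB_KEY_PARAM = "publicKey";
    // Set when the application's authenticity mode is anything other than ENABLED.
    static final String BYPASS_AUTHENTICITY_FLAG = "ignoreAuthenticity";
    // Set in addition to the bypass flag when the authenticity mode is IGNORED.
    static final String WARN_AUTHENTICITY_FLAG = "warnOfBadAuthenticity";
    // Authentication-data key of the request's path info.
    static final String REQ_PATH = "reqPath";
    private Map<String, Object> authData = new HashMap<String, Object>(1);
    private String originAppName = null;
    private String originAppVersion = null;
    private String currentDeviceRealm = null;

    /**
     * Runs one step of the challenge/response exchange.
     *
     * @param httpServletRequest the incoming request; it identifies the application and may carry
     *     the challenge response
     * @param httpServletResponse not used by this implementation
     * @param z not used by this implementation
     * @return SUCCESS when a response and a stored challenge are both present,
     *     CLIENT_INTERACTION_REQUIRED with a new challenge when no response was sent, and a
     *     failure result when a response arrives without a stored challenge or any step throws
     */
    @Override
    public AuthenticationResult processRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, boolean z) throws IOException, ServletException {
        JSONObject jSONObject = new JSONObject();
        try {
            GadgetApplication gadgetApplicationFrom = GadgetUtils.getGadgetApplicationFrom(GadgetAPIRequestCoder.decodeGadgetRequestInfo(httpServletRequest));
            DeploymentData deploymentData = gadgetApplicationFrom.getDeploymentData();
            if (this.currentDeviceRealm == null) {
                // Remember which application this authenticator was first used for;
                // processRequestAlreadyAuthenticated compares later requests against it.
                SecurityEntry deviceRealm = AuthenticationContext.getCurrentResource().getDeviceRealm();
                if (deviceRealm != null) {
                    this.currentDeviceRealm = deviceRealm.getName();
                }
                this.originAppVersion = deploymentData.getVersion();
                this.originAppName = deploymentData.getApplicationId();
            }
            // May be null: no session is created here.
            HttpSession session = httpServletRequest.getSession(false);

            // Recompute both flags on every request. The map outlives a single request, so a
            // flag that is only ever added would keep signalling "bypass" after the application's
            // mode has been switched to ENABLED.
            // equals() is called on the mode so that a null mode still throws and fails the
            // request instead of being treated as "not enabled".
            if (gadgetApplicationFrom.getAuthenticityMode().equals(GadgetApplication.AuthenticityMode.ENABLED)) {
                this.authData.remove(BYPASS_AUTHENTICITY_FLAG);
                this.authData.remove(WARN_AUTHENTICITY_FLAG);
            } else {
                this.authData.put(BYPASS_AUTHENTICITY_FLAG, Boolean.TRUE);
                if (gadgetApplicationFrom.getAuthenticityMode().equals(GadgetApplication.AuthenticityMode.IGNORED)) {
                    this.authData.put(WARN_AUTHENTICITY_FLAG, Boolean.TRUE);
                } else {
                    this.authData.remove(WARN_AUTHENTICITY_FLAG);
                }
            }
            this.authData.put(REQ_PATH, httpServletRequest.getPathInfo());

            String str = (String) getChallengeResponse(httpServletRequest);
            String challengeAttribute = getChallengeAttribute(session);
            String authenticitySharedData = deploymentData.getAuthenticitySharedData();
            if (StringUtils.isEmpty(authenticitySharedData)) {
                throw new GadgetRuntimeException("missing shared data required for authenticity test");
            }
            if (str != null && challengeAttribute == null) {
                // A response without a challenge issued in this session is rejected.
                logger.info("processRequest", "logger.clientFailedRespond", new Object[0]);
                return AuthenticationResult.createFailureResult(jSONObject, logger.getFormatter().format("logger.clientFailedRespond", new Object[0]));
            }
            if (str != null && challengeAttribute != null) {
                // NOTE(review): the challenge stays in the session after it has been answered,
                // so the same value remains valid until a new challenge replaces it. Consider
                // removing the attribute once the response has been collected, after confirming
                // that nothing else reads it from the session afterwards.
                updateAuthData(str, challengeAttribute, authenticitySharedData);
                return AuthenticationResult.createFrom(AuthenticationStatus.SUCCESS);
            }
            addChallangeData(httpServletRequest, deploymentData, jSONObject);
            AuthenticationResult createFrom = AuthenticationResult.createFrom(AuthenticationStatus.CLIENT_INTERACTION_REQUIRED);
            createFrom.setJson(jSONObject);
            return createFrom;
        } catch (Exception e) {
            // The request is failed here, not skipped; log what went wrong so the failure can be
            // diagnosed from the server log.
            logger.debug("processRequest", "Authenticity check failed: " + e);
            // NOTE(review): the exception message is returned to the client as the failure
            // reason; confirm that no internal detail can reach it this way.
            return AuthenticationResult.createFailureResult(jSONObject, e.getLocalizedMessage());
        }
    }

    /**
     * Stores the collected values in the authentication data map.
     *
     * @param str the client's challenge response
     * @param str2 the challenge stored in the session
     * @param str3 the application's authenticity shared data
     */
    private void updateAuthData(String str, String str2, String str3) {
        this.authData.put(RESPONSE_DATA_KEY, str);
        this.authData.put(ATTRIBUTE_CHALLENGE_DATA, str2);
        this.authData.put(PUB_KEY_PARAM, str3);
    }

    /**
     * Checks that an already authenticated session still belongs to the application it started with.
     *
     * @return a failure result when the application id or version of the device-realm identity
     *     differs from the one recorded by {@code processRequest}; REQUEST_NOT_RECOGNIZED otherwise,
     *     including when no device realm is known or it has no identity yet
     * @throws RuntimeException if the identity carries no mobile client data or no application
     */
    @Override
    public AuthenticationResult processRequestAlreadyAuthenticated(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServletException {
        JSONObject jSONObject = new JSONObject();
        AuthenticationResult createFrom = AuthenticationResult.createFrom(AuthenticationStatus.REQUEST_NOT_RECOGNIZED);
        if (this.currentDeviceRealm != null) {
            UserIdentity identity = Services.getAuthService().getIdentity(this.currentDeviceRealm);
            if (identity != null) {
                MobileClientData mobileClientDataFromUserIdentity = MobileClientData.getMobileClientDataFromUserIdentity(identity);
                if (mobileClientDataFromUserIdentity == null || mobileClientDataFromUserIdentity.getApplication() == null) {
                    throw new RuntimeException("mobile data is malformed");
                }
                Application application = mobileClientDataFromUserIdentity.getApplication();
                String id = application.getID();
                String version = application.getVersion();
                logger.debug("processRequestAlreadyAuthenticated", "processRequestAlreadyAuthenticated found:ver=" + version + " appName=" + id);
                // Null-safe comparison: a missing recorded version or name must produce a
                // mismatch (failure), not a NullPointerException.
                if (!StringUtils.equals(this.originAppVersion, version) || !StringUtils.equals(this.originAppName, id)) {
                    createFrom = AuthenticationResult.createFailureResult(jSONObject, "processRequestAlreadyAuthenticated found different application");
                }
            } else {
                logger.debug("processRequestAlreadyAuthenticated", "can't validate authenticated session since device realm is not yet authenticated");
            }
        } else {
            logger.debug("processRequestAlreadyAuthenticated", "can't validate authenticated session since device realm was not defined");
        }
        return createFrom;
    }

    /**
     * Returns the live authentication data map (not a copy), holding the bypass/warn flags, the
     * request path and, once collected, the challenge, the response and the shared data.
     */
    @Override
    public Map<String, Object> getAuthenticationData() {
        return this.authData;
    }

    /** Always returns a failure result with the reason "forbidden state"; the arguments are unused. */
    @Override
    public AuthenticationResult processAuthenticationFailure(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) throws IOException, ServletException {
        return AuthenticationResult.createFailureResult(new JSONObject(), "forbidden state");
    }

    /**
     * Generates a new challenge, stores it in the session (creating the session if needed) and puts
     * {@code challenge + "+" + authenticityObscureData} into the JSON for the client.
     */
    void addChallangeData(HttpServletRequest httpServletRequest, DeploymentData deploymentData, JSONObject jSONObject) throws IOException, ServletException {
        jSONObject.put(CHALLENGE_DATA_HEADER_NAME, generateChallengeAttribute(httpServletRequest.getSession()) + "+" + deploymentData.getAuthenticityObscureData());
    }

    /**
     * Reads the challenge stored in the session.
     *
     * @param httpSession the current session, or {@code null} when the request has none
     * @return the stored challenge, or {@code null} when there is no session or no challenge
     */
    public static String getChallengeAttribute(HttpSession httpSession) {
        if (httpSession == null) {
            // No session means no challenge was issued; callers pass getSession(false) here.
            return null;
        }
        synchronized (WebUtils.getSessionMutex(httpSession)) {
            return (String) httpSession.getAttribute(ATTRIBUTE_CHALLENGE_DATA);
        }
    }

    /**
     * Generates a challenge with the login module's scheme and stores it in the session under the
     * session mutex, replacing any previous challenge.
     */
    private static String generateChallengeAttribute(HttpSession httpSession) {
        synchronized (WebUtils.getSessionMutex(httpSession)) {
            String generateChallenge = AuthenticityLoginModule.getSCHEME().generateChallenge();
            httpSession.setAttribute(ATTRIBUTE_CHALLENGE_DATA, generateChallenge);
            return generateChallenge;
        }
    }
}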
