package com.worklight.core.auth.ext;

import com.ibm.json.java.JSONObject;
import com.worklight.common.log.WorklightLogger;
import com.worklight.common.log.WorklightServerLogger;
import com.worklight.core.auth.WLKeyStoreManager;
import com.worklight.core.auth.impl.CertificateGenerator;
import com.worklight.core.auth.impl.DevicePublicKeyJWS;
import com.worklight.core.auth.impl.JWSAuthenticationValidationException;
import com.worklight.core.auth.impl.LoginConfigurationService;
import com.worklight.core.util.RssBrokerUtils;
import com.worklight.gadgets.api.GadgetAPIRequestCoder;
import com.worklight.gadgets.serving.VitalityServlet;
import com.worklight.server.auth.api.AuthenticationResult;
import com.worklight.server.auth.api.AuthenticationStatus;
import com.worklight.server.auth.api.MissingConfigurationOptionException;
import com.worklight.server.bundle.api.WorklightConfiguration;
import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.SignatureException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.StringUtils;

/* loaded from: input_file:com/worklight/core/auth/ext/DeviceAutoProvisioningAuthenticator.class */
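/**
 * Device authenticator that provisions device certificates on demand.
 *
 * <p>Two kinds of challenge response are accepted (see
 * {@link #checkChallangeResponse}): a response carrying a {@code CSR} (a JWS
 * that contains the device public key and identifying claims) is answered with
 * a certificate for that device signed by the configured CA key, and a response
 * carrying an {@code ID} token is passed to {@code checkToken} for validation.
 *
 * <p>The CA certificate and private key are loaded once in {@link #init} from
 * the {@code CA_KEYSTORE} managed by {@link WLKeyStoreManager}, using the alias
 * and password given by the {@code wl.ca.key.alias} and
 * {@code wl.ca.key.alias.password} configuration properties.
 */
public class DeviceAutoProvisioningAuthenticator extends DeviceWithProvisioningAuthenticator {
    /** Configuration property naming the CA key entry in the CA keystore. */
    private static final String CA_KEY_ALIAS_PROPERTY = "wl.ca.key.alias";
    /** Configuration property holding the password of the CA key entry. */
    private static final String CA_KEY_PASSWORD_PROPERTY = "wl.ca.key.alias.password";

    /** CA certificate used as issuer of the device certificates (set in {@link #init}). */
    private X509Certificate caCertificate;
    /** CA private key used to sign the device certificates (set in {@link #init}). */
    private PrivateKey caPrivateKey;
    /** The most recently issued device certificate; written by {@link #handleCSR}. */
    private X509Certificate deviceCertificate;

    // Claim names read from the CSR payload.
    private static final String APPLICATION_ID = "applicationId";
    private static final String GROUP_ID = "groupId";
    private static final String DEVICE_ID = "deviceId";
    /** Key of the CSR in the challenge response. */
    protected static final String CSR_PARAM_NAME = "CSR";
    /** Key under which the certificate is returned to the client and stored in the authentication data. */
    public static final String CERTIFICATE = "certificate";
    /** Entity type this authenticator provisions; passed to the superclass on {@link #init}. */
    protected String entityString = VitalityServlet.APPLICATION;
    /** Realms that must be authenticated before this one; passed to the superclass on {@link #init}. */
    protected String preRequiredRealms = LoginConfigurationService.DEFAULT_AUTHENTICITY_REALM;
    private static final WorklightServerLogger logger = new WorklightServerLogger(DeviceAutoProvisioningAuthenticator.class, WorklightLogger.MessagesBundles.CORE);

    /**
     * Initializes the superclass and loads the CA certificate and private key.
     *
     * @param map authenticator options; the provisioned-entity and
     *     pre-required-realms options are set here before the superclass reads them
     * @throws MissingConfigurationOptionException propagated from the superclass
     * @throws IllegalStateException if the CA alias or password property is not configured
     * @throws IllegalArgumentException if the CA keystore cannot be queried
     * @throws RuntimeException if the CA certificate or key cannot be obtained
     *     (missing alias, wrong password, unsupported algorithm)
     */
    @Override // com.worklight.core.auth.ext.DeviceWithProvisioningAuthenticator, com.worklight.core.auth.ext.WorklightProtocolAuthenticator
    public void init(Map<String, String> map) throws MissingConfigurationOptionException {
        // This subclass fixes the entity type and the prerequisite realms, so they
        // are injected into the options before super.init() consumes them.
        map.put(DeviceWithProvisioningAuthenticator.PROVISIONED_ENTITY_PARAM_NAME, this.entityString);
        map.put("pre-required-realms", this.preRequiredRealms);
        super.init(map);

        WorklightConfiguration configuration = WorklightConfiguration.getInstance();
        String caKeyAlias = configuration.getStringProperty(CA_KEY_ALIAS_PROPERTY);
        String caKeyPassword = configuration.getStringProperty(CA_KEY_PASSWORD_PROPERTY);
        // Fail with a clear message rather than a NullPointerException on toCharArray()
        // when the configuration is incomplete.
        if (caKeyAlias == null) {
            throw new IllegalStateException("Missing configuration property " + CA_KEY_ALIAS_PROPERTY);
        }
        if (caKeyPassword == null) {
            throw new IllegalStateException("Missing configuration property " + CA_KEY_PASSWORD_PROPERTY);
        }
        try {
            WLKeyStoreManager keyStoreManager = (WLKeyStoreManager) RssBrokerUtils.getBeanFactory().getBean(WLKeyStoreManager.BEAN_ID);
            KeyStore caKeyStore = keyStoreManager.getKeyStore(WLKeyStoreManager.WLKeystoreType.CA_KEYSTORE);
            this.caCertificate = (X509Certificate) caKeyStore.getCertificate(caKeyAlias);
            // KeyStore.getCertificate returns null for an unknown alias; without this
            // check the failure would only surface later when a CSR is processed.
            if (this.caCertificate == null) {
                throw new RuntimeException("Unable to extract CA certificate from supplied keystore, alias is missing or invalid");
            }
            this.caPrivateKey = (PrivateKey) caKeyStore.getKey(caKeyAlias, caKeyPassword.toCharArray());
            if (this.caPrivateKey == null) {
                throw new RuntimeException("Unable to extract private key from supplied keystore, alias is missing or invalid");
            }
        } catch (KeyStoreException e) {
            throw new IllegalArgumentException("Illegal keystoreType defined in authentication configuration", e);
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        } catch (UnrecoverableKeyException e) {
            logger.debug(e, GadgetAPIRequestCoder.REQ_PATH_INIT, "");
            // Keep the cause so the real keystore error is available to whoever handles this.
            throw new RuntimeException("Unable to recover key, most commonly caused by using an incorrect alias password", e);
        }
    }

    /**
     * Dispatches a challenge response either to token validation or to CSR handling.
     *
     * <p>A response containing {@code ID} is validated with {@code checkToken}; on
     * success the token and the CA certificate are recorded in
     * {@code authenticationData}. A response containing {@code CSR} is handled by
     * {@link #handleCSR} if provisioning is currently allowed. Anything else is a
     * failure.
     *
     * @param obj the parsed challenge response; must be a {@link JSONObject}
     * @param httpServletResponse the servlet response, forwarded to {@link #handleCSR}
     * @return the authentication result; never {@code null}
     * @throws IOException propagated from the superclass contract
     */
    @Override // com.worklight.core.auth.ext.DeviceAuthenticator
    protected AuthenticationResult checkChallangeResponse(Object obj, HttpServletResponse httpServletResponse) throws IOException {
        if (!(obj instanceof JSONObject)) {
            return AuthenticationResult.createFailureResult(new JSONObject(), "Challenge response is malformed. Expected JSON.");
        }
        JSONObject response = (JSONObject) obj;

        if (response.containsKey("ID")) {
            Object token = response.get("ID");
            AuthenticationResult result = checkToken(token);
            if (result.getStatus() == AuthenticationStatus.SUCCESS) {
                this.authenticationData.put("ID", token);
                // NOTE(review): this stores the CA certificate, not the device
                // certificate issued in handleCSR — confirm that is the intent.
                this.authenticationData.put(CERTIFICATE, this.caCertificate);
            }
            return result;
        }

        if (!response.containsKey(CSR_PARAM_NAME)) {
            return AuthenticationResult.createFailureResult(new JSONObject(), "Challenge response is malformed. Missing expected keys.");
        }
        if (!isProvisioningAllowed()) {
            return AuthenticationResult.createFailureResult(new JSONObject(), "Provisioning is not allowed at this time");
        }
        // The response is client-supplied: reject a non-string CSR instead of
        // letting an unchecked cast escape as a ClassCastException.
        Object csr = response.get(CSR_PARAM_NAME);
        if (!(csr instanceof String)) {
            return AuthenticationResult.createFailureResult(new JSONObject(), "Challenge response is malformed. Expected CSR string.");
        }
        return handleCSR((String) csr, httpServletResponse);
    }

    /**
     * Issues a device certificate for a CSR and returns it in a new challenge.
     *
     * <p>The CSR is a JWS carrying the device public key; its payload supplies
     * {@code deviceId} and, depending on the provisioned entity type,
     * {@code applicationId} or {@code groupId}. These build the certificate
     * subject ({@code UID=<deviceId>, DC=<applicationId|groupId>}), which is then
     * signed with the CA key. The Base64-encoded certificate is added to the new
     * challenge under {@link #CERTIFICATE}.
     *
     * @param csr the JWS string supplied by the client
     * @param httpServletResponse the servlet response (currently unused)
     * @return a new challenge carrying the certificate, or a failure result if the
     *     CSR is invalid, a required claim is missing, or certificate generation fails
     */
    private AuthenticationResult handleCSR(String csr, HttpServletResponse httpServletResponse) {
        try {
            DevicePublicKeyJWS jws = new DevicePublicKeyJWS(csr);
            JSONObject payload = jws.getJwsParts().payload;
            // Claims are read defensively: a non-string value is treated as absent
            // so malformed input yields a failure result rather than an exception.
            String deviceId = stringClaim(payload, DEVICE_ID);
            String applicationId = stringClaim(payload, APPLICATION_ID);
            String groupId = stringClaim(payload, GROUP_ID);

            if (StringUtils.isEmpty(deviceId)) {
                return failure("missing deviceId from csr");
            }
            // NOTE(review): the subject DN is assembled from claims the device itself
            // supplied, with no escaping of DN special characters; whether that can
            // alter the parsed subject depends on how CertificateGenerator parses
            // this string — confirm against that implementation.
            StringBuilder subject = new StringBuilder("UID=").append(deviceId);
            // No default branch: for any other entity type the subject is UID only,
            // matching the original behaviour.
            switch (this.entity.getType()) {
                case APPLICATION:
                    if (StringUtils.isEmpty(applicationId)) {
                        return failure("missing applicationId from csr");
                    }
                    subject.append(", DC=").append(applicationId);
                    break;
                case GROUP:
                    if (StringUtils.isEmpty(groupId)) {
                        return failure("missing groupId from csr");
                    }
                    subject.append(", DC=").append(groupId);
                    break;
            }

            this.deviceCertificate = CertificateGenerator.generateCertificate(jws.getPublicKey(), subject.toString(), this.caCertificate, this.caPrivateKey);
            String encodedCertificate = Base64.encodeBase64String(this.deviceCertificate.getEncoded());
            AuthenticationResult challenge = createNewChallenge();
            challenge.getJson().put(CERTIFICATE, encodedCertificate);
            return challenge;
        } catch (JWSAuthenticationValidationException e) {
            return failure(e.getMessage());
        } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException
                | SignatureException | CertificateEncodingException e) {
            // NOTE(review): the exception text of the crypto layer is returned to the
            // client verbatim; a generic message plus server-side logging would
            // reveal less about the server configuration.
            return failure(e.getMessage());
        }
    }

    /**
     * Returns the string value of {@code key} in {@code json}, or {@code null}
     * if the key is absent or its value is not a string.
     */
    private static String stringClaim(JSONObject json, String key) {
        Object value = json.get(key);
        return value instanceof String ? (String) value : null;
    }

    /** Builds a failure result with an empty JSON body and the given message. */
    private static AuthenticationResult failure(String message) {
        return AuthenticationResult.createFailureResult(new JSONObject(), message);
    }
}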
