package com.evolveum.midpoint.authentication.impl.provider;

import com.duosecurity.Client;
import com.duosecurity.model.Token;
import com.evolveum.midpoint.authentication.api.AuthenticationChannel;
import com.evolveum.midpoint.authentication.impl.module.authentication.token.DuoRequestToken;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.nimbusds.jose.jwk.JWK;
import java.util.List;
import java.util.function.Function;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/* loaded from: input_file:BOOT-INF/lib/authentication-impl-4.9.3.jar:com/evolveum/midpoint/authentication/impl/provider/DuoProvider.class */
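/**
 * Authentication provider for the Duo second-factor module.
 *
 * <p>Exchanges the Duo authorization code carried by a {@link DuoRequestToken} for a Duo result
 * {@link Token}, accepts the login only when Duo reports {@code ALLOW}, and then builds the
 * pre-authenticated midPoint token for the username the first factor already resolved.
 */
public class DuoProvider extends RemoteModuleProvider {
    private static final Trace LOGGER = TraceManager.getTrace((Class<?>) DuoProvider.class);

    /** Duo Web SDK client used for the authorization-code exchange. */
    private final Client duoClient;

    /** Not read by any method in this class; kept as-is so the field layout is unchanged. */
    private Function<ClientRegistration, JWK> jwkResolver;

    public DuoProvider(Client client) {
        this.duoClient = client;
    }

    /**
     * Completes the Duo second factor for an already-identified user.
     *
     * <p>Failure handling is split in two: an {@link AuthenticationException} (a Duo deny, or a
     * failure while resolving the midPoint principal) is audited and propagated unchanged, so the
     * caller can tell a rejected login from a broken provider; any other exception (Duo client
     * errors, unexpected token types) is audited and reported as the provider being unavailable.
     *
     * @param authentication the {@link DuoRequestToken} carrying the Duo authorization code; its
     *     name is the username established by the preceding module
     * @param list forwarded to {@code getPreAuthenticationToken}
     * @param authenticationChannel forwarded to {@code getPreAuthenticationToken}
     * @param cls forwarded to {@code getPreAuthenticationToken}
     * @return the pre-authenticated token for the user, with the Duo result attached to the
     *     request token as its details
     * @throws AuthenticationServiceException if the username is missing, Duo did not answer
     *     {@code ALLOW}, or the Duo exchange failed
     * @throws AuthenticationException if building the pre-authenticated token fails
     */
    @Override // com.evolveum.midpoint.authentication.impl.provider.AbstractAuthenticationProvider
    protected Authentication internalAuthentication(Authentication authentication, List list, AuthenticationChannel authenticationChannel, Class cls) throws AuthenticationException {
        String name = authentication.getName();
        if (name == null) {
            LOGGER.error("Couldn't get principal username for duo module");
            throw new AuthenticationServiceException("web.security.provider.unavailable");
        }
        try {
            // supports() only admits DuoRequestToken; a wrong type surfaces as ClassCastException
            // and is audited and wrapped by the catch-all below.
            DuoRequestToken duoToken = (DuoRequestToken) authentication;
            Token duoResult = this.duoClient.exchangeAuthorizationCodeFor2FAResult(duoToken.getDuoCode(), name);
            if (!isAuthSuccessful(duoResult)) {
                // Fail closed: anything other than an explicit ALLOW is a deny.
                throw new AuthenticationServiceException("Duo authentication is deny");
            }
            PreAuthenticatedAuthenticationToken preAuthenticationToken = getPreAuthenticationToken(name, cls, list, authenticationChannel);
            duoToken.setDetails(duoResult);
            LOGGER.debug("User '{}' authenticated ({}), authorities: {}", authentication.getPrincipal(), authentication.getClass().getSimpleName(), ((MidPointPrincipal) preAuthenticationToken.getPrincipal()).getAuthorities());
            return preAuthenticationToken;
        } catch (AuthenticationException e) {
            // Genuine authentication failure: audit it and rethrow as-is. Previously this was
            // re-caught by the catch-all and re-wrapped as "unavailable", which made a Duo deny
            // indistinguishable from a Duo outage.
            getAuditProvider().auditLoginFailure(null, null, createConnectEnvironment(getChannel()), e.getMessage());
            LOGGER.debug("Authentication with duo module failed: {}", e.getMessage());
            throw e;
        } catch (Exception e) {
            getAuditProvider().auditLoginFailure(null, null, createConnectEnvironment(getChannel()), e.getMessage());
            LOGGER.debug("Unexpected exception in duo module", (Throwable) e);
            throw new AuthenticationServiceException("web.security.provider.unavailable", e);
        }
    }

    /**
     * Returns whether the Duo result token is an explicit {@code ALLOW}.
     *
     * @param token the Duo result, may be {@code null}
     * @return {@code true} only when the token has an auth result whose status equals
     *     {@code ALLOW} ignoring case; {@code false} for a missing token, missing result, or any
     *     other status
     */
    private boolean isAuthSuccessful(Token token) {
        if (token == null || token.getAuth_result() == null) {
            return false;
        }
        return "ALLOW".equalsIgnoreCase(token.getAuth_result().getStatus());
    }

    /**
     * Reports support for exactly {@link DuoRequestToken} (subclasses are not accepted).
     *
     * @param cls the authentication token class being offered
     * @return {@code true} iff {@code cls} is {@code DuoRequestToken.class}
     */
    @Override // org.springframework.security.authentication.AuthenticationProvider
    public boolean supports(Class cls) {
        return DuoRequestToken.class.equals(cls);
    }
}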
