package net.unicon.cas.addons.authentication.strong.yubikey;

import com.yubico.client.v2.YubicoClient;
import com.yubico.client.v2.YubicoResponse;
import com.yubico.client.v2.YubicoResponseStatus;
import org.jasig.cas.authentication.handler.AuthenticationException;
import org.jasig.cas.authentication.handler.BadUsernameOrPasswordAuthenticationException;
import org.jasig.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler;
import org.jasig.cas.authentication.principal.UsernamePasswordCredentials;
import org.springframework.beans.factory.InitializingBean;

/* loaded from: input_file:WEB-INF/lib/cas-addons-1.16.jar:net/unicon/cas/addons/authentication/strong/yubikey/YubiKeyAuthenticationHandler.class */
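/**
 * CAS authentication handler that treats the submitted password as a YubiKey one-time
 * password (OTP) and validates it through a {@link YubicoClient}.
 *
 * <p>Authentication succeeds only when all three checks pass, in this order:
 * <ol>
 *   <li>the submitted value has a valid OTP format,</li>
 *   <li>the {@link YubiKeyAccountRegistry} confirms that the OTP's public id is registered
 *       for the submitted username, and</li>
 *   <li>the validation client reports {@link YubicoResponseStatus#OK}.</li>
 * </ol>
 *
 * <p><strong>Security note:</strong> the two-argument constructor installs an accept-any
 * registry, which disables check 2. In that configuration the handler no longer ties a
 * YubiKey to a specific account. It is an example configuration only;
 * {@link #afterPropertiesSet()} logs a warning when it is active.
 */
public class YubiKeyAuthenticationHandler extends AbstractUsernamePasswordAuthenticationHandler implements InitializingBean {
    /** Decides whether a given YubiKey public id belongs to a given username. */
    private final YubiKeyAccountRegistry registry;

    /** Client used to submit the OTP for validation. */
    private final YubicoClient client;

    /**
     * Example registry that reports every YubiKey as registered for every user.
     * It performs no account binding at all and must not be used in production.
     */
    private static final class AcceptAnyYubiKeyAccountRegistry implements YubiKeyAccountRegistry {
        private AcceptAnyYubiKeyAccountRegistry() {
        }

        /**
         * @param str  the username (ignored)
         * @param str2 the YubiKey public id (ignored)
         * @return always {@code true}
         */
        @Override
        public boolean isYubiKeyRegisteredFor(String str, String str2) {
            return true;
        }
    }

    /**
     * Creates a handler with the example accept-any registry.
     *
     * <p>With this constructor no user-to-device binding is enforced. Use the three-argument
     * constructor with a real registry for any deployment that matters.
     *
     * @param num the client id passed to {@link YubicoClient#getClient(Integer)}
     * @param str the key set on the validation client
     */
    public YubiKeyAuthenticationHandler(Integer num, String str) {
        this(num, str, new AcceptAnyYubiKeyAccountRegistry());
    }

    /**
     * Creates a handler that enforces the given account registry.
     *
     * @param num                    the client id passed to {@link YubicoClient#getClient(Integer)}
     * @param str                    the key set on the validation client
     * @param yubiKeyAccountRegistry registry consulted before the OTP is validated; must not be null
     * @throws IllegalArgumentException if {@code yubiKeyAccountRegistry} is null
     */
    public YubiKeyAuthenticationHandler(Integer num, String str, YubiKeyAccountRegistry yubiKeyAccountRegistry) {
        // Fail fast: a null registry would otherwise surface only at login time as a
        // NullPointerException reported to the user as "bad username or password".
        if (yubiKeyAccountRegistry == null) {
            throw new IllegalArgumentException("yubiKeyAccountRegistry must not be null");
        }
        this.registry = yubiKeyAccountRegistry;
        this.client = YubicoClient.getClient(num);
        this.client.setKey(str);
    }

    /**
     * Logs a warning at startup when the handler is running with the accept-any registry,
     * so the insecure example configuration is visible in the logs.
     */
    @Override
    public void afterPropertiesSet() throws Exception {
        if (this.registry instanceof AcceptAnyYubiKeyAccountRegistry) {
            this.log.warn("{} instantiated with example accept-any configuration handled via {}. THIS IS NOT OKAY IN PRODUCTION. NO. NO. NO.", getClass().getSimpleName(), AcceptAnyYubiKeyAccountRegistry.class.getSimpleName());
        }
    }

    /**
     * Validates the submitted credentials, treating the password as a YubiKey OTP.
     *
     * @param usernamePasswordCredentials the submitted username and OTP
     * @return {@code true} only if the OTP format is valid, the registry accepts the
     *         username/public-id pair, and the validation status is {@code OK}
     * @throws AuthenticationException a {@link BadUsernameOrPasswordAuthenticationException}
     *         wrapping any exception raised during the checks
     */
    @Override
    protected boolean authenticateUsernamePasswordInternal(UsernamePasswordCredentials usernamePasswordCredentials) throws AuthenticationException {
        try {
            String username = usernamePasswordCredentials.getUsername();
            String otp = usernamePasswordCredentials.getPassword();
            if (!YubicoClient.isValidOTPFormat(otp)) {
                // Never log the submitted value: something that is not a well-formed OTP is
                // most likely a regular password typed into this form, and writing it to the
                // log would disclose a reusable secret.
                this.log.debug("Invalid OTP format submitted for user [{}]", username);
                return false;
            }
            String publicId = YubicoClient.getPublicId(otp);
            // The account binding is checked before the OTP is sent for validation, so an OTP
            // from a key that does not belong to this user is rejected without being verified.
            if (!this.registry.isYubiKeyRegisteredFor(username, publicId)) {
                this.log.debug("YubiKey public id [{}] is not registered for user [{}]", publicId, username);
                return false;
            }
            YubicoResponse response = this.client.verify(otp);
            this.log.debug("YubiKey response status {} at {}", response.getStatus(), response.getTimestamp());
            // NOTE(review): this relies on the client library to authenticate the validation
            // response; confirm that for the library version in use.
            return response.getStatus() == YubicoResponseStatus.OK;
        } catch (Exception e) {
            // Fails closed: any failure, including a validation error that is not caused by the
            // user, is reported as bad credentials. The cause is preserved for troubleshooting.
            throw new BadUsernameOrPasswordAuthenticationException(e);
        }
    }
}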
