package net.shibboleth.idp.plugin.authn.webauthn.storage.impl;

import com.yubico.webauthn.RegisteredCredential;
import com.yubico.webauthn.data.ByteArray;
import com.yubico.webauthn.data.PublicKeyCredentialDescriptor;
import java.io.IOException;
import java.util.Collection;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import java.util.stream.Collectors;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.plugin.authn.webauthn.exception.CredentialRepositoryException;
import net.shibboleth.idp.plugin.authn.webauthn.storage.CredentialRegistration;
import net.shibboleth.idp.plugin.authn.webauthn.storage.StorageServiceCredentialRepository;
import net.shibboleth.shared.annotation.constraint.NonnullAfterInit;
import net.shibboleth.shared.annotation.constraint.NotLive;
import net.shibboleth.shared.annotation.constraint.ThreadSafeAfterInit;
import net.shibboleth.shared.annotation.constraint.Unmodifiable;
import net.shibboleth.shared.collection.CollectionSupport;
import net.shibboleth.shared.component.AbstractIdentifiableInitializableComponent;
import net.shibboleth.shared.component.ComponentInitializationException;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.logic.ConstraintViolationException;
import net.shibboleth.shared.primitive.NonnullSupplier;
import org.opensaml.storage.EnumeratableStorageService;
import org.opensaml.storage.StorageCapabilities;
import org.opensaml.storage.StorageRecord;
import org.opensaml.storage.StorageSerializer;
import org.opensaml.storage.StorageService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@ThreadSafeAfterInit
/* loaded from: input_file:net/shibboleth/idp/plugin/authn/webauthn/storage/impl/IdPStorageServiceCredentialRespository.class */
public class IdPStorageServiceCredentialRespository extends AbstractIdentifiableInitializableComponent implements StorageServiceCredentialRepository {
    private static final Logger log;
    private static final String STORAGE_CONTEXT = "net.shibboleth.idp.plugin.authn.webauthn";

    @NonnullAfterInit
    private StorageSerializer<Set<CredentialRegistration>> serializer;

    @NonnullAfterInit
    private EnumeratableStorageService storageService;

    @NonnullAfterInit
    private ReentrantReadWriteLock lock;
    static final /* synthetic */ boolean $assertionsDisabled;

    public void setStorageService(@Nonnull StorageService storageService) {
        checkSetterPreconditions();
        Constraint.isNotNull(storageService, "The Storage Service can not be null");
        if (!(storageService instanceof EnumeratableStorageService)) {
            throw new ConstraintViolationException("Credential repository requires an EnumeratableStorageService type");
        }
        this.storageService = (EnumeratableStorageService) storageService;
        StorageCapabilities capabilities = this.storageService.getCapabilities();
        if (capabilities instanceof StorageCapabilities) {
            if (!capabilities.isServerSide()) {
                log.info("Use of client-side storage can make it difficult/impossible to transfer key registrations from one browser to another, which can hinder portability");
            }
            if (capabilities.isClustered()) {
                return;
            }
            log.info("Use of non-clustered storage service will result in per-node lockout behavior");
        }
    }

    public void setSerializer(@Nonnull StorageSerializer<Set<CredentialRegistration>> storageSerializer) {
        checkSetterPreconditions();
        this.serializer = (StorageSerializer) Constraint.isNotNull(storageSerializer, "serializer can not be null");
    }

    protected void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (this.serializer == null) {
            throw new ComponentInitializationException("Storage serializer can not be null");
        }
        if (this.storageService == null) {
            throw new ComponentInitializationException("Storage service can not be null");
        }
        this.lock = new ReentrantReadWriteLock(true);
    }

    protected void doDestroy() {
        this.lock = null;
        super.doDestroy();
    }

    public Set<PublicKeyCredentialDescriptor> getCredentialIdsForUsername(@Nullable String str) {
        checkComponentActive();
        if (str == null) {
            return CollectionSupport.emptySet();
        }
        ReentrantReadWriteLock.ReadLock readLock = this.lock.readLock();
        try {
            readLock.lock();
            Set<PublicKeyCredentialDescriptor> set = (Set) ((NonnullSupplier) getRegistrationsByUsername(str).stream().map(credentialRegistration -> {
                return credentialRegistration.toPublicKeyCredentialDescriptor();
            }).collect(CollectionSupport.nonnullCollector(Collectors.toUnmodifiableSet()))).get();
            readLock.unlock();
            return set;
        } catch (Throwable th) {
            readLock.unlock();
            throw th;
        }
    }

    public Optional<ByteArray> getUserHandleForUsername(@Nullable String str) {
        checkComponentActive();
        if (str == null) {
            return Optional.empty();
        }
        ReentrantReadWriteLock.ReadLock readLock = this.lock.readLock();
        try {
            readLock.lock();
            Optional map = getRegistrationsByUsername(str).stream().findAny().map(credentialRegistration -> {
                return credentialRegistration.getUserIdentity().getId();
            });
            readLock.unlock();
            return map;
        } catch (Throwable th) {
            readLock.unlock();
            throw th;
        }
    }

    public Optional<String> getUsernameForUserHandle(ByteArray byteArray) {
        checkComponentActive();
        ReentrantReadWriteLock.ReadLock readLock = this.lock.readLock();
        try {
            readLock.lock();
            Optional map = getRegistrationsByUserHandle(byteArray).stream().findAny().map((v0) -> {
                return v0.getUsername();
            });
            readLock.unlock();
            return map;
        } catch (Throwable th) {
            readLock.unlock();
            throw th;
        }
    }

    public Optional<RegisteredCredential> lookup(ByteArray byteArray, ByteArray byteArray2) {
        checkComponentActive();
        ReentrantReadWriteLock.ReadLock readLock = this.lock.readLock();
        try {
            readLock.lock();
            Optional<RegisteredCredential> findAny = lookupAll(byteArray).stream().filter(registeredCredential -> {
                return registeredCredential.getUserHandle().equals(byteArray2);
            }).findAny();
            readLock.unlock();
            return findAny;
        } catch (Throwable th) {
            readLock.unlock();
            throw th;
        }
    }

    private Collection<CredentialRegistration> getRegistrationsByUserHandle(ByteArray byteArray) {
        checkComponentActive();
        ReentrantReadWriteLock.ReadLock readLock = this.lock.readLock();
        try {
            try {
                readLock.lock();
                HashSet hashSet = new HashSet();
                for (String str : this.storageService.getContextKeys(STORAGE_CONTEXT, (String) null)) {
                    if (!$assertionsDisabled && str == null) {
                        throw new AssertionError();
                    }
                    hashSet.addAll((Set) ((NonnullSupplier) getRegistrationsByUsername(str).stream().filter(credentialRegistration -> {
                        return byteArray.equals(credentialRegistration.getUserIdentity().getId());
                    }).collect(CollectionSupport.nonnullCollector(Collectors.toUnmodifiableSet()))).get());
                }
                return hashSet;
            } catch (IOException e) {
                throw new CredentialRepositoryException(e);
            }
        } finally {
            readLock.unlock();
        }
    }

    @Nonnull
    public Set<RegisteredCredential> lookupAll(ByteArray byteArray) {
        checkComponentActive();
        ReentrantReadWriteLock.ReadLock readLock = this.lock.readLock();
        try {
            try {
                readLock.lock();
                HashSet hashSet = new HashSet();
                for (String str : this.storageService.getContextKeys(STORAGE_CONTEXT, (String) null)) {
                    if (!$assertionsDisabled && str == null) {
                        throw new AssertionError();
                    }
                    hashSet.addAll((Set) ((NonnullSupplier) getRegistrationsByUsername(str).stream().filter(credentialRegistration -> {
                        return credentialRegistration.getCredential().getCredentialId().equals(byteArray);
                    }).map((v0) -> {
                        return v0.getCredential();
                    }).collect(CollectionSupport.nonnullCollector(Collectors.toUnmodifiableSet()))).get());
                }
                return hashSet;
            } catch (IOException e) {
                throw new CredentialRepositoryException(e);
            }
        } finally {
            readLock.unlock();
        }
    }

    @Nonnull
    public Set<CredentialRegistration> getRegistrationsByUsername(String str) {
        checkComponentActive();
        ReentrantReadWriteLock.ReadLock readLock = this.lock.readLock();
        try {
            try {
                readLock.lock();
                StorageRecord read = this.storageService.read(STORAGE_CONTEXT, str);
                if (read != null) {
                    Set<CredentialRegistration> set = (Set) read.getValue(this.serializer, STORAGE_CONTEXT, str);
                    readLock.unlock();
                    return set;
                }
                Set<CredentialRegistration> emptySet = CollectionSupport.emptySet();
                readLock.unlock();
                return emptySet;
            } catch (IOException e) {
                throw new CredentialRepositoryException(e);
            }
        } catch (Throwable th) {
            readLock.unlock();
            throw th;
        }
    }

    public Optional<CredentialRegistration> getRegistrationByUsernameAndCredentialId(String str, ByteArray byteArray) {
        checkComponentActive();
        ReentrantReadWriteLock.ReadLock readLock = this.lock.readLock();
        try {
            readLock.lock();
            Optional<CredentialRegistration> findFirst = getRegistrationsByUsername(str).stream().filter(credentialRegistration -> {
                return byteArray.equals(credentialRegistration.getCredential().getCredentialId());
            }).findFirst();
            readLock.unlock();
            return findFirst;
        } catch (Throwable th) {
            readLock.unlock();
            throw th;
        }
    }

    public boolean addRegistrationByUsername(@Nonnull String str, @Nonnull CredentialRegistration credentialRegistration) {
        checkComponentActive();
        ReentrantReadWriteLock.WriteLock writeLock = this.lock.writeLock();
        try {
            try {
                writeLock.lock();
                Set<CredentialRegistration> registrationsByUsername = getRegistrationsByUsername(str);
                if (registrationsByUsername.isEmpty()) {
                    LinkedHashSet linkedHashSet = new LinkedHashSet(1);
                    linkedHashSet.add(credentialRegistration);
                    boolean create = this.storageService.create(STORAGE_CONTEXT, str, linkedHashSet, this.serializer, (Long) null);
                    writeLock.unlock();
                    return create;
                }
                LinkedHashSet linkedHashSet2 = new LinkedHashSet(registrationsByUsername);
                linkedHashSet2.add(credentialRegistration);
                boolean update = this.storageService.update(STORAGE_CONTEXT, str, linkedHashSet2, this.serializer, (Long) null);
                writeLock.unlock();
                return update;
            } catch (IOException e) {
                throw new CredentialRepositoryException(e);
            }
        } catch (Throwable th) {
            writeLock.unlock();
            throw th;
        }
    }

    public boolean removeRegistrationByUsername(String str, CredentialRegistration credentialRegistration) {
        checkComponentActive();
        ReentrantReadWriteLock.WriteLock writeLock = this.lock.writeLock();
        try {
            try {
                writeLock.lock();
                Set<CredentialRegistration> registrationsByUsername = getRegistrationsByUsername(str);
                if (registrationsByUsername.isEmpty()) {
                    return false;
                }
                LinkedHashSet linkedHashSet = new LinkedHashSet(registrationsByUsername);
                linkedHashSet.remove(credentialRegistration);
                if (linkedHashSet.isEmpty()) {
                    boolean delete = this.storageService.delete(STORAGE_CONTEXT, str);
                    writeLock.unlock();
                    return delete;
                }
                if (!$assertionsDisabled && this.serializer == null) {
                    throw new AssertionError();
                }
                boolean update = this.storageService.update(STORAGE_CONTEXT, str, linkedHashSet, this.serializer, (Long) null);
                writeLock.unlock();
                return update;
            } catch (IOException e) {
                throw new CredentialRepositoryException(e);
            }
        } finally {
            writeLock.unlock();
        }
    }

    public int removeRegistrationByCredentialId(ByteArray byteArray) {
        checkComponentActive();
        ReentrantReadWriteLock.WriteLock writeLock = this.lock.writeLock();
        try {
            try {
                writeLock.lock();
                int i = 0;
                for (String str : this.storageService.getContextKeys(STORAGE_CONTEXT, (String) null)) {
                    if (!$assertionsDisabled && str == null) {
                        throw new AssertionError();
                    }
                    Set<CredentialRegistration> registrationsByUsername = getRegistrationsByUsername(str);
                    if (registrationsByUsername.isEmpty()) {
                        log.trace("No existing registrations, nothing to remove");
                    } else {
                        List list = (List) ((NonnullSupplier) registrationsByUsername.stream().filter(credentialRegistration -> {
                            return credentialRegistration.getCredential().getCredentialId().equals(byteArray);
                        }).collect(CollectionSupport.nonnullCollector(Collectors.toList()))).get();
                        if (list.size() == 1) {
                            CredentialRegistration credentialRegistration2 = (CredentialRegistration) list.get(0);
                            LinkedHashSet linkedHashSet = new LinkedHashSet(registrationsByUsername);
                            linkedHashSet.remove(credentialRegistration2);
                            if (!linkedHashSet.isEmpty()) {
                                if (!$assertionsDisabled && this.serializer == null) {
                                    throw new AssertionError();
                                }
                                if (this.storageService.update(STORAGE_CONTEXT, str, linkedHashSet, this.serializer, (Long) null)) {
                                    i++;
                                }
                            } else if (this.storageService.delete(STORAGE_CONTEXT, str)) {
                                i++;
                            }
                        }
                    }
                }
                return i;
            } catch (IOException e) {
                throw new CredentialRepositoryException(e);
            }
        } finally {
            writeLock.unlock();
        }
    }

    public boolean removeRegistrationByUsernameAndCredentialId(String str, ByteArray byteArray) {
        checkComponentActive();
        ReentrantReadWriteLock.WriteLock writeLock = this.lock.writeLock();
        try {
            try {
                writeLock.lock();
                Set<CredentialRegistration> registrationsByUsername = getRegistrationsByUsername(str);
                if (registrationsByUsername.isEmpty()) {
                    writeLock.unlock();
                    return false;
                }
                LinkedHashSet linkedHashSet = new LinkedHashSet(registrationsByUsername);
                List list = (List) ((NonnullSupplier) registrationsByUsername.stream().filter(credentialRegistration -> {
                    return credentialRegistration.getCredential().getCredentialId().equals(byteArray);
                }).collect(CollectionSupport.nonnullCollector(Collectors.toList()))).get();
                if (list.size() != 1) {
                    return false;
                }
                linkedHashSet.remove(list.iterator().next());
                if (linkedHashSet.isEmpty()) {
                    boolean delete = this.storageService.delete(STORAGE_CONTEXT, str);
                    writeLock.unlock();
                    return delete;
                }
                if (!$assertionsDisabled && this.serializer == null) {
                    throw new AssertionError();
                }
                boolean update = this.storageService.update(STORAGE_CONTEXT, str, linkedHashSet, this.serializer, (Long) null);
                writeLock.unlock();
                return update;
            } catch (IOException e) {
                throw new CredentialRepositoryException(e);
            }
        } finally {
            writeLock.unlock();
        }
    }

    public boolean updateSignatureCounter(@Nonnull String str, @Nonnull ByteArray byteArray, long j) {
        ReentrantReadWriteLock.WriteLock writeLock = this.lock.writeLock();
        try {
            writeLock.lock();
            Optional<CredentialRegistration> registrationByUsernameAndCredentialId = getRegistrationByUsernameAndCredentialId(str, byteArray);
            if (registrationByUsernameAndCredentialId.isEmpty()) {
                log.warn("Can not update signature count for user '{}' and credential '{}'. No existing credential found.", str, byteArray.getBase64());
                writeLock.unlock();
                return false;
            }
            RegisteredCredential build = registrationByUsernameAndCredentialId.get().getCredential().toBuilder().signatureCount(j).build();
            if (!$assertionsDisabled && build == null) {
                throw new AssertionError();
            }
            CredentialRegistration withCredential = registrationByUsernameAndCredentialId.get().withCredential(build);
            CredentialRegistration credentialRegistration = registrationByUsernameAndCredentialId.get();
            if (!$assertionsDisabled && (credentialRegistration == null || withCredential == null)) {
                throw new AssertionError();
            }
            if (!removeRegistrationByUsername(str, credentialRegistration)) {
                log.warn("Can not update signature count for user '{}' and credential '{}'. Can not remove existing signature count.", str, byteArray.getBase64());
                writeLock.unlock();
                return false;
            }
            if (addRegistrationByUsername(str, withCredential)) {
                return true;
            }
            log.warn("Can not update signature count for user '{}' and credential '{}'. Can not add new signature count.", str, byteArray.getBase64());
            writeLock.unlock();
            return false;
        } finally {
            writeLock.unlock();
        }
    }

    @Unmodifiable
    @Nonnull
    @NotLive
    public Set<CredentialRegistration> getAllRegistrations() {
        checkComponentActive();
        ReentrantReadWriteLock.ReadLock readLock = this.lock.readLock();
        try {
            try {
                readLock.lock();
                HashSet hashSet = new HashSet();
                for (String str : this.storageService.getContextKeys(STORAGE_CONTEXT, (String) null)) {
                    if (!$assertionsDisabled && str == null) {
                        throw new AssertionError();
                    }
                    hashSet.addAll((Collection) ((NonnullSupplier) getRegistrationsByUsername(str).stream().filter((v0) -> {
                        return Objects.nonNull(v0);
                    }).collect(CollectionSupport.nonnullCollector(Collectors.toUnmodifiableSet()))).get());
                }
                Set<CredentialRegistration> copyToSet = CollectionSupport.copyToSet(hashSet);
                readLock.unlock();
                return copyToSet;
            } catch (IOException e) {
                throw new CredentialRepositoryException(e);
            }
        } catch (Throwable th) {
            readLock.unlock();
            throw th;
        }
    }

    static {
        $assertionsDisabled = !IdPStorageServiceCredentialRespository.class.desiredAssertionStatus();
        log = LoggerFactory.getLogger(IdPStorageServiceCredentialRespository.class);
    }
}
