package org.apereo.cas.pm.web.flow.actions;

import java.util.Map;
import java.util.Optional;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.AuthenticationResultBuilder;
import org.apereo.cas.authentication.AuthenticationSystemSupport;
import org.apereo.cas.authentication.DefaultAuthenticationBuilder;
import org.apereo.cas.authentication.MultifactorAuthenticationContextValidationResult;
import org.apereo.cas.authentication.MultifactorAuthenticationContextValidator;
import org.apereo.cas.authentication.MultifactorAuthenticationProvider;
import org.apereo.cas.authentication.MultifactorAuthenticationProviderSelector;
import org.apereo.cas.authentication.MultifactorAuthenticationUtils;
import org.apereo.cas.authentication.credential.BasicIdentifiableCredential;
import org.apereo.cas.authentication.credential.UsernamePasswordCredential;
import org.apereo.cas.authentication.device.MultifactorAuthenticationDeviceManager;
import org.apereo.cas.authentication.principal.NullPrincipal;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.authentication.principal.PrincipalResolver;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.pm.PasswordManagementService;
import org.apereo.cas.pm.web.flow.PasswordManagementWebflowUtils;
import org.apereo.cas.pm.web.flow.PasswordResetRequest;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.web.flow.CasWebflowConstants;
import org.apereo.cas.web.flow.actions.BaseCasWebflowAction;
import org.apereo.cas.web.flow.util.MultifactorAuthenticationWebflowUtils;
import org.apereo.cas.web.support.WebUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.webflow.action.EventFactorySupport;
import org.springframework.webflow.core.collection.LocalAttributeMap;
import org.springframework.webflow.execution.Event;
import org.springframework.webflow.execution.RequestContext;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-pm-webflow-7.2.0-RC4.jar:org/apereo/cas/pm/web/flow/actions/InitPasswordResetAction.class */
/**
 * Webflow action that starts the password reset step of the flow.
 *
 * <p>It determines the username the reset applies to, optionally routes the flow to a
 * multifactor authentication (MFA) provider first, and finally places a
 * {@link UsernamePasswordCredential} carrying only that username into the request context.
 *
 * <p>Security-relevant behavior visible in this class:
 * <ul>
 *   <li>The username comes either from the parsed password reset token or, when no token is
 *       present, from a {@link PasswordResetRequest} already stored in the context.</li>
 *   <li>The MFA gate is skipped when a provider id is already recorded in the flow context;
 *       this action records that id itself before handing off to the provider.</li>
 *   <li>A principal with no registered MFA device is rejected rather than let through.</li>
 * </ul>
 */
public class InitPasswordResetAction extends BaseCasWebflowAction {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(InitPasswordResetAction.class);

    // Parses the reset token into the username it was issued for.
    private final PasswordManagementService passwordManagementService;
    // Source of the "MFA required for password reset" setting.
    private final CasConfigurationProperties casProperties;
    // Resolves the username into a principal for provider selection and device lookup.
    private final PrincipalResolver principalResolver;
    // Picks one provider out of the providers available in the application context.
    private final MultifactorAuthenticationProviderSelector multifactorAuthenticationProviderSelector;
    // Supplies the principal factory and the authentication result builder factory.
    private final AuthenticationSystemSupport authenticationSystemSupport;
    // Checks whether an existing authentication already satisfies a given provider.
    private final MultifactorAuthenticationContextValidator multifactorAuthenticationContextValidator;

    /**
     * Runs the password reset initialization.
     *
     * @param requestContext the current webflow request context
     * @return {@code error} when no username can be determined or when MFA is required but the
     *         principal has no registered device; the provider's id as an event when the flow
     *         must go through MFA first; {@code success} otherwise
     * @throws Throwable propagated from principal resolution or provider selection
     */
    @Override
    protected Event doExecuteInternal(RequestContext requestContext) throws Throwable {
        final String username = getPasswordResetUsername(requestContext);
        if (StringUtils.isBlank(username)) {
            // NOTE(review): this message is also emitted when there was no token at all and no
            // PasswordResetRequest in the context, not only when token verification failed.
            LOGGER.error("Password reset token could not be verified to determine username");
            return error();
        }

        if (doesPasswordResetRequireMultifactorAuthentication(requestContext)) {
            final Principal principal = resolvedPrincipal(username);
            // NOTE(review): the selected provider is dereferenced below without a null check;
            // confirm the selector cannot return null for this principal/service.
            final MultifactorAuthenticationProvider provider = selectMultifactorAuthenticationProvider(requestContext, principal);
            final boolean alreadySatisfied = doesMultifactorAuthenticationProviderExistInContext(requestContext, provider);
            if (!alreadySatisfied) {
                final MultifactorAuthenticationDeviceManager devices = provider.getDeviceManager();
                // A provider without a device manager is still challenged; only a device manager
                // that reports no registered devices blocks the reset (fail closed).
                final boolean canChallenge = devices == null || devices.hasRegisteredDevices(principal);
                if (canChallenge) {
                    return routeToMultifactorAuthenticationProvider(requestContext, principal, provider);
                }
                LOGGER.warn("No registered devices for multifactor authentication could be found for [{}] via [{}]", principal.getId(), provider.getId());
                return error();
            }
        }

        // Only the username is populated; the credential carries no password at this point.
        final UsernamePasswordCredential credential = new UsernamePasswordCredential();
        credential.setUsername(username);
        WebUtils.putCredential(requestContext, credential);
        return success();
    }

    /**
     * Prepares the context for the MFA provider and returns the event that routes to it.
     *
     * <p>An authentication holding only the given principal is stored in the context, the target
     * transition is set to resume the password reset, and the provider is recorded in the context.
     *
     * @param requestContext the current webflow request context
     * @param principal the principal the reset applies to
     * @param multifactorAuthenticationProvider the provider to route to
     * @return an event whose id is the provider id, carrying the provider as an attribute
     */
    protected Event routeToMultifactorAuthenticationProvider(RequestContext requestContext, Principal principal, MultifactorAuthenticationProvider multifactorAuthenticationProvider) {
        // This authentication is built from the principal alone; no credential has been verified
        // for it in this method.
        final Authentication authentication = DefaultAuthenticationBuilder.newInstance()
            .setPrincipal(principal)
            .build();
        WebUtils.putAuthentication(authentication, requestContext);
        WebUtils.putAuthenticationResultBuilder(
            this.authenticationSystemSupport.getAuthenticationResultBuilderFactory().newBuilder().collect(authentication),
            requestContext);
        WebUtils.putTargetTransition(requestContext, CasWebflowConstants.TRANSITION_ID_RESUME_RESET_PASSWORD);
        // NOTE(review): the provider is recorded here, before the challenge has been completed,
        // and doesPasswordResetRequireMultifactorAuthentication treats a recorded provider as
        // "MFA no longer required". Confirm the flow definition can only re-enter this action
        // after the provider's subflow has succeeded.
        MultifactorAuthenticationWebflowUtils.putMultifactorAuthenticationProvider(requestContext, multifactorAuthenticationProvider);

        final String providerId = multifactorAuthenticationProvider.getId();
        final String attributeName = MultifactorAuthenticationProvider.class.getName();
        return new EventFactorySupport().event(this, providerId, new LocalAttributeMap(Map.of(attributeName, multifactorAuthenticationProvider)));
    }

    /**
     * Resolves the username into a principal.
     *
     * @param str the username the reset applies to
     * @return the resolver's principal, or a principal created from the bare username when the
     *         resolver returns a {@link NullPrincipal}
     * @throws Throwable propagated from the resolver or the principal factory
     */
    protected Principal resolvedPrincipal(String str) throws Throwable {
        final Principal candidate = this.principalResolver.resolve(new BasicIdentifiableCredential(str));
        if (candidate instanceof NullPrincipal) {
            // Fallback principal is created from the id only, so provider selection and the
            // device lookup run against whatever that factory produces for a bare id.
            return this.authenticationSystemSupport.getPrincipalFactory().createPrincipal(str);
        }
        return candidate;
    }

    /**
     * Determines the username the reset applies to.
     *
     * @param requestContext the current webflow request context
     * @return the username parsed from the reset token when a token is present; otherwise the
     *         username of the {@link PasswordResetRequest} in the context; {@code null} when
     *         neither is available
     */
    protected String getPasswordResetUsername(RequestContext requestContext) {
        final String token = PasswordManagementWebflowUtils.getPasswordResetToken(requestContext);
        if (StringUtils.isBlank(token)) {
            // NOTE(review): on this path the username is taken from the request object without
            // any token parsing in this class; confirm how that object is populated and that
            // its username has already been verified upstream.
            final PasswordResetRequest resetRequest = PasswordManagementWebflowUtils.getPasswordResetRequest(requestContext);
            return resetRequest == null ? null : resetRequest.getUsername();
        }
        return this.passwordManagementService.parseToken(token);
    }

    /**
     * Checks whether an authentication already collected in the context satisfies the provider.
     *
     * @param requestContext the current webflow request context
     * @param multifactorAuthenticationProvider the provider selected for this reset
     * @return {@code true} when a result builder exists and at least one of its authentications
     *         validates successfully against the provider id with a provider present in the result
     */
    protected boolean doesMultifactorAuthenticationProviderExistInContext(RequestContext requestContext, MultifactorAuthenticationProvider multifactorAuthenticationProvider) {
        final AuthenticationResultBuilder resultBuilder = WebUtils.getAuthenticationResultBuilder(requestContext);
        final RegisteredService service = WebUtils.getRegisteredService(requestContext);
        if (resultBuilder == null) {
            return false;
        }
        return resultBuilder.getAuthentications().stream().anyMatch(candidate -> {
            final MultifactorAuthenticationContextValidationResult outcome = this.multifactorAuthenticationContextValidator.validate(
                candidate, multifactorAuthenticationProvider.getId(), Optional.ofNullable(service));
            // Both conditions are required: a successful validation and a provider in the result.
            return outcome.isSuccess() && outcome.getProvider().isPresent();
        });
    }

    /**
     * Selects the MFA provider to use for the given principal.
     *
     * @param requestContext the current webflow request context
     * @param principal the principal the reset applies to
     * @return the provider chosen by the selector from the providers available in the active
     *         flow's application context
     * @throws Throwable propagated from the selector
     */
    protected MultifactorAuthenticationProvider selectMultifactorAuthenticationProvider(RequestContext requestContext, Principal principal) throws Throwable {
        final Map<String, MultifactorAuthenticationProvider> providersById =
            MultifactorAuthenticationUtils.getAvailableMultifactorAuthenticationProviders(requestContext.getActiveFlow().getApplicationContext());
        return this.multifactorAuthenticationProviderSelector.resolve(
            providersById.values(),
            WebUtils.getRegisteredService(requestContext),
            principal);
    }

    /**
     * Decides whether the reset must go through MFA before continuing.
     *
     * @param requestContext the current webflow request context
     * @return {@code true} only when MFA for password reset is enabled in configuration, at least
     *         one provider is available, and no provider is recorded in the flow context yet
     */
    protected boolean doesPasswordResetRequireMultifactorAuthentication(RequestContext requestContext) {
        if (!this.casProperties.getAuthn().getPm().getReset().isMultifactorAuthenticationEnabled()) {
            return false;
        }
        // With the setting enabled but no provider available, the reset proceeds without MFA.
        if (MultifactorAuthenticationUtils.getAvailableMultifactorAuthenticationProviders(requestContext.getActiveFlow().getApplicationContext()).isEmpty()) {
            return false;
        }
        // NOTE(review): a provider recorded in the flow context is taken as "no further MFA
        // needed"; this check does not itself verify that the challenge succeeded.
        return StringUtils.isBlank(MultifactorAuthenticationWebflowUtils.getMultifactorAuthenticationProvider(requestContext));
    }

    /**
     * Creates the action with its collaborators.
     *
     * @param passwordManagementService service used to parse reset tokens
     * @param casConfigurationProperties CAS settings, read for the password reset MFA flag
     * @param principalResolver resolver used to turn the username into a principal
     * @param multifactorAuthenticationProviderSelector selector that picks the MFA provider
     * @param authenticationSystemSupport source of the principal and result builder factories
     * @param multifactorAuthenticationContextValidator validator for existing authentications
     */
    @Generated
    public InitPasswordResetAction(PasswordManagementService passwordManagementService, CasConfigurationProperties casConfigurationProperties, PrincipalResolver principalResolver, MultifactorAuthenticationProviderSelector multifactorAuthenticationProviderSelector, AuthenticationSystemSupport authenticationSystemSupport, MultifactorAuthenticationContextValidator multifactorAuthenticationContextValidator) {
        this.passwordManagementService = passwordManagementService;
        this.casProperties = casConfigurationProperties;
        this.principalResolver = principalResolver;
        this.multifactorAuthenticationProviderSelector = multifactorAuthenticationProviderSelector;
        this.authenticationSystemSupport = authenticationSystemSupport;
        this.multifactorAuthenticationContextValidator = multifactorAuthenticationContextValidator;
    }
}
