package org.apereo.cas.pm.impl;

import com.google.common.net.HttpHeaders;
import com.sun.xml.ws.policy.PolicyConstants;
import java.io.Serializable;
import java.util.UUID;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.audit.AuditActionResolvers;
import org.apereo.cas.audit.AuditResourceResolvers;
import org.apereo.cas.audit.AuditableActions;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.support.pm.ResetPasswordManagementProperties;
import org.apereo.cas.configuration.support.Beans;
import org.apereo.cas.pm.PasswordChangeRequest;
import org.apereo.cas.pm.PasswordHistoryService;
import org.apereo.cas.pm.PasswordManagementQuery;
import org.apereo.cas.pm.PasswordManagementService;
import org.apereo.cas.util.LoggingUtils;
import org.apereo.cas.util.crypto.CipherExecutor;
import org.apereo.inspektr.audit.annotation.Audit;
import org.apereo.inspektr.common.web.ClientInfo;
import org.apereo.inspektr.common.web.ClientInfoHolder;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.NumericDate;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-pm-core-7.3.0-RC2.jar:org/apereo/cas/pm/impl/BasePasswordManagementService.class */
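/**
 * Base implementation of {@link PasswordManagementService} that covers the parts shared by
 * all backends: minting and validating password-reset tokens and wrapping
 * {@link #changeInternal} with the password-history policy.
 * <p>
 * Integrity and confidentiality of a token are delegated entirely to the injected
 * {@link CipherExecutor}: {@link #parseToken} only inspects the claims of a token that the
 * cipher executor has already decoded successfully. Every failure in token handling is
 * reported as {@code null} rather than an exception, so callers must treat {@code null} as
 * "no valid token".
 */
public abstract class BasePasswordManagementService implements PasswordManagementService {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) BasePasswordManagementService.class);

    /**
     * Name of the claim that binds a token to the CAS server IP address. The decompiler
     * resolved the original string literal to an unrelated library constant carrying the
     * same value; only the runtime value matters for wire compatibility, so it is kept.
     */
    private static final String SERVER_IP_CLAIM = HttpHeaders.ReferrerPolicyValues.ORIGIN;

    /** Name of the claim that binds a token to the client IP address (same decompiler caveat). */
    private static final String CLIENT_IP_CLAIM = PolicyConstants.CLIENT_CONFIGURATION_IDENTIFIER;

    protected final CasConfigurationProperties casProperties;
    protected final CipherExecutor<Serializable, String> cipherExecutor;
    protected final PasswordHistoryService passwordHistoryService;

    /**
     * Decodes a password-reset token and validates its claims against this server.
     * <p>
     * Checks, in order: issuer and audience equal the configured server prefix, a subject is
     * present, the optional server/client IP bindings match the current request, and the
     * token has not expired. A missing claim is treated as a mismatch (fail closed).
     *
     * @param str the encoded token as produced by {@link #createToken}
     * @return the token subject (username) when every check passes, otherwise {@code null}
     */
    @Override // org.apereo.cas.pm.PasswordManagementService
    public String parseToken(String str) {
        try {
            // decode() is where a tampered or foreign token is rejected; the checks below only
            // apply to claims that have passed the cipher executor.
            JwtClaims claims = JwtClaims.parse(this.cipherExecutor.decode(str));
            ResetPasswordManagementProperties reset = this.casProperties.getAuthn().getPm().getReset();
            String prefix = this.casProperties.getServer().getPrefix();

            String issuer = claims.getIssuer();
            if (issuer == null || !issuer.equals(prefix)) {
                LOGGER.error("Token issuer does not match CAS");
                return null;
            }

            var audience = claims.getAudience();
            if (audience == null || audience.isEmpty() || !prefix.equals(audience.getFirst())) {
                LOGGER.error("Token audience does not match CAS");
                return null;
            }

            if (StringUtils.isBlank(claims.getSubject())) {
                LOGGER.error("Token has no subject identifier");
                return null;
            }

            if (reset.isIncludeServerIpAddress() || reset.isIncludeClientIpAddress()) {
                ClientInfo clientInfo = ClientInfoHolder.getClientInfo();
                // Without request context the IP binding cannot be verified, so the token is
                // rejected explicitly instead of failing on a NullPointerException.
                if (clientInfo == null) {
                    LOGGER.error("Token is bound to an IP address but no client information is available");
                    return null;
                }
                if (reset.isIncludeServerIpAddress()
                    && !claimMatches(claims.getStringClaimValue(SERVER_IP_CLAIM), clientInfo.getServerIpAddress())) {
                    LOGGER.error("Token origin server IP address does not match CAS");
                    return null;
                }
                if (reset.isIncludeClientIpAddress()
                    && !claimMatches(claims.getStringClaimValue(CLIENT_IP_CLAIM), clientInfo.getClientIpAddress())) {
                    LOGGER.error("Token client IP address does not match CAS");
                    return null;
                }
            }

            NumericDate expiration = claims.getExpirationTime();
            if (expiration == null) {
                LOGGER.error("Token has no expiration time");
                return null;
            }
            if (expiration.isBefore(NumericDate.now())) {
                LOGGER.error("Token has expired.");
                return null;
            }
            return claims.getSubject();
        } catch (Exception e) {
            // Any decode/parse failure maps to "no valid token"; the cause is logged, not exposed.
            LoggingUtils.error(LOGGER, e);
            return null;
        }
    }

    /**
     * Compares a claim value from the token with the value expected for the current request.
     *
     * @param actual   the claim value read from the token, possibly {@code null} when absent
     * @param expected the value derived from the current request
     * @return {@code true} only when the claim is present and equal to {@code expected}
     */
    private static boolean claimMatches(String actual, String expected) {
        return actual != null && actual.equals(expected);
    }

    /**
     * Creates an encoded password-reset token for the given user.
     * <p>
     * The token is a JWT whose issuer and audience are the server prefix, with a random
     * {@code jti}, an expiration derived from the configured reset expiration and, when
     * enabled, the server and client IP addresses of the current request. The JSON claims
     * are then passed through the cipher executor, which is what protects them.
     *
     * @param passwordManagementQuery query holding the username to issue the token for
     * @return the encoded token, or {@code null} if claim building or encoding fails
     */
    @Override // org.apereo.cas.pm.PasswordManagementService
    public String createToken(PasswordManagementQuery passwordManagementQuery) {
        try {
            String prefix = this.casProperties.getServer().getPrefix();
            ResetPasswordManagementProperties reset = this.casProperties.getAuthn().getPm().getReset();
            String username = passwordManagementQuery.getUsername();

            JwtClaims claims = new JwtClaims();
            claims.setJwtId(UUID.randomUUID().toString());
            claims.setIssuer(prefix);
            claims.setAudience(prefix);
            // toMinutes() truncates: a configured expiration shorter than one minute yields a
            // token that is already expired when it is parsed.
            claims.setExpirationTimeMinutesInTheFuture((float) Beans.newDuration(reset.getExpiration()).toMinutes());
            claims.setIssuedAtToNow();

            ClientInfo clientInfo = ClientInfoHolder.getClientInfo();
            if (clientInfo != null) {
                if (reset.isIncludeServerIpAddress()) {
                    claims.setStringClaim(SERVER_IP_CLAIM, clientInfo.getServerIpAddress());
                }
                if (reset.isIncludeClientIpAddress()) {
                    claims.setStringClaim(CLIENT_IP_CLAIM, clientInfo.getClientIpAddress());
                }
            } else if (reset.isIncludeServerIpAddress() || reset.isIncludeClientIpAddress()) {
                // The IP claims are omitted; parseToken will reject such a token while IP
                // binding stays enabled.
                LOGGER.debug("No client information is available; IP address claims are not added to the token");
            }
            claims.setSubject(username);

            LOGGER.debug("Creating password management token for [{}]", username);
            String json = claims.toJson();
            LOGGER.debug("Encoding the generated JSON token...");
            return this.cipherExecutor.encode(json);
        } catch (Exception e) {
            LoggingUtils.error(LOGGER, e);
            return null;
        }
    }

    /**
     * Changes a password, enforcing the password-history policy when a history service is
     * configured: a password already present in the history is refused before the backend is
     * called, and a successfully changed password is recorded afterwards.
     *
     * @param passwordChangeRequest the change request
     * @return {@code true} when the backend change succeeded and, if history is enabled, the
     *         new password was stored; {@code false} otherwise
     * @throws Throwable propagated from the history service or {@link #changeInternal}
     */
    @Override // org.apereo.cas.pm.PasswordManagementService
    @Audit(action = AuditableActions.CHANGE_PASSWORD, actionResolverName = AuditActionResolvers.CHANGE_PASSWORD_ACTION_RESOLVER, resourceResolverName = AuditResourceResolvers.CHANGE_PASSWORD_RESOURCE_RESOLVER)
    public boolean change(PasswordChangeRequest passwordChangeRequest) throws Throwable {
        PasswordHistoryService history = this.passwordHistoryService;
        if (history != null && history.exists(passwordChangeRequest)) {
            LOGGER.debug("Password history policy disallows reusing the password for [{}]", passwordChangeRequest.getUsername());
            return false;
        }
        if (!changeInternal(passwordChangeRequest)) {
            return false;
        }
        if (history == null) {
            return true;
        }
        LOGGER.debug("Password successfully changed; storing used password in history for [{}]...", passwordChangeRequest.getUsername());
        return history.store(passwordChangeRequest);
    }

    /**
     * Performs the backend-specific password change.
     *
     * @param passwordChangeRequest the change request
     * @return {@code true} if the backend accepted the new password
     * @throws Throwable on backend failure
     */
    protected abstract boolean changeInternal(PasswordChangeRequest passwordChangeRequest) throws Throwable;

    /**
     * Creates the service.
     *
     * @param casConfigurationProperties CAS configuration
     * @param cipherExecutor             cipher used to encode and decode reset tokens
     * @param passwordHistoryService     password-history service, or {@code null} to disable history checks
     */
    @Generated
    public BasePasswordManagementService(CasConfigurationProperties casConfigurationProperties, CipherExecutor<Serializable, String> cipherExecutor, PasswordHistoryService passwordHistoryService) {
        this.casProperties = casConfigurationProperties;
        this.cipherExecutor = cipherExecutor;
        this.passwordHistoryService = passwordHistoryService;
    }

    /** @return the CAS configuration */
    @Generated
    public CasConfigurationProperties getCasProperties() {
        return this.casProperties;
    }

    /** @return the cipher executor used for reset tokens */
    @Generated
    public CipherExecutor<Serializable, String> getCipherExecutor() {
        return this.cipherExecutor;
    }

    /** @return the password-history service, possibly {@code null} */
    @Generated
    public PasswordHistoryService getPasswordHistoryService() {
        return this.passwordHistoryService;
    }
}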
