package org.cloudfoundry.identity.uaa.authentication.manager;

import java.util.Calendar;
import java.util.Collections;
import java.util.Locale;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.cloudfoundry.identity.uaa.authentication.AccountNotVerifiedException;
import org.cloudfoundry.identity.uaa.authentication.AuthenticationPolicyRejectionException;
import org.cloudfoundry.identity.uaa.authentication.PasswordExpiredException;
import org.cloudfoundry.identity.uaa.authentication.UaaAuthentication;
import org.cloudfoundry.identity.uaa.authentication.UaaAuthenticationDetails;
import org.cloudfoundry.identity.uaa.authentication.UaaPrincipal;
import org.cloudfoundry.identity.uaa.authentication.event.UnverifiedUserAuthenticationEvent;
import org.cloudfoundry.identity.uaa.authentication.event.UserAuthenticationFailureEvent;
import org.cloudfoundry.identity.uaa.authentication.event.UserAuthenticationSuccessEvent;
import org.cloudfoundry.identity.uaa.authentication.event.UserNotFoundEvent;
import org.cloudfoundry.identity.uaa.constants.OriginKeys;
import org.cloudfoundry.identity.uaa.provider.IdentityProvider;
import org.cloudfoundry.identity.uaa.provider.IdentityProviderProvisioning;
import org.cloudfoundry.identity.uaa.provider.UaaIdentityProviderDefinition;
import org.cloudfoundry.identity.uaa.user.UaaUser;
import org.cloudfoundry.identity.uaa.user.UaaUserDatabase;
import org.cloudfoundry.identity.uaa.util.ObjectUtils;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ApplicationEventPublisherAware;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.security.authentication.event.AuthenticationFailureLockedEvent;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-3.9.0.jar:org/cloudfoundry/identity/uaa/authentication/manager/AuthzAuthenticationManager.class */
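/**
 * {@link AuthenticationManager} that checks username/password credentials against the
 * UAA user database for one configured origin.
 *
 * <p>Order of checks in {@link #authenticate(Authentication)}: credentials present,
 * user exists for the origin, {@link AccountLoginPolicy} allows the attempt, password
 * matches, account verified (subject to {@link #setAllowUnverifiedUsers(boolean)}),
 * password not older than the zone's configured expiry. Every outcome is reported
 * through the {@link ApplicationEventPublisher} when one has been set.
 *
 * <p>All rejections surface as an {@link AuthenticationException}; the message returned
 * for an unknown user and for a wrong password is the same ("Bad credentials").
 */
public class AuthzAuthenticationManager implements AuthenticationManager, ApplicationEventPublisherAware {
    /** Authentication method recorded on a successful password login. */
    private static final String PASSWORD_AUTHENTICATION_METHOD = "pwd";
    /** Input for the placeholder hash used to equalise work on unknown-user lookups. */
    private static final String DUMMY_PASSWORD_SEED = "authz-authentication-manager-placeholder";

    private final Log logger;
    private final PasswordEncoder encoder;
    private final UaaUserDatabase userDatabase;
    private final IdentityProviderProvisioning providerProvisioning;
    private ApplicationEventPublisher eventPublisher;
    private AccountLoginPolicy accountLoginPolicy;
    private String origin;
    private boolean allowUnverifiedUsers;
    // Encoded placeholder password, created on first use; see dummyPasswordHash().
    private volatile String dummyPasswordHash;

    /**
     * Creates a manager that verifies passwords with a default {@link BCryptPasswordEncoder}.
     *
     * @param uaaUserDatabase source of user records for this manager's origin
     * @param identityProviderProvisioning source of the zone's UAA provider password policy
     */
    public AuthzAuthenticationManager(UaaUserDatabase uaaUserDatabase, IdentityProviderProvisioning identityProviderProvisioning) {
        this(uaaUserDatabase, new BCryptPasswordEncoder(), identityProviderProvisioning);
    }

    /**
     * Creates a manager with an explicit password encoder.
     *
     * <p>Defaults: {@link PermitAllAccountLoginPolicy} as login policy and
     * {@code allowUnverifiedUsers = true}.
     *
     * @param uaaUserDatabase source of user records for this manager's origin
     * @param passwordEncoder encoder whose {@code matches} decides password validity
     * @param identityProviderProvisioning source of the zone's UAA provider password policy
     */
    public AuthzAuthenticationManager(UaaUserDatabase uaaUserDatabase, PasswordEncoder passwordEncoder, IdentityProviderProvisioning identityProviderProvisioning) {
        this.logger = LogFactory.getLog(getClass());
        this.accountLoginPolicy = new PermitAllAccountLoginPolicy();
        this.allowUnverifiedUsers = true;
        this.userDatabase = uaaUserDatabase;
        this.encoder = passwordEncoder;
        this.providerProvisioning = identityProviderProvisioning;
    }

    /**
     * Authenticates a username/password request against the user database.
     *
     * @param authentication request whose name is the username and whose credentials
     *                       are the password as a {@link CharSequence}
     * @return a {@link UaaAuthentication} carrying the user's principal and authorities
     * @throws BadCredentialsException if no password is supplied, the user is unknown
     *                                 for this origin, or the password does not match
     * @throws AuthenticationPolicyRejectionException if the {@link AccountLoginPolicy}
     *                                 rejects the attempt
     * @throws AccountNotVerifiedException if the account is not verified and the
     *                                 configuration does not allow unverified logins
     * @throws PasswordExpiredException if the zone's password policy marks the password expired
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        this.logger.debug("Processing authentication request for " + authentication.getName());
        Object credentials = authentication.getCredentials();
        if (credentials == null) {
            BadCredentialsException noPassword = new BadCredentialsException("No password supplied");
            publish(new AuthenticationFailureBadCredentialsEvent(authentication, noPassword));
            throw noPassword;
        }

        UaaUser uaaUser = getUaaUser(authentication);
        if (uaaUser == null) {
            this.logger.debug("No user named '" + authentication.getName() + "' was found for origin:" + this.origin);
            // Perform one encoder comparison against a placeholder hash so that an unknown
            // username costs roughly the same as a wrong password for a known user; without
            // it the response time alone would reveal which usernames exist. Result ignored.
            if (credentials instanceof CharSequence) {
                this.encoder.matches((CharSequence) credentials, dummyPasswordHash());
            }
            publish(new UserNotFoundEvent(authentication));
            throw badCredentials(authentication);
        }

        if (!this.accountLoginPolicy.isAllowed(uaaUser, authentication)) {
            this.logger.warn("Login policy rejected authentication for " + uaaUser.getUsername() + ", " + uaaUser.getId() + ". Ignoring login request.");
            AuthenticationPolicyRejectionException rejected = new AuthenticationPolicyRejectionException("Your account has been locked because of too many failed attempts to login.");
            publish(new AuthenticationFailureLockedEvent(authentication, rejected));
            throw rejected;
        }

        CharSequence password = (CharSequence) credentials;
        // An empty password is rejected outright, without consulting the encoder.
        if (password.length() == 0 || !this.encoder.matches(password, uaaUser.getPassword())) {
            this.logger.debug("Password did not match for user " + authentication.getName());
            publish(new UserAuthenticationFailureEvent(uaaUser, authentication));
            throw badCredentials(authentication);
        }
        this.logger.debug("Password successfully matched for userId[" + uaaUser.getUsername() + "]:" + uaaUser.getId());

        if (!isVerificationSatisfied(uaaUser)) {
            publish(new UnverifiedUserAuthenticationEvent(uaaUser, authentication));
            this.logger.debug("Account not verified: " + uaaUser.getId());
            throw new AccountNotVerifiedException("Account not verified");
        }
        checkPasswordExpiry(uaaUser);

        UaaAuthentication success = new UaaAuthentication(new UaaPrincipal(uaaUser), uaaUser.getAuthorities(), (UaaAuthenticationDetails) authentication.getDetails());
        success.setAuthenticationMethods(Collections.singleton(PASSWORD_AUTHENTICATION_METHOD));
        publish(new UserAuthenticationSuccessEvent(uaaUser, success));
        return success;
    }

    /**
     * Builds the generic "Bad credentials" failure and publishes the matching event.
     * The same message is used for unknown users and wrong passwords on purpose.
     */
    private BadCredentialsException badCredentials(Authentication authentication) {
        BadCredentialsException badCredentials = new BadCredentialsException("Bad credentials");
        publish(new AuthenticationFailureBadCredentialsEvent(authentication, badCredentials));
        return badCredentials;
    }

    /**
     * True when the user's verification state permits login: the account is verified,
     * or unverified logins are allowed and the user is on legacy verification behaviour.
     */
    private boolean isVerificationSatisfied(UaaUser uaaUser) {
        return uaaUser.isVerified() || (this.allowUnverifiedUsers && uaaUser.isLegacyVerificationBehavior());
    }

    /**
     * Throws {@link PasswordExpiredException} when the zone's UAA provider configures a
     * positive expiry in months and the password's last-modified time plus that many
     * months lies in the past. A non-positive expiry disables the check.
     */
    private void checkPasswordExpiry(UaaUser uaaUser) {
        int passwordExpiresInMonths = getPasswordExpiresInMonths();
        if (passwordExpiresInMonths <= 0) {
            return;
        }
        // NOTE(review): getPasswordLastModified() is dereferenced unguarded, as in the
        // original; if it can be null for some users this raises NPE rather than an
        // AuthenticationException — confirm against UaaUser.
        Calendar expiry = Calendar.getInstance();
        expiry.setTimeInMillis(uaaUser.getPasswordLastModified().getTime());
        expiry.add(Calendar.MONTH, passwordExpiresInMonths);
        if (expiry.getTimeInMillis() < System.currentTimeMillis()) {
            throw new PasswordExpiredException("Your current password has expired. Please reset your password.");
        }
    }

    /**
     * Returns the password expiry in months from the current zone's UAA identity
     * provider, or 0 when the provider, its UAA definition or its password policy is absent.
     */
    protected int getPasswordExpiresInMonths() {
        IdentityProvider provider = this.providerProvisioning.retrieveByOrigin(OriginKeys.UAA, IdentityZoneHolder.get().getId());
        if (provider == null) {
            return 0;
        }
        UaaIdentityProviderDefinition definition = (UaaIdentityProviderDefinition) ObjectUtils.castInstance(provider.getConfig(), UaaIdentityProviderDefinition.class);
        if (definition == null || definition.getPasswordPolicy() == null) {
            return 0;
        }
        return definition.getPasswordPolicy().getExpirePasswordInMonths();
    }

    /**
     * Looks up the user by name for this manager's origin; the name is lower-cased with
     * {@link Locale#US} before the query. Returns {@code null} when the database returns
     * nothing or throws {@link UsernameNotFoundException}.
     */
    private UaaUser getUaaUser(Authentication authentication) {
        try {
            return this.userDatabase.retrieveUserByName(authentication.getName().toLowerCase(Locale.US), getOrigin());
        } catch (UsernameNotFoundException e) {
            return null;
        }
    }

    /**
     * Returns the encoded placeholder password used for the unknown-user comparison,
     * encoding it on first use. Concurrent first calls may each encode once; any of
     * the resulting values serves, so no locking is needed.
     */
    private String dummyPasswordHash() {
        String hash = this.dummyPasswordHash;
        if (hash == null) {
            hash = this.encoder.encode(DUMMY_PASSWORD_SEED);
            this.dummyPasswordHash = hash;
        }
        return hash;
    }

    /** Publishes {@code applicationEvent} if a publisher has been injected; otherwise a no-op. */
    private void publish(ApplicationEvent applicationEvent) {
        if (this.eventPublisher != null) {
            this.eventPublisher.publishEvent(applicationEvent);
        }
    }

    @Override
    public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
        this.eventPublisher = applicationEventPublisher;
    }

    /** Returns the policy consulted before the password is checked. */
    public AccountLoginPolicy getAccountLoginPolicy() {
        return this.accountLoginPolicy;
    }

    /** Sets the policy consulted before the password is checked (default permits all). */
    public void setAccountLoginPolicy(AccountLoginPolicy accountLoginPolicy) {
        this.accountLoginPolicy = accountLoginPolicy;
    }

    /** Returns the origin users are looked up under. */
    public String getOrigin() {
        return this.origin;
    }

    /** Sets the origin users are looked up under. */
    public void setOrigin(String origin) {
        this.origin = origin;
    }

    /**
     * Controls whether unverified accounts on legacy verification behaviour may log in.
     * Verified accounts are never affected.
     */
    public void setAllowUnverifiedUsers(boolean allowUnverifiedUsers) {
        this.allowUnverifiedUsers = allowUnverifiedUsers;
    }
}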
