package org.cloudfoundry.identity.uaa.account;

import java.sql.Timestamp;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import org.cloudfoundry.identity.uaa.account.ResetPasswordService;
import org.cloudfoundry.identity.uaa.account.event.PasswordChangeEvent;
import org.cloudfoundry.identity.uaa.account.event.PasswordChangeFailureEvent;
import org.cloudfoundry.identity.uaa.account.event.ResetPasswordRequestEvent;
import org.cloudfoundry.identity.uaa.authentication.InvalidCodeException;
import org.cloudfoundry.identity.uaa.authentication.UaaAuthentication;
import org.cloudfoundry.identity.uaa.authentication.UaaPrincipal;
import org.cloudfoundry.identity.uaa.codestore.ExpiringCode;
import org.cloudfoundry.identity.uaa.codestore.ExpiringCodeStore;
import org.cloudfoundry.identity.uaa.constants.OriginKeys;
import org.cloudfoundry.identity.uaa.error.UaaException;
import org.cloudfoundry.identity.uaa.scim.ScimUser;
import org.cloudfoundry.identity.uaa.scim.ScimUserProvisioning;
import org.cloudfoundry.identity.uaa.scim.endpoints.PasswordChange;
import org.cloudfoundry.identity.uaa.scim.exception.InvalidPasswordException;
import org.cloudfoundry.identity.uaa.scim.validate.PasswordValidator;
import org.cloudfoundry.identity.uaa.user.UaaUser;
import org.cloudfoundry.identity.uaa.util.JsonUtils;
import org.cloudfoundry.identity.uaa.util.UaaUrlUtils;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ApplicationEventPublisherAware;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.NoSuchClientException;
import org.springframework.util.StringUtils;
import org.springframework.web.client.RestClientException;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-3.9.0.jar:org/cloudfoundry/identity/uaa/account/UaaResetPasswordService.class */
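/**
 * Password-reset flow backed by an {@link ExpiringCodeStore}.
 *
 * <p>{@link #forgotPassword} issues a single, time-limited reset code for a UAA-origin user and
 * records the user's id, name and password-last-modified timestamp in the code's payload.
 * {@link #resetPassword} redeems such a code and refuses it if the recorded name or timestamp no
 * longer matches the stored user, so a code cannot be replayed after the password has already
 * been changed, nor used against an account that was renamed in the meantime.
 *
 * <p>Parameter names on the public methods are kept as found in the decompiled listing; see the
 * per-method documentation for their meaning.
 */
public class UaaResetPasswordService implements ResetPasswordService, ApplicationEventPublisherAware {
    /** Lifetime of a reset code, in milliseconds (30 minutes). */
    public static final int PASSWORD_RESET_LIFETIME = 1800000;
    /** Intent under which reset codes are stored; the target user's id is appended. */
    public static final String FORGOT_PASSWORD_INTENT_PREFIX = "forgot_password_for_id:";
    /** Redirect target used whenever no registered client redirect can be honoured. */
    private static final String DEFAULT_REDIRECT = "home";

    private final ScimUserProvisioning scimUserProvisioning;
    private final ExpiringCodeStore expiringCodeStore;
    private final PasswordValidator passwordValidator;
    private final ClientDetailsService clientDetailsService;
    private ApplicationEventPublisher publisher;

    public UaaResetPasswordService(ScimUserProvisioning scimUserProvisioning, ExpiringCodeStore expiringCodeStore, PasswordValidator passwordValidator, ClientDetailsService clientDetailsService) {
        this.scimUserProvisioning = scimUserProvisioning;
        this.expiringCodeStore = expiringCodeStore;
        this.passwordValidator = passwordValidator;
        this.clientDetailsService = clientDetailsService;
    }

    /**
     * Redeems a reset code and sets the user's new password.
     *
     * @param str  the reset code previously issued by {@link #forgotPassword}
     * @param str2 the new password
     * @return the updated user plus the redirect to send the browser to
     * @throws InvalidPasswordException if the password fails policy or equals the current one
     * @throws InvalidCodeException     if the code is unknown, expired or its payload is unreadable
     * @throws UaaException             if the user changed since the code was issued, or on a
     *                                  downstream REST failure
     */
    @Override // org.cloudfoundry.identity.uaa.account.ResetPasswordService
    public ResetPasswordService.ResetPasswordResponse resetPassword(String str, String str2) throws InvalidPasswordException {
        try {
            // Policy is checked before the code is even looked up, so a rejected password
            // never touches the code store.
            this.passwordValidator.validate(str2);
            return changePasswordCodeAuthenticated(str, str2);
        } catch (RestClientException e) {
            // NOTE(review): only the message survives here; the original cause is dropped.
            // Confirm whether UaaException offers a (String, Throwable) constructor upstream.
            throw new UaaException(e.getMessage());
        }
    }

    /**
     * Performs the actual password change once the code has been retrieved and its payload
     * parsed. Every failure after the user has been identified is reported as a
     * {@link PasswordChangeFailureEvent} before being rethrown.
     */
    private ResetPasswordService.ResetPasswordResponse changePasswordCodeAuthenticated(String code, String newPassword) {
        ExpiringCode expiringCode = this.expiringCodeStore.retrieveCode(code);
        if (expiringCode == null) {
            throw invalidCode();
        }
        // NOTE(review): the retrieved code's intent is not compared against
        // FORGOT_PASSWORD_INTENT_PREFIX; any code whose payload deserializes as a PasswordChange
        // is accepted on this path. Confirm the store only yields reset codes here.
        PasswordChange change;
        try {
            change = (PasswordChange) JsonUtils.readValue(expiringCode.getData(), PasswordChange.class);
        } catch (JsonUtils.JsonUtilException e) {
            // An unreadable payload is reported exactly like a missing code.
            throw invalidCode();
        }

        String userId = change.getUserId();
        ScimUser user = this.scimUserProvisioning.retrieve(userId);
        UaaUser uaaUser = getUaaUser(user);
        UaaAuthentication authentication = new UaaAuthentication(new UaaPrincipal(uaaUser), Collections.emptyList(), null);
        try {
            // Replay / staleness guard: the code is bound to the username and the
            // password-modified timestamp captured when it was issued.
            if (isUserModified(user, change.getUsername(), change.getPasswordModifiedTime())) {
                throw new UaaException("Invalid password reset request.");
            }
            if (!user.isVerified()) {
                // Redeeming the code demonstrates control of the delivery channel, so the
                // account is marked verified as a side effect.
                this.scimUserProvisioning.verifyUser(userId, -1);
            }
            if (this.scimUserProvisioning.checkPasswordMatches(userId, newPassword)) {
                throw new InvalidPasswordException("Your new password cannot be the same as the old password.", HttpStatus.UNPROCESSABLE_ENTITY);
            }
            // No old password is supplied: possession of the code is the authorization.
            this.scimUserProvisioning.changePassword(userId, null, newPassword);
            publish(new PasswordChangeEvent("Password changed", uaaUser, authentication));

            String redirect = resolveRedirect(change.getClientId(), change.getRedirectUri());
            return new ResetPasswordService.ResetPasswordResponse(user, redirect, change.getClientId());
        } catch (Exception e) {
            publish(new PasswordChangeFailureEvent(e.getMessage(), uaaUser, authentication));
            throw e;
        }
    }

    /**
     * Chooses the post-reset redirect. Only a URI that matches one registered for the named
     * client is honoured; a missing client id or URI, an unknown client, or no match all fall
     * back to {@value #DEFAULT_REDIRECT}, which keeps the reset flow from acting as an open
     * redirector.
     */
    private String resolveRedirect(String clientId, String redirectUri) {
        if (StringUtils.isEmpty(clientId) || StringUtils.isEmpty(redirectUri)) {
            return DEFAULT_REDIRECT;
        }
        try {
            ClientDetails client = this.clientDetailsService.loadClientByClientId(clientId);
            String match = UaaUrlUtils.findMatchingRedirectUri(
                    client.getRegisteredRedirectUri() == null ? Collections.emptySet() : client.getRegisteredRedirectUri(),
                    redirectUri,
                    null);
            return match != null ? match : DEFAULT_REDIRECT;
        } catch (NoSuchClientException ignored) {
            // Deliberate best-effort fallback: the password change has already been committed,
            // so an unknown client must not turn the whole request into a failure.
            return DEFAULT_REDIRECT;
        }
    }

    /** Builds the exception used for an unknown, expired or unreadable reset code. */
    private static InvalidCodeException invalidCode() {
        return new InvalidCodeException("invalid_code", "Sorry, your reset password link is no longer valid. Please request a new one", 422);
    }

    /**
     * Issues a reset code for a UAA-origin user.
     *
     * @param str  the username to look up
     * @param str2 the client id to record in the code payload (may be empty)
     * @param str3 the redirect URI to record in the code payload (may be empty)
     * @return the user id and the freshly generated code
     * @throws NotFoundException if no user with that name exists in any origin
     * @throws ConflictException if the user exists only in an origin other than UAA, carrying that user's id
     */
    @Override // org.cloudfoundry.identity.uaa.account.ResetPasswordService
    public ForgotPasswordInfo forgotPassword(String str, String str2, String str3) {
        // The username is JSON-quoted before being spliced into the SCIM filter; that quoting is
        // what keeps a crafted username from altering the filter, so it must not be bypassed.
        String quotedUsername = JsonUtils.writeValueAsString(str);
        List<ScimUser> uaaUsers = this.scimUserProvisioning.query("userName eq " + quotedUsername + " and origin eq \"" + OriginKeys.UAA + "\"");
        if (uaaUsers.isEmpty()) {
            // A user that exists only in another origin has no UAA password to reset.
            List<ScimUser> anyOrigin = this.scimUserProvisioning.query("userName eq " + quotedUsername);
            if (anyOrigin.isEmpty()) {
                throw new NotFoundException();
            }
            throw new ConflictException(anyOrigin.get(0).getId());
        }
        ScimUser user = uaaUsers.get(0);
        PasswordChange change = new PasswordChange(user.getId(), user.getUserName(), user.getPasswordLastModified(), str2, str3);
        String intent = FORGOT_PASSWORD_INTENT_PREFIX + user.getId();
        // One outstanding code per user: issuing a new one revokes any earlier ones.
        this.expiringCodeStore.expireByIntent(intent);
        ExpiringCode generated = this.expiringCodeStore.generateCode(
                JsonUtils.writeValueAsString(change),
                new Timestamp(System.currentTimeMillis() + PASSWORD_RESET_LIFETIME),
                intent);
        publish(new ResetPasswordRequestEvent(str, generated.getCode(), SecurityContextHolder.getContext().getAuthentication()));
        return new ForgotPasswordInfo(user.getId(), generated);
    }

    /**
     * True if the user no longer matches what the reset code recorded: the username differs,
     * or the password-last-modified timestamp differs. A code that recorded a timestamp for a
     * user who now has none is also treated as modified (fail closed) instead of dereferencing
     * null.
     *
     * @param scimUser              the user as currently stored
     * @param codeUsername          the username captured in the code, or null to skip that check
     * @param codePasswordModified  the timestamp captured in the code, or null to skip that check
     */
    private boolean isUserModified(ScimUser scimUser, String codeUsername, Date codePasswordModified) {
        if (codeUsername != null && !codeUsername.equals(scimUser.getUserName())) {
            return true;
        }
        if (codePasswordModified != null) {
            Date current = scimUser.getPasswordLastModified();
            return current == null || current.getTime() != codePasswordModified.getTime();
        }
        return false;
    }

    /**
     * Adapts a {@link ScimUser} to the {@link UaaUser} shape needed for the principal and the
     * audit events. The password slot is filled with the placeholder "N/A" and created/modified
     * are set to "now"; only the identity fields are meaningful to the consumers here.
     */
    private UaaUser getUaaUser(ScimUser scimUser) {
        Date now = new Date();
        return new UaaUser(scimUser.getId(), scimUser.getUserName(), "N/A", scimUser.getPrimaryEmail(), null, scimUser.getGivenName(), scimUser.getFamilyName(), now, now, scimUser.getOrigin(), scimUser.getExternalId(), scimUser.isVerified(), scimUser.getZoneId(), scimUser.getSalt(), scimUser.getPasswordLastModified());
    }

    @Override // org.springframework.context.ApplicationEventPublisherAware
    public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
        this.publisher = applicationEventPublisher;
    }

    /** Publishes an event if a publisher has been wired; silently no-ops otherwise. */
    protected void publish(ApplicationEvent applicationEvent) {
        if (this.publisher != null) {
            this.publisher.publishEvent(applicationEvent);
        }
    }
}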
