package org.cloudfoundry.identity.uaa.account;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.cloudfoundry.identity.uaa.resources.ActionResult;
import org.cloudfoundry.identity.uaa.scim.ScimUserProvisioning;
import org.cloudfoundry.identity.uaa.scim.exception.InvalidPasswordException;
import org.cloudfoundry.identity.uaa.scim.exception.ScimException;
import org.cloudfoundry.identity.uaa.scim.exception.ScimResourceNotFoundException;
import org.cloudfoundry.identity.uaa.scim.validate.NullPasswordValidator;
import org.cloudfoundry.identity.uaa.scim.validate.PasswordValidator;
import org.cloudfoundry.identity.uaa.security.DefaultSecurityContextAccessor;
import org.cloudfoundry.identity.uaa.security.SecurityContextAccessor;
import org.cloudfoundry.identity.uaa.web.ConvertingExceptionView;
import org.cloudfoundry.identity.uaa.web.ExceptionReport;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.stereotype.Controller;
import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.servlet.View;

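/**
 * Endpoint for changing a SCIM user's password ({@code PUT /Users/{userId}/password}).
 *
 * <p>The flow is: decide whether the caller may change this user's password
 * (see {@link #checkPasswordChangeIsAllowed}), reject a new password that equals
 * the current one, run the configured {@link PasswordValidator}, then delegate the
 * actual change to {@link ScimUserProvisioning#changePassword}. All SCIM-level
 * failures are translated to a generic "Invalid password change request"
 * response so the body does not reveal why the request was refused.
 *
 * <p>Collaborators are injected through setters; by default the validator accepts
 * every password ({@link NullPasswordValidator}) and the security context is read
 * through {@link DefaultSecurityContextAccessor}.
 */
/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.5.6.jar:org/cloudfoundry/identity/uaa/account/PasswordChangeEndpoint.class */
@Controller
public class PasswordChangeEndpoint {
    private ScimUserProvisioning dao;
    private final Log logger = LogFactory.getLog(getClass());
    private PasswordValidator passwordValidator = new NullPasswordValidator();
    private SecurityContextAccessor securityContextAccessor = new DefaultSecurityContextAccessor();
    // Default converters are those a plain RestTemplate registers; typed array avoids the raw cast.
    private HttpMessageConverter<?>[] messageConverters =
            new RestTemplate().getMessageConverters().toArray(new HttpMessageConverter<?>[0]);

    /** @param scimUserProvisioning store used to compare and change passwords */
    public void setScimUserProvisioning(ScimUserProvisioning scimUserProvisioning) {
        this.dao = scimUserProvisioning;
    }

    /** @param passwordValidator policy applied to the new password before it is stored */
    public void setPasswordValidator(PasswordValidator passwordValidator) {
        this.passwordValidator = passwordValidator;
    }

    /** @param httpMessageConverterArr converters used to render error responses */
    public void setMessageConverters(HttpMessageConverter<?>[] httpMessageConverterArr) {
        this.messageConverters = httpMessageConverterArr;
    }

    /** Package-private so tests can substitute the security context. */
    void setSecurityContextAccessor(SecurityContextAccessor securityContextAccessor) {
        this.securityContextAccessor = securityContextAccessor;
    }

    /**
     * Changes the password of the user identified by the {@code userId} path variable.
     *
     * <p>The path variable is named explicitly: binding by parameter name only works
     * when the class is compiled with {@code -parameters}, and the placeholder in
     * the mapping is {@code {userId}}, so an implicit binding would not resolve.
     *
     * @param userId                id of the user whose password is being changed
     * @param passwordChangeRequest body carrying the old (optional for admins/clients)
     *                              and new password
     * @return an "ok" result once the password has been updated
     * @throws InvalidPasswordException if the caller is not permitted to change this
     *                                  password, the new password equals the current
     *                                  one, or the validator rejects it
     */
    @RequestMapping(value = {"/Users/{userId}/password"}, method = {RequestMethod.PUT})
    @ResponseBody
    public ActionResult changePassword(@PathVariable("userId") String userId,
                                       @RequestBody PasswordChangeRequest passwordChangeRequest) {
        String oldPassword = passwordChangeRequest.getOldPassword();
        String newPassword = passwordChangeRequest.getPassword();

        checkPasswordChangeIsAllowed(userId, oldPassword);

        String zoneId = IdentityZoneHolder.get().getId();
        // NOTE(review): this comparison runs before the old password is verified by
        // dao.changePassword, so the 422 below tells any caller that passes
        // checkPasswordChangeIsAllowed whether `newPassword` equals the current one.
        // Consider verifying the old password first where one is required.
        if (this.dao.checkPasswordMatches(userId, newPassword, zoneId)) {
            throw new InvalidPasswordException("Your new password cannot be the same as the old password.", HttpStatus.UNPROCESSABLE_ENTITY);
        }
        this.passwordValidator.validate(newPassword);
        this.dao.changePassword(userId, oldPassword, newPassword, zoneId);
        return new ActionResult("ok", "password updated");
    }

    /**
     * Maps an unknown user id to 401 with a generic message rather than 404, so the
     * response does not confirm whether the user id exists.
     */
    @ExceptionHandler
    public View handleException(ScimResourceNotFoundException scimResourceNotFoundException) {
        return makeConvertingExceptionView(new BadCredentialsException("Invalid password change request"), HttpStatus.UNAUTHORIZED);
    }

    /**
     * Maps any other SCIM failure to the exception's own status while replacing the
     * message with a generic one.
     */
    @ExceptionHandler({ScimException.class})
    public View handleException(ScimException scimException) {
        return makeConvertingExceptionView(new BadCredentialsException("Invalid password change request"), scimException.getStatus());
    }

    /**
     * Password-policy failures are reported as-is: their message is meant for the
     * caller (e.g. which rule the new password violated).
     */
    @ExceptionHandler({InvalidPasswordException.class})
    public View handleException(InvalidPasswordException invalidPasswordException) throws ScimException {
        return makeConvertingExceptionView(invalidPasswordException, invalidPasswordException.getStatus());
    }

    /**
     * Wraps {@code exc} in an {@link ExceptionReport} (without stack trace) and renders
     * it with the configured converters under the given status.
     */
    private ConvertingExceptionView makeConvertingExceptionView(Exception exc, HttpStatus httpStatus) {
        ResponseEntity<ExceptionReport> response =
                new ResponseEntity<>(new ExceptionReport(exc, false), httpStatus);
        return new ConvertingExceptionView(response, this.messageConverters);
    }

    /**
     * Decides whether the current caller may change {@code targetUserId}'s password.
     *
     * <ul>
     *   <li>A client (no user principal) may change any password without the old one.</li>
     *   <li>An admin may change any other user's password without the old one, but must
     *       supply it when changing their own.</li>
     *   <li>Any other user may only change their own password and must supply the old one.</li>
     * </ul>
     *
     * @param targetUserId id from the request path
     * @param oldPassword  old password from the request body; may be null or blank
     * @throws InvalidPasswordException if the change is not permitted or the old
     *                                  password is required but missing
     */
    private void checkPasswordChangeIsAllowed(String targetUserId, String oldPassword) {
        if (this.securityContextAccessor.isClient()) {
            return;
        }
        String callerId = this.securityContextAccessor.getUserId();
        boolean hasOldPassword = StringUtils.hasText(oldPassword);
        boolean isSelf = targetUserId.equals(callerId);

        if (this.securityContextAccessor.isAdmin()) {
            if (isSelf && !hasOldPassword) {
                throw new InvalidPasswordException("Previous password is required even for admin");
            }
            return;
        }
        if (!isSelf) {
            // Log only identifiers, never the supplied passwords.
            this.logger.warn("User with id " + callerId + " attempting to change password for user " + targetUserId);
            throw new InvalidPasswordException("Not permitted to change another user's password");
        }
        if (!hasOldPassword) {
            throw new InvalidPasswordException("Previous password is required");
        }
    }
}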
