package org.codehaus.plexus.redback.policy;

import java.util.ArrayList;
import java.util.Calendar;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import javax.annotation.Resource;
import org.codehaus.plexus.PlexusContainer;
import org.codehaus.plexus.component.repository.exception.ComponentLookupException;
import org.codehaus.plexus.context.Context;
import org.codehaus.plexus.context.ContextException;
import org.codehaus.plexus.personality.plexus.lifecycle.phase.Contextualizable;
import org.codehaus.plexus.personality.plexus.lifecycle.phase.Initializable;
import org.codehaus.plexus.personality.plexus.lifecycle.phase.InitializationException;
import org.codehaus.plexus.redback.configuration.UserConfiguration;
import org.codehaus.plexus.redback.policy.rules.MustHavePasswordRule;
import org.codehaus.plexus.redback.users.User;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Service;

@Service("userSecurityPolicy")
/* loaded from: input_file:org/codehaus/plexus/redback/policy/DefaultUserSecurityPolicy.class */
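/**
 * Default {@link UserSecurityPolicy}: reads its numeric limits from {@link UserConfiguration},
 * resolves the password encoder and the set of {@link PasswordRule}s from the Plexus container,
 * and applies password expiry, failed-login lockout, password-history retention and rule
 * validation to {@link User} instances.
 *
 * <p>Policy enablement is tracked per thread via {@link PolicyContext}, not per instance.
 */
public class DefaultUserSecurityPolicy implements UserSecurityPolicy, Initializable, Contextualizable {
    /** Config key: how many previous encoded passwords to retain (current one included). */
    public static final String PASSWORD_RETENTION_COUNT = "security.policy.password.previous.count";
    /** Config key: number of consecutive failed logins before the account is locked. */
    public static final String LOGIN_ATTEMPT_COUNT = "security.policy.allowed.login.attempt";
    /** Config key: whether password expiry is enforced at all. */
    public static final String PASSWORD_EXPIRATION_ENABLED = "security.policy.password.expiration.enabled";
    /** Config key: password lifetime in days, counted from the last password change. */
    public static final String PASSWORD_EXPIRATION = "security.policy.password.expiration.days";
    /** Config key: Plexus role-hint of the {@link PasswordEncoder} to use (optional). */
    public static final String PASSWORD_ENCODER = "security.policy.password.encoder";
    /** Config key: usernames exempt from lockout and password expiry. */
    public static final String UNLOCKABLE_ACCOUNTS = "security.policy.unlockable.accounts";

    private PlexusContainer plexus;

    @Resource(name = "userConfiguration")
    private UserConfiguration config;

    // Default encoder; replaced in configureEncoder() when PASSWORD_ENCODER is configured.
    @Resource(name = "passwordEncoder#sha256")
    private PasswordEncoder passwordEncoder;

    @Resource(name = "userValidationSettings")
    private UserValidationSettings userValidationSettings;

    @Resource(name = "cookieSettings#rememberMe")
    private CookieSettings rememberMeCookieSettings;

    @Resource(name = "cookieSettings#signon")
    private CookieSettings signonCookieSettings;

    private int previousPasswordsCount;
    private int loginAttemptCount;
    private int passwordExpirationDays;
    private boolean passwordExpirationEnabled;
    private List<String> unlockableAccounts;

    // Key under which the per-thread enabled flag is stored in PolicyContext.
    private static final String ENABLEMENT_KEY = ROLE + ":ENABLED";
    private static final Logger log = LoggerFactory.getLogger(DefaultUserSecurityPolicy.class);

    // Installed only when the container provides no PasswordRule components at all.
    private PasswordRule defaultPasswordRule = new MustHavePasswordRule();
    private List<PasswordRule> rules = new ArrayList<>();

    /**
     * Reads the policy settings, resolves the encoder and loads the password rules.
     *
     * @throws InitializationException if a container lookup fails
     */
    @Override
    public void initialize() throws InitializationException {
        configurePolicy();
        configureEncoder();
        try {
            List<PasswordRule> found = this.plexus.lookupList(PasswordRule.ROLE);
            this.rules = (found != null) ? found : new ArrayList<>();
            // Never run with zero rules: at minimum a password must be present.
            if (this.rules.isEmpty()) {
                addPasswordRule(this.defaultPasswordRule);
            }
        } catch (ComponentLookupException e) {
            throw new InitializationException(e.getMessage(), e);
        }
    }

    /**
     * Captures the Plexus container for later component lookups.
     *
     * @param context the Plexus lifecycle context
     * @throws ContextException if the container entry is missing
     */
    @Override
    public void contextualize(Context context) throws ContextException {
        this.plexus = (PlexusContainer) context.get("plexus");
    }

    /**
     * Replaces the injected encoder with the one named by {@link #PASSWORD_ENCODER}, if set.
     *
     * @throws InitializationException if the configured encoder cannot be looked up
     */
    private void configureEncoder() throws InitializationException {
        String encoderHint = this.config.getString(PASSWORD_ENCODER);
        if (encoderHint == null) {
            return;
        }
        try {
            this.passwordEncoder = (PasswordEncoder) this.plexus.lookup(PasswordEncoder.ROLE, encoderHint);
        } catch (ComponentLookupException e) {
            throw new InitializationException("Unable to lookup password encoder.", e);
        }
    }

    /** Copies the numeric/boolean/list limits from the user configuration into fields. */
    private void configurePolicy() {
        this.previousPasswordsCount = this.config.getInt(PASSWORD_RETENTION_COUNT);
        this.loginAttemptCount = this.config.getInt(LOGIN_ATTEMPT_COUNT);
        this.passwordExpirationEnabled = this.config.getBoolean(PASSWORD_EXPIRATION_ENABLED);
        this.passwordExpirationDays = this.config.getInt(PASSWORD_EXPIRATION);
        this.unlockableAccounts = this.config.getList(UNLOCKABLE_ACCOUNTS);
    }

    /** @return the human-readable policy identifier */
    @Override
    public String getId() {
        return "Default User Security Policy";
    }

    /** @return number of encoded passwords retained in the user's history */
    @Override
    public int getPreviousPasswordsCount() {
        return this.previousPasswordsCount;
    }

    /**
     * @return the live (mutable) list of usernames exempt from lockout and expiry; never null
     */
    @Override
    public List<String> getUnlockableAccounts() {
        if (this.unlockableAccounts == null) {
            this.unlockableAccounts = new ArrayList<>();
        }
        return this.unlockableAccounts;
    }

    /** @param list usernames exempt from lockout and expiry (may be null) */
    @Override
    public void setUnlockableAccounts(List<String> list) {
        this.unlockableAccounts = list;
    }

    /** @param i number of encoded passwords to retain, current one included */
    @Override
    public void setPreviousPasswordsCount(int i) {
        this.previousPasswordsCount = i;
    }

    /** @return failed-login threshold at which an account is locked */
    @Override
    public int getLoginAttemptCount() {
        return this.loginAttemptCount;
    }

    /** @param i failed-login threshold at which an account is locked */
    @Override
    public void setLoginAttemptCount(int i) {
        this.loginAttemptCount = i;
    }

    /** @return the encoder used for new passwords */
    @Override
    public PasswordEncoder getPasswordEncoder() {
        return this.passwordEncoder;
    }

    /**
     * @return whether password-rule validation is enabled for the current thread; absent flag means enabled
     */
    @Override
    public boolean isEnabled() {
        Boolean enabled = (Boolean) PolicyContext.getContext().get(ENABLEMENT_KEY);
        return enabled == null || enabled.booleanValue();
    }

    /** @param z enables or disables password-rule validation for the current thread */
    @Override
    public void setEnabled(boolean z) {
        PolicyContext.getContext().put(ENABLEMENT_KEY, Boolean.valueOf(z));
    }

    /**
     * Registers a rule and binds it to this policy.
     *
     * @param passwordRule the rule to add
     */
    @Override
    public void addPasswordRule(PasswordRule passwordRule) {
        passwordRule.setUserSecurityPolicy(this);
        this.rules.add(passwordRule);
    }

    /** @return the live (mutable) list of registered rules */
    @Override
    public List<PasswordRule> getPasswordRules() {
        return this.rules;
    }

    /**
     * Replaces all registered rules; a null argument clears them.
     *
     * @param list the new rule set, or null
     */
    @Override
    public void setPasswordRules(List<PasswordRule> list) {
        this.rules.clear();
        if (list == null) {
            return;
        }
        for (PasswordRule rule : list) {
            addPasswordRule(rule);
        }
    }

    /**
     * Forces a password change when the user's password is older than the configured lifetime.
     *
     * @param user the authenticating user
     * @throws MustChangePasswordException if the password has expired; the user is flagged
     *         {@code passwordChangeRequired} before the exception is thrown
     */
    @Override
    public void extensionPasswordExpiration(User user) throws MustChangePasswordException {
        if (!this.passwordExpirationEnabled || getUnlockableAccounts().contains(user.getUsername())) {
            return;
        }
        // NOTE(review): a null getLastPasswordChange() makes setTime() throw NPE — confirm whether
        // callers guarantee it is set, or whether such users should be treated as expired.
        Calendar expiry = Calendar.getInstance();
        expiry.setTime(user.getLastPasswordChange());
        expiry.add(Calendar.DAY_OF_MONTH, this.passwordExpirationDays);
        if (Calendar.getInstance().after(expiry)) {
            log.info("User '{}' flagged for password expiry (expired on: {})", user.getUsername(), expiry);
            user.setPasswordChangeRequired(true);
            throw new MustChangePasswordException("Password Expired, You must change your password.", user);
        }
    }

    /**
     * Records one more failed login and locks the account once the threshold is reached.
     *
     * @param user the user whose login failed
     * @throws AccountLockedException if the failure count reaches {@link #getLoginAttemptCount()};
     *         the user is marked locked before the exception is thrown
     */
    @Override
    public void extensionExcessiveLoginAttempts(User user) throws AccountLockedException {
        if (getUnlockableAccounts().contains(user.getUsername())) {
            return;
        }
        int failedAttempts = user.getCountFailedLoginAttempts() + 1;
        user.setCountFailedLoginAttempts(failedAttempts);
        // A threshold <= 0 locks on the first failure; the config layer is assumed to validate it.
        if (failedAttempts >= this.loginAttemptCount) {
            log.info("User '{}' locked due to excessive login attempts: {}", user.getUsername(), failedAttempts);
            user.setLocked(true);
            throw new AccountLockedException("Account " + user.getUsername() + " is locked.", user);
        }
    }

    /**
     * Validates and applies a new password without flagging a further change as required.
     *
     * @param user the user carrying the new clear-text password
     * @throws PasswordRuleViolationException if any enabled rule rejects the password
     */
    @Override
    public void extensionChangePassword(User user) throws PasswordRuleViolationException {
        extensionChangePassword(user, false);
    }

    /**
     * Validates the clear-text password, stores its encoded form, clears the clear-text value,
     * rotates the password history and stamps the change time.
     *
     * @param user the user carrying the new clear-text password
     * @param z whether the user must change the password again on next login
     * @throws PasswordRuleViolationException if any enabled rule rejects the password
     */
    @Override
    public void extensionChangePassword(User user, boolean z) throws PasswordRuleViolationException {
        validatePassword(user);
        user.setEncodedPassword(this.passwordEncoder.encodePassword(user.getPassword()));
        // Drop the clear-text password as soon as the encoded form exists.
        user.setPassword((String) null);
        user.setPreviousEncodedPasswords(rotateHistory(user));
        user.setPasswordChangeRequired(z);
        user.setLastPasswordChange(new Date());
    }

    /**
     * Builds the new password history: the freshly encoded password first, followed by at most
     * {@code previousPasswordsCount - 1} of the older entries.
     *
     * <p>The retain count is clamped at zero so that a retention setting of 0 keeps only the
     * current password instead of failing on a negative {@code subList} bound.
     *
     * @param user the user whose history is being rotated; its encoded password must already be set
     * @return the new history list, never null
     */
    private List<String> rotateHistory(User user) {
        List<String> history = new ArrayList<>();
        history.add(user.getEncodedPassword());
        List<String> previous = user.getPreviousEncodedPasswords();
        if (previous != null && !previous.isEmpty()) {
            int retain = Math.max(0, Math.min(this.previousPasswordsCount - 1, previous.size()));
            history.addAll(previous.subList(0, retain));
        }
        return history;
    }

    /**
     * Runs every enabled rule against the user's clear-text password while the policy is enabled
     * for the current thread, then normalises a null password to the empty string.
     *
     * @param user the user to validate
     * @throws PasswordRuleViolationException carrying all collected violations, if any
     */
    @Override
    public void validatePassword(User user) throws PasswordRuleViolationException {
        if (isEnabled()) {
            PasswordRuleViolations violations = new PasswordRuleViolations();
            for (PasswordRule rule : this.rules) {
                if (!rule.isEnabled()) {
                    continue;
                }
                if (rule.requiresSecurityPolicy()) {
                    rule.setUserSecurityPolicy(this);
                }
                rule.testPassword(violations, user);
            }
            if (violations.hasViolations()) {
                PasswordRuleViolationException failure = new PasswordRuleViolationException();
                failure.setViolations(violations);
                throw failure;
            }
        }
        if (user.getPassword() == null) {
            user.setPassword("");
        }
    }

    /** @return password lifetime in days */
    @Override
    public int getPasswordExpirationDays() {
        return this.passwordExpirationDays;
    }

    /** @param i password lifetime in days */
    @Override
    public void setPasswordExpirationDays(int i) {
        this.passwordExpirationDays = i;
    }

    /** @return the user validation settings */
    @Override
    public UserValidationSettings getUserValidationSettings() {
        return this.userValidationSettings;
    }

    /** @param userValidationSettings the user validation settings */
    @Override
    public void setUserValidationSettings(UserValidationSettings userValidationSettings) {
        this.userValidationSettings = userValidationSettings;
    }

    /** @return cookie settings for the remember-me cookie */
    @Override
    public CookieSettings getRememberMeCookieSettings() {
        return this.rememberMeCookieSettings;
    }

    /** @return cookie settings for the single-sign-on cookie */
    @Override
    public CookieSettings getSignonCookieSettings() {
        return this.signonCookieSettings;
    }
}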
