package pl.edu.icm.unity.composite.password;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Properties;
import java.util.concurrent.ForkJoinPool;
import org.apache.commons.io.FileUtils;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.ObjectFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.JsonUtil;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.authn.AbstractCredentialVerificatorFactory;
import pl.edu.icm.unity.engine.api.authn.AbstractVerificator;
import pl.edu.icm.unity.engine.api.authn.AuthenticatedEntity;
import pl.edu.icm.unity.engine.api.authn.AuthenticationException;
import pl.edu.icm.unity.engine.api.authn.AuthenticationResult;
import pl.edu.icm.unity.engine.api.authn.AuthenticationSubject;
import pl.edu.icm.unity.engine.api.authn.CredentialReset;
import pl.edu.icm.unity.engine.api.authn.CredentialVerificator;
import pl.edu.icm.unity.engine.api.authn.CredentialVerificatorFactory;
import pl.edu.icm.unity.engine.api.authn.EntityWithCredential;
import pl.edu.icm.unity.engine.api.authn.local.CredentialHelper;
import pl.edu.icm.unity.engine.api.authn.local.LocalCredentialVerificator;
import pl.edu.icm.unity.engine.api.authn.local.LocalCredentialVerificatorFactory;
import pl.edu.icm.unity.engine.api.authn.remote.SandboxAuthnResultCallback;
import pl.edu.icm.unity.engine.api.notification.NotificationProducer;
import pl.edu.icm.unity.engine.api.utils.PrototypeComponent;
import pl.edu.icm.unity.exceptions.InternalException;
import pl.edu.icm.unity.ldap.client.LdapPasswordVerificator;
import pl.edu.icm.unity.pam.PAMVerificator;
import pl.edu.icm.unity.stdext.credential.NoCredentialResetImpl;
import pl.edu.icm.unity.stdext.credential.pass.PasswordCredential;
import pl.edu.icm.unity.stdext.credential.pass.PasswordEncodingPoolProvider;
import pl.edu.icm.unity.stdext.credential.pass.PasswordEngine;
import pl.edu.icm.unity.stdext.credential.pass.PasswordExchange;
import pl.edu.icm.unity.stdext.credential.pass.PasswordVerificator;
import pl.edu.icm.unity.types.authn.CredentialDefinition;

@PrototypeComponent
/* loaded from: input_file:pl/edu/icm/unity/composite/password/CompositePasswordVerificator.class */
public class CompositePasswordVerificator extends AbstractVerificator implements PasswordExchange {
    private static final Logger log = Log.getLogger("unity.server", CompositePasswordVerificator.class);
    public static final String NAME = "composite-password";
    public static final String DESC = "Verifies local or remote password";
    private Map<String, CredentialVerificatorFactory> credentialVerificatorFactories;
    private CredentialHelper credentialHelper;
    private List<LocalCredentialVerificator> localVerificators;
    private List<CredentialVerificator> remoteVerificators;
    private CompositePasswordProperties compositePasswordProperties;
    private NotificationProducer notificationProducer;
    private PasswordEngine passwordEngine;

    @Component
    /* loaded from: input_file:pl/edu/icm/unity/composite/password/CompositePasswordVerificator$Factory.class */
    public static class Factory extends AbstractCredentialVerificatorFactory {
        @Autowired
        public Factory(ObjectFactory<CompositePasswordVerificator> objectFactory) {
            super(CompositePasswordVerificator.NAME, CompositePasswordVerificator.DESC, objectFactory);
        }
    }

    @Autowired
    public CompositePasswordVerificator(PasswordVerificator.Factory factory, PAMVerificator.Factory factory2, LdapPasswordVerificator.Factory factory3, CredentialHelper credentialHelper, NotificationProducer notificationProducer, Optional<PasswordEncodingPoolProvider> optional) {
        super(NAME, DESC, "password exchange");
        this.credentialHelper = credentialHelper;
        this.notificationProducer = notificationProducer;
        this.credentialVerificatorFactories = new HashMap();
        this.credentialVerificatorFactories.put("password", factory);
        this.credentialVerificatorFactories.put("pam", factory2);
        this.credentialVerificatorFactories.put("ldap", factory3);
        this.localVerificators = new ArrayList();
        this.remoteVerificators = new ArrayList();
        this.passwordEngine = new PasswordEngine((ForkJoinPool) optional.map(passwordEncodingPoolProvider -> {
            return passwordEncodingPoolProvider.pool;
        }).orElse(ForkJoinPool.commonPool()));
    }

    public String getSerializedConfiguration() {
        StringWriter stringWriter = new StringWriter();
        try {
            this.compositePasswordProperties.getProperties().store(stringWriter, "");
            return stringWriter.toString();
        } catch (IOException e) {
            throw new InternalException("Can't serialize composite-password verificator configuration", e);
        }
    }

    private LocalCredentialVerificator getLocalVerificator(CredentialVerificator credentialVerificator, String str) {
        Optional<CredentialDefinition> credentialDefinition = CompositePasswordHelper.getCredentialDefinition(this.credentialHelper, str);
        if (!credentialDefinition.isPresent()) {
            throw new InternalException("Invalid configuration of the verificator, local credential " + str + " is undefined");
        }
        credentialVerificator.setSerializedConfiguration(credentialDefinition.get().getConfiguration());
        credentialVerificator.setIdentityResolver(this.identityResolver);
        LocalCredentialVerificator localCredentialVerificator = (LocalCredentialVerificator) credentialVerificator;
        localCredentialVerificator.setCredentialName(str);
        return localCredentialVerificator;
    }

    public void setSerializedConfiguration(String str) {
        this.localVerificators.clear();
        this.remoteVerificators.clear();
        Properties properties = new Properties();
        try {
            properties.load(new StringReader(str));
            this.compositePasswordProperties = new CompositePasswordProperties(properties);
            for (String str2 : this.compositePasswordProperties.getStructuredListKeys(CompositePasswordProperties.VERIFICATORS)) {
                CredentialVerificatorFactory credentialVerificatorFactory = this.credentialVerificatorFactories.get(this.compositePasswordProperties.getValue(str2 + CompositePasswordProperties.VERIFICATOR_TYPE));
                CredentialVerificator newInstance = credentialVerificatorFactory.newInstance();
                newInstance.setIdentityResolver(this.identityResolver);
                newInstance.setInstanceName(NAME);
                if (credentialVerificatorFactory instanceof LocalCredentialVerificatorFactory) {
                    this.localVerificators.add(getLocalVerificator(newInstance, this.compositePasswordProperties.getValue(str2 + CompositePasswordProperties.VERIFICATOR_CREDENTIAL)));
                } else {
                    newInstance.setSerializedConfiguration(getRemoteAuthenticatorConfig(str2));
                    this.remoteVerificators.add(newInstance);
                }
            }
        } catch (IOException e) {
            throw new InternalException("Invalid configuration of the composite-password verificator", e);
        }
    }

    private String getRemoteAuthenticatorConfig(String str) {
        if (!this.compositePasswordProperties.isSet(str + CompositePasswordProperties.VERIFICATOR_CONFIG_EMBEDDED) && !this.compositePasswordProperties.isSet(str + CompositePasswordProperties.VERIFICATOR_CONFIG)) {
            throw new InternalException("Misconfigured composite-password verificator, remote verificator has no defined configuration");
        }
        if (!this.compositePasswordProperties.isSet(str + CompositePasswordProperties.VERIFICATOR_CONFIG)) {
            return this.compositePasswordProperties.getValue(str + CompositePasswordProperties.VERIFICATOR_CONFIG_EMBEDDED);
        }
        try {
            return FileUtils.readFileToString(this.compositePasswordProperties.getFileValue(str + CompositePasswordProperties.VERIFICATOR_CONFIG, false), StandardCharsets.UTF_8);
        } catch (IOException e) {
            throw new InternalException("Misconfigured composite-password verificator composite-password, remote verificator config file is not available", e);
        }
    }

    public AuthenticationResult checkPassword(String str, String str2, SandboxAuthnResultCallback sandboxAuthnResultCallback) throws AuthenticationException {
        Optional<EntityWithCredential> localEntity = CompositePasswordHelper.getLocalEntity(this.identityResolver, AuthenticationSubject.identityBased(str));
        if (localEntity.isPresent()) {
            Iterator<LocalCredentialVerificator> it = this.localVerificators.iterator();
            while (it.hasNext()) {
                PasswordExchange passwordExchange = (LocalCredentialVerificator) it.next();
                if (CompositePasswordHelper.checkIfUserHasCredential(passwordExchange, localEntity.get().getEntityId())) {
                    log.debug("Checking >{}< password using verificator with local credential >{}<", str, passwordExchange.getCredentialName());
                    return passwordExchange.checkPassword(str, str2, sandboxAuthnResultCallback);
                }
            }
        }
        Iterator<CredentialVerificator> it2 = this.remoteVerificators.iterator();
        while (it2.hasNext()) {
            PasswordExchange passwordExchange2 = (CredentialVerificator) it2.next();
            log.debug("Checking >{}< password using remote verificator >{}<", str, passwordExchange2.getName());
            AuthenticationResult checkPassword = passwordExchange2.checkPassword(str, str2, sandboxAuthnResultCallback);
            if (!checkPassword.getStatus().equals(AuthenticationResult.Status.deny) && !checkPassword.getStatus().equals(AuthenticationResult.Status.notApplicable)) {
                return checkPassword;
            }
        }
        log.debug("Password provided by {} is invalid", str);
        return new AuthenticationResult(AuthenticationResult.Status.deny, (AuthenticatedEntity) null);
    }

    private List<LocalCredentialVerificator> getVerificatorsWithCredentialResetSupport() {
        ArrayList arrayList = new ArrayList();
        for (LocalCredentialVerificator localCredentialVerificator : this.localVerificators) {
            Optional<CredentialDefinition> credentialDefinition = CompositePasswordHelper.getCredentialDefinition(this.credentialHelper, localCredentialVerificator.getCredentialName());
            if (credentialDefinition.isPresent()) {
                PasswordCredential passwordCredential = new PasswordCredential();
                passwordCredential.setSerializedConfiguration(JsonUtil.parse(credentialDefinition.get().getConfiguration()));
                if (passwordCredential.getPasswordResetSettings().isEnabled()) {
                    arrayList.add(localCredentialVerificator);
                }
            }
        }
        return arrayList;
    }

    public CredentialReset getCredentialResetBackend() {
        List<LocalCredentialVerificator> verificatorsWithCredentialResetSupport = getVerificatorsWithCredentialResetSupport();
        return verificatorsWithCredentialResetSupport.isEmpty() ? new NoCredentialResetImpl() : new CompositePasswordResetImpl(this.credentialHelper, verificatorsWithCredentialResetSupport, this.identityResolver, this.notificationProducer, this.passwordEngine);
    }

    public CredentialVerificator.VerificatorType getType() {
        return CredentialVerificator.VerificatorType.Mixed;
    }
}
