package pl.edu.icm.unity.stdext.credential.pass;

import com.fasterxml.jackson.databind.node.ObjectNode;
import com.google.common.collect.Lists;
import com.nulabinc.zxcvbn.Strength;
import com.nulabinc.zxcvbn.Zxcvbn;
import edu.vt.middleware.password.AlphabeticalSequenceRule;
import edu.vt.middleware.password.CharacterCharacteristicsRule;
import edu.vt.middleware.password.CharacterRule;
import edu.vt.middleware.password.DigitCharacterRule;
import edu.vt.middleware.password.LengthRule;
import edu.vt.middleware.password.LowercaseCharacterRule;
import edu.vt.middleware.password.NonAlphanumericCharacterRule;
import edu.vt.middleware.password.NumericalSequenceRule;
import edu.vt.middleware.password.Password;
import edu.vt.middleware.password.PasswordData;
import edu.vt.middleware.password.PasswordValidator;
import edu.vt.middleware.password.QwertySequenceRule;
import edu.vt.middleware.password.RepeatCharacterRegexRule;
import edu.vt.middleware.password.Rule;
import edu.vt.middleware.password.UppercaseCharacterRule;
import java.util.ArrayList;
import java.util.Date;
import java.util.Deque;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import java.util.concurrent.ForkJoinPool;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.ObjectFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.Constants;
import pl.edu.icm.unity.JsonUtil;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.authn.AuthenticatedEntity;
import pl.edu.icm.unity.engine.api.authn.AuthenticationException;
import pl.edu.icm.unity.engine.api.authn.AuthenticationResult;
import pl.edu.icm.unity.engine.api.authn.CredentialReset;
import pl.edu.icm.unity.engine.api.authn.EntityWithCredential;
import pl.edu.icm.unity.engine.api.authn.LocalAuthenticationResult;
import pl.edu.icm.unity.engine.api.authn.local.AbstractLocalCredentialVerificatorFactory;
import pl.edu.icm.unity.engine.api.authn.local.AbstractLocalVerificator;
import pl.edu.icm.unity.engine.api.authn.local.CredentialHelper;
import pl.edu.icm.unity.engine.api.authn.remote.AuthenticationTriggeringContext;
import pl.edu.icm.unity.engine.api.notification.NotificationProducer;
import pl.edu.icm.unity.engine.api.utils.PrototypeComponent;
import pl.edu.icm.unity.exceptions.CredentialRecentlyUsedException;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.exceptions.IllegalCredentialException;
import pl.edu.icm.unity.exceptions.InternalException;
import pl.edu.icm.unity.stdext.identity.EmailIdentity;
import pl.edu.icm.unity.stdext.identity.UsernameIdentity;
import pl.edu.icm.unity.types.authn.CredentialPublicInformation;
import pl.edu.icm.unity.types.authn.LocalCredentialState;
import pl.edu.icm.unity.types.basic.EntityParam;

@PrototypeComponent
/* loaded from: input_file:pl/edu/icm/unity/stdext/credential/pass/PasswordVerificator.class */
public class PasswordVerificator extends AbstractLocalVerificator implements PasswordExchange {
    public static final String NAME = "password";
    public static final String DESC = "Verifies passwords";
    private NotificationProducer notificationProducer;
    private CredentialHelper credentialHelper;
    private PasswordEngine passwordEngine;
    private PasswordCredential credential;
    private static final AuthenticationResult.ResolvableError GENERIC_ERROR = new AuthenticationResult.ResolvableError("WebPasswordRetrieval.wrongPassword", new Object[0]);
    private static final Logger log = Log.getLogger("unity.server.authn", PasswordVerificator.class);
    public static final String[] IDENTITY_TYPES = {UsernameIdentity.ID, EmailIdentity.ID};

    @Component
    /* loaded from: input_file:pl/edu/icm/unity/stdext/credential/pass/PasswordVerificator$Factory.class */
    public static class Factory extends AbstractLocalCredentialVerificatorFactory {
        @Autowired
        public Factory(ObjectFactory<PasswordVerificator> objectFactory) {
            super(PasswordVerificator.NAME, PasswordVerificator.DESC, true, objectFactory);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:pl/edu/icm/unity/stdext/credential/pass/PasswordVerificator$PasswordStatus.class */
    public static class PasswordStatus {
        boolean outdated;
        String reason;

        PasswordStatus(boolean z, String str) {
            this.outdated = z;
            this.reason = str;
        }
    }

    @Autowired
    public PasswordVerificator(NotificationProducer notificationProducer, CredentialHelper credentialHelper, Optional<PasswordEncodingPoolProvider> optional) {
        super(NAME, DESC, PasswordExchange.ID, true);
        this.credential = new PasswordCredential();
        this.notificationProducer = notificationProducer;
        this.credentialHelper = credentialHelper;
        this.passwordEngine = new PasswordEngine((ForkJoinPool) optional.map(passwordEncodingPoolProvider -> {
            return passwordEncodingPoolProvider.pool;
        }).orElse(ForkJoinPool.commonPool()));
    }

    public String getSerializedConfiguration() throws InternalException {
        return JsonUtil.serialize(this.credential.getSerializedConfiguration());
    }

    public void setSerializedConfiguration(String str) throws InternalException {
        this.credential.setSerializedConfiguration(JsonUtil.parse(str));
    }

    public String prepareCredential(String str, String str2, boolean z) throws IllegalCredentialException, InternalException {
        Deque<PasswordInfo> passwords = PasswordCredentialDBState.fromJson(str2).getPasswords();
        PasswordToken loadFromJson = PasswordToken.loadFromJson(str);
        if (z) {
            verifyNewPassword(loadFromJson.getPassword(), passwords, this.credential.getHistorySize());
        }
        return prepareCredentialForStorage(passwords, loadFromJson);
    }

    private String prepareCredentialForStorage(Deque<PasswordInfo> deque, PasswordToken passwordToken) throws IllegalCredentialException, InternalException {
        if (this.credential.getPasswordResetSettings().isEnabled() && this.credential.getPasswordResetSettings().isRequireSecurityQuestion()) {
            if (passwordToken.getAnswer() == null || passwordToken.getQuestion() == -1) {
                throw new IllegalCredentialException("The credential must select a security question and provide an answer for it");
            }
            if (passwordToken.getQuestion() < 0 || passwordToken.getQuestion() >= this.credential.getPasswordResetSettings().getQuestions().size()) {
                throw new IllegalCredentialException("The chosen answer for security question is invalid");
            }
        }
        PasswordInfo prepareForStore = this.passwordEngine.prepareForStore(this.credential, passwordToken.getPassword());
        if (this.credential.getHistorySize() <= deque.size() && !deque.isEmpty()) {
            deque.removeLast();
        }
        deque.addFirst(prepareForStore);
        return PasswordCredentialDBState.toJson(this.credential, deque, passwordToken.getQuestion(), passwordToken.getAnswer() != null ? this.passwordEngine.prepareForStore(this.credential, passwordToken.getAnswer()) : null);
    }

    public String invalidate(String str) {
        try {
            ObjectNode readTree = Constants.MAPPER.readTree(str);
            readTree.put("outdated", true);
            return Constants.MAPPER.writeValueAsString(readTree);
        } catch (Exception e) {
            throw new InternalException("Can't deserialize password credential from JSON", e);
        }
    }

    public CredentialPublicInformation checkCredentialState(String str) throws InternalException {
        PasswordCredentialDBState fromJson = PasswordCredentialDBState.fromJson(str);
        Deque<PasswordInfo> passwords = fromJson.getPasswords();
        if (passwords.isEmpty()) {
            return new CredentialPublicInformation(LocalCredentialState.notSet, "");
        }
        String json = new PasswordExtraInfo(passwords.getFirst().getTime(), fromJson.getSecurityQuestion()).toJson();
        PasswordStatus checkIfCredentialIsOutdated = checkIfCredentialIsOutdated(fromJson);
        return checkIfCredentialIsOutdated.outdated ? new CredentialPublicInformation(LocalCredentialState.outdated, checkIfCredentialIsOutdated.reason, json) : storedPasswordRequiresRehash(fromJson) ? new CredentialPublicInformation(LocalCredentialState.outdated, "rehash required", json) : new CredentialPublicInformation(LocalCredentialState.correct, json);
    }

    public Optional<String> updateCredentialAfterConfigurationChange(String str) {
        PasswordCredentialDBState fromJson = PasswordCredentialDBState.fromJson(str);
        Deque<PasswordInfo> passwords = fromJson.getPasswords();
        return removeHistoricalPasswordsStoredWithOutdatedMechanism(passwords) | removeExcessHistoricalPasswords(passwords, this.credential.getHistorySize()) ? Optional.of(JsonUtil.toJsonString(fromJson)) : Optional.empty();
    }

    private boolean removeHistoricalPasswordsStoredWithOutdatedMechanism(Deque<PasswordInfo> deque) {
        boolean z = false;
        Iterator<PasswordInfo> it = deque.iterator();
        it.next();
        while (it.hasNext()) {
            if (!this.passwordEngine.checkParamsUpToDate(this.credential, it.next())) {
                it.remove();
                z = true;
            }
        }
        return z;
    }

    private boolean removeExcessHistoricalPasswords(Deque<PasswordInfo> deque, int i) {
        boolean z;
        boolean z2 = false;
        while (true) {
            z = z2;
            if ((i != 0 || deque.size() <= 1) && (i <= 0 || deque.size() <= i)) {
                break;
            }
            deque.removeLast();
            z2 = true;
        }
        return z;
    }

    @Override // pl.edu.icm.unity.stdext.credential.pass.PasswordExchange
    public AuthenticationResult checkPassword(String str, String str2, String str3, boolean z, AuthenticationTriggeringContext authenticationTriggeringContext) {
        return checkPasswordInternal(str, str2);
    }

    private AuthenticationResult checkPasswordInternal(String str, String str2) {
        try {
            EntityWithCredential resolveIdentity = this.identityResolver.resolveIdentity(str, IDENTITY_TYPES, this.credentialName);
            try {
                PasswordCredentialDBState fromJson = PasswordCredentialDBState.fromJson(resolveIdentity.getCredentialValue());
                Deque<PasswordInfo> passwords = fromJson.getPasswords();
                if (passwords.isEmpty()) {
                    log.info("The user has no password set: {}", str);
                    return LocalAuthenticationResult.failed(GENERIC_ERROR);
                }
                if (this.passwordEngine.verify(passwords.getFirst(), str2)) {
                    return LocalAuthenticationResult.successful(new AuthenticatedEntity(Long.valueOf(resolveIdentity.getEntityId()), str, isCurrentPasswordOutdated(str2, fromJson, resolveIdentity) ? resolveIdentity.getCredentialName() : null));
                }
                log.info("Password provided by {} is invalid", str);
                return LocalAuthenticationResult.failed(GENERIC_ERROR);
            } catch (Exception e) {
                log.warn("Error during password verification for " + str, e);
                return LocalAuthenticationResult.failed(GENERIC_ERROR);
            }
        } catch (Exception e2) {
            log.info("The user for password authN can not be found: " + str, e2);
            return LocalAuthenticationResult.failed(GENERIC_ERROR);
        }
    }

    @Override // pl.edu.icm.unity.stdext.credential.pass.PasswordExchange
    public CredentialReset getCredentialResetBackend() {
        return new PasswordCredentialResetImpl(this.notificationProducer, this.identityResolver, this, this.credentialHelper, this.credentialName, this.credential.getSerializedConfiguration(), this.credential.getPasswordResetSettings(), this.passwordEngine);
    }

    private boolean isCurrentPasswordOutdated(String str, PasswordCredentialDBState passwordCredentialDBState, EntityWithCredential entityWithCredential) throws AuthenticationException {
        if (isCurrentCredentialOutdated(passwordCredentialDBState)) {
            return true;
        }
        try {
            verifyPasswordStrength(str);
            if (!storedPasswordRequiresRehash(passwordCredentialDBState)) {
                return false;
            }
            log.debug("Password hash of user {} is outdated: hashing parameters were changed", Long.valueOf(entityWithCredential.getEntityId()));
            rehashPassword(str, passwordCredentialDBState, entityWithCredential);
            return false;
        } catch (IllegalCredentialException e) {
            log.info("User with id {} logged in with password not matching current credential requirements, invalidating the password", Long.valueOf(entityWithCredential.getEntityId()));
            try {
                this.credentialHelper.updateCredential(entityWithCredential.getEntityId(), entityWithCredential.getCredentialName(), invalidate(entityWithCredential.getCredentialValue()));
                return true;
            } catch (EngineException e2) {
                throw new AuthenticationException("Problem invalidating outdated credential", e2);
            }
        }
    }

    private void rehashPassword(String str, PasswordCredentialDBState passwordCredentialDBState, EntityWithCredential entityWithCredential) throws AuthenticationException {
        try {
            log.info("Re-hashing password of entity {} to match updated security requirements", Long.valueOf(entityWithCredential.getEntityId()));
            this.credentialHelper.updateCredential(entityWithCredential.getEntityId(), entityWithCredential.getCredentialName(), prepareCredentialForStorage(passwordCredentialDBState.getPasswords(), new PasswordToken(str)));
        } catch (Exception e) {
            throw new AuthenticationException("Problem rehasing password", e);
        }
    }

    private boolean isCurrentCredentialOutdated(PasswordCredentialDBState passwordCredentialDBState) {
        return checkIfCredentialIsOutdated(passwordCredentialDBState).outdated;
    }

    private PasswordStatus checkIfCredentialIsOutdated(PasswordCredentialDBState passwordCredentialDBState) {
        if (passwordCredentialDBState.isOutdated()) {
            return new PasswordStatus(true, "set as");
        }
        if (passwordCredentialDBState.getSecurityQuestion() == null && this.credential.getPasswordResetSettings().isEnabled() && this.credential.getPasswordResetSettings().isRequireSecurityQuestion()) {
            return new PasswordStatus(true, "no question");
        }
        return new Date().after(new Date(passwordCredentialDBState.getPasswords().getFirst().getTime().getTime() + this.credential.getMaxAge())) ? new PasswordStatus(true, "expired") : (this.credential.getPasswordResetSettings().isEnabled() && this.credential.getPasswordResetSettings().isRequireSecurityQuestion() && !this.passwordEngine.checkParamsUpToDate(this.credential, passwordCredentialDBState.getAnswer())) ? new PasswordStatus(true, "question outdated") : new PasswordStatus(false, null);
    }

    private boolean storedPasswordRequiresRehash(PasswordCredentialDBState passwordCredentialDBState) {
        return !this.passwordEngine.checkParamsUpToDate(this.credential, passwordCredentialDBState.getPasswords().getFirst());
    }

    private void verifyNewPassword(String str, Deque<PasswordInfo> deque, int i) throws IllegalCredentialException {
        verifyPasswordStrength(str);
        verifyPasswordNotReused(str, deque, i);
    }

    private void verifyPasswordStrength(String str) throws IllegalCredentialException {
        Strength measure = new Zxcvbn().measure(str);
        if (measure.getGuessesLog10() >= this.credential.getMinScore()) {
            if (!getPasswordValidator().validate(new PasswordData(new Password(str))).isValid()) {
                throw new IllegalCredentialException("Password is too weak");
            }
        } else {
            double guessesLog10 = measure.getGuessesLog10();
            this.credential.getMinScore();
            IllegalCredentialException illegalCredentialException = new IllegalCredentialException("Password has too low score " + guessesLog10 + "/" + illegalCredentialException);
            throw illegalCredentialException;
        }
    }

    private void verifyPasswordNotReused(String str, Deque<PasswordInfo> deque, int i) throws IllegalCredentialException {
        Iterator<PasswordInfo> it = deque.iterator();
        for (int i2 = 0; i2 < i && it.hasNext(); i2++) {
            if (this.passwordEngine.verify(it.next(), str)) {
                throw new CredentialRecentlyUsedException("The same password was recently used");
            }
        }
    }

    private PasswordValidator getPasswordValidator() {
        ArrayList arrayList = new ArrayList();
        arrayList.add(new LengthRule(this.credential.getMinLength(), 512));
        CharacterCharacteristicsRule characterCharacteristicsRule = new CharacterCharacteristicsRule();
        characterCharacteristicsRule.setRules(getCharacteristicsRules());
        characterCharacteristicsRule.setNumberOfCharacteristics(this.credential.getMinClassesNum());
        arrayList.add(characterCharacteristicsRule);
        if (this.credential.isDenySequences()) {
            arrayList.addAll(getSequencesRules());
        }
        return new PasswordValidator(arrayList);
    }

    public boolean isCredentialDefinitionChagneOutdatingCredentials(String str) {
        PasswordCredential passwordCredential = new PasswordCredential();
        passwordCredential.setSerializedConfiguration(JsonUtil.parse(str));
        return passwordCredential.hasStrongerRequirementsThen(this.credential);
    }

    public static List<CharacterRule> getCharacteristicsRules() {
        return Lists.newArrayList(new CharacterRule[]{new DigitCharacterRule(1), new NonAlphanumericCharacterRule(1), new UppercaseCharacterRule(1), new LowercaseCharacterRule(1)});
    }

    public static List<Rule> getSequencesRules() {
        return Lists.newArrayList(new Rule[]{new AlphabeticalSequenceRule(), new NumericalSequenceRule(3, true), new QwertySequenceRule(), new RepeatCharacterRegexRule(4)});
    }

    public boolean isCredentialSet(EntityParam entityParam) throws EngineException {
        return this.credentialHelper.isCredentialSet(entityParam, this.credentialName);
    }
}
