package net.nemerosa.ontrack.service.security;

import net.nemerosa.ontrack.model.Ack;
import net.nemerosa.ontrack.model.exceptions.UserOldPasswordException;
import net.nemerosa.ontrack.model.security.Account;
import net.nemerosa.ontrack.model.security.SecurityService;
import net.nemerosa.ontrack.model.security.UserService;
import net.nemerosa.ontrack.model.support.PasswordChange;
import net.nemerosa.ontrack.repository.AccountRepository;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

@Service
/* loaded from: input_file:net/nemerosa/ontrack/service/security/UserServiceImpl.class */
public class UserServiceImpl implements UserService {
    private final SecurityService securityService;
    private final AccountRepository accountRepository;
    private final PasswordEncoder passwordEncoder;

    @Autowired
    public UserServiceImpl(SecurityService securityService, AccountRepository accountRepository, PasswordEncoder passwordEncoder) {
        this.securityService = securityService;
        this.accountRepository = accountRepository;
        this.passwordEncoder = passwordEncoder;
    }

    public Ack changePassword(PasswordChange passwordChange) {
        Account currentAccount = this.securityService.getCurrentAccount();
        if (currentAccount == null) {
            throw new AccessDeniedException("Must be logged to change password.");
        }
        if (!currentAccount.getAuthenticationSource().isAllowingPasswordChange()) {
            throw new AccessDeniedException("Password change is not allowed from ontrack.");
        }
        if (!this.accountRepository.checkPassword(currentAccount.id(), str -> {
            return this.passwordEncoder.matches(passwordChange.getOldPassword(), str);
        })) {
            throw new UserOldPasswordException();
        }
        this.accountRepository.setPassword(currentAccount.id(), this.passwordEncoder.encode(passwordChange.getNewPassword()));
        return Ack.OK;
    }
}
