package net.sinodawn.framework.security.support;

import java.time.LocalDateTime;
import java.util.List;
import java.util.stream.Collectors;
import net.sinodawn.framework.context.ApplicationContextHelper;
import net.sinodawn.framework.exception.database.JdbcException;
import net.sinodawn.framework.security.AccountCategory;
import net.sinodawn.framework.security.authentication.AuthenticationHelper;
import net.sinodawn.framework.security.bean.LoginUser;
import net.sinodawn.framework.security.captcha.SecurityCaptchaService;
import net.sinodawn.framework.security.service.DefaultUserDetailsChecker;
import net.sinodawn.framework.security.sso.RemoteAuthenticator;
import net.sinodawn.framework.security.sso.SsoAuthenticator;
import net.sinodawn.framework.security.sso.SsoAuthenticatorRegistry;
import net.sinodawn.framework.utils.CollectionUtils;
import net.sinodawn.framework.utils.ServletUtils;
import net.sinodawn.framework.utils.StringUtils;
import net.sinodawn.module.mdm.user.bean.CoreUserBean;
import net.sinodawn.module.mdm.user.service.CoreUserService;
import net.sinodawn.module.sys.password.bean.CorePasswordPolicyBean;
import net.sinodawn.module.sys.password.service.CorePasswordPolicyService;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Lazy;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.CredentialsContainer;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.password.PasswordEncoder;

/* loaded from: input_file:net/sinodawn/framework/security/support/DefaultDaoAuthenticationProvider.class */
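/**
 * Username/password authentication provider that layers project-specific checks on top of
 * Spring Security's {@link DaoAuthenticationProvider}: captcha validation, SSO login selected
 * by the {@code loginType} request parameter, an optional remote authenticator, password-expiry
 * policies, failed-attempt reset and single-session enforcement.
 */
public class DefaultDaoAuthenticationProvider extends DaoAuthenticationProvider {
    // NOTE(review): the category is the Spring parent class, not this class, so log lines from
    // this provider appear under the Spring logger name. Left unchanged because existing log
    // configuration may key on it.
    private static final Logger logger = LogManager.getLogger(DaoAuthenticationProvider.class);

    // User store: used to load the account row and to persist lock/counter updates.
    @Autowired
    @Lazy
    protected CoreUserService userService;

    // Source of the password policies that apply to a given user id.
    @Autowired
    private CorePasswordPolicyService passwordPolicyService;

    // Injected but not referenced by any method of this class.
    @Autowired
    @Lazy
    private PasswordEncoder passwordEncoder;

    // Bean name of an optional RemoteAuthenticator; blank (the default) disables the remote path.
    @Value("${sino.security.remote-authenticator-name:}")
    private String remoteAuthenticatorName;

    // Captcha validator invoked at the start of every authentication attempt.
    @Autowired
    @Lazy
    private SecurityCaptchaService captchaService;

    /**
     * Creates the provider with user-not-found hiding switched off.
     *
     * <p>NOTE(review): with hiding disabled, Spring Security reports an unknown user with a
     * different exception than a wrong password. If that difference reaches the client, it
     * lets a caller tell which usernames exist; confirm the login endpoint returns one uniform
     * failure message.
     */
    public DefaultDaoAuthenticationProvider() {
        setHideUserNotFoundExceptions(false);
    }

    /**
     * Authenticates a login request through one of three paths: an SSO authenticator chosen by
     * the {@code loginType} request parameter, the configured remote authenticator, or the
     * regular DAO flow of the parent class.
     *
     * @param authentication the token built from the submitted login request
     * @return the resulting authentication
     * @throws AuthenticationException if the credentials or the account state are rejected
     * @throws SecurityException if {@code loginType} names no registered SSO authenticator
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        // The captcha is validated before any credential is examined.
        this.captchaService.checkCaptcha();

        // loginType comes straight from the request; it only selects an entry from the registry
        // and an unknown value is rejected below.
        String loginType = ServletUtils.getCurrentRequest().getParameter("loginType");
        boolean ssoRequested = !StringUtils.isEmpty(loginType);
        if (ssoRequested) {
            SsoAuthenticator ssoAuthenticator = SsoAuthenticatorRegistry.INSTANCE.getAuthenticator(loginType);
            if (ssoAuthenticator == null) {
                throw new SecurityException("SINO.SECURITY.SSO_LOGIN.INVALID_LOGINTYPE");
            }
            LoginUser ssoUser = ssoAuthenticator.authenticate();
            // When the SSO user still requires the local password check, the submitted
            // credentials are kept; otherwise the password supplied by the SSO user is used.
            authentication = new UsernamePasswordAuthenticationToken(ssoUser.getUsername(), ssoUser.getAdditionalCheck() ? authentication.getCredentials() : ssoUser.getPassword(), CollectionUtils.emptyList());
            if (ssoUser.getAdditionalCheck()) {
                // Marks the token unauthenticated so additionalAuthenticationChecks verifies the
                // password; a token left authenticated skips that check.
                authentication.setAuthenticated(false);
            }
        }

        // The remote authenticator is consulted only for non-SSO logins and only when a bean
        // name is configured and resolves to a bean.
        RemoteAuthenticator remoteAuthenticator = null;
        if (!ssoRequested && !StringUtils.isBlank(this.remoteAuthenticatorName)) {
            remoteAuthenticator = (RemoteAuthenticator) ApplicationContextHelper.getBeanIfPresent(this.remoteAuthenticatorName);
        }
        if (remoteAuthenticator == null) {
            return super.authenticate(authentication);
        }

        LoginUser remoteUser = remoteAuthenticator.authenticate((String) authentication.getPrincipal(), AuthenticationHelper.getRawPassword((String) authentication.getCredentials()));
        // NOTE(review): this path returns without calling super.authenticate, so
        // additionalAuthenticationChecks in this class (password expiry, lock, failed-attempt
        // reset) is not run for remotely authenticated users; confirm that is intended.
        // NOTE(review): a missing local row makes selectById return null (presumably) and the
        // calls below fail with a NullPointerException rather than an AuthenticationException.
        CoreUserBean localUser = this.userService.selectById(remoteUser.getUsername());
        logoutPreviousLoginIfNecessary(localUser);
        // NOTE(review): the two-argument constructor yields a token whose isAuthenticated() is
        // false, and the credentials slot carries the stored password value of the local user;
        // verify callers do not rely on isAuthenticated() and that the value is not exposed.
        return new UsernamePasswordAuthenticationToken(remoteUser, localUser.getPassword());
    }

    /**
     * Runs the project checks for a loaded user: password verification (when the token is not
     * already authenticated and the user requires it), password-expiry policies, reset of the
     * failed-login counter and single-session enforcement. Credentials held by
     * {@code userDetails} are erased on every exit path.
     *
     * @param userDetails the loaded user; cast to {@link LoginUser} for the additional-check flag
     * @param usernamePasswordAuthenticationToken the token under verification
     * @throws AuthenticationException if the password is wrong or the account gets locked
     * @throws JdbcException if any other exception occurs; the original is logged first
     */
    @Override
    protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken) throws AuthenticationException {
        try {
            try {
                CoreUserBean user = this.userService.selectById(userDetails.getUsername());
                try {
                    if (!usernamePasswordAuthenticationToken.isAuthenticated() && ((LoginUser) userDetails).getAdditionalCheck()) {
                        DefaultUserDetailsChecker.checkPassword((String) usernamePasswordAuthenticationToken.getPrincipal(), AuthenticationHelper.getRawPassword((String) usernamePasswordAuthenticationToken.getCredentials()));
                    }
                    enforcePasswordExpiry(user);
                    if (user.getFailedLoginAttempts().intValue() > 0) {
                        // A successful login clears the failed-attempt counter.
                        CoreUserBean counterReset = new CoreUserBean();
                        counterReset.setId(user.getId());
                        counterReset.setFailedLoginAttempts(0);
                        this.userService.update(counterReset);
                    }
                    logoutPreviousLoginIfNecessary(user);
                } catch (BadCredentialsException e) {
                    DefaultUserDetailsChecker.postAuthenticationFailure(userDetails.getUsername());
                    // Fail closed: rethrow so a rejected password can never fall through as a
                    // successful check, whether or not postAuthenticationFailure throws itself.
                    throw e;
                }
            } finally {
                if (userDetails instanceof CredentialsContainer) {
                    ((CredentialsContainer) userDetails).eraseCredentials();
                }
            }
        } catch (AuthenticationException e) {
            throw e;
        } catch (Exception e) {
            // Any non-authentication failure is logged and replaced by a generic error so
            // internal details are not surfaced to the caller.
            logger.error(e.getMessage(), e);
            throw new JdbcException("SINO.EXCEPTION.UNEXPECTED");
        }
    }

    /**
     * Applies the password-expiry policies in effect for the user. Only policies with a
     * positive expiry interval are considered. When the password is past a policy's interval
     * and that policy has no expired-use allowance, or the allowance is used up, the account
     * status is set to {@code locked} and the login is rejected; otherwise the expired-use
     * counter is incremented once.
     *
     * @param user the account row loaded for the login
     * @throws LockedException if an expired password may no longer be used
     */
    private void enforcePasswordExpiry(CoreUserBean user) {
        List<CorePasswordPolicyBean> expiringPolicies = this.passwordPolicyService.selectEffectedList(user.getId()).stream()
                .filter(policy -> policy.getExpiryInterval() != null && policy.getExpiryInterval().longValue() > 0)
                .collect(Collectors.toList());
        if (expiringPolicies.isEmpty()) {
            return;
        }
        LocalDateTime now = LocalDateTime.now();
        boolean expiredPasswordUsed = false;
        for (CorePasswordPolicyBean policy : expiringPolicies) {
            boolean expired = user.getPasswordUpdatedTime().plusDays(policy.getExpiryInterval().longValue()).isBefore(now);
            if (!expired) {
                continue;
            }
            if (policy.getExpiredMaxUse() == null || policy.getExpiredMaxUse().longValue() <= user.getExpiredPasswordUses().intValue()) {
                CoreUserBean lockUpdate = new CoreUserBean();
                lockUpdate.setId(user.getId());
                lockUpdate.setStatus("locked");
                this.userService.update(lockUpdate);
                throw new LockedException("SINO.SECURITY.LOGIN.LOCKED");
            }
            expiredPasswordUsed = true;
        }
        if (expiredPasswordUsed) {
            CoreUserBean usesUpdate = new CoreUserBean();
            usesUpdate.setId(user.getId());
            usesUpdate.setExpiredPasswordUses(Integer.valueOf(user.getExpiredPasswordUses().intValue() + 1));
            this.userService.update(usesUpdate);
        }
    }

    /**
     * Forces existing sessions of the user offline when the account's multi-login flag is
     * {@code "0"}. Every cached login token whose authentication name equals the user id is
     * marked offline and logged out.
     *
     * @param coreUserBean the account that is logging in
     */
    private void logoutPreviousLoginIfNecessary(CoreUserBean coreUserBean) {
        if (!"0".equals(coreUserBean.getMultiLogin())) {
            return;
        }
        for (String token : AuthenticationHelper.getLoginTokenList()) {
            Authentication cached = AuthenticationHelper.getCacheAuthentication(token);
            if (cached == null || !coreUserBean.getId().equals(cached.getName())) {
                continue;
            }
            AuthenticationHelper.markOffline(token, AccountCategory.OFFLINE_PRELOGIN.name());
            // Runtime message (Chinese): "duplicate login is not allowed, forced offline".
            AuthenticationHelper.logout(token, "不允许重复登录，强制下线");
        }
    }
}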
