package net.unit8.bouncr.api.resource;

import enkan.component.BeansConverter;
import enkan.data.HttpRequest;
import enkan.util.BeanBuilder;
import java.util.Arrays;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import javax.inject.Inject;
import javax.persistence.CacheStoreMode;
import javax.persistence.EntityGraph;
import javax.persistence.EntityManager;
import javax.persistence.criteria.CriteriaBuilder;
import javax.persistence.criteria.CriteriaQuery;
import kotowari.restful.Decision;
import kotowari.restful.DecisionPoint;
import kotowari.restful.component.BeansValidator;
import kotowari.restful.data.Problem;
import kotowari.restful.data.RestContext;
import kotowari.restful.resource.AllowedMethods;
import net.unit8.bouncr.api.boundary.BouncrProblem;
import net.unit8.bouncr.api.boundary.PasswordSignInRequest;
import net.unit8.bouncr.api.logging.ActionRecord;
import net.unit8.bouncr.api.service.SignInService;
import net.unit8.bouncr.api.service.UserLockService;
import net.unit8.bouncr.component.BouncrConfiguration;
import net.unit8.bouncr.component.StoreProvider;
import net.unit8.bouncr.component.config.HookPoint;
import net.unit8.bouncr.entity.ActionType;
import net.unit8.bouncr.entity.User;
import net.unit8.bouncr.entity.UserSession;
import net.unit8.bouncr.util.PasswordUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@AllowedMethods({"POST"})
/* loaded from: input_file:net/unit8/bouncr/api/resource/PasswordSignInResource.class */
public class PasswordSignInResource {
    private static final Logger LOG = LoggerFactory.getLogger(PasswordSignInResource.class);

    @Inject
    private StoreProvider storeProvider;

    @Inject
    private BouncrConfiguration config;

    @Inject
    private BeansConverter converter;

    @Inject
    private BeansValidator validator;

    @Decision(value = DecisionPoint.MALFORMED, method = {"POST"})
    public Problem validatePasswordSignInRequest(PasswordSignInRequest passwordSignInRequest, RestContext restContext) {
        if (passwordSignInRequest == null) {
            return (Problem) BeanBuilder.builder(Problem.valueOf(400, "request is empty")).set((v0, v1) -> {
                v0.setType(v1);
            }, BouncrProblem.MALFORMED.problemUri()).build();
        }
        Set validate = this.validator.validate(passwordSignInRequest);
        if (validate.isEmpty()) {
            restContext.putValue(passwordSignInRequest);
        }
        if (validate.isEmpty()) {
            return null;
        }
        return (Problem) BeanBuilder.builder(Problem.fromViolations(validate)).set((v0, v1) -> {
            v0.setType(v1);
        }, BouncrProblem.MALFORMED.problemUri()).build();
    }

    @Decision(DecisionPoint.AUTHORIZED)
    public boolean authenticate(PasswordSignInRequest passwordSignInRequest, ActionRecord actionRecord, RestContext restContext, EntityManager entityManager) {
        this.config.getHookRepo().runHook(HookPoint.BEFORE_SIGN_IN, restContext);
        Optional message = restContext.getMessage();
        Class<Problem> cls = Problem.class;
        Objects.requireNonNull(Problem.class);
        if (message.filter(cls::isInstance).isPresent()) {
            return false;
        }
        SignInService signInService = new SignInService(entityManager, this.storeProvider, this.config);
        UserLockService userLockService = new UserLockService(entityManager, this.config);
        CriteriaBuilder criteriaBuilder = entityManager.getCriteriaBuilder();
        CriteriaQuery createQuery = criteriaBuilder.createQuery(User.class);
        createQuery.where(criteriaBuilder.equal(createQuery.from(User.class).get("account"), passwordSignInRequest.getAccount()));
        EntityGraph createEntityGraph = entityManager.createEntityGraph(User.class);
        createEntityGraph.addAttributeNodes(new String[]{"account", "userProfileValues", "otpKey", "userLock"});
        createEntityGraph.addSubgraph("otpKey").addAttributeNodes(new String[]{"key"});
        createEntityGraph.addSubgraph("userLock").addAttributeNodes(new String[]{"lockedAt"});
        createEntityGraph.addSubgraph("passwordCredential").addAttributeNodes(new String[]{"password", "salt", "initial", "createdAt"});
        User user = (User) entityManager.createQuery(createQuery).setHint("javax.persistence.fetchgraph", createEntityGraph).setHint("javax.persistence.cache.storeMode", CacheStoreMode.REFRESH).getResultStream().findAny().orElse(null);
        if (user != null && user.getUserLock() != null) {
            restContext.setMessage(BeanBuilder.builder(Problem.valueOf(401, "Account is locked")).set((v0, v1) -> {
                v0.setType(v1);
            }, BouncrProblem.ACCOUNT_IS_LOCKED.problemUri()).build());
            return false;
        }
        if (user == null) {
            return false;
        }
        actionRecord.setActor(user.getAccount());
        if (user.getPasswordCredential() == null || !Arrays.equals(user.getPasswordCredential().getPassword(), PasswordUtils.pbkdf2(passwordSignInRequest.getPassword(), user.getPasswordCredential().getSalt(), 100))) {
            actionRecord.setActionType(ActionType.USER_FAILED_SIGNIN);
            userLockService.lockUser(user);
            return false;
        }
        restContext.putValue(user);
        actionRecord.setActionType(ActionType.USER_SIGNIN);
        SignInService.PasswordCredentialStatus validatePasswordCredentialAttributes = signInService.validatePasswordCredentialAttributes(user);
        if (validatePasswordCredentialAttributes == SignInService.PasswordCredentialStatus.EXPIRED || validatePasswordCredentialAttributes == SignInService.PasswordCredentialStatus.INITIAL) {
            restContext.setMessage(BeanBuilder.builder(Problem.valueOf(401, "Password must be changed")).set((v0, v1) -> {
                v0.setType(v1);
            }, BouncrProblem.PASSWORD_MUST_BE_CHANGED.problemUri()).build());
            return false;
        }
        if (signInService.validateOtpKey(user.getOtpKey(), passwordSignInRequest.getOneTimePassword())) {
            return true;
        }
        restContext.setMessage(BeanBuilder.builder(Problem.valueOf(401, "One time password is needed")).set((v0, v1) -> {
            v0.setType(v1);
        }, BouncrProblem.ONE_TIME_PASSWORD_IS_NEEDED.problemUri()).build());
        return false;
    }

    @Decision(DecisionPoint.ALLOWED)
    public boolean allowed(RestContext restContext) {
        this.config.getHookRepo().runHook(HookPoint.ALLOWED_SIGN_IN, restContext);
        Optional message = restContext.getMessage();
        Class<Problem> cls = Problem.class;
        Objects.requireNonNull(Problem.class);
        return !message.filter(cls::isInstance).isPresent();
    }

    @Decision(DecisionPoint.POST)
    public UserSession doPost(User user, HttpRequest httpRequest, RestContext restContext, EntityManager entityManager) {
        SignInService signInService = new SignInService(entityManager, this.storeProvider, this.config);
        UserSession createUserSession = signInService.createUserSession(httpRequest, user, signInService.createToken());
        restContext.putValue(createUserSession);
        this.config.getHookRepo().runHook(HookPoint.AFTER_SIGN_IN, restContext);
        return createUserSession;
    }

    @Decision(DecisionPoint.HANDLE_CREATED)
    public UserSession handleCreated(UserSession userSession) {
        return userSession;
    }
}
