package org.apereo.cas.pm.web.flow.actions;

import jakarta.servlet.http.HttpServletRequest;
import java.net.URL;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.AuthenticationSystemSupport;
import org.apereo.cas.authentication.MultifactorAuthenticationProvider;
import org.apereo.cas.authentication.MultifactorAuthenticationProviderSelector;
import org.apereo.cas.authentication.MultifactorAuthenticationUtils;
import org.apereo.cas.authentication.credential.BasicIdentifiableCredential;
import org.apereo.cas.authentication.principal.NullPrincipal;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.authentication.principal.PrincipalResolver;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.support.email.EmailProperties;
import org.apereo.cas.configuration.model.support.sms.SmsProperties;
import org.apereo.cas.configuration.support.Beans;
import org.apereo.cas.notifications.CommunicationsManager;
import org.apereo.cas.notifications.mail.EmailCommunicationResult;
import org.apereo.cas.notifications.mail.EmailMessageBodyBuilder;
import org.apereo.cas.notifications.mail.EmailMessageRequest;
import org.apereo.cas.notifications.sms.SmsBodyBuilder;
import org.apereo.cas.notifications.sms.SmsRequest;
import org.apereo.cas.pm.PasswordManagementQuery;
import org.apereo.cas.pm.PasswordManagementService;
import org.apereo.cas.pm.PasswordResetUrlBuilder;
import org.apereo.cas.ticket.TicketFactory;
import org.apereo.cas.ticket.registry.TicketRegistry;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.function.FunctionUtils;
import org.apereo.cas.web.flow.actions.BaseCasWebflowAction;
import org.apereo.cas.web.flow.util.MultifactorAuthenticationWebflowUtils;
import org.apereo.cas.web.support.WebUtils;
import org.apereo.inspektr.audit.annotation.Audit;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.ApplicationContext;
import org.springframework.web.servlet.support.RequestContextUtils;
import org.springframework.webflow.action.EventFactorySupport;
import org.springframework.webflow.execution.Event;
import org.springframework.webflow.execution.RequestContext;

/* loaded from: input_file:org/apereo/cas/pm/web/flow/actions/SendPasswordResetInstructionsAction.class */
public class SendPasswordResetInstructionsAction extends BaseCasWebflowAction {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(SendPasswordResetInstructionsAction.class);
    public static final String REQUEST_PARAMETER_USERNAME = "username";
    protected final CasConfigurationProperties casProperties;
    protected final CommunicationsManager communicationsManager;
    protected final PasswordManagementService passwordManagementService;
    protected final TicketRegistry ticketRegistry;
    protected final TicketFactory ticketFactory;
    protected final PrincipalResolver principalResolver;
    protected final PasswordResetUrlBuilder passwordResetUrlBuilder;
    protected final MultifactorAuthenticationProviderSelector multifactorAuthenticationProviderSelector;
    protected final AuthenticationSystemSupport authenticationSystemSupport;
    protected final ApplicationContext applicationContext;

    @Audit(action = "REQUEST_CHANGE_PASSWORD", principalResolverName = "REQUEST_CHANGE_PASSWORD_PRINCIPAL_RESOLVER", actionResolverName = "REQUEST_CHANGE_PASSWORD_ACTION_RESOLVER", resourceResolverName = "REQUEST_CHANGE_PASSWORD_RESOURCE_RESOLVER")
    protected Event doExecuteInternal(RequestContext requestContext) throws Throwable {
        this.communicationsManager.validate();
        if (!this.communicationsManager.isMailSenderDefined() && !this.communicationsManager.isSmsSenderDefined()) {
            return getErrorEvent("contact.failed", "Unable to send email as no mail sender is defined", requestContext);
        }
        PasswordManagementQuery buildPasswordManagementQuery = buildPasswordManagementQuery(requestContext);
        if (StringUtils.isBlank(buildPasswordManagementQuery.getUsername())) {
            return getErrorEvent("username.required", "No username is provided", requestContext);
        }
        String findEmail = this.passwordManagementService.findEmail(buildPasswordManagementQuery);
        String findPhone = this.passwordManagementService.findPhone(buildPasswordManagementQuery);
        if (StringUtils.isBlank(findEmail) && StringUtils.isBlank(findPhone)) {
            LOGGER.warn("No recipient is provided with a valid email/phone");
            return getInvalidContactEvent(requestContext);
        }
        WebUtils.putPasswordManagementQuery(requestContext, buildPasswordManagementQuery);
        if (doesPasswordResetRequireMultifactorAuthentication(requestContext) && !hasPrincipalRegisteredMultifactorAuthenticationDevice(requestContext)) {
            LOGGER.warn("No registered devices for multifactor authentication could be found for [{}]", buildPasswordManagementQuery.getUsername());
            WebUtils.addErrorMessageToContext(requestContext, "screen.mfaDenied.message");
            return new EventFactorySupport().event(this, "deny");
        }
        URL buildPasswordResetUrl = buildPasswordResetUrl(buildPasswordManagementQuery.getUsername(), WebUtils.getService(requestContext));
        if (buildPasswordResetUrl != null) {
            LOGGER.debug("Generated password reset URL [{}]; Link is only active for the next [{}] minute(s)", buildPasswordResetUrl, Beans.newDuration(this.casProperties.getAuthn().getPm().getReset().getExpiration()));
            EmailCommunicationResult sendPasswordResetEmailToAccount = sendPasswordResetEmailToAccount(buildPasswordManagementQuery.getUsername(), findEmail, buildPasswordResetUrl, requestContext);
            boolean sendPasswordResetSmsToAccount = sendPasswordResetSmsToAccount(findPhone, buildPasswordResetUrl);
            if (sendPasswordResetEmailToAccount.isSuccess() || sendPasswordResetSmsToAccount) {
                return success(buildPasswordResetUrl);
            }
        } else {
            LOGGER.error("No password reset URL could be built and sent to [{}]", findEmail);
        }
        LOGGER.error("Failed to notify account [{}]", findEmail);
        return getErrorEvent("contact.failed", "Failed to send the password reset link via email address or phone", requestContext);
    }

    protected boolean doesPasswordResetRequireMultifactorAuthentication(RequestContext requestContext) {
        return this.casProperties.getAuthn().getPm().getReset().isMultifactorAuthenticationEnabled() && !MultifactorAuthenticationUtils.getAvailableMultifactorAuthenticationProviders(this.applicationContext).isEmpty() && StringUtils.isBlank(MultifactorAuthenticationWebflowUtils.getMultifactorAuthenticationProvider(requestContext));
    }

    protected boolean hasPrincipalRegisteredMultifactorAuthenticationDevice(RequestContext requestContext) throws Throwable {
        Principal resolvedPrincipal = resolvedPrincipal(((PasswordManagementQuery) WebUtils.getPasswordManagementQuery(requestContext, PasswordManagementQuery.class)).getUsername());
        MultifactorAuthenticationProvider selectMultifactorAuthenticationProvider = selectMultifactorAuthenticationProvider(requestContext, resolvedPrincipal);
        LOGGER.debug("Selected multifactor authentication provider [{}]", selectMultifactorAuthenticationProvider.getId());
        return selectMultifactorAuthenticationProvider.getDeviceManager() == null || selectMultifactorAuthenticationProvider.getDeviceManager().hasRegisteredDevices(resolvedPrincipal);
    }

    protected Principal resolvedPrincipal(String str) throws Throwable {
        Principal resolve = this.principalResolver.resolve(new BasicIdentifiableCredential(str));
        return resolve instanceof NullPrincipal ? this.authenticationSystemSupport.getPrincipalFactory().createPrincipal(str) : resolve;
    }

    protected MultifactorAuthenticationProvider selectMultifactorAuthenticationProvider(RequestContext requestContext, Principal principal) throws Throwable {
        Map availableMultifactorAuthenticationProviders = MultifactorAuthenticationUtils.getAvailableMultifactorAuthenticationProviders(this.applicationContext);
        return this.multifactorAuthenticationProviderSelector.resolve(availableMultifactorAuthenticationProviders.values(), WebUtils.getRegisteredService(requestContext), principal);
    }

    protected PasswordManagementQuery buildPasswordManagementQuery(RequestContext requestContext) {
        return (PasswordManagementQuery) Optional.ofNullable((PasswordManagementQuery) WebUtils.getPasswordManagementQuery(requestContext, PasswordManagementQuery.class)).orElseGet(() -> {
            String parameter = WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext).getParameter(REQUEST_PARAMETER_USERNAME);
            PasswordManagementQuery.PasswordManagementQueryBuilder builder = PasswordManagementQuery.builder();
            if (StringUtils.isBlank(parameter)) {
                LOGGER.warn("No username parameter is provided");
            }
            return builder.username(parameter).build();
        });
    }

    protected Event getInvalidContactEvent(RequestContext requestContext) {
        return getErrorEvent("contact.invalid", "Provided email address or phone number is invalid", requestContext);
    }

    protected boolean sendPasswordResetSmsToAccount(String str, URL url) throws Throwable {
        if (!StringUtils.isNotBlank(str)) {
            return false;
        }
        LOGGER.debug("Sending password reset URL [{}] via SMS to [{}]", url.toExternalForm(), str);
        SmsProperties sms = this.casProperties.getAuthn().getPm().getReset().getSms();
        return this.communicationsManager.sms(SmsRequest.builder().from(sms.getFrom()).to(List.of(str)).text(SmsBodyBuilder.builder().properties(sms).parameters(Map.of("url", url.toExternalForm())).build().get()).build());
    }

    protected EmailCommunicationResult sendPasswordResetEmailToAccount(String str, String str2, URL url, RequestContext requestContext) throws Throwable {
        EmailProperties mail = this.casProperties.getAuthn().getPm().getReset().getMail();
        Map wrap = CollectionUtils.wrap("url", url.toExternalForm());
        if (!StringUtils.isNotBlank(str2)) {
            return EmailCommunicationResult.builder().success(false).to(List.of(str2)).build();
        }
        Principal resolvedPrincipal = resolvedPrincipal(str);
        FunctionUtils.doIfNotNull(resolvedPrincipal, principal -> {
            wrap.put("principal", principal);
        });
        HttpServletRequest httpServletRequestFromExternalWebflowContext = WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext);
        Optional map = Optional.ofNullable(RequestContextUtils.getLocaleResolver(httpServletRequestFromExternalWebflowContext)).map(localeResolver -> {
            return localeResolver.resolveLocale(httpServletRequestFromExternalWebflowContext);
        });
        String str3 = EmailMessageBodyBuilder.builder().properties(mail).parameters(wrap).locale(map).build().get();
        LOGGER.debug("Sending password reset URL [{}] via email to [{}] for username [{}]", new Object[]{url, str2, str});
        return this.communicationsManager.email(EmailMessageRequest.builder().emailProperties(mail).principal(resolvedPrincipal).to(List.of(str2)).locale((Locale) map.orElseGet(Locale::getDefault)).body(str3).build());
    }

    protected Event getErrorEvent(String str, String str2, RequestContext requestContext) {
        WebUtils.addErrorMessageToContext(requestContext, "screen.pm.reset." + str, str2);
        LOGGER.error(str2);
        return new EventFactorySupport().event(this, "error");
    }

    protected URL buildPasswordResetUrl(String str, WebApplicationService webApplicationService) throws Throwable {
        return this.passwordResetUrlBuilder.build(str, webApplicationService);
    }

    @Generated
    public SendPasswordResetInstructionsAction(CasConfigurationProperties casConfigurationProperties, CommunicationsManager communicationsManager, PasswordManagementService passwordManagementService, TicketRegistry ticketRegistry, TicketFactory ticketFactory, PrincipalResolver principalResolver, PasswordResetUrlBuilder passwordResetUrlBuilder, MultifactorAuthenticationProviderSelector multifactorAuthenticationProviderSelector, AuthenticationSystemSupport authenticationSystemSupport, ApplicationContext applicationContext) {
        this.casProperties = casConfigurationProperties;
        this.communicationsManager = communicationsManager;
        this.passwordManagementService = passwordManagementService;
        this.ticketRegistry = ticketRegistry;
        this.ticketFactory = ticketFactory;
        this.principalResolver = principalResolver;
        this.passwordResetUrlBuilder = passwordResetUrlBuilder;
        this.multifactorAuthenticationProviderSelector = multifactorAuthenticationProviderSelector;
        this.authenticationSystemSupport = authenticationSystemSupport;
        this.applicationContext = applicationContext;
    }
}
