package org.apereo.cas.pm.ldap;

import java.io.Serializable;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.validator.routines.EmailValidator;
import org.apereo.cas.CipherExecutor;
import org.apereo.cas.authentication.Credential;
import org.apereo.cas.authentication.UsernamePasswordCredential;
import org.apereo.cas.configuration.model.support.pm.PasswordManagementProperties;
import org.apereo.cas.configuration.support.Beans;
import org.apereo.cas.pm.BasePasswordManagementService;
import org.apereo.cas.pm.PasswordChangeBean;
import org.apereo.cas.util.LdapUtils;
import org.apereo.inspektr.audit.annotation.Audit;
import org.ldaptive.LdapAttribute;
import org.ldaptive.LdapEntry;
import org.ldaptive.Response;
import org.ldaptive.SearchFilter;
import org.ldaptive.SearchResult;
import org.ldaptive.pool.PooledConnectionFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.Assert;

/* loaded from: input_file:org/apereo/cas/pm/ldap/LdapPasswordManagementService.class */
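/**
 * Password management service that resolves accounts in an LDAP directory.
 *
 * <p>Each operation builds a search filter from the configured user filter and the supplied
 * username, runs the search under the configured base DN, and then reads or modifies the
 * entry that comes back.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The username is always passed as a filter <em>parameter</em>, never concatenated into
 *       the filter text. NOTE(review): escaping of that parameter is assumed to happen inside
 *       the ldaptive {@code SearchFilter}; confirm against the ldaptive version in use.</li>
 *   <li>Debug logging records the result code and the entry DN only. The entry itself carries
 *       the attributes these methods read (email address, security answers), so the whole
 *       entry or response must not be written to the log.</li>
 *   <li>NOTE(review): a pooled connection factory is requested from {@code Beans} on every
 *       call and is not released here; confirm who owns its lifecycle.</li>
 * </ul>
 */
public class LdapPasswordManagementService extends BasePasswordManagementService {
    private static final Logger LOGGER = LoggerFactory.getLogger(LdapPasswordManagementService.class);

    /**
     * Creates the service. All three arguments are handed to the base class unchanged.
     *
     * @param cipherExecutor               cipher executor passed to the base class
     * @param str                          string value passed to the base class
     * @param passwordManagementProperties password management settings, including the LDAP block
     */
    public LdapPasswordManagementService(CipherExecutor<Serializable, String> cipherExecutor, String str, PasswordManagementProperties passwordManagementProperties) {
        super(cipherExecutor, str, passwordManagementProperties);
    }

    /**
     * Looks up the email address stored on the LDAP entry of the given user.
     *
     * @param str the username to search for
     * @return the value of the configured email attribute when it is a syntactically valid
     *         address; {@code null} when no entry or attribute is found, the value is not a
     *         valid address, or any exception occurs
     */
    @Override // org.apereo.cas.pm.PasswordManagementService
    public String findEmail(String str) {
        try {
            PasswordManagementProperties.Ldap ldap = this.passwordManagementProperties.getLdap();
            SearchFilter filter = Beans.newLdaptiveSearchFilter(ldap.getUserFilter(), "user", Arrays.asList(str));
            LOGGER.debug("Constructed LDAP filter [{}] to locate account email", filter);
            Response response = LdapUtils.executeSearchOperation(Beans.newLdaptivePooledConnectionFactory(ldap), ldap.getBaseDn(), filter);
            // Log the outcome only; the response object holds the returned entries.
            LOGGER.debug("LDAP response to locate account email has result code [{}]", response.getResultCode());
            if (!LdapUtils.containsResultEntry(response)) {
                LOGGER.error("Could not locate an LDAP entry for [{}] and base DN [{}]", filter.format(), ldap.getBaseDn());
                return null;
            }
            LdapEntry entry = ((SearchResult) response.getResult()).getEntry();
            LOGGER.debug("Found LDAP entry [{}] to use for the account email", entry.getDn());
            String emailAttributeName = this.passwordManagementProperties.getReset().getEmailAttribute();
            LdapAttribute emailAttribute = entry.getAttribute(emailAttributeName);
            if (emailAttribute == null) {
                LOGGER.error("Could not locate an LDAP attribute [{}] for [{}] and base DN [{}]", emailAttributeName, filter.format(), ldap.getBaseDn());
                return null;
            }
            String email = emailAttribute.getStringValue();
            LOGGER.debug("Found email address [{}] for user [{}]. Validating...", email, str);
            // The directory value is not trusted blindly: it is only returned when it is a valid address.
            if (EmailValidator.getInstance().isValid(email)) {
                LOGGER.debug("Email address [{}] matches a valid email address", email);
                return email;
            }
            LOGGER.error("Email [{}] is not a valid address", email);
            return null;
        } catch (Exception e) {
            LOGGER.error(e.getMessage(), e);
            return null;
        }
    }

    /**
     * Changes the password of the account identified by the credential.
     *
     * <p>The credential id is used to locate the entry; the credential's password is sent as
     * the current password and the bean's password as the new one.
     *
     * @param credential         the credential of the user; must be a {@link UsernamePasswordCredential}
     * @param passwordChangeBean carries the new password
     * @return {@code true} only when the password modify operation reports success;
     *         {@code false} when the credential type is unsupported, no entry is found, the
     *         modify fails, or any exception occurs
     * @throws IllegalArgumentException when either argument is {@code null}
     */
    @Override // org.apereo.cas.pm.PasswordManagementService
    @Audit(action = "CHANGE_PASSWORD", actionResolverName = "CHANGE_PASSWORD_ACTION_RESOLVER", resourceResolverName = "CHANGE_PASSWORD_RESOURCE_RESOLVER")
    public boolean change(Credential credential, PasswordChangeBean passwordChangeBean) {
        Assert.notNull(credential, "Credential cannot be null");
        Assert.notNull(passwordChangeBean, "PasswordChangeBean cannot be null");
        // Reject other credential types explicitly instead of relying on a ClassCastException
        // being swallowed by the generic handler below; the result (false) is the same.
        if (!(credential instanceof UsernamePasswordCredential)) {
            LOGGER.error("Credential type [{}] is not supported for password changes", credential.getClass().getName());
            return false;
        }
        try {
            PasswordManagementProperties.Ldap ldap = this.passwordManagementProperties.getLdap();
            UsernamePasswordCredential upc = (UsernamePasswordCredential) credential;
            SearchFilter filter = Beans.newLdaptiveSearchFilter(ldap.getUserFilter(), "user", Arrays.asList(upc.getId()));
            LOGGER.debug("Constructed LDAP filter [{}] to update account password", filter);
            PooledConnectionFactory connectionFactory = Beans.newLdaptivePooledConnectionFactory(ldap);
            Response response = LdapUtils.executeSearchOperation(connectionFactory, ldap.getBaseDn(), filter);
            LOGGER.debug("LDAP response to update password has result code [{}]", response.getResultCode());
            if (!LdapUtils.containsResultEntry(response)) {
                LOGGER.error("Could not locate an LDAP entry for [{}] and base DN [{}]", filter.format(), ldap.getBaseDn());
                return false;
            }
            // NOTE(review): only one entry of the result is used. Confirm the configured user
            // filter matches at most one account, so the modify cannot land on a different DN.
            String dn = ((SearchResult) response.getResult()).getEntry().getDn();
            LOGGER.debug("Updating account password for [{}]", dn);
            // Neither the current nor the new password is logged anywhere in this method.
            if (LdapUtils.executePasswordModifyOperation(dn, connectionFactory, upc.getPassword(), passwordChangeBean.getPassword(), ldap.getType())) {
                LOGGER.debug("Successfully updated the account password for [{}]", dn);
                return true;
            }
            LOGGER.error("Could not update the LDAP entry's password for [{}] and base DN [{}]", filter.format(), ldap.getBaseDn());
            return false;
        } catch (Exception e) {
            LOGGER.error(e.getMessage(), e);
            return false;
        }
    }

    /**
     * Reads the security questions and answers stored on the LDAP entry of the given user.
     *
     * <p>The configured mapping names, for each question, the attribute holding the question
     * text and the attribute holding its answer. A pair is skipped when either attribute is
     * missing or blank.
     *
     * @param str the username to search for
     * @return question text mapped to answer, in configuration order; empty when no entry is
     *         found or an exception occurs (never {@code null})
     */
    @Override // org.apereo.cas.pm.PasswordManagementService
    public Map<String, String> getSecurityQuestions(String str) {
        Map<String, String> questions = new LinkedHashMap<>();
        try {
            PasswordManagementProperties.Ldap ldap = this.passwordManagementProperties.getLdap();
            SearchFilter filter = Beans.newLdaptiveSearchFilter(ldap.getUserFilter(), "user", Arrays.asList(str));
            LOGGER.debug("Constructed LDAP filter [{}] to locate security questions", filter);
            Response response = LdapUtils.executeSearchOperation(Beans.newLdaptivePooledConnectionFactory(ldap), ldap.getBaseDn(), filter);
            LOGGER.debug("LDAP response for security questions has result code [{}]", response.getResultCode());
            if (!LdapUtils.containsResultEntry(response)) {
                LOGGER.debug("LDAP response did not contain a result for security questions");
                return questions;
            }
            LdapEntry entry = ((SearchResult) response.getResult()).getEntry();
            // The answers are read from this entry below, so only its DN goes to the log.
            LOGGER.debug("Located LDAP entry [{}] in the response", entry.getDn());
            // Typed as Map<String, String>: the keys and values are used as attribute names.
            Map<String, String> questionAttributes = ldap.getSecurityQuestionsAttributes();
            LOGGER.debug("Security question attributes are defined to be [{}]", questionAttributes);
            for (Map.Entry<String, String> pair : questionAttributes.entrySet()) {
                LdapAttribute question = entry.getAttribute(pair.getKey());
                LdapAttribute answer = entry.getAttribute(pair.getValue());
                if (question == null || answer == null) {
                    continue;
                }
                String questionText = question.getStringValue();
                String answerText = answer.getStringValue();
                if (StringUtils.isBlank(questionText) || StringUtils.isBlank(answerText)) {
                    continue;
                }
                // Only the question is logged; the answer acts as a secret.
                LOGGER.debug("Added security question [{}]", questionText);
                questions.put(questionText, answerText);
            }
        } catch (Exception e) {
            LOGGER.error(e.getMessage(), e);
        }
        return questions;
    }
}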
