package pl.edu.icm.synat.unity.stdext.credential;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.node.ArrayNode;
import com.fasterxml.jackson.databind.node.ObjectNode;
import edu.vt.middleware.password.AlphabeticalSequenceRule;
import edu.vt.middleware.password.CharacterCharacteristicsRule;
import edu.vt.middleware.password.DigitCharacterRule;
import edu.vt.middleware.password.LengthRule;
import edu.vt.middleware.password.LowercaseCharacterRule;
import edu.vt.middleware.password.NonAlphanumericCharacterRule;
import edu.vt.middleware.password.NumericalSequenceRule;
import edu.vt.middleware.password.Password;
import edu.vt.middleware.password.PasswordData;
import edu.vt.middleware.password.PasswordValidator;
import edu.vt.middleware.password.QwertySequenceRule;
import edu.vt.middleware.password.RepeatCharacterRegexRule;
import edu.vt.middleware.password.UppercaseCharacterRule;
import java.util.ArrayList;
import java.util.Date;
import java.util.Deque;
import java.util.Iterator;
import java.util.Random;
import org.apache.log4j.Logger;
import pl.edu.icm.synat.unity.stdext.utils.PasswordUtils;
import pl.edu.icm.unity.Constants;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.exceptions.IllegalCredentialException;
import pl.edu.icm.unity.exceptions.IllegalPreviousCredentialException;
import pl.edu.icm.unity.exceptions.InternalException;
import pl.edu.icm.unity.notifications.NotificationProducer;
import pl.edu.icm.unity.server.authn.AbstractLocalVerificator;
import pl.edu.icm.unity.server.authn.AuthenticatedEntity;
import pl.edu.icm.unity.server.authn.AuthenticationException;
import pl.edu.icm.unity.server.authn.AuthenticationResult;
import pl.edu.icm.unity.server.authn.CredentialHelper;
import pl.edu.icm.unity.server.authn.CredentialReset;
import pl.edu.icm.unity.server.authn.EntityWithCredential;
import pl.edu.icm.unity.server.authn.LocalSandboxAuthnContext;
import pl.edu.icm.unity.server.authn.remote.SandboxAuthnResultCallback;
import pl.edu.icm.unity.server.utils.Log;
import pl.edu.icm.unity.stdext.credential.CredentialResetImpl;
import pl.edu.icm.unity.stdext.credential.PasswordCredential;
import pl.edu.icm.unity.stdext.credential.PasswordExchange;
import pl.edu.icm.unity.stdext.credential.PasswordExtraInfo;
import pl.edu.icm.unity.stdext.credential.PasswordInfo;
import pl.edu.icm.unity.stdext.credential.PasswordToken;
import pl.edu.icm.unity.stdext.utils.CryptoUtils;
import pl.edu.icm.unity.types.authn.CredentialPublicInformation;
import pl.edu.icm.unity.types.authn.LocalCredentialState;

/* loaded from: input_file:pl/edu/icm/synat/unity/stdext/credential/PasswordVerificator.class */
public class PasswordVerificator extends AbstractLocalVerificator implements PasswordExchange {
    private static final Logger log = Log.getLogger("unity.server", PasswordVerificator.class);
    static final String[] IDENTITY_TYPES = {"userName", "email"};
    private NotificationProducer notificationProducer;
    private CredentialHelper credentialHelper;
    private Random random;
    private PasswordCredential credential;

    public PasswordVerificator(String str, String str2, NotificationProducer notificationProducer, CredentialHelper credentialHelper) {
        super(str, str2, "password exchange", true);
        this.random = new Random();
        this.credential = new PasswordCredential();
        this.notificationProducer = notificationProducer;
        this.credentialHelper = credentialHelper;
    }

    public String getSerializedConfiguration() throws InternalException {
        return this.credential.getSerializedConfiguration();
    }

    public void setSerializedConfiguration(String str) throws InternalException {
        this.credential.setSerializedConfiguration(str);
    }

    public String prepareCredential(String str, String str2, String str3) throws IllegalCredentialException, InternalException {
        Deque<PasswordInfo> passwords = PasswordCredentialDBState.fromJson(str3).getPasswords();
        PasswordToken loadFromJson = PasswordToken.loadFromJson(str);
        if (str2 != null && !passwords.isEmpty()) {
            PasswordToken loadFromJson2 = PasswordToken.loadFromJson(str2);
            if (!checkPasswordInternal(loadFromJson2.getPassword(), passwords.getFirst())) {
                throw new IllegalPreviousCredentialException("The current credential is incorrect");
            }
        }
        verifyNewPassword(loadFromJson.getExistingPassword(), loadFromJson.getPassword(), passwords);
        if (this.credential.getPasswordResetSettings().isEnabled() && this.credential.getPasswordResetSettings().isRequireSecurityQuestion()) {
            if (loadFromJson.getAnswer() == null || loadFromJson.getQuestion() == -1) {
                throw new IllegalCredentialException("The credential must select a security question and provide an answer for it");
            }
            if (loadFromJson.getQuestion() < 0 || loadFromJson.getQuestion() >= this.credential.getPasswordResetSettings().getQuestions().size()) {
                throw new IllegalCredentialException("The chosen answer for security question is invalid");
            }
        }
        PasswordInfo passwordInfo = new PasswordInfo(PasswordUtils.hash(loadFromJson.getPassword()), "");
        if (this.credential.getHistorySize() <= passwords.size() && !passwords.isEmpty()) {
            passwords.removeLast();
        }
        passwords.addFirst(passwordInfo);
        ObjectNode createObjectNode = Constants.MAPPER.createObjectNode();
        ArrayNode putArray = createObjectNode.putArray("passwords");
        for (PasswordInfo passwordInfo2 : passwords) {
            ObjectNode addObject = putArray.addObject();
            addObject.put("hash", passwordInfo2.getHash());
            addObject.put("salt", passwordInfo2.getSalt());
            addObject.put("time", passwordInfo2.getTime().getTime());
        }
        createObjectNode.put("outdated", false);
        if (this.credential.getPasswordResetSettings().isEnabled() && this.credential.getPasswordResetSettings().isRequireSecurityQuestion()) {
            String str4 = (String) this.credential.getPasswordResetSettings().getQuestions().get(loadFromJson.getQuestion());
            createObjectNode.put("question", str4);
            createObjectNode.put("answerHash", CryptoUtils.hash(loadFromJson.getAnswer().toLowerCase(), str4));
        }
        try {
            return Constants.MAPPER.writeValueAsString(createObjectNode);
        } catch (JsonProcessingException e) {
            throw new InternalException("Can't serialize password credential to JSON", e);
        }
    }

    public String invalidate(String str) {
        try {
            ObjectNode readTree = Constants.MAPPER.readTree(str);
            readTree.put("outdated", true);
            return Constants.MAPPER.writeValueAsString(readTree);
        } catch (Exception e) {
            throw new InternalException("Can't deserialize password credential from JSON", e);
        }
    }

    public CredentialPublicInformation checkCredentialState(String str) throws InternalException {
        PasswordCredentialDBState fromJson = PasswordCredentialDBState.fromJson(str);
        Deque<PasswordInfo> passwords = fromJson.getPasswords();
        if (passwords.isEmpty()) {
            return new CredentialPublicInformation(LocalCredentialState.notSet, "");
        }
        String json = new PasswordExtraInfo(passwords.getFirst().getTime(), fromJson.getSecurityQuestion()).toJson();
        return isCurrentCredentialOutdated(fromJson) ? new CredentialPublicInformation(LocalCredentialState.outdated, json) : new CredentialPublicInformation(LocalCredentialState.correct, json);
    }

    public AuthenticationResult checkPassword(String str, String str2, SandboxAuthnResultCallback sandboxAuthnResultCallback) {
        AuthenticationResult checkPasswordInternal = checkPasswordInternal(str, str2);
        if (sandboxAuthnResultCallback != null) {
            sandboxAuthnResultCallback.sandboxedAuthenticationDone(new LocalSandboxAuthnContext(checkPasswordInternal));
        }
        return checkPasswordInternal;
    }

    public AuthenticationResult checkPasswordInternal(String str, String str2) {
        try {
            EntityWithCredential resolveIdentity = this.identityResolver.resolveIdentity(str, IDENTITY_TYPES, this.credentialName);
            try {
                PasswordCredentialDBState fromJson = PasswordCredentialDBState.fromJson(resolveIdentity.getCredentialValue());
                Deque<PasswordInfo> passwords = fromJson.getPasswords();
                if (passwords.isEmpty()) {
                    log.debug("The user has no password set: " + str);
                    return new AuthenticationResult(AuthenticationResult.Status.deny, (AuthenticatedEntity) null);
                }
                if (!checkPasswordInternal(str2, passwords.getFirst())) {
                    log.debug("Password provided by " + str + " is invalid");
                    return new AuthenticationResult(AuthenticationResult.Status.deny, (AuthenticatedEntity) null);
                }
                return new AuthenticationResult(AuthenticationResult.Status.success, new AuthenticatedEntity(Long.valueOf(resolveIdentity.getEntityId()), str, isCurrentPasswordOutdated(str2, fromJson, resolveIdentity)));
            } catch (Exception e) {
                log.debug("Error during password verification for " + str, e);
                return new AuthenticationResult(AuthenticationResult.Status.deny, (AuthenticatedEntity) null);
            }
        } catch (Exception e2) {
            log.debug("The user for password authN can not be found: " + str, e2);
            return new AuthenticationResult(AuthenticationResult.Status.deny, (AuthenticatedEntity) null);
        }
    }

    private boolean checkPasswordInternal(String str, PasswordInfo passwordInfo) {
        return PasswordUtils.validate(passwordInfo.getHash(), str);
    }

    public CredentialReset getCredentialResetBackend() {
        return new CredentialResetImpl(this.notificationProducer, this.identityResolver, this, this.credentialHelper, this.credentialName, getSerializedConfiguration(), this.credential.getPasswordResetSettings());
    }

    private boolean isCurrentPasswordOutdated(String str, PasswordCredentialDBState passwordCredentialDBState, EntityWithCredential entityWithCredential) throws AuthenticationException {
        if (isCurrentCredentialOutdated(passwordCredentialDBState)) {
            return true;
        }
        if (getPasswordValidator().validate(new PasswordData(new Password(str))).isValid()) {
            return false;
        }
        try {
            this.credentialHelper.updateCredential(entityWithCredential.getEntityId(), entityWithCredential.getCredentialName(), invalidate(entityWithCredential.getCredentialValue()));
            return true;
        } catch (EngineException e) {
            throw new AuthenticationException("Problem invalidating outdated credential", e);
        }
    }

    private boolean isCurrentCredentialOutdated(PasswordCredentialDBState passwordCredentialDBState) {
        if (passwordCredentialDBState.isOutdated()) {
            return true;
        }
        if (passwordCredentialDBState.getSecurityQuestion() == null && this.credential.getPasswordResetSettings().isEnabled() && this.credential.getPasswordResetSettings().isRequireSecurityQuestion()) {
            return true;
        }
        return new Date().after(new Date(passwordCredentialDBState.getPasswords().getFirst().getTime().getTime() + this.credential.getMaxAge()));
    }

    private void verifyNewPassword(String str, String str2, Deque<PasswordInfo> deque) throws IllegalCredentialException {
        if (!getPasswordValidator().validate(new PasswordData(new Password(str2))).isValid()) {
            throw new IllegalCredentialException("Password is too weak");
        }
        Iterator<PasswordInfo> it = deque.iterator();
        while (it.hasNext()) {
            if (PasswordUtils.validate(it.next().getHash(), str2)) {
                throw new IllegalCredentialException("The same password was recently used");
            }
        }
    }

    private PasswordValidator getPasswordValidator() {
        ArrayList arrayList = new ArrayList();
        arrayList.add(new LengthRule(this.credential.getMinLength(), 512));
        CharacterCharacteristicsRule characterCharacteristicsRule = new CharacterCharacteristicsRule();
        characterCharacteristicsRule.getRules().add(new DigitCharacterRule(1));
        characterCharacteristicsRule.getRules().add(new NonAlphanumericCharacterRule(1));
        characterCharacteristicsRule.getRules().add(new UppercaseCharacterRule(1));
        characterCharacteristicsRule.getRules().add(new LowercaseCharacterRule(1));
        characterCharacteristicsRule.setNumberOfCharacteristics(this.credential.getMinClassesNum());
        arrayList.add(characterCharacteristicsRule);
        if (this.credential.isDenySequences()) {
            arrayList.add(new AlphabeticalSequenceRule());
            arrayList.add(new NumericalSequenceRule(3, true));
            arrayList.add(new QwertySequenceRule());
            arrayList.add(new RepeatCharacterRegexRule(4));
        }
        return new PasswordValidator(arrayList);
    }

    public String prepareCredential(String str, String str2) throws IllegalCredentialException, InternalException {
        return prepareCredential(str, null, str2);
    }
}
