package an.xacml.policy.function.userdb;

import an.xacml.IndeterminateException;
import an.xacml.engine.EvaluationContext;
import an.xacml.policy.AttributeValue;
import an.xacml.policy.function.BuiltInFunction;
import java.net.URI;
import java.util.HashMap;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Required;
import pl.edu.icm.yadda.aas.retrievers.AttributeRetrieverHelper;
import pl.edu.icm.yadda.common.pagination.PaginationResult;
import pl.edu.icm.yadda.service2.user.UserCatalog;
import pl.edu.icm.yadda.service2.user.exception.DomainNotSpecifiedException;
import pl.edu.icm.yadda.service2.user.exception.TokenVerificationException;
import pl.edu.icm.yadda.service2.user.model.UserData;
import pl.edu.icm.yadda.service2.user.token.LoginPasswordToken;

/* loaded from: input_file:WEB-INF/lib/yadda-aas2-4.4.0.jar:an/xacml/policy/function/userdb/VerifyPasswordUserDBFunction.class */
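/**
 * XACML built-in function {@code urn:yadda:function:userdb:verify-password}: checks a
 * login/password pair against the configured {@link UserCatalog}.
 *
 * <p>Arguments are read positionally from the {@code Object[]} handed to {@link #invoke}:
 * index 0 is the login (or the e-mail address when {@code identifyByEmail} is set),
 * index 1 is the password, and the optional index 2 is a domain.
 *
 * <p>NOTE(review): no attempt counting, lockout or rate limiting is visible in this class;
 * presumably that is enforced by the {@code UserCatalog} or by the caller. Confirm.
 */
public class VerifyPasswordUserDBFunction implements BuiltInFunction {
    public static final URI FUNCTION_ID = URI.create("urn:yadda:function:userdb:verify-password");
    protected UserCatalog userCatalog;
    protected String predefinedDomain;
    protected final Logger log = LoggerFactory.getLogger(getClass());
    protected boolean identifyByEmail = false;

    /** Returns the constant identifier of this function, {@link #FUNCTION_ID}. */
    @Override // an.xacml.policy.function.BuiltInFunction
    public URI getFunctionId() {
        return FUNCTION_ID;
    }

    /**
     * Verifies the supplied credentials.
     *
     * @param evaluationContext evaluation context; its request is consulted for the domain
     * @param objArr            function arguments, each expected to be an {@link AttributeValue}
     *                          wrapping a {@code String}: login or e-mail, password, optional domain
     * @return {@link AttributeValue#TRUE} when {@code verifyToken} completes without a
     *         {@link TokenVerificationException}, {@link AttributeValue#FALSE} when it throws one
     * @throws IndeterminateException when fewer than two arguments are passed, or when the
     *                                e-mail lookup does not resolve to exactly one user
     * @throws Exception              anything else raised by the casts or the user catalog
     */
    @Override // an.xacml.policy.function.BuiltInFunction
    public Object invoke(EvaluationContext evaluationContext, Object[] objArr) throws Exception {
        if (objArr == null || objArr.length < 2) {
            int received = objArr == null ? 0 : objArr.length;
            throw new IndeterminateException("invalid number of parameters passed: " + received + "; Expected at least 2 parameters!");
        }
        // NOTE(review): a non-AttributeValue argument or a non-String value surfaces as a
        // ClassCastException rather than an IndeterminateException.
        String domain = getDomain(evaluationContext, objArr);
        String identifier = (String) ((AttributeValue) objArr[0]).getValue();
        String userId = this.identifyByEmail ? getUserIdForEmail(identifier, domain) : identifier;
        String password = (String) ((AttributeValue) objArr[1]).getValue();

        LoginPasswordToken token = new LoginPasswordToken();
        token.setLogin(userId);
        token.setDomain(domain);
        token.setPassword(password);
        try {
            this.userCatalog.verifyToken(token);
            return AttributeValue.TRUE;
        } catch (TokenVerificationException e) {
            // The login comes from the request, so control characters are neutralised before it
            // reaches the log; otherwise an embedded line break could forge log entries.
            // Only the user id is logged here; the password must never be added to these messages.
            String safeUser = sanitizeForLog(userId);
            switch (e.getReason()) {
                case NOT_FOUND:
                    this.log.debug("user {} or password couldn't be found!", safeUser);
                    break;
                case TOKEN_INVALID:
                    this.log.debug("user {}: password doesn't match!", safeUser);
                    break;
                case FOUND_EXPIRED:
                    this.log.debug("user {}: password expired!", safeUser);
                    break;
                case FOUND_INACTIVE:
                    this.log.debug("user {}: password inactive!", safeUser);
                    break;
                default:
                    this.log.debug("exception occurred when validating password for user {}!", safeUser, e);
                    break;
            }
            // Every verification failure maps to the same FALSE result, whatever the reason.
            return AttributeValue.FALSE;
        }
    }

    /**
     * Picks the domain to authenticate against: the domain found in the request wins, then the
     * third function argument if present, then the configured {@code predefinedDomain}.
     *
     * @param evaluationContext context whose request is inspected for a domain
     * @param objArr            function arguments; index 2, when present, is read as the domain
     * @return the selected domain, possibly {@code null} when no source supplies one
     * @throws IndeterminateException declared by the signature; not thrown by the visible code
     */
    protected String getDomain(EvaluationContext evaluationContext, Object[] objArr) throws IndeterminateException {
        String domainFromRequest = AttributeRetrieverHelper.getDomainFromRequest(evaluationContext.getRequest());
        if (domainFromRequest != null) {
            return domainFromRequest;
        }
        if (objArr.length > 2) {
            return (String) ((AttributeValue) objArr[2]).getValue();
        }
        return this.predefinedDomain;
    }

    /**
     * Resolves an e-mail address to a user id by searching the catalog with an {@code email}
     * filter; exactly one match is required.
     *
     * <p>NOTE(review): an unknown or ambiguous e-mail raises {@link IndeterminateException},
     * while a wrong password makes {@link #invoke} return FALSE. If the caller exposes those two
     * outcomes differently, the response reveals whether an e-mail is registered; the exception
     * text also carries the e-mail and domain. Confirm how callers surface both.
     *
     * @param str  e-mail address to look up
     * @param str2 domain passed to the catalog search
     * @return id of the single matching user
     * @throws IndeterminateException when zero or several users match, or when the catalog
     *                                reports that a domain is required
     */
    protected String getUserIdForEmail(String str, String str2) throws IndeterminateException {
        try {
            // Raw type kept: the parameter type expected by searchUsers is not visible here.
            HashMap hashMap = new HashMap();
            hashMap.put("email", str);
            // NOTE(review): 0 / Integer.MAX_VALUE look like the first index and the page size;
            // only "none, one, or several" is needed, so a small limit would suffice. Confirm.
            PaginationResult<UserData> searchUsers = this.userCatalog.searchUsers(str2, null, null, hashMap, null, 0, Integer.MAX_VALUE, new UserData.UserDataParts[0]);
            if (searchUsers == null || searchUsers.getResults() == null || searchUsers.getResults().size() <= 0) {
                throw new IndeterminateException("unable to find user for email: " + str + " in domain: " + str2);
            }
            if (searchUsers.getResults().size() == 1) {
                return searchUsers.getResults().iterator().next().getUser().getId();
            }
            throw new IndeterminateException("got " + searchUsers.getResults().size() + " users for email: " + str + " in domain: " + str2);
        } catch (DomainNotSpecifiedException e) {
            throw new IndeterminateException("domain was not specified but this implementation requires one", e);
        }
    }

    /** Returns {@code null}; this function exposes no attributes. */
    @Override // an.xacml.policy.function.BuiltInFunction
    public Object[] getAllAttributes() {
        return null;
    }

    /** Returns {@code null} for every key; this function exposes no attributes. */
    @Override // an.xacml.policy.function.BuiltInFunction
    public Object getAttribute(Object obj) {
        return null;
    }

    /** Injects the user catalog used for token verification and e-mail lookup. */
    @Required
    public void setUserCatalog(UserCatalog userCatalog) {
        this.userCatalog = userCatalog;
    }

    /** Sets the fallback domain used when neither the request nor the arguments carry one. */
    public void setPredefinedDomain(String str) {
        this.predefinedDomain = str;
    }

    /** When {@code true}, the first argument is treated as an e-mail and resolved to a user id. */
    public void setIdentifyByEmail(boolean z) {
        this.identifyByEmail = z;
    }

    /**
     * Replaces ISO control characters (including CR and LF) with {@code '_'} so that a
     * request-supplied value cannot break a log line. {@code null} is passed through.
     */
    private static String sanitizeForLog(String value) {
        if (value == null) {
            return null;
        }
        StringBuilder cleaned = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            cleaned.append(Character.isISOControl(c) ? '_' : c);
        }
        return cleaned.toString();
    }
}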
