package org.wso2.carbon.identity.password.expiry;

import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Iterator;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.application.authentication.framework.config.model.AuthenticatorConfig;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.PostAuthenticationFailedException;
import org.wso2.carbon.identity.application.authentication.framework.exception.UserIdNotFoundException;
import org.wso2.carbon.identity.application.authentication.framework.handler.request.AbstractPostAuthnHandler;
import org.wso2.carbon.identity.application.authentication.framework.handler.request.PostAuthnHandlerFlowStatus;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedIdPData;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.common.model.User;
import org.wso2.carbon.identity.governance.service.notification.NotificationChannels;
import org.wso2.carbon.identity.password.expiry.constants.PasswordPolicyConstants;
import org.wso2.carbon.identity.password.expiry.util.PasswordPolicyUtils;
import org.wso2.carbon.identity.recovery.IdentityRecoveryException;
import org.wso2.carbon.identity.recovery.RecoveryScenarios;
import org.wso2.carbon.identity.recovery.RecoverySteps;
import org.wso2.carbon.identity.recovery.model.UserRecoveryData;
import org.wso2.carbon.identity.recovery.store.JDBCRecoveryDataStore;
import org.wso2.carbon.identity.recovery.store.UserRecoveryDataStore;
import org.wso2.carbon.identity.recovery.util.Utils;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/identity/password/expiry/EnforcePasswordResetAuthenticationHandler.class */
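/**
 * Post-authentication handler that enforces a password reset for expired passwords.
 * <p>
 * After a login that went through the basic authenticator of the IdP keyed by
 * {@code PasswordPolicyConstants.AUTHENTICATOR_TYPE}, and only when password expiry is enabled for the
 * user's tenant, the handler checks whether the local user's password has expired. If it has, all existing
 * recovery data for the user is invalidated, a fresh {@code PASSWORD_EXPIRY} confirmation code is stored, and
 * the response is redirected to the tenant's password reset page; the flow is then reported as
 * {@link PostAuthnHandlerFlowStatus#INCOMPLETE}. Every other case completes the flow unchanged.
 * <p>
 * Federated users and flows without the basic authenticator are never redirected.
 */
public class EnforcePasswordResetAuthenticationHandler extends AbstractPostAuthnHandler {

    private static final Log log = LogFactory.getLog(EnforcePasswordResetAuthenticationHandler.class);

    // Pre-encoded once: the message is a constant, so the cost is paid at class load rather than per redirect.
    private static final String ENCODED_PASSWORD_EXPIRED_MSG =
            URLEncoder.encode(PasswordPolicyConstants.PASSWORD_EXPIRED_ERROR_MESSAGE, StandardCharsets.UTF_8);

    /**
     * Decides whether the authenticated user must reset an expired password before the flow may finish.
     *
     * @param httpServletRequest     the current request (not read by this handler)
     * @param httpServletResponse    the response that receives the reset-page redirect when the password has expired
     * @param authenticationContext  the framework context holding the authenticated user and the IdPs used
     * @return {@code INCOMPLETE} when the user was redirected to the reset page, otherwise {@code SUCCESS_COMPLETED}
     * @throws PostAuthenticationFailedException if the confirmation code cannot be generated or the redirect
     *                                           cannot be written
     */
    @SuppressFBWarnings({"CRLF_INJECTION_LOGS"})
    public PostAuthnHandlerFlowStatus handle(HttpServletRequest httpServletRequest,
                                             HttpServletResponse httpServletResponse,
                                             AuthenticationContext authenticationContext)
            throws PostAuthenticationFailedException {

        AuthenticatedUser authenticatedUser = getAuthenticatedUser(authenticationContext);
        if (authenticatedUser == null) {
            if (log.isDebugEnabled()) {
                log.debug("No authenticated user found. Hence returning without handling password expiry");
            }
            return PostAuthnHandlerFlowStatus.SUCCESS_COMPLETED;
        }

        String tenantDomain = authenticatedUser.getTenantDomain();

        // Expiry enforcement applies only when the relevant IdP took part in this flow and the tenant has the
        // policy switched on; the policy lookup is deliberately evaluated after the cheap map check.
        if (!authenticationContext.getCurrentAuthenticatedIdPs().containsKey(PasswordPolicyConstants.AUTHENTICATOR_TYPE)
                || !PasswordPolicyUtils.isPasswordExpiryEnabled(tenantDomain)) {
            return PostAuthnHandlerFlowStatus.SUCCESS_COMPLETED;
        }

        // Only a local user who authenticated with the basic authenticator owns a password this server can expire.
        if (!isAuthenticatedWithBasicAuthenticator(authenticationContext) || authenticatedUser.isFederatedUser()) {
            return PostAuthnHandlerFlowStatus.SUCCESS_COMPLETED;
        }

        String tenantAwareUsername =
                MultitenantUtils.getTenantAwareUsername(authenticatedUser.toFullQualifiedUsername());
        if (!PasswordPolicyUtils.isPasswordExpired(tenantDomain, tenantAwareUsername)) {
            return PostAuthnHandlerFlowStatus.SUCCESS_COMPLETED;
        }

        if (log.isDebugEnabled()) {
            try {
                // The user id (not the username) is logged; CRLF_INJECTION_LOGS is suppressed for this call.
                log.debug(String.format("User: %s password has expired.", authenticatedUser.getUserId()));
            } catch (UserIdNotFoundException e) {
                log.error("User id not found.", e);
            }
        }

        // Issue the single-use confirmation code first so the redirect never carries a stale or absent code.
        redirectToPasswordResetPage(httpServletResponse, tenantDomain, generateNewConfirmationCode(authenticatedUser));
        return PostAuthnHandlerFlowStatus.INCOMPLETE;
    }

    /**
     * Returns the handler name registered with the framework.
     *
     * @return {@code PasswordPolicyConstants.ENFORCE_PASSWORD_RESET_HANDLER}
     */
    public String getName() {
        return PasswordPolicyConstants.ENFORCE_PASSWORD_RESET_HANDLER;
    }

    /**
     * Reads the authenticated user from the sequence config of the context.
     *
     * @param authenticationContext the current authentication context
     * @return the authenticated user, or {@code null} when the sequence has none
     */
    private AuthenticatedUser getAuthenticatedUser(AuthenticationContext authenticationContext) {
        return authenticationContext.getSequenceConfig().getAuthenticatedUser();
    }

    /**
     * Checks whether the IdP keyed by {@code PasswordPolicyConstants.AUTHENTICATOR_TYPE} authenticated the user
     * through the basic authenticator in this flow.
     * <p>
     * Callers must have verified that the key is present in {@code getCurrentAuthenticatedIdPs()}.
     *
     * @param authenticationContext the current authentication context
     * @return {@code true} if any authenticator of that IdP is named {@code PasswordPolicyConstants.BASIC_AUTHENTICATOR}
     */
    private static boolean isAuthenticatedWithBasicAuthenticator(AuthenticationContext authenticationContext) {
        AuthenticatedIdPData idPData =
                authenticationContext.getCurrentAuthenticatedIdPs().get(PasswordPolicyConstants.AUTHENTICATOR_TYPE);
        for (AuthenticatorConfig authenticatorConfig : idPData.getAuthenticators()) {
            if (PasswordPolicyConstants.BASIC_AUTHENTICATOR.equals(authenticatorConfig.getName())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Invalidates any existing recovery data for the user and stores a new {@code PASSWORD_EXPIRY} /
     * {@code UPDATE_PASSWORD} recovery record, returning its secret key.
     * <p>
     * The returned key is a bearer secret: whoever presents it to the reset page may set a new password, so it is
     * only ever handed to the browser in the redirect produced by
     * {@link #redirectToPasswordResetPage(HttpServletResponse, String, String)}.
     *
     * @param authenticatedUser the user whose password has expired
     * @return the newly generated confirmation code
     * @throws PostAuthenticationFailedException wrapping the {@link IdentityRecoveryException} raised by the
     *                                           recovery store or key generator
     */
    private String generateNewConfirmationCode(AuthenticatedUser authenticatedUser)
            throws PostAuthenticationFailedException {

        User user = new User();
        user.setUserName(authenticatedUser.getUserName());
        user.setTenantDomain(authenticatedUser.getTenantDomain());
        user.setUserStoreDomain(authenticatedUser.getUserStoreDomain());
        try {
            UserRecoveryDataStore recoveryDataStore = JDBCRecoveryDataStore.getInstance();
            // Any earlier recovery code for this user stops working once a new one is issued.
            recoveryDataStore.invalidate(user);
            String secretKey = Utils.generateSecretKey(NotificationChannels.EXTERNAL_CHANNEL.getChannelType(),
                    user.getTenantDomain(), RecoveryScenarios.PASSWORD_EXPIRY.name());
            recoveryDataStore.store(new UserRecoveryData(user, secretKey, RecoveryScenarios.PASSWORD_EXPIRY,
                    RecoverySteps.UPDATE_PASSWORD));
            return secretKey;
        } catch (IdentityRecoveryException e) {
            throw new PostAuthenticationFailedException(
                    PasswordPolicyConstants.ErrorMessages.ERROR_WHILE_GENERATING_CONFIRMATION_CODE.getCode(),
                    PasswordPolicyConstants.ErrorMessages.ERROR_WHILE_GENERATING_CONFIRMATION_CODE.getMessage(), e);
        }
    }

    /**
     * Sends the browser to the tenant's password reset page with the confirmation code and the expiry message as
     * query parameters.
     * <p>
     * The redirect target is derived from the tenant domain of the authenticated user via
     * {@code PasswordPolicyUtils.getPasswordResetPageUrl}, not from any request parameter, which is why
     * UNVALIDATED_REDIRECT is suppressed here.
     *
     * @param httpServletResponse the response to redirect
     * @param tenantDomain        tenant whose reset page URL is used
     * @param confirmationCode    the freshly generated recovery secret to pass along
     * @throws PostAuthenticationFailedException wrapping the {@link IOException} from {@code sendRedirect}
     */
    @SuppressFBWarnings({"UNVALIDATED_REDIRECT"})
    private void redirectToPasswordResetPage(HttpServletResponse httpServletResponse, String tenantDomain,
                                             String confirmationCode) throws PostAuthenticationFailedException {

        // Encode the code as a query value like the message already is; for the generator's current output this
        // is a no-op, and it keeps the URL well-formed should the key format ever include reserved characters.
        String queryParams = PasswordPolicyConstants.CONFIRMATION_QUERY_PARAM
                + URLEncoder.encode(confirmationCode, StandardCharsets.UTF_8)
                + PasswordPolicyConstants.PASSWORD_EXPIRED_QUERY_PARAMS
                + PasswordPolicyConstants.PASSWORD_EXPIRED_MSG_QUERY_PARAM
                + ENCODED_PASSWORD_EXPIRED_MSG;
        try {
            httpServletResponse.sendRedirect(FrameworkUtils.appendQueryParamsStringToUrl(
                    PasswordPolicyUtils.getPasswordResetPageUrl(tenantDomain), queryParams));
        } catch (IOException e) {
            throw new PostAuthenticationFailedException(
                    PasswordPolicyConstants.ErrorMessages.ERROR_WHILE_REDIRECTING_TO_PASSWORD_RESET_PAGE.getCode(),
                    PasswordPolicyConstants.ErrorMessages.ERROR_WHILE_REDIRECTING_TO_PASSWORD_RESET_PAGE.getMessage(), e);
        }
    }
}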
