package org.wso2.carbon.identity.recovery.handler;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Map;
import java.util.UUID;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.application.common.model.User;
import org.wso2.carbon.identity.core.bean.context.MessageContext;
import org.wso2.carbon.identity.core.model.IdentityErrorMsgContext;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.event.IdentityEventException;
import org.wso2.carbon.identity.event.event.Event;
import org.wso2.carbon.identity.governance.IdentityMgtConstants;
import org.wso2.carbon.identity.recovery.IdentityRecoveryConstants;
import org.wso2.carbon.identity.recovery.IdentityRecoveryException;
import org.wso2.carbon.identity.recovery.RecoveryScenarios;
import org.wso2.carbon.identity.recovery.RecoverySteps;
import org.wso2.carbon.identity.recovery.model.UserRecoveryData;
import org.wso2.carbon.identity.recovery.util.Utils;
import org.wso2.carbon.user.core.UserStoreException;
import org.wso2.carbon.user.core.UserStoreManager;

/* loaded from: input_file:org/wso2/carbon/identity/recovery/handler/AdminForcedPasswordResetHandler.class */
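/**
 * Event handler for the "admin forced password reset" flow.
 *
 * <p>It reacts to three event names:
 * <ul>
 *   <li>{@code PRE_SET_USER_CLAIMS}: when the admin-forced-reset claim is set to true and at
 *       least one reset mode is enabled for the tenant, it generates a one-time secret, stores
 *       recovery data, marks the account locked and optionally triggers a notification;</li>
 *   <li>{@code PRE_AUTHENTICATION}: while recovery data for this flow exists, it rejects the
 *       login attempt with an error code describing the pending reset;</li>
 *   <li>{@code POST_UPDATE_CREDENTIAL_BY_ADMIN}: it invalidates any pending recovery data.</li>
 * </ul>
 *
 * <p>{@code getUser}, {@code getRecoveryData}, {@code setRecoveryData},
 * {@code invalidateRecoveryData}, {@code setUserClaim} and {@code triggerNotification} are not
 * defined in this class; presumably they are inherited from
 * {@link UserEmailVerificationHandler}.
 */
public class AdminForcedPasswordResetHandler extends UserEmailVerificationHandler {
    private static final Log log = LogFactory.getLog(AdminForcedPasswordResetHandler.class);

    /** Number of characters in a generated one-time password. */
    private static final int OTP_LENGTH = 6;

    /** Shared CSPRNG used for OTP generation; {@link SecureRandom} is safe for concurrent use. */
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();

    /**
     * Dispatches the event to the matching handler method based on its name.
     *
     * @param event the identity event; its properties must contain {@code userStoreManager}
     * @throws IdentityEventException if the selected handler rejects the operation or fails
     */
    @Override
    public void handleEvent(Event event) throws IdentityEventException {
        String eventName = event.getEventName();
        if (log.isDebugEnabled()) {
            log.debug("Handling event : " + eventName);
        }
        Map<String, Object> eventProperties = event.getEventProperties();
        UserStoreManager userStoreManager = (UserStoreManager) eventProperties.get("userStoreManager");
        // Literal-first equals keeps a null event name from throwing; at most one branch matches.
        if ("PRE_SET_USER_CLAIMS".equals(eventName)) {
            handleClaimUpdate(eventProperties, userStoreManager);
        } else if ("PRE_AUTHENTICATION".equals(eventName)) {
            handleAuthenticate(eventProperties, userStoreManager);
        } else if ("POST_UPDATE_CREDENTIAL_BY_ADMIN".equals(eventName)) {
            handleUpdateCredentialsByAdmin(eventProperties, userStoreManager);
        }
    }

    /**
     * Invalidates pending recovery data once an administrator has set a new credential, so a
     * previously issued OTP or recovery link can no longer be matched against stored data.
     *
     * @param map the event properties
     * @param userStoreManager the user store the event originated from
     * @throws IdentityEventException if recovery data cannot be read or invalidated
     */
    private void handleUpdateCredentialsByAdmin(Map<String, Object> map, UserStoreManager userStoreManager) throws IdentityEventException {
        User user = getUser(map, userStoreManager);
        if (log.isDebugEnabled()) {
            log.debug("PostUpdateCredentialsByAdmin - AdminForcedPasswordResetHandler for user : " + user.toString());
        }
        if (getRecoveryData(user) == null) {
            return;
        }
        invalidateRecoveryData(user);
        if (log.isDebugEnabled()) {
            log.debug("PostUpdateCredentialsByAdmin - invalidate Recovery Data for user : " + user.toString());
        }
    }

    /**
     * Starts a forced password reset when the admin-forced-reset claim is being set to true.
     *
     * <p>Nothing happens unless at least one of the offline, OTP or recovery-link modes is
     * enabled for the user's tenant. Otherwise the claim is consumed (removed from the update),
     * a secret is generated and stored as recovery data, lock claims are added to the update,
     * and a notification is sent for the OTP and recovery-link modes.
     *
     * @param map the event properties; {@code USER_CLAIMS} holds the claim map being written
     * @param userStoreManager the user store the event originated from
     * @throws IdentityEventException if storing data or sending the notification fails
     */
    protected void handleClaimUpdate(Map<String, Object> map, UserStoreManager userStoreManager) throws IdentityEventException {
        User user = getUser(map, userStoreManager);
        if (log.isDebugEnabled()) {
            // NOTE(review): this runs for PRE_SET_USER_CLAIMS although the text says
            // "PreAuthenticate"; the message is left unchanged so existing log searches still match.
            log.debug("PreAuthenticate - AdminForcedPasswordResetHandler for : " + user.toString());
        }
        @SuppressWarnings("unchecked") // USER_CLAIMS is read as a String-to-String claim map
        Map<String, String> claims = (Map<String, String>) map.get("USER_CLAIMS");
        if (claims == null) {
            // No claims in this update, so the forced-reset claim cannot be among them.
            return;
        }
        String tenantDomain = user.getTenantDomain();
        boolean offlineEnabled = Boolean.parseBoolean(Utils.getConnectorConfig(IdentityRecoveryConstants.ConnectorConfig.ENABLE_ADMIN_PASSWORD_RESET_OFFLINE, tenantDomain));
        boolean otpEnabled = Boolean.parseBoolean(Utils.getConnectorConfig(IdentityRecoveryConstants.ConnectorConfig.ENABLE_ADMIN_PASSWORD_RESET_WITH_OTP, tenantDomain));
        boolean linkEnabled = Boolean.parseBoolean(Utils.getConnectorConfig(IdentityRecoveryConstants.ConnectorConfig.ENABLE_ADMIN_PASSWORD_RESET_WITH_RECOVERY_LINK, tenantDomain));
        boolean anyModeEnabled = offlineEnabled || otpEnabled || linkEnabled;
        if (!anyModeEnabled || !Boolean.parseBoolean(claims.get(IdentityRecoveryConstants.ADMIN_FORCED_PASSWORD_RESET_CLAIM))) {
            return;
        }
        if (log.isDebugEnabled()) {
            log.debug("http://wso2.org/claims/identity/adminForcedPasswordReset update request.");
        }
        Utils.publishRecoveryEvent(map, "PRE_FORCE_PASSWORD_RESET_BY_ADMIN", null);
        // The trigger claim is consumed here so it is not persisted with the rest of the update.
        claims.remove(IdentityRecoveryConstants.ADMIN_FORCED_PASSWORD_RESET_CLAIM);

        String secret = generateOTPValue();
        RecoveryScenarios scenario = RecoveryScenarios.ADMIN_FORCED_PASSWORD_RESET_VIA_OTP;
        if (offlineEnabled) {
            // Offline mode writes the OTP as a claim value instead of relying on a notification.
            // NOTE(review): anyone able to read this claim can read the OTP - confirm the claim's
            // read permissions are restricted accordingly.
            claims.remove(IdentityRecoveryConstants.OTP_PASSWORD_CLAIM);
            setUserClaim(IdentityRecoveryConstants.OTP_PASSWORD_CLAIM, secret, userStoreManager, user);
        }
        String notificationType = otpEnabled ? IdentityRecoveryConstants.NOTIFICATION_TYPE_ADMIN_FORCED_PASSWORD_RESET_WITH_OTP : "";
        if (linkEnabled) {
            // The recovery-link mode takes precedence: the stored secret becomes a random UUID.
            // NOTE(review): with offline mode also enabled, the OTP claim written above keeps the
            // 6-character value while the recovery data holds this UUID - confirm that is intended.
            secret = UUID.randomUUID().toString();
            scenario = RecoveryScenarios.ADMIN_FORCED_PASSWORD_RESET_VIA_EMAIL_LINK;
            notificationType = IdentityRecoveryConstants.NOTIFICATION_TYPE_ADMIN_FORCED_PASSWORD_RESET;
        }
        // Drop any caller-supplied lock value; lockAccountOnAdminPasswordReset sets it below.
        claims.remove("http://wso2.org/claims/identity/accountLocked");
        setRecoveryData(user, scenario, RecoverySteps.UPDATE_PASSWORD, secret);
        lockAccountOnAdminPasswordReset(user, claims);
        if (otpEnabled || linkEnabled) {
            try {
                triggerNotification(user, notificationType, secret, Utils.getArbitraryProperties(), new UserRecoveryData(user, secret, scenario, RecoverySteps.UPDATE_PASSWORD));
                // NOTE(review): the generated secret is handed to the event publisher; verify that
                // downstream subscribers neither log nor persist it in clear text.
                Utils.publishRecoveryEvent(map, "POST_FORCE_PASSWORD_RESET_BY_ADMIN", secret);
            } catch (IdentityRecoveryException e) {
                throw new IdentityEventException("Error while sending  notification ", e);
            }
        }
    }

    /**
     * Rejects authentication while an admin-forced password reset is pending for the user.
     *
     * <p>For the recovery-link scenario the attempt fails with error code {@code 17006}. For the
     * OTP scenario the supplied credential is compared with the stored secret and the attempt
     * fails with {@code 17007} (OTP matches) or {@code 17008} (OTP does not match). Any other
     * scenario, or absent recovery data, lets authentication continue.
     *
     * @param map the event properties; {@code CREDENTIAL} holds the submitted credential
     * @param userStoreManager the user store the event originated from
     * @throws IdentityEventException always, when a forced reset is pending for the user
     */
    protected void handleAuthenticate(Map<String, Object> map, UserStoreManager userStoreManager) throws IdentityEventException {
        User user = getUser(map, userStoreManager);
        if (log.isDebugEnabled()) {
            log.debug("PreAuthenticate - AdminForcedPasswordResetHandler for user : " + user.toString());
        }
        UserRecoveryData recoveryData = getRecoveryData(user);
        if (recoveryData == null) {
            return;
        }
        Enum<?> scenario = recoveryData.getRecoveryScenario();
        if (log.isDebugEnabled()) {
            log.debug("Handling recovery scenario : " + scenario + " for user : " + user);
        }
        String errorCode;
        String message = "User : " + user;
        if (RecoveryScenarios.ADMIN_FORCED_PASSWORD_RESET_VIA_EMAIL_LINK.equals(scenario)) {
            errorCode = "17006";
            message = message + " needs to reset the password using the given link in email";
        } else if (RecoveryScenarios.ADMIN_FORCED_PASSWORD_RESET_VIA_OTP.equals(scenario)) {
            // Constant-time, null-safe comparison: a missing secret or credential counts as a
            // mismatch, and response timing does not reveal how much of the OTP was correct.
            if (secretMatches(recoveryData.getSecret(), (String) map.get("CREDENTIAL"))) {
                errorCode = "17007";
                message = message + " has given correct OTP";
            } else {
                errorCode = "17008";
                message = message + " has given in-correct OTP";
            }
        } else {
            // Recovery data belongs to a different flow; this handler does not block the login.
            return;
        }
        if (log.isDebugEnabled()) {
            log.debug(message);
        }
        IdentityUtil.setIdentityErrorMsg(new IdentityErrorMsgContext(errorCode));
        throw new IdentityEventException(message);
    }

    /**
     * Compares a stored secret with a user-supplied value without short-circuiting on the first
     * differing byte.
     *
     * @param expected the stored secret, may be {@code null}
     * @param supplied the value submitted by the caller, may be {@code null}
     * @return {@code true} only when both values are non-null and byte-for-byte equal
     */
    private static boolean secretMatches(String expected, String supplied) {
        if (expected == null || supplied == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), supplied.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Adds the lock claims for a pending forced reset to the claim map being written.
     *
     * @param user the affected user (used for the debug log only)
     * @param map the claim map of the current update; modified in place
     */
    private void lockAccountOnAdminPasswordReset(User user, Map<String, String> map) {
        if (log.isDebugEnabled()) {
            log.debug("Locking user account on admin forced password reset: " + user.getUserName());
        }
        map.put("http://wso2.org/claims/identity/accountLocked", Boolean.TRUE.toString());
        map.put(IdentityRecoveryConstants.ACCOUNT_LOCKED_REASON_CLAIM, IdentityMgtConstants.LockedReason.PENDING_ADMIN_FORCED_USER_PASSWORD_RESET.toString());
        map.put(IdentityRecoveryConstants.ACCOUNT_STATE_CLAIM_URI, "PENDING_FUPR");
    }

    /**
     * Writes the given claim values for the user through the user store manager.
     *
     * @param map the claim URIs and values to set
     * @param user the user whose claims are updated
     * @param userStoreManager the user store to write to
     * @throws IdentityEventException if the user store rejects the update
     */
    protected void setUserClaims(Map<String, String> map, User user, UserStoreManager userStoreManager) throws IdentityEventException {
        String userName = user.getUserName();
        try {
            userStoreManager.setUserClaimValues(userName, map, (String) null);
        } catch (UserStoreException e) {
            throw new IdentityEventException("Error while setting user claim value :" + user.getUserName(), e);
        }
    }

    /** @return the handler name, {@code adminForcedPasswordReset} */
    @Override
    public String getName() {
        return "adminForcedPasswordReset";
    }

    /** @return the display name of this handler */
    @Override
    public String getFriendlyName() {
        return "Admin Forced Password Reset";
    }

    /**
     * @param messageContext unused
     * @return the fixed priority value 27
     */
    @Override
    public int getPriority(MessageContext messageContext) {
        return 27;
    }

    /**
     * Generates a one-time password of {@link #OTP_LENGTH} characters drawn from
     * {@code IdentityRecoveryConstants.SMS_OTP_GENERATE_CHAR_SET} using a CSPRNG.
     *
     * <p>NOTE(review): a value this short is only as strong as the limit on guessing attempts;
     * that limit is not enforced in this class - confirm it is applied elsewhere.
     *
     * @return the generated OTP
     */
    private String generateOTPValue() {
        char[] alphabet = IdentityRecoveryConstants.SMS_OTP_GENERATE_CHAR_SET.toCharArray();
        StringBuilder otp = new StringBuilder(OTP_LENGTH);
        for (int i = 0; i < OTP_LENGTH; i++) {
            // nextInt(bound) yields a uniformly distributed index, so no character is favoured.
            otp.append(alphabet[SECURE_RANDOM.nextInt(alphabet.length)]);
        }
        return otp.toString();
    }
}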
