package org.apereo.cas.pm.ldap;

import com.google.common.collect.Maps;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.UUID;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.validator.routines.EmailValidator;
import org.apereo.cas.CipherExecutor;
import org.apereo.cas.authentication.Credential;
import org.apereo.cas.authentication.UsernamePasswordCredential;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.support.pm.PasswordManagementProperties;
import org.apereo.cas.configuration.support.Beans;
import org.apereo.cas.pm.PasswordChangeBean;
import org.apereo.cas.pm.PasswordManagementService;
import org.apereo.cas.util.LdapUtils;
import org.apereo.inspektr.common.web.ClientInfo;
import org.apereo.inspektr.common.web.ClientInfoHolder;
import org.eclipse.jgit.lib.Constants;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.NumericDate;
import org.ldaptive.LdapAttribute;
import org.ldaptive.LdapEntry;
import org.ldaptive.Response;
import org.ldaptive.SearchFilter;
import org.ldaptive.SearchResult;
import org.ldaptive.pool.PooledConnectionFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.util.Assert;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-pm-5.0.3.1.jar:org/apereo/cas/pm/ldap/LdapPasswordManagementService.class */
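public class LdapPasswordManagementService implements PasswordManagementService {
    private static final Logger LOGGER = LoggerFactory.getLogger(LdapPasswordManagementService.class);

    /** JWT claim carrying the IP address of the client that requested the reset token. */
    private static final String CLAIM_CLIENT = "client";

    /**
     * JWT claim carrying the server-side IP address the token was minted on.
     * The decompiled source references JGit's {@code Constants.DEFAULT_REMOTE_NAME}
     * here (which evaluates to the literal {@code "origin"}); the same constant is
     * kept so tokens issued by the original build still verify.
     */
    private static final String CLAIM_ORIGIN = Constants.DEFAULT_REMOTE_NAME;

    @Autowired
    private CasConfigurationProperties casProperties;

    /** Encodes/decodes reset tokens; assumed to protect integrity so claims below can be trusted — confirm against the configured executor. */
    private final CipherExecutor<String, String> cipherExecutor;

    /**
     * Creates the service.
     *
     * @param cipherExecutor executor used to encode reset tokens on creation and decode them on parsing
     */
    public LdapPasswordManagementService(final CipherExecutor<String, String> cipherExecutor) {
        this.cipherExecutor = cipherExecutor;
    }

    /**
     * Looks up the e-mail address recorded for a user in LDAP.
     *
     * <p>The entry is located with the configured user filter (the username is passed
     * to {@code Beans.newSearchFilter} as a filter parameter rather than concatenated
     * into the filter string) and the address is read from the configured reset
     * e-mail attribute.
     *
     * @param str the username to look up
     * @return the address when an entry exists, has the attribute and the value passes
     * {@link EmailValidator}; {@code null} otherwise, including on any failure (which is logged)
     */
    @Override // org.apereo.cas.pm.PasswordManagementService
    public String findEmail(final String str) {
        try {
            final PasswordManagementProperties.Ldap ldap = this.casProperties.getAuthn().getPm().getLdap();
            final Response<SearchResult> response = LdapUtils.executeSearchOperation(
                    Beans.newPooledConnectionFactory(ldap),
                    ldap.getBaseDn(),
                    Beans.newSearchFilter(ldap.getUserFilter(), str));
            if (!LdapUtils.containsResultEntry(response)) {
                return null;
            }
            final String emailAttributeName = this.casProperties.getAuthn().getPm().getReset().getEmailAttribute();
            final LdapAttribute attribute = response.getResult().getEntry().getAttribute(emailAttributeName);
            if (attribute == null) {
                return null;
            }
            final String email = attribute.getStringValue();
            // Only hand back something that looks like an address; an unexpected value
            // in the attribute must not be used as a reset destination.
            return EmailValidator.getInstance().isValid(email) ? email : null;
        } catch (final Exception e) {
            LOGGER.error(e.getMessage(), e);
            return null;
        }
    }

    /**
     * Issues a password-reset token for the given user.
     *
     * <p>The token is a JWT whose issuer and audience are both the CAS server prefix,
     * whose expiration is the configured reset expiration in minutes, and which is bound
     * to the issuing server IP and the requesting client IP taken from
     * {@link ClientInfoHolder}. {@link #parseToken(String)} enforces all of these.
     *
     * @param str the username the token is issued for; becomes the JWT subject
     * @return the encoded token, or {@code null} on any failure (which is logged)
     */
    @Override // org.apereo.cas.pm.PasswordManagementService
    public String createToken(final String str) {
        try {
            final String serverPrefix = this.casProperties.getServer().getPrefix();
            final ClientInfo clientInfo = ClientInfoHolder.getClientInfo();

            final JwtClaims claims = new JwtClaims();
            // UUID.randomUUID() is backed by a cryptographically strong generator.
            claims.setJwtId(UUID.randomUUID().toString());
            claims.setIssuer(serverPrefix);
            claims.setAudience(serverPrefix);
            claims.setExpirationTimeMinutesInTheFuture(
                    this.casProperties.getAuthn().getPm().getReset().getExpirationMinutes());
            claims.setIssuedAtToNow();
            // Bind the token to where it was minted and who asked for it.
            claims.setStringClaim(CLAIM_ORIGIN, clientInfo.getServerIpAddress());
            claims.setStringClaim(CLAIM_CLIENT, clientInfo.getClientIpAddress());
            claims.setSubject(str);
            return this.cipherExecutor.encode(claims.toJson());
        } catch (final Exception e) {
            LOGGER.error(e.getMessage(), e);
            return null;
        }
    }

    /**
     * Changes a user's LDAP password.
     *
     * <p>The user's entry is located with the configured user filter and the password
     * modify operation is executed against its DN using the current password from the
     * credential and the new password from the change bean.
     *
     * @param credential         the user's credential; must be a {@link UsernamePasswordCredential}
     * @param passwordChangeBean holds the new password
     * @return {@code true} when the directory accepted the change; {@code false} when the entry
     * is not found, the modify fails, or any exception occurs (all logged)
     * @throws IllegalArgumentException if either argument is {@code null}
     */
    @Override // org.apereo.cas.pm.PasswordManagementService
    public boolean change(final Credential credential, final PasswordChangeBean passwordChangeBean) {
        Assert.notNull(credential, "Credential cannot be null");
        Assert.notNull(passwordChangeBean, "PasswordChangeBean cannot be null");
        try {
            final PasswordManagementProperties.Ldap ldap = this.casProperties.getAuthn().getPm().getLdap();
            // Any other credential type ends up in the catch below as a ClassCastException.
            final UsernamePasswordCredential upc = (UsernamePasswordCredential) credential;
            final SearchFilter filter = Beans.newSearchFilter(ldap.getUserFilter(), upc.getId());
            final PooledConnectionFactory connectionFactory = Beans.newPooledConnectionFactory(ldap);
            final Response<SearchResult> response = LdapUtils.executeSearchOperation(
                    connectionFactory, ldap.getBaseDn(), filter);

            if (!LdapUtils.containsResultEntry(response)) {
                LOGGER.error("Could not locate an LDAP entry for {} and base DN {}", filter.format(), ldap.getBaseDn());
                return false;
            }

            final String dn = response.getResult().getEntry().getDn();
            LOGGER.debug("Updating account password for {}", dn);
            final boolean modified = LdapUtils.executePasswordModifyOperation(
                    dn, connectionFactory, upc.getPassword(), passwordChangeBean.getPassword(), ldap.getType());
            if (modified) {
                LOGGER.debug("Successfully updated the account password for {}", dn);
                return true;
            }
            LOGGER.error("Could not update the LDAP entry's password for {} and base DN {}", filter.format(), ldap.getBaseDn());
            return false;
        } catch (final Exception e) {
            LOGGER.error(e.getMessage(), e);
            return false;
        }
    }

    /**
     * Validates a reset token produced by {@link #createToken(String)} and extracts its subject.
     *
     * <p>Every check is fail-closed: the token is decoded through the cipher executor, then
     * the issuer, the first audience entry, the subject, the origin/client IP bindings and
     * the expiration are each verified, and any mismatch, missing claim or exception yields
     * {@code null}. The token value itself is never written to the log.
     *
     * @param str the encoded token
     * @return the username (JWT subject) when the token is valid; {@code null} otherwise
     */
    @Override // org.apereo.cas.pm.PasswordManagementService
    public String parseToken(final String str) {
        try {
            final JwtClaims claims = JwtClaims.parse(this.cipherExecutor.decode(str));
            final String serverPrefix = this.casProperties.getServer().getPrefix();

            // Comparisons are written with the expected value on the left so a missing
            // claim is reported as a mismatch instead of surfacing as an NPE.
            if (!serverPrefix.equals(claims.getIssuer())) {
                LOGGER.error("Token issuer does not match CAS");
                return null;
            }
            if (claims.getAudience() == null || claims.getAudience().isEmpty()
                    || !serverPrefix.equals(claims.getAudience().get(0))) {
                LOGGER.error("Token audience does not match CAS");
                return null;
            }
            if (StringUtils.isBlank(claims.getSubject())) {
                LOGGER.error("Token has no subject identifier");
                return null;
            }

            final ClientInfo clientInfo = ClientInfoHolder.getClientInfo();
            if (!StringUtils.equals(clientInfo.getServerIpAddress(), claims.getStringClaimValue(CLAIM_ORIGIN))) {
                LOGGER.error("Token origin does not match CAS");
                return null;
            }
            if (!StringUtils.equals(clientInfo.getClientIpAddress(), claims.getStringClaimValue(CLAIM_CLIENT))) {
                LOGGER.error("Token client does not match CAS");
                return null;
            }

            // A token without an expiration is rejected rather than treated as perpetual.
            final NumericDate expiration = claims.getExpirationTime();
            if (expiration == null || expiration.isBefore(NumericDate.now())) {
                LOGGER.error("Token has expired.");
                return null;
            }
            return claims.getSubject();
        } catch (final Exception e) {
            LOGGER.error(e.getMessage(), e);
            return null;
        }
    }

    /**
     * Reads the user's security questions and answers from LDAP.
     *
     * <p>The configured {@code securityQuestionsAttributes} map pairs a question attribute
     * name with an answer attribute name; for each pair whose two attributes exist on the
     * entry with non-blank values, the question value is mapped to the answer value.
     *
     * @param str the username to look up
     * @return question-to-answer map in configuration order; empty when the entry is not
     * found or on any failure (which is logged). Never {@code null}.
     */
    @Override // org.apereo.cas.pm.PasswordManagementService
    public Map<String, String> getSecurityQuestions(final String str) {
        final Map<String, String> questions = new LinkedHashMap<>();
        try {
            final PasswordManagementProperties.Ldap ldap = this.casProperties.getAuthn().getPm().getLdap();
            final Response<SearchResult> response = LdapUtils.executeSearchOperation(
                    Beans.newPooledConnectionFactory(ldap),
                    ldap.getBaseDn(),
                    Beans.newSearchFilter(ldap.getUserFilter(), str));
            if (LdapUtils.containsResultEntry(response)) {
                final LdapEntry entry = response.getResult().getEntry();
                this.casProperties.getAuthn().getPm().getReset().getSecurityQuestionsAttributes()
                        .forEach((questionAttr, answerAttr) -> {
                            final LdapAttribute question = entry.getAttribute(questionAttr);
                            final LdapAttribute answer = entry.getAttribute(answerAttr);
                            if (question != null && answer != null
                                    && StringUtils.isNotBlank(question.getStringValue())
                                    && StringUtils.isNotBlank(answer.getStringValue())) {
                                questions.put(question.getStringValue(), answer.getStringValue());
                            }
                        });
            }
        } catch (final Exception e) {
            LOGGER.error(e.getMessage(), e);
        }
        return questions;
    }
}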
