package org.ametys.plugins.core.user.management;

import jakarta.mail.MessagingException;
import java.io.IOException;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import org.ametys.core.authentication.token.AuthenticationTokenManager;
import org.ametys.core.trace.ForensicLogger;
import org.ametys.core.ui.mail.StandardMailBodyHelper;
import org.ametys.core.user.InvalidModificationException;
import org.ametys.core.user.User;
import org.ametys.core.user.UserIdentity;
import org.ametys.core.user.UserManager;
import org.ametys.core.user.directory.ModifiableUserDirectory;
import org.ametys.core.user.directory.NotUniqueUserException;
import org.ametys.core.user.directory.UserDirectory;
import org.ametys.core.user.population.UserPopulation;
import org.ametys.core.user.population.UserPopulationDAO;
import org.ametys.core.util.I18nUtils;
import org.ametys.core.util.mail.SendMailHelper;
import org.ametys.plugins.core.user.UserManagementException;
import org.ametys.runtime.config.Config;
import org.ametys.runtime.i18n.I18nizableText;
import org.ametys.runtime.i18n.I18nizableTextParameter;
import org.ametys.runtime.plugin.component.AbstractLogEnabled;
import org.ametys.runtime.workspace.WorkspaceMatcher;
import org.apache.avalon.framework.component.Component;
import org.apache.avalon.framework.service.ServiceException;
import org.apache.avalon.framework.service.ServiceManager;
import org.apache.avalon.framework.service.Serviceable;
import org.apache.cocoon.environment.Request;
import org.apache.commons.lang3.StringUtils;

/* loaded from: input_file:org/ametys/plugins/core/user/management/UserPasswordManager.class */
public class UserPasswordManager extends AbstractLogEnabled implements Component, Serviceable {
    public static final String ROLE = UserPasswordManager.class.getName();
    public static final String RESET_PASSWORD_URL = "plugins/core/reset-password.html";
    private static final int __CHANGE_PASSWORD_TOKEN_EXPIRATION_TIME = 300;
    private static final String __CHANGE_PASSWORD_TOKEN_TYPE = "change-password";
    private static final String __CHANGE_PASSWORD_TOKEN_CONTEXT = "change-password";
    private static final String __EVENT_ACCOUNT_PASSWORD_CHANGE = "account.password.change";
    private static final String __EVENT_ACCOUNT_PASSWORD_CHANGE_FAILED = "account.password.change.failed";
    private static final String __EVENT_ACCOUNT_PASSWORD_RESET = "account.password.reset";
    protected UserPopulationDAO _populationDAO;
    protected AuthenticationTokenManager _tokenManager;
    protected UserManager _userManager;
    protected I18nUtils _i18nUtils;

    public void service(ServiceManager serviceManager) throws ServiceException {
        this._i18nUtils = (I18nUtils) serviceManager.lookup(I18nUtils.ROLE);
        this._populationDAO = (UserPopulationDAO) serviceManager.lookup(UserPopulationDAO.ROLE);
        this._tokenManager = (AuthenticationTokenManager) serviceManager.lookup(AuthenticationTokenManager.ROLE);
        this._userManager = (UserManager) serviceManager.lookup(UserManager.ROLE);
    }

    public UserIdentity checkPasswordChangeToken(String str) throws UserManagementException {
        UserIdentity validateToken = this._tokenManager.validateToken(str, "change-password");
        if (validateToken == null) {
            throw new UserManagementException(UserManagementException.TOKEN_UNKNOWN, "Provided token is unknown.");
        }
        return validateToken;
    }

    public List<I18nizableText> validatePassword(UserIdentity userIdentity, String str) throws UserManagementException {
        UserDirectory userDirectory = this._userManager.getUserDirectory(userIdentity.getPopulationId(), userIdentity.getLogin());
        if (!(userDirectory instanceof ModifiableUserDirectory)) {
            throw new UserManagementException(UserManagementException.UNMODIFIABLE_USER_DIRECTORY, "User directory " + userDirectory.getId() + "is not modifiable");
        }
        Map<String, List<I18nizableText>> validate = ((ModifiableUserDirectory) userDirectory).validate(Map.of("login", userIdentity.getLogin(), "password", str));
        return validate.containsKey("password") ? validate.get("password") : List.of();
    }

    public void changeUserPassword(UserIdentity userIdentity, String str) throws UserManagementException {
        String login = userIdentity.getLogin();
        String populationId = userIdentity.getPopulationId();
        UserDirectory userDirectory = this._userManager.getUserDirectory(populationId, login);
        if (!(userDirectory instanceof ModifiableUserDirectory)) {
            _logPasswordChangeFailed(login, populationId, UserManagementException.UNMODIFIABLE_USER_DIRECTORY);
            throw new UserManagementException(UserManagementException.UNMODIFIABLE_USER_DIRECTORY, "User directory " + populationId + "is not modifiable");
        }
        try {
            ((ModifiableUserDirectory) userDirectory).update(Map.of("login", login, "password", str));
            this._tokenManager.deleteAuthenticationToken(this._tokenManager.getTokens(userIdentity, "change-password").stream().map((v0) -> {
                return v0.getId();
            }).toList());
            ForensicLogger.info(__EVENT_ACCOUNT_PASSWORD_CHANGE, Map.of("login", login, "population", populationId), userIdentity);
        } catch (InvalidModificationException e) {
            _logPasswordChangeFailed(login, populationId, UserManagementException.INVALID_MODIFICATION);
            throw new UserManagementException(UserManagementException.INVALID_MODIFICATION, "New password is not a valid password", e);
        }
    }

    protected void _logPasswordChangeFailed(String str, String str2, String str3) {
        ForensicLogger.warn(__EVENT_ACCOUNT_PASSWORD_CHANGE_FAILED, Map.of("login", str, "population", str2, "error", str3), new UserIdentity(str, str2));
    }

    public Optional<String> getChangePasswordURI(Request request, UserIdentity userIdentity, boolean z) {
        try {
            String _getChangePasswordURI = _getChangePasswordURI(request, userIdentity, _generateChangePasswordToken(userIdentity));
            if (z) {
                _getChangePasswordURI = _getChangePasswordURI + "&weak-password=true";
            }
            ForensicLogger.info(__EVENT_ACCOUNT_PASSWORD_RESET, Map.of("user", this._userManager.getUser(userIdentity)), userIdentity);
            return Optional.of(_getChangePasswordURI);
        } catch (UserManagementException e) {
            if (!UserManagementException.UNMODIFIABLE_USER_DIRECTORY.equals(e.getStatus())) {
                getLogger().error("Failed to build reset password URI for user {}", userIdentity, e);
            }
            return Optional.empty();
        }
    }

    protected String _getChangePasswordURI(Request request, UserIdentity userIdentity, String str) throws UserManagementException {
        if (!(this._userManager.getUserDirectory(userIdentity.getPopulationId(), userIdentity.getLogin()) instanceof ModifiableUserDirectory)) {
            throw new UserManagementException(UserManagementException.UNMODIFIABLE_USER_DIRECTORY, "User can not be edited " + String.valueOf(userIdentity));
        }
        StringBuilder append = new StringBuilder().append(request.getScheme()).append("://").append(request.getServerName());
        int serverPort = request.getServerPort();
        if ((request.isSecure() && serverPort != 443) || (!request.isSecure() && serverPort != 80)) {
            append.append(":").append(serverPort);
        }
        append.append(request.getContextPath()).append(request.getAttribute(WorkspaceMatcher.WORKSPACE_URI)).append("/").append(RESET_PASSWORD_URL).append("?token=").append(str);
        return append.toString();
    }

    protected String _generateChangePasswordToken(UserIdentity userIdentity) throws UserManagementException {
        try {
            return this._tokenManager.generateToken(userIdentity, 300L, true, null, Set.of("change-password"), "change-password", "Password reinitialiazation token");
        } catch (RuntimeException e) {
            throw new UserManagementException(UserManagementException.DATABASE_ERROR, "Database error while inserting a password change token for " + String.valueOf(userIdentity), e);
        }
    }

    public void resetUserPassword(Request request, String str, String str2) throws UserManagementException {
        UserPopulation userPopulation = this._populationDAO.getUserPopulation(str2);
        if (userPopulation == null) {
            throw new UserManagementException(UserManagementException.POPULATION_UNKNOWN, "Unknown population with id '" + str2 + "'");
        }
        User user = this._userManager.getUser(userPopulation, str);
        if (user == null) {
            try {
                user = this._userManager.getUserByEmail(userPopulation, str);
                if (user == null) {
                    throw new UserManagementException(UserManagementException.USER_UNKNOWN, "Unknown user with login or email " + str + " in population " + str2);
                }
            } catch (NotUniqueUserException e) {
                throw new UserManagementException(UserManagementException.NOT_UNIQUE_USER, "Many users match for email '" + str + "' and population '" + str2 + "'", e);
            }
        }
        if (!(user.getUserDirectory() instanceof ModifiableUserDirectory)) {
            throw new UserManagementException(UserManagementException.UNMODIFIABLE_USER_DIRECTORY, "User directory is not modifiable");
        }
        if (StringUtils.isEmpty(user.getEmail())) {
            throw new UserManagementException(UserManagementException.EMPTY_EMAIL, "Can't send reset password mail to user with no email");
        }
        _sendPasswordResetMail(request, user, _generateChangePasswordToken(user.getIdentity()));
        ForensicLogger.info(__EVENT_ACCOUNT_PASSWORD_RESET, Map.of("user", user), user.getIdentity());
    }

    protected void _sendPasswordResetMail(Request request, User user, String str) throws UserManagementException {
        String _getChangePasswordURI = _getChangePasswordURI(request, user.getIdentity(), str);
        try {
            SendMailHelper.newMail().withSubject(_getResetPasswordMailSubject()).withTextBody(_getResetPasswordMailTextBody(user, _getChangePasswordURI)).withHTMLBody(_getResetPasswordMailHTMLBody(user, _getChangePasswordURI)).withSender(_getResetPasswordMailSender(request)).withRecipient(user.getEmail()).sendMail();
        } catch (IOException | MessagingException e) {
            throw new UserManagementException(UserManagementException.MAIL_ERROR, "An error occured while trying to send reset password mail.", e);
        }
    }

    protected String _getResetPasswordMailSender(Request request) {
        return (String) Config.getInstance().getValue("smtp.mail.from");
    }

    protected String _getResetPasswordMailSubject() {
        return this._i18nUtils.translate(new I18nizableText("plugin.core", "PLUGINS_CORE_RESET_PASSWORD_MAIL_SUBJECT"));
    }

    protected String _getResetPasswordMailTextBody(User user, String str) {
        return this._i18nUtils.translate(new I18nizableText("plugin.core", "PLUGINS_CORE_RESET_PASSWORD_MAIL_TEXT_BODY", (Map<String, I18nizableTextParameter>) Map.of("fullName", new I18nizableText(user.getFullName()), "changePasswordURI", new I18nizableText(str))));
    }

    protected String _getResetPasswordMailHTMLBody(User user, String str) throws IOException {
        return StandardMailBodyHelper.newHTMLBody().withTitle(_getResetPasswordMailSubject()).addMessage(new I18nizableText("plugin.core", "PLUGINS_CORE_RESET_PASSWORD_MAIL_HTML_BODY", (Map<String, I18nizableTextParameter>) Map.of("fullName", new I18nizableText(user.getFullName()), "changePasswordURI", new I18nizableText(str)))).withLink(str, new I18nizableText("plugin.core", "PLUGINS_CORE_RESET_PASSWORD_MAIL_HTML_LINK")).build();
    }
}
