package com.atlassian.crowd.manager.login;

import com.atlassian.crowd.dao.token.ExpirableUserTokenDao;
import com.atlassian.crowd.embedded.api.Directory;
import com.atlassian.crowd.embedded.api.OperationType;
import com.atlassian.crowd.embedded.api.PasswordCredential;
import com.atlassian.crowd.embedded.impl.IdentifierUtils;
import com.atlassian.crowd.event.login.RequestResetPasswordEvent;
import com.atlassian.crowd.event.login.RequestUsernamesEvent;
import com.atlassian.crowd.exception.ApplicationPermissionException;
import com.atlassian.crowd.exception.DirectoryNotFoundException;
import com.atlassian.crowd.exception.InvalidCredentialException;
import com.atlassian.crowd.exception.InvalidEmailAddressException;
import com.atlassian.crowd.exception.ObjectAlreadyExistsException;
import com.atlassian.crowd.exception.OperationFailedException;
import com.atlassian.crowd.exception.UserNotFoundException;
import com.atlassian.crowd.manager.application.ApplicationService;
import com.atlassian.crowd.manager.directory.DirectoryManager;
import com.atlassian.crowd.manager.directory.DirectoryPermissionException;
import com.atlassian.crowd.manager.login.exception.InvalidResetPasswordTokenException;
import com.atlassian.crowd.manager.permission.PermissionManager;
import com.atlassian.crowd.model.DirectoryEntities;
import com.atlassian.crowd.model.application.Application;
import com.atlassian.crowd.model.token.ExpirableUserToken;
import com.atlassian.crowd.model.token.InternalExpirableUserToken;
import com.atlassian.crowd.model.user.User;
import com.atlassian.crowd.search.EntityDescriptor;
import com.atlassian.crowd.search.builder.QueryBuilder;
import com.atlassian.crowd.search.builder.Restriction;
import com.atlassian.crowd.search.query.entity.restriction.constants.UserTermKeys;
import com.atlassian.event.api.EventPublisher;
import com.atlassian.sal.api.ApplicationProperties;
import com.atlassian.sal.api.UrlMode;
import com.atlassian.security.random.SecureTokenGenerator;
import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableList;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.time.Clock;
import java.util.ConcurrentModificationException;
import java.util.List;
import java.util.Optional;
import javax.mail.internet.AddressException;
import javax.mail.internet.InternetAddress;
import org.apache.commons.lang3.StringUtils;
import org.joda.time.DateTime;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.transaction.annotation.Transactional;

@Transactional
/* loaded from: input_file:com/atlassian/crowd/manager/login/ForgottenLoginManagerImpl.class */
public class ForgottenLoginManagerImpl implements ForgottenLoginManager {
    private static final String UTF8_ENCODING = "UTF-8";
    private static final String RESET_PASSWORD_ACTION = "/console/resetpassword.action";
    private final Logger logger = LoggerFactory.getLogger(getClass());
    private final ApplicationService applicationService;
    private final DirectoryManager directoryManager;
    private final PermissionManager permissionManager;
    private final ExpirableUserTokenDao expirableUserTokenDao;
    private final SecureTokenGenerator tokenGenerator;
    private final ApplicationProperties applicationProperties;
    private final EventPublisher eventPublisher;
    private final Clock clock;

    public ForgottenLoginManagerImpl(ApplicationService applicationService, DirectoryManager directoryManager, PermissionManager permissionManager, ExpirableUserTokenDao expirableUserTokenDao, SecureTokenGenerator secureTokenGenerator, EventPublisher eventPublisher, ApplicationProperties applicationProperties, Clock clock) {
        this.applicationService = (ApplicationService) Preconditions.checkNotNull(applicationService);
        this.directoryManager = (DirectoryManager) Preconditions.checkNotNull(directoryManager);
        this.permissionManager = (PermissionManager) Preconditions.checkNotNull(permissionManager);
        this.expirableUserTokenDao = (ExpirableUserTokenDao) Preconditions.checkNotNull(expirableUserTokenDao);
        this.tokenGenerator = (SecureTokenGenerator) Preconditions.checkNotNull(secureTokenGenerator);
        this.eventPublisher = (EventPublisher) Preconditions.checkNotNull(eventPublisher);
        this.applicationProperties = applicationProperties;
        this.clock = clock;
    }

    public void sendResetLink(Application application, String str, int i) throws UserNotFoundException, InvalidEmailAddressException, ApplicationPermissionException {
        User findUserByName = this.applicationService.findUserByName(application, str);
        try {
            Directory findDirectoryById = this.directoryManager.findDirectoryById(findUserByName.getDirectoryId());
            if (!this.permissionManager.hasPermission(application, findDirectoryById, OperationType.UPDATE_USER)) {
                throw new ApplicationPermissionException("Not allowed to update user '" + findUserByName.getName() + "' in directory '" + findDirectoryById.getName() + "'.");
            }
            sendResetLink(findUserByName, findDirectoryById, i);
        } catch (DirectoryNotFoundException e) {
            throw new ConcurrentModificationException("Directory " + findUserByName.getDirectoryId() + " no longer exists.");
        }
    }

    public boolean sendUsernames(Application application, String str) throws InvalidEmailAddressException {
        List searchUsers = this.applicationService.searchUsers(application, QueryBuilder.queryFor(User.class, EntityDescriptor.user()).with(Restriction.on(UserTermKeys.EMAIL).exactlyMatching(str)).returningAtMost(-1));
        if (searchUsers.isEmpty()) {
            this.logger.info("No usernames found for email address: " + str);
            return false;
        }
        this.eventPublisher.publish(new RequestUsernamesEvent((User) searchUsers.get(0), ImmutableList.copyOf(DirectoryEntities.namesOf(searchUsers))));
        return true;
    }

    public void sendResetLink(long j, String str, int i) throws DirectoryNotFoundException, InvalidEmailAddressException, UserNotFoundException, OperationFailedException {
        sendResetLink(this.directoryManager.findUserByName(j, str), this.directoryManager.findDirectoryById(j), i);
    }

    public boolean isValidResetToken(long j, String str, String str2) {
        if (StringUtils.isBlank(str) || StringUtils.isBlank(str2)) {
            return false;
        }
        Optional findByToken = this.expirableUserTokenDao.findByToken(str2);
        if (!findByToken.isPresent()) {
            return false;
        }
        ExpirableUserToken expirableUserToken = (ExpirableUserToken) findByToken.get();
        return expirableUserToken.getToken().equals(str2) && ((Boolean) maybeGetUser(j, str).filter((v0) -> {
            return v0.isActive();
        }).map(user -> {
            return Boolean.valueOf(user.getEmailAddress().equals(expirableUserToken.getEmailAddress()));
        }).orElse(false)).booleanValue() && this.clock.millis() < expirableUserToken.getExpiryDate() && expirableUserToken.getDirectoryId() == j && IdentifierUtils.equalsInLowerCase(expirableUserToken.getUsername(), str);
    }

    private Optional<User> maybeGetUser(long j, String str) {
        try {
            return Optional.of(this.directoryManager.findUserByName(j, str));
        } catch (UserNotFoundException e) {
            return Optional.empty();
        } catch (DirectoryNotFoundException e2) {
            this.logger.debug("Tried to reset credential for {} in directory {}, but the directory was not found", str, Long.valueOf(j));
            return Optional.empty();
        } catch (OperationFailedException e3) {
            return Optional.empty();
        }
    }

    public void resetUserCredential(long j, String str, PasswordCredential passwordCredential, String str2) throws DirectoryNotFoundException, UserNotFoundException, InvalidResetPasswordTokenException, OperationFailedException, InvalidCredentialException, DirectoryPermissionException {
        if (!isValidResetToken(j, str, str2)) {
            throw new InvalidResetPasswordTokenException("No valid reset token found for user");
        }
        this.directoryManager.updateUserCredential(j, str, passwordCredential);
        this.expirableUserTokenDao.removeByToken(str2);
    }

    private void validateUser(User user) throws InvalidEmailAddressException {
        if (StringUtils.isBlank(user.getEmailAddress())) {
            throw new InvalidEmailAddressException("Cannot email a reset password link; user's email address is blank.");
        }
        try {
            new InternetAddress(user.getEmailAddress()).validate();
        } catch (AddressException e) {
            throw new InvalidEmailAddressException(e);
        }
    }

    public ExpirableUserToken createAndStoreResetToken(long j, String str, String str2, int i) {
        Preconditions.checkArgument(i >= 0, "Token expiry must be greater than or equal to 0 seconds.");
        InternalExpirableUserToken createResetPasswordToken = InternalExpirableUserToken.createResetPasswordToken(this.tokenGenerator.generateToken(), str, str2, new DateTime().plusSeconds(i).toDateTime().getMillis(), j);
        try {
            this.expirableUserTokenDao.add(createResetPasswordToken);
            return createResetPasswordToken;
        } catch (ObjectAlreadyExistsException e) {
            throw new RuntimeException("Failed to generate token due to collision with existing token.");
        }
    }

    public boolean removeByDirectoryAndUsername(long j, String str) {
        return this.expirableUserTokenDao.removeByDirectoryAndUsername(j, str);
    }

    private void sendResetLink(User user, Directory directory, int i) throws InvalidEmailAddressException {
        validateUser(user);
        this.logger.info("\"{}\" in directory \"{}\" is being e-mailed a password reset link.", user.getName(), directory.getName());
        emailResetToken(createAndStoreResetToken(directory.getId().longValue(), user.getName(), user.getEmailAddress(), i), user);
    }

    private void emailResetToken(ExpirableUserToken expirableUserToken, User user) throws InvalidEmailAddressException {
        try {
            this.eventPublisher.publish(new RequestResetPasswordEvent(user, this.applicationProperties.getBaseUrl(UrlMode.CANONICAL) + RESET_PASSWORD_ACTION + "?username=" + URLEncoder.encode(expirableUserToken.getUsername(), UTF8_ENCODING) + "&directoryId=" + URLEncoder.encode(Long.toString(expirableUserToken.getDirectoryId()), UTF8_ENCODING) + "&token=" + URLEncoder.encode(expirableUserToken.getToken(), UTF8_ENCODING)));
        } catch (UnsupportedEncodingException e) {
            throw new RuntimeException("Could not encode username and token: this Java VM does not support UTF-8", e);
        }
    }
}
