package org.openvpms.web.security.login;

import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
import org.apache.commons.collections4.map.PassiveExpiringMap;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.ImmutablePair;
import org.apache.commons.lang3.tuple.Pair;
import org.openvpms.archetype.rules.party.Contacts;
import org.openvpms.archetype.rules.practice.PracticeService;
import org.openvpms.archetype.rules.user.PasswordValidator;
import org.openvpms.component.business.dao.im.common.IMObjectDAO;
import org.openvpms.component.business.dao.im.security.IUserDAO;
import org.openvpms.component.model.bean.IMObjectBean;
import org.openvpms.component.model.party.Party;
import org.openvpms.component.model.user.User;
import org.openvpms.component.service.archetype.ArchetypeService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.crypto.password.PasswordEncoder;

/* loaded from: input_file:org/openvpms/web/security/login/PasswordService.class */
public class PasswordService {
    private final ArchetypeService service;
    private final IUserDAO users;
    private final PasswordEncoder encoder;
    private final PasswordValidator validator;
    private final PracticeService practiceService;
    private final PasswordMailer mailer;
    private final Contacts contacts;
    private final IMObjectDAO dao;
    private final Map<String, ResetCode> codes = Collections.synchronizedMap(new PassiveExpiringMap(10, TimeUnit.MINUTES));
    private volatile boolean missingEmailLogged;
    private static final Logger log = LoggerFactory.getLogger(PasswordService.class);
    private static final int MAX_ATTEMPTS = 3;

    /* loaded from: input_file:org/openvpms/web/security/login/PasswordService$Status.class */
    public enum Status {
        EXPIRED,
        CODE_MISMATCH,
        PASSWORD_MISMATCH,
        ERROR,
        SUCCESS
    }

    public PasswordService(ArchetypeService archetypeService, IUserDAO iUserDAO, PasswordEncoder passwordEncoder, PasswordValidator passwordValidator, PracticeService practiceService, PasswordMailer passwordMailer, IMObjectDAO iMObjectDAO) {
        this.service = archetypeService;
        this.users = iUserDAO;
        this.encoder = passwordEncoder;
        this.validator = passwordValidator;
        this.practiceService = practiceService;
        this.mailer = passwordMailer;
        this.contacts = new Contacts(archetypeService);
        this.dao = iMObjectDAO;
    }

    public String sendResetCode(String str) {
        String str2 = null;
        User user = getUser(str);
        if (user == null) {
            log.error("No active user with username {}", str);
        } else {
            Pair<String, String> emails = getEmails(user);
            if (emails != null) {
                str2 = sendResetCode(user, (String) emails.getLeft(), (String) emails.getRight());
            }
        }
        return str2;
    }

    public Status resetPassword(String str, String str2, String str3) {
        Status status;
        ResetCode resetCode = getResetCode(str);
        if (resetCode == null) {
            status = Status.EXPIRED;
        } else if (Objects.equals(resetCode.getCode(), str2)) {
            if (validate(str3)) {
                User user = (User) this.service.get("security.user", resetCode.getUserId(), true);
                if (user != null) {
                    setPassword(user, str3);
                    sendNotification(user);
                    status = Status.SUCCESS;
                } else {
                    log.warn("Cannot reset password for user id={}. No active user exists", Long.valueOf(resetCode.getUserId()));
                    status = Status.ERROR;
                }
                this.codes.remove(str);
            } else {
                status = Status.ERROR;
                this.codes.remove(str);
            }
        } else if (resetCode.incAttempts() < MAX_ATTEMPTS) {
            status = Status.CODE_MISMATCH;
        } else {
            status = Status.EXPIRED;
            this.codes.remove(str);
        }
        return status;
    }

    public Status changePassword(User user, String str, String str2) {
        Status status;
        if (!this.encoder.matches(str, ((org.openvpms.component.business.domain.im.security.User) user).getPassword())) {
            status = Status.PASSWORD_MISMATCH;
        } else if (str.equals(str2) || !validate(str2)) {
            status = Status.ERROR;
        } else {
            setPassword(user, str2);
            sendNotification(user);
            status = Status.SUCCESS;
        }
        return status;
    }

    private void setPassword(User user, String str) {
        IMObjectBean bean = this.service.getBean(user);
        bean.setValue("password", this.encoder.encode(str));
        bean.setValue("changePassword", false);
        this.dao.save((org.openvpms.component.business.domain.im.security.User) user);
        log.warn("Password changed for user id={}, username={}", Long.valueOf(user.getId()), user.getUsername());
    }

    private ResetCode getResetCode(String str) {
        return this.codes.get(str);
    }

    private ResetCode generateResetCode(User user) {
        ResetCode resetCode = new ResetCode(user);
        this.codes.put(resetCode.getId(), resetCode);
        return resetCode;
    }

    private User getUser(String str) {
        org.openvpms.component.business.domain.im.security.User user = this.users.getUser(str);
        if (user == null || !user.isActive()) {
            return null;
        }
        return user;
    }

    private String sendResetCode(User user, String str, String str2) {
        String str3 = null;
        ResetCode generateResetCode = generateResetCode(user);
        try {
            this.mailer.sendResetCode(str, str2, generateResetCode.getCode());
            str3 = generateResetCode.getId();
        } catch (Exception e) {
            log.error("Failed to send reset code to {}: {}", str2, e.getMessage());
        }
        return str3;
    }

    private void sendNotification(User user) {
        Pair<String, String> emails = getEmails(user);
        if (emails != null) {
            String str = (String) emails.getRight();
            try {
                this.mailer.sendPasswordChanged((String) emails.getLeft(), str);
            } catch (Exception e) {
                log.error("Failed to send notification to {}: {}", str, e.getMessage());
            }
        }
    }

    private boolean validate(String str) {
        List validate = this.validator.validate(str);
        if (!validate.isEmpty()) {
            log.error("Password doesn't match policy: {}", StringUtils.join(validate, ","));
        }
        return validate.isEmpty();
    }

    private String getEmail(Party party) {
        if (party != null) {
            return this.contacts.getEmail(party);
        }
        return null;
    }

    private Pair<String, String> getEmails(User user) {
        Pair<String, String> pair = null;
        String email = getEmail(this.practiceService.getPractice());
        if (email != null) {
            this.missingEmailLogged = false;
            String email2 = getEmail(user);
            if (email2 == null) {
                log.error("Cannot send password mails to {} as the user has no email address configured", user.getUsername());
            } else {
                pair = ImmutablePair.of(email, email2);
            }
        } else if (!this.missingEmailLogged) {
            log.error("Cannot send password mails as the practice has no email address configured");
            this.missingEmailLogged = true;
        }
        return pair;
    }
}
