package com.appiancorp.ag.security;

import com.appiancorp.ag.ExtendedUserService;
import com.appiancorp.common.config.ApplicationContextHolder;
import com.appiancorp.common.monitoring.ProductMetricsAggregatedDataCollector;
import com.appiancorp.services.ServiceContextFactory;
import com.appiancorp.suite.cfg.AdminSecurityConfiguration;
import com.appiancorp.suiteapi.common.ServiceLocator;
import com.appiancorp.suiteapi.common.exceptions.InvalidLoginException;
import com.appiancorp.suiteapi.common.exceptions.PasswordExpiredException;
import com.appiancorp.suiteapi.common.exceptions.PrivilegeException;
import com.appiancorp.suiteapi.common.exceptions.TemporaryPasswordExpiredException;
import com.appiancorp.suiteapi.personalization.UserProfile;
import com.appiancorp.suiteapi.personalization.UserService;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import java.sql.Timestamp;
import java.util.Arrays;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;

/* loaded from: input_file:com/appiancorp/ag/security/DefaultAuthenticator.class */
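/**
 * Username/password {@link Authenticator} backed by the {@link UserService}.
 *
 * <p>A password is verified by hashing it with every algorithm returned by
 * {@link PasswordConfig#getAllAvailableAlgorithms()} and every salt returned by
 * {@code SaltCreator.getAllPossibleSalts(username)}, and submitting each resulting hash to the
 * user service until one is accepted.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>An empty or {@code null} password is never hashed or sent to the user service; it is
 *       treated as a failed login and recorded as such.</li>
 *   <li>The built-in {@code Administrator} account is refused the default password as soon as
 *       at least one active system administrator is reported
 *       (see {@link #validateAdministratorLogin}).</li>
 *   <li>Password-expiry checks run after the credentials have been accepted.</li>
 *   <li>Debug logging records the username and the <em>indices</em> of the hasher and salt
 *       that matched; neither the password nor the hash is logged.</li>
 * </ul>
 */
public class DefaultAuthenticator implements Authenticator {
    private static final Logger LOG = Logger.getLogger(DefaultAuthenticator.class);

    /** Name of the built-in account that is subject to the default-password check. */
    private static final String DEFAULT_ADMINISTRATOR_USERNAME = "Administrator";

    private final UserService us;
    private final PasswordConfig passwordConfig;
    private final AdminSecurityConfiguration securityConfig;
    private final MfaUtils mfaUtils;

    /**
     * Creates an authenticator from its collaborators; the arguments are stored as given.
     *
     * @param userService service that verifies hashes and records login attempts
     * @param passwordConfig source of the hashing algorithms to try
     * @param adminSecurityConfiguration source of the password-expiry policy
     * @param mfaUtils used to decide whether a successful login is recorded here
     */
    public DefaultAuthenticator(UserService userService, PasswordConfig passwordConfig, AdminSecurityConfiguration adminSecurityConfiguration, MfaUtils mfaUtils) {
        this.us = userService;
        this.passwordConfig = passwordConfig;
        this.securityConfig = adminSecurityConfiguration;
        this.mfaUtils = mfaUtils;
    }

    /**
     * Authenticates a user by username and password.
     *
     * @param str the username
     * @param cArr the password characters; not modified or cleared by this method
     * @return the profile of the authenticated user
     * @throws InvalidLoginException if the username is empty or the credentials are rejected;
     *     {@link TemporaryPasswordExpiredException} / {@link PasswordExpiredException} are
     *     thrown when the credentials are correct but the password has expired
     */
    @Override // com.appiancorp.ag.security.Authenticator
    public UserProfile authenticateUser(String str, char[] cArr) throws InvalidLoginException {
        if (StringUtils.isEmpty(str)) {
            throw new InvalidLoginException("No username provided.");
        }
        // An empty password short-circuits to "no profile" so that it is still counted as a
        // failed attempt by evaluateUserProfile instead of being hashed and submitted.
        UserProfile profile = ArrayUtils.isEmpty(cArr) ? null : getUserProfile(str, cArr);
        return evaluateUserProfile(profile, str);
    }

    /**
     * Tries every hasher/salt combination until the user service accepts one.
     *
     * @param username the account name; non-empty (checked by the caller)
     * @param password the password characters; non-empty (checked by the caller)
     * @return the authenticated profile, or {@code null} if no combination was accepted
     * @throws InvalidLoginException if the default Administrator password is refused by
     *     {@link #validateAdministratorLogin}
     */
    private UserProfile getUserProfile(String username, char[] password) throws InvalidLoginException {
        boolean isDefaultAdministrator = DEFAULT_ADMINISTRATOR_USERNAME.equals(username);
        if (isDefaultAdministrator) {
            validateAdministratorLogin(username, password, totalActiveSystemAdminUsers());
        }
        String[] salts = ((SaltCreator) ApplicationContextHolder.getBean(SaltCreator.class)).getAllPossibleSalts(username);
        PasswordHasher[] hashers = this.passwordConfig.getAllAvailableAlgorithms();
        boolean debugEnabled = LOG.isDebugEnabled();
        // NOTE(review): one login can issue up to hashers.length * salts.length calls to
        // UserService.authenticate. Confirm that the service does not count each rejected call
        // towards lockout; this class records the attempt once, in evaluateUserProfile.
        for (int hasherIndex = 0; hasherIndex < hashers.length; hasherIndex++) {
            PasswordHasher hasher = hashers[hasherIndex];
            for (int saltIndex = 0; saltIndex < salts.length; saltIndex++) {
                UserProfile profile;
                try {
                    profile = this.us.authenticate(username, hasher.hash(password, salts[saltIndex]));
                } catch (InvalidLoginException ignored) {
                    // This hasher/salt combination does not match; try the next one.
                    continue;
                }
                if (profile == null) {
                    // Defensive: treat a null profile as "not authenticated" and keep looking.
                    continue;
                }
                if (debugEnabled) {
                    LOG.debug("User [" + username + "] authenticated with the hasher [" + hasherIndex + "] and salt [" + saltIndex + "]");
                }
                if (isDefaultAdministrator) {
                    LOG.debug("Login for Administrator successful");
                    ProductMetricsAggregatedDataCollector.recordData("login.defaultAdministratorAccount.success");
                }
                // Stop at the first accepted combination. Without this exit the search would
                // re-submit the same hash to the user service indefinitely after a success.
                return profile;
            }
        }
        return null;
    }

    /**
     * Applies post-authentication policy and records the outcome of the attempt.
     *
     * @param userProfile the authenticated profile, or {@code null} if authentication failed
     * @param username the account name the attempt was made for
     * @return {@code userProfile} when the login is accepted
     * @throws InvalidLoginException if {@code userProfile} is {@code null}
     * @throws TemporaryPasswordExpiredException if a temporary password has expired
     * @throws PasswordExpiredException if the password has expired
     */
    private UserProfile evaluateUserProfile(UserProfile userProfile, String username) throws InvalidLoginException {
        if (userProfile == null) {
            // The return value of recordFailedLoginAttempt is not used here.
            recordFailedLoginAttempt(username);
            throw new InvalidLoginException(username);
        }
        Timestamp passwordModified = userProfile.getPasswordModified();
        if (userProfile.isTemporaryPassword() && this.securityConfig.isTempPasswordExpired(passwordModified)) {
            throw new TemporaryPasswordExpiredException(userProfile);
        }
        if (this.securityConfig.isPasswordExpired(passwordModified)) {
            throw new PasswordExpiredException(userProfile);
        }
        // For MFA users the successful attempt is not recorded at this point.
        // NOTE(review): presumably it is recorded once the second factor succeeds - confirm.
        if (!this.mfaUtils.isMfaUser(username)) {
            recordSuccessfulLoginAttempt(username);
        }
        return userProfile;
    }

    /**
     * Checks whether a password matches the stored credentials of a user, without recording a
     * login attempt in this class.
     *
     * @param str the username
     * @param cArr the password characters
     * @return {@code true} if any hasher/salt combination is accepted by the user service;
     *     {@code false} if the password is empty, nothing matches, or the user service throws
     *     a {@link PrivilegeException} (the check fails closed)
     */
    @Override // com.appiancorp.ag.security.Authenticator
    public boolean isPasswordValid(String str, char[] cArr) {
        if (ArrayUtils.isEmpty(cArr)) {
            return false;
        }
        PasswordHasher[] hashers = this.passwordConfig.getAllAvailableAlgorithms();
        String[] salts = ((SaltCreator) ApplicationContextHolder.getBean(SaltCreator.class)).getAllPossibleSalts(str);
        boolean debugEnabled = LOG.isDebugEnabled();
        for (int hasherIndex = 0; hasherIndex < hashers.length; hasherIndex++) {
            PasswordHasher hasher = hashers[hasherIndex];
            for (int saltIndex = 0; saltIndex < salts.length; saltIndex++) {
                try {
                    if (this.us.isUserPasswordValid(str, hasher.hash(cArr, salts[saltIndex]))) {
                        if (debugEnabled) {
                            LOG.debug("User [" + str + "] password validated with the hasher [" + hasherIndex + "] and salt [" + saltIndex + "]");
                        }
                        return true;
                    }
                } catch (PrivilegeException e) {
                    // Fail closed, but leave a trace. The username is left out of the message
                    // because it has not been validated on this path.
                    LOG.debug("Password validation failed closed after a PrivilegeException", e);
                    return false;
                }
            }
        }
        return false;
    }

    /**
     * Records a successful login for the given user with the user service.
     *
     * @param str the username
     */
    protected void recordSuccessfulLoginAttempt(String str) {
        this.us.loginAttempt(str, true);
    }

    /**
     * Records a failed login for the given user with the user service.
     *
     * @param str the username
     * @return the negation of {@code UserService.loginAttempt(str, false)}
     *     (NOTE(review): the meaning of that flag is not visible here - confirm)
     */
    protected boolean recordFailedLoginAttempt(String str) {
        return !this.us.loginAttempt(str, false);
    }

    /**
     * Refuses the built-in default password for the Administrator account when at least one
     * active system administrator is reported.
     *
     * <p>When {@code j <= 0} the default password is <em>not</em> refused here and goes on to
     * normal verification, so a site without any other active system administrator still
     * accepts it if it is the stored password. The metric
     * {@code login.defaultAdministratorAccount.success} recorded by the caller can be monitored
     * to detect use of this account.
     *
     * @param str the username, used only for the thrown exception
     * @param cArr the supplied password characters
     * @param j the number of active system administrators
     * @throws InvalidLoginException if the default password is supplied and {@code j > 0}
     */
    @SuppressFBWarnings({"HARD_CODE_PASSWORD"})
    protected void validateAdministratorLogin(String str, char[] cArr, long j) throws InvalidLoginException {
        // Compare as char[] so that the supplied password is not copied into an immutable
        // String that stays on the heap until it is garbage collected.
        boolean isDefaultPassword = Arrays.equals(cArr, "admin".toCharArray());
        if (!isDefaultPassword || j <= 0) {
            return;
        }
        LOG.debug("Invalid login attempt for Administrator as at least one other System Administrator exists on the site");
        ProductMetricsAggregatedDataCollector.recordData("login.defaultAdministratorAccount.defaultPasswordRejected");
        throw new InvalidLoginException(str);
    }

    /**
     * Returns the {@code getAvailableItems()} count of a system-administrator lookup performed
     * in the administrator service context.
     *
     * <p>NOTE(review): the meaning of the arguments {@code (false, 0, 0, 0, 0)} is not visible
     * here; presumably a zero-sized page is requested so that only the total is fetched.
     */
    private long totalActiveSystemAdminUsers() {
        ExtendedUserService extendedUserService = (ExtendedUserService) ServiceLocator.getService(ServiceContextFactory.getAdministratorServiceContext(), ExtendedUserService.SERVICE_NAME);
        return extendedUserService.findActiveSystemAdminsPaging(false, 0, 0, 0, 0).getAvailableItems();
    }
}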
