package com.appiancorp.security.auth.forgotpassword;

import com.appian.logging.AppianLogger;
import com.appiancorp.cache.Cache;
import com.appiancorp.security.auth.GroupServiceHelper;
import com.appiancorp.security.auth.forgotpassword.ForgotPasswordException;
import com.appiancorp.security.auth.oidc.OidcConfiguration;
import com.appiancorp.security.auth.oidc.OidcSettingsSelector;
import com.appiancorp.security.auth.oidc.persistence.service.OidcSettingsService;
import com.appiancorp.security.auth.piee.PieeSettingsSelector;
import com.appiancorp.security.auth.saml.SamlSettingsSelector;
import com.appiancorp.suite.cfg.AdminSecurityConfiguration;
import com.appiancorp.suite.cfg.LdapConfiguration;
import com.appiancorp.suite.cfg.PieeConfiguration;
import com.appiancorp.suite.cfg.SamlConfiguration;
import com.appiancorp.suiteapi.common.exceptions.InvalidGroupException;
import com.appiancorp.suiteapi.common.exceptions.InvalidUserException;
import com.appiancorp.suiteapi.personalization.User;
import java.sql.Timestamp;
import java.util.Optional;

/* loaded from: input_file:com/appiancorp/security/auth/forgotpassword/ForgotPasswordUserValidator.class */
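/**
 * Decides whether a "forgot password" request may proceed for a given user.
 *
 * <p>A reset is only allowed for active accounts that authenticate with a locally managed
 * password: accounts matched by SAML, LDAP, OIDC or PIEE settings, accounts covered by the MFA
 * configuration, and accounts whose password was changed more recently than the configured
 * minimum age are all rejected with a {@link ForgotPasswordException} carrying the matching
 * {@code RejectionReason}.
 *
 * <p>NOTE(review): the rejection reasons distinguish account states (deactivated, externally
 * authenticated, MFA). Whether they are ever surfaced to an unauthenticated requester is not
 * visible in this class; confirm the caller returns a uniform response so the reset endpoint
 * cannot be used to tell accounts apart.
 */
public class ForgotPasswordUserValidator {
    private static final AppianLogger LOG = AppianLogger.getLogger(ForgotPasswordUserValidator.class);
    private final GroupServiceHelper groupServiceHelper;
    private final AdminSecurityConfiguration adminSecurityConfiguration;
    private final LdapConfiguration ldapConfiguration;
    private final SamlConfiguration samlConfiguration;
    private final SamlSettingsSelector samlSettingsSelector;
    private final OidcConfiguration oidcConfiguration;
    private final OidcSettingsService oidcSettingsService;
    private final OidcSettingsSelector oidcSettingsSelector;
    private final ForgotPasswordRequestCache forgotPasswordRequestCache;
    private final PieeConfiguration pieeConfiguration;
    private final PieeSettingsSelector pieeSettingsSelector;

    /**
     * Stores the collaborators used by the individual checks. No validation is performed here.
     */
    public ForgotPasswordUserValidator(
            GroupServiceHelper groupServiceHelper,
            AdminSecurityConfiguration adminSecurityConfiguration,
            LdapConfiguration ldapConfiguration,
            SamlConfiguration samlConfiguration,
            SamlSettingsSelector samlSettingsSelector,
            OidcConfiguration oidcConfiguration,
            OidcSettingsService oidcSettingsService,
            OidcSettingsSelector oidcSettingsSelector,
            PieeConfiguration pieeConfiguration,
            PieeSettingsSelector pieeSettingsSelector,
            ForgotPasswordRequestCache forgotPasswordRequestCache) {
        this.groupServiceHelper = groupServiceHelper;
        this.adminSecurityConfiguration = adminSecurityConfiguration;
        this.ldapConfiguration = ldapConfiguration;
        this.samlConfiguration = samlConfiguration;
        this.samlSettingsSelector = samlSettingsSelector;
        this.oidcConfiguration = oidcConfiguration;
        this.oidcSettingsService = oidcSettingsService;
        this.oidcSettingsSelector = oidcSettingsSelector;
        this.pieeConfiguration = pieeConfiguration;
        this.pieeSettingsSelector = pieeSettingsSelector;
        this.forgotPasswordRequestCache = forgotPasswordRequestCache;
    }

    /**
     * Runs every per-user eligibility check, in order: active account, locally authenticated,
     * minimum password age, not an MFA user. The first failing check aborts the sequence.
     *
     * @param user the account a reset was requested for
     * @throws ForgotPasswordException with the reason of the first check that failed
     */
    public void validate(User user) throws ForgotPasswordException {
        validateUserIsActive(user);
        String username = user.getUsername();
        validateUserIsAppianAuthenticated(username);
        validatePasswordMinimumAge(user);
        validateNotMfaUser(username);
    }

    /**
     * Rejects the request when the cached request record for this key is currently blocked.
     * A {@code null} key, or a key with no cached record, is treated as unblocked.
     *
     * @param str cache key of the request record (presumably the username; confirm with callers)
     * @throws ForgotPasswordException with {@code REQUEST_BLOCKED} when the record is blocked
     */
    public void validateUserRequestUnblocked(String str) throws ForgotPasswordException {
        long now = System.currentTimeMillis();
        Cache cache = this.forgotPasswordRequestCache.getCache();
        if (str == null || !cache.containsKey(str)) {
            return;
        }
        ForgotPasswordRequest request = (ForgotPasswordRequest) cache.get(str);
        if (request == null) {
            // The entry can disappear between containsKey() and get() (expiry or a concurrent
            // removal). Without this guard the dereference below would throw instead of
            // treating the key as having no record, which is what the check above intends.
            return;
        }
        if (request.isBlocked(now)) {
            // Blocked attempts are still recorded on the request before being rejected.
            request.logRequest(now);
            throw new ForgotPasswordException(ForgotPasswordException.RejectionReason.REQUEST_BLOCKED, (Exception) null);
        }
    }

    /**
     * Rejects users whose authentication is handled by SAML, LDAP, OIDC or PIEE, checked in that
     * order.
     */
    private void validateUserIsAppianAuthenticated(String username) throws ForgotPasswordException {
        validateNotSamlUser(username);
        validateNotLdapUser(username);
        validateNotOidcUser(username);
        validateNotPieeUser(username);
    }

    /** Rejects the user when OIDC is enabled and some OIDC settings entry selects this user. */
    private void validateNotOidcUser(String username) throws ForgotPasswordException {
        if (!this.oidcConfiguration.isEnabled()) {
            return;
        }
        boolean matchedByOidc = this.oidcSettingsSelector
                .selectSettingsForUser(this.oidcSettingsService.getAllOidcSettings(), username)
                .isPresent();
        if (matchedByOidc) {
            throw new ForgotPasswordException(ForgotPasswordException.RejectionReason.NOT_APPIAN_AUTH, (Exception) null);
        }
    }

    /** Rejects the user when PIEE is enabled and PIEE settings select this user. */
    private void validateNotPieeUser(String username) throws ForgotPasswordException {
        if (this.pieeConfiguration.isEnabled() && this.pieeSettingsSelector.selectSettingsForUser(username).isPresent()) {
            throw new ForgotPasswordException(ForgotPasswordException.RejectionReason.NOT_APPIAN_AUTH, (Exception) null);
        }
    }

    /**
     * Rejects the user when LDAP is enabled and either no LDAP group is configured or the user
     * belongs to the configured group.
     */
    private void validateNotLdapUser(String username) throws ForgotPasswordException {
        boolean ldapUser = shouldDisableForgotPasswordForUser(
                username,
                this.ldapConfiguration.isEnabled(),
                this.ldapConfiguration.getGroupUuid(),
                this.ldapConfiguration.isLowercaseUsername());
        if (ldapUser) {
            throw new ForgotPasswordException(ForgotPasswordException.RejectionReason.NOT_APPIAN_AUTH, (Exception) null);
        }
    }

    /** Rejects the user when SAML is enabled and SAML settings select this user. */
    private void validateNotSamlUser(String username) throws ForgotPasswordException {
        if (this.samlConfiguration.isEnabled() && this.samlSettingsSelector.selectSettingsForUser(username).isPresent()) {
            throw new ForgotPasswordException(ForgotPasswordException.RejectionReason.NOT_APPIAN_AUTH, (Exception) null);
        }
    }

    /**
     * Rejects the user when MFA is enabled and either no MFA group is selected or the user
     * belongs to the selected group.
     */
    private void validateNotMfaUser(String username) throws ForgotPasswordException {
        // ofNullable rather than of: a missing group selection must not throw a
        // NullPointerException out of the reset flow (it was evaluated even with MFA disabled).
        // With MFA enabled an absent group now takes the "applies to everyone" branch, i.e. the
        // reset is refused. NOTE(review): confirm that is the intended meaning of "no group".
        Optional<String> mfaGroup = Optional.ofNullable(this.adminSecurityConfiguration.getMfaGroupSelection());
        boolean mfaEnabled = this.adminSecurityConfiguration.isMfaEnabled().booleanValue();
        if (shouldDisableForgotPasswordForUser(username, mfaEnabled, mfaGroup, false)) {
            throw new ForgotPasswordException(ForgotPasswordException.RejectionReason.MFA_USER, (Exception) null);
        }
    }

    /**
     * Shared rule for group-scoped authentication features (used for LDAP and MFA).
     *
     * @param username          user the reset was requested for
     * @param enabled           whether the feature is switched on at all
     * @param groupUuid         group the feature is restricted to; empty means it is unrestricted
     * @param lowercaseUsername passed through to the group membership lookup
     * @return {@code false} when the feature is disabled, {@code true} when it is enabled with no
     *     group, otherwise the result of the membership lookup
     */
    private boolean shouldDisableForgotPasswordForUser(String username, boolean enabled, Optional<String> groupUuid, boolean lowercaseUsername) {
        if (!enabled) {
            return false;
        }
        if (!groupUuid.isPresent()) {
            return true;
        }
        try {
            return this.groupServiceHelper.isUserMemberOfAuthGroup(username, groupUuid.get(), lowercaseUsername);
        } catch (InvalidGroupException e) {
            // NOTE(review): this fails open. A misconfigured group makes every user look like a
            // non-member, so the reset is allowed, and the only trace is a debug-level log line.
            // Consider whether the flow should refuse here and log at a level operators will see.
            LOG.debug("Authentication service was configured with an invalid group.", e);
            return false;
        } catch (InvalidUserException e) {
            LOG.debug("A password reset request was submitted for an invalid user.", e);
            return false;
        }
    }

    /**
     * Rejects the request when the password was modified less than the configured minimum age
     * ago. Users without a recorded modification time pass this check.
     */
    private void validatePasswordMinimumAge(User user) throws ForgotPasswordException {
        Timestamp passwordModified = user.getPasswordModified();
        if (passwordModified == null) {
            return;
        }
        long minPasswordAgeInMillis = this.adminSecurityConfiguration.getMinPasswordAgeInMillis();
        // Compare elapsed time against the minimum instead of adding the minimum to the
        // timestamp: the addition wraps around for a very large configured age, which would
        // turn the check into "always old enough".
        long passwordAgeInMillis = System.currentTimeMillis() - passwordModified.getTime();
        if (passwordAgeInMillis < minPasswordAgeInMillis) {
            throw new ForgotPasswordException(ForgotPasswordException.RejectionReason.PASSWORD_NOT_OLD_ENOUGH, (Exception) null);
        }
    }

    /** Rejects users whose status is 0, which this class reports as a deactivated account. */
    private void validateUserIsActive(User user) throws ForgotPasswordException {
        if (user.getStatus() == 0) {
            throw new ForgotPasswordException(ForgotPasswordException.RejectionReason.DEACTIVATED_USER, (Exception) null);
        }
    }
}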
