package com.adobe.cq.account.impl;

import com.adobe.cq.account.api.AccountManagementService;
import com.adobe.granite.crypto.CryptoException;
import com.adobe.granite.oauth.jwt.JwsBuilder;
import com.adobe.granite.oauth.jwt.JwsBuilderFactory;
import com.adobe.granite.security.user.UserManagementService;
import com.adobe.granite.security.user.UserProperties;
import com.adobe.granite.security.user.UserPropertiesManager;
import com.adobe.granite.security.user.UserPropertiesService;
import com.day.cq.commons.jcr.JcrUtil;
import com.day.cq.mailer.MailService;
import com.day.cq.mailer.MailingException;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.Principal;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import org.apache.commons.mail.EmailException;
import org.apache.commons.mail.SimpleEmail;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.ConfigurationPolicy;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.ReferencePolicy;
import org.apache.felix.scr.annotations.Service;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.request.RequestParameter;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.PersistenceException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.api.resource.ValueMap;
import org.apache.sling.commons.osgi.PropertiesUtil;
import org.apache.sling.jcr.api.SlingRepository;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

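/**
 * Account manager for visitors who are not logged in.
 *
 * <p>Two flows are offered: {@link #requestAccount} creates a disabled account and e-mails a
 * confirmation link, and {@link #requestPasswordReset} e-mails a password-reset link. Both links
 * carry an HS256-signed token (built through {@link JwsBuilderFactory}) that holds the user ID,
 * the host of the request URL and the operation name, and that expires after the configured
 * validity period. Verification of that token is not part of this class.
 *
 * <p>Repository access goes through the {@code account-management-service} service login.
 *
 * <p>Security notes for maintainers and callers:
 * <ul>
 *   <li>The host of the e-mailed link and the {@code host} claim are both taken from the request
 *       URL handed in by the caller. Callers should pass a URL whose host comes from trusted
 *       configuration rather than from client-controlled request headers.</li>
 *   <li>The token travels in the query string ({@code ?ky=...}), so it can end up in access logs
 *       and browser history; the validity period is the only bound this class puts on that.</li>
 *   <li>Profile properties are copied from request parameters with only a short deny-list applied
 *       (see {@link #setUserProperties(ResourceResolver, String, Map, boolean)}); an allow-list
 *       of expected fields at the caller is the safer design.</li>
 *   <li>Both public methods return {@code false} when the user ID is already taken / unknown.
 *       A caller that shows this difference to the visitor reveals which IDs are registered.</li>
 * </ul>
 */
@Service
@Component(metatype = true, name = "com.adobe.cq.account.api.AccountManagementService", description = "Account Manager for non-logged-in users", policy = ConfigurationPolicy.REQUIRE)
@Property(name = "service.description", value = {"Account Manager for non-logged in users"})
public class AccountManagementServiceImpl implements AccountManagementService {
    private final Logger log = LoggerFactory.getLogger(AccountManagementServiceImpl.class);

    /** Value of the {@code operation} claim for account-creation tokens. */
    protected static final String CREATE_ACCOUNT_OPERATION = "create-account";
    /** Value of the {@code operation} claim for password-reset tokens. */
    protected static final String CHANGE_PASSWORD_OPERATION = "change-password";
    protected static final String TOKEN_FIELD_OPERATION = "operation";
    protected static final String TOKEN_FIELD_USER_ID = "userId";
    protected static final String TOKEN_FIELD_HOST = "host";

    /** Sub-service name used for the repository service login. */
    private static final String ACCOUNT_MANAGEMENT_SERVICE = "account-management-service";
    private static final String PN_CONFIRMATION_PAGE = "confirmationPage";
    private static final String PN_INTERMEDIATE_PATH = "intermediatePath";
    private static final String PN_MEMBER_OF = "memberOf";
    private static final String PROPERTY_ID = "userId";
    private static final String PF_REP = "rep:";
    private static final String PASSWORD = "password";
    private static final String PROFILE = "profile";
    private static final String PREFERENCES = "preferences";
    private static final long DEFAULT_CLAIM_MAX_VALIDITY_PERIOD = 600;

    @Property(longValue = {DEFAULT_CLAIM_MAX_VALIDITY_PERIOD}, label = "Validity period of the manager token", description = "Max validity period of the manager token (in seconds)")
    private static final String CLAIM_MAX_VALIDITY_PERIOD = "cq.accountmanager.token.validity.period";
    private static final String MAIL_CONFIG_PATH = "/etc/security/accountmgr/jcr:content";

    @Property(value = {"requestnewaccount"}, label = "Node name", description = "Config node below /etc/security/accountmgr/jcr:content defining the mail template used when requesting a new account")
    private static final String CREATE_ACCOUNT_REQUEST_MAIL_NAME = "cq.accountmanager.config.requestnewaccount.mail";

    @Property(value = {"requestnewpwd"}, label = "Node name", description = "Name of the node below /etc/security/accountmgr/jcr:content defining the mail template used when requesting a password change")
    private static final String CHANGE_PASSWORD_REQUEST_MAIL_NAME = "cq.accountmanager.config.requestnewpwd.mail";

    @Reference
    private SlingRepository repository;

    @Reference
    private ResourceResolverFactory resolverFactory;

    @Reference
    private UserPropertiesService userPropertiesService;

    @Reference
    private UserManagementService userManagementService;

    // Dynamic reference: may be unbound at any time, so readers take a local copy before use.
    @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY, policy = ReferencePolicy.DYNAMIC)
    private volatile MailService mailService;

    @Reference
    private JwsBuilderFactory jwsBuilderFactory;

    /** Repository path of the mail template used for account requests. */
    private String createAccountRequestMail;
    /** Repository path of the mail template used for password-reset requests. */
    private String changePasswordRequestMail;
    /** Token validity period, in seconds per the OSGi property description. */
    private long tokenExpiry;

    /**
     * Reads the component configuration: the two mail-template node names (resolved below
     * {@code /etc/security/accountmgr/jcr:content}) and the token validity period.
     *
     * @param map the component configuration properties
     */
    @Activate
    protected void activate(Map<String, Object> map) throws RepositoryException {
        this.createAccountRequestMail = MAIL_CONFIG_PATH + "/" + map.get(CREATE_ACCOUNT_REQUEST_MAIL_NAME);
        this.changePasswordRequestMail = MAIL_CONFIG_PATH + "/" + map.get(CHANGE_PASSWORD_REQUEST_MAIL_NAME);
        this.tokenExpiry = PropertiesUtil.toLong(map.get(CLAIM_MAX_VALIDITY_PERIOD), DEFAULT_CLAIM_MAX_VALIDITY_PERIOD);
    }

    /**
     * Creates a disabled account and e-mails a confirmation link to the submitted address.
     *
     * <p>The service session and resource resolver are opened inside the {@code try} so that they
     * are released on every path, including a failure while the resolver is being obtained.
     *
     * @param str  ID of the account to create
     * @param str2 password passed to the user manager when the account is created
     * @param map  request parameters to store as user properties; may be {@code null}
     * @param str3 request URL; its protocol, host and port are reused for the e-mailed link and
     *             its host is stored in the token, so it should come from a trusted source
     * @param str4 path of the resource holding {@code memberOf}, {@code intermediatePath} and
     *             {@code confirmationPage}
     * @return {@code true} only when the confirmation e-mail was handed to the mail service
     * @throws RepositoryException if repository access fails
     */
    @Override
    public boolean requestAccount(String str, String str2, Map<String, RequestParameter[]> map, String str3, String str4) throws RepositoryException {
        this.log.debug("User {} would like to create an account", str);
        Session serviceSession = null;
        ResourceResolver resourceResolver = null;
        try {
            serviceSession = getServiceSession();
            resourceResolver = getResourceResolver(serviceSession);
            return createAccountAndSendConfirmation(serviceSession, resourceResolver, str, str2, map, str3, str4);
        } catch (EmailException | MalformedURLException | CryptoException | MailingException e) {
            // The throwable is passed as the last argument so the logger records the stack trace.
            this.log.error("Request to create an account failed", e);
            return false;
        } finally {
            closeSession(serviceSession);
            closeResourceResolver(resourceResolver);
        }
    }

    /**
     * E-mails a password-reset link to the address stored in the user's profile.
     *
     * <p>A {@code MailingException} raised by the mail service is not caught here (unlike in
     * {@link #requestAccount}) and propagates to the caller.
     *
     * @param str  ID of the user requesting the reset
     * @param str2 request URL; its protocol, host and port are reused for the e-mailed link and
     *             its host is stored in the token, so it should come from a trusted source
     * @param str3 path of the resource holding {@code confirmationPage}
     * @return {@code true} only when the e-mail was handed to the mail service; {@code false}
     *         also when the user does not exist
     * @throws RepositoryException if repository access fails
     */
    @Override
    public boolean requestPasswordReset(String str, String str2, String str3) throws RepositoryException {
        this.log.debug("User {} would like to reset his password", str);
        Session serviceSession = null;
        ResourceResolver resourceResolver = null;
        try {
            serviceSession = getServiceSession();
            resourceResolver = getResourceResolver(serviceSession);
            return sendPasswordResetMail(serviceSession, resourceResolver, str, str2, str3);
        } catch (MalformedURLException e) {
            this.log.error("Failed to retrieve the request URL", e);
            return false;
        } catch (CryptoException e) {
            this.log.error("Failed to create hmac token for password request confirmation", e);
            return false;
        } catch (EmailException e) {
            this.log.error("Failed to Send E-Mail", e);
            return false;
        } finally {
            closeSession(serviceSession);
            closeResourceResolver(resourceResolver);
        }
    }

    /** Account-creation flow proper; the caller owns and closes the session and the resolver. */
    private boolean createAccountAndSendConfirmation(Session session, ResourceResolver resolver, String userId, String password,
            Map<String, RequestParameter[]> properties, String requestUrl, String configPath)
            throws RepositoryException, EmailException, MalformedURLException, CryptoException, MailingException {
        ValueMap config = readValueMap(resolver, configPath);
        if (config == null) {
            this.log.error("Request to create an account failed: no configuration found at {}", configPath);
            return false;
        }
        User user = createAccount(resolver, userId, password, config.get(PN_MEMBER_OF, ""), config.get(PN_INTERMEDIATE_PATH, String.class), properties);
        if (user == null) {
            return false;
        }
        // The account stays disabled until the holder of the mailbox confirms the request.
        user.disable("user creation not yet confirmed");
        session.save();
        this.log.info("An account has been created for user {}. The account is disabled until the user confirms its creation", userId);

        // NOTE(review): the account is already persisted at this point; a missing template or
        // confirmation page leaves a disabled account behind that keeps the ID reserved.
        MailTemplate template = getCreateAccountRequestMail(session);
        if (template == null) {
            this.log.error("Request to create an account failed: no mail template configured");
            return false;
        }
        String email = getSubmittedEmail(userId, properties);
        String token = buildJwt(userId, requestUrl, CREATE_ACCOUNT_OPERATION);
        URL confirmationPage = getNextStepPageURL(requestUrl, config.get(PN_CONFIRMATION_PAGE, ""));
        if (confirmationPage == null) {
            this.log.error("Request to create an account failed: the confirmation URL is not defined");
            return false;
        }
        sendMail(template, email, buildMailVariables(confirmationPage, token, userId));
        this.log.info("Instruction email sent to user {} to create an account", userId);
        return true;
    }

    /** Password-reset flow proper; the caller owns and closes the session and the resolver. */
    private boolean sendPasswordResetMail(Session session, ResourceResolver resolver, String userId, String requestUrl, String configPath)
            throws RepositoryException, EmailException, MalformedURLException, CryptoException, MailingException {
        UserManager userManager = getUserManager(session);
        UserPropertiesManager userPropertiesManager = getUserPropertiesManager(resolver);
        User user = getUser(userManager, userId);
        if (user == null) {
            this.log.error("Failed to request a password change: the user {} does not exist", userId);
            return false;
        }
        ValueMap config = readValueMap(resolver, configPath);
        if (config == null) {
            this.log.error("Failed to request a password change: no configuration found at {}", configPath);
            return false;
        }
        MailTemplate template = getChangePasswordRequestMail(session);
        if (template == null) {
            this.log.error("Failed to request a password change: no mail template configured");
            return false;
        }
        String token = buildJwt(userId, requestUrl, CHANGE_PASSWORD_OPERATION);
        URL nextStepPage = getNextStepPageURL(requestUrl, config.get(PN_CONFIRMATION_PAGE, ""));
        if (nextStepPage == null) {
            this.log.error("Could not send mail: the next step page URL is not defined");
            return false;
        }
        sendMail(userPropertiesManager, template, user, buildMailVariables(nextStepPage, token, userId));
        this.log.info("Instruction email sent to user {} to reset his password", userId);
        return true;
    }

    /** Returns the properties of the resource at {@code path}, or {@code null} if there is none. */
    private ValueMap readValueMap(ResourceResolver resolver, String path) {
        if (path == null || resolver.getResource(path) == null) {
            return null;
        }
        return resolver.getResource(path).adaptTo(ValueMap.class);
    }

    /** Builds the template variables: the link carrying the token and the user ID. */
    private Map<String, String> buildMailVariables(URL page, String token, String userId) {
        Map<String, String> variables = new HashMap<>();
        // The token is passed in the query string; it may therefore show up in access logs.
        variables.put("actionurl", page.toExternalForm() + "?ky=" + token);
        variables.put(PROPERTY_ID, userId);
        return variables;
    }

    /**
     * Creates the user in the transient space, adds it to the configured group when that group
     * exists, and stores the submitted properties. Nothing is saved here.
     *
     * @return the new user, or {@code null} if the ID is taken or creation failed
     */
    private User createAccount(ResourceResolver resolver, final String userId, String password, String groupId, String intermediatePath,
            Map<String, RequestParameter[]> properties) throws RepositoryException {
        UserManager userManager = resolver.adaptTo(UserManager.class);
        if (userManager == null) {
            this.log.error("Cannot create an account for user {}: no user manager available", userId);
            return null;
        }
        if (userManager.getAuthorizable(userId) != null) {
            this.log.error("Cannot create an account for user {}: an authorizable with the same ID already exists", userId);
            return null;
        }
        try {
            Principal principal = new Principal() {
                @Override
                public String getName() {
                    return userId;
                }
            };
            User user = userManager.createUser(userId, password, principal, intermediatePath);
            this.log.debug("User {} created in the transient space", userId);
            Group group = userManager.getAuthorizable(groupId, Group.class);
            if (group != null) {
                group.addMember(user);
            }
            setUserProperties(resolver, userId, properties);
            this.log.debug("Properties set in the transient space for user {}", userId);
            return user;
        } catch (Exception e) {
            // Deliberately broad: any failure here means "no account"; the caller never saves.
            this.log.error("Cannot create account for userId {}", userId, e);
            return null;
        }
    }

    /**
     * Stores the submitted properties for a new user. When the user ID contains {@code "@"} it is
     * first recorded as the profile e-mail; a submitted {@code email} parameter is written
     * afterwards by the property loop.
     */
    private void setUserProperties(ResourceResolver resolver, String userId, Map<String, RequestParameter[]> properties) throws RepositoryException {
        if (userId.contains("@")) {
            // Only the presence of "@" is checked; this is not an address validation.
            UserPropertiesManager userPropertiesManager = resolver.adaptTo(UserPropertiesManager.class);
            getOrCreateUserProperties(userPropertiesManager, userId, PROFILE).getNode().setProperty("email", userId);
            this.log.debug("Set user-id {} initially as mail", userId);
        }
        setUserProperties(resolver, userId, properties, false);
    }

    /**
     * Copies request parameters onto the user's property nodes.
     *
     * <p>Names equal to {@code userId} or {@code intermediatePath}, or starting with
     * {@code password}, are skipped. Names starting with {@code rep:} are written as a single
     * string on the user's own properties node. Names starting with {@code preferences} go to the
     * preferences node with that prefix and the following character removed. Everything else goes
     * to the profile node.
     *
     * <p>NOTE(security): apart from that deny-list, the property names are whatever the request
     * supplied. Callers should restrict the map to the fields the registration form expects.
     *
     * @param commit whether to commit the resolver after writing
     * @return {@code false} if {@code properties} is {@code null} or the user is missing or
     *         anonymous, otherwise {@code true}
     */
    private boolean setUserProperties(ResourceResolver resolver, String userId, Map<String, RequestParameter[]> properties, boolean commit) throws RepositoryException {
        if (properties == null) {
            this.log.info("The user properties are not defined");
            return false;
        }
        User user = resolver.adaptTo(UserManager.class).getAuthorizable(userId, User.class);
        // Checked before any property node is created, so nothing is written for these users.
        if (user == null || userId.equals(this.userManagementService.getAnonymousId())) {
            this.log.info("The user does not exist or is anonymous");
            return false;
        }
        UserPropertiesManager userPropertiesManager = resolver.adaptTo(UserPropertiesManager.class);
        UserProperties userRoot = getOrCreateUserProperties(userPropertiesManager, userId, "");
        UserProperties profile = getOrCreateUserProperties(userPropertiesManager, userId, PROFILE);
        UserProperties preferences = getOrCreateUserProperties(userPropertiesManager, userId, PREFERENCES);

        for (Map.Entry<String, RequestParameter[]> entry : properties.entrySet()) {
            String name = entry.getKey();
            RequestParameter[] values = entry.getValue();
            if (isKeyProperty(name)) {
                this.log.debug("Skipped addition of {}, is key-property", name);
                continue;
            }
            if (values == null) {
                this.log.debug("Skipped addition of {}, no value submitted", name);
                continue;
            }
            if (name.startsWith(PF_REP)) {
                if (values.length == 0 || !values[0].isFormField()) {
                    this.log.debug("Skipped addition of {}, is not a String", name);
                } else {
                    userRoot.getNode().setProperty(name, values[0].getString());
                    this.log.debug("Set {} as a user property", name);
                }
                continue;
            }
            boolean isPreference = name.startsWith(PREFERENCES);
            if (isPreference && name.length() <= PREFERENCES.length() + 1) {
                // A bare prefix has no property name left after stripping; skipping it avoids an
                // index error that would otherwise abort the whole account creation.
                this.log.warn("Cannot set the property {}: {}", name, "no name after the preferences prefix");
                continue;
            }
            try {
                Object value = toPropertyValue(values);
                if (isPreference) {
                    // NOTE(review): the character after the prefix is dropped without checking
                    // that it is a separator.
                    JcrUtil.setProperty(preferences.getNode(), name.substring(PREFERENCES.length() + 1), value);
                } else {
                    JcrUtil.setProperty(profile.getNode(), name, value);
                }
            } catch (IOException e) {
                this.log.warn("Failed to access value for {}: {}", name, e.getMessage());
            } catch (IllegalArgumentException e) {
                this.log.warn("Cannot set the property {}: {}", name, e.getMessage());
            }
        }
        if (commit) {
            try {
                resolver.commit();
            } catch (PersistenceException e) {
                // NOTE(review): a failed commit is logged but still reported as success below.
                this.log.error("Could not persist the changes in the repository: {}", e.getMessage());
            }
        }
        return true;
    }

    /** Tells whether a request parameter name must never be stored as a user property. */
    private boolean isKeyProperty(String name) {
        return name.equals(PROPERTY_ID) || name.startsWith(PASSWORD) || name.equals(PN_INTERMEDIATE_PATH);
    }

    /** Returns the user properties at {@code relPath}, creating them when they do not exist. */
    private UserProperties getOrCreateUserProperties(UserPropertiesManager userPropertiesManager, String userId, String relPath) throws RepositoryException {
        UserProperties existing = userPropertiesManager.getUserProperties(userId, relPath);
        return existing != null ? existing : userPropertiesManager.createUserProperties(userId, relPath);
    }

    /**
     * Converts submitted parameter values into the object handed to {@code JcrUtil.setProperty}:
     * a string or stream for one non-empty value, an array of the distinct non-empty values for
     * several, and {@code null} when nothing usable was submitted.
     */
    private Object toPropertyValue(RequestParameter[] values) throws IOException {
        if (values.length == 0) {
            return null;
        }
        if (values.length == 1) {
            RequestParameter only = values[0];
            if (only.getSize() == 0) {
                return null;
            }
            return only.isFormField() ? only.getString() : only.getInputStream();
        }
        // The first value decides whether all of them are read as strings or as streams.
        boolean asStrings = values[0].isFormField();
        HashSet<Object> distinct = new HashSet<>();
        for (RequestParameter value : values) {
            if (value.getSize() != 0) {
                distinct.add(asStrings ? value.getString() : value.getInputStream());
            }
        }
        return distinct.toArray();
    }

    /**
     * Sends the templated mail to the address stored in the user's profile.
     *
     * @throws EmailException if no mail service is bound or the profile has no address
     */
    private void sendMail(UserPropertiesManager userPropertiesManager, MailTemplate mailTemplate, User user, Map<String, String> variables)
            throws RepositoryException, EmailException, MailingException {
        String userEmail = getUserEmail(userPropertiesManager, user.getID());
        // Single read of the volatile field: the service can be unbound between check and use.
        MailService service = this.mailService;
        if (service == null || userEmail == null) {
            throw new EmailException("Failed to send email to " + userEmail);
        }
        SimpleEmail mail = mailTemplate.createMail(new AccountVariableReplacer(userPropertiesManager, user.getID(), variables));
        mail.addTo(userEmail);
        service.send(mail);
    }

    /**
     * Sends the templated mail to an explicitly given address.
     *
     * @throws EmailException if no mail service is bound or {@code email} is {@code null}
     */
    private void sendMail(MailTemplate mailTemplate, String email, Map<String, String> variables) throws RepositoryException, EmailException, MailingException {
        // Single read of the volatile field: the service can be unbound between check and use.
        MailService service = this.mailService;
        if (service == null || email == null) {
            throw new EmailException("Failed to send email to " + email);
        }
        SimpleEmail mail = mailTemplate.createMail(new VariableReplacer(variables));
        mail.addTo(email);
        service.send(mail);
    }

    /**
     * Picks the address for the confirmation mail: the user ID itself when it contains
     * {@code "@"}, otherwise the first submitted {@code email} parameter.
     *
     * @return the address, or {@code null} when none was submitted
     */
    private String getSubmittedEmail(String userId, Map<String, RequestParameter[]> properties) throws RepositoryException {
        if (userId.contains("@")) {
            return userId;
        }
        if (properties == null) {
            return null;
        }
        RequestParameter[] submitted = properties.get("email");
        if (submitted == null || submitted.length == 0) {
            return null;
        }
        return submitted[0].getString();
    }

    /** Returns the {@code email} property of the user's profile, or {@code null} without a profile. */
    private String getUserEmail(UserPropertiesManager userPropertiesManager, String userId) throws RepositoryException {
        UserProperties profile = userPropertiesManager.getUserProperties(userId, PROFILE);
        return profile != null ? profile.getProperty("email") : null;
    }

    private MailTemplate getCreateAccountRequestMail(Session session) {
        return getMailTemplate(session, this.createAccountRequestMail);
    }

    private MailTemplate getChangePasswordRequestMail(Session session) {
        return getMailTemplate(session, this.changePasswordRequestMail);
    }

    /**
     * Reads the mail template stored at {@code path}.
     *
     * @return the template, or {@code null} if the item is missing or cannot be read
     */
    private MailTemplate getMailTemplate(Session session, String path) {
        ResourceResolver resolver = null;
        try {
            if (!session.itemExists(path)) {
                return null;
            }
            resolver = getResourceResolver(session);
            ValueMap templateProperties = readValueMap(resolver, path);
            if (templateProperties == null) {
                this.log.warn("Failed to read Mail configuration at {}: {}", path, "no resource found");
                return null;
            }
            return MailTemplate.read(templateProperties);
        } catch (RepositoryException e) {
            this.log.warn("Failed to read Mail configuration at {}: {}", path, e.getMessage());
            return null;
        } finally {
            // Released on every path, including when reading the template throws.
            closeResourceResolver(resolver);
        }
    }

    /**
     * Builds the URL of the page the e-mailed link points to: protocol, host and port of
     * {@code requestUrl} combined with {@code pagePath} (with {@code .html} appended if missing).
     *
     * @return the URL, or {@code null} when {@code pagePath} is {@code null} or empty
     */
    private URL getNextStepPageURL(String requestUrl, String pagePath) throws MalformedURLException {
        if (pagePath == null || pagePath.isEmpty()) {
            return null;
        }
        String file = pagePath.endsWith(".html") ? pagePath : pagePath + ".html";
        // NOTE(security): the link host is whatever requestUrl carries; see the class notes.
        URL request = new URL(requestUrl);
        return new URL(request.getProtocol(), request.getHost(), request.getPort(), file);
    }

    private User getUser(UserManager userManager, String userId) throws RepositoryException {
        return userManager.getAuthorizable(userId, User.class);
    }

    /**
     * Builds the signed token for a confirmation link, with the claims {@code userId},
     * {@code host} (host part of {@code requestUrl}) and {@code operation}, expiring after the
     * configured validity period.
     */
    private String buildJwt(String userId, String requestUrl, String operation) throws CryptoException, MalformedURLException {
        JwsBuilder builder = this.jwsBuilderFactory.getInstance("HS256").setExpiresIn(this.tokenExpiry);
        String host = new URL(requestUrl).getHost();
        builder.setCustomClaimsSetField(TOKEN_FIELD_USER_ID, userId);
        builder.setCustomClaimsSetField(TOKEN_FIELD_HOST, host);
        builder.setCustomClaimsSetField(TOKEN_FIELD_OPERATION, operation);
        return builder.build();
    }

    /** Opens a repository session for the {@code account-management-service} service login. */
    private Session getServiceSession() throws RepositoryException {
        return this.repository.loginService(ACCOUNT_MANAGEMENT_SERVICE, (String) null);
    }

    /**
     * Wraps an existing session in a resource resolver.
     *
     * @throws RepositoryException if the resolver factory rejects the login
     */
    private ResourceResolver getResourceResolver(Session session) throws RepositoryException {
        Map<String, Object> authInfo = new HashMap<>();
        authInfo.put("user.jcr.session", session);
        try {
            return this.resolverFactory.getResourceResolver(authInfo);
        } catch (LoginException e) {
            throw new RepositoryException("Cannot login to the repository with the service user", e);
        }
    }

    private UserManager getUserManager(Session session) throws RepositoryException {
        return ((JackrabbitSession) session).getUserManager();
    }

    private UserPropertiesManager getUserPropertiesManager(ResourceResolver resolver) throws RepositoryException {
        return this.userPropertiesService.createUserPropertiesManager(resolver);
    }

    /** Logs the session out; a {@code null} session is ignored. */
    private void closeSession(Session session) {
        if (session != null) {
            session.logout();
        }
    }

    /** Closes the resolver if it is non-null and still live. */
    private void closeResourceResolver(ResourceResolver resourceResolver) {
        if (resourceResolver != null && resourceResolver.isLive()) {
            resourceResolver.close();
        }
    }

    // Bind/unbind pairs for the @Reference fields above. Each unbind clears the field only when
    // it still holds the instance being unbound.

    protected void bindRepository(SlingRepository slingRepository) {
        this.repository = slingRepository;
    }

    protected void unbindRepository(SlingRepository slingRepository) {
        if (this.repository == slingRepository) {
            this.repository = null;
        }
    }

    protected void bindResolverFactory(ResourceResolverFactory resourceResolverFactory) {
        this.resolverFactory = resourceResolverFactory;
    }

    protected void unbindResolverFactory(ResourceResolverFactory resourceResolverFactory) {
        if (this.resolverFactory == resourceResolverFactory) {
            this.resolverFactory = null;
        }
    }

    protected void bindUserPropertiesService(UserPropertiesService userPropertiesService) {
        this.userPropertiesService = userPropertiesService;
    }

    protected void unbindUserPropertiesService(UserPropertiesService userPropertiesService) {
        if (this.userPropertiesService == userPropertiesService) {
            this.userPropertiesService = null;
        }
    }

    protected void bindUserManagementService(UserManagementService userManagementService) {
        this.userManagementService = userManagementService;
    }

    protected void unbindUserManagementService(UserManagementService userManagementService) {
        if (this.userManagementService == userManagementService) {
            this.userManagementService = null;
        }
    }

    protected void bindMailService(MailService mailService) {
        this.mailService = mailService;
    }

    protected void unbindMailService(MailService mailService) {
        if (this.mailService == mailService) {
            this.mailService = null;
        }
    }

    protected void bindJwsBuilderFactory(JwsBuilderFactory jwsBuilderFactory) {
        this.jwsBuilderFactory = jwsBuilderFactory;
    }

    protected void unbindJwsBuilderFactory(JwsBuilderFactory jwsBuilderFactory) {
        if (this.jwsBuilderFactory == jwsBuilderFactory) {
            this.jwsBuilderFactory = null;
        }
    }
}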
