package com.adobe.cq.account.impl;

import com.adobe.granite.oauth.jwt.JwsValidator;
import com.adobe.granite.security.user.UserProperties;
import com.adobe.granite.security.user.UserPropertiesManager;
import com.adobe.granite.security.user.UserPropertiesService;
import com.day.cq.mailer.MailService;
import com.day.cq.mailer.MailingException;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.HashMap;
import java.util.Map;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.servlet.ServletException;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.mail.EmailException;
import org.apache.commons.mail.SimpleEmail;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.ReferencePolicy;
import org.apache.felix.scr.annotations.Service;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.oltu.oauth2.jwt.JWT;
import org.apache.oltu.oauth2.jwt.io.JWTReader;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.api.resource.ValueMap;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.apache.sling.jcr.api.SlingRepository;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

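/**
 * Sling servlet bound to the {@code security/accountmgr/confirm} resource type that completes
 * account-management operations confirmed through a signed token.
 *
 * <p>The token is read from the {@code ky} request parameter. When it validates, the
 * {@code operation} and {@code userId} claims select the action: {@code create-account} enables
 * the user, {@code change-password} sets the password supplied in the request. The outcome is
 * published as request attributes; this class writes nothing to the response itself.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>All repository work runs in a service session ({@code account-management-service}), so
 *       the token is the only authorization gate visible in this class.</li>
 *   <li>GET and POST share one handler. A password submitted on a GET request would travel in
 *       the query string and can end up in access logs and browser history; the form that
 *       feeds this servlet should submit passwords with POST only.</li>
 *   <li>Nothing here records a token as consumed. Whether {@link JwsValidator#validate}
 *       enforces expiry is not visible from this class and should be confirmed, because a
 *       replayable {@code change-password} token stays usable until it expires.</li>
 *   <li>No password-strength check is applied here; presumably the repository or the calling
 *       form enforces one (to be confirmed).</li>
 * </ul>
 */
@Service
@Component(metatype = true, name = "com.adobe.cq.account.impl.AccountManagementServlet", description = "Manages confirmation requests when managing accounts")
@Properties({@Property(name = "sling.servlet.resourceTypes", value = {"security/accountmgr/confirm"}, propertyPrivate = true), @Property(name = "sling.servlet.methods", value = {"GET", "POST"}, propertyPrivate = true)})
public class AccountManagementServlet extends SlingAllMethodsServlet {
    private static final Logger LOG = LoggerFactory.getLogger(AccountManagementServlet.class);
    private static final String REQ_ATTR_OPERATION_NAME = "cq.account.operation";
    private static final String REQ_ATTR_OPERATION_STATUS = "cq.account.operationStatus";
    private static final String ACCOUNT_MANAGEMENT_SERVICE = "account-management-service";
    private static final String MAIL_CONFIG_PATH = "/etc/security/accountmgr/jcr:content";

    /** Value of the {@code operation} claim that enables a newly created account. */
    private static final String OPERATION_CREATE_ACCOUNT = "create-account";
    /** Value of the {@code operation} claim that sets a new password. */
    private static final String OPERATION_CHANGE_PASSWORD = "change-password";

    /** Node names used when the component configuration does not provide one. */
    private static final String DEFAULT_NEW_ACCOUNT_MAIL_NODE = "informnewaccount";
    private static final String DEFAULT_NEW_PWD_MAIL_NODE = "informnewpwd";

    @Property(value = {"informnewaccount"}, label = "Node name", description = "Config node below /etc/security/accountmgr/jcr:content defining the mail template used to inform the user about the new account")
    private static final String INFORM_NEW_ACCOUNT_MAIL_NAME = "cq.accountmanager.config.informnewaccount.mail";

    @Property(value = {"informnewpwd"}, label = "Node name", description = "Config node below /etc/security/accountmgr/jcr:content defining the mail template used to inform the user about the new password")
    private static final String INFORM_NEW_PWD_MAIL_NAME = "cq.accountmanager.config.informnewpwd.mail";

    @Reference
    private SlingRepository repository;

    @Reference
    private ResourceResolverFactory resolverFactory;

    @Reference
    private UserPropertiesService userPropertiesService;

    // Dynamic reference: the service may be unbound at any time, so readers take a local copy.
    @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY, policy = ReferencePolicy.DYNAMIC)
    private volatile MailService mailService;

    @Reference
    JwsValidator jwsValidator;
    private String informNewAccountMail;
    private String informNewPwdMail;

    /**
     * Resolves the repository paths of the two mail templates from the component configuration.
     *
     * @param map component configuration; a missing or blank node name falls back to the
     *            default declared on the corresponding property
     */
    @Activate
    protected void activate(Map<String, Object> map) throws RepositoryException {
        this.informNewAccountMail = templatePath(map, INFORM_NEW_ACCOUNT_MAIL_NAME, DEFAULT_NEW_ACCOUNT_MAIL_NODE);
        this.informNewPwdMail = templatePath(map, INFORM_NEW_PWD_MAIL_NAME, DEFAULT_NEW_PWD_MAIL_NODE);
    }

    /** Builds the template path below {@link #MAIL_CONFIG_PATH}, never producing a ".../null" path. */
    private static String templatePath(Map<String, Object> config, String key, String defaultNodeName) {
        Object configured = config == null ? null : config.get(key);
        String nodeName = configured == null ? "" : configured.toString();
        if (nodeName.trim().isEmpty()) {
            nodeName = defaultNodeName;
        }
        return MAIL_CONFIG_PATH + "/" + nodeName;
    }

    /** Handles a POST confirmation request; see {@link #manageUserRequest}. */
    protected void doPost(SlingHttpServletRequest slingHttpServletRequest, SlingHttpServletResponse slingHttpServletResponse) throws ServletException, IOException {
        manageUserRequest(slingHttpServletRequest);
    }

    /**
     * Handles a GET confirmation request; see {@link #manageUserRequest}.
     *
     * <p>NOTE(review): this path also accepts {@code change-password}, which reads the new
     * password from request parameters. On GET those parameters are part of the URL.
     */
    protected void doGet(SlingHttpServletRequest slingHttpServletRequest, SlingHttpServletResponse slingHttpServletResponse) throws ServletException, IOException {
        manageUserRequest(slingHttpServletRequest);
    }

    /**
     * Validates the token in the {@code ky} parameter and performs the operation it names.
     *
     * <p>On a valid token the request attributes {@code cq.account.operation} and
     * {@code cq.account.operationStatus} are set. On an invalid token only an error is logged.
     * The service session and its resource resolver are always released, including when a
     * repository or runtime exception interrupts the operation.
     */
    private void manageUserRequest(SlingHttpServletRequest slingHttpServletRequest) {
        LOG.debug("Received a request to perform an account task");
        Session serviceSession = null;
        ResourceResolver resourceResolver = null;
        try {
            serviceSession = getServiceSession();
            resourceResolver = getResourceResolver(serviceSession);
            UserManager userManager = getUserManager(serviceSession);
            UserPropertiesManager userPropertiesManager = getUserPropertiesManager(resourceResolver);
            String token = slingHttpServletRequest.getParameter("ky");
            // The host is taken from the request URL, which normally reflects the client-sent
            // Host header. The comparison with the signed "host" claim is only meaningful if
            // the front end restricts which Host values reach this instance (to be confirmed).
            String requestHost = new URL(slingHttpServletRequest.getRequestURL().toString()).getHost();
            if (isTokenValid(token, requestHost)) {
                String operation = getTokenField(token, "operation");
                String userId = getTokenField(token, "userId");
                LOG.debug("The token is valid for user '{}'", userId);
                boolean succeeded = false;
                if (OPERATION_CREATE_ACCOUNT.equals(operation)) {
                    succeeded = enableAccount(serviceSession, userManager, userPropertiesManager, userId);
                } else if (OPERATION_CHANGE_PASSWORD.equals(operation)) {
                    succeeded = setPassword(serviceSession, userManager, userPropertiesManager, userId, slingHttpServletRequest.getParameter("passwordreset"), slingHttpServletRequest.getParameter("passwordreset_confirm"));
                }
                slingHttpServletRequest.setAttribute(REQ_ATTR_OPERATION_NAME, operation);
                slingHttpServletRequest.setAttribute(REQ_ATTR_OPERATION_STATUS, Boolean.valueOf(succeeded));
            } else {
                LOG.error("The provided token is not valid.");
            }
        } catch (RepositoryException e) {
            LOG.error("Error performing the account task: ", e);
        } catch (MalformedURLException e2) {
            LOG.error("Error while getting the request host: ", e2);
        } finally {
            // Release the resolver before logging out the session it wraps; closeResourceResolver
            // skips resolvers that are no longer live.
            closeResourceResolver(resourceResolver);
            closeSession(serviceSession);
        }
    }

    /**
     * Enables the account of the given user and sends the "new account" notification.
     *
     * @return {@code true} when the user exists and was enabled
     */
    private boolean enableAccount(Session session, UserManager userManager, UserPropertiesManager userPropertiesManager, String str) throws RepositoryException {
        User user = getUser(userManager, str);
        if (user == null) {
            LOG.error("User '{}' does not exist", str);
            return false;
        }
        // In the Jackrabbit API a null reason clears the disabled state, i.e. enables the user.
        user.disable((String) null);
        session.save();
        LOG.info("Account enabled for user '{}'", str);
        informUser(session, userPropertiesManager, user, OPERATION_CREATE_ACCOUNT);
        return true;
    }

    /**
     * Sets a new password for the given user and sends the "new password" notification.
     *
     * @param str  user id taken from the token
     * @param str2 new password
     * @param str3 confirmation of the new password; must equal {@code str2}
     * @return {@code true} when the password was changed
     */
    private boolean setPassword(Session session, UserManager userManager, UserPropertiesManager userPropertiesManager, String str, String str2, String str3) throws RepositoryException {
        User user = getUser(userManager, str);
        if (user == null) {
            LOG.error("The user '{}' does not exist", str);
            return false;
        }
        if (StringUtils.isEmpty(str2) || StringUtils.isEmpty(str3)) {
            LOG.error("The provided password or the confirmed password for user '{}' cannot be null", str);
            return false;
        }
        if (!StringUtils.equals(str2, str3)) {
            LOG.error("The provided password and the confirmed password for user '{}' are different", str);
            return false;
        }
        // Password values are never logged; only the user id appears in the messages.
        user.changePassword(str2);
        session.save();
        LOG.info("The provided password has been set for user '{}'", str);
        informUser(session, userPropertiesManager, user, OPERATION_CHANGE_PASSWORD);
        return true;
    }

    /**
     * Sends the notification mail matching the operation. Mail failures are logged and do not
     * undo the account change that has already been saved.
     */
    private void informUser(Session session, UserPropertiesManager userPropertiesManager, User user, String str) throws RepositoryException {
        String id = user.getID();
        MailTemplate template = OPERATION_CREATE_ACCOUNT.equals(str) ? getInformNewAccountMail(session) : getInformNewPwdMail(session);
        if (template == null) {
            LOG.error("Cannot inform user: mail template is not defined");
            return;
        }
        try {
            Map<String, String> variables = new HashMap<String, String>();
            variables.put("userId", id);
            sendMail(userPropertiesManager, template, user, variables);
            LOG.info("Information email sent to user '{}' about {}", id, str);
        } catch (EmailException e) {
            LOG.error("Failed to inform user '{}': ", id, e);
        } catch (MailingException e2) {
            LOG.error("Failed to inform user '{}': ", id, e2);
        }
    }

    /**
     * Reads one custom string claim from the token.
     *
     * <p>This parses the token without verifying it; callers must have passed the token through
     * {@link #isTokenValid} before trusting the returned value.
     *
     * @return the claim value, or {@code null} when the reader yields no token
     */
    private String getTokenField(String str, String str2) {
        JWT jwt = (JWT) new JWTReader().read(str);
        if (jwt != null) {
            return (String) jwt.getClaimsSet().getCustomField(str2, String.class);
        }
        return null;
    }

    /**
     * Checks that the token passes the JWS validator and that its {@code host} claim equals the
     * host of the current request.
     *
     * @param str  token from the request; a missing or empty token is rejected up front
     * @param str2 host of the current request
     */
    private boolean isTokenValid(String str, String str2) {
        if (str == null || str.isEmpty() || str2 == null || str2.isEmpty()) {
            return false;
        }
        // Verify the signature first so that claims are only read from a validated token.
        if (!this.jwsValidator.validate(str)) {
            return false;
        }
        String tokenHost = getTokenField(str, "host");
        return tokenHost != null && !tokenHost.isEmpty() && tokenHost.equals(str2);
    }

    /** Looks up the user with the given id; returns {@code null} when there is none. */
    private User getUser(UserManager userManager, String str) throws RepositoryException {
        return userManager.getAuthorizable(str, User.class);
    }

    /** Returns the {@code email} property of the user's {@code profile}, or {@code null}. */
    private String getEmail(UserPropertiesManager userPropertiesManager, String str) throws RepositoryException {
        UserProperties userProperties = userPropertiesManager.getUserProperties(str, "profile");
        if (userProperties != null) {
            return userProperties.getProperty("email");
        }
        return null;
    }

    private MailTemplate getInformNewAccountMail(Session session) {
        return getMailTemplate(session, this.informNewAccountMail);
    }

    private MailTemplate getInformNewPwdMail(Session session) {
        return getMailTemplate(session, this.informNewPwdMail);
    }

    /**
     * Loads the mail template stored at the given repository path.
     *
     * @return the template, or {@code null} when the path does not exist, cannot be resolved to
     *         a resource, or cannot be read
     */
    private MailTemplate getMailTemplate(Session session, String str) {
        ResourceResolver resourceResolver = null;
        try {
            if (!session.itemExists(str)) {
                return null;
            }
            resourceResolver = getResourceResolver(session);
            // The path may exist as an item yet not resolve to a resource (for example when it
            // names a property); guard against that instead of failing with a NullPointerException.
            if (resourceResolver.getResource(str) == null) {
                LOG.error("Failed to read Mail configuration at {}: no resource at that path", str);
                return null;
            }
            ValueMap valueMap = (ValueMap) resourceResolver.getResource(str).adaptTo(ValueMap.class);
            return MailTemplate.read(valueMap);
        } catch (RepositoryException e) {
            // The throwable is passed as the last argument so that the stack trace is logged.
            LOG.error("Failed to read Mail configuration at {}", str, e);
            return null;
        } finally {
            closeResourceResolver(resourceResolver);
        }
    }

    /**
     * Renders the template for the user and sends it to the address stored in the user's profile.
     *
     * @throws EmailException when no mail service is bound or the user has no email address
     */
    private void sendMail(UserPropertiesManager userPropertiesManager, MailTemplate mailTemplate, User user, Map<String, String> map) throws RepositoryException, EmailException, MailingException {
        // Read the volatile reference once: it can be unbound between the check and the send.
        MailService service = this.mailService;
        if (service == null) {
            throw new EmailException("Failed to send email: mail service is not available");
        }
        String email = getEmail(userPropertiesManager, user.getID());
        if (email == null) {
            throw new EmailException("Failed to send email: email address is not defined");
        }
        SimpleEmail createMail = mailTemplate.createMail(new AccountVariableReplacer(userPropertiesManager, user.getID(), map));
        createMail.addTo(email);
        service.send(createMail);
    }

    /** Opens a repository session for the {@code account-management-service} service user. */
    private Session getServiceSession() throws RepositoryException {
        return this.repository.loginService(ACCOUNT_MANAGEMENT_SERVICE, (String) null);
    }

    /**
     * Creates a resource resolver on top of the given session.
     *
     * @throws RepositoryException when the resolver factory rejects the login
     */
    private ResourceResolver getResourceResolver(Session session) throws RepositoryException {
        Map<String, Object> authInfo = new HashMap<String, Object>();
        authInfo.put("user.jcr.session", session);
        try {
            return this.resolverFactory.getResourceResolver(authInfo);
        } catch (LoginException e) {
            throw new RepositoryException("Cannot login to the repository with the service user", e);
        }
    }

    private UserManager getUserManager(Session session) throws RepositoryException {
        return ((JackrabbitSession) session).getUserManager();
    }

    private UserPropertiesManager getUserPropertiesManager(ResourceResolver resourceResolver) throws RepositoryException {
        return this.userPropertiesService.createUserPropertiesManager(resourceResolver);
    }

    /** Logs the session out; a {@code null} session is ignored. */
    private void closeSession(Session session) {
        if (session != null) {
            session.logout();
        }
    }

    /** Closes the resolver when it is non-null and still live. */
    private void closeResourceResolver(ResourceResolver resourceResolver) {
        if (resourceResolver == null || !resourceResolver.isLive()) {
            return;
        }
        resourceResolver.close();
    }

    // Bind/unbind methods for the declarative-services references declared above. Each unbind
    // clears the field only when it still holds the instance being removed.

    protected void bindRepository(SlingRepository slingRepository) {
        this.repository = slingRepository;
    }

    protected void unbindRepository(SlingRepository slingRepository) {
        if (this.repository == slingRepository) {
            this.repository = null;
        }
    }

    protected void bindResolverFactory(ResourceResolverFactory resourceResolverFactory) {
        this.resolverFactory = resourceResolverFactory;
    }

    protected void unbindResolverFactory(ResourceResolverFactory resourceResolverFactory) {
        if (this.resolverFactory == resourceResolverFactory) {
            this.resolverFactory = null;
        }
    }

    protected void bindUserPropertiesService(UserPropertiesService userPropertiesService) {
        this.userPropertiesService = userPropertiesService;
    }

    protected void unbindUserPropertiesService(UserPropertiesService userPropertiesService) {
        if (this.userPropertiesService == userPropertiesService) {
            this.userPropertiesService = null;
        }
    }

    protected void bindMailService(MailService mailService) {
        this.mailService = mailService;
    }

    protected void unbindMailService(MailService mailService) {
        if (this.mailService == mailService) {
            this.mailService = null;
        }
    }

    protected void bindJwsValidator(JwsValidator jwsValidator) {
        this.jwsValidator = jwsValidator;
    }

    protected void unbindJwsValidator(JwsValidator jwsValidator) {
        if (this.jwsValidator == jwsValidator) {
            this.jwsValidator = null;
        }
    }
}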
