package com.hypersocket.profile;

import com.hypersocket.auth.AbstractAuthenticatedServiceImpl;
import com.hypersocket.auth.AuthenticationModulesOperationContext;
import com.hypersocket.auth.AuthenticationScheme;
import com.hypersocket.auth.AuthenticationService;
import com.hypersocket.config.ConfigurationValueChangedEvent;
import com.hypersocket.i18n.I18NService;
import com.hypersocket.json.utils.HypersocketUtils;
import com.hypersocket.permissions.AccessDeniedException;
import com.hypersocket.permissions.PermissionService;
import com.hypersocket.permissions.Role;
import com.hypersocket.profile.jobs.ProfileBatchUpdateJob;
import com.hypersocket.profile.jobs.ProfileCreationJob;
import com.hypersocket.profile.jobs.ProfileReportingJob;
import com.hypersocket.profile.jobs.ProfileUpdateJob;
import com.hypersocket.realm.Principal;
import com.hypersocket.realm.Realm;
import com.hypersocket.realm.RealmAdapter;
import com.hypersocket.realm.RealmService;
import com.hypersocket.realm.UserPermission;
import com.hypersocket.realm.events.UserDeletedEvent;
import com.hypersocket.realm.events.UserUndeletedEvent;
import com.hypersocket.realm.events.UserUpdatedEvent;
import com.hypersocket.resource.ResourceException;
import com.hypersocket.scheduler.ClusteredSchedulerService;
import com.hypersocket.scheduler.JobData;
import com.hypersocket.scheduler.PermissionsAwareJobData;
import com.hypersocket.session.events.SessionOpenEvent;
import com.hypersocket.transactions.TransactionService;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import javax.annotation.PostConstruct;
import org.quartz.SchedulerException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.event.EventListener;
import org.springframework.stereotype.Service;

@Service
/* loaded from: input_file:com/hypersocket/profile/ProfileCredentialsServiceImpl.class */
public class ProfileCredentialsServiceImpl extends AbstractAuthenticatedServiceImpl implements ProfileCredentialsService {
    static Logger log = LoggerFactory.getLogger(ProfileCredentialsServiceImpl.class);
    public static final String RESOURCE_BUNDLE = "ProfileCredentialsService";

    @Autowired
    private I18NService i18nService;

    @Autowired
    private PermissionService permissionService;

    @Autowired
    private ProfileRepository profileRepository;

    @Autowired
    private ClusteredSchedulerService schedulerService;

    @Autowired
    private RealmService realmService;

    @Autowired
    private AuthenticationService authenticationService;

    @Autowired
    private TransactionService transactionService;
    private ProfileValidator validator = null;
    private Map<String, ProfileCredentialsProvider> providers = new HashMap();
    private Set<Realm> disabledRealms = new HashSet();
    private ThreadLocal<Boolean> immediateProfileUpdates = new ThreadLocal<>();

    @PostConstruct
    private void postConstruct() {
        this.i18nService.registerBundle(RESOURCE_BUNDLE);
        this.realmService.registerRealmListener(new RealmAdapter() { // from class: com.hypersocket.profile.ProfileCredentialsServiceImpl.1
            @Override // com.hypersocket.realm.RealmAdapter, com.hypersocket.realm.RealmListener
            public void onDeleteRealm(Realm realm) throws ResourceException, AccessDeniedException {
                ProfileCredentialsServiceImpl.this.profileRepository.deleteRealm(realm);
            }
        });
        try {
            if (this.schedulerService.jobDoesNotExists("profileReporting")) {
                this.schedulerService.scheduleAt(ProfileReportingJob.class, "profileReporting", JobData.of("profileReporting", new Object[0]), HypersocketUtils.today(), TimeUnit.DAYS.toMillis(1L));
            }
        } catch (SchedulerException e) {
            log.error("Failed to schedule exchange rate job", e);
        }
    }

    @Override // com.hypersocket.profile.ProfileCredentialsService
    public void registerProvider(ProfileCredentialsProvider profileCredentialsProvider) {
        this.providers.put(profileCredentialsProvider.getResourceKey(), profileCredentialsProvider);
    }

    @Override // com.hypersocket.profile.ProfileCredentialsService
    public void setValidator(ProfileValidator profileValidator) {
        this.validator = profileValidator;
    }

    @Override // com.hypersocket.profile.ProfileCredentialsService
    public boolean areCredentialsRequired(Principal principal, String str) throws AccessDeniedException {
        AuthenticationModulesOperationContext authenticationModulesOperationContext = new AuthenticationModulesOperationContext();
        Profile profileForUser = getProfileForUser(principal);
        if (Objects.isNull(profileForUser)) {
            profileForUser = generateProfile(principal, authenticationModulesOperationContext);
        }
        Iterator<ProfileCredentials> it = profileForUser.getCredentials().iterator();
        while (it.hasNext()) {
            if (it.next().getResourceKey().equals(str)) {
                return true;
            }
        }
        return false;
    }

    @Override // com.hypersocket.profile.ProfileCredentialsService
    public Collection<AuthenticationScheme> filterUserSchemes(Principal principal, Collection<AuthenticationScheme> collection) throws AccessDeniedException {
        ArrayList arrayList = new ArrayList();
        for (AuthenticationScheme authenticationScheme : collection) {
            Set<Role> allowedRoles = this.authenticationService.getAllowedRoles(authenticationScheme);
            Set<Role> deniedRoles = this.authenticationService.getDeniedRoles(authenticationScheme);
            if (allowedRoles.isEmpty()) {
                if (deniedRoles.isEmpty()) {
                    arrayList.add(authenticationScheme);
                } else if (!this.permissionService.hasRole(principal, deniedRoles)) {
                    arrayList.add(authenticationScheme);
                }
            } else if (this.permissionService.hasRole(principal, allowedRoles)) {
                arrayList.add(authenticationScheme);
            }
        }
        return arrayList;
    }

    protected boolean collectAuthenticatorStates(Profile profile, Principal principal, List<ProfileCredentials> list, Map<String, ProfileCredentials> map, AuthenticationModulesOperationContext authenticationModulesOperationContext) throws AccessDeniedException {
        ProfileCredentialsState hasCredentials;
        ProfileCredentials profileCredentials;
        boolean z = false;
        if (Objects.nonNull(this.validator)) {
            HashSet<String> hashSet = new HashSet(this.validator.getRequiredUserCredentials(principal, authenticationModulesOperationContext));
            z = hashSet.contains("2faAuthenticationFlow");
            if (z) {
                hashSet.removeAll(new HashSet(this.validator.getRequired2FACredentials(principal)));
            }
            if (!hashSet.isEmpty()) {
                for (String str : hashSet) {
                    ProfileCredentialsProvider profileCredentialsProvider = this.providers.get(this.authenticationService.getAuthenticator(str).getCredentialsResourceKey());
                    z |= str.equals("2faAuthenticationFlow");
                    if (Objects.nonNull(profileCredentialsProvider) && (hasCredentials = profileCredentialsProvider.hasCredentials(principal, authenticationModulesOperationContext)) != ProfileCredentialsState.NOT_REQUIRED) {
                        if (map.containsKey(profileCredentialsProvider.getResourceKey())) {
                            profileCredentials = map.get(profileCredentialsProvider.getResourceKey());
                        } else {
                            profileCredentials = new ProfileCredentials();
                            profileCredentials.setResourceKey(profileCredentialsProvider.getResourceKey());
                        }
                        profileCredentials.setState(hasCredentials);
                        list.add(profileCredentials);
                    }
                }
            }
            if (z) {
                iterate2FACredentials(principal, list, map, authenticationModulesOperationContext);
            }
        } else {
            iterateAllCredentials(principal, list, map, authenticationModulesOperationContext);
        }
        profile.setSelective(Boolean.valueOf(z));
        return z;
    }

    private void iterate2FACredentials(Principal principal, List<ProfileCredentials> list, Map<String, ProfileCredentials> map, AuthenticationModulesOperationContext authenticationModulesOperationContext) throws AccessDeniedException {
        ProfileCredentialsState hasCredentials;
        ProfileCredentials profileCredentials;
        Iterator<String> it = this.validator.getRequired2FACredentials(principal).iterator();
        while (it.hasNext()) {
            ProfileCredentialsProvider profileCredentialsProvider = this.providers.get(this.authenticationService.getAuthenticator(it.next()).getCredentialsResourceKey());
            if (Objects.nonNull(profileCredentialsProvider) && (hasCredentials = profileCredentialsProvider.hasCredentials(principal, authenticationModulesOperationContext)) != ProfileCredentialsState.NOT_REQUIRED) {
                if (map.containsKey(profileCredentialsProvider.getResourceKey())) {
                    profileCredentials = map.get(profileCredentialsProvider.getResourceKey());
                } else {
                    profileCredentials = new ProfileCredentials();
                    profileCredentials.setResourceKey(profileCredentialsProvider.getResourceKey());
                }
                profileCredentials.setState(hasCredentials);
                list.add(profileCredentials);
            }
        }
    }

    private void iterateAllCredentials(Principal principal, List<ProfileCredentials> list, Map<String, ProfileCredentials> map, AuthenticationModulesOperationContext authenticationModulesOperationContext) throws AccessDeniedException {
        ProfileCredentials profileCredentials;
        for (ProfileCredentialsProvider profileCredentialsProvider : this.providers.values()) {
            ProfileCredentialsState hasCredentials = profileCredentialsProvider.hasCredentials(principal, authenticationModulesOperationContext);
            if (hasCredentials != ProfileCredentialsState.NOT_REQUIRED) {
                if (map.containsKey(profileCredentialsProvider.getResourceKey())) {
                    profileCredentials = map.get(profileCredentialsProvider.getResourceKey());
                } else {
                    profileCredentials = new ProfileCredentials();
                    profileCredentials.setResourceKey(profileCredentialsProvider.getResourceKey());
                }
                profileCredentials.setState(hasCredentials);
                list.add(profileCredentials);
            }
        }
    }

    @Override // com.hypersocket.profile.ProfileCredentialsService
    public boolean calculateCompleteness(Profile profile) {
        int i = 0;
        int i2 = 0;
        int i3 = 0;
        ProfileCredentialsState state = profile.getState();
        Iterator<ProfileCredentials> it = profile.getCredentials().iterator();
        while (it.hasNext()) {
            switch (it.next().getState()) {
                case COMPLETE:
                    i++;
                    break;
                case INCOMPLETE:
                    i3++;
                    break;
                case PARTIALLY_COMPLETE:
                    i2++;
                    break;
            }
        }
        boolean z = profile.getSelective() != null && profile.getSelective().booleanValue();
        if (Objects.nonNull(this.validator)) {
            if (i >= (z ? this.validator.getMaximumCompletedAuths(profile.getRealm()) : profile.getCredentials().size())) {
                profile.setState(ProfileCredentialsState.COMPLETE);
            } else if (i > 0 || i2 > 0) {
                profile.setState(ProfileCredentialsState.PARTIALLY_COMPLETE);
            } else {
                profile.setState(ProfileCredentialsState.INCOMPLETE);
            }
        } else if (i3 > 0) {
            if (i2 > 0 || i > 0) {
                profile.setState(ProfileCredentialsState.PARTIALLY_COMPLETE);
            } else {
                profile.setState(ProfileCredentialsState.INCOMPLETE);
            }
        } else if (i2 > 0) {
            profile.setState(ProfileCredentialsState.PARTIALLY_COMPLETE);
        } else {
            profile.setState(ProfileCredentialsState.COMPLETE);
        }
        switch (profile.getState()) {
            case INCOMPLETE:
            case PARTIALLY_COMPLETE:
                return !Boolean.getBoolean("hypersocket.disableDefaultProfileUpdate");
            default:
                return profile.getState() != state;
        }
    }

    @Override // com.hypersocket.profile.ProfileCredentialsService
    public Profile createProfile(Principal principal, AuthenticationModulesOperationContext authenticationModulesOperationContext) throws AccessDeniedException {
        if (log.isInfoEnabled()) {
            log.info(String.format("Creating profile for user %s", principal.getPrincipalName()));
        }
        Profile generateProfile = generateProfile(principal, authenticationModulesOperationContext);
        if (log.isInfoEnabled()) {
            log.info(String.format("Saving profile as %s for user %s", generateProfile.getState(), principal.getPrincipalName()));
        }
        this.profileRepository.saveEntity(generateProfile);
        return generateProfile;
    }

    @Override // com.hypersocket.profile.ProfileCredentialsService
    public Profile generateProfile(Principal principal, AuthenticationModulesOperationContext authenticationModulesOperationContext) throws AccessDeniedException {
        Profile profile = new Profile();
        profile.setId(principal);
        profile.setRealm(principal.getRealm());
        ArrayList arrayList = new ArrayList();
        collectAuthenticatorStates(profile, principal, arrayList, new HashMap(), authenticationModulesOperationContext);
        profile.setCredentials(arrayList);
        calculateCompleteness(profile);
        return profile;
    }

    @Override // com.hypersocket.profile.ProfileCredentialsService
    public void updateProfile(Principal principal, AuthenticationModulesOperationContext authenticationModulesOperationContext) throws AccessDeniedException {
        Profile entityById = this.profileRepository.getEntityById(principal.getId());
        if (entityById == null) {
            createProfile(principal, authenticationModulesOperationContext);
        } else {
            updateProfile(entityById, principal, authenticationModulesOperationContext);
        }
    }

    @Override // com.hypersocket.profile.ProfileCredentialsService
    public void updateProfile(Profile profile, Principal principal, AuthenticationModulesOperationContext authenticationModulesOperationContext) throws AccessDeniedException {
        if (log.isInfoEnabled()) {
            log.info(String.format("Updating profile for user %s", principal.getPrincipalName()));
        }
        HashMap hashMap = new HashMap();
        for (ProfileCredentials profileCredentials : profile.getCredentials()) {
            hashMap.put(profileCredentials.getResourceKey(), profileCredentials);
        }
        ArrayList arrayList = new ArrayList();
        collectAuthenticatorStates(profile, principal, arrayList, hashMap, authenticationModulesOperationContext);
        profile.getCredentials().clear();
        StringBuffer stringBuffer = new StringBuffer();
        for (ProfileCredentials profileCredentials2 : arrayList) {
            if (stringBuffer.length() > 0) {
                stringBuffer.append(",");
            }
            stringBuffer.append(profileCredentials2.getResourceKey());
        }
        if (!arrayList.isEmpty()) {
            profile.getCredentials().addAll(arrayList);
        }
        calculateCompleteness(profile);
        if (log.isInfoEnabled()) {
            log.info(String.format("Saving profile as %s for user %s with credentials %s", profile.getState(), principal.getPrincipalName(), stringBuffer.toString()));
        }
        this.profileRepository.saveEntity(profile);
    }

    @Override // com.hypersocket.profile.ProfileCredentialsService
    public void deleteProfile(Principal principal) {
        Profile entityById = this.profileRepository.getEntityById(principal.getId());
        if (entityById != null) {
            entityById.setDeleted(true);
            this.profileRepository.saveEntity(entityById);
        }
    }

    @Override // com.hypersocket.profile.ProfileCredentialsService
    public void undeleteProfile(Principal principal) {
        Profile entityById = this.profileRepository.getEntityById(principal.getId(), true);
        if (entityById != null) {
            entityById.setDeleted(false);
            this.profileRepository.saveEntity(entityById);
        }
    }

    @Override // com.hypersocket.profile.ProfileCredentialsService
    public Profile getProfileForUser(Principal principal) {
        return this.profileRepository.getEntityById(principal.getId());
    }

    private void fireProfileCreationJob(Principal principal) {
        if (this.profileRepository.getEntityById(principal.getId()) == null) {
            PermissionsAwareJobData permissionsAwareJobData = new PermissionsAwareJobData(principal.getRealm(), "profileCreationJob", principal.getName());
            permissionsAwareJobData.put("targetPrincipalId", principal.getId());
            try {
                this.schedulerService.scheduleNow(ProfileCreationJob.class, UUID.randomUUID().toString(), permissionsAwareJobData);
            } catch (SchedulerException e) {
                log.error("Failed to schedule profile creation job", e);
            }
        }
    }

    @Override // com.hypersocket.profile.ProfileCredentialsService
    @EventListener
    public void onCredentialsUpdated(ProfileCredentialsEvent profileCredentialsEvent) {
        if (profileCredentialsEvent.isSuccess()) {
            fireProfileUpdateJob(profileCredentialsEvent.getTargetPrincipal(this.realmService));
        }
    }

    @EventListener
    public void onUserUpdated(UserUpdatedEvent userUpdatedEvent) {
        if (userUpdatedEvent.isSuccess()) {
            if (userUpdatedEvent.getAllChangedProperties().containsKey("email") || userUpdatedEvent.getAllChangedProperties().containsKey("mobile") || userUpdatedEvent.getAllChangedProperties().containsKey("secondaryEmail") || userUpdatedEvent.getAllChangedProperties().containsKey("secondaryMobile")) {
                log.info(String.format("Profile for %s needs update due to change in primary or secondary address changes. %s", userUpdatedEvent.getTargetPrincipal().getName(), userUpdatedEvent.getAllChangedProperties()));
                fireProfileUpdateJob(userUpdatedEvent.getTargetPrincipal());
            }
        }
    }

    @Override // com.hypersocket.profile.ProfileCredentialsService
    public boolean immediateProfileUpdates(boolean z) {
        Boolean bool = this.immediateProfileUpdates.get();
        this.immediateProfileUpdates.set(Boolean.valueOf(z));
        if (bool == null) {
            return false;
        }
        return bool.booleanValue();
    }

    private void fireProfileUpdateJob(Principal principal) {
        if (Boolean.TRUE.equals(this.immediateProfileUpdates.get())) {
            try {
                updateProfile(principal, new AuthenticationModulesOperationContext());
                return;
            } catch (Exception e) {
                log.error("Failed to update profile.", e);
                return;
            }
        }
        PermissionsAwareJobData permissionsAwareJobData = new PermissionsAwareJobData(principal.getRealm(), "profileUpdateJob", principal.getName());
        permissionsAwareJobData.put("targetPrincipalId", principal.getId());
        try {
            this.schedulerService.scheduleNow(ProfileUpdateJob.class, UUID.randomUUID().toString(), permissionsAwareJobData);
        } catch (SchedulerException e2) {
            log.error("Failed to schedule profile update job", e2);
        }
    }

    @Override // com.hypersocket.profile.ProfileCredentialsService
    @EventListener
    public void onConfigurationChange(ConfigurationValueChangedEvent configurationValueChangedEvent) {
        if (configurationValueChangedEvent.isSuccess() && "2fa.minimumFactors".equals(configurationValueChangedEvent.getAttribute(ConfigurationValueChangedEvent.ATTR_CONFIG_RESOURCE_KEY))) {
            fireBatchUpdateJob(configurationValueChangedEvent.getCurrentRealm());
        }
    }

    @Override // com.hypersocket.profile.ProfileCredentialsService
    @EventListener
    public void onUserDeleted(UserDeletedEvent userDeletedEvent) {
        if (userDeletedEvent.isSuccess()) {
            deleteProfile(userDeletedEvent.getTargetPrincipal());
        }
    }

    @Override // com.hypersocket.profile.ProfileCredentialsService
    @EventListener
    public void onUserUndeleted(UserUndeletedEvent userUndeletedEvent) {
        if (userUndeletedEvent.isSuccess()) {
            undeleteProfile(userUndeletedEvent.getTargetPrincipal());
        }
    }

    @Override // com.hypersocket.profile.ProfileCredentialsService
    @EventListener
    public void onSessionOpen(SessionOpenEvent sessionOpenEvent) {
        if (sessionOpenEvent.isSuccess()) {
            fireProfileCreationJob(sessionOpenEvent.getTargetPrincipal(this.realmService));
        }
    }

    @Override // com.hypersocket.profile.ProfileCredentialsService
    @EventListener
    public void onBatchChange(ProfileBatchChangeEvent profileBatchChangeEvent) {
        if (profileBatchChangeEvent.isSuccess()) {
            fireBatchUpdateJob(profileBatchChangeEvent.getCurrentRealm());
        }
    }

    private void fireBatchUpdateJob(Realm realm) {
        if (this.disabledRealms.contains(realm)) {
            log.warn("Realm {} is currently disable for batch updates", realm.getName());
            return;
        }
        try {
            this.schedulerService.scheduleNow(ProfileBatchUpdateJob.class, UUID.randomUUID().toString(), new PermissionsAwareJobData(realm, "profileBatchUpdateJob", new Object[0]));
        } catch (SchedulerException e) {
            log.error("Failed to schedule profile batch update job", e);
        }
    }

    @Override // com.hypersocket.profile.ProfileCredentialsService
    public void resetProfile(Principal principal) throws AccessDeniedException, ResourceException {
        assertAnyPermission(UserPermission.DELETE, UserPermission.UPDATE);
        Profile profileForUser = getProfileForUser(principal);
        if (Objects.nonNull(profileForUser)) {
            this.profileRepository.deleteEntity(profileForUser);
        }
        Iterator<ProfileCredentialsProvider> it = this.providers.values().iterator();
        while (it.hasNext()) {
            it.next().deleteCredentials(principal);
        }
    }

    @Override // com.hypersocket.profile.ProfileCredentialsService
    public void resumeBatchUpdate(Realm realm) {
        this.disabledRealms.remove(realm);
        log.warn("Realm {} is now enabled batch updates", realm.getName());
        fireBatchUpdateJob(realm);
    }

    @Override // com.hypersocket.profile.ProfileCredentialsService
    public void disableBatchUpdate(Realm realm) {
        log.warn("Realm {} is now disabled batch updates", realm.getName());
        this.disabledRealms.add(realm);
    }

    @Override // com.hypersocket.profile.ProfileCredentialsService
    public void resetProfiles(List<Principal> list) throws AccessDeniedException, ResourceException {
        this.transactionService.doInTransaction(transactionStatus -> {
            if (list == null) {
                return null;
            }
            Iterator it = list.iterator();
            while (it.hasNext()) {
                try {
                    resetProfile((Principal) it.next());
                } catch (AccessDeniedException | ResourceException e) {
                    throw new IllegalStateException(e.getMessage(), e);
                }
            }
            return null;
        });
    }
}
