package org.thingsboard.server.service.security.auth.rest;

import java.util.UUID;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Component;
import org.springframework.util.Assert;
import org.thingsboard.server.common.data.Customer;
import org.thingsboard.server.common.data.User;
import org.thingsboard.server.common.data.audit.ActionType;
import org.thingsboard.server.common.data.id.CustomerId;
import org.thingsboard.server.common.data.id.EntityId;
import org.thingsboard.server.common.data.id.TenantId;
import org.thingsboard.server.common.data.id.UserId;
import org.thingsboard.server.common.data.security.Authority;
import org.thingsboard.server.common.data.security.UserCredentials;
import org.thingsboard.server.common.data.security.model.UserPasswordPolicy;
import org.thingsboard.server.dao.customer.CustomerService;
import org.thingsboard.server.dao.exception.DataValidationException;
import org.thingsboard.server.dao.settings.SecuritySettingsService;
import org.thingsboard.server.dao.user.UserService;
import org.thingsboard.server.queue.util.TbCoreComponent;
import org.thingsboard.server.service.security.auth.MfaAuthenticationToken;
import org.thingsboard.server.service.security.auth.mfa.TwoFactorAuthService;
import org.thingsboard.server.service.security.exception.UserPasswordNotValidException;
import org.thingsboard.server.service.security.model.SecurityUser;
import org.thingsboard.server.service.security.model.UserPrincipal;
import org.thingsboard.server.service.security.system.SystemSecurityService;

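/**
 * Spring {@link AuthenticationProvider} for ThingsBoard's REST login.
 *
 * <p>Two kinds of {@link UserPrincipal} are accepted:
 * <ul>
 *   <li>{@code USER_NAME}: e-mail + password, validated against the stored credentials and, when the
 *       tenant/user has 2FA enabled, returned as a pre-MFA {@link MfaAuthenticationToken} instead of a
 *       fully authenticated token.</li>
 *   <li>any other type: the value is treated as a public customer id and yields a synthetic, enabled
 *       {@code CUSTOMER_USER} bound to that customer (dashboard sharing).</li>
 * </ul>
 * Every failure is reported as a Spring {@link AuthenticationException}; the password is never carried
 * on the returned token.
 */
@TbCoreComponent
@Component
public class RestAuthenticationProvider implements AuthenticationProvider {
    private static final Logger log = LoggerFactory.getLogger(RestAuthenticationProvider.class);
    private final SystemSecurityService systemSecurityService;
    private final SecuritySettingsService securitySettingsService;
    private final UserService userService;
    private final CustomerService customerService;
    private final TwoFactorAuthService twoFactorAuthService;

    @Autowired
    public RestAuthenticationProvider(UserService userService, CustomerService customerService, SystemSecurityService systemSecurityService, SecuritySettingsService securitySettingsService, TwoFactorAuthService twoFactorAuthService) {
        this.userService = userService;
        this.customerService = customerService;
        this.systemSecurityService = systemSecurityService;
        this.securitySettingsService = securitySettingsService;
        this.twoFactorAuthService = twoFactorAuthService;
    }

    /**
     * Authenticates the request described by {@code authentication}.
     *
     * @param authentication token whose principal must be a {@link UserPrincipal}; for
     *                       {@code USER_NAME} principals the credentials are the plaintext password
     * @return a fully authenticated {@link UsernamePasswordAuthenticationToken} (credentials cleared),
     *         or an {@link MfaAuthenticationToken} when a second factor is still required
     * @throws BadCredentialsException            bad principal type, missing password, or invalid public id
     * @throws UserPasswordNotValidException      the submitted password violates the password policy and
     *                                            the policy forces a reset in that case
     * @throws AuthenticationException            any other failure raised by the credential checks below
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        Assert.notNull(authentication, "No authentication data provided");
        Object principal = authentication.getPrincipal();
        if (!(principal instanceof UserPrincipal)) {
            throw new BadCredentialsException("Authentication Failed. Bad user principal.");
        }
        UserPrincipal userPrincipal = (UserPrincipal) principal;

        SecurityUser securityUser;
        if (userPrincipal.getType() == UserPrincipal.Type.USER_NAME) {
            String username = userPrincipal.getValue();
            String password = (String) authentication.getCredentials();
            // Defense in depth: the login filter is expected to reject blank passwords upstream, but a
            // null must never reach the policy validator or the password encoder below.
            if (password == null) {
                throw new BadCredentialsException("Authentication Failed. Password is required.");
            }
            UserPasswordPolicy passwordPolicy = securitySettingsService.getSecuritySettings().getPasswordPolicy();
            if (Boolean.TRUE.equals(passwordPolicy.getForceUserToResetPasswordIfNotValid())) {
                // This checks the *submitted* password against the policy before it is compared with
                // the stored hash: a policy-violating value is rejected here and never reaches
                // validateUserCredentials (so it is not recorded as a failed attempt there). Only the
                // caller's own input is reflected; nothing about the account is revealed.
                try {
                    systemSecurityService.validatePasswordByPolicy(password, passwordPolicy);
                } catch (DataValidationException e) {
                    throw new UserPasswordNotValidException("The entered password violates our policies. If this is your real password, please reset it.");
                }
            }
            securityUser = authenticateByUsernameAndPassword(authentication, userPrincipal, username, password);
            if (twoFactorAuthService.isTwoFaEnabled(securityUser.getTenantId(), securityUser.getId())) {
                // First factor passed; hand back a pre-MFA token. No LOGIN audit entry is written on
                // this path — presumably it is recorded after the second factor is verified (not
                // visible in this file; confirm).
                return new MfaAuthenticationToken(securityUser);
            }
            systemSecurityService.logLoginAction(securityUser, authentication.getDetails(), ActionType.LOGIN, null);
        } else {
            securityUser = authenticateByPublicId(userPrincipal, userPrincipal.getValue());
        }
        // The password is deliberately not carried on the authenticated token.
        return new UsernamePasswordAuthenticationToken(securityUser, null, securityUser.getAuthorities());
    }

    /**
     * Looks up the user by e-mail (under the system tenant) and validates the password against the
     * stored credentials.
     *
     * <p>Once the user is known, every failure is audited against that user via
     * {@code logLoginAction(..., LOGIN, e)} and rethrown unchanged; a lockout is additionally audited as
     * its own {@code LOCKOUT} event.
     *
     * @return the authenticated {@link SecurityUser}; its enabled flag is copied from the credentials
     *         record (enforcement of that flag is assumed to happen inside validateUserCredentials —
     *         confirm)
     * @throws UsernameNotFoundException          no user or no credentials record for the e-mail
     * @throws LockedException                    propagated from validateUserCredentials
     * @throws InsufficientAuthenticationException the user has no authority assigned
     */
    private SecurityUser authenticateByUsernameAndPassword(Authentication authentication, UserPrincipal userPrincipal, String username, String password) {
        User user = userService.findUserByEmail(TenantId.SYS_TENANT_ID, username);
        if (user == null) {
            // NOTE(review): this fails fast (no hash comparison, no audit entry) and with a message
            // distinct from the bad-password path. Unless the failure handler normalizes both the
            // message and the response timing, the difference allows account enumeration — confirm
            // downstream handling before relying on this message.
            throw new UsernameNotFoundException("User not found: " + username);
        }
        try {
            UserCredentials credentials = userService.findUserCredentialsByUserId(TenantId.SYS_TENANT_ID, user.getId());
            if (credentials == null) {
                throw new UsernameNotFoundException("User credentials not found");
            }
            try {
                systemSecurityService.validateUserCredentials(user.getTenantId(), credentials, username, password);
            } catch (LockedException e) {
                // Lockout gets its own audit event; the outer catch still records the failed LOGIN.
                systemSecurityService.logLoginAction(user, authentication.getDetails(), ActionType.LOCKOUT, null);
                throw e;
            }
            if (user.getAuthority() == null) {
                throw new InsufficientAuthenticationException("User has no authority assigned");
            }
            return new SecurityUser(user, credentials.isEnabled(), userPrincipal);
        } catch (Exception e) {
            systemSecurityService.logLoginAction(user, authentication.getDetails(), ActionType.LOGIN, e);
            throw e;
        }
    }

    /**
     * Builds a synthetic, enabled {@code CUSTOMER_USER} for a public customer id (dashboard sharing).
     *
     * <p>The lookup runs under the system tenant, so the only gate is {@code Customer.isPublic()}; the
     * resulting principal carries a null user id and is scoped to the customer's tenant and customer id.
     * Every failure (malformed UUID, unknown customer, non-public customer) collapses to a single
     * generic {@link BadCredentialsException} so the caller cannot distinguish them; the underlying
     * reason is kept server-side at debug level only.
     *
     * @param userPrincipal the principal being authenticated
     * @param publicId      caller-supplied value, expected to be the UUID of a public customer
     */
    private SecurityUser authenticateByPublicId(UserPrincipal userPrincipal, String publicId) {
        try {
            Customer customer = customerService.findCustomerById(TenantId.SYS_TENANT_ID, new CustomerId(UUID.fromString(publicId)));
            if (customer == null) {
                throw new UsernameNotFoundException("Public entity not found: " + publicId);
            }
            if (!customer.isPublic()) {
                throw new BadCredentialsException("Authentication Failed. Public Id is not valid.");
            }
            User publicUser = new User(new UserId(EntityId.NULL_UUID));
            publicUser.setTenantId(customer.getTenantId());
            publicUser.setCustomerId(customer.getId());
            publicUser.setEmail(publicId);
            publicUser.setAuthority(Authority.CUSTOMER_USER);
            publicUser.setFirstName("Public");
            publicUser.setLastName("Public");
            return new SecurityUser(publicUser, true, userPrincipal);
        } catch (Exception e) {
            // Keep the client-facing message generic; the real reason (which may echo the raw
            // caller-supplied id) is only useful for operators, hence debug level.
            log.debug("Public id authentication failed", e);
            throw new BadCredentialsException("Authentication Failed. Public Id is not valid.");
        }
    }

    /** Handles {@link UsernamePasswordAuthenticationToken} and its subclasses. */
    @Override
    public boolean supports(Class<?> cls) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(cls);
    }
}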
