package org.thingsboard.server.service.security.system;

import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.node.ObjectNode;
import jakarta.servlet.http.HttpServletRequest;
import java.beans.ConstructorProperties;
import java.util.ArrayList;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import org.passay.CharacterRule;
import org.passay.EnglishCharacterData;
import org.passay.LengthRule;
import org.passay.PasswordData;
import org.passay.PasswordValidator;
import org.passay.RuleResult;
import org.passay.WhitespaceRule;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Service;
import org.thingsboard.common.util.JacksonUtil;
import org.thingsboard.rule.engine.api.MailService;
import org.thingsboard.server.common.data.AdminSettings;
import org.thingsboard.server.common.data.HasName;
import org.thingsboard.server.common.data.StringUtils;
import org.thingsboard.server.common.data.User;
import org.thingsboard.server.common.data.audit.ActionType;
import org.thingsboard.server.common.data.exception.ThingsboardException;
import org.thingsboard.server.common.data.id.CustomerId;
import org.thingsboard.server.common.data.id.TenantId;
import org.thingsboard.server.common.data.id.UserId;
import org.thingsboard.server.common.data.security.UserCredentials;
import org.thingsboard.server.common.data.security.model.SecuritySettings;
import org.thingsboard.server.common.data.security.model.UserPasswordPolicy;
import org.thingsboard.server.common.data.security.model.mfa.PlatformTwoFaSettings;
import org.thingsboard.server.dao.audit.AuditLogService;
import org.thingsboard.server.dao.exception.DataValidationException;
import org.thingsboard.server.dao.settings.AdminSettingsService;
import org.thingsboard.server.dao.settings.SecuritySettingsService;
import org.thingsboard.server.dao.user.UserService;
import org.thingsboard.server.service.security.auth.rest.RestAuthenticationDetails;
import org.thingsboard.server.service.security.exception.UserPasswordExpiredException;
import org.thingsboard.server.service.security.model.SecurityUser;
import org.thingsboard.server.utils.MiscUtils;
import ua_parser.Client;

@Service
/* loaded from: input_file:org/thingsboard/server/service/security/system/DefaultSystemSecurityService.class */
public class DefaultSystemSecurityService implements SystemSecurityService {
    private static final Logger log = LoggerFactory.getLogger(DefaultSystemSecurityService.class);
    private final AdminSettingsService adminSettingsService;
    private final BCryptPasswordEncoder encoder;
    private final UserService userService;
    private final MailService mailService;
    private final AuditLogService auditLogService;
    private final SecuritySettingsService securitySettingsService;

    @Override // org.thingsboard.server.service.security.system.SystemSecurityService
    public void validateUserCredentials(TenantId tenantId, UserCredentials userCredentials, String str, String str2) throws AuthenticationException {
        if (this.encoder.matches(str2, userCredentials.getPassword())) {
            if (!userCredentials.isEnabled()) {
                throw new DisabledException("User is not active");
            }
            this.userService.resetFailedLoginAttempts(tenantId, userCredentials.getUserId());
            if (isPositiveInteger(this.securitySettingsService.getSecuritySettings().getPasswordPolicy().getPasswordExpirationPeriodDays()) && userCredentials.getCreatedTime() + TimeUnit.DAYS.toMillis(r0.getPasswordPolicy().getPasswordExpirationPeriodDays().intValue()) < System.currentTimeMillis()) {
                throw new UserPasswordExpiredException("User password expired!", this.userService.requestExpiredPasswordReset(tenantId, userCredentials.getId()).getResetToken());
            }
            return;
        }
        int increaseFailedLoginAttempts = this.userService.increaseFailedLoginAttempts(tenantId, userCredentials.getUserId());
        SecuritySettings securitySettings = this.securitySettingsService.getSecuritySettings();
        if (securitySettings.getMaxFailedLoginAttempts() == null || securitySettings.getMaxFailedLoginAttempts().intValue() <= 0 || increaseFailedLoginAttempts <= securitySettings.getMaxFailedLoginAttempts().intValue() || !userCredentials.isEnabled()) {
            throw new BadCredentialsException("Authentication Failed. Username or Password not valid.");
        }
        lockAccount(userCredentials.getUserId(), str, securitySettings.getUserLockoutNotificationEmail(), securitySettings.getMaxFailedLoginAttempts());
        throw new LockedException("Authentication Failed. Username was locked due to security policy.");
    }

    @Override // org.thingsboard.server.service.security.system.SystemSecurityService
    public void validateTwoFaVerification(SecurityUser securityUser, boolean z, PlatformTwoFaSettings platformTwoFaSettings) {
        TenantId tenantId = securityUser.getTenantId();
        UserId id = securityUser.getId();
        if (z) {
            this.userService.resetFailedLoginAttempts(tenantId, id);
            return;
        }
        int increaseFailedLoginAttempts = this.userService.increaseFailedLoginAttempts(tenantId, id);
        Integer maxVerificationFailuresBeforeUserLockout = platformTwoFaSettings.getMaxVerificationFailuresBeforeUserLockout();
        if (maxVerificationFailuresBeforeUserLockout == null || maxVerificationFailuresBeforeUserLockout.intValue() <= 0 || increaseFailedLoginAttempts < maxVerificationFailuresBeforeUserLockout.intValue()) {
            return;
        }
        this.userService.setUserCredentialsEnabled(TenantId.SYS_TENANT_ID, id, false);
        lockAccount(id, securityUser.getEmail(), this.securitySettingsService.getSecuritySettings().getUserLockoutNotificationEmail(), maxVerificationFailuresBeforeUserLockout);
        throw new LockedException("User account was locked due to exceeded 2FA verification attempts");
    }

    private void lockAccount(UserId userId, String str, String str2, Integer num) {
        this.userService.setUserCredentialsEnabled(TenantId.SYS_TENANT_ID, userId, false);
        if (StringUtils.isNotBlank(str2)) {
            try {
                this.mailService.sendAccountLockoutEmail(str, str2, num);
            } catch (ThingsboardException e) {
                log.warn("Can't send email regarding user account [{}] lockout to provided email [{}]", new Object[]{str, str2, e});
            }
        }
    }

    @Override // org.thingsboard.server.service.security.system.SystemSecurityService
    public void validatePassword(String str, UserCredentials userCredentials) throws DataValidationException {
        UserPasswordPolicy passwordPolicy = this.securitySettingsService.getSecuritySettings().getPasswordPolicy();
        validatePasswordByPolicy(str, passwordPolicy);
        if (userCredentials == null || !isPositiveInteger(passwordPolicy.getPasswordReuseFrequencyDays())) {
            return;
        }
        long currentTimeMillis = System.currentTimeMillis() - TimeUnit.DAYS.toMillis(passwordPolicy.getPasswordReuseFrequencyDays().intValue());
        JsonNode additionalInfo = userCredentials.getAdditionalInfo();
        if ((additionalInfo instanceof ObjectNode) && additionalInfo.has("userPasswordHistory")) {
            for (Map.Entry entry : ((Map) JacksonUtil.convertValue(additionalInfo.get("userPasswordHistory"), new TypeReference<Map<String, String>>() { // from class: org.thingsboard.server.service.security.system.DefaultSystemSecurityService.1
            })).entrySet()) {
                if (this.encoder.matches(str, (String) entry.getValue()) && Long.parseLong((String) entry.getKey()) > currentTimeMillis) {
                    throw new DataValidationException("Password was already used for the last " + passwordPolicy.getPasswordReuseFrequencyDays() + " days");
                }
            }
        }
    }

    @Override // org.thingsboard.server.service.security.system.SystemSecurityService
    public void validatePasswordByPolicy(String str, UserPasswordPolicy userPasswordPolicy) {
        ArrayList arrayList = new ArrayList();
        Integer maximumLength = userPasswordPolicy.getMaximumLength();
        Integer minimumLength = userPasswordPolicy.getMinimumLength();
        arrayList.add(new LengthRule(minimumLength.intValue(), (maximumLength == null || maximumLength.intValue() <= userPasswordPolicy.getMinimumLength().intValue()) ? Integer.MAX_VALUE : maximumLength.intValue()));
        if (isPositiveInteger(userPasswordPolicy.getMinimumUppercaseLetters())) {
            arrayList.add(new CharacterRule(EnglishCharacterData.UpperCase, userPasswordPolicy.getMinimumUppercaseLetters().intValue()));
        }
        if (isPositiveInteger(userPasswordPolicy.getMinimumLowercaseLetters())) {
            arrayList.add(new CharacterRule(EnglishCharacterData.LowerCase, userPasswordPolicy.getMinimumLowercaseLetters().intValue()));
        }
        if (isPositiveInteger(userPasswordPolicy.getMinimumDigits())) {
            arrayList.add(new CharacterRule(EnglishCharacterData.Digit, userPasswordPolicy.getMinimumDigits().intValue()));
        }
        if (isPositiveInteger(userPasswordPolicy.getMinimumSpecialCharacters())) {
            arrayList.add(new CharacterRule(EnglishCharacterData.Special, userPasswordPolicy.getMinimumSpecialCharacters().intValue()));
        }
        if (userPasswordPolicy.getAllowWhitespaces() != null && !userPasswordPolicy.getAllowWhitespaces().booleanValue()) {
            arrayList.add(new WhitespaceRule());
        }
        PasswordValidator passwordValidator = new PasswordValidator(arrayList);
        RuleResult validate = passwordValidator.validate(new PasswordData(str));
        if (!validate.isValid()) {
            throw new DataValidationException(String.join("\n", passwordValidator.getMessages(validate)));
        }
    }

    @Override // org.thingsboard.server.service.security.system.SystemSecurityService
    public String getBaseUrl(TenantId tenantId, CustomerId customerId, HttpServletRequest httpServletRequest) {
        String str = null;
        AdminSettings findAdminSettingsByKey = this.adminSettingsService.findAdminSettingsByKey(TenantId.SYS_TENANT_ID, "general");
        JsonNode jsonNode = findAdminSettingsByKey.getJsonValue().get("prohibitDifferentUrl");
        if ((jsonNode != null && jsonNode.asBoolean()) || httpServletRequest == null) {
            str = findAdminSettingsByKey.getJsonValue().get("baseUrl").asText();
        }
        if (StringUtils.isEmpty(str) && httpServletRequest != null) {
            str = MiscUtils.constructBaseUrl(httpServletRequest);
        }
        return str;
    }

    @Override // org.thingsboard.server.service.security.system.SystemSecurityService
    public void logLoginAction(User user, Object obj, ActionType actionType, Exception exc) {
        logLoginAction(user, obj, actionType, null, exc);
    }

    @Override // org.thingsboard.server.service.security.system.SystemSecurityService
    public void logLoginAction(User user, Object obj, ActionType actionType, String str, Exception exc) {
        String str2 = "Unknown";
        String str3 = "Unknown";
        String str4 = "Unknown";
        String str5 = "Unknown";
        if (obj instanceof RestAuthenticationDetails) {
            RestAuthenticationDetails restAuthenticationDetails = (RestAuthenticationDetails) obj;
            str2 = restAuthenticationDetails.getClientAddress();
            if (restAuthenticationDetails.getUserAgent() != null) {
                Client userAgent = restAuthenticationDetails.getUserAgent();
                if (userAgent.userAgent != null) {
                    str3 = userAgent.userAgent.family;
                    if (userAgent.userAgent.major != null) {
                        str3 = str3 + " " + userAgent.userAgent.major;
                        if (userAgent.userAgent.minor != null) {
                            str3 = str3 + "." + userAgent.userAgent.minor;
                            if (userAgent.userAgent.patch != null) {
                                str3 = str3 + "." + userAgent.userAgent.patch;
                            }
                        }
                    }
                }
                if (userAgent.os != null) {
                    str4 = userAgent.os.family;
                    if (userAgent.os.major != null) {
                        str4 = str4 + " " + userAgent.os.major;
                        if (userAgent.os.minor != null) {
                            str4 = str4 + "." + userAgent.os.minor;
                            if (userAgent.os.patch != null) {
                                str4 = str4 + "." + userAgent.os.patch;
                                if (userAgent.os.patchMinor != null) {
                                    str4 = str4 + "." + userAgent.os.patchMinor;
                                }
                            }
                        }
                    }
                }
                if (userAgent.device != null) {
                    str5 = userAgent.device.family;
                }
            }
        }
        if (actionType == ActionType.LOGIN && exc == null) {
            this.userService.updateLastLoginTs(user.getTenantId(), user.getId());
        }
        this.auditLogService.logEntityAction(user.getTenantId(), user.getCustomerId(), user.getId(), user.getName(), user.getId(), (HasName) null, actionType, exc, new Object[]{str2, str3, str4, str5, str});
    }

    private static boolean isPositiveInteger(Integer num) {
        return num != null && num.intValue() > 0;
    }

    @ConstructorProperties({"adminSettingsService", "encoder", "userService", "mailService", "auditLogService", "securitySettingsService"})
    public DefaultSystemSecurityService(AdminSettingsService adminSettingsService, BCryptPasswordEncoder bCryptPasswordEncoder, UserService userService, MailService mailService, AuditLogService auditLogService, SecuritySettingsService securitySettingsService) {
        this.adminSettingsService = adminSettingsService;
        this.encoder = bCryptPasswordEncoder;
        this.userService = userService;
        this.mailService = mailService;
        this.auditLogService = auditLogService;
        this.securitySettingsService = securitySettingsService;
    }
}
