package org.eclipse.stardust.engine.core.security.utils;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.lang.reflect.Method;
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Date;
import java.util.List;
import org.eclipse.stardust.common.Attribute;
import org.eclipse.stardust.common.Base64;
import org.eclipse.stardust.common.Serialization;
import org.eclipse.stardust.common.StringUtils;
import org.eclipse.stardust.common.config.ExtensionProviderUtils;
import org.eclipse.stardust.common.error.AccessForbiddenException;
import org.eclipse.stardust.common.error.InternalException;
import org.eclipse.stardust.common.security.DesEncrypter;
import org.eclipse.stardust.common.security.HMAC;
import org.eclipse.stardust.engine.api.model.PredefinedConstants;
import org.eclipse.stardust.engine.api.runtime.AdministrationService;
import org.eclipse.stardust.engine.api.runtime.BpmRuntimeError;
import org.eclipse.stardust.engine.api.runtime.PasswordRules;
import org.eclipse.stardust.engine.api.runtime.UserService;
import org.eclipse.stardust.engine.core.persistence.jdbc.SessionFactory;
import org.eclipse.stardust.engine.core.runtime.beans.ClobDataBean;
import org.eclipse.stardust.engine.core.runtime.beans.IUser;
import org.eclipse.stardust.engine.core.runtime.beans.PropertyPersistor;
import org.eclipse.stardust.engine.core.runtime.beans.removethis.SecurityProperties;
import org.eclipse.stardust.engine.core.runtime.interceptor.MethodInvocation;
import org.eclipse.stardust.engine.core.spi.security.CredentialDeliveryStrategy;
import org.eclipse.stardust.engine.runtime.utils.TimestampProviderUtils;

/* loaded from: input_file:lib/carnot-engine.jar:org/eclipse/stardust/engine/core/security/utils/SecurityUtils.class */
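/**
 * Password-policy helpers for engine users: password history (kept as an encrypted,
 * {@code ;}-separated list in the {@link #LAST_PASSWORDS} user property), persisted
 * {@link PasswordRules}, expiry / disable checks, and password-reset tokens.
 *
 * <p>The history entries are encrypted with a {@link DesEncrypter} whose passphrase is the
 * HMAC-MD5 of the user's OID and password (see {@link #changePassword}). That derivation is
 * kept exactly as stored data depends on it; any change to it would make existing history
 * undecryptable. All static methods are stateless apart from the shared {@link SecureRandom}.
 */
public class SecurityUtils {
    /** User property holding the encrypted password history. */
    public static String LAST_PASSWORDS = "Infinity.Security.LastPasswords";
    /** Partition property under which the serialized {@link PasswordRules} are stored. */
    public static String PASSWORD_RULES = "Infinity.Security.PasswordRules";
    public static String PASSWORD_ENCRYPTION = "Security.Password.Encryption";
    public static String LOGIN_DIALOG_URL = "Security.Password.LoginDialogUrl";
    public static String RESET_SERVLET_URL = "Security.Password.ResetServletUrl";
    /** User property holding the currently valid password-reset token, if any. */
    public static String PASSWORD_RESET_TOKEN = "Security.Password.ResetToken";

    /**
     * Separator between encrypted history entries. It is also passed to {@link String#split},
     * so it must not contain regex metacharacters.
     */
    private static final String SPLIT_EXPRESSION = ";";

    /** Explicit charset for all byte/String conversions so behavior does not depend on the platform default. */
    private static final Charset UTF8 = Charset.forName("UTF-8");

    /** Length of a reset token in raw bytes (rendered as twice as many hex characters). */
    private static final int RESET_TOKEN_BYTES = 20;

    /** Source of reset tokens; SecureRandom is thread-safe and may be shared. */
    private static final SecureRandom RANDOM = new SecureRandom();

    /** Service methods a user whose password has expired is still allowed to call. */
    private static final Method[] EXPIRED_USER_METHOD_WHITE_LIST;

    /**
     * Decrypts the stored password history of a user.
     *
     * @param iUser the user whose {@link #LAST_PASSWORDS} property is read
     * @param str the user's password, either plain or already HMAC-hashed; it is hashed if
     *            needed and used as the decryption passphrase
     * @return the decrypted previous passwords in stored order, or {@code null} when the
     *         history property is missing or empty
     * @throws InternalException if the cryptographic helpers fail
     */
    public static List<String> getPreviousPasswords(IUser iUser, String str) {
        String history = (String) iUser.getPropertyValue(LAST_PASSWORDS);
        if (StringUtils.isEmpty(history)) {
            return null;
        }
        try {
            HMAC hmac = new HMAC("MD5");
            DesEncrypter decrypter = new DesEncrypter(toHashedPassword(hmac, iUser, str));
            List<String> previous = new ArrayList<String>();
            String[] entries = history.split(SPLIT_EXPRESSION);
            if (entries.length > 1) {
                for (String entry : entries) {
                    previous.add(decrypter.decrypt(entry));
                }
            } else {
                // A single entry (the form written by updatePasswordHistory) is decrypted from the
                // raw property value; this is kept separate from the split branch on purpose.
                previous.add(decrypter.decrypt(history));
            }
            return previous;
        } catch (UnsupportedEncodingException e) {
            throw new InternalException("Encryption failed.", e);
        } catch (NoSuchAlgorithmException e) {
            throw new InternalException("Encryption failed.", e);
        } catch (NoSuchProviderException e) {
            throw new InternalException("Encryption failed.", e);
        }
    }

    /**
     * Seeds the password history with the given password, but only if the user has no
     * {@link #LAST_PASSWORDS} property yet. An existing (even empty) history is left untouched.
     *
     * @param iUser the user to update
     * @param str the password to record; it is always hashed here (unlike
     *            {@link #getPreviousPasswords}, there is no already-hashed check), so callers
     *            must pass the plain password
     * @throws InternalException if the cryptographic helpers fail
     */
    public static void updatePasswordHistory(IUser iUser, String str) {
        if (iUser.getPropertyValue(LAST_PASSWORDS) != null) {
            return;
        }
        try {
            String passphrase = new HMAC("MD5").hashToString(iUser.getOID(), str);
            String entry = new DesEncrypter(passphrase).encrypt(str);
            iUser.setPropertyValue(LAST_PASSWORDS, entry, true);
        } catch (UnsupportedEncodingException e) {
            throw new InternalException("Encryption failed.", e);
        } catch (NoSuchAlgorithmException e) {
            throw new InternalException("Encryption failed.", e);
        } catch (NoSuchProviderException e) {
            throw new InternalException("Encryption failed.", e);
        }
    }

    /**
     * Re-encrypts the password history under the new password and appends the new password,
     * trimming the oldest entries to the partition's tracking count.
     *
     * <p>If no rules are configured, or tracking is 0, the history is set to the empty string
     * (presumably so the attribute's modification time still records the change; see
     * {@link #getLastModificationTime}).
     *
     * @param iUser the user whose password changes
     * @param str the old password, plain or already hashed (used to decrypt the old history)
     * @param str2 the new plain password (its hash becomes the new encryption passphrase)
     * @throws InternalException if the cryptographic helpers fail
     */
    public static void changePassword(IUser iUser, String str, String str2) {
        PasswordRules passwordRules = getPasswordRules(SecurityProperties.getPartitionOid());
        if (passwordRules == null || passwordRules.getPasswordTracking() == 0) {
            iUser.setPropertyValue(LAST_PASSWORDS, "", true);
            return;
        }
        try {
            HMAC hmac = new HMAC("MD5");
            String oldHash = toHashedPassword(hmac, iUser, str);
            DesEncrypter encrypter = new DesEncrypter(hmac.hashToString(iUser.getOID(), str2));
            String history;
            if (StringUtils.isEmpty((String) iUser.getPropertyValue(LAST_PASSWORDS))) {
                history = encrypter.encrypt(str2);
            } else {
                List<String> previous = getPreviousPasswords(iUser, oldHash);
                previous.add(str2);
                // Drop the oldest entries first; the list is in stored (oldest-first) order.
                while (previous.size() > passwordRules.getPasswordTracking()) {
                    previous.remove(0);
                }
                StringBuilder joined = new StringBuilder();
                for (int i = 0; i < previous.size(); i++) {
                    if (i > 0) {
                        joined.append(SPLIT_EXPRESSION);
                    }
                    joined.append(encrypter.encrypt(previous.get(i)));
                }
                history = joined.toString();
            }
            iUser.setPropertyValue(LAST_PASSWORDS, history, true);
        } catch (UnsupportedEncodingException e) {
            throw new InternalException("Encryption failed.", e);
        } catch (NoSuchAlgorithmException e) {
            throw new InternalException("Encryption failed.", e);
        } catch (NoSuchProviderException e) {
            throw new InternalException("Encryption failed.", e);
        }
    }

    /**
     * Returns {@code password} unchanged if the HMAC reports it as already hashed, otherwise
     * its HMAC over the user's OID. Shared by {@link #getPreviousPasswords} and
     * {@link #changePassword} so both derive the same passphrase.
     */
    private static String toHashedPassword(HMAC hmac, IUser iUser, String password)
            throws UnsupportedEncodingException, NoSuchAlgorithmException, NoSuchProviderException {
        if (hmac.isHashed(password)) {
            return password;
        }
        return hmac.hashToString(iUser.getOID(), password);
    }

    /**
     * Loads the password rules of a partition from the {@link #PASSWORD_RULES} property.
     *
     * <p>NOTE(review): the rules are stored as a Base64-encoded Java-serialized object and
     * restored with native deserialization. The blob comes from the engine's own audit-trail
     * database, but anyone able to write that row controls what gets deserialized; a
     * deserialization filter or a non-native format would remove that exposure.
     *
     * @param s the partition OID
     * @return the rules, or {@code null} if no property or no CLOB exists for the partition
     * @throws InternalException if the stored value cannot be deserialized
     */
    public static PasswordRules getPasswordRules(short s) {
        PropertyPersistor property = PropertyPersistor.findByName(PASSWORD_RULES, s);
        if (property == null) {
            return null;
        }
        ClobDataBean clob = ClobDataBean.find(property.getOID(), PropertyPersistor.class);
        if (clob == null) {
            return null;
        }
        try {
            byte[] encoded = clob.getStringValue().getBytes(UTF8);
            return (PasswordRules) Serialization.deserializeObject(Base64.decode(encoded));
        } catch (IOException e) {
            throw new InternalException("Argument not deserializable.", e);
        } catch (ClassNotFoundException e) {
            throw new InternalException("Argument not deserializable.", e);
        }
    }

    /**
     * Persists the password rules for the current partition as a Base64-encoded serialized
     * object. Creates the property and its CLOB if absent; otherwise updates the CLOB.
     *
     * <p>NOTE(review): if the property exists but its CLOB does not, nothing is written and no
     * error is raised; confirm whether that state can occur before relying on this.
     *
     * @param passwordRules the rules to store
     * @throws InternalException if the rules cannot be serialized
     */
    public static void setPasswordRules(PasswordRules passwordRules) {
        try {
            String encoded = new String(Base64.encode(Serialization.serializeObject(passwordRules)), UTF8);
            PropertyPersistor property = PropertyPersistor.findByName(PASSWORD_RULES, SecurityProperties.getPartitionOid());
            if (property == null) {
                PropertyPersistor created = new PropertyPersistor(PASSWORD_RULES, "", SecurityProperties.getPartition());
                ClobDataBean clob = new ClobDataBean(created.getOID(), PropertyPersistor.class, encoded);
                SessionFactory.getSession("AuditTrail").cluster(clob);
                return;
            }
            ClobDataBean existing = ClobDataBean.find(property.getOID(), PropertyPersistor.class);
            if (existing != null) {
                existing.setStringValue(encoded);
            }
        } catch (IOException e) {
            throw new InternalException("Argument not serializable.", e);
        }
    }

    /**
     * Rejects the invocation if the user's password is flagged expired, unless the invoked
     * method is on the expired-user white list (session handling, self-lookup, password change).
     *
     * @throws AccessForbiddenException with {@code AUTHx_USER_PASSWORD_EXPIRED} when blocked
     */
    public static void checkPasswordExpired(IUser iUser, MethodInvocation methodInvocation) throws AccessForbiddenException {
        if (iUser.isPasswordExpired() && !acceptMethod(methodInvocation.getMethod())) {
            throw new AccessForbiddenException(BpmRuntimeError.AUTHx_USER_PASSWORD_EXPIRED.raise(iUser.getOID()));
        }
    }

    /** @return whether {@code method} is one of {@link #EXPIRED_USER_METHOD_WHITE_LIST}. */
    private static boolean acceptMethod(Method method) {
        for (Method allowed : EXPIRED_USER_METHOD_WHITE_LIST) {
            if (allowed.equals(method)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Hands a freshly generated password to the configured {@link CredentialDeliveryStrategy}.
     *
     * @throws InternalException if no strategy implementation is registered
     */
    public static void publishGeneratedPassword(IUser iUser, String str) {
        CredentialDeliveryStrategy strategy = firstDeliveryStrategy(
                "Couldn't deliver password: no implementation for CredentialDeliveryStrategy provided.");
        strategy.deliverNewPassword(iUser, str);
    }

    /**
     * Decides whether a user must change their password.
     *
     * <p>Administrators never expire. Otherwise the user's own expired flag wins; failing that,
     * the partition rules must force password changes and the {@link #LAST_PASSWORDS} attribute's
     * last modification plus the rules' expiration time (in days) must be in the past.
     */
    public static boolean isPasswordExpired(IUser iUser) {
        if (iUser.hasRole(PredefinedConstants.ADMINISTRATOR_ROLE)) {
            return false;
        }
        if (iUser.isPasswordExpired()) {
            return true;
        }
        PasswordRules passwordRules = getPasswordRules(SecurityProperties.getPartitionOid());
        if (passwordRules == null || !passwordRules.isForcePasswordChange()) {
            return false;
        }
        long lastModificationTime = getLastModificationTime(iUser);
        if (lastModificationTime == -1) {
            return false;
        }
        return deadlineReached(lastModificationTime, passwordRules.getExpirationTime());
    }

    /**
     * Decides whether a user should be disabled: the rules must force password changes with a
     * disable time other than -1, and expiration time plus disable time (both in days) after the
     * last password change must be in the past. Note that, unlike {@link #isPasswordExpired},
     * there is no administrator exemption here.
     */
    public static boolean isUserDisabled(IUser iUser) {
        PasswordRules passwordRules = getPasswordRules(SecurityProperties.getPartitionOid());
        if (passwordRules == null || !passwordRules.isForcePasswordChange() || passwordRules.getDisableUserTime() == -1) {
            return false;
        }
        long lastModificationTime = getLastModificationTime(iUser);
        if (lastModificationTime == -1) {
            return false;
        }
        return deadlineReached(lastModificationTime, passwordRules.getExpirationTime(), passwordRules.getDisableUserTime());
    }

    /**
     * Adds each of {@code daysAfter} (calendar days) to {@code lastModificationTime} and reports
     * whether the resulting deadline is at or before the engine's current timestamp.
     */
    private static boolean deadlineReached(long lastModificationTime, int... daysAfter) {
        Date now = TimestampProviderUtils.getTimeStamp();
        Calendar deadline = TimestampProviderUtils.getCalendar(lastModificationTime);
        for (int days : daysAfter) {
            deadline.add(Calendar.DAY_OF_MONTH, days);
        }
        return deadline.getTime().getTime() <= now.getTime();
    }

    /**
     * @return the last modification time of the {@link #LAST_PASSWORDS} attribute in epoch
     *         millis, or -1 if the user has no such attribute
     */
    private static long getLastModificationTime(IUser iUser) {
        Attribute attribute = (Attribute) iUser.getAllProperties().get(LAST_PASSWORDS);
        if (attribute == null) {
            return -1L;
        }
        return attribute.getLastModificationTime().getTime();
    }

    /** @return {@code true} if the user has a validity end date that is not in the future. */
    public static boolean isUserInvalid(IUser iUser) {
        Date validTo = iUser.getValidTo();
        return validTo != null && !validTo.after(TimestampProviderUtils.getTimeStamp());
    }

    /**
     * Creates a new password-reset token, delivers it through the
     * {@link CredentialDeliveryStrategy}, and then stores it in {@link #PASSWORD_RESET_TOKEN}.
     * If delivery throws, no token is stored.
     *
     * <p>The token is {@value #RESET_TOKEN_BYTES} bytes from {@link SecureRandom}, hex-encoded.
     * It is deliberately not derived from user OID and timestamp, which are guessable and would
     * make the token reconstructible.
     *
     * @throws InternalException if no delivery strategy is registered
     */
    public static void generatePasswordResetToken(IUser iUser) {
        byte[] raw = new byte[RESET_TOKEN_BYTES];
        RANDOM.nextBytes(raw);
        String token = toHex(raw);
        publishGeneratedResetToken(iUser, token);
        iUser.setPropertyValue(PASSWORD_RESET_TOKEN, token, true);
    }

    /** Lower-case hex encoding, two characters per byte. */
    private static String toHex(byte[] bytes) {
        StringBuilder hex = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            // (b & 0xff) + 0x100 always yields three hex digits; dropping the first keeps the zero padding.
            hex.append(Integer.toString((b & 0xff) + 0x100, 16).substring(1));
        }
        return hex.toString();
    }

    /**
     * Generates a new password for the user after validating the reset token. The stored token
     * is removed in both the success and the failure case, so each token can be tried only once.
     *
     * @param str the token presented by the caller
     * @throws AccessForbiddenException with {@code AUTHx_CHANGE_PASSWORD_IVALID_TOKEN} on mismatch
     */
    public static void generatePassword(IUser iUser, String str) {
        if (!isTokenValid(iUser, str)) {
            iUser.removeProperty(PASSWORD_RESET_TOKEN);
            throw new AccessForbiddenException(BpmRuntimeError.AUTHx_CHANGE_PASSWORD_IVALID_TOKEN.raise());
        }
        generatePassword(iUser);
        iUser.removeProperty(PASSWORD_RESET_TOKEN);
    }

    /**
     * Generates a password satisfying the partition rules (and not in the user's history),
     * sets it, delivers it, flags it as expired so the user must change it, and records it in
     * the password history.
     */
    public static void generatePassword(IUser iUser) {
        PasswordRules passwordRules = getPasswordRules(SecurityProperties.getPartitionOid());
        String currentPassword = iUser.getPassword();
        List<String> history = getPreviousPasswords(iUser, currentPassword);
        String generated = new String(PasswordGenerator.generatePassword(passwordRules, history));
        iUser.setPassword(generated);
        publishGeneratedPassword(iUser, generated);
        iUser.setPasswordExpired(true);
        changePassword(iUser, currentPassword, generated);
    }

    /**
     * Hands a reset token to the configured {@link CredentialDeliveryStrategy}.
     *
     * @throws InternalException if no strategy implementation is registered
     */
    public static void publishGeneratedResetToken(IUser iUser, String str) {
        CredentialDeliveryStrategy strategy = firstDeliveryStrategy(
                "Couldn't deliver password reset token: no implementation for CredentialDeliveryStrategy provided.");
        strategy.deliverPasswordResetToken(iUser, str);
    }

    /** Looks up the first registered delivery strategy, failing with {@code missingMessage} if none. */
    private static CredentialDeliveryStrategy firstDeliveryStrategy(String missingMessage) {
        CredentialDeliveryStrategy strategy = (CredentialDeliveryStrategy) ExtensionProviderUtils.getFirstExtensionProvider(CredentialDeliveryStrategy.class);
        if (strategy == null) {
            throw new InternalException(missingMessage);
        }
        return strategy;
    }

    /**
     * Compares the presented token with the stored one in constant time, so response timing does
     * not reveal how many leading characters matched. A missing stored token never validates.
     */
    private static boolean isTokenValid(IUser iUser, String str) {
        Object stored = iUser.getPropertyValue(PASSWORD_RESET_TOKEN);
        if (!(stored instanceof String) || str == null) {
            return false;
        }
        return MessageDigest.isEqual(((String) stored).getBytes(UTF8), str.getBytes(UTF8));
    }

    static {
        try {
            EXPIRED_USER_METHOD_WHITE_LIST = new Method[] {
                AdministrationService.class.getMethod("getUser", new Class[0]),
                AdministrationService.class.getMethod("getPasswordRules", new Class[0]),
                UserService.class.getMethod("startSession", String.class),
                UserService.class.getMethod("closeSession", String.class),
                UserService.class.getMethod("getUser", new Class[0]),
                UserService.class.getMethod("modifyLoginUser", String.class, String.class, String.class, String.class, String.class)
            };
        } catch (NoSuchMethodException e) {
            // A missing method means the service API drifted; fail class init rather than silently allow nothing.
            throw new InternalException(e.getMessage(), e);
        }
    }
}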
