package org.apereo.cas.pm;

import com.google.common.net.HttpHeaders;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.CipherExecutor;
import org.apereo.cas.authentication.Credential;
import org.apereo.cas.configuration.model.support.pm.PasswordManagementProperties;
import org.apereo.inspektr.audit.annotation.Audit;
import org.apereo.inspektr.common.web.ClientInfo;
import org.apereo.inspektr.common.web.ClientInfoHolder;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.NumericDate;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-pm-6.0.4.jar:org/apereo/cas/pm/BasePasswordManagementService.class */
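public class BasePasswordManagementService implements PasswordManagementService {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(BasePasswordManagementService.class);

    /** Name of the claim that binds a token to the server IP it was minted on ({@code "origin"}). */
    private static final String CLAIM_ORIGIN = HttpHeaders.ReferrerPolicyValues.ORIGIN;

    /** Name of the claim that binds a token to the client IP that requested it. */
    private static final String CLAIM_CLIENT = "client";

    /** Password-management settings; the reset section supplies the token lifetime. */
    protected final PasswordManagementProperties properties;

    /** Encodes the JWT claim-set JSON into the opaque token string and decodes it back. */
    private final CipherExecutor<Serializable, String> cipherExecutor;

    /** Value written into, and required in, the {@code iss} and {@code aud} claims. */
    private final String issuer;

    /**
     * Returns the question texts of the given map in a stable, case-insensitive order.
     *
     * @param map security questions keyed by question text; may be {@code null}
     * @return a new, mutable list of the keys sorted by {@link String#CASE_INSENSITIVE_ORDER};
     *         empty when {@code map} is {@code null} or empty
     */
    public static List<String> canonicalizeSecurityQuestions(final Map<String, String> map) {
        if (map == null) {
            return new ArrayList<>();
        }
        final List<String> questions = new ArrayList<>(map.keySet());
        questions.sort(String.CASE_INSENSITIVE_ORDER);
        return questions;
    }

    /**
     * Decodes a password-management token and validates every binding it carries
     * before releasing the subject it was issued for.
     * <p>
     * The token is rejected (and {@code null} returned) unless all of the following hold:
     * the issuer and first audience equal this service's issuer, the subject is non-blank,
     * the {@code origin} and {@code client} claims are present and equal the current
     * server and client IP addresses, and the expiration time is present and not in the past.
     * Any decoding or claim-parsing failure is logged and likewise yields {@code null}.
     *
     * @param str the encoded token as produced by {@link #createToken(String)}
     * @return the token subject (the user the token was issued for), or {@code null}
     *         when the token is invalid for any reason
     */
    @Override
    public String parseToken(final String str) {
        try {
            final JwtClaims claims = JwtClaims.parse(this.cipherExecutor.decode(str));

            // Every check below is null-safe on the claim side so that a missing claim is
            // reported as a clear rejection instead of surfacing as a stack trace from the
            // catch-all handler; the outcome (reject) is the same either way.
            if (!StringUtils.equals(claims.getIssuer(), this.issuer)) {
                LOGGER.error("Token issuer does not match CAS");
                return null;
            }
            final List<String> audience = claims.getAudience();
            if (audience == null || audience.isEmpty() || !StringUtils.equals(audience.get(0), this.issuer)) {
                LOGGER.error("Token audience does not match CAS");
                return null;
            }
            if (StringUtils.isBlank(claims.getSubject())) {
                LOGGER.error("Token has no subject identifier");
                return null;
            }

            final ClientInfo clientInfo = ClientInfoHolder.getClientInfo();
            if (clientInfo == null) {
                // Without request context there is nothing to compare the IP bindings against.
                LOGGER.error("No client information is available to validate the token against");
                return null;
            }
            // A blank binding is rejected outright rather than compared null-to-null against
            // a possibly-null address from the holder; the binding must be present to count.
            final String origin = claims.getStringClaimValue(CLAIM_ORIGIN);
            if (StringUtils.isBlank(origin) || !origin.equals(clientInfo.getServerIpAddress())) {
                LOGGER.error("Token origin server IP address does not match CAS");
                return null;
            }
            final String client = claims.getStringClaimValue(CLAIM_CLIENT);
            if (StringUtils.isBlank(client) || !client.equals(clientInfo.getClientIpAddress())) {
                LOGGER.error("Token client IP address does not match CAS");
                return null;
            }

            final NumericDate expiration = claims.getExpirationTime();
            if (expiration == null) {
                LOGGER.error("Token has no expiration time");
                return null;
            }
            if (expiration.isBefore(NumericDate.now())) {
                LOGGER.error("Token has expired.");
                return null;
            }
            return claims.getSubject();
        } catch (final Exception e) {
            LOGGER.error(e.getMessage(), e);
            return null;
        }
    }

    /**
     * Issues a password-management token for the given user.
     * <p>
     * The token is a JWT claim set ({@code jti}, {@code iss}, {@code aud}, {@code exp},
     * {@code iat}, {@code sub}, plus {@code origin}/{@code client} IP bindings when request
     * context is available) serialised to JSON and encoded by the cipher executor. The
     * lifetime comes from the configured reset expiration in minutes.
     *
     * @param str the subject (user identifier) the token is issued for
     * @return the encoded token, or {@code null} if building or encoding it failed
     */
    @Override
    public String createToken(final String str) {
        try {
            final JwtClaims claims = new JwtClaims();
            claims.setJwtId(UUID.randomUUID().toString());
            claims.setIssuer(this.issuer);
            claims.setAudience(this.issuer);
            claims.setExpirationTimeMinutesInTheFuture((float) this.properties.getReset().getExpirationMinutes());
            claims.setIssuedAtToNow();

            final ClientInfo clientInfo = ClientInfoHolder.getClientInfo();
            if (clientInfo != null) {
                claims.setStringClaim(CLAIM_ORIGIN, clientInfo.getServerIpAddress());
                claims.setStringClaim(CLAIM_CLIENT, clientInfo.getClientIpAddress());
            } else {
                // parseToken requires both bindings, so such a token cannot be accepted later.
                LOGGER.warn("No client information is available; token will carry no origin/client bindings");
            }
            claims.setSubject(str);
            LOGGER.debug("Creating password management token for [{}]", str);

            final String json = claims.toJson();
            LOGGER.debug("Encoding the generated JSON token...");
            return this.cipherExecutor.encode(json);
        } catch (final Exception e) {
            LOGGER.error(e.getMessage(), e);
            return null;
        }
    }

    /**
     * Audited entry point for changing a password; delegates to {@link #changeInternal}.
     *
     * @param credential         the credential of the account whose password changes
     * @param passwordChangeBean the requested password change
     * @return whether the change succeeded
     * @throws InvalidPasswordException if the new password is not acceptable
     */
    @Override
    @Audit(action = "CHANGE_PASSWORD", actionResolverName = "CHANGE_PASSWORD_ACTION_RESOLVER", resourceResolverName = "CHANGE_PASSWORD_RESOURCE_RESOLVER")
    public boolean change(final Credential credential, final PasswordChangeBean passwordChangeBean) throws InvalidPasswordException {
        return changeInternal(credential, passwordChangeBean);
    }

    /**
     * Performs the actual password change. This base implementation does nothing and
     * reports failure; concrete services are expected to override it.
     *
     * @param credential         the credential of the account whose password changes
     * @param passwordChangeBean the requested password change
     * @return {@code false} always in this base implementation
     * @throws InvalidPasswordException if an override rejects the new password
     */
    public boolean changeInternal(final Credential credential, final PasswordChangeBean passwordChangeBean) throws InvalidPasswordException {
        return false;
    }

    /**
     * Creates the service.
     *
     * @param passwordManagementProperties password-management settings
     * @param cipherExecutor               cipher used to encode and decode tokens
     * @param str                          issuer value placed in the {@code iss}/{@code aud} claims
     */
    @Generated
    public BasePasswordManagementService(final PasswordManagementProperties passwordManagementProperties, final CipherExecutor<Serializable, String> cipherExecutor, final String str) {
        this.properties = passwordManagementProperties;
        this.cipherExecutor = cipherExecutor;
        this.issuer = str;
    }
}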
