package software.netcore.unimus.aaa.impl.account.service;

import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalAmount;
import java.util.Collections;
import java.util.Date;
import java.util.Objects;
import lombok.NonNull;
import net.unimus.common.lang.Identity;
import net.unimus.data.repository.account.OwnedObjectsViewData;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.data.domain.Page;
import org.springframework.security.crypto.argon2.Argon2PasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;
import org.springframework.util.StringUtils;
import software.netcore.common.domain.error.data.ErrorMessage;
import software.netcore.common.domain.error.definition.ECommonErrorType;
import software.netcore.common.domain.error.operation.OperationResult;
import software.netcore.unimus.aaa.impl.UnimusAAAServiceImpl;
import software.netcore.unimus.aaa.impl.account.database.SystemAccountDatabaseService;
import software.netcore.unimus.aaa.spi.access_policy.service.update.AccessPolicyUpdate;
import software.netcore.unimus.aaa.spi.account.data.AccountViewData;
import software.netcore.unimus.aaa.spi.account.data.SystemAccount;
import software.netcore.unimus.aaa.spi.account.event.AccountAuthenticationUpdatedEvent;
import software.netcore.unimus.aaa.spi.account.event.AccountCreatedEvent;
import software.netcore.unimus.aaa.spi.account.event.AccountDeletedEvent;
import software.netcore.unimus.aaa.spi.account.event.AccountPermissionsUpdatedEvent;
import software.netcore.unimus.aaa.spi.account.event.ownership.DeviceOwnerChangedEvent;
import software.netcore.unimus.aaa.spi.account.event.ownership.TagOwnerChangedEvent;
import software.netcore.unimus.aaa.spi.account.event.ownership.ZoneOwnerChangedEvent;
import software.netcore.unimus.aaa.spi.account.service.AccountAuthenticationUpdateCommand;
import software.netcore.unimus.aaa.spi.account.service.AccountCreateCommand;
import software.netcore.unimus.aaa.spi.account.service.AccountDeleteCommand;
import software.netcore.unimus.aaa.spi.account.service.AccountListCommand;
import software.netcore.unimus.aaa.spi.account.service.AccountPermissionsUpdateCommand;
import software.netcore.unimus.aaa.spi.account.service.AccountService;
import software.netcore.unimus.aaa.spi.account.service.OwnedObjectsListCommand;
import software.netcore.unimus.aaa.spi.account.service.OwnershipDeleteCommand;
import software.netcore.unimus.aaa.spi.account.service.OwnershipDeleteResult;
import software.netcore.unimus.aaa.spi.account.service.mfa.AccountMFACreateCommand;
import software.netcore.unimus.aaa.spi.account.service.update.AccountUpdateRequest;
import software.netcore.unimus.aaa.spi.account.service.update.AuthenticationUpdate;
import software.netcore.unimus.aaa.spi.account.service.update.RoleUpdate;
import software.netcore.unimus.common.aaa.spi.data.Account;
import software.netcore.unimus.common.aaa.spi.data.AuthenticationType;
import software.netcore.unimus.common.aaa.spi.data.Role;
import software.netcore.unimus.common.domain.UnimusErrorType;

@Service
/* loaded from: input_file:WEB-INF/lib/unimus-application-aaa-impl-3.30.0-STAGE.jar:software/netcore/unimus/aaa/impl/account/service/AccountServiceImpl.class */
public class AccountServiceImpl implements AccountService {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) AccountServiceImpl.class);
    private static final char[] CHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890!+=.,".toCharArray();

    @NonNull
    private final PasswordEncoder passwordEncoder = new Argon2PasswordEncoder();

    @NonNull
    private final SystemAccountDatabaseService systemAccountDatabaseService;

    @NonNull
    private final ApplicationEventPublisher eventPublisher;

    @Override // software.netcore.unimus.aaa.spi.account.service.AccountService
    public OperationResult<Identity> create(@NonNull AccountCreateCommand accountCreateCommand) {
        if (accountCreateCommand == null) {
            throw new NullPointerException("command is marked non-null but is null");
        }
        log.debug("[create] command = '{}'", accountCreateCommand);
        OperationResult<SystemAccount> findByIdentity = this.systemAccountDatabaseService.findByIdentity(accountCreateCommand.getPrincipal());
        if (findByIdentity.isFailure()) {
            return OperationResult.ofFailure(findByIdentity.getErrorMessages());
        }
        if (findByIdentity.getData().getRole() != Role.ADMINISTRATOR) {
            OperationResult<Identity> ofFailure = OperationResult.ofFailure(ErrorMessage.of(ECommonErrorType.FORBIDDEN));
            log.debug("[create] create failed = '{}'", ofFailure);
            return ofFailure;
        }
        String str = null;
        String str2 = null;
        if (AuthenticationType.LOCAL.equals(accountCreateCommand.getAuthType())) {
            if (Objects.isNull(accountCreateCommand.getPassword())) {
                log.debug("[create] create failed, because of null password");
                return OperationResult.ofFailure(ErrorMessage.of(ECommonErrorType.BAD_REQUEST));
            }
            log.debug("[create] encoding account password for local account");
            str2 = String.valueOf(accountCreateCommand.getPassword().length());
            str = this.passwordEncoder.encode(accountCreateCommand.getPassword());
        }
        OperationResult<Identity> create = this.systemAccountDatabaseService.create(new Account(null, accountCreateCommand.getUsername(), str, str2, accountCreateCommand.getRole(), accountCreateCommand.getAuthType()), accountCreateCommand.getAccessPolicyIdentity());
        if (create.isFailure()) {
            return OperationResult.ofFailure(create.getErrorMessages());
        }
        this.eventPublisher.publishEvent((ApplicationEvent) new AccountCreatedEvent());
        return create;
    }

    @Override // software.netcore.unimus.aaa.spi.account.service.AccountService
    public OperationResult<Long> updateAuthentication(@NonNull AccountAuthenticationUpdateCommand accountAuthenticationUpdateCommand) {
        if (accountAuthenticationUpdateCommand == null) {
            throw new NullPointerException("command is marked non-null but is null");
        }
        log.debug("[updateAuthentication] command = '{}'", accountAuthenticationUpdateCommand);
        OperationResult<SystemAccount> findByIdentity = this.systemAccountDatabaseService.findByIdentity(accountAuthenticationUpdateCommand.getPrincipal());
        if (findByIdentity.isFailure()) {
            return OperationResult.ofFailure(findByIdentity.getErrorMessages());
        }
        SystemAccount data = findByIdentity.getData();
        if (!accountAuthenticationUpdateCommand.isOwnPasswordChange() && data.getRole() != Role.ADMINISTRATOR) {
            OperationResult<Long> ofFailure = OperationResult.ofFailure(ErrorMessage.of(ECommonErrorType.FORBIDDEN));
            log.debug("[updateAuthentication] update failed, returning = '{}'", ofFailure);
            return ofFailure;
        }
        AuthenticationUpdate.AuthenticationUpdateBuilder builder = AuthenticationUpdate.builder();
        builder.newAuthType(accountAuthenticationUpdateCommand.getAuthenticationType());
        if (accountAuthenticationUpdateCommand.getAuthenticationType().equals(AuthenticationType.LOCAL)) {
            if (Objects.isNull(accountAuthenticationUpdateCommand.getPassword())) {
                log.debug("[create] create failed, because of null password");
                return OperationResult.ofFailure(ErrorMessage.of(ECommonErrorType.BAD_REQUEST));
            }
            log.debug("[create] encoding account password for local account");
            builder.newPasswordLength(String.valueOf(accountAuthenticationUpdateCommand.getPassword().length()));
            builder.newPassword(this.passwordEncoder.encode(accountAuthenticationUpdateCommand.getPassword()));
        }
        OperationResult<Long> updateAccount = this.systemAccountDatabaseService.updateAccount(AccountUpdateRequest.builder().accountIdentities(Collections.singletonList(accountAuthenticationUpdateCommand.getAccountIdentity())).authUpdate(builder.build()).build());
        if (updateAccount.isFailure()) {
            return OperationResult.ofFailure(updateAccount.getErrorMessages());
        }
        OperationResult<SystemAccount> findByIdentity2 = this.systemAccountDatabaseService.findByIdentity(accountAuthenticationUpdateCommand.getAccountIdentity());
        if (findByIdentity2.isFailure()) {
            log.warn("Failed to fetch account after update, skipping event publishing, reason = '{}'", findByIdentity2.getErrorMessages());
            return updateAccount;
        }
        this.eventPublisher.publishEvent((ApplicationEvent) new AccountAuthenticationUpdatedEvent(findByIdentity2.getData(), accountAuthenticationUpdateCommand.getSessionId()));
        return updateAccount;
    }

    @Override // software.netcore.unimus.aaa.spi.account.service.AccountService
    public OperationResult<Long> updatePermissions(@NonNull AccountPermissionsUpdateCommand accountPermissionsUpdateCommand) {
        if (accountPermissionsUpdateCommand == null) {
            throw new NullPointerException("command is marked non-null but is null");
        }
        log.debug("[updatePermissions] command = '{}'", accountPermissionsUpdateCommand);
        OperationResult<SystemAccount> findByIdentity = this.systemAccountDatabaseService.findByIdentity(accountPermissionsUpdateCommand.getPrincipal());
        if (findByIdentity.isFailure()) {
            return OperationResult.ofFailure(findByIdentity.getErrorMessages());
        }
        if (findByIdentity.getData().getRole() != Role.ADMINISTRATOR) {
            OperationResult<Long> ofFailure = OperationResult.ofFailure(ErrorMessage.of(ECommonErrorType.FORBIDDEN));
            log.debug("[updateAuthentication] update failed, returning = '{}'", ofFailure);
            return ofFailure;
        }
        OperationResult<Long> updateAccount = this.systemAccountDatabaseService.updateAccount(AccountUpdateRequest.builder().accountIdentities(Collections.singletonList(accountPermissionsUpdateCommand.getAccountIdentity())).roleUpdate(Objects.isNull(accountPermissionsUpdateCommand.getRole()) ? null : RoleUpdate.builder().newRole(accountPermissionsUpdateCommand.getRole()).build()).accessPolicyUpdate(Objects.isNull(accountPermissionsUpdateCommand.getAccessPolicyIdentity()) ? null : AccessPolicyUpdate.builder().newAccessPolicyIdentity(accountPermissionsUpdateCommand.getAccessPolicyIdentity()).build()).build());
        if (updateAccount.isFailure()) {
            return OperationResult.ofFailure(updateAccount.getErrorMessages());
        }
        OperationResult<SystemAccount> findByIdentity2 = this.systemAccountDatabaseService.findByIdentity(accountPermissionsUpdateCommand.getAccountIdentity());
        if (findByIdentity2.isFailure()) {
            log.warn("Failed to fetch account after update, skipping event publishing, reason = '{}'", findByIdentity2.getErrorMessages());
            return updateAccount;
        }
        this.eventPublisher.publishEvent((ApplicationEvent) new AccountPermissionsUpdatedEvent(findByIdentity2.getData()));
        return updateAccount;
    }

    @Override // software.netcore.unimus.aaa.spi.account.service.AccountService
    public OperationResult<Page<AccountViewData>> list(@NonNull AccountListCommand accountListCommand) {
        if (accountListCommand == null) {
            throw new NullPointerException("command is marked non-null but is null");
        }
        log.debug("[list] command = '{}'", accountListCommand);
        return this.systemAccountDatabaseService.list(accountListCommand);
    }

    @Override // software.netcore.unimus.aaa.spi.account.service.AccountService
    public OperationResult<Long> count(@NonNull AccountListCommand accountListCommand) {
        if (accountListCommand == null) {
            throw new NullPointerException("command is marked non-null but is null");
        }
        log.debug("[count] command = '{}'", accountListCommand);
        return this.systemAccountDatabaseService.count(accountListCommand);
    }

    @Override // software.netcore.unimus.aaa.spi.account.service.AccountService
    public OperationResult<Long> delete(@NonNull AccountDeleteCommand accountDeleteCommand) {
        if (accountDeleteCommand == null) {
            throw new NullPointerException("command is marked non-null but is null");
        }
        log.debug("[delete] command = '{}'", accountDeleteCommand);
        OperationResult<SystemAccount> findByIdentity = this.systemAccountDatabaseService.findByIdentity(accountDeleteCommand.getPrincipal());
        if (findByIdentity.isFailure()) {
            return OperationResult.ofFailure(findByIdentity.getErrorMessages());
        }
        if (findByIdentity.getData().getRole() != Role.ADMINISTRATOR) {
            OperationResult<Long> ofFailure = OperationResult.ofFailure(ErrorMessage.of(ECommonErrorType.FORBIDDEN));
            log.debug("[delete] delete failed, returning = '{}'", ofFailure);
            return ofFailure;
        }
        OperationResult<Long> delete = this.systemAccountDatabaseService.delete(accountDeleteCommand.getAccountIdentities());
        if (delete.isFailure()) {
            return delete;
        }
        this.eventPublisher.publishEvent((ApplicationEvent) new AccountDeletedEvent(accountDeleteCommand.getAccountIdentities()));
        return delete;
    }

    @Override // software.netcore.unimus.aaa.spi.account.service.AccountService
    public OperationResult<Page<OwnedObjectsViewData>> ownedObjectsList(@NonNull OwnedObjectsListCommand ownedObjectsListCommand) {
        if (ownedObjectsListCommand == null) {
            throw new NullPointerException("command is marked non-null but is null");
        }
        log.debug("[ownedObjectsList] command = '{}'", ownedObjectsListCommand);
        return this.systemAccountDatabaseService.ownedObjectsList(ownedObjectsListCommand);
    }

    @Override // software.netcore.unimus.aaa.spi.account.service.AccountService
    public OperationResult<Long> ownedObjectsCount(@NonNull OwnedObjectsListCommand ownedObjectsListCommand) {
        if (ownedObjectsListCommand == null) {
            throw new NullPointerException("command is marked non-null but is null");
        }
        log.debug("[ownedObjectsCount] command = '{}'", ownedObjectsListCommand);
        return this.systemAccountDatabaseService.ownedObjectsCount(ownedObjectsListCommand);
    }

    @Override // software.netcore.unimus.aaa.spi.account.service.AccountService
    public OperationResult<OwnershipDeleteResult> ownershipDelete(@NonNull OwnershipDeleteCommand ownershipDeleteCommand) {
        if (ownershipDeleteCommand == null) {
            throw new NullPointerException("command is marked non-null but is null");
        }
        log.debug("[ownershipDelete] ownership command = '{}'", ownershipDeleteCommand);
        OperationResult<SystemAccount> findByIdentity = this.systemAccountDatabaseService.findByIdentity(ownershipDeleteCommand.getPrincipal());
        if (findByIdentity.isFailure()) {
            return OperationResult.ofFailure(findByIdentity.getErrorMessages());
        }
        if (findByIdentity.getData().getRole() != Role.ADMINISTRATOR) {
            OperationResult<OwnershipDeleteResult> ofFailure = OperationResult.ofFailure(ErrorMessage.of(ECommonErrorType.FORBIDDEN));
            log.debug("[delete] ownership delete failed, returning = '{}'", ofFailure);
            return ofFailure;
        }
        OperationResult<OwnershipDeleteResult> ownershipDelete = this.systemAccountDatabaseService.ownershipDelete(ownershipDeleteCommand);
        if (ownershipDelete.isFailure()) {
            return ownershipDelete;
        }
        if (ownershipDelete.getData().getDevicesCount().longValue() > 0) {
            this.eventPublisher.publishEvent((ApplicationEvent) DeviceOwnerChangedEvent.builder().affectedAccountIds(Collections.singleton(ownershipDeleteCommand.getAccountIdentity().getId())).build());
        }
        if (ownershipDelete.getData().getZonesCount().longValue() > 0) {
            this.eventPublisher.publishEvent((ApplicationEvent) ZoneOwnerChangedEvent.builder().affectedAccountIds(Collections.singleton(ownershipDeleteCommand.getAccountIdentity().getId())).build());
        }
        if (ownershipDelete.getData().getTagsCount().longValue() > 0) {
            this.eventPublisher.publishEvent((ApplicationEvent) TagOwnerChangedEvent.builder().affectedAccountIds(Collections.singleton(ownershipDeleteCommand.getAccountIdentity().getId())).build());
        }
        return ownershipDelete;
    }

    @Override // software.netcore.unimus.aaa.spi.account.service.AccountService
    public OperationResult<SystemAccount> findByIdentity(@NonNull Identity identity) {
        if (identity == null) {
            throw new NullPointerException("identity is marked non-null but is null");
        }
        OperationResult<SystemAccount> findByIdentity = this.systemAccountDatabaseService.findByIdentity(identity);
        return findByIdentity.isFailure() ? OperationResult.ofFailure(findByIdentity.getErrorMessages()) : findByIdentity;
    }

    @Override // software.netcore.unimus.aaa.spi.account.service.AccountService
    public OperationResult<SystemAccount> findByUsername(@NonNull String str) {
        if (str == null) {
            throw new NullPointerException("username is marked non-null but is null");
        }
        log.debug("[isMFAEnabled] account username = '{}'", str);
        OperationResult<SystemAccount> findByUsername = this.systemAccountDatabaseService.findByUsername(str);
        return findByUsername.isFailure() ? OperationResult.ofFailure(findByUsername.getErrorMessages()) : findByUsername;
    }

    @Override // software.netcore.unimus.aaa.spi.account.service.AccountService
    public OperationResult<Void> validateMFARememberMe(@NonNull String str, @NonNull String str2) {
        if (str == null) {
            throw new NullPointerException("username is marked non-null but is null");
        }
        if (str2 == null) {
            throw new NullPointerException("token is marked non-null but is null");
        }
        log.debug("[validateMFARememberMe] account username = '{}'", str);
        OperationResult<SystemAccount> findByUsername = this.systemAccountDatabaseService.findByUsername(str);
        String dualFactorRememberMeSecret = findByUsername.getData().getDualFactorRememberMeSecret();
        if (!StringUtils.hasText(dualFactorRememberMeSecret)) {
            return OperationResult.ofFailure(ErrorMessage.of(UnimusErrorType.INVALID_REMEMBER_ME_TOKEN));
        }
        try {
            JWT.require(Algorithm.HMAC256(dualFactorRememberMeSecret)).withIssuer(UnimusAAAServiceImpl.MFA_ISSUER).withClaim("username", findByUsername.getData().getUsername()).build().verify(str2);
            return OperationResult.ofSuccess();
        } catch (JWTVerificationException e) {
            log.info("MFA 'remember me' token validation failed for username '{}'.", str);
            log.debug("Reason ", (Throwable) e);
            return OperationResult.ofFailure(ErrorMessage.of(UnimusErrorType.INVALID_REMEMBER_ME_TOKEN));
        }
    }

    @Override // software.netcore.unimus.aaa.spi.account.service.AccountService
    public OperationResult<Void> validateMFABackupCode(@NonNull String str, @NonNull String str2) {
        if (str == null) {
            throw new NullPointerException("username is marked non-null but is null");
        }
        if (str2 == null) {
            throw new NullPointerException("backupCode is marked non-null but is null");
        }
        log.debug("[validateMFABackupCode] account username = '{}'", str);
        return this.systemAccountDatabaseService.validateMFABackupCode(str, str2);
    }

    @Override // software.netcore.unimus.aaa.spi.account.service.AccountService
    public OperationResult<Void> enableMFA(@NonNull AccountMFACreateCommand accountMFACreateCommand) {
        if (accountMFACreateCommand == null) {
            throw new NullPointerException("command is marked non-null but is null");
        }
        log.debug("[enableMFA] account id = '{}'", accountMFACreateCommand.getPrincipal().getId());
        return this.systemAccountDatabaseService.enableMFA(accountMFACreateCommand);
    }

    @Override // software.netcore.unimus.aaa.spi.account.service.AccountService
    public OperationResult<Void> disableMFA(@NonNull Identity identity) {
        if (identity == null) {
            throw new NullPointerException("principal is marked non-null but is null");
        }
        log.debug("[disableMFA] account id = '{}'", identity);
        return this.systemAccountDatabaseService.disableMFA(identity);
    }

    @Override // software.netcore.unimus.aaa.spi.account.service.AccountService
    public OperationResult<String> createMFARememberMeToken(@NonNull String str) {
        if (str == null) {
            throw new NullPointerException("username is marked non-null but is null");
        }
        log.debug("[createMFARememberMeToken] username = '{}'", str);
        String generateMFARememberTokenSecret = generateMFARememberTokenSecret();
        OperationResult<Void> createMFARememberMeToken = this.systemAccountDatabaseService.createMFARememberMeToken(str, generateMFARememberTokenSecret);
        if (createMFARememberMeToken.isFailure()) {
            return OperationResult.ofFailure(createMFARememberMeToken.getErrorMessages());
        }
        return OperationResult.ofSuccess(JWT.create().withIssuer(UnimusAAAServiceImpl.MFA_ISSUER).withClaim("username", str).withExpiresAt(new Date(Instant.now().plus((TemporalAmount) Duration.of(30L, ChronoUnit.DAYS)).toEpochMilli())).sign(Algorithm.HMAC256(generateMFARememberTokenSecret)));
    }

    private String generateMFARememberTokenSecret() {
        StringBuilder sb = new StringBuilder();
        SecureRandom secureRandom = new SecureRandom();
        for (int i = 0; i < 64; i++) {
            sb.append(CHARS[secureRandom.nextInt(CHARS.length)]);
        }
        return sb.toString();
    }

    public AccountServiceImpl(@NonNull SystemAccountDatabaseService systemAccountDatabaseService, @NonNull ApplicationEventPublisher applicationEventPublisher) {
        if (systemAccountDatabaseService == null) {
            throw new NullPointerException("systemAccountDatabaseService is marked non-null but is null");
        }
        if (applicationEventPublisher == null) {
            throw new NullPointerException("eventPublisher is marked non-null but is null");
        }
        this.systemAccountDatabaseService = systemAccountDatabaseService;
        this.eventPublisher = applicationEventPublisher;
    }
}
