package org.jasig.cas.adaptors.ldap.lppe;

import java.util.Collections;
import java.util.LinkedList;
import java.util.List;
import javax.security.auth.login.AccountLockedException;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.validation.constraints.NotNull;
import org.jasig.cas.Message;
import org.jasig.cas.authentication.AccountDisabledException;
import org.jasig.cas.authentication.AccountPasswordMustChangeException;
import org.jasig.cas.authentication.BasicCredentialMetaData;
import org.jasig.cas.authentication.HandlerResult;
import org.jasig.cas.authentication.LdapAuthenticationHandler;
import org.jasig.cas.authentication.UsernamePasswordCredential;
import org.joda.time.DateTime;
import org.joda.time.DateTimeZone;
import org.joda.time.Days;
import org.ldaptive.LdapEntry;
import org.ldaptive.auth.AuthenticationResponse;
import org.ldaptive.auth.Authenticator;

/* loaded from: input_file:org/jasig/cas/adaptors/ldap/lppe/LPPEAuthenticationHandler.class */
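/**
 * LDAP authentication handler that applies password-policy checks (LPPE) to the
 * entry returned with the authentication response.
 *
 * <p>The handler derives a {@link PasswordPolicyResult} from the LDAP entry, rejects
 * the login when the account is expired, disabled, locked or flagged for a mandatory
 * password change, and otherwise returns any password-expiration warnings alongside
 * the resolved principal.
 *
 * <p>Security note: the {@link LoginException}s thrown here carry the account DN and
 * the exact account state. Whether those messages reach the person logging in depends
 * on callers that are not visible in this file; a UI layer should map the exception
 * type to a generic message rather than echo {@code getMessage()}.
 */
public class LPPEAuthenticationHandler extends LdapAuthenticationHandler {
    private final PasswordPolicyConfiguration configuration;

    /**
     * Creates the handler.
     *
     * @param authenticator the ldaptive authenticator handed to the parent handler
     * @param passwordPolicyConfiguration source of the policy attributes, date converter and
     *        warning settings used by every check in this class
     */
    public LPPEAuthenticationHandler(@NotNull Authenticator authenticator, @NotNull PasswordPolicyConfiguration passwordPolicyConfiguration) {
        super(authenticator);
        this.configuration = passwordPolicyConfiguration;
    }

    /**
     * Runs the password-policy checks against the LDAP entry of the authentication response.
     *
     * @param authenticationResponse the ldaptive response whose entry is evaluated
     * @return a handler result holding the principal and any expiration warnings
     * @throws LoginException if the policy cannot be built from the entry, the account
     *         status forbids the login, or the password has expired
     */
    @Override
    protected final HandlerResult doPostAuthentication(AuthenticationResponse authenticationResponse) throws LoginException {
        LdapEntry ldapEntry = authenticationResponse.getLdapEntry();
        PasswordPolicyResult policyResult = this.configuration.build(ldapEntry);
        // Fail closed: without a policy result none of the checks below can run.
        if (policyResult == null) {
            throw new FailedLoginException("LPPE authentication failed. Configuration cannot be determined.");
        }
        examineAccountStatus(authenticationResponse, policyResult);
        List<Message> warnings = validateAccountPasswordExpirationPolicy(policyResult);
        // NOTE(review): the credential metadata is built from an empty UsernamePasswordCredential,
        // so it does not identify the credential that was presented. The original credential is
        // not available in this method; confirm downstream auditing does not rely on it.
        return new HandlerResult(this, new BasicCredentialMetaData(new UsernamePasswordCredential()), super.createPrincipal(ldapEntry), warnings);
    }

    /**
     * Rejects the login when the policy result reports a blocking account state.
     * The states are tested in a fixed order (expired, disabled, locked, must change
     * password), so only the first matching state is reported.
     *
     * @param authenticationResponse the ldaptive response (not read by this implementation)
     * @param passwordPolicyResult the evaluated policy for the account
     * @throws LoginException a state-specific subclass naming the account DN
     */
    protected void examineAccountStatus(AuthenticationResponse authenticationResponse, PasswordPolicyResult passwordPolicyResult) throws LoginException {
        String dn = passwordPolicyResult.getDn();
        if (passwordPolicyResult.isAccountExpired()) {
            throw new CredentialExpiredException(String.format("Account %s has expired", dn));
        }
        if (passwordPolicyResult.isAccountDisabled()) {
            throw new AccountDisabledException(String.format("Account %s is disabled", dn));
        }
        if (passwordPolicyResult.isAccountLocked()) {
            throw new AccountLockedException(String.format("Account %s is locked", dn));
        }
        if (passwordPolicyResult.isAccountPasswordMustChange()) {
            throw new AccountPasswordMustChangeException(String.format("Account %s must change its password", dn));
        }
    }

    /** Adds the password-policy attributes to the principal attribute map at initialization. */
    @Override
    protected void initializeInternal() {
        populatePrincipalAttributeMap();
    }

    /** Copies every configured password-policy attribute mapping into the inherited attribute map. */
    private void populatePrincipalAttributeMap() {
        this.principalAttributeMap.putAll(this.configuration.getPasswordPolicyAttributesMap());
    }

    /**
     * Computes how many whole days remain until the password expires and decides
     * whether a warning is due.
     *
     * @param dateTime the password expiration date
     * @param passwordPolicyResult the evaluated policy, used for the warning period and the DN
     * @return the number of days until expiration when a warning should be shown, or
     *         {@code -1} when the warning period has not started and warnings are not
     *         forced by configuration
     * @throws LoginException a {@link CredentialExpiredException} when the expiration
     *         date is equal to or before the current time
     */
    protected int getDaysToExpirationDate(DateTime dateTime, PasswordPolicyResult passwordPolicyResult) throws LoginException {
        DateTimeZone timeZone = this.configuration.getDateConverter().getTimeZone();
        DateTime now = new DateTime(timeZone);
        this.logger.debug("Current date is {}. Expiration date is {}", now, dateTime);
        int days = Days.daysBetween(now, dateTime).getDays();
        this.logger.debug("[{}] days left to the expiration date.", days);
        if (dateTime.equals(now) || dateTime.isBefore(now)) {
            // The first placeholder is the expiration date itself; the day count was
            // previously passed here, which made the message misleading.
            String message = String.format("Password expiration date %s is on/before the current time %s.", dateTime, now);
            this.logger.debug(message);
            throw new CredentialExpiredException(message);
        }
        DateTime warningStart = new DateTime(DateTime.parse(dateTime.toString()), timeZone).minusDays(passwordPolicyResult.getPasswordWarningNumberOfDays());
        this.logger.debug("Warning period begins on [{}]", warningStart);
        if (this.configuration.isAlwaysDisplayPasswordExpirationWarning()) {
            this.logger.debug("Warning all. The password for [{}] will expire in [{}] day(s).", passwordPolicyResult.getDn(), days);
        } else if (now.equals(warningStart) || now.isAfter(warningStart)) {
            this.logger.debug("Password will expire in [{}] day(s)", days);
        } else {
            this.logger.debug("Password is not expiring. [{}] day(s) left to the warning.", days);
            // -1 tells the caller that no warning message should be produced.
            days = -1;
        }
        return days;
    }

    /**
     * Selects the date the expiration checks run against: the policy result's date as-is
     * when a static expiration date is configured, otherwise that date plus the number
     * of days a password stays valid.
     *
     * @param passwordPolicyResult the evaluated policy for the account
     * @return the expiration date to evaluate
     */
    private DateTime getExpirationDateToUse(PasswordPolicyResult passwordPolicyResult) {
        // NOTE(review): a null date from the policy result would raise a NullPointerException
        // below; confirm PasswordPolicyConfiguration.build() never yields one.
        DateTime baseDate = passwordPolicyResult.getPasswordExpirationDateTime();
        if (this.configuration.getStaticPasswordExpirationDate() != null) {
            return baseDate;
        }
        DateTime expirationDate = baseDate.plusDays(passwordPolicyResult.getValidPasswordNumberOfDays());
        this.logger.debug("Retrieved date value [{}] for date attribute [{}] and added {} valid days. The final expiration date is [{}]", new Object[]{baseDate, this.configuration.getPasswordExpirationDateAttributeName(), Integer.valueOf(passwordPolicyResult.getValidPasswordNumberOfDays()), expirationDate});
        return expirationDate;
    }

    /**
     * Applies the password-expiration policy and collects warnings for the user.
     *
     * @param passwordPolicyResult the evaluated policy for the account
     * @return an empty list when the password never expires or no warning is due,
     *         otherwise a list holding one {@link AccountPasswordExpiringMessage}
     * @throws LoginException a {@link CredentialExpiredException} when the password has expired
     */
    private List<Message> validateAccountPasswordExpirationPolicy(PasswordPolicyResult passwordPolicyResult) throws LoginException {
        if (passwordPolicyResult.isAccountPasswordSetToNeverExpire()) {
            this.logger.debug("Account password will never expire. Skipping password policy...");
            return Collections.emptyList();
        }
        DateTime expirationDateToUse = getExpirationDateToUse(passwordPolicyResult);
        List<Message> warnings = new LinkedList<Message>();
        // NOTE(review): this compares the account's date with the static date, not with the
        // current time; confirm that is the intended meaning of the static expiration date.
        if (this.configuration.getStaticPasswordExpirationDate() != null && (expirationDateToUse.equals(this.configuration.getStaticPasswordExpirationDate()) || expirationDateToUse.isAfter(this.configuration.getStaticPasswordExpirationDate()))) {
            // String.format needs %s; the earlier "{}" placeholder is SLF4J syntax and left
            // the date out of the exception message.
            String message = String.format("Account password has expired beyond the static expiration date [%s]", this.configuration.getStaticPasswordExpirationDate());
            this.logger.debug(message);
            throw new CredentialExpiredException(message);
        }
        int daysToExpirationDate = getDaysToExpirationDate(expirationDateToUse, passwordPolicyResult);
        if (daysToExpirationDate != -1) {
            String warning = String.format("Password expires in [%d] days", daysToExpirationDate);
            this.logger.debug(warning);
            warnings.add(new AccountPasswordExpiringMessage(warning, daysToExpirationDate));
        }
        return warnings;
    }
}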
