package org.apereo.cas.authentication.support;

import java.io.Serializable;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.time.temporal.ChronoUnit;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.login.AccountExpiredException;
import javax.security.auth.login.AccountLockedException;
import javax.security.auth.login.AccountNotFoundException;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import lombok.Generated;
import org.apereo.cas.DefaultMessageDescriptor;
import org.apereo.cas.authentication.AuthenticationAccountStateHandler;
import org.apereo.cas.authentication.MessageDescriptor;
import org.apereo.cas.authentication.exceptions.AccountDisabledException;
import org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException;
import org.apereo.cas.authentication.exceptions.InvalidLoginLocationException;
import org.apereo.cas.authentication.exceptions.InvalidLoginTimeException;
import org.apereo.cas.authentication.support.password.PasswordExpiringWarningMessageDescriptor;
import org.apereo.cas.authentication.support.password.PasswordPolicyContext;
import org.apereo.cas.util.DateTimeUtils;
import org.ldaptive.LdapAttribute;
import org.ldaptive.auth.AccountState;
import org.ldaptive.auth.AuthenticationResponse;
import org.ldaptive.auth.ext.ActiveDirectoryAccountState;
import org.ldaptive.auth.ext.EDirectoryAccountState;
import org.ldaptive.auth.ext.FreeIPAAccountState;
import org.ldaptive.auth.ext.PasswordExpirationAccountState;
import org.ldaptive.control.PasswordPolicyControl;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.LinkedCaseInsensitiveMap;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-ldap-core-6.5.4.jar:org/apereo/cas/authentication/support/DefaultLdapAccountStateHandler.class */
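/**
 * Translates the account state carried by an ldaptive {@link AuthenticationResponse} into
 * CAS login outcomes: account-state errors are thrown as {@link LoginException}s and
 * account-state warnings are returned as {@link MessageDescriptor}s.
 *
 * <p>Two lookup tables drive the translation:
 * <ul>
 *   <li>{@link #errorMap} maps a directory-reported {@link AccountState.Error} to the exception
 *       to throw;</li>
 *   <li>the attribute-to-error map (see {@link #setAttributesToErrorMap(Map)}) maps the name of
 *       a boolean LDAP attribute on the authenticated entry to an exception class.</li>
 * </ul>
 *
 * <p>Security notes for integrators:
 * <ul>
 *   <li>Each account state maps to its own exception type (locked, disabled, not found, ...).
 *       Code that shows these types verbatim on the login page tells whoever submitted the
 *       credentials what state the account is in; how they are rendered is decided outside
 *       this class.</li>
 *   <li>The exception instances in {@link #errorMap} are created once in the constructor and
 *       the same instance is thrown on every match, so its stack trace points at construction
 *       rather than at the failing login, and the instance is shared between threads.</li>
 * </ul>
 */
public class DefaultLdapAccountStateHandler implements AuthenticationAccountStateHandler<AuthenticationResponse, PasswordPolicyContext> {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(DefaultLdapAccountStateHandler.class);

    /** Initial capacity used for both lookup tables. */
    private static final int DEFAULT_ERROR_COUNT = 30;

    // Keyed by LDAP attribute name. Case-insensitive so that a lookup does not depend on
    // the spelling the directory returns for the attribute.
    private Map<String, Class<? extends LoginException>> attributesToErrorMap = new LinkedCaseInsensitiveMap<>(DEFAULT_ERROR_COUNT);

    // Directory-reported error -> exception instance thrown for it. Protected, so subclasses
    // can add or replace mappings.
    protected Map<AccountState.Error, LoginException> errorMap = new HashMap<>(DEFAULT_ERROR_COUNT);

    /**
     * Registers the default error mappings for Active Directory, eDirectory, the generic
     * password-expiration account state, the password policy control and FreeIPA.
     */
    public DefaultLdapAccountStateHandler() {
        // Active Directory
        this.errorMap.put(ActiveDirectoryAccountState.Error.ACCOUNT_DISABLED, new AccountDisabledException());
        this.errorMap.put(ActiveDirectoryAccountState.Error.ACCOUNT_LOCKED_OUT, new AccountLockedException());
        this.errorMap.put(ActiveDirectoryAccountState.Error.INVALID_LOGON_HOURS, new InvalidLoginTimeException());
        this.errorMap.put(ActiveDirectoryAccountState.Error.INVALID_WORKSTATION, new InvalidLoginLocationException());
        this.errorMap.put(ActiveDirectoryAccountState.Error.PASSWORD_MUST_CHANGE, new AccountPasswordMustChangeException());
        this.errorMap.put(ActiveDirectoryAccountState.Error.PASSWORD_EXPIRED, new CredentialExpiredException());
        this.errorMap.put(ActiveDirectoryAccountState.Error.ACCOUNT_EXPIRED, new AccountExpiredException());
        this.errorMap.put(ActiveDirectoryAccountState.Error.LOGON_FAILURE, new FailedLoginException());

        // eDirectory
        this.errorMap.put(EDirectoryAccountState.Error.ACCOUNT_EXPIRED, new AccountExpiredException());
        this.errorMap.put(EDirectoryAccountState.Error.FAILED_AUTHENTICATION, new FailedLoginException());
        this.errorMap.put(EDirectoryAccountState.Error.LOGIN_LOCKOUT, new AccountLockedException());
        this.errorMap.put(EDirectoryAccountState.Error.LOGIN_TIME_LIMITED, new InvalidLoginTimeException());
        this.errorMap.put(EDirectoryAccountState.Error.PASSWORD_EXPIRED, new CredentialExpiredException());

        // Generic password expiration
        this.errorMap.put(PasswordExpirationAccountState.Error.PASSWORD_EXPIRED, new CredentialExpiredException());

        // Password policy control
        this.errorMap.put(PasswordPolicyControl.Error.ACCOUNT_LOCKED, new AccountLockedException());
        this.errorMap.put(PasswordPolicyControl.Error.PASSWORD_EXPIRED, new CredentialExpiredException());
        this.errorMap.put(PasswordPolicyControl.Error.INSUFFICIENT_PASSWORD_QUALITY, new AccountPasswordMustChangeException());
        this.errorMap.put(PasswordPolicyControl.Error.CHANGE_AFTER_RESET, new AccountPasswordMustChangeException());

        // FreeIPA
        this.errorMap.put(FreeIPAAccountState.Error.FAILED_AUTHENTICATION, new FailedLoginException());
        this.errorMap.put(FreeIPAAccountState.Error.PASSWORD_EXPIRED, new CredentialExpiredException());
        this.errorMap.put(FreeIPAAccountState.Error.ACCOUNT_EXPIRED, new AccountExpiredException());
        this.errorMap.put(FreeIPAAccountState.Error.MAXIMUM_LOGINS_EXCEEDED, new AccountLockedException());
        this.errorMap.put(FreeIPAAccountState.Error.LOGIN_TIME_LIMITED, new InvalidLoginTimeException());
        this.errorMap.put(FreeIPAAccountState.Error.LOGIN_LOCKOUT, new AccountLockedException());
        this.errorMap.put(FreeIPAAccountState.Error.ACCOUNT_NOT_FOUND, new AccountNotFoundException());
        this.errorMap.put(FreeIPAAccountState.Error.CREDENTIAL_NOT_FOUND, new FailedLoginException());
        this.errorMap.put(FreeIPAAccountState.Error.ACCOUNT_DISABLED, new AccountDisabledException());
    }

    /**
     * Evaluates the account state of an LDAP authentication response.
     *
     * <p>Order of evaluation:
     * <ol>
     *   <li>If attribute-based policies are configured and the response is successful, the
     *       entry's attributes are checked via {@link #handlePolicyAttributes}.</li>
     *   <li>If the response carries no account state and is not successful, the diagnostic
     *       message is inspected via {@link #handleFailingResponse}.</li>
     *   <li>If the response carries no account state, an empty list is returned.</li>
     *   <li>Otherwise the state's error is handled first (which may throw) and then its
     *       warning.</li>
     * </ol>
     *
     * @param authenticationResponse the ldaptive response to inspect
     * @param passwordPolicyContext  password policy settings used when evaluating warnings
     * @return the warning messages collected for the account; empty when there is no account state
     * @throws LoginException when the account state or a policy attribute maps to a login error
     */
    @Override
    public List<MessageDescriptor> handle(AuthenticationResponse authenticationResponse, PasswordPolicyContext passwordPolicyContext) throws LoginException {
        // NOTE(review): this logs the whole response object at debug level; depending on its
        // toString() that may include the resolved entry and its attributes. Confirm before
        // enabling debug logging for this class in production.
        LOGGER.debug("Attempting to handle LDAP account state for [{}]", authenticationResponse);

        // Attribute-based policies are only consulted for successful binds.
        if (!this.attributesToErrorMap.isEmpty() && authenticationResponse.isSuccess()) {
            LOGGER.debug("Handling policy based on pre-defined attributes");
            handlePolicyAttributes(authenticationResponse);
        }

        AccountState accountState = authenticationResponse.getAccountState();
        if (accountState == null) {
            if (!authenticationResponse.isSuccess()) {
                handleFailingResponse(authenticationResponse, passwordPolicyContext);
            }
            LOGGER.debug("Account state not defined. Returning empty list of messages.");
            return new ArrayList<>(0);
        }

        List<MessageDescriptor> messages = new ArrayList<>();
        handleError(accountState.getError(), authenticationResponse, passwordPolicyContext, messages);
        handleWarning(accountState.getWarning(), authenticationResponse, passwordPolicyContext, messages);
        return messages;
    }

    /**
     * Handles a failed response that carries no account state by parsing its diagnostic
     * message as an Active Directory error and passing the result to {@link #handleError}.
     *
     * @param authenticationResponse the failed response
     * @param passwordPolicyContext  password policy settings, passed through to {@link #handleError}
     * @throws LoginException when the parsed error has a mapping in {@link #errorMap}
     */
    protected void handleFailingResponse(AuthenticationResponse authenticationResponse, PasswordPolicyContext passwordPolicyContext) throws LoginException {
        // The diagnostic message is always parsed with the Active Directory parser here,
        // whichever directory produced the response.
        AccountState.Error parsedError = ActiveDirectoryAccountState.Error.parse(authenticationResponse.getDiagnosticMessage());
        handleError(parsedError, authenticationResponse, passwordPolicyContext, new ArrayList<>());
    }

    /**
     * Throws the exception registered in {@link #errorMap} for the given error, if any.
     * An error that is {@code null} or has no mapping is only logged.
     *
     * @param error                  the account state error, may be {@code null}
     * @param authenticationResponse the response being handled (not used by this implementation)
     * @param passwordPolicyContext  password policy settings (not used by this implementation)
     * @param list                   message sink (not used by this implementation)
     * @throws LoginException the mapped exception instance
     */
    protected void handleError(AccountState.Error error, AuthenticationResponse authenticationResponse, PasswordPolicyContext passwordPolicyContext, List<MessageDescriptor> list) throws LoginException {
        LOGGER.debug("Handling LDAP account state error [{}]", error);
        if (error != null && this.errorMap.containsKey(error)) {
            // The stored instance itself is thrown; see the class-level note on shared instances.
            throw this.errorMap.get(error);
        }
        // An unmapped error does not stop processing in this method; the caller continues.
        LOGGER.debug("No LDAP error mapping defined for [{}]", error);
    }

    /**
     * Converts an account state warning into user-facing messages appended to {@code list}.
     *
     * <p>A password-expiration message is added when the context always displays the warning
     * or when the number of whole days until expiration is below the configured threshold.
     * A logins-remaining message is added when the warning reports more than zero remaining
     * logins.
     *
     * <p>Declared public in this decompiled listing; the decompiler recorded that the access
     * modifier was changed from protected.
     *
     * @param warning                the account state warning, may be {@code null}
     * @param authenticationResponse the response being handled (not used by this implementation)
     * @param passwordPolicyContext  supplies the warning threshold and the always-display flag;
     *                               dereferenced without a null check when an expiration is present
     * @param list                   receives the generated messages
     */
    public void handleWarning(AccountState.Warning warning, AuthenticationResponse authenticationResponse, PasswordPolicyContext passwordPolicyContext, List<MessageDescriptor> list) {
        LOGGER.debug("Handling account state warning [{}]", warning);
        if (warning == null) {
            LOGGER.debug("Account state warning not defined");
            return;
        }

        if (warning.getExpiration() == null) {
            LOGGER.debug("No account expiration warning was provided as part of the account state");
        } else {
            // Whole days between now (UTC) and the expiration instant; partial days are truncated.
            long daysUntilExpiration = ZonedDateTime.now(ZoneOffset.UTC)
                .until(DateTimeUtils.zonedDateTimeOf(warning.getExpiration()), ChronoUnit.DAYS);
            int warningThresholdDays = passwordPolicyContext.getPasswordWarningNumberOfDays();
            LOGGER.debug("Password expires in [{}] days. Expiration warning threshold is [{}] days.", daysUntilExpiration, warningThresholdDays);
            // NOTE(review): an expiration in the past yields a negative day count, which also
            // passes the threshold test and is shown as-is in the message - confirm intended.
            if (passwordPolicyContext.isAlwaysDisplayPasswordExpirationWarning() || daysUntilExpiration < warningThresholdDays) {
                list.add(new PasswordExpiringWarningMessageDescriptor("Password expires in {0} days.", daysUntilExpiration));
            }
        }

        int loginsRemaining = warning.getLoginsRemaining();
        if (loginsRemaining > 0) {
            list.add(new DefaultMessageDescriptor("password.expiration.loginsRemaining", "You have {0} logins remaining before you MUST change your password.", new Serializable[]{Integer.valueOf(loginsRemaining)}));
        }
    }

    /**
     * Checks the authenticated entry's attributes against the configured attribute-to-error
     * map and throws a new instance of the mapped exception class for the first attribute that
     * is both configured and set to {@code true}.
     *
     * <p>Only a value that {@link Boolean#parseBoolean(String)} accepts (the word "true",
     * ignoring case) triggers the policy; a flag stored as "1" or "yes" does not.
     *
     * <p>The method declares no checked exceptions, yet it throws the mapped
     * {@link LoginException}, or the reflection failure raised while instantiating it,
     * unchanged. A mapped class without an accessible no-argument constructor therefore fails
     * the login with that reflection exception rather than being skipped.
     *
     * @param authenticationResponse the successful response whose entry is inspected
     */
    protected void handlePolicyAttributes(AuthenticationResponse authenticationResponse) {
        for (LdapAttribute ldapAttribute : authenticationResponse.getLdapEntry().getAttributes()) {
            String attributeName = ldapAttribute.getName();
            if (this.attributesToErrorMap.containsKey(attributeName) && Boolean.parseBoolean(ldapAttribute.getStringValue())) {
                Class<? extends LoginException> errorType = this.attributesToErrorMap.get(attributeName);
                LoginException failure;
                try {
                    failure = errorType.getDeclaredConstructor().newInstance();
                } catch (ReflectiveOperationException e) {
                    // Propagate as-is so a misconfigured mapping blocks the login instead of
                    // being silently ignored.
                    throw DefaultLdapAccountStateHandler.<RuntimeException>rethrowUnchecked(e);
                }
                throw DefaultLdapAccountStateHandler.<RuntimeException>rethrowUnchecked(failure);
            }
        }
    }

    /**
     * Replaces the attribute-to-error map used by {@link #handlePolicyAttributes}.
     *
     * <p>The entries are copied into a case-insensitive map. Keeping the caller's map would
     * make the lookup depend on the exact spelling of the attribute name as returned by the
     * directory, and a mismatch in case would skip the policy check for that attribute.
     *
     * @param map attribute name to exception class; must not be {@code null}
     * @throws IllegalArgumentException if {@code map} is {@code null}
     */
    public void setAttributesToErrorMap(Map<String, Class<? extends LoginException>> map) {
        if (map == null) {
            // Fail at configuration time instead of on the first login attempt.
            throw new IllegalArgumentException("attributesToErrorMap must not be null");
        }
        Map<String, Class<? extends LoginException>> caseInsensitiveCopy = new LinkedCaseInsensitiveMap<>(map.size());
        caseInsensitiveCopy.putAll(map);
        this.attributesToErrorMap = caseInsensitiveCopy;
    }

    /**
     * Throws {@code t} without wrapping it, even when it is a checked exception that the
     * calling method does not declare. The return type exists only so call sites can be
     * written as {@code throw rethrowUnchecked(...)}; the method never returns.
     */
    @SuppressWarnings("unchecked")
    private static <E extends Throwable> RuntimeException rethrowUnchecked(Throwable t) throws E {
        // Unchecked cast is erased at runtime, so t is thrown as its real type.
        throw (E) t;
    }
}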
