package com.evolveum.midpoint.model.common.stringpolicy;

import com.evolveum.midpoint.model.api.validator.StringLimitationResult;
import com.evolveum.midpoint.prism.PrismContainer;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.crypto.EncryptionException;
import com.evolveum.midpoint.prism.crypto.Protector;
import com.evolveum.midpoint.prism.path.ItemName;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.prism.xml.XmlTypeConverter;
import com.evolveum.midpoint.prism.xml.XsdTypeMapper;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.result.OperationResultStatus;
import com.evolveum.midpoint.schema.util.ValueMetadataTypeUtil;
import com.evolveum.midpoint.security.api.SecurityUtil;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.util.LocalizableMessage;
import com.evolveum.midpoint.util.LocalizableMessageBuilder;
import com.evolveum.midpoint.util.LocalizableMessageList;
import com.evolveum.midpoint.util.LocalizableMessageListBuilder;
import com.evolveum.midpoint.util.QNameUtil;
import com.evolveum.midpoint.util.SingleLocalizableMessage;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.exception.SystemException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractCredentialType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordHistoryEntryType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ValueMetadataType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ValuePolicyType;
import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import javax.xml.datatype.Duration;
import javax.xml.datatype.XMLGregorianCalendar;
import org.apache.commons.lang3.ObjectUtils;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

/* loaded from: input_file:com/evolveum/midpoint/model/common/stringpolicy/ObjectValuePolicyEvaluator.class */
public class ObjectValuePolicyEvaluator {
    private static final Trace LOGGER = TraceManager.getTrace(ObjectValuePolicyEvaluator.class);
    private static final String OPERATION_VALIDATE_VALUE = ObjectValuePolicyEvaluator.class.getName() + ".validateValue";
    private final Protector protector;
    private final ValuePolicyProcessor valuePolicyProcessor;
    private final SecurityPolicyType securityPolicy;
    private final XMLGregorianCalendar now;
    private final ObjectBasedValuePolicyOriginResolver<?> originResolver;
    private final AbstractCredentialType oldCredential;
    private final String shortDesc;
    private final Task task;
    private final ItemName credentialName;
    private final CredentialPolicyType credentialPolicy;
    private final ValuePolicyType valuePolicy;

    /* loaded from: input_file:com/evolveum/midpoint/model/common/stringpolicy/ObjectValuePolicyEvaluator$Builder.class */
    public static final class Builder {
        private Protector protector;
        private ValuePolicyProcessor valuePolicyProcessor;
        private SecurityPolicyType securityPolicy;
        private XMLGregorianCalendar now;
        private ItemPath valueItemPath;
        private ObjectBasedValuePolicyOriginResolver<?> originResolver;
        private AbstractCredentialType oldCredential;
        private String shortDesc;
        private Task task;
        private ValuePolicyType valuePolicy;

        public Builder protector(Protector protector) {
            this.protector = protector;
            return this;
        }

        public Builder valuePolicyProcessor(ValuePolicyProcessor valuePolicyProcessor) {
            this.valuePolicyProcessor = valuePolicyProcessor;
            return this;
        }

        public Builder securityPolicy(SecurityPolicyType securityPolicyType) {
            this.securityPolicy = securityPolicyType;
            return this;
        }

        public Builder now(XMLGregorianCalendar xMLGregorianCalendar) {
            this.now = xMLGregorianCalendar;
            return this;
        }

        public Builder valueItemPath(ItemPath itemPath) {
            this.valueItemPath = itemPath;
            return this;
        }

        public Builder originResolver(ObjectBasedValuePolicyOriginResolver<?> objectBasedValuePolicyOriginResolver) {
            this.originResolver = objectBasedValuePolicyOriginResolver;
            return this;
        }

        public Builder oldCredential(AbstractCredentialType abstractCredentialType) {
            this.oldCredential = abstractCredentialType;
            return this;
        }

        public Builder shortDesc(String str) {
            this.shortDesc = str;
            return this;
        }

        public Builder task(Task task) {
            this.task = task;
            return this;
        }

        public Builder valuePolicy(ValuePolicyType valuePolicyType) {
            this.valuePolicy = valuePolicyType;
            return this;
        }

        public ObjectValuePolicyEvaluator build() throws SchemaException {
            return new ObjectValuePolicyEvaluator(this);
        }
    }

    private ObjectValuePolicyEvaluator(Builder builder) throws SchemaException {
        this.protector = builder.protector;
        this.valuePolicyProcessor = builder.valuePolicyProcessor;
        this.securityPolicy = builder.securityPolicy;
        this.now = builder.now;
        this.originResolver = builder.originResolver;
        this.oldCredential = builder.oldCredential;
        this.shortDesc = builder.shortDesc;
        this.task = builder.task;
        this.credentialName = determineCredentialName(builder.valueItemPath);
        this.credentialPolicy = determineCredentialPolicy(this.credentialName, this.securityPolicy);
        this.valuePolicy = determineValuePolicy(builder.valuePolicy, this.credentialPolicy);
    }

    private static ItemName determineCredentialName(ItemPath itemPath) {
        if (itemPath == null || !itemPath.startsWithName(FocusType.F_CREDENTIALS)) {
            return null;
        }
        Object segment = itemPath.getSegment(1);
        if (ItemPath.isName(segment)) {
            return ItemPath.toName(segment);
        }
        return null;
    }

    private static CredentialPolicyType determineCredentialPolicy(ItemName itemName, SecurityPolicyType securityPolicyType) throws SchemaException {
        if (QNameUtil.match(CredentialsType.F_PASSWORD, itemName)) {
            return SecurityUtil.getEffectivePasswordCredentialsPolicy(securityPolicyType);
        }
        if (QNameUtil.match(CredentialsType.F_NONCE, itemName)) {
            return SecurityUtil.getEffectiveNonceCredentialsPolicy(securityPolicyType);
        }
        return null;
    }

    private static ValuePolicyType determineValuePolicy(ValuePolicyType valuePolicyType, CredentialPolicyType credentialPolicyType) {
        ObjectReferenceType valuePolicyRef;
        PrismObject object;
        if (valuePolicyType != null) {
            return valuePolicyType;
        }
        if (credentialPolicyType == null || (valuePolicyRef = credentialPolicyType.getValuePolicyRef()) == null || (object = valuePolicyRef.asReferenceValue().getObject()) == null) {
            return null;
        }
        return object.asObjectable();
    }

    public Protector getProtector() {
        return this.protector;
    }

    public ValuePolicyProcessor getValuePolicyProcessor() {
        return this.valuePolicyProcessor;
    }

    public SecurityPolicyType getSecurityPolicy() {
        return this.securityPolicy;
    }

    public XMLGregorianCalendar getNow() {
        return this.now;
    }

    public String getShortDesc() {
        return this.shortDesc;
    }

    public Task getTask() {
        return this.task;
    }

    public OperationResult validateProtectedStringValue(ProtectedStringType protectedStringType, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        return validateStringValue(getClearValue(protectedStringType), operationResult);
    }

    public OperationResult validateStringValue(String str, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        OperationResult createMinorSubresult = operationResult.createMinorSubresult(OPERATION_VALIDATE_VALUE);
        try {
            try {
                ArrayList arrayList = new ArrayList();
                validateMinAge(arrayList, createMinorSubresult);
                validateHistory(str, arrayList, createMinorSubresult);
                validateStringPolicy(str, arrayList, createMinorSubresult);
                generateResultMessage(arrayList, createMinorSubresult);
                createMinorSubresult.computeStatusIfUnknown();
                return createMinorSubresult;
            } catch (Throwable th) {
                createMinorSubresult.recordFatalError(th);
                throw th;
            }
        } catch (Throwable th2) {
            createMinorSubresult.computeStatusIfUnknown();
            throw th2;
        }
    }

    private void generateResultMessage(List<LocalizableMessage> list, OperationResult operationResult) {
        operationResult.computeStatus();
        if (operationResult.isSuccess() || list.isEmpty()) {
            return;
        }
        operationResult.setUserFriendlyMessage(new LocalizableMessageListBuilder().messages(list).separator(LocalizableMessageList.SPACE).buildOptimized());
    }

    public OperationResult validateMinOccurs(int i, OperationResult operationResult) {
        OperationResult createMinorSubresult = operationResult.createMinorSubresult(OPERATION_VALIDATE_VALUE);
        try {
            try {
                ArrayList arrayList = new ArrayList();
                validateMinOccurs(i, arrayList, createMinorSubresult);
                generateResultMessage(arrayList, createMinorSubresult);
                createMinorSubresult.computeStatusIfUnknown();
                return createMinorSubresult;
            } finally {
            }
        } catch (Throwable th) {
            createMinorSubresult.computeStatusIfUnknown();
            throw th;
        }
    }

    private void validateMinAge(List<LocalizableMessage> list, OperationResult operationResult) {
        if (this.oldCredential == null) {
            return;
        }
        Duration minAge = getMinAge();
        XMLGregorianCalendar lastChangeTimestamp = getLastChangeTimestamp();
        if (minAge == null || lastChangeTimestamp == null || XmlTypeConverter.addDuration(lastChangeTimestamp, minAge).compare(this.now) != 1) {
            return;
        }
        LOGGER.trace("Password minAge violated. lastChange={}, minAge={}, now={}", new Object[]{lastChangeTimestamp, minAge, this.now});
        SingleLocalizableMessage buildKey = LocalizableMessageBuilder.buildKey("ValuePolicy.minAgeNotReached");
        operationResult.addSubresult(new OperationResult("Password minimal age", OperationResultStatus.FATAL_ERROR, buildKey));
        list.add(buildKey);
    }

    @Nullable
    private XMLGregorianCalendar getLastChangeTimestamp() {
        XMLGregorianCalendar xMLGregorianCalendar = null;
        Iterator it = this.oldCredential.asPrismContainerValue().getValueMetadataAsContainer().getRealValues().iterator();
        while (it.hasNext()) {
            XMLGregorianCalendar lastChangeTimestamp = ValueMetadataTypeUtil.getLastChangeTimestamp((ValueMetadataType) it.next());
            if (xMLGregorianCalendar == null) {
                xMLGregorianCalendar = lastChangeTimestamp;
            } else if (lastChangeTimestamp != null && lastChangeTimestamp.compare(xMLGregorianCalendar) > 0) {
                xMLGregorianCalendar = lastChangeTimestamp;
            }
        }
        return xMLGregorianCalendar;
    }

    private boolean isMaxAgeViolated() {
        if (this.oldCredential == null) {
            return false;
        }
        Duration maxAge = getMaxAge();
        XMLGregorianCalendar lastChangeTimestamp = getLastChangeTimestamp();
        if (maxAge == null || lastChangeTimestamp == null || XmlTypeConverter.addDuration(lastChangeTimestamp, maxAge).compare(this.now) != -1) {
            return false;
        }
        LOGGER.trace("Password maxAge violated. lastChange={}, maxAge={}, now={}", new Object[]{lastChangeTimestamp, maxAge, this.now});
        return true;
    }

    private void validateStringPolicy(String str, List<LocalizableMessage> list, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        if (str == null) {
            return;
        }
        if (this.valuePolicy != null) {
            list.addAll(StringLimitationResult.extractMessages(this.valuePolicyProcessor.validateValue(str, this.valuePolicy, this.originResolver, "focus " + this.shortDesc + " value policy validation", this.task, operationResult)));
        } else {
            LOGGER.trace("Skipping validating {} value. Value policy not specified.", this.shortDesc);
        }
    }

    private void validateMinOccurs(int i, List<LocalizableMessage> list, OperationResult operationResult) {
        int minOccurs = getMinOccurs();
        if (i < minOccurs) {
            SingleLocalizableMessage buildKey = minOccurs == 1 ? LocalizableMessageBuilder.buildKey("ValuePolicy.valueMustBePresent") : new LocalizableMessageBuilder().key("ValuePolicy.valuesMustBePresent").args(new Object[]{Integer.valueOf(minOccurs), Integer.valueOf(i)}).build();
            operationResult.addSubresult(new OperationResult("minOccurs", OperationResultStatus.FATAL_ERROR, buildKey));
            list.add(buildKey);
        }
    }

    private void validateHistory(String str, List<LocalizableMessage> list, OperationResult operationResult) throws SchemaException {
        if (!CredentialsType.F_PASSWORD.matches(this.credentialName)) {
            LOGGER.trace("Skipping validating {} history, only password history is supported", this.shortDesc);
            return;
        }
        int credentialHistoryLength = SecurityUtil.getCredentialHistoryLength(this.credentialPolicy);
        if (credentialHistoryLength == 0) {
            LOGGER.trace("Skipping validating {} history, because history length is set to zero", this.shortDesc);
            return;
        }
        PasswordType passwordType = this.oldCredential;
        if (passwordType == null) {
            LOGGER.trace("Skipping validating {} history, because it is empty", this.shortDesc);
            return;
        }
        ProtectedStringType protectedStringType = new ProtectedStringType();
        protectedStringType.setClearValue(str);
        if (passwordEquals(protectedStringType, passwordType.getValue())) {
            LOGGER.trace("{} matched current value", this.shortDesc);
            if (!SecurityUtil.isHistoryAllowExistingPasswordReuse(this.credentialPolicy) || isMaxAgeViolated()) {
                appendHistoryViolationMessage(list, operationResult);
                return;
            }
        }
        int i = 1;
        for (PasswordHistoryEntryType passwordHistoryEntryType : getSortedHistoryList(passwordType.asPrismContainerValue().findContainer(PasswordType.F_HISTORY_ENTRY), false)) {
            if (i >= credentialHistoryLength) {
                return;
            }
            if (passwordEquals(protectedStringType, passwordHistoryEntryType.getValue())) {
                LOGGER.trace("Password history entry #{} matched (changed {})", Integer.valueOf(i), passwordHistoryEntryType.getChangeTimestamp());
                appendHistoryViolationMessage(list, operationResult);
                return;
            }
            i++;
        }
    }

    private Duration getMinAge() {
        if (this.credentialPolicy != null) {
            return this.credentialPolicy.getMinAge();
        }
        return null;
    }

    private Duration getMaxAge() {
        if (this.credentialPolicy != null) {
            return this.credentialPolicy.getMaxAge();
        }
        return null;
    }

    private int getMinOccurs() {
        if (this.credentialPolicy != null) {
            return ((Integer) ObjectUtils.defaultIfNull(XsdTypeMapper.multiplicityToInteger(this.credentialPolicy.getMinOccurs()), 0)).intValue();
        }
        return 0;
    }

    @NotNull
    private List<PasswordHistoryEntryType> getSortedHistoryList(PrismContainer<PasswordHistoryEntryType> prismContainer, boolean z) {
        if (prismContainer == null || prismContainer.isEmpty()) {
            return Collections.emptyList();
        }
        List<PasswordHistoryEntryType> list = (List) prismContainer.getRealValues();
        list.sort((passwordHistoryEntryType, passwordHistoryEntryType2) -> {
            XMLGregorianCalendar changeTimestamp = passwordHistoryEntryType.getChangeTimestamp();
            XMLGregorianCalendar changeTimestamp2 = passwordHistoryEntryType2.getChangeTimestamp();
            return z ? changeTimestamp.compare(changeTimestamp2) : changeTimestamp2.compare(changeTimestamp);
        });
        return list;
    }

    private void appendHistoryViolationMessage(List<LocalizableMessage> list, OperationResult operationResult) {
        SingleLocalizableMessage buildKey = LocalizableMessageBuilder.buildKey("ValuePolicy.valueRecentlyUsed");
        operationResult.addSubresult(new OperationResult("history", OperationResultStatus.FATAL_ERROR, buildKey));
        list.add(buildKey);
    }

    private String getClearValue(ProtectedStringType protectedStringType) {
        if (protectedStringType == null) {
            return null;
        }
        String str = (String) protectedStringType.getClearValue();
        if (str != null) {
            return str;
        }
        if (!protectedStringType.isEncrypted() && !protectedStringType.isExternal()) {
            return null;
        }
        try {
            return this.protector.decryptString(protectedStringType);
        } catch (EncryptionException e) {
            throw new SystemException("Failed to decrypt " + this.shortDesc + ": " + e.getMessage(), e);
        }
    }

    private boolean passwordEquals(ProtectedStringType protectedStringType, ProtectedStringType protectedStringType2) throws SchemaException {
        if (protectedStringType2 == null) {
            return protectedStringType == null;
        }
        try {
            return this.protector.compareCleartext(protectedStringType, protectedStringType2);
        } catch (EncryptionException e) {
            throw new SystemException("Failed to compare " + this.shortDesc + ": " + e.getMessage(), e);
        }
    }
}
