package com.evolveum.midpoint.model.impl.security;

import com.evolveum.midpoint.common.ActivationComputer;
import com.evolveum.midpoint.prism.crypto.EncryptionException;
import com.evolveum.midpoint.prism.crypto.Protector;
import com.evolveum.midpoint.schema.constants.SchemaConstants;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.security.api.AuthorizationConstants;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.security.api.SecurityEnforcer;
import com.evolveum.midpoint.security.api.UserProfileService;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.core.Response;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.message.Message;
import org.springframework.beans.factory.annotation.Autowired;

/* loaded from: input_file:WEB-INF/lib/model-impl-3.3.2-SNAPSHOT.jar:com/evolveum/midpoint/model/impl/security/MidpointRestAuthenticationHandler.class */
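/**
 * JAX-RS request filter that authenticates REST calls using the HTTP Basic credentials
 * CXF exposes as an {@link AuthorizationPolicy} on the current {@link Message}.
 *
 * <p>On success the authenticated {@link UserType} is published on the message under the
 * key {@code "authenticatedUser"}, the pre-authenticated security context is installed via
 * {@link SecurityEnforcer#setupPreAuthenticatedSecurityContext} and the
 * {@link AuthorizationConstants#AUTZ_REST_ALL_URL} authorization is checked. Every failure
 * is audited through {@link SecurityHelper#auditLoginFailure} on the REST channel and the
 * request is aborted with a 401, 403 or 400 response.
 *
 * <p>Response-side filtering is a no-op.
 */
public class MidpointRestAuthenticationHandler implements ContainerRequestFilter, ContainerResponseFilter {

    /** Message property under which the authenticated user is published to downstream code. */
    private static final String AUTHENTICATED_USER_KEY = "authenticatedUser";

    private static final String WWW_AUTHENTICATE_HEADER = "WWW-Authenticate";

    /** Plain challenge sent when credentials are missing, the user is unknown or the password is wrong. */
    private static final String BASIC_CHALLENGE = "Basic";

    @Autowired(required = true)
    private UserProfileService userDetails;

    @Autowired(required = true)
    private SecurityEnforcer securityEnforcer;

    @Autowired(required = true)
    private Protector protector;

    @Autowired(required = true)
    private SecurityHelper securityHelper;

    @Autowired(required = true)
    private ActivationComputer activationComputer;

    /**
     * Authenticates and authorizes the request described by {@code message}.
     *
     * <p>Missing policy or user name aborts with 401 and a {@code Basic} challenge. Otherwise the
     * user is resolved and the password verified (see {@link #authenticate}); on success the user
     * is stored on the message, the security context is set up and REST access is authorized.
     * A schema error during authorization yields 400, a denied authorization 403, and an
     * unresolvable user 401.
     *
     * @param message the current CXF message carrying the {@link AuthorizationPolicy}
     * @param containerRequestContext the JAX-RS request context used to abort the request
     */
    public void handleRequest(Message message, ContainerRequestContext containerRequestContext) {
        AuthorizationPolicy authorizationPolicy = message.get(AuthorizationPolicy.class);
        if (authorizationPolicy == null) {
            abortUnauthorized(containerRequestContext, BASIC_CHALLENGE);
            return;
        }
        String userName = authorizationPolicy.getUserName();
        if (userName == null) {
            abortUnauthorized(containerRequestContext, BASIC_CHALLENGE);
            return;
        }
        try {
            UserType user = authenticate(userName, authorizationPolicy.getPassword(), containerRequestContext);
            if (user == null) {
                // Failure has already been audited and the request aborted.
                return;
            }
            message.put(AUTHENTICATED_USER_KEY, user);
            this.securityEnforcer.setupPreAuthenticatedSecurityContext(user.asPrismObject());
            try {
                this.securityEnforcer.authorize(AuthorizationConstants.AUTZ_REST_ALL_URL, null, null, null, null, null,
                        new OperationResult("Rest authentication/authorization operation."));
            } catch (SchemaException e) {
                auditFailure(userName, "Schema error: " + e.getMessage());
                containerRequestContext.abortWith(Response.status(Response.Status.BAD_REQUEST).build());
            } catch (SecurityViolationException unused) {
                auditFailure(userName, "Not authorized");
                abortForbidden(containerRequestContext);
            }
        } catch (ObjectNotFoundException unused) {
            auditFailure(userName, "No user");
            // Header value kept as-is for compatibility with existing clients; it is not a plain scheme challenge.
            abortUnauthorized(containerRequestContext, "Basic authentication failed. Cannot authenticate user.");
        }
    }

    /**
     * Resolves {@code userName} to a midPoint user and verifies {@code password} against the
     * user's stored credentials.
     *
     * <p>Every failure is audited with a specific reason and the request is aborted: unknown
     * user and wrong password give 401 with a {@code Basic} challenge; inactive user, missing
     * credentials or an unusable stored password give 403.
     *
     * @param userName user name from the Basic credentials
     * @param password clear-text password from the Basic credentials, may be {@code null}
     * @param ctx request context used to abort the request on failure
     * @return the authenticated user, or {@code null} when the request was aborted
     * @throws ObjectNotFoundException propagated from {@link UserProfileService#getPrincipal}
     */
    private UserType authenticate(String userName, String password, ContainerRequestContext ctx)
            throws ObjectNotFoundException {
        MidPointPrincipal principal = this.userDetails.getPrincipal(userName);
        if (principal == null) {
            auditFailure(userName, "No user");
            abortUnauthorized(ctx, BASIC_CHALLENGE);
            return null;
        }
        UserType user = principal.getUser();
        // NOTE(review): activation and credential-presence checks run before the password is
        // verified, so their 403 differs from the 401 for an unknown user or wrong password;
        // consider whether that distinction should be visible to an unauthenticated caller.
        if (!this.activationComputer.isActive(user.getActivation())) {
            auditFailure(userName, "User not active");
            abortForbidden(ctx);
            return null;
        }
        if (password == null) {
            auditFailure(userName, "No password entered");
            // Header value kept as-is for compatibility with existing clients; it is not a plain scheme challenge.
            abortUnauthorized(ctx, "Basic authentication failed. Cannot authenticate user without password");
            return null;
        }
        if (user.getCredentials() == null) {
            auditFailure(userName, "No user credentials");
            abortForbidden(ctx);
            return null;
        }
        PasswordType storedPassword = user.getCredentials().getPassword();
        if (storedPassword == null) {
            auditFailure(userName, "No password in user credentials");
            abortForbidden(ctx);
            return null;
        }
        return verifyPassword(userName, password, storedPassword.getValue(), ctx) ? user : null;
    }

    /**
     * Checks {@code supplied} against the stored {@link ProtectedStringType}.
     *
     * <p>A clear value is compared directly; otherwise the value must carry encrypted data, which
     * is decrypted with the {@link Protector} first. A {@code null} value (previously an
     * unguarded dereference) or one with neither form is rejected as unsupported.
     *
     * @param userName user name used for audit records
     * @param supplied clear-text password from the request, never {@code null} here
     * @param stored stored password value, may be {@code null}
     * @param ctx request context used to abort the request on failure
     * @return {@code true} if the password matches; {@code false} after auditing and aborting
     */
    private boolean verifyPassword(String userName, String supplied, ProtectedStringType stored,
            ContainerRequestContext ctx) {
        String clearValue = stored == null ? null : stored.getClearValue();
        if (clearValue != null) {
            if (!passwordMatches(supplied, clearValue)) {
                auditFailure(userName, "Wrong password");
                abortUnauthorized(ctx, BASIC_CHALLENGE);
                return false;
            }
            return true;
        }
        if (stored == null || stored.getEncryptedDataType() == null) {
            auditFailure(userName, "Unsupported password format or no password value");
            abortForbidden(ctx);
            return false;
        }
        try {
            if (!passwordMatches(supplied, this.protector.decryptString(stored))) {
                auditFailure(userName, "Wrong password");
                abortUnauthorized(ctx, BASIC_CHALLENGE);
                return false;
            }
        } catch (EncryptionException e) {
            auditFailure(userName, "Password cryptographic error: " + e.getMessage());
            abortForbidden(ctx);
            return false;
        }
        return true;
    }

    /**
     * Compares two passwords in constant time so that the comparison duration does not depend on
     * how many leading characters match. Strings are compared through their UTF-8 encoding.
     *
     * @param supplied password from the request
     * @param expected password the user is expected to present
     * @return {@code true} only if both are non-null and equal
     */
    private static boolean passwordMatches(String supplied, String expected) {
        if (supplied == null || expected == null) {
            return false;
        }
        byte[] suppliedBytes = supplied.getBytes(StandardCharsets.UTF_8);
        byte[] expectedBytes = expected.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(suppliedBytes, expectedBytes);
    }

    /** Records a failed REST login for {@code userName} with the given reason on the REST channel. */
    private void auditFailure(String userName, String reason) {
        this.securityHelper.auditLoginFailure(userName, reason, SchemaConstants.CHANNEL_REST_URI);
    }

    /** Aborts the request with 401 and the given {@code WWW-Authenticate} header value. */
    private static void abortUnauthorized(ContainerRequestContext ctx, String challenge) {
        ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).header(WWW_AUTHENTICATE_HEADER, challenge).build());
    }

    /** Aborts the request with 403 and no body. */
    private static void abortForbidden(ContainerRequestContext ctx) {
        ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
    }

    /** Response filtering is intentionally a no-op. */
    @Override
    public void filter(ContainerRequestContext containerRequestContext, ContainerResponseContext containerResponseContext)
            throws IOException {
    }

    /** Delegates to {@link #handleRequest} with the current CXF message. */
    @Override
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        handleRequest(JAXRSUtils.getCurrentMessage(), containerRequestContext);
    }
}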
