package com.evolveum.midpoint.web.security;

import com.evolveum.midpoint.prism.crypto.EncryptionException;
import com.evolveum.midpoint.prism.crypto.Protector;
import com.evolveum.midpoint.security.api.Authorization;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.security.api.UserProfileService;
import com.evolveum.midpoint.util.MiscUtil;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.LoginEventType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordType;
import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.sql.Date;
import java.util.Calendar;
import java.util.Collection;
import javax.servlet.http.HttpServletRequest;
import javax.xml.datatype.XMLGregorianCalendar;
import org.apache.commons.lang.StringUtils;
import org.apache.wicket.request.cycle.RequestCycle;
import org.apache.wicket.request.http.WebRequest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/* loaded from: input_file:WEB-INF/classes/com/evolveum/midpoint/web/security/MidPointAuthenticationProvider.class */
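/**
 * Spring Security {@link AuthenticationProvider} that authenticates midPoint users.
 *
 * <p>Two token types are accepted (see {@link #supports(Class)}): a
 * {@link UsernamePasswordAuthenticationToken}, whose credentials are compared against the
 * user's stored password, and a {@link PreAuthenticatedAuthenticationToken}, which is trusted
 * as-is once the principal can be loaded. Password verification works by decrypting the stored
 * {@link ProtectedStringType} through the {@link Protector} (or reading its clear value, with a
 * warning) and comparing it with the supplied password, so the stored value is reversible, not a
 * one-way hash. Failed attempts are counted on the user's {@link PasswordType} and, once
 * {@code maxFailedLogins} is reached, the account is refused for {@code loginTimeout} minutes
 * measured from the last recorded failure.
 *
 * <p>Note for reviewers: an unknown user and a wrong password are rejected with different
 * message keys ({@code web.security.provider.access.denied} vs.
 * {@code web.security.provider.invalid}); whether the UI surfaces that difference to the
 * client is decided outside this class. The failed-login counter is read and written without any
 * locking, so concurrent attempts against one account may lose increments.
 */
public class MidPointAuthenticationProvider implements AuthenticationProvider {
    private static final Trace LOGGER = TraceManager.getTrace(MidPointAuthenticationProvider.class);

    @Autowired(required = true)
    private transient UserProfileService userProfileService;

    @Autowired(required = true)
    private transient Protector protector;
    // Lockout duration in minutes, counted from the last failed login; 0 means the lockout
    // window has already expired, i.e. no timed lockout is ever in effect.
    private int loginTimeout;
    // Number of failed logins at which the timed lockout starts; 0 disables the check.
    private int maxFailedLogins;

    /**
     * Sets the lockout duration in minutes. Negative values are clamped to 0.
     *
     * @param i lockout duration in minutes
     */
    public void setLoginTimeout(int i) {
        this.loginTimeout = Math.max(i, 0);
    }

    /**
     * Sets the failed-login threshold that triggers the lockout. Negative values are clamped to 0.
     *
     * @param i number of consecutive failed logins that locks the account
     */
    public void setMaxFailedLogins(int i) {
        this.maxFailedLogins = Math.max(i, 0);
    }

    /**
     * Authenticates the given token.
     *
     * @param authentication token whose principal is the username (cast to {@link String})
     * @return a fully authenticated token carrying the {@link MidPointPrincipal} and its authorities
     * @throws BadCredentialsException when the username is blank, the user does not exist, or the
     *         credentials are rejected; the message is a message key, not free text
     * @throws AuthenticationServiceException when the user cannot be loaded or verified for any
     *         other reason (e.g. repository or decryption failure)
     */
    @Override // org.springframework.security.authentication.AuthenticationProvider
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = (String) authentication.getPrincipal();
        if (StringUtils.isBlank(username)) {
            throw new BadCredentialsException("web.security.provider.invalid");
        }
        try {
            MidPointPrincipal principal = this.userProfileService.getPrincipal(username);
            try {
                Authentication authenticated = authenticateUser(principal, authentication);
                LOGGER.debug("User '{}' authenticated ({}), authorities: {}", username,
                        authentication.getClass().getSimpleName(), principal.getAuthorities());
                return authenticated;
            } catch (BadCredentialsException e) {
                // The username placeholder must receive the username, not the exception message.
                LOGGER.debug("Authentication of user with username '{}' failed: bad credentials: {}",
                        username, e.getMessage(), e);
                throw e;
            } catch (Exception e2) {
                // Any unexpected failure (including runtime exceptions from the verification
                // path) is reported as a service problem, never as a credentials problem.
                LOGGER.error("Can't authenticate user '{}': {}", username, e2.getMessage(), e2);
                throw new AuthenticationServiceException("web.security.provider.unavailable");
            }
        } catch (ObjectNotFoundException e3) {
            LOGGER.debug("Authentication of user with username '{}' failed: not found: {}",
                    username, e3.getMessage(), e3);
            throw new BadCredentialsException("web.security.provider.access.denied");
        } catch (Exception e4) {
            LOGGER.error("Can't get user with username '{}'. Unknown error occured, reason {}.",
                    username, e4.getMessage(), e4);
            throw new AuthenticationServiceException("web.security.provider.unavailable");
        }
    }

    /**
     * @return {@code true} for exactly {@link UsernamePasswordAuthenticationToken} and
     *         {@link PreAuthenticatedAuthenticationToken} (subclasses are not accepted)
     */
    @Override // org.springframework.security.authentication.AuthenticationProvider
    public boolean supports(Class<? extends Object> cls) {
        return UsernamePasswordAuthenticationToken.class.equals(cls)
                || PreAuthenticatedAuthenticationToken.class.equals(cls);
    }

    // Dispatches on the token type; a pre-authenticated token is accepted without any check
    // beyond the principal having been loaded by the caller.
    private Authentication authenticateUser(MidPointPrincipal midPointPrincipal, Authentication authentication) {
        if (authentication instanceof UsernamePasswordAuthenticationToken) {
            return authenticateUserPassword(midPointPrincipal, (String) authentication.getCredentials());
        }
        if (authentication instanceof PreAuthenticatedAuthenticationToken) {
            return new PreAuthenticatedAuthenticationToken(midPointPrincipal, null, midPointPrincipal.getAuthorities());
        }
        throw new AuthenticationServiceException("web.security.provider.unavailable");
    }

    /**
     * Verifies a supplied password against the principal's stored password and records the outcome
     * on the user's {@link PasswordType} (failed-login counter, last failed / last successful login).
     *
     * @param midPointPrincipal loaded principal; must carry a user with credentials
     * @param str supplied clear-text password
     * @return an authenticated {@link UsernamePasswordAuthenticationToken}; note that it still
     *         carries {@code str} as credentials, so credential erasure is left to the caller
     * @throws BadCredentialsException with a message key describing the rejection
     * @throws AuthenticationServiceException when the stored password cannot be decrypted
     */
    private Authentication authenticateUserPassword(MidPointPrincipal midPointPrincipal, String str) throws BadCredentialsException {
        if (StringUtils.isBlank(str)) {
            throw new BadCredentialsException("web.security.provider.access.denied");
        }
        if (midPointPrincipal == null || midPointPrincipal.getUser() == null
                || midPointPrincipal.getUser().getCredentials() == null) {
            throw new BadCredentialsException("web.security.provider.invalid");
        }
        if (!midPointPrincipal.isEnabled()) {
            throw new BadCredentialsException("web.security.provider.disabled");
        }
        PasswordType password = midPointPrincipal.getUser().getCredentials().getPassword();
        if (password == null) {
            // No password set at all: same outcome as a missing value below.
            throw new BadCredentialsException("web.security.provider.password.bad");
        }
        int failedLogins = password.getFailedLogins() != null ? password.getFailedLogins().intValue() : 0;
        if (isLockedOut(password, failedLogins)) {
            throw new BadCredentialsException("web.security.provider.locked");
        }
        ProtectedStringType value = password.getValue();
        if (value == null) {
            throw new BadCredentialsException("web.security.provider.password.bad");
        }
        requireAuthorizations(midPointPrincipal);
        try {
            String clearValue;
            if (value.getEncryptedDataType() != null) {
                clearValue = this.protector.decryptString(value);
            } else {
                LOGGER.warn("Authenticating user based on clear value. Please check objects, this should not happen. Protected string should be encrypted.");
                clearValue = value.getClearValue();
            }
            if (!passwordMatches(str, clearValue)) {
                recordFailedLogin(midPointPrincipal, password, failedLogins);
                throw new BadCredentialsException("web.security.provider.invalid");
            }
            recordSuccessfulLogin(midPointPrincipal, password, failedLogins);
            return new UsernamePasswordAuthenticationToken(midPointPrincipal, str, midPointPrincipal.getAuthorities());
        } catch (EncryptionException e) {
            throw new AuthenticationServiceException("web.security.provider.unavailable", e);
        }
    }

    // Decides whether the timed lockout is in effect: the threshold has been reached and
    // loginTimeout minutes have not yet elapsed since the last recorded failure.
    private boolean isLockedOut(PasswordType password, int failedLogins) {
        if (this.maxFailedLogins <= 0 || failedLogins < this.maxFailedLogins) {
            return false;
        }
        LoginEventType lastFailed = password.getLastFailedLogin();
        if (lastFailed == null || lastFailed.getTimestamp() == null) {
            // Counter is at the threshold but the failure timestamp is missing, so the start of
            // the lockout is unknown; fail closed instead of dereferencing null.
            return true;
        }
        Calendar lockEnd = Calendar.getInstance();
        lockEnd.setTimeInMillis(MiscUtil.asDate(lastFailed.getTimestamp()).getTime());
        lockEnd.add(Calendar.MINUTE, this.loginTimeout);
        return lockEnd.getTimeInMillis() > System.currentTimeMillis();
    }

    // A user with no authorizations, or with an authorization that grants no action, is refused
    // even if the password is correct.
    private static void requireAuthorizations(MidPointPrincipal midPointPrincipal) {
        Collection<Authorization> authorities = midPointPrincipal.getAuthorities();
        if (authorities == null || authorities.isEmpty()) {
            throw new BadCredentialsException("web.security.provider.access.denied");
        }
        for (Authorization authorization : authorities) {
            if (authorization.getAction() == null || authorization.getAction().isEmpty()) {
                throw new BadCredentialsException("web.security.provider.access.denied");
            }
        }
    }

    // Constant-time comparison so the response time does not depend on how many leading
    // characters of the supplied password were correct. A missing stored value never matches.
    private static boolean passwordMatches(String supplied, String stored) {
        if (stored == null) {
            return false;
        }
        return MessageDigest.isEqual(
                supplied.getBytes(StandardCharsets.UTF_8),
                stored.getBytes(StandardCharsets.UTF_8));
    }

    // Increments the failed-login counter, stamps the failure with time and origin, and persists
    // the user. Persistence errors propagate to the caller.
    private void recordFailedLogin(MidPointPrincipal midPointPrincipal, PasswordType password, int failedLogins) {
        password.setFailedLogins(Integer.valueOf(failedLogins + 1));
        password.setLastFailedLogin(newLoginEvent());
        this.userProfileService.updateUser(midPointPrincipal);
    }

    // Resets the failed-login counter (only when it was non-zero), rotates the successful-login
    // history, and persists the user. Persistence errors propagate to the caller.
    private void recordSuccessfulLogin(MidPointPrincipal midPointPrincipal, PasswordType password, int failedLogins) {
        if (failedLogins > 0) {
            password.setFailedLogins(0);
        }
        password.setPreviousSuccessfulLogin(password.getLastSuccessfulLogin());
        password.setLastSuccessfulLogin(newLoginEvent());
        this.userProfileService.updateUser(midPointPrincipal);
    }

    // Builds a login event stamped with the current time and the remote host of the current request.
    private static LoginEventType newLoginEvent() {
        LoginEventType event = new LoginEventType();
        event.setTimestamp(MiscUtil.asXMLGregorianCalendar(new Date(System.currentTimeMillis())));
        event.setFrom(getRemoteHost());
        return event;
    }

    /**
     * Returns the remote host of the current Wicket request, for recording in login events.
     *
     * <p>When the remote host equals the server's own local address (a loopback request), the
     * machine's host address is recorded instead; if that lookup fails, the original value is kept.
     * Only the servlet container's view of the connection is used, so behind a reverse proxy this
     * is presumably the proxy address, not the client's — confirm against the deployment.
     *
     * @return remote host name or address as reported by the servlet request
     */
    public static String getRemoteHost() {
        HttpServletRequest httpServletRequest =
                (HttpServletRequest) ((WebRequest) RequestCycle.get().getRequest()).getContainerRequest();
        String remoteHost = httpServletRequest.getRemoteHost();
        if (remoteHost != null && remoteHost.equals(httpServletRequest.getLocalAddr())) {
            try {
                remoteHost = InetAddress.getLocalHost().getHostAddress();
            } catch (UnknownHostException e) {
                LOGGER.error("Can't get local host: " + e.getMessage());
            }
        }
        return remoteHost;
    }
}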
