package com.evolveum.midpoint.model.impl.lens.projector;

import com.evolveum.midpoint.common.refinery.RefinedObjectClassDefinition;
import com.evolveum.midpoint.model.api.PolicyViolationException;
import com.evolveum.midpoint.model.api.context.SynchronizationPolicyDecision;
import com.evolveum.midpoint.model.common.expression.Source;
import com.evolveum.midpoint.model.common.expression.StringPolicyResolver;
import com.evolveum.midpoint.model.common.mapping.Mapping;
import com.evolveum.midpoint.model.common.mapping.MappingFactory;
import com.evolveum.midpoint.model.impl.lens.LensContext;
import com.evolveum.midpoint.model.impl.lens.LensFocusContext;
import com.evolveum.midpoint.model.impl.lens.LensProjectionContext;
import com.evolveum.midpoint.model.impl.lens.LensUtil;
import com.evolveum.midpoint.model.impl.util.Utils;
import com.evolveum.midpoint.prism.Item;
import com.evolveum.midpoint.prism.ItemDefinition;
import com.evolveum.midpoint.prism.OriginType;
import com.evolveum.midpoint.prism.PrismContainer;
import com.evolveum.midpoint.prism.PrismContainerValue;
import com.evolveum.midpoint.prism.PrismContext;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.PrismValue;
import com.evolveum.midpoint.prism.delta.ChangeType;
import com.evolveum.midpoint.prism.delta.ContainerDelta;
import com.evolveum.midpoint.prism.delta.ItemDelta;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.delta.PartiallyResolvedDelta;
import com.evolveum.midpoint.prism.delta.PrismValueDeltaSetTriple;
import com.evolveum.midpoint.prism.delta.PropertyDelta;
import com.evolveum.midpoint.prism.delta.builder.DeltaBuilder;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.schema.ResourceShadowDiscriminator;
import com.evolveum.midpoint.schema.constants.ExpressionConstants;
import com.evolveum.midpoint.schema.constants.SchemaConstants;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractCredentialType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.MappingStrengthType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.MappingType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordHistoryEntryType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.StringPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ValuePolicyType;
import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.Iterator;
import java.util.List;
import javax.xml.datatype.XMLGregorianCalendar;
import javax.xml.namespace.QName;
import org.apache.commons.lang.Validate;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

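/**
 * Projector component that handles credentials (currently only the password) of the focus and of
 * its projections.
 *
 * <p>For the focus it adds credential metadata deltas, maintains the password history of users
 * and then delegates to {@link PasswordPolicyProcessor}. For a projection it evaluates the
 * outbound password mapping of the resource object class and turns the result into a secondary
 * REPLACE delta on the shadow password value, again followed by the password policy check.
 *
 * <p>This source was recovered by a decompiler (JADX); local names and some raw types are
 * decompiler output rather than the authors' original code.
 */
@Component
/* loaded from: input_file:WEB-INF/lib/model-impl-3.4.2-SNAPSHOT.jar:com/evolveum/midpoint/model/impl/lens/projector/CredentialsProcessor.class */
public class CredentialsProcessor {
    private static final Trace LOGGER = TraceManager.getTrace(CredentialsProcessor.class);

    @Autowired
    private PrismContext prismContext;

    @Autowired
    private MappingFactory mappingFactory;

    @Autowired
    private MappingEvaluator mappingEvaluator;

    @Autowired
    private PasswordPolicyProcessor passwordPolicyProcessor;

    /**
     * Processes all focus credentials; at present this means the password only.
     *
     * @param lensContext lens context holding the focus being processed
     * @param xMLGregorianCalendar timestamp used for metadata and password history entries
     * @param task task on whose behalf the operation runs
     * @param operationResult parent operation result
     * @throws PolicyViolationException propagated from the password policy check
     */
    public <F extends FocusType> void processFocusCredentials(LensContext<F> lensContext, XMLGregorianCalendar xMLGregorianCalendar, Task task, OperationResult operationResult) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, PolicyViolationException {
        processFocusPassword(lensContext, xMLGregorianCalendar, task, operationResult);
    }

    /**
     * Runs the common credential processing for the {@code credentials/password} container of the
     * focus and then validates the focus against the password policy.
     */
    private <F extends FocusType> void processFocusPassword(LensContext<F> lensContext, XMLGregorianCalendar xMLGregorianCalendar, Task task, OperationResult operationResult) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, PolicyViolationException {
        LensFocusContext<F> focusContext = lensContext.getFocusContext();
        ItemPath passwordContainerPath = new ItemPath(UserType.F_CREDENTIALS, CredentialsType.F_PASSWORD);
        processFocusCredentialsCommon(lensContext, passwordContainerPath, xMLGregorianCalendar, task, operationResult);
        this.passwordPolicyProcessor.processPasswordPolicy(focusContext, lensContext, task, operationResult);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Processes the credentials of one projection.
     *
     * <p>The outbound password mapping is evaluated only when a focus context exists and its
     * object type is a {@link FocusType}. The password policy check on the projection runs in
     * every case, so a projection password is validated even when no mapping was evaluated.
     *
     * @param lensContext lens context of the whole operation
     * @param lensProjectionContext projection whose credentials are processed
     * @param xMLGregorianCalendar current timestamp of the projector run
     * @param task task on whose behalf the operation runs
     * @param operationResult parent operation result
     * @throws PolicyViolationException propagated from the password policy check
     */
    public <F extends ObjectType> void processProjectionCredentials(LensContext<F> lensContext, LensProjectionContext lensProjectionContext, XMLGregorianCalendar xMLGregorianCalendar, Task task, OperationResult operationResult) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, PolicyViolationException {
        LensFocusContext<F> focusContext = lensContext.getFocusContext();
        if (focusContext != null && FocusType.class.isAssignableFrom(focusContext.getObjectTypeClass())) {
            processProjectionPassword(lensContext, lensProjectionContext, xMLGregorianCalendar, task, operationResult);
        }
        this.passwordPolicyProcessor.processPasswordPolicy(lensProjectionContext, lensContext, task, operationResult);
    }

    /* JADX WARN: Multi-variable type inference failed */
    /**
     * Evaluates the outbound password mapping of the projection and, when it yields a change,
     * swallows a REPLACE delta for the shadow password value into the projection's secondary delta.
     *
     * <p>Processing is skipped (with a trace message) when there is no new focus object, no
     * refined object class definition, no outbound password mapping, when the mapping is weak and
     * a password delta already exists, when the mapping does not apply to the current channel, or
     * when the mapping produces no output or no change.
     *
     * @throws SchemaException if an existing password delta on the projection adds or deletes
     *     values instead of replacing them
     */
    private <F extends FocusType> void processProjectionPassword(LensContext<F> lensContext, final LensProjectionContext lensProjectionContext, XMLGregorianCalendar xMLGregorianCalendar, Task task, OperationResult operationResult) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException {
        LensFocusContext<F> focusContext = lensContext.getFocusContext();
        if (focusContext.getObjectNew() == null) {
            LOGGER.trace("userNew is null, skipping credentials processing");
            return;
        }
        ItemDefinition passwordValueDefinition = this.prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(ShadowType.class).findPropertyDefinition(SchemaConstants.PATH_PASSWORD_VALUE);
        ResourceShadowDiscriminator resourceShadowDiscriminator = lensProjectionContext.getResourceShadowDiscriminator();
        RefinedObjectClassDefinition structuralObjectClassDefinition = lensProjectionContext.getStructuralObjectClassDefinition();
        if (structuralObjectClassDefinition == null) {
            LOGGER.trace("No RefinedObjectClassDefinition, therefore also no password outbound definition, skipping credentials processing for projection {}", resourceShadowDiscriminator);
            return;
        }
        MappingType passwordOutbound = structuralObjectClassDefinition.getPasswordOutbound();
        if (passwordOutbound == null) {
            LOGGER.trace("No outbound definition in password definition in credentials in account type {}, skipping credentials processing", resourceShadowDiscriminator);
            return;
        }

        // Only a MODIFY delta can carry an a priori password delta that competes with the mapping.
        ObjectDelta<ShadowType> delta = lensProjectionContext.getDelta();
        PropertyDelta<ProtectedStringType> aPrioriPasswordDelta = null;
        if (delta != null && delta.getChangeType() == ChangeType.MODIFY) {
            aPrioriPasswordDelta = delta.findPropertyDelta(SchemaConstants.PATH_PASSWORD_VALUE);
        }
        checkExistingDeltaSanity(lensProjectionContext, aPrioriPasswordDelta);
        if (passwordOutbound.getStrength() == MappingStrengthType.WEAK && aPrioriPasswordDelta != null) {
            LOGGER.trace("Outbound password is weak and a priori projection password delta exists; skipping credentials processing for {}", resourceShadowDiscriminator);
            return;
        }

        // Supplies the string policy of the projection's effective password policy to the mapping
        // (for example to a value generator); null when the projection has no effective policy.
        StringPolicyResolver stringPolicyResolver = new StringPolicyResolver() {
            @Override
            public void setOutputPath(ItemPath itemPath) {
            }

            @Override
            public void setOutputDefinition(ItemDefinition itemDefinition) {
            }

            @Override
            public StringPolicyType resolve() {
                ValuePolicyType effectivePasswordPolicy = lensProjectionContext.getEffectivePasswordPolicy();
                return effectivePasswordPolicy == null ? null : effectivePasswordPolicy.getStringPolicy();
            }
        };
        Mapping passwordMapping = this.mappingFactory.createMappingBuilder()
                .mappingType(passwordOutbound)
                .contextDescription("outbound password mapping in account type " + resourceShadowDiscriminator)
                .defaultTargetDefinition(passwordValueDefinition)
                .defaultSource(new Source<>(focusContext.getObjectDeltaObject().findIdi(SchemaConstants.PATH_PASSWORD_VALUE), ExpressionConstants.VAR_INPUT))
                .sourceContext(focusContext.getObjectDeltaObject())
                .originType(OriginType.OUTBOUND)
                .originObject(lensProjectionContext.getResource())
                .stringPolicyResolver(stringPolicyResolver)
                .addVariableDefinitions(Utils.getDefaultExpressionVariables(lensContext, lensProjectionContext).getMap())
                .build();
        if (!passwordMapping.isApplicableToChannel(lensContext.getChannel())) {
            return;
        }

        this.mappingEvaluator.evaluateMapping(passwordMapping, lensContext, task, operationResult);
        PrismValueDeltaSetTriple outputTriple = passwordMapping.getOutputTriple();
        if (outputTriple == null) {
            LOGGER.trace("Credentials 'password' expression resulted in null output triple, skipping credentials processing for {}", resourceShadowDiscriminator);
            return;
        }

        boolean projectionIsBeingAdded = delta != null && (delta.getChangeType() == ChangeType.ADD || lensProjectionContext.getSynchronizationPolicyDecision() == SynchronizationPolicyDecision.ADD);
        Collection newPasswordValues;
        if (outputTriple.hasPlusSet()) {
            // The mapping produced newly added values: those become the new password.
            newPasswordValues = outputTriple.getPlusSet();
        } else if (projectionIsBeingAdded) {
            // A projection that is being created takes every non-negative value.
            newPasswordValues = outputTriple.getNonNegativeValues();
        } else if (!outputTriple.hasMinusSet()) {
            LOGGER.trace("Credentials 'password' expression resulted in no change, skipping credentials processing for {}", resourceShadowDiscriminator);
            return;
        } else {
            // Only a minus set is present, i.e. the mapping removes the password. A weak mapping
            // must not do that; a stronger one replaces the value with the non-negative values.
            if (passwordMapping.getStrength() == MappingStrengthType.WEAK) {
                LOGGER.trace("Credentials 'password' expression resulting in password deletion but the mapping is weak: skipping credentials processing for {}", resourceShadowDiscriminator);
                return;
            }
            newPasswordValues = outputTriple.getNonNegativeValues();
        }
        assert newPasswordValues != null;

        ItemDelta<?, ?> passwordDelta = DeltaBuilder.deltaFor(ShadowType.class, this.prismContext).item(SchemaConstants.PATH_PASSWORD_VALUE).replace((Collection<? extends PrismValue>) newPasswordValues).asItemDelta();
        // Only the discriminator is logged here, never the password value itself.
        LOGGER.trace("Adding new password delta for account {}", resourceShadowDiscriminator);
        lensProjectionContext.swallowToSecondaryDelta(passwordDelta);
    }

    /**
     * Rejects an existing projection password delta that adds or deletes values; a projection
     * password may only be replaced. A {@code null} delta is accepted.
     *
     * @throws SchemaException if the delta has values to add or to delete
     */
    private void checkExistingDeltaSanity(LensProjectionContext lensProjectionContext, PropertyDelta<ProtectedStringType> propertyDelta) throws SchemaException {
        if (propertyDelta != null && (propertyDelta.isAdd() || propertyDelta.isDelete())) {
            throw new SchemaException("Password for projection " + lensProjectionContext.getResourceShadowDiscriminator() + " cannot be added or deleted, it can only be replaced");
        }
    }

    /**
     * Adds metadata deltas for a credential container of the focus and then updates the password
     * history.
     *
     * <p>On focus ADD every value of the container is examined; on MODIFY the values added or
     * replaced by a container delta are examined, or, when there is no container delta but a value
     * item below the container changes, "modify" metadata deltas are swallowed instead.
     *
     * <p>NOTE(review): password history processing runs for every non-delete operation, not only
     * when the password value changes. Confirm that one history entry per projector run is
     * intended, since repeated entries for the same password would displace older ones.
     *
     * @param itemPath path of the credential container, e.g. {@code credentials/password}
     */
    private <F extends FocusType> void processFocusCredentialsCommon(LensContext<F> lensContext, ItemPath itemPath, XMLGregorianCalendar xMLGregorianCalendar, Task task, OperationResult operationResult) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException {
        LensFocusContext<F> focusContext = lensContext.getFocusContext();
        PrismObject<F> objectAny = focusContext.getObjectAny();
        if (focusContext.isAdd()) {
            Item credentialContainer = objectAny.findContainer(itemPath);
            if (credentialContainer != null) {
                for (Object value : credentialContainer.getValues()) {
                    processCredentialsCommonAdd(objectAny, lensContext, itemPath, (PrismContainerValue) value, xMLGregorianCalendar, task, operationResult);
                }
            }
        } else if (focusContext.isModify()) {
            ObjectDelta<F> delta = focusContext.getDelta();
            ItemDelta credentialContainerDelta = delta.findContainerDelta(itemPath);
            if (credentialContainerDelta != null) {
                if (credentialContainerDelta.isAdd()) {
                    for (Object value : credentialContainerDelta.getValuesToAdd()) {
                        processCredentialsCommonAdd(objectAny, lensContext, itemPath, (PrismContainerValue) value, xMLGregorianCalendar, task, operationResult);
                    }
                }
                if (credentialContainerDelta.isReplace()) {
                    for (Object value : credentialContainerDelta.getValuesToReplace()) {
                        processCredentialsCommonAdd(objectAny, lensContext, itemPath, (PrismContainerValue) value, xMLGregorianCalendar, task, operationResult);
                    }
                }
            } else if (hasValueDelta(delta, itemPath)) {
                // The credential value itself changes through a sub-item delta: record who/when.
                for (ItemDelta<?, ?> metadataDelta : LensUtil.createModifyMetadataDeltas(lensContext, itemPath.subPath(AbstractCredentialType.F_METADATA), focusContext.getObjectDefinition(), xMLGregorianCalendar, task)) {
                    lensContext.getFocusContext().swallowToSecondaryDelta(metadataDelta);
                }
            }
        }
        if (focusContext.isDelete()) {
            return;
        }
        processPasswordHistoryDeltas(objectAny, lensContext, xMLGregorianCalendar, task, operationResult);
    }

    /**
     * Returns the password history length from the focus' password policy, or 0 when no policy,
     * no lifetime section or no history length is defined.
     *
     * <p>The policy is taken from the focus context when already set there; otherwise it is
     * determined through {@link PasswordPolicyProcessor} and stored back into the focus context.
     */
    private <F extends FocusType> int getMaxPasswordsToSave(LensFocusContext<F> lensFocusContext, LensContext<F> lensContext, Task task, OperationResult operationResult) throws SchemaException {
        ValuePolicyType passwordPolicy = lensFocusContext.getOrgPasswordPolicy();
        if (passwordPolicy == null) {
            passwordPolicy = this.passwordPolicyProcessor.determineValuePolicy(lensFocusContext.getDelta(), lensFocusContext.getObjectAny(), lensContext, task, operationResult);
            lensFocusContext.setOrgPasswordPolicy(passwordPolicy);
        }
        if (passwordPolicy == null || passwordPolicy.getLifetime() == null || passwordPolicy.getLifetime().getPasswordHistoryLength() == null) {
            return 0;
        }
        return passwordPolicy.getLifetime().getPasswordHistoryLength().intValue();
    }

    /**
     * Tells whether the object delta modifies a value item (see {@link #isValueElement(QName)})
     * somewhere below the given credential container path.
     *
     * <p>NOTE(review): at TRACE level this dumps every partial delta found under the credentials
     * path. Confirm that {@code debugDump()} does not render protected values in clear before
     * TRACE is enabled for this class outside a test environment.
     *
     * @return {@code false} for a {@code null} delta or when only non-value items are touched
     */
    private <F extends FocusType> boolean hasValueDelta(ObjectDelta<F> objectDelta, ItemPath itemPath) {
        if (objectDelta == null) {
            return false;
        }
        for (Object candidate : objectDelta.findPartial(itemPath)) {
            PartiallyResolvedDelta partiallyResolvedDelta = (PartiallyResolvedDelta) candidate;
            LOGGER.trace("Residual delta:\n{}", partiallyResolvedDelta.debugDump());
            ItemPath residualPath = partiallyResolvedDelta.getResidualPath();
            if (residualPath == null || residualPath.isEmpty()) {
                continue;
            }
            LOGGER.trace("PATH: {}", residualPath);
            QName firstName = ItemPath.getFirstName(residualPath);
            LOGGER.trace("NAME: {}", firstName);
            if (isValueElement(firstName)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Swallows an ADD delta with freshly created "create" metadata for a credential container
     * value that carries a value item but no metadata of its own. Values without a value item, or
     * with metadata already present, are left alone.
     *
     * <p>NOTE(review): the delta is created for {@code UserType.class} regardless of the actual
     * focus type {@code F}; verify this against callers that process other focus types.
     */
    private <F extends FocusType> void processCredentialsCommonAdd(PrismObject<F> prismObject, LensContext<F> lensContext, ItemPath itemPath, PrismContainerValue<AbstractCredentialType> prismContainerValue, XMLGregorianCalendar xMLGregorianCalendar, Task task, OperationResult operationResult) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException {
        if (!hasValueChange(prismContainerValue) || hasMetadata(prismContainerValue)) {
            return;
        }
        lensContext.getFocusContext().swallowToSecondaryDelta(ContainerDelta.createModificationAdd(itemPath.subPath(AbstractCredentialType.F_METADATA), UserType.class, this.prismContext, LensUtil.createCreateMetadata(lensContext, xMLGregorianCalendar, task)));
    }

    /**
     * Maintains the password history of a user: trims the oldest entries down to the length
     * allowed by the password policy and, when history is enabled (length &gt; 0), records the
     * current password as a new history entry.
     *
     * <p>Nothing is done for focus objects other than {@link UserType} or for users without a
     * password container. When the allowed length is 0 all existing entries are scheduled for
     * deletion and no new entry is written.
     *
     * @throws IllegalArgumentException if {@code prismObject} is {@code null}
     */
    private <F extends FocusType> void processPasswordHistoryDeltas(PrismObject<F> prismObject, LensContext<F> lensContext, XMLGregorianCalendar xMLGregorianCalendar, Task task, OperationResult operationResult) throws SchemaException {
        Validate.notNull(prismObject, "Focus object must not be null");
        if (!prismObject.getCompileTimeClass().equals(UserType.class)) {
            return;
        }
        PrismContainer<PasswordType> passwordContainer = prismObject.findContainer(new ItemPath(UserType.F_CREDENTIALS, CredentialsType.F_PASSWORD));
        if (passwordContainer == null || passwordContainer.isEmpty()) {
            return;
        }
        PrismContainer<PasswordHistoryEntryType> historyContainer = passwordContainer.findOrCreateContainer(PasswordType.F_HISTORY_ENTRY);
        int maxPasswordsToSave = getMaxPasswordsToSave(lensContext.getFocusContext(), lensContext, task, operationResult);
        createDeleteHistoryDeltasIfNeeded(getSortedHistoryList(historyContainer), maxPasswordsToSave, lensContext, task, operationResult);
        if (maxPasswordsToSave > 0) {
            createAddHistoryDelta(lensContext, passwordContainer, xMLGregorianCalendar);
        }
    }

    /**
     * Swallows an ADD delta for a new password history entry that copies the value and metadata of
     * the current password and is stamped with the supplied change time.
     *
     * <p>The history entry receives the password value object exactly as it is held in the
     * password container, so history entries are protected only as well as the live credential.
     * NOTE(review): confirm the storage form of that value (encrypted or hashed) satisfies the
     * deployment's requirements for retained old passwords.
     */
    private <F extends FocusType> void createAddHistoryDelta(LensContext<F> lensContext, PrismContainer<PasswordType> prismContainer, XMLGregorianCalendar xMLGregorianCalendar) throws SchemaException {
        PasswordType currentPassword = prismContainer.getValue().asContainerable();
        PasswordHistoryEntryType historyEntry = (PasswordHistoryEntryType) prismContainer.getDefinition().findContainerDefinition(PasswordType.F_HISTORY_ENTRY).instantiate().createNewValue().asContainerable();
        historyEntry.setValue(currentPassword.getValue());
        historyEntry.setMetadata(currentPassword.getMetadata());
        historyEntry.setChangeTimestamp(xMLGregorianCalendar);
        // m1565clone() is the decompiler's name for the entry's clone method; kept as emitted.
        lensContext.getFocusContext().swallowToSecondaryDelta(ContainerDelta.createModificationAdd(new ItemPath(UserType.F_CREDENTIALS, CredentialsType.F_PASSWORD, PasswordType.F_HISTORY_ENTRY), UserType.class, this.prismContext, historyEntry.m1565clone()));
    }

    /**
     * Swallows DELETE deltas for the oldest password history entries so that the stored history
     * respects the configured length.
     *
     * <p>With a positive limit, {@code size - limit + 1} entries are deleted when the history
     * holds at least {@code limit} entries; the extra one presumably makes room for the entry
     * added in the same projector run. With a limit of zero or less every stored entry is deleted.
     * The previous loop bound ran one past the end of the list in that case and threw
     * {@link IndexOutOfBoundsException}, so old passwords could never be purged once history had
     * been switched off.
     *
     * @param sortedHistory history entries ordered from oldest to newest
     * @param maxPasswordsToSave history length allowed by the password policy
     */
    private <F extends FocusType> void createDeleteHistoryDeltasIfNeeded(List<PasswordHistoryEntryType> sortedHistory, int maxPasswordsToSave, LensContext<F> lensContext, Task task, OperationResult operationResult) throws SchemaException {
        int storedEntries = sortedHistory.size();
        int entriesToDelete;
        if (maxPasswordsToSave <= 0) {
            entriesToDelete = storedEntries;
        } else {
            // Never exceeds storedEntries because maxPasswordsToSave is at least 1 here; it is
            // zero or negative when the history is still shorter than the limit.
            entriesToDelete = storedEntries - maxPasswordsToSave + 1;
        }
        for (int index = 0; index < entriesToDelete; index++) {
            lensContext.getFocusContext().swallowToSecondaryDelta(ContainerDelta.createModificationDelete(new ItemPath(UserType.F_CREDENTIALS, CredentialsType.F_PASSWORD, PasswordType.F_HISTORY_ENTRY), UserType.class, this.prismContext, sortedHistory.get(index).m1565clone()));
        }
    }

    /**
     * Returns the history entries of the container sorted by change timestamp in ascending order,
     * or an empty list for an empty container.
     *
     * <p>NOTE(review): an entry without a change timestamp makes the comparator throw
     * {@link NullPointerException}, and {@code XMLGregorianCalendar.compare} can return
     * {@code DatatypeConstants.INDETERMINATE} for partially specified values, which is not a valid
     * comparator result. Confirm that stored entries always carry a complete timestamp.
     */
    private List<PasswordHistoryEntryType> getSortedHistoryList(PrismContainer<PasswordHistoryEntryType> prismContainer) {
        if (prismContainer.isEmpty()) {
            return new ArrayList<>();
        }
        List<PasswordHistoryEntryType> historyEntries = PrismContainerValue.fromPcvList(prismContainer.getValues());
        Collections.sort(historyEntries, new Comparator<PasswordHistoryEntryType>() {
            @Override
            public int compare(PasswordHistoryEntryType first, PasswordHistoryEntryType second) {
                return first.getChangeTimestamp().compare(second.getChangeTimestamp());
            }
        });
        return historyEntries;
    }

    /**
     * Tells whether the credential container value holds at least one value item, i.e. an item
     * other than login bookkeeping and metadata.
     */
    private boolean hasValueChange(PrismContainerValue<AbstractCredentialType> prismContainerValue) {
        for (Item<?, ?> item : prismContainerValue.getItems()) {
            if (isValueElement(item.getElementName())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Tells whether the element name denotes an actual credential value: everything except the
     * failed-login counter, the last failed / last successful / previous successful login records
     * and the metadata container.
     */
    private boolean isValueElement(QName qName) {
        return !(qName.equals(AbstractCredentialType.F_FAILED_LOGINS)
                || qName.equals(AbstractCredentialType.F_LAST_FAILED_LOGIN)
                || qName.equals(AbstractCredentialType.F_LAST_SUCCESSFUL_LOGIN)
                || qName.equals(AbstractCredentialType.F_METADATA)
                || qName.equals(AbstractCredentialType.F_PREVIOUS_SUCCESSFUL_LOGIN));
    }

    /** Tells whether the credential container value already contains a metadata item. */
    private boolean hasMetadata(PrismContainerValue<AbstractCredentialType> prismContainerValue) {
        for (Item<?, ?> item : prismContainerValue.getItems()) {
            if (item.getElementName().equals(AbstractCredentialType.F_METADATA)) {
                return true;
            }
        }
        return false;
    }
}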
