package com.evolveum.midpoint.model.impl.lens.projector;

import com.evolveum.midpoint.common.policy.PasswordPolicyUtils;
import com.evolveum.midpoint.model.api.PolicyViolationException;
import com.evolveum.midpoint.model.impl.ModelObjectResolver;
import com.evolveum.midpoint.model.impl.lens.LensContext;
import com.evolveum.midpoint.model.impl.lens.LensFocusContext;
import com.evolveum.midpoint.model.impl.lens.LensObjectDeltaOperation;
import com.evolveum.midpoint.model.impl.lens.LensProjectionContext;
import com.evolveum.midpoint.prism.Item;
import com.evolveum.midpoint.prism.PrismContainerValue;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.PrismProperty;
import com.evolveum.midpoint.prism.PrismReference;
import com.evolveum.midpoint.prism.PrismReferenceValue;
import com.evolveum.midpoint.prism.crypto.EncryptionException;
import com.evolveum.midpoint.prism.crypto.Protector;
import com.evolveum.midpoint.prism.delta.ChangeType;
import com.evolveum.midpoint.prism.delta.ItemDelta;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.delta.ReferenceDelta;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.schema.constants.SchemaConstants;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SystemException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordHistoryEntryType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ValuePolicyType;
import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

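@Component
/**
 * Projector component that checks a new password value against the applicable {@link ValuePolicyType}.
 * <p>
 * There are two entry points: one for the focus (user) delta and one for a projection (shadow) delta.
 * Both locate the password value in the delta, pick the policy to apply (the org policy cached on the
 * focus context, a policy found by walking the parent-org references, or the context's effective
 * policy) and delegate the actual check to {@link PasswordPolicyUtils#validatePassword}.
 * <p>
 * The check needs the cleartext of the new password and of the stored history entries, so both are
 * decrypted into {@code String}s here. Those values must never be logged or placed in exception
 * messages.
 */
public class PasswordPolicyProcessor {
    private static final Trace LOGGER = TraceManager.getTrace(PasswordPolicyProcessor.class);

    // Decrypts protected password values (the new value and the stored history entries).
    @Autowired(required = true)
    Protector protector;

    // Resolves parent-org references and password-policy references.
    @Autowired(required = true)
    ModelObjectResolver resolver;

    /**
     * Validates the password value carried by the focus (user) delta against the applicable policy.
     * <p>
     * Processing is skipped when the focus is not a {@link UserType}, when there is no delta, when the
     * user is being deleted, when an ADD delta carries no password and the addition was already
     * executed, or when a MODIFY delta does not touch the password value. The policy is taken from the
     * focus context if cached there, otherwise determined via
     * {@link #determineValuePolicy(ObjectDelta, PrismObject, LensContext, Task, OperationResult)}
     * and cached on the focus context.
     *
     * @param lensFocusContext focus context whose delta is inspected; also caches the org password policy
     * @param lensContext      lens context providing the effective (fallback) password policy
     * @param task             task used when resolving policy references
     * @param operationResult  result that receives validation messages
     * @throws PolicyViolationException if the new password does not satisfy the policy
     * @throws SchemaException          if delta inspection or reference resolution fails
     */
    public <F extends FocusType> void processPasswordPolicy(LensFocusContext<F> lensFocusContext, LensContext<F> lensContext, Task task, OperationResult operationResult) throws PolicyViolationException, SchemaException {
        if (!UserType.class.isAssignableFrom(lensFocusContext.getObjectTypeClass())) {
            LOGGER.trace("Skipping processing password policies because focus is not user");
            return;
        }
        ObjectDelta<F> focusDelta = lensFocusContext.getDelta();
        // Safe after the isAssignableFrom guard above: the focus is a user.
        @SuppressWarnings("unchecked")
        ObjectDelta<UserType> delta = (ObjectDelta<UserType>) focusDelta;
        if (delta == null) {
            LOGGER.trace("Skipping processing password policies. User delta not specified.");
            return;
        }
        if (delta.isDelete()) {
            LOGGER.trace("Skipping processing password policies. User will be deleted.");
            return;
        }
        PrismProperty<ProtectedStringType> passwordProperty = null;
        if (ChangeType.ADD == delta.getChangeType()) {
            PrismObject<UserType> objectToAdd = delta.getObjectToAdd();
            if (objectToAdd != null) {
                passwordProperty = objectToAdd.findProperty(SchemaConstants.PATH_PASSWORD_VALUE);
            }
            if (passwordProperty == null && wasExecuted(delta, lensFocusContext)) {
                LOGGER.trace("Skipping processing password policies. User addition was already executed.");
                return;
            }
        } else if (ChangeType.MODIFY == delta.getChangeType()) {
            ItemDelta passwordDelta = delta.findPropertyDelta(SchemaConstants.PATH_PASSWORD_VALUE);
            if (passwordDelta == null) {
                LOGGER.trace("Skipping processing password policies. User delta does not contain password change.");
                return;
            }
            // A pure deletion leaves no new value to validate; add, replace and mixed add/delete deltas do.
            if (passwordDelta.isAdd() || !passwordDelta.isDelete()) {
                passwordProperty = (PrismProperty) passwordDelta.getItemNewMatchingPath(null);
            }
        }
        ValuePolicyType passwordPolicy = lensFocusContext.getOrgPasswordPolicy();
        if (passwordPolicy == null) {
            passwordPolicy = determineValuePolicy(focusDelta, lensFocusContext.getObjectAny(), lensContext, task, operationResult);
            lensFocusContext.setOrgPasswordPolicy(passwordPolicy);
        }
        processPasswordPolicy(passwordPolicy, lensFocusContext.getObjectOld(), passwordProperty, operationResult);
    }

    /**
     * Runs the policy check for one password value.
     *
     * @param valuePolicyType policy to apply; {@code null} skips the check entirely
     * @param prismObject     old focus object supplying password history, may be {@code null}
     * @param prismProperty   property holding the new password, may be {@code null}
     * @param operationResult result that {@link PasswordPolicyUtils#validatePassword} writes failure reasons into
     * @throws PolicyViolationException if validation fails; the message appends the result's message
     * @throws SchemaException          if validation cannot be performed
     */
    private <F extends FocusType> void processPasswordPolicy(ValuePolicyType valuePolicyType, PrismObject<F> prismObject, PrismProperty<ProtectedStringType> prismProperty, OperationResult operationResult) throws PolicyViolationException, SchemaException {
        if (valuePolicyType == null) {
            LOGGER.trace("Skipping processing password policies. Password policy not specified.");
            return;
        }
        String newPassword = determinePasswordValue(prismProperty);
        List<String> oldPasswords = determineOldPasswordValues(prismObject);
        if (PasswordPolicyUtils.validatePassword(newPassword, oldPasswords, valuePolicyType, operationResult)) {
            return;
        }
        operationResult.computeStatus();
        throw new PolicyViolationException("Provided password does not satisfy password policies. " + operationResult.getMessage());
    }

    /**
     * Decrypts the stored password history entries of a user.
     *
     * @param prismObject focus object to read {@code credentials/password/historyEntry} from
     * @return cleartext history values, or {@code null} when the object is {@code null}, is not a
     *         {@link UserType}, or has no history entries
     * @throws SystemException if a history entry cannot be decrypted
     */
    private <F extends FocusType> List<String> determineOldPasswordValues(PrismObject<F> prismObject) {
        if (prismObject == null || !prismObject.getCompileTimeClass().equals(UserType.class)) {
            return null;
        }
        Item historyContainer = prismObject.findContainer(new ItemPath(UserType.F_CREDENTIALS, CredentialsType.F_PASSWORD, PasswordType.F_HISTORY_ENTRY));
        if (historyContainer == null || historyContainer.isEmpty()) {
            return null;
        }
        @SuppressWarnings("unchecked") // the container at this path holds PasswordHistoryEntryType values
        List<PasswordHistoryEntryType> historyEntries = PrismContainerValue.fromPcvList(historyContainer.getValues());
        List<String> oldPasswords = new ArrayList<>(historyEntries.size());
        for (PasswordHistoryEntryType entry : historyEntries) {
            try {
                oldPasswords.add(this.protector.decryptString(entry.getValue()));
            } catch (EncryptionException e) {
                throw new SystemException("Failed to process password for user: ", e);
            }
        }
        return oldPasswords;
    }

    /**
     * Tells whether an ADD of a user object has already been executed in this focus context.
     *
     * @param objectDelta      retained for signature compatibility; not consulted
     * @param lensFocusContext context whose executed deltas are scanned
     * @return {@code true} if an executed ADD delta with a {@link UserType} object exists
     */
    private <F extends FocusType> boolean wasExecuted(ObjectDelta<UserType> objectDelta, LensFocusContext<F> lensFocusContext) {
        for (LensObjectDeltaOperation<F> executed : lensFocusContext.getExecutedDeltas()) {
            ObjectDelta<F> executedDelta = executed.getObjectDelta();
            if (executedDelta.isAdd() && executedDelta.getObjectToAdd() != null && executedDelta.getObjectTypeClass().equals(UserType.class)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Picks the password policy for a focus: first from the parent-org change in the delta, then from
     * the object's existing parent orgs, finally from the lens context's effective password policy.
     *
     * @param objectDelta     focus delta, may be {@code null}
     * @param prismObject     focus object whose parent-org references are examined
     * @param lensContext     context providing the fallback effective policy
     * @param task            task used when resolving references
     * @param operationResult result for the resolution operations
     * @return the policy to apply, or {@code null} if none was found
     * @throws SchemaException if reference resolution fails
     */
    public <T extends ObjectType, F extends FocusType> ValuePolicyType determineValuePolicy(ObjectDelta<F> objectDelta, PrismObject<T> prismObject, LensContext<F> lensContext, Task task, OperationResult operationResult) throws SchemaException {
        ValuePolicyType policy = determineValuePolicy(objectDelta, task, operationResult);
        if (policy == null) {
            policy = determineValuePolicy(prismObject, task, operationResult);
        }
        if (policy == null) {
            policy = lensContext.getEffectivePasswordPolicy();
        }
        if (policy != null) {
            LOGGER.trace("Value policy {} will be user to check password.", policy.getName().getOrig());
        }
        return policy;
    }

    /**
     * Determines the password policy from a parent-org reference modification in the delta.
     * <p>
     * The referenced org's own {@code passwordPolicyRef} wins; otherwise the org's parents are walked
     * via {@link #determineValuePolicy(PrismObject, Task, OperationResult)}.
     *
     * @param objectDelta     focus delta to inspect, may be {@code null}
     * @param task            task used when resolving the policy reference
     * @param operationResult result for the resolution operations
     * @return the resolved policy, or {@code null} if the delta has no usable parent-org change
     * @throws SchemaException       if resolution fails
     * @throws IllegalStateException if the referenced org or policy does not exist
     */
    protected <F extends FocusType> ValuePolicyType determineValuePolicy(ObjectDelta<F> objectDelta, Task task, OperationResult operationResult) throws SchemaException {
        if (objectDelta == null) {
            return null;
        }
        ReferenceDelta parentOrgDelta = objectDelta.findReferenceModification(UserType.F_PARENT_ORG_REF);
        LOGGER.trace("Determining password policy from org delta.");
        if (parentOrgDelta == null) {
            return null;
        }
        PrismReferenceValue orgRef = parentOrgDelta.getAnyValue();
        if (orgRef == null) {
            return null;
        }
        try {
            PrismObject org = this.resolver.resolve(orgRef, "resolving parent org ref", null, null, operationResult);
            OrgType orgType = (OrgType) org.asObjectable();
            ValuePolicyType policy = null;
            ObjectReferenceType policyRef = orgType.getPasswordPolicyRef();
            if (policyRef != null) {
                LOGGER.trace("Org {} has specified password policy.", orgType);
                policy = (ValuePolicyType) this.resolver.resolve(policyRef, ValuePolicyType.class, null, "resolving password policy for organization", task, operationResult);
                LOGGER.trace("Resolved password policy {}", policy);
            }
            if (policy == null) {
                // No direct policy on the org: look at the org's own parents.
                policy = determineValuePolicy(org, task, operationResult);
            }
            return policy;
        } catch (ObjectNotFoundException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Determines the password policy from an object's parent-org references, recursing upwards.
     * <p>
     * All direct parents are resolved first; if more than one of them carries a policy, those policies
     * must share the same OID. Only when no direct parent has a policy are the parents' own parents
     * examined, in order, and the first policy found is returned.
     *
     * @param prismObject     object whose {@code parentOrgRef} values are followed
     * @param task            task used when resolving policy references
     * @param operationResult result for the resolution operations
     * @return the policy, or {@code null} if no ancestor org specifies one
     * @throws SchemaException       if resolution fails
     * @throws IllegalStateException if parents specify conflicting policies or a reference cannot be found
     */
    private ValuePolicyType determineValuePolicy(PrismObject<? extends ObjectType> prismObject, Task task, OperationResult operationResult) throws SchemaException {
        LOGGER.trace("Determining password policies from object: {}", ObjectTypeUtil.toShortString(prismObject));
        PrismReference parentOrgRef = prismObject.findReference(ObjectType.F_PARENT_ORG_REF);
        if (parentOrgRef == null) {
            return null;
        }
        ValuePolicyType policy = null;
        List<PrismObject<OrgType>> parentOrgs = new ArrayList<>();
        try {
            for (PrismReferenceValue orgRefValue : parentOrgRef.getValues()) {
                if (orgRefValue == null) {
                    continue;
                }
                PrismObject<OrgType> org = this.resolver.resolve(orgRefValue, "resolving parent org ref", null, null, operationResult);
                parentOrgs.add(org);
                ValuePolicyType orgPolicy = resolvePolicy(org, task, operationResult);
                if (orgPolicy == null) {
                    continue;
                }
                if (policy == null) {
                    policy = orgPolicy;
                } else if (!StringUtils.equals(orgPolicy.getOid(), policy.getOid())) {
                    throw new IllegalStateException("Found more than one policy while trying to validate user's password. Please check your configuration");
                }
            }
            if (policy == null) {
                for (PrismObject<OrgType> org : parentOrgs) {
                    policy = determineValuePolicy(org, task, operationResult);
                    if (policy != null) {
                        return policy;
                    }
                }
            }
            return policy;
        } catch (ObjectNotFoundException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Resolves the password policy directly referenced by an org.
     *
     * @param prismObject     org to read {@code passwordPolicyRef} from
     * @param task            task used for resolution
     * @param operationResult result for the resolution operation
     * @return the referenced policy, or {@code null} if the org references none
     * @throws SchemaException       if resolution fails
     * @throws IllegalStateException if the referenced policy does not exist; the cause is preserved,
     *                               so nothing is written to stderr here
     */
    private ValuePolicyType resolvePolicy(PrismObject<OrgType> prismObject, Task task, OperationResult operationResult) throws SchemaException {
        ObjectReferenceType policyRef = prismObject.asObjectable().getPasswordPolicyRef();
        if (policyRef == null) {
            return null;
        }
        try {
            return (ValuePolicyType) this.resolver.resolve(policyRef, ValuePolicyType.class, null, "resolving password policy for organization", task, operationResult);
        } catch (ObjectNotFoundException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Validates the password value carried by a projection (shadow) delta.
     * <p>
     * A shadow password may only be replaced: a MODIFY delta that adds or deletes password values is
     * rejected with a {@link SchemaException}. The policy is determined from the focus's parent orgs
     * when {@link #isCheckOrgPolicy} says so (and then cached on the focus context), otherwise the
     * projection's effective password policy is used.
     *
     * @param lensProjectionContext projection whose delta is inspected
     * @param lensContext           lens context giving access to the focus context
     * @param task                  task used when resolving references
     * @param operationResult       result that receives validation messages
     * @throws SchemaException          if the delta adds/deletes password values or resolution fails
     * @throws PolicyViolationException if the new password does not satisfy the policy
     */
    public <F extends ObjectType> void processPasswordPolicy(LensProjectionContext lensProjectionContext, LensContext<F> lensContext, Task task, OperationResult operationResult) throws SchemaException, PolicyViolationException {
        ObjectDelta<ShadowType> delta = lensProjectionContext.getDelta();
        if (delta == null) {
            LOGGER.trace("Skipping processing password policies. Shadow delta not specified.");
            return;
        }
        if (ChangeType.DELETE == delta.getChangeType()) {
            return;
        }
        PrismProperty<ProtectedStringType> passwordProperty = null;
        if (ChangeType.ADD == delta.getChangeType()) {
            PrismObject<ShadowType> objectToAdd = delta.getObjectToAdd();
            if (objectToAdd != null) {
                passwordProperty = objectToAdd.findProperty(SchemaConstants.PATH_PASSWORD_VALUE);
            }
        }
        // Also entered for an ADD without a password in the object; the property delta is then null and we skip.
        if (ChangeType.MODIFY == delta.getChangeType() || passwordProperty == null) {
            ItemDelta passwordDelta = delta.findPropertyDelta(SchemaConstants.PATH_PASSWORD_VALUE);
            if (delta.getChangeType() == ChangeType.MODIFY && passwordDelta != null && (passwordDelta.isAdd() || passwordDelta.isDelete())) {
                throw new SchemaException("Shadow password value cannot be added or deleted, it can only be replaced");
            }
            if (passwordDelta == null) {
                LOGGER.trace("Skipping processing password policies. Shadow delta does not contain password change.");
                return;
            }
            passwordProperty = (PrismProperty) passwordDelta.getItemNewMatchingPath(null);
        }
        ValuePolicyType effectivePasswordPolicy;
        if (isCheckOrgPolicy(lensContext)) {
            LensFocusContext<F> focusContext = lensContext.getFocusContext();
            effectivePasswordPolicy = determineValuePolicy(focusContext.getObjectAny(), task, operationResult);
            focusContext.setOrgPasswordPolicy(effectivePasswordPolicy);
        } else {
            effectivePasswordPolicy = lensProjectionContext.getEffectivePasswordPolicy();
        }
        // No focus object here, so no password history is checked for the shadow.
        processPasswordPolicy(effectivePasswordPolicy, (PrismObject) null, passwordProperty, operationResult);
    }

    /**
     * Decides whether the org password policy still has to be determined for the focus.
     * <p>
     * Returns {@code false} when there is no focus context, when the focus is being added, when the
     * focus MODIFY delta itself changes the password (the focus pass handles it), or when a policy is
     * already cached on the focus context.
     *
     * @param lensContext lens context giving access to the focus context
     * @return {@code true} if the org policy must be determined now
     * @throws SchemaException if the focus delta cannot be computed
     */
    private <F extends ObjectType> boolean isCheckOrgPolicy(LensContext<F> lensContext) throws SchemaException {
        LensFocusContext<F> focusContext = lensContext.getFocusContext();
        if (focusContext == null) {
            return false;
        }
        ObjectDelta<F> focusDelta = focusContext.getDelta();
        if (focusDelta != null) {
            if (focusDelta.isAdd()) {
                return false;
            }
            if (focusDelta.isModify() && focusDelta.hasItemDelta(SchemaConstants.PATH_PASSWORD_VALUE)) {
                return false;
            }
        }
        return focusContext.getOrgPasswordPolicy() == null;
    }

    /**
     * Extracts the cleartext of a password property, decrypting it if only encrypted data is present.
     *
     * @param prismProperty property holding a {@link ProtectedStringType}, may be {@code null}
     * @return the cleartext password, or {@code null} if the property or its value is absent, or the
     *         value carries neither clear nor encrypted data
     * @throws SystemException if decryption fails
     */
    private String determinePasswordValue(PrismProperty<ProtectedStringType> prismProperty) {
        if (prismProperty == null || prismProperty.getValue(ProtectedStringType.class) == null) {
            return null;
        }
        ProtectedStringType protectedValue = prismProperty.getRealValue();
        if (protectedValue == null) {
            return null;
        }
        String clearValue = protectedValue.getClearValue();
        if (clearValue == null && protectedValue.getEncryptedDataType() != null) {
            try {
                // Cleartext password from here on: keep it out of logs and exception messages.
                clearValue = this.protector.decryptString(protectedValue);
            } catch (EncryptionException e) {
                throw new SystemException("Failed to process password for user: ", e);
            }
        }
        return clearValue;
    }
}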
