package com.evolveum.midpoint.model.impl.security;

import com.evolveum.midpoint.common.Clock;
import com.evolveum.midpoint.model.api.AuthenticationEvaluator;
import com.evolveum.midpoint.prism.crypto.EncryptionException;
import com.evolveum.midpoint.prism.crypto.Protector;
import com.evolveum.midpoint.prism.xml.XmlTypeConverter;
import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
import com.evolveum.midpoint.security.api.Authorization;
import com.evolveum.midpoint.security.api.ConnectionEnvironment;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.security.api.UserProfileService;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractCredentialPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractCredentialType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.LockoutStatusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.LoginEventType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordCredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityPolicyType;
import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
import java.util.Collection;
import javax.xml.datatype.Duration;
import javax.xml.datatype.XMLGregorianCalendar;
import org.apache.commons.lang.StringUtils;
import org.jetbrains.annotations.NotNull;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.stereotype.Component;

@Component("authenticationEvaluator")
/* loaded from: input_file:WEB-INF/lib/model-impl-3.4.2-SNAPSHOT.jar:com/evolveum/midpoint/model/impl/security/AuthenticationEvaluatorImpl.class */
public class AuthenticationEvaluatorImpl implements AuthenticationEvaluator {
    private static final Trace LOGGER = TraceManager.getTrace(AuthenticationEvaluatorImpl.class);

    @Autowired
    private Protector protector;

    @Autowired
    private Clock clock;

    @Autowired
    UserProfileService userProfileService;

    @Autowired
    private SecurityHelper securityHelper;

    @Override // com.evolveum.midpoint.model.api.AuthenticationEvaluator
    public UsernamePasswordAuthenticationToken authenticateUserPassword(ConnectionEnvironment connectionEnvironment, String str, String str2) throws BadCredentialsException, AuthenticationCredentialsNotFoundException, DisabledException, LockedException, CredentialsExpiredException, AuthenticationServiceException, AccessDeniedException, UsernameNotFoundException {
        CredentialsPolicyType credentials;
        if (StringUtils.isBlank(str2)) {
            recordAuthenticationFailure(str, connectionEnvironment, "empty password provided");
            throw new BadCredentialsException("web.security.provider.password.encoding");
        }
        MidPointPrincipal andCheckPrincipal = getAndCheckPrincipal(connectionEnvironment, str);
        CredentialsType credentials2 = andCheckPrincipal.getUser().getCredentials();
        if (credentials2 == null) {
            recordAuthenticationFailure(andCheckPrincipal, connectionEnvironment, "no credentials in user");
            throw new AuthenticationCredentialsNotFoundException("web.security.provider.invalid");
        }
        PasswordType password = credentials2.getPassword();
        SecurityPolicyType applicableSecurityPolicy = andCheckPrincipal.getApplicableSecurityPolicy();
        PasswordCredentialsPolicyType passwordCredentialsPolicyType = null;
        if (applicableSecurityPolicy != null && (credentials = applicableSecurityPolicy.getCredentials()) != null) {
            passwordCredentialsPolicyType = credentials.getPassword();
        }
        if (isLockedOut(password, passwordCredentialsPolicyType)) {
            recordAuthenticationFailure(andCheckPrincipal, connectionEnvironment, "password locked-out");
            throw new LockedException("web.security.provider.locked");
        }
        if (!hasAnyAuthorization(andCheckPrincipal)) {
            recordAuthenticationFailure(andCheckPrincipal, connectionEnvironment, "no authorizations");
            throw new DisabledException("web.security.provider.access.denied");
        }
        checkPasswordValidityAndAge(connectionEnvironment, andCheckPrincipal, password, passwordCredentialsPolicyType);
        if (passwordMatches(connectionEnvironment, andCheckPrincipal, password, str2)) {
            recordPasswordAuthenticationSuccess(andCheckPrincipal, connectionEnvironment, password, passwordCredentialsPolicyType);
            return new UsernamePasswordAuthenticationToken(andCheckPrincipal, str2, andCheckPrincipal.getAuthorities());
        }
        recordPasswordAuthenticationFailure(andCheckPrincipal, connectionEnvironment, password, passwordCredentialsPolicyType, "password mismatch");
        throw new BadCredentialsException("web.security.provider.invalid");
    }

    public String getAndCheckUserPassword(ConnectionEnvironment connectionEnvironment, String str) throws AuthenticationCredentialsNotFoundException, DisabledException, LockedException, CredentialsExpiredException, AuthenticationServiceException, AccessDeniedException, UsernameNotFoundException {
        CredentialsPolicyType credentials;
        MidPointPrincipal andCheckPrincipal = getAndCheckPrincipal(connectionEnvironment, str);
        CredentialsType credentials2 = andCheckPrincipal.getUser().getCredentials();
        if (credentials2 == null) {
            recordAuthenticationFailure(andCheckPrincipal, connectionEnvironment, "no credentials in user");
            throw new AuthenticationCredentialsNotFoundException("web.security.provider.invalid");
        }
        PasswordType password = credentials2.getPassword();
        SecurityPolicyType applicableSecurityPolicy = andCheckPrincipal.getApplicableSecurityPolicy();
        PasswordCredentialsPolicyType passwordCredentialsPolicyType = null;
        if (applicableSecurityPolicy != null && (credentials = applicableSecurityPolicy.getCredentials()) != null) {
            passwordCredentialsPolicyType = credentials.getPassword();
        }
        if (isLockedOut(password, passwordCredentialsPolicyType)) {
            recordAuthenticationFailure(andCheckPrincipal, connectionEnvironment, "password locked-out");
            throw new LockedException("web.security.provider.locked");
        }
        if (hasAnyAuthorization(andCheckPrincipal)) {
            checkPasswordValidityAndAge(connectionEnvironment, andCheckPrincipal, password, passwordCredentialsPolicyType);
            return getPassword(connectionEnvironment, andCheckPrincipal, password);
        }
        recordAuthenticationFailure(andCheckPrincipal, connectionEnvironment, "no authorizations");
        throw new AccessDeniedException("web.security.provider.access.denied");
    }

    @Override // com.evolveum.midpoint.model.api.AuthenticationEvaluator
    public PreAuthenticatedAuthenticationToken authenticateUserPreAuthenticated(ConnectionEnvironment connectionEnvironment, String str) {
        MidPointPrincipal andCheckPrincipal = getAndCheckPrincipal(connectionEnvironment, str);
        if (!hasAnyAuthorization(andCheckPrincipal)) {
            recordAuthenticationFailure(andCheckPrincipal, connectionEnvironment, "no authorizations");
            throw new AccessDeniedException("web.security.provider.access.denied");
        }
        PreAuthenticatedAuthenticationToken preAuthenticatedAuthenticationToken = new PreAuthenticatedAuthenticationToken(andCheckPrincipal, null, andCheckPrincipal.getAuthorities());
        recordAuthenticationSuccess(andCheckPrincipal, connectionEnvironment);
        return preAuthenticatedAuthenticationToken;
    }

    @NotNull
    private MidPointPrincipal getAndCheckPrincipal(ConnectionEnvironment connectionEnvironment, String str) {
        if (StringUtils.isBlank(str)) {
            recordAuthenticationFailure(str, connectionEnvironment, "no username");
            throw new UsernameNotFoundException("web.security.provider.invalid");
        }
        try {
            MidPointPrincipal principal = this.userProfileService.getPrincipal(str);
            if (principal == null) {
                recordAuthenticationFailure(str, connectionEnvironment, "no user");
                throw new UsernameNotFoundException("web.security.provider.invalid");
            }
            if (principal.isEnabled()) {
                return principal;
            }
            recordAuthenticationFailure(principal, connectionEnvironment, "user disabled");
            throw new DisabledException("web.security.provider.disabled");
        } catch (ObjectNotFoundException e) {
            recordAuthenticationFailure(str, connectionEnvironment, "no user");
            throw new UsernameNotFoundException("web.security.provider.invalid");
        }
    }

    private boolean hasAnyAuthorization(MidPointPrincipal midPointPrincipal) {
        Collection<Authorization> authorities = midPointPrincipal.getAuthorities();
        if (authorities == null || authorities.isEmpty()) {
            return false;
        }
        for (Authorization authorization : authorities) {
            if (authorization.getAction() != null && !authorization.getAction().isEmpty()) {
                return true;
            }
        }
        return false;
    }

    private void checkPasswordValidityAndAge(ConnectionEnvironment connectionEnvironment, @NotNull MidPointPrincipal midPointPrincipal, PasswordType passwordType, PasswordCredentialsPolicyType passwordCredentialsPolicyType) {
        Duration maxAge;
        XMLGregorianCalendar changeTimestamp;
        if (passwordType.getValue() == null) {
            recordAuthenticationFailure(midPointPrincipal, connectionEnvironment, "no stored password value");
            throw new AuthenticationCredentialsNotFoundException("web.security.provider.password.bad");
        }
        if (passwordCredentialsPolicyType == null || (maxAge = passwordCredentialsPolicyType.getMaxAge()) == null || (changeTimestamp = MiscSchemaUtil.getChangeTimestamp(passwordType.getMetadata())) == null) {
            return;
        }
        if (this.clock.isPast(XmlTypeConverter.addDuration(changeTimestamp, maxAge))) {
            recordAuthenticationFailure(midPointPrincipal, connectionEnvironment, "password expired");
            throw new CredentialsExpiredException("web.security.provider.password.bad");
        }
    }

    private boolean passwordMatches(ConnectionEnvironment connectionEnvironment, @NotNull MidPointPrincipal midPointPrincipal, PasswordType passwordType, String str) {
        return str.equals(getPassword(connectionEnvironment, midPointPrincipal, passwordType));
    }

    private String getPassword(ConnectionEnvironment connectionEnvironment, @NotNull MidPointPrincipal midPointPrincipal, PasswordType passwordType) {
        String decryptString;
        ProtectedStringType value = passwordType.getValue();
        if (value.getEncryptedDataType() != null) {
            try {
                decryptString = this.protector.decryptString(value);
            } catch (EncryptionException e) {
                recordAuthenticationFailure(midPointPrincipal, connectionEnvironment, "error decrypting password: " + e.getMessage());
                throw new AuthenticationServiceException("web.security.provider.unavailable", e);
            }
        } else {
            LOGGER.warn("Authenticating user based on clear value. Please check objects, this should not happen. Protected string should be encrypted.");
            decryptString = value.getClearValue();
        }
        return decryptString;
    }

    private boolean isLockedOut(AbstractCredentialType abstractCredentialType, AbstractCredentialPolicyType abstractCredentialPolicyType) {
        return isOverFailedLockoutAttempts(abstractCredentialType, abstractCredentialPolicyType) && !isLockoutExpired(abstractCredentialType, abstractCredentialPolicyType);
    }

    private boolean isOverFailedLockoutAttempts(AbstractCredentialType abstractCredentialType, AbstractCredentialPolicyType abstractCredentialPolicyType) {
        return isOverFailedLockoutAttempts(abstractCredentialType.getFailedLogins() != null ? abstractCredentialType.getFailedLogins().intValue() : 0, abstractCredentialPolicyType);
    }

    private boolean isOverFailedLockoutAttempts(int i, AbstractCredentialPolicyType abstractCredentialPolicyType) {
        return abstractCredentialPolicyType != null && abstractCredentialPolicyType.getLockoutMaxFailedAttempts() != null && abstractCredentialPolicyType.getLockoutMaxFailedAttempts().intValue() > 0 && i >= abstractCredentialPolicyType.getLockoutMaxFailedAttempts().intValue();
    }

    private boolean isLockoutExpired(AbstractCredentialType abstractCredentialType, AbstractCredentialPolicyType abstractCredentialPolicyType) {
        XMLGregorianCalendar timestamp;
        Duration lockoutDuration = abstractCredentialPolicyType.getLockoutDuration();
        if (lockoutDuration == null) {
            return false;
        }
        LoginEventType lastFailedLogin = abstractCredentialType.getLastFailedLogin();
        if (lastFailedLogin == null || (timestamp = lastFailedLogin.getTimestamp()) == null) {
            return true;
        }
        return this.clock.isPast(XmlTypeConverter.addDuration(timestamp, lockoutDuration));
    }

    private void recordPasswordAuthenticationSuccess(MidPointPrincipal midPointPrincipal, ConnectionEnvironment connectionEnvironment, PasswordType passwordType, PasswordCredentialsPolicyType passwordCredentialsPolicyType) {
        Integer failedLogins = passwordType.getFailedLogins();
        if (failedLogins != null && failedLogins.intValue() > 0) {
            passwordType.setFailedLogins(0);
        }
        LoginEventType loginEventType = new LoginEventType();
        loginEventType.setTimestamp(this.clock.currentTimeXMLGregorianCalendar());
        loginEventType.setFrom(connectionEnvironment.getRemoteHost());
        passwordType.setPreviousSuccessfulLogin(passwordType.getLastSuccessfulLogin());
        passwordType.setLastSuccessfulLogin(loginEventType);
        ActivationType activation = midPointPrincipal.getUser().getActivation();
        if (activation != null) {
            activation.setLockoutStatus(LockoutStatusType.NORMAL);
            activation.setLockoutExpirationTimestamp(null);
        }
        this.userProfileService.updateUser(midPointPrincipal);
        recordAuthenticationSuccess(midPointPrincipal, connectionEnvironment);
    }

    private void recordAuthenticationSuccess(@NotNull MidPointPrincipal midPointPrincipal, @NotNull ConnectionEnvironment connectionEnvironment) {
        this.securityHelper.auditLoginSuccess(midPointPrincipal.getUser(), connectionEnvironment);
    }

    private void recordPasswordAuthenticationFailure(@NotNull MidPointPrincipal midPointPrincipal, @NotNull ConnectionEnvironment connectionEnvironment, @NotNull PasswordType passwordType, PasswordCredentialsPolicyType passwordCredentialsPolicyType, String str) {
        Duration lockoutDuration;
        Duration lockoutFailedAttemptsDuration;
        Integer failedLogins = passwordType.getFailedLogins();
        LoginEventType lastFailedLogin = passwordType.getLastFailedLogin();
        XMLGregorianCalendar xMLGregorianCalendar = null;
        if (lastFailedLogin != null) {
            xMLGregorianCalendar = lastFailedLogin.getTimestamp();
        }
        if (passwordCredentialsPolicyType != null && (lockoutFailedAttemptsDuration = passwordCredentialsPolicyType.getLockoutFailedAttemptsDuration()) != null && xMLGregorianCalendar != null) {
            if (this.clock.isPast(XmlTypeConverter.addDuration(xMLGregorianCalendar, lockoutFailedAttemptsDuration))) {
                failedLogins = 0;
            }
        }
        Integer valueOf = failedLogins == null ? 1 : Integer.valueOf(failedLogins.intValue() + 1);
        passwordType.setFailedLogins(valueOf);
        LoginEventType loginEventType = new LoginEventType();
        loginEventType.setTimestamp(this.clock.currentTimeXMLGregorianCalendar());
        loginEventType.setFrom(connectionEnvironment.getRemoteHost());
        passwordType.setLastFailedLogin(loginEventType);
        ActivationType activation = midPointPrincipal.getUser().getActivation();
        if (valueOf != null && isOverFailedLockoutAttempts(valueOf.intValue(), passwordCredentialsPolicyType)) {
            if (activation == null) {
                activation = new ActivationType();
                midPointPrincipal.getUser().setActivation(activation);
            }
            activation.setLockoutStatus(LockoutStatusType.LOCKED);
            XMLGregorianCalendar xMLGregorianCalendar2 = null;
            if (passwordCredentialsPolicyType != null && (lockoutDuration = passwordCredentialsPolicyType.getLockoutDuration()) != null) {
                xMLGregorianCalendar2 = XmlTypeConverter.addDuration(loginEventType.getTimestamp(), lockoutDuration);
            }
            activation.setLockoutExpirationTimestamp(xMLGregorianCalendar2);
        }
        this.userProfileService.updateUser(midPointPrincipal);
        recordAuthenticationFailure(midPointPrincipal, connectionEnvironment, str);
    }

    private void recordAuthenticationFailure(@NotNull MidPointPrincipal midPointPrincipal, ConnectionEnvironment connectionEnvironment, String str) {
        this.securityHelper.auditLoginFailure(midPointPrincipal.getUsername(), midPointPrincipal.getUser(), connectionEnvironment, str);
    }

    private void recordAuthenticationFailure(String str, ConnectionEnvironment connectionEnvironment, String str2) {
        this.securityHelper.auditLoginFailure(str, null, connectionEnvironment, str2);
    }
}
