package com.evolveum.midpoint.model.impl.security;

import com.evolveum.midpoint.model.api.AuthenticationEvaluator;
import com.evolveum.midpoint.model.impl.ModelRestService;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.schema.constants.SchemaConstants;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.security.api.AuthorizationConstants;
import com.evolveum.midpoint.security.api.ConnectionEnvironment;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.security.api.SecurityEnforcer;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.task.api.TaskManager;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import java.io.IOException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.core.Response;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.message.Message;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/* loaded from: input_file:WEB-INF/lib/model-impl-3.5.2-SNAPSHOT.jar:com/evolveum/midpoint/model/impl/security/MidpointRestAuthenticationHandler.class */
/**
 * JAX-RS filter that authenticates REST requests with the HTTP Basic credentials CXF exposes
 * as an {@link AuthorizationPolicy}, then checks that the caller holds the REST authorization
 * before the resource method runs.
 *
 * <p>Outcome mapping, as implemented below:
 * <ul>
 *   <li>no credentials / no user name: 401 with a {@code WWW-Authenticate: Basic} challenge;</li>
 *   <li>unknown user or wrong password: 401;</li>
 *   <li>account locked, disabled, credentials expired, or other authentication service failure: 403;</li>
 *   <li>authenticated but not authorized for REST: 403 (audited as a login failure);</li>
 *   <li>schema error while authorizing: 400 (audited as a login failure).</li>
 * </ul>
 *
 * <p>On success the created {@link Task} is stored in the CXF message under the key
 * {@code "task"} and a pre-authenticated security context is set up for the current thread.
 * Nothing in this class clears that security context afterwards, neither on the 400/403
 * abort paths nor in the (empty) response filter.
 * NOTE(review): confirm a later stage of request processing resets it.
 */
public class MidpointRestAuthenticationHandler implements ContainerRequestFilter, ContainerResponseFilter {
    private static final Trace LOGGER = TraceManager.getTrace(MidpointRestAuthenticationHandler.class);

    /** Header carrying the authentication challenge on 401 responses. */
    private static final String WWW_AUTHENTICATE_HEADER = "WWW-Authenticate";

    /** Challenge sent when a request carries no usable Basic credentials. */
    private static final String BASIC_CHALLENGE = "Basic";

    /**
     * Value sent on the 401 that follows a failed password check.
     * NOTE(review): this is not an RFC 7235 challenge ({@code Basic realm="..."}), so clients
     * may not re-prompt for credentials; kept verbatim because callers may depend on it.
     */
    private static final String BAD_CREDENTIALS_CHALLENGE = "Basic authentication failed. Cannot authenticate user.";

    /** Key under which the request's task is stored in the CXF message. */
    private static final String TASK_MESSAGE_KEY = "task";

    @Autowired(required = true)
    private AuthenticationEvaluator authenticationEvaluator;

    @Autowired(required = true)
    private SecurityEnforcer securityEnforcer;

    @Autowired(required = true)
    private SecurityHelper securityHelper;

    @Autowired(required = true)
    private TaskManager taskManager;

    /**
     * Authenticates and authorizes the current REST request.
     *
     * @param message the CXF message carrying the parsed {@link AuthorizationPolicy}
     * @param containerRequestContext JAX-RS request context used to abort the request on failure
     */
    public void handleRequest(Message message, ContainerRequestContext containerRequestContext) {
        AuthorizationPolicy policy = (AuthorizationPolicy) message.get(AuthorizationPolicy.class);
        String userName = policy == null ? null : policy.getUserName();
        if (userName == null) {
            // Either no Basic credentials were sent or they carry no user name: challenge the client.
            containerRequestContext.abortWith(unauthorized(BASIC_CHALLENGE));
            return;
        }
        LOGGER.trace("Authenticating username '{}' to REST service", userName);

        Task task = this.taskManager.createTaskInstance(ModelRestService.OPERATION_REST_SERVICE);
        task.setChannel(SchemaConstants.CHANNEL_REST_URI);
        // The task identifier doubles as the session id so audit records can be correlated with the task.
        ConnectionEnvironment connEnv = createConnectionEnvironment();
        connEnv.setSessionId(task.getTaskIdentifier());

        try {
            UserType user = authenticate(connEnv, userName, policy.getPassword());
            task.setOwner(user.asPrismObject());
            message.put(TASK_MESSAGE_KEY, task);
            // Establishes the security context for the current thread; it is not cleared by this class.
            this.securityEnforcer.setupPreAuthenticatedSecurityContext((PrismObject<UserType>) user.asPrismObject());
            LOGGER.trace("Authenticated to REST service as {}", user);
            authorizeRestAccess(containerRequestContext, userName, user, connEnv);
        } catch (AccessDeniedException | AuthenticationCredentialsNotFoundException | AuthenticationServiceException
                | CredentialsExpiredException | DisabledException | LockedException e) {
            // Account-state failures answer 403 while bad credentials answer 401 (below), so the status
            // code alone reveals whether an account exists but is blocked.
            // NOTE(review): confirm this distinction is intended.
            LOGGER.trace("Exception while authenticating username '{}' to REST service: {}", userName, e.getMessage(), e);
            containerRequestContext.abortWith(Response.status(403).build());
        } catch (BadCredentialsException | UsernameNotFoundException e) {
            // Unknown user and wrong password are answered identically.
            LOGGER.trace("Exception while authenticating username '{}' to REST service: {}", userName, e.getMessage(), e);
            containerRequestContext.abortWith(unauthorized(BAD_CREDENTIALS_CHALLENGE));
        }
    }

    /**
     * Response-side hook; intentionally does nothing. In particular it does not clear the security
     * context that {@link #handleRequest} set up for the thread.
     */
    @Override
    public void filter(ContainerRequestContext containerRequestContext, ContainerResponseContext containerResponseContext) throws IOException {
    }

    /** Request-side hook: delegates to {@link #handleRequest} with the current CXF message. */
    @Override
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        handleRequest(JAXRSUtils.getCurrentMessage(), containerRequestContext);
    }

    /**
     * Runs the password check and returns the authenticated user.
     * Authentication failures propagate as the Spring Security exceptions handled by the caller.
     */
    private UserType authenticate(ConnectionEnvironment connEnv, String userName, String password) {
        MidPointPrincipal principal = (MidPointPrincipal) this.authenticationEvaluator
                .authenticateUserPassword(connEnv, userName, password)
                .getPrincipal();
        return principal.getUser();
    }

    /**
     * Checks the REST authorization for the already authenticated user; on failure the login is
     * audited and the request aborted (400 on schema error, 403 when not authorized).
     */
    private void authorizeRestAccess(ContainerRequestContext containerRequestContext, String userName,
            UserType user, ConnectionEnvironment connEnv) {
        try {
            this.securityEnforcer.authorize(AuthorizationConstants.AUTZ_REST_ALL_URL, null, null, null, null, null,
                    new OperationResult("Rest authentication/authorization operation."));
            LOGGER.trace("Authorized to use REST service ({})", user);
        } catch (SchemaException e) {
            this.securityHelper.auditLoginFailure(userName, user, connEnv, "Schema error: " + e.getMessage());
            containerRequestContext.abortWith(Response.status(Response.Status.BAD_REQUEST).build());
        } catch (SecurityViolationException e) {
            this.securityHelper.auditLoginFailure(userName, user, connEnv, "Not authorized");
            containerRequestContext.abortWith(Response.status(403).build());
        }
    }

    /** Builds a 401 response carrying the given {@code WWW-Authenticate} value. */
    private static Response unauthorized(String challenge) {
        return Response.status(401).header(WWW_AUTHENTICATE_HEADER, challenge).build();
    }

    /** Creates a connection environment tagged with the REST channel. */
    private ConnectionEnvironment createConnectionEnvironment() {
        ConnectionEnvironment env = new ConnectionEnvironment();
        env.setChannel(SchemaConstants.CHANNEL_REST_URI);
        return env;
    }
}
