package com.evolveum.midpoint.model.impl.lens.projector;

import com.evolveum.midpoint.common.policy.StringPolicyUtils;
import com.evolveum.midpoint.model.impl.ModelObjectResolver;
import com.evolveum.midpoint.model.impl.lens.LensContext;
import com.evolveum.midpoint.model.impl.lens.LensFocusContext;
import com.evolveum.midpoint.model.impl.lens.LensObjectDeltaOperation;
import com.evolveum.midpoint.model.impl.lens.LensProjectionContext;
import com.evolveum.midpoint.prism.PrismContainer;
import com.evolveum.midpoint.prism.PrismContext;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.PrismProperty;
import com.evolveum.midpoint.prism.PrismReference;
import com.evolveum.midpoint.prism.PrismReferenceValue;
import com.evolveum.midpoint.prism.crypto.EncryptionException;
import com.evolveum.midpoint.prism.crypto.Protector;
import com.evolveum.midpoint.prism.delta.ChangeType;
import com.evolveum.midpoint.prism.delta.ContainerDelta;
import com.evolveum.midpoint.prism.delta.ItemDelta;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.delta.ReferenceDelta;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.prism.xml.XsdTypeMapper;
import com.evolveum.midpoint.schema.constants.SchemaConstants;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.result.OperationResultStatus;
import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.PolicyViolationException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SystemException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CharacterClassType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.LimitationsType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordHistoryEntryType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordLifeTimeType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.StringLimitType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.StringPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ValuePolicyType;
import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.xml.datatype.XMLGregorianCalendar;
import org.apache.commons.lang.Validate;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

@Component
/* loaded from: input_file:WEB-INF/lib/model-impl-3.5.2-SNAPSHOT.jar:com/evolveum/midpoint/model/impl/lens/projector/PasswordPolicyProcessor.class */
public class PasswordPolicyProcessor {
    private static final String DOT_CLASS = PasswordPolicyProcessor.class.getName() + ".";
    private static final String OPERATION_PASSWORD_VALIDATION = DOT_CLASS + "passwordValidation";
    private static final Trace LOGGER = TraceManager.getTrace(PasswordPolicyProcessor.class);

    @Autowired(required = true)
    private PrismContext prismContext;

    @Autowired(required = true)
    Protector protector;

    @Autowired(required = true)
    ModelObjectResolver resolver;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* JADX WARN: Multi-variable type inference failed */
    public <F extends FocusType> void processPasswordPolicy(LensFocusContext<F> lensFocusContext, LensContext<F> lensContext, XMLGregorianCalendar xMLGregorianCalendar, Task task, OperationResult operationResult) throws PolicyViolationException, SchemaException {
        ValuePolicyType orgPasswordPolicy;
        if (!UserType.class.isAssignableFrom(lensFocusContext.getObjectTypeClass())) {
            LOGGER.trace("Skipping processing password policies because focus is not user");
            return;
        }
        ObjectDelta<UserType> delta = lensFocusContext.getDelta();
        if (delta == null) {
            LOGGER.trace("Skipping processing password policies. User delta not specified.");
            return;
        }
        if (delta.isDelete()) {
            LOGGER.trace("Skipping processing password policies. User will be deleted.");
            return;
        }
        PrismProperty<ProtectedStringType> prismProperty = null;
        boolean z = false;
        if (ChangeType.ADD == delta.getChangeType()) {
            PrismObject objectToAdd = lensFocusContext.getDelta().getObjectToAdd();
            if (objectToAdd != null) {
                prismProperty = objectToAdd.findProperty(SchemaConstants.PATH_PASSWORD_VALUE);
            }
            if (prismProperty == null && wasExecuted(delta, lensFocusContext)) {
                LOGGER.trace("Skipping processing password policies. User addition was already executed.");
                return;
            }
        } else if (ChangeType.MODIFY == delta.getChangeType()) {
            ItemDelta findPropertyDelta = delta.findPropertyDelta(SchemaConstants.PATH_PASSWORD_VALUE);
            if (findPropertyDelta == null) {
                LOGGER.trace("Skipping processing password policies. User delta does not contain password change.");
                return;
            }
            if (delta.getChangeType() != ChangeType.MODIFY) {
                prismProperty = (PrismProperty) findPropertyDelta.getItemNewMatchingPath(null);
            } else if (findPropertyDelta.isAdd()) {
                prismProperty = (PrismProperty) findPropertyDelta.getItemNewMatchingPath(null);
                z = true;
            } else if (findPropertyDelta.isDelete()) {
                prismProperty = null;
            } else {
                prismProperty = (PrismProperty) findPropertyDelta.getItemNewMatchingPath(null);
                z = true;
            }
        }
        if (lensFocusContext.getOrgPasswordPolicy() == null) {
            orgPasswordPolicy = determineValuePolicy(delta, lensFocusContext.getObjectAny(), lensContext, task, operationResult);
            lensFocusContext.setOrgPasswordPolicy(orgPasswordPolicy);
        } else {
            orgPasswordPolicy = lensFocusContext.getOrgPasswordPolicy();
        }
        processPasswordPolicy(orgPasswordPolicy, lensFocusContext.getObjectOld(), prismProperty, operationResult);
        if (prismProperty == null || !z) {
            return;
        }
        processPasswordHistoryDeltas(lensFocusContext, lensContext, xMLGregorianCalendar, task, operationResult);
    }

    private <F extends FocusType> void processPasswordPolicy(ValuePolicyType valuePolicyType, PrismObject<F> prismObject, PrismProperty<ProtectedStringType> prismProperty, OperationResult operationResult) throws PolicyViolationException, SchemaException {
        if (valuePolicyType == null) {
            LOGGER.trace("Skipping processing password policies. Password policy not specified.");
        } else {
            if (validatePassword(determinePasswordValue(prismProperty), determineCurrentPassword(prismObject), valuePolicyType, operationResult)) {
                return;
            }
            operationResult.computeStatus();
            throw new PolicyViolationException("Provided password does not satisfy password policies. " + operationResult.getMessage());
        }
    }

    private <F extends FocusType> PasswordType determineCurrentPassword(PrismObject<F> prismObject) {
        CredentialsType credentials;
        if (prismObject == null) {
            return null;
        }
        PasswordType passwordType = null;
        if (prismObject.getCompileTimeClass().equals(UserType.class) && (credentials = ((UserType) prismObject.asObjectable()).getCredentials()) != null) {
            passwordType = credentials.getPassword();
        }
        return passwordType;
    }

    private <F extends FocusType> boolean wasExecuted(ObjectDelta<UserType> objectDelta, LensFocusContext<F> lensFocusContext) {
        Iterator<LensObjectDeltaOperation<F>> it = lensFocusContext.getExecutedDeltas().iterator();
        while (it.hasNext()) {
            ObjectDelta<F> objectDelta2 = it.next().getObjectDelta();
            if (objectDelta2.isAdd() && objectDelta2.getObjectToAdd() != null && objectDelta2.getObjectTypeClass().equals(UserType.class)) {
                return true;
            }
        }
        return false;
    }

    protected <T extends ObjectType, F extends FocusType> ValuePolicyType determineValuePolicy(ObjectDelta<F> objectDelta, PrismObject<T> prismObject, LensContext<F> lensContext, Task task, OperationResult operationResult) throws SchemaException {
        ValuePolicyType determineValuePolicy = determineValuePolicy(objectDelta, task, operationResult);
        if (determineValuePolicy == null) {
            determineValuePolicy = determineValuePolicy(prismObject, task, operationResult);
        }
        if (determineValuePolicy == null) {
            determineValuePolicy = lensContext.getEffectivePasswordPolicy();
        }
        if (determineValuePolicy != null) {
            LOGGER.trace("Value policy {} will be user to check password.", determineValuePolicy.getName().getOrig());
        }
        return determineValuePolicy;
    }

    protected <F extends FocusType> ValuePolicyType determineValuePolicy(ObjectDelta<F> objectDelta, Task task, OperationResult operationResult) throws SchemaException {
        PrismReferenceValue anyValue;
        if (objectDelta == null) {
            return null;
        }
        ReferenceDelta findReferenceModification = objectDelta.findReferenceModification(UserType.F_PARENT_ORG_REF);
        LOGGER.trace("Determining password policy from org delta.");
        if (findReferenceModification == null || (anyValue = findReferenceModification.getAnyValue()) == null) {
            return null;
        }
        ValuePolicyType valuePolicyType = null;
        try {
            PrismObject resolve = this.resolver.resolve(anyValue, "resolving parent org ref", null, null, operationResult);
            OrgType orgType = (OrgType) resolve.asObjectable();
            ObjectReferenceType passwordPolicyRef = orgType.getPasswordPolicyRef();
            if (passwordPolicyRef != null) {
                LOGGER.trace("Org {} has specified password policy.", orgType);
                valuePolicyType = (ValuePolicyType) this.resolver.resolve(passwordPolicyRef, ValuePolicyType.class, null, "resolving password policy for organization", task, operationResult);
                LOGGER.trace("Resolved password policy {}", valuePolicyType);
            }
            if (valuePolicyType == null) {
                valuePolicyType = determineValuePolicy(resolve, task, operationResult);
            }
            return valuePolicyType;
        } catch (ObjectNotFoundException e) {
            throw new IllegalStateException(e);
        }
    }

    private ValuePolicyType determineValuePolicy(PrismObject prismObject, Task task, OperationResult operationResult) throws SchemaException {
        LOGGER.trace("Determining password policies from object: {}", ObjectTypeUtil.toShortString((PrismObject<? extends ObjectType>) prismObject));
        PrismReference findReference = prismObject.findReference(ObjectType.F_PARENT_ORG_REF);
        if (findReference == null) {
            return null;
        }
        List<PrismReferenceValue> values = findReference.getValues();
        ValuePolicyType valuePolicyType = null;
        ArrayList arrayList = new ArrayList();
        try {
            for (PrismReferenceValue prismReferenceValue : values) {
                if (prismReferenceValue != null) {
                    PrismObject<OrgType> resolve = this.resolver.resolve(prismReferenceValue, "resolving parent org ref", null, null, operationResult);
                    arrayList.add(resolve);
                    ValuePolicyType resolvePolicy = resolvePolicy(resolve, task, operationResult);
                    if (resolvePolicy == null) {
                        continue;
                    } else if (valuePolicyType == null) {
                        valuePolicyType = resolvePolicy;
                    } else if (!StringUtils.equals(resolvePolicy.getOid(), valuePolicyType.getOid())) {
                        throw new IllegalStateException("Found more than one policy while trying to validate user's password. Please check your configuration");
                    }
                }
            }
            if (valuePolicyType == null) {
                Iterator it = arrayList.iterator();
                while (it.hasNext()) {
                    valuePolicyType = determineValuePolicy((PrismObject) it.next(), task, operationResult);
                    if (valuePolicyType != null) {
                        return valuePolicyType;
                    }
                }
            }
            return valuePolicyType;
        } catch (ObjectNotFoundException e) {
            throw new IllegalStateException(e);
        }
    }

    private ValuePolicyType resolvePolicy(PrismObject<OrgType> prismObject, Task task, OperationResult operationResult) throws SchemaException {
        try {
            ObjectReferenceType passwordPolicyRef = prismObject.asObjectable().getPasswordPolicyRef();
            if (passwordPolicyRef == null) {
                return null;
            }
            return (ValuePolicyType) this.resolver.resolve(passwordPolicyRef, ValuePolicyType.class, null, "resolving password policy for organization", task, operationResult);
        } catch (ObjectNotFoundException e) {
            e.printStackTrace();
            throw new IllegalStateException(e);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public <F extends ObjectType> void processPasswordPolicy(LensProjectionContext lensProjectionContext, LensContext<F> lensContext, Task task, OperationResult operationResult) throws SchemaException, PolicyViolationException {
        PrismObject<ShadowType> objectToAdd;
        ObjectDelta<ShadowType> delta = lensProjectionContext.getDelta();
        if (delta == null) {
            LOGGER.trace("Skipping processing password policies. Shadow delta not specified.");
            return;
        }
        if (ChangeType.DELETE == delta.getChangeType()) {
            return;
        }
        PrismProperty<ProtectedStringType> prismProperty = null;
        if (ChangeType.ADD == delta.getChangeType() && (objectToAdd = delta.getObjectToAdd()) != null) {
            prismProperty = objectToAdd.findProperty(SchemaConstants.PATH_PASSWORD_VALUE);
        }
        if (ChangeType.MODIFY == delta.getChangeType() || prismProperty == null) {
            ItemDelta findPropertyDelta = delta.findPropertyDelta(SchemaConstants.PATH_PASSWORD_VALUE);
            if (delta.getChangeType() == ChangeType.MODIFY && findPropertyDelta != null && (findPropertyDelta.isAdd() || findPropertyDelta.isDelete())) {
                throw new SchemaException("Shadow password value cannot be added or deleted, it can only be replaced");
            }
            if (findPropertyDelta == null) {
                LOGGER.trace("Skipping processing password policies. Shadow delta does not contain password change.");
                return;
            }
            prismProperty = (PrismProperty) findPropertyDelta.getItemNewMatchingPath(null);
        }
        ValuePolicyType valuePolicyType = null;
        if (isCheckOrgPolicy(lensContext)) {
            valuePolicyType = determineValuePolicy(lensContext.getFocusContext().getObjectAny(), task, operationResult);
            lensContext.getFocusContext().setOrgPasswordPolicy(valuePolicyType);
        }
        if (valuePolicyType == null) {
            valuePolicyType = lensProjectionContext.getEffectivePasswordPolicy();
        }
        processPasswordPolicy(valuePolicyType, (PrismObject) null, prismProperty, operationResult);
    }

    private <F extends ObjectType> boolean isCheckOrgPolicy(LensContext<F> lensContext) throws SchemaException {
        LensFocusContext<F> focusContext = lensContext.getFocusContext();
        if (focusContext == null) {
            return false;
        }
        if (focusContext.getDelta() != null) {
            if (focusContext.getDelta().isAdd()) {
                return false;
            }
            if (focusContext.getDelta().isModify() && focusContext.getDelta().hasItemDelta(SchemaConstants.PATH_PASSWORD_VALUE)) {
                return false;
            }
        }
        return focusContext.getOrgPasswordPolicy() == null;
    }

    public boolean validatePassword(String str, PasswordType passwordType, ValuePolicyType valuePolicyType, OperationResult operationResult) {
        Validate.notNull(valuePolicyType, "Password policy must not be null.");
        OperationResult createSubresult = operationResult.createSubresult(OPERATION_PASSWORD_VALIDATION);
        createSubresult.addParam("policyName", valuePolicyType.getName());
        normalize(valuePolicyType);
        if (str == null && valuePolicyType.getMinOccurs() != null && XsdTypeMapper.multiplicityToInteger(valuePolicyType.getMinOccurs()).intValue() == 0) {
            createSubresult.recordSuccess();
            return true;
        }
        if (str == null) {
            str = "";
        }
        LimitationsType limitations = valuePolicyType.getStringPolicy().getLimitations();
        StringBuilder sb = new StringBuilder();
        testMinimalLength(str, limitations, createSubresult, sb);
        testMaximalLength(str, limitations, createSubresult, sb);
        testMinimalUniqueCharacters(str, limitations, createSubresult, sb);
        testPasswordHistoryEntries(str, passwordType, valuePolicyType, createSubresult, sb);
        if (limitations.getLimit() == null || limitations.getLimit().isEmpty()) {
            if (sb.toString() == null || sb.toString().isEmpty()) {
                createSubresult.computeStatus();
            } else {
                createSubresult.computeStatus(sb.toString());
            }
            return createSubresult.isAcceptable();
        }
        HashSet<String> hashSet = new HashSet<>();
        List<String> stringTokenizer = StringPolicyUtils.stringTokenizer(str);
        for (StringLimitType stringLimitType : limitations.getLimit()) {
            OperationResult operationResult2 = new OperationResult("Tested limitation: " + stringLimitType.getDescription());
            HashSet<String> validCharacters = getValidCharacters(stringLimitType.getCharacterClass(), valuePolicyType);
            int countValidCharacters = countValidCharacters(validCharacters, stringTokenizer);
            hashSet.addAll(validCharacters);
            testMinimalOccurence(stringLimitType, countValidCharacters, operationResult2, sb);
            testMaximalOccurence(stringLimitType, countValidCharacters, operationResult2, sb);
            testMustBeFirst(stringLimitType, countValidCharacters, operationResult2, sb, str, validCharacters);
            operationResult2.computeStatus();
            createSubresult.addSubresult(operationResult2);
        }
        testInvalidCharacters(stringTokenizer, hashSet, createSubresult, sb);
        if (sb.toString() == null || sb.toString().isEmpty()) {
            createSubresult.computeStatus();
        } else {
            createSubresult.computeStatus(sb.toString());
        }
        return createSubresult.isAcceptable();
    }

    private void normalize(ValuePolicyType valuePolicyType) {
        if (null == valuePolicyType) {
            throw new IllegalArgumentException("Password policy cannot be null");
        }
        if (null == valuePolicyType.getStringPolicy()) {
            valuePolicyType.setStringPolicy(StringPolicyUtils.normalize(new StringPolicyType()));
        } else {
            valuePolicyType.setStringPolicy(StringPolicyUtils.normalize(valuePolicyType.getStringPolicy()));
        }
        if (null == valuePolicyType.getLifetime()) {
            PasswordLifeTimeType passwordLifeTimeType = new PasswordLifeTimeType();
            passwordLifeTimeType.setExpiration(-1);
            passwordLifeTimeType.setWarnBeforeExpiration(0);
            passwordLifeTimeType.setLockAfterExpiration(0);
            passwordLifeTimeType.setMinPasswordAge(0);
            passwordLifeTimeType.setPasswordHistoryLength(0);
        }
    }

    private void testPasswordHistoryEntries(String str, PasswordType passwordType, ValuePolicyType valuePolicyType, OperationResult operationResult, StringBuilder sb) {
        PasswordLifeTimeType lifetime;
        Integer passwordHistoryLength;
        if (passwordType == null || (lifetime = valuePolicyType.getLifetime()) == null || (passwordHistoryLength = lifetime.getPasswordHistoryLength()) == null || passwordHistoryLength.intValue() == 0) {
            return;
        }
        if (passwordEquals(str, passwordType.getValue())) {
            appendHistoryViolationMessage(operationResult, sb);
            return;
        }
        int i = 1;
        for (PasswordHistoryEntryType passwordHistoryEntryType : getSortedHistoryList(passwordType.asPrismContainerValue().findContainer(PasswordType.F_HISTORY_ENTRY), false)) {
            if (i >= passwordHistoryLength.intValue()) {
                return;
            }
            if (passwordEquals(str, passwordHistoryEntryType.getValue())) {
                LOGGER.trace("Password history entry #{} matched (changed {})", Integer.valueOf(i), passwordHistoryEntryType.getChangeTimestamp());
                appendHistoryViolationMessage(operationResult, sb);
                return;
            }
            i++;
        }
    }

    private void appendHistoryViolationMessage(OperationResult operationResult, StringBuilder sb) {
        operationResult.addSubresult(new OperationResult("Check if password does not contain invalid characters", OperationResultStatus.FATAL_ERROR, "Password couldn't be changed to the same value. Please select another password."));
        sb.append("Password couldn't be changed to the same value. Please select another password.");
        sb.append("\n");
    }

    private void testInvalidCharacters(List<String> list, HashSet<String> hashSet, OperationResult operationResult, StringBuilder sb) {
        StringBuilder sb2 = new StringBuilder();
        for (String str : list) {
            if (!hashSet.contains(str)) {
                sb2.append(str);
            }
        }
        if (sb2.length() > 0) {
            String str2 = "Characters [ " + ((Object) sb2) + " ] are not allowed in password";
            operationResult.addSubresult(new OperationResult("Check if password does not contain invalid characters", OperationResultStatus.FATAL_ERROR, str2));
            sb.append(str2);
            sb.append("\n");
        }
    }

    private void testMustBeFirst(StringLimitType stringLimitType, int i, OperationResult operationResult, StringBuilder sb, String str, Set<String> set) {
        if (stringLimitType.isMustBeFirst() == null) {
            stringLimitType.setMustBeFirst(false);
        }
        if (StringUtils.isNotEmpty(str) && stringLimitType.isMustBeFirst().booleanValue() && !set.contains(str.substring(0, 1))) {
            String str2 = "First character is not from allowed set. Allowed set: " + set.toString();
            operationResult.addSubresult(new OperationResult("Check valid first char", OperationResultStatus.FATAL_ERROR, str2));
            sb.append(str2);
            sb.append("\n");
        }
    }

    private void testMaximalOccurence(StringLimitType stringLimitType, int i, OperationResult operationResult, StringBuilder sb) {
        if (stringLimitType.getMaxOccurs() == null || stringLimitType.getMaxOccurs().intValue() >= i) {
            return;
        }
        String str = "Required maximal occurrence (" + stringLimitType.getMaxOccurs() + ") of characters (" + stringLimitType.getDescription() + ") in password was exceeded (occurrence of characters in password " + i + ").";
        operationResult.addSubresult(new OperationResult("Check maximal occurrence of characters", OperationResultStatus.FATAL_ERROR, str));
        sb.append(str);
        sb.append("\n");
    }

    private void testMinimalOccurence(StringLimitType stringLimitType, int i, OperationResult operationResult, StringBuilder sb) {
        if (stringLimitType.getMinOccurs() == null) {
            stringLimitType.setMinOccurs(0);
        }
        if (stringLimitType.getMinOccurs().intValue() > i) {
            String str = "Required minimal occurrence (" + stringLimitType.getMinOccurs() + ") of characters (" + stringLimitType.getDescription() + ") in password is not met (occurrence of characters in password " + i + ").";
            operationResult.addSubresult(new OperationResult("Check minimal occurrence of characters", OperationResultStatus.FATAL_ERROR, str));
            sb.append(str);
            sb.append("\n");
        }
    }

    private int countValidCharacters(Set<String> set, List<String> list) {
        int i = 0;
        Iterator<String> it = list.iterator();
        while (it.hasNext()) {
            if (set.contains(it.next())) {
                i++;
            }
        }
        return i;
    }

    private HashSet<String> getValidCharacters(CharacterClassType characterClassType, ValuePolicyType valuePolicyType) {
        return null != characterClassType.getValue() ? new HashSet<>(StringPolicyUtils.stringTokenizer(characterClassType.getValue())) : new HashSet<>(StringPolicyUtils.stringTokenizer(StringPolicyUtils.collectCharacterClass(valuePolicyType.getStringPolicy().getCharacterClass(), characterClassType.getRef())));
    }

    private void testMinimalUniqueCharacters(String str, LimitationsType limitationsType, OperationResult operationResult, StringBuilder sb) {
        HashSet hashSet = new HashSet(StringPolicyUtils.stringTokenizer(str));
        if (limitationsType.getMinUniqueChars() == null || limitationsType.getMinUniqueChars().intValue() <= hashSet.size()) {
            return;
        }
        String str2 = "Required minimal count of unique characters (" + limitationsType.getMinUniqueChars() + ") in password are not met (unique characters in password " + hashSet.size() + ")";
        operationResult.addSubresult(new OperationResult("Check minimal count of unique chars", OperationResultStatus.FATAL_ERROR, str2));
        sb.append(str2);
        sb.append("\n");
    }

    private void testMinimalLength(String str, LimitationsType limitationsType, OperationResult operationResult, StringBuilder sb) {
        if (limitationsType.getMinLength() == null) {
            limitationsType.setMinLength(0);
        }
        if (limitationsType.getMinLength().intValue() > str.length()) {
            String str2 = "Required minimal size (" + limitationsType.getMinLength() + ") of password is not met (password length: " + str.length() + ")";
            operationResult.addSubresult(new OperationResult("Check global minimal length", OperationResultStatus.FATAL_ERROR, str2));
            sb.append(str2);
            sb.append("\n");
        }
    }

    private void testMaximalLength(String str, LimitationsType limitationsType, OperationResult operationResult, StringBuilder sb) {
        if (limitationsType.getMaxLength() == null || limitationsType.getMaxLength().intValue() >= str.length()) {
            return;
        }
        String str2 = "Required maximal size (" + limitationsType.getMaxLength() + ") of password was exceeded (password length: " + str.length() + ").";
        operationResult.addSubresult(new OperationResult("Check global maximal length", OperationResultStatus.FATAL_ERROR, str2));
        sb.append(str2);
        sb.append("\n");
    }

    private boolean passwordEquals(String str, ProtectedStringType protectedStringType) {
        return determinePasswordValue(protectedStringType).equals(str);
    }

    private String determinePasswordValue(PrismProperty<ProtectedStringType> prismProperty) {
        if (prismProperty == null || prismProperty.getValue(ProtectedStringType.class) == null) {
            return null;
        }
        return determinePasswordValue(prismProperty.getRealValue());
    }

    private String determinePasswordValue(ProtectedStringType protectedStringType) {
        if (protectedStringType == null) {
            return null;
        }
        String clearValue = protectedStringType.getClearValue();
        if (clearValue == null && protectedStringType.getEncryptedDataType() != null) {
            try {
                clearValue = this.protector.decryptString(protectedStringType);
            } catch (EncryptionException e) {
                throw new SystemException("Failed to process password for user: ", e);
            }
        }
        return clearValue;
    }

    public <F extends FocusType> void processPasswordHistoryDeltas(LensFocusContext<F> lensFocusContext, LensContext<F> lensContext, XMLGregorianCalendar xMLGregorianCalendar, Task task, OperationResult operationResult) throws SchemaException {
        PrismContainer<PasswordType> findContainer;
        PrismObject<F> objectOld = lensFocusContext.getObjectOld();
        Validate.notNull(objectOld, "Focus object must not be null");
        if (!objectOld.getCompileTimeClass().equals(UserType.class) || (findContainer = objectOld.findContainer(new ItemPath(UserType.F_CREDENTIALS, CredentialsType.F_PASSWORD))) == null || findContainer.isEmpty()) {
            return;
        }
        PrismContainer<PasswordHistoryEntryType> findOrCreateContainer = findContainer.findOrCreateContainer(PasswordType.F_HISTORY_ENTRY);
        int maxPasswordsToSave = getMaxPasswordsToSave(lensContext.getFocusContext(), lensContext, task, operationResult);
        List<PasswordHistoryEntryType> sortedHistoryList = getSortedHistoryList(findOrCreateContainer, true);
        int i = 0;
        if (maxPasswordsToSave > 0) {
            i = createAddHistoryDelta(lensContext, findContainer, xMLGregorianCalendar);
        }
        createDeleteHistoryDeltasIfNeeded(sortedHistoryList, maxPasswordsToSave, i, lensContext, task, operationResult);
    }

    private <F extends FocusType> int getMaxPasswordsToSave(LensFocusContext<F> lensFocusContext, LensContext<F> lensContext, Task task, OperationResult operationResult) throws SchemaException {
        ValuePolicyType orgPasswordPolicy;
        Integer passwordHistoryLength;
        if (lensFocusContext.getOrgPasswordPolicy() == null) {
            orgPasswordPolicy = determineValuePolicy(lensFocusContext.getDelta(), lensFocusContext.getObjectAny(), lensContext, task, operationResult);
            lensFocusContext.setOrgPasswordPolicy(orgPasswordPolicy);
        } else {
            orgPasswordPolicy = lensFocusContext.getOrgPasswordPolicy();
        }
        if (orgPasswordPolicy == null || orgPasswordPolicy.getLifetime() == null || (passwordHistoryLength = orgPasswordPolicy.getLifetime().getPasswordHistoryLength()) == null || passwordHistoryLength.intValue() <= 1) {
            return 0;
        }
        return passwordHistoryLength.intValue() - 1;
    }

    private <F extends FocusType> int createAddHistoryDelta(LensContext<F> lensContext, PrismContainer<PasswordType> prismContainer, XMLGregorianCalendar xMLGregorianCalendar) throws SchemaException {
        PasswordType asContainerable = prismContainer.getValue().asContainerable();
        PasswordHistoryEntryType passwordHistoryEntryType = (PasswordHistoryEntryType) prismContainer.getDefinition().findContainerDefinition(PasswordType.F_HISTORY_ENTRY).instantiate().createNewValue().asContainerable();
        passwordHistoryEntryType.setValue(asContainerable.getValue());
        passwordHistoryEntryType.setMetadata(asContainerable.getMetadata());
        passwordHistoryEntryType.setChangeTimestamp(xMLGregorianCalendar);
        lensContext.getFocusContext().swallowToSecondaryDelta(ContainerDelta.createModificationAdd(new ItemPath(UserType.F_CREDENTIALS, CredentialsType.F_PASSWORD, PasswordType.F_HISTORY_ENTRY), UserType.class, this.prismContext, passwordHistoryEntryType.m1657clone()));
        return 1;
    }

    private <F extends FocusType> void createDeleteHistoryDeltasIfNeeded(List<PasswordHistoryEntryType> list, int i, int i2, LensContext<F> lensContext, Task task, OperationResult operationResult) throws SchemaException {
        if (list.size() == 0) {
            return;
        }
        int size = (list.size() - i) + i2;
        for (int i3 = 0; i3 < size; i3++) {
            LOGGER.info("PPPPPPPPPPP i={}, numberOfHistoryEntriesToDelete={}, maxPasswordsToSave={}", Integer.valueOf(i3), Integer.valueOf(size), Integer.valueOf(i));
            lensContext.getFocusContext().swallowToSecondaryDelta(ContainerDelta.createModificationDelete(new ItemPath(UserType.F_CREDENTIALS, CredentialsType.F_PASSWORD, PasswordType.F_HISTORY_ENTRY), UserType.class, this.prismContext, list.get(i3).m1657clone()));
        }
    }

    private List<PasswordHistoryEntryType> getSortedHistoryList(PrismContainer<PasswordHistoryEntryType> prismContainer, boolean z) {
        if (prismContainer == null || prismContainer.isEmpty()) {
            return new ArrayList();
        }
        List<PasswordHistoryEntryType> list = (List) prismContainer.getRealValues();
        Collections.sort(list, (passwordHistoryEntryType, passwordHistoryEntryType2) -> {
            XMLGregorianCalendar changeTimestamp = passwordHistoryEntryType.getChangeTimestamp();
            XMLGregorianCalendar changeTimestamp2 = passwordHistoryEntryType2.getChangeTimestamp();
            return z ? changeTimestamp.compare(changeTimestamp2) : changeTimestamp2.compare(changeTimestamp);
        });
        return list;
    }
}
