package com.evolveum.midpoint.model.impl.lens.projector.credentials;

import com.evolveum.midpoint.common.LocalizationService;
import com.evolveum.midpoint.model.common.stringpolicy.ObjectValuePolicyEvaluator;
import com.evolveum.midpoint.model.common.stringpolicy.UserValuePolicyOriginResolver;
import com.evolveum.midpoint.model.common.stringpolicy.ValuePolicyProcessor;
import com.evolveum.midpoint.model.impl.ModelObjectResolver;
import com.evolveum.midpoint.model.impl.lens.LensContext;
import com.evolveum.midpoint.model.impl.lens.LensFocusContext;
import com.evolveum.midpoint.model.impl.lens.OperationalDataManager;
import com.evolveum.midpoint.prism.Item;
import com.evolveum.midpoint.prism.PrismContainer;
import com.evolveum.midpoint.prism.PrismContainerValue;
import com.evolveum.midpoint.prism.PrismContext;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.PrismPropertyValue;
import com.evolveum.midpoint.prism.crypto.EncryptionException;
import com.evolveum.midpoint.prism.crypto.Protector;
import com.evolveum.midpoint.prism.delta.ContainerDelta;
import com.evolveum.midpoint.prism.delta.ItemDelta;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.delta.PartiallyResolvedDelta;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.security.api.SecurityUtil;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.util.LocalizableMessageBuilder;
import com.evolveum.midpoint.util.MiscUtil;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.PolicyViolationException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.exception.SystemException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractCredentialType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsStorageTypeType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.MetadataType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordHistoryEntryType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import javax.xml.datatype.XMLGregorianCalendar;
import javax.xml.namespace.QName;

/* loaded from: input_file:WEB-INF/lib/model-impl-3.7.3-SNAPSHOT.jar:com/evolveum/midpoint/model/impl/lens/projector/credentials/CredentialPolicyEvaluator.class */
/**
 * Base class for enforcing a credential policy (e.g. the password policy) on a focus
 * object (here always {@code UserType}) while its deltas are being projected.
 *
 * <p>Subclasses supply the credential container path, a human-readable name/key and the
 * effective policy ({@link #determineEffectiveCredentialPolicy()}). This class walks the
 * focus object or delta, runs every new credential value through an
 * {@link ObjectValuePolicyEvaluator}, checks the minimum-occurs constraint, and emits
 * secondary deltas for metadata and - when {@link #supportsHistory()} is true - for the
 * credential history.
 *
 * <p>All collaborators are injected through setters; {@link #process()} is the entry point.
 * The effective policy and the value policy evaluator are cached on first use and are
 * not reset by later setter calls, so one instance should serve one context/now/task.
 *
 * @param <R> credential container type (e.g. {@code PasswordType})
 * @param <P> credential policy type
 */
public abstract class CredentialPolicyEvaluator<R extends AbstractCredentialType, P extends CredentialPolicyType> {
    private static final Trace LOGGER = TraceManager.getTrace(CredentialPolicyEvaluator.class);
    // Default location of the credential value inside the credential container.
    private static final ItemPath CREDENTIAL_RELATIVE_VALUE_PATH = new ItemPath(PasswordType.F_VALUE);
    private PrismContext prismContext;
    private Protector protector;
    private LocalizationService localizationService;
    private OperationalDataManager metadataManager;
    private ValuePolicyProcessor valuePolicyProcessor;
    private ModelObjectResolver resolver;
    private LensContext<UserType> context;
    private XMLGregorianCalendar now;
    private Task task;
    private OperationResult result;
    // Lazily built by getObjectValuePolicyEvaluator(); never invalidated.
    private ObjectValuePolicyEvaluator objectValuePolicyEvaluator;
    // Lazily resolved by getCredentialPolicy(); never invalidated.
    private P credentialPolicy;

    public PrismContext getPrismContext() {
        return this.prismContext;
    }

    public void setPrismContext(PrismContext prismContext) {
        this.prismContext = prismContext;
    }

    public Protector getProtector() {
        return this.protector;
    }

    public void setProtector(Protector protector) {
        this.protector = protector;
    }

    public LocalizationService getLocalizationService() {
        return this.localizationService;
    }

    public void setLocalizationService(LocalizationService localizationService) {
        this.localizationService = localizationService;
    }

    public OperationalDataManager getMetadataManager() {
        return this.metadataManager;
    }

    public void setMetadataManager(OperationalDataManager operationalDataManager) {
        this.metadataManager = operationalDataManager;
    }

    public ValuePolicyProcessor getValuePolicyProcessor() {
        return this.valuePolicyProcessor;
    }

    public void setValuePolicyProcessor(ValuePolicyProcessor valuePolicyProcessor) {
        this.valuePolicyProcessor = valuePolicyProcessor;
    }

    public ModelObjectResolver getResolver() {
        return this.resolver;
    }

    public void setResolver(ModelObjectResolver modelObjectResolver) {
        this.resolver = modelObjectResolver;
    }

    public LensContext<UserType> getContext() {
        return this.context;
    }

    public void setContext(LensContext<UserType> lensContext) {
        this.context = lensContext;
    }

    /** Timestamp used for metadata and history entries created by this evaluator. */
    public XMLGregorianCalendar getNow() {
        return this.now;
    }

    public void setNow(XMLGregorianCalendar xMLGregorianCalendar) {
        this.now = xMLGregorianCalendar;
    }

    public Task getTask() {
        return this.task;
    }

    public void setTask(Task task) {
        this.task = task;
    }

    /** Operation result that receives the per-value validation subresults. */
    public OperationResult getResult() {
        return this.result;
    }

    public void setResult(OperationResult operationResult) {
        this.result = operationResult;
    }

    /** Path of the credential container inside the focus object (e.g. credentials/password). */
    protected abstract ItemPath getCredentialsContainerPath();

    /** Path of the credential value, relative to the credential container; defaults to {@code value}. */
    protected ItemPath getCredentialRelativeValuePath() {
        return CREDENTIAL_RELATIVE_VALUE_PATH;
    }

    /** Absolute path of the credential value: container path + relative value path. */
    protected ItemPath getCredentialValuePath() {
        return getCredentialsContainerPath().subPath(getCredentialRelativeValuePath());
    }

    /** Name used in log messages and in the evaluator's short description. */
    protected abstract String getCredentialHumanReadableName();

    /** Suffix of the localization key used for policy violation messages. */
    protected abstract String getCredentialHumanReadableKey();

    /**
     * Whether this credential keeps a history of previous values. Defaults to {@code false};
     * when {@code true}, {@link #process()} also emits history add/delete deltas.
     */
    protected boolean supportsHistory() {
        return false;
    }

    /**
     * Returns the effective credential policy, resolving it on first call via
     * {@link #determineEffectiveCredentialPolicy()} and caching the result (a {@code null}
     * result is not cached and is re-resolved on the next call).
     *
     * @throws SchemaException propagated from the resolution
     */
    protected P getCredentialPolicy() throws SchemaException {
        if (this.credentialPolicy == null) {
            this.credentialPolicy = determineEffectiveCredentialPolicy();
        }
        return this.credentialPolicy;
    }

    /** Resolves the policy that applies to this credential for the current focus. */
    protected abstract P determineEffectiveCredentialPolicy() throws SchemaException;

    /* JADX INFO: Access modifiers changed from: protected */
    /** Security policy attached to the focus context. */
    public SecurityPolicyType getSecurityPolicy() {
        return this.context.getFocusContext().getSecurityPolicy();
    }

    /**
     * Lazily builds the value policy evaluator used for all value checks. It is configured
     * with the current timestamp, origin resolver, protector, security policy, task, the
     * credential value path and the value policy processor; when the old focus object has a
     * credential container, its value is passed as the "old credential" (used e.g. for
     * history/reuse checks - see ObjectValuePolicyEvaluator). The instance is cached.
     */
    private ObjectValuePolicyEvaluator getObjectValuePolicyEvaluator() {
        if (this.objectValuePolicyEvaluator == null) {
            UserValuePolicyOriginResolver originResolver = getOriginResolver();
            this.objectValuePolicyEvaluator = new ObjectValuePolicyEvaluator();
            this.objectValuePolicyEvaluator.setNow(this.now);
            this.objectValuePolicyEvaluator.setOriginResolver(originResolver);
            this.objectValuePolicyEvaluator.setProtector(this.protector);
            this.objectValuePolicyEvaluator.setSecurityPolicy(getSecurityPolicy());
            this.objectValuePolicyEvaluator.setShortDesc(getCredentialHumanReadableName() + " for " + originResolver.getObject());
            this.objectValuePolicyEvaluator.setTask(this.task);
            this.objectValuePolicyEvaluator.setValueItemPath(getCredentialValuePath());
            this.objectValuePolicyEvaluator.setValuePolicyProcessor(this.valuePolicyProcessor);
            PrismContainer<R> oldCredentialContainer = getOldCredentialContainer();
            if (oldCredentialContainer != null) {
                this.objectValuePolicyEvaluator.setOldCredentialType(oldCredentialContainer.getRealValue());
            }
        }
        return this.objectValuePolicyEvaluator;
    }

    /** Origin resolver bound to whichever focus object is available (old or new) and the model resolver. */
    private UserValuePolicyOriginResolver getOriginResolver() {
        return new UserValuePolicyOriginResolver(this.context.getFocusContext().getObjectAny(), this.resolver);
    }

    /* JADX WARN: Multi-variable type inference failed */
    /**
     * Entry point: enforces the credential policy according to the kind of focus change.
     *
     * <ul>
     *   <li>ADD: skipped if the addition was already executed; otherwise every value of the
     *       credential container in the object gets metadata and is validated, then the
     *       minimum-occurs constraint is checked (the container may be absent).</li>
     *   <li>DELETE (or no add/modify/delete at all): nothing is checked.</li>
     *   <li>MODIFY: values added or replaced through a container delta are validated;
     *       a replace or delete of the container, or a value-level delta below it, triggers a
     *       minimum-occurs re-check on the new object. A value-level delta is validated via
     *       {@link #processValueDelta(ObjectDelta)} and gets a modify-metadata delta.
     *       Any added/replaced value finally triggers the history deltas.</li>
     * </ul>
     *
     * Note that the policy is only applied to values present in the delta; values that are
     * deleted are not validated.
     *
     * @throws PolicyViolationException when a value or the value count violates the policy
     * @throws IllegalStateException when the new object cannot be (re)computed
     */
    public void process() throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, PolicyViolationException, CommunicationException, ConfigurationException, SecurityViolationException {
        LensFocusContext<UserType> focusContext = this.context.getFocusContext();
        PrismObject<UserType> objectAny = focusContext.getObjectAny();
        if (focusContext.isAdd()) {
            if (focusContext.wasAddExecuted()) {
                LOGGER.trace("Skipping processing {} policies. User addition was already executed.", getCredentialHumanReadableName());
                return;
            }
            Item findContainer = objectAny.findContainer(getCredentialsContainerPath());
            if (findContainer != null) {
                Iterator it = findContainer.getValues().iterator();
                while (it.hasNext()) {
                    processCredentialContainerValue(objectAny, (PrismContainerValue) it.next());
                }
            }
            // findContainer may be null here; getValuesCount() is expected to tolerate that.
            validateMinOccurs(findContainer);
            return;
        }
        if (!focusContext.isModify()) {
            if (focusContext.isDelete()) {
                LOGGER.trace("Skipping processing {} policies. User will be deleted.", getCredentialHumanReadableName());
                return;
            }
            return;
        }
        // z: a credential value was added or replaced -> history deltas are needed.
        boolean z = false;
        // z2: the container content may have changed/shrunk -> minimum-occurs re-check.
        boolean z2 = false;
        ObjectDelta<UserType> delta = focusContext.getDelta();
        ItemDelta findContainerDelta = delta.findContainerDelta(getCredentialsContainerPath());
        if (findContainerDelta != null) {
            if (findContainerDelta.isAdd()) {
                Iterator it2 = findContainerDelta.getValuesToAdd().iterator();
                while (it2.hasNext()) {
                    z = true;
                    processCredentialContainerValue(objectAny, (PrismContainerValue) it2.next());
                }
            }
            if (findContainerDelta.isReplace()) {
                Iterator it3 = findContainerDelta.getValuesToReplace().iterator();
                while (it3.hasNext()) {
                    z = true;
                    processCredentialContainerValue(objectAny, (PrismContainerValue) it3.next());
                }
                z2 = true;
            }
            if (findContainerDelta.isDelete()) {
                z2 = true;
            }
        } else if (hasValueDelta(delta, getCredentialsContainerPath())) {
            // Delta targets an item below the container (e.g. the value property itself).
            z = true;
            z2 = true;
            processValueDelta(delta);
            addMetadataDelta();
        }
        if (z2) {
            PrismObject<UserType> objectNew = focusContext.getObjectNew();
            if (objectNew == null) {
                focusContext.recompute();
                objectNew = focusContext.getObjectNew();
                if (objectNew == null) {
                    throw new IllegalStateException("Unexpected null objectNew in " + focusContext);
                }
            }
            // Always true at this point (the null case threw above); kept from the original.
            if (objectNew != null) {
                validateMinOccurs(objectNew.findContainer(getCredentialsContainerPath()));
            }
        }
        if (z) {
            addHistoryDeltas();
        }
    }

    /**
     * Handles one credential container value being added/replaced: ensures it carries
     * creation metadata, then validates its value(s) against the policy.
     *
     * @param prismObject focus object the value belongs to (unused here; available to subclasses)
     */
    protected void processCredentialContainerValue(PrismObject<UserType> prismObject, PrismContainerValue<R> prismContainerValue) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, PolicyViolationException, CommunicationException, ConfigurationException, SecurityViolationException {
        addMissingMetadata(prismContainerValue);
        validateCredentialContainerValues(prismContainerValue);
    }

    /**
     * Number of non-null credential values under the container (at the relative value path).
     * process() passes a possibly-null container here, so Item.getAllValues() is presumably
     * null-tolerant - verify against prism if this is ever changed.
     */
    protected int getValuesCount(PrismContainer<R> prismContainer) {
        return MiscUtil.nonNullValues(Item.getAllValues(prismContainer, getCredentialRelativeValuePath())).size();
    }

    /** Checks the policy's minimum-occurs constraint against the current value count. */
    private void validateMinOccurs(PrismContainer<R> prismContainer) throws SchemaException, PolicyViolationException {
        processValidationResult(getObjectValuePolicyEvaluator().validateMinOccurs(getValuesCount(prismContainer)));
    }

    /**
     * Validates the values of a property delta targeting the credential value path.
     * Only values to add and values to replace are validated; the absence of such a
     * delta is logged and ignored.
     */
    protected void processValueDelta(ObjectDelta<UserType> objectDelta) throws PolicyViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        ItemDelta findPropertyDelta = objectDelta.findPropertyDelta(getCredentialValuePath());
        if (findPropertyDelta == null) {
            LOGGER.trace("Skipping processing {} policies. User delta does not contain value change.", getCredentialHumanReadableName());
        } else {
            processPropertyValueCollection(findPropertyDelta.getValuesToAdd());
            processPropertyValueCollection(findPropertyDelta.getValuesToReplace());
        }
    }

    /** Validates every protected string in the collection; a null collection is a no-op. */
    private void processPropertyValueCollection(Collection<PrismPropertyValue<ProtectedStringType>> collection) throws PolicyViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        if (collection == null) {
            return;
        }
        Iterator<PrismPropertyValue<ProtectedStringType>> it = collection.iterator();
        while (it.hasNext()) {
            validateProtectedStringValue(it.next().getValue());
        }
    }

    /** Validates every value of the value property inside one credential container value. */
    protected void validateCredentialContainerValues(PrismContainerValue<R> prismContainerValue) throws PolicyViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        Item findProperty = prismContainerValue.findProperty(getCredentialRelativeValuePath());
        if (findProperty != null) {
            Iterator it = findProperty.getValues().iterator();
            while (it.hasNext()) {
                validateProtectedStringValue((ProtectedStringType) ((PrismPropertyValue) it.next()).getValue());
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Validates a single credential value against the value policy and raises a
     * {@link PolicyViolationException} if it is not acceptable.
     */
    public void validateProtectedStringValue(ProtectedStringType protectedStringType) throws PolicyViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        processValidationResult(getObjectValuePolicyEvaluator().validateProtectedStringValue(protectedStringType));
    }

    /**
     * Records the validation subresult and, if it is not acceptable, throws a localized
     * {@link PolicyViolationException}. The message key is
     * {@code PolicyViolationException.message.credentials.<key>} with the evaluator's
     * user-friendly message as its argument; the credential value itself is not included.
     */
    private void processValidationResult(OperationResult operationResult) throws PolicyViolationException {
        this.result.addSubresult(operationResult);
        if (operationResult.isAcceptable()) {
            return;
        }
        throw ((PolicyViolationException) this.localizationService.translate((LocalizationService) new PolicyViolationException(new LocalizableMessageBuilder().key("PolicyViolationException.message.credentials." + getCredentialHumanReadableKey()).arg(operationResult.getUserFriendlyMessage()).build())));
    }

    /**
     * Adds "modify" metadata deltas (as produced by the metadata manager for the
     * container's metadata path) to the focus secondary delta.
     */
    private void addMetadataDelta() throws SchemaException {
        Iterator<ItemDelta<?, ?>> it = this.metadataManager.createModifyMetadataDeltas(this.context, getCredentialsContainerPath().subPath(AbstractCredentialType.F_METADATA), this.context.getFocusClass(), this.now, this.task).iterator();
        while (it.hasNext()) {
            this.context.getFocusContext().swallowToSecondaryDelta(it.next());
        }
    }

    /**
     * Adds "create" metadata to the focus secondary delta for a container value that
     * carries a credential value change but has no metadata item yet.
     */
    private void addMissingMetadata(PrismContainerValue<R> prismContainerValue) throws SchemaException {
        if (!hasValueChange(prismContainerValue) || hasMetadata(prismContainerValue)) {
            return;
        }
        this.context.getFocusContext().swallowToSecondaryDelta(ContainerDelta.createModificationAdd(getCredentialsContainerPath().subPath(AbstractCredentialType.F_METADATA), UserType.class, this.prismContext, this.metadataManager.createCreateMetadata(this.context, this.now, this.task)));
    }

    /**
     * Whether the delta modifies something below {@code itemPath} whose first residual
     * path segment is a credential value element (see {@link #isValueElement(QName)}).
     * Returns {@code false} for a null delta. The type parameter {@code F} is unused.
     */
    private <F extends FocusType> boolean hasValueDelta(ObjectDelta<UserType> objectDelta, ItemPath itemPath) {
        if (objectDelta == null) {
            return false;
        }
        Iterator it = objectDelta.findPartial(itemPath).iterator();
        while (it.hasNext()) {
            PartiallyResolvedDelta partiallyResolvedDelta = (PartiallyResolvedDelta) it.next();
            if (LOGGER.isTraceEnabled()) {
                // NOTE(review): dumps the whole residual delta, which can carry the credential
                // value; confirm debugDump() masks protected values before relying on TRACE logs.
                LOGGER.trace("Residual delta:\n{}", partiallyResolvedDelta.debugDump());
            }
            ItemPath residualPath = partiallyResolvedDelta.getResidualPath();
            if (residualPath != null && !residualPath.isEmpty()) {
                LOGGER.trace("PATH: {}", residualPath);
                QName firstName = ItemPath.getFirstName(residualPath);
                LOGGER.trace("NAME: {}", firstName);
                if (isValueElement(firstName)) {
                    return true;
                }
            }
        }
        return false;
    }

    /** Whether the container value contains at least one credential value element. */
    private boolean hasValueChange(PrismContainerValue<R> prismContainerValue) {
        Iterator<Item<?, ?>> it = prismContainerValue.getItems().iterator();
        while (it.hasNext()) {
            if (isValueElement(it.next().getElementName())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Treats every item of the credential container as a "value" element except the
     * bookkeeping ones (failed logins, last failed/successful login, previous successful
     * login, metadata) - changes to those alone must not trigger policy checks or history.
     * The argument must not be null.
     */
    private boolean isValueElement(QName qName) {
        return (qName.equals(AbstractCredentialType.F_FAILED_LOGINS) || qName.equals(AbstractCredentialType.F_LAST_FAILED_LOGIN) || qName.equals(AbstractCredentialType.F_LAST_SUCCESSFUL_LOGIN) || qName.equals(AbstractCredentialType.F_METADATA) || qName.equals(AbstractCredentialType.F_PREVIOUS_SUCCESSFUL_LOGIN)) ? false : true;
    }

    /** Whether the container value already has a metadata item. */
    private boolean hasMetadata(PrismContainerValue<R> prismContainerValue) {
        Iterator<Item<?, ?>> it = prismContainerValue.getItems().iterator();
        while (it.hasNext()) {
            if (it.next().getElementName().equals(AbstractCredentialType.F_METADATA)) {
                return true;
            }
        }
        return false;
    }

    /** Credential container of the old focus object, or {@code null} when there is no old object. */
    protected PrismContainer<R> getOldCredentialContainer() {
        PrismObject<UserType> objectOld = this.context.getFocusContext().getObjectOld();
        if (objectOld == null) {
            return null;
        }
        return (PrismContainer<R>) objectOld.findContainer(getCredentialsContainerPath());
    }

    /**
     * Maintains the credential history when {@link #supportsHistory()} is true: the old
     * value is pushed into the history (only if the policy's history length is greater
     * than 1) and surplus entries are scheduled for deletion. Nothing is done without an
     * old credential container.
     */
    private void addHistoryDeltas() throws SchemaException {
        if (supportsHistory()) {
            int credentialHistoryLength = SecurityUtil.getCredentialHistoryLength(getCredentialPolicy());
            PrismContainer<R> oldCredentialContainer = getOldCredentialContainer();
            if (oldCredentialContainer == null) {
                return;
            }
            // Number of history entries added by this run (0 or 1).
            int i = 0;
            if (credentialHistoryLength > 1) {
                i = createAddHistoryDelta(oldCredentialContainer);
            }
            createDeleteHistoryDeltasIfNeeded(credentialHistoryLength, i, oldCredentialContainer);
        }
    }

    /**
     * Creates a secondary delta adding the old credential value as a history entry.
     * The value is cloned and transformed for storage according to the policy's
     * {@code historyStorageMethod}, defaulting to HASHING when unspecified, so plaintext
     * never reaches the history. The entry copies the old metadata and is stamped with
     * {@code now}. Note the target path is hard-coded to credentials/password/historyEntry
     * rather than derived from {@link #getCredentialsContainerPath()}.
     *
     * @return 1 if an entry was added, 0 if the old container has no value property
     */
    private <F extends FocusType> int createAddHistoryDelta(PrismContainer<R> prismContainer) throws SchemaException {
        MetadataType metadata = prismContainer.getValue().asContainerable().getMetadata();
        Item findProperty = prismContainer.findProperty(getCredentialRelativeValuePath());
        if (findProperty == null) {
            return 0;
        }
        ProtectedStringType m2599clone = ((ProtectedStringType) findProperty.getRealValue()).m2599clone();
        CredentialsStorageTypeType credentialStorageTypeType = SecurityUtil.getCredentialStorageTypeType(getCredentialPolicy().getHistoryStorageMethod());
        if (credentialStorageTypeType == null) {
            credentialStorageTypeType = CredentialsStorageTypeType.HASHING;
        }
        prepareProtectedStringForStorage(m2599clone, credentialStorageTypeType);
        PasswordHistoryEntryType passwordHistoryEntryType = (PasswordHistoryEntryType) prismContainer.getDefinition().findContainerDefinition(PasswordType.F_HISTORY_ENTRY).instantiate().createNewValue().asContainerable();
        passwordHistoryEntryType.setValue(m2599clone);
        passwordHistoryEntryType.setMetadata(metadata == null ? null : metadata.m1958clone());
        passwordHistoryEntryType.setChangeTimestamp(this.now);
        this.context.getFocusContext().swallowToSecondaryDelta(ContainerDelta.createModificationAdd(new ItemPath(UserType.F_CREDENTIALS, CredentialsType.F_PASSWORD, PasswordType.F_HISTORY_ENTRY), UserType.class, this.prismContext, passwordHistoryEntryType.m2054clone()));
        return 1;
    }

    /**
     * Creates secondary deltas deleting history entries so that the history does not
     * exceed the configured length.
     *
     * @param i  configured history length
     * @param i2 number of entries added in this run
     * @param prismContainer old credential container whose history entries are inspected
     */
    private <F extends FocusType> void createDeleteHistoryDeltasIfNeeded(int i, int i2, PrismContainer<R> prismContainer) throws SchemaException {
        Item findOrCreateContainer = prismContainer.findOrCreateContainer(PasswordType.F_HISTORY_ENTRY);
        List values = findOrCreateContainer.getValues();
        if (findOrCreateContainer.size() == 0) {
            return;
        }
        // Entries to delete = existing - allowed + added + 1; the extra one presumably accounts
        // for the new value itself (computed from the old object) - confirm against the policy.
        int size = (findOrCreateContainer.size() - i) + i2 + 1;
        Iterator it = values.iterator();
        // Deletes from the start of the value list; nothing happens when size <= 0.
        for (int i3 = 0; it.hasNext() && i3 < size; i3++) {
            this.context.getFocusContext().swallowToSecondaryDelta(ContainerDelta.createModificationDelete(new ItemPath(UserType.F_CREDENTIALS, CredentialsType.F_PASSWORD, PasswordType.F_HISTORY_ENTRY), UserType.class, this.prismContext, ((PrismContainerValue) it.next()).mo600clone()));
        }
    }

    /**
     * Transforms a protected string in place into the requested storage form.
     * ENCRYPTION: encrypts unless already encrypted; an already hashed value cannot be
     * turned into an encrypted one and is rejected. HASHING: hashes unless already hashed.
     * NONE and unknown types are rejected.
     *
     * @throws SchemaException for a hashed value with ENCRYPTION, for NONE, or for an unknown type
     * @throws SystemException wrapping any {@link EncryptionException} from the protector
     */
    private void prepareProtectedStringForStorage(ProtectedStringType protectedStringType, CredentialsStorageTypeType credentialsStorageTypeType) throws SchemaException {
        try {
            switch (credentialsStorageTypeType) {
                case ENCRYPTION:
                    if (!protectedStringType.isEncrypted()) {
                        if (!protectedStringType.isHashed()) {
                            this.protector.encrypt(protectedStringType);
                            break;
                        } else {
                            throw new SchemaException("Cannot store hashed value in an encrypted form");
                        }
                    } else {
                        break;
                    }
                case HASHING:
                    if (!protectedStringType.isHashed()) {
                        this.protector.hash(protectedStringType);
                        break;
                    } else {
                        break;
                    }
                case NONE:
                    throw new SchemaException("Cannot store value on NONE storage form");
                default:
                    throw new SchemaException("Unknown storage type: " + credentialsStorageTypeType);
            }
        } catch (EncryptionException e) {
            throw new SystemException(e.getMessage(), e);
        }
    }
}
