package com.evolveum.midpoint.model.common.stringpolicy;

import com.evolveum.midpoint.prism.PrismContainer;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.crypto.EncryptionException;
import com.evolveum.midpoint.prism.crypto.Protector;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.prism.path.ItemPathSegment;
import com.evolveum.midpoint.prism.path.NameItemPathSegment;
import com.evolveum.midpoint.prism.xml.XmlTypeConverter;
import com.evolveum.midpoint.prism.xml.XsdTypeMapper;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.result.OperationResultStatus;
import com.evolveum.midpoint.security.api.SecurityUtil;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.util.LocalizableMessage;
import com.evolveum.midpoint.util.LocalizableMessageBuilder;
import com.evolveum.midpoint.util.LocalizableMessageList;
import com.evolveum.midpoint.util.LocalizableMessageListBuilder;
import com.evolveum.midpoint.util.QNameUtil;
import com.evolveum.midpoint.util.SingleLocalizableMessage;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.exception.SystemException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractCredentialType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.MetadataType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordHistoryEntryType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ValuePolicyType;
import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
import com.ibm.icu.text.PluralRules;
import java.util.ArrayList;
import java.util.List;
import javax.xml.datatype.Duration;
import javax.xml.datatype.XMLGregorianCalendar;
import javax.xml.namespace.QName;
import org.apache.commons.lang3.ObjectUtils;
import org.jetbrains.annotations.NotNull;

/* loaded from: input_file:WEB-INF/lib/model-common-3.7.3-SNAPSHOT.jar:com/evolveum/midpoint/model/common/stringpolicy/ObjectValuePolicyEvaluator.class */
public class ObjectValuePolicyEvaluator {
    private static final Trace LOGGER = TraceManager.getTrace(ObjectValuePolicyEvaluator.class);
    public static final String OPERATION_VALIDATE_VALUE = ObjectValuePolicyEvaluator.class + ".validateValue";
    private Protector protector;
    private ValuePolicyProcessor valuePolicyProcessor;
    private SecurityPolicyType securityPolicy;
    private XMLGregorianCalendar now;
    private ItemPath valueItemPath;
    private AbstractValuePolicyOriginResolver originResolver;
    private AbstractCredentialType oldCredentialType;
    private String shortDesc;
    private Task task;
    private boolean prepared = false;
    private QName credentialQName = null;
    private CredentialPolicyType credentialPolicy;
    private ValuePolicyType valuePolicy;

    public Protector getProtector() {
        return this.protector;
    }

    public void setProtector(Protector protector) {
        this.protector = protector;
    }

    public ValuePolicyProcessor getValuePolicyProcessor() {
        return this.valuePolicyProcessor;
    }

    public void setValuePolicyProcessor(ValuePolicyProcessor valuePolicyProcessor) {
        this.valuePolicyProcessor = valuePolicyProcessor;
    }

    public SecurityPolicyType getSecurityPolicy() {
        return this.securityPolicy;
    }

    public void setSecurityPolicy(SecurityPolicyType securityPolicyType) {
        this.securityPolicy = securityPolicyType;
    }

    public void setValuePolicy(ValuePolicyType valuePolicyType) {
        this.valuePolicy = valuePolicyType;
    }

    public XMLGregorianCalendar getNow() {
        return this.now;
    }

    public void setNow(XMLGregorianCalendar xMLGregorianCalendar) {
        this.now = xMLGregorianCalendar;
    }

    public ItemPath getValueItemPath() {
        return this.valueItemPath;
    }

    public void setValueItemPath(ItemPath itemPath) {
        this.valueItemPath = itemPath;
    }

    public AbstractValuePolicyOriginResolver getOriginResolver() {
        return this.originResolver;
    }

    public void setOriginResolver(AbstractValuePolicyOriginResolver abstractValuePolicyOriginResolver) {
        this.originResolver = abstractValuePolicyOriginResolver;
    }

    public AbstractCredentialType getOldCredentialType() {
        return this.oldCredentialType;
    }

    public void setOldCredentialType(AbstractCredentialType abstractCredentialType) {
        this.oldCredentialType = abstractCredentialType;
    }

    public String getShortDesc() {
        return this.shortDesc;
    }

    public void setShortDesc(String str) {
        this.shortDesc = str;
    }

    public Task getTask() {
        return this.task;
    }

    public void setTask(Task task) {
        this.task = task;
    }

    public OperationResult validateProtectedStringValue(ProtectedStringType protectedStringType) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        return validateStringValue(getClearValue(protectedStringType));
    }

    public OperationResult validateStringValue(String str) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        OperationResult operationResult = new OperationResult(OPERATION_VALIDATE_VALUE);
        ArrayList arrayList = new ArrayList();
        prepare();
        validateMinAge(arrayList, operationResult);
        validateHistory(str, arrayList, operationResult);
        validateStringPolicy(str, arrayList, operationResult);
        return generateResultMessage(arrayList, operationResult);
    }

    @NotNull
    private OperationResult generateResultMessage(List<LocalizableMessage> list, OperationResult operationResult) {
        operationResult.computeStatus();
        if (!operationResult.isSuccess() && !list.isEmpty()) {
            operationResult.setUserFriendlyMessage(new LocalizableMessageListBuilder().messages(list).separator(LocalizableMessageList.SPACE).buildOptimized());
        }
        return operationResult;
    }

    public OperationResult validateMinOccurs(int i) throws SchemaException {
        OperationResult operationResult = new OperationResult(OPERATION_VALIDATE_VALUE);
        ArrayList arrayList = new ArrayList();
        prepare();
        validateMinOccurs(i, arrayList, operationResult);
        return generateResultMessage(arrayList, operationResult);
    }

    private void prepare() throws SchemaException {
        if (this.prepared) {
            return;
        }
        preparePassword();
        prepareNonce();
        prepareValuePolicy();
        this.prepared = true;
    }

    private void prepareValuePolicy() {
        ObjectReferenceType valuePolicyRef;
        PrismObject object;
        if (this.valuePolicy != null || this.credentialPolicy == null || (valuePolicyRef = this.credentialPolicy.getValuePolicyRef()) == null || (object = valuePolicyRef.asReferenceValue().getObject()) == null) {
            return;
        }
        this.valuePolicy = (ValuePolicyType) object.asObjectable();
    }

    private void preparePassword() {
        if (this.valueItemPath != null && QNameUtil.match(UserType.F_CREDENTIALS, this.valueItemPath.getFirstName())) {
            ItemPathSegment itemPathSegment = this.valueItemPath.getSegments().get(1);
            if (itemPathSegment instanceof NameItemPathSegment) {
                this.credentialQName = ((NameItemPathSegment) itemPathSegment).getName();
                if (QNameUtil.match(CredentialsType.F_PASSWORD, this.credentialQName) && this.securityPolicy != null) {
                    this.credentialPolicy = SecurityUtil.getEffectivePasswordCredentialsPolicy(this.securityPolicy);
                }
            }
        }
    }

    private void prepareNonce() throws SchemaException {
        if (QNameUtil.match(CredentialsType.F_NONCE, this.credentialQName) && this.securityPolicy != null) {
            this.credentialPolicy = SecurityUtil.getEffectiveNonceCredentialsPolicy(this.securityPolicy);
        }
    }

    private void validateMinAge(List<LocalizableMessage> list, OperationResult operationResult) {
        Duration minAge;
        MetadataType metadata;
        if (this.oldCredentialType == null || (minAge = getMinAge()) == null || (metadata = this.oldCredentialType.getMetadata()) == null) {
            return;
        }
        XMLGregorianCalendar modifyTimestamp = metadata.getModifyTimestamp();
        if (modifyTimestamp == null) {
            modifyTimestamp = metadata.getCreateTimestamp();
        }
        if (modifyTimestamp != null && XmlTypeConverter.addDuration(modifyTimestamp, minAge).compare(this.now) == 1) {
            LOGGER.trace("Password minAge violated. lastChange={}, minAge={}, now={}", modifyTimestamp, minAge, this.now);
            SingleLocalizableMessage buildKey = LocalizableMessageBuilder.buildKey("ValuePolicy.minAgeNotReached");
            operationResult.addSubresult(new OperationResult("Password minimal age", OperationResultStatus.FATAL_ERROR, buildKey));
            list.add(buildKey);
        }
    }

    private void validateStringPolicy(String str, List<LocalizableMessage> list, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        if (str == null) {
            return;
        }
        if (this.valuePolicy == null) {
            LOGGER.trace("Skipping validating {} value. Value policy not specified.", this.shortDesc);
        } else {
            this.valuePolicyProcessor.validateValue(str, this.valuePolicy, this.originResolver, list, "user " + this.shortDesc + " value policy validation", this.task, operationResult);
        }
    }

    private void validateMinOccurs(int i, List<LocalizableMessage> list, OperationResult operationResult) {
        int minOccurs = getMinOccurs();
        if (i < minOccurs) {
            SingleLocalizableMessage buildKey = minOccurs == 1 ? LocalizableMessageBuilder.buildKey("ValuePolicy.valueMustBePresent") : new LocalizableMessageBuilder().key("ValuePolicy.valuesMustBePresent").args(Integer.valueOf(minOccurs), Integer.valueOf(i)).build();
            operationResult.addSubresult(new OperationResult("minOccurs", OperationResultStatus.FATAL_ERROR, buildKey));
            list.add(buildKey);
        }
    }

    private void validateHistory(String str, List<LocalizableMessage> list, OperationResult operationResult) throws SchemaException {
        if (!QNameUtil.match(CredentialsType.F_PASSWORD, this.credentialQName)) {
            LOGGER.trace("Skipping validating {} history, only password history is supported", this.shortDesc);
            return;
        }
        int historyLength = getHistoryLength();
        if (historyLength == 0) {
            LOGGER.trace("Skipping validating {} history, because history length is set to zero", this.shortDesc);
            return;
        }
        PasswordType passwordType = (PasswordType) this.oldCredentialType;
        if (passwordType == null) {
            LOGGER.trace("Skipping validating {} history, because it is empty", this.shortDesc);
            return;
        }
        ProtectedStringType protectedStringType = new ProtectedStringType();
        protectedStringType.setClearValue(str);
        if (passwordEquals(protectedStringType, passwordType.getValue())) {
            LOGGER.trace("{} matched current value", this.shortDesc);
            appendHistoryViolationMessage(list, operationResult);
            return;
        }
        int i = 1;
        for (PasswordHistoryEntryType passwordHistoryEntryType : getSortedHistoryList(passwordType.asPrismContainerValue().findContainer(PasswordType.F_HISTORY_ENTRY), false)) {
            if (i >= historyLength) {
                return;
            }
            if (passwordEquals(protectedStringType, passwordHistoryEntryType.getValue())) {
                LOGGER.trace("Password history entry #{} matched (changed {})", Integer.valueOf(i), passwordHistoryEntryType.getChangeTimestamp());
                appendHistoryViolationMessage(list, operationResult);
                return;
            }
            i++;
        }
    }

    private int getHistoryLength() {
        return SecurityUtil.getCredentialHistoryLength(this.credentialPolicy);
    }

    private Duration getMinAge() {
        if (this.credentialPolicy == null) {
            return null;
        }
        return this.credentialPolicy.getMinAge();
    }

    private int getMinOccurs() {
        if (this.credentialPolicy == null) {
            return 0;
        }
        String minOccurs = this.credentialPolicy.getMinOccurs();
        if (minOccurs == null && this.valuePolicy != null) {
            minOccurs = this.valuePolicy.getMinOccurs();
        }
        return ((Integer) ObjectUtils.defaultIfNull(XsdTypeMapper.multiplicityToInteger(minOccurs), 0)).intValue();
    }

    private List<PasswordHistoryEntryType> getSortedHistoryList(PrismContainer<PasswordHistoryEntryType> prismContainer, boolean z) {
        if (prismContainer == null || prismContainer.isEmpty()) {
            return new ArrayList();
        }
        List<PasswordHistoryEntryType> list = (List) prismContainer.getRealValues();
        list.sort((passwordHistoryEntryType, passwordHistoryEntryType2) -> {
            XMLGregorianCalendar changeTimestamp = passwordHistoryEntryType.getChangeTimestamp();
            XMLGregorianCalendar changeTimestamp2 = passwordHistoryEntryType2.getChangeTimestamp();
            return z ? changeTimestamp.compare(changeTimestamp2) : changeTimestamp2.compare(changeTimestamp);
        });
        return list;
    }

    private void appendHistoryViolationMessage(List<LocalizableMessage> list, OperationResult operationResult) {
        SingleLocalizableMessage buildKey = LocalizableMessageBuilder.buildKey("ValuePolicy.valueRecentlyUsed");
        operationResult.addSubresult(new OperationResult("history", OperationResultStatus.FATAL_ERROR, buildKey));
        list.add(buildKey);
    }

    private String getClearValue(ProtectedStringType protectedStringType) {
        if (protectedStringType == null) {
            return null;
        }
        String clearValue = protectedStringType.getClearValue();
        if (clearValue == null && protectedStringType.isEncrypted()) {
            try {
                clearValue = this.protector.decryptString(protectedStringType);
            } catch (EncryptionException e) {
                throw new SystemException("Failed to decrypt " + this.shortDesc + PluralRules.KEYWORD_RULE_SEPARATOR + e.getMessage(), e);
            }
        }
        return clearValue;
    }

    private boolean passwordEquals(ProtectedStringType protectedStringType, ProtectedStringType protectedStringType2) throws SchemaException {
        if (protectedStringType2 == null) {
            return protectedStringType == null;
        }
        try {
            return this.protector.compare(protectedStringType, protectedStringType2);
        } catch (EncryptionException e) {
            throw new SystemException("Failed to compare " + this.shortDesc + PluralRules.KEYWORD_RULE_SEPARATOR + e.getMessage(), e);
        }
    }
}
