package com.evolveum.midpoint.model.impl.lens.projector.credentials;

import com.evolveum.midpoint.common.refinery.RefinedObjectClassDefinition;
import com.evolveum.midpoint.model.api.context.SynchronizationPolicyDecision;
import com.evolveum.midpoint.model.common.mapping.MappingFactory;
import com.evolveum.midpoint.model.common.stringpolicy.ShadowValuePolicyOriginResolver;
import com.evolveum.midpoint.model.common.stringpolicy.ValuePolicyProcessor;
import com.evolveum.midpoint.model.impl.ModelObjectResolver;
import com.evolveum.midpoint.model.impl.lens.LensContext;
import com.evolveum.midpoint.model.impl.lens.LensFocusContext;
import com.evolveum.midpoint.model.impl.lens.LensProjectionContext;
import com.evolveum.midpoint.model.impl.lens.OperationalDataManager;
import com.evolveum.midpoint.model.impl.lens.projector.ContextLoader;
import com.evolveum.midpoint.model.impl.lens.projector.MappingEvaluator;
import com.evolveum.midpoint.model.impl.lens.projector.MappingTimeEval;
import com.evolveum.midpoint.prism.ItemDefinition;
import com.evolveum.midpoint.prism.OriginType;
import com.evolveum.midpoint.prism.PrismContext;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.PrismProperty;
import com.evolveum.midpoint.prism.PrismPropertyDefinition;
import com.evolveum.midpoint.prism.PrismPropertyValue;
import com.evolveum.midpoint.prism.crypto.EncryptionException;
import com.evolveum.midpoint.prism.crypto.Protector;
import com.evolveum.midpoint.prism.delta.ChangeType;
import com.evolveum.midpoint.prism.delta.ContainerDelta;
import com.evolveum.midpoint.prism.delta.ItemDelta;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.delta.PrismValueDeltaSetTriple;
import com.evolveum.midpoint.prism.delta.PropertyDelta;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.repo.common.expression.ItemDeltaItem;
import com.evolveum.midpoint.repo.common.expression.Source;
import com.evolveum.midpoint.repo.common.expression.ValuePolicyResolver;
import com.evolveum.midpoint.schema.ResourceShadowDiscriminator;
import com.evolveum.midpoint.schema.constants.ExpressionConstants;
import com.evolveum.midpoint.schema.constants.SchemaConstants;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.util.ResourceTypeUtil;
import com.evolveum.midpoint.security.api.SecurityUtil;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.util.LocalizableMessageBuilder;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.PolicyViolationException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.exception.SystemException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.MappingType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.MetadataType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ValuePolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.VariableBindingDefinitionType;
import com.evolveum.midpoint.xml.ns._public.resource.capabilities_3.CredentialsCapabilityType;
import com.evolveum.midpoint.xml.ns._public.resource.capabilities_3.PasswordCapabilityType;
import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import javax.xml.datatype.XMLGregorianCalendar;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

@Component
/* loaded from: input_file:WEB-INF/lib/model-impl-3.8.1-SNAPSHOT.jar:com/evolveum/midpoint/model/impl/lens/projector/credentials/ProjectionCredentialsProcessor.class */
public class ProjectionCredentialsProcessor {
    private static final Trace LOGGER = TraceManager.getTrace(ProjectionCredentialsProcessor.class);

    @Autowired
    private PrismContext prismContext;

    @Autowired
    private ContextLoader contextLoader;

    @Autowired
    private MappingFactory mappingFactory;

    @Autowired
    private MappingEvaluator mappingEvaluator;

    @Autowired
    private ValuePolicyProcessor valuePolicyProcessor;

    @Autowired
    private Protector protector;

    @Autowired
    private OperationalDataManager operationalDataManager;

    @Autowired
    private ModelObjectResolver modelObjectResolver;

    public <F extends ObjectType> void processProjectionCredentials(LensContext<F> lensContext, LensProjectionContext lensProjectionContext, XMLGregorianCalendar xMLGregorianCalendar, Task task, OperationResult operationResult) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, PolicyViolationException, CommunicationException, ConfigurationException, SecurityViolationException {
        LensFocusContext<F> focusContext;
        if (lensProjectionContext.isDelete() || (focusContext = lensContext.getFocusContext()) == null || !FocusType.class.isAssignableFrom(focusContext.getObjectTypeClass())) {
            return;
        }
        processProjectionCredentialsFocus(lensContext, lensProjectionContext, xMLGregorianCalendar, task, operationResult);
    }

    private <F extends FocusType> void processProjectionCredentialsFocus(LensContext<F> lensContext, LensProjectionContext lensProjectionContext, XMLGregorianCalendar xMLGregorianCalendar, Task task, OperationResult operationResult) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, PolicyViolationException, CommunicationException, ConfigurationException, SecurityViolationException {
        ValuePolicyType determinePasswordPolicy = determinePasswordPolicy(lensContext, lensProjectionContext, xMLGregorianCalendar, task, operationResult);
        processProjectionPasswordMapping(lensContext, lensProjectionContext, determinePasswordPolicy, xMLGregorianCalendar, task, operationResult);
        validateProjectionPassword(lensContext, lensProjectionContext, determinePasswordPolicy, xMLGregorianCalendar, task, operationResult);
        applyMetadata(lensContext, lensProjectionContext, xMLGregorianCalendar, task, operationResult);
    }

    private <F extends FocusType> void processProjectionPasswordMapping(LensContext<F> lensContext, LensProjectionContext lensProjectionContext, final ValuePolicyType valuePolicyType, XMLGregorianCalendar xMLGregorianCalendar, Task task, OperationResult operationResult) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException {
        LensFocusContext<F> focusContext = lensContext.getFocusContext();
        if (focusContext.getObjectNew() == null) {
            LOGGER.trace("userNew is null, skipping credentials processing");
            return;
        }
        PrismPropertyDefinition findPropertyDefinition = this.prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(ShadowType.class).findPropertyDefinition(SchemaConstants.PATH_PASSWORD_VALUE);
        ResourceShadowDiscriminator resourceShadowDiscriminator = lensProjectionContext.getResourceShadowDiscriminator();
        RefinedObjectClassDefinition structuralObjectClassDefinition = lensProjectionContext.getStructuralObjectClassDefinition();
        if (structuralObjectClassDefinition == null) {
            LOGGER.trace("No RefinedObjectClassDefinition, therefore also no password outbound definition, skipping credentials processing for projection {}", resourceShadowDiscriminator);
            return;
        }
        List<MappingType> passwordOutbound = structuralObjectClassDefinition.getPasswordOutbound();
        if (passwordOutbound == null || passwordOutbound.isEmpty()) {
            LOGGER.trace("No outbound password mapping for {}, skipping credentials processing", resourceShadowDiscriminator);
            return;
        }
        if (!lensProjectionContext.isDoReconciliation() && !lensProjectionContext.isAdd() && !isActivated(passwordOutbound, focusContext.getDelta())) {
            LOGGER.trace("Outbound password mappings not activated for type {}, skipping credentials processing", resourceShadowDiscriminator);
            return;
        }
        ObjectDelta<ShadowType> delta = lensProjectionContext.getDelta();
        checkExistingDeltaSanity(lensProjectionContext, (delta == null || delta.getChangeType() != ChangeType.MODIFY) ? null : delta.findPropertyDelta(SchemaConstants.PATH_PASSWORD_VALUE));
        boolean evaluateWeak = getEvaluateWeak(lensProjectionContext);
        ItemDeltaItem<IV, ID> findIdi = focusContext.getObjectDeltaObject().findIdi(SchemaConstants.PATH_PASSWORD_VALUE);
        ValuePolicyResolver valuePolicyResolver = new ValuePolicyResolver() { // from class: com.evolveum.midpoint.model.impl.lens.projector.credentials.ProjectionCredentialsProcessor.1
            @Override // com.evolveum.midpoint.repo.common.expression.ValuePolicyResolver
            public void setOutputPath(ItemPath itemPath) {
            }

            @Override // com.evolveum.midpoint.repo.common.expression.ValuePolicyResolver
            public void setOutputDefinition(ItemDefinition itemDefinition) {
            }

            @Override // com.evolveum.midpoint.repo.common.expression.ValuePolicyResolver
            public ValuePolicyType resolve() {
                return valuePolicyType;
            }
        };
        this.mappingEvaluator.evaluateOutboundMapping(lensContext, lensProjectionContext, passwordOutbound, SchemaConstants.PATH_PASSWORD_VALUE, SchemaConstants.PATH_PASSWORD_VALUE, builder -> {
            builder.defaultTargetDefinition(findPropertyDefinition);
            builder.defaultSource(new Source<>(findIdi, ExpressionConstants.VAR_INPUT));
            builder.valuePolicyResolver(valuePolicyResolver);
            return builder;
        }, (itemPath, mappingOutputStruct) -> {
            ObjectDelta<ShadowType> primaryDelta;
            PrismValueDeltaSetTriple outputTriple = mappingOutputStruct.getOutputTriple();
            if (outputTriple == null) {
                LOGGER.trace("Credentials 'password' expression resulted in null output triple, skipping credentials processing for {}", resourceShadowDiscriminator);
                return false;
            }
            boolean z = delta != null && (delta.getChangeType() == ChangeType.ADD || lensProjectionContext.getSynchronizationPolicyDecision() == SynchronizationPolicyDecision.ADD);
            outputTriple.getPlusSet();
            if (canGetCleartext(z ? outputTriple.getNonNegativeValues() : outputTriple.getPlusSet()) || (primaryDelta = lensProjectionContext.getPrimaryDelta()) == null || primaryDelta.findPropertyDelta(SchemaConstants.PATH_PASSWORD_VALUE) == null) {
                return true;
            }
            LOGGER.trace("We have primary password delta in projection, skipping credentials processing");
            return false;
        }, xMLGregorianCalendar, MappingTimeEval.CURRENT, evaluateWeak, "password mapping", task, operationResult);
    }

    private <F extends FocusType> boolean isActivated(List<MappingType> list, ObjectDelta<F> objectDelta) {
        if (objectDelta == null) {
            return false;
        }
        Iterator<MappingType> it = list.iterator();
        while (it.hasNext()) {
            List<VariableBindingDefinitionType> source = it.next().getSource();
            if (source.isEmpty() && objectDelta.hasItemDelta(SchemaConstants.PATH_PASSWORD_VALUE)) {
                return true;
            }
            Iterator<VariableBindingDefinitionType> it2 = source.iterator();
            while (it2.hasNext()) {
                if (objectDelta.hasItemDelta(it2.next().getPath().getItemPath().stripVariableSegment())) {
                    return true;
                }
            }
        }
        return false;
    }

    private boolean canGetCleartext(Collection<PrismPropertyValue<ProtectedStringType>> collection) {
        if (collection == null) {
            return false;
        }
        Iterator<PrismPropertyValue<ProtectedStringType>> it = collection.iterator();
        while (it.hasNext()) {
            if (it.next().getValue().canGetCleartext()) {
                return true;
            }
        }
        return false;
    }

    private boolean getEvaluateWeak(LensProjectionContext lensProjectionContext) {
        PasswordCapabilityType password;
        Boolean isReadable;
        CredentialsCapabilityType credentialsCapabilityType = (CredentialsCapabilityType) ResourceTypeUtil.getEffectiveCapability(lensProjectionContext.getResource(), CredentialsCapabilityType.class);
        if (credentialsCapabilityType == null || (password = credentialsCapabilityType.getPassword()) == null || password.isEnabled() == Boolean.FALSE || (isReadable = password.isReadable()) == null || !isReadable.booleanValue()) {
            return lensProjectionContext.isAdd();
        }
        return true;
    }

    private <F extends FocusType> void validateProjectionPassword(LensContext<F> lensContext, LensProjectionContext lensProjectionContext, ValuePolicyType valuePolicyType, XMLGregorianCalendar xMLGregorianCalendar, Task task, OperationResult operationResult) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, PolicyViolationException, CommunicationException, ConfigurationException, SecurityViolationException {
        if (valuePolicyType == null) {
            LOGGER.trace("Skipping processing password policies. Password policy not specified.");
            return;
        }
        ObjectDelta<ShadowType> delta = lensProjectionContext.getDelta();
        if (delta == null) {
            LOGGER.trace("Skipping processing password policies. Shadow delta not specified.");
            return;
        }
        if (delta.isDelete()) {
            return;
        }
        PrismObject<ShadowType> prismObject = null;
        PrismProperty<ProtectedStringType> prismProperty = null;
        if (delta.isAdd()) {
            prismObject = delta.getObjectToAdd();
            if (prismObject != null) {
                prismProperty = prismObject.findProperty(SchemaConstants.PATH_PASSWORD_VALUE);
            }
        }
        if (delta.isModify() || prismProperty == null) {
            ItemDelta findPropertyDelta = delta.findPropertyDelta(SchemaConstants.PATH_PASSWORD_VALUE);
            if (delta.getChangeType() == ChangeType.MODIFY && findPropertyDelta != null && (findPropertyDelta.isAdd() || findPropertyDelta.isDelete())) {
                throw new SchemaException("Shadow password value cannot be added or deleted, it can only be replaced");
            }
            if (findPropertyDelta == null) {
                LOGGER.trace("Skipping processing password policies. Shadow delta does not contain password change.");
                return;
            }
            prismProperty = (PrismProperty) findPropertyDelta.getItemNewMatchingPath(null);
        }
        if (prismObject == null) {
            prismObject = lensProjectionContext.getObjectNew();
        }
        if (this.valuePolicyProcessor.validateValue(determinePasswordValue(prismProperty), valuePolicyType, getOriginResolver(prismObject), "projection password policy", task, operationResult)) {
            return;
        }
        operationResult.computeStatus();
        throw new PolicyViolationException(new LocalizableMessageBuilder().key("PolicyViolationException.message.projectionPassword").arg(lensProjectionContext.getHumanReadableName()).arg(operationResult.getUserFriendlyMessage()).build());
    }

    private ShadowValuePolicyOriginResolver getOriginResolver(PrismObject<ShadowType> prismObject) {
        return new ShadowValuePolicyOriginResolver(prismObject, this.modelObjectResolver);
    }

    private <F extends FocusType> void applyMetadata(LensContext<F> lensContext, LensProjectionContext lensProjectionContext, XMLGregorianCalendar xMLGregorianCalendar, Task task, OperationResult operationResult) throws SchemaException {
        ObjectDelta delta = lensProjectionContext.getDelta();
        if (lensProjectionContext.isDelete()) {
            return;
        }
        if (delta == null) {
            LOGGER.trace("Skipping application of password metadata. Shadow delta not specified.");
            return;
        }
        if (delta.findPropertyDelta(SchemaConstants.PATH_PASSWORD_VALUE) == null) {
            LOGGER.trace("Skipping application of password metadata. No password change.");
            return;
        }
        if (lensProjectionContext.isAdd()) {
            MetadataType createCreateMetadata = this.operationalDataManager.createCreateMetadata(lensContext, xMLGregorianCalendar, task);
            ItemDelta<?, ?> createDelta = ContainerDelta.createDelta(SchemaConstants.PATH_PASSWORD_METADATA, lensProjectionContext.getObjectDefinition());
            createCreateMetadata.asPrismContainerValue().setOriginTypeRecursive(OriginType.OUTBOUND);
            createDelta.addValuesToAdd(createCreateMetadata.asPrismContainerValue());
            lensProjectionContext.swallowToSecondaryDelta(createDelta);
            return;
        }
        if (lensProjectionContext.isModify() && delta.findContainerDelta(SchemaConstants.PATH_PASSWORD_METADATA) == null) {
            for (ItemDelta<?, ?> itemDelta : this.operationalDataManager.createModifyMetadataDeltas(lensContext, SchemaConstants.PATH_PASSWORD_METADATA, lensProjectionContext.getObjectTypeClass(), xMLGregorianCalendar, task)) {
                itemDelta.setOriginTypeRecursive(OriginType.OUTBOUND);
                lensProjectionContext.swallowToSecondaryDelta(itemDelta);
            }
        }
    }

    private <F extends FocusType> ValuePolicyType determinePasswordPolicy(LensContext<F> lensContext, LensProjectionContext lensProjectionContext, XMLGregorianCalendar xMLGregorianCalendar, Task task, OperationResult operationResult) {
        ValuePolicyType accountPasswordPolicy = lensProjectionContext.getAccountPasswordPolicy();
        if (accountPasswordPolicy != null) {
            return accountPasswordPolicy;
        }
        LensFocusContext<F> focusContext = lensContext.getFocusContext();
        if (focusContext == null) {
            return null;
        }
        return SecurityUtil.getPasswordPolicy(focusContext.getSecurityPolicy());
    }

    private String determinePasswordValue(PrismProperty<ProtectedStringType> prismProperty) {
        if (prismProperty == null || prismProperty.getValue(ProtectedStringType.class) == null) {
            return null;
        }
        return determinePasswordValue(prismProperty.getRealValue());
    }

    private String determinePasswordValue(ProtectedStringType protectedStringType) {
        if (protectedStringType == null) {
            return null;
        }
        String clearValue = protectedStringType.getClearValue();
        if (clearValue == null && protectedStringType.getEncryptedDataType() != null) {
            try {
                clearValue = this.protector.decryptString(protectedStringType);
            } catch (EncryptionException e) {
                throw new SystemException("Failed to process password for user: ", e);
            }
        }
        return clearValue;
    }

    private void checkExistingDeltaSanity(LensProjectionContext lensProjectionContext, PropertyDelta<ProtectedStringType> propertyDelta) throws SchemaException {
        if (propertyDelta != null) {
            if (propertyDelta.isAdd() || propertyDelta.isDelete()) {
                throw new SchemaException("Password for projection " + lensProjectionContext.getResourceShadowDiscriminator() + " cannot be added or deleted, it can only be replaced");
            }
        }
    }
}
