package com.evolveum.midpoint.model.impl.security;

import com.evolveum.midpoint.common.ActivationComputer;
import com.evolveum.midpoint.common.Clock;
import com.evolveum.midpoint.model.api.context.EvaluatedAssignmentTarget;
import com.evolveum.midpoint.model.api.util.DeputyUtils;
import com.evolveum.midpoint.model.api.util.ModelUtils;
import com.evolveum.midpoint.model.common.SystemObjectCache;
import com.evolveum.midpoint.model.common.mapping.MappingFactory;
import com.evolveum.midpoint.model.impl.UserComputer;
import com.evolveum.midpoint.model.impl.lens.AssignmentEvaluator;
import com.evolveum.midpoint.model.impl.lens.EvaluatedAssignmentImpl;
import com.evolveum.midpoint.model.impl.lens.LensContext;
import com.evolveum.midpoint.model.impl.lens.LensContextPlaceholder;
import com.evolveum.midpoint.model.impl.lens.LensUtil;
import com.evolveum.midpoint.model.impl.lens.projector.MappingEvaluator;
import com.evolveum.midpoint.prism.PrismContainerDefinition;
import com.evolveum.midpoint.prism.PrismContainerValue;
import com.evolveum.midpoint.prism.PrismContext;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.delta.PlusMinusZero;
import com.evolveum.midpoint.prism.polystring.PolyString;
import com.evolveum.midpoint.prism.query.ObjectQuery;
import com.evolveum.midpoint.prism.query.builder.QueryBuilder;
import com.evolveum.midpoint.repo.api.RepositoryService;
import com.evolveum.midpoint.repo.cache.RepositoryCache;
import com.evolveum.midpoint.repo.common.expression.ItemDeltaItem;
import com.evolveum.midpoint.repo.common.expression.ObjectDeltaObject;
import com.evolveum.midpoint.schema.SearchResultList;
import com.evolveum.midpoint.schema.constants.ObjectTypes;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.util.AdminGuiConfigTypeUtil;
import com.evolveum.midpoint.schema.util.FocusTypeUtil;
import com.evolveum.midpoint.schema.util.ObjectQueryUtil;
import com.evolveum.midpoint.schema.util.ObjectResolver;
import com.evolveum.midpoint.security.api.Authorization;
import com.evolveum.midpoint.security.api.AuthorizationTransformer;
import com.evolveum.midpoint.security.api.DelegatorWithOtherPrivilegesLimitations;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.security.api.UserProfileService;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.task.api.TaskManager;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectAlreadyExistsException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.PolicyViolationException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.exception.SystemException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractRoleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AdminGuiConfigurationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.LifecycleStateModelType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectPolicyConfigurationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemConfigurationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemObjectsType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.TaskType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.MessageSource;
import org.springframework.context.MessageSourceAware;
import org.springframework.context.support.MessageSourceAccessor;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;
import org.springframework.stereotype.Service;

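/**
 * Builds {@link MidPointPrincipal} instances from users stored in the midPoint repository.
 * <p>
 * One principal-construction path backs three entry points: plain {@link UserDetailsService}
 * lookup by user name, LDAP authentication through {@link UserDetailsContextMapper}, and
 * midPoint's own {@link UserProfileService}. A principal is assembled from the repository copy
 * of the user only: the user is recomputed, its assignments are evaluated (in login mode) and
 * the resulting authorizations, delegation limitations and admin GUI configuration are attached.
 * Nothing asserted by an authenticating directory (attributes, granted authorities) is used.
 * <p>
 * Thread-safety: the class holds no mutable per-request state beyond the injected services.
 */
@Service("userDetailsService")
/* loaded from: input_file:WEB-INF/lib/model-impl-3.8.1-SNAPSHOT.jar:com/evolveum/midpoint/model/impl/security/UserProfileServiceImpl.class */
public class UserProfileServiceImpl implements UserProfileService, UserDetailsService, UserDetailsContextMapper, MessageSourceAware {
    private static final Trace LOGGER = TraceManager.getTrace(UserProfileServiceImpl.class);

    // Operation names for the task/result objects created locally. OPERATION_GET_PRINCIPAL and
    // OPERATION_UPDATE_USER are not declared here; presumably inherited from UserProfileService.
    private static final String OPERATION_INITIALIZE_PRINCIPAL = UserProfileServiceImpl.class.getName() + ".initializePrincipalFromAssignments";
    private static final String OPERATION_RESOLVE_OWNER = UserProfileServiceImpl.class.getName() + ".resolveOwner";

    // Every user read and the single write in this class go through the cached repository.
    @Autowired
    @Qualifier("cacheRepositoryService")
    private RepositoryService repositoryService;

    @Autowired
    private ObjectResolver objectResolver;

    @Autowired
    private SystemObjectCache systemObjectCache;

    @Autowired
    private MappingFactory mappingFactory;

    @Autowired
    private MappingEvaluator mappingEvaluator;

    @Autowired
    private SecurityHelper securityHelper;

    @Autowired
    private UserComputer userComputer;

    @Autowired
    private ActivationComputer activationComputer;

    @Autowired
    private Clock clock;

    @Autowired
    private PrismContext prismContext;

    @Autowired
    private TaskManager taskManager;

    // Set by Spring via setMessageSource; not read anywhere in this class.
    private MessageSourceAccessor messages;

    @Override // org.springframework.context.MessageSourceAware
    public void setMessageSource(MessageSource messageSource) {
        this.messages = new MessageSourceAccessor(messageSource);
    }

    /**
     * Looks up a user by name and builds its principal.
     *
     * @param str user name, matched through the repository's normalized-name query
     * @return the principal for the single matching user
     * @throws ObjectNotFoundException when no user matches, or when the name is ambiguous
     *         (more than one match); both cases are deliberately indistinguishable to the caller
     * @throws SchemaException propagated from the lookup or the principal assembly
     * @throws SystemException wrapping any other failure
     */
    @Override // com.evolveum.midpoint.security.api.UserProfileService
    public MidPointPrincipal getPrincipal(String str) throws ObjectNotFoundException, SchemaException {
        OperationResult operationResult = new OperationResult(OPERATION_GET_PRINCIPAL);
        try {
            PrismObject<UserType> user = findByUsername(str, operationResult);
            if (user == null) {
                throw new ObjectNotFoundException("Couldn't find user with name '" + str + "'");
            }
            return getPrincipal(user, null, operationResult);
        } catch (ObjectNotFoundException e) {
            LOGGER.trace("Couldn't find user with name '{}', reason: {}.", str, e.getMessage(), e);
            throw e;
        } catch (SchemaException e) {
            // Declared by this method; keep it visible instead of hiding it behind SystemException.
            LOGGER.warn("Error getting user with name '{}', reason: {}.", str, e.getMessage(), e);
            throw e;
        } catch (Exception e) {
            LOGGER.warn("Error getting user with name '{}', reason: {}.", str, e.getMessage(), e);
            throw new SystemException(e.getMessage(), e);
        }
    }

    /**
     * Loads the user with the given OID and builds its principal.
     *
     * @param str user OID
     * @throws ObjectNotFoundException if no user with that OID exists
     * @throws SchemaException propagated from the repository or the principal assembly
     */
    @Override // com.evolveum.midpoint.security.api.UserProfileService
    public MidPointPrincipal getPrincipalByOid(String str) throws ObjectNotFoundException, SchemaException {
        // One result for both the read and the assembly, so the whole operation is traced together.
        OperationResult operationResult = new OperationResult(OPERATION_GET_PRINCIPAL);
        return getPrincipal(getUserByOid(str, operationResult).asPrismObject(), null, operationResult);
    }

    /**
     * Builds a principal for an already loaded user with no authorization transformer.
     *
     * @see #getPrincipal(PrismObject, AuthorizationTransformer, OperationResult)
     */
    @Override // com.evolveum.midpoint.security.api.UserProfileService
    public MidPointPrincipal getPrincipal(PrismObject<UserType> prismObject) throws SchemaException {
        return getPrincipal(prismObject, null, new OperationResult(OPERATION_GET_PRINCIPAL));
    }

    /**
     * Builds a principal for an already loaded user.
     * <p>
     * The user object is recomputed first (see {@link UserComputer}) using the lifecycle model
     * derived from the system configuration, then its assignments are evaluated to populate the
     * principal's authorizations, delegation limitations and admin GUI configuration.
     *
     * @param prismObject the user; {@code null} yields {@code null}
     * @param authorizationTransformer optional; when given, every authorization collected from
     *        the assignments is passed through it before being attached to the principal
     * @param operationResult result to record the system-configuration read under
     * @return the assembled principal, or {@code null} when {@code prismObject} is {@code null}
     * @throws SchemaException propagated from assignment evaluation
     */
    @Override // com.evolveum.midpoint.security.api.UserProfileService
    public MidPointPrincipal getPrincipal(PrismObject<UserType> prismObject, AuthorizationTransformer authorizationTransformer, OperationResult operationResult) throws SchemaException {
        if (prismObject == null) {
            return null;
        }
        PrismObject<SystemConfigurationType> systemConfiguration = getSystemConfiguration(operationResult);
        this.userComputer.recompute(prismObject, getLifecycleModel(prismObject, systemConfiguration));
        MidPointPrincipal principal = new MidPointPrincipal(prismObject.asObjectable());
        initializePrincipalFromAssignments(principal, systemConfiguration, authorizationTransformer);
        return principal;
    }

    /**
     * Reads the system configuration object.
     *
     * @return the configuration, or {@code null} if it is missing or unreadable (logged as a
     *         warning); every caller tolerates the {@code null}
     */
    private PrismObject<SystemConfigurationType> getSystemConfiguration(OperationResult operationResult) {
        try {
            return this.repositoryService.getObject(SystemConfigurationType.class, SystemObjectsType.SYSTEM_CONFIGURATION.value(), null, operationResult);
        } catch (ObjectNotFoundException | SchemaException e) {
            LOGGER.warn("No system configuration: {}", e.getMessage(), e);
            return null;
        }
    }

    /**
     * Determines the lifecycle model that applies to the user.
     *
     * @return the model, or {@code null} when there is no system configuration
     * @throws SystemException if the configuration is invalid (wraps {@link ConfigurationException})
     */
    private LifecycleStateModelType getLifecycleModel(PrismObject<UserType> prismObject, PrismObject<SystemConfigurationType> systemConfiguration) {
        if (systemConfiguration == null) {
            return null;
        }
        try {
            return ModelUtils.determineLifecycleModel(prismObject, systemConfiguration.asObjectable());
        } catch (ConfigurationException e) {
            throw new SystemException(e.getMessage(), e);
        }
    }

    /**
     * Persists the principal's in-memory user object (see {@link #save}).
     * <p>
     * Best-effort by contract: any failure is logged as a warning and swallowed, so a caller
     * never fails because the profile could not be written back.
     */
    @Override // com.evolveum.midpoint.security.api.UserProfileService
    public void updateUser(MidPointPrincipal midPointPrincipal) {
        try {
            save(midPointPrincipal, new OperationResult(OPERATION_UPDATE_USER));
        } catch (Exception e) {
            LOGGER.warn("Couldn't save user '{}, ({})', reason: {}.", midPointPrincipal.getFullName(), midPointPrincipal.getOid(), e.getMessage(), e);
        }
    }

    /**
     * Finds the single user whose normalized name matches {@code str}.
     *
     * @return the user, or {@code null} when there is no match or more than one match; an
     *         ambiguous name is never resolved to an arbitrary user, it is refused and logged
     */
    private PrismObject<UserType> findByUsername(String str, OperationResult operationResult) throws SchemaException, ObjectNotFoundException {
        ObjectQuery query = ObjectQueryUtil.createNormNameQuery(new PolyString(str), this.prismContext);
        if (LOGGER.isTraceEnabled()) {
            // debugDump() is not free; only build it when it will be emitted.
            LOGGER.trace("Looking for user, query:\n{}", query.debugDump());
        }
        SearchResultList<PrismObject<UserType>> users = this.repositoryService.searchObjects(UserType.class, query, null, operationResult);
        LOGGER.trace("Users found: {}.", users.size());
        if (users.size() > 1) {
            LOGGER.warn("Name '{}' matches {} users; refusing to pick one of them.", str, users.size());
            return null;
        }
        if (users.isEmpty()) {
            return null;
        }
        return users.get(0);
    }

    /**
     * Populates the principal from the user's assignments.
     * <p>
     * Evaluates the user's own assignments plus any forced by its lifecycle state, in login
     * mode, inside a {@link RepositoryCache} scope. For every valid evaluated assignment the
     * authorizations (optionally transformed) and admin GUI configurations are collected; for
     * every non-negative role target that is a user reached over a delegation path, the
     * delegator and its limitations are recorded on the principal. The applicable security
     * policy is attached as well.
     * <p>
     * Caveat: an assignment whose evaluation fails is logged at error level and skipped, and
     * the principal is still built. Such a failure can therefore leave the principal with fewer
     * authorizations or delegation limitations than the configuration prescribes.
     *
     * @throws SchemaException propagated from lens-context creation, forced-assignment
     *         resolution or the security-policy lookup
     */
    private void initializePrincipalFromAssignments(MidPointPrincipal principal, PrismObject<SystemConfigurationType> systemConfiguration, AuthorizationTransformer authorizationTransformer) throws SchemaException {
        UserType user = principal.getUser();
        Collection<Authorization> authorities = principal.getAuthorities();
        List<AdminGuiConfigurationType> adminGuiConfigurations = new ArrayList<>();
        Task task = this.taskManager.createTaskInstance(OPERATION_INITIALIZE_PRINCIPAL);
        OperationResult result = task.getResult();
        principal.setApplicableSecurityPolicy(this.securityHelper.locateSecurityPolicy(user.asPrismObject(), systemConfiguration, task, result));
        if (!user.getAssignment().isEmpty()) {
            LensContext<UserType> lensContext = createAuthenticationLensContext(user.asPrismObject(), systemConfiguration);
            AssignmentEvaluator<UserType> evaluator = new AssignmentEvaluator.Builder<UserType>()
                    .repository(this.repositoryService)
                    .focusOdo(new ObjectDeltaObject<>(user.asPrismObject(), null, user.asPrismObject()))
                    .channel(null)
                    .objectResolver(this.objectResolver)
                    .systemObjectCache(this.systemObjectCache)
                    .prismContext(this.prismContext)
                    .mappingFactory(this.mappingFactory)
                    .mappingEvaluator(this.mappingEvaluator)
                    .activationComputer(this.activationComputer)
                    .now(this.clock.currentTimeXMLGregorianCalendar())
                    .loginMode(true)
                    .lensContext(lensContext)
                    .build();
            Collection<AssignmentType> assignments = collectAssignmentsToEvaluate(user, lensContext, task, result);
            try {
                RepositoryCache.enter();
                for (AssignmentType assignmentType : assignments) {
                    try {
                        EvaluatedAssignmentImpl<UserType> evaluated = evaluator.evaluate(createAssignmentIdi(assignmentType), PlusMinusZero.ZERO, false, user, user.toString(), task, result);
                        applyEvaluatedAssignment(principal, evaluated, authorities, adminGuiConfigurations, authorizationTransformer);
                    } catch (CommunicationException | ConfigurationException | ExpressionEvaluationException | ObjectNotFoundException | PolicyViolationException | SchemaException | SecurityViolationException e) {
                        LOGGER.error("Error while processing assignment of {}: {}; assignment: {}", user, e.getMessage(), assignmentType, e);
                    }
                }
            } finally {
                RepositoryCache.exit();
            }
        }
        if (user.getAdminGuiConfiguration() != null) {
            adminGuiConfigurations.add(user.getAdminGuiConfiguration());
        }
        principal.setAdminGuiConfiguration(AdminGuiConfigTypeUtil.compileAdminGuiConfiguration(adminGuiConfigurations, systemConfiguration));
    }

    /**
     * Returns the user's explicit assignments plus those forced by its lifecycle state.
     * Forced assignments that cannot be resolved are logged at error level and left out.
     */
    private Collection<AssignmentType> collectAssignmentsToEvaluate(UserType user, LensContext<UserType> lensContext, Task task, OperationResult result) throws SchemaException {
        Collection<AssignmentType> assignments = new HashSet<>(user.getAssignment());
        try {
            Collection<AssignmentType> forced = LensUtil.getForcedAssignments(lensContext.getFocusContext().getLifecycleModel(), user.getLifecycleState(), this.objectResolver, this.prismContext, task, result);
            if (forced != null) {
                assignments.addAll(forced);
            }
        } catch (CommunicationException | ConfigurationException | ExpressionEvaluationException | ObjectNotFoundException | SecurityViolationException e) {
            LOGGER.error("Forced assignments defined for lifecycle {} won't be evaluated", user.getLifecycleState(), e);
        }
        return assignments;
    }

    /** Wraps one assignment as the "old" side of an item-delta-item, as the evaluator expects. */
    private ItemDeltaItem<PrismContainerValue<AssignmentType>, PrismContainerDefinition<AssignmentType>> createAssignmentIdi(AssignmentType assignmentType) throws SchemaException {
        ItemDeltaItem<PrismContainerValue<AssignmentType>, PrismContainerDefinition<AssignmentType>> idi = new ItemDeltaItem<>();
        idi.setItemOld(LensUtil.createAssignmentSingleValueContainerClone(assignmentType));
        idi.recompute();
        return idi;
    }

    /**
     * Transfers the outcome of one evaluated assignment onto the principal: authorizations and
     * GUI configurations only when the assignment is valid; delegation limitations for every
     * non-negative, valid user target reached over a delegation path.
     */
    private void applyEvaluatedAssignment(MidPointPrincipal principal, EvaluatedAssignmentImpl<UserType> evaluated, Collection<Authorization> authorities, List<AdminGuiConfigurationType> adminGuiConfigurations, AuthorizationTransformer authorizationTransformer) {
        if (evaluated.isValid()) {
            addAuthorizations(authorities, evaluated.getAuthorizations(), authorizationTransformer);
            adminGuiConfigurations.addAll(evaluated.getAdminGuiConfigurations());
        }
        for (EvaluatedAssignmentTarget target : evaluated.getRoles().getNonNegativeValues()) {
            if (isDelegatingUser(target)) {
                UserType delegator = (UserType) target.getTarget().asObjectable();
                principal.addDelegatorWithOtherPrivilegesLimitations(new DelegatorWithOtherPrivilegesLimitations(delegator, DeputyUtils.extractLimitations(target.getAssignmentPath())));
            }
        }
    }

    /** True when the target is a valid user reached through a delegation path. */
    private static boolean isDelegatingUser(EvaluatedAssignmentTarget target) {
        return target.isValid()
                && target.getTarget() != null
                && target.getTarget().asObjectable() instanceof UserType
                && DeputyUtils.isDelegationPath(target.getAssignmentPath());
    }

    /**
     * Creates the placeholder lens context used for login-time assignment evaluation and, when a
     * system configuration is available, sets the object policy configuration on its focus context.
     */
    private LensContext<UserType> createAuthenticationLensContext(PrismObject<UserType> prismObject, PrismObject<SystemConfigurationType> systemConfiguration) throws SchemaException {
        LensContextPlaceholder lensContextPlaceholder = new LensContextPlaceholder(prismObject, this.prismContext);
        if (systemConfiguration != null) {
            lensContextPlaceholder.getFocusContext().setObjectPolicyConfigurationType(determineObjectPolicyConfiguration(prismObject, systemConfiguration));
        }
        return lensContextPlaceholder;
    }

    /**
     * Selects the object policy configuration for the user from the system configuration.
     *
     * @return the selected configuration, possibly {@code null}
     * @throws SchemaException wrapping a {@link ConfigurationException} from the selection
     */
    private ObjectPolicyConfigurationType determineObjectPolicyConfiguration(PrismObject<UserType> prismObject, PrismObject<SystemConfigurationType> systemConfiguration) throws SchemaException {
        try {
            ObjectPolicyConfigurationType policyConfiguration = ModelUtils.determineObjectPolicyConfiguration(prismObject, systemConfiguration.asObjectable());
            if (LOGGER.isTraceEnabled()) {
                LOGGER.trace("Selected policy configuration from subtypes {}:\n{}", FocusTypeUtil.determineSubTypes(prismObject), policyConfiguration == null ? null : policyConfiguration.asPrismContainerValue().debugDump(1));
            }
            return policyConfiguration;
        } catch (ConfigurationException e) {
            throw new SchemaException(e.getMessage(), e);
        }
    }

    /**
     * Adds {@code source} authorizations to {@code target}, optionally through the transformer.
     * A transformer result of {@code null} drops the authorization; a {@code null} source is a no-op.
     */
    private void addAuthorizations(Collection<Authorization> target, Collection<Authorization> source, AuthorizationTransformer authorizationTransformer) {
        if (source == null) {
            return;
        }
        for (Authorization authorization : source) {
            if (authorizationTransformer == null) {
                target.add(authorization);
                continue;
            }
            Collection<Authorization> transformed = authorizationTransformer.transform(authorization);
            if (transformed != null) {
                target.addAll(transformed);
            }
        }
    }

    /**
     * Writes the difference between the stored user and the principal's user object to the
     * repository.
     * <p>
     * The trace output dumps the entire delta, which may include sensitive user attributes;
     * trace level is expected to be off in production.
     *
     * @return the same principal, for chaining
     */
    private MidPointPrincipal save(MidPointPrincipal midPointPrincipal, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, ObjectAlreadyExistsException {
        PrismObject<UserType> storedUser = getUserByOid(midPointPrincipal.getOid(), operationResult).asPrismObject();
        PrismObject<UserType> currentUser = midPointPrincipal.getUser().asPrismObject();
        ObjectDelta<UserType> delta = storedUser.diff(currentUser);
        if (LOGGER.isTraceEnabled()) {
            LOGGER.trace("Updating user {} with delta:\n{}", currentUser, delta.debugDump());
        }
        // Record the write under the caller's result, not a detached one, so the read and the
        // modification of one update are traceable together.
        this.repositoryService.modifyObject(UserType.class, delta.getOid(), delta.getModifications(), operationResult);
        return midPointPrincipal;
    }

    /** Reads a user by OID from the repository. */
    private UserType getUserByOid(String str, OperationResult operationResult) throws ObjectNotFoundException, SchemaException {
        return this.repositoryService.getObject(UserType.class, str, null, operationResult).asObjectable();
    }

    /**
     * Resolves the owner of an object: the shadow owner for shadows, the user whose persona
     * reference points at a user, and the {@code ownerRef} target for abstract roles and tasks.
     * Resolution failures are logged as warnings and yield {@code null}. A resolved owner that is
     * a user is recomputed the same way as in {@link #getPrincipal(PrismObject, AuthorizationTransformer, OperationResult)}.
     * <p>
     * The requested type {@code F} is not checked at runtime; the caller is responsible for it.
     *
     * @return the owner, or {@code null} when the input has no OID, is of an unsupported type,
     *         or the owner cannot be resolved
     */
    @Override // com.evolveum.midpoint.security.api.OwnerResolver
    @SuppressWarnings("unchecked")
    public <F extends FocusType, O extends ObjectType> PrismObject<F> resolveOwner(PrismObject<O> prismObject) {
        if (prismObject == null || prismObject.getOid() == null) {
            return null;
        }
        OperationResult operationResult = new OperationResult(OPERATION_RESOLVE_OWNER);
        PrismObject<F> owner;
        if (prismObject.canRepresent(ShadowType.class)) {
            owner = this.repositoryService.searchShadowOwner(prismObject.getOid(), null, operationResult);
        } else if (prismObject.canRepresent(UserType.class)) {
            owner = resolvePersonaOwner(prismObject, operationResult);
        } else if (prismObject.canRepresent(AbstractRoleType.class)) {
            owner = resolveByOwnerRef(((AbstractRoleType) prismObject.asObjectable()).getOwnerRef(), prismObject, operationResult);
        } else if (prismObject.canRepresent(TaskType.class)) {
            owner = resolveByOwnerRef(((TaskType) prismObject.asObjectable()).getOwnerRef(), prismObject, operationResult);
        } else {
            owner = null;
        }
        if (owner == null) {
            return null;
        }
        if (owner.canRepresent(UserType.class)) {
            PrismObject<UserType> ownerUser = (PrismObject<UserType>) owner;
            this.userComputer.recompute(ownerUser, getLifecycleModel(ownerUser, getSystemConfiguration(operationResult)));
        }
        return owner;
    }

    /**
     * Finds the user whose persona reference points at {@code persona}. When several users match,
     * a warning is logged and the first returned by the repository is used; the choice is then
     * up to repository ordering.
     */
    @SuppressWarnings("unchecked")
    private <F extends FocusType, O extends ObjectType> PrismObject<F> resolvePersonaOwner(PrismObject<O> persona, OperationResult operationResult) {
        try {
            ObjectQuery query = QueryBuilder.queryFor(UserType.class, this.prismContext).item(FocusType.F_PERSONA_REF).ref(persona.getOid()).build();
            SearchResultList<PrismObject<UserType>> owners = this.repositoryService.searchObjects(UserType.class, query, null, operationResult);
            if (owners.isEmpty()) {
                return null;
            }
            if (owners.size() > 1) {
                LOGGER.warn("More than one owner of {}: {}", persona, owners);
            }
            return (PrismObject<F>) owners.get(0);
        } catch (SchemaException e) {
            LOGGER.warn("Cannot resolve owner of {}: {}", persona, e.getMessage(), e);
            return null;
        }
    }

    /**
     * Loads the object an {@code ownerRef} points at. A reference lacking OID or type is treated
     * as "no owner"; a missing or unreadable target is logged as a warning and yields {@code null}.
     */
    @SuppressWarnings("unchecked")
    private <F extends FocusType, O extends ObjectType> PrismObject<F> resolveByOwnerRef(ObjectReferenceType ownerRef, PrismObject<O> owned, OperationResult operationResult) {
        if (ownerRef == null || ownerRef.getOid() == null || ownerRef.getType() == null) {
            return null;
        }
        try {
            Class<? extends ObjectType> ownerClass = ObjectTypes.getObjectTypeFromTypeQName(ownerRef.getType()).getClassDefinition();
            PrismObject<? extends ObjectType> owner = this.repositoryService.getObject(ownerClass, ownerRef.getOid(), null, operationResult);
            return (PrismObject<F>) owner;
        } catch (ObjectNotFoundException | SchemaException e) {
            LOGGER.warn("Cannot resolve owner of {}: {}", owned, e.getMessage(), e);
            return null;
        }
    }

    /**
     * Spring Security lookup by user name.
     *
     * @throws UsernameNotFoundException when the user is unknown (or the name is ambiguous)
     * @throws SystemException on schema problems
     */
    @Override // org.springframework.security.core.userdetails.UserDetailsService
    public UserDetails loadUserByUsername(String str) throws UsernameNotFoundException {
        try {
            return getPrincipal(str);
        } catch (ObjectNotFoundException e) {
            throw new UsernameNotFoundException(e.getMessage(), e);
        } catch (SchemaException e) {
            throw new SystemException(e.getMessage(), e);
        }
    }

    /**
     * LDAP mapping: after the directory has authenticated {@code str}, the principal is built from
     * the midPoint user of that name. The directory entry and the directory-granted authorities
     * are intentionally ignored, so a directory cannot inject privileges; a user that exists only
     * in the directory is rejected.
     *
     * @throws UsernameNotFoundException with message key {@code UserProfileServiceImpl.unknownUser}
     *         when there is no midPoint user of that name
     * @throws SystemException on schema problems
     */
    @Override // org.springframework.security.ldap.userdetails.UserDetailsContextMapper
    public UserDetails mapUserFromContext(DirContextOperations dirContextOperations, String str, Collection<? extends GrantedAuthority> collection) {
        try {
            return getPrincipal(str);
        } catch (ObjectNotFoundException e) {
            throw new UsernameNotFoundException("UserProfileServiceImpl.unknownUser", e);
        } catch (SchemaException e) {
            throw new SystemException(e.getMessage(), e);
        }
    }

    /** Intentionally a no-op: principals are never written back to the directory. */
    @Override // org.springframework.security.ldap.userdetails.UserDetailsContextMapper
    public void mapUserToContext(UserDetails userDetails, DirContextAdapter dirContextAdapter) {
    }
}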
