package com.evolveum.midpoint.web.security;

import com.evolveum.midpoint.prism.Containerable;
import com.evolveum.midpoint.prism.PrismContainerValue;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.delta.PlusMinusZero;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.prism.query.ObjectFilter;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.security.api.HttpConnectionInformation;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.security.api.OwnerResolver;
import com.evolveum.midpoint.security.api.SecurityContextManager;
import com.evolveum.midpoint.security.api.SecurityUtil;
import com.evolveum.midpoint.security.api.UserProfileService;
import com.evolveum.midpoint.security.enforcer.api.AccessDecision;
import com.evolveum.midpoint.security.enforcer.api.AuthorizationParameters;
import com.evolveum.midpoint.security.enforcer.api.ItemSecurityConstraints;
import com.evolveum.midpoint.security.enforcer.api.ObjectSecurityConstraints;
import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.task.api.TaskManager;
import com.evolveum.midpoint.util.DisplayableValue;
import com.evolveum.midpoint.util.Producer;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.exception.SystemException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.web.application.DescriptorLoader;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractRoleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OrderConstraintsType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.aopalliance.intercept.MethodInvocation;
import org.apache.commons.lang.StringUtils;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

/* loaded from: input_file:com/evolveum/midpoint/web/security/MidPointGuiAuthorizationEvaluator.class */
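/**
 * GUI-side security facade for the midPoint web layer.
 * <p>
 * Most methods delegate unchanged to the wrapped {@link SecurityEnforcer} and
 * {@link SecurityContextManager}. In addition the class acts as Spring Security's
 * {@link AccessDecisionManager}: {@link #decide(Authentication, Object, Collection)} maps the
 * requested URL to the midPoint authorization actions declared for that page and asks the
 * enforcer whether the current principal holds them.
 * <p>
 * The class keeps no mutable state of its own, so it is as thread-safe as the delegates it wraps.
 */
public class MidPointGuiAuthorizationEvaluator implements SecurityEnforcer, SecurityContextManager, AccessDecisionManager {
    private static final Trace LOGGER = TraceManager.getTrace(MidPointGuiAuthorizationEvaluator.class);
    private final SecurityEnforcer securityEnforcer;
    private final SecurityContextManager securityContextManager;
    private final TaskManager taskManager;

    /**
     * @param securityEnforcer enforcer that performs the actual authorization decisions
     * @param securityContextManager manager of the current security context (principal, run-as)
     * @param taskManager used to create the task under which URL decisions are evaluated
     */
    public MidPointGuiAuthorizationEvaluator(SecurityEnforcer securityEnforcer, SecurityContextManager securityContextManager, TaskManager taskManager) {
        this.securityEnforcer = securityEnforcer;
        this.securityContextManager = securityContextManager;
        this.taskManager = taskManager;
    }

    /** Delegates to the wrapped {@link SecurityContextManager}. */
    public UserProfileService getUserProfileService() {
        return this.securityContextManager.getUserProfileService();
    }

    /** Delegates to the wrapped {@link SecurityContextManager}. */
    public void setUserProfileService(UserProfileService userProfileService) {
        this.securityContextManager.setUserProfileService(userProfileService);
    }

    /** Delegates to the wrapped {@link SecurityContextManager}. */
    public void setupPreAuthenticatedSecurityContext(Authentication authentication) {
        this.securityContextManager.setupPreAuthenticatedSecurityContext(authentication);
    }

    /** Delegates to the wrapped {@link SecurityContextManager}. */
    public void setupPreAuthenticatedSecurityContext(PrismObject<UserType> prismObject) throws SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        this.securityContextManager.setupPreAuthenticatedSecurityContext(prismObject);
    }

    /** Delegates to the wrapped {@link SecurityContextManager}. */
    public void setupPreAuthenticatedSecurityContext(MidPointPrincipal midPointPrincipal) {
        this.securityContextManager.setupPreAuthenticatedSecurityContext(midPointPrincipal);
    }

    /** Delegates to the wrapped {@link SecurityContextManager}. */
    public boolean isAuthenticated() {
        return this.securityContextManager.isAuthenticated();
    }

    /** Delegates to the wrapped {@link SecurityContextManager}. */
    public MidPointPrincipal getPrincipal() throws SecurityViolationException {
        return this.securityContextManager.getPrincipal();
    }

    /** Delegates to the wrapped {@link SecurityEnforcer}. */
    public <O extends ObjectType, T extends ObjectType> void failAuthorization(String str, AuthorizationPhaseType authorizationPhaseType, AuthorizationParameters<O, T> authorizationParameters, OperationResult operationResult) throws SecurityViolationException {
        this.securityEnforcer.failAuthorization(str, authorizationPhaseType, authorizationParameters, operationResult);
    }

    /** Delegates to the wrapped {@link SecurityEnforcer}. */
    public <O extends ObjectType, T extends ObjectType> boolean isAuthorized(String str, AuthorizationPhaseType authorizationPhaseType, AuthorizationParameters<O, T> authorizationParameters, OwnerResolver ownerResolver, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        return this.securityEnforcer.isAuthorized(str, authorizationPhaseType, authorizationParameters, ownerResolver, task, operationResult);
    }

    /**
     * Spring {@link AccessDecisionManager} contract: which config attributes this manager understands.
     * The expression attribute is matched by class name, presumably because that Spring class is not
     * accessible for an {@code instanceof} check from this package.
     */
    public boolean supports(ConfigAttribute configAttribute) {
        if (configAttribute instanceof SecurityConfig) {
            return true;
        }
        return "org.springframework.security.web.access.expression.WebExpressionConfigAttribute".equals(configAttribute.getClass().getName());
    }

    /** Spring {@link AccessDecisionManager} contract: method invocations and filter invocations are supported. */
    public boolean supports(Class<?> cls) {
        return MethodInvocation.class.isAssignableFrom(cls) || FilterInvocation.class.isAssignableFrom(cls);
    }

    /** Delegates to the wrapped {@link SecurityEnforcer}. */
    public <O extends ObjectType, T extends ObjectType> void authorize(String str, AuthorizationPhaseType authorizationPhaseType, AuthorizationParameters<O, T> authorizationParameters, OwnerResolver ownerResolver, Task task, OperationResult operationResult) throws SecurityViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
        this.securityEnforcer.authorize(str, authorizationPhaseType, authorizationParameters, ownerResolver, task, operationResult);
    }

    /**
     * Spring Security entry point for URL (page) authorization.
     * <p>
     * Decision order:
     * <ol>
     * <li>Objects other than {@link FilterInvocation} are not evaluated here and pass through.</li>
     * <li>URLs listed by {@link DescriptorLoader#getPermitAllUrls()} are allowed for everyone.</li>
     * <li>The empty servlet path and {@code "/"} are allowed for everyone.</li>
     * <li>Required actions are collected from {@link PageUrlMapping} and
     * {@link DescriptorLoader#getActions()} for every URL pattern that matches the request.
     * A page that declares no actions is denied (fail-closed).</li>
     * <li>The anonymous principal is rejected with {@link InsufficientAuthenticationException};
     * any other principal that is not a {@link MidPointPrincipal} is treated as a configuration error.</li>
     * <li>Otherwise the enforcer decides; anything other than {@link AccessDecision#ALLOW}
     * (including a missing decision) is denied.</li>
     * </ol>
     *
     * @param authentication current Spring authentication
     * @param obj secured object; only {@link FilterInvocation} instances are evaluated
     * @param collection Spring config attributes; used for trace logging only
     * @throws AccessDeniedException when the principal lacks a required action or the page declares none
     * @throws InsufficientAuthenticationException when the request is anonymous
     * @throws IllegalArgumentException when the principal is of an unexpected type
     * @throws SystemException when the enforcer fails with a checked exception (this includes
     *         {@link SecurityViolationException}, which is reported as a system error rather than
     *         being mapped to {@link AccessDeniedException})
     */
    public void decide(Authentication authentication, Object obj, Collection<ConfigAttribute> collection) throws AccessDeniedException, InsufficientAuthenticationException {
        if (!(obj instanceof FilterInvocation)) {
            LOGGER.trace("DECIDE: PASS because object is not FilterInvocation, it is {}", obj);
            return;
        }
        FilterInvocation filterInvocation = (FilterInvocation) obj;
        if (isPermitAll(filterInvocation)) {
            LOGGER.trace("DECIDE: authentication={}, object={}: ALLOW ALL (permitAll)", authentication, obj);
            return;
        }
        String servletPath = filterInvocation.getRequest().getServletPath();
        if ("".equals(servletPath) || "/".equals(servletPath)) {
            LOGGER.trace("DECIDE: authentication={}, object={}: ALLOW ALL (/)", authentication, obj);
            return;
        }

        List<String> requiredActions = collectRequiredActions(filterInvocation);
        if (requiredActions.isEmpty()) {
            // Fail closed: a page that nobody declared authorizations for is denied, not allowed.
            LOGGER.trace("DECIDE: DENY because determined empty required actions from {}", filterInvocation);
            SecurityUtil.logSecurityDeny(obj, ": Not authorized (page without authorizations)", (Throwable) null, requiredActions);
            throw new AccessDeniedException("Not authorized");
        }

        Object principal = authentication.getPrincipal();
        if (!(principal instanceof MidPointPrincipal)) {
            if ("anonymousUser".equals(principal)) {
                SecurityUtil.logSecurityDeny(obj, ": Not logged in");
                LOGGER.trace("DECIDE: authentication={}, object={}, configAttributes={}: DENY (not logged in)", authentication, obj, collection);
                throw new InsufficientAuthenticationException("Not logged in.");
            }
            LOGGER.trace("DECIDE: authentication={}, object={}, configAttributes={}: ERROR (wrong principal)", authentication, obj, collection);
            // A null principal is reported like any other unexpected type instead of surfacing as an NPE.
            Object principalType = principal == null ? null : principal.getClass();
            throw new IllegalArgumentException("Expected that spring security principal will be of type "
                    + MidPointPrincipal.class.getName() + " but it was " + principalType);
        }

        MidPointPrincipal midPointPrincipal = (MidPointPrincipal) principal;
        Task task = this.taskManager.createTaskInstance(MidPointGuiAuthorizationEvaluator.class.getName() + ".decide");
        try {
            AccessDecision decision = this.securityEnforcer.decideAccess(midPointPrincipal, requiredActions, task, task.getResult());
            if (LOGGER.isTraceEnabled()) {
                LOGGER.trace("DECIDE: authentication={}, object={}, requiredActions={}: {}", authentication, obj, requiredActions, decision);
            }
            // Compared from the constant side so that a null decision is denied rather than throwing an NPE.
            if (AccessDecision.ALLOW.equals(decision)) {
                return;
            }
            SecurityUtil.logSecurityDeny(obj, ": Not authorized", (Throwable) null, requiredActions);
            throw new AccessDeniedException("Not authorized");
        } catch (SchemaException | ObjectNotFoundException | ExpressionEvaluationException | CommunicationException | ConfigurationException | SecurityViolationException e) {
            LOGGER.error("Error while processing authorization: {}", e.getMessage(), e);
            LOGGER.trace("DECIDE: authentication={}, object={}, requiredActions={}: ERROR {}", authentication, obj, requiredActions, e.getMessage());
            throw new SystemException("Error while processing authorization: " + e.getMessage(), e);
        }
    }

    /**
     * Collects the distinct, non-blank actions declared for every URL pattern (page mappings and
     * descriptor-declared actions) that matches the request.
     */
    private List<String> collectRequiredActions(FilterInvocation filterInvocation) {
        List<String> requiredActions = new ArrayList<>();
        for (PageUrlMapping mapping : PageUrlMapping.values()) {
            addSecurityConfig(filterInvocation, requiredActions, mapping.getUrl(), mapping.getAction());
        }
        for (Map.Entry<String, DisplayableValue<String>[]> entry : DescriptorLoader.getActions().entrySet()) {
            addSecurityConfig(filterInvocation, requiredActions, entry.getKey(), entry.getValue());
        }
        return requiredActions;
    }

    /** True when the request matches any of the permit-all URL patterns published by {@link DescriptorLoader}. */
    private boolean isPermitAll(FilterInvocation filterInvocation) {
        for (String pattern : DescriptorLoader.getPermitAllUrls()) {
            if (new AntPathRequestMatcher(pattern).matches(filterInvocation.getRequest())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Appends the non-blank action values of {@code actions} to {@code requiredActions} (without
     * duplicates) when the request matches the Ant-style {@code urlPattern}.
     *
     * @param filterInvocation request being evaluated
     * @param requiredActions accumulator of action URIs; modified in place
     * @param urlPattern Ant-style URL pattern the request must match
     * @param actions actions declared for the pattern; {@code null} means none
     */
    private void addSecurityConfig(FilterInvocation filterInvocation, List<String> requiredActions, String urlPattern, DisplayableValue<String>[] actions) {
        // Null check first: no point building a matcher when there is nothing to add.
        if (actions == null || !new AntPathRequestMatcher(urlPattern).matches(filterInvocation.getRequest())) {
            return;
        }
        for (DisplayableValue<String> action : actions) {
            String actionUri = action.getValue();
            if (!StringUtils.isBlank(actionUri) && !requiredActions.contains(actionUri)) {
                requiredActions.add(actionUri);
            }
        }
    }

    /** Delegates to the wrapped {@link SecurityEnforcer}. */
    public AccessDecision decideAccess(MidPointPrincipal midPointPrincipal, List<String> list, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        return this.securityEnforcer.decideAccess(midPointPrincipal, list, task, operationResult);
    }

    /** Delegates to the wrapped {@link SecurityEnforcer}. */
    public <O extends ObjectType> ObjectSecurityConstraints compileSecurityConstraints(PrismObject<O> prismObject, OwnerResolver ownerResolver, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        return this.securityEnforcer.compileSecurityConstraints(prismObject, ownerResolver, task, operationResult);
    }

    /** Delegates to the wrapped {@link SecurityEnforcer}. */
    public <T extends ObjectType, O extends ObjectType> ObjectFilter preProcessObjectFilter(String[] strArr, AuthorizationPhaseType authorizationPhaseType, Class<T> cls, PrismObject<O> prismObject, ObjectFilter objectFilter, String str, List<OrderConstraintsType> list, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        return this.securityEnforcer.preProcessObjectFilter(strArr, authorizationPhaseType, cls, prismObject, objectFilter, str, list, task, operationResult);
    }

    /** Delegates to the wrapped {@link SecurityEnforcer}. */
    public <T extends ObjectType, O extends ObjectType> boolean canSearch(String[] strArr, AuthorizationPhaseType authorizationPhaseType, Class<T> cls, PrismObject<O> prismObject, boolean z, ObjectFilter objectFilter, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        return this.securityEnforcer.canSearch(strArr, authorizationPhaseType, cls, prismObject, z, objectFilter, task, operationResult);
    }

    /** Delegates to the wrapped {@link SecurityEnforcer}. */
    public MidPointPrincipal createDonorPrincipal(MidPointPrincipal midPointPrincipal, String str, PrismObject<UserType> prismObject, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        return this.securityEnforcer.createDonorPrincipal(midPointPrincipal, str, prismObject, task, operationResult);
    }

    /** Delegates to the wrapped {@link SecurityContextManager}. */
    public <T> T runAs(Producer<T> producer, PrismObject<UserType> prismObject) throws SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        return this.securityContextManager.runAs(producer, prismObject);
    }

    /** Delegates to the wrapped {@link SecurityContextManager}. */
    public <T> T runPrivileged(Producer<T> producer) {
        return this.securityContextManager.runPrivileged(producer);
    }

    /** Delegates to the wrapped {@link SecurityEnforcer}. */
    public <O extends ObjectType, R extends AbstractRoleType> ItemSecurityConstraints getAllowedRequestAssignmentItems(MidPointPrincipal midPointPrincipal, String str, PrismObject<O> prismObject, PrismObject<R> prismObject2, OwnerResolver ownerResolver, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        return this.securityEnforcer.getAllowedRequestAssignmentItems(midPointPrincipal, str, prismObject, prismObject2, ownerResolver, task, operationResult);
    }

    /** Delegates to the wrapped {@link SecurityContextManager}. */
    public void storeConnectionInformation(HttpConnectionInformation httpConnectionInformation) {
        this.securityContextManager.storeConnectionInformation(httpConnectionInformation);
    }

    /** Delegates to the wrapped {@link SecurityContextManager}. */
    public HttpConnectionInformation getStoredConnectionInformation() {
        return this.securityContextManager.getStoredConnectionInformation();
    }

    /** Delegates to the wrapped {@link SecurityEnforcer}. */
    public <O extends ObjectType> AccessDecision determineSubitemDecision(ObjectSecurityConstraints objectSecurityConstraints, ObjectDelta<O> objectDelta, PrismObject<O> prismObject, String str, AuthorizationPhaseType authorizationPhaseType, ItemPath itemPath) {
        return this.securityEnforcer.determineSubitemDecision(objectSecurityConstraints, objectDelta, prismObject, str, authorizationPhaseType, itemPath);
    }

    /** Delegates to the wrapped {@link SecurityEnforcer}. */
    public <C extends Containerable> AccessDecision determineSubitemDecision(ObjectSecurityConstraints objectSecurityConstraints, PrismContainerValue<C> prismContainerValue, String str, AuthorizationPhaseType authorizationPhaseType, ItemPath itemPath, PlusMinusZero plusMinusZero, String str2) {
        return this.securityEnforcer.determineSubitemDecision(objectSecurityConstraints, prismContainerValue, str, authorizationPhaseType, itemPath, plusMinusZero, str2);
    }
}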
