package com.evolveum.midpoint.security.api;

import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.util.MiscUtil;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsStorageMethodType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsStorageTypeType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.NonceCredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordCredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityQuestionsCredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemConfigurationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ValuePolicyType;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.function.Function;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.lang3.StringUtils;
import org.jetbrains.annotations.NotNull;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.context.request.RequestAttributes;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

/* loaded from: input_file:WEB-INF/lib/security-api-3.9.2-SNAPSHOT.jar:com/evolveum/midpoint/security/api/SecurityUtil.class */
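/**
 * Static helpers shared by midPoint's security layer: reading the Spring Security
 * context, deriving effective credential policies from a {@link SecurityPolicyType},
 * and describing the current HTTP connection.
 *
 * <p>All state is static. {@code remoteHostAddressHeaders} is written from the system
 * configuration (see {@link #setRemoteHostAddressHeaders}) and read on request threads,
 * so it is declared {@code volatile} to make the new value visible across threads.
 */
public class SecurityUtil {
    private static final Trace LOGGER = TraceManager.getTrace(SecurityUtil.class);

    /**
     * Header names (in priority order) whose value is taken as the client address instead of
     * the socket peer address. Empty until configured.
     *
     * <p>SECURITY: any header named here is fully trusted. A client can send arbitrary header
     * values, so only configure headers that a reverse proxy in front of midPoint is known to
     * overwrite (or strip) on every request; otherwise callers can spoof the address reported
     * by {@link #getCurrentConnectionInformation()}.
     */
    @NotNull
    private static volatile List<String> remoteHostAddressHeaders = Collections.emptyList();

    /**
     * Extracts the attribute string of every {@link ConfigAttribute}.
     *
     * @param collection the Spring security config attributes (must not be null)
     * @return the attribute strings, in iteration order
     */
    public static Collection<String> getActions(Collection<ConfigAttribute> collection) {
        List<String> actions = new ArrayList<>(collection.size());
        for (ConfigAttribute attribute : collection) {
            actions.add(attribute.getAttribute());
        }
        return actions;
    }

    /** Logs (at DEBUG) a denied access to {@code obj} by the subject in the current security context. */
    public static void logSecurityDeny(Object obj, String str) {
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Denied access to {} by {} {}", obj, getSubjectDescription(), str);
        }
    }

    /** Logs (at DEBUG) a denied access to {@code obj} by an explicitly given principal. */
    public static void logSecurityDeny(MidPointPrincipal midPointPrincipal, Object obj, String str) {
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Denied access to {} by {} {}", obj, midPointPrincipal, str);
        }
    }

    /**
     * Logs a denied access at DEBUG and, when TRACE is enabled, additionally the required
     * authorization actions together with the cause's stack trace.
     *
     * @param obj        what was being accessed
     * @param str        additional free-form context
     * @param th         the cause, logged only at TRACE level
     * @param collection authorization actions one of which would have permitted the access
     */
    public static void logSecurityDeny(Object obj, String str, Throwable th, Collection<String> collection) {
        if (LOGGER.isDebugEnabled()) {
            String subjectDescription = getSubjectDescription();
            LOGGER.debug("Denied access to {} by {} {}", obj, subjectDescription, str);
            if (LOGGER.isTraceEnabled()) {
                LOGGER.trace("Denied access to {} by {} {}; one of the following authorization actions is required: " + collection, obj, subjectDescription, str, th);
            }
        }
    }

    /**
     * Describes the subject of the current security context for log messages.
     *
     * @return the username for a {@link MidPointPrincipal}, {@code toString()} of any other
     *         principal, or {@code null} when there is no authentication or no principal
     */
    public static String getSubjectDescription() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null) {
            return null;
        }
        Object principal = authentication.getPrincipal();
        if (principal == null) {
            return null;
        }
        if (principal instanceof MidPointPrincipal) {
            return ((MidPointPrincipal) principal).getUsername();
        }
        return principal.toString();
    }

    /**
     * Reads an item from a specific credential policy, falling back to a default policy.
     *
     * @param credentialPolicyType  the default (fallback) policy, may be null
     * @param credentialPolicyType2 the specific policy, consulted first, may be null
     * @param function              extractor applied to a policy
     * @return the first non-null extracted value (specific first, then default), else null
     */
    public static <T> T getCredPolicyItem(CredentialPolicyType credentialPolicyType, CredentialPolicyType credentialPolicyType2, Function<CredentialPolicyType, T> function) {
        if (credentialPolicyType2 != null) {
            T specific = function.apply(credentialPolicyType2);
            if (specific != null) {
                return specific;
            }
        }
        if (credentialPolicyType == null) {
            return null;
        }
        return function.apply(credentialPolicyType);
    }

    /**
     * Password policy with unset items filled in from {@code credentials/default}.
     *
     * @return null when there is no security policy or no credentials section; the stored
     *         password policy as-is when there is no default section; otherwise a clone
     *         (or a fresh instance) with defaults copied in
     */
    public static PasswordCredentialsPolicyType getEffectivePasswordCredentialsPolicy(SecurityPolicyType securityPolicyType) {
        CredentialsPolicyType credentials = securityPolicyType == null ? null : securityPolicyType.getCredentials();
        if (credentials == null) {
            return null;
        }
        PasswordCredentialsPolicyType password = credentials.getPassword();
        if (credentials.getDefault() == null) {
            return password;
        }
        // Clone so the stored policy object is never mutated by the default merge.
        PasswordCredentialsPolicyType effective = password == null ? new PasswordCredentialsPolicyType() : password.mo1799clone();
        copyDefaults(credentials.getDefault(), effective);
        return effective;
    }

    /**
     * Security-questions policy with unset items filled in from {@code credentials/default}.
     * Same null/clone semantics as {@link #getEffectivePasswordCredentialsPolicy}.
     */
    public static SecurityQuestionsCredentialsPolicyType getEffectiveSecurityQuestionsCredentialsPolicy(SecurityPolicyType securityPolicyType) {
        CredentialsPolicyType credentials = securityPolicyType == null ? null : securityPolicyType.getCredentials();
        if (credentials == null) {
            return null;
        }
        SecurityQuestionsCredentialsPolicyType securityQuestions = credentials.getSecurityQuestions();
        if (credentials.getDefault() == null) {
            return securityQuestions;
        }
        SecurityQuestionsCredentialsPolicyType effective = securityQuestions == null ? new SecurityQuestionsCredentialsPolicyType() : securityQuestions.mo1799clone();
        copyDefaults(credentials.getDefault(), effective);
        return effective;
    }

    /**
     * All nonce policies with unset items filled in from {@code credentials/default}.
     *
     * @return null when there is no security policy or credentials section; the stored list
     *         when there is no default section; otherwise a new list of merged clones
     */
    public static List<NonceCredentialsPolicyType> getEffectiveNonceCredentialsPolicies(SecurityPolicyType securityPolicyType) {
        CredentialsPolicyType credentials = securityPolicyType == null ? null : securityPolicyType.getCredentials();
        if (credentials == null) {
            return null;
        }
        List<NonceCredentialsPolicyType> nonce = credentials.getNonce();
        if (credentials.getDefault() == null) {
            return nonce;
        }
        List<NonceCredentialsPolicyType> effective = new ArrayList<>(nonce.size());
        for (NonceCredentialsPolicyType policy : nonce) {
            NonceCredentialsPolicyType merged = policy.mo1799clone();
            copyDefaults(credentials.getDefault(), merged);
            effective.add(merged);
        }
        return effective;
    }

    /**
     * The single effective nonce policy.
     *
     * @return null when there is none
     * @throws SchemaException when more than one nonce policy is configured
     */
    public static NonceCredentialsPolicyType getEffectiveNonceCredentialsPolicy(SecurityPolicyType securityPolicyType) throws SchemaException {
        List<NonceCredentialsPolicyType> policies = getEffectiveNonceCredentialsPolicies(securityPolicyType);
        if (CollectionUtils.isEmpty(policies)) {
            return null;
        }
        if (policies.size() > 1) {
            throw new SchemaException("More than one nonce policy");
        }
        return policies.get(0);
    }

    /**
     * Copies every item that is set in {@code defaults} and unset in {@code target} into
     * {@code target}. Items already present in {@code target} are never overwritten.
     */
    private static void copyDefaults(CredentialPolicyType defaults, CredentialPolicyType target) {
        if (target.getHistoryLength() == null && defaults.getHistoryLength() != null) {
            target.setHistoryLength(defaults.getHistoryLength());
        }
        if (target.getHistoryStorageMethod() == null && defaults.getHistoryStorageMethod() != null) {
            target.setHistoryStorageMethod(defaults.getHistoryStorageMethod());
        }
        if (target.getLockoutDuration() == null && defaults.getLockoutDuration() != null) {
            target.setLockoutDuration(defaults.getLockoutDuration());
        }
        if (target.getLockoutFailedAttemptsDuration() == null && defaults.getLockoutFailedAttemptsDuration() != null) {
            target.setLockoutFailedAttemptsDuration(defaults.getLockoutFailedAttemptsDuration());
        }
        if (target.getLockoutMaxFailedAttempts() == null && defaults.getLockoutMaxFailedAttempts() != null) {
            target.setLockoutMaxFailedAttempts(defaults.getLockoutMaxFailedAttempts());
        }
        if (target.getMaxAge() == null && defaults.getMaxAge() != null) {
            target.setMaxAge(defaults.getMaxAge());
        }
        if (target.getMinAge() == null && defaults.getMinAge() != null) {
            target.setMinAge(defaults.getMinAge());
        }
        if (target.getPropagationUserControl() == null && defaults.getPropagationUserControl() != null) {
            target.setPropagationUserControl(defaults.getPropagationUserControl());
        }
        if (target.getResetMethod() == null && defaults.getResetMethod() != null) {
            target.setResetMethod(defaults.getResetMethod());
        }
        if (target.getStorageMethod() == null && defaults.getStorageMethod() != null) {
            target.setStorageMethod(defaults.getStorageMethod());
        }
        if (target.getWarningBeforeExpirationDuration() == null && defaults.getWarningBeforeExpirationDuration() != null) {
            target.setWarningBeforeExpirationDuration(defaults.getWarningBeforeExpirationDuration());
        }
    }

    /**
     * @return the configured credential history length, or 0 when the policy or the item is absent
     */
    public static int getCredentialHistoryLength(CredentialPolicyType credentialPolicyType) {
        if (credentialPolicyType == null) {
            return 0;
        }
        Integer historyLength = credentialPolicyType.getHistoryLength();
        return historyLength == null ? 0 : historyLength.intValue();
    }

    /** Null-safe accessor for the storage type of a storage method. */
    public static CredentialsStorageTypeType getCredentialStorageTypeType(CredentialsStorageMethodType credentialsStorageMethodType) {
        return credentialsStorageMethodType == null ? null : credentialsStorageMethodType.getStorageType();
    }

    /**
     * Resolves the value policy referenced from the password credentials policy.
     *
     * <p>Only an already-resolved reference is honoured: the embedded object of the reference
     * value is returned. No repository lookup is performed here, so an unresolved
     * {@code valuePolicyRef} yields null even when the referenced policy exists.
     */
    public static ValuePolicyType getPasswordPolicy(SecurityPolicyType securityPolicyType) {
        if (securityPolicyType == null) {
            return null;
        }
        CredentialsPolicyType credentials = securityPolicyType.getCredentials();
        if (credentials == null) {
            return null;
        }
        PasswordCredentialsPolicyType password = credentials.getPassword();
        if (password == null) {
            return null;
        }
        ObjectReferenceType valuePolicyRef = password.getValuePolicyRef();
        if (valuePolicyRef == null) {
            return null;
        }
        PrismObject object = valuePolicyRef.asReferenceValue().getObject();
        if (object == null) {
            return null;
        }
        return (ValuePolicyType) object.asObjectable();
    }

    /**
     * Installs the list of trusted remote-address headers from the system configuration.
     * A null configuration or a missing infrastructure section resets the list to empty, i.e.
     * back to using the socket peer address only.
     *
     * <p>See the note on {@code remoteHostAddressHeaders}: only name headers that a trusted
     * reverse proxy is known to set on every request.
     */
    public static void setRemoteHostAddressHeaders(SystemConfigurationType systemConfigurationType) {
        List<String> headers;
        if (systemConfigurationType == null || systemConfigurationType.getInfrastructure() == null) {
            headers = Collections.emptyList();
        } else {
            headers = new ArrayList<>(systemConfigurationType.getInfrastructure().getRemoteHostAddressHeader());
        }
        if (!MiscUtil.unorderedCollectionEquals(remoteHostAddressHeaders, headers)) {
            LOGGER.debug("Setting new value for 'remoteHostAddressHeaders': {}", headers);
        }
        remoteHostAddressHeaders = headers;
    }

    /**
     * Describes the HTTP request bound to the current thread.
     *
     * @return null when the thread is not servicing a servlet request; otherwise the session id
     *         (only if a session already exists — none is created here), the local host name and
     *         the remote address as determined by {@link #getRemoteHostAddress}
     */
    public static HttpConnectionInformation getCurrentConnectionInformation() {
        RequestAttributes requestAttributes = RequestContextHolder.getRequestAttributes();
        if (!(requestAttributes instanceof ServletRequestAttributes)) {
            return null;
        }
        HttpServletRequest request = ((ServletRequestAttributes) requestAttributes).getRequest();
        if (request == null) {
            return null;
        }
        HttpConnectionInformation info = new HttpConnectionInformation();
        // getSession(false): never create a session as a side effect of describing the connection.
        HttpSession session = request.getSession(false);
        if (session != null) {
            info.setSessionId(session.getId());
        }
        info.setLocalHostName(request.getLocalName());
        info.setRemoteHostAddress(getRemoteHostAddress(request));
        return info;
    }

    /**
     * Client address: the first configured header that carries a usable value wins, otherwise
     * the socket peer address.
     *
     * <p>A present-but-blank header (e.g. an empty {@code X-Forwarded-For:} sent by a client)
     * is skipped rather than crashing the request; previously such a header caused an
     * {@link ArrayIndexOutOfBoundsException} while splitting the empty value.
     */
    private static String getRemoteHostAddress(HttpServletRequest httpServletRequest) {
        for (String headerName : remoteHostAddressHeaders) {
            String headerValue = httpServletRequest.getHeader(headerName);
            if (headerValue == null) {
                continue;
            }
            String address = getAddressFromHeader(headerName, headerValue);
            if (StringUtils.isNotBlank(address)) {
                return address;
            }
        }
        return httpServletRequest.getRemoteAddr();
    }

    /**
     * Takes the leftmost element of a comma-separated header value, trimmed.
     *
     * <p>SECURITY: in an {@code X-Forwarded-For}-style chain the leftmost entry is the one
     * supplied by the original client (or forged by it); it is trustworthy only if the proxy
     * in front of midPoint overwrites the header instead of appending to it.
     *
     * @return the first element, or null when the value splits into no elements (blank or
     *         only separators)
     */
    private static String getAddressFromHeader(String headerName, String headerValue) {
        String[] parts = StringUtils.split(headerValue, ",");
        if (parts == null || parts.length == 0) {
            return null;
        }
        return StringUtils.trim(parts[0]);
    }

    /**
     * The {@link MidPointPrincipal} of the current security context.
     *
     * @return the principal, or null for the anonymous principal
     *         ({@link AuthorizationConstants#ANONYMOUS_USER_PRINCIPAL})
     * @throws SecurityViolationException when there is no authentication at all
     * @throws IllegalArgumentException   when the principal is of an unexpected type
     */
    public static MidPointPrincipal getPrincipal() throws SecurityViolationException {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null) {
            SecurityViolationException e = new SecurityViolationException("No authentication");
            LOGGER.error("No authentication", (Throwable) e);
            throw e;
        }
        Object principal = authentication.getPrincipal();
        if (principal instanceof MidPointPrincipal) {
            return (MidPointPrincipal) principal;
        }
        if ((principal instanceof String) && AuthorizationConstants.ANONYMOUS_USER_PRINCIPAL.equals(principal)) {
            return null;
        }
        throw new IllegalArgumentException("Expected that spring security principal will be of type " + MidPointPrincipal.class.getName() + " but it was " + MiscUtil.getObjectName(principal));
    }

    /**
     * Whether any {@link Authentication} is present in the security context.
     *
     * <p>Note this is true for the anonymous principal as well (see {@link #getPrincipal()},
     * which maps it to null); callers needing a real user must check {@code getPrincipal() != null}.
     */
    public static boolean isAuthenticated() {
        return SecurityContextHolder.getContext().getAuthentication() != null;
    }
}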
