package com.evolveum.midpoint.model.impl.security;

import com.evolveum.midpoint.schema.constants.SchemaConstants;
import com.evolveum.midpoint.security.api.ConnectionEnvironment;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.security.api.UserProfileService;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordCredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.validate.Credential;
import org.apache.wss4j.dom.validate.UsernameTokenValidator;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;

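/**
 * WS-Security UsernameToken validator that plugs midPoint's password
 * authentication bookkeeping into the WSS4J validation chain.
 *
 * The actual token check is delegated to {@link UsernameTokenValidator};
 * this class only records the outcome (successful login or failed attempt
 * on the web-service channel) through {@link PasswordAuthenticationEvaluatorImpl},
 * so that failed-login counters and password-policy handling also see SOAP logins.
 */
@Service
/* loaded from: input_file:WEB-INF/lib/model-impl-3.9.2-SNAPSHOT.jar:com/evolveum/midpoint/model/impl/security/MidpointPasswordValidator.class */
public class MidpointPasswordValidator extends UsernameTokenValidator {

    @Autowired
    private PasswordAuthenticationEvaluatorImpl passwdEvaluator;

    @Autowired
    private UserProfileService userService;

    /**
     * Validates the UsernameToken via the WSS4J superclass and records the result.
     *
     * @param credential  the credential carrying the UsernameToken
     * @param requestData WSS4J request context, passed through to the superclass
     * @return the credential returned by the superclass on success
     * @throws WSSecurityException if WSS4J rejects the token, or if the midPoint
     *         principal cannot be resolved after a successful token check (the
     *         login is then failed rather than let through unrecorded)
     */
    @Override // org.apache.wss4j.dom.validate.UsernameTokenValidator, org.apache.wss4j.dom.validate.Validator
    public Credential validate(Credential credential, RequestData requestData) throws WSSecurityException {
        try {
            Credential validated = super.validate(credential, requestData);
            // Deliberately inside the try: if the principal behind a token WSS4J
            // accepted cannot be resolved, the attempt is treated (and recorded)
            // as a failure instead of succeeding without any record.
            recordAuthenticationSuccess(credential);
            return validated;
        } catch (WSSecurityException authFailure) {
            try {
                recordAuthenticationFailure(credential, authFailure);
            } catch (WSSecurityException recordingFailure) {
                // Always report the original rejection. A problem while recording it
                // (e.g. the user cannot be looked up) must not replace the WSS4J
                // error; keep it attached for diagnostics instead.
                authFailure.addSuppressed(recordingFailure);
            }
            throw authFailure;
        }
    }

    /**
     * Records a successful password authentication for the token's user on the
     * web-service channel.
     *
     * @throws WSSecurityException if the principal cannot be resolved
     */
    private void recordAuthenticationSuccess(Credential credential) throws WSSecurityException {
        MidPointPrincipal principal = resolveMidpointPrincipal(credential);
        ConnectionEnvironment connEnv = ConnectionEnvironment.create(SchemaConstants.CHANNEL_WEB_SERVICE_URI);
        this.passwdEvaluator.recordPasswordAuthenticationSuccess(principal, connEnv, resolvePassword(principal));
    }

    /**
     * Records a failed password authentication for the token's user, handing the
     * applicable password policy (if any) to the evaluator so failed-attempt
     * counters and lockout rules can be applied.
     *
     * @param credential the rejected credential
     * @param cause      the WSS4J exception describing the rejection
     * @throws WSSecurityException if the principal cannot be resolved
     */
    private void recordAuthenticationFailure(Credential credential, WSSecurityException cause) throws WSSecurityException {
        MidPointPrincipal principal = resolveMidpointPrincipal(credential);
        ConnectionEnvironment connEnv = ConnectionEnvironment.create(SchemaConstants.CHANNEL_WEB_SERVICE_URI);
        PasswordCredentialsPolicyType passwordPolicy = null;
        // Both the security policy and its <credentials> element may be absent
        // (the user's credentials get the same null-check in resolvePassword).
        // Without the second check an NPE here would abort the recording, so a
        // failed attempt would never reach the evaluator's counters.
        if (principal.getApplicableSecurityPolicy() != null
                && principal.getApplicableSecurityPolicy().getCredentials() != null) {
            passwordPolicy = principal.getApplicableSecurityPolicy().getCredentials().getPassword();
        }
        this.passwdEvaluator.recordPasswordAuthenticationFailure(principal, connEnv, resolvePassword(principal),
                passwordPolicy, cause.getMessage());
    }

    /**
     * Looks up the midPoint principal for the username carried by the token.
     *
     * Any lookup problem is reported as a generic FAILED_AUTHENTICATION so the
     * caller always fails closed. NOTE(review): the underlying exception stays
     * attached as the cause; whether its text (e.g. an object-not-found message
     * naming the user) can reach the SOAP client depends on the fault mapping
     * further up the stack — worth confirming.
     *
     * @throws WSSecurityException if the credential has no UsernameToken or the
     *         lookup fails for any reason
     */
    private MidPointPrincipal resolveMidpointPrincipal(Credential credential) throws WSSecurityException {
        // WSS4J is expected to reject a credential without a token before we are
        // called; guard anyway so the failure path cannot degrade into an NPE.
        if (credential == null || credential.getUsernametoken() == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
        try {
            return this.userService.getPrincipal(credential.getUsernametoken().getName());
        } catch (CommunicationException | ConfigurationException | ExpressionEvaluationException
                | ObjectNotFoundException | SchemaException | SecurityViolationException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, e);
        }
    }

    /**
     * Returns the stored password credential of the principal's user, or
     * {@code null} when the user has no credentials container.
     */
    private PasswordType resolvePassword(MidPointPrincipal principal) {
        UserType user = principal.getUser();
        if (user.getCredentials() == null) {
            return null;
        }
        return user.getCredentials().getPassword();
    }
}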
