package com.evolveum.midpoint.model.impl.lens.projector.credentials;

import com.evolveum.midpoint.common.LocalizationService;
import com.evolveum.midpoint.model.common.stringpolicy.ValuePolicyProcessor;
import com.evolveum.midpoint.model.impl.ModelObjectResolver;
import com.evolveum.midpoint.model.impl.lens.LensContext;
import com.evolveum.midpoint.model.impl.lens.LensFocusContext;
import com.evolveum.midpoint.model.impl.lens.OperationalDataManager;
import com.evolveum.midpoint.model.impl.lens.projector.ContextLoader;
import com.evolveum.midpoint.prism.Item;
import com.evolveum.midpoint.prism.PrismContainer;
import com.evolveum.midpoint.prism.PrismContainerValue;
import com.evolveum.midpoint.prism.PrismContext;
import com.evolveum.midpoint.prism.PrismProperty;
import com.evolveum.midpoint.prism.PrismPropertyValue;
import com.evolveum.midpoint.prism.crypto.EncryptionException;
import com.evolveum.midpoint.prism.crypto.Protector;
import com.evolveum.midpoint.prism.delta.ContainerDelta;
import com.evolveum.midpoint.prism.delta.ItemDelta;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.delta.PropertyDelta;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.schema.constants.SchemaConstants;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.security.api.SecurityUtil;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.PolicyViolationException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsStorageMethodType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsStorageTypeType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ValuePolicyType;
import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
import java.util.Collection;
import java.util.Iterator;
import javax.xml.datatype.XMLGregorianCalendar;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

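/**
 * Projector component that handles focus credentials.
 *
 * <p>Two responsibilities are visible here:
 * <ul>
 *   <li>{@link #processFocusCredentials} evaluates the password, nonce and security-question
 *       policies of a user focus against the security policy held in the lens context;</li>
 *   <li>{@link #transformFocusExecutionDelta} rewrites the focus execution delta so that the
 *       password value is stored the way the credentials policy prescribes (encrypted, hashed,
 *       or not stored at all).</li>
 * </ul>
 * Only the password credential is transformed before execution; nonce and security questions are
 * policy-checked only.
 */
@Component
/* loaded from: input_file:WEB-INF/lib/model-impl-3.9.2-SNAPSHOT.jar:com/evolveum/midpoint/model/impl/lens/projector/credentials/CredentialsProcessor.class */
public class CredentialsProcessor {

    private static final Trace LOGGER = TraceManager.getTrace(CredentialsProcessor.class);

    @Autowired
    private PrismContext prismContext;

    @Autowired
    private OperationalDataManager metadataManager;

    @Autowired
    private ModelObjectResolver resolver;

    @Autowired
    private ValuePolicyProcessor valuePolicyProcessor;

    @Autowired
    private Protector protector;

    @Autowired
    private LocalizationService localizationService;

    @Autowired
    private ContextLoader contextLoader;

    /**
     * Evaluates the password, nonce and security-question policies for the focus of the given
     * context. Only a {@link UserType} focus carries credentials; any other focus type (or a
     * missing focus context) is skipped.
     *
     * @param lensContext context whose focus is checked; its security policy is (re)loaded first
     * @param xMLGregorianCalendar timestamp the evaluators use as "now"
     * @param task task in which the operation runs
     * @param operationResult operation result to record into
     * @throws PolicyViolationException if a credential does not satisfy its policy
     */
    public <F extends FocusType> void processFocusCredentials(LensContext<F> lensContext, XMLGregorianCalendar xMLGregorianCalendar, Task task, OperationResult operationResult) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, PolicyViolationException, CommunicationException, ConfigurationException, SecurityViolationException {
        LensFocusContext<F> focusContext = lensContext.getFocusContext();
        if (focusContext == null || !UserType.class.isAssignableFrom(focusContext.getObjectTypeClass())) {
            LOGGER.trace("Skipping processing credentials because focus is not user");
            return;
        }
        contextLoader.reloadSecurityPolicyIfNeeded(lensContext, task, operationResult);

        // The isAssignableFrom check above guarantees the focus is a user, so narrowing the
        // type argument is safe even though the compiler cannot prove it.
        @SuppressWarnings("unchecked")
        LensContext<UserType> userContext = (LensContext<UserType>) lensContext;
        processFocusPassword(userContext, xMLGregorianCalendar, task, operationResult);
        processFocusNonce(userContext, xMLGregorianCalendar, task, operationResult);
        processFocusSecurityQuestions(userContext, xMLGregorianCalendar, task, operationResult);
    }

    /** Wires and runs the password policy evaluator for the user focus of {@code lensContext}. */
    private void processFocusPassword(LensContext<UserType> lensContext, XMLGregorianCalendar now, Task task, OperationResult result) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, PolicyViolationException, CommunicationException, ConfigurationException, SecurityViolationException {
        PasswordPolicyEvaluator evaluator = new PasswordPolicyEvaluator();
        evaluator.setContext(lensContext);
        evaluator.setMetadataManager(metadataManager);
        evaluator.setNow(now);
        evaluator.setPrismContext(prismContext);
        evaluator.setProtector(protector);
        evaluator.setLocalizationService(localizationService);
        evaluator.setResolver(resolver);
        evaluator.setResult(result);
        evaluator.setTask(task);
        evaluator.setValuePolicyProcessor(valuePolicyProcessor);
        evaluator.process();
    }

    /** Wires and runs the nonce policy evaluator for the user focus of {@code lensContext}. */
    private void processFocusNonce(LensContext<UserType> lensContext, XMLGregorianCalendar now, Task task, OperationResult result) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, PolicyViolationException, CommunicationException, ConfigurationException, SecurityViolationException {
        NoncePolicyEvaluator evaluator = new NoncePolicyEvaluator();
        evaluator.setContext(lensContext);
        evaluator.setMetadataManager(metadataManager);
        evaluator.setNow(now);
        evaluator.setPrismContext(prismContext);
        evaluator.setProtector(protector);
        evaluator.setLocalizationService(localizationService);
        evaluator.setResolver(resolver);
        evaluator.setResult(result);
        evaluator.setTask(task);
        evaluator.setValuePolicyProcessor(valuePolicyProcessor);
        evaluator.process();
    }

    /** Wires and runs the security-questions policy evaluator for the user focus of {@code lensContext}. */
    private void processFocusSecurityQuestions(LensContext<UserType> lensContext, XMLGregorianCalendar now, Task task, OperationResult result) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, PolicyViolationException, CommunicationException, ConfigurationException, SecurityViolationException {
        SecurityQuestionsPolicyEvaluator evaluator = new SecurityQuestionsPolicyEvaluator();
        evaluator.setContext(lensContext);
        evaluator.setMetadataManager(metadataManager);
        evaluator.setNow(now);
        evaluator.setPrismContext(prismContext);
        evaluator.setProtector(protector);
        evaluator.setLocalizationService(localizationService);
        evaluator.setResolver(resolver);
        evaluator.setResult(result);
        evaluator.setTask(task);
        evaluator.setValuePolicyProcessor(valuePolicyProcessor);
        evaluator.process();
    }

    /**
     * Returns the execution delta with the password value transformed according to the
     * credentials storage policy of the focus. The delta is returned unchanged when there is no
     * focus context, no security policy, or no credentials policy; otherwise a clone is
     * transformed and returned, so the caller's delta is never modified in place.
     *
     * @param lensContext context providing the focus security policy
     * @param objectDelta execution delta of the focus
     * @return the (possibly cloned and transformed) delta
     * @throws SchemaException if the storage type in the policy is unknown
     * @throws EncryptionException if hashing a value fails
     */
    public <O extends ObjectType> ObjectDelta<O> transformFocusExecutionDelta(LensContext<O> lensContext, ObjectDelta<O> objectDelta) throws SchemaException, EncryptionException {
        LensFocusContext<O> focusContext = lensContext.getFocusContext();
        if (focusContext == null) {
            // No focus, nothing whose password could be transformed.
            return objectDelta;
        }
        SecurityPolicyType securityPolicy = focusContext.getSecurityPolicy();
        if (securityPolicy == null) {
            return objectDelta;
        }
        CredentialsPolicyType credentials = securityPolicy.getCredentials();
        if (credentials == null) {
            return objectDelta;
        }
        // m651clone() is the decompiler's name for the delta's clone(); work on a copy so the
        // hashed/removed values do not leak back into the lens context.
        ObjectDelta<O> transformed = objectDelta.m651clone();
        transformFocusExecutionDeltaForPasswords(lensContext, credentials, credentials.getPassword(), SchemaConstants.PATH_PASSWORD_VALUE, transformed, "password");
        return transformed;
    }

    /**
     * Applies the storage method of one credential to the delta: leaves the value alone for
     * encryption (the default), hashes it for hashing, and strips it for storage type NONE.
     *
     * @param lensContext lens context (not consulted here, kept for parity with the caller)
     * @param credentialsPolicy the whole credentials policy (its default is the fallback)
     * @param credentialPolicy policy of the credential being transformed, may be null
     * @param valuePropertyPath path of the credential's value property inside the focus
     * @param objectDelta delta being rewritten in place (a clone, see the caller)
     * @param credentialName name used in log messages only
     * @throws SchemaException if the storage type is not one of the known constants
     * @throws EncryptionException if hashing fails
     */
    private <O extends ObjectType> void transformFocusExecutionDeltaForPasswords(LensContext<O> lensContext, CredentialsPolicyType credentialsPolicy, CredentialPolicyType credentialPolicy, ItemPath valuePropertyPath, ObjectDelta<O> objectDelta, String credentialName) throws SchemaException, EncryptionException {
        if (objectDelta.isDelete()) {
            // The object is going away; nothing will be stored.
            return;
        }
        CredentialsStorageMethodType storageMethod = (CredentialsStorageMethodType) SecurityUtil.getCredPolicyItem(credentialsPolicy.getDefault(), credentialPolicy, policy -> policy.getStorageMethod());
        LOGGER.trace("Credential {}, processing storage method: {}", credentialName, storageMethod);
        if (storageMethod == null) {
            return;
        }
        CredentialsStorageTypeType storageType = storageMethod.getStorageType();
        if (storageType == null || storageType == CredentialsStorageTypeType.ENCRYPTION) {
            // Encryption is the default: the value is left as it is.
            LOGGER.trace("Credential {} should be encrypted, nothing to do", credentialName);
            return;
        }
        switch (storageType) {
            case HASHING:
                LOGGER.trace("Hashing credential {}", credentialName);
                hashCredentialInDelta(valuePropertyPath, objectDelta, storageMethod);
                break;
            case NONE:
                LOGGER.trace("Removing credential {}", credentialName);
                removeCredentialFromDelta(valuePropertyPath, objectDelta);
                break;
            default:
                throw new SchemaException("Unknown storage type " + storageType);
        }
    }

    /**
     * Hashes the credential value wherever it can appear in an add or modify delta: the property
     * in the object to add, a property delta on the value, a container delta on the enclosing
     * password container, or a container delta on the enclosing credentials container.
     */
    private <O extends ObjectType> void hashCredentialInDelta(ItemPath valuePropertyPath, ObjectDelta<O> objectDelta, CredentialsStorageMethodType storageMethod) throws SchemaException, EncryptionException {
        if (objectDelta.isAdd()) {
            PrismProperty<ProtectedStringType> property = objectDelta.getObjectToAdd().findProperty(valuePropertyPath);
            if (property != null) {
                hashValues(property.getValues(), storageMethod);
            }
            return;
        }
        // Modify delta: try the most specific delta first, then walk up one container at a time.
        PropertyDelta propertyDelta = (PropertyDelta) objectDelta.findItemDelta(valuePropertyPath, PropertyDelta.class, PrismProperty.class, true);
        if (propertyDelta != null) {
            hashValues(propertyDelta.getValuesToAdd(), storageMethod);
            hashValues(propertyDelta.getValuesToReplace(), storageMethod);
            // Values to delete are hashed as well, mirroring the original behaviour.
            hashValues(propertyDelta.getValuesToDelete(), storageMethod);
            return;
        }
        ItemPath passwordContainerPath = valuePropertyPath.allExceptLast();
        ContainerDelta passwordDelta = (ContainerDelta) objectDelta.findItemDelta(passwordContainerPath, ContainerDelta.class, PrismContainer.class, true);
        if (passwordDelta != null) {
            hashPasswordPcvs(passwordDelta.getValuesToAdd(), storageMethod);
            hashPasswordPcvs(passwordDelta.getValuesToReplace(), storageMethod);
            return;
        }
        ContainerDelta credentialsDelta = (ContainerDelta) objectDelta.findItemDelta(passwordContainerPath.allExceptLast(), ContainerDelta.class, PrismContainer.class, true);
        if (credentialsDelta != null) {
            hashCredentialsPcvs(credentialsDelta.getValuesToAdd(), storageMethod);
            hashCredentialsPcvs(credentialsDelta.getValuesToReplace(), storageMethod);
        }
    }

    /**
     * Strips the credential value from an add or modify delta (storage type NONE).
     *
     * NOTE(review): unlike the hashing branch, a container-level delta (the whole password or
     * credentials container being added or replaced) is not inspected here, so a value carried
     * that way would reach the repository untouched — confirm whether that case can occur at
     * this point.
     */
    private <O extends ObjectType> void removeCredentialFromDelta(ItemPath valuePropertyPath, ObjectDelta<O> objectDelta) throws SchemaException {
        if (objectDelta.isAdd()) {
            objectDelta.getObjectToAdd().removeProperty(valuePropertyPath);
            return;
        }
        PropertyDelta<ProtectedStringType> propertyDelta = objectDelta.findPropertyDelta(valuePropertyPath);
        if (propertyDelta != null) {
            // Replace with nothing: this also clears any value already stored.
            propertyDelta.setValueToReplace();
        }
    }

    /**
     * Hashes every not-yet-hashed protected string in {@code values}.
     *
     * @param values property values to hash, may be null (treated as empty)
     * @param storageMethod storage method from the policy; not consulted, {@code protector.hash}
     *        decides the algorithm
     */
    private void hashValues(Collection<PrismPropertyValue<ProtectedStringType>> values, CredentialsStorageMethodType storageMethod) throws SchemaException, EncryptionException {
        if (values == null) {
            return;
        }
        for (PrismPropertyValue<ProtectedStringType> propertyValue : values) {
            ProtectedStringType protectedString = propertyValue.getValue();
            // A property value without a real value is skipped instead of dereferenced.
            if (protectedString != null && !protectedString.isHashed()) {
                protector.hash(protectedString);
            }
        }
    }

    /**
     * Hashes the password value inside each password container value, skipping container values
     * that have no password or whose value is already hashed.
     *
     * @param values container values to process, may be null (treated as empty)
     * @param storageMethod storage method from the policy; not consulted, see {@link #hashValues}
     */
    private void hashPasswordPcvs(Collection<PrismContainerValue<PasswordType>> values, CredentialsStorageMethodType storageMethod) throws SchemaException, EncryptionException {
        if (values == null) {
            return;
        }
        for (PrismContainerValue<PasswordType> pcv : values) {
            PasswordType password = pcv.getValue();
            if (password == null || password.getValue() == null) {
                continue;
            }
            if (!password.getValue().isHashed()) {
                protector.hash(password.getValue());
            }
        }
    }

    /**
     * Hashes the password value inside each credentials container value, skipping container
     * values without a password, without a password value, or with an already hashed value.
     *
     * @param values container values to process, may be null (treated as empty)
     * @param storageMethod storage method from the policy; not consulted, see {@link #hashValues}
     */
    private void hashCredentialsPcvs(Collection<PrismContainerValue<CredentialsType>> values, CredentialsStorageMethodType storageMethod) throws SchemaException, EncryptionException {
        if (values == null) {
            return;
        }
        for (PrismContainerValue<CredentialsType> pcv : values) {
            CredentialsType credentials = pcv.getValue();
            if (credentials == null || credentials.getPassword() == null) {
                continue;
            }
            ProtectedStringType protectedString = credentials.getPassword().getValue();
            if (protectedString != null && !protectedString.isHashed()) {
                protector.hash(protectedString);
            }
        }
    }

    /**
     * Returns the password value policy that applies to the focus, or null when there is no focus
     * context or the security policy defines none.
     *
     * @param lensFocusContext focus context, may be null
     * @param task unused, kept for interface compatibility
     * @param operationResult unused, kept for interface compatibility
     */
    public <F extends ObjectType> ValuePolicyType determinePasswordPolicy(LensFocusContext<F> lensFocusContext, Task task, OperationResult operationResult) {
        if (lensFocusContext == null) {
            return null;
        }
        return SecurityUtil.getPasswordPolicy(lensFocusContext.getSecurityPolicy());
    }
}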
