package com.evolveum.midpoint.web.security;

import com.evolveum.midpoint.model.api.ModelInteractionService;
import com.evolveum.midpoint.model.api.ModelService;
import com.evolveum.midpoint.model.api.authentication.MidpointAuthentication;
import com.evolveum.midpoint.model.api.authentication.NameOfModuleType;
import com.evolveum.midpoint.prism.PrismContext;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.schema.SearchResultList;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.util.ObjectQueryUtil;
import com.evolveum.midpoint.security.api.SecurityContextManager;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.task.api.TaskManager;
import com.evolveum.midpoint.util.Producer;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.web.security.filter.MidpointAuthFilter;
import com.evolveum.midpoint.web.security.filter.SecurityQuestionsAuthenticationFilter;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityQuestionDefinitionType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import com.github.openjson.JSONArray;
import com.github.openjson.JSONObject;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.cxf.common.util.Base64Utility;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

/* loaded from: input_file:com/evolveum/midpoint/web/security/HttpSecurityQuestionsAuthenticationEntryPoint.class */
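/**
 * HTTP authentication entry point for the "security questions" REST module.
 *
 * When a client sends an {@code Authorization} header whose scheme is the
 * security-questions module name, the entry point answers with a
 * {@code WWW-Authenticate} challenge carrying a base64-encoded JSON document:
 * either the default template ({@link #DEFAULT_JSON}) when the client sent the
 * bare scheme, or the user's enabled security questions when the client sent
 * {@code {"user": "<name>"}}. Any other header, an unknown or ambiguous user, a
 * user without enabled questions, or any processing failure is delegated to
 * {@link HttpAuthenticationEntryPoint#commence}.
 *
 * NOTE(review): by design the challenge differs depending on whether the named
 * user exists and has security questions configured, so this endpoint can be
 * used to enumerate usernames. Deployments exposing it should rate-limit it
 * (the lookups below run privileged and are attacker-triggerable).
 */
public class HttpSecurityQuestionsAuthenticationEntryPoint extends HttpAuthenticationEntryPoint {
    // Previously bound to MidpointAuthFilter.class (copy-paste); bind to this class so log lines are attributable.
    private static final Trace LOGGER = TraceManager.getTrace(HttpSecurityQuestionsAuthenticationEntryPoint.class);
    private static final String WWW_AUTHENTICATION_HEADER = "WWW-Authenticate";
    private static final String AUTHENTICATION_HEADER = "Authorization";
    /** Challenge template sent when the client only names the scheme without a payload. */
    private static final String DEFAULT_JSON = "{\"user\":\"username\"}";
    /** Only key permitted in the client-supplied JSON payload. */
    private static final String USER_KEY = "user";
    /** Key under which the list of questions is returned to the client. */
    private static final String ANSWER_KEY = "answer";

    @Autowired
    private SecurityContextManager securityContextManager;

    @Autowired
    private TaskManager taskManager;

    @Autowired
    private ModelService model;

    @Autowired
    private PrismContext prismContext;

    @Autowired
    private ModelInteractionService modelInteractionService;

    /**
     * Builds the JSON array of enabled security questions (identifier + question text)
     * for the given user.
     *
     * @param user the user whose security policy supplies the question definitions
     * @return the array, or {@code null} when the policy has no questions or none is enabled
     */
    private JSONArray generateAnswer(PrismObject<UserType> user) {
        List<SecurityQuestionDefinitionType> questions = getQuestions(user);
        if (questions == null) {
            return null;
        }
        JSONArray enabledQuestions = new JSONArray();
        for (SecurityQuestionDefinitionType question : questions) {
            // isEnabled() may be null (unset) — treat anything but explicit TRUE as disabled.
            if (!Boolean.TRUE.equals(question.isEnabled())) {
                continue;
            }
            JSONObject entry = new JSONObject();
            entry.put(SecurityQuestionsAuthenticationFilter.J_QID, question.getIdentifier());
            entry.put(SecurityQuestionsAuthenticationFilter.J_QTXT, question.getQuestionText());
            enabledQuestions.put(entry);
        }
        return enabledQuestions.length() == 0 ? null : enabledQuestions;
    }

    /**
     * Handles an unauthenticated request.
     *
     * The security-questions challenge is only produced when the current thread's
     * authentication is a {@link MidpointAuthentication}; otherwise a plain 401 is sent.
     * Malformed headers, undecodable base64, invalid JSON, unexpected payload keys,
     * an unknown/ambiguous user or a user without enabled questions all fall back to
     * the parent entry point.
     *
     * @param httpServletRequest      the incoming request
     * @param httpServletResponse     the response to write the challenge / status to
     * @param authenticationException the failure that triggered this entry point
     * @throws IOException if writing the response fails
     */
    @Override // com.evolveum.midpoint.web.security.HttpAuthenticationEntryPoint
    public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException authenticationException) throws IOException {
        try {
            if (SecurityContextHolder.getContext().getAuthentication() instanceof MidpointAuthentication) {
                String header = httpServletRequest.getHeader(AUTHENTICATION_HEADER);
                String scheme = NameOfModuleType.SECURITY_QUESTIONS.getName();
                // Locale.ROOT: scheme matching must not depend on the JVM default locale.
                String lowerHeader = header == null ? null : header.toLowerCase(Locale.ROOT);
                String lowerScheme = scheme.toLowerCase(Locale.ROOT);

                if (lowerHeader == null || !lowerHeader.startsWith(lowerScheme)) {
                    super.commence(httpServletRequest, httpServletResponse, authenticationException);
                    return;
                }

                if (lowerHeader.equals(lowerScheme)) {
                    // Bare scheme: tell the client what payload shape is expected.
                    createSecurityQuestionAbortMessage(httpServletResponse, DEFAULT_JSON);
                } else {
                    // Payload follows the scheme after exactly one separator character
                    // (assumes "<scheme> <base64>"; extra whitespace makes decode fail and
                    // lands in the catch below).
                    String encoded = header.substring(scheme.length() + 1);
                    JSONObject payload = new JSONObject(new String(Base64Utility.decode(encoded), StandardCharsets.UTF_8));

                    // Accept only {"user": ...}; anything else is not a valid challenge request.
                    if (payload.length() != 1 || !payload.has(USER_KEY)) {
                        super.commence(httpServletRequest, httpServletResponse, authenticationException);
                        return;
                    }

                    SearchResultList<PrismObject<UserType>> users = searchUser(payload.getString(USER_KEY));
                    // Require exactly one match; zero or several (or a failed search) must not leak questions.
                    if (users == null || users.size() != 1) {
                        super.commence(httpServletRequest, httpServletResponse, authenticationException);
                        return;
                    }

                    JSONArray questions = generateAnswer(users.get(0));
                    if (questions == null) {
                        super.commence(httpServletRequest, httpServletResponse, authenticationException);
                        return;
                    }
                    payload.putOpt(ANSWER_KEY, questions);
                    createSecurityQuestionAbortMessage(httpServletResponse, payload.toString());
                }
            }
            httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } catch (Exception e) {
            // Reached for undecodable base64 / invalid JSON from the client as well as
            // unexpected internal failures; either way fall back to the parent behaviour.
            LOGGER.error(e.getMessage(), e);
            super.commence(httpServletRequest, httpServletResponse, authenticationException);
        }
    }

    /**
     * Writes the security-questions challenge header: {@code WWW-Authenticate: <scheme> <base64(json)>}.
     *
     * @param httpServletResponse response to set the header on
     * @param str                 JSON document to encode (UTF-8) into the challenge
     */
    public static void createSecurityQuestionAbortMessage(HttpServletResponse httpServletResponse, String str) {
        String challenge = NameOfModuleType.SECURITY_QUESTIONS.getName() + " "
                + Base64Utility.encode(str.getBytes(StandardCharsets.UTF_8));
        httpServletResponse.setHeader(WWW_AUTHENTICATION_HEADER, challenge);
    }

    /**
     * Looks up users by name, running privileged because no principal is authenticated yet.
     *
     * @param name the user name taken from the client payload
     * @return the search result, or {@code null} when the search fails
     */
    private SearchResultList<PrismObject<UserType>> searchUser(final String name) {
        return this.securityContextManager.runPrivileged(new Producer<SearchResultList<PrismObject<UserType>>>() {
            @Override
            public SearchResultList<PrismObject<UserType>> run() {
                Task task = taskManager.createTaskInstance("Search user by name");
                try {
                    return model.searchObjects(UserType.class,
                            ObjectQueryUtil.createNameQuery(name, prismContext),
                            (Collection) null, task, task.getResult());
                } catch (SchemaException | ObjectNotFoundException | SecurityViolationException
                        | CommunicationException | ConfigurationException | ExpressionEvaluationException e) {
                    // Treated by the caller as "no user"; keep a trace for diagnostics instead of swallowing silently.
                    LOGGER.debug("User search for security questions challenge failed", e);
                    return null;
                }
            }
        });
    }

    /**
     * Resolves the security-question definitions from the user's effective security policy.
     *
     * The lookup temporarily installs an anonymous authentication on the current thread
     * (as the original code did) and restores whatever authentication was present before,
     * so the caller's security context is not left altered.
     *
     * @param user the user whose security policy is consulted
     * @return the question definitions, or {@code null} when the policy has none or the lookup fails
     */
    private List<SecurityQuestionDefinitionType> getQuestions(final PrismObject<UserType> user) {
        return this.securityContextManager.runPrivileged(new Producer<List<SecurityQuestionDefinitionType>>() {
            @Override
            public List<SecurityQuestionDefinitionType> run() {
                Task task = taskManager.createTaskInstance("Search user by name");
                OperationResult result = task.getResult();
                // Remember the current authentication so it can be restored; runPrivileged may
                // restore it as well, but this method must not rely on that.
                Authentication previous = SecurityContextHolder.getContext().getAuthentication();
                try {
                    SecurityContextHolder.getContext().setAuthentication(
                            new AnonymousAuthenticationToken("rest_sec_q_auth", "REST",
                                    AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS")));
                    SecurityPolicyType policy = modelInteractionService.getSecurityPolicy(user, task, result);
                    if (policy.getCredentials() == null || policy.getCredentials().getSecurityQuestions() == null) {
                        return null;
                    }
                    return policy.getCredentials().getSecurityQuestions().getQuestion();
                } catch (ObjectNotFoundException | SchemaException | CommunicationException
                        | ConfigurationException | SecurityViolationException | ExpressionEvaluationException e) {
                    LOGGER.debug("Cannot obtain security policy for security questions challenge", e);
                    return null;
                } finally {
                    SecurityContextHolder.getContext().setAuthentication(previous);
                }
            }
        });
    }
}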
