package com.evolveum.midpoint.web.security.provider;

import com.evolveum.midpoint.common.Clock;
import com.evolveum.midpoint.gui.api.util.WebComponentUtil;
import com.evolveum.midpoint.model.api.AuthenticationEvaluator;
import com.evolveum.midpoint.model.api.ModelAuditRecorder;
import com.evolveum.midpoint.model.api.authentication.AuthenticationChannel;
import com.evolveum.midpoint.model.api.authentication.GuiProfiledPrincipal;
import com.evolveum.midpoint.model.api.authentication.GuiProfiledPrincipalManager;
import com.evolveum.midpoint.model.api.authentication.MidpointAuthentication;
import com.evolveum.midpoint.model.api.authentication.MidpointDirContextAdapter;
import com.evolveum.midpoint.model.api.authentication.ModuleAuthentication;
import com.evolveum.midpoint.model.api.util.AuthenticationEvaluatorUtil;
import com.evolveum.midpoint.prism.PrismContext;
import com.evolveum.midpoint.schema.constants.SchemaConstants;
import com.evolveum.midpoint.security.api.ConnectionEnvironment;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.security.api.SecurityUtil;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.web.security.module.authentication.LdapAuthenticationToken;
import com.evolveum.midpoint.web.security.module.authentication.LdapModuleAuthentication;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationBehavioralDataType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.LoginEventType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import java.util.Collection;
import java.util.List;
import javax.naming.AuthenticationException;
import org.jetbrains.annotations.NotNull;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.dao.IncorrectResultSizeDataAccessException;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
import org.springframework.security.ldap.authentication.LdapAuthenticator;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;

/* loaded from: input_file:WEB-INF/classes/com/evolveum/midpoint/web/security/provider/MidPointLdapAuthenticationProvider.class */
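/**
 * Authentication provider for the LDAP login module.
 *
 * <p>The bind itself is delegated to a wrapped Spring Security
 * {@link LdapAuthenticationProvider}; this class adds the midPoint specifics on top:
 * the directory entry is wrapped in a {@link MidpointDirContextAdapter} that carries the
 * module's naming attribute and focus type, the resulting principal must be a
 * {@link MidPointPrincipal} whose focus holds the authentication sequence's required
 * assignment, and every success and failure is written both to the focus's
 * authentication behaviour data and to the audit log.
 */
public class MidPointLdapAuthenticationProvider extends MidPointAbstractAuthenticationProvider {

    private static final Trace LOGGER = TraceManager.getTrace((Class<?>) MidPointLdapAuthenticationProvider.class);

    /**
     * Substring of the directory's error message that identifies LDAP result code 49
     * (invalidCredentials). Only this failure is reported to the caller as "bad
     * credentials"; every other internal failure keeps its original exception.
     */
    private static final String LDAP_INVALID_CREDENTIALS_MARKER = "error code 49";

    private final LdapAuthenticationProvider authenticatorProvider;

    @Autowired
    private ModelAuditRecorder auditProvider;

    @Autowired
    private PrismContext prismContext;

    @Autowired
    private Clock clock;

    @Autowired
    private GuiProfiledPrincipalManager focusProfileService;

    /**
     * @param ldapAuthenticator the Spring LDAP authenticator that performs the actual bind
     */
    public MidPointLdapAuthenticationProvider(LdapAuthenticator ldapAuthenticator) {
        this.authenticatorProvider = createAuthenticatorProvider(ldapAuthenticator);
    }

    /** Passes the mapper on to the wrapped Spring provider. */
    public void setUserDetailsContextMapper(UserDetailsContextMapper userDetailsContextMapper) {
        this.authenticatorProvider.setUserDetailsContextMapper(userDetailsContextMapper);
    }

    /** @return the wrapped Spring provider that performs the LDAP bind */
    public LdapAuthenticationProvider getAuthenticatorProvider() {
        return this.authenticatorProvider;
    }

    /**
     * Builds the wrapped Spring provider with two midPoint hooks: the authenticated
     * directory entry is wrapped in a {@link MidpointDirContextAdapter}, and the created
     * authentication is validated and recorded before it is returned.
     */
    private LdapAuthenticationProvider createAuthenticatorProvider(LdapAuthenticator ldapAuthenticator) {
        return new LdapAuthenticationProvider(ldapAuthenticator) {

            /**
             * Wraps the bound entry so that the user-details mapping later knows the
             * module's naming attribute and focus type. The entry is returned unchanged
             * unless it is a {@link DirContextAdapter} and the current authentication is
             * processing an {@link LdapModuleAuthentication}.
             */
            @Override
            public DirContextOperations doAuthentication(UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken) {
                DirContextOperations entry = super.doAuthentication(usernamePasswordAuthenticationToken);
                if (!(entry instanceof DirContextAdapter)) {
                    return entry;
                }
                Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
                if (!(authentication instanceof MidpointAuthentication)) {
                    return entry;
                }
                ModuleAuthentication processingModule =
                        MidPointLdapAuthenticationProvider.this.getProcessingModule((MidpointAuthentication) authentication);
                if (!(processingModule instanceof LdapModuleAuthentication)) {
                    return entry;
                }
                DirContextAdapter adapter = (DirContextAdapter) entry;
                if (!adapter.isUpdateMode()) {
                    // NOTE(review): toggling update mode on and off again appears to be a way of making
                    // the adapter snapshot its attributes before it is wrapped - confirm against the
                    // Spring LDAP DirContextAdapter semantics of the version in use.
                    adapter.setUpdateMode(true);
                    adapter.setUpdateMode(false);
                }
                MidpointDirContextAdapter midpointAdapter = new MidpointDirContextAdapter(adapter);
                midpointAdapter.setNamingAttr(((LdapModuleAuthentication) processingModule).getNamingAttribute());
                if (processingModule.getFocusType() != null) {
                    midpointAdapter.setFocusType(WebComponentUtil.qnameToClass(
                            MidPointLdapAuthenticationProvider.this.prismContext, processingModule.getFocusType(), FocusType.class));
                }
                return midpointAdapter;
            }

            /**
             * Validates the authentication created by Spring and records the outcome.
             *
             * <p>A successful LDAP bind is still rejected when the mapped principal is not a
             * {@link MidPointPrincipal}, when it has no focus, or when the focus lacks the
             * assignment required by the current authentication sequence. Each rejection is
             * recorded as a failure before the exception is thrown; otherwise the success is
             * recorded on the focus and in the audit log.
             *
             * @throws BadCredentialsException when there is no usable midPoint principal or focus
             * @throws InternalAuthenticationServiceException when the required assignment is missing
             */
            @Override
            public Authentication createSuccessfulAuthentication(UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken, UserDetails userDetails) {
                Authentication result = super.createSuccessfulAuthentication(usernamePasswordAuthenticationToken, userDetails);
                Object principal = result.getPrincipal();
                if (!(principal instanceof MidPointPrincipal)) {
                    MidPointLdapAuthenticationProvider.this.recordPasswordAuthenticationFailure(
                            usernamePasswordAuthenticationToken.getName(), "not contains required assignment");
                    throw new BadCredentialsException("LdapAuthentication.incorrect.value");
                }
                MidPointPrincipal midPointPrincipal = (MidPointPrincipal) principal;
                FocusType focus = midPointPrincipal.getFocus();
                if (focus == null) {
                    MidPointLdapAuthenticationProvider.this.recordPasswordAuthenticationFailure(
                            usernamePasswordAuthenticationToken.getName(), "not contains required assignment");
                    throw new BadCredentialsException("LdapAuthentication.bad.user");
                }
                Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
                if (authentication instanceof MidpointAuthentication) {
                    MidpointAuthentication midpointAuthentication = (MidpointAuthentication) authentication;
                    boolean hasRequiredAssignment = AuthenticationEvaluatorUtil.checkRequiredAssignment(
                            focus.getAssignment(), midpointAuthentication.getSequence().getRequireAssignmentTarget());
                    if (!hasRequiredAssignment) {
                        MidPointLdapAuthenticationProvider.this.recordPasswordAuthenticationFailure(
                                midPointPrincipal.getUsername(), "not contains required assignment");
                        throw new InternalAuthenticationServiceException("web.security.flexAuth.invalid.required.assignment");
                    }
                }
                MidPointLdapAuthenticationProvider.this.recordPasswordAuthenticationSuccess(midPointPrincipal);
                return result;
            }
        };
    }

    /**
     * Walks the cause chain of {@code th} looking for a JNDI {@link AuthenticationException}
     * whose message mentions LDAP result code 49 (invalid credentials). If found, the failure
     * is reported as a {@link BadCredentialsException} with a generic message that does not
     * reveal directory details; otherwise the original exception is returned unchanged.
     *
     * @param internalAuthenticationServiceException the exception that was caught
     * @param th the throwable whose cause chain is inspected (initially the exception itself)
     * @return the exception the caller should throw
     */
    private RuntimeException processInternalAuthenticationException(
            InternalAuthenticationServiceException internalAuthenticationServiceException, Throwable th) {
        if (th instanceof AuthenticationException) {
            // getMessage() may be null; the original unguarded contains() call would throw NPE here.
            String message = th.getMessage();
            if (message != null && message.contains(LDAP_INVALID_CREDENTIALS_MARKER)) {
                return new BadCredentialsException("Invalid username and/or password.", internalAuthenticationServiceException);
            }
        }
        Throwable cause = th.getCause();
        if (cause == null) {
            return internalAuthenticationServiceException;
        }
        return processInternalAuthenticationException(internalAuthenticationServiceException, cause);
    }

    /**
     * Always {@code null}: this provider authenticates through the wrapped Spring provider
     * rather than through a midPoint {@link AuthenticationEvaluator}.
     */
    @Override
    public AuthenticationEvaluator getEvaluator() {
        return null;
    }

    /**
     * Authenticates an {@link LdapAuthenticationToken} through the wrapped Spring provider.
     *
     * <p>An already authenticated {@link GuiProfiledPrincipal} is returned as is. Any other
     * token type is recorded as a failure and rejected. Failures of the LDAP lookup or bind
     * are recorded on the focus and audited before being rethrown; a bind rejected by the
     * directory with result code 49 is reported as {@link BadCredentialsException}.
     *
     * @throws AuthenticationServiceException for unsupported token types
     * @throws BadCredentialsException when the user lookup is ambiguous or the bind is rejected
     */
    @Override
    protected Authentication internalAuthentication(Authentication authentication, List list, AuthenticationChannel authenticationChannel, Class cls) throws org.springframework.security.core.AuthenticationException {
        if (authentication.isAuthenticated() && (authentication.getPrincipal() instanceof GuiProfiledPrincipal)) {
            return authentication;
        }
        // getName() instead of casting the principal to String: an unsupported token with a
        // non-String principal must reach the "unavailable provider" branch, not fail on the cast.
        LOGGER.trace("Authenticating username '{}'", authentication.getName());
        createEnvironment(authenticationChannel);
        try {
            if (!(authentication instanceof LdapAuthenticationToken)) {
                LOGGER.error("Unsupported authentication {}", authentication);
                recordPasswordAuthenticationFailure(authentication.getName(), "unavailable provider");
                throw new AuthenticationServiceException("web.security.provider.unavailable");
            }
            Authentication authenticated = this.authenticatorProvider.authenticate(authentication);
            LOGGER.debug("User '{}' authenticated ({}), authorities: {}", authentication.getPrincipal(),
                    authentication.getClass().getSimpleName(), ((MidPointPrincipal) authenticated.getPrincipal()).getAuthorities());
            return authenticated;
        } catch (IncorrectResultSizeDataAccessException e) {
            LOGGER.error("Failed to authenticate user {}. Error: {}", authentication.getName(), e.getMessage(), e);
            recordPasswordAuthenticationFailure(authentication.getName(), "bad user");
            throw new BadCredentialsException("LdapAuthentication.bad.user", e);
        } catch (InternalAuthenticationServiceException e) {
            recordPasswordAuthenticationFailure(authentication.getName(), e.getMessage());
            throw processInternalAuthenticationException(e, e);
        } catch (RuntimeException e) {
            LOGGER.error("Failed to authenticate user {}. Error: {}", authentication.getName(), e.getMessage(), e);
            recordPasswordAuthenticationFailure(authentication.getName(), "bad credentials");
            throw e;
        }
    }

    /** Re-creates an LDAP token with the given authorities; other token types are returned as is. */
    @Override
    protected Authentication createNewAuthenticationToken(Authentication authentication, Collection collection) {
        if (authentication instanceof LdapAuthenticationToken) {
            return new LdapAuthenticationToken(authentication.getPrincipal(), authentication.getCredentials(), collection);
        }
        return authentication;
    }

    /** Only {@link LdapAuthenticationToken} itself is supported, not its subclasses. */
    @Override
    public boolean supports(Class<?> cls) {
        return LdapAuthenticationToken.class.equals(cls);
    }

    @Override
    public int hashCode() {
        return this.authenticatorProvider.hashCode();
    }

    /**
     * Two providers are equal when they wrap equal Spring providers. The previous
     * implementation compared the wrapped provider with {@code obj} directly, so a provider
     * was never equal to itself (reflexivity violated, collection lookups failed).
     */
    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (!(obj instanceof MidPointLdapAuthenticationProvider)) {
            return false;
        }
        MidPointLdapAuthenticationProvider other = (MidPointLdapAuthenticationProvider) obj;
        return this.authenticatorProvider.equals(other.authenticatorProvider);
    }

    /**
     * Records a successful login on the principal's focus (failed-login counter reset,
     * previous/last successful login moved on) and audits it.
     *
     * @param midPointPrincipal the authenticated principal; its focus must not be null
     */
    public void recordPasswordAuthenticationSuccess(@NotNull MidPointPrincipal midPointPrincipal) {
        String channel = getChannel();
        FocusType focus = midPointPrincipal.getFocus();
        AuthenticationBehavioralDataType behavior = AuthenticationEvaluatorUtil.getBehavior(focus);
        // Snapshot before any change so computeModifications can diff old against new state.
        FocusType focusBefore = focus.mo2045clone();
        Integer failedLogins = behavior.getFailedLogins();
        if (failedLogins != null && failedLogins.intValue() > 0) {
            behavior.setFailedLogins(0);
        }
        LoginEventType loginEvent = new LoginEventType();
        loginEvent.setTimestamp(this.clock.currentTimeXMLGregorianCalendar());
        loginEvent.setFrom(SecurityUtil.getCurrentConnectionInformation().getRemoteHostAddress());
        behavior.setPreviousSuccessfulLogin(behavior.getLastSuccessfulLogin());
        behavior.setLastSuccessfulLogin(loginEvent);
        this.focusProfileService.updateFocus(midPointPrincipal, computeModifications(focusBefore, focus));
        recordAuthenticationSuccess(focus, channel);
    }

    /**
     * @return the channel id of the current {@link MidpointAuthentication}, or
     *         {@link SchemaConstants#CHANNEL_USER_URI} when there is none
     */
    private String getChannel() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (!(authentication instanceof MidpointAuthentication)) {
            return SchemaConstants.CHANNEL_USER_URI;
        }
        AuthenticationChannel authenticationChannel = ((MidpointAuthentication) authentication).getAuthenticationChannel();
        if (authenticationChannel == null) {
            return SchemaConstants.CHANNEL_USER_URI;
        }
        return authenticationChannel.getChannelId();
    }

    private void recordAuthenticationSuccess(@NotNull FocusType focusType, @NotNull String channel) {
        this.auditProvider.auditLoginSuccess(focusType, createConnectEnvironment(channel));
    }

    /**
     * Builds the audit connection environment for the channel, overriding the session id
     * with the one of the current {@link MidpointAuthentication} when available.
     */
    private ConnectionEnvironment createConnectEnvironment(String channel) {
        ConnectionEnvironment environment = ConnectionEnvironment.create(channel);
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication instanceof MidpointAuthentication) {
            String sessionId = ((MidpointAuthentication) authentication).getSessionId();
            if (sessionId != null) {
                environment.setSessionIdOverride(sessionId);
            }
        }
        return environment;
    }

    /**
     * Records a failed login. When a focus can be resolved for the username, its
     * failed-login counter is incremented and the last failed login is stamped; the failure
     * is audited in either case (with a null focus when none could be resolved).
     *
     * @param str the username that was presented
     * @param str2 the reason for the failure (informational; see {@link #recordAuthenticationFailure})
     */
    public void recordPasswordAuthenticationFailure(String str, String str2) {
        String channel = getChannel();
        GuiProfiledPrincipal guiProfiledPrincipal = null;
        FocusType focusType = null;
        try {
            guiProfiledPrincipal = this.focusProfileService.getPrincipal(str, getFocusType());
            focusType = guiProfiledPrincipal.getFocus();
        } catch (Exception e) {
            // Best effort: an unknown or unresolvable user is still audited, just without a focus.
            LOGGER.trace("Cannot resolve focus for username '{}' while recording a failed login: {}", str, e.getMessage(), e);
        }
        if (guiProfiledPrincipal != null && focusType != null) {
            AuthenticationBehavioralDataType behavior = AuthenticationEvaluatorUtil.getBehavior(focusType);
            // Snapshot before any change so computeModifications can diff old against new state.
            FocusType focusBefore = focusType.mo2045clone();
            Integer failedLogins = behavior.getFailedLogins();
            int newFailedLogins = failedLogins == null ? 1 : failedLogins.intValue() + 1;
            behavior.setFailedLogins(Integer.valueOf(newFailedLogins));
            LoginEventType loginEvent = new LoginEventType();
            loginEvent.setTimestamp(this.clock.currentTimeXMLGregorianCalendar());
            loginEvent.setFrom(SecurityUtil.getCurrentConnectionInformation().getRemoteHostAddress());
            behavior.setLastFailedLogin(loginEvent);
            this.focusProfileService.updateFocus(guiProfiledPrincipal, computeModifications(focusBefore, guiProfiledPrincipal.getFocus()));
        }
        recordAuthenticationFailure(str, focusType, channel, str2);
    }

    /**
     * @return the focus type configured on the module being processed, or {@link UserType}
     *         when there is no {@link MidpointAuthentication}, no processing module, or no
     *         focus type on it
     */
    private Class<? extends FocusType> getFocusType() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (!(authentication instanceof MidpointAuthentication)) {
            return UserType.class;
        }
        ModuleAuthentication processingModule = getProcessingModule((MidpointAuthentication) authentication);
        if (processingModule == null || processingModule.getFocusType() == null) {
            return UserType.class;
        }
        return WebComponentUtil.qnameToClass(this.prismContext, processingModule.getFocusType(), FocusType.class);
    }

    /**
     * Audits a failed login. The audit message is always "bad credentials"; the
     * {@code str3} reason passed by callers is not written to the record (presumably so the
     * audited reason is uniform regardless of why the attempt failed - confirm before
     * relying on it for detection).
     */
    protected void recordAuthenticationFailure(String str, FocusType focusType, String str2, String str3) {
        this.auditProvider.auditLoginFailure(str, focusType, createConnectEnvironment(str2), "bad credentials");
    }
}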
