package com.evolveum.midpoint.model.impl.lens.projector.credentials;

import com.evolveum.midpoint.common.LocalizationService;
import com.evolveum.midpoint.model.common.stringpolicy.ValuePolicyProcessor;
import com.evolveum.midpoint.model.impl.ModelObjectResolver;
import com.evolveum.midpoint.model.impl.lens.LensContext;
import com.evolveum.midpoint.model.impl.lens.LensFocusContext;
import com.evolveum.midpoint.model.impl.lens.OperationalDataManager;
import com.evolveum.midpoint.model.impl.lens.projector.ContextLoader;
import com.evolveum.midpoint.model.impl.lens.projector.ProjectorProcessor;
import com.evolveum.midpoint.model.impl.lens.projector.credentials.CredentialPolicyEvaluator;
import com.evolveum.midpoint.model.impl.lens.projector.credentials.NoncePolicyEvaluator;
import com.evolveum.midpoint.model.impl.lens.projector.credentials.PasswordPolicyEvaluator;
import com.evolveum.midpoint.model.impl.lens.projector.credentials.SecurityQuestionsPolicyEvaluator;
import com.evolveum.midpoint.model.impl.lens.projector.util.ProcessorExecution;
import com.evolveum.midpoint.model.impl.lens.projector.util.ProcessorMethod;
import com.evolveum.midpoint.prism.Item;
import com.evolveum.midpoint.prism.PrismContainer;
import com.evolveum.midpoint.prism.PrismContainerValue;
import com.evolveum.midpoint.prism.PrismContext;
import com.evolveum.midpoint.prism.PrismProperty;
import com.evolveum.midpoint.prism.PrismPropertyValue;
import com.evolveum.midpoint.prism.crypto.EncryptionException;
import com.evolveum.midpoint.prism.crypto.Protector;
import com.evolveum.midpoint.prism.delta.ContainerDelta;
import com.evolveum.midpoint.prism.delta.ItemDelta;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.delta.PropertyDelta;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.schema.constants.SchemaConstants;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.security.api.SecurityUtil;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.PolicyViolationException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsStorageMethodType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsStorageTypeType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ValuePolicyType;
import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
import java.util.Collection;
import java.util.Iterator;
import javax.xml.datatype.XMLGregorianCalendar;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

@ProcessorExecution(focusRequired = true, focusType = FocusType.class)
@Component
/* loaded from: input_file:WEB-INF/lib/model-impl-4.4.12-SNAPSHOT.jar:com/evolveum/midpoint/model/impl/lens/projector/credentials/CredentialsProcessor.class */
public class CredentialsProcessor implements ProjectorProcessor {
    private static final Trace LOGGER = TraceManager.getTrace((Class<?>) CredentialsProcessor.class);

    @Autowired
    private PrismContext prismContext;

    @Autowired
    private OperationalDataManager metadataManager;

    @Autowired
    private ModelObjectResolver resolver;

    @Autowired
    private ValuePolicyProcessor valuePolicyProcessor;

    @Autowired
    private Protector protector;

    @Autowired
    private LocalizationService localizationService;

    @Autowired
    private ContextLoader contextLoader;

    @ProcessorMethod
    public <F extends FocusType> void processFocusCredentials(LensContext<F> lensContext, XMLGregorianCalendar xMLGregorianCalendar, Task task, OperationResult operationResult) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, PolicyViolationException, CommunicationException, ConfigurationException, SecurityViolationException {
        this.contextLoader.reloadSecurityPolicyIfNeeded(lensContext, lensContext.getFocusContext(), task, operationResult);
        processFocusPassword(lensContext, xMLGregorianCalendar, task, operationResult);
        processFocusNonce(lensContext, xMLGregorianCalendar, task, operationResult);
        processFocusSecurityQuestions(lensContext, xMLGregorianCalendar, task, operationResult);
    }

    private <F extends FocusType> void processFocusPassword(LensContext<F> lensContext, XMLGregorianCalendar xMLGregorianCalendar, Task task, OperationResult operationResult) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, PolicyViolationException, CommunicationException, ConfigurationException, SecurityViolationException {
        createEvaluator(new PasswordPolicyEvaluator.Builder(), lensContext, xMLGregorianCalendar, task, operationResult).process();
    }

    private <F extends FocusType> void processFocusNonce(LensContext<F> lensContext, XMLGregorianCalendar xMLGregorianCalendar, Task task, OperationResult operationResult) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, PolicyViolationException, CommunicationException, ConfigurationException, SecurityViolationException {
        createEvaluator(new NoncePolicyEvaluator.Builder(), lensContext, xMLGregorianCalendar, task, operationResult).process();
    }

    private <F extends FocusType> void processFocusSecurityQuestions(LensContext<F> lensContext, XMLGregorianCalendar xMLGregorianCalendar, Task task, OperationResult operationResult) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, PolicyViolationException, CommunicationException, ConfigurationException, SecurityViolationException {
        createEvaluator(new SecurityQuestionsPolicyEvaluator.Builder(), lensContext, xMLGregorianCalendar, task, operationResult).process();
    }

    private <F extends FocusType> CredentialPolicyEvaluator<?, ?, F> createEvaluator(CredentialPolicyEvaluator.Builder<F> builder, LensContext<F> lensContext, XMLGregorianCalendar xMLGregorianCalendar, Task task, OperationResult operationResult) {
        return builder.context(lensContext).metadataManager(this.metadataManager).now(xMLGregorianCalendar).prismContext(this.prismContext).protector(this.protector).localizationService(this.localizationService).resolver(this.resolver).valuePolicyProcessor(this.valuePolicyProcessor).task(task).result(operationResult).build();
    }

    public <O extends ObjectType> ObjectDelta<O> transformFocusExecutionDelta(LensContext<O> lensContext, ObjectDelta<O> objectDelta) throws SchemaException, EncryptionException {
        CredentialsPolicyType credentialsPolicy = lensContext.getFocusContext().getCredentialsPolicy();
        if (credentialsPolicy == null) {
            return objectDelta;
        }
        ObjectDelta<O> mo261clone = objectDelta.mo261clone();
        transformFocusExecutionDeltaForCredential(credentialsPolicy, credentialsPolicy.getPassword(), "password", SchemaConstants.PATH_PASSWORD_VALUE, mo261clone);
        return mo261clone;
    }

    private <O extends ObjectType> void transformFocusExecutionDeltaForCredential(CredentialsPolicyType credentialsPolicyType, CredentialPolicyType credentialPolicyType, String str, ItemPath itemPath, ObjectDelta<O> objectDelta) throws SchemaException, EncryptionException {
        if (objectDelta.isDelete()) {
            return;
        }
        CredentialsStorageMethodType credentialsStorageMethodType = (CredentialsStorageMethodType) SecurityUtil.getCredentialPolicyItem(credentialsPolicyType.getDefault(), credentialPolicyType, (v0) -> {
            return v0.getStorageMethod();
        });
        LOGGER.trace("Credential {}, processing storage method: {}", str, credentialsStorageMethodType);
        if (credentialsStorageMethodType == null) {
            return;
        }
        CredentialsStorageTypeType storageType = credentialsStorageMethodType.getStorageType();
        if (storageType == null || storageType == CredentialsStorageTypeType.ENCRYPTION) {
            LOGGER.trace("Credential {} should be encrypted, nothing to do", str);
            return;
        }
        if (storageType == CredentialsStorageTypeType.HASHING) {
            LOGGER.trace("Hashing credential: {}", str);
            hashCredentialValue(itemPath, objectDelta);
        } else {
            if (storageType != CredentialsStorageTypeType.NONE) {
                throw new SchemaException("Unknown storage type " + storageType);
            }
            LOGGER.trace("Removing credential: {}", str);
            removeCredentialValue(itemPath, objectDelta);
        }
    }

    private <O extends ObjectType> void hashCredentialValue(ItemPath itemPath, ObjectDelta<O> objectDelta) throws SchemaException, EncryptionException {
        if (objectDelta.isAdd()) {
            Item findProperty = objectDelta.getObjectToAdd().findProperty(itemPath);
            if (findProperty != null) {
                hashValues(findProperty.getValues());
                return;
            }
            return;
        }
        PropertyDelta propertyDelta = (PropertyDelta) objectDelta.findItemDelta(itemPath, PropertyDelta.class, PrismProperty.class, true);
        if (propertyDelta != null) {
            hashValues(propertyDelta.getValuesToAdd());
            hashValues(propertyDelta.getValuesToReplace());
            hashValues(propertyDelta.getValuesToDelete());
            return;
        }
        ItemPath allExceptLast = itemPath.allExceptLast();
        ContainerDelta containerDelta = (ContainerDelta) objectDelta.findItemDelta(allExceptLast, ContainerDelta.class, PrismContainer.class, true);
        if (containerDelta != null) {
            hashPasswordPcvs(containerDelta.getValuesToAdd());
            hashPasswordPcvs(containerDelta.getValuesToReplace());
            return;
        }
        ContainerDelta containerDelta2 = (ContainerDelta) objectDelta.findItemDelta(allExceptLast.allExceptLast(), ContainerDelta.class, PrismContainer.class, true);
        if (containerDelta2 != null) {
            hashCredentialsPcvs(containerDelta2.getValuesToAdd());
            hashCredentialsPcvs(containerDelta2.getValuesToReplace());
        }
    }

    private <O extends ObjectType> void removeCredentialValue(ItemPath itemPath, ObjectDelta<O> objectDelta) {
        if (objectDelta.isAdd()) {
            objectDelta.getObjectToAdd().removeProperty(itemPath);
            return;
        }
        ItemDelta findPropertyDelta = objectDelta.findPropertyDelta(itemPath);
        if (findPropertyDelta != null) {
            findPropertyDelta.setValueToReplace();
        }
    }

    private void hashValues(Collection<PrismPropertyValue<ProtectedStringType>> collection) throws SchemaException, EncryptionException {
        if (collection != null) {
            Iterator<PrismPropertyValue<ProtectedStringType>> it = collection.iterator();
            while (it.hasNext()) {
                ProtectedStringType value = it.next().getValue();
                if (!value.isHashed()) {
                    this.protector.hash(value);
                }
            }
        }
    }

    private void hashPasswordPcvs(Collection<PrismContainerValue<PasswordType>> collection) throws SchemaException, EncryptionException {
        if (collection != null) {
            Iterator<PrismContainerValue<PasswordType>> it = collection.iterator();
            while (it.hasNext()) {
                PasswordType value = it.next().getValue();
                if (value != null && value.getValue() != null && !value.getValue().isHashed()) {
                    this.protector.hash(value.getValue());
                }
            }
        }
    }

    private void hashCredentialsPcvs(Collection<PrismContainerValue<CredentialsType>> collection) throws SchemaException, EncryptionException {
        ProtectedStringType value;
        if (collection != null) {
            Iterator<PrismContainerValue<CredentialsType>> it = collection.iterator();
            while (it.hasNext()) {
                CredentialsType value2 = it.next().getValue();
                if (value2 != null && value2.getPassword() != null && (value = value2.getPassword().getValue()) != null && !value.isHashed()) {
                    this.protector.hash(value);
                }
            }
        }
    }

    public <F extends ObjectType> ValuePolicyType determinePasswordPolicy(LensFocusContext<F> lensFocusContext) {
        if (lensFocusContext != null) {
            return SecurityUtil.getPasswordPolicy(lensFocusContext.getSecurityPolicy());
        }
        return null;
    }
}
