package com.evolveum.midpoint.authentication.impl.provider;

import com.evolveum.midpoint.authentication.api.AuthenticationChannel;
import com.evolveum.midpoint.authentication.api.config.AuthenticationEvaluator;
import com.evolveum.midpoint.authentication.api.config.MidpointAuthentication;
import com.evolveum.midpoint.authentication.api.config.ModuleAuthentication;
import com.evolveum.midpoint.authentication.impl.module.authentication.MailNonceModuleAuthenticationImpl;
import com.evolveum.midpoint.authentication.impl.module.authentication.token.MailNonceAuthenticationToken;
import com.evolveum.midpoint.authentication.impl.util.AuthSequenceUtil;
import com.evolveum.midpoint.model.api.ModelInteractionService;
import com.evolveum.midpoint.model.api.ModelService;
import com.evolveum.midpoint.model.api.authentication.GuiProfiledPrincipal;
import com.evolveum.midpoint.model.api.context.NonceAuthenticationContext;
import com.evolveum.midpoint.prism.PrismContext;
import com.evolveum.midpoint.security.api.ConnectionEnvironment;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.security.api.SecurityContextManager;
import com.evolveum.midpoint.task.api.TaskManager;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.NonceCredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import java.util.Collection;
import java.util.List;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/* loaded from: input_file:BOOT-INF/lib/authentication-impl-4.6.2-SNAPSHOT.jar:com/evolveum/midpoint/authentication/impl/provider/MailNonceProvider.class */
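/**
 * Authentication provider for the mail-nonce credential.
 *
 * <p>The incoming {@link MailNonceAuthenticationToken} carries a username as principal and the
 * nonce (sent to the user by mail) as credentials. This class builds a
 * {@link NonceAuthenticationContext} for it — including the nonce credential policy that applies
 * to the user, looked up by the credential name of the currently processing
 * {@link MailNonceModuleAuthenticationImpl} — and delegates the actual check to the injected
 * {@code AuthenticationEvaluator<NonceAuthenticationContext>}.
 *
 * <p>Message keys thrown here ({@code web.security.provider.*}) are deliberately generic; the
 * specific reason is only written to the log.
 */
public class MailNonceProvider extends AbstractCredentialProvider<NonceAuthenticationContext> {
    private static final Trace LOGGER = TraceManager.getTrace(MailNonceProvider.class);

    /** Message key for "this provider cannot service the supplied token". */
    private static final String UNAVAILABLE_KEY = "web.security.provider.unavailable";
    /** Message key for a blank username or a user that could not be found. */
    private static final String INVALID_CREDENTIALS_KEY = "web.security.provider.invalid.credentials";

    @Autowired
    private AuthenticationEvaluator<NonceAuthenticationContext> nonceAuthenticationEvaluator;

    @Autowired
    private SecurityContextManager securityContextManager;

    @Autowired
    private TaskManager manager;

    @Autowired
    private ModelService modelService;

    @Autowired
    private PrismContext prismContext;

    @Autowired
    private ModelInteractionService modelInteractionService;

    /** @return the evaluator that performs the nonce check for the built context */
    @Override
    public AuthenticationEvaluator<NonceAuthenticationContext> getEvaluator() {
        return this.nonceAuthenticationEvaluator;
    }

    /**
     * Authenticates a mail-nonce token.
     *
     * <p>An already authenticated token whose principal is a {@link GuiProfiledPrincipal} is returned
     * untouched. Anything that is not a {@link MailNonceAuthenticationToken}, or whose principal /
     * credentials are not strings, is rejected with {@link AuthenticationServiceException} instead of
     * failing with a {@code ClassCastException} (the original cast happened before the token-type check).
     *
     * @param authentication token to authenticate; principal = username, credentials = nonce
     * @param list passed through to the {@link NonceAuthenticationContext} unchanged
     * @param authenticationChannel may be {@code null}; when present, its activation-by-channel flag
     *        is copied onto the context
     * @param cls focus type the username is resolved against
     * @return the token produced by the evaluator
     * @throws AuthenticationException any failure from the evaluator or the policy lookup; it is logged
     *         at INFO (username + message key only, never the nonce) and rethrown
     */
    @Override
    protected Authentication internalAuthentication(Authentication authentication, List<ObjectReferenceType> list,
            AuthenticationChannel authenticationChannel, Class<? extends FocusType> cls) throws AuthenticationException {
        if (authentication.isAuthenticated() && authentication.getPrincipal() instanceof GuiProfiledPrincipal) {
            return authentication;
        }
        LOGGER.trace("Authenticating username '{}'", authentication.getPrincipal());
        ConnectionEnvironment connEnv = createEnvironment(authenticationChannel);
        try {
            if (!(authentication instanceof MailNonceAuthenticationToken)) {
                // Log only the token class: the token's toString() may render its credentials.
                LOGGER.error("Unsupported authentication {}", authentication.getClass().getName());
                throw new AuthenticationServiceException(UNAVAILABLE_KEY);
            }
            String enteredUsername = asStringOrNull(authentication.getPrincipal(), "principal");
            String nonce = asStringOrNull(authentication.getCredentials(), "credentials");

            NonceAuthenticationContext authnCtx =
                    new NonceAuthenticationContext(enteredUsername, cls, nonce, getNoncePolicy(enteredUsername), list);
            if (authenticationChannel != null) {
                authnCtx.setSupportActivationByChannel(authenticationChannel.isSupportActivationByChannel());
            }

            UsernamePasswordAuthenticationToken result = getEvaluator().authenticate(connEnv, authnCtx);
            LOGGER.debug("User '{}' authenticated ({}), authorities: {}", enteredUsername,
                    authentication.getClass().getSimpleName(), ((MidPointPrincipal) result.getPrincipal()).getAuthorities());
            return result;
        } catch (AuthenticationException e) {
            LOGGER.info("Authentication failed for {}: {}", authentication.getPrincipal(), e.getMessage());
            throw e;
        }
    }

    /**
     * Narrows a token principal/credentials value to {@link String}.
     *
     * @param value value taken from the token; {@code null} is passed through
     * @param what name of the field, used in the error log only
     * @return the value as a string, or {@code null}
     * @throws AuthenticationServiceException when the value is of any other type
     */
    private static String asStringOrNull(Object value, String what) {
        if (value == null || value instanceof String) {
            return (String) value;
        }
        LOGGER.error("Unsupported type of {} in mail nonce token: {}", what, value.getClass().getName());
        throw new AuthenticationServiceException(UNAVAILABLE_KEY);
    }

    /**
     * Resolves the nonce credential policy applicable to the given user.
     *
     * <p>The policy is chosen from the user's security policy by the credential name configured on the
     * currently processing mail-nonce module. The user lookup goes through
     * {@code AuthSequenceUtil.searchUserPrivileged} (presumably under elevated privileges, given the
     * helper's name — the user is not authenticated yet at this point).
     *
     * @param username username entered as the token principal
     * @return the matching policy, or {@code null} when the current authentication is not a mail-nonce
     *         module with a credential name, when the security policy defines no nonce credentials, or
     *         when no nonce credential has the configured name
     * @throws UsernameNotFoundException when the username is blank or no such user exists
     */
    private NonceCredentialsPolicyType getNoncePolicy(String username) {
        if (StringUtils.isBlank(username)) {
            throw new UsernameNotFoundException(INVALID_CREDENTIALS_KEY);
        }
        String credentialName = processingCredentialName();
        if (credentialName == null) {
            return null;
        }
        UserType user = AuthSequenceUtil.searchUserPrivileged(
                username, this.securityContextManager, this.manager, this.modelService, this.prismContext);
        if (user == null) {
            throw new UsernameNotFoundException(INVALID_CREDENTIALS_KEY);
        }
        SecurityPolicyType securityPolicy = AuthSequenceUtil.resolveSecurityPolicy(
                user.asPrismObject(), this.securityContextManager, this.manager, this.modelInteractionService);
        if (illegalPolicy(securityPolicy)) {
            return null;
        }
        for (NonceCredentialsPolicyType policy : securityPolicy.getCredentials().getNonce()) {
            if (policy != null && credentialName.equals(policy.getName())) {
                return policy;
            }
        }
        LOGGER.debug("Couldn't find nonce credential by name {}", credentialName);
        return null;
    }

    /**
     * Checks that the security policy actually carries nonce credential definitions.
     *
     * @param securityPolicyType resolved security policy, may be {@code null}
     * @return {@code true} (with a DEBUG log of the reason) when the policy, its credentials, or its
     *         nonce credentials are {@code null}; {@code false} otherwise
     */
    private boolean illegalPolicy(SecurityPolicyType securityPolicyType) {
        if (securityPolicyType == null) {
            LOGGER.debug("Security policy from principal is null");
            return true;
        }
        if (securityPolicyType.getCredentials() == null) {
            LOGGER.debug("Credentials in security policy from principal is null");
            return true;
        }
        if (securityPolicyType.getCredentials().getNonce() == null) {
            LOGGER.debug("Nonce credentials in security policy from principal is null");
            return true;
        }
        return false;
    }

    /**
     * Reads the credential name of the mail-nonce module that is currently being processed.
     *
     * <p>The module is taken from the {@link MidpointAuthentication} held in the
     * {@link SecurityContextHolder}, so this only works while the authentication sequence is running.
     *
     * @return the configured credential name, or {@code null} (with a DEBUG log of the reason) when the
     *         current authentication is not a {@link MidpointAuthentication}, its processing module is
     *         not a {@link MailNonceModuleAuthenticationImpl}, or the module has no credential name
     */
    private String processingCredentialName() {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        if (!(current instanceof MidpointAuthentication)) {
            LOGGER.debug("Actual authentication isn't MidpointAuthentication");
            return null;
        }
        ModuleAuthentication module = ((MidpointAuthentication) current).getProcessingModuleAuthentication();
        if (!(module instanceof MailNonceModuleAuthenticationImpl)) {
            LOGGER.debug("Actual processing authentication module isn't MailNonceModuleAuthentication");
            return null;
        }
        String credentialName = ((MailNonceModuleAuthenticationImpl) module).getCredentialName();
        if (credentialName == null) {
            LOGGER.debug("Name of credential in processing module is null");
        }
        return credentialName;
    }

    /**
     * Re-wraps a plain username/password token as a {@link MailNonceAuthenticationToken} with the given
     * authorities; any other token is returned as-is.
     *
     * @param authentication source token
     * @param collection authorities for the new token
     * @return the mail-nonce token, or {@code authentication} unchanged
     */
    @Override
    protected Authentication createNewAuthenticationToken(Authentication authentication,
            Collection<? extends GrantedAuthority> collection) {
        if (authentication instanceof UsernamePasswordAuthenticationToken) {
            return new MailNonceAuthenticationToken(authentication.getPrincipal(), authentication.getCredentials(), collection);
        }
        return authentication;
    }

    /**
     * @param cls token class offered by the authentication manager
     * @return {@code true} only for {@link MailNonceAuthenticationToken} itself (subclasses are not accepted)
     */
    @Override
    public boolean supports(Class<?> cls) {
        return MailNonceAuthenticationToken.class.equals(cls);
    }

    /** @return the credential policy type this provider handles, {@link NonceCredentialsPolicyType} */
    @Override
    public Class getTypeOfCredential() {
        return NonceCredentialsPolicyType.class;
    }
}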
