package com.evolveum.midpoint.authentication.impl.entry.point;

import com.evolveum.midpoint.authentication.api.config.MidpointAuthentication;
import com.evolveum.midpoint.authentication.api.util.AuthConstants;
import com.evolveum.midpoint.authentication.api.util.AuthenticationModuleNameConstants;
import com.evolveum.midpoint.authentication.impl.filter.HttpSecurityQuestionsAuthenticationFilter;
import com.evolveum.midpoint.authentication.impl.filter.MidpointAuthFilter;
import com.evolveum.midpoint.model.api.ModelInteractionService;
import com.evolveum.midpoint.model.api.ModelService;
import com.evolveum.midpoint.prism.PrismContext;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.schema.SearchResultList;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.util.ObjectQueryUtil;
import com.evolveum.midpoint.security.api.SecurityContextManager;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.task.api.TaskManager;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityQuestionDefinitionType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import com.github.openjson.JSONArray;
import com.github.openjson.JSONObject;
import java.io.IOException;
import java.lang.invoke.SerializedLambda;
import java.nio.charset.StandardCharsets;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.cxf.common.util.Base64Utility;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

/* loaded from: input_file:WEB-INF/lib/authentication-impl-4.6-SNAPSHOT.jar:com/evolveum/midpoint/authentication/impl/entry/point/HttpSecurityQuestionsAuthenticationEntryPoint.class */
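public class HttpSecurityQuestionsAuthenticationEntryPoint extends HttpAuthenticationEntryPoint {
    // Deliberately keyed to MidpointAuthFilter (as in the original) so existing logger configuration
    // for the HTTP authentication path keeps matching this class's output.
    private static final Trace LOGGER = TraceManager.getTrace((Class<?>) MidpointAuthFilter.class);
    private static final String WWW_AUTHENTICATION_HEADER = "WWW-Authenticate";
    private static final String AUTHENTICATION_HEADER = "Authorization";
    /** Challenge payload returned when the client sends the bare scheme name and no user name yet. */
    private static final String DEFAULT_JSON = "{\"user\":\"username\"}";
    /** The only key the client-supplied JSON may contain on the first round trip. */
    private static final String JSON_USER_KEY = "user";

    @Autowired
    private SecurityContextManager securityContextManager;

    @Autowired
    private TaskManager taskManager;

    @Autowired
    private ModelService model;

    @Autowired
    private ModelInteractionService modelInteractionService;

    /**
     * Builds the list of enabled security questions of {@code user} as JSON objects carrying the
     * question identifier ({@code AuthConstants.SEC_QUESTION_J_QID}) and its text
     * ({@code AuthConstants.SEC_QUESTION_J_QTXT}).
     *
     * @param user the resolved user whose security policy is consulted
     * @return the array of enabled questions, or {@code null} when the policy defines no questions or
     *         none of them is enabled
     */
    private JSONArray generateAnswer(PrismObject<UserType> user) {
        List<SecurityQuestionDefinitionType> questions = getQuestions(user);
        if (questions == null) {
            return null;
        }
        JSONArray enabled = new JSONArray();
        for (SecurityQuestionDefinitionType question : questions) {
            // isEnabled() is a nullable Boolean; only an explicit false disables a question.
            if (Boolean.FALSE.equals(question.isEnabled())) {
                continue;
            }
            JSONObject entry = new JSONObject();
            entry.put(AuthConstants.SEC_QUESTION_J_QID, question.getIdentifier());
            entry.put(AuthConstants.SEC_QUESTION_J_QTXT, question.getQuestionText());
            enabled.put(entry);
        }
        return enabled.length() == 0 ? null : enabled;
    }

    /**
     * Issues the "SecQ" challenge for HTTP security-questions authentication.
     *
     * <p>Flow, applied only when the current authentication is a {@link MidpointAuthentication}:
     * <ul>
     *   <li>no Authorization header, or one with a different scheme: delegate to the generic
     *       challenge of the superclass;</li>
     *   <li>bare {@code SecQ}: answer with {@link #DEFAULT_JSON} so the client learns the expected
     *       shape;</li>
     *   <li>{@code SecQ <base64 json>}: the JSON must be exactly {@code {"user": "<name>"}}; the named
     *       user is looked up and the client receives the same JSON extended with the user's enabled
     *       questions under {@code HttpSecurityQuestionsAuthenticationFilter.J_ANSWER}. A malformed
     *       header, an unknown or ambiguous user, or a user without enabled questions falls back to
     *       the generic challenge.</li>
     * </ul>
     * The response status is set to 401 on every path this method completes itself; the generic
     * fallback is left to the superclass.
     *
     * <p>Security note: this challenge is an unauthenticated oracle by design. The response differs
     * depending on whether the supplied user name resolves to exactly one user with enabled questions,
     * so the endpoint discloses which user names exist. That is inherent to the scheme and is not
     * fixed here; deployments exposing it should rate-limit it and treat the user name as
     * enumerable. The lookup itself runs privileged but binds the name through a query object, so no
     * query injection is possible from the header.
     *
     * @param request       the unauthenticated request
     * @param response      the response to decorate with {@code WWW-Authenticate}
     * @param authException the exception that triggered the entry point; passed through to the superclass
     * @throws IOException propagated from the superclass challenge
     */
    @Override // com.evolveum.midpoint.authentication.impl.entry.point.HttpAuthenticationEntryPoint, org.springframework.security.web.AuthenticationEntryPoint
    public void commence(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException authException) throws IOException {
        try {
            if (SecurityContextHolder.getContext().getAuthentication() instanceof MidpointAuthentication) {
                String header = request.getHeader(AUTHENTICATION_HEADER);
                if (!hasSecurityQuestionsScheme(header)) {
                    super.commence(request, response, authException);
                    return;
                }
                if (header.equalsIgnoreCase(AuthenticationModuleNameConstants.SECURITY_QUESTIONS)) {
                    // Bare scheme: tell the client what to send on the next round trip.
                    createSecurityQuestionAbortMessage(response, DEFAULT_JSON);
                } else {
                    JSONObject payload = parseUserPayload(header);
                    String userName = payload == null ? null : payload.optString(JSON_USER_KEY, null);
                    if (userName == null || userName.trim().isEmpty()) {
                        super.commence(request, response, authException);
                        return;
                    }
                    SearchResultList<PrismObject<UserType>> found = searchUser(userName);
                    // Exactly one match is required; zero or several is treated like an unknown user.
                    if (found == null || found.size() != 1) {
                        super.commence(request, response, authException);
                        return;
                    }
                    JSONArray questions = generateAnswer(found.get(0));
                    if (questions == null) {
                        super.commence(request, response, authException);
                        return;
                    }
                    payload.putOpt(HttpSecurityQuestionsAuthenticationFilter.J_ANSWER, questions);
                    createSecurityQuestionAbortMessage(response, payload.toString());
                }
            }
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        } catch (Exception e) {
            // Client-input problems are handled (and logged at debug) in parseUserPayload; anything
            // reaching here is an unexpected server-side failure and deserves the error level.
            LOGGER.error("Unexpected failure while preparing the security questions challenge", e);
            super.commence(request, response, authException);
        }
    }

    /**
     * Tells whether {@code header} carries the security-questions scheme. The comparison is a
     * case-insensitive prefix match on {@code AuthenticationModuleNameConstants.SECURITY_QUESTIONS},
     * which is what the original code did via {@code toLowerCase().startsWith(...)}; regionMatches
     * avoids the default-locale dependency of {@code toLowerCase()}.
     */
    private static boolean hasSecurityQuestionsScheme(String header) {
        String scheme = AuthenticationModuleNameConstants.SECURITY_QUESTIONS;
        return header != null && header.regionMatches(true, 0, scheme, 0, scheme.length());
    }

    /**
     * Decodes the Base64 text that follows the scheme (and one separator character) in
     * {@code header} and parses it as JSON.
     *
     * <p>The header is attacker-controlled. Undecodable Base64, unparseable JSON and any JSON that is
     * not exactly one {@code "user"} key all yield {@code null} and are logged at debug level only, so
     * a client cannot fill the error log with its own payload.
     *
     * @param header the full Authorization header value, already known to start with the scheme
     * @return the parsed object with the single {@code user} key, or {@code null} if the payload is
     *         not acceptable
     */
    private static JSONObject parseUserPayload(String header) {
        String encoded = header.substring(AuthenticationModuleNameConstants.SECURITY_QUESTIONS.length() + 1);
        try {
            // UTF-8 explicitly: the platform default charset is not guaranteed to match what the client
            // encoded, and user names may be non-ASCII.
            JSONObject payload = new JSONObject(new String(Base64Utility.decode(encoded), StandardCharsets.UTF_8));
            if (payload.length() != 1 || !payload.has(JSON_USER_KEY)) {
                return null;
            }
            return payload;
        } catch (Exception e) {
            // Base64Exception / JSONException from client input: invalid credentials, not a server error.
            LOGGER.debug("Ignoring malformed security questions Authorization header: {}", e.getMessage());
            return null;
        }
    }

    /**
     * Writes the {@code WWW-Authenticate: SecQ <base64>} challenge header carrying {@code json}.
     *
     * @param response the response to decorate
     * @param json     the challenge body (UTF-8 encoded before Base64; question text is
     *                 administrator-configured and may contain non-ASCII characters)
     */
    public static void createSecurityQuestionAbortMessage(HttpServletResponse response, String json) {
        response.setHeader(WWW_AUTHENTICATION_HEADER,
                "SecQ " + Base64Utility.encode(json.getBytes(StandardCharsets.UTF_8)));
    }

    /**
     * Searches users by exact name. Runs privileged because the caller is not authenticated yet; the
     * name is bound via {@code ObjectQueryUtil.createNameQuery}, never concatenated into a query.
     *
     * @param name the user name taken from the client JSON
     * @return the search result (possibly empty or with several entries), or {@code null} if the
     *         model call threw one of its declared exceptions
     */
    private SearchResultList<PrismObject<UserType>> searchUser(String name) {
        return this.securityContextManager.runPrivileged(() -> {
            Task task = this.taskManager.createTaskInstance("Search user by name");
            try {
                return this.model.searchObjects(UserType.class,
                        ObjectQueryUtil.createNameQuery(name, PrismContext.get()), null, task, task.getResult());
            } catch (CommunicationException | ConfigurationException | ExpressionEvaluationException
                    | ObjectNotFoundException | SchemaException | SecurityViolationException e) {
                LOGGER.debug("User lookup for security questions challenge failed: {}", e.getMessage());
                return null;
            }
        });
    }

    /**
     * Reads the security-question definitions from the security policy that applies to {@code user}.
     *
     * <p>The original implementation replaced the thread's authentication with an anonymous token
     * before calling {@code getSecurityPolicy} and never put the previous one back. The swap is kept
     * (presumably the policy must be resolved as an unauthenticated caller — not verifiable here), but
     * the previous authentication is now restored on every exit so the substitute token cannot leak
     * past this lookup. {@code runPrivileged} may restore it as well; the restore here is then redundant
     * but harmless.
     *
     * @param user the resolved user
     * @return the configured questions, or {@code null} when the policy has no credentials section, no
     *         security-questions section, or the model call threw one of its declared exceptions
     */
    private List<SecurityQuestionDefinitionType> getQuestions(PrismObject<UserType> user) {
        return this.securityContextManager.runPrivileged(() -> {
            Task task = this.taskManager.createTaskInstance("Search user by name");
            OperationResult result = task.getResult();
            Authentication previous = SecurityContextHolder.getContext().getAuthentication();
            try {
                SecurityContextHolder.getContext().setAuthentication(new AnonymousAuthenticationToken(
                        "rest_sec_q_auth", "REST", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS")));
                SecurityPolicyType policy = this.modelInteractionService.getSecurityPolicy(user, task, result);
                if (policy.getCredentials() == null || policy.getCredentials().getSecurityQuestions() == null) {
                    return null;
                }
                return policy.getCredentials().getSecurityQuestions().getQuestion();
            } catch (CommunicationException | ConfigurationException | ExpressionEvaluationException
                    | ObjectNotFoundException | SchemaException | SecurityViolationException e) {
                LOGGER.debug("Security policy lookup for security questions challenge failed: {}", e.getMessage());
                return null;
            } finally {
                SecurityContextHolder.getContext().setAuthentication(previous);
            }
        });
    }

    // Decompiler artifact: the synthetic lambda-deserialization hook emitted by javac for serializable
    // lambdas. It is not part of the hand-written source and is kept verbatim from the listing; note that
    // its inlined bodies reference {@code this} from a static context and would not compile as written.
    private static /* synthetic */ Object $deserializeLambda$(SerializedLambda serializedLambda) {
        String implMethodName = serializedLambda.getImplMethodName();
        boolean z = -1;
        switch (implMethodName.hashCode()) {
            case 524465643:
                if (implMethodName.equals("lambda$searchUser$185cf39a$1")) {
                    z = true;
                    break;
                }
                break;
            case 1378776653:
                if (implMethodName.equals("lambda$getQuestions$7c7bca83$1")) {
                    z = false;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                if (serializedLambda.getImplMethodKind() == 7 && serializedLambda.getFunctionalInterfaceClass().equals("com/evolveum/midpoint/util/Producer") && serializedLambda.getFunctionalInterfaceMethodName().equals("run") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("()Ljava/lang/Object;") && serializedLambda.getImplClass().equals("com/evolveum/midpoint/authentication/impl/entry/point/HttpSecurityQuestionsAuthenticationEntryPoint") && serializedLambda.getImplMethodSignature().equals("(Lcom/evolveum/midpoint/prism/PrismObject;)Ljava/util/List;")) {
                    HttpSecurityQuestionsAuthenticationEntryPoint httpSecurityQuestionsAuthenticationEntryPoint = (HttpSecurityQuestionsAuthenticationEntryPoint) serializedLambda.getCapturedArg(0);
                    PrismObject prismObject = (PrismObject) serializedLambda.getCapturedArg(1);
                    return () -> {
                        Task createTaskInstance = this.taskManager.createTaskInstance("Search user by name");
                        OperationResult result = createTaskInstance.getResult();
                        try {
                            SecurityContextHolder.getContext().setAuthentication(new AnonymousAuthenticationToken("rest_sec_q_auth", "REST", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS")));
                            SecurityPolicyType securityPolicy = this.modelInteractionService.getSecurityPolicy(prismObject, createTaskInstance, result);
                            if (securityPolicy.getCredentials() == null || securityPolicy.getCredentials().getSecurityQuestions() == null) {
                                return null;
                            }
                            return securityPolicy.getCredentials().getSecurityQuestions().getQuestion();
                        } catch (CommunicationException | ConfigurationException | ExpressionEvaluationException | ObjectNotFoundException | SchemaException | SecurityViolationException e) {
                            return null;
                        }
                    };
                }
                break;
            case true:
                if (serializedLambda.getImplMethodKind() == 7 && serializedLambda.getFunctionalInterfaceClass().equals("com/evolveum/midpoint/util/Producer") && serializedLambda.getFunctionalInterfaceMethodName().equals("run") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("()Ljava/lang/Object;") && serializedLambda.getImplClass().equals("com/evolveum/midpoint/authentication/impl/entry/point/HttpSecurityQuestionsAuthenticationEntryPoint") && serializedLambda.getImplMethodSignature().equals("(Ljava/lang/String;)Lcom/evolveum/midpoint/schema/SearchResultList;")) {
                    HttpSecurityQuestionsAuthenticationEntryPoint httpSecurityQuestionsAuthenticationEntryPoint2 = (HttpSecurityQuestionsAuthenticationEntryPoint) serializedLambda.getCapturedArg(0);
                    String str = (String) serializedLambda.getCapturedArg(1);
                    return () -> {
                        Task createTaskInstance = this.taskManager.createTaskInstance("Search user by name");
                        try {
                            return this.model.searchObjects(UserType.class, ObjectQueryUtil.createNameQuery(str, PrismContext.get()), null, createTaskInstance, createTaskInstance.getResult());
                        } catch (CommunicationException | ConfigurationException | ExpressionEvaluationException | ObjectNotFoundException | SchemaException | SecurityViolationException e) {
                            return null;
                        }
                    };
                }
                break;
        }
        throw new IllegalArgumentException("Invalid lambda deserialization");
    }
}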
