package com.evolveum.midpoint.model.impl.security;

import com.evolveum.midpoint.audit.api.AuditEventRecord;
import com.evolveum.midpoint.audit.api.AuditEventStage;
import com.evolveum.midpoint.audit.api.AuditEventType;
import com.evolveum.midpoint.model.api.ModelAuditRecorder;
import com.evolveum.midpoint.model.common.util.AuditHelper;
import com.evolveum.midpoint.model.impl.ModelObjectResolver;
import com.evolveum.midpoint.prism.PrismContext;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.xml.XmlTypeConverter;
import com.evolveum.midpoint.repo.common.SystemObjectCache;
import com.evolveum.midpoint.schema.processor.ResourceObjectDefinition;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.result.OperationResultStatus;
import com.evolveum.midpoint.security.api.ConnectionEnvironment;
import com.evolveum.midpoint.security.api.HttpConnectionInformation;
import com.evolveum.midpoint.security.api.SecurityUtil;
import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.task.api.TaskManager;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.NodeType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.NonceCredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordCredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityQuestionsCredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemConfigurationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ValuePolicyType;
import java.util.Iterator;
import javax.xml.datatype.Duration;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

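/* loaded from: input_file:WEB-INF/lib/model-impl-4.6-SNAPSHOT.jar:com/evolveum/midpoint/model/impl/security/SecurityHelper.class */
/**
 * Model-level helper for security-related bookkeeping: records login/logout audit events
 * (as {@link ModelAuditRecorder}) and locates the effective {@link SecurityPolicyType}
 * for a focus object, for the global system configuration, or for a projection.
 *
 * <p>Every located security policy is post-processed so that the {@link ValuePolicyType}
 * objects referenced from its credential policies are resolved into the reference values.
 * A value policy that cannot be resolved is logged at WARN level and left unresolved; callers
 * must therefore not assume that every credential policy of a returned security policy
 * carries a resolved value policy object.
 *
 * <p>Whether login/logout events are audited at all is decided per channel by
 * {@link SecurityUtil#isAuditedLoginAndLogout}, driven by the cached system configuration.
 */
@Component
public class SecurityHelper implements ModelAuditRecorder {
    private static final Trace LOGGER = TraceManager.getTrace((Class<?>) SecurityHelper.class);

    /** Milliseconds in one day, as a {@code long} so day counts cannot overflow {@code int}. */
    private static final long MILLIS_PER_DAY = 24L * 60 * 60 * 1000;

    @Autowired
    private TaskManager taskManager;

    @Autowired
    private AuditHelper auditHelper;

    @Autowired
    private ModelObjectResolver objectResolver;

    @Autowired
    private SecurityEnforcer securityEnforcer;

    @Autowired
    private PrismContext prismContext;

    @Autowired
    private SystemObjectCache systemObjectCache;

    /**
     * Records a successful login of a focus (user) as a {@code CREATE_SESSION} audit event.
     * The audit login parameter is the focus' original (non-normalized) name and the focus
     * itself becomes the initiator of the record.
     *
     * @param focusType the authenticated focus; must have a name
     * @param connectionEnvironment channel and connection details to store in the record
     */
    @Override
    public void auditLoginSuccess(@NotNull FocusType focusType, @NotNull ConnectionEnvironment connectionEnvironment) {
        auditLogin(focusType.getName().getOrig(), focusType, connectionEnvironment, OperationResultStatus.SUCCESS, null);
    }

    /**
     * Records a successful login of a cluster node. Nodes are not focus objects, so the
     * record gets the node name as login parameter but no initiator.
     *
     * @param nodeType the authenticated node; must have a name
     * @param connectionEnvironment channel and connection details to store in the record
     */
    @Override
    public void auditLoginSuccess(@NotNull NodeType nodeType, @NotNull ConnectionEnvironment connectionEnvironment) {
        auditLogin(nodeType.getName().getOrig(), null, connectionEnvironment, OperationResultStatus.SUCCESS, null);
    }

    /**
     * Records a failed login attempt as a {@code CREATE_SESSION} audit event with a
     * {@code FATAL_ERROR} outcome.
     *
     * @param str the attempted user name as presented by the client, may be {@code null}
     * @param focusType the focus the attempt was matched to, or {@code null} if unknown
     * @param connectionEnvironment channel and connection details to store in the record
     * @param str2 human-readable failure reason stored as the record message
     */
    @Override
    public void auditLoginFailure(@Nullable String str, @Nullable FocusType focusType, @NotNull ConnectionEnvironment connectionEnvironment, String str2) {
        auditLogin(str, focusType, connectionEnvironment, OperationResultStatus.FATAL_ERROR, str2);
    }

    /**
     * Common implementation for login audit: skipped entirely when the channel is not
     * configured for login/logout auditing, otherwise emits one {@code CREATE_SESSION}
     * request-stage record under a fresh task bound to the channel.
     *
     * @param username login parameter for the record, may be {@code null}
     * @param focus initiator of the record, or {@code null} when there is none (nodes, unknown users)
     * @param connEnv channel and connection details
     * @param outcome {@code SUCCESS} or {@code FATAL_ERROR}
     * @param message optional message (failure reason)
     */
    private void auditLogin(@Nullable String username, @Nullable FocusType focus,
            @NotNull ConnectionEnvironment connEnv, @NotNull OperationResultStatus outcome, @Nullable String message) {
        String channel = connEnv.getChannel();
        // NOTE(review): when the system configuration could not be loaded, getSystemConfig()
        // yields null and that null is handed to SecurityUtil — confirm it defaults to auditing
        // rather than silently disabling login audit for this channel.
        if (!SecurityUtil.isAuditedLoginAndLogout(getSystemConfig(), channel)) {
            return;
        }
        Task task = this.taskManager.createTaskInstance();
        task.setChannel(channel);
        LOGGER.debug("Login {} username={}, channel={}: {}",
                outcome == OperationResultStatus.SUCCESS ? "success" : "failure", username, channel, message);
        AuditEventRecord record = new AuditEventRecord(AuditEventType.CREATE_SESSION, AuditEventStage.REQUEST);
        record.setParameter(username);
        if (focus != null) {
            record.setInitiator(focus.asPrismObject());
        }
        record.setTimestamp(Long.valueOf(System.currentTimeMillis()));
        record.setOutcome(outcome);
        record.setMessage(message);
        storeConnectionEnvironment(record, connEnv);
        this.auditHelper.audit(record, null, task, new OperationResult(SecurityHelper.class.getName() + ".auditLogin"));
    }

    /**
     * Records a logout as a {@code TERMINATE_SESSION} audit event, if the channel is
     * configured for login/logout auditing. The initiator and login parameter are taken
     * from the owner of the given task.
     *
     * @param connectionEnvironment channel and connection details
     * @param task task whose owner is the logging-out principal; also used to store the record
     * @param operationResult result to record the audit operation into
     */
    @Override
    public void auditLogout(ConnectionEnvironment connectionEnvironment, Task task, OperationResult operationResult) {
        if (!SecurityUtil.isAuditedLoginAndLogout(getSystemConfig(), connectionEnvironment.getChannel())) {
            return;
        }
        AuditEventRecord record = new AuditEventRecord(AuditEventType.TERMINATE_SESSION, AuditEventStage.REQUEST);
        record.setInitiatorAndLoginParameter(task.getOwner(operationResult));
        record.setTimestamp(Long.valueOf(System.currentTimeMillis()));
        record.setOutcome(OperationResultStatus.SUCCESS);
        storeConnectionEnvironment(record, connectionEnvironment);
        this.auditHelper.audit(record, null, task, operationResult);
    }

    /**
     * Loads the system configuration from the cache.
     *
     * @return the configuration, or {@code null} when the cache has none or it could not be
     *         read (the failure is logged at ERROR level, not propagated)
     */
    private SystemConfigurationType getSystemConfig() {
        try {
            PrismObject<SystemConfigurationType> config =
                    this.systemObjectCache.getSystemConfiguration(new OperationResult("LOAD SYSTEM CONFIGURATION"));
            // Guard against a missing configuration (e.g. early in bootstrap); presumably the
            // cache returns null in that case rather than throwing — verify against the cache.
            return config != null ? config.asObjectable() : null;
        } catch (SchemaException e) {
            LOGGER.error("Couldn't get system configuration from cache", e);
            return null;
        }
    }

    /**
     * Copies channel, session identifier and (when present) remote address / local host name
     * from the connection environment into the audit record.
     */
    private void storeConnectionEnvironment(AuditEventRecord auditEventRecord, ConnectionEnvironment connectionEnvironment) {
        auditEventRecord.setChannel(connectionEnvironment.getChannel());
        auditEventRecord.setSessionIdentifier(connectionEnvironment.getSessionId());
        HttpConnectionInformation connectionInformation = connectionEnvironment.getConnectionInformation();
        if (connectionInformation == null) {
            return;
        }
        auditEventRecord.setRemoteHostAddress(connectionInformation.getRemoteHostAddress());
        auditEventRecord.setHostIdentifier(connectionInformation.getLocalHostName());
    }

    /**
     * Locates the security policy that applies to a focus: the nearest policy referenced
     * from the focus' org tree takes precedence, otherwise the global policy referenced from
     * the system configuration.
     *
     * @param prismObject the focus to locate the policy for
     * @param prismObject2 the system configuration, may be {@code null} (then no global fallback)
     * @param task task for repository access
     * @param operationResult result for repository access
     * @return the applicable policy with value policies resolved, or {@code null} if none applies
     */
    public <F extends FocusType> SecurityPolicyType locateSecurityPolicy(PrismObject<F> prismObject, PrismObject<SystemConfigurationType> prismObject2, Task task, OperationResult operationResult) throws SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        SecurityPolicyType policy = locateFocusSecurityPolicy(prismObject, task, operationResult);
        if (policy == null) {
            policy = locateGlobalSecurityPolicy(prismObject, prismObject2, task, operationResult);
        }
        if (policy != null) {
            traceSecurityPolicy(policy, prismObject);
        }
        return policy;
    }

    /**
     * Locates a security policy through the focus' organization tree, searching width-first
     * for the first org that carries a {@code securityPolicyRef}.
     *
     * @return the resolved and post-processed policy, or {@code null} if no org references one
     */
    public <F extends FocusType> SecurityPolicyType locateFocusSecurityPolicy(PrismObject<F> prismObject, Task task, OperationResult operationResult) throws SchemaException {
        PrismObject<?> orgPolicy = this.objectResolver.searchOrgTreeWidthFirstReference(prismObject,
                org -> ((OrgType) org.asObjectable()).getSecurityPolicyRef(),
                "security policy", task, operationResult);
        LOGGER.trace("Found organization security policy: {}", orgPolicy);
        if (orgPolicy == null) {
            return null;
        }
        SecurityPolicyType securityPolicyType = (SecurityPolicyType) orgPolicy.asObjectable();
        postProcessSecurityPolicy(securityPolicyType, task, operationResult);
        return securityPolicyType;
    }

    /**
     * Locates the global security policy referenced from the system configuration.
     *
     * @param prismObject focus used only for trace output
     * @param prismObject2 the system configuration; {@code null} yields {@code null}
     * @return the global policy, or {@code null} if there is no configuration or no reference
     */
    public <F extends FocusType> SecurityPolicyType locateGlobalSecurityPolicy(PrismObject<F> prismObject, PrismObject<SystemConfigurationType> prismObject2, Task task, OperationResult operationResult) throws CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        if (prismObject2 == null) {
            return null;
        }
        return resolveGlobalSecurityPolicy(prismObject, prismObject2.asObjectable(), task, operationResult);
    }

    /**
     * Locates the security policy referenced from a resource object (projection) definition.
     *
     * @param resourceObjectDefinition definition whose {@code securityPolicyRef} is followed
     * @return the resolved and post-processed policy, or {@code null} if the definition
     *         carries no reference (or one without an OID) or the referenced object does not exist
     */
    public SecurityPolicyType locateProjectionSecurityPolicy(ResourceObjectDefinition resourceObjectDefinition, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, SecurityViolationException, CommunicationException, ConfigurationException, ExpressionEvaluationException {
        LOGGER.trace("locateProjectionSecurityPolicy starting");
        ObjectReferenceType securityPolicyRef = resourceObjectDefinition.getSecurityPolicyRef();
        if (securityPolicyRef == null || securityPolicyRef.getOid() == null) {
            LOGGER.trace("Security policy not defined for the structural object class.");
            return null;
        }
        LOGGER.trace("Loading security policy {} from: {}", securityPolicyRef, resourceObjectDefinition);
        SecurityPolicyType securityPolicyType = (SecurityPolicyType) this.objectResolver.resolve(securityPolicyRef, SecurityPolicyType.class, null, " projection security policy", task, operationResult);
        if (securityPolicyType == null) {
            LOGGER.debug("Security policy {} defined for the projection does not exist", securityPolicyRef);
            return null;
        }
        postProcessSecurityPolicy(securityPolicyType, task, operationResult);
        return securityPolicyType;
    }

    /**
     * Resolves {@code globalSecurityPolicyRef} of the system configuration. A dangling
     * reference or a schema problem is logged at ERROR level and yields {@code null} rather
     * than failing the caller.
     */
    private <F extends FocusType> SecurityPolicyType resolveGlobalSecurityPolicy(PrismObject<F> prismObject, SystemConfigurationType systemConfigurationType, Task task, OperationResult operationResult) throws CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        ObjectReferenceType globalSecurityPolicyRef = systemConfigurationType.getGlobalSecurityPolicyRef();
        if (globalSecurityPolicyRef == null) {
            return null;
        }
        try {
            SecurityPolicyType securityPolicyType = (SecurityPolicyType) this.objectResolver.resolve(globalSecurityPolicyRef, SecurityPolicyType.class, null, "global security policy reference in system configuration", task, operationResult);
            LOGGER.trace("Using global security policy: {}", securityPolicyType);
            // resolve() is treated as possibly returning null here, the same way
            // locateProjectionSecurityPolicy already treats it; avoids an NPE in post-processing.
            if (securityPolicyType == null) {
                LOGGER.debug("Global security policy {} referenced from system configuration does not exist", globalSecurityPolicyRef);
                traceSecurityPolicy(null, prismObject);
                return null;
            }
            postProcessSecurityPolicy(securityPolicyType, task, operationResult);
            traceSecurityPolicy(securityPolicyType, prismObject);
            return securityPolicyType;
        } catch (ObjectNotFoundException | SchemaException e) {
            LOGGER.error(e.getMessage(), e);
            traceSecurityPolicy(null, prismObject);
            return null;
        }
    }

    /**
     * Emits a TRACE-level dump of the located policy; the message differs depending on whether
     * a focus is known (per-focus policy) or not (global policy).
     */
    private <F extends FocusType> void traceSecurityPolicy(SecurityPolicyType securityPolicyType, PrismObject<F> prismObject) {
        if (!LOGGER.isTraceEnabled()) {
            return;
        }
        if (prismObject != null) {
            if (securityPolicyType == null) {
                LOGGER.trace("Located security policy for {}: null", prismObject);
            } else {
                LOGGER.trace("Located security policy for {}:\n{}", prismObject, securityPolicyType.asPrismObject().debugDump(1));
            }
        } else if (securityPolicyType == null) {
            LOGGER.trace("Located global security policy null");
        } else {
            LOGGER.trace("Located global security policy :\n{}", securityPolicyType.asPrismObject().debugDump(1));
        }
    }

    /**
     * Resolves the value policy references of every credential policy (password, each nonce
     * policy, security questions) contained in the given security policy.
     */
    private void postProcessSecurityPolicy(SecurityPolicyType securityPolicyType, Task task, OperationResult operationResult) {
        CredentialsPolicyType credentials = securityPolicyType.getCredentials();
        if (credentials == null) {
            return;
        }
        PasswordCredentialsPolicyType password = credentials.getPassword();
        if (password != null) {
            postProcessPasswordCredentialPolicy(securityPolicyType, password, task, operationResult);
        }
        for (NonceCredentialsPolicyType nonce : credentials.getNonce()) {
            postProcessCredentialPolicy(securityPolicyType, nonce, "nonce credential policy", task, operationResult);
        }
        SecurityQuestionsCredentialsPolicyType securityQuestions = credentials.getSecurityQuestions();
        if (securityQuestions != null) {
            postProcessCredentialPolicy(securityPolicyType, securityQuestions, "security questions credential policy", task, operationResult);
        }
    }

    /** Password-specific entry point for {@link #postProcessCredentialPolicy}. */
    private void postProcessPasswordCredentialPolicy(SecurityPolicyType securityPolicyType, PasswordCredentialsPolicyType passwordCredentialsPolicyType, Task task, OperationResult operationResult) {
        postProcessCredentialPolicy(securityPolicyType, passwordCredentialsPolicyType, "password credential policy", task, operationResult);
    }

    /**
     * Resolves the {@code valuePolicyRef} of one credential policy and stores the resolved
     * object into the reference value so later consumers can read it without another lookup.
     *
     * <p>Any resolution failure is logged at WARN level (with the cause) and the reference is
     * left unresolved: the security policy is still usable, but without the value policy its
     * credential constraints will not be enforced from this reference.
     *
     * @param str short description of the credential policy, used in log and resolver messages
     * @return the resolved value policy, or {@code null} if there is no reference or it could not be resolved
     */
    private ValuePolicyType postProcessCredentialPolicy(SecurityPolicyType securityPolicyType, CredentialPolicyType credentialPolicyType, String str, Task task, OperationResult operationResult) {
        ObjectReferenceType valuePolicyRef = credentialPolicyType.getValuePolicyRef();
        if (valuePolicyRef == null) {
            return null;
        }
        try {
            ValuePolicyType valuePolicyType = (ValuePolicyType) this.objectResolver.resolve(valuePolicyRef, ValuePolicyType.class, null, str + " in " + securityPolicyType, task, operationResult);
            // resolve() is treated as possibly returning null, consistently with the other callers.
            if (valuePolicyType == null) {
                LOGGER.warn("{} {} referenced from {} was not found", str, valuePolicyRef.getOid(), securityPolicyType);
                return null;
            }
            valuePolicyRef.asReferenceValue().setObject(valuePolicyType.asPrismObject());
            return valuePolicyType;
        } catch (CommunicationException | ConfigurationException | ExpressionEvaluationException | ObjectNotFoundException | SchemaException | SecurityViolationException e) {
            // Keep the cause: a communication or schema problem is not "not found" and the
            // operator needs the distinction to see why the value policy is not being applied.
            LOGGER.warn("{} {} referenced from {} could not be resolved: {}", str, valuePolicyRef.getOid(), securityPolicyType, e.getMessage(), e);
            return null;
        }
    }

    /**
     * Wraps a standalone value policy into a minimal security policy whose password credential
     * policy references it (the reference value carries the object directly, no OID).
     */
    private SecurityPolicyType postProcessPasswordPolicy(ValuePolicyType valuePolicyType) {
        ObjectReferenceType valuePolicyRef = new ObjectReferenceType();
        valuePolicyRef.asReferenceValue().setObject(valuePolicyType.asPrismObject());
        PasswordCredentialsPolicyType passwordPolicy = new PasswordCredentialsPolicyType();
        passwordPolicy.setValuePolicyRef(valuePolicyRef);
        CredentialsPolicyType credentials = new CredentialsPolicyType();
        credentials.setPassword(passwordPolicy);
        SecurityPolicyType securityPolicy = new SecurityPolicyType();
        securityPolicy.setCredentials(credentials);
        return securityPolicy;
    }

    /**
     * Converts a number of days into an XML duration.
     *
     * @param days number of days; multiplied in {@code long} arithmetic, since
     *             {@code days * 86_400_000} overflows {@code int} for 25 days or more
     */
    private Duration daysToDuration(int days) {
        return XmlTypeConverter.createDuration(days * MILLIS_PER_DAY);
    }

    /** @return the security enforcer this helper was wired with */
    public SecurityEnforcer getSecurityEnforcer() {
        return this.securityEnforcer;
    }
}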
