package com.evolveum.midpoint.model.impl.security;

import com.evolveum.midpoint.CacheInvalidationContext;
import com.evolveum.midpoint.TerminateSessionEvent;
import com.evolveum.midpoint.model.api.authentication.CompiledGuiProfile;
import com.evolveum.midpoint.model.api.authentication.GuiProfiledPrincipal;
import com.evolveum.midpoint.model.api.authentication.GuiProfiledPrincipalManager;
import com.evolveum.midpoint.model.common.archetypes.ArchetypeManager;
import com.evolveum.midpoint.model.impl.FocusComputer;
import com.evolveum.midpoint.prism.PrismContext;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.delta.ChangeType;
import com.evolveum.midpoint.prism.delta.ItemDelta;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.prism.polystring.PolyString;
import com.evolveum.midpoint.prism.query.ObjectQuery;
import com.evolveum.midpoint.repo.api.CacheDispatcher;
import com.evolveum.midpoint.repo.api.CacheInvalidationEventSpecification;
import com.evolveum.midpoint.repo.api.CacheListener;
import com.evolveum.midpoint.repo.api.RepositoryService;
import com.evolveum.midpoint.schema.GetOperationOptions;
import com.evolveum.midpoint.schema.SearchResultList;
import com.evolveum.midpoint.schema.constants.ObjectTypes;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.util.ObjectQueryUtil;
import com.evolveum.midpoint.security.api.AuthorizationTransformer;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.security.api.SecurityContextManager;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.task.api.TaskManager;
import com.evolveum.midpoint.util.DebugUtil;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectAlreadyExistsException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.exception.SystemException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.api_types_3.UserSessionManagementType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractRoleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.LifecycleStateModelType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.RoleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemConfigurationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemObjectsType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.TaskType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import com.google.common.collect.ImmutableSet;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.annotation.PostConstruct;
import org.apache.commons.collections4.CollectionUtils;
import org.jetbrains.annotations.NotNull;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.MessageSource;
import org.springframework.context.MessageSourceAware;
import org.springframework.context.support.MessageSourceAccessor;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

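/**
 * Builds {@link GuiProfiledPrincipal} instances for the GUI and for Spring Security
 * ({@link UserDetailsService}), keeps their compiled GUI profiles fresh, and manages the
 * locally tracked HTTP sessions of those principals.
 *
 * <p>A principal is produced by loading the focus object from the (cached) repository, recomputing
 * its effective activation via {@link FocusComputer}, and then compiling its authorizations and GUI
 * profile from its assignments via {@link GuiProfileCompiler}. Because the compiled authorizations
 * are cached on the principal, this class also registers itself as a {@link CacheListener}: a
 * modify/delete touching a user's or role's assignments, admin GUI configuration or activation, or
 * the system configuration's admin GUI configuration (see {@link #CACHE_EVENT_SPECIFICATION}),
 * marks the affected compiled profiles invalid so that they are recompiled on next use.
 *
 * <p>Note: this file was reconstructed from a decompiled class file; the synthetic bridge methods at
 * the end are the ones the decompiler emitted.
 *
 * <p>Thread-safety: the only field written after construction is {@link #messages}, set once by
 * Spring; everything else is an injected collaborator. Session bookkeeping is delegated to the
 * optional {@link SessionRegistry}.
 */
@Service("guiProfiledPrincipalManager")
/* loaded from: input_file:com/evolveum/midpoint/model/impl/security/GuiProfiledPrincipalManagerImpl.class */
public class GuiProfiledPrincipalManagerImpl implements CacheListener, GuiProfiledPrincipalManager, UserDetailsService, MessageSourceAware {

    private static final Trace LOGGER = TraceManager.getTrace(GuiProfiledPrincipalManagerImpl.class);

    /** Focus items whose change can alter a principal's authorizations or GUI profile. */
    private static final Set<ItemPath> ASSIGNMENTS_AND_ADMIN_GUI_PATHS =
            ImmutableSet.of(FocusType.F_ASSIGNMENT, RoleType.F_ADMIN_GUI_CONFIGURATION, FocusType.F_ACTIVATION);

    private static final Set<ChangeType> MODIFY_DELETE_CHANGES = CacheInvalidationEventSpecification.MODIFY_DELETE;

    /**
     * Repository events this listener subscribes to (see {@link #getEventSpecifications()}):
     * modify/delete of users and abstract roles on the paths above, and modify/delete of the
     * system configuration's admin GUI configuration.
     */
    private static final Collection<CacheInvalidationEventSpecification> CACHE_EVENT_SPECIFICATION = ImmutableSet.of(
            CacheInvalidationEventSpecification.of(UserType.class, ASSIGNMENTS_AND_ADMIN_GUI_PATHS, MODIFY_DELETE_CHANGES),
            CacheInvalidationEventSpecification.of(AbstractRoleType.class, ASSIGNMENTS_AND_ADMIN_GUI_PATHS, MODIFY_DELETE_CHANGES),
            CacheInvalidationEventSpecification.of(SystemConfigurationType.class,
                    ImmutableSet.of(SystemConfigurationType.F_ADMIN_GUI_CONFIGURATION), MODIFY_DELETE_CHANGES));

    // The cache-backed repository is used deliberately: principal construction happens on every login
    // and on every profile refresh.
    @Autowired
    @Qualifier("cacheRepositoryService")
    private RepositoryService repositoryService;

    @Autowired
    private GuiProfileCompiler guiProfileCompiler;

    @Autowired
    private FocusComputer focusComputer;

    @Autowired
    private PrismContext prismContext;

    @Autowired
    private TaskManager taskManager;

    @Autowired
    private SecurityContextManager securityContextManager;

    @Autowired
    private CacheDispatcher cacheDispatcher;

    // Optional: absent in deployments without a servlet session registry (e.g. headless/test contexts).
    // Every session-related method below degrades to a no-op / empty result when it is null.
    @Autowired(required = false)
    private SessionRegistry sessionRegistry;

    // Set by Spring via MessageSourceAware; not read anywhere in this class.
    private MessageSourceAccessor messages;

    @Override
    public void setMessageSource(MessageSource messageSource) {
        this.messages = new MessageSourceAccessor(messageSource);
    }

    /** Subscribes this bean to repository cache-invalidation events once all dependencies are injected. */
    @PostConstruct
    public void initialize() {
        LOGGER.info("Registering as cache listener");
        this.cacheDispatcher.registerCacheListener(this);
    }

    /**
     * Looks up a focus object by (normalized) name and builds its principal.
     *
     * <p>The lookup must match exactly one object of {@code cls}; zero or several matches are both
     * reported as {@link ObjectNotFoundException} (see {@link #findByUsername}). The message of that
     * exception contains the supplied name, so callers presenting authentication failures should not
     * echo it to the client verbatim. Any other failure - including the checked exceptions declared
     * here - is logged at WARN and rethrown wrapped in {@link SystemException}, so in practice only
     * {@code ObjectNotFoundException} and {@code SystemException} leave this method.
     *
     * @param str the focus name as supplied by the caller (matched via its normalized form)
     * @param cls the focus type (or supertype, e.g. {@code FocusType.class}) to search within
     * @return the compiled principal, never {@code null}
     * @throws ObjectNotFoundException if no single focus with that name exists
     */
    @Override
    public GuiProfiledPrincipal getPrincipal(String str, Class<? extends FocusType> cls) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        OperationResult result = new OperationResult(OPERATION_GET_PRINCIPAL);
        try {
            PrismObject<FocusType> focus = findByUsername(str, cls, result);
            if (focus == null) {
                throw new ObjectNotFoundException("Couldn't find focus with name '" + str + "'");
            }
            return getPrincipal((PrismObject<? extends FocusType>) focus, (AuthorizationTransformer) null, result);
        } catch (ObjectNotFoundException e) {
            // Not found is an expected outcome (wrong user name); keep it at TRACE to avoid log noise.
            LOGGER.trace("Couldn't find user with name '{}', reason: {}.", str, e.getMessage(), e);
            throw e;
        } catch (Exception e) {
            LOGGER.warn("Error getting user with name '{}', reason: {}.", str, e.getMessage(), e);
            throw new SystemException(e.getMessage(), e);
        }
    }

    /**
     * Loads the focus with the given OID and builds its principal (no authorization transformer).
     *
     * @param str the focus OID
     * @param cls the expected focus type
     * @throws ObjectNotFoundException if the repository has no such object
     */
    @Override
    public GuiProfiledPrincipal getPrincipalByOid(String str, Class<? extends FocusType> cls) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        OperationResult result = new OperationResult(OPERATION_GET_PRINCIPAL);
        return getPrincipal(getUserByOid(str, cls, result).asPrismObject());
    }

    /** Convenience overload of {@link #getPrincipal(PrismObject, AuthorizationTransformer, OperationResult)} with no transformer and a fresh operation result. */
    @Override
    public GuiProfiledPrincipal getPrincipal(PrismObject<? extends FocusType> prismObject) throws SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        return getPrincipal(prismObject, (AuthorizationTransformer) null, new OperationResult(OPERATION_GET_PRINCIPAL));
    }

    /**
     * Builds a principal from an already loaded focus object.
     *
     * <p>Steps: recompute the focus' effective activation against the lifecycle model from the system
     * configuration, wrap it in a {@link GuiProfiledPrincipal}, then compile authorizations and GUI
     * profile from its assignments. For the duration of the compilation the focus OID is installed as
     * the "temporary principal OID" in the security context and is always cleared afterwards, even on
     * failure.
     *
     * @param prismObject the focus; {@code null} yields {@code null}
     * @param authorizationTransformer optional hook applied to the compiled authorizations; may be {@code null}
     * @param operationResult result to record the repository/system-configuration reads into
     * @return the principal, or {@code null} iff {@code prismObject} is {@code null}
     */
    @Override
    public GuiProfiledPrincipal getPrincipal(PrismObject<? extends FocusType> prismObject, AuthorizationTransformer authorizationTransformer, OperationResult operationResult) throws SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        if (prismObject == null) {
            return null;
        }
        this.securityContextManager.setTemporaryPrincipalOid(prismObject.getOid());
        try {
            PrismObject<SystemConfigurationType> systemConfiguration = getSystemConfiguration(operationResult);
            this.focusComputer.recompute(prismObject, getLifecycleModel(prismObject, systemConfiguration));
            GuiProfiledPrincipal principal = new GuiProfiledPrincipal(prismObject.asObjectable());
            initializePrincipalFromAssignments(principal, systemConfiguration, authorizationTransformer);
            return principal;
        } finally {
            this.securityContextManager.clearTemporaryPrincipalOid();
        }
    }

    /**
     * Lists the principals that currently have at least one non-expired session on this node.
     *
     * @return one entry per logged-in {@link GuiProfiledPrincipal} with its focus, active session count
     *         and this node's ID; empty when no session registry is configured
     */
    @Override
    public List<UserSessionManagementType> getLocalLoggedInPrincipals() {
        String nodeId = this.taskManager.getNodeId();
        if (this.sessionRegistry == null) {
            return Collections.emptyList();
        }
        List<UserSessionManagementType> loggedIn = new ArrayList<>();
        for (Object principal : this.sessionRegistry.getAllPrincipals()) {
            if (!(principal instanceof GuiProfiledPrincipal)) {
                continue;
            }
            // 'false' = exclude expired sessions, so the count reflects live sessions only.
            List<SessionInformation> sessions = this.sessionRegistry.getAllSessions(principal, false);
            if (sessions == null || sessions.isEmpty()) {
                continue;
            }
            GuiProfiledPrincipal guiPrincipal = (GuiProfiledPrincipal) principal;
            UserSessionManagementType entry = new UserSessionManagementType();
            entry.setFocus(guiPrincipal.getFocus());
            entry.setActiveSessions(sessions.size());
            entry.getNode().add(nodeId);
            loggedIn.add(entry);
        }
        return loggedIn;
    }

    /**
     * Expires every live session on this node whose principal OID is listed in the event.
     *
     * <p>Sessions are expired, not destroyed: Spring Security will reject the next request made with
     * an expired session. A {@code null} session registry or an empty OID list makes this a no-op.
     *
     * @param terminateSessionEvent carries the OIDs of the principals to log out locally
     */
    @Override
    public void terminateLocalSessions(TerminateSessionEvent terminateSessionEvent) {
        List<String> principalOids = terminateSessionEvent.getPrincipalOids();
        if (this.sessionRegistry == null || CollectionUtils.isEmpty(principalOids)) {
            return;
        }
        for (Object principal : this.sessionRegistry.getAllPrincipals()) {
            if (!(principal instanceof GuiProfiledPrincipal)) {
                continue;
            }
            if (!principalOids.contains(((GuiProfiledPrincipal) principal).getOid())) {
                continue;
            }
            List<SessionInformation> sessions = this.sessionRegistry.getAllSessions(principal, false);
            if (sessions == null || sessions.isEmpty()) {
                continue;
            }
            for (SessionInformation session : sessions) {
                session.expireNow();
            }
        }
    }

    /**
     * Reads the system configuration (read-only) from the repository.
     *
     * @return the configuration, or {@code null} if it is missing or cannot be parsed (logged at WARN)
     */
    private PrismObject<SystemConfigurationType> getSystemConfiguration(OperationResult operationResult) {
        try {
            return this.repositoryService.getObject(SystemConfigurationType.class,
                    SystemObjectsType.SYSTEM_CONFIGURATION.value(),
                    GetOperationOptions.createReadOnlyCollection(), operationResult);
        } catch (ObjectNotFoundException | SchemaException e) {
            LOGGER.warn("No system configuration: {}", e.getMessage(), e);
            return null;
        }
    }

    /**
     * Determines the lifecycle state model that applies to the focus.
     *
     * @return the model, or {@code null} when there is no system configuration to derive it from
     * @throws SystemException wrapping a {@link ConfigurationException} from the archetype lookup
     */
    private LifecycleStateModelType getLifecycleModel(PrismObject<? extends FocusType> focus, PrismObject<SystemConfigurationType> systemConfiguration) {
        if (systemConfiguration == null) {
            return null;
        }
        try {
            return ArchetypeManager.determineLifecycleModel(focus, systemConfiguration.asObjectable());
        } catch (ConfigurationException e) {
            throw new SystemException(e.getMessage(), e);
        }
    }

    /**
     * Applies the given deltas to the principal's focus in the repository, best-effort.
     *
     * <p>Failures are logged at WARN and otherwise ignored; callers get no indication that the
     * update did not happen.
     *
     * @param midPointPrincipal whose focus is modified
     * @param collection the item deltas to apply
     */
    @Override
    public void updateFocus(MidPointPrincipal midPointPrincipal, Collection<? extends ItemDelta<?, ?>> collection) {
        try {
            save(midPointPrincipal, collection, new OperationResult(OPERATION_UPDATE_USER));
        } catch (Exception e) {
            LOGGER.warn("Couldn't save user '{}, ({})', reason: {}.", midPointPrincipal.getUsername(), midPointPrincipal.getOid(), e.getMessage(), e);
        }
    }

    /**
     * Searches the repository for a focus whose normalized name equals the normalized form of {@code str}.
     *
     * <p>Exactly one match is required: zero matches and ambiguous (multiple) matches are both reported
     * as {@code null}, so an ambiguous name can never authenticate.
     *
     * @return the single matching focus, or {@code null} if there is not exactly one
     */
    private PrismObject<FocusType> findByUsername(String str, Class<? extends FocusType> cls, OperationResult operationResult) throws SchemaException, ObjectNotFoundException {
        ObjectQuery query = ObjectQueryUtil.createNormNameQuery(new PolyString(str), this.prismContext);
        if (LOGGER.isTraceEnabled()) {
            // debugDump() is not cheap; only build the dump when it will actually be logged.
            LOGGER.trace("Looking for user, query:\n" + query.debugDump());
        }
        SearchResultList<? extends PrismObject<? extends FocusType>> found =
                this.repositoryService.searchObjects(cls, query, null, operationResult);
        LOGGER.trace("Users found: {}.", found.size());
        if (found.size() != 1) {
            return null;
        }
        @SuppressWarnings("unchecked") // the result is a focus of the requested (sub)type
        PrismObject<FocusType> single = (PrismObject<FocusType>) found.get(0);
        return single;
    }

    /**
     * Compiles the principal's authorizations and GUI profile from its assignments.
     *
     * <p>Any failure (including errors) is logged at ERROR and swallowed: the caller still receives the
     * principal, whose compiled profile and authorities may then be incomplete. Whether that is the
     * intended fail mode for login is not decided here - TODO confirm with callers.
     *
     * @param authorizationTransformer optional transformer applied by the compiler; may be {@code null}
     */
    private void initializePrincipalFromAssignments(GuiProfiledPrincipal principal, PrismObject<SystemConfigurationType> systemConfiguration, AuthorizationTransformer authorizationTransformer) {
        Task task = this.taskManager.createTaskInstance(GuiProfiledPrincipalManagerImpl.class.getName() + ".initializePrincipalFromAssignments");
        try {
            this.guiProfileCompiler.compileFocusProfile(principal, systemConfiguration, authorizationTransformer, task, task.getResult());
        } catch (Throwable t) {
            LOGGER.error("Error compiling user profile for {}: {}", principal, t.getMessage(), t);
        }
    }

    /** Writes the deltas to the principal's focus object in the repository. */
    private void save(MidPointPrincipal principal, Collection<? extends ItemDelta<?, ?>> deltas, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, ObjectAlreadyExistsException {
        LOGGER.trace("Updating user {} with deltas:\n{}", principal.getFocus(), DebugUtil.debugDumpLazily(deltas));
        this.repositoryService.modifyObject(FocusType.class, principal.getFocus().getOid(), deltas, operationResult);
    }

    /** Loads the focus with the given OID and type from the repository. */
    private FocusType getUserByOid(String oid, Class<? extends FocusType> cls, OperationResult operationResult) throws ObjectNotFoundException, SchemaException {
        return this.repositoryService.getObject(cls, oid, null, operationResult).asObjectable();
    }

    /**
     * Resolves the "owner" focus of an object, as used by authorization evaluation (owner-based
     * authorizations).
     *
     * <ul>
     *   <li>shadow: the focus linked to the shadow ({@code searchShadowOwner});</li>
     *   <li>user: the user whose {@code personaRef} points at it (first match; multiple matches are
     *       logged at WARN and the first one is used);</li>
     *   <li>abstract role: no owner is resolved;</li>
     *   <li>task: the object referenced by {@code ownerRef}, if it has both OID and type.</li>
     * </ul>
     * A resolved user owner is recomputed against the current lifecycle model before being returned.
     * Lookup failures are logged at WARN and yield {@code null}.
     *
     * @return the owner, or {@code null} if there is none, the input has no OID, or resolution failed
     */
    @Override
    public <F extends FocusType, O extends ObjectType> PrismObject<F> resolveOwner(PrismObject<O> prismObject) {
        if (prismObject == null || prismObject.getOid() == null) {
            return null;
        }
        PrismObject<? extends FocusType> owner = null;
        // Name consistent with the other operation results created in this class.
        OperationResult result = new OperationResult(GuiProfiledPrincipalManagerImpl.class.getName() + ".resolveOwner");
        if (prismObject.canRepresent(ShadowType.class)) {
            owner = this.repositoryService.searchShadowOwner(prismObject.getOid(), null, result);
        } else if (prismObject.canRepresent(UserType.class)) {
            try {
                ObjectQuery personaQuery = this.prismContext.queryFor(UserType.class)
                        .item(FocusType.F_PERSONA_REF).ref(prismObject.getOid())
                        .build();
                SearchResultList<PrismObject<UserType>> candidates =
                        this.repositoryService.searchObjects(UserType.class, personaQuery, null, result);
                if (candidates.isEmpty()) {
                    return null;
                }
                if (candidates.size() > 1) {
                    LOGGER.warn("More than one owner of {}: {}", prismObject, candidates);
                }
                owner = candidates.get(0);
            } catch (SchemaException e) {
                LOGGER.warn("Cannot resolve owner of {}: {}", prismObject, e.getMessage(), e);
            }
        } else if (prismObject.canRepresent(AbstractRoleType.class)) {
            // Roles/orgs/services have no owner resolution here (original behaviour).
        } else if (prismObject.canRepresent(TaskType.class)) {
            ObjectReferenceType ownerRef = ((TaskType) prismObject.asObjectable()).getOwnerRef();
            if (ownerRef != null && ownerRef.getOid() != null && ownerRef.getType() != null) {
                try {
                    owner = this.repositoryService.getObject(
                            ObjectTypes.getObjectTypeFromTypeQName(ownerRef.getType()).getClassDefinition(),
                            ownerRef.getOid(), null, result);
                } catch (ObjectNotFoundException | SchemaException e) {
                    LOGGER.warn("Cannot resolve owner of {}: {}", prismObject, e.getMessage(), e);
                }
            }
        }
        if (owner == null) {
            return null;
        }
        if (owner.canRepresent(UserType.class)) {
            this.focusComputer.recompute(owner, getLifecycleModel(owner, getSystemConfiguration(result)));
        }
        @SuppressWarnings("unchecked") // caller chooses F; the original performed the same unchecked cast
        PrismObject<F> typedOwner = (PrismObject<F>) owner;
        return typedOwner;
    }

    /**
     * Spring Security entry point: resolves a user name to a principal across all focus types.
     *
     * @throws UsernameNotFoundException if no single focus with that name exists
     * @throws SystemException for any other failure
     */
    @Override
    public UserDetails loadUserByUsername(String str) throws UsernameNotFoundException {
        try {
            return getPrincipal(str, FocusType.class);
        } catch (CommunicationException | ConfigurationException | ExpressionEvaluationException | SchemaException | SecurityViolationException e) {
            throw new SystemException(e.getMessage(), e);
        } catch (ObjectNotFoundException e) {
            throw new UsernameNotFoundException(e.getMessage(), e);
        }
    }

    /** @return the repository events that can invalidate a compiled GUI profile (see {@link #invalidate}). */
    @Override
    public Collection<CacheInvalidationEventSpecification> getEventSpecifications() {
        return CACHE_EVENT_SPECIFICATION;
    }

    /**
     * Cache-invalidation callback: marks the compiled profile of every logged-in principal that is
     * derived from the changed object as invalid, so that it is recompiled on next access.
     *
     * <p>A {@code null} OID means "unspecified object" and invalidates every logged-in principal's
     * profile. Principals without a live session are skipped - their profile is rebuilt at next login.
     *
     * @param cls type of the changed object
     * @param str OID of the changed object, or {@code null} for a wholesale invalidation
     */
    @Override
    public <O extends ObjectType> void invalidate(Class<O> cls, String str, boolean z, CacheInvalidationContext cacheInvalidationContext) {
        if (this.sessionRegistry == null) {
            return;
        }
        for (Object principal : this.sessionRegistry.getAllPrincipals()) {
            if (!(principal instanceof GuiProfiledPrincipal)) {
                continue;
            }
            List<SessionInformation> sessions = this.sessionRegistry.getAllSessions(principal, false);
            if (sessions == null || sessions.isEmpty()) {
                continue;
            }
            GuiProfiledPrincipal guiPrincipal = (GuiProfiledPrincipal) principal;
            CompiledGuiProfile profile = guiPrincipal.getCompiledGuiProfile();
            LOGGER.debug("Checking {} if it is derived from {}", guiPrincipal, str);
            LOGGER.trace("      is actually derived from {}", profile.getDependencies());
            if (str == null || profile.derivedFrom(str)) {
                LOGGER.debug("Markin profile invalid for {} because of change in {}:{}", guiPrincipal, cls, str);
                profile.markInvalid();
            }
        }
    }

    /**
     * Reloads the principal's focus from the repository and recompiles its authorizations and GUI profile.
     *
     * <p>If the reloaded focus is no longer enabled, the principal's local sessions are expired and the
     * existing (stale) compiled profile is returned unchanged. Otherwise the authorities are cleared
     * and rebuilt from the fresh assignments; the temporary principal OID is set around the
     * recompilation and always cleared.
     *
     * @return the (re)compiled profile, never {@code null}
     * @throws SystemException if the focus no longer exists or cannot be parsed
     */
    @Override
    @NotNull
    public CompiledGuiProfile refreshCompiledProfile(GuiProfiledPrincipal guiProfiledPrincipal) {
        OperationResult result = new OperationResult("refreshCompiledProfile");
        LOGGER.debug("Recomputing GUI profile for {}", guiProfiledPrincipal);
        String oid = guiProfiledPrincipal.getFocus().getOid();
        try {
            PrismObject<? extends FocusType> focus = this.repositoryService.getObject(guiProfiledPrincipal.getFocus().getClass(), oid, null, result);
            guiProfiledPrincipal.replaceFocus(focus.asObjectable());
            if (!guiProfiledPrincipal.isEnabled()) {
                // Disabled in the meantime: log the principal out here rather than handing it a refreshed profile.
                TerminateSessionEvent terminate = new TerminateSessionEvent();
                terminate.setPrincipalOids(Collections.singletonList(guiProfiledPrincipal.getOid()));
                terminateLocalSessions(terminate);
                return guiProfiledPrincipal.getCompiledGuiProfile();
            }
            this.securityContextManager.setTemporaryPrincipalOid(oid);
            try {
                PrismObject<SystemConfigurationType> systemConfiguration = getSystemConfiguration(result);
                this.focusComputer.recompute(focus, getLifecycleModel(focus, systemConfiguration));
                // Drop the old authorities first so that revoked assignments are not retained.
                guiProfiledPrincipal.getAuthorities().clear();
                initializePrincipalFromAssignments(guiProfiledPrincipal, systemConfiguration, null);
                return guiProfiledPrincipal.getCompiledGuiProfile();
            } finally {
                this.securityContextManager.clearTemporaryPrincipalOid();
            }
        } catch (ObjectNotFoundException e) {
            // Keep the cause: the original dropped it, hiding where the lookup failed.
            throw new SystemException("Focus was deleted", e);
        } catch (SchemaException e) {
            throw new SystemException("Encountered schema exception", e);
        }
    }

    // ---- Synthetic bridge methods emitted by the decompiler (javac generates these itself). ----

    @Override
    public /* bridge */ /* synthetic */ MidPointPrincipal getPrincipal(PrismObject prismObject, AuthorizationTransformer authorizationTransformer, OperationResult operationResult) throws SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        return getPrincipal((PrismObject<? extends FocusType>) prismObject, authorizationTransformer, operationResult);
    }

    @Override
    public /* bridge */ /* synthetic */ MidPointPrincipal getPrincipal(PrismObject prismObject) throws SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        return getPrincipal((PrismObject<? extends FocusType>) prismObject);
    }

    @Override
    public /* bridge */ /* synthetic */ MidPointPrincipal getPrincipalByOid(String str, Class cls) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        return getPrincipalByOid(str, (Class<? extends FocusType>) cls);
    }

    @Override
    public /* bridge */ /* synthetic */ MidPointPrincipal getPrincipal(String str, Class cls) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        return getPrincipal(str, (Class<? extends FocusType>) cls);
    }
}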
