package com.evolveum.midpoint.authentication.impl.evaluator;

import com.evolveum.midpoint.authentication.api.config.AuthenticationEvaluator;
import com.evolveum.midpoint.authentication.impl.util.AuthSequenceUtil;
import com.evolveum.midpoint.common.Clock;
import com.evolveum.midpoint.model.api.ModelAuditRecorder;
import com.evolveum.midpoint.model.api.authentication.GuiProfiledPrincipal;
import com.evolveum.midpoint.model.api.authentication.GuiProfiledPrincipalManager;
import com.evolveum.midpoint.model.api.context.AbstractAuthenticationContext;
import com.evolveum.midpoint.model.api.context.PreAuthenticationContext;
import com.evolveum.midpoint.model.api.util.AuthenticationEvaluatorUtil;
import com.evolveum.midpoint.prism.crypto.EncryptionException;
import com.evolveum.midpoint.prism.crypto.Protector;
import com.evolveum.midpoint.prism.delta.ItemDelta;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.equivalence.ParameterizedEquivalenceStrategy;
import com.evolveum.midpoint.prism.xml.XmlTypeConverter;
import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
import com.evolveum.midpoint.security.api.Authorization;
import com.evolveum.midpoint.security.api.ConnectionEnvironment;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.security.api.SecurityUtil;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractCredentialType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationBehavioralDataType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.LockoutStatusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.LoginEventType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.MetadataType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordCredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.TriggerType;
import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
import java.util.Collection;
import javax.xml.datatype.Duration;
import javax.xml.datatype.XMLGregorianCalendar;
import org.apache.commons.lang3.StringUtils;
import org.jetbrains.annotations.NotNull;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.MessageSource;
import org.springframework.context.MessageSourceAware;
import org.springframework.context.support.MessageSourceAccessor;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/* loaded from: input_file:com/evolveum/midpoint/authentication/impl/evaluator/AuthenticationEvaluatorImpl.class */
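/**
 * Shared skeleton for credential-based authentication evaluators.
 * <p>
 * The flow for every entry point is: load and check the principal, verify the stored credential
 * (presence, lockout, age, match), check required assignments / authorizations, then record the
 * outcome. Recording happens in two places: the focus' authentication behavior data (via
 * {@link #recordAuthenticationBehavior}) and the credential's own counters (via
 * {@link #recordPasswordAuthenticationSuccess} / the failure counterpart); the lockout decision in
 * {@link #isLockedOut} is taken from the credential's counters.
 * <p>
 * Every rejection is recorded <em>before</em> the Spring Security exception is thrown, so callers
 * must not record the same failure again. Unknown user, missing credential and wrong credential all
 * surface with the same message key ({@code web.security.provider.invalid.credentials}) so the
 * response does not reveal which of them applied.
 *
 * @param <C> credential type this evaluator verifies
 * @param <T> authentication context carrying the entered credential
 */
public abstract class AuthenticationEvaluatorImpl<C extends AbstractCredentialType, T extends AbstractAuthenticationContext>
        implements AuthenticationEvaluator<T>, MessageSourceAware {

    private static final Trace LOGGER = TraceManager.getTrace(AuthenticationEvaluatorImpl.class);

    /** Deliberately shared by "unknown user", "no credential" and "credential mismatch". */
    private static final String MSG_INVALID_CREDENTIALS = "web.security.provider.invalid.credentials";
    private static final String MSG_PROVIDER_INVALID = "web.security.provider.invalid";
    private static final String MSG_ACCESS_DENIED = "web.security.provider.access.denied";
    private static final String MSG_LOCKED = "web.security.provider.locked";
    private static final String MSG_UNAVAILABLE = "web.security.provider.unavailable";
    private static final String MSG_CREDENTIAL_EXPIRED = "web.security.provider.credential.expired";
    private static final String MSG_REQUIRED_ASSIGNMENT = "web.security.flexAuth.invalid.required.assignment";

    private static final String UNLOCK_TRIGGER_HANDLER_URI =
            "http://midpoint.evolveum.com/xml/ns/public/model/trigger/unlock/handler-3";

    private static final String REASON_PASSWORD_MISMATCH = "password mismatch";
    private static final String REASON_MISSING_ASSIGNMENT = "does not contain required assignment";
    private static final String REASON_NO_AUTHORIZATIONS = "no authorizations";
    private static final String REASON_NO_CREDENTIALS = "no credentials in user";
    private static final String REASON_LOCKED_OUT = "password locked-out";
    private static final String REASON_EXPIRED = "password expired";
    private static final String REASON_DECRYPT_ERROR_PREFIX = "error decrypting password: ";

    @Autowired
    private Protector protector;

    @Autowired
    private Clock clock;

    @Autowired
    private ModelAuditRecorder securityHelper;

    private GuiProfiledPrincipalManager focusProfileService;

    /** Localized messages for subclasses; populated by Spring through {@link #setMessageSource}. */
    protected MessageSourceAccessor messages;

    @Autowired
    public void setPrincipalManager(GuiProfiledPrincipalManager guiProfiledPrincipalManager) {
        this.focusProfileService = guiProfiledPrincipalManager;
    }

    @Override
    public void setMessageSource(@NotNull MessageSource messageSource) {
        this.messages = new MessageSourceAccessor(messageSource);
    }

    /** Validates the credential the user entered (called first, before any lookup). */
    protected abstract void checkEnteredCredentials(ConnectionEnvironment connEnv, T authCtx);

    /** Whether {@link #hasNoneAuthorization} should reject the principal in the main flow. */
    protected abstract boolean supportsAuthzCheck();

    /** Picks this evaluator's credential out of the focus' credentials container; may return {@code null}. */
    protected abstract C getCredential(CredentialsType credentials);

    /** Rejects a credential whose stored value is missing; invoked before the age check. */
    protected abstract void validateCredentialNotNull(ConnectionEnvironment connEnv,
            @NotNull MidPointPrincipal principal, C credential);

    /** Compares the entered credential with the stored one. */
    protected abstract boolean passwordMatches(ConnectionEnvironment connEnv, @NotNull MidPointPrincipal principal,
            C credential, T authCtx);

    /** Resolves the credential policy that governs lockout and max age for this credential kind. */
    protected abstract CredentialPolicyType getEffectiveCredentialPolicy(SecurityPolicyType securityPolicy, T authCtx)
            throws SchemaException;

    /** Not consulted by this class; the activation check is driven by the per-call flag instead. */
    protected abstract boolean supportsActivation();

    /**
     * Full authentication: principal, credential, required assignments, authorizations, bookkeeping, token.
     *
     * @param connEnv connection the attempt arrives on (its remote host is stored in the login event)
     * @param authCtx entered credential plus username, principal type and required assignments
     * @return token holding the principal, the entered credential and the principal's authorities
     * @throws BadCredentialsException when the entered credential does not match
     * @throws AuthenticationCredentialsNotFoundException when the focus has no credential of this kind
     * @throws LockedException when the credential is locked out by policy
     * @throws CredentialsExpiredException when the credential is older than the policy's max age
     * @throws DisabledException when the focus is disabled or carries no authorization
     * @throws InternalAuthenticationServiceException when a required assignment is missing or the lookup fails
     * @throws UsernameNotFoundException when the username is blank or no focus matches it
     */
    @Override
    public UsernamePasswordAuthenticationToken authenticate(ConnectionEnvironment connEnv, T authCtx)
            throws BadCredentialsException, AuthenticationCredentialsNotFoundException, DisabledException,
            LockedException, CredentialsExpiredException, AuthenticationServiceException, AccessDeniedException,
            UsernameNotFoundException {
        MidPointPrincipal principal = evaluate(connEnv, authCtx, authCtx.isSupportActivationByChannel(), true);
        return new UsernamePasswordAuthenticationToken(principal, authCtx.getEnteredCredential(),
                principal.getAuthorities());
    }

    /**
     * Same as {@link #authenticate} but without the activation and required-assignment checks, returning
     * the focus instead of a token.
     *
     * @throws BadCredentialsException when the entered credential does not match
     * @throws AuthenticationCredentialsNotFoundException when the focus has no credential of this kind
     * @throws LockedException when the credential is locked out by policy
     * @throws CredentialsExpiredException when the credential is older than the policy's max age
     * @throws DisabledException when the principal carries no authorization
     * @throws UsernameNotFoundException when the username is blank or no focus matches it
     */
    @Override
    @NotNull
    public FocusType checkCredentials(ConnectionEnvironment connEnv, T authCtx)
            throws BadCredentialsException, AuthenticationCredentialsNotFoundException, DisabledException,
            LockedException, CredentialsExpiredException, AuthenticationServiceException, AccessDeniedException,
            UsernameNotFoundException {
        return evaluate(connEnv, authCtx, false, false).getFocus();
    }

    /**
     * Common body of {@link #authenticate} and {@link #checkCredentials}.
     *
     * @param checkActivation whether a disabled focus is rejected
     * @param checkRequiredAssignments whether the context's required assignments are enforced
     */
    private MidPointPrincipal evaluate(ConnectionEnvironment connEnv, T authCtx, boolean checkActivation,
            boolean checkRequiredAssignments) {
        checkEnteredCredentials(connEnv, authCtx);
        MidPointPrincipal principal = getAndCheckPrincipal(connEnv, authCtx.getUsername(),
                authCtx.getPrincipalType(), checkActivation);
        FocusType focus = principal.getFocus();
        CredentialPolicyType policy = getCredentialsPolicy(principal, authCtx);

        boolean matches = checkCredentials(principal, authCtx, connEnv);
        // checkCredentials has already thrown when the focus carries no credential of this kind
        C credential = getCredential(focus.getCredentials());
        if (!matches) {
            recordFailedAttempt(principal, connEnv, REASON_PASSWORD_MISMATCH, authCtx.getPrincipalType(),
                    credential, policy);
            throw new BadCredentialsException(MSG_INVALID_CREDENTIALS);
        }
        if (checkRequiredAssignments
                && !AuthenticationEvaluatorUtil.checkRequiredAssignmentTargets(focus, authCtx.getRequireAssignments())) {
            recordFailedAttempt(principal, connEnv, REASON_MISSING_ASSIGNMENT, authCtx.getPrincipalType(),
                    credential, policy);
            throw new InternalAuthenticationServiceException(MSG_REQUIRED_ASSIGNMENT);
        }
        checkAuthorizations(principal, connEnv, authCtx);

        // success is recorded in both bookkeeping locations: focus behavior (audited) and the credential's counters
        recordAuthenticationBehavior(principal.getUsername(), principal, connEnv, null, authCtx.getPrincipalType(), true);
        recordPasswordAuthenticationSuccess(principal, connEnv, credential, false);
        return principal;
    }

    /** Records one failed attempt in the focus behavior (audited) and in the credential's own counters. */
    private void recordFailedAttempt(MidPointPrincipal principal, ConnectionEnvironment connEnv, String reason,
            Class<? extends FocusType> principalType, C credential, CredentialPolicyType policy) {
        recordAuthenticationBehavior(principal.getUsername(), principal, connEnv, reason, principalType, false);
        recordPasswordAuthenticationFailure(principal, connEnv, credential, policy, reason, false);
    }

    /**
     * Rejects a principal without any effective authorization when the subclass opts into this check.
     * This path throws {@link DisabledException}, unlike the {@link InternalAuthenticationServiceException}
     * used for the same condition in {@link #getAndCheckUserPassword} and
     * {@link #authenticateUserPreAuthenticated}; kept for compatibility with existing callers.
     */
    private void checkAuthorizations(MidPointPrincipal principal, @NotNull ConnectionEnvironment connEnv,
            AbstractAuthenticationContext authCtx) {
        if (supportsAuthzCheck() && hasNoneAuthorization(principal)) {
            recordAuthenticationBehavior(principal.getUsername(), principal, connEnv, REASON_NO_AUTHORIZATIONS,
                    authCtx.getPrincipalType(), false);
            throw new DisabledException(MSG_ACCESS_DENIED);
        }
    }

    /**
     * Presence, lockout and age checks followed by the match itself.
     *
     * @return result of {@link #passwordMatches}
     * @throws AuthenticationCredentialsNotFoundException when the focus has no credential of this kind
     * @throws LockedException when the credential is currently locked out
     * @throws CredentialsExpiredException when the credential exceeded the policy's max age
     */
    private boolean checkCredentials(MidPointPrincipal principal, T authCtx, ConnectionEnvironment connEnv) {
        CredentialsType credentials = principal.getFocus().getCredentials();
        C credential = credentials == null ? null : getCredential(credentials);
        if (credential == null) {
            recordAuthenticationBehavior(principal.getUsername(), principal, connEnv, REASON_NO_CREDENTIALS,
                    authCtx.getPrincipalType(), false);
            throw new AuthenticationCredentialsNotFoundException(MSG_INVALID_CREDENTIALS);
        }
        CredentialPolicyType policy = getCredentialsPolicy(principal, authCtx);
        if (isLockedOut(credential, policy)) {
            recordAuthenticationBehavior(principal.getUsername(), principal, connEnv, REASON_LOCKED_OUT,
                    authCtx.getPrincipalType(), false);
            throw new LockedException(MSG_LOCKED);
        }
        checkPasswordValidityAndAge(connEnv, principal, credential, policy);
        return passwordMatches(connEnv, principal, credential, authCtx);
    }

    /** Wraps the subclass policy lookup; a schema problem is a configuration error, not a user error. */
    private CredentialPolicyType getCredentialsPolicy(MidPointPrincipal principal, T authCtx) {
        try {
            return getEffectiveCredentialPolicy(principal.getApplicableSecurityPolicy(), authCtx);
        } catch (SchemaException e) {
            throw new AuthenticationServiceException("Bad config", e);
        }
    }

    /**
     * Loads the user, applies lockout/age/authorization checks and returns the stored password in clear.
     * <p>
     * The return value is a secret: callers must not log or persist it.
     *
     * @param connEnv connection the request arrives on
     * @param enteredUsername username to look up
     * @return the decrypted stored password
     * @throws AuthenticationCredentialsNotFoundException when the focus has no password credential
     * @throws LockedException when the password is locked out
     * @throws CredentialsExpiredException when the password exceeded the policy's max age
     * @throws InternalAuthenticationServiceException when the principal has no authorization or lookup fails
     * @throws UsernameNotFoundException when the username is blank or no focus matches it
     */
    public String getAndCheckUserPassword(ConnectionEnvironment connEnv, String enteredUsername)
            throws AuthenticationCredentialsNotFoundException, DisabledException, LockedException,
            CredentialsExpiredException, AuthenticationServiceException, AccessDeniedException,
            UsernameNotFoundException {
        MidPointPrincipal principal = getAndCheckPrincipal(connEnv, enteredUsername, FocusType.class, true);
        CredentialsType credentials = principal.getFocus().getCredentials();
        // a credentials container without a password element is "no credentials" too, not an NPE further down
        PasswordType password = credentials == null ? null : credentials.getPassword();
        if (password == null) {
            recordAuthenticationBehavior(enteredUsername, principal, connEnv, REASON_NO_CREDENTIALS, FocusType.class, false);
            throw new AuthenticationCredentialsNotFoundException(MSG_INVALID_CREDENTIALS);
        }
        PasswordCredentialsPolicyType passwordPolicy =
                SecurityUtil.getEffectivePasswordCredentialsPolicy(principal.getApplicableSecurityPolicy());
        if (isLockedOut(password, passwordPolicy)) {
            recordAuthenticationBehavior(enteredUsername, principal, connEnv, REASON_LOCKED_OUT, FocusType.class, false);
            throw new LockedException(MSG_LOCKED);
        }
        checkPasswordValidityAndAge(connEnv, principal, password.getValue(), password.getMetadata(), passwordPolicy);
        String clearPassword = getDecryptedValue(connEnv, principal, password.getValue());
        if (hasNoneAuthorization(principal)) {
            recordAuthenticationBehavior(enteredUsername, principal, connEnv, REASON_NO_AUTHORIZATIONS, FocusType.class, false);
            throw new InternalAuthenticationServiceException(MSG_ACCESS_DENIED);
        }
        return clearPassword;
    }

    /**
     * Authenticates a user whose identity was already established elsewhere: only existence, activation,
     * authorizations and required assignments are checked; no credential is verified.
     *
     * @return token with a {@code null} credential and the principal's authorities
     * @throws InternalAuthenticationServiceException when the principal has no authorization, lacks a required
     *         assignment, or the lookup fails
     * @throws DisabledException when the focus is disabled and the channel supports activation
     * @throws UsernameNotFoundException when the username is blank or no focus matches it
     */
    @Override
    public PreAuthenticatedAuthenticationToken authenticateUserPreAuthenticated(ConnectionEnvironment connEnv,
            PreAuthenticationContext preAuthCtx)
            throws DisabledException, AuthenticationServiceException, UsernameNotFoundException {
        MidPointPrincipal principal = getAndCheckPrincipal(connEnv, preAuthCtx.getUsername(),
                preAuthCtx.getPrincipalType(), preAuthCtx.isSupportActivationByChannel());
        if (hasNoneAuthorization(principal)) {
            recordAuthenticationBehavior(principal.getUsername(), principal, connEnv, REASON_NO_AUTHORIZATIONS,
                    preAuthCtx.getPrincipalType(), false);
            throw new InternalAuthenticationServiceException(MSG_ACCESS_DENIED);
        }
        if (!AuthenticationEvaluatorUtil.checkRequiredAssignmentTargets(principal.getFocus(),
                preAuthCtx.getRequireAssignments())) {
            recordAuthenticationBehavior(principal.getUsername(), principal, connEnv, REASON_MISSING_ASSIGNMENT,
                    preAuthCtx.getPrincipalType(), false);
            throw new InternalAuthenticationServiceException(MSG_REQUIRED_ASSIGNMENT);
        }
        PreAuthenticatedAuthenticationToken token =
                new PreAuthenticatedAuthenticationToken(principal, null, principal.getAuthorities());
        recordAuthenticationBehavior(principal.getUsername(), principal, connEnv, null,
                preAuthCtx.getPrincipalType(), true);
        return token;
    }

    /**
     * Loads the principal for a username and optionally rejects a disabled one.
     * <p>
     * Lookup failures are audited with a specific reason but surface to the caller only as a generic
     * message key; the underlying exception is preserved as the cause.
     *
     * @param checkActivation when {@code true}, a disabled focus raises {@link DisabledException}
     * @throws UsernameNotFoundException when the username is blank or no focus matches it
     * @throws InternalAuthenticationServiceException when the lookup itself fails
     */
    @NotNull
    protected MidPointPrincipal getAndCheckPrincipal(ConnectionEnvironment connEnv, String enteredUsername,
            Class<? extends FocusType> principalType, boolean checkActivation) {
        if (StringUtils.isBlank(enteredUsername)) {
            recordAuthenticationFailure(enteredUsername, connEnv, "no username");
            throw new UsernameNotFoundException(MSG_INVALID_CREDENTIALS);
        }
        GuiProfiledPrincipal principal;
        try {
            principal = this.focusProfileService.getPrincipal(enteredUsername, principalType);
        } catch (ObjectNotFoundException e) {
            recordAuthenticationFailure(enteredUsername, connEnv, "no focus");
            throw new UsernameNotFoundException(MSG_INVALID_CREDENTIALS, e);
        } catch (CommunicationException e) {
            throw lookupFailed(enteredUsername, connEnv, "communication error", e);
        } catch (ConfigurationException e) {
            throw lookupFailed(enteredUsername, connEnv, "configuration error", e);
        } catch (ExpressionEvaluationException e) {
            throw lookupFailed(enteredUsername, connEnv, "expression error", e);
        } catch (SchemaException e) {
            throw lookupFailed(enteredUsername, connEnv, "schema error", e);
        } catch (SecurityViolationException e) {
            throw lookupFailed(enteredUsername, connEnv, "security violation", e);
        }
        if (principal == null) {
            recordAuthenticationBehavior(enteredUsername, null, connEnv, "no focus", principalType, false);
            throw new UsernameNotFoundException(MSG_INVALID_CREDENTIALS);
        }
        if (checkActivation && !principal.isEnabled()) {
            recordAuthenticationBehavior(enteredUsername, principal, connEnv, "focus disabled", principalType, false);
            throw new DisabledException("web.security.provider.disabled");
        }
        return principal;
    }

    /** Audits a failed principal lookup and builds the generic exception to throw for it. */
    private InternalAuthenticationServiceException lookupFailed(String enteredUsername,
            ConnectionEnvironment connEnv, String reason, Exception cause) {
        recordAuthenticationFailure(enteredUsername, connEnv, reason);
        return new InternalAuthenticationServiceException(MSG_PROVIDER_INVALID, cause);
    }

    /**
     * @return {@code true} when the principal has no authorization that names at least one action
     */
    protected boolean hasNoneAuthorization(MidPointPrincipal principal) {
        Collection<Authorization> authorities = principal.getAuthorities();
        if (authorities == null || authorities.isEmpty()) {
            return true;
        }
        return authorities.stream()
                .noneMatch(authz -> authz.getAction() != null && !authz.getAction().isEmpty());
    }

    /**
     * Rejects a missing stored value, lets the subclass validate the credential, then applies the max-age policy.
     *
     * @throws AuthenticationCredentialsNotFoundException when {@code credential} is {@code null}
     * @throws CredentialsExpiredException when the credential is older than the policy allows
     */
    private void checkPasswordValidityAndAge(ConnectionEnvironment connEnv, @NotNull MidPointPrincipal principal,
            C credential, CredentialPolicyType policy) {
        if (credential == null) {
            recordAuthenticationBehavior(principal.getUsername(), principal, connEnv, "no stored credential value",
                    principal.getFocus().getClass(), false);
            throw new AuthenticationCredentialsNotFoundException("web.security.provider.credential.bad");
        }
        validateCredentialNotNull(connEnv, principal, credential);
        checkCredentialAge(connEnv, principal, credential.getMetadata(), policy);
    }

    /**
     * Password-specific variant working on the raw protected value and its metadata.
     *
     * @throws AuthenticationCredentialsNotFoundException when {@code storedValue} is {@code null}
     * @throws CredentialsExpiredException when the password is older than the policy allows
     */
    private void checkPasswordValidityAndAge(ConnectionEnvironment connEnv, @NotNull MidPointPrincipal principal,
            ProtectedStringType storedValue, MetadataType metadata, CredentialPolicyType policy) {
        if (storedValue == null) {
            recordAuthenticationBehavior(principal.getUsername(), principal, connEnv, "no stored password value",
                    principal.getFocus().getClass(), false);
            throw new AuthenticationCredentialsNotFoundException("web.security.provider.password.bad");
        }
        checkCredentialAge(connEnv, principal, metadata, policy);
    }

    /**
     * Enforces the policy's max age against the credential's change timestamp. Absent policy, max age or
     * change timestamp means "no age limit".
     *
     * @throws CredentialsExpiredException when the credential's change time plus max age lies in the past
     */
    private void checkCredentialAge(ConnectionEnvironment connEnv, @NotNull MidPointPrincipal principal,
            MetadataType metadata, CredentialPolicyType policy) {
        if (policy == null || policy.getMaxAge() == null) {
            return;
        }
        XMLGregorianCalendar changed = MiscSchemaUtil.getChangeTimestamp(metadata);
        if (changed == null) {
            return;
        }
        if (this.clock.isPast(XmlTypeConverter.addDuration(changed, policy.getMaxAge()))) {
            recordAuthenticationBehavior(principal.getUsername(), principal, connEnv, REASON_EXPIRED,
                    principal.getFocus().getClass(), false);
            throw new CredentialsExpiredException(MSG_CREDENTIAL_EXPIRED);
        }
    }

    /**
     * Compares an entered clear value against a stored protected value through the {@link Protector},
     * so hashed or encrypted storage is handled there rather than here.
     *
     * @throws AuthenticationServiceException when the stored value cannot be processed (recorded as a failure)
     */
    public boolean decryptAndMatch(ConnectionEnvironment connEnv, @NotNull MidPointPrincipal principal,
            ProtectedStringType storedValue, String enteredValue) {
        ProtectedStringType entered = new ProtectedStringType();
        entered.setClearValue(enteredValue);
        try {
            return this.protector.compareCleartext(entered, storedValue);
        } catch (EncryptionException | SchemaException e) {
            LOGGER.error("Error dealing with credentials of user \"{}\" credentials: {}", principal.getUsername(),
                    e.getMessage());
            recordAuthenticationBehavior(principal.getUsername(), principal, connEnv,
                    REASON_DECRYPT_ERROR_PREFIX + e.getMessage(), principal.getFocus().getClass(), false);
            throw new AuthenticationServiceException(MSG_UNAVAILABLE, e);
        }
    }

    /**
     * Returns the clear text of a stored protected value. An unencrypted stored value is accepted but logged,
     * because credentials are expected to be stored encrypted.
     *
     * @throws AuthenticationServiceException when decryption fails (recorded as a failure)
     */
    protected String getDecryptedValue(ConnectionEnvironment connEnv, @NotNull MidPointPrincipal principal,
            ProtectedStringType storedValue) {
        if (storedValue.getEncryptedDataType() == null) {
            LOGGER.warn("Authenticating user based on clear value. Please check objects, this should not happen. Protected string should be encrypted.");
            return storedValue.getClearValue();
        }
        try {
            return this.protector.decryptString(storedValue);
        } catch (EncryptionException e) {
            recordAuthenticationBehavior(principal.getUsername(), principal, connEnv,
                    REASON_DECRYPT_ERROR_PREFIX + e.getMessage(), principal.getFocus().getClass(), false);
            throw new AuthenticationServiceException(MSG_UNAVAILABLE, e);
        }
    }

    /** Locked out = over the policy's failed-attempt limit and the lockout has not yet expired. */
    private boolean isLockedOut(AbstractCredentialType credential, CredentialPolicyType policy) {
        return isOverFailedLockoutAttempts(credential, policy) && !isLockoutExpired(credential, policy);
    }

    private boolean isOverFailedLockoutAttempts(AbstractCredentialType credential, CredentialPolicyType policy) {
        Integer failedLogins = credential.getFailedLogins();
        return isOverFailedLockoutAttempts(failedLogins == null ? 0 : failedLogins, policy);
    }

    /** A limit of zero or less, or no policy at all, disables lockout. */
    private boolean isOverFailedLockoutAttempts(int failedAttempts, CredentialPolicyType policy) {
        if (policy == null || policy.getLockoutMaxFailedAttempts() == null) {
            return false;
        }
        int limit = policy.getLockoutMaxFailedAttempts();
        return limit > 0 && failedAttempts >= limit;
    }

    /**
     * Without a lockout duration the lockout never expires; without a recorded last failure there is nothing
     * to measure from and the lockout counts as expired. Only called with a non-null policy.
     */
    private boolean isLockoutExpired(AbstractCredentialType credential, CredentialPolicyType policy) {
        Duration lockoutDuration = policy.getLockoutDuration();
        if (lockoutDuration == null) {
            return false;
        }
        LoginEventType lastFailed = credential.getLastFailedLogin();
        if (lastFailed == null || lastFailed.getTimestamp() == null) {
            return true;
        }
        return this.clock.isPast(XmlTypeConverter.addDuration(lastFailed.getTimestamp(), lockoutDuration));
    }

    /**
     * Records a successful login: resets the failed-login counter, shifts the last-successful-login event,
     * clears any lockout, persists the resulting focus delta and optionally audits.
     *
     * @param behavior the bookkeeping structure to update (focus behavior data or the credential itself)
     * @param audit whether to emit the audit record as well
     */
    protected void recordPasswordAuthenticationSuccess(@NotNull MidPointPrincipal principal,
            @NotNull ConnectionEnvironment connEnv, @NotNull AuthenticationBehavioralDataType behavior,
            boolean audit) {
        FocusType focusBefore = principal.getFocus().clone();
        boolean stateChanged = false;

        Integer failedLogins = behavior.getFailedLogins();
        if (failedLogins != null && failedLogins > 0) {
            behavior.setFailedLogins(0);
            stateChanged = true;
        }
        behavior.setPreviousSuccessfulLogin(behavior.getLastSuccessfulLogin());
        behavior.setLastSuccessfulLogin(newLoginEvent(connEnv));

        ActivationType activation = principal.getFocus().getActivation();
        if (activation != null) {
            if (LockoutStatusType.LOCKED.equals(activation.getLockoutStatus())) {
                stateChanged = true;
            }
            activation.setLockoutStatus(LockoutStatusType.NORMAL);
            activation.setLockoutExpirationTimestamp(null);
        }
        // whether a login-only change (no counter reset, no unlock) is persisted is decided centrally
        if (AuthSequenceUtil.isAllowUpdatingAuthBehavior(stateChanged)) {
            this.focusProfileService.updateFocus(principal, computeModifications(focusBefore, principal.getFocus()));
        }
        if (audit) {
            recordAuthenticationSuccess(principal, connEnv);
        }
    }

    private void recordAuthenticationSuccess(@NotNull MidPointPrincipal principal,
            @NotNull ConnectionEnvironment connEnv) {
        this.securityHelper.auditLoginSuccess(principal.getFocus(), connEnv);
    }

    /**
     * Records the outcome of an attempt in the focus' authentication behavior data and audits it.
     * <p>
     * When no principal is supplied it is looked up best-effort by username and type; if that is not
     * possible the attempt is still audited, just without focus data.
     *
     * @param enteredUsername username as entered (used for audit when no principal is available)
     * @param principal already loaded principal, or {@code null} to look it up
     * @param reason failure reason for the audit record; ignored on success
     * @param principalType focus type to look the principal up with; {@code null} skips the lookup
     * @param success whether the attempt succeeded
     */
    public void recordAuthenticationBehavior(String enteredUsername, MidPointPrincipal principal,
            @NotNull ConnectionEnvironment connEnv, String reason, Class<? extends FocusType> principalType,
            boolean success) {
        MidPointPrincipal resolved = principal;
        if (resolved == null && principalType != null) {
            try {
                resolved = this.focusProfileService.getPrincipal(enteredUsername, principalType);
            } catch (Exception e) {
                // best effort only: the attempt must be audited even when the focus cannot be loaded
                LOGGER.debug("Cannot load principal '{}' to record authentication behavior: {}",
                        enteredUsername, e.getMessage(), e);
            }
        }
        if (resolved == null) {
            recordAuthenticationFailure(enteredUsername, connEnv, reason);
            return;
        }
        AuthenticationBehavioralDataType behavior = AuthenticationEvaluatorUtil.getBehavior(resolved.getFocus());
        if (success) {
            recordPasswordAuthenticationSuccess(resolved, connEnv, behavior, true);
        } else {
            recordPasswordAuthenticationFailure(resolved, connEnv, behavior, null, reason, true);
        }
    }

    /**
     * Records a failed login: bumps the failed-login counter (restarting it when the policy's failed-attempts
     * window has elapsed), stores the failure event, locks the focus when the policy's limit is reached,
     * persists the focus delta and optionally audits.
     *
     * @param behavior the bookkeeping structure to update (focus behavior data or the credential itself)
     * @param policy governing policy; {@code null} means no window and no lockout
     * @param reason audit reason
     * @param audit whether to emit the audit record as well
     */
    private void recordPasswordAuthenticationFailure(@NotNull MidPointPrincipal principal,
            @NotNull ConnectionEnvironment connEnv, @NotNull AuthenticationBehavioralDataType behavior,
            CredentialPolicyType policy, String reason, boolean audit) {
        FocusType focus = principal.getFocus();
        FocusType focusBefore = focus.clone();

        Integer failedLogins = behavior.getFailedLogins();
        if (failedAttemptsWindowElapsed(behavior, policy)) {
            failedLogins = 0;
        }
        int attempts = failedLogins == null ? 1 : failedLogins + 1;
        behavior.setFailedLogins(attempts);
        LoginEventType failureEvent = newLoginEvent(connEnv);
        behavior.setLastFailedLogin(failureEvent);

        if (isOverFailedLockoutAttempts(attempts, policy)) {
            lockOut(focus, policy, failureEvent.getTimestamp());
        }
        if (AuthSequenceUtil.isAllowUpdatingAuthBehavior(true)) {
            this.focusProfileService.updateFocus(principal, computeModifications(focusBefore, focus));
        }
        if (audit) {
            recordAuthenticationFailure(principal, connEnv, reason);
        }
    }

    /** True when the policy defines a failed-attempts window and the last failure lies outside it. */
    private boolean failedAttemptsWindowElapsed(AuthenticationBehavioralDataType behavior,
            CredentialPolicyType policy) {
        if (policy == null || policy.getLockoutFailedAttemptsDuration() == null) {
            return false;
        }
        LoginEventType lastFailed = behavior.getLastFailedLogin();
        if (lastFailed == null || lastFailed.getTimestamp() == null) {
            return false;
        }
        return this.clock.isPast(
                XmlTypeConverter.addDuration(lastFailed.getTimestamp(), policy.getLockoutFailedAttemptsDuration()));
    }

    /**
     * Marks the focus as locked and schedules the unlock trigger. Only called with a non-null policy.
     * The trigger is added even when the policy has no lockout duration (expiration stays {@code null});
     * what the handler does with a timestamp-less trigger is decided there, not here.
     */
    private void lockOut(FocusType focus, CredentialPolicyType policy, XMLGregorianCalendar failureTimestamp) {
        ActivationType activation = focus.getActivation();
        if (activation == null) {
            activation = new ActivationType();
            focus.setActivation(activation);
        }
        activation.setLockoutStatus(LockoutStatusType.LOCKED);
        Duration lockoutDuration = policy.getLockoutDuration();
        XMLGregorianCalendar expiration = lockoutDuration == null
                ? null
                : XmlTypeConverter.addDuration(failureTimestamp, lockoutDuration);
        activation.setLockoutExpirationTimestamp(expiration);
        focus.getTrigger().add(new TriggerType().handlerUri(UNLOCK_TRIGGER_HANDLER_URI).timestamp(expiration));
    }

    /** Login event stamped with the current time and the remote host of the connection. */
    private LoginEventType newLoginEvent(ConnectionEnvironment connEnv) {
        LoginEventType event = new LoginEventType();
        event.setTimestamp(this.clock.currentTimeXMLGregorianCalendar());
        event.setFrom(connEnv.getRemoteHostAddress());
        return event;
    }

    protected void recordAuthenticationFailure(@NotNull MidPointPrincipal principal, ConnectionEnvironment connEnv,
            String reason) {
        this.securityHelper.auditLoginFailure(principal.getUsername(), principal.getFocus(), connEnv, reason);
    }

    /** Audit variant for attempts where no focus could be resolved. */
    protected void recordAuthenticationFailure(String enteredUsername, ConnectionEnvironment connEnv, String reason) {
        this.securityHelper.auditLoginFailure(enteredUsername, null, connEnv, reason);
    }

    /** Modifications turning {@code before} into {@code after}; the diff of two focus objects is always a MODIFY delta. */
    private Collection<? extends ItemDelta<?, ?>> computeModifications(@NotNull FocusType before,
            @NotNull FocusType after) {
        ObjectDelta<? extends FocusType> delta =
                before.asPrismObject().diff(after.asPrismObject(), ParameterizedEquivalenceStrategy.DATA);
        assert delta.isModify() : "expected a MODIFY delta between two focus states";
        return delta.getModifications();
    }
}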
