package com.evolveum.midpoint.authentication.impl.authorization.evaluator;

import com.evolveum.midpoint.authentication.impl.authorization.AuthorizationActionValue;
import com.evolveum.midpoint.authentication.impl.authorization.DescriptorLoaderImpl;
import com.evolveum.midpoint.authentication.impl.util.AuthSequenceUtil;
import com.evolveum.midpoint.authentication.impl.util.EndPointsUrlMapping;
import com.evolveum.midpoint.prism.Containerable;
import com.evolveum.midpoint.prism.PrismContainerValue;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.PrismObjectValue;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.prism.query.ObjectFilter;
import com.evolveum.midpoint.schema.AccessDecision;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.security.api.HttpConnectionInformation;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.security.api.MidPointPrincipalManager;
import com.evolveum.midpoint.security.api.ProfileCompilerOptions;
import com.evolveum.midpoint.security.api.RestHandlerMethod;
import com.evolveum.midpoint.security.api.SecurityContextManager;
import com.evolveum.midpoint.security.api.SecurityUtil;
import com.evolveum.midpoint.security.enforcer.api.AbstractAuthorizationParameters;
import com.evolveum.midpoint.security.enforcer.api.CompileConstraintsOptions;
import com.evolveum.midpoint.security.enforcer.api.FilterGizmo;
import com.evolveum.midpoint.security.enforcer.api.ItemSecurityConstraints;
import com.evolveum.midpoint.security.enforcer.api.ObjectSecurityConstraints;
import com.evolveum.midpoint.security.enforcer.api.PrismEntityOpConstraints;
import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.task.api.TaskManager;
import com.evolveum.midpoint.util.DisplayableValue;
import com.evolveum.midpoint.util.Producer;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.exception.SystemException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractRoleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OrderConstraintsType;
import jakarta.servlet.http.HttpServletRequest;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.aopalliance.intercept.MethodInvocation;
import org.apache.commons.lang3.StringUtils;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.springframework.beans.factory.BeanFactoryUtils;
import org.springframework.context.ApplicationContext;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.HandlerExecutionChain;
import org.springframework.web.servlet.HandlerMapping;

/* loaded from: input_file:com/evolveum/midpoint/authentication/impl/authorization/evaluator/MidPointGuiAuthorizationEvaluator.class */
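/**
 * GUI/REST authorization evaluator.
 *
 * <p>Acts as Spring Security's {@link AccessDecisionManager} for web requests: for every
 * {@link FilterInvocation} it collects the midPoint authorization actions required by the
 * requested URL (static URL mappings, page descriptors and, for REST, the
 * {@link RestHandlerMethod} annotation of the resolved handler) and asks the wrapped
 * {@link SecurityEnforcer} whether the current principal holds them.
 *
 * <p>Everything else ({@link SecurityEnforcer} and {@link SecurityContextManager}) is delegated
 * unchanged to the wrapped instances, so this class can stand in for both.
 *
 * <p>The decision is fail-closed in two places: a page for which no action can be determined
 * is denied, and any checked exception raised while evaluating authorizations is turned into a
 * {@link SystemException} rather than an allow.
 */
public class MidPointGuiAuthorizationEvaluator implements SecurityEnforcer, SecurityContextManager, AccessDecisionManager {

    private static final Trace LOGGER = TraceManager.getTrace(MidPointGuiAuthorizationEvaluator.class);

    /** Ant pattern of the authentication endpoints that are permitted once the response is already committed. */
    private static final String AUTH_URL = "/auth/*";

    // The matcher holds no request state, so it is built once instead of on every request.
    private static final AntPathRequestMatcher AUTH_URL_MATCHER = new AntPathRequestMatcher(AUTH_URL);

    private final SecurityEnforcer securityEnforcer;
    private final SecurityContextManager securityContextManager;
    private final TaskManager taskManager;
    private final ApplicationContext applicationContext;

    // Resolved lazily from the application context on the first REST lookup (see getRestHandlerMethod).
    // Not volatile: two request threads racing on the first lookup would presumably resolve the same beans,
    // so the duplicate resolution is harmless — confirm if handler mappings are ever registered dynamically.
    private List<HandlerMapping> handlerMappingBeans = List.of();

    /**
     * Creates the evaluator.
     *
     * @param securityEnforcer enforcer that performs the actual authorization decisions
     * @param securityContextManager manager of the Spring security context; all context operations are delegated to it
     * @param taskManager used to create the task under which each {@link #decide} evaluation runs
     * @param applicationContext source of the {@link HandlerMapping} beans used to resolve REST handler methods
     */
    public MidPointGuiAuthorizationEvaluator(SecurityEnforcer securityEnforcer, SecurityContextManager securityContextManager, TaskManager taskManager, ApplicationContext applicationContext) {
        this.securityEnforcer = securityEnforcer;
        this.securityContextManager = securityContextManager;
        this.taskManager = taskManager;
        this.applicationContext = applicationContext;
    }

    // ---------------------------------------------------------------------------------------------
    // SecurityContextManager: plain delegation to the wrapped manager.
    // ---------------------------------------------------------------------------------------------

    /** Delegates to the wrapped {@link SecurityContextManager}. */
    public MidPointPrincipalManager getUserProfileService() {
        return this.securityContextManager.getUserProfileService();
    }

    /** Delegates to the wrapped {@link SecurityContextManager}. */
    public void setUserProfileService(MidPointPrincipalManager midPointPrincipalManager) {
        this.securityContextManager.setUserProfileService(midPointPrincipalManager);
    }

    /** Delegates to the wrapped {@link SecurityContextManager}. */
    public void setupPreAuthenticatedSecurityContext(Authentication authentication) {
        this.securityContextManager.setupPreAuthenticatedSecurityContext(authentication);
    }

    /** Delegates to the wrapped {@link SecurityContextManager}. */
    public void setupPreAuthenticatedSecurityContext(PrismObject<? extends FocusType> prismObject, OperationResult operationResult) throws SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        this.securityContextManager.setupPreAuthenticatedSecurityContext(prismObject, operationResult);
    }

    /** Delegates to the wrapped {@link SecurityContextManager}. */
    public void setupPreAuthenticatedSecurityContext(PrismObject<? extends FocusType> prismObject, ProfileCompilerOptions profileCompilerOptions, OperationResult operationResult) throws SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        this.securityContextManager.setupPreAuthenticatedSecurityContext(prismObject, profileCompilerOptions, operationResult);
    }

    /** Delegates to the wrapped {@link SecurityContextManager}. */
    public void setupPreAuthenticatedSecurityContext(MidPointPrincipal midPointPrincipal) {
        this.securityContextManager.setupPreAuthenticatedSecurityContext(midPointPrincipal);
    }

    /** Delegates to the wrapped {@link SecurityContextManager}. */
    public boolean isAuthenticated() {
        return this.securityContextManager.isAuthenticated();
    }

    /** Delegates to the wrapped {@link SecurityContextManager}. */
    public Authentication getAuthentication() {
        return this.securityContextManager.getAuthentication();
    }

    /** Delegates to the wrapped {@link SecurityContextManager}. */
    public String getPrincipalOid() {
        return this.securityContextManager.getPrincipalOid();
    }

    /** Delegates to the wrapped {@link SecurityContextManager}. */
    public void setTemporaryPrincipalOid(String str) {
        this.securityContextManager.setTemporaryPrincipalOid(str);
    }

    /** Delegates to the wrapped {@link SecurityContextManager}. */
    public void clearTemporaryPrincipalOid() {
        this.securityContextManager.clearTemporaryPrincipalOid();
    }

    /** Delegates to the wrapped {@link SecurityContextManager}. */
    public <T> T runAs(@NotNull SecurityContextManager.ResultAwareProducer<T> resultAwareProducer, @Nullable PrismObject<? extends FocusType> prismObject, boolean z, @NotNull OperationResult operationResult) throws SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        return (T) this.securityContextManager.runAs(resultAwareProducer, prismObject, z, operationResult);
    }

    /** Delegates to the wrapped {@link SecurityContextManager}. */
    public <T> T runPrivileged(@NotNull Producer<T> producer) {
        return (T) this.securityContextManager.runPrivileged(producer);
    }

    /** Delegates to the wrapped {@link SecurityContextManager}. */
    public void storeConnectionInformation(HttpConnectionInformation httpConnectionInformation) {
        this.securityContextManager.storeConnectionInformation(httpConnectionInformation);
    }

    /** Delegates to the wrapped {@link SecurityContextManager}. */
    public HttpConnectionInformation getStoredConnectionInformation() {
        return this.securityContextManager.getStoredConnectionInformation();
    }

    // ---------------------------------------------------------------------------------------------
    // SecurityEnforcer: plain delegation to the wrapped enforcer.
    // ---------------------------------------------------------------------------------------------

    /** Delegates to the wrapped {@link SecurityEnforcer}. */
    public void failAuthorization(String str, AuthorizationPhaseType authorizationPhaseType, AbstractAuthorizationParameters abstractAuthorizationParameters, OperationResult operationResult) throws SecurityViolationException {
        this.securityEnforcer.failAuthorization(str, authorizationPhaseType, abstractAuthorizationParameters, operationResult);
    }

    /** Delegates to the wrapped {@link SecurityEnforcer}. */
    @NotNull
    public AccessDecision decideAccess(@Nullable MidPointPrincipal midPointPrincipal, @NotNull String str, @Nullable AuthorizationPhaseType authorizationPhaseType, @NotNull AbstractAuthorizationParameters abstractAuthorizationParameters, @NotNull SecurityEnforcer.Options options, @NotNull Task task, @NotNull OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        return this.securityEnforcer.decideAccess(midPointPrincipal, str, authorizationPhaseType, abstractAuthorizationParameters, options, task, operationResult);
    }

    /** Delegates to the wrapped {@link SecurityEnforcer}. */
    @Nullable
    public MidPointPrincipal getMidPointPrincipal() {
        return this.securityEnforcer.getMidPointPrincipal();
    }

    /** Delegates to the wrapped {@link SecurityEnforcer}. */
    @NotNull
    public <O extends ObjectType> ObjectSecurityConstraints compileSecurityConstraints(@NotNull PrismObject<O> prismObject, boolean z, @NotNull SecurityEnforcer.Options options, @NotNull Task task, @NotNull OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        return this.securityEnforcer.compileSecurityConstraints(prismObject, z, options, task, operationResult);
    }

    /** Delegates to the wrapped {@link SecurityEnforcer}. */
    @NotNull
    public PrismEntityOpConstraints.ForValueContent compileOperationConstraints(@Nullable MidPointPrincipal midPointPrincipal, @NotNull PrismObjectValue<?> prismObjectValue, @Nullable AuthorizationPhaseType authorizationPhaseType, @NotNull String[] strArr, @NotNull SecurityEnforcer.Options options, @NotNull CompileConstraintsOptions compileConstraintsOptions, @NotNull Task task, @NotNull OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        return this.securityEnforcer.compileOperationConstraints(midPointPrincipal, prismObjectValue, authorizationPhaseType, strArr, options, compileConstraintsOptions, task, operationResult);
    }

    /** Delegates to the wrapped {@link SecurityEnforcer}. */
    @Nullable
    public <T> ObjectFilter preProcessObjectFilter(@Nullable MidPointPrincipal midPointPrincipal, @NotNull String[] strArr, @Nullable AuthorizationPhaseType authorizationPhaseType, @NotNull Class<T> cls, @Nullable ObjectFilter objectFilter, @Nullable String str, @NotNull List<OrderConstraintsType> list, @NotNull SecurityEnforcer.Options options, @NotNull Task task, @NotNull OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        return this.securityEnforcer.preProcessObjectFilter(midPointPrincipal, strArr, authorizationPhaseType, cls, objectFilter, str, list, options, task, operationResult);
    }

    /** Delegates to the wrapped {@link SecurityEnforcer}. */
    public <T extends ObjectType, O extends ObjectType, F> F computeTargetSecurityFilter(MidPointPrincipal midPointPrincipal, String[] strArr, AuthorizationPhaseType authorizationPhaseType, Class<T> cls, @NotNull PrismObject<O> prismObject, ObjectFilter objectFilter, String str, List<OrderConstraintsType> list, FilterGizmo<F> filterGizmo, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        return (F) this.securityEnforcer.computeTargetSecurityFilter(midPointPrincipal, strArr, authorizationPhaseType, cls, prismObject, objectFilter, str, list, filterGizmo, task, operationResult);
    }

    /** Delegates to the wrapped {@link SecurityEnforcer}. */
    public <F extends FocusType> MidPointPrincipal createDonorPrincipal(MidPointPrincipal midPointPrincipal, String str, PrismObject<F> prismObject, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        return this.securityEnforcer.createDonorPrincipal(midPointPrincipal, str, prismObject, task, operationResult);
    }

    /** Delegates to the wrapped {@link SecurityEnforcer}. */
    public <O extends ObjectType, R extends AbstractRoleType> ItemSecurityConstraints getAllowedRequestAssignmentItems(MidPointPrincipal midPointPrincipal, String str, PrismObject<O> prismObject, PrismObject<R> prismObject2, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        return this.securityEnforcer.getAllowedRequestAssignmentItems(midPointPrincipal, str, prismObject, prismObject2, task, operationResult);
    }

    /** Delegates to the wrapped {@link SecurityEnforcer}. */
    public <O extends ObjectType> AccessDecision determineItemDecision(@NotNull ObjectSecurityConstraints objectSecurityConstraints, @NotNull ObjectDelta<O> objectDelta, PrismObject<O> prismObject, @NotNull String str, @NotNull AuthorizationPhaseType authorizationPhaseType, @NotNull ItemPath itemPath) {
        return this.securityEnforcer.determineItemDecision(objectSecurityConstraints, objectDelta, prismObject, str, authorizationPhaseType, itemPath);
    }

    /** Delegates to the wrapped {@link SecurityEnforcer}. */
    public <C extends Containerable> AccessDecision determineItemValueDecision(@NotNull ObjectSecurityConstraints objectSecurityConstraints, @NotNull PrismContainerValue<C> prismContainerValue, @NotNull String str, @NotNull AuthorizationPhaseType authorizationPhaseType, boolean z, @NotNull String str2) {
        return this.securityEnforcer.determineItemValueDecision(objectSecurityConstraints, prismContainerValue, str, authorizationPhaseType, z, str2);
    }

    // ---------------------------------------------------------------------------------------------
    // AccessDecisionManager: the actual web authorization logic.
    // ---------------------------------------------------------------------------------------------

    /**
     * Accepts {@link SecurityConfig} attributes and Spring's {@code WebExpressionConfigAttribute}.
     * The latter is matched by its fully qualified class name (presumably because the class is not
     * accessible from here).
     */
    public boolean supports(ConfigAttribute configAttribute) {
        if (configAttribute instanceof SecurityConfig) {
            return true;
        }
        return "org.springframework.security.web.access.expression.WebExpressionConfigAttribute".equals(configAttribute.getClass().getName());
    }

    /**
     * Claims support for both {@link MethodInvocation} and {@link FilterInvocation} secured objects.
     * Note that {@link #decide} only evaluates {@link FilterInvocation}s; anything else passes through.
     */
    public boolean supports(Class<?> cls) {
        return MethodInvocation.class.isAssignableFrom(cls) || FilterInvocation.class.isAssignableFrom(cls);
    }

    /**
     * Decides whether the request represented by {@code obj} may proceed.
     *
     * <p>Order of evaluation:
     * <ol>
     *   <li>non-{@link FilterInvocation} objects pass without any check (see {@link #supports(Class)});</li>
     *   <li>permit-all URLs and the login page of the active authentication module pass;</li>
     *   <li>the empty servlet path and {@code /} pass;</li>
     *   <li>the required actions are collected from {@link EndPointsUrlMapping}, the page descriptors and,
     *       for REST, the {@link RestHandlerMethod} annotation of the resolved handler method;</li>
     *   <li>no determinable action means the page is denied (fail-closed);</li>
     *   <li>otherwise the principal is checked against the required actions in {@link #decideInternal}.</li>
     * </ol>
     *
     * @param authentication the current Spring authentication
     * @param obj the secured object, expected to be a {@link FilterInvocation}
     * @param collection the configured attributes; only passed through for logging
     * @throws AccessDeniedException if the principal does not hold the required actions, or none could be determined
     * @throws InsufficientAuthenticationException if the request is anonymous
     */
    public void decide(Authentication authentication, Object obj, Collection<ConfigAttribute> collection) throws AccessDeniedException, InsufficientAuthenticationException {
        if (!(obj instanceof FilterInvocation)) {
            // Deliberate pass-through for non-web secured objects (e.g. MethodInvocation); nothing is checked here.
            LOGGER.trace("DECIDE: PASS because object is not FilterInvocation, it is {}", obj);
            return;
        }
        FilterInvocation filterInvocation = (FilterInvocation) obj;
        if (isPermitAll(filterInvocation)) {
            LOGGER.trace("DECIDE: authentication={}, object={}: ALLOW ALL (permitAll)", authentication, obj);
            return;
        }
        String servletPath = filterInvocation.getRequest().getServletPath();
        if ("".equals(servletPath) || "/".equals(servletPath)) {
            LOGGER.trace("DECIDE: authentication={}, object={}: ALLOW ALL (/)", authentication, obj);
            return;
        }

        Set<String> requiredActions = new HashSet<>();
        for (EndPointsUrlMapping mapping : EndPointsUrlMapping.values()) {
            addSecurityConfig(filterInvocation, requiredActions, mapping.getUrl(), mapping.getAction());
        }
        for (Map.Entry<String, AuthorizationActionValue[]> entry : DescriptorLoaderImpl.getActions().entrySet()) {
            addSecurityConfig(filterInvocation, requiredActions, entry.getKey(), entry.getValue());
        }
        HandlerMethod restHandlerMethod = getRestHandlerMethod(filterInvocation.getRequest());
        if (restHandlerMethod != null) {
            addSecurityConfig(requiredActions, restHandlerMethod);
        }

        if (requiredActions.isEmpty()) {
            // A page with no declared authorization is never implicitly public.
            LOGGER.trace("DECIDE: DENY because determined empty required actions from {}", filterInvocation);
            SecurityUtil.logSecurityDeny(obj, ": Not authorized (page without authorizations)", (Throwable) null, requiredActions);
            throw new AccessDeniedException("Not authorized");
        }

        MidPointPrincipal principal = getPrincipalFromAuthentication(authentication, obj, collection);
        Task task = this.taskManager.createTaskInstance(MidPointGuiAuthorizationEvaluator.class.getName() + ".decide");
        decideInternal(principal, requiredActions, authentication, obj, task);
    }

    /**
     * Resolves the Spring MVC {@link HandlerMethod} that would serve {@code request}, or {@code null}
     * if no {@link HandlerMapping} resolves it to one.
     *
     * <p>Lookup is best effort: a mapping that throws for this request is skipped (and logged at
     * trace level) so that the remaining mappings are still consulted.
     */
    private HandlerMethod getRestHandlerMethod(HttpServletRequest request) {
        if (this.handlerMappingBeans.isEmpty()) {
            this.handlerMappingBeans = List.copyOf(
                    BeanFactoryUtils.beansOfTypeIncludingAncestors(this.applicationContext, HandlerMapping.class, true, false).values());
        }
        List<HandlerMapping> mappings = this.handlerMappingBeans;
        for (HandlerMapping mapping : mappings) {
            try {
                HandlerExecutionChain chain = mapping.getHandler(request);
                if (chain == null) {
                    continue;
                }
                Object handler = chain.getHandler();
                if (handler instanceof HandlerMethod) {
                    return (HandlerMethod) handler;
                }
            } catch (Exception e) {
                // Best effort, but never silent: a swallowed failure here would make the REST
                // authorization of this request silently disappear from the required actions.
                LOGGER.trace("DECIDE: ignoring exception from handler mapping {}: {}", mapping, e.getMessage(), e);
            }
        }
        return null;
    }

    /**
     * Extracts the {@link MidPointPrincipal} from the Spring authentication.
     *
     * @param authentication the current authentication
     * @param obj the secured object, used for logging only
     * @param obj2 the config attributes, used for logging only
     * @return the midPoint principal
     * @throws InsufficientAuthenticationException for Spring's anonymous principal ({@code "anonymousUser"})
     * @throws IllegalArgumentException for any other principal type — this is a wiring error, not a denial
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public MidPointPrincipal getPrincipalFromAuthentication(Authentication authentication, Object obj, Object obj2) {
        Object principal = authentication.getPrincipal();
        if (principal instanceof MidPointPrincipal) {
            return (MidPointPrincipal) principal;
        }
        // Only the String "anonymousUser" counts as "not logged in"; the equals() call implies the String check.
        if ("anonymousUser".equals(principal)) {
            SecurityUtil.logSecurityDeny(obj, ": Not logged in");
            LOGGER.trace("DECIDE: authentication={}, object={}, configAttributes={}: DENY (not logged in)", authentication, obj, obj2);
            throw new InsufficientAuthenticationException("Not logged in.");
        }
        LOGGER.trace("DECIDE: authentication={}, object={}, configAttributes={}: ERROR (wrong principal)", authentication, obj, obj2);
        throw new IllegalArgumentException("Expected that spring security principal will be of type " + MidPointPrincipal.class.getName() + " but it was " + (principal == null ? null : principal.getClass()));
    }

    /**
     * Asks the wrapped enforcer whether {@code midPointPrincipal} holds all of {@code set}.
     *
     * <p>Only {@link AccessDecision#ALLOW} lets the request through; any other (or missing) decision
     * is a denial. Checked evaluation failures are logged and rethrown as {@link SystemException}
     * so that an error never turns into an allow.
     *
     * @param midPointPrincipal the principal being authorized
     * @param set the required authorization actions
     * @param authentication the Spring authentication, for logging
     * @param obj the secured object, for logging
     * @param task the task the evaluation runs under; its result is used for the enforcer call
     * @throws AccessDeniedException if the decision is not ALLOW
     * @throws SystemException if the enforcer fails with a checked exception
     */
    protected void decideInternal(MidPointPrincipal midPointPrincipal, Set<String> set, Authentication authentication, Object obj, Task task) {
        try {
            AccessDecision decision = this.securityEnforcer.decideAccess(midPointPrincipal, set, task, task.getResult());
            if (LOGGER.isTraceEnabled()) {
                LOGGER.trace("DECIDE: authentication={}, object={}, requiredActions={}: {}", authentication, obj, set, decision);
            }
            // Null-safe comparison: a null decision is treated as a denial instead of an NPE.
            if (AccessDecision.ALLOW.equals(decision)) {
                return;
            }
            SecurityUtil.logSecurityDeny(obj, ": Not authorized", (Throwable) null, set);
            throw new AccessDeniedException("Not authorized");
        } catch (SchemaException | ObjectNotFoundException | ExpressionEvaluationException | CommunicationException | ConfigurationException | SecurityViolationException e) {
            LOGGER.error("Error while processing authorization: {}", e.getMessage(), e);
            LOGGER.trace("DECIDE: authentication={}, object={}, requiredActions={}: ERROR {}", authentication, obj, set, e.getMessage());
            throw new SystemException("Error while processing authorization: " + e.getMessage(), e);
        }
    }

    /**
     * Whether the request needs no authorization at all.
     *
     * <p>True for the {@code /auth/*} endpoints once the response is committed, for the login page of
     * the currently active authentication module, and for the configured permit-all URLs.
     * Note that when the request matches a configured login page while a login page exists for the
     * active module, that page alone decides — the permit-all URLs are not consulted afterwards.
     */
    private boolean isPermitAll(FilterInvocation filterInvocation) {
        HttpServletRequest request = filterInvocation.getRequest();
        if (filterInvocation.getResponse() != null && filterInvocation.getResponse().isCommitted() && AUTH_URL_MATCHER.matches(request)) {
            return true;
        }
        for (String loginPage : DescriptorLoaderImpl.getLoginPages()) {
            if (new AntPathRequestMatcher(loginPage).matches(request) && AuthSequenceUtil.existLoginPageForActualAuthModule()) {
                return AuthSequenceUtil.isLoginPageForActualAuthModule(loginPage);
            }
        }
        for (String permitAllUrl : DescriptorLoaderImpl.getPermitAllUrls()) {
            if (new AntPathRequestMatcher(permitAllUrl).matches(request)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Adds the non-blank action values of {@code actions} to {@code requiredActions} when the request
     * matches the Ant pattern {@code urlPattern}. A {@code null} action array contributes nothing.
     */
    private void addSecurityConfig(FilterInvocation filterInvocation, Set<String> requiredActions, String urlPattern, DisplayableValue<String>[] actions) {
        if (actions == null || !new AntPathRequestMatcher(urlPattern).matches(filterInvocation.getRequest())) {
            return;
        }
        for (DisplayableValue<String> action : actions) {
            String value = action.getValue();
            if (!StringUtils.isBlank(value)) {
                requiredActions.add(value);
            }
        }
    }

    /**
     * Adds the authorization URI declared by the handler method's {@link RestHandlerMethod}
     * annotation, if the method carries one.
     */
    private void addSecurityConfig(Set<String> requiredActions, HandlerMethod handlerMethod) {
        RestHandlerMethod annotation = handlerMethod.getMethodAnnotation(RestHandlerMethod.class);
        if (annotation != null) {
            requiredActions.add(annotation.authorization().getUri());
        }
    }
}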
