package com.evolveum.midpoint.model.impl.security;

import com.evolveum.midpoint.common.ActivationComputer;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.schema.constants.SchemaConstants;
import com.evolveum.midpoint.security.api.AuthorizationConstants;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.security.api.OwnerResolver;
import com.evolveum.midpoint.security.api.SecurityEnforcer;
import com.evolveum.midpoint.security.api.UserProfileService;
import com.evolveum.midpoint.util.QNameUtil;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPMessage;
import org.apache.commons.lang.StringUtils;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.PhaseInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.ws.commons.schema.utils.DOMUtil;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.w3c.dom.Element;

/* loaded from: input_file:com/evolveum/midpoint/model/impl/security/SpringAuthenticationInjectorInterceptor.class */
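/**
 * CXF inbound interceptor that turns the user name extracted from the WS-Security header into a
 * Spring Security authentication and checks that the caller is authorized for the invoked
 * web-service operation.
 * <p>
 * It is ordered after {@link WSS4JInInterceptor}, so the WS-Security header has already been
 * validated when {@link #handleMessage(SoapMessage)} runs. Every refusal is audited through
 * {@link SecurityHelper#auditLoginFailure} on the web-service channel and reported to the client
 * as a WSS4J {@link Fault}.
 */
public class SpringAuthenticationInjectorInterceptor implements PhaseInterceptor<SoapMessage> {

    private static final Trace LOGGER = TraceManager.getTrace(SpringAuthenticationInjectorInterceptor.class);

    /** Namespace in which the per-operation web-service authorization actions are defined. */
    private static final String AUTZ_WS_OPERATION_NAMESPACE =
            "http://midpoint.evolveum.com/xml/ns/public/security/authorization-ws-3";

    private final UserProfileService userDetailsService;
    private final SecurityEnforcer securityEnforcer;
    private final SecurityHelper securityHelper;
    private final ActivationComputer activationComputer;
    private final Set<String> before = new HashSet<>();
    private final Set<String> after = new HashSet<>();
    private final String id = getClass().getName();
    // CXF phase name: this interceptor runs in the pre-protocol phase (after WSS4J, see constructor).
    private final String phase = "pre-protocol";

    /**
     * Creates the interceptor and orders it after {@link WSS4JInInterceptor}.
     *
     * @param userProfileService resolves user names to {@link MidPointPrincipal}s
     * @param securityEnforcer evaluates the web-service authorizations
     * @param securityHelper extracts the SAAJ message and user name, and writes audit records
     * @param activationComputer decides whether a user's activation allows a login
     */
    public SpringAuthenticationInjectorInterceptor(UserProfileService userProfileService,
            SecurityEnforcer securityEnforcer, SecurityHelper securityHelper,
            ActivationComputer activationComputer) {
        this.userDetailsService = userProfileService;
        this.securityEnforcer = securityEnforcer;
        this.securityHelper = securityHelper;
        this.activationComputer = activationComputer;
        // Touch the field directly: calling the overridable getAfter() from a constructor is unsafe.
        after.add(WSS4JInInterceptor.class.getName());
    }

    /** @return ids of interceptors this one must run after (WSS4J) */
    @Override
    public Set<String> getAfter() {
        return after;
    }

    /** @return ids of interceptors this one must run before (none) */
    @Override
    public Set<String> getBefore() {
        return before;
    }

    /** @return the interceptor id, which is this class name */
    @Override
    public String getId() {
        return id;
    }

    /** @return the CXF phase this interceptor is attached to */
    @Override
    public String getPhase() {
        return phase;
    }

    /** @return {@code null}: this interceptor contributes no additional interceptors */
    @Override
    public Collection<PhaseInterceptor<? extends Message>> getAdditionalInterceptors() {
        return null;
    }

    /**
     * Authenticates the caller named in the WS-Security header and checks that the caller is
     * authorized for the invoked operation; on success the principal is placed into the Spring
     * {@link SecurityContextHolder}.
     * <p>
     * Authorization is granted either by the blanket {@link AuthorizationConstants#AUTZ_WS_ALL_URL}
     * action or by the per-operation action named after the first element of the SOAP body.
     *
     * @param soapMessage the intercepted CXF message
     * @throws Fault when the message has no SAAJ representation, the user name is missing, the user
     *         does not exist or is inactive, the user is not authorized for the operation, or the
     *         request could not be evaluated (empty body, schema, SOAP or WS-Security error)
     */
    @Override
    public void handleMessage(SoapMessage soapMessage) throws Fault {
        LOGGER.trace("Intercepted message: {}", soapMessage);
        SOAPMessage saajMessage = securityHelper.getSOAPMessage(soapMessage);
        if (saajMessage == null) {
            LOGGER.error("No soap message in handler");
            throw createFault(WSSecurityException.ErrorCode.FAILURE);
        }
        // Declared outside the try so that the catch blocks below can attribute the failure to the
        // extracted user name instead of always auditing it as null.
        String username = null;
        try {
            username = securityHelper.getUsernameFromMessage(saajMessage);
            LOGGER.trace("Attempt to authenticate user '{}'", username);
            if (StringUtils.isBlank(username)) {
                auditLoginFailure(soapMessage, username, "Empty username");
                throw createFault(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
            }
            MidPointPrincipal principal = userDetailsService.getPrincipal(username);
            LOGGER.trace("Principal: {}", principal);
            if (principal == null) {
                auditLoginFailure(soapMessage, username, "No user");
                throw createFault(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
            }
            if (!activationComputer.isActive(principal.getUser().getActivation())) {
                LOGGER.trace("Refusing access to {} because the user is not active", username);
                auditLoginFailure(soapMessage, username, "User not active");
                throw createFault(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
            }
            // The enforcer is not handed the principal explicitly, so presumably it reads it from the
            // security context; hence the token is installed before the authorization checks.
            // The two-argument token constructor yields a token with isAuthenticated() == false, and
            // the token remains in the thread-local context when the checks below fail.
            // NOTE(review): confirm the surrounding request handling clears the context on the
            // failure path.
            SecurityContextHolder.getContext().setAuthentication(
                    new UsernamePasswordAuthenticationToken(principal, null));
            try {
                Element operation = DOMUtil.getFirstChildElement(saajMessage.getSOAPBody());
                if (operation == null) {
                    // An empty body names no operation to authorize; previously this was a NullPointerException
                    // that bypassed the audit.
                    LOGGER.debug("Access to web service denied for user '{}': empty SOAP body", username);
                    auditLoginFailure(soapMessage, username, "Empty SOAP body");
                    throw createFault(WSSecurityException.ErrorCode.FAILURE);
                }
                String operationName = operation.getLocalName();
                // Blanket web-service authorization first, per-operation action as the fallback.
                boolean authorized = securityEnforcer.isAuthorized(AuthorizationConstants.AUTZ_WS_ALL_URL,
                        AuthorizationPhaseType.REQUEST, (PrismObject) null, (ObjectDelta) null,
                        (PrismObject) null, (OwnerResolver) null);
                LOGGER.trace("Determined authorization for web service access (action: {}): {}",
                        AuthorizationConstants.AUTZ_WS_ALL_URL, authorized);
                if (!authorized) {
                    String operationAction = QNameUtil.qNameToUri(
                            new QName(AUTZ_WS_OPERATION_NAMESPACE, operationName));
                    authorized = securityEnforcer.isAuthorized(operationAction, AuthorizationPhaseType.REQUEST,
                            (PrismObject) null, (ObjectDelta) null, (PrismObject) null, (OwnerResolver) null);
                    LOGGER.trace("Determined authorization for web service operation {} (action: {}): {}",
                            operationName, operationAction, authorized);
                }
                if (!authorized) {
                    LOGGER.debug("Access to web service denied for user '{}': not authorized", username);
                    auditLoginFailure(soapMessage, username, "Not authorized");
                    throw createFault(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
                }
                // The audited flag is set on success as well — presumably so that downstream code does
                // not audit this login a second time; TODO confirm against SecurityHelper.
                soapMessage.setContextualProperty(SecurityHelper.CONTEXTUAL_PROPERTY_AUDITED_NAME, true);
                LOGGER.debug("Access to web service allowed for user '{}'", username);
            } catch (SchemaException e) {
                LOGGER.debug("Access to web service denied for user '{}': schema error: {}",
                        username, e.getMessage(), e);
                auditLoginFailure(soapMessage, username, "Schema error: " + e.getMessage());
                throw createFault(WSSecurityException.ErrorCode.FAILURE);
            } catch (SOAPException e) {
                LOGGER.debug("Access to web service denied for user '{}': SOAP error: {}",
                        username, e.getMessage(), e);
                auditLoginFailure(soapMessage, username, "SOAP error: " + e.getMessage());
                throw new Fault(e);
            }
        } catch (ObjectNotFoundException e) {
            LOGGER.debug("Access to web service denied for user '{}': object not found: {}",
                    username, e.getMessage(), e);
            auditLoginFailure(soapMessage, username, "No user");
            throw createFault(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        } catch (WSSecurityException e) {
            LOGGER.debug("Access to web service denied for user '{}': security exception: {}",
                    username, e.getMessage(), e);
            auditLoginFailure(soapMessage, username, "Security exception: " + e.getMessage());
            throw new Fault(e, e.getFaultCode());
        }
    }

    /**
     * Marks the message as already audited and records a failed web-service login.
     *
     * @param soapMessage the intercepted message, flagged with
     *        {@link SecurityHelper#CONTEXTUAL_PROPERTY_AUDITED_NAME}
     * @param username the attempted user name, {@code null} when it was not extracted yet
     * @param reason short human-readable cause stored in the audit record (no secrets)
     */
    private void auditLoginFailure(SoapMessage soapMessage, String username, String reason) {
        soapMessage.setContextualProperty(SecurityHelper.CONTEXTUAL_PROPERTY_AUDITED_NAME, true);
        securityHelper.auditLoginFailure(username, reason, SchemaConstants.CHANNEL_WEB_SERVICE_URI);
    }

    /**
     * Builds a CXF fault carrying a WSS4J security exception with the given code.
     *
     * @param errorCode the WSS4J error code; its QName becomes the SOAP fault code
     * @return the fault to throw to the client
     */
    private Fault createFault(WSSecurityException.ErrorCode errorCode) {
        return new Fault(new WSSecurityException(errorCode), errorCode.getQName());
    }

    /** Nothing to undo on the fault path: this interceptor holds no per-message state. */
    @Override
    public void handleFault(SoapMessage soapMessage) {
    }
}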
