package com.evolveum.midpoint.model.impl.security;

import com.evolveum.midpoint.audit.api.AuditEventRecord;
import com.evolveum.midpoint.audit.api.AuditEventStage;
import com.evolveum.midpoint.audit.api.AuditEventType;
import com.evolveum.midpoint.audit.api.AuditService;
import com.evolveum.midpoint.model.api.ModelAuditRecorder;
import com.evolveum.midpoint.model.impl.ModelObjectResolver;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.xml.XmlTypeConverter;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.result.OperationResultStatus;
import com.evolveum.midpoint.security.api.ConnectionEnvironment;
import com.evolveum.midpoint.security.api.HttpConnectionInformation;
import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.task.api.TaskManager;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.NonceCredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordCredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordLifeTimeType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityQuestionsCredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemConfigurationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ValuePolicyType;
import java.util.Iterator;
import javax.xml.datatype.Duration;
import javax.xml.soap.SOAPMessage;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.saaj.SAAJInInterceptor;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

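/**
 * Security-related helper for the model layer.
 *
 * <p>It records login/logout audit events, extracts the attempted username from the
 * WS-Security header of an incoming SOAP message, and locates the {@link SecurityPolicyType}
 * that applies to a focus object. Legacy (pre-security-policy) password policies are
 * converted into an equivalent {@link SecurityPolicyType} so callers deal with one type only.
 */
@Component
public class SecurityHelper implements ModelAuditRecorder {

    private static final Trace LOGGER = TraceManager.getTrace(SecurityHelper.class);

    /** Key of the contextual property used to mark a request as already audited. */
    public static final String CONTEXTUAL_PROPERTY_AUDITED_NAME = SecurityHelper.class.getName() + ".audited";

    /** Milliseconds in one day, used to turn legacy day-based password lifetimes into XML durations. */
    private static final long MILLIS_PER_DAY = 24L * 60 * 60 * 1000;

    @Autowired
    private TaskManager taskManager;

    @Autowired
    private AuditService auditService;

    @Autowired
    private ModelObjectResolver objectResolver;

    @Autowired
    private SecurityEnforcer securityEnforcer;

    /**
     * Audits a successful login of {@code user} over the given connection.
     *
     * @param user authenticated user; its original name is used as the audit parameter
     * @param connectionEnvironment channel, session and remote-host information of the connection
     */
    public void auditLoginSuccess(@NotNull UserType user, @NotNull ConnectionEnvironment connectionEnvironment) {
        auditLogin(user.getName().getOrig(), user, connectionEnvironment, OperationResultStatus.SUCCESS, null);
    }

    /**
     * Audits a failed login attempt.
     *
     * @param username username as presented by the client (may be unknown)
     * @param user resolved user, if the username matched an existing one
     * @param connectionEnvironment channel, session and remote-host information of the connection
     * @param message human-readable failure reason stored in the audit record
     */
    public void auditLoginFailure(@Nullable String username, @Nullable UserType user,
            @NotNull ConnectionEnvironment connectionEnvironment, String message) {
        auditLogin(username, user, connectionEnvironment, OperationResultStatus.FATAL_ERROR, message);
    }

    /**
     * Creates and stores a CREATE_SESSION audit record for a login attempt.
     * A fresh task carrying the connection's channel is created for the audit call.
     */
    private void auditLogin(@Nullable String username, @Nullable UserType user,
            @NotNull ConnectionEnvironment connectionEnvironment, @NotNull OperationResultStatus outcome,
            @Nullable String message) {
        Task task = this.taskManager.createTaskInstance();
        task.setChannel(connectionEnvironment.getChannel());

        LOGGER.debug("Login {} username={}, channel={}: {}",
                outcome == OperationResultStatus.SUCCESS ? "success" : "failure",
                username, connectionEnvironment.getChannel(), message);

        AuditEventRecord record = new AuditEventRecord(AuditEventType.CREATE_SESSION, AuditEventStage.REQUEST);
        record.setParameter(username);
        if (user != null) {
            record.setInitiator(user.asPrismObject());
        }
        record.setTimestamp(System.currentTimeMillis());
        record.setOutcome(outcome);
        record.setMessage(message);
        storeConnectionEnvironment(record, connectionEnvironment);
        this.auditService.audit(record, task);
    }

    /**
     * Audits the end of a session (TERMINATE_SESSION, always SUCCESS).
     *
     * @param connectionEnvironment connection being closed
     * @param task task whose owner is recorded as the initiator
     */
    public void auditLogout(ConnectionEnvironment connectionEnvironment, Task task) {
        AuditEventRecord record = new AuditEventRecord(AuditEventType.TERMINATE_SESSION, AuditEventStage.REQUEST);
        record.setInitiatorAndLoginParameter(task.getOwner());
        record.setTimestamp(System.currentTimeMillis());
        record.setOutcome(OperationResultStatus.SUCCESS);
        storeConnectionEnvironment(record, connectionEnvironment);
        this.auditService.audit(record, task);
    }

    /** Copies channel, session id and (when available) remote/local host details into the record. */
    private void storeConnectionEnvironment(AuditEventRecord record, ConnectionEnvironment connectionEnvironment) {
        record.setChannel(connectionEnvironment.getChannel());
        record.setSessionIdentifier(connectionEnvironment.getSessionId());
        HttpConnectionInformation connectionInformation = connectionEnvironment.getConnectionInformation();
        if (connectionInformation == null) {
            return;
        }
        record.setRemoteHostAddress(connectionInformation.getRemoteHostAddress());
        record.setHostIdentifier(connectionInformation.getLocalHostName());
    }

    /**
     * Returns the username carried in the WS-Security header of {@code message}.
     *
     * @param message SOAP message, may be null
     * @return the username, {@code ""} when the header has no UsernameToken/Username,
     *         {@code null} when the message or its security header is missing
     * @throws WSSecurityException if the security header cannot be read
     */
    public String getUsernameFromMessage(SOAPMessage message) throws WSSecurityException {
        if (message == null) {
            return null;
        }
        Element securityHeader = WSSecurityUtil.getSecurityHeader(message.getSOAPPart(), "");
        return getUsernameFromSecurityHeader(securityHeader);
    }

    /**
     * Extracts the text of the {@code Username} child of a {@code UsernameToken} element.
     *
     * <p>Only local names are compared (the elements' namespace is not checked) and, when several
     * {@code Username} elements are present, the last one wins. The value is whatever the client
     * sent and has not been authenticated here, so it is only fit for logging/audit of the attempt.
     */
    private String getUsernameFromSecurityHeader(Element securityHeader) {
        if (securityHeader == null) {
            return null;
        }
        String username = "";
        NodeList headerChildren = securityHeader.getChildNodes();
        for (int i = 0; i < headerChildren.getLength(); i++) {
            Node token = headerChildren.item(i);
            if (token.getNodeType() != Node.ELEMENT_NODE || !"UsernameToken".equals(token.getLocalName())) {
                continue;
            }
            NodeList tokenChildren = token.getChildNodes();
            for (int j = 0; j < tokenChildren.getLength(); j++) {
                Node child = tokenChildren.item(j);
                if ("Username".equals(child.getLocalName())) {
                    username = child.getTextContent();
                }
            }
        }
        return username;
    }

    /**
     * Runs the SAAJ interceptor on the CXF message and returns the resulting SAAJ {@link SOAPMessage}.
     */
    public SOAPMessage getSOAPMessage(SoapMessage soapMessage) {
        SAAJInInterceptor.INSTANCE.handleMessage(soapMessage);
        return soapMessage.getContent(SOAPMessage.class);
    }

    /**
     * Locates the security policy applicable to {@code focus}, trying in order:
     * the security policy referenced from the focus's org tree, the global security policy
     * from the system configuration, the legacy password policy referenced from the org tree,
     * and finally the legacy global password policy. Legacy password policies are wrapped
     * into a synthetic {@link SecurityPolicyType}.
     *
     * @param focus object whose policy is sought
     * @param systemConfiguration current system configuration, may be null
     * @return the resolved policy or {@code null} if none of the sources yields one
     * @throws SchemaException if the org-tree search fails
     */
    public <F extends FocusType> SecurityPolicyType locateSecurityPolicy(PrismObject<F> focus,
            PrismObject<SystemConfigurationType> systemConfiguration, Task task, OperationResult result)
            throws SchemaException {
        PrismObject<?> orgSecurityPolicy = this.objectResolver.searchOrgTreeWidthFirstReference(focus,
                org -> org.asObjectable().getSecurityPolicyRef(), "security policy", task, result);
        LOGGER.trace("Found organization security policy: {}", orgSecurityPolicy);
        if (orgSecurityPolicy != null) {
            SecurityPolicyType policy = (SecurityPolicyType) orgSecurityPolicy.asObjectable();
            postProcessSecurityPolicy(policy, task, result);
            traceSecurityPolicy(policy, focus);
            return policy;
        }

        SystemConfigurationType systemConfig = systemConfiguration != null ? systemConfiguration.asObjectable() : null;
        if (systemConfig != null) {
            SecurityPolicyType globalPolicy = resolveGlobalSecurityPolicy(focus, systemConfig, task, result);
            if (globalPolicy != null) {
                return globalPolicy;
            }
        }

        PrismObject<?> orgPasswordPolicy = this.objectResolver.searchOrgTreeWidthFirstReference(focus,
                org -> org.asObjectable().getPasswordPolicyRef(), "security policy", task, result);
        LOGGER.trace("Found organization password policy: {}", orgPasswordPolicy);
        if (orgPasswordPolicy != null) {
            SecurityPolicyType policy = postProcessPasswordPolicy((ValuePolicyType) orgPasswordPolicy.asObjectable());
            traceSecurityPolicy(policy, focus);
            return policy;
        }

        if (systemConfig == null) {
            return null;
        }
        return resolveGlobalPasswordPolicy(focus, systemConfig, task, result);
    }

    /**
     * Resolves the global security policy referenced from the system configuration.
     *
     * @return the policy, or {@code null} when the configuration is null, has no reference,
     *         or the referenced object cannot be resolved
     */
    public SecurityPolicyType locateGlobalSecurityPolicy(SystemConfigurationType systemConfiguration,
            Task task, OperationResult result) {
        if (systemConfiguration == null) {
            return null;
        }
        return resolveGlobalSecurityPolicy(null, systemConfiguration, task, result);
    }

    /**
     * Resolves the legacy global password policy referenced from the system configuration and
     * wraps it into a {@link SecurityPolicyType}.
     *
     * @return the wrapped policy, or {@code null} when the configuration is null, has no reference,
     *         or the referenced object cannot be resolved
     */
    public SecurityPolicyType locateGlobalPasswordPolicy(SystemConfigurationType systemConfiguration,
            Task task, OperationResult result) {
        if (systemConfiguration == null) {
            return null;
        }
        return resolveGlobalPasswordPolicy(null, systemConfiguration, task, result);
    }

    /** Resolves {@code globalSecurityPolicyRef}; resolution failures are logged and yield {@code null}. */
    private <F extends FocusType> SecurityPolicyType resolveGlobalSecurityPolicy(PrismObject<F> focus,
            SystemConfigurationType systemConfiguration, Task task, OperationResult result) {
        ObjectReferenceType ref = systemConfiguration.getGlobalSecurityPolicyRef();
        if (ref == null) {
            return null;
        }
        try {
            SecurityPolicyType policy = this.objectResolver.resolve(ref, SecurityPolicyType.class, null,
                    "global security policy reference in system configuration", task, result);
            LOGGER.trace("Using global security policy: {}", policy);
            postProcessSecurityPolicy(policy, task, result);
            traceSecurityPolicy(policy, focus);
            return policy;
        } catch (ObjectNotFoundException | SchemaException e) {
            LOGGER.error(e.getMessage(), e);
            traceSecurityPolicy(null, focus);
            return null;
        }
    }

    /** Resolves {@code globalPasswordPolicyRef} and wraps it; failures are logged and yield {@code null}. */
    private <F extends FocusType> SecurityPolicyType resolveGlobalPasswordPolicy(PrismObject<F> focus,
            SystemConfigurationType systemConfiguration, Task task, OperationResult result) {
        ObjectReferenceType ref = systemConfiguration.getGlobalPasswordPolicyRef();
        if (ref == null) {
            return null;
        }
        try {
            ValuePolicyType valuePolicy = this.objectResolver.resolve(ref, ValuePolicyType.class, null,
                    "global security policy reference in system configuration", task, result);
            LOGGER.trace("Using global password policy: {}", valuePolicy);
            SecurityPolicyType policy = postProcessPasswordPolicy(valuePolicy);
            traceSecurityPolicy(policy, focus);
            return policy;
        } catch (ObjectNotFoundException | SchemaException e) {
            LOGGER.error(e.getMessage(), e);
            traceSecurityPolicy(null, focus);
            return null;
        }
    }

    /** Trace-logs the located policy (full debug dump); a null focus means the global policy. */
    private <F extends FocusType> void traceSecurityPolicy(SecurityPolicyType policy, PrismObject<F> focus) {
        if (!LOGGER.isTraceEnabled()) {
            return;
        }
        if (focus != null) {
            if (policy == null) {
                LOGGER.trace("Located security policy for {}: null", focus);
            } else {
                LOGGER.trace("Located security policy for {}:\n{}", focus, policy.asPrismObject().debugDump(1));
            }
        } else if (policy == null) {
            LOGGER.trace("Located global security policy null");
        } else {
            LOGGER.trace("Located global security policy :\n{}", policy.asPrismObject().debugDump(1));
        }
    }

    /**
     * Resolves the value-policy references of every credential policy (password, nonce,
     * security questions) inside {@code securityPolicy} so they carry the referenced object.
     */
    private void postProcessSecurityPolicy(SecurityPolicyType securityPolicy, Task task, OperationResult result) {
        CredentialsPolicyType credentials = securityPolicy.getCredentials();
        if (credentials == null) {
            return;
        }
        PasswordCredentialsPolicyType password = credentials.getPassword();
        if (password != null) {
            postProcessPasswordCredentialPolicy(securityPolicy, password, task, result);
        }
        for (NonceCredentialsPolicyType nonce : credentials.getNonce()) {
            postProcessCredentialPolicy(securityPolicy, nonce, "nonce credential policy", task, result);
        }
        SecurityQuestionsCredentialsPolicyType securityQuestions = credentials.getSecurityQuestions();
        if (securityQuestions != null) {
            postProcessCredentialPolicy(securityPolicy, securityQuestions,
                    "security questions credential policy", task, result);
        }
    }

    /**
     * Migrates deprecated password-policy properties to their current counterparts (only where the
     * current property is unset), resolves the value policy and copies its legacy lifetime settings.
     */
    private void postProcessPasswordCredentialPolicy(SecurityPolicyType securityPolicy,
            PasswordCredentialsPolicyType passwordPolicy, Task task, OperationResult result) {
        Integer deprecatedHistoryLength = passwordPolicy.getPasswordHistoryLength();
        if (deprecatedHistoryLength != null && passwordPolicy.getHistoryLength() == null) {
            passwordPolicy.setHistoryLength(deprecatedHistoryLength);
        }
        ObjectReferenceType deprecatedPolicyRef = passwordPolicy.getPasswordPolicyRef();
        if (deprecatedPolicyRef != null && passwordPolicy.getValuePolicyRef() == null) {
            // clone: the same reference value must not be owned by two containers
            passwordPolicy.setValuePolicyRef(deprecatedPolicyRef.clone());
        }
        ValuePolicyType valuePolicy = postProcessCredentialPolicy(securityPolicy, passwordPolicy,
                "password credential policy", task, result);
        if (valuePolicy != null) {
            setDeprecatedPasswordPolicyProperties(valuePolicy, passwordPolicy);
        }
    }

    /**
     * Resolves the value policy referenced by {@code credentialPolicy} and attaches the resolved
     * object to the reference.
     *
     * @param description short description of the credential policy, used in diagnostics
     * @return the resolved value policy, or {@code null} if there is no reference or it cannot be resolved
     */
    private ValuePolicyType postProcessCredentialPolicy(SecurityPolicyType securityPolicy,
            CredentialPolicyType credentialPolicy, String description, Task task, OperationResult result) {
        ObjectReferenceType valuePolicyRef = credentialPolicy.getValuePolicyRef();
        if (valuePolicyRef == null) {
            return null;
        }
        try {
            ValuePolicyType valuePolicy = this.objectResolver.resolve(valuePolicyRef, ValuePolicyType.class, null,
                    description + " in " + securityPolicy, task, result);
            if (valuePolicy == null) {
                return null;
            }
            valuePolicyRef.asReferenceValue().setObject(valuePolicy.asPrismObject());
            return valuePolicy;
        } catch (ObjectNotFoundException | SchemaException e) {
            // keep the exception attached so the cause of the missing policy is not lost
            LOGGER.warn("{} {} referenced from {} was not found: {}",
                    description, valuePolicyRef.getOid(), securityPolicy, e.getMessage(), e);
            return null;
        }
    }

    /**
     * Wraps a legacy value (password) policy into a synthetic {@link SecurityPolicyType} whose
     * password credential policy references it and carries its legacy lifetime settings.
     */
    private SecurityPolicyType postProcessPasswordPolicy(ValuePolicyType valuePolicy) {
        ObjectReferenceType valuePolicyRef = new ObjectReferenceType();
        valuePolicyRef.asReferenceValue().setObject(valuePolicy.asPrismObject());

        PasswordCredentialsPolicyType passwordPolicy = new PasswordCredentialsPolicyType();
        passwordPolicy.setValuePolicyRef(valuePolicyRef);
        setDeprecatedPasswordPolicyProperties(valuePolicy, passwordPolicy);

        CredentialsPolicyType credentials = new CredentialsPolicyType();
        credentials.setPassword(passwordPolicy);

        SecurityPolicyType securityPolicy = new SecurityPolicyType();
        securityPolicy.setCredentials(credentials);
        return securityPolicy;
    }

    /**
     * Copies the deprecated lifetime/minOccurs settings of a value policy into the password
     * credential policy, never overwriting a value that is already set there.
     */
    private void setDeprecatedPasswordPolicyProperties(ValuePolicyType valuePolicy,
            PasswordCredentialsPolicyType passwordPolicy) {
        PasswordLifeTimeType lifetime = valuePolicy.getLifetime();
        if (lifetime != null) {
            Integer expirationDays = lifetime.getExpiration();
            // 0 means "no expiration" in the legacy schema, so it is not converted
            if (expirationDays != null && expirationDays != 0 && passwordPolicy.getMaxAge() == null) {
                passwordPolicy.setMaxAge(daysToDuration(expirationDays));
            }
            Integer minAgeDays = lifetime.getMinPasswordAge();
            if (minAgeDays != null && minAgeDays != 0 && passwordPolicy.getMinAge() == null) {
                passwordPolicy.setMinAge(daysToDuration(minAgeDays));
            }
            Integer historyLength = lifetime.getPasswordHistoryLength();
            if (historyLength != null && passwordPolicy.getHistoryLength() == null) {
                passwordPolicy.setHistoryLength(historyLength);
            }
        }
        String minOccurs = valuePolicy.getMinOccurs();
        if (minOccurs != null && passwordPolicy.getMinOccurs() == null) {
            passwordPolicy.setMinOccurs(minOccurs);
        }
    }

    /**
     * Converts a number of days into an XML duration.
     * The multiplication is done in {@code long}: the int product overflows for more than 24 days,
     * which would silently produce a wrong (negative) password age.
     */
    private Duration daysToDuration(int days) {
        return XmlTypeConverter.createDuration(days * MILLIS_PER_DAY);
    }

    public SecurityEnforcer getSecurityEnforcer() {
        return this.securityEnforcer;
    }
}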
