package com.evolveum.midpoint.model.impl.security;

import com.evolveum.midpoint.model.api.AuthenticationEvaluator;
import com.evolveum.midpoint.model.api.ModelService;
import com.evolveum.midpoint.model.api.context.AbstractAuthenticationContext;
import com.evolveum.midpoint.model.impl.ModelRestService;
import com.evolveum.midpoint.model.impl.util.RestServiceUtil;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.schema.constants.SchemaConstants;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.security.api.AuthorizationConstants;
import com.evolveum.midpoint.security.api.ConnectionEnvironment;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.security.api.OwnerResolver;
import com.evolveum.midpoint.security.api.SecurityContextManager;
import com.evolveum.midpoint.security.enforcer.api.AuthorizationParameters;
import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.task.api.TaskManager;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import java.util.Collection;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.core.Response;
import org.apache.commons.lang.StringUtils;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.message.Message;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/* loaded from: input_file:com/evolveum/midpoint/model/impl/security/MidpointRestAuthenticator.class */
public abstract class MidpointRestAuthenticator<T extends AbstractAuthenticationContext> {
    private static final Trace LOGGER = TraceManager.getTrace(MidpointRestAuthenticator.class);

    @Autowired
    private SecurityContextManager securityContextManager;

    @Autowired
    private SecurityEnforcer securityEnforcer;

    @Autowired
    private SecurityHelper securityHelper;

    @Autowired
    private TaskManager taskManager;

    @Autowired
    private ModelService model;

    protected abstract AuthenticationEvaluator<T> getAuthenticationEvaluator();

    protected abstract T createAuthenticationContext(AuthorizationPolicy authorizationPolicy, ContainerRequestContext containerRequestContext, Class<? extends FocusType> cls);

    public void handleRequest(AuthorizationPolicy authorizationPolicy, Message message, ContainerRequestContext containerRequestContext) {
        if (authorizationPolicy == null) {
            RestServiceUtil.createAbortMessage(containerRequestContext);
            return;
        }
        T createAuthenticationContext = createAuthenticationContext(authorizationPolicy, containerRequestContext, UserType.class);
        if (createAuthenticationContext == null) {
            return;
        }
        String username = createAuthenticationContext.getUsername();
        if (username == null) {
            RestServiceUtil.createAbortMessage(containerRequestContext);
            return;
        }
        LOGGER.trace("Authenticating username '{}' to REST service", username);
        Task createTaskInstance = this.taskManager.createTaskInstance(ModelRestService.OPERATION_REST_SERVICE);
        createTaskInstance.setChannel(SchemaConstants.CHANNEL_REST_URI);
        ConnectionEnvironment create = ConnectionEnvironment.create(SchemaConstants.CHANNEL_REST_URI);
        create.setSessionIdOverride(createTaskInstance.getTaskIdentifier());
        try {
            FocusType focus = ((MidPointPrincipal) getAuthenticationEvaluator().authenticate(create, createAuthenticationContext).getPrincipal()).getFocus();
            createTaskInstance.setOwner(focus.asPrismObject());
            if (authorizeUser(focus, null, username, create, containerRequestContext)) {
                String headerString = containerRequestContext.getHeaderString("Switch-To-Principal");
                OperationResult result = createTaskInstance.getResult();
                if (StringUtils.isNotBlank(headerString)) {
                    try {
                        PrismObject<? extends FocusType> object = this.model.getObject(UserType.class, headerString, (Collection) null, createTaskInstance, result);
                        createTaskInstance.setOwner(object);
                        if (!authorizeUser(AuthorizationConstants.AUTZ_REST_PROXY_URL, focus, object, username, create, containerRequestContext)) {
                            return;
                        } else {
                            authenticateUser(object, object.getName().getOrig(), create, containerRequestContext);
                        }
                    } catch (ObjectNotFoundException | SchemaException | SecurityViolationException | CommunicationException | ConfigurationException | ExpressionEvaluationException e) {
                        LOGGER.trace("Exception while authenticating user identified with '{}' to REST service: {}", new Object[]{headerString, e.getMessage(), e});
                        RestServiceUtil.createAbortMessage(containerRequestContext);
                        return;
                    }
                }
                message.put(RestServiceUtil.MESSAGE_PROPERTY_TASK_NAME, createTaskInstance);
                LOGGER.trace("Authorized to use REST service ({})", focus);
            }
        } catch (UsernameNotFoundException | BadCredentialsException | DisabledException | LockedException | CredentialsExpiredException | AccessDeniedException | AuthenticationCredentialsNotFoundException | AuthenticationServiceException e2) {
            LOGGER.trace("Exception while authenticating username '{}' to REST service: {}", new Object[]{username, e2.getMessage(), e2});
            RestServiceUtil.createAbortMessage(containerRequestContext);
        }
    }

    private boolean authorizeUser(FocusType focusType, PrismObject<? extends FocusType> prismObject, String str, ConnectionEnvironment connectionEnvironment, ContainerRequestContext containerRequestContext) {
        authenticateUser(focusType.asPrismObject(), str, connectionEnvironment, containerRequestContext);
        return authorizeUser(AuthorizationConstants.AUTZ_REST_ALL_URL, focusType, null, str, connectionEnvironment, containerRequestContext);
    }

    private void authenticateUser(PrismObject<? extends FocusType> prismObject, String str, ConnectionEnvironment connectionEnvironment, ContainerRequestContext containerRequestContext) {
        try {
            this.securityContextManager.setupPreAuthenticatedSecurityContext(prismObject);
        } catch (SchemaException | CommunicationException | ConfigurationException | SecurityViolationException | ExpressionEvaluationException e) {
            this.securityHelper.auditLoginFailure(str, (FocusType) prismObject.asObjectable(), connectionEnvironment, "Schema error: " + e.getMessage());
            containerRequestContext.abortWith(Response.status(Response.Status.BAD_REQUEST).build());
        }
        LOGGER.trace("Authenticated to REST service as {}", prismObject);
    }

    private boolean authorizeUser(String str, FocusType focusType, PrismObject<? extends FocusType> prismObject, String str2, ConnectionEnvironment connectionEnvironment, ContainerRequestContext containerRequestContext) {
        Task createTaskInstance = this.taskManager.createTaskInstance(MidpointRestAuthenticator.class.getName() + ".authorizeUser");
        try {
            this.securityEnforcer.authorize(str, (AuthorizationPhaseType) null, AuthorizationParameters.Builder.buildObject(prismObject), (OwnerResolver) null, createTaskInstance, createTaskInstance.getResult());
            return true;
        } catch (SecurityViolationException e) {
            this.securityHelper.auditLoginFailure(str2, focusType, connectionEnvironment, "Not authorized");
            containerRequestContext.abortWith(Response.status(Response.Status.FORBIDDEN).build());
            return false;
        } catch (SchemaException | ObjectNotFoundException | ExpressionEvaluationException | CommunicationException | ConfigurationException e2) {
            this.securityHelper.auditLoginFailure(str2, focusType, connectionEnvironment, "Internal error: " + e2.getMessage());
            containerRequestContext.abortWith(Response.status(Response.Status.BAD_REQUEST).build());
            return false;
        }
    }

    public SecurityContextManager getSecurityContextManager() {
        return this.securityContextManager;
    }

    public SecurityEnforcer getSecurityEnforcer() {
        return this.securityEnforcer;
    }

    public ModelService getModel() {
        return this.model;
    }

    public TaskManager getTaskManager() {
        return this.taskManager;
    }
}
