package com.evolveum.midpoint.model.impl.security;

import com.evolveum.midpoint.common.Clock;
import com.evolveum.midpoint.model.api.AuthenticationEvaluator;
import com.evolveum.midpoint.model.api.authentication.GuiProfiledPrincipal;
import com.evolveum.midpoint.model.api.authentication.GuiProfiledPrincipalManager;
import com.evolveum.midpoint.model.api.context.AbstractAuthenticationContext;
import com.evolveum.midpoint.prism.crypto.EncryptionException;
import com.evolveum.midpoint.prism.crypto.Protector;
import com.evolveum.midpoint.prism.delta.ItemDelta;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.equivalence.ParameterizedEquivalenceStrategy;
import com.evolveum.midpoint.prism.xml.XmlTypeConverter;
import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
import com.evolveum.midpoint.security.api.Authorization;
import com.evolveum.midpoint.security.api.ConnectionEnvironment;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.security.api.SecurityUtil;
import com.evolveum.midpoint.util.QNameUtil;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractCredentialType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.LockoutStatusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.LoginEventType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.MetadataType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordCredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityPolicyType;
import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import javax.xml.datatype.Duration;
import javax.xml.datatype.XMLGregorianCalendar;
import org.apache.commons.lang.StringUtils;
import org.jetbrains.annotations.NotNull;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.MessageSource;
import org.springframework.context.MessageSourceAware;
import org.springframework.context.support.MessageSourceAccessor;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/* loaded from: input_file:com/evolveum/midpoint/model/impl/security/AuthenticationEvaluatorImpl.class */
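/**
 * Base class for credential-specific authentication evaluators (subclasses supply the
 * credential type {@code C} and the entered-credential context {@code T}).
 *
 * <p>Security-relevant contract common to all flows implemented here:
 * <ul>
 *   <li>Every rejection path writes a login-failure audit record through
 *       {@link SecurityHelper#auditLoginFailure} before the exception is thrown; every
 *       password-backed success path writes a login-success record.</li>
 *   <li>Counter-based lockout is evaluated here ({@link #isLockedOut}) from the credential's
 *       {@code failedLogins} / {@code lastFailedLogin} and the effective credential policy, and
 *       the counters are persisted via {@link GuiProfiledPrincipalManager#updateFocus}.</li>
 *   <li>All user-facing exception messages are i18n keys; the same key
 *       ({@code web.security.provider.invalid}) is used for "unknown user" and "wrong password"
 *       so the text does not leak account existence. Note however that an unknown user is
 *       rejected before any credential comparison, so the two cases may still be
 *       distinguishable by response timing.</li>
 * </ul>
 *
 * <p>This class is not thread-safe with respect to the focus object it mutates; it relies on the
 * principal passed in being private to the current authentication attempt.
 */
public abstract class AuthenticationEvaluatorImpl<C extends AbstractCredentialType, T extends AbstractAuthenticationContext>
        implements AuthenticationEvaluator<T>, MessageSourceAware {

    private static final Trace LOGGER = TraceManager.getTrace(AuthenticationEvaluatorImpl.class);

    @Autowired
    private Protector protector;

    @Autowired
    private Clock clock;

    @Autowired
    private SecurityHelper securityHelper;

    @Autowired
    GuiProfiledPrincipalManager focusProfileService;

    protected MessageSourceAccessor messages;

    @Override
    public void setMessageSource(MessageSource messageSource) {
        this.messages = new MessageSourceAccessor(messageSource);
    }

    /** Sanity-checks the credential the client entered (e.g. non-empty); throws on failure. */
    protected abstract void checkEnteredCredentials(ConnectionEnvironment connectionEnvironment, T authnCtx);

    /** Whether this evaluator requires the principal to hold at least one authorization. */
    protected abstract boolean supportsAuthzCheck();

    /** Extracts the credential of type {@code C} from the focus' credentials container, or null. */
    protected abstract C getCredential(CredentialsType credentialsType);

    /** Throws when the stored credential has no usable value. */
    protected abstract void validateCredentialNotNull(ConnectionEnvironment connectionEnvironment, @NotNull MidPointPrincipal principal, C credential);

    /** Compares the entered credential against the stored one. */
    protected abstract boolean passwordMatches(ConnectionEnvironment connectionEnvironment, @NotNull MidPointPrincipal principal, C credential, T authnCtx);

    /** Resolves the credential policy that governs this credential type for the given context. */
    protected abstract CredentialPolicyType getEffectiveCredentialPolicy(SecurityPolicyType securityPolicyType, T authnCtx) throws SchemaException;

    /** Whether this evaluator honours the focus' activation (enabled/disabled) state. */
    protected abstract boolean supportsActivation();

    /**
     * Full credential-based authentication.
     *
     * <p>Order of checks (each failure is audited and aborts the flow):
     * entered-credential sanity, principal lookup and activation (only when the context
     * supports activation by channel), stored-credential presence, lockout, authorization
     * presence (when {@link #supportsAuthzCheck()}), credential age, credential match, and
     * finally required assignments.
     *
     * <p>A mismatch increments {@code failedLogins} and may trigger lockout. Note that a
     * correct credential combined with a missing required assignment is also counted as a
     * failed login (same lockout bookkeeping as a wrong password).
     *
     * @return an authenticated token carrying the principal, the entered credential and the
     *         principal's authorities
     */
    public UsernamePasswordAuthenticationToken authenticate(ConnectionEnvironment connectionEnvironment, T authnCtx)
            throws BadCredentialsException, AuthenticationCredentialsNotFoundException, DisabledException,
            LockedException, CredentialsExpiredException, AuthenticationServiceException,
            AccessDeniedException, UsernameNotFoundException {
        checkEnteredCredentials(connectionEnvironment, authnCtx);

        MidPointPrincipal principal = getAndCheckPrincipal(connectionEnvironment, authnCtx.getUsername(),
                authnCtx.getPrincipalType(), authnCtx.isSupportActivationByChannel());
        FocusType focus = principal.getFocus();
        CredentialsType credentials = focus.getCredentials();
        CredentialPolicyType credentialsPolicy = getCredentialsPolicy(principal, authnCtx);

        if (!checkCredentials(principal, authnCtx, connectionEnvironment)) {
            recordPasswordAuthenticationFailure(principal, connectionEnvironment, getCredential(credentials),
                    credentialsPolicy, "password mismatch");
            throw new BadCredentialsException("web.security.provider.invalid");
        }

        if (!checkRequiredAssignment(focus.getAssignment(), authnCtx.getRequireAssignments())) {
            recordPasswordAuthenticationFailure(principal, connectionEnvironment, getCredential(credentials),
                    credentialsPolicy, "not contains required assignment");
            throw new InternalAuthenticationServiceException("web.security.flexAuth.invalid.required.assignment");
        }

        recordPasswordAuthenticationSuccess(principal, connectionEnvironment, getCredential(credentials));
        return new UsernamePasswordAuthenticationToken(principal, authnCtx.getEnteredCredential(), principal.getAuthorities());
    }

    /**
     * Checks that every required reference is satisfied by at least one of the focus' assignments.
     *
     * <p>A reference is satisfied by an assignment whose {@code targetRef} OID equals it, or —
     * only for assignments without a {@code targetRef} — by an inline construction whose
     * resource OID equals it, provided the required reference is typed as a {@code ResourceType}.
     *
     * @param assignments       the focus' assignments (may be null/empty)
     * @param requiredAssignments references that must all be present (null/empty means "no requirement")
     * @return true when there is nothing required or every requirement is met
     * @throws IllegalStateException when a required reference or its OID is null (misconfiguration)
     */
    protected boolean checkRequiredAssignment(List<AssignmentType> assignments, List<ObjectReferenceType> requiredAssignments) {
        if (requiredAssignments == null || requiredAssignments.isEmpty()) {
            return true;
        }
        if (assignments == null || assignments.isEmpty()) {
            return false;
        }
        for (ObjectReferenceType required : requiredAssignments) {
            if (required == null) {
                throw new IllegalStateException("Required assignment is null");
            }
            if (required.getOid() == null) {
                throw new IllegalStateException("Oid of required assignment is null");
            }
            boolean satisfied = false;
            for (AssignmentType assignment : assignments) {
                if (assignmentSatisfies(assignment, required)) {
                    satisfied = true;
                    break;
                }
            }
            if (!satisfied) {
                return false;
            }
        }
        return true;
    }

    /** One-assignment predicate for {@link #checkRequiredAssignment}; see its Javadoc for the rules. */
    private static boolean assignmentSatisfies(AssignmentType assignment, ObjectReferenceType required) {
        ObjectReferenceType targetRef = assignment.getTargetRef();
        if (targetRef != null) {
            // A targeted assignment matches on OID only; its construction (if any) is not consulted.
            return targetRef.getOid() != null && targetRef.getOid().equals(required.getOid());
        }
        if (assignment.getConstruction() == null || assignment.getConstruction().getResourceRef() == null) {
            return false;
        }
        if (required.getType() == null || !QNameUtil.match(required.getType(), ResourceType.COMPLEX_TYPE)) {
            return false;
        }
        String resourceOid = assignment.getConstruction().getResourceRef().getOid();
        return resourceOid != null && resourceOid.equals(required.getOid());
    }

    /**
     * Verifies the entered credential against the stored one and returns the focus, without
     * issuing a token.
     *
     * <p>Differences from {@link #authenticate}: the focus' activation state is never enforced
     * here (the lookup is done with activation support disabled), required assignments are not
     * checked, and a successful match is NOT recorded — {@code failedLogins} is not reset and no
     * success audit record is written. A mismatch IS recorded as a failed login.
     */
    @NotNull
    public FocusType checkCredentials(ConnectionEnvironment connectionEnvironment, T authnCtx)
            throws BadCredentialsException, AuthenticationCredentialsNotFoundException, DisabledException,
            LockedException, CredentialsExpiredException, AuthenticationServiceException,
            AccessDeniedException, UsernameNotFoundException {
        checkEnteredCredentials(connectionEnvironment, authnCtx);

        MidPointPrincipal principal = getAndCheckPrincipal(connectionEnvironment, authnCtx.getUsername(),
                authnCtx.getPrincipalType(), false);
        FocusType focus = principal.getFocus();
        CredentialsType credentials = focus.getCredentials();
        CredentialPolicyType credentialsPolicy = getCredentialsPolicy(principal, authnCtx);

        if (checkCredentials(principal, authnCtx, connectionEnvironment)) {
            return focus;
        }
        recordPasswordAuthenticationFailure(principal, connectionEnvironment, getCredential(credentials),
                credentialsPolicy, "password mismatch");
        throw new BadCredentialsException("web.security.provider.invalid");
    }

    /**
     * Shared pre-match gate: stored credential presence, lockout, authorization presence and
     * credential age. Each failing gate is audited and throws; only the final comparison is
     * reported via the return value so the caller can do the failed-login bookkeeping.
     *
     * @return result of {@link #passwordMatches}
     */
    private boolean checkCredentials(MidPointPrincipal principal, T authnCtx, ConnectionEnvironment connectionEnvironment) {
        CredentialsType credentials = principal.getFocus().getCredentials();
        if (credentials == null || getCredential(credentials) == null) {
            recordAuthenticationFailure(principal, connectionEnvironment, "no credentials in user");
            throw new AuthenticationCredentialsNotFoundException("web.security.provider.invalid");
        }
        C stored = getCredential(credentials);
        CredentialPolicyType credentialsPolicy = getCredentialsPolicy(principal, authnCtx);

        if (isLockedOut(stored, credentialsPolicy)) {
            recordAuthenticationFailure(principal, connectionEnvironment, "password locked-out");
            throw new LockedException("web.security.provider.locked");
        }
        if (supportsAuthzCheck() && !hasAnyAuthorization(principal)) {
            recordAuthenticationFailure(principal, connectionEnvironment, "no authorizations");
            throw new DisabledException("web.security.provider.access.denied");
        }
        checkPasswordValidityAndAge(connectionEnvironment, principal, stored, credentialsPolicy);
        return passwordMatches(connectionEnvironment, principal, stored, authnCtx);
    }

    /** Resolves the effective credential policy, mapping schema problems to an auth-service error. */
    private CredentialPolicyType getCredentialsPolicy(MidPointPrincipal principal, T authnCtx) {
        try {
            return getEffectiveCredentialPolicy(principal.getApplicableSecurityPolicy(), authnCtx);
        } catch (SchemaException e) {
            // Cause is preserved for diagnostics; the message stays generic for the client.
            throw new AuthenticationServiceException("Bad config", e);
        }
    }

    /**
     * Looks up the user and returns its stored password in CLEARTEXT for flows where the
     * server must know the secret (no comparison is performed here).
     *
     * <p>Runs the same gates as a password login — activation, lockout, authorization presence,
     * password age — and audits each failure. The returned value is a secret: callers must not
     * log it or keep it beyond the immediate comparison. For a password that is stored only as a
     * hash (neither encrypted nor clear) the returned value is whatever
     * {@code getClearValue()} yields, i.e. presumably null — callers should treat that as
     * "not available".
     *
     * @param username the login name to look up (focus type is not restricted)
     * @return the decrypted password value
     */
    public String getAndCheckUserPassword(ConnectionEnvironment connectionEnvironment, String username)
            throws AuthenticationCredentialsNotFoundException, DisabledException, LockedException,
            CredentialsExpiredException, AuthenticationServiceException, AccessDeniedException,
            UsernameNotFoundException {
        MidPointPrincipal principal = getAndCheckPrincipal(connectionEnvironment, username, FocusType.class, true);
        CredentialsType credentials = principal.getFocus().getCredentials();
        if (credentials == null) {
            recordAuthenticationFailure(principal, connectionEnvironment, "no credentials in user");
            throw new AuthenticationCredentialsNotFoundException("web.security.provider.invalid");
        }
        PasswordType password = credentials.getPassword();
        if (password == null) {
            // Guard added: a focus with a credentials container but no password element would
            // otherwise reach isLockedOut() and fail with a NullPointerException instead of a
            // clean, audited rejection.
            recordAuthenticationFailure(principal, connectionEnvironment, "no credentials in user");
            throw new AuthenticationCredentialsNotFoundException("web.security.provider.invalid");
        }
        PasswordCredentialsPolicyType passwordPolicy =
                SecurityUtil.getEffectivePasswordCredentialsPolicy(principal.getApplicableSecurityPolicy());

        if (isLockedOut(password, passwordPolicy)) {
            recordAuthenticationFailure(principal, connectionEnvironment, "password locked-out");
            throw new LockedException("web.security.provider.locked");
        }
        if (!hasAnyAuthorization(principal)) {
            recordAuthenticationFailure(principal, connectionEnvironment, "no authorizations");
            throw new InternalAuthenticationServiceException("web.security.provider.access.denied");
        }
        checkPasswordValidityAndAge(connectionEnvironment, principal, password.getValue(), password.getMetadata(), passwordPolicy);
        return getPassword(connectionEnvironment, principal, password.getValue());
    }

    /**
     * Issues a token for a user that was already authenticated by an upstream mechanism.
     *
     * <p>No credential is checked or touched here, and lockout counters are neither consulted
     * nor updated; the only gates are the principal lookup (with activation per the context),
     * authorization presence and required assignments. The caller is therefore fully trusted
     * to have authenticated {@code username} already.
     */
    public PreAuthenticatedAuthenticationToken authenticateUserPreAuthenticated(ConnectionEnvironment connectionEnvironment,
            AbstractAuthenticationContext authnCtx) {
        MidPointPrincipal principal = getAndCheckPrincipal(connectionEnvironment, authnCtx.getUsername(),
                authnCtx.getPrincipalType(), authnCtx.isSupportActivationByChannel());

        if (!hasAnyAuthorization(principal)) {
            recordAuthenticationFailure(principal, connectionEnvironment, "no authorizations");
            throw new InternalAuthenticationServiceException("web.security.provider.access.denied");
        }
        if (!checkRequiredAssignment(principal.getFocus().getAssignment(), authnCtx.getRequireAssignments())) {
            // Audited by username only (no focus attached), unlike the other failure paths.
            recordAuthenticationFailure(principal.getUsername(), connectionEnvironment, "not contains required assignment");
            throw new InternalAuthenticationServiceException("web.security.flexAuth.invalid.required.assignment");
        }

        PreAuthenticatedAuthenticationToken token =
                new PreAuthenticatedAuthenticationToken(principal, (Object) null, principal.getAuthorities());
        recordAuthenticationSuccess(principal, connectionEnvironment);
        return token;
    }

    /**
     * Loads the principal for {@code username} and optionally enforces that it is enabled.
     *
     * <p>Lookup errors are audited with a reason and surfaced as
     * {@link InternalAuthenticationServiceException} (infrastructure/config problems) or
     * {@link UsernameNotFoundException} (blank name, no such focus); all of them carry the same
     * generic message key.
     *
     * @param checkActivation when true, a disabled principal is rejected with {@link DisabledException}
     */
    @NotNull
    private MidPointPrincipal getAndCheckPrincipal(ConnectionEnvironment connectionEnvironment, String username,
            Class<? extends FocusType> focusClass, boolean checkActivation) {
        if (StringUtils.isBlank(username)) {
            recordAuthenticationFailure(username, connectionEnvironment, "no username");
            throw new UsernameNotFoundException("web.security.provider.invalid");
        }
        try {
            GuiProfiledPrincipal principal = this.focusProfileService.getPrincipal(username, focusClass);
            if (principal == null) {
                recordAuthenticationFailure(username, connectionEnvironment, "no focus");
                throw new UsernameNotFoundException("web.security.provider.invalid");
            }
            if (checkActivation && !principal.isEnabled()) {
                recordAuthenticationFailure((MidPointPrincipal) principal, connectionEnvironment, "focus disabled");
                throw new DisabledException("web.security.provider.disabled");
            }
            return principal;
        } catch (ExpressionEvaluationException e) {
            recordAuthenticationFailure(username, connectionEnvironment, "expression error");
            throw new InternalAuthenticationServiceException("web.security.provider.invalid");
        } catch (SchemaException e) {
            recordAuthenticationFailure(username, connectionEnvironment, "schema error");
            throw new InternalAuthenticationServiceException("web.security.provider.invalid");
        } catch (CommunicationException e) {
            recordAuthenticationFailure(username, connectionEnvironment, "communication error");
            throw new InternalAuthenticationServiceException("web.security.provider.invalid");
        } catch (ConfigurationException e) {
            recordAuthenticationFailure(username, connectionEnvironment, "configuration error");
            throw new InternalAuthenticationServiceException("web.security.provider.invalid");
        } catch (ObjectNotFoundException e) {
            recordAuthenticationFailure(username, connectionEnvironment, "no focus");
            throw new UsernameNotFoundException("web.security.provider.invalid");
        } catch (SecurityViolationException e) {
            recordAuthenticationFailure(username, connectionEnvironment, "security violation");
            throw new InternalAuthenticationServiceException("web.security.provider.invalid");
        }
    }

    /**
     * True when the principal holds at least one authorization with a non-empty action list.
     * An authorization object with no actions does not count.
     */
    private boolean hasAnyAuthorization(MidPointPrincipal principal) {
        Collection<Authorization> authorities = principal.getAuthorities();
        if (authorities == null || authorities.isEmpty()) {
            return false;
        }
        return authorities.stream()
                .anyMatch(authz -> authz.getAction() != null && !authz.getAction().isEmpty());
    }

    /**
     * Rejects a missing credential value and, when the policy defines {@code maxAge}, a
     * credential whose change timestamp plus {@code maxAge} is already in the past.
     * Without a policy, a {@code maxAge} or a change timestamp the age check is skipped.
     */
    private <P extends CredentialPolicyType> void checkPasswordValidityAndAge(ConnectionEnvironment connectionEnvironment,
            @NotNull MidPointPrincipal principal, C credential, P policy) {
        if (credential == null) {
            recordAuthenticationFailure(principal, connectionEnvironment, "no stored credential value");
            throw new AuthenticationCredentialsNotFoundException("web.security.provider.credential.bad");
        }
        validateCredentialNotNull(connectionEnvironment, principal, credential);

        if (policy == null) {
            return;
        }
        Duration maxAge = policy.getMaxAge();
        if (maxAge == null) {
            return;
        }
        XMLGregorianCalendar changeTimestamp = MiscSchemaUtil.getChangeTimestamp(credential.getMetadata());
        if (changeTimestamp == null) {
            return;
        }
        if (this.clock.isPast(XmlTypeConverter.addDuration(changeTimestamp, maxAge))) {
            recordAuthenticationFailure(principal, connectionEnvironment, "password expired");
            throw new CredentialsExpiredException("web.security.provider.credential.expired");
        }
    }

    /**
     * Password-value variant of the age check used by {@link #getAndCheckUserPassword}; same
     * rules as the generic overload but operates on the raw protected string and metadata.
     */
    private void checkPasswordValidityAndAge(ConnectionEnvironment connectionEnvironment, @NotNull MidPointPrincipal principal,
            ProtectedStringType passwordValue, MetadataType metadata, CredentialPolicyType policy) {
        if (passwordValue == null) {
            recordAuthenticationFailure(principal, connectionEnvironment, "no stored password value");
            throw new AuthenticationCredentialsNotFoundException("web.security.provider.password.bad");
        }
        if (policy == null) {
            return;
        }
        Duration maxAge = policy.getMaxAge();
        if (maxAge == null) {
            return;
        }
        XMLGregorianCalendar changeTimestamp = MiscSchemaUtil.getChangeTimestamp(metadata);
        if (changeTimestamp == null) {
            return;
        }
        if (this.clock.isPast(XmlTypeConverter.addDuration(changeTimestamp, maxAge))) {
            recordAuthenticationFailure(principal, connectionEnvironment, "password expired");
            throw new CredentialsExpiredException("web.security.provider.credential.expired");
        }
    }

    /**
     * Compares an entered cleartext against the stored protected value via the
     * {@link Protector}, which handles encrypted and hashed storage forms.
     * Crypto/schema failures are audited and reported as service unavailability rather than as
     * a bad credential, so a broken keystore cannot be mistaken for a wrong password.
     */
    protected boolean decryptAndMatch(ConnectionEnvironment connectionEnvironment, @NotNull MidPointPrincipal principal,
            ProtectedStringType stored, String entered) {
        ProtectedStringType enteredProtected = new ProtectedStringType();
        enteredProtected.setClearValue(entered);
        try {
            return this.protector.compareCleartext(enteredProtected, stored);
        } catch (SchemaException | EncryptionException e) {
            LOGGER.error("Error dealing with credentials of user \"{}\" credentials: {}", principal.getUsername(), e.getMessage());
            recordAuthenticationFailure(principal, connectionEnvironment, "error decrypting password: " + e.getMessage());
            throw new AuthenticationServiceException("web.security.provider.unavailable", e);
        }
    }

    /**
     * Returns the cleartext of a stored protected string: decrypts an encrypted value, or
     * returns the clear value (with a warning) when the value is not encrypted. A hashed-only
     * value has neither, so this presumably returns null in that case.
     * Decryption failures are audited and mapped to service unavailability.
     */
    protected String getDecryptedValue(ConnectionEnvironment connectionEnvironment, @NotNull MidPointPrincipal principal,
            ProtectedStringType stored) {
        if (stored.getEncryptedDataType() == null) {
            LOGGER.warn("Authenticating user based on clear value. Please check objects, this should not happen. Protected string should be encrypted.");
            return (String) stored.getClearValue();
        }
        try {
            return this.protector.decryptString(stored);
        } catch (EncryptionException e) {
            recordAuthenticationFailure(principal, connectionEnvironment, "error decrypting password: " + e.getMessage());
            throw new AuthenticationServiceException("web.security.provider.unavailable", e);
        }
    }

    /**
     * Cleartext-password accessor for {@link #getAndCheckUserPassword}. Identical to
     * {@link #getDecryptedValue}; previously a copy-pasted duplicate, now delegates.
     */
    private String getPassword(ConnectionEnvironment connectionEnvironment, @NotNull MidPointPrincipal principal,
            ProtectedStringType stored) {
        return getDecryptedValue(connectionEnvironment, principal, stored);
    }

    /**
     * Locked out = failed-attempt threshold reached AND the lockout has not expired.
     * With no policy or no threshold there is never a lockout.
     */
    private boolean isLockedOut(AbstractCredentialType credential, CredentialPolicyType policy) {
        return isOverFailedLockoutAttempts(credential, policy) && !isLockoutExpired(credential, policy);
    }

    private boolean isOverFailedLockoutAttempts(AbstractCredentialType credential, CredentialPolicyType policy) {
        int failed = credential.getFailedLogins() != null ? credential.getFailedLogins().intValue() : 0;
        return isOverFailedLockoutAttempts(failed, policy);
    }

    /** True only when the policy sets a positive {@code lockoutMaxFailedAttempts} and the count reached it. */
    private boolean isOverFailedLockoutAttempts(int failedLogins, CredentialPolicyType policy) {
        if (policy == null || policy.getLockoutMaxFailedAttempts() == null) {
            return false;
        }
        int max = policy.getLockoutMaxFailedAttempts().intValue();
        return max > 0 && failedLogins >= max;
    }

    /**
     * A lockout expires only when the policy defines {@code lockoutDuration}; without it the
     * lockout is permanent until an administrator resets it. If there is no last-failed-login
     * timestamp to measure from, the lockout is treated as expired.
     */
    private boolean isLockoutExpired(AbstractCredentialType credential, CredentialPolicyType policy) {
        Duration lockoutDuration = policy.getLockoutDuration();
        if (lockoutDuration == null) {
            return false;
        }
        LoginEventType lastFailed = credential.getLastFailedLogin();
        if (lastFailed == null || lastFailed.getTimestamp() == null) {
            return true;
        }
        return this.clock.isPast(XmlTypeConverter.addDuration(lastFailed.getTimestamp(), lockoutDuration));
    }

    /**
     * Persists the bookkeeping of a successful password login: resets {@code failedLogins},
     * rotates last/previous successful login (timestamp + remote address), clears the
     * activation lockout, and writes the success audit record.
     *
     * <p>{@code credential} must be the live instance inside {@code principal.getFocus()}: the
     * persisted delta is the diff between a clone taken before mutation and the focus afterwards,
     * so mutating a detached copy would persist nothing.
     */
    public void recordPasswordAuthenticationSuccess(MidPointPrincipal principal, ConnectionEnvironment connectionEnvironment, C credential) {
        FocusType before = principal.getFocus().clone();

        Integer failedLogins = credential.getFailedLogins();
        if (failedLogins != null && failedLogins.intValue() > 0) {
            credential.setFailedLogins(0);
        }

        LoginEventType event = new LoginEventType();
        event.setTimestamp(this.clock.currentTimeXMLGregorianCalendar());
        event.setFrom(connectionEnvironment.getRemoteHostAddress());
        credential.setPreviousSuccessfulLogin(credential.getLastSuccessfulLogin());
        credential.setLastSuccessfulLogin(event);

        ActivationType activation = principal.getFocus().getActivation();
        if (activation != null) {
            activation.setLockoutStatus(LockoutStatusType.NORMAL);
            activation.setLockoutExpirationTimestamp((XMLGregorianCalendar) null);
        }

        this.focusProfileService.updateFocus(principal, computeModifications(before, principal.getFocus()));
        recordAuthenticationSuccess(principal, connectionEnvironment);
    }

    private void recordAuthenticationSuccess(@NotNull MidPointPrincipal principal, @NotNull ConnectionEnvironment connectionEnvironment) {
        this.securityHelper.auditLoginSuccess(principal.getFocus(), connectionEnvironment);
    }

    /**
     * Persists the bookkeeping of a failed password login and audits it.
     *
     * <p>If the policy defines {@code lockoutFailedAttemptsDuration} and the previous failure is
     * older than that window, the counter restarts from zero before incrementing. When the
     * incremented counter reaches the policy threshold, the focus' activation is set to
     * {@code LOCKED} with an expiration of now + {@code lockoutDuration} (or no expiration when
     * the policy has no duration). Same live-instance requirement as
     * {@link #recordPasswordAuthenticationSuccess}.
     *
     * @param reason short audit reason, e.g. "password mismatch"
     */
    public void recordPasswordAuthenticationFailure(@NotNull MidPointPrincipal principal, @NotNull ConnectionEnvironment connectionEnvironment,
            @NotNull C credential, CredentialPolicyType policy, String reason) {
        FocusType before = principal.getFocus().clone();

        Integer failedLogins = credential.getFailedLogins();
        LoginEventType lastFailed = credential.getLastFailedLogin();
        XMLGregorianCalendar lastFailedAt = lastFailed != null ? lastFailed.getTimestamp() : null;

        if (policy != null && lastFailedAt != null) {
            Duration window = policy.getLockoutFailedAttemptsDuration();
            if (window != null && this.clock.isPast(XmlTypeConverter.addDuration(lastFailedAt, window))) {
                failedLogins = 0;
            }
        }
        Integer newCount = failedLogins == null ? 1 : Integer.valueOf(failedLogins.intValue() + 1);
        credential.setFailedLogins(newCount);

        LoginEventType event = new LoginEventType();
        event.setTimestamp(this.clock.currentTimeXMLGregorianCalendar());
        event.setFrom(connectionEnvironment.getRemoteHostAddress());
        credential.setLastFailedLogin(event);

        if (isOverFailedLockoutAttempts(newCount.intValue(), policy)) {
            ActivationType activation = principal.getFocus().getActivation();
            if (activation == null) {
                activation = new ActivationType();
                principal.getFocus().setActivation(activation);
            }
            activation.setLockoutStatus(LockoutStatusType.LOCKED);
            // isOverFailedLockoutAttempts() returned true, so policy is non-null here.
            Duration lockoutDuration = policy.getLockoutDuration();
            XMLGregorianCalendar expiration = lockoutDuration != null
                    ? XmlTypeConverter.addDuration(event.getTimestamp(), lockoutDuration)
                    : null;
            activation.setLockoutExpirationTimestamp(expiration);
        }

        this.focusProfileService.updateFocus(principal, computeModifications(before, principal.getFocus()));
        recordAuthenticationFailure(principal, connectionEnvironment, reason);
    }

    /** Audits a failure for a resolved principal (focus attached to the audit record). */
    protected void recordAuthenticationFailure(@NotNull MidPointPrincipal principal, ConnectionEnvironment connectionEnvironment, String reason) {
        this.securityHelper.auditLoginFailure(principal.getUsername(), principal.getFocus(), connectionEnvironment, reason);
    }

    /** Audits a failure when no principal could be resolved (username only, no focus). */
    protected void recordAuthenticationFailure(String username, ConnectionEnvironment connectionEnvironment, String reason) {
        this.securityHelper.auditLoginFailure(username, null, connectionEnvironment, reason);
    }

    /**
     * Literal diff of the pre-mutation focus against the mutated one; only a MODIFY delta is
     * expected (same OID on both sides), which is enforced by assertion.
     */
    private Collection<? extends ItemDelta<?, ?>> computeModifications(@NotNull FocusType before, @NotNull FocusType after) {
        ObjectDelta diff = before.asPrismObject().diff(after.asPrismObject(), ParameterizedEquivalenceStrategy.LITERAL);
        assert diff.isModify();
        return diff.getModifications();
    }
}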
