package com.evolveum.midpoint.model.impl.security;

import com.evolveum.midpoint.model.api.authentication.NodeAuthenticationEvaluator;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.crypto.EncryptionException;
import com.evolveum.midpoint.prism.crypto.Protector;
import com.evolveum.midpoint.prism.query.ObjectQuery;
import com.evolveum.midpoint.repo.api.RepositoryService;
import com.evolveum.midpoint.schema.constants.SchemaConstants;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.security.api.ConnectionEnvironment;
import com.evolveum.midpoint.task.api.TaskManager;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.logging.LoggingUtils;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.NodeOperationalStateType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.NodeType;
import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.stream.Collectors;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

@Component
/* loaded from: input_file:com/evolveum/midpoint/model/impl/security/NodeAuthenticationEvaluatorImpl.class */
public class NodeAuthenticationEvaluatorImpl implements NodeAuthenticationEvaluator {

    @Autowired
    @Qualifier("cacheRepositoryService")
    private RepositoryService repositoryService;

    @Autowired
    private TaskManager taskManager;

    @Autowired
    private SecurityHelper securityHelper;

    @Autowired
    private Protector protector;
    private static final Trace LOGGER;
    private static final String OPERATION_SEARCH_NODE;
    static final /* synthetic */ boolean $assertionsDisabled;

    public boolean authenticate(@Nullable String str, String str2, @NotNull String str3, String str4) {
        LOGGER.debug("Checking if {} ({}) is a known node", str, str2);
        OperationResult operationResult = new OperationResult(OPERATION_SEARCH_NODE);
        ConnectionEnvironment create = ConnectionEnvironment.create(SchemaConstants.CHANNEL_REST_URI);
        try {
            List<PrismObject<NodeType>> matchingNodes = getMatchingNodes(this.repositoryService.searchObjects(NodeType.class, (ObjectQuery) null, (Collection) null, operationResult), str, str2);
            if (matchingNodes.isEmpty()) {
                LOGGER.debug("Authenticity cannot be established: No matching nodes for remote name '{}' and remote address '{}'", str, str2);
            } else if (matchingNodes.size() > 1 && !this.taskManager.isLocalNodeClusteringEnabled()) {
                LOGGER.debug("Authenticity cannot be established: More than one matching node for remote name '{}' and remote address '{}' with local-node clustering disabled: {}", new Object[]{str, str2, matchingNodes});
            } else {
                if (!$assertionsDisabled && matchingNodes.size() != 1 && (matchingNodes.size() <= 1 || !this.taskManager.isLocalNodeClusteringEnabled())) {
                    throw new AssertionError();
                }
                LOGGER.trace("Matching result: Node(s) {} recognized as known (remote host name {} or IP address {} matched).", new Object[]{matchingNodes, str, str2});
                PrismObject<NodeType> prismObject = null;
                Iterator<PrismObject<NodeType>> it = matchingNodes.iterator();
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    PrismObject<NodeType> next = it.next();
                    ProtectedStringType secret = next.asObjectable().getSecret();
                    if (secret != null) {
                        try {
                            if (str3.equals(this.protector.decryptString(secret))) {
                                LOGGER.debug("Node secret matches for {}", next);
                                prismObject = next;
                                break;
                            }
                            LOGGER.debug("Node secret does not match for {}", next);
                        } catch (EncryptionException e) {
                            LoggingUtils.logUnexpectedException(LOGGER, "Couldn't decrypt node secret for {}", e, new Object[]{next});
                        }
                    } else {
                        LOGGER.debug("No secret known for node {}", next);
                    }
                }
                if (prismObject != null) {
                    LOGGER.trace("Established authenticity for remote {}", prismObject);
                    SecurityContextHolder.getContext().setAuthentication(new NodeAuthenticationToken(prismObject, str2, Collections.emptyList()));
                    this.securityHelper.auditLoginSuccess((NodeType) prismObject.asObjectable(), create);
                    return true;
                }
                LOGGER.debug("Authenticity for {} couldn't be established: none of the secrets match", matchingNodes);
            }
        } catch (RuntimeException | SchemaException e2) {
            LOGGER.error("Unhandled exception when listing nodes");
            LoggingUtils.logUnexpectedException(LOGGER, "Unhandled exception when listing nodes", e2, new Object[0]);
        }
        this.securityHelper.auditLoginFailure(str != null ? str : str2, null, create, "Failed to authenticate node.");
        return false;
    }

    private List<PrismObject<NodeType>> getMatchingNodes(List<PrismObject<NodeType>> list, String str, String str2) {
        LOGGER.trace("Selecting matching node(s) for remote name '{}' and remote address '{}'", str, str2);
        ArrayList arrayList = new ArrayList();
        for (PrismObject<NodeType> prismObject : list) {
            NodeType asObjectable = prismObject.asObjectable();
            if (asObjectable.getOperationalState() == NodeOperationalStateType.DOWN) {
                LOGGER.trace("Skipping {} because it has operationalState=DOWN", asObjectable);
            } else if (str != null && str.equalsIgnoreCase(asObjectable.getHostname())) {
                LOGGER.trace("The node {} was recognized as a known node (remote host name {} matched).", asObjectable.getName(), asObjectable.getHostname());
                arrayList.add(prismObject);
            } else if (asObjectable.getIpAddress().contains(str2)) {
                LOGGER.trace("The node {} was recognized as a known node (remote host address {} matched).", asObjectable.getName(), str2);
                arrayList.add(prismObject);
            }
        }
        if (arrayList.size() > 1) {
            List<PrismObject<NodeType>> list2 = (List) arrayList.stream().filter(prismObject2 -> {
                return this.taskManager.isCheckingIn(prismObject2.asObjectable());
            }).collect(Collectors.toList());
            LOGGER.trace("Tried to eliminate nodes that are not checking in; found {} node(s) that are up: {}", Integer.valueOf(list2.size()), list2);
            if (list2.size() == 1) {
                return list2;
            }
        }
        return arrayList;
    }

    static {
        $assertionsDisabled = !NodeAuthenticationEvaluatorImpl.class.desiredAssertionStatus();
        LOGGER = TraceManager.getTrace(NodeAuthenticationEvaluatorImpl.class);
        OPERATION_SEARCH_NODE = NodeAuthenticationEvaluatorImpl.class.getName() + ".searchNode";
    }
}
