package com.evolveum.midpoint.authentication.impl.filter;

import com.evolveum.midpoint.authentication.api.AuthModule;
import com.evolveum.midpoint.authentication.api.AuthenticationChannel;
import com.evolveum.midpoint.authentication.api.RemoveUnusedSecurityFilterPublisher;
import com.evolveum.midpoint.authentication.api.config.MidpointAuthentication;
import com.evolveum.midpoint.authentication.api.util.AuthUtil;
import com.evolveum.midpoint.authentication.impl.MidpointProviderManager;
import com.evolveum.midpoint.authentication.impl.factory.channel.AuthChannelRegistryImpl;
import com.evolveum.midpoint.authentication.impl.factory.module.AuthModuleRegistryImpl;
import com.evolveum.midpoint.authentication.impl.module.authentication.ModuleAuthenticationImpl;
import com.evolveum.midpoint.authentication.impl.util.AuthSequenceUtil;
import com.evolveum.midpoint.authentication.impl.util.AuthenticationSequenceModuleCreator;
import com.evolveum.midpoint.model.api.ModelInteractionService;
import com.evolveum.midpoint.prism.PrismContext;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.repo.common.SystemObjectCache;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.util.SecurityPolicyUtil;
import com.evolveum.midpoint.task.api.TaskManager;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationSequenceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityPolicyType;
import jakarta.servlet.http.HttpServletRequest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.commons.lang3.StringUtils;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

/* loaded from: input_file:BOOT-INF/lib/authentication-impl-4.10-SNAPSHOT.jar:com/evolveum/midpoint/authentication/impl/filter/AuthenticationWrapper.class */
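/**
 * Per-request helper that resolves which security policy, authentication
 * sequence, channel and authentication modules apply to an incoming request,
 * and that can install a fresh {@link MidpointAuthentication} into the
 * Spring Security context.
 *
 * Lifecycle as visible here: {@link #create} populates the mutable fields
 * ({@code securityPolicy}, {@code authenticationsPolicy}, {@code credentialsPolicy},
 * {@code sequence}, {@code authenticationChannel}, {@code authModules}) for one
 * request. {@code authModulesOfSpecificSequences} and
 * {@code defaultAuthenticationPolicy} survive across calls, which suggests the
 * instance is long-lived and shared — NOTE(review): the non-final per-request
 * fields are not synchronized, so confirm with the caller that one instance is
 * never driven by two requests concurrently.
 *
 * Security-relevant behaviour to keep in mind when changing this class:
 * <ul>
 *   <li>A security policy that cannot be loaded or has no sequences degrades to
 *       the built-in default authentication policy rather than failing the request
 *       (see {@link #resolvePolicies}).</li>
 *   <li>{@link #isIgnoredLocalPath} matches configured Ant patterns against the
 *       request; callers presumably skip authentication for matches, so an overly
 *       broad pattern (e.g. {@code /**}) would expose everything.</li>
 * </ul>
 */
class AuthenticationWrapper {
    private static final Trace LOGGER = TraceManager.getTrace((Class<?>) AuthenticationWrapper.class);
    // CSPRNG for the fallback session identifier in buildMidPointAuthentication().
    // SecureRandom is thread-safe, so a single shared instance is sufficient.
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();
    private AuthenticationsPolicyType authenticationsPolicy;
    private List<AuthModule<?>> authModules;
    private AuthenticationChannel authenticationChannel;
    private final MidpointProviderManager authenticationManager;
    private final AuthModuleRegistryImpl authModuleRegistry;
    private final Map<Class<?>, Object> sharedObjects;
    private final RemoveUnusedSecurityFilterPublisher removeUnusedSecurityFilterPublisher;
    private final ModelInteractionService modelInteractionService;
    private final SystemObjectCache systemObjectCache;
    // Lazily built once; see getDefaultAuthenticationPolicy() for the caveat about the ignored-path list.
    private volatile AuthenticationsPolicyType defaultAuthenticationPolicy;
    private CredentialsPolicyType credentialsPolicy = null;
    private PrismObject<SecurityPolicyType> securityPolicy = null;
    private AuthenticationSequenceType sequence = null;
    // Cache of created modules keyed by sequence identifier; only consulted for cluster sequences.
    private final Map<String, List<AuthModule<?>>> authModulesOfSpecificSequences = new HashMap<>();

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Stores the collaborators; no work is done until {@link #create} is called.
     */
    public AuthenticationWrapper(MidpointProviderManager midpointProviderManager, AuthModuleRegistryImpl authModuleRegistryImpl, Map<Class<?>, Object> map, RemoveUnusedSecurityFilterPublisher removeUnusedSecurityFilterPublisher, SystemObjectCache systemObjectCache, ModelInteractionService modelInteractionService) {
        this.authenticationManager = midpointProviderManager;
        this.authModuleRegistry = authModuleRegistryImpl;
        this.sharedObjects = map;
        this.removeUnusedSecurityFilterPublisher = removeUnusedSecurityFilterPublisher;
        this.systemObjectCache = systemObjectCache;
        this.modelInteractionService = modelInteractionService;
    }

    /**
     * Resolves policy, sequence, channel and modules for {@code httpServletRequest},
     * in that order (each step reads the fields the previous one set).
     *
     * @param midpointAuthentication the authentication already in the security
     *        context, or {@code null} when there is none yet
     * @return {@code this}, for chaining
     * @throws IllegalArgumentException if the default authentication policy cannot be built
     */
    public AuthenticationWrapper create(MidpointAuthentication midpointAuthentication, HttpServletRequest httpServletRequest, TaskManager taskManager, AuthChannelRegistryImpl authChannelRegistryImpl) {
        resolvePolicies(midpointAuthentication, taskManager);
        initializeAuthenticationSequence(midpointAuthentication, httpServletRequest, taskManager);
        initializeAuthenticationChannel(authChannelRegistryImpl);
        initAuthenticationModule(midpointAuthentication, httpServletRequest);
        return this;
    }

    /**
     * Loads the security policy and derives the authentication and credentials
     * policies from it.
     *
     * A {@link SchemaException} while loading the security policy is logged and
     * processing continues with {@code securityPolicy == null}, which makes
     * {@link #getAuthenticationPolicy} return the built-in default policy.
     * NOTE(review): that means a broken custom policy silently falls back to the
     * default login configuration instead of rejecting requests — confirm this
     * fail-over is the intended behaviour.
     */
    private void resolvePolicies(MidpointAuthentication midpointAuthentication, TaskManager taskManager) {
        try {
            this.securityPolicy = resolveSecurityPolicy(midpointAuthentication, taskManager);
        } catch (SchemaException e) {
            LOGGER.error("Couldn't load security policy", (Throwable) e);
        }
        try {
            this.authenticationsPolicy = getAuthenticationPolicy(this.securityPolicy);
            this.credentialsPolicy = this.securityPolicy == null ? null : this.securityPolicy.asObjectable().getCredentials();
        } catch (SchemaException e2) {
            LOGGER.error("Couldn't get default authentication policy");
            throw new IllegalArgumentException("Couldn't get default authentication policy", e2);
        }
    }

    /**
     * Picks the most specific security policy available: the principal's own,
     * then the archetype's (if an archetype is defined), then the global one.
     */
    private PrismObject<SecurityPolicyType> resolveSecurityPolicy(MidpointAuthentication midpointAuthentication, TaskManager taskManager) throws SchemaException {
        SecurityPolicyType resolved = null;
        if (midpointAuthentication != null) {
            resolved = midpointAuthentication.resolveSecurityPolicyForPrincipal();
            if (resolved == null && midpointAuthentication.isArchetypeDefined()) {
                resolved = loadSecurityPolicyForArchetype(midpointAuthentication.getArchetypeOid(), taskManager);
            }
        }
        if (resolved == null) {
            return getGlobalSecurityPolicy();
        }
        return resolved.asPrismObject();
    }

    /**
     * Loads the archetype-specific security policy, or returns {@code null} on any
     * failure so the caller falls back to the global policy. The failure is logged
     * at debug level together with the exception; this is best-effort by design.
     */
    private SecurityPolicyType loadSecurityPolicyForArchetype(String str, TaskManager taskManager) {
        try {
            return this.modelInteractionService.getSecurityPolicyForArchetype(str, taskManager.createTaskInstance("loadSecurityPolicyForArchetype"), new OperationResult("loadSecurityPolicyForArchetype"));
        } catch (Exception e) {
            LOGGER.debug("Couldn't load security policy for archetype", (Throwable) e);
            return null;
        }
    }

    /**
     * Returns the configured authentication policy, or the built-in default when
     * there is no security policy, no {@code authentication} element, or no
     * sequences configured. In the last case the configured ignored local paths
     * are still honoured by the default policy.
     */
    private AuthenticationsPolicyType getAuthenticationPolicy(PrismObject<SecurityPolicyType> prismObject) throws SchemaException {
        if (prismObject == null || prismObject.asObjectable().getAuthentication() == null) {
            return getDefaultAuthenticationPolicy(SecurityPolicyUtil.NO_CUSTOM_IGNORED_LOCAL_PATH);
        }
        AuthenticationsPolicyType configured = prismObject.asObjectable().getAuthentication();
        if (configured.getSequence() == null || configured.getSequence().isEmpty()) {
            return getDefaultAuthenticationPolicy(configured.getIgnoredLocalPath());
        }
        return configured;
    }

    /**
     * Builds the default authentication policy once and caches it.
     *
     * NOTE(review): the cache is keyed on nothing, so the {@code list} of ignored
     * local paths passed on the first call is the one baked into the policy for
     * the lifetime of this instance; later calls with a different list get the
     * cached policy. Confirm this is acceptable (e.g. the policy never changes
     * at runtime) or key the cache on the list.
     */
    private AuthenticationsPolicyType getDefaultAuthenticationPolicy(List<String> list) throws SchemaException {
        if (this.defaultAuthenticationPolicy == null) {
            this.defaultAuthenticationPolicy = SecurityPolicyUtil.createDefaultAuthenticationPolicy(list, PrismContext.get().getSchemaRegistry());
        }
        return this.defaultAuthenticationPolicy;
    }

    /** The system-wide security policy from the object cache. */
    private PrismObject<SecurityPolicyType> getGlobalSecurityPolicy() throws SchemaException {
        return this.systemObjectCache.getSecurityPolicy();
    }

    /** Identifier of the resolved sequence (delegates null handling to {@link AuthSequenceUtil}). */
    public String getSequenceIdentifier() {
        return AuthSequenceUtil.getAuthSequenceIdentifier(this.sequence);
    }

    /**
     * Whether the request matches one of the policy's ignored local paths
     * (Ant-style patterns). Returns {@code false} when no policy or no patterns
     * are configured.
     *
     * Callers presumably bypass authentication for matching requests, so every
     * configured pattern widens the unauthenticated surface.
     */
    public boolean isIgnoredLocalPath(HttpServletRequest httpServletRequest) {
        if (this.authenticationsPolicy == null) {
            return false;
        }
        List<String> ignoredPaths = this.authenticationsPolicy.getIgnoredLocalPath();
        if (ignoredPaths.isEmpty()) {
            return false;
        }
        for (String pattern : ignoredPaths) {
            if (new AntPathRequestMatcher(pattern).matches(httpServletRequest)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Resolves {@code this.sequence}.
     *
     * Outside the login page (or with no existing authentication) the sequence is
     * chosen purely by request path. On the login page with an existing
     * authentication, the sequence recorded in that authentication is preferred,
     * unless the request's channel differs from the authentication's channel and
     * no path-based sequence exists, in which case the sequence is left unset.
     *
     * Finally, if an authenticated user is switching to a different sequence on
     * the same channel, the current session is flagged for internal logout and
     * the user's existing sequence is kept for this request.
     */
    private void initializeAuthenticationSequence(MidpointAuthentication midpointAuthentication, HttpServletRequest httpServletRequest, TaskManager taskManager) {
        if (midpointAuthentication == null || !AuthSequenceUtil.isLoginPage(httpServletRequest)) {
            this.sequence = AuthSequenceUtil.getSequenceByPath(httpServletRequest, this.authenticationsPolicy, taskManager.getLocalNodeGroups());
        } else {
            AuthenticationChannel currentChannel = midpointAuthentication.getAuthenticationChannel();
            boolean channelMismatch = currentChannel != null
                    && !currentChannel.getChannelId().equals(AuthSequenceUtil.findChannelByRequest(httpServletRequest));
            if (channelMismatch
                    && AuthSequenceUtil.getSequenceByPath(httpServletRequest, this.authenticationsPolicy, taskManager.getLocalNodeGroups()) == null) {
                return;
            }
            String sequenceIdentifier = midpointAuthentication.getSequenceIdentifier();
            if (StringUtils.isNotBlank(sequenceIdentifier)) {
                this.sequence = this.authenticationsPolicy.getSequence().stream()
                        .filter(candidate -> sequenceIdentifier.equals(candidate.getIdentifier()))
                        .findFirst()
                        .orElse(null);
            }
            if (this.sequence == null) {
                this.sequence = midpointAuthentication.getSequence();
            }
        }
        if (this.sequence == null || !isEqualChannelIdForAuthenticatedUser(midpointAuthentication, httpServletRequest)) {
            return;
        }
        changeLogoutToNewSequence(midpointAuthentication, httpServletRequest);
        this.sequence = midpointAuthentication.getSequence();
    }

    /** Builds the channel for the resolved sequence; must run after the sequence is resolved. */
    private void initializeAuthenticationChannel(AuthChannelRegistryImpl authChannelRegistryImpl) {
        this.authenticationChannel = AuthSequenceUtil.buildAuthChannel(authChannelRegistryImpl, this.sequence);
    }

    /**
     * True when an authenticated user is moving to a different sequence that runs
     * on the same channel as their current authentication: the new sequence's
     * channel matches the authentication's channel, or the request's channel
     * equals the authentication's channel id.
     *
     * Assumes {@code midpointAuthentication.getAuthenticationChannel()} is non-null
     * once the user is authenticated (the original code made the same assumption).
     */
    private boolean isEqualChannelIdForAuthenticatedUser(MidpointAuthentication midpointAuthentication, HttpServletRequest httpServletRequest) {
        if (midpointAuthentication == null) {
            return false;
        }
        if (sequenceIdentifiersMatch(midpointAuthentication.getSequence(), this.sequence)) {
            return false;
        }
        if (!midpointAuthentication.isAuthenticated()) {
            return false;
        }
        AuthenticationChannel currentChannel = midpointAuthentication.getAuthenticationChannel();
        boolean newSequenceOnCurrentChannel = this.sequence != null
                && this.sequence.getChannel() != null
                && currentChannel.matchChannel(this.sequence);
        if (newSequenceOnCurrentChannel) {
            return true;
        }
        return currentChannel.getChannelId().equals(AuthSequenceUtil.findChannelByRequest(httpServletRequest));
    }

    /**
     * When the request hits the base path of the new sequence, records that path
     * as the post-logout target and flags the currently authenticated module for
     * internal logout.
     */
    private void changeLogoutToNewSequence(MidpointAuthentication midpointAuthentication, HttpServletRequest httpServletRequest) {
        if (!AuthSequenceUtil.isBasePathForSequence(httpServletRequest, this.sequence)) {
            return;
        }
        midpointAuthentication.getAuthenticationChannel().setPathAfterLogout(httpServletRequest.getServletPath());
        ModuleAuthenticationImpl authenticatedModule = (ModuleAuthenticationImpl) AuthUtil.getAuthenticatedModule();
        if (authenticatedModule != null) {
            authenticatedModule.setInternalLogout(true);
        }
    }

    /** Whether {@code authenticationSequenceType} has the same identifier as the resolved sequence. */
    public boolean sequenceIdentifiersMatch(AuthenticationSequenceType authenticationSequenceType) {
        return sequenceIdentifiersMatch(this.sequence, authenticationSequenceType);
    }

    /**
     * Identifier equality of two sequences; a {@code null} identifier on the first
     * never matches (so two unidentified sequences are not considered equal).
     */
    private boolean sequenceIdentifiersMatch(AuthenticationSequenceType authenticationSequenceType, AuthenticationSequenceType authenticationSequenceType2) {
        String firstIdentifier = AuthSequenceUtil.getAuthSequenceIdentifier(authenticationSequenceType);
        if (firstIdentifier == null) {
            return false;
        }
        return StringUtils.equals(firstIdentifier, AuthSequenceUtil.getAuthSequenceIdentifier(authenticationSequenceType2));
    }

    /**
     * Sets {@code this.authModules}.
     *
     * Non-cluster requests always (re)create modules via
     * {@link #createAuthenticationModuleBySequence}. Cluster requests reuse the
     * per-sequence cache and re-install the cached modules' providers into the
     * provider manager.
     *
     * NOTE(review): the provider list is cleared inside the loop, so if more than
     * one cached module carries providers only the last module's providers
     * survive. This is presumably fine because a cluster sequence has a single
     * module — confirm, or hoist the {@code clear()} above the loop.
     */
    private void initAuthenticationModule(MidpointAuthentication midpointAuthentication, HttpServletRequest httpServletRequest) {
        if (!AuthSequenceUtil.isClusterSequence(httpServletRequest)) {
            this.authModules = createAuthenticationModuleBySequence(midpointAuthentication, httpServletRequest);
            return;
        }
        String identifier = getSequenceIdentifier();
        if (!this.authModulesOfSpecificSequences.containsKey(identifier)) {
            this.authModules = createAuthenticationModuleBySequence(midpointAuthentication, httpServletRequest);
            this.authModulesOfSpecificSequences.put(identifier, this.authModules);
            return;
        }
        this.authModules = this.authModulesOfSpecificSequences.get(identifier);
        if (this.authModules == null) {
            return;
        }
        for (AuthModule<?> module : this.authModules) {
            List<AuthenticationProvider> providers = module.getAuthenticationProviders();
            if (providers != null) {
                this.authenticationManager.getProviders().clear();
                this.authenticationManager.getProviders().addAll(providers);
            }
        }
    }

    /**
     * Returns the modules for the resolved sequence.
     *
     * Modules are rebuilt (and the provider manager reset) when the sequence
     * differs from the one in the existing authentication, when the module count
     * differs, or when an archetype OID is set; otherwise the modules already held
     * by the authentication are reused. When the sequence differs the existing
     * security context is cleared, because its state belongs to another sequence.
     *
     * Relies on {@code midpointAuthentication} being non-null whenever the
     * sequence identifiers match (a {@code null} authentication never matches).
     */
    private List<AuthModule<?>> createAuthenticationModuleBySequence(MidpointAuthentication midpointAuthentication, HttpServletRequest httpServletRequest) {
        boolean differentSequence = processingDifferentAuthenticationSequence(midpointAuthentication, this.sequence);
        boolean rebuild = differentSequence
                || this.sequence.getModule().size() != midpointAuthentication.getSequence().getModule().size()
                || StringUtils.isNotEmpty(midpointAuthentication.getArchetypeOid());
        if (!rebuild) {
            return midpointAuthentication.getAuthModules();
        }
        this.authenticationManager.getProviders().clear();
        List<AuthModule<?>> created = new AuthenticationSequenceModuleCreator(this.authModuleRegistry, this.sequence, httpServletRequest, this.authenticationsPolicy.getModules(), this.authenticationChannel)
                .credentialsPolicy(this.credentialsPolicy)
                .sharedObjects(this.sharedObjects)
                .create();
        if (differentSequence) {
            clearAuthentication(httpServletRequest);
        }
        updateMidpointAuthenticationModules(this.sequence, created, midpointAuthentication);
        return created;
    }

    /** True when there is no authentication yet or its sequence differs from {@code authenticationSequenceType}. */
    private boolean processingDifferentAuthenticationSequence(MidpointAuthentication midpointAuthentication, AuthenticationSequenceType authenticationSequenceType) {
        if (midpointAuthentication == null) {
            return true;
        }
        return !sequenceIdentifiersMatch(authenticationSequenceType, midpointAuthentication.getSequence());
    }

    /** Records the newly created modules and sequence on the existing authentication, if any. */
    private void updateMidpointAuthenticationModules(AuthenticationSequenceType authenticationSequenceType, List<AuthModule<?>> list, MidpointAuthentication midpointAuthentication) {
        if (midpointAuthentication == null) {
            return;
        }
        midpointAuthentication.setAuthModules(list);
        midpointAuthentication.setSequence(authenticationSequenceType);
    }

    /**
     * Drops the current authentication from the security context. Outside cluster
     * sequences an existing {@link MidpointAuthentication} is first restarted and
     * its modules published for filter cleanup.
     */
    private void clearAuthentication(HttpServletRequest httpServletRequest) {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        boolean clusterRequest = AuthSequenceUtil.isClusterSequence(httpServletRequest);
        if (!clusterRequest && current instanceof MidpointAuthentication) {
            MidpointAuthentication existing = (MidpointAuthentication) current;
            this.removeUnusedSecurityFilterPublisher.publishCustomEvent(existing.getAuthModules());
            existing.restart();
        }
        SecurityContextHolder.getContext().setAuthentication(null);
    }

    public PrismObject<SecurityPolicyType> getSecurityPolicy() {
        return this.securityPolicy;
    }

    public AuthenticationSequenceType getSequence() {
        return this.sequence;
    }

    public List<AuthModule<?>> getAuthModules() {
        return this.authModules;
    }

    public AuthenticationChannel getAuthenticationChannel() {
        return this.authenticationChannel;
    }

    /**
     * Creates a fresh {@link MidpointAuthentication} for the resolved sequence and
     * installs it into the security context, replacing whatever was there.
     *
     * The session id is taken from the existing HTTP session; when there is none
     * a 30-character upper-case alphanumeric id is generated. That fallback id is
     * now drawn from {@link SecureRandom}: the previous {@code RandomStringUtils.random}
     * call used a non-cryptographic PRNG, and an identifier attached to an
     * authentication object should not be predictable even if nothing visible
     * here relies on its secrecy.
     *
     * Expects {@code authModules} to be non-empty; an empty list makes
     * {@code get(0)} throw, as in the original code.
     */
    public void buildMidPointAuthentication(HttpServletRequest httpServletRequest) {
        MidpointAuthentication freshAuthentication = new MidpointAuthentication(this.sequence);
        freshAuthentication.setSharedObjects(this.sharedObjects);
        freshAuthentication.setAuthModules(this.authModules);
        freshAuthentication.setAuthenticationChannel(this.authenticationChannel);
        String sessionId;
        if (httpServletRequest.getSession(false) != null) {
            sessionId = httpServletRequest.getSession(false).getId();
        } else {
            // Same alphabet as before (letters + digits, upper-cased), but CSPRNG-backed.
            sessionId = RandomStringUtils.random(30, 0, 0, true, true, null, SECURE_RANDOM).toUpperCase();
        }
        freshAuthentication.setSessionId(sessionId);
        freshAuthentication.addAuthentication(this.authModules.get(0).getBaseModuleAuthentication());
        clearAuthentication(httpServletRequest);
        SecurityContextHolder.getContext().setAuthentication(freshAuthentication);
    }
}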
