package com.evolveum.midpoint.model.impl.security;

import com.evolveum.midpoint.model.api.authentication.GuiProfiledPrincipal;
import com.evolveum.midpoint.model.api.authentication.GuiProfiledPrincipalManager;
import com.evolveum.midpoint.schema.constants.SchemaConstants;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.security.api.AuthorizationConstants;
import com.evolveum.midpoint.security.api.ConnectionEnvironment;
import com.evolveum.midpoint.security.enforcer.api.AuthorizationParameters;
import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.task.api.TaskManager;
import com.evolveum.midpoint.util.QNameUtil;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPMessage;
import org.apache.commons.lang.StringUtils;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.phase.PhaseInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.ws.commons.schema.utils.DOMUtil;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;

/* loaded from: input_file:WEB-INF/lib/model-impl-4.2-SNAPSHOT.jar:com/evolveum/midpoint/model/impl/security/SpringAuthenticationInjectorInterceptor.class */
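/**
 * Web-service authentication and authorization interceptor.
 * <p>
 * Runs in the {@link Phase#PRE_PROTOCOL} phase after {@link WSS4JInInterceptor} (see the
 * constructor): it reads the username the WS-Security layer left in the message, resolves it to a
 * {@link GuiProfiledPrincipal}, installs that principal into the Spring
 * {@link SecurityContextHolder}, and then verifies that the caller holds either the global
 * web-service authorization ({@link AuthorizationConstants#AUTZ_WS_ALL_URL}) or the authorization
 * for the specific operation named by the SOAP body's root element.
 * <p>
 * Every denial path records a login failure through {@link SecurityHelper#auditLoginFailure} and
 * sets {@link SecurityHelper#CONTEXTUAL_PROPERTY_AUDITED_NAME} on the message before the
 * {@link Fault} is raised — presumably so that a later handler does not audit the same request a
 * second time (confirm against {@code SecurityHelper}).
 * <p>
 * NOTE(review): the authentication is placed into the security context before the authorization
 * checks run and is not removed when those checks fail; {@link #handleFault} is a no-op. Whether a
 * downstream interceptor relies on the populated context is not visible from this class.
 */
public class SpringAuthenticationInjectorInterceptor implements PhaseInterceptor<SoapMessage> {
    private static final String OPERATION_AUTHORIZATION = SpringAuthenticationInjectorInterceptor.class.getName() + ".authorization";
    private static final Trace LOGGER = TraceManager.getTrace(SpringAuthenticationInjectorInterceptor.class);

    private final GuiProfiledPrincipalManager guiProfiledPrincipalManager;
    private final SecurityEnforcer securityEnforcer;
    private final SecurityHelper securityHelper;
    private final TaskManager taskManager;
    private final Set<String> before = new HashSet<>();
    private final Set<String> after = new HashSet<>();
    private final String id = getClass().getName();
    private final String phase = Phase.PRE_PROTOCOL;

    /**
     * Creates the interceptor and orders it after {@link WSS4JInInterceptor}, so that the
     * WS-Security processing has already happened by the time {@link #handleMessage} runs.
     *
     * @param guiProfiledPrincipalManager resolves usernames to principals
     * @param securityEnforcer evaluates authorizations
     * @param securityHelper SOAP/username extraction and login-failure auditing
     * @param taskManager used to create the task under which authorization is evaluated
     */
    public SpringAuthenticationInjectorInterceptor(GuiProfiledPrincipalManager guiProfiledPrincipalManager, SecurityEnforcer securityEnforcer, SecurityHelper securityHelper, TaskManager taskManager) {
        this.guiProfiledPrincipalManager = guiProfiledPrincipalManager;
        this.securityEnforcer = securityEnforcer;
        this.securityHelper = securityHelper;
        this.taskManager = taskManager;
        this.after.add(WSS4JInInterceptor.class.getName());
    }

    @Override // org.apache.cxf.phase.PhaseInterceptor
    public Set<String> getAfter() {
        return after;
    }

    @Override // org.apache.cxf.phase.PhaseInterceptor
    public Set<String> getBefore() {
        return before;
    }

    @Override // org.apache.cxf.phase.PhaseInterceptor
    public String getId() {
        return id;
    }

    @Override // org.apache.cxf.phase.PhaseInterceptor
    public String getPhase() {
        return phase;
    }

    /** No extra interceptors are contributed; CXF accepts {@code null} here. */
    @Override // org.apache.cxf.phase.PhaseInterceptor
    public Collection<PhaseInterceptor<? extends Message>> getAdditionalInterceptors() {
        return null;
    }

    /**
     * Authenticates and authorizes the incoming request.
     *
     * @param soapMessage the CXF message; on every denial it is marked as audited
     * @throws Fault when the message cannot be read, the username is missing or unknown, the
     *         principal cannot be resolved, or the caller is not authorized
     */
    @Override // org.apache.cxf.interceptor.Interceptor
    public void handleMessage(SoapMessage soapMessage) throws Fault {
        // Trace level only: the raw message may include the WS-Security header.
        LOGGER.trace("Intercepted message: {}", soapMessage);
        SOAPMessage saajMessage = securityHelper.getSOAPMessage(soapMessage);
        if (saajMessage == null) {
            LOGGER.error("No soap message in handler");
            throw createFault(WSSecurityException.ErrorCode.FAILURE);
        }
        ConnectionEnvironment connEnv = ConnectionEnvironment.create(SchemaConstants.CHANNEL_WEB_SERVICE_URI);
        String username = null;
        try {
            username = securityHelper.getUsernameFromMessage(saajMessage);
            LOGGER.trace("Attempt to authenticate user '{}'", username);
            if (StringUtils.isBlank(username)) {
                auditDenial(soapMessage, username, null, connEnv, "Empty username");
                throw createFault(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
            }

            // ObjectNotFoundException deliberately propagates to the outer catch ("No user").
            GuiProfiledPrincipal principal;
            try {
                principal = guiProfiledPrincipalManager.getPrincipal(username, UserType.class);
            } catch (ExpressionEvaluationException e) {
                throw principalLookupFault(soapMessage, username, connEnv, "Expression error", e);
            } catch (SecurityViolationException e) {
                throw principalLookupFault(soapMessage, username, connEnv, "Security violation", e);
            } catch (CommunicationException e) {
                throw principalLookupFault(soapMessage, username, connEnv, "Communication error", e);
            } catch (ConfigurationException e) {
                throw principalLookupFault(soapMessage, username, connEnv, "Configuration error", e);
            } catch (SchemaException e) {
                throw principalLookupFault(soapMessage, username, connEnv, "Schema error", e);
            }
            LOGGER.trace("Principal: {}", principal);
            if (principal == null) {
                auditDenial(soapMessage, username, null, connEnv, "No user");
                throw createFault(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
            }

            // The two-argument token constructor yields a token Spring does not flag as
            // authenticated; the WS-Security layer ahead of this interceptor is what vouched
            // for the caller. Set before authorization and not cleared on denial (see class doc).
            SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(principal, null));

            try {
                // The operation name is the local name of the body's root element.
                String operationName = DOMUtil.getFirstChildElement(saajMessage.getSOAPBody()).getLocalName();
                authorize(soapMessage, username, principal, connEnv, operationName);
            } catch (SOAPException e) {
                LOGGER.debug("Access to web service denied for user '{}': SOAP error: {}", username, e.getMessage(), e);
                auditDenial(soapMessage, username, principal, connEnv, "SOAP error: " + e.getMessage());
                throw new Fault(e);
            }
        } catch (ObjectNotFoundException e) {
            LOGGER.debug("Access to web service denied for user '{}': object not found: {}", username, e.getMessage(), e);
            auditDenial(soapMessage, username, null, connEnv, "No user");
            throw createFault(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        } catch (WSSecurityException e) {
            LOGGER.debug("Access to web service denied for user '{}': security exception: {}", username, e.getMessage(), e);
            auditDenial(soapMessage, username, null, connEnv, "Security exception: " + e.getMessage());
            throw new Fault(e, e.getFaultCode());
        }
    }

    /**
     * Checks the global web-service authorization first and, only if that is not granted, the
     * per-operation authorization derived from {@code operationName}. Denials and failures of the
     * check itself are audited and converted to a {@link Fault}.
     *
     * @param soapMessage message to mark as audited
     * @param username caller's username (for logging and audit)
     * @param principal resolved principal; its focus is attached to the audit record
     * @param connEnv connection environment for the audit record
     * @param operationName local name of the SOAP body's root element
     * @throws Fault with {@code FAILED_AUTHENTICATION} when not authorized, {@code FAILURE} when
     *         the authorization check itself fails
     */
    private void authorize(SoapMessage soapMessage, String username, GuiProfiledPrincipal principal,
            ConnectionEnvironment connEnv, String operationName) {
        Task task = taskManager.createTaskInstance(OPERATION_AUTHORIZATION);
        OperationResult result = task.getResult();
        boolean authorized;
        try {
            authorized = securityEnforcer.isAuthorized(AuthorizationConstants.AUTZ_WS_ALL_URL, AuthorizationPhaseType.REQUEST, AuthorizationParameters.EMPTY, null, task, result);
            LOGGER.trace("Determined authorization for web service access (action: {}): {}", AuthorizationConstants.AUTZ_WS_ALL_URL, authorized);
            if (!authorized) {
                String operationUri = QNameUtil.qNameToUri(new QName(AuthorizationConstants.NS_AUTHORIZATION_WS, operationName));
                authorized = securityEnforcer.isAuthorized(operationUri, AuthorizationPhaseType.REQUEST, AuthorizationParameters.EMPTY, null, task, result);
                LOGGER.trace("Determined authorization for web service operation {} (action: {}): {}", operationName, operationUri, authorized);
            }
        } catch (CommunicationException | ConfigurationException | ExpressionEvaluationException | ObjectNotFoundException | SchemaException | SecurityViolationException e) {
            // Any failure of the check is treated as a denial; the message no longer claims
            // "schema error" for non-schema exceptions.
            LOGGER.debug("Access to web service denied for user '{}': internal error: {}", username, e.getMessage(), e);
            auditDenial(soapMessage, username, principal, connEnv, "Internal error: " + e.getMessage());
            throw createFault(WSSecurityException.ErrorCode.FAILURE);
        }
        if (authorized) {
            // Marked as audited on success as well — presumably the login-success audit happens
            // elsewhere in the pipeline; confirm against SecurityHelper.
            soapMessage.put(SecurityHelper.CONTEXTUAL_PROPERTY_AUDITED_NAME, Boolean.TRUE);
            LOGGER.debug("Access to web service allowed for user '{}'", username);
        } else {
            LOGGER.debug("Access to web service denied for user '{}': not authorized", username);
            auditDenial(soapMessage, username, principal, connEnv, "Not authorized");
            throw createFault(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
    }

    /**
     * Logs and audits a principal-lookup failure and returns the {@link Fault} to throw.
     *
     * @param kind short description of the failure class, used as the audit message prefix
     * @param cause the underlying exception, wrapped into the returned fault
     */
    private Fault principalLookupFault(SoapMessage soapMessage, String username,
            ConnectionEnvironment connEnv, String kind, Exception cause) {
        LOGGER.debug("Access to web service denied for user '{}': {}: {}", username, kind, cause.getMessage(), cause);
        auditDenial(soapMessage, username, null, connEnv, kind + ": " + cause.getMessage());
        return new Fault(cause);
    }

    /**
     * Marks the message as audited and records a failed login for {@code username}.
     *
     * @param principal the resolved principal, or {@code null} when none was resolved; its focus
     *        (if any) is attached to the audit record
     * @param reason free-text reason stored with the audit record (must not contain secrets)
     */
    private void auditDenial(SoapMessage soapMessage, String username, GuiProfiledPrincipal principal,
            ConnectionEnvironment connEnv, String reason) {
        soapMessage.put(SecurityHelper.CONTEXTUAL_PROPERTY_AUDITED_NAME, Boolean.TRUE);
        securityHelper.auditLoginFailure(username, principal == null ? null : principal.getFocus(), connEnv, reason);
    }

    /** Builds a WS-Security fault carrying {@code errorCode} and its fault-code QName. */
    private Fault createFault(WSSecurityException.ErrorCode errorCode) {
        return new Fault(new WSSecurityException(errorCode), errorCode.getQName());
    }

    /** Intentionally empty: faults raised by this interceptor are already audited at the throw site. */
    @Override // org.apache.cxf.interceptor.Interceptor
    public void handleFault(SoapMessage soapMessage) {
    }
}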
