package com.evolveum.midpoint.authentication.impl.evaluator;

import com.evolveum.midpoint.authentication.api.config.MidpointAuthentication;
import com.evolveum.midpoint.authentication.api.evaluator.AuthenticationEvaluator;
import com.evolveum.midpoint.authentication.api.evaluator.context.AbstractAuthenticationContext;
import com.evolveum.midpoint.authentication.api.evaluator.context.PreAuthenticationContext;
import com.evolveum.midpoint.authentication.api.util.AuthUtil;
import com.evolveum.midpoint.common.Clock;
import com.evolveum.midpoint.model.api.util.AuthenticationEvaluatorUtil;
import com.evolveum.midpoint.prism.crypto.EncryptionException;
import com.evolveum.midpoint.prism.crypto.Protector;
import com.evolveum.midpoint.prism.xml.XmlTypeConverter;
import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
import com.evolveum.midpoint.security.api.ConnectionEnvironment;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.security.api.SecurityUtil;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractCredentialType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationAttemptDataType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.LoginEventType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordCredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityPolicyType;
import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
import javax.xml.datatype.Duration;
import javax.xml.datatype.XMLGregorianCalendar;
import org.jetbrains.annotations.NotNull;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.MessageSource;
import org.springframework.context.MessageSourceAware;
import org.springframework.context.support.MessageSourceAccessor;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/* loaded from: input_file:BOOT-INF/lib/authentication-impl-4.8.9-SNAPSHOT.jar:com/evolveum/midpoint/authentication/impl/evaluator/CredentialsAuthenticationEvaluatorImpl.class */
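/**
 * Common authentication flow for evaluators that compare an entered credential against a
 * credential stored on the focus (typically a password).
 *
 * <p>The flow in {@link #authenticate} is, in order: validate the entered credential, resolve and
 * check the principal, refuse locked-out accounts, check credential validity/age, compare the
 * credential, check required assignments, check authorizations. Every failure is recorded through
 * {@code recordModuleAuthenticationFailure} before the corresponding Spring Security exception is
 * thrown, so that lockout counters are maintained even for non-password failures.
 *
 * <p>Subclasses supply the credential-type specific pieces through the abstract hooks below
 * (which credential to read from {@link CredentialsType}, how to compare it, which policy applies).
 *
 * <p>Note for maintainers: this listing was recovered from compiled output. The erased
 * {@code authenticate(ConnectionEnvironment, AbstractAuthenticationContext)} bridge that the
 * decompiler printed is generated by {@code javac} and must not appear in source (its erasure
 * clashes with the generic {@link #authenticate}).
 *
 * @param <C> the stored credential type handled by this evaluator
 * @param <T> the authentication context carrying the entered credential
 */
public abstract class CredentialsAuthenticationEvaluatorImpl<C extends AbstractCredentialType, T extends AbstractAuthenticationContext> extends AuthenticationEvaluatorImpl<T, UsernamePasswordAuthenticationToken> implements AuthenticationEvaluator<T, UsernamePasswordAuthenticationToken>, MessageSourceAware {
    private static final Trace LOGGER = TraceManager.getTrace((Class<?>) CredentialsAuthenticationEvaluatorImpl.class);

    /** Compares clear text against protected values and decrypts stored values. */
    @Autowired
    private Protector protector;

    /** Time source for credential-age and lockout-expiry decisions; injected so tests can control "now". */
    @Autowired
    private Clock clock;

    /** Message lookup populated by {@link #setMessageSource}; available to subclasses. */
    protected MessageSourceAccessor messages;

    @Override // org.springframework.context.MessageSourceAware
    public void setMessageSource(@NotNull MessageSource messageSource) {
        this.messages = new MessageSourceAccessor(messageSource);
    }

    /**
     * Validates the credential the user entered (e.g. that it is present) before any lookup happens.
     * Implementations are expected to throw a Spring Security exception on failure.
     */
    protected abstract void checkEnteredCredentials(ConnectionEnvironment connectionEnvironment, T t);

    /** Whether a principal without any authorization must be rejected by this evaluator. */
    protected abstract boolean supportsAuthzCheck();

    /** Selects this evaluator's credential from the focus credentials container; may return {@code null}. */
    protected abstract C getCredential(CredentialsType credentialsType);

    /**
     * Checks that the stored credential carries a usable value; expected to throw on failure.
     * Called after the credential object itself has been verified to be non-null.
     */
    protected abstract void validateCredentialNotNull(ConnectionEnvironment connectionEnvironment, @NotNull MidPointPrincipal midPointPrincipal, C c);

    /** Compares the entered credential from {@code t} with the stored credential {@code c}. */
    protected abstract boolean passwordMatches(ConnectionEnvironment connectionEnvironment, @NotNull MidPointPrincipal midPointPrincipal, C c, T t);

    /**
     * Resolves the credential policy (max age, lockout settings) that applies to this credential type.
     *
     * @throws SchemaException if the security policy cannot be interpreted
     */
    protected abstract CredentialPolicyType getEffectiveCredentialPolicy(SecurityPolicyType securityPolicyType, T t) throws SchemaException;

    /** Whether activation (enabled/disabled state) is evaluated by this evaluator. */
    protected abstract boolean supportsActivation();

    /**
     * Authenticates the principal described by {@code t} against its stored credential.
     *
     * @return an authenticated token holding the principal, the entered credential and the
     *         principal's authorities
     * @throws BadCredentialsException if the entered credential does not match
     * @throws AuthenticationCredentialsNotFoundException if the focus has no stored credential of this type
     * @throws LockedException if the account is locked out because of previous failures
     * @throws CredentialsExpiredException if the stored credential is older than the policy's max age
     * @throws DisabledException if required assignments or authorizations are missing
     * @throws AuthenticationServiceException if the policy or the protector cannot be used
     */
    @Override // com.evolveum.midpoint.authentication.api.evaluator.AuthenticationEvaluator
    public UsernamePasswordAuthenticationToken authenticate(ConnectionEnvironment connectionEnvironment, T t) throws BadCredentialsException, AuthenticationCredentialsNotFoundException, DisabledException, LockedException, CredentialsExpiredException, AuthenticationServiceException, AccessDeniedException, UsernameNotFoundException {
        checkEnteredCredentials(connectionEnvironment, t);
        MidPointPrincipal principal = getAndCheckPrincipal(connectionEnvironment, t, t.isSupportActivationByChannel());
        // Resolved once and handed down; a broken policy fails here, before any credential is touched.
        CredentialPolicyType credentialsPolicy = getCredentialsPolicy(principal, t);
        if (!checkCredentials(principal, t, connectionEnvironment, credentialsPolicy)) {
            recordModuleAuthenticationFailure(principal.getUsername(), principal, connectionEnvironment, credentialsPolicy, "password mismatch");
            throw new BadCredentialsException(AuthUtil.generateBadCredentialsMessageKey(SecurityContextHolder.getContext().getAuthentication()));
        }
        if (!AuthenticationEvaluatorUtil.checkRequiredAssignmentTargets(principal.getFocus(), t.getRequireAssignments())) {
            recordModuleAuthenticationFailure(principal.getUsername(), principal, connectionEnvironment, credentialsPolicy, "does not contain required assignment");
            throw new DisabledException("web.security.flexAuth.invalid.required.assignment");
        }
        checkAuthorizations(principal, connectionEnvironment, credentialsPolicy);
        recordModuleAuthenticationSuccess(principal, connectionEnvironment);
        return new UsernamePasswordAuthenticationToken(principal, t.getEnteredCredential(), principal.getAuthorities());
    }

    /**
     * Rejects a principal with no authorizations when {@link #supportsAuthzCheck()} is enabled.
     * Recorded as a failure so it counts towards lockout like any other rejection.
     */
    private void checkAuthorizations(MidPointPrincipal principal, @NotNull ConnectionEnvironment connectionEnvironment, CredentialPolicyType credentialsPolicy) {
        if (supportsAuthzCheck() && hasNoAuthorizations(principal)) {
            recordModuleAuthenticationFailure(principal.getUsername(), principal, connectionEnvironment, credentialsPolicy, "no authorizations");
            throw new DisabledException("web.security.provider.access.denied");
        }
    }

    /**
     * Runs the stored-credential checks: presence, lockout, validity/age, and finally the comparison.
     *
     * <p>Lockout is evaluated before the credential is compared, so a locked-out caller learns
     * nothing about whether the credential was correct. Validity/age is also checked before the
     * comparison (pre-existing ordering, kept as is).
     *
     * @return {@code true} if the entered credential matches the stored one
     */
    private boolean checkCredentials(MidPointPrincipal principal, T t, ConnectionEnvironment connectionEnvironment, CredentialPolicyType credentialsPolicy) {
        CredentialsType credentials = principal.getFocus().getCredentials();
        C storedCredential = credentials != null ? getCredential(credentials) : null;
        if (storedCredential == null) {
            recordModuleAuthenticationFailure(principal.getUsername(), principal, connectionEnvironment, credentialsPolicy, "no credentials in user");
            throw new AuthenticationCredentialsNotFoundException(AuthUtil.generateBadCredentialsMessageKey(SecurityContextHolder.getContext().getAuthentication()));
        }
        if (isLockedOut(getAuthenticationData(principal, connectionEnvironment), credentialsPolicy)) {
            // Let the surrounding MidpointAuthentication know the lockout threshold was hit.
            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
            if (authentication instanceof MidpointAuthentication) {
                ((MidpointAuthentication) authentication).setOverLockoutMaxAttempts(true);
            }
            recordModuleAuthenticationFailure(principal.getUsername(), principal, connectionEnvironment, credentialsPolicy, "password locked-out");
            throw new LockedException("web.security.provider.locked");
        }
        checkPasswordValidityAndAge(connectionEnvironment, principal, storedCredential, credentialsPolicy);
        return passwordMatches(connectionEnvironment, principal, storedCredential, t);
    }

    /**
     * Resolves the effective credential policy, converting a schema problem into an
     * {@link AuthenticationServiceException} (the cause is preserved for diagnostics).
     */
    private CredentialPolicyType getCredentialsPolicy(MidPointPrincipal principal, T t) {
        try {
            return getEffectiveCredentialPolicy(principal.getApplicableSecurityPolicy(), t);
        } catch (SchemaException e) {
            // Keep the cause: "Bad config" alone gives an operator nothing to act on.
            throw new AuthenticationServiceException("Bad config", e);
        }
    }

    /**
     * Looks up the user named {@code str}, applies the account checks (activation, lockout,
     * password validity/age, authorizations) and returns the stored password in clear text.
     *
     * <p>The return value is a secret: callers must not log it or keep it longer than needed.
     * Unlike {@link #authenticate}, activation is always checked here ({@code true} is passed).
     *
     * @throws AuthenticationCredentialsNotFoundException if the focus has no credentials container
     *         or no password value
     * @throws LockedException if the account is locked out
     * @throws CredentialsExpiredException if the password is older than the policy's max age
     * @throws DisabledException if the principal has no authorizations
     * @throws AuthenticationServiceException if the stored value cannot be decrypted
     */
    public String getAndCheckUserPassword(ConnectionEnvironment connectionEnvironment, String str) throws AuthenticationCredentialsNotFoundException, DisabledException, LockedException, CredentialsExpiredException, AuthenticationServiceException, AccessDeniedException, UsernameNotFoundException {
        MidPointPrincipal principal = getAndCheckPrincipal(connectionEnvironment, new PreAuthenticationContext(str, FocusType.class), true);
        CredentialsType credentials = principal.getFocus().getCredentials();
        PasswordCredentialsPolicyType passwordPolicy = SecurityUtil.getEffectivePasswordCredentialsPolicy(principal.getApplicableSecurityPolicy());
        if (credentials == null) {
            recordModuleAuthenticationFailure(principal.getUsername(), principal, connectionEnvironment, passwordPolicy, "no credentials in user");
            throw new AuthenticationCredentialsNotFoundException("web.security.provider.invalid.credentials");
        }
        PasswordType password = credentials.getPassword();
        if (isLockedOut(getAuthenticationData(principal, connectionEnvironment), passwordPolicy)) {
            recordModuleAuthenticationFailure(principal.getUsername(), principal, connectionEnvironment, passwordPolicy, "password locked-out");
            throw new LockedException("web.security.provider.locked");
        }
        // This entry point is password-specific, so the stored password is the evaluator's C here
        // (unchecked by necessity; the validity check below also rejects a null password).
        @SuppressWarnings("unchecked")
        C storedPassword = (C) password;
        checkPasswordValidityAndAge(connectionEnvironment, principal, storedPassword, passwordPolicy);
        String clearPassword = getPassword(connectionEnvironment, principal, password.getValue());
        if (hasNoAuthorizations(principal)) {
            recordModuleAuthenticationFailure(principal.getUsername(), principal, connectionEnvironment, passwordPolicy, "no authorizations");
            throw new DisabledException("web.security.provider.access.denied");
        }
        return clearPassword;
    }

    /**
     * Verifies that the stored credential exists, has a value, and is not older than the policy's
     * {@code maxAge}. Age is enforced only when a policy, a max age and a change timestamp are all
     * available; otherwise it is skipped.
     *
     * @throws AuthenticationCredentialsNotFoundException if {@code credential} is {@code null}
     * @throws CredentialsExpiredException if the credential's change time plus max age is in the past
     */
    private void checkPasswordValidityAndAge(ConnectionEnvironment connectionEnvironment, @NotNull MidPointPrincipal principal, C credential, CredentialPolicyType policy) {
        if (credential == null) {
            recordModuleAuthenticationFailure(principal.getUsername(), principal, connectionEnvironment, policy, "no stored credential value");
            throw new AuthenticationCredentialsNotFoundException("web.security.provider.credential.bad");
        }
        validateCredentialNotNull(connectionEnvironment, principal, credential);
        if (policy == null) {
            return;
        }
        Duration maxAge = policy.getMaxAge();
        if (maxAge == null) {
            return;
        }
        XMLGregorianCalendar changeTimestamp = MiscSchemaUtil.getChangeTimestamp(credential.getMetadata());
        if (changeTimestamp == null) {
            // Without a change timestamp the age cannot be computed, so it is not enforced.
            return;
        }
        if (this.clock.isPast(XmlTypeConverter.addDuration(changeTimestamp, maxAge))) {
            recordModuleAuthenticationFailure(principal.getUsername(), principal, connectionEnvironment, policy, "password expired");
            throw new CredentialsExpiredException("web.security.provider.credential.expired");
        }
    }

    /**
     * Compares the clear text {@code str} with the stored {@code protectedStringType} through the
     * protector, so the stored value never has to be decrypted for a comparison.
     *
     * <p>Kept {@code public} for compatibility; the decompiled listing indicates the original
     * visibility was {@code protected}.
     *
     * @throws AuthenticationServiceException if the protector cannot perform the comparison
     */
    public boolean decryptAndMatch(ConnectionEnvironment connectionEnvironment, @NotNull MidPointPrincipal principal, ProtectedStringType protectedStringType, String str) {
        ProtectedStringType entered = new ProtectedStringType();
        entered.setClearValue(str);
        try {
            return this.protector.compareCleartext(entered, protectedStringType);
        } catch (EncryptionException | SchemaException e) {
            // Only the exception message is logged; the entered value is never written to the log.
            LOGGER.error("Error dealing with credentials of user \"{}\" credentials: {}", principal.getUsername(), e.getMessage());
            recordModuleAuthenticationFailure(principal.getUsername(), principal, connectionEnvironment, null, "error decrypting password: ");
            throw new AuthenticationServiceException("web.security.provider.unavailable", e);
        }
    }

    /**
     * Returns the clear-text value of a stored protected string, decrypting it when it is encrypted.
     * A stored clear value is accepted but logged as a warning, since stored credentials are
     * expected to be encrypted.
     *
     * @throws AuthenticationServiceException if decryption fails
     */
    private String getPassword(ConnectionEnvironment connectionEnvironment, @NotNull MidPointPrincipal principal, ProtectedStringType protectedStringType) {
        if (protectedStringType.getEncryptedDataType() == null) {
            LOGGER.warn("Authenticating user based on clear value. Please check objects, this should not happen. Protected string should be encrypted.");
            return protectedStringType.getClearValue();
        }
        try {
            return this.protector.decryptString(protectedStringType);
        } catch (EncryptionException e) {
            recordModuleAuthenticationFailure(principal.getUsername(), principal, connectionEnvironment, null, "error decrypting password: ");
            throw new AuthenticationServiceException("web.security.provider.unavailable", e);
        }
    }

    /**
     * An account is locked out when the failed-attempt threshold is exceeded and the lockout has
     * not yet expired. With no attempt data recorded there is nothing to be locked on.
     */
    private boolean isLockedOut(AuthenticationAttemptDataType attemptData, CredentialPolicyType policy) {
        if (attemptData == null) {
            return false;
        }
        return isOverFailedLockoutAttempts(attemptData, policy) && !isLockoutExpired(attemptData, policy);
    }

    /** Delegates the threshold comparison to {@link SecurityUtil} using the recorded failure count. */
    private boolean isOverFailedLockoutAttempts(AuthenticationAttemptDataType attemptData, CredentialPolicyType policy) {
        return SecurityUtil.isOverFailedLockoutAttempts(getFailedLogins(attemptData), policy);
    }

    /** Recorded failed attempts, or 0 when no data or no count is present. */
    private int getFailedLogins(AuthenticationAttemptDataType attemptData) {
        if (attemptData == null || attemptData.getFailedAttempts() == null) {
            return 0;
        }
        return attemptData.getFailedAttempts();
    }

    /**
     * Decides whether an active lockout has run out.
     *
     * <p>An explicit lockout expiration timestamp wins. Otherwise the policy's lockout duration is
     * added to the lockout timestamp (falling back to the last failed login). A missing lockout
     * duration means the lockout never expires on its own (fail closed); missing timestamps with
     * a duration configured are treated as expired, since there is no start point to count from.
     */
    private boolean isLockoutExpired(AuthenticationAttemptDataType attemptData, CredentialPolicyType policy) {
        XMLGregorianCalendar lockoutExpirationTimestamp = attemptData.getLockoutExpirationTimestamp();
        if (lockoutExpirationTimestamp != null) {
            return this.clock.isPast(lockoutExpirationTimestamp);
        }
        // A null policy has no duration to offer; same outcome as a policy without one (stays locked).
        Duration lockoutDuration = policy != null ? policy.getLockoutDuration() : null;
        if (lockoutDuration == null) {
            return false;
        }
        XMLGregorianCalendar lockoutTimestamp = attemptData.getLockoutTimestamp();
        if (lockoutTimestamp == null) {
            LoginEventType lastFailedLogin = getLastFailedLogin(attemptData);
            if (lastFailedLogin == null) {
                return true;
            }
            lockoutTimestamp = lastFailedLogin.getTimestamp();
            if (lockoutTimestamp == null) {
                return true;
            }
        }
        return this.clock.isPast(XmlTypeConverter.addDuration(lockoutTimestamp, lockoutDuration));
    }

    /** The most recent failed authentication event recorded for the module, if any. */
    private LoginEventType getLastFailedLogin(AuthenticationAttemptDataType attemptData) {
        return attemptData.getLastFailedAuthentication();
    }

    /** Finds the per-module authentication attempt data for this principal and connection; may be {@code null}. */
    public AuthenticationAttemptDataType getAuthenticationData(MidPointPrincipal midPointPrincipal, ConnectionEnvironment connectionEnvironment) {
        return AuthUtil.findAuthAttemptDataForModule(connectionEnvironment, midPointPrincipal);
    }
}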
