package com.evolveum.midpoint.security.impl;

import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.security.api.AuthenticationAnonymousChecker;
import com.evolveum.midpoint.security.api.Authorization;
import com.evolveum.midpoint.security.api.HttpConnectionInformation;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.security.api.MidPointPrincipalManager;
import com.evolveum.midpoint.security.api.ProfileCompilerOptions;
import com.evolveum.midpoint.security.api.SecurityContextManager;
import com.evolveum.midpoint.security.api.SecurityUtil;
import com.evolveum.midpoint.util.Producer;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.stereotype.Component;

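/**
 * Default {@link SecurityContextManager}: a thin layer over Spring's
 * {@link SecurityContextHolder} that installs pre-authenticated midPoint
 * principals, temporarily elevates the calling thread to a privileged
 * authentication ({@link #runPrivileged(Producer)}, {@link #runAs}), and keeps
 * per-thread bookkeeping (HTTP connection information, temporary principal OID).
 *
 * <p>All state set up by {@code runAs}/{@code runPrivileged} lives in the
 * current thread's security context and is restored to the original
 * authentication in a {@code finally} block, so an exception thrown by the
 * wrapped work cannot leave an elevated context behind on the thread.
 */
@Component("securityContextManager")
/* loaded from: input_file:BOOT-INF/lib/security-impl-4.8.9-SNAPSHOT.jar:com/evolveum/midpoint/security/impl/SecurityContextManagerImpl.class */
public class SecurityContextManagerImpl implements SecurityContextManager {

    private static final Trace LOGGER = TraceManager.getTrace((Class<?>) SecurityContextManagerImpl.class);

    /** May be {@code null} in low-level tests; see {@link #setupPreAuthenticatedSecurityContext(PrismObject, ProfileCompilerOptions, OperationResult)}. */
    private MidPointPrincipalManager userProfileService = null;

    // Thread-confined values. Nothing in this class clears connectionInformationThreadLocal;
    // NOTE(review): presumably the HTTP layer removes it at request end — confirm against callers.
    private final ThreadLocal<HttpConnectionInformation> connectionInformationThreadLocal = new ThreadLocal<>();
    private final ThreadLocal<String> temporaryPrincipalOidThreadLocal = new ThreadLocal<>();

    @Override
    public MidPointPrincipalManager getUserProfileService() {
        return this.userProfileService;
    }

    @Override
    public void setUserProfileService(MidPointPrincipalManager midPointPrincipalManager) {
        this.userProfileService = midPointPrincipalManager;
    }

    /**
     * Returns the OID of the authenticated principal, falling back to the
     * temporary principal OID stored for this thread (if any).
     *
     * @return the principal OID, or {@code null} if neither source provides one
     */
    @Override
    public String getPrincipalOid() {
        String authenticatedOid = SecurityUtil.getPrincipalOidIfAuthenticated();
        if (authenticatedOid != null) {
            return authenticatedOid;
        }
        return this.temporaryPrincipalOidThreadLocal.get();
    }

    /**
     * Stores a principal OID for the current thread, used by {@link #getPrincipalOid()}
     * when there is no authenticated principal. Pair with {@link #clearTemporaryPrincipalOid()}.
     *
     * @param str the OID to store (a {@code null} value is stored as-is)
     */
    @Override
    public void setTemporaryPrincipalOid(String str) {
        this.temporaryPrincipalOidThreadLocal.set(str);
    }

    /** Removes the temporary principal OID from the current thread. */
    @Override
    public void clearTemporaryPrincipalOid() {
        this.temporaryPrincipalOidThreadLocal.remove();
    }

    @Override
    public boolean isAuthenticated() {
        return SecurityUtil.isAuthenticated();
    }

    @Override
    public Authentication getAuthentication() {
        return SecurityUtil.getAuthentication();
    }

    /**
     * Installs the given authentication into the current thread's Spring security context,
     * replacing whatever was there before.
     *
     * @param authentication the authentication to install
     */
    @Override
    public void setupPreAuthenticatedSecurityContext(Authentication authentication) {
        SecurityContextHolder.getContext().setAuthentication(authentication);
    }

    /**
     * Installs a {@link PreAuthenticatedAuthenticationToken} built from the principal and its
     * authorities; no credentials are attached.
     *
     * @param midPointPrincipal the principal to authenticate as
     */
    @Override
    public void setupPreAuthenticatedSecurityContext(MidPointPrincipal midPointPrincipal) {
        PreAuthenticatedAuthenticationToken token =
                new PreAuthenticatedAuthenticationToken(midPointPrincipal, null, midPointPrincipal.getAuthorities());
        setupPreAuthenticatedSecurityContext(token);
    }

    /**
     * Installs a security context for the focus object using default profile compiler options
     * (no GUI admin configuration, security policy not located).
     *
     * @param prismObject the focus (user/role/...) to authenticate as
     * @param operationResult result to record the principal lookup into
     */
    @Override
    public void setupPreAuthenticatedSecurityContext(PrismObject<? extends FocusType> prismObject, OperationResult operationResult)
            throws SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        ProfileCompilerOptions options = ProfileCompilerOptions.createNotCompileGuiAdminConfiguration().locateSecurityPolicy(false);
        setupPreAuthenticatedSecurityContext(prismObject, options, operationResult);
    }

    /**
     * Resolves a {@link MidPointPrincipal} for the focus object and installs it into the
     * current thread's security context. The principal is created through the
     * {@link MidPointPrincipalManager} when one is configured; otherwise a bare principal is
     * created directly (with a warning, since authorizations are then not compiled).
     *
     * @param prismObject the focus to authenticate as
     * @param profileCompilerOptions options controlling how the principal profile is compiled
     * @param operationResult result to record the principal lookup into
     * @throws SecurityViolationException if the principal is not enabled (see {@code checkEnabled})
     */
    @Override
    public void setupPreAuthenticatedSecurityContext(PrismObject<? extends FocusType> prismObject, ProfileCompilerOptions profileCompilerOptions, OperationResult operationResult)
            throws SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        MidPointPrincipal principal;
        if (this.userProfileService == null) {
            LOGGER.warn("No user profile service set up in SecurityEnforcer. This is OK in low-level tests but it is a serious problem in running system");
            principal = MidPointPrincipal.create(prismObject.asObjectable());
        } else {
            principal = this.userProfileService.getPrincipal(prismObject, profileCompilerOptions, operationResult);
        }
        // Disabled principals must never reach the security context.
        principal.checkEnabled();
        setupPreAuthenticatedSecurityContext(principal);
    }

    private static Authentication getCurrentAuthentication() {
        return SecurityContextHolder.getContext().getAuthentication();
    }

    /**
     * Runs the producer with the security context switched to {@code prismObject} (when given)
     * and/or elevated to privileged (when {@code z} is true). The original authentication is
     * restored in a {@code finally} block, so it is reinstated even when principal setup,
     * privilege elevation or the producer itself throws.
     *
     * @param resultAwareProducer the work to run
     * @param prismObject the focus to run as, or {@code null} to keep the current principal
     * @param z whether to additionally elevate the thread to a privileged authentication
     * @param operationResult result passed to principal setup and to the producer
     * @return the producer's result
     */
    @Override
    public <T> T runAs(
            @NotNull SecurityContextManager.ResultAwareProducer<T> resultAwareProducer,
            @Nullable PrismObject<? extends FocusType> prismObject,
            boolean z,
            @NotNull OperationResult operationResult)
            throws SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        LOGGER.debug("Running {} as {} (privileged: {})", resultAwareProducer, prismObject, Boolean.valueOf(z));
        Authentication originalAuthentication = getCurrentAuthentication();
        try {
            if (prismObject != null) {
                ProfileCompilerOptions options = ProfileCompilerOptions.createNotCompileGuiAdminConfiguration()
                        .locateSecurityPolicy(false)
                        .runAsRunner(true);
                setupPreAuthenticatedSecurityContext(prismObject, options, operationResult);
            }
            if (z) {
                // Elevates whatever is now in the context (the run-as principal if one was set up).
                loginAsPrivileged(getCurrentAuthentication());
            }
            return resultAwareProducer.get(operationResult);
        } finally {
            // Always drop the run-as / privileged authentication, even on failure, so it
            // cannot leak into later work on this (possibly pooled) thread.
            SecurityContextHolder.getContext().setAuthentication(originalAuthentication);
            LOGGER.debug("Finished running {} as {} (privileged: {})", resultAwareProducer, prismObject, Boolean.valueOf(z));
        }
    }

    /**
     * True if the authentication is anonymous: delegates to {@link AuthenticationAnonymousChecker}
     * when implemented, otherwise checks for Spring's {@link AnonymousAuthenticationToken}.
     */
    private static boolean isAnonymous(Authentication authentication) {
        if (authentication instanceof AuthenticationAnonymousChecker) {
            return ((AuthenticationAnonymousChecker) authentication).isAnonymous();
        }
        return authentication instanceof AnonymousAuthenticationToken;
    }

    /**
     * Runs the producer with the current authentication elevated to privileged; the original
     * authentication is restored afterwards, whether the producer returns or throws.
     *
     * @param producer the work to run
     * @return the producer's result
     */
    @Override
    public <T> T runPrivileged(@NotNull Producer<T> producer) {
        LOGGER.debug("Running {} as privileged", producer);
        Authentication originalAuthentication = getCurrentAuthentication();
        LOGGER.trace("ORIG auth {}", originalAuthentication);
        try {
            loginAsPrivileged(originalAuthentication);
            return producer.run();
        } finally {
            SecurityContextHolder.getContext().setAuthentication(originalAuthentication);
            LOGGER.debug("Finished running {} as privileged", producer);
            LOGGER.trace("Security context after privileged operation: {}", SecurityContextHolder.getContext());
        }
    }

    /**
     * Replaces the current authentication with a {@link PreAuthenticatedAuthenticationToken}
     * carrying the original authorities plus the privileged authorization. The principal is
     * carried over for anonymous authentications, cloned with the extra authorization for
     * {@link MidPointPrincipal}s, and dropped ({@code null}) for any other principal type.
     * Does nothing when there is no original authentication.
     *
     * @param authentication the authentication to elevate, or {@code null}
     */
    private void loginAsPrivileged(@Nullable Authentication authentication) {
        Authorization privilegedAuthorization = SecurityUtil.createPrivilegedAuthorization();
        if (authentication == null) {
            LOGGER.debug("No original authentication, do NOT setting any privileged security context");
            return;
        }
        Object originalPrincipal = authentication.getPrincipal();
        Object newPrincipal;
        Collection<GrantedAuthority> newAuthorities;
        if (isAnonymous(authentication)) {
            newPrincipal = originalPrincipal;
            newAuthorities = createNewAuthorities(authentication, privilegedAuthorization);
        } else {
            LOGGER.trace("ORIG principal {} ({})", originalPrincipal, originalPrincipal != null ? originalPrincipal.getClass() : null);
            if (originalPrincipal instanceof MidPointPrincipal) {
                MidPointPrincipal elevated = ((MidPointPrincipal) originalPrincipal)
                        .cloneWithAdditionalAuthorizations(List.of(privilegedAuthorization), true);
                newPrincipal = elevated;
                newAuthorities = List.copyOf(elevated.getAuthorities());
            } else {
                newPrincipal = null;
                newAuthorities = createNewAuthorities(authentication, privilegedAuthorization);
            }
        }
        PreAuthenticatedAuthenticationToken privilegedToken =
                new PreAuthenticatedAuthenticationToken(newPrincipal, null, newAuthorities);
        LOGGER.trace("NEW auth {}", privilegedToken);
        SecurityContextHolder.getContext().setAuthentication(privilegedToken);
    }

    /**
     * Copies the authentication's authorities and appends the given authorization.
     * Typed rather than raw so the element type is checked by the compiler.
     */
    private static Collection<GrantedAuthority> createNewAuthorities(Authentication authentication, Authorization authorization) {
        List<GrantedAuthority> newAuthorities = new ArrayList<>(authentication.getAuthorities());
        newAuthorities.add(authorization);
        return newAuthorities;
    }

    /**
     * Stores HTTP connection information for the current thread.
     *
     * @param httpConnectionInformation the information to store
     */
    @Override
    public void storeConnectionInformation(HttpConnectionInformation httpConnectionInformation) {
        this.connectionInformationThreadLocal.set(httpConnectionInformation);
    }

    /**
     * @return the HTTP connection information stored for the current thread, or {@code null}
     */
    @Override
    public HttpConnectionInformation getStoredConnectionInformation() {
        return this.connectionInformationThreadLocal.get();
    }
}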
