package com.evolveum.midpoint.security.api;

import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.schema.constants.SchemaConstants;
import com.evolveum.midpoint.util.MiscUtil;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AttributeVerificationCredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationSequenceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsStorageMethodType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsStorageTypeType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.NonceCredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordCredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityQuestionsCredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemConfigurationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ValuePolicyType;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpSession;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.function.Function;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.lang3.StringUtils;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.context.request.RequestAttributes;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

/* loaded from: input_file:BOOT-INF/lib/security-api-4.9.1-SNAPSHOT.jar:com/evolveum/midpoint/security/api/SecurityUtil.class */
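/**
 * Static helpers shared by midPoint's security layer: access to the current Spring
 * {@link Authentication}/{@link MidPointPrincipal}, resolution of effective credential
 * policies from a {@link SecurityPolicyType}, and extraction of HTTP connection details
 * (client address, session id) for auditing.
 * <p>
 * Security notes for maintainers:
 * <ul>
 *   <li>The client address may be taken from configured request headers
 *       (see {@link #setRemoteHostAddressHeaders}); such headers are client-controlled
 *       unless a trusted reverse proxy overwrites them, so they must only be configured
 *       in deployments where that proxy is in front of every request path.</li>
 *   <li>{@link #createPrivilegedAuthorization()} grants {@code #all}; keep it confined to
 *       internal system operations.</li>
 * </ul>
 */
public class SecurityUtil {

    /** Budget (ms) for {@link HttpServletRequest#getLocalName()} before a slow reverse DNS lookup is reported. */
    private static final long GET_LOCAL_NAME_THRESHOLD = 2000;

    private static final Trace LOGGER = TraceManager.getTrace((Class<?>) SecurityUtil.class);

    /**
     * Header names consulted, in order, for the client address (typically {@code X-Forwarded-For}).
     * Written when the system configuration is (re)loaded and read on every request from
     * request threads, hence {@code volatile} so a new list becomes visible without locking.
     */
    @NotNull
    private static volatile List<String> remoteHostAddressHeaders = Collections.emptyList();

    /**
     * Extracts the plain action strings from Spring Security config attributes.
     *
     * @param configAttributes attributes to read; must not be {@code null}
     * @return a mutable list of {@link ConfigAttribute#getAttribute()} values, in iteration order
     */
    public static Collection<String> getActions(Collection<ConfigAttribute> configAttributes) {
        List<String> actions = new ArrayList<>(configAttributes.size());
        for (ConfigAttribute attribute : configAttributes) {
            actions.add(attribute.getAttribute());
        }
        return actions;
    }

    /** Logs (at debug level) that access to {@code object} was denied to the current subject. */
    public static void logSecurityDeny(Object object, String message) {
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Denied access to {} by {} {}", object, getSubjectDescription(), message);
        }
    }

    /** Logs (at debug level) that access to {@code object} was denied to the given principal. */
    public static void logSecurityDeny(MidPointPrincipal principal, Object object, String message) {
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Denied access to {} by {} {}", object, principal, message);
        }
    }

    /**
     * Logs a denial at debug level and, at trace level, also the required authorization
     * actions together with the triggering exception's stack trace.
     */
    public static void logSecurityDeny(Object object, String message, Throwable cause, Collection<String> requiredActions) {
        if (!LOGGER.isDebugEnabled()) {
            return;
        }
        String subject = getSubjectDescription();
        LOGGER.debug("Denied access to {} by {} {}", object, subject, message);
        if (LOGGER.isTraceEnabled()) {
            LOGGER.trace("Denied access to {} by {} {}; one of the following authorization actions is required: " + requiredActions, object, subject, message, cause);
        }
    }

    /**
     * Human-readable description of the current subject for log messages: the username for a
     * {@link MidPointPrincipal}, {@code toString()} of any other principal, or {@code null} when
     * there is no authentication or no principal.
     */
    public static String getSubjectDescription() {
        Authentication authentication = getAuthentication();
        if (authentication == null) {
            return null;
        }
        Object principal = authentication.getPrincipal();
        if (principal == null) {
            return null;
        }
        if (principal instanceof MidPointPrincipal) {
            return ((MidPointPrincipal) principal).getUsername();
        }
        return principal.toString();
    }

    /**
     * Effective storage type for passwords: the password policy's value, falling back to the
     * credentials default, falling back to {@link CredentialsStorageTypeType#ENCRYPTION}.
     */
    @NotNull
    public static CredentialsStorageTypeType getPasswordStorageType(@Nullable CredentialsPolicyType credentialsPolicy) {
        CredentialPolicyType defaultPolicy = credentialsPolicy != null ? credentialsPolicy.getDefault() : null;
        CredentialPolicyType passwordPolicy = credentialsPolicy != null ? credentialsPolicy.getPassword() : null;
        return getCredentialStorageType(defaultPolicy, passwordPolicy);
    }

    /**
     * Resolves the storage type from the specific policy, then the default policy.
     * <p>
     * When neither policy specifies a storage method the result is {@code ENCRYPTION}, i.e.
     * reversible encryption rather than hashing. Deployments that need non-reversible storage
     * must set {@code storageMethod/storageType} explicitly in the security policy.
     *
     * @param defaultPolicy  the {@code credentials/default} policy, may be {@code null}
     * @param specificPolicy the credential-specific policy (e.g. password), may be {@code null}
     */
    @NotNull
    public static CredentialsStorageTypeType getCredentialStorageType(@Nullable CredentialPolicyType defaultPolicy, @Nullable CredentialPolicyType specificPolicy) {
        CredentialsStorageMethodType storageMethod =
                getCredentialPolicyItem(defaultPolicy, specificPolicy, CredentialPolicyType::getStorageMethod);
        CredentialsStorageTypeType configured = storageMethod != null ? storageMethod.getStorageType() : null;
        return Objects.requireNonNullElse(configured, CredentialsStorageTypeType.ENCRYPTION);
    }

    /**
     * Reads an item from the specific policy if present and non-null there, otherwise from the
     * default policy; {@code null} when neither provides it.
     */
    private static <T> T getCredentialPolicyItem(CredentialPolicyType defaultPolicy, CredentialPolicyType specificPolicy, Function<CredentialPolicyType, T> getter) {
        if (specificPolicy != null) {
            T specific = getter.apply(specificPolicy);
            if (specific != null) {
                return specific;
            }
        }
        return defaultPolicy != null ? getter.apply(defaultPolicy) : null;
    }

    /**
     * Password policy with unset items filled from {@code credentials/default}.
     * Returns the password policy object itself (not a copy) when there is no default policy,
     * a defaulted clone otherwise, or {@code null} when the security policy has no credentials section.
     */
    public static PasswordCredentialsPolicyType getEffectivePasswordCredentialsPolicy(SecurityPolicyType securityPolicy) {
        CredentialsPolicyType credentials = securityPolicy != null ? securityPolicy.getCredentials() : null;
        if (credentials == null) {
            return null;
        }
        PasswordCredentialsPolicyType password = credentials.getPassword();
        if (credentials.getDefault() == null) {
            return password;
        }
        // Work on a copy so the defaults are not written back into the security policy object.
        PasswordCredentialsPolicyType effective = password == null ? new PasswordCredentialsPolicyType() : password.clone();
        copyDefaults(credentials.getDefault(), effective);
        return effective;
    }

    /**
     * Identifier of the first authentication sequence bound to the invitation channel,
     * or {@code null} when there is no such sequence.
     */
    public static String getInvitationSequenceIdentifier(SecurityPolicyType securityPolicy) {
        if (securityPolicy == null || securityPolicy.getAuthentication() == null) {
            return null;
        }
        return securityPolicy.getAuthentication().getSequence().stream()
                .filter(sequence -> sequence.getChannel() != null
                        && SchemaConstants.CHANNEL_INVITATION_URI.equals(sequence.getChannel().getChannelId()))
                .map(AuthenticationSequenceType::getIdentifier)
                .findFirst()
                .orElse(null);
    }

    /** Security-questions policy with unset items filled from {@code credentials/default}; see {@link #getEffectivePasswordCredentialsPolicy}. */
    public static SecurityQuestionsCredentialsPolicyType getEffectiveSecurityQuestionsCredentialsPolicy(SecurityPolicyType securityPolicy) {
        CredentialsPolicyType credentials = securityPolicy != null ? securityPolicy.getCredentials() : null;
        if (credentials == null) {
            return null;
        }
        SecurityQuestionsCredentialsPolicyType securityQuestions = credentials.getSecurityQuestions();
        if (credentials.getDefault() == null) {
            return securityQuestions;
        }
        SecurityQuestionsCredentialsPolicyType effective =
                securityQuestions == null ? new SecurityQuestionsCredentialsPolicyType() : securityQuestions.clone();
        copyDefaults(credentials.getDefault(), effective);
        return effective;
    }

    /** Attribute-verification policy with unset items filled from {@code credentials/default}; see {@link #getEffectivePasswordCredentialsPolicy}. */
    public static AttributeVerificationCredentialsPolicyType getEffectiveAttributeVerificationCredentialsPolicy(SecurityPolicyType securityPolicy) {
        CredentialsPolicyType credentials = securityPolicy != null ? securityPolicy.getCredentials() : null;
        if (credentials == null) {
            return null;
        }
        AttributeVerificationCredentialsPolicyType attributeVerification = credentials.getAttributeVerification();
        if (credentials.getDefault() == null) {
            return attributeVerification;
        }
        AttributeVerificationCredentialsPolicyType effective =
                attributeVerification == null ? new AttributeVerificationCredentialsPolicyType() : attributeVerification.clone();
        copyDefaults(credentials.getDefault(), effective);
        return effective;
    }

    /**
     * All nonce policies with unset items filled from {@code credentials/default}.
     * Returns the live list when there is no default policy, a list of defaulted clones otherwise,
     * or {@code null} when the security policy has no credentials section.
     */
    public static List<NonceCredentialsPolicyType> getEffectiveNonceCredentialsPolicies(SecurityPolicyType securityPolicy) {
        CredentialsPolicyType credentials = securityPolicy != null ? securityPolicy.getCredentials() : null;
        if (credentials == null) {
            return null;
        }
        List<NonceCredentialsPolicyType> noncePolicies = credentials.getNonce();
        if (credentials.getDefault() == null) {
            return noncePolicies;
        }
        List<NonceCredentialsPolicyType> effective = new ArrayList<>(noncePolicies.size());
        for (NonceCredentialsPolicyType noncePolicy : noncePolicies) {
            NonceCredentialsPolicyType copy = noncePolicy.clone();
            copyDefaults(credentials.getDefault(), copy);
            effective.add(copy);
        }
        return effective;
    }

    /**
     * The single effective nonce policy.
     *
     * @return the policy, or {@code null} when none is configured
     * @throws SchemaException when more than one nonce policy is configured
     */
    public static NonceCredentialsPolicyType getEffectiveNonceCredentialsPolicy(SecurityPolicyType securityPolicy) throws SchemaException {
        List<NonceCredentialsPolicyType> policies = getEffectiveNonceCredentialsPolicies(securityPolicy);
        if (CollectionUtils.isEmpty(policies)) {
            return null;
        }
        if (policies.size() > 1) {
            throw new SchemaException("More than one nonce policy");
        }
        return policies.get(0);
    }

    /**
     * Fills every unset item of {@code target} from {@code defaults}. Items already set on the
     * target always win; the default is only consulted when the target value is {@code null}.
     */
    private static void copyDefaults(CredentialPolicyType defaults, CredentialPolicyType target) {
        if (target.getHistoryLength() == null && defaults.getHistoryLength() != null) {
            target.setHistoryLength(defaults.getHistoryLength());
        }
        if (target.getHistoryStorageMethod() == null && defaults.getHistoryStorageMethod() != null) {
            target.setHistoryStorageMethod(defaults.getHistoryStorageMethod());
        }
        if (target.getLockoutDuration() == null && defaults.getLockoutDuration() != null) {
            target.setLockoutDuration(defaults.getLockoutDuration());
        }
        if (target.getLockoutFailedAttemptsDuration() == null && defaults.getLockoutFailedAttemptsDuration() != null) {
            target.setLockoutFailedAttemptsDuration(defaults.getLockoutFailedAttemptsDuration());
        }
        if (target.getLockoutMaxFailedAttempts() == null && defaults.getLockoutMaxFailedAttempts() != null) {
            target.setLockoutMaxFailedAttempts(defaults.getLockoutMaxFailedAttempts());
        }
        if (target.getMaxAge() == null && defaults.getMaxAge() != null) {
            target.setMaxAge(defaults.getMaxAge());
        }
        if (target.getMinAge() == null && defaults.getMinAge() != null) {
            target.setMinAge(defaults.getMinAge());
        }
        if (target.getPropagationUserControl() == null && defaults.getPropagationUserControl() != null) {
            target.setPropagationUserControl(defaults.getPropagationUserControl());
        }
        if (target.getResetMethod() == null && defaults.getResetMethod() != null) {
            target.setResetMethod(defaults.getResetMethod());
        }
        if (target.getStorageMethod() == null && defaults.getStorageMethod() != null) {
            target.setStorageMethod(defaults.getStorageMethod());
        }
        if (target.getWarningBeforeExpirationDuration() == null && defaults.getWarningBeforeExpirationDuration() != null) {
            target.setWarningBeforeExpirationDuration(defaults.getWarningBeforeExpirationDuration());
        }
        if (target.isHistoryAllowExistingPasswordReuse() == null && defaults.isHistoryAllowExistingPasswordReuse() != null) {
            target.setHistoryAllowExistingPasswordReuse(defaults.isHistoryAllowExistingPasswordReuse());
        }
    }

    /** Configured history length, or 0 (no history kept) when the policy or the item is absent. */
    public static int getCredentialHistoryLength(CredentialPolicyType policy) {
        Integer historyLength = policy != null ? policy.getHistoryLength() : null;
        return historyLength != null ? historyLength : 0;
    }

    /** Whether re-use of the current password is allowed; {@code false} when unspecified. */
    public static boolean isHistoryAllowExistingPasswordReuse(CredentialPolicyType policy) {
        Boolean allowReuse = policy != null ? policy.isHistoryAllowExistingPasswordReuse() : null;
        return allowReuse != null && allowReuse;
    }

    /** Storage type of a storage method, or {@code null} when the method is {@code null}. */
    public static CredentialsStorageTypeType getCredentialStorageTypeType(CredentialsStorageMethodType storageMethod) {
        return storageMethod != null ? storageMethod.getStorageType() : null;
    }

    /**
     * The value policy referenced by the password policy, provided the reference has already
     * been resolved (its embedded object is present). Returns {@code null} otherwise — callers
     * must not treat {@code null} as "no password policy configured".
     */
    public static ValuePolicyType getPasswordPolicy(SecurityPolicyType securityPolicy) {
        CredentialsPolicyType credentials = securityPolicy != null ? securityPolicy.getCredentials() : null;
        PasswordCredentialsPolicyType password = credentials != null ? credentials.getPassword() : null;
        ObjectReferenceType valuePolicyRef = password != null ? password.getValuePolicyRef() : null;
        PrismObject<?> object = valuePolicyRef != null ? valuePolicyRef.asReferenceValue().getObject() : null;
        return object != null ? (ValuePolicyType) object.asObjectable() : null;
    }

    /**
     * Installs the list of headers that may carry the client address, taken from
     * {@code infrastructure/remoteHostAddressHeader} of the system configuration.
     * Passing {@code null} (or a configuration without an infrastructure section) clears the list,
     * after which {@link HttpServletRequest#getRemoteAddr()} is used directly.
     */
    public static void setRemoteHostAddressHeaders(SystemConfigurationType systemConfiguration) {
        List<String> headers = (systemConfiguration == null || systemConfiguration.getInfrastructure() == null)
                ? Collections.emptyList()
                : new ArrayList<>(systemConfiguration.getInfrastructure().getRemoteHostAddressHeader());
        if (!MiscUtil.unorderedCollectionEquals(remoteHostAddressHeaders, headers)) {
            LOGGER.debug("Setting new value for 'remoteHostAddressHeaders': {}", headers);
        }
        remoteHostAddressHeaders = headers;
    }

    /**
     * Connection details of the request bound to the current thread, or {@code null} when the
     * thread is not serving a servlet request.
     * <p>
     * The session id is only filled when a session already exists; no session is created here.
     * {@code getLocalName()} may trigger a reverse DNS lookup, so its duration is measured and a
     * warning is logged when it exceeds {@link #GET_LOCAL_NAME_THRESHOLD}.
     */
    public static HttpConnectionInformation getCurrentConnectionInformation() {
        RequestAttributes attributes = RequestContextHolder.getRequestAttributes();
        if (!(attributes instanceof ServletRequestAttributes)) {
            return null;
        }
        HttpServletRequest request = ((ServletRequestAttributes) attributes).getRequest();
        HttpConnectionInformation info = new HttpConnectionInformation();

        HttpSession session = request.getSession(false);
        if (session != null) {
            info.setSessionId(session.getId());
        }

        long start = System.currentTimeMillis();
        String localName = request.getLocalName();
        long elapsed = System.currentTimeMillis() - start;
        info.setLocalHostName(localName);
        if (elapsed > GET_LOCAL_NAME_THRESHOLD) {
            // Reuse the value already obtained instead of calling getLocalName() (and DNS) again.
            LOGGER.warn("getLocalName() on HTTP request took {} milliseconds that is too long; please check your DNS configuration. Local name = {}, local address = {}", elapsed, localName, request.getLocalAddr());
        }

        info.setRemoteHostAddress(getRemoteHostAddress(request));
        info.setServerName(request.getServerName());
        return info;
    }

    /**
     * Client address: the first configured header that carries a usable value, otherwise the
     * socket peer address. A header that is present but blank (or contains no address) is
     * skipped rather than reported as an empty address.
     * <p>
     * Header values are attacker-controlled unless a trusted proxy in front of midPoint
     * overwrites them; see {@link #setRemoteHostAddressHeaders}.
     */
    private static String getRemoteHostAddress(HttpServletRequest request) {
        for (String headerName : remoteHostAddressHeaders) {
            String address = getAddressFromHeader(request.getHeader(headerName));
            if (address != null) {
                return address;
            }
        }
        return request.getRemoteAddr();
    }

    /**
     * First comma-separated element of a forwarded-address header, trimmed.
     * Returns {@code null} for a {@code null}, blank or separator-only value; previously an
     * empty header value caused an {@link ArrayIndexOutOfBoundsException} here, which any
     * client could trigger by sending the header with no value.
     * <p>
     * NOTE(review): the leftmost element of e.g. {@code X-Forwarded-For} is the one supplied by
     * the client; only trust it when the front proxy resets the header on ingress.
     */
    private static String getAddressFromHeader(String headerValue) {
        if (StringUtils.isBlank(headerValue)) {
            return null;
        }
        String[] elements = StringUtils.split(headerValue, ",");
        if (elements == null || elements.length == 0) {
            return null;
        }
        String first = StringUtils.trim(elements[0]);
        return StringUtils.isEmpty(first) ? null : first;
    }

    /** Like {@link #getPrincipal()} but returns {@code null} instead of throwing when there is no authentication. */
    public static MidPointPrincipal getPrincipalSilent() {
        try {
            return getPrincipal();
        } catch (SecurityViolationException e) {
            return null;
        }
    }

    /**
     * The current {@link MidPointPrincipal}.
     *
     * @return the principal, or {@code null} for Spring's anonymous principal
     * @throws SecurityViolationException when there is no authentication in the security context
     * @throws IllegalArgumentException when the principal is of an unexpected type
     */
    public static MidPointPrincipal getPrincipal() throws SecurityViolationException {
        Authentication authentication = getAuthentication();
        if (authentication == null) {
            SecurityViolationException noAuthentication = new SecurityViolationException("No authentication");
            LOGGER.error("No authentication", (Throwable) noAuthentication);
            throw noAuthentication;
        }
        Object principal = authentication.getPrincipal();
        if (principal instanceof MidPointPrincipal) {
            return (MidPointPrincipal) principal;
        }
        if (principal instanceof String && AuthorizationConstants.ANONYMOUS_USER_PRINCIPAL.equals(principal)) {
            return null;
        }
        throw new IllegalArgumentException("Expected that spring security principal will be of type %s but it was %s".formatted(MidPointPrincipal.class.getName(), MiscUtil.getObjectName(principal)));
    }

    /** The current {@link MidPointPrincipal}, or {@code null} when there is none (never throws). */
    @Nullable
    public static MidPointPrincipal getPrincipalIfExists() {
        Authentication authentication = getAuthentication();
        Object principal = authentication != null ? authentication.getPrincipal() : null;
        return principal instanceof MidPointPrincipal ? (MidPointPrincipal) principal : null;
    }

    /**
     * The current {@link MidPointPrincipal}, failing when there is no logged-in user
     * (including the anonymous case that {@link #getPrincipal()} maps to {@code null}).
     */
    public static MidPointPrincipal getPrincipalRequired() throws SecurityViolationException {
        return MiscUtil.requireNonNull(getPrincipal(), () -> new SecurityViolationException("No logged-in user"));
    }

    /** OID of the current {@link MidPointPrincipal}, or {@code null} when there is none. */
    public static String getPrincipalOidIfAuthenticated() {
        MidPointPrincipal principal = getPrincipalIfExists();
        return principal != null ? principal.getOid() : null;
    }

    /**
     * Whether the security context holds an authentication that reports itself authenticated.
     * NOTE(review): an anonymous Spring authentication can satisfy this too; use
     * {@link #getPrincipalRequired()} where a real logged-in user is needed.
     */
    public static boolean isAuthenticated() {
        Authentication authentication = getAuthentication();
        return authentication != null && authentication.isAuthenticated();
    }

    /** The authentication from the thread-bound Spring security context (may be {@code null}). */
    public static Authentication getAuthentication() {
        return SecurityContextHolder.getContext().getAuthentication();
    }

    /** Channels whose login/logout auditing is governed by {@code recordSessionlessAccess}. */
    public static boolean isRecordSessionLessAccessChannel(String channel) {
        return isRestAndActuatorChannel(channel);
    }

    /** Whether {@code channel} is the REST or the actuator channel. */
    public static boolean isRestAndActuatorChannel(String channel) {
        return SchemaConstants.CHANNEL_REST_URI.equals(channel) || SchemaConstants.CHANNEL_ACTUATOR_URI.equals(channel);
    }

    /**
     * Whether login and logout on {@code channel} should be audited: always for interactive
     * channels; for session-less channels (REST, actuator) only when
     * {@code audit/eventRecording/recordSessionlessAccess} is explicitly {@code true}.
     */
    public static boolean isAuditedLoginAndLogout(SystemConfigurationType systemConfiguration, String channel) {
        if (!isRecordSessionLessAccessChannel(channel)) {
            return true;
        }
        if (systemConfiguration == null || systemConfiguration.getAudit() == null
                || systemConfiguration.getAudit().getEventRecording() == null) {
            return false;
        }
        return Boolean.TRUE.equals(systemConfiguration.getAudit().getEventRecording().isRecordSessionlessAccess());
    }

    /**
     * Whether {@code failedAttempts} has reached the policy's lockout threshold.
     * A missing policy, a missing {@code lockoutMaxFailedAttempts} or a non-positive value
     * disables lockout entirely (always {@code false}).
     */
    public static boolean isOverFailedLockoutAttempts(int failedAttempts, CredentialPolicyType policy) {
        Integer maxFailedAttempts = policy != null ? policy.getLockoutMaxFailedAttempts() : null;
        return maxFailedAttempts != null && maxFailedAttempts > 0 && failedAttempts >= maxFailedAttempts;
    }

    /**
     * An authorization granting {@link AuthorizationConstants#AUTZ_ALL_URL} ({@code #all}).
     * This bypasses all authorization checks; it exists for internal privileged operations
     * (system tasks, bootstrap) and must never be attached to a principal on the basis of
     * request or user-supplied data.
     */
    @NotNull
    public static Authorization createPrivilegedAuthorization() {
        AuthorizationType authorizationType = new AuthorizationType();
        authorizationType.getAction().add(AuthorizationConstants.AUTZ_ALL_URL);
        return new Authorization(authorizationType);
    }
}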
