package com.evolveum.midpoint.authentication.impl.provider;

import com.evolveum.midpoint.authentication.api.AuthenticationChannel;
import com.evolveum.midpoint.authentication.api.config.MidpointAuthentication;
import com.evolveum.midpoint.authentication.api.config.ModuleAuthentication;
import com.evolveum.midpoint.authentication.api.util.AuthUtil;
import com.evolveum.midpoint.authentication.impl.module.authentication.CorrelationModuleAuthenticationImpl;
import com.evolveum.midpoint.authentication.impl.module.authentication.token.CorrelationVerificationToken;
import com.evolveum.midpoint.model.api.authentication.GuiProfiledPrincipalManager;
import com.evolveum.midpoint.model.api.correlation.CompleteCorrelationResult;
import com.evolveum.midpoint.model.api.correlation.CorrelationService;
import com.evolveum.midpoint.model.api.correlator.CandidateOwners;
import com.evolveum.midpoint.schema.CorrelatorDiscriminator;
import com.evolveum.midpoint.schema.constants.SchemaConstants;
import com.evolveum.midpoint.security.api.SecurityUtil;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.task.api.TaskManager;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import java.util.Collection;
import java.util.List;
import java.util.Set;
import org.jetbrains.annotations.NotNull;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;

/* loaded from: input_file:BOOT-INF/lib/authentication-impl-4.9.1-SNAPSHOT.jar:com/evolveum/midpoint/authentication/impl/provider/CorrelationProvider.class */
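public class CorrelationProvider extends MidpointAbstractAuthenticationProvider {

    private static final Trace LOGGER = TraceManager.getTrace(CorrelationProvider.class);

    @Autowired
    protected CorrelationService correlationService;

    @Autowired
    private TaskManager taskManager;

    @Autowired
    private GuiProfiledPrincipalManager focusProfileService;

    /**
     * Authenticates a {@link CorrelationVerificationToken} by running the identity-recovery
     * correlator over the pre-focus carried in the token and recording the outcome (owner or
     * candidate owners) on the currently processing {@link CorrelationModuleAuthenticationImpl}.
     *
     * <p>Any {@link AuthenticationException} raised on purpose inside this method (for example the
     * "no identity found" case or the owners-threshold check) is propagated unchanged; every other
     * failure is logged and reported to the caller as the generic
     * {@code web.security.provider.unavailable} key so that no internal detail leaks into the
     * response.
     *
     * @param authentication the token to authenticate; must be a {@link CorrelationVerificationToken}
     * @param enteredUsername supplied by the framework; not consulted by this provider
     * @param requireAssignment supplied by the framework; not consulted by this provider
     * @param channel the authentication channel; not consulted by this provider
     * @param focusType focus class used to build the pre-focus that is correlated
     * @return the (unchanged) {@code authentication} instance when processing succeeded
     * @throws AuthenticationException when the token is of the wrong type, no correlation module is
     *         being processed, nothing was correlated, the owners threshold is exceeded, or the
     *         correlation itself fails
     */
    @Override
    public Authentication doAuthenticate(
            Authentication authentication,
            String enteredUsername,
            List<ObjectReferenceType> requireAssignment,
            AuthenticationChannel channel,
            Class<? extends FocusType> focusType) throws AuthenticationException {
        if (!(authentication instanceof CorrelationVerificationToken)) {
            LOGGER.error("Unsupported authentication {}", authentication);
            throw new AuthenticationServiceException("web.security.provider.unavailable");
        }
        CorrelationVerificationToken token = (CorrelationVerificationToken) authentication;
        try {
            CorrelationModuleAuthenticationImpl moduleAuthentication = requireCorrelationModule();
            CompleteCorrelationResult result = correlate(
                    token, determineArchetypeOid(), moduleAuthentication.getCandidateOids(), focusType);

            ObjectType owner = result.getOwner();
            if (owner == null && !candidateOwnerExist(result)) {
                throw new AuthenticationServiceException("No identity is found.");
            }

            // Remember what the user has entered so far; the pre-focus is rebuilt from the
            // accumulated (processed) attributes, not only from this step's input.
            moduleAuthentication.addAttributes(token.getDetails());
            moduleAuthentication.setPreFocus(
                    token.getPreFocus(focusType, moduleAuthentication.getProcessedAttributes()));

            applyCorrelationResult(result, owner, moduleAuthentication, token);
            return authentication;
        } catch (AuthenticationException e) {
            // Thrown deliberately above (or by a helper): keep its type and message instead of
            // letting the generic handler below overwrite it.
            throw e;
        } catch (Exception e) {
            LOGGER.error("Cannot correlate user, {}", e.getMessage(), e);
            // Generic key towards the caller; the cause is kept for diagnostics only.
            throw new AuthenticationServiceException("web.security.provider.unavailable", e);
        }
    }

    /**
     * Returns the module authentication currently being processed, which must be a
     * {@link CorrelationModuleAuthenticationImpl}.
     *
     * @throws AuthenticationServiceException when no correlation module is being processed
     */
    private CorrelationModuleAuthenticationImpl requireCorrelationModule() {
        ModuleAuthentication processingModule = AuthUtil.getProcessingModule();
        if (!(processingModule instanceof CorrelationModuleAuthenticationImpl)) {
            LOGGER.error("Correlation module authentication is not set");
            throw new AuthenticationServiceException("web.security.provider.unavailable");
        }
        return (CorrelationModuleAuthenticationImpl) processingModule;
    }

    /**
     * Writes the correlation outcome into the module authentication.
     *
     * <ul>
     *   <li>a definite owner replaces whatever owner was recorded before;</li>
     *   <li>while more correlators are still to run, only the candidate owners are updated;</li>
     *   <li>after the last correlator, the remaining candidates become the owners (or the owners
     *       are cleared when there are none) and the owners-number threshold is enforced.</li>
     * </ul>
     *
     * @param result outcome of {@link #correlate}
     * @param owner {@code result.getOwner()}, possibly {@code null}
     * @param moduleAuthentication module authentication being updated
     * @param token token of the current correlation step
     */
    private void applyCorrelationResult(
            CompleteCorrelationResult result,
            ObjectType owner,
            CorrelationModuleAuthenticationImpl moduleAuthentication,
            CorrelationVerificationToken token) {
        if (owner != null) {
            moduleAuthentication.rewriteOwner(owner);
            return;
        }
        if (!isLastCorrelatorProcessing(moduleAuthentication, token)) {
            moduleAuthentication.rewriteCandidateOwners(result.getCandidateOwnersMap());
            return;
        }
        if (candidateOwnerExist(result)) {
            rewriteCandidatesToOwners(result.getCandidateOwnersMap(), moduleAuthentication);
        } else {
            moduleAuthentication.clearOwners();
        }
        checkOwnersNumberUnderRestriction(moduleAuthentication);
    }

    /**
     * Tells whether the token belongs to the last configured correlator, i.e. the module reports
     * it is on its last correlator and the token's correlator index matches the current one.
     */
    private boolean isLastCorrelatorProcessing(
            CorrelationModuleAuthenticationImpl moduleAuthentication, CorrelationVerificationToken token) {
        return moduleAuthentication.isLastCorrelator()
                && moduleAuthentication.currentCorrelatorIndexEquals(token.getCurrentCorrelatorIndex());
    }

    /**
     * Archetype OID taken from the {@link MidpointAuthentication} in the security context, or
     * {@code null} when the context holds a different kind of authentication.
     */
    private String determineArchetypeOid() {
        Authentication current = SecurityUtil.getAuthentication();
        return current instanceof MidpointAuthentication
                ? ((MidpointAuthentication) current).getArchetypeOid()
                : null;
    }

    /** True when the result carries a non-null, non-empty candidate owners map. */
    private boolean candidateOwnerExist(CompleteCorrelationResult result) {
        CandidateOwners candidates = result.getCandidateOwnersMap();
        return candidates != null && !candidates.isEmpty();
    }

    /**
     * Replaces the module's owners with the object-based candidate owners (duplicates skipped).
     *
     * @param candidateOwners candidates produced by the correlator
     * @param moduleAuthentication module authentication whose owners are rewritten
     */
    private void rewriteCandidatesToOwners(
            @NotNull CandidateOwners candidateOwners, CorrelationModuleAuthenticationImpl moduleAuthentication) {
        moduleAuthentication.clearOwners();
        candidateOwners.objectBasedValues()
                .forEach(objectBased -> moduleAuthentication.addOwnerIfNotExist(objectBased.getValue()));
    }

    /**
     * Enforces the configured maximum number of correlated owners, when one is configured.
     * Presumably this bounds how many matched identities a single recovery attempt may surface
     * — the limit is read from the module configuration, not decided here.
     *
     * @throws AuthenticationServiceException when the number of owners exceeds the configured maximum
     */
    private void checkOwnersNumberUnderRestriction(CorrelationModuleAuthenticationImpl moduleAuthentication) {
        Integer maxUsers = moduleAuthentication.getCorrelationMaxUsersNumber();
        if (maxUsers != null && moduleAuthentication.getOwners().size() > maxUsers.intValue()) {
            LOGGER.error("Correlation result owners number exceeds the threshold.");
            throw new AuthenticationServiceException("web.security.provider.unavailable");
        }
    }

    /**
     * Runs the identity-recovery correlator for the token's pre-focus in a fresh task whose channel
     * is {@link SchemaConstants#CHANNEL_IDENTITY_RECOVERY_URI}.
     *
     * @param token token carrying the pre-focus and the correlator name
     * @param archetypeOid archetype OID to correlate against, may be {@code null}
     * @param candidateOids candidate OIDs already known from previous correlator steps
     * @param focusType focus class used to build the pre-focus
     * @return the complete correlation result as returned by {@link CorrelationService#correlate}
     */
    private CompleteCorrelationResult correlate(
            CorrelationVerificationToken token,
            String archetypeOid,
            Set<String> candidateOids,
            Class<? extends FocusType> focusType)
            throws SchemaException, ExpressionEvaluationException, CommunicationException,
            SecurityViolationException, ConfigurationException, ObjectNotFoundException {
        Task task = this.taskManager.createTaskInstance("correlate");
        task.setChannel(SchemaConstants.CHANNEL_IDENTITY_RECOVERY_URI);
        return this.correlationService.correlate(
                token.getPreFocus(focusType),
                archetypeOid,
                candidateOids,
                CorrelatorDiscriminator.forIdentityRecovery(token.getCorrelatorName()),
                task,
                task.getResult());
    }

    /**
     * Re-creates a username/password token with the given authorities; any other token type is
     * returned as is.
     *
     * @param authentication the authenticated token
     * @param newAuthorities authorities to attach to the new token
     * @return a new {@link UsernamePasswordAuthenticationToken} or the original {@code authentication}
     */
    @Override
    protected Authentication createNewAuthenticationToken(
            Authentication authentication, Collection<? extends GrantedAuthority> newAuthorities) {
        if (authentication instanceof UsernamePasswordAuthenticationToken) {
            return new UsernamePasswordAuthenticationToken(
                    authentication.getPrincipal(), authentication.getCredentials(), newAuthorities);
        }
        return authentication;
    }

    /**
     * Supports exactly {@link CorrelationVerificationToken} (subclasses are not accepted, as the
     * comparison is by class equality).
     */
    @Override
    public boolean supports(Class<?> cls) {
        return CorrelationVerificationToken.class.equals(cls);
    }
}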
