package com.evolveum.midpoint.web.security.util;

import com.evolveum.midpoint.authentication.api.authorization.AuthorizationAction;
import com.evolveum.midpoint.authentication.api.authorization.PageDescriptor;
import com.evolveum.midpoint.authentication.api.config.CorrelationModuleAuthentication;
import com.evolveum.midpoint.authentication.api.config.MidpointAuthentication;
import com.evolveum.midpoint.authentication.api.util.AuthUtil;
import com.evolveum.midpoint.gui.api.page.PageAdminLTE;
import com.evolveum.midpoint.gui.api.util.GuiDisplayTypeUtil;
import com.evolveum.midpoint.gui.api.util.WebComponentUtil;
import com.evolveum.midpoint.gui.impl.component.menu.LeftMenuAuthzUtil;
import com.evolveum.midpoint.schema.constants.SchemaConstants;
import com.evolveum.midpoint.schema.util.SecurityPolicyUtil;
import com.evolveum.midpoint.web.component.menu.MainMenuItem;
import com.evolveum.midpoint.web.component.menu.MenuItem;
import com.evolveum.midpoint.web.page.error.PageError;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ArchetypeSelectionModuleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationSequenceChannelType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationSequenceModuleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationSequenceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsResetPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.IdentityRecoveryPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SelfRegistrationPolicyType;
import jakarta.servlet.http.HttpServletRequest;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.Validate;
import org.apache.wicket.RestartResponseException;
import org.apache.wicket.markup.ComponentTag;
import org.apache.wicket.markup.MarkupStream;
import org.apache.wicket.markup.html.WebMarkupContainer;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.request.Response;
import org.apache.wicket.request.cycle.RequestCycle;
import org.jetbrains.annotations.NotNull;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.reactive.result.view.CsrfRequestDataValueProcessor;

/* loaded from: input_file:BOOT-INF/lib/admin-gui-4.9.2-SNAPSHOT.jar:com/evolveum/midpoint/web/security/util/SecurityUtils.class */
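public class SecurityUtils {
    public static final String DEFAULT_LOGOUT_PATH = "/logout";

    /**
     * Tells whether the current user may open the page behind a main menu item.
     *
     * @param mainMenuItem the menu item to check
     * @return {@code true} when the item has no page class, or the page is authorized
     *         according to {@link #isPageAuthorized(Class)}
     */
    public static boolean isMenuAuthorized(MainMenuItem mainMenuItem) {
        Class<? extends WebPage> pageClass = mainMenuItem.getPageClass();
        return pageClass == null || isPageAuthorized(pageClass);
    }

    /**
     * Tells whether the current user may open the page behind a menu item.
     * Authorizations registered for the page in {@link LeftMenuAuthzUtil} take precedence;
     * only when none are registered does the page's own {@link PageDescriptor} decide.
     *
     * @param menuItem the menu item to check, must not be null
     * @return {@code true} when the user holds the registered menu authorizations or,
     *         failing those, the page authorizations
     */
    public static boolean isMenuAuthorized(@NotNull MenuItem menuItem) {
        Class<? extends WebPage> pageClass = menuItem.getPageClass();
        List<String> menuAuthorizations = LeftMenuAuthzUtil.getAuthorizationsForPage(pageClass);
        if (CollectionUtils.isNotEmpty(menuAuthorizations)) {
            return WebComponentUtil.isAuthorized(menuAuthorizations);
        }
        return isPageAuthorized(pageClass);
    }

    /**
     * Same as {@link #isMenuAuthorized(MenuItem)} but consults the view authorizations
     * registered for the page instead of the page authorizations.
     *
     * @param menuItem the menu item to check
     * @return {@code true} when the user holds the registered view authorizations or,
     *         failing those, the page authorizations
     */
    public static boolean isCollectionMenuAuthorized(MenuItem menuItem) {
        Class<? extends WebPage> pageClass = menuItem.getPageClass();
        List<String> viewAuthorizations = LeftMenuAuthzUtil.getAuthorizationsForView(pageClass);
        if (CollectionUtils.isNotEmpty(viewAuthorizations)) {
            return WebComponentUtil.isAuthorized(viewAuthorizations);
        }
        return isPageAuthorized(pageClass);
    }

    /**
     * Checks the action URIs declared in the page's {@link PageDescriptor} annotation
     * against the current user's authorizations.
     *
     * @param cls the page class; may be null
     * @return {@code false} when the class is null or carries no {@link PageDescriptor}
     *         (deny by default), otherwise the result of
     *         {@link WebComponentUtil#isAuthorized(String[])} for the declared action URIs
     */
    public static boolean isPageAuthorized(Class<?> cls) {
        PageDescriptor descriptor = findPageDescriptor(cls);
        if (descriptor == null) {
            // No descriptor means no declared authorizations; deny rather than allow.
            return false;
        }
        List<String> actionUris = collectActionUris(descriptor);
        return WebComponentUtil.isAuthorized(actionUris.toArray(new String[0]));
    }

    /**
     * Collects the action URIs declared in the page's {@link PageDescriptor} annotation.
     *
     * @param cls the page class; may be null
     * @return a mutable list of action URIs, empty when the class is null or has no descriptor
     */
    public static List<String> getPageAuthorizations(Class<?> cls) {
        PageDescriptor descriptor = findPageDescriptor(cls);
        if (descriptor == null) {
            return new ArrayList<>();
        }
        return collectActionUris(descriptor);
    }

    /** Reads the {@link PageDescriptor} annotation of a class, tolerating a null class. */
    private static PageDescriptor findPageDescriptor(Class<?> cls) {
        return cls == null ? null : cls.getAnnotation(PageDescriptor.class);
    }

    /** Extracts {@link AuthorizationAction#actionUri()} of every action into a mutable list. */
    private static List<String> collectActionUris(PageDescriptor descriptor) {
        List<String> actionUris = new ArrayList<>();
        for (AuthorizationAction authorizationAction : descriptor.action()) {
            actionUris.add(authorizationAction.actionUri());
        }
        return actionUris;
    }

    /**
     * Creates a body-only container that appends the CSRF hidden input
     * (see {@link #appendHiddenInputForCsrf(Response)}) after its own body is rendered.
     *
     * @param str the Wicket component id
     * @return the container, with {@code renderBodyOnly} enabled
     */
    public static WebMarkupContainer createHiddenInputForCsrf(String str) {
        WebMarkupContainer container = new WebMarkupContainer(str) {
            @Override
            public void onComponentTagBody(MarkupStream markupStream, ComponentTag componentTag) {
                super.onComponentTagBody(markupStream, componentTag);
                SecurityUtils.appendHiddenInputForCsrf(getResponse());
            }
        };
        container.setRenderBodyOnly(true);
        return container;
    }

    /**
     * Writes a hidden {@code <input>} carrying the CSRF token of the current request.
     * Nothing is written when no token is available (see {@link #getCsrfToken()}).
     *
     * @param response the response the markup is written to
     */
    public static void appendHiddenInputForCsrf(Response response) {
        CsrfToken csrfToken = getCsrfToken();
        if (csrfToken == null) {
            return;
        }
        // The values are server generated, but they still end up inside HTML attributes,
        // so escape them instead of relying on their format.
        response.write("<input type=\"hidden\" name=\"" + escapeAttributeValue(csrfToken.getParameterName())
                + "\" value=\"" + escapeAttributeValue(csrfToken.getToken()) + "\"/>");
    }

    /**
     * Escapes the characters that are significant inside a double-quoted HTML attribute.
     * A null value is rendered as the text {@code null}, as plain string concatenation would.
     */
    private static String escapeAttributeValue(String value) {
        String text = String.valueOf(value);
        StringBuilder escaped = new StringBuilder(text.length());
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '&':
                    escaped.append("&amp;");
                    break;
                case '<':
                    escaped.append("&lt;");
                    break;
                case '>':
                    escaped.append("&gt;");
                    break;
                case '"':
                    escaped.append("&quot;");
                    break;
                case '\'':
                    escaped.append("&#39;");
                    break;
                default:
                    escaped.append(c);
            }
        }
        return escaped.toString();
    }

    /**
     * Reads the CSRF token stored on the current servlet request under
     * {@link CsrfRequestDataValueProcessor#DEFAULT_CSRF_ATTR_NAME}.
     *
     * @return the token, or null when there is no active Wicket request cycle
     *         or the request carries no token
     */
    public static CsrfToken getCsrfToken() {
        RequestCycle cycle = RequestCycle.get();
        if (cycle == null) {
            return null;
        }
        HttpServletRequest request = (HttpServletRequest) cycle.getRequest().getContainerRequest();
        return (CsrfToken) request.getAttribute(CsrfRequestDataValueProcessor.DEFAULT_CSRF_ATTR_NAME);
    }

    /**
     * Finds an authentication sequence whose name <em>or</em> identifier equals {@code str}.
     *
     * @param str the sequence name or identifier; must not be blank when the policy has sequences
     * @param authenticationsPolicyType the authentication policy to search; may be null
     * @return the matching sequence, or null when there is none, the policy has no sequences,
     *         or the matching sequence defines no modules
     * @throws IllegalArgumentException when {@code str} is blank and the policy has sequences
     * @deprecated sequences should be looked up by identifier only, see
     *             {@link #getSequenceByIdentifier(String, AuthenticationsPolicyType)}
     */
    @Deprecated
    public static AuthenticationSequenceType getSequenceByName(String str, AuthenticationsPolicyType authenticationsPolicyType) {
        if (authenticationsPolicyType == null || CollectionUtils.isEmpty(authenticationsPolicyType.getSequence())) {
            return null;
        }
        Validate.notBlank(str, "Name for searching of sequence is blank", new Object[0]);
        for (AuthenticationSequenceType sequence : authenticationsPolicyType.getSequence()) {
            if (sequence == null) {
                continue;
            }
            if (str.equals(sequence.getName()) || str.equals(sequence.getIdentifier())) {
                return sequenceWithModulesOrNull(sequence);
            }
        }
        return null;
    }

    /**
     * Finds an authentication sequence by its identifier.
     *
     * @param str the sequence identifier; must not be blank when the policy has sequences
     * @param authenticationsPolicyType the authentication policy to search; may be null
     * @return the matching sequence, or null when there is none, the policy has no sequences,
     *         or the matching sequence defines no modules
     * @throws IllegalArgumentException when {@code str} is blank and the policy has sequences
     */
    public static AuthenticationSequenceType getSequenceByIdentifier(String str, AuthenticationsPolicyType authenticationsPolicyType) {
        if (authenticationsPolicyType == null || CollectionUtils.isEmpty(authenticationsPolicyType.getSequence())) {
            return null;
        }
        Validate.notBlank(str, "Identifier for searching of sequence is blank", new Object[0]);
        for (AuthenticationSequenceType sequence : authenticationsPolicyType.getSequence()) {
            if (sequence != null && str.equals(sequence.getIdentifier())) {
                return sequenceWithModulesOrNull(sequence);
            }
        }
        return null;
    }

    /** A sequence without modules is unusable, so lookups treat it as not found. */
    private static AuthenticationSequenceType sequenceWithModulesOrNull(AuthenticationSequenceType sequence) {
        return CollectionUtils.isEmpty(sequence.getModule()) ? null : sequence;
    }

    /**
     * Builds the logout path for a sequence, prefixed with the servlet context path when one is given.
     *
     * @param str the context path; may be null or empty
     * @param str2 the sequence URL suffix, must not be null
     * @return {@code /<context>/<suffix>/logout}, or {@code /<suffix>/logout} without a context path
     */
    public static String getPathForLogoutWithContextPath(String str, @NotNull String str2) {
        String logoutPath = getPathForLogout(str2);
        if (StringUtils.isNotEmpty(str)) {
            return "/" + AuthUtil.stripSlashes(str) + logoutPath;
        }
        return logoutPath;
    }

    /** Builds {@code /<suffix>/logout} from a sequence URL suffix with surrounding slashes removed. */
    private static String getPathForLogout(@NotNull String str) {
        return "/" + AuthUtil.stripSlashes(str) + DEFAULT_LOGOUT_PATH;
    }

    /**
     * Tells whether a usable sequence exists under the given identifier or (deprecated) name.
     *
     * @param authenticationsPolicyType the authentication policy; may be null
     * @param str the identifier or name to look for
     * @return {@code true} when either lookup returns a sequence
     */
    @SuppressWarnings("deprecation")
    public static boolean sequenceExists(AuthenticationsPolicyType authenticationsPolicyType, String str) {
        return getSequenceByIdentifier(str, authenticationsPolicyType) != null
                || getSequenceByName(str, authenticationsPolicyType) != null;
    }

    /**
     * Resolves the channel URL suffix of the sequence identified (or, as a fallback, named) by {@code str}.
     *
     * @param str the sequence identifier or name
     * @param securityPolicyType the security policy; may be null
     * @return the channel URL suffix, or null when the policy, the sequence or its channel is missing
     */
    @SuppressWarnings("deprecation")
    public static String getChannelUrlSuffixFromAuthSequence(String str, SecurityPolicyType securityPolicyType) {
        if (securityPolicyType == null) {
            return null;
        }
        AuthenticationsPolicyType authentication = securityPolicyType.getAuthentication();
        AuthenticationSequenceType sequence = getSequenceByIdentifier(str, authentication);
        if (sequence == null) {
            sequence = getSequenceByName(str, authentication);
        }
        if (sequence == null) {
            return null;
        }
        AuthenticationSequenceChannelType channel = sequence.getChannel();
        return channel == null ? null : channel.getUrlSuffix();
    }

    /**
     * Finds the archetype-selection module used by the identity recovery sequence.
     * The sequence's modules are walked in order and the first one whose identifier
     * matches a configured archetype-selection module wins.
     *
     * @param securityPolicyType the security policy; may be null
     * @return the module, or null when the policy, its modules, the identity recovery
     *         sequence or a matching module is missing
     */
    public static ArchetypeSelectionModuleType getArchetypeSelectionAuthModule(SecurityPolicyType securityPolicyType) {
        if (securityPolicyType == null || securityPolicyType.getAuthentication() == null
                || securityPolicyType.getAuthentication().getModules() == null) {
            return null;
        }
        IdentityRecoveryPolicyType identityRecovery = securityPolicyType.getIdentityRecovery();
        if (identityRecovery == null) {
            return null;
        }
        AuthenticationSequenceType recoverySequence = getSequenceByIdentifier(
                identityRecovery.getAuthenticationSequenceIdentifier(), securityPolicyType.getAuthentication());
        if (recoverySequence == null) {
            return null;
        }
        if (CollectionUtils.isEmpty(securityPolicyType.getAuthentication().getModules().getArchetypeSelection())) {
            return null;
        }
        for (AuthenticationSequenceModuleType sequenceModule : recoverySequence.getModule()) {
            String identifier = sequenceModule.getIdentifier();
            if (identifier == null) {
                continue;
            }
            for (ArchetypeSelectionModuleType candidate
                    : securityPolicyType.getAuthentication().getModules().getArchetypeSelection()) {
                // Compare from the non-null side so a module without identifier cannot NPE.
                if (identifier.equals(candidate.getIdentifier())) {
                    return candidate;
                }
            }
        }
        return null;
    }

    /**
     * Finds the correlation module authentication inside the current {@link MidpointAuthentication}.
     * When the security context holds no midPoint authentication, an error is put into the session
     * and the request is restarted on {@link PageError}.
     *
     * @param pageAdminLTE the page used to report the error
     * @return the first {@link CorrelationModuleAuthentication}, or null when the midPoint
     *         authentication contains none
     * @throws RestartResponseException when the current authentication is not a {@link MidpointAuthentication}
     */
    public static CorrelationModuleAuthentication findCorrelationModuleAuthentication(PageAdminLTE pageAdminLTE) {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (!(authentication instanceof MidpointAuthentication)) {
            pageAdminLTE.getSession().error(pageAdminLTE.getString("No midPoint authentication is found"));
            throw new RestartResponseException(PageError.class);
        }
        return (CorrelationModuleAuthentication) ((MidpointAuthentication) authentication).getAuthentications().stream()
                .filter(moduleAuthentication -> moduleAuthentication instanceof CorrelationModuleAuthentication)
                .findFirst()
                .orElse(null);
    }

    /**
     * Builds the link to the self-registration flow.
     *
     * @param securityPolicyType the security policy
     * @return the relative auth link, or an empty string when self registration is not configured,
     *         has no additional authentication sequence, or some sequence is bound to the
     *         invitation channel
     */
    public static String getRegistrationUrl(SecurityPolicyType securityPolicyType) {
        SelfRegistrationPolicyType selfRegistration = SecurityPolicyUtil.getSelfRegistrationPolicy(securityPolicyType);
        if (selfRegistration == null || StringUtils.isBlank(selfRegistration.getAdditionalAuthenticationSequence())) {
            return "";
        }
        if (hasInvitationChannelSequence(securityPolicyType)) {
            // An invitation sequence is configured, so no public registration link is offered.
            return "";
        }
        return getAuthLinkUrl(selfRegistration.getAdditionalAuthenticationSequence(), securityPolicyType);
    }

    /** Tells whether any sequence of the policy is bound to {@link SchemaConstants#CHANNEL_INVITATION_URI}. */
    private static boolean hasInvitationChannelSequence(SecurityPolicyType securityPolicyType) {
        if (securityPolicyType == null || securityPolicyType.getAuthentication() == null
                || CollectionUtils.isEmpty(securityPolicyType.getAuthentication().getSequence())) {
            return false;
        }
        for (AuthenticationSequenceType sequence : securityPolicyType.getAuthentication().getSequence()) {
            AuthenticationSequenceChannelType channel = sequence == null ? null : sequence.getChannel();
            if (channel != null && SchemaConstants.CHANNEL_INVITATION_URI.equals(channel.getChannelId())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the translated label of the self-registration policy.
     *
     * @param securityPolicyType the security policy
     * @return the label, or an empty string when the policy or its display is missing
     */
    public static String getRegistrationLabel(SecurityPolicyType securityPolicyType) {
        SelfRegistrationPolicyType selfRegistration = SecurityPolicyUtil.getSelfRegistrationPolicy(securityPolicyType);
        if (selfRegistration == null || selfRegistration.getDisplay() == null) {
            return "";
        }
        return GuiDisplayTypeUtil.getTranslatedLabel(selfRegistration.getDisplay());
    }

    /**
     * Builds the link to the identity recovery flow.
     *
     * @param securityPolicyType the security policy; may be null
     * @return the relative auth link, or an empty string when identity recovery is not configured
     */
    public static String getIdentityRecoveryUrl(SecurityPolicyType securityPolicyType) {
        IdentityRecoveryPolicyType identityRecovery =
                securityPolicyType == null ? null : securityPolicyType.getIdentityRecovery();
        if (identityRecovery == null) {
            return "";
        }
        return getAuthLinkUrl(identityRecovery.getAuthenticationSequenceIdentifier(), securityPolicyType);
    }

    /**
     * Returns the translated label of the identity recovery policy.
     *
     * @param securityPolicyType the security policy; may be null
     * @return the label, or an empty string when the policy or its display is missing
     */
    public static String getIdentityRecoveryLabel(SecurityPolicyType securityPolicyType) {
        IdentityRecoveryPolicyType identityRecovery =
                securityPolicyType == null ? null : securityPolicyType.getIdentityRecovery();
        if (identityRecovery == null || identityRecovery.getDisplay() == null) {
            return "";
        }
        return GuiDisplayTypeUtil.getTranslatedLabel(identityRecovery.getDisplay());
    }

    /**
     * Builds the link to the password reset flow.
     *
     * @param securityPolicyType the security policy; may be null
     * @return the relative auth link, or an empty string when no reset sequence is configured
     */
    public static String getPasswordResetUrl(SecurityPolicyType securityPolicyType) {
        String sequenceName = getResetPasswordAuthenticationSequenceName(securityPolicyType);
        if (StringUtils.isBlank(sequenceName)) {
            return "";
        }
        return getAuthLinkUrl(sequenceName, securityPolicyType);
    }

    /**
     * Returns the translated label of the credentials reset policy.
     * Unlike the other label getters this one returns null, not an empty string, when unset.
     *
     * @param securityPolicyType the security policy; may be null
     * @return the label, or null when the policy, the reset policy or its display is missing
     */
    public static String getPasswordResetLabel(SecurityPolicyType securityPolicyType) {
        CredentialsResetPolicyType credentialsReset =
                securityPolicyType == null ? null : securityPolicyType.getCredentialsReset();
        if (credentialsReset == null || credentialsReset.getDisplay() == null) {
            return null;
        }
        return GuiDisplayTypeUtil.getTranslatedLabel(credentialsReset.getDisplay());
    }

    /**
     * Returns the authentication sequence name configured for credentials reset.
     *
     * @param securityPolicyType the security policy; may be null
     * @return the sequence name, or null when the policy or its reset policy is missing
     */
    public static String getResetPasswordAuthenticationSequenceName(SecurityPolicyType securityPolicyType) {
        if (securityPolicyType == null) {
            return null;
        }
        CredentialsResetPolicyType credentialsReset = securityPolicyType.getCredentialsReset();
        return credentialsReset == null ? null : credentialsReset.getAuthenticationSequenceName();
    }

    /**
     * Builds the relative {@code ./auth/<suffix>} link for a sequence.
     *
     * @param str the sequence identifier or name
     * @param securityPolicyType the security policy; may be null
     * @return the link, or an empty string when no channel URL suffix can be resolved
     */
    public static String getAuthLinkUrl(String str, SecurityPolicyType securityPolicyType) {
        String urlSuffix = getChannelUrlSuffixFromAuthSequence(str, securityPolicyType);
        return StringUtils.isEmpty(urlSuffix) ? "" : "./auth/" + urlSuffix;
    }
}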
