package com.evolveum.midpoint.authentication.impl.authorization.evaluator;

import com.evolveum.midpoint.authentication.api.AuthenticationModuleState;
import com.evolveum.midpoint.authentication.api.config.MidpointAuthentication;
import com.evolveum.midpoint.authentication.api.config.ModuleAuthentication;
import com.evolveum.midpoint.authentication.api.util.AuthUtil;
import com.evolveum.midpoint.authentication.impl.module.authentication.HttpModuleAuthentication;
import com.evolveum.midpoint.model.api.ModelService;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.schema.AccessDecision;
import com.evolveum.midpoint.schema.constants.SchemaConstants;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.security.api.AuthorizationConstants;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.security.api.MidPointPrincipalManager;
import com.evolveum.midpoint.security.api.ProfileCompilerOptions;
import com.evolveum.midpoint.security.api.SecurityContextManager;
import com.evolveum.midpoint.security.api.SecurityUtil;
import com.evolveum.midpoint.security.enforcer.api.AuthorizationParameters;
import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.task.api.TaskManager;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.exception.SystemException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import java.lang.invoke.SerializedLambda;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import org.springframework.context.ApplicationContext;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;

/* loaded from: input_file:BOOT-INF/lib/authentication-impl-4.9.2-SNAPSHOT.jar:com/evolveum/midpoint/authentication/impl/authorization/evaluator/MidpointHttpAuthorizationEvaluator.class */
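/**
 * Access-decision manager for REST (HTTP) requests that layers "proxy user"
 * (switch-to-principal) handling on top of {@link MidPointGuiAuthorizationEvaluator}.
 * <p>
 * Once the inherited decision has passed, every successfully authenticated
 * {@link HttpModuleAuthentication} carrying a proxy user OID is processed: the proxy user is
 * loaded, the <em>originally authenticated</em> principal is checked for
 * {@link AuthorizationConstants#AUTZ_REST_PROXY_URL} against that object, and only then are the
 * authentication's principal and authorities replaced by those of the proxy user. Denials set
 * the authentication's already-audited flag before propagating.
 * <p>
 * The proxy user lookup itself runs privileged (see {@link #searchUser}), presumably because the
 * requesting principal need not have read access to the target; the authorization check on the
 * loaded object is what gates the switch.
 */
public class MidpointHttpAuthorizationEvaluator extends MidPointGuiAuthorizationEvaluator {

    private static final Trace LOGGER = TraceManager.getTrace(MidpointHttpAuthorizationEvaluator.class);

    public static final String CLASS_DOT = MidpointHttpAuthorizationEvaluator.class.getName() + ".";
    public static final String OPERATION_REST_SERVICE = CLASS_DOT + "restService";

    private final ModelService model;
    private final TaskManager taskManager;
    private final SecurityContextManager securityContextManager;

    public MidpointHttpAuthorizationEvaluator(SecurityEnforcer securityEnforcer,
            SecurityContextManager securityContextManager, TaskManager taskManager, ModelService modelService,
            ApplicationContext applicationContext) {
        super(securityEnforcer, securityContextManager, taskManager, applicationContext);
        this.model = modelService;
        this.taskManager = taskManager;
        this.securityContextManager = securityContextManager;
    }

    /**
     * Runs the inherited decision first and then, for a {@link MidpointAuthentication}, applies
     * a proxy-user switch for every successful HTTP module authentication that requests one.
     * <p>
     * Ordering matters: the standard decision must pass before any impersonation is attempted,
     * and the {@code AUTZ_REST_PROXY_URL} check is evaluated for the principal as it was
     * <em>before</em> the switch. If several module authentications carry a proxy OID, they are
     * processed in iteration order and the last successful switch wins.
     *
     * @throws AccessDeniedException if either the inherited decision or the proxy check denies;
     *         the already-audited flag of the current authentication is set first
     * @throws InsufficientAuthenticationException propagated from the inherited decision, with
     *         the already-audited flag set first
     * @throws SystemException if the proxy user cannot be loaded or the proxy check fails with an
     *         infrastructure error
     */
    @Override
    public void decide(Authentication authentication, Object obj, Collection<ConfigAttribute> collection)
            throws AccessDeniedException, InsufficientAuthenticationException {
        try {
            super.decide(authentication, obj, collection);
            if (authentication instanceof MidpointAuthentication) {
                MidpointAuthentication midpointAuthentication = (MidpointAuthentication) authentication;
                for (ModuleAuthentication moduleAuthentication : midpointAuthentication.getAuthentications()) {
                    String proxyUserOid = proxyUserOidOf(moduleAuthentication);
                    if (proxyUserOid != null) {
                        switchToProxyUser(midpointAuthentication, proxyUserOid, obj, collection);
                    }
                }
            }
        } catch (AccessDeniedException | InsufficientAuthenticationException e) {
            // Denied requests are audited by this evaluator's caller only once; flag it here.
            AuthUtil.getMidpointAuthentication().setAlreadyAudited(true);
            throw e;
        }
    }

    /**
     * Returns the proxy user OID requested by a module authentication, or {@code null} when the
     * module is not an HTTP module, did not finish successfully, or requests no proxy user.
     * Only a successful module may trigger impersonation.
     */
    private static String proxyUserOidOf(ModuleAuthentication moduleAuthentication) {
        if (!AuthenticationModuleState.SUCCESSFULLY.equals(moduleAuthentication.getState())) {
            return null;
        }
        if (!(moduleAuthentication instanceof HttpModuleAuthentication)) {
            return null;
        }
        return ((HttpModuleAuthentication) moduleAuthentication).getProxyUserOid();
    }

    /**
     * Loads the proxy user, verifies that the currently authenticated principal holds
     * {@code AUTZ_REST_PROXY_URL} for it, and on success replaces the authentication's principal
     * and authorities with the proxy user's.
     *
     * @param authentication the authentication to switch; mutated on success
     * @param proxyUserOid OID of the focus object to impersonate
     * @param obj the secured object passed to {@link #decide}
     * @param collection the config attributes passed to {@link #decide}
     * @throws SystemException if the proxy user cannot be loaded (thrown outside the
     *         authorization try-block, so it is not rewrapped) or if any infrastructure error
     *         occurs during the check or the principal lookup
     * @throws AccessDeniedException if the principal is not authorized to act as the proxy user;
     *         the already-audited flag is set before rethrowing
     */
    private void switchToProxyUser(MidpointAuthentication authentication, String proxyUserOid, Object obj,
            Collection<ConfigAttribute> collection) {
        Task task = this.taskManager.createTaskInstance(OPERATION_REST_SERVICE);
        task.setChannel(SchemaConstants.CHANNEL_REST_URI);
        List<String> requiredActions = new ArrayList<>();
        PrismObject<? extends FocusType> proxyUser = searchUser(proxyUserOid, task);
        if (proxyUser == null) {
            throw new SystemException("Couldn't get proxy user");
        }
        try {
            // Note: the task owner is set to the proxy user before the authorization check runs.
            task.setOwner(proxyUser);
            requiredActions.add(AuthorizationConstants.AUTZ_REST_PROXY_URL);
            try {
                // The check is made for the principal that actually authenticated, with the
                // proxy user as the object of the authorization.
                decideInternal(getPrincipalFromAuthentication(authentication, obj, collection), requiredActions,
                        authentication, obj, task, AuthorizationParameters.Builder.buildObject(proxyUser));
                MidPointPrincipal principal = this.securityContextManager.getUserProfileService().getPrincipal(
                        proxyUser,
                        ProfileCompilerOptions.createNotCompileGuiAdminConfiguration().locateSecurityPolicy(false),
                        new OperationResult(MidPointPrincipalManager.OPERATION_GET_PRINCIPAL));
                // From here on the request acts with the proxy user's identity and authorities.
                authentication.setPrincipal(principal);
                authentication.setAuthorities(principal.getAuthorities());
            } catch (AccessDeniedException | InsufficientAuthenticationException e) {
                authentication.setAlreadyAudited(true);
                throw e;
            }
        } catch (CommunicationException | ConfigurationException | ExpressionEvaluationException | SchemaException
                | SecurityViolationException | SystemException e) {
            LOGGER.error("Error while processing authorization: {}", e.getMessage(), e);
            LOGGER.trace("DECIDE: authentication={}, object={}, requiredActions={}: ERROR {}",
                    authentication, obj, requiredActions, e.getMessage());
            throw new SystemException("Error while processing authorization: " + e.getMessage(), e);
        }
    }

    /**
     * Evaluates {@code requiredActions} for {@code principal} against {@code parameters} and
     * returns normally only on an explicit {@link AccessDecision#ALLOW}.
     *
     * @throws AccessDeniedException for any other decision, including a {@code null} one
     *         (fail closed); the denial is also logged via {@link SecurityUtil#logSecurityDeny}
     * @throws SystemException wrapping any infrastructure error from the enforcer
     */
    private void decideInternal(MidPointPrincipal principal, List<String> requiredActions,
            Authentication authentication, Object obj, Task task,
            AuthorizationParameters<? extends ObjectType, ? extends ObjectType> parameters) {
        try {
            AccessDecision decision = decideAccess(principal, requiredActions, parameters, task, task.getResult());
            if (LOGGER.isTraceEnabled()) {
                LOGGER.trace("DECIDE: authentication={}, object={}, requiredActions={}: {}",
                        authentication, obj, requiredActions, decision);
            }
            // Null-safe comparison: anything that is not an explicit ALLOW is treated as a denial.
            if (AccessDecision.ALLOW.equals(decision)) {
                return;
            }
            SecurityUtil.logSecurityDeny(obj, ": Not authorized", null, requiredActions);
            throw new AccessDeniedException("Not authorized");
        } catch (CommunicationException | ConfigurationException | ExpressionEvaluationException
                | ObjectNotFoundException | SchemaException | SecurityViolationException e) {
            LOGGER.error("Error while processing authorization: {}", e.getMessage(), e);
            LOGGER.trace("DECIDE: authentication={}, object={}, requiredActions={}: ERROR {}",
                    authentication, obj, requiredActions, e.getMessage());
            throw new SystemException("Error while processing authorization: " + e.getMessage(), e);
        }
    }

    /**
     * Loads the focus object with the given OID under elevated privileges.
     *
     * @return the object, or {@code null} if it could not be loaded for any reason (not found,
     *         access violation, schema/communication/configuration error); the cause is logged
     *         rather than dropped, and the caller turns {@code null} into a {@link SystemException}
     */
    private PrismObject<? extends FocusType> searchUser(String oid, Task task) {
        return (PrismObject<? extends FocusType>) this.securityContextManager.runPrivileged(() -> {
            try {
                return this.model.getObject(FocusType.class, oid, null, task, task.getResult());
            } catch (CommunicationException | ConfigurationException | ExpressionEvaluationException
                    | ObjectNotFoundException | SchemaException | SecurityViolationException e) {
                // Keep the original null contract for the caller, but do not lose the cause.
                LOGGER.debug("Couldn't get proxy user {}: {}", oid, e.getMessage(), e);
                return null;
            }
        });
    }
}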
