package com.evolveum.midpoint.repo.common.security;

import com.evolveum.midpoint.prism.Item;
import com.evolveum.midpoint.prism.PrismContainer;
import com.evolveum.midpoint.prism.PrismContainerValue;
import com.evolveum.midpoint.prism.PrismContext;
import com.evolveum.midpoint.prism.PrismProperty;
import com.evolveum.midpoint.prism.PrismPropertyValue;
import com.evolveum.midpoint.prism.PrismValue;
import com.evolveum.midpoint.prism.crypto.EncryptionException;
import com.evolveum.midpoint.prism.crypto.ProtectedData;
import com.evolveum.midpoint.prism.crypto.Protector;
import com.evolveum.midpoint.prism.delta.ContainerDelta;
import com.evolveum.midpoint.prism.delta.ItemDelta;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.delta.PropertyDelta;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.schema.constants.SchemaConstants;
import com.evolveum.midpoint.security.api.SecurityUtil;
import com.evolveum.midpoint.util.MiscUtil;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsStorageTypeType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
import java.util.Collection;
import java.util.Iterator;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

@Component
/* loaded from: input_file:BOOT-INF/lib/repo-common-4.9.2-SNAPSHOT.jar:com/evolveum/midpoint/repo/common/security/CredentialsStorageManager.class */
public class CredentialsStorageManager {
    private static final Trace LOGGER;

    @Autowired
    private Protector protector;
    static final /* synthetic */ boolean $assertionsDisabled;

    public <O extends ObjectType> ObjectDelta<O> transformFocusExecutionDelta(@Nullable CredentialsPolicyType credentialsPolicyType, @NotNull ObjectDelta<O> objectDelta) throws SchemaException, EncryptionException {
        if (credentialsPolicyType == null || objectDelta.isDelete()) {
            return objectDelta;
        }
        ObjectDelta<O> mo1625clone = objectDelta.mo1625clone();
        transformFocusExecutionDeltaForCredential(credentialsPolicyType, credentialsPolicyType.getPassword(), "password", SchemaConstants.PATH_PASSWORD_VALUE, mo1625clone);
        return mo1625clone;
    }

    private <O extends ObjectType> void transformFocusExecutionDeltaForCredential(@NotNull CredentialsPolicyType credentialsPolicyType, @Nullable CredentialPolicyType credentialPolicyType, @NotNull String str, @NotNull ItemPath itemPath, @NotNull ObjectDelta<O> objectDelta) throws SchemaException, EncryptionException {
        if (!$assertionsDisabled && objectDelta.isDelete()) {
            throw new AssertionError();
        }
        CredentialsStorageTypeType credentialStorageType = SecurityUtil.getCredentialStorageType(credentialsPolicyType.getDefault(), credentialPolicyType);
        switch (credentialStorageType) {
            case ENCRYPTION:
                LOGGER.trace("Credential {} should be encrypted, nothing to do", str);
                return;
            case HASHING:
                LOGGER.trace("Hashing credential: {}", str);
                hashCredentialValue(itemPath, objectDelta);
                return;
            case NONE:
                LOGGER.trace("Removing credential: {}", str);
                removeCredentialValue(itemPath, objectDelta);
                return;
            default:
                throw new SchemaException("Unknown storage type " + credentialStorageType);
        }
    }

    private <O extends ObjectType> void hashCredentialValue(ItemPath itemPath, ObjectDelta<O> objectDelta) throws SchemaException, EncryptionException {
        if (objectDelta.isAdd()) {
            Item findProperty = objectDelta.getObjectToAdd().findProperty(itemPath);
            if (findProperty != null) {
                hashValues(findProperty.getValues());
                return;
            }
            return;
        }
        PropertyDelta propertyDelta = (PropertyDelta) objectDelta.findItemDelta(itemPath, PropertyDelta.class, PrismProperty.class, true);
        if (propertyDelta != null) {
            hashValues(propertyDelta.getValuesToAdd());
            hashValues(propertyDelta.getValuesToReplace());
            hashValues(propertyDelta.getValuesToDelete());
            return;
        }
        ItemPath allExceptLast = itemPath.allExceptLast();
        ContainerDelta containerDelta = (ContainerDelta) objectDelta.findItemDelta(allExceptLast, ContainerDelta.class, PrismContainer.class, true);
        if (containerDelta != null) {
            hashPasswordPcvs(containerDelta.getValuesToAdd());
            hashPasswordPcvs(containerDelta.getValuesToReplace());
            return;
        }
        ContainerDelta containerDelta2 = (ContainerDelta) objectDelta.findItemDelta(allExceptLast.allExceptLast(), ContainerDelta.class, PrismContainer.class, true);
        if (containerDelta2 != null) {
            hashCredentialsPcvs(containerDelta2.getValuesToAdd());
            hashCredentialsPcvs(containerDelta2.getValuesToReplace());
        }
    }

    private <O extends ObjectType> void removeCredentialValue(ItemPath itemPath, ObjectDelta<O> objectDelta) {
        if (objectDelta.isAdd()) {
            objectDelta.getObjectToAdd().removeProperty(itemPath);
            return;
        }
        ItemDelta findPropertyDelta = objectDelta.findPropertyDelta(itemPath);
        if (findPropertyDelta != null) {
            findPropertyDelta.setValueToReplace();
        }
    }

    private void hashValues(Collection<PrismPropertyValue<ProtectedStringType>> collection) throws SchemaException, EncryptionException {
        Iterator it = MiscUtil.emptyIfNull(collection).iterator();
        while (it.hasNext()) {
            ProtectedStringType protectedStringType = (ProtectedStringType) ((PrismPropertyValue) it.next()).getValue();
            if (!protectedStringType.isHashed()) {
                this.protector.hash(protectedStringType);
            }
        }
    }

    private void encryptValues(Collection<PrismPropertyValue<ProtectedStringType>> collection) throws EncryptionException {
        Iterator it = MiscUtil.emptyIfNull(collection).iterator();
        while (it.hasNext()) {
            ProtectedStringType protectedStringType = (ProtectedStringType) ((PrismPropertyValue) it.next()).getValue();
            if (!protectedStringType.isEncrypted()) {
                this.protector.encrypt(protectedStringType);
            }
        }
    }

    private void hashPasswordPcvs(Collection<PrismContainerValue<PasswordType>> collection) throws SchemaException, EncryptionException {
        Iterator it = MiscUtil.emptyIfNull(collection).iterator();
        while (it.hasNext()) {
            PasswordType passwordType = (PasswordType) ((PrismContainerValue) it.next()).getValue();
            if (passwordType != null && passwordType.getValue() != null && !passwordType.getValue().isHashed()) {
                this.protector.hash(passwordType.getValue());
            }
        }
    }

    private void hashCredentialsPcvs(Collection<PrismContainerValue<CredentialsType>> collection) throws SchemaException, EncryptionException {
        ProtectedStringType value;
        if (collection != null) {
            Iterator<PrismContainerValue<CredentialsType>> it = collection.iterator();
            while (it.hasNext()) {
                CredentialsType value2 = it.next().getValue();
                if (value2 != null && value2.getPassword() != null && (value = value2.getPassword().getValue()) != null && !value.isHashed()) {
                    this.protector.hash(value);
                }
            }
        }
    }

    public PropertyDelta<ProtectedStringType> transformShadowPasswordDelta(@Nullable CredentialsPolicyType credentialsPolicyType, boolean z, PropertyDelta<ProtectedStringType> propertyDelta) throws SchemaException, EncryptionException {
        CredentialsStorageTypeType storageType = getStorageType(credentialsPolicyType, z);
        PropertyDelta<ProtectedStringType> mo1622clone = propertyDelta.mo1622clone();
        switch (storageType) {
            case ENCRYPTION:
                encryptValues(mo1622clone.getNewValues());
                break;
            case HASHING:
                hashValues(mo1622clone.getNewValues());
                break;
            case NONE:
                mo1622clone.clearValuesToAdd();
                mo1622clone.clearValuesToDelete();
                mo1622clone.setValueToReplace();
                break;
            default:
                throw unsupported(storageType);
        }
        return mo1622clone;
    }

    public void transformShadowPasswordWithRealValue(@Nullable CredentialsPolicyType credentialsPolicyType, boolean z, @NotNull PrismProperty<ProtectedStringType> prismProperty) throws SchemaException, EncryptionException {
        CredentialsStorageTypeType storageType = getStorageType(credentialsPolicyType, z);
        switch (storageType) {
            case ENCRYPTION:
                ProtectedStringType protectedStringType = (ProtectedStringType) prismProperty.getRealValue(ProtectedStringType.class);
                if (protectedStringType.isHashed()) {
                    throw new IllegalStateException("Hashed value cannot be stored in the shadow");
                }
                if (protectedStringType.hasClearValue()) {
                    this.protector.encrypt(protectedStringType);
                    return;
                }
                return;
            case HASHING:
                this.protector.hash((ProtectedData) prismProperty.getRealValue(ProtectedStringType.class));
                return;
            case NONE:
                prismProperty.clear();
                return;
            default:
                throw unsupported(storageType);
        }
    }

    @NotNull
    private static CredentialsStorageTypeType getStorageType(@Nullable CredentialsPolicyType credentialsPolicyType, boolean z) {
        CredentialsStorageTypeType passwordStorageType = SecurityUtil.getPasswordStorageType(credentialsPolicyType);
        return (z && passwordStorageType == CredentialsStorageTypeType.ENCRYPTION) ? CredentialsStorageTypeType.HASHING : passwordStorageType;
    }

    @Nullable
    public PropertyDelta<ProtectedStringType> createShadowPasswordDelta(@Nullable CredentialsPolicyType credentialsPolicyType, @Nullable ProtectedStringType protectedStringType, @NotNull ProtectedStringType protectedStringType2) throws SchemaException, EncryptionException {
        if (!$assertionsDisabled && !protectedStringType2.canGetCleartext()) {
            throw new AssertionError();
        }
        CredentialsStorageTypeType passwordStorageType = SecurityUtil.getPasswordStorageType(credentialsPolicyType);
        switch (passwordStorageType) {
            case ENCRYPTION:
                if (protectedStringType != null && protectedStringType.isEncrypted() && this.protector.compareCleartext(protectedStringType, protectedStringType2)) {
                    return null;
                }
                ProtectedStringType mo1616clone = protectedStringType2.mo1616clone();
                if (!mo1616clone.isEncrypted()) {
                    this.protector.encrypt(mo1616clone);
                }
                return createPasswordReplaceDelta(mo1616clone);
            case HASHING:
                if (protectedStringType != null && protectedStringType.isHashed() && this.protector.compareCleartext(protectedStringType, protectedStringType2)) {
                    return null;
                }
                ProtectedStringType mo1616clone2 = protectedStringType2.mo1616clone();
                this.protector.hash(mo1616clone2);
                return createPasswordReplaceDelta(mo1616clone2);
            case NONE:
                if (protectedStringType != null) {
                    return createPasswordReplaceDelta();
                }
                return null;
            default:
                throw unsupported(passwordStorageType);
        }
    }

    @Nullable
    public PropertyDelta<ProtectedStringType> updateShadowPasswordIfNeeded(@NotNull ProtectedStringType protectedStringType, CredentialsPolicyType credentialsPolicyType, boolean z) throws SchemaException, EncryptionException {
        if (!$assertionsDisabled && !protectedStringType.isEncrypted() && !protectedStringType.isHashed()) {
            throw new AssertionError();
        }
        CredentialsStorageTypeType storageType = getStorageType(credentialsPolicyType, z);
        switch (storageType) {
            case ENCRYPTION:
                return null;
            case HASHING:
                if (!protectedStringType.isEncrypted()) {
                    return null;
                }
                ProtectedStringType mo1616clone = protectedStringType.mo1616clone();
                this.protector.hash(mo1616clone);
                return createPasswordReplaceDelta(mo1616clone);
            case NONE:
                return createPasswordReplaceDelta();
            default:
                throw unsupported(storageType);
        }
    }

    private static PropertyDelta<ProtectedStringType> createPasswordReplaceDelta() throws SchemaException {
        return (PropertyDelta) PrismContext.get().deltaFor(ShadowType.class).item(SchemaConstants.PATH_PASSWORD_VALUE).replace(new PrismValue[0]).asItemDelta();
    }

    private static PropertyDelta<ProtectedStringType> createPasswordReplaceDelta(ProtectedStringType protectedStringType) throws SchemaException {
        return (PropertyDelta) PrismContext.get().deltaFor(ShadowType.class).item(SchemaConstants.PATH_PASSWORD_VALUE).replace(protectedStringType).asItemDelta();
    }

    private static UnsupportedOperationException unsupported(CredentialsStorageTypeType credentialsStorageTypeType) {
        return new UnsupportedOperationException("Unsupported credentials storage type: " + credentialsStorageTypeType);
    }

    static {
        $assertionsDisabled = !CredentialsStorageManager.class.desiredAssertionStatus();
        LOGGER = TraceManager.getTrace((Class<?>) CredentialsStorageManager.class);
    }
}
