package com.evolveum.midpoint.model.impl.security;

import com.evolveum.midpoint.audit.api.AuditEventRecord;
import com.evolveum.midpoint.audit.api.AuditEventStage;
import com.evolveum.midpoint.audit.api.AuditEventType;
import com.evolveum.midpoint.audit.api.AuditService;
import com.evolveum.midpoint.schema.constants.SchemaConstants;
import com.evolveum.midpoint.schema.result.OperationResultStatus;
import com.evolveum.midpoint.security.api.AuthorizationConstants;
import com.evolveum.midpoint.security.api.SecurityEnforcer;
import com.evolveum.midpoint.security.api.UserProfileService;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.task.api.TaskManager;
import com.evolveum.midpoint.util.QNameUtil;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPMessage;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.saaj.SAAJInInterceptor;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.phase.PhaseInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.ws.commons.schema.utils.DOMUtil;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.util.WSSecurityUtil;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/* loaded from: input_file:lib/model-impl-3.0.jar:com/evolveum/midpoint/model/impl/security/SpringAuthenticationInjectorInterceptor.class */
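/**
 * CXF phase interceptor that turns a WS-Security {@code UsernameToken} into a Spring Security
 * {@link UsernamePasswordAuthenticationToken} and then checks that the authenticated user is
 * authorized for the requested web-service operation.
 * <p>
 * Runs in {@link Phase#PRE_PROTOCOL} and is ordered <em>after</em> {@link WSS4JInInterceptor}
 * (see the constructor): this class does not verify credentials itself, it only reads the
 * username that WSS4J has already processed. Every denial is written to the audit log as a
 * failed {@code CREATE_SESSION} event via {@link #auditLoginFailure(String)}.
 * <p>
 * Not thread-safe by design concerns of its own: all mutable state lives in the CXF message and
 * the thread-local {@link SecurityContextHolder}.
 */
public class SpringAuthenticationInjectorInterceptor implements PhaseInterceptor<SoapMessage> {

    private static final Trace LOGGER = TraceManager.getTrace(SpringAuthenticationInjectorInterceptor.class);

    private final UserProfileService userDetailsService;
    private final SecurityEnforcer securityEnforcer;
    private final AuditService auditService;
    private final TaskManager taskManager;

    // CXF ordering constraints; "after" is populated in the constructor.
    private final Set<String> before = new HashSet<>();
    private final Set<String> after = new HashSet<>();
    private final String id = getClass().getName();
    private final String phase = Phase.PRE_PROTOCOL;

    /**
     * @param userProfileService resolves a username to the midPoint principal placed in the Spring context
     * @param securityEnforcer   performs the per-operation authorization decision
     * @param auditService       receives the audit record for every denied request
     * @param taskManager        supplies the task instance the audit call requires
     */
    public SpringAuthenticationInjectorInterceptor(UserProfileService userProfileService, SecurityEnforcer securityEnforcer, AuditService auditService, TaskManager taskManager) {
        this.userDetailsService = userProfileService;
        this.securityEnforcer = securityEnforcer;
        this.auditService = auditService;
        this.taskManager = taskManager;
        // Credentials must already have been verified by WSS4J before we trust the header contents.
        this.after.add(WSS4JInInterceptor.class.getName());
    }

    @Override // org.apache.cxf.phase.PhaseInterceptor
    public Set<String> getAfter() {
        return this.after;
    }

    @Override // org.apache.cxf.phase.PhaseInterceptor
    public Set<String> getBefore() {
        return this.before;
    }

    @Override // org.apache.cxf.phase.PhaseInterceptor
    public String getId() {
        return this.id;
    }

    @Override // org.apache.cxf.phase.PhaseInterceptor
    public String getPhase() {
        return this.phase;
    }

    /** No companion interceptors; CXF permits {@code null} here. */
    @Override // org.apache.cxf.phase.PhaseInterceptor
    public Collection<PhaseInterceptor<? extends Message>> getAdditionalInterceptors() {
        return null;
    }

    /**
     * Forces the SAAJ model to be built for the message and returns it.
     *
     * @return the SAAJ message, or {@code null} if the SAAJ interceptor did not attach one
     */
    private SOAPMessage getSOAPMessage(SoapMessage soapMessage) {
        SAAJInInterceptor.INSTANCE.handleMessage(soapMessage);
        return (SOAPMessage) soapMessage.getContent(SOAPMessage.class);
    }

    /**
     * Authenticates (in the Spring sense) and authorizes the incoming SOAP request.
     * <p>
     * Flow: read the username from the WS-Security header, look up its principal, put it into the
     * thread-local security context, then check authorization for the operation named by the first
     * SOAP body element. Any failure is audited and surfaced as a {@link Fault}.
     *
     * @throws Fault if the SAAJ message is missing, the header cannot be read, the user is unknown,
     *         or the user is not authorized for the operation
     */
    @Override // org.apache.cxf.interceptor.Interceptor
    public void handleMessage(SoapMessage soapMessage) throws Fault {
        SOAPMessage saajMessage = getSOAPMessage(soapMessage);
        if (saajMessage == null) {
            // Without the SAAJ model there is no security header to inspect; fail closed
            // instead of letting a NullPointerException escape from getSOAPPart().
            LOGGER.debug("Access to web service denied: no SAAJ message available on the CXF message");
            auditLoginFailure(null);
            throw new Fault(new WSSecurityException("Unauthorized"));
        }

        // Declared outside the try so the catch blocks can audit the username that was actually
        // attempted (it stays null only if the header itself could not be read).
        String username = null;
        try {
            Element securityHeader = WSSecurityUtil.getSecurityHeader(saajMessage.getSOAPPart(), "");
            username = getUsernameFromSecurityHeader(securityHeader);

            if (username != null && username.length() > 0) {
                // getPrincipal() throws ObjectNotFoundException for an unknown user - handled below.
                SecurityContextHolder.getContext().setAuthentication(
                        new UsernamePasswordAuthenticationToken(this.userDetailsService.getPrincipal(username), (Object) null));
                authorizeOperation(saajMessage, username);
            }
            // NOTE(review): a request carrying no UsernameToken reaches this line with no
            // Authentication set. This relies on WSS4JInInterceptor (ordered before us) having
            // already rejected unauthenticated requests - confirm against the WS-Security policy.
            // NOTE(review): on the denial paths above the Authentication set here stays in the
            // thread-local SecurityContext; confirm a downstream filter/interceptor clears it.
            LOGGER.debug("Access to web service allowed for user '{}'", username);
        } catch (ObjectNotFoundException e) {
            LOGGER.debug("Access to web service denied for user '{}': object not found: {}", new Object[]{username, e.getMessage(), e});
            auditLoginFailure(username);
            // Deliberately generic: do not reveal to the caller whether the user exists.
            throw new Fault(new WSSecurityException("Unauthorized"));
        } catch (WSSecurityException e) {
            LOGGER.debug("Access to web service denied for user '{}': security exception: {}", new Object[]{username, e.getMessage(), e});
            auditLoginFailure(username);
            throw new Fault(e);
        }
    }

    /**
     * Checks that the already-authenticated user may invoke the requested operation.
     * The action URI is built from the local name of the first element of the SOAP body under
     * {@link AuthorizationConstants#NS_AUTHORIZATION_WS}.
     *
     * @param saajMessage the request; its body names the operation
     * @param username    the authenticated user, used for logging and auditing only
     * @throws Fault if the body cannot be read or is empty, the authorization check fails with a
     *         schema error, or the user is not authorized; each denial is audited
     */
    private void authorizeOperation(SOAPMessage saajMessage, String username) throws Fault {
        String operationName;
        try {
            Element bodyElement = DOMUtil.getFirstChildElement(saajMessage.getSOAPBody());
            operationName = bodyElement == null ? null : bodyElement.getLocalName();
        } catch (SOAPException e) {
            LOGGER.debug("Access to web service denied for user '{}': SOAP error: {}", new Object[]{username, e.getMessage(), e});
            auditLoginFailure(username);
            throw new Fault((Throwable) e);
        }
        if (operationName == null) {
            // An empty body names no operation; deny rather than build a QName from null.
            LOGGER.debug("Access to web service denied for user '{}': empty SOAP body", username);
            auditLoginFailure(username);
            throw new Fault(new WSSecurityException("Unauthorized"));
        }

        String action = QNameUtil.qNameToUri(new QName(AuthorizationConstants.NS_AUTHORIZATION_WS, operationName));
        LOGGER.trace("Determining authorization for web service operation {} (action: {})", operationName, action);

        boolean authorized;
        try {
            authorized = this.securityEnforcer.isAuthorized(action, AuthorizationPhaseType.REQUEST, null, null, null, null);
        } catch (SchemaException e) {
            LOGGER.debug("Access to web service denied for user '{}': schema error: {}", new Object[]{username, e.getMessage(), e});
            auditLoginFailure(username);
            throw new Fault(e);
        }
        if (!authorized) {
            LOGGER.debug("Access to web service denied for user '{}': not authorized", username);
            auditLoginFailure(username);
            throw new Fault(new WSSecurityException("Unauthorized"));
        }
    }

    /**
     * Extracts the {@code Username} text from the {@code UsernameToken} child of the WS-Security header.
     *
     * @param securityHeader the {@code wsse:Security} header element, may be {@code null}
     * @return the username, or the empty string if the header or token is absent
     */
    private String getUsernameFromSecurityHeader(Element securityHeader) {
        String username = "";
        if (securityHeader == null) {
            // WSSecurityUtil.getSecurityHeader() returns null when the header is absent;
            // the caller treats the empty string as "no username".
            return username;
        }
        NodeList headerChildren = securityHeader.getChildNodes();
        for (int i = 0; i < headerChildren.getLength(); i++) {
            Node tokenNode = headerChildren.item(i);
            if (tokenNode.getNodeType() != Node.ELEMENT_NODE || !"UsernameToken".equals(tokenNode.getLocalName())) {
                continue;
            }
            NodeList tokenChildren = tokenNode.getChildNodes();
            for (int j = 0; j < tokenChildren.getLength(); j++) {
                Node tokenChild = tokenChildren.item(j);
                if ("Username".equals(tokenChild.getLocalName())) {
                    // NOTE(review): if the header carries several UsernameToken/Username elements the
                    // last one wins; confirm this is the same token WSS4JInInterceptor validated.
                    username = tokenChild.getTextContent();
                }
            }
        }
        return username;
    }

    /** Nothing to undo on fault: the security context is populated only on the success path. */
    @Override // org.apache.cxf.interceptor.Interceptor
    public void handleFault(SoapMessage soapMessage) {
    }

    /**
     * Records a failed web-service login attempt in the audit log.
     *
     * @param username the attempted username, or {@code null} if it could not be determined
     */
    private void auditLoginFailure(String username) {
        Task task = this.taskManager.createTaskInstance();
        task.setChannel(SchemaConstants.CHANNEL_WEB_SERVICE_URI);

        AuditEventRecord record = new AuditEventRecord(AuditEventType.CREATE_SESSION, AuditEventStage.REQUEST);
        record.setParameter(username);
        record.setChannel(SchemaConstants.CHANNEL_WEB_SERVICE_URI);
        record.setTimestamp(System.currentTimeMillis());
        record.setOutcome(OperationResultStatus.FATAL_ERROR);
        this.auditService.audit(record, task);
    }
}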
