package com.evolveum.midpoint.model.impl.security;

import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.crypto.EncryptionException;
import com.evolveum.midpoint.prism.crypto.Protector;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.security.api.SecurityEnforcer;
import com.evolveum.midpoint.security.api.UserProfileService;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.jaxrs.ext.RequestHandler;
import org.apache.cxf.jaxrs.ext.ResponseHandler;
import org.apache.cxf.jaxrs.model.ClassResourceInfo;
import org.apache.cxf.jaxrs.model.OperationResourceInfo;
import org.apache.cxf.message.Message;
import org.apache.cxf.transport.http.auth.HttpAuthHeader;
import org.springframework.beans.factory.annotation.Autowired;

/* loaded from: input_file:lib/model-impl-3.0.jar:com/evolveum/midpoint/model/impl/security/MidpointRestAuthenticationHandler.class */
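/**
 * HTTP Basic authentication handler for the midPoint REST service.
 *
 * <p>Reads the user name and password that CXF already parsed into the request's
 * {@link AuthorizationPolicy}, looks the user up through {@link UserProfileService},
 * compares the supplied password with the user's stored password and, on success,
 * stores the {@link UserType} on the message under {@code "authenticatedUser"} and
 * installs a pre-authenticated security context through {@link SecurityEnforcer}.
 * {@link #handleResponse} clears that context again when the response goes out.
 *
 * <p>Security notes:
 * <ul>
 *   <li>Every failure answers with the same {@code 401} carrying a plain {@code Basic}
 *       challenge. Earlier revisions put a different sentence in {@code WWW-Authenticate}
 *       for "unknown user", "no password sent", "user has no credentials" and "wrong
 *       password"; that is not a valid challenge value and it let a client enumerate
 *       which accounts exist.</li>
 *   <li>The stored password is either held in clear or reversibly encrypted and is
 *       decrypted with {@link Protector} for the comparison; it is not a one-way hash.
 *       That is the credential storage this handler is given, not something it can
 *       change here.</li>
 *   <li>The comparison uses {@link MessageDigest#isEqual} so that the time it takes
 *       does not reveal how much of a guess matched.</li>
 *   <li>NOTE(review): the security context installed here is presumably thread-bound
 *       and is only cleared in {@link #handleResponse}; confirm with the CXF version in
 *       use that the response handler runs for every request this handler accepted.</li>
 * </ul>
 */
public class MidpointRestAuthenticationHandler implements RequestHandler, ResponseHandler {

    /** Key under which the authenticated {@link UserType} is stored on the CXF message. */
    private static final String AUTHENTICATED_USER_KEY = "authenticatedUser";

    @Autowired(required = true)
    private UserProfileService userDetails;

    @Autowired(required = true)
    private SecurityEnforcer securityEnforcer;

    @Autowired(required = true)
    private Protector protector;

    /**
     * Authenticates the inbound request with HTTP Basic credentials.
     *
     * @param message           the inbound CXF message; on success the authenticated
     *                          user is stored on it under {@code "authenticatedUser"}
     * @param classResourceInfo the resource class being invoked (not used)
     * @return {@code null} when authentication succeeded and processing should continue,
     *         otherwise a {@code 401} response with a {@code Basic} challenge
     */
    @Override
    public Response handleRequest(Message message, ClassResourceInfo classResourceInfo) {
        AuthorizationPolicy authorizationPolicy = (AuthorizationPolicy) message.get(AuthorizationPolicy.class);
        if (authorizationPolicy == null || authorizationPolicy.getUserName() == null) {
            // No Basic credentials at all: challenge the client.
            return unauthorized();
        }
        String userName = authorizationPolicy.getUserName();
        String suppliedPassword = authorizationPolicy.getPassword();

        MidPointPrincipal principal;
        try {
            principal = this.userDetails.getPrincipal(userName);
        } catch (ObjectNotFoundException ignored) {
            // Unknown user gets exactly the same answer as a wrong password.
            return unauthorized();
        }
        if (principal == null || suppliedPassword == null) {
            return unauthorized();
        }

        UserType user = principal.getUser();
        if (!passwordMatches(suppliedPassword, user)) {
            return unauthorized();
        }

        message.put(AUTHENTICATED_USER_KEY, user);
        this.securityEnforcer.setupPreAuthenticatedSecurityContext(user.asPrismObject());
        return null;
    }

    /**
     * Compares the supplied password with the user's stored password.
     *
     * <p>Returns {@code false} whenever a stored credential cannot be obtained: the user
     * has no credentials, no password, no password value, the value holds neither a clear
     * nor an encrypted form, or decryption fails. A missing value used to raise a
     * {@code NullPointerException} (and so a 500) instead of a 401.
     *
     * @param supplied the password sent by the client, never {@code null}
     * @param user     the user looked up for the request's user name, may be {@code null}
     * @return {@code true} only if the two passwords are byte-for-byte equal
     */
    private boolean passwordMatches(String supplied, UserType user) {
        if (user == null || user.getCredentials() == null) {
            return false;
        }
        PasswordType password = user.getCredentials().getPassword();
        if (password == null || password.getValue() == null) {
            return false;
        }
        ProtectedStringType value = password.getValue();

        String stored;
        if (value.getClearValue() != null) {
            stored = value.getClearValue();
        } else if (value.getEncryptedDataType() != null) {
            try {
                stored = this.protector.decryptString(value);
            } catch (EncryptionException ignored) {
                // An undecryptable credential is treated as no credential; the client
                // must not learn why the attempt failed.
                return false;
            }
        } else {
            return false;
        }
        return constantTimeEquals(supplied, stored);
    }

    /**
     * Compares two strings without short-circuiting on the first differing byte.
     *
     * @return {@code false} if {@code stored} is {@code null}, otherwise whether the
     *         UTF-8 encodings of both strings are equal
     */
    private static boolean constantTimeEquals(String supplied, String stored) {
        if (stored == null) {
            return false;
        }
        return MessageDigest.isEqual(
                supplied.getBytes(StandardCharsets.UTF_8),
                stored.getBytes(StandardCharsets.UTF_8));
    }

    /** The single {@code 401} answer used for every failed or missing authentication. */
    private static Response unauthorized() {
        return Response.status(401)
                .header(HttpHeaders.WWW_AUTHENTICATE, HttpAuthHeader.AUTH_TYPE_BASIC)
                .build();
    }

    /**
     * Clears the pre-authenticated security context set up in {@link #handleRequest}
     * so it does not survive into whatever this thread processes next.
     *
     * @return always {@code null}; the original response is left untouched
     */
    @Override
    public Response handleResponse(Message message, OperationResourceInfo operationResourceInfo, Response response) {
        this.securityEnforcer.setupPreAuthenticatedSecurityContext((PrismObject<UserType>) null);
        return null;
    }
}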
