package com.evolveum.midpoint.model.impl.lens.projector;

import com.evolveum.midpoint.common.policy.PasswordPolicyUtils;
import com.evolveum.midpoint.model.api.PolicyViolationException;
import com.evolveum.midpoint.model.impl.ModelObjectResolver;
import com.evolveum.midpoint.model.impl.lens.LensContext;
import com.evolveum.midpoint.model.impl.lens.LensFocusContext;
import com.evolveum.midpoint.model.impl.lens.LensProjectionContext;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.PrismProperty;
import com.evolveum.midpoint.prism.PrismReference;
import com.evolveum.midpoint.prism.PrismReferenceValue;
import com.evolveum.midpoint.prism.crypto.EncryptionException;
import com.evolveum.midpoint.prism.crypto.Protector;
import com.evolveum.midpoint.prism.delta.ChangeType;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.delta.PropertyDelta;
import com.evolveum.midpoint.prism.delta.ReferenceDelta;
import com.evolveum.midpoint.schema.GetOperationOptions;
import com.evolveum.midpoint.schema.SelectorOptions;
import com.evolveum.midpoint.schema.constants.SchemaConstants;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SystemException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ValuePolicyType;
import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

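/**
 * Projector step that validates a password being set on a user (focus) or on an account
 * shadow against the applicable value (password) policy.
 *
 * <p>The policy is resolved in this order: the org the user is being moved into (from the
 * {@code parentOrgRef} modification in the delta), then the password policy of the user's
 * current parent orgs (walking up the hierarchy), then the context's effective password
 * policy. The resolved org policy is cached on the focus context.
 *
 * <p>The clear-text password only ever exists transiently inside
 * {@link #determinePasswordValue(PrismProperty)} and the validator call; it is never logged
 * and must not be placed into any exception or result message.
 */
@Component
/* loaded from: input_file:lib/model-impl-3.0.jar:com/evolveum/midpoint/model/impl/lens/projector/PasswordPolicyProcessor.class */
public class PasswordPolicyProcessor {
    private static final Trace LOGGER = TraceManager.getTrace(PasswordPolicyProcessor.class);

    @Autowired(required = true)
    Protector protector;

    @Autowired(required = true)
    ModelObjectResolver resolver;

    /**
     * Validates the value of {@code passwordProperty} against {@code passwordPolicy}.
     *
     * @param passwordPolicy   policy to enforce; {@code null} means no policy applies and the check is skipped
     * @param passwordProperty the {@code password/value} property; {@code null} or an empty value is validated as {@code ""}
     * @param result           operation result the validator records its findings into
     * @throws PolicyViolationException if the password does not satisfy the policy
     * @throws SchemaException          propagated from policy validation
     */
    void processPasswordPolicy(ValuePolicyType passwordPolicy, PrismProperty<?> passwordProperty, OperationResult result)
            throws PolicyViolationException, SchemaException {
        if (passwordPolicy == null) {
            LOGGER.trace("Skipping processing password policies. Password policy not specified.");
            return;
        }
        // The clear-text value goes straight into the validator and nowhere else.
        boolean valid = PasswordPolicyUtils.validatePassword(determinePasswordValue(passwordProperty), passwordPolicy, result);
        if (valid) {
            return;
        }
        result.computeStatus();
        // NOTE(review): result.getMessage() is expected to describe which rules failed, never the
        // value itself — confirm against PasswordPolicyUtils before surfacing this message further.
        throw new PolicyViolationException("Provided password does not satisfy password policies. " + result.getMessage());
    }

    /**
     * Enforces the password policy on a focus change. Only users are checked; a missing or
     * delete delta, or a modify delta without a password change, is skipped.
     *
     * @param focusContext focus being changed; the resolved org policy is cached on it
     * @param context      lens context supplying the fallback effective password policy
     * @param result       operation result
     * @throws PolicyViolationException if the new password violates the policy
     * @throws SchemaException          on schema problems while inspecting the delta or resolving orgs
     */
    public <F extends FocusType> void processPasswordPolicy(LensFocusContext<F> focusContext, LensContext<F> context, OperationResult result)
            throws PolicyViolationException, SchemaException {
        if (!UserType.class.isAssignableFrom(focusContext.getObjectTypeClass())) {
            LOGGER.trace("Skipping processing password policies because focus is not user");
            return;
        }
        ObjectDelta<F> delta = focusContext.getDelta();
        if (delta == null) {
            LOGGER.trace("Skipping processing password policies. User delta not specified.");
            return;
        }
        if (delta.isDelete()) {
            LOGGER.trace("Skipping processing password policies. User will be deleted.");
            return;
        }
        PrismProperty<?> passwordProperty = null;
        if (ChangeType.ADD == delta.getChangeType()) {
            PrismObject<F> objectToAdd = delta.getObjectToAdd();
            if (objectToAdd != null) {
                passwordProperty = objectToAdd.findProperty(SchemaConstants.PATH_PASSWORD_VALUE);
            }
        } else if (ChangeType.MODIFY == delta.getChangeType()) {
            PropertyDelta<?> passwordDelta = delta.findPropertyDelta(SchemaConstants.PATH_PASSWORD_VALUE);
            if (passwordDelta == null) {
                LOGGER.trace("Skipping processing password policies. User delta does not contain password change.");
                return;
            }
            // A delta that only removes the password leaves no value; the empty value is then
            // checked against the policy. Add and replace use the resulting new value.
            passwordProperty = passwordDelta.isDelete() ? null : passwordDelta.getPropertyNew();
        }
        ValuePolicyType policy = focusContext.getOrgPasswordPolicy();
        if (policy == null) {
            policy = determineValuePolicy(delta, focusContext.getObjectAny(), context, result);
            focusContext.setOrgPasswordPolicy(policy);
        }
        processPasswordPolicy(policy, passwordProperty, result);
    }

    /**
     * Resolves the policy to enforce: org from the delta, then current parent orgs, then the
     * context's effective policy.
     *
     * @return the policy, or {@code null} if none of the sources provides one
     */
    private <T extends ObjectType, F extends ObjectType> ValuePolicyType determineValuePolicy(ObjectDelta<?> delta, PrismObject<T> object, LensContext<F> context, OperationResult result)
            throws SchemaException {
        ValuePolicyType policy = determinePolicyFromOrgDelta(delta, result);
        if (policy == null) {
            policy = determinePolicyFromParentOrgs(object, result);
        }
        if (policy == null) {
            policy = context.getEffectivePasswordPolicy();
        }
        if (policy != null) {
            // A policy without a name must not break the trace.
            Object policyName = policy.getName() == null ? null : policy.getName().getOrig();
            LOGGER.trace("Value policy {} will be used to check password.", policyName);
        }
        return policy;
    }

    /**
     * Looks for a password policy on the org referenced by the {@code parentOrgRef} modification
     * of {@code delta}, then up that org's own parent hierarchy.
     *
     * @return the policy, or {@code null} if the delta does not change parent orgs or no org defines one
     * @throws IllegalStateException if a referenced org does not exist
     */
    private ValuePolicyType determinePolicyFromOrgDelta(ObjectDelta<?> delta, OperationResult result) throws SchemaException {
        LOGGER.trace("Determining password policy from org delta.");
        ReferenceDelta parentOrgDelta = delta.findReferenceModification(ObjectType.F_PARENT_ORG_REF);
        if (parentOrgDelta == null) {
            return null;
        }
        try {
            // Only a single value of the parentOrgRef modification is consulted (getAnyValue);
            // a delta assigning several orgs at once is not reconciled here.
            PrismObject<?> org = this.resolver.resolve(parentOrgDelta.getAnyValue(), "resolving parent org ref", (GetOperationOptions) null, (Task) null, result);
            ValuePolicyType policy = resolvePolicy(org, result);
            if (policy == null) {
                policy = determinePolicyFromParentOrgs(org, result);
            }
            return policy;
        } catch (ObjectNotFoundException e) {
            throw new IllegalStateException("Cannot resolve parent org referenced by the delta: " + e.getMessage(), e);
        }
    }

    /**
     * Looks for a password policy on the parent orgs of {@code object}; if none of them defines
     * one directly, recurses into their parents and returns the first policy found.
     *
     * @return the policy, or {@code null} if no ancestor org defines one
     * @throws IllegalStateException if a second parent org is encountered after one already supplied
     *                               a policy (ambiguous configuration), or a referenced org does not exist
     */
    private ValuePolicyType determinePolicyFromParentOrgs(PrismObject<?> object, OperationResult result) throws SchemaException {
        LOGGER.trace("Determining password policies from object {}", object);
        PrismReference parentOrgRef = object.findReference(ObjectType.F_PARENT_ORG_REF);
        if (parentOrgRef == null) {
            return null;
        }
        ValuePolicyType policy = null;
        List<PrismObject<?>> parentOrgs = new ArrayList<>();
        try {
            for (PrismReferenceValue refValue : parentOrgRef.getValues()) {
                if (refValue == null) {
                    continue;
                }
                // A further parent org after one already supplied a policy is treated as
                // ambiguous: refuse rather than silently pick one.
                if (policy != null) {
                    throw new IllegalStateException("Found more than one policy while trying to validate user's password. Please check your configuration");
                }
                PrismObject<?> parentOrg = this.resolver.resolve(refValue, "resolving parent org ref", (GetOperationOptions) null, (Task) null, result);
                parentOrgs.add(parentOrg);
                policy = resolvePolicy(parentOrg, result);
            }
            if (policy != null) {
                return policy;
            }
            // No direct policy: walk up the hierarchy, first ancestor policy wins.
            for (PrismObject<?> parentOrg : parentOrgs) {
                policy = determinePolicyFromParentOrgs(parentOrg, result);
                if (policy != null) {
                    return policy;
                }
            }
            return null;
        } catch (ObjectNotFoundException e) {
            throw new IllegalStateException("Cannot resolve parent org: " + e.getMessage(), e);
        }
    }

    /**
     * Resolves the password policy directly referenced by an org.
     *
     * @param org    a resolved parent org; the target is expected to be an {@link OrgType},
     *               anything else fails the cast
     * @return the referenced policy, or {@code null} if the org references none
     * @throws IllegalStateException if the referenced policy object does not exist
     */
    private ValuePolicyType resolvePolicy(PrismObject<?> org, OperationResult result) throws SchemaException {
        OrgType orgType = (OrgType) org.asObjectable();
        ObjectReferenceType passwordPolicyRef = orgType.getPasswordPolicyRef();
        if (passwordPolicyRef == null) {
            return null;
        }
        LOGGER.trace("Org {} has specified password policy.", orgType);
        try {
            ValuePolicyType policy = (ValuePolicyType) this.resolver.resolve(passwordPolicyRef, ValuePolicyType.class, (Collection<SelectorOptions<GetOperationOptions>>) null, "resolving password policy for organization", result);
            LOGGER.trace("Resolved password policy {}", policy);
            return policy;
        } catch (ObjectNotFoundException e) {
            // The cause is carried by the exception; no separate stack trace printing.
            throw new IllegalStateException("Password policy referenced by org does not exist: " + e.getMessage(), e);
        }
    }

    /**
     * Enforces the password policy on an account shadow change. A shadow password may only be
     * replaced; a modify delta that adds or deletes password values is rejected.
     *
     * @param projectionContext projection being changed
     * @param context           lens context; its focus (when present) may supply an org policy
     * @param result            operation result
     * @throws SchemaException          if the shadow delta adds or deletes the password value
     * @throws PolicyViolationException if the new password violates the policy
     */
    public <F extends ObjectType> void processPasswordPolicy(LensProjectionContext projectionContext, LensContext<F> context, OperationResult result)
            throws SchemaException, PolicyViolationException {
        ObjectDelta<ShadowType> delta = projectionContext.getDelta();
        if (delta == null) {
            LOGGER.trace("Skipping processing password policies. Shadow delta not specified.");
            return;
        }
        if (ChangeType.DELETE == delta.getChangeType()) {
            return;
        }
        PrismProperty<?> passwordProperty = null;
        if (ChangeType.ADD == delta.getChangeType()) {
            PrismObject<ShadowType> objectToAdd = delta.getObjectToAdd();
            if (objectToAdd != null) {
                passwordProperty = objectToAdd.findProperty(SchemaConstants.PATH_PASSWORD_VALUE);
            }
        }
        if (ChangeType.MODIFY == delta.getChangeType() || passwordProperty == null) {
            PropertyDelta<?> passwordDelta = delta.findPropertyDelta(SchemaConstants.PATH_PASSWORD_VALUE);
            if (delta.getChangeType() == ChangeType.MODIFY && passwordDelta != null && (passwordDelta.isAdd() || passwordDelta.isDelete())) {
                throw new SchemaException("Shadow password value cannot be added or deleted, it can only be replaced");
            }
            if (passwordDelta == null) {
                LOGGER.trace("Skipping processing password policies. Shadow delta does not contain password change.");
                return;
            }
            passwordProperty = passwordDelta.getPropertyNew();
        }
        ValuePolicyType policy;
        if (isCheckOrgPolicy(context)) {
            policy = determinePolicyFromParentOrgs(context.getFocusContext().getObjectAny(), result);
            context.getFocusContext().setOrgPasswordPolicy(policy);
        } else {
            policy = projectionContext.getEffectivePasswordPolicy();
        }
        processPasswordPolicy(policy, passwordProperty, result);
    }

    /**
     * Decides whether the org policy of the focus has to be looked up for a projection change.
     *
     * @return {@code true} if the context has a focus, its delta neither adds the focus nor changes
     *         its password, and no org policy has been cached on it yet
     */
    private <F extends ObjectType> boolean isCheckOrgPolicy(LensContext<F> context) throws SchemaException {
        LensFocusContext<F> focusContext = context.getFocusContext();
        if (focusContext == null) {
            // No focus in this context (presumably a shadow-only operation): nothing whose org
            // hierarchy could supply a policy, so the projection's effective policy is used.
            return false;
        }
        ObjectDelta<F> focusDelta = focusContext.getDelta();
        if (focusDelta != null) {
            if (focusDelta.isAdd()) {
                return false;
            }
            if (focusDelta.isModify() && focusDelta.hasItemDelta(SchemaConstants.PATH_PASSWORD_VALUE)) {
                return false;
            }
        }
        return focusContext.getOrgPasswordPolicy() == null;
    }

    /**
     * Extracts the clear-text password from a {@code password/value} property, decrypting it
     * with the configured {@link Protector} when only the encrypted form is present.
     *
     * <p>The returned value is sensitive: callers pass it to the validator only and never log it.
     * A protected string that carries neither a clear value nor encrypted data (e.g. only some
     * other form) yields {@code ""}, so the policy cannot be checked against it.
     *
     * @param passwordProperty the property, may be {@code null}
     * @return the clear-text password, or {@code ""} when there is no value
     * @throws SystemException if decryption fails
     */
    private String determinePasswordValue(PrismProperty<?> passwordProperty) {
        if (passwordProperty == null || passwordProperty.getValue(ProtectedStringType.class) == null) {
            return "";
        }
        ProtectedStringType protectedString = (ProtectedStringType) passwordProperty.getValue(ProtectedStringType.class).getValue();
        if (protectedString == null) {
            return "";
        }
        String clearValue = protectedString.getClearValue();
        if (clearValue == null && protectedString.getEncryptedDataType() != null) {
            try {
                clearValue = this.protector.decryptString(protectedString);
            } catch (EncryptionException e) {
                throw new SystemException("Failed to process password for user: ", e);
            }
        }
        return clearValue != null ? clearValue : "";
    }
}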
