package org.apache.syncope.core.misc.security;

import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.annotation.Resource;
import org.apache.commons.collections4.Closure;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.collections4.IterableUtils;
import org.apache.commons.collections4.SetUtils;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.lang3.tuple.ImmutablePair;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.syncope.common.lib.types.AuditElements;
import org.apache.syncope.core.misc.AuditManager;
import org.apache.syncope.core.misc.EntitlementsHolder;
import org.apache.syncope.core.misc.utils.MappingUtils;
import org.apache.syncope.core.misc.utils.RealmUtils;
import org.apache.syncope.core.persistence.api.dao.AnyTypeDAO;
import org.apache.syncope.core.persistence.api.dao.ConfDAO;
import org.apache.syncope.core.persistence.api.dao.DomainDAO;
import org.apache.syncope.core.persistence.api.dao.GroupDAO;
import org.apache.syncope.core.persistence.api.dao.RealmDAO;
import org.apache.syncope.core.persistence.api.dao.UserDAO;
import org.apache.syncope.core.persistence.api.entity.Domain;
import org.apache.syncope.core.persistence.api.entity.Realm;
import org.apache.syncope.core.persistence.api.entity.Role;
import org.apache.syncope.core.persistence.api.entity.conf.CPlainAttr;
import org.apache.syncope.core.persistence.api.entity.conf.CPlainAttrValue;
import org.apache.syncope.core.persistence.api.entity.group.Group;
import org.apache.syncope.core.persistence.api.entity.resource.ExternalResource;
import org.apache.syncope.core.persistence.api.entity.user.User;
import org.apache.syncope.core.provisioning.api.ConnectorFactory;
import org.identityconnectors.framework.common.objects.OperationOptions;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.transaction.annotation.Transactional;

/* loaded from: input_file:org/apache/syncope/core/misc/security/AuthDataAccessor.class */
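/**
 * Data-access helper used during authentication and authorization.
 *
 * <p>It looks up domains and users, verifies passwords against internal storage and,
 * failing that, against the pass-through resources selected by account policies,
 * maintains the last-login date and failed-login counter, and builds the set of
 * {@link SyncopeGrantedAuthority} granted to a username.
 *
 * <p>Security notes for maintainers:
 * <ul>
 * <li>Account-state checks in {@link #authenticate(Authentication)} run before the password is
 * verified, so a {@link DisabledException} does not imply that the supplied password was
 * correct. Callers should not expose the difference between "disabled" and "bad credentials"
 * to unauthenticated clients.</li>
 * <li>This class only counts failed logins; no lock-out threshold is enforced here.</li>
 * <li>The clear-text password is handed to external connectors for pass-through
 * authentication; it is never written to the log by this class.</li>
 * </ul>
 */
public class AuthDataAccessor {

    protected static final Logger LOG = LoggerFactory.getLogger(AuthDataAccessor.class);

    protected static final Encryptor ENCRYPTOR = Encryptor.getInstance();

    /** Username treated as the built-in administrator (injected bean {@code adminUser}). */
    @Resource(name = "adminUser")
    protected String adminUser;

    /** Username treated as the anonymous principal (injected bean {@code anonymousUser}). */
    @Resource(name = "anonymousUser")
    protected String anonymousUser;

    @Autowired
    protected DomainDAO domainDAO;

    @Autowired
    protected ConfDAO confDAO;

    @Autowired
    protected RealmDAO realmDAO;

    @Autowired
    protected UserDAO userDAO;

    @Autowired
    protected GroupDAO groupDAO;

    @Autowired
    protected AnyTypeDAO anyTypeDAO;

    @Autowired
    protected ConnectorFactory connFactory;

    @Autowired
    protected AuditManager auditManager;

    @Autowired
    protected MappingUtils mappingUtils;

    /**
     * Looks up a domain by key.
     *
     * @param str key of the domain to find
     * @return the matching domain, never {@code null}
     * @throws AuthenticationServiceException if no such domain exists; the message echoes the
     * requested key, so it should not be rendered unescaped to clients
     */
    @Transactional(readOnly = true)
    public Domain findDomain(String str) {
        Domain domain = this.domainDAO.find(str);
        if (domain == null) {
            throw new AuthenticationServiceException("Could not find domain " + str);
        }
        return domain;
    }

    /**
     * Authenticates the principal carried by the given token and records the outcome on the user.
     *
     * <p>On success the failed-login counter is reset and, when the {@code log.lastlogindate}
     * configuration value is true (its default here), the last-login date is updated. On failure
     * the failed-login counter is incremented. The user is saved only if something changed.
     * {@code noRollbackFor} keeps the transaction from rolling back when a
     * {@link DisabledException} is raised.
     *
     * @param authentication token providing the username ({@code getName()}) and the
     * clear-text password ({@code getCredentials()})
     * @return pair of (user key, authentication result); both elements are {@code null} when no
     * user with that name exists
     * @throws DisabledException if the user is suspended, or if {@code authentication.statuses}
     * is configured and does not contain the user's status; raised before the password is checked
     */
    @Transactional(noRollbackFor = {DisabledException.class})
    public Pair<Long, Boolean> authenticate(Authentication authentication) {
        Long key = null;
        Boolean authenticated = null;

        // NOTE(review): an unknown username skips password verification entirely, so response
        // time may differ from the known-user path - confirm whether callers compensate.
        User user = this.userDAO.find(authentication.getName());
        if (user != null) {
            key = (Long) user.getKey();

            if (Boolean.TRUE.equals(user.isSuspended())) {
                throw new DisabledException("User " + user.getUsername() + " is suspended");
            }

            CPlainAttr allowedStatuses = this.confDAO.find("authentication.statuses");
            if (allowedStatuses != null && !allowedStatuses.getValuesAsStrings().contains(user.getStatus())) {
                throw new DisabledException("User " + user.getUsername() + " not allowed to authenticate");
            }

            boolean userChanged = false;

            // NOTE(review): getCredentials() is dereferenced without a null check; a token
            // without credentials ends in a NullPointerException rather than a failed login.
            authenticated = Boolean.valueOf(authenticate(user, authentication.getCredentials().toString()));
            if (authenticated.booleanValue()) {
                CPlainAttrValue logLastLogin = (CPlainAttrValue) this.confDAO
                        .find("log.lastlogindate", Boolean.toString(true)).getValues().get(0);
                if (logLastLogin.getBooleanValue().booleanValue()) {
                    user.setLastLoginDate(new Date());
                    userChanged = true;
                }
                if (user.getFailedLogins().intValue() != 0) {
                    user.setFailedLogins(0);
                    userChanged = true;
                }
            } else {
                // Only the counter is maintained here; any lock-out decision is made elsewhere.
                user.setFailedLogins(Integer.valueOf(user.getFailedLogins().intValue() + 1));
                userChanged = true;
            }

            if (userChanged) {
                this.userDAO.save(user);
            }
        }

        return ImmutablePair.of(key, authenticated);
    }

    /**
     * Verifies a clear-text password for a user, first against the stored password and then,
     * if that fails, against each pass-through resource until one accepts it.
     *
     * <p>A connector failure is logged at debug level and treated as "not authenticated" on that
     * resource, so an unreachable resource is indistinguishable from a wrong password unless
     * debug logging is enabled. The password is passed to the connector but never logged.
     *
     * @param user user whose credentials are being checked
     * @param str clear-text password supplied by the caller
     * @return {@code true} if internal storage or any pass-through resource accepted the password
     */
    protected boolean authenticate(User user, String str) {
        boolean verified = ENCRYPTOR.verify(str, user.getCipherAlgorithm(), user.getPassword());
        LOG.debug("{} authenticated on internal storage: {}", user.getUsername(), Boolean.valueOf(verified));

        for (ExternalResource resource : getPassthroughResources(user)) {
            if (verified) {
                break;
            }

            String connObjectKey = null;
            try {
                connObjectKey = this.mappingUtils.getConnObjectKeyValue(
                        user, resource.getProvision(this.anyTypeDAO.findUser()));
                // A non-null return from the connector is what counts as success.
                if (this.connFactory.getConnector(resource).authenticate(
                        connObjectKey, str, (OperationOptions) null) != null) {
                    verified = true;
                }
            } catch (Exception e) {
                // Deliberate best effort: fall through to the next resource.
                LOG.debug("Could not authenticate {} on {}",
                        new Object[]{user.getUsername(), resource.getKey(), e});
            }
            LOG.debug("{} authenticated on {} as {}: {}",
                    new Object[]{user.getUsername(), resource.getKey(), connObjectKey, Boolean.valueOf(verified)});
        }

        return verified;
    }

    /**
     * Computes the resources on which pass-through authentication may be attempted for a user.
     *
     * <p>The result is the intersection of the resource sets of every non-empty account policy
     * found on the user's resources and on the ancestors of the user's realm. Policies that are
     * absent or list no resources do not take part in the intersection.
     *
     * <p>The intersection is built on a private copy. Calling {@code retainAll} on the set
     * returned by a policy would shrink that policy's own resource list if the getter exposes
     * the live collection, and a login inside a read-write transaction could then end up
     * changing which resources the policy allows for pass-through authentication.
     *
     * @param user user being authenticated
     * @return the resources to try, possibly empty, never {@code null}
     */
    protected Set<? extends ExternalResource> getPassthroughResources(User user) {
        Set<ExternalResource> result = null;

        for (ExternalResource resource : this.userDAO.findAllResources(user)) {
            if (resource.getAccountPolicy() != null) {
                result = intersect(result, resource.getAccountPolicy().getResources());
            }
        }

        for (Realm realm : this.realmDAO.findAncestors(user.getRealm())) {
            if (realm.getAccountPolicy() != null) {
                result = intersect(result, realm.getAccountPolicy().getResources());
            }
        }

        return SetUtils.emptyIfNull(result);
    }

    /**
     * Narrows {@code current} to the elements also present in {@code candidates}, seeding it with
     * a copy of {@code candidates} on first use; an empty {@code candidates} leaves it untouched.
     */
    private static Set<ExternalResource> intersect(
            Set<ExternalResource> current, Collection<? extends ExternalResource> candidates) {

        if (candidates.isEmpty()) {
            return current;
        }
        if (current == null) {
            // Copy so that later retainAll calls never touch the policy's own collection.
            return new HashSet<ExternalResource>(candidates);
        }
        current.retainAll(candidates);
        return current;
    }

    /**
     * Forwards an audit event to the {@link AuditManager}; all arguments are passed through
     * unchanged and in the same order.
     */
    @Transactional(readOnly = true)
    public void audit(AuditElements.EventCategoryType eventCategoryType, String str, String str2, String str3, AuditElements.Result result, Object obj, Object obj2, Object... objArr) {
        this.auditManager.audit(eventCategoryType, str, str2, str3, result, obj, obj2, objArr);
    }

    /**
     * Builds the authorities granted to a username.
     *
     * <ul>
     * <li>The anonymous user receives only {@code ANONYMOUS}.</li>
     * <li>The admin user receives every entitlement known to {@link EntitlementsHolder}, each on
     * the root realm {@code "/"}.</li>
     * <li>A user who must change password receives only {@code MUST_CHANGE_PASSWORD}.</li>
     * <li>Any other user receives the entitlements of all their roles, each scoped to the realms
     * of the granting role, plus {@code GROUP_READ}, {@code GROUP_UPDATE} and
     * {@code GROUP_DELETE} on the owner realm of every group they own.</li>
     * </ul>
     *
     * @param str username to load authorities for
     * @return the granted authorities, never {@code null}
     * @throws UsernameNotFoundException if the name is neither the admin nor the anonymous user
     * and no such user exists
     */
    @Transactional
    public Set<SyncopeGrantedAuthority> load(String str) {
        final Set<SyncopeGrantedAuthority> authorities = new HashSet<SyncopeGrantedAuthority>();

        if (this.anonymousUser.equals(str)) {
            authorities.add(new SyncopeGrantedAuthority("ANONYMOUS"));
            return authorities;
        }

        if (this.adminUser.equals(str)) {
            CollectionUtils.collect(EntitlementsHolder.getInstance().getValues(),
                    new Transformer<String, SyncopeGrantedAuthority>() {

                @Override
                public SyncopeGrantedAuthority transform(String entitlement) {
                    return new SyncopeGrantedAuthority(entitlement, "/");
                }
            }, authorities);
            return authorities;
        }

        User user = this.userDAO.find(str);
        if (user == null) {
            throw new UsernameNotFoundException("Could not find any user with id " + str);
        }

        if (user.isMustChangePassword()) {
            // Nothing else is granted until the password has been changed.
            authorities.add(new SyncopeGrantedAuthority("MUST_CHANGE_PASSWORD"));
            return authorities;
        }

        final Map<String, Set<String>> realmsByEntitlement = new HashMap<String, Set<String>>();

        // Entitlements from roles, scoped to the realms of the role that grants them.
        for (final Role role : this.userDAO.findAllRoles(user)) {
            IterableUtils.forEach(role.getEntitlements(), new Closure<String>() {

                @Override
                public void execute(String entitlement) {
                    CollectionUtils.collect(role.getRealms(), new Transformer<Realm, String>() {

                        @Override
                        public String transform(Realm realm) {
                            return realm.getFullPath();
                        }
                    }, realmsFor(realmsByEntitlement, entitlement));
                }
            });
        }

        // Group ownership grants read/update/delete limited to the owned group's realm.
        for (Group group : this.groupDAO.findOwnedByUser((Long) user.getKey())) {
            for (String entitlement : Arrays.asList("GROUP_READ", "GROUP_UPDATE", "GROUP_DELETE")) {
                realmsFor(realmsByEntitlement, entitlement).add(
                        RealmUtils.getGroupOwnerRealm(group.getRealm().getFullPath(), (Long) group.getKey()));
            }
        }

        for (Map.Entry<String, Set<String>> entry : realmsByEntitlement.entrySet()) {
            SyncopeGrantedAuthority authority = new SyncopeGrantedAuthority(entry.getKey());
            authority.addRealms(RealmUtils.normalize(entry.getValue()));
            authorities.add(authority);
        }

        return authorities;
    }

    /** Returns the realm set registered for an entitlement, creating and registering it if absent. */
    private static Set<String> realmsFor(Map<String, Set<String>> realmsByEntitlement, String entitlement) {
        Set<String> realms = realmsByEntitlement.get(entitlement);
        if (realms == null) {
            realms = new HashSet<String>();
            realmsByEntitlement.put(entitlement, realms);
        }
        return realms;
    }
}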
