package org.apache.syncope.core.spring.security;

import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.annotation.Resource;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.collections4.SetUtils;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.lang3.BooleanUtils;
import org.apache.commons.lang3.tuple.ImmutablePair;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.syncope.common.lib.types.AnyTypeKind;
import org.apache.syncope.common.lib.types.AuditElements;
import org.apache.syncope.core.persistence.api.ImplementationLookup;
import org.apache.syncope.core.persistence.api.dao.AccessTokenDAO;
import org.apache.syncope.core.persistence.api.dao.AnySearchDAO;
import org.apache.syncope.core.persistence.api.dao.AnyTypeDAO;
import org.apache.syncope.core.persistence.api.dao.ConfDAO;
import org.apache.syncope.core.persistence.api.dao.DomainDAO;
import org.apache.syncope.core.persistence.api.dao.GroupDAO;
import org.apache.syncope.core.persistence.api.dao.RealmDAO;
import org.apache.syncope.core.persistence.api.dao.UserDAO;
import org.apache.syncope.core.persistence.api.dao.search.AttributeCond;
import org.apache.syncope.core.persistence.api.dao.search.SearchCond;
import org.apache.syncope.core.persistence.api.entity.Domain;
import org.apache.syncope.core.persistence.api.entity.Realm;
import org.apache.syncope.core.persistence.api.entity.Role;
import org.apache.syncope.core.persistence.api.entity.conf.CPlainAttr;
import org.apache.syncope.core.persistence.api.entity.group.Group;
import org.apache.syncope.core.persistence.api.entity.resource.ExternalResource;
import org.apache.syncope.core.persistence.api.entity.user.User;
import org.apache.syncope.core.provisioning.api.AuditManager;
import org.apache.syncope.core.provisioning.api.ConnectorFactory;
import org.apache.syncope.core.provisioning.api.EntitlementsHolder;
import org.apache.syncope.core.provisioning.api.MappingManager;
import org.apache.syncope.core.provisioning.api.utils.EntityUtils;
import org.apache.syncope.core.provisioning.api.utils.RealmUtils;
import org.apache.syncope.core.spring.ApplicationContextProvider;
import org.identityconnectors.framework.common.objects.OperationOptions;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.transaction.annotation.Transactional;

/* loaded from: input_file:org/apache/syncope/core/spring/security/AuthDataAccessor.class */
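public class AuthDataAccessor {

    protected static final Logger LOG = LoggerFactory.getLogger(AuthDataAccessor.class);

    protected static final Encryptor ENCRYPTOR = Encryptor.getInstance();

    /** The single authority granted to the configured anonymous user. */
    protected static final Set<SyncopeGrantedAuthority> ANONYMOUS_AUTHORITIES =
            Collections.singleton(new SyncopeGrantedAuthority("ANONYMOUS"));

    /** Entitlements a user implicitly holds on every group it owns, scoped to the group-owner realm. */
    protected static final String[] GROUP_OWNER_ENTITLEMENTS = { "GROUP_READ", "GROUP_UPDATE", "GROUP_DELETE" };

    @Resource(name = "adminUser")
    protected String adminUser;

    @Resource(name = "anonymousUser")
    protected String anonymousUser;

    @Autowired
    protected DomainDAO domainDAO;

    @Autowired
    protected ConfDAO confDAO;

    @Autowired
    protected RealmDAO realmDAO;

    @Autowired
    protected UserDAO userDAO;

    @Autowired
    protected GroupDAO groupDAO;

    @Autowired
    protected AnyTypeDAO anyTypeDAO;

    @Autowired
    protected AnySearchDAO searchDAO;

    @Autowired
    protected AccessTokenDAO accessTokenDAO;

    @Autowired
    protected ConnectorFactory connFactory;

    @Autowired
    protected AuditManager auditManager;

    @Autowired
    protected MappingManager mappingManager;

    @Autowired
    protected ImplementationLookup implementationLookup;

    /** Issuer to provider, built lazily by {@link #getJWTSSOProvider(String)} under {@code synchronized (this)}. */
    private Map<String, JWTSSOProvider> jwtSSOProviders;

    /**
     * Returns the {@link JWTSSOProvider} registered for the given JWT issuer.
     * <p>
     * Providers are instantiated once, on first use, from the classes reported by
     * {@link ImplementationLookup#getJWTSSOProviderClasses()} and indexed by {@link JWTSSOProvider#getIssuer()}.
     * Two providers reporting the same issuer overwrite each other (last one wins, no warning).
     * The map is only published once every provider was created, so a failing {@code createBean} leaves the
     * registry unset and the next call retries instead of serving a partially populated registry.
     *
     * @param issuer issuer claim of the JWT being authenticated
     * @return the matching provider
     * @throws AuthenticationCredentialsNotFoundException if the issuer is {@code null} or unknown; both are
     * reported as an authentication failure rather than as a server error
     */
    public JWTSSOProvider getJWTSSOProvider(final String issuer) {
        synchronized (this) {
            if (jwtSSOProviders == null) {
                Map<String, JWTSSOProvider> providers = new HashMap<String, JWTSSOProvider>();
                for (Object providerClass : implementationLookup.getJWTSSOProviderClasses()) {
                    // 2 is AutowireCapableBeanFactory.AUTOWIRE_BY_TYPE; kept as literal exactly as compiled
                    JWTSSOProvider provider = (JWTSSOProvider) ApplicationContextProvider.getBeanFactory().
                            createBean((Class<?>) providerClass, 2, true);
                    providers.put(provider.getIssuer(), provider);
                }
                jwtSSOProviders = providers;
            }
        }

        if (issuer == null) {
            throw new AuthenticationCredentialsNotFoundException("A null issuer is not permitted");
        }
        JWTSSOProvider provider = jwtSSOProviders.get(issuer);
        if (provider == null) {
            throw new AuthenticationCredentialsNotFoundException(
                    "Could not find any registered JWTSSOProvider for issuer " + issuer);
        }
        return provider;
    }

    /**
     * Looks up a domain by key.
     *
     * @param key domain key
     * @return the domain
     * @throws AuthenticationServiceException if no such domain exists
     */
    @Transactional(readOnly = true)
    public Domain findDomain(final String key) {
        Domain domain = domainDAO.find(key);
        if (domain == null) {
            throw new AuthenticationServiceException("Could not find domain " + key);
        }
        return domain;
    }

    /**
     * Resolves the user addressed by the given credentials and verifies the supplied password.
     * <p>
     * The login identifier is matched against each attribute listed in the {@code authentication.attributes}
     * configuration entry, in order, stopping at the first one that yields a user; {@code username} is looked up
     * directly, any other value is an exact-match search on that plain schema. A value matching several users is
     * rejected for that attribute (logged at WARN) so that a shared attribute can never log anybody in.
     * <p>
     * On success the failed-login counter is reset and, if {@code log.lastlogindate} is enabled, the last login
     * date is updated; on a wrong password the counter is incremented. No lockout threshold is enforced here
     * (presumably the account policy does that elsewhere - confirm before relying on it).
     *
     * @param authentication Spring authentication request; {@code getName()} is the login identifier and
     * {@code getCredentials()} the clear-text password
     * @return left: the resolved user, or {@code null} if none matched; right: the verification outcome, or
     * {@code null} when no user was resolved
     * @throws DisabledException if the user is suspended or its status is not in {@code authentication.statuses};
     * nothing has been written at that point, hence no rollback is needed
     */
    @Transactional(noRollbackFor = { DisabledException.class })
    public Pair<User, Boolean> authenticate(final Authentication authentication) {
        User user = null;

        CPlainAttr authAttrsConf = confDAO.find("authentication.attributes");
        List<String> loginAttrs = authAttrsConf == null
                ? Collections.singletonList("username")
                : authAttrsConf.getValuesAsStrings();

        for (Iterator<String> itor = loginAttrs.iterator(); user == null && itor.hasNext();) {
            String loginAttr = itor.next();
            if ("username".equals(loginAttr)) {
                user = userDAO.findByUsername(authentication.getName());
            } else {
                AttributeCond cond = new AttributeCond(AttributeCond.Type.EQ);
                cond.setSchema(loginAttr);
                cond.setExpression(authentication.getName());
                List<?> matching = searchDAO.search(SearchCond.getLeafCond(cond), AnyTypeKind.USER);
                if (matching.size() == 1) {
                    user = (User) matching.get(0);
                } else {
                    LOG.warn("Value {} provided for {} does not uniquely identify a user",
                            authentication.getName(), loginAttr);
                }
            }
        }

        Boolean authenticated = null;
        if (user != null) {
            if (BooleanUtils.isTrue(user.isSuspended())) {
                throw new DisabledException("User " + user.getUsername() + " is suspended");
            }
            if (!confDAO.getValuesAsStrings("authentication.statuses").contains(user.getStatus())) {
                throw new DisabledException("User " + user.getUsername() + " not allowed to authenticate");
            }

            // NOTE(review): a null credentials object would NPE here and surface as a server error - confirm the
            // calling filter always supplies one
            authenticated = authenticate(user, authentication.getCredentials().toString());

            boolean dirty = false;
            if (authenticated) {
                if ((Boolean) confDAO.find("log.lastlogindate", true)) {
                    user.setLastLoginDate(new Date());
                    dirty = true;
                }
                if (user.getFailedLogins() != 0) {
                    user.setFailedLogins(0);
                    dirty = true;
                }
            } else {
                user.setFailedLogins(user.getFailedLogins() + 1);
                dirty = true;
            }
            if (dirty) {
                userDAO.save(user);
            }
        }

        return ImmutablePair.of(user, authenticated);
    }

    /**
     * Verifies the clear-text password for the given user: first against the internal storage, then - only if
     * that fails - by pass-through authentication on each resource from {@link #getPassthroughResources(User)}
     * until one accepts it. The password itself is never logged; only usernames, resource keys and the
     * connector object key appear in the DEBUG output.
     *
     * @param user user being authenticated
     * @param password clear-text password as supplied by the client
     * @return {@code true} if the internal storage or any pass-through resource accepted the password
     */
    protected boolean authenticate(final User user, final String password) {
        boolean authenticated = ENCRYPTOR.verify(password, user.getCipherAlgorithm(), user.getPassword());
        LOG.debug("{} authenticated on internal storage: {}", user.getUsername(), authenticated);

        for (ExternalResource resource : getPassthroughResources(user)) {
            if (authenticated) {
                break;
            }

            String connObjectKey = null;
            try {
                connObjectKey = mappingManager.getConnObjectKeyValue(
                        user, resource.getProvision(anyTypeDAO.findUser()));
                // a non-null result from the connector is taken as success
                if (connFactory.getConnector(resource).
                        authenticate(connObjectKey, password, (OperationOptions) null) != null) {

                    authenticated = true;
                }
            } catch (Exception e) {
                // best effort: an unreachable or misconfigured resource simply does not count as a success
                LOG.debug("Could not authenticate {} on {}", new Object[] { user.getUsername(), resource.getKey(), e });
            }
            LOG.debug("{} authenticated on {} as {}: {}",
                    new Object[] { user.getUsername(), resource.getKey(), connObjectKey, authenticated });
        }

        return authenticated;
    }

    /**
     * Computes the resources eligible for pass-through authentication of the given user: the intersection of the
     * resources declared by every account policy in play, i.e. the policies of the resources assigned to the user
     * and the policies of the user's realm and its ancestors. Policies declaring no resources are skipped rather
     * than emptying the intersection.
     * <p>
     * The running intersection is always a private copy. The original implementation called {@code retainAll}
     * directly on the collection returned by the first policy's {@code getResources()}, i.e. on the managed
     * entity's own collection: a mere login attempt inside this read-write transaction could therefore strip
     * resources off a persisted account policy.
     *
     * @param user user being authenticated
     * @return possibly empty set, never {@code null}
     */
    protected Set<? extends ExternalResource> getPassthroughResources(final User user) {
        Set<ExternalResource> result = null;

        for (ExternalResource resource : userDAO.findAllResources(user)) {
            if (resource.getAccountPolicy() != null) {
                result = intersect(result, resource.getAccountPolicy().getResources());
            }
        }
        for (Realm realm : realmDAO.findAncestors(user.getRealm())) {
            if (realm.getAccountPolicy() != null) {
                result = intersect(result, realm.getAccountPolicy().getResources());
            }
        }

        return SetUtils.emptyIfNull(result);
    }

    /**
     * Folds one policy's resources into the running intersection without ever touching the policy's own
     * collection.
     *
     * @param current running intersection, {@code null} until the first non-empty policy is seen
     * @param policyResources resources declared by an account policy; ignored when empty
     * @return the updated running intersection (a fresh copy on first use)
     */
    private static Set<ExternalResource> intersect(
            final Set<ExternalResource> current, final Collection<? extends ExternalResource> policyResources) {

        if (policyResources.isEmpty()) {
            return current;
        }
        if (current == null) {
            return new HashSet<ExternalResource>(policyResources);
        }
        current.retainAll(policyResources);
        return current;
    }

    /**
     * @return every known entitlement, granted on the root realm {@code /}
     */
    protected Set<SyncopeGrantedAuthority> getAdminAuthorities() {
        Set<SyncopeGrantedAuthority> authorities = new HashSet<SyncopeGrantedAuthority>();
        for (String entitlement : EntitlementsHolder.getInstance().getValues()) {
            authorities.add(new SyncopeGrantedAuthority(entitlement, "/"));
        }
        return authorities;
    }

    /**
     * Builds the authorities of an ordinary user.
     * <p>
     * A user with a pending password change gets {@code MUST_CHANGE_PASSWORD} and nothing else. Otherwise each
     * entitlement of each role is granted on the role's realms (full paths) and, for entitlements not ending in
     * {@code _CREATE} or {@code _DELETE}, on the role's dynamic realms (by key); the owner of a group additionally
     * gets {@link #GROUP_OWNER_ENTITLEMENTS} on that group's owner realm. Realm sets are normalized before
     * being attached to the authority.
     *
     * @param user user whose authorities are computed
     * @return authorities, one per distinct entitlement
     */
    protected Set<SyncopeGrantedAuthority> getUserAuthorities(final User user) {
        Set<SyncopeGrantedAuthority> authorities = new HashSet<SyncopeGrantedAuthority>();

        if (user.isMustChangePassword()) {
            authorities.add(new SyncopeGrantedAuthority("MUST_CHANGE_PASSWORD"));
            return authorities;
        }

        Map<String, Set<String>> realmsByEntitlement = new HashMap<String, Set<String>>();

        for (Role role : userDAO.findAllRoles(user)) {
            for (String entitlement : role.getEntitlements()) {
                Set<String> realms = realmsFor(realmsByEntitlement, entitlement);
                for (Realm realm : role.getRealms()) {
                    realms.add(realm.getFullPath());
                }
                // create / delete are deliberately confined to static realms
                if (!entitlement.endsWith("_CREATE") && !entitlement.endsWith("_DELETE")) {
                    CollectionUtils.collect(role.getDynRealms(), EntityUtils.keyTransformer(), realms);
                }
            }
        }

        for (Group group : groupDAO.findOwnedByUser(user.getKey())) {
            String ownerRealm = RealmUtils.getGroupOwnerRealm(group.getRealm().getFullPath(), group.getKey());
            for (String entitlement : GROUP_OWNER_ENTITLEMENTS) {
                realmsFor(realmsByEntitlement, entitlement).add(ownerRealm);
            }
        }

        for (Map.Entry<String, Set<String>> entry : realmsByEntitlement.entrySet()) {
            SyncopeGrantedAuthority authority = new SyncopeGrantedAuthority(entry.getKey());
            authority.addRealms(RealmUtils.normalize(entry.getValue()));
            authorities.add(authority);
        }

        return authorities;
    }

    /**
     * @return the realm set recorded for the entitlement, creating it on first access
     */
    private static Set<String> realmsFor(final Map<String, Set<String>> realmsByEntitlement, final String entitlement) {
        Set<String> realms = realmsByEntitlement.get(entitlement);
        if (realms == null) {
            realms = new HashSet<String>();
            realmsByEntitlement.put(entitlement, realms);
        }
        return realms;
    }

    /**
     * Returns the authorities for a principal name: the anonymous user gets {@link #ANONYMOUS_AUTHORITIES}, the
     * admin user every entitlement on {@code /}, anybody else what {@link #getUserAuthorities(User)} computes.
     *
     * @param username principal name
     * @return authorities
     * @throws UsernameNotFoundException if the name is neither anonymous nor admin nor a stored user
     */
    @Transactional
    public Set<SyncopeGrantedAuthority> getAuthorities(final String username) {
        if (anonymousUser.equals(username)) {
            return ANONYMOUS_AUTHORITIES;
        }
        if (adminUser.equals(username)) {
            return getAdminAuthorities();
        }

        User user = userDAO.findByUsername(username);
        if (user == null) {
            throw new UsernameNotFoundException("Could not find any user with id " + username);
        }
        return getUserAuthorities(user);
    }

    /**
     * Maps an already parsed JWT to a principal name and its authorities.
     * <p>
     * A token whose subject is the admin user is accepted only if its token id is a stored access token (this is
     * how revocation / expiry cleanup takes effect for admin tokens); the issuer claim is not consulted on that
     * path, so signature and issuer validation are assumed to have happened before this method - confirm in the
     * JWT filter. Any other subject is delegated to the provider registered for the token's issuer, which also
     * decides whether the token is still acceptable on its side; the resolved user is then subject to the same
     * suspension, status and must-change-password rules as password authentication.
     *
     * @param authentication parsed JWT
     * @return principal name and authorities
     * @throws AuthenticationCredentialsNotFoundException if the admin token is unknown, the issuer has no
     * provider, or the provider could not resolve a user
     * @throws DisabledException if the resolved user is suspended or its status does not allow authentication
     */
    @Transactional
    public Pair<String, Set<SyncopeGrantedAuthority>> authenticate(final JWTAuthentication authentication) {
        String username;
        Set<SyncopeGrantedAuthority> authorities;

        if (adminUser.equals(authentication.getClaims().getSubject())) {
            if (accessTokenDAO.find(authentication.getClaims().getTokenId()) == null) {
                throw new AuthenticationCredentialsNotFoundException(
                        "Could not find an Access Token for JWT " + authentication.getClaims().getTokenId());
            }

            username = adminUser;
            authorities = getAdminAuthorities();
        } else {
            JWTSSOProvider provider = getJWTSSOProvider(authentication.getClaims().getIssuer());
            Pair<User, Set<SyncopeGrantedAuthority>> resolved = provider.resolve(authentication.getClaims());
            if (resolved == null || resolved.getLeft() == null) {
                throw new AuthenticationCredentialsNotFoundException("Could not find User "
                        + authentication.getClaims().getSubject()
                        + " for JWT " + authentication.getClaims().getTokenId());
            }

            User user = resolved.getLeft();
            username = user.getUsername();
            authorities = SetUtils.emptyIfNull(resolved.getRight());

            LOG.debug("JWT {} issued by {} resolved to User {} with authorities {}", new Object[] {
                authentication.getClaims().getTokenId(), authentication.getClaims().getIssuer(),
                username, authorities });

            if (BooleanUtils.isTrue(user.isSuspended())) {
                throw new DisabledException("User " + username + " is suspended");
            }
            if (!confDAO.getValuesAsStrings("authentication.statuses").contains(user.getStatus())) {
                throw new DisabledException("User " + username + " not allowed to authenticate");
            }
            if (user.isMustChangePassword()) {
                LOG.debug("User {} must change password, resetting authorities", username);
                authorities = Collections.singleton(new SyncopeGrantedAuthority("MUST_CHANGE_PASSWORD"));
            }
        }

        return Pair.of(username, authorities);
    }

    /**
     * Deletes the stored access token with the given key (used when a JWT is found to be expired).
     *
     * @param key access token key
     */
    @Transactional
    public void removeExpired(final String key) {
        accessTokenDAO.delete(key);
    }

    /**
     * Forwards an audit event to the {@link AuditManager}, inside a read-only transaction.
     */
    @Transactional(readOnly = true)
    public void audit(
            final AuditElements.EventCategoryType type,
            final String category,
            final String subcategory,
            final String event,
            final AuditElements.Result result,
            final Object before,
            final Object output,
            final Object... input) {

        auditManager.audit(type, category, subcategory, event, result, before, output, input);
    }
}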
