package jp.openstandia.midpoint.grpc;

import com.evolveum.midpoint.model.api.ModelService;
import com.evolveum.midpoint.model.impl.security.SecurityHelper;
import com.evolveum.midpoint.prism.PrismContext;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.polystring.PolyString;
import com.evolveum.midpoint.prism.query.ObjectQuery;
import com.evolveum.midpoint.schema.SearchResultList;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.util.ObjectQueryUtil;
import com.evolveum.midpoint.security.api.Authorization;
import com.evolveum.midpoint.security.api.AuthorizationConstants;
import com.evolveum.midpoint.security.api.AuthorizationTransformer;
import com.evolveum.midpoint.security.api.ConnectionEnvironment;
import com.evolveum.midpoint.security.api.HttpConnectionInformation;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.security.api.OwnerResolver;
import com.evolveum.midpoint.security.enforcer.api.AuthorizationParameters;
import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.task.api.TaskManager;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.web.boot.GrpcServerConfiguration;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import io.grpc.Context;
import io.grpc.Contexts;
import io.grpc.ForwardingServerCall;
import io.grpc.Grpc;
import io.grpc.Metadata;
import io.grpc.ServerCall;
import io.grpc.ServerCallHandler;
import io.grpc.ServerInterceptor;
import io.grpc.Status;
import io.grpc.StatusRuntimeException;
import java.io.UnsupportedEncodingException;
import java.net.SocketAddress;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collection;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.stereotype.Component;

@Component
/* loaded from: input_file:jp/openstandia/midpoint/grpc/AbstractGrpcAuthenticationInterceptor.class */
public abstract class AbstractGrpcAuthenticationInterceptor implements ServerInterceptor {
    private static final Trace LOGGER = TraceManager.getTrace(AbstractGrpcAuthenticationInterceptor.class);
    protected static final String INVALID_REQUEST = "invalid_request";
    protected static final String INVALID_TOKEN = "invalid_token";
    protected static final String INSUFFICIENT_SCOPE = "insufficient_scope";
    protected static final String INTERNAL_ERROR = "internal_error";

    @Autowired
    PrismContext prismContext;

    @Autowired
    ModelService modelService;

    @Autowired
    SecurityEnforcer securityEnforcer;

    @Autowired
    SecurityHelper securityHelper;

    @Autowired
    TaskManager taskManager;

    /* renamed from: jp.openstandia.midpoint.grpc.AbstractGrpcAuthenticationInterceptor$3, reason: invalid class name */
    /* loaded from: input_file:jp/openstandia/midpoint/grpc/AbstractGrpcAuthenticationInterceptor$3.class */
    static /* synthetic */ class AnonymousClass3 {
        static final /* synthetic */ int[] $SwitchMap$io$grpc$Status$Code = new int[Status.Code.values().length];

        static {
            try {
                $SwitchMap$io$grpc$Status$Code[Status.Code.INVALID_ARGUMENT.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$io$grpc$Status$Code[Status.Code.UNAUTHENTICATED.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$io$grpc$Status$Code[Status.Code.NOT_FOUND.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$io$grpc$Status$Code[Status.Code.ALREADY_EXISTS.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$io$grpc$Status$Code[Status.Code.FAILED_PRECONDITION.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
            try {
                $SwitchMap$io$grpc$Status$Code[Status.Code.ABORTED.ordinal()] = 6;
            } catch (NoSuchFieldError e6) {
            }
            try {
                $SwitchMap$io$grpc$Status$Code[Status.Code.OUT_OF_RANGE.ordinal()] = 7;
            } catch (NoSuchFieldError e7) {
            }
            try {
                $SwitchMap$io$grpc$Status$Code[Status.Code.PERMISSION_DENIED.ordinal()] = 8;
            } catch (NoSuchFieldError e8) {
            }
        }
    }

    public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(ServerCall<ReqT, RespT> serverCall, Metadata metadata, ServerCallHandler<ReqT, RespT> serverCallHandler) {
        try {
            return doProcess(serverCall, metadata, serverCallHandler);
        } catch (StatusRuntimeException e) {
            Metadata trailers = e.getTrailers();
            if (trailers == null) {
                trailers = new Metadata();
            }
            serverCall.close(e.getStatus(), trailers);
            return new ServerCall.Listener() { // from class: jp.openstandia.midpoint.grpc.AbstractGrpcAuthenticationInterceptor.1
            };
        }
    }

    protected <ReqT, RespT> ServerCall.Listener<ReqT> doProcess(ServerCall<ReqT, RespT> serverCall, Metadata metadata, ServerCallHandler<ReqT, RespT> serverCallHandler) {
        String obj = ((SocketAddress) serverCall.getAttributes().get(Grpc.TRANSPORT_ATTR_REMOTE_ADDR)).toString();
        String obj2 = ((SocketAddress) serverCall.getAttributes().get(Grpc.TRANSPORT_ATTR_LOCAL_ADDR)).toString();
        HttpConnectionInformation httpConnectionInformation = new HttpConnectionInformation();
        httpConnectionInformation.setRemoteHostAddress(obj);
        httpConnectionInformation.setLocalHostName(obj2);
        LOGGER.trace("Authenticating to gRPC service");
        final Task createTaskInstance = GrpcServerConfiguration.getApplication().getTaskManager().createTaskInstance(MidPointGrpcService.OPERATION_GRPC_SERVICE);
        createTaskInstance.setChannel(MidPointGrpcService.CHANNEL_GRPC_SERVICE_URI);
        httpConnectionInformation.setSessionId(createTaskInstance.getTaskIdentifier());
        final ConnectionEnvironment connectionEnvironment = new ConnectionEnvironment(MidPointGrpcService.CHANNEL_GRPC_SERVICE_URI, httpConnectionInformation);
        String str = (String) metadata.get(Constant.AuthorizationMetadataKey);
        if (str == null || !str.toLowerCase().startsWith(getType().toLowerCase() + " ")) {
            throw Status.INVALID_ARGUMENT.withDescription(INVALID_REQUEST).asRuntimeException();
        }
        Authentication authenticate = authenticate(connectionEnvironment, createTaskInstance, str);
        authorizeClient(authenticate, connectionEnvironment, createTaskInstance);
        Authentication switchToUser = switchToUser(authenticate, metadata, connectionEnvironment, createTaskInstance);
        createTaskInstance.setOwner(((MidPointPrincipal) switchToUser.getPrincipal()).getUser().asPrismObject());
        if (Boolean.parseBoolean((String) metadata.get(Constant.RunPrivilegedMetadataKey))) {
            switchToUser = runPrivileged(switchToUser);
        }
        return Contexts.interceptCall(Context.current().withValue(ServerConstant.ConnectionContextKey, httpConnectionInformation).withValue(ServerConstant.ConnectionEnvironmentContextKey, connectionEnvironment).withValue(ServerConstant.TaskContextKey, createTaskInstance).withValue(ServerConstant.AuthenticationContextKey, switchToUser).withValue(ServerConstant.AuthorizationHeaderContextKey, str), new ForwardingServerCall.SimpleForwardingServerCall<ReqT, RespT>(serverCall) { // from class: jp.openstandia.midpoint.grpc.AbstractGrpcAuthenticationInterceptor.2
            public void close(Status status, Metadata metadata2) {
                if (!status.isOk()) {
                    switch (AnonymousClass3.$SwitchMap$io$grpc$Status$Code[status.getCode().ordinal()]) {
                        case 1:
                        case 2:
                        case 3:
                        case 4:
                        case 5:
                        case 6:
                        case 7:
                        case 8:
                            AbstractGrpcAuthenticationInterceptor.LOGGER.info("Error in calling gRPC service. status={}, metadata={}", status, metadata2);
                            break;
                        default:
                            AbstractGrpcAuthenticationInterceptor.LOGGER.error("Error in calling gRPC service. status={}, metadata={}", status, metadata2);
                            break;
                    }
                }
                AbstractGrpcAuthenticationInterceptor.this.finishRequest(createTaskInstance, connectionEnvironment);
                super.close(status, metadata2);
            }
        }, metadata, serverCallHandler);
    }

    private Authentication runPrivileged(Authentication authentication) {
        LOGGER.debug("Running gRPC service as privileged");
        LOGGER.trace("ORIG auth {}", authentication);
        Authorization createPrivilegedAuthorization = createPrivilegedAuthorization();
        Object principal = authentication.getPrincipal();
        LOGGER.trace("ORIG principal {} ({})", principal, principal != null ? principal.getClass() : null);
        MidPointPrincipal clone = ((MidPointPrincipal) principal).clone();
        clone.getAuthorities().add(createPrivilegedAuthorization);
        ArrayList arrayList = new ArrayList();
        arrayList.addAll(authentication.getAuthorities());
        arrayList.add(createPrivilegedAuthorization);
        PreAuthenticatedAuthenticationToken preAuthenticatedAuthenticationToken = new PreAuthenticatedAuthenticationToken(clone, (Object) null, arrayList);
        LOGGER.trace("NEW auth {}", preAuthenticatedAuthenticationToken);
        return preAuthenticatedAuthenticationToken;
    }

    private Authorization createPrivilegedAuthorization() {
        AuthorizationType authorizationType = new AuthorizationType();
        authorizationType.getAction().add(AuthorizationConstants.AUTZ_ALL_URL);
        return new Authorization(authorizationType);
    }

    protected abstract String getType();

    protected abstract Authentication authenticate(ConnectionEnvironment connectionEnvironment, Task task, String str);

    protected abstract void authorizeClient(Authentication authentication, ConnectionEnvironment connectionEnvironment, Task task);

    protected abstract Authentication switchToUser(Authentication authentication, Metadata metadata, ConnectionEnvironment connectionEnvironment, Task task);

    /* JADX INFO: Access modifiers changed from: protected */
    public Authentication authenticateUser(PrismObject<UserType> prismObject, ConnectionEnvironment connectionEnvironment, Task task) {
        try {
            MidPointPrincipal principal = GrpcServerConfiguration.getApplication().getSecurityContextManager().getUserProfileService().getPrincipal(prismObject, (AuthorizationTransformer) null, task.getResult());
            PreAuthenticatedAuthenticationToken preAuthenticatedAuthenticationToken = new PreAuthenticatedAuthenticationToken(principal, (Object) null, principal.getAuthorities());
            LOGGER.trace("Authenticated to gRPC service as {}", prismObject);
            return preAuthenticatedAuthenticationToken;
        } catch (SchemaException | CommunicationException | ConfigurationException | SecurityViolationException | ExpressionEvaluationException e) {
            this.securityHelper.auditLoginFailure(prismObject.getName().getOrig(), prismObject.asObjectable(), connectionEnvironment, "Schema error: " + e.getMessage());
            throw Status.INVALID_ARGUMENT.withDescription(e.getMessage()).asRuntimeException();
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void authorizeUser(Authentication authentication, String str, UserType userType, PrismObject<UserType> prismObject, ConnectionEnvironment connectionEnvironment) {
        Task createTaskInstance = this.taskManager.createTaskInstance(AbstractGrpcAuthenticationInterceptor.class.getName() + ".authorizeUser");
        try {
            try {
                SecurityContextHolder.getContext().setAuthentication(authentication);
                this.securityEnforcer.authorize(str, (AuthorizationPhaseType) null, AuthorizationParameters.Builder.buildObject(prismObject), (OwnerResolver) null, createTaskInstance, createTaskInstance.getResult());
                SecurityContextHolder.getContext().setAuthentication((Authentication) null);
            } catch (SecurityViolationException e) {
                this.securityHelper.auditLoginFailure(userType.getName().getOrig(), userType, connectionEnvironment, "Not authorized");
                throw Status.PERMISSION_DENIED.withDescription(e.getMessage()).asRuntimeException();
            } catch (SchemaException | ObjectNotFoundException | ExpressionEvaluationException | CommunicationException | ConfigurationException e2) {
                this.securityHelper.auditLoginFailure(userType.getName().getOrig(), userType, connectionEnvironment, "Internal error: " + e2.getMessage());
                throw Status.INVALID_ARGUMENT.withDescription(e2.getMessage()).asRuntimeException();
            }
        } catch (Throwable th) {
            SecurityContextHolder.getContext().setAuthentication((Authentication) null);
            throw th;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public PrismObject<UserType> findByOid(String str, Task task) {
        try {
            return this.modelService.getObject(UserType.class, str, (Collection) null, task, task.getResult());
        } catch (SchemaException | ObjectNotFoundException | SecurityViolationException | CommunicationException | ConfigurationException | ExpressionEvaluationException e) {
            LOGGER.trace("Exception while authenticating user identified with oid: '{}' to gRPC service: {}", new Object[]{str, e.getMessage(), e});
            throw Status.UNAUTHENTICATED.withDescription(e.getMessage()).asRuntimeException();
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public PrismObject<UserType> findByUsername(String str, Task task) {
        OperationResult result = task.getResult();
        try {
            ObjectQuery createNormNameQuery = ObjectQueryUtil.createNormNameQuery(new PolyString(str), this.prismContext);
            LOGGER.trace("Looking for user, query:\n" + createNormNameQuery.debugDump());
            SearchResultList searchObjects = GrpcServerConfiguration.getApplication().getRepositoryService().searchObjects(UserType.class, createNormNameQuery, (Collection) null, result);
            LOGGER.trace("Users found: {}.", Integer.valueOf(searchObjects.size()));
            if (searchObjects.size() != 1) {
                throw Status.UNAUTHENTICATED.withDescription("Not found user").asRuntimeException();
            }
            return (PrismObject) searchObjects.get(0);
        } catch (SchemaException e) {
            LOGGER.trace("Exception while authenticating user identified with name: '{}' to gRPC service: {}", new Object[]{str, e.getMessage(), e});
            throw Status.UNAUTHENTICATED.withDescription(e.getMessage()).asRuntimeException();
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public String extractHeader(String str, String str2) {
        return str.substring(str2.length() + 1);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public String extractAndDecodeHeader(String str, String str2) {
        try {
            try {
                return new String(Base64.getDecoder().decode(extractHeader(str, str2).getBytes("UTF-8")), "UTF-8");
            } catch (IllegalArgumentException e) {
                LOGGER.warn("Failed to base64 decode grpc authorization header: {}", str, e);
                throw Status.UNAUTHENTICATED.withDescription("Failed to decode basic authentication token").asRuntimeException();
            }
        } catch (UnsupportedEncodingException e2) {
            LOGGER.warn("Failed to decode grpc authorization header: {}", str, e2);
            throw Status.INVALID_ARGUMENT.withDescription(INVALID_REQUEST).asRuntimeException();
        }
    }

    protected Authentication authenticateSwitchUser(String str, ConnectionEnvironment connectionEnvironment, Task task) {
        return authenticateUser(findByOid(str, task), connectionEnvironment, task);
    }

    protected Authentication authenticateSwitchUserByName(String str, ConnectionEnvironment connectionEnvironment, Task task) {
        return authenticateUser(findByUsername(str, task), connectionEnvironment, task);
    }

    protected void finishRequest(Task task, ConnectionEnvironment connectionEnvironment) {
        task.getResult().computeStatus();
        connectionEnvironment.setSessionIdOverride(task.getTaskIdentifier());
        GrpcServerConfiguration.getSecurityHelper().auditLogout(connectionEnvironment, task);
    }
}
