package org.eclipse.stardust.engine.core.runtime.beans.interceptors;

import java.lang.reflect.Method;
import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import org.eclipse.stardust.common.Action;
import org.eclipse.stardust.common.CollectionUtils;
import org.eclipse.stardust.common.StringUtils;
import org.eclipse.stardust.common.config.ExtensionProviderUtils;
import org.eclipse.stardust.common.config.Parameters;
import org.eclipse.stardust.common.config.PropertyLayer;
import org.eclipse.stardust.common.error.AccessForbiddenException;
import org.eclipse.stardust.common.error.InternalException;
import org.eclipse.stardust.common.error.LoginFailedException;
import org.eclipse.stardust.common.error.ObjectNotFoundException;
import org.eclipse.stardust.common.log.LogManager;
import org.eclipse.stardust.common.log.Logger;
import org.eclipse.stardust.engine.api.model.IModel;
import org.eclipse.stardust.engine.api.runtime.BpmRuntimeError;
import org.eclipse.stardust.engine.api.runtime.LogCode;
import org.eclipse.stardust.engine.api.runtime.LoginUtils;
import org.eclipse.stardust.engine.core.runtime.beans.AuditTrailLogger;
import org.eclipse.stardust.engine.core.runtime.beans.BpmRuntimeEnvironment;
import org.eclipse.stardust.engine.core.runtime.beans.ForkingService;
import org.eclipse.stardust.engine.core.runtime.beans.ForkingServiceFactory;
import org.eclipse.stardust.engine.core.runtime.beans.IAuditTrailPartition;
import org.eclipse.stardust.engine.core.runtime.beans.IUser;
import org.eclipse.stardust.engine.core.runtime.beans.IUserDomain;
import org.eclipse.stardust.engine.core.runtime.beans.LoggedInUser;
import org.eclipse.stardust.engine.core.runtime.beans.ManagedService;
import org.eclipse.stardust.engine.core.runtime.beans.ModelManagerFactory;
import org.eclipse.stardust.engine.core.runtime.beans.SynchronizationService;
import org.eclipse.stardust.engine.core.runtime.beans.UserBean;
import org.eclipse.stardust.engine.core.runtime.beans.UserUtils;
import org.eclipse.stardust.engine.core.runtime.beans.removethis.LoginServiceFactory;
import org.eclipse.stardust.engine.core.runtime.beans.removethis.SecurityProperties;
import org.eclipse.stardust.engine.core.runtime.ejb.interceptors.SessionBeanLoginInterceptor;
import org.eclipse.stardust.engine.core.runtime.interceptor.MethodInterceptor;
import org.eclipse.stardust.engine.core.runtime.interceptor.MethodInvocation;
import org.eclipse.stardust.engine.core.runtime.internal.SessionManager;
import org.eclipse.stardust.engine.core.runtime.removethis.EngineProperties;
import org.eclipse.stardust.engine.core.security.InvokerPrincipal;
import org.eclipse.stardust.engine.core.security.InvokerPrincipalUtils;
import org.eclipse.stardust.engine.core.security.utils.SecurityUtils;
import org.eclipse.stardust.engine.core.spi.security.ExternalLoginResult;
import org.eclipse.stardust.engine.core.spi.security.PrincipalProvider;
import org.eclipse.stardust.engine.core.spi.security.PrincipalValidator;
import org.eclipse.stardust.engine.core.spi.security.PrincipalWithProperties;
import org.eclipse.stardust.engine.core.struct.beans.StructuredDataBean;
import org.eclipse.stardust.engine.extensions.ejb.utils.J2EEUtils;
import org.eclipse.stardust.engine.runtime.utils.TimestampProviderUtils;

/* loaded from: input_file:lib/carnot-engine.jar:org/eclipse/stardust/engine/core/runtime/beans/interceptors/AbstractLoginInterceptor.class */
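/**
 * Method interceptor that establishes the identity of the caller for the intercepted invocation.
 * <p>
 * {@link #invoke(MethodInvocation)} distinguishes three situations:
 * <ul>
 *   <li>implicit login: a {@link PrincipalProvider} is present in the invocation parameters and the
 *       container principal it supplies becomes the logged-in user;</li>
 *   <li>explicit {@code ManagedService.login}/{@code logout} calls, handled by
 *       {@link #performLoginCall(MethodInvocation)} and {@link #performLogoutCall()};</li>
 *   <li>every other call, passed on through {@link #performCall(MethodInvocation, LoggedInUser)}.</li>
 * </ul>
 * Before a call runs on behalf of a user, {@code performCall} verifies the invoker principal (signature
 * check or configured validator), synchronizes the user with the active model and rejects expired accounts.
 * <p>
 * This listing was recovered from a decompiled class file; the decompiler noted that the nested action
 * classes were originally {@code private}, which is restored here.
 */
public class AbstractLoginInterceptor implements MethodInterceptor {
    /** Property key for an outer principal kept during re-authentication; not referenced within this class. */
    public static final String REAUTH_OUTER_PRINCIPAL = "Security.ReauthOuterPrincipal";
    /** Property key of the user id used by {@link #doReauthentication}; removed from the principal once consumed. */
    public static final String REAUTH_USER_ID = "Security.ReauthUserId";
    /** Property key of the clear-text password used by {@link #doReauthentication}; removed from the principal once consumed. */
    public static final String REAUTH_PASSWORD = "Security.ReauthPassword";
    private static final Logger trace = LogManager.getLogger(AbstractLoginInterceptor.class);
    public static final String METHODNAME_LOGIN = "login";
    public static final String METHODNAME_LOGOUT = "logout";

    // The decompiler folded the symbolic LoginFailedException reason constants into literals; the names
    // below describe how doLogin() handles each code, not the original constant names.
    /** Reason code on which the account is flagged password-expired but the login still proceeds. */
    private static final int REASON_PASSWORD_EXPIRED_SOFT_FAIL = 8;
    /** Reason code on which the account is disabled and the failure is rethrown. */
    private static final int REASON_DISABLE_ACCOUNT = 9;

    /**
     * Flags a user as password-expired and ends its validity at the current timestamp. Executed through
     * {@link ForkingService#isolate}, presumably so the change is committed independently of the failing
     * login (the call site throws right after it).
     */
    private static final class DisableUserAction implements Action {
        private final long userOid;

        DisableUserAction(long userOid) {
            this.userOid = userOid;
        }

        @Override
        public Object execute() {
            UserBean user = UserBean.findByOid(userOid);
            if (user == null) {
                // reason code literal kept as decompiled
                throw new LoginFailedException(BpmRuntimeError.ATDB_UNKNOWN_USER_OID.raise(userOid), 100);
            }
            user.setPasswordExpired(true);
            user.setValidTo(TimestampProviderUtils.getTimeStamp());
            return null;
        }
    }

    /**
     * Delegates a credential check to the external login service with the default credentials merged
     * into a copy of the supplied properties. A {@code null} result from the provider is turned into
     * a failed {@link ExternalLoginResult} so callers never see {@code null}.
     */
    private static final class LoginAction implements Action {
        private final String username;
        private final String password;
        private final Map properties;

        LoginAction(String username, String password, Map properties) {
            this.username = username;
            this.password = password;
            this.properties = properties;
        }

        @Override
        public Object execute() {
            HashMap credentials = new HashMap(properties);
            LoginUtils.mergeDefaultCredentials(credentials);
            ExternalLoginResult result = LoginServiceFactory.getService().login(username, password, credentials);
            if (result == null) {
                return ExternalLoginResult.testifyFailure(new LoginFailedException(
                        "ExternalLoginProvider.login(String id, String password, Map properties) returned null.", 100));
            }
            return result;
        }

        @Override
        public String toString() {
            return "logging in: " + username;
        }
    }

    /**
     * Routes the invocation: implicit login when a {@link PrincipalProvider} is configured, explicit
     * login/logout for {@code ManagedService} methods, plain {@link #performCall} otherwise.
     *
     * @return the result of the intercepted call, or {@code null} for logout and for any other
     *         {@code ManagedService} method (which is not forwarded at all)
     * @throws InternalException if implicit login was requested but no usable caller principal exists
     */
    @Override // org.eclipse.stardust.engine.core.runtime.interceptor.MethodInterceptor
    public Object invoke(MethodInvocation methodInvocation) throws Throwable {
        Object provider = methodInvocation.getParameters().get(SecurityProperties.AUTHENTICATION_PRINCIPAL_PROVIDER_PROPERTY);
        if (provider instanceof PrincipalProvider) {
            return performImplicitLogin(methodInvocation, (PrincipalProvider) provider);
        }
        Method method = methodInvocation.getMethod();
        if (!isManagedServiceMethod(method)) {
            return performCall(methodInvocation, null);
        }
        if (isLoginCall(method)) {
            return performLoginCall(methodInvocation);
        }
        if (isLogoutCall(method)) {
            performLogoutCall();
        }
        return null;
    }

    /**
     * Builds a {@link LoggedInUser} from the container principal and forwards the call with it.
     * Properties are taken from the principal itself when it is a {@link PrincipalWithProperties};
     * otherwise from the current {@link InvokerPrincipal}, which must carry the same name.
     */
    private Object performImplicitLogin(MethodInvocation methodInvocation, PrincipalProvider provider) throws Throwable {
        Principal principal = provider.getPrincipal();
        if (null == principal) {
            throw new InternalException("No caller principal available. Implicit login attempt aborted.");
        }
        String principalName = J2EEUtils.getPrincipalName(principal);
        if (trace.isDebugEnabled()) {
            trace.debug("Performing implicit login for user " + principalName);
        }
        HashMap properties = new HashMap();
        if (principal instanceof PrincipalWithProperties) {
            properties.putAll(((PrincipalWithProperties) principal).getProperties());
        } else {
            InvokerPrincipal invoker = InvokerPrincipalUtils.getCurrent();
            if (null != invoker) {
                // An invoker principal for a different user must not be merged into this login.
                if (!invoker.getName().equals(principalName)) {
                    throw new InternalException("Invoker principal does not match caller principal. Implicit login attempt aborted.");
                }
                properties.putAll(invoker.getProperties());
            }
        }
        LoginUtils.mergeDefaultCredentials(methodInvocation.getParameters(), properties);
        return performCall(methodInvocation, new LoggedInUser(principalName, properties));
    }

    /**
     * Forwards the invocation, first binding the user to the runtime environment when one is given.
     * For a non-null user with a non-empty id this sets partition and domain, runs
     * {@link #doSecurityCheck}, synchronizes the user with the model, performs a pending
     * re-authentication, rejects expired accounts and updates deputy grants and session time.
     *
     * @param loggedInUser the authenticated user, or {@code null} to forward the call without a user context
     * @throws AccessForbiddenException when the invoker principal fails the security check
     */
    public Object performCall(MethodInvocation methodInvocation, LoggedInUser loggedInUser) throws Throwable {
        if (null != loggedInUser && !StringUtils.isEmpty(loggedInUser.getUserId())) {
            BpmRuntimeEnvironment runtimeEnvironment = PropertyLayerProviderInterceptor.getCurrent();
            setCurrentPartitionAndDomain(methodInvocation.getParameters(), runtimeEnvironment, loggedInUser.getProperties());
            doSecurityCheck(loggedInUser);
            boolean syncOnLogin = methodInvocation.getParameters().getBoolean(SecurityProperties.AUTHORIZATION_SYNC_LOGIN_PROPERTY, true);
            IUser user = SynchronizationService.synchronize(loggedInUser.getUserId(), findActiveOrLastDeployedModel(), syncOnLogin, loggedInUser.getProperties());
            doReauthentication(loggedInUser);
            if (null != user && LoginUtils.isUserExpired(user)) {
                throw LoginUtils.createAccountExpiredException(user);
            }
            UserUtils.updateDeputyGrants(user);
            setCurrentUser(runtimeEnvironment, user);
            SessionManager.instance().updateLastModificationTime(user);
        }
        return methodInvocation.proceed();
    }

    /**
     * Verifies the invoker principal. With internal authentication the {@link InvokerPrincipal}
     * signature (issued in {@link #performLoginCall}) must verify; with principal-based login the
     * configured {@link PrincipalValidator} must accept the principal. Rejections are logged and
     * reported as "not logged in".
     *
     * @throws AccessForbiddenException if the principal is missing, has a bad signature or is invalid
     */
    private void doSecurityCheck(LoggedInUser loggedInUser) {
        Principal principal = getPrincipal(loggedInUser);
        if (SecurityProperties.isInternalAuthentication()) {
            // NOTE(review): the cast assumes internal authentication never combines with a container
            // principal returned by the session-bean path of getPrincipal() — confirm.
            if (!InvokerPrincipalUtils.checkPrincipalSignature((InvokerPrincipal) principal)) {
                trace.warn("The signature for principal '" + principal + "' is corrupt.");
                throw new AccessForbiddenException(BpmRuntimeError.AUTHx_NOT_LOGGED_IN.raise());
            }
            return;
        }
        if (SecurityProperties.isPrincipalBasedLogin() && !determinePrincipalValidator().isValid(principal)) {
            trace.warn("The principal '" + principal + "' is invalid.");
            throw new AccessForbiddenException(BpmRuntimeError.AUTHx_NOT_LOGGED_IN.raise());
        }
    }

    /**
     * Resolves the principal to check: the container principal for a session-bean interceptor under
     * principal-based login, else the current {@link InvokerPrincipal}, else the signed principal
     * stored in the user's properties under {@link InvokerPrincipal#PRP_SIGNED_PRINCIPAL}. The last
     * fallback is only trustworthy because {@link #doSecurityCheck} verifies its signature.
     *
     * @throws AccessForbiddenException if none of the sources yields a principal
     */
    private Principal getPrincipal(LoggedInUser loggedInUser) {
        if (SecurityProperties.isPrincipalBasedLogin() && (this instanceof SessionBeanLoginInterceptor)) {
            return ((SessionBeanLoginInterceptor) this).getPrincipal();
        }
        InvokerPrincipal invoker = InvokerPrincipalUtils.getCurrent();
        if (invoker != null) {
            return invoker;
        }
        Object signed = loggedInUser.getProperties().get(InvokerPrincipal.PRP_SIGNED_PRINCIPAL);
        if (!(signed instanceof InvokerPrincipal)) {
            trace.warn("No principal provided.");
            throw new AccessForbiddenException(BpmRuntimeError.AUTHx_NOT_LOGGED_IN.raise());
        }
        return (InvokerPrincipal) signed;
    }

    /**
     * Re-authenticates against the external login service when the invoker principal carries
     * {@link #REAUTH_USER_ID}. The user id and the clear-text password are removed from the principal
     * properties once used so they are not carried on in the principal.
     *
     * @throws LoginFailedException if the re-authentication fails (the reason returned by the service)
     */
    private void doReauthentication(LoggedInUser loggedInUser) {
        Principal principal = getPrincipal(loggedInUser);
        if (!(principal instanceof InvokerPrincipal)) {
            return;
        }
        Map properties = ((InvokerPrincipal) principal).getProperties();
        if (!properties.containsKey(REAUTH_USER_ID)) {
            return;
        }
        String userId = (String) properties.get(REAUTH_USER_ID);
        String password = (String) properties.get(REAUTH_PASSWORD);
        ExternalLoginResult result = LoginServiceFactory.getService().login(userId, password, Collections.unmodifiableMap(properties));
        if (!result.wasSuccessful()) {
            throw result.getLoginFailedReason();
        }
        properties.remove(REAUTH_USER_ID);
        properties.remove(REAUTH_PASSWORD);
    }

    /**
     * Returns the first registered {@link PrincipalValidator}, installing the default validator
     * property when none is configured.
     */
    private PrincipalValidator determinePrincipalValidator() {
        Parameters parameters = Parameters.instance();
        if (parameters.get(SecurityProperties.PRINCIPAL_VALIDATOR_PROPERTY) == null) {
            parameters.set(SecurityProperties.PRINCIPAL_VALIDATOR_PROPERTY, SecurityProperties.PRINCIPAL_VALIDATOR_DEFAULT_VALUE);
        }
        return (PrincipalValidator) ExtensionProviderUtils.getFirstExtensionProvider(PrincipalValidator.class, SecurityProperties.PRINCIPAL_VALIDATOR_PROPERTY);
    }

    /**
     * Handles an explicit {@code ManagedService.login(userId, password[, properties])} call: sets
     * partition and domain, authenticates via {@link #doLogin}, synchronizes the user, clears any
     * outstanding password-reset token, binds the user to the environment and writes the audit entry.
     *
     * @return the logged-in user whose properties additionally contain a signed {@link InvokerPrincipal}
     *         under {@link InvokerPrincipal#PRP_SIGNED_PRINCIPAL}, verified later by {@link #doSecurityCheck}
     * @throws LoginFailedException if authentication fails
     */
    public LoggedInUser performLoginCall(MethodInvocation methodInvocation) {
        BpmRuntimeEnvironment runtimeEnvironment = PropertyLayerProviderInterceptor.getCurrent();
        Object[] arguments = methodInvocation.getArguments();
        Map loginProperties = 2 < arguments.length ? (Map) arguments[2] : Collections.EMPTY_MAP;
        setCurrentPartitionAndDomain(methodInvocation.getParameters(), runtimeEnvironment, loginProperties);
        LoggedInUser loggedInUser = doLogin(methodInvocation);
        IUser user = getUser(methodInvocation, loggedInUser.getUserId(), loggedInUser.getProperties());
        // A completed login invalidates a pending password-reset token.
        user.removeProperty(SecurityUtils.PASSWORD_RESET_TOKEN);
        setCurrentUser(runtimeEnvironment, user);
        SessionManager.instance().updateLastModificationTime(user);
        if (!LoginUtils.isLoginLoggingDisabled(user)) {
            AuditTrailLogger.getInstance(LogCode.SECURITY).info("Logged in.");
        }
        InvokerPrincipal signedPrincipal = InvokerPrincipalUtils.generateSignedPrincipal(loggedInUser.getUserId(), loggedInUser.getProperties());
        HashMap principalProperties = CollectionUtils.newHashMap();
        principalProperties.putAll(loggedInUser.getProperties());
        principalProperties.put(InvokerPrincipal.PRP_SIGNED_PRINCIPAL, signedPrincipal);
        return new LoggedInUser(loggedInUser.getUserId(), principalProperties);
    }

    /** Hook for an explicit {@code ManagedService.logout} call; does nothing here, subclasses may override. */
    public void performLogoutCall() {
    }

    /** @return whether {@code method} is {@code ManagedService.login}. */
    public static boolean isLoginCall(Method method) {
        return isManagedServiceMethod(method) && METHODNAME_LOGIN.equals(method.getName());
    }

    /** @return whether {@code method} is {@code ManagedService.logout}. */
    public static boolean isLogoutCall(Method method) {
        return isManagedServiceMethod(method) && METHODNAME_LOGOUT.equals(method.getName());
    }

    /** Compares declaring-class names rather than {@code Class} objects, as the original did (classloader-tolerant). */
    private static boolean isManagedServiceMethod(Method method) {
        return method.getDeclaringClass().getName().equals(ManagedService.class.getName());
    }

    /**
     * Authenticates the credentials of a {@code login(userId, password[, properties])} invocation in
     * an isolated transaction. Two failure codes are handled specially (see {@link #handleFailedLogin}):
     * a password-expired failure still yields a logged-in user, an account-disable failure disables
     * the account and is rethrown. Overriding properties from the provider are merged into the
     * supplied property map, which is the caller's own map when one was passed.
     *
     * @return the logged-in user (id from the provider result, else the login id) with default credentials merged in
     * @throws LoginFailedException for any other failure reported by the external login service
     */
    public static LoggedInUser doLogin(MethodInvocation methodInvocation) throws LoginFailedException {
        ForkingService forkingService = ((ForkingServiceFactory) methodInvocation.getParameters().get(EngineProperties.FORKING_SERVICE_HOME)).get();
        Object[] arguments = methodInvocation.getArguments();
        String loginId = (String) arguments[0];
        String password = (String) arguments[1];
        // A mutable fallback: the overriding-properties merge below writes into this map, and
        // Collections.EMPTY_MAP would throw UnsupportedOperationException for a two-argument login.
        Map properties = 2 < arguments.length ? (Map) arguments[2] : new HashMap();
        ExternalLoginResult result = (ExternalLoginResult) forkingService.isolate(new LoginAction(loginId, password, properties));
        String userId = StringUtils.isNotEmpty(result.getUserId()) ? result.getUserId() : loginId;
        if (!result.wasSuccessful()) {
            handleFailedLogin(forkingService, methodInvocation, userId, properties, result);
        }
        if (result.isOverridingProperties()) {
            properties.putAll(result.getProperties());
        }
        HashMap credentials = new HashMap(properties);
        LoginUtils.mergeDefaultCredentials(credentials);
        return new LoggedInUser(userId, credentials);
    }

    /**
     * Applies the side effects of a failed login and rethrows unless the failure is the
     * password-expired soft failure, in which case the user (if known) is flagged and control returns
     * so the login completes.
     *
     * @throws LoginFailedException the failure reason from {@code result} for every code except
     *         {@link #REASON_PASSWORD_EXPIRED_SOFT_FAIL}
     */
    private static void handleFailedLogin(ForkingService forkingService, MethodInvocation methodInvocation,
            String userId, Map properties, ExternalLoginResult result) throws LoginFailedException {
        int reason = result.getLoginFailedReason().getReason();
        if (reason != REASON_PASSWORD_EXPIRED_SOFT_FAIL && reason != REASON_DISABLE_ACCOUNT) {
            throw result.getLoginFailedReason();
        }
        setCurrentPartitionAndDomain(methodInvocation.getParameters(), PropertyLayerProviderInterceptor.getCurrent(), properties);
        IUser user = getUser(methodInvocation, userId, properties);
        if (reason == REASON_PASSWORD_EXPIRED_SOFT_FAIL) {
            if (user != null) {
                user.setPasswordExpired(true);
            }
            return;
        }
        // REASON_DISABLE_ACCOUNT: an unknown user cannot be disabled; report the failure as-is instead of NPE-ing.
        if (user != null) {
            forkingService.isolate(new DisableUserAction(user.getOID()));
        }
        throw result.getLoginFailedReason();
    }

    /** @return the active model, or the last deployed one when no model is active. */
    private static IModel findActiveOrLastDeployedModel() {
        IModel model = ModelManagerFactory.getCurrent().findActiveModel();
        if (model == null) {
            model = ModelManagerFactory.getCurrent().findLastDeployedModel();
        }
        return model;
    }

    /**
     * Synchronizes the user with the model, reporting an unknown user as a login failure.
     * The reason code was resolved by the decompiler to {@code StructuredDataBean.xpath_COLUMN_LENGTH},
     * an unrelated constant with the same numeric value; the intended constant is not recoverable here.
     */
    private static IUser getUser(MethodInvocation methodInvocation, String userId, Map properties) {
        boolean syncOnLogin = methodInvocation.getParameters().getBoolean(SecurityProperties.AUTHORIZATION_SYNC_LOGIN_PROPERTY, true);
        try {
            return SynchronizationService.synchronize(userId, findActiveOrLastDeployedModel(), syncOnLogin, properties);
        } catch (ObjectNotFoundException e) {
            throw new LoginFailedException(e.getError(), StructuredDataBean.xpath_COLUMN_LENGTH);
        }
    }

    /**
     * Resolves partition and domain from the parameters and login properties and stores both (plus
     * their OIDs) on the property layer.
     */
    public static void setCurrentPartitionAndDomain(Parameters parameters, PropertyLayer propertyLayer, Map properties) {
        IAuditTrailPartition partition = LoginUtils.findPartition(parameters, properties);
        IUserDomain domain = LoginUtils.findUserDomain(parameters, partition, properties);
        propertyLayer.setProperty(SecurityProperties.CURRENT_PARTITION, partition);
        propertyLayer.setProperty(SecurityProperties.CURRENT_PARTITION_OID, Short.valueOf(partition.getOID()));
        propertyLayer.setProperty(SecurityProperties.CURRENT_DOMAIN, domain);
        propertyLayer.setProperty(SecurityProperties.CURRENT_DOMAIN_OID, Long.valueOf(domain.getOID()));
    }

    /** Binds {@code user} as the current user of the property layer. */
    public static void setCurrentUser(PropertyLayer propertyLayer, IUser user) {
        propertyLayer.setProperty(SecurityProperties.CURRENT_USER, user);
    }
}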
