package pl.edu.icm.unity.engine.identity;

import com.google.common.collect.ImmutableMap;
import java.util.Date;
import java.util.Map;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Primary;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.engine.api.EntityCredentialManagement;
import pl.edu.icm.unity.engine.api.authn.local.LocalCredentialVerificator;
import pl.edu.icm.unity.engine.api.identity.EntityResolver;
import pl.edu.icm.unity.engine.attribute.AttributesHelper;
import pl.edu.icm.unity.engine.audit.AuditEventTrigger;
import pl.edu.icm.unity.engine.audit.AuditPublisher;
import pl.edu.icm.unity.engine.authz.AuthzCapability;
import pl.edu.icm.unity.engine.authz.InternalAuthorizationManager;
import pl.edu.icm.unity.engine.credential.CredentialAttributeTypeProvider;
import pl.edu.icm.unity.engine.credential.EntityCredentialsHelper;
import pl.edu.icm.unity.engine.events.InvocationEventProducer;
import pl.edu.icm.unity.engine.session.AdditionalAuthenticationService;
import pl.edu.icm.unity.exceptions.AuthorizationException;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.exceptions.IllegalCredentialException;
import pl.edu.icm.unity.exceptions.WrongArgumentException;
import pl.edu.icm.unity.stdext.attr.StringAttribute;
import pl.edu.icm.unity.store.api.AttributeDAO;
import pl.edu.icm.unity.store.api.tx.Transactional;
import pl.edu.icm.unity.store.types.StoredAttribute;
import pl.edu.icm.unity.types.authn.CredentialPublicInformation;
import pl.edu.icm.unity.types.authn.LocalCredentialState;
import pl.edu.icm.unity.types.basic.Attribute;
import pl.edu.icm.unity.types.basic.AttributeExt;
import pl.edu.icm.unity.types.basic.EntityParam;
import pl.edu.icm.unity.types.basic.audit.AuditEventAction;
import pl.edu.icm.unity.types.basic.audit.AuditEventTag;
import pl.edu.icm.unity.types.basic.audit.AuditEventType;

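/**
 * Engine-side implementation of {@link EntityCredentialManagement}: changes an entity's
 * credential requirements, sets a credential value and changes the state of an already set
 * credential (removal or invalidation).
 *
 * <p>All public operations run in a transaction. Authorization is delegated to
 * {@link InternalAuthorizationManager}; credential storage goes through
 * {@link EntityCredentialsHelper}, except for state changes which work directly on the
 * credential attribute in the root group via {@link AttributeDAO}. Every effective state
 * change is recorded through {@link AuditPublisher}.
 */
@Component
@Primary
@InvocationEventProducer
public class EntityCredentialsManagementImpl implements EntityCredentialManagement {
    /** Group in which credential attributes of an entity are stored. */
    private static final String ROOT_GROUP = "/";

    private final EntityResolver idResolver;
    private final AttributeDAO attributeDAO;
    private final InternalAuthorizationManager authz;
    private final AttributesHelper attributesHelper;
    private final EntityCredentialsHelper credHelper;
    private final AdditionalAuthenticationService repeatedAuthnService;
    private final AuditPublisher audit;

    @Autowired
    public EntityCredentialsManagementImpl(EntityResolver entityResolver, AttributeDAO attributeDAO,
            InternalAuthorizationManager internalAuthorizationManager, AttributesHelper attributesHelper,
            EntityCredentialsHelper entityCredentialsHelper,
            AdditionalAuthenticationService additionalAuthenticationService, AuditPublisher auditPublisher) {
        this.idResolver = entityResolver;
        this.attributeDAO = attributeDAO;
        this.authz = internalAuthorizationManager;
        this.attributesHelper = attributesHelper;
        this.credHelper = entityCredentialsHelper;
        this.repeatedAuthnService = additionalAuthenticationService;
        this.audit = auditPublisher;
    }

    /**
     * Changes the credential requirements of an entity.
     *
     * <p>NOTE(review): no authorization check is visible in this method; it is presumably
     * enforced inside {@code EntityCredentialsHelper.setEntityCredentialRequirements} — confirm.
     *
     * @param entityParam the entity to change; must be initialized
     * @param credentialRequirementsId identifier of the new credential requirements
     * @throws EngineException if the entity can not be resolved or the change is rejected
     */
    @Override
    @Transactional
    public void setEntityCredentialRequirements(EntityParam entityParam, String credentialRequirementsId)
            throws EngineException {
        entityParam.validateInitialization();
        credHelper.setEntityCredentialRequirements(idResolver.getEntityId(entityParam), credentialRequirementsId);
    }

    /**
     * Sets (or replaces) a credential of an entity.
     *
     * <p>If the caller is not authorized globally but only for its own entity, and the credential
     * is currently in a usable state, additional (repeated) authentication is demanded before
     * the credential is changed — see {@link #authorizeCredentialChange(long, String)}.
     *
     * @param entityParam the entity whose credential is set; must be initialized
     * @param credentialId identifier of the credential definition to set
     * @param rawCredential the new credential value in its raw (verificator specific) form
     * @throws IllegalCredentialException if {@code rawCredential} is null or the credential is
     *         not allowed for the entity
     * @throws EngineException on authorization failure or storage problems
     */
    @Override
    @Transactional
    public void setEntityCredential(EntityParam entityParam, String credentialId, String rawCredential)
            throws EngineException {
        if (rawCredential == null) {
            throw new IllegalCredentialException("The credential can not be null");
        }
        entityParam.validateInitialization();
        long entityId = idResolver.getEntityId(entityParam);
        if (authorizeCredentialChange(entityId, credentialId)) {
            repeatedAuthnService.checkAdditionalAuthenticationRequirements(credentialId);
        }
        credHelper.setEntityCredential(entityId, credentialId, rawCredential);
    }

    /**
     * Authorizes a credential change and decides whether it additionally needs re-authentication.
     *
     * <p>A caller holding the global {@code credentialModify} capability may change any credential
     * without further checks. Otherwise the capability is checked in self mode (the two-argument
     * {@code checkAuthorization} with {@code isSelf}), the credential must be present in the
     * entity's credential state, and additional authentication is required unless the credential
     * is currently {@code notSet} or {@code outdated} — presumably because there is then no valid
     * credential to re-authenticate with.
     *
     * @param entityId the entity whose credential is changed
     * @param credentialId identifier of the credential definition
     * @return true if additional authentication must be enforced before the change
     * @throws IllegalCredentialException if the credential is not allowed for the entity
     * @throws EngineException if the caller is not authorized at all
     */
    private boolean authorizeCredentialChange(long entityId, String credentialId) throws EngineException {
        try {
            authz.checkAuthorization(AuthzCapability.credentialModify);
            return false;
        } catch (AuthorizationException ignored) {
            // Not globally authorized: fall back to the self-service path below.
        }
        authz.checkAuthorization(authz.isSelf(entityId), AuthzCapability.credentialModify);
        CredentialPublicInformation credInfo = (CredentialPublicInformation) credHelper
                .getCredentialInfo(entityId).getCredentialsState().get(credentialId);
        if (credInfo == null) {
            throw new IllegalCredentialException("The credential " + credentialId + " is not allowed for the entity");
        }
        LocalCredentialState state = credInfo.getState();
        return state != LocalCredentialState.notSet && state != LocalCredentialState.outdated;
    }

    /**
     * Changes the state of an entity's credential: {@code notSet} removes the stored credential,
     * {@code outdated} replaces it with its invalidated form. The {@code correct} state can not
     * be requested here — use {@link #setEntityCredential}.
     *
     * <p>NOTE(review): this operation checks {@code identityModify} in self mode, whereas
     * {@link #setEntityCredential} checks {@code credentialModify} and may demand re-authentication;
     * confirm that the asymmetry is intended.
     *
     * @param entityParam the entity whose credential state changes; must be initialized
     * @param credentialId identifier of the credential definition
     * @param desiredState the requested state; must not be {@code correct}
     * @throws WrongArgumentException if {@code correct} is requested
     * @throws IllegalCredentialException if the credential is not among the entity's credential
     *         requirements, if a state other than {@code notSet} is requested for an unset
     *         credential, or if the verificator does not support invalidation
     * @throws EngineException on authorization failure or storage problems
     */
    @Override
    @Transactional
    public void setEntityCredentialStatus(EntityParam entityParam, String credentialId,
            LocalCredentialState desiredState) throws EngineException {
        entityParam.validateInitialization();
        if (desiredState == LocalCredentialState.correct) {
            throw new WrongArgumentException("Credential can not be put into the correct state with this method. Use setEntityCredential.");
        }
        long entityId = idResolver.getEntityId(entityParam);
        authz.checkAuthorization(authz.isSelf(entityId), AuthzCapability.identityModify);
        Map<String, AttributeExt> attributes = attributesHelper.getAllAttributesAsMapOneGroup(entityId, ROOT_GROUP);
        LocalCredentialVerificator handler = resolveCredentialHandler(attributes, credentialId);

        String credAttributeName = CredentialAttributeTypeProvider.CREDENTIAL_PREFIX + credentialId;
        String currentValue = firstValue(attributes.get(credAttributeName));
        if (currentValue == null) {
            // Nothing is stored, so notSet is the only consistent state and it already holds.
            if (desiredState != LocalCredentialState.notSet) {
                throw new IllegalCredentialException("The credential is not set, so it's state can be only notSet");
            }
            return;
        }
        if (desiredState == LocalCredentialState.notSet) {
            removeCredential(entityId, credAttributeName);
        } else if (desiredState == LocalCredentialState.outdated) {
            invalidateCredential(entityId, credAttributeName, currentValue, handler);
        }
    }

    /**
     * Looks up the verificator handling {@code credentialId} in the entity's credential requirements.
     *
     * @throws IllegalCredentialException if the entity has no credential requirements attribute
     *         or the credential is not part of them
     */
    private LocalCredentialVerificator resolveCredentialHandler(Map<String, AttributeExt> attributes,
            String credentialId) throws EngineException {
        String credReqId = firstValue(attributes.get(CredentialAttributeTypeProvider.CREDENTIAL_REQUIREMENTS));
        if (credReqId == null) {
            // Guards against an NPE on an entity without the credential requirements attribute.
            throw new IllegalCredentialException("The entity has no credential requirements set");
        }
        LocalCredentialVerificator handler = credHelper.getCredentialRequirements(credReqId)
                .getCredentialHandler(credentialId);
        if (handler == null) {
            throw new IllegalCredentialException("The credential id is not among the entity's credential requirements: " + credentialId);
        }
        return handler;
    }

    /** Deletes the stored credential attribute and records a REMOVE audit event. */
    private void removeCredential(long entityId, String credAttributeName) throws EngineException {
        attributeDAO.deleteAttribute(credAttributeName, entityId, ROOT_GROUP);
        audit.log(AuditEventTrigger.builder().type(AuditEventType.CREDENTIALS).action(AuditEventAction.REMOVE)
                .name(credAttributeName).subject(Long.valueOf(entityId)).tags(AuditEventTag.AUTHN));
    }

    /**
     * Replaces the stored credential with its invalidated form (as produced by the verificator)
     * and records an UPDATE audit event with {@code state=outdated}.
     *
     * @throws IllegalCredentialException if the verificator does not support invalidation
     */
    private void invalidateCredential(long entityId, String credAttributeName, String currentValue,
            LocalCredentialVerificator handler) throws EngineException {
        if (!handler.isSupportingInvalidation()) {
            throw new IllegalCredentialException("The credential doesn't support the outdated state");
        }
        Attribute invalidated = StringAttribute.of(credAttributeName, ROOT_GROUP,
                new String[]{handler.invalidate(currentValue)});
        // The same timestamp is used for both creation and update time of the stored attribute.
        Date now = new Date();
        AttributeExt stored = new AttributeExt(invalidated, true, now, now);
        attributeDAO.updateAttribute(new StoredAttribute(stored, entityId));
        audit.log(AuditEventTrigger.builder().type(AuditEventType.CREDENTIALS).action(AuditEventAction.UPDATE)
                .name(credAttributeName).subject(Long.valueOf(entityId))
                .details(ImmutableMap.of("state", "outdated")).tags(AuditEventTag.AUTHN));
    }

    /**
     * Returns the first value of an attribute, or null when the attribute is absent or has no
     * values (an attribute without values can not carry a credential).
     */
    private static String firstValue(Attribute attribute) {
        if (attribute == null || attribute.getValues().isEmpty()) {
            return null;
        }
        return (String) attribute.getValues().get(0);
    }
}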
