package com.evolveum.midpoint.model.impl.controller;

import com.evolveum.midpoint.model.api.ModelAuthorizationAction;
import com.evolveum.midpoint.model.impl.ModelBeans;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.query.ObjectFilter;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.security.api.Authorization;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.security.api.ProfileCompilerOptions;
import com.evolveum.midpoint.security.enforcer.api.CompileConstraintsOptions;
import com.evolveum.midpoint.security.enforcer.api.PrismEntityOpConstraints;
import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.util.DebugDumpable;
import com.evolveum.midpoint.util.DebugUtil;
import com.evolveum.midpoint.util.MiscUtil;
import com.evolveum.midpoint.util.exception.AuthorizationException;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationEvaluationAccessDecisionRequestType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationEvaluationFilterProcessingRequestType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationEvaluationRequestType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationEvaluationResponseType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationEvaluationTracingOptionsType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import com.evolveum.prism.xml.ns._public.query_3.SearchFilterType;
import java.util.List;
import java.util.UUID;
import javax.xml.namespace.QName;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

/* loaded from: input_file:BOOT-INF/lib/model-impl-4.10-M4.jar:com/evolveum/midpoint/model/impl/controller/AuthorizationDiagEvaluation.class */
/**
 * Diagnostic evaluation of an authorization request.
 *
 * <p>Each concrete subclass handles one request kind:
 * <ul>
 *   <li>{@link ItemAccessDecision} compiles item-level operation constraints for a referenced object
 *       and shows the object after read constraints have been applied;</li>
 *   <li>{@link FilterProcessing} shows how the security enforcer augments a search filter for a given
 *       object type;</li>
 *   <li>{@link OperationAccessDecision} is selected for access-decision requests that carry explicit
 *       action URLs and is currently not implemented.</li>
 * </ul>
 *
 * <p>The principal used for the evaluation is either resolved from the request's {@code subjectRef}
 * through the user profile service, or -- when no subject is given -- a stub user carrying only the
 * authorizations listed in the request's {@code additionalAuthorization} (see {@link #createPrincipal}).
 * Log lines emitted by the enforcer are captured by {@link MyLogCollector} and returned as the
 * response's {@code computation}.
 *
 * <p>NOTE(review): whether the caller is permitted to run this diagnostic at all (and to supply
 * additional authorizations for the evaluated principal) is not checked in this class; presumably
 * the invoking controller enforces that -- confirm against the caller.
 *
 * @param <REQ> concrete request bean type handled by the subclass
 */
abstract class AuthorizationDiagEvaluation<REQ extends AuthorizationEvaluationRequestType> {

    /** Request being evaluated. */
    @NotNull
    final REQ request;

    /** Task under which model/repository access is performed. */
    @NotNull
    final Task task;

    /** Model beans (prism context, security enforcer, object resolver, data access processor). */
    @NotNull
    final ModelBeans b = ModelBeans.get();

    /** Captures the enforcer's log output for the response's {@code computation} field. */
    @NotNull
    private final MyLogCollector logCollector;

    /**
     * Stores the request and task and prepares the log collector according to the request's
     * tracing options.
     *
     * @param req request to evaluate
     * @param task task under which the evaluation runs
     */
    AuthorizationDiagEvaluation(@NotNull REQ req, @NotNull Task task) {
        this.request = req;
        this.task = task;
        this.logCollector = new MyLogCollector(selectorTracingRequested(req));
    }

    /**
     * Creates the evaluation matching the concrete request type.
     *
     * <p>Access-decision requests without action URLs become an {@link ItemAccessDecision}; those with
     * action URLs become an {@link OperationAccessDecision}. Filter-processing requests become a
     * {@link FilterProcessing}.
     *
     * @param req request to evaluate
     * @param task task under which the evaluation runs
     * @return evaluation for the request
     * @throws SchemaException if the filter-processing request's type or filter cannot be parsed
     * @throws IllegalArgumentException if the request is of an unknown kind
     */
    public static AuthorizationDiagEvaluation<?> of(@NotNull AuthorizationEvaluationRequestType req, @NotNull Task task) throws SchemaException {
        if (req instanceof AuthorizationEvaluationAccessDecisionRequestType accessReq) {
            if (accessReq.getActionUrl().isEmpty()) {
                return new ItemAccessDecision(accessReq, task);
            }
            return new OperationAccessDecision(accessReq, task);
        }
        if (req instanceof AuthorizationEvaluationFilterProcessingRequestType filterReq) {
            return new FilterProcessing(filterReq, task);
        }
        throw new IllegalArgumentException("Unknown request type: " + req);
    }

    /**
     * Runs the evaluation.
     *
     * @param operationResult operation result to record into
     * @return response holding the human-readable result and the collected enforcer log
     */
    @NotNull
    public abstract AuthorizationEvaluationResponseType evaluate(@NotNull OperationResult operationResult) throws SchemaException, ExpressionEvaluationException, CommunicationException, SecurityViolationException, ConfigurationException, ObjectNotFoundException;

    /** Action URLs used when the request does not specify any. */
    @NotNull
    abstract String[] getDefaultActionUrls();

    /** True when the request's tracing options explicitly enable selector tracing. */
    private static boolean selectorTracingRequested(AuthorizationEvaluationRequestType req) {
        AuthorizationEvaluationTracingOptionsType tracing = req.getTracing();
        if (tracing == null) {
            return false;
        }
        return Boolean.TRUE.equals(tracing.isSelectorTracingEnabled());
    }

    /**
     * Builds the principal to evaluate: the raw principal (see {@link #createPrincipalRaw}) extended
     * with every entry of the request's {@code additionalAuthorization}.
     *
     * @param operationResult operation result to record into
     * @return principal, cloned with the additional authorizations when there are any
     */
    @NotNull
    MidPointPrincipal createPrincipal(OperationResult operationResult) throws SchemaException, ExpressionEvaluationException, CommunicationException, SecurityViolationException, ConfigurationException, ObjectNotFoundException {
        MidPointPrincipal basePrincipal = createPrincipalRaw(operationResult);
        List<Authorization> additional = this.request.getAdditionalAuthorization().stream()
                .map(bean -> Authorization.create(bean, "additional authorization"))
                .toList();
        if (additional.isEmpty()) {
            return basePrincipal;
        }
        return basePrincipal.cloneWithAdditionalAuthorizations(additional, false);
    }

    /**
     * Resolves the principal without additional authorizations.
     *
     * <p>With a {@code subjectRef}, the referenced focus is resolved and turned into a full principal by the
     * user profile service (GUI admin configuration not compiled, security policy not located). Without one,
     * a stub {@link UserType} is used instead: it copies OID and name of the currently logged-in principal
     * (or a random OID and the name "Anonymous" when there is none), so it carries no authorizations of its
     * own -- only those added later by {@link #createPrincipal} apply.
     *
     * @param operationResult operation result to record into
     * @return the raw principal
     */
    private MidPointPrincipal createPrincipalRaw(OperationResult operationResult) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        ObjectReferenceType subjectRef = this.request.getSubjectRef();
        if (subjectRef == null) {
            return stubPrincipalForCurrentUser();
        }
        FocusType subject = (FocusType) this.b.modelObjectResolver.resolve(subjectRef, FocusType.class, null, "subject", this.task, operationResult);
        return this.b.securityContextManager.getUserProfileService().getPrincipal(
                subject.asPrismObject(),
                null,
                ProfileCompilerOptions.createNotCompileGuiAdminConfiguration().locateSecurityPolicy(false),
                operationResult);
    }

    /** Stub principal mirroring OID/name of the logged-in user, or an anonymous one when nobody is logged in. */
    private MidPointPrincipal stubPrincipalForCurrentUser() {
        MidPointPrincipal current = this.b.securityEnforcer.getMidPointPrincipal();
        if (current != null) {
            return MidPointPrincipal.create(new UserType().oid(current.getOid()).name(current.getName()));
        }
        return MidPointPrincipal.create(new UserType().oid(UUID.randomUUID().toString()).name("Anonymous"));
    }

    /**
     * One-line description of the principal for the response text: focus, number of authorizations, and
     * a marker when only explicit (request-supplied) authorizations are in effect.
     *
     * @param principal principal to describe
     * @return description
     */
    String principalInfo(@NotNull MidPointPrincipal principal) {
        String info = principal.getFocus() + " with " + principal.getAuthorities().size() + " authorization(s)";
        if (explicitAuthorizationsOnly()) {
            info += " (explicit authorizations only)";
        }
        return info;
    }

    /** True when no subject was given, i.e. the stub principal with request-supplied authorizations only is used. */
    private boolean explicitAuthorizationsOnly() {
        return this.request.getSubjectRef() == null;
    }

    /**
     * Action URLs for the evaluation: those from the request, or the subclass defaults when the request
     * specifies none.
     *
     * @return action URLs
     */
    @NotNull
    String[] getActionUrls() {
        List<String> requested = this.request.getActionUrl();
        if (requested.isEmpty()) {
            return getDefaultActionUrls();
        }
        return requested.toArray(new String[0]);
    }

    /** Enforcer options routing log output into this evaluation's collector. */
    SecurityEnforcer.Options createOptions() {
        return SecurityEnforcer.Options.create().withLogCollector(this.logCollector);
    }

    /**
     * Wraps the result text together with the log collected so far.
     *
     * @param resultText human-readable result
     * @return response bean
     */
    @NotNull
    AuthorizationEvaluationResponseType createResponse(String resultText) {
        return new AuthorizationEvaluationResponseType()
                .result(resultText)
                .computation(this.logCollector.getLog());
    }

    /** Common base for access-decision evaluations; defaults to the GET action URLs. */
    static abstract class AccessDecision extends AuthorizationDiagEvaluation<AuthorizationEvaluationAccessDecisionRequestType> {

        AccessDecision(@NotNull AuthorizationEvaluationAccessDecisionRequestType req, @NotNull Task task) {
            super(req, task);
        }

        @Override
        @NotNull
        String[] getDefaultActionUrls() {
            return ModelAuthorizationAction.AUTZ_ACTIONS_URLS_GET;
        }
    }

    /**
     * Shows which item-level constraints the enforcer computes for a referenced object and how the object
     * looks once read constraints are applied.
     */
    static class ItemAccessDecision extends AccessDecision {

        private static final String RESULT_TEMPLATE =
                "Principal: %s\n\nObject: %s\n\n---------------------------------------------\n\nComputed item constraints:\n%s\n\n---------------------------------------------\n\nObject with constraints applied:\n%s";

        ItemAccessDecision(@NotNull AuthorizationEvaluationAccessDecisionRequestType req, @NotNull Task task) {
            super(req, task);
        }

        /**
         * Resolves the request's {@code objectRef}, compiles operation constraints for the evaluated principal
         * and applies the read constraints to the object. The last section of the result is the dump of the
         * constrained object, or the denial message if applying the constraints raised
         * {@link AuthorizationException}; the unconstrained object is never dumped there.
         */
        @Override
        @NotNull
        public AuthorizationEvaluationResponseType evaluate(@NotNull OperationResult operationResult) throws SchemaException, ExpressionEvaluationException, CommunicationException, SecurityViolationException, ConfigurationException, ObjectNotFoundException {
            ObjectReferenceType objectRef = (ObjectReferenceType) MiscUtil.argNonNull(this.request.getObjectRef(), "objectRef is missing");
            ObjectType object = this.b.modelObjectResolver.resolve(objectRef, ObjectType.class, null, "object", this.task, operationResult);
            MidPointPrincipal principal = createPrincipal(operationResult);
            PrismEntityOpConstraints.ForValueContent constraints = this.b.securityEnforcer.compileOperationConstraints(
                    principal,
                    object.asPrismObject().getValue(),
                    null,
                    getActionUrls(),
                    createOptions(),
                    CompileConstraintsOptions.create(),
                    this.task,
                    operationResult);

            PrismObject<?> constrained = null;
            AuthorizationException denial = null;
            try {
                constrained = this.b.dataAccessProcessor.applyReadConstraints(object.asPrismObject(), constraints);
            } catch (AuthorizationException e) {
                // Denied access is part of the diagnostic output, not a failure of the evaluation itself.
                denial = e;
            }

            String appliedSection;
            if (denial != null) {
                appliedSection = denial.getMessage();
            } else {
                appliedSection = DebugUtil.debugDump((DebugDumpable) constrained, 1);
            }
            return createResponse(RESULT_TEMPLATE.formatted(
                    principalInfo(principal),
                    object,
                    DebugUtil.debugDump((DebugDumpable) constraints, 1),
                    appliedSection));
        }
    }

    /** Placeholder for access-decision requests with explicit action URLs; not implemented. */
    static class OperationAccessDecision extends AccessDecision {

        OperationAccessDecision(@NotNull AuthorizationEvaluationAccessDecisionRequestType req, @NotNull Task task) {
            super(req, task);
        }

        /**
         * Always fails: evaluation of operation-level access decisions is not implemented here. Note that
         * {@link AuthorizationDiagEvaluation#of} routes every access-decision request with a non-empty
         * {@code actionUrl} to this class.
         *
         * @throws UnsupportedOperationException always
         */
        @Override
        @NotNull
        public AuthorizationEvaluationResponseType evaluate(@NotNull OperationResult operationResult) throws SchemaException, ExpressionEvaluationException, CommunicationException, SecurityViolationException, ConfigurationException, ObjectNotFoundException {
            throw new UnsupportedOperationException();
        }
    }

    /** Shows how the enforcer augments a search filter for the evaluated principal. */
    static class FilterProcessing extends AuthorizationDiagEvaluation<AuthorizationEvaluationFilterProcessingRequestType> {

        private static final String RESULT_TEMPLATE =
                "Principal: %s\n\nOriginal filter with type %s:\n%s\n\n---------------------------------------------\n\nAugmented filter:\n%s";

        /** Object class resolved from the request's type name. */
        @NotNull
        private final Class<?> objectType;

        /** Parsed request filter, or null when the request carries none. */
        @Nullable
        private final ObjectFilter originalFilter;

        /**
         * @throws SchemaException if the type name cannot be resolved or the filter cannot be parsed
         * @throws IllegalArgumentException if the request specifies no type (via {@code MiscUtil.argNonNull})
         */
        FilterProcessing(@NotNull AuthorizationEvaluationFilterProcessingRequestType req, @NotNull Task task) throws SchemaException {
            super(req, task);
            QName typeName = (QName) MiscUtil.argNonNull(req.getType(), "Type is not specified");
            this.objectType = this.b.prismContext.getSchemaRegistry().determineClassForTypeRequired(typeName);
            SearchFilterType filterBean = req.getFilter();
            if (filterBean == null) {
                this.originalFilter = null;
            } else {
                this.originalFilter = this.b.prismContext.getQueryConverter().parseFilter(filterBean, this.objectType);
            }
        }

        /**
         * Pre-processes the original filter through the enforcer (search action URLs from the request or
         * defaults, {@code AUTZ_ACTIONS_URLS_SEARCH_BY} as the secondary actions) and reports both the
         * original and the augmented filter.
         */
        @Override
        @NotNull
        public AuthorizationEvaluationResponseType evaluate(@NotNull OperationResult operationResult) throws SchemaException, ExpressionEvaluationException, CommunicationException, SecurityViolationException, ConfigurationException, ObjectNotFoundException {
            MidPointPrincipal principal = createPrincipal(operationResult);
            var augmentedFilter = this.b.securityEnforcer.preProcessObjectFilter(
                    principal,
                    getActionUrls(),
                    ModelAuthorizationAction.AUTZ_ACTIONS_URLS_SEARCH_BY,
                    null,
                    this.objectType,
                    this.originalFilter,
                    null,
                    List.of(),
                    createOptions(),
                    this.task,
                    operationResult);
            return createResponse(RESULT_TEMPLATE.formatted(
                    principalInfo(principal),
                    this.objectType.getSimpleName(),
                    DebugUtil.debugDump((DebugDumpable) this.originalFilter, 1),
                    DebugUtil.debugDump((DebugDumpable) augmentedFilter, 1)));
        }

        @Override
        @NotNull
        String[] getDefaultActionUrls() {
            return ModelAuthorizationAction.AUTZ_ACTIONS_URLS_SEARCH;
        }
    }

    /**
     * Enforcer log collector that appends each line (newline-terminated) to a buffer and reports whether
     * selector tracing was requested.
     */
    public static class MyLogCollector implements SecurityEnforcer.LogCollector {

        private final StringBuilder buffer = new StringBuilder();
        private final boolean selectorTracingEnabled;

        MyLogCollector(boolean selectorTracingEnabled) {
            this.selectorTracingEnabled = selectorTracingEnabled;
        }

        @Override
        public void log(String line) {
            buffer.append(line).append("\n");
        }

        /** Everything logged so far, one entry per line. */
        @NotNull
        public String getLog() {
            return buffer.toString();
        }

        @Override
        public boolean isSelectorTracingEnabled() {
            return selectorTracingEnabled;
        }
    }
}
