package com.evolveum.midpoint.model.impl.controller.transformer;

import com.evolveum.midpoint.model.api.ModelAuthorizationAction;
import com.evolveum.midpoint.model.impl.controller.SchemaTransformer;
import com.evolveum.midpoint.prism.ItemDefinition;
import com.evolveum.midpoint.prism.PrismContainerDefinition;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.security.enforcer.api.ObjectSecurityConstraints;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationDecisionType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
import java.util.IdentityHashMap;
import org.apache.commons.lang3.Validate;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.springframework.stereotype.Component;

/**
 * Narrows the {@code canRead} / {@code canAdd} / {@code canModify} flags of an item definition
 * (and, for containers, of its sub-definitions) according to per-item authorization decisions
 * obtained from {@link ObjectSecurityConstraints#computeItemDecision}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>A flag is cleared whenever the decision for the item is anything other than
 *       {@link AuthorizationDecisionType#ALLOW}; a {@code null} decision would therefore also clear it.</li>
 *   <li>After that, a container's flag is set back to {@code true} when at least one direct child
 *       carries the flag. A container flag therefore does not prove that the container's own path
 *       was allowed, only that something beneath it is accessible.</li>
 *   <li>Definitions are changed in place through {@code mutator()}.
 *       NOTE(review): callers presumably pass a private copy rather than a shared schema
 *       definition; confirm against the call sites.</li>
 * </ul>
 */
@Component
/* loaded from: input_file:BOOT-INF/lib/model-impl-4.9.3.jar:com/evolveum/midpoint/model/impl/controller/transformer/DefinitionAccessProcessor.class */
public class DefinitionAccessProcessor {
    // NOTE(review): the trace category is SchemaTransformer's, not this class's. When enabling trace
    // logging to debug authorization results, that is the logger name to configure.
    private static final Trace LOGGER = TraceManager.getTrace((Class<?>) SchemaTransformer.class);

    /**
     * Applies the security constraints to the given definition for one authorization phase,
     * or for both phases when no phase is given.
     *
     * @param d definition to adjust; modified in place
     * @param objectSecurityConstraints source of the per-item decisions
     * @param authorizationPhaseType phase to evaluate; when {@code null}, REQUEST is applied first
     *        and EXECUTION second, both on the same definition
     */
    public <D extends ItemDefinition<?>> void applySecurityConstraintsToItemDef(@NotNull D d, @NotNull ObjectSecurityConstraints objectSecurityConstraints, @Nullable AuthorizationPhaseType authorizationPhaseType) {
        if (authorizationPhaseType == null) {
            // No explicit phase: run both passes in turn over the same definition object.
            applySecurityConstraintsToItemDefPhase(d, objectSecurityConstraints, AuthorizationPhaseType.REQUEST);
            applySecurityConstraintsToItemDefPhase(d, objectSecurityConstraints, AuthorizationPhaseType.EXECUTION);
            return;
        }
        applySecurityConstraintsToItemDefPhase(d, objectSecurityConstraints, authorizationPhaseType);
    }

    /**
     * Runs a single-phase pass starting at the empty path. Every pass gets its own
     * identity-based "seen" map and starts without parent decisions ({@code null}).
     */
    private <D extends ItemDefinition<?>> void applySecurityConstraintsToItemDefPhase(
            @NotNull D definition,
            @NotNull ObjectSecurityConstraints constraints,
            @NotNull AuthorizationPhaseType phase) {
        Validate.notNull(phase);
        LOGGER.trace("applySecurityConstraints(itemDefs): def={}, phase={}", definition, phase);
        IdentityHashMap<ItemDefinition<?>, Object> seen = new IdentityHashMap<>();
        applySecurityConstraintsToItemDef(definition, seen, ItemPath.EMPTY_PATH, constraints, null, null, null, phase);
    }

    /**
     * Computes the get/add/modify decisions for {@code path}, descends into container children,
     * and then adjusts the flags of {@code definition}.
     *
     * <p>The decisions computed for this item are handed to each child as its parent decisions.
     * The {@code seen} map is keyed by object identity and guards against descending into the
     * same container definition twice within one pass. A definition reached a second time is
     * still evaluated against the current path's decisions, but its children are not rescanned,
     * so on that visit its flags can be cleared and are never raised.
     */
    /* JADX WARN: Multi-variable type inference failed */
    private <D extends ItemDefinition<?>> void applySecurityConstraintsToItemDef(
            @NotNull D definition,
            @NotNull IdentityHashMap<ItemDefinition<?>, Object> seen,
            @NotNull ItemPath path,
            @NotNull ObjectSecurityConstraints constraints,
            @Nullable AuthorizationDecisionType parentReadDecision,
            @Nullable AuthorizationDecisionType parentAddDecision,
            @Nullable AuthorizationDecisionType parentModifyDecision,
            @NotNull AuthorizationPhaseType phase) {
        boolean alreadySeen = seen.containsKey(definition);
        seen.put(definition, null);

        AuthorizationDecisionType readDecision = constraints.computeItemDecision(
                path, ModelAuthorizationAction.AUTZ_ACTIONS_URLS_GET, parentReadDecision, phase);
        AuthorizationDecisionType addDecision = constraints.computeItemDecision(
                path, ModelAuthorizationAction.AUTZ_ACTIONS_URLS_ADD, parentAddDecision, phase);
        AuthorizationDecisionType modifyDecision = constraints.computeItemDecision(
                path, ModelAuthorizationAction.AUTZ_ACTIONS_URLS_MODIFY, parentModifyDecision, phase);

        // Whether any direct child ends up readable / addable / modifiable.
        boolean anyChildReadable = false;
        boolean anyChildAddable = false;
        boolean anyChildModifiable = false;

        boolean isContainer = definition instanceof PrismContainerDefinition;
        if (isContainer && alreadySeen) {
            LOGGER.trace("applySecurityConstraintsToItemDef: {}: skipping (already seen)", path);
        } else if (isContainer && definition.isElaborate()) {
            LOGGER.trace("applySecurityConstraintsToItemDef: {}: skipping (elaborate)", path);
        } else if (isContainer) {
            // NOTE(review): the raw cast is decompiler output; the original source presumably
            // casts to a parameterized type. Confirm before compiling this listing.
            for (ItemDefinition<?> child : ((PrismContainerDefinition) definition).getDefinitions()) {
                ItemPath childPath = ItemPath.create(path, child.getItemName());
                // The child named ShadowType.F_ATTRIBUTES is not descended into here, yet the
                // flags it already carries still count towards the parent below.
                // NOTE(review): presumably that subtree is authorized elsewhere; confirm.
                if (!child.getItemName().equals(ShadowType.F_ATTRIBUTES)) {
                    applySecurityConstraintsToItemDef(child, seen, childPath, constraints,
                            readDecision, addDecision, modifyDecision, phase);
                }
                // Read the flags only after the recursive call has had the chance to narrow them.
                anyChildReadable |= child.canRead();
                anyChildAddable |= child.canAdd();
                anyChildModifiable |= child.canModify();
            }
        }

        LOGGER.trace("applySecurityConstraintsToItemDef: {}: decisions R={}, A={}, M={}; sub-elements R={}, A={}, M={}",
                path, readDecision, addDecision, modifyDecision,
                anyChildReadable, anyChildAddable, anyChildModifiable);

        // Order matters: first clear on anything but ALLOW, then let accessible children raise
        // the flag again.
        clearUnlessAllowed(definition, readDecision, addDecision, modifyDecision);
        raiseForAccessibleChildren(definition, anyChildReadable, anyChildAddable, anyChildModifiable);
    }

    /** Clears each flag whose decision is not {@link AuthorizationDecisionType#ALLOW}. */
    private void clearUnlessAllowed(
            ItemDefinition<?> definition,
            AuthorizationDecisionType readDecision,
            AuthorizationDecisionType addDecision,
            AuthorizationDecisionType modifyDecision) {
        if (AuthorizationDecisionType.ALLOW != readDecision) {
            mutable(definition).setCanRead(false);
        }
        if (AuthorizationDecisionType.ALLOW != addDecision) {
            mutable(definition).setCanAdd(false);
        }
        if (AuthorizationDecisionType.ALLOW != modifyDecision) {
            mutable(definition).setCanModify(false);
        }
    }

    /** Sets each flag for which at least one direct child was found to carry it. */
    private void raiseForAccessibleChildren(
            ItemDefinition<?> definition,
            boolean anyChildReadable,
            boolean anyChildAddable,
            boolean anyChildModifiable) {
        if (anyChildReadable) {
            mutable(definition).setCanRead(true);
        }
        if (anyChildAddable) {
            mutable(definition).setCanAdd(true);
        }
        if (anyChildModifiable) {
            mutable(definition).setCanModify(true);
        }
    }

    /** Returns the mutator through which the definition's access flags are changed. */
    private ItemDefinition.ItemDefinitionMutator mutable(ItemDefinition<?> itemDefinition) {
        return itemDefinition.mutator();
    }
}
