package com.evolveum.midpoint.security.enforcer.impl;

import com.evolveum.midpoint.schema.AccessDecision;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.security.api.Authorization;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.security.enforcer.api.AbstractAuthorizationParameters;
import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
import com.evolveum.midpoint.security.enforcer.impl.AuthorizationEvaluation;
import com.evolveum.midpoint.security.enforcer.impl.SecurityTraceEvent;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
import java.util.Iterator;
import java.util.function.Consumer;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/evolveum/midpoint/security/enforcer/impl/EnforcerDecisionOperation.class */
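public class EnforcerDecisionOperation extends EnforcerOperation {

    /**
     * Action URL that is never granted: {@link #decideAccessForPhase} answers
     * {@link AccessDecision#DENY} for it before a single authorization is consulted.
     */
    private static final String NO_ACCESS_AUTZ_URL =
            "http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#noAccess";

    /** URL of the action whose access is being decided. */
    @NotNull
    final String operationUrl;

    /** Parameters (object, target, items, ...) the action is applied to. */
    @NotNull
    final AbstractAuthorizationParameters params;

    /**
     * Creates a decision operation for one action.
     *
     * <p>The decompiler widened this constructor from package-private to public;
     * the wider visibility is kept so that existing callers keep compiling.
     *
     * @param str action URL being authorized
     * @param abstractAuthorizationParameters what the action is applied to
     * @param midPointPrincipal principal whose authorizations are evaluated (may be null)
     * @param options enforcer options, including the optional applicable-authorization consumer
     * @param beans helper beans passed to the superclass
     * @param task task the evaluation runs in
     */
    public EnforcerDecisionOperation(@NotNull String str, @NotNull AbstractAuthorizationParameters abstractAuthorizationParameters, @Nullable MidPointPrincipal midPointPrincipal, @NotNull SecurityEnforcer.Options options, @NotNull Beans beans, @NotNull Task task) {
        super(midPointPrincipal, options, beans, task);
        this.operationUrl = str;
        this.params = abstractAuthorizationParameters;
    }

    /**
     * Decides access for the configured action.
     *
     * <p>With an explicit phase, only that phase is evaluated. With a {@code null} phase,
     * {@code REQUEST} is evaluated first and {@code EXECUTION} is consulted only if
     * {@code REQUEST} came back {@link AccessDecision#ALLOW}; any other {@code REQUEST}
     * result ({@code DENY} or {@code DEFAULT}) is returned unchanged.
     *
     * @param authorizationPhaseType phase to evaluate, or {@code null} for both
     * @param operationResult result the individual authorization evaluations report into
     * @return the access decision; never {@code null}
     * @throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException,
     *         CommunicationException, ConfigurationException, SecurityViolationException
     *         propagated from evaluating the authorizations
     */
    @NotNull
    public AccessDecision decideAccess(@Nullable AuthorizationPhaseType authorizationPhaseType, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        if (authorizationPhaseType != null) {
            return decideAccessForPhase(authorizationPhaseType, operationResult);
        }
        AccessDecision requestDecision = decideAccessForPhase(AuthorizationPhaseType.REQUEST, operationResult);
        if (requestDecision != AccessDecision.ALLOW) {
            // A non-ALLOW REQUEST decision stands on its own; EXECUTION is never reached.
            return requestDecision;
        }
        return decideAccessForPhase(AuthorizationPhaseType.EXECUTION, operationResult);
    }

    /**
     * Decides access for one phase.
     *
     * <p>Outcome rules, in order of precedence:
     * <ol>
     *   <li>the {@code noAccess} action URL is {@code DENY} without looking at any authorization;</li>
     *   <li>the first applicable deny authorization whose items match the parameters yields
     *       {@code DENY} and stops the scan (deny overrides any allow seen so far);</li>
     *   <li>at least one applicable allow authorization yields {@code ALLOW}, subject to the
     *       item check below;</li>
     *   <li>nothing applicable yields {@code DEFAULT}.</li>
     * </ol>
     * An {@code ALLOW} that does not cover all items is re-checked against the collected
     * allowed item paths and downgraded to {@code DEFAULT} (not {@code DENY}) when the
     * item-level decision is anything other than {@code ALLOW}.
     *
     * @param authorizationPhaseType phase being decided
     * @param operationResult result the individual authorization evaluations report into
     * @return the phase decision; never {@code null}
     */
    @NotNull
    private AccessDecision decideAccessForPhase(@NotNull AuthorizationPhaseType authorizationPhaseType, @NotNull OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        if (NO_ACCESS_AUTZ_URL.equals(this.operationUrl)) {
            return AccessDecision.DENY;
        }
        tracePhasedDecisionOperationStart(authorizationPhaseType);
        AutzItemPaths allowedItems = new AutzItemPaths();
        AccessDecision decision = evaluateAuthorizations(authorizationPhaseType, operationResult, allowedItems);
        if (decision == AccessDecision.ALLOW) {
            decision = refineAllowByItems(authorizationPhaseType, allowedItems);
        }
        tracePhasedDecisionOperationEnd(authorizationPhaseType, decision);
        return decision;
    }

    /**
     * Scans the authorizations from {@link #getAuthorizations()} in order and returns the raw
     * phase decision, collecting the item paths of every applicable allow into {@code allowedItems}.
     *
     * @param phase phase being decided
     * @param operationResult result each {@link AuthorizationEvaluation} reports into
     * @param allowedItems accumulator for the items granted by applicable allow authorizations
     * @return {@code DENY} on the first relevant deny, {@code ALLOW} if any allow applied,
     *         otherwise {@code DEFAULT}
     */
    @NotNull
    private AccessDecision evaluateAuthorizations(@NotNull AuthorizationPhaseType phase, @NotNull OperationResult operationResult, @NotNull AutzItemPaths allowedItems) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        AccessDecision decision = AccessDecision.DEFAULT;
        int index = 0;
        for (Authorization authorization : getAuthorizations()) {
            AuthorizationEvaluation evaluation = new AuthorizationEvaluation(index++, authorization, this, operationResult);
            evaluation.traceStart();
            // Same short-circuit order as before: action, then phase (non-strict), then parameters.
            boolean applicable = evaluation.isApplicableToAction(this.operationUrl)
                    && evaluation.isApplicableToPhase(PhaseSelector.nonStrict(phase))
                    && evaluation.isApplicableToParameters(this.params);
            if (!applicable) {
                evaluation.traceEndNotApplicable();
                continue;
            }
            Consumer<Authorization> applicableAutzConsumer = this.options.applicableAutzConsumer();
            if (applicableAutzConsumer != null) {
                applicableAutzConsumer.accept(authorization);
            }
            if (authorization.isAllow()) {
                allowedItems.collectItems(authorization);
                evaluation.traceAuthorizationAllow(this.operationUrl);
                // Keep scanning: a later deny whose items match still overrides this allow.
                decision = AccessDecision.ALLOW;
            } else {
                AuthorizationEvaluation.ItemsMatchResult itemsMatch = evaluation.matchesOnItems(this.params);
                if (itemsMatch.value()) {
                    evaluation.traceAuthorizationDenyRelevant(this.operationUrl, itemsMatch);
                    return AccessDecision.DENY;
                }
                // Deny authorization does not touch the requested items: it has no effect here.
                evaluation.traceAuthorizationDenyIrrelevant(this.operationUrl, itemsMatch);
            }
        }
        return decision;
    }

    /**
     * Re-checks an {@code ALLOW} decision against the collected allowed item paths.
     *
     * @param phase phase being decided (used for tracing and passed to the item decision)
     * @param allowedItems item paths granted by the applicable allow authorizations
     * @return {@code ALLOW} when all items are covered or the item-level decision is
     *         {@code ALLOW}; {@code DEFAULT} otherwise
     */
    @NotNull
    private AccessDecision refineAllowByItems(@NotNull AuthorizationPhaseType phase, @NotNull AutzItemPaths allowedItems) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        if (allowedItems.includesAllItems()) {
            tracePhasedDecisionOperationNote(phase, "Allowing all items => operation allowed");
            return AccessDecision.ALLOW;
        }
        tracePhasedDecisionOperationNote(phase, "Checking for allowed items: %s", allowedItems);
        // The item operation reports its notes with "{}" placeholders; the trace note uses "%s".
        // NOTE(review): the decompiler typed this result as Object; presumably it is an
        // AccessDecision — confirm against ItemDecisionOperation before narrowing the type.
        Object itemsDecision = new ItemDecisionOperation((message, args) -> {
            tracePhasedDecisionOperationNote(phase, message.replace("{}", "%s"), args);
        }).decideUsingAllowedItems(allowedItems, phase, this.params);
        if (itemsDecision != AccessDecision.ALLOW) {
            tracePhasedDecisionOperationNote(phase, "NOT ALLOWED operation because the 'items' decision is %s", itemsDecision);
            return AccessDecision.DEFAULT;
        }
        return AccessDecision.ALLOW;
    }

    /** Emits the phase-start trace event, if tracing is enabled. */
    private void tracePhasedDecisionOperationStart(@NotNull AuthorizationPhaseType authorizationPhaseType) {
        if (this.tracer.isEnabled()) {
            this.tracer.trace(new SecurityTraceEvent.PhasedDecisionOperationStarted(this, authorizationPhaseType));
        }
    }

    /** Emits the phase-end trace event carrying the final decision, if tracing is enabled. */
    private void tracePhasedDecisionOperationEnd(@NotNull AuthorizationPhaseType authorizationPhaseType, AccessDecision accessDecision) {
        if (this.tracer.isEnabled()) {
            this.tracer.trace(new SecurityTraceEvent.PhasedDecisionOperationFinished(this, authorizationPhaseType, accessDecision));
        }
    }

    /**
     * Emits a free-form trace note for the phase, if tracing is enabled.
     *
     * @param str message with {@code %s}-style placeholders
     * @param objArr placeholder arguments
     */
    private void tracePhasedDecisionOperationNote(@NotNull AuthorizationPhaseType authorizationPhaseType, String str, Object... objArr) {
        if (this.tracer.isEnabled()) {
            this.tracer.trace(new SecurityTraceEvent.PhasedDecisionOperationNote(this, authorizationPhaseType, str, objArr));
        }
    }

    /** Delegates to the parameters: full information is available iff they say so. */
    @Override // com.evolveum.midpoint.security.enforcer.impl.EnforcerOperation
    public boolean isFullInformationAvailable() {
        return this.params.isFullInformationAvailable();
    }
}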
