package com.evolveum.midpoint.model.impl.controller;

import com.evolveum.midpoint.common.refinery.CompositeRefinedObjectClassDefinition;
import com.evolveum.midpoint.common.refinery.LayerRefinedAttributeDefinition;
import com.evolveum.midpoint.common.refinery.LayerRefinedAttributeDefinitionImpl;
import com.evolveum.midpoint.common.refinery.LayerRefinedObjectClassDefinition;
import com.evolveum.midpoint.common.refinery.RefinedObjectClassDefinition;
import com.evolveum.midpoint.common.refinery.RefinedResourceSchemaImpl;
import com.evolveum.midpoint.model.api.ModelAuthorizationAction;
import com.evolveum.midpoint.model.api.ModelExecuteOptions;
import com.evolveum.midpoint.model.api.ModelInteractionService;
import com.evolveum.midpoint.model.api.ProgressListener;
import com.evolveum.midpoint.model.api.RoleSelectionSpecification;
import com.evolveum.midpoint.model.api.context.ModelContext;
import com.evolveum.midpoint.model.api.util.MergeDeltas;
import com.evolveum.midpoint.model.api.visualizer.Scene;
import com.evolveum.midpoint.model.common.SystemObjectCache;
import com.evolveum.midpoint.model.impl.ModelObjectResolver;
import com.evolveum.midpoint.model.impl.lens.ContextFactory;
import com.evolveum.midpoint.model.impl.lens.LensContext;
import com.evolveum.midpoint.model.impl.lens.projector.Projector;
import com.evolveum.midpoint.model.impl.visualizer.Visualizer;
import com.evolveum.midpoint.prism.ComplexTypeDefinitionImpl;
import com.evolveum.midpoint.prism.Containerable;
import com.evolveum.midpoint.prism.PrismContainer;
import com.evolveum.midpoint.prism.PrismContainerValue;
import com.evolveum.midpoint.prism.PrismContext;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.PrismObjectDefinition;
import com.evolveum.midpoint.prism.PrismPropertyValue;
import com.evolveum.midpoint.prism.crypto.EncryptionException;
import com.evolveum.midpoint.prism.crypto.Protector;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.prism.query.AllFilter;
import com.evolveum.midpoint.prism.query.AndFilter;
import com.evolveum.midpoint.prism.query.EqualFilter;
import com.evolveum.midpoint.prism.query.NoneFilter;
import com.evolveum.midpoint.prism.query.NotFilter;
import com.evolveum.midpoint.prism.query.ObjectFilter;
import com.evolveum.midpoint.prism.query.OrFilter;
import com.evolveum.midpoint.prism.query.RefFilter;
import com.evolveum.midpoint.prism.query.TypeFilter;
import com.evolveum.midpoint.provisioning.api.ProvisioningService;
import com.evolveum.midpoint.repo.api.RepositoryService;
import com.evolveum.midpoint.schema.GetOperationOptions;
import com.evolveum.midpoint.schema.ResourceShadowDiscriminator;
import com.evolveum.midpoint.schema.RetrieveOption;
import com.evolveum.midpoint.schema.SelectorOptions;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.result.OperationResultStatus;
import com.evolveum.midpoint.schema.statistics.ConnectorOperationalStatus;
import com.evolveum.midpoint.schema.util.ShadowUtil;
import com.evolveum.midpoint.security.api.ItemSecurityDecisions;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.security.api.ObjectSecurityConstraints;
import com.evolveum.midpoint.security.api.SecurityEnforcer;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.util.DebugUtil;
import com.evolveum.midpoint.util.DisplayableValue;
import com.evolveum.midpoint.util.QNameUtil;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectAlreadyExistsException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.PolicyViolationException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.exception.SystemException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractRoleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AccessCertificationConfigurationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AdminGuiConfigurationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationDecisionType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.DeploymentInformationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.LayerType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.LensContextType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.LookupTableRowType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.LookupTableType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectTemplateItemDefinitionType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectTemplateType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.RegistrationsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.RoleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemConfigurationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import com.evolveum.prism.xml.ns._public.types_3.ItemPathType;
import com.evolveum.prism.xml.ns._public.types_3.PolyStringType;
import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import javax.xml.namespace.QName;
import org.apache.commons.lang.Validate;
import org.jetbrains.annotations.NotNull;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.stereotype.Component;

@Component("modelInteractionService")
/* loaded from: input_file:WEB-INF/lib/model-impl-3.5.2-SNAPSHOT.jar:com/evolveum/midpoint/model/impl/controller/ModelInteractionServiceImpl.class */
public class ModelInteractionServiceImpl implements ModelInteractionService {
    // Class-wide logger. The DEBUG/TRACE statements in this class dump whole deltas, lens contexts
    // and compiled security constraints, so the log level of this class affects what ends up in logs.
    private static final Trace LOGGER = TraceManager.getTrace(ModelInteractionServiceImpl.class);

    // Builds the LensContext that previewChanges() projects.
    @Autowired(required = true)
    private ContextFactory contextFactory;

    // Runs the projection waves over the preview context (projectAllWaves in previewChanges()).
    @Autowired(required = true)
    private Projector projector;

    // Source of every authorization decision made in this class: compiles ObjectSecurityConstraints,
    // pre-processes the assignable-role filter and supplies the current principal.
    @Autowired(required = true)
    private SecurityEnforcer securityEnforcer;

    // Applies object templates and security constraints to definitions and computes per-item decisions.
    @Autowired(required = true)
    private SchemaTransformer schemaTransformer;

    // Used to read ResourceType objects and handed to LensContext.fromLensContextType().
    @Autowired(required = true)
    private ProvisioningService provisioning;

    // Not referenced in the part of the class shown here.
    @Autowired(required = true)
    private ModelObjectResolver objectResolver;

    // Not referenced in the part of the class shown here.
    @Autowired(required = true)
    private ObjectMerger objectMerger;

    // Repository access selected by the "cacheRepositoryService" qualifier; used for direct reads
    // (the stored copy of an edited object, lookup tables).
    // NOTE(review): no authorization call is visible around these reads in this class — confirm
    // whether that is intentional for the callers that reach them.
    @Autowired(required = true)
    @Qualifier("cacheRepositoryService")
    private transient RepositoryService cacheRepositoryService;

    // Not referenced in the part of the class shown here.
    @Autowired(required = true)
    private SystemObjectCache systemObjectCache;

    // Not referenced in the part of the class shown here.
    @Autowired(required = true)
    private Protector protector;

    // Passed to LensContext.fromLensContextType() when a serialized context is unwrapped.
    @Autowired(required = true)
    private PrismContext prismContext;

    // Not referenced in the part of the class shown here. Unlike the other dependencies this one
    // uses plain @Autowired without the explicit required = true.
    @Autowired
    private Visualizer visualizer;

    /**
     * Previews the given deltas without any progress listeners.
     *
     * <p>Convenience overload: forwards to the five-argument {@code previewChanges} with an empty
     * listener collection. All exceptions come from that overload.
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public <F extends ObjectType> ModelContext<F> previewChanges(Collection<ObjectDelta<? extends ObjectType>> collection, ModelExecuteOptions modelExecuteOptions, Task task, OperationResult operationResult) throws SchemaException, PolicyViolationException, ExpressionEvaluationException, ObjectNotFoundException, ObjectAlreadyExistsException, CommunicationException, ConfigurationException, SecurityViolationException {
        Collection<ProgressListener> noListeners = Collections.emptyList();
        return previewChanges(collection, modelExecuteOptions, task, noListeners, operationResult);
    }

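    /**
     * Computes the model context that applying the given deltas would produce.
     *
     * <p>The deltas are cloned before they are handed to the context factory. The context is then
     * projected through all waves under the activity description {@code "preview"}.
     *
     * <p>No authorization call is made in this method itself.
     * NOTE(review): confirm that ContextFactory/Projector enforce authorization for previews, since
     * a preview context can expose computed values for objects the caller only names in a delta.
     *
     * @param collection deltas to preview; {@code null} is treated as no deltas
     * @param modelExecuteOptions passed through to the context factory
     * @param task passed to the context factory and the projector
     * @param collection2 progress listeners installed on the created context
     * @param operationResult parent result; a {@code PREVIEW_CHANGES} subresult is created under it
     * @return the projected context
     * @throws SchemaException and the other declared exceptions: each is recorded as a fatal error
     *         on the subresult and rethrown unchanged, as is any {@link RuntimeException}
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public <F extends ObjectType> ModelContext<F> previewChanges(Collection<ObjectDelta<? extends ObjectType>> collection, ModelExecuteOptions modelExecuteOptions, Task task, Collection<ProgressListener> collection2, OperationResult operationResult) throws SchemaException, PolicyViolationException, ExpressionEvaluationException, ObjectNotFoundException, ObjectAlreadyExistsException, CommunicationException, ConfigurationException, SecurityViolationException {
        if (LOGGER.isDebugEnabled()) {
            // NOTE(review): the whole delta set is dumped at DEBUG level — confirm that debugDump
            // does not render credential values carried in the deltas in clear text.
            LOGGER.debug("Preview changes input:\n{}", DebugUtil.debugDump(collection));
        }
        // Raw list kept on purpose: the parameter type of ContextFactory.createContext is not
        // visible from this class, so no element type is asserted here.
        ArrayList arrayList = new ArrayList(collection == null ? 0 : collection.size());
        if (collection != null) {
            for (ObjectDelta<? extends ObjectType> delta : collection) {
                // Clone so the projection works on copies rather than on the caller's delta objects.
                arrayList.add(delta.m501clone());
            }
        }
        OperationResult createSubresult = operationResult.createSubresult(PREVIEW_CHANGES);
        try {
            LensContext<F> createContext = this.contextFactory.createContext(arrayList, modelExecuteOptions, task, createSubresult);
            // Guard on the level that is actually logged: the original guarded this TRACE statement
            // with isDebugEnabled(), which built the full context dump at DEBUG level only to drop it.
            if (LOGGER.isTraceEnabled()) {
                LOGGER.trace("Preview changes context:\n{}", createContext.debugDump());
            }
            createContext.setProgressListeners(collection2);
            this.projector.projectAllWaves(createContext, "preview", task, createSubresult);
            createContext.distributeResource();
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("Preview changes output:\n{}", createContext.debugDump());
            }
            createSubresult.computeStatus();
            createSubresult.cleanupResult();
            return createContext;
        } catch (CommunicationException e) {
            ModelUtils.recordFatalError(createSubresult, e);
            throw e;
        } catch (ConfigurationException e2) {
            ModelUtils.recordFatalError(createSubresult, e2);
            throw e2;
        } catch (ExpressionEvaluationException e3) {
            ModelUtils.recordFatalError(createSubresult, e3);
            throw e3;
        } catch (ObjectAlreadyExistsException e4) {
            ModelUtils.recordFatalError(createSubresult, e4);
            throw e4;
        } catch (ObjectNotFoundException e5) {
            ModelUtils.recordFatalError(createSubresult, e5);
            throw e5;
        } catch (PolicyViolationException e6) {
            ModelUtils.recordFatalError(createSubresult, e6);
            throw e6;
        } catch (SchemaException e7) {
            ModelUtils.recordFatalError(createSubresult, e7);
            throw e7;
        } catch (SecurityViolationException e8) {
            ModelUtils.recordFatalError(createSubresult, e8);
            throw e8;
        } catch (RuntimeException e9) {
            ModelUtils.recordFatalError(createSubresult, e9);
            throw e9;
        }
    }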

    /**
     * Rebuilds a model context from its serialized {@link LensContextType} form.
     *
     * <p>Pure delegation to {@code LensContext.fromLensContextType}; this method performs no
     * validation or authorization of its own.
     * NOTE(review): the serialized context is accepted as given — confirm that callers only pass
     * contexts from a trusted source, or that fromLensContextType validates them.
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public <F extends ObjectType> ModelContext<F> unwrapModelContext(LensContextType lensContextType, OperationResult operationResult) throws SchemaException, ConfigurationException, ObjectNotFoundException, CommunicationException {
        ModelContext<F> unwrapped = LensContext.fromLensContextType(lensContextType, this.prismContext, this.provisioning, operationResult);
        return unwrapped;
    }

    /**
     * Returns a copy of the object's definition narrowed by the object template and by the security
     * constraints that {@code SecurityEnforcer} compiles for the object.
     *
     * <p>When the object has an OID, the constraints are compiled against the copy read from the
     * repository, not against the instance supplied by the caller.
     *
     * @param prismObject object whose definition is requested; its definition is deep-cloned
     * @param authorizationPhaseType phase passed to the template lookup and constraint application
     * @param operationResult parent result; a minor {@code GET_EDIT_OBJECT_DEFINITION} subresult is created
     * @return the narrowed definition, or {@code null} when no security constraints could be compiled
     *         (the subresult is then marked {@code NOT_APPLICABLE})
     * @throws ConfigurationException also used to wrap a {@code CommunicationException} or
     *         {@code SecurityViolationException} raised while reading the shadow's resource
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public <O extends ObjectType> PrismObjectDefinition<O> getEditObjectDefinition(PrismObject<O> prismObject, AuthorizationPhaseType authorizationPhaseType, OperationResult operationResult) throws SchemaException, ConfigurationException, ObjectNotFoundException {
        String resourceOid;
        OperationResult createMinorSubresult = operationResult.createMinorSubresult(GET_EDIT_OBJECT_DEFINITION);
        // Narrowing is done on a deep clone, so the object's own definition is left untouched.
        PrismObjectDefinition<O> deepClone = prismObject.getDefinition().deepClone(true);
        PrismObject<O> prismObject2 = prismObject;
        if (prismObject.getOid() != null) {
            // Authorization is evaluated on the stored object rather than on caller-supplied content.
            // NOTE(review): presumably so that a modified in-memory copy cannot influence which
            // authorizations match — confirm. This read is outside the try block below, so a failure
            // here is not recorded on the subresult.
            prismObject2 = this.cacheRepositoryService.getObject(prismObject.getCompileTimeClass(), prismObject.getOid(), null, createMinorSubresult);
        }
        ObjectSecurityConstraints compileSecurityConstraints = this.securityEnforcer.compileSecurityConstraints(prismObject2, null);
        if (LOGGER.isTraceEnabled()) {
            LOGGER.trace("Security constrains for {}:\n{}", prismObject, compileSecurityConstraints == null ? "null" : compileSecurityConstraints.debugDump());
        }
        if (compileSecurityConstraints == null) {
            // No constraints means no definition at all is returned.
            // NOTE(review): callers must not read the null as "unrestricted" — verify the call sites.
            createMinorSubresult.setStatus(OperationResultStatus.NOT_APPLICABLE);
            return null;
        }
        try {
            // The template is determined from the caller-supplied object and applied first; the
            // security constraints are applied afterwards on the same clone.
            this.schemaTransformer.applyObjectTemplateToDefinition(deepClone, this.schemaTransformer.determineObjectTemplate(prismObject, authorizationPhaseType, createMinorSubresult), createMinorSubresult);
            this.schemaTransformer.applySecurityConstraints(deepClone, compileSecurityConstraints, authorizationPhaseType);
            // Shadows that reference a resource get their attributes container definition replaced
            // by the access-restricted object class definition for that resource.
            if (prismObject.canRepresent(ShadowType.class) && (resourceOid = ShadowUtil.getResourceOid((PrismObject<ShadowType>) prismObject)) != null) {
                try {
                    RefinedObjectClassDefinition editObjectClassDefinition = getEditObjectClassDefinition(prismObject, this.provisioning.getObject(ResourceType.class, resourceOid, SelectorOptions.createCollection(GetOperationOptions.createReadOnly()), null, createMinorSubresult), authorizationPhaseType);
                    if (editObjectClassDefinition != null) {
                        ((ComplexTypeDefinitionImpl) deepClone.getComplexTypeDefinition()).replaceDefinition(ShadowType.F_ATTRIBUTES, editObjectClassDefinition.toResourceAttributeContainerDefinition());
                    }
                } catch (CommunicationException | SecurityViolationException e) {
                    // A security violation on the resource read surfaces to the caller as a
                    // ConfigurationException; the original exception is kept as the cause.
                    throw new ConfigurationException(e.getMessage(), e);
                }
            }
            createMinorSubresult.computeStatus();
            return deepClone;
        } catch (ConfigurationException | ObjectNotFoundException e2) {
            // Only these two types are recorded here; a SchemaException propagates without the
            // subresult being given a final status.
            createMinorSubresult.recordFatalError(e2);
            throw e2;
        }
    }

    /**
     * Returns the edit definition for a shadow described only by a discriminator.
     *
     * <p>A fresh in-memory shadow is created, filled from the discriminator (resource reference,
     * kind, intent, object class) when one is given, and passed to {@code getEditObjectDefinition}.
     * With a {@code null} discriminator the blank shadow is passed as it is.
     *
     * @return whatever {@code getEditObjectDefinition} returns for the constructed shadow, which
     *         may be {@code null}
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public PrismObjectDefinition<ShadowType> getEditShadowDefinition(ResourceShadowDiscriminator resourceShadowDiscriminator, AuthorizationPhaseType authorizationPhaseType, OperationResult operationResult) throws SchemaException, ConfigurationException, ObjectNotFoundException {
        PrismObject blankShadow = this.prismContext.createObject(ShadowType.class);
        ShadowType shadowBean = (ShadowType) blankShadow.asObjectable();
        ObjectReferenceType resourceRef = new ObjectReferenceType();
        if (resourceShadowDiscriminator == null) {
            // Nothing to copy: the definition is computed for the empty shadow.
            return getEditObjectDefinition(blankShadow, authorizationPhaseType, operationResult);
        }
        resourceRef.setOid(resourceShadowDiscriminator.getResourceOid());
        shadowBean.setResourceRef(resourceRef);
        shadowBean.setKind(resourceShadowDiscriminator.getKind());
        shadowBean.setIntent(resourceShadowDiscriminator.getIntent());
        shadowBean.setObjectClass(resourceShadowDiscriminator.getObjectClass());
        return getEditObjectDefinition(blankShadow, authorizationPhaseType, operationResult);
    }

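    /**
     * Returns the presentation-layer object class definition for a shadow, with per-attribute
     * read/add/modify flags switched off wherever the compiled security constraints do not allow
     * the action.
     *
     * <p>The restriction is deny-by-default: an attribute keeps a capability only when the computed
     * decision is exactly {@code ALLOW}; any other decision, including {@code null}, clears it.
     * The flags are set on a clone, so the refined schema of the resource is not modified.
     *
     * @param prismObject shadow whose object class is resolved and whose constraints are compiled
     * @param prismObject2 resource that owns the shadow; must not be {@code null}
     * @param authorizationPhaseType phase used for every decision
     * @return the restricted definition, or {@code null} when the object class cannot be determined
     *         or no security constraints could be compiled
     * @throws SchemaException propagated from schema resolution
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public RefinedObjectClassDefinition getEditObjectClassDefinition(PrismObject<ShadowType> prismObject, PrismObject<ResourceType> prismObject2, AuthorizationPhaseType authorizationPhaseType) throws SchemaException {
        Validate.notNull(prismObject2, "Resource must not be null");
        CompositeRefinedObjectClassDefinition compositeDefinition = RefinedResourceSchemaImpl.getRefinedSchema(prismObject2).determineCompositeObjectClassDefinition(prismObject);
        if (compositeDefinition == null) {
            // The message has a {} placeholder; the original call passed no argument for it, so the
            // shadow was never named in the log.
            LOGGER.debug("No object class definition for shadow {}, returning null", prismObject);
            return null;
        }
        LayerRefinedObjectClassDefinition presentationDefinition = compositeDefinition.forLayer(LayerType.PRESENTATION);
        ObjectSecurityConstraints securityConstraints = this.securityEnforcer.compileSecurityConstraints(prismObject, null);
        if (LOGGER.isTraceEnabled()) {
            LOGGER.trace("Security constrains for {}:\n{}", prismObject, securityConstraints == null ? "null" : securityConstraints.debugDump());
        }
        if (securityConstraints == null) {
            // NOTE(review): null here means "no definition", not "unrestricted" — verify call sites.
            return null;
        }
        String readUrl = ModelAuthorizationAction.READ.getUrl();
        String addUrl = ModelAuthorizationAction.ADD.getUrl();
        String modifyUrl = ModelAuthorizationAction.MODIFY.getUrl();
        // Decisions for the attributes container as a whole; the object-level action decision is
        // passed as the fourth argument (presumably the default when no item rule applies — confirm).
        ItemPath attributesPath = new ItemPath(ShadowType.F_ATTRIBUTES);
        AuthorizationDecisionType containerRead = this.schemaTransformer.computeItemDecision(securityConstraints, attributesPath, readUrl, securityConstraints.getActionDecision(readUrl, authorizationPhaseType), authorizationPhaseType);
        AuthorizationDecisionType containerAdd = this.schemaTransformer.computeItemDecision(securityConstraints, attributesPath, addUrl, securityConstraints.getActionDecision(addUrl, authorizationPhaseType), authorizationPhaseType);
        AuthorizationDecisionType containerModify = this.schemaTransformer.computeItemDecision(securityConstraints, attributesPath, modifyUrl, securityConstraints.getActionDecision(modifyUrl, authorizationPhaseType), authorizationPhaseType);
        LOGGER.trace("Attributes container access read:{}, add:{}, modify:{}", containerRead, containerAdd, containerModify);
        // Work on a clone so the overrides below do not leak into the shared schema object.
        LayerRefinedObjectClassDefinition restrictedDefinition = presentationDefinition.m203clone();
        for (LayerRefinedAttributeDefinition<?> attributeDefinition : restrictedDefinition.getAttributeDefinitions()) {
            ItemPath attributePath = new ItemPath(ShadowType.F_ATTRIBUTES, attributeDefinition.getName());
            // Per-attribute decisions, with the container-level decision passed in the same position.
            AuthorizationDecisionType attributeRead = this.schemaTransformer.computeItemDecision(securityConstraints, attributePath, readUrl, containerRead, authorizationPhaseType);
            AuthorizationDecisionType attributeAdd = this.schemaTransformer.computeItemDecision(securityConstraints, attributePath, addUrl, containerAdd, authorizationPhaseType);
            AuthorizationDecisionType attributeModify = this.schemaTransformer.computeItemDecision(securityConstraints, attributePath, modifyUrl, containerModify, authorizationPhaseType);
            LOGGER.trace("Attribute {} access read:{}, add:{}, modify:{}", attributeDefinition.getName(), attributeRead, attributeAdd, attributeModify);
            // Anything other than an explicit ALLOW removes the capability.
            if (attributeRead != AuthorizationDecisionType.ALLOW) {
                ((LayerRefinedAttributeDefinitionImpl) attributeDefinition).setOverrideCanRead(false);
            }
            if (attributeAdd != AuthorizationDecisionType.ALLOW) {
                ((LayerRefinedAttributeDefinitionImpl) attributeDefinition).setOverrideCanAdd(false);
            }
            if (attributeModify != AuthorizationDecisionType.ALLOW) {
                ((LayerRefinedAttributeDefinitionImpl) attributeDefinition).setOverrideCanModify(false);
            }
        }
        return restrictedDefinition;
    }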

    /**
     * Returns the item-level decisions for requesting an assignment of {@code prismObject2} to
     * {@code prismObject}, evaluated for the principal reported by the security enforcer.
     *
     * <p>Pure delegation; the last argument to the enforcer is {@code null}.
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public <O extends ObjectType, R extends AbstractRoleType> ItemSecurityDecisions getAllowedRequestAssignmentItems(PrismObject<O> prismObject, PrismObject<R> prismObject2) throws SchemaException, SecurityViolationException {
        // The principal is taken from the enforcer, never from a caller-supplied argument.
        MidPointPrincipal currentPrincipal = this.securityEnforcer.getPrincipal();
        return this.securityEnforcer.getAllowedRequestAssignmentItems(currentPrincipal, prismObject, prismObject2, null);
    }

    /**
     * Lists every {@link ModelAuthorizationAction} constant as a displayable value.
     *
     * @return a fixed-size list view over the enum's values
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public Collection<? extends DisplayableValue<String>> getActionUrls() {
        ModelAuthorizationAction[] allActions = ModelAuthorizationAction.values();
        return Arrays.asList(allActions);
    }

    /**
     * Describes which roles may be offered for assignment to the given focus in the REQUEST phase:
     * a search filter plus a list of role types.
     *
     * <p>Decision order: the item decision for MODIFY on the assignment container, then the
     * object-level MODIFY decision, and only when neither is ALLOW or DENY the filter that the
     * security enforcer derives for the ASSIGN action.
     *
     * @param prismObject focus that roles would be assigned to
     * @param operationResult parent result; a minor {@code GET_ASSIGNABLE_ROLE_SPECIFICATION} subresult is created
     * @return the specification, or {@code null} when no security constraints could be compiled
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public <F extends FocusType> RoleSelectionSpecification getAssignableRoleSpecification(PrismObject<F> prismObject, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, ConfigurationException {
        OperationResult createMinorSubresult = operationResult.createMinorSubresult(GET_ASSIGNABLE_ROLE_SPECIFICATION);
        RoleSelectionSpecification roleSelectionSpecification = new RoleSelectionSpecification();
        ObjectSecurityConstraints compileSecurityConstraints = this.securityEnforcer.compileSecurityConstraints(prismObject, null);
        if (compileSecurityConstraints == null) {
            // Returns without giving the subresult a status.
            // NOTE(review): callers must not read the null as "everything assignable" — verify.
            return null;
        }
        // 1. Explicit item-level decision on the assignment container.
        AuthorizationDecisionType findItemDecision = compileSecurityConstraints.findItemDecision(new ItemPath(FocusType.F_ASSIGNMENT), ModelAuthorizationAction.MODIFY.getUrl(), AuthorizationPhaseType.REQUEST);
        if (findItemDecision == AuthorizationDecisionType.ALLOW) {
            // All role types are listed and no filter is set on the specification in this branch.
            getAllRoleTypesSpec(roleSelectionSpecification, createMinorSubresult);
            createMinorSubresult.recordSuccess();
            return roleSelectionSpecification;
        }
        if (findItemDecision == AuthorizationDecisionType.DENY) {
            // Explicit deny: no role types and a filter that matches nothing.
            createMinorSubresult.recordSuccess();
            roleSelectionSpecification.setNoRoleTypes();
            roleSelectionSpecification.setFilter(NoneFilter.createNone());
            return roleSelectionSpecification;
        }
        // 2. No item-level decision: fall back to the object-level MODIFY decision.
        AuthorizationDecisionType actionDecision = compileSecurityConstraints.getActionDecision(ModelAuthorizationAction.MODIFY.getUrl(), AuthorizationPhaseType.REQUEST);
        if (actionDecision == AuthorizationDecisionType.ALLOW) {
            getAllRoleTypesSpec(roleSelectionSpecification, createMinorSubresult);
            createMinorSubresult.recordSuccess();
            return roleSelectionSpecification;
        }
        if (actionDecision == AuthorizationDecisionType.DENY) {
            createMinorSubresult.recordSuccess();
            roleSelectionSpecification.setNoRoleTypes();
            roleSelectionSpecification.setFilter(NoneFilter.createNone());
            return roleSelectionSpecification;
        }
        try {
            // 3. Neither decision is conclusive: ask the enforcer which roles the ASSIGN
            // authorizations cover, starting from an all-matching filter.
            ObjectFilter preProcessObjectFilter = this.securityEnforcer.preProcessObjectFilter(ModelAuthorizationAction.ASSIGN.getUrl(), AuthorizationPhaseType.REQUEST, RoleType.class, prismObject, AllFilter.createAll());
            LOGGER.trace("assignableRoleSpec filter: {}", preProcessObjectFilter);
            // The filter is set before any of the branches below, so every return from here on
            // carries it, whatever role types end up listed.
            roleSelectionSpecification.setFilter(preProcessObjectFilter);
            if (preProcessObjectFilter instanceof NoneFilter) {
                createMinorSubresult.recordSuccess();
                roleSelectionSpecification.setNoRoleTypes();
                return roleSelectionSpecification;
            }
            if (preProcessObjectFilter == null || (preProcessObjectFilter instanceof AllFilter)) {
                // A null filter is handled exactly like AllFilter: all role types are listed.
                getAllRoleTypesSpec(roleSelectionSpecification, createMinorSubresult);
                createMinorSubresult.recordSuccess();
                return roleSelectionSpecification;
            }
            if (preProcessObjectFilter instanceof OrFilter) {
                ArrayList arrayList = new ArrayList();
                Iterator<ObjectFilter> it = ((OrFilter) preProcessObjectFilter).getConditions().iterator();
                while (it.hasNext()) {
                    Collection<RoleSelectionSpecEntry> roleSelectionSpecEntries = getRoleSelectionSpecEntries(it.next());
                    if (roleSelectionSpecEntries == null || roleSelectionSpecEntries.isEmpty()) {
                        // One OR branch carries no role-type restriction, so the role-type list
                        // cannot be narrowed: list all types on a fresh specification that still
                        // carries the enforcer's filter.
                        RoleSelectionSpecification roleSelectionSpecification2 = new RoleSelectionSpecification();
                        roleSelectionSpecification2.setFilter(preProcessObjectFilter);
                        getAllRoleTypesSpec(roleSelectionSpecification2, createMinorSubresult);
                        createMinorSubresult.recordSuccess();
                        return roleSelectionSpecification2;
                    }
                    arrayList.addAll(roleSelectionSpecEntries);
                }
                addRoleTypeSpecEntries(roleSelectionSpecification, arrayList, createMinorSubresult);
            } else {
                Collection<RoleSelectionSpecEntry> roleSelectionSpecEntries2 = getRoleSelectionSpecEntries(preProcessObjectFilter);
                if (roleSelectionSpecEntries2 == null || roleSelectionSpecEntries2.isEmpty()) {
                    // No role-type restriction could be extracted from the filter: list all types.
                    // NOTE(review): the role-type list looks like a display aid while the filter
                    // stays the actual restriction — confirm consumers always apply the filter.
                    getAllRoleTypesSpec(roleSelectionSpecification, createMinorSubresult);
                    createMinorSubresult.recordSuccess();
                    return roleSelectionSpecification;
                }
                addRoleTypeSpecEntries(roleSelectionSpecification, roleSelectionSpecEntries2, createMinorSubresult);
            }
            createMinorSubresult.recordSuccess();
            return roleSelectionSpecification;
        } catch (ConfigurationException | ObjectNotFoundException | SchemaException e) {
            createMinorSubresult.recordFatalError(e);
            throw e;
        }
    }

    /**
     * Adds role types to the specification from a set of positive and negated entries.
     *
     * <p>With no entries, all role types are added. With only positive entries, they are added as
     * given. When negated entries are present, the positive entries (or, when there are none, the
     * entries for all roles) are added one by one, skipping every value that also appears negated.
     */
    private void addRoleTypeSpecEntries(RoleSelectionSpecification roleSelectionSpecification, Collection<RoleSelectionSpecEntry> collection, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, ConfigurationException {
        boolean nothingGiven = collection == null || collection.isEmpty();
        if (nothingGiven) {
            getAllRoleTypesSpec(roleSelectionSpecification, operationResult);
        } else if (!RoleSelectionSpecEntry.hasNegative(collection)) {
            roleSelectionSpecification.addRoleTypes(collection);
        } else {
            Collection<RoleSelectionSpecEntry> candidates = RoleSelectionSpecEntry.getPositive(collection);
            if (candidates == null || candidates.isEmpty()) {
                // Only exclusions were given: start from every known role type.
                candidates = getRoleSpecEntriesForAllRoles(operationResult);
            }
            if (candidates != null && !candidates.isEmpty()) {
                for (RoleSelectionSpecEntry candidate : candidates) {
                    boolean excluded = RoleSelectionSpecEntry.hasNegativeValue(collection, candidate.getValue());
                    if (!excluded) {
                        roleSelectionSpecification.addRoleType(candidate);
                    }
                }
            }
        }
    }

    /**
     * Adds the entries for all roles to the given specification, when there are any.
     *
     * @return the same specification instance that was passed in
     */
    private RoleSelectionSpecification getAllRoleTypesSpec(RoleSelectionSpecification roleSelectionSpecification, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, ConfigurationException {
        Collection<RoleSelectionSpecEntry> everyRoleType = getRoleSpecEntriesForAllRoles(operationResult);
        boolean haveEntries = everyRoleType != null && !everyRoleType.isEmpty();
        if (haveEntries) {
            roleSelectionSpecification.addRoleTypes(everyRoleType);
        }
        return roleSelectionSpecification;
    }

    /**
     * Collects one entry per row of the lookup table that the role object template attaches to the
     * {@code roleType} item.
     *
     * <p>Only the first template item whose path starts with {@code roleType} is considered. The
     * lookup table is read straight from the repository with its rows included.
     *
     * @return {@code null} when no object template is determined for {@code RoleType}; an empty
     *         collection when the template has no matching item or the item has no usable
     *         enumeration reference; otherwise one entry per row, keyed by the row key and
     *         labelled with the row label (or the key when the row has no label)
     */
    private Collection<RoleSelectionSpecEntry> getRoleSpecEntriesForAllRoles(OperationResult operationResult) throws ObjectNotFoundException, SchemaException, ConfigurationException {
        ObjectTemplateType roleTemplate = this.schemaTransformer.determineObjectTemplate(RoleType.class, AuthorizationPhaseType.REQUEST, operationResult);
        if (roleTemplate == null) {
            return null;
        }
        List<RoleSelectionSpecEntry> entries = new ArrayList<>();
        for (ObjectTemplateItemDefinitionType itemDefinition : roleTemplate.getItem()) {
            ItemPathType itemRef = itemDefinition.getRef();
            if (itemRef == null) {
                continue;
            }
            QName firstSegment = ItemPath.getName(itemRef.getItemPath().first());
            if (firstSegment == null || !QNameUtil.match(RoleType.F_ROLE_TYPE, firstSegment)) {
                continue;
            }
            // First roleType item found: the result is decided here, later items are not inspected.
            ObjectReferenceType enumerationRef = itemDefinition.getValueEnumerationRef();
            if (enumerationRef == null || enumerationRef.getOid() == null) {
                return entries;
            }
            LookupTableType lookupTable = (LookupTableType) this.cacheRepositoryService.getObject(LookupTableType.class, enumerationRef.getOid(), SelectorOptions.createCollection(LookupTableType.F_ROW, GetOperationOptions.createRetrieve(RetrieveOption.INCLUDE)), operationResult).asObjectable();
            for (LookupTableRowType row : lookupTable.getRow()) {
                PolyStringType rowLabel = row.getLabel();
                String rowKey = row.getKey();
                String displayName = rowLabel != null ? rowLabel.getOrig() : rowKey;
                entries.add(new RoleSelectionSpecEntry(rowKey, displayName, null));
            }
            return entries;
        }
        return entries;
    }

    /**
     * Extracts role-type entries from an authorization filter.
     *
     * <ul>
     *   <li>{@code null}, {@code AllFilter}, {@code RefFilter}: no entries ({@code null}).</li>
     *   <li>{@code EqualFilter}: the single entry it yields, or {@code null}.</li>
     *   <li>{@code AndFilter}: the entry of the first equal-condition that yields one, else {@code null}.</li>
     *   <li>{@code OrFilter}: the entries of all equal-conditions that yield one (possibly empty).</li>
     *   <li>{@code TypeFilter}: whatever its nested filter yields.</li>
     *   <li>{@code NotFilter}: the nested filter's entries after {@code RoleSelectionSpecEntry.negate}.</li>
     * </ul>
     *
     * @throws UnsupportedOperationException for any other filter type
     */
    private Collection<RoleSelectionSpecEntry> getRoleSelectionSpecEntries(ObjectFilter objectFilter) throws SchemaException {
        LOGGER.trace("getRoleSelectionSpec({})", objectFilter);
        if (objectFilter == null || (objectFilter instanceof AllFilter)) {
            return null;
        } else if (objectFilter instanceof EqualFilter) {
            RoleSelectionSpecEntry onlyEntry = getRoleSelectionSpecEq((EqualFilter) objectFilter);
            return createSingleDisplayableValueCollection(onlyEntry);
        } else if (objectFilter instanceof AndFilter) {
            for (ObjectFilter condition : ((AndFilter) objectFilter).getConditions()) {
                if (!(condition instanceof EqualFilter)) {
                    continue;
                }
                RoleSelectionSpecEntry matched = getRoleSelectionSpecEq((EqualFilter) condition);
                if (matched != null) {
                    return createSingleDisplayableValueCollection(matched);
                }
            }
            return null;
        } else if (objectFilter instanceof OrFilter) {
            OrFilter disjunction = (OrFilter) objectFilter;
            List<RoleSelectionSpecEntry> collected = new ArrayList<>(disjunction.getConditions().size());
            for (ObjectFilter condition : disjunction.getConditions()) {
                if (!(condition instanceof EqualFilter)) {
                    continue;
                }
                RoleSelectionSpecEntry matched = getRoleSelectionSpecEq((EqualFilter) condition);
                if (matched != null) {
                    collected.add(matched);
                }
            }
            return collected;
        } else if (objectFilter instanceof TypeFilter) {
            return getRoleSelectionSpecEntries(((TypeFilter) objectFilter).getFilter());
        } else if (objectFilter instanceof NotFilter) {
            Collection<RoleSelectionSpecEntry> inner = getRoleSelectionSpecEntries(((NotFilter) objectFilter).getFilter());
            // The nested result is passed to negate() as is, including when it is null.
            RoleSelectionSpecEntry.negate(inner);
            return inner;
        } else if (objectFilter instanceof RefFilter) {
            return null;
        }
        throw new UnsupportedOperationException("Unexpected filter " + objectFilter);
    }

    /**
     * Wraps one entry in a new, mutable single-element list.
     *
     * @param roleSelectionSpecEntry entry to wrap; may be {@code null}
     * @return a list holding the entry, or {@code null} when the entry is {@code null}
     */
    private Collection<RoleSelectionSpecEntry> createSingleDisplayableValueCollection(RoleSelectionSpecEntry roleSelectionSpecEntry) {
        if (roleSelectionSpecEntry != null) {
            List<RoleSelectionSpecEntry> wrapped = new ArrayList<>(1);
            wrapped.add(roleSelectionSpecEntry);
            return wrapped;
        }
        return null;
    }

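    /**
     * Builds a role selection entry from an equality condition on {@code RoleType.F_ROLE_TYPE}.
     *
     * @param equalFilter equality condition to inspect
     * @return an entry whose first two constructor arguments are both the compared value, or
     *         {@code null} when the condition is on a different item
     * @throws SchemaException if the condition carries no value or more than one value
     */
    private RoleSelectionSpecEntry getRoleSelectionSpecEq(EqualFilter<String> equalFilter) throws SchemaException {
        if (!QNameUtil.match(RoleType.F_ROLE_TYPE, equalFilter.getElementName())) {
            return null;
        }
        List<PrismPropertyValue<String>> values = equalFilter.getValues();
        // A value-less condition used to fail on values.get(0) with an unchecked exception.
        // It is rejected explicitly instead of being mapped to null, because the caller returns
        // null for AllFilter as well and the two cases must not be confused.
        if (values == null || values.isEmpty()) {
            throw new SchemaException("No value in roleType search filter");
        }
        if (values.size() > 1) {
            throw new SchemaException("More than one value in roleType search filter");
        }
        String roleType = values.get(0).getValue();
        return new RoleSelectionSpecEntry(roleType, roleType, null);
    }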

    /**
     * Returns the {@code SecurityPolicyType.F_AUTHENTICATION} container of the security policy
     * resolved by {@link #getSecurityPolicy}.
     *
     * @return the authentication policy, or {@code null} when no security policy or no such
     *         container is found
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public AuthenticationsPolicyType getAuthenticationPolicy(PrismObject<UserType> prismObject, Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException {
        OperationResult subresult = operationResult.createMinorSubresult(GET_AUTHENTICATIONS_POLICY);
        return resolvePolicyTypeFromSecurityPolicy(AuthenticationsPolicyType.class, SecurityPolicyType.F_AUTHENTICATION, prismObject, task, subresult);
    }

    /**
     * Returns the {@code SecurityPolicyType.F_REGISTRATION} container of the security policy
     * resolved by {@link #getSecurityPolicy}.
     *
     * @return the registration policy, or {@code null} when no security policy or no such
     *         container is found
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public RegistrationsPolicyType getRegistrationPolicy(PrismObject<UserType> prismObject, Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException {
        OperationResult subresult = operationResult.createMinorSubresult(GET_REGISTRATIONS_POLICY);
        return resolvePolicyTypeFromSecurityPolicy(RegistrationsPolicyType.class, SecurityPolicyType.F_REGISTRATION, prismObject, task, subresult);
    }

    /**
     * Returns the {@code SecurityPolicyType.F_CREDENTIALS} container of the security policy
     * resolved by {@link #getSecurityPolicy}.
     *
     * @return the credentials policy, or {@code null} when no security policy or no such
     *         container is found
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public CredentialsPolicyType getCredentialsPolicy(PrismObject<UserType> prismObject, Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException {
        OperationResult subresult = operationResult.createMinorSubresult(GET_CREDENTIALS_POLICY);
        return resolvePolicyTypeFromSecurityPolicy(CredentialsPolicyType.class, SecurityPolicyType.F_CREDENTIALS, prismObject, task, subresult);
    }

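    /**
     * Extracts one container from the security policy returned by {@link #getSecurityPolicy}.
     *
     * @param cls expected container type; only used to bind {@code C}
     * @param qName name of the container to look up in the security policy
     * @param prismObject user passed through to {@link #getSecurityPolicy}
     * @param task task passed through to {@link #getSecurityPolicy}
     * @param operationResult result passed to {@link #getSecurityPolicy}; marked as success
     *        only when a container is found
     * @return the container content, or {@code null} when there is no security policy or the
     *         policy has no such container
     */
    private <C extends Containerable> C resolvePolicyTypeFromSecurityPolicy(Class<C> cls, QName qName, PrismObject<UserType> prismObject, Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException {
        SecurityPolicyType securityPolicy = getSecurityPolicy(prismObject, task, operationResult);
        if (securityPolicy == null) {
            return null;
        }
        // The container reference is compared with null; the listing compared it with the int
        // literal 0 and declared it with an unbound type variable, neither of which compiles.
        PrismContainer<C> container = securityPolicy.asPrismObject().findContainer(qName);
        if (container == null) {
            // NOTE(review): operationResult is left without a recorded status on both null
            // paths - confirm that callers close it.
            return null;
        }
        PrismContainerValue<C> value = container.getValue();
        operationResult.recordSuccess();
        return value.asContainerable();
    }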

    /**
     * Resolves the security policy referenced by the global security policy reference of the
     * system configuration.
     *
     * <p>The {@code prismObject} argument is not read by this implementation, so the result is
     * the same policy for every user.
     *
     * @return the resolved policy, or {@code null} when there is no system configuration, no
     *         global policy reference, or the reference resolves to nothing; in those cases the
     *         subresult is marked not applicable if its status is still unknown
     * @throws ObjectNotFoundException rethrown after being recorded as a fatal error
     * @throws SchemaException rethrown after being recorded as a fatal error
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public SecurityPolicyType getSecurityPolicy(PrismObject<UserType> prismObject, Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException {
        OperationResult result = operationResult.createMinorSubresult(GET_SECURITY_POLICY);
        try {
            PrismObject<SystemConfigurationType> config = this.systemObjectCache.getSystemConfiguration(result);
            ObjectReferenceType policyRef = config == null ? null : config.asObjectable().getGlobalSecurityPolicyRef();
            SecurityPolicyType policy = null;
            if (policyRef != null) {
                policy = (SecurityPolicyType) this.objectResolver.resolve(policyRef, SecurityPolicyType.class, null, "security policy referred from system configuration", task, result);
            }
            if (policy == null) {
                // Every "nothing found" outcome ends the same way.
                result.recordNotApplicableIfUnknown();
            }
            return policy;
        } catch (ObjectNotFoundException | SchemaException e) {
            result.recordFatalError(e);
            throw e;
        }
    }

    /**
     * Returns the admin GUI configuration of the current principal, falling back to the one in
     * the system configuration.
     *
     * <p>A {@code SecurityViolationException} while obtaining the principal is logged at WARN
     * level and then handled like a missing principal, so the system-wide configuration is
     * returned in that case.
     *
     * @return the principal's configuration when a principal is available; otherwise the system
     *         configuration's, or {@code null} when there is no system configuration
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public AdminGuiConfigurationType getAdminGuiConfiguration(Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException {
        MidPointPrincipal principal;
        try {
            principal = this.securityEnforcer.getPrincipal();
        } catch (SecurityViolationException e) {
            LOGGER.warn("Security violation while getting principlal to get GUI config: {}", e.getMessage(), e);
            principal = null;
        }
        if (principal == null) {
            PrismObject<SystemConfigurationType> config = this.systemObjectCache.getSystemConfiguration(operationResult);
            return config != null ? config.asObjectable().getAdminGuiConfiguration() : null;
        }
        return principal.getAdminGuiConfiguration();
    }

    /**
     * Reads the deployment information from the cached system configuration.
     *
     * @return the deployment information, or {@code null} when there is no system configuration
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public DeploymentInformationType getDeploymentInformationConfiguration(OperationResult operationResult) throws ObjectNotFoundException, SchemaException {
        PrismObject<SystemConfigurationType> config = this.systemObjectCache.getSystemConfiguration(operationResult);
        return config != null ? config.asObjectable().getDeploymentInformation() : null;
    }

    /**
     * Returns the cached system configuration as an objectable.
     *
     * @return the system configuration, or {@code null} when the cache yields none
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public SystemConfigurationType getSystemConfiguration(OperationResult operationResult) throws ObjectNotFoundException, SchemaException {
        PrismObject<SystemConfigurationType> config = this.systemObjectCache.getSystemConfiguration(operationResult);
        return config != null ? config.asObjectable() : null;
    }

    /**
     * Reads the access certification configuration from the cached system configuration.
     *
     * @return the certification configuration, or {@code null} when there is no system
     *         configuration
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public AccessCertificationConfigurationType getCertificationConfiguration(OperationResult operationResult) throws ObjectNotFoundException, SchemaException {
        PrismObject<SystemConfigurationType> config = this.systemObjectCache.getSystemConfiguration(operationResult);
        return config != null ? config.asObjectable().getAccessCertification() : null;
    }

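    /**
     * Compares a supplied password with the password stored on a user.
     *
     * <p>When the user has no stored password value, the answer is {@code true} only if the
     * supplied password is {@code null} as well. Callers that use this method as an
     * authentication decision should reject a {@code null} candidate before calling, otherwise
     * an account without a password is reported as matching.
     *
     * <p>No authorization check, attempt counting or auditing happens in this method;
     * presumably that is the caller's responsibility - TODO confirm.
     *
     * @param str OID of the user whose password is checked
     * @param protectedStringType candidate password; may be {@code null}
     * @param task task passed to the object resolver
     * @param operationResult parent result; the work is recorded in a minor subresult
     * @return {@code true} when the candidate matches the stored password, or when both are
     *         absent
     * @throws ObjectNotFoundException if the user cannot be resolved; recorded as a fatal error
     * @throws SystemException if the comparison fails with an {@code EncryptionException}
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public boolean checkPassword(String str, ProtectedStringType protectedStringType, Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException {
        OperationResult createMinorSubresult = operationResult.createMinorSubresult(CHECK_PASSWORD);
        try {
            UserType userType = (UserType) this.objectResolver.getObjectSimple(UserType.class, str, null, task, createMinorSubresult);
            if (userType.getCredentials() == null || userType.getCredentials().getPassword() == null || userType.getCredentials().getPassword().getValue() == null) {
                // Close the subresult on this path too; it was previously returned with no
                // status recorded, unlike the comparison path below.
                createMinorSubresult.recordSuccess();
                return protectedStringType == null;
            }
            try {
                boolean compare = this.protector.compare(protectedStringType, userType.getCredentials().getPassword().getValue());
                // Success means the comparison ran, not that the password matched.
                createMinorSubresult.recordSuccess();
                return compare;
            } catch (EncryptionException e) {
                createMinorSubresult.recordFatalError(e);
                throw new SystemException(e.getMessage(), e);
            }
        } catch (ObjectNotFoundException e2) {
            createMinorSubresult.recordFatalError(e2);
            throw e2;
        }
    }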

    /**
     * Delegates to the visualizer to turn a list of deltas into scenes.
     *
     * @param list deltas to visualize
     * @return whatever the visualizer returns for these deltas
     * @throws SchemaException propagated from the visualizer
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public List<? extends Scene> visualizeDeltas(List<ObjectDelta<? extends ObjectType>> list, Task task, OperationResult operationResult) throws SchemaException {
        List<? extends Scene> scenes = this.visualizer.visualizeDeltas(list, task, operationResult);
        return scenes;
    }

    /**
     * Delegates to the visualizer to turn a single delta into a scene.
     *
     * @param objectDelta delta to visualize
     * @return whatever the visualizer returns for this delta
     * @throws SchemaException propagated from the visualizer
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    @NotNull
    public Scene visualizeDelta(ObjectDelta<? extends ObjectType> objectDelta, Task task, OperationResult operationResult) throws SchemaException {
        Scene scene = this.visualizer.visualizeDelta(objectDelta, task, operationResult);
        return scene;
    }

    /**
     * Asks the provisioning service for the operational status of a connector.
     *
     * <p>The call is tracked in a minor subresult whose status is computed on success; each of
     * the declared exceptions is recorded there as a fatal error and rethrown.
     *
     * @param str identifier passed to the provisioning service unchanged
     * @return the status reported by the provisioning service
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public ConnectorOperationalStatus getConnectorOperationalStatus(String str, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException {
        final OperationResult result = operationResult.createMinorSubresult(GET_CONNECTOR_OPERATIONAL_STATUS);
        final ConnectorOperationalStatus status;
        try {
            status = this.provisioning.getConnectorOperationalStatus(str, result);
            result.computeStatus();
        } catch (CommunicationException | ConfigurationException | ObjectNotFoundException | SchemaException e) {
            result.recordFatalError(e);
            throw e;
        }
        return status;
    }

    /**
     * Computes the deltas a merge of two objects would produce, without applying them here.
     *
     * <p>The computation is delegated to the object merger and tracked in a minor subresult.
     * Any listed exception, as well as any {@code RuntimeException} or {@code Error}, is
     * recorded there as a fatal error and rethrown.
     *
     * @param cls type of the merged objects
     * @param str first identifier passed to the merger
     * @param str2 second identifier passed to the merger
     * @param str3 third argument passed to the merger unchanged
     * @return the deltas computed by the merger
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public <O extends ObjectType> MergeDeltas<O> mergeObjectsPreviewDeltas(Class<O> cls, String str, String str2, String str3, Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, ConfigurationException, ExpressionEvaluationException, CommunicationException, SecurityViolationException {
        final OperationResult result = operationResult.createMinorSubresult(MERGE_OBJECTS_PREVIEW_DELTA);
        final MergeDeltas<O> deltas;
        try {
            deltas = this.objectMerger.computeMergeDeltas(cls, str, str2, str3, task, result);
            result.computeStatus();
        } catch (CommunicationException | ConfigurationException | ExpressionEvaluationException | ObjectNotFoundException | SchemaException | SecurityViolationException | Error | RuntimeException e) {
            result.recordFatalError(e);
            throw e;
        }
        return deltas;
    }

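    /**
     * Previews the object that a merge would produce.
     *
     * <p>The merge deltas are computed by the object merger, the object identified by
     * {@code str} is fetched through the object resolver, and the left object delta and left
     * link delta are applied to that fetched object. When the merger returns no deltas the
     * fetched object is returned as is.
     *
     * <p>The work is tracked in a minor subresult. Any listed exception, as well as any
     * {@code RuntimeException} or {@code Error}, is recorded there as a fatal error and rethrown.
     *
     * @param cls type of the merged objects
     * @param str identifier of the object the deltas are applied to
     * @param str2 second identifier passed to the merger
     * @param str3 third argument passed to the merger unchanged
     * @return the fetched object with the left-side deltas applied
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public <O extends ObjectType> PrismObject<O> mergeObjectsPreviewObject(Class<O> cls, String str, String str2, String str3, Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, ConfigurationException, ExpressionEvaluationException, CommunicationException, SecurityViolationException {
        OperationResult result = operationResult.createMinorSubresult(MERGE_OBJECTS_PREVIEW_OBJECT);
        try {
            MergeDeltas<O> deltas = this.objectMerger.computeMergeDeltas(cls, str, str2, str3, task, result);
            if (LOGGER.isTraceEnabled()) {
                // The deltas may be null (see the check below), so the dump is guarded; before,
                // enabling trace logging turned a null result into a NullPointerException.
                LOGGER.trace("Merge preview {} + {} deltas:\n{}", str, str2, deltas == null ? null : deltas.debugDump(1));
            }
            @SuppressWarnings("unchecked") // the object was fetched with cls, so it is an O
            PrismObject<O> leftObject = (PrismObject<O>) this.objectResolver.getObjectSimple(cls, str, null, task, result).asPrismObject();
            if (deltas != null) {
                deltas.getLeftObjectDelta().applyTo(leftObject);
                deltas.getLeftLinkDelta().applyTo(leftObject);
            }
            result.computeStatus();
            return leftObject;
        } catch (CommunicationException | ConfigurationException | ExpressionEvaluationException | ObjectNotFoundException | SchemaException | SecurityViolationException | Error | RuntimeException e) {
            result.recordFatalError(e);
            throw e;
        }
    }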
}
