package com.evolveum.midpoint.security.enforcer.impl;

import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.security.api.Authorization;
import com.evolveum.midpoint.security.api.AuthorizationConstants;
import com.evolveum.midpoint.security.enforcer.api.ObjectSecurityConstraints;
import com.evolveum.midpoint.util.DebugUtil;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationDecisionType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/* loaded from: input_file:WEB-INF/lib/security-enforcer-impl-3.7.3-SNAPSHOT.jar:com/evolveum/midpoint/security/enforcer/impl/ObjectSecurityConstraintsImpl.class */
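/**
 * Authorization constraints collected for a single object, keyed first by action URL and then
 * by authorization phase.
 *
 * <p>Authorizations are folded in through {@link #applyAuthorization(Authorization)}. The lookup
 * methods return {@code DENY}, {@code ALLOW}, or {@code null} when the collected constraints give
 * no verdict. {@code null} is "no decision", not an allow; how it is resolved is up to the caller
 * (presumably default-deny; confirm against the enforcer that consumes this class).
 *
 * <p>State lives in a plain {@link HashMap} with no synchronization in this class, so an instance
 * must not be mutated and queried from several threads at once.
 */
public class ObjectSecurityConstraintsImpl implements ObjectSecurityConstraints {
    /** Action URL -> per-phase item constraints. */
    private final Map<String, PhasedConstraints> actionMap = new HashMap<>();

    /**
     * Collects the items of an authorization under every action it names.
     *
     * <p>An authorization that declares no phase is collected into both the REQUEST and the
     * EXECUTION constraints; otherwise only into its own phase.
     *
     * @param authorization the authorization to merge into these constraints
     */
    public void applyAuthorization(Authorization authorization) {
        // The authorization's decision is not inspected here: collectItems() receives the whole
        // authorization. Presumably it sorts items into allowed/denied sets itself; verify in
        // ItemSecurityConstraintsImpl.
        // NOTE(review): assumes getAction() never returns null; confirm against Authorization.
        List<String> actions = authorization.getAction();
        AuthorizationPhaseType phase = authorization.getPhase();
        for (String action : actions) {
            if (phase == null) {
                getOrCreateItemConstraints(action, AuthorizationPhaseType.REQUEST).collectItems(authorization);
                getOrCreateItemConstraints(action, AuthorizationPhaseType.EXECUTION).collectItems(authorization);
            } else {
                getOrCreateItemConstraints(action, phase).collectItems(authorization);
            }
        }
    }

    /** Returns the item constraints for the action and phase, creating the action's entry on first use. */
    private ItemSecurityConstraintsImpl getOrCreateItemConstraints(String action, AuthorizationPhaseType phase) {
        return this.actionMap.computeIfAbsent(action, key -> new PhasedConstraints()).get(phase);
    }

    /** Returns the item constraints for the action and phase, or {@code null} when the action was never registered. */
    private ItemSecurityConstraintsImpl getItemConstraints(String action, AuthorizationPhaseType phase) {
        PhasedConstraints phasedConstraints = this.actionMap.get(action);
        return phasedConstraints == null ? null : phasedConstraints.get(phase);
    }

    /**
     * Delegates to {@link #findAllItemsDecision(String, AuthorizationPhaseType)}.
     *
     * @param str the action URL
     * @param authorizationPhaseType the phase to evaluate, or {@code null} for both phases
     * @return {@code DENY}, {@code ALLOW}, or {@code null} when there is no decision
     */
    @Override
    public AuthorizationDecisionType getActionDecision(String str, AuthorizationPhaseType authorizationPhaseType) {
        return findAllItemsDecision(str, authorizationPhaseType);
    }

    /**
     * Finds the decision that covers all items of the object for the given action.
     *
     * <p>With a {@code null} phase the REQUEST phase is evaluated first. A {@code null} or
     * {@code DENY} result there is returned as is; only a REQUEST-phase {@code ALLOW} moves on to
     * the EXECUTION phase, whose result is then returned. The overall result is therefore
     * {@code ALLOW} only when both phases allow.
     *
     * @param str the action URL
     * @param authorizationPhaseType the phase to evaluate, or {@code null} for both phases
     * @return {@code DENY}, {@code ALLOW}, or {@code null} when there is no decision
     */
    @Override
    public AuthorizationDecisionType findAllItemsDecision(String str, AuthorizationPhaseType authorizationPhaseType) {
        if (authorizationPhaseType != null) {
            return getActionDecisionPhase(str, authorizationPhaseType);
        }
        AuthorizationDecisionType requestDecision = getActionDecisionPhase(str, AuthorizationPhaseType.REQUEST);
        if (requestDecision == null || AuthorizationDecisionType.DENY.equals(requestDecision)) {
            return requestDecision;
        }
        return getActionDecisionPhase(str, AuthorizationPhaseType.EXECUTION);
    }

    /**
     * Finds the all-items decision for one action in one phase.
     *
     * <p>The denied set is checked before the allowed set, so a deny covering all items wins over
     * an allow covering all items.
     *
     * @param str the action URL
     * @param authorizationPhaseType the phase to evaluate
     * @return {@code DENY}, {@code ALLOW}, or {@code null} when the action is unknown or neither
     *     set covers all items
     */
    public AuthorizationDecisionType getActionDecisionPhase(String str, AuthorizationPhaseType authorizationPhaseType) {
        // NOTE(review): unlike findItemDecisionPhase(), this lookup does not consult the
        // constraints registered under AuthorizationConstants.AUTZ_ALL_URL. Confirm that is intended.
        ItemSecurityConstraintsImpl itemConstraints = getItemConstraints(str, authorizationPhaseType);
        if (itemConstraints == null) {
            return null;
        }
        if (itemConstraints.getDeniedItems().isAllItems()) {
            return AuthorizationDecisionType.DENY;
        }
        if (itemConstraints.getAllowedItems().isAllItems()) {
            return AuthorizationDecisionType.ALLOW;
        }
        return null;
    }

    /**
     * Finds the decision for a single item and action.
     *
     * <p>With a {@code null} phase the REQUEST phase is evaluated first. A {@code null} or
     * {@code DENY} result there is returned as is; only a REQUEST-phase {@code ALLOW} moves on to
     * the EXECUTION phase, whose result is then returned.
     *
     * @param itemPath path of the item being checked
     * @param str the action URL
     * @param authorizationPhaseType the phase to evaluate, or {@code null} for both phases
     * @return {@code DENY}, {@code ALLOW}, or {@code null} when there is no decision
     */
    @Override
    public AuthorizationDecisionType findItemDecision(ItemPath itemPath, String str, AuthorizationPhaseType authorizationPhaseType) {
        if (authorizationPhaseType != null) {
            return findItemDecisionPhase(itemPath, str, authorizationPhaseType);
        }
        AuthorizationDecisionType requestDecision = findItemDecisionPhase(itemPath, str, AuthorizationPhaseType.REQUEST);
        if (requestDecision == null || AuthorizationDecisionType.DENY.equals(requestDecision)) {
            return requestDecision;
        }
        return findItemDecisionPhase(itemPath, str, AuthorizationPhaseType.EXECUTION);
    }

    /**
     * Finds the decision for a single item, action and phase.
     *
     * <p>The action's own constraints are consulted first and a {@code DENY} from them is final.
     * The constraints registered under {@link AuthorizationConstants#AUTZ_ALL_URL} are consulted
     * next: their {@code DENY} or {@code ALLOW} is returned, and only when they give no verdict
     * does the action-specific result (possibly {@code null}) stand.
     *
     * @param itemPath path of the item being checked
     * @param str the action URL
     * @param authorizationPhaseType the phase to evaluate
     * @return {@code DENY}, {@code ALLOW}, or {@code null} when there is no decision
     */
    public AuthorizationDecisionType findItemDecisionPhase(ItemPath itemPath, String str, AuthorizationPhaseType authorizationPhaseType) {
        AuthorizationDecisionType actionDecision = null;
        ItemSecurityConstraintsImpl actionConstraints = getItemConstraints(str, authorizationPhaseType);
        if (actionConstraints != null) {
            actionDecision = actionConstraints.findItemDecision(itemPath);
            if (AuthorizationDecisionType.DENY.equals(actionDecision)) {
                // Deny from the specific action is final; the all-actions entry cannot lift it.
                return AuthorizationDecisionType.DENY;
            }
        }
        ItemSecurityConstraintsImpl allActionsConstraints = getItemConstraints(AuthorizationConstants.AUTZ_ALL_URL, authorizationPhaseType);
        if (allActionsConstraints == null) {
            return actionDecision;
        }
        AuthorizationDecisionType allActionsDecision = allActionsConstraints.findItemDecision(itemPath);
        if (AuthorizationDecisionType.DENY.equals(allActionsDecision)) {
            return AuthorizationDecisionType.DENY;
        }
        if (AuthorizationDecisionType.ALLOW.equals(allActionsDecision)) {
            return AuthorizationDecisionType.ALLOW;
        }
        return actionDecision;
    }

    /**
     * Renders the action map for diagnostics.
     *
     * @param i indentation level of the title line; the map is dumped one level deeper
     * @return the formatted dump
     */
    @Override
    public String debugDump(int i) {
        StringBuilder sb = DebugUtil.createTitleStringBuilderLn(ObjectSecurityConstraintsImpl.class, i);
        DebugUtil.debugDumpWithLabel(sb, "actionMap", this.actionMap, i + 1);
        return sb.toString();
    }
}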
