package com.evolveum.midpoint.provisioning.impl;

import com.evolveum.midpoint.common.refinery.PropertyLimitations;
import com.evolveum.midpoint.common.refinery.RefinedAttributeDefinition;
import com.evolveum.midpoint.common.refinery.RefinedObjectClassDefinition;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.delta.ItemDelta;
import com.evolveum.midpoint.prism.delta.PropertyDelta;
import com.evolveum.midpoint.schema.constants.SchemaConstants;
import com.evolveum.midpoint.schema.processor.ResourceAttribute;
import com.evolveum.midpoint.schema.processor.ResourceAttributeContainer;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.util.ShadowUtil;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.LayerType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PropertyAccessType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
import java.util.ArrayList;
import java.util.Collection;
import javax.xml.namespace.QName;
import org.springframework.stereotype.Component;

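/**
 * Enforces per-attribute access limitations (add / modify / read) on resource object shadows.
 *
 * <p>All three checks consult the limitations an attribute definition declares for
 * {@link LayerType#MODEL}. An attribute whose definition carries no limitations, or whose
 * limitations carry no access definition, is treated as unrestricted: the checks deny only
 * what is explicitly not allowed. An attribute with no definition at all is always rejected
 * with a {@link SchemaException}.
 *
 * <p>Every check opens a minor subresult named {@link #OPERATION_NAME} and closes it with
 * either a fatal error (before throwing) or success.
 */
@Component
/* loaded from: input_file:WEB-INF/lib/provisioning-impl-3.9.2-SNAPSHOT.jar:com/evolveum/midpoint/provisioning/impl/AccessChecker.class */
public class AccessChecker {
    public static final String OPERATION_NAME = AccessChecker.class.getName() + ".accessCheck";
    private static final Trace LOGGER = TraceManager.getTrace(AccessChecker.class);

    /**
     * Returns the MODEL-layer access definition of an attribute, or {@code null} when the
     * attribute declares no limitations or no access for that layer.
     */
    private static PropertyAccessType modelLayerAccess(RefinedAttributeDefinition attributeDefinition) {
        PropertyLimitations limitations = attributeDefinition.getLimitations(LayerType.MODEL);
        return limitations == null ? null : limitations.getAccess();
    }

    /**
     * Verifies that every attribute of the shadow being added may be created.
     *
     * @param provisioningContext supplies the object class definition used to look up attributes
     * @param prismObject the shadow about to be added
     * @param operationResult parent result; a minor subresult is created under it
     * @throws SchemaException if an attribute has no definition in the object class
     * @throws SecurityViolationException if an attribute's MODEL-layer access does not allow add
     */
    public void checkAdd(ProvisioningContext provisioningContext, PrismObject<ShadowType> prismObject, OperationResult operationResult) throws SchemaException, SecurityViolationException, ConfigurationException, ObjectNotFoundException, CommunicationException, ExpressionEvaluationException {
        OperationResult result = operationResult.createMinorSubresult(OPERATION_NAME);
        // NOTE(review): the attributes container is dereferenced without a null check, as in
        // the original; confirm callers never pass a shadow without one.
        for (ResourceAttribute<?> attribute : ShadowUtil.getAttributesContainer(prismObject).getAttributes()) {
            // Resolved per attribute (not hoisted) so that a shadow with no attributes never
            // triggers object class resolution, matching the original behaviour.
            RefinedAttributeDefinition attributeDefinition = provisioningContext.getObjectClassDefinition().findAttributeDefinition(attribute.getElementName());
            if (attributeDefinition == null) {
                String message = "No definition for attribute " + attribute.getElementName() + " in " + provisioningContext.getObjectClassDefinition();
                result.recordFatalError(message);
                throw new SchemaException(message);
            }
            PropertyAccessType access = modelLayerAccess(attributeDefinition);
            // A missing (null) flag is denied just like an explicit false.
            if (access != null && !Boolean.TRUE.equals(access.isAdd())) {
                String message = "Attempt to add shadow with non-createable attribute " + attribute.getElementName();
                LOGGER.error(message);
                result.recordFatalError(message);
                throw new SecurityViolationException(message);
            }
        }
        result.recordSuccess();
    }

    /**
     * Verifies that every attribute targeted by the given modifications may be updated.
     *
     * <p>Only {@link PropertyDelta}s whose parent path is equivalent to
     * {@link SchemaConstants#PATH_ATTRIBUTES} are checked; all other deltas pass through
     * unexamined. {@code resourceType} and {@code prismObject} are not used by this check.
     *
     * @param collection the modifications to inspect
     * @param refinedObjectClassDefinition object class used to look up attribute definitions
     * @param operationResult parent result; a minor subresult is created under it
     * @throws SchemaException if a modified attribute has no definition in the object class
     * @throws SecurityViolationException if an attribute's MODEL-layer access does not allow modify
     */
    public void checkModify(ResourceType resourceType, PrismObject<ShadowType> prismObject, Collection<? extends ItemDelta> collection, RefinedObjectClassDefinition refinedObjectClassDefinition, OperationResult operationResult) throws SecurityViolationException, SchemaException {
        OperationResult result = operationResult.createMinorSubresult(OPERATION_NAME);
        for (ItemDelta itemDelta : collection) {
            if (!(itemDelta instanceof PropertyDelta)) {
                continue;
            }
            PropertyDelta propertyDelta = (PropertyDelta) itemDelta;
            if (!SchemaConstants.PATH_ATTRIBUTES.equivalent(propertyDelta.getParentPath())) {
                continue;
            }
            QName attributeName = propertyDelta.getElementName();
            RefinedAttributeDefinition attributeDefinition = refinedObjectClassDefinition.findAttributeDefinition(attributeName);
            if (attributeDefinition == null) {
                String message = "Cannot find definition of attribute " + attributeName + " in " + refinedObjectClassDefinition;
                // Close the subresult before throwing, as checkAdd and filterGetAttributes do;
                // the original left it unfinished on this path.
                result.recordFatalError(message);
                throw new SchemaException(message);
            }
            PropertyAccessType access = modelLayerAccess(attributeDefinition);
            // A missing (null) flag is denied just like an explicit false.
            if (access != null && !Boolean.TRUE.equals(access.isModify())) {
                String message = "Attempt to modify non-updateable attribute " + attributeName;
                LOGGER.error(message);
                result.recordFatalError(message);
                throw new SecurityViolationException(message);
            }
        }
        result.recordSuccess();
    }

    /**
     * Removes from the container every attribute whose MODEL-layer access does not allow read.
     *
     * <p>Unlike the add and modify checks, a non-readable attribute is dropped
     * (and traced) rather than reported as a security violation.
     *
     * @param resourceAttributeContainer container filtered in place
     * @param refinedObjectClassDefinition object class used to look up attribute definitions
     * @param operationResult parent result; a minor subresult is created under it
     * @throws SchemaException if the container holds an attribute with no definition
     */
    public void filterGetAttributes(ResourceAttributeContainer resourceAttributeContainer, RefinedObjectClassDefinition refinedObjectClassDefinition, OperationResult operationResult) throws SchemaException {
        OperationResult result = operationResult.createMinorSubresult(OPERATION_NAME);
        // Iterate over a snapshot because the loop removes from the container. If
        // getAttributes() returns a live view (not visible from here), removing during
        // iteration can throw ConcurrentModificationException or, for list-backed views,
        // end the loop early and leave a trailing non-readable attribute unfiltered.
        Collection<ResourceAttribute<?>> snapshot = new ArrayList<>(resourceAttributeContainer.getAttributes());
        for (ResourceAttribute<?> attribute : snapshot) {
            QName attributeName = attribute.getElementName();
            RefinedAttributeDefinition attributeDefinition = refinedObjectClassDefinition.findAttributeDefinition(attributeName);
            if (attributeDefinition == null) {
                String message = "Unknown attribute " + attributeName + " in objectclass " + refinedObjectClassDefinition;
                result.recordFatalError(message);
                throw new SchemaException(message);
            }
            PropertyAccessType access = modelLayerAccess(attributeDefinition);
            // A missing (null) flag is treated as not readable, same as an explicit false.
            if (access != null && !Boolean.TRUE.equals(access.isRead())) {
                LOGGER.trace("Removing non-readable attribute {}", attributeName);
                resourceAttributeContainer.remove(attribute);
            }
        }
        result.recordSuccess();
    }
}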
