package com.evolveum.midpoint.model.impl.controller;

import com.evolveum.midpoint.common.crypto.CryptoUtil;
import com.evolveum.midpoint.model.api.ModelAuthorizationAction;
import com.evolveum.midpoint.model.api.ModelExecuteOptions;
import com.evolveum.midpoint.model.common.ArchetypeManager;
import com.evolveum.midpoint.model.common.SystemObjectCache;
import com.evolveum.midpoint.model.impl.lens.LensContext;
import com.evolveum.midpoint.model.impl.lens.LensElementContext;
import com.evolveum.midpoint.model.impl.lens.LensFocusContext;
import com.evolveum.midpoint.model.impl.lens.LensProjectionContext;
import com.evolveum.midpoint.prism.ConsistencyCheckScope;
import com.evolveum.midpoint.prism.Containerable;
import com.evolveum.midpoint.prism.Item;
import com.evolveum.midpoint.prism.ItemDefinition;
import com.evolveum.midpoint.prism.Itemable;
import com.evolveum.midpoint.prism.MutableComplexTypeDefinition;
import com.evolveum.midpoint.prism.MutableItemDefinition;
import com.evolveum.midpoint.prism.MutablePrismContainerDefinition;
import com.evolveum.midpoint.prism.PrismContainer;
import com.evolveum.midpoint.prism.PrismContainerDefinition;
import com.evolveum.midpoint.prism.PrismContainerValue;
import com.evolveum.midpoint.prism.PrismContext;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.PrismObjectDefinition;
import com.evolveum.midpoint.prism.PrismValue;
import com.evolveum.midpoint.prism.delta.ContainerDelta;
import com.evolveum.midpoint.prism.delta.ItemDelta;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.path.ItemName;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.prism.path.UniformItemPath;
import com.evolveum.midpoint.prism.xml.XsdTypeMapper;
import com.evolveum.midpoint.repo.api.RepositoryService;
import com.evolveum.midpoint.schema.DefinitionProcessingOption;
import com.evolveum.midpoint.schema.GetOperationOptions;
import com.evolveum.midpoint.schema.SearchResultList;
import com.evolveum.midpoint.schema.SelectorOptions;
import com.evolveum.midpoint.schema.constants.SchemaConstants;
import com.evolveum.midpoint.schema.internals.InternalsConfig;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
import com.evolveum.midpoint.security.api.SecurityUtil;
import com.evolveum.midpoint.security.enforcer.api.AuthorizationParameters;
import com.evolveum.midpoint.security.enforcer.api.ObjectSecurityConstraints;
import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.util.exception.AuthorizationException;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ArchetypePolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationDecisionType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FormItemValidationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ItemConstraintType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ItemRefinedDefinitionType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.LayerType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectPolicyConfigurationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectTemplateItemDefinitionType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectTemplateType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OperationResultStatusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OperationResultType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PropertyAccessType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PropertyLimitationsType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ReportType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemConfigurationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserInterfaceElementVisibilityType;
import com.evolveum.prism.xml.ns._public.types_3.ItemPathType;
import java.util.ArrayList;
import java.util.Collection;
import java.util.IdentityHashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang.Validate;
import org.jetbrains.annotations.Contract;
import org.jetbrains.annotations.NotNull;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.stereotype.Component;

@Component
/* loaded from: input_file:WEB-INF/lib/model-impl-4.1.1-SNAPSHOT.jar:com/evolveum/midpoint/model/impl/controller/SchemaTransformer.class */
public class SchemaTransformer {
    private static final Trace LOGGER = TraceManager.getTrace((Class<?>) SchemaTransformer.class);
    private static final String OPERATION_APPLY_SCHEMAS_AND_SECURITY = SchemaTransformer.class.getName() + ".applySchemasAndSecurity";

    @Autowired
    @Qualifier("cacheRepositoryService")
    private transient RepositoryService cacheRepositoryService;

    @Autowired
    private SecurityEnforcer securityEnforcer;

    @Autowired
    private SystemObjectCache systemObjectCache;

    @Autowired
    private ArchetypeManager archetypeManager;

    @Autowired
    private PrismContext prismContext;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/model-impl-4.1.1-SNAPSHOT.jar:com/evolveum/midpoint/model/impl/controller/SchemaTransformer$VisibilityPolicyEntry.class */
    public static class VisibilityPolicyEntry {
        private final UniformItemPath path;
        private final UserInterfaceElementVisibilityType visibility;

        private VisibilityPolicyEntry(UniformItemPath uniformItemPath, UserInterfaceElementVisibilityType userInterfaceElementVisibilityType) {
            this.path = uniformItemPath;
            this.visibility = userInterfaceElementVisibilityType;
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    public <T extends ObjectType> void applySchemasAndSecurityToObjectTypes(List<T> list, GetOperationOptions getOperationOptions, Collection<SelectorOptions<GetOperationOptions>> collection, AuthorizationPhaseType authorizationPhaseType, Task task, OperationResult operationResult) throws SecurityViolationException, SchemaException, ConfigurationException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException {
        for (int i = 0; i < list.size(); i++) {
            PrismObject<? extends ObjectType> cloneIfImmutable = ((ObjectType) list.get(i)).asPrismObject().cloneIfImmutable();
            list.set(i, cloneIfImmutable.asObjectable());
            applySchemasAndSecurity(cloneIfImmutable, getOperationOptions, collection, authorizationPhaseType, task, operationResult);
        }
    }

    public <T extends ObjectType> void applySchemasAndSecurityToObjects(List<PrismObject<T>> list, GetOperationOptions getOperationOptions, Collection<SelectorOptions<GetOperationOptions>> collection, AuthorizationPhaseType authorizationPhaseType, Task task, OperationResult operationResult) throws SecurityViolationException, SchemaException {
        for (int i = 0; i < list.size(); i++) {
            PrismObject<T> cloneIfImmutable = list.get(i).cloneIfImmutable();
            list.set(i, cloneIfImmutable);
            applySchemaAndSecurityToObject(cloneIfImmutable, getOperationOptions, collection, authorizationPhaseType, task, operationResult);
        }
    }

    public <C extends Containerable, T extends ObjectType> SearchResultList<C> applySchemasAndSecurityToContainers(SearchResultList<C> searchResultList, Class<T> cls, ItemName itemName, GetOperationOptions getOperationOptions, Collection<SelectorOptions<GetOperationOptions>> collection, AuthorizationPhaseType authorizationPhaseType, Task task, OperationResult operationResult) throws SecurityViolationException, SchemaException, ObjectNotFoundException, ConfigurationException, ExpressionEvaluationException, CommunicationException {
        boolean z;
        PrismContainerValue value;
        ArrayList arrayList = new ArrayList();
        IdentityHashMap identityHashMap = new IdentityHashMap();
        Iterator<C> it = searchResultList.iterator();
        while (it.hasNext()) {
            C next = it.next();
            Long id = next.asPrismContainerValue().getId();
            if (id == null) {
                throw new SchemaException("No ID in container value " + next);
            }
            PrismObject parentObject = ObjectTypeUtil.getParentObject(next);
            if (parentObject != null) {
                z = identityHashMap.containsKey(parentObject);
            } else {
                parentObject = this.prismContext.createObject(cls);
                ((PrismContainer) parentObject.findOrCreateItem(itemName, PrismContainer.class)).add((PrismContainer) next.asPrismContainerValue());
                z = false;
            }
            if (!z) {
                applySchemasAndSecurity(parentObject, getOperationOptions, collection, authorizationPhaseType, task, operationResult);
                identityHashMap.put(parentObject, null);
            }
            PrismContainer<T> findContainer = parentObject.findContainer(itemName);
            if (findContainer != 0 && (value = findContainer.getValue(id)) != null) {
                arrayList.add(value.asContainerable());
            }
        }
        return new SearchResultList<>(arrayList, searchResultList.getMetadata());
    }

    private <T extends ObjectType> void applySchemaAndSecurityToObject(PrismObject<T> prismObject, GetOperationOptions getOperationOptions, Collection<SelectorOptions<GetOperationOptions>> collection, AuthorizationPhaseType authorizationPhaseType, Task task, OperationResult operationResult) throws SecurityViolationException {
        OperationResult operationResult2 = new OperationResult(SchemaTransformer.class.getName() + ".applySchemasAndSecurityToObject");
        try {
            applySchemasAndSecurity(prismObject, getOperationOptions, collection, authorizationPhaseType, task, operationResult2);
        } catch (CommunicationException | ConfigurationException | ExpressionEvaluationException | ObjectNotFoundException | SchemaException | IllegalArgumentException | IllegalStateException e) {
            LOGGER.error("Error post-processing object {}: {}", prismObject, e.getMessage(), e);
            OperationResultType fetchResult = prismObject.asObjectable().getFetchResult();
            if (fetchResult == null) {
                fetchResult = operationResult2.createOperationResultType();
                prismObject.asObjectable().setFetchResult(fetchResult);
            } else {
                fetchResult.getPartialResults().add(operationResult2.createOperationResultType());
            }
            fetchResult.setStatus(OperationResultStatusType.FATAL_ERROR);
        } catch (SecurityViolationException e2) {
            operationResult.recordFatalError(e2);
            throw e2;
        }
    }

    private <O extends ObjectType> void authorizeOptions(GetOperationOptions getOperationOptions, PrismObject<O> prismObject, ObjectDelta<O> objectDelta, AuthorizationPhaseType authorizationPhaseType, Task task, OperationResult operationResult) throws SchemaException, SecurityViolationException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
        if (GetOperationOptions.isRaw(getOperationOptions)) {
            this.securityEnforcer.authorize(ModelAuthorizationAction.RAW_OPERATION.getUrl(), authorizationPhaseType, AuthorizationParameters.Builder.buildObjectDelta(prismObject, objectDelta), null, task, operationResult);
        }
    }

    public <O extends ObjectType> void applySchemasAndSecurity(PrismObject<O> prismObject, GetOperationOptions getOperationOptions, Collection<SelectorOptions<GetOperationOptions>> collection, AuthorizationPhaseType authorizationPhaseType, Task task, OperationResult operationResult) throws SchemaException, SecurityViolationException, ConfigurationException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException {
        LOGGER.trace("applySchemasAndSecurity({}) starting", prismObject);
        OperationResult createMinorSubresult = operationResult.createMinorSubresult(SchemaTransformer.class.getName() + ".applySchemasAndSecurity");
        authorizeOptions(getOperationOptions, prismObject, null, authorizationPhaseType, task, createMinorSubresult);
        validateObject(prismObject, getOperationOptions, createMinorSubresult);
        ObjectSecurityConstraints compileSecurityConstraints = compileSecurityConstraints(prismObject, task, createMinorSubresult);
        PrismObjectDefinition<O> deepCloneDefinition = prismObject.deepCloneDefinition(true, this::setFullAccessFlags);
        if (authorizationPhaseType == null) {
            if (!GetOperationOptions.isExecutionPhase(getOperationOptions)) {
                applySchemasAndSecurityPhase(prismObject, compileSecurityConstraints, deepCloneDefinition, getOperationOptions, AuthorizationPhaseType.REQUEST, task, createMinorSubresult);
            }
            applySchemasAndSecurityPhase(prismObject, compileSecurityConstraints, deepCloneDefinition, getOperationOptions, AuthorizationPhaseType.EXECUTION, task, createMinorSubresult);
        } else if (authorizationPhaseType != AuthorizationPhaseType.REQUEST || !GetOperationOptions.isExecutionPhase(getOperationOptions)) {
            applySchemasAndSecurityPhase(prismObject, compileSecurityConstraints, deepCloneDefinition, getOperationOptions, authorizationPhaseType, task, createMinorSubresult);
        }
        if (!GetOperationOptions.isRaw(getOperationOptions)) {
            try {
                applyObjectTemplateToObject(prismObject, determineObjectTemplate(prismObject, AuthorizationPhaseType.REQUEST, createMinorSubresult), createMinorSubresult);
            } catch (ConfigurationException | ObjectNotFoundException | SchemaException e) {
                createMinorSubresult.recordFatalError(e);
                throw e;
            }
        }
        if (CollectionUtils.isNotEmpty(collection)) {
            Map extractOptionValues = SelectorOptions.extractOptionValues(collection, getOperationOptions2 -> {
                return getOperationOptions2.getDefinitionProcessing();
            }, this.prismContext);
            if (CollectionUtils.isNotEmpty((Collection) extractOptionValues.get(DefinitionProcessingOption.NONE))) {
                throw new UnsupportedOperationException("'NONE' definition processing is not supported now");
            }
            Collection collection2 = (Collection) extractOptionValues.get(DefinitionProcessingOption.ONLY_IF_EXISTS);
            if (CollectionUtils.isNotEmpty(collection2)) {
                if (collection2.size() != 1 || !ItemPath.isEmpty((ItemPath) collection2.iterator().next())) {
                    throw new UnsupportedOperationException("'ONLY_IF_EXISTS' definition processing is currently supported on root level only; not on " + collection2);
                }
                prismObject.trimDefinitionTree((Collection) extractOptionValues.get(DefinitionProcessingOption.FULL));
            }
        }
        createMinorSubresult.computeStatus();
        createMinorSubresult.recordSuccessIfUnknown();
        LOGGER.trace("applySchemasAndSecurity finishing");
    }

    public <O extends ObjectType> void applySchemasAndSecurity(LensContext<O> lensContext, AuthorizationPhaseType authorizationPhaseType, Task task, OperationResult operationResult) throws SecurityViolationException, SchemaException, ConfigurationException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException {
        LOGGER.trace("applySchemasAndSecurity({}) starting", lensContext);
        OperationResult createMinorSubresult = operationResult.createMinorSubresult(OPERATION_APPLY_SCHEMAS_AND_SECURITY);
        try {
            applySchemasAndSecurityFocus(lensContext, authorizationPhaseType, task, createMinorSubresult);
            applySchemasAndSecurityProjections(lensContext, authorizationPhaseType, task, createMinorSubresult);
            createMinorSubresult.computeStatus();
            createMinorSubresult.recordSuccessIfUnknown();
            LOGGER.trace("applySchemasAndSecurity finishing");
        } catch (Throwable th) {
            createMinorSubresult.recordFatalError(th);
            throw th;
        }
    }

    private <O extends ObjectType> void applySchemasAndSecurityFocus(LensContext<O> lensContext, AuthorizationPhaseType authorizationPhaseType, Task task, OperationResult operationResult) throws SecurityViolationException, SchemaException, ConfigurationException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException {
        LensFocusContext<O> focusContext = lensContext.getFocusContext();
        if (focusContext == null) {
            return;
        }
        if (AuthorizationDecisionType.ALLOW.equals(applySchemasAndSecurityElementContext(lensContext, focusContext, authorizationPhaseType, task, operationResult).findItemDecision(SchemaConstants.PATH_ASSIGNMENT, ModelAuthorizationAction.AUTZ_ACTIONS_URLS_GET, authorizationPhaseType))) {
            return;
        }
        PrismObject<O> objectAny = focusContext.getObjectAny();
        LOGGER.trace("Logged in user isn't authorized to read (or get) assignment item of the object: {}", objectAny);
        operationResult.recordWarning("Logged in user isn't authorized to read (or get) assignment item of the object: " + objectAny);
        lensContext.setEvaluatedAssignmentTriple(null);
    }

    private <O extends ObjectType> void applySchemasAndSecurityProjections(LensContext<O> lensContext, AuthorizationPhaseType authorizationPhaseType, Task task, OperationResult operationResult) throws SecurityViolationException, SchemaException, ConfigurationException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException {
        for (LensProjectionContext lensProjectionContext : lensContext.getProjectionContexts()) {
            if (lensProjectionContext != null && lensProjectionContext.getObjectAny() != null) {
                applySchemasAndSecurityElementContext(lensContext, lensProjectionContext, authorizationPhaseType, task, operationResult);
            }
        }
    }

    private <F extends ObjectType, O extends ObjectType> ObjectSecurityConstraints applySchemasAndSecurityElementContext(LensContext<F> lensContext, LensElementContext<O> lensElementContext, AuthorizationPhaseType authorizationPhaseType, Task task, OperationResult operationResult) throws SecurityViolationException, SchemaException, ConfigurationException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException {
        PrismObject<O> objectAny = lensElementContext.getObjectAny();
        if (objectAny == null) {
            if (lensElementContext.getDelta() == null) {
                return null;
            }
            throw new IllegalArgumentException("Cannot apply schema and security of null object");
        }
        authorizeOptions(ModelExecuteOptions.toGetOperationOptions(lensContext.getOptions()), objectAny, null, authorizationPhaseType, task, operationResult);
        ObjectSecurityConstraints compileSecurityConstraints = compileSecurityConstraints(objectAny, task, operationResult);
        AuthorizationDecisionType findAllItemsDecision = compileSecurityConstraints.findAllItemsDecision(ModelAuthorizationAction.AUTZ_ACTIONS_URLS_GET, authorizationPhaseType);
        if (findAllItemsDecision == AuthorizationDecisionType.DENY) {
            SecurityUtil.logSecurityDeny(objectAny, "because the authorization denies access");
            throw new AuthorizationException("Access denied");
        }
        AuthorizationDecisionType findAllItemsDecision2 = compileSecurityConstraints.findAllItemsDecision(ModelAuthorizationAction.ADD.getUrl(), authorizationPhaseType);
        AuthorizationDecisionType findAllItemsDecision3 = compileSecurityConstraints.findAllItemsDecision(ModelAuthorizationAction.MODIFY.getUrl(), authorizationPhaseType);
        lensElementContext.forEachObject(prismObject -> {
            applySecurityConstraints(prismObject.getValue(), compileSecurityConstraints, authorizationPhaseType, findAllItemsDecision, findAllItemsDecision2, findAllItemsDecision3, false);
        });
        lensElementContext.forEachDelta(objectDelta -> {
            applySecurityConstraints(objectDelta, compileSecurityConstraints, authorizationPhaseType, findAllItemsDecision, findAllItemsDecision2, findAllItemsDecision3);
        });
        return compileSecurityConstraints;
    }

    public void setFullAccessFlags(ItemDefinition<?> itemDefinition) {
        itemDefinition.toMutable().setCanRead(true);
        itemDefinition.toMutable().setCanAdd(true);
        itemDefinition.toMutable().setCanModify(true);
    }

    private <O extends ObjectType> void applySchemasAndSecurityPhase(PrismObject<O> prismObject, ObjectSecurityConstraints objectSecurityConstraints, PrismObjectDefinition<O> prismObjectDefinition, GetOperationOptions getOperationOptions, AuthorizationPhaseType authorizationPhaseType, Task task, OperationResult operationResult) throws SchemaException, SecurityViolationException, ConfigurationException, ObjectNotFoundException {
        Validate.notNull(authorizationPhaseType);
        try {
            AuthorizationDecisionType findAllItemsDecision = objectSecurityConstraints.findAllItemsDecision(ModelAuthorizationAction.AUTZ_ACTIONS_URLS_GET, authorizationPhaseType);
            if (findAllItemsDecision == AuthorizationDecisionType.DENY) {
                SecurityUtil.logSecurityDeny(prismObject, "because the authorization denies access");
                throw new AuthorizationException("Access denied");
            }
            AuthorizationDecisionType findAllItemsDecision2 = objectSecurityConstraints.findAllItemsDecision(ModelAuthorizationAction.ADD.getUrl(), authorizationPhaseType);
            AuthorizationDecisionType findAllItemsDecision3 = objectSecurityConstraints.findAllItemsDecision(ModelAuthorizationAction.MODIFY.getUrl(), authorizationPhaseType);
            applySecurityConstraints(prismObject.getValue(), objectSecurityConstraints, authorizationPhaseType, findAllItemsDecision, findAllItemsDecision2, findAllItemsDecision3, true);
            if (prismObject.isEmpty()) {
                SecurityUtil.logSecurityDeny(prismObject, "because the subject has not access to any item");
                throw new AuthorizationException("Access denied");
            }
            applySecurityConstraintsItemDef(prismObjectDefinition, new IdentityHashMap<>(), ItemPath.EMPTY_PATH, objectSecurityConstraints, findAllItemsDecision, findAllItemsDecision2, findAllItemsDecision3, authorizationPhaseType);
        } catch (SecurityViolationException | RuntimeException e) {
            operationResult.recordFatalError(e);
            throw e;
        }
    }

    private <O extends ObjectType> ObjectSecurityConstraints compileSecurityConstraints(PrismObject<O> prismObject, Task task, OperationResult operationResult) throws SecurityViolationException, SchemaException, ConfigurationException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException {
        try {
            ObjectSecurityConstraints compileSecurityConstraints = this.securityEnforcer.compileSecurityConstraints(prismObject, null, task, operationResult);
            if (LOGGER.isTraceEnabled()) {
                LOGGER.trace("Security constraints for {}:\n{}", prismObject, compileSecurityConstraints == null ? "null" : compileSecurityConstraints.debugDump());
            }
            if (compileSecurityConstraints != null) {
                return compileSecurityConstraints;
            }
            SecurityUtil.logSecurityDeny(prismObject, "because no security constraints are defined (default deny)");
            throw new AuthorizationException("Access denied");
        } catch (Throwable th) {
            operationResult.recordFatalError(th);
            throw th;
        }
    }

    /* JADX WARN: Type inference failed for: r0v23, types: [com.evolveum.midpoint.prism.ItemDefinition] */
    private void applySecurityConstraints(PrismContainerValue<?> prismContainerValue, ObjectSecurityConstraints objectSecurityConstraints, AuthorizationPhaseType authorizationPhaseType, AuthorizationDecisionType authorizationDecisionType, AuthorizationDecisionType authorizationDecisionType2, AuthorizationDecisionType authorizationDecisionType3, boolean z) {
        LOGGER.trace("applySecurityConstraints(items): items={}, phase={}, defaults R={}, A={}, M={}", prismContainerValue.getItems(), authorizationPhaseType, authorizationDecisionType, authorizationDecisionType2, authorizationDecisionType3);
        if (prismContainerValue.hasNoItems()) {
            return;
        }
        ArrayList arrayList = new ArrayList();
        for (Item<?, ?> item : prismContainerValue.getItems()) {
            ItemPath path = item.getPath();
            ?? definition = item.getDefinition();
            if (definition == 0 || !definition.isElaborate()) {
                ItemPath namedSegmentsOnly = path.namedSegmentsOnly();
                AuthorizationDecisionType computeItemDecision = computeItemDecision(objectSecurityConstraints, namedSegmentsOnly, ModelAuthorizationAction.AUTZ_ACTIONS_URLS_GET, authorizationDecisionType, authorizationPhaseType);
                AuthorizationDecisionType computeItemDecision2 = computeItemDecision(objectSecurityConstraints, namedSegmentsOnly, ModelAuthorizationAction.AUTZ_ACTIONS_URLS_ADD, authorizationDecisionType, authorizationPhaseType);
                AuthorizationDecisionType computeItemDecision3 = computeItemDecision(objectSecurityConstraints, namedSegmentsOnly, ModelAuthorizationAction.AUTZ_ACTIONS_URLS_MODIFY, authorizationDecisionType, authorizationPhaseType);
                LOGGER.trace("applySecurityConstraints(item): {}: decisions R={}, A={}, M={}", path, computeItemDecision, computeItemDecision2, computeItemDecision3);
                if (z && definition != 0) {
                    if (computeItemDecision != AuthorizationDecisionType.ALLOW) {
                        definition.toMutable().setCanRead(false);
                    }
                    if (computeItemDecision2 != AuthorizationDecisionType.ALLOW) {
                        definition.toMutable().setCanAdd(false);
                    }
                    if (computeItemDecision3 != AuthorizationDecisionType.ALLOW) {
                        definition.toMutable().setCanModify(false);
                    }
                }
                if (item instanceof PrismContainer) {
                    if (computeItemDecision == AuthorizationDecisionType.DENY) {
                        arrayList.add(item);
                    } else {
                        AuthorizationDecisionType authorizationDecisionType4 = authorizationDecisionType;
                        if (computeItemDecision == AuthorizationDecisionType.ALLOW) {
                            authorizationDecisionType4 = AuthorizationDecisionType.ALLOW;
                        }
                        reduceContainerValues(((PrismContainer) item).getValues(), objectSecurityConstraints, authorizationPhaseType, computeItemDecision, computeItemDecision2, computeItemDecision3, authorizationDecisionType4, z);
                        if (item.hasNoValues() && computeItemDecision == null) {
                            arrayList.add(item);
                        }
                    }
                } else if (computeItemDecision == AuthorizationDecisionType.DENY || computeItemDecision == null) {
                    arrayList.add(item);
                }
            } else {
                LOGGER.trace("applySecurityConstraints(item): {}: skip (elaborate)", path);
            }
        }
        Iterator it = arrayList.iterator();
        while (it.hasNext()) {
            prismContainerValue.remove((Item) it.next());
        }
    }

    /* JADX WARN: Type inference failed for: r0v31, types: [com.evolveum.midpoint.prism.ItemDefinition] */
    private <O extends ObjectType> void applySecurityConstraints(ObjectDelta<O> objectDelta, ObjectSecurityConstraints objectSecurityConstraints, AuthorizationPhaseType authorizationPhaseType, AuthorizationDecisionType authorizationDecisionType, AuthorizationDecisionType authorizationDecisionType2, AuthorizationDecisionType authorizationDecisionType3) {
        Collection<? extends ItemDelta<?, ?>> modifications;
        LOGGER.trace("applySecurityConstraints(objectDelta): items={}, phase={}, defaults R={}, A={}, M={}", objectDelta, authorizationPhaseType, authorizationDecisionType, authorizationDecisionType2, authorizationDecisionType3);
        if (objectDelta == null) {
            return;
        }
        if (objectDelta.isAdd()) {
            applySecurityConstraints(objectDelta.getObjectToAdd().getValue(), objectSecurityConstraints, authorizationPhaseType, authorizationDecisionType, authorizationDecisionType2, authorizationDecisionType3, false);
            return;
        }
        if (objectDelta.isDelete() || (modifications = objectDelta.getModifications()) == null || modifications.isEmpty()) {
            return;
        }
        ArrayList arrayList = new ArrayList();
        for (ItemDelta<?, ?> itemDelta : modifications) {
            ItemPath path = itemDelta.getPath();
            ?? definition = itemDelta.getDefinition();
            if (definition == 0 || !definition.isElaborate()) {
                ItemPath namedSegmentsOnly = path.namedSegmentsOnly();
                AuthorizationDecisionType computeItemDecision = computeItemDecision(objectSecurityConstraints, namedSegmentsOnly, ModelAuthorizationAction.AUTZ_ACTIONS_URLS_GET, authorizationDecisionType, authorizationPhaseType);
                AuthorizationDecisionType computeItemDecision2 = computeItemDecision(objectSecurityConstraints, namedSegmentsOnly, ModelAuthorizationAction.AUTZ_ACTIONS_URLS_ADD, authorizationDecisionType, authorizationPhaseType);
                AuthorizationDecisionType computeItemDecision3 = computeItemDecision(objectSecurityConstraints, namedSegmentsOnly, ModelAuthorizationAction.AUTZ_ACTIONS_URLS_MODIFY, authorizationDecisionType, authorizationPhaseType);
                LOGGER.trace("applySecurityConstraints(item): {}: decisions R={}, A={}, M={}", path, computeItemDecision, computeItemDecision2, computeItemDecision3);
                if (!(itemDelta instanceof ContainerDelta)) {
                    if (computeItemDecision == AuthorizationDecisionType.DENY || computeItemDecision == null) {
                        arrayList.add(itemDelta);
                        break;
                    }
                } else if (computeItemDecision == AuthorizationDecisionType.DENY) {
                    arrayList.add(itemDelta);
                } else {
                    AuthorizationDecisionType authorizationDecisionType4 = authorizationDecisionType;
                    if (computeItemDecision == AuthorizationDecisionType.ALLOW) {
                        authorizationDecisionType4 = AuthorizationDecisionType.ALLOW;
                    }
                    reduceContainerValues((List) ((ContainerDelta) itemDelta).getValuesToAdd(), objectSecurityConstraints, authorizationPhaseType, computeItemDecision, computeItemDecision2, computeItemDecision3, authorizationDecisionType4, false);
                    reduceContainerValues((List) ((ContainerDelta) itemDelta).getValuesToDelete(), objectSecurityConstraints, authorizationPhaseType, computeItemDecision, computeItemDecision2, computeItemDecision3, authorizationDecisionType4, false);
                    reduceContainerValues((List) ((ContainerDelta) itemDelta).getValuesToReplace(), objectSecurityConstraints, authorizationPhaseType, computeItemDecision, computeItemDecision2, computeItemDecision3, authorizationDecisionType4, false);
                    if (itemDelta.isEmpty() && computeItemDecision == null) {
                        arrayList.add(itemDelta);
                    }
                }
            } else {
                LOGGER.trace("applySecurityConstraints(item): {}: skip (elaborate)", path);
            }
        }
        Iterator it = arrayList.iterator();
        while (it.hasNext()) {
            modifications.remove((ItemDelta) it.next());
        }
    }

    private boolean reduceContainerValues(List<? extends PrismContainerValue<?>> list, ObjectSecurityConstraints objectSecurityConstraints, AuthorizationPhaseType authorizationPhaseType, AuthorizationDecisionType authorizationDecisionType, AuthorizationDecisionType authorizationDecisionType2, AuthorizationDecisionType authorizationDecisionType3, AuthorizationDecisionType authorizationDecisionType4, boolean z) {
        if (list == null) {
            return false;
        }
        boolean z2 = false;
        Iterator<? extends PrismContainerValue<?>> it = list.iterator();
        while (it.hasNext()) {
            PrismContainerValue<?> next = it.next();
            applySecurityConstraints(next, objectSecurityConstraints, authorizationPhaseType, authorizationDecisionType4, authorizationDecisionType2, authorizationDecisionType3, z);
            if (next.hasNoItems() && authorizationDecisionType == null) {
                it.remove();
                z2 = true;
            }
        }
        return z2;
    }

    public <D extends ItemDefinition> void applySecurityConstraints(D d, ObjectSecurityConstraints objectSecurityConstraints, AuthorizationPhaseType authorizationPhaseType) {
        if (authorizationPhaseType != null) {
            applySecurityConstraintsPhase(d, objectSecurityConstraints, authorizationPhaseType);
        } else {
            applySecurityConstraintsPhase(d, objectSecurityConstraints, AuthorizationPhaseType.REQUEST);
            applySecurityConstraintsPhase(d, objectSecurityConstraints, AuthorizationPhaseType.EXECUTION);
        }
    }

    private <D extends ItemDefinition> void applySecurityConstraintsPhase(D d, ObjectSecurityConstraints objectSecurityConstraints, AuthorizationPhaseType authorizationPhaseType) {
        Validate.notNull(authorizationPhaseType);
        LOGGER.trace("applySecurityConstraints(itemDefs): def={}, phase={}", d, authorizationPhaseType);
        applySecurityConstraintsItemDef(d, new IdentityHashMap<>(), ItemPath.EMPTY_PATH, objectSecurityConstraints, null, null, null, authorizationPhaseType);
    }

    /* JADX WARN: Multi-variable type inference failed */
    private <D extends ItemDefinition> void applySecurityConstraintsItemDef(D d, IdentityHashMap<ItemDefinition, Object> identityHashMap, ItemPath itemPath, ObjectSecurityConstraints objectSecurityConstraints, AuthorizationDecisionType authorizationDecisionType, AuthorizationDecisionType authorizationDecisionType2, AuthorizationDecisionType authorizationDecisionType3, AuthorizationPhaseType authorizationPhaseType) {
        boolean containsKey = identityHashMap.containsKey(d);
        identityHashMap.put(d, null);
        AuthorizationDecisionType computeItemDecision = computeItemDecision(objectSecurityConstraints, itemPath, ModelAuthorizationAction.AUTZ_ACTIONS_URLS_GET, authorizationDecisionType, authorizationPhaseType);
        AuthorizationDecisionType computeItemDecision2 = computeItemDecision(objectSecurityConstraints, itemPath, ModelAuthorizationAction.AUTZ_ACTIONS_URLS_ADD, authorizationDecisionType2, authorizationPhaseType);
        AuthorizationDecisionType computeItemDecision3 = computeItemDecision(objectSecurityConstraints, itemPath, ModelAuthorizationAction.AUTZ_ACTIONS_URLS_MODIFY, authorizationDecisionType3, authorizationPhaseType);
        boolean z = false;
        boolean z2 = false;
        boolean z3 = false;
        if ((d instanceof PrismContainerDefinition) && !containsKey) {
            for (ItemDefinition itemDefinition : ((PrismContainerDefinition) d).getDefinitions()) {
                ItemPath create = ItemPath.create(itemPath, itemDefinition.getItemName());
                if (itemDefinition.isElaborate()) {
                    LOGGER.trace("applySecurityConstraints(itemDef): {}: skip (elaborate)", create);
                } else {
                    if (!itemDefinition.getItemName().equals(ShadowType.F_ATTRIBUTES)) {
                        applySecurityConstraintsItemDef(itemDefinition, identityHashMap, create, objectSecurityConstraints, computeItemDecision, computeItemDecision2, computeItemDecision3, authorizationPhaseType);
                    }
                    if (itemDefinition.canRead()) {
                        z = true;
                    }
                    if (itemDefinition.canAdd()) {
                        z2 = true;
                    }
                    if (itemDefinition.canModify()) {
                        z3 = true;
                    }
                }
            }
        }
        LOGGER.trace("applySecurityConstraints(itemDef): {}: decisions R={}, A={}, M={}; subelements R={}, A={}, M={}", itemPath, computeItemDecision, computeItemDecision2, computeItemDecision3, Boolean.valueOf(z), Boolean.valueOf(z2), Boolean.valueOf(z3));
        if (computeItemDecision != AuthorizationDecisionType.ALLOW) {
            d.toMutable().setCanRead(false);
        }
        if (computeItemDecision2 != AuthorizationDecisionType.ALLOW) {
            d.toMutable().setCanAdd(false);
        }
        if (computeItemDecision3 != AuthorizationDecisionType.ALLOW) {
            d.toMutable().setCanModify(false);
        }
        if (z) {
            d.toMutable().setCanRead(true);
        }
        if (z2) {
            d.toMutable().setCanAdd(true);
        }
        if (z3) {
            d.toMutable().setCanModify(true);
        }
    }

    @Contract("_, _, _, !null, _ -> !null")
    public AuthorizationDecisionType computeItemDecision(ObjectSecurityConstraints objectSecurityConstraints, ItemPath itemPath, String[] strArr, AuthorizationDecisionType authorizationDecisionType, AuthorizationPhaseType authorizationPhaseType) {
        AuthorizationDecisionType findItemDecision = objectSecurityConstraints.findItemDecision(itemPath, strArr, authorizationPhaseType);
        return findItemDecision != null ? findItemDecision : authorizationDecisionType;
    }

    public <O extends ObjectType> ObjectTemplateType determineObjectTemplate(PrismObject<O> prismObject, AuthorizationPhaseType authorizationPhaseType, OperationResult operationResult) throws SchemaException, ConfigurationException, ObjectNotFoundException {
        ObjectReferenceType objectTemplateRef;
        ArchetypePolicyType determineArchetypePolicy = this.archetypeManager.determineArchetypePolicy(prismObject, operationResult);
        if (determineArchetypePolicy == null || (objectTemplateRef = determineArchetypePolicy.getObjectTemplateRef()) == null || StringUtils.isEmpty(objectTemplateRef.getOid())) {
            return null;
        }
        return (ObjectTemplateType) this.cacheRepositoryService.getObject(ObjectTemplateType.class, objectTemplateRef.getOid(), null, operationResult).asObjectable();
    }

    public <O extends ObjectType> ObjectTemplateType determineObjectTemplate(Class<O> cls, AuthorizationPhaseType authorizationPhaseType, OperationResult operationResult) throws SchemaException, ConfigurationException, ObjectNotFoundException {
        ObjectPolicyConfigurationType determineObjectPolicyConfiguration;
        ObjectReferenceType objectTemplateRef;
        PrismObject<SystemConfigurationType> systemConfiguration = this.systemObjectCache.getSystemConfiguration(operationResult);
        if (systemConfiguration == null || (determineObjectPolicyConfiguration = ArchetypeManager.determineObjectPolicyConfiguration(cls, null, systemConfiguration.asObjectable())) == null || (objectTemplateRef = determineObjectPolicyConfiguration.getObjectTemplateRef()) == null) {
            return null;
        }
        return (ObjectTemplateType) this.cacheRepositoryService.getObject(ObjectTemplateType.class, objectTemplateRef.getOid(), null, operationResult).asObjectable();
    }

    public <O extends ObjectType> void applyObjectTemplateToDefinition(PrismObjectDefinition<O> prismObjectDefinition, ObjectTemplateType objectTemplateType, OperationResult operationResult) throws ObjectNotFoundException, SchemaException {
        if (objectTemplateType == null) {
            return;
        }
        Iterator<ObjectReferenceType> it = objectTemplateType.getIncludeRef().iterator();
        while (it.hasNext()) {
            applyObjectTemplateToDefinition(prismObjectDefinition, (ObjectTemplateType) this.cacheRepositoryService.getObject(ObjectTemplateType.class, it.next().getOid(), null, operationResult).asObjectable(), operationResult);
        }
        for (ObjectTemplateItemDefinitionType objectTemplateItemDefinitionType : objectTemplateType.getItem()) {
            ItemPathType ref = objectTemplateItemDefinitionType.getRef();
            if (ref == null) {
                throw new SchemaException("No 'ref' in item definition in " + objectTemplateType);
            }
            ItemPath path = this.prismContext.toPath(ref);
            ItemDefinition findItemDefinition = prismObjectDefinition.findItemDefinition(path);
            if (findItemDefinition != null) {
                applyObjectTemplateItem(findItemDefinition, objectTemplateItemDefinitionType, "item " + path + " in object type " + prismObjectDefinition.getTypeName() + " as specified in item definition in " + objectTemplateType);
            } else {
                operationResult.createMinorSubresult(SchemaTransformer.class.getName() + ".applyObjectTemplateToDefinition").recordPartialError("No definition for item " + path + " in object type " + prismObjectDefinition.getTypeName() + " as specified in item definition in " + objectTemplateType);
            }
        }
    }

    private <O extends ObjectType> void applyObjectTemplateToObject(PrismObject<O> prismObject, ObjectTemplateType objectTemplateType, OperationResult operationResult) throws ObjectNotFoundException, SchemaException {
        ItemDefinition definition;
        if (objectTemplateType == null) {
            return;
        }
        Iterator<ObjectReferenceType> it = objectTemplateType.getIncludeRef().iterator();
        while (it.hasNext()) {
            applyObjectTemplateToObject(prismObject, (ObjectTemplateType) this.cacheRepositoryService.getObject(ObjectTemplateType.class, it.next().getOid(), null, operationResult).asObjectable(), operationResult);
        }
        for (ObjectTemplateItemDefinitionType objectTemplateItemDefinitionType : objectTemplateType.getItem()) {
            ItemPathType ref = objectTemplateItemDefinitionType.getRef();
            if (ref == null) {
                throw new SchemaException("No 'ref' in item definition in " + objectTemplateType);
            }
            ItemPath path = this.prismContext.toPath(ref);
            ItemDefinition findItemDefinition = prismObject.getDefinition().findItemDefinition(path);
            if (findItemDefinition != null) {
                applyObjectTemplateItem(findItemDefinition, objectTemplateItemDefinitionType, "item " + path + " in " + prismObject + " as specified in item definition in " + objectTemplateType);
                Itemable findItem = prismObject.findItem(path);
                if (findItem != null && (definition = findItem.getDefinition()) != findItemDefinition) {
                    applyObjectTemplateItem(definition, objectTemplateItemDefinitionType, "item " + path + " in " + prismObject + " as specified in item definition in " + objectTemplateType);
                }
            } else {
                operationResult.createMinorSubresult(SchemaTransformer.class.getName() + ".applyObjectTemplateToObject").recordPartialError("No definition for item " + path + " in " + prismObject + " as specified in item definition in " + objectTemplateType);
            }
        }
    }

    private <IV extends PrismValue, ID extends ItemDefinition> void applyObjectTemplateItem(ID id, ObjectTemplateItemDefinitionType objectTemplateItemDefinitionType, String str) throws SchemaException {
        PropertyLimitationsType limitationsType;
        if (id == null) {
            throw new SchemaException("No definition for " + str);
        }
        MutableItemDefinition mutable = id.toMutable();
        String displayName = objectTemplateItemDefinitionType.getDisplayName();
        if (displayName != null) {
            mutable.setDisplayName(displayName);
        }
        String help = objectTemplateItemDefinitionType.getHelp();
        if (help != null) {
            mutable.setHelp(help);
        }
        Integer displayOrder = objectTemplateItemDefinitionType.getDisplayOrder();
        if (displayOrder != null) {
            mutable.setDisplayOrder(displayOrder);
        }
        Boolean isEmphasized = objectTemplateItemDefinitionType.isEmphasized();
        if (isEmphasized != null) {
            mutable.setEmphasized(isEmphasized.booleanValue());
        }
        Boolean isDeprecated = objectTemplateItemDefinitionType.isDeprecated();
        if (isDeprecated != null) {
            mutable.setDeprecated(isDeprecated.booleanValue());
        }
        Boolean isExperimental = objectTemplateItemDefinitionType.isExperimental();
        if (isExperimental != null) {
            mutable.setExperimental(isExperimental.booleanValue());
        }
        List<PropertyLimitationsType> limitations = objectTemplateItemDefinitionType.getLimitations();
        if (limitations != null && (limitationsType = MiscSchemaUtil.getLimitationsType(limitations, LayerType.PRESENTATION)) != null) {
            if (limitationsType.getMinOccurs() != null) {
                mutable.setMinOccurs(XsdTypeMapper.multiplicityToInteger(limitationsType.getMinOccurs()).intValue());
            }
            if (limitationsType.getMaxOccurs() != null) {
                mutable.setMaxOccurs(XsdTypeMapper.multiplicityToInteger(limitationsType.getMaxOccurs()).intValue());
            }
            if (limitationsType.getProcessing() != null) {
                mutable.setProcessing(MiscSchemaUtil.toItemProcessing(limitationsType.getProcessing()));
            }
            PropertyAccessType access = limitationsType.getAccess();
            if (access != null) {
                if (access.isAdd() != null) {
                    mutable.setCanAdd(access.isAdd().booleanValue());
                }
                if (access.isModify() != null) {
                    mutable.setCanModify(access.isModify().booleanValue());
                }
                if (access.isRead() != null) {
                    mutable.setCanRead(access.isRead().booleanValue());
                }
            }
        }
        ObjectReferenceType valueEnumerationRef = objectTemplateItemDefinitionType.getValueEnumerationRef();
        if (valueEnumerationRef != null) {
            mutable.setValueEnumerationRef(MiscSchemaUtil.objectReferenceTypeToReferenceValue(valueEnumerationRef, this.prismContext));
        }
        FormItemValidationType validation = objectTemplateItemDefinitionType.getValidation();
        if (validation != null) {
            id.setAnnotation(ItemRefinedDefinitionType.F_VALIDATION, validation.m2172clone());
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public <O extends ObjectType> void applyItemsConstraints(@NotNull MutablePrismContainerDefinition<O> mutablePrismContainerDefinition, @NotNull ArchetypePolicyType archetypePolicyType) throws SchemaException {
        List<VisibilityPolicyEntry> visibilityPolicy = getVisibilityPolicy(archetypePolicyType, mutablePrismContainerDefinition);
        if (visibilityPolicy.isEmpty()) {
            return;
        }
        reduceItems(mutablePrismContainerDefinition, this.prismContext.emptyPath(), visibilityPolicy);
    }

    @NotNull
    private <O extends ObjectType> List<VisibilityPolicyEntry> getVisibilityPolicy(ArchetypePolicyType archetypePolicyType, Object obj) throws SchemaException {
        ArrayList arrayList = new ArrayList();
        for (ItemConstraintType itemConstraintType : archetypePolicyType.getItemConstraint()) {
            UserInterfaceElementVisibilityType visibility = itemConstraintType.getVisibility();
            if (visibility != null) {
                ItemPathType path = itemConstraintType.getPath();
                if (path == null) {
                    throw new SchemaException("No 'path' in item definition in archetype policy for " + obj);
                }
                arrayList.add(new VisibilityPolicyEntry(this.prismContext.toUniformPath(path), visibility));
            }
        }
        return arrayList;
    }

    @NotNull
    private UserInterfaceElementVisibilityType reduceItems(PrismContainerDefinition<?> prismContainerDefinition, UniformItemPath uniformItemPath, List<VisibilityPolicyEntry> list) {
        UserInterfaceElementVisibilityType determineVisibility = determineVisibility(list, uniformItemPath);
        if (prismContainerDefinition.isElaborate()) {
            return determineVisibility;
        }
        Collection<ItemName> itemNames = determineVisibility == UserInterfaceElementVisibilityType.HIDDEN ? prismContainerDefinition.getItemNames() : selectItemsToDelete(prismContainerDefinition, uniformItemPath, list);
        MutableComplexTypeDefinition mutable = prismContainerDefinition.getComplexTypeDefinition().toMutable();
        for (ItemName itemName : itemNames) {
            LOGGER.trace("Removing item {}/{} due to visibility constraint", uniformItemPath, itemName.getLocalPart());
            mutable.delete(itemName);
        }
        return determineVisibility;
    }

    @NotNull
    private List<ItemName> selectItemsToDelete(PrismContainerDefinition<?> prismContainerDefinition, UniformItemPath uniformItemPath, List<VisibilityPolicyEntry> list) {
        ArrayList arrayList = new ArrayList();
        for (ItemDefinition itemDefinition : prismContainerDefinition.getDefinitions()) {
            UniformItemPath append = uniformItemPath.append(itemDefinition.getItemName());
            if (itemDefinition instanceof PrismContainerDefinition) {
                PrismContainerDefinition<?> prismContainerDefinition2 = (PrismContainerDefinition) itemDefinition;
                UserInterfaceElementVisibilityType reduceItems = reduceItems(prismContainerDefinition2, append, list);
                if (prismContainerDefinition2.isEmpty() && (reduceItems == UserInterfaceElementVisibilityType.VACANT || reduceItems == UserInterfaceElementVisibilityType.HIDDEN || (reduceItems == UserInterfaceElementVisibilityType.AUTOMATIC && prismContainerDefinition2.isCompletelyDefined()))) {
                    arrayList.add(itemDefinition.getItemName());
                }
            } else {
                UserInterfaceElementVisibilityType determineVisibility = determineVisibility(list, append);
                if (determineVisibility == UserInterfaceElementVisibilityType.VACANT || determineVisibility == UserInterfaceElementVisibilityType.HIDDEN) {
                    arrayList.add(itemDefinition.getItemName());
                }
            }
        }
        return arrayList;
    }

    @NotNull
    private UserInterfaceElementVisibilityType determineVisibility(List<VisibilityPolicyEntry> list, UniformItemPath uniformItemPath) {
        if (uniformItemPath == null || uniformItemPath.isEmpty()) {
            return UserInterfaceElementVisibilityType.AUTOMATIC;
        }
        UserInterfaceElementVisibilityType visibilityPolicy = getVisibilityPolicy(list, uniformItemPath);
        return visibilityPolicy != null ? visibilityPolicy : determineVisibility(list, uniformItemPath.allExceptLast());
    }

    private UserInterfaceElementVisibilityType getVisibilityPolicy(List<VisibilityPolicyEntry> list, UniformItemPath uniformItemPath) {
        for (VisibilityPolicyEntry visibilityPolicyEntry : list) {
            if (uniformItemPath.equivalent(visibilityPolicyEntry.path)) {
                return visibilityPolicyEntry.visibility;
            }
        }
        return null;
    }

    private <T extends ObjectType> void validateObject(PrismObject<T> prismObject, GetOperationOptions getOperationOptions, OperationResult operationResult) {
        try {
            if (InternalsConfig.readEncryptionChecks) {
                CryptoUtil.checkEncrypted(prismObject);
            }
            if (InternalsConfig.consistencyChecks) {
                Class<O> compileTimeClass = prismObject.getCompileTimeClass();
                boolean isTolerateRawData = GetOperationOptions.isTolerateRawData(getOperationOptions);
                if (compileTimeClass == ResourceType.class || ShadowType.class.isAssignableFrom(compileTimeClass) || compileTimeClass == ReportType.class) {
                    isTolerateRawData = GetOperationOptions.isRaw(getOperationOptions);
                }
                if (hasError(prismObject, operationResult)) {
                    isTolerateRawData = true;
                }
                if (InternalsConfig.consistencyChecks) {
                    prismObject.checkConsistence(true, !isTolerateRawData, ConsistencyCheckScope.THOROUGH);
                }
            }
        } catch (RuntimeException e) {
            operationResult.recordFatalError(e);
            throw e;
        }
    }

    private <T extends ObjectType> boolean hasError(PrismObject<T> prismObject, OperationResult operationResult) {
        if (operationResult != null && operationResult.isError()) {
            return true;
        }
        OperationResultType fetchResult = prismObject.asObjectable().getFetchResult();
        if (fetchResult != null) {
            return fetchResult.getStatus() == OperationResultStatusType.FATAL_ERROR || fetchResult.getStatus() == OperationResultStatusType.PARTIAL_ERROR;
        }
        return false;
    }
}
