package com.evolveum.midpoint.model.impl.controller;

import com.evolveum.midpoint.audit.api.AuditEventRecord;
import com.evolveum.midpoint.audit.api.AuditEventStage;
import com.evolveum.midpoint.audit.api.AuditService;
import com.evolveum.midpoint.model.api.ModelAuditService;
import com.evolveum.midpoint.model.api.ModelAuthorizationAction;
import com.evolveum.midpoint.model.impl.ModelObjectResolver;
import com.evolveum.midpoint.model.impl.util.AuditHelper;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.xml.XmlTypeConverter;
import com.evolveum.midpoint.schema.ObjectDeltaOperation;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.result.OperationResultStatus;
import com.evolveum.midpoint.security.enforcer.api.AuthorizationParameters;
import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.util.DebugUtil;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CleanupPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.xml.datatype.XMLGregorianCalendar;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

@Component
/* loaded from: input_file:WEB-INF/lib/model-impl-4.3.3-SNAPSHOT.jar:com/evolveum/midpoint/model/impl/controller/AuditController.class */
public class AuditController implements ModelAuditService {
    private static final Trace LOGGER = TraceManager.getTrace((Class<?>) AuditController.class);

    @Autowired
    private AuditService auditService;

    @Autowired
    private AuditHelper auditHelper;

    @Autowired
    private ModelObjectResolver objectResolver;

    @Autowired
    private SecurityEnforcer securityEnforcer;

    @Override // com.evolveum.midpoint.model.api.ModelAuditService
    public void audit(AuditEventRecord auditEventRecord, Task task, OperationResult operationResult) throws SecurityViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
        authorize(ModelAuthorizationAction.AUDIT_RECORD, task, operationResult);
        this.auditHelper.audit(auditEventRecord, null, task, operationResult);
    }

    @Override // com.evolveum.midpoint.model.api.ModelAuditService
    public List<AuditEventRecord> listRecords(String str, Map<String, Object> map, Task task, OperationResult operationResult) throws SecurityViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
        authorize(ModelAuthorizationAction.AUDIT_READ, task, operationResult);
        return this.auditService.listRecords(str, map, operationResult);
    }

    @Override // com.evolveum.midpoint.model.api.ModelAuditService
    public long countObjects(String str, Map<String, Object> map, Task task, OperationResult operationResult) throws SecurityViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
        authorize(ModelAuthorizationAction.AUDIT_READ, task, operationResult);
        return this.auditService.countObjects(str, map);
    }

    @Override // com.evolveum.midpoint.model.api.ModelAuditService
    public void cleanupAudit(CleanupPolicyType cleanupPolicyType, Task task, OperationResult operationResult) throws SecurityViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
        authorize(ModelAuthorizationAction.AUDIT_MANAGE, task, operationResult);
        this.auditService.cleanupAudit(cleanupPolicyType, operationResult);
    }

    @Override // com.evolveum.midpoint.model.api.ModelAuditService
    public boolean supportsRetrieval() {
        return this.auditService.supportsRetrieval();
    }

    @Override // com.evolveum.midpoint.model.api.ModelAuditService
    public <O extends ObjectType> PrismObject<O> reconstructObject(Class<O> cls, String str, String str2, Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException {
        PrismObject<? extends ObjectType> asPrismObject = this.objectResolver.getObjectSimple(cls, str, null, task, operationResult).asPrismObject();
        List<AuditEventRecord> changeTrail = getChangeTrail(str, str2, operationResult);
        LOGGER.trace("Found change trail for {} containing {} events", str, Integer.valueOf(changeTrail.size()));
        LOGGER.debug("TRAIL:\n{}", DebugUtil.debugDumpLazily(changeTrail, 1));
        PrismObject<O> objectFromLastEvent = getObjectFromLastEvent(asPrismObject, changeTrail, str2);
        return objectFromLastEvent != null ? objectFromLastEvent : rollBackTime(asPrismObject.mo821clone(), changeTrail);
    }

    private List<AuditEventRecord> getChangeTrail(String str, String str2, OperationResult operationResult) throws ObjectNotFoundException {
        AuditEventRecord findEvent = findEvent(str2, operationResult);
        if (findEvent == null) {
            throw new ObjectNotFoundException("Audit event ID " + str2 + " was not found");
        }
        if (LOGGER.isTraceEnabled()) {
            LOGGER.trace("Final event:\n{}", findEvent.debugDump(1));
        }
        List<AuditEventRecord> changeTrail = getChangeTrail(str, XmlTypeConverter.createXMLGregorianCalendar(findEvent.getTimestamp()), operationResult);
        Iterator<AuditEventRecord> it = changeTrail.iterator();
        boolean z = false;
        while (it.hasNext()) {
            AuditEventRecord next = it.next();
            if (z) {
                it.remove();
            } else if (str2.equals(next.getEventIdentifier())) {
                z = true;
            }
        }
        return changeTrail;
    }

    private List<AuditEventRecord> getChangeTrail(String str, XMLGregorianCalendar xMLGregorianCalendar, OperationResult operationResult) {
        HashMap hashMap = new HashMap();
        hashMap.put("from", xMLGregorianCalendar);
        hashMap.put("targetOid", str);
        hashMap.put("stage", AuditEventStage.EXECUTION);
        return this.auditService.listRecords("select * from m_audit_event as aer where (aer.timestampValue >= :from) and (aer.targetOid = :targetOid) and (aer.eventStage = :stage) order by aer.timestampValue desc", hashMap, operationResult);
    }

    private AuditEventRecord findEvent(String str, OperationResult operationResult) {
        HashMap hashMap = new HashMap();
        hashMap.put("eventIdentifier", str);
        List<AuditEventRecord> listRecords = this.auditService.listRecords("select * from m_audit_event as aer where (aer.eventIdentifier = :eventIdentifier)", hashMap, operationResult);
        if (listRecords == null || listRecords.isEmpty()) {
            return null;
        }
        if (listRecords.size() > 1) {
            LOGGER.error("Found " + listRecords.size() + " audit records for event ID " + str + " (expecting just one)");
        }
        return listRecords.get(0);
    }

    private <O extends ObjectType> PrismObject<O> getObjectFromLastEvent(PrismObject<O> prismObject, List<AuditEventRecord> list, String str) {
        if (list.isEmpty()) {
            return prismObject;
        }
        AuditEventRecord remove = list.remove(list.size() - 1);
        if (!str.equals(remove.getEventIdentifier())) {
            throw new IllegalStateException("Wrong last event identifier, expected " + str + " but was " + remove.getEventIdentifier());
        }
        for (ObjectDeltaOperation<? extends ObjectType> objectDeltaOperation : remove.getDeltas()) {
            ObjectDelta<? extends ObjectType> objectDelta = objectDeltaOperation.getObjectDelta();
            if (isApplicable(objectDeltaOperation, prismObject, remove) && objectDelta.isAdd()) {
                PrismObject<O> prismObject2 = (PrismObject<O>) objectDelta.getObjectToAdd();
                if (LOGGER.isTraceEnabled()) {
                    LOGGER.trace("Taking object from add delta in last event {}:\n{}", remove.getEventIdentifier(), prismObject2.debugDump(1));
                }
                return prismObject2;
            }
        }
        return null;
    }

    /* JADX WARN: Multi-variable type inference failed */
    private <O extends ObjectType> PrismObject<O> rollBackTime(PrismObject<O> prismObject, List<AuditEventRecord> list) throws SchemaException {
        for (AuditEventRecord auditEventRecord : list) {
            if (LOGGER.isTraceEnabled()) {
                LOGGER.trace("Applying event {} ({})", auditEventRecord.getEventIdentifier(), XmlTypeConverter.createXMLGregorianCalendar(auditEventRecord.getTimestamp()));
            }
            for (ObjectDeltaOperation<? extends ObjectType> objectDeltaOperation : auditEventRecord.getDeltas()) {
                ObjectDelta<? extends ObjectType> objectDelta = objectDeltaOperation.getObjectDelta();
                if (isApplicable(objectDeltaOperation, prismObject, auditEventRecord)) {
                    if (objectDelta.isDelete()) {
                        throw new SchemaException("Delete delta found in the audit trail. Object history cannot be reconstructed.");
                    }
                    if (objectDelta.isAdd()) {
                        throw new SchemaException("Add delta found in the audit trail. Object history cannot be reconstructed.");
                    }
                    ObjectDelta<? extends ObjectType> createReverseDelta = objectDelta.createReverseDelta();
                    if (LOGGER.isTraceEnabled()) {
                        LOGGER.trace("Applying delta (reverse):\n{}", createReverseDelta.debugDump(1));
                    }
                    createReverseDelta.applyTo(prismObject);
                }
            }
            if (LOGGER.isTraceEnabled()) {
                LOGGER.trace("Object after application of event {} ({}):\n{}", auditEventRecord.getEventIdentifier(), XmlTypeConverter.createXMLGregorianCalendar(auditEventRecord.getTimestamp()), prismObject.debugDump(1));
            }
        }
        return prismObject;
    }

    private <O extends ObjectType> boolean isApplicable(ObjectDeltaOperation<? extends ObjectType> objectDeltaOperation, PrismObject<O> prismObject, AuditEventRecord auditEventRecord) {
        OperationResult executionResult = objectDeltaOperation.getExecutionResult();
        ObjectDelta<? extends ObjectType> objectDelta = objectDeltaOperation.getObjectDelta();
        if (executionResult != null && executionResult.getStatus() == OperationResultStatus.FATAL_ERROR) {
            LOGGER.trace("Skipping delta {} in event {} because it is {}", objectDelta, auditEventRecord.getEventIdentifier(), executionResult.getStatus());
            return false;
        }
        if (prismObject.getOid().equals(objectDelta.getOid())) {
            return true;
        }
        if (!LOGGER.isTraceEnabled()) {
            return false;
        }
        LOGGER.trace("Skipping delta {} in event {} because OID does not match ({} vs {})", objectDelta, auditEventRecord.getEventIdentifier(), prismObject.getOid(), objectDelta.getOid());
        return false;
    }

    private void authorize(ModelAuthorizationAction modelAuthorizationAction, Task task, OperationResult operationResult) throws SecurityViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
        this.securityEnforcer.authorize(modelAuthorizationAction.getUrl(), AuthorizationPhaseType.REQUEST, AuthorizationParameters.EMPTY, null, task, operationResult);
        this.securityEnforcer.authorize(modelAuthorizationAction.getUrl(), AuthorizationPhaseType.EXECUTION, AuthorizationParameters.EMPTY, null, task, operationResult);
    }
}
