package com.evolveum.midpoint.model.impl.controller;

import com.evolveum.midpoint.TerminateSessionEvent;
import com.evolveum.midpoint.authentication.api.config.MidpointAuthentication;
import com.evolveum.midpoint.common.ActivationComputer;
import com.evolveum.midpoint.common.Clock;
import com.evolveum.midpoint.model.api.AssignmentCandidatesSpecification;
import com.evolveum.midpoint.model.api.AssignmentObjectRelation;
import com.evolveum.midpoint.model.api.CollectionStats;
import com.evolveum.midpoint.model.api.MetadataItemProcessingSpec;
import com.evolveum.midpoint.model.api.ModelAuditService;
import com.evolveum.midpoint.model.api.ModelAuthorizationAction;
import com.evolveum.midpoint.model.api.ModelExecuteOptions;
import com.evolveum.midpoint.model.api.ModelInteractionService;
import com.evolveum.midpoint.model.api.ModelService;
import com.evolveum.midpoint.model.api.ProgressListener;
import com.evolveum.midpoint.model.api.RoleSelectionSpecification;
import com.evolveum.midpoint.model.api.authentication.ClusterwideUserSessionManager;
import com.evolveum.midpoint.model.api.authentication.CompiledGuiProfile;
import com.evolveum.midpoint.model.api.authentication.CompiledObjectCollectionView;
import com.evolveum.midpoint.model.api.authentication.GuiProfiledPrincipal;
import com.evolveum.midpoint.model.api.authentication.GuiProfiledPrincipalManager;
import com.evolveum.midpoint.model.api.context.EvaluatedAssignmentTarget;
import com.evolveum.midpoint.model.api.context.EvaluatedPolicyRule;
import com.evolveum.midpoint.model.api.context.ModelContext;
import com.evolveum.midpoint.model.api.util.DeputyUtils;
import com.evolveum.midpoint.model.api.util.MergeDeltas;
import com.evolveum.midpoint.model.api.util.ReferenceResolver;
import com.evolveum.midpoint.model.api.validator.StringLimitationResult;
import com.evolveum.midpoint.model.api.visualizer.Scene;
import com.evolveum.midpoint.model.common.archetypes.ArchetypeManager;
import com.evolveum.midpoint.model.common.mapping.MappingFactory;
import com.evolveum.midpoint.model.common.mapping.metadata.MetadataItemProcessingSpecImpl;
import com.evolveum.midpoint.model.common.stringpolicy.FocusValuePolicyOriginResolver;
import com.evolveum.midpoint.model.common.stringpolicy.ObjectBasedValuePolicyOriginResolver;
import com.evolveum.midpoint.model.common.stringpolicy.ObjectValuePolicyEvaluator;
import com.evolveum.midpoint.model.common.stringpolicy.ShadowValuePolicyOriginResolver;
import com.evolveum.midpoint.model.common.stringpolicy.ValuePolicyProcessor;
import com.evolveum.midpoint.model.impl.ModelBeans;
import com.evolveum.midpoint.model.impl.ModelCrudService;
import com.evolveum.midpoint.model.impl.ModelObjectResolver;
import com.evolveum.midpoint.model.impl.lens.Clockwork;
import com.evolveum.midpoint.model.impl.lens.ContextFactory;
import com.evolveum.midpoint.model.impl.lens.LensContext;
import com.evolveum.midpoint.model.impl.lens.LensContextPlaceholder;
import com.evolveum.midpoint.model.impl.lens.LensUtil;
import com.evolveum.midpoint.model.impl.lens.assignments.AssignmentEvaluator;
import com.evolveum.midpoint.model.impl.lens.assignments.EvaluatedAssignmentImpl;
import com.evolveum.midpoint.model.impl.lens.projector.AssignmentOrigin;
import com.evolveum.midpoint.model.impl.lens.projector.loader.ContextLoader;
import com.evolveum.midpoint.model.impl.lens.projector.mappings.MappingEvaluator;
import com.evolveum.midpoint.model.impl.schema.transform.TransformableContainerDefinition;
import com.evolveum.midpoint.model.impl.schema.transform.TransformableObjectDefinition;
import com.evolveum.midpoint.model.impl.schema.transform.TransformableReferenceDefinition;
import com.evolveum.midpoint.model.impl.security.GuiProfileCompiler;
import com.evolveum.midpoint.model.impl.security.SecurityHelper;
import com.evolveum.midpoint.model.impl.visualizer.Visualizer;
import com.evolveum.midpoint.prism.Containerable;
import com.evolveum.midpoint.prism.Item;
import com.evolveum.midpoint.prism.ItemDefinition;
import com.evolveum.midpoint.prism.PrismConstants;
import com.evolveum.midpoint.prism.PrismContainer;
import com.evolveum.midpoint.prism.PrismContainerDefinition;
import com.evolveum.midpoint.prism.PrismContainerValue;
import com.evolveum.midpoint.prism.PrismContext;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.PrismObjectDefinition;
import com.evolveum.midpoint.prism.PrismProperty;
import com.evolveum.midpoint.prism.PrismPropertyDefinition;
import com.evolveum.midpoint.prism.crypto.EncryptionException;
import com.evolveum.midpoint.prism.crypto.Protector;
import com.evolveum.midpoint.prism.delta.DeltaFactory;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.delta.PlusMinusZero;
import com.evolveum.midpoint.prism.delta.PropertyDelta;
import com.evolveum.midpoint.prism.path.ItemName;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.prism.polystring.PolyString;
import com.evolveum.midpoint.prism.query.ObjectFilter;
import com.evolveum.midpoint.prism.query.ObjectPaging;
import com.evolveum.midpoint.prism.query.ObjectQuery;
import com.evolveum.midpoint.prism.query.OrderDirection;
import com.evolveum.midpoint.prism.util.ItemDeltaItem;
import com.evolveum.midpoint.prism.util.ItemPathTypeUtil;
import com.evolveum.midpoint.prism.util.ObjectDeltaObject;
import com.evolveum.midpoint.provisioning.api.ProvisioningService;
import com.evolveum.midpoint.repo.api.RepositoryService;
import com.evolveum.midpoint.repo.cache.RepositoryCache;
import com.evolveum.midpoint.repo.common.SystemObjectCache;
import com.evolveum.midpoint.repo.common.expression.ExpressionFactory;
import com.evolveum.midpoint.repo.common.expression.ExpressionUtil;
import com.evolveum.midpoint.schema.GetOperationOptions;
import com.evolveum.midpoint.schema.ObjectDeltaOperation;
import com.evolveum.midpoint.schema.RelationRegistry;
import com.evolveum.midpoint.schema.ResourceShadowCoordinates;
import com.evolveum.midpoint.schema.ResultHandler;
import com.evolveum.midpoint.schema.SearchResultList;
import com.evolveum.midpoint.schema.SelectorOptions;
import com.evolveum.midpoint.schema.cache.CacheConfigurationManager;
import com.evolveum.midpoint.schema.constants.ObjectTypes;
import com.evolveum.midpoint.schema.constants.SchemaConstants;
import com.evolveum.midpoint.schema.expression.VariablesMap;
import com.evolveum.midpoint.schema.processor.ResourceAttributeDefinition;
import com.evolveum.midpoint.schema.processor.ResourceObjectDefinition;
import com.evolveum.midpoint.schema.processor.ResourceSchemaFactory;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.statistics.ConnectorOperationalStatus;
import com.evolveum.midpoint.schema.util.LocalizationUtil;
import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
import com.evolveum.midpoint.schema.util.ObjectQueryUtil;
import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
import com.evolveum.midpoint.schema.util.SchemaDeputyUtil;
import com.evolveum.midpoint.schema.util.ShadowUtil;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.security.api.SecurityContextManager;
import com.evolveum.midpoint.security.enforcer.api.ItemSecurityConstraints;
import com.evolveum.midpoint.security.enforcer.api.ObjectSecurityConstraints;
import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.task.api.TaskManager;
import com.evolveum.midpoint.util.DOMUtil;
import com.evolveum.midpoint.util.DebugUtil;
import com.evolveum.midpoint.util.DisplayableValue;
import com.evolveum.midpoint.util.LocalizableMessageBuilder;
import com.evolveum.midpoint.util.MiscUtil;
import com.evolveum.midpoint.util.Producer;
import com.evolveum.midpoint.util.QNameUtil;
import com.evolveum.midpoint.util.ShortDumpable;
import com.evolveum.midpoint.util.SingleLocalizableMessage;
import com.evolveum.midpoint.util.annotation.Experimental;
import com.evolveum.midpoint.util.exception.CommonException;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectAlreadyExistsException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.PolicyViolationException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.exception.SystemException;
import com.evolveum.midpoint.util.logging.LoggingUtils;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.api_types_3.ExecuteCredentialResetRequestType;
import com.evolveum.midpoint.xml.ns._public.common.api_types_3.ExecuteCredentialResetResponseType;
import com.evolveum.midpoint.xml.ns._public.common.api_types_3.PolicyItemDefinitionType;
import com.evolveum.midpoint.xml.ns._public.common.api_types_3.PolicyItemTargetType;
import com.evolveum.midpoint.xml.ns._public.common.api_types_3.PolicyItemsDefinitionType;
import com.evolveum.midpoint.xml.ns._public.common.api_types_3.UserSessionManagementType;
import com.evolveum.midpoint.xml.ns._public.common.audit_3.AuditEventRecordType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractRoleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractWorkItemType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AccessCertificationConfigurationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ArchetypePolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ArchetypeType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentHolderType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentRelationApproachType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentRelationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationDecisionType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CollectionRefSpecificationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialSourceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsResetPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.DeploymentInformationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.GuiObjectListViewType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.LayerType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.LensContextType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.LocalizableMessageTemplateType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.LocalizableMessageType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.MergeConfigurationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.NonceCredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectCollectionType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectTemplateType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OrderConstraintsType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OtherPrivilegesLimitationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.RegistrationsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.RelationDefinitionType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityQuestionsCredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityQuestionsCredentialsType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowAssociationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemConfigurationAuditType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemConfigurationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.TaskExecutionStateType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.TaskSchedulingStateType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.TaskType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ValuePolicyType;
import com.evolveum.prism.xml.ns._public.query_3.PagingType;
import com.evolveum.prism.xml.ns._public.types_3.ItemPathType;
import com.evolveum.prism.xml.ns._public.types_3.PolyStringType;
import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
import com.evolveum.prism.xml.ns._public.types_3.RawType;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import javax.xml.namespace.QName;
import org.apache.commons.lang3.BooleanUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.Validate;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;

@Component("modelInteractionService")
/* loaded from: input_file:BOOT-INF/lib/model-impl-4.6.2-SNAPSHOT.jar:com/evolveum/midpoint/model/impl/controller/ModelInteractionServiceImpl.class */
public class ModelInteractionServiceImpl implements ModelInteractionService {

    // Collaborators of this service. Every field annotated with @Autowired below is populated by
    // Spring field injection; none of them is assigned by code in this part of the class.

    @Autowired
    private ContextFactory contextFactory;

    // Compiles the per-object security constraints that the edit-definition methods use to restrict
    // what a caller may read, add or modify.
    @Autowired
    private SecurityEnforcer securityEnforcer;

    @Autowired
    private SecurityContextManager securityContextManager;

    // Produces transformable definitions and applies schema/security constraints to them.
    @Autowired
    private SchemaTransformer schemaTransformer;

    @Autowired
    private ProvisioningService provisioning;

    @Autowired
    private ModelBeans modelBeans;

    @Autowired
    private ModelObjectResolver objectResolver;

    @Autowired
    private ObjectMerger objectMerger;

    // Bound by qualifier to the bean named "cacheRepositoryService"; used in this class to reload
    // objects by OID before authorization-related processing.
    @Autowired
    @Qualifier("cacheRepositoryService")
    private RepositoryService cacheRepositoryService;

    @Autowired
    private ReferenceResolver referenceResolver;

    @Autowired
    private SystemObjectCache systemObjectCache;

    @Autowired
    private ArchetypeManager archetypeManager;

    @Autowired
    private RelationRegistry relationRegistry;

    @Autowired
    private ValuePolicyProcessor policyProcessor;

    @Autowired
    private Protector protector;

    @Autowired
    private PrismContext prismContext;

    @Autowired
    private Visualizer visualizer;

    @Autowired
    private ModelService modelService;

    @Autowired
    private ModelCrudService modelCrudService;

    @Autowired
    private SecurityHelper securityHelper;

    @Autowired
    private MappingFactory mappingFactory;

    @Autowired
    private MappingEvaluator mappingEvaluator;

    @Autowired
    private ActivationComputer activationComputer;

    @Autowired
    private Clock clock;

    @Autowired
    private GuiProfiledPrincipalManager guiProfiledPrincipalManager;

    @Autowired
    private GuiProfileCompiler guiProfileCompiler;

    @Autowired
    private ExpressionFactory expressionFactory;

    @Autowired
    private Clockwork clockwork;

    @Autowired
    private CollectionProcessor collectionProcessor;

    @Autowired
    private CacheConfigurationManager cacheConfigurationManager;

    @Autowired
    private ClusterwideUserSessionManager clusterwideUserSessionManager;

    @Autowired
    private ContextLoader contextLoader;

    @Autowired
    private ModelAuditService modelAuditService;

    @Autowired
    private TaskManager taskManager;
    // Class-wide trace logger. The (Class<?>) cast comes from the decompiler output and is kept as is.
    private static final Trace LOGGER = TraceManager.getTrace((Class<?>) ModelInteractionServiceImpl.class);
    // Operation names derived from the service interface name (not the implementation class);
    // presumably used as OperationResult names by methods further down in the file.
    private static final String OPERATION_GENERATE_VALUE = ModelInteractionService.class.getName() + ".generateValue";
    private static final String OPERATION_VALIDATE_VALUE = ModelInteractionService.class.getName() + ".validateValue";

    /**
     * Previews the given deltas without any progress listeners.
     *
     * <p>Convenience overload: it forwards to the five-argument {@code previewChanges} with an empty
     * listener collection, so the raw-mode rejection and the schema/security post-processing done
     * there apply here as well.
     *
     * @param collection deltas to preview
     * @param modelExecuteOptions execution options, passed through unchanged
     * @param task task in whose context the preview runs
     * @param operationResult parent operation result
     * @return the model context produced by the five-argument overload
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public <F extends ObjectType> ModelContext<F> previewChanges(Collection<ObjectDelta<? extends ObjectType>> collection, ModelExecuteOptions modelExecuteOptions, Task task, OperationResult operationResult) throws SchemaException, PolicyViolationException, ExpressionEvaluationException, ObjectNotFoundException, ObjectAlreadyExistsException, CommunicationException, ConfigurationException, SecurityViolationException {
        final Collection<ProgressListener> noListeners = Collections.emptyList();
        return previewChanges(collection, modelExecuteOptions, task, noListeners, operationResult);
    }

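    /**
     * Computes what executing the given deltas would do, without executing them.
     *
     * <p>The deltas are cloned before use, the preview is computed by the clockwork on a freshly
     * created context, and the resulting context is passed through
     * {@code applySchemasAndSecurity} before it is returned to the caller.
     *
     * <p>Cleanup runs in a {@code finally} block: sequences are reclaimed exactly once, and the
     * local repository caches are exited even when reclaiming the sequences fails. The decompiled
     * form repeated the cleanup inside a catch-all handler, which ran it a second time whenever the
     * first cleanup attempt itself threw.
     *
     * @param collection deltas to preview; cloned, so the caller's instances are not passed on
     * @param modelExecuteOptions execution options; raw mode is rejected
     * @param task task in whose context the preview runs
     * @param collection2 progress listeners handed to the clockwork
     * @param operationResult parent operation result; a {@code PREVIEW_CHANGES} subresult is created
     * @return the previewed context after schema and security processing
     * @throws UnsupportedOperationException when the options request raw mode
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public <F extends ObjectType> ModelContext<F> previewChanges(Collection<ObjectDelta<? extends ObjectType>> collection, ModelExecuteOptions modelExecuteOptions, Task task, Collection<ProgressListener> collection2, OperationResult operationResult) throws SchemaException, PolicyViolationException, ExpressionEvaluationException, ObjectNotFoundException, ObjectAlreadyExistsException, CommunicationException, ConfigurationException, SecurityViolationException {
        if (ModelExecuteOptions.isRaw(modelExecuteOptions)) {
            throw new UnsupportedOperationException("previewChanges is not supported in raw mode");
        }
        // NOTE(review): the complete delta dump is written at debug level. Confirm that the dump
        // does not render clear-text credential or other sensitive values before enabling debug
        // logging for this class in production.
        LOGGER.debug("Preview changes input:\n{}", DebugUtil.debugDumpLazily(collection));
        Collection<ObjectDelta<? extends ObjectType>> cloneDeltas = cloneDeltas(collection);
        OperationResult createSubresult = operationResult.createSubresult(PREVIEW_CHANGES);
        // Stays null when the failure happens before the clockwork returns; the cleanup below
        // receives null in that case, exactly as the decompiled handler did.
        LensContext<F> lensContext = null;
        try {
            RepositoryCache.enterLocalCaches(this.cacheConfigurationManager);
            lensContext = this.clockwork.previewChanges(this.contextFactory.createContext(cloneDeltas, modelExecuteOptions, task, createSubresult), collection2, task, createSubresult);
            // The context is filtered by schema and security rules before it leaves this service.
            this.schemaTransformer.applySchemasAndSecurity(lensContext, null, task, createSubresult);
            return lensContext;
        } finally {
            try {
                LensUtil.reclaimSequences(lensContext, this.cacheRepositoryService, task, createSubresult);
            } finally {
                // Must run even if reclaiming sequences throws, to balance enterLocalCaches above.
                RepositoryCache.exitLocalCaches();
            }
        }
    }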

    /**
     * Returns a new collection holding a clone of every delta in the input.
     *
     * <p>{@code mo1160clone} is the name this decompiled listing gives to the delta's clone method
     * (presumably a decompiler-assigned name for {@code clone()}).
     *
     * @param collection deltas to copy; may be {@code null}
     * @return an empty list for {@code null} input, otherwise a list of clones in iteration order
     */
    @NotNull
    private Collection<ObjectDelta<? extends ObjectType>> cloneDeltas(Collection<ObjectDelta<? extends ObjectType>> collection) {
        if (collection == null) {
            return Collections.emptyList();
        }
        List<ObjectDelta<? extends ObjectType>> copies = new ArrayList<>(collection.size());
        for (ObjectDelta<? extends ObjectType> delta : collection) {
            copies.add(delta.mo1160clone());
        }
        return copies;
    }

    /**
     * Rebuilds a model context from its serialized bean form.
     *
     * <p>Pure delegation to {@code LensContext.fromLensContextBean}; no check is performed here on
     * the bean or on the caller.
     *
     * @param lensContextType bean form of the context
     * @param task task passed to the conversion
     * @param operationResult operation result passed to the conversion
     * @return the context created from the bean
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public <F extends ObjectType> ModelContext<F> unwrapModelContext(LensContextType lensContextType, Task task, OperationResult operationResult) throws SchemaException, ConfigurationException, ObjectNotFoundException, CommunicationException, ExpressionEvaluationException {
        final ModelContext<F> restored = LensContext.fromLensContextBean(lensContextType, task, operationResult);
        return restored;
    }

    /**
     * Builds the definition to be used for editing the given object, restricted by the security
     * constraints compiled for it.
     *
     * <p>Security constraints are compiled for the object returned by
     * {@code getFullObjectReadWrite}: the repository copy when the object has an OID, otherwise the
     * caller-supplied object itself. The archetype policy and the shadow check, in contrast, use the
     * caller-supplied object.
     *
     * <p>Only the four exception types named in the catch clause are recorded as fatal errors in
     * the subresult; {@code CommunicationException} and {@code SecurityViolationException}
     * propagate without being recorded here.
     *
     * @param prismObject object whose edit definition is requested
     * @param authorizationPhaseType authorization phase used when applying the constraints
     * @param task task in whose context the constraints are compiled
     * @param operationResult parent result; a minor {@code GET_EDIT_OBJECT_DEFINITION} subresult is created
     * @return the restricted definition, or {@code null} when no security constraints could be
     *         compiled (the subresult is then marked not applicable)
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public <O extends ObjectType> PrismObjectDefinition<O> getEditObjectDefinition(PrismObject<O> prismObject, AuthorizationPhaseType authorizationPhaseType, Task task, OperationResult operationResult) throws SchemaException, ConfigurationException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, SecurityViolationException {
        OperationResult result = operationResult.createMinorSubresult(GET_EDIT_OBJECT_DEFINITION);
        TransformableObjectDefinition editableDefinition = this.schemaTransformer.transformableDefinition(prismObject.getDefinition());
        try {
            PrismObject<O> storedObject = getFullObjectReadWrite(prismObject, result);
            ObjectSecurityConstraints constraints = this.securityEnforcer.compileSecurityConstraints(storedObject, null, task, result);
            LOGGER.trace("Security constrains for {}:\n{}", prismObject, DebugUtil.debugDumpLazily(constraints));
            if (constraints == null) {
                // Without constraints no definition is handed out at all.
                result.recordNotApplicable();
                result.computeStatusIfUnknown();
                return null;
            }
            applyArchetypePolicy(editableDefinition, prismObject, result);
            this.schemaTransformer.applySecurityConstraints(editableDefinition, constraints, authorizationPhaseType);
            if (prismObject.canRepresent(ShadowType.class)) {
                // Shadows additionally get resource-specific attribute definitions.
                applyObjectClassDefinition(editableDefinition, prismObject, authorizationPhaseType, task, result);
            }
            return editableDefinition;
        } catch (ConfigurationException | ExpressionEvaluationException | ObjectNotFoundException | SchemaException e) {
            result.recordFatalError(e);
            throw e;
        } finally {
            result.computeStatusIfUnknown();
        }
    }

    /**
     * Replaces the generic attribute definitions of a shadow definition with the ones derived from
     * the shadow's resource.
     *
     * <p>Does nothing when the shadow has no resource OID or when no edit object class definition
     * is available. Otherwise the {@code attributes} container definition and the
     * {@code identifiers} definition inside the {@code association} container are replaced.
     *
     * <p>{@code CommunicationException}, {@code ExpressionEvaluationException} and
     * {@code SecurityViolationException} raised while doing so are rethrown wrapped in a
     * {@code ConfigurationException}. Callers therefore cannot tell an authorization failure from a
     * configuration problem by exception type; the original exception is kept as the cause.
     *
     * @param transformableObjectDefinition definition to modify in place
     * @param prismObject object treated as a shadow (unchecked cast)
     * @param authorizationPhaseType authorization phase passed on to {@code getEditObjectClassDefinition}
     * @param task task used for the resource lookup
     * @param operationResult operation result used for the resource lookup
     * @throws ConfigurationException also for the wrapped exception types listed above
     */
    private <O extends ObjectType> void applyObjectClassDefinition(TransformableObjectDefinition<O> transformableObjectDefinition, PrismObject<O> prismObject, AuthorizationPhaseType authorizationPhaseType, Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, ConfigurationException, ExpressionEvaluationException, CommunicationException, SecurityViolationException {
        PrismObject<ShadowType> shadow = (PrismObject<ShadowType>) prismObject;
        String resourceOid = ShadowUtil.getResourceOid(shadow);
        if (resourceOid == null) {
            return;
        }
        try {
            PrismObject<ResourceType> resource = this.provisioning.getObject(ResourceType.class, resourceOid, GetOperationOptions.createReadOnlyCollection(), task, operationResult);
            ResourceObjectDefinition shadowDefinition = getEditObjectClassDefinition(shadow, resource, authorizationPhaseType, task, operationResult);
            if (shadowDefinition == null) {
                return;
            }
            transformableObjectDefinition.replaceDefinition(ShadowType.F_ATTRIBUTES, shadowDefinition.toResourceAttributeContainerDefinition());
            TransformableContainerDefinition
                    .require(transformableObjectDefinition.findContainerDefinition(ItemPath.create(ShadowType.F_ASSOCIATION)))
                    .replaceDefinition(ShadowAssociationType.F_IDENTIFIERS, shadowDefinition.toResourceAttributeContainerDefinition(ShadowAssociationType.F_IDENTIFIERS));
        } catch (CommunicationException | ExpressionEvaluationException | SecurityViolationException e) {
            throw new ConfigurationException(e.getMessage(), e);
        }
    }

    /**
     * Applies the archetype policy of the given object to its definition: first the item
     * constraints, then the object template referenced by the policy, if any.
     *
     * <p>{@code ConfigurationException} and {@code ObjectNotFoundException} are not propagated.
     * They are recorded as a fatal error in the operation result and the method returns normally,
     * so the caller continues with a definition to which the policy was applied only partially or
     * not at all. NOTE(review): confirm that callers inspect the result status where these
     * constraints are relied on.
     *
     * @param prismObjectDefinition definition to modify in place
     * @param prismObject object whose archetype policy is determined
     * @param operationResult result that receives the recorded error
     * @throws SchemaException propagated from the calls made here
     */
    private <O extends ObjectType> void applyArchetypePolicy(PrismObjectDefinition<O> prismObjectDefinition, PrismObject<O> prismObject, OperationResult operationResult) throws SchemaException {
        try {
            // The cast is kept from the decompiled call site (it may select an overload).
            ArchetypePolicyType archetypePolicy = this.archetypeManager.determineArchetypePolicy((PrismObject<? extends ObjectType>) prismObject, operationResult);
            if (archetypePolicy == null) {
                return;
            }
            this.schemaTransformer.applyItemsConstraints(prismObjectDefinition, archetypePolicy);
            ObjectReferenceType templateRef = archetypePolicy.getObjectTemplateRef();
            if (templateRef == null) {
                return;
            }
            ObjectTemplateType template = (ObjectTemplateType) this.cacheRepositoryService.getObject(ObjectTemplateType.class, templateRef.getOid(), GetOperationOptions.createReadOnlyCollection(), operationResult).asObjectable();
            this.schemaTransformer.applyObjectTemplateToDefinition(prismObjectDefinition, template, operationResult);
        } catch (ConfigurationException | ObjectNotFoundException e) {
            operationResult.recordFatalError(e);
        }
    }

    /**
     * Returns the edit definition for a shadow described only by its coordinates.
     *
     * <p>A new in-memory shadow is created and, when coordinates are given, filled with the
     * resource reference, kind, intent and object class. That shadow is then passed to
     * {@code getEditObjectDefinition}. The shadow is not assigned an OID here, so presumably no
     * repository copy is looked up for it and constraints are compiled for the in-memory object.
     *
     * @param resourceShadowCoordinates coordinates of the shadow; when {@code null} the shadow is left empty
     * @param authorizationPhaseType authorization phase passed through
     * @param task task passed through
     * @param operationResult operation result passed through
     * @return whatever {@code getEditObjectDefinition} returns for the constructed shadow
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public PrismObjectDefinition<ShadowType> getEditShadowDefinition(ResourceShadowCoordinates resourceShadowCoordinates, AuthorizationPhaseType authorizationPhaseType, Task task, OperationResult operationResult) throws SchemaException, ConfigurationException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, SecurityViolationException {
        PrismObject<ShadowType> templateShadow = this.prismContext.createObject(ShadowType.class);
        ShadowType shadowBean = templateShadow.asObjectable();
        ObjectReferenceType resourceRef = new ObjectReferenceType();
        if (resourceShadowCoordinates != null) {
            resourceRef.setOid(resourceShadowCoordinates.getResourceOid());
            shadowBean.setResourceRef(resourceRef);
            shadowBean.setKind(resourceShadowCoordinates.getKind());
            shadowBean.setIntent(resourceShadowCoordinates.getIntent());
            shadowBean.setObjectClass(resourceShadowCoordinates.getObjectClass());
        }
        return getEditObjectDefinition(templateShadow, authorizationPhaseType, task, operationResult);
    }

    /**
     * Returns the presentation-layer resource object definition for a shadow, with every attribute
     * restricted according to the caller's read, add and modify authorizations.
     *
     * <p>A decision is first computed for the whole {@code attributes} container and then used as
     * the default for each attribute. An attribute keeps its original definition only when all
     * three decisions are {@code ALLOW}; any other outcome, including no decision at all, switches
     * the corresponding capability off on a clone of the attribute definition. The restrictions
     * are applied to a clone of the layer definition, which is what is returned.
     *
     * <p>NOTE(review): for ADD and MODIFY the container-level default is looked up by the single
     * action URL ({@code ADD.getUrl()}, {@code MODIFY.getUrl()}), whereas the item decision
     * receives {@code AUTZ_ACTIONS_URLS_ADD} / {@code AUTZ_ACTIONS_URLS_MODIFY}; READ uses
     * {@code AUTZ_ACTIONS_URLS_GET} in both places. Confirm the asymmetry is intended.
     *
     * @param prismObject shadow whose definition is requested
     * @param prismObject2 resource the shadow belongs to; must not be {@code null}
     * @param authorizationPhaseType authorization phase for all decisions
     * @param task task used when compiling the constraints
     * @param operationResult operation result used when compiling the constraints
     * @return the restricted definition, or {@code null} when the resource schema has no definition
     *         for the shadow or no security constraints could be compiled
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public ResourceObjectDefinition getEditObjectClassDefinition(@NotNull PrismObject<ShadowType> prismObject, @NotNull PrismObject<ResourceType> prismObject2, AuthorizationPhaseType authorizationPhaseType, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        Validate.notNull(prismObject2, "Resource must not be null", new Object[0]);
        ResourceObjectDefinition rawDefinition = ResourceSchemaFactory.getCompleteSchema(prismObject2).findDefinitionForShadow(prismObject.asObjectable());
        if (rawDefinition == null) {
            LOGGER.debug("No resource object definition for shadow {}, returning null", prismObject.getOid());
            return null;
        }
        ResourceObjectDefinition presentationDefinition = rawDefinition.forLayer(LayerType.PRESENTATION);
        ObjectSecurityConstraints constraints = this.securityEnforcer.compileSecurityConstraints(prismObject, null, task, operationResult);
        LOGGER.trace("Security constrains for {}:\n{}", prismObject, DebugUtil.debugDumpLazily(constraints));
        if (constraints == null) {
            return null;
        }

        // Decisions for the attributes container as a whole; they act as per-attribute defaults below.
        AuthorizationDecisionType containerRead = this.schemaTransformer.computeItemDecision(constraints, SchemaConstants.PATH_ATTRIBUTES, ModelAuthorizationAction.AUTZ_ACTIONS_URLS_GET, constraints.findAllItemsDecision(ModelAuthorizationAction.AUTZ_ACTIONS_URLS_GET, authorizationPhaseType), authorizationPhaseType);
        AuthorizationDecisionType containerAdd = this.schemaTransformer.computeItemDecision(constraints, SchemaConstants.PATH_ATTRIBUTES, ModelAuthorizationAction.AUTZ_ACTIONS_URLS_ADD, constraints.findAllItemsDecision(ModelAuthorizationAction.ADD.getUrl(), authorizationPhaseType), authorizationPhaseType);
        AuthorizationDecisionType containerModify = this.schemaTransformer.computeItemDecision(constraints, SchemaConstants.PATH_ATTRIBUTES, ModelAuthorizationAction.AUTZ_ACTIONS_URLS_MODIFY, constraints.findAllItemsDecision(ModelAuthorizationAction.MODIFY.getUrl(), authorizationPhaseType), authorizationPhaseType);
        LOGGER.trace("Attributes container access read:{}, add:{}, modify:{}", containerRead, containerAdd, containerModify);

        ResourceObjectDefinition restricted = presentationDefinition.mo970clone();
        // Iterate over a copy of the attribute list because definitions are replaced inside the loop.
        for (ResourceAttributeDefinition attribute : new ArrayList(restricted.getAttributeDefinitions())) {
            ItemPath attributePath = ItemPath.create(ShadowType.F_ATTRIBUTES, attribute.getItemName());
            AuthorizationDecisionType readDecision = this.schemaTransformer.computeItemDecision(constraints, attributePath, ModelAuthorizationAction.AUTZ_ACTIONS_URLS_GET, containerRead, authorizationPhaseType);
            AuthorizationDecisionType addDecision = this.schemaTransformer.computeItemDecision(constraints, attributePath, ModelAuthorizationAction.AUTZ_ACTIONS_URLS_ADD, containerAdd, authorizationPhaseType);
            AuthorizationDecisionType modifyDecision = this.schemaTransformer.computeItemDecision(constraints, attributePath, ModelAuthorizationAction.AUTZ_ACTIONS_URLS_MODIFY, containerModify, authorizationPhaseType);
            LOGGER.trace("Attribute {} access read:{}, add:{}, modify:{}", attribute.getItemName(), readDecision, addDecision, modifyDecision);

            boolean mayRead = readDecision == AuthorizationDecisionType.ALLOW;
            boolean mayAdd = addDecision == AuthorizationDecisionType.ALLOW;
            boolean mayModify = modifyDecision == AuthorizationDecisionType.ALLOW;
            if (mayRead && mayAdd && mayModify) {
                continue;
            }
            // Anything other than an explicit ALLOW switches the capability off.
            ResourceAttributeDefinition limitedAttribute = attribute.mo970clone();
            if (!mayRead) {
                limitedAttribute.setOverrideCanRead(false);
            }
            if (!mayAdd) {
                limitedAttribute.setOverrideCanAdd(false);
            }
            if (!mayModify) {
                limitedAttribute.setOverrideCanModify(false);
            }
            restricted.replaceDefinition(attribute.getItemName(), limitedAttribute);
        }
        return restricted;
    }

    /**
     * Builds the metadata item processing specification for the given item path, populated from
     * the object template referenced by the object's archetype policy.
     *
     * <p>The archetype policy is determined for the object returned by
     * {@code getFullObjectReadOnly}. When there is no policy, a {@code null} template reference is
     * passed to {@code populateFromObjectTemplate}.
     *
     * @param itemPath metadata item path the specification is created for
     * @param prismObject object whose archetype policy is consulted
     * @param task task passed to the template resolution
     * @param operationResult operation result passed through
     * @return the populated specification
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public <O extends ObjectType> MetadataItemProcessingSpec getMetadataItemProcessingSpec(ItemPath itemPath, PrismObject<O> prismObject, Task task, OperationResult operationResult) throws SchemaException, ConfigurationException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, SecurityViolationException {
        PrismObject<O> fullObject = getFullObjectReadOnly(prismObject, operationResult);
        // The cast is kept from the decompiled call site (it may select an overload).
        ArchetypePolicyType archetypePolicy = this.archetypeManager.determineArchetypePolicy((PrismObject<? extends ObjectType>) fullObject, operationResult);
        ObjectReferenceType templateRef = null;
        if (archetypePolicy != null) {
            templateRef = archetypePolicy.getObjectTemplateRef();
        }
        MetadataItemProcessingSpecImpl processingSpec = new MetadataItemProcessingSpecImpl(itemPath);
        processingSpec.populateFromObjectTemplate(templateRef, this.objectResolver, "getting items with provenance support for " + prismObject, task, operationResult);
        LOGGER.trace("getMetadataSupportSpec for {} in {}:\n - archetypePolicy = {}\n - templateRef = {}\n - processingSpec = \n{}", itemPath, prismObject, archetypePolicy, templateRef, DebugUtil.debugDumpLazily(processingSpec, 1));
        return processingSpec;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /**
     * Returns the repository copy of {@code prismObject} when it carries an OID, otherwise the supplied
     * instance itself.
     *
     * <p>The lookup is made with {@code null} options (no read-only hint). It goes straight to
     * {@code cacheRepositoryService}; no authorization check is visible on this path, so callers
     * decide what part of the result may be exposed.
     */
    @NotNull
    private <O extends ObjectType> PrismObject<O> getFullObjectReadWrite(PrismObject<O> prismObject, OperationResult operationResult) throws ObjectNotFoundException, SchemaException {
        if (prismObject.getOid() == null) {
            // Nothing to look up: the caller's in-memory object is all there is.
            return prismObject;
        }
        return this.cacheRepositoryService.getObject(prismObject.getCompileTimeClass(), prismObject.getOid(), null, operationResult);
    }

    /* JADX WARN: Multi-variable type inference failed */
    /**
     * Returns the repository copy of {@code prismObject} when it carries an OID, otherwise the supplied
     * instance itself.
     *
     * <p>The lookup uses {@code GetOperationOptions.createReadOnlyCollection()}. It goes straight to
     * {@code cacheRepositoryService}; no authorization check is visible on this path, so callers
     * decide what part of the result may be exposed.
     */
    @NotNull
    private <O extends ObjectType> PrismObject<O> getFullObjectReadOnly(PrismObject<O> prismObject, OperationResult operationResult) throws ObjectNotFoundException, SchemaException {
        if (prismObject.getOid() == null) {
            // Nothing to look up: the caller's in-memory object is all there is.
            return prismObject;
        }
        return this.cacheRepositoryService.getObject(prismObject.getCompileTimeClass(), prismObject.getOid(), GetOperationOptions.createReadOnlyCollection(), operationResult);
    }

    /**
     * Asks the security enforcer which assignment items the current principal may set when requesting
     * {@code prismObject2} for {@code prismObject}.
     *
     * <p>The principal comes from the security context manager and the action is the URL of
     * {@code ModelAuthorizationAction.ASSIGN}; the evaluation itself is delegated.
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public <O extends ObjectType, R extends AbstractRoleType> ItemSecurityConstraints getAllowedRequestAssignmentItems(PrismObject<O> prismObject, PrismObject<R> prismObject2, Task task, OperationResult operationResult) throws SchemaException, SecurityViolationException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
        ItemSecurityConstraints allowedItems = this.securityEnforcer.getAllowedRequestAssignmentItems(this.securityContextManager.getPrincipal(), ModelAuthorizationAction.ASSIGN.getUrl(), prismObject, prismObject2, null, task, operationResult);
        return allowedItems;
    }

    /**
     * Lists every {@code ModelAuthorizationAction} constant as a displayable value.
     *
     * @return a fixed-size list view over the enum constants
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public Collection<? extends DisplayableValue<String>> getActionUrls() {
        ModelAuthorizationAction[] allActions = ModelAuthorizationAction.values();
        return Arrays.asList(allActions);
    }

    /**
     * Computes which roles of type {@code cls} the current principal may assign to {@code prismObject}.
     *
     * <p>The decision is made in three steps, each evaluated for the MODIFY action in the REQUEST phase:
     * <ol>
     *   <li>the item decision for the assignment path ({@code i == 0}) or the inducement path (any
     *       other {@code i});</li>
     *   <li>if that is neither ALLOW nor DENY, the all-items decision;</li>
     *   <li>if that is also neither ALLOW nor DENY, a security filter computed by the enforcer for the
     *       assign action, constrained to order {@code i}.</li>
     * </ol>
     * ALLOW yields a specification whose global filter matches everything, DENY one that matches
     * nothing.
     *
     * @param i assignment order; {@code 0} selects the assignment path, anything else the inducement path
     * @return the role selection specification, or {@code null} when no security constraints were
     *         compiled for the object
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public <H extends AssignmentHolderType, R extends AbstractRoleType> RoleSelectionSpecification getAssignableRoleSpecification(PrismObject<H> prismObject, Class<R> cls, int i, Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, ConfigurationException, ExpressionEvaluationException, CommunicationException, SecurityViolationException {
        OperationResult createMinorSubresult = operationResult.createMinorSubresult(GET_ASSIGNABLE_ROLE_SPECIFICATION);
        try {
            ObjectSecurityConstraints compileSecurityConstraints = this.securityEnforcer.compileSecurityConstraints(prismObject, null, task, createMinorSubresult);
            if (LOGGER.isTraceEnabled()) {
                LOGGER.trace("Security constrains for getAssignableRoleSpecification on {}:\n{}", prismObject, compileSecurityConstraints == null ? null : compileSecurityConstraints.debugDump(1));
            }
            if (compileSecurityConstraints == null) {
                // NOTE(review): this path returns without recording any status on the subresult, and
                // callers receive null rather than a "match nothing" specification. Confirm that every
                // caller treats null as "nothing assignable".
                return null;
            }
            ItemPath itemPath = i == 0 ? SchemaConstants.PATH_ASSIGNMENT : SchemaConstants.PATH_INDUCEMENT;
            // Step 1: explicit decision on the assignment/inducement item itself.
            AuthorizationDecisionType findItemDecision = compileSecurityConstraints.findItemDecision(itemPath, ModelAuthorizationAction.MODIFY.getUrl(), AuthorizationPhaseType.REQUEST);
            LOGGER.trace("getAssignableRoleSpecification decision for {}:{}", itemPath, findItemDecision);
            if (findItemDecision == AuthorizationDecisionType.ALLOW) {
                RoleSelectionSpecification roleSelectionSpecification = new RoleSelectionSpecification();
                roleSelectionSpecification.setGlobalFilter(this.prismContext.queryFactory().createAll());
                createMinorSubresult.recordSuccess();
                return roleSelectionSpecification;
            }
            if (findItemDecision == AuthorizationDecisionType.DENY) {
                createMinorSubresult.recordSuccess();
                RoleSelectionSpecification roleSelectionSpecification2 = new RoleSelectionSpecification();
                roleSelectionSpecification2.setGlobalFilter(this.prismContext.queryFactory().createNone());
                return roleSelectionSpecification2;
            }
            // Step 2: no explicit item decision, so fall back to the decision covering all items.
            AuthorizationDecisionType findAllItemsDecision = compileSecurityConstraints.findAllItemsDecision(ModelAuthorizationAction.MODIFY.getUrl(), AuthorizationPhaseType.REQUEST);
            if (findAllItemsDecision == AuthorizationDecisionType.ALLOW) {
                RoleSelectionSpecification roleSelectionSpecification3 = new RoleSelectionSpecification();
                roleSelectionSpecification3.setGlobalFilter(this.prismContext.queryFactory().createAll());
                createMinorSubresult.recordSuccess();
                return roleSelectionSpecification3;
            }
            if (findAllItemsDecision == AuthorizationDecisionType.DENY) {
                createMinorSubresult.recordSuccess();
                RoleSelectionSpecification roleSelectionSpecification4 = new RoleSelectionSpecification();
                roleSelectionSpecification4.setGlobalFilter(this.prismContext.queryFactory().createNone());
                return roleSelectionSpecification4;
            }
            // Step 3: neither decision was ALLOW or DENY, so the result is a filter computed from the
            // principal's assign authorizations, limited to the requested order.
            MidPointPrincipal midPointPrincipal = this.securityEnforcer.getMidPointPrincipal();
            OrderConstraintsType orderConstraintsType = new OrderConstraintsType();
            orderConstraintsType.setOrder(Integer.valueOf(i));
            ArrayList arrayList = new ArrayList(1);
            arrayList.add(orderConstraintsType);
            try {
                RoleSelectionSpecification roleSelectionSpecification5 = (RoleSelectionSpecification) this.securityEnforcer.computeSecurityFilter(midPointPrincipal, ModelAuthorizationAction.AUTZ_ACTIONS_URLS_ASSIGN, AuthorizationPhaseType.REQUEST, cls, prismObject, this.prismContext.queryFactory().createAll(), null, arrayList, new FilterGizmoAssignableRoles(this.prismContext), task, createMinorSubresult);
                createMinorSubresult.recordSuccess();
                return roleSelectionSpecification5;
            } catch (ConfigurationException | ExpressionEvaluationException | ObjectNotFoundException | SchemaException e) {
                createMinorSubresult.recordFatalError(e);
                throw e;
            }
        } catch (CommunicationException | ExpressionEvaluationException | ObjectNotFoundException | SchemaException | SecurityViolationException e2) {
            // Exceptions rethrown by the inner handler pass through here too, so the fatal error is
            // recorded a second time on the same subresult.
            createMinorSubresult.recordFatalError(e2);
            throw e2;
        }
    }

    /**
     * Returns {@code objectFilter} pre-processed by the security enforcer for the attorney action
     * ({@code AUTZ_ACTIONS_URLS_ATTORNEY}) on objects of type {@code cls}.
     *
     * @param str forwarded unchanged to the enforcer (its meaning is not visible in this method)
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public <T extends ObjectType> ObjectFilter getDonorFilter(Class<T> cls, ObjectFilter objectFilter, String str, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        ObjectFilter securedFilter = this.securityEnforcer.preProcessObjectFilter(ModelAuthorizationAction.AUTZ_ACTIONS_URLS_ATTORNEY, null, cls, null, objectFilter, str, null, task, operationResult);
        return securedFilter;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /**
     * Asks the security enforcer whether the current principal may run {@code objectQuery} against
     * objects of type {@code cls}, optionally in the context of the object identified by {@code str}.
     *
     * <p>When {@code str} is non-null the context object is resolved read-only first; resolution
     * failures propagate to the caller. {@code objectQuery} must not be {@code null}: its filter is
     * read unconditionally.
     *
     * @param cls type of the objects being searched
     * @param cls2 type of the optional context object
     * @param str OID of the optional context object, or {@code null}
     * @param z forwarded unchanged to the enforcer
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public <T extends ObjectType, O extends ObjectType> boolean canSearch(Class<T> cls, Class<O> cls2, String str, boolean z, ObjectQuery objectQuery, Task task, OperationResult operationResult) throws ObjectNotFoundException, CommunicationException, SchemaException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        PrismObject contextObject = str == null
                ? null
                : this.objectResolver.getObject(cls2, str, GetOperationOptions.createReadOnlyCollection(), task, operationResult).asPrismObject();
        ObjectFilter searchFilter = objectQuery.getFilter();
        return this.securityEnforcer.canSearch(ModelAuthorizationAction.AUTZ_ACTIONS_URLS_SEARCH, null, cls, contextObject, z, searchFilter, task, operationResult);
    }

    /**
     * Returns the authentication section ({@code SecurityPolicyType.F_AUTHENTICATION}) of the security
     * policy that applies to {@code prismObject}.
     *
     * @return the section, or {@code null} when no security policy applies or it has no such container
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public AuthenticationsPolicyType getAuthenticationPolicy(PrismObject<UserType> prismObject, Task task, OperationResult operationResult) throws SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        OperationResult subresult = operationResult.createMinorSubresult(GET_AUTHENTICATIONS_POLICY);
        return (AuthenticationsPolicyType) resolvePolicyTypeFromSecurityPolicy(SecurityPolicyType.F_AUTHENTICATION, prismObject, task, subresult);
    }

    /**
     * Returns the flow section ({@code SecurityPolicyType.F_FLOW}) of the security policy that applies
     * to {@code prismObject}.
     *
     * @return the section, or {@code null} when no security policy applies or it has no such container
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public RegistrationsPolicyType getFlowPolicy(PrismObject<? extends FocusType> prismObject, Task task, OperationResult operationResult) throws SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        OperationResult subresult = operationResult.createMinorSubresult(GET_REGISTRATIONS_POLICY);
        return (RegistrationsPolicyType) resolvePolicyTypeFromSecurityPolicy(SecurityPolicyType.F_FLOW, prismObject, task, subresult);
    }

    /**
     * Returns the credentials section ({@code SecurityPolicyType.F_CREDENTIALS}) of the security policy
     * that applies to {@code prismObject}.
     *
     * @return the section, or {@code null} when no security policy applies or it has no such container
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public CredentialsPolicyType getCredentialsPolicy(PrismObject<? extends FocusType> prismObject, Task task, OperationResult operationResult) throws SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        OperationResult subresult = operationResult.createMinorSubresult(GET_CREDENTIALS_POLICY);
        return (CredentialsPolicyType) resolvePolicyTypeFromSecurityPolicy(SecurityPolicyType.F_CREDENTIALS, prismObject, task, subresult);
    }

    /**
     * Extracts one container (named by {@code qName}) from the security policy that applies to
     * {@code prismObject}.
     *
     * <p>Success is recorded on {@code operationResult} only when the container is found; on both
     * {@code null} paths the result is left as it was.
     *
     * @return the container value as a containerable, or {@code null} when there is no applicable
     *         security policy or the policy does not hold the requested container
     */
    private <C extends Containerable> C resolvePolicyTypeFromSecurityPolicy(QName qName, PrismObject<? extends FocusType> prismObject, Task task, OperationResult operationResult) throws SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        SecurityPolicyType securityPolicy = getSecurityPolicy(prismObject, task, operationResult);
        if (securityPolicy == null) {
            return null;
        }
        Item policyContainer = securityPolicy.asPrismObject().findContainer(ItemName.fromQName(qName));
        if (policyContainer == null) {
            return null;
        }
        PrismContainerValue<C> policyValue = policyContainer.getValue();
        operationResult.recordSuccess();
        return policyValue.asContainerable();
    }

    /**
     * Locates the security policy that applies to the given focus object.
     *
     * <p>The lookup needs the system configuration from the system object cache. Any throwable raised
     * during the lookup is recorded as a fatal error on the subresult and rethrown; the subresult
     * status is always computed before returning.
     *
     * @return the located policy, or {@code null} when there is no system configuration or no policy
     *         was located (the subresult is then marked not applicable)
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public <F extends FocusType> SecurityPolicyType getSecurityPolicy(PrismObject<F> prismObject, Task task, OperationResult operationResult) throws SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        OperationResult subresult = operationResult.createMinorSubresult(GET_SECURITY_POLICY);
        try {
            PrismObject<SystemConfigurationType> systemConfig = this.systemObjectCache.getSystemConfiguration(subresult);
            if (systemConfig == null) {
                subresult.recordNotApplicableIfUnknown();
                subresult.computeStatusIfUnknown();
                return null;
            }
            SecurityPolicyType locatedPolicy = this.securityHelper.locateSecurityPolicy(prismObject, systemConfig, task, subresult);
            if (locatedPolicy == null) {
                subresult.recordNotApplicableIfUnknown();
                subresult.computeStatusIfUnknown();
                return null;
            }
            return locatedPolicy;
        } catch (Throwable failure) {
            subresult.recordFatalError(failure);
            throw failure;
        } finally {
            subresult.computeStatusIfUnknown();
        }
    }

    /**
     * Locates the security policy that applies to projections described by
     * {@code resourceObjectDefinition}.
     *
     * <p>Any throwable raised during the lookup is recorded as a fatal error on the subresult and
     * rethrown; the subresult status is always computed before returning.
     *
     * @return the located policy, or {@code null} when none was located (the subresult is then marked
     *         not applicable)
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public SecurityPolicyType getSecurityPolicy(ResourceObjectDefinition resourceObjectDefinition, Task task, OperationResult operationResult) throws SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException, ObjectNotFoundException {
        OperationResult subresult = operationResult.createMinorSubresult(GET_SECURITY_POLICY);
        try {
            SecurityPolicyType locatedPolicy = this.securityHelper.locateProjectionSecurityPolicy(resourceObjectDefinition, task, subresult);
            if (locatedPolicy == null) {
                subresult.recordNotApplicableIfUnknown();
                subresult.computeStatusIfUnknown();
                return null;
            }
            return locatedPolicy;
        } catch (Throwable failure) {
            subresult.recordFatalError(failure);
            throw failure;
        } finally {
            subresult.computeStatusIfUnknown();
        }
    }

    /**
     * Returns the compiled GUI profile for the current principal.
     *
     * <p>A {@code SecurityViolationException} while obtaining the principal is logged at WARN and not
     * propagated; the method then behaves as if there were no principal. Whenever the principal is not
     * a {@code GuiProfiledPrincipal}, the global compiled profile is returned instead. A principal
     * profile flagged invalid is refreshed through the principal manager before being returned.
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    @NotNull
    public CompiledGuiProfile getCompiledGuiProfile(Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        ShortDumpable principal = null;
        try {
            principal = this.securityContextManager.getPrincipal();
        } catch (SecurityViolationException e) {
            // Deliberate best effort: fall through to the global profile below.
            LOGGER.warn("Security violation while getting principlal to get GUI config: {}", e.getMessage(), e);
        }
        if (principal instanceof GuiProfiledPrincipal) {
            GuiProfiledPrincipal guiPrincipal = (GuiProfiledPrincipal) principal;
            CompiledGuiProfile principalProfile = guiPrincipal.getCompiledGuiProfile();
            if (principalProfile.isInvalid()) {
                return this.guiProfiledPrincipalManager.refreshCompiledProfile(guiPrincipal);
            }
            return principalProfile;
        }
        return this.guiProfileCompiler.getGlobalCompiledGuiProfile(task, operationResult);
    }

    /**
     * Returns the sessions reported by the cluster-wide user session manager.
     *
     * <p>This is a pure delegation: no authorization check is visible in this method, so access to the
     * session list has to be restricted by the caller or inside the session manager.
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public List<UserSessionManagementType> getLoggedInPrincipals(Task task, OperationResult operationResult) {
        List<UserSessionManagementType> activeSessions = this.clusterwideUserSessionManager.getLoggedInPrincipals(task, operationResult);
        return activeSessions;
    }

    /**
     * Hands {@code terminateSessionEvent} to the cluster-wide user session manager.
     *
     * <p>This is a pure delegation: no authorization check is visible in this method, so the right to
     * terminate other users' sessions has to be enforced by the caller or inside the session manager.
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public void terminateSessions(TerminateSessionEvent terminateSessionEvent, Task task, OperationResult operationResult) {
        clusterwideUserSessionManager.terminateSessions(terminateSessionEvent, task, operationResult);
    }

    /**
     * Returns the system configuration held by the system object cache.
     *
     * <p>No authorization check is visible in this method; the whole configuration object is returned
     * to the caller as is.
     *
     * @return the configuration, or {@code null} when the cache has none
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public SystemConfigurationType getSystemConfiguration(OperationResult operationResult) throws SchemaException {
        PrismObject<SystemConfigurationType> cachedConfig = this.systemObjectCache.getSystemConfiguration(operationResult);
        return cachedConfig != null ? cachedConfig.asObjectable() : null;
    }

    /**
     * Returns the deployment information section of the cached system configuration.
     *
     * @return the section, or {@code null} when the cache has no system configuration
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public DeploymentInformationType getDeploymentInformationConfiguration(OperationResult operationResult) throws SchemaException {
        PrismObject<SystemConfigurationType> cachedConfig = this.systemObjectCache.getSystemConfiguration(operationResult);
        return cachedConfig != null ? cachedConfig.asObjectable().getDeploymentInformation() : null;
    }

    /**
     * Returns the audit section of the cached system configuration.
     *
     * @return the section, or {@code null} when the cache has no system configuration
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public SystemConfigurationAuditType getAuditConfiguration(OperationResult operationResult) throws SchemaException {
        PrismObject<SystemConfigurationType> cachedConfig = this.systemObjectCache.getSystemConfiguration(operationResult);
        return cachedConfig != null ? cachedConfig.asObjectable().getAudit() : null;
    }

    /**
     * Returns the merge configurations of the cached system configuration.
     *
     * @return the list held by the configuration, or {@code null} when the cache has no system
     *         configuration
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public List<MergeConfigurationType> getMergeConfiguration(OperationResult operationResult) throws SchemaException {
        PrismObject<SystemConfigurationType> cachedConfig = this.systemObjectCache.getSystemConfiguration(operationResult);
        return cachedConfig != null ? cachedConfig.asObjectable().getMergeConfiguration() : null;
    }

    /**
     * Returns the access certification section of the cached system configuration.
     *
     * @return the section, or {@code null} when the cache has no system configuration
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public AccessCertificationConfigurationType getCertificationConfiguration(OperationResult operationResult) throws SchemaException {
        PrismObject<SystemConfigurationType> cachedConfig = this.systemObjectCache.getSystemConfiguration(operationResult);
        return cachedConfig != null ? cachedConfig.asObjectable().getAccessCertification() : null;
    }

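    /**
     * Compares a candidate password with the password stored on the user identified by {@code str}.
     *
     * <p>When the user has no stored password value, the result is {@code true} only if the candidate
     * is {@code null}; callers must not read that outcome as a successful authentication. No
     * authorization check, attempt counting or lockout is visible in this method, so those controls
     * have to be applied by whoever calls it.
     *
     * @param str OID of the user whose password is checked
     * @param protectedStringType candidate password, compared through the protector
     * @return the protector's comparison result, or the "both absent" result described above
     * @throws ObjectNotFoundException when the user cannot be resolved (recorded on the subresult)
     * @throws SystemException when the protector fails with an {@code EncryptionException}
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public boolean checkPassword(String str, ProtectedStringType protectedStringType, Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException {
        OperationResult subresult = operationResult.createMinorSubresult(CHECK_PASSWORD);
        try {
            UserType userType = (UserType) this.objectResolver.getObjectSimple(UserType.class, str, null, task, subresult);
            if (userType.getCredentials() == null || userType.getCredentials().getPassword() == null || userType.getCredentials().getPassword().getValue() == null) {
                // The check itself completed; close the subresult instead of leaving it without a status.
                subresult.recordSuccess();
                return protectedStringType == null;
            }
            try {
                // NOTE(review): a null candidate reaches compareCleartext here; confirm the protector
                // treats null as a mismatch rather than failing.
                boolean matches = this.protector.compareCleartext(protectedStringType, userType.getCredentials().getPassword().getValue());
                subresult.recordSuccess();
                return matches;
            } catch (EncryptionException e) {
                subresult.recordFatalError(e);
                throw new SystemException(e.getMessage(), e);
            }
        } catch (ObjectNotFoundException e2) {
            subresult.recordFatalError(e2);
            throw e2;
        }
    }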

    /**
     * Delegates to the visualizer to render the given object deltas as scenes.
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public List<? extends Scene> visualizeDeltas(List<ObjectDelta<? extends ObjectType>> list, Task task, OperationResult operationResult) throws SchemaException, ExpressionEvaluationException {
        List<? extends Scene> scenes = this.visualizer.visualizeDeltas(list, task, operationResult);
        return scenes;
    }

    /**
     * Delegates to the visualizer to render a single object delta as a scene.
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    @NotNull
    public Scene visualizeDelta(ObjectDelta<? extends ObjectType> objectDelta, Task task, OperationResult operationResult) throws SchemaException, ExpressionEvaluationException {
        Scene scene = this.visualizer.visualizeDelta(objectDelta, task, operationResult);
        return scene;
    }

    /**
     * Renders a single object delta as a scene, with no object reference.
     *
     * @param z forwarded to the visualizer as its first boolean flag; the second flag is fixed to
     *          {@code true}
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    @NotNull
    public Scene visualizeDelta(ObjectDelta<? extends ObjectType> objectDelta, boolean z, Task task, OperationResult operationResult) throws SchemaException, ExpressionEvaluationException {
        Scene scene = this.visualizer.visualizeDelta(objectDelta, (ObjectReferenceType) null, z, true, task, operationResult);
        return scene;
    }

    /**
     * Renders a single object delta as a scene, with no object reference.
     *
     * @param z forwarded to the visualizer as its first boolean flag
     * @param z2 forwarded to the visualizer as its second boolean flag
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    @NotNull
    public Scene visualizeDelta(ObjectDelta<? extends ObjectType> objectDelta, boolean z, boolean z2, Task task, OperationResult operationResult) throws SchemaException, ExpressionEvaluationException {
        Scene scene = this.visualizer.visualizeDelta(objectDelta, (ObjectReferenceType) null, z, z2, task, operationResult);
        return scene;
    }

    /**
     * Renders a single object delta as a scene for the given object reference.
     *
     * @param z accepted but not forwarded: the visualizer overload called here takes no boolean flag
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    @NotNull
    public Scene visualizeDelta(ObjectDelta<? extends ObjectType> objectDelta, boolean z, ObjectReferenceType objectReferenceType, Task task, OperationResult operationResult) throws SchemaException, ExpressionEvaluationException {
        // NOTE(review): z is ignored here, unlike in the sibling overloads; confirm this is intended.
        Scene scene = this.visualizer.visualizeDelta(objectDelta, objectReferenceType, task, operationResult);
        return scene;
    }

    /**
     * Fetches connector operational status from the provisioning service under a dedicated subresult.
     *
     * <p>Listed checked exceptions are recorded as fatal errors on the subresult and rethrown.
     *
     * @param str forwarded to the provisioning service as the lookup key
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public List<ConnectorOperationalStatus> getConnectorOperationalStatus(String str, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, ExpressionEvaluationException {
        OperationResult subresult = operationResult.createMinorSubresult(GET_CONNECTOR_OPERATIONAL_STATUS);
        List<ConnectorOperationalStatus> statuses;
        try {
            statuses = this.provisioning.getConnectorOperationalStatus(str, task, subresult);
            subresult.computeStatus();
        } catch (CommunicationException | ConfigurationException | ExpressionEvaluationException | ObjectNotFoundException | SchemaException e) {
            subresult.recordFatalError(e);
            throw e;
        }
        return statuses;
    }

    /**
     * Computes the deltas a merge would produce, without applying them.
     *
     * <p>The computation is delegated to the object merger under a dedicated subresult. Checked
     * exceptions, runtime exceptions and errors are all recorded as fatal on the subresult and
     * rethrown.
     *
     * @param str first OID handed to the merger (used as the "left" object by the sibling preview method)
     * @param str2 second OID handed to the merger
     * @param str3 forwarded unchanged to the merger
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public <O extends ObjectType> MergeDeltas<O> mergeObjectsPreviewDeltas(Class<O> cls, String str, String str2, String str3, Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, ConfigurationException, ExpressionEvaluationException, CommunicationException, SecurityViolationException {
        OperationResult subresult = operationResult.createMinorSubresult(MERGE_OBJECTS_PREVIEW_DELTA);
        MergeDeltas<O> previewDeltas;
        try {
            previewDeltas = this.objectMerger.computeMergeDeltas(cls, str, str2, str3, task, subresult);
            subresult.computeStatus();
        } catch (CommunicationException | ConfigurationException | ExpressionEvaluationException | ObjectNotFoundException | SchemaException | SecurityViolationException | Error | RuntimeException e) {
            subresult.recordFatalError(e);
            throw e;
        }
        return previewDeltas;
    }

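    /**
     * Returns a preview of the object identified by {@code str} as it would look after the merge.
     *
     * <p>The merge deltas are computed by the object merger; the left object delta and left link delta
     * are then applied to a freshly resolved copy of the object. When the merger returns no deltas,
     * the resolved object is returned unchanged. Checked exceptions, runtime exceptions and errors are
     * recorded as fatal on the subresult and rethrown.
     *
     * @param str OID of the object the preview is built from
     * @param str2 second OID handed to the merger
     * @param str3 forwarded unchanged to the merger
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public <O extends ObjectType> PrismObject<O> mergeObjectsPreviewObject(Class<O> cls, String str, String str2, String str3, Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, ConfigurationException, ExpressionEvaluationException, CommunicationException, SecurityViolationException {
        OperationResult subresult = operationResult.createMinorSubresult(MERGE_OBJECTS_PREVIEW_OBJECT);
        try {
            MergeDeltas<O> mergeDeltas = this.objectMerger.computeMergeDeltas(cls, str, str2, str3, task, subresult);
            if (LOGGER.isTraceEnabled()) {
                // The deltas may be null (handled below), so the dump must not dereference them blindly;
                // otherwise enabling trace logging would turn a valid "no deltas" result into an NPE.
                LOGGER.trace("Merge preview {} + {} deltas:\n{}", str, str2, mergeDeltas == null ? null : mergeDeltas.debugDump(1));
            }
            PrismObject<O> preview = (PrismObject<O>) this.objectResolver.getObjectSimple(cls, str, null, task, subresult).asPrismObject();
            if (mergeDeltas != null) {
                mergeDeltas.getLeftObjectDelta().applyTo(preview);
                mergeDeltas.getLeftLinkDelta().applyTo(preview);
            }
            subresult.computeStatus();
            return preview;
        } catch (CommunicationException | ConfigurationException | ExpressionEvaluationException | ObjectNotFoundException | SchemaException | SecurityViolationException | Error | RuntimeException e) {
            subresult.recordFatalError(e);
            throw e;
        }
    }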

    /**
     * Generates a nonce string.
     *
     * <p>When the nonce credentials policy references a value policy, that policy is loaded from the
     * cache repository service and used; otherwise generation runs with a {@code null} value policy.
     * In both cases a default length of 24 is passed on. The randomness source is chosen by the
     * policy processor and is not visible here.
     *
     * @param nonceCredentialsPolicyType nonce policy, may be {@code null}
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public <O extends ObjectType> String generateNonce(NonceCredentialsPolicyType nonceCredentialsPolicyType, Task task, OperationResult operationResult) throws ExpressionEvaluationException, SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException {
        boolean hasValuePolicyRef = nonceCredentialsPolicyType != null && nonceCredentialsPolicyType.getValuePolicyRef() != null;
        ValuePolicyType noncePolicy = null;
        if (hasValuePolicyRef) {
            noncePolicy = (ValuePolicyType) this.cacheRepositoryService.getObject(ValuePolicyType.class, nonceCredentialsPolicyType.getValuePolicyRef().getOid(), null, operationResult).asObjectable();
        }
        return generateValue(noncePolicy, 24, false, (PrismObject) null, "nonce generation", task, operationResult);
    }

    /**
     * Generates a single value through the policy processor.
     *
     * @param valuePolicyType value policy to follow, may be {@code null}
     * @param i default length handed to the policy processor
     * @param z forwarded unchanged to the policy processor
     * @param prismObject object used to create the origin resolver, may be {@code null}
     * @param str short description forwarded to the policy processor
     * @return the generated value
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public <O extends ObjectType> String generateValue(ValuePolicyType valuePolicyType, int i, boolean z, PrismObject<O> prismObject, String str, Task task, OperationResult operationResult) throws ExpressionEvaluationException, SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException {
        String generated = this.policyProcessor.generate(null, valuePolicyType, i, z, createOriginResolver(prismObject, operationResult), str, task, operationResult);
        return generated;
    }

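    /**
     * Generates a value for every policy item definition in {@code policyItemsDefinitionType} and, when
     * property deltas were collected for them, applies those deltas to {@code prismObject} through the
     * model CRUD service.
     *
     * <p>A failure while generating one item is logged, recorded on that item's own result and stored
     * on the item definition; the loop then continues with the next item. A failure while resolving
     * the value policy or while executing the collected deltas is recorded and rethrown.
     *
     * @param prismObject target object; may be {@code null}, in which case collected deltas cannot be
     *                    executed and a {@code SchemaException} is thrown if any exist
     * @param policyItemsDefinitionType the items to generate values for
     * @throws SchemaException also when deltas were collected but no target object was given
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public <O extends ObjectType> void generateValue(PrismObject<O> prismObject, PolicyItemsDefinitionType policyItemsDefinitionType, Task task, OperationResult operationResult) throws ObjectAlreadyExistsException, ExpressionEvaluationException, SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException, PolicyViolationException {
        OperationResult result = operationResult.createSubresult(OPERATION_GENERATE_VALUE);
        try {
            ValuePolicyType valuePolicy = getValuePolicy(prismObject, task, result);
            Collection<PropertyDelta<?>> deltas = new ArrayList<>();
            for (PolicyItemDefinitionType policyItemDefinitionType : policyItemsDefinitionType.getPolicyItemDefinition()) {
                // NOTE(review): the per-item result hangs off the caller's result, not off `result`,
                // so result.computeStatus() below may not see per-item failures. Confirm intent.
                OperationResult itemResult = operationResult.createSubresult(OPERATION_GENERATE_VALUE);
                LOGGER.trace("Default value policy: {}", valuePolicy);
                try {
                    generateValue(prismObject, valuePolicy, policyItemDefinitionType, task, itemResult);
                    ItemPath path = getPath(policyItemDefinitionType);
                    if (path == null && isExecute(policyItemDefinitionType)) {
                        LOGGER.error("No item path defined in the target for policy item definition. Cannot generate value");
                        itemResult.recordFatalError("No item path defined in the target for policy item definition. Cannot generate value");
                    } else {
                        PrismPropertyDefinition<?> prismPropertyDefinition = null;
                        if (path != null) {
                            result.addArbitraryObjectAsParam("policyItemPath", (Object) path);
                            prismPropertyDefinition = getItemDefinition(prismObject, path);
                            if (prismPropertyDefinition == null && isExecute(policyItemDefinitionType)) {
                                // Both values go in as parameters; the original appended the path
                                // after the message and fed the object into the path placeholder.
                                LOGGER.error("No definition for property {} in object {}. Is the path referencing prism property?", path, prismObject);
                                itemResult.recordFatalError("No definition for property " + path + " in object " + prismObject + ". Is the path referencing prism property?");
                            }
                        }
                        collectDeltasForGeneratedValuesIfNeeded(prismObject, policyItemDefinitionType, deltas, path, prismPropertyDefinition, itemResult);
                        itemResult.computeStatusIfUnknown();
                    }
                } catch (CommunicationException | ConfigurationException | ExpressionEvaluationException | ObjectNotFoundException | SchemaException | SecurityViolationException e) {
                    // NOTE(review): the item definition is interpolated into the log line and the
                    // result message; confirm its string form never renders the value it carries.
                    LOGGER.error("Failed to generate value for {} ", policyItemDefinitionType, e);
                    itemResult.recordFatalError("Failed to generate value for " + policyItemDefinitionType + ". Reason: " + e.getMessage(), e);
                    policyItemDefinitionType.setResult(itemResult.createOperationResultType());
                }
            }
            result.computeStatus();
            if (result.isAcceptable()) {
                try {
                    if (!deltas.isEmpty()) {
                        if (prismObject == null) {
                            LOGGER.error("Cannot execute changes for generated values, no object specified in request.");
                            result.recordFatalError("Cannot execute changes for generated values, no object specified in request.");
                            throw new SchemaException("Cannot execute changes for generated values, no object specified in request.");
                        }
                        this.modelCrudService.modifyObject(prismObject.asObjectable().getClass(), prismObject.getOid(), deltas, null, task, result);
                    }
                } catch (CommunicationException | ConfigurationException | ExpressionEvaluationException | ObjectAlreadyExistsException | ObjectNotFoundException | PolicyViolationException | SchemaException | SecurityViolationException e2) {
                    // Parameterized so that braces inside the exception message are not read as
                    // placeholders by the logger.
                    LOGGER.error("Could not execute deltas for generated values. Reason: {}", e2.getMessage(), e2);
                    result.recordFatalError("Could not execute deltas for generated values. Reason: " + e2.getMessage(), e2);
                    throw e2;
                }
            }
        } catch (CommunicationException | ConfigurationException | ExpressionEvaluationException | ObjectNotFoundException | SchemaException | SecurityViolationException e3) {
            // Errors from the delta execution above are rethrown through this handler as well.
            LOGGER.error("Failed to get value policy for generating value. ", e3);
            result.recordFatalError("Error while getting value policy. Reason: " + e3.getMessage(), e3);
            throw e3;
        }
    }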

    /**
     * Tells whether the policy item definition asks for its generated value to be executed.
     *
     * @return {@code false} when the flag is unset, otherwise the flag's value
     */
    private boolean isExecute(PolicyItemDefinitionType policyItemDefinitionType) {
        return policyItemDefinitionType.isExecute() != null && policyItemDefinitionType.isExecute().booleanValue();
    }

    /**
     * Extracts the target item path from a policy item definition.
     *
     * @return the item path, or {@code null} when the definition has no target or the target has no path
     */
    private ItemPath getPath(PolicyItemDefinitionType policyItemDefinitionType) {
        PolicyItemTargetType target = policyItemDefinitionType.getTarget();
        if (target == null) {
            return null;
        }
        ItemPathType targetPath = target.getPath();
        if (targetPath == null) {
            return null;
        }
        return targetPath.getItemPath();
    }

    /**
     * Looks up the definition of the item at {@code itemPath} and returns it only if it is a property definition.
     *
     * @param prismObject object whose definition is searched; must not be {@code null} (it is dereferenced directly)
     * @param itemPath path of the item to look up
     * @return the property definition, or {@code null} when nothing is found or the item is not a property
     */
    private <O extends ObjectType> PrismPropertyDefinition<?> getItemDefinition(PrismObject<O> prismObject, ItemPath itemPath) {
        ItemDefinition candidate = prismObject.getDefinition().findItemDefinition(itemPath);
        // instanceof is false for null, so a separate null check is not needed.
        if (!(candidate instanceof PrismPropertyDefinition)) {
            return null;
        }
        return (PrismPropertyDefinition) candidate;
    }

    /**
     * Applies the (already generated) value of a policy item to the in-memory object and, when the item
     * requests execution, queues the corresponding replace delta in {@code collection}.
     *
     * <p>The value is wrapped according to the target property type: a {@link ProtectedStringType} holding
     * the value as clear value, or a {@link PolyString}. Other types are used as they are.
     * NOTE(review): the protected string is built with {@code setClearValue}, so the generated secret is
     * carried unencrypted inside the delta at this point; presumably it is encrypted further down the
     * execution path - confirm.
     *
     * @param prismObject target object; when {@code null} nothing is applied, and a fatal error is recorded
     *                    if execution was requested
     * @param policyItemDefinitionType item definition carrying the value and the {@code execute} flag
     * @param collection receives the delta when execution is requested
     * @param itemPath path of the property to replace
     * @param prismPropertyDefinition definition of the target property; may be {@code null}
     * @param operationResult result in which the "no target object" error is recorded
     * @throws SchemaException declared by the signature; the visible calls that may raise it are the
     *                         delta creation and its application
     */
    private <O extends ObjectType> void collectDeltasForGeneratedValuesIfNeeded(PrismObject<O> prismObject, PolicyItemDefinitionType policyItemDefinitionType, Collection<PropertyDelta<?>> collection, ItemPath itemPath, PrismPropertyDefinition<?> prismPropertyDefinition, OperationResult operationResult) throws SchemaException {
        Object typedValue = policyItemDefinitionType.getValue();
        if (prismPropertyDefinition != null) {
            if (ProtectedStringType.COMPLEX_TYPE.equals(prismPropertyDefinition.getTypeName())) {
                ProtectedStringType wrapped = new ProtectedStringType();
                wrapped.setClearValue((String) typedValue);
                typedValue = wrapped;
            } else if (PolyStringType.COMPLEX_TYPE.equals(prismPropertyDefinition.getTypeName())) {
                typedValue = new PolyString((String) typedValue);
            }
        }

        if (prismObject == null) {
            // Without a target object there is nothing to apply to; this is an error only if execution was asked for.
            if (isExecute(policyItemDefinitionType)) {
                LOGGER.warn("Cannot apply generated changes and cannot execute them becasue there is no target object specified.");
                operationResult.recordFatalError("Cannot apply generated changes and cannot execute them becasue there is no target object specified.");
            }
            return;
        }

        PropertyDelta<?> replaceDelta = this.prismContext.deltaFactory().property().createModificationReplaceProperty(itemPath, (PrismObjectDefinition<?>) prismObject.getDefinition(), typedValue);
        // The in-memory object is always updated; the delta is queued only when execution is requested.
        replaceDelta.applyTo(prismObject);
        if (BooleanUtils.isTrue(policyItemDefinitionType.isExecute())) {
            collection.add(replaceDelta);
        }
    }

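    /**
     * Generates a value for one policy item and stores it in the item definition.
     *
     * <p>The value policy is taken from the item's own {@code valuePolicyRef} when present, otherwise the
     * supplied default is used. When the resolved policy has no string policy, a fatal error is recorded in
     * {@code operationResult} and no value is set.
     *
     * @param prismObject object the value is generated for; may be {@code null}
     * @param valuePolicyType default value policy used when the item does not reference its own
     * @param policyItemDefinitionType item definition that receives the generated value
     * @param task task passed through to the resolver and the generator
     * @param operationResult operation result
     * @throws SchemaException when execution is requested but no target item path is defined
     */
    private <O extends ObjectType> void generateValue(PrismObject<O> prismObject, ValuePolicyType valuePolicyType, PolicyItemDefinitionType policyItemDefinitionType, Task task, OperationResult operationResult) throws ExpressionEvaluationException, SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException {
        PolicyItemTargetType target = policyItemDefinitionType.getTarget();
        if ((target == null || ItemPathTypeUtil.isEmpty(target.getPath())) && isExecute(policyItemDefinitionType)) {
            LOGGER.error("Target item path must be defined");
            throw new SchemaException("Target item path must be defined");
        }
        // A target element without a path is tolerated when execution is not requested; previously
        // target.getPath() was dereferenced unconditionally and raised a NullPointerException here.
        ItemPathType declaredPath = target != null ? target.getPath() : null;
        ItemPath itemPath = declaredPath != null ? declaredPath.getItemPath() : null;

        ValuePolicyType resolveValuePolicy = resolveValuePolicy(policyItemDefinitionType, valuePolicyType, task, operationResult);
        // Only the policy is traced, never the generated value.
        LOGGER.trace("Value policy used for generating new value : {}", resolveValuePolicy);
        if (resolveValuePolicy == null || resolveValuePolicy.getStringPolicy() == null) {
            LOGGER.trace("No sting policy defined. Cannot generate value.");
            operationResult.recordFatalError("No string policy defined. Cannot generate value");
            return;
        }
        // NOTE(review): 10 and false are fixed arguments of the generator call; presumably a default
        // length and a "minimal size only" switch - confirm against the generator's signature.
        policyItemDefinitionType.setValue(this.policyProcessor.generate(itemPath, resolveValuePolicy, 10, false, createOriginResolver(prismObject, operationResult), "generating value for" + itemPath, task, operationResult));
    }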

    /**
     * Chooses the value policy for a policy item: the one referenced by the item itself when it has a
     * {@code valuePolicyRef}, otherwise the supplied default.
     *
     * @param policyItemDefinitionType item definition that may reference its own value policy
     * @param valuePolicyType default returned unchanged when the item has no reference; may be {@code null}
     * @param task task passed to the object resolver
     * @param operationResult operation result passed to the object resolver
     * @return the resolved value policy, or the default
     */
    private ValuePolicyType resolveValuePolicy(PolicyItemDefinitionType policyItemDefinitionType, ValuePolicyType valuePolicyType, Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        if (policyItemDefinitionType.getValuePolicyRef() != null) {
            LOGGER.trace("Trying to resolve value policy {} for policy item definition", policyItemDefinitionType);
            return (ValuePolicyType) this.objectResolver.resolve(policyItemDefinitionType.getValuePolicyRef(), ValuePolicyType.class, null, "valuePolicyRef in policyItemDefinition", task, operationResult);
        }
        return valuePolicyType;
    }

    /**
     * Validates every policy item in {@code policyItemsDefinitionType} against the value policy that
     * applies to {@code prismObject}.
     *
     * <p>The boolean outcome of each per-item validation is not used here; a failing item does not stop
     * the loop unless the per-item validation throws.
     *
     * @param prismObject object whose values are validated; may be {@code null}
     * @param policyItemsDefinitionType container of the items to validate
     * @param task task passed to the per-item validation
     * @param operationResult operation result passed to the per-item validation
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public <O extends ObjectType> void validateValue(PrismObject<O> prismObject, PolicyItemsDefinitionType policyItemsDefinitionType, Task task, OperationResult operationResult) throws ExpressionEvaluationException, SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException, PolicyViolationException {
        ValuePolicyType defaultPolicy = getValuePolicy(prismObject, task, operationResult);
        for (PolicyItemDefinitionType itemDefinition : policyItemsDefinitionType.getPolicyItemDefinition()) {
            validateValue(prismObject, defaultPolicy, itemDefinition, task, operationResult);
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
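    /**
     * Resolves the password value policy that applies to the given object.
     *
     * <p>Lookup order: the credentials policy obtained for the object when its compile-time class is
     * {@code UserType} or one of its supertypes, then the credentials of the global security policy.
     * The value policy referenced by the password credentials policy is resolved and returned.
     *
     * @param prismObject object to resolve the policy for; may be {@code null}
     * @param task task passed to the policy lookups and the object resolver
     * @param operationResult operation result
     * @return the resolved value policy, or {@code null} when no credentials policy with a password
     *         {@code valuePolicyRef} is found
     */
    private <O extends ObjectType> ValuePolicyType getValuePolicy(PrismObject<O> prismObject, Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        CredentialsPolicyType credentialsPolicyType = null;
        PrismObject<? extends FocusType> focus = null;
        // The decompiled form compared the reference with 0 and assigned it without a cast; a null check
        // and an explicit cast restore valid Java with the same meaning.
        if (prismObject != null && prismObject.getCompileTimeClass().isAssignableFrom(UserType.class)) {
            LOGGER.trace("Start to resolve policy for user");
            focus = (PrismObject<? extends FocusType>) prismObject;
            credentialsPolicyType = getCredentialsPolicy(focus, task, operationResult);
            LOGGER.trace("Resolved user policy: {}", credentialsPolicyType);
        }

        SystemConfigurationType systemConfiguration = getSystemConfiguration(operationResult);
        if (!containsValuePolicyDefinition(credentialsPolicyType)) {
            // Fall back to the global security policy; focus is null here unless the object matched above.
            SecurityPolicyType globalPolicy = this.securityHelper.locateGlobalSecurityPolicy(focus, systemConfiguration.asPrismObject(), task, operationResult);
            if (globalPolicy != null) {
                credentialsPolicyType = globalPolicy.getCredentials();
                LOGGER.trace("Resolved policy from global security policy: {}", credentialsPolicyType);
            }
        }

        // containsValuePolicyDefinition already guarantees a non-null password valuePolicyRef.
        if (!containsValuePolicyDefinition(credentialsPolicyType)) {
            return null;
        }
        return (ValuePolicyType) this.objectResolver.resolve(credentialsPolicyType.getPassword().getValuePolicyRef(), ValuePolicyType.class, null, "valuePolicyRef in password credential policy", task, operationResult);
    }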

    /**
     * Checks whether a credentials policy carries a password value policy reference.
     *
     * @param credentialsPolicyType credentials policy to inspect; may be {@code null}
     * @return {@code true} when the policy, its password section and the password's {@code valuePolicyRef}
     *         are all non-null
     */
    private boolean containsValuePolicyDefinition(CredentialsPolicyType credentialsPolicyType) {
        if (credentialsPolicyType == null || credentialsPolicyType.getPassword() == null) {
            return false;
        }
        return credentialsPolicyType.getPassword().getValuePolicyRef() != null;
    }

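    /**
     * Validates one policy item against its value policy and stores the outcome in the item definition.
     *
     * <p>The value to validate is the item's explicit value when it is a non-empty string; otherwise the
     * current value(s) of the target property are read from {@code prismObject}. Protected strings are
     * converted to clear text for the check. Each value is validated in its own subresult.
     *
     * <p>Security and old-credential context is attached only when a target path is present, the object
     * is a {@code FocusType}, and the path is a password or security-questions path.
     *
     * @param prismObject object owning the value; may be {@code null} when an explicit value is supplied
     * @param valuePolicyType default value policy, used when the item does not reference its own
     * @param policyItemDefinitionType item to validate; receives the resulting operation result
     * @param task task passed to resolvers and the evaluator
     * @param operationResult parent result; its status is recomputed before returning
     * @return whether the computed parent result is acceptable
     * @throws SchemaException when no explicit value is given and the target path, the object, the
     *                         property value or a supported property type is missing
     */
    private <T, O extends ObjectType> boolean validateValue(PrismObject<O> prismObject, ValuePolicyType valuePolicyType, PolicyItemDefinitionType policyItemDefinitionType, Task task, OperationResult operationResult) throws ExpressionEvaluationException, SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException, PolicyViolationException {
        ValuePolicyType resolveValuePolicy = resolveValuePolicy(policyItemDefinitionType, valuePolicyType, task, operationResult);
        Object value = policyItemDefinitionType.getValue();
        String str = value instanceof RawType ? (String) ((RawType) value).getParsedRealValue(String.class) : (String) value;
        List<String> valuesToValidate = new ArrayList<>();
        PolicyItemTargetType target = policyItemDefinitionType.getTarget();
        // A target element without a path must not be dereferenced: previously this raised a
        // NullPointerException before the explicit "Target item path must be defined" check below.
        ItemPath itemPath = (target != null && target.getPath() != null) ? target.getPath().getItemPath() : null;
        if (StringUtils.isNotEmpty(str)) {
            valuesToValidate.add(str);
        } else {
            if (target == null || target.getPath() == null) {
                LOGGER.error("Target item path must be defined");
                operationResult.recordFatalError("Target item path must be defined");
                throw new SchemaException("Target item path must be defined");
            }
            if (prismObject == null) {
                LOGGER.error("Object which values should be validated is null. Nothing to validate.");
                operationResult.recordFatalError("Object which values should be validated is null. Nothing to validate.");
                throw new SchemaException("Object which values should be validated is null. Nothing to validate.");
            }
            PrismProperty<T> findProperty = prismObject.findProperty(itemPath);
            if (findProperty == null || findProperty.isEmpty()) {
                LOGGER.error("Attribute {} has no value. Nothing to validate.", findProperty);
                operationResult.recordFatalError("Attribute " + findProperty + " has no value. Nothing to validate");
                throw new SchemaException("Attribute " + findProperty + " has no value. Nothing to validate");
            }
            PrismPropertyDefinition<T> definition = findProperty.getDefinition();
            QName typeName = definition.getTypeName();
            if (!isSupportedType(typeName)) {
                LOGGER.error("Trying to validate string policy on the property of type {} failed. Unsupported type.", definition);
                operationResult.recordFatalError("Trying to validate string policy on the property of type " + definition + " failed. Unsupported type.");
                throw new SchemaException("Trying to validate string policy on the property of type " + definition + " failed. Unsupported type.");
            }
            if (definition.isSingleValue()) {
                String singleValue;
                if (typeName.equals(PolyStringType.COMPLEX_TYPE)) {
                    singleValue = ((PolyString) findProperty.getRealValue()).getOrig();
                } else if (typeName.equals(ProtectedStringType.COMPLEX_TYPE)) {
                    singleValue = getClearValue((ProtectedStringType) findProperty.getRealValue());
                } else {
                    singleValue = (String) findProperty.getRealValue();
                }
                valuesToValidate.add(singleValue);
            } else if (typeName.equals(DOMUtil.XSD_STRING)) {
                valuesToValidate.addAll(findProperty.getRealValues(String.class));
            } else if (typeName.equals(ProtectedStringType.COMPLEX_TYPE)) {
                Iterator it = findProperty.getRealValues(ProtectedStringType.class).iterator();
                while (it.hasNext()) {
                    valuesToValidate.add(getClearValue((ProtectedStringType) it.next()));
                }
            } else {
                Iterator it2 = findProperty.getRealValues(PolyString.class).iterator();
                while (it2.hasNext()) {
                    valuesToValidate.add(((PolyString) it2.next()).getOrig());
                }
            }
        }
        for (String str2 : valuesToValidate) {
            OperationResult createSubresult = operationResult.createSubresult(OPERATION_VALIDATE_VALUE + ".value");
            if (itemPath != null) {
                createSubresult.addParam("path", itemPath.toString());
            }
            // NOTE(review): the value under validation is attached to the subresult in clear text. For
            // password paths this is the candidate (or decrypted current) credential, and the parent
            // result is copied into the item definition below. Confirm how operation result parameters
            // are logged, stored and returned to clients, and consider masking this parameter.
            createSubresult.addParam("valueToValidate", str2);
            ObjectValuePolicyEvaluator.Builder shortDesc = new ObjectValuePolicyEvaluator.Builder().valuePolicy(resolveValuePolicy).valuePolicyProcessor(this.policyProcessor).protector(this.protector).valueItemPath(itemPath).originResolver(getOriginResolver(prismObject)).task(task).shortDesc(" rest validate ");
            O asObjectable = prismObject != null ? prismObject.asObjectable() : null;
            if (itemPath != null && (asObjectable instanceof FocusType)) {
                if (itemPath.isSuperPathOrEquivalent(SchemaConstants.PATH_PASSWORD)) {
                    // Password path: evaluate against the security policy and the stored credential.
                    shortDesc.securityPolicy(getSecurityPolicy(prismObject, task, operationResult));
                    Item findContainer = prismObject.findContainer(SchemaConstants.PATH_PASSWORD);
                    shortDesc.oldCredential(findContainer != null ? (PasswordType) findContainer.getValue().asContainerable() : null);
                } else if (itemPath.isSuperPathOrEquivalent(SchemaConstants.PATH_SECURITY_QUESTIONS)) {
                    LOGGER.trace("Setting security questions related policy.");
                    SecurityPolicyType securityPolicy = getSecurityPolicy(prismObject, task, operationResult);
                    shortDesc.securityPolicy(securityPolicy);
                    Item findContainer2 = prismObject.findContainer(SchemaConstants.PATH_SECURITY_QUESTIONS);
                    // Read but not passed to the evaluator: no old credential is set on this branch.
                    SecurityQuestionsCredentialsType securityQuestionsCredentialsType = findContainer2 != null ? (SecurityQuestionsCredentialsType) findContainer2.getValue().asContainerable() : null;
                    // Overrides the value policy chosen above with the one for security questions.
                    shortDesc.valuePolicy(resolveSecurityQuestionsPolicy(securityPolicy, task, operationResult));
                }
            }
            shortDesc.now(this.clock.currentTimeXMLGregorianCalendar());
            LOGGER.trace("Validating value started");
            shortDesc.build().validateStringValue(str2, createSubresult);
            LOGGER.trace("Validating value finished");
            createSubresult.computeStatus();
        }
        operationResult.computeStatus();
        policyItemDefinitionType.setResult(operationResult.createOperationResultType());
        return operationResult.isAcceptable();
    }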

    /**
     * Resolves the value policy referenced by the security-questions section of a security policy.
     *
     * @param securityPolicyType security policy to read; may be {@code null}
     * @param task task passed to the object resolver
     * @param operationResult operation result passed to the object resolver
     * @return the resolved value policy, or {@code null} when the policy, its credentials, the
     *         security-questions section or its {@code valuePolicyRef} is missing
     */
    private ValuePolicyType resolveSecurityQuestionsPolicy(SecurityPolicyType securityPolicyType, Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        if (securityPolicyType == null) {
            return null;
        }
        CredentialsPolicyType credentials = securityPolicyType.getCredentials();
        if (credentials == null) {
            return null;
        }
        SecurityQuestionsCredentialsPolicyType questionsPolicy = credentials.getSecurityQuestions();
        if (questionsPolicy == null) {
            return null;
        }
        ObjectReferenceType policyRef = questionsPolicy.getValuePolicyRef();
        if (policyRef == null) {
            return null;
        }
        return (ValuePolicyType) this.objectResolver.resolve(policyRef, ValuePolicyType.class, null, " resolve value policy for security questions", task, operationResult);
    }

    /**
     * Creates an origin resolver for value-policy evaluation, but only for objects whose compile-time
     * class is exactly {@code UserType}.
     *
     * @param prismObject object to wrap; may be {@code null}
     * @return a focus origin resolver, or {@code null} for a {@code null} object or any other class
     */
    private <O extends ObjectType> ObjectBasedValuePolicyOriginResolver<?> getOriginResolver(PrismObject<O> prismObject) {
        boolean isUser = prismObject != null && UserType.class.equals(prismObject.getCompileTimeClass());
        if (isUser) {
            return new FocusValuePolicyOriginResolver(prismObject, this.objectResolver);
        }
        return null;
    }

    /**
     * Creates the origin resolver matching the kind of object: focus or shadow.
     *
     * @param prismObject object to wrap; may be {@code null}
     * @param operationResult result in which an unsupported type is recorded as a fatal error
     * @return a focus or shadow origin resolver, or {@code null} when {@code prismObject} is {@code null}
     * @throws SchemaException when the object can represent neither {@code FocusType} nor {@code ShadowType}
     */
    private <O extends ObjectType> ObjectBasedValuePolicyOriginResolver<?> createOriginResolver(PrismObject<O> prismObject, OperationResult operationResult) throws SchemaException {
        if (prismObject == null) {
            return null;
        }
        // Focus is tested first, so an object that can represent both is treated as a focus.
        if (prismObject.canRepresent(FocusType.class)) {
            return new FocusValuePolicyOriginResolver(prismObject, this.objectResolver);
        } else if (prismObject.canRepresent(ShadowType.class)) {
            return new ShadowValuePolicyOriginResolver(prismObject, this.objectResolver);
        } else {
            SchemaException unsupported = new SchemaException("Unsupport object type " + prismObject);
            operationResult.recordFatalError(unsupported);
            throw unsupported;
        }
    }

    /**
     * Tells whether a property type can be validated by a string policy: XSD string, PolyString or
     * ProtectedString. Types are compared by their URI form.
     *
     * @param qName type name to test
     * @return {@code true} for one of the three supported types
     */
    private boolean isSupportedType(QName qName) {
        String typeUri = QNameUtil.qNameToUri(qName);
        if (typeUri.equals(QNameUtil.qNameToUri(DOMUtil.XSD_STRING))) {
            return true;
        }
        if (typeUri.equals(QNameUtil.qNameToUri(PolyStringType.COMPLEX_TYPE))) {
            return true;
        }
        return typeUri.equals(QNameUtil.qNameToUri(ProtectedStringType.COMPLEX_TYPE));
    }

    /**
     * Returns the clear-text content of a protected string so that it can be checked against a policy.
     *
     * <p>The returned string is the secret itself; callers should keep it out of logs and results.
     *
     * @param protectedStringType protected value; may be {@code null}
     * @return the clear text, or {@code null} when the input is {@code null} or holds neither an
     *         encrypted nor a clear value (and is not hashed)
     * @throws SchemaException when the value is hashed only, which cannot be validated
     * @throws PolicyViolationException when the protector fails with an {@code EncryptionException}
     */
    private String getClearValue(ProtectedStringType protectedStringType) throws SchemaException, PolicyViolationException {
        if (protectedStringType == null) {
            return null;
        }
        try {
            boolean hasReadableContent = protectedStringType.isEncrypted() || protectedStringType.getClearValue() != null;
            if (hasReadableContent) {
                // The protector is called for encrypted values and for values that already carry clear text.
                return this.protector.decryptString(protectedStringType);
            }
            if (protectedStringType.isHashed()) {
                throw new SchemaException("Cannot validate value of hashed password");
            }
            return null;
        } catch (EncryptionException e) {
            throw new PolicyViolationException(e.getMessage(), e);
        }
    }

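    /**
     * Returns references to the users that may act as deputies for the assignees of a work item.
     *
     * <p>The assignees themselves are excluded: their OIDs seed the set of already-known OIDs.
     * Local repository caches are entered for the duration of the lookup and always exited again.
     *
     * @param abstractWorkItemType work item whose assignees are examined
     * @param task task passed to the deputy evaluation
     * @param operationResult parent result; a minor subresult is created for this operation
     * @return list of deputy references, never {@code null}
     * @throws SchemaException propagated from the repository search
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    @NotNull
    public List<ObjectReferenceType> getDeputyAssignees(AbstractWorkItemType abstractWorkItemType, Task task, OperationResult operationResult) throws SchemaException {
        OperationResult createMinorSubresult = operationResult.createMinorSubresult(GET_DEPUTY_ASSIGNEES);
        RepositoryCache.enterLocalCaches(this.cacheConfigurationManager);
        // A single try/finally replaces the decompiled empty finally plus duplicated cleanup, so the
        // caches are exited exactly once on every path.
        try {
            Set<String> knownOids = new HashSet<>();
            List<ObjectReferenceType> deputies = new ArrayList<>();
            abstractWorkItemType.getAssigneeRef().forEach(assigneeRef -> knownOids.add(assigneeRef.getOid()));
            getDeputyAssignees(deputies, abstractWorkItemType, knownOids, task, createMinorSubresult);
            createMinorSubresult.computeStatusIfUnknown();
            return deputies;
        } finally {
            RepositoryCache.exitLocalCaches();
        }
    }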

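    /**
     * Returns references to the users that may act as deputies for a single assignee, outside the
     * context of a work item.
     *
     * <p>The assignee is excluded from the result. Local repository caches are entered for the duration
     * of the lookup and always exited again.
     *
     * @param objectReferenceType reference to the assignee (delegator)
     * @param qName name of the privilege limitation item that the delegation must allow
     * @param task task passed to the deputy evaluation
     * @param operationResult parent result; a minor subresult is created for this operation
     * @return list of deputy references, never {@code null}
     * @throws SchemaException propagated from the repository search
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    @NotNull
    public List<ObjectReferenceType> getDeputyAssignees(ObjectReferenceType objectReferenceType, QName qName, Task task, OperationResult operationResult) throws SchemaException {
        OperationResult createMinorSubresult = operationResult.createMinorSubresult(GET_DEPUTY_ASSIGNEES);
        RepositoryCache.enterLocalCaches(this.cacheConfigurationManager);
        // A single try/finally replaces the decompiled empty finally plus duplicated cleanup, so the
        // caches are exited exactly once on every path.
        try {
            Set<String> knownOids = new HashSet<>();
            knownOids.add(objectReferenceType.getOid());
            List<ObjectReferenceType> deputies = new ArrayList<>();
            getDeputyAssigneesNoWorkItem(deputies, objectReferenceType, qName, knownOids, task, createMinorSubresult);
            createMinorSubresult.computeStatusIfUnknown();
            return deputies;
        } finally {
            RepositoryCache.exitLocalCaches();
        }
    }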

    /**
     * Collects deputies of a work item's assignees into {@code list}.
     *
     * <p>Users whose {@code delegatedRef} points to any assignee (any relation) are searched in the
     * repository; each one not yet in {@code set} is added when its delegation is valid for approval
     * work items. Added OIDs are put into {@code set} so that a user is listed once.
     *
     * @param list receives references (with full object) to the accepted deputies
     * @param abstractWorkItemType work item whose assignees are the delegators
     * @param set OIDs already known; updated with every deputy added
     * @param task task passed to the validity check
     * @param operationResult operation result
     * @throws SchemaException propagated from the repository search
     */
    private void getDeputyAssignees(List<ObjectReferenceType> list, AbstractWorkItemType abstractWorkItemType, Set<String> set, Task task, OperationResult operationResult) throws SchemaException {
        // NOTE(review): m1136clone looks like a decompiler-assigned name for clone() - confirm.
        List delegatorRefs = (List) abstractWorkItemType.getAssigneeRef().stream().map(assigneeRef -> {
            return assigneeRef.m1136clone().relation(PrismConstants.Q_ANY).asReferenceValue();
        }).collect(Collectors.toList());
        for (Object found : this.cacheRepositoryService.searchObjects(UserType.class, this.prismContext.queryFor(UserType.class).item(UserType.F_DELEGATED_REF).ref(delegatorRefs).build(), null, operationResult)) {
            PrismObject<UserType> candidate = (PrismObject) found;
            if (set.contains(candidate.getOid())) {
                continue;
            }
            if (!determineDeputyValidity(candidate, abstractWorkItemType.getAssigneeRef(), abstractWorkItemType, OtherPrivilegesLimitationType.F_APPROVAL_WORK_ITEMS, task, operationResult)) {
                continue;
            }
            list.add(ObjectTypeUtil.createObjectRefWithFullObject(candidate, this.prismContext));
            set.add(candidate.getOid());
        }
    }

    /**
     * Collects deputies of a single delegator into {@code list}, without a work item context.
     *
     * <p>Users whose {@code delegatedRef} points to the delegator (any relation) are searched in the
     * repository; each one not yet in {@code set} is added when its delegation is valid for the given
     * limitation item. Added OIDs are put into {@code set}.
     *
     * @param list receives references (with full object) to the accepted deputies
     * @param objectReferenceType reference to the delegator
     * @param qName name of the privilege limitation item that the delegation must allow
     * @param set OIDs already known; updated with every deputy added
     * @param task task passed to the validity check
     * @param operationResult operation result
     * @throws SchemaException propagated from the repository search
     */
    private void getDeputyAssigneesNoWorkItem(List<ObjectReferenceType> list, ObjectReferenceType objectReferenceType, QName qName, Set<String> set, Task task, OperationResult operationResult) throws SchemaException {
        // NOTE(review): m1136clone looks like a decompiler-assigned name for clone() - confirm.
        for (Object found : this.cacheRepositoryService.searchObjects(UserType.class, this.prismContext.queryFor(UserType.class).item(UserType.F_DELEGATED_REF).ref(objectReferenceType.m1136clone().relation(PrismConstants.Q_ANY).asReferenceValue()).build(), null, operationResult)) {
            PrismObject<UserType> candidate = (PrismObject) found;
            if (set.contains(candidate.getOid())) {
                continue;
            }
            if (!determineDeputyValidity(candidate, Collections.singletonList(objectReferenceType), null, qName, task, operationResult)) {
                continue;
            }
            list.add(ObjectTypeUtil.createObjectRefWithFullObject(candidate, this.prismContext));
            set.add(candidate.getOid());
        }
    }

    /**
     * Decides whether a candidate user holds a currently valid delegation from one of the given
     * delegators that also permits the requested kind of action.
     *
     * <p>Each delegation assignment of the candidate is evaluated with an {@code AssignmentEvaluator}
     * (login mode, current time from the clock). The delegation counts when the evaluated assignment is
     * valid, one of its non-negative role targets is reached through a delegation path and is among the
     * delegators, and the limitations extracted from that path allow {@code qName}.
     *
     * <p>An evaluation failure ({@code CommonException}) is logged and that assignment is skipped, so an
     * assignment that cannot be evaluated never grants deputy status.
     *
     * @param prismObject candidate deputy
     * @param list references to the delegators (assignees)
     * @param abstractWorkItemType work item used in the limitation check; {@code null} selects the
     *                             work-item-independent check
     * @param qName name of the privilege limitation item that must be allowed
     * @param task task passed to the evaluator
     * @param operationResult operation result passed to the evaluator
     * @return {@code true} as soon as one matching delegation is found, {@code false} otherwise
     */
    private boolean determineDeputyValidity(PrismObject<UserType> prismObject, List<ObjectReferenceType> list, @Nullable AbstractWorkItemType abstractWorkItemType, QName qName, Task task, OperationResult operationResult) {
        // One evaluator is built for the candidate and reused for all of its assignments.
        AssignmentEvaluator build = new AssignmentEvaluator.Builder().referenceResolver(this.referenceResolver).focusOdo(new ObjectDeltaObject(prismObject, null, prismObject, prismObject.getDefinition())).channel(null).modelBeans(this.modelBeans).objectResolver(this.objectResolver).systemObjectCache(this.systemObjectCache).relationRegistry(this.relationRegistry).prismContext(this.prismContext).mappingFactory(this.mappingFactory).mappingEvaluator(this.mappingEvaluator).contextLoader(this.contextLoader).activationComputer(this.activationComputer).now(this.clock.currentTimeXMLGregorianCalendar()).loginMode(true).lensContext(new LensContextPlaceholder(prismObject)).build();
        for (AssignmentType assignmentType : prismObject.asObjectable().getAssignment()) {
            // Only delegation assignments are relevant; all others are ignored.
            if (DeputyUtils.isDelegationAssignment(assignmentType, this.relationRegistry)) {
                try {
                    EvaluatedAssignmentImpl evaluate = build.evaluate(new ItemDeltaItem<>(LensUtil.createAssignmentSingleValueContainer(assignmentType)), PlusMinusZero.ZERO, false, prismObject.asObjectable(), prismObject.toString(), AssignmentOrigin.createInObject(), task, operationResult);
                    if (evaluate.isValid()) {
                        for (EvaluatedAssignmentTarget evaluatedAssignmentTarget : evaluate.getRoles().getNonNegativeValues()) {
                            // The target must have an OID, be reached via a delegation path, and be one of the delegators.
                            if (evaluatedAssignmentTarget.getTarget().getOid() != null && DeputyUtils.isDelegationPath(evaluatedAssignmentTarget.getAssignmentPath(), this.relationRegistry) && ObjectTypeUtil.containsOid(list, evaluatedAssignmentTarget.getTarget().getOid())) {
                                List<OtherPrivilegesLimitationType> extractLimitations = DeputyUtils.extractLimitations(evaluatedAssignmentTarget.getAssignmentPath());
                                // With a work item the limitation check also receives the work item.
                                if (abstractWorkItemType != null && DeputyUtils.limitationsAllow(extractLimitations, qName, abstractWorkItemType)) {
                                    return true;
                                }
                                // Without a work item only the limitation item name is checked.
                                if (abstractWorkItemType == null && SchemaDeputyUtil.limitationsAllow(extractLimitations, qName)) {
                                    return true;
                                }
                            }
                        }
                    }
                } catch (CommonException e) {
                    // Logged and skipped: the loop continues with the next assignment.
                    LoggingUtils.logUnexpectedException(LOGGER, "Couldn't verify 'deputy' relation between {} and {} for work item {}; assignment: {}", e, prismObject, list, abstractWorkItemType, assignmentType);
                }
            }
        }
        return false;
    }

    /**
     * Computes the effective activation status of an assignment by delegating to the activation computer.
     *
     * @param str first argument handed to the activation computer unchanged
     *            (presumably the lifecycle state - confirm against the interface)
     * @param activationType activation of the assignment
     * @return the effective status computed by the activation computer; {@code null} is passed as its
     *         third argument
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public ActivationStatusType getAssignmentEffectiveStatus(String str, ActivationType activationType) {
        ActivationStatusType effectiveStatus = this.activationComputer.getEffectiveStatus(str, activationType, null);
        return effectiveStatus;
    }

    /**
     * Switches the current security context to a donor principal, so that subsequent operations run with
     * the donor's identity and authorities.
     *
     * <p>The donor principal is created by the security enforcer from the current principal, the
     * ATTORNEY action URL and the donor object. NOTE(review): this method performs no authorization
     * check of its own; it presumably relies on {@code createDonorPrincipal} to reject callers without
     * the attorney authorization - confirm.
     *
     * <p>Every successful call should be paired with {@code dropPowerOfAttorney}, otherwise the donor
     * identity stays in the security context.
     *
     * @param prismObject donor whose identity is assumed
     * @param task task passed to the security enforcer
     * @param operationResult operation result passed to the security enforcer
     * @return the donor principal now installed in the security context
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public MidPointPrincipal assumePowerOfAttorney(PrismObject<? extends FocusType> prismObject, Task task, OperationResult operationResult) throws SchemaException, SecurityViolationException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
        MidPointPrincipal donorPrincipal = this.securityEnforcer.createDonorPrincipal(this.securityContextManager.getPrincipal(), ModelAuthorizationAction.ATTORNEY.getUrl(), prismObject, task, operationResult);
        Authentication authentication = this.securityContextManager.getAuthentication();
        if (!(authentication instanceof MidpointAuthentication)) {
            // Any other authentication type is replaced by a pre-authenticated context for the donor.
            this.securityContextManager.setupPreAuthenticatedSecurityContext(donorPrincipal);
            return donorPrincipal;
        }
        // The existing authentication object is updated in place: principal, credential and authorities.
        MidpointAuthentication midpointAuthentication = (MidpointAuthentication) authentication;
        midpointAuthentication.setPrincipal(donorPrincipal);
        midpointAuthentication.setCredential(null);
        midpointAuthentication.setAuthorities(donorPrincipal.getAuthorities());
        return donorPrincipal;
    }

    /**
     * Restores the principal that was active before power of attorney was assumed.
     *
     * @param task not used by this method
     * @param operationResult not used by this method
     * @return the previous principal, now installed in the security context again
     * @throws IllegalStateException when the current principal is not a donor principal (no attorney)
     *                               or carries no previous principal
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public MidPointPrincipal dropPowerOfAttorney(Task task, OperationResult operationResult) throws SecurityViolationException {
        MidPointPrincipal donorPrincipal = this.securityContextManager.getPrincipal();
        if (donorPrincipal.getAttorney() == null) {
            throw new IllegalStateException("Attempt to drop attorney powers using non-donor principal " + donorPrincipal);
        }
        MidPointPrincipal restoredPrincipal = donorPrincipal.getPreviousPrincipal();
        if (restoredPrincipal == null) {
            throw new IllegalStateException("Attempt to drop attorney powers, but no previous principal in " + donorPrincipal);
        }
        Authentication authentication = this.securityContextManager.getAuthentication();
        if (!(authentication instanceof MidpointAuthentication)) {
            this.securityContextManager.setupPreAuthenticatedSecurityContext(restoredPrincipal);
            return restoredPrincipal;
        }
        // Mirror of assumePowerOfAttorney: principal, credential and authorities are reset together.
        MidpointAuthentication midpointAuthentication = (MidpointAuthentication) authentication;
        midpointAuthentication.setPrincipal(restoredPrincipal);
        midpointAuthentication.setCredential(null);
        midpointAuthentication.setAuthorities(restoredPrincipal.getAuthorities());
        return restoredPrincipal;
    }

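    /**
     * Runs {@code producer} with the identity of the donor and restores the previous principal afterwards.
     *
     * <p>If assuming power of attorney fails, the producer is not run and nothing is dropped. Once it
     * has been assumed, it is dropped exactly once, whether the producer returns or throws.
     *
     * @param producer code to run under the donor's identity
     * @param prismObject donor whose identity is assumed
     * @param task task passed to the assume and drop operations
     * @param operationResult operation result passed to the assume and drop operations
     * @return whatever the producer returns
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public <T> T runUnderPowerOfAttorney(Producer<T> producer, PrismObject<? extends FocusType> prismObject, Task task, OperationResult operationResult) throws SchemaException, SecurityViolationException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
        assumePowerOfAttorney(prismObject, task, operationResult);
        // try/finally instead of the decompiled catch-and-repeat: in that form a failure of the drop on
        // the success path was caught and the drop attempted a second time, which could replace the
        // original failure with an unrelated IllegalStateException.
        try {
            return producer.run();
        } finally {
            dropPowerOfAttorney(task, operationResult);
        }
    }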

    /**
     * Interprets a localizable message template with the given variables.
     *
     * <p>The variables are copied into a fresh map before interpretation, so the caller's map is not
     * the instance handed to the interpreter.
     *
     * @param localizableMessageTemplateType template to interpret
     * @param variablesMap variables available to the template; must not be {@code null}
     * @param task task passed to the interpreter
     * @param operationResult operation result passed to the interpreter
     * @return the interpreted message
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    @NotNull
    public LocalizableMessageType createLocalizableMessageType(LocalizableMessageTemplateType localizableMessageTemplateType, VariablesMap variablesMap, Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        VariablesMap variablesCopy = new VariablesMap();
        variablesCopy.putAll(variablesMap);
        LocalizableMessageType interpreted = LensUtil.interpretLocalizableMessageTemplate(localizableMessageTemplateType, variablesCopy, this.expressionFactory, this.prismContext, task, operationResult);
        return interpreted;
    }

    /**
     * Resets a user's password to the value supplied in the request, following the credentials reset
     * policy of the user's security policy.
     *
     * <p>Steps: the requested reset method must be non-blank and equal to the name of the configured
     * credentials reset policy; the new value is validated against the user's value policy; a replace
     * delta for the password value (plus the force-change flag when configured) is executed.
     *
     * <p>NOTE(review): no authorization check is visible in this method; presumably the caller or the
     * model service enforces it - confirm, since the change is executed with the raw option.
     *
     * @param prismObject user whose password is reset
     * @param executeCredentialResetRequestType request carrying the reset method and the new value
     * @param task task passed to policy lookups and the execution
     * @param operationResult operation result
     * @return response with a success message, or with a failure message when the policy defines no
     *         new-credential source (that case returns instead of throwing)
     * @throws SchemaException when the reset method is blank, the reset policy is missing, or the
     *                         method does not match the policy name
     * @throws PolicyViolationException when the new value does not satisfy the value policy
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public ExecuteCredentialResetResponseType executeCredentialsReset(PrismObject<UserType> prismObject, ExecuteCredentialResetRequestType executeCredentialResetRequestType, Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException, ObjectAlreadyExistsException, PolicyViolationException {
        LocalizableMessageBuilder localizableMessageBuilder = new LocalizableMessageBuilder();
        ExecuteCredentialResetResponseType executeCredentialResetResponseType = new ExecuteCredentialResetResponseType(this.prismContext);
        String resetMethod = executeCredentialResetRequestType.getResetMethod();
        if (StringUtils.isBlank(resetMethod)) {
            SingleLocalizableMessage build = localizableMessageBuilder.fallbackMessage("Failed to execute reset password. Bad request.").key("execute.reset.credential.bad.request").build();
            // The response is a local object and the exception follows, so the caller only sees the exception.
            executeCredentialResetResponseType.message(LocalizationUtil.createLocalizableMessageType(build));
            throw new SchemaException(build);
        }
        // NOTE(review): the security policy is dereferenced without a null check - confirm that
        // getSecurityPolicy never returns null for a user.
        CredentialsResetPolicyType credentialsReset = getSecurityPolicy(prismObject, task, operationResult).getCredentialsReset();
        if (credentialsReset == null) {
            SingleLocalizableMessage build2 = localizableMessageBuilder.fallbackMessage("Failed to execute reset password. Bad configuration.").key("execute.reset.credential.bad.configuration").build();
            executeCredentialResetResponseType.message(LocalizationUtil.createLocalizableMessageType(build2));
            throw new SchemaException(build2);
        }
        // The requested method must be exactly the name of the configured reset policy.
        if (!resetMethod.equals(credentialsReset.getName())) {
            SingleLocalizableMessage build3 = localizableMessageBuilder.fallbackMessage("Failed to execute reset password. Bad method.").key("execute.reset.credential.bad.method").build();
            executeCredentialResetResponseType.message(LocalizationUtil.createLocalizableMessageType(build3));
            throw new SchemaException(build3);
        }
        CredentialSourceType newCredentialSource = credentialsReset.getNewCredentialSource();
        if (newCredentialSource == null) {
            // Unlike the checks above, this failure is reported through the returned response, not an exception.
            return executeCredentialResetResponseType.message(LocalizationUtil.createLocalizableMessageType(localizableMessageBuilder.fallbackMessage("Failed to execute reset password. No credential source.").key("execute.reset.credential.no.credential.source").build()));
        }
        ValuePolicyType valuePolicy = getValuePolicy(prismObject, task, operationResult);
        ObjectDelta objectDelta = null;
        if (newCredentialSource.getUserEntry() != null) {
            // NOTE(review): the item definition carries only the value and no target path, so the
            // validation runs without an item path. The validateValue overload in this class attaches
            // the security policy and the old credential only for a password path - confirm whether
            // password-specific checks (e.g. against the stored credential) are expected here.
            PolicyItemDefinitionType policyItemDefinitionType = new PolicyItemDefinitionType();
            policyItemDefinitionType.setValue(executeCredentialResetRequestType.getUserEntry());
            if (!validateValue(prismObject, valuePolicy, policyItemDefinitionType, task, operationResult)) {
                // The rejected value itself is not written to the log or the error message.
                LOGGER.error("Cannot execute reset password. New password doesn't satisfy policy constraints");
                operationResult.recordFatalError("Cannot execute reset password. New password doesn't satisfy policy constraints");
                throw new PolicyViolationException(localizableMessageBuilder.fallbackMessage("New password doesn't satisfy policy constraints.").key("execute.reset.credential.validation.failed").build());
            }
            // The new password is placed in the delta as a clear value.
            ProtectedStringType protectedStringType = new ProtectedStringType();
            protectedStringType.setClearValue(executeCredentialResetRequestType.getUserEntry());
            objectDelta = this.prismContext.deltaFactory().object().createModificationReplaceProperty(UserType.class, prismObject.getOid(), SchemaConstants.PATH_PASSWORD_VALUE, protectedStringType);
        }
        if (BooleanUtils.isTrue(credentialsReset.isForceChange()) && objectDelta != null) {
            objectDelta.addModificationReplaceProperty(SchemaConstants.PATH_PASSWORD_FORCE_CHANGE, Boolean.TRUE);
        }
        try {
            // NOTE(review): objectDelta is still null here when the policy has no user-entry source;
            // confirm how createCollection and executeChanges treat a null delta.
            // NOTE(review): the change is executed with the raw option set - confirm that bypassing
            // regular model processing is intended for a password change.
            this.modelService.executeChanges(MiscUtil.createCollection(objectDelta), ModelExecuteOptions.create().raw(), task, operationResult);
            operationResult.recomputeStatus();
            executeCredentialResetResponseType.setMessage(LocalizationUtil.createLocalizableMessageType(localizableMessageBuilder.fallbackMessage("Reset password was successful").key("execute.reset.credential.successful").fallbackLocalizableMessage(null).build()));
            return executeCredentialResetResponseType;
        } catch (CommunicationException | ConfigurationException | ExpressionEvaluationException | ObjectAlreadyExistsException | ObjectNotFoundException | PolicyViolationException | SchemaException | SecurityViolationException e) {
            // The message is set on the local response, but the exception is rethrown, so it is not returned.
            executeCredentialResetResponseType.message(LocalizationUtil.createForFallbackMessage("Failed to reset credential: " + e.getMessage()));
            throw e;
        }
    }

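    /**
     * Reloads the principal for the given focus OID and installs it into the current security context.
     *
     * <p>If the current authentication is a {@code MidpointAuthentication}, its principal and
     * authorities are replaced in place; otherwise a pre-authenticated security context is set up
     * for the reloaded principal. Any failure is logged and rethrown unchanged.
     *
     * <p>NOTE(review): this method does not compare {@code str} with the identity behind the current
     * authentication before overwriting its principal and authorities. Confirm that callers only
     * pass the OID of the focus that is already authenticated in this session.
     *
     * @param str OID of the focus whose principal is reloaded
     * @param cls focus class handed to the principal lookup
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public void refreshPrincipal(String str, Class<? extends FocusType> cls) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        try {
            GuiProfiledPrincipal refreshedPrincipal = this.guiProfiledPrincipalManager.getPrincipalByOid(str, cls);
            Authentication currentAuthentication = this.securityContextManager.getAuthentication();
            if (currentAuthentication instanceof MidpointAuthentication) {
                MidpointAuthentication midpointAuthentication = (MidpointAuthentication) currentAuthentication;
                // Principal and authorities are updated together so the session does not keep
                // authorities that belong to the previous principal snapshot.
                midpointAuthentication.setPrincipal(refreshedPrincipal);
                midpointAuthentication.setAuthorities(refreshedPrincipal.getAuthorities());
            } else {
                this.securityContextManager.setupPreAuthenticatedSecurityContext(refreshedPrincipal);
            }
        } catch (Throwable th) {
            // The original message ran the OID straight into the word "with" and dropped the cause;
            // both are needed to correlate a failed refresh with a session when reading the log.
            LOGGER.error("Cannot refresh authentication for user identified with " + str + ": " + th.getMessage());
            throw th;
        }
    }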

    /**
     * Returns the relation definitions known to the relation registry.
     *
     * @return the list produced by {@code relationRegistry.getRelationDefinitions()}, passed through as is
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public List<RelationDefinitionType> getRelationDefinitions() {
        List<RelationDefinitionType> definitions = relationRegistry.getRelationDefinitions();
        return definitions;
    }

    /**
     * Creates a new runnable task from a task template and submits it through the model service.
     *
     * <p>The template is read with execution-phase options, stripped of its OID and task identifier,
     * renamed with a numeric suffix, assigned to the current principal as owner, and extended with
     * clones of the supplied extension items before being added.
     *
     * <p>The name suffix comes from {@code Math.random()} over 10000 values: it only makes display
     * names differ most of the time and gives no uniqueness guarantee.
     *
     * <p>NOTE(review): the extension items are copied from the caller without inspection here.
     * Confirm that templates do not treat these extension values as trusted input.
     *
     * @param str OID of the task template
     * @param list extension items to clone into the new task
     * @param task task under which the model operations run
     * @param operationResult parent result; a minor subresult is created for this operation
     * @return the submitted task, with OID and task identifier set to the OID of the added object
     * @throws SecurityViolationException if there is no current principal
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    @NotNull
    public TaskType submitTaskFromTemplate(String str, List<Item<?, ?>> list, Task task, OperationResult operationResult) throws CommunicationException, ObjectNotFoundException, SchemaException, SecurityViolationException, ConfigurationException, ExpressionEvaluationException, ObjectAlreadyExistsException, PolicyViolationException {
        OperationResult subresult = operationResult.createMinorSubresult(SUBMIT_TASK_FROM_TEMPLATE);
        try {
            MidPointPrincipal currentPrincipal = this.securityContextManager.getPrincipal();
            if (currentPrincipal == null) {
                throw new SecurityViolationException("No current user");
            }
            TaskType newTask = (TaskType) this.modelService.getObject(
                    TaskType.class,
                    str,
                    SelectorOptions.createCollection(GetOperationOptions.createExecutionPhase()),
                    task,
                    subresult).asObjectable();

            String templateName = newTask.getName().getOrig();
            int suffix = (int) (Math.random() * 10000.0d);
            newTask.setName(PolyStringType.fromOrig(templateName + " " + suffix));

            // Clearing the identifiers turns the fetched template into a fresh object to be added.
            newTask.setOid(null);
            newTask.setTaskIdentifier(null);
            newTask.setOwnerRef(ObjectTypeUtil.createObjectRef(currentPrincipal.getFocus(), this.prismContext));
            newTask.setExecutionState(TaskExecutionStateType.RUNNABLE);
            newTask.setSchedulingState(TaskSchedulingStateType.READY);

            for (Item<?, ?> extensionItem : list) {
                // mo1164clone is not a name a developer would write; it looks like a
                // decompiler-assigned alias for clone() - confirm against the original source.
                newTask.asPrismObject().getOrCreateExtension().add(extensionItem.mo1164clone());
            }

            String addedOid = ObjectDeltaOperation.findAddDeltaOid(
                    this.modelService.executeChanges(
                            Collections.singleton(DeltaFactory.Object.createAddDelta(newTask.asPrismObject())),
                            null,
                            task,
                            subresult),
                    newTask.asPrismObject());
            newTask.setOid(addedOid);
            newTask.setTaskIdentifier(addedOid);
            subresult.computeStatus();
            return newTask;
        } catch (Throwable th) {
            subresult.recordFatalError("Couldn't submit task from template: " + th.getMessage(), th);
            throw th;
        }
    }

    /**
     * Variant of task submission that takes extension values as a map keyed by item name.
     *
     * <p>The map is converted to extension items using the task extension container definition from
     * the schema registry, and the call is then delegated to the list-based overload.
     *
     * @param str OID of the task template
     * @param map extension values keyed by item name
     * @param task task under which the model operations run
     * @param operationResult parent operation result
     * @return the submitted task as returned by the list-based overload
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    @NotNull
    public TaskType submitTaskFromTemplate(String str, Map<QName, Object> map, Task task, OperationResult operationResult) throws CommunicationException, ObjectNotFoundException, SchemaException, SecurityViolationException, ConfigurationException, ExpressionEvaluationException, ObjectAlreadyExistsException, PolicyViolationException {
        List<Item<?, ?>> extensionItems = ObjectTypeUtil.mapToExtensionItems(
                map,
                this.prismContext.getSchemaRegistry()
                        .findObjectDefinitionByCompileTimeClass(TaskType.class)
                        .findContainerDefinition(TaskType.F_EXTENSION),
                this.prismContext);
        return submitTaskFromTemplate(str, extensionItems, task, operationResult);
    }

    /**
     * Determines the archetype policy for the given object by delegating to the archetype manager.
     *
     * @param prismObject object whose archetype policy is requested
     * @param operationResult operation result passed to the archetype manager
     * @return the policy returned by {@code archetypeManager.determineArchetypePolicy}
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public <O extends AssignmentHolderType> ArchetypePolicyType determineArchetypePolicy(PrismObject<O> prismObject, OperationResult operationResult) throws SchemaException, ConfigurationException {
        PrismObject<? extends ObjectType> object = (PrismObject<? extends ObjectType>) prismObject;
        return archetypeManager.determineArchetypePolicy(object, operationResult);
    }

    /**
     * Looks up the structural archetype of the given object through the archetype manager.
     *
     * @param prismObject object whose structural archetype is requested
     * @param operationResult operation result passed to the archetype manager
     * @return the value returned by {@code archetypeManager.determineStructuralArchetype}; callers in
     *         this class check it for {@code null}
     */
    private ArchetypeType determineArchetype(PrismObject<? extends AssignmentHolderType> prismObject, OperationResult operationResult) throws SchemaException {
        AssignmentHolderType holder = prismObject.asObjectable();
        return archetypeManager.determineStructuralArchetype(holder, operationResult);
    }

    /**
     * Returns the policy the archetype manager computes for the given archetype.
     *
     * @param prismObject archetype, converted with {@code ObjectTypeUtil.asObjectable}
     * @param operationResult operation result passed to the archetype manager
     * @return the value returned by {@code archetypeManager.getPolicyForArchetype}
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public ArchetypePolicyType mergeArchetypePolicies(PrismObject<ArchetypeType> prismObject, OperationResult operationResult) throws SchemaException, ConfigurationException {
        ArchetypeType archetype = (ArchetypeType) ObjectTypeUtil.asObjectable(prismObject);
        return archetypeManager.getPolicyForArchetype(archetype, operationResult);
    }

    /**
     * Builds the specification of assignment targets that the given object may hold.
     *
     * <p>All archetypes from the system object cache are scanned. For every assignment relation
     * found in an archetype's inducements that accepts the object as holder (by type and by
     * archetype), one {@code AssignmentObjectRelation} is produced carrying the archetype's focus
     * types, a reference to the archetype, and the relation's relations and description.
     *
     * @param prismObject prospective assignment holder
     * @param operationResult operation result used when reading the archetypes
     * @return specification containing the collected relations (possibly none)
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public <O extends AssignmentHolderType> AssignmentCandidatesSpecification determineAssignmentTargetSpecification(PrismObject<O> prismObject, OperationResult operationResult) throws SchemaException {
        SearchResultList<PrismObject<ArchetypeType>> archetypes = this.systemObjectCache.getAllArchetypes(operationResult);
        List<AssignmentObjectRelation> relations = new ArrayList<>();
        for (PrismObject<ArchetypeType> archetype : archetypes) {
            // Focus types are the same for every relation of one archetype, so they are computed
            // only when the first matching relation is found.
            List<QName> focusTypes = null;
            for (AssignmentType inducement : archetype.asObjectable().getInducement()) {
                for (AssignmentRelationType relation : inducement.getAssignmentRelation()) {
                    if (!canBeAssignmentHolder(relation, prismObject)) {
                        continue;
                    }
                    if (focusTypes == null) {
                        focusTypes = determineArchetypeFocusTypes(archetype);
                    }
                    AssignmentObjectRelation targetRelation = new AssignmentObjectRelation();
                    targetRelation.addObjectTypes(focusTypes);
                    targetRelation.addArchetypeRef(archetype);
                    targetRelation.addRelations(relation.getRelation());
                    targetRelation.setDescription(relation.getDescription());
                    relations.add(targetRelation);
                }
            }
        }
        AssignmentCandidatesSpecification specification = new AssignmentCandidatesSpecification();
        specification.setAssignmentObjectRelations(relations);
        return specification;
    }

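    /**
     * Returns the archetypes whose assignments declare an assignment relation accepting the type of
     * the given object as holder.
     *
     * <p>Each archetype appears at most once in the result. The previous implementation appended
     * the archetype once per matching relation inside an assignment, so an assignment with several
     * matching relations produced duplicate entries; it also relied on {@code List.contains} (an
     * equality scan of the whole result) to stop scanning an archetype.
     *
     * <p>Only the holder type is checked here; the holder archetype reference of the relation is
     * not consulted.
     *
     * @param prismObject prospective holder; only its compile-time class is used for matching
     * @param operationResult operation result used when reading the archetypes
     * @return matching archetypes in the order the cache returned them, without repeats
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public <O extends AssignmentHolderType> List<ArchetypeType> getFilteredArchetypesByHolderType(PrismObject<O> prismObject, OperationResult operationResult) throws SchemaException {
        SearchResultList<PrismObject<ArchetypeType>> archetypes = this.systemObjectCache.getAllArchetypes(operationResult);
        List<ArchetypeType> matching = new ArrayList<>();
        for (PrismObject<ArchetypeType> archetype : archetypes) {
            ArchetypeType candidate = archetype.asObjectable();
            // anyMatch stops at the first accepting relation, so the archetype is added once.
            boolean holderTypeAccepted = candidate.getAssignment().stream()
                    .flatMap(assignment -> assignment.getAssignmentRelation().stream())
                    .anyMatch(relation -> isHolderType(relation.getHolderType(), prismObject));
            if (holderTypeAccepted) {
                matching.add(candidate);
            }
        }
        return matching;
    }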

    /**
     * Builds the specification of objects that may hold an assignment to the given abstract role.
     *
     * <p>For an archetype the specification is derived from the archetype's own assignments; for any
     * other object it is derived from the inducements of the object's structural archetype.
     *
     * @param prismObject the assignment target; may be {@code null}
     * @param operationResult operation result used when the structural archetype is looked up
     * @return the specification, or {@code null} when the object is {@code null} or has no structural
     *         archetype
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public <O extends AbstractRoleType> AssignmentCandidatesSpecification determineAssignmentHolderSpecification(PrismObject<O> prismObject, OperationResult operationResult) throws SchemaException {
        if (prismObject == null) {
            return null;
        }
        boolean targetIsArchetype = ArchetypeType.class.isAssignableFrom(prismObject.getCompileTimeClass());
        if (!targetIsArchetype) {
            ArchetypeType structuralArchetype = determineArchetype(prismObject, operationResult);
            if (structuralArchetype != null) {
                return determineArchetypeAssignmentCandidateSpecification(structuralArchetype.getInducement(), structuralArchetype.getArchetypePolicy());
            }
            return null;
        }
        ArchetypeType archetype = (ArchetypeType) prismObject.asObjectable();
        return determineArchetypeAssignmentCandidateSpecification(archetype.getAssignment(), archetype.getArchetypePolicy());
    }

    /**
     * Converts the assignment relations found in the given assignments into a candidates
     * specification.
     *
     * <p>Generic assignment is reported as supported unless an archetype policy is present and its
     * assignment holder relation approach is {@code CLOSED}; a missing policy therefore leaves
     * generic assignment enabled.
     *
     * @param list assignments (or inducements) whose assignment relations are collected
     * @param archetypePolicyType archetype policy, may be {@code null}
     * @return specification with one relation entry per assignment relation
     */
    private AssignmentCandidatesSpecification determineArchetypeAssignmentCandidateSpecification(List<AssignmentType> list, ArchetypePolicyType archetypePolicyType) {
        AssignmentCandidatesSpecification specification = new AssignmentCandidatesSpecification();
        List<AssignmentObjectRelation> holderRelations = new ArrayList<>();
        for (AssignmentType assignment : list) {
            for (AssignmentRelationType relation : assignment.getAssignmentRelation()) {
                AssignmentObjectRelation holderRelation = new AssignmentObjectRelation();
                holderRelation.addObjectTypes(ObjectTypes.canonizeObjectTypes(relation.getHolderType()));
                holderRelation.addArchetypeRefs(relation.getHolderArchetypeRef());
                holderRelation.addRelations(relation.getRelation());
                holderRelation.setDescription(relation.getDescription());
                holderRelations.add(holderRelation);
            }
        }
        specification.setAssignmentObjectRelations(holderRelations);
        boolean closedApproach = archetypePolicyType != null
                && AssignmentRelationApproachType.CLOSED == archetypePolicyType.getAssignmentHolderRelationApproach();
        specification.setSupportGenericAssignment(!closedApproach);
        return specification;
    }

    /**
     * Collects the canonized holder types declared by the assignment relations of an archetype's
     * assignments.
     *
     * @param prismObject archetype to inspect
     * @return the collected type names; when none are declared, a single-element list holding
     *         {@code AssignmentHolderType.COMPLEX_TYPE}
     */
    private List<QName> determineArchetypeFocusTypes(PrismObject<ArchetypeType> prismObject) {
        List<QName> focusTypes = new ArrayList<>();
        for (AssignmentType assignment : prismObject.asObjectable().getAssignment()) {
            for (AssignmentRelationType relation : assignment.getAssignmentRelation()) {
                focusTypes.addAll(ObjectTypes.canonizeObjectTypes(relation.getHolderType()));
            }
        }
        if (!focusTypes.isEmpty()) {
            return focusTypes;
        }
        // No explicit holder type anywhere: fall back to the most general assignment holder type.
        focusTypes.add(AssignmentHolderType.COMPLEX_TYPE);
        return focusTypes;
    }

    /**
     * Tells whether the object satisfies both holder constraints of an assignment relation: the
     * holder type and the holder archetype.
     *
     * @param assignmentRelationType relation whose holder constraints are checked
     * @param prismObject prospective holder
     * @return {@code true} only when both checks pass; the archetype check is skipped when the type
     *         check fails
     */
    private <O extends AssignmentHolderType> boolean canBeAssignmentHolder(AssignmentRelationType assignmentRelationType, PrismObject<O> prismObject) {
        if (!isHolderType(assignmentRelationType.getHolderType(), prismObject)) {
            return false;
        }
        return isHolderArchetype(assignmentRelationType.getHolderArchetypeRef(), prismObject);
    }

    /**
     * Checks whether the object's compile-time class is acceptable for at least one of the listed
     * holder types.
     *
     * <p>An empty list is treated as "no restriction" and accepts every object.
     *
     * @param list allowed holder type names
     * @param prismObject object whose compile-time class is tested
     * @return {@code true} if the list is empty or {@code MiscSchemaUtil.canBeAssignedFrom} accepts
     *         one of the names
     */
    private <O extends AssignmentHolderType> boolean isHolderType(List<QName> list, PrismObject<O> prismObject) {
        if (list.isEmpty()) {
            return true;
        }
        for (QName holderType : list) {
            if (MiscSchemaUtil.canBeAssignedFrom(holderType, prismObject.getCompileTimeClass())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks whether the object carries at least one of the listed holder archetype references.
     *
     * <p>An empty list is treated as "no restriction" and accepts every object.
     *
     * @param list allowed holder archetype references
     * @param prismObject object whose archetype references are compared
     * @return {@code true} if the list is empty or {@code MiscSchemaUtil.contains} finds one of the
     *         references among the object's archetype references
     */
    private <O extends AssignmentHolderType> boolean isHolderArchetype(List<ObjectReferenceType> list, PrismObject<O> prismObject) {
        if (list.isEmpty()) {
            return true;
        }
        List<ObjectReferenceType> objectArchetypeRefs = prismObject.asObjectable().getArchetypeRef();
        for (ObjectReferenceType allowedRef : list) {
            if (MiscSchemaUtil.contains(objectArchetypeRefs, allowedRef)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Evaluates the policy rules of an object collection by delegating to the collection processor.
     *
     * @param prismObject the object collection
     * @param compiledObjectCollectionView optional precompiled view of the collection
     * @param cls optional target type
     * @param task task under which the evaluation runs
     * @param operationResult operation result
     * @return the rules returned by {@code collectionProcessor.evaluateCollectionPolicyRules}
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    @Experimental
    @NotNull
    public Collection<EvaluatedPolicyRule> evaluateCollectionPolicyRules(@NotNull PrismObject<ObjectCollectionType> prismObject, @Nullable CompiledObjectCollectionView compiledObjectCollectionView, @Nullable Class<? extends ObjectType> cls, @NotNull Task task, @NotNull OperationResult operationResult) throws ObjectNotFoundException, SchemaException, SecurityViolationException, CommunicationException, ConfigurationException, ExpressionEvaluationException {
        Collection<EvaluatedPolicyRule> evaluatedRules =
                collectionProcessor.evaluateCollectionPolicyRules(prismObject, compiledObjectCollectionView, cls, task, operationResult);
        return evaluatedRules;
    }

    /**
     * Compiles a collection reference specification into a collection view by delegating to the
     * collection processor.
     *
     * @param collectionRefSpecificationType specification of the collection to compile
     * @param cls optional target type
     * @param task task under which the compilation runs
     * @param operationResult operation result
     * @return the view returned by {@code collectionProcessor.compileObjectCollectionView}
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    @Experimental
    @NotNull
    public CompiledObjectCollectionView compileObjectCollectionView(@NotNull CollectionRefSpecificationType collectionRefSpecificationType, @Nullable Class<? extends Containerable> cls, @NotNull Task task, @NotNull OperationResult operationResult) throws SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException, ObjectNotFoundException {
        CompiledObjectCollectionView compiledView =
                collectionProcessor.compileObjectCollectionView(collectionRefSpecificationType, cls, task, operationResult);
        return compiledView;
    }

    /**
     * Computes statistics for a compiled collection view by delegating to the collection processor.
     *
     * @param compiledObjectCollectionView view to compute statistics for
     * @param task task under which the computation runs
     * @param operationResult operation result
     * @return the statistics returned by {@code collectionProcessor.determineCollectionStats}
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    @Experimental
    @NotNull
    public <O extends ObjectType> CollectionStats determineCollectionStats(@NotNull CompiledObjectCollectionView compiledObjectCollectionView, @NotNull Task task, @NotNull OperationResult operationResult) throws SchemaException, ObjectNotFoundException, SecurityViolationException, ConfigurationException, CommunicationException, ExpressionEvaluationException {
        CollectionStats stats = collectionProcessor.determineCollectionStats(compiledObjectCollectionView, task, operationResult);
        return stats;
    }

    /**
     * Applies a GUI list view definition to an existing compiled view.
     *
     * <p>Delegates to the two-argument {@code collectionProcessor.compileView}, i.e. the variant
     * that takes neither a task nor an operation result.
     *
     * @param compiledObjectCollectionView view that receives the definition
     * @param guiObjectListViewType list view definition to apply
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public void applyView(CompiledObjectCollectionView compiledObjectCollectionView, GuiObjectListViewType guiObjectListViewType) {
        collectionProcessor.compileView(compiledObjectCollectionView, guiObjectListViewType);
    }

    /**
     * Compiles a GUI list view definition into an existing compiled view, with task and result
     * context, by delegating to the collection processor.
     *
     * @param compiledObjectCollectionView view that receives the compiled definition
     * @param guiObjectListViewType list view definition to compile
     * @param task task under which the compilation runs
     * @param operationResult operation result
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public void compileView(CompiledObjectCollectionView compiledObjectCollectionView, GuiObjectListViewType guiObjectListViewType, Task task, OperationResult operationResult) throws SchemaException, ExpressionEvaluationException, CommunicationException, SecurityViolationException, ConfigurationException, ObjectNotFoundException {
        collectionProcessor.compileView(compiledObjectCollectionView, guiObjectListViewType, task, operationResult);
    }

    /**
     * Validates a protected string against a value policy and reports the per-limitation results.
     *
     * <p>The value is first turned into a plain string via {@code getClearValue} (defined elsewhere
     * in this class) and then handed to the policy processor.
     *
     * <p>NOTE(review): judging by its name, {@code getClearValue} yields the cleartext of the
     * protected value. Keep that string out of logs, exception messages and operation results.
     *
     * @param protectedStringType value to validate
     * @param valuePolicyType policy to validate against
     * @param prismObject object used to build the origin resolver
     * @param task task under which the validation runs
     * @param operationResult operation result
     * @return the limitation results returned by {@code policyProcessor.validateValue}
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public <O extends ObjectType> List<StringLimitationResult> validateValue(ProtectedStringType protectedStringType, ValuePolicyType valuePolicyType, PrismObject<O> prismObject, Task task, OperationResult operationResult) throws SchemaException, PolicyViolationException, ObjectNotFoundException, SecurityViolationException, CommunicationException, ConfigurationException, ExpressionEvaluationException {
        return policyProcessor.validateValue(
                getClearValue(protectedStringType),
                valuePolicyType,
                createOriginResolver(prismObject, operationResult),
                "validate string",
                task,
                operationResult);
    }

    /**
     * Searches the objects described by a collection specification and feeds each one to a handler.
     *
     * <p>The specification must not define both a collection reference (with OID) and a filter.
     * Depending on the resolved search type the objects come from the audit service, from a
     * container search, or from an iterative object search. A default ascending ordering is added
     * for audit records (by timestamp) and for objects (by name) when the query has none.
     *
     * <p>NOTE(review): the view is compiled against {@code task.getResult()} while everything else
     * uses {@code operationResult}; confirm that this is intended.
     * <p>NOTE(review): the count is an {@code Integer} that is unboxed without a null check when
     * {@code z} is set; confirm the count methods never return {@code null}.
     *
     * @param collectionRefSpecificationType collection specification
     * @param qName optional type name; used when the view does not supply a target class
     * @param predicate handler; returning {@code false} stops the processing
     * @param collection default search options, used when the view defines none
     * @param variablesMap variables for filter expression evaluation
     * @param task task under which the search runs
     * @param operationResult operation result
     * @param z when {@code true}, the task's expected total is set to the object count first
     * @throws IllegalArgumentException if both a collection reference and a filter are defined
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public void processObjectsFromCollection(CollectionRefSpecificationType collectionRefSpecificationType, QName qName, Predicate<PrismContainer> predicate, Collection<SelectorOptions<GetOperationOptions>> collection, VariablesMap variablesMap, Task task, OperationResult operationResult, boolean z) throws SchemaException, ObjectNotFoundException, SecurityViolationException, CommunicationException, ConfigurationException, ExpressionEvaluationException {
        boolean refAndFilterBothDefined = collectionRefSpecificationType.getCollectionRef() != null
                && collectionRefSpecificationType.getCollectionRef().getOid() != null
                && collectionRefSpecificationType.getFilter() != null;
        if (refAndFilterBothDefined) {
            LOGGER.error("CollectionRefSpecificationType contains CollectionRef and Filter, please define only one");
            throw new IllegalArgumentException("CollectionRefSpecificationType contains CollectionRef and Filter, please define only one");
        }
        Class<? extends Containerable> requestedType = null;
        if (qName != null) {
            requestedType = this.prismContext.getSchemaRegistry().determineClassForType(qName);
        }
        CompiledObjectCollectionView view = compileObjectCollectionView(collectionRefSpecificationType, requestedType, task, task.getResult());
        ObjectQuery query = parseFilterFromCollection(view, variablesMap, null, task, operationResult);
        Class<? extends Containerable> searchType = determineTypeForSearch(view, qName);
        Collection<SelectorOptions<GetOperationOptions>> searchOptions = determineOptionsForSearch(view, collection);
        if (z) {
            task.setExpectedTotal(Long.valueOf(countObjectsFromCollectionByType(searchType, query, searchOptions, task, operationResult).intValue()));
        }
        if (AuditEventRecordType.class.equals(searchType)) {
            checkOrdering(query, ItemPath.create(new QName(AuditEventRecordType.COMPLEX_TYPE.getNamespaceURI(), AuditEventRecordType.F_TIMESTAMP.getLocalPart())));
            processContainerByHandler(this.modelAuditService.searchObjects(query, searchOptions, task, operationResult), predicate);
        } else if (!ObjectType.class.isAssignableFrom(searchType)) {
            // Plain containers: no default ordering is applied on this path.
            processContainerByHandler(this.modelService.searchContainers(searchType, query, searchOptions, task, operationResult), predicate);
        } else {
            ResultHandler objectHandler = (foundObject, handlerResult) -> predicate.test(foundObject);
            checkOrdering(query, ObjectType.F_NAME);
            this.modelService.searchObjectsIterative(searchType, query, objectHandler, searchOptions, task, operationResult);
        }
    }

    /**
     * Derives the search specification (type, query, options) for a compiled collection view.
     *
     * <p>Without a view, the type comes from {@code qName}, the query is empty and the supplied
     * options are used. With a view, type, query and options are derived from the view.
     *
     * <p>The default ordering is chosen from the class resolved from {@code qName}, not from the
     * type stored in the specification. NOTE(review): when {@code qName} is {@code null} no default
     * ordering is added even if the view supplies a type; confirm that this is intended.
     *
     * @param compiledObjectCollectionView compiled view, may be {@code null}
     * @param qName optional type name
     * @param collection default search options
     * @param variablesMap variables for filter expression evaluation
     * @param task task under which the filter is evaluated
     * @param operationResult operation result
     * @return the populated search specification
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public <C extends Containerable> ModelInteractionService.SearchSpec<C> getSearchSpecificationFromCollection(CompiledObjectCollectionView compiledObjectCollectionView, QName qName, Collection<SelectorOptions<GetOperationOptions>> collection, VariablesMap variablesMap, Task task, OperationResult operationResult) throws ConfigurationException, SchemaException, ExpressionEvaluationException, CommunicationException, SecurityViolationException, ObjectNotFoundException {
        ModelInteractionService.SearchSpec<C> spec = new ModelInteractionService.SearchSpec<>();
        Class<C> requestedClass = null;
        if (qName != null) {
            requestedClass = this.prismContext.getSchemaRegistry().determineClassForType(qName);
        }
        if (compiledObjectCollectionView == null) {
            spec.type = requestedClass;
            spec.query = null;
            spec.options = collection;
        } else {
            spec.type = determineTypeForSearch(compiledObjectCollectionView, qName);
            spec.query = parseFilterFromCollection(compiledObjectCollectionView, variablesMap, null, task, operationResult);
            spec.options = determineOptionsForSearch(compiledObjectCollectionView, collection);
        }
        boolean auditSearch = AuditEventRecordType.class.equals(requestedClass);
        if (auditSearch) {
            spec.query = checkOrdering(spec.query, AuditEventRecordType.F_TIMESTAMP);
        } else if (requestedClass != null && ObjectType.class.isAssignableFrom(requestedClass)) {
            spec.query = checkOrdering(spec.query, ObjectType.F_NAME);
        }
        return spec;
    }

    /**
     * Makes sure a query has a primary ordering, defaulting to ascending order by the given path.
     *
     * <p>A {@code null} query yields a new query with only that paging. An existing query is
     * modified in place: paging is created if missing, and the ordering is set only when no primary
     * ordering path is present. An ordering that is already there is left untouched.
     *
     * @param objectQuery query to check, may be {@code null}
     * @param itemPath path to order by when no ordering is defined
     * @return the same query instance, or a new one when {@code objectQuery} was {@code null}
     */
    private ObjectQuery checkOrdering(ObjectQuery objectQuery, ItemPath itemPath) {
        if (objectQuery == null) {
            return this.prismContext.queryFactory().createQuery(this.prismContext.queryFactory().createPaging(itemPath, OrderDirection.ASCENDING));
        }
        ObjectPaging existingPaging = objectQuery.getPaging();
        if (existingPaging != null) {
            if (existingPaging.getPrimaryOrderingPath() == null) {
                existingPaging.setOrdering(itemPath, OrderDirection.ASCENDING);
            }
            return objectQuery;
        }
        ObjectPaging defaultPaging = ObjectQueryUtil.convertToObjectPaging(new PagingType(), this.prismContext);
        defaultPaging.setOrdering(itemPath, OrderDirection.ASCENDING);
        objectQuery.setPaging(defaultPaging);
        return objectQuery;
    }

    /**
     * Passes every search result to the handler as a single-valued container, stopping as soon as
     * the handler returns {@code false}.
     *
     * <p>Each value gets this service's prism context set before it is wrapped.
     *
     * @param searchResultList results to hand over
     * @param predicate handler; {@code false} ends the iteration
     */
    private void processContainerByHandler(SearchResultList<? extends Containerable> searchResultList, Predicate<PrismContainer> predicate) throws SchemaException {
        for (Containerable element : searchResultList) {
            PrismContainerValue containerValue = element.asPrismContainerValue();
            containerValue.setPrismContext(this.prismContext);
            boolean keepGoing = predicate.test(containerValue.asSingleValuedContainer(containerValue.getTypeName()));
            if (!keepGoing) {
                return;
            }
        }
    }

    /**
     * Searches the objects described by a collection specification and returns them as a list.
     *
     * <p>The specification must not define both a collection reference (with OID) and a filter.
     * Audit records are read from the audit service, other non-object containers through a
     * container search, and objects through an object search whose results are converted with
     * {@code asObjectable()}. Unlike the handler-based processing, no default ordering is added.
     *
     * <p>NOTE(review): the view is compiled against {@code task.getResult()} while everything else
     * uses {@code operationResult}; confirm that this is intended.
     *
     * @param collectionRefSpecificationType collection specification
     * @param qName optional type name; used when the view does not supply a target class
     * @param collection default search options, used when the view defines none
     * @param objectPaging paging to use; when {@code null} the view's paging is used
     * @param variablesMap variables for filter expression evaluation
     * @param task task under which the search runs
     * @param operationResult operation result
     * @return the found items
     * @throws IllegalArgumentException if both a collection reference and a filter are defined
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public List<? extends Containerable> searchObjectsFromCollection(CollectionRefSpecificationType collectionRefSpecificationType, QName qName, Collection<SelectorOptions<GetOperationOptions>> collection, ObjectPaging objectPaging, VariablesMap variablesMap, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, SecurityViolationException, CommunicationException, ConfigurationException, ExpressionEvaluationException {
        boolean refAndFilterBothDefined = collectionRefSpecificationType.getCollectionRef() != null
                && collectionRefSpecificationType.getCollectionRef().getOid() != null
                && collectionRefSpecificationType.getFilter() != null;
        if (refAndFilterBothDefined) {
            LOGGER.error("CollectionRefSpecificationType contains CollectionRef and Filter, please define only one");
            throw new IllegalArgumentException("CollectionRefSpecificationType contains CollectionRef and Filter, please define only one");
        }
        Class<? extends Containerable> requestedType = null;
        if (qName != null) {
            requestedType = this.prismContext.getSchemaRegistry().determineClassForType(qName);
        }
        CompiledObjectCollectionView view = compileObjectCollectionView(collectionRefSpecificationType, requestedType, task, task.getResult());
        ObjectQuery query = parseFilterFromCollection(view, variablesMap, objectPaging, task, operationResult);
        // Raw on purpose: the same class token is handed to search methods with different bounds.
        Class searchType = determineTypeForSearch(view, qName);
        Collection<SelectorOptions<GetOperationOptions>> searchOptions = determineOptionsForSearch(view, collection);
        if (AuditEventRecordType.class.equals(searchType)) {
            return this.modelAuditService.searchObjects(query, searchOptions, task, operationResult).getList();
        }
        if (!ObjectType.class.isAssignableFrom(searchType)) {
            return this.modelService.searchContainers(searchType, query, searchOptions, task, operationResult).getList();
        }
        SearchResultList<PrismObject<ObjectType>> foundObjects = this.modelService.searchObjects(searchType, query, searchOptions, task, operationResult);
        List<ObjectType> objectables = new ArrayList<>();
        for (PrismObject<ObjectType> foundObject : foundObjects) {
            objectables.add(foundObject.asObjectable());
        }
        return objectables;
    }

    /**
     * Counts the objects described by a collection specification.
     *
     * <p>The specification must not define both a collection reference (with OID) and a filter.
     * The {@code objectPaging} argument is not used: the query is built with {@code null} paging, so
     * the view's own paging applies.
     *
     * <p>NOTE(review): the view is compiled against {@code task.getResult()} while everything else
     * uses {@code operationResult}; confirm that this is intended.
     *
     * @param collectionRefSpecificationType collection specification
     * @param qName optional type name; used when the view does not supply a target class
     * @param collection default search options, used when the view defines none
     * @param objectPaging ignored by this implementation
     * @param variablesMap variables for filter expression evaluation
     * @param task task under which the count runs
     * @param operationResult operation result
     * @return the count reported by the audit or model service
     * @throws IllegalArgumentException if both a collection reference and a filter are defined
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public Integer countObjectsFromCollection(CollectionRefSpecificationType collectionRefSpecificationType, QName qName, Collection<SelectorOptions<GetOperationOptions>> collection, ObjectPaging objectPaging, VariablesMap variablesMap, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, SecurityViolationException, CommunicationException, ConfigurationException, ExpressionEvaluationException {
        boolean refAndFilterBothDefined = collectionRefSpecificationType.getCollectionRef() != null
                && collectionRefSpecificationType.getCollectionRef().getOid() != null
                && collectionRefSpecificationType.getFilter() != null;
        if (refAndFilterBothDefined) {
            LOGGER.error("CollectionRefSpecificationType contains CollectionRef and Filter, please define only one");
            throw new IllegalArgumentException("CollectionRefSpecificationType contains CollectionRef and Filter, please define only one");
        }
        Class<? extends Containerable> requestedType = null;
        if (qName != null) {
            requestedType = this.prismContext.getSchemaRegistry().determineClassForType(qName);
        }
        CompiledObjectCollectionView view = compileObjectCollectionView(collectionRefSpecificationType, requestedType, task, task.getResult());
        return countObjectsFromCollectionByType(
                determineTypeForSearch(view, qName),
                parseFilterFromCollection(view, variablesMap, null, task, operationResult),
                determineOptionsForSearch(view, collection),
                task,
                operationResult);
    }

    /**
     * Counts items of the given type, choosing the service by type: the audit service for audit
     * records, the object count for object types, and the container count for everything else.
     *
     * @param cls type to count
     * @param objectQuery query restricting the count
     * @param collection search options
     * @param task task under which the count runs
     * @param operationResult operation result
     * @return the count reported by the selected service
     */
    private Integer countObjectsFromCollectionByType(Class<? extends Containerable> cls, ObjectQuery objectQuery, Collection<SelectorOptions<GetOperationOptions>> collection, Task task, OperationResult operationResult) throws SchemaException, ExpressionEvaluationException, SecurityViolationException, CommunicationException, ConfigurationException, ObjectNotFoundException {
        if (AuditEventRecordType.class.equals(cls)) {
            return Integer.valueOf(this.modelAuditService.countObjects(objectQuery, collection, task, operationResult));
        }
        if (ObjectType.class.isAssignableFrom(cls)) {
            return this.modelService.countObjects(cls, objectQuery, collection, task, operationResult);
        }
        return this.modelService.countContainers(cls, objectQuery, collection, task, operationResult);
    }

    /**
     * Picks the search options: those defined by the view win, otherwise the supplied defaults are
     * used.
     *
     * @param compiledObjectCollectionView view that may define its own options
     * @param collection default options
     * @return the view's options when present, else {@code collection}
     */
    private Collection<SelectorOptions<GetOperationOptions>> determineOptionsForSearch(CompiledObjectCollectionView compiledObjectCollectionView, Collection<SelectorOptions<GetOperationOptions>> collection) {
        if (compiledObjectCollectionView.getOptions() != null) {
            return compiledObjectCollectionView.getOptions();
        }
        return collection;
    }

    /**
     * Resolves the class to search for: the view's target class when it has one, otherwise the class
     * registered for the given type name.
     *
     * @param compiledObjectCollectionView view that may define a target class
     * @param qName fallback type name, may be {@code null}
     * @return the resolved class
     * @throws ConfigurationException when neither the view nor {@code qName} identifies a type
     */
    private <C extends Containerable> Class<C> determineTypeForSearch(CompiledObjectCollectionView compiledObjectCollectionView, QName qName) throws ConfigurationException {
        if (compiledObjectCollectionView.getTargetClass(this.prismContext) != null) {
            return compiledObjectCollectionView.getTargetClass(this.prismContext);
        }
        if (qName == null) {
            LOGGER.error("Type of objects is null");
            throw new ConfigurationException("Type of objects is null");
        }
        return this.prismContext.getSchemaRegistry().determineClassForType(qName);
    }

    /**
     * Builds the query for a compiled collection view: evaluates the expressions in the view's
     * filter and attaches paging.
     *
     * <p>An explicit {@code objectPaging} takes precedence over the paging defined by the view. A
     * filter that evaluates to {@code null} is only reported with a warning, so the resulting query
     * then carries no filter.
     *
     * <p>NOTE(review): the filter expressions run under the profile returned by
     * {@code MiscSchemaUtil.getExpressionProfile()}, which takes no argument and so cannot depend
     * on where the collection came from. Confirm that this profile is restrictive enough for
     * collections that less-trusted users can define.
     *
     * @param compiledObjectCollectionView view supplying the filter and the default paging
     * @param variablesMap variables available to the filter expressions
     * @param objectPaging paging override, may be {@code null}
     * @param task task under which the expressions are evaluated
     * @param operationResult operation result
     * @return a new query with paging and the evaluated filter
     */
    private ObjectQuery parseFilterFromCollection(CompiledObjectCollectionView compiledObjectCollectionView, VariablesMap variablesMap, ObjectPaging objectPaging, Task task, OperationResult operationResult) throws ConfigurationException, SchemaException, ExpressionEvaluationException, CommunicationException, SecurityViolationException, ObjectNotFoundException {
        ObjectFilter evaluatedFilter = ExpressionUtil.evaluateFilterExpressions(
                compiledObjectCollectionView.getFilter(),
                variablesMap,
                MiscSchemaUtil.getExpressionProfile(),
                this.expressionFactory,
                this.prismContext,
                "collection filter",
                task,
                operationResult);
        if (evaluatedFilter == null) {
            LOGGER.warn("Couldn't find filter");
        }
        ObjectQuery query = this.prismContext.queryFactory().createQuery();
        if (objectPaging != null) {
            query.setPaging(objectPaging);
        } else {
            query.setPaging(ObjectQueryUtil.convertToObjectPaging(compiledObjectCollectionView.getPaging(), this.prismContext));
        }
        query.setFilter(evaluatedFilter);
        return query;
    }

    /**
     * Expands a configuration object in place by delegating to the provisioning service.
     *
     * @param prismObject configuration object to expand
     * @param task task under which the expansion runs
     * @param operationResult operation result
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public void expandConfigurationObject(@NotNull PrismObject<? extends ObjectType> prismObject, @NotNull Task task, @NotNull OperationResult operationResult) throws SchemaException, ConfigurationException, ObjectNotFoundException {
        provisioning.expandConfigurationObject(prismObject, task, operationResult);
    }

    /**
     * Hands the task over to the task manager for background execution and records the task OID in
     * the operation result.
     *
     * @param task task to move to the background
     * @param operationResult result that receives the background task OID
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public void switchToBackground(Task task, OperationResult operationResult) {
        taskManager.switchToBackground(task, operationResult);
        // Read the OID only after the switch, as the original does.
        String backgroundTaskOid = task.getOid();
        operationResult.setBackgroundTaskOid(backgroundTaskOid);
    }

    /**
     * Produces an assignment container definition whose {@code targetRef} is narrowed to a concrete
     * target type.
     *
     * <p>Both the container definition and the {@code targetRef} reference definition are wrapped in
     * their transformable counterparts; the target type is set on the reference wrapper, which then
     * replaces the {@code targetRef} definition inside the container wrapper.
     *
     * @param prismContainerDefinition assignment container definition to start from
     * @param qName target type name to set on {@code targetRef}
     * @return the transformable container definition with the adjusted reference definition
     */
    @Override // com.evolveum.midpoint.model.api.ModelInteractionService
    public PrismContainerDefinition<AssignmentType> assignmentTypeDefinitionWithConcreteTargetRefType(PrismContainerDefinition<AssignmentType> prismContainerDefinition, QName qName) {
        TransformableContainerDefinition assignmentDefinition = TransformableContainerDefinition.of(prismContainerDefinition);
        TransformableReferenceDefinition targetRefDefinition = TransformableReferenceDefinition.of(
                prismContainerDefinition.getComplexTypeDefinition().findReferenceDefinition(AssignmentType.F_TARGET_REF));
        targetRefDefinition.setTargetTypeName(qName);
        assignmentDefinition.getComplexTypeDefinition().replaceDefinition(AssignmentType.F_TARGET_REF, targetRefDefinition);
        return assignmentDefinition;
    }
}
