package com.evolveum.midpoint.security.enforcer.impl;

import com.evolveum.midpoint.prism.Containerable;
import com.evolveum.midpoint.prism.Item;
import com.evolveum.midpoint.prism.PrismContainer;
import com.evolveum.midpoint.prism.PrismContainerValue;
import com.evolveum.midpoint.prism.PrismContext;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.PrismObjectDefinition;
import com.evolveum.midpoint.prism.PrismObjectValue;
import com.evolveum.midpoint.prism.PrismReferenceDefinition;
import com.evolveum.midpoint.prism.PrismReferenceValue;
import com.evolveum.midpoint.prism.PrismValueCollectionsUtil;
import com.evolveum.midpoint.prism.delta.ContainerDelta;
import com.evolveum.midpoint.prism.delta.ItemDelta;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.delta.PlusMinusZero;
import com.evolveum.midpoint.prism.path.ItemName;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.prism.query.AllFilter;
import com.evolveum.midpoint.prism.query.AndFilter;
import com.evolveum.midpoint.prism.query.FilterCreationUtil;
import com.evolveum.midpoint.prism.query.NoneFilter;
import com.evolveum.midpoint.prism.query.ObjectFilter;
import com.evolveum.midpoint.prism.query.RefFilter;
import com.evolveum.midpoint.prism.query.builder.S_FilterEntryOrEmpty;
import com.evolveum.midpoint.prism.query.builder.S_FilterExit;
import com.evolveum.midpoint.prism.util.ObjectDeltaObject;
import com.evolveum.midpoint.prism.xml.XsdTypeMapper;
import com.evolveum.midpoint.repo.api.RepositoryService;
import com.evolveum.midpoint.repo.api.query.ObjectFilterExpressionEvaluator;
import com.evolveum.midpoint.repo.common.expression.ExpressionFactory;
import com.evolveum.midpoint.repo.common.expression.ExpressionUtil;
import com.evolveum.midpoint.schema.AccessDecision;
import com.evolveum.midpoint.schema.RelationRegistry;
import com.evolveum.midpoint.schema.constants.ExpressionConstants;
import com.evolveum.midpoint.schema.constants.SchemaConstants;
import com.evolveum.midpoint.schema.expression.VariablesMap;
import com.evolveum.midpoint.schema.internals.InternalsConfig;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
import com.evolveum.midpoint.schema.util.ObjectQueryUtil;
import com.evolveum.midpoint.schema.util.SchemaDebugUtil;
import com.evolveum.midpoint.schema.util.SchemaDeputyUtil;
import com.evolveum.midpoint.schema.util.cases.CaseTypeUtil;
import com.evolveum.midpoint.security.api.Authorization;
import com.evolveum.midpoint.security.api.AuthorizationConstants;
import com.evolveum.midpoint.security.api.DelegatorWithOtherPrivilegesLimitations;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.security.api.OwnerResolver;
import com.evolveum.midpoint.security.api.SecurityContextManager;
import com.evolveum.midpoint.security.enforcer.api.AuthorizationParameters;
import com.evolveum.midpoint.security.enforcer.api.FilterGizmo;
import com.evolveum.midpoint.security.enforcer.api.ItemSecurityConstraints;
import com.evolveum.midpoint.security.enforcer.api.ObjectSecurityConstraints;
import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.util.DebugUtil;
import com.evolveum.midpoint.util.QNameUtil;
import com.evolveum.midpoint.util.exception.AuthorizationException;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.logging.LoggingUtils;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractRoleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentHolderType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationDecisionType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationLimitationsType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CaseType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CaseWorkItemType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OrderConstraintsType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgRelationObjectSpecificationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgScopeType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OtherPrivilegesLimitationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OwnedObjectSelectorType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.RoleRelationObjectSpecificationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SpecialObjectSpecificationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SubjectedObjectSelectorType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.TaskType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.TenantSelectorType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import com.evolveum.prism.xml.ns._public.query_3.SearchFilterType;
import com.evolveum.prism.xml.ns._public.types_3.ItemPathType;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.function.Consumer;
import javax.xml.namespace.QName;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.lang3.BooleanUtils;
import org.jetbrains.annotations.NotNull;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

@Component("securityEnforcer")
/* loaded from: input_file:BOOT-INF/lib/security-enforcer-impl-4.7.5-SNAPSHOT.jar:com/evolveum/midpoint/security/enforcer/impl/SecurityEnforcerImpl.class */
public class SecurityEnforcerImpl implements SecurityEnforcer {
    private static final Trace LOGGER = TraceManager.getTrace((Class<?>) SecurityEnforcerImpl.class);
    private static final boolean FILTER_TRACE_ENABLED = true;

    @Autowired
    @Qualifier("cacheRepositoryService")
    private RepositoryService repositoryService;

    @Autowired
    private ExpressionFactory expressionFactory;

    @Autowired
    private PrismContext prismContext;

    @Autowired
    private RelationRegistry relationRegistry;

    @Autowired
    @Qualifier("securityContextManager")
    private SecurityContextManager securityContextManager;

    @Override // com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer
    public <O extends ObjectType, T extends ObjectType> boolean isAuthorized(String str, AuthorizationPhaseType authorizationPhaseType, AuthorizationParameters<O, T> authorizationParameters, OwnerResolver ownerResolver, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        return isAuthorizedInternal(getMidPointPrincipal(), str, authorizationPhaseType, authorizationParameters, ownerResolver, null, task, operationResult).equals(AccessDecision.ALLOW);
    }

    private <O extends ObjectType, T extends ObjectType> AccessDecision isAuthorizedInternal(MidPointPrincipal midPointPrincipal, String str, AuthorizationPhaseType authorizationPhaseType, AuthorizationParameters<O, T> authorizationParameters, OwnerResolver ownerResolver, Consumer<Authorization> consumer, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        if (authorizationPhaseType != null) {
            return isAuthorizedPhase(midPointPrincipal, str, authorizationPhaseType, authorizationParameters, ownerResolver, consumer, task, operationResult);
        }
        AccessDecision isAuthorizedPhase = isAuthorizedPhase(midPointPrincipal, str, AuthorizationPhaseType.REQUEST, authorizationParameters, ownerResolver, consumer, task, operationResult);
        return !isAuthorizedPhase.equals(AccessDecision.ALLOW) ? isAuthorizedPhase : isAuthorizedPhase(midPointPrincipal, str, AuthorizationPhaseType.EXECUTION, authorizationParameters, ownerResolver, consumer, task, operationResult);
    }

    private <O extends ObjectType, T extends ObjectType> AccessDecision isAuthorizedPhase(MidPointPrincipal midPointPrincipal, String str, AuthorizationPhaseType authorizationPhaseType, AuthorizationParameters<O, T> authorizationParameters, OwnerResolver ownerResolver, Consumer<Authorization> consumer, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        if (AuthorizationConstants.AUTZ_NO_ACCESS_URL.equals(str)) {
            return AccessDecision.DENY;
        }
        if (authorizationPhaseType == null) {
            throw new IllegalArgumentException("No phase");
        }
        AccessDecision accessDecision = AccessDecision.DEFAULT;
        if (LOGGER.isTraceEnabled()) {
            LOGGER.trace("AUTZ: evaluating authorization principal={}, op={}, phase={}, {}", getUsername(midPointPrincipal), str, authorizationPhaseType, authorizationParameters.shortDump());
        }
        AutzItemPaths autzItemPaths = new AutzItemPaths();
        Collection<Authorization> authorities = getAuthorities(midPointPrincipal);
        if (authorities != null) {
            Iterator<Authorization> it = authorities.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                Authorization next = it.next();
                String humanReadableDesc = next.getHumanReadableDesc();
                LOGGER.trace("  Evaluating {}", humanReadableDesc);
                if (next.getAction().contains(str) || next.getAction().contains(AuthorizationConstants.AUTZ_ALL_URL)) {
                    if (next.getPhase() == null) {
                        LOGGER.trace("    {} is applicable for all phases (continuing evaluation)", humanReadableDesc);
                    } else if (next.getPhase() != authorizationPhaseType) {
                        LOGGER.trace("    {} is not applicable for phases {} (breaking evaluation)", humanReadableDesc, authorizationPhaseType);
                    } else {
                        LOGGER.trace("    {} is applicable for phases {} (continuing evaluation)", humanReadableDesc, authorizationPhaseType);
                    }
                    if (!isApplicableRelation(next, authorizationParameters.getRelation())) {
                        LOGGER.trace("    {} not applicable for relation {}", humanReadableDesc, authorizationParameters.getRelation());
                    } else if (isApplicableOrderConstraints(next, authorizationParameters.getOrderConstraints())) {
                        if (isApplicableObject(next, authorizationParameters.getOdo(), authorizationParameters.isFullInformationAvailable(), midPointPrincipal, ownerResolver, humanReadableDesc, task, operationResult)) {
                            LOGGER.trace("    {} applicable for object {} (continuing evaluation)", humanReadableDesc, authorizationParameters.getAnyObject());
                            if (isApplicable(next.getTarget(), authorizationParameters.getTarget(), authorizationParameters.isFullInformationAvailable(), midPointPrincipal, ownerResolver, "target", humanReadableDesc, task, operationResult)) {
                                LOGGER.trace("    {} applicable for target {} (continuing evaluation)", humanReadableDesc, authorizationParameters.getAnyObject());
                                if (consumer != null) {
                                    consumer.accept(next);
                                }
                                AuthorizationDecisionType decision = next.getDecision();
                                if (decision == null || decision.equals(AuthorizationDecisionType.ALLOW)) {
                                    autzItemPaths.collectItems(next);
                                    LOGGER.trace("    {}: ALLOW operation {} (but continue evaluation)", humanReadableDesc, str);
                                    accessDecision = AccessDecision.ALLOW;
                                } else {
                                    if (isApplicableItem(next, authorizationParameters.getOldObject(), authorizationParameters.getDelta())) {
                                        LOGGER.trace("    {}: Deny authorization applicable for items (continuing evaluation)", humanReadableDesc);
                                        LOGGER.trace("    {}: DENY operation {}", humanReadableDesc, str);
                                        accessDecision = AccessDecision.DENY;
                                        break;
                                    }
                                    LOGGER.trace("    {} not applicable for items (breaking evaluation)", humanReadableDesc);
                                }
                            } else {
                                LOGGER.trace("    {} not applicable for target {}, none of the target specifications match (breaking evaluation)", humanReadableDesc, authorizationParameters.getAnyObject());
                            }
                        } else {
                            LOGGER.trace("    {} not applicable for object {}, none of the object specifications match (breaking evaluation)", humanReadableDesc, authorizationParameters.getAnyObject());
                        }
                    } else if (LOGGER.isTraceEnabled()) {
                        LOGGER.trace("    {} not applicable for orderConstraints {}", humanReadableDesc, SchemaDebugUtil.shortDumpOrderConstraintsList(authorizationParameters.getOrderConstraints()));
                    }
                } else {
                    LOGGER.trace("    {} not applicable for operation {}", humanReadableDesc, str);
                }
            }
        }
        if (accessDecision == AccessDecision.ALLOW) {
            if (autzItemPaths.isAllItems()) {
                LOGGER.trace("  Empty list of allowed items, operation allowed");
            } else {
                LOGGER.trace("  Checking for allowed items: {}", autzItemPaths);
                ItemDecisionFunction itemDecisionFunction = (itemPath, z) -> {
                    return decideAllowedItems(itemPath, autzItemPaths, authorizationPhaseType, z);
                };
                AccessDecision accessDecision2 = null;
                if (authorizationParameters.hasDelta()) {
                    accessDecision2 = determineDeltaDecision(authorizationParameters.getDelta(), authorizationParameters.getOldObject(), itemDecisionFunction, (itemPath2, z2) -> {
                        return decideAllowedItems(itemPath2, autzItemPaths, AuthorizationPhaseType.EXECUTION, z2);
                    });
                } else if (authorizationParameters.hasObject()) {
                    accessDecision2 = determineObjectDecision(authorizationParameters.getAnyObject(), itemDecisionFunction);
                }
                if (accessDecision2 != AccessDecision.ALLOW) {
                    LOGGER.trace("    NOT ALLOWED operation because the item decision is {}", accessDecision2);
                    accessDecision = AccessDecision.DEFAULT;
                }
            }
        }
        if (LOGGER.isTraceEnabled()) {
            LOGGER.trace("AUTZ result: principal={}, operation={}: {}", getUsername(midPointPrincipal), prettyActionUrl(str), accessDecision);
        }
        return accessDecision;
    }

    private AccessDecision decideAllowedItems(ItemPath itemPath, AutzItemPaths autzItemPaths, AuthorizationPhaseType authorizationPhaseType, boolean z) {
        return isAllowedItem(itemPath, autzItemPaths, authorizationPhaseType, z) ? AccessDecision.ALLOW : AccessDecision.DEFAULT;
    }

    private <O extends ObjectType> AccessDecision determineObjectDecision(PrismContainer<O> prismContainer, ItemDecisionFunction itemDecisionFunction) {
        AccessDecision determineContainerDecision = determineContainerDecision(prismContainer.getValue(), itemDecisionFunction, false, "object");
        return (determineContainerDecision == null && prismContainer.isEmpty()) ? AccessDecision.ALLOW : determineContainerDecision;
    }

    private <C extends Containerable, O extends ObjectType> AccessDecision determineContainerDeltaDecision(ContainerDelta<C> containerDelta, PrismObject<O> prismObject, ItemDecisionFunction itemDecisionFunction) {
        AccessDecision accessDecision = null;
        ItemPath path = containerDelta.getPath();
        Collection<PrismContainerValue<V>> valuesToAdd = containerDelta.getValuesToAdd();
        if (valuesToAdd != 0) {
            Iterator it = valuesToAdd.iterator();
            while (it.hasNext()) {
                accessDecision = AccessDecision.combine(accessDecision, determineContainerDecision((PrismContainerValue) it.next(), itemDecisionFunction, false, "delta add"));
            }
        }
        Collection<PrismContainerValue<V>> valuesToDelete = containerDelta.getValuesToDelete();
        if (valuesToDelete != 0) {
            Iterator it2 = valuesToDelete.iterator();
            while (it2.hasNext()) {
                PrismContainerValue<?> prismContainerValue = (PrismContainerValue) it2.next();
                AccessDecision accessDecision2 = null;
                if (prismContainerValue.isIdOnly()) {
                    PrismContainerValue<C> determineContainerValueFromCurrentObject = determineContainerValueFromCurrentObject(path, prismContainerValue.getId().longValue(), prismObject);
                    if (determineContainerValueFromCurrentObject != null) {
                        accessDecision2 = determineContainerDecision(determineContainerValueFromCurrentObject, itemDecisionFunction, true, "delta delete (current value)");
                    }
                } else {
                    accessDecision2 = determineContainerDecision(prismContainerValue, itemDecisionFunction, true, "delta delete");
                }
                if (accessDecision2 != null) {
                    accessDecision = AccessDecision.combine(accessDecision, accessDecision2);
                }
            }
        }
        Collection<PrismContainerValue<V>> valuesToReplace = containerDelta.getValuesToReplace();
        if (valuesToReplace != 0) {
            Iterator it3 = valuesToReplace.iterator();
            while (it3.hasNext()) {
                accessDecision = AccessDecision.combine(accessDecision, determineContainerDecision((PrismContainerValue) it3.next(), itemDecisionFunction, false, "delta replace"));
            }
            Collection<PrismContainerValue<C>> determineContainerValuesFromCurrentObject = determineContainerValuesFromCurrentObject(path, prismObject);
            if (determineContainerValuesFromCurrentObject != null) {
                Iterator<PrismContainerValue<C>> it4 = determineContainerValuesFromCurrentObject.iterator();
                while (it4.hasNext()) {
                    accessDecision = AccessDecision.combine(accessDecision, determineContainerDecision(it4.next(), itemDecisionFunction, true, "delta replace (removed current value)"));
                }
            }
        }
        return accessDecision;
    }

    private <C extends Containerable> void logSubitemContainerDecision(AccessDecision accessDecision, String str, PrismContainerValue<C> prismContainerValue) {
        if (LOGGER.isTraceEnabled()) {
            if (accessDecision != AccessDecision.ALLOW || InternalsConfig.isDetailedAuthorizationLog()) {
                LOGGER.trace("    container {} for {} (processed subitems): decision={}", prismContainerValue.getPath(), str, accessDecision);
            }
        }
    }

    private void logSubitemDecision(AccessDecision accessDecision, String str, ItemPath itemPath) {
        if (LOGGER.isTraceEnabled()) {
            if (accessDecision != AccessDecision.ALLOW || InternalsConfig.isDetailedAuthorizationLog()) {
                LOGGER.trace("    item {} for {}: decision={}", itemPath, str, accessDecision);
            }
        }
    }

    private <C extends Containerable, O extends ObjectType> PrismContainerValue<C> determineContainerValueFromCurrentObject(ItemPath itemPath, long j, PrismObject<O> prismObject) {
        Collection<PrismContainerValue<C>> determineContainerValuesFromCurrentObject = determineContainerValuesFromCurrentObject(itemPath, prismObject);
        if (determineContainerValuesFromCurrentObject == null) {
            return null;
        }
        for (PrismContainerValue<C> prismContainerValue : determineContainerValuesFromCurrentObject) {
            if (j == prismContainerValue.getId().longValue()) {
                return prismContainerValue;
            }
        }
        return null;
    }

    private <C extends Containerable, O extends ObjectType> Collection<PrismContainerValue<C>> determineContainerValuesFromCurrentObject(ItemPath itemPath, PrismObject<O> prismObject) {
        Item findContainer = prismObject.findContainer(itemPath);
        if (findContainer == null) {
            return null;
        }
        return findContainer.getValues();
    }

    private AccessDecision determineContainerDecision(PrismContainerValue<?> prismContainerValue, ItemDecisionFunction itemDecisionFunction, boolean z, String str) {
        Collection<Item<?, ?>> items = prismContainerValue.getItems();
        if (items.isEmpty()) {
            logSubitemContainerDecision(null, str, prismContainerValue);
            return null;
        }
        AccessDecision accessDecision = null;
        for (Item<?, ?> item : items) {
            ItemPath path = item.getPath();
            AccessDecision decide = itemDecisionFunction.decide(path.namedSegmentsOnly(), z);
            logSubitemDecision(decide, str, path);
            if (decide != null) {
                if (decide == AccessDecision.DEFAULT && (item instanceof PrismContainer)) {
                    AccessDecision accessDecision2 = null;
                    Iterator it = ((PrismContainer) item).getValues().iterator();
                    while (it.hasNext()) {
                        accessDecision2 = AccessDecision.combine(accessDecision2, determineContainerDecision((PrismContainerValue) it.next(), itemDecisionFunction, z, str));
                    }
                    if (accessDecision2 != null) {
                        accessDecision = AccessDecision.combine(accessDecision, accessDecision2);
                    }
                } else {
                    if (decide == AccessDecision.DENY) {
                        LOGGER.trace("  DENY operation because item {} in the object is not allowed", path);
                    }
                    accessDecision = AccessDecision.combine(accessDecision, decide);
                }
            }
        }
        logSubitemContainerDecision(accessDecision, str, prismContainerValue);
        return accessDecision;
    }

    private <O extends ObjectType> AccessDecision determineDeltaDecision(ObjectDelta<O> objectDelta, PrismObject<O> prismObject, ItemDecisionFunction itemDecisionFunction, ItemDecisionFunction itemDecisionFunction2) {
        if (objectDelta.isAdd()) {
            return determineObjectDecision(objectDelta.getObjectToAdd(), itemDecisionFunction);
        }
        if (objectDelta.isDelete()) {
            return determineObjectDecision(prismObject, itemDecisionFunction2);
        }
        AccessDecision accessDecision = null;
        for (ItemDelta<?, ?> itemDelta : objectDelta.getModifications()) {
            ItemPath path = itemDelta.getPath();
            AccessDecision decide = itemDecisionFunction.decide(path.namedSegmentsOnly(), false);
            if (decide != null) {
                if (decide == AccessDecision.DEFAULT && (itemDelta instanceof ContainerDelta)) {
                    accessDecision = AccessDecision.combine(accessDecision, determineContainerDeltaDecision((ContainerDelta) itemDelta, prismObject, itemDecisionFunction));
                } else {
                    if (decide == AccessDecision.DENY) {
                        LOGGER.trace("  DENY operation because item {} in the delta is not allowed", path);
                    }
                    accessDecision = AccessDecision.combine(accessDecision, decide);
                }
            }
        }
        return accessDecision;
    }

    private boolean isAllowedItem(ItemPath itemPath, AutzItemPaths autzItemPaths, AuthorizationPhaseType authorizationPhaseType, boolean z) {
        if (z && isInList(itemPath, AuthorizationConstants.OPERATIONAL_ITEMS_ALLOWED_FOR_CONTAINER_DELETE)) {
            return true;
        }
        if (AuthorizationPhaseType.EXECUTION.equals(authorizationPhaseType) && isInList(itemPath, AuthorizationConstants.EXECUTION_ITEMS_ALLOWED_BY_DEFAULT)) {
            return true;
        }
        return autzItemPaths.isApplicable(itemPath);
    }

    private boolean isInList(ItemPath itemPath, Collection<ItemPath> collection) {
        boolean z = false;
        Iterator<ItemPath> it = collection.iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            if (it.next().isSubPathOrEquivalent(itemPath)) {
                z = true;
                break;
            }
        }
        return z;
    }

    @Override // com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer
    public <O extends ObjectType, T extends ObjectType> void authorize(String str, AuthorizationPhaseType authorizationPhaseType, AuthorizationParameters<O, T> authorizationParameters, OwnerResolver ownerResolver, Task task, OperationResult operationResult) throws SecurityViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
        if (isAuthorized(str, authorizationPhaseType, authorizationParameters, ownerResolver, task, operationResult)) {
            return;
        }
        failAuthorization(str, authorizationPhaseType, authorizationParameters, operationResult);
    }

    @Override // com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer
    public <O extends ObjectType, T extends ObjectType> void failAuthorization(String str, AuthorizationPhaseType authorizationPhaseType, AuthorizationParameters<O, T> authorizationParameters, OperationResult operationResult) throws SecurityViolationException {
        String quotedUsername = getQuotedUsername(this.securityContextManager.getPrincipal());
        String str2 = (authorizationParameters.getTarget() == null && authorizationParameters.getAnyObject() == null) ? "User '" + quotedUsername + "' not authorized for operation " + str : authorizationParameters.getTarget() == null ? "User '" + quotedUsername + "' not authorized for operation " + str + " on " + authorizationParameters.getAnyObject() : "User '" + quotedUsername + "' not authorized for operation " + str + " on " + authorizationParameters.getAnyObject() + " with target " + authorizationParameters.getTarget();
        LOGGER.error("{}", str2);
        AuthorizationException authorizationException = new AuthorizationException(str2);
        operationResult.recordFatalError(authorizationException.getMessage(), authorizationException);
        throw authorizationException;
    }

    private <O extends ObjectType> boolean isApplicableObject(Authorization authorization, ObjectDeltaObject<O> objectDeltaObject, boolean z, MidPointPrincipal midPointPrincipal, OwnerResolver ownerResolver, String str, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        List<OwnedObjectSelectorType> object = authorization.getObject();
        if (object == null || object.isEmpty()) {
            LOGGER.trace("    {}: No object specification in authorization (authorization is applicable)", str);
            return true;
        }
        if (objectDeltaObject == null) {
            LOGGER.trace("  object not applicable for null {}", str);
            return false;
        }
        if (objectDeltaObject.getObjectDelta() == null || !objectDeltaObject.getObjectDelta().isModify()) {
            PrismObject<O> anyObject = objectDeltaObject.getAnyObject();
            if (anyObject == null) {
                throw new IllegalStateException("No object in odo " + objectDeltaObject);
            }
            return isApplicable(object, anyObject, z, midPointPrincipal, ownerResolver, "object", str, task, operationResult);
        }
        if (!authorization.keepZoneOfControl()) {
            PrismObject<O> oldObject = objectDeltaObject.getOldObject();
            if (oldObject == null) {
                throw new IllegalStateException("No old object in odo " + objectDeltaObject);
            }
            return isApplicable(object, oldObject, z, midPointPrincipal, ownerResolver, "object(old)", str, task, operationResult);
        }
        PrismObject<O> oldObject2 = objectDeltaObject.getOldObject();
        if (oldObject2 == null) {
            throw new IllegalStateException("No old object in odo " + objectDeltaObject);
        }
        if (!isApplicable(object, oldObject2, z, midPointPrincipal, ownerResolver, "object(old)", str, task, operationResult)) {
            return false;
        }
        PrismObject<O> newObject = objectDeltaObject.getNewObject();
        if (newObject == null) {
            throw new IllegalStateException("No new object in odo " + objectDeltaObject);
        }
        return isApplicable(object, newObject, z, midPointPrincipal, ownerResolver, "object(new)", str, task, operationResult);
    }

    private <O extends ObjectType> boolean isApplicable(List<OwnedObjectSelectorType> list, PrismObject<O> prismObject, boolean z, MidPointPrincipal midPointPrincipal, OwnerResolver ownerResolver, String str, String str2, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        if (list == null || list.isEmpty()) {
            LOGGER.trace("    {}: No {} specification in authorization (authorization is applicable)", str2, str);
            return true;
        }
        if (prismObject == null) {
            LOGGER.trace("  {} not applicable for null {}", str2, str);
            return false;
        }
        Iterator<OwnedObjectSelectorType> it = list.iterator();
        while (it.hasNext()) {
            if (isApplicable(it.next(), prismObject, z, midPointPrincipal, Collections.emptySet(), ownerResolver, str, str2, task, operationResult)) {
                return true;
            }
        }
        return false;
    }

    private <O extends ObjectType> boolean isApplicable(SubjectedObjectSelectorType subjectedObjectSelectorType, PrismObject<O> prismObject, boolean z, MidPointPrincipal midPointPrincipal, Collection<String> collection, OwnerResolver ownerResolver, String str, String str2, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        if (!this.repositoryService.selectorMatches(subjectedObjectSelectorType, prismObject, z, createFilterEvaluator(midPointPrincipal, str, str2, task, operationResult), LOGGER, "    " + str2 + " not applicable for " + str + " because of")) {
            return false;
        }
        OrgRelationObjectSpecificationType orgRelation = subjectedObjectSelectorType.getOrgRelation();
        RoleRelationObjectSpecificationType roleRelation = subjectedObjectSelectorType.getRoleRelation();
        List<SpecialObjectSpecificationType> special = subjectedObjectSelectorType.getSpecial();
        if (special != null && !special.isEmpty()) {
            if (subjectedObjectSelectorType.getFilter() != null || subjectedObjectSelectorType.getOrgRef() != null || orgRelation != null || roleRelation != null) {
                throw new SchemaException("Both filter/org/role/archetype and special " + str + " specification specified in " + str2);
            }
            for (SpecialObjectSpecificationType specialObjectSpecificationType : special) {
                if (specialObjectSpecificationType != SpecialObjectSpecificationType.SELF) {
                    throw new SchemaException("Unsupported special " + str + " specification specified in " + str2 + ": " + specialObjectSpecificationType);
                }
                String oid = midPointPrincipal != null ? midPointPrincipal.getOid() : null;
                if (oid != null) {
                    if (oid.equals(prismObject.getOid())) {
                        LOGGER.trace("    {}: 'self' authorization applicable for {} - match on principal OID ({})", str2, str, oid);
                        return true;
                    }
                    if (collection != null && collection.contains(prismObject.getOid())) {
                        LOGGER.trace("    {}: 'self' authorization applicable for {} - match on other 'self OID' ({})", str2, str, prismObject.getOid());
                        return true;
                    }
                    LOGGER.trace("    {}: 'self' authorization not applicable for {}, principal OID: {} (other accepted self OIDs: {}), {} OID {}", str2, str, oid, collection, str, prismObject.getOid());
                }
            }
            LOGGER.trace("    {}: special authorization not applicable for {}", str2, str);
            return false;
        }
        LOGGER.trace("    {}: specials empty: {}", str2, special);
        if (orgRelation != null && z) {
            boolean z2 = false;
            Iterator<ObjectReferenceType> it = midPointPrincipal.getFocus().getParentOrgRef().iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                ObjectReferenceType next = it.next();
                if (matchesOrgRelation(prismObject, next, orgRelation, str2, str)) {
                    LOGGER.trace("    org {} applicable for {}, object OID {} because subject org {} matches", str2, str, prismObject.getOid(), next.getOid());
                    z2 = true;
                    break;
                }
            }
            if (!z2) {
                LOGGER.trace("    org {} not applicable for {}, object OID {} because none of the subject orgs matches", str2, str, prismObject.getOid());
                return false;
            }
        }
        if (roleRelation != null && z) {
            boolean z3 = false;
            Iterator<ObjectReferenceType> it2 = midPointPrincipal.getFocus().getRoleMembershipRef().iterator();
            while (true) {
                if (!it2.hasNext()) {
                    break;
                }
                ObjectReferenceType next2 = it2.next();
                if (matchesRoleRelation(prismObject, next2, roleRelation)) {
                    LOGGER.trace("    {} applicable for {}, object OID {} because subject role relation {} matches", str2, str, prismObject.getOid(), next2.getOid());
                    z3 = true;
                    break;
                }
            }
            if (!z3) {
                LOGGER.trace("    {} not applicable for {}, object OID {} because none of the subject roles matches", str2, str, prismObject.getOid());
                return false;
            }
        }
        if (subjectedObjectSelectorType instanceof OwnedObjectSelectorType) {
            OwnedObjectSelectorType ownedObjectSelectorType = (OwnedObjectSelectorType) subjectedObjectSelectorType;
            SubjectedObjectSelectorType owner = ownedObjectSelectorType.getOwner();
            if (owner != null) {
                if (ownerResolver == null) {
                    ownerResolver = this.securityContextManager.getUserProfileService();
                    if (ownerResolver == null) {
                        LOGGER.trace("    {}: owner object spec not applicable for {}, object OID {} because there is no owner resolver", str2, str, prismObject.getOid());
                        return false;
                    }
                }
                PrismObject<O> resolveOwner = ownerResolver.resolveOwner(prismObject);
                if (resolveOwner == null) {
                    LOGGER.trace("    {}: owner object spec not applicable for {}, object OID {} because it has no owner", str2, str, prismObject.getOid());
                    return false;
                }
                if (!isApplicable(owner, resolveOwner, z, midPointPrincipal, Collections.emptySet(), ownerResolver, "owner of " + str, str2, task, operationResult)) {
                    LOGGER.trace("    {}: owner object spec not applicable for {}, object OID {} because owner does not match (owner={})", str2, str, prismObject.getOid(), resolveOwner);
                    return false;
                }
            }
            SubjectedObjectSelectorType delegator = ownedObjectSelectorType.getDelegator();
            if (delegator != null && z) {
                if (!isSelf(delegator)) {
                    throw new SchemaException("Unsupported non-self delegator clause");
                }
                if (!prismObject.canRepresent(UserType.class)) {
                    LOGGER.trace("    {}: delegator object spec not applicable for {}, because the object is not user", str2, str);
                    return false;
                }
                boolean z4 = false;
                Iterator<ObjectReferenceType> it3 = ((UserType) prismObject.asObjectable()).getDelegatedRef().iterator();
                while (true) {
                    if (!it3.hasNext()) {
                        break;
                    }
                    if (midPointPrincipal.getOid().equals(it3.next().getOid())) {
                        z4 = true;
                        break;
                    }
                }
                if (!z4) {
                    if (BooleanUtils.isTrue(delegator.isAllowInactive())) {
                        Iterator<AssignmentType> it4 = ((UserType) prismObject.asObjectable()).getAssignment().iterator();
                        while (true) {
                            if (!it4.hasNext()) {
                                break;
                            }
                            ObjectReferenceType targetRef = it4.next().getTargetRef();
                            if (targetRef != null && midPointPrincipal.getOid().equals(targetRef.getOid()) && this.relationRegistry.isDelegation(targetRef.getRelation())) {
                                z4 = true;
                                break;
                            }
                        }
                    }
                    if (!z4) {
                        LOGGER.trace("    {}: delegator object spec not applicable for {}, object OID {} because delegator does not match", str2, str, prismObject.getOid());
                        return false;
                    }
                }
            }
            SubjectedObjectSelectorType requester = ownedObjectSelectorType.getRequester();
            if (requester != null) {
                PrismObject<? extends ObjectType> requestor = getRequestor(prismObject, operationResult);
                if (requestor == null) {
                    LOGGER.trace("    {}: requester object spec not applicable for {}, object OID {} because it has no requestor", str2, str, prismObject.getOid());
                    return false;
                }
                if (!isApplicable(requester, requestor, true, midPointPrincipal, getDelegatorsForRequestor(midPointPrincipal), ownerResolver, "requestor of " + str, str2, task, operationResult)) {
                    LOGGER.trace("    {}: requester object spec not applicable for {}, object OID {} because requestor does not match (requestor={})", str2, str, prismObject.getOid(), requestor);
                    return false;
                }
            }
            SubjectedObjectSelectorType relatedObject = ownedObjectSelectorType.getRelatedObject();
            if (relatedObject != null) {
                PrismObject<? extends ObjectType> relatedObject2 = getRelatedObject(prismObject, operationResult);
                if (relatedObject2 == null) {
                    LOGGER.trace("    {}: related object spec not applicable for {}, object OID {} because it has no related object", str2, str, prismObject.getOid());
                    return false;
                }
                if (!isApplicable(relatedObject, relatedObject2, true, midPointPrincipal, getDelegatorsForRelatedObjects(midPointPrincipal), ownerResolver, "related object of " + str, str2, task, operationResult)) {
                    LOGGER.trace("    {}: related object spec not applicable for {}, object OID {} because related object does not match (related object={})", str2, str, prismObject.getOid(), relatedObject2);
                    return false;
                }
            }
            SubjectedObjectSelectorType assignee = ownedObjectSelectorType.getAssignee();
            if (assignee != null) {
                List<PrismObject<? extends ObjectType>> assignees = getAssignees(prismObject, operationResult);
                if (assignees.isEmpty()) {
                    LOGGER.trace("    {}: assignee spec not applicable for {}, object OID {} because it has no assignees", str2, str, prismObject.getOid());
                    return false;
                }
                Collection<String> delegatorsForAssignee = getDelegatorsForAssignee(midPointPrincipal);
                boolean z5 = false;
                Iterator<PrismObject<? extends ObjectType>> it5 = assignees.iterator();
                while (true) {
                    if (!it5.hasNext()) {
                        break;
                    }
                    if (isApplicable(assignee, it5.next(), true, midPointPrincipal, delegatorsForAssignee, ownerResolver, "assignee of " + str, str2, task, operationResult)) {
                        z5 = true;
                        break;
                    }
                }
                if (!z5) {
                    LOGGER.trace("    {}: assignee spec not applicable for {}, object OID {} because none of the assignees match (assignees={})", str2, str, prismObject.getOid(), assignees);
                    return false;
                }
            }
            TenantSelectorType tenant = ownedObjectSelectorType.getTenant();
            if (tenant != null && z) {
                if (!BooleanUtils.isTrue(tenant.isSameAsSubject())) {
                    LOGGER.trace("    {}: tenant object spec not applicable for {}, object OID {} because there is a strange tenant specification in authorization", str2, str, prismObject.getOid());
                    return false;
                }
                ObjectReferenceType tenantRef = midPointPrincipal.getFocus().getTenantRef();
                if (tenantRef == null || tenantRef.getOid() == null) {
                    LOGGER.trace("    {}: tenant object spec not applicable for {}, object OID {} because subject does not have tenantRef", str2, str, prismObject.getOid());
                    return false;
                }
                ObjectReferenceType tenantRef2 = prismObject.asObjectable().getTenantRef();
                if (tenantRef2 == null || tenantRef2.getOid() == null) {
                    LOGGER.trace("    {}: tenant object spec not applicable for {}, object OID {} because object does not have tenantRef", str2, str, prismObject.getOid());
                    return false;
                }
                if (!tenantRef.getOid().equals(tenantRef2.getOid())) {
                    LOGGER.trace("    {}: tenant object spec not applicable for {}, object OID {} because of tenant mismatch", str2, str, prismObject.getOid());
                    return false;
                }
                if (!BooleanUtils.isTrue(tenant.isIncludeTenantOrg())) {
                    O asObjectable = prismObject.asObjectable();
                    if ((asObjectable instanceof OrgType) && BooleanUtils.isTrue(((OrgType) asObjectable).isTenant())) {
                        LOGGER.trace("    {}: tenant object spec not applicable for {}, object OID {} because it is a tenant org and it is not included", str2, str, prismObject.getOid());
                        return false;
                    }
                }
            }
        }
        LOGGER.trace("    {} applicable for {} (filter)", str2, str);
        return true;
    }

    private Collection<String> getDelegatorsForRequestor(MidPointPrincipal midPointPrincipal) {
        return getDelegators(midPointPrincipal, OtherPrivilegesLimitationType.F_CASE_MANAGEMENT_WORK_ITEMS);
    }

    private Collection<String> getDelegatorsForRelatedObjects(MidPointPrincipal midPointPrincipal) {
        return Collections.emptySet();
    }

    private Collection<String> getDelegatorsForAssignee(MidPointPrincipal midPointPrincipal) {
        return getDelegators(midPointPrincipal, OtherPrivilegesLimitationType.F_CASE_MANAGEMENT_WORK_ITEMS);
    }

    private Collection<String> getDelegators(MidPointPrincipal midPointPrincipal, ItemName... itemNameArr) {
        HashSet hashSet = new HashSet();
        for (DelegatorWithOtherPrivilegesLimitations delegatorWithOtherPrivilegesLimitations : midPointPrincipal.getDelegatorWithOtherPrivilegesLimitationsCollection()) {
            int length = itemNameArr.length;
            int i = 0;
            while (true) {
                if (i < length) {
                    if (SchemaDeputyUtil.limitationsAllow(delegatorWithOtherPrivilegesLimitations.getLimitations(), itemNameArr[i])) {
                        hashSet.add(delegatorWithOtherPrivilegesLimitations.getDelegator().getOid());
                        break;
                    }
                    i++;
                }
            }
        }
        return hashSet;
    }

    private <O extends ObjectType> PrismObject<? extends ObjectType> getRequestor(PrismObject<O> prismObject, OperationResult operationResult) {
        ObjectType objectType = (ObjectType) PrismObjectValue.asObjectable(prismObject);
        if (objectType instanceof CaseType) {
            return resolveReference(((CaseType) objectType).getRequestorRef(), prismObject, "requestor", operationResult);
        }
        return null;
    }

    private <O extends ObjectType> PrismObject<? extends ObjectType> getRelatedObject(PrismObject<O> prismObject, OperationResult operationResult) {
        ObjectType objectType = (ObjectType) PrismObjectValue.asObjectable(prismObject);
        if (objectType instanceof CaseType) {
            return resolveReference(((CaseType) objectType).getObjectRef(), prismObject, "related object", operationResult);
        }
        if (objectType instanceof TaskType) {
            return resolveReference(((TaskType) objectType).getObjectRef(), prismObject, "related object", operationResult);
        }
        return null;
    }

    @NotNull
    private <O extends ObjectType> List<PrismObject<? extends ObjectType>> getAssignees(PrismObject<O> prismObject, OperationResult operationResult) {
        ArrayList arrayList = new ArrayList();
        ObjectType objectType = (ObjectType) PrismObjectValue.asObjectable(prismObject);
        if (objectType instanceof CaseType) {
            Iterator<ObjectReferenceType> it = CaseTypeUtil.getAllCurrentAssignees((CaseType) objectType).iterator();
            while (it.hasNext()) {
                CollectionUtils.addIgnoreNull(arrayList, resolveReference(it.next(), prismObject, ExpressionConstants.VAR_ASSIGNEE, operationResult));
            }
        }
        return arrayList;
    }

    private <O extends ObjectType> PrismObject<? extends ObjectType> resolveReference(ObjectReferenceType objectReferenceType, PrismObject<O> prismObject, String str, OperationResult operationResult) {
        if (objectReferenceType == null || objectReferenceType.getOid() == null) {
            return null;
        }
        try {
            return this.repositoryService.getObject(objectReferenceType.getType() != null ? this.prismContext.getSchemaRegistry().getCompileTimeClass(objectReferenceType.getType()) : UserType.class, objectReferenceType.getOid(), null, operationResult);
        } catch (ObjectNotFoundException | SchemaException e) {
            LoggingUtils.logExceptionAsWarning(LOGGER, "Couldn't resolve {} of {}", e, str, prismObject);
            return null;
        }
    }

    private ObjectFilterExpressionEvaluator createFilterEvaluator(MidPointPrincipal midPointPrincipal, String str, String str2, Task task, OperationResult operationResult) {
        return objectFilter -> {
            if (objectFilter == null) {
                return null;
            }
            VariablesMap variablesMap = new VariablesMap();
            PrismObject<? extends FocusType> asPrismObject = midPointPrincipal != null ? midPointPrincipal.getFocus().asPrismObject() : null;
            variablesMap.addVariableDefinition("subject", asPrismObject, asPrismObject != null ? asPrismObject.getDefinition() : this.prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(asPrismObject.asObjectable().getClass()));
            return ExpressionUtil.evaluateFilterExpressions(objectFilter, variablesMap, MiscSchemaUtil.getExpressionProfile(), this.expressionFactory, this.prismContext, "expression in " + str + " in authorization " + str2, task, operationResult);
        };
    }

    private <O extends ObjectType> ObjectFilter parseAndEvaluateFilter(MidPointPrincipal midPointPrincipal, PrismObjectDefinition<O> prismObjectDefinition, SearchFilterType searchFilterType, String str, String str2, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        ObjectFilter createObjectFilter = this.prismContext.getQueryConverter().createObjectFilter(prismObjectDefinition, searchFilterType);
        if (createObjectFilter == null) {
            return null;
        }
        return createFilterEvaluator(midPointPrincipal, str, str2, task, operationResult).evaluate(createObjectFilter);
    }

    private boolean isSelf(SubjectedObjectSelectorType subjectedObjectSelectorType) throws SchemaException {
        List<SpecialObjectSpecificationType> special = subjectedObjectSelectorType.getSpecial();
        if (special == null || special.isEmpty() || subjectedObjectSelectorType.getFilter() != null || subjectedObjectSelectorType.getOrgRef() != null || subjectedObjectSelectorType.getOrgRelation() != null || subjectedObjectSelectorType.getRoleRelation() != null) {
            return false;
        }
        Iterator<SpecialObjectSpecificationType> it = special.iterator();
        if (!it.hasNext()) {
            return false;
        }
        SpecialObjectSpecificationType next = it.next();
        if (next == SpecialObjectSpecificationType.SELF) {
            return true;
        }
        throw new SchemaException("Unsupported special object specification specified in authorization: " + next);
    }

    private <O extends ObjectType> boolean matchesOrgRelation(PrismObject<O> prismObject, ObjectReferenceType objectReferenceType, OrgRelationObjectSpecificationType orgRelationObjectSpecificationType, String str, String str2) throws SchemaException {
        if (!this.prismContext.relationMatches(orgRelationObjectSpecificationType.getSubjectRelation(), objectReferenceType.getRelation())) {
            return false;
        }
        if (BooleanUtils.isTrue(orgRelationObjectSpecificationType.isIncludeReferenceOrg()) && objectReferenceType.getOid().equals(prismObject.getOid())) {
            return true;
        }
        if (orgRelationObjectSpecificationType.getScope() == null) {
            return this.repositoryService.isDescendant(prismObject, objectReferenceType.getOid());
        }
        switch (orgRelationObjectSpecificationType.getScope()) {
            case ALL_DESCENDANTS:
                return this.repositoryService.isDescendant(prismObject, objectReferenceType.getOid());
            case DIRECT_DESCENDANTS:
                return hasParentOrgRef(prismObject, objectReferenceType.getOid());
            case ALL_ANCESTORS:
                return this.repositoryService.isAncestor(prismObject, objectReferenceType.getOid());
            default:
                throw new UnsupportedOperationException("Unknown orgRelation scope " + orgRelationObjectSpecificationType.getScope());
        }
    }

    private <O extends ObjectType> boolean hasParentOrgRef(PrismObject<O> prismObject, String str) {
        Iterator<ObjectReferenceType> it = prismObject.asObjectable().getParentOrgRef().iterator();
        while (it.hasNext()) {
            if (str.equals(it.next().getOid())) {
                return true;
            }
        }
        return false;
    }

    private <O extends ObjectType> boolean matchesRoleRelation(PrismObject<O> prismObject, ObjectReferenceType objectReferenceType, RoleRelationObjectSpecificationType roleRelationObjectSpecificationType) {
        if (!this.prismContext.relationMatches(roleRelationObjectSpecificationType.getSubjectRelation(), objectReferenceType.getRelation())) {
            return false;
        }
        if (BooleanUtils.isTrue(roleRelationObjectSpecificationType.isIncludeReferenceRole()) && objectReferenceType.getOid().equals(prismObject.getOid())) {
            return true;
        }
        if (BooleanUtils.isFalse(roleRelationObjectSpecificationType.isIncludeMembers()) || !prismObject.canRepresent(FocusType.class)) {
            return false;
        }
        for (ObjectReferenceType objectReferenceType2 : ((FocusType) prismObject.asObjectable()).getRoleMembershipRef()) {
            if (objectReferenceType.getOid().equals(objectReferenceType2.getOid()) && this.prismContext.relationMatches(roleRelationObjectSpecificationType.getObjectRelation(), objectReferenceType2.getRelation())) {
                return true;
            }
        }
        return false;
    }

    private <O extends ObjectType> boolean isApplicableItem(Authorization authorization, PrismObject<O> prismObject, ObjectDelta<O> objectDelta) throws SchemaException {
        List<ItemPathType> item = authorization.getItem();
        if (!item.isEmpty()) {
            return isApplicableItem(authorization, prismObject, objectDelta, item, true);
        }
        List<ItemPathType> exceptItem = authorization.getExceptItem();
        if (!exceptItem.isEmpty()) {
            return isApplicableItem(authorization, prismObject, objectDelta, exceptItem, false);
        }
        LOGGER.trace("  items empty");
        return true;
    }

    private <O extends ObjectType> boolean isApplicableItem(Authorization authorization, PrismObject<O> prismObject, ObjectDelta<O> objectDelta, List<ItemPathType> list, boolean z) throws SchemaException {
        Iterator<ItemPathType> it = list.iterator();
        while (it.hasNext()) {
            ItemPath itemPath = it.next().getItemPath();
            if (objectDelta != null) {
                ItemDelta<IV, ID> findItemDelta = objectDelta.findItemDelta(itemPath);
                if (findItemDelta != 0 && !findItemDelta.isEmpty()) {
                    if (z) {
                        LOGGER.trace("  applicable delta item " + itemPath);
                        return true;
                    }
                    LOGGER.trace("  excluded delta item " + itemPath);
                    return false;
                }
            } else if (prismObject != null && prismObject.containsItem(itemPath, false)) {
                if (z) {
                    LOGGER.trace("  applicable object item " + itemPath);
                    return true;
                }
                LOGGER.trace("  excluded object item " + itemPath);
                return false;
            }
        }
        if (z) {
            LOGGER.trace("  no applicable item");
            return false;
        }
        LOGGER.trace("  no excluded item");
        return true;
    }

    @Override // com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer
    public AccessDecision decideAccess(MidPointPrincipal midPointPrincipal, Collection<String> collection, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        return decideAccess(midPointPrincipal, collection, AuthorizationParameters.EMPTY, task, operationResult);
    }

    @Override // com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer
    public <O extends ObjectType, T extends ObjectType> AccessDecision decideAccess(MidPointPrincipal midPointPrincipal, Collection<String> collection, AuthorizationParameters<O, T> authorizationParameters, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        AccessDecision accessDecision = AccessDecision.DEFAULT;
        Iterator<String> it = collection.iterator();
        while (it.hasNext()) {
            AccessDecision isAuthorizedInternal = isAuthorizedInternal(midPointPrincipal, it.next(), null, authorizationParameters, null, null, task, operationResult);
            if (AccessDecision.DENY.equals(isAuthorizedInternal)) {
                return AccessDecision.DENY;
            }
            if (AccessDecision.ALLOW.equals(isAuthorizedInternal)) {
                accessDecision = AccessDecision.ALLOW;
            }
        }
        return accessDecision;
    }

    private String getQuotedUsername(MidPointPrincipal midPointPrincipal) {
        return midPointPrincipal == null ? "(none)" : "'" + midPointPrincipal.getUsername() + "'";
    }

    @Override // com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer
    public MidPointPrincipal getMidPointPrincipal() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null) {
            LOGGER.warn("No authentication");
            return null;
        }
        Object principal = authentication.getPrincipal();
        if (principal == null) {
            LOGGER.warn("Null principal");
            return null;
        }
        if (principal instanceof MidPointPrincipal) {
            return (MidPointPrincipal) principal;
        }
        if ((authentication.getPrincipal() instanceof String) && AuthorizationConstants.ANONYMOUS_USER_PRINCIPAL.equals(principal)) {
            return null;
        }
        LOGGER.warn("Unknown principal type {}", principal.getClass());
        return null;
    }

    private Collection<Authorization> getAuthorities(MidPointPrincipal midPointPrincipal) {
        if (midPointPrincipal != null) {
            return midPointPrincipal.getAuthorities();
        }
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        ArrayList arrayList = new ArrayList();
        if (authentication != null) {
            for (GrantedAuthority grantedAuthority : authentication.getAuthorities()) {
                if (grantedAuthority instanceof Authorization) {
                    arrayList.add((Authorization) grantedAuthority);
                }
            }
        }
        return arrayList;
    }

    @Override // com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer
    public <O extends ObjectType> ObjectSecurityConstraints compileSecurityConstraints(PrismObject<O> prismObject, boolean z, OwnerResolver ownerResolver, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        MidPointPrincipal midPointPrincipal = getMidPointPrincipal();
        if (prismObject == null) {
            throw new IllegalArgumentException("Cannot compile security constraints of null object");
        }
        if (LOGGER.isTraceEnabled()) {
            LOGGER.trace("AUTZ: evaluating security constraints principal={}, object={} (full: {})", getUsername(midPointPrincipal), prismObject, Boolean.valueOf(z));
        }
        ObjectSecurityConstraintsImpl objectSecurityConstraintsImpl = new ObjectSecurityConstraintsImpl();
        Collection<Authorization> authorities = getAuthorities(midPointPrincipal);
        if (authorities != null) {
            for (Authorization authorization : authorities) {
                String humanReadableDesc = authorization.getHumanReadableDesc();
                LOGGER.trace("  Evaluating {}", humanReadableDesc);
                if (isApplicable(authorization.getObject(), prismObject, z, midPointPrincipal, ownerResolver, "object", humanReadableDesc, task, operationResult)) {
                    LOGGER.trace("    {} applicable for object {} (continuing evaluation)", humanReadableDesc, prismObject);
                    objectSecurityConstraintsImpl.applyAuthorization(authorization);
                } else {
                    LOGGER.trace("    {} not applicable for object {}, none of the object specifications match (breaking evaluation)", humanReadableDesc, prismObject);
                }
            }
        }
        if (LOGGER.isTraceEnabled()) {
            LOGGER.trace("AUTZ: evaluated security constraints principal={}, object={}:\n{}", getUsername(midPointPrincipal), prismObject, objectSecurityConstraintsImpl.debugDump(1));
        }
        return objectSecurityConstraintsImpl;
    }

    @Override // com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer
    public <T extends ObjectType, O extends ObjectType> ObjectFilter preProcessObjectFilter(String[] strArr, AuthorizationPhaseType authorizationPhaseType, Class<T> cls, PrismObject<O> prismObject, ObjectFilter objectFilter, String str, List<OrderConstraintsType> list, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        MidPointPrincipal midPointPrincipal = getMidPointPrincipal();
        if (LOGGER.isTraceEnabled()) {
            LOGGER.trace("AUTZ: evaluating search pre-process principal={}, searchResultType={}, object={}: orig filter {}", getUsername(midPointPrincipal), cls, prismObject, objectFilter);
        }
        if (objectFilter == null) {
            objectFilter = FilterCreationUtil.createAll(this.prismContext);
        }
        FilterGizmoObjectFilterImpl filterGizmoObjectFilterImpl = new FilterGizmoObjectFilterImpl(this.prismContext);
        ObjectFilter and = filterGizmoObjectFilterImpl.and(objectFilter, (ObjectFilter) computeSecurityFilter(midPointPrincipal, strArr, authorizationPhaseType, cls, prismObject, objectFilter, str, list, filterGizmoObjectFilterImpl, task, operationResult));
        if (LOGGER.isTraceEnabled()) {
            LOGGER.trace("AUTZ: evaluated search pre-process principal={}, objectType={}: {}", getUsername(midPointPrincipal), getObjectType(cls), and);
        }
        if (and instanceof AllFilter) {
            return null;
        }
        return and;
    }

    /* JADX WARN: Multi-variable type inference failed */
    @Override // com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer
    public <T extends ObjectType, O extends ObjectType, F> F computeSecurityFilter(MidPointPrincipal midPointPrincipal, String[] strArr, AuthorizationPhaseType authorizationPhaseType, Class<T> cls, PrismObject<O> prismObject, ObjectFilter objectFilter, String str, List<OrderConstraintsType> list, FilterGizmo<F> filterGizmo, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        if (LOGGER.isTraceEnabled()) {
            LOGGER.trace("AUTZ: computing security filter principal={}, searchResultType={}, object={}: orig filter {}", getUsername(midPointPrincipal), cls, prismObject, objectFilter);
        }
        Object computeSecurityFilterPhase = authorizationPhaseType != null ? computeSecurityFilterPhase(midPointPrincipal, strArr, authorizationPhaseType, true, cls, prismObject, true, objectFilter, str, list, filterGizmo, "search pre-process", task, operationResult) : filterGizmo.or(computeSecurityFilterPhase(midPointPrincipal, strArr, null, false, cls, prismObject, true, objectFilter, str, list, filterGizmo, "search pre-process", task, operationResult), filterGizmo.and(computeSecurityFilterPhase(midPointPrincipal, strArr, AuthorizationPhaseType.REQUEST, false, cls, prismObject, true, objectFilter, str, list, filterGizmo, "search pre-process", task, operationResult), computeSecurityFilterPhase(midPointPrincipal, strArr, AuthorizationPhaseType.EXECUTION, false, cls, prismObject, true, objectFilter, str, list, filterGizmo, "search pre-process", task, operationResult)));
        if (LOGGER.isTraceEnabled()) {
            LOGGER.trace("AUTZ: computed security filter principal={}, objectType={}: {}", getUsername(midPointPrincipal), getObjectType(cls), computeSecurityFilterPhase);
        }
        return (F) computeSecurityFilterPhase;
    }

    @Override // com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer
    public <T extends ObjectType, O extends ObjectType> boolean canSearch(String[] strArr, AuthorizationPhaseType authorizationPhaseType, Class<T> cls, PrismObject<O> prismObject, boolean z, ObjectFilter objectFilter, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        MidPointPrincipal midPointPrincipal = getMidPointPrincipal();
        if (LOGGER.isTraceEnabled()) {
            LOGGER.trace("AUTZ: evaluating search permission principal={}, searchResultType={}, object={}: filter {}", getUsername(midPointPrincipal), cls, prismObject, objectFilter);
        }
        if (objectFilter == null) {
            return true;
        }
        FilterGizmoObjectFilterImpl filterGizmoObjectFilterImpl = new FilterGizmoObjectFilterImpl(this.prismContext);
        ObjectFilter simplify = ObjectQueryUtil.simplify(ObjectQueryUtil.filterAnd(objectFilter, authorizationPhaseType != null ? (ObjectFilter) computeSecurityFilterPhase(midPointPrincipal, strArr, authorizationPhaseType, true, cls, prismObject, z, objectFilter, null, null, filterGizmoObjectFilterImpl, "search permission", task, operationResult) : ObjectQueryUtil.filterOr((ObjectFilter) computeSecurityFilterPhase(midPointPrincipal, strArr, null, false, cls, prismObject, z, objectFilter, null, null, filterGizmoObjectFilterImpl, "search permission", task, operationResult), ObjectQueryUtil.filterAnd((ObjectFilter) computeSecurityFilterPhase(midPointPrincipal, strArr, AuthorizationPhaseType.REQUEST, false, cls, prismObject, z, objectFilter, null, null, filterGizmoObjectFilterImpl, "search permission", task, operationResult), (ObjectFilter) computeSecurityFilterPhase(midPointPrincipal, strArr, AuthorizationPhaseType.EXECUTION, false, cls, prismObject, z, objectFilter, null, null, filterGizmoObjectFilterImpl, "search permission", task, operationResult), this.prismContext), this.prismContext), this.prismContext), this.prismContext);
        boolean z2 = !(simplify instanceof NoneFilter);
        if (LOGGER.isTraceEnabled()) {
            LOGGER.trace("AUTZ: evaluated search permission principal={}, objectType={}, evulated from filter: {}: decision={}", getUsername(midPointPrincipal), getObjectType(cls), simplify, Boolean.valueOf(z2));
        }
        return z2;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v180, types: [com.evolveum.midpoint.prism.query.ObjectFilter] */
    /* JADX WARN: Type inference failed for: r0v181, types: [com.evolveum.midpoint.prism.query.TypeFilter] */
    /* JADX WARN: Type inference failed for: r11v0, types: [com.evolveum.midpoint.security.enforcer.impl.SecurityEnforcerImpl] */
    /* JADX WARN: Type inference failed for: r22v0, types: [com.evolveum.midpoint.security.enforcer.api.FilterGizmo, com.evolveum.midpoint.security.enforcer.api.FilterGizmo<F>] */
    private <T extends ObjectType, O extends ObjectType, F> F computeSecurityFilterPhase(MidPointPrincipal midPointPrincipal, String[] strArr, AuthorizationPhaseType authorizationPhaseType, boolean z, Class<T> cls, PrismObject<O> prismObject, boolean z2, ObjectFilter objectFilter, String str, List<OrderConstraintsType> list, FilterGizmo<F> filterGizmo, String str2, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        List<OwnedObjectSelectorType> object;
        String str3;
        S_FilterExit isChildOf;
        Collection<Authorization> authorities = getAuthorities(midPointPrincipal);
        Object obj = null;
        Object obj2 = null;
        QueryAutzItemPaths queryAutzItemPaths = new QueryAutzItemPaths();
        queryAutzItemPaths.addRequiredItems(objectFilter);
        LOGGER.trace("  phase={}, initial query items spec {}", authorizationPhaseType, queryAutzItemPaths.shortDumpLazily());
        if (authorities != null) {
            for (Authorization authorization : authorities) {
                String humanReadableDesc = authorization.getHumanReadableDesc();
                LOGGER.trace("    Evaluating {}", humanReadableDesc);
                if (isApplicableForActions(authorization, strArr)) {
                    if (authorization.getPhase() == authorizationPhaseType || (z && authorization.getPhase() == null)) {
                        LOGGER.trace("      Authorization is applicable for phases {} (continuing evaluation)", authorizationPhaseType);
                        if (isApplicableLimitations(authorization, str)) {
                            if (isApplicableOrderConstraints(authorization, list)) {
                                AllFilter allFilter = null;
                                if (prismObject == null) {
                                    object = authorization.getObject();
                                    str3 = "object";
                                } else {
                                    object = authorization.getTarget();
                                    str3 = "target";
                                    if (isApplicable(authorization.getObject(), prismObject, true, midPointPrincipal, null, "object", humanReadableDesc, task, operationResult)) {
                                        LOGGER.trace("      Authorization is applicable for object {}", prismObject);
                                    } else {
                                        LOGGER.trace("      Authorization is not applicable for object {}", prismObject);
                                    }
                                }
                                boolean z3 = true;
                                if (object == null || object.isEmpty()) {
                                    LOGGER.trace("      No {} specification in authorization (authorization is universally applicable)", str3);
                                    allFilter = FilterCreationUtil.createAll(this.prismContext);
                                } else {
                                    z3 = false;
                                    for (OwnedObjectSelectorType ownedObjectSelectorType : object) {
                                        ObjectFilter objectFilter2 = null;
                                        ObjectFilter objectFilter3 = null;
                                        SearchFilterType filter = ownedObjectSelectorType.getFilter();
                                        ObjectReferenceType orgRef = ownedObjectSelectorType.getOrgRef();
                                        List<ObjectReferenceType> archetypeRef = ownedObjectSelectorType.getArchetypeRef();
                                        OrgRelationObjectSpecificationType orgRelation = ownedObjectSelectorType.getOrgRelation();
                                        RoleRelationObjectSpecificationType roleRelation = ownedObjectSelectorType.getRoleRelation();
                                        TenantSelectorType tenant = ownedObjectSelectorType.getTenant();
                                        QName type = ownedObjectSelectorType.getType();
                                        PrismObjectDefinition prismObjectDefinition = null;
                                        if (type != null) {
                                            type = this.prismContext.getSchemaRegistry().qualifyTypeName(type);
                                            PrismObjectDefinition findObjectDefinitionByType = this.prismContext.getSchemaRegistry().findObjectDefinitionByType(type);
                                            if (findObjectDefinitionByType == null) {
                                                throw new SchemaException("Unknown object type " + type + " in " + humanReadableDesc);
                                            }
                                            Class<?> compileTimeClass = findObjectDefinitionByType.getCompileTimeClass();
                                            if (cls.equals(compileTimeClass)) {
                                                traceClassMatch("Authorization is applicable for object because of type exact match", compileTimeClass, cls);
                                            } else if (cls.isAssignableFrom(compileTimeClass)) {
                                                traceClassMatch("Authorization is applicable for object because of type match, adding more specific type filter", compileTimeClass, cls);
                                                objectFilter3 = this.prismContext.queryFactory().createType(type, null);
                                                prismObjectDefinition = findObjectDefinitionByType;
                                            } else {
                                                traceClassMatch("Authorization not applicable for object because of type mismatch", compileTimeClass, cls);
                                            }
                                        }
                                        if (ownedObjectSelectorType.getOwner() != null) {
                                            if (prismObjectDefinition == null) {
                                                prismObjectDefinition = this.prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(cls);
                                            }
                                            if (TaskType.class.isAssignableFrom(cls)) {
                                                objectFilter2 = applyOwnerFilterOwnerRef(TaskType.F_OWNER_REF, null, midPointPrincipal, prismObjectDefinition);
                                            } else {
                                                LOGGER.trace("      Authorization not applicable for object because it has owner specification (this is not applicable for search)");
                                            }
                                        }
                                        if (ownedObjectSelectorType.getRequester() != null) {
                                            if (CaseType.class.isAssignableFrom(cls)) {
                                                objectFilter2 = applyRequestorFilter(objectFilter2, midPointPrincipal);
                                            } else {
                                                LOGGER.trace("      Authorization not applicable for object because it has requester specification (this is not applicable for search for objects other than CaseType)");
                                            }
                                        }
                                        if (ownedObjectSelectorType.getRelatedObject() != null) {
                                            if (CaseType.class.isAssignableFrom(cls) || TaskType.class.isAssignableFrom(cls)) {
                                                objectFilter2 = applyRelatedObjectFilter(cls, objectFilter2, midPointPrincipal);
                                            } else {
                                                LOGGER.trace("      Authorization not applicable for object because it has related object specification (this is not applicable for search for objects other than CaseType and TaskType)");
                                            }
                                        }
                                        if (ownedObjectSelectorType.getAssignee() != null) {
                                            if (CaseType.class.isAssignableFrom(cls)) {
                                                objectFilter2 = applyAssigneeFilter(objectFilter2, midPointPrincipal);
                                            } else {
                                                LOGGER.trace("      Authorization not applicable for object because it has assignee specification (this is not applicable for search for objects other than CaseType)");
                                            }
                                        }
                                        if (ownedObjectSelectorType.getDelegator() != null) {
                                            LOGGER.trace("      Authorization not applicable for object because it has delegator specification (this is not applicable for search)");
                                        } else {
                                            z3 = true;
                                            List<SpecialObjectSpecificationType> special = ownedObjectSelectorType.getSpecial();
                                            if (special == null || special.isEmpty()) {
                                                LOGGER.trace("      specials empty: {}", special);
                                            } else {
                                                if (!z2) {
                                                    LOGGER.trace("      Skipping authorization, because specials are present: {}", special);
                                                    z3 = false;
                                                }
                                                if (filter != null || orgRef != null || orgRelation != null || roleRelation != null || tenant != null || !archetypeRef.isEmpty()) {
                                                    throw new SchemaException("Both filter/org/role/archetype/tenant and special object specification specified in authorization");
                                                }
                                                ObjectFilter objectFilter4 = null;
                                                for (SpecialObjectSpecificationType specialObjectSpecificationType : special) {
                                                    if (specialObjectSpecificationType != SpecialObjectSpecificationType.SELF) {
                                                        throw new SchemaException("Unsupported special object specification specified in authorization: " + specialObjectSpecificationType);
                                                    }
                                                    objectFilter4 = ObjectQueryUtil.filterOr(objectFilter4, this.prismContext.queryFactory().createInOid(midPointPrincipal.getOid()), this.prismContext);
                                                }
                                                objectFilter2 = type != null ? this.prismContext.queryFactory().createType(type, objectFilter4) : objectFilter4;
                                            }
                                            if (filter != null) {
                                                if (prismObjectDefinition == null) {
                                                    prismObjectDefinition = this.prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(cls);
                                                }
                                                ObjectFilter parseAndEvaluateFilter = parseAndEvaluateFilter(midPointPrincipal, prismObjectDefinition, filter, str3, humanReadableDesc, task, operationResult);
                                                if (parseAndEvaluateFilter != null) {
                                                    ObjectQueryUtil.assertNotRaw(parseAndEvaluateFilter, "Filter in authorization object has undefined items. Maybe a 'type' specification is missing in the authorization?");
                                                    ObjectQueryUtil.assertPropertyOnly(parseAndEvaluateFilter, "Filter in authorization object is not property-only filter");
                                                }
                                                LOGGER.trace("      applying property filter {}", parseAndEvaluateFilter);
                                                objectFilter2 = ObjectQueryUtil.filterAnd(objectFilter2, parseAndEvaluateFilter, this.prismContext);
                                            } else {
                                                LOGGER.trace("      filter empty (assuming \"all\")");
                                                if (objectFilter2 == null) {
                                                    objectFilter2 = this.prismContext.queryFactory().createAll();
                                                }
                                            }
                                            if (archetypeRef.isEmpty()) {
                                                LOGGER.trace("      archetype empty");
                                            } else {
                                                ObjectFilter objectFilter5 = null;
                                                Iterator<ObjectReferenceType> it = archetypeRef.iterator();
                                                while (it.hasNext()) {
                                                    objectFilter5 = ObjectQueryUtil.filterOr(objectFilter5, this.prismContext.queryFor(AssignmentHolderType.class).item(AssignmentHolderType.F_ARCHETYPE_REF).ref(it.next().getOid()).buildFilter(), this.prismContext);
                                                }
                                                objectFilter2 = ObjectQueryUtil.filterAnd(objectFilter2, objectFilter5, this.prismContext);
                                                LOGGER.trace("      applying archetype filter {}", objectFilter5);
                                            }
                                            if (orgRef != null) {
                                                ObjectFilter buildFilter = this.prismContext.queryFor(ObjectType.class).isChildOf(orgRef.getOid()).buildFilter();
                                                objectFilter2 = ObjectQueryUtil.filterAnd(objectFilter2, buildFilter, this.prismContext);
                                                LOGGER.trace("      applying org filter {}", buildFilter);
                                            } else {
                                                LOGGER.trace("      org empty");
                                            }
                                            if (orgRelation != null) {
                                                ObjectFilter objectFilter6 = null;
                                                QName subjectRelation = orgRelation.getSubjectRelation();
                                                for (ObjectReferenceType objectReferenceType : midPointPrincipal.getFocus().getParentOrgRef()) {
                                                    if (this.prismContext.relationMatches(subjectRelation, objectReferenceType.getRelation())) {
                                                        S_FilterEntryOrEmpty queryFor = this.prismContext.queryFor(ObjectType.class);
                                                        if (orgRelation.getScope() == null || orgRelation.getScope() == OrgScopeType.ALL_DESCENDANTS) {
                                                            isChildOf = queryFor.isChildOf(objectReferenceType.getOid());
                                                        } else if (orgRelation.getScope() == OrgScopeType.DIRECT_DESCENDANTS) {
                                                            isChildOf = queryFor.isDirectChildOf(objectReferenceType.getOid());
                                                        } else {
                                                            if (orgRelation.getScope() != OrgScopeType.ALL_ANCESTORS) {
                                                                throw new UnsupportedOperationException("Unknown orgRelation scope " + orgRelation.getScope());
                                                            }
                                                            isChildOf = queryFor.isParentOf(objectReferenceType.getOid());
                                                        }
                                                        if (BooleanUtils.isTrue(orgRelation.isIncludeReferenceOrg())) {
                                                            isChildOf = isChildOf.or().id(objectReferenceType.getOid());
                                                        }
                                                        objectFilter6 = ObjectQueryUtil.filterOr(objectFilter6, isChildOf.buildFilter(), this.prismContext);
                                                    }
                                                }
                                                if (objectFilter6 == null) {
                                                    objectFilter6 = FilterCreationUtil.createNone(this.prismContext);
                                                }
                                                objectFilter2 = ObjectQueryUtil.filterAnd(objectFilter2, objectFilter6, this.prismContext);
                                                LOGGER.trace("      applying orgRelation filter {}", objectFilter6);
                                            } else {
                                                LOGGER.trace("      orgRelation empty");
                                            }
                                            if (roleRelation != null) {
                                                ObjectFilter processRoleRelationFilter = processRoleRelationFilter(midPointPrincipal, authorization, roleRelation, queryAutzItemPaths, objectFilter);
                                                if (processRoleRelationFilter == null) {
                                                    if (authorization.maySkipOnSearch()) {
                                                        LOGGER.trace("      not applying roleRelation filter {} because it is not efficient and maySkipOnSearch is set", processRoleRelationFilter);
                                                        z3 = false;
                                                    } else {
                                                        processRoleRelationFilter = FilterCreationUtil.createNone(this.prismContext);
                                                    }
                                                }
                                                if (processRoleRelationFilter != null) {
                                                    objectFilter2 = ObjectQueryUtil.filterAnd(objectFilter2, processRoleRelationFilter, this.prismContext);
                                                    LOGGER.trace("      applying roleRelation filter {}", processRoleRelationFilter);
                                                }
                                            } else {
                                                LOGGER.trace("      roleRelation empty");
                                            }
                                            if (tenant != null) {
                                                ObjectFilter processTenantFilter = processTenantFilter(midPointPrincipal, authorization, tenant, queryAutzItemPaths, objectFilter);
                                                if (processTenantFilter == null) {
                                                    if (authorization.maySkipOnSearch()) {
                                                        LOGGER.trace("      not applying tenant filter {} because it is not efficient and maySkipOnSearch is set", processTenantFilter);
                                                        z3 = false;
                                                    } else {
                                                        processTenantFilter = FilterCreationUtil.createNone(this.prismContext);
                                                    }
                                                }
                                                if (processTenantFilter != null) {
                                                    objectFilter2 = ObjectQueryUtil.filterAnd(objectFilter2, processTenantFilter, this.prismContext);
                                                    LOGGER.trace("      applying tenant filter {}", processTenantFilter);
                                                }
                                            } else {
                                                LOGGER.trace("      tenant empty");
                                            }
                                            if (objectFilter3 != null) {
                                                objectFilter3.setFilter(objectFilter2);
                                                objectFilter2 = objectFilter3;
                                            }
                                            traceFilter("objSpecSecurityFilter", ownedObjectSelectorType, objectFilter2);
                                            allFilter = ObjectQueryUtil.filterOr(allFilter, objectFilter2, this.prismContext);
                                        }
                                    }
                                }
                                traceFilter("autzObjSecurityFilter", authorization, allFilter);
                                if (z3) {
                                    Object adopt = filterGizmo.adopt(ObjectQueryUtil.simplify(allFilter, this.prismContext), authorization);
                                    AuthorizationDecisionType decision = authorization.getDecision();
                                    if (decision == null || decision == AuthorizationDecisionType.ALLOW) {
                                        obj = filterGizmo.or(obj, adopt);
                                        traceFilter("securityFilterAllow", authorization, obj, filterGizmo);
                                        if (!filterGizmo.isNone(adopt)) {
                                            queryAutzItemPaths.collectItems(authorization);
                                        }
                                    } else if (!authorization.hasItemSpecification()) {
                                        if (filterGizmo.isAll(adopt)) {
                                            if (LOGGER.isTraceEnabled()) {
                                                LOGGER.trace("  phase={} done: principal={}, operation={}, {}: deny all", authorizationPhaseType, getUsername(midPointPrincipal), prettyActionUrl(strArr), str2);
                                            }
                                            F f = (F) filterGizmo.createDenyAll();
                                            traceFilter("secFilter", null, f, filterGizmo);
                                            return f;
                                        }
                                        obj2 = filterGizmo.or(obj2, adopt);
                                    }
                                }
                                traceFilter("securityFilterAllow", authorization, obj, filterGizmo);
                                traceFilter("securityFilterDeny", authorization, obj2, filterGizmo);
                            } else if (LOGGER.isTraceEnabled()) {
                                LOGGER.trace("      Authorization not applicable for orderConstraints {}", SchemaDebugUtil.shortDumpOrderConstraintsList(list));
                            }
                        } else if (LOGGER.isTraceEnabled()) {
                            LOGGER.trace("      Authorization is limited to other action, not applicable for operation {}", prettyActionUrl(strArr));
                        }
                    } else {
                        LOGGER.trace("      Authorization is not applicable for phase {} (includeNullPhase={})", authorizationPhaseType, Boolean.valueOf(z));
                    }
                } else if (LOGGER.isTraceEnabled()) {
                    LOGGER.trace("      Authorization not applicable for operation {}", prettyActionUrl(strArr));
                }
            }
        }
        traceFilter("securityFilterAllow", null, obj, filterGizmo);
        traceFilter("securityFilterDeny", null, obj2, filterGizmo);
        LOGGER.trace("  final items: {}", queryAutzItemPaths.shortDumpLazily());
        List<ItemPath> evaluateUnsatisfiedItems = queryAutzItemPaths.evaluateUnsatisfiedItems();
        if (!evaluateUnsatisfiedItems.isEmpty()) {
            if (LOGGER.isTraceEnabled()) {
                LOGGER.trace("  phase={} done: principal={}, operation={}, {}: deny because items {} are not allowed", authorizationPhaseType, getUsername(midPointPrincipal), prettyActionUrl(strArr), str2, evaluateUnsatisfiedItems);
            }
            F f2 = (F) filterGizmo.createDenyAll();
            traceFilter("secFilter", null, f2, filterGizmo);
            return f2;
        }
        F f3 = (F) filterGizmo.simplify(obj);
        if (f3 == null) {
            if (LOGGER.isTraceEnabled()) {
                LOGGER.trace("  phase={} done: principal={}, operation={}, {}: default deny", authorizationPhaseType, getUsername(midPointPrincipal), prettyActionUrl(strArr), str2);
            }
            F f4 = (F) filterGizmo.createDenyAll();
            traceFilter("secFilter", null, f4, filterGizmo);
            return f4;
        }
        if (obj2 == null) {
            if (LOGGER.isTraceEnabled()) {
                Trace trace = LOGGER;
                Object[] objArr = new Object[5];
                objArr[0] = authorizationPhaseType;
                objArr[1] = getUsername(midPointPrincipal);
                objArr[2] = prettyActionUrl(strArr);
                objArr[3] = str2;
                objArr[4] = f3 == null ? "null" : filterGizmo.debugDumpFilter(f3, 2);
                trace.trace("  phase={} done: principal={}, operation={}, {}: allow\n  Filter:\n{}", objArr);
            }
            traceFilter("securityFilterAllow", null, f3, filterGizmo);
            return f3;
        }
        F f5 = (F) filterGizmo.and(f3, filterGizmo.not(obj2));
        if (LOGGER.isTraceEnabled()) {
            Trace trace2 = LOGGER;
            Object[] objArr2 = new Object[5];
            objArr2[0] = authorizationPhaseType;
            objArr2[1] = getUsername(midPointPrincipal);
            objArr2[2] = prettyActionUrl(strArr);
            objArr2[3] = str2;
            objArr2[4] = f5 == null ? "null" : filterGizmo.debugDumpFilter(f5, 2);
            trace2.trace("  phase={} done: principal={}, operation={}, {}: allow (with deny clauses)\n  Filter:\n{}", objArr2);
        }
        traceFilter("secFilter", null, f5, filterGizmo);
        return f5;
    }

    private boolean isApplicableForActions(Authorization authorization, String[] strArr) {
        List<String> action = authorization.getAction();
        if (action.contains(AuthorizationConstants.AUTZ_ALL_URL)) {
            return true;
        }
        for (String str : strArr) {
            if (action.contains(str)) {
                return true;
            }
        }
        return false;
    }

    private boolean isApplicableLimitations(Authorization authorization, String str) {
        AuthorizationLimitationsType limitations;
        if (str == null || (limitations = authorization.getLimitations()) == null) {
            return true;
        }
        List<String> action = limitations.getAction();
        if (action.isEmpty()) {
            return true;
        }
        return action.contains(str);
    }

    private boolean isApplicableRelation(Authorization authorization, QName qName) {
        List<QName> relation = authorization.getRelation();
        if (relation == null || relation.isEmpty()) {
            return true;
        }
        return QNameUtil.contains(relation, qName);
    }

    private boolean isApplicableOrderConstraints(Authorization authorization, List<OrderConstraintsType> list) {
        if (authorization.getAction().contains(AuthorizationConstants.AUTZ_ALL_URL)) {
            return true;
        }
        OrderConstraintsType orderConstraints = authorization.getOrderConstraints();
        if (list == null || list.isEmpty()) {
            return orderConstraints == null;
        }
        Iterator<OrderConstraintsType> it = list.iterator();
        while (it.hasNext()) {
            if (!isSubset(it.next(), orderConstraints)) {
                return false;
            }
        }
        return true;
    }

    private boolean isSubset(OrderConstraintsType orderConstraintsType, OrderConstraintsType orderConstraintsType2) {
        Integer multiplicityToInteger;
        Integer multiplicityToInteger2;
        if (orderConstraintsType2 == null) {
            multiplicityToInteger = 0;
            multiplicityToInteger2 = 0;
        } else {
            if (orderConstraintsType2.getRelation() != null) {
                throw new UnsupportedOperationException("Complex order constraints with relation not supported in authorizations");
            }
            if (orderConstraintsType2.getResetOrder() != null) {
                throw new UnsupportedOperationException("Complex order constraints with resetOrder not supported in authorizations");
            }
            Integer order = orderConstraintsType2.getOrder();
            multiplicityToInteger = XsdTypeMapper.multiplicityToInteger(orderConstraintsType2.getOrderMin());
            if (multiplicityToInteger == null) {
                multiplicityToInteger = order == null ? 0 : order;
            }
            multiplicityToInteger2 = XsdTypeMapper.multiplicityToInteger(orderConstraintsType2.getOrderMax());
            if (multiplicityToInteger2 == null) {
                multiplicityToInteger2 = order == null ? 0 : order;
            }
        }
        Integer order2 = orderConstraintsType.getOrder();
        Integer multiplicityToInteger3 = XsdTypeMapper.multiplicityToInteger(orderConstraintsType.getOrderMin());
        if (multiplicityToInteger3 == null) {
            multiplicityToInteger3 = order2;
        }
        Integer multiplicityToInteger4 = XsdTypeMapper.multiplicityToInteger(orderConstraintsType.getOrderMax());
        if (multiplicityToInteger4 == null) {
            multiplicityToInteger4 = order2;
        }
        if (multiplicityToInteger.intValue() < 0 || multiplicityToInteger3.intValue() < 0 || multiplicityToInteger3.intValue() < multiplicityToInteger.intValue()) {
            return false;
        }
        if (multiplicityToInteger2.intValue() < 0) {
            return true;
        }
        return multiplicityToInteger4.intValue() >= 0 && multiplicityToInteger4.intValue() <= multiplicityToInteger2.intValue();
    }

    private void traceClassMatch(String str, Class<?> cls, Class<?> cls2) {
        if (LOGGER.isTraceEnabled()) {
            LOGGER.trace("      {}, authorization {}, query {}", str, cls.getSimpleName(), cls2.getSimpleName());
        }
    }

    private ObjectFilter processRoleRelationFilter(MidPointPrincipal midPointPrincipal, Authorization authorization, RoleRelationObjectSpecificationType roleRelationObjectSpecificationType, AutzItemPaths autzItemPaths, ObjectFilter objectFilter) {
        if (BooleanUtils.isTrue(roleRelationObjectSpecificationType.isIncludeReferenceRole()) && !authorization.maySkipOnSearch()) {
            throw new UnsupportedOperationException("Inefficient roleRelation search (includeReferenceRole=true) is not supported yet");
        }
        ObjectFilter objectFilter2 = null;
        if (!BooleanUtils.isFalse(roleRelationObjectSpecificationType.isIncludeMembers())) {
            List<PrismReferenceValue> roleOidsFromFilter = getRoleOidsFromFilter(objectFilter);
            if (roleOidsFromFilter != null && !roleOidsFromFilter.isEmpty()) {
                List<QName> subjectRelation = roleRelationObjectSpecificationType.getSubjectRelation();
                boolean z = false;
                Iterator<ObjectReferenceType> it = midPointPrincipal.getFocus().getRoleMembershipRef().iterator();
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    ObjectReferenceType next = it.next();
                    if (this.prismContext.relationMatches(subjectRelation, next.getRelation()) && PrismValueCollectionsUtil.containsOid(roleOidsFromFilter, next.getOid())) {
                        z = true;
                        break;
                    }
                }
                objectFilter2 = z ? FilterCreationUtil.createAll(this.prismContext) : FilterCreationUtil.createNone(this.prismContext);
            } else if (!authorization.maySkipOnSearch()) {
                throw new UnsupportedOperationException("Inefficient roleRelation search (includeMembers=true without role in the original query) is not supported yet");
            }
        }
        return ObjectQueryUtil.filterOr(null, objectFilter2, this.prismContext);
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v29, types: [com.evolveum.midpoint.prism.query.ObjectFilter] */
    /* JADX WARN: Type inference failed for: r0v37, types: [com.evolveum.midpoint.prism.query.ObjectFilter] */
    private ObjectFilter processTenantFilter(MidPointPrincipal midPointPrincipal, Authorization authorization, TenantSelectorType tenantSelectorType, AutzItemPaths autzItemPaths, ObjectFilter objectFilter) {
        NoneFilter createNone;
        if (BooleanUtils.isTrue(tenantSelectorType.isSameAsSubject())) {
            ObjectReferenceType tenantRef = midPointPrincipal.getFocus().getTenantRef();
            if (tenantRef == null || tenantRef.getOid() == null) {
                LOGGER.trace("    subject tenant empty (none filter)");
                createNone = FilterCreationUtil.createNone(this.prismContext);
            } else {
                createNone = this.prismContext.queryFor(ObjectType.class).item(ObjectType.F_TENANT_REF).ref(tenantRef.getOid()).buildFilter();
            }
            if (!BooleanUtils.isTrue(tenantSelectorType.isIncludeTenantOrg())) {
                createNone = ObjectQueryUtil.filterAnd(createNone, this.prismContext.queryFor(ObjectType.class).not().type(OrgType.class).item(OrgType.F_TENANT).eq(true).buildFilter(), this.prismContext);
            }
            LOGGER.trace("    applying tenant filter {}", createNone);
        } else {
            createNone = FilterCreationUtil.createNone(this.prismContext);
            LOGGER.trace("    tenant authorization empty (none filter)");
        }
        return createNone;
    }

    private List<PrismReferenceValue> getRoleOidsFromFilter(ObjectFilter objectFilter) {
        if (objectFilter == null) {
            return null;
        }
        if ((objectFilter instanceof RefFilter) && ((RefFilter) objectFilter).getPath().equivalent(SchemaConstants.PATH_ROLE_MEMBERSHIP_REF)) {
            return ((RefFilter) objectFilter).getValues();
        }
        if (!(objectFilter instanceof AndFilter)) {
            return null;
        }
        Iterator<ObjectFilter> it = ((AndFilter) objectFilter).getConditions().iterator();
        while (it.hasNext()) {
            List<PrismReferenceValue> roleOidsFromFilter = getRoleOidsFromFilter(it.next());
            if (roleOidsFromFilter != null && !roleOidsFromFilter.isEmpty()) {
                return roleOidsFromFilter;
            }
        }
        return null;
    }

    private <T extends ObjectType> ObjectFilter applyOwnerFilterOwnerRef(ItemPath itemPath, ObjectFilter objectFilter, MidPointPrincipal midPointPrincipal, PrismObjectDefinition<T> prismObjectDefinition) {
        PrismReferenceDefinition findReferenceDefinition = prismObjectDefinition.findReferenceDefinition(itemPath);
        S_FilterExit ref = this.prismContext.queryFor(AbstractRoleType.class).item(itemPath, findReferenceDefinition).ref(midPointPrincipal.getFocus().getOid());
        for (ObjectReferenceType objectReferenceType : midPointPrincipal.getFocus().getParentOrgRef()) {
            if (this.prismContext.isDefaultRelation(objectReferenceType.getRelation())) {
                ref = ref.or().item(itemPath, findReferenceDefinition).ref(objectReferenceType.getOid());
            }
        }
        ObjectFilter buildFilter = ref.buildFilter();
        ObjectFilter filterAnd = ObjectQueryUtil.filterAnd(objectFilter, buildFilter, this.prismContext);
        LOGGER.trace("  applying owner filter {}", buildFilter);
        return filterAnd;
    }

    private ObjectFilter applyRequestorFilter(ObjectFilter objectFilter, MidPointPrincipal midPointPrincipal) {
        ObjectFilter buildFilter = this.prismContext.queryFor(CaseType.class).item(CaseType.F_REQUESTOR_REF).ref(getSelfAndOtherOids(midPointPrincipal, getDelegatorsForRequestor(midPointPrincipal))).buildFilter();
        ObjectFilter filterAnd = ObjectQueryUtil.filterAnd(objectFilter, buildFilter, this.prismContext);
        LOGGER.trace("  applying requestor filter {}", buildFilter);
        return filterAnd;
    }

    private ObjectFilter applyRelatedObjectFilter(Class<? extends ObjectType> cls, ObjectFilter objectFilter, MidPointPrincipal midPointPrincipal) {
        ObjectFilter buildFilter = this.prismContext.queryFor(cls).item(CaseType.F_OBJECT_REF).ref(getSelfAndOtherOids(midPointPrincipal, getDelegatorsForRelatedObjects(midPointPrincipal))).buildFilter();
        ObjectFilter filterAnd = ObjectQueryUtil.filterAnd(objectFilter, buildFilter, this.prismContext);
        LOGGER.trace("  applying related object filter {}", buildFilter);
        return filterAnd;
    }

    private ObjectFilter applyAssigneeFilter(ObjectFilter objectFilter, MidPointPrincipal midPointPrincipal) {
        ObjectFilter buildFilter = this.prismContext.queryFor(CaseType.class).exists(CaseType.F_WORK_ITEM).block().item(CaseWorkItemType.F_CLOSE_TIMESTAMP).isNull().and().item(CaseWorkItemType.F_ASSIGNEE_REF).ref(getSelfAndOtherOids(midPointPrincipal, getDelegatorsForAssignee(midPointPrincipal))).endBlock().buildFilter();
        ObjectFilter filterAnd = ObjectQueryUtil.filterAnd(objectFilter, buildFilter, this.prismContext);
        LOGGER.trace("  applying assignee filter {}", buildFilter);
        return filterAnd;
    }

    private String[] getSelfAndOtherOids(MidPointPrincipal midPointPrincipal, Collection<String> collection) {
        ArrayList arrayList = new ArrayList(collection.size() + 1);
        CollectionUtils.addIgnoreNull(arrayList, midPointPrincipal.getOid());
        arrayList.addAll(collection);
        return (String[]) arrayList.toArray(new String[0]);
    }

    private void traceFilter(String str, Object obj, ObjectFilter objectFilter) {
        Trace trace = LOGGER;
        Object[] objArr = new Object[3];
        objArr[0] = str;
        objArr[1] = obj;
        objArr[2] = objectFilter == null ? "  null" : objectFilter.debugDump(1);
        trace.trace("FILTER {} for {}:\n{}", objArr);
    }

    private <F> void traceFilter(String str, Object obj, F f, FilterGizmo<F> filterGizmo) {
        LOGGER.trace("FILTER {} for {}:\n{}", str, obj, filterGizmo.debugDumpFilter(f, 1));
    }

    private String getUsername(MidPointPrincipal midPointPrincipal) {
        if (midPointPrincipal == null) {
            return null;
        }
        return midPointPrincipal.getUsername();
    }

    private String prettyActionUrl(String str) {
        return DebugUtil.shortenUrl(AuthorizationConstants.NS_SECURITY_PREFIX, str);
    }

    private String prettyActionUrl(String[] strArr) {
        if (strArr.length == 1) {
            return DebugUtil.shortenUrl(AuthorizationConstants.NS_SECURITY_PREFIX, strArr[0]);
        }
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < strArr.length; i++) {
            sb.append(DebugUtil.shortenUrl(AuthorizationConstants.NS_SECURITY_PREFIX, strArr[i]));
            if (i < strArr.length - 1) {
                sb.append(",");
            }
        }
        return sb.toString();
    }

    private <O extends ObjectType> String getObjectType(Class<O> cls) {
        if (cls == null) {
            return null;
        }
        return cls.getSimpleName();
    }

    @Override // com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer
    public <O extends ObjectType, R extends AbstractRoleType> ItemSecurityConstraints getAllowedRequestAssignmentItems(MidPointPrincipal midPointPrincipal, String str, PrismObject<O> prismObject, PrismObject<R> prismObject2, OwnerResolver ownerResolver, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        ItemSecurityConstraintsImpl itemSecurityConstraintsImpl = new ItemSecurityConstraintsImpl();
        for (Authorization authorization : getAuthorities(midPointPrincipal)) {
            String humanReadableDesc = authorization.getHumanReadableDesc();
            LOGGER.trace("  Evaluating {}", humanReadableDesc);
            if (!authorization.getAction().contains(str) && !authorization.getAction().contains(AuthorizationConstants.AUTZ_ALL_URL)) {
                LOGGER.trace("    {} not applicable for operation {}", humanReadableDesc, str);
            } else if (authorization.getPhase() != null && authorization.getPhase() != AuthorizationPhaseType.REQUEST) {
                LOGGER.trace("    {} is not applicable for phase {} (breaking evaluation)", humanReadableDesc, AuthorizationPhaseType.REQUEST);
            } else if (isApplicable(authorization.getObject(), prismObject, true, midPointPrincipal, ownerResolver, "object", humanReadableDesc, task, operationResult)) {
                LOGGER.trace("    {} applicable for object {} (continuing evaluation)", humanReadableDesc, prismObject);
                if (isApplicable(authorization.getTarget(), prismObject2, true, midPointPrincipal, ownerResolver, "target", humanReadableDesc, task, operationResult)) {
                    LOGGER.trace("    {} applicable for target {} (continuing evaluation)", humanReadableDesc, prismObject);
                    itemSecurityConstraintsImpl.collectItems(authorization);
                } else {
                    LOGGER.trace("    {} not applicable for target {}, none of the target specifications match (breaking evaluation)", humanReadableDesc, prismObject);
                }
            } else {
                LOGGER.trace("    {} not applicable for object {}, none of the object specifications match (breaking evaluation)", humanReadableDesc, prismObject);
            }
        }
        return itemSecurityConstraintsImpl;
    }

    @Override // com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer
    public <F extends FocusType> MidPointPrincipal createDonorPrincipal(MidPointPrincipal midPointPrincipal, String str, PrismObject<F> prismObject, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        if (midPointPrincipal.getAttorney() != null) {
            throw new UnsupportedOperationException("Transitive attorney is not supported yet");
        }
        AuthorizationLimitationsCollector authorizationLimitationsCollector = new AuthorizationLimitationsCollector();
        AuthorizationParameters buildObject = AuthorizationParameters.Builder.buildObject(prismObject);
        if (!isAuthorizedInternal(midPointPrincipal, str, null, buildObject, null, authorizationLimitationsCollector, task, operationResult).equals(AccessDecision.ALLOW)) {
            failAuthorization(str, null, buildObject, operationResult);
        }
        MidPointPrincipal principal = this.securityContextManager.getUserProfileService().getPrincipal(prismObject, authorizationLimitationsCollector, operationResult);
        principal.setAttorney(midPointPrincipal.getFocus());
        principal.setPreviousPrincipal(midPointPrincipal);
        return principal;
    }

    @Override // com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer
    public <O extends ObjectType> AccessDecision determineSubitemDecision(ObjectSecurityConstraints objectSecurityConstraints, ObjectDelta<O> objectDelta, PrismObject<O> prismObject, String str, AuthorizationPhaseType authorizationPhaseType, ItemPath itemPath) {
        return determineDeltaDecision(objectDelta, prismObject, (itemPath2, z) -> {
            return subitemDecide(itemPath2, z, objectSecurityConstraints, str, authorizationPhaseType, itemPath);
        }, (itemPath3, z2) -> {
            return subitemDecide(itemPath3, z2, objectSecurityConstraints, str, AuthorizationPhaseType.EXECUTION, itemPath);
        });
    }

    private AccessDecision subitemDecide(ItemPath itemPath, boolean z, ObjectSecurityConstraints objectSecurityConstraints, String str, AuthorizationPhaseType authorizationPhaseType, ItemPath itemPath2) {
        if (z && isInList(itemPath, AuthorizationConstants.OPERATIONAL_ITEMS_ALLOWED_FOR_CONTAINER_DELETE)) {
            return null;
        }
        if (AuthorizationPhaseType.EXECUTION.equals(authorizationPhaseType) && isInList(itemPath, AuthorizationConstants.EXECUTION_ITEMS_ALLOWED_BY_DEFAULT)) {
            return null;
        }
        if (itemPath2 == null || itemPath2.isSubPathOrEquivalent(itemPath)) {
            return AccessDecision.translate(objectSecurityConstraints.findItemDecision(itemPath, str, authorizationPhaseType));
        }
        return null;
    }

    @Override // com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer
    public <C extends Containerable> AccessDecision determineSubitemDecision(ObjectSecurityConstraints objectSecurityConstraints, PrismContainerValue<C> prismContainerValue, String str, AuthorizationPhaseType authorizationPhaseType, ItemPath itemPath, PlusMinusZero plusMinusZero, String str2) {
        boolean z = false;
        if (plusMinusZero == PlusMinusZero.MINUS) {
            z = true;
        }
        return determineContainerDecision(prismContainerValue, (itemPath2, z2) -> {
            if (z2 && isInList(itemPath2, AuthorizationConstants.OPERATIONAL_ITEMS_ALLOWED_FOR_CONTAINER_DELETE)) {
                return null;
            }
            if (AuthorizationPhaseType.EXECUTION.equals(authorizationPhaseType) && isInList(itemPath2, AuthorizationConstants.EXECUTION_ITEMS_ALLOWED_BY_DEFAULT)) {
                return null;
            }
            if (itemPath == null || itemPath.isSubPathOrEquivalent(itemPath2)) {
                return AccessDecision.translate(objectSecurityConstraints.findItemDecision(itemPath2, str, authorizationPhaseType));
            }
            return null;
        }, z, str2);
    }
}
