package com.evolveum.midpoint.provisioning.impl.shadows;

import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.delta.ItemDelta;
import com.evolveum.midpoint.prism.delta.PropertyDelta;
import com.evolveum.midpoint.prism.path.ItemName;
import com.evolveum.midpoint.provisioning.impl.ProvisioningContext;
import com.evolveum.midpoint.schema.constants.SchemaConstants;
import com.evolveum.midpoint.schema.processor.PropertyLimitations;
import com.evolveum.midpoint.schema.processor.ResourceAttribute;
import com.evolveum.midpoint.schema.processor.ResourceAttributeContainer;
import com.evolveum.midpoint.schema.processor.ResourceAttributeDefinition;
import com.evolveum.midpoint.schema.processor.ResourceObjectDefinition;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.util.ShadowUtil;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.LayerType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
import java.util.Collection;
import org.springframework.stereotype.Component;

/* JADX INFO: Access modifiers changed from: package-private */
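/**
 * Enforces the {@link LayerType#MODEL}-layer {@link PropertyLimitations} of resource attributes
 * for add, modify and read (get) operations on shadows.
 *
 * <p>This listing is JADX decompiler output. Per the JADX notes, the class and its three check
 * methods were package-private in the original bytecode and were widened by the decompiler.
 *
 * <p>In all three checks, an attribute whose definition returns {@code null} limitations for the
 * MODEL layer is treated as allowed, so the restriction is opt-in per attribute.
 */
@Component
/* loaded from: input_file:WEB-INF/lib/provisioning-impl-4.6-SNAPSHOT.jar:com/evolveum/midpoint/provisioning/impl/shadows/AccessChecker.class */
public class AccessChecker {
    private static final String OP_ACCESS_CHECK = AccessChecker.class.getName() + ".accessCheck";
    private static final Trace LOGGER = TraceManager.getTrace(AccessChecker.class);

    AccessChecker() {
    }

    /**
     * Rejects an add operation if the shadow carries an attribute that may not be created.
     *
     * @param provisioningContext source of the object definition used to look up attribute definitions
     * @param prismObject shadow that is about to be added
     * @param operationResult parent result; a minor subresult is created under it
     * @throws SecurityViolationException if any attribute has MODEL-layer limitations with {@code canAdd()} false
     * @throws SchemaException declared by the original signature; presumably raised by the definition
     *         lookup when an attribute has no definition (confirm against findAttributeDefinitionRequired)
     */
    public void checkAdd(ProvisioningContext provisioningContext, PrismObject<ShadowType> prismObject, OperationResult operationResult) throws SecurityViolationException, SchemaException {
        OperationResult result = operationResult.createMinorSubresult(OP_ACCESS_CHECK);
        try {
            // NOTE(review): the attributes container is dereferenced without a null check; confirm
            // that callers never pass a shadow without an attributes container.
            for (ResourceAttribute<?> attribute : ShadowUtil.getAttributesContainer(prismObject).getAttributes()) {
                PropertyLimitations limitations = provisioningContext.getObjectDefinitionRequired()
                        .findAttributeDefinitionRequired(attribute.getElementName())
                        .getLimitations(LayerType.MODEL);
                if (limitations != null && !limitations.canAdd()) {
                    String message = "Attempt to add shadow with non-creatable attribute " + attribute.getElementName();
                    // Logged like the denial in checkModify, so rejected adds are visible in the log
                    // and not only in the operation result.
                    LOGGER.error(message);
                    throw new SecurityViolationException(message);
                }
            }
            result.recordSuccess();
        } catch (Throwable t) {
            result.recordFatalError(t);
            throw t;
        } finally {
            result.computeStatusIfUnknown();
        }
    }

    /**
     * Rejects a modification if it touches an attribute that may not be updated.
     *
     * <p>Only deltas that are {@link PropertyDelta} instances and whose parent path is equivalent to
     * {@link SchemaConstants#PATH_ATTRIBUTES} are checked; every other delta passes through unchecked.
     * NOTE(review): confirm that no other delta kind (for example one that replaces the attributes
     * container as a whole) can reach the resource without passing a comparable check.
     *
     * @param provisioningContext source of the object definition used to look up attribute definitions
     * @param collection deltas that make up the requested modification
     * @param operationResult parent result; a minor subresult is created under it and closed on exit
     * @throws SecurityViolationException if a checked attribute has MODEL-layer limitations with
     *         {@code canModify()} false
     * @throws SchemaException declared by the original signature; presumably raised by the definition
     *         lookup when an attribute has no definition (confirm against findAttributeDefinitionRequired)
     */
    public void checkModify(ProvisioningContext provisioningContext, Collection<? extends ItemDelta<?, ?>> collection, OperationResult operationResult) throws SecurityViolationException, SchemaException {
        ResourceObjectDefinition objectDefinition = provisioningContext.getObjectDefinitionRequired();
        OperationResult result = operationResult.createMinorSubresult(OP_ACCESS_CHECK);
        try {
            for (ItemDelta<?, ?> itemDelta : collection) {
                if (!(itemDelta instanceof PropertyDelta)) {
                    continue;
                }
                PropertyDelta<?> propertyDelta = (PropertyDelta<?>) itemDelta;
                if (!SchemaConstants.PATH_ATTRIBUTES.equivalent(propertyDelta.getParentPath())) {
                    continue;
                }
                ItemName attributeName = propertyDelta.getElementName();
                LOGGER.trace("Checking attribute {} definition present in {}", attributeName, objectDefinition);
                PropertyLimitations limitations = objectDefinition
                        .findAttributeDefinitionRequired(attributeName)
                        .getLimitations(LayerType.MODEL);
                if (limitations != null && !limitations.canModify()) {
                    String message = "Attempt to modify non-updateable attribute " + attributeName;
                    LOGGER.error(message);
                    result.recordFatalError(message);
                    throw new SecurityViolationException(message);
                }
            }
        } finally {
            result.close();
        }
    }

    /**
     * Removes from the container every attribute that may not be read.
     *
     * @param resourceAttributeContainer container to filter; modified in place
     * @param resourceObjectDefinition definition used to look up each attribute
     * @param operationResult parent result; a minor subresult is created under it and closed on exit
     * @throws SchemaException if the container holds an attribute that the definition does not know
     */
    public void filterGetAttributes(ResourceAttributeContainer resourceAttributeContainer, ResourceObjectDefinition resourceObjectDefinition, OperationResult operationResult) throws SchemaException {
        OperationResult result = operationResult.createMinorSubresult(OP_ACCESS_CHECK);
        try {
            // Iterate over a snapshot because the loop removes entries from the container. If
            // getAttributes() returns a live view, removing while iterating can throw
            // ConcurrentModificationException or end the loop early, which would leave a later
            // non-readable attribute in the result. Whether it is a live view is not visible here.
            ResourceAttribute<?>[] snapshot = resourceAttributeContainer.getAttributes().toArray(new ResourceAttribute<?>[0]);
            for (ResourceAttribute<?> attribute : snapshot) {
                ItemName attributeName = attribute.getElementName();
                ResourceAttributeDefinition<?> definition = resourceObjectDefinition.findAttributeDefinition(attributeName);
                if (definition == null) {
                    String message = "Unknown attribute " + attributeName + " in objectclass " + resourceObjectDefinition;
                    result.recordFatalError(message);
                    throw new SchemaException(message);
                }
                PropertyLimitations limitations = definition.getLimitations(LayerType.MODEL);
                if (limitations != null && !limitations.canRead()) {
                    LOGGER.trace("Removing non-readable attribute {}", attributeName);
                    resourceAttributeContainer.remove(attribute);
                }
            }
        } finally {
            result.close();
        }
    }
}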
