package com.evolveum.midpoint.model.impl.controller;

import com.evolveum.midpoint.audit.api.AuditEventRecord;
import com.evolveum.midpoint.audit.api.AuditResultHandler;
import com.evolveum.midpoint.audit.api.AuditService;
import com.evolveum.midpoint.model.api.ModelAuditService;
import com.evolveum.midpoint.model.api.ModelAuthorizationAction;
import com.evolveum.midpoint.model.common.util.AuditHelper;
import com.evolveum.midpoint.model.impl.ModelObjectResolver;
import com.evolveum.midpoint.prism.PrismContext;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.query.ObjectQuery;
import com.evolveum.midpoint.schema.DeltaConvertor;
import com.evolveum.midpoint.schema.GetOperationOptions;
import com.evolveum.midpoint.schema.SearchResultList;
import com.evolveum.midpoint.schema.SelectorOptions;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.security.enforcer.api.AuthorizationParameters;
import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.util.DebugUtil;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.audit_3.AuditEventRecordType;
import com.evolveum.midpoint.xml.ns._public.common.audit_3.AuditEventStageType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CleanupPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectDeltaOperationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OperationResultStatusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OperationResultType;
import com.evolveum.prism.xml.ns._public.types_3.ChangeTypeType;
import com.evolveum.prism.xml.ns._public.types_3.ObjectDeltaType;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

@Component
/* loaded from: input_file:WEB-INF/lib/model-impl-4.6-SNAPSHOT.jar:com/evolveum/midpoint/model/impl/controller/AuditController.class */
public class AuditController implements ModelAuditService {
    private static final Trace LOGGER = TraceManager.getTrace((Class<?>) AuditController.class);

    @Autowired
    private AuditService auditService;

    @Autowired
    private AuditHelper auditHelper;

    @Autowired
    private ModelObjectResolver objectResolver;

    @Autowired
    private SecurityEnforcer securityEnforcer;

    @Autowired
    private PrismContext prismContext;

    @Override // com.evolveum.midpoint.model.api.ModelAuditService
    public void audit(AuditEventRecord auditEventRecord, Task task, OperationResult operationResult) throws SecurityViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
        authorize(ModelAuthorizationAction.AUDIT_RECORD, task, operationResult);
        this.auditHelper.audit(auditEventRecord, null, task, operationResult);
    }

    @Override // com.evolveum.midpoint.model.api.ModelAuditService
    @NotNull
    public SearchResultList<AuditEventRecordType> searchObjects(@Nullable ObjectQuery objectQuery, @Nullable Collection<SelectorOptions<GetOperationOptions>> collection, @NotNull Task task, @NotNull OperationResult operationResult) throws SecurityViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
        authorize(ModelAuthorizationAction.AUDIT_READ, task, operationResult);
        return this.auditService.searchObjects(objectQuery, collection, operationResult);
    }

    @Override // com.evolveum.midpoint.model.api.ModelAuditService
    public void searchObjectsIterative(@Nullable ObjectQuery objectQuery, @Nullable Collection<SelectorOptions<GetOperationOptions>> collection, @NotNull AuditResultHandler auditResultHandler, @NotNull Task task, @NotNull OperationResult operationResult) throws SecurityViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
        authorize(ModelAuthorizationAction.AUDIT_READ, task, operationResult);
        this.auditService.searchObjectsIterative(objectQuery, auditResultHandler, collection, operationResult);
    }

    @Override // com.evolveum.midpoint.model.api.ModelAuditService
    public int countObjects(@Nullable ObjectQuery objectQuery, @Nullable Collection<SelectorOptions<GetOperationOptions>> collection, Task task, @NotNull OperationResult operationResult) throws SchemaException, ExpressionEvaluationException, SecurityViolationException, CommunicationException, ConfigurationException, ObjectNotFoundException {
        authorize(ModelAuthorizationAction.AUDIT_READ, task, operationResult);
        return this.auditService.countObjects(objectQuery, collection, operationResult);
    }

    @Override // com.evolveum.midpoint.model.api.ModelAuditService
    public void cleanupAudit(CleanupPolicyType cleanupPolicyType, Task task, OperationResult operationResult) throws SecurityViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
        authorize(ModelAuthorizationAction.AUDIT_MANAGE, task, operationResult);
        this.auditService.cleanupAudit(cleanupPolicyType, operationResult);
    }

    @Override // com.evolveum.midpoint.model.api.ModelAuditService
    public boolean supportsRetrieval() {
        return this.auditService.supportsRetrieval();
    }

    @Override // com.evolveum.midpoint.model.api.ModelAuditService
    public <O extends ObjectType> PrismObject<O> reconstructObject(Class<O> cls, String str, String str2, Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException {
        PrismObject<? extends ObjectType> asPrismObject = this.objectResolver.getObjectSimple(cls, str, null, task, operationResult).asPrismObject();
        List<AuditEventRecordType> arrayList = new ArrayList<>(getChangeTrail(str, str2, operationResult));
        LOGGER.trace("Found change trail for {} containing {} events", str, Integer.valueOf(arrayList.size()));
        LOGGER.debug("TRAIL:\n{}", DebugUtil.debugDumpLazily(arrayList, 1));
        PrismObject<O> objectFromLastEvent = getObjectFromLastEvent(asPrismObject, arrayList, str2);
        return objectFromLastEvent != null ? objectFromLastEvent : rollBackTime(asPrismObject.mo1089clone(), arrayList);
    }

    private List<AuditEventRecordType> getChangeTrail(String str, String str2, OperationResult operationResult) throws ObjectNotFoundException, SchemaException {
        AuditEventRecordType findEvent = findEvent(str2, operationResult);
        if (findEvent == null) {
            throw new ObjectNotFoundException("Audit event ID " + str2 + " was not found");
        }
        LOGGER.trace("Final event:\n{}", findEvent.debugDumpLazily(1));
        return this.auditService.searchObjects(this.prismContext.queryFor(AuditEventRecordType.class).item(AuditEventRecordType.F_REPO_ID).ge(findEvent.getRepoId()).and().item(AuditEventRecordType.F_TARGET_REF).ref(str).and().item(AuditEventRecordType.F_EVENT_STAGE).eq(AuditEventStageType.EXECUTION).desc(AuditEventRecordType.F_REPO_ID).build(), null, operationResult);
    }

    private AuditEventRecordType findEvent(String str, OperationResult operationResult) throws SchemaException {
        SearchResultList<AuditEventRecordType> searchObjects = this.auditService.searchObjects(this.prismContext.queryFor(AuditEventRecordType.class).item(AuditEventRecordType.F_EVENT_IDENTIFIER).eq(str).build(), null, operationResult);
        if (searchObjects.isEmpty()) {
            return null;
        }
        if (searchObjects.size() > 1) {
            LOGGER.error("Found " + searchObjects.size() + " audit records for event ID " + str + " (expecting just one)");
        }
        return searchObjects.get(0);
    }

    private <O extends ObjectType> PrismObject<O> getObjectFromLastEvent(PrismObject<O> prismObject, List<AuditEventRecordType> list, String str) {
        if (list.isEmpty()) {
            return prismObject;
        }
        AuditEventRecordType remove = list.remove(list.size() - 1);
        if (!str.equals(remove.getEventIdentifier())) {
            throw new IllegalStateException("Wrong last event identifier, expected " + str + " but was " + remove.getEventIdentifier());
        }
        for (ObjectDeltaOperationType objectDeltaOperationType : remove.getDelta()) {
            if (isApplicable(objectDeltaOperationType, prismObject, remove)) {
                ObjectDeltaType objectDelta = objectDeltaOperationType.getObjectDelta();
                if (objectDelta.getChangeType() == ChangeTypeType.ADD) {
                    PrismObject<O> asPrismObject = objectDelta.getObjectToAdd().asPrismObject();
                    LOGGER.trace("Taking object from add delta in last event {}:\n{}", remove.getEventIdentifier(), asPrismObject.debugDumpLazily(1));
                    return asPrismObject;
                }
            }
        }
        return null;
    }

    private <O extends ObjectType> PrismObject<O> rollBackTime(PrismObject<O> prismObject, List<AuditEventRecordType> list) throws SchemaException {
        for (AuditEventRecordType auditEventRecordType : list) {
            if (LOGGER.isTraceEnabled()) {
                LOGGER.trace("Applying event {} ({})", auditEventRecordType.getEventIdentifier(), auditEventRecordType.getTimestamp());
            }
            for (ObjectDeltaOperationType objectDeltaOperationType : auditEventRecordType.getDelta()) {
                if (isApplicable(objectDeltaOperationType, prismObject, auditEventRecordType)) {
                    ObjectDelta createObjectDelta = DeltaConvertor.createObjectDelta(objectDeltaOperationType.getObjectDelta(), this.prismContext);
                    if (createObjectDelta.isDelete()) {
                        throw new SchemaException("Delete delta found in the audit trail. Object history cannot be reconstructed.");
                    }
                    if (createObjectDelta.isAdd()) {
                        throw new SchemaException("Add delta found in the audit trail. Object history cannot be reconstructed.");
                    }
                    ObjectDelta createReverseDelta = createObjectDelta.createReverseDelta();
                    if (LOGGER.isTraceEnabled()) {
                        LOGGER.trace("Applying delta (reverse):\n{}", createReverseDelta.debugDump(1));
                    }
                    createReverseDelta.applyTo(prismObject);
                }
            }
            if (LOGGER.isTraceEnabled()) {
                LOGGER.trace("Object after application of event {} ({}):\n{}", auditEventRecordType.getEventIdentifier(), auditEventRecordType.getTimestamp(), prismObject.debugDump(1));
            }
        }
        return prismObject;
    }

    private <O extends ObjectType> boolean isApplicable(ObjectDeltaOperationType objectDeltaOperationType, PrismObject<O> prismObject, AuditEventRecordType auditEventRecordType) {
        OperationResultType executionResult = objectDeltaOperationType.getExecutionResult();
        ObjectDeltaType objectDelta = objectDeltaOperationType.getObjectDelta();
        if (executionResult != null && executionResult.getStatus() == OperationResultStatusType.FATAL_ERROR) {
            LOGGER.trace("Skipping delta {} in event {} because it is {}", objectDelta, auditEventRecordType.getEventIdentifier(), executionResult.getStatus());
            return false;
        }
        if (prismObject.getOid().equals(objectDelta.getOid())) {
            return true;
        }
        if (!LOGGER.isTraceEnabled()) {
            return false;
        }
        LOGGER.trace("Skipping delta {} in event {} because OID does not match ({} vs {})", objectDelta, auditEventRecordType.getEventIdentifier(), prismObject.getOid(), objectDelta.getOid());
        return false;
    }

    private void authorize(ModelAuthorizationAction modelAuthorizationAction, Task task, OperationResult operationResult) throws SecurityViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
        this.securityEnforcer.authorize(modelAuthorizationAction.getUrl(), AuthorizationPhaseType.REQUEST, AuthorizationParameters.EMPTY, null, task, operationResult);
        this.securityEnforcer.authorize(modelAuthorizationAction.getUrl(), AuthorizationPhaseType.EXECUTION, AuthorizationParameters.EMPTY, null, task, operationResult);
    }
}
