package com.evolveum.midpoint.model.impl.controller;

import com.evolveum.midpoint.common.ActivationComputer;
import com.evolveum.midpoint.common.Clock;
import com.evolveum.midpoint.common.refinery.CompositeRefinedObjectClassDefinition;
import com.evolveum.midpoint.common.refinery.LayerRefinedAttributeDefinitionImpl;
import com.evolveum.midpoint.common.refinery.LayerRefinedObjectClassDefinition;
import com.evolveum.midpoint.common.refinery.RefinedObjectClassDefinition;
import com.evolveum.midpoint.common.refinery.RefinedResourceSchemaImpl;
import com.evolveum.midpoint.model.api.ModelAuthorizationAction;
import com.evolveum.midpoint.model.api.ModelExecuteOptions;
import com.evolveum.midpoint.model.api.ModelInteractionService;
import com.evolveum.midpoint.model.api.ModelService;
import com.evolveum.midpoint.model.api.ProgressListener;
import com.evolveum.midpoint.model.api.RoleSelectionSpecification;
import com.evolveum.midpoint.model.api.context.EvaluatedAssignmentTarget;
import com.evolveum.midpoint.model.api.context.ModelContext;
import com.evolveum.midpoint.model.api.hooks.ChangeHook;
import com.evolveum.midpoint.model.api.hooks.HookRegistry;
import com.evolveum.midpoint.model.api.util.DeputyUtils;
import com.evolveum.midpoint.model.api.util.MergeDeltas;
import com.evolveum.midpoint.model.api.visualizer.Scene;
import com.evolveum.midpoint.model.common.SystemObjectCache;
import com.evolveum.midpoint.model.common.mapping.MappingFactory;
import com.evolveum.midpoint.model.common.stringpolicy.AbstractValuePolicyOriginResolver;
import com.evolveum.midpoint.model.common.stringpolicy.ObjectValuePolicyEvaluator;
import com.evolveum.midpoint.model.common.stringpolicy.ShadowValuePolicyOriginResolver;
import com.evolveum.midpoint.model.common.stringpolicy.UserValuePolicyOriginResolver;
import com.evolveum.midpoint.model.common.stringpolicy.ValuePolicyProcessor;
import com.evolveum.midpoint.model.impl.ModelCrudService;
import com.evolveum.midpoint.model.impl.ModelObjectResolver;
import com.evolveum.midpoint.model.impl.lens.AssignmentEvaluator;
import com.evolveum.midpoint.model.impl.lens.ContextFactory;
import com.evolveum.midpoint.model.impl.lens.EvaluatedAssignmentImpl;
import com.evolveum.midpoint.model.impl.lens.LensContext;
import com.evolveum.midpoint.model.impl.lens.LensContextPlaceholder;
import com.evolveum.midpoint.model.impl.lens.LensUtil;
import com.evolveum.midpoint.model.impl.lens.OperationalDataManager;
import com.evolveum.midpoint.model.impl.lens.projector.MappingEvaluator;
import com.evolveum.midpoint.model.impl.lens.projector.Projector;
import com.evolveum.midpoint.model.impl.security.SecurityHelper;
import com.evolveum.midpoint.model.impl.util.ModelImplUtils;
import com.evolveum.midpoint.model.impl.visualizer.Visualizer;
import com.evolveum.midpoint.prism.Containerable;
import com.evolveum.midpoint.prism.Item;
import com.evolveum.midpoint.prism.PrismConstants;
import com.evolveum.midpoint.prism.PrismContainer;
import com.evolveum.midpoint.prism.PrismContainerDefinition;
import com.evolveum.midpoint.prism.PrismContainerValue;
import com.evolveum.midpoint.prism.PrismContext;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.PrismObjectDefinition;
import com.evolveum.midpoint.prism.PrismProperty;
import com.evolveum.midpoint.prism.PrismPropertyDefinition;
import com.evolveum.midpoint.prism.PrismPropertyValue;
import com.evolveum.midpoint.prism.PrismReferenceValue;
import com.evolveum.midpoint.prism.crypto.EncryptionException;
import com.evolveum.midpoint.prism.crypto.Protector;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.delta.PlusMinusZero;
import com.evolveum.midpoint.prism.delta.PropertyDelta;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.prism.polystring.PolyString;
import com.evolveum.midpoint.prism.query.AllFilter;
import com.evolveum.midpoint.prism.query.AndFilter;
import com.evolveum.midpoint.prism.query.EqualFilter;
import com.evolveum.midpoint.prism.query.InOidFilter;
import com.evolveum.midpoint.prism.query.NoneFilter;
import com.evolveum.midpoint.prism.query.NotFilter;
import com.evolveum.midpoint.prism.query.ObjectFilter;
import com.evolveum.midpoint.prism.query.ObjectQuery;
import com.evolveum.midpoint.prism.query.OrFilter;
import com.evolveum.midpoint.prism.query.RefFilter;
import com.evolveum.midpoint.prism.query.TypeFilter;
import com.evolveum.midpoint.prism.query.builder.QueryBuilder;
import com.evolveum.midpoint.prism.util.ItemDeltaItem;
import com.evolveum.midpoint.prism.util.ObjectDeltaObject;
import com.evolveum.midpoint.provisioning.api.ProvisioningService;
import com.evolveum.midpoint.repo.api.PreconditionViolationException;
import com.evolveum.midpoint.repo.api.RepositoryService;
import com.evolveum.midpoint.repo.cache.RepositoryCache;
import com.evolveum.midpoint.repo.common.expression.ExpressionFactory;
import com.evolveum.midpoint.repo.common.expression.ExpressionVariables;
import com.evolveum.midpoint.schema.GetOperationOptions;
import com.evolveum.midpoint.schema.RelationRegistry;
import com.evolveum.midpoint.schema.ResourceShadowDiscriminator;
import com.evolveum.midpoint.schema.RetrieveOption;
import com.evolveum.midpoint.schema.SelectorOptions;
import com.evolveum.midpoint.schema.constants.SchemaConstants;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.result.OperationResultStatus;
import com.evolveum.midpoint.schema.statistics.ConnectorOperationalStatus;
import com.evolveum.midpoint.schema.util.LocalizationUtil;
import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
import com.evolveum.midpoint.schema.util.ShadowUtil;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.security.api.OwnerResolver;
import com.evolveum.midpoint.security.api.SecurityContextManager;
import com.evolveum.midpoint.security.api.UserProfileService;
import com.evolveum.midpoint.security.enforcer.api.ItemSecurityConstraints;
import com.evolveum.midpoint.security.enforcer.api.ObjectSecurityConstraints;
import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.util.DOMUtil;
import com.evolveum.midpoint.util.DebugUtil;
import com.evolveum.midpoint.util.DisplayableValue;
import com.evolveum.midpoint.util.LocalizableMessage;
import com.evolveum.midpoint.util.LocalizableMessageBuilder;
import com.evolveum.midpoint.util.MiscUtil;
import com.evolveum.midpoint.util.QNameUtil;
import com.evolveum.midpoint.util.SingleLocalizableMessage;
import com.evolveum.midpoint.util.exception.CommonException;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectAlreadyExistsException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.PolicyViolationException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.exception.SystemException;
import com.evolveum.midpoint.util.logging.LoggingUtils;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.api_types_3.ExecuteCredentialResetRequestType;
import com.evolveum.midpoint.xml.ns._public.common.api_types_3.ExecuteCredentialResetResponseType;
import com.evolveum.midpoint.xml.ns._public.common.api_types_3.PolicyItemDefinitionType;
import com.evolveum.midpoint.xml.ns._public.common.api_types_3.PolicyItemTargetType;
import com.evolveum.midpoint.xml.ns._public.common.api_types_3.PolicyItemsDefinitionType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractRoleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractWorkItemType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AccessCertificationConfigurationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AdminGuiConfigurationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationDecisionType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialSourceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsResetPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.DeploymentInformationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.LayerType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.LensContextType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.LifecycleStateModelType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.LocalizableMessageTemplateType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.LocalizableMessageType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.LookupTableRowType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.LookupTableType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectTemplateItemDefinitionType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectTemplateType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OrderConstraintsType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OtherPrivilegesLimitationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.RegistrationsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.RelationDefinitionType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.RoleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityQuestionsCredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityQuestionsCredentialsType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemConfigurationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.TaskExecutionStatusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.TaskType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ValuePolicyType;
import com.evolveum.prism.xml.ns._public.types_3.ItemPathType;
import com.evolveum.prism.xml.ns._public.types_3.PolyStringType;
import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
import com.evolveum.prism.xml.ns._public.types_3.RawType;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import javax.xml.namespace.QName;
import org.apache.commons.lang.BooleanUtils;
import org.apache.commons.lang.Validate;
import org.apache.commons.lang3.StringUtils;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.stereotype.Component;

@Component("modelInteractionService")
/* loaded from: input_file:com/evolveum/midpoint/model/impl/controller/ModelInteractionServiceImpl.class */
public class ModelInteractionServiceImpl implements ModelInteractionService {

    @Autowired
    private ContextFactory contextFactory;

    @Autowired
    private Projector projector;

    @Autowired
    private SecurityEnforcer securityEnforcer;

    @Autowired
    private SecurityContextManager securityContextManager;

    @Autowired
    private SchemaTransformer schemaTransformer;

    @Autowired
    private ProvisioningService provisioning;

    @Autowired
    private ModelObjectResolver objectResolver;

    @Autowired
    private ObjectMerger objectMerger;

    @Autowired
    @Qualifier("cacheRepositoryService")
    private transient RepositoryService cacheRepositoryService;

    @Autowired
    private SystemObjectCache systemObjectCache;

    @Autowired
    private RelationRegistry relationRegistry;

    @Autowired
    private ValuePolicyProcessor policyProcessor;

    @Autowired
    private Protector protector;

    @Autowired
    private PrismContext prismContext;

    @Autowired
    private Visualizer visualizer;

    @Autowired
    private ModelService modelService;

    @Autowired
    private ModelCrudService modelCrudService;

    @Autowired
    private SecurityHelper securityHelper;

    @Autowired
    private MappingFactory mappingFactory;

    @Autowired
    private MappingEvaluator mappingEvaluator;

    @Autowired
    private ActivationComputer activationComputer;

    @Autowired
    private Clock clock;

    @Autowired
    private HookRegistry hookRegistry;

    @Autowired
    UserProfileService userProfileService;

    @Autowired
    private ExpressionFactory expressionFactory;

    @Autowired
    private OperationalDataManager metadataManager;
    private static final Trace LOGGER = TraceManager.getTrace(ModelInteractionServiceImpl.class);
    private static final String OPERATION_GENERATE_VALUE = ModelInteractionService.class.getName() + ".generateValue";
    private static final String OPERATION_VALIDATE_VALUE = ModelInteractionService.class.getName() + ".validateValue";

    public <F extends ObjectType> ModelContext<F> previewChanges(Collection<ObjectDelta<? extends ObjectType>> collection, ModelExecuteOptions modelExecuteOptions, Task task, OperationResult operationResult) throws SchemaException, PolicyViolationException, ExpressionEvaluationException, ObjectNotFoundException, ObjectAlreadyExistsException, CommunicationException, ConfigurationException, SecurityViolationException {
        return previewChanges(collection, modelExecuteOptions, task, Collections.emptyList(), operationResult);
    }

    public <F extends ObjectType> ModelContext<F> previewChanges(Collection<ObjectDelta<? extends ObjectType>> collection, ModelExecuteOptions modelExecuteOptions, Task task, Collection<ProgressListener> collection2, OperationResult operationResult) throws SchemaException, PolicyViolationException, ExpressionEvaluationException, ObjectNotFoundException, ObjectAlreadyExistsException, CommunicationException, ConfigurationException, SecurityViolationException {
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Preview changes input:\n{}", DebugUtil.debugDump(collection));
        }
        int i = 0;
        if (collection != null) {
            i = collection.size();
        }
        ArrayList arrayList = new ArrayList(i);
        if (collection != null) {
            Iterator<ObjectDelta<? extends ObjectType>> it = collection.iterator();
            while (it.hasNext()) {
                arrayList.add(it.next().clone());
            }
        }
        OperationResult createSubresult = operationResult.createSubresult(PREVIEW_CHANGES);
        LensContext<F> lensContext = null;
        try {
            try {
                RepositoryCache.enter();
                lensContext = this.contextFactory.createContext(arrayList, modelExecuteOptions, task, createSubresult);
                lensContext.setPreview(true);
                LOGGER.trace("Preview changes context:\n{}", lensContext.debugDumpLazily());
                lensContext.setProgressListeners(collection2);
                this.projector.projectAllWaves(lensContext, "preview", task, createSubresult);
                lensContext.distributeResource();
                if (this.hookRegistry != null) {
                    Iterator it2 = this.hookRegistry.getAllChangeHooks().iterator();
                    while (it2.hasNext()) {
                        ((ChangeHook) it2.next()).invokePreview(lensContext, task, createSubresult);
                    }
                }
                this.schemaTransformer.applySchemasAndSecurity(lensContext, null, task, createSubresult);
                LensUtil.reclaimSequences(lensContext, this.cacheRepositoryService, task, createSubresult);
                RepositoryCache.exit();
                if (LOGGER.isDebugEnabled()) {
                    LOGGER.debug("Preview changes output:\n{}", lensContext.debugDump());
                }
                createSubresult.computeStatus();
                createSubresult.cleanupResult();
                return lensContext;
            } catch (PreconditionViolationException e) {
                ModelImplUtils.recordFatalError(createSubresult, e);
                throw new SystemException(e);
            } catch (ConfigurationException | SecurityViolationException | ObjectNotFoundException | SchemaException | CommunicationException | PolicyViolationException | RuntimeException | ObjectAlreadyExistsException | ExpressionEvaluationException e2) {
                ModelImplUtils.recordFatalError(createSubresult, e2);
                throw e2;
            }
        } catch (Throwable th) {
            LensUtil.reclaimSequences(lensContext, this.cacheRepositoryService, task, createSubresult);
            RepositoryCache.exit();
            throw th;
        }
    }

    public <F extends ObjectType> ModelContext<F> unwrapModelContext(LensContextType lensContextType, Task task, OperationResult operationResult) throws SchemaException, ConfigurationException, ObjectNotFoundException, CommunicationException, ExpressionEvaluationException {
        return LensContext.fromLensContextType(lensContextType, this.prismContext, this.provisioning, task, operationResult);
    }

    public <O extends ObjectType> PrismObjectDefinition<O> getEditObjectDefinition(PrismObject<O> prismObject, AuthorizationPhaseType authorizationPhaseType, Task task, OperationResult operationResult) throws SchemaException, ConfigurationException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, SecurityViolationException {
        String resourceOid;
        OperationResult createMinorSubresult = operationResult.createMinorSubresult(GET_EDIT_OBJECT_DEFINITION);
        PrismObjectDefinition definition = prismObject.getDefinition();
        SchemaTransformer schemaTransformer = this.schemaTransformer;
        schemaTransformer.getClass();
        PrismObjectDefinition<O> deepClone = definition.deepClone(true, schemaTransformer::setFullAccessFlags);
        try {
            PrismObject<O> prismObject2 = prismObject;
            if (prismObject.getOid() != null) {
                prismObject2 = this.cacheRepositoryService.getObject(prismObject.getCompileTimeClass(), prismObject.getOid(), (Collection) null, createMinorSubresult);
            }
            ObjectSecurityConstraints compileSecurityConstraints = this.securityEnforcer.compileSecurityConstraints(prismObject2, (OwnerResolver) null, task, createMinorSubresult);
            if (LOGGER.isTraceEnabled()) {
                LOGGER.trace("Security constrains for {}:\n{}", prismObject, compileSecurityConstraints == null ? "null" : compileSecurityConstraints.debugDump());
            }
            if (compileSecurityConstraints == null) {
                createMinorSubresult.setStatus(OperationResultStatus.NOT_APPLICABLE);
                return null;
            }
            ObjectTemplateType objectTemplateType = null;
            try {
                objectTemplateType = this.schemaTransformer.determineObjectTemplate(prismObject, authorizationPhaseType, createMinorSubresult);
            } catch (ConfigurationException | ObjectNotFoundException e) {
                createMinorSubresult.recordFatalError(e);
            }
            this.schemaTransformer.applyObjectTemplateToDefinition(deepClone, objectTemplateType, createMinorSubresult);
            this.schemaTransformer.applySecurityConstraints(deepClone, compileSecurityConstraints, authorizationPhaseType);
            if (prismObject.canRepresent(ShadowType.class) && (resourceOid = ShadowUtil.getResourceOid(prismObject)) != null) {
                try {
                    RefinedObjectClassDefinition editObjectClassDefinition = getEditObjectClassDefinition(prismObject, this.provisioning.getObject(ResourceType.class, resourceOid, SelectorOptions.createCollection(GetOperationOptions.createReadOnly()), task, createMinorSubresult), authorizationPhaseType, task, createMinorSubresult);
                    if (editObjectClassDefinition != null) {
                        deepClone.getComplexTypeDefinition().replaceDefinition(ShadowType.F_ATTRIBUTES, editObjectClassDefinition.toResourceAttributeContainerDefinition());
                    }
                } catch (CommunicationException | SecurityViolationException | ExpressionEvaluationException e2) {
                    throw new ConfigurationException(e2.getMessage(), e2);
                }
            }
            createMinorSubresult.computeStatus();
            return deepClone;
        } catch (ConfigurationException | ObjectNotFoundException | ExpressionEvaluationException | SchemaException e3) {
            createMinorSubresult.recordFatalError(e3);
            throw e3;
        }
    }

    public PrismObjectDefinition<ShadowType> getEditShadowDefinition(ResourceShadowDiscriminator resourceShadowDiscriminator, AuthorizationPhaseType authorizationPhaseType, Task task, OperationResult operationResult) throws SchemaException, ConfigurationException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, SecurityViolationException {
        PrismObject createObject = this.prismContext.createObject(ShadowType.class);
        ShadowType asObjectable = createObject.asObjectable();
        ObjectReferenceType objectReferenceType = new ObjectReferenceType();
        if (resourceShadowDiscriminator != null) {
            objectReferenceType.setOid(resourceShadowDiscriminator.getResourceOid());
            asObjectable.setResourceRef(objectReferenceType);
            asObjectable.setKind(resourceShadowDiscriminator.getKind());
            asObjectable.setIntent(resourceShadowDiscriminator.getIntent());
            asObjectable.setObjectClass(resourceShadowDiscriminator.getObjectClass());
        }
        return getEditObjectDefinition(createObject, authorizationPhaseType, task, operationResult);
    }

    public RefinedObjectClassDefinition getEditObjectClassDefinition(PrismObject<ShadowType> prismObject, PrismObject<ResourceType> prismObject2, AuthorizationPhaseType authorizationPhaseType, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        Validate.notNull(prismObject2, "Resource must not be null");
        CompositeRefinedObjectClassDefinition determineCompositeObjectClassDefinition = RefinedResourceSchemaImpl.getRefinedSchema(prismObject2).determineCompositeObjectClassDefinition(prismObject);
        if (determineCompositeObjectClassDefinition == null) {
            LOGGER.debug("No object class definition for shadow {}, returning null", prismObject.getOid());
            return null;
        }
        LayerRefinedObjectClassDefinition forLayer = determineCompositeObjectClassDefinition.forLayer(LayerType.PRESENTATION);
        ObjectSecurityConstraints compileSecurityConstraints = this.securityEnforcer.compileSecurityConstraints(prismObject, (OwnerResolver) null, task, operationResult);
        if (LOGGER.isTraceEnabled()) {
            LOGGER.trace("Security constrains for {}:\n{}", prismObject, compileSecurityConstraints == null ? "null" : compileSecurityConstraints.debugDump());
        }
        if (compileSecurityConstraints == null) {
            return null;
        }
        ItemPath itemPath = SchemaConstants.PATH_ATTRIBUTES;
        AuthorizationDecisionType computeItemDecision = this.schemaTransformer.computeItemDecision(compileSecurityConstraints, itemPath, ModelAuthorizationAction.AUTZ_ACTIONS_URLS_GET, compileSecurityConstraints.findAllItemsDecision(ModelAuthorizationAction.AUTZ_ACTIONS_URLS_GET, authorizationPhaseType), authorizationPhaseType);
        AuthorizationDecisionType computeItemDecision2 = this.schemaTransformer.computeItemDecision(compileSecurityConstraints, itemPath, ModelAuthorizationAction.AUTZ_ACTIONS_URLS_ADD, compileSecurityConstraints.findAllItemsDecision(ModelAuthorizationAction.ADD.getUrl(), authorizationPhaseType), authorizationPhaseType);
        AuthorizationDecisionType computeItemDecision3 = this.schemaTransformer.computeItemDecision(compileSecurityConstraints, itemPath, ModelAuthorizationAction.AUTZ_ACTIONS_URLS_MODIFY, compileSecurityConstraints.findAllItemsDecision(ModelAuthorizationAction.MODIFY.getUrl(), authorizationPhaseType), authorizationPhaseType);
        LOGGER.trace("Attributes container access read:{}, add:{}, modify:{}", new Object[]{computeItemDecision, computeItemDecision2, computeItemDecision3});
        LayerRefinedObjectClassDefinition clone = forLayer.clone();
        for (LayerRefinedAttributeDefinitionImpl layerRefinedAttributeDefinitionImpl : clone.getAttributeDefinitions()) {
            ItemPath itemPath2 = new ItemPath(new QName[]{ShadowType.F_ATTRIBUTES, layerRefinedAttributeDefinitionImpl.getName()});
            AuthorizationDecisionType computeItemDecision4 = this.schemaTransformer.computeItemDecision(compileSecurityConstraints, itemPath2, ModelAuthorizationAction.AUTZ_ACTIONS_URLS_GET, computeItemDecision, authorizationPhaseType);
            AuthorizationDecisionType computeItemDecision5 = this.schemaTransformer.computeItemDecision(compileSecurityConstraints, itemPath2, ModelAuthorizationAction.AUTZ_ACTIONS_URLS_ADD, computeItemDecision2, authorizationPhaseType);
            AuthorizationDecisionType computeItemDecision6 = this.schemaTransformer.computeItemDecision(compileSecurityConstraints, itemPath2, ModelAuthorizationAction.AUTZ_ACTIONS_URLS_MODIFY, computeItemDecision3, authorizationPhaseType);
            LOGGER.trace("Attribute {} access read:{}, add:{}, modify:{}", new Object[]{layerRefinedAttributeDefinitionImpl.getName(), computeItemDecision4, computeItemDecision5, computeItemDecision6});
            if (computeItemDecision4 != AuthorizationDecisionType.ALLOW) {
                layerRefinedAttributeDefinitionImpl.setOverrideCanRead(false);
            }
            if (computeItemDecision5 != AuthorizationDecisionType.ALLOW) {
                layerRefinedAttributeDefinitionImpl.setOverrideCanAdd(false);
            }
            if (computeItemDecision6 != AuthorizationDecisionType.ALLOW) {
                layerRefinedAttributeDefinitionImpl.setOverrideCanModify(false);
            }
        }
        return clone;
    }

    public <O extends ObjectType, R extends AbstractRoleType> ItemSecurityConstraints getAllowedRequestAssignmentItems(PrismObject<O> prismObject, PrismObject<R> prismObject2, Task task, OperationResult operationResult) throws SchemaException, SecurityViolationException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
        return this.securityEnforcer.getAllowedRequestAssignmentItems(this.securityContextManager.getPrincipal(), ModelAuthorizationAction.ASSIGN.getUrl(), prismObject, prismObject2, (OwnerResolver) null, task, operationResult);
    }

    public Collection<? extends DisplayableValue<String>> getActionUrls() {
        return Arrays.asList(ModelAuthorizationAction.values());
    }

    public <F extends FocusType, R extends AbstractRoleType> RoleSelectionSpecification getAssignableRoleSpecification(PrismObject<F> prismObject, Class<R> cls, int i, Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, ConfigurationException, ExpressionEvaluationException, CommunicationException, SecurityViolationException {
        OperationResult createMinorSubresult = operationResult.createMinorSubresult(GET_ASSIGNABLE_ROLE_SPECIFICATION);
        RoleSelectionSpecification roleSelectionSpecification = new RoleSelectionSpecification();
        try {
            ObjectSecurityConstraints compileSecurityConstraints = this.securityEnforcer.compileSecurityConstraints(prismObject, (OwnerResolver) null, task, createMinorSubresult);
            if (LOGGER.isTraceEnabled()) {
                LOGGER.trace("Security constrains for getAssignableRoleSpecification on {}:\n{}", prismObject, compileSecurityConstraints == null ? null : compileSecurityConstraints.debugDump(1));
            }
            if (compileSecurityConstraints == null) {
                return null;
            }
            ItemPath itemPath = i == 0 ? SchemaConstants.PATH_ASSIGNMENT : SchemaConstants.PATH_INDUCEMENT;
            AuthorizationDecisionType findItemDecision = compileSecurityConstraints.findItemDecision(itemPath, ModelAuthorizationAction.MODIFY.getUrl(), AuthorizationPhaseType.REQUEST);
            LOGGER.trace("getAssignableRoleSpecification decision for {}:{}", itemPath, findItemDecision);
            if (findItemDecision == AuthorizationDecisionType.ALLOW) {
                getAllRoleTypesSpec(roleSelectionSpecification, createMinorSubresult);
                createMinorSubresult.recordSuccess();
                return roleSelectionSpecification;
            }
            if (findItemDecision == AuthorizationDecisionType.DENY) {
                createMinorSubresult.recordSuccess();
                roleSelectionSpecification.setNoRoleTypes();
                roleSelectionSpecification.setFilter(NoneFilter.createNone());
                return roleSelectionSpecification;
            }
            AuthorizationDecisionType findAllItemsDecision = compileSecurityConstraints.findAllItemsDecision(ModelAuthorizationAction.MODIFY.getUrl(), AuthorizationPhaseType.REQUEST);
            if (findAllItemsDecision == AuthorizationDecisionType.ALLOW) {
                getAllRoleTypesSpec(roleSelectionSpecification, createMinorSubresult);
                createMinorSubresult.recordSuccess();
                return roleSelectionSpecification;
            }
            if (findAllItemsDecision == AuthorizationDecisionType.DENY) {
                createMinorSubresult.recordSuccess();
                roleSelectionSpecification.setNoRoleTypes();
                roleSelectionSpecification.setFilter(NoneFilter.createNone());
                return roleSelectionSpecification;
            }
            OrderConstraintsType orderConstraintsType = new OrderConstraintsType();
            orderConstraintsType.setOrder(Integer.valueOf(i));
            ArrayList arrayList = new ArrayList(1);
            arrayList.add(orderConstraintsType);
            try {
                OrFilter preProcessObjectFilter = this.securityEnforcer.preProcessObjectFilter(ModelAuthorizationAction.AUTZ_ACTIONS_URLS_ASSIGN, AuthorizationPhaseType.REQUEST, cls, prismObject, AllFilter.createAll(), (String) null, arrayList, task, createMinorSubresult);
                LOGGER.trace("assignableRoleSpec filter: {}", preProcessObjectFilter);
                roleSelectionSpecification.setFilter(preProcessObjectFilter);
                if (preProcessObjectFilter instanceof NoneFilter) {
                    createMinorSubresult.recordSuccess();
                    roleSelectionSpecification.setNoRoleTypes();
                    return roleSelectionSpecification;
                }
                if (preProcessObjectFilter == null || (preProcessObjectFilter instanceof AllFilter)) {
                    getAllRoleTypesSpec(roleSelectionSpecification, createMinorSubresult);
                    createMinorSubresult.recordSuccess();
                    return roleSelectionSpecification;
                }
                if (preProcessObjectFilter instanceof OrFilter) {
                    ArrayList arrayList2 = new ArrayList();
                    Iterator it = preProcessObjectFilter.getConditions().iterator();
                    while (it.hasNext()) {
                        Collection<RoleSelectionSpecEntry> roleSelectionSpecEntries = getRoleSelectionSpecEntries((ObjectFilter) it.next());
                        if (roleSelectionSpecEntries == null || roleSelectionSpecEntries.isEmpty()) {
                            RoleSelectionSpecification roleSelectionSpecification2 = new RoleSelectionSpecification();
                            roleSelectionSpecification2.setFilter(preProcessObjectFilter);
                            getAllRoleTypesSpec(roleSelectionSpecification2, createMinorSubresult);
                            createMinorSubresult.recordSuccess();
                            return roleSelectionSpecification2;
                        }
                        arrayList2.addAll(roleSelectionSpecEntries);
                    }
                    addRoleTypeSpecEntries(roleSelectionSpecification, arrayList2, createMinorSubresult);
                } else {
                    Collection<RoleSelectionSpecEntry> roleSelectionSpecEntries2 = getRoleSelectionSpecEntries(preProcessObjectFilter);
                    if (roleSelectionSpecEntries2 == null || roleSelectionSpecEntries2.isEmpty()) {
                        getAllRoleTypesSpec(roleSelectionSpecification, createMinorSubresult);
                        createMinorSubresult.recordSuccess();
                        return roleSelectionSpecification;
                    }
                    addRoleTypeSpecEntries(roleSelectionSpecification, roleSelectionSpecEntries2, createMinorSubresult);
                }
                createMinorSubresult.recordSuccess();
                return roleSelectionSpecification;
            } catch (SchemaException | ConfigurationException | ObjectNotFoundException | ExpressionEvaluationException e) {
                createMinorSubresult.recordFatalError(e);
                throw e;
            }
        } catch (ExpressionEvaluationException | ObjectNotFoundException | SchemaException | CommunicationException | SecurityViolationException e2) {
            createMinorSubresult.recordFatalError(e2);
            throw e2;
        }
    }

    private void addRoleTypeSpecEntries(RoleSelectionSpecification roleSelectionSpecification, Collection<RoleSelectionSpecEntry> collection, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, ConfigurationException {
        if (collection == null || collection.isEmpty()) {
            getAllRoleTypesSpec(roleSelectionSpecification, operationResult);
            return;
        }
        if (!RoleSelectionSpecEntry.hasNegative(collection)) {
            roleSelectionSpecification.addRoleTypes(collection);
            return;
        }
        Collection<RoleSelectionSpecEntry> positive = RoleSelectionSpecEntry.getPositive(collection);
        if (positive == null || positive.isEmpty()) {
            positive = getRoleSpecEntriesForAllRoles(operationResult);
        }
        if (positive == null || positive.isEmpty()) {
            return;
        }
        for (RoleSelectionSpecEntry roleSelectionSpecEntry : positive) {
            if (!RoleSelectionSpecEntry.hasNegativeValue(collection, (String) roleSelectionSpecEntry.getValue())) {
                roleSelectionSpecification.addRoleType(roleSelectionSpecEntry);
            }
        }
    }

    private RoleSelectionSpecification getAllRoleTypesSpec(RoleSelectionSpecification roleSelectionSpecification, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, ConfigurationException {
        Collection<RoleSelectionSpecEntry> roleSpecEntriesForAllRoles = getRoleSpecEntriesForAllRoles(operationResult);
        if (roleSpecEntriesForAllRoles == null || roleSpecEntriesForAllRoles.isEmpty()) {
            return roleSelectionSpecification;
        }
        roleSelectionSpecification.addRoleTypes(roleSpecEntriesForAllRoles);
        return roleSelectionSpecification;
    }

    private Collection<RoleSelectionSpecEntry> getRoleSpecEntriesForAllRoles(OperationResult operationResult) throws ObjectNotFoundException, SchemaException, ConfigurationException {
        QName name;
        ObjectTemplateType determineObjectTemplate = this.schemaTransformer.determineObjectTemplate(RoleType.class, AuthorizationPhaseType.REQUEST, operationResult);
        if (determineObjectTemplate == null) {
            return null;
        }
        ArrayList arrayList = new ArrayList();
        for (ObjectTemplateItemDefinitionType objectTemplateItemDefinitionType : determineObjectTemplate.getItem()) {
            ItemPathType ref = objectTemplateItemDefinitionType.getRef();
            if (ref != null && (name = ItemPath.getName(ref.getItemPath().first())) != null && QNameUtil.match(RoleType.F_ROLE_TYPE, name)) {
                ObjectReferenceType valueEnumerationRef = objectTemplateItemDefinitionType.getValueEnumerationRef();
                if (valueEnumerationRef == null || valueEnumerationRef.getOid() == null) {
                    return arrayList;
                }
                for (LookupTableRowType lookupTableRowType : this.cacheRepositoryService.getObject(LookupTableType.class, valueEnumerationRef.getOid(), SelectorOptions.createCollection(LookupTableType.F_ROW, GetOperationOptions.createRetrieve(RetrieveOption.INCLUDE)), operationResult).asObjectable().getRow()) {
                    PolyStringType label = lookupTableRowType.getLabel();
                    String key = lookupTableRowType.getKey();
                    String str = key;
                    if (label != null) {
                        str = label.getOrig();
                    }
                    arrayList.add(new RoleSelectionSpecEntry(key, str, null));
                }
                return arrayList;
            }
        }
        return arrayList;
    }

    private Collection<RoleSelectionSpecEntry> getRoleSelectionSpecEntries(ObjectFilter objectFilter) throws SchemaException {
        RoleSelectionSpecEntry roleSelectionSpecEq;
        RoleSelectionSpecEntry roleSelectionSpecEq2;
        LOGGER.trace("getRoleSelectionSpec({})", objectFilter);
        if (objectFilter == null || (objectFilter instanceof AllFilter)) {
            return null;
        }
        if (objectFilter instanceof EqualFilter) {
            return createSingleDisplayableValueCollection(getRoleSelectionSpecEq((EqualFilter) objectFilter));
        }
        if (objectFilter instanceof AndFilter) {
            for (ObjectFilter objectFilter2 : ((AndFilter) objectFilter).getConditions()) {
                if ((objectFilter2 instanceof EqualFilter) && (roleSelectionSpecEq2 = getRoleSelectionSpecEq((EqualFilter) objectFilter2)) != null) {
                    return createSingleDisplayableValueCollection(roleSelectionSpecEq2);
                }
            }
            return null;
        }
        if (objectFilter instanceof OrFilter) {
            ArrayList arrayList = new ArrayList(((OrFilter) objectFilter).getConditions().size());
            for (ObjectFilter objectFilter3 : ((OrFilter) objectFilter).getConditions()) {
                if ((objectFilter3 instanceof EqualFilter) && (roleSelectionSpecEq = getRoleSelectionSpecEq((EqualFilter) objectFilter3)) != null) {
                    arrayList.add(roleSelectionSpecEq);
                }
            }
            return arrayList;
        }
        if (objectFilter instanceof TypeFilter) {
            return getRoleSelectionSpecEntries(((TypeFilter) objectFilter).getFilter());
        }
        if (objectFilter instanceof NotFilter) {
            Collection<RoleSelectionSpecEntry> roleSelectionSpecEntries = getRoleSelectionSpecEntries(((NotFilter) objectFilter).getFilter());
            RoleSelectionSpecEntry.negate(roleSelectionSpecEntries);
            return roleSelectionSpecEntries;
        }
        if ((objectFilter instanceof RefFilter) || (objectFilter instanceof InOidFilter)) {
            return null;
        }
        throw new UnsupportedOperationException("Unexpected filter " + objectFilter);
    }

    private Collection<RoleSelectionSpecEntry> createSingleDisplayableValueCollection(RoleSelectionSpecEntry roleSelectionSpecEntry) {
        if (roleSelectionSpecEntry == null) {
            return null;
        }
        ArrayList arrayList = new ArrayList(1);
        arrayList.add(roleSelectionSpecEntry);
        return arrayList;
    }

    private RoleSelectionSpecEntry getRoleSelectionSpecEq(EqualFilter<String> equalFilter) throws SchemaException {
        if (!QNameUtil.match(RoleType.F_ROLE_TYPE, equalFilter.getElementName()) && !QNameUtil.match(RoleType.F_SUBTYPE, equalFilter.getElementName())) {
            return null;
        }
        List values = equalFilter.getValues();
        if (values.size() > 1) {
            throw new SchemaException("More than one value in roleType search filter");
        }
        String str = (String) ((PrismPropertyValue) values.get(0)).getValue();
        return new RoleSelectionSpecEntry(str, str, null);
    }

    public <T extends ObjectType> ObjectFilter getDonorFilter(Class<T> cls, ObjectFilter objectFilter, String str, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        return this.securityEnforcer.preProcessObjectFilter(ModelAuthorizationAction.AUTZ_ACTIONS_URLS_ATTORNEY, (AuthorizationPhaseType) null, cls, (PrismObject) null, objectFilter, str, (List) null, task, operationResult);
    }

    public <T extends ObjectType, O extends ObjectType> boolean canSearch(Class<T> cls, Class<O> cls2, String str, boolean z, ObjectQuery objectQuery, Task task, OperationResult operationResult) throws ObjectNotFoundException, CommunicationException, SchemaException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        PrismObject prismObject = null;
        if (str != null) {
            prismObject = this.objectResolver.getObject(cls2, str, null, task, operationResult).asPrismObject();
        }
        return this.securityEnforcer.canSearch(ModelAuthorizationAction.AUTZ_ACTIONS_URLS_SEARCH, (AuthorizationPhaseType) null, cls, prismObject, z, objectQuery.getFilter(), task, operationResult);
    }

    public AuthenticationsPolicyType getAuthenticationPolicy(PrismObject<UserType> prismObject, Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        return resolvePolicyTypeFromSecurityPolicy(AuthenticationsPolicyType.class, SecurityPolicyType.F_AUTHENTICATION, prismObject, task, operationResult.createMinorSubresult(GET_AUTHENTICATIONS_POLICY));
    }

    @Deprecated
    public RegistrationsPolicyType getRegistrationPolicy(PrismObject<UserType> prismObject, Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        return resolvePolicyTypeFromSecurityPolicy(RegistrationsPolicyType.class, SecurityPolicyType.F_REGISTRATION, prismObject, task, operationResult.createMinorSubresult(GET_REGISTRATIONS_POLICY));
    }

    public RegistrationsPolicyType getFlowPolicy(PrismObject<UserType> prismObject, Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        return resolvePolicyTypeFromSecurityPolicy(RegistrationsPolicyType.class, SecurityPolicyType.F_FLOW, prismObject, task, operationResult.createMinorSubresult(GET_REGISTRATIONS_POLICY));
    }

    public CredentialsPolicyType getCredentialsPolicy(PrismObject<UserType> prismObject, Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        return resolvePolicyTypeFromSecurityPolicy(CredentialsPolicyType.class, SecurityPolicyType.F_CREDENTIALS, prismObject, task, operationResult.createMinorSubresult(GET_CREDENTIALS_POLICY));
    }

    private <C extends Containerable> C resolvePolicyTypeFromSecurityPolicy(Class<C> cls, QName qName, PrismObject<UserType> prismObject, Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        PrismContainer findContainer;
        SecurityPolicyType securityPolicy = getSecurityPolicy(prismObject, task, operationResult);
        if (securityPolicy == null || (findContainer = securityPolicy.asPrismObject().findContainer(qName)) == null) {
            return null;
        }
        PrismContainerValue value = findContainer.getValue();
        operationResult.recordSuccess();
        return (C) value.asContainerable();
    }

    public SecurityPolicyType getSecurityPolicy(PrismObject<UserType> prismObject, Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        OperationResult createMinorSubresult = operationResult.createMinorSubresult(GET_SECURITY_POLICY);
        try {
            PrismObject<SystemConfigurationType> systemConfiguration = this.systemObjectCache.getSystemConfiguration(createMinorSubresult);
            if (systemConfiguration == null) {
                createMinorSubresult.recordNotApplicableIfUnknown();
                return null;
            }
            SecurityPolicyType locateSecurityPolicy = this.securityHelper.locateSecurityPolicy(prismObject, systemConfiguration, task, createMinorSubresult);
            if (locateSecurityPolicy != null) {
                return locateSecurityPolicy;
            }
            createMinorSubresult.recordNotApplicableIfUnknown();
            return null;
        } catch (Throwable th) {
            createMinorSubresult.recordFatalError(th);
            throw th;
        }
    }

    @NotNull
    public AdminGuiConfigurationType getAdminGuiConfiguration(Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException {
        AdminGuiConfigurationType adminGuiConfigurationInternal = getAdminGuiConfigurationInternal(task, operationResult);
        return adminGuiConfigurationInternal != null ? adminGuiConfigurationInternal : new AdminGuiConfigurationType();
    }

    public AdminGuiConfigurationType getAdminGuiConfigurationInternal(Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException {
        MidPointPrincipal midPointPrincipal = null;
        try {
            midPointPrincipal = this.securityContextManager.getPrincipal();
        } catch (SecurityViolationException e) {
            LOGGER.warn("Security violation while getting principlal to get GUI config: {}", e.getMessage(), e);
        }
        if (midPointPrincipal != null) {
            return midPointPrincipal.getAdminGuiConfiguration();
        }
        PrismObject systemConfiguration = this.systemObjectCache.getSystemConfiguration(operationResult);
        if (systemConfiguration == null) {
            return null;
        }
        return systemConfiguration.asObjectable().getAdminGuiConfiguration();
    }

    public SystemConfigurationType getSystemConfiguration(OperationResult operationResult) throws ObjectNotFoundException, SchemaException {
        PrismObject systemConfiguration = this.systemObjectCache.getSystemConfiguration(operationResult);
        if (systemConfiguration == null) {
            return null;
        }
        return systemConfiguration.asObjectable();
    }

    public DeploymentInformationType getDeploymentInformationConfiguration(OperationResult operationResult) throws ObjectNotFoundException, SchemaException {
        PrismObject systemConfiguration = this.systemObjectCache.getSystemConfiguration(operationResult);
        if (systemConfiguration == null) {
            return null;
        }
        return systemConfiguration.asObjectable().getDeploymentInformation();
    }

    public AccessCertificationConfigurationType getCertificationConfiguration(OperationResult operationResult) throws ObjectNotFoundException, SchemaException {
        PrismObject systemConfiguration = this.systemObjectCache.getSystemConfiguration(operationResult);
        if (systemConfiguration == null) {
            return null;
        }
        return systemConfiguration.asObjectable().getAccessCertification();
    }

    public boolean checkPassword(String str, ProtectedStringType protectedStringType, Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException {
        OperationResult createMinorSubresult = operationResult.createMinorSubresult(CHECK_PASSWORD);
        try {
            UserType objectSimple = this.objectResolver.getObjectSimple(UserType.class, str, null, task, createMinorSubresult);
            if (objectSimple.getCredentials() == null || objectSimple.getCredentials().getPassword() == null || objectSimple.getCredentials().getPassword().getValue() == null) {
                return protectedStringType == null;
            }
            try {
                boolean compare = this.protector.compare(protectedStringType, objectSimple.getCredentials().getPassword().getValue());
                createMinorSubresult.recordSuccess();
                return compare;
            } catch (EncryptionException e) {
                createMinorSubresult.recordFatalError(e);
                throw new SystemException(e.getMessage(), e);
            }
        } catch (ObjectNotFoundException e2) {
            createMinorSubresult.recordFatalError(e2);
            throw e2;
        }
    }

    public List<? extends Scene> visualizeDeltas(List<ObjectDelta<? extends ObjectType>> list, Task task, OperationResult operationResult) throws SchemaException, ExpressionEvaluationException {
        return this.visualizer.visualizeDeltas(list, task, operationResult);
    }

    @NotNull
    public Scene visualizeDelta(ObjectDelta<? extends ObjectType> objectDelta, Task task, OperationResult operationResult) throws SchemaException, ExpressionEvaluationException {
        return this.visualizer.visualizeDelta(objectDelta, task, operationResult);
    }

    @NotNull
    public Scene visualizeDelta(ObjectDelta<? extends ObjectType> objectDelta, ObjectReferenceType objectReferenceType, Task task, OperationResult operationResult) throws SchemaException, ExpressionEvaluationException {
        return this.visualizer.visualizeDelta(objectDelta, objectReferenceType, task, operationResult);
    }

    public List<ConnectorOperationalStatus> getConnectorOperationalStatus(String str, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, ExpressionEvaluationException {
        OperationResult createMinorSubresult = operationResult.createMinorSubresult(GET_CONNECTOR_OPERATIONAL_STATUS);
        try {
            List<ConnectorOperationalStatus> connectorOperationalStatus = this.provisioning.getConnectorOperationalStatus(str, task, createMinorSubresult);
            createMinorSubresult.computeStatus();
            return connectorOperationalStatus;
        } catch (SchemaException | ObjectNotFoundException | CommunicationException | ConfigurationException | ExpressionEvaluationException e) {
            createMinorSubresult.recordFatalError(e);
            throw e;
        }
    }

    public <O extends ObjectType> MergeDeltas<O> mergeObjectsPreviewDeltas(Class<O> cls, String str, String str2, String str3, Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, ConfigurationException, ExpressionEvaluationException, CommunicationException, SecurityViolationException {
        OperationResult createMinorSubresult = operationResult.createMinorSubresult(MERGE_OBJECTS_PREVIEW_DELTA);
        try {
            MergeDeltas<O> computeMergeDeltas = this.objectMerger.computeMergeDeltas(cls, str, str2, str3, task, createMinorSubresult);
            createMinorSubresult.computeStatus();
            return computeMergeDeltas;
        } catch (ObjectNotFoundException | SchemaException | ConfigurationException | ExpressionEvaluationException | CommunicationException | SecurityViolationException | Error | RuntimeException e) {
            createMinorSubresult.recordFatalError(e);
            throw e;
        }
    }

    public <O extends ObjectType> PrismObject<O> mergeObjectsPreviewObject(Class<O> cls, String str, String str2, String str3, Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, ConfigurationException, ExpressionEvaluationException, CommunicationException, SecurityViolationException {
        OperationResult createMinorSubresult = operationResult.createMinorSubresult(MERGE_OBJECTS_PREVIEW_OBJECT);
        try {
            MergeDeltas<O> computeMergeDeltas = this.objectMerger.computeMergeDeltas(cls, str, str2, str3, task, createMinorSubresult);
            if (LOGGER.isTraceEnabled()) {
                LOGGER.trace("Merge preview {} + {} deltas:\n{}", new Object[]{str, str2, computeMergeDeltas.debugDump(1)});
            }
            PrismObject<O> asPrismObject = this.objectResolver.getObjectSimple(cls, str, null, task, createMinorSubresult).asPrismObject();
            if (computeMergeDeltas == null) {
                createMinorSubresult.computeStatus();
                return asPrismObject;
            }
            computeMergeDeltas.getLeftObjectDelta().applyTo(asPrismObject);
            computeMergeDeltas.getLeftLinkDelta().applyTo(asPrismObject);
            createMinorSubresult.computeStatus();
            return asPrismObject;
        } catch (ObjectNotFoundException | SchemaException | ConfigurationException | ExpressionEvaluationException | CommunicationException | SecurityViolationException | Error | RuntimeException e) {
            createMinorSubresult.recordFatalError(e);
            throw e;
        }
    }

    public <O extends ObjectType> String generateValue(ValuePolicyType valuePolicyType, int i, boolean z, PrismObject<O> prismObject, String str, Task task, OperationResult operationResult) throws ExpressionEvaluationException, SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException {
        return this.policyProcessor.generate((ItemPath) null, valuePolicyType, i, z, createOriginResolver(prismObject, operationResult), str, task, operationResult);
    }

    public <O extends ObjectType> void generateValue(PrismObject<O> prismObject, PolicyItemsDefinitionType policyItemsDefinitionType, Task task, OperationResult operationResult) throws ObjectAlreadyExistsException, ExpressionEvaluationException, SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException, PolicyViolationException {
        OperationResult createSubresult = operationResult.createSubresult(OPERATION_GENERATE_VALUE);
        try {
            ValuePolicyType valuePolicy = getValuePolicy(prismObject, task, createSubresult);
            ArrayList arrayList = new ArrayList();
            for (PolicyItemDefinitionType policyItemDefinitionType : policyItemsDefinitionType.getPolicyItemDefinition()) {
                OperationResult createSubresult2 = operationResult.createSubresult(OPERATION_GENERATE_VALUE);
                LOGGER.trace("Default value policy: {}", valuePolicy);
                try {
                    generateValue(prismObject, valuePolicy, policyItemDefinitionType, task, createSubresult2);
                    ItemPath path = getPath(policyItemDefinitionType);
                    if (path == null && isExecute(policyItemDefinitionType)) {
                        LOGGER.error("No item path defined in the target for policy item definition. Cannot generate value");
                        createSubresult2.recordFatalError("No item path defined in the target for policy item definition. Cannot generate value");
                    } else {
                        PrismPropertyDefinition<?> prismPropertyDefinition = null;
                        if (path != null) {
                            createSubresult.addArbitraryObjectAsParam("policyItemPath", path);
                            prismPropertyDefinition = getItemDefinition(prismObject, path);
                            if (prismPropertyDefinition == null && isExecute(policyItemDefinitionType)) {
                                LOGGER.error("No definition for property {} in object. Is the path referencing prism property?" + path, prismObject);
                                createSubresult2.recordFatalError("No definition for property " + path + " in object " + prismObject + ". Is the path referencing prism property?");
                            }
                        }
                        collectDeltasForGeneratedValuesIfNeeded(prismObject, policyItemDefinitionType, arrayList, path, prismPropertyDefinition, createSubresult2);
                        createSubresult2.computeStatusIfUnknown();
                    }
                } catch (ExpressionEvaluationException | SchemaException | ObjectNotFoundException | CommunicationException | ConfigurationException | SecurityViolationException e) {
                    LOGGER.error("Failed to generate value for {} ", policyItemDefinitionType, e);
                    createSubresult2.recordFatalError("Failed to generate value for " + policyItemDefinitionType + ". Reason: " + e.getMessage(), e);
                    policyItemDefinitionType.setResult(createSubresult2.createOperationResultType());
                }
            }
            createSubresult.computeStatus();
            if (createSubresult.isAcceptable()) {
                try {
                    if (!arrayList.isEmpty()) {
                        if (prismObject == null) {
                            LOGGER.error("Cannot execute changes for generated values, no object specified in request.");
                            createSubresult.recordFatalError("Cannot execute changes for generated values, no object specified in request.");
                            throw new SchemaException("Cannot execute changes for generated values, no object specified in request.");
                        }
                        this.modelCrudService.modifyObject(prismObject.asObjectable().getClass(), prismObject.getOid(), arrayList, null, task, createSubresult);
                    }
                } catch (ObjectNotFoundException | SchemaException | ExpressionEvaluationException | CommunicationException | ConfigurationException | ObjectAlreadyExistsException | PolicyViolationException | SecurityViolationException e2) {
                    LOGGER.error("Could not execute deltas for generated values. Reason: " + e2.getMessage(), e2);
                    createSubresult.recordFatalError("Could not execute deltas for gegenerated values. Reason: " + e2.getMessage(), e2);
                    throw e2;
                }
            }
        } catch (ObjectNotFoundException | SchemaException | CommunicationException | ConfigurationException | SecurityViolationException | ExpressionEvaluationException e3) {
            LOGGER.error("Failed to get value policy for generating value. ", e3);
            createSubresult.recordFatalError("Error while getting value policy. Reason: " + e3.getMessage(), e3);
            throw e3;
        }
    }

    private boolean isExecute(PolicyItemDefinitionType policyItemDefinitionType) {
        if (policyItemDefinitionType.isExecute() == null) {
            return false;
        }
        return policyItemDefinitionType.isExecute().booleanValue();
    }

    private ItemPath getPath(PolicyItemDefinitionType policyItemDefinitionType) {
        ItemPathType path;
        PolicyItemTargetType target = policyItemDefinitionType.getTarget();
        if (target == null || (path = target.getPath()) == null) {
            return null;
        }
        return path.getItemPath();
    }

    private <O extends ObjectType> PrismPropertyDefinition<?> getItemDefinition(PrismObject<O> prismObject, ItemPath itemPath) {
        PrismPropertyDefinition<?> findItemDefinition = prismObject.getDefinition().findItemDefinition(itemPath);
        if (findItemDefinition != null && (findItemDefinition instanceof PrismPropertyDefinition)) {
            return findItemDefinition;
        }
        return null;
    }

    private <O extends ObjectType> void collectDeltasForGeneratedValuesIfNeeded(PrismObject<O> prismObject, PolicyItemDefinitionType policyItemDefinitionType, Collection<PropertyDelta<?>> collection, ItemPath itemPath, PrismPropertyDefinition<?> prismPropertyDefinition, OperationResult operationResult) throws SchemaException {
        Object value = policyItemDefinitionType.getValue();
        if (prismPropertyDefinition != null) {
            if (ProtectedStringType.COMPLEX_TYPE.equals(prismPropertyDefinition.getTypeName())) {
                ProtectedStringType protectedStringType = new ProtectedStringType();
                protectedStringType.setClearValue((String) value);
                value = protectedStringType;
            } else if (PolyStringType.COMPLEX_TYPE.equals(prismPropertyDefinition.getTypeName())) {
                value = new PolyString((String) value);
            }
        }
        if (prismObject == null && isExecute(policyItemDefinitionType)) {
            LOGGER.warn("Cannot apply generated changes and cannot execute them becasue there is no target object specified.");
            operationResult.recordFatalError("Cannot apply generated changes and cannot execute them becasue there is no target object specified.");
        } else if (prismObject != null) {
            PropertyDelta<?> createModificationReplaceProperty = PropertyDelta.createModificationReplaceProperty(itemPath, prismObject.getDefinition(), new Object[]{value});
            createModificationReplaceProperty.applyTo(prismObject);
            if (BooleanUtils.isTrue(policyItemDefinitionType.isExecute())) {
                collection.add(createModificationReplaceProperty);
            }
        }
    }

    private <O extends ObjectType> void generateValue(PrismObject<O> prismObject, ValuePolicyType valuePolicyType, PolicyItemDefinitionType policyItemDefinitionType, Task task, OperationResult operationResult) throws ExpressionEvaluationException, SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException {
        PolicyItemTargetType target = policyItemDefinitionType.getTarget();
        if ((target == null || ItemPath.isNullOrEmpty(target.getPath())) && isExecute(policyItemDefinitionType)) {
            LOGGER.error("Target item path must be defined");
            throw new SchemaException("Target item path must be defined");
        }
        ItemPath itemPath = null;
        if (target != null) {
            itemPath = target.getPath().getItemPath();
        }
        ValuePolicyType resolveValuePolicy = resolveValuePolicy(policyItemDefinitionType, valuePolicyType, task, operationResult);
        LOGGER.trace("Value policy used for generating new value : {}", resolveValuePolicy);
        if ((resolveValuePolicy != null ? resolveValuePolicy.getStringPolicy() : null) != null) {
            policyItemDefinitionType.setValue(this.policyProcessor.generate(itemPath, resolveValuePolicy, 10, false, createOriginResolver(prismObject, operationResult), "generating value for" + itemPath, task, operationResult));
        } else {
            LOGGER.trace("No sting policy defined. Cannot generate value.");
            operationResult.recordFatalError("No string policy defined. Cannot generate value");
        }
    }

    private ValuePolicyType resolveValuePolicy(PolicyItemDefinitionType policyItemDefinitionType, ValuePolicyType valuePolicyType, Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        if (policyItemDefinitionType.getValuePolicyRef() == null) {
            return valuePolicyType;
        }
        LOGGER.trace("Trying to resolve value policy {} for policy item definition", policyItemDefinitionType);
        return this.objectResolver.resolve(policyItemDefinitionType.getValuePolicyRef(), ValuePolicyType.class, null, "valuePolicyRef in policyItemDefinition", task, operationResult);
    }

    public <O extends ObjectType> void validateValue(PrismObject<O> prismObject, PolicyItemsDefinitionType policyItemsDefinitionType, Task task, OperationResult operationResult) throws ExpressionEvaluationException, SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException, PolicyViolationException {
        ValuePolicyType valuePolicy = getValuePolicy(prismObject, task, operationResult);
        Iterator it = policyItemsDefinitionType.getPolicyItemDefinition().iterator();
        while (it.hasNext()) {
            validateValue(prismObject, valuePolicy, (PolicyItemDefinitionType) it.next(), task, operationResult);
        }
    }

    private <O extends ObjectType> ValuePolicyType getValuePolicy(PrismObject<O> prismObject, Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        SecurityPolicyType locateGlobalPasswordPolicy;
        SecurityPolicyType locateGlobalSecurityPolicy;
        CredentialsPolicyType credentialsPolicyType = null;
        PrismObject<O> prismObject2 = null;
        if (prismObject != null && prismObject.getCompileTimeClass().isAssignableFrom(UserType.class)) {
            LOGGER.trace("Start to resolve policy for user");
            prismObject2 = prismObject;
            credentialsPolicyType = getCredentialsPolicy(prismObject2, task, operationResult);
            LOGGER.trace("Resolved user policy: {}", credentialsPolicyType);
        }
        SystemConfigurationType systemConfiguration = getSystemConfiguration(operationResult);
        if (!containsValuePolicyDefinition(credentialsPolicyType) && (locateGlobalSecurityPolicy = this.securityHelper.locateGlobalSecurityPolicy(prismObject2, systemConfiguration.asPrismObject(), task, operationResult)) != null) {
            credentialsPolicyType = locateGlobalSecurityPolicy.getCredentials();
            LOGGER.trace("Resolved policy from global security policy: {}", credentialsPolicyType);
        }
        if (!containsValuePolicyDefinition(credentialsPolicyType) && (locateGlobalPasswordPolicy = this.securityHelper.locateGlobalPasswordPolicy(systemConfiguration, task, operationResult)) != null) {
            credentialsPolicyType = locateGlobalPasswordPolicy.getCredentials();
            LOGGER.trace("Resolved global password policy: {}", credentialsPolicyType);
        }
        if (!containsValuePolicyDefinition(credentialsPolicyType)) {
            return null;
        }
        if (credentialsPolicyType.getPassword().getValuePolicyRef() != null) {
            return this.objectResolver.resolve(credentialsPolicyType.getPassword().getValuePolicyRef(), ValuePolicyType.class, null, "valuePolicyRef in password credential policy", task, operationResult);
        }
        if (credentialsPolicyType.getPassword().getPasswordPolicyRef() != null) {
            return this.objectResolver.resolve(credentialsPolicyType.getPassword().getPasswordPolicyRef(), ValuePolicyType.class, null, "valuePolicyRef in password credential policy", task, operationResult);
        }
        return null;
    }

    private boolean containsValuePolicyDefinition(CredentialsPolicyType credentialsPolicyType) {
        if (credentialsPolicyType == null || credentialsPolicyType.getPassword() == null) {
            return false;
        }
        return (credentialsPolicyType.getPassword().getValuePolicyRef() == null && credentialsPolicyType.getPassword().getPasswordPolicyRef() == null) ? false : true;
    }

    private <T, O extends ObjectType> boolean validateValue(PrismObject<O> prismObject, ValuePolicyType valuePolicyType, PolicyItemDefinitionType policyItemDefinitionType, Task task, OperationResult operationResult) throws ExpressionEvaluationException, SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException, PolicyViolationException {
        ValuePolicyType resolveValuePolicy = resolveValuePolicy(policyItemDefinitionType, valuePolicyType, task, operationResult);
        Object value = policyItemDefinitionType.getValue();
        String str = value instanceof RawType ? (String) ((RawType) value).getParsedRealValue(String.class) : (String) value;
        ArrayList<String> arrayList = new ArrayList();
        PolicyItemTargetType target = policyItemDefinitionType.getTarget();
        ItemPath itemPath = target != null ? target.getPath().getItemPath() : null;
        if (StringUtils.isNotEmpty(str)) {
            arrayList.add(str);
        } else {
            if (target == null || target.getPath() == null) {
                LOGGER.error("Target item path must be defined");
                operationResult.recordFatalError("Target item path must be defined");
                throw new SchemaException("Target item path must be defined");
            }
            itemPath = target.getPath().getItemPath();
            if (prismObject == null) {
                LOGGER.error("Object which values should be validated is null. Nothing to validate.");
                operationResult.recordFatalError("Object which values should be validated is null. Nothing to validate.");
                throw new SchemaException("Object which values should be validated is null. Nothing to validate.");
            }
            PrismProperty findProperty = prismObject.findProperty(itemPath);
            if (findProperty == null || findProperty.isEmpty()) {
                LOGGER.error("Attribute {} has no value. Nothing to validate.", findProperty);
                operationResult.recordFatalError("Attribute " + findProperty + " has no value. Nothing to validate");
                throw new SchemaException("Attribute " + findProperty + " has no value. Nothing to validate");
            }
            PrismPropertyDefinition definition = findProperty.getDefinition();
            QName typeName = definition.getTypeName();
            if (!isSupportedType(typeName)) {
                LOGGER.error("Trying to validate string policy on the property of type {} failed. Unsupported type.", definition);
                operationResult.recordFatalError("Trying to validate string policy on the property of type " + definition + " failed. Unsupported type.");
                throw new SchemaException("Trying to validate string policy on the property of type " + definition + " failed. Unsupported type.");
            }
            if (definition.isSingleValue()) {
                arrayList.add(typeName.equals(PolyStringType.COMPLEX_TYPE) ? ((PolyString) findProperty.getRealValue()).getOrig() : typeName.equals(ProtectedStringType.COMPLEX_TYPE) ? getClearValue((ProtectedStringType) findProperty.getRealValue()) : (String) findProperty.getRealValue());
            } else if (typeName.equals(DOMUtil.XSD_STRING)) {
                arrayList.addAll(findProperty.getRealValues(String.class));
            } else if (typeName.equals(ProtectedStringType.COMPLEX_TYPE)) {
                Iterator it = findProperty.getRealValues(ProtectedStringType.class).iterator();
                while (it.hasNext()) {
                    arrayList.add(getClearValue((ProtectedStringType) it.next()));
                }
            } else {
                Iterator it2 = findProperty.getRealValues(PolyString.class).iterator();
                while (it2.hasNext()) {
                    arrayList.add(((PolyString) it2.next()).getOrig());
                }
            }
        }
        for (String str2 : arrayList) {
            OperationResult createSubresult = operationResult.createSubresult(OPERATION_VALIDATE_VALUE + ".value");
            if (itemPath != null) {
                createSubresult.addParam("path", itemPath.toString());
            }
            createSubresult.addParam("valueToValidate", str2);
            ObjectValuePolicyEvaluator objectValuePolicyEvaluator = new ObjectValuePolicyEvaluator();
            objectValuePolicyEvaluator.setValuePolicy(resolveValuePolicy);
            objectValuePolicyEvaluator.setValuePolicyProcessor(this.policyProcessor);
            objectValuePolicyEvaluator.setProtector(this.protector);
            objectValuePolicyEvaluator.setValueItemPath(itemPath);
            objectValuePolicyEvaluator.setOriginResolver(getOriginResolver(prismObject));
            objectValuePolicyEvaluator.setTask(task);
            objectValuePolicyEvaluator.setShortDesc(" rest validate ");
            if (prismObject != null && itemPath != null) {
                if (itemPath.isSuperPathOrEquivalent(SchemaConstants.PATH_PASSWORD)) {
                    objectValuePolicyEvaluator.setSecurityPolicy(getSecurityPolicy(prismObject, task, operationResult));
                    PrismContainer findContainer = prismObject.findContainer(SchemaConstants.PATH_PASSWORD);
                    PasswordType passwordType = null;
                    if (findContainer != null) {
                        PrismContainerValue value2 = findContainer.getValue();
                        passwordType = value2 != null ? (PasswordType) value2.asContainerable() : null;
                    }
                    objectValuePolicyEvaluator.setOldCredentialType(passwordType);
                } else if (itemPath.isSuperPathOrEquivalent(SchemaConstants.PATH_SECURITY_QUESTIONS)) {
                    LOGGER.trace("Setting security questions related policy.");
                    SecurityPolicyType securityPolicy = getSecurityPolicy(prismObject, task, operationResult);
                    objectValuePolicyEvaluator.setSecurityPolicy(securityPolicy);
                    PrismContainer findContainer2 = prismObject.findContainer(SchemaConstants.PATH_SECURITY_QUESTIONS);
                    if (findContainer2 != null) {
                        PrismContainerValue value3 = findContainer2.getValue();
                        SecurityQuestionsCredentialsType securityQuestionsCredentialsType = value3 != null ? (SecurityQuestionsCredentialsType) value3.asContainerable() : null;
                    }
                    ValuePolicyType resolveSecurityQuestionsPolicy = resolveSecurityQuestionsPolicy(securityPolicy, task, operationResult);
                    if (resolveSecurityQuestionsPolicy != null) {
                        objectValuePolicyEvaluator.setValuePolicy(resolveSecurityQuestionsPolicy);
                    }
                }
            }
            objectValuePolicyEvaluator.setNow(this.clock.currentTimeXMLGregorianCalendar());
            LOGGER.trace("Validating value started");
            OperationResult validateStringValue = objectValuePolicyEvaluator.validateStringValue(str2);
            LOGGER.trace("Validating value finished");
            createSubresult.addSubresult(validateStringValue);
            createSubresult.computeStatus();
        }
        operationResult.computeStatus();
        policyItemDefinitionType.setResult(operationResult.createOperationResultType());
        return operationResult.isAcceptable();
    }

    private ValuePolicyType resolveSecurityQuestionsPolicy(SecurityPolicyType securityPolicyType, Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        CredentialsPolicyType credentials;
        SecurityQuestionsCredentialsPolicyType securityQuestions;
        ObjectReferenceType valuePolicyRef;
        if (securityPolicyType == null || (credentials = securityPolicyType.getCredentials()) == null || (securityQuestions = credentials.getSecurityQuestions()) == null || (valuePolicyRef = securityQuestions.getValuePolicyRef()) == null) {
            return null;
        }
        return this.objectResolver.resolve(valuePolicyRef, ValuePolicyType.class, null, " resolve value policy for security questions", task, operationResult);
    }

    private <O extends ObjectType> AbstractValuePolicyOriginResolver<O> getOriginResolver(PrismObject<O> prismObject) {
        if (prismObject == null || !UserType.class.equals(prismObject.getCompileTimeClass())) {
            return null;
        }
        return new UserValuePolicyOriginResolver(prismObject, this.objectResolver);
    }

    private <O extends ObjectType> AbstractValuePolicyOriginResolver<O> createOriginResolver(PrismObject<O> prismObject, OperationResult operationResult) throws SchemaException {
        if (prismObject == null) {
            return null;
        }
        if (prismObject.canRepresent(UserType.class)) {
            return new UserValuePolicyOriginResolver(prismObject, this.objectResolver);
        }
        if (prismObject.canRepresent(ShadowType.class)) {
            return new ShadowValuePolicyOriginResolver(prismObject, this.objectResolver);
        }
        SchemaException schemaException = new SchemaException("Unsupport object type " + prismObject);
        operationResult.recordFatalError(schemaException);
        throw schemaException;
    }

    private boolean isSupportedType(QName qName) {
        return QNameUtil.qNameToUri(qName).equals(QNameUtil.qNameToUri(DOMUtil.XSD_STRING)) || QNameUtil.qNameToUri(qName).equals(QNameUtil.qNameToUri(PolyStringType.COMPLEX_TYPE)) || QNameUtil.qNameToUri(qName).equals(QNameUtil.qNameToUri(ProtectedStringType.COMPLEX_TYPE));
    }

    private String getClearValue(ProtectedStringType protectedStringType) throws SchemaException, PolicyViolationException {
        try {
            if (!protectedStringType.isEncrypted() && protectedStringType.getClearValue() == null) {
                if (protectedStringType.isHashed()) {
                    throw new SchemaException("Cannot validate value of hashed password");
                }
                return null;
            }
            return this.protector.decryptString(protectedStringType);
        } catch (EncryptionException e) {
            throw new PolicyViolationException(e.getMessage(), e);
        }
    }

    @NotNull
    public List<ObjectReferenceType> getDeputyAssignees(AbstractWorkItemType abstractWorkItemType, Task task, OperationResult operationResult) throws SchemaException {
        OperationResult createMinorSubresult = operationResult.createMinorSubresult(GET_DEPUTY_ASSIGNEES);
        RepositoryCache.enter();
        try {
            try {
                HashSet hashSet = new HashSet();
                ArrayList arrayList = new ArrayList();
                abstractWorkItemType.getAssigneeRef().forEach(objectReferenceType -> {
                    hashSet.add(objectReferenceType.getOid());
                });
                getDeputyAssignees(arrayList, abstractWorkItemType, hashSet, task, createMinorSubresult);
                createMinorSubresult.computeStatusIfUnknown();
                RepositoryCache.exit();
                return arrayList;
            } catch (Throwable th) {
                createMinorSubresult.recordFatalError(th.getMessage(), th);
                throw th;
            }
        } catch (Throwable th2) {
            RepositoryCache.exit();
            throw th2;
        }
    }

    @NotNull
    public List<ObjectReferenceType> getDeputyAssignees(ObjectReferenceType objectReferenceType, QName qName, Task task, OperationResult operationResult) throws SchemaException {
        OperationResult createMinorSubresult = operationResult.createMinorSubresult(GET_DEPUTY_ASSIGNEES);
        RepositoryCache.enter();
        try {
            try {
                HashSet hashSet = new HashSet();
                hashSet.add(objectReferenceType.getOid());
                ArrayList arrayList = new ArrayList();
                getDeputyAssigneesNoWorkItem(arrayList, objectReferenceType, qName, hashSet, task, createMinorSubresult);
                createMinorSubresult.computeStatusIfUnknown();
                RepositoryCache.exit();
                return arrayList;
            } catch (Throwable th) {
                createMinorSubresult.recordFatalError(th.getMessage(), th);
                throw th;
            }
        } catch (Throwable th2) {
            RepositoryCache.exit();
            throw th2;
        }
    }

    private void getDeputyAssignees(List<ObjectReferenceType> list, AbstractWorkItemType abstractWorkItemType, Set<String> set, Task task, OperationResult operationResult) throws SchemaException {
        Iterator it = this.cacheRepositoryService.searchObjects(UserType.class, QueryBuilder.queryFor(UserType.class, this.prismContext).item(new QName[]{UserType.F_DELEGATED_REF}).ref((List) abstractWorkItemType.getAssigneeRef().stream().map(objectReferenceType -> {
            return objectReferenceType.clone().relation(PrismConstants.Q_ANY).asReferenceValue();
        }).collect(Collectors.toList())).build(), (Collection) null, operationResult).iterator();
        while (it.hasNext()) {
            PrismObject<UserType> prismObject = (PrismObject) it.next();
            if (!set.contains(prismObject.getOid()) && determineDeputyValidity(prismObject, abstractWorkItemType.getAssigneeRef(), abstractWorkItemType, OtherPrivilegesLimitationType.F_APPROVAL_WORK_ITEMS, task, operationResult)) {
                list.add(ObjectTypeUtil.createObjectRefWithFullObject(prismObject, this.prismContext));
                set.add(prismObject.getOid());
            }
        }
    }

    private void getDeputyAssigneesNoWorkItem(List<ObjectReferenceType> list, ObjectReferenceType objectReferenceType, QName qName, Set<String> set, Task task, OperationResult operationResult) throws SchemaException {
        Iterator it = this.cacheRepositoryService.searchObjects(UserType.class, QueryBuilder.queryFor(UserType.class, this.prismContext).item(new QName[]{UserType.F_DELEGATED_REF}).ref(new PrismReferenceValue[]{objectReferenceType.clone().relation(PrismConstants.Q_ANY).asReferenceValue()}).build(), (Collection) null, operationResult).iterator();
        while (it.hasNext()) {
            PrismObject<UserType> prismObject = (PrismObject) it.next();
            if (!set.contains(prismObject.getOid()) && determineDeputyValidity(prismObject, Collections.singletonList(objectReferenceType), null, qName, task, operationResult)) {
                list.add(ObjectTypeUtil.createObjectRefWithFullObject(prismObject, this.prismContext));
                set.add(prismObject.getOid());
            }
        }
    }

    private boolean determineDeputyValidity(PrismObject<UserType> prismObject, List<ObjectReferenceType> list, @Nullable AbstractWorkItemType abstractWorkItemType, QName qName, Task task, OperationResult operationResult) {
        AssignmentEvaluator build = new AssignmentEvaluator.Builder().repository(this.cacheRepositoryService).focusOdo(new ObjectDeltaObject(prismObject, (ObjectDelta) null, prismObject)).channel(null).objectResolver(this.objectResolver).systemObjectCache(this.systemObjectCache).relationRegistry(this.relationRegistry).prismContext(this.prismContext).mappingFactory(this.mappingFactory).mappingEvaluator(this.mappingEvaluator).activationComputer(this.activationComputer).now(this.clock.currentTimeXMLGregorianCalendar()).loginMode(true).lensContext(new LensContextPlaceholder(prismObject, this.prismContext)).build();
        for (AssignmentType assignmentType : prismObject.asObjectable().getAssignment()) {
            if (DeputyUtils.isDelegationAssignment(assignmentType, this.relationRegistry)) {
                try {
                    ItemDeltaItem<PrismContainerValue<AssignmentType>, PrismContainerDefinition<AssignmentType>> itemDeltaItem = new ItemDeltaItem<>();
                    itemDeltaItem.setItemOld(LensUtil.createAssignmentSingleValueContainerClone(assignmentType));
                    itemDeltaItem.recompute();
                    EvaluatedAssignmentImpl evaluate = build.evaluate(itemDeltaItem, PlusMinusZero.ZERO, false, (ObjectType) prismObject.asObjectable(), prismObject.toString(), task, operationResult);
                    if (evaluate.isValid()) {
                        for (EvaluatedAssignmentTarget evaluatedAssignmentTarget : evaluate.getRoles().getNonNegativeValues()) {
                            if (evaluatedAssignmentTarget.getTarget() != null && evaluatedAssignmentTarget.getTarget().getOid() != null && DeputyUtils.isDelegationPath(evaluatedAssignmentTarget.getAssignmentPath(), this.relationRegistry) && ObjectTypeUtil.containsOid(list, evaluatedAssignmentTarget.getTarget().getOid())) {
                                List extractLimitations = DeputyUtils.extractLimitations(evaluatedAssignmentTarget.getAssignmentPath());
                                if (abstractWorkItemType != null && DeputyUtils.limitationsAllow(extractLimitations, qName, abstractWorkItemType)) {
                                    return true;
                                }
                                if (abstractWorkItemType == null && DeputyUtils.limitationsAllow(extractLimitations, qName)) {
                                    return true;
                                }
                            }
                        }
                    }
                } catch (CommonException e) {
                    LoggingUtils.logUnexpectedException(LOGGER, "Couldn't verify 'deputy' relation between {} and {} for work item {}; assignment: {}", e, new Object[]{prismObject, list, abstractWorkItemType, assignmentType});
                }
            }
        }
        return false;
    }

    public ActivationStatusType getAssignmentEffectiveStatus(String str, ActivationType activationType) {
        return this.activationComputer.getEffectiveStatus(str, activationType, (LifecycleStateModelType) null);
    }

    public MidPointPrincipal assumePowerOfAttorney(PrismObject<UserType> prismObject, Task task, OperationResult operationResult) throws SchemaException, SecurityViolationException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
        MidPointPrincipal createDonorPrincipal = this.securityEnforcer.createDonorPrincipal(this.securityContextManager.getPrincipal(), ModelAuthorizationAction.ATTORNEY.getUrl(), prismObject, task, operationResult);
        this.securityContextManager.setupPreAuthenticatedSecurityContext(createDonorPrincipal);
        return createDonorPrincipal;
    }

    public MidPointPrincipal dropPowerOfAttorney(Task task, OperationResult operationResult) throws SchemaException, SecurityViolationException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
        MidPointPrincipal principal = this.securityContextManager.getPrincipal();
        if (principal.getAttorney() == null) {
            throw new IllegalStateException("Attempt to drop attorney powers using non-donor principal " + principal);
        }
        MidPointPrincipal previousPrincipal = principal.getPreviousPrincipal();
        if (previousPrincipal == null) {
            throw new IllegalStateException("Attempt to drop attorney powers, but no previous principal in " + principal);
        }
        this.securityContextManager.setupPreAuthenticatedSecurityContext(previousPrincipal);
        return previousPrincipal;
    }

    @NotNull
    public LocalizableMessageType createLocalizableMessageType(LocalizableMessageTemplateType localizableMessageTemplateType, Map<QName, Object> map, Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        ExpressionVariables expressionVariables = new ExpressionVariables();
        expressionVariables.addVariableDefinitions(map);
        return LensUtil.interpretLocalizableMessageTemplate(localizableMessageTemplateType, expressionVariables, this.expressionFactory, this.prismContext, task, operationResult);
    }

    public ExecuteCredentialResetResponseType executeCredentialsReset(PrismObject<UserType> prismObject, ExecuteCredentialResetRequestType executeCredentialResetRequestType, Task task, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException, ObjectAlreadyExistsException, PolicyViolationException {
        LocalizableMessageBuilder localizableMessageBuilder = new LocalizableMessageBuilder();
        ExecuteCredentialResetResponseType executeCredentialResetResponseType = new ExecuteCredentialResetResponseType(this.prismContext);
        String resetMethod = executeCredentialResetRequestType.getResetMethod();
        if (StringUtils.isBlank(resetMethod)) {
            SingleLocalizableMessage build = localizableMessageBuilder.fallbackMessage("Failed to execute reset password. Bad request.").key("execute.reset.credential.bad.request").build();
            executeCredentialResetResponseType.message(LocalizationUtil.createLocalizableMessageType(build));
            throw new SchemaException(build);
        }
        CredentialsResetPolicyType credentialsReset = getSecurityPolicy(prismObject, task, operationResult).getCredentialsReset();
        if (credentialsReset == null) {
            SingleLocalizableMessage build2 = localizableMessageBuilder.fallbackMessage("Failed to execute reset password. Bad configuration.").key("execute.reset.credential.bad.configuration").build();
            executeCredentialResetResponseType.message(LocalizationUtil.createLocalizableMessageType(build2));
            throw new SchemaException(build2);
        }
        if (!resetMethod.equals(credentialsReset.getName())) {
            SingleLocalizableMessage build3 = localizableMessageBuilder.fallbackMessage("Failed to execute reset password. Bad method.").key("execute.reset.credential.bad.method").build();
            executeCredentialResetResponseType.message(LocalizationUtil.createLocalizableMessageType(build3));
            throw new SchemaException(build3);
        }
        CredentialSourceType newCredentialSource = credentialsReset.getNewCredentialSource();
        if (newCredentialSource == null) {
            return executeCredentialResetResponseType.message(LocalizationUtil.createLocalizableMessageType(localizableMessageBuilder.fallbackMessage("Failed to execute reset password. No credential source.").key("execute.reset.credential.no.credential.source").build()));
        }
        ValuePolicyType valuePolicy = getValuePolicy(prismObject, task, operationResult);
        ObjectDelta objectDelta = null;
        if (newCredentialSource.getUserEntry() != null) {
            PolicyItemDefinitionType policyItemDefinitionType = new PolicyItemDefinitionType();
            policyItemDefinitionType.setValue(executeCredentialResetRequestType.getUserEntry());
            if (!validateValue(prismObject, valuePolicy, policyItemDefinitionType, task, operationResult)) {
                LOGGER.error("Cannot execute reset password. New password doesn't satisfy policy constraints");
                operationResult.recordFatalError("Cannot execute reset password. New password doesn't satisfy policy constraints");
                throw new PolicyViolationException(localizableMessageBuilder.fallbackMessage("New password doesn't satisfy policy constraints.").key("execute.reset.credential.validation.failed").build());
            }
            ProtectedStringType protectedStringType = new ProtectedStringType();
            protectedStringType.setClearValue(executeCredentialResetRequestType.getUserEntry());
            objectDelta = ObjectDelta.createModificationReplaceProperty(UserType.class, prismObject.getOid(), SchemaConstants.PATH_PASSWORD_VALUE, this.prismContext, new ProtectedStringType[]{protectedStringType});
        }
        if (BooleanUtils.isTrue(credentialsReset.isForceChange()) && objectDelta != null) {
            objectDelta.addModificationReplaceProperty(SchemaConstants.PATH_PASSWORD_FORCE_CHANGE, new Boolean[]{Boolean.TRUE});
        }
        try {
            this.modelService.executeChanges(MiscUtil.createCollection(new ObjectDelta[]{objectDelta}), ModelExecuteOptions.createRaw(), task, operationResult);
            operationResult.recomputeStatus();
            executeCredentialResetResponseType.setMessage(LocalizationUtil.createLocalizableMessageType(localizableMessageBuilder.fallbackMessage("Reset password was successful").key("execute.reset.credential.successful").fallbackLocalizableMessage((LocalizableMessage) null).build()));
            return executeCredentialResetResponseType;
        } catch (ObjectNotFoundException | SchemaException | CommunicationException | ConfigurationException | SecurityViolationException | ExpressionEvaluationException | ObjectAlreadyExistsException | PolicyViolationException e) {
            executeCredentialResetResponseType.message(LocalizationUtil.createForFallbackMessage("Failed to reset credential: " + e.getMessage()));
            throw e;
        }
    }

    public void refreshPrincipal(String str) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        try {
            this.securityContextManager.setupPreAuthenticatedSecurityContext(this.userProfileService.getPrincipalByOid(str));
        } catch (Throwable th) {
            LOGGER.error("Cannot refresh authentication for user identified with" + str);
            throw th;
        }
    }

    public List<RelationDefinitionType> getRelationDefinitions() {
        return this.relationRegistry.getRelationDefinitions();
    }

    @NotNull
    public TaskType submitTaskFromTemplate(String str, List<Item<?, ?>> list, Task task, OperationResult operationResult) throws CommunicationException, ObjectNotFoundException, SchemaException, SecurityViolationException, ConfigurationException, ExpressionEvaluationException, ObjectAlreadyExistsException, PolicyViolationException {
        OperationResult createMinorSubresult = operationResult.createMinorSubresult(SUBMIT_TASK_FROM_TEMPLATE);
        try {
            MidPointPrincipal principal = this.securityContextManager.getPrincipal();
            if (principal == null) {
                throw new SecurityViolationException("No current user");
            }
            TaskType asObjectable = this.modelService.getObject(TaskType.class, str, SelectorOptions.createCollection(GetOperationOptions.createExecutionPhase()), task, createMinorSubresult).asObjectable();
            asObjectable.setName(PolyStringType.fromOrig(asObjectable.getName().getOrig() + " " + ((int) (Math.random() * 10000.0d))));
            asObjectable.setOid((String) null);
            asObjectable.setTaskIdentifier((String) null);
            asObjectable.setOwnerRef(ObjectTypeUtil.createObjectRef(principal.getUser(), this.prismContext));
            asObjectable.setExecutionStatus(TaskExecutionStatusType.RUNNABLE);
            Iterator<Item<?, ?>> it = list.iterator();
            while (it.hasNext()) {
                asObjectable.asPrismObject().getExtension().add(it.next().clone());
            }
            this.modelService.executeChanges(Collections.singleton(ObjectDelta.createAddDelta(asObjectable.asPrismObject())), (ModelExecuteOptions) null, task, createMinorSubresult);
            createMinorSubresult.computeStatus();
            return asObjectable;
        } catch (Throwable th) {
            createMinorSubresult.recordFatalError("Couldn't submit task from template: " + th.getMessage(), th);
            throw th;
        }
    }

    @NotNull
    public TaskType submitTaskFromTemplate(String str, Map<QName, Object> map, Task task, OperationResult operationResult) throws CommunicationException, ObjectNotFoundException, SchemaException, SecurityViolationException, ConfigurationException, ExpressionEvaluationException, ObjectAlreadyExistsException, PolicyViolationException {
        return submitTaskFromTemplate(str, ObjectTypeUtil.mapToExtensionItems(map, this.prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(TaskType.class).findContainerDefinition(TaskType.F_EXTENSION), this.prismContext), task, operationResult);
    }
}
