package com.evolveum.midpoint.model.impl.lens;

import com.evolveum.midpoint.model.api.ModelAuthorizationAction;
import com.evolveum.midpoint.model.impl.ModelObjectResolver;
import com.evolveum.midpoint.model.impl.lens.LensContext;
import com.evolveum.midpoint.model.impl.util.ModelImplUtils;
import com.evolveum.midpoint.prism.PrismContainer;
import com.evolveum.midpoint.prism.PrismContainerValue;
import com.evolveum.midpoint.prism.PrismContext;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.PrismReferenceValue;
import com.evolveum.midpoint.prism.delta.ContainerDelta;
import com.evolveum.midpoint.prism.delta.ItemDelta;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.delta.PlusMinusZero;
import com.evolveum.midpoint.prism.path.ItemName;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.schema.AccessDecision;
import com.evolveum.midpoint.schema.RelationRegistry;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.security.api.OwnerResolver;
import com.evolveum.midpoint.security.enforcer.api.AuthorizationParameters;
import com.evolveum.midpoint.security.enforcer.api.ObjectSecurityConstraints;
import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.util.exception.AuthorizationException;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractRoleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentHolderType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationDecisionType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OrderConstraintsType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import javax.xml.namespace.QName;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

@Component
/* loaded from: input_file:com/evolveum/midpoint/model/impl/lens/ClockworkAuthorizationHelper.class */
public class ClockworkAuthorizationHelper {
    private static final Trace LOGGER = TraceManager.getTrace(ClockworkAuthorizationHelper.class);

    @Autowired
    private SecurityEnforcer securityEnforcer;

    @Autowired
    private ModelObjectResolver objectResolver;

    @Autowired
    private RelationRegistry relationRegistry;

    @Autowired
    private PrismContext prismContext;

    public <F extends ObjectType> void authorizeContextRequest(LensContext<F> lensContext, boolean z, Task task, OperationResult operationResult) throws SecurityViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
        OperationResult createMinorSubresult = operationResult.createMinorSubresult(Clockwork.class.getName() + ".authorizeRequest");
        LOGGER.trace("Authorizing request for context");
        try {
            LensFocusContext<F> m68getFocusContext = lensContext.m68getFocusContext();
            LensOwnerResolver lensOwnerResolver = new LensOwnerResolver(lensContext, this.objectResolver, task, createMinorSubresult);
            if (m68getFocusContext != null) {
                authorizeElementContext(lensContext, m68getFocusContext, z, lensOwnerResolver, true, task, createMinorSubresult);
            }
            Iterator<LensProjectionContext> it = lensContext.getProjectionContexts().iterator();
            while (it.hasNext()) {
                authorizeElementContext(lensContext, it.next(), z, lensOwnerResolver, false, task, createMinorSubresult);
            }
            LensContext.AuthorizationState authorizationState = z ? LensContext.AuthorizationState.FULL : LensContext.AuthorizationState.PRELIMINARY;
            lensContext.setRequestAuthorized(authorizationState);
            LOGGER.trace("Request authorized: {}", authorizationState);
            createMinorSubresult.recordSuccess();
        } catch (Throwable th) {
            createMinorSubresult.recordFatalError(th);
            throw th;
        }
    }

    private <F extends ObjectType, O extends ObjectType> void authorizeElementContext(LensContext<F> lensContext, LensElementContext<O> lensElementContext, boolean z, OwnerResolver ownerResolver, boolean z2, Task task, OperationResult operationResult) throws SecurityViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
        if (LOGGER.isTraceEnabled()) {
            LOGGER.trace("Authorizing request for element context {}", lensElementContext.getHumanReadableName());
        }
        ObjectDelta<O> primaryDelta = lensElementContext.getPrimaryDelta();
        if (primaryDelta == null) {
            if (LOGGER.isTraceEnabled()) {
                LOGGER.trace("Authorized request for element context {}, constraints=null", lensElementContext.getHumanReadableName());
                return;
            }
            return;
        }
        ObjectDelta<O> clone = primaryDelta.clone();
        PrismObject<O> objectCurrent = lensElementContext.getObjectCurrent();
        if (objectCurrent == null) {
            objectCurrent = lensElementContext.getObjectNew();
        }
        if (objectCurrent == null) {
            if (z2 || z) {
                throw new IllegalStateException("No object? In: " + lensElementContext);
            }
            LOGGER.trace("No projection object during preliminary autz evaluation -> skipping the check for now: {}", lensElementContext);
            return;
        }
        String operationUrlFromDelta = ModelImplUtils.getOperationUrlFromDelta(clone);
        ObjectSecurityConstraints compileSecurityConstraints = this.securityEnforcer.compileSecurityConstraints(objectCurrent, z, ownerResolver, task, operationResult);
        if (compileSecurityConstraints == null) {
            if (LOGGER.isTraceEnabled()) {
                LOGGER.trace("Denied request for element context {}: null security constraints", lensElementContext.getHumanReadableName());
            }
            throw new AuthorizationException("Access denied");
        }
        if (z2) {
            if (objectCurrent.canRepresent(AssignmentHolderType.class)) {
                processAssignment(lensContext, lensElementContext, z, clone, operationUrlFromDelta, AssignmentHolderType.F_ASSIGNMENT, objectCurrent, ownerResolver, compileSecurityConstraints, task, operationResult);
            }
            if (objectCurrent.canRepresent(AbstractRoleType.class)) {
                processAssignment(lensContext, lensElementContext, z, clone, operationUrlFromDelta, AbstractRoleType.F_INDUCEMENT, objectCurrent, ownerResolver, compileSecurityConstraints, task, operationResult);
            }
        }
        if (!clone.isDelete()) {
            if (clone.isAdd()) {
                PrismObject objectToAdd = clone.getObjectToAdd();
                PrismContainer findContainer = objectToAdd.findContainer(UserType.F_CREDENTIALS);
                if (findContainer != null) {
                    ArrayList arrayList = new ArrayList();
                    for (PrismContainer prismContainer : findContainer.getValue().getItems()) {
                        ContainerDelta create = this.prismContext.deltaFactory().container().create(prismContainer.getPath(), prismContainer.getDefinition());
                        create.addValuesToAdd(new PrismContainerValue[]{prismContainer.getValue().clone()});
                        AuthorizationDecisionType evaluateCredentialDecision = evaluateCredentialDecision(lensContext, compileSecurityConstraints, create);
                        LOGGER.trace("AUTZ: credential add {} decision: {}", prismContainer.getPath(), evaluateCredentialDecision);
                        if (evaluateCredentialDecision == AuthorizationDecisionType.ALLOW) {
                            arrayList.add(prismContainer.getPath());
                        } else if (evaluateCredentialDecision == AuthorizationDecisionType.DENY) {
                            if (LOGGER.isTraceEnabled()) {
                                LOGGER.trace("Denied request for element context {}: explicit credentials deny", lensElementContext.getHumanReadableName());
                            }
                            throw new AuthorizationException("Access denied");
                        }
                    }
                    Iterator it = arrayList.iterator();
                    while (it.hasNext()) {
                        objectToAdd.removeContainer((ItemPath) it.next());
                    }
                }
            } else {
                for (ItemDelta itemDelta : clone.findItemDeltasSubPath(UserType.F_CREDENTIALS)) {
                    AuthorizationDecisionType evaluateCredentialDecision2 = evaluateCredentialDecision(lensContext, compileSecurityConstraints, itemDelta);
                    LOGGER.trace("AUTZ: credential delta {} decision: {}", itemDelta.getPath(), evaluateCredentialDecision2);
                    if (evaluateCredentialDecision2 == AuthorizationDecisionType.ALLOW) {
                        clone.removeModification(itemDelta);
                    } else if (evaluateCredentialDecision2 == AuthorizationDecisionType.DENY) {
                        if (LOGGER.isTraceEnabled()) {
                            LOGGER.trace("Denied request for element context {}: explicit credentials deny", lensElementContext.getHumanReadableName());
                        }
                        throw new AuthorizationException("Access denied");
                    }
                }
            }
        }
        if (!clone.isEmpty()) {
            this.securityEnforcer.authorize(operationUrlFromDelta, getRequestAuthorizationPhase(lensContext), AuthorizationParameters.Builder.buildObjectDelta(objectCurrent, clone, z), ownerResolver, task, operationResult);
        }
        if (LOGGER.isTraceEnabled()) {
            LOGGER.trace("Authorized request for element context {} (full info: {}), constraints:\n{}", new Object[]{lensElementContext.getHumanReadableName(), Boolean.valueOf(z), compileSecurityConstraints.debugDump(1)});
        }
    }

    private <F extends ObjectType, O extends ObjectType> void processAssignment(LensContext<F> lensContext, LensElementContext<O> lensElementContext, boolean z, ObjectDelta<O> objectDelta, String str, ItemName itemName, PrismObject<O> prismObject, OwnerResolver ownerResolver, ObjectSecurityConstraints objectSecurityConstraints, Task task, OperationResult operationResult) throws SecurityViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
        PrismObject<O> objectCurrent = lensElementContext.getObjectCurrent();
        if (objectCurrent == null) {
            objectCurrent = lensElementContext.getObjectOld();
        }
        if (objectDelta.hasItemOrSubitemDelta(itemName)) {
            AccessDecision determineDecisionForAssignmentItems = determineDecisionForAssignmentItems(objectSecurityConstraints, objectDelta, objectCurrent, str, itemName, getRequestAuthorizationPhase(lensContext));
            LOGGER.trace("Security decision for {} items: {}", itemName.getLocalPart(), determineDecisionForAssignmentItems);
            if (determineDecisionForAssignmentItems == AccessDecision.ALLOW) {
                LOGGER.debug("Allow assignment/unassignment to {} because access to {} container/properties is explicitly allowed", itemName.getLocalPart(), prismObject);
            } else {
                if (determineDecisionForAssignmentItems == AccessDecision.DENY) {
                    LOGGER.debug("Deny assignment/unassignment to {} because access to {} container/properties is explicitly denied", itemName.getLocalPart(), prismObject);
                    if (LOGGER.isTraceEnabled()) {
                        LOGGER.trace("Denied request for element context {}: access to {} container/properties is explicitly denied", lensElementContext.getHumanReadableName(), itemName.getLocalPart());
                    }
                    throw new AuthorizationException("Access denied");
                }
                AuthorizationDecisionType findAllItemsDecision = objectSecurityConstraints.findAllItemsDecision(str, getRequestAuthorizationPhase(lensContext));
                if (findAllItemsDecision != AuthorizationDecisionType.ALLOW) {
                    if (findAllItemsDecision == AuthorizationDecisionType.DENY) {
                        if (LOGGER.isTraceEnabled()) {
                            LOGGER.trace("Denied request for element context {}: access to {} items is explicitly denied", lensElementContext.getHumanReadableName(), itemName.getLocalPart());
                        }
                        throw new AuthorizationException("Access denied");
                    }
                    authorizeAssignmentRequest(lensContext, z, str, ModelAuthorizationAction.ASSIGN.getUrl(), itemName, prismObject, ownerResolver, objectSecurityConstraints, PlusMinusZero.PLUS, true, task, operationResult);
                    if (!objectDelta.isAdd()) {
                        authorizeAssignmentRequest(lensContext, z, str, ModelAuthorizationAction.UNASSIGN.getUrl(), itemName, prismObject, ownerResolver, objectSecurityConstraints, PlusMinusZero.MINUS, false, task, operationResult);
                    }
                }
            }
            if (objectDelta.isAdd()) {
                objectDelta.getObjectToAdd().removeContainer(itemName);
            } else if (objectDelta.isModify()) {
                objectDelta.removeContainerModification(ItemName.fromQName(itemName));
            }
        }
    }

    private <F extends ObjectType, O extends ObjectType> void authorizeAssignmentRequest(LensContext<F> lensContext, boolean z, String str, String str2, ItemName itemName, PrismObject<O> prismObject, OwnerResolver ownerResolver, ObjectSecurityConstraints objectSecurityConstraints, PlusMinusZero plusMinusZero, boolean z2, Task task, OperationResult operationResult) throws SecurityViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
        ContainerDelta<AssignmentType> findContainerDelta;
        PrismObject<O> prismObject2;
        ObjectDelta<F> primaryDelta = lensContext.m68getFocusContext().getPrimaryDelta();
        if (primaryDelta == null || (findContainerDelta = primaryDelta.findContainerDelta(itemName)) == null) {
            return;
        }
        String substring = str2.substring(str2.lastIndexOf(35) + 1);
        for (PrismContainerValue<AssignmentType> prismContainerValue : determineChangedAssignmentValues(lensContext.m68getFocusContext(), itemName, findContainerDelta, plusMinusZero)) {
            AssignmentType assignmentType = (AssignmentType) prismContainerValue.getRealValue();
            ObjectReferenceType targetRef = assignmentType.getTargetRef();
            if (targetRef == null || targetRef.getOid() == null) {
                if (this.securityEnforcer.determineSubitemDecision(objectSecurityConstraints, prismContainerValue, str, getRequestAuthorizationPhase(lensContext), (ItemPath) null, plusMinusZero, substring) != AccessDecision.ALLOW) {
                    LOGGER.debug("{} of non-target {} not allowed", substring, itemName.getLocalPart());
                    if (LOGGER.isTraceEnabled()) {
                        LOGGER.trace("Denied request for object {}: {} of non-target {} not allowed", new Object[]{prismObject, substring, itemName.getLocalPart()});
                    }
                    this.securityEnforcer.failAuthorization(substring, getRequestAuthorizationPhase(lensContext), AuthorizationParameters.Builder.buildObject(prismObject, z), operationResult);
                    throw new AssertionError("not here");
                }
                LOGGER.debug("{} of policy {} to {} allowed with {} authorization", new Object[]{substring, itemName.getLocalPart(), prismObject, str});
            } else {
                try {
                    PrismReferenceValue asReferenceValue = targetRef.clone().asReferenceValue();
                    asReferenceValue.setObject((PrismObject) null);
                    prismObject2 = this.objectResolver.resolve(asReferenceValue, "resolving " + itemName.getLocalPart() + " target", task, operationResult);
                } catch (ObjectNotFoundException e) {
                    LOGGER.warn("Object {} referenced as {} target in {} was not found", new Object[]{targetRef.asReferenceValue().getOid(), itemName.getLocalPart(), prismObject});
                    prismObject2 = null;
                }
                ObjectDelta createModifyDelta = prismObject.createModifyDelta();
                createModifyDelta.createContainerModification(itemName).addValuesToAdd(new PrismContainerValue[]{assignmentType.asPrismContainerValue().clone()});
                QName relation = targetRef.getRelation();
                if (relation == null) {
                    relation = this.prismContext.getDefaultRelation();
                }
                AuthorizationParameters build = new AuthorizationParameters.Builder().oldObject(prismObject).delta(createModifyDelta).target(prismObject2).relation(relation).orderConstraints(determineOrderConstraints(itemName, assignmentType)).fullInformationAvailable(z).build();
                if (z2 && (assignmentType.getPolicyRule() != null || !assignmentType.getPolicyException().isEmpty() || !assignmentType.getPolicySituation().isEmpty() || !assignmentType.getTriggeredPolicyRule().isEmpty())) {
                    if (this.securityEnforcer.determineSubitemDecision(objectSecurityConstraints, prismContainerValue, str, getRequestAuthorizationPhase(lensContext), (ItemPath) null, plusMinusZero, substring) == AccessDecision.ALLOW) {
                        LOGGER.debug("{} of policy assignment to {} allowed with {} authorization", new Object[]{substring, prismObject, str});
                    } else {
                        this.securityEnforcer.failAuthorization("with assignment because of policies in the assignment", getRequestAuthorizationPhase(lensContext), build, operationResult);
                    }
                }
                if (this.securityEnforcer.isAuthorized(str2, getRequestAuthorizationPhase(lensContext), build, ownerResolver, task, operationResult)) {
                    LOGGER.debug("{} of target {} to {} allowed with {} authorization", new Object[]{substring, prismObject2, prismObject, str2});
                } else if (!this.relationRegistry.isDelegation(relation) || !this.securityEnforcer.isAuthorized(ModelAuthorizationAction.DELEGATE.getUrl(), getRequestAuthorizationPhase(lensContext), build, ownerResolver, task, operationResult)) {
                    if (LOGGER.isDebugEnabled()) {
                        LOGGER.debug("{} of target {} to {} denied", new Object[]{substring, prismObject2, prismObject});
                    }
                    this.securityEnforcer.failAuthorization("with " + itemName.getLocalPart(), getRequestAuthorizationPhase(lensContext), build, operationResult);
                } else if (LOGGER.isDebugEnabled()) {
                    LOGGER.debug("{} of target {} to {} allowed with {} authorization", new Object[]{substring, prismObject2, prismObject, ModelAuthorizationAction.DELEGATE.getUrl()});
                }
            }
        }
    }

    private List<OrderConstraintsType> determineOrderConstraints(QName qName, AssignmentType assignmentType) {
        OrderConstraintsType orderConstraintsType = new OrderConstraintsType();
        if (FocusType.F_ASSIGNMENT.equals(qName)) {
            orderConstraintsType.setOrder(0);
        } else {
            List<OrderConstraintsType> orderConstraint = assignmentType.getOrderConstraint();
            if (!orderConstraint.isEmpty()) {
                return orderConstraint;
            }
            Integer order = assignmentType.getOrder();
            if (order == null) {
                orderConstraintsType.setOrder(1);
            } else {
                orderConstraintsType.setOrder(order);
            }
        }
        ArrayList arrayList = new ArrayList(1);
        arrayList.add(orderConstraintsType);
        return arrayList;
    }

    private <O extends ObjectType> AccessDecision determineDecisionForAssignmentItems(ObjectSecurityConstraints objectSecurityConstraints, ObjectDelta<O> objectDelta, PrismObject<O> prismObject, String str, ItemName itemName, AuthorizationPhaseType authorizationPhaseType) {
        return this.securityEnforcer.determineSubitemDecision(objectSecurityConstraints, objectDelta, prismObject, str, authorizationPhaseType, itemName);
    }

    private <F extends ObjectType> AuthorizationPhaseType getRequestAuthorizationPhase(LensContext<F> lensContext) {
        return lensContext.isExecutionPhaseOnly() ? AuthorizationPhaseType.EXECUTION : AuthorizationPhaseType.REQUEST;
    }

    private <F extends ObjectType> AuthorizationDecisionType evaluateCredentialDecision(LensContext<F> lensContext, ObjectSecurityConstraints objectSecurityConstraints, ItemDelta itemDelta) {
        return objectSecurityConstraints.findItemDecision(itemDelta.getPath().namedSegmentsOnly(), ModelAuthorizationAction.CHANGE_CREDENTIALS.getUrl(), getRequestAuthorizationPhase(lensContext));
    }

    private <F extends ObjectType> Collection<PrismContainerValue<AssignmentType>> determineChangedAssignmentValues(LensFocusContext<F> lensFocusContext, QName qName, ContainerDelta<AssignmentType> containerDelta, PlusMinusZero plusMinusZero) {
        PrismContainerValue findValue;
        Collection<PrismContainerValue<AssignmentType>> valueChanges = containerDelta.getValueChanges(plusMinusZero);
        if (plusMinusZero == PlusMinusZero.PLUS) {
            return valueChanges;
        }
        ArrayList arrayList = new ArrayList(valueChanges.size());
        PrismContainer findContainer = lensFocusContext.getObjectCurrentOrOld().findContainer(ItemName.fromQName(qName));
        for (PrismContainerValue<AssignmentType> prismContainerValue : valueChanges) {
            if (!prismContainerValue.isIdOnly()) {
                arrayList.add(prismContainerValue);
            } else if (findContainer != null && (findValue = findContainer.findValue(prismContainerValue.getId().longValue())) != null) {
                arrayList.add(findValue);
            }
        }
        return arrayList;
    }
}
