package com.evolveum.midpoint.provisioning.impl;

import com.evolveum.midpoint.common.Clock;
import com.evolveum.midpoint.common.refinery.RefinedAssociationDefinition;
import com.evolveum.midpoint.common.refinery.RefinedAttributeDefinition;
import com.evolveum.midpoint.common.refinery.RefinedObjectClassDefinition;
import com.evolveum.midpoint.common.refinery.RefinedResourceSchema;
import com.evolveum.midpoint.common.refinery.RefinedResourceSchemaImpl;
import com.evolveum.midpoint.prism.Item;
import com.evolveum.midpoint.prism.ItemDefinition;
import com.evolveum.midpoint.prism.PrismContainer;
import com.evolveum.midpoint.prism.PrismContainerValue;
import com.evolveum.midpoint.prism.PrismContext;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.PrismProperty;
import com.evolveum.midpoint.prism.PrismPropertyValue;
import com.evolveum.midpoint.prism.delta.ContainerDelta;
import com.evolveum.midpoint.prism.delta.ItemDelta;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.delta.PropertyDelta;
import com.evolveum.midpoint.prism.match.MatchingRule;
import com.evolveum.midpoint.prism.match.MatchingRuleRegistry;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.prism.query.ObjectQuery;
import com.evolveum.midpoint.prism.query.builder.QueryBuilder;
import com.evolveum.midpoint.prism.util.JavaTypeConverter;
import com.evolveum.midpoint.prism.util.PrismUtil;
import com.evolveum.midpoint.provisioning.api.GenericConnectorException;
import com.evolveum.midpoint.provisioning.ucf.api.AttributesToReturn;
import com.evolveum.midpoint.provisioning.ucf.api.Change;
import com.evolveum.midpoint.provisioning.ucf.api.ConnectorInstance;
import com.evolveum.midpoint.provisioning.ucf.api.ExecuteProvisioningScriptOperation;
import com.evolveum.midpoint.provisioning.ucf.api.GenericFrameworkException;
import com.evolveum.midpoint.provisioning.ucf.api.Operation;
import com.evolveum.midpoint.provisioning.ucf.api.PropertyModificationOperation;
import com.evolveum.midpoint.provisioning.ucf.api.ShadowResultHandler;
import com.evolveum.midpoint.provisioning.util.ProvisioningUtil;
import com.evolveum.midpoint.repo.cache.RepositoryCache;
import com.evolveum.midpoint.schema.CapabilityUtil;
import com.evolveum.midpoint.schema.ResourceShadowDiscriminator;
import com.evolveum.midpoint.schema.ResultHandler;
import com.evolveum.midpoint.schema.SearchResultMetadata;
import com.evolveum.midpoint.schema.constants.SchemaConstants;
import com.evolveum.midpoint.schema.internals.InternalsConfig;
import com.evolveum.midpoint.schema.processor.ObjectClassComplexTypeDefinition;
import com.evolveum.midpoint.schema.processor.ResourceAttribute;
import com.evolveum.midpoint.schema.processor.ResourceAttributeContainer;
import com.evolveum.midpoint.schema.processor.ResourceAttributeDefinition;
import com.evolveum.midpoint.schema.processor.ResourceObjectIdentification;
import com.evolveum.midpoint.schema.processor.SearchHierarchyConstraints;
import com.evolveum.midpoint.schema.processor.SearchHierarchyScope;
import com.evolveum.midpoint.schema.result.AsynchronousOperationQueryable;
import com.evolveum.midpoint.schema.result.AsynchronousOperationResult;
import com.evolveum.midpoint.schema.result.AsynchronousOperationReturnValue;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.result.OperationResultStatus;
import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
import com.evolveum.midpoint.schema.util.ResourceTypeUtil;
import com.evolveum.midpoint.schema.util.SchemaDebugUtil;
import com.evolveum.midpoint.schema.util.ShadowUtil;
import com.evolveum.midpoint.util.DebugUtil;
import com.evolveum.midpoint.util.Holder;
import com.evolveum.midpoint.util.MiscUtil;
import com.evolveum.midpoint.util.PrettyPrinter;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectAlreadyExistsException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.exception.SystemException;
import com.evolveum.midpoint.util.exception.TunnelException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AttributeFetchStrategyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CapabilitiesType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.LockoutStatusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OperationProvisioningScriptType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OperationProvisioningScriptsType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ProvisioningOperationTypeType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceObjectReferenceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowAssociationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowKindType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
import com.evolveum.midpoint.xml.ns._public.resource.capabilities_3.ActivationCapabilityType;
import com.evolveum.midpoint.xml.ns._public.resource.capabilities_3.ActivationLockoutStatusCapabilityType;
import com.evolveum.midpoint.xml.ns._public.resource.capabilities_3.ActivationStatusCapabilityType;
import com.evolveum.midpoint.xml.ns._public.resource.capabilities_3.AddRemoveAttributeValuesCapabilityType;
import com.evolveum.midpoint.xml.ns._public.resource.capabilities_3.CreateCapabilityType;
import com.evolveum.midpoint.xml.ns._public.resource.capabilities_3.DeleteCapabilityType;
import com.evolveum.midpoint.xml.ns._public.resource.capabilities_3.LiveSyncCapabilityType;
import com.evolveum.midpoint.xml.ns._public.resource.capabilities_3.PagedSearchCapabilityType;
import com.evolveum.midpoint.xml.ns._public.resource.capabilities_3.ReadCapabilityType;
import com.evolveum.midpoint.xml.ns._public.resource.capabilities_3.UpdateCapabilityType;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Comparator;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import javax.xml.datatype.XMLGregorianCalendar;
import javax.xml.namespace.QName;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang.Validate;
import org.jetbrains.annotations.NotNull;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

@Component
/* loaded from: input_file:com/evolveum/midpoint/provisioning/impl/ResourceObjectConverter.class */
public class ResourceObjectConverter {

    @Autowired
    private EntitlementConverter entitlementConverter;

    @Autowired
    private MatchingRuleRegistry matchingRuleRegistry;

    @Autowired
    private ResourceObjectReferenceResolver resourceObjectReferenceResolver;

    @Autowired
    private Clock clock;

    @Autowired
    private PrismContext prismContext;
    private static final String DOT_CLASS = ResourceObjectConverter.class.getName() + ".";
    public static final String OPERATION_MODIFY_ENTITLEMENT = DOT_CLASS + "modifyEntitlement";
    private static final String OPERATION_ADD_RESOURCE_OBJECT = DOT_CLASS + "addResourceObject";
    private static final String OPERATION_MODIFY_RESOURCE_OBJECT = DOT_CLASS + "modifyResourceObject";
    private static final String OPERATION_DELETE_RESOURCE_OBJECT = DOT_CLASS + "deleteResourceObject";
    private static final String OPERATION_REFRESH_OPERATION_STATUS = DOT_CLASS + "refreshOperationStatus";
    private static final Trace LOGGER = TraceManager.getTrace(ResourceObjectConverter.class);
    static final String FULL_SHADOW_KEY = ResourceObjectConverter.class.getName() + ".fullShadow";

    public PrismObject<ShadowType> getResourceObject(ProvisioningContext provisioningContext, Collection<? extends ResourceAttribute<?>> collection, boolean z, OperationResult operationResult) throws ObjectNotFoundException, CommunicationException, SchemaException, ConfigurationException, SecurityViolationException, GenericConnectorException, ExpressionEvaluationException {
        LOGGER.trace("Getting resource object {}", collection);
        PrismObject<ShadowType> fetchResourceObject = fetchResourceObject(provisioningContext, collection, ProvisioningUtil.createAttributesToReturn(provisioningContext), z, operationResult);
        LOGGER.trace("Got resource object\n{}", fetchResourceObject.debugDumpLazily());
        return fetchResourceObject;
    }

    public PrismObject<ShadowType> locateResourceObject(ProvisioningContext provisioningContext, Collection<? extends ResourceAttribute<?>> collection, OperationResult operationResult) throws ObjectNotFoundException, CommunicationException, SchemaException, ConfigurationException, SecurityViolationException, GenericConnectorException, ExpressionEvaluationException {
        LOGGER.trace("Locating resource object {}", collection);
        ConnectorInstance connector = provisioningContext.getConnector(ReadCapabilityType.class, operationResult);
        AttributesToReturn createAttributesToReturn = ProvisioningUtil.createAttributesToReturn(provisioningContext);
        if (hasAllIdentifiers(collection, provisioningContext.getObjectClassDefinition())) {
            return fetchResourceObject(provisioningContext, collection, createAttributesToReturn, true, operationResult);
        }
        Collection secondaryIdentifiers = provisioningContext.getObjectClassDefinition().getSecondaryIdentifiers();
        if (secondaryIdentifiers.size() > 1) {
            throw new UnsupportedOperationException("Composite secondary identifier is not supported yet");
        }
        if (secondaryIdentifiers.isEmpty()) {
            throw new SchemaException("No secondary identifier defined, cannot search");
        }
        RefinedAttributeDefinition refinedAttributeDefinition = (RefinedAttributeDefinition) secondaryIdentifiers.iterator().next();
        ResourceAttribute<?> resourceAttribute = null;
        for (ResourceAttribute<?> resourceAttribute2 : collection) {
            if (resourceAttribute2.getElementName().equals(refinedAttributeDefinition.getName())) {
                resourceAttribute = resourceAttribute2;
            }
        }
        if (resourceAttribute == null) {
            throw new SchemaException("No secondary identifier present, cannot search. Identifiers: " + collection);
        }
        final ResourceAttribute<?> resourceAttribute3 = resourceAttribute;
        List values = resourceAttribute.getValues();
        if (values.size() > 1) {
            throw new IllegalStateException("Secondary identifier has more than one value: " + resourceAttribute.getValues());
        }
        ObjectQuery build = QueryBuilder.queryFor(ShadowType.class, this.prismContext).itemWithDef(refinedAttributeDefinition, new QName[]{ShadowType.F_ATTRIBUTES, refinedAttributeDefinition.getName()}).eq(new Object[]{values.size() == 1 ? ((PrismPropertyValue) values.get(0)).clone() : null}).build();
        final Holder holder = new Holder();
        try {
            connector.search(provisioningContext.getObjectClassDefinition(), build, new ShadowResultHandler() { // from class: com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.1
                public boolean handle(PrismObject<ShadowType> prismObject) {
                    if (!holder.isEmpty()) {
                        throw new IllegalStateException("More than one value found for secondary identifier " + resourceAttribute3);
                    }
                    holder.setValue(prismObject);
                    return true;
                }
            }, createAttributesToReturn, (PagedSearchCapabilityType) null, (SearchHierarchyConstraints) null, provisioningContext, operationResult);
            if (holder.isEmpty()) {
                throw new ObjectNotFoundException("No object found for secondary identifier " + resourceAttribute);
            }
            PrismObject<ShadowType> postProcessResourceObjectRead = postProcessResourceObjectRead(provisioningContext, (PrismObject) holder.getValue(), true, operationResult);
            LOGGER.trace("Located resource object {}", postProcessResourceObjectRead);
            return postProcessResourceObjectRead;
        } catch (GenericFrameworkException e) {
            throw new GenericConnectorException(e.getMessage(), e);
        }
    }

    private boolean hasAllIdentifiers(Collection<? extends ResourceAttribute<?>> collection, RefinedObjectClassDefinition refinedObjectClassDefinition) {
        for (RefinedAttributeDefinition refinedAttributeDefinition : refinedObjectClassDefinition.getPrimaryIdentifiers()) {
            boolean z = false;
            for (ResourceAttribute<?> resourceAttribute : collection) {
                if (resourceAttribute.getElementName().equals(refinedAttributeDefinition.getName()) && !resourceAttribute.isEmpty()) {
                    z = true;
                }
            }
            if (!z) {
                return false;
            }
        }
        return true;
    }

    public AsynchronousOperationReturnValue<PrismObject<ShadowType>> addResourceObject(ProvisioningContext provisioningContext, PrismObject<ShadowType> prismObject, OperationProvisioningScriptsType operationProvisioningScriptsType, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, CommunicationException, ObjectAlreadyExistsException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        OperationResult createSubresult = operationResult.createSubresult(OPERATION_ADD_RESOURCE_OBJECT);
        ResourceType resource = provisioningContext.getResource();
        LOGGER.trace("Adding resource object {}", prismObject);
        PrismObject<ShadowType> clone = prismObject.clone();
        ShadowType shadowType = (ShadowType) clone.asObjectable();
        if (ProvisioningUtil.isProtectedShadow(provisioningContext.getObjectClassDefinition(), clone, this.matchingRuleRegistry)) {
            LOGGER.error("Attempt to add protected shadow " + shadowType + "; ignoring the request");
            SecurityViolationException securityViolationException = new SecurityViolationException("Cannot get protected shadow " + shadowType);
            createSubresult.recordFatalError(securityViolationException);
            throw securityViolationException;
        }
        checkForAddConflicts(provisioningContext, prismObject, createSubresult);
        ArrayList arrayList = new ArrayList();
        addExecuteScriptOperation(arrayList, ProvisioningOperationTypeType.ADD, operationProvisioningScriptsType, resource, createSubresult);
        this.entitlementConverter.processEntitlementsAdd(provisioningContext, clone);
        ConnectorInstance connector = provisioningContext.getConnector(CreateCapabilityType.class, createSubresult);
        try {
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("PROVISIONING ADD operation on resource {}\n ADD object:\n{}\n additional operations:\n{}", new Object[]{resource.asPrismObject(), shadowType.asPrismObject().debugDump(), SchemaDebugUtil.debugDump(arrayList, 2)});
            }
            transformActivationAttributesAdd(provisioningContext, shadowType, createSubresult);
            if (!ResourceTypeUtil.isCreateCapabilityEnabled(resource)) {
                throw new UnsupportedOperationException("Resource does not support 'create' operation");
            }
            Collection<ResourceAttribute<?>> collection = (Collection) connector.addObject(clone, arrayList, provisioningContext, createSubresult).getReturnValue();
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("PROVISIONING ADD successful, returned attributes:\n{}", SchemaDebugUtil.prettyPrint(collection));
            }
            applyAfterOperationAttributes(prismObject, collection);
            executeEntitlementChangesAdd(provisioningContext, clone, operationProvisioningScriptsType, createSubresult);
            LOGGER.trace("Added resource object {}", prismObject);
            computeResultStatus(createSubresult);
            return AsynchronousOperationReturnValue.wrap(prismObject, createSubresult);
        } catch (GenericFrameworkException e) {
            createSubresult.recordFatalError("Could not create object on the resource. Generic error in connector: " + e.getMessage(), e);
            throw new GenericConnectorException("Generic error in connector: " + e.getMessage(), e);
        } catch (ConfigurationException | SchemaException | Error | RuntimeException e2) {
            createSubresult.recordFatalError(e2);
            throw e2;
        } catch (CommunicationException e3) {
            createSubresult.recordFatalError("Could not create object on the resource. Error communicating with the connector " + connector + ": " + e3.getMessage(), e3);
            throw new CommunicationException("Error communicating with the connector " + connector + ": " + e3.getMessage(), e3);
        } catch (ObjectAlreadyExistsException e4) {
            createSubresult.recordFatalError("Could not create object on the resource. Object already exists on the resource: " + e4.getMessage(), e4);
            throw new ObjectAlreadyExistsException("Object already exists on the resource: " + e4.getMessage(), e4);
        }
    }

    private void checkForAddConflicts(ProvisioningContext provisioningContext, PrismObject<ShadowType> prismObject, OperationResult operationResult) throws ObjectAlreadyExistsException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException, ObjectNotFoundException {
        ConnectorInstance connectorInstance = null;
        try {
            ConnectorInstance connector = provisioningContext.getConnector(CreateCapabilityType.class, operationResult);
            connectorInstance = provisioningContext.getConnector(ReadCapabilityType.class, operationResult);
            if (connectorInstance == connector) {
                return;
            }
            if (connectorInstance.fetchObject(ResourceObjectIdentification.createFromShadow(provisioningContext.getObjectClassDefinition(), prismObject.asObjectable()), (AttributesToReturn) null, provisioningContext, operationResult) != null) {
                ObjectAlreadyExistsException objectAlreadyExistsException = new ObjectAlreadyExistsException("Object " + prismObject + " already exists in the backing store of resource " + provisioningContext.getResource());
                operationResult.recordFatalError(objectAlreadyExistsException);
                throw objectAlreadyExistsException;
            }
        } catch (GenericFrameworkException e) {
            operationResult.recordFatalError("Could not create object on the resource. Generic error in connector: " + e.getMessage(), e);
            throw new GenericConnectorException("Generic error in connector: " + e.getMessage(), e);
        } catch (CommunicationException e2) {
            operationResult.recordFatalError("Could not create object on the resource. Error communicating with the connector " + connectorInstance + ": " + e2.getMessage(), e2);
            throw new CommunicationException("Error communicating with the connector " + connectorInstance + ": " + e2.getMessage(), e2);
        } catch (ObjectNotFoundException e3) {
            operationResult.muteLastSubresultError();
        } catch (Throwable th) {
            operationResult.recordFatalError(th);
            throw th;
        }
    }

    public AsynchronousOperationResult deleteResourceObject(ProvisioningContext provisioningContext, PrismObject<ShadowType> prismObject, OperationProvisioningScriptsType operationProvisioningScriptsType, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        OperationResult createSubresult = operationResult.createSubresult(OPERATION_DELETE_RESOURCE_OBJECT);
        LOGGER.trace("Deleting resource object {}", prismObject);
        Collection allIdentifiers = ShadowUtil.getAllIdentifiers(prismObject);
        if (ProvisioningUtil.isProtectedShadow(provisioningContext.getObjectClassDefinition(), prismObject, this.matchingRuleRegistry)) {
            LOGGER.error("Attempt to delete protected resource object " + provisioningContext.getObjectClassDefinition() + ": " + allIdentifiers + "; ignoring the request");
            SecurityViolationException securityViolationException = new SecurityViolationException("Cannot delete protected resource object " + provisioningContext.getObjectClassDefinition() + ": " + allIdentifiers);
            createSubresult.recordFatalError(securityViolationException);
            throw securityViolationException;
        }
        if (allIdentifiers.isEmpty() && prismObject.asObjectable().getFailedOperationType() != null) {
            throw new GenericConnectorException("Unable to delete object from the resource. Probably it has not been created yet because of previous unavailability of the resource.");
        }
        executeEntitlementChangesDelete(provisioningContext, prismObject, operationProvisioningScriptsType, createSubresult);
        ArrayList arrayList = new ArrayList();
        addExecuteScriptOperation(arrayList, ProvisioningOperationTypeType.DELETE, operationProvisioningScriptsType, provisioningContext.getResource(), createSubresult);
        ConnectorInstance connector = provisioningContext.getConnector(DeleteCapabilityType.class, createSubresult);
        try {
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("PROVISIONING DELETE operation on {}\n DELETE object, object class {}, identified by:\n{}\n additional operations:\n{}", new Object[]{provisioningContext.getResource(), prismObject.asObjectable().getObjectClass(), SchemaDebugUtil.debugDump(allIdentifiers), SchemaDebugUtil.debugDump(arrayList)});
            }
            if (!ResourceTypeUtil.isDeleteCapabilityEnabled(provisioningContext.getResource())) {
                UnsupportedOperationException unsupportedOperationException = new UnsupportedOperationException("Resource does not support 'delete' operation");
                createSubresult.recordFatalError(unsupportedOperationException);
                throw unsupportedOperationException;
            }
            connector.deleteObject(provisioningContext.getObjectClassDefinition(), arrayList, allIdentifiers, provisioningContext, createSubresult);
            computeResultStatus(createSubresult);
            LOGGER.debug("PROVISIONING DELETE: {}", createSubresult.getStatus());
            LOGGER.trace("Deleted resource object {}", prismObject);
            return AsynchronousOperationResult.wrap(createSubresult);
        } catch (Error | RuntimeException e) {
            createSubresult.recordFatalError(e);
            throw e;
        } catch (ObjectNotFoundException e2) {
            createSubresult.recordFatalError("Can't delete object " + prismObject + ". Reason: " + e2.getMessage(), e2);
            throw new ObjectNotFoundException("An error occured while deleting resource object " + prismObject + "whith identifiers " + allIdentifiers + ": " + e2.getMessage(), e2);
        } catch (ExpressionEvaluationException e3) {
            createSubresult.recordFatalError("Expression error while setting up the resource: " + e3.getMessage(), e3);
            throw new ExpressionEvaluationException("Expression error while setting up the resource: " + e3.getMessage(), e3);
        } catch (GenericFrameworkException e4) {
            createSubresult.recordFatalError("Generic error in connector: " + e4.getMessage(), e4);
            throw new GenericConnectorException("Generic error in connector: " + e4.getMessage(), e4);
        } catch (ConfigurationException e5) {
            createSubresult.recordFatalError("Configuration error in connector " + connector + ": " + e5.getMessage(), e5);
            throw new ConfigurationException("Configuration error in connector " + connector + ": " + e5.getMessage(), e5);
        } catch (CommunicationException e6) {
            createSubresult.recordFatalError("Error communicating with the connector " + connector + ": " + e6.getMessage(), e6);
            throw new CommunicationException("Error communicating with the connector " + connector + ": " + e6.getMessage(), e6);
        }
    }

    public AsynchronousOperationReturnValue<Collection<PropertyDelta<PrismPropertyValue>>> modifyResourceObject(ProvisioningContext provisioningContext, PrismObject<ShadowType> prismObject, OperationProvisioningScriptsType operationProvisioningScriptsType, Collection<? extends ItemDelta> collection, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ObjectAlreadyExistsException, ExpressionEvaluationException {
        OperationResult createSubresult = operationResult.createSubresult(OPERATION_MODIFY_RESOURCE_OBJECT);
        try {
            if (LOGGER.isTraceEnabled()) {
                LOGGER.trace("Modifying resource object {}, deltas:\n", prismObject, DebugUtil.debugDump(collection, 1));
            }
            RefinedObjectClassDefinition objectClassDefinition = provisioningContext.getObjectClassDefinition();
            ArrayList arrayList = new ArrayList();
            Collection<? extends ResourceAttribute<?>> allIdentifiers = ShadowUtil.getAllIdentifiers(prismObject);
            Collection primaryIdentifiers = ShadowUtil.getPrimaryIdentifiers(prismObject);
            if (ProvisioningUtil.isProtectedShadow(provisioningContext.getObjectClassDefinition(), prismObject, this.matchingRuleRegistry)) {
                if (!hasChangesOnResource(collection)) {
                    LOGGER.trace("No resource modifications for protected resource object {}: {}; skipping", objectClassDefinition, allIdentifiers);
                    createSubresult.recordNotApplicableIfUnknown();
                    return AsynchronousOperationReturnValue.wrap((Object) null, createSubresult);
                }
                LOGGER.error("Attempt to modify protected resource object " + objectClassDefinition + ": " + allIdentifiers);
                SecurityViolationException securityViolationException = new SecurityViolationException("Cannot modify protected resource object " + objectClassDefinition + ": " + allIdentifiers);
                createSubresult.recordFatalError(securityViolationException);
                throw securityViolationException;
            }
            boolean z = false;
            boolean z2 = false;
            Iterator<? extends ItemDelta> it = collection.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                ItemPath path = it.next().getPath();
                QName firstName = ItemPath.getFirstName(path);
                if (ProvisioningUtil.isAttributeModification(firstName)) {
                    z2 = true;
                    QName firstName2 = ItemPath.getFirstName(path.rest());
                    if (provisioningContext.getObjectClassDefinition().findAttributeDefinition(firstName2).isVolatilityTrigger()) {
                        LOGGER.trace("Will pre-read and re-read object because volatility trigger attribute {} has changed", firstName2);
                        z = true;
                        break;
                    }
                } else if (ProvisioningUtil.isNonAttributeResourceModification(firstName)) {
                    z2 = true;
                }
            }
            if (!z2) {
                LOGGER.trace("No resource modification found for {}, skipping", allIdentifiers);
                createSubresult.recordNotApplicableIfUnknown();
                return AsynchronousOperationReturnValue.wrap((Object) null, createSubresult);
            }
            collectAttributeAndEntitlementChanges(provisioningContext, collection, arrayList, prismObject, createSubresult);
            PrismObject<ShadowType> prismObject2 = null;
            Collection<PropertyModificationOperation> collection2 = null;
            if (primaryIdentifiers.isEmpty() && prismObject.asObjectable().getFailedOperationType() != null) {
                GenericConnectorException genericConnectorException = new GenericConnectorException("Unable to modify object in the resource. Probably it has not been created yet because of previous unavailability of the resource.");
                createSubresult.recordFatalError(genericConnectorException);
                throw genericConnectorException;
            }
            if (z || ResourceTypeUtil.isAvoidDuplicateValues(provisioningContext.getResource()) || isRename(provisioningContext, arrayList)) {
                LOGGER.trace("Pre-reading resource shadow");
                prismObject2 = preReadShadow(provisioningContext, allIdentifiers, arrayList, true, createSubresult);
                if (LOGGER.isTraceEnabled()) {
                    LOGGER.trace("Pre-read object:\n{}", prismObject2 == null ? null : prismObject2.debugDump());
                }
            }
            if (arrayList.isEmpty()) {
                LOGGER.trace("No modifications for connector object specified. Skipping processing of subject executeModify.");
            } else {
                addExecuteScriptOperation(arrayList, ProvisioningOperationTypeType.MODIFY, operationProvisioningScriptsType, provisioningContext.getResource(), createSubresult);
                if (InternalsConfig.isSanityChecks() && MiscUtil.hasDuplicates(arrayList)) {
                    throw new SchemaException("Duplicated changes: " + arrayList);
                }
                collection2 = executeModify(provisioningContext, prismObject2, allIdentifiers, arrayList, createSubresult);
            }
            Collection<PropertyDelta<PrismPropertyValue>> convertToPropertyDelta = convertToPropertyDelta(collection2);
            PrismObject<ShadowType> clone = prismObject2 == null ? prismObject.clone() : prismObject2.clone();
            Iterator<? extends ItemDelta> it2 = collection.iterator();
            while (it2.hasNext()) {
                it2.next().applyTo(clone);
            }
            PrismObject<ShadowType> prismObject3 = null;
            if (z) {
                LOGGER.trace("Post-reading resource shadow");
                prismObject3 = preReadShadow(provisioningContext, allIdentifiers, arrayList, true, createSubresult);
                if (LOGGER.isTraceEnabled()) {
                    LOGGER.trace("Post-read object:\n{}", prismObject3.debugDump());
                }
                ObjectDelta diff = prismObject2.diff(prismObject3);
                if (LOGGER.isTraceEnabled()) {
                    LOGGER.trace("Determined side-effect changes by old-new diff:\n{}", diff.debugDump());
                }
                for (ItemDelta itemDelta : diff.getModifications()) {
                    if (itemDelta.getParentPath().startsWithName(ShadowType.F_ATTRIBUTES) && !ItemDelta.hasEquivalent(collection, itemDelta)) {
                        ItemDelta.merge(convertToPropertyDelta, itemDelta);
                    }
                }
                if (LOGGER.isTraceEnabled()) {
                    LOGGER.trace("Side-effect changes after merging with old-new diff:\n{}", DebugUtil.debugDump(convertToPropertyDelta));
                }
            }
            ArrayList arrayList2 = new ArrayList();
            arrayList2.addAll(collection);
            arrayList2.addAll(convertToPropertyDelta);
            executeEntitlementChangesModify(provisioningContext, prismObject2 == null ? prismObject : prismObject2, prismObject3 == null ? clone : prismObject3, operationProvisioningScriptsType, arrayList2, createSubresult);
            if (!convertToPropertyDelta.isEmpty()) {
                if (prismObject2 != null) {
                    PrismUtil.setDeltaOldValue(prismObject2, convertToPropertyDelta);
                } else {
                    PrismUtil.setDeltaOldValue(prismObject, convertToPropertyDelta);
                }
            }
            if (LOGGER.isTraceEnabled()) {
                LOGGER.trace("Modificaiton side-effect changes:\n{}", DebugUtil.debugDump(convertToPropertyDelta));
            }
            LOGGER.trace("Modified resource object {}", prismObject);
            computeResultStatus(createSubresult);
            return AsynchronousOperationReturnValue.wrap(convertToPropertyDelta, createSubresult);
        } catch (Throwable th) {
            createSubresult.recordFatalError(th);
            throw th;
        }
    }

    private Collection<PropertyDelta<PrismPropertyValue>> convertToPropertyDelta(Collection<PropertyModificationOperation> collection) {
        ArrayList arrayList = new ArrayList();
        if (collection != null) {
            Iterator<PropertyModificationOperation> it = collection.iterator();
            while (it.hasNext()) {
                arrayList.add(it.next().getPropertyDelta());
            }
        }
        return arrayList;
    }

    private Collection<PropertyModificationOperation> executeModify(ProvisioningContext provisioningContext, PrismObject<ShadowType> prismObject, Collection<? extends ResourceAttribute<?>> collection, Collection<Operation> collection2, OperationResult operationResult) throws ObjectNotFoundException, CommunicationException, SchemaException, SecurityViolationException, ConfigurationException, ObjectAlreadyExistsException, ExpressionEvaluationException {
        HashSet hashSet = new HashSet();
        RefinedObjectClassDefinition objectClassDefinition = provisioningContext.getObjectClassDefinition();
        if (collection2.isEmpty()) {
            LOGGER.trace("No modifications for resource object. Skipping modification.");
            return new ArrayList(0);
        }
        LOGGER.trace("Resource object modification operations: {}", collection2);
        if (!ShadowUtil.hasPrimaryIdentifier(collection, objectClassDefinition)) {
            Collection<? extends ResourceAttribute<?>> resolvePrimaryIdentifier = this.resourceObjectReferenceResolver.resolvePrimaryIdentifier(provisioningContext, collection, "modification of resource object " + collection, operationResult);
            if (resolvePrimaryIdentifier == null || resolvePrimaryIdentifier.isEmpty()) {
                throw new ObjectNotFoundException("Cannot find repository shadow for identifiers " + collection);
            }
            collection = resolvePrimaryIdentifier;
        }
        ConnectorInstance connector = provisioningContext.getConnector(UpdateCapabilityType.class, operationResult);
        try {
            if (ResourceTypeUtil.isAvoidDuplicateValues(provisioningContext.getResource())) {
                if (prismObject == null) {
                    LOGGER.trace("Fetching shadow for duplicate filtering");
                    prismObject = preReadShadow(provisioningContext, collection, collection2, false, operationResult);
                }
                if (prismObject == null) {
                    LOGGER.debug("We do not have pre-read shadow, skipping duplicate filtering");
                } else {
                    LOGGER.trace("Filtering out duplicate values");
                    ArrayList arrayList = new ArrayList(collection2.size());
                    Iterator<Operation> it = collection2.iterator();
                    while (it.hasNext()) {
                        PropertyModificationOperation propertyModificationOperation = (Operation) it.next();
                        if (propertyModificationOperation instanceof PropertyModificationOperation) {
                            PropertyModificationOperation propertyModificationOperation2 = propertyModificationOperation;
                            PropertyDelta propertyDelta = propertyModificationOperation2.getPropertyDelta();
                            PropertyDelta narrowPropertyDelta = ProvisioningUtil.narrowPropertyDelta(propertyDelta, prismObject, propertyModificationOperation2.getMatchingRuleQName(), this.matchingRuleRegistry);
                            if (narrowPropertyDelta == null || narrowPropertyDelta.isEmpty()) {
                                LOGGER.trace("Filtering out modification {} because it has empty delta after narrow", propertyDelta);
                            } else if (propertyDelta == narrowPropertyDelta) {
                                arrayList.add(propertyModificationOperation);
                            } else {
                                PropertyModificationOperation propertyModificationOperation3 = new PropertyModificationOperation(narrowPropertyDelta);
                                propertyModificationOperation3.setMatchingRuleQName(propertyModificationOperation2.getMatchingRuleQName());
                                arrayList.add(propertyModificationOperation3);
                            }
                        } else if (propertyModificationOperation instanceof ExecuteProvisioningScriptOperation) {
                            arrayList.add(propertyModificationOperation);
                        }
                    }
                    if (arrayList.isEmpty()) {
                        LOGGER.debug("No modifications for connector object specified (after filtering). Skipping processing.");
                        operationResult.recordSuccess();
                        return new ArrayList(0);
                    }
                    collection2 = arrayList;
                }
            }
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("PROVISIONING MODIFY operation on {}\n MODIFY object, object class {}, identified by:\n{}\n changes:\n{}", new Object[]{provisioningContext.getResource(), objectClassDefinition.getHumanReadableName(), SchemaDebugUtil.debugDump(collection, 1), SchemaDebugUtil.debugDump(collection2, 1)});
            }
            if (!ResourceTypeUtil.isUpdateCapabilityEnabled(provisioningContext.getResource())) {
                if (collection2 == null || collection2.isEmpty()) {
                    LOGGER.debug("No modifications for connector object specified (after filtering). Skipping processing.");
                    operationResult.recordSuccess();
                    return new ArrayList(0);
                }
                UnsupportedOperationException unsupportedOperationException = new UnsupportedOperationException("Resource does not support 'update' operation");
                operationResult.recordFatalError(unsupportedOperationException);
                throw unsupportedOperationException;
            }
            Collection<ResourceAttribute<?>> cloneIdentifiers = cloneIdentifiers(collection);
            List<Collection<Operation>> sortOperationsIntoWaves = sortOperationsIntoWaves(collection2, objectClassDefinition);
            LOGGER.trace("Operation waves: {}", Integer.valueOf(sortOperationsIntoWaves.size()));
            boolean z = false;
            String str = null;
            Iterator<Collection<Operation>> it2 = sortOperationsIntoWaves.iterator();
            while (it2.hasNext()) {
                Collection<Operation> next = it2.next();
                Collection<RefinedAttributeDefinition> determineReadReplace = determineReadReplace(next, objectClassDefinition);
                LOGGER.trace("Read+Replace attributes: {}", determineReadReplace);
                if (!determineReadReplace.isEmpty()) {
                    AttributesToReturn attributesToReturn = new AttributesToReturn();
                    attributesToReturn.setReturnDefaultAttributes(false);
                    attributesToReturn.setAttributesToReturn(determineReadReplace);
                    LOGGER.trace("Fetching object because of READ+REPLACE mode");
                    next = convertToReplace(provisioningContext, next, fetchResourceObject(provisioningContext, cloneIdentifiers, attributesToReturn, false, operationResult));
                }
                if (!next.isEmpty()) {
                    AsynchronousOperationReturnValue modifyObject = connector.modifyObject(objectClassDefinition, cloneIdentifiers, next, provisioningContext, operationResult);
                    Collection collection3 = (Collection) modifyObject.getReturnValue();
                    if (collection3 != null) {
                        hashSet.addAll(collection3);
                    }
                    if (modifyObject.isInProgress()) {
                        z = true;
                        str = modifyObject.getOperationResult().getAsynchronousOperationReference();
                    }
                }
            }
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("PROVISIONING MODIFY successful, inProgress={}, side-effect changes {}", Boolean.valueOf(z), DebugUtil.debugDump(hashSet));
            }
            if (z) {
                operationResult.recordInProgress();
                operationResult.setAsynchronousOperationReference(str);
            }
            return hashSet;
        } catch (CommunicationException e) {
            operationResult.recordFatalError("Error communicating with the connector " + connector + ": " + e.getMessage(), e);
            throw new CommunicationException("Error communicating with connector " + connector + ": " + e.getMessage(), e);
        } catch (ObjectAlreadyExistsException e2) {
            operationResult.recordFatalError("Conflict during modify: " + e2.getMessage(), e2);
            throw new ObjectAlreadyExistsException("Conflict during modify: " + e2.getMessage(), e2);
        } catch (ObjectNotFoundException e3) {
            operationResult.recordFatalError("Object to modify not found: " + e3.getMessage(), e3);
            throw new ObjectNotFoundException("Object to modify not found: " + e3.getMessage(), e3);
        } catch (ExpressionEvaluationException e4) {
            operationResult.recordFatalError("Configuration error: " + e4.getMessage(), e4);
            throw e4;
        } catch (GenericFrameworkException e5) {
            operationResult.recordFatalError("Generic error in the connector " + connector + ": " + e5.getMessage(), e5);
            throw new GenericConnectorException("Generic error in connector connector " + connector + ": " + e5.getMessage(), e5);
        } catch (SecurityViolationException e6) {
            operationResult.recordFatalError("Security violation: " + e6.getMessage(), e6);
            throw new SecurityViolationException("Security violation: " + e6.getMessage(), e6);
        } catch (ConfigurationException e7) {
            operationResult.recordFatalError("Configuration error: " + e7.getMessage(), e7);
            throw e7;
        } catch (SchemaException e8) {
            operationResult.recordFatalError("Schema violation: " + e8.getMessage(), e8);
            throw new SchemaException("Schema violation: " + e8.getMessage(), e8);
        }
    }

    private PrismObject<ShadowType> preReadShadow(ProvisioningContext provisioningContext, Collection<? extends ResourceAttribute<?>> collection, Collection<Operation> collection2, boolean z, OperationResult operationResult) throws ObjectNotFoundException, CommunicationException, SchemaException, SecurityViolationException, ConfigurationException, ExpressionEvaluationException {
        ArrayList arrayList = new ArrayList();
        Iterator<Operation> it = collection2.iterator();
        while (it.hasNext()) {
            RefinedAttributeDefinition refinedAttributeDefinitionIfApplicable = getRefinedAttributeDefinitionIfApplicable(it.next(), provisioningContext.getObjectClassDefinition());
            if (refinedAttributeDefinitionIfApplicable != null && (!refinedAttributeDefinitionIfApplicable.isReturnedByDefault() || refinedAttributeDefinitionIfApplicable.getFetchStrategy() == AttributeFetchStrategyType.EXPLICIT)) {
                arrayList.add(refinedAttributeDefinitionIfApplicable);
            }
        }
        AttributesToReturn attributesToReturn = new AttributesToReturn();
        attributesToReturn.setAttributesToReturn(arrayList);
        try {
            return fetchResourceObject(provisioningContext, collection, attributesToReturn, z, operationResult);
        } catch (ObjectNotFoundException e) {
            LOGGER.warn("Cannot pre-read shadow {}, it is probably not present in the {}. Skipping pre-read.", collection, provisioningContext.getResource());
            return null;
        }
    }

    private Collection<RefinedAttributeDefinition> determineReadReplace(Collection<Operation> collection, RefinedObjectClassDefinition refinedObjectClassDefinition) {
        ArrayList arrayList = new ArrayList();
        Iterator<Operation> it = collection.iterator();
        while (it.hasNext()) {
            PropertyModificationOperation propertyModificationOperation = (Operation) it.next();
            RefinedAttributeDefinition refinedAttributeDefinitionIfApplicable = getRefinedAttributeDefinitionIfApplicable(propertyModificationOperation, refinedObjectClassDefinition);
            if (refinedAttributeDefinitionIfApplicable != null && isReadReplaceMode(refinedAttributeDefinitionIfApplicable, refinedObjectClassDefinition) && (propertyModificationOperation instanceof PropertyModificationOperation)) {
                PropertyDelta propertyDelta = propertyModificationOperation.getPropertyDelta();
                if (propertyDelta.isAdd() || propertyDelta.isDelete()) {
                    arrayList.add(refinedAttributeDefinitionIfApplicable);
                }
            }
        }
        return arrayList;
    }

    private boolean isReadReplaceMode(RefinedAttributeDefinition refinedAttributeDefinition, RefinedObjectClassDefinition refinedObjectClassDefinition) {
        return refinedAttributeDefinition.getReadReplaceMode() != null ? refinedAttributeDefinition.getReadReplaceMode().booleanValue() : refinedObjectClassDefinition.getEffectiveCapability(AddRemoveAttributeValuesCapabilityType.class) == null;
    }

    private RefinedAttributeDefinition getRefinedAttributeDefinitionIfApplicable(Operation operation, RefinedObjectClassDefinition refinedObjectClassDefinition) {
        if (!(operation instanceof PropertyModificationOperation)) {
            return null;
        }
        PropertyDelta propertyDelta = ((PropertyModificationOperation) operation).getPropertyDelta();
        if (isAttributeDelta(propertyDelta)) {
            return refinedObjectClassDefinition.findAttributeDefinition(propertyDelta.getElementName());
        }
        return null;
    }

    private Collection<Operation> convertToReplace(ProvisioningContext provisioningContext, Collection<Operation> collection, PrismObject<ShadowType> prismObject) throws SchemaException, ConfigurationException, ObjectNotFoundException, CommunicationException, ExpressionEvaluationException {
        ArrayList arrayList = new ArrayList(collection.size());
        Iterator<Operation> it = collection.iterator();
        while (it.hasNext()) {
            PropertyModificationOperation propertyModificationOperation = (Operation) it.next();
            if (propertyModificationOperation instanceof PropertyModificationOperation) {
                PropertyDelta propertyDelta = propertyModificationOperation.getPropertyDelta();
                if (isAttributeDelta(propertyDelta)) {
                    RefinedAttributeDefinition findAttributeDefinition = provisioningContext.getObjectClassDefinition().findAttributeDefinition(propertyDelta.getElementName());
                    if (isReadReplaceMode(findAttributeDefinition, provisioningContext.getObjectClassDefinition()) && (propertyDelta.isAdd() || propertyDelta.isDelete())) {
                        PropertyModificationOperation convertToReplace = convertToReplace((PropertyDelta<?>) propertyDelta, prismObject, findAttributeDefinition.getMatchingRuleQName());
                        convertToReplace.setMatchingRuleQName(propertyModificationOperation.getMatchingRuleQName());
                        arrayList.add(convertToReplace);
                    }
                }
            }
            arrayList.add(propertyModificationOperation);
        }
        return arrayList;
    }

    private PropertyModificationOperation convertToReplace(PropertyDelta<?> propertyDelta, PrismObject<ShadowType> prismObject, QName qName) throws SchemaException {
        MatchingRule matchingRule;
        PrismProperty findProperty;
        if (propertyDelta.isReplace()) {
            throw new IllegalStateException("PropertyDelta is both ADD/DELETE and REPLACE");
        }
        ArrayList arrayList = new ArrayList();
        if (prismObject != null && (findProperty = prismObject.findProperty(propertyDelta.getPath())) != null) {
            Iterator it = findProperty.getValues().iterator();
            while (it.hasNext()) {
                arrayList.add(((PrismPropertyValue) it.next()).clone());
            }
        }
        if (qName != null) {
            ItemDefinition definition = propertyDelta.getDefinition();
            matchingRule = this.matchingRuleRegistry.getMatchingRule(qName, definition != null ? definition.getTypeName() : null);
        } else {
            matchingRule = null;
        }
        final MatchingRule matchingRule2 = matchingRule;
        Comparator<PrismPropertyValue<?>> comparator = new Comparator<PrismPropertyValue<?>>() { // from class: com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.2
            @Override // java.util.Comparator
            public int compare(PrismPropertyValue<?> prismPropertyValue, PrismPropertyValue<?> prismPropertyValue2) {
                return prismPropertyValue.equalsComplex(prismPropertyValue2, true, false, matchingRule2) ? 0 : 1;
            }
        };
        if (propertyDelta.isAdd()) {
            for (PrismPropertyValue prismPropertyValue : propertyDelta.getValuesToAdd()) {
                if (PrismPropertyValue.containsValue(arrayList, prismPropertyValue, comparator)) {
                    LOGGER.warn("Attempting to add a value of {} that is already present in {}: {}", new Object[]{prismPropertyValue, propertyDelta.getElementName(), arrayList});
                } else {
                    arrayList.add(prismPropertyValue.clone());
                }
            }
        }
        if (propertyDelta.isDelete()) {
            for (PrismPropertyValue<?> prismPropertyValue2 : propertyDelta.getValuesToDelete()) {
                Iterator it2 = arrayList.iterator();
                boolean z = false;
                while (it2.hasNext()) {
                    PrismPropertyValue<?> prismPropertyValue3 = (PrismPropertyValue) it2.next();
                    LOGGER.trace("Comparing existing {} to about-to-be-deleted {}, matching rule: {}", new Object[]{prismPropertyValue3, prismPropertyValue2, matchingRule});
                    if (comparator.compare(prismPropertyValue3, prismPropertyValue2) == 0) {
                        LOGGER.trace("MATCH! compared existing {} to about-to-be-deleted {}", prismPropertyValue3, prismPropertyValue2);
                        it2.remove();
                        z = true;
                    }
                }
                if (!z) {
                    LOGGER.warn("Attempting to remove a value of {} that is not in {}: {}", new Object[]{prismPropertyValue2, propertyDelta.getElementName(), arrayList});
                }
            }
        }
        PropertyDelta propertyDelta2 = new PropertyDelta(propertyDelta.getPath(), propertyDelta.getPropertyDefinition(), propertyDelta.getPrismContext());
        propertyDelta2.setValuesToReplace(arrayList);
        return new PropertyModificationOperation(propertyDelta2);
    }

    private List<Collection<Operation>> sortOperationsIntoWaves(Collection<Operation> collection, RefinedObjectClassDefinition refinedObjectClassDefinition) {
        TreeMap treeMap = new TreeMap();
        ArrayList arrayList = new ArrayList();
        for (Operation operation : collection) {
            RefinedAttributeDefinition refinedAttributeDefinitionIfApplicable = getRefinedAttributeDefinitionIfApplicable(operation, refinedObjectClassDefinition);
            if (refinedAttributeDefinitionIfApplicable == null || refinedAttributeDefinitionIfApplicable.getModificationPriority() == null) {
                arrayList.add(operation);
            } else {
                putIntoWaves(treeMap, refinedAttributeDefinitionIfApplicable.getModificationPriority(), operation);
            }
        }
        ArrayList arrayList2 = new ArrayList(treeMap.size() + 1);
        Map.Entry firstEntry = treeMap.firstEntry();
        while (true) {
            Map.Entry entry = firstEntry;
            if (entry == null) {
                arrayList2.add(arrayList);
                return arrayList2;
            }
            arrayList2.add(entry.getValue());
            firstEntry = treeMap.higherEntry(entry.getKey());
        }
    }

    private void putIntoWaves(Map<Integer, Collection<Operation>> map, Integer num, Operation operation) {
        Collection<Operation> collection = map.get(num);
        if (collection == null) {
            collection = new ArrayList();
            map.put(num, collection);
        }
        collection.add(operation);
    }

    private Collection<ResourceAttribute<?>> cloneIdentifiers(Collection<? extends ResourceAttribute<?>> collection) {
        HashSet hashSet = new HashSet(collection.size());
        Iterator<? extends ResourceAttribute<?>> it = collection.iterator();
        while (it.hasNext()) {
            hashSet.add(it.next().clone());
        }
        return hashSet;
    }

    private boolean isRename(ProvisioningContext provisioningContext, Collection<Operation> collection) throws SchemaException, ConfigurationException, ObjectNotFoundException, CommunicationException, ExpressionEvaluationException {
        Iterator<Operation> it = collection.iterator();
        while (it.hasNext()) {
            PropertyModificationOperation propertyModificationOperation = (Operation) it.next();
            if ((propertyModificationOperation instanceof PropertyModificationOperation) && isIdentifierDelta(provisioningContext, propertyModificationOperation.getPropertyDelta())) {
                return true;
            }
        }
        return false;
    }

    private <T> boolean isIdentifierDelta(ProvisioningContext provisioningContext, PropertyDelta<T> propertyDelta) throws SchemaException, ConfigurationException, ObjectNotFoundException, CommunicationException, ExpressionEvaluationException {
        return provisioningContext.getObjectClassDefinition().isPrimaryIdentifier(propertyDelta.getElementName()) || provisioningContext.getObjectClassDefinition().isSecondaryIdentifier(propertyDelta.getElementName());
    }

    private PrismObject<ShadowType> executeEntitlementChangesAdd(ProvisioningContext provisioningContext, PrismObject<ShadowType> prismObject, OperationProvisioningScriptsType operationProvisioningScriptsType, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, CommunicationException, SecurityViolationException, ConfigurationException, ObjectAlreadyExistsException, ExpressionEvaluationException {
        HashMap hashMap = new HashMap();
        PrismObject<ShadowType> collectEntitlementsAsObjectOperationInShadowAdd = this.entitlementConverter.collectEntitlementsAsObjectOperationInShadowAdd(provisioningContext, hashMap, prismObject, operationResult);
        executeEntitlements(provisioningContext, hashMap, operationResult);
        return collectEntitlementsAsObjectOperationInShadowAdd;
    }

    private PrismObject<ShadowType> executeEntitlementChangesModify(ProvisioningContext provisioningContext, PrismObject<ShadowType> prismObject, PrismObject<ShadowType> prismObject2, OperationProvisioningScriptsType operationProvisioningScriptsType, Collection<? extends ItemDelta> collection, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, CommunicationException, SecurityViolationException, ConfigurationException, ObjectAlreadyExistsException, ExpressionEvaluationException {
        HashMap hashMap = new HashMap();
        if (LOGGER.isTraceEnabled()) {
            LOGGER.trace("executeEntitlementChangesModify, old shadow:\n{}", prismObject.debugDump(1));
        }
        Iterator<? extends ItemDelta> it = collection.iterator();
        while (it.hasNext()) {
            ContainerDelta<ShadowAssociationType> containerDelta = (ItemDelta) it.next();
            ItemPath path = containerDelta.getPath();
            if (new ItemPath(new QName[]{ShadowType.F_ASSOCIATION}).equivalent(path)) {
                prismObject2 = this.entitlementConverter.collectEntitlementsAsObjectOperation(provisioningContext, hashMap, containerDelta, prismObject, prismObject2, operationResult);
            } else {
                ContainerDelta<ShadowAssociationType> createDelta = ContainerDelta.createDelta(ShadowType.F_ASSOCIATION, prismObject.getDefinition());
                PrismContainer findContainer = prismObject.findContainer(ShadowType.F_ASSOCIATION);
                if (findContainer == null || findContainer.isEmpty()) {
                    LOGGER.trace("No shadow association container in old shadow. Skipping processing entitlements change for {}.", path);
                } else {
                    if (LOGGER.isTraceEnabled()) {
                        LOGGER.trace("Processing association container in old shadow for {}:\n{}", path, findContainer.debugDump(1));
                    }
                    for (PrismContainerValue prismContainerValue : findContainer.getValues()) {
                        QName name = prismContainerValue.asContainerable().getName();
                        if (name == null) {
                            throw new IllegalStateException("No association name in " + prismContainerValue);
                        }
                        RefinedAssociationDefinition findAssociationDefinition = provisioningContext.getObjectClassDefinition().findAssociationDefinition(name);
                        if (findAssociationDefinition == null) {
                            throw new IllegalStateException("No association definition for " + prismContainerValue);
                        }
                        if (findAssociationDefinition.requiresExplicitReferentialIntegrity() && ShadowUtil.matchesAttribute(path, findAssociationDefinition.getResourceObjectAssociationType().getValueAttribute())) {
                            LOGGER.trace("Processing association {} on rename", name);
                            createDelta.addValuesToDelete(new PrismContainerValue[]{prismContainerValue.clone()});
                            createDelta.addValuesToAdd(new PrismContainerValue[]{prismContainerValue.clone()});
                        }
                    }
                    if (LOGGER.isTraceEnabled()) {
                        LOGGER.trace("Resulting association delta for {}:\n{}", path, createDelta.debugDump(1));
                    }
                    if (!createDelta.isEmpty()) {
                        this.entitlementConverter.collectEntitlementsAsObjectOperation(provisioningContext, hashMap, createDelta, prismObject, prismObject2, operationResult);
                    }
                }
            }
        }
        executeEntitlements(provisioningContext, hashMap, operationResult);
        return prismObject2;
    }

    private void executeEntitlementChangesDelete(ProvisioningContext provisioningContext, PrismObject<ShadowType> prismObject, OperationProvisioningScriptsType operationProvisioningScriptsType, OperationResult operationResult) throws SchemaException {
        try {
            HashMap hashMap = new HashMap();
            this.entitlementConverter.collectEntitlementsAsObjectOperationDelete(provisioningContext, hashMap, prismObject, operationResult);
            executeEntitlements(provisioningContext, hashMap, operationResult);
        } catch (CommunicationException | ObjectNotFoundException | SecurityViolationException | ConfigurationException | ObjectAlreadyExistsException | ExpressionEvaluationException | Error | RuntimeException e) {
            LOGGER.error(e.getMessage(), e);
        } catch (SchemaException e2) {
            throw e2;
        }
    }

    private void executeEntitlements(ProvisioningContext provisioningContext, Map<ResourceObjectDiscriminator, ResourceObjectOperations> map, OperationResult operationResult) throws ObjectNotFoundException, CommunicationException, SchemaException, SecurityViolationException, ConfigurationException, ObjectAlreadyExistsException {
        if (LOGGER.isTraceEnabled()) {
            LOGGER.trace("Excuting entitlement chanes, roMap:\n{}", DebugUtil.debugDump(map, 1));
        }
        for (Map.Entry<ResourceObjectDiscriminator, ResourceObjectOperations> entry : map.entrySet()) {
            ResourceObjectDiscriminator key = entry.getKey();
            ProvisioningContext resourceObjectContext = entry.getValue().getResourceObjectContext();
            Collection<? extends ResourceAttribute<?>> primaryIdentifiers = key.getPrimaryIdentifiers();
            ResourceObjectOperations value = entry.getValue();
            Collection<? extends ResourceAttribute<?>> allIdentifiers = value.getAllIdentifiers();
            if (allIdentifiers == null || allIdentifiers.isEmpty()) {
                allIdentifiers = primaryIdentifiers;
            }
            Collection<Operation> operations = value.getOperations();
            if (LOGGER.isTraceEnabled()) {
                LOGGER.trace("Excuting entitlement change identifiers={}:\n{}", allIdentifiers, DebugUtil.debugDump(operations, 1));
            }
            OperationResult createMinorSubresult = operationResult.createMinorSubresult(OPERATION_MODIFY_ENTITLEMENT);
            try {
                executeModify(resourceObjectContext, entry.getValue().getCurrentShadow(), allIdentifiers, operations, createMinorSubresult);
                createMinorSubresult.recordSuccess();
            } catch (ObjectNotFoundException | CommunicationException | SchemaException | SecurityViolationException | ConfigurationException | ObjectAlreadyExistsException | ExpressionEvaluationException e) {
                LOGGER.error("Error while modifying entitlement {} of {}: {}", new Object[]{resourceObjectContext, provisioningContext, e.getMessage(), e});
                createMinorSubresult.recordFatalError(e);
            } catch (Error | RuntimeException e2) {
                LOGGER.error("Error while modifying entitlement {} of {}: {}", new Object[]{resourceObjectContext, provisioningContext, e2.getMessage(), e2});
                createMinorSubresult.recordFatalError(e2);
                throw e2;
            }
        }
    }

    public SearchResultMetadata searchResourceObjects(ProvisioningContext provisioningContext, ResultHandler<ShadowType> resultHandler, ObjectQuery objectQuery, boolean z, OperationResult operationResult) throws SchemaException, CommunicationException, ObjectNotFoundException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        LOGGER.trace("Searching resource objects, query: {}", objectQuery);
        RefinedObjectClassDefinition objectClassDefinition = provisioningContext.getObjectClassDefinition();
        AttributesToReturn createAttributesToReturn = ProvisioningUtil.createAttributesToReturn(provisioningContext);
        SearchHierarchyConstraints searchHierarchyConstraints = null;
        ResourceObjectReferenceType baseContext = objectClassDefinition.getBaseContext();
        if (baseContext != null) {
            PrismObject<ShadowType> resolve = this.resourceObjectReferenceResolver.resolve(provisioningContext, baseContext, null, "base context specification in " + objectClassDefinition, operationResult);
            if (resolve == null) {
                throw new ObjectNotFoundException("No base context defined by " + baseContext + " in base context specification in " + objectClassDefinition);
            }
            searchHierarchyConstraints = new SearchHierarchyConstraints(ShadowUtil.getResourceObjectIdentification(resolve, provisioningContext.getRefinedSchema().determineCompositeObjectClassDefinition(resolve)), (SearchHierarchyScope) null);
        }
        if (InternalsConfig.consistencyChecks && objectQuery != null && objectQuery.getFilter() != null) {
            objectQuery.getFilter().checkConsistence(true);
        }
        ConnectorInstance connector = provisioningContext.getConnector(ReadCapabilityType.class, operationResult);
        try {
            SearchResultMetadata search = connector.search(objectClassDefinition, objectQuery, prismObject -> {
                RepositoryCache.enter();
                OperationResult createMinorSubresult = operationResult.createMinorSubresult("com.evolveum.midpoint.schema.result.searchResult");
                try {
                    try {
                        PrismObject<ShadowType> postProcessResourceObjectRead = postProcessResourceObjectRead(provisioningContext, prismObject, z, createMinorSubresult);
                        Validate.notNull(postProcessResourceObjectRead, "null shadow");
                        boolean handle = resultHandler.handle(postProcessResourceObjectRead, createMinorSubresult);
                        createMinorSubresult.computeStatus();
                        RepositoryCache.exit();
                        return handle;
                    } catch (SchemaException | CommunicationException | ConfigurationException | SecurityViolationException | ObjectNotFoundException | ExpressionEvaluationException e) {
                        throw new TunnelException(e);
                    }
                } catch (Throwable th) {
                    RepositoryCache.exit();
                    throw th;
                }
            }, createAttributesToReturn, objectClassDefinition.getPagedSearches(), searchHierarchyConstraints, provisioningContext, operationResult);
            computeResultStatus(operationResult);
            LOGGER.trace("Searching resource objects done: {}", operationResult.getStatus());
            return search;
        } catch (GenericFrameworkException e) {
            operationResult.recordFatalError("Generic error in the connector: " + e.getMessage(), e);
            throw new SystemException("Generic error in the connector: " + e.getMessage(), e);
        } catch (SecurityViolationException e2) {
            operationResult.recordFatalError("Security violation communicating with the connector " + connector + ": " + e2.getMessage(), e2);
            throw new SecurityViolationException("Security violation communicating with the connector " + connector + ": " + e2.getMessage(), e2);
        } catch (TunnelException e3) {
            SchemaException cause = e3.getCause();
            if (cause instanceof SchemaException) {
                throw cause;
            }
            if (cause instanceof CommunicationException) {
                throw ((CommunicationException) cause);
            }
            if (cause instanceof ObjectNotFoundException) {
                throw ((ObjectNotFoundException) cause);
            }
            if (cause instanceof ConfigurationException) {
                throw ((ConfigurationException) cause);
            }
            if (cause instanceof SecurityViolationException) {
                throw ((SecurityViolationException) cause);
            }
            if (cause instanceof ExpressionEvaluationException) {
                throw ((ExpressionEvaluationException) cause);
            }
            if (cause instanceof GenericFrameworkException) {
                throw new GenericConnectorException(cause.getMessage(), cause);
            }
            throw new SystemException(cause.getMessage(), cause);
        } catch (CommunicationException e4) {
            operationResult.recordFatalError("Error communicating with the connector " + connector + ": " + e4.getMessage(), e4);
            throw new CommunicationException("Error communicating with the connector " + connector + ": " + e4.getMessage(), e4);
        }
    }

    public PrismProperty fetchCurrentToken(ProvisioningContext provisioningContext, OperationResult operationResult) throws ObjectNotFoundException, CommunicationException, SchemaException, ConfigurationException, ExpressionEvaluationException {
        Validate.notNull(operationResult, "Operation result must not be null.");
        LOGGER.trace("Fetcing current sync token for {}", provisioningContext);
        ConnectorInstance connector = provisioningContext.getConnector(LiveSyncCapabilityType.class, operationResult);
        try {
            PrismProperty fetchCurrentToken = connector.fetchCurrentToken(provisioningContext.getObjectClassDefinition(), provisioningContext, operationResult);
            LOGGER.trace("Got last token: {}", SchemaDebugUtil.prettyPrint(fetchCurrentToken));
            computeResultStatus(operationResult);
            return fetchCurrentToken;
        } catch (CommunicationException e) {
            operationResult.recordFatalError("Error communicating with the connector " + connector + ": " + e.getMessage(), e);
            throw new CommunicationException("Error communicating with the connector " + connector + ": " + e.getMessage(), e);
        } catch (GenericFrameworkException e2) {
            operationResult.recordFatalError("Generic error in the connector: " + e2.getMessage(), e2);
            throw new CommunicationException("Generic error in the connector: " + e2.getMessage(), e2);
        }
    }

    private PrismObject<ShadowType> fetchResourceObject(ProvisioningContext provisioningContext, Collection<? extends ResourceAttribute<?>> collection, AttributesToReturn attributesToReturn, boolean z, OperationResult operationResult) throws ObjectNotFoundException, CommunicationException, SchemaException, SecurityViolationException, ConfigurationException, ExpressionEvaluationException {
        return postProcessResourceObjectRead(provisioningContext, this.resourceObjectReferenceResolver.fetchResourceObject(provisioningContext, collection, attributesToReturn, operationResult), z, operationResult);
    }

    private void applyAfterOperationAttributes(PrismObject<ShadowType> prismObject, Collection<ResourceAttribute<?>> collection) throws SchemaException {
        if (collection == null) {
            return;
        }
        ResourceAttributeContainer attributesContainer = ShadowUtil.getAttributesContainer(prismObject);
        for (ResourceAttribute<?> resourceAttribute : collection) {
            ResourceAttribute findAttribute = attributesContainer.findAttribute(resourceAttribute.getElementName());
            if (findAttribute != null) {
                attributesContainer.remove(findAttribute);
            }
            if (!attributesContainer.contains(resourceAttribute)) {
                attributesContainer.add(resourceAttribute.clone());
            }
        }
    }

    private Collection<Operation> determineActivationChange(ProvisioningContext provisioningContext, ShadowType shadowType, Collection<? extends ItemDelta> collection, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, ExpressionEvaluationException {
        ResourceType resource = provisioningContext.getResource();
        ArrayList arrayList = new ArrayList();
        CapabilitiesType connectorCapabilities = provisioningContext.getConnectorCapabilities(UpdateCapabilityType.class);
        ActivationCapabilityType activationCapabilityType = (ActivationCapabilityType) CapabilityUtil.getEffectiveCapability(connectorCapabilities, ActivationCapabilityType.class);
        PropertyDelta findPropertyDelta = PropertyDelta.findPropertyDelta(collection, SchemaConstants.PATH_ACTIVATION_ADMINISTRATIVE_STATUS);
        if (findPropertyDelta != null) {
            if (activationCapabilityType == null) {
                SchemaException schemaException = new SchemaException("Attempt to change activation administrativeStatus on " + resource + " which does not have the capability");
                operationResult.recordFatalError(schemaException);
                throw schemaException;
            }
            ActivationStatusType activationStatusType = (ActivationStatusType) findPropertyDelta.getPropertyNewMatchingPath().getRealValue();
            LOGGER.trace("Found activation administrativeStatus change to: {}", activationStatusType);
            if (CapabilityUtil.hasNativeCapability(connectorCapabilities, ActivationCapabilityType.class)) {
                checkSimulatedActivationAdministrativeStatus(provisioningContext, collection, activationStatusType, activationCapabilityType, shadowType, operationResult);
                arrayList.add(new PropertyModificationOperation(findPropertyDelta));
            } else {
                PropertyModificationOperation convertToSimulatedActivationAdministrativeStatusAttribute = convertToSimulatedActivationAdministrativeStatusAttribute(provisioningContext, findPropertyDelta, shadowType, activationStatusType, activationCapabilityType, operationResult);
                if (convertToSimulatedActivationAdministrativeStatusAttribute != null) {
                    arrayList.add(convertToSimulatedActivationAdministrativeStatusAttribute);
                }
            }
        }
        PropertyDelta findPropertyDelta2 = PropertyDelta.findPropertyDelta(collection, SchemaConstants.PATH_ACTIVATION_VALID_FROM);
        if (findPropertyDelta2 != null) {
            if (CapabilityUtil.getEffectiveActivationValidFrom(activationCapabilityType) == null) {
                SchemaException schemaException2 = new SchemaException("Attempt to change activation validFrom on " + resource + " which does not have the capability");
                operationResult.recordFatalError(schemaException2);
                throw schemaException2;
            }
            LOGGER.trace("Found activation validFrom change to: {}", (XMLGregorianCalendar) findPropertyDelta2.getPropertyNewMatchingPath().getRealValue());
            arrayList.add(new PropertyModificationOperation(findPropertyDelta2));
        }
        PropertyDelta findPropertyDelta3 = PropertyDelta.findPropertyDelta(collection, SchemaConstants.PATH_ACTIVATION_VALID_TO);
        if (findPropertyDelta3 != null) {
            if (CapabilityUtil.getEffectiveActivationValidTo(activationCapabilityType) == null) {
                SchemaException schemaException3 = new SchemaException("Attempt to change activation validTo on " + resource + " which does not have the capability");
                operationResult.recordFatalError(schemaException3);
                throw schemaException3;
            }
            LOGGER.trace("Found activation validTo change to: {}", (XMLGregorianCalendar) findPropertyDelta3.getPropertyNewMatchingPath().getRealValue());
            arrayList.add(new PropertyModificationOperation(findPropertyDelta3));
        }
        PropertyDelta findPropertyDelta4 = PropertyDelta.findPropertyDelta(collection, SchemaConstants.PATH_ACTIVATION_LOCKOUT_STATUS);
        if (findPropertyDelta4 != null) {
            if (activationCapabilityType == null) {
                SchemaException schemaException4 = new SchemaException("Attempt to change activation lockoutStatus on " + resource + " which does not have the capability");
                operationResult.recordFatalError(schemaException4);
                throw schemaException4;
            }
            LockoutStatusType lockoutStatusType = (LockoutStatusType) findPropertyDelta4.getPropertyNewMatchingPath().getRealValue();
            LOGGER.trace("Found activation lockoutStatus change to: {}", lockoutStatusType);
            if (CapabilityUtil.hasNativeCapability(connectorCapabilities, ActivationCapabilityType.class)) {
                checkSimulatedActivationLockoutStatus(provisioningContext, collection, lockoutStatusType, activationCapabilityType, shadowType, operationResult);
                arrayList.add(new PropertyModificationOperation(findPropertyDelta4));
            } else {
                arrayList.add(convertToSimulatedActivationLockoutStatusAttribute(provisioningContext, findPropertyDelta4, shadowType, lockoutStatusType, activationCapabilityType, operationResult));
            }
        }
        return arrayList;
    }

    private <T> void checkSimulatedActivationAdministrativeStatus(ProvisioningContext provisioningContext, Collection<? extends ItemDelta> collection, ActivationStatusType activationStatusType, ActivationCapabilityType activationCapabilityType, ShadowType shadowType, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, ExpressionEvaluationException {
        PropertyDelta findPropertyDelta;
        ResourceAttribute<T> simulatedActivationAdministrativeStatusAttribute = getSimulatedActivationAdministrativeStatusAttribute(provisioningContext, shadowType, getActivationAdministrativeStatusFromSimulatedActivation(provisioningContext, activationCapabilityType, shadowType, operationResult), operationResult);
        if (simulatedActivationAdministrativeStatusAttribute == null || (findPropertyDelta = PropertyDelta.findPropertyDelta(collection, simulatedActivationAdministrativeStatusAttribute.getPath())) == null) {
            return;
        }
        Collection realValues = findPropertyDelta.getPropertyNewMatchingPath().getRealValues();
        if (realValues.isEmpty()) {
            return;
        }
        if (realValues.size() > 1) {
            throw new SchemaException("Found more than one value for simulated activation.");
        }
        boolean transformedValue = getTransformedValue(provisioningContext, activationCapabilityType, shadowType, realValues.iterator().next(), operationResult);
        if (!transformedValue || activationStatusType != ActivationStatusType.ENABLED) {
            throw new SchemaException("Found conflicting change for activation. Simulated activation resulted to " + transformedValue + ", but native activation resulted to " + activationStatusType);
        }
    }

    private void checkSimulatedActivationLockoutStatus(ProvisioningContext provisioningContext, Collection<? extends ItemDelta> collection, LockoutStatusType lockoutStatusType, ActivationCapabilityType activationCapabilityType, ShadowType shadowType, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, ExpressionEvaluationException {
        ResourceAttribute<?> simulatedActivationLockoutStatusAttribute = getSimulatedActivationLockoutStatusAttribute(provisioningContext, shadowType, getActivationLockoutStatusFromSimulatedActivation(provisioningContext, activationCapabilityType, shadowType, operationResult), operationResult);
        if (simulatedActivationLockoutStatusAttribute == null) {
            return;
        }
        Collection realValues = PropertyDelta.findPropertyDelta(collection, simulatedActivationLockoutStatusAttribute.getPath()).getPropertyNewMatchingPath().getRealValues();
        if (realValues.isEmpty()) {
            return;
        }
        if (realValues.size() > 1) {
            throw new SchemaException("Found more than one value for simulated lockout.");
        }
        boolean transformedValue = getTransformedValue(provisioningContext, activationCapabilityType, shadowType, realValues.iterator().next(), operationResult);
        if (!transformedValue || lockoutStatusType != LockoutStatusType.NORMAL) {
            throw new SchemaException("Found conflicting change for activation lockout. Simulated lockout resulted to " + transformedValue + ", but native activation resulted to " + lockoutStatusType);
        }
    }

    private boolean getTransformedValue(ProvisioningContext provisioningContext, ActivationCapabilityType activationCapabilityType, ShadowType shadowType, Object obj, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, ExpressionEvaluationException {
        ActivationStatusCapabilityType activationAdministrativeStatusFromSimulatedActivation = getActivationAdministrativeStatusFromSimulatedActivation(provisioningContext, activationCapabilityType, shadowType, operationResult);
        String valueOf = String.valueOf(obj);
        Iterator it = activationAdministrativeStatusFromSimulatedActivation.getDisableValue().iterator();
        while (it.hasNext()) {
            if (((String) it.next()).equals(valueOf)) {
                return false;
            }
        }
        Iterator it2 = activationAdministrativeStatusFromSimulatedActivation.getEnableValue().iterator();
        while (it2.hasNext()) {
            if (((String) it2.next()).equals(valueOf)) {
                return true;
            }
        }
        throw new SchemaException("Could not map value for simulated activation: " + obj + " neither to enable nor disable values.");
    }

    private void transformActivationAttributesAdd(ProvisioningContext provisioningContext, ShadowType shadowType, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, ExpressionEvaluationException {
        ActivationType activation = shadowType.getActivation();
        if (activation == null) {
            return;
        }
        PrismContainer findContainer = shadowType.asPrismObject().findContainer(ShadowType.F_ATTRIBUTES);
        CapabilitiesType connectorCapabilities = provisioningContext.getConnectorCapabilities(CreateCapabilityType.class);
        ActivationCapabilityType activationCapabilityType = (ActivationCapabilityType) CapabilityUtil.getEffectiveCapability(connectorCapabilities, ActivationCapabilityType.class);
        if (activation.getAdministrativeStatus() != null && !CapabilityUtil.hasNativeCapability(connectorCapabilities, ActivationCapabilityType.class)) {
            ActivationStatusCapabilityType activationAdministrativeStatusFromSimulatedActivation = getActivationAdministrativeStatusFromSimulatedActivation(provisioningContext, activationCapabilityType, shadowType, operationResult);
            if (activationAdministrativeStatusFromSimulatedActivation == null) {
                throw new SchemaException("Attempt to change activation/administrativeStatus on " + provisioningContext.getResource() + " that has neither native nor simulated activation capability");
            }
            ResourceAttribute<?> simulatedActivationAdministrativeStatusAttribute = getSimulatedActivationAdministrativeStatusAttribute(provisioningContext, shadowType, activationAdministrativeStatusFromSimulatedActivation, operationResult);
            if (simulatedActivationAdministrativeStatusAttribute != null) {
                Class<?> attributeValueClass = getAttributeValueClass(provisioningContext, shadowType, simulatedActivationAdministrativeStatusAttribute, activationAdministrativeStatusFromSimulatedActivation);
                Object enableValue = activation.getAdministrativeStatus() == ActivationStatusType.ENABLED ? getEnableValue(activationAdministrativeStatusFromSimulatedActivation, attributeValueClass) : getDisableValue(activationAdministrativeStatusFromSimulatedActivation, attributeValueClass);
                Item findItem = findContainer.findItem(simulatedActivationAdministrativeStatusAttribute.getElementName());
                if (!isBlank(enableValue)) {
                    PrismPropertyValue prismPropertyValue = new PrismPropertyValue(enableValue);
                    if (findItem == null) {
                        simulatedActivationAdministrativeStatusAttribute.add(prismPropertyValue);
                        findContainer.add(simulatedActivationAdministrativeStatusAttribute);
                    } else {
                        findItem.replace(prismPropertyValue);
                    }
                } else if (findItem != null) {
                    findContainer.remove(findItem);
                }
                activation.setAdministrativeStatus((ActivationStatusType) null);
            }
        }
        if (activation.getLockoutStatus() == null || CapabilityUtil.hasNativeCapability(connectorCapabilities, ActivationCapabilityType.class)) {
            return;
        }
        ActivationLockoutStatusCapabilityType activationLockoutStatusFromSimulatedActivation = getActivationLockoutStatusFromSimulatedActivation(provisioningContext, activationCapabilityType, shadowType, operationResult);
        if (activationLockoutStatusFromSimulatedActivation == null) {
            throw new SchemaException("Attempt to change activation/lockout on " + provisioningContext.getResource() + " that has neither native nor simulated activation capability");
        }
        ResourceAttribute<?> simulatedActivationLockoutStatusAttribute = getSimulatedActivationLockoutStatusAttribute(provisioningContext, shadowType, activationLockoutStatusFromSimulatedActivation, operationResult);
        if (simulatedActivationLockoutStatusAttribute != null) {
            String lockoutNormalValue = activation.getLockoutStatus() == LockoutStatusType.NORMAL ? getLockoutNormalValue(activationLockoutStatusFromSimulatedActivation) : getLockoutLockedValue(activationLockoutStatusFromSimulatedActivation);
            Item findItem2 = findContainer.findItem(simulatedActivationLockoutStatusAttribute.getElementName());
            if (!StringUtils.isBlank(lockoutNormalValue)) {
                simulatedActivationLockoutStatusAttribute.add(new PrismPropertyValue(lockoutNormalValue));
                if (findContainer.findItem(simulatedActivationLockoutStatusAttribute.getElementName()) == null) {
                    findContainer.add(simulatedActivationLockoutStatusAttribute);
                } else {
                    findContainer.findItem(simulatedActivationLockoutStatusAttribute.getElementName()).replace(simulatedActivationLockoutStatusAttribute.getValue());
                }
            } else if (findItem2 != null) {
                findContainer.remove(findItem2);
            }
            activation.setLockoutStatus((LockoutStatusType) null);
        }
    }

    @NotNull
    private Class<?> getAttributeValueClass(ProvisioningContext provisioningContext, ShadowType shadowType, ResourceAttribute<?> resourceAttribute, @NotNull ActivationStatusCapabilityType activationStatusCapabilityType) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, ExpressionEvaluationException {
        ResourceAttributeDefinition definition = resourceAttribute.getDefinition();
        Class<?> typeClassIfKnown = definition != null ? definition.getTypeClassIfKnown() : null;
        if (typeClassIfKnown == null) {
            LOGGER.warn("No definition for simulated administrative status attribute {} for shadow {} on {}, assuming String", new Object[]{resourceAttribute, shadowType, provisioningContext.getResource()});
            typeClassIfKnown = String.class;
        }
        return typeClassIfKnown;
    }

    private boolean isBlank(Object obj) {
        if (obj == null) {
            return true;
        }
        if (obj instanceof String) {
            return StringUtils.isBlank((String) obj);
        }
        return false;
    }

    private boolean hasChangesOnResource(Collection<? extends ItemDelta> collection) {
        for (ItemDelta itemDelta : collection) {
            if (isAttributeDelta(itemDelta) || SchemaConstants.PATH_PASSWORD.equals(itemDelta.getParentPath()) || SchemaConstants.PATH_ACTIVATION.equivalent(itemDelta.getParentPath()) || new ItemPath(new QName[]{ShadowType.F_ASSOCIATION}).equivalent(itemDelta.getPath())) {
                return true;
            }
        }
        return false;
    }

    private void collectAttributeAndEntitlementChanges(ProvisioningContext provisioningContext, Collection<? extends ItemDelta> collection, Collection<Operation> collection2, PrismObject<ShadowType> prismObject, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, ExpressionEvaluationException {
        if (collection2 == null) {
            collection2 = new ArrayList();
        }
        boolean z = false;
        RefinedObjectClassDefinition objectClassDefinition = provisioningContext.getObjectClassDefinition();
        Iterator<? extends ItemDelta> it = collection.iterator();
        while (it.hasNext()) {
            PropertyDelta propertyDelta = (ItemDelta) it.next();
            if (isAttributeDelta(propertyDelta) || SchemaConstants.PATH_PASSWORD.equivalent(propertyDelta.getParentPath())) {
                if (propertyDelta instanceof PropertyDelta) {
                    PropertyModificationOperation propertyModificationOperation = new PropertyModificationOperation(propertyDelta);
                    RefinedAttributeDefinition findAttributeDefinition = objectClassDefinition.findAttributeDefinition(propertyDelta.getElementName());
                    if (findAttributeDefinition != null) {
                        propertyModificationOperation.setMatchingRuleQName(findAttributeDefinition.getMatchingRuleQName());
                        if (propertyDelta.getDefinition() == null) {
                            propertyDelta.setDefinition(findAttributeDefinition);
                        }
                    }
                    collection2.add(propertyModificationOperation);
                } else if (!(propertyDelta instanceof ContainerDelta)) {
                    throw new UnsupportedOperationException("Not supported delta: " + propertyDelta);
                }
            } else if (SchemaConstants.PATH_ACTIVATION.equivalent(propertyDelta.getParentPath())) {
                if (!z) {
                    Collection<Operation> determineActivationChange = determineActivationChange(provisioningContext, (ShadowType) prismObject.asObjectable(), collection, operationResult);
                    if (determineActivationChange != null) {
                        collection2.addAll(determineActivationChange);
                    }
                    z = true;
                }
            } else if (new ItemPath(new QName[]{ShadowType.F_ASSOCIATION}).equivalent(propertyDelta.getPath())) {
                if (!(propertyDelta instanceof ContainerDelta)) {
                    throw new UnsupportedOperationException("Not supported delta: " + propertyDelta);
                }
                this.entitlementConverter.collectEntitlementChange(provisioningContext, (ContainerDelta) propertyDelta, collection2);
            } else if (!new ItemPath(new QName[]{ShadowType.F_AUXILIARY_OBJECT_CLASS}).equivalent(propertyDelta.getPath())) {
                LOGGER.trace("Skip converting item delta: {}. It's not resource object change, but it is shadow change.", propertyDelta);
            } else {
                if (!(propertyDelta instanceof PropertyDelta)) {
                    throw new UnsupportedOperationException("Not supported delta: " + propertyDelta);
                }
                collection2.add(new PropertyModificationOperation(propertyDelta));
            }
        }
    }

    private boolean isAttributeDelta(ItemDelta itemDelta) {
        return new ItemPath(new QName[]{ShadowType.F_ATTRIBUTES}).equivalent(itemDelta.getParentPath());
    }

    public List<Change> fetchChanges(ProvisioningContext provisioningContext, PrismProperty<?> prismProperty, OperationResult operationResult) throws SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, GenericFrameworkException, ObjectNotFoundException, ExpressionEvaluationException {
        Validate.notNull(operationResult, "Operation result must not be null.");
        LOGGER.trace("START fetch changes, objectClass: {}", provisioningContext.getObjectClassDefinition());
        AttributesToReturn attributesToReturn = null;
        if (!provisioningContext.isWildcard()) {
            attributesToReturn = ProvisioningUtil.createAttributesToReturn(provisioningContext);
        }
        ConnectorInstance connector = provisioningContext.getConnector(LiveSyncCapabilityType.class, operationResult);
        List<Change> fetchChanges = connector.fetchChanges(provisioningContext.getObjectClassDefinition(), prismProperty, attributesToReturn, provisioningContext, operationResult);
        Iterator<Change> it = fetchChanges.iterator();
        while (it.hasNext()) {
            Change next = it.next();
            LOGGER.trace("Original change:\n{}", next.debugDump());
            if (!next.isTokenOnly()) {
                ProvisioningContext provisioningContext2 = provisioningContext;
                AttributesToReturn attributesToReturn2 = attributesToReturn;
                PrismObject<ShadowType> currentShadow = next.getCurrentShadow();
                ObjectClassComplexTypeDefinition objectClassDefinition = next.getObjectClassDefinition();
                if (objectClassDefinition == null && (!provisioningContext.isWildcard() || next.getObjectDelta() == null || !next.getObjectDelta().isDelete())) {
                    throw new SchemaException("No object class definition in change " + next);
                }
                if (provisioningContext.isWildcard() && objectClassDefinition != null) {
                    provisioningContext2 = provisioningContext.spawn(objectClassDefinition.getTypeName());
                    if (provisioningContext2.isWildcard()) {
                        String str = "Unkown object class " + objectClassDefinition.getTypeName() + " found in synchronization delta";
                        operationResult.recordFatalError(str);
                        throw new SchemaException(str);
                    }
                    next.setObjectClassDefinition(provisioningContext2.getObjectClassDefinition());
                    attributesToReturn2 = ProvisioningUtil.createAttributesToReturn(provisioningContext2);
                }
                if (next.getObjectDelta() == null || !next.getObjectDelta().isDelete()) {
                    if (currentShadow == null) {
                        try {
                            LOGGER.trace("Re-fetching object {} because it is not in the change", next.getIdentifiers());
                            next.setCurrentShadow(fetchResourceObject(provisioningContext2, next.getIdentifiers(), attributesToReturn2, true, operationResult));
                        } catch (ObjectNotFoundException e) {
                            operationResult.recordHandledError("Object detected in change log no longer exist on the resource. Skipping processing this object.", e);
                            LOGGER.warn("Object detected in change log no longer exist on the resource. Skipping processing this object " + e.getMessage());
                            it.remove();
                        }
                    } else {
                        if (provisioningContext.isWildcard() && !MiscUtil.equals(attributesToReturn2, attributesToReturn)) {
                            ResourceObjectIdentification create = ResourceObjectIdentification.create(provisioningContext2.getObjectClassDefinition(), next.getIdentifiers());
                            create.validatePrimaryIdenfiers();
                            LOGGER.trace("Re-fetching object {} because of attrsToReturn", create);
                            currentShadow = connector.fetchObject(create, attributesToReturn2, provisioningContext, operationResult);
                        }
                        next.setCurrentShadow(postProcessResourceObjectRead(provisioningContext2, currentShadow, true, operationResult));
                    }
                }
                LOGGER.trace("Processed change\n:{}", next.debugDump());
            }
        }
        computeResultStatus(operationResult);
        LOGGER.trace("END fetch changes ({} changes)", fetchChanges == null ? "null" : Integer.valueOf(fetchChanges.size()));
        return fetchChanges;
    }

    private PrismObject<ShadowType> postProcessResourceObjectRead(ProvisioningContext provisioningContext, PrismObject<ShadowType> prismObject, boolean z, OperationResult operationResult) throws SchemaException, CommunicationException, ObjectNotFoundException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        if (prismObject == null) {
            return null;
        }
        ShadowType asObjectable = prismObject.asObjectable();
        ProvisioningUtil.setProtectedFlag(provisioningContext, prismObject, this.matchingRuleRegistry);
        if (asObjectable.isExists() != Boolean.FALSE) {
            asObjectable.setExists(true);
        }
        completeActivation(provisioningContext, prismObject, operationResult);
        if (z) {
            this.entitlementConverter.postProcessEntitlementsRead(provisioningContext, prismObject, operationResult);
        }
        return prismObject;
    }

    private void completeActivation(ProvisioningContext provisioningContext, PrismObject<ShadowType> prismObject, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, ExpressionEvaluationException {
        ResourceType resource = provisioningContext.getResource();
        ShadowType asObjectable = prismObject.asObjectable();
        CapabilitiesType connectorCapabilities = provisioningContext.getConnectorCapabilities(ReadCapabilityType.class);
        ActivationCapabilityType effectiveCapability = CapabilityUtil.getEffectiveCapability(connectorCapabilities, ActivationCapabilityType.class);
        if (asObjectable.getActivation() == null && !CapabilityUtil.isCapabilityEnabled(effectiveCapability)) {
            asObjectable.setActivation((ActivationType) null);
            return;
        }
        ActivationType activationType = null;
        if (CapabilityUtil.hasNativeCapability(connectorCapabilities, ActivationCapabilityType.class)) {
            activationType = asObjectable.getActivation();
        } else if (CapabilityUtil.isCapabilityEnabled(effectiveCapability)) {
            activationType = convertFromSimulatedActivationAttributes(resource, prismObject, effectiveCapability, operationResult);
        }
        LOGGER.trace("Determined activation, administrativeStatus: {}, lockoutStatus: {}", activationType == null ? "null activationType" : activationType.getAdministrativeStatus(), activationType == null ? "null activationType" : activationType.getLockoutStatus());
        asObjectable.setActivation(activationType);
    }

    private static ActivationType convertFromSimulatedActivationAttributes(ResourceType resourceType, PrismObject<ShadowType> prismObject, ActivationCapabilityType activationCapabilityType, OperationResult operationResult) {
        if (activationCapabilityType == null) {
            return null;
        }
        ActivationType activationType = new ActivationType();
        convertFromSimulatedActivationAdministrativeStatus(activationType, activationCapabilityType, resourceType, prismObject, operationResult);
        convertFromSimulatedActivationLockoutStatus(activationType, activationCapabilityType, resourceType, prismObject, operationResult);
        return activationType;
    }

    private static void convertFromSimulatedActivationAdministrativeStatus(ActivationType activationType, ActivationCapabilityType activationCapabilityType, ResourceType resourceType, PrismObject<ShadowType> prismObject, OperationResult operationResult) {
        ActivationStatusCapabilityType effectiveActivationStatus = CapabilityUtil.getEffectiveActivationStatus(activationCapabilityType);
        if (effectiveActivationStatus == null) {
            return;
        }
        ResourceAttributeContainer attributesContainer = ShadowUtil.getAttributesContainer(prismObject);
        ResourceAttribute resourceAttribute = null;
        if (effectiveActivationStatus.getAttribute() != null) {
            resourceAttribute = attributesContainer.findAttribute(effectiveActivationStatus.getAttribute());
        }
        Collection collection = null;
        if (resourceAttribute != null) {
            collection = resourceAttribute.getRealValues(Object.class);
        }
        convertFromSimulatedActivationAdministrativeStatusInternal(activationType, effectiveActivationStatus, resourceType, collection, operationResult);
        Trace trace = LOGGER;
        Object[] objArr = new Object[4];
        objArr[0] = SchemaDebugUtil.prettyPrint(effectiveActivationStatus.getAttribute());
        objArr[1] = ObjectTypeUtil.toShortString(resourceType);
        objArr[2] = collection;
        objArr[3] = activationType == null ? "null" : activationType.getAdministrativeStatus();
        trace.trace("Detected simulated activation administrativeStatus attribute {} on {} with value {}, resolved into {}", objArr);
        if ((effectiveActivationStatus.isIgnoreAttribute() == null || effectiveActivationStatus.isIgnoreAttribute().booleanValue()) && resourceAttribute != null) {
            attributesContainer.remove(resourceAttribute);
        }
    }

    private static void convertFromSimulatedActivationAdministrativeStatusInternal(ActivationType activationType, ActivationStatusCapabilityType activationStatusCapabilityType, ResourceType resourceType, Collection<Object> collection, OperationResult operationResult) {
        List disableValue = activationStatusCapabilityType.getDisableValue();
        List<String> enableValue = activationStatusCapabilityType.getEnableValue();
        if (MiscUtil.isNoValue(collection)) {
            if (MiscUtil.hasNoValue(disableValue)) {
                activationType.setAdministrativeStatus(ActivationStatusType.DISABLED);
                return;
            }
            if (MiscUtil.hasNoValue(enableValue)) {
                activationType.setAdministrativeStatus(ActivationStatusType.ENABLED);
                return;
            }
            LOGGER.warn("The {} does not provide definition for null value of simulated activation attribute", ObjectTypeUtil.toShortString(resourceType));
            if (operationResult != null) {
                operationResult.recordPartialError("The " + ObjectTypeUtil.toShortString(resourceType) + " has native activation capability but does not provide value for DISABLE attribute");
                return;
            }
            return;
        }
        if (collection.size() > 1) {
            LOGGER.warn("The {} provides {} values for simulated activation status attribute, expecting just one value", ObjectTypeUtil.toShortString(resourceType), Integer.valueOf(disableValue.size()));
            if (operationResult != null) {
                operationResult.recordPartialError("The " + ObjectTypeUtil.toShortString(resourceType) + " provides " + disableValue.size() + " values for simulated activation status attribute, expecting just one value");
            }
        }
        Object next = collection.iterator().next();
        Iterator it = disableValue.iterator();
        while (it.hasNext()) {
            if (((String) it.next()).equals(String.valueOf(next))) {
                activationType.setAdministrativeStatus(ActivationStatusType.DISABLED);
                return;
            }
        }
        for (String str : enableValue) {
            if ("".equals(str) || str.equals(String.valueOf(next))) {
                activationType.setAdministrativeStatus(ActivationStatusType.ENABLED);
                return;
            }
        }
    }

    private static void convertFromSimulatedActivationLockoutStatus(ActivationType activationType, ActivationCapabilityType activationCapabilityType, ResourceType resourceType, PrismObject<ShadowType> prismObject, OperationResult operationResult) {
        ActivationLockoutStatusCapabilityType effectiveActivationLockoutStatus = CapabilityUtil.getEffectiveActivationLockoutStatus(activationCapabilityType);
        if (effectiveActivationLockoutStatus == null) {
            return;
        }
        ResourceAttributeContainer attributesContainer = ShadowUtil.getAttributesContainer(prismObject);
        ResourceAttribute resourceAttribute = null;
        if (effectiveActivationLockoutStatus.getAttribute() != null) {
            resourceAttribute = attributesContainer.findAttribute(effectiveActivationLockoutStatus.getAttribute());
        }
        Collection collection = null;
        if (resourceAttribute != null) {
            collection = resourceAttribute.getRealValues(Object.class);
        }
        convertFromSimulatedActivationLockoutStatusInternal(activationType, effectiveActivationLockoutStatus, resourceType, collection, operationResult);
        Trace trace = LOGGER;
        Object[] objArr = new Object[4];
        objArr[0] = SchemaDebugUtil.prettyPrint(effectiveActivationLockoutStatus.getAttribute());
        objArr[1] = ObjectTypeUtil.toShortString(resourceType);
        objArr[2] = collection;
        objArr[3] = activationType == null ? "null" : activationType.getAdministrativeStatus();
        trace.trace("Detected simulated activation lockout attribute {} on {} with value {}, resolved into {}", objArr);
        if ((effectiveActivationLockoutStatus.isIgnoreAttribute() == null || effectiveActivationLockoutStatus.isIgnoreAttribute().booleanValue()) && resourceAttribute != null) {
            attributesContainer.remove(resourceAttribute);
        }
    }

    private static void convertFromSimulatedActivationLockoutStatusInternal(ActivationType activationType, ActivationLockoutStatusCapabilityType activationLockoutStatusCapabilityType, ResourceType resourceType, Collection<Object> collection, OperationResult operationResult) {
        List lockedValue = activationLockoutStatusCapabilityType.getLockedValue();
        List<String> normalValue = activationLockoutStatusCapabilityType.getNormalValue();
        if (MiscUtil.isNoValue(collection)) {
            if (MiscUtil.hasNoValue(lockedValue)) {
                activationType.setLockoutStatus(LockoutStatusType.LOCKED);
                return;
            }
            if (MiscUtil.hasNoValue(normalValue)) {
                activationType.setLockoutStatus(LockoutStatusType.NORMAL);
                return;
            }
            LOGGER.warn("The {} does not provide definition for null value of simulated activation lockout attribute", resourceType);
            if (operationResult != null) {
                operationResult.recordPartialError("The " + resourceType + " has native activation capability but noes not provide value for lockout attribute");
                return;
            }
            return;
        }
        if (collection.size() > 1) {
            LOGGER.warn("The {} provides {} values for lockout attribute, expecting just one value", Integer.valueOf(lockedValue.size()), resourceType);
            if (operationResult != null) {
                operationResult.recordPartialError("The " + resourceType + " provides " + lockedValue.size() + " values for lockout attribute, expecting just one value");
            }
        }
        Object next = collection.iterator().next();
        Iterator it = lockedValue.iterator();
        while (it.hasNext()) {
            if (((String) it.next()).equals(String.valueOf(next))) {
                activationType.setLockoutStatus(LockoutStatusType.LOCKED);
                return;
            }
        }
        for (String str : normalValue) {
            if ("".equals(str) || str.equals(String.valueOf(next))) {
                activationType.setLockoutStatus(LockoutStatusType.NORMAL);
                return;
            }
        }
    }

    private ActivationStatusCapabilityType getActivationAdministrativeStatusFromSimulatedActivation(ProvisioningContext provisioningContext, ActivationCapabilityType activationCapabilityType, ShadowType shadowType, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, ExpressionEvaluationException {
        if (activationCapabilityType == null) {
            operationResult.recordWarning("Resource " + provisioningContext.getResource() + " does not have native or simulated activation capability. Processing of activation for " + shadowType + " was skipped");
            shadowType.setFetchResult(operationResult.createOperationResultType());
            return null;
        }
        ActivationStatusCapabilityType effectiveActivationStatus = CapabilityUtil.getEffectiveActivationStatus(activationCapabilityType);
        if (effectiveActivationStatus != null) {
            return effectiveActivationStatus;
        }
        operationResult.recordWarning("Resource " + provisioningContext.getResource() + " does not have native or simulated activation status capability. Processing of activation for " + shadowType + " was skipped");
        shadowType.setFetchResult(operationResult.createOperationResultType());
        return null;
    }

    private <T> ResourceAttribute<T> getSimulatedActivationAdministrativeStatusAttribute(ProvisioningContext provisioningContext, ShadowType shadowType, ActivationStatusCapabilityType activationStatusCapabilityType, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, ExpressionEvaluationException {
        if (activationStatusCapabilityType == null) {
            return null;
        }
        ResourceType resource = provisioningContext.getResource();
        QName attribute = activationStatusCapabilityType.getAttribute();
        LOGGER.trace("Simulated attribute name: {}", attribute);
        if (attribute == null) {
            operationResult.recordWarning("Resource " + ObjectTypeUtil.toShortString(resource) + " does not have attribute specification for simulated activation status capability. Processing of activation for " + shadowType + " was skipped");
            shadowType.setFetchResult(operationResult.createOperationResultType());
            return null;
        }
        RefinedAttributeDefinition findAttributeDefinition = provisioningContext.getObjectClassDefinition().findAttributeDefinition(attribute);
        if (findAttributeDefinition != null) {
            return findAttributeDefinition.instantiate(attribute);
        }
        operationResult.recordWarning("Resource " + ObjectTypeUtil.toShortString(resource) + "  attribute for simulated activation/enableDisable capability" + attribute + " in not present in the schema for objeclass " + provisioningContext.getObjectClassDefinition() + ". Processing of activation for " + ObjectTypeUtil.toShortString(shadowType) + " was skipped");
        shadowType.setFetchResult(operationResult.createOperationResultType());
        return null;
    }

    private PropertyModificationOperation convertToSimulatedActivationAdministrativeStatusAttribute(ProvisioningContext provisioningContext, PropertyDelta propertyDelta, ShadowType shadowType, ActivationStatusType activationStatusType, ActivationCapabilityType activationCapabilityType, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, ExpressionEvaluationException {
        PropertyDelta<?> createActivationPropDelta;
        ResourceType resource = provisioningContext.getResource();
        ActivationStatusCapabilityType activationAdministrativeStatusFromSimulatedActivation = getActivationAdministrativeStatusFromSimulatedActivation(provisioningContext, activationCapabilityType, shadowType, operationResult);
        if (activationAdministrativeStatusFromSimulatedActivation == null) {
            throw new SchemaException("Attempt to modify activation on " + resource + " which does not have activation capability");
        }
        ResourceAttribute<?> simulatedActivationAdministrativeStatusAttribute = getSimulatedActivationAdministrativeStatusAttribute(provisioningContext, shadowType, activationAdministrativeStatusFromSimulatedActivation, operationResult);
        if (simulatedActivationAdministrativeStatusAttribute == null) {
            return null;
        }
        Class<?> attributeValueClass = getAttributeValueClass(provisioningContext, shadowType, simulatedActivationAdministrativeStatusAttribute, activationAdministrativeStatusFromSimulatedActivation);
        if (activationStatusType == null && propertyDelta.isDelete()) {
            LOGGER.trace("deleting activation property.");
            createActivationPropDelta = PropertyDelta.createModificationDeleteProperty(new ItemPath(new QName[]{ShadowType.F_ATTRIBUTES, simulatedActivationAdministrativeStatusAttribute.getElementName()}), simulatedActivationAdministrativeStatusAttribute.getDefinition(), new Object[]{simulatedActivationAdministrativeStatusAttribute.getRealValue()});
        } else {
            createActivationPropDelta = activationStatusType == ActivationStatusType.ENABLED ? createActivationPropDelta(simulatedActivationAdministrativeStatusAttribute.getElementName(), simulatedActivationAdministrativeStatusAttribute.getDefinition(), getEnableValue(activationAdministrativeStatusFromSimulatedActivation, attributeValueClass)) : createActivationPropDelta(simulatedActivationAdministrativeStatusAttribute.getElementName(), simulatedActivationAdministrativeStatusAttribute.getDefinition(), getDisableValue(activationAdministrativeStatusFromSimulatedActivation, attributeValueClass));
        }
        return new PropertyModificationOperation(createActivationPropDelta);
    }

    private PropertyModificationOperation convertToSimulatedActivationLockoutStatusAttribute(ProvisioningContext provisioningContext, PropertyDelta propertyDelta, ShadowType shadowType, LockoutStatusType lockoutStatusType, ActivationCapabilityType activationCapabilityType, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, ExpressionEvaluationException {
        PropertyDelta<?> createActivationPropDelta;
        ActivationLockoutStatusCapabilityType activationLockoutStatusFromSimulatedActivation = getActivationLockoutStatusFromSimulatedActivation(provisioningContext, activationCapabilityType, shadowType, operationResult);
        if (activationLockoutStatusFromSimulatedActivation == null) {
            throw new SchemaException("Attempt to modify lockout on " + provisioningContext.getResource() + " which does not have activation lockout capability");
        }
        ResourceAttribute<?> simulatedActivationLockoutStatusAttribute = getSimulatedActivationLockoutStatusAttribute(provisioningContext, shadowType, activationLockoutStatusFromSimulatedActivation, operationResult);
        if (simulatedActivationLockoutStatusAttribute == null) {
            return null;
        }
        if (lockoutStatusType == null && propertyDelta.isDelete()) {
            LOGGER.trace("deleting activation property.");
            createActivationPropDelta = PropertyDelta.createModificationDeleteProperty(new ItemPath(new QName[]{ShadowType.F_ATTRIBUTES, simulatedActivationLockoutStatusAttribute.getElementName()}), simulatedActivationLockoutStatusAttribute.getDefinition(), new Object[]{simulatedActivationLockoutStatusAttribute.getRealValue()});
        } else {
            createActivationPropDelta = lockoutStatusType == LockoutStatusType.NORMAL ? createActivationPropDelta(simulatedActivationLockoutStatusAttribute.getElementName(), simulatedActivationLockoutStatusAttribute.getDefinition(), getLockoutNormalValue(activationLockoutStatusFromSimulatedActivation)) : createActivationPropDelta(simulatedActivationLockoutStatusAttribute.getElementName(), simulatedActivationLockoutStatusAttribute.getDefinition(), getLockoutLockedValue(activationLockoutStatusFromSimulatedActivation));
        }
        return new PropertyModificationOperation(createActivationPropDelta);
    }

    private PropertyDelta<?> createActivationPropDelta(QName qName, ResourceAttributeDefinition resourceAttributeDefinition, Object obj) {
        return isBlank(obj) ? PropertyDelta.createModificationReplaceProperty(new ItemPath(new QName[]{ShadowType.F_ATTRIBUTES, qName}), resourceAttributeDefinition, new Object[0]) : PropertyDelta.createModificationReplaceProperty(new ItemPath(new QName[]{ShadowType.F_ATTRIBUTES, qName}), resourceAttributeDefinition, new Object[]{obj});
    }

    private ActivationLockoutStatusCapabilityType getActivationLockoutStatusFromSimulatedActivation(ProvisioningContext provisioningContext, ActivationCapabilityType activationCapabilityType, ShadowType shadowType, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, ExpressionEvaluationException {
        if (activationCapabilityType == null) {
            operationResult.recordWarning("Resource " + provisioningContext.getResource() + " does not have native or simulated activation capability. Processing of activation for " + shadowType + " was skipped");
            shadowType.setFetchResult(operationResult.createOperationResultType());
            return null;
        }
        ActivationLockoutStatusCapabilityType effectiveActivationLockoutStatus = CapabilityUtil.getEffectiveActivationLockoutStatus(activationCapabilityType);
        if (effectiveActivationLockoutStatus != null) {
            return effectiveActivationLockoutStatus;
        }
        operationResult.recordWarning("Resource " + provisioningContext.getResource() + " does not have native or simulated activation lockout capability. Processing of activation for " + shadowType + " was skipped");
        shadowType.setFetchResult(operationResult.createOperationResultType());
        return null;
    }

    private ResourceAttribute<?> getSimulatedActivationLockoutStatusAttribute(ProvisioningContext provisioningContext, ShadowType shadowType, ActivationLockoutStatusCapabilityType activationLockoutStatusCapabilityType, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, ExpressionEvaluationException {
        QName attribute = activationLockoutStatusCapabilityType.getAttribute();
        LOGGER.trace("Simulated lockout attribute name: {}", attribute);
        if (attribute == null) {
            operationResult.recordWarning("Resource " + ObjectTypeUtil.toShortString(provisioningContext.getResource()) + " does not have attribute specification for simulated activation lockout capability. Processing of activation for " + shadowType + " was skipped");
            shadowType.setFetchResult(operationResult.createOperationResultType());
            return null;
        }
        RefinedAttributeDefinition findAttributeDefinition = provisioningContext.getObjectClassDefinition().findAttributeDefinition(attribute);
        if (findAttributeDefinition != null) {
            return findAttributeDefinition.instantiate(attribute);
        }
        operationResult.recordWarning("Resource " + ObjectTypeUtil.toShortString(provisioningContext.getResource()) + "  attribute for simulated activation/lockout capability" + attribute + " in not present in the schema for objeclass " + provisioningContext.getObjectClassDefinition() + ". Processing of activation for " + ObjectTypeUtil.toShortString(shadowType) + " was skipped");
        shadowType.setFetchResult(operationResult.createOperationResultType());
        return null;
    }

    private <T> T getDisableValue(ActivationStatusCapabilityType activationStatusCapabilityType, Class<T> cls) {
        return (T) JavaTypeConverter.convert(cls, activationStatusCapabilityType.getDisableValue().iterator().next());
    }

    private <T> T getEnableValue(ActivationStatusCapabilityType activationStatusCapabilityType, Class<T> cls) {
        return (T) JavaTypeConverter.convert(cls, (String) activationStatusCapabilityType.getEnableValue().iterator().next());
    }

    private String getLockoutNormalValue(ActivationLockoutStatusCapabilityType activationLockoutStatusCapabilityType) {
        return (String) activationLockoutStatusCapabilityType.getNormalValue().iterator().next();
    }

    private String getLockoutLockedValue(ActivationLockoutStatusCapabilityType activationLockoutStatusCapabilityType) {
        return (String) activationLockoutStatusCapabilityType.getLockedValue().iterator().next();
    }

    private RefinedObjectClassDefinition determineObjectClassDefinition(PrismObject<ShadowType> prismObject, ResourceType resourceType) throws SchemaException, ConfigurationException {
        RefinedObjectClassDefinition findRefinedDefinitionByObjectClassQName;
        ShadowType asObjectable = prismObject.asObjectable();
        RefinedResourceSchema refinedSchema = RefinedResourceSchemaImpl.getRefinedSchema(resourceType, this.prismContext);
        if (refinedSchema == null) {
            throw new ConfigurationException("No schema definied for " + resourceType);
        }
        ShadowKindType kind = asObjectable.getKind();
        String intent = asObjectable.getIntent();
        QName objectClass = prismObject.asObjectable().getObjectClass();
        if (kind != null) {
            findRefinedDefinitionByObjectClassQName = refinedSchema.getRefinedDefinition(kind, intent);
        } else {
            if (objectClass == null) {
                throw new SchemaException("No kind nor objectclass definied in " + prismObject);
            }
            findRefinedDefinitionByObjectClassQName = refinedSchema.findRefinedDefinitionByObjectClassQName((ShadowKindType) null, objectClass);
        }
        if (findRefinedDefinitionByObjectClassQName == null) {
            throw new SchemaException("Definition for " + prismObject + " not found (objectClass=" + PrettyPrinter.prettyPrint(objectClass) + ", kind=" + kind + ", intent='" + intent + "') in schema of " + resourceType);
        }
        return findRefinedDefinitionByObjectClassQName;
    }

    private ObjectClassComplexTypeDefinition determineObjectClassDefinition(ResourceShadowDiscriminator resourceShadowDiscriminator, ResourceType resourceType) throws SchemaException {
        ObjectClassComplexTypeDefinition findObjectClassDefinition = RefinedResourceSchemaImpl.getResourceSchema(resourceType, this.prismContext).findObjectClassDefinition(ShadowKindType.ACCOUNT, resourceShadowDiscriminator.getIntent());
        if (findObjectClassDefinition == null) {
            throw new SchemaException("Account type " + resourceShadowDiscriminator.getIntent() + " is not known in schema of " + resourceType);
        }
        return findObjectClassDefinition;
    }

    private void addExecuteScriptOperation(Collection<Operation> collection, ProvisioningOperationTypeType provisioningOperationTypeType, OperationProvisioningScriptsType operationProvisioningScriptsType, ResourceType resourceType, OperationResult operationResult) throws SchemaException {
        if (operationProvisioningScriptsType == null) {
            LOGGER.trace("Skipping creating script operation to execute. Scripts was not defined.");
            return;
        }
        for (OperationProvisioningScriptType operationProvisioningScriptType : operationProvisioningScriptsType.getScript()) {
            for (ProvisioningOperationTypeType provisioningOperationTypeType2 : operationProvisioningScriptType.getOperation()) {
                if (provisioningOperationTypeType.equals(provisioningOperationTypeType2)) {
                    ExecuteProvisioningScriptOperation convertToScriptOperation = ProvisioningUtil.convertToScriptOperation(operationProvisioningScriptType, "script value for " + provisioningOperationTypeType2 + " in " + resourceType, this.prismContext);
                    convertToScriptOperation.setScriptOrder(operationProvisioningScriptType.getOrder());
                    LOGGER.trace("Created script operation: {}", SchemaDebugUtil.prettyPrint(convertToScriptOperation));
                    collection.add(convertToScriptOperation);
                }
            }
        }
    }

    public OperationResultStatus refreshOperationStatus(ProvisioningContext provisioningContext, PrismObject<ShadowType> prismObject, String str, OperationResult operationResult) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, ExpressionEvaluationException {
        OperationResult createSubresult = operationResult.createSubresult(OPERATION_REFRESH_OPERATION_STATUS);
        try {
            ResourceType resource = provisioningContext.getResource();
            AsynchronousOperationQueryable connector = provisioningContext.getConnector(UpdateCapabilityType.class, createSubresult);
            OperationResultStatus operationResultStatus = null;
            if (connector instanceof AsynchronousOperationQueryable) {
                if (LOGGER.isDebugEnabled()) {
                    LOGGER.debug("PROVISIONING REFRESH operation on {}, object: {}", resource, prismObject);
                }
                try {
                    operationResultStatus = connector.queryOperationStatus(str, createSubresult);
                    createSubresult.recordSuccess();
                    if (LOGGER.isDebugEnabled()) {
                        LOGGER.debug("PROVISIONING REFRESH successful, returned status: {}", operationResultStatus);
                    }
                } catch (ObjectNotFoundException | SchemaException e) {
                    createSubresult.recordFatalError(e);
                    throw e;
                }
            } else {
                LOGGER.trace("Ignoring refresh of shadow {}, because the connector is not async");
                createSubresult.recordNotApplicableIfUnknown();
            }
            return operationResultStatus;
        } catch (ObjectNotFoundException | SchemaException | CommunicationException | ConfigurationException | ExpressionEvaluationException | Error | RuntimeException e2) {
            createSubresult.recordFatalError(e2);
            throw e2;
        }
    }

    private void computeResultStatus(OperationResult operationResult) {
        if (operationResult.isInProgress()) {
            return;
        }
        OperationResultStatus operationResultStatus = OperationResultStatus.SUCCESS;
        String str = null;
        for (OperationResult operationResult2 : operationResult.getSubresults()) {
            if (OPERATION_MODIFY_ENTITLEMENT.equals(operationResult2.getOperation()) && operationResult2.isError()) {
                operationResultStatus = OperationResultStatus.PARTIAL_ERROR;
            } else if (operationResult2.isError()) {
                operationResultStatus = OperationResultStatus.FATAL_ERROR;
            } else if (operationResult2.isInProgress()) {
                operationResultStatus = OperationResultStatus.IN_PROGRESS;
                str = operationResult2.getAsynchronousOperationReference();
            }
        }
        operationResult.setStatus(operationResultStatus);
        operationResult.setAsynchronousOperationReference(str);
    }
}
