package com.evolveum.midpoint.provisioning.impl.resourceobjects;

import com.evolveum.midpoint.prism.Item;
import com.evolveum.midpoint.prism.ModificationType;
import com.evolveum.midpoint.prism.PrismContainer;
import com.evolveum.midpoint.prism.PrismContainerValue;
import com.evolveum.midpoint.prism.PrismContext;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.PrismProperty;
import com.evolveum.midpoint.prism.PrismPropertyValue;
import com.evolveum.midpoint.prism.delta.ContainerDelta;
import com.evolveum.midpoint.prism.delta.PropertyDelta;
import com.evolveum.midpoint.prism.match.MatchingRuleRegistry;
import com.evolveum.midpoint.prism.path.ItemName;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.prism.query.ObjectQuery;
import com.evolveum.midpoint.prism.util.PrismUtil;
import com.evolveum.midpoint.provisioning.api.GenericConnectorException;
import com.evolveum.midpoint.provisioning.impl.ProvisioningContext;
import com.evolveum.midpoint.provisioning.impl.ResourceObjectDiscriminator;
import com.evolveum.midpoint.provisioning.impl.ResourceObjectOperations;
import com.evolveum.midpoint.provisioning.ucf.api.ConnectorInstance;
import com.evolveum.midpoint.provisioning.ucf.api.GenericFrameworkException;
import com.evolveum.midpoint.provisioning.ucf.api.Operation;
import com.evolveum.midpoint.provisioning.ucf.api.PropertyModificationOperation;
import com.evolveum.midpoint.provisioning.ucf.api.UcfFetchErrorReportingMethod;
import com.evolveum.midpoint.provisioning.ucf.api.UcfObjectHandler;
import com.evolveum.midpoint.provisioning.util.ProvisioningUtil;
import com.evolveum.midpoint.schema.processor.ObjectFactory;
import com.evolveum.midpoint.schema.processor.ResourceAssociationDefinition;
import com.evolveum.midpoint.schema.processor.ResourceAttribute;
import com.evolveum.midpoint.schema.processor.ResourceAttributeContainer;
import com.evolveum.midpoint.schema.processor.ResourceAttributeDefinition;
import com.evolveum.midpoint.schema.processor.ResourceObjectDefinition;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.util.ResourceTypeUtil;
import com.evolveum.midpoint.schema.util.ShadowUtil;
import com.evolveum.midpoint.util.MiscUtil;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.exception.TunnelException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceObjectAssociationDirectionType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowAssociationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowKindType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
import com.evolveum.midpoint.xml.ns._public.resource.capabilities_3.PagedSearchCapabilityType;
import com.evolveum.midpoint.xml.ns._public.resource.capabilities_3.ReadCapabilityType;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import javax.xml.namespace.QName;
import org.apache.commons.collections4.CollectionUtils;
import org.jetbrains.annotations.NotNull;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

/* JADX INFO: Access modifiers changed from: package-private */
@Component
/* loaded from: input_file:com/evolveum/midpoint/provisioning/impl/resourceobjects/EntitlementConverter.class */
public class EntitlementConverter {
    private static final Trace LOGGER = TraceManager.getTrace(EntitlementConverter.class);

    @Autowired
    private ResourceObjectReferenceResolver resourceObjectReferenceResolver;

    @Autowired
    private DelineationProcessor delineationProcessor;

    @Autowired
    private PrismContext prismContext;

    @Autowired
    private MatchingRuleRegistry matchingRuleRegistry;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/evolveum/midpoint/provisioning/impl/resourceobjects/EntitlementConverter$OperationMap.class */
    public static class OperationMap {
        private final Map<QName, PropertyModificationOperation<?>> operationMap = new HashMap();

        private OperationMap() {
        }

        public Collection<? extends PropertyModificationOperation<?>> getOperations() {
            return this.operationMap.values();
        }

        public PropertyModificationOperation<?> get(QName qName) {
            return this.operationMap.get(qName);
        }

        public void put(QName qName, PropertyModificationOperation<?> propertyModificationOperation) {
            this.operationMap.put(qName, propertyModificationOperation);
        }
    }

    EntitlementConverter() {
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void postProcessEntitlementsRead(PrismObject<ShadowType> prismObject, ProvisioningContext provisioningContext, OperationResult operationResult) throws SchemaException, CommunicationException, ObjectNotFoundException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        LOGGER.trace("Starting postProcessEntitlementRead");
        PrismContainer<ShadowAssociationType> prismContainer = (PrismContainer) prismObject.getDefinition().findContainerDefinition(ShadowType.F_ASSOCIATION).instantiate();
        for (ResourceAssociationDefinition resourceAssociationDefinition : provisioningContext.getAssociationDefinitions()) {
            ShadowKindType kind = resourceAssociationDefinition.getKind();
            for (String str : resourceAssociationDefinition.getIntents()) {
                LOGGER.trace("Resolving association {} for kind {} and intent {}", new Object[]{resourceAssociationDefinition.getName(), kind, str});
                ProvisioningContext spawnForKindIntent = provisioningContext.spawnForKindIntent(kind, str);
                ResourceObjectAssociationDirectionType direction = resourceAssociationDefinition.getDirection();
                if (direction == ResourceObjectAssociationDirectionType.SUBJECT_TO_OBJECT) {
                    postProcessReadSubjectToEntitlement(prismContainer, prismObject, resourceAssociationDefinition.getDefinitionBean().getAssociationAttribute(), resourceAssociationDefinition.getDefinitionBean().getValueAttribute(), resourceAssociationDefinition, provisioningContext, spawnForKindIntent);
                } else {
                    if (direction != ResourceObjectAssociationDirectionType.OBJECT_TO_SUBJECT) {
                        throw new IllegalArgumentException("Unknown entitlement direction " + direction + " in association " + resourceAssociationDefinition + " in " + provisioningContext);
                    }
                    if (resourceAssociationDefinition.getDefinitionBean().getShortcutAssociationAttribute() != null) {
                        postProcessReadSubjectToEntitlement(prismContainer, prismObject, resourceAssociationDefinition.getDefinitionBean().getShortcutAssociationAttribute(), resourceAssociationDefinition.getDefinitionBean().getShortcutValueAttribute(), resourceAssociationDefinition, provisioningContext, spawnForKindIntent);
                    } else {
                        postProcessReadEntitlementToSubject(prismContainer, prismObject, resourceAssociationDefinition, provisioningContext, spawnForKindIntent, operationResult);
                    }
                }
            }
        }
        if (!prismContainer.isEmpty()) {
            prismObject.add(prismContainer);
        }
        LOGGER.trace("Finished postProcessEntitlementRead with association container having {} item(s)", Integer.valueOf(prismContainer.size()));
    }

    private <S extends ShadowType, T> void postProcessReadSubjectToEntitlement(PrismContainer<ShadowAssociationType> prismContainer, PrismObject<S> prismObject, QName qName, QName qName2, ResourceAssociationDefinition resourceAssociationDefinition, ProvisioningContext provisioningContext, ProvisioningContext provisioningContext2) throws SchemaException {
        ItemName name = resourceAssociationDefinition.getName();
        ResourceObjectDefinition objectDefinitionRequired = provisioningContext.getObjectDefinitionRequired();
        ResourceObjectDefinition objectDefinitionRequired2 = provisioningContext2.getObjectDefinitionRequired();
        ResourceAttributeContainer attributesContainer = ShadowUtil.getAttributesContainer(prismObject);
        MiscUtil.schemaCheck(qName != null, "No association attribute defined in entitlement association '%s' in %s", new Object[]{name, provisioningContext});
        MiscUtil.schemaCheck(qName2 != null, "No value attribute defined in entitlement association '%s' in %s", new Object[]{name, provisioningContext});
        objectDefinitionRequired.findAttributeDefinitionRequired(qName, () -> {
            return " in entitlement association '" + name + "' in " + provisioningContext + " [association attribute]";
        });
        ResourceAttributeDefinition<T> findAttributeDefinitionRequired = objectDefinitionRequired2.findAttributeDefinitionRequired(qName2, () -> {
            return " in entitlement association '" + name + "' in " + provisioningContext + " [value attribute]";
        });
        ResourceAttribute findAttribute = attributesContainer.findAttribute(qName);
        if (findAttribute == null || findAttribute.isEmpty()) {
            LOGGER.trace("Association attribute {} is empty, skipping association {}", qName, name);
            return;
        }
        Iterator it = findAttribute.getValues().iterator();
        while (it.hasNext()) {
            LOGGER.trace("Association attribute value resolved to association container value {}", createAssociationValueFromIdentifier(prismContainer, (PrismPropertyValue) it.next(), findAttributeDefinitionRequired, name, objectDefinitionRequired2));
        }
    }

    private <S extends ShadowType, T> void postProcessReadEntitlementToSubject(PrismContainer<ShadowAssociationType> prismContainer, PrismObject<S> prismObject, ResourceAssociationDefinition resourceAssociationDefinition, ProvisioningContext provisioningContext, ProvisioningContext provisioningContext2, OperationResult operationResult) throws SchemaException, CommunicationException, ObjectNotFoundException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        ItemName name = resourceAssociationDefinition.getName();
        ResourceObjectDefinition objectDefinitionRequired = provisioningContext.getObjectDefinitionRequired();
        ResourceObjectDefinition objectDefinitionRequired2 = provisioningContext2.getObjectDefinitionRequired();
        ResourceAttributeContainer attributesContainer = ShadowUtil.getAttributesContainer(prismObject);
        QName auxiliaryObjectClass = resourceAssociationDefinition.getAuxiliaryObjectClass();
        if (auxiliaryObjectClass != null && !objectDefinitionRequired.hasAuxiliaryObjectClass(auxiliaryObjectClass)) {
            LOGGER.trace("Ignoring association {} because subject does not have auxiliary object class {}, it has {}", new Object[]{name, auxiliaryObjectClass, objectDefinitionRequired.getAuxiliaryDefinitions()});
            return;
        }
        QName associationAttribute = resourceAssociationDefinition.getDefinitionBean().getAssociationAttribute();
        QName valueAttribute = resourceAssociationDefinition.getDefinitionBean().getValueAttribute();
        MiscUtil.schemaCheck(associationAttribute != null, "No association attribute defined in entitlement association '%s' in %s", new Object[]{name, provisioningContext});
        MiscUtil.schemaCheck(valueAttribute != null, "No value attribute defined in entitlement association '%s' in %s", new Object[]{name, provisioningContext});
        ResourceAttributeDefinition findAttributeDefinitionRequired = objectDefinitionRequired2.findAttributeDefinitionRequired(associationAttribute, () -> {
            return " in entitlement association '" + name + "' in " + provisioningContext2 + " [association attribute]";
        });
        ResourceAttribute findAttribute = attributesContainer.findAttribute(valueAttribute);
        if (findAttribute == null || findAttribute.isEmpty()) {
            LOGGER.trace("Ignoring association {} because subject does not have any value in attribute {}", name, valueAttribute);
        } else {
            if (findAttribute.size() > 1) {
                throw new SchemaException("Referenced value attribute " + valueAttribute + " has more than one value; it is the attribute defined in entitlement association '" + name + "' in " + provisioningContext);
            }
            executeSearchForEntitlements(prismContainer, prismObject, createEntitlementQuery(findAttribute.getAnyValue(), findAttribute.getDefinition(), findAttributeDefinitionRequired, resourceAssociationDefinition), name, provisioningContext, provisioningContext2, operationResult);
        }
    }

    private <S extends ShadowType> void executeSearchForEntitlements(PrismContainer<ShadowAssociationType> prismContainer, PrismObject<S> prismObject, ObjectQuery objectQuery, QName qName, ProvisioningContext provisioningContext, ProvisioningContext provisioningContext2, OperationResult operationResult) throws SchemaException, ConfigurationException, ObjectNotFoundException, CommunicationException, ExpressionEvaluationException, SecurityViolationException {
        ResourceObjectDefinition objectDefinitionRequired = provisioningContext2.getObjectDefinitionRequired();
        QueryWithConstraints determineQueryWithConstraints = this.delineationProcessor.determineQueryWithConstraints(provisioningContext2, objectQuery, operationResult);
        UcfObjectHandler ucfObjectHandler = (ucfObjectFound, operationResult2) -> {
            PrismObject<ShadowType> resourceObject = ucfObjectFound.getResourceObject();
            try {
                createAssociationValueFromTarget(prismContainer, resourceObject, qName, objectDefinitionRequired);
                LOGGER.trace("Processed entitlement-to-subject association for account {} and entitlement {}", ShadowUtil.getHumanReadableNameLazily(prismObject), ShadowUtil.getHumanReadableNameLazily(resourceObject));
                return true;
            } catch (SchemaException e) {
                throw new TunnelException(e);
            }
        };
        ConnectorInstance connector = provisioningContext.getConnector(ReadCapabilityType.class, operationResult);
        try {
            LOGGER.trace("Processing entitlement-to-subject association for account {}: query {}", ShadowUtil.getHumanReadableNameLazily(prismObject), determineQueryWithConstraints.query);
            try {
                connector.search(objectDefinitionRequired, determineQueryWithConstraints.query, ucfObjectHandler, provisioningContext2.createAttributesToReturn(), (PagedSearchCapabilityType) null, determineQueryWithConstraints.constraints, UcfFetchErrorReportingMethod.EXCEPTION, provisioningContext.getUcfExecutionContext(), operationResult);
            } catch (GenericFrameworkException e) {
                throw new GenericConnectorException("Generic error in the connector " + connector + ". Reason: " + e.getMessage(), e);
            }
        } catch (TunnelException e2) {
            throw e2.getCause();
        }
    }

    private <T> PrismContainerValue<ShadowAssociationType> createAssociationValueFromIdentifier(PrismContainer<ShadowAssociationType> prismContainer, PrismPropertyValue<T> prismPropertyValue, ResourceAttributeDefinition<T> resourceAttributeDefinition, QName qName, ResourceObjectDefinition resourceObjectDefinition) throws SchemaException {
        PrismContainerValue<ShadowAssociationType> createNewValue = prismContainer.createNewValue();
        createNewValue.asContainerable().setName(qName);
        createNewValue.add(createIdentifiersContainerForIdentifierValue(prismPropertyValue, resourceAttributeDefinition, resourceObjectDefinition));
        return createNewValue;
    }

    private void createAssociationValueFromTarget(PrismContainer<ShadowAssociationType> prismContainer, PrismObject<ShadowType> prismObject, QName qName, ResourceObjectDefinition resourceObjectDefinition) throws SchemaException {
        PrismContainerValue createNewValue = prismContainer.createNewValue();
        createNewValue.asContainerable().setName(qName);
        createNewValue.add(createIdentifiersContainerForTargetObject(prismObject, resourceObjectDefinition));
    }

    @NotNull
    private <T> ResourceAttributeContainer createIdentifiersContainerForIdentifierValue(PrismPropertyValue<T> prismPropertyValue, ResourceAttributeDefinition<T> resourceAttributeDefinition, ResourceObjectDefinition resourceObjectDefinition) throws SchemaException {
        ResourceAttributeContainer createResourceAttributeContainer = ObjectFactory.createResourceAttributeContainer(ShadowAssociationType.F_IDENTIFIERS, resourceObjectDefinition.toResourceAttributeContainerDefinition());
        ResourceAttribute instantiate = resourceAttributeDefinition.instantiate();
        instantiate.add(prismPropertyValue.clone());
        createResourceAttributeContainer.add(instantiate);
        return createResourceAttributeContainer;
    }

    @NotNull
    private ResourceAttributeContainer createIdentifiersContainerForTargetObject(PrismObject<ShadowType> prismObject, ResourceObjectDefinition resourceObjectDefinition) throws SchemaException {
        ResourceAttributeContainer createResourceAttributeContainer = ObjectFactory.createResourceAttributeContainer(ShadowAssociationType.F_IDENTIFIERS, resourceObjectDefinition.toResourceAttributeContainerDefinition());
        createResourceAttributeContainer.getValue().addAll(Item.cloneCollection(MiscUtil.emptyIfNull(ShadowUtil.getAllIdentifiers(prismObject))));
        createResourceAttributeContainer.setUserData(ResourceObjectConverter.FULL_SHADOW_KEY, prismObject);
        return createResourceAttributeContainer;
    }

    private <TV, TA> ObjectQuery createEntitlementQuery(PrismPropertyValue<TV> prismPropertyValue, ResourceAttributeDefinition<TV> resourceAttributeDefinition, ResourceAttributeDefinition<TA> resourceAttributeDefinition2, ResourceAssociationDefinition resourceAssociationDefinition) throws SchemaException {
        Object realNormalizedConvertedValue = getRealNormalizedConvertedValue(prismPropertyValue, resourceAttributeDefinition, resourceAttributeDefinition2, resourceAssociationDefinition);
        LOGGER.trace("Going to look for entitlements using value: {} ({}) def={}", new Object[]{realNormalizedConvertedValue, realNormalizedConvertedValue.getClass(), resourceAttributeDefinition2});
        ObjectQuery build = this.prismContext.queryFor(ShadowType.class).item(ItemPath.create(new Object[]{ShadowType.F_ATTRIBUTES, resourceAttributeDefinition2.getItemName()}), resourceAttributeDefinition2).eq(new Object[]{realNormalizedConvertedValue}).build();
        build.setAllowPartialResults(true);
        return build;
    }

    private <TV, TA> TA getRealNormalizedConvertedValue(PrismPropertyValue<TV> prismPropertyValue, ResourceAttributeDefinition<TV> resourceAttributeDefinition, ResourceAttributeDefinition<TA> resourceAttributeDefinition2, ResourceAssociationDefinition resourceAssociationDefinition) throws SchemaException {
        return (TA) this.matchingRuleRegistry.getMatchingRule(resourceAssociationDefinition.getMatchingRule(), resourceAttributeDefinition2.getTypeName()).normalize(PrismUtil.convertPropertyValue(prismPropertyValue, resourceAttributeDefinition, resourceAttributeDefinition2).getValue());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void processEntitlementsAdd(PrismObject<ShadowType> prismObject, ProvisioningContext provisioningContext) throws SchemaException {
        PrismContainer findContainer = prismObject.findContainer(ShadowType.F_ASSOCIATION);
        if (findContainer == null || findContainer.isEmpty()) {
            return;
        }
        OperationMap operationMap = new OperationMap();
        collectEntitlementToAttrsDelta(operationMap, findContainer.getValues(), ModificationType.ADD, provisioningContext);
        Iterator<? extends PropertyModificationOperation<?>> it = operationMap.getOperations().iterator();
        while (it.hasNext()) {
            it.next().getPropertyDelta().applyTo(prismObject);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public PrismObject<ShadowType> collectEntitlementsAsObjectOperationInShadowAdd(Map<ResourceObjectDiscriminator, ResourceObjectOperations> map, PrismObject<ShadowType> prismObject, ProvisioningContext provisioningContext, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, CommunicationException, SecurityViolationException, ConfigurationException, ExpressionEvaluationException {
        PrismContainer findContainer = prismObject.findContainer(ShadowType.F_ASSOCIATION);
        return (findContainer == null || findContainer.isEmpty()) ? prismObject : collectEntitlementsAsObjectOperation(map, findContainer.getValues(), null, prismObject, ModificationType.ADD, provisioningContext, operationResult);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void collectEntitlementChange(Collection<Operation> collection, ContainerDelta<ShadowAssociationType> containerDelta, ProvisioningContext provisioningContext) throws SchemaException {
        OperationMap operationMap = new OperationMap();
        if (CollectionUtils.isNotEmpty(containerDelta.getValuesToReplace())) {
            LOGGER.error("Replace delta not supported for association, modifications {},\n provisioning context: {}", containerDelta, provisioningContext);
            throw new SchemaException("Cannot perform replace delta for association, replace values: " + containerDelta.getValuesToReplace());
        }
        collectEntitlementToAttrsDelta(operationMap, containerDelta.getValuesToAdd(), ModificationType.ADD, provisioningContext);
        collectEntitlementToAttrsDelta(operationMap, containerDelta.getValuesToDelete(), ModificationType.DELETE, provisioningContext);
        collectEntitlementToAttrsDelta(operationMap, containerDelta.getValuesToReplace(), ModificationType.REPLACE, provisioningContext);
        collection.addAll(operationMap.getOperations());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public PrismObject<ShadowType> collectEntitlementsAsObjectOperation(Map<ResourceObjectDiscriminator, ResourceObjectOperations> map, ContainerDelta<ShadowAssociationType> containerDelta, PrismObject<ShadowType> prismObject, PrismObject<ShadowType> prismObject2, ProvisioningContext provisioningContext, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, CommunicationException, SecurityViolationException, ConfigurationException, ExpressionEvaluationException {
        return collectEntitlementsAsObjectOperation(map, containerDelta.getValuesToReplace(), prismObject, collectEntitlementsAsObjectOperation(map, containerDelta.getValuesToDelete(), prismObject, collectEntitlementsAsObjectOperation(map, containerDelta.getValuesToAdd(), prismObject, prismObject2, ModificationType.ADD, provisioningContext, operationResult), ModificationType.DELETE, provisioningContext, operationResult), ModificationType.REPLACE, provisioningContext, operationResult);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public <T> void collectEntitlementsAsObjectOperationDelete(Map<ResourceObjectDiscriminator, ResourceObjectOperations> map, PrismObject<ShadowType> prismObject, ProvisioningContext provisioningContext, OperationResult operationResult) throws SchemaException, CommunicationException, ObjectNotFoundException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        ResourceObjectDefinition objectDefinitionRequired = provisioningContext.getObjectDefinitionRequired();
        Collection<ResourceAssociationDefinition> associationDefinitions = objectDefinitionRequired.getAssociationDefinitions();
        if (associationDefinitions.isEmpty()) {
            LOGGER.trace("No associations in deleted shadow, nothing to do");
            return;
        }
        ResourceAttributeContainer attributesContainer = ShadowUtil.getAttributesContainer(prismObject);
        for (ResourceAssociationDefinition resourceAssociationDefinition : associationDefinitions) {
            if (resourceAssociationDefinition.getDirection() != ResourceObjectAssociationDirectionType.OBJECT_TO_SUBJECT) {
                LOGGER.trace("Ignoring subject-to-object association in deleted shadow");
            } else if (!resourceAssociationDefinition.requiresExplicitReferentialIntegrity()) {
                LOGGER.trace("Ignoring association in deleted shadow because it does not require explicit referential integrity assurance");
            } else if (resourceAssociationDefinition.getAuxiliaryObjectClass() == null || objectDefinitionRequired.hasAuxiliaryObjectClass(resourceAssociationDefinition.getAuxiliaryObjectClass())) {
                ItemName name = resourceAssociationDefinition.getName();
                ShadowKindType kind = resourceAssociationDefinition.getKind();
                Iterator it = resourceAssociationDefinition.getIntents().iterator();
                while (it.hasNext()) {
                    ProvisioningContext spawnForKindIntent = provisioningContext.spawnForKindIntent(kind, (String) it.next());
                    ResourceObjectDefinition objectDefinitionRequired2 = spawnForKindIntent.getObjectDefinitionRequired();
                    QName associationAttribute = resourceAssociationDefinition.getDefinitionBean().getAssociationAttribute();
                    QName valueAttribute = resourceAssociationDefinition.getDefinitionBean().getValueAttribute();
                    MiscUtil.schemaCheck(associationAttribute != null, "No association attribute defined in entitlement association '%s' in %s", new Object[]{name, provisioningContext});
                    MiscUtil.schemaCheck(valueAttribute != null, "No value attribute defined in entitlement association '%s' in %s", new Object[]{name, provisioningContext});
                    ResourceAttributeDefinition findAttributeDefinitionRequired = objectDefinitionRequired2.findAttributeDefinitionRequired(associationAttribute, () -> {
                        return " in entitlement association '" + name + "' in " + spawnForKindIntent + " [association attribute]";
                    });
                    ResourceAttribute findAttribute = attributesContainer.findAttribute(valueAttribute);
                    if (findAttribute == null || findAttribute.isEmpty()) {
                        throw new SchemaException("Value attribute " + valueAttribute + " has no value; attribute defined in entitlement association '" + name + "' in " + provisioningContext);
                    }
                    if (findAttribute.size() > 1) {
                        throw new SchemaException("Value attribute " + valueAttribute + " has no more than one value; attribute defined in entitlement association '" + name + "' in " + provisioningContext);
                    }
                    QueryWithConstraints determineQueryWithConstraints = this.delineationProcessor.determineQueryWithConstraints(spawnForKindIntent, createEntitlementQuery(findAttribute.getAnyValue(), findAttribute.getDefinition(), findAttributeDefinitionRequired, resourceAssociationDefinition), operationResult);
                    UcfObjectHandler ucfObjectHandler = (ucfObjectFound, operationResult2) -> {
                        PrismObject resourceObject = ucfObjectFound.getResourceObject();
                        ResourceObjectDiscriminator resourceObjectDiscriminator = new ResourceObjectDiscriminator(objectDefinitionRequired2.getTypeName(), ShadowUtil.getPrimaryIdentifiers(resourceObject));
                        ResourceObjectOperations resourceObjectOperations = (ResourceObjectOperations) map.get(resourceObjectDiscriminator);
                        if (resourceObjectOperations == null) {
                            resourceObjectOperations = new ResourceObjectOperations();
                            map.put(resourceObjectDiscriminator, resourceObjectOperations);
                            resourceObjectOperations.setResourceObjectContext(spawnForKindIntent);
                            resourceObjectOperations.setAllIdentifiers(ShadowUtil.getAllIdentifiers(resourceObject));
                        }
                        PropertyDelta propertyDelta = null;
                        Iterator<Operation> it2 = resourceObjectOperations.getOperations().iterator();
                        while (it2.hasNext()) {
                            PropertyModificationOperation propertyModificationOperation = (Operation) it2.next();
                            if (propertyModificationOperation instanceof PropertyModificationOperation) {
                                PropertyModificationOperation propertyModificationOperation2 = propertyModificationOperation;
                                if (propertyModificationOperation2.getPropertyDelta().getElementName().equals(associationAttribute)) {
                                    propertyDelta = propertyModificationOperation2.getPropertyDelta();
                                }
                            }
                        }
                        if (propertyDelta == null) {
                            propertyDelta = findAttributeDefinitionRequired.createEmptyDelta(ItemPath.create(new Object[]{ShadowType.F_ATTRIBUTES, associationAttribute}));
                            PropertyModificationOperation propertyModificationOperation3 = new PropertyModificationOperation(propertyDelta);
                            propertyModificationOperation3.setMatchingRuleQName(resourceAssociationDefinition.getMatchingRule());
                            resourceObjectOperations.add(propertyModificationOperation3);
                        }
                        propertyDelta.addValuesToDelete(findAttribute.getClonedValues());
                        LOGGER.trace("Association in deleted shadow delta:\n{}", propertyDelta.debugDumpLazily());
                        return true;
                    };
                    try {
                        LOGGER.trace("Searching for associations in deleted shadow, query: {}", determineQueryWithConstraints.query);
                        provisioningContext.getConnector(ReadCapabilityType.class, operationResult).search(objectDefinitionRequired2, determineQueryWithConstraints.query, ucfObjectHandler, spawnForKindIntent.createAttributesToReturn(), (PagedSearchCapabilityType) null, determineQueryWithConstraints.constraints, UcfFetchErrorReportingMethod.EXCEPTION, provisioningContext.getUcfExecutionContext(), operationResult);
                    } catch (GenericFrameworkException e) {
                        throw new GenericConnectorException(e.getMessage(), e);
                    } catch (TunnelException e2) {
                        throw e2.getCause();
                    }
                }
            } else {
                LOGGER.trace("Ignoring association in deleted shadow because subject does not have {} auxiliary object class", resourceAssociationDefinition.getAuxiliaryObjectClass());
            }
        }
    }

    private void collectEntitlementToAttrsDelta(OperationMap operationMap, Collection<PrismContainerValue<ShadowAssociationType>> collection, ModificationType modificationType, ProvisioningContext provisioningContext) throws SchemaException {
        Iterator it = MiscUtil.emptyIfNull(collection).iterator();
        while (it.hasNext()) {
            collectEntitlementToAttrDelta(operationMap, (PrismContainerValue) it.next(), modificationType, provisioningContext);
        }
    }

    private <T> void collectEntitlementToAttrDelta(OperationMap operationMap, PrismContainerValue<ShadowAssociationType> prismContainerValue, ModificationType modificationType, ProvisioningContext provisioningContext) throws SchemaException {
        ResourceObjectDefinition objectDefinitionRequired = provisioningContext.getObjectDefinitionRequired();
        QName name = prismContainerValue.asContainerable().getName();
        MiscUtil.schemaCheck(name != null, "No name in entitlement association %s", new Object[]{prismContainerValue});
        ResourceAssociationDefinition findAssociationDefinitionRequired = objectDefinitionRequired.findAssociationDefinitionRequired(name, () -> {
            return " in " + provisioningContext;
        });
        if (findAssociationDefinitionRequired.getDirection() != ResourceObjectAssociationDirectionType.SUBJECT_TO_OBJECT) {
            return;
        }
        QName associationAttribute = findAssociationDefinitionRequired.getDefinitionBean().getAssociationAttribute();
        QName valueAttribute = findAssociationDefinitionRequired.getDefinitionBean().getValueAttribute();
        MiscUtil.schemaCheck(associationAttribute != null, "No association attribute defined in entitlement association '%s' in %s", new Object[]{name, provisioningContext});
        MiscUtil.schemaCheck(valueAttribute != null, "No value attribute defined in entitlement association '%s' in %s", new Object[]{name, provisioningContext});
        ResourceAttributeDefinition findAttributeDefinition = objectDefinitionRequired.findAttributeDefinition(associationAttribute);
        if (findAttributeDefinition == null) {
            throw new SchemaException("Association attribute '" + associationAttribute + "'defined in entitlement association '" + name + "' was not found in schema for " + provisioningContext);
        }
        PropertyModificationOperation<?> propertyModificationOperation = operationMap.get(associationAttribute);
        if (propertyModificationOperation == null) {
            propertyModificationOperation = new PropertyModificationOperation<>(findAttributeDefinition.createEmptyDelta(ItemPath.create(new Object[]{ShadowType.F_ATTRIBUTES, associationAttribute})));
            propertyModificationOperation.setMatchingRuleQName(findAssociationDefinitionRequired.getMatchingRule());
            operationMap.put(associationAttribute, propertyModificationOperation);
        }
        PrismProperty findProperty = prismContainerValue.findContainer(ShadowAssociationType.F_IDENTIFIERS).findProperty(ItemName.fromQName(valueAttribute));
        if (findProperty == null) {
            throw new SchemaException("No value attribute " + valueAttribute + " present in entitlement association '" + name + "' in shadow for " + provisioningContext);
        }
        if (modificationType == ModificationType.ADD) {
            propertyModificationOperation.getPropertyDelta().addValuesToAdd(findProperty.getClonedValues());
        } else if (modificationType == ModificationType.DELETE) {
            propertyModificationOperation.getPropertyDelta().addValuesToDelete(findProperty.getClonedValues());
        } else if (modificationType == ModificationType.REPLACE) {
            propertyModificationOperation.getPropertyDelta().setValuesToReplace(findProperty.getClonedValues());
        }
    }

    private PrismObject<ShadowType> collectEntitlementsAsObjectOperation(Map<ResourceObjectDiscriminator, ResourceObjectOperations> map, Collection<PrismContainerValue<ShadowAssociationType>> collection, PrismObject<ShadowType> prismObject, PrismObject<ShadowType> prismObject2, ModificationType modificationType, ProvisioningContext provisioningContext, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, CommunicationException, SecurityViolationException, ConfigurationException, ExpressionEvaluationException {
        Iterator it = MiscUtil.emptyIfNull(collection).iterator();
        while (it.hasNext()) {
            prismObject2 = collectEntitlementAsObjectOperation(map, (PrismContainerValue) it.next(), prismObject, prismObject2, modificationType, provisioningContext, operationResult);
        }
        return prismObject2;
    }

    private <TV, TA> PrismObject<ShadowType> collectEntitlementAsObjectOperation(Map<ResourceObjectDiscriminator, ResourceObjectOperations> map, PrismContainerValue<ShadowAssociationType> prismContainerValue, PrismObject<ShadowType> prismObject, PrismObject<ShadowType> prismObject2, ModificationType modificationType, ProvisioningContext provisioningContext, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, CommunicationException, SecurityViolationException, ConfigurationException, ExpressionEvaluationException {
        ResourceType resource = provisioningContext.getResource();
        QName name = prismContainerValue.asContainerable().getName();
        if (name == null) {
            throw new SchemaException("No name in entitlement association " + prismContainerValue);
        }
        ResourceAssociationDefinition findAssociationDefinitionRequired = provisioningContext.getObjectDefinitionRequired().findAssociationDefinitionRequired(name, () -> {
            return " in " + provisioningContext;
        });
        if (findAssociationDefinitionRequired.getDirection() != ResourceObjectAssociationDirectionType.OBJECT_TO_SUBJECT) {
            return prismObject2;
        }
        Collection<String> intents = findAssociationDefinitionRequired.getIntents();
        if (intents == null || intents.isEmpty()) {
            throw new SchemaException("No entitlement intent specified in association " + prismContainerValue + " in " + resource);
        }
        ShadowKindType kind = findAssociationDefinitionRequired.getKind();
        for (String str : intents) {
            ProvisioningContext spawnForKindIntent = provisioningContext.spawnForKindIntent(kind, str);
            ResourceObjectDefinition objectDefinitionRequired = spawnForKindIntent.getObjectDefinitionRequired();
            QName associationAttribute = findAssociationDefinitionRequired.getDefinitionBean().getAssociationAttribute();
            QName valueAttribute = findAssociationDefinitionRequired.getDefinitionBean().getValueAttribute();
            MiscUtil.schemaCheck(associationAttribute != null, "No association attribute defined in entitlement association '%s' in %s", new Object[]{name, provisioningContext});
            MiscUtil.schemaCheck(valueAttribute != null, "No value attribute defined in entitlement association '%s' in %s", new Object[]{name, provisioningContext});
            ResourceAttributeDefinition findAttributeDefinition = objectDefinitionRequired.findAttributeDefinition(associationAttribute);
            if (findAttributeDefinition == null) {
                throw new SchemaException("Association attribute '" + associationAttribute + "'defined in entitlement association was not found in entitlement intent(s) '" + intents + "' in schema for " + resource);
            }
            Collection<? extends ResourceAttribute<?>> attributes = getIdentifiersAttributeContainer(prismContainerValue, objectDefinitionRequired).getAttributes();
            ResourceObjectDiscriminator resourceObjectDiscriminator = new ResourceObjectDiscriminator(objectDefinitionRequired.getTypeName(), attributes);
            ResourceObjectOperations resourceObjectOperations = map.get(resourceObjectDiscriminator);
            if (resourceObjectOperations == null) {
                resourceObjectOperations = new ResourceObjectOperations();
                resourceObjectOperations.setResourceObjectContext(spawnForKindIntent);
                map.put(resourceObjectDiscriminator, resourceObjectOperations);
            }
            PrismObject<ShadowType> prismObject3 = modificationType != ModificationType.DELETE ? prismObject2 : findAssociationDefinitionRequired.requiresExplicitReferentialIntegrity() ? prismObject : prismObject2;
            ResourceAttribute attribute = ShadowUtil.getAttribute(prismObject3, valueAttribute);
            if (attribute == null) {
                if (!ShadowUtil.isFullShadow(prismObject3)) {
                    Collection<? extends ResourceAttribute<?>> allIdentifiers = ShadowUtil.getAllIdentifiers(prismObject3);
                    LOGGER.trace("Fetching {} ({})", prismObject3, allIdentifiers);
                    prismObject3 = this.resourceObjectReferenceResolver.fetchResourceObject(provisioningContext, allIdentifiers, null, prismObject3, operationResult);
                    prismObject2 = prismObject3;
                    attribute = ShadowUtil.getAttribute(prismObject3, valueAttribute);
                }
                if (attribute == null) {
                    LOGGER.error("No value attribute {} in shadow\n{}", valueAttribute, prismObject3.debugDump());
                    throw new SchemaException("No value attribute " + valueAttribute + " in " + prismObject3);
                }
            }
            PropertyDelta propertyDelta = null;
            Iterator<Operation> it = resourceObjectOperations.getOperations().iterator();
            while (it.hasNext()) {
                PropertyModificationOperation propertyModificationOperation = (Operation) it.next();
                if (propertyModificationOperation instanceof PropertyModificationOperation) {
                    PropertyModificationOperation propertyModificationOperation2 = propertyModificationOperation;
                    if (propertyModificationOperation2.getPropertyDelta().getElementName().equals(associationAttribute)) {
                        propertyDelta = propertyModificationOperation2.getPropertyDelta();
                    }
                }
            }
            if (propertyDelta == null) {
                propertyDelta = findAttributeDefinition.createEmptyDelta(ItemPath.create(new Object[]{ShadowType.F_ATTRIBUTES, associationAttribute}));
            }
            PrismProperty convertProperty = PrismUtil.convertProperty(attribute, findAttributeDefinition);
            if (modificationType == ModificationType.ADD) {
                propertyDelta.addValuesToAdd(convertProperty.getClonedValues());
            } else if (modificationType == ModificationType.DELETE) {
                propertyDelta.addValuesToDelete(convertProperty.getClonedValues());
            } else if (modificationType == ModificationType.REPLACE) {
                propertyDelta.setValuesToReplace(convertProperty.getClonedValues());
            }
            if (ResourceTypeUtil.isAvoidDuplicateValues(resource)) {
                PrismObject<ShadowType> currentShadow = resourceObjectOperations.getCurrentShadow();
                if (currentShadow == null) {
                    LOGGER.trace("Fetching entitlement shadow {} to avoid value duplication (intent={})", attributes, str);
                    currentShadow = this.resourceObjectReferenceResolver.fetchResourceObject(spawnForKindIntent, attributes, null, null, operationResult);
                    resourceObjectOperations.setCurrentShadow(currentShadow);
                }
                PropertyDelta narrowPropertyDelta = ProvisioningUtil.narrowPropertyDelta(propertyDelta, currentShadow, findAssociationDefinitionRequired.getMatchingRule(), this.matchingRuleRegistry);
                if (narrowPropertyDelta == null || narrowPropertyDelta.isEmpty()) {
                    LOGGER.trace("Not collecting entitlement object operations ({}) association {}: attribute delta is empty after narrow, orig delta: {}", new Object[]{modificationType, name.getLocalPart(), propertyDelta});
                }
                propertyDelta = narrowPropertyDelta;
            }
            if (propertyDelta != null && !propertyDelta.isEmpty()) {
                PropertyModificationOperation propertyModificationOperation3 = new PropertyModificationOperation(propertyDelta);
                propertyModificationOperation3.setMatchingRuleQName(findAssociationDefinitionRequired.getMatchingRule());
                LOGGER.trace("Collecting entitlement object operations ({}) association {}: {}", new Object[]{modificationType, name.getLocalPart(), propertyModificationOperation3});
                resourceObjectOperations.add(propertyModificationOperation3);
            }
        }
        return prismObject2;
    }

    @NotNull
    private ResourceAttributeContainer getIdentifiersAttributeContainer(PrismContainerValue<ShadowAssociationType> prismContainerValue, ResourceObjectDefinition resourceObjectDefinition) throws SchemaException {
        ResourceAttributeContainer findContainer = prismContainerValue.findContainer(ShadowAssociationType.F_IDENTIFIERS);
        if (findContainer == null) {
            throw new SchemaException("No identifiers in association value: " + prismContainerValue);
        }
        if (findContainer instanceof ResourceAttributeContainer) {
            return findContainer;
        }
        ResourceAttributeContainer instantiate = resourceObjectDefinition.toResourceAttributeContainerDefinition().instantiate(ShadowAssociationType.F_IDENTIFIERS);
        for (PrismProperty prismProperty : findContainer.getValue().getProperties()) {
            ResourceAttribute instantiate2 = resourceObjectDefinition.findAttributeDefinitionRequired(prismProperty.getElementName()).instantiate();
            Iterator it = prismProperty.getRealValues().iterator();
            while (it.hasNext()) {
                instantiate2.addRealValue(it.next());
            }
            instantiate.add(instantiate2);
        }
        return instantiate;
    }
}
