package com.evolveum.midpoint.provisioning.impl.shadows.classification;

import com.evolveum.midpoint.prism.PrismConstants;
import com.evolveum.midpoint.prism.PrismContainerValue;
import com.evolveum.midpoint.prism.PrismPropertyDefinition;
import com.evolveum.midpoint.prism.PrismPropertyValue;
import com.evolveum.midpoint.prism.query.EqualFilter;
import com.evolveum.midpoint.prism.query.ObjectFilter;
import com.evolveum.midpoint.provisioning.util.QueryConversionUtil;
import com.evolveum.midpoint.repo.common.expression.ExpressionEnvironment;
import com.evolveum.midpoint.repo.common.expression.ExpressionEnvironmentThreadLocalHolder;
import com.evolveum.midpoint.repo.common.expression.ExpressionUtil;
import com.evolveum.midpoint.schema.processor.ResourceAttribute;
import com.evolveum.midpoint.schema.processor.ResourceObjectDefinition;
import com.evolveum.midpoint.schema.processor.ResourceObjectTypeDelineation;
import com.evolveum.midpoint.schema.processor.SearchHierarchyScope;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
import com.evolveum.midpoint.schema.util.Resource;
import com.evolveum.midpoint.schema.util.ShadowUtil;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.util.MiscUtil;
import com.evolveum.midpoint.util.QNameUtil;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.BaseContextClassificationUseType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ExpressionType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceObjectReferenceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
import com.evolveum.prism.xml.ns._public.query_3.SearchFilterType;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.xml.namespace.QName;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

/* loaded from: input_file:com/evolveum/midpoint/provisioning/impl/shadows/classification/DelineationMatcher.class */
class DelineationMatcher {
    private static final Trace LOGGER = TraceManager.getTrace(DelineationMatcher.class);

    @NotNull
    private final ResourceObjectTypeDelineation delineation;

    @NotNull
    private final ResourceObjectDefinition resourceObjectDefinition;

    @NotNull
    private final ClassificationContext context;

    /* JADX INFO: Access modifiers changed from: package-private */
    public DelineationMatcher(@NotNull ResourceObjectTypeDelineation resourceObjectTypeDelineation, @NotNull ResourceObjectDefinition resourceObjectDefinition, @NotNull ClassificationContext classificationContext) {
        this.delineation = resourceObjectTypeDelineation;
        this.resourceObjectDefinition = resourceObjectDefinition;
        this.context = classificationContext;
    }

    public boolean matches(OperationResult operationResult) throws SchemaException, ExpressionEvaluationException, CommunicationException, SecurityViolationException, ConfigurationException, ObjectNotFoundException {
        if (!objectClassMatches()) {
            LOGGER.trace("Object class does not match");
            return false;
        }
        if (!isBaseContextIgnored() && !baseContextMatches()) {
            LOGGER.trace("Base context does not match");
            return false;
        }
        if (!filterMatches()) {
            LOGGER.trace("Filter does not match");
            return false;
        }
        if (conditionMatches(operationResult)) {
            LOGGER.trace("Delineation matches");
            return true;
        }
        LOGGER.trace("Condition does not match");
        return false;
    }

    private boolean objectClassMatches() throws SchemaException {
        return QNameUtil.match(ShadowUtil.getObjectClassRequired(this.context.getShadowedResourceObject()), this.delineation.getObjectClassName());
    }

    private boolean isBaseContextIgnored() {
        return this.delineation.getBaseContextClassificationUse() == BaseContextClassificationUseType.IGNORED;
    }

    private boolean baseContextMatches() throws SchemaException, ConfigurationException {
        ResourceObjectReferenceType baseContext = this.delineation.getBaseContext();
        if (baseContext == null) {
            return true;
        }
        LdapName rootDistinguishedName = getRootDistinguishedName(baseContext);
        if (rootDistinguishedName == null) {
            LOGGER.debug("-> no root DN, base context cannot be used for classification");
            return isBaseContextOptional();
        }
        LdapName shadowDistinguishedName = getShadowDistinguishedName();
        if (shadowDistinguishedName == null) {
            LOGGER.debug("-> no DN in shadow, base context cannot be used for classification");
            return isBaseContextOptional();
        }
        SearchHierarchyScope searchHierarchyScope = this.delineation.getSearchHierarchyScope();
        boolean isUnder = isUnder(shadowDistinguishedName, rootDistinguishedName, searchHierarchyScope);
        LOGGER.trace("{} is under {} (scope {}): {}", new Object[]{shadowDistinguishedName, rootDistinguishedName, searchHierarchyScope, Boolean.valueOf(isUnder)});
        return isUnder;
    }

    private boolean isBaseContextOptional() {
        return this.delineation.getBaseContextClassificationUse() == BaseContextClassificationUseType.IF_APPLICABLE;
    }

    private boolean isUnder(LdapName ldapName, LdapName ldapName2, SearchHierarchyScope searchHierarchyScope) {
        if (ldapName.startsWith(ldapName2)) {
            return searchHierarchyScope != SearchHierarchyScope.ONE || ldapName.size() == ldapName2.size() + 1;
        }
        return false;
    }

    @Nullable
    private LdapName getRootDistinguishedName(ResourceObjectReferenceType resourceObjectReferenceType) throws SchemaException, ConfigurationException {
        SearchFilterType filter = resourceObjectReferenceType.getFilter();
        if (filter == null) {
            LOGGER.debug("Base context without filter: not using for classification");
            return null;
        }
        QName objectClass = resourceObjectReferenceType.getObjectClass();
        if (objectClass == null) {
            LOGGER.debug("No object class in base context: not using for classification");
            return null;
        }
        EqualFilter parseFilter = QueryConversionUtil.parseFilter(filter, Resource.of(this.context.getResource()).getRawSchemaRequired().findObjectClassDefinitionRequired(objectClass));
        if (!(parseFilter instanceof EqualFilter)) {
            LOGGER.debug("Base context filter not supported for classification: {}", parseFilter);
            return null;
        }
        EqualFilter equalFilter = parseFilter;
        PrismPropertyDefinition<?> prismPropertyDefinition = (PrismPropertyDefinition) MiscUtil.requireNonNull(equalFilter.getDefinition(), () -> {
            return new IllegalStateException("No definition in " + parseFilter);
        });
        if (!isDistinguishedNameType(prismPropertyDefinition)) {
            LOGGER.debug("Base context filter is not DN-based: {}", prismPropertyDefinition);
            return null;
        }
        PrismPropertyValue singleValue = equalFilter.getSingleValue();
        if (singleValue == null) {
            LOGGER.debug("No base context root value in {}", equalFilter);
            return null;
        }
        Object realValue = singleValue.getRealValue();
        if (!(realValue instanceof String)) {
            LOGGER.debug("Root value of base context is not a String, not using for classification: {}", realValue);
            return null;
        }
        try {
            return new LdapName((String) realValue);
        } catch (InvalidNameException e) {
            LOGGER.warn("Root value of base context is not a legal LDAP name, not using for classification: {}", realValue, e);
            return null;
        }
    }

    private LdapName getShadowDistinguishedName() {
        ShadowType shadowedResourceObject = this.context.getShadowedResourceObject();
        ResourceAttribute<?> selectDistinguishedNameIdentifier = selectDistinguishedNameIdentifier(ShadowUtil.getAllIdentifiers(shadowedResourceObject));
        if (selectDistinguishedNameIdentifier == null) {
            LOGGER.debug("No DN-identifier in {}", shadowedResourceObject);
            return null;
        }
        Object realValue = selectDistinguishedNameIdentifier.getRealValue();
        if (!(realValue instanceof String)) {
            LOGGER.debug("Value of DN-identifier is not a String, not using for classification: {}", realValue);
            return null;
        }
        try {
            return new LdapName((String) realValue);
        } catch (InvalidNameException e) {
            LOGGER.warn("DN-identifier is not a legal LDAP name, not using for classification: '{}'; in {}", new Object[]{realValue, shadowedResourceObject, e});
            return null;
        }
    }

    private ResourceAttribute<?> selectDistinguishedNameIdentifier(Collection<ResourceAttribute<?>> collection) {
        for (ResourceAttribute<?> resourceAttribute : collection) {
            if (isDistinguishedNameType(resourceAttribute.getDefinition())) {
                return resourceAttribute;
            }
        }
        return null;
    }

    private boolean isDistinguishedNameType(PrismPropertyDefinition<?> prismPropertyDefinition) {
        return prismPropertyDefinition != null && QNameUtil.match(PrismConstants.DISTINGUISHED_NAME_MATCHING_RULE_NAME, prismPropertyDefinition.getMatchingRuleQName());
    }

    private boolean filterMatches() throws SchemaException {
        List<ObjectFilter> parseFilters = QueryConversionUtil.parseFilters(this.delineation.getFilterClauses(), this.resourceObjectDefinition);
        PrismContainerValue asPrismContainerValue = this.context.getShadowedResourceObject().asPrismContainerValue();
        Iterator<ObjectFilter> it = parseFilters.iterator();
        while (it.hasNext()) {
            if (!it.next().match(asPrismContainerValue, this.context.getBeans().matchingRuleRegistry)) {
                return false;
            }
        }
        return true;
    }

    private boolean conditionMatches(@NotNull OperationResult operationResult) throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException {
        ExpressionType classificationCondition = this.delineation.getClassificationCondition();
        if (classificationCondition == null) {
            return true;
        }
        try {
            Task task = this.context.getTask();
            ExpressionEnvironmentThreadLocalHolder.pushExpressionEnvironment(new ExpressionEnvironment(task, operationResult));
            boolean evaluateConditionDefaultTrue = ExpressionUtil.evaluateConditionDefaultTrue(this.context.createVariablesMap(), classificationCondition, MiscSchemaUtil.getExpressionProfile(), this.context.getBeans().expressionFactory, "condition in object synchronization", task, operationResult);
            ExpressionEnvironmentThreadLocalHolder.popExpressionEnvironment();
            return evaluateConditionDefaultTrue;
        } catch (Throwable th) {
            ExpressionEnvironmentThreadLocalHolder.popExpressionEnvironment();
            throw th;
        }
    }
}
