package com.evolveum.midpoint.security.impl;

import com.evolveum.midpoint.prism.Item;
import com.evolveum.midpoint.prism.PrismContext;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.PrismObjectDefinition;
import com.evolveum.midpoint.prism.Visitable;
import com.evolveum.midpoint.prism.Visitor;
import com.evolveum.midpoint.prism.delta.ItemDelta;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.match.MatchingRuleRegistry;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.prism.query.AllFilter;
import com.evolveum.midpoint.prism.query.InOidFilter;
import com.evolveum.midpoint.prism.query.NoneFilter;
import com.evolveum.midpoint.prism.query.NotFilter;
import com.evolveum.midpoint.prism.query.ObjectFilter;
import com.evolveum.midpoint.prism.query.ObjectQuery;
import com.evolveum.midpoint.prism.query.OrgFilter;
import com.evolveum.midpoint.prism.query.QueryJaxbConvertor;
import com.evolveum.midpoint.prism.query.TypeFilter;
import com.evolveum.midpoint.repo.api.RepositoryService;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.util.ObjectQueryUtil;
import com.evolveum.midpoint.security.api.Authorization;
import com.evolveum.midpoint.security.api.AuthorizationConstants;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.security.api.ObjectSecurityConstraints;
import com.evolveum.midpoint.security.api.OwnerResolver;
import com.evolveum.midpoint.security.api.SecurityEnforcer;
import com.evolveum.midpoint.security.api.SecurityUtil;
import com.evolveum.midpoint.security.api.UserProfileService;
import com.evolveum.midpoint.util.QNameUtil;
import com.evolveum.midpoint.util.exception.AuthorizationException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.exception.SystemException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationDecisionType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectSpecificationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OwnedObjectSpecificationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SpecialObjectSpecificationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import com.evolveum.prism.xml.ns._public.query_3.SearchFilterType;
import com.evolveum.prism.xml.ns._public.types_3.ItemPathType;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.xml.namespace.QName;
import org.aopalliance.intercept.MethodInvocation;
import org.apache.commons.lang.mutable.MutableBoolean;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.stereotype.Component;

@Component("securityEnforcer")
/* loaded from: input_file:com/evolveum/midpoint/security/impl/SecurityEnforcerImpl.class */
public class SecurityEnforcerImpl implements SecurityEnforcer {
    private static final Trace LOGGER = TraceManager.getTrace(SecurityEnforcerImpl.class);

    @Autowired(required = true)
    @Qualifier("cacheRepositoryService")
    private RepositoryService repositoryService;

    @Autowired(required = true)
    private MatchingRuleRegistry matchingRuleRegistry;

    @Autowired(required = true)
    private PrismContext prismContext;
    private UserProfileService userProfileService = null;

    public UserProfileService getUserProfileService() {
        return this.userProfileService;
    }

    public void setUserProfileService(UserProfileService userProfileService) {
        this.userProfileService = userProfileService;
    }

    public MidPointPrincipal getPrincipal() throws SecurityViolationException {
        return SecurityUtil.getPrincipal();
    }

    public boolean isAuthenticated() {
        return SecurityUtil.isAuthenticated();
    }

    public void setupPreAuthenticatedSecurityContext(Authentication authentication) {
        SecurityContextHolder.getContext().setAuthentication(authentication);
    }

    public void setupPreAuthenticatedSecurityContext(PrismObject<UserType> prismObject) {
        MidPointPrincipal principal;
        if (this.userProfileService == null) {
            LOGGER.warn("No user profile service set up in SecurityEnforcer. This is OK in low-level tests but it is a serious problem in running system");
            principal = new MidPointPrincipal(prismObject.asObjectable());
        } else {
            principal = this.userProfileService.getPrincipal(prismObject);
        }
        setupPreAuthenticatedSecurityContext((Authentication) new PreAuthenticatedAuthenticationToken(principal, (Object) null));
    }

    public <O extends ObjectType, T extends ObjectType> boolean isAuthorized(String str, AuthorizationPhaseType authorizationPhaseType, PrismObject<O> prismObject, ObjectDelta<O> objectDelta, PrismObject<T> prismObject2, OwnerResolver ownerResolver) throws SchemaException {
        MidPointPrincipal midPointPrincipal = getMidPointPrincipal();
        if (midPointPrincipal == null) {
            return false;
        }
        if (authorizationPhaseType != null) {
            return isAuthorizedInternal(midPointPrincipal, str, authorizationPhaseType, prismObject, objectDelta, prismObject2, ownerResolver);
        }
        if (isAuthorizedInternal(midPointPrincipal, str, AuthorizationPhaseType.REQUEST, prismObject, objectDelta, prismObject2, ownerResolver)) {
            return isAuthorizedInternal(midPointPrincipal, str, AuthorizationPhaseType.EXECUTION, prismObject, objectDelta, prismObject2, ownerResolver);
        }
        return false;
    }

    private <O extends ObjectType, T extends ObjectType> boolean isAuthorizedInternal(MidPointPrincipal midPointPrincipal, String str, AuthorizationPhaseType authorizationPhaseType, PrismObject<O> prismObject, ObjectDelta<O> objectDelta, PrismObject<T> prismObject2, OwnerResolver ownerResolver) throws SchemaException {
        if ("http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#noAccess".equals(str)) {
            return false;
        }
        if (authorizationPhaseType == null) {
            throw new IllegalArgumentException("No phase");
        }
        boolean z = false;
        LOGGER.trace("AUTZ: evaluating authorization principal={}, op={}, phase={}, object={}, delta={}, target={}", new Object[]{midPointPrincipal, str, authorizationPhaseType, prismObject, objectDelta, prismObject2});
        final ArrayList arrayList = new ArrayList();
        Collection authorities = midPointPrincipal.getAuthorities();
        if (authorities != null) {
            Iterator it = authorities.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                GrantedAuthority grantedAuthority = (GrantedAuthority) it.next();
                if (grantedAuthority instanceof Authorization) {
                    Authorization authorization = (Authorization) grantedAuthority;
                    String humanReadableDesc = authorization.getHumanReadableDesc();
                    LOGGER.trace("Evaluating {}", humanReadableDesc);
                    if (authorization.getAction().contains(str) || authorization.getAction().contains(AuthorizationConstants.AUTZ_ALL_URL)) {
                        if (authorization.getPhase() == null) {
                            LOGGER.trace("  {} is applicable for all phases (continuing evaluation)", humanReadableDesc);
                        } else if (authorization.getPhase() != authorizationPhaseType) {
                            LOGGER.trace("  {} is not applicable for phases {} (breaking evaluation)", humanReadableDesc, authorizationPhaseType);
                        } else {
                            LOGGER.trace("  {} is applicable for phases {} (continuing evaluation)", humanReadableDesc, authorizationPhaseType);
                        }
                        if (isApplicable(authorization.getObject(), prismObject, midPointPrincipal, ownerResolver, "object", humanReadableDesc)) {
                            LOGGER.trace("  {} applicable for object {} (continuing evaluation)", humanReadableDesc, prismObject);
                            if (isApplicable(authorization.getTarget(), prismObject2, midPointPrincipal, ownerResolver, "target", humanReadableDesc)) {
                                LOGGER.trace("  {} applicable for target {} (continuing evaluation)", humanReadableDesc, prismObject);
                                AuthorizationDecisionType decision = authorization.getDecision();
                                if (decision == null || decision == AuthorizationDecisionType.ALLOW) {
                                    Collection<ItemPath> items = getItems(authorization);
                                    if (z && arrayList.isEmpty()) {
                                        LOGGER.trace("  {}: ALLOW operation {} (but continue evaluation)", humanReadableDesc, str);
                                    } else if (z && items.isEmpty()) {
                                        arrayList.clear();
                                    } else {
                                        arrayList.addAll(items);
                                    }
                                    LOGGER.trace("  {}: ALLOW operation {} (but continue evaluation)", humanReadableDesc, str);
                                    z = true;
                                } else {
                                    if (isApplicableItem(authorization, prismObject, objectDelta)) {
                                        LOGGER.trace("  {}: Deny authorization applicable for items (continuing evaluation)", humanReadableDesc);
                                        LOGGER.trace("  {}: DENY operation {}", humanReadableDesc, str);
                                        z = false;
                                        break;
                                    }
                                    LOGGER.trace("  {} not applicable for items (breaking evaluation)", humanReadableDesc);
                                }
                            } else {
                                LOGGER.trace("  {} not applicable for target {}, none of the target specifications match (breaking evaluation)", humanReadableDesc, prismObject);
                            }
                        } else {
                            LOGGER.trace("  {} not applicable for object {}, none of the object specifications match (breaking evaluation)", humanReadableDesc, prismObject);
                        }
                    } else {
                        LOGGER.trace("  {} not applicable for operation {}", humanReadableDesc, str);
                    }
                } else {
                    LOGGER.warn("Unknown authority type {} in user {}", grantedAuthority.getClass(), midPointPrincipal.getUsername());
                }
            }
        }
        if (z) {
            if (arrayList.isEmpty()) {
                LOGGER.trace("  Empty list of allowed items, operation allowed");
            } else {
                final MutableBoolean mutableBoolean = new MutableBoolean(true);
                if (objectDelta != null) {
                    objectDelta.accept(new Visitor() { // from class: com.evolveum.midpoint.security.impl.SecurityEnforcerImpl.1
                        public void visit(Visitable visitable) {
                            ItemPath path = SecurityEnforcerImpl.this.getPath(visitable);
                            if (path == null || path.isEmpty() || SecurityEnforcerImpl.this.isInList(path, arrayList)) {
                                return;
                            }
                            SecurityEnforcerImpl.LOGGER.trace("  DENY operation because item {} in the delta is not allowed", path);
                            mutableBoolean.setValue(false);
                        }
                    });
                } else if (prismObject != null) {
                    prismObject.accept(new Visitor() { // from class: com.evolveum.midpoint.security.impl.SecurityEnforcerImpl.2
                        public void visit(Visitable visitable) {
                            ItemPath path = SecurityEnforcerImpl.this.getPath(visitable);
                            if (path == null || path.isEmpty() || SecurityEnforcerImpl.this.isInList(path, arrayList)) {
                                return;
                            }
                            SecurityEnforcerImpl.LOGGER.trace("  DENY operation because item {} in the object is not allowed", path);
                            mutableBoolean.setValue(false);
                        }
                    });
                }
                z = mutableBoolean.booleanValue();
            }
        }
        if (LOGGER.isTraceEnabled()) {
            LOGGER.trace("AUTZ result: principal={}, operation={}: {}", new Object[]{midPointPrincipal, str, Boolean.valueOf(z)});
        }
        return z;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public ItemPath getPath(Visitable visitable) {
        if (visitable instanceof ItemDelta) {
            return ((ItemDelta) visitable).getPath();
        }
        if (visitable instanceof Item) {
            return ((Item) visitable).getPath();
        }
        return null;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public boolean isInList(ItemPath itemPath, Collection<ItemPath> collection) {
        boolean z = false;
        Iterator<ItemPath> it = collection.iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            if (it.next().isSubPathOrEquivalent(itemPath)) {
                z = true;
                break;
            }
        }
        return z;
    }

    public <O extends ObjectType, T extends ObjectType> void authorize(String str, AuthorizationPhaseType authorizationPhaseType, PrismObject<O> prismObject, ObjectDelta<O> objectDelta, PrismObject<T> prismObject2, OwnerResolver ownerResolver, OperationResult operationResult) throws SecurityViolationException, SchemaException {
        MidPointPrincipal principal = getPrincipal();
        if (isAuthorized(str, authorizationPhaseType, prismObject, objectDelta, prismObject2, ownerResolver)) {
            return;
        }
        String quotedUsername = getQuotedUsername(principal);
        String str2 = (prismObject2 == null && prismObject == null) ? "User '" + quotedUsername + "' not authorized for operation " + str : prismObject2 == null ? "User '" + quotedUsername + "' not authorized for operation " + str + " on " + prismObject : "User '" + quotedUsername + "' not authorized for operation " + str + " on " + prismObject + " with target " + prismObject2;
        LOGGER.error("{}", str2);
        AuthorizationException authorizationException = new AuthorizationException(str2);
        operationResult.recordFatalError(authorizationException.getMessage(), authorizationException);
        throw authorizationException;
    }

    private <O extends ObjectType> boolean isApplicable(List<OwnedObjectSpecificationType> list, PrismObject<O> prismObject, MidPointPrincipal midPointPrincipal, OwnerResolver ownerResolver, String str, String str2) throws SchemaException {
        if (list == null || list.isEmpty()) {
            LOGGER.trace("  {}: No {} specification in authorization (authorization is applicable)", str2, str);
            return true;
        }
        if (prismObject == null) {
            LOGGER.trace("  {} not applicable for null {}", str2, str);
            return false;
        }
        Iterator<OwnedObjectSpecificationType> it = list.iterator();
        while (it.hasNext()) {
            if (isApplicable((ObjectSpecificationType) it.next(), (PrismObject) prismObject, midPointPrincipal, ownerResolver, str, str2)) {
                return true;
            }
        }
        return false;
    }

    private <O extends ObjectType> boolean isApplicable(ObjectSpecificationType objectSpecificationType, PrismObject<O> prismObject, MidPointPrincipal midPointPrincipal, OwnerResolver ownerResolver, String str, String str2) throws SchemaException {
        ObjectSpecificationType owner;
        if (objectSpecificationType == null) {
            LOGGER.trace("  {} not applicable for {} because of null object specification", str2, str);
            return false;
        }
        SearchFilterType filter = objectSpecificationType.getFilter();
        ObjectReferenceType orgRef = objectSpecificationType.getOrgRef();
        QName type = objectSpecificationType.getType();
        PrismObjectDefinition definition = prismObject.getDefinition();
        if (type != null && !QNameUtil.match(type, definition.getTypeName())) {
            LOGGER.trace("  {} not applicable for {} because of type mismatch, expected {}, was {}", new Object[]{str2, str, type, definition.getTypeName()});
            return false;
        }
        List<SpecialObjectSpecificationType> special = objectSpecificationType.getSpecial();
        if (special != null && !special.isEmpty()) {
            if (filter != null || orgRef != null) {
                throw new SchemaException("Both filter/org and special " + str + " specification specified in " + str2);
            }
            for (SpecialObjectSpecificationType specialObjectSpecificationType : special) {
                if (specialObjectSpecificationType != SpecialObjectSpecificationType.SELF) {
                    throw new SchemaException("Unsupported special " + str + " specification specified in " + str2 + ": " + specialObjectSpecificationType);
                }
                String oid = midPointPrincipal.getOid();
                if (oid != null) {
                    if (oid.equals(prismObject.getOid())) {
                        LOGGER.trace("  {}: 'self' authorization applicable for {}", str2, str);
                        return true;
                    }
                    LOGGER.trace("  {}: 'self' authorization not applicable for {}, principal OID: {}, {} OID {}", new Object[]{str2, str, oid, str, prismObject.getOid()});
                }
            }
            return false;
        }
        LOGGER.trace("  {}: specials empty: {}", str2, special);
        if (filter != null) {
            ObjectFilter createObjectFilter = QueryJaxbConvertor.createObjectFilter(prismObject.getCompileTimeClass(), filter, prismObject.getPrismContext());
            if (createObjectFilter != null) {
                ObjectQueryUtil.assertPropertyOnly(createObjectFilter, "Filter in " + str2 + " " + str + " is not property-only filter");
            }
            try {
                if (!ObjectQuery.match(prismObject, createObjectFilter, this.matchingRuleRegistry)) {
                    LOGGER.trace("  filter {} not applicable for {}, object OID {}", new Object[]{str2, str, prismObject.getOid()});
                    return false;
                }
            } catch (SchemaException e) {
                throw new SchemaException("Could not apply " + str2 + " for " + prismObject + ". " + e.getMessage(), e);
            }
        }
        if (orgRef != null) {
            List parentOrgRef = prismObject.asObjectable().getParentOrgRef();
            ArrayList arrayList = new ArrayList(parentOrgRef.size());
            Iterator it = parentOrgRef.iterator();
            while (it.hasNext()) {
                arrayList.add(((ObjectReferenceType) it.next()).getOid());
            }
            if (!this.repositoryService.isAnySubordinate(orgRef.getOid(), arrayList)) {
                LOGGER.trace("  org {} not applicable for {}, object OID {} (autz={} parentRefs={})", new Object[]{str2, str, prismObject.getOid(), orgRef.getOid(), arrayList});
                return false;
            }
        }
        if ((objectSpecificationType instanceof OwnedObjectSpecificationType) && (owner = ((OwnedObjectSpecificationType) objectSpecificationType).getOwner()) != null) {
            if (!prismObject.canRepresent(ShadowType.class)) {
                LOGGER.trace("  {}: owner object spec not applicable for {}, object OID {} because it is not a shadow", new Object[]{str2, str, prismObject.getOid()});
                return false;
            }
            if (ownerResolver == null) {
                ownerResolver = this.userProfileService;
                if (ownerResolver == null) {
                    LOGGER.trace("  {}: owner object spec not applicable for {}, object OID {} because there is no owner resolver", new Object[]{str2, str, prismObject.getOid()});
                    return false;
                }
            }
            PrismObject<O> resolveOwner = ownerResolver.resolveOwner(prismObject);
            if (resolveOwner == null) {
                LOGGER.trace("  {}: owner object spec not applicable for {}, object OID {} because it has no owner", new Object[]{str2, str, prismObject.getOid()});
                return false;
            }
            if (!isApplicable(owner, resolveOwner, midPointPrincipal, ownerResolver, "owner of " + str, str2)) {
                LOGGER.trace("  {}: owner object spec not applicable for {}, object OID {} because owner does not match (owner={})", new Object[]{str2, str, prismObject.getOid(), resolveOwner});
                return false;
            }
        }
        LOGGER.trace("  {} applicable for {} (filter)", str2, str);
        return true;
    }

    private <O extends ObjectType, T extends ObjectType> boolean isApplicableItem(Authorization authorization, PrismObject<O> prismObject, ObjectDelta<O> objectDelta) {
        ItemDelta findItemDelta;
        Item findItem;
        List item = authorization.getItem();
        if (item == null || item.isEmpty()) {
            LOGGER.trace("  items empty");
            return true;
        }
        Iterator it = item.iterator();
        while (it.hasNext()) {
            ItemPath itemPath = ((ItemPathType) it.next()).getItemPath();
            if (prismObject != null && (findItem = prismObject.findItem(itemPath)) != null && !findItem.isEmpty()) {
                LOGGER.trace("  applicable object item " + itemPath);
                return true;
            }
            if (objectDelta != null && (findItemDelta = objectDelta.findItemDelta(itemPath)) != null && !findItemDelta.isEmpty()) {
                LOGGER.trace("  applicable delta item " + itemPath);
                return true;
            }
        }
        LOGGER.trace("  no applicable item");
        return false;
    }

    private Collection<ItemPath> getItems(Authorization authorization) {
        List item = authorization.getItem();
        ArrayList arrayList = new ArrayList(item.size());
        if (item != null) {
            Iterator it = item.iterator();
            while (it.hasNext()) {
                arrayList.add(((ItemPathType) it.next()).getItemPath());
            }
        }
        return arrayList;
    }

    public void decide(Authentication authentication, Object obj, Collection<ConfigAttribute> collection) throws AccessDeniedException, InsufficientAuthenticationException {
        if (obj instanceof MethodInvocation) {
        } else {
            if (!(obj instanceof FilterInvocation)) {
                SecurityUtil.logSecurityDeny(obj, ": Unknown type of secure object");
                throw new IllegalArgumentException("Unknown type of secure object");
            }
        }
        Object principal = authentication.getPrincipal();
        if (!(principal instanceof MidPointPrincipal)) {
            if (!(authentication.getPrincipal() instanceof String) || !"anonymousUser".equals(principal)) {
                throw new IllegalArgumentException("Expected that spring security principal will be of type " + MidPointPrincipal.class.getName() + " but it was " + principal.getClass());
            }
            SecurityUtil.logSecurityDeny(obj, ": Not logged in");
            throw new InsufficientAuthenticationException("Not logged in.");
        }
        Collection actions = SecurityUtil.getActions(collection);
        Iterator it = actions.iterator();
        while (it.hasNext()) {
            try {
                if (isAuthorized((String) it.next(), null, null, null, null, null)) {
                    return;
                }
            } catch (SchemaException e) {
                throw new SystemException(e.getMessage(), e);
            }
        }
        SecurityUtil.logSecurityDeny(obj, ": Not authorized", (Throwable) null, actions);
        throw new AccessDeniedException("Not authorized");
    }

    public boolean supports(ConfigAttribute configAttribute) {
        return configAttribute instanceof SecurityConfig;
    }

    public boolean supports(Class<?> cls) {
        return MethodInvocation.class.isAssignableFrom(cls) || FilterInvocation.class.isAssignableFrom(cls);
    }

    private String getQuotedUsername(Authentication authentication) {
        Object principal = authentication.getPrincipal();
        return principal != null ? principal instanceof MidPointPrincipal ? "'" + ((MidPointPrincipal) principal).getUsername() + "'" : "(unknown:" + principal + ")" : "(none)";
    }

    private String getQuotedUsername(MidPointPrincipal midPointPrincipal) {
        return midPointPrincipal == null ? "(none)" : "'" + midPointPrincipal.getUsername() + "'";
    }

    private MidPointPrincipal getMidPointPrincipal() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null) {
            LOGGER.warn("No authentication");
            return null;
        }
        Object principal = authentication.getPrincipal();
        if (principal == null) {
            LOGGER.warn("Null principal");
            return null;
        }
        if (principal instanceof MidPointPrincipal) {
            return (MidPointPrincipal) principal;
        }
        if ((authentication.getPrincipal() instanceof String) && "anonymousUser".equals(principal)) {
            LOGGER.trace("AUTZ: deny because user is not logged in");
            return null;
        }
        LOGGER.warn("Unknown principal type {}", principal.getClass());
        return null;
    }

    public <O extends ObjectType> ObjectSecurityConstraints compileSecurityConstraints(PrismObject<O> prismObject, OwnerResolver ownerResolver) throws SchemaException {
        MidPointPrincipal midPointPrincipal = getMidPointPrincipal();
        if (prismObject == null) {
            throw new IllegalArgumentException("Cannot compile security constraints of null object");
        }
        if (midPointPrincipal == null) {
            return null;
        }
        LOGGER.trace("AUTZ: evaluating security constraints principal={}, object={}", midPointPrincipal, prismObject);
        ObjectSecurityConstraintsImpl objectSecurityConstraintsImpl = new ObjectSecurityConstraintsImpl();
        Collection<GrantedAuthority> authorities = midPointPrincipal.getAuthorities();
        if (authorities != null) {
            for (GrantedAuthority grantedAuthority : authorities) {
                if (grantedAuthority instanceof Authorization) {
                    Authorization authorization = (Authorization) grantedAuthority;
                    String humanReadableDesc = authorization.getHumanReadableDesc();
                    LOGGER.trace("Evaluating {}", humanReadableDesc);
                    if (isApplicable(authorization.getObject(), prismObject, midPointPrincipal, ownerResolver, "object", humanReadableDesc)) {
                        LOGGER.trace("  {} applicable for object {} (continuing evaluation)", humanReadableDesc, prismObject);
                        List<String> action = authorization.getAction();
                        AuthorizationPhaseType phase = authorization.getPhase();
                        AuthorizationDecisionType decision = authorization.getDecision();
                        if (decision == null || decision == AuthorizationDecisionType.ALLOW) {
                            Collection<ItemPath> items = getItems(authorization);
                            if (items == null || items.isEmpty()) {
                                applyDecision(objectSecurityConstraintsImpl.getActionDecisionMap(), action, phase, AuthorizationDecisionType.ALLOW);
                            } else {
                                Iterator<ItemPath> it = items.iterator();
                                while (it.hasNext()) {
                                    applyItemDecision(objectSecurityConstraintsImpl.getItemConstraintMap(), it.next(), action, phase, AuthorizationDecisionType.ALLOW);
                                }
                            }
                        } else {
                            Collection<ItemPath> items2 = getItems(authorization);
                            if (items2 == null || items2.isEmpty()) {
                                applyDecision(objectSecurityConstraintsImpl.getActionDecisionMap(), action, phase, AuthorizationDecisionType.DENY);
                            } else {
                                Iterator<ItemPath> it2 = items2.iterator();
                                while (it2.hasNext()) {
                                    applyItemDecision(objectSecurityConstraintsImpl.getItemConstraintMap(), it2.next(), action, phase, AuthorizationDecisionType.DENY);
                                }
                            }
                        }
                    } else {
                        LOGGER.trace("  {} not applicable for object {}, none of the object specifications match (breaking evaluation)", humanReadableDesc, prismObject);
                    }
                } else {
                    LOGGER.warn("Unknown authority type {} in user {}", grantedAuthority.getClass(), midPointPrincipal.getUsername());
                }
            }
        }
        if (LOGGER.isTraceEnabled()) {
            LOGGER.trace("AUTZ: evaluated security constraints principal={}, object={}:\n{}", new Object[]{midPointPrincipal, prismObject, objectSecurityConstraintsImpl.debugDump()});
        }
        return objectSecurityConstraintsImpl;
    }

    private void applyItemDecision(Map<ItemPath, ItemSecurityConstraintsImpl> map, ItemPath itemPath, List<String> list, AuthorizationPhaseType authorizationPhaseType, AuthorizationDecisionType authorizationDecisionType) {
        ItemSecurityConstraintsImpl itemSecurityConstraintsImpl = map.get(itemPath);
        if (itemSecurityConstraintsImpl == null) {
            itemSecurityConstraintsImpl = new ItemSecurityConstraintsImpl();
            map.put(itemPath, itemSecurityConstraintsImpl);
        }
        applyDecision(itemSecurityConstraintsImpl.getActionDecisionMap(), list, authorizationPhaseType, authorizationDecisionType);
    }

    private void applyDecision(Map<String, PhaseDecisionImpl> map, List<String> list, AuthorizationPhaseType authorizationPhaseType, AuthorizationDecisionType authorizationDecisionType) {
        for (String str : list) {
            if (authorizationPhaseType == null) {
                applyDecisionRequest(map, str, authorizationDecisionType);
                applyDecisionExecution(map, str, authorizationDecisionType);
            } else if (authorizationPhaseType == AuthorizationPhaseType.REQUEST) {
                applyDecisionRequest(map, str, authorizationDecisionType);
            } else {
                if (authorizationPhaseType != AuthorizationPhaseType.EXECUTION) {
                    throw new IllegalArgumentException("Unknown phase " + authorizationPhaseType);
                }
                applyDecisionExecution(map, str, authorizationDecisionType);
            }
        }
    }

    private void applyDecisionRequest(Map<String, PhaseDecisionImpl> map, String str, AuthorizationDecisionType authorizationDecisionType) {
        PhaseDecisionImpl phaseDecisionImpl = map.get(str);
        if (phaseDecisionImpl == null) {
            PhaseDecisionImpl phaseDecisionImpl2 = new PhaseDecisionImpl();
            phaseDecisionImpl2.setRequestDecision(authorizationDecisionType);
            map.put(str, phaseDecisionImpl2);
        } else if (phaseDecisionImpl.getRequestDecision() == null || (phaseDecisionImpl.getRequestDecision() == AuthorizationDecisionType.ALLOW && authorizationDecisionType == AuthorizationDecisionType.DENY)) {
            phaseDecisionImpl.setRequestDecision(authorizationDecisionType);
        }
    }

    private void applyDecisionExecution(Map<String, PhaseDecisionImpl> map, String str, AuthorizationDecisionType authorizationDecisionType) {
        PhaseDecisionImpl phaseDecisionImpl = map.get(str);
        if (phaseDecisionImpl == null) {
            PhaseDecisionImpl phaseDecisionImpl2 = new PhaseDecisionImpl();
            phaseDecisionImpl2.setExecDecision(authorizationDecisionType);
            map.put(str, phaseDecisionImpl2);
        } else if (phaseDecisionImpl.getExecDecision() == null || (phaseDecisionImpl.getExecDecision() == AuthorizationDecisionType.ALLOW && authorizationDecisionType == AuthorizationDecisionType.DENY)) {
            phaseDecisionImpl.setExecDecision(authorizationDecisionType);
        }
    }

    public <T extends ObjectType, O extends ObjectType> ObjectFilter preProcessObjectFilter(String str, AuthorizationPhaseType authorizationPhaseType, Class<T> cls, PrismObject<O> prismObject, ObjectFilter objectFilter) throws SchemaException {
        MidPointPrincipal midPointPrincipal = getMidPointPrincipal();
        if (midPointPrincipal == null) {
            throw new IllegalArgumentException("No vaild principal");
        }
        LOGGER.trace("AUTZ: evaluating search pre-process principal={}, objectType={}: orig filter {}", new Object[]{midPointPrincipal, cls, objectFilter});
        if (objectFilter == null) {
            objectFilter = AllFilter.createAll();
        }
        ObjectFilter preProcessObjectFilterInternal = authorizationPhaseType != null ? preProcessObjectFilterInternal(midPointPrincipal, str, authorizationPhaseType, true, cls, prismObject, objectFilter) : ObjectQueryUtil.filterOr(preProcessObjectFilterInternal(midPointPrincipal, str, null, false, cls, prismObject, objectFilter), ObjectQueryUtil.filterAnd(preProcessObjectFilterInternal(midPointPrincipal, str, AuthorizationPhaseType.REQUEST, false, cls, prismObject, objectFilter), preProcessObjectFilterInternal(midPointPrincipal, str, AuthorizationPhaseType.EXECUTION, false, cls, prismObject, objectFilter)));
        LOGGER.trace("AUTZ: evaluated search pre-process principal={}, objectType={}: {}", new Object[]{midPointPrincipal, cls, preProcessObjectFilterInternal});
        if (preProcessObjectFilterInternal instanceof AllFilter) {
            return null;
        }
        return preProcessObjectFilterInternal;
    }

    private <T extends ObjectType, O extends ObjectType> ObjectFilter preProcessObjectFilterInternal(MidPointPrincipal midPointPrincipal, String str, AuthorizationPhaseType authorizationPhaseType, boolean z, Class<T> cls, PrismObject<O> prismObject, ObjectFilter objectFilter) throws SchemaException {
        ObjectFilter filterAnd;
        List<OwnedObjectSpecificationType> target;
        Collection<GrantedAuthority> authorities = midPointPrincipal.getAuthorities();
        ObjectFilter objectFilter2 = null;
        ObjectFilter objectFilter3 = null;
        boolean z2 = false;
        if (authorities != null) {
            for (GrantedAuthority grantedAuthority : authorities) {
                if (grantedAuthority instanceof Authorization) {
                    Authorization authorization = (Authorization) grantedAuthority;
                    LOGGER.trace("Evaluating authorization {}", authorization);
                    if (!authorization.getAction().contains(str) && !authorization.getAction().contains(AuthorizationConstants.AUTZ_ALL_URL)) {
                        LOGGER.trace("  Authorization not applicable for operation {}", str);
                    } else if (authorization.getPhase() == authorizationPhaseType || (z && authorization.getPhase() == null)) {
                        LOGGER.trace("  Authorization is applicable for phases {} (continuing evaluation)", authorizationPhaseType);
                        ObjectFilter objectFilter4 = null;
                        if (prismObject == null) {
                            target = authorization.getObject();
                        } else {
                            target = authorization.getTarget();
                            if (!isApplicableItem(authorization, prismObject, null)) {
                                LOGGER.trace("  Authorization is not applicable for object {}", prismObject);
                            }
                        }
                        boolean z3 = true;
                        if (target == null || target.isEmpty()) {
                            LOGGER.trace("  No object specification in authorization (authorization is universaly applicable)");
                            objectFilter4 = AllFilter.createAll();
                        } else {
                            z3 = false;
                            for (OwnedObjectSpecificationType ownedObjectSpecificationType : target) {
                                TypeFilter typeFilter = null;
                                TypeFilter typeFilter2 = null;
                                SearchFilterType filter = ownedObjectSpecificationType.getFilter();
                                ObjectReferenceType orgRef = ownedObjectSpecificationType.getOrgRef();
                                QName type = ownedObjectSpecificationType.getType();
                                PrismObjectDefinition prismObjectDefinition = null;
                                if (type != null) {
                                    type = this.prismContext.getSchemaRegistry().qualifyTypeName(type);
                                    PrismObjectDefinition findObjectDefinitionByType = this.prismContext.getSchemaRegistry().findObjectDefinitionByType(type);
                                    Class<?> compileTimeClass = findObjectDefinitionByType.getCompileTimeClass();
                                    if (cls.isAssignableFrom(compileTimeClass)) {
                                        LOGGER.trace("  Authorization is applicable for object because of type match, authorization {}, query {}", new Object[]{compileTimeClass, cls});
                                        typeFilter2 = TypeFilter.createType(type, (ObjectFilter) null);
                                        prismObjectDefinition = findObjectDefinitionByType;
                                    } else {
                                        LOGGER.trace("  Authorization not applicable for object because of type mismatch, authorization {}, query {}", new Object[]{compileTimeClass, cls});
                                    }
                                }
                                if (ownedObjectSpecificationType.getOwner() != null) {
                                    LOGGER.trace("  Authorization not applicable for object because it has owner specification (this is not applicable for search)");
                                } else {
                                    z3 = true;
                                    List<SpecialObjectSpecificationType> special = ownedObjectSpecificationType.getSpecial();
                                    if (special == null || special.isEmpty()) {
                                        LOGGER.trace("  specials empty: {}", special);
                                    } else {
                                        if (filter != null || orgRef != null) {
                                            throw new SchemaException("Both filter/org and special object specification specified in authorization");
                                        }
                                        TypeFilter typeFilter3 = null;
                                        for (SpecialObjectSpecificationType specialObjectSpecificationType : special) {
                                            if (specialObjectSpecificationType != SpecialObjectSpecificationType.SELF) {
                                                throw new SchemaException("Unsupported special object specification specified in authorization: " + specialObjectSpecificationType);
                                            }
                                            typeFilter3 = ObjectQueryUtil.filterOr(typeFilter3, InOidFilter.createInOid(new String[]{midPointPrincipal.getOid()}));
                                        }
                                        typeFilter = type != null ? TypeFilter.createType(type, typeFilter3) : typeFilter3;
                                    }
                                    if (filter != null) {
                                        if (prismObjectDefinition == null) {
                                            prismObjectDefinition = this.prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(cls);
                                        }
                                        ObjectFilter createObjectFilter = QueryJaxbConvertor.createObjectFilter(prismObjectDefinition, filter, this.prismContext);
                                        if (createObjectFilter != null) {
                                            ObjectQueryUtil.assertNotRaw(createObjectFilter, "Filter in authorization object has undefined items. Maybe a 'type' specification is missing in the authorization?");
                                            ObjectQueryUtil.assertPropertyOnly(createObjectFilter, "Filter in authorization object is not property-only filter");
                                        }
                                        LOGGER.trace("  applying property filter " + createObjectFilter);
                                        typeFilter = ObjectQueryUtil.filterAnd(typeFilter, createObjectFilter);
                                    } else {
                                        LOGGER.trace("  filter empty");
                                    }
                                    if (orgRef != null) {
                                        OrgFilter createOrg = OrgFilter.createOrg(orgRef.getOid());
                                        typeFilter = ObjectQueryUtil.filterAnd(typeFilter, createOrg);
                                        LOGGER.trace("  applying org filter " + createOrg);
                                    } else {
                                        LOGGER.trace("  org empty");
                                    }
                                    if (typeFilter2 != null) {
                                        typeFilter2.setFilter(typeFilter);
                                        typeFilter = typeFilter2;
                                    }
                                    objectFilter4 = ObjectQueryUtil.filterOr(objectFilter4, typeFilter);
                                }
                            }
                        }
                        if (z3) {
                            AuthorizationDecisionType decision = authorization.getDecision();
                            if (decision != null && decision != AuthorizationDecisionType.ALLOW) {
                                if (ObjectQueryUtil.isAll(objectFilter4)) {
                                    LOGGER.trace("AUTZ search pre-process: principal={}, operation={}: deny all", new Object[]{midPointPrincipal.getUsername(), str});
                                    return NoneFilter.createNone();
                                }
                                objectFilter3 = ObjectQueryUtil.filterOr(objectFilter3, objectFilter4);
                            } else if (ObjectQueryUtil.isAll(objectFilter4)) {
                                z2 = true;
                            } else {
                                objectFilter2 = ObjectQueryUtil.filterOr(objectFilter2, objectFilter4);
                            }
                        } else {
                            continue;
                        }
                    } else {
                        LOGGER.trace("  Authorization is not applicable for phase {}", authorizationPhaseType);
                    }
                } else {
                    LOGGER.warn("Unknown authority type {} in user {}", grantedAuthority.getClass(), midPointPrincipal.getUsername());
                }
            }
        }
        if (z2) {
            filterAnd = objectFilter;
        } else {
            if (objectFilter2 == null) {
                LOGGER.trace("AUTZ search pre-process: principal={}, operation={}: default deny", new Object[]{midPointPrincipal.getUsername(), str});
                return NoneFilter.createNone();
            }
            filterAnd = ObjectQueryUtil.filterAnd(objectFilter, objectFilter2);
        }
        if (objectFilter3 == null) {
            if (LOGGER.isTraceEnabled()) {
                Trace trace = LOGGER;
                Object[] objArr = new Object[3];
                objArr[0] = midPointPrincipal.getUsername();
                objArr[1] = str;
                objArr[2] = filterAnd == null ? "null" : filterAnd.debugDump();
                trace.trace("AUTZ search pre-process: principal={}, operation={}: allow:\n{}", objArr);
            }
            return filterAnd;
        }
        ObjectFilter filterAnd2 = ObjectQueryUtil.filterAnd(filterAnd, NotFilter.createNot(objectFilter3));
        if (LOGGER.isTraceEnabled()) {
            Trace trace2 = LOGGER;
            Object[] objArr2 = new Object[3];
            objArr2[0] = midPointPrincipal.getUsername();
            objArr2[1] = str;
            objArr2[2] = filterAnd2 == null ? "null" : filterAnd2.debugDump();
            trace2.trace("AUTZ search pre-process: principal={}, operation={}: allow (with deny clauses):\n{}", objArr2);
        }
        return filterAnd2;
    }
}
