package com.evolveum.midpoint.security.enforcer.impl;

import com.evolveum.midpoint.prism.Containerable;
import com.evolveum.midpoint.prism.Item;
import com.evolveum.midpoint.prism.PrismContainer;
import com.evolveum.midpoint.prism.PrismContainerValue;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.PrismValue;
import com.evolveum.midpoint.prism.delta.ContainerDelta;
import com.evolveum.midpoint.prism.delta.ItemDelta;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.schema.AccessDecision;
import com.evolveum.midpoint.schema.internals.InternalsConfig;
import com.evolveum.midpoint.security.api.AuthorizationConstants;
import com.evolveum.midpoint.security.enforcer.api.AbstractAuthorizationParameters;
import com.evolveum.midpoint.security.enforcer.api.AuthorizationParameters;
import com.evolveum.midpoint.security.enforcer.api.ObjectSecurityConstraints;
import com.evolveum.midpoint.util.MiscUtil;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import java.util.Collection;
import java.util.Iterator;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:BOOT-INF/lib/security-enforcer-impl-4.10-SNAPSHOT.jar:com/evolveum/midpoint/security/enforcer/impl/ItemDecisionOperation.class */
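/**
 * Item-level authorization decisions for an object value or an object delta.
 *
 * <p>Every item (and, recursively, every container value) reached while walking the input is
 * passed to an {@code ItemDecisionFunction}; the per-item results are folded with
 * {@link AccessDecision#combine}. The overall result is {@code null} when no item produced a
 * decision — that is "no decision", not an allow; how a caller treats it is not visible in this
 * class. Whenever a {@code DENY} is produced, the item path is reported through the tracer.
 *
 * <p>This is a decompiled (jadx) listing. The original class, its nested tracer interface and
 * the package-level entry points were package-private; the {@code public} modifiers are kept
 * here so existing callers are unaffected. Decompiler artifacts — a collection compared with
 * {@code 0}, raw iterators, an undeclared type variable — are cleaned up without changing the
 * decision logic.
 */
public class ItemDecisionOperation {

    /** Receives trace messages; the format strings use {@code {}} placeholders. */
    private final SimpleTracer simpleTracer;

    /** Minimal trace sink so the decision walk can report what it decided and why. */
    public interface SimpleTracer {
        /**
         * Emits one trace line.
         *
         * @param str format string with {@code {}} placeholders
         * @param objArr values substituted into the placeholders
         */
        void trace(@NotNull String str, Object... objArr);
    }

    /**
     * @param simpleTracer trace sink used for all diagnostic output of this operation
     */
    public ItemDecisionOperation(@NotNull SimpleTracer simpleTracer) {
        this.simpleTracer = simpleTracer;
    }

    /**
     * Decides using a set of allowed item paths.
     *
     * <p>If the parameters carry a delta, the delta is evaluated: its non-delete parts with the
     * requested phase, the delete parts always with {@link AuthorizationPhaseType#EXECUTION}.
     * Otherwise, if they carry a value, the value is evaluated with the requested phase.
     *
     * @param autzItemPaths item paths the authorization allows
     * @param authorizationPhaseType phase the caller is authorizing (request or execution)
     * @param abstractAuthorizationParameters delta and/or value under evaluation
     * @return the combined decision, or {@code null} when the parameters hold neither a delta
     *         nor a value, or when no item yielded a decision
     */
    public AccessDecision decideUsingAllowedItems(@NotNull AutzItemPaths autzItemPaths, @NotNull AuthorizationPhaseType authorizationPhaseType, @NotNull AbstractAuthorizationParameters abstractAuthorizationParameters) {
        ItemDecisionFunction phaseFunction =
                (path, removing) -> decideUsingAllowedItems(path, autzItemPaths, authorizationPhaseType, removing);
        if (abstractAuthorizationParameters instanceof AuthorizationParameters) {
            AuthorizationParameters params = (AuthorizationParameters) abstractAuthorizationParameters;
            if (params.hasDelta()) {
                // Deleted values are always judged as an execution-phase operation.
                ItemDecisionFunction executionFunction =
                        (path, removing) -> decideUsingAllowedItems(path, autzItemPaths, AuthorizationPhaseType.EXECUTION, removing);
                return decideOnDeltaByItems(params.getDelta(), params.getOldObject(), phaseFunction, executionFunction);
            }
        }
        if (abstractAuthorizationParameters.hasValue()) {
            return decideOnObjectValueByItems(abstractAuthorizationParameters.getValue(), phaseFunction);
        }
        return null;
    }

    /**
     * Per-item rule for the allowed-paths mode: {@code ALLOW} when the item is allowed by default
     * or included in the allowed paths, {@code DEFAULT} otherwise. Never returns {@code null}.
     *
     * @param itemPath path of the item (named segments only)
     * @param autzItemPaths allowed paths
     * @param authorizationPhaseType phase being authorized
     * @param removing whether the item belongs to a value being removed
     */
    @NotNull
    private AccessDecision decideUsingAllowedItems(@NotNull ItemPath itemPath, @NotNull AutzItemPaths autzItemPaths, @NotNull AuthorizationPhaseType authorizationPhaseType, boolean removing) {
        boolean allowed = isAllowedByDefault(itemPath, authorizationPhaseType, removing)
                || autzItemPaths.includes(itemPath);
        return allowed ? AccessDecision.ALLOW : AccessDecision.DEFAULT;
    }

    /**
     * Items that need no explicit authorization: operational items of a container value that is
     * being deleted, and the items allowed by default in the execution phase. Both sets come from
     * {@link AuthorizationConstants}.
     *
     * @param itemPath path to test
     * @param authorizationPhaseType phase being authorized
     * @param removing whether the item belongs to a value being removed
     */
    private boolean isAllowedByDefault(ItemPath itemPath, AuthorizationPhaseType authorizationPhaseType, boolean removing) {
        if (removing && AuthorizationConstants.OPERATIONAL_ITEMS_ALLOWED_FOR_CONTAINER_DELETE.containsSubpathOrEquivalent(itemPath)) {
            return true;
        }
        return authorizationPhaseType == AuthorizationPhaseType.EXECUTION
                && AuthorizationConstants.EXECUTION_ITEMS_ALLOWED_BY_DEFAULT.containsSubpathOrEquivalent(itemPath);
    }

    /**
     * Decides on an object delta.
     *
     * <ul>
     *   <li>ADD: the object to add is evaluated with {@code decisionFunction}.</li>
     *   <li>DELETE: the current object is evaluated with {@code deleteDecisionFunction}.</li>
     *   <li>MODIFY: each modification is decided by its (named-segment) path; a modification that
     *       only gets {@code DEFAULT} and is a container delta is descended into value by value.
     *       An empty modification list is {@code ALLOW}.</li>
     * </ul>
     *
     * @param objectDelta delta under evaluation
     * @param currentObject the object as it currently exists; required for DELETE and for MODIFY
     *        deltas that touch container values (deliberately not null-guarded: a missing current
     *        object fails with an exception rather than silently contributing no decision)
     * @param decisionFunction rule for added/modified items
     * @param deleteDecisionFunction rule for a whole-object delete
     * @return combined decision, or {@code null} when no item yielded a decision
     */
    @Nullable
    private AccessDecision decideOnDeltaByItems(@NotNull ObjectDelta<?> objectDelta, PrismObject<?> currentObject, ItemDecisionFunction decisionFunction, ItemDecisionFunction deleteDecisionFunction) {
        if (objectDelta.isAdd()) {
            return decideOnObjectValueByItems(objectDelta.getObjectToAdd().getValue(), decisionFunction);
        }
        if (objectDelta.isDelete()) {
            return decideOnObjectValueByItems(currentObject.getValue(), deleteDecisionFunction);
        }
        Collection<? extends ItemDelta<?, ?>> modifications = objectDelta.getModifications();
        if (modifications.isEmpty()) {
            return AccessDecision.ALLOW;
        }
        AccessDecision decision = null;
        for (ItemDelta<?, ?> modification : modifications) {
            ItemPath path = modification.getPath();
            AccessDecision itemDecision = decisionFunction.decide(path.namedSegmentsOnly(), false);
            if (itemDecision == null) {
                continue;
            }
            if (itemDecision == AccessDecision.DEFAULT && modification instanceof ContainerDelta) {
                // No verdict at container level: look at the individual container values.
                AccessDecision valuesDecision =
                        decideOnContainerDeltaByItems((ContainerDelta<?>) modification, currentObject, decisionFunction);
                decision = AccessDecision.combine(decision, valuesDecision);
            } else {
                if (itemDecision == AccessDecision.DENY) {
                    this.simpleTracer.trace("DENY operation because item {} in the delta is not allowed", path);
                }
                decision = AccessDecision.combine(decision, itemDecision);
            }
        }
        return decision;
    }

    /**
     * Decides on a container delta value by value: added values as additions, deleted values as
     * removals (an ID-only value is resolved against the current object first; if it is not found
     * there it contributes no decision), and for a replace both the replacing values and the
     * current values that the replace removes.
     *
     * @param containerDelta container delta under evaluation
     * @param currentObject current object, used to resolve ID-only deletes and replaced values
     * @param decisionFunction per-item rule
     * @return combined decision, or {@code null} when no item yielded a decision
     */
    private AccessDecision decideOnContainerDeltaByItems(ContainerDelta<?> containerDelta, PrismObject<?> currentObject, ItemDecisionFunction decisionFunction) {
        AccessDecision decision = null;
        ItemPath path = containerDelta.getPath();

        for (PrismContainerValue<?> added : MiscUtil.emptyIfNull(containerDelta.getValuesToAdd())) {
            decision = AccessDecision.combine(decision,
                    decideOnContainerValueByItems(added, decisionFunction, false, "delta add"));
        }

        for (PrismContainerValue<?> deleted : MiscUtil.emptyIfNull(containerDelta.getValuesToDelete())) {
            AccessDecision valueDecision = null;
            if (deleted.isIdOnly()) {
                // Only the ID is known; judge the items of the value as it currently exists.
                PrismContainerValue<?> current = determineContainerValueFromCurrentObject(path, deleted.getId(), currentObject);
                if (current != null) {
                    valueDecision = decideOnContainerValueByItems(current, decisionFunction, true, "delta delete (current value)");
                }
            } else {
                valueDecision = decideOnContainerValueByItems(deleted, decisionFunction, true, "delta delete");
            }
            decision = AccessDecision.combine(decision, valueDecision);
        }

        // Decompiled as "!= 0"; a null replace collection means "no replace" here.
        Collection<? extends PrismContainerValue<?>> valuesToReplace = containerDelta.getValuesToReplace();
        if (valuesToReplace != null) {
            for (PrismContainerValue<?> replacing : valuesToReplace) {
                decision = AccessDecision.combine(decision,
                        decideOnContainerValueByItems(replacing, decisionFunction, false, "delta replace"));
            }
            // A replace also removes every value currently present.
            for (PrismContainerValue<?> removed : MiscUtil.emptyIfNull(determineContainerValuesFromCurrentObject(path, currentObject))) {
                decision = AccessDecision.combine(decision,
                        decideOnContainerValueByItems(removed, decisionFunction, true, "delta replace (removed current value)"));
            }
        }
        return decision;
    }

    /**
     * Finds the container value with the given ID in the current object.
     *
     * @param containerPath path of the container
     * @param id ID to look for
     * @param currentObject current object (must not be {@code null})
     * @return the matching value, or {@code null} when the container or the ID is not present
     */
    @Nullable
    private PrismContainerValue<?> determineContainerValueFromCurrentObject(ItemPath containerPath, long id, PrismObject<?> currentObject) {
        for (PrismContainerValue<?> value : MiscUtil.emptyIfNull(determineContainerValuesFromCurrentObject(containerPath, currentObject))) {
            Long valueId = value.getId();
            // A value without an ID cannot match an ID-only delete; the decompiled code unboxed
            // unconditionally and would have failed with an NPE here.
            if (valueId != null && valueId == id) {
                return value;
            }
        }
        return null;
    }

    /**
     * Returns the values of the container at {@code containerPath} in the current object.
     *
     * @param containerPath path of the container
     * @param currentObject current object (must not be {@code null})
     * @return the container's values, or {@code null} when there is no such container
     */
    @Nullable
    private <C extends Containerable> Collection<PrismContainerValue<C>> determineContainerValuesFromCurrentObject(ItemPath containerPath, PrismObject<?> currentObject) {
        PrismContainer<C> container = currentObject.findContainer(containerPath);
        return container != null ? container.getValues() : null;
    }

    /**
     * Decides on a whole object value. A non-container value is decided as the empty path; a
     * container value is decided item by item, and a container with no items and no item decision
     * is {@code ALLOW}.
     *
     * @param prismValue value under evaluation
     * @param decisionFunction per-item rule
     * @return combined decision, or {@code null} when no item yielded a decision
     */
    private AccessDecision decideOnObjectValueByItems(@NotNull PrismValue prismValue, ItemDecisionFunction decisionFunction) {
        if (!(prismValue instanceof PrismContainerValue)) {
            return decisionFunction.decide(ItemPath.EMPTY_PATH, false);
        }
        PrismContainerValue<?> containerValue = (PrismContainerValue<?>) prismValue;
        AccessDecision decision = decideOnContainerValueByItems(containerValue, decisionFunction, false, "object");
        if (decision == null && containerValue.hasNoItems()) {
            // Nothing to decide on: an empty object carries no restricted item.
            return AccessDecision.ALLOW;
        }
        return decision;
    }

    /**
     * Decides on one container value by visiting its items. An item that only gets
     * {@code DEFAULT} and is itself a container is descended into; any {@code DENY} is traced.
     *
     * @param containerValue value under evaluation
     * @param decisionFunction per-item rule
     * @param removing whether the value is being removed (passed through to the rule)
     * @param contextLabel short label used in trace output (e.g. "object", "delta add")
     * @return combined decision, or {@code null} when no item yielded a decision
     */
    private AccessDecision decideOnContainerValueByItems(@NotNull PrismContainerValue<?> containerValue, ItemDecisionFunction decisionFunction, boolean removing, String contextLabel) {
        AccessDecision decision = null;
        for (Item<?, ?> item : containerValue.getItems()) {
            ItemPath path = item.getPath();
            AccessDecision itemDecision = decisionFunction.decide(path.namedSegmentsOnly(), removing);
            logContainerValueItemDecision(itemDecision, contextLabel, path);
            if (itemDecision == null) {
                continue;
            }
            if (itemDecision == AccessDecision.DEFAULT && item instanceof PrismContainer) {
                for (PrismContainerValue<?> subValue : ((PrismContainer<?>) item).getValues()) {
                    decision = AccessDecision.combine(decision,
                            decideOnContainerValueByItems(subValue, decisionFunction, removing, contextLabel));
                }
            } else {
                if (itemDecision == AccessDecision.DENY) {
                    this.simpleTracer.trace("DENY operation because item {} in the object is not allowed", path);
                }
                decision = AccessDecision.combine(decision, itemDecision);
            }
        }
        logContainerValueDecision(decision, contextLabel, containerValue);
        return decision;
    }

    /** Traces an item decision; ALLOW is only traced when detailed authorization logging is on. */
    private void logContainerValueItemDecision(AccessDecision decision, String contextLabel, ItemPath itemPath) {
        if (decision != AccessDecision.ALLOW || InternalsConfig.isDetailedAuthorizationLog()) {
            this.simpleTracer.trace("item {} for {}: decision={}", itemPath, contextLabel, decision);
        }
    }

    /** Traces a container value decision; ALLOW is only traced when detailed authorization logging is on. */
    private void logContainerValueDecision(AccessDecision decision, String contextLabel, PrismContainerValue<?> containerValue) {
        if (decision != AccessDecision.ALLOW || InternalsConfig.isDetailedAuthorizationLog()) {
            this.simpleTracer.trace("container {} for {} (processed sub-items): decision={}", containerValue.getPath(), contextLabel, decision);
        }
    }

    /**
     * Decides on a delta using pre-computed object security constraints.
     *
     * <p>Non-delete parts of the delta are judged in the requested phase, a whole-object delete
     * always in {@link AuthorizationPhaseType#EXECUTION}.
     *
     * @param objectSecurityConstraints constraints consulted per item
     * @param objectDelta delta under evaluation
     * @param prismObject current object (see {@link #decideOnDeltaByItems})
     * @param str passed to {@code ObjectSecurityConstraints.findItemDecision} as its second argument
     *        (presumably the operation being authorized; not determinable from this class)
     * @param authorizationPhaseType phase being authorized
     * @param itemPath restricts the decision to this item and its sub-items; other items get no decision
     * @return combined decision, or {@code null} when no item yielded a decision
     */
    public <O extends ObjectType> AccessDecision determineItemDecision(@NotNull ObjectSecurityConstraints objectSecurityConstraints, @NotNull ObjectDelta<O> objectDelta, PrismObject<O> prismObject, @NotNull String str, @NotNull AuthorizationPhaseType authorizationPhaseType, @NotNull ItemPath itemPath) {
        ItemDecisionFunction phaseFunction =
                (path, removing) -> decideUsingSecurityConstraints(path, removing, objectSecurityConstraints, str, authorizationPhaseType, itemPath);
        ItemDecisionFunction executionFunction =
                (path, removing) -> decideUsingSecurityConstraints(path, removing, objectSecurityConstraints, str, AuthorizationPhaseType.EXECUTION, itemPath);
        return decideOnDeltaByItems(objectDelta, prismObject, phaseFunction, executionFunction);
    }

    /**
     * Per-item rule for the security-constraints mode.
     *
     * @param itemPath path of the item being decided (named segments only)
     * @param removing whether the item belongs to a value being removed
     * @param objectSecurityConstraints constraints consulted for the item
     * @param str second argument of {@code findItemDecision} (see {@link #determineItemDecision})
     * @param authorizationPhaseType phase being authorized
     * @param restrictToPath when non-null, only this item and its sub-items are decided
     * @return the translated constraint decision; {@code null} for items allowed by default and
     *         for items outside {@code restrictToPath}
     */
    @Nullable
    private AccessDecision decideUsingSecurityConstraints(@NotNull ItemPath itemPath, boolean removing, @NotNull ObjectSecurityConstraints objectSecurityConstraints, @NotNull String str, @NotNull AuthorizationPhaseType authorizationPhaseType, @Nullable ItemPath restrictToPath) {
        if (isAllowedByDefault(itemPath, authorizationPhaseType, removing)) {
            return null;
        }
        boolean inScope = restrictToPath == null || restrictToPath.isSubPathOrEquivalent(itemPath);
        if (!inScope) {
            return null;
        }
        return AccessDecision.translate(objectSecurityConstraints.findItemDecision(itemPath, str, authorizationPhaseType));
    }

    /**
     * Decides on a single container value using pre-computed object security constraints, with no
     * item-path restriction.
     *
     * @param objectSecurityConstraints constraints consulted per item
     * @param prismContainerValue value under evaluation
     * @param z whether the value is being removed
     * @param str second argument of {@code findItemDecision} (see {@link #determineItemDecision})
     * @param authorizationPhaseType phase being authorized
     * @param str2 label used in trace output
     * @return combined decision, or {@code null} when no item yielded a decision
     */
    public AccessDecision determineItemValueDecision(@NotNull ObjectSecurityConstraints objectSecurityConstraints, @NotNull PrismContainerValue<?> prismContainerValue, boolean z, @NotNull String str, @NotNull AuthorizationPhaseType authorizationPhaseType, @NotNull String str2) {
        ItemDecisionFunction function =
                (path, removing) -> decideUsingSecurityConstraints(path, removing, objectSecurityConstraints, str, authorizationPhaseType, null);
        return decideOnContainerValueByItems(prismContainerValue, function, z, str2);
    }
}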
