package com.evolveum.midpoint.model.common.expression;

import com.evolveum.midpoint.model.common.archetypes.ArchetypeManager;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.repo.common.SystemObjectCache;
import com.evolveum.midpoint.schema.config.ConfigurationItemOrigin;
import com.evolveum.midpoint.schema.constants.SchemaConstants;
import com.evolveum.midpoint.schema.expression.ExpressionProfile;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.util.MiscUtil;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ArchetypePolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ArchetypeType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.DefaultExpressionProfilesConfigurationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectPolicyConfigurationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemConfigurationExpressionsType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemConfigurationType;
import com.google.common.base.Preconditions;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

@Component
/* loaded from: input_file:BOOT-INF/lib/model-common-4.10-SNAPSHOT.jar:com/evolveum/midpoint/model/common/expression/ExpressionProfileManager.class */
public class ExpressionProfileManager {

    @Autowired
    SystemObjectCache systemObjectCache;

    @Autowired
    ArchetypeManager archetypeManager;

    @Autowired
    SecurityEnforcer securityEnforcer;

    @NotNull
    public <O extends ObjectType> ExpressionProfile determineExpressionProfile(@NotNull PrismObject<O> prismObject, @NotNull OperationResult operationResult) throws SchemaException, ConfigurationException {
        return (ExpressionProfile) Objects.requireNonNullElse(determineExpressionProfileOrNull(prismObject, operationResult), ExpressionProfile.full());
    }

    @Nullable
    private <O extends ObjectType> ExpressionProfile determineExpressionProfileOrNull(@NotNull PrismObject<O> prismObject, @NotNull OperationResult operationResult) throws SchemaException, ConfigurationException {
        Preconditions.checkNotNull(prismObject, "Object is null");
        String determineExpressionProfileId = determineExpressionProfileId(prismObject, operationResult);
        if (determineExpressionProfileId != null) {
            return this.systemObjectCache.getExpressionProfile(determineExpressionProfileId, operationResult);
        }
        return null;
    }

    @Nullable
    private <O extends ObjectType> String determineExpressionProfileId(@NotNull PrismObject<O> prismObject, @NotNull OperationResult operationResult) throws SchemaException, ConfigurationException {
        O asObjectable = prismObject.asObjectable();
        List<ArchetypeType> determineArchetypes = this.archetypeManager.determineArchetypes(asObjectable, operationResult);
        HashSet hashSet = new HashSet();
        Iterator<ArchetypeType> it = determineArchetypes.iterator();
        while (it.hasNext()) {
            ArchetypePolicyType policyForArchetype = this.archetypeManager.getPolicyForArchetype(it.next(), operationResult);
            String expressionProfile = policyForArchetype != null ? policyForArchetype.getExpressionProfile() : null;
            if (expressionProfile != null) {
                hashSet.add(expressionProfile);
            }
        }
        if (hashSet.size() > 1) {
            throw new ConfigurationException("Multiple expression profile IDs for %s: %s".formatted(prismObject, hashSet));
        }
        if (hashSet.size() == 1) {
            return (String) hashSet.iterator().next();
        }
        ObjectPolicyConfigurationType determineObjectPolicyConfiguration = this.archetypeManager.determineObjectPolicyConfiguration(asObjectable, operationResult);
        if (determineObjectPolicyConfiguration != null) {
            return determineObjectPolicyConfiguration.getExpressionProfile();
        }
        return null;
    }

    @NotNull
    public ExpressionProfile determineExpressionProfileStrict(@NotNull ConfigurationItemOrigin configurationItemOrigin, @NotNull Task task, @NotNull OperationResult operationResult) throws SchemaException, ConfigurationException, ExpressionEvaluationException, CommunicationException, SecurityViolationException, ObjectNotFoundException {
        return configurationItemOrigin instanceof ConfigurationItemOrigin.External ? determineExpressionProfileForChannel(((ConfigurationItemOrigin.External) configurationItemOrigin).getChannelUri(), task, operationResult) : determineExpressionProfileCommon(configurationItemOrigin, operationResult);
    }

    @NotNull
    public ExpressionProfile determineExpressionProfileUnsafe(@NotNull ConfigurationItemOrigin configurationItemOrigin, @NotNull OperationResult operationResult) throws SchemaException, ConfigurationException {
        if (!(configurationItemOrigin instanceof ConfigurationItemOrigin.Undetermined)) {
            return configurationItemOrigin instanceof ConfigurationItemOrigin.External ? ExpressionProfile.full() : determineExpressionProfileCommon(configurationItemOrigin, operationResult);
        }
        MiscUtil.stateCheck(!((ConfigurationItemOrigin.Undetermined) configurationItemOrigin).isSafe(), "Safe undetermined origin cannot be used to derive expression profile", new Object[0]);
        return ExpressionProfile.full();
    }

    @NotNull
    private ExpressionProfile determineExpressionProfileCommon(@NotNull ConfigurationItemOrigin configurationItemOrigin, @NotNull OperationResult operationResult) throws SchemaException, ConfigurationException {
        if (configurationItemOrigin instanceof ConfigurationItemOrigin.InObject) {
            return determineExpressionProfile(((ConfigurationItemOrigin.InObject) configurationItemOrigin).getOriginatingPrismObject(), operationResult);
        }
        if (configurationItemOrigin instanceof ConfigurationItemOrigin.InDelta) {
            return determineExpressionProfile(((ConfigurationItemOrigin.InDelta) configurationItemOrigin).getTargetPrismObject(), operationResult);
        }
        if (configurationItemOrigin instanceof ConfigurationItemOrigin.Generated) {
            return ExpressionProfile.full();
        }
        if (configurationItemOrigin instanceof ConfigurationItemOrigin.Undetermined) {
            throw new IllegalStateException("Undetermined origin for expression profile is not supported");
        }
        if (configurationItemOrigin instanceof ConfigurationItemOrigin.External) {
            throw new IllegalStateException("'External' origin for expression profile is not supported");
        }
        throw new AssertionError(configurationItemOrigin);
    }

    @NotNull
    private ExpressionProfile determineExpressionProfileForChannel(@NotNull String str, @NotNull Task task, @NotNull OperationResult operationResult) throws SchemaException, ExpressionEvaluationException, CommunicationException, SecurityViolationException, ConfigurationException, ObjectNotFoundException {
        if (SchemaConstants.CHANNEL_INIT_URI.equals(str) || SchemaConstants.CHANNEL_REST_URI.equals(str) || SchemaConstants.CHANNEL_USER_URI.equals(str)) {
            return this.securityEnforcer.isAuthorizedAll(task, operationResult) ? ExpressionProfile.full() : ExpressionProfile.none();
        }
        throw new UnsupportedOperationException("The expression profile cannot be determined for channel: " + str);
    }

    @NotNull
    public ExpressionProfile determineBulkActionsProfile(@NotNull ConfigurationItemOrigin configurationItemOrigin, boolean z, @NotNull Task task, @NotNull OperationResult operationResult) throws SchemaException, ConfigurationException, ExpressionEvaluationException, CommunicationException, SecurityViolationException, ObjectNotFoundException {
        ExpressionProfile expressionProfile;
        if (configurationItemOrigin instanceof ConfigurationItemOrigin.InObject) {
            expressionProfile = determineExpressionProfileOrNull(((ConfigurationItemOrigin.InObject) configurationItemOrigin).getOriginatingPrismObject(), operationResult);
        } else if (configurationItemOrigin instanceof ConfigurationItemOrigin.InDelta) {
            expressionProfile = determineExpressionProfileOrNull(((ConfigurationItemOrigin.InDelta) configurationItemOrigin).getTargetPrismObject(), operationResult);
        } else if (configurationItemOrigin instanceof ConfigurationItemOrigin.Generated) {
            expressionProfile = ExpressionProfile.full();
        } else {
            if (configurationItemOrigin instanceof ConfigurationItemOrigin.Undetermined) {
                throw new UnsupportedOperationException("Undetermined origin for bulk actions is not supported");
            }
            if (!(configurationItemOrigin instanceof ConfigurationItemOrigin.External)) {
                throw new AssertionError(configurationItemOrigin);
            }
            expressionProfile = null;
        }
        return expressionProfile != null ? expressionProfile : (z || this.securityEnforcer.isAuthorizedAll(task, operationResult)) ? getPrivilegedBulkActionsProfile(operationResult) : getUnprivilegedBulkActionsProfile(operationResult);
    }

    @NotNull
    private ExpressionProfile getPrivilegedBulkActionsProfile(@NotNull OperationResult operationResult) throws SchemaException, ConfigurationException {
        DefaultExpressionProfilesConfigurationType defaults = getDefaults(operationResult);
        String privilegedBulkActions = defaults != null ? defaults.getPrivilegedBulkActions() : null;
        return privilegedBulkActions != null ? this.systemObjectCache.getExpressionProfile(privilegedBulkActions, operationResult) : ExpressionProfile.full();
    }

    @NotNull
    private ExpressionProfile getUnprivilegedBulkActionsProfile(@NotNull OperationResult operationResult) throws SchemaException, ConfigurationException {
        DefaultExpressionProfilesConfigurationType defaults = getDefaults(operationResult);
        String bulkActions = defaults != null ? defaults.getBulkActions() : null;
        return bulkActions != null ? this.systemObjectCache.getExpressionProfile(bulkActions, operationResult) : ExpressionProfile.legacyUnprivilegedBulkActions();
    }

    private DefaultExpressionProfilesConfigurationType getDefaults(@NotNull OperationResult operationResult) throws SchemaException {
        SystemConfigurationType systemConfigurationBean = this.systemObjectCache.getSystemConfigurationBean(operationResult);
        SystemConfigurationExpressionsType expressions = systemConfigurationBean != null ? systemConfigurationBean.getExpressions() : null;
        if (expressions != null) {
            return expressions.getDefaults();
        }
        return null;
    }

    @NotNull
    public ExpressionProfile getProfileForCustomWorkflowNotifications(OperationResult operationResult) throws SchemaException, ConfigurationException {
        DefaultExpressionProfilesConfigurationType defaults = getDefaults(operationResult);
        String customWorkflowNotifications = defaults != null ? defaults.getCustomWorkflowNotifications() : null;
        return customWorkflowNotifications != null ? this.systemObjectCache.getExpressionProfile(customWorkflowNotifications, operationResult) : ExpressionProfile.legacyUnprivilegedBulkActions();
    }
}
