package com.evolveum.midpoint.security.enforcer.api;

import com.evolveum.midpoint.prism.Containerable;
import com.evolveum.midpoint.prism.PrismContainerValue;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.PrismObjectValue;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.prism.query.ObjectFilter;
import com.evolveum.midpoint.schema.AccessDecision;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.selector.eval.OwnerResolver;
import com.evolveum.midpoint.security.api.Authorization;
import com.evolveum.midpoint.security.api.AuthorizationConstants;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.security.enforcer.api.PrismEntityOpConstraints;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractRoleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OrderConstraintsType;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.function.Consumer;
import org.jetbrains.annotations.Contract;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

/* loaded from: input_file:BOOT-INF/lib/security-enforcer-api-4.8.7-SNAPSHOT.jar:com/evolveum/midpoint/security/enforcer/api/SecurityEnforcer.class */
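/**
 * Authorization enforcement entry point: decides whether a principal may perform an
 * operation (identified by an action URL) and compiles per-object / per-item security
 * constraints and query filters.
 *
 * <p>{@link #decideAccess(MidPointPrincipal, String, AuthorizationPhaseType,
 * AbstractAuthorizationParameters, Options, Task, OperationResult)} is the authoritative
 * decision; the {@code isAuthorized*}, {@code authorize*} and collection-based
 * {@code decideAccess} methods are default conveniences layered on top of it, and
 * {@link #hasAnyAllowAuthorization(List, AuthorizationPhaseType)} is only a coarse
 * pre-check (see its documentation).
 *
 * <p>Note on the decompiled origin: {@code Options} was emitted by the decompiler as a class
 * explicitly extending {@code java.lang.Record} with {@code ObjectMethods.bootstrap} bodies,
 * which is not valid Java source; it is restored here as a genuine {@code record} with the same
 * components, accessors, constructor and value semantics.
 */
public interface SecurityEnforcer {

    /**
     * Sink for diagnostic output produced while an authorization decision is being evaluated.
     * Supplied through {@link Options#withLogCollector(LogCollector)}.
     */
    public interface LogCollector {

        /**
         * Receives one line of diagnostic output.
         *
         * @param str the message text
         */
        void log(String str);

        /**
         * @return whether object-selector evaluation should produce trace output
         *         (what exactly is traced is decided by the enforcer implementation — not visible here)
         */
        boolean isSelectorTracingEnabled();
    }

    /**
     * Immutable options for a single enforcement call.
     *
     * <p>All {@code with*} methods return a new instance; the receiver is never modified.
     *
     * @param customOwnerResolver resolver used for owner-based selectors, or {@code null} to use the default
     * @param logCollector        optional sink for diagnostic output, or {@code null}
     * @param applicableAutzConsumer optional callback invoked with each authorization found applicable
     *                               (when and how often it is called is up to the implementation — not visible here)
     * @param failOnNoAccess      {@code true} (the {@link #create()} default) unless
     *                            {@link #withNoFailOnNoAccess()} was applied; how the enforcer
     *                            reacts to {@code false} is implementation-defined — presumably it
     *                            reports the decision instead of failing; verify against the implementation
     */
    public record Options(
            @Nullable OwnerResolver customOwnerResolver,
            @Nullable LogCollector logCollector,
            @Nullable Consumer<Authorization> applicableAutzConsumer,
            boolean failOnNoAccess) {

        /**
         * @return the default options: no custom owner resolver, no log collector, no consumer,
         *         and {@code failOnNoAccess == true}
         */
        public static Options create() {
            return new Options(null, null, null, true);
        }

        /** @return a copy with the given owner resolver, other options unchanged */
        @NotNull
        public Options withCustomOwnerResolver(OwnerResolver ownerResolver) {
            return new Options(ownerResolver, logCollector, applicableAutzConsumer, failOnNoAccess);
        }

        /** @return a copy with the given log collector, other options unchanged */
        @NotNull
        public Options withLogCollector(LogCollector logCollector) {
            return new Options(customOwnerResolver, logCollector, applicableAutzConsumer, failOnNoAccess);
        }

        /** @return a copy with the given applicable-authorization consumer, other options unchanged */
        @NotNull
        public Options withApplicableAutzConsumer(Consumer<Authorization> consumer) {
            return new Options(customOwnerResolver, logCollector, consumer, failOnNoAccess);
        }

        /** @return a copy with {@code failOnNoAccess} cleared, other options unchanged */
        @NotNull
        public Options withNoFailOnNoAccess() {
            return new Options(customOwnerResolver, logCollector, applicableAutzConsumer, false);
        }
    }

    /**
     * Decides whether {@code midPointPrincipal} may perform the operation {@code str}.
     * This is the single authoritative decision method; every other decision/authorization
     * method in this interface delegates to it (directly or indirectly).
     *
     * @param midPointPrincipal the principal, or {@code null} (how an anonymous principal is
     *                          treated is implementation-defined)
     * @param str               the action URL being checked
     * @param authorizationPhaseType the authorization phase, or {@code null}
     * @param abstractAuthorizationParameters the object/target context of the operation
     * @param options           per-call options, see {@link Options}
     * @param task              the current task
     * @param operationResult   the operation result to record into
     * @return the decision; never {@code null}
     * @throws SecurityViolationException if the implementation chooses to fail rather than return a decision
     */
    @NotNull
    AccessDecision decideAccess(@Nullable MidPointPrincipal midPointPrincipal, @NotNull String str, @Nullable AuthorizationPhaseType authorizationPhaseType, @NotNull AbstractAuthorizationParameters abstractAuthorizationParameters, @NotNull Options options, @NotNull Task task, @NotNull OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException;

    /**
     * Returns whether the current principal ({@link #getMidPointPrincipal()}) is allowed
     * to perform the operation {@code str}.
     *
     * <p>Only an explicit {@link AccessDecision#ALLOW} counts as authorized; both
     * {@code DENY} and {@code DEFAULT} (no matching authorization) yield {@code false},
     * so the absence of an authorization is treated as a denial.
     */
    default boolean isAuthorized(@NotNull String str, @Nullable AuthorizationPhaseType authorizationPhaseType, @NotNull AbstractAuthorizationParameters abstractAuthorizationParameters, @NotNull Options options, @NotNull Task task, @NotNull OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        AccessDecision decision = decideAccess(getMidPointPrincipal(), str, authorizationPhaseType, abstractAuthorizationParameters, options, task, operationResult);
        return decision == AccessDecision.ALLOW;
    }

    /**
     * Returns whether the current principal holds the "all" authorization
     * ({@link AuthorizationConstants#AUTZ_ALL_URL}), checked without a phase, with empty
     * parameters and default {@link Options}.
     */
    default boolean isAuthorizedAll(@NotNull Task task, @NotNull OperationResult operationResult) throws SchemaException, ExpressionEvaluationException, CommunicationException, SecurityViolationException, ConfigurationException, ObjectNotFoundException {
        return isAuthorized(AuthorizationConstants.AUTZ_ALL_URL, null, AuthorizationParameters.EMPTY, Options.create(), task, operationResult);
    }

    /**
     * Returns whether the current principal holds at least one <em>allow</em> authorization
     * matching the given phase and any of the given action URLs.
     *
     * <p>This is a coarse pre-check, not an access decision: it looks only at the
     * authorization's allow/deny flag, phase and action list. It does not consider
     * deny authorizations and does not evaluate the authorization against any object,
     * so a {@code true} result must not be used as a substitute for
     * {@link #decideAccess} on a concrete target.
     *
     * @param list                   action URLs; a match on any of them suffices
     * @param authorizationPhaseType the phase to match, or {@code null}
     */
    default boolean hasAnyAllowAuthorization(@NotNull List<String> list, @Nullable AuthorizationPhaseType authorizationPhaseType) {
        for (Authorization authorization : SecurityEnforcerUtil.getAuthorizations(getMidPointPrincipal())) {
            if (authorization.isAllow()
                    && authorization.matchesPhase(authorizationPhaseType)
                    && authorization.matchesAnyAction(list)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Decides access for a set of action URLs, each evaluated independently with no phase
     * and default {@link Options}, and combines the results conservatively:
     * <ul>
     *   <li>any {@code DENY} short-circuits and the result is {@code DENY};</li>
     *   <li>otherwise the result is {@code ALLOW} if at least one URL was allowed;</li>
     *   <li>otherwise (including an empty collection) the result is {@code DEFAULT}.</li>
     * </ul>
     *
     * @param midPointPrincipal the principal, or {@code null}
     * @param collection        the action URLs to evaluate
     * @return the combined decision; never {@code null}
     */
    @NotNull
    default <O extends ObjectType, T extends ObjectType> AccessDecision decideAccess(@Nullable MidPointPrincipal midPointPrincipal, @NotNull Collection<String> collection, @NotNull AuthorizationParameters<O, T> authorizationParameters, @NotNull Task task, @NotNull OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        AccessDecision combined = AccessDecision.DEFAULT;
        // Options is an immutable record, so one instance can serve every iteration.
        Options options = Options.create();
        for (String actionUrl : collection) {
            AccessDecision decision = decideAccess(midPointPrincipal, actionUrl, null, authorizationParameters, options, task, operationResult);
            if (decision == AccessDecision.DENY) {
                return AccessDecision.DENY; // deny wins over any earlier allow
            }
            if (decision == AccessDecision.ALLOW) {
                combined = AccessDecision.ALLOW;
            }
            // DEFAULT leaves the combined decision as it is
        }
        return combined;
    }

    /**
     * Same as {@link #decideAccess(MidPointPrincipal, Collection, AuthorizationParameters, Task, OperationResult)}
     * with empty authorization parameters.
     */
    @NotNull
    default AccessDecision decideAccess(@Nullable MidPointPrincipal midPointPrincipal, @NotNull Collection<String> collection, @NotNull Task task, @NotNull OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        return decideAccess(midPointPrincipal, collection, AuthorizationParameters.EMPTY, task, operationResult);
    }

    /**
     * Enforces that the current principal may perform the operation {@code str}: returns
     * normally when {@link #isAuthorized} is {@code true}, otherwise delegates to
     * {@link #failAuthorization}, which is contracted never to return normally.
     *
     * @throws SecurityViolationException if the principal is not authorized
     */
    default void authorize(@NotNull String str, @Nullable AuthorizationPhaseType authorizationPhaseType, @NotNull AbstractAuthorizationParameters abstractAuthorizationParameters, @NotNull Options options, @NotNull Task task, @NotNull OperationResult operationResult) throws SecurityViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
        if (!isAuthorized(str, authorizationPhaseType, abstractAuthorizationParameters, options, task, operationResult)) {
            failAuthorization(str, authorizationPhaseType, abstractAuthorizationParameters, operationResult);
        }
    }

    /** {@link #authorize} with default {@link Options}. */
    default void authorize(@NotNull String str, @Nullable AuthorizationPhaseType authorizationPhaseType, @NotNull AbstractAuthorizationParameters abstractAuthorizationParameters, @NotNull Task task, @NotNull OperationResult operationResult) throws SecurityViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
        authorize(str, authorizationPhaseType, abstractAuthorizationParameters, Options.create(), task, operationResult);
    }

    /** {@link #authorize} with no phase, empty parameters and default {@link Options}. */
    default void authorize(@NotNull String str, @NotNull Task task, @NotNull OperationResult operationResult) throws SecurityViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
        authorize(str, null, AuthorizationParameters.EMPTY, task, operationResult);
    }

    /** Enforces the "all" authorization ({@link AuthorizationConstants#AUTZ_ALL_URL}). */
    default void authorizeAll(Task task, OperationResult operationResult) throws CommunicationException, ObjectNotFoundException, SchemaException, SecurityViolationException, ConfigurationException, ExpressionEvaluationException {
        authorize(AuthorizationConstants.AUTZ_ALL_URL, task, operationResult);
    }

    /**
     * Reports a failed authorization for the operation {@code str}. Contracted to always
     * fail (throw); callers rely on it never returning normally.
     *
     * @throws SecurityViolationException always
     */
    @Contract("_, _, _, _ -> fail")
    void failAuthorization(String str, AuthorizationPhaseType authorizationPhaseType, AbstractAuthorizationParameters abstractAuthorizationParameters, OperationResult operationResult) throws SecurityViolationException;

    /**
     * @return the current principal, or {@code null} if there is none
     */
    @Nullable
    MidPointPrincipal getMidPointPrincipal();

    /**
     * Compiles the security constraints applicable to the given object for the current principal.
     *
     * @param prismObject the object the constraints are compiled for
     * @param z           boolean flag whose meaning is not visible here — presumably "full information"
     *                    or similar; verify against the implementation
     * @return the compiled constraints; never {@code null}
     */
    @NotNull
    <O extends ObjectType> ObjectSecurityConstraints compileSecurityConstraints(@NotNull PrismObject<O> prismObject, boolean z, @NotNull Options options, @NotNull Task task, @NotNull OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException;

    /**
     * Compiles per-value operation constraints for the given object value.
     *
     * @param strArr the action URLs the constraints are compiled for (inferred from the name — confirm)
     */
    PrismEntityOpConstraints.ForValueContent compileOperationConstraints(@Nullable MidPointPrincipal midPointPrincipal, @NotNull PrismObjectValue<?> prismObjectValue, @Nullable AuthorizationPhaseType authorizationPhaseType, @NotNull String[] strArr, @NotNull Options options, @NotNull CompileConstraintsOptions compileConstraintsOptions, @NotNull Task task, @NotNull OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException;

    /**
     * Pre-processes a search filter for {@code cls} so that it is restricted to what the
     * principal is authorized to see.
     *
     * @param strArr       the action URLs (inferred from the name — confirm)
     * @param cls          the searched object type
     * @param objectFilter the original filter, or {@code null}
     * @param str          string argument whose meaning is not visible here — confirm against the implementation
     * @return the restricted filter, or {@code null} (the meaning of {@code null} is implementation-defined)
     */
    @Nullable
    <T> ObjectFilter preProcessObjectFilter(@Nullable MidPointPrincipal midPointPrincipal, @NotNull String[] strArr, @Nullable AuthorizationPhaseType authorizationPhaseType, @NotNull Class<T> cls, @Nullable ObjectFilter objectFilter, @Nullable String str, @NotNull List<OrderConstraintsType> list, @NotNull Options options, @NotNull Task task, @NotNull OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException;

    /**
     * Computes a security filter of type {@code F} for targets of type {@code cls} relative to
     * the given object, using {@code filterGizmo} to build the filter representation.
     */
    <T extends ObjectType, O extends ObjectType, F> F computeTargetSecurityFilter(MidPointPrincipal midPointPrincipal, String[] strArr, AuthorizationPhaseType authorizationPhaseType, Class<T> cls, @NotNull PrismObject<O> prismObject, ObjectFilter objectFilter, String str, List<OrderConstraintsType> list, FilterGizmo<F> filterGizmo, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException;

    /**
     * Returns the assignment items the principal may request on {@code prismObject} for the
     * role {@code prismObject2}.
     *
     * @param str string argument whose meaning is not visible here — confirm against the implementation
     */
    <O extends ObjectType, R extends AbstractRoleType> ItemSecurityConstraints getAllowedRequestAssignmentItems(MidPointPrincipal midPointPrincipal, String str, PrismObject<O> prismObject, PrismObject<R> prismObject2, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException;

    /**
     * Creates a principal for the donor focus {@code prismObject} (power-of-attorney style
     * delegation, inferred from the name — confirm). Because the result is a principal the
     * caller may act as, implementations are expected to authorize the attorney
     * {@code midPointPrincipal} first; that check is not visible here.
     */
    <F extends FocusType> MidPointPrincipal createDonorPrincipal(MidPointPrincipal midPointPrincipal, String str, PrismObject<F> prismObject, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException;

    /**
     * Decides access to the item at {@code itemPath} changed by {@code objectDelta}, using
     * already compiled constraints. Declares no checked exceptions.
     *
     * @param prismObject the object the delta applies to (nullability not declared)
     */
    <O extends ObjectType> AccessDecision determineItemDecision(@NotNull ObjectSecurityConstraints objectSecurityConstraints, @NotNull ObjectDelta<O> objectDelta, PrismObject<O> prismObject, @NotNull String str, @NotNull AuthorizationPhaseType authorizationPhaseType, @NotNull ItemPath itemPath);

    /**
     * Decides access to a single container value, using already compiled constraints.
     * Declares no checked exceptions.
     *
     * @param z    boolean flag whose meaning is not visible here — confirm against the implementation
     * @param str2 string argument whose meaning is not visible here — confirm against the implementation
     */
    <C extends Containerable> AccessDecision determineItemValueDecision(@NotNull ObjectSecurityConstraints objectSecurityConstraints, @NotNull PrismContainerValue<C> prismContainerValue, @NotNull String str, @NotNull AuthorizationPhaseType authorizationPhaseType, boolean z, @NotNull String str2);
}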
