package com.evolveum.midpoint.security.enforcer.impl;

import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.prism.query.ObjectFilter;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.selector.spec.ValueSelector;
import com.evolveum.midpoint.schema.util.ObjectQueryUtil;
import com.evolveum.midpoint.security.api.Authorization;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.security.enforcer.api.FilterGizmo;
import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
import com.evolveum.midpoint.security.enforcer.impl.SecurityTraceEvent;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OrderConstraintsType;
import java.util.List;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:BOOT-INF/lib/security-enforcer-impl-4.8.7-SNAPSHOT.jar:com/evolveum/midpoint/security/enforcer/impl/EnforcerFilterOperation.class */
/**
 * Computes the security filter that restricts which objects of type {@code T} the current principal
 * may operate on (for the actions named by {@code operationUrls}), expressed as a filter of type
 * {@code F} built through the supplied {@link FilterGizmo}.
 *
 * <p>The result is assembled per "partial operation" (one {@link PhaseSelector} each, see
 * {@link #computeSecurityFilter}); within a partial operation every {@link Authorization} returned by
 * the inherited {@code getAuthorizations()} is evaluated and folded into an allow filter and a deny
 * filter. The final shape is {@code allow AND NOT deny}, and the outcome is <em>deny-all</em> whenever
 * nothing is allowed or the query touches items no authorization permits (default deny).
 *
 * <p>This listing is decompiler (JADX) output from {@code security-enforcer-impl-4.8.7-SNAPSHOT}; the
 * decompiler notes that several members were originally package-private and have been widened to
 * {@code public} here. {@code tracer} and {@code getAuthorizations()} come from the superclass
 * {@code EnforcerOperation} and are not visible in this file.
 *
 * @param <T> the object type the original query is about
 * @param <F> the filter representation produced by the gizmo
 */
public class EnforcerFilterOperation<T, F> extends EnforcerOperation {
    /** Prefix of partial-operation ids; the literal {@code "PART"} in {@link PartialOp} is presumably this constant inlined by the compiler. */
    private static final String PART_ID_PREFIX = "PART";

    /** Action URLs the caller wants to perform; authorizations must be applicable to these. */
    @NotNull
    private final String[] operationUrls;

    /** Type of objects the original query selects. */
    @NotNull
    final Class<T> filterType;

    /** Chooses whether an authorization's object selectors or its target selectors are used. */
    @NotNull
    final AuthorizationSelectorExtractor selectorExtractor;
    /** The caller's original (unrestricted) filter; its required items are checked against what authorizations allow. May be null. */
    final ObjectFilter origFilter;
    /** Passed to {@code isApplicableToLimitations}; semantics live in AuthorizationFilterEvaluation (not shown here). */
    private final String limitAuthorizationAction;
    /** Passed to {@code isApplicableToOrderConstraints}; may be null. */
    private final List<OrderConstraintsType> paramOrderConstraints;

    /** Builds, combines and simplifies filters of type {@code F}. */
    @NotNull
    private final FilterGizmo<F> gizmo;
    /** Human-readable description used for diagnostics. */
    private final String desc;

    /**
     * Strategy that decides which selectors of an {@link Authorization} apply to a filter operation,
     * and whether a given authorization is applicable at all.
     *
     * <p>Two variants exist: {@link #forObject()} uses the authorization's object selectors and is always
     * applicable; {@link #forTarget(PrismObject)} uses the authorization's target selectors and is
     * applicable only when the evaluation deems the authorization applicable to the given object.
     */
    /* loaded from: input_file:BOOT-INF/lib/security-enforcer-impl-4.8.7-SNAPSHOT.jar:com/evolveum/midpoint/security/enforcer/impl/EnforcerFilterOperation$AuthorizationSelectorExtractor.class */
    public static abstract class AuthorizationSelectorExtractor {

        /** Extractor for the common case: the authorization's object selectors govern the result, no extra applicability check. */
        /* loaded from: input_file:BOOT-INF/lib/security-enforcer-impl-4.8.7-SNAPSHOT.jar:com/evolveum/midpoint/security/enforcer/impl/EnforcerFilterOperation$AuthorizationSelectorExtractor$ForObject.class */
        static class ForObject extends AuthorizationSelectorExtractor {
            ForObject() {
            }

            /** @return the authorization's parsed object selectors */
            @Override // com.evolveum.midpoint.security.enforcer.impl.EnforcerFilterOperation.AuthorizationSelectorExtractor
            List<ValueSelector> getSelectors(Authorization authorization) throws ConfigurationException {
                return authorization.getParsedObjectSelectors();
            }

            @Override // com.evolveum.midpoint.security.enforcer.impl.EnforcerFilterOperation.AuthorizationSelectorExtractor
            String getSelectorLabel() {
                return "object";
            }

            /** Always applicable: object selectors are evaluated by the filter itself, not pre-filtered here. */
            @Override // com.evolveum.midpoint.security.enforcer.impl.EnforcerFilterOperation.AuthorizationSelectorExtractor
            boolean isAuthorizationApplicable(AuthorizationFilterEvaluation<?> authorizationFilterEvaluation) {
                return true;
            }

            public String toString() {
                return "object";
            }
        }

        /**
         * Extractor for operations relative to a concrete target object: the authorization's target selectors
         * govern the result, and an authorization only counts if it is applicable to {@code object}.
         */
        /* loaded from: input_file:BOOT-INF/lib/security-enforcer-impl-4.8.7-SNAPSHOT.jar:com/evolveum/midpoint/security/enforcer/impl/EnforcerFilterOperation$AuthorizationSelectorExtractor$ForTarget.class */
        static class ForTarget extends AuthorizationSelectorExtractor {

            /** The object the operation is performed on (the "object" in object/target terminology). */
            @NotNull
            private final PrismObject<? extends ObjectType> object;

            ForTarget(@NotNull PrismObject<? extends ObjectType> prismObject) {
                this.object = prismObject;
            }

            /** @return the authorization's parsed target selectors */
            @Override // com.evolveum.midpoint.security.enforcer.impl.EnforcerFilterOperation.AuthorizationSelectorExtractor
            List<ValueSelector> getSelectors(Authorization authorization) throws ConfigurationException {
                return authorization.getParsedTargetSelectors();
            }

            @Override // com.evolveum.midpoint.security.enforcer.impl.EnforcerFilterOperation.AuthorizationSelectorExtractor
            String getSelectorLabel() {
                return "target";
            }

            /**
             * Delegates to the evaluation's object applicability check for {@link #object}; this may evaluate
             * selectors and therefore can throw the full set of evaluation exceptions.
             */
            @Override // com.evolveum.midpoint.security.enforcer.impl.EnforcerFilterOperation.AuthorizationSelectorExtractor
            boolean isAuthorizationApplicable(AuthorizationFilterEvaluation<?> authorizationFilterEvaluation) throws SchemaException, ExpressionEvaluationException, CommunicationException, SecurityViolationException, ConfigurationException, ObjectNotFoundException {
                return authorizationFilterEvaluation.isApplicableToObject(this.object);
            }

            public String toString() {
                return "target for " + this.object;
            }
        }

        AuthorizationSelectorExtractor() {
        }

        /** @return extractor using object selectors (always applicable) */
        public static AuthorizationSelectorExtractor forObject() {
            return new ForObject();
        }

        /**
         * @param prismObject the object the operation is performed on
         * @return extractor using target selectors, applicable only to authorizations that match {@code prismObject}
         */
        public static AuthorizationSelectorExtractor forTarget(@NotNull PrismObject<? extends ObjectType> prismObject) {
            return new ForTarget(prismObject);
        }

        /** Selectors of {@code authorization} relevant to this kind of operation. */
        abstract List<ValueSelector> getSelectors(Authorization authorization) throws ConfigurationException;

        /** Short label ("object"/"target") used in the evaluation and its traces. */
        abstract String getSelectorLabel();

        /** Whether the authorization behind {@code authorizationFilterEvaluation} should be considered at all. */
        abstract boolean isAuthorizationApplicable(AuthorizationFilterEvaluation<?> authorizationFilterEvaluation) throws SchemaException, ExpressionEvaluationException, CommunicationException, SecurityViolationException, ConfigurationException, ObjectNotFoundException;
    }

    /**
     * Filter computation for one {@link PhaseSelector}. Non-static on purpose: it reads the enclosing
     * operation's authorizations, gizmo, URLs and original filter. A fresh instance is created per call in
     * {@link #computeSecurityFilter}, so the allow/deny accumulators are never shared.
     */
    /* loaded from: input_file:BOOT-INF/lib/security-enforcer-impl-4.8.7-SNAPSHOT.jar:com/evolveum/midpoint/security/enforcer/impl/EnforcerFilterOperation$PartialOp.class */
    class PartialOp {

        /** Diagnostic id: {@code "PART"} followed by the phase selector symbol. */
        @NotNull
        private final String id;

        /** Which authorization phase(s) this partial operation considers. */
        @NotNull
        private final PhaseSelector phaseSelector;

        /** Items required by the original filter vs. items allowed by the applicable allow authorizations. */
        @NotNull
        private final QueryAutzItemPaths queryItemsSpec = new QueryAutzItemPaths();
        /** OR of all applicable allow authorizations' filters; null until the first one is added. */
        private F securityFilterAllow = null;
        /** OR of all applicable deny authorizations' filters (without item specification); null if none. */
        private F securityFilterDeny = null;

        PartialOp(@NotNull PhaseSelector phaseSelector) {
            this.id = "PART" + phaseSelector.getSymbol();
            this.phaseSelector = phaseSelector;
        }

        @NotNull
        public EnforcerFilterOperation<T, F> getEnforcerFilterOperation() {
            return EnforcerFilterOperation.this;
        }

        /**
         * Folds every authorization of the principal into the security filter for this phase.
         *
         * <p>Algorithm, in order:
         * <ol>
         *   <li>Record the items the original filter requires.</li>
         *   <li>For each authorization build an {@link AuthorizationFilterEvaluation}; skip it (tracing
         *       "not applicable") unless it is applicable to the actions, limitations, phase, order
         *       constraints and the selector extractor. These checks short-circuit, so later checks
         *       (including {@code isAuthorizationApplicable}) are not run once one fails.</li>
         *   <li>If the evaluation yields a filter: an <em>allow</em> is OR-ed into the allow filter and its
         *       items are collected unless the filter is "none"; a <em>deny</em> with an item specification
         *       is not reflected in the filter at all; a <em>deny</em> that adopts to "all" ends the
         *       computation with deny-all immediately; any other deny is OR-ed into the deny filter.</li>
         *   <li>If the original filter requires items no allow authorization permits: deny-all.</li>
         *   <li>If nothing was allowed: deny-all (default deny).</li>
         *   <li>Otherwise {@code allow}, or {@code allow AND NOT deny} when denies were collected.</li>
         * </ol>
         *
         * @param operationResult result to record evaluation into
         * @return the filter of type {@code F}; never null (deny-all is an explicit filter from the gizmo)
         * @throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException,
         *         ConfigurationException, SecurityViolationException propagated from selector evaluation
         */
        private F computeFilter(OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
            this.queryItemsSpec.addRequiredItems(EnforcerFilterOperation.this.origFilter);
            tracePartialOperationStarted();
            // i is the 0-based index of the authorization, used only for identification in the evaluation.
            int i = 0;
            for (Authorization authorization : EnforcerFilterOperation.this.getAuthorizations()) {
                int i2 = i;
                i++;
                AuthorizationFilterEvaluation<?> authorizationFilterEvaluation = new AuthorizationFilterEvaluation<>(i2, EnforcerFilterOperation.this.filterType, EnforcerFilterOperation.this.origFilter, authorization, EnforcerFilterOperation.this.selectorExtractor.getSelectors(authorization), EnforcerFilterOperation.this.selectorExtractor.getSelectorLabel(), EnforcerFilterOperation.this, operationResult);
                authorizationFilterEvaluation.traceStart();
                // Applicability gates; evaluation order matters because of short-circuiting and tracing.
                if (!authorizationFilterEvaluation.isApplicableToActions(EnforcerFilterOperation.this.operationUrls) || !authorizationFilterEvaluation.isApplicableToLimitations(EnforcerFilterOperation.this.limitAuthorizationAction, EnforcerFilterOperation.this.operationUrls) || !authorizationFilterEvaluation.isApplicableToPhase(this.phaseSelector) || !authorizationFilterEvaluation.isApplicableToOrderConstraints(EnforcerFilterOperation.this.paramOrderConstraints) || !EnforcerFilterOperation.this.selectorExtractor.isAuthorizationApplicable(authorizationFilterEvaluation)) {
                    authorizationFilterEvaluation.traceEndNotApplicable();
                } else if (authorizationFilterEvaluation.computeFilter()) {
                    // Adopt the simplified per-authorization filter into the gizmo's representation.
                    F adopt = EnforcerFilterOperation.this.gizmo.adopt(ObjectQueryUtil.simplify(authorizationFilterEvaluation.getAutzFilter()), authorization);
                    if (authorization.isAllow()) {
                        this.securityFilterAllow = EnforcerFilterOperation.this.gizmo.or(this.securityFilterAllow, adopt);
                        // A "none" filter allows no objects, so its item specification must not satisfy required items.
                        if (!EnforcerFilterOperation.this.gizmo.isNone(adopt)) {
                            this.queryItemsSpec.collectItems(authorization);
                        }
                    } else if (authorization.hasItemSpecification()) {
                        // Deny limited to specific items does not narrow the object filter here;
                        // presumably enforced at item level elsewhere — confirm against the enforcer.
                        continue;
                    } else {
                        // Deny of everything matched: no allow can override it, so the outcome is fixed.
                        if (EnforcerFilterOperation.this.gizmo.isAll(adopt)) {
                            F createDenyAll = EnforcerFilterOperation.this.gizmo.createDenyAll();
                            tracePartialOperationFinished(createDenyAll, "deny all");
                            return createDenyAll;
                        }
                        this.securityFilterDeny = EnforcerFilterOperation.this.gizmo.or(this.securityFilterDeny, adopt);
                    }
                } else {
                    // Evaluation produced no filter for this authorization; nothing to fold in.
                    continue;
                }
            }
            // Required items not covered by any allow authorization => the query must be denied wholesale.
            List<ItemPath> evaluateUnsatisfiedItems = this.queryItemsSpec.evaluateUnsatisfiedItems();
            if (!evaluateUnsatisfiedItems.isEmpty()) {
                F createDenyAll2 = EnforcerFilterOperation.this.gizmo.createDenyAll();
                tracePartialOperationFinished(createDenyAll2, "deny because items " + evaluateUnsatisfiedItems + " are not allowed");
                return createDenyAll2;
            }
            this.securityFilterAllow = EnforcerFilterOperation.this.gizmo.simplify(this.securityFilterAllow);
            // Default deny: with no applicable allow authorization the result is an explicit deny-all.
            if (this.securityFilterAllow == null) {
                F createDenyAll3 = EnforcerFilterOperation.this.gizmo.createDenyAll();
                tracePartialOperationFinished(createDenyAll3, "nothing allowed => default is deny");
                return createDenyAll3;
            }
            if (this.securityFilterDeny == null) {
                tracePartialOperationFinished(this.securityFilterAllow, "nothing denied, something allowed");
                return this.securityFilterAllow;
            }
            // Denies take precedence over allows within the allowed set: allow AND NOT deny.
            F f = (F) EnforcerFilterOperation.this.gizmo.and(this.securityFilterAllow, EnforcerFilterOperation.this.gizmo.not(this.securityFilterDeny));
            tracePartialOperationFinished(f, "allow with deny clauses");
            return f;
        }

        /** Emits the start trace event (only when the inherited tracer is enabled). */
        private void tracePartialOperationStarted() {
            if (EnforcerFilterOperation.this.tracer.isEnabled()) {
                EnforcerFilterOperation.this.tracer.trace(new SecurityTraceEvent.PartialFilterOperationStarted(this, this.phaseSelector, this.queryItemsSpec.shortDump()));
            }
        }

        /**
         * Emits the finish trace event (only when the inherited tracer is enabled).
         *
         * @param f the resulting filter
         * @param str short reason describing how the result was reached
         */
        private void tracePartialOperationFinished(F f, String str) {
            if (EnforcerFilterOperation.this.tracer.isEnabled()) {
                EnforcerFilterOperation.this.tracer.trace(new SecurityTraceEvent.PartialFilterOperationFinished(this, this.phaseSelector, f, str, new Object[0]));
            }
        }

        @NotNull
        public QueryAutzItemPaths getQueryItemsSpec() {
            return this.queryItemsSpec;
        }

        /** @return accumulated allow filter; null if no allow authorization contributed (yet) */
        public F getSecurityFilterAllow() {
            return this.securityFilterAllow;
        }

        /** @return accumulated deny filter; null if no deny authorization contributed (yet) */
        public F getSecurityFilterDeny() {
            return this.securityFilterDeny;
        }

        @NotNull
        public String getId() {
            return this.id;
        }
    }

    /**
     * @param strArr action URLs being authorized
     * @param cls type of objects the query selects
     * @param authorizationSelectorExtractor object- or target-selector strategy
     * @param objectFilter the caller's original filter (may be null)
     * @param str limit-authorization action, passed through to the evaluation
     * @param list order constraints, passed through to the evaluation (may be null)
     * @param filterGizmo builder/combiner for filters of type {@code F}
     * @param str2 description for diagnostics
     * @param midPointPrincipal principal whose authorizations are evaluated; null means anonymous/none (handled by the superclass)
     * @param options enforcer options, passed to the superclass
     * @param beans component beans, passed to the superclass
     * @param task task context, passed to the superclass
     */
    public EnforcerFilterOperation(@NotNull String[] strArr, @NotNull Class<T> cls, @NotNull AuthorizationSelectorExtractor authorizationSelectorExtractor, ObjectFilter objectFilter, String str, List<OrderConstraintsType> list, @NotNull FilterGizmo<F> filterGizmo, String str2, @Nullable MidPointPrincipal midPointPrincipal, @NotNull SecurityEnforcer.Options options, @NotNull Beans beans, @NotNull Task task) {
        super(midPointPrincipal, options, beans, task);
        this.operationUrls = strArr;
        this.filterType = cls;
        this.selectorExtractor = authorizationSelectorExtractor;
        this.origFilter = objectFilter;
        this.limitAuthorizationAction = str;
        this.paramOrderConstraints = list;
        this.gizmo = filterGizmo;
        this.desc = str2;
    }

    /**
     * Computes the security filter for the given phase.
     *
     * <p>With an explicit phase, a single partial operation using a non-strict selector for that phase is
     * run. With {@code null} (both phases), the result is
     * {@code both OR (strictRequest AND strictExecution)}: authorizations declared for both phases apply
     * directly, while phase-specific ones must be allowed in the request <em>and</em> the execution phase.
     * Each partial operation independently falls back to deny-all, so an absent authorization for either
     * strict phase denies that branch.
     *
     * @param authorizationPhaseType phase to evaluate, or null for both
     * @param operationResult result to record evaluation into
     * @return the combined security filter (never null; deny-all is explicit)
     */
    public F computeSecurityFilter(@Nullable AuthorizationPhaseType authorizationPhaseType, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        F or;
        traceOperationStart();
        if (authorizationPhaseType != null) {
            or = new PartialOp(PhaseSelector.nonStrict(authorizationPhaseType)).computeFilter(operationResult);
        } else {
            or = this.gizmo.or(new PartialOp(PhaseSelector.both()).computeFilter(operationResult), this.gizmo.and(new PartialOp(PhaseSelector.strict(AuthorizationPhaseType.REQUEST)).computeFilter(operationResult), new PartialOp(PhaseSelector.strict(AuthorizationPhaseType.EXECUTION)).computeFilter(operationResult)));
        }
        traceOperationEnd(or);
        return or;
    }

    /** @return the diagnostic description given at construction */
    public String getDesc() {
        return this.desc;
    }

    /**
     * Renders a filter for debug output via the gizmo.
     *
     * @param f filter to dump
     * @param i indentation level
     */
    public String debugDumpFilter(F f, int i) {
        return this.gizmo.debugDumpFilter(f, i);
    }

    /** Emits the operation-start trace event when the inherited tracer is enabled. */
    private void traceOperationStart() {
        if (this.tracer.isEnabled()) {
            this.tracer.trace(new SecurityTraceEvent.FilterOperationStarted(this));
        }
    }

    /** Emits the operation-finished trace event with the final filter when the inherited tracer is enabled. */
    private void traceOperationEnd(F f) {
        if (this.tracer.isEnabled()) {
            this.tracer.trace(new SecurityTraceEvent.FilterOperationFinished(this, f));
        }
    }
}
