package com.evolveum.midpoint.model.impl.lens;

import com.evolveum.midpoint.model.api.ModelAuthorizationAction;
import com.evolveum.midpoint.model.impl.ModelBeans;
import com.evolveum.midpoint.model.impl.ModelObjectResolver;
import com.evolveum.midpoint.model.impl.lens.LensContext;
import com.evolveum.midpoint.model.impl.util.ModelImplUtils;
import com.evolveum.midpoint.prism.Item;
import com.evolveum.midpoint.prism.PrismContainer;
import com.evolveum.midpoint.prism.PrismContainerValue;
import com.evolveum.midpoint.prism.PrismContext;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.PrismReferenceValue;
import com.evolveum.midpoint.prism.Referencable;
import com.evolveum.midpoint.prism.delta.ContainerDelta;
import com.evolveum.midpoint.prism.delta.ItemDelta;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.delta.PlusMinusZero;
import com.evolveum.midpoint.prism.path.ItemName;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.schema.AccessDecision;
import com.evolveum.midpoint.schema.RelationRegistry;
import com.evolveum.midpoint.schema.SchemaService;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.selector.eval.OwnerResolver;
import com.evolveum.midpoint.security.enforcer.api.AuthorizationParameters;
import com.evolveum.midpoint.security.enforcer.api.ObjectSecurityConstraints;
import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.util.MiscUtil;
import com.evolveum.midpoint.util.exception.AuthorizationException;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.NotHereAssertionError;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractRoleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentHolderType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationDecisionType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OrderConstraintsType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import javax.xml.namespace.QName;
import org.jetbrains.annotations.NotNull;

/* loaded from: input_file:BOOT-INF/lib/model-impl-4.8.7-SNAPSHOT.jar:com/evolveum/midpoint/model/impl/lens/ClockworkRequestAuthorizer.class */
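/**
 * Authorizes the *request* (the primary deltas) of a clockwork run, for the focus context and every
 * projection context, before the clockwork starts computing secondary changes.
 *
 * For each element context with a non-null primary delta the work is done on a clone of that delta
 * (the context's real delta is never mutated here) in this order:
 * <ol>
 *   <li>assignment / inducement changes of the focus are authorized value by value (ASSIGN / UNASSIGN,
 *       with DELEGATE as a fallback for delegation relations) and then stripped from the clone;</li>
 *   <li>credential changes are checked against the CHANGE_CREDENTIALS item decisions; allowed ones are
 *       stripped from the clone, explicit denials abort the request, undecided ones stay in the clone;</li>
 *   <li>whatever is left in the clone is authorized as a whole through the generic
 *       {@link SecurityEnforcer#authorize} with the delta's operation URL.</li>
 * </ol>
 * The phase is EXECUTION when the context is execution-phase-only, REQUEST otherwise. With
 * {@code fullInformationAvailable == false} the run is only preliminary: the context is marked
 * {@link LensContext.AuthorizationState#PRELIMINARY} and projections without an object are skipped.
 *
 * Note: this listing comes from a decompiled jar (see the {@code loaded from} header); synthetic
 * decompiler names ({@code m1348clone}, {@code mo1372clone}, raw/undeclared generics, {@code != 0}
 * on references) were normalized back to their obvious Java form. No behavior was changed.
 *
 * @param <F> focus object type of the lens context
 * @param <E> object type of the element context being authorized (focus or projection)
 */
public class ClockworkRequestAuthorizer<F extends ObjectType, E extends ObjectType> {
    private static final Trace LOGGER = TraceManager.getTrace(ClockworkRequestAuthorizer.class);
    private static final String OP_AUTHORIZE_REQUEST = Clockwork.class.getName() + ".authorizeRequest";

    @NotNull
    private final LensContext<F> context;

    @NotNull
    private final LensElementContext<E> elementContext;

    /** False during preliminary authorization; true for the full one. Drives PRELIMINARY vs FULL state. */
    private final boolean fullInformationAvailable;

    /** True when {@link #elementContext} is the focus context (assignment checks run only for the focus). */
    private final boolean isFocus;

    @NotNull
    private final Task task;

    @NotNull
    private final OperationResult result;

    @NotNull
    private final String ctxHumanReadableName;

    @NotNull
    private final SecurityEnforcer securityEnforcer;

    @NotNull
    private final ModelObjectResolver objectResolver;

    /** Resolves owners from the lens context (not only the repository) when evaluating authorizations. */
    @NotNull
    private final OwnerResolver lensOwnerResolver;

    @NotNull
    private final RelationRegistry relationRegistry;

    @NotNull
    private final PrismContext prismContext;

    /**
     * Authorization of one (cloned) primary delta against the security constraints compiled for the
     * object the delta applies to. Special-cased items (assignments, inducements, credentials) are
     * removed from the clone as they are authorized, so the final generic check covers only the rest.
     */
    class DeltaAuthorization {

        /** Clone of the element context's primary delta; mutated (items stripped) as parts get authorized. */
        @NotNull
        private final ObjectDelta<E> primaryDeltaClone;

        /** Current object, or the object to be added for ADD deltas. */
        @NotNull
        private final PrismObject<E> objectCurrentOrNew;

        @NotNull
        private final ObjectSecurityConstraints securityConstraints;

        /** Operation URL derived from the delta type (add / modify / delete). */
        @NotNull
        private final String operationUrl;

        @NotNull
        private final AuthorizationPhaseType authorizationPhase;

        /** Which container is being authorized; both share the same per-value logic. */
        private enum AssignmentOrInducement {
            ASSIGNMENT(AssignmentHolderType.F_ASSIGNMENT),
            INDUCEMENT(AbstractRoleType.F_INDUCEMENT);

            @NotNull
            private final ItemName itemName;

            AssignmentOrInducement(@NotNull ItemName itemName) {
                this.itemName = itemName;
            }
        }

        /**
         * Authorization of a single assignment/inducement value that is being added (ASSIGN) or
         * removed (UNASSIGN) by the primary delta.
         */
        private class AssignmentValueAuthorization {

            @NotNull
            private final PrismContainerValue<AssignmentType> changedAssignmentValue;

            @NotNull
            private final AssignmentType changedAssignment;

            @NotNull
            private final AssignmentOrInducement type;

            /** True when the value is being added, false when it is being removed. */
            private final boolean consideringCreation;

            @NotNull
            private final ModelAuthorizationAction assignmentAction;

            @NotNull
            private final String operationDesc;

            /**
             * When true, values carrying policy rules / exceptions / situations / triggered rules are not
             * authorized as plain ASSIGN but as an item-level change of the container (see {@link #authorize()}).
             */
            private final boolean prohibitPolicies;

            AssignmentValueAuthorization(
                    @NotNull PrismContainerValue<AssignmentType> changedAssignmentValue,
                    @NotNull AssignmentOrInducement type,
                    boolean consideringCreation,
                    boolean prohibitPolicies) {
                this.changedAssignmentValue = changedAssignmentValue;
                this.changedAssignment = changedAssignmentValue.asContainerable();
                this.type = type;
                this.consideringCreation = consideringCreation;
                this.assignmentAction = consideringCreation ? ModelAuthorizationAction.ASSIGN : ModelAuthorizationAction.UNASSIGN;
                this.operationDesc = this.assignmentAction.name();
                this.prohibitPolicies = prohibitPolicies;
            }

            /**
             * Authorizes this single value. Values without a target OID are decided purely by the item-level
             * constraints; values with a target are checked with ASSIGN/UNASSIGN (or DELEGATE for delegation
             * relations) against a synthetic modify delta that adds the value.
             *
             * @throws SecurityViolationException if the value is not authorized
             */
            void authorize() throws SecurityViolationException, SchemaException, ObjectNotFoundException,
                    ExpressionEvaluationException, CommunicationException, ConfigurationException {
                ObjectReferenceType targetRef = changedAssignment.getTargetRef();
                if (Referencable.getOid(targetRef) == null) {
                    authorizeNoTargetOidAssignmentValue();
                    return;
                }

                PrismObject<? extends ObjectType> target;
                try {
                    // Resolve from the reference itself; an embedded object (if any) is dropped so that the
                    // target used for the decision is the stored one, not one supplied with the request.
                    PrismReferenceValue targetRefValue = targetRef.clone().asReferenceValue();
                    targetRefValue.setObject(null);
                    target = objectResolver.resolve(targetRefValue, "resolving " + type + " target", task, result);
                } catch (ObjectNotFoundException e) {
                    // NOTE(review): a dangling targetRef is not rejected here; the decision below is made with
                    // target == null, so whether such a value can be assigned depends on how the enforcer
                    // matches authorizations against a null target — confirm this is the intended outcome.
                    LOGGER.warn("Object {} referenced as {} target in {} was not found",
                            targetRef.asReferenceValue().getOid(), type, objectCurrentOrNew);
                    target = null;
                }

                // The value is always authorized as an *addition* to the current object, even for UNASSIGN;
                // the direction is carried by assignmentAction, not by the delta.
                ObjectDelta<E> assignmentDelta = objectCurrentOrNew.createModifyDelta();
                assignmentDelta.createContainerModification(type.itemName)
                        .addValuesToAdd(changedAssignment.asPrismContainerValue().clone());

                QName relation = Objects.requireNonNullElseGet(targetRef.getRelation(), prismContext::getDefaultRelation);

                AuthorizationParameters<E, ObjectType> autzParams = new AuthorizationParameters.Builder<E, ObjectType>()
                        .oldObject(objectCurrentOrNew)
                        .delta(assignmentDelta)
                        .target(target)
                        .relation(relation)
                        .orderConstraints(determineOrderConstraints())
                        .fullInformationAvailable(fullInformationAvailable)
                        .build();

                if (prohibitPolicies && carriesPolicyData()) {
                    authorizePolicyAssignmentValue(autzParams);
                    return;
                }

                SecurityEnforcer.Options options = SecurityEnforcer.Options.create().withCustomOwnerResolver(lensOwnerResolver);
                if (securityEnforcer.isAuthorized(assignmentAction.getUrl(), authorizationPhase, autzParams, options, task, result)) {
                    LOGGER.debug("{} of target {} to {} allowed with {} authorization",
                            operationDesc, target, objectCurrentOrNew, assignmentAction.getUrl());
                } else if (relationRegistry.isDelegation(relation)
                        && securityEnforcer.isAuthorized(ModelAuthorizationAction.DELEGATE.getUrl(), authorizationPhase, autzParams, options, task, result)) {
                    // Delegation relations may alternatively be covered by the DELEGATE authorization.
                    LOGGER.debug("{} of target {} to {} allowed with {} authorization",
                            operationDesc, target, objectCurrentOrNew, ModelAuthorizationAction.DELEGATE.getUrl());
                } else {
                    LOGGER.debug("{} of target {} to {} denied", operationDesc, target, objectCurrentOrNew);
                    securityEnforcer.failAuthorization(
                            AssignmentOrInducement.ASSIGNMENT.equals(type)
                                    ? "clockwork.request.authorizer.operation.withAssignment"
                                    : "clockwork.request.authorizer.operation.withInducement",
                            authorizationPhase, autzParams, result);
                }
            }

            /** True if the value carries a policy rule, policy exceptions, policy situations or triggered rules. */
            private boolean carriesPolicyData() {
                return changedAssignment.getPolicyRule() != null
                        || !changedAssignment.getPolicyException().isEmpty()
                        || !changedAssignment.getPolicySituation().isEmpty()
                        || !changedAssignment.getTriggeredPolicyRule().isEmpty();
            }

            /**
             * Values with no target OID cannot be matched by target-based ASSIGN authorizations, so they are
             * decided by the item-value decision for the container under the delta's own operation URL.
             */
            private void authorizeNoTargetOidAssignmentValue() throws SecurityViolationException {
                AccessDecision decision = securityEnforcer.determineItemValueDecision(
                        securityConstraints, changedAssignmentValue, operationUrl, authorizationPhase, consideringCreation, operationDesc);
                if (decision == AccessDecision.ALLOW) {
                    LOGGER.debug("{} of non-target {} to {} allowed with {} authorization",
                            operationDesc, type, objectCurrentOrNew, operationUrl);
                    return;
                }
                LOGGER.debug("{} of non-target {} not allowed", operationDesc, type);
                LOGGER.trace("Denied request for object {}: {} of non-target {} not allowed", objectCurrentOrNew, operationDesc, type);
                securityEnforcer.failAuthorization(operationDesc, authorizationPhase,
                        AuthorizationParameters.Builder.buildObject(objectCurrentOrNew, fullInformationAvailable), result);
                throw new NotHereAssertionError(); // failAuthorization always throws
            }

            /**
             * Values carrying policy data are treated as a change of the container item, not as an ASSIGN:
             * they are allowed only by an explicit item-value ALLOW, otherwise the request fails.
             */
            private void authorizePolicyAssignmentValue(@NotNull AuthorizationParameters<E, ObjectType> autzParams)
                    throws SecurityViolationException {
                AccessDecision decision = securityEnforcer.determineItemValueDecision(
                        securityConstraints, changedAssignmentValue, operationUrl, authorizationPhase, consideringCreation, operationDesc);
                if (decision == AccessDecision.ALLOW) {
                    LOGGER.debug("{} of policy assignment to {} allowed with {} authorization",
                            operationDesc, objectCurrentOrNew, operationUrl);
                } else {
                    securityEnforcer.failAuthorization("clockwork.request.authorizer.operation.authorizePolicyAssignmentValue",
                            authorizationPhase, autzParams, result);
                    throw new NotHereAssertionError(); // failAuthorization always throws
                }
            }

            /**
             * Order constraints passed to the enforcer: assignments are order 0; inducements use their own
             * orderConstraint list, or else a single constraint with their {@code order} (default 1).
             */
            private List<OrderConstraintsType> determineOrderConstraints() {
                if (type == AssignmentOrInducement.ASSIGNMENT) {
                    return List.of(new OrderConstraintsType().order(0));
                }
                AssignmentType inducement = changedAssignmentValue.asContainerable();
                List<OrderConstraintsType> explicit = inducement.getOrderConstraint();
                if (!explicit.isEmpty()) {
                    return explicit;
                }
                return List.of(new OrderConstraintsType().order(Objects.requireNonNullElse(inducement.getOrder(), 1)));
            }
        }

        DeltaAuthorization(
                @NotNull ObjectDelta<E> primaryDeltaClone,
                @NotNull PrismObject<E> objectCurrentOrNew,
                @NotNull ObjectSecurityConstraints securityConstraints) {
            this.primaryDeltaClone = primaryDeltaClone;
            this.objectCurrentOrNew = objectCurrentOrNew;
            this.securityConstraints = securityConstraints;
            this.operationUrl = ModelImplUtils.getOperationUrlFromDelta(primaryDeltaClone);
            this.authorizationPhase = context.isExecutionPhaseOnly()
                    ? AuthorizationPhaseType.EXECUTION
                    : AuthorizationPhaseType.REQUEST;
        }

        /**
         * Authorizes the whole delta: assignment/inducement items (focus only), then credentials, then
         * whatever remains in the clone via the generic enforcer. Each step strips what it authorized.
         *
         * @throws SecurityViolationException if any part of the delta is not authorized
         */
        void authorize() throws SecurityViolationException, SchemaException, ObjectNotFoundException,
                ExpressionEvaluationException, CommunicationException, ConfigurationException {
            if (isFocus) {
                if (objectCurrentOrNew.canRepresent(AssignmentHolderType.class)) {
                    authorizeAssignmentsOrInducementsOperation(AssignmentOrInducement.ASSIGNMENT);
                }
                if (objectCurrentOrNew.canRepresent(AbstractRoleType.class)) {
                    authorizeAssignmentsOrInducementsOperation(AssignmentOrInducement.INDUCEMENT);
                }
            }
            authorizeCredentialsOperation();
            if (!primaryDeltaClone.isEmpty()) {
                // Everything not handled above is subject to the ordinary delta authorization.
                securityEnforcer.authorize(
                        operationUrl,
                        authorizationPhase,
                        AuthorizationParameters.Builder.buildObjectDelta(objectCurrentOrNew, primaryDeltaClone, fullInformationAvailable),
                        SecurityEnforcer.Options.create().withCustomOwnerResolver(lensOwnerResolver),
                        task,
                        result);
            }
            LOGGER.trace("Authorized request for element context {} (full info: {}), constraints:\n{}",
                    ctxHumanReadableName, fullInformationAvailable, securityConstraints.debugDumpLazily(1));
        }

        /**
         * Authorizes changes to the given container (assignment or inducement), then removes that container
         * (ADD delta) or its modifications (MODIFY delta) from the clone.
         *
         * Decision order: explicit item ALLOW → done; explicit item DENY → fail; otherwise the "all items"
         * decision: ALLOW → done, DENY → fail, undecided → authorize each added value (and, unless the delta
         * is an ADD, each removed value) individually.
         */
        private void authorizeAssignmentsOrInducementsOperation(@NotNull AssignmentOrInducement item)
                throws SecurityViolationException, SchemaException, ObjectNotFoundException,
                ExpressionEvaluationException, CommunicationException, ConfigurationException {
            if (!primaryDeltaClone.hasItemOrSubitemDelta(item.itemName)) {
                return;
            }
            AccessDecision itemDecision = securityEnforcer.determineItemDecision(
                    securityConstraints, primaryDeltaClone, elementContext.getObjectCurrentOrOld(),
                    operationUrl, authorizationPhase, item.itemName);
            LOGGER.trace("Security decision for {} item: {}", item, itemDecision);

            if (itemDecision == AccessDecision.ALLOW) {
                LOGGER.debug("Allow assignment/unassignment to {} because access to {} is explicitly allowed", objectCurrentOrNew, item);
            } else if (itemDecision == AccessDecision.DENY) {
                LOGGER.debug("Deny assignment/unassignment to {} because access to {} is explicitly denied", objectCurrentOrNew, item);
                LOGGER.trace("Denied request for element context {}: access to {} is explicitly denied", ctxHumanReadableName, item);
                throw new AuthorizationException("Access denied");
            } else {
                AuthorizationDecisionType allItemsDecision = securityConstraints.findAllItemsDecision(operationUrl, authorizationPhase);
                if (allItemsDecision == AuthorizationDecisionType.DENY) {
                    LOGGER.trace("Denied request for element context {}: access to {} items is explicitly denied",
                            elementContext.getHumanReadableName(), item);
                    throw new AuthorizationException("Access denied");
                }
                if (allItemsDecision != AuthorizationDecisionType.ALLOW) {
                    // Added values: policy-bearing values must be explicitly allowed at item level.
                    authorizeAssignmentRequest(item, true, true);
                    if (!primaryDeltaClone.isAdd()) {
                        // Removed values: plain UNASSIGN, policy data does not change the path.
                        authorizeAssignmentRequest(item, false, false);
                    }
                }
            }

            // Authorized here, so the generic delta authorization must not see it again.
            if (primaryDeltaClone.isAdd()) {
                primaryDeltaClone.getObjectToAdd().removeContainer(item.itemName);
            } else if (primaryDeltaClone.isModify()) {
                primaryDeltaClone.removeContainerModification(item.itemName);
            }
        }

        /**
         * Authorizes every value the container delta adds ({@code consideringCreation == true}) or removes
         * ({@code false}) individually.
         */
        private void authorizeAssignmentRequest(@NotNull AssignmentOrInducement item, boolean consideringCreation, boolean prohibitPolicies)
                throws SecurityViolationException, SchemaException, ObjectNotFoundException,
                ExpressionEvaluationException, CommunicationException, ConfigurationException {
            ContainerDelta<AssignmentType> containerDelta = primaryDeltaClone.findContainerDelta(item.itemName);
            if (containerDelta == null) {
                return;
            }
            for (PrismContainerValue<AssignmentType> value : resolveIdOnlyValues(item, containerDelta, consideringCreation)) {
                new AssignmentValueAuthorization(value, item, consideringCreation, prohibitPolicies).authorize();
            }
        }

        /**
         * Returns the values being added (as they are) or removed. Removed values given only by container ID
         * are replaced by the full value from the current focus object, so the authorization sees the
         * actual target/relation being unassigned rather than a bare ID.
         *
         * NOTE(review): an ID-only removed value that has no counterpart in the current focus object (or a
         * focus without that container at all) is dropped from the check entirely. Presumably it would be a
         * no-op at execution time because the value does not exist — confirm rather than rely on it.
         */
        private Collection<PrismContainerValue<AssignmentType>> resolveIdOnlyValues(
                AssignmentOrInducement item, ContainerDelta<AssignmentType> containerDelta, boolean consideringCreation) {
            Collection<PrismContainerValue<AssignmentType>> changedValues =
                    containerDelta.getValueChanges(consideringCreation ? PlusMinusZero.PLUS : PlusMinusZero.MINUS);
            if (consideringCreation) {
                return changedValues;
            }
            LensFocusContext<F> focusContext = context.getFocusContext();
            PrismObject<F> focus = focusContext.getObjectCurrentOrOld();
            MiscUtil.stateCheck(focus != null, "No focus while changing assignments? In %s", focusContext);
            PrismContainer<AssignmentType> currentContainer = focus.findContainer(item.itemName);

            List<PrismContainerValue<AssignmentType>> resolved = new ArrayList<>(changedValues.size());
            for (PrismContainerValue<AssignmentType> value : changedValues) {
                if (!value.isIdOnly()) {
                    resolved.add(value);
                    continue;
                }
                if (currentContainer == null) {
                    continue;
                }
                PrismContainerValue<AssignmentType> current = currentContainer.findValue(value.getId());
                if (current != null) {
                    resolved.add(current);
                }
            }
            return resolved;
        }

        /**
         * Authorizes credential changes using the CHANGE_CREDENTIALS item decisions.
         * ALLOW: the credential item is removed from the clone (already authorized).
         * DENY: the request fails.
         * No decision: the item stays in the clone and is covered by the generic delta authorization.
         *
         * @throws AuthorizationException on an explicit DENY
         */
        private void authorizeCredentialsOperation() throws AuthorizationException {
            if (primaryDeltaClone.isAdd()) {
                PrismObject<E> objectToAdd = primaryDeltaClone.getObjectToAdd();
                PrismContainer<?> credentials = objectToAdd.findContainer(UserType.F_CREDENTIALS);
                if (credentials == null) {
                    return;
                }
                List<ItemPath> allowedPaths = new ArrayList<>();
                for (Item<?, ?> credentialItem : credentials.getValue().getItems()) {
                    ItemPath path = credentialItem.getPath();
                    AuthorizationDecisionType decision = evaluateCredentialDecision(path.namedSegmentsOnly());
                    LOGGER.trace("AUTZ: credential add {} decision: {}", path, decision);
                    if (decision == AuthorizationDecisionType.ALLOW) {
                        allowedPaths.add(path);
                    } else if (decision == AuthorizationDecisionType.DENY) {
                        LOGGER.trace("Denied request for element context {}: explicit credentials deny", ctxHumanReadableName);
                        throw new AuthorizationException("Access denied");
                    }
                }
                // Removed after the loop so the items collection is not modified while iterating it.
                for (ItemPath allowedPath : allowedPaths) {
                    objectToAdd.removeContainer(allowedPath);
                }
            } else if (primaryDeltaClone.isModify()) {
                for (ItemDelta<?, ?> credentialDelta : primaryDeltaClone.findItemDeltasSubPath(UserType.F_CREDENTIALS)) {
                    ItemPath path = credentialDelta.getPath();
                    AuthorizationDecisionType decision = evaluateCredentialDecision(path.namedSegmentsOnly());
                    LOGGER.trace("AUTZ: credential delta {} decision: {}", path, decision);
                    if (decision == AuthorizationDecisionType.ALLOW) {
                        primaryDeltaClone.removeModification(credentialDelta);
                    } else if (decision == AuthorizationDecisionType.DENY) {
                        LOGGER.trace("Denied request for element context {}: explicit credentials deny", ctxHumanReadableName);
                        throw new AuthorizationException("Access denied");
                    }
                }
            }
            // DELETE deltas carry no credential items to check.
        }

        /** Item decision for the given credentials path under the CHANGE_CREDENTIALS action. */
        private AuthorizationDecisionType evaluateCredentialDecision(@NotNull ItemPath itemPath) {
            return securityConstraints.findItemDecision(itemPath, ModelAuthorizationAction.CHANGE_CREDENTIALS.getUrl(), authorizationPhase);
        }
    }

    private ClockworkRequestAuthorizer(
            @NotNull LensContext<F> context,
            @NotNull LensElementContext<E> elementContext,
            boolean fullInformationAvailable,
            @NotNull Task task,
            @NotNull OperationResult result) {
        this.context = context;
        this.elementContext = elementContext;
        this.fullInformationAvailable = fullInformationAvailable;
        this.isFocus = elementContext instanceof LensFocusContext;
        this.task = task;
        this.result = result;
        this.ctxHumanReadableName = elementContext.getHumanReadableName();
        ModelBeans beans = ModelBeans.get();
        this.securityEnforcer = beans.securityEnforcer;
        this.objectResolver = beans.modelObjectResolver;
        this.lensOwnerResolver = new LensOwnerResolver(context, this.objectResolver, task, result);
        this.relationRegistry = SchemaService.get().relationRegistry();
        this.prismContext = PrismContext.get();
    }

    /**
     * Authorizes the primary deltas of the focus context (if any) and of every projection context, then
     * marks the context as authorized: FULL when {@code fullInformationAvailable}, PRELIMINARY otherwise.
     *
     * @param context the lens context whose request is authorized
     * @param fullInformationAvailable false for the preliminary pass (projection contexts without an object
     *                                 are skipped then), true for the definitive one
     * @throws SecurityViolationException if any delta is not authorized; the subresult is closed either way
     */
    public static <F extends ObjectType> void authorizeContextRequest(
            LensContext<F> context, boolean fullInformationAvailable, Task task, OperationResult parentResult)
            throws SecurityViolationException, SchemaException, ObjectNotFoundException,
            ExpressionEvaluationException, CommunicationException, ConfigurationException {
        OperationResult result = parentResult.createMinorSubresult(OP_AUTHORIZE_REQUEST);
        LOGGER.trace("Authorizing request for context");
        try {
            LensFocusContext<F> focusContext = context.getFocusContext();
            if (focusContext != null) {
                new ClockworkRequestAuthorizer<>(context, focusContext, fullInformationAvailable, task, result).authorize();
            }
            for (LensProjectionContext projectionContext : context.getProjectionContexts()) {
                new ClockworkRequestAuthorizer<>(context, projectionContext, fullInformationAvailable, task, result).authorize();
            }
            LensContext.AuthorizationState state = fullInformationAvailable
                    ? LensContext.AuthorizationState.FULL
                    : LensContext.AuthorizationState.PRELIMINARY;
            context.setRequestAuthorized(state);
            LOGGER.trace("Request authorized: {}", state);
        } finally {
            result.close();
        }
    }

    /**
     * Authorizes this element context's primary delta. Nothing to do without a primary delta. Works on a
     * clone of the delta so the context itself is left untouched. A projection without a current/new
     * object is tolerated only in the preliminary pass (presumably re-checked in the full one — confirm);
     * for the focus, or in the full pass, it is a state error.
     */
    private void authorize() throws SecurityViolationException, SchemaException, ObjectNotFoundException,
            ExpressionEvaluationException, CommunicationException, ConfigurationException {
        LOGGER.trace("Authorizing request for element context {}", ctxHumanReadableName);
        ObjectDelta<E> primaryDelta = elementContext.getPrimaryDelta();
        if (primaryDelta == null) {
            LOGGER.trace("Authorized request for element context {}, constraints=null", ctxHumanReadableName);
            return;
        }
        ObjectDelta<E> primaryDeltaClone = primaryDelta.clone();
        PrismObject<E> objectCurrentOrNew = elementContext.getObjectCurrentOrNew();
        if (objectCurrentOrNew == null) {
            if (isFocus || fullInformationAvailable) {
                throw new IllegalStateException("No object? In: " + elementContext);
            }
            LOGGER.trace("No projection object during preliminary autz evaluation -> skipping the check for now: {}", elementContext);
            return;
        }
        ObjectSecurityConstraints securityConstraints = securityEnforcer.compileSecurityConstraints(
                objectCurrentOrNew,
                fullInformationAvailable,
                SecurityEnforcer.Options.create().withCustomOwnerResolver(lensOwnerResolver),
                task,
                result);
        new DeltaAuthorization(primaryDeltaClone, objectCurrentOrNew, securityConstraints).authorize();
    }
}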
