package com.evolveum.midpoint.security.enforcer.impl;

import com.evolveum.midpoint.prism.Containerable;
import com.evolveum.midpoint.prism.PrismContainerValue;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.PrismObjectValue;
import com.evolveum.midpoint.prism.PrismValue;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.prism.query.AllFilter;
import com.evolveum.midpoint.prism.query.ObjectFilter;
import com.evolveum.midpoint.schema.AccessDecision;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.security.api.Authorization;
import com.evolveum.midpoint.security.api.AuthorizationConstants;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.security.api.ProfileCompilerOptions;
import com.evolveum.midpoint.security.api.SecurityContextManager;
import com.evolveum.midpoint.security.enforcer.api.AbstractAuthorizationParameters;
import com.evolveum.midpoint.security.enforcer.api.AuthorizationParameters;
import com.evolveum.midpoint.security.enforcer.api.CompileConstraintsOptions;
import com.evolveum.midpoint.security.enforcer.api.FilterGizmo;
import com.evolveum.midpoint.security.enforcer.api.ItemSecurityConstraints;
import com.evolveum.midpoint.security.enforcer.api.ObjectSecurityConstraints;
import com.evolveum.midpoint.security.enforcer.api.PrismEntityOpConstraints;
import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
import com.evolveum.midpoint.security.enforcer.api.ValueAuthorizationParameters;
import com.evolveum.midpoint.security.enforcer.impl.EnforcerFilterOperation;
import com.evolveum.midpoint.security.enforcer.impl.ItemDecisionOperation;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.util.DebugUtil;
import com.evolveum.midpoint.util.MiscUtil;
import com.evolveum.midpoint.util.SingleLocalizableMessage;
import com.evolveum.midpoint.util.exception.AuthorizationException;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.NotHereAssertionError;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractRoleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OrderConstraintsType;
import java.io.Serializable;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import java.util.stream.Collectors;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

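/**
 * Default {@link SecurityEnforcer} implementation.
 *
 * <p>Each authorization entry point builds the matching operation object
 * ({@link EnforcerDecisionOperation}, {@link CompileConstraintsOperation},
 * {@link EnforcerFilterOperation}, {@link ItemDecisionOperation}) and delegates to it.
 * The class itself keeps no per-request state; its only fields are Spring-injected collaborators.
 */
/* loaded from: input_file:BOOT-INF/lib/security-enforcer-impl-4.8.9-SNAPSHOT.jar:com/evolveum/midpoint/security/enforcer/impl/SecurityEnforcerImpl.class */
@Component("securityEnforcer")
public class SecurityEnforcerImpl implements SecurityEnforcer {

    private static final Trace LOGGER = TraceManager.getTrace(SecurityEnforcerImpl.class);

    /** Shared collaborators (e.g. {@code expressionFactory}) handed to every operation object. */
    @Autowired
    private Beans beans;

    /** Provides the current principal and the user profile service used for donor principals. */
    @Autowired
    @Qualifier("securityContextManager")
    private SecurityContextManager securityContextManager;

    /**
     * Reports a denied operation: logs it at error level, records a fatal error on
     * {@code operationResult} and throws {@link AuthorizationException}. Never returns normally.
     *
     * @param str the action URL that was denied; translated once for the localizable message
     *        and once in en_US for the plain-text fallback
     * @param authorizationPhaseType accepted for interface compatibility; it does not appear
     *        in the produced message
     * @param abstractAuthorizationParameters either {@link AuthorizationParameters} (object plus
     *        optional target) or {@link ValueAuthorizationParameters} (a single prism value)
     * @param operationResult receives the fatal error
     * @throws AuthorizationException always (a {@link SecurityViolationException})
     * @throws NotHereAssertionError if the parameters are of an unsupported subtype
     */
    @Override
    public void failAuthorization(String str, AuthorizationPhaseType authorizationPhaseType,
            AbstractAuthorizationParameters abstractAuthorizationParameters, OperationResult operationResult)
            throws SecurityViolationException {
        String quotedUsername = getQuotedUsername(this.securityContextManager.getPrincipal());

        // Typed as Serializable (as in the decompiled original); it is only rendered into message text.
        Serializable diagInfo;
        PrismObject<?> prismObject;
        if (abstractAuthorizationParameters instanceof AuthorizationParameters) {
            AuthorizationParameters params = (AuthorizationParameters) abstractAuthorizationParameters;
            diagInfo = params.getAnyObject();
            prismObject = params.getTarget();
        } else if (abstractAuthorizationParameters instanceof ValueAuthorizationParameters) {
            PrismValue value = ((ValueAuthorizationParameters) abstractAuthorizationParameters).getValue();
            diagInfo = value != null ? MiscUtil.getDiagInfo(value) : null;
            prismObject = null;
        } else {
            throw new NotHereAssertionError();
        }

        SingleLocalizableMessage actionMessage = new SingleLocalizableMessage(str);
        String action = this.beans.expressionFactory.getLocalizationService().translate(actionMessage);
        // The plain fallback is always in English so that log lines are uniform regardless of user locale.
        String actionEn = this.beans.expressionFactory.getLocalizationService().translate(actionMessage, Locale.US);

        // quotedUsername already carries its own quotes (or is "(none)"), so the templates below must
        // not add another pair; the earlier form rendered as ''name''. The localized bundle receives the
        // same already-quoted value as {0} - check that the bundle text does not quote it again.
        String plainMessage;
        SingleLocalizableMessage localizable;
        if (prismObject == null && diagInfo == null) {
            plainMessage = "User " + quotedUsername + " not authorized for operation " + actionEn;
            localizable = new SingleLocalizableMessage("security.enforcer.message.notAuthorized",
                    new Object[] { quotedUsername, action }, plainMessage);
        } else if (prismObject == null) {
            plainMessage = "User " + quotedUsername + " not authorized for operation " + actionEn
                    + " on " + diagInfo;
            localizable = new SingleLocalizableMessage("security.enforcer.message.notAuthorized.onObject",
                    new Object[] { quotedUsername, action, diagInfo }, plainMessage);
        } else {
            plainMessage = "User " + quotedUsername + " not authorized for operation " + actionEn
                    + " on " + diagInfo + " with target " + prismObject;
            localizable = new SingleLocalizableMessage("security.enforcer.message.notAuthorized.onObject.withTarget",
                    new Object[] { quotedUsername, action, diagInfo, prismObject }, plainMessage);
        }

        LOGGER.error("{}", plainMessage);
        AuthorizationException authorizationException = new AuthorizationException(localizable);
        operationResult.setFatalError(authorizationException);
        throw authorizationException;
    }

    /** Username wrapped in single quotes, or {@code (none)} when there is no principal. */
    private String getQuotedUsername(MidPointPrincipal midPointPrincipal) {
        if (midPointPrincipal == null) {
            return "(none)";
        }
        return "'" + midPointPrincipal.getUsername() + "'";
    }

    /**
     * Decides whether {@code midPointPrincipal} may perform action {@code str} on the given
     * parameters; the whole evaluation lives in {@link EnforcerDecisionOperation}.
     *
     * @param midPointPrincipal principal to evaluate; {@code null} means no authenticated user
     * @param authorizationPhaseType {@code null} selects the operation's default phase handling
     */
    @Override
    @NotNull
    public AccessDecision decideAccess(@Nullable MidPointPrincipal midPointPrincipal, @NotNull String str,
            @Nullable AuthorizationPhaseType authorizationPhaseType,
            @NotNull AbstractAuthorizationParameters abstractAuthorizationParameters,
            @NotNull SecurityEnforcer.Options options, @NotNull Task task, @NotNull OperationResult operationResult)
            throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException,
            ConfigurationException, SecurityViolationException {
        EnforcerDecisionOperation operation =
                new EnforcerDecisionOperation(str, abstractAuthorizationParameters, midPointPrincipal, options, this.beans, task);
        return operation.decideAccess(authorizationPhaseType, operationResult);
    }

    /**
     * Returns the {@link MidPointPrincipal} of the current Spring security context, or {@code null}
     * when there is none.
     *
     * <p>The anonymous marker principal ({@link AuthorizationConstants#ANONYMOUS_USER_PRINCIPAL}) is
     * also reported as {@code null}, so callers see anonymous sessions exactly like unauthenticated
     * ones. Any other principal type is logged at debug level and likewise yields {@code null}.
     */
    @Override
    @Nullable
    public MidPointPrincipal getMidPointPrincipal() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null) {
            LOGGER.debug("No authentication");
            return null;
        }
        Object principal = authentication.getPrincipal();
        if (principal == null) {
            LOGGER.debug("Null principal");
            return null;
        }
        if (principal instanceof MidPointPrincipal) {
            return (MidPointPrincipal) principal;
        }
        if (!AuthorizationConstants.ANONYMOUS_USER_PRINCIPAL.equals(principal)) {
            LOGGER.debug("Unknown principal type {}", principal.getClass());
        }
        return null;
    }

    /**
     * Compiles object-level security constraints for the principal of the current security
     * context (see {@link #getMidPointPrincipal()}).
     *
     * @param z whether full object information is available; forwarded as
     *        {@link CompileConstraintsOptions#withFullInformationAvailable(boolean)}
     */
    @Override
    @NotNull
    public <O extends ObjectType> ObjectSecurityConstraints compileSecurityConstraints(@NotNull PrismObject<O> prismObject,
            boolean z, @NotNull SecurityEnforcer.Options options, @NotNull Task task, @NotNull OperationResult operationResult)
            throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException,
            ConfigurationException, SecurityViolationException {
        CompileConstraintsOptions compileOptions = CompileConstraintsOptions.create().withFullInformationAvailable(z);
        CompileConstraintsOperation operation =
                new CompileConstraintsOperation(getMidPointPrincipal(), options, this.beans, compileOptions, task);
        return operation.compileSecurityConstraints(prismObject, operationResult);
    }

    /**
     * Compiles value-level operation constraints for an explicitly given principal.
     *
     * @param strArr the action URLs the constraints are compiled for
     */
    @Override
    public PrismEntityOpConstraints.ForValueContent compileOperationConstraints(@Nullable MidPointPrincipal midPointPrincipal,
            @NotNull PrismObjectValue<?> prismObjectValue, @Nullable AuthorizationPhaseType authorizationPhaseType,
            @NotNull String[] strArr, @NotNull SecurityEnforcer.Options options,
            @NotNull CompileConstraintsOptions compileConstraintsOptions, @NotNull Task task,
            @NotNull OperationResult operationResult)
            throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException,
            ConfigurationException, SecurityViolationException {
        CompileConstraintsOperation operation =
                new CompileConstraintsOperation(midPointPrincipal, options, this.beans, compileConstraintsOptions, task);
        return operation.compileValueOperationConstraints(prismObjectValue, authorizationPhaseType, strArr, operationResult);
    }

    /**
     * Narrows a caller-supplied search filter by the principal's authorizations.
     *
     * <p>The security filter is AND-ed with {@code objectFilter}, so the caller's filter can only
     * narrow the authorized result set, never widen it. When the combination collapses to
     * {@link AllFilter} the method returns {@code null} (the unrestricted case).
     *
     * @param objectFilter the original filter, may be {@code null}
     * @param str selector/limitations hint forwarded to the filter operation, may be {@code null}
     * @return the combined filter, or {@code null} when no restriction applies
     */
    @Override
    @Nullable
    public <T> ObjectFilter preProcessObjectFilter(@Nullable MidPointPrincipal midPointPrincipal, @NotNull String[] strArr,
            @Nullable AuthorizationPhaseType authorizationPhaseType, @NotNull Class<T> cls,
            @Nullable ObjectFilter objectFilter, @Nullable String str, @NotNull List<OrderConstraintsType> list,
            @NotNull SecurityEnforcer.Options options, @NotNull Task task, @NotNull OperationResult operationResult)
            throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException,
            ConfigurationException, SecurityViolationException {
        FilterGizmoObjectFilterImpl gizmo = new FilterGizmoObjectFilterImpl();
        ObjectFilter securityFilter = computeSecurityFilterInternal(midPointPrincipal, strArr, authorizationPhaseType, cls,
                EnforcerFilterOperation.AuthorizationSelectorExtractor.forObject(), objectFilter, str, list, gizmo,
                "filter pre-processing", options, task, operationResult);
        ObjectFilter combined = gizmo.and(objectFilter, securityFilter);
        LOGGER.trace("SEC: pre-processed object filter (combined with the original one):\n{}",
                DebugUtil.debugDumpLazily(combined, 1));
        return combined instanceof AllFilter ? null : combined;
    }

    /**
     * Computes the security filter restricting which objects may be selected as targets
     * (e.g. assignment targets) for {@code prismObject}.
     *
     * <p>Unlike {@link #preProcessObjectFilter}, this entry point does not take caller options;
     * it always uses {@code SecurityEnforcer.Options.create()} and returns the raw filter without
     * AND-ing it with {@code objectFilter}.
     */
    @Override
    public <T extends ObjectType, O extends ObjectType, F> F computeTargetSecurityFilter(MidPointPrincipal midPointPrincipal,
            String[] strArr, AuthorizationPhaseType authorizationPhaseType, Class<T> cls, @NotNull PrismObject<O> prismObject,
            ObjectFilter objectFilter, String str, List<OrderConstraintsType> list, FilterGizmo<F> filterGizmo, Task task,
            OperationResult operationResult)
            throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException,
            ConfigurationException, SecurityViolationException {
        return computeSecurityFilterInternal(midPointPrincipal, strArr, authorizationPhaseType, cls,
                EnforcerFilterOperation.AuthorizationSelectorExtractor.forTarget(prismObject), objectFilter, str, list,
                filterGizmo, "security filter computation", SecurityEnforcer.Options.create(), task, operationResult);
    }

    /**
     * Common backend of the two filter entry points: builds an {@link EnforcerFilterOperation}
     * and runs it.
     *
     * @param str2 human-readable description of the caller, used in the operation's diagnostics
     */
    private <T, F> F computeSecurityFilterInternal(@Nullable MidPointPrincipal midPointPrincipal, @NotNull String[] strArr,
            @Nullable AuthorizationPhaseType authorizationPhaseType, @NotNull Class<T> cls,
            @NotNull EnforcerFilterOperation.AuthorizationSelectorExtractor authorizationSelectorExtractor,
            @Nullable ObjectFilter objectFilter, @Nullable String str, @Nullable List<OrderConstraintsType> list,
            @NotNull FilterGizmo<F> filterGizmo, String str2, @NotNull SecurityEnforcer.Options options,
            @NotNull Task task, @NotNull OperationResult operationResult)
            throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException,
            ConfigurationException, SecurityViolationException {
        EnforcerFilterOperation operation = new EnforcerFilterOperation(strArr, cls, authorizationSelectorExtractor,
                objectFilter, str, list, filterGizmo, str2, midPointPrincipal, options, this.beans, task);
        // Cast retained from the decompiled original; the operation's declared return type is not visible here.
        return (F) operation.computeSecurityFilter(authorizationPhaseType, operationResult);
    }

    /**
     * Shortens an action URL for diagnostics by stripping the security namespace prefix.
     * (The decompiler widened this and the array overload from package-private to public; callers
     * outside this package should not rely on them.)
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static String prettyActionUrl(String str) {
        return DebugUtil.shortenUrl(AuthorizationConstants.NS_SECURITY_PREFIX, str);
    }

    /** Shortened action URLs joined with {@code ", "}. */
    static String prettyActionUrl(Collection<String> collection) {
        return collection.stream()
                .map(SecurityEnforcerImpl::prettyActionUrl)
                .collect(Collectors.joining(", "));
    }

    /**
     * Shortened action URLs joined with {@code ","}; a single-element array yields just that URL.
     *
     * <p>The separator deliberately stays {@code ","} (the Collection overload uses {@code ", "})
     * because these strings end up in trace output that may be matched by existing tooling.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static String prettyActionUrl(String[] strArr) {
        return Arrays.stream(strArr)
                .map(SecurityEnforcerImpl::prettyActionUrl)
                .collect(Collectors.joining(","));
    }

    /**
     * Collects the assignment items the principal may request, by walking all authorizations
     * applicable to action {@code str}, the REQUEST phase, object {@code prismObject} and target
     * {@code prismObject2}, and gathering their item constraints.
     *
     * @return the aggregated item constraints; empty when no authorization applies
     */
    @Override
    public <O extends ObjectType, R extends AbstractRoleType> ItemSecurityConstraints getAllowedRequestAssignmentItems(
            MidPointPrincipal midPointPrincipal, String str, PrismObject<O> prismObject, PrismObject<R> prismObject2,
            Task task, OperationResult operationResult)
            throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException,
            ConfigurationException, SecurityViolationException {
        EnforcerOperation operation = new EnforcerOperation(midPointPrincipal, SecurityEnforcer.Options.create(), this.beans, task);
        ItemSecurityConstraintsImpl constraints = new ItemSecurityConstraintsImpl();
        int index = 0;
        for (Authorization authorization : operation.getAuthorizations()) {
            AuthorizationEvaluation evaluation = new AuthorizationEvaluation(index++, authorization, operation, operationResult);
            evaluation.traceStart();
            // Checks are short-circuited in this order; each may emit its own trace output.
            // PhaseSelector.nonStrict(REQUEST) presumably also admits authorizations without an explicit
            // phase - confirm against PhaseSelector.
            boolean applicable = evaluation.isApplicableToAction(str)
                    && evaluation.isApplicableToPhase(PhaseSelector.nonStrict(AuthorizationPhaseType.REQUEST))
                    && evaluation.isApplicableToObject(prismObject)
                    && evaluation.isApplicableToTarget(prismObject2);
            if (applicable) {
                constraints.collectItems(authorization);
                evaluation.traceEndApplied();
            } else {
                evaluation.traceEndNotApplicable();
            }
        }
        return constraints;
    }

    /**
     * Creates a principal for {@code prismObject} acting under the authority of
     * {@code midPointPrincipal} (the attorney).
     *
     * <p>The attorney must first be allowed to perform action {@code str} on {@code prismObject};
     * any decision other than {@code ALLOW} ends in {@link #failAuthorization}. The
     * {@link AuthorizationLimitationsCollector} sees the authorizations that made that decision and
     * is then passed to the profile service - presumably so that the donor principal is limited to
     * what those authorizations permit; confirm against {@code AuthorizationLimitationsCollector}.
     *
     * @throws UnsupportedOperationException if {@code midPointPrincipal} is itself acting as an attorney
     * @throws NullPointerException if {@code midPointPrincipal} is {@code null}
     * @throws SecurityViolationException if the attorney is not authorized for {@code str}
     */
    @Override
    public <F extends FocusType> MidPointPrincipal createDonorPrincipal(MidPointPrincipal midPointPrincipal, String str,
            PrismObject<F> prismObject, Task task, OperationResult operationResult)
            throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException,
            ConfigurationException, SecurityViolationException {
        Objects.requireNonNull(midPointPrincipal, "attorney principal");
        if (midPointPrincipal.getAttorney() != null) {
            throw new UnsupportedOperationException("Transitive attorney is not supported yet");
        }
        AuthorizationLimitationsCollector limitations = new AuthorizationLimitationsCollector();
        AuthorizationParameters params = AuthorizationParameters.Builder.buildObject(prismObject);
        AccessDecision decision = decideAccess(midPointPrincipal, str, null, params,
                SecurityEnforcer.Options.create().withApplicableAutzConsumer(limitations), task, operationResult);
        if (decision != AccessDecision.ALLOW) {
            failAuthorization(str, null, params, operationResult); // always throws
        }
        MidPointPrincipal donor = this.securityContextManager.getUserProfileService().getPrincipal(prismObject, limitations,
                ProfileCompilerOptions.createNotCompileGuiAdminConfiguration().locateSecurityPolicy(false), operationResult);
        donor.setAttorney(midPointPrincipal.getFocus());
        donor.setPreviousPrincipal(midPointPrincipal);
        return donor;
    }

    /** Item-level decision for a delta, delegated to {@link ItemDecisionOperation}. */
    @Override
    public <O extends ObjectType> AccessDecision determineItemDecision(@NotNull ObjectSecurityConstraints objectSecurityConstraints,
            @NotNull ObjectDelta<O> objectDelta, PrismObject<O> prismObject, @NotNull String str,
            @NotNull AuthorizationPhaseType authorizationPhaseType, @NotNull ItemPath itemPath) {
        ItemDecisionOperation operation = new ItemDecisionOperation(createSimpleTracer());
        return operation.determineItemDecision(objectSecurityConstraints, objectDelta, prismObject, str,
                authorizationPhaseType, itemPath);
    }

    /**
     * Item-value decision, delegated to {@link ItemDecisionOperation}.
     *
     * @param z forwarded negated - the operation takes the opposite sense of this flag; confirm the
     *        exact meaning against {@code ItemDecisionOperation.determineItemValueDecision}
     */
    @Override
    public <C extends Containerable> AccessDecision determineItemValueDecision(
            @NotNull ObjectSecurityConstraints objectSecurityConstraints, @NotNull PrismContainerValue<C> prismContainerValue,
            @NotNull String str, @NotNull AuthorizationPhaseType authorizationPhaseType, boolean z, @NotNull String str2) {
        ItemDecisionOperation operation = new ItemDecisionOperation(createSimpleTracer());
        return operation.determineItemValueDecision(objectSecurityConstraints, prismContainerValue, !z, str,
                authorizationPhaseType, str2);
    }

    /** Tracer forwarding to {@link #LOGGER} at trace level, or a no-op when trace is disabled. */
    private ItemDecisionOperation.SimpleTracer createSimpleTracer() {
        if (!LOGGER.isTraceEnabled()) {
            return (format, args) -> {
                // tracing disabled: intentionally a no-op
            };
        }
        return (format, args) -> LOGGER.trace(format, args);
    }
}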
