package com.evolveum.midpoint.model.impl.lens.projector.policy.evaluators;

import com.evolveum.midpoint.model.api.context.EvaluatedModificationTrigger;
import com.evolveum.midpoint.model.impl.lens.LensElementContext;
import com.evolveum.midpoint.model.impl.lens.LensProjectionContext;
import com.evolveum.midpoint.model.impl.lens.projector.policy.ObjectPolicyRuleEvaluationContext;
import com.evolveum.midpoint.model.impl.lens.projector.policy.PolicyRuleEvaluationContext;
import com.evolveum.midpoint.prism.PrismContainerValue;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.delta.ItemDelta;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.schema.processor.ResourceAssociationDefinition;
import com.evolveum.midpoint.schema.processor.ResourceAttributeDefinition;
import com.evolveum.midpoint.schema.processor.ResourceObjectDefinition;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
import com.evolveum.midpoint.schema.util.ShadowUtil;
import com.evolveum.midpoint.util.LocalizableMessage;
import com.evolveum.midpoint.util.LocalizableMessageBuilder;
import com.evolveum.midpoint.util.MiscUtil;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ModificationPolicyConstraintType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PolicyConstraintKindType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowAssociationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowKindType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SpecialItemSpecificationType;
import com.evolveum.prism.xml.ns._public.types_3.ChangeTypeType;
import com.evolveum.prism.xml.ns._public.types_3.ItemPathType;
import jakarta.xml.bind.JAXBElement;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.stream.Collectors;
import javax.xml.namespace.QName;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.lang3.BooleanUtils;
import org.jetbrains.annotations.NotNull;
import org.springframework.stereotype.Component;

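/**
 * Evaluates the object-modification policy constraint
 * ({@link PolicyConstraintKindType#OBJECT_MODIFICATION}) against the summary delta of a lens
 * element context and produces a single trigger when the constraint matches.
 *
 * <p>Security-relevant behaviour visible in this class (all of it is "no match", i.e. the
 * constraint does not fire, rather than an error):
 * <ul>
 *   <li>"Special item" specifications are evaluated only for MODIFY deltas and only when a
 *       resource object definition is available (the element context is a
 *       {@link LensProjectionContext}).</li>
 *   <li>A REPLACE delta on {@link ShadowType#F_ASSOCIATION} whose replacement values contain no
 *       entitlement and whose estimated old values are unknown is logged at WARN and treated as
 *       "no entitlement change".</li>
 *   <li>An association name that the resource object definition does not know is logged at WARN
 *       and skipped.</li>
 * </ul>
 * NOTE(review): rules built on this constraint to gate entitlement changes therefore fail open in
 * the cases above; the WARN messages are the only signal, so they are worth alerting on.
 */
@Component
/* loaded from: input_file:BOOT-INF/lib/model-impl-4.8.9-SNAPSHOT.jar:com/evolveum/midpoint/model/impl/lens/projector/policy/evaluators/ObjectModificationConstraintEvaluator.class */
public class ObjectModificationConstraintEvaluator extends ModificationConstraintEvaluator<ModificationPolicyConstraintType, EvaluatedModificationTrigger.EvaluatedObjectModificationTrigger> {
    /** Name of the operation sub-result created for each {@link #evaluate} call. */
    private static final String OP_EVALUATE = ObjectModificationConstraintEvaluator.class.getName() + ".evaluate";
    private static final Trace LOGGER = TraceManager.getTrace(ObjectModificationConstraintEvaluator.class);
    /** Common suffix of the localization keys used for the trigger messages. */
    private static final String CONSTRAINT_KEY_PREFIX = "objectModification.";

    /**
     * Evaluates the constraint for the given rule evaluation context.
     *
     * @param jAXBElement the constraint definition
     * @param policyRuleEvaluationContext the context; anything other than an
     *        {@link ObjectPolicyRuleEvaluationContext} is skipped
     * @param operationResult parent result; a minor sub-result is created under it
     * @return an empty list when the context is not an object context or the constraint does not
     *         match, otherwise a list holding exactly one trigger
     */
    @Override // com.evolveum.midpoint.model.impl.lens.projector.policy.evaluators.PolicyConstraintEvaluator
    @NotNull
    public <O extends ObjectType> Collection<EvaluatedModificationTrigger.EvaluatedObjectModificationTrigger> evaluate(@NotNull JAXBElement<ModificationPolicyConstraintType> jAXBElement, @NotNull PolicyRuleEvaluationContext<O> policyRuleEvaluationContext, OperationResult operationResult) throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException {
        OperationResult result = operationResult.subresult(OP_EVALUATE).setMinor().build();
        try {
            if (!(policyRuleEvaluationContext instanceof ObjectPolicyRuleEvaluationContext)) {
                LOGGER.trace("Policy rule evaluation context is not of type ObjectPolicyRuleEvaluationContext. Skipping processing.");
                return List.of();
            }
            ObjectPolicyRuleEvaluationContext<?> objectContext = (ObjectPolicyRuleEvaluationContext<?>) policyRuleEvaluationContext;
            if (!modificationConstraintMatches(jAXBElement, objectContext, result)) {
                LOGGER.trace("No operation matches.");
                return List.of();
            }
            return List.of(new EvaluatedModificationTrigger.EvaluatedObjectModificationTrigger(
                    PolicyConstraintKindType.OBJECT_MODIFICATION,
                    jAXBElement.getValue(),
                    null,
                    createMessage(jAXBElement, policyRuleEvaluationContext, result),
                    createShortMessage(jAXBElement, policyRuleEvaluationContext, result)));
        } catch (Throwable t) {
            // Record the failure on the sub-result before it propagates to the caller.
            result.recordFatalError(t.getMessage(), t);
            throw t;
        } finally {
            // Runs on every exit path, so the sub-result never stays in an unknown state.
            result.computeStatusIfUnknown();
        }
    }

    /** Builds the full trigger message; the key is composed from the state key and the operation key. */
    private LocalizableMessage createMessage(JAXBElement<ModificationPolicyConstraintType> jAXBElement, PolicyRuleEvaluationContext<?> policyRuleEvaluationContext, OperationResult operationResult) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException {
        String key = "DefaultPolicyConstraint." + CONSTRAINT_KEY_PREFIX
                + createStateKey(policyRuleEvaluationContext) + createOperationKey(policyRuleEvaluationContext);
        LocalizableMessage builtIn = new LocalizableMessageBuilder()
                .key(key)
                .args(ObjectTypeUtil.createDisplayInformation(policyRuleEvaluationContext.elementContext.getObjectAny(), true))
                .build();
        return this.evaluatorHelper.createLocalizableMessage(jAXBElement, policyRuleEvaluationContext, builtIn, operationResult);
    }

    /** Builds the short trigger message; same key composition as {@link #createMessage} under the "Short" prefix. */
    private LocalizableMessage createShortMessage(JAXBElement<ModificationPolicyConstraintType> jAXBElement, PolicyRuleEvaluationContext<?> policyRuleEvaluationContext, OperationResult operationResult) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException {
        String key = "DefaultPolicyConstraint.Short." + CONSTRAINT_KEY_PREFIX
                + createStateKey(policyRuleEvaluationContext) + createOperationKey(policyRuleEvaluationContext);
        LocalizableMessage builtIn = new LocalizableMessageBuilder()
                .key(key)
                .args(ObjectTypeUtil.createDisplayInformation(policyRuleEvaluationContext.elementContext.getObjectAny(), false))
                .build();
        return this.evaluatorHelper.createLocalizableShortMessage(jAXBElement, policyRuleEvaluationContext, builtIn, operationResult);
    }

    /** Returns the message-key fragment for the element's operation: "Added", "Deleted" or "Modified". */
    @NotNull
    private String createOperationKey(PolicyRuleEvaluationContext<?> policyRuleEvaluationContext) {
        if (policyRuleEvaluationContext.elementContext.isAdd()) {
            return "Added";
        }
        if (policyRuleEvaluationContext.elementContext.isDelete()) {
            return "Deleted";
        }
        return "Modified";
    }

    /**
     * Decides whether the constraint applies to the current element context.
     *
     * <p>The checks run in this order and the first failing one ends the evaluation with
     * {@code false}: operation type, presence of a delta (or ADD/DELETE intention), every listed
     * item path, every listed special item, and finally the constraint's expression. Listed items
     * and special items are conjunctive: a single non-matching entry makes the constraint not match.
     */
    private boolean modificationConstraintMatches(JAXBElement<ModificationPolicyConstraintType> jAXBElement, ObjectPolicyRuleEvaluationContext<?> objectPolicyRuleEvaluationContext, OperationResult operationResult) throws SchemaException, ConfigurationException, ObjectNotFoundException, CommunicationException, SecurityViolationException, ExpressionEvaluationException {
        ModificationPolicyConstraintType constraint = jAXBElement.getValue();
        if (!operationMatches(objectPolicyRuleEvaluationContext.elementContext, constraint.getOperation())) {
            LOGGER.trace("Rule {} operation not applicable", objectPolicyRuleEvaluationContext.policyRule.getName());
            return false;
        }
        ObjectDelta<?> summaryDelta = objectPolicyRuleEvaluationContext.elementContext.getSummaryDelta();
        if (ObjectDelta.isEmpty(summaryDelta) && !objectPolicyRuleEvaluationContext.elementContext.isAdd() && !objectPolicyRuleEvaluationContext.elementContext.isDelete()) {
            LOGGER.trace("Element context has no delta (primary nor secondary) nor there is ADD/DELETE intention");
            return false;
        }
        List<ItemPathType> itemPaths = constraint.getItem();
        if (!itemPaths.isEmpty()) {
            boolean exactPathMatch = BooleanUtils.isTrue(constraint.isExactPathMatch());
            for (ItemPathType itemPathType : itemPaths) {
                if (!pathMatches(summaryDelta, objectPolicyRuleEvaluationContext, this.prismContext.toPath(itemPathType), exactPathMatch)) {
                    LOGGER.trace("Path {} does not match the delta (no modification there)", itemPathType);
                    return false;
                }
            }
        }
        List<SpecialItemSpecificationType> specialItems = constraint.getSpecialItem();
        if (!specialItems.isEmpty()) {
            // Special items are defined on modifications only; an ADD or DELETE delta never
            // satisfies a constraint that lists them.
            if (!ObjectDelta.isModify(summaryDelta)) {
                LOGGER.trace("There are 'special items' specified but the delta is not MODIFY one -> ignoring");
                return false;
            }
            for (SpecialItemSpecificationType specialItem : specialItems) {
                if (!specialItemMatches(summaryDelta, objectPolicyRuleEvaluationContext, specialItem)) {
                    LOGGER.trace("Special item {} does not match the delta (no modification there)", specialItem);
                    return false;
                }
            }
        }
        return expressionPasses(jAXBElement, objectPolicyRuleEvaluationContext, operationResult);
    }

    /**
     * Tells whether the given item path is touched by the delta.
     *
     * <p>ADD: the object being added must contain the item. DELETE: the old object must exist and
     * contain the item. MODIFY with exact matching: delegated to {@code pathMatchesExactly} on the
     * delta's modifications. MODIFY otherwise: old and new object values are compared at the path
     * reduced to its named segments.
     *
     * @param exactPathMatch whether the constraint requested exact path matching
     * @return {@code false} when there is no delta at all
     */
    private boolean pathMatches(ObjectDelta<?> objectDelta, ObjectPolicyRuleEvaluationContext<?> objectPolicyRuleEvaluationContext, ItemPath itemPath, boolean exactPathMatch) throws SchemaException {
        if (objectDelta == null) {
            return false;
        }
        if (objectDelta.isAdd()) {
            return objectDelta.getObjectToAdd().containsItem(itemPath, false);
        }
        if (objectDelta.isDelete()) {
            PrismObject<?> deletedObject = objectPolicyRuleEvaluationContext.elementContext.getObjectOld();
            return deletedObject != null && deletedObject.containsItem(itemPath, false);
        }
        if (exactPathMatch) {
            return pathMatchesExactly(CollectionUtils.emptyIfNull(objectDelta.getModifications()), itemPath, 0);
        }
        ItemPath namedSegmentsOnly = itemPath.namedSegmentsOnly();
        PrismObject<?> objectOld = objectPolicyRuleEvaluationContext.elementContext.getObjectOld();
        PrismObject<?> objectNew = objectPolicyRuleEvaluationContext.elementContext.getObjectNew();
        // Both sides are required for the value comparison below.
        MiscUtil.stateCheck(objectOld != null, "No 'old' object in %s", objectPolicyRuleEvaluationContext);
        MiscUtil.stateCheck(objectNew != null, "No 'new' object in %s", objectPolicyRuleEvaluationContext);
        return valuesChanged(objectOld.getValue(), objectNew.getValue(), namedSegmentsOnly);
    }

    /**
     * Evaluates one "special item" specification against a MODIFY delta.
     *
     * @return {@code false} when no resource object definition is available for the context
     * @throws IllegalStateException for a specification value this evaluator does not handle
     */
    private boolean specialItemMatches(ObjectDelta<?> objectDelta, ObjectPolicyRuleEvaluationContext<?> objectPolicyRuleEvaluationContext, SpecialItemSpecificationType specialItemSpecificationType) throws SchemaException, ConfigurationException {
        // The caller has already rejected non-MODIFY deltas.
        assert objectDelta.isModify();
        ResourceObjectDefinition objectDefinition = getObjectDefinition(objectPolicyRuleEvaluationContext);
        if (objectDefinition == null) {
            LOGGER.trace("No object definition -> no special item {} evaluation", specialItemSpecificationType);
            return false;
        }
        switch (specialItemSpecificationType) {
            case RESOURCE_OBJECT_IDENTIFIER:
                return pathBasedSpecialItemMatches(objectDelta, specialItemSpecificationType, getResourceObjectIdentifierPaths(objectDefinition));
            case RESOURCE_OBJECT_NAMING_ATTRIBUTE:
                return pathBasedSpecialItemMatches(objectDelta, specialItemSpecificationType, getResourceObjectNamingAttributePath(objectDefinition, specialItemSpecificationType));
            case RESOURCE_OBJECT_ENTITLEMENT:
                return isEntitlementChange(objectDelta, objectDefinition);
            case RESOURCE_OBJECT_ITEM:
                return ShadowUtil.hasResourceModifications(objectDelta.getModifications());
            default:
                throw new IllegalStateException("Item specification " + specialItemSpecificationType + " is not supported");
        }
    }

    /**
     * Tells whether the delta changes an association of kind {@link ShadowKindType#ENTITLEMENT}.
     *
     * <p>Only the first modification whose path is equivalent to {@link ShadowType#F_ASSOCIATION}
     * is examined. For ADD/DELETE value sets both sets are checked. For a REPLACE the new values
     * are checked first, then the estimated old values.
     *
     * <p>NOTE(review): when a REPLACE carries no entitlement among its new values and the old
     * values are unknown, the method cannot tell whether an entitlement was removed; it logs a
     * WARN and reports "no change", so the constraint does not fire in that case.
     */
    private boolean isEntitlementChange(ObjectDelta<?> objectDelta, ResourceObjectDefinition resourceObjectDefinition) {
        for (ItemDelta<?, ?> modification : objectDelta.getModifications()) {
            if (!modification.getPath().equivalent(ShadowType.F_ASSOCIATION)) {
                continue;
            }
            Collection<?> valuesToReplace = modification.getValuesToReplace();
            if (valuesToReplace == null) {
                return isEntitlementChange(modification.getValuesToAdd(), resourceObjectDefinition)
                        || isEntitlementChange(modification.getValuesToDelete(), resourceObjectDefinition);
            }
            if (isEntitlementChange(valuesToReplace, resourceObjectDefinition)) {
                return true;
            }
            Collection<?> estimatedOldValues = modification.getEstimatedOldValues();
            if (estimatedOldValues != null) {
                return isEntitlementChange(estimatedOldValues, resourceObjectDefinition);
            }
            LOGGER.warn("Replacement delta for association, not knowing old values -> we cannot evaluate whether there are any entitlement changes. Delta: {}, modification: {}", objectDelta, modification);
            return false;
        }
        return false;
    }

    /**
     * Tells whether any of the given values is an association that the resource object definition
     * classifies as {@link ShadowKindType#ENTITLEMENT}.
     *
     * <p>Values that are not {@link ShadowAssociationType} container values are ignored, as are
     * associations without a name. An association name unknown to the definition is logged at
     * WARN and skipped, so it never counts as an entitlement change.
     *
     * @param values values taken from an association delta; may be {@code null}
     */
    private boolean isEntitlementChange(Collection<?> values, ResourceObjectDefinition resourceObjectDefinition) {
        if (values == null) {
            return false;
        }
        HashSet<QName> associationNames = new HashSet<>();
        for (Object value : values) {
            if (!(value instanceof PrismContainerValue)) {
                continue;
            }
            PrismContainerValue<?> containerValue = (PrismContainerValue<?>) value;
            Class<?> compileTimeClass = containerValue.getCompileTimeClass();
            if (compileTimeClass != null && ShadowAssociationType.class.isAssignableFrom(compileTimeClass)) {
                associationNames.add(((ShadowAssociationType) containerValue.asContainerable()).getName());
            }
        }
        for (QName associationName : associationNames) {
            if (associationName == null) {
                continue;
            }
            ResourceAssociationDefinition associationDefinition = resourceObjectDefinition.findAssociationDefinition(associationName);
            if (associationDefinition == null) {
                LOGGER.warn("Modifying unknown association {} in {}", associationName, resourceObjectDefinition);
            } else if (associationDefinition.getKind() == ShadowKindType.ENTITLEMENT) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the composite object definition of a projection context, or {@code null} when the
     * element context is not a {@link LensProjectionContext}.
     */
    private ResourceObjectDefinition getObjectDefinition(ObjectPolicyRuleEvaluationContext<?> objectPolicyRuleEvaluationContext) throws SchemaException, ConfigurationException {
        if (objectPolicyRuleEvaluationContext.elementContext instanceof LensProjectionContext) {
            return ((LensProjectionContext) objectPolicyRuleEvaluationContext.elementContext).getCompositeObjectDefinition();
        }
        return null;
    }

    /** Returns the {@code attributes/<name>} path of every identifier declared by the definition. */
    private Collection<ItemPath> getResourceObjectIdentifierPaths(ResourceObjectDefinition resourceObjectDefinition) {
        return resourceObjectDefinition.getAllIdentifiers().stream()
                .map(identifier -> ItemPath.create(ShadowType.F_ATTRIBUTES, identifier.getItemName()))
                .collect(Collectors.toList());
    }

    /**
     * Returns the {@code attributes/<name>} path of the naming attribute as a one-element list,
     * or {@code null} when the definition has no naming attribute.
     */
    private Collection<ItemPath> getResourceObjectNamingAttributePath(ResourceObjectDefinition resourceObjectDefinition, SpecialItemSpecificationType specialItemSpecificationType) {
        ResourceAttributeDefinition<?> namingAttribute = resourceObjectDefinition.getNamingAttribute();
        if (namingAttribute != null) {
            return List.of(ItemPath.create(ShadowType.F_ATTRIBUTES, namingAttribute.getItemName()));
        }
        LOGGER.trace("No naming attribute for {} -> no special item {} evaluation", resourceObjectDefinition, specialItemSpecificationType);
        return null;
    }

    /**
     * Tells whether the delta modifies at least one of the given paths (exact path match).
     *
     * @param paths candidate paths; {@code null} means the special item is not applicable
     */
    private boolean pathBasedSpecialItemMatches(ObjectDelta<?> objectDelta, SpecialItemSpecificationType specialItemSpecificationType, Collection<ItemPath> paths) {
        if (paths == null) {
            LOGGER.trace("Special item {} is not applicable here", specialItemSpecificationType);
            return false;
        }
        for (ItemPath path : paths) {
            if (pathMatchesExactly(CollectionUtils.emptyIfNull(objectDelta.getModifications()), path, 0)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Tells whether the element's operation is one of the listed change types; an empty list
     * places no restriction and therefore matches.
     */
    private boolean operationMatches(LensElementContext<?> lensElementContext, List<ChangeTypeType> changeTypes) {
        if (changeTypes.isEmpty()) {
            return true;
        }
        for (ChangeTypeType changeType : changeTypes) {
            if (lensElementContext.operationMatches(changeType)) {
                return true;
            }
        }
        return false;
    }
}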
