package com.evolveum.midpoint.security.enforcer.impl;

import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.security.api.Authorization;
import com.evolveum.midpoint.security.api.AuthorizationConstants;
import com.evolveum.midpoint.security.enforcer.api.ObjectSecurityConstraints;
import com.evolveum.midpoint.util.DebugUtil;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationDecisionType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

/* loaded from: input_file:BOOT-INF/lib/security-enforcer-impl-4.8.9-SNAPSHOT.jar:com/evolveum/midpoint/security/enforcer/impl/ObjectSecurityConstraintsImpl.class */
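/**
 * Collects the item-level constraints contributed by individual authorizations and answers
 * ALLOW / DENY / "no decision" queries per action and per authorization phase.
 *
 * <p>Decision semantics implemented here:
 * <ul>
 *   <li>{@code DENY} wins: as soon as any consulted constraint set yields {@code DENY}, that is the result.</li>
 *   <li>{@code null} means "no decision". This class never converts {@code null} into {@code DENY};
 *       refusing access on {@code null} is left to the caller.</li>
 *   <li>When no phase is given, an {@code ALLOW} is returned only if both the REQUEST and the
 *       EXECUTION phase allow.</li>
 * </ul>
 *
 * <p>The "decision is ALLOW" sanity checks are plain {@code assert} statements, so they run only when
 * the JVM has assertions enabled ({@code -ea}).
 *
 * <p>Not synchronized: the backing map is a plain {@link HashMap}.
 */
public class ObjectSecurityConstraintsImpl implements ObjectSecurityConstraints {

    /** Constraints per action identifier (the strings returned by {@code Authorization.getAction()}). */
    private final Map<String, PhasedConstraints> actionMap = new HashMap<>();

    /**
     * Records the items of one authorization under each of its actions.
     *
     * <p>An authorization without a phase is recorded for both REQUEST and EXECUTION.
     * An authorization with an empty action list leaves this object unchanged.
     *
     * @param authorization the authorization whose items are collected
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public void applyAuthorization(@NotNull Authorization authorization) {
        List<String> actions = authorization.getAction();
        AuthorizationPhaseType phase = authorization.getPhase();
        for (String action : actions) {
            if (phase != null) {
                getOrCreateItemConstraints(action, phase).collectItems(authorization);
                continue;
            }
            // No phase on the authorization: it applies to both phases.
            getOrCreateItemConstraints(action, AuthorizationPhaseType.REQUEST).collectItems(authorization);
            getOrCreateItemConstraints(action, AuthorizationPhaseType.EXECUTION).collectItems(authorization);
        }
    }

    /**
     * Returns the constraints for the given action and phase, registering the action first if needed.
     * This is the only place that adds entries to {@link #actionMap}.
     */
    @NotNull
    private ItemSecurityConstraintsImpl getOrCreateItemConstraints(
            @NotNull String action, @NotNull AuthorizationPhaseType phase) {
        PhasedConstraints phased = this.actionMap.computeIfAbsent(action, key -> new PhasedConstraints());
        // presumably PhasedConstraints.get never returns null for a phase - verify against that class
        return phased.get(phase);
    }

    /**
     * Tells whether no action has been registered yet.
     *
     * @return {@code true} if no authorization with at least one action has been applied
     */
    @Override
    public boolean isEmpty() {
        return this.actionMap.isEmpty();
    }

    /**
     * Combines the all-items decisions of several actions.
     *
     * @param strArr action identifiers to evaluate, in order
     * @param authorizationPhaseType phase to evaluate, or {@code null} for both phases
     * @return {@code DENY} as soon as any action denies; otherwise the last non-null decision;
     *         {@code null} if no action yields a decision
     */
    @Override
    @Nullable
    public AuthorizationDecisionType findAllItemsDecision(@NotNull String[] strArr, @Nullable AuthorizationPhaseType authorizationPhaseType) {
        AuthorizationDecisionType combined = null;
        for (String action : strArr) {
            AuthorizationDecisionType decision = findAllItemsDecision(action, authorizationPhaseType);
            if (decision == AuthorizationDecisionType.DENY) {
                // Deny overrides: stop at the first denial.
                return decision;
            }
            if (decision != null) {
                assert decision == AuthorizationDecisionType.ALLOW;
                combined = decision;
            }
        }
        return combined;
    }

    /**
     * Finds the all-items decision for a single action.
     *
     * <p>NOTE(review): unlike {@link #findItemDecisionPhase}, this path does not consult the
     * constraints registered under {@code AuthorizationConstants.AUTZ_ALL_URL}; confirm that
     * callers include that action explicitly where they need it.
     *
     * @param str action identifier
     * @param authorizationPhaseType phase to evaluate, or {@code null} for both phases
     * @return the decision for the given phase; with a {@code null} phase, the REQUEST decision if
     *         it is {@code null} or {@code DENY}, otherwise the EXECUTION decision
     */
    @Override
    @Nullable
    public AuthorizationDecisionType findAllItemsDecision(@NotNull String str, @Nullable AuthorizationPhaseType authorizationPhaseType) {
        if (authorizationPhaseType != null) {
            return getActionDecisionPhase(str, authorizationPhaseType);
        }
        AuthorizationDecisionType requestDecision = getActionDecisionPhase(str, AuthorizationPhaseType.REQUEST);
        if (requestDecision == null || requestDecision == AuthorizationDecisionType.DENY) {
            // The EXECUTION phase cannot turn "no decision" or DENY into ALLOW.
            return requestDecision;
        }
        return getActionDecisionPhase(str, AuthorizationPhaseType.EXECUTION);
    }

    /** Returns the all-items decision for one action and phase, or {@code null} if the action is unknown. */
    private AuthorizationDecisionType getActionDecisionPhase(
            @NotNull String action, @NotNull AuthorizationPhaseType phase) {
        ItemSecurityConstraintsImpl constraints = getItemConstraints(action, phase);
        return constraints == null ? null : constraints.findAllItemsDecision();
    }

    /**
     * Read-only lookup of the constraints for an action and phase.
     * Returns {@code null} for an unregistered action and never adds entries to {@link #actionMap}.
     */
    private ItemSecurityConstraintsImpl getItemConstraints(
            @NotNull String action, @NotNull AuthorizationPhaseType phase) {
        PhasedConstraints phased = this.actionMap.get(action);
        return phased == null ? null : phased.get(phase);
    }

    /**
     * Combines the decisions of several actions for one item.
     *
     * @param itemPath path of the item being checked
     * @param strArr action identifiers to evaluate, in order
     * @param authorizationPhaseType phase to evaluate, or {@code null} for both phases
     * @return {@code DENY} as soon as any action denies; otherwise the last non-null decision;
     *         {@code null} if no action yields a decision
     */
    @Override
    @Nullable
    public AuthorizationDecisionType findItemDecision(@NotNull ItemPath itemPath, @NotNull String[] strArr, @Nullable AuthorizationPhaseType authorizationPhaseType) {
        AuthorizationDecisionType combined = null;
        for (String action : strArr) {
            AuthorizationDecisionType decision = findItemDecision(itemPath, action, authorizationPhaseType);
            if (decision == AuthorizationDecisionType.DENY) {
                // Deny overrides: stop at the first denial.
                return decision;
            }
            if (decision != null) {
                assert decision == AuthorizationDecisionType.ALLOW;
                combined = decision;
            }
        }
        return combined;
    }

    /**
     * Finds the decision for one item and one action.
     *
     * @param itemPath path of the item being checked
     * @param str action identifier
     * @param authorizationPhaseType phase to evaluate, or {@code null} for both phases
     * @return the decision for the given phase; with a {@code null} phase, the REQUEST decision if
     *         it is {@code null} or {@code DENY}, otherwise the EXECUTION decision
     */
    @Override
    @Nullable
    public AuthorizationDecisionType findItemDecision(@NotNull ItemPath itemPath, @NotNull String str, @Nullable AuthorizationPhaseType authorizationPhaseType) {
        if (authorizationPhaseType != null) {
            return findItemDecisionPhase(itemPath, str, authorizationPhaseType);
        }
        AuthorizationDecisionType requestDecision = findItemDecisionPhase(itemPath, str, AuthorizationPhaseType.REQUEST);
        if (requestDecision == null || requestDecision == AuthorizationDecisionType.DENY) {
            // The EXECUTION phase cannot turn "no decision" or DENY into ALLOW.
            return requestDecision;
        }
        return findItemDecisionPhase(itemPath, str, AuthorizationPhaseType.EXECUTION);
    }

    /**
     * Finds the item decision for one action in one phase, then lets the constraints registered
     * under {@code AuthorizationConstants.AUTZ_ALL_URL} override it.
     *
     * <p>Order of evaluation: a {@code DENY} from the action itself is final. Otherwise a
     * {@code DENY} or {@code ALLOW} from the "all" constraints replaces the action's own result,
     * and only if "all" has no decision does the action's own result stand.
     */
    private AuthorizationDecisionType findItemDecisionPhase(
            ItemPath itemPath, String action, @NotNull AuthorizationPhaseType phase) {
        AuthorizationDecisionType actionDecision = null;
        ItemSecurityConstraintsImpl actionConstraints = getItemConstraints(action, phase);
        if (actionConstraints != null) {
            actionDecision = actionConstraints.findItemDecision(itemPath);
            if (actionDecision == AuthorizationDecisionType.DENY) {
                return AuthorizationDecisionType.DENY;
            }
        }

        ItemSecurityConstraintsImpl allConstraints = getItemConstraints(AuthorizationConstants.AUTZ_ALL_URL, phase);
        if (allConstraints == null) {
            return actionDecision;
        }
        AuthorizationDecisionType allDecision = allConstraints.findItemDecision(itemPath);
        if (AuthorizationDecisionType.DENY.equals(allDecision)) {
            return AuthorizationDecisionType.DENY;
        }
        if (AuthorizationDecisionType.ALLOW.equals(allDecision)) {
            return AuthorizationDecisionType.ALLOW;
        }
        return actionDecision;
    }

    /**
     * Dumps the registered constraints for diagnostics.
     *
     * @param i indentation level of the title line; the map is dumped one level deeper
     * @return the multi-line dump
     */
    @Override
    public String debugDump(int i) {
        StringBuilder dump = DebugUtil.createTitleStringBuilderLn(ObjectSecurityConstraintsImpl.class, i);
        DebugUtil.debugDumpWithLabel(dump, "actionMap", this.actionMap, i + 1);
        return dump.toString();
    }
}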
