package com.evolveum.midpoint.security.enforcer.impl.prism;

import com.evolveum.midpoint.prism.PrismObjectValue;
import com.evolveum.midpoint.prism.PrismValue;
import com.evolveum.midpoint.prism.path.InfraItemName;
import com.evolveum.midpoint.prism.path.ItemName;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.schema.AccessDecision;
import com.evolveum.midpoint.security.api.Authorization;
import com.evolveum.midpoint.security.enforcer.impl.AuthorizationEvaluation;
import com.evolveum.midpoint.security.enforcer.impl.prism.PrismEntityCoverageInformation;
import com.evolveum.midpoint.security.enforcer.impl.prism.UpdatablePrismEntityOpConstraints;
import com.evolveum.midpoint.util.DebugUtil;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
import org.jetbrains.annotations.NotNull;

/* loaded from: input_file:BOOT-INF/lib/security-enforcer-impl-4.9.1-SNAPSHOT.jar:com/evolveum/midpoint/security/enforcer/impl/prism/SinglePhasePrismEntityOpConstraintsImpl.class */
/**
 * Operation constraints for a single authorization phase, kept as two coverage
 * accumulators: what "allow" authorizations cover and what "deny" authorizations cover.
 *
 * <p>The access decision derived from them is deny-biased: full deny coverage always
 * wins, and the absence of any allow coverage yields {@link AccessDecision#DENY}.
 * See {@link #getDecision()} for the complete table.
 *
 * <p>The fields are {@code final}, but the accumulators they reference are updated in
 * place (see {@code ForValueContent.applyAuthorization}); no synchronization is visible
 * in this class, so treat instances as not thread-safe unless the callers guarantee it.
 *
 * @param <CI> kind of coverage information (item-level or value-level) being tracked
 */
public abstract class SinglePhasePrismEntityOpConstraintsImpl<CI extends PrismEntityCoverageInformation> implements UpdatablePrismEntityOpConstraints {

    /** Authorization phase these constraints apply to. */
    @NotNull
    final AuthorizationPhaseType phase;

    /** Coverage contributed by "allow" authorizations. */
    @NotNull
    final CI allowed;

    /** Coverage contributed by "deny" authorizations. */
    @NotNull
    final CI denied;

    // Decompiler rendering of the flag javac generates to support `assert` statements.
    // It is true when assertions are disabled for this class (the JVM default).
    static final /* synthetic */ boolean $assertionsDisabled;

    static {
        $assertionsDisabled = !SinglePhasePrismEntityOpConstraintsImpl.class.desiredAssertionStatus();
    }

    /**
     * Stores the phase and the two accumulators as given; nothing is copied.
     *
     * @param authorizationPhaseType phase the constraints are evaluated for
     * @param ci coverage for "allow" authorizations (becomes {@link #allowed})
     * @param ci2 coverage for "deny" authorizations (becomes {@link #denied})
     */
    SinglePhasePrismEntityOpConstraintsImpl(@NotNull AuthorizationPhaseType authorizationPhaseType, @NotNull CI ci, @NotNull CI ci2) {
        this.phase = authorizationPhaseType;
        this.allowed = ci;
        this.denied = ci2;
    }

    /**
     * Derives the access decision for this entity from the deny and allow coverage.
     *
     * <ul>
     *   <li>deny FULL: {@code DENY}, regardless of what is allowed;</li>
     *   <li>deny NONE: allow FULL gives {@code ALLOW} (or {@code DEFAULT} when the allow
     *       coverage excludes metadata), allow PARTIAL gives {@code DEFAULT}, allow NONE
     *       gives {@code DENY};</li>
     *   <li>deny PARTIAL: allow FULL or PARTIAL gives {@code DEFAULT}, allow NONE gives
     *       {@code DENY}.</li>
     * </ul>
     *
     * <p>{@code ALLOW} is therefore returned on exactly one path. {@code DEFAULT} presumably
     * means "not decidable at this level, inspect the nested constraints" - confirm against
     * {@link AccessDecision}.
     *
     * @return the decision for this entity
     */
    @Override // com.evolveum.midpoint.security.enforcer.api.PrismEntityOpConstraints
    @NotNull
    public AccessDecision getDecision() {
        PrismEntityCoverage deniedCoverage = this.denied.getCoverage();

        // Deny takes precedence: a fully denied entity is never allowed.
        if (deniedCoverage == PrismEntityCoverage.FULL) {
            return AccessDecision.DENY;
        }

        if (deniedCoverage != PrismEntityCoverage.NONE) {
            // Only PARTIAL is expected here. The check is active only when assertions are
            // enabled; with assertions disabled an unexpected value still cannot produce
            // ALLOW, because the switch below returns DEFAULT or DENY only.
            if (!$assertionsDisabled && deniedCoverage != PrismEntityCoverage.PARTIAL) {
                throw new AssertionError();
            }
            PrismEntityCoverage allowedUnderPartialDeny = this.allowed.getCoverage();
            switch (allowedUnderPartialDeny) {
                case FULL:
                case PARTIAL:
                    // Something is denied below this entity, so no blanket ALLOW.
                    return AccessDecision.DEFAULT;
                case NONE:
                    return AccessDecision.DENY;
                default:
                    throw new AssertionError(allowedUnderPartialDeny);
            }
        }

        // Nothing is denied: the outcome depends on the allow coverage alone.
        PrismEntityCoverage allowedCoverage = this.allowed.getCoverage();
        switch (allowedCoverage) {
            case FULL:
                // Full allow coverage that excludes metadata is not a blanket ALLOW.
                if (this.allowed.isExceptMetadata()) {
                    return AccessDecision.DEFAULT;
                }
                return AccessDecision.ALLOW;
            case PARTIAL:
                return AccessDecision.DEFAULT;
            case NONE:
                // Default-deny: no allow authorization covers this entity.
                return AccessDecision.DENY;
            default:
                throw new AssertionError(allowedCoverage);
        }
    }

    /**
     * Renders a title line (label, phase, concrete class) followed by the allowed and
     * denied coverage, each indented one level deeper than the title.
     *
     * @param i indentation level of the title line
     * @return the multi-line debug dump
     */
    @Override // com.evolveum.midpoint.util.DebugDumpable
    public String debugDump(int i) {
        String title = String.format("%s for %s [%s]\n", getDebugLabel(), this.phase, getClass().getSimpleName());
        StringBuilder dump = DebugUtil.createTitleStringBuilder(title, i);
        DebugUtil.debugDumpWithLabelLn(dump, "Allowed", this.allowed, i + 1);
        DebugUtil.debugDumpWithLabel(dump, "Denied", this.denied, i + 1);
        return dump.toString();
    }

    /** Returns the human-readable label that opens the {@link #debugDump(int)} title. */
    abstract String getDebugLabel();

    /* loaded from: input_file:BOOT-INF/lib/security-enforcer-impl-4.9.1-SNAPSHOT.jar:com/evolveum/midpoint/security/enforcer/impl/prism/SinglePhasePrismEntityOpConstraintsImpl$ForItemContent.class */
    /** Constraints attached to an item; they can be narrowed to one of the item's values. */
    public static class ForItemContent extends SinglePhasePrismEntityOpConstraintsImpl<PrismItemCoverageInformation> implements UpdatablePrismEntityOpConstraints.ForItemContent {

        /**
         * @param authorizationPhaseType phase the constraints are evaluated for
         * @param prismItemCoverageInformation item coverage for "allow" authorizations
         * @param prismItemCoverageInformation2 item coverage for "deny" authorizations
         */
        ForItemContent(@NotNull AuthorizationPhaseType authorizationPhaseType, @NotNull PrismItemCoverageInformation prismItemCoverageInformation, @NotNull PrismItemCoverageInformation prismItemCoverageInformation2) {
            super(authorizationPhaseType, prismItemCoverageInformation, prismItemCoverageInformation2);
        }

        /**
         * Builds value-level constraints for one value of this item, for the same phase,
         * from the allow and deny coverage this item holds for that value.
         *
         * @param prismValue value whose constraints are requested
         * @return a new constraints object for the value
         */
        @Override // com.evolveum.midpoint.security.enforcer.impl.prism.UpdatablePrismEntityOpConstraints.ForItemContent, com.evolveum.midpoint.security.enforcer.api.PrismEntityOpConstraints.ForItemContent
        @NotNull
        public ForValueContent getValueConstraints(@NotNull PrismValue prismValue) {
            PrismValueCoverageInformation allowedForValue = this.allowed.getValueCoverageInformation(prismValue);
            PrismValueCoverageInformation deniedForValue = this.denied.getValueCoverageInformation(prismValue);
            return new ForValueContent(this.phase, allowedForValue, deniedForValue);
        }

        @Override // com.evolveum.midpoint.security.enforcer.impl.prism.SinglePhasePrismEntityOpConstraintsImpl
        String getDebugLabel() {
            return "Item-attached operation constraints";
        }
    }

    /* loaded from: input_file:BOOT-INF/lib/security-enforcer-impl-4.9.1-SNAPSHOT.jar:com/evolveum/midpoint/security/enforcer/impl/prism/SinglePhasePrismEntityOpConstraintsImpl$ForValueContent.class */
    /**
     * Constraints attached to a value. This is the level at which authorizations are
     * merged in, and from which item-level and nested value-level constraints are derived.
     */
    public static class ForValueContent extends SinglePhasePrismEntityOpConstraintsImpl<PrismValueCoverageInformation> implements UpdatablePrismEntityOpConstraints.ForValueContent {

        /**
         * Creates constraints with "no coverage" on both the allow and the deny side, to be
         * filled through {@link #applyAuthorization}. Until an allow authorization is merged
         * the decision is presumably DENY (assumes {@code noCoverage} reports NONE - confirm).
         *
         * @param authorizationPhaseType phase the constraints are evaluated for
         */
        public ForValueContent(@NotNull AuthorizationPhaseType authorizationPhaseType) {
            this(authorizationPhaseType, PrismValueCoverageInformation.noCoverage(false), PrismValueCoverageInformation.noCoverage(false));
        }

        /**
         * @param authorizationPhaseType phase the constraints are evaluated for
         * @param prismValueCoverageInformation value coverage for "allow" authorizations
         * @param prismValueCoverageInformation2 value coverage for "deny" authorizations
         */
        ForValueContent(@NotNull AuthorizationPhaseType authorizationPhaseType, @NotNull PrismValueCoverageInformation prismValueCoverageInformation, @NotNull PrismValueCoverageInformation prismValueCoverageInformation2) {
            super(authorizationPhaseType, prismValueCoverageInformation, prismValueCoverageInformation2);
        }

        /**
         * Builds item-level constraints for the named item of this value, for the same phase.
         *
         * @param itemName name of the item
         * @return a new constraints object for the item
         */
        @Override // com.evolveum.midpoint.security.enforcer.impl.prism.UpdatablePrismEntityOpConstraints.ForValueContent, com.evolveum.midpoint.security.enforcer.api.PrismEntityOpConstraints.ForValueContent
        @NotNull
        public ForItemContent getItemConstraints(@NotNull ItemName itemName) {
            PrismItemCoverageInformation allowedForItem = this.allowed.getItemCoverageInformation(itemName);
            PrismItemCoverageInformation deniedForItem = this.denied.getItemCoverageInformation(itemName);
            return new ForItemContent(this.phase, allowedForItem, deniedForItem);
        }

        /**
         * Builds value-level constraints for the value addressed by a path, for the same phase.
         *
         * @param itemPath path to the nested value
         * @return a new constraints object for that value
         */
        @Override // com.evolveum.midpoint.security.enforcer.api.PrismEntityOpConstraints.ForValueContent
        @NotNull
        public ForValueContent getValueConstraints(@NotNull ItemPath itemPath) {
            PrismValueCoverageInformation allowedForValue = this.allowed.getValueCoverageInformation(itemPath);
            PrismValueCoverageInformation deniedForValue = this.denied.getValueCoverageInformation(itemPath);
            return new ForValueContent(this.phase, allowedForValue, deniedForValue);
        }

        /**
         * Builds the constraints that govern this value's metadata item.
         *
         * <p>Three outcomes, checked in this order:
         * <ol>
         *   <li>allow coverage excludes metadata and has no explicit metadata coverage:
         *       nothing allowed, nothing denied;</li>
         *   <li>allow coverage does not exclude metadata and the deny side has metadata
         *       coverage: everything allowed, nothing denied;</li>
         *   <li>otherwise: the regular item constraints for the metadata item.</li>
         * </ol>
         *
         * @return a new constraints object for the metadata item
         */
        @Override // com.evolveum.midpoint.security.enforcer.api.PrismEntityOpConstraints.ForValueContent
        @NotNull
        public ForItemContent getMetadataConstraints() {
            if (this.allowed.isExceptMetadata() && !this.allowed.hasItemCoverage(InfraItemName.METADATA)) {
                // Metadata is carved out of the allow coverage and not granted separately.
                PrismItemCoverageInformation nothingAllowed = PrismItemCoverageInformation.noCoverage(false);
                PrismItemCoverageInformation nothingDenied = PrismItemCoverageInformation.noCoverage(false);
                return new ForItemContent(this.phase, nothingAllowed, nothingDenied);
            }
            if (!this.allowed.isExceptMetadata() && this.denied.hasItemCoverage(InfraItemName.METADATA)) {
                // NOTE(review): this branch is taken exactly when the deny side holds coverage
                // information for the metadata item, yet the result carries full allow coverage
                // and an empty deny side. Confirm against the upstream source that dropping the
                // deny-side metadata coverage here is intended.
                PrismItemCoverageInformation everythingAllowed = PrismItemCoverageInformation.fullCoverage(false);
                PrismItemCoverageInformation nothingDenied = PrismItemCoverageInformation.noCoverage(false);
                return new ForItemContent(this.phase, everythingAllowed, nothingDenied);
            }
            return getItemConstraints((ItemName) InfraItemName.METADATA);
        }

        /**
         * Folds one evaluated authorization into these constraints.
         *
         * <p>An authorization that does not match this phase, or for which no coverage
         * information can be computed ({@code null}), is skipped and leaves the constraints
         * untouched. Otherwise its coverage is merged into the allow side when the
         * authorization is an "allow" one, and into the deny side in every other case.
         *
         * @param prismObjectValue object value the authorization is evaluated against
         * @param authorizationEvaluation evaluation carrying the authorization to apply
         */
        @Override // com.evolveum.midpoint.security.enforcer.impl.prism.UpdatablePrismEntityOpConstraints.ForValueContent
        public void applyAuthorization(@NotNull PrismObjectValue<?> prismObjectValue, @NotNull AuthorizationEvaluation authorizationEvaluation) throws ConfigurationException, SchemaException, ExpressionEvaluationException, CommunicationException, SecurityViolationException, ObjectNotFoundException {
            Authorization authorization = authorizationEvaluation.getAuthorization();
            if (!authorization.matchesPhase(this.phase)) {
                return;
            }
            PrismValueCoverageInformation coverage = PrismValueCoverageInformation.forAuthorization(prismObjectValue, authorizationEvaluation);
            if (coverage == null) {
                return;
            }
            // Anything that is not explicitly "allow" is accumulated on the deny side.
            PrismValueCoverageInformation target = authorization.isAllow() ? this.allowed : this.denied;
            target.merge(coverage);
        }

        @Override // com.evolveum.midpoint.security.enforcer.impl.prism.SinglePhasePrismEntityOpConstraintsImpl
        String getDebugLabel() {
            return "Value-attached operation constraints";
        }
    }
}
