package com.evolveum.midpoint.security.enforcer.impl;

import com.evolveum.axiom.concepts.Lazy;
import com.evolveum.midpoint.prism.PrismContainerValue;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.PrismValue;
import com.evolveum.midpoint.prism.delta.ItemDelta;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.prism.path.PathSet;
import com.evolveum.midpoint.prism.util.ObjectDeltaObject;
import com.evolveum.midpoint.prism.xml.XsdTypeMapper;
import com.evolveum.midpoint.repo.common.expression.ExpressionUtil;
import com.evolveum.midpoint.schema.expression.VariablesMap;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.selector.eval.ObjectFilterExpressionEvaluator;
import com.evolveum.midpoint.schema.selector.spec.ValueSelector;
import com.evolveum.midpoint.schema.traces.details.AbstractTraceEvent;
import com.evolveum.midpoint.schema.traces.details.ProcessingTracer;
import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
import com.evolveum.midpoint.schema.util.SchemaDebugUtil;
import com.evolveum.midpoint.security.api.Authorization;
import com.evolveum.midpoint.security.api.AuthorizationConstants;
import com.evolveum.midpoint.security.enforcer.api.AbstractAuthorizationParameters;
import com.evolveum.midpoint.security.enforcer.api.AuthorizationParameters;
import com.evolveum.midpoint.security.enforcer.api.ValueAuthorizationParameters;
import com.evolveum.midpoint.security.enforcer.impl.SecurityTraceEvent;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.util.MiscUtil;
import com.evolveum.midpoint.util.QNameUtil;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.NotHereAssertionError;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationLimitationsType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OrderConstraintsType;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import javax.xml.namespace.QName;
import org.codehaus.groovy.runtime.MethodClosure;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

/* loaded from: input_file:BOOT-INF/lib/security-enforcer-impl-4.9.2-SNAPSHOT.jar:com/evolveum/midpoint/security/enforcer/impl/AuthorizationEvaluation.class */
/**
 * Evaluation of one {@link Authorization} within one {@link EnforcerOperation}.
 *
 * <p>The {@code isApplicableTo...} methods each test one dimension of the authorization
 * (action, phase, limitations, order constraints, relation, object/target selectors) and
 * {@code matchesOnItems} tests its item constraints. Every decision is reported through
 * {@code op.tracer} when tracing is enabled.
 *
 * <p>NOTE(review): this listing is JADX decompiler output. Parameter and local names are
 * synthetic, constants are partly inlined, and the nested records appear in desugared form,
 * so the file documents behaviour but is not expected to compile as-is.
 */
public class AuthorizationEvaluation {
    // Prefix of evaluation IDs; the package-private constructor below carries the same literal inline.
    private static final String AUTZ_ID_PREFIX = "AUTZ.";
    // Prefix of selector IDs; selectorId() below uses the literal ".SEL." (with a leading dot) rather than this constant.
    private static final String SEL_ID_PREFIX = "SEL.";

    // Identifier of this evaluation ("AUTZ." + index, or "" when none was supplied); also the prefix of selector IDs.
    @NotNull
    private final String id;

    // The authorization whose applicability is being evaluated.
    @NotNull
    final Authorization authorization;

    // Human-readable description of the authorization, obtained from getHumanReadableDesc() through Lazy.
    @NotNull
    private final Lazy<String> lazyDescription;

    // The enforcer operation this evaluation belongs to; source of the tracer, the principal focus, beans and task.
    @NotNull
    final EnforcerOperation op;

    // Beans taken from op.b; used here for the expression factory.
    @NotNull
    private final Beans b;

    // Task taken from op.task; passed to filter expression evaluation.
    @NotNull
    private final Task task;

    // Operation result passed to filter expression evaluation and to selector evaluation.
    @NotNull
    final OperationResult result;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:BOOT-INF/lib/security-enforcer-impl-4.9.2-SNAPSHOT.jar:com/evolveum/midpoint/security/enforcer/impl/AuthorizationEvaluation$ItemsMatchResult.class */
    /**
     * Outcome of matching the authorization's item constraints: the decision ({@code value}),
     * a format string ({@code message}) and its arguments ({@code objects}).
     *
     * <p>Decompiled record: {@code extends Record} and the {@code ObjectMethods.bootstrap} bodies
     * below are the decompiler's rendering of compiler-generated record members.
     */
    public static final class ItemsMatchResult extends Record {
        // true = the item constraints match (authorization relevant for the items), false = they do not.
        private final boolean value;

        // Format string for the explanation; formatted with 'objects' in getFormattedMessage().
        @NotNull
        private final String message;
        // Arguments for 'message'.
        private final Object[] objects;

        ItemsMatchResult(boolean z, @NotNull String str, Object... objArr) {
            this.value = z;
            this.message = str;
            this.objects = objArr;
        }

        /** Creates a matching result with the given format string and arguments. */
        static ItemsMatchResult positive(@NotNull String str, Object... objArr) {
            return new ItemsMatchResult(true, str, objArr);
        }

        /** Creates a non-matching result with the given format string and arguments. */
        static ItemsMatchResult negative(@NotNull String str, Object... objArr) {
            return new ItemsMatchResult(false, str, objArr);
        }

        /**
         * Returns {@code message} formatted with {@code objects}.
         *
         * <p>All call sites in this file pass literal format strings, with item paths as arguments.
         * NOTE(review): keep it that way; a message built from variable data would be interpreted as
         * a format string here.
         */
        String getFormattedMessage() {
            return this.message.formatted(this.objects);
        }

        // Decompiler rendering of the compiler-generated record toString() (invokedynamic); not hand-written logic.
        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, ItemsMatchResult.class), ItemsMatchResult.class, "value;message;objects", "FIELD:Lcom/evolveum/midpoint/security/enforcer/impl/AuthorizationEvaluation$ItemsMatchResult;->value:Z", "FIELD:Lcom/evolveum/midpoint/security/enforcer/impl/AuthorizationEvaluation$ItemsMatchResult;->message:Ljava/lang/String;", "FIELD:Lcom/evolveum/midpoint/security/enforcer/impl/AuthorizationEvaluation$ItemsMatchResult;->objects:[Ljava/lang/Object;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        // Decompiler rendering of the compiler-generated record hashCode() (invokedynamic); not hand-written logic.
        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, ItemsMatchResult.class), ItemsMatchResult.class, "value;message;objects", "FIELD:Lcom/evolveum/midpoint/security/enforcer/impl/AuthorizationEvaluation$ItemsMatchResult;->value:Z", "FIELD:Lcom/evolveum/midpoint/security/enforcer/impl/AuthorizationEvaluation$ItemsMatchResult;->message:Ljava/lang/String;", "FIELD:Lcom/evolveum/midpoint/security/enforcer/impl/AuthorizationEvaluation$ItemsMatchResult;->objects:[Ljava/lang/Object;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        // Decompiler rendering of the compiler-generated record equals() (invokedynamic); not hand-written logic.
        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, ItemsMatchResult.class, Object.class), ItemsMatchResult.class, "value;message;objects", "FIELD:Lcom/evolveum/midpoint/security/enforcer/impl/AuthorizationEvaluation$ItemsMatchResult;->value:Z", "FIELD:Lcom/evolveum/midpoint/security/enforcer/impl/AuthorizationEvaluation$ItemsMatchResult;->message:Ljava/lang/String;", "FIELD:Lcom/evolveum/midpoint/security/enforcer/impl/AuthorizationEvaluation$ItemsMatchResult;->objects:[Ljava/lang/Object;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        /** Returns the match decision. */
        public boolean value() {
            return this.value;
        }

        /** Returns the unformatted message (format string). */
        @NotNull
        public String message() {
            return this.message;
        }

        /** Returns the format arguments; the internal array is returned without copying. */
        public Object[] objects() {
            return this.objects;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:BOOT-INF/lib/security-enforcer-impl-4.9.2-SNAPSHOT.jar:com/evolveum/midpoint/security/enforcer/impl/AuthorizationEvaluation$SelectorApplicabilityResult.class */
    /**
     * Outcome of evaluating object or target selectors: the decision ({@code value}) and a
     * plain-text explanation ({@code message}) used in trace output.
     *
     * <p>Decompiled record; see the note on the {@code ObjectMethods.bootstrap} bodies below.
     */
    public static final class SelectorApplicabilityResult extends Record {
        // true = the selectors admit the value, false = they do not.
        private final boolean value;

        // Explanation of the decision; used verbatim (not as a format string) in this class.
        @NotNull
        private final String message;

        private SelectorApplicabilityResult(boolean z, @NotNull String str) {
            this.value = z;
            this.message = str;
        }

        /** Creates an "applicable" result with the given explanation. */
        static SelectorApplicabilityResult positive(@NotNull String str) {
            return new SelectorApplicabilityResult(true, str);
        }

        /** Creates a "not applicable" result with the given explanation. */
        static SelectorApplicabilityResult negative(@NotNull String str) {
            return new SelectorApplicabilityResult(false, str);
        }

        /**
         * Combines two results: the value is the logical AND of both, the message joins both
         * messages, each followed by its label in parentheses.
         *
         * @param str label of the first result
         * @param selectorApplicabilityResult first result
         * @param str2 label of the second result
         * @param selectorApplicabilityResult2 second result
         */
        static SelectorApplicabilityResult combined(String str, SelectorApplicabilityResult selectorApplicabilityResult, String str2, SelectorApplicabilityResult selectorApplicabilityResult2) {
            return new SelectorApplicabilityResult(selectorApplicabilityResult.value && selectorApplicabilityResult2.value, selectorApplicabilityResult.message + " (" + str + "), " + selectorApplicabilityResult2.message + " (" + str2 + ")");
        }

        // Decompiler rendering of the compiler-generated record toString() (invokedynamic); not hand-written logic.
        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, SelectorApplicabilityResult.class), SelectorApplicabilityResult.class, "value;message", "FIELD:Lcom/evolveum/midpoint/security/enforcer/impl/AuthorizationEvaluation$SelectorApplicabilityResult;->value:Z", "FIELD:Lcom/evolveum/midpoint/security/enforcer/impl/AuthorizationEvaluation$SelectorApplicabilityResult;->message:Ljava/lang/String;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        // Decompiler rendering of the compiler-generated record hashCode() (invokedynamic); not hand-written logic.
        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, SelectorApplicabilityResult.class), SelectorApplicabilityResult.class, "value;message", "FIELD:Lcom/evolveum/midpoint/security/enforcer/impl/AuthorizationEvaluation$SelectorApplicabilityResult;->value:Z", "FIELD:Lcom/evolveum/midpoint/security/enforcer/impl/AuthorizationEvaluation$SelectorApplicabilityResult;->message:Ljava/lang/String;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        // Decompiler rendering of the compiler-generated record equals() (invokedynamic); not hand-written logic.
        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, SelectorApplicabilityResult.class, Object.class), SelectorApplicabilityResult.class, "value;message", "FIELD:Lcom/evolveum/midpoint/security/enforcer/impl/AuthorizationEvaluation$SelectorApplicabilityResult;->value:Z", "FIELD:Lcom/evolveum/midpoint/security/enforcer/impl/AuthorizationEvaluation$SelectorApplicabilityResult;->message:Ljava/lang/String;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        /** Returns the applicability decision. */
        public boolean value() {
            return this.value;
        }

        /** Returns the explanation of the decision. */
        @NotNull
        public String message() {
            return this.message;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates an evaluation whose ID is {@code "AUTZ." + i}.
     *
     * @param i index used to build the ID
     * @param authorization authorization to evaluate
     * @param enforcerOperation operation this evaluation is part of
     * @param operationResult operation result handed to expression and selector evaluation
     */
    public AuthorizationEvaluation(int i, @NotNull Authorization authorization, @NotNull EnforcerOperation enforcerOperation, @NotNull OperationResult operationResult) {
        this("AUTZ." + i, authorization, enforcerOperation, operationResult);
    }

    /**
     * Creates an evaluation with an explicit ID; a {@code null} ID is stored as the empty string.
     * Beans and task are copied from the enforcer operation.
     */
    private AuthorizationEvaluation(@Nullable String str, @NotNull Authorization authorization, @NotNull EnforcerOperation enforcerOperation, @NotNull OperationResult operationResult) {
        this.id = (String) Objects.requireNonNullElse(str, "");
        this.authorization = authorization;
        this.op = enforcerOperation;
        this.b = enforcerOperation.b;
        this.task = enforcerOperation.task;
        this.result = operationResult;
        // Wrapped in Lazy, so the description is presumably built only when getDesc() is first called.
        this.lazyDescription = Lazy.from(() -> {
            return this.authorization.getHumanReadableDesc();
        });
    }

    /** Returns the authorization being evaluated. */
    @NotNull
    public Authorization getAuthorization() {
        return this.authorization;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Tells whether the authorization covers the given action.
     *
     * @param str action URL of the requested operation
     * @return {@code true} when the authorization lists this action or
     *         {@code AuthorizationConstants.AUTZ_ALL_URL}; the outcome is traced either way
     */
    public boolean isApplicableToAction(@NotNull String str) {
        List<String> action = this.authorization.getAction();
        if (action.contains(str) || action.contains(AuthorizationConstants.AUTZ_ALL_URL)) {
            traceAutzApplicableToAction(str);
            return true;
        }
        traceAutzNotApplicableToAction(str);
        return false;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Tells whether the authorization covers at least one of the given actions.
     *
     * @param strArr action URLs; iterated without a null check, so {@code null} fails with a
     *        {@link NullPointerException} unless the authorization lists {@code AUTZ_ALL_URL}
     * @return {@code true} when the authorization lists {@code AUTZ_ALL_URL} or any of the actions
     */
    public boolean isApplicableToActions(String[] strArr) {
        List<String> action = this.authorization.getAction();
        // "All actions" is checked first and wins without looking at the requested actions.
        if (action.contains(AuthorizationConstants.AUTZ_ALL_URL)) {
            traceAutzApplicableToAnyAction();
            return true;
        }
        for (String str : strArr) {
            if (action.contains(str)) {
                traceAutzApplicableToAction(str);
                return true;
            }
        }
        traceAutzNotApplicableToActions(strArr);
        return false;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Tells whether the authorization's phase is accepted by the given selector
     * ({@code phaseSelector.matches(authorization.getPhase())}); the outcome is traced either way.
     */
    public boolean isApplicableToPhase(@NotNull PhaseSelector phaseSelector) {
        if (phaseSelector.matches(this.authorization.getPhase())) {
            traceAutzApplicableToPhase(phaseSelector);
            return true;
        }
        traceAutzNotApplicableToPhase(phaseSelector);
        return false;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Checks the authorization's limitations against one limit action.
     *
     * <p>The authorization passes when {@code str} is {@code null}, when it declares no limitations,
     * or when the limitation's action list is empty or contains {@code str}.
     *
     * <p>NOTE(review): a {@code null} {@code str} skips the limitation check entirely, so the
     * limitation is only enforced when the caller supplies a limit action — confirm that every
     * caller that should honour limitations does so.
     *
     * @param str limit action to test against the limitation's action list
     * @param strArr actions of the operation; used only in the trace message, not in the decision
     * @return {@code false} only when a limitation with a non-empty action list excludes {@code str}
     */
    public boolean isApplicableToLimitations(String str, String[] strArr) {
        AuthorizationLimitationsType limitations;
        if (str == null || (limitations = this.authorization.getLimitations()) == null) {
            return true;
        }
        List<String> action = limitations.getAction();
        if (action.isEmpty() || action.contains(str)) {
            return true;
        }
        traceAutzNotApplicableToLimitations(strArr);
        return false;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Tells whether the authorization admits the requested order constraints; a negative outcome
     * is traced.
     *
     * @param list requested order constraints, may be {@code null} or empty
     */
    public boolean isApplicableToOrderConstraints(List<OrderConstraintsType> list) {
        boolean orderConstraintsApplicability = getOrderConstraintsApplicability(list);
        if (!orderConstraintsApplicability) {
            traceAutzNotApplicableToOrderConstraints(list);
        }
        return orderConstraintsApplicability;
    }

    /**
     * Decides order-constraint applicability without tracing.
     *
     * <ul>
     * <li>An authorization listing {@code AUTZ_ALL_URL} is applicable regardless of order constraints.</li>
     * <li>With no requested constraints, the authorization is applicable only when it defines none itself.</li>
     * <li>Otherwise every requested constraint must be a subset of the authorization's constraint
     *     (see {@code isSubset}).</li>
     * </ul>
     */
    private boolean getOrderConstraintsApplicability(List<OrderConstraintsType> list) {
        if (this.authorization.getAction().contains(AuthorizationConstants.AUTZ_ALL_URL)) {
            return true;
        }
        OrderConstraintsType orderConstraints = this.authorization.getOrderConstraints();
        if (list == null || list.isEmpty()) {
            return orderConstraints == null;
        }
        Iterator<OrderConstraintsType> it = list.iterator();
        while (it.hasNext()) {
            // A single requested constraint outside the authorized range rejects the authorization.
            if (!isSubset(it.next(), orderConstraints)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Tells whether the order range of a requested constraint lies within the order range of the
     * authorization's constraint.
     *
     * @param orderConstraintsType requested constraint
     * @param orderConstraintsType2 authorization's constraint; {@code null} is treated as the range 0..0
     * @return {@code true} when the requested range is within the authorized range
     * @throws UnsupportedOperationException when the authorization's constraint carries a relation
     *         or a resetOrder
     */
    private static boolean isSubset(OrderConstraintsType orderConstraintsType, OrderConstraintsType orderConstraintsType2) {
        // intValue / intValue2 = lower / upper bound allowed by the authorization.
        int intValue;
        int intValue2;
        if (orderConstraintsType2 == null) {
            intValue = 0;
            intValue2 = 0;
        } else {
            if (orderConstraintsType2.getRelation() != null) {
                throw new UnsupportedOperationException("Complex order constraints with relation not supported in authorizations");
            }
            if (orderConstraintsType2.getResetOrder() != null) {
                throw new UnsupportedOperationException("Complex order constraints with resetOrder not supported in authorizations");
            }
            // Missing orderMin/orderMax fall back to 'order' (which itself falls back via MiscUtil.or0).
            int or0 = MiscUtil.or0(orderConstraintsType2.getOrder());
            intValue = ((Integer) Objects.requireNonNullElse(XsdTypeMapper.multiplicityToInteger(orderConstraintsType2.getOrderMin()), Integer.valueOf(or0))).intValue();
            intValue2 = ((Integer) Objects.requireNonNullElse(XsdTypeMapper.multiplicityToInteger(orderConstraintsType2.getOrderMax()), Integer.valueOf(or0))).intValue();
        }
        // Requested bounds: missing orderMin/orderMax fall back to the requested 'order'.
        // NOTE(review): if order, orderMin and orderMax are all absent the intValue() calls below
        // would throw a NullPointerException — confirm whether callers guarantee a value.
        Integer order = orderConstraintsType.getOrder();
        Integer multiplicityToInteger = XsdTypeMapper.multiplicityToInteger(orderConstraintsType.getOrderMin());
        if (multiplicityToInteger == null) {
            multiplicityToInteger = order;
        }
        Integer multiplicityToInteger2 = XsdTypeMapper.multiplicityToInteger(orderConstraintsType.getOrderMax());
        if (multiplicityToInteger2 == null) {
            multiplicityToInteger2 = order;
        }
        // A negative lower bound on either side, or a requested lower bound below the authorized one, is not a subset.
        if (intValue < 0 || multiplicityToInteger.intValue() < 0 || multiplicityToInteger.intValue() < intValue) {
            return false;
        }
        // A negative authorized upper bound accepts any requested upper bound
        // (presumably the encoding of "unbounded" — TODO confirm against XsdTypeMapper.multiplicityToInteger).
        if (intValue2 < 0) {
            return true;
        }
        return multiplicityToInteger2.intValue() >= 0 && multiplicityToInteger2.intValue() <= intValue2;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Tells whether the authorization applies to the given operation parameters.
     *
     * <p>For {@code AuthorizationParameters} the relation, order constraints, object operation and
     * target are checked in that order, stopping at the first failure. For
     * {@code ValueAuthorizationParameters} only the value is checked against the object selectors.
     *
     * @throws NotHereAssertionError for any other parameter type
     */
    public boolean isApplicableToParameters(@NotNull AbstractAuthorizationParameters abstractAuthorizationParameters) throws SchemaException, ExpressionEvaluationException, CommunicationException, SecurityViolationException, ConfigurationException, ObjectNotFoundException {
        if (abstractAuthorizationParameters instanceof AuthorizationParameters) {
            AuthorizationParameters authorizationParameters = (AuthorizationParameters) abstractAuthorizationParameters;
            return isApplicableToRelation(authorizationParameters.getRelation()) && isApplicableToOrderConstraints(authorizationParameters.getOrderConstraints()) && isApplicableToObjectOperation(authorizationParameters.getOdo()) && isApplicableToTarget(authorizationParameters.getTarget());
        }
        if (abstractAuthorizationParameters instanceof ValueAuthorizationParameters) {
            return isApplicableToObjectValue(((ValueAuthorizationParameters) abstractAuthorizationParameters).getValue());
        }
        throw new NotHereAssertionError();
    }

    /**
     * Tells whether the authorization covers the given relation. An authorization with an empty
     * relation list covers every relation; a negative outcome is traced.
     */
    private boolean isApplicableToRelation(QName qName) {
        List<QName> relation = this.authorization.getRelation();
        if (relation.isEmpty() || QNameUtil.contains(relation, qName)) {
            return true;
        }
        traceAutzNotApplicableToRelation(qName);
        return false;
    }

    /**
     * Evaluates the object selectors against an object operation and traces the outcome.
     *
     * @param objectDeltaObject object together with its delta; may be {@code null}
     */
    private boolean isApplicableToObjectOperation(ObjectDeltaObject<? extends ObjectType> objectDeltaObject) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        SelectorApplicabilityResult isApplicableToObjectDeltaObjectInternal = isApplicableToObjectDeltaObjectInternal(objectDeltaObject);
        traceAutzApplicabilityToObjectOrTarget("object", objectDeltaObject != null ? objectDeltaObject.getAnyObject() : null, isApplicableToObjectDeltaObjectInternal);
        return isApplicableToObjectDeltaObjectInternal.value;
    }

    /**
     * Evaluates the object selectors against an object operation.
     *
     * <ul>
     * <li>No object selectors: applicable.</li>
     * <li>Selectors defined but no operation info: not applicable.</li>
     * <li>No delta, or a delta that is not a modification: the selectors are evaluated on the
     *     object returned by {@code getAnyObjectRequired()}.</li>
     * <li>Modification: the selectors are evaluated on the old object. When that matches and
     *     {@code authorization.keepZoneOfControl()} is set, the new object must match as well,
     *     so a modification cannot take the object out of the set the selectors describe. When
     *     the flag is not set, only the state before the modification is checked.</li>
     * </ul>
     */
    private <O extends ObjectType> SelectorApplicabilityResult isApplicableToObjectDeltaObjectInternal(ObjectDeltaObject<O> objectDeltaObject) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        List<ValueSelector> parsedObjectSelectors = this.authorization.getParsedObjectSelectors();
        if (parsedObjectSelectors.isEmpty()) {
            return SelectorApplicabilityResult.positive("no object selectors defined");
        }
        if (objectDeltaObject == null) {
            return SelectorApplicabilityResult.negative("null object operation info but selector(s) defined");
        }
        ObjectDelta<O> objectDelta = objectDeltaObject.getObjectDelta();
        if (objectDelta == null || !objectDelta.isModify()) {
            return areSelectorsApplicable(parsedObjectSelectors, objectDeltaObject.getAnyObjectRequired(), "object");
        }
        SelectorApplicabilityResult areSelectorsApplicable = areSelectorsApplicable(parsedObjectSelectors, objectDeltaObject.getOldObjectRequired(), "object(old)");
        // NOTE(review): MethodClosure.NEW is used here only as the label of the second result; the
        // decompiler has presumably substituted a Groovy constant for a plain "new" literal — confirm.
        return (areSelectorsApplicable.value && this.authorization.keepZoneOfControl()) ? SelectorApplicabilityResult.combined("old", areSelectorsApplicable, MethodClosure.NEW, areSelectorsApplicable(parsedObjectSelectors, objectDeltaObject.getNewObjectRequired(), "object(new)")) : areSelectorsApplicable;
    }

    /**
     * Evaluates selectors against a prism object by converting it with
     * {@code ObjectTypeUtil.getValue} and delegating to the {@code PrismValue} overload.
     */
    private <O extends ObjectType> SelectorApplicabilityResult areSelectorsApplicable(@NotNull List<ValueSelector> list, @Nullable PrismObject<O> prismObject, @NotNull String str) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        return areSelectorsApplicable(list, ObjectTypeUtil.getValue(prismObject), str);
    }

    /**
     * Evaluates selectors against a value: an empty selector list is applicable to anything, a
     * {@code null} value never matches a non-empty list, and otherwise the first matching
     * selector decides (the selectors are alternatives).
     *
     * @param list selectors to evaluate
     * @param prismValue value to test, may be {@code null}
     * @param str description of the value's role, passed on to selector evaluation
     */
    private SelectorApplicabilityResult areSelectorsApplicable(@NotNull List<ValueSelector> list, @Nullable PrismValue prismValue, @NotNull String str) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        if (list.isEmpty()) {
            return SelectorApplicabilityResult.positive("no selectors defined");
        }
        if (prismValue == null) {
            return SelectorApplicabilityResult.negative("null object but selector(s) defined");
        }
        // Selector IDs are numbered from 0 in list order.
        int i = 0;
        Iterator<ValueSelector> it = list.iterator();
        while (it.hasNext()) {
            int i2 = i;
            i++;
            if (isSelectorApplicable(selectorId(i2), it.next(), prismValue, str)) {
                return SelectorApplicabilityResult.positive("a selector matched");
            }
        }
        return SelectorApplicabilityResult.negative("no selector matched");
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Evaluates the authorization's object selectors against the given object and traces the outcome. */
    public boolean isApplicableToObject(PrismObject<? extends ObjectType> prismObject) throws SchemaException, ExpressionEvaluationException, CommunicationException, SecurityViolationException, ConfigurationException, ObjectNotFoundException {
        SelectorApplicabilityResult areSelectorsApplicable = areSelectorsApplicable(this.authorization.getParsedObjectSelectors(), prismObject, "object");
        traceAutzApplicabilityToObjectOrTarget("object", prismObject, areSelectorsApplicable);
        return areSelectorsApplicable.value;
    }

    /** Evaluates the authorization's object selectors against the given value and traces the outcome. */
    private boolean isApplicableToObjectValue(@Nullable PrismValue prismValue) throws SchemaException, ExpressionEvaluationException, CommunicationException, SecurityViolationException, ConfigurationException, ObjectNotFoundException {
        SelectorApplicabilityResult areSelectorsApplicable = areSelectorsApplicable(this.authorization.getParsedObjectSelectors(), prismValue, "object");
        traceAutzApplicabilityToObjectValue(prismValue, areSelectorsApplicable);
        return areSelectorsApplicable.value;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Evaluates the authorization's target selectors against the given target and traces the outcome. */
    public <T extends ObjectType> boolean isApplicableToTarget(PrismObject<T> prismObject) throws SchemaException, ExpressionEvaluationException, CommunicationException, SecurityViolationException, ConfigurationException, ObjectNotFoundException {
        SelectorApplicabilityResult areSelectorsApplicable = areSelectorsApplicable(this.authorization.getParsedTargetSelectors(), prismObject, "target");
        traceAutzApplicabilityToObjectOrTarget("target", prismObject, areSelectorsApplicable);
        return areSelectorsApplicable.value;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Matches the authorization's item constraints against the operation parameters: the old
     * object and the delta for {@code AuthorizationParameters}, the value alone (no delta) for
     * {@code ValueAuthorizationParameters}.
     *
     * @throws NotHereAssertionError for any other parameter type
     */
    public ItemsMatchResult matchesOnItems(@NotNull AbstractAuthorizationParameters abstractAuthorizationParameters) throws SchemaException {
        if (abstractAuthorizationParameters instanceof AuthorizationParameters) {
            AuthorizationParameters authorizationParameters = (AuthorizationParameters) abstractAuthorizationParameters;
            return matchesOnItems(ObjectTypeUtil.getValue(authorizationParameters.getOldObject()), authorizationParameters.getDelta());
        }
        if (abstractAuthorizationParameters instanceof ValueAuthorizationParameters) {
            return matchesOnItems(((ValueAuthorizationParameters) abstractAuthorizationParameters).getValue(), null);
        }
        throw new NotHereAssertionError();
    }

    /**
     * Chooses which item list to match: a non-empty {@code items} list is used as the positive
     * list; otherwise a non-empty {@code exceptItems} list is used as the exclusion list; with
     * both empty the authorization applies to all items.
     */
    private ItemsMatchResult matchesOnItems(PrismValue prismValue, ObjectDelta<? extends ObjectType> objectDelta) throws SchemaException {
        PathSet items = this.authorization.getItems();
        if (!items.isEmpty()) {
            return matchesOnItems(prismValue, objectDelta, items, true);
        }
        PathSet exceptItems = this.authorization.getExceptItems();
        return exceptItems.isEmpty() ? ItemsMatchResult.positive("no item constraints -> applicable to all items", new Object[0]) : matchesOnItems(prismValue, objectDelta, exceptItems, false);
    }

    /**
     * Looks for the first listed path that is touched by the operation.
     *
     * <p>When a delta is supplied only the delta is consulted (a path counts when the delta holds
     * a non-empty item delta for it) and the value is ignored; without a delta a path counts when
     * the value contains the item.
     *
     * @param prismValue value to inspect when there is no delta; may be {@code null}
     * @param objectDelta delta to inspect; may be {@code null}
     * @param pathSet paths to look for
     * @param z {@code true} when {@code pathSet} is the positive list (a hit is a match),
     *        {@code false} when it is the exclusion list (a hit is a non-match)
     * @return for the positive list: match on the first hit, otherwise no match; for the exclusion
     *         list: no match on the first hit, otherwise match
     */
    private static ItemsMatchResult matchesOnItems(PrismValue prismValue, ObjectDelta<? extends ObjectType> objectDelta, PathSet pathSet, boolean z) throws SchemaException {
        Iterator<ItemPath> it = pathSet.iterator();
        while (it.hasNext()) {
            ItemPath next = it.next();
            if (objectDelta != null) {
                // NOTE(review): the IV/ID type arguments and the comparison with 0 are decompiler
                // artifacts; the check presumably reads "findItemDelta != null" in the original — confirm.
                ItemDelta<IV, ID> findItemDelta = objectDelta.findItemDelta(next);
                if (findItemDelta != 0 && !findItemDelta.isEmpty()) {
                    return z ? ItemsMatchResult.positive("applicable delta item '%s'", next) : ItemsMatchResult.negative("excluded delta item '%s'", next);
                }
            } else if (prismValue != null && containsItem(prismValue, next)) {
                return z ? ItemsMatchResult.positive("applicable object item '%s'", next) : ItemsMatchResult.negative("excluded object item '%s'", next);
            }
        }
        return z ? ItemsMatchResult.negative("no applicable item", new Object[0]) : ItemsMatchResult.positive("no excluded item", new Object[0]);
    }

    /**
     * Tells whether the value contains an item at the given path. An empty path is always
     * contained; otherwise only a {@code PrismContainerValue} can contain items.
     */
    private static boolean containsItem(@NotNull PrismValue prismValue, @NotNull ItemPath itemPath) throws SchemaException {
        if (itemPath.isEmpty()) {
            return true;
        }
        if (prismValue instanceof PrismContainerValue) {
            // Meaning of the 'false' flag is defined by PrismContainerValue.containsItem and is not visible here.
            return ((PrismContainerValue) prismValue).containsItem(itemPath, false);
        }
        return false;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates an evaluator that resolves expressions embedded in a selector filter.
     *
     * <p>A {@code null} filter yields {@code null}. Otherwise the expressions are evaluated with a
     * {@code subject} variable bound to the principal's focus (left undefined when there is no
     * principal focus), under the profile returned by {@code MiscSchemaUtil.getExpressionProfile()}.
     *
     * <p>NOTE(review): the expressions come from the authorization definition and are executed
     * during enforcement — confirm which expression profile {@code getExpressionProfile()} returns
     * and whether it restricts what those expressions may do.
     *
     * @param str description of the filter's location, used in the expression's error context
     */
    public ObjectFilterExpressionEvaluator createFilterEvaluator(String str) {
        return objectFilter -> {
            if (objectFilter == null) {
                return null;
            }
            VariablesMap variablesMap = new VariablesMap();
            FocusType principalFocus = this.op.getPrincipalFocus();
            if (principalFocus != null) {
                variablesMap.addVariableWithDeterminedDefinition("subject", principalFocus);
            }
            return ExpressionUtil.evaluateFilterExpressions(objectFilter, variablesMap, MiscSchemaUtil.getExpressionProfile(), this.b.expressionFactory, "expression in " + str + " in authorization " + getDesc(), this.task, this.result);
        };
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Returns the human-readable description of the authorization. */
    public String getDesc() {
        return this.lazyDescription.get();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the {@code skipSubObjectSelectors} option when the enclosing operation is a
     * {@code CompileConstraintsOperation}; {@code false} for any other operation.
     */
    public boolean shouldSkipSubObjectSelectors() {
        EnforcerOperation enforcerOperation = this.op;
        if (enforcerOperation instanceof CompileConstraintsOperation) {
            return ((CompileConstraintsOperation) enforcerOperation).getOptions().isSkipSubObjectSelectors();
        }
        return false;
    }

    /**
     * Evaluates one selector against a value by delegating to a new {@code SelectorEvaluation}.
     *
     * @param str ID of the selector (see {@code selectorId})
     * @param valueSelector selector to evaluate
     * @param prismValue value to test
     * @param str2 description of the value's role
     */
    public boolean isSelectorApplicable(@NotNull String str, @NotNull ValueSelector valueSelector, @NotNull PrismValue prismValue, @NotNull String str2) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
        return new SelectorEvaluation(str, valueSelector, prismValue, str2, this, this.result).isSelectorApplicable();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Traces the start of processing of this authorization (only when the tracer is enabled). */
    public void traceStart() {
        if (this.op.tracer.isEnabled()) {
            this.op.tracer.trace(new SecurityTraceEvent.AuthorizationProcessingStarted(this));
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Traces the end of processing with a caller-supplied message.
     *
     * @param str message, passed on together with {@code objArr}; presumably a format string —
     *        callers should keep it constant and put variable data in the arguments
     * @param objArr arguments for the message
     */
    public void traceEndNotApplicable(String str, Object... objArr) {
        if (this.op.tracer.isEnabled()) {
            this.op.tracer.trace(new SecurityTraceEvent.AuthorizationProcessingFinished(this, str, objArr));
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Traces the end of processing with the message "not applicable". */
    public void traceEndNotApplicable() {
        if (this.op.tracer.isEnabled()) {
            this.op.tracer.trace(new SecurityTraceEvent.AuthorizationProcessingFinished(this, "not applicable", new Object[0]));
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Traces the end of processing with the message "applied". */
    public void traceEndApplied() {
        if (this.op.tracer.isEnabled()) {
            this.op.tracer.trace(new SecurityTraceEvent.AuthorizationProcessingFinished(this, "applied", new Object[0]));
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Traces the end of processing with a caller-supplied message.
     *
     * @param str message, passed on together with {@code objArr}; presumably a format string —
     *        callers should keep it constant and put variable data in the arguments
     * @param objArr arguments for the message
     */
    public void traceEndApplied(String str, Object... objArr) {
        if (this.op.tracer.isEnabled()) {
            this.op.tracer.trace(new SecurityTraceEvent.AuthorizationProcessingFinished(this, str, objArr));
        }
    }

    /** Traces that the authorization does not cover the given action. */
    private void traceAutzNotApplicableToAction(@NotNull String str) {
        if (this.op.tracer.isEnabled()) {
            this.op.tracer.trace(new SecurityTraceEvent.AuthorizationProcessingEvent(this, "Authorization is not applicable for operation %s", SecurityEnforcerImpl.prettyActionUrl(str)));
        }
    }

    /** Traces that the authorization covers the given action. */
    private void traceAutzApplicableToAction(@NotNull String str) {
        if (this.op.tracer.isEnabled()) {
            this.op.tracer.trace(new SecurityTraceEvent.AuthorizationProcessingEvent(this, "Authorization is applicable for operation %s (continuing evaluation)", SecurityEnforcerImpl.prettyActionUrl(str)));
        }
    }

    /** Traces that the authorization covers all actions. */
    private void traceAutzApplicableToAnyAction() {
        if (this.op.tracer.isEnabled()) {
            this.op.tracer.trace(new SecurityTraceEvent.AuthorizationProcessingEvent(this, "Authorization is applicable for all operations (continuing evaluation)", new Object[0]));
        }
    }

    /** Traces that the authorization covers none of the given actions. */
    private void traceAutzNotApplicableToActions(String[] strArr) {
        if (this.op.tracer.isEnabled()) {
            this.op.tracer.trace(new SecurityTraceEvent.AuthorizationProcessingEvent(this, "Authorization is not applicable for operation(s) %s", SecurityEnforcerImpl.prettyActionUrl(strArr)));
        }
    }

    /** Traces that the authorization's phase is not accepted by the given selector. */
    private void traceAutzNotApplicableToPhase(@NotNull PhaseSelector phaseSelector) {
        if (this.op.tracer.isEnabled()) {
            this.op.tracer.trace(new SecurityTraceEvent.AuthorizationProcessingEvent(this, "Authorization is not applicable for '%s'", phaseSelector));
        }
    }

    /** Traces that the authorization's phase is accepted by the given selector. */
    private void traceAutzApplicableToPhase(@NotNull PhaseSelector phaseSelector) {
        if (this.op.tracer.isEnabled()) {
            this.op.tracer.trace(new SecurityTraceEvent.AuthorizationProcessingEvent(this, "Authorization is applicable for '%s' (continuing evaluation)", phaseSelector));
        }
    }

    /** Traces that the authorization's limitations exclude the operation; the actions are reported in the message. */
    private void traceAutzNotApplicableToLimitations(String[] strArr) {
        if (this.op.tracer.isEnabled()) {
            this.op.tracer.trace(new SecurityTraceEvent.AuthorizationProcessingEvent(this, "Authorization is limited to other action, not applicable for operation(s) %s", SecurityEnforcerImpl.prettyActionUrl(strArr)));
        }
    }

    /** Traces that the authorization does not admit the requested order constraints. */
    private void traceAutzNotApplicableToOrderConstraints(List<OrderConstraintsType> list) {
        if (this.op.tracer.isEnabled()) {
            this.op.tracer.trace(new SecurityTraceEvent.AuthorizationProcessingEvent(this, "Authorization is not applicable for orderConstraints %s", SchemaDebugUtil.shortDumpOrderConstraintsList(list)));
        }
    }

    /** Traces that the authorization does not cover the given relation. */
    private void traceAutzNotApplicableToRelation(QName qName) {
        if (this.op.tracer.isEnabled()) {
            this.op.tracer.trace(new SecurityTraceEvent.AuthorizationProcessingEvent(this, "Authorization is not applicable for relation %s", qName));
        }
    }

    /**
     * Traces the selector outcome for an object or target.
     *
     * <p>NOTE(review): the prism object itself is handed to the trace event as a message argument;
     * how much of its content ends up in trace output depends on how the event renders it —
     * confirm that enabling the tracer does not expose sensitive item values.
     *
     * @param str "object" or "target" at the call sites in this class
     * @param prismObject object the selectors were evaluated on; may be {@code null}
     * @param selectorApplicabilityResult outcome to report
     */
    private void traceAutzApplicabilityToObjectOrTarget(String str, PrismObject<? extends ObjectType> prismObject, SelectorApplicabilityResult selectorApplicabilityResult) {
        if (this.op.tracer.isEnabled()) {
            ProcessingTracer<AbstractTraceEvent> processingTracer = this.op.tracer;
            Object[] objArr = new Object[5];
            objArr[0] = selectorApplicabilityResult.value ? "applicable" : "not applicable";
            objArr[1] = str;
            objArr[2] = prismObject;
            objArr[3] = selectorApplicabilityResult.message;
            objArr[4] = selectorApplicabilityResult.value ? " (continuing evaluation)" : "";
            processingTracer.trace(new SecurityTraceEvent.AuthorizationProcessingEvent(this, "Authorization is %s for %s %s [%s]%s", objArr));
        }
    }

    /**
     * Traces the selector outcome for a value; the value is reported through
     * {@code MiscUtil.getDiagInfo} rather than being passed to the event directly.
     */
    private void traceAutzApplicabilityToObjectValue(PrismValue prismValue, SelectorApplicabilityResult selectorApplicabilityResult) {
        if (this.op.tracer.isEnabled()) {
            ProcessingTracer<AbstractTraceEvent> processingTracer = this.op.tracer;
            Object[] objArr = new Object[4];
            objArr[0] = selectorApplicabilityResult.value ? "applicable" : "not applicable";
            objArr[1] = selectorApplicabilityResult.message;
            objArr[2] = selectorApplicabilityResult.value ? " (continuing evaluation)" : "";
            objArr[3] = MiscUtil.getDiagInfo(prismValue);
            processingTracer.trace(new SecurityTraceEvent.AuthorizationProcessingEvent(this, "Authorization is %s for object [%s]%s: %s", objArr));
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Traces a free-form processing note.
     *
     * @param str message, passed on together with {@code objArr}; presumably a format string —
     *        callers should keep it constant and put variable data in the arguments
     * @param objArr arguments for the message
     */
    public void traceAutzProcessingNote(String str, Object... objArr) {
        if (this.op.tracer.isEnabled()) {
            this.op.tracer.trace(new SecurityTraceEvent.AuthorizationProcessingEvent(this, str, objArr));
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Traces that this authorization allowed the given action; per the message, evaluation of other authorizations continues. */
    public void traceAuthorizationAllow(@NotNull String str) {
        if (this.op.tracer.isEnabled()) {
            this.op.tracer.trace(new SecurityTraceEvent.AuthorizationProcessingFinished(this, "ALLOWED operation %s => but continuing evaluation of other authorizations", SecurityEnforcerImpl.prettyActionUrl(str)));
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Traces that this authorization is irrelevant for the given action, with the formatted
     * item-match explanation.
     */
    public void traceAuthorizationDenyIrrelevant(@NotNull String str, @NotNull ItemsMatchResult itemsMatchResult) {
        if (this.op.tracer.isEnabled()) {
            this.op.tracer.trace(new SecurityTraceEvent.AuthorizationProcessingFinished(this, "IRRELEVANT for operation %s (%s) => continuing evaluation of other authorizations", SecurityEnforcerImpl.prettyActionUrl(str), itemsMatchResult.getFormattedMessage()));
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Traces that this authorization denied the given action, with the formatted item-match
     * explanation.
     */
    public void traceAuthorizationDenyRelevant(@NotNull String str, @NotNull ItemsMatchResult itemsMatchResult) {
        if (this.op.tracer.isEnabled()) {
            this.op.tracer.trace(new SecurityTraceEvent.AuthorizationProcessingFinished(this, "DENIED operation %s (%s) => continuing evaluation of other authorizations", SecurityEnforcerImpl.prettyActionUrl(str), itemsMatchResult.getFormattedMessage()));
        }
    }

    /** Returns the ID of this evaluation. */
    @NotNull
    public String getId() {
        return this.id;
    }

    /** Returns the ID of the selector with the given index: this evaluation's ID followed by ".SEL." and the index. */
    @NotNull
    public String selectorId(int i) {
        return this.id + ".SEL." + i;
    }
}
