package com.evolveum.midpoint.model.impl.controller.transformer;

import com.evolveum.midpoint.model.impl.controller.SchemaTransformer;
import com.evolveum.midpoint.model.impl.lens.LensElementContext;
import com.evolveum.midpoint.prism.Item;
import com.evolveum.midpoint.prism.ItemDefinition;
import com.evolveum.midpoint.prism.PrismContainerValue;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.PrismObjectValue;
import com.evolveum.midpoint.prism.PrismValue;
import com.evolveum.midpoint.prism.delta.ItemDelta;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.equivalence.EquivalenceStrategy;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.schema.AccessDecision;
import com.evolveum.midpoint.security.api.SecurityUtil;
import com.evolveum.midpoint.security.enforcer.api.PrismEntityOpConstraints;
import com.evolveum.midpoint.util.MiscUtil;
import com.evolveum.midpoint.util.exception.AuthorizationException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.exception.SystemException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.google.common.base.Preconditions;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.springframework.stereotype.Component;

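/**
 * Applies read-authorization constraints to prism data (objects, lens element contexts and deltas).
 *
 * <p>Every decision is read from a {@link PrismEntityOpConstraints} node and handled the same way
 * throughout this class:
 * <ul>
 *   <li>{@code ALLOW}: the value or item is returned or kept as is, without descending into it;</li>
 *   <li>{@code DENY}: the value or item is removed, or the whole request is rejected at the top level;</li>
 *   <li>{@code DEFAULT}: no decision at this level, so the code descends into the contained items and
 *       values. A non-container value has nothing to descend into and is handled like {@code DENY}.</li>
 * </ul>
 *
 * <p>Denials raised here carry only the generic message "Access denied"; the reason is passed to
 * {@link SecurityUtil#logSecurityDeny} and is not part of the exception message.
 *
 * <p>Unexpected decision values are guarded only by {@code assert}. With assertions disabled, any value
 * other than {@code ALLOW} or {@code DENY} is processed as {@code DEFAULT}, i.e. filtered item by item.
 */
@Component
/* loaded from: input_file:BOOT-INF/lib/model-impl-4.9.4-SNAPSHOT.jar:com/evolveum/midpoint/model/impl/controller/transformer/DataAccessProcessor.class */
public class DataAccessProcessor {

    // The logger is registered under SchemaTransformer, not under this class, so trace output from the
    // methods below shows up in that logger category.
    // NOTE(review): looks deliberate (compatibility with existing logging configuration?) - confirm.
    private static final Trace LOGGER = TraceManager.getTrace(SchemaTransformer.class);

    /**
     * Returns the given object reduced to the content the constraints allow to be read.
     *
     * @param prismObject object to filter; with an {@code ALLOW} decision it is returned unchanged
     * @param forValueContent read constraints computed for this object
     * @return the object backed by the filtered value (the same value instance unless
     *         {@code cloneIfImmutable()} had to produce a copy)
     * @throws SecurityViolationException raised as {@link AuthorizationException} when access is denied
     *         outright or when no item remains after filtering
     */
    public <O extends ObjectType> PrismObject<O> applyReadConstraints(@NotNull PrismObject<O> prismObject, @NotNull PrismEntityOpConstraints.ForValueContent forValueContent) throws SecurityViolationException {
        return applyReadConstraints(prismObject.getValue(), forValueContent).asPrismObject();
    }

    /**
     * Filters a single value according to the constraints.
     *
     * @param v value to filter
     * @param forValueContent read constraints for this value
     * @return {@code v} itself for {@code ALLOW}; otherwise the filtered value, which is {@code v} or the
     *         result of {@code v.cloneIfImmutable()}
     * @throws SecurityViolationException raised as {@link AuthorizationException} when the decision is
     *         {@code DENY}, when the value is not a container value and the decision is not {@code ALLOW},
     *         or when the filtered container value is empty
     */
    @NotNull
    @SuppressWarnings("unchecked")
    private <V extends PrismValue> V applyReadConstraints(@NotNull V v, @NotNull PrismEntityOpConstraints.ForValueContent forValueContent) throws SecurityViolationException {
        AccessDecision decision = forValueContent.getDecision();
        if (decision == AccessDecision.ALLOW) {
            return v;
        }
        // A non-container value cannot be narrowed any further, so anything short of ALLOW is a denial.
        if (decision == AccessDecision.DENY || !(v instanceof PrismContainerValue)) {
            SecurityUtil.logSecurityDeny(v, "because the authorization denies access");
            throw new AuthorizationException("Access denied");
        }
        assert decision == AccessDecision.DEFAULT;
        // Filtering mutates the value, so an immutable input is replaced by a copy first.
        V filtered = applyReadConstraintsToMetadata((V) v.cloneIfImmutable(), forValueContent);
        applyReadConstraintsToMutablePcv((PrismContainerValue<?>) filtered, forValueContent);
        if (filtered.isEmpty()) {
            // Nothing readable is left: fail closed instead of returning an empty shell.
            SecurityUtil.logSecurityDeny(v, "because the subject has no access to any item");
            throw new AuthorizationException("Access denied");
        }
        return filtered;
    }

    /**
     * Removes the denied items from a mutable container value and filters the values of the items that
     * have no decision of their own. Items with an {@code ALLOW} decision are left untouched.
     *
     * @param prismContainerValue container value to filter in place
     * @param forValueContent read constraints for this container value
     */
    private void applyReadConstraintsToMutablePcv(@NotNull PrismContainerValue<?> prismContainerValue, @NotNull PrismEntityOpConstraints.ForValueContent forValueContent) {
        Collection<Item<?, ?>> items = prismContainerValue.getItems();
        LOGGER.trace("applyReadConstraintsToMutablePcv: items={}", items);
        if (items.isEmpty()) {
            return;
        }
        Collection<Item<?, ?>> deniedItems = new ArrayList<>();
        for (Item<?, ?> item : items) {
            PrismEntityOpConstraints.ForItemContent itemConstraints = forValueContent.getItemConstraints(item.getElementName());
            AccessDecision decision = itemConstraints.getDecision();
            if (decision == AccessDecision.ALLOW) {
                continue;
            }
            if (decision == AccessDecision.DENY) {
                deniedItems.add(item);
            } else {
                assert decision == AccessDecision.DEFAULT;
                // NOTE(review): an item whose values are all filtered out stays in the container here;
                // whether the parent's isEmpty() then still counts it is not visible in this class - confirm.
                applyReadConstraintsToMutableValues(item, itemConstraints);
            }
        }
        // Removal is deferred so that the collection is never modified while it is being iterated.
        for (Item<?, ?> deniedItem : deniedItems) {
            prismContainerValue.remove(deniedItem);
        }
    }

    /**
     * Filters the values of one item in place: denied values are removed, container values without a
     * decision are filtered recursively, and non-container values without a decision are removed.
     *
     * @param item item whose values are filtered
     * @param forItemContent read constraints for this item
     */
    private <V extends PrismValue, D extends ItemDefinition<?>> void applyReadConstraintsToMutableValues(Item<V, D> item, @NotNull PrismEntityOpConstraints.ForItemContent forItemContent) {
        Collection<V> valuesToRemove = new ArrayList<>();
        for (V v : item.getValues()) {
            PrismEntityOpConstraints.ForValueContent valueConstraints = forItemContent.getValueConstraints(v);
            AccessDecision decision = valueConstraints.getDecision();
            if (decision == AccessDecision.ALLOW) {
                continue;
            }
            if (decision == AccessDecision.DENY) {
                valuesToRemove.add(v);
                continue;
            }
            assert decision == AccessDecision.DEFAULT;
            // The returned value is ignored, which is only correct while v is mutable: for an immutable v
            // the metadata filtering would land on a discarded copy.
            // NOTE(review): presumably callers guarantee mutability here - confirm.
            applyReadConstraintsToMetadata(v, valueConstraints);
            if (v instanceof PrismContainerValue) {
                applyReadConstraintsToMutablePcv((PrismContainerValue<?>) v, valueConstraints);
            } else {
                // No explicit ALLOW for a leaf value means it is not readable.
                valuesToRemove.add(v);
            }
        }
        if (valuesToRemove.isEmpty()) {
            return;
        }
        if (valuesToRemove.size() == item.size()) {
            item.clear();
        } else {
            item.removeAll(valuesToRemove, EquivalenceStrategy.LITERAL);
        }
    }

    /**
     * Filters the value metadata attached to a value.
     *
     * @param v value whose metadata is filtered; returned unchanged when it has no metadata or when the
     *        metadata decision is {@code ALLOW}
     * @param forValueContent read constraints for the value; its metadata constraints are used
     * @return {@code v}, or the result of {@code v.cloneIfImmutable()} with the metadata filtered
     *         ({@code DEFAULT}) or cleared ({@code DENY})
     * @throws UnsupportedOperationException for any other decision value
     */
    @SuppressWarnings("unchecked")
    private <V extends PrismValue> V applyReadConstraintsToMetadata(V v, PrismEntityOpConstraints.ForValueContent forValueContent) {
        if (!v.hasValueMetadata()) {
            return v;
        }
        PrismEntityOpConstraints.ForItemContent metadataConstraints = forValueContent.getMetadataConstraints();
        AccessDecision decision = metadataConstraints.getDecision();
        switch (decision) {
            case ALLOW:
                return v;
            case DEFAULT:
                V filtered = (V) v.cloneIfImmutable();
                applyReadConstraintsToMutableValues(filtered.getValueMetadataAsContainer(), metadataConstraints);
                return filtered;
            case DENY:
                V stripped = (V) v.cloneIfImmutable();
                stripped.getValueMetadata().clear();
                return stripped;
            default:
                // The original message kept a stray "{}" logging placeholder in a concatenated string.
                throw new UnsupportedOperationException("Unsupported decision " + decision);
        }
    }

    /**
     * Filters the objects and deltas held by a lens element context in place.
     *
     * @param lensElementContext context whose objects and deltas are filtered
     * @param forValueContent read constraints for the context's object
     * @return {@code false} when the decision is {@code DENY} (nothing is modified in that case);
     *         {@code true} when the context is allowed as is or has been filtered. Acting on
     *         {@code false} is left to the caller.
     */
    public <O extends ObjectType> boolean applyReadConstraints(LensElementContext<O> lensElementContext, PrismEntityOpConstraints.ForValueContent forValueContent) {
        AccessDecision decision = forValueContent.getDecision();
        if (decision == AccessDecision.ALLOW) {
            return true;
        }
        if (decision == AccessDecision.DENY) {
            return false;
        }
        assert decision == AccessDecision.DEFAULT;
        lensElementContext.forEachObject(prismObject -> {
            applyReadConstraintsToMutableValue(prismObject.getValue(), forValueContent);
        });
        lensElementContext.forEachDelta(objectDelta -> {
            applyReadConstraintsToDelta(objectDelta, forValueContent);
        });
        return true;
    }

    /**
     * Filters a value that must already be mutable, so that the filtering happens on that very instance.
     *
     * <p>A denial from the underlying filtering is not propagated as a security exception: it is rethrown
     * through {@link SystemException#unexpected}. On this path a value with nothing readable therefore
     * ends in a system error rather than being silently dropped.
     *
     * @param prismValue mutable value to filter in place
     * @param forValueContent read constraints to apply
     */
    private void applyReadConstraintsToMutableValue(@NotNull PrismValue prismValue, @NotNull PrismEntityOpConstraints.ForValueContent forValueContent) {
        Preconditions.checkArgument(!prismValue.isImmutable(), "Value is not mutable: %s", prismValue);
        try {
            PrismValue filtered = applyReadConstraints(prismValue, forValueContent);
            // A different instance would mean the caller still holds the unfiltered value.
            MiscUtil.stateCheck(filtered == prismValue, "Value's identity was changed. Why? %s", filtered);
        } catch (SecurityViolationException e) {
            throw SystemException.unexpected(e);
        }
    }

    /**
     * Filters a delta in place. An ADD delta has its object filtered, a DELETE delta is left as is, and a
     * MODIFY delta has its modifications dropped or reduced one by one.
     *
     * @param objectDelta delta to filter; {@code null} is ignored
     * @param forValueContent read constraints for the object the delta applies to
     */
    private <O extends ObjectType> void applyReadConstraintsToDelta(@Nullable ObjectDelta<O> objectDelta, @NotNull PrismEntityOpConstraints.ForValueContent forValueContent) {
        if (objectDelta == null) {
            return;
        }
        if (objectDelta.isAdd()) {
            applyReadConstraintsToMutableValue(objectDelta.getObjectToAdd().getValue(), forValueContent);
            return;
        }
        if (objectDelta.isDelete()) {
            return;
        }
        Collection<? extends ItemDelta<?, ?>> modifications = objectDelta.getModifications();
        if (modifications.isEmpty()) {
            return;
        }
        Collection<ItemDelta<?, ?>> modificationsToRemove = new ArrayList<>();
        for (ItemDelta<?, ?> itemDelta : modifications) {
            ItemPath path = itemDelta.getPath();
            AccessDecision decision = forValueContent.getValueConstraints(path.namedSegmentsOnly()).getDecision();
            LOGGER.trace("applyReadConstraintsToDelta(item): {}: decision R={}", path, decision);
            if (decision == AccessDecision.DENY) {
                modificationsToRemove.add(itemDelta);
            } else if (decision != AccessDecision.ALLOW) {
                // NOTE(review): the value sets below are reduced with the object-level constraints, not with
                // the constraints resolved for `path` just above - verify that this is intended.
                reduceValues(itemDelta.getValuesToAdd(), forValueContent);
                reduceValues(itemDelta.getValuesToDelete(), forValueContent);
                reduceValues(itemDelta.getValuesToReplace(), forValueContent);
                // Estimated old values disclose data as well, so they are reduced like the rest.
                reduceValues(itemDelta.getEstimatedOldValues(), forValueContent);
                if (itemDelta.isEmpty()) {
                    modificationsToRemove.add(itemDelta);
                }
            }
        }
        // Assumes getModifications() returns the delta's own modifiable collection - TODO confirm.
        for (ItemDelta<?, ?> modificationToRemove : modificationsToRemove) {
            modifications.remove(modificationToRemove);
        }
    }

    /**
     * Removes from a collection of delta values those that may not be read, and filters the rest in place.
     *
     * @param collection values to reduce; {@code null} is ignored
     * @param forValueContent constraints whose own decision is used for every value in the collection
     */
    private void reduceValues(@Nullable Collection<? extends PrismValue> collection, @NotNull PrismEntityOpConstraints.ForValueContent forValueContent) {
        if (collection == null) {
            return;
        }
        Iterator<? extends PrismValue> it = collection.iterator();
        while (it.hasNext()) {
            PrismValue next = it.next();
            AccessDecision decision = forValueContent.getDecision();
            if (decision == AccessDecision.ALLOW) {
                continue;
            }
            if (decision == AccessDecision.DENY) {
                it.remove();
                continue;
            }
            // NOTE(review): for a non-container value this call fails and surfaces as SystemException
            // instead of the value being dropped - confirm that this case cannot occur here.
            applyReadConstraintsToMutableValue(next, forValueContent);
            boolean nothingLeft = next instanceof PrismContainerValue
                    ? ((PrismContainerValue<?>) next).hasNoItems()
                    : next.isEmpty();
            if (nothingLeft) {
                it.remove();
            }
        }
    }
}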
