package com.evolveum.midpoint.repo.common.expression;

import com.evolveum.midpoint.prism.ItemDefinition;
import com.evolveum.midpoint.prism.PrimitiveType;
import com.evolveum.midpoint.prism.PrismContext;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.PrismPropertyDefinition;
import com.evolveum.midpoint.prism.PrismValue;
import com.evolveum.midpoint.prism.delta.PrismValueDeltaSetTriple;
import com.evolveum.midpoint.prism.path.ItemName;
import com.evolveum.midpoint.repo.common.ObjectResolver;
import com.evolveum.midpoint.schema.AccessDecision;
import com.evolveum.midpoint.schema.config.ConfigurationItemOrigin;
import com.evolveum.midpoint.schema.config.ExpressionConfigItem;
import com.evolveum.midpoint.schema.expression.ExpressionEvaluatorProfile;
import com.evolveum.midpoint.schema.expression.ExpressionEvaluatorsProfile;
import com.evolveum.midpoint.schema.expression.ExpressionProfile;
import com.evolveum.midpoint.schema.expression.VariablesMap;
import com.evolveum.midpoint.schema.internals.InternalsConfig;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.security.api.SecurityContextManager;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.util.MiscUtil;
import com.evolveum.midpoint.util.annotation.Experimental;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.util.exception.TunnelException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ExecutionPrivilegesSpecificationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ExpressionVariableDefinitionType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.evolveum.prism.xml.ns._public.types_3.ItemPathType;
import com.evolveum.prism.xml.ns._public.types_3.RawType;
import jakarta.xml.bind.JAXBElement;
import java.lang.invoke.SerializedLambda;
import java.util.List;
import javax.xml.namespace.QName;
import org.apache.commons.lang3.Validate;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.w3c.dom.Element;

/* loaded from: input_file:BOOT-INF/lib/repo-common-4.9.4-SNAPSHOT.jar:com/evolveum/midpoint/repo/common/expression/Expression.class */
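/**
 * A configured expression: binds an optional expression configuration item, an optional output
 * definition and an optional expression profile to a single {@link ExpressionEvaluator}, and runs
 * that evaluator, optionally under a different identity through
 * {@link SecurityContextManager#runAs}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>{@code runAsRef} / {@code runPrivileged} in the configuration request privilege elevation;
 *       the request is gated by {@link #checkPrivilegeElevationAllowed(ExpressionProfile)}.</li>
 *   <li>The choice of evaluator is gated by
 *       {@link #determineExpressionEvaluatorProfile(ExpressionEvaluationContext)}.</li>
 *   <li>Both gates treat a {@code null} expression profile as "no restriction".</li>
 * </ul>
 *
 * <p>NOTE(review): this listing is decompiler output. The synthetic members at the end of the
 * class ({@code $assertionsDisabled}, {@code $deserializeLambda$}) are compiler-generated and are
 * kept exactly as decompiled.
 *
 * @param <V> type of the values produced by the evaluator
 * @param <D> type of the output item definition
 */
public class Expression<V extends PrismValue, D extends ItemDefinition<?>> {

    @Nullable
    private final ExpressionConfigItem expressionCI;

    @Nullable
    private final D outputDefinition;

    @Nullable
    private final ExpressionProfile expressionProfile;

    @NotNull
    private final ExpressionEvaluator<V> evaluator;

    @NotNull
    private final ObjectResolver objectResolver;

    @Nullable
    private final SecurityContextManager securityContextManager;
    private static final Trace LOGGER;
    static final /* synthetic */ boolean $assertionsDisabled;

    /**
     * Stores the collaborators. Only {@code objectResolver} is checked for null at run time; the
     * evaluator is annotated {@code @NotNull} but is not validated here.
     */
    private Expression(@Nullable ExpressionConfigItem expressionConfigItem, @Nullable D d, @Nullable ExpressionProfile expressionProfile, @NotNull ExpressionEvaluator<V> expressionEvaluator, @NotNull ObjectResolver objectResolver, @Nullable SecurityContextManager securityContextManager) {
        Validate.notNull(objectResolver, "null objectResolver", new Object[0]);
        this.expressionCI = expressionConfigItem;
        this.outputDefinition = d;
        this.expressionProfile = expressionProfile;
        this.evaluator = expressionEvaluator;
        this.objectResolver = objectResolver;
        this.securityContextManager = securityContextManager;
    }

    /**
     * Creates an expression from its configuration.
     *
     * <p>The evaluator factory is selected by the element name of the first evaluator element in
     * the configuration; when the configuration is absent or has no evaluator elements, the
     * factory's default evaluator factory is used.
     *
     * @param expressionConfigItem expression configuration, may be null
     * @param d output definition passed on to the evaluator, may be null
     * @param expressionProfile profile stored as the fallback for {@link #evaluate}, may be null
     * @param expressionFactory source of evaluator factories, object resolver and security context manager
     * @param str context description used in error messages
     * @throws ConfigurationException if no evaluator factory is registered for the element name
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static <V extends PrismValue, D extends ItemDefinition<?>> Expression<V, D> create(@Nullable ExpressionConfigItem expressionConfigItem, @Nullable D d, @Nullable ExpressionProfile expressionProfile, @NotNull ExpressionFactory expressionFactory, String str, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, SecurityViolationException, ConfigurationException {
        ExpressionEvaluatorFactory expressionEvaluatorFactory;
        List<JAXBElement<?>> expressionEvaluator = expressionConfigItem != null ? expressionConfigItem.value().getExpressionEvaluator() : List.of();
        if (expressionEvaluator.isEmpty()) {
            expressionEvaluatorFactory = (ExpressionEvaluatorFactory) MiscUtil.stateNonNull(expressionFactory.getDefaultEvaluatorFactory(), "Internal error: No default expression evaluator factory", new Object[0]);
        } else {
            // Only the first element decides which factory is used; the whole list is handed to it.
            QName name = expressionEvaluator.get(0).getName();
            expressionEvaluatorFactory = (ExpressionEvaluatorFactory) MiscUtil.configNonNull(expressionFactory.getEvaluatorFactory(name), "Unknown expression evaluator element '%s' in %s", name, str);
        }
        return new Expression<>(expressionConfigItem, d, expressionProfile, expressionEvaluatorFactory.createEvaluator(expressionEvaluator, d, expressionProfile, expressionFactory, str, task, operationResult), expressionFactory.getObjectResolver(), expressionFactory.getSecurityContextManager());
    }

    /** Returns the output definition this expression was created with, or null. */
    @Nullable
    public D getOutputDefinition() {
        return this.outputDefinition;
    }

    /**
     * Evaluates the expression.
     *
     * <p>If the context carries no expression profile, the profile given at creation time is set
     * on it. Variables are extended by {@link #processActorAndInnerVariables} and the evaluator
     * runs on a shallow clone of the context. When the configuration specifies execution
     * privileges, the evaluator runs inside {@link SecurityContextManager#runAs}.
     *
     * <p>The privilege-elevation check is performed before the {@code runAsRef} principal is
     * resolved, so a profile that does not allow elevation is rejected without a repository
     * lookup and without the target identity being written to the trace log.
     *
     * @return the output triple, or null if the evaluator returned null
     * @throws SecurityViolationException if the applied expression profile does not allow
     *         privilege elevation or the evaluator
     */
    @Nullable
    public PrismValueDeltaSetTriple<V> evaluate(ExpressionEvaluationContext expressionEvaluationContext, OperationResult operationResult) throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException {
        PrismValueDeltaSetTriple<V> prismValueDeltaSetTriple;
        if (expressionEvaluationContext.getExpressionProfile() == null) {
            expressionEvaluationContext.setExpressionProfile(this.expressionProfile);
        }
        VariablesMap variablesMap = null;
        try {
            variablesMap = processActorAndInnerVariables(expressionEvaluationContext.getVariables(), expressionEvaluationContext.getContextDescription(), expressionEvaluationContext.getTask(), operationResult);
            ExpressionEvaluationContext shallowClone = expressionEvaluationContext.shallowClone();
            shallowClone.setVariables(variablesMap);
            ExecutionPrivilegesSpecificationType privileges = this.expressionCI != null ? this.expressionCI.getPrivileges() : null;
            if (privileges == null) {
                prismValueDeltaSetTriple = runExpressionEvaluator(shallowClone, operationResult);
            } else {
                ObjectReferenceType runAsRef = privileges.getRunAsRef();
                boolean runPrivileged = Boolean.TRUE.equals(privileges.isRunPrivileged());
                // Authorize first: a non-null runAsRef always leads to a runAs principal (or an
                // exception), so testing the reference is equivalent to testing the resolved object
                // and lets a denied profile fail before any lookup is made on its behalf.
                if (runPrivileged || runAsRef != null) {
                    checkPrivilegeElevationAllowed(expressionEvaluationContext.getExpressionProfile());
                }
                PrismObject<? extends FocusType> asPrismObject = runAsRef != null ? ((FocusType) this.objectResolver.resolve(runAsRef, FocusType.class, null, "runAs in " + expressionEvaluationContext.getContextDescription(), expressionEvaluationContext.getTask(), operationResult)).asPrismObject() : null;
                LOGGER.trace("Running {} as {} ({})", expressionEvaluationContext.getContextDescription(), asPrismObject, runAsRef);
                try {
                    // Compiled form of an `assert`: enforced only when assertions are enabled.
                    // Otherwise a null manager surfaces as a NullPointerException at runAs below.
                    if (!$assertionsDisabled && this.securityContextManager == null) {
                        throw new AssertionError();
                    }
                    SecurityContextManager.ResultAwareProducer resultAwareProducer = operationResult2 -> {
                        try {
                            return runExpressionEvaluator(shallowClone, operationResult2);
                        } catch (ObjectNotFoundException e) {
                            // Tunnelled through runAs and unwrapped in the catch block below.
                            throw new TunnelException(e);
                        }
                    };
                    prismValueDeltaSetTriple = (PrismValueDeltaSetTriple) this.securityContextManager.runAs(resultAwareProducer, asPrismObject, runPrivileged, operationResult);
                } catch (TunnelException e) {
                    Throwable cause = e.getCause();
                    if (cause instanceof ObjectNotFoundException) {
                        throw ((ObjectNotFoundException) cause);
                    }
                    throw e;
                }
            }
            traceSuccess(expressionEvaluationContext, variablesMap, prismValueDeltaSetTriple);
            return prismValueDeltaSetTriple;
        } catch (Throwable th) {
            // Every failure, including a SecurityViolationException, is logged and then rethrown unchanged.
            traceFailure(expressionEvaluationContext, variablesMap, th);
            throw th;
        }
    }

    /**
     * Rejects the evaluation unless the profile's privilege-elevation decision is
     * {@link AccessDecision#ALLOW}.
     *
     * <p>NOTE(review): a null profile is treated as ALLOW, so an expression evaluated without any
     * profile may use {@code runAsRef} / {@code runPrivileged}. Confirm that callers always
     * supply a profile for configuration that is not fully trusted.
     *
     * @throws SecurityViolationException if the decision is anything other than ALLOW
     */
    private void checkPrivilegeElevationAllowed(@Nullable ExpressionProfile expressionProfile) throws SecurityViolationException {
        AccessDecision privilegeElevation = expressionProfile != null ? expressionProfile.getPrivilegeElevation() : AccessDecision.ALLOW;
        if (privilegeElevation != AccessDecision.ALLOW) {
            // expressionProfile is non-null here: a null profile yields ALLOW above.
            throw new SecurityViolationException("Access to privilege elevation feature %s (applied expression profile '%s')".formatted(privilegeElevation == AccessDecision.DENY ? "denied" : "not allowed", expressionProfile.getIdentifier()));
        }
    }

    /**
     * Sets the evaluator profile on the context, runs the evaluator, then removes empty values
     * (per the {@code allowEmptyValues} setting) and optionally checks triple consistency.
     *
     * @return the evaluator's output, or null if it returned null
     */
    @Nullable
    private PrismValueDeltaSetTriple<V> runExpressionEvaluator(ExpressionEvaluationContext expressionEvaluationContext, OperationResult operationResult) throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException {
        expressionEvaluationContext.setExpressionEvaluatorProfile(determineExpressionEvaluatorProfile(expressionEvaluationContext));
        PrismValueDeltaSetTriple<V> evaluate = this.evaluator.evaluate(expressionEvaluationContext, operationResult);
        if (evaluate == null) {
            return null;
        }
        evaluate.removeEmptyValues(isAllowEmptyValues());
        checkOutputTripleConsistence(evaluate);
        return evaluate;
    }

    /**
     * Looks up the evaluator-specific profile for this expression's evaluator.
     *
     * <p>Returns null when the context has no expression profile, or when the profile has no entry
     * for this evaluator and its default decision is ALLOW. With no entry and any other default
     * decision the evaluator is rejected.
     *
     * @throws SecurityViolationException if the evaluator is not covered by the profile and the
     *         default decision is not ALLOW
     */
    private ExpressionEvaluatorProfile determineExpressionEvaluatorProfile(ExpressionEvaluationContext expressionEvaluationContext) throws SecurityViolationException {
        ExpressionProfile expressionProfile = expressionEvaluationContext.getExpressionProfile();
        if (expressionProfile == null) {
            // No profile at all: the evaluator runs without an evaluator profile.
            return null;
        }
        ExpressionEvaluatorsProfile evaluatorsProfile = expressionProfile.getEvaluatorsProfile();
        ExpressionEvaluatorProfile evaluatorProfile = evaluatorsProfile.getEvaluatorProfile(this.evaluator.getElementName());
        if (evaluatorProfile != null) {
            return evaluatorProfile;
        }
        if (evaluatorsProfile.getDefaultDecision() == AccessDecision.ALLOW) {
            return null;
        }
        throw new SecurityViolationException("Access to expression evaluator %s not allowed (expression profile: %s) in %s".formatted(this.evaluator.shortDebugDump(), expressionProfile.getIdentifier(), expressionEvaluationContext.getContextDescription()));
    }

    /** True only when a configuration is present and it allows empty values. */
    private boolean isAllowEmptyValues() {
        return this.expressionCI != null && this.expressionCI.isAllowEmptyValues();
    }

    /**
     * Runs the triple's consistency check when {@code InternalsConfig.consistencyChecks} is on,
     * rethrowing a failure with this expression and its evaluator added to the message.
     */
    private void checkOutputTripleConsistence(PrismValueDeltaSetTriple<V> prismValueDeltaSetTriple) {
        if (InternalsConfig.consistencyChecks) {
            try {
                prismValueDeltaSetTriple.checkConsistence();
            } catch (IllegalStateException e) {
                throw new IllegalStateException(e.getMessage() + "; in expression " + this + ", evaluator " + this.evaluator, e);
            }
        }
    }

    /**
     * Writes a trace record of a successful evaluation (sources, variables, result).
     *
     * <p>NOTE(review): the record contains debug dumps of sources and variables and the
     * human-readable result. When tracing is switched on in the expression configuration it is
     * logged at INFO (see {@link #trace(String)}), so evaluated values may end up in regular
     * logs. Verify who can enable the trace flag and who can read those logs.
     */
    private void traceSuccess(ExpressionEvaluationContext expressionEvaluationContext, VariablesMap variablesMap, PrismValueDeltaSetTriple<V> prismValueDeltaSetTriple) {
        if (isTraced()) {
            StringBuilder sb = new StringBuilder();
            sb.append("Expression trace:\n");
            appendTraceHeader(sb, expressionEvaluationContext, variablesMap);
            sb.append("\nResult: ");
            if (prismValueDeltaSetTriple == null) {
                sb.append("null");
            } else {
                sb.append(prismValueDeltaSetTriple.toHumanReadableString());
            }
            appendTraceFooter(sb);
            trace(sb.toString());
        }
    }

    /**
     * Logs a failed evaluation at ERROR (always) and, when tracing is active, writes a trace
     * record with the same header as {@link #traceSuccess} plus the exception class and message.
     */
    private void traceFailure(ExpressionEvaluationContext expressionEvaluationContext, VariablesMap variablesMap, Throwable th) {
        LOGGER.error("Error evaluating expression in {}: {}", expressionEvaluationContext.getContextDescription(), th.getMessage(), th);
        if (isTraced()) {
            StringBuilder sb = new StringBuilder();
            sb.append("Expression failure:\n");
            appendTraceHeader(sb, expressionEvaluationContext, variablesMap);
            sb.append("\nERROR: ").append(th.getClass().getSimpleName()).append(": ").append(th.getMessage());
            appendTraceFooter(sb);
            trace(sb.toString());
        }
    }

    /** True when the configuration requests tracing or the logger has TRACE enabled. */
    private boolean isTraced() {
        return isExplicitlyTraced() || LOGGER.isTraceEnabled();
    }

    /** Emits the record at INFO when tracing was requested in the configuration, else at TRACE. */
    private void trace(String str) {
        if (isExplicitlyTraced()) {
            LOGGER.info(str);
        } else {
            LOGGER.trace(str);
        }
    }

    /** True only when a configuration is present and its trace flag is set. */
    private boolean isExplicitlyTraced() {
        return this.expressionCI != null && this.expressionCI.isTrace();
    }

    /**
     * Appends the common trace header: context description, sources, variables, output
     * definition, expression profile identifier (if any), configuration origin (if any) and the
     * evaluator's short dump.
     */
    private void appendTraceHeader(StringBuilder sb, ExpressionEvaluationContext expressionEvaluationContext, VariablesMap variablesMap) {
        sb.append("---[ EXPRESSION in ");
        sb.append(expressionEvaluationContext.getContextDescription());
        sb.append("]---------------------------");
        sb.append("\nSources:");
        for (Source<?, ?> source : expressionEvaluationContext.getSources()) {
            sb.append("\n");
            sb.append(source.debugDump(1));
        }
        sb.append("\nVariables:");
        if (variablesMap == null) {
            // Happens when variable processing itself failed before the map was produced.
            sb.append(" null");
        } else {
            sb.append("\n");
            sb.append(variablesMap.debugDump(1));
        }
        sb.append("\nOutput definition: ").append(MiscUtil.toString(this.outputDefinition));
        if (expressionEvaluationContext.getExpressionProfile() != null) {
            sb.append("\nExpression profile: ").append(expressionEvaluationContext.getExpressionProfile().getIdentifier());
        }
        ConfigurationItemOrigin origin = this.expressionCI != null ? this.expressionCI.origin() : null;
        if (origin != null) {
            sb.append("\nOrigin: ").append(origin);
        }
        sb.append("\nEvaluators: ");
        sb.append(shortDebugDump());
    }

    /** Appends the closing rule of a trace record. */
    private void appendTraceFooter(StringBuilder sb) {
        sb.append("\n------------------------------------------------------");
    }

    /**
     * Builds the variables map used for evaluation.
     *
     * <p>Without a configuration the incoming map is returned as is. Otherwise a shallow clone is
     * extended with the actor variable (if needed) and with each variable declared in the
     * configuration, taken from, in this order of precedence: an object reference (resolved via
     * the object resolver), a literal value, or an item path.
     *
     * @param variablesMap incoming variables
     * @param str context description used in error messages
     * @throws ConfigurationException if a variable has no name or a value of an unexpected type
     * @throws SchemaException if a variable has neither object reference, value nor path
     */
    private VariablesMap processActorAndInnerVariables(VariablesMap variablesMap, String str, Task task, OperationResult operationResult) throws SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
        Object parsedValue;
        if (this.expressionCI == null) {
            return variablesMap;
        }
        VariablesMap shallowClone = variablesMap.shallowClone();
        ExpressionUtil.addActorVariableIfNeeded(shallowClone, this.securityContextManager);
        for (ExpressionVariableDefinitionType expressionVariableDefinitionType : this.expressionCI.value().getVariable()) {
            String localPart = ((QName) MiscUtil.configNonNull(expressionVariableDefinitionType.getName(), "no variable name in expression in %s", str)).getLocalPart();
            ObjectReferenceType objectRef = expressionVariableDefinitionType.getObjectRef();
            if (objectRef != null) {
                // Note: this writes the qualified type back into the reference obtained from the
                // configuration bean, i.e. the configuration object itself is modified.
                objectRef.setType(PrismContext.get().getSchemaRegistry().qualifyTypeName(objectRef.getType()));
                ObjectType resolve = this.objectResolver.resolve(objectRef, ObjectType.class, null, "variable " + localPart + " in " + str, task, operationResult);
                // mo2415getDefinition is a decompiler-assigned method name; kept as decompiled.
                shallowClone.addVariableDefinition(localPart, resolve, resolve.asPrismObject().mo2415getDefinition());
            } else {
                Object value = expressionVariableDefinitionType.getValue();
                if (value != null) {
                    // Literal values are exposed as string properties in the common-3 namespace.
                    ItemName itemName = new ItemName("http://midpoint.evolveum.com/xml/ns/public/common/common-3", localPart);
                    PrismPropertyDefinition newPropertyDefinition = PrismContext.get().definitionFactory().newPropertyDefinition(itemName, PrimitiveType.STRING.getQname());
                    if (value instanceof String) {
                        parsedValue = value;
                    } else if (value instanceof Element) {
                        parsedValue = ((Element) value).getTextContent();
                    } else {
                        if (!(value instanceof RawType)) {
                            throw new ConfigurationException("Unexpected type %s in variable '%s' definition in %s".formatted(value.getClass(), localPart, str));
                        }
                        parsedValue = ((RawType) value).getParsedValue(null, itemName);
                    }
                    shallowClone.addVariableDefinition(localPart, parsedValue, newPropertyDefinition);
                } else {
                    ItemPathType path = expressionVariableDefinitionType.getPath();
                    if (path == null) {
                        throw new SchemaException("No value for variable '%s' in %s".formatted(localPart, str));
                    }
                    // The path is resolved against the incoming map, not the clone, so it cannot
                    // refer to variables declared earlier in this same loop.
                    shallowClone.put(localPart, ExpressionUtil.resolvePathGetTypedValue(path.getItemPath(), variablesMap, false, null, this.objectResolver, str, task, operationResult));
                }
            }
        }
        return shallowClone;
    }

    /** Delegates to the evaluator's {@code doesVetoTargetValueRemoval}. */
    @Experimental
    public boolean doesVetoTargetValueRemoval(@NotNull V v, @NotNull OperationResult operationResult) {
        return this.evaluator.doesVetoTargetValueRemoval(v, operationResult);
    }

    @Override
    public String toString() {
        return "Expression(config=" + this.expressionCI + ", outputDefinition=" + this.outputDefinition + ": " + shortDebugDump() + ")";
    }

    /** Returns the evaluator's short debug dump. */
    public String shortDebugDump() {
        return this.evaluator.shortDebugDump();
    }

    // NOTE(review): compiler-generated support for deserializing the lambda created in evaluate(),
    // reproduced as decompiled. It is not valid Java source as shown (`boolean z = -1`, an
    // instance method called from a static context) and is not meant to be maintained by hand.
    private static /* synthetic */ Object $deserializeLambda$(SerializedLambda serializedLambda) {
        String implMethodName = serializedLambda.getImplMethodName();
        boolean z = -1;
        switch (implMethodName.hashCode()) {
            case 1748972921:
                if (implMethodName.equals("lambda$evaluate$84527419$1")) {
                    z = false;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                if (serializedLambda.getImplMethodKind() == 5 && serializedLambda.getFunctionalInterfaceClass().equals("com/evolveum/midpoint/security/api/SecurityContextManager$ResultAwareProducer") && serializedLambda.getFunctionalInterfaceMethodName().equals("get") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("(Lcom/evolveum/midpoint/schema/result/OperationResult;)Ljava/lang/Object;") && serializedLambda.getImplClass().equals("com/evolveum/midpoint/repo/common/expression/Expression") && serializedLambda.getImplMethodSignature().equals("(Lcom/evolveum/midpoint/repo/common/expression/ExpressionEvaluationContext;Lcom/evolveum/midpoint/schema/result/OperationResult;)Lcom/evolveum/midpoint/prism/delta/PrismValueDeltaSetTriple;")) {
                    Expression expression = (Expression) serializedLambda.getCapturedArg(0);
                    ExpressionEvaluationContext expressionEvaluationContext = (ExpressionEvaluationContext) serializedLambda.getCapturedArg(1);
                    return operationResult2 -> {
                        try {
                            return runExpressionEvaluator(expressionEvaluationContext, operationResult2);
                        } catch (ObjectNotFoundException e) {
                            throw new TunnelException(e);
                        }
                    };
                }
                break;
        }
        throw new IllegalArgumentException("Invalid lambda deserialization");
    }

    static {
        // Compiler-generated assertion switch, followed by logger initialisation.
        $assertionsDisabled = !Expression.class.desiredAssertionStatus();
        LOGGER = TraceManager.getTrace((Class<?>) Expression.class);
    }
}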
