package edu.kit.datamanager.repo.util;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.github.fge.jsonpatch.JsonPatch;
import edu.kit.datamanager.controller.hateoas.event.PaginatedResultsRetrievedEvent;
import edu.kit.datamanager.entities.Identifier;
import edu.kit.datamanager.entities.PERMISSION;
import edu.kit.datamanager.entities.RepoServiceRole;
import edu.kit.datamanager.entities.RepoUserRole;
import edu.kit.datamanager.exceptions.AccessForbiddenException;
import edu.kit.datamanager.exceptions.CustomInternalServerError;
import edu.kit.datamanager.exceptions.ResourceElsewhereException;
import edu.kit.datamanager.exceptions.ResourceNotFoundException;
import edu.kit.datamanager.exceptions.ServiceUnavailableException;
import edu.kit.datamanager.exceptions.UpdateForbiddenException;
import edu.kit.datamanager.repo.configuration.RepoBaseConfiguration;
import edu.kit.datamanager.repo.domain.DataResource;
import edu.kit.datamanager.repo.domain.acl.AclEntry;
import edu.kit.datamanager.util.AuthenticationHelper;
import edu.kit.datamanager.util.ControllerUtils;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.function.Function;
import javax.servlet.http.HttpServletResponse;
import lombok.NonNull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.data.domain.Page;
import org.springframework.data.domain.PageRequest;
import org.springframework.data.domain.Pageable;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.web.context.request.WebRequest;
import org.springframework.web.util.UriComponentsBuilder;

/* loaded from: input_file:edu/kit/datamanager/repo/util/DataResourceUtils.class */
public class DataResourceUtils {
    private static final Logger LOGGER = LoggerFactory.getLogger(DataResourceUtils.class);
    private static ObjectMapper mapper = new ObjectMapper();

    private DataResourceUtils() {
    }

    public static DataResource createResource(RepoBaseConfiguration repoBaseConfiguration, DataResource dataResource) {
        if (repoBaseConfiguration.isReadOnly()) {
            LOGGER.info("Repository is in read-only mode. Create request denied.");
            throw new ServiceUnavailableException("Repository is in read-only mode. Create request denied.");
        }
        ControllerUtils.checkAnonymousAccess();
        return repoBaseConfiguration.getDataResourceService().create(dataResource, (String) AuthenticationHelper.getAuthentication().getPrincipal(), AuthenticationHelper.getFirstname(), AuthenticationHelper.getLastname());
    }

    public static ResponseEntity<DataResource> readResource(RepoBaseConfiguration repoBaseConfiguration, String str, Long l, Function<String, String> function) {
        DataResource resourceByIdentifierOrRedirect = getResourceByIdentifierOrRedirect(repoBaseConfiguration, str, l, function);
        performPermissionCheck(resourceByIdentifierOrRedirect, PERMISSION.READ);
        long currentVersion = repoBaseConfiguration.getAuditService().getCurrentVersion(str);
        if (currentVersion <= 0) {
            return ResponseEntity.ok().eTag("\"" + resourceByIdentifierOrRedirect.getEtag() + "\"").body(filterResource(resourceByIdentifierOrRedirect));
        }
        ResponseEntity.BodyBuilder eTag = ResponseEntity.ok().eTag("\"" + resourceByIdentifierOrRedirect.getEtag() + "\"");
        String[] strArr = new String[1];
        strArr[0] = Long.toString(l != null ? l.longValue() : currentVersion);
        return eTag.header("Resource-Version", strArr).body(filterResource(resourceByIdentifierOrRedirect));
    }

    public static Page<DataResource> readAllVersionsOfResource(RepoBaseConfiguration repoBaseConfiguration, String str, Pageable pageable) {
        return repoBaseConfiguration.getDataResourceService().findAllVersions(str, pageable);
    }

    public static Page<DataResource> readAllResources(RepoBaseConfiguration repoBaseConfiguration, Instant instant, Instant instant2, Pageable pageable, HttpServletResponse httpServletResponse, UriComponentsBuilder uriComponentsBuilder) {
        return readAllResourcesFilteredByExample(repoBaseConfiguration, null, instant, instant2, pageable, httpServletResponse, uriComponentsBuilder);
    }

    public static Page<DataResource> readAllResourcesFilteredByExample(RepoBaseConfiguration repoBaseConfiguration, DataResource dataResource, Instant instant, Instant instant2, Pageable pageable, HttpServletResponse httpServletResponse, UriComponentsBuilder uriComponentsBuilder) {
        PageRequest checkPaginationInformation = ControllerUtils.checkPaginationInformation(pageable);
        Page<DataResource> findByExample = repoBaseConfiguration.getDataResourceService().findByExample(dataResource, instant, instant2, AuthenticationHelper.getAuthorizationIdentities(), AuthenticationHelper.hasAuthority(RepoUserRole.ADMINISTRATOR.toString()), checkPaginationInformation);
        if (dataResource != null) {
            repoBaseConfiguration.getEventPublisher().publishEvent(new PaginatedResultsRetrievedEvent(DataResource.class, "search", uriComponentsBuilder, httpServletResponse, findByExample.getNumber(), findByExample.getTotalPages(), checkPaginationInformation.getPageSize()));
        } else {
            repoBaseConfiguration.getEventPublisher().publishEvent(new PaginatedResultsRetrievedEvent(DataResource.class, uriComponentsBuilder, httpServletResponse, findByExample.getNumber(), findByExample.getTotalPages(), checkPaginationInformation.getPageSize()));
        }
        return findByExample;
    }

    public static DataResource updateResource(RepoBaseConfiguration repoBaseConfiguration, String str, DataResource dataResource, WebRequest webRequest, Function<String, String> function) {
        return updateResource(repoBaseConfiguration, str, dataResource, ControllerUtils.getEtagFromHeader(webRequest), function);
    }

    public static DataResource updateResource(RepoBaseConfiguration repoBaseConfiguration, String str, DataResource dataResource, String str2, Function<String, String> function) {
        if (repoBaseConfiguration.isReadOnly()) {
            LOGGER.info("Repository is in read-only mode. Put request denied.");
            throw new ServiceUnavailableException("Repository is in read-only mode. Put request denied.");
        }
        ControllerUtils.checkAnonymousAccess();
        DataResource resourceByIdentifierOrRedirect = getResourceByIdentifierOrRedirect(repoBaseConfiguration, str, null, function);
        performPermissionCheck(resourceByIdentifierOrRedirect, PERMISSION.WRITE);
        ControllerUtils.checkEtag(str2, resourceByIdentifierOrRedirect);
        dataResource.setId(resourceByIdentifierOrRedirect.getId());
        return repoBaseConfiguration.getDataResourceService().put(resourceByIdentifierOrRedirect, dataResource, getUserAuthorities(resourceByIdentifierOrRedirect));
    }

    public static void patchResource(RepoBaseConfiguration repoBaseConfiguration, String str, JsonPatch jsonPatch, String str2, Function<String, String> function) {
        if (repoBaseConfiguration.isReadOnly()) {
            LOGGER.info("Repository is in read-only mode. Patch request denied.");
            throw new ServiceUnavailableException("Repository is in read-only mode. Patch request denied.");
        }
        ControllerUtils.checkAnonymousAccess();
        DataResource resourceByIdentifierOrRedirect = getResourceByIdentifierOrRedirect(repoBaseConfiguration, str, null, function);
        performPermissionCheck(resourceByIdentifierOrRedirect, PERMISSION.WRITE);
        ControllerUtils.checkEtag(str2, resourceByIdentifierOrRedirect);
        repoBaseConfiguration.getDataResourceService().patch(resourceByIdentifierOrRedirect, jsonPatch, getUserAuthorities(resourceByIdentifierOrRedirect));
    }

    public static void deleteResource(RepoBaseConfiguration repoBaseConfiguration, String str, WebRequest webRequest, Function<String, String> function) {
        deleteResource(repoBaseConfiguration, str, ControllerUtils.getEtagFromHeader(webRequest), function);
    }

    public static void deleteResource(RepoBaseConfiguration repoBaseConfiguration, String str, String str2, Function<String, String> function) {
        if (repoBaseConfiguration.isReadOnly()) {
            LOGGER.info("Repository is in read-only mode. Delete request denied.");
            throw new ServiceUnavailableException("Repository is in read-only mode. Delete request denied.");
        }
        ControllerUtils.checkAnonymousAccess();
        try {
            DataResource resourceByIdentifierOrRedirect = getResourceByIdentifierOrRedirect(repoBaseConfiguration, str, null, function);
            LOGGER.trace("Resource found. Checking for permission {} or role {}.", PERMISSION.ADMINISTRATE, RepoUserRole.ADMINISTRATOR);
            if (!hasPermission(resourceByIdentifierOrRedirect, PERMISSION.ADMINISTRATE) && !AuthenticationHelper.hasAuthority(RepoUserRole.ADMINISTRATOR.getValue())) {
                LOGGER.info("Insufficient permissions. ADMINISTRATE permission or ROLE_ADMINISTRATOR required.");
                throw new UpdateForbiddenException("Insufficient permissions. ADMINISTRATE permission or ROLE_ADMINISTRATOR required.");
            }
            LOGGER.trace("Permissions found. Continuing with DELETE operation.");
            ControllerUtils.checkEtag(str2, resourceByIdentifierOrRedirect);
            if (!DataResource.State.REVOKED.equals(resourceByIdentifierOrRedirect.getState()) || AuthenticationHelper.hasAuthority(RepoUserRole.ADMINISTRATOR.getValue()) || AuthenticationHelper.isPrincipal("SELF")) {
                repoBaseConfiguration.getDataResourceService().delete(resourceByIdentifierOrRedirect);
            }
        } catch (ResourceNotFoundException e) {
            LOGGER.info("Resource with identifier {} not found. Returning with HTTP NO_CONTENT.", str);
        }
    }

    public static String getInternalIdentifier(DataResource dataResource) {
        for (Identifier identifier : dataResource.getAlternateIdentifiers()) {
            if (Identifier.IDENTIFIER_TYPE.INTERNAL.equals(identifier.getIdentifierType())) {
                return identifier.getValue();
            }
        }
        return null;
    }

    public static Optional<String> getAuditInformation(RepoBaseConfiguration repoBaseConfiguration, String str, Pageable pageable, Function<String, String> function) {
        performPermissionCheck(getResourceByIdentifierOrRedirect(repoBaseConfiguration, str, null, function), PERMISSION.READ);
        return repoBaseConfiguration.getDataResourceService().getAuditInformationAsJson(str, pageable);
    }

    public static DataResource filterResource(DataResource dataResource) {
        if (AuthenticationHelper.isAuthenticatedAsService() || hasPermission(dataResource, PERMISSION.ADMINISTRATE) || AuthenticationHelper.hasAuthority(RepoUserRole.ADMINISTRATOR.toString())) {
            LOGGER.debug("Administrator access detected, keeping ACL information in resources.");
        } else {
            LOGGER.debug("Removing ACL information from resources due to non-administrator access.");
            dataResource.setAcls(null);
        }
        return dataResource;
    }

    public static List<DataResource> filterResources(List<DataResource> list) {
        if (AuthenticationHelper.isAuthenticatedAsService() || AuthenticationHelper.hasAuthority(RepoUserRole.ADMINISTRATOR.toString())) {
            LOGGER.debug("Administrator access detected, keeping ACL information in resources.");
        } else {
            LOGGER.debug("Removing ACL information from resources due to non-administrator access.");
            list.forEach(dataResource -> {
                filterResource(dataResource);
            });
        }
        return list;
    }

    public static Collection<? extends GrantedAuthority> getUserAuthorities(DataResource dataResource) {
        LOGGER.trace("Determining user grants from authorization context.");
        ArrayList arrayList = new ArrayList();
        arrayList.add(new SimpleGrantedAuthority(getAccessPermission(dataResource).getValue()));
        if (AuthenticationHelper.hasAuthority(RepoUserRole.ADMINISTRATOR.toString())) {
            LOGGER.trace("Administrator access detected. Adding role {} to granted authorities.", RepoUserRole.ADMINISTRATOR.getValue());
            arrayList.add(new SimpleGrantedAuthority(RepoUserRole.ADMINISTRATOR.getValue()));
        }
        return arrayList;
    }

    public static void performPermissionCheck(DataResource dataResource, PERMISSION permission) throws AccessForbiddenException, ResourceNotFoundException {
        LOGGER.debug("Performing permission check for resource {} and permission {}.", "DataResource#" + dataResource.getId(), permission);
        PERMISSION accessPermission = getAccessPermission(dataResource);
        LOGGER.debug("Obtained caller permission {}. Checking resource state for special handling.", accessPermission);
        if (dataResource.getState() != null) {
            switch (dataResource.getState()) {
                case FIXED:
                    LOGGER.debug("Performing special access check for FIXED resource and {} permission.", permission);
                    if (permission.atLeast(PERMISSION.WRITE) && !accessPermission.atLeast(PERMISSION.ADMINISTRATE)) {
                        LOGGER.debug("{} permission to fixed resource NOT granted to principal with identifiers {}. ADMINISTRATE permissions required.", permission, AuthenticationHelper.getAuthorizationIdentities());
                        throw new AccessForbiddenException("Resource has been fixed. Modifications to this resource are no longer permitted.");
                    }
                    break;
                case REVOKED:
                    LOGGER.debug("Performing special access check for REVOKED resource and {} permission.", permission);
                    if (!accessPermission.atLeast(PERMISSION.ADMINISTRATE)) {
                        LOGGER.debug("Access to revoked resource NOT granted to principal with identifiers {}. ADMINISTRATE permissions required.", permission, AuthenticationHelper.getAuthorizationIdentities());
                        throw new ResourceNotFoundException("The resource never was or is not longer available.");
                    }
                    break;
                case VOLATILE:
                    LOGGER.trace("Resource state is {}. No special access check necessary.", dataResource.getState());
                    break;
                case GONE:
                    LOGGER.info("The resource never was or is not longer available.");
                    throw new ResourceNotFoundException("The resource never was or is not longer available.");
                default:
                    LOGGER.warn("Unhandled resource state {} detected. Not applying any special access checks.", dataResource.getState());
                    break;
            }
        }
        LOGGER.debug("Checking if caller permission {} meets required permission {}.", accessPermission, permission);
        if (accessPermission.atLeast(permission)) {
            LOGGER.debug("{} permission to resource granted to principal with identifiers {}.", permission, AuthenticationHelper.getAuthorizationIdentities());
        } else {
            LOGGER.debug("Caller permission {} does not met required permission {}. Resource access NOT granted.", permission);
            throw new AccessForbiddenException("Resource access restricted by acl.");
        }
    }

    public static PERMISSION getAccessPermission(DataResource dataResource) {
        if (AuthenticationHelper.hasAuthority(RepoUserRole.ADMINISTRATOR.getValue())) {
            return PERMISSION.ADMINISTRATE;
        }
        PERMISSION permission = PERMISSION.NONE;
        if (AuthenticationHelper.hasAuthority(RepoServiceRole.SERVICE_ADMINISTRATOR.getValue())) {
            permission = PERMISSION.ADMINISTRATE;
        } else if (AuthenticationHelper.hasAuthority(RepoServiceRole.SERVICE_WRITE.getValue())) {
            permission = PERMISSION.WRITE;
        } else if (AuthenticationHelper.hasAuthority(RepoServiceRole.SERVICE_READ.getValue())) {
            permission = PERMISSION.READ;
        }
        PERMISSION scopedPermission = AuthenticationHelper.getScopedPermission(DataResource.class.getSimpleName(), dataResource.getId());
        if (scopedPermission.atLeast(PERMISSION.READ)) {
            return scopedPermission;
        }
        List authorizationIdentities = AuthenticationHelper.getAuthorizationIdentities();
        PERMISSION permission2 = PERMISSION.NONE;
        for (AclEntry aclEntry : dataResource.getAcls()) {
            if (AclUtils.isSidInPrincipalList(aclEntry.getSid(), authorizationIdentities) && aclEntry.getPermission().ordinal() > permission2.ordinal()) {
                permission2 = aclEntry.getPermission();
            }
        }
        return permission.atLeast(permission2) ? permission : permission2;
    }

    public static boolean hasPermission(DataResource dataResource, PERMISSION permission) {
        return getAccessPermission(dataResource).atLeast(permission);
    }

    public static boolean areAclsEqual(@NonNull AclEntry[] aclEntryArr, @NonNull AclEntry[] aclEntryArr2) {
        if (aclEntryArr == null) {
            throw new NullPointerException("first is marked non-null but is null");
        }
        if (aclEntryArr2 == null) {
            throw new NullPointerException("second is marked non-null but is null");
        }
        if (aclEntryArr.length != aclEntryArr2.length) {
            return false;
        }
        Map<String, PERMISSION> aclEntriesToMap = aclEntriesToMap(aclEntryArr);
        Map<String, PERMISSION> aclEntriesToMap2 = aclEntriesToMap(aclEntryArr2);
        return aclEntriesToMap.entrySet().stream().noneMatch(entry -> {
            return !((PERMISSION) entry.getValue()).equals(aclEntriesToMap2.get(entry.getKey()));
        });
    }

    private static Map<String, PERMISSION> aclEntriesToMap(AclEntry... aclEntryArr) {
        HashMap hashMap = new HashMap();
        for (AclEntry aclEntry : aclEntryArr) {
            hashMap.put(aclEntry.getSid(), aclEntry.getPermission());
        }
        return hashMap;
    }

    public static DataResource getResourceByIdentifierOrRedirect(RepoBaseConfiguration repoBaseConfiguration, String str, Long l, Function<String, String> function) {
        try {
            LOGGER.trace("Performing getResourceByIdentifierOrRedirect({}, {}, #Function).", str, l);
            String decode = URLDecoder.decode(str, "UTF-8");
            LOGGER.trace("Decoded resource identifier: {}", decode);
            DataResource findByAnyIdentifier = repoBaseConfiguration.getDataResourceService().findByAnyIdentifier(decode, l);
            if (Objects.equals(decode, findByAnyIdentifier.getId())) {
                LOGGER.trace("Resource for identifier {} found. Returning resource #{}.", decode, findByAnyIdentifier.getId());
                return findByAnyIdentifier;
            }
            try {
                String encode = URLEncoder.encode(findByAnyIdentifier.getId(), "UTF-8");
                LOGGER.trace("No resource for identifier {} found. Redirecting to resource with identifier {}.", str, encode);
                throw new ResourceElsewhereException(function != null ? function.apply(encode) : encode);
            } catch (UnsupportedEncodingException e) {
                LOGGER.error("Failed to encode resource identifier " + findByAnyIdentifier.getId() + ".", e);
                throw new CustomInternalServerError("Failed to encode resource identifier " + findByAnyIdentifier.getId() + ".");
            }
        } catch (UnsupportedEncodingException e2) {
            LOGGER.error("Failed to decode resource identifier " + str + ".", e2);
            throw new CustomInternalServerError("Failed to decode provided identifier " + str + ".");
        }
    }

    public static DataResource copyDataResource(DataResource dataResource) {
        DataResource dataResource2;
        try {
            String writeValueAsString = mapper.writeValueAsString(dataResource);
            LOGGER.trace("dataresource: {}", writeValueAsString);
            dataResource2 = (DataResource) mapper.readValue(writeValueAsString, DataResource.class);
        } catch (JsonProcessingException e) {
            LOGGER.error("Error mapping dataresource!");
            dataResource2 = dataResource;
        }
        return dataResource2;
    }

    public static edu.kit.datamanager.entities.repo.DataResource migrateToDataResource(DataResource dataResource) {
        edu.kit.datamanager.entities.repo.DataResource dataResource2 = null;
        try {
            String writeValueAsString = mapper.writeValueAsString(dataResource);
            LOGGER.trace("dataresource: {}", writeValueAsString);
            dataResource2 = (edu.kit.datamanager.entities.repo.DataResource) mapper.readValue(writeValueAsString, edu.kit.datamanager.entities.repo.DataResource.class);
        } catch (JsonProcessingException e) {
            LOGGER.error("Error mapping dataresource!");
        }
        return dataResource2;
    }
}
