package io.igia.config.fhir.interceptor;

import ca.uhn.fhir.rest.api.server.RequestDetails;
import ca.uhn.fhir.rest.server.exceptions.NotImplementedOperationException;
import ca.uhn.fhir.rest.server.interceptor.auth.AuthorizationFlagsEnum;
import ca.uhn.fhir.rest.server.interceptor.auth.AuthorizationInterceptor;
import ca.uhn.fhir.rest.server.interceptor.auth.IAuthRule;
import ca.uhn.fhir.rest.server.interceptor.auth.IAuthRuleBuilder;
import ca.uhn.fhir.rest.server.interceptor.auth.IAuthRuleBuilderRuleConditional;
import ca.uhn.fhir.rest.server.interceptor.auth.IAuthRuleBuilderRuleConditionalClassifier;
import ca.uhn.fhir.rest.server.interceptor.auth.IAuthRuleBuilderRuleOp;
import ca.uhn.fhir.rest.server.interceptor.auth.IAuthRuleBuilderRuleOpClassifier;
import ca.uhn.fhir.rest.server.interceptor.auth.RuleBuilder;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.hl7.fhir.dstu3.model.IdType;
import org.hl7.fhir.dstu3.model.Resource;
import org.hl7.fhir.dstu3.model.ResourceFactory;
import org.hl7.fhir.exceptions.FHIRException;
import org.hl7.fhir.instance.model.api.IIdType;
import org.hspconsortium.platform.api.authorization.SmartScope;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.security.oauth2.resource.AuthoritiesExtractor;
import org.springframework.boot.autoconfigure.security.oauth2.resource.PrincipalExtractor;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.TokenStore;

/* loaded from: input_file:io/igia/config/fhir/interceptor/ScopeBasedAuthorizationInterceptor.class */
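/**
 * HAPI FHIR {@link AuthorizationInterceptor} that derives the rule list for a request from the SMART
 * scopes ({@code user/...} and {@code patient/...}) carried by the caller's OAuth2 access token.
 *
 * <p>Rules are appended in this order: user-scope rules, then patient-scope rules (confined to the
 * {@code Patient} compartment of the launch-context patient), then an unconditional allow for
 * {@code metadata}, and finally a deny-all so that anything not explicitly granted above is rejected.
 *
 * <p>Two situations are left unrestricted by this interceptor and receive an allow-all rule set:
 * a request with no {@link OAuth2Authentication} in the security context, and a token that carries
 * no user or patient scope at all (see {@link #buildRuleList}).
 */
public class ScopeBasedAuthorizationInterceptor extends AuthorizationInterceptor {
    /** Key in the token's additional information that holds the launch-context patient id. */
    public static final String LAUNCH_CONTEXT_PATIENT_PARAM_NAME = "patient";
    /** Name attached to the trailing deny-all rule. */
    private static final String RULE_PATIENT_SCOPE_DEFAULT_DENY = "DENY ALL patient, resource or operation access if not explicitly granted in authorized scope";
    /** Wildcard used by SMART scopes for "any operation" / "any resource type". */
    private static final String WILDCARD = "*";
    /** Compartment name used for patient-scoped rules. */
    private static final String PATIENT_COMPARTMENT = "Patient";

    private final TokenStore tokenStore;
    private final OAuth2RestTemplate oAuth2RestTemplate;

    @Autowired
    private PrincipalExtractor principalExtractor;

    @Autowired
    private AuthoritiesExtractor authoritiesExtractor;

    /**
     * Creates the interceptor.
     *
     * @param tokenStore store used to resolve the access token (and its scopes) from its string value
     * @param oAuth2RestTemplate template whose client context supplies the current access token value
     */
    public ScopeBasedAuthorizationInterceptor(TokenStore tokenStore, OAuth2RestTemplate oAuth2RestTemplate) {
        this.tokenStore = tokenStore;
        this.oAuth2RestTemplate = oAuth2RestTemplate;
        // Compartment reads are checked per resource by the rules below instead of being blocked up front.
        setFlags(new AuthorizationFlagsEnum[]{AuthorizationFlagsEnum.NO_NOT_PROACTIVELY_BLOCK_COMPARTMENT_READ_ACCESS});
    }

    /**
     * Builds the authorization rules for the current request from the scopes of the caller's token.
     *
     * @param requestDetails the incoming request (not consulted; the token comes from the security context)
     * @return allow-all when there is no OAuth2 authentication or no user/patient scope, otherwise the
     *     scope-derived rules followed by {@code metadata} allow and a deny-all
     * @throws SecurityException from {@link #filterToPatientScopes} when a patient scope is present but
     *     no launch-context patient is available
     * @throws NotImplementedOperationException when a scope names an unsupported operation or resource
     */
    @Override
    public List<IAuthRule> buildRuleList(RequestDetails requestDetails) {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (!(authentication instanceof OAuth2Authentication)) {
            // NOTE(review): a missing or non-OAuth2 authentication yields allow-all here, i.e. this
            // interceptor does not itself reject unauthenticated requests — presumably an upstream
            // security filter does; confirm before relying on it.
            return new RuleBuilder().allowAll().build();
        }
        // NOTE(review): the token is taken from the OAuth2 client context rather than from the incoming
        // request's Authorization header — confirm both refer to the same token in this deployment.
        // A token the store cannot resolve fails below (NPE on a null token) rather than falling
        // through to allow-all; an explicit deny would be cleaner.
        String tokenValue = this.oAuth2RestTemplate.getOAuth2ClientContext().getAccessToken().getValue();
        OAuth2AccessToken accessToken = this.tokenStore.readAccessToken(tokenValue);
        Set<SmartScope> smartScopes = getSmartScopes(accessToken);

        // Only tokens carrying at least one user/ or patient/ scope are restricted. Every scope must
        // be inspected: the set is unordered, so deciding from its first element alone would make the
        // outcome depend on hash order (e.g. an "openid" scope happening to come first).
        if (!containsUserOrPatientScope(smartScopes)) {
            return new RuleBuilder().allowAll().build();
        }

        Map<String, Object> additionalInformation = accessToken.getAdditionalInformation();
        String principal = (String) this.principalExtractor.extractPrincipal(additionalInformation);
        List<GrantedAuthority> authorities = this.authoritiesExtractor.extractAuthorities(additionalInformation);
        String launchPatientId = (String) additionalInformation.get(LAUNCH_CONTEXT_PATIENT_PARAM_NAME);

        IAuthRuleBuilder ruleBuilder = filterToUserScopes(new RuleBuilder(), principal, authorities, smartScopes);
        ruleBuilder = filterToPatientScopes(ruleBuilder, launchPatientId, smartScopes);
        // The capability statement stays readable; everything not granted above is denied.
        ruleBuilder.allow().metadata().andThen();
        ruleBuilder.denyAll(RULE_PATIENT_SCOPE_DEFAULT_DENY).andThen();
        return ruleBuilder.build();
    }

    /** Returns true when at least one scope in the set is a user scope or a patient scope. */
    private static boolean containsUserOrPatientScope(Set<SmartScope> smartScopes) {
        for (SmartScope scope : smartScopes) {
            if (scope.isUserScope() || scope.isPatientScope()) {
                return true;
            }
        }
        return false;
    }

    /**
     * Appends one rule group per user scope in {@code set}.
     *
     * @param iAuthRuleBuilder builder to append to
     * @param str the principal extracted from the token (passed through, not consulted here)
     * @param list the authorities extracted from the token (passed through, not consulted here)
     * @param set all scopes of the token; non-user scopes are skipped
     * @return the same builder, for chaining
     */
    protected IAuthRuleBuilder filterToUserScopes(IAuthRuleBuilder iAuthRuleBuilder, String str, List<GrantedAuthority> list, Set<SmartScope> set) {
        for (SmartScope smartScope : set) {
            if (smartScope.isUserScope()) {
                filterToUserScope(str, list, smartScope, iAuthRuleBuilder);
            }
        }
        return iAuthRuleBuilder;
    }

    /**
     * Appends the rules for a single user scope, keyed on its operation: {@code *} grants read, write,
     * delete, the conditional variants and named operations; {@code read} grants read only;
     * {@code write} grants write, delete and the conditional variants (but no named operations).
     *
     * @param str the principal extracted from the token (passed through to the classifiers)
     * @param list the authorities extracted from the token (passed through to the classifiers)
     * @param smartScope the user scope to apply
     * @param iAuthRuleBuilder builder to append to
     * @throws NotImplementedOperationException for any other scope operation
     */
    protected void filterToUserScope(String str, List<GrantedAuthority> list, SmartScope smartScope, IAuthRuleBuilder iAuthRuleBuilder) {
        switch (smartScope.getOperation()) {
            case WILDCARD:
                applyUserScopeResourceClassifier(iAuthRuleBuilder.allow().read(), str, list, smartScope);
                applyUserScopeResourceClassifier(iAuthRuleBuilder.allow().write(), str, list, smartScope);
                applyUserScopeResourceClassifier(iAuthRuleBuilder.allow().delete(), str, list, smartScope);
                applyUserScopeConditionalResourceClassifier(iAuthRuleBuilder.allow().createConditional(), smartScope);
                applyUserScopeConditionalResourceClassifier(iAuthRuleBuilder.allow().updateConditional(), smartScope);
                applyUserScopeConditionalResourceClassifier(iAuthRuleBuilder.allow().deleteConditional(), smartScope);
                applyUserScopeOperationResourceClassifier(iAuthRuleBuilder, str, list, smartScope);
                break;
            case "read":
                applyUserScopeResourceClassifier(iAuthRuleBuilder.allow().read(), str, list, smartScope);
                break;
            case "write":
                applyUserScopeResourceClassifier(iAuthRuleBuilder.allow().write(), str, list, smartScope);
                applyUserScopeResourceClassifier(iAuthRuleBuilder.allow().delete(), str, list, smartScope);
                applyUserScopeConditionalResourceClassifier(iAuthRuleBuilder.allow().createConditional(), smartScope);
                applyUserScopeConditionalResourceClassifier(iAuthRuleBuilder.allow().updateConditional(), smartScope);
                applyUserScopeConditionalResourceClassifier(iAuthRuleBuilder.allow().deleteConditional(), smartScope);
                break;
            default:
                throw new NotImplementedOperationException("Scope operation " + smartScope.getOperation() + " not supported.");
        }
    }

    /**
     * Completes a user-scope rule with its resource classifier: any resource of any id for the
     * wildcard resource, otherwise any id of the named resource type.
     *
     * @param iAuthRuleBuilderRuleOp the partially built allow rule
     * @param str the principal extracted from the token (not consulted)
     * @param list the authorities extracted from the token (not consulted)
     * @param smartScope the scope whose resource part selects the type
     * @throws NotImplementedOperationException when the resource name is not a known resource type
     */
    protected void applyUserScopeResourceClassifier(IAuthRuleBuilderRuleOp iAuthRuleBuilderRuleOp, String str, List<GrantedAuthority> list, SmartScope smartScope) {
        if (isWildcardResource(smartScope)) {
            iAuthRuleBuilderRuleOp.allResources().withAnyId().andThen();
        } else {
            iAuthRuleBuilderRuleOp.resourcesOfType(resourceTypeOf(smartScope)).withAnyId().andThen();
        }
    }

    /**
     * Completes a user-scope conditional (create/update/delete) rule with its resource classifier.
     *
     * @param iAuthRuleBuilderRuleConditional the partially built conditional allow rule
     * @param smartScope the scope whose resource part selects the type
     * @throws NotImplementedOperationException when the resource name is not a known resource type
     */
    protected void applyUserScopeConditionalResourceClassifier(IAuthRuleBuilderRuleConditional iAuthRuleBuilderRuleConditional, SmartScope smartScope) {
        if (isWildcardResource(smartScope)) {
            iAuthRuleBuilderRuleConditional.allResources().andThen();
        } else {
            iAuthRuleBuilderRuleConditional.resourcesOfType(resourceTypeOf(smartScope)).andThen();
        }
    }

    /**
     * Allows named FHIR operations for a user scope: at any level for the wildcard resource, otherwise
     * at type level and on instances of the named resource type.
     *
     * @param iAuthRuleBuilder builder to append to
     * @param str the principal extracted from the token (not consulted)
     * @param list the authorities extracted from the token (not consulted)
     * @param smartScope the scope whose resource part selects the type
     * @throws NotImplementedOperationException when the resource name is not a known resource type
     */
    protected void applyUserScopeOperationResourceClassifier(IAuthRuleBuilder iAuthRuleBuilder, String str, List<GrantedAuthority> list, SmartScope smartScope) {
        if (isWildcardResource(smartScope)) {
            iAuthRuleBuilder.allow().operation().withAnyName().atAnyLevel().andThen();
            return;
        }
        Class<? extends Resource> resourceType = resourceTypeOf(smartScope);
        iAuthRuleBuilder.allow().operation().withAnyName().onType(resourceType).andThen()
            .allow().operation().withAnyName().onInstancesOfType(resourceType).andThen();
    }

    /**
     * Appends one rule group per patient scope in {@code set}, each confined to the compartment of the
     * launch-context patient.
     *
     * @param iAuthRuleBuilder builder to append to
     * @param str id of the launch-context patient
     * @param set all scopes of the token; non-patient scopes are skipped
     * @return the same builder, for chaining
     * @throws SecurityException when a patient scope is present but {@code str} is null or empty
     */
    protected IAuthRuleBuilder filterToPatientScopes(IAuthRuleBuilder iAuthRuleBuilder, String str, Set<SmartScope> set) {
        IdType patientId = new IdType(PATIENT_COMPARTMENT, str);
        for (SmartScope smartScope : set) {
            if (!smartScope.isPatientScope()) {
                continue;
            }
            // A patient scope without an in-context patient cannot be confined to a compartment:
            // refuse rather than widen access.
            if (str == null || str.isEmpty()) {
                throw new SecurityException("For patient scope, a launch context parameter indicating the in-context patient is required, but none was found.");
            }
            filterToPatientScope(patientId, smartScope, iAuthRuleBuilder);
        }
        return iAuthRuleBuilder;
    }

    /**
     * Appends the rules for a single patient scope, keyed on its operation (same split as
     * {@link #filterToUserScope}); every rule is confined to the compartment of {@code iIdType}.
     *
     * @param iIdType id of the launch-context patient
     * @param smartScope the patient scope to apply
     * @param iAuthRuleBuilder builder to append to
     * @throws NotImplementedOperationException for any other scope operation
     */
    protected void filterToPatientScope(IIdType iIdType, SmartScope smartScope, IAuthRuleBuilder iAuthRuleBuilder) {
        switch (smartScope.getOperation()) {
            case WILDCARD:
                applyPatientScopeResourceClassifier(iAuthRuleBuilder.allow().read(), iIdType, smartScope);
                applyPatientScopeResourceClassifier(iAuthRuleBuilder.allow().write(), iIdType, smartScope);
                applyPatientScopeResourceClassifier(iAuthRuleBuilder.allow().delete(), iIdType, smartScope);
                applyPatientScopeConditionalResourceClassifier(iAuthRuleBuilder.allow().createConditional(), smartScope);
                applyPatientScopeConditionalResourceClassifier(iAuthRuleBuilder.allow().updateConditional(), smartScope);
                applyPatientScopeConditionalResourceClassifier(iAuthRuleBuilder.allow().deleteConditional(), smartScope);
                applyPatientScopeOperationResourceClassifier(iAuthRuleBuilder, iIdType, smartScope);
                break;
            case "read":
                applyPatientScopeResourceClassifier(iAuthRuleBuilder.allow().read(), iIdType, smartScope);
                break;
            case "write":
                applyPatientScopeResourceClassifier(iAuthRuleBuilder.allow().write(), iIdType, smartScope);
                applyPatientScopeResourceClassifier(iAuthRuleBuilder.allow().delete(), iIdType, smartScope);
                applyPatientScopeConditionalResourceClassifier(iAuthRuleBuilder.allow().createConditional(), smartScope);
                applyPatientScopeConditionalResourceClassifier(iAuthRuleBuilder.allow().updateConditional(), smartScope);
                applyPatientScopeConditionalResourceClassifier(iAuthRuleBuilder.allow().deleteConditional(), smartScope);
                break;
            default:
                throw new NotImplementedOperationException("Scope operation " + smartScope.getOperation() + " not supported.");
        }
    }

    /**
     * Completes a patient-scope rule with its resource classifier, confined to the patient compartment
     * of {@code iIdType}: all resource types for the wildcard resource, otherwise the named type.
     *
     * @param iAuthRuleBuilderRuleOp the partially built allow rule
     * @param iIdType id of the launch-context patient
     * @param smartScope the scope whose resource part selects the type
     * @throws NotImplementedOperationException when the resource name is not a known resource type
     */
    protected void applyPatientScopeResourceClassifier(IAuthRuleBuilderRuleOp iAuthRuleBuilderRuleOp, IIdType iIdType, SmartScope smartScope) {
        if (isWildcardResource(smartScope)) {
            iAuthRuleBuilderRuleOp.allResources().inCompartment(PATIENT_COMPARTMENT, iIdType).andThen();
        } else {
            iAuthRuleBuilderRuleOp.resourcesOfType(resourceTypeOf(smartScope)).inCompartment(PATIENT_COMPARTMENT, iIdType).andThen();
        }
    }

    /**
     * Intentionally grants nothing: conditional create/update/delete cannot be confined to a patient
     * compartment here, so for patient scopes they fall through to the trailing deny-all rule.
     *
     * @param iAuthRuleBuilderRuleConditional the partially built conditional rule (left incomplete)
     * @param smartScope the patient scope (not consulted)
     */
    protected void applyPatientScopeConditionalResourceClassifier(IAuthRuleBuilderRuleConditional iAuthRuleBuilderRuleConditional, SmartScope smartScope) {
    }

    /**
     * Allows named operations on the launch-context patient instance itself, and only when the scope's
     * resource is {@code Patient}; operations on any other type are not granted for patient scopes.
     *
     * @param iAuthRuleBuilder builder to append to
     * @param iIdType id of the launch-context patient
     * @param smartScope the scope whose resource part is checked
     */
    protected void applyPatientScopeOperationResourceClassifier(IAuthRuleBuilder iAuthRuleBuilder, IIdType iIdType, SmartScope smartScope) {
        if (smartScope.getResource().equalsIgnoreCase(PATIENT_COMPARTMENT)) {
            iAuthRuleBuilder.allow().operation().withAnyName().onInstance(iIdType).andThen();
        }
    }

    /** True when the scope's resource part is the {@code *} wildcard (case-insensitive). */
    private static boolean isWildcardResource(SmartScope smartScope) {
        return smartScope.getResource().equalsIgnoreCase(WILDCARD);
    }

    /**
     * Resolves the resource type named by a scope's resource part.
     *
     * @param smartScope the scope whose resource part names a FHIR resource type
     * @return the model class for that resource type
     * @throws NotImplementedOperationException when the name is not a known resource type
     */
    private static Class<? extends Resource> resourceTypeOf(SmartScope smartScope) {
        try {
            return ResourceFactory.createResource(smartScope.getResource()).getClass();
        } catch (FHIRException e) {
            throw new NotImplementedOperationException("Scope resource " + smartScope.getResource() + " not supported.");
        }
    }

    /**
     * Wraps each scope string of the token in an {@link IgiaSmartScope}.
     *
     * @param oAuth2AccessToken the resolved access token
     * @return the token's scopes as a set of {@link SmartScope}
     */
    private Set<SmartScope> getSmartScopes(OAuth2AccessToken oAuth2AccessToken) {
        Set<SmartScope> smartScopes = new HashSet<>();
        for (String scope : oAuth2AccessToken.getScope()) {
            smartScopes.add(new IgiaSmartScope(scope));
        }
        return smartScopes;
    }
}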
