package org.dataconservancy.pass.authz;

import java.net.URI;
import java.time.Duration;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.dataconservancy.pass.client.PassClient;
import org.dataconservancy.pass.client.fedora.FedoraConfig;
import org.dataconservancy.pass.model.User;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/dataconservancy/pass/authz/AuthRolesProvider.class */
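/**
 * Resolves the authorization role URIs granted to an authenticated user.
 *
 * <p>Roles are derived from the PASS {@link User} resource identified by {@link AuthUser#getId()},
 * combined with each domain reported by {@link AuthUser#getDomains()}. Every path that cannot
 * positively identify a User resource returns an empty set, so lookup gaps fail closed.
 *
 * <p>User resources are read through an {@link ExpiringLRUCache}. NOTE(review): a cached User
 * presumably keeps supplying its roles until the entry expires (30 minutes with the default
 * constructor), so a role change or revocation may not take effect immediately; confirm against
 * the cache implementation and size the expiry accordingly.
 */
public class AuthRolesProvider {
    static final Logger LOG = LoggerFactory.getLogger(AuthRolesProvider.class);

    /** Namespace prefix shared by every role URI produced by {@link #getAuthRoleURI}. */
    public static final String ROLE_BASE = "http://oapass.org/ns/roles/";

    private final PassClient client;
    private final ExpiringLRUCache<URI, User> cache;

    /**
     * Creates a provider with a default cache built from the arguments 100 and a 30 minute
     * duration.
     *
     * @param passClient client used to read User resources
     */
    public AuthRolesProvider(PassClient passClient) {
        this.client = passClient;
        this.cache = new ExpiringLRUCache<>(100, Duration.ofMinutes(30L));
    }

    /**
     * Creates a provider that uses a caller-supplied cache.
     *
     * @param passClient client used to read User resources
     * @param expiringLRUCache cache of User resources keyed by their URI
     */
    public AuthRolesProvider(PassClient passClient, ExpiringLRUCache<URI, User> expiringLRUCache) {
        this.client = passClient;
        this.cache = expiringLRUCache;
    }

    /**
     * Computes the set of role URIs for the given authenticated user.
     *
     * @param authUser the authenticated user; may be {@code null}
     * @return the role URIs, plus the user's own resource URI(s); empty when the user is
     *     {@code null}, has no User resource id, or the User resource cannot be found
     * @throws RuntimeException if reading the User resource or building the role set fails
     */
    public Set<URI> getRoles(AuthUser authUser) {
        Set<URI> roles = new HashSet<>();

        // Fail closed: no identity means no roles.
        if (authUser == null) {
            LOG.warn("Authenticated user is null (this should never happen)");
            return roles;
        }

        URI userId = authUser.getId();
        if (userId == null) {
            if (authUser.getPrincipal() != null) {
                LOG.info("Authenticated user {} does not have a PASS User resource yet", authUser.getPrincipal());
            } else {
                LOG.debug("No principal provided, skipping lookup for roles");
            }
            return roles;
        }

        try {
            User user = this.cache.getOrDo(userId, () -> this.client.readResource(userId, User.class));
            if (user == null) {
                // Fail closed: an unresolvable User resource grants nothing.
                LOG.warn("User {} was not found, granting NO authz roles", userId);
                return roles;
            }

            // One role URI per (domain, role) pair.
            // NOTE(review): assumes the domains come from trusted authentication attributes;
            // they are interpolated into the role URI unescaped, so confirm in the caller.
            for (String domain : authUser.getDomains()) {
                for (User.Role role : user.getRoles()) {
                    roles.add(getAuthRoleURI(domain, role));
                }
            }
            LOG.debug("Found roles for {}: {}", authUser.getPrincipal(), roles);

            // The user's own resource URI(s) are added alongside the role URIs.
            roles.addAll(addFedoraHack(user.getId()));
            return roles;
        } catch (Exception e) {
            // Anything failing above aborts the lookup rather than returning a partial role set.
            throw new RuntimeException("Error reading User resource for " + userId, e);
        }
    }

    /**
     * Builds the role URI {@code ROLE_BASE + domain + "#" + role}.
     *
     * @param str the domain the role applies to
     * @param role the role held within that domain
     * @return the role URI
     * @throws IllegalArgumentException if the resulting string is not a valid URI
     */
    public static URI getAuthRoleURI(String str, User.Role role) {
        return URI.create(ROLE_BASE + String.format("%s#%s", str, role));
    }

    /**
     * Returns the given URI and, when it lies under the Fedora base URL, its
     * {@code info:fedora/} equivalent.
     *
     * @param uri the User resource URI
     * @return a list holding {@code uri} and, where applicable, the {@code info:fedora/} form
     */
    private List<URI> addFedoraHack(URI uri) {
        List<URI> uris = new ArrayList<>();
        uris.add(uri);

        String text = uri.toString();
        String baseUrl = FedoraConfig.getBaseUrl();
        if (text.startsWith(baseUrl)) {
            // Rewrite only the leading base URL; a later occurrence of the same text inside the
            // path must be left untouched so the derived identity URI stays unambiguous.
            uris.add(URI.create("info:fedora/" + text.substring(baseUrl.length())));
        }
        return uris;
    }
}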
